pf: Add code to enable filtering for locally delivered packets
ClosedPublic
Actions

Authored by dfr on Jun 1 2023, 10:53 AM.

Details

Reviewers

Commits

rG6dfb2c2dce0f: pf: Add code to enable filtering for locally delivered packets
rG3a1f834b5228: pf: Add code to enable filtering for locally delivered packets

Summary

This is disabled by default so that it can be merged to stable/13
safely.

PR: 268717
MFC-after: 2 weeks

pf: Enable filtering locally delivered packets by default

PR: 268717

Test Plan

kyua test -k /usr/tests/sys/netpfil/common

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

dfr created this revision.Jun 1 2023, 10:53 AM

Herald added subscribers: glebius, melifaro, farrokhi, imp. · View Herald TranscriptJun 1 2023, 10:53 AM

dfr requested review of this revision.Jun 1 2023, 10:53 AM

Harbormaster completed remote builds in B51825: Diff 122697.Jun 1 2023, 10:53 AM

This change looks fine, but we should figure out why some of the pf dummynet tests broke with the previous step before we go further down this path: https://ci.freebsd.org/view/Test/job/FreeBSD-main-amd64-test/23651/#showFailuresLink

We do already activate this new hook for pf in the common tests, but not in the netpfil/pf tests. I'm rather worried that a lot more tests would start failing if we did that.

In D40373#919092, @kp wrote:

This change looks fine, but we should figure out why some of the pf dummynet tests broke with the previous step before we go further down this path: https://ci.freebsd.org/view/Test/job/FreeBSD-main-amd64-test/23651/#showFailuresLink

We do already activate this new hook for pf in the common tests, but not in the netpfil/pf tests. I'm rather worried that a lot more tests would start failing if we did that.

This is a very good point. I will debug the dummynet tests and take a closer look at the netpfil/pf tests

In D40373#919110, @dfr wrote:

In D40373#919092, @kp wrote:

This change looks fine, but we should figure out why some of the pf dummynet tests broke with the previous step before we go further down this path: https://ci.freebsd.org/view/Test/job/FreeBSD-main-amd64-test/23651/#showFailuresLink

We do already activate this new hook for pf in the common tests, but not in the netpfil/pf tests. I'm rather worried that a lot more tests would start failing if we did that.

This is a very good point. I will debug the dummynet tests and take a closer look at the netpfil/pf tests

I think the dummynet test failures are caused by the new filter head adding a second PFIL_OUT for the ping packet. The code allows for dummynet's re-injection but only once:

if (ip_dn_io_ptr != NULL && pd.pf_mtag != NULL &&
    pd.pf_mtag->flags & PF_TAG_DUMMYNET) {
        /* Dummynet re-injects packets after they've
         * completed their delay. We've already
         * processed them, so pass unconditionally. */

        /* But only once. We may see the packet multiple times (e.g.
         * PFIL_IN/PFIL_OUT). */
        pd.pf_mtag->flags &= ~PF_TAG_DUMMYNET;
        PF_RULES_RUNLOCK();

        return (PF_PASS);
}

It turned out that the dummynet test failures were just caused by the pf rules matching packets delivered to the local IP stack. Narrowing the rules to exclude that fixed them, details in D40393

dfr mentioned this in D40393: pf: Fix tests broken by enabling inet-local filtering.Jun 3 2023, 10:05 AM

Rebased

Harbormaster completed remote builds in B51934: Diff 122898.Jun 6 2023, 3:08 PM

Just getting back to this now - I'll spend some time running the netpfil/pf tests and see what breaks.

Rebase and fix unit tests

Harbormaster completed remote builds in B52100: Diff 123331.Jun 16 2023, 10:04 AM

I did not test the ALTQ tests but all the other pf tests pass except sys/netpfil/pf/pfsync:defer which seems to be a known failing test.

@kp I plan to merge this to current this week - do you have any concerns or comments before I do that?

In D40373#924407, @dfr wrote:

@kp I plan to merge this to current this week - do you have any concerns or comments before I do that?

Really only that I don't think we should enable this by default. It'll break existing configurations and we cannot rely on users reading and fully understanding UPDATING.

Ok, I'm happy with that - I will change the default for net.pf.filter_local back to false and adjust the UPDATING text to reflect that. I'll leave the test changes in so that tests will pass on machines where this is enabled. I'll also squash the two commits - there is no need to separate if we are keeping filter_local disabled by default.

This revision was not accepted when it landed; it landed in state Needs Review.Jun 20 2023, 2:36 PM

Closed by commit rG3a1f834b5228: pf: Add code to enable filtering for locally delivered packets (authored by dfr). · Explain Why

This revision was automatically updated to reflect the committed changes.

dfr added a commit: rG3a1f834b5228: pf: Add code to enable filtering for locally delivered packets.

dfr added a commit: rG6dfb2c2dce0f: pf: Add code to enable filtering for locally delivered packets.Jul 16 2023, 10:47 AM

Revision Contents
Changeset List

Path

Size

UPDATING

12 lines

sys/

netpfil/

pf/

pf_ioctl.c

20 lines

tests/

sys/

netpfil/

common/

utils.subr

3 lines

pf/

fragmentation_compat.sh

3 lines

fragmentation_pass.sh

3 lines

24 lines

3 lines

3 lines

1 line

3 lines

2 lines

6 lines

Diff 123516

View Options

UPDATING

	Show First 20 Lines • Show All 131 Lines • ▼ Show 20 Lines
	*/			*/
	#define IEEE80211_CIPHER_WEP 0			#define IEEE80211_CIPHER_WEP 0
	#define IEEE80211_CIPHER_TKIP 1			#define IEEE80211_CIPHER_TKIP 1
	#define IEEE80211_CIPHER_AES_OCB 2			#define IEEE80211_CIPHER_AES_OCB 2
	#define IEEE80211_CIPHER_AES_CCM 3			#define IEEE80211_CIPHER_AES_CCM 3
	#define IEEE80211_CIPHER_TKIPMIC 4 /* TKIP MIC capability */			#define IEEE80211_CIPHER_TKIPMIC 4 /* TKIP MIC capability */
	#define IEEE80211_CIPHER_CKIP 5			#define IEEE80211_CIPHER_CKIP 5
	#define IEEE80211_CIPHER_NONE 6 /* pseudo value */			#define IEEE80211_CIPHER_NONE 6 /* pseudo value */
				#define IEEE80211_CIPHER_AES_CCM_256 7
				#define IEEE80211_CIPHER_BIP_CMAC_128 8
				#define IEEE80211_CIPHER_BIP_CMAC_256 9
				#define IEEE80211_CIPHER_BIP_GMAC_128 10
				#define IEEE80211_CIPHER_BIP_GMAC_256 11
				#define IEEE80211_CIPHER_AES_GCM_128 12
				#define IEEE80211_CIPHER_AES_GCM_256 13

				bzUnsubmitted Not Done Inline Actions I love enums. bz: I love enums.
				ccUnsubmitted Not Done Inline Actions I love enums. +1 cc: > I love enums. +1
				adrianAuthorUnsubmitted Done Inline Actions I do too, but they're already defines. I'm happy to add it to a follow-up enum cleanup task? We just need to be sure there's nothing in the codebase and wpa/hostapd driver_bsd.c code that's using these things as compile time flags? adrian: I do too, but they're already defines. I'm happy to add it to a follow-up enum cleanup task?
	#define IEEE80211_CIPHER_MAX (IEEE80211_CIPHER_NONE+1)			#define IEEE80211_CIPHER_LAST 13

				#define IEEE80211_CIPHER_MAX (IEEE80211_CIPHER_LAST+1)

	/* capability bits in ic_cryptocaps/iv_cryptocaps */			/* capability bits in ic_cryptocaps/iv_cryptocaps */
	#define IEEE80211_CRYPTO_WEP (1<<IEEE80211_CIPHER_WEP)			#define IEEE80211_CRYPTO_WEP (1<<IEEE80211_CIPHER_WEP)
	#define IEEE80211_CRYPTO_TKIP (1<<IEEE80211_CIPHER_TKIP)			#define IEEE80211_CRYPTO_TKIP (1<<IEEE80211_CIPHER_TKIP)
	#define IEEE80211_CRYPTO_AES_OCB (1<<IEEE80211_CIPHER_AES_OCB)			#define IEEE80211_CRYPTO_AES_OCB (1<<IEEE80211_CIPHER_AES_OCB)
	#define IEEE80211_CRYPTO_AES_CCM (1<<IEEE80211_CIPHER_AES_CCM)			#define IEEE80211_CRYPTO_AES_CCM (1<<IEEE80211_CIPHER_AES_CCM)
	#define IEEE80211_CRYPTO_TKIPMIC (1<<IEEE80211_CIPHER_TKIPMIC)			#define IEEE80211_CRYPTO_TKIPMIC (1<<IEEE80211_CIPHER_TKIPMIC)
	#define IEEE80211_CRYPTO_CKIP (1<<IEEE80211_CIPHER_CKIP)			#define IEEE80211_CRYPTO_CKIP (1<<IEEE80211_CIPHER_CKIP)
				#define IEEE80211_CRYPTO_AES_CCM_256 (1<<IEEE80211_CIPHER_AES_CCM_256)
				#define IEEE80211_CRYPTO_BIP_CMAC_128 (1<<IEEE80211_CIPHER_BIP_CMAC_128)
				#define IEEE80211_CRYPTO_BIP_CMAC_256 (1<<IEEE80211_CIPHER_BIP_CMAC_256)
				#define IEEE80211_CRYPTO_BIP_GMAC_128 (1<<IEEE80211_CIPHER_BIP_GMAC_128)
				#define IEEE80211_CRYPTO_BIP_GMAC_256 (1<<IEEE80211_CIPHER_BIP_GMAC_256)
				#define IEEE80211_CRYPTO_AES_GCM_128 (1<<IEEE80211_CIPHER_AES_GCM_128)
				#define IEEE80211_CRYPTO_AES_GCM_256 (1<<IEEE80211_CIPHER_AES_GCM_256)

	#define IEEE80211_CRYPTO_BITS \			#define IEEE80211_CRYPTO_BITS \
	"\20\1WEP\2TKIP\3AES\4AES_CCM\5TKIPMIC\6CKIP"			"\20\1WEP\2TKIP\3AES\4AES_CCM\5TKIPMIC\6CKIP\10AES_CCM_256" \
				"\11BIP_CMAC_128\12BIP_CMAC_256\13BIP_GMAC_128\14BIP_CMAC_256" \
				"\15AES_GCM_128\16AES_GCM_256"
				bzUnsubmitted Done Inline Actions In reality there is no "\7NONE" as we do not define the IEEE80211_CRYPTO_NONE? Where do we want to be consistent: in the defines or the printf? bz: In reality there is no "\7NONE" as we do not define the IEEE80211_CRYPTO_NONE? Where do we…

				ccUnsubmitted Done Inline Actions In C printf, this is what I get. Also the output in Eclipse IDE console is a little different than in a Mac terminal. Is the result what we expected? printf("%s\n", IEEE80211_CRYPTO_BITS); quoted result: WEPTKIPAESAES_CCMTKIPMICCKIPNONEAES_CCM_256 BIP_CMAC_128 BIP_CMAC_256BIP_GMAC_128BIP_CMAC_256 AES_GCM_128AES_GCM_256 cc: In C printf, this is what I get. Also the output in Eclipse IDE console is a little different…
				emasteUnsubmitted Done Inline Actions For use with printf(9)'s %b: The %b identifier expects two arguments: an int and a char . These are used as a register value and a print mask for decoding bitmasks. The print mask is made up of two parts: the base and the arguments. The base value is the output base (radix) expressed as an octal value; for example, \10 gives octal and \20 gives hexadecimal. The arguments are made up of a sequence of bit identifiers. Each bit identifier begins with an octal value which is the number of the bit (starting from 1) this identifier describes. The rest of the identifier is a string of characters containing the name of the bit. The string is terminated by either the bit number at the start of the next bit identifier or NUL for the last bit identifier. emaste:* For use with printf(9)'s %b: ``` The %b identifier expects two arguments: an int and a…
				ccUnsubmitted Done Inline Actions For use with printf(9)'s %b: The %b identifier expects two arguments: an int and a char . These are Thanks for letting me know what I am missing. But after applying this patch in main, the ifconfig does not show the "cryptocaps". In verbose mode, it is empty. Any idea if there is a bug? before the patch: root@n2fbsd:/usr/src # ifconfig wlan0 list caps drivercaps=581c001<STA,SHSLOT,SHPREAMBLE,MONITOR,WPA1,WPA2,WME> cryptocaps=b<WEP,TKIP,AES_CCM> after the patch: root@n2fbsd:~ # ifconfig wlan0 list caps drivercaps=581c001<STA,SHSLOT,SHPREAMBLE,MONITOR,WPA1,WPA2,WME> root@n2fbsd:~ # root@n2fbsd:~ # ifconfig -v wlan0 list caps drivercaps=581c001<STA,SHSLOT,SHPREAMBLE,MONITOR,WPA1,WPA2,WME> cryptocaps=0<> htcaps=0<> vhtcaps=0<> ... cc:* > For use with printf(9)'s %b: > ``` > The %b identifier expects two arguments: an int and…
				ccUnsubmitted Done Inline Actions Hold on a second. I think I forgot to compile the kernel with the HW CRYPTO defined. Let me test again. cc: Hold on a second. I think I forgot to compile the kernel with the HW CRYPTO defined. Let me…
				ccUnsubmitted Done Inline Actions No surprise. To list it, HW CRYPTO must be defined for my driver. After the patch: root@n2fbsd:~ # ifconfig wlan0 list caps drivercaps=581c001<STA,SHSLOT,SHPREAMBLE,MONITOR,WPA1,WPA2,WME> cryptocaps=b<WEP,TKIP,AES_CCM> root@n2fbsd:~ # cc: No surprise. To list it, HW CRYPTO must be defined for my driver. After the patch: >…
	#if defined(__KERNEL__) \|\| defined(_KERNEL)			#if defined(__KERNEL__) \|\| defined(_KERNEL)

	struct ieee80211com;			struct ieee80211com;
	struct ieee80211vap;			struct ieee80211vap;
	struct ieee80211_node;			struct ieee80211_node;
	struct mbuf;			struct mbuf;

	MALLOC_DECLARE(M_80211_CRYPTO);			MALLOC_DECLARE(M_80211_CRYPTO);
	▲ Show 20 Lines • Show All 97 Lines • Show Last 20 Lines

View Options

sys/netpfil/pf/pf_ioctl.c

	Show First 20 Lines • Show All 131 Lines • ▼ Show 20 Lines
	*/			*/
	#define IEEE80211_CIPHER_WEP 0			#define IEEE80211_CIPHER_WEP 0
	#define IEEE80211_CIPHER_TKIP 1			#define IEEE80211_CIPHER_TKIP 1
	#define IEEE80211_CIPHER_AES_OCB 2			#define IEEE80211_CIPHER_AES_OCB 2
	#define IEEE80211_CIPHER_AES_CCM 3			#define IEEE80211_CIPHER_AES_CCM 3
	#define IEEE80211_CIPHER_TKIPMIC 4 /* TKIP MIC capability */			#define IEEE80211_CIPHER_TKIPMIC 4 /* TKIP MIC capability */
	#define IEEE80211_CIPHER_CKIP 5			#define IEEE80211_CIPHER_CKIP 5
	#define IEEE80211_CIPHER_NONE 6 /* pseudo value */			#define IEEE80211_CIPHER_NONE 6 /* pseudo value */
				#define IEEE80211_CIPHER_AES_CCM_256 7
				#define IEEE80211_CIPHER_BIP_CMAC_128 8
				#define IEEE80211_CIPHER_BIP_CMAC_256 9
				#define IEEE80211_CIPHER_BIP_GMAC_128 10
				#define IEEE80211_CIPHER_BIP_GMAC_256 11
				#define IEEE80211_CIPHER_AES_GCM_128 12
				#define IEEE80211_CIPHER_AES_GCM_256 13

				bzUnsubmitted Not Done Inline Actions I love enums. bz: I love enums.
				ccUnsubmitted Not Done Inline Actions I love enums. +1 cc: > I love enums. +1
				adrianAuthorUnsubmitted Done Inline Actions I do too, but they're already defines. I'm happy to add it to a follow-up enum cleanup task? We just need to be sure there's nothing in the codebase and wpa/hostapd driver_bsd.c code that's using these things as compile time flags? adrian: I do too, but they're already defines. I'm happy to add it to a follow-up enum cleanup task?
	#define IEEE80211_CIPHER_MAX (IEEE80211_CIPHER_NONE+1)			#define IEEE80211_CIPHER_LAST 13

				#define IEEE80211_CIPHER_MAX (IEEE80211_CIPHER_LAST+1)

	/* capability bits in ic_cryptocaps/iv_cryptocaps */			/* capability bits in ic_cryptocaps/iv_cryptocaps */
	#define IEEE80211_CRYPTO_WEP (1<<IEEE80211_CIPHER_WEP)			#define IEEE80211_CRYPTO_WEP (1<<IEEE80211_CIPHER_WEP)
	#define IEEE80211_CRYPTO_TKIP (1<<IEEE80211_CIPHER_TKIP)			#define IEEE80211_CRYPTO_TKIP (1<<IEEE80211_CIPHER_TKIP)
	#define IEEE80211_CRYPTO_AES_OCB (1<<IEEE80211_CIPHER_AES_OCB)			#define IEEE80211_CRYPTO_AES_OCB (1<<IEEE80211_CIPHER_AES_OCB)
	#define IEEE80211_CRYPTO_AES_CCM (1<<IEEE80211_CIPHER_AES_CCM)			#define IEEE80211_CRYPTO_AES_CCM (1<<IEEE80211_CIPHER_AES_CCM)
	#define IEEE80211_CRYPTO_TKIPMIC (1<<IEEE80211_CIPHER_TKIPMIC)			#define IEEE80211_CRYPTO_TKIPMIC (1<<IEEE80211_CIPHER_TKIPMIC)
	#define IEEE80211_CRYPTO_CKIP (1<<IEEE80211_CIPHER_CKIP)			#define IEEE80211_CRYPTO_CKIP (1<<IEEE80211_CIPHER_CKIP)
				#define IEEE80211_CRYPTO_AES_CCM_256 (1<<IEEE80211_CIPHER_AES_CCM_256)
				#define IEEE80211_CRYPTO_BIP_CMAC_128 (1<<IEEE80211_CIPHER_BIP_CMAC_128)
				#define IEEE80211_CRYPTO_BIP_CMAC_256 (1<<IEEE80211_CIPHER_BIP_CMAC_256)
				#define IEEE80211_CRYPTO_BIP_GMAC_128 (1<<IEEE80211_CIPHER_BIP_GMAC_128)
				#define IEEE80211_CRYPTO_BIP_GMAC_256 (1<<IEEE80211_CIPHER_BIP_GMAC_256)
				#define IEEE80211_CRYPTO_AES_GCM_128 (1<<IEEE80211_CIPHER_AES_GCM_128)
				#define IEEE80211_CRYPTO_AES_GCM_256 (1<<IEEE80211_CIPHER_AES_GCM_256)

	#define IEEE80211_CRYPTO_BITS \			#define IEEE80211_CRYPTO_BITS \
	"\20\1WEP\2TKIP\3AES\4AES_CCM\5TKIPMIC\6CKIP"			"\20\1WEP\2TKIP\3AES\4AES_CCM\5TKIPMIC\6CKIP\10AES_CCM_256" \
				"\11BIP_CMAC_128\12BIP_CMAC_256\13BIP_GMAC_128\14BIP_CMAC_256" \
				"\15AES_GCM_128\16AES_GCM_256"
				bzUnsubmitted Done Inline Actions In reality there is no "\7NONE" as we do not define the IEEE80211_CRYPTO_NONE? Where do we want to be consistent: in the defines or the printf? bz: In reality there is no "\7NONE" as we do not define the IEEE80211_CRYPTO_NONE? Where do we…

				ccUnsubmitted Done Inline Actions In C printf, this is what I get. Also the output in Eclipse IDE console is a little different than in a Mac terminal. Is the result what we expected? printf("%s\n", IEEE80211_CRYPTO_BITS); quoted result: WEPTKIPAESAES_CCMTKIPMICCKIPNONEAES_CCM_256 BIP_CMAC_128 BIP_CMAC_256BIP_GMAC_128BIP_CMAC_256 AES_GCM_128AES_GCM_256 cc: In C printf, this is what I get. Also the output in Eclipse IDE console is a little different…
				emasteUnsubmitted Done Inline Actions For use with printf(9)'s %b: The %b identifier expects two arguments: an int and a char . These are used as a register value and a print mask for decoding bitmasks. The print mask is made up of two parts: the base and the arguments. The base value is the output base (radix) expressed as an octal value; for example, \10 gives octal and \20 gives hexadecimal. The arguments are made up of a sequence of bit identifiers. Each bit identifier begins with an octal value which is the number of the bit (starting from 1) this identifier describes. The rest of the identifier is a string of characters containing the name of the bit. The string is terminated by either the bit number at the start of the next bit identifier or NUL for the last bit identifier. emaste:* For use with printf(9)'s %b: ``` The %b identifier expects two arguments: an int and a…
				ccUnsubmitted Done Inline Actions For use with printf(9)'s %b: The %b identifier expects two arguments: an int and a char . These are Thanks for letting me know what I am missing. But after applying this patch in main, the ifconfig does not show the "cryptocaps". In verbose mode, it is empty. Any idea if there is a bug? before the patch: root@n2fbsd:/usr/src # ifconfig wlan0 list caps drivercaps=581c001<STA,SHSLOT,SHPREAMBLE,MONITOR,WPA1,WPA2,WME> cryptocaps=b<WEP,TKIP,AES_CCM> after the patch: root@n2fbsd:~ # ifconfig wlan0 list caps drivercaps=581c001<STA,SHSLOT,SHPREAMBLE,MONITOR,WPA1,WPA2,WME> root@n2fbsd:~ # root@n2fbsd:~ # ifconfig -v wlan0 list caps drivercaps=581c001<STA,SHSLOT,SHPREAMBLE,MONITOR,WPA1,WPA2,WME> cryptocaps=0<> htcaps=0<> vhtcaps=0<> ... cc:* > For use with printf(9)'s %b: > ``` > The %b identifier expects two arguments: an int and…
				ccUnsubmitted Done Inline Actions Hold on a second. I think I forgot to compile the kernel with the HW CRYPTO defined. Let me test again. cc: Hold on a second. I think I forgot to compile the kernel with the HW CRYPTO defined. Let me…
				ccUnsubmitted Done Inline Actions No surprise. To list it, HW CRYPTO must be defined for my driver. After the patch: root@n2fbsd:~ # ifconfig wlan0 list caps drivercaps=581c001<STA,SHSLOT,SHPREAMBLE,MONITOR,WPA1,WPA2,WME> cryptocaps=b<WEP,TKIP,AES_CCM> root@n2fbsd:~ # cc: No surprise. To list it, HW CRYPTO must be defined for my driver. After the patch: >…
	#if defined(__KERNEL__) \|\| defined(_KERNEL)			#if defined(__KERNEL__) \|\| defined(_KERNEL)

	struct ieee80211com;			struct ieee80211com;
	struct ieee80211vap;			struct ieee80211vap;
	struct ieee80211_node;			struct ieee80211_node;
	struct mbuf;			struct mbuf;

	MALLOC_DECLARE(M_80211_CRYPTO);			MALLOC_DECLARE(M_80211_CRYPTO);
	▲ Show 20 Lines • Show All 97 Lines • Show Last 20 Lines

View Options

tests/sys/netpfil/common/utils.subr

	Show First 20 Lines • Show All 131 Lines • ▼ Show 20 Lines
	*/			*/
	#define IEEE80211_CIPHER_WEP 0			#define IEEE80211_CIPHER_WEP 0
	#define IEEE80211_CIPHER_TKIP 1			#define IEEE80211_CIPHER_TKIP 1
	#define IEEE80211_CIPHER_AES_OCB 2			#define IEEE80211_CIPHER_AES_OCB 2
	#define IEEE80211_CIPHER_AES_CCM 3			#define IEEE80211_CIPHER_AES_CCM 3
	#define IEEE80211_CIPHER_TKIPMIC 4 /* TKIP MIC capability */			#define IEEE80211_CIPHER_TKIPMIC 4 /* TKIP MIC capability */
	#define IEEE80211_CIPHER_CKIP 5			#define IEEE80211_CIPHER_CKIP 5
	#define IEEE80211_CIPHER_NONE 6 /* pseudo value */			#define IEEE80211_CIPHER_NONE 6 /* pseudo value */
				#define IEEE80211_CIPHER_AES_CCM_256 7
				#define IEEE80211_CIPHER_BIP_CMAC_128 8
				#define IEEE80211_CIPHER_BIP_CMAC_256 9
				#define IEEE80211_CIPHER_BIP_GMAC_128 10
				#define IEEE80211_CIPHER_BIP_GMAC_256 11
				#define IEEE80211_CIPHER_AES_GCM_128 12
				#define IEEE80211_CIPHER_AES_GCM_256 13

				bzUnsubmitted Not Done Inline Actions I love enums. bz: I love enums.
				ccUnsubmitted Not Done Inline Actions I love enums. +1 cc: > I love enums. +1
				adrianAuthorUnsubmitted Done Inline Actions I do too, but they're already defines. I'm happy to add it to a follow-up enum cleanup task? We just need to be sure there's nothing in the codebase and wpa/hostapd driver_bsd.c code that's using these things as compile time flags? adrian: I do too, but they're already defines. I'm happy to add it to a follow-up enum cleanup task?
	#define IEEE80211_CIPHER_MAX (IEEE80211_CIPHER_NONE+1)			#define IEEE80211_CIPHER_LAST 13

				#define IEEE80211_CIPHER_MAX (IEEE80211_CIPHER_LAST+1)

	/* capability bits in ic_cryptocaps/iv_cryptocaps */			/* capability bits in ic_cryptocaps/iv_cryptocaps */
	#define IEEE80211_CRYPTO_WEP (1<<IEEE80211_CIPHER_WEP)			#define IEEE80211_CRYPTO_WEP (1<<IEEE80211_CIPHER_WEP)
	#define IEEE80211_CRYPTO_TKIP (1<<IEEE80211_CIPHER_TKIP)			#define IEEE80211_CRYPTO_TKIP (1<<IEEE80211_CIPHER_TKIP)
	#define IEEE80211_CRYPTO_AES_OCB (1<<IEEE80211_CIPHER_AES_OCB)			#define IEEE80211_CRYPTO_AES_OCB (1<<IEEE80211_CIPHER_AES_OCB)
	#define IEEE80211_CRYPTO_AES_CCM (1<<IEEE80211_CIPHER_AES_CCM)			#define IEEE80211_CRYPTO_AES_CCM (1<<IEEE80211_CIPHER_AES_CCM)
	#define IEEE80211_CRYPTO_TKIPMIC (1<<IEEE80211_CIPHER_TKIPMIC)			#define IEEE80211_CRYPTO_TKIPMIC (1<<IEEE80211_CIPHER_TKIPMIC)
	#define IEEE80211_CRYPTO_CKIP (1<<IEEE80211_CIPHER_CKIP)			#define IEEE80211_CRYPTO_CKIP (1<<IEEE80211_CIPHER_CKIP)
				#define IEEE80211_CRYPTO_AES_CCM_256 (1<<IEEE80211_CIPHER_AES_CCM_256)
				#define IEEE80211_CRYPTO_BIP_CMAC_128 (1<<IEEE80211_CIPHER_BIP_CMAC_128)
				#define IEEE80211_CRYPTO_BIP_CMAC_256 (1<<IEEE80211_CIPHER_BIP_CMAC_256)
				#define IEEE80211_CRYPTO_BIP_GMAC_128 (1<<IEEE80211_CIPHER_BIP_GMAC_128)
				#define IEEE80211_CRYPTO_BIP_GMAC_256 (1<<IEEE80211_CIPHER_BIP_GMAC_256)
				#define IEEE80211_CRYPTO_AES_GCM_128 (1<<IEEE80211_CIPHER_AES_GCM_128)
				#define IEEE80211_CRYPTO_AES_GCM_256 (1<<IEEE80211_CIPHER_AES_GCM_256)

	#define IEEE80211_CRYPTO_BITS \			#define IEEE80211_CRYPTO_BITS \
	"\20\1WEP\2TKIP\3AES\4AES_CCM\5TKIPMIC\6CKIP"			"\20\1WEP\2TKIP\3AES\4AES_CCM\5TKIPMIC\6CKIP\10AES_CCM_256" \
				"\11BIP_CMAC_128\12BIP_CMAC_256\13BIP_GMAC_128\14BIP_CMAC_256" \
				"\15AES_GCM_128\16AES_GCM_256"
				bzUnsubmitted Done Inline Actions In reality there is no "\7NONE" as we do not define the IEEE80211_CRYPTO_NONE? Where do we want to be consistent: in the defines or the printf? bz: In reality there is no "\7NONE" as we do not define the IEEE80211_CRYPTO_NONE? Where do we…

				ccUnsubmitted Done Inline Actions In C printf, this is what I get. Also the output in Eclipse IDE console is a little different than in a Mac terminal. Is the result what we expected? printf("%s\n", IEEE80211_CRYPTO_BITS); quoted result: WEPTKIPAESAES_CCMTKIPMICCKIPNONEAES_CCM_256 BIP_CMAC_128 BIP_CMAC_256BIP_GMAC_128BIP_CMAC_256 AES_GCM_128AES_GCM_256 cc: In C printf, this is what I get. Also the output in Eclipse IDE console is a little different…
				emasteUnsubmitted Done Inline Actions For use with printf(9)'s %b: The %b identifier expects two arguments: an int and a char . These are used as a register value and a print mask for decoding bitmasks. The print mask is made up of two parts: the base and the arguments. The base value is the output base (radix) expressed as an octal value; for example, \10 gives octal and \20 gives hexadecimal. The arguments are made up of a sequence of bit identifiers. Each bit identifier begins with an octal value which is the number of the bit (starting from 1) this identifier describes. The rest of the identifier is a string of characters containing the name of the bit. The string is terminated by either the bit number at the start of the next bit identifier or NUL for the last bit identifier. emaste:* For use with printf(9)'s %b: ``` The %b identifier expects two arguments: an int and a…
				ccUnsubmitted Done Inline Actions For use with printf(9)'s %b: The %b identifier expects two arguments: an int and a char . These are Thanks for letting me know what I am missing. But after applying this patch in main, the ifconfig does not show the "cryptocaps". In verbose mode, it is empty. Any idea if there is a bug? before the patch: root@n2fbsd:/usr/src # ifconfig wlan0 list caps drivercaps=581c001<STA,SHSLOT,SHPREAMBLE,MONITOR,WPA1,WPA2,WME> cryptocaps=b<WEP,TKIP,AES_CCM> after the patch: root@n2fbsd:~ # ifconfig wlan0 list caps drivercaps=581c001<STA,SHSLOT,SHPREAMBLE,MONITOR,WPA1,WPA2,WME> root@n2fbsd:~ # root@n2fbsd:~ # ifconfig -v wlan0 list caps drivercaps=581c001<STA,SHSLOT,SHPREAMBLE,MONITOR,WPA1,WPA2,WME> cryptocaps=0<> htcaps=0<> vhtcaps=0<> ... cc:* > For use with printf(9)'s %b: > ``` > The %b identifier expects two arguments: an int and…
				ccUnsubmitted Done Inline Actions Hold on a second. I think I forgot to compile the kernel with the HW CRYPTO defined. Let me test again. cc: Hold on a second. I think I forgot to compile the kernel with the HW CRYPTO defined. Let me…
				ccUnsubmitted Done Inline Actions No surprise. To list it, HW CRYPTO must be defined for my driver. After the patch: root@n2fbsd:~ # ifconfig wlan0 list caps drivercaps=581c001<STA,SHSLOT,SHPREAMBLE,MONITOR,WPA1,WPA2,WME> cryptocaps=b<WEP,TKIP,AES_CCM> root@n2fbsd:~ # cc: No surprise. To list it, HW CRYPTO must be defined for my driver. After the patch: >…
	#if defined(__KERNEL__) \|\| defined(_KERNEL)			#if defined(__KERNEL__) \|\| defined(_KERNEL)

	struct ieee80211com;			struct ieee80211com;
	struct ieee80211vap;			struct ieee80211vap;
	struct ieee80211_node;			struct ieee80211_node;
	struct mbuf;			struct mbuf;

	MALLOC_DECLARE(M_80211_CRYPTO);			MALLOC_DECLARE(M_80211_CRYPTO);
	▲ Show 20 Lines • Show All 97 Lines • Show Last 20 Lines

View Options

tests/sys/netpfil/pf/fragmentation_compat.sh

	Show First 20 Lines • Show All 131 Lines • ▼ Show 20 Lines
	*/			*/
	#define IEEE80211_CIPHER_WEP 0			#define IEEE80211_CIPHER_WEP 0
	#define IEEE80211_CIPHER_TKIP 1			#define IEEE80211_CIPHER_TKIP 1
	#define IEEE80211_CIPHER_AES_OCB 2			#define IEEE80211_CIPHER_AES_OCB 2
	#define IEEE80211_CIPHER_AES_CCM 3			#define IEEE80211_CIPHER_AES_CCM 3
	#define IEEE80211_CIPHER_TKIPMIC 4 /* TKIP MIC capability */			#define IEEE80211_CIPHER_TKIPMIC 4 /* TKIP MIC capability */
	#define IEEE80211_CIPHER_CKIP 5			#define IEEE80211_CIPHER_CKIP 5
	#define IEEE80211_CIPHER_NONE 6 /* pseudo value */			#define IEEE80211_CIPHER_NONE 6 /* pseudo value */
				#define IEEE80211_CIPHER_AES_CCM_256 7
				#define IEEE80211_CIPHER_BIP_CMAC_128 8
				#define IEEE80211_CIPHER_BIP_CMAC_256 9
				#define IEEE80211_CIPHER_BIP_GMAC_128 10
				#define IEEE80211_CIPHER_BIP_GMAC_256 11
				#define IEEE80211_CIPHER_AES_GCM_128 12
				#define IEEE80211_CIPHER_AES_GCM_256 13

				bzUnsubmitted Not Done Inline Actions I love enums. bz: I love enums.
				ccUnsubmitted Not Done Inline Actions I love enums. +1 cc: > I love enums. +1
				adrianAuthorUnsubmitted Done Inline Actions I do too, but they're already defines. I'm happy to add it to a follow-up enum cleanup task? We just need to be sure there's nothing in the codebase and wpa/hostapd driver_bsd.c code that's using these things as compile time flags? adrian: I do too, but they're already defines. I'm happy to add it to a follow-up enum cleanup task?
	#define IEEE80211_CIPHER_MAX (IEEE80211_CIPHER_NONE+1)			#define IEEE80211_CIPHER_LAST 13

				#define IEEE80211_CIPHER_MAX (IEEE80211_CIPHER_LAST+1)

	/* capability bits in ic_cryptocaps/iv_cryptocaps */			/* capability bits in ic_cryptocaps/iv_cryptocaps */
	#define IEEE80211_CRYPTO_WEP (1<<IEEE80211_CIPHER_WEP)			#define IEEE80211_CRYPTO_WEP (1<<IEEE80211_CIPHER_WEP)
	#define IEEE80211_CRYPTO_TKIP (1<<IEEE80211_CIPHER_TKIP)			#define IEEE80211_CRYPTO_TKIP (1<<IEEE80211_CIPHER_TKIP)
	#define IEEE80211_CRYPTO_AES_OCB (1<<IEEE80211_CIPHER_AES_OCB)			#define IEEE80211_CRYPTO_AES_OCB (1<<IEEE80211_CIPHER_AES_OCB)
	#define IEEE80211_CRYPTO_AES_CCM (1<<IEEE80211_CIPHER_AES_CCM)			#define IEEE80211_CRYPTO_AES_CCM (1<<IEEE80211_CIPHER_AES_CCM)
	#define IEEE80211_CRYPTO_TKIPMIC (1<<IEEE80211_CIPHER_TKIPMIC)			#define IEEE80211_CRYPTO_TKIPMIC (1<<IEEE80211_CIPHER_TKIPMIC)
	#define IEEE80211_CRYPTO_CKIP (1<<IEEE80211_CIPHER_CKIP)			#define IEEE80211_CRYPTO_CKIP (1<<IEEE80211_CIPHER_CKIP)
				#define IEEE80211_CRYPTO_AES_CCM_256 (1<<IEEE80211_CIPHER_AES_CCM_256)
				#define IEEE80211_CRYPTO_BIP_CMAC_128 (1<<IEEE80211_CIPHER_BIP_CMAC_128)
				#define IEEE80211_CRYPTO_BIP_CMAC_256 (1<<IEEE80211_CIPHER_BIP_CMAC_256)
				#define IEEE80211_CRYPTO_BIP_GMAC_128 (1<<IEEE80211_CIPHER_BIP_GMAC_128)
				#define IEEE80211_CRYPTO_BIP_GMAC_256 (1<<IEEE80211_CIPHER_BIP_GMAC_256)
				#define IEEE80211_CRYPTO_AES_GCM_128 (1<<IEEE80211_CIPHER_AES_GCM_128)
				#define IEEE80211_CRYPTO_AES_GCM_256 (1<<IEEE80211_CIPHER_AES_GCM_256)

	#define IEEE80211_CRYPTO_BITS \			#define IEEE80211_CRYPTO_BITS \
	"\20\1WEP\2TKIP\3AES\4AES_CCM\5TKIPMIC\6CKIP"			"\20\1WEP\2TKIP\3AES\4AES_CCM\5TKIPMIC\6CKIP\10AES_CCM_256" \
				"\11BIP_CMAC_128\12BIP_CMAC_256\13BIP_GMAC_128\14BIP_CMAC_256" \
				"\15AES_GCM_128\16AES_GCM_256"
				bzUnsubmitted Done Inline Actions In reality there is no "\7NONE" as we do not define the IEEE80211_CRYPTO_NONE? Where do we want to be consistent: in the defines or the printf? bz: In reality there is no "\7NONE" as we do not define the IEEE80211_CRYPTO_NONE? Where do we…

				ccUnsubmitted Done Inline Actions In C printf, this is what I get. Also the output in Eclipse IDE console is a little different than in a Mac terminal. Is the result what we expected? printf("%s\n", IEEE80211_CRYPTO_BITS); quoted result: WEPTKIPAESAES_CCMTKIPMICCKIPNONEAES_CCM_256 BIP_CMAC_128 BIP_CMAC_256BIP_GMAC_128BIP_CMAC_256 AES_GCM_128AES_GCM_256 cc: In C printf, this is what I get. Also the output in Eclipse IDE console is a little different…
				emasteUnsubmitted Done Inline Actions For use with printf(9)'s %b: The %b identifier expects two arguments: an int and a char . These are used as a register value and a print mask for decoding bitmasks. The print mask is made up of two parts: the base and the arguments. The base value is the output base (radix) expressed as an octal value; for example, \10 gives octal and \20 gives hexadecimal. The arguments are made up of a sequence of bit identifiers. Each bit identifier begins with an octal value which is the number of the bit (starting from 1) this identifier describes. The rest of the identifier is a string of characters containing the name of the bit. The string is terminated by either the bit number at the start of the next bit identifier or NUL for the last bit identifier. emaste:* For use with printf(9)'s %b: ``` The %b identifier expects two arguments: an int and a…
				ccUnsubmitted Done Inline Actions For use with printf(9)'s %b: The %b identifier expects two arguments: an int and a char . These are Thanks for letting me know what I am missing. But after applying this patch in main, the ifconfig does not show the "cryptocaps". In verbose mode, it is empty. Any idea if there is a bug? before the patch: root@n2fbsd:/usr/src # ifconfig wlan0 list caps drivercaps=581c001<STA,SHSLOT,SHPREAMBLE,MONITOR,WPA1,WPA2,WME> cryptocaps=b<WEP,TKIP,AES_CCM> after the patch: root@n2fbsd:~ # ifconfig wlan0 list caps drivercaps=581c001<STA,SHSLOT,SHPREAMBLE,MONITOR,WPA1,WPA2,WME> root@n2fbsd:~ # root@n2fbsd:~ # ifconfig -v wlan0 list caps drivercaps=581c001<STA,SHSLOT,SHPREAMBLE,MONITOR,WPA1,WPA2,WME> cryptocaps=0<> htcaps=0<> vhtcaps=0<> ... cc:* > For use with printf(9)'s %b: > ``` > The %b identifier expects two arguments: an int and…
				ccUnsubmitted Done Inline Actions Hold on a second. I think I forgot to compile the kernel with the HW CRYPTO defined. Let me test again. cc: Hold on a second. I think I forgot to compile the kernel with the HW CRYPTO defined. Let me…
				ccUnsubmitted Done Inline Actions No surprise. To list it, HW CRYPTO must be defined for my driver. After the patch: root@n2fbsd:~ # ifconfig wlan0 list caps drivercaps=581c001<STA,SHSLOT,SHPREAMBLE,MONITOR,WPA1,WPA2,WME> cryptocaps=b<WEP,TKIP,AES_CCM> root@n2fbsd:~ # cc: No surprise. To list it, HW CRYPTO must be defined for my driver. After the patch: >…
	#if defined(__KERNEL__) \|\| defined(_KERNEL)			#if defined(__KERNEL__) \|\| defined(_KERNEL)

	struct ieee80211com;			struct ieee80211com;
	struct ieee80211vap;			struct ieee80211vap;
	struct ieee80211_node;			struct ieee80211_node;
	struct mbuf;			struct mbuf;

	MALLOC_DECLARE(M_80211_CRYPTO);			MALLOC_DECLARE(M_80211_CRYPTO);
	▲ Show 20 Lines • Show All 97 Lines • Show Last 20 Lines