[continued from previous message]
report will be shared in the near future, after issues above a severity
threshold have been addressed. The FreeBSD Foundation will also publish a
report including commentary on the impact of the Synacktiv code audit report,
classes of vulnerabilities identified, and lessons learned.
More information is available in the Alpha-Omega repository.
Sponsor: The FreeBSD Foundation
━━━━━━━━━━━━━━━━━━━━━
━━━━━━━━━━━━━━━━━━━━━
━━━━━━━━━━━━━━━━━━━━
━━━━━━━━━━━━━━
Endpoint-Independent NAT
Contact: Tom Jones
This project aims to add support for Endpoint-Independent Mappings for UDP to
the pf and ipfw firewalls.
End Point Independent NAT enables applications behind a NAT speaking to
multiple remote hosts to receive the same mappings. This allows an application
without any NAT traversal mechanisms to work around NAT issues to perform peer
discovery. From the remote hosts perspective the NAT is transparent and it is
as-if there is no NAT at all. This form of NAT has been given several names
over the last few decades and might be known as 'full-cone' NAT.
Patches to pf landed in early September based on work by Damjan Jovanovic and
Naman Sood with updates to work on pf in main. The patches add a new
'endpoint-independent' suffix to UDP pf nat rules.
ipfw support for endpoint-independent is going to be made available via
libalias, allowing any system which uses libalias for address translation to
benefit from the change. There is an in-progress review D46689 to add support
to libalias.
The in-progress change and the committed pf change could both benefit from
testing in more and diverse environments.
Sponsor: The FreeBSD Foundation Sponsor: Tailscale
━━━━━━━━━━━━━━━━━━━━━
━━━━━━━━━━━━━━━━━━━━━
━━━━━━━━━━━━━━━━━━━━
━━━━━━━━━━━━━━
Kyua Jail Support
Contact: Igor Ostapenko
The FreeBSD test suite is executed by the kyua(1) utility. Kyua supports
parallel execution of tests with kyua -v parallelism= test, however many
network tests leverage jail(8) features like VNET(9) and have conflicts with
jail naming and network configuration. As a result they are marked with the
is_exclusive=true metadata property to prevent them from running at the same
time and interfering with each other. It creates a dilemma when a project aims
to increase test coverage, but the accumulation of exclusive tests
proportionally increases the time required to run them. This, in turn, affects
the development process from multiple angles.
Kyua has recently got a change in 15-CURRENT to support a new concept called
"execution environment". By default, tests run in the so-called "host"
execution environment, where they are executed as before. A test can opt-in to
use a brand new execution environment, the "jail" one. In this case, kyua
creates a jail before running the test, and then executes the test within the
jail. That opens up the opportunity to run more tests in parallel due to the
extra isolation provided by the jail concept itself, and specifically by the
VNET. It depends on hardware and configuration, but there are reports that
having the same environment netpfil/pf tests can be run around 4 times
faster — a few minutes instead of half an hour.
The following Makefile change is a quick demo of how netpfil/pf tests were
switched to run in parallel with jail execution environment:
-# Tests reuse jail names and so cannot run in parallel.
-TEST_METADATA+= is_exclusive=true
+# Allow tests to run in parallel in their own jails
+TEST_METADATA+= execenv="jail"
+TEST_METADATA+= execenv_jail_params="vnet allow.raw_sockets"
More details:
• The key commit with detailed description:
257e70f1d5ee61037c8c59b116538d3b6b1427a2
• The man pages covering the "execenv" feature: kyuafile(5), kyua.conf(5)
This change also brings new sysctl read-only variables, which expose more
details about current jail, and may be generally useful:
• security.jail.children.max: Maximum number of child jails
• security.jail.children.cur: Current number of child jails
A hint: the sysctl -n security.jail.children.cur run from prison0 provides the
number of all jails in the system.
Further improvements to Kyua, such as requirements definition and automatic
resolution, are currently in the design phase. Potentially new metadata
properties like required_klds and required_pkgs provide a clue to these topics.
Please contact Igor to discuss ideas and use cases that can help shape these
upcoming Kyua enhancements.
━━━━━━━━━━━━━━━━━━━━━
━━━━━━━━━━━━━━━━━━━━━
━━━━━━━━━━━━━━━━━━━━
━━━━━━━━━━━━━━
Linux Source Compatibility Wiki page
Links:
Linux Source Compatibility URL: https://wiki.freebsd.org/LinuxSo
rceCompatibility
Contact: Edward Tomasz Napierala
There is now a wiki page to track source compatibility differences between
FreeBSD and Linux — and it needs your input!
FreeBSD and Linux are already largely compatible at the source code level due
to both being Unix systems and following the same standards. There are however
certain system calls specific to Linux; there are also differences in header
files, constants and so on. Implementing them in FreeBSD would make porting
software easier.
Not all of the items there are fixable. Some differences cannot be eliminated
due to naming clashes, disagreements on how the system is supposed to work, or
because it would make autoconf pick up a less functional compatibility API
instead of the native one. In such cases we should document it and advise what
API to use instead.
The wiki page aims to provide an overview and help track progress. That is
where your help is needed. I need people who actually port software to FreeBSD
to add missing APIs, based on their experiences. This also includes non-syscall
items, like missing headers and unsupported constants. Preferably also mention
the name of the software that could use them.
• Add missing items
• Add prospective API consumers
Sponsor: Innovate UK
━━━━━━━━━━━━━━━━━━━━━
━━━━━━━━━━━━━━━━━━━━━
━━━━━━━━━━━━━━━━━━━━
━━━━━━━━━━━━━━
Userland
Changes affecting the base system and programs in it.
Service jails — Automatic jailing of rc.d services
Links:
rc-article part for Service Jails URL: https://docs.freebsd.org/
n/articles/rc-scripting/#rcng-service-jails
service jail patches for ports in our bugtracker URL: https://bu
s.freebsd.org/bugzilla/buglist.cgi?quicksearch=service+jail+aware
Contact: Alexander Leidinger
Service jails extend the rc(8) system to allow automatic jailing of rc.d
services. A service jail inherits the filesystem of the parent host or jail,
but uses all other limits of the jail (process visibility, restricted network
[continued in next message]
--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)
|
