[Git][hardenedbsd/HardenedBSD][hardened/14-stable/master] 7 commits: mac_ipacl: Use IfAPI


HardenedBSD Services (@hardenedbsd-services)

Dec 26, 2025, 8:01:37 AM (2 days ago) Dec 26
to src-com...@hardenedbsd.org


HardenedBSD Services pushed to branch hardened/14-stable/master at HardenedBSD / HardenedBSD


Commits:
bcd1e5fb by Justin Hibbits at 2025-12-26T16:25:47+08:00
mac_ipacl: Use IfAPI

Use `if_t` instead of `struct ifnet *`, and the if_name() accessor instead of reading if_xname directly.

Sponsored by: Juniper Networks, Inc.

(cherry picked from commit b820820ece099a73511d7daec407d78f38185a9b)

- - - - -
2fef1a6e by Justin Hibbits at 2025-12-26T16:25:47+08:00
netlink: Don't directly access ifnet members

Summary:
Remove the final direct access of struct ifnet members from netlink.
Since only the first address is used, create the iterator and then free,
without fully iterating.

Reviewed By: kp
Sponsored by: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D42972

(cherry picked from commit b224af946a17b8e7a7b4942157556b5bc86dd6fb)

- - - - -
63b0b8bd by Justin Hibbits at 2025-12-26T16:25:47+08:00
bnxt: Use IfAPI accessors where able

Summary:
Don't directly access ifnet members; struct ifnet is private to the network stack and drivers should go through the IfAPI accessors.

Sponsored by: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D47353

(cherry picked from commit 84d7ec4c657f406c6cbd29baf32c8e057b663d17)

- - - - -
16d50efd by Justin Hibbits at 2025-12-26T16:25:47+08:00
qlnx: Convert recent changes to IfAPI

Sponsored by: Juniper Networks, Inc.
Reviewed by: zlei
Differential Revision: https://reviews.freebsd.org/D47533

(cherry picked from commit 1eaecc214ea2bfde84f4194c1d0e20b18117343f)

- - - - -
f95ddf74 by Justin Hibbits at 2025-12-26T16:25:47+08:00
LinuxKPI: Use IfAPI to get LLADDR

Reviewed by: bz, emaste
Differential Revision: https://reviews.freebsd.org/D47525

(cherry picked from commit 57609cb2de149a3c99c43e98d37cfa4784958f73)

- - - - -
3e5025ea by Michael Osipov at 2025-12-26T11:48:19+01:00
bhyve.8: Fix consistency and terms in manpage

Correct inconsistent spelling of terms and duplication.

Reviewed by: ziaee
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D54332

(cherry picked from commit 5819f8b285fc55a75e5dea56ffe73b376525150c)

- - - - -
b831a1ae by HardenedBSD Sync Services at 2025-12-26T06:01:09-07:00
Merge branch 'freebsd/14-stable/main' into hardened/14-stable/master

- - - - -


8 changed files:

- sys/compat/linuxkpi/common/src/linux_80211.c
- sys/dev/bnxt/bnxt_re/bnxt_re.h
- sys/dev/bnxt/bnxt_re/ib_verbs.c
- sys/dev/bnxt/bnxt_re/main.c
- sys/dev/qlnx/qlnxe/qlnx_os.c
- sys/netlink/route/iface.c
- sys/security/mac_ipacl/mac_ipacl.c
- usr.sbin/bhyve/bhyve.8


Changes:

=====================================
sys/compat/linuxkpi/common/src/linux_80211.c
=====================================
@@ -3720,7 +3720,7 @@ lkpi_vif_iflladdr(void *arg, struct ifnet *ifp)
}

vif = arg;
- IEEE80211_ADDR_COPY(vif->bss_conf.addr, IF_LLADDR(ifp));
+ IEEE80211_ADDR_COPY(vif->bss_conf.addr, if_getlladdr(ifp));
NET_EPOCH_EXIT(et);
}
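Review bot: The signature in the hunk header still takes `struct ifnet *ifp` while the body now reads the address through `if_getlladdr(ifp)`; for consistency with the series' stated goal the parameter could be spelled `if_t ifp`, i.e. `lkpi_vif_iflladdr(void *arg, if_t ifp)`, assuming the iflladdr event-handler type it is registered with accepts that. The rest of lkpi_vif_iflladdr, including the NET_EPOCH_ENTER that pairs with the visible exit, lies outside this hunk.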



=====================================
sys/dev/bnxt/bnxt_re/bnxt_re.h
=====================================
@@ -946,8 +946,8 @@ int bnxt_re_setup_cnp_cos(struct bnxt_re_dev *rdev, bool reset);

static inline enum ib_port_state bnxt_re_get_link_state(struct bnxt_re_dev *rdev)
{
- if (rdev->netdev->if_drv_flags & IFF_DRV_RUNNING &&
- rdev->netdev->if_link_state == LINK_STATE_UP)
+ if (if_getdrvflags(rdev->netdev) & IFF_DRV_RUNNING &&
+ if_getlinkstate(rdev->netdev) == LINK_STATE_UP)
return IB_PORT_ACTIVE;
return IB_PORT_DOWN;
}
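Review bot: bnxt_re_get_link_state dereferences `rdev->netdev` unconditionally, while the bnxt_re_netdev_event hunk in main.c of this same commit explicitly logs a `->netdev = NULL` state; if that state is reachable here, the accessor calls fault exactly as the direct member reads did. A guard such as `if (rdev->netdev == NULL) return IB_PORT_DOWN;` ahead of the test would make the inline helper safe in that window. Parenthesising the bitwise test, `(if_getdrvflags(rdev->netdev) & IFF_DRV_RUNNING) != 0`, would also make the intended precedence explicit to the reader.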


=====================================
sys/dev/bnxt/bnxt_re/ib_verbs.c
=====================================
@@ -299,7 +299,7 @@ int bnxt_re_query_port(struct ib_device *ibdev, u8 port_num,
if (port_attr->state == IB_PORT_ACTIVE)
port_attr->phys_state = IB_PORT_PHYS_STATE_LINK_UP;
port_attr->max_mtu = IB_MTU_4096;
- port_attr->active_mtu = iboe_get_mtu(rdev->netdev->if_mtu);
+ port_attr->active_mtu = iboe_get_mtu(if_getmtu(rdev->netdev));
port_attr->gid_tbl_len = dev_attr->max_sgid;
port_attr->port_cap_flags = IB_PORT_CM_SUP | IB_PORT_REINIT_SUP |
IB_PORT_DEVICE_MGMT_SUP |
@@ -2118,7 +2118,7 @@ static int bnxt_re_init_qp_attr(struct bnxt_re_qp *qp, struct bnxt_re_pd *pd,
qplqp->max_rd_atomic = dev_attr->max_qp_rd_atom;
qplqp->max_dest_rd_atomic = dev_attr->max_qp_init_rd_atom;
}
- qplqp->mtu = ib_mtu_enum_to_int(iboe_get_mtu(rdev->netdev->if_mtu));
+ qplqp->mtu = ib_mtu_enum_to_int(iboe_get_mtu(if_getmtu(rdev->netdev)));
qplqp->dpi = &rdev->dpi_privileged; /* Doorbell page */
if (init_attr->create_flags) {
dev_dbg(rdev_to_dev(rdev),
@@ -2691,7 +2691,7 @@ int bnxt_re_modify_qp(struct ib_qp *ib_qp, struct ib_qp_attr *qp_attr,

/* MTU settings allowed only during INIT -> RTR */
if (qp_attr->qp_state == IB_QPS_RTR) {
- bnxt_re_init_qpmtu(qp, rdev->netdev->if_mtu, qp_attr_mask, qp_attr,
+ bnxt_re_init_qpmtu(qp, if_getmtu(rdev->netdev), qp_attr_mask, qp_attr,
&is_qpmtu_high);
if (udata && !ib_copy_from_udata(&ureq, udata, sizeof(ureq))) {
if (ureq.comp_mask & BNXT_RE_COMP_MASK_MQP_EX_PATH_MTU_MASK) {
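Review bot: The active MTU is now derived with `iboe_get_mtu(if_getmtu(rdev->netdev))` in bnxt_re_query_port and bnxt_re_init_qp_attr and read raw with `if_getmtu(rdev->netdev)` here, so three call sites repeat the same netdev access; a small `static inline` helper in bnxt_re.h next to bnxt_re_get_link_state, e.g. `bnxt_re_get_netdev_mtu(rdev)`, would keep them from drifting and give a single place to handle a NULL `netdev` if that can occur. Since this read feeds the MTU that user-supplied `ureq` values are later compared against, keeping it in one place also makes that validation easier to audit. bnxt_re_modify_qp begins and ends outside this hunk.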


=====================================
sys/dev/bnxt/bnxt_re/main.c
=====================================
@@ -4168,8 +4168,8 @@ static int bnxt_re_netdev_event(struct notifier_block *notifier,

dev_info(rdev_to_dev(rdev), "%s: Event = %s (0x%lx), rdev %s (real_dev %s)\n",
__func__, bnxt_re_netevent(event), event,
- rdev ? rdev->netdev ? rdev->netdev->if_dname : "->netdev = NULL" : "= NULL",
- (real_dev == netdev) ? "= netdev" : real_dev->if_dname);
+ rdev ? rdev->netdev ? if_getdname(rdev->netdev) : "->netdev = NULL" : "= NULL",
+ (real_dev == netdev) ? "= netdev" : if_getdname(real_dev));

if (!test_bit(BNXT_RE_FLAG_IBDEV_REGISTERED, &rdev->flags))
goto exit;
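Review bot: The nested ternary in the `dev_info` call guards against `rdev == NULL`, but `rdev_to_dev(rdev)` in the same call and `&rdev->flags` on the line after it dereference `rdev` unconditionally, so the `"= NULL"` branch cannot be what saves this function from a NULL `rdev`. Either `rdev` is already known non-NULL here and the outer guard should be dropped, leaving `rdev->netdev ? if_getdname(rdev->netdev) : "->netdev = NULL"`, or an explicit early return belongs before the log statement; note that `real_dev` gets no NULL guard at all before `if_getdname(real_dev)`. Parenthesising whatever ternary remains would help readability. bnxt_re_netdev_event starts outside the hunk.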


=====================================
sys/dev/qlnx/qlnxe/qlnx_os.c
=====================================
@@ -2622,6 +2622,7 @@ static int
qlnx_ioctl(if_t ifp, u_long cmd, caddr_t data)
{
int ret = 0, mask;
+ int flags;
struct ifreq *ifr = (struct ifreq *)data;
#ifdef INET
struct ifaddr *ifa = (struct ifaddr *)data;
@@ -2675,15 +2676,16 @@ qlnx_ioctl(if_t ifp, u_long cmd, caddr_t data)
QL_DPRINT4(ha, "SIOCSIFFLAGS (0x%lx)\n", cmd);

QLNX_LOCK(ha);
+ flags = if_getflags(ifp);

- if (if_getflags(ifp) & IFF_UP) {
+ if (flags & IFF_UP) {
if (if_getdrvflags(ifp) & IFF_DRV_RUNNING) {
- if ((if_getflags(ifp) ^ ha->if_flags) &
+ if ((flags ^ ha->if_flags) &
IFF_PROMISC) {
- ret = qlnx_set_promisc(ha, ifp->if_flags & IFF_PROMISC);
+ ret = qlnx_set_promisc(ha, flags & IFF_PROMISC);
} else if ((if_getflags(ifp) ^ ha->if_flags) &
IFF_ALLMULTI) {
- ret = qlnx_set_allmulti(ha, ifp->if_flags & IFF_ALLMULTI);
+ ret = qlnx_set_allmulti(ha, flags & IFF_ALLMULTI);
}
} else {
ha->max_frame_size = if_getmtu(ifp) +
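Review bot: The `flags` snapshot taken after `QLNX_LOCK(ha)` is used for the IFF_UP and IFF_PROMISC tests, but the `else if` on the ALLMULTI branch still re-reads `if_getflags(ifp)`, so the promisc and allmulti decisions can be made from two different values of the interface flags. Use the snapshot there too: `} else if ((flags ^ ha->if_flags) & IFF_ALLMULTI) {`. If `ha->if_flags` is later refreshed from the interface outside this hunk, it should be assigned from `flags` for the same reason. qlnx_ioctl's body continues past the hunk.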
@@ -7057,12 +7059,14 @@ qlnx_set_rx_mode(qlnx_host_t *ha)
{
int rc = 0;
uint8_t filter;
- const struct ifnet *ifp = ha->ifp;
+ const if_t ifp = ha->ifp;
+ const struct ifaddr *ifa;
struct sockaddr_dl *sdl;

- if (ifp->if_type == IFT_ETHER && ifp->if_addr != NULL &&
- ifp->if_addr->ifa_addr != NULL) {
- sdl = (struct sockaddr_dl *) ifp->if_addr->ifa_addr;
+ ifa = if_getifaddr(ifp);
+ if (if_gettype(ifp) == IFT_ETHER && ifa != NULL &&
+ ifa->ifa_addr != NULL) {
+ sdl = (struct sockaddr_dl *) ifa->ifa_addr;

rc = qlnx_set_ucast_rx_mac(ha, ECORE_FILTER_REPLACE, LLADDR(sdl));
} else {
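Review bot: `const if_t ifp` does not mean what `const struct ifnet *ifp` meant: `if_t` is a pointer typedef, so the qualifier now applies to the pointer variable itself rather than to the interface it points at. Given that the accessors appear to take a plain `if_t`, the honest declaration is `if_t ifp = ha->ifp;`. The `ifa` returned by `if_getifaddr` is dereferenced down to `LLADDR(sdl)` with no NET_EPOCH_ENTER visible in the hunk; if the caller does not already hold the epoch, that is worth confirming. The remainder of qlnx_set_rx_mode is in the next hunk.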
@@ -7079,10 +7083,10 @@ qlnx_set_rx_mode(qlnx_host_t *ha)
ECORE_ACCEPT_MCAST_MATCHED |
ECORE_ACCEPT_BCAST;

- if (qlnx_vf_device(ha) == 0 || (ha->ifp->if_flags & IFF_PROMISC)) {
+ if (qlnx_vf_device(ha) == 0 || (if_getflags(ha->ifp) & IFF_PROMISC)) {
filter |= ECORE_ACCEPT_UCAST_UNMATCHED;
filter |= ECORE_ACCEPT_MCAST_UNMATCHED;
- } else if (ha->ifp->if_flags & IFF_ALLMULTI) {
+ } else if (if_getflags(ha->ifp) & IFF_ALLMULTI) {
filter |= ECORE_ACCEPT_MCAST_UNMATCHED;
}
ha->filter = filter;
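Review bot: This part of qlnx_set_rx_mode goes back to `ha->ifp` although the function already has a local `ifp` for the same pointer, and it calls `if_getflags()` twice to decide between the PROMISC and ALLMULTI filters. Reading the flags once, `int ifflags = if_getflags(ifp);`, and testing both bits against that one value mirrors what the qlnx_ioctl hunk in this commit does and guarantees the two branches see the same state. The function's opening lines are in the previous hunk.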


=====================================
sys/netlink/route/iface.c
=====================================
@@ -322,11 +322,13 @@ dump_iface(struct nl_writer *nw, if_t ifp, const struct nlmsghdr *hdr,
*/
if (if_getaddrlen(ifp) != 0) {
struct ifaddr *ifa;
+ struct ifa_iter it;

NET_EPOCH_ENTER(et);
- ifa = CK_STAILQ_FIRST(&ifp->if_addrhead);
+ ifa = ifa_iter_start(ifp, &it);
if (ifa != NULL)
dump_sa(nw, IFLA_ADDRESS, ifa->ifa_addr);
+ ifa_iter_finish(&it);
NET_EPOCH_EXIT(et);
}
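Review bot: dump_iface now exports the first entry of the address list as IFLA_ADDRESS without checking its family; if the link-level address is always the head of that list by construction this is fine, but a cheap `ifa->ifa_addr->sa_family == AF_LINK` test beside the `ifa != NULL` check would keep a non-link sockaddr from reaching userland as a hardware address should that invariant ever not hold. Whether `ifa_iter_start` relies on the surrounding NET_EPOCH_ENTER or pins the list itself is not visible here; a one-line comment stating which would help the next reader. dump_iface continues outside the hunk.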



=====================================
sys/security/mac_ipacl/mac_ipacl.c
=====================================
@@ -315,7 +315,7 @@ SYSCTL_PROC(_security_mac_ipacl, OID_AUTO, rules,

static int
rules_check(struct ucred *cred,
- struct ipacl_addr *ip_addr, struct ifnet *ifp)
+ struct ipacl_addr *ip_addr, if_t ifp)
{
struct ip_rule *rule;
int error;
@@ -342,7 +342,7 @@ rules_check(struct ucred *cred,
continue;

if (strcmp(rule->if_name, "\0") &&
- strcmp(rule->if_name, ifp->if_xname))
+ strcmp(rule->if_name, if_name(ifp)))
continue;

switch (rule->af) {
@@ -395,7 +395,7 @@ rules_check(struct ucred *cred,
#ifdef INET
static int
ipacl_ip4_check_jail(struct ucred *cred,
- const struct in_addr *ia, struct ifnet *ifp)
+ const struct in_addr *ia, if_t ifp)
{
struct ipacl_addr ip4_addr;

@@ -415,7 +415,7 @@ ipacl_ip4_check_jail(struct ucred *cred,
#ifdef INET6
static int
ipacl_ip6_check_jail(struct ucred *cred,
- const struct in6_addr *ia6, struct ifnet *ifp)
+ const struct in6_addr *ia6, if_t ifp)
{
struct ipacl_addr ip6_addr;



=====================================
usr.sbin/bhyve/bhyve.8
=====================================
@@ -22,7 +22,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd November 20, 2023
+.Dd December 23, 2025
.Dt BHYVE 8
.Os
.Sh NAME
@@ -374,7 +374,7 @@ PCI 16550 serial device.
.It Cm lpc
LPC PCI-ISA bridge with COM1, COM2, COM3, and COM4 16550 serial ports,
a boot ROM, and,
-optionally, a TPM module, a fwcfg type, and the debug/test device.
+optionally, a TPM module, a fw_cfg type, and the debug/test device.
The LPC bridge emulation can only be configured on bus 0.
.It Cm fbuf
Raw framebuffer device attached to VNC server.
@@ -509,10 +509,10 @@ Disable emulation of guest trim requests via
.Dv DIOCGDELETE
requests.
.It Li bootindex= Ns Ar index
-Add the device to the bootorder at
+Add the device to the boot order at
.Ar index .
-A fwcfg file is used to specify the bootorder.
-The guest firmware may ignore or doesn't support this fwcfg file.
+A fw_cfg file is used to specify the boot order.
+The guest firmware may ignore or doesn't support this fw_cfg file.
In that case, this feature doesn't work as expected.
.El
.Pp
@@ -532,10 +532,10 @@ are:
Initiator ID to use when sending requests to specified CTL port.
The default value is 0.
.It Li bootindex= Ns Ar index
-Add the device to the bootorder at
+Add the device to the boot order at
.Ar index .
-A fwcfg file is used to specify the bootorder.
-The guest firmware may ignore or doesn't support this fwcfg file.
+A fw_cfg file is used to specify the boot order.
+The guest firmware may ignore or not support this fw_cfg file.
In that case, this feature doesn't work as expected.
.El
.Pp
@@ -611,10 +611,11 @@ address space, and any modifications the guest makes will be saved
to that file.
.El
.Pp
-Fwcfg types:
+fw_cfg types:
.Bl -tag -width 10n
.It Ar fwcfg
-The fwcfg interface is used to pass information such as the CPU count or ACPI tables to the guest firmware.
+The fw_cfg interface is used to pass information such as the CPU count
+or ACPI tables to the guest firmware.
Supported values are
.Ql bhyve
and
@@ -628,10 +629,13 @@ is used, bhyve's fwctl interface is used.
It currently reports only the CPU count to the guest firmware.
The
.Ql qemu
-option uses QEMU's fwcfg interface.
-This interface is widely used and allows user-defined information to be passed to the guest.
-It is used for passing the CPU count, ACPI tables, a boot order and many other things to the guest.
-Some operating systems such as Fedora CoreOS can be configured by qemu's fwcfg interface as well.
+option uses QEMU's fw_cfg interface.
+This interface is widely used and allows user-defined information to
+be passed to the guest.
+It is used for passing the CPU count, ACPI tables, a boot order and
+many other things to the guest.
+Some operating systems such as Fedora CoreOS can be configured by
+QEMU's fw_cfg interface as well.
.El
.Pp
Pass-through device backends:
@@ -667,10 +671,10 @@ Add
as option ROM to the PCI device.
The ROM will be loaded by firmware and should be capable of initializing the device.
.It Li bootindex= Ns Ar index
-Add the device to the bootorder at
+Add the device to the boot order at
.Ar index .
-A fwcfg file is used to specify the bootorder.
-The guest firmware may ignore or doesn't support this fwcfg file.
+A fw_cfg file is used to specify the boot order.
+The guest firmware may ignore or doesn't support this fw_cfg file.
In that case, this feature doesn't work as expected.
.El
.Pp
@@ -678,7 +682,7 @@ Guest memory must be wired using the
.Fl S
option when a pass-through device is configured.
.Pp
-The host device must have been reserved at boot-time using the
+The host device must have been reserved at boot time using the
.Va pptdevs
loader variable as described in
.Xr vmm 4 .
@@ -793,7 +797,7 @@ standard PCI devices with BAR addressing, but may also
implicitly decode legacy VGA I/O space
.Pq Ad 0x3c0-3df
and memory space
-.Pq 64KB at Ad 0xA0000 .
+.Pq 64 KiB at Ad 0xA0000 .
The default
.Cm io
option should be used for guests that attempt to issue BIOS calls which result
@@ -876,7 +880,7 @@ Serial number with maximum 20 characters.
.It Cm eui64
IEEE Extended Unique Identifier (8 byte value).
.It Cm dsm
-DataSet Management support.
+Dataset Management support.
Supported values are:
.Cm auto , enable ,
and
@@ -899,14 +903,15 @@ Configuration options are defined as follows:
.Bl -tag -width 10n
.It Cm nmrr
Nominal Media Rotation Rate, known as RPM.
-Value 1 will indicate device as Solid State Disk.
-Default value is 0, not report.
+A value of 1 indicates that the device is a solid state drive, i.e.,
+non-rotational.
+Default value is 0.
.It Cm ser
-Serial Number with maximum 20 characters.
+Serial number with maximum 20 characters.
.It Cm rev
-Revision Number with maximum 8 characters.
+Revision number with maximum 8 characters.
.It Cm model
-Model Number with maximum 40 characters.
+Model number with maximum 40 characters.
.El
.Pp
HD Audio device backends:
@@ -1028,7 +1033,7 @@ or a similar boot loader before
can be run.
Otherwise, the boot loader is not needed.
.Pp
-To run a virtual machine with 1GB of memory, two virtual CPUs, a virtio
+To run a virtual machine with 1 GiB of memory, two virtual CPUs, a virtio
block device backed by the
.Pa /my/image
filesystem image, and a serial port for the console:
@@ -1037,7 +1042,7 @@ bhyve -c 2 -s 0,hostbridge -s 1,lpc -s 2,virtio-blk,/my/image \\
-l com1,stdio -A -H -P -m 1G vm1
.Ed
.Pp
-Run a 24GB single-CPU virtual machine with three network ports, one of which
+Run a 24 GiB single-CPU virtual machine with three network ports, one of which
has a MAC address specified:
.Bd -literal -offset indent
bhyve -s 0,hostbridge -s 1,lpc -s 2:0,virtio-net,tap0 \\
@@ -1047,7 +1052,7 @@ bhyve -s 0,hostbridge -s 1,lpc -s 2:0,virtio-net,tap0 \\
-A -H -P -m 24G bigvm
.Ed
.Pp
-Run an 8GB quad-CPU virtual machine with 8 AHCI SATA disks, an AHCI ATAPI
+Run an 8 GiB quad-CPU virtual machine with 8 AHCI SATA disks, an AHCI ATAPI
CD-ROM, a single virtio network port, an AMD hostbridge, and the console
port connected to an
.Xr nmdm 4



View it on GitLab: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/compare/ed4d30c3432a4749f5360bb93d3d04e985866d69...b831a1aec290c2338b94e20ae222c042fe75b697
