While agreeing this is useful fixing the silent fallout in third
party programs will probably not be so nice.

Approved by:	so
Security:	FreeBSD-SA-18:15.bootpd
Security:	FreeBSD-EN-18:16.ptrace
Security:	FreeBSD-EN-18:17.vm
Security:	FreeBSD-EN-18:18.zfs

Due to insufficient validation of network-provided data it may have been
possible for a malicious actor to craft a bootp packet which could cause
a stack buffer overflow.

admbugs:	850
Reported by:	Reno Robert
Reviewed by:	markj
Approved by:	so
Security:	FreeBSD-SA-18:15.bootpd
Sponsored by:	The FreeBSD Foundation

  This is caused by a deadlock between zil_commit() and zfs_zget()
  Add a way for zfs_zget() to break out of the retry loop in the common case

PR:		229614, 231117
Submitted by:	allanjude
Approved by:	so
Security:	FreeBSD-EN-18:18.zfs
Sponsored by:	Klara Systems, The FreeBSD Foundation

PR:		231296
Submitted by:	markj
Approved by:	so
Security:	FreeBSD-EN-18:17.vm
Sponsored by:	The FreeBSD Foundation

This fixes a panic when attaching to an already-stopped process.

Also do some other clean ups for control flow of sendsig section.

Submitted by:	markj
Approved by:	so
Security:	FreeBSD-EN-18:16.ptrace
Sponsored by:	The FreeBSD Foundation

pull https://reviews.freebsd.org/D17896 to fix netmap tx / bpf packet tap hook, closes https://github.com/opnsense/core/issues/1632

tested locally with intel igb driver, seems to be working fine, lets give this some time in our dev version.

Submitted by:   jhb
Reported by:    Reno Robert
Approved by:    so
Security:       FreeBSD-SA-18:14.bhyve
Security:       CVE-2018-17160

Submitted by:	dteske
Approved by:	so
Security:	FreeBSD-EN-18:15.loader

Approved by:	so
Security:	FreeBSD-EN-18:14.tzdata

Approved by:	so
Security:	FreeBSD-EN-18:13.icmp
Security:	CVE-2018-17156

Reported by:	Jakub Jirasek, Secunia Research at Flexera
Approved by:	so
Security:	FreeBSD-SA-18:13.nfs
Security:	CVE-2018-17157
Security:	CVE-2018-17158
Security:	CVE-2018-17159

HardenedBSD still has SEGVGUARD in opt-in mode by default. OPNsense
needs to have this as opt-out by default.

Signed-off-by: Shawn Webb <shawn@opnsense.org>

Submitted by: @lattera

pf: Replace rwlock on PF_RULES_LOCK with rmlock

Given that PF_RULES_LOCK is a mostly read lock, replace the rwlock with rmlock.
This change improves packet processing rate in high pps environments.
Benchmarking by olivier@ shows a 65% improvement in pps.

While here, also eliminate all appearances of "sys/rwlock.h" includes since it
is not used anymore.

Submitted by:   farrokhi@

pf: Limit the maximum number of fragments per packet

Similar to the network stack issue fixed in r337782 pf did not limit the number
of fragments per packet, which could be exploited to generate high CPU loads
with a crafted series of packets.

Limit each packet to no more than 64 fragments. This should be sufficient on
typical networks to allow maximum-sized IP frames.

This addresses the issue for both IPv4 and IPv6.

Security:	CVE-2018-5391
Sponsored by:	Klara Systems

pfsync: Fix state sync during initial bulk update

States learned via pfsync from a peer with the same ruleset checksum were not
getting assigned to rules like they should because pfsync_in_upd() wasn't
passing the PFSYNC_SI_CKSUM flag along to pfsync_state_import.

PR:		229092
Submitted by:	Kajetan Staszkiewicz <vegeta tuxpowered.net>
Obtained from:	OpenBSD
Sponsored by:	InnoGames GmbH

  Make dhclient(8) verify if new MTU (option 26) differs from current one
  and skip unneeded MTU change. This check eliminates infinite loop
  of MTU change / link flap / lease verification / MTU change / link flap etc.
  in case of some NIC drivers like em(4) or igb(4).

PR:		229432
Approved by:	mav (mentor)

Taken from: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231797

Add description, parameters, options, sysctl and examples of using AQMs to ipfw man page. CoDel, PIE, FQ-CoDel and FQ-PIE AQM for Dummynet exist in FreeBSD 11 and 10.3.

Submitted by:	ralsaadi@swin.edu.au
Reviewed by:	AllanJude
Approved by:	re (gjb)
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D12507

When we have three repos, even if two are disabled, the pkg upgrade
output changes and breaks our backend scanning code...

This reverts commit a3d6a458.
Magic undocumented characters in libarchive can fix this elsewhere.

PR: https://github.com/libarchive/libarchive/issues/1071

Taken from: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=189772
PR: https://github.com/opnsense/core/issues/2114

Reported by:	Thomas Barabosch, Fraunhofer FKIE
Approved by:	so
Security:	FreeBSD-EN-18:12.mem
Security:	CVE-2018-17155

Reported by:	Jakub Jirasek, Secunia Research at Flexera
Approved by:	so
Security:	FreeBSD-EN-18:11.listen
Security:	CVE-2018-6925

Reported by:	Thomas Barabosch, Fraunhofer FKIE
Approved by:	so
Security:	FreeBSD-EN-18:10.syscall
Security:	CVE-2018-17154

Approved by:	so
Security:	FreeBSD-EN-18:09.ip

Approved by:	so
Security:	FreeBSD-EN-18:08.lazyfpu

Approved by:	so
Security:	FreeBSD-SA-18:12.elf
Security:	CVE-2018-6924

Fix L1 Terminal Fault (L1TF) kernel information disclosure.
[SA-18:09.l1tf]

Fix resource exhaustion in IP fragment reassembly. [SA-18:10.ip]

Fix unauthenticated EAPOL-Key decryption vulnerability.
[SA-18:11.hostapd]

Approved by:	so

Approved by:	so

Currently, the per-queue limit is a function of the receive buffer
size and the MSS.  In certain cases (such as connections with large
receive buffers), the per-queue segment limit can be quite large.
Because we process segments as a linked list, large queues may not
perform acceptably.

The better long-term solution is to make the queue more efficient.
But, in the short-term, we can provide a way for a system
administrator to set the maximum queue size.

We set the default queue limit to 100.  This is an effort to balance
performance with a sane resource limit.  Depending on their
environment, goals, etc., an administrator may choose to modify this
limit in either direction.

Approved by:	so
Security:	FreeBSD-SA-18:08.tcp
Security:	CVE-2018-6922

pf will unconditionally "set prio", so this will fail if the
sysctl is off.  The sysctl, however, introduces a side-effect
so we would rather keep the default behaviour.  The allocation
slowdown is already taking place, so this in the worst case
only adds a list traversal / lookup.

PR: https://forum.opnsense.org/index.php?topic=6714.0

Based on feedback by countless users, this removes the if_output
calls in the pf code that escape pfil processing in IPv4 by going
the long way.

In our 11.1 iteration ip_tryforward() is easy to port and while
we are at it we shall also tackle IPv6.  :)

11.2 update adds all recent fixes into this single commit.

Many thanks to Andrey V. Elsukov (ae@) for giving this direction
and review.

Also see: https://reviews.freebsd.org/D8877

This fixes an out-of-bounds read vulnerability in libarchive.

Signed-off-by: Shawn Webb <shawn.webb@hardenedbsd.org>
Sponsored-by:	SoldierX
MFC-to:		11-STABLE

Includes later fixes in OPNsense 18.7 while reworking it for 19.1.

Taken from: https://github.com/pfsense/FreeBSD-src/tree/RELENG_2_4