FreeBSD 12.3-BETA2 Now Available

2021-10-29 Thread Glen Barber

The second BETA build of the 12.3-RELEASE release cycle is now
available.

Installation images are available for:

o 12.3-BETA2 amd64 GENERIC
o 12.3-BETA2 i386 GENERIC
o 12.3-BETA2 powerpc GENERIC
o 12.3-BETA2 powerpc64 GENERIC64
o 12.3-BETA2 powerpcspe MPC85XXSPE
o 12.3-BETA2 sparc64 GENERIC
o 12.3-BETA2 armv6 RPI-B
o 12.3-BETA2 armv7 BANANAPI
o 12.3-BETA2 armv7 BEAGLEBONE
o 12.3-BETA2 armv7 CUBIEBOARD
o 12.3-BETA2 armv7 CUBIEBOARD2
o 12.3-BETA2 armv7 CUBOX-HUMMINGBOARD
o 12.3-BETA2 armv7 RPI2
o 12.3-BETA2 armv7 WANDBOARD
o 12.3-BETA2 armv7 GENERICSD
o 12.3-BETA2 aarch64 GENERIC
o 12.3-BETA2 aarch64 RPI3
o 12.3-BETA2 aarch64 PINE64
o 12.3-BETA2 aarch64 PINE64-LTS

Note regarding arm SD card images: For convenience for those without
console access to the system, a freebsd user with a password of
freebsd is available by default for ssh(1) access.  Additionally,
the root user password is set to root.  It is strongly recommended
to change the password for both users after gaining access to the
system.

Installer images and memory stick images are available here:

https://download.freebsd.org/ftp/releases/ISO-IMAGES/12.3/

The image checksums follow at the end of this e-mail.

If you notice problems you can report them through the Bugzilla PR
system or on the -stable mailing list.

If you would like to use SVN to do a source based update of an existing
system, use the "releng/12.3" branch.

A summary of changes since 12.3-BETA1 includes:

o An update to cmp(1) to limit stack garbage limits.

o An update to tzdata to correct DST in Palestine.

o An update to tzdata to correct DST in Fiji.

Please note, the release notes page is not yet complete, and will be
updated on an ongoing basis as the 12.3-RELEASE cycle progresses.

=== Virtual Machine Disk Images ===

VM disk images are available for the amd64, i386, and aarch64
architectures.  Disk images may be downloaded from the following URL
(or any of the FreeBSD download mirrors):

https://download.freebsd.org/ftp/releases/VM-IMAGES/12.3-BETA2/

The partition layout is:

~ 16 kB - freebsd-boot GPT partition type (bootfs GPT label)
~ 1 GB  - freebsd-swap GPT partition type (swapfs GPT label)
~ 20 GB - freebsd-ufs GPT partition type (rootfs GPT label)

The disk images are available in QCOW2, VHD, VMDK, and raw disk image
formats.  The image download size is approximately 135 MB and 165 MB
respectively (amd64/i386), decompressing to a 21 GB sparse image.

Note regarding arm64/aarch64 virtual machine images: a modified QEMU EFI
loader file is needed for qemu-system-aarch64 to be able to boot the
virtual machine images.  See this page for more information:

https://wiki.freebsd.org/arm64/QEMU

To boot the VM image, run:

% qemu-system-aarch64 -m 4096M -cpu cortex-a57 -M virt  \
    -bios QEMU_EFI.fd -serial telnet::,server -nographic \
    -drive if=none,file=VMDISK,id=hd0 \
    -device virtio-blk-device,drive=hd0 \
    -device virtio-net-device,netdev=net0 \
    -netdev user,id=net0

Be sure to replace "VMDISK" with the path to the virtual machine image.

=== Amazon EC2 AMI Images ===

FreeBSD/amd64 EC2 AMIs are available in the following regions:

  af-south-1 region: ami-077f91c5579626bad
  eu-north-1 region: ami-01c6e730d8917d8fb
  ap-south-1 region: ami-0e74c2b98d730343c
  eu-west-3 region: ami-04fdf60792918c090
  eu-west-2 region: ami-01be6f12a4e591114
  eu-south-1 region: ami-0ba9a90dd98c1969b
  eu-west-1 region: ami-079adc2700379a1d1
  ap-northeast-3 region: ami-0761cd0c639b03110
  ap-northeast-2 region: ami-0cb94263bd6197e12
  me-south-1 region: ami-0bc9f87632bece6bf
  ap-northeast-1 region: ami-05d427cd27dbcf07a
  sa-east-1 region: ami-021df0ed72eb03e7f
  ca-central-1 region: ami-04256dde3f8311c5e
  ap-east-1 region: ami-00a8323acfe870fe0
  ap-southeast-1 region: ami-03a8c238c7244735f
  ap-southeast-2 region: ami-0e1596ddd79df0a10
  eu-central-1 region: ami-02f6ffa749afb395c
  us-east-1 region: ami-095d5102d288197f3
  us-east-2 region: ami-01b2bbcb153589b40
  us-west-1 region: ami-01d596be82cbb9b27
  us-west-2 region: ami-00cc992baab13fc46

These AMI IDs can be retrieved from the Systems Manager Parameter Store
in each region using the keys:

/aws/service/freebsd/amd64/base/ufs/12.3/BETA2

FreeBSD/aarch64 EC2 AMIs are available in the following regions:

  af-south-1 region: ami-0db50a53f15e9902b
  eu-north-1 region: ami-0413d10427fe88127
  ap-south-1 region: ami-09ad53f96f56994c2
  eu-west-3 region: ami-08897f38e3d6fb380
  eu-west-2 region: ami-02d1e2e28ed1f28c4
  eu-south-1 region: ami-0d838b338efcf104c
  eu-west-1 region: ami-09bc1c176a30922f8
  ap-northeast-3 region: ami-0ecf1374e8750796f
  ap-northeast-2 region: ami-05db57ad14b5868a5
  me-south-1 region: ami-018cde3f9d96590dd
  ap-northeast-1 region: ami-01ded5df514820f25
  sa-east-1 region: ami-0bc216bdb785ee86a
  ca-central-1 region: ami-0f8a0b276eb0921f4
  ap-east-1 region: ami-05ad39a06870d63

Re: IPv6 checksum errors with divert

2021-10-29 Thread Andrey V. Elsukov
27.10.2021 16:28, Peter wrote:
> I see these checksum error when the packet goes into the divert
> socket, I see it when the packet comes back from divert, and I
> see it when the packet goes out onto the network.

> But, when I remove the divert socket from the path, then I still
> see the checksum error at the place where the divert would have
> happened, but when the packet goes out to the network, the checksums
> are okay.

Hi,

This is usually due to enabled IPv6 checksum offloading on the NIC. When
upper level protocols like TCP/UDP/SCTP send a packet, they can leave the
checksum for delayed calculation. This delayed calculation occurs when the
IP packet is going to the physical interface. If an interface is unable
to offload checksum calculation, the IP layer does a forced calculation,
otherwise it leaves the checksum as is. This is why you see corrupted
checksums in the tcpdump output on the egress interface. It is just not yet
calculated by the interface.

Divert was designed for IPv4 only and it does not properly support
other address families.

But you can try this patch:
 https://people.freebsd.org/~ae/ipv6_divert_csum.diff

-- 
WBR, Andrey V. Elsukov





Re: IPv6 checksum errors with divert

2021-10-29 Thread Peter


Hi Andrey,

On Fri, Oct 29, 2021 at 08:45:38PM +0300, Andrey V. Elsukov wrote:
! 27.10.2021 16:28, Peter wrote:
! > I see these checksum error when the packet goes into the divert
! > socket, I see it when the packet comes back from divert, and I
! > see it when the packet goes out onto the network.
! 
! > But, when I remove the divert socket from the path, then I still
! > see the checksum error at the place where the divert would have
! > happened, but when the packet goes out to the network, the checksums
! > are okay.
! 
! Hi,
! 
! This is usually due to enabled IPv6 checksum offloading on the NIC. When

The nic is 'tun0', and I don't think it ever does hardware checksum offload.

! upper level protocols like TCP/UDP/SCTP send a packet, they can leave the
! checksum for delayed calculation. This delayed calculation occurs when the
! IP packet is going to the physical interface.

Yes, but when a packet goes thru divert(4), the CSUM_DELAY_DATA* flags
are lost, and cksum will not be inserted later when transmitting.

! Divert was designed for IPv4 only and it does not properly support
! other address families.

Ah, yes, I figured that. But suricata runs on divert, and it runs IPv4
and IPv6.
(suricata wants to dump ipfw support, but I don't want that to happen,
because it is just cute to be able to wire it arbitrarily into any
flow desired.)

! But you can try this patch:
!  https://people.freebsd.org/~ae/ipv6_divert_csum.diff

Yeah, I came up with mostly the same patch yesterday. ;) And it works!


I don't get why this isn't in the code. Divert may not be supposed
to support IPv6; but then, that code does already have some "#ifdef
INET6", so it does also not really /not/ support it - it is just stuck
somewhere in limbo.


Cheerio,
PMc
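
The checksum question in this thread, as an added example that is not code from either poster or from the linked patch: a C routine that verifies the TCP/UDP checksum of an IPv6 packet against the RFC 8200 pseudo-header and can rewrite it in place, so a program reading from a divert socket can tell a checksum that was never filled in from a finished one. The function names and the sample packet are constructed for illustration, and extension headers are not handled.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample: UDP "test", 2001:db8::1 port 12345 -> 2001:db8::2 port 53,
 * checksum field still zero, as before a delayed calculation has run. */
uint8_t sample_pkt[52] = {
    0x60,0,0,0, 0,12, 17, 64,                         /* version, plen, nxt, hlim */
    0x20,0x01,0x0d,0xb8,0,0,0,0, 0,0,0,0,0,0,0,1,     /* source */
    0x20,0x01,0x0d,0xb8,0,0,0,0, 0,0,0,0,0,0,0,2,     /* destination */
    0x30,0x39, 0,53, 0,12, 0,0, 't','e','s','t' };    /* UDP header, data */

/* One's-complement sum of big-endian 16-bit words; odd last byte zero-padded. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc) {
    for (; n > 1; p += 2, n -= 2)
        acc += (uint32_t)p[0] << 8 | p[1];
    return n ? acc + ((uint32_t)p[0] << 8) : acc;
}

/* Folded sum over the RFC 8200 pseudo-header and segment; 0xffff if valid. */
static uint16_t l4_sum(const uint8_t *pkt, size_t plen) {
    /* source + destination address, upper-layer length, next header */
    uint32_t acc = sum16(pkt + 8, 32, 0) + (uint32_t)plen + pkt[6];
    acc = sum16(pkt + 40, plen, acc);
    while (acc >> 16)
        acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)acc;
}

/* 1 = checksum verifies, 0 = it does not, -1 = truncated, not IPv6, or not
 * plain TCP/UDP (extension headers are not walked). fix != 0 rewrites it. */
int ip6_l4_cksum(uint8_t *pkt, size_t len, int fix) {
    size_t plen, off;
    if (len < 40 || (pkt[0] >> 4) != 6) return -1;
    plen = (size_t)pkt[4] << 8 | pkt[5];
    off = pkt[6] == 6 ? 16 : pkt[6] == 17 ? 6 : 0;   /* TCP : UDP field offset */
    if (off == 0 || plen < off + 2 || plen > len - 40) return -1;
    if (l4_sum(pkt, plen) == 0xffff) return 1;
    if (fix) {
        pkt[40 + off] = pkt[41 + off] = 0;
        uint16_t c = (uint16_t)~l4_sum(pkt, plen);
        if (c == 0 && pkt[6] == 17) c = 0xffff;      /* UDP never sends zero */
        pkt[40 + off] = (uint8_t)(c >> 8);
        pkt[41 + off] = (uint8_t)c;
    }
    return 0;
}

int main(void) {   /* exit 0: the sample fails, is repaired, then verifies */
    return !(ip6_l4_cksum(sample_pkt, 52, 1) == 0 && ip6_l4_cksum(sample_pkt, 52, 0) == 1);
}
```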