Re: pf: once for match rules?

2014-08-20 Thread Mike Belopuhov
On Tue, Aug 12, 2014 at 18:26 +0200, Mike Belopuhov wrote:
 On Tue, Jul 22, 2014 at 19:03 +0200, Mike Belopuhov wrote:
  Hi,
  
  Before I send a diff for pfctl to disable once on match rules,
  I've decided to try and see how much work it is to make it actually
  work.  Turns out that I need to extend pf_rule_item by 3 pointers
  to track the match rule ruleset, anchor rule and the ruleset it
  belongs to.
  
  Here's what this means in practice.  Consider a ruleset:
  
    block drop all
    match out log proto tcp to port 22 once
    anchor foo all {
      match out log proto tcp to port 22 once
      anchor bar all {
        match out log proto tcp to port 22 once
        pass out quick proto tcp to port 22 once
      }
    }
  
  Once we send a packet to port 22 the ruleset collapses to just:
  
   block drop all
  
  Thoughts?
 
 Henning thinks it's a bit of an overkill.  Any other opinions?
 

here we go then.  OK?

diff --git sbin/pfctl/parse.y sbin/pfctl/parse.y
index c277b8d..61c2646 100644
--- sbin/pfctl/parse.y
+++ sbin/pfctl/parse.y
@@ -1488,12 +1488,18 @@ pfrule  : action dir logquick interface af 
proto fromto
if ($8.marker  FOM_SETPRIO) {
r.set_prio[0] = $8.set_prio[0];
r.set_prio[1] = $8.set_prio[1];
r.scrub_flags |= PFSTATE_SETPRIO;
}
-   if ($8.marker  FOM_ONCE)
+   if ($8.marker  FOM_ONCE) {
+   if (r.action == PF_MATCH) {
+   yyerror(can't specify once for 
+   match rules);
+   YYERROR;
+   }
r.rule_flag |= PFRULE_ONCE;
+   }
if ($8.marker  FOM_AFTO)
r.rule_flag |= PFRULE_AFTO;
r.af = $5;
 
if ($8.tag)
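Review bot: the new check inside the FOM_ONCE branch turns `match ... once` into a hard parse error, so pf.conf(5)'s description of `once` should say it is only valid on pass/block rules, and the commit message should note that rulesets which previously loaded with `match ... once` (and silently behaved as Mike describes above) will now be rejected by pfctl. The two-line yyerror string and the YYERROR after it follow the surrounding parse.y style; the check itself (`r.action == PF_MATCH`) is the right place since action is already set when the option block is processed.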



Re: Make procfs root listing work again

2014-08-20 Thread Visa Hankala
On Tue, Aug 19, 2014 at 10:14:59PM -0700, Philip Guenther wrote:
 Can you describe what you're using that needs it?

Well, I am not using it. The code has not been sent to the Attic yet and
I happened to take a look at it. That is all.



Re: arp(8) output and expire timer

2014-08-20 Thread Martin Pieuchot
On 18/08/14(Mon) 11:55, Henning Brauer wrote:
 * Martin Pieuchot mpieuc...@nolizard.org [2014-08-18 11:03]:
  On 15/08/14(Fri) 10:43, Henning Brauer wrote:
   * Stuart Henderson st...@openbsd.org [2014-08-15 10:29]:
On 2014/08/12 15:46, Martin Pieuchot wrote:
 I find arp(8) output really difficult to read, but more importantly it
 does not print the expire time of non permanent entries like ndp(8).
 So the diff below changes arp(8)'s output to be more similar to ndp(8)'s.
Personally I like the extra information from the timer,
   same here
but not the big change of format (I find the extra whitespace makes
it harder to see which MAC address goes with each IP address)
   I actually like the proposed new format there better.
or loss of IP addresses where a name exists.
   here I agree with stuart.
  Well, I couldn't come up with a better trade-off.  The actual output does
  not fit in 80 columns as soon as a FQDN is a bit long and adding the
  timer information does not help.  So instead of reinventing an output,
  I tried to match what ndp does.
  At least with this diff the -n flag is coherent with what route(8),
  netstat(8) and ndp(8) do.
  So I hear what you say but I don't see which output can address the
  points you raised.
  So unless somebody has a better idea, I'd like to commit this so that
  we can get used to the new output 8)
 
 fair enough. ok.

If I don't get any other suggestion, I'll commit the diff tomorrow.



Re: syslogd ipv6 getnameinfo

2014-08-20 Thread Jérémie Courrèges-Anglas
Alexander Bluhm alexander.bl...@gmx.net writes:

 On Tue, Aug 19, 2014 at 01:59:42AM +0200, Alexander Bluhm wrote:
 I will split this diff into smaller parts to make review and
 discussion easier.

 Replace gethostbyaddr(3) with getnameinfo(3).

 Note that I remove the sigprocmask() that was added in rev 1.23
 before privsep.  It was necessary because gethostbyaddr() is not
 signal safe.

 ok?

ok.

Could you please update the comments about the return values of
priv_get(addr|name)info?

[...]

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE



Re: let vlan(4) mtu be limited by the parent's hardmtu instead of current mtu

2014-08-20 Thread Chris Cappuccio
ok chris@ 

David Gwynne [da...@gwynne.id.au] wrote:
 this lets you have networks on the native vlan on an interface
 at 1500, while setting a child vlan interface's mtu to jumbos.
 
 ok?
 
 Index: if_vlan.c
 ===
 RCS file: /cvs/src/sys/net/if_vlan.c,v
 retrieving revision 1.108
 diff -u -p -r1.108 if_vlan.c
 --- if_vlan.c 12 Jul 2014 18:44:22 -  1.108
 +++ if_vlan.c 19 Aug 2014 23:52:15 -
 @@ -528,9 +528,9 @@ vlan_ioctl(struct ifnet *ifp, u_long cmd
   case SIOCSIFMTU:
   if (ifv-ifv_p != NULL) {
   if (ifv-ifv_p-if_capabilities  IFCAP_VLAN_MTU)
 - p_mtu = ifv-ifv_p-if_mtu;
 + p_mtu = ifv-ifv_p-if_hardmtu;
   else
 - p_mtu = ifv-ifv_p-if_mtu - EVL_ENCAPLEN;
 + p_mtu = ifv-ifv_p-if_hardmtu - EVL_ENCAPLEN;
   
   if (ifr-ifr_mtu  p_mtu || ifr-ifr_mtu  ETHERMIN)
   error = EINVAL;
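Review bot: with p_mtu now derived from the parent's if_hardmtu (minus EVL_ENCAPLEN when the parent lacks IFCAP_VLAN_MTU), a vlan child may be configured with an MTU larger than the parent's currently configured if_mtu. That is only safe if the parent driver sizes its receive buffers from the hardware maximum; as noted further down this thread, some drivers still derive their MRU from the configured MTU, and on those the child's large frames would be dropped on receive. Suggest either stating in vlan(4) that the parent must accept frames up to its hardmtu regardless of its own mtu setting, or keeping the if_mtu bound for parents that are known to size their MRU from if_mtu. The unchanged range check against ETHERMIN on the following line still applies, which is good.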



Re: syslogd ipv6 socket

2014-08-20 Thread Alexander Bluhm
On Tue, Aug 19, 2014 at 01:59:42AM +0200, Alexander Bluhm wrote:
 I will split this diff into smaller parts to make review and
 discussion easier.

Send and receive UDP syslog packets on the IPv6 socket.

ok?

bluhm

Index: usr.sbin/syslogd/privsep.c
===
RCS file: /cvs/src/usr.sbin/syslogd/privsep.c,v
retrieving revision 1.38
diff -u -p -r1.38 privsep.c
--- usr.sbin/syslogd/privsep.c  20 Aug 2014 20:10:17 -  1.38
+++ usr.sbin/syslogd/privsep.c  20 Aug 2014 23:16:41 -
@@ -177,6 +177,8 @@ priv_init(char *conf, int numeric, int l
close(pfd[PFD_UNIX_0 + i].fd);
if (pfd[PFD_INET].fd != -1)
close(pfd[PFD_INET].fd);
+   if (pfd[PFD_INET6].fd != -1)
+   close(pfd[PFD_INET6].fd);
if (pfd[PFD_CTLSOCK].fd != -1)
close(pfd[PFD_CTLSOCK].fd);
if (pfd[PFD_CTLCONN].fd != -1)
@@ -306,8 +308,8 @@ priv_init(char *conf, int numeric, int l
must_read(socks[0], servname, servname_len);
servname[servname_len - 1] = '\0';
 
-   memset(hints, '\0', sizeof(hints));
-   hints.ai_family = AF_INET;
+   memset(hints, 0, sizeof(hints));
+   hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_DGRAM;
i = getaddrinfo(hostname, servname, hints, res0);
if (i != 0 || res0 == NULL) {
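Review bot: changing hints.ai_family to AF_UNSPEC means res0 can now hold AF_INET and AF_INET6 entries with different sockaddr lengths, so the code below this hunk that hands the result back to the unprivileged child must copy res0->ai_addr using res0->ai_addrlen into a sockaddr_storage-sized buffer rather than assuming sizeof(struct sockaddr_in); please double-check that path. The memset change from '\0' to 0 is cosmetic and fine.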
Index: usr.sbin/syslogd/syslogd.c
===
RCS file: /cvs/src/usr.sbin/syslogd/syslogd.c,v
retrieving revision 1.114
diff -u -p -r1.114 syslogd.c
--- usr.sbin/syslogd/syslogd.c  20 Aug 2014 20:10:17 -  1.114
+++ usr.sbin/syslogd/syslogd.c  20 Aug 2014 23:16:42 -
@@ -188,7 +188,6 @@ int Debug;  /* debug flag */
 intStartup = 1;/* startup flag */
 char   LocalHostName[MAXHOSTNAMELEN];  /* our hostname */
 char   *LocalDomain;   /* our local domain name */
-intInetInuse = 0;  /* non-zero if INET sockets are being used */
 intInitialized = 0;/* set when we have initialized ourselves */
 
 intMarkInterval = 20 * 60; /* interval between marks in seconds */
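Review bot: removing the InetInuse definition here, together with its only assignment in a later hunk, is fine as long as no other code in syslogd.c still reads it; a leftover reader would fail to compile, so grep for InetInuse before committing. If anything did depend on it to decide whether remote logging is possible, the replacement should be a check on pfd[PFD_INET].fd and pfd[PFD_INET6].fd being valid.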
@@ -282,7 +281,7 @@ main(int argc, char *argv[])
 {
int ch, i, linesize, fd;
struct sockaddr_un fromunix;
-   struct sockaddr_in frominet;
+   struct sockaddr_storage from;
socklen_t len;
char *p, *line;
char resolve[MAXHOSTNAMELEN];
@@ -369,7 +368,7 @@ main(int argc, char *argv[])
}
 
memset(hints, 0, sizeof(hints));
-   hints.ai_family = AF_INET;
+   hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_DGRAM;
hints.ai_protocol = IPPROTO_UDP;
hints.ai_flags = AI_PASSIVE;
@@ -384,13 +383,14 @@ main(int argc, char *argv[])
for (res = res0; res; res = res-ai_next) {
struct pollfd *pfdp;
 
-   if (res-ai_family == AF_INET)
+   switch (res-ai_family) {
+   case AF_INET:
pfdp = pfd[PFD_INET];
-   else {
-   /*
-* XXX AF_INET6 is skipped on purpose, need to
-* fix '@' handling first.
-*/
+   break;
+   case AF_INET6:
+   pfdp = pfd[PFD_INET6];
+   break;
+   default:
continue;
}
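Review bot: the removed XXX comment said AF_INET6 was skipped until '@' handling was fixed, i.e. until IPv6 destinations can be written in syslog.conf; the syslog.conf.5 change in this series documents the `[addr]:port` form, so the parsing of that form should land together with or before this hunk, otherwise an IPv6 listening socket is opened while no IPv6 forwarding destination can be configured. The switch with a `default: continue;` is cleaner than the old if/else and leaves room for further families.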
 
@@ -410,7 +410,6 @@ main(int argc, char *argv[])
continue;
}
 
-   InetInuse = 1;
pfdp-fd = fd;
if (SecureMode)
shutdown(pfdp-fd, SHUT_RD);
@@ -582,18 +581,31 @@ main(int argc, char *argv[])
}
}
if ((pfd[PFD_INET].revents  POLLIN) != 0) {
-   len = sizeof(frominet);
+   len = sizeof(from);
i = recvfrom(pfd[PFD_INET].fd, line, MAXLINE, 0,
-   (struct sockaddr *)frominet, len);
+   (struct sockaddr *)from, len);
if (i  0) {
line[i] = '\0';
-   cvthname((struct sockaddr *)frominet, resolve,
-   sizeof resolve);
+   cvthname((struct sockaddr *)from, resolve,
+   sizeof(resolve));
dprintf(cvthname res: %s\n, resolve);
printline(resolve, line);
} else if (i  0  errno != EINTR)
logerror(recvfrom inet);
}
+   if ((pfd[PFD_INET6].revents  POLLIN) != 0) {
+ 
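Review bot: the new PFD_INET6 receive block (cut off in the archive) looks like a line-for-line copy of the PFD_INET block above it; consider moving the `len = sizeof(from)` / recvfrom / cvthname / printline sequence into a small helper taking the pollfd index and a label for the logerror string, so the two copies cannot drift apart. Using sockaddr_storage for `from` and resetting len before every recvfrom is correct, since recvfrom updates len in place.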

Re: syslogd ipv6 man5

2014-08-20 Thread Alexander Bluhm
On Tue, Aug 19, 2014 at 01:59:42AM +0200, Alexander Bluhm wrote:
 I will split this diff into smaller parts to make review and
 discussion easier.

Document square brackets for IPv6 addresses.  From FreeBSD.

Index: usr.sbin/syslogd/syslog.conf.5
===
RCS file: /cvs/src/usr.sbin/syslogd/syslog.conf.5,v
retrieving revision 1.24
diff -u -p -r1.24 syslog.conf.5
--- usr.sbin/syslogd/syslog.conf.5  20 Jan 2014 05:07:48 -  1.24
+++ usr.sbin/syslogd/syslog.conf.5  20 Aug 2014 23:36:16 -
@@ -220,6 +220,13 @@ program on the named host.
 A port number may be optionally specified using the
 .Ar host:port
 syntax.
+IPv6 addresses can be used by surrounding the address portion with
+square brackets
+.Po
+.Ql [\
+and
+.Ql ]\
+.Pc .
 .It
 A comma separated list of users.
 Selected messages are written to those users
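Review bot: the new sentence says the address portion is bracketed but does not show where the port goes relative to the brackets, which matters because IPv6 addresses themselves contain colons; a concrete example in the existing .Ar host:port style, such as @[2001:db8::1]:514 (documentation address), would remove the ambiguity. Also, the `\` after `.Ql [` and `.Ql ]` reads as if a trailing `&` was lost in the archive (`\&`), which is needed to stop mdoc from treating the lone bracket as a delimiter; worth verifying the actual diff before commit.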

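The bracketed IPv6 form documented above, together with the existing host:port form, as an added parsing example (not syslogd's own code): it splits a syslog.conf remote destination into host and port strings and rejects the ambiguous unbracketed IPv6 form. The name parse_loghost and the default port 514 are this example's own choices.

```c
#include <stdio.h>
#include <string.h>

/* Split a syslog.conf remote destination ("@host", "@host:port",
 * "@[v6addr]" or "@[v6addr]:port") into host and port strings.
 * A bare IPv6 address without brackets is ambiguous and is rejected.
 * Returns 0 on success, -1 on a malformed destination.
 * parse_loghost is this example's own name, not a syslogd function. */
int
parse_loghost(const char *spec, char *host, size_t hostlen,
    char *port, size_t portlen)
{
	const char *h, *hend, *p = NULL;
	size_t n;

	if (*spec == '@')
		spec++;			/* '@' marks a remote host in syslog.conf */
	if (*spec == '[') {		/* bracketed IPv6 address, port after ']' */
		h = spec + 1;
		if ((hend = strchr(h, ']')) == NULL)
			return (-1);
		if (hend[1] == ':')
			p = hend + 2;
		else if (hend[1] != '\0')
			return (-1);	/* junk after the closing bracket */
	} else {			/* hostname or IPv4 address, optional :port */
		h = spec;
		if ((hend = strchr(h, ':')) == NULL)
			hend = h + strlen(h);
		else if (strchr(hend + 1, ':') != NULL)
			return (-1);	/* second ':' means an unbracketed IPv6 address */
		else
			p = hend + 1;
	}
	n = (size_t)(hend - h);
	if (n == 0 || n >= hostlen || (p != NULL && *p == '\0'))
		return (-1);	/* empty host, host too long, or empty port */
	memcpy(host, h, n);
	host[n] = '\0';
	/* defaulting to port 514 is this example's choice */
	if (snprintf(port, portlen, "%s", p != NULL ? p : "514") >= (int)portlen)
		return (-1);
	return (0);
}
```

The resulting host and port strings can be passed straight to getaddrinfo(3) with ai_family set to AF_UNSPEC, as the syslogd diffs in this series do.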


Re: let vlan(4) mtu be limited by the parent's hardmtu instead of current mtu

2014-08-20 Thread David Gwynne
sthen@ says this is likely a bit optimistic. while most of our drivers
unconditionally configure their max mru, there's some stupid ones that still
interpret the configured mtu as what the mru should be.

dlg

On 21 Aug 2014, at 6:29, Chris Cappuccio ch...@nmedia.net wrote:

 ok chris@ 
 
 David Gwynne [da...@gwynne.id.au] wrote:
 this lets you have networks on the native vlan on an interface
 at 1500, while setting a child vlan interface's mtu to jumbos.
 
 ok?
 
 Index: if_vlan.c
 ===
 RCS file: /cvs/src/sys/net/if_vlan.c,v
 retrieving revision 1.108
 diff -u -p -r1.108 if_vlan.c
 --- if_vlan.c12 Jul 2014 18:44:22 -  1.108
 +++ if_vlan.c19 Aug 2014 23:52:15 -
 @@ -528,9 +528,9 @@ vlan_ioctl(struct ifnet *ifp, u_long cmd
  case SIOCSIFMTU:
  if (ifv-ifv_p != NULL) {
  if (ifv-ifv_p-if_capabilities  IFCAP_VLAN_MTU)
 -p_mtu = ifv-ifv_p-if_mtu;
 +p_mtu = ifv-ifv_p-if_hardmtu;
  else
 -p_mtu = ifv-ifv_p-if_mtu - EVL_ENCAPLEN;
 +p_mtu = ifv-ifv_p-if_hardmtu - EVL_ENCAPLEN;
  
  if (ifr-ifr_mtu  p_mtu || ifr-ifr_mtu  ETHERMIN)
  error = EINVAL;




Re: let vlan(4) mtu be limited by the parent's hardmtu instead of current mtu

2014-08-20 Thread Chris Cappuccio
David Gwynne [da...@gwynne.id.au] wrote:
 sthen@ says this is likely a bit optimistic. while most of our drivers
 unconditionally configure their max mru, there's some stupid ones that still
 interpret the configured mtu as what the mru should be.
 

All the more reason to make this change, I'd say :)