Re: Add Diffie-Hellman group negotiation to iked

2017-05-21 Thread Tim Stewart
Hello again,

Tim Stewart  writes:

> Tim Stewart  writes:
>
>> This patch teaches iked to reject a KE with a Notify payload of type
>> INVALID_KE_PAYLOAD when the KE uses a different Diffie-Hellman group
>> than is configured locally.  The rejection indicates the desired
>> group.
>>
>> In my environment, this patch allows stock strongSwan on Android from
>> the Google Play store to interop with iked.  strongSwan's logs show
>> the following once iked is patched:
>>
>>   [IKE] initiating IKE_SA android[7] to 192.0.2.1
>>   [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) 
>> N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>>   [ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
>>   [IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
>>   [IKE] initiating IKE_SA android[7] to 192.0.2.1
>>   [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) 
>> N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>>   [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
>> CERTREQ N(HASH_ALG) ]
>>
>> I'm happy to iterate on this patch to get it into proper shape for
>> inclusion.
>
> I discovered a bug in the previous patch that broke renegotiation of
> CHILD SAs.  I was ignoring "other than NONE" in the following sentence
> from RFC 5996 section 3.4:
>
>   If the selected proposal uses a different Diffie-Hellman group
>   (other than NONE), the message MUST be rejected with a Notify
>   payload of type INVALID_KE_PAYLOAD.
>
> The new patch below repairs the flaw.

After re-reading relevant parts of the RFC I'm not convinced that my fix
(rejecting with INVALID_KE_PAYLOAD unless msg->msg_dhgroup is
IKEV2_XFORMDH_NONE) is correct.  It happens to resolve my local issue
but I think it may accidentally work due to a side effect of the code
path for rekeying a child SA.

I will look at it more closely this week.

-TimS

P.S.  Is there someone I could add to the To: or Cc: headers of these
iked-related messages?  Or should I simply be patient?

--
Tim Stewart
---
Mail:   t...@stoo.org
Matrix: @tim:stoo.org
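The RFC 5996 section 3.4 rule this thread turns on, worked through as an added example (not Tim's patch and not iked code). It covers the responder's decision including the "(other than NONE)" case, the two-octet notify data INVALID_KE_PAYLOAD carries, and goes one step beyond the thread to the initiator's side, which must only retry with a group it was itself configured to offer because the IKE_SA_INIT response carrying the notify is unauthenticated. The DH_* names, the three functions and the 'allowed' list are this example's own; the numbers 14 and 19 are the IANA transform IDs for MODP_2048 and ECP_256.

```c
#include <stdint.h>
#include <stdio.h>

/* IKEv2 DH transform IDs (IANA values); the DH_* names are this example's. */
#define DH_NONE		0
#define DH_MODP_2048	14
#define DH_ECP_256	19

enum ke_verdict { KE_ACCEPT, KE_INVALID_KE_PAYLOAD };

/* Responder: 'selected' is the DH transform of the proposal the responder
 * chose, 'ke_group' the group of the peer's KE payload; on rejection *want
 * is the group to carry in the INVALID_KE_PAYLOAD notify. */
enum ke_verdict
responder_check_ke(uint16_t selected, uint16_t ke_group, uint16_t *want)
{
	*want = DH_NONE;
	/* "(other than NONE)": a proposal without DH (e.g. a CHILD SA rekey
	 * without PFS) has no group to compare, so nothing is rejected. */
	if (selected == DH_NONE || ke_group == selected)
		return (KE_ACCEPT);
	*want = selected;	/* our configured group, never the peer's */
	return (KE_INVALID_KE_PAYLOAD);
}

/* INVALID_KE_PAYLOAD notify data: two octets, network byte order. */
size_t
encode_invalid_ke(uint16_t group, uint8_t *out, size_t outlen)
{
	if (outlen < 2)
		return (0);
	out[0] = (uint8_t)(group >> 8);
	out[1] = (uint8_t)(group & 0xff);
	return (2);
}

/* Initiator: the notify is unauthenticated, so retry only with a group from
 * our own configured list and only if it differs from the one just sent;
 * a broken or hostile peer can then neither loop us nor pick our group.
 * Returns the group to retry with, or DH_NONE to give up. */
uint16_t
initiator_pick_retry(const uint8_t *data, size_t len, uint16_t sent,
    const uint16_t *allowed, size_t nallowed)
{
	uint16_t group;
	size_t i;

	if (len != 2)
		return (DH_NONE);	/* malformed notify data */
	group = (uint16_t)((data[0] << 8) | data[1]);
	if (group == sent)
		return (DH_NONE);
	for (i = 0; i < nallowed; i++)
		if (allowed[i] == group)
			return (group);
	return (DH_NONE);
}

/* Replay the log above: Android offers ECP_256, iked wants MODP_2048. */
int
main(void)
{
	const uint16_t allowed[] = { DH_ECP_256, DH_MODP_2048 };
	uint8_t notify[2];
	uint16_t want;

	if (responder_check_ke(DH_MODP_2048, DH_ECP_256, &want) ==
	    KE_INVALID_KE_PAYLOAD && encode_invalid_ke(want, notify, 2) == 2)
		printf("peer didn't accept DH group %d, it requested %d\n",
		    DH_ECP_256, initiator_pick_retry(notify, 2, DH_ECP_256,
		    allowed, 2));
	return (0);
}
```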



Re: [PATCH] add D-Link DWA-525 rev A2 to ral(4)

2017-05-21 Thread Jonathan Gray
On Mon, May 22, 2017 at 01:13:34PM +0800, Kevin Lo wrote:
> Hi,
> 
> The diff below adds D-Link DWA-525 rev A2 to ral(4), which works fine on amd64,
> and updates the ral(4) manpage.

This could also add other missing ids.

RALINK
0x3390 (RT33XX)
0x359f (RT35XX)
0x5362 (RT53XX)

EDIMAX
0x7711 (RT35XX)
0x7722 (RT35XX)

You don't need to change $Mdocdate$, that gets expanded automatically.

> 
> # dmesg |grep ral0
> ral0 at pci3 dev 1 function 0 "Ralink RT5360" rev 0x00: apic 2 int 16, 
> address f8:e9:03:ae:08:c4
> ral0: MAC/BBP RT5392 (rev 0x0223), RF RT5360 (MIMO 1T1R)
> 
> # ifconfig ral0
> ral0: flags=8843 mtu 1500
> lladdr f8:e9:03:ae:08:c4
> index 4 priority 4 llprio 3
> groups: wlan egress
> media: IEEE802.11 autoselect (DS2 mode 11g)
> status: active
> ieee80211: nwid wsl chan 6 bssid 00:0e:8e:75:14:98 -7dBm wpakey 
> 0xa59c2e8f35d4276057224f20c93b023a87c53ed619005772ff1636311b3bfca3 wpaprotos 
> wpa2 wpaakms psk wpaciphers ccmp wpagroupcipher ccmp
> inet 10.0.1.3 netmask 0xff00 broadcast 10.0.1.255
> 
> Index: share/man/man4/ral.4
> ===
> RCS file: /cvs/src/share/man/man4/ral.4,v
> retrieving revision 1.110
> diff -u -p -u -p -r1.110 ral.4
> --- share/man/man4/ral.4  17 Aug 2016 11:52:29 -  1.110
> +++ share/man/man4/ral.4  22 May 2017 05:10:41 -
> @@ -14,7 +14,7 @@
>  .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
>  .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
>  .\"
> -.Dd $Mdocdate: August 17 2016 $
> +.Dd $Mdocdate: May 22 2017 $
>  .Dt RAL 4
>  .Os
>  .Sh NAME
> @@ -160,6 +160,7 @@ CNet CWP-854.
>  Compex WLP54G.
>  Conceptronic C54Ri.
>  Corega CG-WLPCI54GL.
> +D-Link DWA-525 rev A2.
>  Digitus DN-7006G-RA.
>  Dynalink WLG25PCI.
>  E-Tech WGPI02.
> Index: sys/dev/ic/rt2860.c
> ===
> RCS file: /cvs/src/sys/dev/ic/rt2860.c,v
> retrieving revision 1.92
> diff -u -p -u -p -r1.92 rt2860.c
> --- sys/dev/ic/rt2860.c   22 Jan 2017 10:17:38 -  1.92
> +++ sys/dev/ic/rt2860.c   22 May 2017 05:10:43 -
> @@ -3106,6 +3106,7 @@ rt2860_get_rf(uint16_t rev)
>   case RT3070_RF_3052:return "RT3052";
>   case RT3070_RF_3320:return "RT3320";
>   case RT3070_RF_3053:return "RT3053";
> + case RT5390_RF_5360:return "RT5360";
>   case RT5390_RF_5390:return "RT5390";
>   case RT5390_RF_5392:return "RT5392";
>   default:return "unknown";
> Index: sys/dev/ic/rt2860reg.h
> ===
> RCS file: /cvs/src/sys/dev/ic/rt2860reg.h,v
> retrieving revision 1.33
> diff -u -p -u -p -r1.33 rt2860reg.h
> --- sys/dev/ic/rt2860reg.h17 Aug 2016 11:50:52 -  1.33
> +++ sys/dev/ic/rt2860reg.h22 May 2017 05:10:44 -
> @@ -925,6 +925,7 @@ struct rt2860_rxwi {
>  #define RT3070_RF_3320   0x000b  /* 1T1R */
>  #define RT3070_RF_3053   0x000d  /* dual-band 3T3R */
>  #define RT5592_RF_5592   0x000f  /* dual-band 2T2R */
> +#define RT5390_RF_5360   0x5360  /* 1T1R */
>  #define RT5390_RF_5370   0x5370  /* 1T1R */
>  #define RT5390_RF_5372   0x5372  /* 2T2R */
>  #define RT5390_RF_5390   0x5390  /* 1T1R */
> Index: sys/dev/pci/if_ral_pci.c
> ===
> RCS file: /cvs/src/sys/dev/pci/if_ral_pci.c,v
> retrieving revision 1.25
> diff -u -p -u -p -r1.25 if_ral_pci.c
> --- sys/dev/pci/if_ral_pci.c  17 Aug 2016 11:50:52 -  1.25
> +++ sys/dev/pci/if_ral_pci.c  22 May 2017 05:10:44 -
> @@ -136,6 +136,7 @@ const struct pci_matchid ral_pci_devices
>   { PCI_VENDOR_RALINK, PCI_PRODUCT_RALINK_RT3562 },
>   { PCI_VENDOR_RALINK, PCI_PRODUCT_RALINK_RT3592 },
>   { PCI_VENDOR_RALINK, PCI_PRODUCT_RALINK_RT3593 },
> + { PCI_VENDOR_RALINK, PCI_PRODUCT_RALINK_RT5360 },
>   { PCI_VENDOR_RALINK, PCI_PRODUCT_RALINK_RT5390 },
>   { PCI_VENDOR_RALINK, PCI_PRODUCT_RALINK_RT5392 },
>   { PCI_VENDOR_RALINK, PCI_PRODUCT_RALINK_RT5390_1 },
> Index: sys/dev/pci/pcidevs
> ===
> RCS file: /cvs/src/sys/dev/pci/pcidevs,v
> retrieving revision 1.1818
> diff -u -p -u -p -r1.1818 pcidevs
> --- sys/dev/pci/pcidevs   17 May 2017 05:00:17 -  1.1818
> +++ sys/dev/pci/pcidevs   22 May 2017 05:10:46 -
> @@ -6560,6 +6560,7 @@ product RALINK RT3298   0x3298  Bluetooth
>  product RALINK RT35620x3562  RT3562
>  product RALINK RT35920x3592  RT3592
>  product RALINK RT35930x3593  RT3593
> +product RALINK RT53600x5360  RT5360
>  product RALINK RT53900x5390  RT5390
>  product RALINK RT53920x5392  RT5392
>  product RALINK RT5390_1

Re: Add Diffie-Hellman group negotiation to iked

2017-05-21 Thread Tim Stewart

Tim Stewart  writes:

> This patch teaches iked to reject a KE with a Notify payload of type
> INVALID_KE_PAYLOAD when the KE uses a different Diffie-Hellman group
> than is configured locally.  The rejection indicates the desired
> group.
>
> In my environment, this patch allows stock strongSwan on Android from
> the Google Play store to interop with iked.  strongSwan's logs show
> the following once iked is patched:
>
>   [IKE] initiating IKE_SA android[7] to 192.0.2.1
>   [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
> N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>   [ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
>   [IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
>   [IKE] initiating IKE_SA android[7] to 192.0.2.1
>   [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
> N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>   [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
> CERTREQ N(HASH_ALG) ]
>
> I'm happy to iterate on this patch to get it into proper shape for
> inclusion.

I discovered a bug in the previous patch that broke renegotiation of
CHILD SAs.  I was ignoring "other than NONE" in the following sentence
from RFC 5996 section 3.4:

  If the selected proposal uses a different Diffie-Hellman group (other
  than NONE), the message MUST be rejected with a Notify payload of type
  INVALID_KE_PAYLOAD.

The new patch below repairs the flaw.

-TimS


Index: iked.h
===
RCS file: /cvs/src/sbin/iked/iked.h,v
retrieving revision 1.115
diff -u -p -r1.115 iked.h
--- iked.h  26 Apr 2017 10:42:38 -  1.115
+++ iked.h  22 May 2017 05:29:17 -
@@ -502,6 +502,7 @@ struct iked_message {
struct iked_proposalsmsg_proposals;
struct iked_spi  msg_rekey;
struct ibuf *msg_nonce; /* dh NONCE */
+   uint16_t msg_dhgroup;   /* dh group */
struct ibuf *msg_ke;/* dh key exchange */
struct iked_id   msg_auth;  /* AUTH payload */
struct iked_id   msg_id;
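Review bot: the new msg_dhgroup field sits between msg_nonce and msg_ke, the per-message DH state, so it should be cleared wherever those two are released or an iked_message is reused; otherwise a group parsed from an earlier payload can survive into the next INVALID_KE_PAYLOAD decision. A short comment saying whether this holds the group from the peer's KE payload or from the selected proposal would also settle the question raised in the follow-up about which of the two the RFC's "other than NONE" refers to.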
Index: ikev2.c
===
RCS file: /cvs/src/sbin/iked/ikev2.c,v
retrieving revision 1.154
diff -u -p -r1.154 ikev2.c
--- ikev2.c 26 Apr 2017 10:42:38 -  1.154
+++ ikev2.c 22 May 2017 05:29:18 -
@@ -71,6 +71,8 @@ intikev2_init_done(struct iked *, stru
 voidikev2_resp_recv(struct iked *, struct iked_message *,
struct ike_header *);
 int ikev2_resp_ike_sa_init(struct iked *, struct iked_message *);
+int ikev2_resp_ike_invalid_ke(struct iked *, struct iked_message *,
+   struct iked_kex *);
 int ikev2_resp_ike_auth(struct iked *, struct iked_sa *);
 int ikev2_resp_ike_eap(struct iked *, struct iked_sa *, struct ibuf *);
 int ikev2_send_auth_failed(struct iked *, struct iked_sa *);
@@ -96,8 +98,8 @@ intikev2_sa_responder(struct iked *, s
struct iked_message *);
 int ikev2_sa_initiator_dh(struct iked_sa *, struct iked_message *,
unsigned int);
-int ikev2_sa_responder_dh(struct iked_kex *, struct iked_proposals *,
-   struct iked_message *, unsigned int);
+int ikev2_sa_responder_dh(struct iked *, struct iked_kex *,
+   struct iked_proposals *, struct iked_message *, unsigned int);
 voidikev2_sa_cleanup_dh(struct iked_sa *);
 int ikev2_sa_keys(struct iked *, struct iked_sa *, struct ibuf *);
 int ikev2_sa_tag(struct iked_sa *, struct iked_id *);
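Review bot: ikev2_sa_responder_dh() gains a leading struct iked * argument, so every existing call site must change in the same diff; this archive copy is cut off after the next hunk, so those call-site updates cannot be checked here. If the new argument exists only so the DH helper can call ikev2_resp_ike_invalid_ke(), consider returning the mismatch to the caller and sending the notify there, which keeps the helper free of message I/O.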
@@ -2279,6 +2281,84 @@ ikev2_resp_ike_sa_init(struct iked *env,
 }
 
 int
+ikev2_resp_ike_invalid_ke(struct iked *env, struct iked_message *msg,
+struct iked_kex *kex)
+{
+   struct iked_message  resp;
+   struct ike_header   *hdr;
+   struct ikev2_payload*pld;
+   struct ikev2_notify *n;
+   struct iked_sa  *sa = msg->msg_sa;
+   struct ibuf *buf;
+   uint8_t *ptr;
+   ssize_t  len;
+   uint16_t group;
+   int  ret = -1;
+
+   if (sa->sa_hdr.sh_initiator) {
+   log_debug("%s: called by initiator", __func__);
+   return (-1);
+   }
+
+   log_debug("%s: rejecting with INVALID_KE_PAYLOAD", __func__);
+
+   if ((buf = ikev2_msg_init(env, ,
+   >msg_peer, msg->msg_peerlen,
+   >msg_local, msg->msg_locallen, 1)) == NULL)
+   goto done;
+
+   resp.msg_sa = sa;
+   resp.msg_fd = msg->msg_fd;
+   resp.msg_natt = msg->msg_natt;
+   resp.msg_msgid = 0;
+
+   /* IKE header */
+   if ((hdr = ikev2_add_header(buf, sa, resp.msg_msgid,
+   IKEV2_PAYLOAD_NOTIFY, IKEV2_EXCHANGE_IKE_SA_INIT,
+   IKEV2_FLAG_RESPONSE)) == 
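Review bot: the notify goes out in an IKE_SA_INIT response, which is unauthenticated, so the group written into the notify data must come from the locally selected proposal, never be echoed from anything the peer sent, and the initiator on the other side should only retry with a group it itself offered. The early return when sa_hdr.sh_initiator is set bypasses the done: label, which is fine only while nothing has been allocated before it; keep that invariant if cleanup is added later. The archive copy has lost the '&' characters in the ikev2_msg_init() argument list and stops after the ikev2_add_header() call, so the rest of the function (including how group and len are filled) could not be reviewed.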

[PATCH] add D-Link DWA-525 rev A2 to ral(4)

2017-05-21 Thread Kevin Lo
Hi,

The diff below adds D-Link DWA-525 rev A2 to ral(4), which works fine on amd64,
and updates the ral(4) manpage.

# dmesg |grep ral0
ral0 at pci3 dev 1 function 0 "Ralink RT5360" rev 0x00: apic 2 int 16, address 
f8:e9:03:ae:08:c4
ral0: MAC/BBP RT5392 (rev 0x0223), RF RT5360 (MIMO 1T1R)

# ifconfig ral0
ral0: flags=8843 mtu 1500
lladdr f8:e9:03:ae:08:c4
index 4 priority 4 llprio 3
groups: wlan egress
media: IEEE802.11 autoselect (DS2 mode 11g)
status: active
ieee80211: nwid wsl chan 6 bssid 00:0e:8e:75:14:98 -7dBm wpakey 
0xa59c2e8f35d4276057224f20c93b023a87c53ed619005772ff1636311b3bfca3 wpaprotos 
wpa2 wpaakms psk wpaciphers ccmp wpagroupcipher ccmp
inet 10.0.1.3 netmask 0xff00 broadcast 10.0.1.255

Index: share/man/man4/ral.4
===
RCS file: /cvs/src/share/man/man4/ral.4,v
retrieving revision 1.110
diff -u -p -u -p -r1.110 ral.4
--- share/man/man4/ral.417 Aug 2016 11:52:29 -  1.110
+++ share/man/man4/ral.422 May 2017 05:10:41 -
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 17 2016 $
+.Dd $Mdocdate: May 22 2017 $
 .Dt RAL 4
 .Os
 .Sh NAME
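Review bot: the `.Dd $Mdocdate$` line should not be edited by hand; CVS expands the keyword on commit, so this hunk can be dropped from the diff (the reply in this thread says the same).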
@@ -160,6 +160,7 @@ CNet CWP-854.
 Compex WLP54G.
 Conceptronic C54Ri.
 Corega CG-WLPCI54GL.
+D-Link DWA-525 rev A2.
 Digitus DN-7006G-RA.
 Dynalink WLG25PCI.
 E-Tech WGPI02.
Index: sys/dev/ic/rt2860.c
===
RCS file: /cvs/src/sys/dev/ic/rt2860.c,v
retrieving revision 1.92
diff -u -p -u -p -r1.92 rt2860.c
--- sys/dev/ic/rt2860.c 22 Jan 2017 10:17:38 -  1.92
+++ sys/dev/ic/rt2860.c 22 May 2017 05:10:43 -
@@ -3106,6 +3106,7 @@ rt2860_get_rf(uint16_t rev)
case RT3070_RF_3052:return "RT3052";
case RT3070_RF_3320:return "RT3320";
case RT3070_RF_3053:return "RT3053";
+   case RT5390_RF_5360:return "RT5360";
case RT5390_RF_5390:return "RT5390";
case RT5390_RF_5392:return "RT5392";
default:return "unknown";
Index: sys/dev/ic/rt2860reg.h
===
RCS file: /cvs/src/sys/dev/ic/rt2860reg.h,v
retrieving revision 1.33
diff -u -p -u -p -r1.33 rt2860reg.h
--- sys/dev/ic/rt2860reg.h  17 Aug 2016 11:50:52 -  1.33
+++ sys/dev/ic/rt2860reg.h  22 May 2017 05:10:44 -
@@ -925,6 +925,7 @@ struct rt2860_rxwi {
 #define RT3070_RF_3320 0x000b  /* 1T1R */
 #define RT3070_RF_3053 0x000d  /* dual-band 3T3R */
 #define RT5592_RF_5592 0x000f  /* dual-band 2T2R */
+#define RT5390_RF_5360 0x5360  /* 1T1R */
 #define RT5390_RF_5370 0x5370  /* 1T1R */
 #define RT5390_RF_5372 0x5372  /* 2T2R */
 #define RT5390_RF_5390 0x5390  /* 1T1R */
Index: sys/dev/pci/if_ral_pci.c
===
RCS file: /cvs/src/sys/dev/pci/if_ral_pci.c,v
retrieving revision 1.25
diff -u -p -u -p -r1.25 if_ral_pci.c
--- sys/dev/pci/if_ral_pci.c17 Aug 2016 11:50:52 -  1.25
+++ sys/dev/pci/if_ral_pci.c22 May 2017 05:10:44 -
@@ -136,6 +136,7 @@ const struct pci_matchid ral_pci_devices
{ PCI_VENDOR_RALINK, PCI_PRODUCT_RALINK_RT3562 },
{ PCI_VENDOR_RALINK, PCI_PRODUCT_RALINK_RT3592 },
{ PCI_VENDOR_RALINK, PCI_PRODUCT_RALINK_RT3593 },
+   { PCI_VENDOR_RALINK, PCI_PRODUCT_RALINK_RT5360 },
{ PCI_VENDOR_RALINK, PCI_PRODUCT_RALINK_RT5390 },
{ PCI_VENDOR_RALINK, PCI_PRODUCT_RALINK_RT5392 },
{ PCI_VENDOR_RALINK, PCI_PRODUCT_RALINK_RT5390_1 },
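Review bot: only the device table is touched, so the dmesg in the cover letter is the evidence that the new id attaches through the same code path as the neighbouring RT53xx entries; worth stating in the commit message. The reply in this thread lists further ids missing from the same table (Ralink 0x3390, 0x359f, 0x5362 and Edimax 0x7711, 0x7722) that could go in with this change.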
Index: sys/dev/pci/pcidevs
===
RCS file: /cvs/src/sys/dev/pci/pcidevs,v
retrieving revision 1.1818
diff -u -p -u -p -r1.1818 pcidevs
--- sys/dev/pci/pcidevs 17 May 2017 05:00:17 -  1.1818
+++ sys/dev/pci/pcidevs 22 May 2017 05:10:46 -
@@ -6560,6 +6560,7 @@ product RALINK RT3298 0x3298  Bluetooth
 product RALINK RT3562  0x3562  RT3562
 product RALINK RT3592  0x3592  RT3592
 product RALINK RT3593  0x3593  RT3593
+product RALINK RT5360  0x5360  RT5360
 product RALINK RT5390  0x5390  RT5390
 product RALINK RT5392  0x5392  RT5392
 product RALINK RT5390_10x539a  RT5390
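Review bot: pcidevs is the source for the generated pcidevs.h and pcidevs_data.h, which are not part of this diff; the PCI_PRODUCT_RALINK_RT5360 symbol used in if_ral_pci.c only exists once they are regenerated, so the generated files need a regen (usually a separate commit) before the driver change builds.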



Re: dig(1) doesn't play well with rebound(8)

2017-05-21 Thread Edgar Pettijohn



On 05/21/17 14:53, Edgar Pettijohn wrote:
> This may not be the best way to handle this, but it was the first fix
> to come to mind.  Not sure where to put this in the manual or if it's
> even worth documenting. Thoughts?
>
> Thanks,
>
> Edgar

Well, it worked when invoked as /usr/src/usr.sbin/bind/bin/dig/dig -r but
when installed it says Invalid option -r.  Dig's option parsing confuses
the hell out of me.




dig(1) doesn't play well with rebound(8)

2017-05-21 Thread Edgar Pettijohn
This may not be the best way to handle this, but it was the first fix to
come to mind.  Not sure where to put this in the manual or if it's even
worth documenting. Thoughts?


Thanks,

Edgar

Index: dig.c
===
RCS file: /cvs/src/usr.sbin/bind/bin/dig/dig.c,v
retrieving revision 1.17
diff -u -p -u -r1.17 dig.c
--- dig.c	5 Jun 2016 15:09:17 -	1.17
+++ dig.c	21 May 2017 19:48:09 -
@@ -1053,7 +1053,7 @@ plus_option(char *option, isc_boolean_t 
 /*%
  * #ISC_TRUE returned if value was used
  */
-static const char *single_dash_opts = "46dhimnv";
+static const char *single_dash_opts = "46dhimnrv";
 static const char *dash_opts = "46bcdfhikmnptvyx";
 static isc_boolean_t
 dash_option(char *option, char *next, dig_lookup_t **lookup,
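Review bot: in the visible tables every letter of single_dash_opts also appears in dash_opts ("46bcdfhikmnptvyx"), but the new 'r' is added only to single_dash_opts; add it to dash_opts as well so the two stay consistent, which may also be what is behind the "Invalid option -r" reported in the follow-up message.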
@@ -1121,6 +1121,9 @@ dash_option(char *option, char *next, di
 			break;
 		case 'n':
 			/* deprecated */
+			break;
+		case 'r':
+			rebound = ISC_TRUE;
 			break;
 		case 'v':
 			version();
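Review bot: -r is a new user-visible flag but neither the usage text nor dig(1) is updated in this diff; the cover letter asks where to document it, and the natural places are the option synopsis in dig(1) next to the other single-letter flags and the usage() output. A comment on the new case (for instance, "accept replies from a different source, for rebound(8)") would also tell a reader of dash_option() why the check is relaxed.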
Index: include/dig/dig.h
===
RCS file: /cvs/src/usr.sbin/bind/bin/dig/include/dig/dig.h,v
retrieving revision 1.8
diff -u -p -u -r1.8 dig.h
--- include/dig/dig.h	16 Aug 2009 13:17:44 -	1.8
+++ include/dig/dig.h	21 May 2017 19:47:52 -
@@ -274,7 +274,7 @@ extern isc_boolean_t validated;
 extern isc_taskmgr_t *taskmgr;
 extern isc_task_t *global_task;
 extern isc_boolean_t free_now;
-extern isc_boolean_t debugging, memdebugging;
+extern isc_boolean_t debugging, memdebugging, rebound;
 
 extern char *progname;
 extern int tries;
Index: dighost.c
===
RCS file: /cvs/src/usr.sbin/bind/bin/dig/dighost.c,v
retrieving revision 1.15
diff -u -p -u -r1.15 dighost.c
--- dighost.c	28 Sep 2015 15:55:54 -	1.15
+++ dighost.c	21 May 2017 19:47:27 -
@@ -118,6 +118,7 @@ isc_boolean_t
 	showsearch = ISC_FALSE,
 	qr = ISC_FALSE,
 	is_dst_up = ISC_FALSE;
+isc_boolean_t rebound;
 in_port_t port = 0;
 unsigned int timeout = 0;
 unsigned int extrabytes;
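Review bot: the neighbouring globals in this declaration list are initialised explicitly (qr = ISC_FALSE, is_dst_up = ISC_FALSE); rebound should join that list as `is_dst_up = ISC_FALSE,` / `rebound = ISC_FALSE;` rather than being declared separately with an implicit zero, so the default reads as deliberate.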
@@ -2854,17 +2855,19 @@ recv_done(isc_task_t *task, isc_event_t 
 		* sent to 0.0.0.0, :: or to a multicast addresses.
 		* XXXMPA broadcast needs to be handled here as well.
 		*/
-		if ((!isc_sockaddr_eqaddr(>sockaddr, ) &&
-		 !isc_sockaddr_ismulticast(>sockaddr)) ||
-		isc_sockaddr_getport(>sockaddr) !=
-		isc_sockaddr_getport(>address)) {
-			isc_sockaddr_format(>address, buf1,
-			sizeof(buf1));
-			isc_sockaddr_format(>sockaddr, buf2,
-			sizeof(buf2));
-			printf(";; reply from unexpected source: %s,"
-			" expected %s\n", buf1, buf2);
-			match = ISC_FALSE;
+		if (!rebound) {
+			if ((!isc_sockaddr_eqaddr(>sockaddr, ) &&
+		 		!isc_sockaddr_ismulticast(>sockaddr)) ||
+				isc_sockaddr_getport(>sockaddr) !=
+				isc_sockaddr_getport(>address)) {
+	isc_sockaddr_format(>address, buf1,
+	sizeof(buf1));
+	isc_sockaddr_format(>sockaddr, buf2,
+	sizeof(buf2));
+	printf(";; reply from unexpected source: %s,"
+	" expected %s\n", buf1, buf2);
+	match = ISC_FALSE;
+			}
 		}
 	}
 
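Review bot: the check being disabled is the one that rejects a reply whose source address or port differs from the server that was queried, which is dig's only source-based guard against an off-path answer being accepted as the real one, and `-r` turns it off for every reply in the run. A narrower exemption would fit rebound(8) better: keep the comparison and, when rebound is set, skip the mismatch only for a loopback source (assuming rebound's replies do arrive from loopback), or still print the ";; reply from unexpected source" line as a warning while leaving match set, so the user is told the answer did not come from the address asked. Separately, the nested `if (!rebound) { if (...) {` can be folded into one condition, `if (!rebound && ((...) || ...))`, and the body lines from isc_sockaddr_format() onward are indented at a different tab depth than the condition above them.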


[patch/openbgpd] make man example works

2017-05-21 Thread Denis Fondras
Hi,

bgpd.conf manual has an example with:

good="{ 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
bad="{ 224.0.0.0/4 prefixlen >= 4, 240.0.0.0/4 prefixlen >= 4 }"
ugly="{ 127.0.0.1/8, 169.254.0.0/16 }"
deny from any prefix { $good $bad $ugly } 

This syntax is not valid with current parse.y.

Here is a patch to make it valid.

Index: parse.y
===
RCS file: /cvs/src/usr.sbin/bgpd/parse.y,v
retrieving revision 1.298
diff -u -p -r1.298 parse.y
--- parse.y 22 Feb 2017 13:55:14 -  1.298
+++ parse.y 21 May 2017 17:29:11 -
@@ -217,6 +217,7 @@ typedef struct {
 %typefilter_set_opt
 %type   filter_set filter_set_l
 %type filter_prefix filter_prefix_l filter_prefix_h
+%type filter_prefix_m
 %typeunaryop equalityop binaryop filter_as_type
 %type   encspec
 %%
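Review bot: the new %type line has lost its <tag> in this archive copy; it needs the same semantic type tag as filter_prefix_l, since the rule below passes a filter_prefix_l pointer through $$ = $2 and into filter_prefix_h.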
@@ -1615,8 +1616,22 @@ filter_prefix_h  : IPV4 prefixlenop  
 {
}
}
| PREFIX filter_prefix  { $$ = $2; }
-   | PREFIX '{' filter_prefix_l '}'{ $$ = $3; }
+   | PREFIX '{' filter_prefix_m '}'{ $$ = $3; }
;
+
+filter_prefix_m: filter_prefix_l
+   | '{' filter_prefix_l '}'   { $$ = $2; }
+   | '{' filter_prefix_l '}' filter_prefix_m
+   {
+   struct filter_prefix_l  *p;
+
+   /* merge, both can be lists */
+   for (p = $2; p != NULL && p->next != NULL; p = p->next)
+   ;   /* nothing */
+   if (p != NULL)
+   p->next = $4;
+   $$ = $2;
+   } 
 
 filter_prefix_l: filter_prefix { $$ = $1; }
| filter_prefix_l comma filter_prefix   {
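Review bot: the new filter_prefix_m rule ends with `}` and a trailing space instead of the `;` that terminates the other rules in this file (see filter_prefix_h just above); yacc tolerates the omission but the file's style does not. The grammar is also asymmetric: a brace-less list may appear only as the last element (`'{' filter_prefix_l '}' filter_prefix_m`), so `{ 10.0.0.0/8 $good }` is rejected while `{ $good 10.0.0.0/8 }` is accepted; if that is intended it deserves a comment, and the manual example should be fed through the parser again after the change. The merge loop itself is fine: it walks $2 to its tail and appends $4, and a NULL $2 leaves $$ NULL.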



Re: Displaying flow queue in the systat

2017-05-21 Thread Mike Belopuhov
On Mon, May 15, 2017 at 20:13 +0200, Mike Belopuhov wrote:
> Here are some bits to display flow queues alongside H-FSC ones.
> It's a bit hackish in a way I switch the "bandwidth" field to
> the "bandwidth or flows" and then use node->qstats.data.period
> because I'm too lazy to change the pfctl_queue_node to include
> a union... This will require changes in the whole file instead
> of just an XXX comment.  Does it bother anybody?
> 
> I also make use of a presently empty field "SCH" to display the
> queue management policy (flow or fifo) which is not strictly a
> scheduler, but it will become descriptive when I [hopefully]
> hook up FQ-CoDel to HFSC so that it would be an HFSC class with
> its queue managed by the FQ-CoDel.  This will distinguish such
> queues from the regular HFSC ones that use a FIFO queue.
> 
> OK?
>

No objections?

> diff --git usr.bin/systat/pftop.c usr.bin/systat/pftop.c
> index 673a69df6a6..d19affeae90 100644
> --- usr.bin/systat/pftop.c
> +++ usr.bin/systat/pftop.c
> @@ -146,11 +146,11 @@ field_def fields[] = {
>   {"RATE", 5, 8, 1, FLD_ALIGN_RIGHT, -1, 0, 0, 0},
>   {"AVG", 5, 8, 1, FLD_ALIGN_RIGHT, -1, 0, 0, 0},
>   {"PEAK", 5, 8, 1, FLD_ALIGN_RIGHT, -1, 0, 0, 0},
>   {"ANCHOR", 6, 16, 1, FLD_ALIGN_LEFT, -1, 0, 0},
>   {"QUEUE", 15, 30, 1, FLD_ALIGN_LEFT, -1, 0, 0, 0},
> - {"BW", 4, 5, 1, FLD_ALIGN_RIGHT, -1, 0, 0, 0},
> + {"BW/FL", 4, 5, 1, FLD_ALIGN_RIGHT, -1, 0, 0, 0},
>   {"SCH", 3, 4, 1, FLD_ALIGN_LEFT, -1, 0, 0, 0},
>   {"DROP_P", 6, 8, 1, FLD_ALIGN_RIGHT, -1, 0, 0, 0},
>   {"DROP_B", 6, 8, 1, FLD_ALIGN_RIGHT, -1, 0, 0, 0},
>   {"QLEN", 4, 4, 1, FLD_ALIGN_RIGHT, -1, 0, 0, 0},
>   {"BORROW", 4, 6, 1, FLD_ALIGN_RIGHT, -1, 0, 0, 0},
> @@ -1621,16 +1621,28 @@ print_queue_node(struct pfctl_queue_node *node)
>   tbprintf(" on %s ", node->qs.ifname);
>   print_fld_tb(FLD_QUEUE);
>  
>   // XXX: missing min, max, burst
>   tb_start();
> - rate = node->qs.linkshare.m2.absolute;
> - for (i = 0; rate >= 1000 && i <= 3; i++)
> - rate /= 1000;
> - tbprintf("%u%c", rate, unit[i]);
> + if (node->qs.flags & PFQS_FLOWQUEUE)
> + /*
> +  * XXX We're abusing the fact that 'flows' in
> +  * the fqcodel_stats structure is at the same
> +  * spot as the 'period' in hfsc_class_stats.
> +  */
> + tbprintf("%u", node->qstats.data.period);
> + else {
> + rate = node->qs.linkshare.m2.absolute;
> + for (i = 0; rate >= 1000 && i <= 3; i++)
> + rate /= 1000;
> + tbprintf("%u%c", rate, unit[i]);
> + }
>   print_fld_tb(FLD_BANDW);
>  
> + print_fld_str(FLD_SCHED, node->qs.flags & PFQS_FLOWQUEUE ?
> + "flow" : "fifo");
> +
>   if (node->qstats.valid && node->qstats_last.valid)
>   interval = calc_interval(>qstats.timestamp,
>   >qstats_last.timestamp);
>   else
>   interval = 0;
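Review bot: the XXX comment records a layout dependence: `node->qstats.data.period` is read as the flow count only because `flows` in fqcodel_stats happens to sit at the same offset as `period` in hfsc_class_stats. Rather than leave that as a comment, either add the union to pfctl_queue_node that the cover letter mentions, or at least a compile-time offsetof() check on the two members so a later change to either struct breaks the build instead of printing a wrong number. Also, the `if` arm is brace-less with a multi-line comment while the `else` arm is braced; bracing both keeps the statement readable.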



CPU_LIDSUSPEND in init(8) and reboot(8)

2017-05-21 Thread Martin Natano
While switching init and reboot to CPU_LIDACTION, I forgot about the
#ifdef's. Ok?

natano


Index: init/init.c
===
RCS file: /cvs/src/sbin/init/init.c,v
retrieving revision 1.64
diff -u -p -r1.64 init.c
--- init/init.c 3 May 2017 09:51:39 -   1.64
+++ init/init.c 21 May 2017 07:25:07 -
@@ -1325,7 +1325,7 @@ f_nice_death(void)
static const int death_sigs[3] = { SIGHUP, SIGTERM, SIGKILL };
int status;
 
-#ifdef CPU_LIDSUSPEND
+#ifdef CPU_LIDACTION
int mib[] = {CTL_MACHDEP, CPU_LIDACTION};
int lidaction = 0;
 
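Review bot: the reboot.c part of this diff also renames the comment on the matching `#endif /* CPU_LIDSUSPEND */`, but no such hunk is shown for init.c; check whether init.c's closing `#endif` carries the old name as well so the two files end up consistent.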
Index: reboot/reboot.c
===
RCS file: /cvs/src/sbin/reboot/reboot.c,v
retrieving revision 1.36
diff -u -p -r1.36 reboot.c
--- reboot/reboot.c 2 Mar 2017 10:38:09 -   1.36
+++ reboot/reboot.c 21 May 2017 07:25:31 -
@@ -112,7 +112,7 @@ main(int argc, char *argv[])
if (geteuid())
errx(1, "%s", strerror(EPERM));
 
-#ifdef CPU_LIDSUSPEND
+#ifdef CPU_LIDACTION
if (howto & RB_POWERDOWN) {
/* Disable suspending on laptop lid close */
int mib[] = {CTL_MACHDEP, CPU_LIDACTION};
@@ -122,7 +122,7 @@ main(int argc, char *argv[])
sizeof(lidaction)) == -1 && errno != EOPNOTSUPP)
warn("sysctl");
}
-#endif /* CPU_LIDSUSPEND */
+#endif /* CPU_LIDACTION */
 
if (qflag) {
reboot(howto);



Re: Fix comment into sys/dev/acpi/acpibtn.c

2017-05-21 Thread Martin Natano
On Thu, May 11, 2017 at 01:11:16PM +0200, David Coppa wrote:
> 
> I think this comment was copy-pasted as is from the comment some
> lines below, but this is about hibernation, not sleep.

sleep != suspend

Suspend and hibernate both are sleep states.


> 
> Ok?
> 
> Index: acpibtn.c
> ===
> RCS file: /cvs/src/sys/dev/acpi/acpibtn.c,v
> retrieving revision 1.44
> diff -u -p -u -p -r1.44 acpibtn.c
> --- acpibtn.c 2 Mar 2017 10:38:10 -   1.44
> +++ acpibtn.c 11 May 2017 11:10:21 -
> @@ -236,7 +236,7 @@ acpibtn_notify(struct aml_node *node, in
>   goto sleep;
>  #ifdef HIBERNATE
>   case 2:
> - /* Request to go to sleep */
> + /* Request hibernation */
>   if (acpi_record_event(sc->sc_acpi, 
> APM_USER_HIBERNATE_REQ))
>   acpi_addtask(sc->sc_acpi, acpi_sleep_task,
>   sc->sc_acpi, ACPI_SLEEP_HIBERNATE);
>
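Review bot: the replacement wording is more specific but the original was not wrong, as the reply points out: hibernation is itself a sleep state, and this case records APM_USER_HIBERNATE_REQ and schedules ACPI_SLEEP_HIBERNATE. If the comment is changed, "Request hibernation" matches the code; describe it in the commit message as a clarification rather than a fix.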