Re: Add Diffie-Hellman group negotiation to iked
Hello again,

Tim Stewart writes:

> Tim Stewart writes:
>
>> This patch teaches iked to reject a KE with a Notify payload of type
>> INVALID_KE_PAYLOAD when the KE uses a different Diffie-Hellman group
>> than is configured locally. The rejection indicates the desired
>> group.
>>
>> In my environment, this patch allows stock strongSwan on Android from
>> the Google Play store to interop with iked. strongSwan's logs show
>> the following once iked is patched:
>>
>> [IKE] initiating IKE_SA android[7] to 192.0.2.1
>> [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
>> N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>> [ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
>> [IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
>> [IKE] initiating IKE_SA android[7] to 192.0.2.1
>> [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
>> N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>> [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
>> CERTREQ N(HASH_ALG) ]
>>
>> I'm happy to iterate on this patch to get it into proper shape for
>> inclusion.
>
> I discovered a bug in the previous patch that broke renegotiation of
> CHILD SAs. I was ignoring "other than NONE" in the following sentence
> from RFC 5996 section 3.4:
>
>    If the selected proposal uses a different Diffie-Hellman group
>    (other than NONE), the message MUST be rejected with a Notify
>    payload of type INVALID_KE_PAYLOAD.
>
> The new patch below repairs the flaw.

After re-reading relevant parts of the RFC I'm not convinced that my fix (rejecting with INVALID_KE_PAYLOAD unless msg->msg_dhgroup is IKEV2_XFORMDH_NONE) is correct. It happens to resolve my local issue but I think it may accidentally work due to a side effect of the code path for rekeying a child SA. I will look at it more closely this week.

-TimS

P.S. Is there someone I could add to the To: or Cc: headers of these iked-related messages? Or should I simply be patient?
-- Tim Stewart --- Mail: t...@stoo.org Matrix: @tim:stoo.org
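The negotiation discussed in the message above, as an added example that is not part of the original post and is not iked code: a responder-side group check following one reading of the quoted RFC 5996 section 3.4 sentence, the INVALID_KE_PAYLOAD Notify payload it sends, and the initiator-side parse that picks the retry group. All function names are hypothetical; the offered-group check on the initiator is an assumption added here because the notify arrives unauthenticated.

```c
/* Added example, not iked code: the DH group check and INVALID_KE_PAYLOAD
 * round trip from the thread above. Function names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DH_NONE       0		/* IKEv2 transform type 4 (D-H) IDs */
#define DH_MODP_2048  14
#define DH_ECP_256    19
#define N_INVALID_KE_PAYLOAD 17	/* Notify Message Type */
#define NOTIFY_LEN    10	/* 4 generic hdr + 4 notify hdr + 2 data */

/* Responder: 1 = reject. One reading of the quoted RFC 5996 3.4 sentence:
 * a selected group of NONE needs no KE, so there is nothing to compare. */
int
ke_must_reject(uint16_t selected, uint16_t ke_group)
{
	return (selected != DH_NONE && selected != ke_group);
}

/* Responder: write the Notify payload naming the wanted group. */
size_t
build_invalid_ke(uint8_t *buf, size_t buflen, uint16_t wanted)
{
	if (buflen < NOTIFY_LEN)
		return (0);
	buf[0] = 0;				/* next payload: none */
	buf[1] = 0;				/* critical bit clear */
	buf[2] = 0; buf[3] = NOTIFY_LEN;	/* payload length */
	buf[4] = 0;				/* protocol ID: none */
	buf[5] = 0;				/* SPI size */
	buf[6] = (uint8_t)(N_INVALID_KE_PAYLOAD >> 8);
	buf[7] = (uint8_t)(N_INVALID_KE_PAYLOAD & 0xff);
	buf[8] = (uint8_t)(wanted >> 8);	/* group, network byte order */
	buf[9] = (uint8_t)(wanted & 0xff);
	return (NOTIFY_LEN);
}

/* Initiator: return the group to retry with, or -1. The notify is
 * unauthenticated, so only a group we offered ourselves is accepted. */
int
parse_invalid_ke(const uint8_t *buf, size_t len,
    const uint16_t *offered, size_t noffered)
{
	uint16_t group;
	size_t i;

	if (len < NOTIFY_LEN || ((buf[2] << 8) | buf[3]) != NOTIFY_LEN)
		return (-1);
	if (buf[5] != 0 || ((buf[6] << 8) | buf[7]) != N_INVALID_KE_PAYLOAD)
		return (-1);
	group = (uint16_t)((buf[8] << 8) | buf[9]);
	for (i = 0; i < noffered; i++)
		if (group != DH_NONE && offered[i] == group)
			return (group);
	return (-1);
}

int
main(void)
{
	const uint16_t offered[] = { DH_ECP_256, DH_MODP_2048 };
	uint8_t pkt[NOTIFY_LEN];
	size_t n;

	/* Constructed case: responder wants MODP_2048, KE came in ECP_256. */
	if (ke_must_reject(DH_MODP_2048, DH_ECP_256)) {
		n = build_invalid_ke(pkt, sizeof(pkt), DH_MODP_2048);
		printf("retry with group %d\n",
		    parse_invalid_ke(pkt, n, offered, 2));
	}
	return (0);
}
```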
Re: [PATCH] add D-Link DWA-525 rev A2 to ral(4)
On Mon, May 22, 2017 at 01:13:34PM +0800, Kevin Lo wrote: > Hi, > > The diff below adds D-Link DWA-525 rev A2 to ral(4) which works fine on amd64 > and update ral(4) manpage. This could also add other missing ids. RALINK 0x3390 (RT33XX) 0x359f (RT35XX) 0x5362 (RT53XX) EDIMAX 0x7711 (RT35XX) 0x7722 (RT35XX) You don't need to change $Mdocdate$, that gets expanded automatically. > > # dmesg |grep ral0 > ral0 at pci3 dev 1 function 0 "Ralink RT5360" rev 0x00: apic 2 int 16, > address f8:e9:03:ae:08:c4 > ral0: MAC/BBP RT5392 (rev 0x0223), RF RT5360 (MIMO 1T1R) > > # ifconfig ral0 > ral0: flags=8843mtu 1500 > lladdr f8:e9:03:ae:08:c4 > index 4 priority 4 llprio 3 > groups: wlan egress > media: IEEE802.11 autoselect (DS2 mode 11g) > status: active > ieee80211: nwid wsl chan 6 bssid 00:0e:8e:75:14:98 -7dBm wpakey > 0xa59c2e8f35d4276057224f20c93b023a87c53ed619005772ff1636311b3bfca3 wpaprotos > wpa2 wpaakms psk wpaciphers ccmp wpagroupcipher ccmp > inet 10.0.1.3 netmask 0xff00 broadcast 10.0.1.255 > > Index: share/man/man4/ral.4 > === > RCS file: /cvs/src/share/man/man4/ral.4,v > retrieving revision 1.110 > diff -u -p -u -p -r1.110 ral.4 > --- share/man/man4/ral.4 17 Aug 2016 11:52:29 - 1.110 > +++ share/man/man4/ral.4 22 May 2017 05:10:41 - > @@ -14,7 +14,7 @@ > .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF > .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. > .\" > -.Dd $Mdocdate: August 17 2016 $ > +.Dd $Mdocdate: May 22 2017 $ > .Dt RAL 4 > .Os > .Sh NAME > @@ -160,6 +160,7 @@ CNet CWP-854. > Compex WLP54G. > Conceptronic C54Ri. > Corega CG-WLPCI54GL. > +D-Link DWA-525 rev A2. > Digitus DN-7006G-RA. > Dynalink WLG25PCI. > E-Tech WGPI02. > Index: sys/dev/ic/rt2860.c > === > RCS file: /cvs/src/sys/dev/ic/rt2860.c,v > retrieving revision 1.92 > diff -u -p -u -p -r1.92 rt2860.c > --- sys/dev/ic/rt2860.c 22 Jan 2017 10:17:38 - 1.92 > +++ sys/dev/ic/rt2860.c 22 May 2017 05:10:43 - 
> @@ -3106,6 +3106,7 @@ rt2860_get_rf(uint16_t rev) > case RT3070_RF_3052:return "RT3052"; > case RT3070_RF_3320:return "RT3320"; > case RT3070_RF_3053:return "RT3053"; > + case RT5390_RF_5360:return "RT5360"; > case RT5390_RF_5390:return "RT5390"; > case RT5390_RF_5392:return "RT5392"; > default:return "unknown"; > Index: sys/dev/ic/rt2860reg.h > === > RCS file: /cvs/src/sys/dev/ic/rt2860reg.h,v > retrieving revision 1.33 > diff -u -p -u -p -r1.33 rt2860reg.h > --- sys/dev/ic/rt2860reg.h17 Aug 2016 11:50:52 - 1.33 > +++ sys/dev/ic/rt2860reg.h22 May 2017 05:10:44 - > @@ -925,6 +925,7 @@ struct rt2860_rxwi { > #define RT3070_RF_3320 0x000b /* 1T1R */ > #define RT3070_RF_3053 0x000d /* dual-band 3T3R */ > #define RT5592_RF_5592 0x000f /* dual-band 2T2R */ > +#define RT5390_RF_5360 0x5360 /* 1T1R */ > #define RT5390_RF_5370 0x5370 /* 1T1R */ > #define RT5390_RF_5372 0x5372 /* 2T2R */ > #define RT5390_RF_5390 0x5390 /* 1T1R */ > Index: sys/dev/pci/if_ral_pci.c > === > RCS file: /cvs/src/sys/dev/pci/if_ral_pci.c,v > retrieving revision 1.25 > diff -u -p -u -p -r1.25 if_ral_pci.c > --- sys/dev/pci/if_ral_pci.c 17 Aug 2016 11:50:52 - 1.25 > +++ sys/dev/pci/if_ral_pci.c 22 May 2017 05:10:44 - > @@ -136,6 +136,7 @@ const struct pci_matchid ral_pci_devices > { PCI_VENDOR_RALINK, PCI_PRODUCT_RALINK_RT3562 }, > { PCI_VENDOR_RALINK, PCI_PRODUCT_RALINK_RT3592 }, > { PCI_VENDOR_RALINK, PCI_PRODUCT_RALINK_RT3593 }, > + { PCI_VENDOR_RALINK, PCI_PRODUCT_RALINK_RT5360 }, > { PCI_VENDOR_RALINK, PCI_PRODUCT_RALINK_RT5390 }, > { PCI_VENDOR_RALINK, PCI_PRODUCT_RALINK_RT5392 }, > { PCI_VENDOR_RALINK, PCI_PRODUCT_RALINK_RT5390_1 }, > Index: sys/dev/pci/pcidevs > === > RCS file: /cvs/src/sys/dev/pci/pcidevs,v > retrieving revision 1.1818 > diff -u -p -u -p -r1.1818 pcidevs > --- sys/dev/pci/pcidevs 17 May 2017 05:00:17 - 1.1818 > +++ sys/dev/pci/pcidevs 22 May 2017 05:10:46 - 
> @@ -6560,6 +6560,7 @@ product RALINK RT3298 0x3298 Bluetooth > product RALINK RT35620x3562 RT3562 > product RALINK RT35920x3592 RT3592 > product RALINK RT35930x3593 RT3593 > +product RALINK RT53600x5360 RT5360 > product RALINK RT53900x5390 RT5390 > product RALINK RT53920x5392 RT5392 > product RALINK RT5390_1
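Review bot: In the rt2860_get_rf() hunk the new RT5390_RF_5360 case sits directly before RT5390_RF_5390, so the visible switch has no case for RT5390_RF_5370 or RT5390_RF_5372, both of which appear as context in the rt2860reg.h hunk. If those values are not handled elsewhere in the function they print as "unknown"; since this diff is already filling in a missing RF name, consider adding those two cases alongside the missing PCI ids suggested in the reply.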
Re: Add Diffie-Hellman group negotiation to iked
Tim Stewart writes:

> This patch teaches iked to reject a KE with a Notify payload of type
> INVALID_KE_PAYLOAD when the KE uses a different Diffie-Hellman group
> than is configured locally. The rejection indicates the desired
> group.
>
> In my environment, this patch allows stock strongSwan on Android from
> the Google Play store to interop with iked. strongSwan's logs show
> the following once iked is patched:
>
> [IKE] initiating IKE_SA android[7] to 192.0.2.1
> [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> [ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> [IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
> [IKE] initiating IKE_SA android[7] to 192.0.2.1
> [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> CERTREQ N(HASH_ALG) ]
>
> I'm happy to iterate on this patch to get it into proper shape for
> inclusion.

I discovered a bug in the previous patch that broke renegotiation of CHILD SAs. I was ignoring "other than NONE" in the following sentence from RFC 5996 section 3.4:

   If the selected proposal uses a different Diffie-Hellman group
   (other than NONE), the message MUST be rejected with a Notify
   payload of type INVALID_KE_PAYLOAD.

The new patch below repairs the flaw.

-TimS

Index: iked.h === RCS file: /cvs/src/sbin/iked/iked.h,v retrieving revision 1.115 diff -u -p -r1.115 iked.h --- iked.h 26 Apr 2017 10:42:38 - 1.115 +++ iked.h 22 May 2017 05:29:17 - 
@@ -502,6 +502,7 @@ struct iked_message { struct iked_proposalsmsg_proposals; struct iked_spi msg_rekey; struct ibuf *msg_nonce; /* dh NONCE */ + uint16_t msg_dhgroup; /* dh group */ struct ibuf *msg_ke;/* dh key exchange */ struct iked_id msg_auth; /* AUTH payload */ struct iked_id msg_id; Index: ikev2.c === RCS file: /cvs/src/sbin/iked/ikev2.c,v retrieving revision 1.154 diff -u -p -r1.154 ikev2.c --- ikev2.c 26 Apr 2017 10:42:38 - 1.154 +++ ikev2.c 22 May 2017 05:29:18 - @@ -71,6 +71,8 @@ intikev2_init_done(struct iked *, stru voidikev2_resp_recv(struct iked *, struct iked_message *, struct ike_header *); int ikev2_resp_ike_sa_init(struct iked *, struct iked_message *); +int ikev2_resp_ike_invalid_ke(struct iked *, struct iked_message *, + struct iked_kex *); int ikev2_resp_ike_auth(struct iked *, struct iked_sa *); int ikev2_resp_ike_eap(struct iked *, struct iked_sa *, struct ibuf *); int ikev2_send_auth_failed(struct iked *, struct iked_sa *); @@ -96,8 +98,8 @@ intikev2_sa_responder(struct iked *, s struct iked_message *); int ikev2_sa_initiator_dh(struct iked_sa *, struct iked_message *, unsigned int); -int ikev2_sa_responder_dh(struct iked_kex *, struct iked_proposals *, - struct iked_message *, unsigned int); +int ikev2_sa_responder_dh(struct iked *, struct iked_kex *, + struct iked_proposals *, struct iked_message *, unsigned int); voidikev2_sa_cleanup_dh(struct iked_sa *); int ikev2_sa_keys(struct iked *, struct iked_sa *, struct ibuf *); int ikev2_sa_tag(struct iked_sa *, struct iked_id *); 
@@ -2279,6 +2281,84 @@ ikev2_resp_ike_sa_init(struct iked *env, } int +ikev2_resp_ike_invalid_ke(struct iked *env, struct iked_message *msg, +struct iked_kex *kex) +{ + struct iked_message resp; + struct ike_header *hdr; + struct ikev2_payload*pld; + struct ikev2_notify *n; + struct iked_sa *sa = msg->msg_sa; + struct ibuf *buf; + uint8_t *ptr; + ssize_t len; + uint16_t group; + int ret = -1; + + if (sa->sa_hdr.sh_initiator) { + log_debug("%s: called by initiator", __func__); + return (-1); + } + + log_debug("%s: rejecting with INVALID_KE_PAYLOAD", __func__); + + if ((buf = ikev2_msg_init(env, , + >msg_peer, msg->msg_peerlen, + >msg_local, msg->msg_locallen, 1)) == NULL) + goto done; + + resp.msg_sa = sa; + resp.msg_fd = msg->msg_fd; + resp.msg_natt = msg->msg_natt; + resp.msg_msgid = 0; + + /* IKE header */ + if ((hdr = ikev2_add_header(buf, sa, resp.msg_msgid, + IKEV2_PAYLOAD_NOTIFY, IKEV2_EXCHANGE_IKE_SA_INIT, + IKEV2_FLAG_RESPONSE)) ==
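Review bot: In the ikev2.c hunk at -2279, ikev2_resp_ike_invalid_ke() hard-codes resp.msg_msgid = 0 and IKEV2_EXCHANGE_IKE_SA_INIT in the header, so it can only produce a correct reply to an IKE_SA_INIT request. ikev2_sa_responder_dh() now takes env, and the message says the earlier version broke CHILD SA renegotiation, so if the rejection can be reached from a CREATE_CHILD_SA exchange the notify would go out with the wrong exchange type and message ID. Either check the exchange type of msg before calling it and say so in a comment above the function, or derive the exchange type and message ID from the request. Also, sa is taken from msg->msg_sa and dereferenced in the sh_initiator test without a NULL check; confirm every caller guarantees it is set.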
[PATCH] add D-Link DWA-525 rev A2 to ral(4)
Hi, The diff below adds D-Link DWA-525 rev A2 to ral(4) which works fine on amd64 and update ral(4) manpage. # dmesg |grep ral0 ral0 at pci3 dev 1 function 0 "Ralink RT5360" rev 0x00: apic 2 int 16, address f8:e9:03:ae:08:c4 ral0: MAC/BBP RT5392 (rev 0x0223), RF RT5360 (MIMO 1T1R) # ifconfig ral0 ral0: flags=8843mtu 1500 lladdr f8:e9:03:ae:08:c4 index 4 priority 4 llprio 3 groups: wlan egress media: IEEE802.11 autoselect (DS2 mode 11g) status: active ieee80211: nwid wsl chan 6 bssid 00:0e:8e:75:14:98 -7dBm wpakey 0xa59c2e8f35d4276057224f20c93b023a87c53ed619005772ff1636311b3bfca3 wpaprotos wpa2 wpaakms psk wpaciphers ccmp wpagroupcipher ccmp inet 10.0.1.3 netmask 0xff00 broadcast 10.0.1.255 Index: share/man/man4/ral.4 === RCS file: /cvs/src/share/man/man4/ral.4,v retrieving revision 1.110 diff -u -p -u -p -r1.110 ral.4 --- share/man/man4/ral.417 Aug 2016 11:52:29 - 1.110 +++ share/man/man4/ral.422 May 2017 05:10:41 - @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: August 17 2016 $ +.Dd $Mdocdate: May 22 2017 $ .Dt RAL 4 .Os .Sh NAME @@ -160,6 +160,7 @@ CNet CWP-854. Compex WLP54G. Conceptronic C54Ri. Corega CG-WLPCI54GL. +D-Link DWA-525 rev A2. Digitus DN-7006G-RA. Dynalink WLG25PCI. E-Tech WGPI02. Index: sys/dev/ic/rt2860.c === RCS file: /cvs/src/sys/dev/ic/rt2860.c,v retrieving revision 1.92 diff -u -p -u -p -r1.92 rt2860.c --- sys/dev/ic/rt2860.c 22 Jan 2017 10:17:38 - 1.92 +++ sys/dev/ic/rt2860.c 22 May 2017 05:10:43 - 
@@ -3106,6 +3106,7 @@ rt2860_get_rf(uint16_t rev) case RT3070_RF_3052:return "RT3052"; case RT3070_RF_3320:return "RT3320"; case RT3070_RF_3053:return "RT3053"; + case RT5390_RF_5360:return "RT5360"; case RT5390_RF_5390:return "RT5390"; case RT5390_RF_5392:return "RT5392"; default:return "unknown"; Index: sys/dev/ic/rt2860reg.h === RCS file: /cvs/src/sys/dev/ic/rt2860reg.h,v retrieving revision 1.33 diff -u -p -u -p -r1.33 rt2860reg.h --- sys/dev/ic/rt2860reg.h 17 Aug 2016 11:50:52 - 1.33 +++ sys/dev/ic/rt2860reg.h 22 May 2017 05:10:44 - @@ -925,6 +925,7 @@ struct rt2860_rxwi { #define RT3070_RF_3320 0x000b /* 1T1R */ #define RT3070_RF_3053 0x000d /* dual-band 3T3R */ #define RT5592_RF_5592 0x000f /* dual-band 2T2R */ +#define RT5390_RF_5360 0x5360 /* 1T1R */ #define RT5390_RF_5370 0x5370 /* 1T1R */ #define RT5390_RF_5372 0x5372 /* 2T2R */ #define RT5390_RF_5390 0x5390 /* 1T1R */ Index: sys/dev/pci/if_ral_pci.c === RCS file: /cvs/src/sys/dev/pci/if_ral_pci.c,v retrieving revision 1.25 diff -u -p -u -p -r1.25 if_ral_pci.c --- sys/dev/pci/if_ral_pci.c17 Aug 2016 11:50:52 - 1.25 +++ sys/dev/pci/if_ral_pci.c22 May 2017 05:10:44 - @@ -136,6 +136,7 @@ const struct pci_matchid ral_pci_devices { PCI_VENDOR_RALINK, PCI_PRODUCT_RALINK_RT3562 }, { PCI_VENDOR_RALINK, PCI_PRODUCT_RALINK_RT3592 }, { PCI_VENDOR_RALINK, PCI_PRODUCT_RALINK_RT3593 }, + { PCI_VENDOR_RALINK, PCI_PRODUCT_RALINK_RT5360 }, { PCI_VENDOR_RALINK, PCI_PRODUCT_RALINK_RT5390 }, { PCI_VENDOR_RALINK, PCI_PRODUCT_RALINK_RT5392 }, { PCI_VENDOR_RALINK, PCI_PRODUCT_RALINK_RT5390_1 }, Index: sys/dev/pci/pcidevs === RCS file: /cvs/src/sys/dev/pci/pcidevs,v retrieving revision 1.1818 diff -u -p -u -p -r1.1818 pcidevs --- sys/dev/pci/pcidevs 17 May 2017 05:00:17 - 1.1818 +++ sys/dev/pci/pcidevs 22 May 2017 05:10:46 - 
@@ -6560,6 +6560,7 @@ product RALINK RT3298 0x3298 Bluetooth product RALINK RT3562 0x3562 RT3562 product RALINK RT3592 0x3592 RT3592 product RALINK RT3593 0x3593 RT3593 +product RALINK RT5360 0x5360 RT5360 product RALINK RT5390 0x5390 RT5390 product RALINK RT5392 0x5392 RT5392 product RALINK RT5390_10x539a RT5390
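Review bot: The only change to sys/dev/ic/rt2860.c is the name string in rt2860_get_rf(), while the dmesg above reports "MAC/BBP RT5392 ... RF RT5360", so the new RT5390_RF_5360 value (0x5360) reaches the driver's RF handling without any other code in that file being told about it. Please confirm that the RF-revision comparisons used for channel and calibration setup treat 0x5360 like the other RT5390-family 1T1R parts rather than falling into a default path, and mention in the commit message which code path the card takes. The .Dd $Mdocdate$ hunk in ral.4 can be dropped, as it is expanded automatically.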
Re: dig(1) doesn't play well with rebound(8)
On 05/21/17 14:53, Edgar Pettijohn wrote:

> This may not be the best way to handle this, but it was the first fix to come to mind. Not sure where to put this in the manual or if it's even worth documenting. Thoughts?
>
> Thanks,
>
> Edgar

Well it worked when invoked as /usr/src/usr.sbin/bind/bin/dig/dig -r but when installed it says Invalid option -r. Dig's option parsing confuses the hell out of me.
dig(1) doesn't play well with rebound(8)
This may not be the best way to handle this, but it was the first fix to come to mind. Not sure where to put this in the manual or if it's even worth documenting. Thoughts?

Thanks,

Edgar

Index: dig.c === RCS file: /cvs/src/usr.sbin/bind/bin/dig/dig.c,v retrieving revision 1.17 diff -u -p -u -r1.17 dig.c --- dig.c 5 Jun 2016 15:09:17 - 1.17 +++ dig.c 21 May 2017 19:48:09 - @@ -1053,7 +1053,7 @@ plus_option(char *option, isc_boolean_t /*% * #ISC_TRUE returned if value was used */ -static const char *single_dash_opts = "46dhimnv"; +static const char *single_dash_opts = "46dhimnrv"; static const char *dash_opts = "46bcdfhikmnptvyx"; static isc_boolean_t dash_option(char *option, char *next, dig_lookup_t **lookup, @@ -1121,6 +1121,9 @@ dash_option(char *option, char *next, di break; case 'n': /* deprecated */ + break; + case 'r': + rebound = ISC_TRUE; break; case 'v': version(); Index: include/dig/dig.h === RCS file: /cvs/src/usr.sbin/bind/bin/dig/include/dig/dig.h,v retrieving revision 1.8 diff -u -p -u -r1.8 dig.h --- include/dig/dig.h 16 Aug 2009 13:17:44 - 1.8 +++ include/dig/dig.h 21 May 2017 19:47:52 - @@ -274,7 +274,7 @@ extern isc_boolean_t validated; extern isc_taskmgr_t *taskmgr; extern isc_task_t *global_task; extern isc_boolean_t free_now; -extern isc_boolean_t debugging, memdebugging; +extern isc_boolean_t debugging, memdebugging, rebound; extern char *progname; extern int tries; Index: dighost.c === RCS file: /cvs/src/usr.sbin/bind/bin/dig/dighost.c,v retrieving revision 1.15 diff -u -p -u -r1.15 dighost.c --- dighost.c 28 Sep 2015 15:55:54 - 1.15 +++ dighost.c 21 May 2017 19:47:27 - @@ -118,6 +118,7 @@ isc_boolean_t showsearch = ISC_FALSE, qr = ISC_FALSE, is_dst_up = ISC_FALSE; +isc_boolean_t rebound; in_port_t port = 0; unsigned int timeout = 0; unsigned int extrabytes; 
@@ -2854,17 +2855,19 @@ recv_done(isc_task_t *task, isc_event_t * sent to 0.0.0.0, :: or to a multicast addresses. * XXXMPA broadcast needs to be handled here as well. */ - if ((!isc_sockaddr_eqaddr(>sockaddr, ) && - !isc_sockaddr_ismulticast(>sockaddr)) || - isc_sockaddr_getport(>sockaddr) != - isc_sockaddr_getport(>address)) { - isc_sockaddr_format(>address, buf1, - sizeof(buf1)); - isc_sockaddr_format(>sockaddr, buf2, - sizeof(buf2)); - printf(";; reply from unexpected source: %s," - " expected %s\n", buf1, buf2); - match = ISC_FALSE; + if (!rebound) { + if ((!isc_sockaddr_eqaddr(>sockaddr, ) && + !isc_sockaddr_ismulticast(>sockaddr)) || + isc_sockaddr_getport(>sockaddr) != + isc_sockaddr_getport(>address)) { + isc_sockaddr_format(>address, buf1, + sizeof(buf1)); + isc_sockaddr_format(>sockaddr, buf2, + sizeof(buf2)); + printf(";; reply from unexpected source: %s," + " expected %s\n", buf1, buf2); + match = ISC_FALSE; + } } }
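Review bot: In the recv_done() hunk of dighost.c, wrapping the whole test in if (!rebound) switches off both the address comparison and the port comparison, so with -r dig accepts a reply from any source address and port and never prints the "reply from unexpected source" warning. That check is what ties a reply to the server that was queried; please narrow the exemption to what rebound(8) actually needs, for example keep the isc_sockaddr_getport() comparison and relax only the address test, or accept the mismatch only when the reply comes from a loopback address. The new global in dighost.c is also the only one in that block without an explicit ISC_FALSE initialiser, and -r needs an entry in the usage text and dig(1) so users know what it disables.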
[patch/openbgpd] make man example works
Hi, bgpd.conf manual has an example with : good="{ 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }" bad="{ 224.0.0.0/4 prefixlen >= 4, 240.0.0.0/4 prefixlen >= 4 }" ugly="{ 127.0.0.1/8, 169.254.0.0/16 }" deny from any prefix { $good $bad $ugly } This syntax is not valid with current parse.y. Here is a patch to make it valid. Index: parse.y === RCS file: /cvs/src/usr.sbin/bgpd/parse.y,v retrieving revision 1.298 diff -u -p -r1.298 parse.y --- parse.y 22 Feb 2017 13:55:14 - 1.298 +++ parse.y 21 May 2017 17:29:11 - @@ -217,6 +217,7 @@ typedef struct { %typefilter_set_opt %type filter_set filter_set_l %type filter_prefix filter_prefix_l filter_prefix_h +%type filter_prefix_m %typeunaryop equalityop binaryop filter_as_type %type encspec %% @@ -1615,8 +1616,22 @@ filter_prefix_h : IPV4 prefixlenop { } } | PREFIX filter_prefix { $$ = $2; } - | PREFIX '{' filter_prefix_l '}'{ $$ = $3; } + | PREFIX '{' filter_prefix_m '}'{ $$ = $3; } ; + +filter_prefix_m: filter_prefix_l + | '{' filter_prefix_l '}' { $$ = $2; } + | '{' filter_prefix_l '}' filter_prefix_m + { + struct filter_prefix_l *p; + + /* merge, both can be lists */ + for (p = $2; p != NULL && p->next != NULL; p = p->next) + ; /* nothing */ + if (p != NULL) + p->next = $4; + $$ = $2; + } filter_prefix_l: filter_prefix { $$ = $1; } | filter_prefix_l comma filter_prefix {
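Review bot: The new filter_prefix_m rule in the -1615 hunk has no terminating ';' before filter_prefix_l: begins, whereas filter_prefix_h just above it keeps its ';'. yacc accepts that, but it is easy to misread as a continuation and does not match the rest of parse.y; add the ';' after the closing brace of the merge action. The first alternative (a bare filter_prefix_l) also relies on the implicit $$ = $1 while the other two set $$ explicitly, so spell it out for consistency. Finally, the grammar accepts a braced group followed by more groups or by a plain list, but not a plain list followed by a braced group; if that asymmetry is intended, a one-line comment above the rule would help.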
Re: Displaying flow queue in the systat
On Mon, May 15, 2017 at 20:13 +0200, Mike Belopuhov wrote: > Here are some bits to display flow queues alongside H-FSC ones. > It's a bit hackish in a way I switch the "bandwidth" field to > the "bandwidth or flows" and then use node->qstats.data.period > because I'm too lazy to change the pfctl_queue_node to include > a union... This will require changes in the whole file instead > of just an XXX comment. Does it bother anybody? > > I also make use of a presently empty field "SCH" to display the > queue management policy (flow or fifo) which is not strictly a > scheduler, but it will become descriptive when I'll [hopefully] > hook up FQ-CoDel to HFSC so that it would be an HFSC class with > its queue managed by the FQ-CoDel. This will distinguish such > queues from the regular HFSC ones that use a FIFO queue. > > OK? > No objections? > diff --git usr.bin/systat/pftop.c usr.bin/systat/pftop.c > index 673a69df6a6..d19affeae90 100644 > --- usr.bin/systat/pftop.c > +++ usr.bin/systat/pftop.c > @@ -146,11 +146,11 @@ field_def fields[] = { > {"RATE", 5, 8, 1, FLD_ALIGN_RIGHT, -1, 0, 0, 0}, > {"AVG", 5, 8, 1, FLD_ALIGN_RIGHT, -1, 0, 0, 0}, > {"PEAK", 5, 8, 1, FLD_ALIGN_RIGHT, -1, 0, 0, 0}, > {"ANCHOR", 6, 16, 1, FLD_ALIGN_LEFT, -1, 0, 0}, > {"QUEUE", 15, 30, 1, FLD_ALIGN_LEFT, -1, 0, 0, 0}, > - {"BW", 4, 5, 1, FLD_ALIGN_RIGHT, -1, 0, 0, 0}, > + {"BW/FL", 4, 5, 1, FLD_ALIGN_RIGHT, -1, 0, 0, 0}, > {"SCH", 3, 4, 1, FLD_ALIGN_LEFT, -1, 0, 0, 0}, > {"DROP_P", 6, 8, 1, FLD_ALIGN_RIGHT, -1, 0, 0, 0}, > {"DROP_B", 6, 8, 1, FLD_ALIGN_RIGHT, -1, 0, 0, 0}, > {"QLEN", 4, 4, 1, FLD_ALIGN_RIGHT, -1, 0, 0, 0}, > {"BORROW", 4, 6, 1, FLD_ALIGN_RIGHT, -1, 0, 0, 0}, 
> @@ -1621,16 +1621,28 @@ print_queue_node(struct pfctl_queue_node *node) > tbprintf(" on %s ", node->qs.ifname); > print_fld_tb(FLD_QUEUE); > > // XXX: missing min, max, burst > tb_start(); > - rate = node->qs.linkshare.m2.absolute; > - for (i = 0; rate >= 1000 && i <= 3; i++) > - rate /= 1000; > - tbprintf("%u%c", rate, unit[i]); > + if (node->qs.flags & PFQS_FLOWQUEUE) > + /* > + * XXX We're abusing the fact that 'flows' in > + * the fqcodel_stats structure is at the same > + * spot as the 'period' in hfsc_class_stats. > + */ > + tbprintf("%u", node->qstats.data.period); > + else { > + rate = node->qs.linkshare.m2.absolute; > + for (i = 0; rate >= 1000 && i <= 3; i++) > + rate /= 1000; > + tbprintf("%u%c", rate, unit[i]); > + } > print_fld_tb(FLD_BANDW); > > + print_fld_str(FLD_SCHED, node->qs.flags & PFQS_FLOWQUEUE ? > + "flow" : "fifo"); > + > if (node->qstats.valid && node->qstats_last.valid) > interval = calc_interval(>qstats.timestamp, > >qstats_last.timestamp); > else > interval = 0;
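Review bot: In print_queue_node(), reading the flow count through node->qstats.data.period depends on 'flows' in fqcodel_stats and 'period' in hfsc_class_stats sharing an offset and width, and nothing in this diff enforces that, so a later change to either structure would silently print garbage in the BW/FL column. If the union is not going in now, at least add a compile-time assertion on the two offsets next to the XXX comment. The if branch is a multi-line comment plus a statement without braces while the else branch is braced; brace both. Also check that the "BW/FL" header, five characters in a field declared with a minimum width of 4, is not truncated on narrow terminals.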
CPU_LIDSUSPEND in init(8) and reboot(8)
While switching init and reboot to CPU_LIDACTION, I forgot about the #ifdef's. Ok? natano Index: init/init.c === RCS file: /cvs/src/sbin/init/init.c,v retrieving revision 1.64 diff -u -p -r1.64 init.c --- init/init.c 3 May 2017 09:51:39 - 1.64 +++ init/init.c 21 May 2017 07:25:07 - @@ -1325,7 +1325,7 @@ f_nice_death(void) static const int death_sigs[3] = { SIGHUP, SIGTERM, SIGKILL }; int status; -#ifdef CPU_LIDSUSPEND +#ifdef CPU_LIDACTION int mib[] = {CTL_MACHDEP, CPU_LIDACTION}; int lidaction = 0; Index: reboot/reboot.c === RCS file: /cvs/src/sbin/reboot/reboot.c,v retrieving revision 1.36 diff -u -p -r1.36 reboot.c --- reboot/reboot.c 2 Mar 2017 10:38:09 - 1.36 +++ reboot/reboot.c 21 May 2017 07:25:31 - @@ -112,7 +112,7 @@ main(int argc, char *argv[]) if (geteuid()) errx(1, "%s", strerror(EPERM)); -#ifdef CPU_LIDSUSPEND +#ifdef CPU_LIDACTION if (howto & RB_POWERDOWN) { /* Disable suspending on laptop lid close */ int mib[] = {CTL_MACHDEP, CPU_LIDACTION}; @@ -122,7 +122,7 @@ main(int argc, char *argv[]) sizeof(lidaction)) == -1 && errno != EOPNOTSUPP) warn("sysctl"); } -#endif /* CPU_LIDSUSPEND */ +#endif /* CPU_LIDACTION */ if (qflag) { reboot(howto);
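Review bot: The init.c hunk changes only the opening #ifdef in f_nice_death(), while the reboot.c hunks update both the #ifdef and the trailing "#endif /* CPU_LIDSUSPEND */" comment. If the matching #endif in init.c carries the same comment it will now name a macro that no longer guards the block; please update it in the same commit so the two files stay consistent.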
Re: Fix comment into sys/dev/acpi/acpibtn.c
On Thu, May 11, 2017 at 01:11:16PM +0200, David Coppa wrote: > > I think this comment was copy-pasted as is from the comment some > lines below, but this is about hibernation, not sleep. sleep != suspend Suspend and hibernate both are sleep states. > > Ok? > > Index: acpibtn.c > === > RCS file: /cvs/src/sys/dev/acpi/acpibtn.c,v > retrieving revision 1.44 > diff -u -p -u -p -r1.44 acpibtn.c > --- acpibtn.c 2 Mar 2017 10:38:10 - 1.44 > +++ acpibtn.c 11 May 2017 11:10:21 - > @@ -236,7 +236,7 @@ acpibtn_notify(struct aml_node *node, in > goto sleep; > #ifdef HIBERNATE > case 2: > - /* Request to go to sleep */ > + /* Request hibernation */ > if (acpi_record_event(sc->sc_acpi, > APM_USER_HIBERNATE_REQ)) > acpi_addtask(sc->sc_acpi, acpi_sleep_task, > sc->sc_acpi, ACPI_SLEEP_HIBERNATE); >