On Wed, Aug 27, 2014 at 01:52:19PM +0200, Christian Weisgerber wrote:
Add httpd default log files to the rotation.
Index: newsyslog.conf
===
RCS file: /cvs/src/etc/newsyslog.conf,v
retrieving revision 1.32
diff -u -p -r1.32
On Fri, Aug 15, 2014 at 09:35:03PM +0400, Vadim Zhukov wrote:
The SIOCG80211ALLNODES operates on struct ieee80211_nodereq_all, not
on struct ieee80211_nodereq, right? If I understand things correctly,
we were on a safe side because struct ieee80211_nodereq is larger
than struct
Hi,
On Fri, Jul 11, 2014 at 11:33:19AM +0100, David Carlier wrote:
I was wondering if a generic small geoloc lib might be of interest? It could
load dynamically any geolocalisation library via dlopen and so on ... to
get, let's say, a country code from an IP address ... can serve for some
Hi,
On Wed, Jul 02, 2014 at 01:34:51PM +0200, Markus Gebert wrote:
I hope this is the right mailing list to publish a patch. If not,
please let me know where to place it or how I should get in contact
with the relayd maintainer(s).
I've added some new SSL features and config options to
On Tue, Jul 08, 2014 at 11:39:12PM -0400, Lawrence Teo wrote:
The current divert(4) implementation allocates an mbuf tag in pf_test()
to store the divert port specified by a divert-packet PF rule.
The divert_packet() function then looks up that mbuf tag to retrieve the
divert port number
Hi,
I just committed a big change to relayd: the new filtering language.
tl;dr - I need your help! Please test the new filter rules in relayd
-current to eliminate any remaining issues in the new implementation.
When I wrote the HTTP support in relayd, I needed a way to filter and
manipulate
Hi,
On Wed, Jul 02, 2014 at 01:34:51PM +0200, Markus Gebert wrote:
Hi there
I hope this is the right mailing list to publish a patch. If not,
please let me know where to place it or how I should get in contact
with the relayd maintainer(s).
I've added some new SSL features and config
On Fri, May 02, 2014 at 06:50:04PM -0600, Bob Beck wrote:
What's their hangup with %n? We normally don't like polluting the world
with #ifdef OPENSSL_NO_PERCENT_N... We normally nuke stuff like that
Well, it is an evil thing that is rarely used and well-known for some
format string
On Mon, Apr 21, 2014 at 09:01:52PM +0200, Henning Brauer wrote:
so while so many here were so busy bikeshedding, wasting everyone's
time and hindering progress, reyk and I found that several people,
including me, had flaws in their testing. unfortunately have to go the
vlan_output route. root
On Fri, Apr 18, 2014 at 04:00:28PM +0200, Fritjof Bornebusch wrote:
Hi guys,
this little diff checks if the chmod call was successful or not.
Regards,
Fritjof
Index: rand/randfile.c
===
RCS file:
On Fri, Apr 11, 2014 at 08:15:27PM -0600, Bob Beck wrote:
On Fri, Apr 11, 2014 at 6:09 PM, Reyk Floeter r...@openbsd.org wrote:
I did some testing with apache bench (ab) and it shows a negative
performance impact when running with multiple preforked relays and
concurrent requests
Hi,
On Tue, Apr 15, 2014 at 09:24:48PM +, �?�?�?�?�? �?�?�?омин wrote:
Log message:
Remove the GOST engine: It is not compiled or used and depends on the
dynamic engine feature that is not enabled in our build. People who
need it can still pull it out of the Attic; if it is to have a
On Wed, Apr 09, 2014 at 04:20:23PM +0200, Reyk Floeter wrote:
relayd uses privsep to mitigate the risk of potential attacks.
OpenSSL's SSL code wasn't designed with privsep in mind. We already
have a hack to load the keys and certificates in the parent process
and to send them via imsg
/null 1 Jan 1970 00:00:00 -
+++ ca.c9 Apr 2014 14:02:37 -
@@ -0,0 +1,414 @@
+/* $OpenBSD$ */
+
+/*
+ * Copyright (c) 2014 Reyk Floeter r...@openbsd.org
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby
On 20.02.2014, at 12:23, Martin Pieuchot mpieuc...@nolizard.org wrote:
On 17/02/14(Mon) 01:11, Andre de Oliveira wrote:
On Fri, Feb 14, 2014 at 02:20:57PM +0100, Ingo Schwarze wrote:
Hi,
a few comments regarding the manual:
Ingo, thanks for your feedback.
Here follows an updated
Hi,
I just committed a simple SNMP client implementation to snmpctl/snmpd.
You can use it as an in-tree alternative to net-snmp's
snmpwalk/snmpget.
Examples:
$ snmpctl walk 127.0.0.1
$ snmpctl walk printer.my.domain version 1 oid printerWorkingGroup
$ snmpctl -n walk 203.0.113.240 oid ifMIB
On Tue, Oct 01, 2013 at 04:08:48PM +0100, Stuart Henderson wrote:
Most things are working fine for me.
thanks for testing!
v4 and v6 with opensnmpd OK (need two instances of the daemon
to test this as it only opens one socket).
v4 with net-snmp OK (v6 is possibly a bit broken in the
On Fri, Sep 27, 2013 at 03:24:25PM +0200, Alexander Bluhm wrote:
The error return codes for the enc interface seem quite inconsistent.
Always return the appropriate errno.
ok?
OK
Reyk
bluhm
Index: net/if_enc.c
===
RCS
On Fri, Sep 13, 2013 at 09:53:03AM +0200, Martin Pieuchot wrote:
-let snmpd (or sth else) make up ifindices just for that purpose
That looks like the best solution to me. If a userland program wants
to expose the following numbers, then it probably needs to create its own
indexes anyway, even
On Fri, Sep 13, 2013 at 10:45:57AM +0200, Martin Pieuchot wrote:
No, that's utterly stupid. The interface index is a value that is
supposed to be consistent across the system. How should it be synced
with other userland tools? How would you handle it in if_nametoindex
and friends?
So
On Thu, Sep 12, 2013 at 06:51:46AM +0200, Claudio Jeker wrote:
On Tue, Aug 27, 2013 at 01:39:14PM +0200, Martin Pieuchot wrote:
I think that's the right approach but the current code generating
interfaces indexes is too clever from my point of view, it tries
to reuse the last index if
On Thu, Sep 12, 2013 at 05:18:39PM +0200, Martin Pieuchot wrote:
For example, you have to query the IfIndex via SNMP to get further
information, like the ifName or statistics, and most monitoring
systems would save interface information based on the index - they
would not recognize that
On Thu, Sep 12, 2013 at 07:19:34PM +0200, Mike Belopuhov wrote:
either way, we need to move forward on this. we want to use if_index
for the purpose of looking up the interface w/o a pointer to the ifnet.
should we implement additional indices for that or snmp problem will
be dealt with?
On Thu, Sep 12, 2013 at 06:28:15PM +0200, Mike Belopuhov wrote:
Sure, I do. You're trying to push one thing and you don't want to
hear the concerns about a specific detail of it.
with all respect, i think you don't. otherwise you wouldn't be asking
the questions you're asking.
we do
On Thu, Sep 12, 2013 at 05:53:42PM +0200, Mike Belopuhov wrote:
looks like you misunderstand the problem we're dealing with here.
Sure, I do. You're trying to push one thing and you don't want to
hear the concerns about a specific detail of it.
FWIW it would be interesting to modify tun(4)
On Thu, Sep 12, 2013 at 06:59:13PM +0200, Mike Belopuhov wrote:
Ok, let's stop this. I don't think you read what I replied before. I
didn't say that we're static with if_indexes, just that we shouldn't
make it worse.
or implement persistent indices in the snmpd itself maybe?
Maybe.
Hi!
On Sun, Aug 11, 2013 at 04:47:08PM -0400, Ted Unangst wrote:
Nobody seemed to much care about my previous effort to get OpenBSD to
play nicely inside a suspended VM.
http://marc.info/?l=openbsd-miscm=134324835209706w=2
Well, I do care about VMs!
Instead of the kernel, this time I'm
On Wed, Sep 04, 2013 at 02:39:16PM +0200, Matthieu Herrb wrote:
On Wed, Sep 04, 2013 at 02:28:00PM +0200, Reyk Floeter wrote:
Bah. I tend to turn ntpd off and rely on the internal clock
synchronization of the hypervisor. But fixing ntpd inside VMs would
probably be a big win
On Wed, Sep 04, 2013 at 08:45:25AM -0400, Ted Unangst wrote:
Bah. I tend to turn ntpd off and rely on the internal clock
synchronization of the hypervisor. But fixing ntpd inside VMs would
probably be a big win.
Can you explain what you do? I have a vmt timedelta sensor that shows
host
On Tue, Sep 03, 2013 at 10:36:15AM +0100, Stuart Henderson wrote:
On 2013/09/02 16:36, Joel Knight wrote:
Hi,
This diff adds the table packet/byte counters for match rules to PF-MIB.
You also need to update LAST-UPDATED in the mib file. otherwise OK.
I agree. I even tested it.
Hi,
since we introduced divert-to, we converted most userland proxies and
relays to use this new interface instead of rdr-to. spamd is still
missing and should switch to divert-to as well.
divert-to has many advantages over rdr-to for proxies. For example,
it is much easier to use (most of the
On Wed, Jun 19, 2013 at 08:00:01PM +0200, Reyk Floeter wrote:
OK?
I forgot the in6_pcblookup_listen() case, updated diff below.
Reyk
Index: sys/netinet/in_pcb.c
===
RCS file: /cvs/src/sys/netinet/in_pcb.c,v
retrieving revision
On Sat, Jun 01, 2013 at 08:01:58PM +0200, Gregor Best wrote:
On Sat, Jun 01, 2013 at 06:57:21AM -0700, Mike Larkin wrote:
[...]
Sure, go ahead.
[...]
Then I propose the following variant of the patch:
code and dmesg looks fine, ok reyk@
acpi0: wakeup devices PCI0(S3) USB_(S1)
Hi,
this is some nice work!
The new virtual VMXNET3 chipset supports a few features that haven't
been available in the previous chipsets, including VLAN Guest Tagging
(VGT), or simply the ability to pass tagged VLANs from VMware hosts
to external switches, and checksum offloading (hint, hint).
===
RCS file: vmx.4
diff -N vmx.4
--- /dev/null 1 Jan 1970 00:00:00 -
+++ vmx.4 31 May 2013 19:55:49 -
@@ -0,0 +1,111 @@
+.\$OpenBSD$
+.\
+.\ Copyright (c) 2006,2013 Reyk Floeter r...@openbsd.org
+.\
+.\ Permission to use, copy, modify, and distribute this software for any
Hi,
On Fri, May 17, 2013 at 12:55:15PM -0700, Aaron Stellman wrote:
Before I proceed, I realize that iked is not yet finished and is missing
some important security features. I am just pointing out something that
may not be known, and perhaps should be addressed.
...
ikev2 esp from
Hi,
the diff is needed - I was running into it quite recently when I was
trying some QinQ/svlan configurations on trunk.
Comments below, otherwise OK
reyk
On Fri, May 10, 2013 at 02:11:28PM +0100, Stuart Henderson wrote:
Index: if_trunk.c
On Fri, May 10, 2013 at 04:53:18PM +0200, Mike Belopuhov wrote:
if (tr->tr_ac.ac_if.if_mtu != ifp->if_mtu) seems wrong. what about people
who want to use trunk between two totally different interfaces for failover?
i think the trunk mtu should simply be the lowest common of the group.
i
On Tue, Mar 19, 2013 at 05:57:16PM +1000, David Gwynne wrote:
this lets the code that picks the filenames to use for certificates
fall through to using the services name, instead of just the ip
addresses of the service.
eg, if i have this in relayd.conf:
relay sslnews.eait.uq.edu.au
Hi!
Am 11.03.2013 um 02:04 schrieb Jason Hall cake...@gmail.com:
I recently started using (open)IKEd, and am quite happy with it. Very
easy to configure/use, well documented, and supports many protocols.
Following USA's NSA Suite B security recommendations for which
protocols to use (because
relay.c
--- relay.c 17 Jan 2013 20:34:18 - 1.161
+++ relay.c 22 Jan 2013 15:33:05 -
@@ -1,7 +1,7 @@
/* $OpenBSD: relay.c,v 1.161 2013/01/17 20:34:18 bluhm Exp $ */
/*
- * Copyright (c) 2006 - 2012 Reyk Floeter r...@openbsd.org
+ * Copyright (c) 2006 - 2013 Reyk
On Thu, Nov 29, 2012 at 11:05 PM, Mark Kettenis mark.kette...@xs4all.nl wrote:
#!/usr/bin/perl
require "sys/ioctl.ph";
$TUNSIFUNIT = _IOC(IOC_INOUT, ord('t'), 90, 4);
open(TUN0, "+</dev/tun0") or die "open";
ioctl(TUN0, $TUNSIFUNIT, $unit = pack("i", -1)) or die "ioctl $!";
print Returned:
On Thu, Nov 29, 2012 at 10:59 AM, Mike Belopuhov m...@belopuhov.com wrote:
But currently /dev/tunN is usable from any programming language that
that can do reads and writes. With Reyk's changes you need to do an
ioctl even for basic usage, which is at best quirky in languages other
than
On Thu, Nov 29, 2012 at 3:12 PM, Mike Belopuhov m...@belopuhov.com wrote:
OK?
Please note that pfctl/altq has a bug where bandwidth specification
expressed in percentage gets converted to the absolute value when
pfctl is run. And since for some NICs in some setups it might take
some time
On Tue, Nov 27, 2012 at 10:17 PM, Mike Belopuhov m...@belopuhov.com wrote:
apparently it works just fine. the number of clones is limited
by the v_specbitmap which currently allows for 64 clones total
(per system, not per process).
Please clarify: Does it mean 64 cloned bpf devices per
Hi,
inspired by mikeb@'s clonable bpf patch, this slightly more complex
diff implements clonable interface support to tun(4).
The idea is to split the fixed relation between device minor number
(/dev/tunX) and interface unit (ifconfig tunY). In difference to the
current tun(4) implementation,
On Wed, Nov 28, 2012 at 10:42 PM, Mark Kettenis mark.kette...@xs4all.nl wrote:
But currently /dev/tunN is usable from any programming language that
that can do reads and writes. With Reyk's changes you need to do an
ioctl even for basic usage, which is at best quirky in languages other
than
Am Sonntag, 25. November 2012 schrieb Brad Smith :
On Fri, Nov 23, 2012 at 11:57:50AM -0200, Gleydson Soares wrote:
set ifp->if_baudrate with IF_Gbps() / IF_Mbps().
OK ?
Although it has already been committed, it's the wrong direction to go in.
These should be removed as the MII framework
On Fri, Nov 23, 2012 at 12:44:32PM +0100, Henning Brauer wrote:
* Fernando Gont ferna...@gont.com.ar [2012-11-23 12:09]:
FYI. This might affect OpenBSD users employing e.g. OpenVPN:
http://tools.ietf.org/html/draft-gont-opsec-vpn-leakages.
we're way less affected than other OSes, since
On Fri, Nov 23, 2012 at 11:57:50AM -0200, Gleydson Soares wrote:
set ifp->if_baudrate with IF_Gbps() / IF_Mbps().
OK ?
Index: if_ste.c
===
RCS file: /cvs/src/sys/dev/pci/if_ste.c,v
retrieving revision 1.48
diff -u -p -r1.48
On Fri, Nov 23, 2012 at 04:04:20PM +, Stuart Henderson wrote:
This adds an ioctl to retrieve if_hardmtu, and adds code to
display it via ifconfig hwfeatures.
$ ifconfig em0 hwfeatures
em0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu
1500
On Fri, Nov 23, 2012 at 05:01:16PM +0100, Reyk Floeter wrote:
Actually, in the iked(8)/IPsec case we could even block all v6 traffic
without using PF by simply inserting a single deny flow.
For example:
# ping6 -w ff02::1%em0
# ipsecctl -vf /etc/ipsec-block.conf
flow esp out from ::/0
On Fri, Nov 23, 2012 at 05:46:27PM +, Christian Weisgerber wrote:
Stuart Henderson s...@spacehopper.org wrote:
This adds an ioctl to retrieve if_hardmtu, and adds code to
display it via ifconfig hwfeatures.
I'm worried that our drivers don't set this or that the value doesn't
On Thu, Nov 15, 2012 at 5:11 PM, Marc Espie es...@nerim.net wrote:
external people regularly ask but why you don't want to use GNU/m4 GNU/make
GNU/whatever ?
External people seem to ask weird questions.
I just had to dig into autoconf/auto* because it seems to be a must
have for a portable
Hi!
pf currently only supports the round-robin and least-states methods
when using dynamic address pools like tables or interface pools. The
following diff adds support for source-hash and random with dynamic
pools. source-hash can be used in some cases as an alternative to
sticky-address to
Hi!
On Mon, Oct 15, 2012 at 01:44:01PM +0200, Reyk Floeter wrote:
the following diff adds support for the following scheduling algorithms:
relays + rdrs:
- source-hash
- random
rdrs:
- least-states
I was actually wrong about source-hash and random, they do not work
with pf tables
Hi,
the following diff adds support for the following scheduling algorithms:
relays + rdrs:
- source-hash
- random
rdrs:
- least-states
redirect foobar {
listen on 198.51.100.24 port 80
forward to servers check tcp mode least-states
}
relay foobar {
listen on
Hi,
the iked.conf(5) manpage says: If srcid is omitted, the default is to
use the hostname of the local machine, see hostname(1) to set or print
the hostname. This was true but I broke it with a commit about two
years ago :(
The following diff tells ikev2_policy2id() in ca_setreq() that it's
Hi,
any more feedback on this diff? I will move forward and commit this
diff soon if nobody complains before.
Reyk
On Tue, Sep 25, 2012 at 05:29:31PM +0200, Reyk Floeter wrote:
Hi!
During n2k12, I started working on partially rewriting the relay HTTP
handling and filter language
Hi!
During n2k12, I started working on partially rewriting the relay HTTP
handling and filter language. The filter language will introduce a
new grammar, better flexibility, and a reworked code path in the
daemon itself. One goal is to allow selection of the forwarding
target or table with the
Hi,
I just committed simple SNMPv3 support based on Gerhard Roth's diff.
More testing is appreciated, especially with any other clients except
net-snmp.
1. Checkout snmpd(8) from -current (mirrors may take a while to sync)
2. Configure your snmpd.conf with SNMPv3 support:
seclevel enc
user
yes, I agree. It makes sense to keep the RFC terminology in the
implementation but to use the common language in the configuration
grammar. Developers need to understand the code related to the RFCs,
users shouldn't have to learn new terminology for crypto that is
configured in n other places in
Hi,
On Wed, Jul 18, 2012 at 4:16 PM, Gerhard Roth gerhard_r...@genua.de wrote:
thanks for your thorough inspection of my code. I really appreciate this.
Please find my answers inline below. Hope I didn't miss one.
Your latest diff looks good! I will test and have another look at the
diff and
On Fri, May 27, 2011 at 11:11:37AM +0200, Michal Mazurek wrote:
Add listening on interface groups for dhcpd, from gilles@' smtpd.
the dhcpd bit is interesting.
Add static to is_if_in_group in smtpd and relayd.
i normally don't use static functions in relayd.
Fix whitespaces in
Hi!
On Fri, May 20, 2011 at 03:54:03PM +0400, Vadim Zhukov wrote:
This patch splits off IMSG_CFG_POLICY into four messages:
IMSG_CFG_POLICY_BEGIN
IMSG_CFG_POLICY_PROPOSAL
IMSG_CFG_POLICY_FLOW
IMSG_CFG_POLICY_COMMIT
Each new policy should start with IMSG_CFG_POLICY_BEGIN, then
hi,
On Thu, May 19, 2011 at 11:06:44PM +0400, Vadim Zhukov wrote:
This patch allows ipsecctl-like flow grouping along with current
behavior. It allows writing many-to-many policies in a more
compact way, see an example:
ikev2 esp \
from { 1.2.3.4, 5.6.7.8 } to { 3.4.5.6, 4.5.6.7} \
On Thu, May 19, 2011 at 11:26:59AM +0200, Claudio Jeker wrote:
To be honest I'm not sure who will do a 'set skip on sis' or
'set skip on em'.
I would ;-)
Sometimes you have machines with different types of physical
interfaces where one type is used for internal stuff like a dedicated
pfsync or
ok reyk@ but we should think about putting it in all copies of kroute.c
On Thu, Apr 21, 2011 at 01:24:36PM +0100, Stuart Henderson wrote:
Diff below adds a filter-routes option, defaulting to no.
yesno borrowed from bgpd's parser.
I've been using a similar diff (but without the config
Hi,
did anyone except itojun ever use the IPsec socket options?
It currently only seems to be used by isakmpd/iked to bypass IPsec for
IKE traffic but I could not find any code that is using the other
modes like require.
The attached diff is for testing only and is based on an old KAME ping
On Fri, Apr 15, 2011 at 12:37:00PM +0200, Reyk Floeter wrote:
Note that iked(8) doesn't support this type of configuration yet. It
does understand the acquire/require messages from the kernel but
currently requires to have an active flow from an initial IKEv2
handshake. It is on our TODO
hi,
the following diff adds the linkUp/Down traps to snmpd. this will
help to track interface link state changes via snmp and also virtual
link states like carp(4) BACKUP -> MASTER transitions. snmpd(8)
monitors the link state changes and sends traps to the configured
receivers accordingly.
hi,
this diff will break chunked encoding and keep-alive connections where
we need to enable splicing for a specified amount of data only and
return for the next HTTP header. the env variable should be replaced
with a permanent config option in parse.y.
reyk
On Wed, Mar 02, 2011 at 09:34:14PM
On Thu, Feb 17, 2011 at 12:45:35PM +0100, Camiel Dobbelaar wrote:
On 16-2-2011 14:27, Reyk Floeter wrote:
My previous change to vlan(4) allows to change the vlandev and vlan id
on-the-fly without re-creating the vlan interface.
I hesitated to ask this simple question, because I might
hi,
this will plug another memleak by using m_freem() (free whole mbuf
chain) instead of m_free() (free first mbuf only).
ok?
reyk
Index: net/if_trunk.c
===
RCS file: /cvs/src/sys/net/if_trunk.c,v
retrieving revision 1.76
diff -u -p
hi,
this one also looks suspicious to me...
OK?
reyk
Index: net/if_mpe.c
===
RCS file: /cvs/src/sys/net/if_mpe.c,v
retrieving revision 1.24
diff -u -p -r1.24 if_mpe.c
--- net/if_mpe.c21 Jan 2011 17:42:57 - 1.24
Hi!
vlan(4) and svlan(4) users should test this diff.
It has annoyed me for some time that vlan(4) does not allow changing its
vlan id or parent interface at runtime. The current code returns
EBUSY and always forces you to destroy and re-create the interface.
The attached diff changes this
Hi,
On Mon, Dec 27, 2010 at 11:24:20PM +0100, Sebastian Benoit wrote:
i am using relayd in router mode for a cable-modem link that sometimes
does not work.
I need to run a program to load/unload pf-rules and to restart a
proxy with a different config whenever this happens.
I remember
On Wed, Jul 07, 2010 at 05:26:22PM +, Christian Weisgerber wrote:
Reyk Floeter r...@openbsd.org wrote:
--- net/if_bridge.c 2 Jul 2010 02:40:16 - 1.181
+++ net/if_bridge.c 3 Jul 2010 17:22:52 -
@@ -152,7 +152,8 @@ u_int8_t bridge_filterrule(struct brl_he
struct mbuf
On Fri, Jul 02, 2010 at 10:49:52PM +0200, Reyk Floeter wrote:
I need people to test the following IPsec diff on existing setups
running -current. This diff will add some cool features for the next
release but I first need regression testing with plain old setups
(ipsec.conf with static keying
Hi!
I need people to test the following IPsec diff on existing setups
running -current. This diff will add some cool features for the next
release but I first need regression testing with plain old setups
(ipsec.conf with static keying or isakmpd); preferably on IPsecs that
are running closely
Hi,
updating one side should be enough.
reyk
On Sat, Jul 03, 2010 at 01:15:50AM +0400, Vadim Zhukov wrote:
2010/7/3 Reyk Floeter r...@openbsd.org:
Hi!
I need people to test the following IPsec diff on existing setups
running -current. This diff will add some cool features
hi,
the idea sounds ok, but why just 128? tcpbench is for benchmarking
and testing and it should be possible to run more concurrent
connections.
it could call getrlimit() to get the actual RLIMIT_NOFILE value which
is 128 by default but can be much higher. another variant is the way