Re: pf log drop default rule
On 2023-10-10 18:28, Alexander Bluhm wrote:
> Hi,
>
> If a packet is malformed, it is dropped by pf(4). The rule referenced in pflog(4) is the default rule. As the default rule is a pass rule, tcpdump prints "pass" although the packet is actually dropped. I have reports from genua and OPNsense users who are confused by the output.
>
> With the diff below we see pass or blocked when the packet is matched or dropped due to bad fragment respectively.

Hello,

I have experienced something with pf that I think may be related to this, but I wasn't sure.

When I check my pflog files in Wireshark, I note that Wireshark displays this in the "Info" column:

[pass vio0/-1]

Does the "-1" for the rule number mean that this is the implicit/default rule?

This is for a packet that is being processed by my default deny rule, which appears to be a malformed packet, but shows up in Wireshark as "pass".

Thanks,

- J
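As an added example (not code from this thread, nor from OpenBSD's tcpdump or the Wireshark pflog dissector), here is a small decoder for the pflog(4) record header that shows what the question above is looking at and the detection caveat the thread implies. The rule number field is a 32-bit unsigned value; the reading assumed here, consistent with Alexander's explanation, is that the default rule is logged as 0xffffffff, which tools print as -1. The second point is that on a kernel without the fix, a dropped malformed packet is logged with action "pass" but with a reason other than "match", so a log monitor should classify on the reason field as well as the action. The header offsets, the 100-byte header length, and the PF_*/PFRES_* values are this example's reading of sys/net/if_pflog.h and sys/net/pfvar.h and should be checked against the kernel that wrote the log; the sample record is constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PFLOG_HDRLEN 100		/* sizeof(struct pfloghdr), assumed */
#define IFNAMSIZ 16
#define PF_RULESET_NAME_SIZE 16

enum { PF_PASS = 0, PF_DROP = 1 };		/* action codes (pfvar.h) */
enum { PFRES_MATCH = 0, PFRES_FRAG = 2 };	/* reason codes (pfvar.h) */
enum { PF_IN = 1, PF_OUT = 2 };			/* direction */

struct pflog_rec {
	uint8_t	action;
	uint8_t	reason;
	char	ifname[IFNAMSIZ + 1];
	int32_t	rulenr;		/* -1 is how the default rule shows up */
	uint8_t	dir;
};

/* Decode the fixed pflog header at the start of a pcap record payload.
 * Multi-byte fields are in the logging host's byte order. */
static int
pflog_parse(const uint8_t *buf, size_t len, struct pflog_rec *out)
{
	uint32_t rulenr;

	/* byte 0 is the header length pflog wrote; reject anything else */
	if (len < PFLOG_HDRLEN || buf[0] != PFLOG_HDRLEN)
		return -1;
	memset(out, 0, sizeof(*out));
	out->action = buf[2];				/* offset 2 */
	out->reason = buf[3];				/* offset 3 */
	memcpy(out->ifname, buf + 4, IFNAMSIZ);		/* offset 4, ifname[16] */
	out->ifname[IFNAMSIZ] = '\0';
	/* offset 36: rulenr follows ifname[16] and ruleset[16] */
	memcpy(&rulenr, buf + 4 + IFNAMSIZ + PF_RULESET_NAME_SIZE, sizeof(rulenr));
	out->rulenr = (int32_t)rulenr;
	out->dir = buf[60];				/* offset 60 */
	return 0;
}

/* Classification rule: a drop if the action says so, OR if the reason is
 * anything but "match".  The second clause catches records from kernels
 * before the fix, which logged action=pass with reason=fragment. */
static int
pflog_is_drop(const struct pflog_rec *r)
{
	return r->action == PF_DROP || r->reason != PFRES_MATCH;
}

/* Constructed sample record: inbound on vio0, default rule, action "pass",
 * reason "fragment", i.e. what a pre-fix kernel logs for a dropped packet. */
static size_t
pflog_sample(uint8_t *buf, size_t cap)
{
	uint32_t rulenr = 0xffffffffu;

	if (cap < PFLOG_HDRLEN)
		return 0;
	memset(buf, 0, PFLOG_HDRLEN);
	buf[0] = PFLOG_HDRLEN;
	buf[1] = 2;				/* af = AF_INET */
	buf[2] = PF_PASS;
	buf[3] = PFRES_FRAG;
	memcpy(buf + 4, "vio0", 4);
	memcpy(buf + 36, &rulenr, sizeof(rulenr));
	buf[60] = PF_IN;
	return PFLOG_HDRLEN;
}

/* Parse the sample and classify it: 1 = drop, 0 = pass, -1 = parse error. */
static int
demo_classify(int32_t *rulenr_out)
{
	uint8_t buf[PFLOG_HDRLEN];
	struct pflog_rec r;

	if (pflog_sample(buf, sizeof(buf)) != PFLOG_HDRLEN ||
	    pflog_parse(buf, sizeof(buf), &r) != 0)
		return -1;
	if (rulenr_out != NULL)
		*rulenr_out = r.rulenr;
	return pflog_is_drop(&r);
}

/* Rule number as decoded from the sample (the "-1" seen in Wireshark). */
static int32_t
demo_rulenr(void)
{
	int32_t rulenr = 0;

	(void)demo_classify(&rulenr);
	return rulenr;
}

int
main(void)
{
	int drop = demo_classify(NULL);

	printf("rule %d: classified as %s\n", demo_rulenr(),
	    drop == 1 ? "drop" : "pass");
	return drop == 1 ? 0 : 1;
}
```

The classifier deliberately does not trust the action byte alone: a record whose reason is anything other than "match" never represents a packet pf let through, whichever action value the kernel attached to it.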
Re: bgpd, fix log_peer_info() and friends
On Fri, Oct 13, 2023 at 07:01:06PM +0200, Claudio Jeker wrote:
> Extending the format string with the peer info is a bad idea.
> The reason is DNS^WIPv6 and scoped addresses which add a % to the
> string returned by log_fmt_peer.
>
> So instead vasprintf() the emsg and then just use logit().

Ugh. That's nasty. Diff reads fine.

There's a change of behavior in that logit() does asprintf() but will not fatal on asprintf() failure.

ok tb

> --
> :wq Claudio
>
> Index: logmsg.c > === > RCS file: /cvs/src/usr.sbin/bgpd/logmsg.c,v > retrieving revision 1.9 > diff -u -p -r1.9 logmsg.c > --- logmsg.c 24 Aug 2022 17:14:02 - 1.9 > +++ logmsg.c 13 Oct 2023 16:43:55 -
> @@ -60,55 +60,54 @@ log_fmt_peer(const struct peer_config *p > void > log_peer_info(const struct peer_config *peer, const char *emsg, ...) > { > - char*p, *nfmt; > + char*p, *msg; > va_list ap; > > p = log_fmt_peer(peer); > - if (asprintf(&nfmt, "%s: %s", p, emsg) == -1) > - fatal(NULL); > va_start(ap, emsg); > - vlog(LOG_INFO, nfmt, ap); > + if (vasprintf(&msg, emsg, ap) == -1) > + fatal(NULL); > va_end(ap); > + logit(LOG_INFO, "%s: %s", p, msg); > + free(msg); > free(p); > - free(nfmt); > } > > void > log_peer_warn(const struct peer_config *peer, const char *emsg, ...) > { > - char*p, *nfmt; > + char*p, *msg; > va_list ap; > + int saved_errno = errno; > > p = log_fmt_peer(peer); > if (emsg == NULL) { > - if (asprintf(&nfmt, "%s: %s", p, strerror(errno)) == -1) > - fatal(NULL); > + logit(LOG_ERR, "%s: %s", p, strerror(saved_errno)); > } else { > - if (asprintf(&nfmt, "%s: %s: %s", p, emsg, strerror(errno)) == > - -1) > + va_start(ap, emsg); > + if (vasprintf(&msg, emsg, ap) == -1) > fatal(NULL); > + va_end(ap); > + logit(LOG_ERR, "%s: %s: %s", p, msg, strerror(saved_errno)); > + free(msg); > } > - va_start(ap, emsg); > - vlog(LOG_ERR, nfmt, ap); > - va_end(ap); > free(p); > - free(nfmt); > } > > void > log_peer_warnx(const struct peer_config *peer, const char *emsg, ...) > { > - char*p, *nfmt; > + char*p, *msg; > va_list ap; > > p = log_fmt_peer(peer); > - if (asprintf(&nfmt, "%s: %s", p, emsg) == -1) > - fatal(NULL); > va_start(ap, emsg); > - vlog(LOG_ERR, nfmt, ap); > + if (vasprintf(&msg, emsg, ap) == -1) > + fatal(NULL); > va_end(ap); > + logit(LOG_ERR, "%s: %s", p, msg); > + free(msg); > free(p); > - free(nfmt); > } > > void >
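Review bot: the commit message could say outright what class of bug this closes, because the old lines `if (asprintf(&nfmt, "%s: %s", p, emsg) == -1)` followed by `vlog(LOG_INFO, nfmt, ap)` used text returned by log_fmt_peer() as part of a printf format, so a `%` from a scoped IPv6 address was parsed as a conversion and consumed arguments the caller never supplied; the replacement `logit(LOG_INFO, "%s: %s", p, msg)` keeps the format constant and passes the peer text only as an argument, which is a format-string safety fix rather than a cosmetic one. The same pattern applies to any remaining logging helper outside this hunk that still splices peer text into a format.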
bgpd, fix log_peer_info() and friends
Extending the format string with the peer info is a bad idea. The reason is DNS^WIPv6 and scoped addresses which add a % to the string returned by log_fmt_peer.

So instead vasprintf() the emsg and then just use logit().

--
:wq Claudio

Index: logmsg.c === RCS file: /cvs/src/usr.sbin/bgpd/logmsg.c,v retrieving revision 1.9 diff -u -p -r1.9 logmsg.c --- logmsg.c24 Aug 2022 17:14:02 - 1.9 +++ logmsg.c13 Oct 2023 16:43:55 - @@ -60,55 +60,54 @@ log_fmt_peer(const struct peer_config *p void log_peer_info(const struct peer_config *peer, const char *emsg, ...) { - char*p, *nfmt; + char*p, *msg; va_list ap; p = log_fmt_peer(peer); - if (asprintf(&nfmt, "%s: %s", p, emsg) == -1) - fatal(NULL); va_start(ap, emsg); - vlog(LOG_INFO, nfmt, ap); + if (vasprintf(&msg, emsg, ap) == -1) + fatal(NULL); va_end(ap); + logit(LOG_INFO, "%s: %s", p, msg); + free(msg); free(p); - free(nfmt); } void log_peer_warn(const struct peer_config *peer, const char *emsg, ...) { - char*p, *nfmt; + char*p, *msg; va_list ap; + int saved_errno = errno; p = log_fmt_peer(peer); if (emsg == NULL) { - if (asprintf(&nfmt, "%s: %s", p, strerror(errno)) == -1) - fatal(NULL); + logit(LOG_ERR, "%s: %s", p, strerror(saved_errno)); } else { - if (asprintf(&nfmt, "%s: %s: %s", p, emsg, strerror(errno)) == - -1) + va_start(ap, emsg); + if (vasprintf(&msg, emsg, ap) == -1) fatal(NULL); + va_end(ap); + logit(LOG_ERR, "%s: %s: %s", p, msg, strerror(saved_errno)); + free(msg); } - va_start(ap, emsg); - vlog(LOG_ERR, nfmt, ap); - va_end(ap); free(p); - free(nfmt); } void log_peer_warnx(const struct peer_config *peer, const char *emsg, ...) { - char*p, *nfmt; + char*p, *msg; va_list ap; p = log_fmt_peer(peer); - if (asprintf(&nfmt, "%s: %s", p, emsg) == -1) - fatal(NULL); va_start(ap, emsg); - vlog(LOG_ERR, nfmt, ap); + if (vasprintf(&msg, emsg, ap) == -1) + fatal(NULL); va_end(ap); + logit(LOG_ERR, "%s: %s", p, msg); + free(msg); free(p); - free(nfmt); } void
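Review bot: in log_peer_warn() the new `int saved_errno = errno;` taken at function entry is a correctness fix in its own right and deserves a sentence in the commit message: log_fmt_peer() and vasprintf() both allocate and can overwrite errno before strerror() runs, and the old `strerror(errno)` evaluated after asprintf() had exactly that exposure, so the logged reason could describe the wrong failure. One behavioural change to note alongside it, as the reply above points out: logit() does not call fatal() when its own asprintf() fails, so a message may now be dropped silently where the old vlog() path would have aborted the daemon.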
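An added example, not bgpd's own code, that illustrates the commit message's point and the structure of the fix: a peer string such as a link-local IPv6 address with an `%em0` scope suffix must only ever be a printf argument, never part of the format. `fmt_peer()`, `old_build_format()` and `peer_msg()` are hypothetical stand-ins for log_fmt_peer(), the old asprintf()-then-vlog() path and the new vasprintf()-then-logit() path; the unsafe combined format is built only so its conversions can be counted, and is never handed to a printf-family function.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE			/* asprintf()/vasprintf() on glibc */
#endif
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int asprintf(char **, const char *, ...);
int vasprintf(char **, const char *, va_list);

/* Count printf conversions in fmt: every '%' that is not the "%%" escape. */
static int
count_conversions(const char *fmt)
{
	int n = 0;

	for (; *fmt != '\0'; fmt++) {
		if (*fmt != '%')
			continue;
		if (fmt[1] == '%') {
			fmt++;			/* literal percent, skip the pair */
			continue;
		}
		n++;
	}
	return n;
}

/* Hypothetical stand-in for log_fmt_peer(): peer text comes from config
 * and the wire, and a scoped IPv6 address carries a '%'. Caller frees. */
static char *
fmt_peer(const char *addr, const char *descr)
{
	char *p;

	if (asprintf(&p, "neighbor %s (%s)", addr, descr) == -1)
		return NULL;
	return p;
}

/* Old structure: peer text spliced INTO the format. Returned only so the
 * caller can inspect it; using it as a format would be undefined behaviour. */
static char *
old_build_format(const char *peer, const char *emsg)
{
	char *nfmt;

	if (asprintf(&nfmt, "%s: %s", peer, emsg) == -1)
		return NULL;
	return nfmt;
}

/* Fixed structure, mirroring log_peer_info() after the diff: format emsg
 * with the caller's arguments first, then a constant "%s: %s" format in
 * which the peer text is only ever an argument. Caller frees the result. */
static char *
peer_msg(const char *peer, const char *emsg, ...)
{
	va_list ap;
	char *msg, *out;

	va_start(ap, emsg);
	if (vasprintf(&msg, emsg, ap) == -1) {
		va_end(ap);
		return NULL;
	}
	va_end(ap);
	if (asprintf(&out, "%s: %s", peer, msg) == -1)
		out = NULL;
	free(msg);
	return out;
}

/* Constructed scenario: link-local peer with scope suffix, two-argument
 * message. Returns how many arguments the OLD combined format would try to
 * consume although the caller supplies only two. */
static int
demo_old_conversions(void)
{
	char *peer = fmt_peer("fe80::1%em0", "rtr1");
	char *nfmt = old_build_format(peer, "state change %s -> %s");
	int n = nfmt != NULL ? count_conversions(nfmt) : -1;

	free(nfmt);
	free(peer);
	return n;		/* 3: "%e" from the scope id plus the two %s */
}

/* Same scenario through the fixed path; caller frees. */
static char *
demo_new_message(void)
{
	char *peer = fmt_peer("fe80::1%em0", "rtr1");
	char *out = peer_msg(peer, "state change %s -> %s",
	    "OpenSent", "Established");

	free(peer);
	return out;
}

int
main(void)
{
	char *m = demo_new_message();

	printf("old format would consume %d args, caller passed 2\n",
	    demo_old_conversions());
	printf("%s\n", m);
	free(m);
	return 0;
}
```

The count is the whole story: with the peer text inside the format, the `%e` in `fe80::1%em0` becomes a third conversion that reads a double argument nobody pushed, whereas the fixed path produces the intended line with the scope suffix preserved verbatim.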
Re: bwfm(4): support scan v3
> Date: Wed, 11 Oct 2023 10:10:58 +0200
> From: Stefan Sperling
>
> On Tue, Oct 10, 2023 at 11:41:39PM +0200, Mark Kettenis wrote:
> > The firmware for the BCM4388 has yet another version of the "escan"
> > command. But we can treat it the same as v2 since it just added a new
> > parameter in place of some padding. We just set that new parameter to
> > zero, which doesn't change anything.
> >
> > As a bonus this adds some missing htole16() calls.
> >
> > This is the equivalent of:
> >
> > https://github.com/AsahiLinux/linux/commit/399ef7b1cb9094c1c64e0f9ad6caa5c4d114009f
> >
> > ok?
>
> > @@ -274,8 +275,10 @@ bwfm_preinit(struct bwfm_softc *sc) > > nmode = 0; > > if (bwfm_fwvar_var_get_int(sc, "vhtmode", &vhtmode)) > > vhtmode = 0; > > - if (bwfm_fwvar_var_get_int(sc, "scan_ver", &sc->sc_scan_ver)) > > - sc->sc_scan_ver = 0; > > + if (bwfm_fwvar_var_get_data(sc, "scan_ver", &scan_ver, > > + sizeof(scan_ver))) > > + scan_ver.scan_ver_major = 0; > > + sc->sc_scan_ver = letoh16(scan_ver.scan_ver_major);
>
> Perhaps check whether firmware reports a supported scan command version,
> and fail or print a warning when it doesn't?
> That might make future firmware upgrades a bit easier in case the vendor
> changes this again.

It does seem that new versions of firmware interfaces are only introduced together with new silicon. So I don't think that is really necessary. The Linux code doesn't do this.

> Either way, ok by me.

Thanks
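Review bot: in the failure branch of the quoted hunk only `scan_ver.scan_ver_major = 0;` is assigned, so if bwfm_fwvar_var_get_data() fails after partially filling the buffer, or never writes it, the other members of scan_ver are left indeterminate; zero-initialising scan_ver at its declaration (or a memset before the call) makes the fallback deterministic whatever the firmware returned. Since `sc->sc_scan_ver = letoh16(scan_ver.scan_ver_major);` is the only consumer, that is a one-line change, and the suggestion above to warn on an unsupported major version would sit naturally right after that assignment.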
Re: Please test: make ipsec(4) timeouts mpsafe
On 12.10.2023. 20:10, Vitaliy Makkoveev wrote:
> Hi, MP safe process timeouts were landed to the tree, so time to test
> them with network stack :) Diff below makes tdb and ids garbage
> collector timeout handlers running without kernel lock. Not for commit,
> just share this for tests if someone interesting.

Hi,

with this diff it seems that it's a little slower than without it.

165Kpps with diff
200Kpps without diff

test1
ike esp from 10.221.0.0/16 to 10.222.0.0/16 \
	local 192.168.1.1 peer 192.168.1.2 \
	main auth hmac-sha1 enc aes group modp1024 lifetime 3m \
	quick enc aes-128-gcm group modp1024 lifetime 1m \
	psk "123"

test2
ike esp from 10.222.0.0/16 to 10.221.0.0/16 \
	local 192.168.1.2 peer 192.168.1.1 \
	main auth hmac-sha1 enc aes group modp1024 lifetime 3m \
	quick enc aes-128-gcm group modp1024 lifetime 1m \
	psk "123"

I'm sending random /24 udp traffic from host connected to test1 box through tunnel to host connected to test2 box ...

test1 - top -SHs1
  PID    TID PRI NICE  SIZE   RES STATE    WAIT     TIME    CPU COMMAND
20980 359894  14    0    0K 1004K sleep/3  netlock  2:26 46.58% softnet3
54870 346439  14    0    0K 1004K sleep/3  netlock  2:24 42.33% softnet4
65020 320085  42    0    0K 1004K onproc/1 -        2:22 41.60% softnet5
 3723 371456  45    0    0K 1004K onproc/5 -        2:22 40.67% softnet1
16879 500721  43    0    0K 1004K onproc/4 -        2:26 39.06% softnet2
 1371 446835  14    0    0K 1004K sleep/2  netlock  0:13  5.37% softnet0

test2 - top -SHs1
  PID    TID PRI NICE  SIZE   RES STATE    WAIT     TIME    CPU COMMAND
61821 455808  10    0    0K 1004K sleep/4  bored    3:02 86.96% softnet0
77299 594039  10    0    0K 1004K sleep/1  bored    0:33 21.63% softnet4
Re: Remove hardcoded ${HOSTCC} calls in games?
I think this is correct support for cross-compilation, and what you are trying to do is less important.

Frederic Cambus wrote:
> Hi tech@,
>
> When trying the GCC 11 static analyzer on games, I noticed that some of
> them (adventure, boggle, fortune, hack, monop, phantasia) have hardcoded
> calls to ${HOSTCC}. They would obviously not compile when passed the GCC's
> "-fanalyzer" flag through CFLAGS as it is not recognized by Clang.
>
> Most of those calls were added in 1996 by the following commit:
>
> https://github.com/openbsd/src/commit/da34e3c3d40263be91967714eaa1a2c4390ea117
>
> And the remaining ones in early 1997:
>
> https://github.com/openbsd/src/commit/bdcd13e0503c5cfa23706bc22449229ca71dddaf
> https://github.com/openbsd/src/commit/06f1ba87d9fbb136e239d3f8fa0b8a7c8c825687
>
> Unless I'm mistaken, I don't see any reason why we need to keep them.
>
> The following diff removes them.
>
> Comments? OK?
>
> Index: games/adventure/Makefile > === > RCS file: /cvs/src/games/adventure/Makefile,v > retrieving revision 1.5 > diff -u -p -r1.5 Makefile > --- games/adventure/Makefile 23 May 2002 18:42:59 - 1.5 > +++ games/adventure/Makefile 12 Oct 2023 07:39:02 - > @@ -9,6 +9,6 @@ data.c: glorkz setup > ./setup ${.CURDIR}/glorkz > data.c > > setup: setup.c hdr.h > - ${HOSTCC} -o setup ${.CURDIR}/setup.c > + ${CC} -o setup ${.CURDIR}/setup.c > > .include > Index: games/boggle/mkdict/Makefile > === > RCS file: /cvs/src/games/boggle/mkdict/Makefile,v > retrieving revision 1.4 > diff -u -p -r1.4 Makefile > --- games/boggle/mkdict/Makefile 7 Jan 2016 16:00:31 - 1.4 > +++ games/boggle/mkdict/Makefile 12 Oct 2023 07:39:02 -
> @@ -5,7 +5,6 @@ > PROG=mkdict > CFLAGS+=-I${.CURDIR}/../boggle > NOMAN=noman > -CC=${HOSTCC} > > install: > > Index: games/boggle/mkindex/Makefile > === > RCS file: /cvs/src/games/boggle/mkindex/Makefile,v > retrieving revision 1.4 > diff -u -p -r1.4 Makefile > --- games/boggle/mkindex/Makefile 7 Jan 2016 16:00:31 - 1.4 > +++ games/boggle/mkindex/Makefile 12 Oct 2023 07:39:02 - > @@ -5,7 +5,6 @@ > PROG=mkindex > CFLAGS+=-I${.CURDIR}/../boggle > NOMAN=noman > -CC=${HOSTCC} > > install: > > Index: games/fortune/strfile/Makefile > === > RCS file: /cvs/src/games/fortune/strfile/Makefile,v > retrieving revision 1.4 > diff -u -p -r1.4 Makefile > --- games/fortune/strfile/Makefile9 Feb 1997 13:52:40 - 1.4 > +++ games/fortune/strfile/Makefile12 Oct 2023 07:39:02 - > @@ -4,6 +4,5 @@ > > PROG=strfile > MAN= strfile.8 > -CC= ${HOSTCC} > > .include > Index: games/hack/Makefile > === > RCS file: /cvs/src/games/hack/Makefile,v > retrieving revision 1.17 > diff -u -p -r1.17 Makefile > --- games/hack/Makefile 5 Apr 2019 09:02:27 - 1.17 > +++ games/hack/Makefile 12 Oct 2023 07:39:02 - > @@ -24,7 +24,7 @@ hack.onames.h: makedefs def.objects.h > ${.OBJDIR}/makedefs ${.CURDIR}/def.objects.h > hack.onames.h > > makedefs: makedefs.c > - ${HOSTCC} ${CFLAGS} ${LDFLAGS} ${LDSTATIC} -o ${.TARGET} > ${.CURDIR}/${.PREFIX}.c ${LDADD} > + ${CC} ${CFLAGS} ${LDFLAGS} ${LDSTATIC} -o ${.TARGET} > ${.CURDIR}/${.PREFIX}.c ${LDADD} > > beforeinstall: > ${INSTALL} ${INSTALL_COPY} -o ${BINOWN} -g ${BINGRP} -m 444 > ${.CURDIR}/help \ > Index: games/monop/Makefile > === > RCS file: /cvs/src/games/monop/Makefile,v > retrieving revision 1.7 > diff -u -p -r1.7 Makefile > --- games/monop/Makefile 23 May 2002 18:43:00 - 1.7 > +++ games/monop/Makefile 12 Oct 2023 07:39:02 - 
> @@ -12,7 +12,7 @@ cards.pck: initdeck > ${.OBJDIR}/initdeck ${.CURDIR}/cards.inp > > initdeck: initdeck.c > - ${HOSTCC} ${CFLAGS} ${LDFLAGS} ${LDSTATIC} -o ${.TARGET} > ${.CURDIR}/initdeck.c ${LDADD} > + ${CC} ${CFLAGS} ${LDFLAGS} ${LDSTATIC} -o ${.TARGET} > ${.CURDIR}/initdeck.c ${LDADD} > > beforeinstall: > ${INSTALL} ${INSTALL_COPY} -o ${BINOWN} -g ${BINGRP} -m 444 cards.pck \ > Index: games/phantasia/Makefile > === > RCS file: /cvs/src/games/phantasia/Makefile,v > retrieving revision 1.19 > diff -u -p -r1.19 Makefile > --- games/phantasia/Makefile 11 Jul 2022 03:11:49 - 1.19 > +++ games/phantasia/Makefile 12 Oct 2023 07:39:02 - > @@ -11,13 +11,13 @@ CLEANFILES+=map setup setup.o phantglobs > all: setup phantasia > > setup.o: setup.c > - ${HOSTCC} -c ${CFLAGS} -o ${.TARGET} ${.CURDIR}/setup.c > + ${CC} -c ${CFLAGS} -o ${.TARGET} ${.CU
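Review bot: replacing ${HOSTCC} with ${CC} changes which machine the helper binaries are compiled for, and the quoted hunks show those helpers being executed during the build itself (`./setup ${.CURDIR}/glorkz > data.c` in games/adventure, `${.OBJDIR}/makedefs ${.CURDIR}/def.objects.h > hack.onames.h` in games/hack, `${.OBJDIR}/initdeck ${.CURDIR}/cards.inp` in games/monop), so in a cross build they would become target binaries run on the build host. That is the cross-compilation support the reply above is defending, and it is the reason these Makefiles name HOSTCC rather than CC.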
Remove hardcoded ${HOSTCC} calls in games?
Hi tech@,

When trying the GCC 11 static analyzer on games, I noticed that some of them (adventure, boggle, fortune, hack, monop, phantasia) have hardcoded calls to ${HOSTCC}. They would obviously not compile when passed the GCC's "-fanalyzer" flag through CFLAGS as it is not recognized by Clang.

Most of those calls were added in 1996 by the following commit:

https://github.com/openbsd/src/commit/da34e3c3d40263be91967714eaa1a2c4390ea117

And the remaining ones in early 1997:

https://github.com/openbsd/src/commit/bdcd13e0503c5cfa23706bc22449229ca71dddaf
https://github.com/openbsd/src/commit/06f1ba87d9fbb136e239d3f8fa0b8a7c8c825687

Unless I'm mistaken, I don't see any reason why we need to keep them.

The following diff removes them.

Comments? OK?

Index: games/adventure/Makefile === RCS file: /cvs/src/games/adventure/Makefile,v retrieving revision 1.5 diff -u -p -r1.5 Makefile --- games/adventure/Makefile23 May 2002 18:42:59 - 1.5 +++ games/adventure/Makefile12 Oct 2023 07:39:02 - @@ -9,6 +9,6 @@ data.c: glorkz setup ./setup ${.CURDIR}/glorkz > data.c setup: setup.c hdr.h - ${HOSTCC} -o setup ${.CURDIR}/setup.c + ${CC} -o setup ${.CURDIR}/setup.c .include Index: games/boggle/mkdict/Makefile === RCS file: /cvs/src/games/boggle/mkdict/Makefile,v retrieving revision 1.4 diff -u -p -r1.4 Makefile --- games/boggle/mkdict/Makefile7 Jan 2016 16:00:31 - 1.4 +++ games/boggle/mkdict/Makefile12 Oct 2023 07:39:02 - @@ -5,7 +5,6 @@ PROG= mkdict CFLAGS+=-I${.CURDIR}/../boggle NOMAN=noman -CC=${HOSTCC} install: Index: games/boggle/mkindex/Makefile === RCS file: /cvs/src/games/boggle/mkindex/Makefile,v retrieving revision 1.4 diff -u -p -r1.4 Makefile --- games/boggle/mkindex/Makefile 7 Jan 2016 16:00:31 - 1.4 +++ games/boggle/mkindex/Makefile 12 Oct 2023 07:39:02 -
@@ -5,7 +5,6 @@ PROG= mkindex CFLAGS+=-I${.CURDIR}/../boggle NOMAN=noman -CC=${HOSTCC} install: Index: games/fortune/strfile/Makefile === RCS file: /cvs/src/games/fortune/strfile/Makefile,v retrieving revision 1.4 diff -u -p -r1.4 Makefile --- games/fortune/strfile/Makefile 9 Feb 1997 13:52:40 - 1.4 +++ games/fortune/strfile/Makefile 12 Oct 2023 07:39:02 - @@ -4,6 +4,5 @@ PROG= strfile MAN= strfile.8 -CC=${HOSTCC} .include Index: games/hack/Makefile === RCS file: /cvs/src/games/hack/Makefile,v retrieving revision 1.17 diff -u -p -r1.17 Makefile --- games/hack/Makefile 5 Apr 2019 09:02:27 - 1.17 +++ games/hack/Makefile 12 Oct 2023 07:39:02 - @@ -24,7 +24,7 @@ hack.onames.h: makedefs def.objects.h ${.OBJDIR}/makedefs ${.CURDIR}/def.objects.h > hack.onames.h makedefs: makedefs.c - ${HOSTCC} ${CFLAGS} ${LDFLAGS} ${LDSTATIC} -o ${.TARGET} ${.CURDIR}/${.PREFIX}.c ${LDADD} + ${CC} ${CFLAGS} ${LDFLAGS} ${LDSTATIC} -o ${.TARGET} ${.CURDIR}/${.PREFIX}.c ${LDADD} beforeinstall: ${INSTALL} ${INSTALL_COPY} -o ${BINOWN} -g ${BINGRP} -m 444 ${.CURDIR}/help \ Index: games/monop/Makefile === RCS file: /cvs/src/games/monop/Makefile,v retrieving revision 1.7 diff -u -p -r1.7 Makefile --- games/monop/Makefile23 May 2002 18:43:00 - 1.7 +++ games/monop/Makefile12 Oct 2023 07:39:02 - @@ -12,7 +12,7 @@ cards.pck: initdeck ${.OBJDIR}/initdeck ${.CURDIR}/cards.inp initdeck: initdeck.c - ${HOSTCC} ${CFLAGS} ${LDFLAGS} ${LDSTATIC} -o ${.TARGET} ${.CURDIR}/initdeck.c ${LDADD} + ${CC} ${CFLAGS} ${LDFLAGS} ${LDSTATIC} -o ${.TARGET} ${.CURDIR}/initdeck.c ${LDADD} beforeinstall: ${INSTALL} ${INSTALL_COPY} -o ${BINOWN} -g ${BINGRP} -m 444 cards.pck \ Index: games/phantasia/Makefile === RCS file: /cvs/src/games/phantasia/Makefile,v retrieving revision 1.19 diff -u -p -r1.19 Makefile --- games/phantasia/Makefile11 Jul 2022 03:11:49 - 1.19 +++ games/phantasia/Makefile12 Oct 2023 07:39:02 - 
@@ -11,13 +11,13 @@ CLEANFILES+=map setup setup.o phantglobs all: setup phantasia setup.o: setup.c - ${HOSTCC} -c ${CFLAGS} -o ${.TARGET} ${.CURDIR}/setup.c + ${CC} -c ${CFLAGS} -o ${.TARGET} ${.CURDIR}/setup.c phantglobs.o.bld: phantglobs.c - ${HOSTCC} -c ${CFLAGS} -o ${.TARGET} ${.CURDIR}/phantglobs.c + ${CC} -c ${CFLAGS} -o ${.TARGET} ${.CURDIR}/phantglobs.c setup: phantglobs.o.bld setup.o monsters.asc ${DPADD} - ${HOSTCC} ${CFLAGS} ${LDFLAGS} ${LDSTATIC} -o ${.TARGET} \ + ${CC} ${CFLAGS} ${LDFLAGS} ${LDSTATIC} -o ${.TARGET}
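Review bot: the motivating problem, that HOSTCC (clang) does not understand GCC's -fanalyzer when it arrives through CFLAGS, can be addressed for that analysis run by overriding the host compiler instead of removing it, for example `make HOSTCC=${CC}` or HOSTCC set in the environment, which leaves the cross-build path intact; the games/hack, games/monop and games/phantasia hunks already pass ${CFLAGS} to ${HOSTCC}, so it is the compiler choice and not the flag plumbing that has to differ. If the diff is committed as is, the commit message should state explicitly that these helper programs will no longer be built with the host compiler and what that means for cross builds.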
OpenBGPD 8.3 released
We have released OpenBGPD 8.3, which will be arriving in the OpenBGPD directory of your local OpenBSD mirror soon.

This release includes the following changes to the previous release:

* bgpd 8.1 and 8.2 could send a bad COMMUNITY attribute when non-transitive ext-communities are present. A workaround is to add a filter rule to clear non-transitive ext-communities:

      match to ebgp set ext-community delete ovs *

  This fix is included in OpenBSD 7.4.

* Fix a possible fatal error in the RDE when "announce add-path send all" is used. The error is triggered by an ineligible path which is wrongly distributed.

* Fix selection of the local nexthop for the alternate address family. This is used by 'announce IPv6 unicast' over an IPv4 session or vice-versa.

OpenBGPD-portable is known to compile and run on FreeBSD and the Linux distributions Alpine, Debian, Fedora, RHEL/CentOS and Ubuntu. It is our hope that packagers take interest and help adapt OpenBGPD-portable to more distributions.

We welcome feedback and improvements from the broader community. Thanks to all of the contributors who helped make this release possible.