CVS: cvs.openbsd.org: src

2022-06-28 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2022/06/28 07:48:06

Modified files:
sys/net: pf.c 

Log message:
fix syncookies in conjunction with tcp fast port reuse.
This really pointed out that the place syncookies were hooked in was almost,
but not completely right. The way it was the special case for tcp fast port
reuse in pf_test_state wasn't hit, because the first packet
hitting that was the ACK from the peer finishing the 3WHS, and the
reconstructed SYN came after. We're now doing pf_find_state (and *only* that)
first, then syncookies, then going on so that the old state is thrown away
properly and we get a new one with the sequence number modulator set up
correctly
Bonus: -11 lines of code
tracked down (that took a while) + fixed under contract with Hush
Communications Canada; special thanks to Lyndon
ok sashan



CVS: cvs.openbsd.org: src

2022-06-13 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2022/06/13 06:48:00

Modified files:
sys/net: pf.c 

Log message:
fix logic bug in pf_find_state()
a state in PFTM_PURGE could potentially hide another state on the same state
key that is active and we'd incorrectly block the packet
I believe that cannot happen as things are now.
ok sashan



CVS: cvs.openbsd.org: src

2020-07-21 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2020/07/21 08:13:18

Modified files:
sys/net: pf_ioctl.c 

Log message:
when calculating the ruleset's checksum, skip automatic table names.
the checksum is exclusively used for pfsync to verify rulesets are identical
on all nodes. the automatic table names are random and have a near zero
chance to match. found at a customer in zurich
ok sashan kn



CVS: cvs.openbsd.org: src

2020-07-21 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2020/07/21 08:10:51

Modified files:
sbin/pfctl : pfctl_optimize.c pfctl_parser.h 
sys/net: pfvar.h 

Log message:
rename PF_OPT_TABLE_PREFIX to PF_OPTIMIZER_TABLE_PFX and move it to pfvar.h
OPT is misleading and usually refers to command line arguments to pfctl
ok sashan kn



CVS: cvs.openbsd.org: src

2018-12-07 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2018/12/07 05:52:47

Modified files:
usr.sbin/dhcpd : pfutils.c 

Log message:
I noticed the "pf table handler" process not going away on dhcpd restart,
looked at the error handling here, and oh my.
If opening /dev/pf on startup fails, don't just warn and move on, but bail.
If chroot (or the chdir after) fail, don't just warn and move on, bail.
If dropping privileges fails, the last thing we want to do is to just move
on with root privs, having warned or not.
If the pipe to the parent process is closed, that almost certainly means
that the parent process went away, and it absolutely certainly means that
the table handler process has no meaningful reason to exist any more, thus
bail.
ok florian ccardenas krw



CVS: cvs.openbsd.org: src

2018-11-15 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2018/11/15 06:16:37

Modified files:
sys/net: pf.c 

Log message:
in the "pf: key search" debug message, add the direction. interface *and*
dir make debugging much easier than the if alone.



CVS: cvs.openbsd.org: src

2018-09-10 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2018/09/10 10:07:20

Modified files:
sys/net: if.c 

Log message:
if_setrdomain could potentially call if_clone_create recursively in the create
rdomain case leading to locking issues and lots of headscratching. turns out
the only case where if_setrdomain could actually create an rdomain and thus
end up with that pattern is the ioctl path.
make if_setrdomain never create an rdomain, return error if it doesn't exist
already, introduce if_createrdomain, and adjust the ioctl path to use it.
ok sashan bluhm claudio



CVS: cvs.openbsd.org: src

2018-09-10 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2018/09/10 09:54:28

Modified files:
sys/net: pf_syncookies.c 

Log message:
in pf_syncookie_validate, return early if we don't have syncookies in
flight that can possibly match. there is a tiny but existing chance that
a sequence number matches w/ our hash and we'd end up dropping traffic.
unclear whether that has actually happened since the report chain is long :)
report via haesbert via bluhm; ok bluhm



CVS: cvs.openbsd.org: src

2018-09-09 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2018/09/09 04:13:21

Modified files:
share/man/man4 : rdomain.4 

Log message:
rdomains can be deleted again - remove caveat, tell ppl how to delete, and
show an example. reminded by kn



CVS: cvs.openbsd.org: src

2018-09-09 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2018/09/09 04:11:41

Modified files:
sys/net: if_loop.c 

Log message:
allow the automatically created loopback interfaces in rdomains to be
deleted if the rdomain doesn't contain any other interface. turn the rdomain
back into an ordinary, empty rtable in that case.
with this and the previous commits one can get rid of rdomains again without
rebooting, which wasn't possible any more for some time
ok bluhm, input mpi



CVS: cvs.openbsd.org: src

2018-09-09 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2018/09/09 04:09:06

Modified files:
sys/net: if.c 

Log message:
if_setrdomain: allow empty rtables to be turned into rdomains, not just
nonexistent ones as before. nasty error handling with bluhm, feedback mpi as
well. ok bluhm



CVS: cvs.openbsd.org: src

2018-09-09 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2018/09/09 04:07:38

Modified files:
sys/net: rtable.c rtable.h 

Log message:
provide rtable_empty(), returns 1 if the rtable doesn't contain any routes
ok bluhm



CVS: cvs.openbsd.org: src

2018-07-12 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2018/07/12 13:31:05

Modified files:
usr.sbin/ntpd  : ntp.c 

Log message:
if we couldn't update the clock for ~1h due to lack of data from peers and
sensors, mark us unsynced again. ok reyk krw, pt out / discussion / help naddy



CVS: cvs.openbsd.org: src

2018-07-11 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2018/07/11 13:52:19

Modified files:
sys/net: route.c 

Log message:
superfluous newline



CVS: cvs.openbsd.org: src

2018-07-11 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2018/07/11 05:39:31

Modified files:
sys/net: pf.c 

Log message:
the STATE_LOOKUP macro made sense ages ago. It stopped making sense
when we moved most of the functionality into a function. g/c the macro
and just call the function. ok mpi jca



CVS: cvs.openbsd.org: src

2018-07-11 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2018/07/11 03:08:21

Modified files:
sys/net: if.c 

Log message:
in if_addgroup(), call the new pfi_group_addmember() instead of
pf_group_change() - the latter is called by _addmember now to update dynaddr.
before this, "set skip on lo", ifconfig lo1 create -> no skip on lo1 until
pf ruleset got reloaded. Now lo1 gets the skip flag as intended. This has
caused much confusion with i. e. gif interfaces in the past.
ok benno, very excited ok phessler



CVS: cvs.openbsd.org: src

2018-07-11 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2018/07/11 03:05:51

Modified files:
sys/net: pf_if.c pfvar.h 

Log message:
provide pfi_group_addmember(), which makes the new member interface inherit
set flags from the group. ok phessler benno



CVS: cvs.openbsd.org: src

2018-07-10 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2018/07/10 13:28:35

Modified files:
etc/examples   : pf.conf 

Log message:
we were referring to 10k states by default here as well, pt out by claudio



CVS: cvs.openbsd.org: src

2018-07-10 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2018/07/10 13:27:11

Modified files:
share/man/man5 : pf.conf.5 

Log message:
where we were showing "set limit states 1" make that 100k as well,
and adjust adaptive.start/end as well (just like in the code)



CVS: cvs.openbsd.org: src

2018-07-10 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2018/07/10 10:48:22

Modified files:
sys/net: pfvar.h 

Log message:
The year is 2018.
Mercury, Bowie, Cash, Motorola and DEC all left us.
Just pf still has a default state table limit of 1.
Had! Now it's a tiny little bit more, 100k.
lead guitar: me
ok chorus: phessler theo claudio benno
background school girl laughing: bob



CVS: cvs.openbsd.org: src

2018-07-10 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2018/07/10 07:01:39

Modified files:
sys/net: pf.c 

Log message:
in pf_set_protostate(), only decrement the half-open states counter when
the state was created on this host, i. e. not for those pfsync-imported.
whether pfsync-imported states should be accounted is a separate discussion,
but as things are, we only increment the counter in pf_create_state(), and
imported states don't exercise that path.
probably fixes the half-open states accounting underflow-wraparounds that
some people have been seeing.
ok sashan



CVS: cvs.openbsd.org: src

2018-07-10 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2018/07/10 03:31:07

Modified files:
share/man/man5 : pf.conf.5 

Log message:
document set delay



CVS: cvs.openbsd.org: src

2018-07-10 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2018/07/10 03:30:49

Modified files:
sbin/pfctl : parse.y pfctl.c pfctl_parser.c 

Log message:
'set delay' for the generic packet delay mechanism, ok benno sashan



CVS: cvs.openbsd.org: src

2018-07-10 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2018/07/10 03:30:13

Modified files:
sys/net: if.c 

Log message:
if_enqueue: call pf_delay_pkt() if m_pkthdr.pf.delay is set
ok benno sashan



CVS: cvs.openbsd.org: src

2018-07-10 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2018/07/10 03:28:27

Modified files:
sys/net: pf.c pf_ioctl.c pfvar.h 
sys/sys: mbuf.h 

Log message:
provide a generic packet delay functionality. packets to be delayed are marked
by pf in the packet header. pf_delay_pkt reads the delay value from the packet
header, schedules a timeout and re-queues the packet when the timeout fires.
ok benno sashan



CVS: cvs.openbsd.org: src

2018-04-02 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2018/04/02 02:40:46

Modified files:
sys/dev/pci: azalia.c 

Log message:
enable snooping on Intel Apollo Lake HD Audio, pt out & ok jsg



CVS: cvs.openbsd.org: src

2018-04-02 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2018/04/02 02:39:24

Modified files:
sys/dev/pci: ichiic.c 

Log message:
attach on Intel Apollo Lake SMBus, ok jsg



CVS: cvs.openbsd.org: src

2018-04-02 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2018/04/02 02:38:24

Modified files:
sys/dev/pci: pcidevs.h pcidevs_data.h 

Log message:
regen



CVS: cvs.openbsd.org: src

2018-04-02 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2018/04/02 02:37:41

Modified files:
sys/dev/pci: pcidevs 

Log message:
add a bunch of Intel Apollo Lake devices found on NUC6CAYH / Celeron J3455
input & ok jsg



CVS: cvs.openbsd.org: www

2018-03-10 Thread Henning Brauer
CVSROOT:/cvs
Module name:www
Changes by: henn...@cvs.openbsd.org 2018/03/10 23:31:00

Modified files:
.  : events.html 
Added files:
papers : asiabsdcon2018-xray.pdf 
 asiabsdcon2018-xray-paper.pdf 

Log message:
add my asiabsdcon slides and paper



CVS: cvs.openbsd.org: src

2018-02-10 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2018/02/10 19:17:46

Modified files:
sys/net: if_bridge.c 

Log message:
if an interface is added to the bridge that doesn't exist, try to create it
triggered by djm's dhclient on vether on bridge setup
ok djm benno claudio



CVS: cvs.openbsd.org: src

2018-02-08 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2018/02/08 02:15:46

Modified files:
sys/net: pf_syncookies.c pfvar.h 
sbin/pfctl : parse.y pfctl.c pfctl_parser.h 

Log message:
make the watermarks/thresholds for entering and leaving syncookie mode when
syncookies are set to adaptive tunable, ok claudio benno



CVS: cvs.openbsd.org: src

2018-02-08 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2018/02/08 02:14:19

Modified files:
share/man/man5 : pf.conf.5 

Log message:
give jmc another chance to "fix previous" - document syncookies
(thanks jmc!)



CVS: cvs.openbsd.org: src

2018-02-07 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2018/02/07 19:26:39

Modified files:
sbin/pfctl : pfctl.c pfctl_parser.c pfctl_parser.h 

Log message:
show current synflood detection watermarks in pfctl -vsi, for the lack
of a more appropriate place. ok claudio benno procter



CVS: cvs.openbsd.org: src

2018-02-07 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2018/02/07 19:25:44

Modified files:
sys/net: pf_ioctl.c pf_syncookies.c pfvar.h 

Log message:
add DIOCGETSYNFLWATS to get current synflood detection watermarks,
ok claudio benno procter



CVS: cvs.openbsd.org: src

2018-02-06 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2018/02/06 23:11:43

Modified files:
sys/net: pf_ioctl.c 

Log message:
look ma, henning forgot to PF_LOCK/_UNLOCK in the new ioctls, ok procter



CVS: cvs.openbsd.org: src

2018-02-06 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2018/02/06 22:48:47

Modified files:
sys/net: pfvar.h pf_syncookies.c 

Log message:
provide counters for # of synfloods detected, # of syncookies sent,
# of syncookies successfully validated, ok phessler



CVS: cvs.openbsd.org: src

2018-02-06 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2018/02/06 16:47:47

Modified files:
sbin/pfctl : parse.y pfctl.c pfctl_parser.h 

Log message:
allow control over syncookies: set syncookies never/always/adaptive



CVS: cvs.openbsd.org: src

2018-02-06 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2018/02/06 16:44:48

Modified files:
sys/sys: mbuf.h 
sys/conf   : files 
sys/net: pf.c pf_ioctl.c pfvar.h 

Log message:
syncookies for pf.
when syncookies are on, pf will blindly answer each and every SYN with a
syncookie-SYNACK. Upon reception of the ACK completing the 3WHS, pf will
reconstruct the original SYN, shove it through pf_test, where state will
be created if the ruleset permits it. Then massage the freshly created state
(we won't see the SYNACK), set up the sequence number modulator, and call
into the existing synproxy code to start the 3WHS with the backend host.
Add an - somewhat basic for now - adaptive mode where syncookies get enabled
if a certain percentage of the state table is filled up with half-open tcp
connections. This makes pf firewalls resilient against large synflood
attacks.
syncookies are off by default until we gained more experience, considered
experimental for now.
see http://bulabula.org/papers/2017/bsdcan/ for more details.
joint work with sashan@, widely discussed and with lots of input by many
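
The mechanism described in this commit message, as an added example that is not pf's own code: a SYN cookie is a keyed hash over the flow, a coarse timestamp and an MSS index, sent as the SYNACK's ISN so that no state exists until the ACK completing the 3WHS hands the cookie back for validation. The MSS table, the 32-bit bit layout, the two-slot key rotation, the per-key "in flight" bookkeeping (which also gives the early return from the 2018/09/10 pf_syncookies.c commit above: nothing in flight means nothing can match) and the adaptive start/end percentages are all assumptions made for the example, not pf's actual values.

```python
import hashlib
import hmac
import os
import struct

# Assumed MSS table: the 3 low cookie bits index into it (pf's real table
# and bit layout differ; the encoding idea is what this demonstrates).
MSS_TABLE = (216, 536, 1200, 1360, 1440, 1460, 8900, 65535)
TICK_SECONDS = 15     # assumed coarse clock step encoded in the cookie
MAX_TICK_AGE = 2      # assumed: reject cookies older than this many ticks


class SynCookies:
    """Stateless SYN handling. No state is kept for a SYN; the ISN sent in the
    SYNACK is a keyed hash over the flow, a coarse timestamp and an MSS index.
    The ACK completing the 3WHS carries that ISN + 1, and recomputing the hash
    tells us whether we issued it. Two keys are kept so the key can be rotated
    without invalidating cookies issued a moment earlier (assumed model)."""

    def __init__(self):
        self.keys = [os.urandom(16), os.urandom(16)]
        self.key_idx = 0
        self.issued = [0, 0]   # cookies in flight per key (assumed bookkeeping)

    def rotate_key(self):
        """Switch to the other slot and give it a fresh key."""
        self.key_idx ^= 1
        self.keys[self.key_idx] = os.urandom(16)
        self.issued[self.key_idx] = 0

    def _mac(self, key, flow, tick, mss_idx):
        saddr, sport, daddr, dport = flow
        msg = (saddr.encode() + struct.pack("!H", sport) + daddr.encode()
               + struct.pack("!HIB", dport, tick & 0xffffffff, mss_idx))
        # 24 bits of HMAC-SHA256 go into the top of the 32-bit cookie
        return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:3], "big")

    def generate(self, flow, mss, now):
        """Return the ISN for the syncookie-SYNACK answering a SYN."""
        tick = int(now // TICK_SECONDS)
        mss_idx = 0
        for i, m in enumerate(MSS_TABLE):
            if m <= mss:
                mss_idx = i
        mac = self._mac(self.keys[self.key_idx], flow, tick, mss_idx)
        self.issued[self.key_idx] += 1
        # layout: mac[31:8] | key_idx[7] | tick low bits[6:3] | mss_idx[2:0]
        return (mac << 8) | (self.key_idx << 7) | ((tick & 0xf) << 3) | mss_idx

    def validate(self, flow, ack, now):
        """Return the MSS encoded in the cookie if the ACK completes a handshake
        we issued a cookie for, else None."""
        if sum(self.issued) == 0:
            return None        # nothing in flight, so nothing can match
        cookie = (ack - 1) & 0xffffffff
        key_idx = (cookie >> 7) & 1
        mss_idx = cookie & 0x7
        tick_lo = (cookie >> 3) & 0xf
        now_tick = int(now // TICK_SECONDS)
        # the cookie only carries the low tick bits; try the recent ticks
        for age in range(MAX_TICK_AGE + 1):
            tick = now_tick - age
            if (tick & 0xf) != tick_lo:
                continue
            mac = self._mac(self.keys[key_idx], flow, tick, mss_idx)
            if hmac.compare_digest(mac.to_bytes(3, "big"),
                                   (cookie >> 8).to_bytes(3, "big")):
                self.issued[key_idx] = max(0, self.issued[key_idx] - 1)
                return MSS_TABLE[mss_idx]
        return None


def adaptive_mode(syncookies_on, half_open, state_limit, start_pct=25, end_pct=12):
    """Hysteresis for 'set syncookies adaptive': enter syncookie mode when the
    half-open tcp states exceed start_pct of the state limit, leave it when they
    fall below end_pct (percentages assumed for the example)."""
    pct = 100 * half_open // state_limit
    if not syncookies_on and pct >= start_pct:
        return True
    if syncookies_on and pct < end_pct:
        return False
    return syncookies_on


if __name__ == "__main__":
    sc = SynCookies()
    flow = ("192.0.2.10", 40000, "198.51.100.1", 443)   # constructed 4-tuple
    isn = sc.generate(flow, 1460, now=1000.0)
    print("SYNACK seq", hex(isn), "-> ACK validates to MSS",
          sc.validate(flow, (isn + 1) & 0xffffffff, now=1003.0))
```

The validation step is where the defensive value lies: a flood of SYNs costs the firewall only a hash per packet and no state-table entry, and a forged ACK only gets a state if it carries a cookie that was actually issued for that exact 4-tuple within the last few ticks under a key that is still live.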



CVS: cvs.openbsd.org: src

2018-02-06 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2018/02/06 16:37:24

Added files:
sys/net: pf_syncookies.c 

Log message:
syncookies implementation to be used in pf, based on the FreeBSD one by
Andre Oppermann, heavily adjusted for pf instead of stack use and with
entirely rewritten timeout machinery and new hashing
with bits from sashan, widely discussed with the other network hackers



Re: CVS: cvs.openbsd.org: src

2018-02-06 Thread Henning Brauer
finger muscles were apparently too sore to include "ok phessler procter"

* Henning Brauer <henn...@openbsd.org> [2018-02-06 10:16]:
> CVSROOT:  /cvs
> Module name:  src
> Changes by:   henn...@cvs.openbsd.org 2018/02/06 02:16:11
> 
> Modified files:
>   sys/net: pf.c pf_if.c pf_ioctl.c pf_lb.c pf_norm.c 
> 
> Log message:
> some finger muscle workout:
> bzero -> memset and (very few) bcopy -> memcpy/memmove
> 

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



CVS: cvs.openbsd.org: src

2018-02-06 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2018/02/06 02:16:11

Modified files:
sys/net: pf.c pf_if.c pf_ioctl.c pf_lb.c pf_norm.c 

Log message:
some finger muscle workout:
bzero -> memset and (very few) bcopy -> memcpy/memmove



CVS: cvs.openbsd.org: src

2018-02-05 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2018/02/05 17:05:24

Modified files:
usr.sbin/crunchgen: crunchgen.c 

Log message:
chdir to the target directory, run make there and fchdir back after.
allows Makefiles with ${.CURDIR} constructs to work with crunchgen.
pointed out by Holger Mikolon, input from theo, ok theo millert



CVS: cvs.openbsd.org: src

2018-02-04 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2018/02/04 22:06:51

Modified files:
sys/net: bridgectl.c if_bridge.c 

Log message:
bcmp -> memcmp; kinda req'd / not-just-kinda ok'd by claudio



CVS: cvs.openbsd.org: src

2018-02-04 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2018/02/04 20:51:53

Modified files:
sys/net: bridgectl.c if_bridge.c if_bridge.h 
sbin/ifconfig  : brconfig.c ifconfig.8 

Log message:
implement an arp filter
allows arp (and rarp) requests and replies to be matched, including matching
based on the source and target host and protocol addresses, and thus control
over arp traffic and learning.
written for medical x-ray machines, but useful in many spread out L2 networks
ok claudio benno



CVS: cvs.openbsd.org: src

2017-11-13 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2017/11/13 04:30:11

Modified files:
sbin/pfctl : parse.y pfctl_parser.c 
sys/net: pf.c pf_ioctl.c pfvar.h 
share/man/man5 : pf.conf.5 

Log message:
add a generic packet rate matching filter. allows things like
pass in proto icmp max-pkt-rate 100/10
all packets matching the rule in the direction the state was created are
taken into consideration (typically: requests, but not replies).
Just like with the other max-*, the rule stops matching if the maximum is
reached, so in typical scenarios the default block rule would kick in then.
with input from Holger Mikolon
ok mikeb
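
The matching semantics described in this commit message, as an added example that is not pf's own code: `max-pkt-rate N/S` counts only packets in the direction the state was created (requests, not replies), and once N of them were seen within S seconds the rule stops matching, so the packet falls through to the next rule, typically the default block. The fixed-window counter is an assumption made for the example; the sample packets are constructed.

```python
import re


class PktRateFilter:
    """Models 'max-pkt-rate N/S' on a pass rule (added example, not pf's code).
    Only packets travelling in the direction the state was created in are
    counted (requests, not replies). Once N such packets were seen within an
    S-second window the rule stops matching, so the packet falls through to
    whatever rule follows, typically the default block."""

    def __init__(self, spec, created_dir="in"):
        m = re.fullmatch(r"(\d+)/(\d+)", spec)
        if m is None:
            raise ValueError("expected N/S, got %r" % spec)
        self.limit = int(m.group(1))
        self.seconds = int(m.group(2))
        self.created_dir = created_dir
        self.window_start = None     # assumption: fixed window counter
        self.count = 0

    def matches(self, direction, now):
        """True if the rule still matches this packet."""
        if direction != self.created_dir:
            return True              # replies ride on the state, never counted
        if self.window_start is None or now - self.window_start >= self.seconds:
            self.window_start, self.count = now, 0
        self.count += 1
        return self.count <= self.limit


def apply_ruleset(spec, packets, default_action="block"):
    """Run constructed (time, direction) packets through
    'pass in proto icmp max-pkt-rate <spec>' followed by a default block."""
    rule = PktRateFilter(spec, created_dir="in")
    return ["pass" if rule.matches(d, t) else default_action for t, d in packets]


if __name__ == "__main__":
    # constructed traffic: an ICMP burst, one reply, then a quiet period
    pkts = [(0.0, "in"), (0.5, "in"), (1.0, "in"), (1.5, "in"),
            (2.0, "out"), (11.0, "in")]
    for (t, d), action in zip(pkts, apply_ruleset("3/10", pkts)):
        print(f"t={t:5.1f} {d:3s} -> {action}")
```

With `3/10` the fourth request inside the window is the first one that no longer matches the pass rule and is blocked, while the reply at t=2.0 is never counted and the request at t=11.0 opens a fresh window.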



CVS: cvs.openbsd.org: src

2017-08-14 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2017/08/14 09:58:17

Modified files:
sys/net: pf.c pfvar.h 

Log message:
move pf_get_wscale + pf_get_mss prototypes to pfvar.h (diff shrinkage)



CVS: cvs.openbsd.org: src

2017-08-14 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2017/08/14 09:53:04

Modified files:
sbin/pfctl : pfctl_parser.c 

Log message:
expose the half-open tcp states counter, ok bluhm



CVS: cvs.openbsd.org: src

2017-08-14 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2017/08/14 09:48:29

Modified files:
sys/net: pf.c pfvar.h 

Log message:
add half-open tcp states accounting, road paved by sashan
increment in pf_create_state(), decrement in pf_set_protostate().
input & ok bluhm



CVS: cvs.openbsd.org: src

2017-08-13 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2017/08/13 10:57:20

Modified files:
sys/net: pf.c pfvar.h 

Log message:
to change a state's state (that term is overloaded in pf, protocol state
like ESTABLISHED for tcp here), don't do it directly, but go through a newly
introduced pf_set_protostate()
ok bluhm benno



CVS: cvs.openbsd.org: www

2017-06-10 Thread Henning Brauer
CVSROOT:/cvs
Module name:www
Changes by: henn...@cvs.openbsd.org 2017/06/10 11:46:32

Modified files:
.  : events.html 

Log message:
link my bsdcan slides



CVS: cvs.openbsd.org: src

2017-06-08 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2017/06/08 09:39:38

Modified files:
share/man/man5 : pf.conf.5 

Log message:
clarify set prio: the second prio given applies to
1) TCP ACKs
2) packets with ToS=lowdelay
and not TCP ACKs that have ToS=lowdelay
confusion discovered during bsdcan pf tutorial



CVS: cvs.openbsd.org: src

2017-05-31 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2017/05/31 03:30:38

Modified files:
share/man/man5 : pf.conf.5 

Log message:
clarify that translations happen immediately on match rules, not generally
Tony Gong 



CVS: cvs.openbsd.org: src

2017-05-30 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2017/05/30 13:40:55

Modified files:
sys/net: pfvar.h 

Log message:
remove XXX from the comments marking "holes" in the ioctls. I see very
very little value in these comments at all, but the XXX is just wrong and
in the way when looking for real XXXs. phessler agrees



CVS: cvs.openbsd.org: src

2017-05-30 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2017/05/30 13:38:47

Modified files:
share/man/man4 : pf.4 

Log message:
remove DIOCCLRRULECTRS here as well, pt out by sashan



CVS: cvs.openbsd.org: src

2017-05-30 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2017/05/30 13:37:54

Modified files:
sys/net: pf_ioctl.c pfvar.h 

Log message:
g/c DIOCCLRRULECTRS
kinda deprecated for a decade now, nothing in base uses it, nothing in
ports uses it (thanks sthen)
ok phessler sashan



CVS: cvs.openbsd.org: src

2017-05-30 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2017/05/30 06:13:04

Modified files:
sbin/pfctl : pfctl.c 

Log message:
fix a comment



CVS: cvs.openbsd.org: src

2017-05-30 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2017/05/30 02:10:01

Modified files:
sys/net: pf.c pfvar.h 

Log message:
teach pf_build_tcp() about SACK, ok & with sashan



CVS: cvs.openbsd.org: src

2017-05-28 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2017/05/28 18:05:28

Modified files:
share/misc : airport 

Log message:
mlarkin and airport.7 say "must have been there", not "flown there".
Add XFW, Hamburg-Finkenwerder (the Airbus factory)
ok mlarkin fcambus



CVS: cvs.openbsd.org: src

2017-05-28 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2017/05/28 09:16:52

Modified files:
usr.sbin/bgpd  : bgpd.conf.5 

Log message:
we're not hardcoded to table 0 any more



CVS: cvs.openbsd.org: src

2017-05-28 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2017/05/28 09:16:33

Modified files:
usr.sbin/bgpd  : bgpd.c bgpd.h config.c kroute.c parse.y 

Log message:
so far, bgpd was hardcoded to use rtable 0 for nexthop verification.
instead, use the rtable bgpd was started in (route -T  exec / rc.d
daemon_rtable) for nexthop verification and as default Adj-RIB-In and
Loc-RIB. This allows multiple bgpds in different rdomains on the same
machine - bgp router virtualization if you like buzzwords.
initial version written under contract more than a year ago, it took us
a while to wrap our brains around the bgpd <-> rdomain interactions -
1) RIBs, 2) nexthop verification and 3) tcp sockets.
ok & input phessler claudio benno



CVS: cvs.openbsd.org: src

2017-04-26 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2017/04/26 04:42:38

Modified files:
sbin/iked  : iked.h ikev2.c ikev2_msg.c 

Log message:
cope with IP address changes. before, we were trying to resend the msg
with the no-longer-available address over and over and over, requiring
iked to be restarted eventually. instead, on EADDRNOTAVAIL, schedule
SA deletion so a new one is set up shortly thereafter. ok reyk mikeb



CVS: cvs.openbsd.org: src

2016-10-18 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2016/10/18 07:28:01

Modified files:
sys/net: pf.c pfvar.h 

Log message:
split pf_send_tcp() into the part that builds the mbuf and the actual
sending, needed soon. ok sashan mikeb lteo



CVS: cvs.openbsd.org: src

2016-10-09 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2016/10/09 12:01:57

Modified files:
sys/net: pf.c 

Log message:
formatting nit (a tab got lost somewhen)



CVS: cvs.openbsd.org: src

2016-09-06 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2016/09/06 05:06:41

Modified files:
libexec/spamd  : spamd.c 

Log message:
must close our fd unconditionally and not just in the !TLS case; tls_close
doesn't do that for us. found, analyzed and patch supplied by Martin Proyer,
many thanks! ok bcook
funny since I just discussed a somewhat mysterious spamd-TLS issue with bob
and brent over breakfast yesterday in cambridge - not sure it is this one,
if it is I've been intensively digging in the wrong corner, almost "missing
the obvious"



CVS: cvs.openbsd.org: src

2016-09-01 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2016/09/01 10:18:09

Modified files:
regress/sbin/pfctl: pf13.in pf13.loaded pf13.ok pf13.optimized 

Log message:
no route-to/reply-to/dup-to on block rules, aka make this pass again
triggered by bluhm's *meep, secret*



CVS: cvs.openbsd.org: src

2016-07-19 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2016/07/19 07:34:12

Modified files:
sys/net: pf_osfp.c pf_ruleset.c 

Log message:
style: no spaces after # for define/include, ok phessler benno



CVS: cvs.openbsd.org: src

2016-07-19 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2016/07/19 07:30:51

Modified files:
sys/net: pfvar.h 

Log message:
don't hide globals between function prototypes; ok phessler benno



CVS: cvs.openbsd.org: src

2016-07-19 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2016/07/19 06:51:19

Modified files:
sys/net: pf_lb.c 

Log message:
remove wrong and misleading comment, ok phessler



CVS: cvs.openbsd.org: src

2016-07-18 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2016/07/18 13:11:18

Modified files:
sys/net: pfvar.h 
sbin/pfctl : pfctl_parser.h 

Log message:
no more cbq_opts - CBQ is gone, ok mpi phessler benno



CVS: cvs.openbsd.org: src

2016-07-18 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2016/07/18 09:21:33

Modified files:
sbin/pfctl : parse.y 

Log message:
g/c unused (global!) var: oqueues isn't used any more. ALTQ leftover; not
noticed since struct node_queue stayed. ok claudio benno gcc



CVS: cvs.openbsd.org: src

2016-06-23 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2016/06/23 03:08:56

Modified files:
sys/netinet: ip_output.c 

Log message:
when pf_test returns something but PF_PASS, set error to EACCES
instead of EHOSTUNREACH. On the latter, ip_forward can generate undesired
icmp errors - either pf generates those itself (block return), or there
shouldn't be any.
Bizarrely enough, ip_forward has EACCES handling with a comment specifically
pointing to packets blocked by pf, but the code in ip_output used EHOSTUNREACH
from day #1 on.
found & analyzed by Kristof Provost, discussed at BSDcan
ok mpi millert



CVS: cvs.openbsd.org: src

2016-06-16 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2016/06/16 09:46:20

Modified files:
sbin/pfctl : parse.y 

Log message:
allow include in inline anchors
with this,
anchor foo {
include "/path/to/rules"
}
works and "load anchor" is obsolete, to be removed somewhen later after
release.
co-production with reyk at bsdcan, ok reyk mikeb benno sasha



CVS: cvs.openbsd.org: src

2016-05-25 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2016/05/25 05:50:05

Modified files:
usr.sbin/bgpctl: bgpctl.8 

Log message:
flesh out "show summary" description a bit, from julien at dhaille.com via
jmc, ok benno claudio



CVS: cvs.openbsd.org: src

2016-01-14 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2016/01/14 05:05:51

Modified files:
sbin/pfctl : pfctl.c 

Log message:
detect multiple root queues on a single interface and give a nice error
message - beats "pfctl: DIOCXCOMMIT: Invalid argument".
from Nathanael Rensen, 10x!
ok sthen phessler, commit reminder mikeb



CVS: cvs.openbsd.org: www

2015-12-22 Thread Henning Brauer
CVSROOT:/cvs
Module name:www
Changes by: henn...@cvs.openbsd.org 2015/12/22 06:13:51

Modified files:
openbgpd   : papers.html 

Log message:
add some newer presentations; from TJ (at mrsk.de), thanks!



CVS: cvs.openbsd.org: www

2015-12-22 Thread Henning Brauer
CVSROOT:/cvs
Module name:www
Changes by: henn...@cvs.openbsd.org 2015/12/22 06:13:28

Modified files:
openbgpd   : index.html 

Log message:
wording fixes + bump copyright; from TJ (at mrsk.de), thanks!



CVS: cvs.openbsd.org: src

2015-12-06 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2015/12/06 03:03:23

Modified files:
sys/net: pf.c 

Log message:
g/c pf_change_a6(). it's exactly the same thing as pf_change_ap() with p =
NULL. inspired by Richard Procter's mail on
tech from Aug 17, but redone. ok sashan vgross



CVS: cvs.openbsd.org: src

2015-12-05 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2015/12/05 07:58:06

Modified files:
sys/net: pf.c 

Log message:
pass a pointer to pf_test()'s reason to pf_test_rule instead of using a
local one. While we always intended to keep the logging in pf_test_rule
and pf_test so separate that we don't end up with a wrong reason, this
is just too fragile and I can't even convince myself that it still is
right. pointed out by markus, ok bluhm benno



CVS: cvs.openbsd.org: src

2015-12-05 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2015/12/05 13:32:53

Modified files:
libexec/spamd  : spamd.c 

Log message:
adjust to newer tls_read/_write semantics.
quite involved, due to tls_read potentially needing to write and tls_write
potentially needing to read (in the reneg case); that not fitting the spamd
model too well - it needs to keep a little more state.
help & ok bluhm & beck



CVS: cvs.openbsd.org: src

2015-12-05 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2015/12/05 14:23:51

Modified files:
sys/net: pf.c 

Log message:
g/c unneeded af (address family) params to pf_change_ap and _icmp
both af and naf (af-to case) are in the pf_pdesc
some code shuffling to actually set these before calling pf_change_ap/_icmp
inspired by Richard Procter's mail on tech
from Aug 17, but redone
ok bluhm vgross



CVS: cvs.openbsd.org: src

2015-12-02 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2015/12/02 12:03:17

Modified files:
libexec/spamd  : spamd.c 

Log message:
fix error messages to say tls_write after tls_write and not tls_read...
with bluhm



CVS: cvs.openbsd.org: src

2015-12-02 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2015/12/02 14:10:17

Modified files:
libexec/spamd  : spamd.c 

Log message:
in response to EHLO, don't offer STARTTLS if we already completed the
STARTTLS dance. ok millert



CVS: cvs.openbsd.org: src

2015-05-11 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2015/05/11 06:22:14

Modified files:
sys/net: pf.c 

Log message:
fix a potential use-after-free in pf_state_rm_src_node
found by jsg; ok jsg mikeb



CVS: cvs.openbsd.org: src

2015-04-29 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2015/04/29 03:58:16

Modified files:
sbin/disklabel : disklabel.8 disklabel.c editor.c extern.h 

Log message:
support passing a template file for the auto-allocation to disklabel.
template gives mountpoints, min-max size ranges and percentage of disk
foremost intended for autoinstalls, installer bits to follow soon.
with input from many, ok theo



CVS: cvs.openbsd.org: src

2015-04-29 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2015/04/29 10:56:31

Modified files:
sbin/disklabel : disklabel.8 disklabel.c 

Log message:
some fine-tuning in SYNOPSIS, usage, and order of options, with jmc



CVS: cvs.openbsd.org: src

2015-04-29 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2015/04/29 10:46:39

Modified files:
sbin/disklabel : editor.c 

Log message:
g/c unneeded second char * var, ok benno



CVS: cvs.openbsd.org: src

2015-04-26 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2015/04/26 08:49:24

Modified files:
distrib/miniroot: install.sub 

Log message:
get_responsefile: instead of keeping the dhcp-supplied next-server where
we fetch the response file from in a local _server var, put it in an
exported AI_SERVER one. last but not least that allows install.site to see it.
ok krw rpe



CVS: cvs.openbsd.org: src

2015-04-21 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2015/04/21 04:58:29

Modified files:
distrib/miniroot: install.sub 

Log message:
append the setdir (5.7/amd64, snapshots/vax) as get-parameter path
when fetching the autoinstall response file.
a webserver that serves static files doesn't give a damn. if I map that
to something that dynamically creates the response file, i can use that to
construct the sets path, or play other arch and/or version dependent
games.
ok krw uwe



CVS: cvs.openbsd.org: src

2015-03-24 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2015/03/24 12:25:27

Modified files:
usr.sbin/ntpd  : ntp_dns.c 

Log message:
instead of routing SIGHUP thru sighdlr_dns() which then ignores it,
ignore it directly. no functional change. Rafael Neves rafaelneves at gmail



CVS: cvs.openbsd.org: www

2015-03-14 Thread Henning Brauer
CVSROOT:/cvs
Module name:www
Changes by: henn...@cvs.openbsd.org 2015/03/14 20:39:44

Modified files:
papers : index.html 

Log message:
link my asiabsdcon slides



CVS: cvs.openbsd.org: src

2015-03-03 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2015/03/03 04:14:00

Modified files:
sys/net: hfsc.c 

Log message:
make sure hfsc_attach, hfsc_detach, hfsc_addqueue, hfsc_delqueue and
hfsc_qstats cope with a NULL ifp. Can happen when referring to nonexistent
interfaces from pf.conf. Problem noticed and fix tested by Kevin Chadwick
ma1l1ists at yahoo.co.uk, ok phessler benno



Re: CVS: cvs.openbsd.org: src

2015-02-15 Thread Henning Brauer
* Stuart Henderson st...@cvs.openbsd.org [2015-02-15 00:32]:
> CVSROOT:  /cvs
> Module name:  src
> Changes by:   st...@cvs.openbsd.org   2015/02/14 16:32:41
> 
> Modified files:
>   sys/net: pf.c 
>   sbin/pfctl : parse.y pfctl_parser.c 
> 
> Log message:
> Rather than using 0xff as a placeholder for don't check prio, use 0xff to
> mean prio is 0. This avoids the need for code changes in programs which add
> pf rules (as was done in pfctl but not other programs) to handle the new
> check prio functionality. Specifically this unbreaks ftp-proxy.
> 
> Use of #define rather than magic 0xff suggested by benno.
> ok benno if henning doesn't like it he can change it when he recovers from 
> jet-lag

nope, perfectly fine. Thanks for handling and sorry for missing this case.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



CVS: cvs.openbsd.org: src

2015-02-11 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2015/02/11 18:29:14

Modified files:
share/man/man5 : pf.conf.5 

Log message:
a shot at documenting the changed log(matches) semantics



CVS: cvs.openbsd.org: src

2015-02-11 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2015/02/11 18:24:10

Modified files:
sys/net: if_pflog.c if_pflog.h pf.c pfvar.h 

Log message:
change log(matches) semantics slightly to make it more useful. since it
is a debug tool change of semantics not considered problematic.
up until now, log(matches) forced logging on subsequent matching rules,
the actual logging used the log settings from that matched rule.
now, log(matches) causes subsequent matches to be logged with the log settings
from the log(matches) rule. in particular (this was the driving point),
log(matches, to pflog23) allows you to have the trace log going to a separate
pflog interface, not clobbering your regular pflogs, actually not affecting
them at all.
long conversation with bluhm about it, which didn't lead to a single bit
changed in the diff but was very very helpful. ok bluhm as well.



CVS: cvs.openbsd.org: src

2015-02-10 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2015/02/10 02:28:40

Modified files:
sys/net: if_pfsync.c pf.c pfvar.h 

Log message:
include the set prio values.
no real compat issue since we're using spare bytes.
old -> new ends up with set prio (0, 0) equivalent
new -> old is entirely harmless, old ignores the prios.
requested by Alexey Suslikov alexey.suslikov at gmail
ok phessler pelikan dlg



CVS: cvs.openbsd.org: src

2015-02-09 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2015/02/09 23:45:55

Modified files:
sys/net: pf.c pf_ioctl.c pfvar.h 
sbin/pfctl : parse.y pfctl_parser.c 

Log message:
since we inherit prio (as in, the queuing priority) from outside sources,
i. e. on vlan interfaces, it is useful to be able to match on it -
effectively matching on classification done elsewhere.
i thought i had long implemented that, but chrisz@ asking for it made
me notice that wasn't the case.
tests by chrisz, ok phessler pelikan



CVS: cvs.openbsd.org: src

2015-02-09 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2015/02/09 23:47:08

Modified files:
share/man/man5 : pf.conf.5 

Log message:
document matching on prio



CVS: cvs.openbsd.org: src

2015-02-09 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2015/02/09 04:01:21

Modified files:
share/dict : propernames 

Log message:
tedu Henning and Miod, please add your names to src/share/dict/propernames



CVS: cvs.openbsd.org: src

2015-02-07 Thread Henning Brauer
CVSROOT:/cvs
Module name:src
Changes by: henn...@cvs.openbsd.org 2015/02/07 02:15:25

Modified files:
sys/net: pf.c 

Log message:
pf synproxy will do the 3WHS on behalf of the target machine, and once
the 3WHS is completed, establish the backend connection. The trigger
for 3WHS completed is the reception of the first ACK. However, we
should not proceed if that ACK also has RST or FIN set.
ACK+RST part pointed out by Kojedzinszky Richard krichy at tvnetwork hu
ok mikeb dlg phessler claudio


