Re: nc -U -u (Unix datagram socket support)

2011-01-07 Thread Nicholas Marriott
On Thu, Jan 06, 2011 at 03:32:17PM -0800, Jeremy Evans wrote:
 This patch adds unix datagram socket support to nc(1).  It's basically
 the same patch I sent last June (see
 http://marc.info/?l=openbsd-tech&m=127627296925965&w=2), but updated
 for -current.
 
 Tested on amd64.  Doesn't appear to cause any regressions to existing
 support, tested with unix stream and IP stream and datagram sockets.
 Looking for OKs.
 
 Jeremy

Hmm, ISTR I meant to look at this ages ago but it got lost, sorry.

So you are overloading -u to mean UDP without -l and datagram with -l?
I guess this makes sense, but we need man page changes?

 
 Index: atomicio.c
 ===
 RCS file: /cvs/src/usr.bin/nc/atomicio.c,v
 retrieving revision 1.9
 diff -u -p -r1.9 atomicio.c
 --- atomicio.c7 Sep 2007 14:50:44 -   1.9
 +++ atomicio.c6 Jan 2011 21:48:04 -
 @@ -53,7 +53,7 @@ atomicio(ssize_t (*f) (int, void *, size
   case -1:
   if (errno == EINTR)
   continue;
 - if (errno == EAGAIN) {
 + if ((errno == EAGAIN) || (errno == ENOBUFS)) {
   (void)poll(pfd, 1, -1);
   continue;
   }
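Review bot: The new `errno == ENOBUFS` test gives no indication of why an out-of-buffers error is treated as transient, and atomicio() is a generic wrapper (it takes the I/O function as a pointer), so a reader of this file alone cannot connect it to the AF_UNIX datagram case the rest of the series adds; a comment on the new line such as `/* ENOBUFS: datagram peer's buffer is full; wait for poll() and retry */` would record that. It is also worth confirming that poll() really blocks in that state — if the socket is still reported writable while the peer's receive buffer is full, this branch busy-loops instead of waiting. The enclosing atomicio() body starts and ends outside the hunk, and the same hunk is quoted again in the two later copies of the atomicio.c diff in this thread.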

Hmm. atomicio is used all over the place, but I guess this is necessary.

 Index: netcat.c
 ===
 RCS file: /cvs/src/usr.bin/nc/netcat.c,v
 retrieving revision 1.98
 diff -u -p -r1.98 netcat.c
 --- netcat.c  3 Jul 2010 04:44:51 -   1.98
 +++ netcat.c  6 Jan 2011 21:48:04 -
 @@ -89,6 +89,7 @@ u_int   rtableid;
  int timeout = -1;
  int family = AF_UNSPEC;
  char *portlist[PORT_MAX+1];
 +char *unix_dg_tmp_socket;
  
  void atelnet(int, unsigned char *, unsigned int);
  void build_ports(char *);
 @@ -99,6 +100,7 @@ intremote_connect(const char *, const c
  int  socks_connect(const char *, const char *, struct addrinfo,
   const char *, const char *, struct addrinfo, int, const char *);
  int  udptest(int);
 +int  unix_bind(char *);
  int  unix_connect(char *);
  int  unix_listen(char *);
  void set_common_sockopts(int);
 @@ -241,8 +243,6 @@ main(int argc, char *argv[])
  
   /* Cruft to make sure options are clean, and used properly. */
   if (argv[0]  !argv[1]  family == AF_UNIX) {
 - if (uflag)
 - errx(1, cannot use -u and -U);
   host = argv[0];
   uport = NULL;
   } else if (argv[0]  !argv[1]) {
 @@ -265,6 +265,18 @@ main(int argc, char *argv[])
   if (!lflag  kflag)
   errx(1, must use -l with -k);
  
 + /* Get name of temporary socket for unix datagram client */
 + if ((family == AF_UNIX)  uflag  !lflag) {
 + if(pflag) {
 + unix_dg_tmp_socket = pflag;
 + } else {
 + if((unix_dg_tmp_socket = (char *)malloc(19)) == NULL)
 + errx(1, not enough memory);

Style nit: space between if and (.

 + strlcpy(unix_dg_tmp_socket, /tmp/nc.XX, 19);
 + mktemp(unix_dg_tmp_socket);

What if this fails?

 + }
 + }
 +
   /* Initialize addrinfo structure. */
   if (family != AF_UNIX) {
   memset(hints, 0, sizeof(struct addrinfo));
 @@ -307,8 +319,12 @@ main(int argc, char *argv[])
   int connfd;
   ret = 0;
  
 - if (family == AF_UNIX)
 - s = unix_listen(host);
 + if (family == AF_UNIX) {
 + if(uflag)
 + s = unix_bind(host);
 + else
 + s = unix_listen(host);
 + }
  
   /* Allow only one connection at a time, but stay alive. */
   for (;;) {
 @@ -337,17 +353,19 @@ main(int argc, char *argv[])
   if (rv  0)
   err(1, connect);
  
 - connfd = s;
 + readwrite(s);
   } else {
   len = sizeof(cliaddr);
   connfd = accept(s, (struct sockaddr *)cliaddr,
   len);
 + readwrite(connfd);
 + close(connfd);
   }
  
 - readwrite(connfd);
 - close(connfd);
   if (family != AF_UNIX)
   close(s);
 + else if (uflag)
 + connect(s, NULL, 0);

Likewise.

  
   if (!kflag)
   break;
 @@ -361,6 +379,8 @@ main(int argc, char *argv[])
   } else
   ret = 1;
  
 + if(uflag)
 +   

Re: nc -U -u (Unix datagram socket support)

2011-01-07 Thread Jeremy Evans
On 01/07 09:31, Nicholas Marriott wrote:
 On Thu, Jan 06, 2011 at 03:32:17PM -0800, Jeremy Evans wrote:
  This patch adds unix datagram socket support to nc(1).  It's basically
  the same patch I sent last June (see
  http://marc.info/?l=openbsd-tech&m=127627296925965&w=2), but updated
  for -current.
  
  Tested on amd64.  Doesn't appear to cause any regressions to existing
  support, tested with unix stream and IP stream and datagram sockets.
  Looking for OKs.
  
  Jeremy
 
 Hmm, ISTR I meant to look at this ages ago but it got lost, sorry.
 
 So you are overloading -u to mean UDP without -l and datagram with -l?
 I guess this makes sense, but we need man page changes?
 
If you mean -U instead of -l, yes.  -u without -U is IP UDP, -u with -U
is unix datagram.  The man page doesn't say you can't use -u and -U
together, and it doesn't say that -U means unix stream sockets, though
that is currently all that -U supports.  However, I think that making
some clarifications to the man page would be helpful.

Responses inline and new diff at the end.

  Index: netcat.c
  ===
  RCS file: /cvs/src/usr.bin/nc/netcat.c,v
  retrieving revision 1.98
  diff -u -p -r1.98 netcat.c
  --- netcat.c3 Jul 2010 04:44:51 -   1.98
  +++ netcat.c6 Jan 2011 21:48:04 -
  @@ -89,6 +89,7 @@ u_int rtableid;
   int timeout = -1;
   int family = AF_UNSPEC;
   char *portlist[PORT_MAX+1];
  +char *unix_dg_tmp_socket;
   
   void   atelnet(int, unsigned char *, unsigned int);
   void   build_ports(char *);
  @@ -99,6 +100,7 @@ int  remote_connect(const char *, const c
   intsocks_connect(const char *, const char *, struct addrinfo,
  const char *, const char *, struct addrinfo, int, const char *);
   intudptest(int);
  +intunix_bind(char *);
   intunix_connect(char *);
   intunix_listen(char *);
   void   set_common_sockopts(int);
  @@ -241,8 +243,6 @@ main(int argc, char *argv[])
   
  /* Cruft to make sure options are clean, and used properly. */
  if (argv[0]  !argv[1]  family == AF_UNIX) {
  -   if (uflag)
  -   errx(1, cannot use -u and -U);
  host = argv[0];
  uport = NULL;
  } else if (argv[0]  !argv[1]) {
  @@ -265,6 +265,18 @@ main(int argc, char *argv[])
  if (!lflag  kflag)
  errx(1, must use -l with -k);
   
  +   /* Get name of temporary socket for unix datagram client */
  +   if ((family == AF_UNIX)  uflag  !lflag) {
  +   if(pflag) {
  +   unix_dg_tmp_socket = pflag;
  +   } else {
  +   if((unix_dg_tmp_socket = (char *)malloc(19)) == NULL)
  +   errx(1, not enough memory);
 
 Style nit: space between if and (.
 
OK. My diff was bad about that, so I fixed the other cases as well.

  +   strlcpy(unix_dg_tmp_socket, /tmp/nc.XX, 19);
  +   mktemp(unix_dg_tmp_socket);
 
 What if this fails?

You're right, a failure of mktemp should definitely be checked.
 
  +   }
  +   }
  +
  /* Initialize addrinfo structure. */
  if (family != AF_UNIX) {
  memset(hints, 0, sizeof(struct addrinfo));
  @@ -307,8 +319,12 @@ main(int argc, char *argv[])
  int connfd;
  ret = 0;
   
  -   if (family == AF_UNIX)
  -   s = unix_listen(host);
  +   if (family == AF_UNIX) {
  +   if(uflag)
  +   s = unix_bind(host);
  +   else
  +   s = unix_listen(host);
  +   }
   
  /* Allow only one connection at a time, but stay alive. */
  for (;;) {
  @@ -337,17 +353,19 @@ main(int argc, char *argv[])
  if (rv  0)
  err(1, connect);
   
  -   connfd = s;
  +   readwrite(s);
  } else {
  len = sizeof(cliaddr);
  connfd = accept(s, (struct sockaddr *)cliaddr,
  len);
  +   readwrite(connfd);
  +   close(connfd);
  }
   
  -   readwrite(connfd);
  -   close(connfd);
  if (family != AF_UNIX)
  close(s);
  +   else if (uflag)
  +   connect(s, NULL, 0);
 
 Likewise.
 
Correct, this should be checked as well.

   
  if (!kflag)
  break;
  @@ -361,6 +379,8 @@ main(int argc, char *argv[])
  } else
  ret = 1;
   
  +   if(uflag)
  +   unlink(unix_dg_tmp_socket);
 
 Shouldn't this have the same condition as above?
 
The condition when the 

Re: nc -U -u (Unix datagram socket support)

2011-01-07 Thread Nicholas Marriott
On Fri, Jan 07, 2011 at 08:48:20AM -0800, Jeremy Evans wrote:
 On 01/07 09:31, Nicholas Marriott wrote:
  On Thu, Jan 06, 2011 at 03:32:17PM -0800, Jeremy Evans wrote:
   This patch adds unix datagram socket support to nc(1).  It's basically
   the same patch I sent last June (see
   http://marc.info/?l=openbsd-tech&m=127627296925965&w=2), but updated
   for -current.
   
   Tested on amd64.  Doesn't appear to cause any regressions to existing
   support, tested with unix stream and IP stream and datagram sockets.
   Looking for OKs.
   
   Jeremy
  
  Hmm, ISTR I meant to look at this ages ago but it got lost, sorry.
  
  So you are overloading -u to mean UDP without -l and datagram with -l?
  I guess this makes sense, but we need man page changes?
  
 If you mean -U instead of -l, yes.  -u without -U is IP UDP, -u with -U
 is unix datagram.  The man page doesn't say you can't use -u and -U
 together, and it doesn't say that -U means unix stream sockets, though
 that is currently all that -U supports.  However, I think that making
 some clarifications to the man page would be helpful.

Yes, sorry, I meant -U.

This mostly looks fine to me, a few comments:

I don't much like using mktemp at all. How about just plain requiring -s
with -Uu?

Do you actually hit the ENOBUFS condition in atomicio.c?

 
 Responses inline and new diff at the end.
 
   Index: netcat.c
   ===
   RCS file: /cvs/src/usr.bin/nc/netcat.c,v
   retrieving revision 1.98
   diff -u -p -r1.98 netcat.c
   --- netcat.c  3 Jul 2010 04:44:51 -   1.98
   +++ netcat.c  6 Jan 2011 21:48:04 -
   @@ -89,6 +89,7 @@ u_int   rtableid;
int timeout = -1;
int family = AF_UNSPEC;
char *portlist[PORT_MAX+1];
   +char *unix_dg_tmp_socket;

void atelnet(int, unsigned char *, unsigned int);
void build_ports(char *);
   @@ -99,6 +100,7 @@ intremote_connect(const char *, const c
int  socks_connect(const char *, const char *, struct addrinfo,
 const char *, const char *, struct addrinfo, int, const char *);
int  udptest(int);
   +int  unix_bind(char *);
int  unix_connect(char *);
int  unix_listen(char *);
void set_common_sockopts(int);
   @@ -241,8 +243,6 @@ main(int argc, char *argv[])

 /* Cruft to make sure options are clean, and used properly. */
 if (argv[0]  !argv[1]  family == AF_UNIX) {
   - if (uflag)
   - errx(1, cannot use -u and -U);
 host = argv[0];
 uport = NULL;
 } else if (argv[0]  !argv[1]) {
   @@ -265,6 +265,18 @@ main(int argc, char *argv[])
 if (!lflag  kflag)
 errx(1, must use -l with -k);

   + /* Get name of temporary socket for unix datagram client */
   + if ((family == AF_UNIX)  uflag  !lflag) {
   + if(pflag) {
   + unix_dg_tmp_socket = pflag;
   + } else {
   + if((unix_dg_tmp_socket = (char *)malloc(19)) == NULL)
   + errx(1, not enough memory);
  
  Style nit: space between if and (.
  
 OK. My diff was bad about that, so I fixed the other cases as well.
 
   + strlcpy(unix_dg_tmp_socket, /tmp/nc.XX, 19);
   + mktemp(unix_dg_tmp_socket);
  
  What if this fails?
 
 You're right, a failure of mktemp should definitely be checked.
  
   + }
   + }
   +
 /* Initialize addrinfo structure. */
 if (family != AF_UNIX) {
 memset(hints, 0, sizeof(struct addrinfo));
   @@ -307,8 +319,12 @@ main(int argc, char *argv[])
 int connfd;
 ret = 0;

   - if (family == AF_UNIX)
   - s = unix_listen(host);
   + if (family == AF_UNIX) {
   + if(uflag)
   + s = unix_bind(host);
   + else
   + s = unix_listen(host);
   + }

 /* Allow only one connection at a time, but stay alive. */
 for (;;) {
   @@ -337,17 +353,19 @@ main(int argc, char *argv[])
 if (rv  0)
 err(1, connect);

   - connfd = s;
   + readwrite(s);
 } else {
 len = sizeof(cliaddr);
 connfd = accept(s, (struct sockaddr *)cliaddr,
 len);
   + readwrite(connfd);
   + close(connfd);
 }

   - readwrite(connfd);
   - close(connfd);
 if (family != AF_UNIX)
 close(s);
   + else if (uflag)
   + connect(s, NULL, 0);
  
  Likewise.
  
 Correct, this should be checked as well.
 

 if (!kflag)
  

Re: nc -U -u (Unix datagram socket support)

2011-01-07 Thread Jeremy Evans
On 01/07 06:21, Nicholas Marriott wrote:
 On Fri, Jan 07, 2011 at 08:48:20AM -0800, Jeremy Evans wrote:
  On 01/07 09:31, Nicholas Marriott wrote:
   On Thu, Jan 06, 2011 at 03:32:17PM -0800, Jeremy Evans wrote:
This patch adds unix datagram socket support to nc(1).  It's basically
the same patch I sent last June (see
 http://marc.info/?l=openbsd-tech&m=127627296925965&w=2), but updated
for -current.

Tested on amd64.  Doesn't appear to cause any regressions to existing
support, tested with unix stream and IP stream and datagram sockets.
Looking for OKs.

Jeremy
   
   Hmm, ISTR I meant to look at this ages ago but it got lost, sorry.
   
   So you are overloading -u to mean UDP without -l and datagram with -l?
   I guess this makes sense, but we need man page changes?
   
  If you mean -U instead of -l, yes.  -u without -U is IP UDP, -u with -U
  is unix datagram.  The man page doesn't say you can't use -u and -U
  together, and it doesn't say that -U means unix stream sockets, though
  that is currently all that -U supports.  However, I think that making
  some clarifications to the man page would be helpful.
 
 Yes, sorry, I meant -U.
 
 This mostly looks fine to me, a few comments:
 
 I don't much like using mktemp at all. How about just plain requiring -s
 with -Uu?

It's annoying to the user to have to specify it when they won't usually
care.  If you are worried about security, guenther@ thought this usage
was secure: http://marc.info/?l=openbsd-tech&m=120299257422367&w=2

I'd prefer we always use a random socket over forcing the user to
specify one, but I think giving the user choice is best, just like
we give them choice of sending address in the IP case.

 Do you actually hit the ENOBUFS condition in atomicio.c?

Yes.  That's the only reason I knew to add it.

Jeremy



Colocacion ( REDUCEN EL CALOR / Espejado SEGURIDAD y CONFORT )

2011-01-07 Thread Films p/ vidrios



=











 nbsp;



 LAMINAS PARA CONTROL SOLAR



 nbsp;
instalamos en: Casas, Locales, Oficinas, Barrios Privados, Depar=
tamentos,
Obras.











Abone con TARJETA DE CREDITO , consulte
financiacioacute;n.Presupuestos al inst= ante. Solicite
asesoramiento:
(011) 3531-1755 / 15-3395-6883



 Si UD. Desea ser removido de nuestra base
de datos, por favor
envienos un mail con el asunto REMOVER. Gracias y disculpe
las
molestias.



brconfig in faq/pf/tagging.html

2011-01-07 Thread Thomas Reiter

Hi,

I just noticed that in section Tagging Ethernet Frames
brconfig(8) is still mentioned (although the link leads to
ifconfig(8) manpage).

As there is no more brconfig, shouldn't this be changed to
ifconfig(8)?

gr
thomas


Index: www/faq/pf/tagging.html
===
RCS file: /cvs/www/faq/pf/tagging.html,v
retrieving revision 1.19
diff -u -r1.19 tagging.html
--- www/faq/pf/tagging.html 19 May 2010 13:25:16 -  1.19
+++ www/faq/pf/tagging.html 7 Jan 2011 19:24:27 -
@@ -281,7 +281,7 @@
 can be made to filter based on the source or destination MAC address.
 Bridge(4) rules are created using the
 a href=http://www.openbsd.org/cgi-bin/man.cgi?query=ifconfigamp;sektion=8;
-brconfig(8)/a command. Example:
+ifconfig(8)/a command. Example:
 blockquote
 tt
 # ifconfig bridge0 rule pass in on fxp0 src 0:de:ad:be:ef:0 \br



Re: nc -U -u (Unix datagram socket support)

2011-01-07 Thread Jeremy Evans
On 01/07 07:31, Nicholas Marriott wrote:
 On Fri, Jan 07, 2011 at 10:52:18AM -0800, Jeremy Evans wrote:
  On 01/07 06:21, Nicholas Marriott wrote:
 Two further minor comments:
 
 - Can the mktemp buffer be on the stack rather than malloc()d?
 
Sure.

 - I think the man page should mention it creates a file in /tmp (or
   mktemp).
 
Makes sense.

OK to commit this diff, which contains the above changes?:

Index: atomicio.c
===
RCS file: /cvs/src/usr.bin/nc/atomicio.c,v
retrieving revision 1.9
diff -u -p -r1.9 atomicio.c
--- atomicio.c  7 Sep 2007 14:50:44 -   1.9
+++ atomicio.c  6 Jan 2011 21:48:04 -
@@ -53,7 +53,7 @@ atomicio(ssize_t (*f) (int, void *, size
case -1:
if (errno == EINTR)
continue;
-   if (errno == EAGAIN) {
+   if ((errno == EAGAIN) || (errno == ENOBUFS)) {
(void)poll(pfd, 1, -1);
continue;
}
Index: nc.1
===
RCS file: /cvs/src/usr.bin/nc/nc.1,v
retrieving revision 1.55
diff -u -p -r1.55 nc.1
--- nc.125 Jul 2010 07:51:39 -  1.55
+++ nc.17 Jan 2011 20:08:35 -
@@ -155,6 +155,10 @@ assigns them.
 Enables the RFC 2385 TCP MD5 signature option.
 .It Fl s Ar source_ip_address
 Specifies the IP of the interface which is used to send the packets.
+For 
+.Ux Ns -domain
+datagram sockets, specifies the local temporary socket file
+to create and use so that datagrams can be received.
 It is an error to use this option in conjunction with the
 .Fl l
 option.
@@ -179,6 +183,15 @@ Specifies to use
 sockets.
 .It Fl u
 Use UDP instead of the default option of TCP.
+For
+.Ux Ns -domain
+sockets, use a datagram socket instead of a stream socket.
+If a 
+.Ux Ns -domain
+socket is used, a temporary receiving socket is created in /tmp unless
+you specify one with the
+.Fl s
+flag.
 .It Fl V Ar rtable
 Set the routing table to be used.
 The default is 0.
Index: netcat.c
===
RCS file: /cvs/src/usr.bin/nc/netcat.c,v
retrieving revision 1.98
diff -u -p -r1.98 netcat.c
--- netcat.c3 Jul 2010 04:44:51 -   1.98
+++ netcat.c7 Jan 2011 20:03:37 -
@@ -62,6 +62,7 @@
 
 #define PORT_MAX   65535
 #define PORT_MAX_LEN   6
+#define UNIX_DG_TMP_SOCKET_SIZE19
 
 /* Command Line Options */
 intdflag;  /* detached, no stdin */
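Review bot: `UNIX_DG_TMP_SOCKET_SIZE` is a bare 19 that has to equal the length of the template literal passed to strlcpy() in the later main() hunk, and nothing ties the two together; if the template is lengthened (the thread later suggests more X's) without updating this constant, strlcpy() silently truncates the X run and mktemp() then works on a shorter template than intended. Deriving the size from the template avoids that: keep the literal in a macro, say `UNIX_DG_TMP_SOCKET`, use it at the strlcpy() call, and define `#define UNIX_DG_TMP_SOCKET_SIZE sizeof(UNIX_DG_TMP_SOCKET)`. The template appears on this page as `/tmp/nc.XX`, presumably with the X run shortened in archiving, so I have not quoted it.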
@@ -89,6 +90,7 @@ u_int rtableid;
 int timeout = -1;
 int family = AF_UNSPEC;
 char *portlist[PORT_MAX+1];
+char *unix_dg_tmp_socket;
 
 void   atelnet(int, unsigned char *, unsigned int);
 void   build_ports(char *);
@@ -99,6 +101,7 @@ int  remote_connect(const char *, const c
 intsocks_connect(const char *, const char *, struct addrinfo,
const char *, const char *, struct addrinfo, int, const char *);
 intudptest(int);
+intunix_bind(char *);
 intunix_connect(char *);
 intunix_listen(char *);
 void   set_common_sockopts(int);
@@ -117,6 +120,7 @@ main(int argc, char *argv[])
char *proxy;
const char *errstr, *proxyhost = , *proxyport = NULL;
struct addrinfo proxyhints;
+   char unix_dg_tmp_socket_buf[UNIX_DG_TMP_SOCKET_SIZE];
 
ret = 1;
s = 0;
@@ -241,8 +245,6 @@ main(int argc, char *argv[])
 
/* Cruft to make sure options are clean, and used properly. */
if (argv[0]  !argv[1]  family == AF_UNIX) {
-   if (uflag)
-   errx(1, cannot use -u and -U);
host = argv[0];
uport = NULL;
} else if (argv[0]  !argv[1]) {
@@ -265,6 +267,19 @@ main(int argc, char *argv[])
if (!lflag  kflag)
errx(1, must use -l with -k);
 
+   /* Get name of temporary socket for unix datagram client */
+   if ((family == AF_UNIX)  uflag  !lflag) {
+   if (sflag) {
+   unix_dg_tmp_socket = sflag;
+   } else {
+   strlcpy(unix_dg_tmp_socket_buf, /tmp/nc.XX,
+   UNIX_DG_TMP_SOCKET_SIZE);
+   if (mktemp(unix_dg_tmp_socket_buf) == NULL)
+   err(1, mktemp);
+   unix_dg_tmp_socket = unix_dg_tmp_socket_buf;
+   }
+   }
+
/* Initialize addrinfo structure. */
if (family != AF_UNIX) {
memset(hints, 0, sizeof(struct addrinfo));
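Review bot: mktemp() only proposes a name, so the `== NULL` check on its result covers template errors but not the case that matters in /tmp: the path already existing when unix_bind() later binds it (that call is outside this hunk). A concurrent nc run, or a socket file left behind by an earlier one, makes that bind() fail, and there is no path back to this block to regenerate the template and retry; the usual pattern is to redo the `strlcpy()` and `mktemp()` on `unix_dg_tmp_socket_buf` when the bind fails with EADDRINUSE, bounded by a small retry count, and never to unlink a path this process did not itself create. Note too that with `-s` the buffer is unused and `unix_dg_tmp_socket` simply aliases the option string, which is worth a one-line comment since the cleanup that follows treats both sources alike. The same hunk is quoted again in the reply that follows the "ok nicm" message.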
@@ -307,8 +322,12 @@ main(int argc, char *argv[])
int connfd;
ret = 0;
 
-   if (family == AF_UNIX)
-   s = unix_listen(host);
+   if (family == AF_UNIX) {
+   if (uflag)
+   s = unix_bind(host);
+

Re: nc -U -u (Unix datagram socket support)

2011-01-07 Thread Jason McIntyre
On Fri, Jan 07, 2011 at 12:13:43PM -0800, Jeremy Evans wrote:
 
 Index: nc.1
 ===
 RCS file: /cvs/src/usr.bin/nc/nc.1,v
 retrieving revision 1.55
 diff -u -p -r1.55 nc.1
 --- nc.1  25 Jul 2010 07:51:39 -  1.55
 +++ nc.1  7 Jan 2011 20:08:35 -
 @@ -155,6 +155,10 @@ assigns them.
  Enables the RFC 2385 TCP MD5 signature option.
  .It Fl s Ar source_ip_address
  Specifies the IP of the interface which is used to send the packets.
 +For 
 +.Ux Ns -domain
 +datagram sockets, specifies the local temporary socket file
 +to create and use so that datagrams can be received.

so is source_ip_address a bad choice of name for datagram sockets?

  It is an error to use this option in conjunction with the
  .Fl l
  option.
 @@ -179,6 +183,15 @@ Specifies to use
  sockets.
  .It Fl u
  Use UDP instead of the default option of TCP.
 +For
 +.Ux Ns -domain
 +sockets, use a datagram socket instead of a stream socket.
 +If a 
 +.Ux Ns -domain
 +socket is used, a temporary receiving socket is created in /tmp unless

you should probably use .Pa /tmp

 +you specify one with the
 +.Fl s
 +flag.


...unless the -s option/flag is used/given/specified.
(we try to avoid 2nd person narrative in man pages)

i still think the name of the -s arg is now misleading.

jmc

  .It Fl V Ar rtable
  Set the routing table to be used.
  The default is 0.



Re: nc -U -u (Unix datagram socket support)

2011-01-07 Thread Nicholas Marriott
On Fri, Jan 07, 2011 at 01:03:19PM -0700, Theo de Raadt wrote:
  Well, I'm less worried about security and also about the fact mktemp is
  deprecated so I don't think adding new uses of it is ideal.
 
 mktemp(3) is not deprecated.
 
 It continues to be safe to use for directory creation or other
 atomic file creations (success or failure; the other party opening
 it is subject to a race as long as it waits to know that the parent
 (nc) says it has in fact created it successfully).  It is possible
 to loop.
 
 Go through our source tree.  There are things calling mktemp(3) on
 purpose -- in places where mkstemp(3) cannot be used.

Fair enough. The man page seems a bit over strong, how about this?

Index: mktemp.3
===
RCS file: /cvs/src/lib/libc/stdio/mktemp.3,v
retrieving revision 1.45
diff -u -p -r1.45 mktemp.3
--- mktemp.327 Dec 2010 21:18:44 -  1.45
+++ mktemp.37 Jan 2011 20:23:00 -
@@ -72,12 +72,12 @@ does not actually create the temporary f
 opportunity during which another process can open the file instead.
 Because of this race condition,
 .Fn mktemp
-should not be used in new code.
+should not be used where
+.Fn mkstemp
+can be used instead.
 .Fn mktemp
 was marked as a legacy interface in
-.St -p1003.1-2001
-and may be removed in a future release of
-.Ox .
+.St -p1003.1-2001 .
 .Pp
 The
 .Fn mkstemp



Re: brconfig in faq/pf/tagging.html

2011-01-07 Thread Jason McIntyre
On Fri, Jan 07, 2011 at 09:02:30PM +0100, Thomas Reiter wrote:
 Hi,
 
 I just noticed that in section Tagging Ethernet Frames
 brconfig(8) is still mentioned (although the link leads to
 ifconfig(8) manpage).
 
 As there is no more brconfig, shouldn't this be changed to
 ifconfig(8)?
 
 gr
 thomas
 

fixed thanks. but i've just realised that pf faq may be running at a
different level to -current, so someone (nick!) correct me if i'm wrong
(still the change is future proof ;)

jmc

 
 Index: www/faq/pf/tagging.html
 ===
 RCS file: /cvs/www/faq/pf/tagging.html,v
 retrieving revision 1.19
 diff -u -r1.19 tagging.html
 --- www/faq/pf/tagging.html   19 May 2010 13:25:16 -  1.19
 +++ www/faq/pf/tagging.html   7 Jan 2011 19:24:27 -
 @@ -281,7 +281,7 @@
  can be made to filter based on the source or destination MAC address.
  Bridge(4) rules are created using the
  a 
  href=http://www.openbsd.org/cgi-bin/man.cgi?query=ifconfigamp;sektion=8;
 -brconfig(8)/a command. Example:
 +ifconfig(8)/a command. Example:
  blockquote
  tt
  # ifconfig bridge0 rule pass in on fxp0 src 0:de:ad:be:ef:0 \br



Re: nc -U -u (Unix datagram socket support)

2011-01-07 Thread Theo de Raadt
 Fair enough. The man page seems a bit over strong, how about this?
 
 Index: mktemp.3
 ===
 RCS file: /cvs/src/lib/libc/stdio/mktemp.3,v
 retrieving revision 1.45
 diff -u -p -r1.45 mktemp.3
 --- mktemp.3  27 Dec 2010 21:18:44 -  1.45
 +++ mktemp.3  7 Jan 2011 20:23:00 -
 @@ -72,12 +72,12 @@ does not actually create the temporary f
  opportunity during which another process can open the file instead.
  Because of this race condition,
  .Fn mktemp
 -should not be used in new code.
 +should not be used where
 +.Fn mkstemp
 +can be used instead.

That looks good.

  .Fn mktemp
  was marked as a legacy interface in
 -.St -p1003.1-2001
 -and may be removed in a future release of
 -.Ox .
 +.St -p1003.1-2001 .

That looks good too.  I think that whoever wrote that was smoking
something.

So there is a mkdtemp(), but where is the AF_UNIX version?

I think it is important that people who do use mktemp(3) realize that
they must loop over failure (creating a new path each time), and they
need to use a "do not use the path from elsewhere unless the code that
opens it returns success" paradigm.  mktemp(3) just provides a potentially
unique name; the expected guarantees must be supplied by the caller.



Re: nc -U -u (Unix datagram socket support)

2011-01-07 Thread Joerg Sonnenberger
On Fri, Jan 07, 2011 at 01:32:27PM -0700, Theo de Raadt wrote:
 I think it is important that people who do use mktemp(3) realize that
 they must loop over failure (creating a new path each time), and they
 need to use a "do not use the path from elsewhere unless the code that
 opens it returns success" paradigm.  mktemp(3) just provides a potentially
 unique name; the expected guarantees must be supplied by the caller.

It is also important that the caller provides enough XXX to actually
have a chance to finish the loop against a motivated concurrent user,
especially when using something like /tmp.

Joerg



Re: nc -U -u (Unix datagram socket support)

2011-01-07 Thread Theo de Raadt
 It is also important that the caller provides enough XXX to actually
 have a chance to finish the loop against a motivated concurrent user,
 especially when using something like /tmp.

For us that is not really a problem since our mktemp is using 63
possibilities per slot.  Stem selection remains important, too.

250047 for XXX
15752961 for XXXX
992436543 for XXXXX

Personally I would recommend 10 X's.



Re: brconfig in faq/pf/tagging.html

2011-01-07 Thread Stuart Henderson
On 2011/01/07 20:30, Jason McIntyre wrote:
 On Fri, Jan 07, 2011 at 09:02:30PM +0100, Thomas Reiter wrote:
  Hi,
  
  I just noticed that in section Tagging Ethernet Frames
  brconfig(8) is still mentioned (although the link leads to
  ifconfig(8) manpage).
  
  As there is no more brconfig, shouldn't this be changed to
  ifconfig(8)?
  
  gr
  thomas
  
 
 fixed thanks. but i;ve just realised that pf faq may be running at a
 different level to -current, so someone (nick!) correct me if i'm wrong
 (still the change is future proof ;)

the faq is indeed for the latest release rather than -current,
but brconfig was rolled into ifconfig in 4.7, so this change is ok.



Re: nc -U -u (Unix datagram socket support)

2011-01-07 Thread Nicholas Marriott
On Fri, Jan 07, 2011 at 01:32:27PM -0700, Theo de Raadt wrote:
 So there is a mkdtemp(), but where is the AF_UNIX version?

Well it wouldn't be a big thing to add but from a quick look it seems like
nc would be the only user.

 
 I think it is important that people who do use mktemp(3) realize that
 they must loop over failure (creating a new path each time), and they
 need to use a "do not use the path from elsewhere unless the code that
 opens it returns success" paradigm.  mktemp(3) just provides a potentially
 unique name; the expected guarantees must be supplied by the caller.

Maybe with something like this:

+Where
+.Fn mktemp
+must be used, callers should ensure they detect failure when subsequently
+attempting to create the file and generate a new name by calling
+.Fn mktemp
+again before retrying.

Or maybe another example in the examples section.



Index: mktemp.3
===
RCS file: /cvs/src/lib/libc/stdio/mktemp.3,v
retrieving revision 1.45
diff -u -p -r1.45 mktemp.3
--- mktemp.327 Dec 2010 21:18:44 -  1.45
+++ mktemp.37 Jan 2011 21:15:11 -
@@ -72,12 +72,18 @@ does not actually create the temporary f
 opportunity during which another process can open the file instead.
 Because of this race condition,
 .Fn mktemp
-should not be used in new code.
+should not be used where
+.Fn mkstemp
+can be used instead.
+Where
+.Fn mktemp
+must be used, callers should ensure they detect failure when subsequently
+attempting to create the file and generate a new name by calling
+.Fn mktemp
+again before retrying.
 .Fn mktemp
 was marked as a legacy interface in
-.St -p1003.1-2001
-and may be removed in a future release of
-.Ox .
+.St -p1003.1-2001 .
 .Pp
 The
 .Fn mkstemp



Re: nc -U -u (Unix datagram socket support)

2011-01-07 Thread Nicholas Marriott
ok nicm, but you should save jmc the effort and trim the lines you left
with trailing spaces in the man page ;-).


On Fri, Jan 07, 2011 at 12:13:43PM -0800, Jeremy Evans wrote:
 On 01/07 07:31, Nicholas Marriott wrote:
  On Fri, Jan 07, 2011 at 10:52:18AM -0800, Jeremy Evans wrote:
   On 01/07 06:21, Nicholas Marriott wrote:
  Two further minor comments:
  
  - Can the mktemp buffer be on the stack rather than malloc()d?
  
 Sure.
 
  - I think the man page should mention it creates a file in /tmp (or
mktemp).
  
 Makes sense.
 
 OK to commit this diff, which contains the above changes?:
 
 Index: atomicio.c
 ===
 RCS file: /cvs/src/usr.bin/nc/atomicio.c,v
 retrieving revision 1.9
 diff -u -p -r1.9 atomicio.c
 --- atomicio.c7 Sep 2007 14:50:44 -   1.9
 +++ atomicio.c6 Jan 2011 21:48:04 -
 @@ -53,7 +53,7 @@ atomicio(ssize_t (*f) (int, void *, size
   case -1:
   if (errno == EINTR)
   continue;
 - if (errno == EAGAIN) {
 + if ((errno == EAGAIN) || (errno == ENOBUFS)) {
   (void)poll(pfd, 1, -1);
   continue;
   }
 Index: nc.1
 ===
 RCS file: /cvs/src/usr.bin/nc/nc.1,v
 retrieving revision 1.55
 diff -u -p -r1.55 nc.1
 --- nc.1  25 Jul 2010 07:51:39 -  1.55
 +++ nc.1  7 Jan 2011 20:08:35 -
 @@ -155,6 +155,10 @@ assigns them.
  Enables the RFC 2385 TCP MD5 signature option.
  .It Fl s Ar source_ip_address
  Specifies the IP of the interface which is used to send the packets.
 +For 
 +.Ux Ns -domain
 +datagram sockets, specifies the local temporary socket file
 +to create and use so that datagrams can be received.
  It is an error to use this option in conjunction with the
  .Fl l
  option.
 @@ -179,6 +183,15 @@ Specifies to use
  sockets.
  .It Fl u
  Use UDP instead of the default option of TCP.
 +For
 +.Ux Ns -domain
 +sockets, use a datagram socket instead of a stream socket.
 +If a 
 +.Ux Ns -domain
 +socket is used, a temporary receiving socket is created in /tmp unless
 +you specify one with the
 +.Fl s
 +flag.
  .It Fl V Ar rtable
  Set the routing table to be used.
  The default is 0.
 Index: netcat.c
 ===
 RCS file: /cvs/src/usr.bin/nc/netcat.c,v
 retrieving revision 1.98
 diff -u -p -r1.98 netcat.c
 --- netcat.c  3 Jul 2010 04:44:51 -   1.98
 +++ netcat.c  7 Jan 2011 20:03:37 -
 @@ -62,6 +62,7 @@
  
  #define PORT_MAX 65535
  #define PORT_MAX_LEN 6
 +#define UNIX_DG_TMP_SOCKET_SIZE  19
  
  /* Command Line Options */
  int  dflag;  /* detached, no stdin */
 @@ -89,6 +90,7 @@ u_int   rtableid;
  int timeout = -1;
  int family = AF_UNSPEC;
  char *portlist[PORT_MAX+1];
 +char *unix_dg_tmp_socket;
  
  void atelnet(int, unsigned char *, unsigned int);
  void build_ports(char *);
 @@ -99,6 +101,7 @@ intremote_connect(const char *, const c
  int  socks_connect(const char *, const char *, struct addrinfo,
   const char *, const char *, struct addrinfo, int, const char *);
  int  udptest(int);
 +int  unix_bind(char *);
  int  unix_connect(char *);
  int  unix_listen(char *);
  void set_common_sockopts(int);
 @@ -117,6 +120,7 @@ main(int argc, char *argv[])
   char *proxy;
   const char *errstr, *proxyhost = , *proxyport = NULL;
   struct addrinfo proxyhints;
 + char unix_dg_tmp_socket_buf[UNIX_DG_TMP_SOCKET_SIZE];
  
   ret = 1;
   s = 0;
 @@ -241,8 +245,6 @@ main(int argc, char *argv[])
  
   /* Cruft to make sure options are clean, and used properly. */
   if (argv[0]  !argv[1]  family == AF_UNIX) {
 - if (uflag)
 - errx(1, cannot use -u and -U);
   host = argv[0];
   uport = NULL;
   } else if (argv[0]  !argv[1]) {
 @@ -265,6 +267,19 @@ main(int argc, char *argv[])
   if (!lflag  kflag)
   errx(1, must use -l with -k);
  
 + /* Get name of temporary socket for unix datagram client */
 + if ((family == AF_UNIX)  uflag  !lflag) {
 + if (sflag) {
 + unix_dg_tmp_socket = sflag;
 + } else {
 + strlcpy(unix_dg_tmp_socket_buf, /tmp/nc.XX,
 + UNIX_DG_TMP_SOCKET_SIZE);
 + if (mktemp(unix_dg_tmp_socket_buf) == NULL)
 + err(1, mktemp);
 + unix_dg_tmp_socket = unix_dg_tmp_socket_buf;
 + }
 + }
 +
   /* Initialize addrinfo structure. */
   if (family != AF_UNIX) {
   memset(hints, 0, sizeof(struct addrinfo));
 @@ -307,8 +322,12 @@ main(int argc, char *argv[])
   int connfd;
   ret = 0;
  
 -

netstat default if

2011-01-07 Thread Ted Unangst
i like to run netstat -w 1 -b to watch the bytes.  however, netstat 
defaults to picking the last interface if you don't specify -I.  on my 
system, that happens to be pflog.  not helpful.

the diff below makes some attempt at picking an interesting interface by 
selecting the one with the most traffic.

Index: if.c
===
RCS file: /home/tedu/cvs/src/usr.bin/netstat/if.c,v
retrieving revision 1.62
diff -u -r1.62 if.c
--- if.c22 Nov 2009 22:22:14 -  1.62
+++ if.c8 Jan 2011 00:32:41 -
@@ -500,6 +500,7 @@
char *buf, *next, *lim;
char name[IFNAMSIZ];
size_t len;
+   int takeit = 0;
 
if (sysctl(mib, 6, NULL, len, NULL, 0) == -1)
err(1, sysctl);
@@ -508,6 +509,7 @@
if (sysctl(mib, 6, buf, len, NULL, 0) == -1)
err(1, sysctl);
 
+   memset(ip_cur, 0, sizeof(ip_cur));
lim = buf + len;
for (next = buf; next  lim; next += rtm-rtm_msglen) {
rtm = (struct rt_msghdr *)next;
@@ -531,6 +533,14 @@
memcpy(name, sdl-sdl_data, sdl-sdl_nlen);
 
if (interface != NULL  !strcmp(name, interface)) {
+   takeit = 1;
+   } else if (interface == NULL 
+   ifd-ifi_ibytes + ifd-ifi_obytes =
+   ip_cur.ift_ib + ip_cur.ift_ob) {
+   takeit = 1;
+   } else
+   takeit = 0;
+   if (takeit) {
strlcpy(ip_cur.ift_name, name,
sizeof(ip_cur.ift_name));
ip_cur.ift_ip = ifd-ifi_ipackets;
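Review bot: The new `} else` branch at the end of the if/else-if chain is the only unbraced one while its siblings are braced; since the chain is immediately followed by another `if (takeit)`, braces on `} else { takeit = 0; }` keep the structure readable and avoid a dangling-edit mistake later. The same shape appears in the follow-up diff's `isegress` version of this hunk. Separately, because the comparison uses cumulative ifi_ibytes/ifi_obytes and is re-evaluated on every fetchifs() pass, the selected interface can apparently change between `-w` samples if another interface's lifetime total overtakes the current one, so the columns in a running watch may silently switch interfaces; if that is not intended, the choice should be made once and remembered. The enclosing fetchifs() loop begins before this hunk.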
@@ -554,19 +564,6 @@
sum_cur.ift_dr += 0; /* XXX ifnet.if_snd.ifq_drops */
break;
}
-   }
-   if (interface == NULL) {
-   strlcpy(ip_cur.ift_name, name,
-   sizeof(ip_cur.ift_name));
-   ip_cur.ift_ip = ifd-ifi_ipackets;
-   ip_cur.ift_ib = ifd-ifi_ibytes;
-   ip_cur.ift_ie = ifd-ifi_ierrors;
-   ip_cur.ift_op = ifd-ifi_opackets;
-   ip_cur.ift_ob = ifd-ifi_obytes;
-   ip_cur.ift_oe = ifd-ifi_oerrors;
-   ip_cur.ift_co = ifd-ifi_collisions;
-   ip_cur.ift_dr = 0;
-   /* XXX ifnet.if_snd.ifq_drops */
}
free(buf);
 }



Re: netstat default if

2011-01-07 Thread Nicholas Marriott
Hi

Nice idea, but maybe it could pick the same one that the interface group
egress defaults to?


On Fri, Jan 07, 2011 at 07:36:08PM -0500, Ted Unangst wrote:
 i like to run netstat -w 1 -b to watch the bytes.  however, netstat 
 defaults to picking the last interface if you don't specify -I.  on my 
 system, that happens to be pflog.  not helpful.
 
 the diff below makes some attempt at picking an interesting interface by 
 selecting the one with the most traffic.
 
 Index: if.c
 ===
 RCS file: /home/tedu/cvs/src/usr.bin/netstat/if.c,v
 retrieving revision 1.62
 diff -u -r1.62 if.c
 --- if.c  22 Nov 2009 22:22:14 -  1.62
 +++ if.c  8 Jan 2011 00:32:41 -
 @@ -500,6 +500,7 @@
   char *buf, *next, *lim;
   char name[IFNAMSIZ];
   size_t len;
 + int takeit = 0;
  
   if (sysctl(mib, 6, NULL, len, NULL, 0) == -1)
   err(1, sysctl);
 @@ -508,6 +509,7 @@
   if (sysctl(mib, 6, buf, len, NULL, 0) == -1)
   err(1, sysctl);
  
 + memset(ip_cur, 0, sizeof(ip_cur));
   lim = buf + len;
   for (next = buf; next  lim; next += rtm-rtm_msglen) {
   rtm = (struct rt_msghdr *)next;
 @@ -531,6 +533,14 @@
   memcpy(name, sdl-sdl_data, sdl-sdl_nlen);
  
   if (interface != NULL  !strcmp(name, interface)) {
 + takeit = 1;
 + } else if (interface == NULL 
 + ifd-ifi_ibytes + ifd-ifi_obytes =
 + ip_cur.ift_ib + ip_cur.ift_ob) {
 + takeit = 1;
 + } else
 + takeit = 0;
 + if (takeit) {
   strlcpy(ip_cur.ift_name, name,
   sizeof(ip_cur.ift_name));
   ip_cur.ift_ip = ifd-ifi_ipackets;
 @@ -554,19 +564,6 @@
   sum_cur.ift_dr += 0; /* XXX ifnet.if_snd.ifq_drops */
   break;
   }
 - }
 - if (interface == NULL) {
 - strlcpy(ip_cur.ift_name, name,
 - sizeof(ip_cur.ift_name));
 - ip_cur.ift_ip = ifd-ifi_ipackets;
 - ip_cur.ift_ib = ifd-ifi_ibytes;
 - ip_cur.ift_ie = ifd-ifi_ierrors;
 - ip_cur.ift_op = ifd-ifi_opackets;
 - ip_cur.ift_ob = ifd-ifi_obytes;
 - ip_cur.ift_oe = ifd-ifi_oerrors;
 - ip_cur.ift_co = ifd-ifi_collisions;
 - ip_cur.ift_dr = 0;
 - /* XXX ifnet.if_snd.ifq_drops */
   }
   free(buf);
  }



Re: netstat default if

2011-01-07 Thread Theo de Raadt
 Nice idea, but maybe it could pick the same one that the interface group
 egress defaults to?

Ooooh, that is even better than what I suggested to tedu.

Right on the money, that is exactly what I would like it to default to!



Re: netstat default if

2011-01-07 Thread Ted Unangst
On Sat, 8 Jan 2011, Nicholas Marriott wrote:

 Nice idea, but maybe it could pick the same one that the interface group
 egress defaults to?

You're lucky that gives me the same answer. :)

Index: if.c
===
RCS file: /home/tedu/cvs/src/usr.bin/netstat/if.c,v
retrieving revision 1.62
diff -u -r1.62 if.c
--- if.c22 Nov 2009 22:22:14 -  1.62
+++ if.c8 Jan 2011 02:34:33 -
@@ -32,6 +32,7 @@
 
 #include sys/param.h
 #include sys/types.h
+#include sys/ioctl.h
 #include sys/protosw.h
 #include sys/socket.h
 #include sys/sysctl.h
@@ -488,6 +489,46 @@
}
 }
 
+
+static int
+isegress(char *name)
+{
+   static int s = -1;
+   int len;
+   struct ifgroupreq ifgr;
+   struct ifg_req *ifg;
+   int rv = 0;
+
+   if (s == -1) {
+   if ((s = socket(AF_INET, SOCK_DGRAM, 0))  0)
+   return 0;
+   }
+
+   memset(ifgr, 0, sizeof(ifgr));
+   strlcpy(ifgr.ifgr_name, name, IFNAMSIZ);
+
+   if (ioctl(s, SIOCGIFGROUP, (caddr_t)ifgr) == -1) {
+   return 0;
+   }
+
+   len = ifgr.ifgr_len;
+   ifgr.ifgr_groups = calloc(len, 1);
+   if (ifgr.ifgr_groups == NULL)
+   err(1, getifgroups);
+   if (ioctl(s, SIOCGIFGROUP, (caddr_t)ifgr) == -1)
+   err(1, SIOCGIFGROUP);
+
+   ifg = ifgr.ifgr_groups;
+   for (; ifg  len = sizeof(struct ifg_req); ifg++) {
+   len -= sizeof(struct ifg_req);
+   if (strcmp(ifg-ifgrq_group, egress) == 0)
+   rv = 1;
+   }
+
+   free(ifgr.ifgr_groups);
+   return rv;
+}
+
 static void
 fetchifs(void)
 {
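Review bot: In `isegress`, `len` is declared `int` but is assigned from `ifgr.ifgr_len` (declared `u_int` in <net/if.h>, as far as I recall) and then compared against `sizeof(struct ifg_req)`, a size_t, so the loop condition mixes signed and unsigned arithmetic; declaring it `u_int len;` (or `size_t`) matches the field and removes the conversion. The error message after the failed `calloc` names the wrong call — `err(1, "calloc");` is what a user would need to see — and the scan loop can `break` as soon as "egress" is found rather than walking the remaining groups. The `static int s` descriptor is deliberately kept open across calls, presumably so `-w` does not reopen a socket every interval; a one-line comment such as `/* reused across fetchifs() calls */` would make that intent explicit.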
@@ -500,6 +541,8 @@
char *buf, *next, *lim;
char name[IFNAMSIZ];
size_t len;
+   int takeit = 0;
+   int foundone = 0;
 
if (sysctl(mib, 6, NULL, len, NULL, 0) == -1)
err(1, sysctl);
@@ -508,6 +551,7 @@
if (sysctl(mib, 6, buf, len, NULL, 0) == -1)
err(1, sysctl);
 
+   memset(ip_cur, 0, sizeof(ip_cur));
lim = buf + len;
for (next = buf; next  lim; next += rtm-rtm_msglen) {
rtm = (struct rt_msghdr *)next;
@@ -531,6 +575,14 @@
memcpy(name, sdl-sdl_data, sdl-sdl_nlen);
 
if (interface != NULL  !strcmp(name, interface)) {
+   takeit = 1;
+   } else if (interface == NULL  foundone == 0 
+   isegress(name)) {
+   takeit = 1;
+   foundone = 1;
+   } else
+   takeit = 0;
+   if (takeit) {
strlcpy(ip_cur.ift_name, name,
sizeof(ip_cur.ift_name));
ip_cur.ift_ip = ifd-ifi_ipackets;
@@ -555,7 +607,7 @@
break;
}
}
-   if (interface == NULL) {
+   if (interface == NULL  foundone == 0) {
strlcpy(ip_cur.ift_name, name,
sizeof(ip_cur.ift_name));
ip_cur.ift_ip = ifd-ifi_ipackets;