Fix iked's auto-srcid based on the local hostname
Hi, the iked.conf(5) manpage says: If srcid is omitted, the default is to use the hostname of the local machine, see hostname(1) to set or print the hostname. This was true but I broke it with a commit about two years ago :( The following diff tells ikev2_policy2id() in ca_setreq() that it's dealing with a srcid that needs to be obtained from the local hostname if empty (setting the srcid parameter to 1). This code is called after receiving a CERTREQ from the peer: The peer gives us a list of SHA1 hashes of accepted CAs and we look up a matching host certificate that is signed by one of these CAs and includes a subjectAltName field that matches our srcid. This should unbreak some configurations with OpenBSD as the initiator. OK? Reyk Index: ca.c === RCS file: /cvs/src/sbin/iked/ca.c,v retrieving revision 1.18 diff -u -p -r1.18 ca.c --- ca.c18 Sep 2012 12:07:59 - 1.18 +++ ca.c9 Oct 2012 10:19:03 - @@ -248,7 +248,7 @@ ca_setreq(struct iked *env, struct iked_ /* Convert to a static Id */ bzero(id, sizeof(id)); - if (ikev2_policy2id(localid, id, 0) != 0) + if (ikev2_policy2id(localid, id, 1) != 0) return (-1); bzero(idb, sizeof(idb));
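Review bot: the bare `1` passed to ikev2_policy2id() in ca_setreq() encodes "derive the srcid from the local hostname when none is configured", which a reader of the hunk cannot tell; a one-line comment at the call site (e.g. `/* srcid: fall back to hostname(1) if unset */`) or a named flag would keep that documented in the code. Since the regression went unnoticed for two years, the other ikev2_policy2id() call sites are worth checking for the same argument while at it.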
Re: Fix iked's auto-srcid based on the local hostname
On Tue, Oct 9, 2012 at 1:23 PM, Reyk Floeter r...@openbsd.org wrote: Hi, the iked.conf(5) manpage says: If srcid is omitted, the default is to use the hostname of the local machine, see hostname(1) to set or print the hostname. This was true but I broke it with a commit about two years ago :( The following diff tells ikev2_policy2id() in ca_setreq() that it's dealing with a srcid that needs to be obtained from the local hostname if empty (setting the srcid parameter to 1). This code is called after receiving a CERTREQ from the peer: The peer gives us a list of SHA1 hashes of accepted CAs and we look up a matching host certificate that is signed by one of these CAs and includes a subjectAltName field that matches our srcid. This should unbreak some configurations with OpenBSD as the initiator. OK? OK Reyk
Re: acpiec madness (HP laptop people pay attention to this one) - tested on some HP Compaq platforms
Theo, Thank you for the comprehensive answer. It may be wrong and I don't know how to do acpi things right, but three years ago I wrote to tech@ about HP-Compaq-specific acpiec errors. I'm not a guru in programming, but it is very sad to be having the same acpiec errors from version to version for about three years on all old and newest HP Compaq laptops... Maybe HP has been doing something wrong for more than three years and we should point these things out? Denis On Mon, Oct 8, 2012 at 9:38 PM, Theo de Raadt dera...@cvs.openbsd.org wrote: That diff will not go into the tree now, for the same reason it didn't go in two years ago. BECAUSE IT IS WRONG. Two years ago Marco issued a patch in order to prevent incorrect reading of acpitz on HP Compaq (or any HP laptops with acpiec madness) by adding some delays so that the data is ready to read/write. It has been tested and works perfectly fine on some HP laptops: 6510b, 8510p/w, 8710p/w. Please add this patch into the source tree to have it by default. Index: acpiec.c === RCS file: /cvs/src/sys/dev/acpi/acpiec.c,v retrieving revision 1.43 diff -u -p -r1.43 acpiec.c --- acpiec.c8 Aug 2010 17:25:41 - 1.43 +++ acpiec.c29 Sep 2010 04:24:13 - @@ -92,7 +92,7 @@ void acpiec_wait(struct acpiec_softc *sc, u_int8_t mask, u_int8_t val) { static int acpiecnowait; - u_int8_tstat; + volatile u_int8_t stat; dnprintf(40, %s: EC wait_ns for: %b == %02x\n, DEVNAME(sc), (int)mask, @@ -104,8 +104,14 @@ acpiec_wait(struct acpiec_softc *sc, u_i if (cold || (stat EC_STAT_BURST)) delay(1); else - tsleep(acpiecnowait, PWAIT, acpiec, 1); + tsleep(acpiecnowait, PWAIT, ecstat, 1); } + + /* delay to make sure the data is actually ready */ + if (cold) + delay(10); + else + tsleep(acpiecnowait, PWAIT, ecout, 1); dnprintf(40, %s: EC wait_ns, stat: %b\n, DEVNAME(sc), (int)stat, \20\x8IGN\x7SMI\x6SCI\05BURST\04CMD\03IGN\02IBF\01OBF); -- Best regards, -- Denis Lapshin E-mail: deniza...@gmail.com
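Review bot: in the second hunk the added `delay(10)` / `tsleep(..., "ecout", 1)` runs unconditionally after the status poll loop, so every EC transaction on every machine pays the extra wait, not only the HP Compaq models listed in the cover text; if the wait is needed at all it should be gated on a per-platform quirk rather than applied globally. In the first hunk, declaring the local `stat` as `volatile` does not change how the EC status register itself is accessed (that depends on the accessor, which is not in the hunk), so the qualifier adds nothing and can be dropped. The diff is also against acpiec.c 1.43 from 2010 and would need to be regenerated against the current file before it could even be tested.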
smtpd require auth
Hi, I suddenly got a flood of incoming spam, and when I could not find any trace of them in the spamdb output, I suspected it was coming in on port 587, which I had configured with "tls" and "enable auth". I did not realize that that would allow anyone to send locally addressed mail to me that way, thus bypassing spamd. So, I hesitated, but quite easily came up with this diff, which I'm testing out now. This allows replacing "enable auth" with "require auth" like this:
listen on bge0 port 587 tls certificate mycert require auth
listen on bge0 smtps certificate mycert require auth
Note the "require auth", as opposed to "enable auth". Thoughts? OK? /Alexander Index: parse.y === RCS file: /data/openbsd/cvs/src/usr.sbin/smtpd/parse.y,v retrieving revision 1.104 diff -u -p -r1.104 parse.y --- parse.y 30 Sep 2012 17:25:09 - 1.104 +++ parse.y 9 Oct 2012 13:07:54 - @@ -124,7 +124,7 @@ typedef struct { %token DB LDAP PLAIN DOMAIN SOURCE %token RELAY BACKUP VIA DELIVER TO MAILDIR MBOX HOSTNAME %token ACCEPT REJECT INCLUDE ERROR MDA FROM FOR -%token ARROW ENABLE AUTH TLS LOCAL VIRTUAL TAG ALIAS FILTER KEY DIGEST +%token ARROW ENABLE REQUIRE AUTH TLS LOCAL VIRTUAL TAG ALIAS FILTER KEY DIGEST %token v.string STRING %token v.number NUMBER %type v.map map @@ -263,7 +263,9 @@ ssl : SMTPS { $$ = F_SMTPS; } | /* empty */ { $$ = 0; } ; -auth : ENABLE AUTH { $$ = 1; } +auth : ENABLE AUTH { $$ = F_AUTH; } + | REQUIRE AUTH { $$ = F_AUTH | + F_AUTH_REQUIRED; } | /* empty */ { $$ = 0; } ; @@ -364,10 +366,7 @@ main : QUEUE INTERVAL interval { } cert = ($6 != NULL) ? $6 : $3; - flags = $5; - - if ($7) - flags |= F_AUTH; + flags = $5 | $7; if ($5 ssl_load_certfile(cert, F_SCERT) 0) { yyerror(cannot load certificate: %s, cert); 
@@ -967,6 +966,7 @@ lookup(char *s) { queue, QUEUE }, { reject, REJECT }, { relay, RELAY }, + { require,REQUIRE }, { single, SINGLE }, { size, SIZE }, { smtps, SMTPS }, Index: smtp_session.c === RCS file: /data/openbsd/cvs/src/usr.sbin/smtpd/smtp_session.c,v retrieving revision 1.169 diff -u -p -r1.169 smtp_session.c --- smtp_session.c 14 Sep 2012 19:22:04 - 1.169 +++ smtp_session.c 9 Oct 2012 13:21:15 - @@ -400,6 +400,12 @@ session_rfc5321_mail_handler(struct sess return 1; } + if (s-s_l-flags F_AUTH_REQUIRED + !(s-s_flags F_AUTHENTICATED)) { + session_respond(s, 530 5.7.0 Authentication required); + return 1; + } + if (s-s_state != S_HELO) { session_respond(s, 503 5.5.1 Sender already specified); return 1; Index: smtpd.h === RCS file: /data/openbsd/cvs/src/usr.sbin/smtpd/smtpd.h,v retrieving revision 1.378 diff -u -p -r1.378 smtpd.h --- smtpd.h 3 Oct 2012 19:42:16 - 1.378 +++ smtpd.h 9 Oct 2012 13:07:54 - @@ -78,6 +78,7 @@ #define F_STARTTLS 0x01 #define F_SMTPS 0x02 #define F_AUTH 0x04 +#define F_AUTH_REQUIRED 0x08 #define F_SSL (F_SMTPS|F_STARTTLS) #defineF_BACKUP0x10/* XXX */
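Review bot: the patch touches parse.y, smtp_session.c and smtpd.h but not smtpd.conf.5, so the new `require auth` keyword ships undocumented; the manpage needs a matching line next to `enable auth`. The enforcement point in the smtp_session.c hunk is fine: gating in session_rfc5321_mail_handler() with `530 5.7.0 Authentication required` (the reply RFC 4954 specifies) is enough, because RCPT and DATA cannot be reached before a successful MAIL. In parse.y, having `auth` return the flag bits (`F_AUTH`, `F_AUTH | F_AUTH_REQUIRED`) and `main` do `flags = $5 | $7` is cleaner than the old `if ($7) flags |= F_AUTH`; just confirm that `F_AUTH_REQUIRED 0x08` in smtpd.h does not collide with a flag defined below `F_BACKUP 0x10` in the part of the header the hunk does not show.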
Re: smtpd require auth
Argh, you should have talked to me first ... Both require ssl and require auth are implemented already ... I did not commit yet because we stabilized a release and decided to not add new features to it unless they are critical. This feature should be committed in a few days Gilles On Tue, Oct 09, 2012 at 03:24:32PM +0200, Alexander Hall wrote: Hi, I suddenly got a flood of incoming spam, and when I could not find any trace of them in the spamdb output, I suspected it was coming in on port 587, which I had configured with tls and enable auth I did not realize that that would allow anyone to send locally addressed mail to me that way, thus bypassing spamd. So, I hesitated, but quite easily came up with this diff, which I'm testing out now. This allows replacing enable auth with require auth like this: listen on bge0 port 587 tls certificate mycert require auth listen on bge0 smtps certificate mycert require auth Note the require auth, as opposed to enable auth Thoughts? OK? /Alexander Index: parse.y === RCS file: /data/openbsd/cvs/src/usr.sbin/smtpd/parse.y,v retrieving revision 1.104 diff -u -p -r1.104 parse.y --- parse.y 30 Sep 2012 17:25:09 - 1.104 +++ parse.y 9 Oct 2012 13:07:54 - @@ -124,7 +124,7 @@ typedef struct { %token DB LDAP PLAIN DOMAIN SOURCE %token RELAY BACKUP VIA DELIVER TO MAILDIR MBOX HOSTNAME %token ACCEPT REJECT INCLUDE ERROR MDA FROM FOR -%token ARROW ENABLE AUTH TLS LOCAL VIRTUAL TAG ALIAS FILTER KEY DIGEST +%token ARROW ENABLE REQUIRE AUTH TLS LOCAL VIRTUAL TAG ALIAS FILTER KEY DIGEST %token v.string STRING %token v.number NUMBER %typev.map map @@ -263,7 +263,9 @@ ssl : SMTPS { $$ = F_SMTPS; } | /* empty */ { $$ = 0; } ; -auth : ENABLE AUTH { $$ = 1; } +auth : ENABLE AUTH { $$ = F_AUTH; } + | REQUIRE AUTH { $$ = F_AUTH | + F_AUTH_REQUIRED; } | /* empty */ { $$ = 0; } ; 
@@ -364,10 +366,7 @@ main : QUEUE INTERVAL interval { } cert = ($6 != NULL) ? $6 : $3; - flags = $5; - - if ($7) - flags |= F_AUTH; + flags = $5 | $7; if ($5 ssl_load_certfile(cert, F_SCERT) 0) { yyerror(cannot load certificate: %s, cert); @@ -967,6 +966,7 @@ lookup(char *s) { queue, QUEUE }, { reject, REJECT }, { relay, RELAY }, + { require,REQUIRE }, { single, SINGLE }, { size, SIZE }, { smtps, SMTPS }, Index: smtp_session.c === RCS file: /data/openbsd/cvs/src/usr.sbin/smtpd/smtp_session.c,v retrieving revision 1.169 diff -u -p -r1.169 smtp_session.c --- smtp_session.c14 Sep 2012 19:22:04 - 1.169 +++ smtp_session.c9 Oct 2012 13:21:15 - @@ -400,6 +400,12 @@ session_rfc5321_mail_handler(struct sess return 1; } + if (s-s_l-flags F_AUTH_REQUIRED + !(s-s_flags F_AUTHENTICATED)) { + session_respond(s, 530 5.7.0 Authentication required); + return 1; + } + if (s-s_state != S_HELO) { session_respond(s, 503 5.5.1 Sender already specified); return 1; Index: smtpd.h === RCS file: /data/openbsd/cvs/src/usr.sbin/smtpd/smtpd.h,v retrieving revision 1.378 diff -u -p -r1.378 smtpd.h --- smtpd.h 3 Oct 2012 19:42:16 - 1.378 +++ smtpd.h 9 Oct 2012 13:07:54 - @@ -78,6 +78,7 @@ #define F_STARTTLS0x01 #define F_SMTPS 0x02 #define F_AUTH0x04 +#define F_AUTH_REQUIRED 0x08 #define F_SSL(F_SMTPS|F_STARTTLS) #define F_BACKUP0x10/* XXX */ -- Gilles Chehade https://www.poolp.org @poolpOrg
Re: smtpd require auth
On 10/09/12 15:33, Gilles Chehade wrote: Argh, you should have talked to me first ... Both require ssl and require auth are implemented already ... I did not commit yet because we stabilized a release and decided to not add new features to it unless they are critical. This feature should be committed in a few days well well, I got the pleasure of pretending to be a real hacker anyway... ;-)
Re: smtpd require auth
On 10/09/12 15:38, Gilles Chehade wrote: ok, discussed with eric, not critical but still very annoying so we'll commit the feature tonight. Ah, so something good came out of my diff anyway! :-) I was actually unsure whether this would get an OK or be postponed, so that could indeed have been a hint for me to ask you first...
Re: smtpd require auth
On Tue, Oct 09, 2012 at 03:43:03PM +0200, Alexander Hall wrote: On 10/09/12 15:33, Gilles Chehade wrote: Argh, you should have talked to me first ... Both require ssl and require auth are implemented already ... I did not commit yet because we stabilized a release and decided to not add new features to it unless they are critical. This feature should be committed in a few days well well, I got the pleasure of pretending to be a real hacker anyway... ;-) Actually, your diff has a nice idea regarding the enable|require part which we'll incorporate in my diff, so you didn't hack for nothing :-) -- Gilles Chehade https://www.poolp.org @poolpOrg
Re: smtpd require auth
Gilles, I'm actually wondering - should there even be a difference? Every practical implementation of 587 I've ever seen requires auth. Is there any sane reason to have "enable auth" not actually require it? I.e. what I'm asking is: is "enable" (without "require") simply a silly knob that we're putting in place that nobody should use? If you're accepting without auth, typically I find that's just done on port 25 - and anywhere I've deployed it that's what we've done. Does anyone have a real use of port 587 with auth turned on but not required? On Tue, Oct 9, 2012 at 7:48 AM, Gilles Chehade gil...@poolp.org wrote: On Tue, Oct 09, 2012 at 03:43:03PM +0200, Alexander Hall wrote: On 10/09/12 15:33, Gilles Chehade wrote: Argh, you should have talked to me first ... Both require ssl and require auth are implemented already ... I did not commit yet because we stabilized a release and decided to not add new features to it unless they are critical. This feature should be committed in a few days well well, I got the pleasure of pretending to be a real hacker anyway... ;-) Actually, your diff has a nice idea regarding the enable|require part which we'll incorporate in my diff, so you didn't hack for nothing :-) -- Gilles Chehade https://www.poolp.org @poolpOrg
Re: smtpd require auth
On Tue, Oct 09, 2012 at 03:48:44PM +0200, Gilles Chehade wrote: On Tue, Oct 09, 2012 at 03:43:03PM +0200, Alexander Hall wrote: On 10/09/12 15:33, Gilles Chehade wrote: Argh, you should have talked to me first ... Both require ssl and require auth are implemented already ... I did not commit yet because we stabilized a release and decided to not add new features to it unless they are critical. This feature should be committed in a few days well well, I got the pleasure of pretending to be a real hacker anyway... ;-) Actually, your diff has a nice idea regarding the enable|require part which we'll incorporate in my diff, so you didn't hack for nothing :-) The following diff is what I intend to commit tonight with an ok from eric@. It applies on -current, but beware as it kills the enable keyword:
listen on bnx0 [...] auth # enable auth
listen on bnx0 [...] auth-require # require auth
diff --git a/parse.y b/parse.y index 8df8521..f0917c1 100644 --- a/parse.y +++ b/parse.y @@ -123,8 +123,9 @@ typedef struct { %token MAP HASH LIST SINGLE SSL SMTPS CERTIFICATE ENCRYPTION %token DB LDAP PLAIN DOMAIN SOURCE %token RELAY BACKUP VIA DELIVER TO MAILDIR MBOX HOSTNAME -%token ACCEPT REJECT INCLUDE ERROR MDA FROM FOR -%token ARROW ENABLE AUTH TLS LOCAL VIRTUAL TAG ALIAS FILTER KEY DIGEST +%token ACCEPT REJECT INCLUDE ERROR MDA FROM FOR SSLONLY AUTHONLY +%token ARROW AUTH TLS LOCAL VIRTUAL TAG ALIAS FILTER KEY DIGEST +%token AUTH_REQUIRE TLS_REQUIRE %token v.string STRING %token v.number NUMBER %type v.map map @@ -260,10 +261,12 @@ certname : CERTIFICATE STRING{ ssl: SMTPS { $$ = F_SMTPS; } | TLS { $$ = F_STARTTLS; } | SSL { $$ = F_SSL; } - | /* empty */ { $$ = 0; } + | TLS_REQUIRE { $$ = F_STARTTLS|F_STARTTLS_REQUIRE; } + | /* Empty */ { $$ = 0; } ; -auth : ENABLE AUTH { $$ = 1; } +auth : AUTH { $$ = F_AUTH; } + | AUTH_REQUIRE { $$ = F_AUTH|F_AUTH_REQUIRE; } | /* empty */ { $$ = 0; } ; 
@@ -367,7 +370,7 @@ main: QUEUE INTERVAL interval { flags = $5; if ($7) - flags |= F_AUTH; + flags |= $7; if ($5 ssl_load_certfile(cert, F_SCERT) 0) { yyerror(cannot load certificate: %s, cert); @@ -940,6 +943,7 @@ lookup(char *s) { all,ALL }, { as, AS }, { auth, AUTH }, + { auth-require, AUTH_REQUIRE }, { backup, BACKUP }, { certificate,CERTIFICATE }, { cipher, CIPHER }, @@ -948,7 +952,6 @@ lookup(char *s) { deliver,DELIVER }, { digest, DIGEST }, { domain, DOMAIN }, - { enable, ENABLE }, { encryption, ENCRYPTION }, { expire, EXPIRE }, { filter, FILTER }, @@ -980,6 +983,7 @@ lookup(char *s) { ssl,SSL }, { tag,TAG }, { tls,TLS }, + { tls-require,TLS_REQUIRE }, { to, TO }, { via,VIA }, { virtual,VIRTUAL }, diff --git a/smtp_session.c b/smtp_session.c index a7b0d30..4c65159 100644 --- a/smtp_session.c +++ b/smtp_session.c @@ -400,6 +400,19 @@ session_rfc5321_mail_handler(struct session *s, char *args) return 1; } + + if (s-s_l-flags F_STARTTLS_REQUIRE) + if (!(s-s_flags F_SECURE)) { + session_respond(s, 530 5.7.0 Must issue a STARTTLS command first); + return 1; + } + + if (s-s_l-flags F_AUTH_REQUIRE) + if (!(s-s_flags F_AUTHENTICATED)) { + session_respond(s, 530 5.7.0 Must issue a AUTH command first); + return 1; + } + if (s-s_state != S_HELO) { session_respond(s, 503 5.5.1 Sender already specified); return 1; diff --git a/smtpd.conf.5 b/smtpd.conf.5 index c4ad738..a070a8d 100644 --- a/smtpd.conf.5 +++ b/smtpd.conf.5 @@ -53,7 +53,7 @@ For example: .Bd -literal -offset indent wan_if = fxp0 listen on $wan_if -listen on $wan_if tls enable auth +listen on $wan_if
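Review bot: the parse.y hunk adds `SSLONLY AUTHONLY` to the %token list, but nothing in the visible grammar rules or the lookup() table uses them, so they look like leftovers from an earlier iteration and should be dropped (the keywords actually wired up are `AUTH_REQUIRE` / `TLS_REQUIRE`). In the smtp_session.c hunk the reply text reads "Must issue a AUTH command first"; that should be "an AUTH". The `/* Empty */` comment in the ssl rule also breaks the lower-case `/* empty */` convention used two rules later. The check order there (tls-require before auth-require) is the right one: a plaintext client on a tls-require listener is told to negotiate TLS before it is asked to authenticate. The definitions of F_STARTTLS_REQUIRE and F_AUTH_REQUIRE are not in the portion of the diff shown here (it is cut off inside smtpd.conf.5), so their bit values cannot be checked against the existing flags.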
Re: smtpd require auth
On Tue, Oct 09, 2012 at 09:05:42AM -0600, Bob Beck wrote: Gilles, I'm actually wondering - should there even be a difference? Every practical implementation of 587 I've ever seen requires auth. Is there any sane reason to have "enable auth" not actually require it? I.e. what I'm asking is: is "enable" (without "require") simply a silly knob that we're putting in place that nobody should use? If you're accepting without auth, typically I find that's just done on port 25 - and anywhere I've deployed it that's what we've done. Does anyone have a real use of port 587 with auth turned on but not required? I agree with you that people will probably not want port 587 without auth turned on, so from a practical point of view we could make it implicit. There's a syntax issue though, because users will likely be less surprised by:
listen on bnx0 port submission [...] tls-require
listen on bnx0 [...] tls-require
than:
listen on bnx0 port submission [...] # implicit tls-require
listen on bnx0 [...] # not here though
This is really not a code issue, as the diff would be a two-liner, but do we want to have this special case with an implicit behaviour just to avoid using the knob (which has to be there, since the general use when not on port submission is to enable, not require)? I killed the enable / require and replaced it with one single keyword: tls / tls-require, which is slightly better than the former btw :-) -- Gilles Chehade https://www.poolp.org @poolpOrg
Re: smtpd require auth
On Tue, Oct 9, 2012 at 9:25 AM, Gilles Chehade gil...@poolp.org wrote: I agree with you that people will probably not want port 587 without auth turned on, so from a practical point of view we could make it implicit. There's a syntax issue though, because users will likely be less surprised by:
listen on bnx0 port submission [...] tls-require
listen on bnx0 [...] tls-require
than:
listen on bnx0 port submission [...] # implicit tls-require
listen on bnx0 [...] # not here though
If there's no "require" for auth, just "auth" - then there's really no confusion, I think. And there is a real normal use case for opportunistic (as opposed to required) TLS. I don't think there is one for auth on port 587. I.e. I think tls and tls-require make sense to have differentiated. I'm not sure it makes sense to have auth and auth-required - I think auth should just mean it's required. This is really not a code issue, as the diff would be a two-liner, but do we want to have this special case with an implicit behaviour just to avoid using the knob (which has to be there, since the general use when not on port submission is to enable, not require)? I killed the enable / require and replaced it with one single keyword: tls / tls-require, which is slightly better than the former btw :-) -- Gilles Chehade https://www.poolp.org @poolpOrg
Re: smtpd require auth
On Tue, Oct 09, 2012 at 09:29:25AM -0600, Bob Beck wrote: On Tue, Oct 9, 2012 at 9:25 AM, Gilles Chehade gil...@poolp.org wrote: I agree with you that people will probably not want port 587 without auth turned on, so from a practical point of view we could make it implicit. There's a syntax issue though, because users will likely be less surprised by:
listen on bnx0 port submission [...] tls-require
listen on bnx0 [...] tls-require
than:
listen on bnx0 port submission [...] # implicit tls-require
listen on bnx0 [...] # not here though
If there's no "require" for auth, just "auth" - then there's really no confusion, I think. And there is a real normal use case for opportunistic (as opposed to required) TLS. I don't think there is one for auth on port 587. I.e. I think tls and tls-require make sense to have differentiated. I'm not sure it makes sense to have auth and auth-required - I think auth should just mean it's required. Oh I get it, but see my conf for instance:
listen on bnx0 [...] auth
accept from all for domain opensmtpd.org deliver to maildir
accept for all relay
Now keep in mind that the relay rule here can only be matched by a local or authenticated user. The distinction between auth and auth-require allows me to make auth optional so that random people can mail @opensmtpd.org but so that only eric, chl or I can relay mail elsewhere from that box. Now with:
listen on bnx0 [...] auth-require
accept from all for domain opensmtpd.org deliver to maildir
accept for all relay
people would need to auth on the server to be able to mail us. -- Gilles Chehade https://www.poolp.org @poolpOrg
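An added example, not OpenSMTPD code, that models the listener-flag semantics argued about in this thread: Alexander's observation that a listener with auth merely enabled still accepts unauthenticated local mail (the spamd bypass), and Gilles' two-rule config where `auth` lets anyone mail @opensmtpd.org but only authenticated senders relay. The F_* listener values come from the smtpd.h hunk above; the tls-require bit, the session-flag values and the `match_rule()` stand-in for smtpd's ruleset are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Listener flags: the first four are the values from the smtpd.h hunk in this
 * thread; F_STARTTLS_REQUIRE is an assumed value (the later diff is cut off
 * before its smtpd.h part). */
#define F_STARTTLS		0x01
#define F_SMTPS			0x02
#define F_AUTH			0x04
#define F_AUTH_REQUIRE		0x08
#define F_STARTTLS_REQUIRE	0x20	/* assumed, not from the page */

/* Per-session flags; names from the smtp_session.c hunks, values assumed. */
#define F_SECURE		0x01	/* TLS has been negotiated */
#define F_AUTHENTICATED		0x02	/* AUTH succeeded */

struct listener { int flags; };
struct session { const struct listener *l; int flags; };

/*
 * Reply code the MAIL FROM handler sends, in the order of Gilles' hunk:
 * tls-require is checked before auth-require, so a plaintext client is told
 * to STARTTLS first.  250 means the command is accepted.
 */
static int
mail_from_reply(const struct session *s)
{
	if ((s->l->flags & F_STARTTLS_REQUIRE) && !(s->flags & F_SECURE))
		return 530;	/* 5.7.0 Must issue a STARTTLS command first */
	if ((s->l->flags & F_AUTH_REQUIRE) && !(s->flags & F_AUTHENTICATED))
		return 530;	/* 5.7.0 Must issue an AUTH command first */
	return 250;
}

enum action { ACT_REJECT, ACT_DELIVER, ACT_RELAY };

/*
 * Simplified stand-in (an assumption, not smtpd's ruleset code) for
 *   accept from all for domain opensmtpd.org deliver to maildir
 *   accept for all relay
 * where, as Gilles notes, the relay rule only matches a local or
 * authenticated sender.
 */
static enum action
match_rule(const struct session *s, const char *rcpt_domain, int local_sender)
{
	if (strcmp(rcpt_domain, "opensmtpd.org") == 0)
		return ACT_DELIVER;
	if (local_sender || (s->flags & F_AUTHENTICATED))
		return ACT_RELAY;
	return ACT_REJECT;
}

/* Outcome for one recipient: the MAIL FROM gate first, then the ruleset. */
static enum action
decide(int lflags, int sflags, const char *rcpt_domain, int local_sender)
{
	struct listener l = { lflags };
	struct session s = { &l, sflags };

	if (mail_from_reply(&s) != 250)
		return ACT_REJECT;	/* never gets past MAIL FROM */
	return match_rule(&s, rcpt_domain, local_sender);
}

int
main(void)
{
	static const char *name[] = { "reject", "deliver", "relay" };

	/* "auth" only: an unauthenticated remote client can still submit
	 * locally addressed mail, which is what Alexander saw on port 587. */
	printf("auth, unauth remote -> local domain: %s\n",
	    name[decide(F_AUTH, 0, "opensmtpd.org", 0)]);
	/* ...but it cannot relay elsewhere. */
	printf("auth, unauth remote -> elsewhere:    %s\n",
	    name[decide(F_AUTH, 0, "example.net", 0)]);
	/* "auth-require": the same client is refused at MAIL FROM. */
	printf("auth-require, unauth remote -> local: %s\n",
	    name[decide(F_AUTH | F_AUTH_REQUIRE, 0, "opensmtpd.org", 0)]);
	/* An authenticated client on auth-require may relay. */
	printf("auth-require, authed -> elsewhere:    %s\n",
	    name[decide(F_AUTH | F_AUTH_REQUIRE, F_AUTHENTICATED,
	    "example.net", 0)]);
	return 0;
}
```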
Scheduler improvements, take 1001
(By popular request as a new thread). Hi people, I've tried splitting my scheduler patch into smaller fragments, and here's the result. I changed a few things people mentioned over the last few days, such as the following:
1) sys/proc.h now includes sys/tree.h, which should make libc builds work again.
2) deadline generation now takes process priorities into account, as suggested by ratchov@. The way it's done now, processes can use their sleep priority as a way to lower their nice value for short periods of time. I didn't notice any real changes, but I'd love to hear from people with more demanding applications.
3) schedstate_percpu is private to the kernel now, as I couldn't find a single occurrence of `struct schedstate_percpu` outside of /usr/src/sys and it seemed cleaner not to expose kernel data to userland in such a broad way.
The patches will follow as single emails. -- Gregor Best
Re: Scheduler improvements, take 1001, Patch 1/5
diff --git a/kern/sched_bsd.c b/kern/sched_bsd.c index 172bb8f..c7121dc 100644 --- a/kern/sched_bsd.c +++ b/kern/sched_bsd.c @@ -77,12 +77,12 @@ scheduler_start(void) timeout_set(schedcpu_to, schedcpu, schedcpu_to); - rrticks_init = hz / 10; + rrticks_init = hz / 20; schedcpu(schedcpu_to); } /* - * Force switch among equal priority processes every 100ms. + * Force switch among equal priority processes every 50ms. */ void roundrobin(struct cpu_info *ci) -- 1.7.6
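Review bot: the hunk halves rrticks_init (hz / 10 to hz / 20) and keeps the comment in step (100ms to 50ms), but the commit message itself says nothing about why 50ms was chosen or what was measured; the rationale lives only in the separate cover mail. Since this change affects every process on every architecture and is independent of the rest of the series, that rationale belongs in the commit message, and making rrticks_init a tunable would let people compare both quantum lengths without rebuilding a kernel.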
Re: Scheduler improvements, take 1001, Patch 1/5
diff --git a/kern/kern_clock.c b/kern/kern_clock.c index 843965b..f598afc 100644 --- a/kern/kern_clock.c +++ b/kern/kern_clock.c @@ -233,7 +233,7 @@ hardclock(struct clockframe *frame) if (stathz == 0) statclock(frame); - if (--ci-ci_schedstate.spc_rrticks = 0) + if (p (--(p-p_rrticks) = 0)) roundrobin(ci); /* diff --git a/kern/kern_proc.c b/kern/kern_proc.c index ad861c8..e0d5536 100644 --- a/kern/kern_proc.c +++ b/kern/kern_proc.c @@ -398,8 +398,6 @@ proc_printit(struct proc *p, const char *modif, int (*pr)(const char *, ...)) p-p_comm, p-p_pid, pst, p-p_flag, P_BITS); (*pr)(pri=%u, usrpri=%u, nice=%d\n, p-p_priority, p-p_usrpri, p-p_p-ps_nice); - (*pr)(forw=%p, list=%p,%p\n, - TAILQ_NEXT(p, p_runq), p-p_list.le_next, p-p_list.le_prev); (*pr)(process=%p user=%p, vmspace=%p\n, p-p_p, p-p_addr, p-p_vmspace); (*pr)(estcpu=%u, cpticks=%d, pctcpu=%u.%u, swtime=%u\n, diff --git a/kern/kern_sched.c b/kern/kern_sched.c index 253226a..79eb28c 100644 --- a/kern/kern_sched.c +++ b/kern/kern_sched.c @@ -24,11 +24,22 @@ #include sys/resourcevar.h #include sys/signalvar.h #include sys/mutex.h +#include sys/tree.h #include uvm/uvm_extern.h #include sys/malloc.h +static int +sched_cmp_proc(struct proc *a, struct proc *b) { + if (a == b) + return 0; + if (timercmp((a-p_deadline), (b-p_deadline), )) + return -1; + return 1; +} + +RB_GENERATE_STATIC(prochead, proc, p_runq, sched_cmp_proc); void sched_kthreads_create(void *); @@ -79,10 +90,8 @@ void sched_init_cpu(struct cpu_info *ci) { struct schedstate_percpu *spc = ci-ci_schedstate; - int i; - for (i = 0; i SCHED_NQS; i++) - TAILQ_INIT(spc-spc_qs[i]); + RB_INIT(spc-spc_runq); spc-spc_idleproc = NULL; 
@@ -158,18 +167,19 @@ sched_idle(void *v) cpuset_add(sched_idle_cpus, ci); cpu_idle_enter(); - while (spc-spc_whichqs == 0) { + + while (curcpu_is_idle()) { if (spc-spc_schedflags SPCF_SHOULDHALT - (spc-spc_schedflags SPCF_HALTED) == 0) { +(spc-spc_schedflags SPCF_HALTED) == 0) { cpuset_del(sched_idle_cpus, ci); SCHED_LOCK(s); - atomic_setbits_int(spc-spc_schedflags, - spc-spc_whichqs ? 0 : SPCF_HALTED); + atomic_setbits_int(spc-spc_schedflags, SPCF_HALTED); SCHED_UNLOCK(s); wakeup(spc); } cpu_idle_cycle(); } + cpu_idle_leave(); cpuset_del(sched_idle_cpus, ci); } @@ -222,14 +232,13 @@ void setrunqueue(struct proc *p) { struct schedstate_percpu *spc; - int queue = p-p_priority 2; SCHED_ASSERT_LOCKED(); spc = p-p_cpu-ci_schedstate; spc-spc_nrun++; - TAILQ_INSERT_TAIL(spc-spc_qs[queue], p, p_runq); - spc-spc_whichqs |= (1 queue); + KASSERT(!RB_FIND(prochead, spc-spc_runq, p)); + RB_INSERT(prochead, spc-spc_runq, p); cpuset_add(sched_queued_cpus, p-p_cpu); if (cpuset_isset(sched_idle_cpus, p-p_cpu)) 
@@ -240,38 +249,29 @@ void remrunqueue(struct proc *p) { struct schedstate_percpu *spc; - int queue = p-p_priority 2; SCHED_ASSERT_LOCKED(); spc = p-p_cpu-ci_schedstate; spc-spc_nrun--; - TAILQ_REMOVE(spc-spc_qs[queue], p, p_runq); - if (TAILQ_EMPTY(spc-spc_qs[queue])) { - spc-spc_whichqs = ~(1 queue); - if (spc-spc_whichqs == 0) - cpuset_del(sched_queued_cpus, p-p_cpu); - } + KASSERT(RB_REMOVE(prochead, spc-spc_runq, p)); + if (RB_EMPTY(spc-spc_runq)) + cpuset_del(sched_queued_cpus, p-p_cpu); } struct proc * sched_chooseproc(void) { struct schedstate_percpu *spc = curcpu()-ci_schedstate; - struct proc *p; - int queue; + struct proc *p, *p_tmp = NULL; SCHED_ASSERT_LOCKED(); if (spc-spc_schedflags SPCF_SHOULDHALT) { - if (spc-spc_whichqs) { - for (queue = 0; queue SCHED_NQS; queue++) { - TAILQ_FOREACH(p, spc-spc_qs[queue], p_runq) { - remrunqueue(p); - p-p_cpu = sched_choosecpu(p); - setrunqueue(p); - } - } + RB_FOREACH_SAFE(p, prochead, spc-spc_runq, p_tmp) { + remrunqueue(p); +
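Review bot: two logic problems in the kern_sched.c hunks. In remrunqueue(), `KASSERT(RB_REMOVE(prochead, &spc->spc_runq, p))` puts the removal itself inside the assertion; KASSERT expands to nothing on kernels built without DIAGNOSTIC, so on those kernels the process is never taken off the run queue. Assign the RB_REMOVE() result to a local and assert on that. In sched_cmp_proc(), the comparator returns 1 whenever a's deadline is not strictly before b's, so two distinct procs with equal p_deadline compare as "greater" in both directions; RB_INSERT/RB_FIND need a consistent total order, so add a tie-break (the pointer value will do), otherwise the `KASSERT(!RB_FIND(...))` in setrunqueue() can both fire and miss spuriously. Separately, the kern_clock.c hunk changes the quantum check to `if (p && (--(p->p_rrticks) <= 0))`, so roundrobin() is no longer called while the CPU is idle (p == NULL); it is worth confirming nothing in the idle path relied on that call.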
Re: Scheduler improvements, take 1001, Patch 5/5
diff --git a/sys/sched.h b/sys/sched.h index fb01f21..1784ee2 100644 --- a/sys/sched.h +++ b/sys/sched.h @@ -69,8 +69,10 @@ #ifndef_SYS_SCHED_H_ #define_SYS_SCHED_H_ +#ifdef _KERNEL #include sys/queue.h #include sys/tree.h +#endif /* * Posix defines a sched.h which may want to include sys/sched.h @@ -88,11 +90,9 @@ #define CP_IDLE4 #define CPUSTATES 5 -#defineSCHED_NQS 32 /* 32 run queues. */ - +#ifdef _KERNEL /* * Per-CPU scheduler state. - * XXX - expose to userland for now. */ struct schedstate_percpu { struct timeval spc_runtime; /* time curproc started running */ @@ -107,15 +107,13 @@ struct schedstate_percpu { u_int spc_nrun; /* procs on the run queues */ fixpt_t spc_ldavg; /* shortest load avg. for this cpu */ - RB_HEAD(prochead, proc) spc_runq; - #ifdef notyet struct proc *spc_reaper;/* dead proc reaper */ #endif LIST_HEAD(,proc) spc_deadproc; -}; -#ifdef _KERNEL + RB_HEAD(prochead, proc) spc_runq; +}; /* spc_flags */ #define SPCF_SEENRR 0x0001 /* process has seen roundrobin() */ -- 1.7.6
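Review bot: moving struct schedstate_percpu under `#ifdef _KERNEL` also moves the `#include <sys/queue.h>` and `<sys/tree.h>` there, so any declaration later in sys/sched.h that sits outside the kernel block and uses queue or tree macros would stop compiling for userland; the hunk only shows the struct, so the whole header needs the userland build the cover mail says is still running. The removed `SCHED_NQS` define was a public constant until now, and the commit message should mention that it is gone, even if grep finds no users outside sys/.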
Re: Scheduler improvements, take 1001, Patch 4/5
diff --git a/arch/amd64/include/cpu.h b/arch/amd64/include/cpu.h index 12e48d6..99501a1 100644 --- a/arch/amd64/include/cpu.h +++ b/arch/amd64/include/cpu.h @@ -102,9 +102,11 @@ struct cpu_info { u_int32_t ci_cflushsz; u_int64_t ci_tsc_freq; +#define ARCH_HAVE_CPU_TOPOLOGY u_int32_t ci_smt_id; u_int32_t ci_core_id; u_int32_t ci_pkg_id; + struct cpu_functions *ci_func; void (*cpu_setup)(struct cpu_info *); void (*ci_info)(struct cpu_info *); diff --git a/kern/kern_sched.c b/kern/kern_sched.c index 79eb28c..072ef38 100644 --- a/kern/kern_sched.c +++ b/kern/kern_sched.c @@ -496,6 +496,10 @@ int sched_cost_load = 1; int sched_cost_priority = 1; int sched_cost_runnable = 3; int sched_cost_resident = 1; +#ifdef ARCH_HAVE_CPU_TOPOLOGY +int sched_cost_diffcore = 2; /* cost for moving to a different core */ +int sched_cost_diffpkg = 3; /* cost for moving to a different package */ +#endif int sched_proc_to_cpu_cost(struct cpu_info *ci, struct proc *p) @@ -536,6 +540,13 @@ sched_proc_to_cpu_cost(struct cpu_info *ci, struct proc *p) cost -= l2resident * sched_cost_resident; } +#ifdef ARCH_HAVE_CPU_TOPOLOGY + if (p-p_cpu-ci_pkg_id != ci-ci_pkg_id) + cost *= sched_cost_diffpkg; + else if (p-p_cpu-ci_core_id != ci-ci_core_id) + cost *= sched_cost_diffcore; +#endif + return (cost); } -- 1.7.6
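Review bot: `cost *= sched_cost_diffpkg` / `cost *= sched_cost_diffcore` multiplies a value that can already be negative at that point (the `cost -= l2resident * sched_cost_resident` just above is in the hunk's context), so a cross-package move of a cache-resident process comes out more attractive rather than less. Add the topology penalty instead of multiplying, or apply the factor before the residency subtraction. Also, defining `ARCH_HAVE_CPU_TOPOLOGY` in the middle of `struct cpu_info` works but is easy to overlook; it belongs with the other feature macros near the top of cpu.h, and the cost factors (2 and 3) should be flagged as guesses in a comment the way the cover mail does.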
Re: Scheduler improvements, take 1001, Patch 3/5
diff --git a/arch/amd64/amd64/identcpu.c b/arch/amd64/amd64/identcpu.c index c597bb0..982c2bb 100644 --- a/arch/amd64/amd64/identcpu.c +++ b/arch/amd64/amd64/identcpu.c @@ -210,6 +210,8 @@ void (*setperf_setup)(struct cpu_info *); void via_nano_setup(struct cpu_info *ci); +void cpu_topology(struct cpu_info *ci); + void via_nano_setup(struct cpu_info *ci) { 
@@ -479,4 +481,123 @@ identifycpu(struct cpu_info *ci) sensordev_install(ci-ci_sensordev); #endif } + + cpu_topology(ci); +} + +/* + * Base 2 logarithm of an int. returns 0 for 0 (yeye, I know). + */ +static int +log2(unsigned int i) +{ + int ret = 0; + + while (i = 1) + ret++; + + return (ret); +} + +static int +mask_width(u_int x) +{ + int bit; + int mask; + int powerof2; + + powerof2 = ((x - 1) x) == 0; + mask = (x (1 - powerof2)) - 1; + + /* fls */ + if (mask == 0) + return (0); + for (bit = 1; mask != 1; bit++) + mask = (unsigned int)mask 1; + + return (bit); +} + +/* + * Build up cpu topology for given cpu, must run on the core itself. + */ +void +cpu_topology(struct cpu_info *ci) +{ + u_int32_t eax, ebx, ecx, edx; + u_int32_t apicid, max_apicid, max_coreid; + u_int32_t smt_bits, core_bits, pkg_bits; + u_int32_t smt_mask, core_mask, pkg_mask; + + /* We need at least apicid at CPUID 1 */ + CPUID(0, eax, ebx, ecx, edx); + if (eax 1) + goto no_topology; + + /* Initial apicid */ + CPUID(1, eax, ebx, ecx, edx); + apicid = (ebx 24) 0xff; + + if (strcmp(cpu_vendor, AuthenticAMD) == 0) { + /* We need at least apicid at CPUID 0x8008 */ + CPUID(0x8000, eax, ebx, ecx, edx); + if (eax 0x8008) + goto no_topology; + + CPUID(0x8008, eax, ebx, ecx, edx); + core_bits = (ecx 12) 0xf; + if (core_bits == 0) + goto no_topology; + /* So coreidsize 2 gives 3, 3 gives 7... 
*/ + core_mask = (1 core_bits) - 1; + /* Core id is the least significant considering mask */ + ci-ci_core_id = apicid core_mask; + /* Pkg id is the upper remaining bits */ + ci-ci_pkg_id = apicid ~core_mask; + ci-ci_pkg_id = core_bits; + } else if (strcmp(cpu_vendor, GenuineIntel) == 0) { + /* We only support leaf 1/4 detection */ + CPUID(0, eax, ebx, ecx, edx); + if (eax 4) + goto no_topology; + /* Get max_apicid */ + CPUID(1, eax, ebx, ecx, edx); + max_apicid = (ebx 16) 0xff; + /* Get max_coreid */ + CPUID2(4, 0, eax, ebx, ecx, edx); + max_coreid = ((eax 26) 0x3f) + 1; + /* SMT */ + smt_bits = mask_width(max_apicid / max_coreid); + smt_mask = (1 smt_bits) - 1; + /* Core */ + core_bits = log2(max_coreid); + core_mask = (1 (core_bits + smt_bits)) - 1; + core_mask ^= smt_mask; + /* Pkg */ + pkg_bits = core_bits + smt_bits; + pkg_mask = -1 core_bits; + + ci-ci_smt_id = apicid smt_mask; + ci-ci_core_id = (apicid core_mask) smt_bits; + ci-ci_pkg_id = (apicid pkg_mask) pkg_bits; + } else + goto no_topology; +#ifdef DEBUG + printf(cpu%d: smt %u, core %u, pkg %u + (apicid 0x%x, max_apicid 0x%x, max_coreid 0x%x, smt_bits 0x%x, smt_mask 0x%x, + core_bits 0x%x, core_mask 0x%x, pkg_bits 0x%x, pkg_mask 0x%x)\n, + ci-ci_cpuid, ci-ci_smt_id, ci-ci_core_id, ci-ci_pkg_id, + apicid, max_apicid, max_coreid, smt_bits, smt_mask, core_bits, + core_mask, pkg_bits, pkg_mask); +#else + printf(cpu%d: smt %u, core %u, package %u\n, ci-ci_cpuid, + ci-ci_smt_id, ci-ci_core_id, ci-ci_pkg_id); + +#endif + return; + /* We can't map, so consider ci_core_id as ci_cpuid */ +no_topology: + ci-ci_smt_id = 0; + ci-ci_core_id = ci-ci_cpuid; + ci-ci_pkg_id = 0; } diff --git a/arch/amd64/include/cpu.h b/arch/amd64/include/cpu.h index 9ce437a..12e48d6 100644 --- a/arch/amd64/include/cpu.h +++ b/arch/amd64/include/cpu.h 
@@ -102,6 +102,9 @@ struct cpu_info { u_int32_t ci_cflushsz; u_int64_t ci_tsc_freq; + u_int32_t ci_smt_id; + u_int32_t ci_core_id; + u_int32_t ci_pkg_id; struct cpu_functions *ci_func; void (*cpu_setup)(struct cpu_info *); void (*ci_info)(struct cpu_info *); diff --git a/arch/amd64/include/specialreg.h b/arch/amd64/include/specialreg.h index 142fbbc..cab0985 100644 ---
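Review bot: the AuthenticAMD branch of cpu_topology() assigns ci_core_id and ci_pkg_id but never ci_smt_id, whereas the GenuineIntel branch and the no_topology fallback set all three; the non-DEBUG printf at the end of the function then reports whatever ci_smt_id happened to contain, so set it explicitly in that branch (`ci->ci_smt_id = 0;` if the AMD leaf yields no thread information). A second point in the same hunk: CPUID.1:EBX[23:16], read into max_apicid, is only defined when the HTT feature flag is set, and the Intel path divides it by max_coreid and hands the quotient to mask_width() without checking for 0, where `x - 1` wraps on an unsigned zero and the result is not a meaningful field width; test the HTT bit (or max_apicid == 0) before the leaf-4 computation and take the no_topology exit instead.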
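Review bot: the three fields added to struct cpu_info in the cpu.h hunk (ci_smt_id, ci_core_id, ci_pkg_id) come without a comment, and their meaning is not uniform: when cpu_topology() cannot map the topology it stores ci_cpuid in ci_core_id and 0 in the other two, so a consumer that reads ci_core_id as a hardware core number (the scheduler cost code in patch 4/5 is the obvious one) is wrong on such machines. A one-line comment per field, in the style of the neighbouring members, stating that fallback convention would save readers from re-deriving it from identifycpu().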
Re: Scheduler improvements, take 1001, Patch 2/5
This patch simply halves the timeslice processes get until they are preempted. This patch is standalone and the rest of the patches do not depend on it, but I figured I'd throw it in anyway. -- Gregor Best
Re: Scheduler improvements, take 1001, Patch 3/5
This patch simply imports Christiano's code for detecting CPU topology, as posted on tech@ a while (more than two months) ago. I took it verbatim and didn't change anything yet. -- Gregor Best
Re: Scheduler improvements, take 1001, Patch 4/5
This patch uses the previous one to take CPU topology into account when calculating the cost of moving a process between CPUs. This is only done on amd64 at the moment, and the cost factors are guesses right now, but it's a start. -- Gregor Best
Re: Scheduler improvements, take 1001, Patch 5/5
This patch moves struct schedstate_percpu to kernel land, which I think is cleaner than exposing structures for scheduler state to userland, especially since grepping for 'schedstate' in /usr/src yielded no results outside of /usr/src/sys. I have not seen negative impact from this, but I haven't yet run a full userland build (it's running at the moment but the machine I'm building on is a bit slower than my laptop). -- Gregor Best
Re: smtpd require auth
On 10/09/12 17:38, Gilles Chehade wrote: On Tue, Oct 09, 2012 at 09:29:25AM -0600, Bob Beck wrote: On Tue, Oct 9, 2012 at 9:25 AM, Gilles Chehade gil...@poolp.org wrote: I agree with you that people will probably not want port 587 without auth turned on so from a practical point of view, we could make it implicit. There's a syntax issue though because users will likely be less surprised by:
listen on bnx0 port submission [...] tls-require
listen on bnx0 [...] tls-require
than:
listen on bnx0 port submission [...]# implicit tls-require
listen on bnx0 [...]# not here though
If there's no require for auth, just auth - then there's really no confusion I think. And there is a real normal use case for opportunistic (as opposed to required) TLS. I don't think there is one for auth on port 587. I.E. I think tls and tls-require make sense to have differentiated. I'm not sure it makes sense to have auth and auth-required - I think auth should just mean it's required. Oh I get it but see my conf for instance:
listen on bnx0 [...] auth
accept from all for domain opensmtpd.org deliver to maildir
accept for all relay
Now keep in mind that the relay rule here can only be matched by a local or authenticated user. The distinction between auth and auth-require allows me to make auth optional so that random people can mail @opensmtpd.org but so that only eric, chl or I can relay mail elsewhere from that box. Now with:
listen on bnx0 [...] auth-require
accept from all for domain opensmtpd.org deliver to maildir
accept for all relay
people would need to auth on the server to be able to mail us. I think Bob's point is that then you use 587 (with auth) for yourselves and 25 (without auth) for mail from the rest of the intertubes.
Re: smtpd require auth
On 2012/10/09 18:49, Alexander Hall wrote: On 10/09/12 17:38, Gilles Chehade wrote: On Tue, Oct 09, 2012 at 09:29:25AM -0600, Bob Beck wrote: On Tue, Oct 9, 2012 at 9:25 AM, Gilles Chehade gil...@poolp.org wrote: I agree with you that people will probably not want port 587 without auth turned on so from a practical point of view, we could make it implicit. There's a syntax issue though because users will likely be less surprised by:
listen on bnx0 port submission [...] tls-require
listen on bnx0 [...] tls-require
than:
listen on bnx0 port submission [...]# implicit tls-require
listen on bnx0 [...]# not here though
If there's no require for auth, just auth - then there's really no confusion I think. And there is a real normal use case for opportunistic (as opposed to required) TLS. I don't think there is one for auth on port 587. I.E. I think tls and tls-require make sense to have differentiated. I'm not sure it makes sense to have auth and auth-required - I think auth should just mean it's required. Oh I get it but see my conf for instance:
listen on bnx0 [...] auth
accept from all for domain opensmtpd.org deliver to maildir
accept for all relay
Now keep in mind that the relay rule here can only be matched by a local or authenticated user. The distinction between auth and auth-require allows me to make auth optional so that random people can mail @opensmtpd.org but so that only eric, chl or I can relay mail elsewhere from that box. Now with:
listen on bnx0 [...] auth-require
accept from all for domain opensmtpd.org deliver to maildir
accept for all relay
people would need to auth on the server to be able to mail us. I think Bob's point is that then you use 587 (with auth) for yourselves and 25 (without auth) for mail from the rest of the intertubes. Sometimes you need 25 with auth, some stupid clients exist which support auth but make it difficult to change the port number.
Re: smtpd require auth
On Tue, Oct 09, 2012 at 06:49:15PM +0200, Alexander Hall wrote: I think Bob's point is that then you use 587 (with auth) for yourselves and 25 (without auth) for mail from the rest of the intertubes. Yes I understand this :-) What I want to highlight is the implication of this change so that there is no surprise if we go that path. If we decide that auth means auth is required then the setup I described cannot be implemented and we will be imposing on users that they set up a listener on port submission if they want to send mail from an MX. I'm not against it, it has no implication for me and I like smaller conf but I'm unsure everyone feels the same. Do we want to go that path? -- Gilles Chehade https://www.poolp.org @poolpOrg
Re: smtpd require auth
I think Bob's point is that then you use 587 (with auth) for yourselves and 25 (without auth) for mail from the rest of the intertubes. Yes, that's my point :)
Re: smtpd require auth
On 10/09/12 17:07, Gilles Chehade wrote: On Tue, Oct 09, 2012 at 03:48:44PM +0200, Gilles Chehade wrote: On Tue, Oct 09, 2012 at 03:43:03PM +0200, Alexander Hall wrote: On 10/09/12 15:33, Gilles Chehade wrote: Argh, you should have talked to me first ... Both require ssl and require auth are implemented already ... I did not commit yet because we stabilized a release and decided to not add new features to it unless they are critical. This feature should be committed in a few days well well, I got the pleasure of pretending to be a real hacker anyway... ;-) Actually, your diff has a nice idea regarding the enable|require part which we'll incorporate in my diff, so you didn't hack for nothing :-) \o/ The following diff is what I intend to commit tonight with an ok from eric@. It applies on -current, but beware as it kills the enable keyword:
listen on bnx0 [...] auth # enable auth
listen on bnx0 [...] auth-require # require auth
I thought 'enable auth' and 'require auth' were more readable, but I could live with this too (now, should we end up having the non-enforcing variant).
diff --git a/parse.y b/parse.y index 8df8521..f0917c1 100644 --- a/parse.y +++ b/parse.y @@ -123,8 +123,9 @@ typedef struct { %tokenMAP HASH LIST SINGLE SSL SMTPS CERTIFICATE ENCRYPTION %tokenDB LDAP PLAIN DOMAIN SOURCE %token RELAY BACKUP VIA DELIVER TO MAILDIR MBOX HOSTNAME -%token ACCEPT REJECT INCLUDE ERROR MDA FROM FOR -%token ARROW ENABLE AUTH TLS LOCAL VIRTUAL TAG ALIAS FILTER KEY DIGEST +%token ACCEPT REJECT INCLUDE ERROR MDA FROM FOR SSLONLY AUTHONLY +%token ARROW AUTH TLS LOCAL VIRTUAL TAG ALIAS FILTER KEY DIGEST +%token AUTH_REQUIRE TLS_REQUIRE %tokenv.stringSTRING %token v.number NUMBER %type v.map map 
@@ -260,10 +261,12 @@ certname : CERTIFICATE STRING{ ssl : SMTPS { $$ = F_SMTPS; } | TLS { $$ = F_STARTTLS; } | SSL { $$ = F_SSL; } - | /* empty */ { $$ = 0; } + | TLS_REQUIRE { $$ = F_STARTTLS|F_STARTTLS_REQUIRE; } + | /* Empty */ { $$ = 0; } ; -auth : ENABLE AUTH { $$ = 1; } +auth : AUTH { $$ = F_AUTH; } + | AUTH_REQUIRE { $$ = F_AUTH|F_AUTH_REQUIRE; } | /* empty */ { $$ = 0; } ; @@ -367,7 +370,7 @@ main: QUEUE INTERVAL interval { flags = $5; if ($7) - flags |= F_AUTH; + flags |= $7; The if statement is pretty pointless. Together with the prior line: flags = $5 | $7; if ($5 ssl_load_certfile(cert, F_SCERT) 0) { yyerror(cannot load certificate: %s, cert); @@ -940,6 +943,7 @@ lookup(char *s) { all, ALL }, { as, AS }, { auth, AUTH }, + { auth-require, AUTH_REQUIRE }, { backup, BACKUP }, { certificate, CERTIFICATE }, { cipher, CIPHER }, @@ -948,7 +952,6 @@ lookup(char *s) { deliver, DELIVER }, { digest, DIGEST }, { domain, DOMAIN }, - { enable, ENABLE }, { encryption, ENCRYPTION }, { expire, EXPIRE }, { filter, FILTER }, @@ -980,6 +983,7 @@ lookup(char *s) { ssl, SSL }, { tag, TAG }, { tls, TLS }, + { tls-require, TLS_REQUIRE }, { to, TO }, { via, VIA }, { virtual, VIRTUAL }, diff --git a/smtp_session.c b/smtp_session.c index a7b0d30..4c65159 100644 --- a/smtp_session.c +++ b/smtp_session.c @@ -400,6 +400,19 @@ session_rfc5321_mail_handler(struct session *s, char *args) return 1; } + + if (s-s_l-flags F_STARTTLS_REQUIRE) + if (!(s-s_flags F_SECURE)) { + session_respond(s, 530 5.7.0 Must issue a STARTTLS command first); long line + return 1; + } + + if (s-s_l-flags F_AUTH_REQUIRE) + if (!(s-s_flags F_AUTHENTICATED)) { + session_respond(s, 530 5.7.0 Must issue a AUTH command first); long line maybe _an_ AUTH command also, is the nested if(), in both cases above, for style reasons? +
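Review bot: the first parse.y hunk adds SSLONLY and AUTHONLY to the %token list, but no production in the grammar hunks uses them and the lookup() table changes only wire up the auth-require and tls-require keywords, so the two tokens look like leftovers from an earlier naming; drop them, or add the productions and keywords they were meant for.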
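Review bot: in the session_rfc5321_mail_handler() hunk the auth-required reply copies the STARTTLS wording (`530 5.7.0 Must issue a AUTH command first`); RFC 4954 section 6 defines `530 5.7.0 Authentication required` for exactly this case, a command refused by policy until the client authenticates, so that text is both grammatical and what clients already recognise. Checking F_STARTTLS_REQUIRE before F_AUTH_REQUIRE, as the hunk does, is the right order, since a client must be told to STARTTLS before it can be expected to AUTH.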
Re: smtpd require auth
On Tue, Oct 09, 2012 at 07:05:46PM +0200, Alexander Hall wrote: The following diff is what I intend to commit tonight with an ok from eric@. It applies on -current, but beware as it kills the enable keyword:
listen on bnx0 [...] auth # enable auth
listen on bnx0 [...] auth-require # require auth
I thought 'enable auth' and 'require auth' were more readable, but I could live with this too (now, should we end up having the non-enforcing variant). enable makes the lines very long when you want to enable both ssl we discussed this with eric@ and this was the consensus. it's not written in stone, if we get convinced of a nicer syntax, we can change it again ... it's not like a one word change in a 4 lines config is going to bug people that much :-) flags = $5; if ($7) -flags |= F_AUTH; +flags |= $7; The if statement is pretty pointless. Together with the prior line: flags = $5 | $7; right, will change that +if (s-s_l-flags F_STARTTLS_REQUIRE) +if (!(s-s_flags F_SECURE)) { +session_respond(s, 530 5.7.0 Must issue a STARTTLS command first); long line +return 1; +} + +if (s-s_l-flags F_AUTH_REQUIRE) +if (!(s-s_flags F_AUTHENTICATED)) { +session_respond(s, 530 5.7.0 Must issue a AUTH command first); long line maybe _an_ AUTH command also, is the nested if(), in both cases above, for style reasons? will fix long lines and _an_ the nested if are here because it makes it more readable to me for one and it allowed me to easily put log_debug() to ensure it was doing what it was supposed to during my testing :-) Other than that, reads fine. okie dokie! -- Gilles Chehade https://www.poolp.org @poolpOrg
Re: smtpd require auth
On Tue, Oct 09, 2012 at 11:08:17AM -0600, Bob Beck wrote: On Tue, Oct 9, 2012 at 11:04 AM, Bob Beck b...@obtuse.com wrote: I think Bob's point is that then you use 587 (with auth) for yourselves and 25 (without auth) for mail from the rest of the intertubes. Yes, that's my point :) Along with the fact that this is probably the 99% use case out there. Keeping with an OpenBSD type philosophy says that the config should be geared towards that with a minimum of knobs, especially knobs you need to turn to be in the 99% use case. That's all I'm saying :) Then what about the opposite?
listen on fxp0 [...] auth # 99% case
listen on fxp0 [...] auth-optional # 1% case
-- Gilles Chehade https://www.poolp.org @poolpOrg
Re: smtpd require auth
Bob Beck wrote: On Tue, Oct 9, 2012 at 11:04 AM, Bob Beck b...@obtuse.com wrote: I think Bob's point is that then you use 587 (with auth) for yourselves and 25 (without auth) for mail from the rest of the intertubes. Yes, that's my point :) Along with the fact that this is probably the 99% use case out there. Keeping with an OpenBSD type philosophy says that the config should be geared towards that with a minimum of knobs, especially knobs you need to turn to be in the 99% use case. That's all I'm saying :) How about auth being authentication required and an optional auth (or optional-auth) to allow the flexibility for setups like the one Gilles was talking about? Giving you the lack of surprise for turning on auth, without locking out the case where you don't want to require it. --Kurt
Re: smtpd require auth
Then what about the opposite?
listen on fxp0 [...] auth # 99% case
listen on fxp0 [...] auth-optional # 1% case
Better, as long as we're sure there's real use for auth-optional
Re: smtpd require auth
On 10/09/12 19:21, Gilles Chehade wrote: On Tue, Oct 09, 2012 at 11:08:17AM -0600, Bob Beck wrote: On Tue, Oct 9, 2012 at 11:04 AM, Bob Beck b...@obtuse.com wrote: I think Bob's point is that then you use 587 (with auth) for yourselves and 25 (without auth) for mail from the rest of the intertubes. Yes, that's my point :) Along with the fact that this is probably the 99% use case out there. Keeping with an OpenBSD type philosophy says that the config should be geared towards that with a minimum of knobs, especially knobs you need to turn to be in the 99% use case. That's all I'm saying :) Then what about the opposite?
listen on fxp0 [...] auth # 99% case
listen on fxp0 [...] auth-optional # 1% case
I'd say this is at least less surprising, and will likely cause fewer admins to open a backdoor for locally destined mail, bypassing spam countermeasures and the likes. /Alexander
Re: smtpd require auth
I also like the last version, makes the default sane. On 9 Oct 2012 19:56, Bob Beck b...@obtuse.com wrote: Then what about the opposite?
listen on fxp0 [...] auth # 99% case
listen on fxp0 [...] auth-optional # 1% case
Better, as long as we're sure there's real use for auth-optional
Re: smtpd require auth
Then what about the opposite?
listen on fxp0 [...] auth # 99% case
listen on fxp0 [...] auth-optional # 1% case
I'd say this is at least less surprising, and will likely cause fewer admins to open a backdoor for locally destined mail, bypassing spam countermeasures and the likes. /Alexander Now having said that - have we now made it easy for admins to accidentally enable auth over cleartext connections? I.E. if I turn on auth - does it insist on TLS for the auth connections unless I tell it please make me insecure or something like that? (My favorite pet hate with some other MTAs) my point is it should be *hard* not easy to turn on auth without TLS.
Re: smtpd require auth
On Tue, Oct 09, 2012 at 12:02:48PM -0600, Bob Beck wrote: Then what about the opposite?
listen on fxp0 [...] auth # 99% case
listen on fxp0 [...] auth-optional # 1% case
I'd say this is at least less surprising, and will likely cause fewer admins to open a backdoor for locally destined mail, bypassing spam countermeasures and the likes. /Alexander Now having said that - have we now made it easy for admins to accidentally enable auth over cleartext connections? I.E. if I turn on auth - does it insist on TLS for the auth connections unless I tell it please make me insecure or something like that? (My favorite pet hate with some other MTAs) my point is it should be *hard* not easy to turn on auth without TLS. Yes, you cannot turn on auth without tls/smtps in config and a user cannot request AUTH before he has established a secure channel first ;-) -- Gilles Chehade https://www.poolp.org @poolpOrg
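The behaviour the thread converges on (a listener's tls-require and auth-require enforced when the client issues MAIL, auth only configurable on a TLS-capable listener, and AUTH refused until the channel is secure) as a small state machine. This is an added example, not OpenSMTPD's code: the flag names follow the keyword pair in the diff under discussion (auth / auth-require), and the reply strings, flag values and the `Session` / `run` / `listener_errors` helpers are constructed for the illustration. The later proposal in the thread (auth meaning required, auth-optional for the other case) only swaps which keyword carries F_AUTH_REQUIRE.

```python
"""Listener policy model for the auth / auth-require / tls-require thread.

Added illustration, not OpenSMTPD's code. It encodes the behaviour the
thread describes as a small state machine: a listener may offer STARTTLS
or implicit TLS (smtps), may require TLS, may offer or require AUTH, and
a session may never AUTH over cleartext. Flag and reply values are
constructed for this example.
"""
from dataclasses import dataclass

# Listener flags, named after the keywords in the thread (constructed values).
F_STARTTLS = 1 << 0          # tls: STARTTLS offered
F_SMTPS = 1 << 1             # smtps: implicit TLS on connect
F_STARTTLS_REQUIRE = 1 << 2  # tls-require
F_AUTH = 1 << 3              # auth: AUTH offered
F_AUTH_REQUIRE = 1 << 4      # auth-require


def listener_errors(flags: int) -> list:
    """Config-time checks: auth needs a TLS-capable listener, and
    auth-require only makes sense when auth is offered at all."""
    errors = []
    if flags & F_AUTH and not flags & (F_STARTTLS | F_SMTPS):
        errors.append("auth requires tls or smtps on the listener")
    if flags & F_AUTH_REQUIRE and not flags & F_AUTH:
        errors.append("auth-require implies auth")
    return errors


@dataclass
class Session:
    listener_flags: int
    secure: bool = False          # TLS established (implicit for smtps)
    authenticated: bool = False

    def __post_init__(self):
        errors = listener_errors(self.listener_flags)
        if errors:
            raise ValueError("; ".join(errors))
        if self.listener_flags & F_SMTPS:
            self.secure = True

    def command(self, verb: str) -> str:
        """Reply for one command after the policy checks the thread describes."""
        lf = self.listener_flags
        if verb == "STARTTLS":
            if not lf & F_STARTTLS or self.secure:
                return "503 5.5.1 Command not allowed"
            self.secure = True
            return "220 2.0.0 Ready to start TLS"
        if verb == "AUTH":
            if not lf & F_AUTH:
                return "503 5.5.1 Command not allowed"
            if not self.secure:  # never accept credentials over cleartext
                return "530 5.7.0 Must issue a STARTTLS command first"
            self.authenticated = True  # the credential check itself is out of scope
            return "235 2.7.0 Authentication succeeded"
        if verb == "MAIL":
            # Order matters: tell the client to STARTTLS before asking it to AUTH.
            if lf & F_STARTTLS_REQUIRE and not self.secure:
                return "530 5.7.0 Must issue a STARTTLS command first"
            if lf & F_AUTH_REQUIRE and not self.authenticated:
                return "530 5.7.0 Authentication required"
            return "250 2.1.0 Ok"
        return "500 5.5.1 Command unrecognized"


def run(flags: int, verbs) -> list:
    """Drive one session through a list of command verbs, returning the replies."""
    session = Session(flags)
    return [session.command(v) for v in verbs]


if __name__ == "__main__":
    submission = F_STARTTLS | F_STARTTLS_REQUIRE | F_AUTH | F_AUTH_REQUIRE
    for verbs in (["MAIL"], ["AUTH"], ["STARTTLS", "MAIL"], ["STARTTLS", "AUTH", "MAIL"]):
        print(verbs, "->", run(submission, verbs))
```

Gilles' own setup from earlier in the thread corresponds to `F_STARTTLS | F_AUTH` on port 25: MAIL is accepted from an unauthenticated client, and the distinction between local/authenticated and other senders is left to the accept rules rather than the listener.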
Re: Support power saving with athn(4) in host AP mode
On 22.8.2012 12:52, Marko Saarela wrote: On 18.8.2012 11:40, Mark Kettenis wrote: Further testing would be welcome. Even if you don't use clients with power saving enabled. So if you're running an athn(4) based AP, please give this a spin. Been testing this for two days and everything seems to work like a charm. Testing done with two clients, a Windows 7 laptop (Intel Wifi Link 1000 BGN wlan adapter) and with an iPhone 4S (iOS 5.1.1). Previously I could barely have http connections with the laptop (ssh not working) and the iPhone wouldn't connect to the AP at all. Now I have no problems at all using either device. Thanks for making this possible! After some further testing it seems the Windows 7 laptop has issues from time to time. Most often they appear with power saving set to maximum. I also bought a new toy, the new iPad, and I've had some annoying issues with it. The iPad works fine after authenticating, but when I try to use it again after it has slept for some time I am unable to connect to the AP. (The iPad shows as connected but nothing seems to get through.) Only cure was to bring the athn interface down and up again on the AP. Then I noticed Nathanael Rensen's patch on the mailing list ( http://marc.info/?l=openbsd-techm=134884569621114 ). The IEEE802.11 parts looked worth trying and what do you know - the problems I had were solved. Thanks for the hard work guys! I'll report back if I encounter any more issues. Marko
Re: smtpd require auth
On 10/09/12 15:24, Alexander Hall wrote: Hi, I suddenly got a flood of incoming spam, and when I could not find any trace of them in the spamdb output, I suspected it was coming in on port 587, which I had configured with tls and enable auth For shitz and giggles, I don't believe they spammed me on port 587 any more. I had mistakenly bypassed spamd all by myself by adding a pass in... to port { ..., smtp, smtps, ...} a bit below the spamd stuff in /etc/pf.conf. Last match wins is good. Until it isn't. But nothing helps when PEBKAC. :-) (The change still makes sense, though.) /Alexander
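The rule-ordering mistake described in the message, as an added model that is not pf code: a toy evaluator implementing pf's last-matching-rule-wins (and quick) semantics over a constructed ruleset shaped like the spamd(8) block (a rdr-to rule for smtp followed by direct-pass rules for the nospamd and spamd-white tables), which then shows how a later general pass rule that lists smtp becomes the last match and silently drops the redirect. The `Rule` / `Packet` types, the table names, the port list and the spamd address are assumptions made for the example.

```python
"""Model of pf's last-matching-rule semantics for the spamd bypass above.

Added illustration, not pf(4) or spamd(8) code: a toy evaluator over a
constructed ruleset that keeps only what the mistake needs (destination
port, a source table, rdr-to, quick). pf walks the rules in order and the
LAST matching rule decides, unless a matching rule says 'quick'.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    ports: FrozenSet[int]                 # destination ports matched
    rdr_to: Optional[str] = None          # redirect target, if any
    src_table: Optional[str] = None       # match only sources in this table
    quick: bool = False
    label: str = ""


@dataclass(frozen=True)
class Packet:
    dport: int
    src_tables: FrozenSet[str] = frozenset()  # tables the source address is in


def evaluate(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Return the rule that decides the packet (None: no rule matched)."""
    winner = None
    for rule in rules:
        if pkt.dport not in rule.ports:
            continue
        if rule.src_table is not None and rule.src_table not in pkt.src_tables:
            continue
        winner = rule
        if rule.quick:      # quick ends evaluation at the first such match
            break
    return winner


SPAMD = "127.0.0.1 port 8025"   # constructed; spamd's default listening port

# Shape of the spamd block: redirect smtp to spamd, then let known-good
# sources (nospamd, spamd-white) through directly, each as a later match.
SPAMD_BLOCK = [
    Rule(frozenset({25}), rdr_to=SPAMD, label="smtp rdr-to spamd"),
    Rule(frozenset({25}), src_table="nospamd", label="nospamd direct"),
    Rule(frozenset({25}), src_table="spamd-white", label="whitelist direct"),
]

# The mistake from the message: a general 'pass in ... to port {...}' placed
# below the spamd block and listing smtp, so it becomes the last match for
# every SMTP connection and silently drops the redirect.
BROKEN = SPAMD_BLOCK + [Rule(frozenset({22, 25, 465, 587}), label="general pass")]

# One fix: keep the general rule but take the greylisted port out of it
# (moving the rule above the spamd block would work as well).
FIXED = SPAMD_BLOCK + [Rule(frozenset({22, 465, 587}), label="general pass")]


def smtp_destination(rules: List[Rule], src_tables=frozenset()) -> Optional[str]:
    """Where a port-25 connection from a source in src_tables ends up:
    the rdr-to target, or None for direct delivery (or no match at all)."""
    rule = evaluate(rules, Packet(25, frozenset(src_tables)))
    return rule.rdr_to if rule else None


if __name__ == "__main__":
    print("broken ruleset, unknown sender ->", smtp_destination(BROKEN))
    print("fixed ruleset, unknown sender  ->", smtp_destination(FIXED))
    print("fixed ruleset, whitelisted     ->", smtp_destination(FIXED, {"spamd-white"}))
```

Adding `quick` to the rdr-to rule is not the right repair here: it would also pre-empt the nospamd and spamd-white pass rules that are meant to match after it.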
IPv6 stable privacy addresses (Fwd: I-D Action: draft-ietf-6man-stable-privacy-addresses-01.txt)
Folks, FYI. This is meant to solve the problem of host tracking and address scanning: http://tools.ietf.org/html/draft-ietf-6man-stable-privacy-addresses-01 Thanks, Fernando Original Message Subject: I-D Action: draft-ietf-6man-stable-privacy-addresses-01.txt Date: Sun, 07 Oct 2012 16:50:49 -0700 From: internet-dra...@ietf.org To: i-d-annou...@ietf.org CC: i...@ietf.org A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the IPv6 Maintenance Working Group of the IETF. Title : A method for Generating Stable Privacy-Enhanced Addresses with IPv6 Stateless Address Autoconfiguration (SLAAC) Author(s) : Fernando Gont Filename: draft-ietf-6man-stable-privacy-addresses-01.txt Pages : 17 Date: 2012-10-07 Abstract: This document specifies a method for generating IPv6 Interface Identifiers to be used with IPv6 Stateless Address Autoconfiguration (SLAAC), such that addresses configured using this method are stable within each subnet, but the Interface Identifier changes when hosts move from one network to another. The aforementioned method is meant to be an alternative to generating Interface Identifiers based on IEEE identifiers, such that the benefits of stable addresses can be achieved without sacrificing the privacy of users. 
The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-6man-stable-privacy-addresses There's also a htmlized version available at: http://tools.ietf.org/html/draft-ietf-6man-stable-privacy-addresses-01 A diff from the previous version is available at: http://www.ietf.org/rfcdiff?url2=draft-ietf-6man-stable-privacy-addresses-01 Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ IETF IPv6 working group mailing list i...@ietf.org Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 -- Fernando Gont e-mail: ferna...@gont.com.ar || fg...@si6networks.com PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
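The property stated in the abstract (an interface identifier that is stable within a subnet but changes when the host moves to another prefix), as an added example that is not code from the draft: the draft's function F() and its exact inputs are not reproduced on this page, so this uses HMAC-SHA256 over the prefix, the interface name, a DAD retry counter and a per-host secret as one concrete choice (an assumption), and contrasts it with the modified EUI-64 identifier derived from the MAC, which is what makes a host trackable across networks. The `em0` interface name, the MAC address and the key are constructed.

```python
"""Stable, per-network IPv6 interface identifiers: a sketch of the property
described in the draft's abstract above.

Added illustration, not code from the draft. The draft's function F() and
its exact inputs are not reproduced on this page, so this uses HMAC-SHA256
over (prefix, interface name, DAD counter, secret) as one concrete PRF
(assumption) and takes the low 64 bits as the interface identifier. The
modified EUI-64 helper shows the baseline it replaces: an IID that follows
the host from network to network.
"""
import hashlib
import hmac
import ipaddress


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 IID from a MAC: flip the U/L bit, insert ff:fe."""
    b = bytes.fromhex(mac.replace(":", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]
    return int.from_bytes(eui, "big")


def stable_iid(prefix: str, net_iface: str, secret_key: bytes, dad_counter: int = 0) -> int:
    """PRF-derived IID: same (prefix, iface, key) -> same IID; a new prefix
    -> an unrelated IID. dad_counter lets a host retry after a DAD failure."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers need a /64 prefix")
    msg = net.network_address.packed[:8] + net_iface.encode() + bytes([dad_counter & 0xff])
    digest = hmac.new(secret_key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[-8:], "big")


def slaac_address(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit IID into a full address."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64 or not 0 <= iid < 1 << 64:
        raise ValueError("need a /64 prefix and a 64-bit IID")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


if __name__ == "__main__":
    key = b"constructed-per-host-secret"   # constructed; per host, kept private
    mac = "00:11:22:33:44:55"              # constructed example MAC
    for prefix in ("2001:db8:1::/64", "2001:db8:2::/64"):
        print(prefix,
              "eui64:", slaac_address(prefix, eui64_iid(mac)),
              "stable:", slaac_address(prefix, stable_iid(prefix, "em0", key)))
```

Running it shows the EUI-64 suffix `211:22ff:fe33:4455` reappearing under both prefixes while the HMAC-derived suffix differs, which is the tracking problem the draft addresses; within one prefix the HMAC-derived address is the same on every boot as long as the key and interface name do not change.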
Re: smtpd require auth
Penned by Bob Beck on 20121009 10:05.42, we have: | Gilles, I'm actually wondering - should there even be a difference? | | Every practical implementation of 587 I've ever seen requires auth. Is there | any sane reason to have enable auth not actually require it? I.E. what | I'm asking is is enable (without require) simply a silly knob that | we're putting | in place that nobody should use? | | If you're accepting without auth, typically I find that's just done on | port 25 - and | anywhere I've deployed it that's what we've done. | | does anyone have a real use of port 587 with auth turned on but not required? Try stupid ISPs that think that filtering port 25 is going to gain them more business class accounts without such filtering. Having a single port with the option to accept inbound traffic as well as authenticated traffic seems to be a use case that could apply to port 25 as well. Though with the existence of spamd, any sane OpenBSD mail server is going to have a 'delivery only protected by spamd' port and an 'authenticated only port without spamd protection'. I personally now could live w/out the ability to specify 'enable' instead of only having 'require' but in the past I would have found it invaluable. I am familiar with the phrase 'permitting admins to shoot themselves in the foot', and it indeed seems to be in this same vein of thinking to me. Thanks, | On Tue, Oct 9, 2012 at 7:48 AM, Gilles Chehade gil...@poolp.org wrote: | On Tue, Oct 09, 2012 at 03:43:03PM +0200, Alexander Hall wrote: | On 10/09/12 15:33, Gilles Chehade wrote: | Argh, you should have talked to me first ... | | Both require ssl and require auth are implemented already ... I did | not commit yet because we stabilized a release and decided to not | add new features to it unless they are critical. | | This feature should be committed in a few days | | well well, I got the pleasure of pretending to be a real hacker | anyway... ;-) | | | Actually, your diff has a nice idea regarding the enable|require part | which we'll incorporate in my diff, so you didn't hack for nothing :-) | | -- | Gilles Chehade | | https://www.poolp.org @poolpOrg -- Todd Fries .. t...@fries.net |\ 1.636.410.0632 (voice) | Free Daemon Consulting, LLC\ 1.405.227.9094 (voice) | http://FreeDaemonConsulting.com\ 1.866.792.3418 (FAX) | PO Box 16169, Oklahoma City, OK 73113 \ sip:freedae...@ekiga.net | ..in support of free software solutions. \ sip:4052279...@ekiga.net \ 37E7 D3EB 74D0 8D66 A68D B866 0326 204E 3F42 004A http://todd.fries.net/pgp.txt