Re: LibreSSL 2.2 fails to connect to webdav.yandex.com

2015-06-08 Thread Alexey Ivanov

 On Jun 6, 2015, at 5:31 AM, Joel Sing j...@sing.id.au wrote:
 
 On Saturday 06 June 2015, 1edhaz+9sj4olxjt6...@guerrillamail.com wrote:
 Hello,
 
 LibreSSL 2.2 (openbsd-current) fails to connect to
 https://webdav.yandex.com.
 
 OpenSSL 1.0.1m from OpenBSD packages does succeed.
 
 Yandex is the largest search engine in Russia. The webdav.yandex.com
 site is for accessing their file-hosting service.
 
 System info:
 
 $ uname -a
 OpenBSD roger.my.domain 5.7 GENERIC.MP#1039 amd64
 $ dmesg | head -n 1
 OpenBSD 5.7-current (GENERIC.MP) #1039: Wed Jun  3 12:09:31 MDT 2015
 
 [snip]
 
 The issue is due to the remote end not being RFC compliant and failing to
 complete a TLS handshake when it does not recognise TLS signature algorithms
 (sigalgs) that are being advertised by the client. In this case the new
 signature algorithms are related to GOST - almost the definition of irony...
 
GOST… lol indeed =)

 If you want to verify this for yourself, you can comment out the GOST related
 entries in the tls12_sigalgs array in t1_lib.c. HTTPS connections to
 www.yandex.com work without issue, so it would seemingly be the particular
 HTTP server that is being used for this service - I would recommend
 contacting Yandex and reporting the issue to them.
He just did - Yandex is a heavy BSD user, so many people there are reading tech@ 
and freebsd-hackers@. Some brave souls even subscribed to trolls@^Wmisc@!

Back to the problem itself, as far as I know they are aware of it. In the 
meantime, while they are busy solving it on their side, you may want to limit 
the ciphersuites the client is using by calling `SSL_CTX_set_cipher_list` before 
`SSL_do_handshake`.

PS. Anyway, next time you probably want to report libressl-related problems to 
the recently announced libre...@openbsd.org [1].

[1] http://comments.gmane.org/gmane.os.openbsd.tech/42319

 --
 
Action without study is fatal. Study without action is futile.
-- Mary Ritter Beard
 




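A way to see exactly what a client puts on the wire, added here as an example and not code from the thread, from LibreSSL or from Yandex: the C below builds a minimal TLS 1.2 ClientHello carrying a signature_algorithms extension, parses that extension back out of a ClientHello (a captured one works too, once the 5-byte record header is skipped), and removes pairs in the private-use range 224-255 (RFC 5246 section 7.4.1.4.1), which is where LibreSSL's GOST entries in tls12_sigalgs live. The 237/237 GOST codepoints are my assumption from tls1.h, and the random and ciphersuite bytes are constructed filler. Since the server in this report objects to the sigalgs extension rather than to a ciphersuite, this is the field to inspect when checking whether a change to the client's list actually took effect.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TLSEXT_TYPE_signature_algorithms	13
#define TLS_SIGALG_PRIVATE_MIN	224	/* RFC 5246 7.4.1.4.1: 224-255 private use */
/* Assumed: LibreSSL's GOST R 34.11-94 / R 34.10-2001 pair from tls1.h. */
#define TLSEXT_hash_gostr3411	237
#define TLSEXT_signature_gostr34102001	237

struct sigalg { uint8_t hash, sig; };

/* Minimal TLS 1.2 ClientHello handshake message (no record header) with one
 * ciphersuite and the given signature_algorithms; returns its length, 0 on overflow. */
size_t
build_client_hello(uint8_t *out, size_t cap, const struct sigalg *sa, size_t n)
{
	size_t i, ext = 2 + 2 + 2 + 2 * n;	/* type, ext len, list len, pairs */
	size_t body = 2 + 32 + 1 + 2 + 2 + 1 + 1 + 2 + ext;
	uint8_t *p = out;

	if (n > 100 || cap < 4 + body)
		return 0;
	*p++ = 1;				/* HandshakeType client_hello */
	*p++ = body >> 16; *p++ = body >> 8; *p++ = body;
	*p++ = 3; *p++ = 3;			/* client_version TLS 1.2 */
	memset(p, 0x42, 32); p += 32;		/* random: constant filler here */
	*p++ = 0;				/* session_id length */
	*p++ = 0; *p++ = 2; *p++ = 0xc0; *p++ = 0x2f;	/* one suite: ECDHE-RSA-AES128-GCM-SHA256 */
	*p++ = 1; *p++ = 0;			/* compression_methods: null */
	*p++ = ext >> 8; *p++ = ext;
	*p++ = 0; *p++ = TLSEXT_TYPE_signature_algorithms;
	*p++ = (2 + 2 * n) >> 8; *p++ = 2 + 2 * n;
	*p++ = (2 * n) >> 8; *p++ = 2 * n;
	for (i = 0; i < n; i++) {
		*p++ = sa[i].hash;
		*p++ = sa[i].sig;
	}
	return (size_t)(p - out);
}

/* Copy the signature_algorithms pairs of a ClientHello into sa. Returns the
 * pair count, 0 if the extension is absent, -1 if the message is malformed. */
int
parse_sigalgs(const uint8_t *m, size_t len, struct sigalg *sa, size_t cap)
{
	size_t p, end, n, i;

	if (len < 4 || m[0] != 1 ||
	    ((size_t)m[1] << 16 | (size_t)m[2] << 8 | m[3]) != len - 4)
		return -1;
	p = 4 + 2 + 32;				/* header, version, random */
	if (p + 1 > len) return -1;
	p += 1 + m[p];				/* session_id */
	if (p + 2 > len) return -1;
	p += 2 + ((size_t)m[p] << 8 | m[p + 1]);	/* cipher_suites */
	if (p + 1 > len) return -1;
	p += 1 + m[p];				/* compression_methods */
	if (p == len) return 0;			/* no extensions block at all */
	if (p + 2 > len) return -1;
	end = p + 2 + ((size_t)m[p] << 8 | m[p + 1]);
	if (end != len) return -1;
	for (p += 2; p + 4 <= end; p += n) {
		unsigned type = m[p] << 8 | m[p + 1];

		n = (size_t)m[p + 2] << 8 | m[p + 3];
		p += 4;
		if (p + n > end) return -1;
		if (type != TLSEXT_TYPE_signature_algorithms)
			continue;
		if (n < 2 || n % 2 || ((size_t)m[p] << 8 | m[p + 1]) != n - 2)
			return -1;
		if ((n - 2) / 2 > cap) return -1;
		for (i = 0; i < (n - 2) / 2; i++) {
			sa[i].hash = m[p + 2 + 2 * i];
			sa[i].sig = m[p + 3 + 2 * i];
		}
		return (int)((n - 2) / 2);
	}
	return p == end ? 0 : -1;
}

/* Drop private-use pairs in place, the client-side equivalent of commenting
 * the GOST lines out of tls12_sigalgs. Returns the new pair count. */
int
strip_private_use(struct sigalg *sa, int n)
{
	int i, j = 0;

	for (i = 0; i < n; i++)
		if (sa[i].hash < TLS_SIGALG_PRIVATE_MIN &&
		    sa[i].sig < TLS_SIGALG_PRIVATE_MIN)
			sa[j++] = sa[i];
	return j;
}
```

Run parse_sigalgs() over the bytes a client actually sends and compare `n - strip_private_use(sa, n)` before and after the change to the list; a non-zero difference means private-use pairs are still being advertised.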

Re: [Patch] httpd - don't leak fcgi file descriptors

2015-06-08 Thread Claudio Jeker
On Mon, Jun 08, 2015 at 09:12:32PM +0200, Joerg Jung wrote:
 On Tue, Jun 02, 2015 at 05:47:47PM +0200, Claudio Jeker wrote:
  On Tue, Jun 02, 2015 at 01:50:35PM +0200, Joerg Jung wrote:
  
Am 01.06.2015 um 01:25 schrieb Todd Mortimer t...@opennet.ca:
   
I agree that my patch is more of a workaround, and it would be
better to track down how it is that the client is being passed to
server_fcgi with an open socket. I was going this way when I started
   looking at the source, but then I saw that clt->clt_srvevb and
   clt->clt_srvbev get the same treatment (free if not null, then
   reassign) at the same spot in server_fcgi(), and I figured if it
   was good enough for clt_srvevb and clt_srvbev, why not for clt_fd?
  
   Yes, you are right. I think your proposed diff is correct.
   I would like to commit it, if anyone is willing to give OK.
 
  This feels to me more like a workaround, since what happens is that a
  connection is either reused without cleanup or we call the connection
  establishment multiple times for the same client.
  relayd had a similar issue that I fixed lately. One of the issues is that
  event callbacks can be called when you don't really expect them to be
  called.
 
 Yes, workaround was my first impression as well. But after staring at
 the code for a while, I think fixing it in the right way seems not
 trivial and involves several changes.
 
 So, since the diff below is simple and goes along with the style of the
 existing code, AND fixes an actual leak, I would suggest to commit it
 for now, until someone comes up with something better?

Sure. Fine with me. Wondering if the -1 check is needed. IIRC close(-1);
is safe. Anyway you want to add a space after the if.
 
 Regards,
 Joerg
 
   
Index: server_fcgi.c
===
RCS file: /cvs/src/usr.sbin/httpd/server_fcgi.c,v
retrieving revision 1.53
diff -u -p -u -p -r1.53 server_fcgi.c
--- server_fcgi.c26 Mar 2015 09:01:51 -1.53
+++ server_fcgi.c31 May 2015 22:33:54 -
@@ -31,6 +31,7 @@
#include stdio.h
#include time.h
#include ctype.h
+#include unistd.h
#include event.h
   
#include httpd.h
@@ -152,6 +153,9 @@ server_fcgi(struct httpd *env, struct cl
   errstr = failed to allocate evbuffer;
   goto fail;
   }
+
+if(clt-clt_fd != -1)
+close(clt-clt_fd);
   
   clt-clt_fd = fd;
   if (clt-clt_srvbev != NULL)
   
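Review bot: the old descriptor is closed before the bufferevent that may still be attached to it is released, since `clt->clt_srvbev` gets its own free-if-not-NULL treatment on the very next lines; unless that bufferevent's event has already been deleted by the time server_fcgi() runs, this is a close() followed by releasing a bufferevent whose fd is already gone rather than a plain leak fix, so either move the close() after the `clt_srvbev` cleanup or say in the diff why the ordering is harmless. The `if(` also wants a space before the parenthesis.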
  
 
  --
  :wq Claudio
 
 

-- 
:wq Claudio



Re: [Patch] httpd - don't leak fcgi file descriptors

2015-06-08 Thread Joerg Jung
On Tue, Jun 02, 2015 at 05:47:47PM +0200, Claudio Jeker wrote:
 On Tue, Jun 02, 2015 at 01:50:35PM +0200, Joerg Jung wrote:
 
   Am 01.06.2015 um 01:25 schrieb Todd Mortimer t...@opennet.ca:
  
   I agree that my patch is more of a workaround, and it would be
   better to track down how it is that the client is being passed to
   server_fcgi with an open socket. I was going this way when I started
   looking at the source, but then I saw that clt->clt_srvevb and
   clt->clt_srvbev get the same treatment (free if not null, then
   reassign) at the same spot in server_fcgi(), and I figured if it
   was good enough for clt_srvevb and clt_srvbev, why not for clt_fd?
 
  Yes, you are right. I think your proposed diff is correct.
  I would like to commit it, if anyone is willing to give OK.

 This feels to me more like a workaround, since what happens is that a
 connection is either reused without cleanup or we call the connection
 establishment multiple times for the same client.
 relayd had a similar issue that I fixed lately. One of the issues is that
 event callbacks can be called when you don't really expect them to be
 called.

Yes, workaround was my first impression as well. But after staring at
the code for a while, I think fixing it in the right way seems not
trivial and involves several changes.

So, since the diff below is simple and goes along with the style of the
existing code, AND fixes an actual leak, I would suggest to commit it
for now, until someone comes up with something better?

Regards,
Joerg

  
   Index: server_fcgi.c
   ===
   RCS file: /cvs/src/usr.sbin/httpd/server_fcgi.c,v
   retrieving revision 1.53
   diff -u -p -u -p -r1.53 server_fcgi.c
   --- server_fcgi.c26 Mar 2015 09:01:51 -1.53
   +++ server_fcgi.c31 May 2015 22:33:54 -
   @@ -31,6 +31,7 @@
   #include stdio.h
   #include time.h
   #include ctype.h
   +#include unistd.h
   #include event.h
  
   #include httpd.h
   @@ -152,6 +153,9 @@ server_fcgi(struct httpd *env, struct cl
  errstr = failed to allocate evbuffer;
  goto fail;
  }
   +
   +if(clt-clt_fd != -1)
   +close(clt-clt_fd);
  
  clt-clt_fd = fd;
  if (clt-clt_srvbev != NULL)
  
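Review bot: keep the `!= -1` guard rather than relying on close(-1) being harmless: close(-1) fails with EBADF and so overwrites errno on the common path where no descriptor was open, which is exactly the state the -1 sentinel in `clt_fd` encodes; a guarded close costs nothing and keeps errno meaningful for whatever error reporting follows. With the guard kept, the only nit is `if(` -> `if (`.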
 

 --
 :wq Claudio




Re: [Patch] httpd - don't leak fcgi file descriptors

2015-06-08 Thread Theo de Raadt
 Sure. Fine with me. Wondering if the -1 check is needed. IIRC close(-1);
 is safe. Anyway you want to add a space after the if.

One side effect: it changes errno.  But I don't see an impact immediately.



Re: jail_bin_add: script to add binary and libs to chroot

2015-06-08 Thread dan mclaughlin
On Mon, 8 Jun 2015 14:59:28 +0200 Marc Espie es...@nerim.net wrote:
 On Mon, Jun 08, 2015 at 01:46:17AM -0400, dan mclaughlin wrote:
  i figure this should be useful to some.
  any nits welcome.
 
 Unfortunately, this will become increasingly useless in
 gtk-land.
 
 Compare ldd firefox vs a ktrace of the running binary... :(

well this only adds a binary from base or X, but i know what you mean. i wrote
up some scripts to create a chroot and add packages to it, and stumbled upon
gtk and glib problems for a number of packages. most of the (few) ones i use
regularly work though.



fix iwm(4) watchdog

2015-06-08 Thread Stefan Sperling
The iwm(4) watchdog does two things wrong:

 - It doesn't trigger iwm_init_task so the task remains entirely unused.

 - It clears the IFF_UP interface flag. Only the intel wifi drivers do this,
   and I think it's wrong. Other wifi drivers don't clear it. The watchdog
   should attempt to get the hardware going again with minimal disruption.

Can iwm(4) users test this, please? Especially if you occasionally see a
message saying 'iwm0: device timeout' this change will affect you.

Index: if_iwm.c
===
RCS file: /cvs/src/sys/dev/pci/if_iwm.c,v
retrieving revision 1.42
diff -u -p -r1.42 if_iwm.c
--- if_iwm.c30 May 2015 02:49:23 -  1.42
+++ if_iwm.c8 Jun 2015 06:56:31 -
@@ -5720,8 +5720,7 @@ iwm_watchdog(struct ifnet *ifp)
 #ifdef IWM_DEBUG
iwm_nic_error(sc);
 #endif
-   ifp-if_flags = ~IFF_UP;
-   iwm_stop(ifp, 1);
+   task_add(systq, sc-init_task);
ifp-if_oerrors++;
return;
}
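Review bot: with `iwm_stop(ifp, 1)` removed from this path, bringing the hardware down is now entirely up to `sc->init_task`, so the diff stands or falls on iwm_init_task() itself calling iwm_stop() before re-initialising (not shown here); worth stating in the commit message. Repeated timeouts before the task runs are not a problem, as task_add(9) is a no-op for a task already on the queue, and leaving IFF_UP alone matches the stated intent.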



Re: fix iwm(4) watchdog

2015-06-08 Thread Mark Kettenis
 Date: Mon, 8 Jun 2015 09:03:47 +0200
 From: Stefan Sperling s...@stsp.name
 
 The iwm(4) watchdog does two things wrong:
 
  - It doesn't trigger iwm_init_task so the task remains entirely unused.
 
  - It clears the IFF_UP interface flag. Only the intel wifi drivers do this,
and I think it's wrong. Other wifi drivers don't clear it. The watchdog
should attempt to get the hardware going again with minimal disruption.
 
 Can iwm(4) users test this, please? Especially if you occasionally see a
 message saying 'iwm0: device timeout' this change will affect you.

Seems reasonable to me.  ok kettenis@

 Index: if_iwm.c
 ===
 RCS file: /cvs/src/sys/dev/pci/if_iwm.c,v
 retrieving revision 1.42
 diff -u -p -r1.42 if_iwm.c
 --- if_iwm.c  30 May 2015 02:49:23 -  1.42
 +++ if_iwm.c  8 Jun 2015 06:56:31 -
 @@ -5720,8 +5720,7 @@ iwm_watchdog(struct ifnet *ifp)
  #ifdef IWM_DEBUG
   iwm_nic_error(sc);
  #endif
 - ifp-if_flags = ~IFF_UP;
 - iwm_stop(ifp, 1);
 + task_add(systq, sc-init_task);
   ifp-if_oerrors++;
   return;
   }
 
 



an XOR improvement of 1%

2015-06-08 Thread Peter J. Philipp
Hi,

I have made a patch against 5.7 that improves the speed of xor for amd64
by 1% (timed on a separate userland program).   I tested the userland
program against an i386 and an amd64 host, didn't have access to any other
architectures.  

If a hardcore developer thinks this is worth it ... feel free to include
something similar to my patch.  The modes this affects are the CTR and the 
XTS AES modes, the latter being tested by me on my amd64 host with an encrypted
sparse file:

sd1 at scsibus3 targ 1 lun 0: OPENBSD, SR CRYPTO, 005 SCSI2 0/direct fixed
sd1: 1023MB, 512 bytes/sector, 2096561 sectors

It worked so the function must be working.  I have attached my patch for 
review inline.  It goes against /sys/crypto/xform.c

-peter

--- xform.c.origMon Jun  8 09:29:27 2015
+++ xform.c Mon Jun  8 09:34:14 2015
@@ -106,6 +106,8 @@
 u_int32_t deflate_decompress(u_int8_t *, u_int32_t, u_int8_t **);
 u_int32_t lzs_dummy(u_int8_t *, u_int32_t, u_int8_t **);
 
+void xorfunc(u_int8_t *, u_int8_t *, int);
+
 #define AESCTR_NONCESIZE   4
 #define AESCTR_IVSIZE  8
 #define AESCTR_BLOCKSIZE   16
@@ -499,8 +501,11 @@
if (++ctx-ac_block[i])   /* continue on overflow */
break;
rijndaelEncrypt(ctx-ac_ek, ctx-ac_nr, ctx-ac_block, keystream);
+#if 0
for (i = 0; i  AESCTR_BLOCKSIZE; i++)
data[i] ^= keystream[i];
+#endif
+   xorfunc(data, keystream, AESCTR_BLOCKSIZE);
explicit_bzero(keystream, sizeof(keystream));
 }
 
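Review bot: the byte loop is kept under `#if 0` instead of being deleted; if the helper is adopted, drop the dead loop here and in the XTS hunk so the file carries a single XOR implementation, and if it is not adopted the `#if 0` should not go in either.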
@@ -557,8 +562,11 @@
else
rijndael_decrypt(ctx-key1, block, data);
 
+#if 0
for (i = 0; i  AES_XTS_BLOCKSIZE; i++)
data[i] ^= ctx-tweak[i];
+#endif
+   xorfunc(data, ctx-tweak, AES_XTS_BLOCKSIZE);
 
/* Exponentiate tweak */
carry_in = 0;
@@ -676,4 +684,27 @@
 {
*out = NULL;
return (0);
+}
+
+void
+xorfunc(u_int8_t *output, u_int8_t *input, int len)
+{
+int i;
+#if __amd64__
+u_int8_t *i0, *i1, *i2, *i3;
+u_int8_t *o0, *o1, *o2, *o3;
+
+for (i = 0; i  len; i += 4) {
+i0 = (u_int8_t *)input[0 + i]; i1=(u_int8_t *)input[1 + i];
+i2 = (u_int8_t *)input[2 + i]; i3=(u_int8_t *)input[3 + i];
+o0 = (u_int8_t *)output[0 + i]; o1=(u_int8_t *)output[1 + i];
+o2 = (u_int8_t *)output[2 + i]; o3=(u_int8_t *)output[3 + i];
+
+*o0 ^= *i0; *o1 ^= *i1; *o2 ^= *i2; *o3 ^= *i3;
+}
+#else
+for (i = 0; i  len; i++) {
+output[i] ^= input[i];
+}
+#endif
 }
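Review bot: as quoted, `i0 = (u_int8_t *)input[0 + i]` casts the byte value at input[i] to a pointer instead of taking its address (`&input[0 + i]`), so the amd64 branch as written dereferences garbage; if an `&` was simply lost in transit, what remains is a 4-way unroll of single-byte XORs, which the compiler already performs for a fixed 16-byte loop, so a 1% difference measured in userland is within noise. A measurable win needs XOR on 32- or 64-bit words (via memcpy or an aligned pointer, since `data` is not guaranteed aligned), and the branch should be `#ifdef __amd64__`, take a `size_t` length, and either require or check `len % 4 == 0`, which the two 16-byte callers satisfy but nothing enforces.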

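For comparison, a portable way to get the wide XOR the patch is after, written as an added example and not taken from the patch or from sys/crypto/xform.c: the byte loop xform.c uses today, a 64-bit-word variant with a byte tail, an exhaustive check that the two agree for every length and start alignment (the patch's amd64 branch assumes a length that is a multiple of 4, which the two 16-byte callers satisfy but nothing enforces), and the round-trip property CTR and the XTS tweak rely on. Function names and the test data are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BLOCKSIZE 16	/* AESCTR_BLOCKSIZE and AES_XTS_BLOCKSIZE in xform.c */

/* Reference: the byte loop xform.c uses for CTR and XTS. */
void
xor_bytes(uint8_t *dst, const uint8_t *src, size_t len)
{
	size_t i;

	for (i = 0; i < len; i++)
		dst[i] ^= src[i];
}

/*
 * 64 bits at a time with a byte tail. memcpy keeps it free of unaligned
 * access (undefined behaviour on strict architectures, the ones the patch
 * could not be tested on); compilers lower these memcpy calls to plain
 * loads and stores.
 */
void
xor_words(uint8_t *dst, const uint8_t *src, size_t len)
{
	uint64_t a, b;
	size_t i = 0;

	for (; i + sizeof(a) <= len; i += sizeof(a)) {
		memcpy(&a, dst + i, sizeof(a));
		memcpy(&b, src + i, sizeof(b));
		a ^= b;
		memcpy(dst + i, &a, sizeof(a));
	}
	for (; i < len; i++)		/* tail: len need not be a multiple of 8 */
		dst[i] ^= src[i];
}

/*
 * Both variants must agree for every length 0..64 and every start offset
 * 0..7; a version that assumes len % 4 == 0 fails this. Returns 1 on
 * agreement, 0 otherwise.
 */
int
xor_variants_agree(void)
{
	uint8_t a[80], b[80], key[80];
	size_t len, off, k;

	for (len = 0; len <= 64; len++)
		for (off = 0; off < 8; off++) {
			for (k = 0; k < sizeof(a); k++) {	/* constructed data */
				a[k] = b[k] = (uint8_t)(k * 37 + len);
				key[k] = (uint8_t)(k * 91 + 7);
			}
			xor_bytes(a + off, key + off, len);
			xor_words(b + off, key + off, len);
			if (memcmp(a, b, sizeof(a)) != 0)
				return 0;
		}
	return 1;
}

/*
 * What CTR (and the XTS tweak) rely on: XORing the same keystream block
 * twice restores the plaintext, so the XOR helper is also the decryptor.
 * Returns 1 if the round trip is exact and one pass really changed the data.
 */
int
xor_roundtrip_ok(void)
{
	uint8_t data[BLOCKSIZE], copy[BLOCKSIZE], ks[BLOCKSIZE];
	size_t i;

	for (i = 0; i < BLOCKSIZE; i++) {	/* constructed block and keystream */
		data[i] = (uint8_t)(0x10 + i);
		ks[i] = (uint8_t)(0xa5 ^ (i * 13));
	}
	memcpy(copy, data, sizeof(data));
	xor_words(data, ks, BLOCKSIZE);
	if (memcmp(copy, data, sizeof(data)) == 0)
		return 0;
	xor_words(data, ks, BLOCKSIZE);
	return memcmp(copy, data, sizeof(data)) == 0;
}
```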


Fix for handling SNMP GETBULK Requests

2015-06-08 Thread Gerhard Roth
Hi,

there's a bug in snmpd that breaks GETBULK requests for multiple OIDs.

Example:

   # OID1=1.3.6.1.2.1.1.1
   # OID2=1.3.6.1.2.1.31.1.1.1.1
   # snmpbulkget -Cr3 -c public -v2c localhost $OID1
   SNMPv2-MIB::sysDescr.0 = STRING: OpenBSD null 5.7 GENERIC#123 i386
   SNMPv2-MIB::sysObjectID.0 = OID: OPENBSD-BASE-MIB::openBSDDefaultObjectID
   SNMPv2-MIB::sysUpTime.0 = Timeticks: (68096) 0:11:20.96
   # snmpbulkget -Cr3 -c public -v2c localhost $OID2
   IF-MIB::ifName.1 = STRING: em0
   IF-MIB::ifName.2 = STRING: iwi0
   IF-MIB::ifName.3 = STRING: enc0
   # snmpbulkget -Cr3 -c public -v2c localhost $OID1 $OID2
   SNMPv2-MIB::sysDescr.0 = STRING: OpenBSD null 5.7 GENERIC#123 i386
   IF-MIB::ifName.1 = STRING: em0
   IF-MIB::ifName.2 = STRING: iwi0
   IF-MIB::ifName.3 = STRING: enc0


Each query for a single OID delivers three repetitions (as requested by
-Cr3). But the query for two OIDs skips the repetitions for the first
one. If we add more OIDs, only the last OID of the query will have
repetitions in the reply.

The reason is that we must link the result of each mps_getbulkreq()
to the end of the previous list and not the start of it.

With the patch below, we get the desired result:

   # snmpbulkget -Cr3 -c public -v2c localhost $OID1 $OID2
   SNMPv2-MIB::sysDescr.0 = STRING: OpenBSD null 5.7 GENERIC#123 i386
   SNMPv2-MIB::sysObjectID.0 = OID: OPENBSD-BASE-MIB::openBSDDefaultObjectID
   SNMPv2-MIB::sysUpTime.0 = Timeticks: (239) 0:00:02.39
   IF-MIB::ifName.1 = STRING: em0
   IF-MIB::ifName.2 = STRING: iwi0
   IF-MIB::ifName.3 = STRING: enc0


Gerhard



Index: mps.c
===
RCS file: /cvs/src/usr.sbin/snmpd/mps.c,v
retrieving revision 1.20
diff -u -p -u -p -r1.20 mps.c
--- mps.c   16 Jan 2015 00:05:13 -  1.20
+++ mps.c   3 Jun 2015 08:48:42 -
@@ -289,7 +289,7 @@ mps_getnextreq(struct snmp_message *msg,
 
 int
 mps_getbulkreq(struct snmp_message *msg, struct ber_element **root,
-struct ber_oid *o, int max)
+struct ber_element **end, struct ber_oid *o, int max)
 {
struct ber_element *c, *d, *e;
size_t len;
@@ -297,14 +297,17 @@ mps_getbulkreq(struct snmp_message *msg,
 
j = max;
c = *root;
+   *end = NULL;
 
for (d = NULL, len = 0; j  0; j--) {
e = ber_add_sequence(NULL);
if (c == NULL)
c = e;
ret = mps_getnextreq(msg, e, o);
-   if (ret == 1)
+   if (ret == 1) {
+   *root = c;
return (1);
+   }
if (ret == -1) {
ber_free_elements(e);
if (d == NULL)
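Review bot: on the `ret == 1` early return, `e` (allocated by ber_add_sequence() a few lines up) is neither linked into the list nor freed unless it happens to be `c` from the first iteration, and `*end` is left at whatever the previous iteration stored (NULL on the first); the leak predates this diff, but since the path is being touched anyway, free `e` there when `c != e`, unless mps_getnextreq() takes ownership of it on that return value (not visible here), and set `*end` to the last linked element so the caller never appends after a stale tail.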
@@ -319,6 +322,7 @@ mps_getbulkreq(struct snmp_message *msg,
if (d != NULL)
ber_link_elements(d, e);
d = e;
+   *end = d;
}
 
*root = c;
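Review bot: `*end` only becomes non-NULL once an element has been linked, so when every mps_getnextreq() returns -1, or `max` is 0, the function returns with `*end == NULL` and `*root` as it was; the caller therefore needs to treat `sm_end == NULL` as "append to the previous tail" rather than as a valid tail, otherwise the next OID's list is dropped or linked at the wrong place.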
Index: snmpd.h
===
RCS file: /cvs/src/usr.sbin/snmpd/snmpd.h,v
retrieving revision 1.59
diff -u -p -u -p -r1.59 snmpd.h
--- snmpd.h 16 Jan 2015 00:05:13 -  1.59
+++ snmpd.h 3 Jun 2015 09:02:38 -
@@ -396,6 +396,7 @@ struct snmp_message {
struct ber_element  *sm_c;
struct ber_element  *sm_next;
struct ber_element  *sm_last;
+   struct ber_element  *sm_end;
 
u_int8_t sm_data[READ_BUF_SIZE];
size_t   sm_datalen;
@@ -638,7 +639,7 @@ int  mps_getreq(struct snmp_message *, 
 int mps_getnextreq(struct snmp_message *, struct ber_element *,
struct ber_oid *);
 int mps_getbulkreq(struct snmp_message *, struct ber_element **,
-   struct ber_oid *, int);
+   struct ber_element **, struct ber_oid *, int);
 int mps_setreq(struct snmp_message *, struct ber_element *,
struct ber_oid *);
 int mps_set(struct ber_oid *, void *, long long);
Index: snmpe.c
===
RCS file: /cvs/src/usr.sbin/snmpd/snmpe.c,v
retrieving revision 1.40
diff -u -p -u -p -r1.40 snmpe.c
--- snmpe.c 16 Jan 2015 00:05:13 -  1.40
+++ snmpe.c 3 Jun 2015 09:06:31 -
@@ -374,6 +374,7 @@ snmpe_parsevarbinds(struct snmp_message 
break;
case 1:
msg-sm_c = NULL;
+   msg-sm_end = NULL;
 
switch (msg-sm_context) {
 
@@ -409,7 +410,8 @@ snmpe_parsevarbinds(struct snmp_message 
 
case SNMP_C_GETBULKREQ:
ret = mps_getbulkreq(msg, msg-sm_c,
-   o, msg-sm_maxrepetitions);
+   msg-sm_end, 
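Review bot: the call site is cut off right after `msg->sm_end,` in this copy, so the part of the fix that matters most, how the result of this mps_getbulkreq() is linked to the previous `sm_end` rather than to `sm_c`, and what happens when that `sm_end` is NULL, cannot be reviewed from the lines shown.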

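For reference, the ordering a GETBULK responder is meant to produce, as an added C example that is not snmpd code and not part of this patch: a constructed six-entry MIB in lexicographic order (the instances from the report's output, with made-up value strings), GETNEXT over it, and a GETBULK that handles non-repeaters, max-repetitions and endOfMibView. It follows RFC 3416 section 4.2.3, which interleaves the repeaters (all of them for iteration 1, then all for iteration 2, and so on), so the report's two-OID query comes back as sysDescr.0, ifName.1, sysObjectID.0, ifName.2, sysUpTime.0, ifName.3; the expected snmpd output quoted above groups the three repetitions per OID instead, a difference to keep in mind for clients such as snmptable that assume the RFC layout.

```c
#include <stddef.h>

#define OIDMAX	16

struct oid { unsigned int id[OIDMAX]; size_t len; };
struct varbind { struct oid name; const char *value; };	/* NULL value = endOfMibView */

/* Constructed sample MIB, sorted, holding the instances the report walks. */
static const struct varbind mib[] = {
	{ { { 1, 3, 6, 1, 2, 1, 1, 1, 0 }, 9 }, "sysDescr.0" },
	{ { { 1, 3, 6, 1, 2, 1, 1, 2, 0 }, 9 }, "sysObjectID.0" },
	{ { { 1, 3, 6, 1, 2, 1, 1, 3, 0 }, 9 }, "sysUpTime.0" },
	{ { { 1, 3, 6, 1, 2, 1, 31, 1, 1, 1, 1, 1 }, 12 }, "em0" },
	{ { { 1, 3, 6, 1, 2, 1, 31, 1, 1, 1, 1, 2 }, 12 }, "iwi0" },
	{ { { 1, 3, 6, 1, 2, 1, 31, 1, 1, 1, 1, 3 }, 12 }, "enc0" },
};
#define NMIB	(sizeof(mib) / sizeof(mib[0]))

/* Lexicographic OID compare; a prefix sorts before its extensions. */
int
oid_cmp(const struct oid *a, const struct oid *b)
{
	size_t i, n = a->len < b->len ? a->len : b->len;

	for (i = 0; i < n; i++)
		if (a->id[i] != b->id[i])
			return a->id[i] < b->id[i] ? -1 : 1;
	return a->len < b->len ? -1 : a->len > b->len;
}

/* GETNEXT: index of the first entry strictly after o, -1 for endOfMibView. */
int
mib_getnext(const struct oid *o)
{
	size_t i;

	for (i = 0; i < NMIB; i++)
		if (oid_cmp(&mib[i].name, o) > 0)
			return (int)i;
	return -1;
}

/* Fill vb from entry k, or mark endOfMibView at o when k < 0. */
static void
emit(struct varbind *vb, int k, const struct oid *o)
{
	if (k < 0) {
		vb->name = *o;
		vb->value = NULL;
	} else
		*vb = mib[k];
}

/*
 * GETBULK as RFC 3416 4.2.3 lays it out: the first nonrep OIDs get one
 * GETNEXT each; the other R are walked up to maxrep times, all R successors
 * of iteration i before iteration i+1, each repeater continuing from its own
 * last name. Returns the varbind count, or -1 if out cannot hold the worst case.
 */
int
getbulk(const struct oid *req, size_t nreq, size_t nonrep, size_t maxrep,
    struct varbind *out, size_t cap)
{
	struct oid cur[8];
	size_t i, it, r, n = 0;
	int k, progressed;

	if (nreq > 8 || nonrep > nreq || cap < nonrep + maxrep * (nreq - nonrep))
		return -1;
	for (i = 0; i < nreq; i++)
		cur[i] = req[i];
	for (i = 0; i < nonrep; i++)
		emit(&out[n++], mib_getnext(&cur[i]), &cur[i]);
	for (it = 0; it < maxrep; it++) {
		progressed = 0;
		for (r = nonrep; r < nreq; r++) {
			k = mib_getnext(&cur[r]);
			emit(&out[n++], k, &cur[r]);
			if (k >= 0) {
				cur[r] = mib[k].name;	/* advance this repeater */
				progressed = 1;
			}
		}
		if (!progressed)	/* every repeater hit endOfMibView */
			break;
	}
	return (int)n;
}

/* The report's query: $OID1 $OID2 with -Cr3 and no non-repeaters. */
int
demo_two_oids(struct varbind *out, size_t cap)
{
	const struct oid req[2] = {
		{ { 1, 3, 6, 1, 2, 1, 1, 1 }, 8 },
		{ { 1, 3, 6, 1, 2, 1, 31, 1, 1, 1, 1 }, 11 },
	};

	return getbulk(req, 2, 0, 3, out, cap);
}
```

A request whose repeaters are already at the end of the tree yields one endOfMibView varbind per repeater and then stops, which is the condition a walking client has to check to terminate its loop.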
Unneeded splnet()

2015-06-08 Thread Martin Pieuchot
bridge_ifenqueue() does not need any spl protection, if_output()
already raises it.

ok?

Index: net/if_bridge.c
===
RCS file: /cvs/src/sys/net/if_bridge.c,v
retrieving revision 1.241
diff -u -p -r1.241 if_bridge.c
--- net/if_bridge.c 8 Jun 2015 13:44:08 -   1.241
+++ net/if_bridge.c 8 Jun 2015 13:48:29 -
@@ -967,7 +967,7 @@ bridge_output(struct ifnet *ifp, struct 
struct bridge_rtnode *dst_p = NULL;
struct ether_addr *dst;
struct bridge_softc *sc;
-   int s, error, len;
+   int error, len;
 
/* ifp must be a member interface of the bridge. */ 
if (ifp-if_bridgeport == NULL) {
@@ -1072,9 +1072,7 @@ bridge_output(struct ifnet *ifp, struct 
mc = m1;
}
 
-   s = splnet();
error = bridge_ifenqueue(sc, dst_if, mc);
-   splx(s);
if (error)
continue;
}
@@ -1093,9 +1091,7 @@ sendunicast:
m_freem(m);
return (ENETDOWN);
}
-   s = splnet();
bridge_ifenqueue(sc, dst_if, m);
-   splx(s);
return (0);
 }
 
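Review bot: "if_output() already raises it" covers the final enqueue, but bridge_ifenqueue() does work before it gets there, at least the `#if NGIF` etherip path that updates `ifp->if_ipackets` (visible in the bridge_output() diff on this page); the review question for every removed splnet()/splx() pair in this file is whether that pre-if_output code was relying on the spl, and if not, the diff is fine as is.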
@@ -1135,12 +1131,12 @@ bridgeintr(void)
 void
 bridgeintr_frame(struct bridge_softc *sc, struct mbuf *m)
 {
-   int s, len;
struct ifnet *src_if, *dst_if;
struct bridge_iflist *ifl;
struct bridge_rtnode *dst_p;
struct ether_addr *dst, *src;
struct ether_header eh;
+   int len;
 
if ((sc-sc_if.if_flags  IFF_RUNNING) == 0) {
m_freem(m);
@@ -1293,9 +1289,7 @@ bridgeintr_frame(struct bridge_softc *sc
if ((len - ETHER_HDR_LEN)  dst_if-if_mtu)
bridge_fragment(sc, dst_if, eh, m);
else {
-   s = splnet();
bridge_ifenqueue(sc, dst_if, m);
-   splx(s);
}
 }
 
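Review bot: with the splnet()/splx() gone, the `else` branch here is a single statement, so its braces can go; the same applies to the bridge_broadcast() and bridge_fragment() hunks below.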
@@ -1499,7 +1493,7 @@ bridge_broadcast(struct bridge_softc *sc
struct bridge_iflist *p;
struct mbuf *mc;
struct ifnet *dst_if;
-   int len, s, used = 0;
+   int len, used = 0;
 
TAILQ_FOREACH(p, sc-sc_iflist, next) {
/*
@@ -1585,9 +1579,7 @@ bridge_broadcast(struct bridge_softc *sc
if ((len - ETHER_HDR_LEN)  dst_if-if_mtu)
bridge_fragment(sc, dst_if, eh, mc);
else {
-   s = splnet();
bridge_ifenqueue(sc, dst_if, mc);
-   splx(s);
}
}
 
@@ -1638,7 +1630,7 @@ bridge_span(struct bridge_softc *sc, str
struct bridge_iflist *p;
struct ifnet *ifp;
struct mbuf *mc, *m;
-   int s, error;
+   int error;
 
if (TAILQ_EMPTY(sc-sc_spanlist))
return;
@@ -1665,9 +1657,7 @@ bridge_span(struct bridge_softc *sc, str
continue;
}
 
-   s = splnet();
error = bridge_ifenqueue(sc, ifp, mc);
-   splx(s);
if (error)
continue;
}
@@ -2555,7 +2545,7 @@ bridge_fragment(struct bridge_softc *sc,
 {
struct llc llc;
struct mbuf *m0;
-   int s, error = 0;
+   int error = 0;
int hassnap = 0;
u_int16_t etype;
struct ip *ip;
@@ -2570,9 +2560,7 @@ bridge_fragment(struct bridge_softc *sc,
len += ETHER_VLAN_ENCAP_LEN;
if ((ifp-if_capabilities  IFCAP_VLAN_MTU) 
(len - sizeof(struct ether_vlan_header) = ifp-if_mtu)) {
-   s = splnet();
bridge_ifenqueue(sc, ifp, m);
-   splx(s);
return;
}
goto dropit;
@@ -2640,13 +2628,10 @@ bridge_fragment(struct bridge_softc *sc,
continue;
}
bcopy(eh, mtod(m, caddr_t), sizeof(*eh));
-   s = splnet();
error = bridge_ifenqueue(sc, ifp, m);
if (error) {
-   splx(s);
continue;
}
-   splx(s);
} else
m_freem(m);
}
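Review bot: with `splx(s)` removed from both arms, `if (error) { continue; }` is now the last statement of the loop body and a `continue` there is a no-op, so either drop the `if` (and `error` with it) or keep `error` for something useful, such as counting the drop.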



Re: jail_bin_add: script to add binary and libs to chroot

2015-06-08 Thread Landry Breuil
On Mon, Jun 08, 2015 at 02:59:28PM +0200, Marc Espie wrote:
 On Mon, Jun 08, 2015 at 01:46:17AM -0400, dan mclaughlin wrote:
  i figure this should be useful to some.
  any nits welcome.
 
 Unfortunately, this will become increasingly useless in
 gtk-land.
 
 Compare ldd firefox vs a ktrace of the running binary... :(

Totally pointless example - firefox is a very specific case, in that
case you want ldd /usr/local/lib/firefox-*/libxul.so.*  i don't know
of many gtk applications doing this (bundling everything in a dlopen'ed
library with tons of linking hacks to improve startup times...)

Landry



bridge_output() without m_buf_tag

2015-06-08 Thread Martin Pieuchot
Diff below moves bridge_output() to if_output().  It fixes the case I
already described some weeks ago where you have a physical interface
in a bridge and a vlan on top of it which is not in the bridge.

It also changes the loop prevention code to use M_PROTO1 like in the
input path.

Tests, comments and oks welcome.

Index: net/if.c
===
RCS file: /cvs/src/sys/net/if.c,v
retrieving revision 1.338
diff -u -p -r1.338 if.c
--- net/if.c7 Jun 2015 12:02:28 -   1.338
+++ net/if.c8 Jun 2015 13:46:19 -
@@ -449,6 +449,19 @@ if_output(struct ifnet *ifp, struct mbuf
int s, length, error = 0;
unsigned short mflags;
 
+#ifdef DIAGNOSTIC
+   if (ifp-if_rdomain != rtable_l2(m-m_pkthdr.ph_rtableid)) {
+   printf(%s: trying to send packet on wrong domain. 
+   if %d vs. mbuf %d\n, ifp-if_xname, ifp-if_rdomain,
+   rtable_l2(m-m_pkthdr.ph_rtableid));
+   }
+#endif
+
+#if NBRIDGE  0
+   if (ifp-if_bridgeport  (m-m_flags  M_PROTO1) == 0)
+   return (bridge_output(ifp, m, NULL, NULL));
+#endif
+
length = m-m_pkthdr.len;
mflags = m-m_flags;
 
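Review bot: moving the rdomain DIAGNOSTIC from ether_output() to if_output() loses the `AF %d` field (there is no `dst` here) and it now fires for non-Ethernet interfaces too; both are probably acceptable, but say so in the commit message. Placing the bridge_output() dispatch before `length`/`mflags` are sampled is right, since bridge_output() takes the mbuf with it.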
Index: net/if_bridge.c
===
RCS file: /cvs/src/sys/net/if_bridge.c,v
retrieving revision 1.241
diff -u -p -r1.241 if_bridge.c
--- net/if_bridge.c 8 Jun 2015 13:44:08 -   1.241
+++ net/if_bridge.c 8 Jun 2015 13:46:19 -
@@ -2665,10 +2665,12 @@ bridge_ifenqueue(struct bridge_softc *sc
 {
int error, len;
 
+   /* Loop prevention. */
+   m-m_flags |= M_PROTO1;
+
 #if NGIF  0
/* Packet needs etherip encapsulation. */
if (ifp-if_type == IFT_GIF) {
-   m-m_flags |= M_PROTO1;
 
/* Count packets input into the gif from outside */
ifp-if_ipackets++;
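Review bot: `M_PROTO1` is now set on every frame bridge_ifenqueue() hands out, not only the gif-encapsulated ones, which is what the new if_output() check relies on; the flag therefore has to be cleared on every receive path before the frame can be bridged again, otherwise a frame that leaves through one bridge member and comes back in on another (a cable between two members, for instance) skips bridge processing on its second way out.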
Index: net/if_ethersubr.c
===
RCS file: /cvs/src/sys/net/if_ethersubr.c,v
retrieving revision 1.204
diff -u -p -r1.204 if_ethersubr.c
--- net/if_ethersubr.c  8 Jun 2015 13:44:08 -   1.204
+++ net/if_ethersubr.c  8 Jun 2015 13:46:20 -
@@ -181,15 +181,6 @@ ether_output(struct ifnet *ifp, struct m
struct arpcom *ac = (struct arpcom *)ifp;
int error = 0;
 
-#ifdef DIAGNOSTIC
-   if (ifp-if_rdomain != rtable_l2(m-m_pkthdr.ph_rtableid)) {
-   printf(%s: trying to send packet on wrong domain. 
-   if %d vs. mbuf %d, AF %d\n, ifp-if_xname,
-   ifp-if_rdomain, rtable_l2(m-m_pkthdr.ph_rtableid),
-   dst-sa_family);
-   }
-#endif
-
esrc = ac-ac_enaddr;
 
if ((ifp-if_flags  (IFF_UP|IFF_RUNNING)) != (IFF_UP|IFF_RUNNING))
@@ -276,47 +267,6 @@ ether_output(struct ifnet *ifp, struct m
eh-ether_type = etype;
memcpy(eh-ether_dhost, edst, sizeof(eh-ether_dhost));
memcpy(eh-ether_shost, esrc, sizeof(eh-ether_shost));
-
-#if NBRIDGE  0
-   /*
-* Interfaces that are bridgeports need special handling for output.
-*/
-   if (ifp-if_bridgeport) {
-   struct m_tag *mtag;
-
-   /*
-* Check if this packet has already been sent out through
-* this bridgeport, in which case we simply send it out
-* without further bridge processing.
-*/
-   for (mtag = m_tag_find(m, PACKET_TAG_BRIDGE, NULL); mtag;
-   mtag = m_tag_find(m, PACKET_TAG_BRIDGE, mtag)) {
-#ifdef DEBUG
-   /* Check that the information is there */
-   if (mtag-m_tag_len != sizeof(caddr_t)) {
-   error = EINVAL;
-   goto bad;
-   }
-#endif
-   if (!memcmp(ifp-if_bridgeport, mtag + 1,
-   sizeof(caddr_t)))
-   break;
-   }
-   if (mtag == NULL) {
-   /* Attach a tag so we can detect loops */
-   mtag = m_tag_get(PACKET_TAG_BRIDGE, sizeof(caddr_t),
-   M_NOWAIT);
-   if (mtag == NULL) {
-   error = ENOBUFS;
-   goto bad;
-   }
-   memcpy(mtag + 1, ifp-if_bridgeport, sizeof(caddr_t));
-   m_tag_prepend(m, mtag);
-   error = bridge_output(ifp, m, NULL, NULL);
-   return (error);
-   }
-   }
-#endif
 
return (if_output(ifp, m));
 bad:
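Review bot: the removed PACKET_TAG_BRIDGE logic recorded which bridgeport the frame had already left through, so a frame could still be bridged on a different bridgeport; the single `M_PROTO1` bit replacing it (set in bridge_ifenqueue(), tested in if_output()) means "already bridged" regardless of which bridge, so a frame legitimately crossing two bridges (a member of bridge A feeding an interface that is a member of bridge B) now bypasses the second bridge's output path. That may be fine, but it is a behaviour change worth a sentence in the commit message and a test on such a setup.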
Index: sys/mbuf.h
===
RCS file: /cvs/src/sys/sys/mbuf.h,v
retrieving revision 1.191
diff -u -p -r1.191 mbuf.h
--- sys/mbuf.h  23 May 2015 12:52:59 -  1.191
+++ sys/mbuf.h  8 Jun 2015 13:46:20 

Convert bridge(4) to if_input()

2015-06-08 Thread Martin Pieuchot
This is the last pseudo-driver conversion.

The idea is to run bridge_input() *before* any ifih on an interface.
Doing so allows us to remove the hack between vlan(4) and bridge(4)
and simplify the logic for stacked ifih.

With that net/if_ethersubr.c is now free from #ifdef NPSEUDODRIVER.

As usual, tests, comments and oks welcome.

Index: net/if.c
===
RCS file: /cvs/src/sys/net/if.c,v
retrieving revision 1.338
diff -u -p -r1.338 if.c
--- net/if.c7 Jun 2015 12:02:28 -   1.338
+++ net/if.c8 Jun 2015 14:07:56 -
@@ -529,6 +529,16 @@ again:
 * interface until it is consumed.
 */
ifp = m-m_pkthdr.rcvif;
+
+#if NBRIDGE  0
+   if (ifp-if_bridgeport  (m-m_flags  M_PROTO1) == 0) {
+   m = bridge_input(m);
+   if (m == NULL)
+   continue;
+   }
+   m-m_flags = ~M_PROTO1;/* Loop prevention */
+#endif
+
SLIST_FOREACH(ifih, ifp-if_inputs, ifih_next) {
if ((*ifih-ifih_input)(m))
break;
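Review bot: `M_PROTO1` is cleared only under `#if NBRIDGE > 0`, which is consistent with bridge_ifenqueue() being its only setter, but the clear sits after bridge_input(), so bridge_input() itself must tolerate a set flag; since the `m->m_flags &= ~M_PROTO1` inside bridge_input() is being removed in the same diff, a short comment here saying the flag is now owned by if_input() would save the next reader the cross-reference.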
Index: net/if_bridge.c
===
RCS file: /cvs/src/sys/net/if_bridge.c,v
retrieving revision 1.241
diff -u -p -r1.241 if_bridge.c
--- net/if_bridge.c 8 Jun 2015 13:44:08 -   1.241
+++ net/if_bridge.c 8 Jun 2015 14:07:57 -
@@ -116,8 +116,6 @@ voidbridge_broadcast(struct bridge_soft
 void   bridge_localbroadcast(struct bridge_softc *, struct ifnet *,
 struct ether_header *, struct mbuf *);
 void   bridge_span(struct bridge_softc *, struct mbuf *);
-struct mbuf *bridge_dispatch(struct bridge_iflist *, struct ifnet *,
-struct mbuf *);
 void   bridge_stop(struct bridge_softc *);
 void   bridge_init(struct bridge_softc *);
 intbridge_bifconf(struct bridge_softc *, struct ifbifconf *);
@@ -1198,7 +1196,7 @@ bridgeintr_frame(struct bridge_softc *sc
 * If packet is unicast, destined for someone on this
 * side of the bridge, drop it.
 */
-   if ((m-m_flags  (M_BCAST | M_MCAST)) == 0) {
+   if (!ETHER_IS_MULTICAST(eh.ether_dhost)) {
if ((dst_p = bridge_rtlookup(sc, dst)) != NULL)
dst_if = dst_p-brt_if;
else
@@ -1207,8 +1205,14 @@ bridgeintr_frame(struct bridge_softc *sc
m_freem(m);
return;
}
-   } else
+   } else {
+   if (memcmp(etherbroadcastaddr, eh.ether_dhost,
+   sizeof(etherbroadcastaddr)) == 0)
+   m-m_flags |= M_BCAST;
+   else
+   m-m_flags |= M_MCAST;
dst_if = NULL;
+   }
 
/*
 * Multicast packets get handled a little differently:
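Review bot: keying unicast vs multicast on `eh.ether_dhost` instead of the driver-supplied M_BCAST/M_MCAST bits is the right call, the frame being the authority, but the new `else` branch only sets one of the two flags and never clears the other, so an mbuf that arrived with a stale M_BCAST keeps it alongside the M_MCAST set here; clear both before setting the one that matches the address.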
@@ -1304,37 +1308,33 @@ bridgeintr_frame(struct bridge_softc *sc
  * not for us, and schedule an interrupt.
  */
 struct mbuf *
-bridge_input(struct ifnet *ifp, struct ether_header *eh0, struct mbuf *m)
+bridge_input(struct mbuf *m)
 {
+   struct ifnet *ifp;
struct bridge_softc *sc;
struct bridge_iflist *ifl;
+   struct bridge_iflist *srcifl;
struct ether_header *eh;
-#if NVLAN  0
-   uint16_t etype = ntohs(eh0-ether_type);
-#endif /* NVLAN  0 */
+   struct arpcom *ac;
+   struct mbuf_list ml = MBUF_LIST_INITIALIZER();
+   struct mbuf *mc;
+   int s;
 
/*
 * Make sure this interface is a bridge member.
 */
-   if (ifp == NULL || ifp-if_bridgeport == NULL || m == NULL)
+   ifp = m-m_pkthdr.rcvif;
+   if (ifp == NULL || ifp-if_bridgeport == NULL)
return (m);
 
if ((m-m_flags  M_PKTHDR) == 0)
panic(bridge_input(): no HDR);
 
-   m-m_flags = ~M_PROTO1;/* Loop prevention */
-
ifl = (struct bridge_iflist *)ifp-if_bridgeport;
sc = ifl-bridge_sc;
if ((sc-sc_if.if_flags  IFF_RUNNING) == 0)
return (m);
 
-   M_PREPEND(m, sizeof(*eh), M_DONTWAIT);
-   if (m == NULL)
-   return (NULL);
-   eh = mtod(m, struct ether_header *);
-   memmove(eh, eh0, sizeof(*eh));
-
 #if NBPFILTER  0
if (sc-sc_if.if_bpf)
bpf_mtap_ether(sc-sc_if.if_bpf, m, BPF_DIRECTION_IN);
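Review bot: bridge_input() no longer M_PREPENDs the Ethernet header, so it now depends on running before anything strips the header, which the new if_input() call site guarantees but any other caller would have to honour; a comment on the function stating that contract would help. The new locals `srcifl`, `ac`, `ml`, `mc` and `s` are declared here but used only in the cut-off remainder of the hunk, so check the final version compiles without unused-variable warnings.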
@@ -1342,35 +1342,8 @@ bridge_input(struct ifnet *ifp, struct e
 
bridge_span(sc, m);
 
-   m = bridge_dispatch(ifl, ifp, m);
-
-#if NVLAN  0
-   if ((m != NULL)  ((m-m_flags  M_VLANTAG) ||
-   etype == ETHERTYPE_VLAN || etype == ETHERTYPE_QINQ)) {
-   /* The bridge did not want the vlan frame either, drop it. */
-   ifp-if_noproto++;
-   m_freem(m);
-   m = NULL;
-   }
-#endif /* NVLAN  0 */
-
-   return (m);
-}
-
-struct mbuf *
-bridge_dispatch(struct bridge_iflist *ifl, struct 

Re: jail_bin_add: script to add binary and libs to chroot

2015-06-08 Thread Marc Espie
On Mon, Jun 08, 2015 at 01:46:17AM -0400, dan mclaughlin wrote:
 i figure this should be useful to some.
 any nits welcome.

Unfortunately, this will become increasingly useless in
gtk-land.

Compare ldd firefox vs a ktrace of the running binary... :(