v6 routing problem, static workstation config, expired ndp for gateway's address

2016-09-27 Thread Stuart Henderson
My workstation has a static v6 configuration. Recently I have occasionally
been losing v6 connectivity:

$ grep inet6 /etc/hostname.vlan2
inet6 2a02:8011:7003:1:fab1:56ff:feac:3276
inet6 -autoconfprivacy

$ grep : /etc/mygate
2a02:8011:7003:1::1

$ ping6 2a02:8011:7003:1::1
PING 2a02:8011:7003:1::1 (2a02:8011:7003:1::1): 56 data bytes
ping6: sendmsg: No route to host
ping: wrote 2a02:8011:7003:1::1 64 chars, ret=-1
^C
--- 2a02:8011:7003:1::1 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss

The default route is present and pointing to 2a02:8011:7003:1::1,
but ndp for that address is showing as expired.

$ ndp -an
Neighbor                             Linklayer Address  Netif Expire    S Flags
2a02:8011:7003:1::1                  00:0d:b9:41:7e:48  vlan2 expired   P R 3
2a02:8011:7003:1:20d:93ff:fe63:da5a  00:0d:b9:14:30:ec  vlan2 23h45m30s S
2a02:8011:7003:1:4c5:3773:8878:f8e9  00:0d:b9:14:30:ec  vlan2 14h30m52s S
2a02:8011:7003:1:9446:5c90:a2b0:d2ec 00:0d:b9:14:30:ec  vlan2 23h45m35s S
2a02:8011:7003:1:fab1:56ff:feac:3276 f8:b1:56:ac:32:76  vlan2 permanent R l
2a02:8011:7003:3::1                  00:0d:b9:41:7e:48  vlan5 23h47m46s S R
2a02:8011:7003:3:fab1:56ff:feac:3276 f8:b1:56:ac:32:76  vlan5 permanent R l
fe80::fab1:56ff:feac:3276%vlan2      f8:b1:56:ac:32:76  vlan2 permanent R l
fe80::fab1:56ff:feac:3276%vlan4      f8:b1:56:ac:32:76  vlan4 permanent R l
fe80::fab1:56ff:feac:3276%vlan5      f8:b1:56:ac:32:76  vlan5 permanent R l

Other machines on the subnet are able to resolve and ping6
2a02:8011:7003:1::1 and beyond. (Those machines are on older snaps.)

Trying to remove the old ndp entry with ndp -d or ndp -c reports
that it has been deleted, but it shows up again in ndp -a output immediately
afterwards:

# ndp -c; ndp -an | grep 2a02:8011:7003:1::1
2a02:8011:7003:1::1 (2a02:8011:7003:1::1) deleted
2a02:8011:7003:1::1  00:0d:b9:41:7e:48  vlan2 expired   I R

Removing the default route and then the ndp entry does result in
it being removed, but adding the default route back in results in
ndp showing up as 'expired' again.

More bits below. Nothing relating to ND shows in the log with nd6_debug.
Rebooting the workstation seemed to fix it; the last time it happened
I tried rebooting the gateway instead and that seemed to fix it too.
Any ideas or suggestions of more things to collect next time it
happens?

$ netstat -rnfinet6
Routing tables

Internet6:
Destination                          Gateway                              Flags   Refs    Use   Mtu  Prio Iface
default                              2a02:8011:7003:1::1                  UGS        1 142441     -     8 vlan2
::/96                                ::1                                  UGRS       0      0 32768     8 lo0
::/104                               ::1                                  UGRS       0      0 32768     8 lo0
::1                                  ::1                                  UHhl      14     58 32768     1 lo0
::127.0.0.0/104                      ::1                                  UGRS       0      0 32768     8 lo0
::224.0.0.0/100                      ::1                                  UGRS       0      0 32768     8 lo0
::255.0.0.0/104                      ::1                                  UGRS       0      0 32768     8 lo0
:::0.0.0.0/96                        ::1                                  UGRS       0      0 32768     8 lo0
2002::/24                            ::1                                  UGRS       0      0 32768     8 lo0
2002:7f00::/24                       ::1                                  UGRS       0      0 32768     8 lo0
2002:e000::/20                       ::1                                  UGRS       0      0 32768     8 lo0
2002:ff00::/24                       ::1                                  UGRS       0      0 32768     8 lo0
2a02:8011:7003:1::/64                2a02:8011:7003:1:fab1:56ff:feac:3276 UCn        4     28     -     4 vlan2
2a02:8011:7003:1::1                  00:0d:b9:41:7e:48                    UHLch      1  53101     -     4 vlan2
2a02:8011:7003:1:20d:93ff:fe63:da5a  00:0d:b9:14:30:ec                    UHLc       0   1847     -     4 vlan2
2a02:8011:7003:1:4c5:3773:8878:f8e9  00:0d:b9:14:30:ec                    UHLc       0    538     -     4 vlan2
2a02:8011:7003:1:9446:5c90:a2b0:d2ec 00:0d:b9:14:30:ec                    UHLc       0    261     -     4 vlan2
2a02:8011:7003:1:fab1:56ff:feac:3276 f8:b1:56:ac:32:76                    UHLl       0  75101     -     1 vlan2
2a02:8011:7003:3::/64                2a02:8011:7003:3:fab1:56ff:feac:3276 UCn        1     14     -     4 vlan5
2a02:8011:7003:3::1                  00:0d:b9:41:7e:48                    UHLc       0   9753     -     4 vlan5
2a02:8011:7003:3:fab1:56ff:feac:3276 f8:b1:56:ac:32:76                    UHLl       0  58021     -     1 vlan5
fe80::/10                            ::1                                  UGRS       0      4 32768     8 lo0
fec0::/10                            ::1                                  UGRS       0

Re: attach SR drive by force even if not all chunks provide native metadata

2016-09-27 Thread Karel Gardas
On Tue, Sep 27, 2016 at 7:27 PM, Joel Sing  wrote:
> On Saturday 24 September 2016 00:13:47 Karel Gardas wrote:
>> Hello,
>>
>> The following patch fixes an issue while attempting to attach an SR RAID1
>> drive where not all chunks provide native metadata, i.e. one chunk is dd
>> zeroed. The complaint of SR is a good one, but I'd think that the force
>> parameter should overcome it and really force SR to attach such a
>> drive.
>
> I'll need to look more closely, but I'm pretty certain this is not correct -
> if there is no native metadata on the chunk, then it should not be considered
> to be part of the volume. In the case of an SR RAID1 volume, if you have a
> chunk that was zeroed, then you should be rebuilding on to it, rather than
> bringing it up as an existing part of the volume.

Thanks for the reply. Indeed, looking into the code more deeply, it
looks like the patch was working for me just by coincidence.



Re: traceroute(8): drop to _traceroute user

2016-09-27 Thread Florian Obser
This always does the three-part setgroups, setresgid, setresuid dance...

diff --git sbin/ping/ping.c sbin/ping/ping.c
index 383ef65..6ea138c 100644
--- sbin/ping/ping.c
+++ sbin/ping/ping.c
@@ -259,7 +259,8 @@ main(int argc, char *argv[])
char rspace[3 + 4 * NROUTES + 1];   /* record route space */
const char *errstr;
double intval;
-   uid_t uid;
+   uid_t ouid, uid;
+   gid_t gid;
u_int rtableid = 0;
extern char *__progname;
 
@@ -274,12 +275,17 @@ main(int argc, char *argv[])
}
 
/* revoke privs */
-   uid = getuid();
-   if ((pw = getpwnam(PING_USER)) == NULL)
-   errx(1, "no %s user", PING_USER);
-   if (setgroups(1, &pw->pw_gid) ||
-   setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
-   setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
+   ouid = getuid();
+   if ((pw = getpwnam(PING_USER)) != NULL) {
+   uid = pw->pw_uid;
+   gid = pw->pw_gid;
+   } else {
+   uid = getuid();
+   gid = getgid();
+   }
+   if (setgroups(1, &gid) ||
+   setresgid(gid, gid, gid) ||
+   setresuid(uid, uid, uid))
err(1, "unable to revoke privs");
 
preload = 0;
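Review bot: the new fallback (`uid = getuid(); gid = getgid();`) makes a missing _ping user silent, including for a root caller, where nothing is dropped at all; a `warnx("no %s user", PING_USER);` in that branch would keep the misconfiguration visible (the bgplg chroot case that started this thread is exactly where it would otherwise go unnoticed). Minor: `uid = getuid()` there repeats `ouid`, which was assigned just above; `uid = ouid;` reads better.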
@@ -309,7 +315,7 @@ main(int argc, char *argv[])
options |= F_AUD_RECV;
break;
case 'f':
-   if (uid)
+   if (ouid)
errc(1, EPERM, NULL);
options |= F_FLOOD;
setvbuf(stdout, NULL, _IONBF, 0);
@@ -330,7 +336,7 @@ main(int argc, char *argv[])
intval = strtod(optarg, &e);
if (*optarg == '\0' || *e != '\0')
errx(1, "illegal timing interval %s", optarg);
-   if (intval < 1 && uid)
+   if (intval < 1 && ouid)
errx(1, "only root may use interval < 1s");
interval.tv_sec = (time_t)intval;
interval.tv_usec =
@@ -349,7 +355,7 @@ main(int argc, char *argv[])
loop = 0;
break;
case 'l':
-   if (uid)
+   if (ouid)
errc(1, EPERM, NULL);
preload = strtonum(optarg, 1, INT64_MAX, &errstr);
if (errstr)
diff --git usr.bin/bgplg/bgplg.8 usr.bin/bgplg/bgplg.8
index d2f0f0d..15e15b2 100644
--- usr.bin/bgplg/bgplg.8
+++ usr.bin/bgplg/bgplg.8
@@ -77,12 +77,19 @@ and
 .Xr traceroute6 8
 will require a copy of the resolver configuration file
 .Xr resolv.conf 5
+for optional host name lookups and the password database with the users
+.Qq _ping
+and
+.Qq _traceroute
 in the
 .Xr chroot 2
-environment for optional host name lookups.
+environment.
 .Bd -literal -offset indent
 # mkdir /var/www/etc
 # cp /etc/resolv.conf /var/www/etc
+# grep -e ^_ping -e ^_traceroute /etc/master.passwd > \\
+   /var/www/etc/master.passwd.bgplg
+# pwd_mkdb -d /var/www/etc master.passwd.bgplg
 .Ed
 .It
 Start the Border Gateway Protocol daemon with a second,
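Review bot: "will require" in the added text is stronger than what the code in this same diff does: when the _ping/_traceroute entries are absent, ping and traceroute now fall back to the caller's real uid instead of failing, so the database is needed for the privilege drop to land on the dedicated users, not for the tools to run at all. It would also help to state what the `pwd_mkdb -d /var/www/etc master.passwd.bgplg` step leaves behind (pwd.db and spwd.db in /var/www/etc), since pwd.db is what Stuart's report at the start of this thread found missing.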
diff --git usr.sbin/traceroute/traceroute.c usr.sbin/traceroute/traceroute.c
index ba04494..f0ed493 100644
--- usr.sbin/traceroute/traceroute.c
+++ usr.sbin/traceroute/traceroute.c
@@ -328,7 +328,8 @@ main(int argc, char *argv[])
char *ep, hbuf[NI_MAXHOST], *dest, *source = NULL;
const char *errstr;
long l;
-   uid_t uid;
+   uid_t ouid, uid;
+   gid_t gid;
u_int rtableid;
socklen_t len;
 
@@ -346,12 +347,17 @@ main(int argc, char *argv[])
v4sock_errno = errno;
 
/* revoke privs */
-   uid = getuid();
-   if ((pw = getpwnam(TRACEROUTE_USER)) == NULL)
-   errx(1, "no %s user", TRACEROUTE_USER);
-   if (setgroups(1, &pw->pw_gid) ||
-   setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
-   setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
+   ouid = getuid();
+   if ((pw = getpwnam(TRACEROUTE_USER)) != NULL) {
+   uid = pw->pw_uid;
+   gid = pw->pw_gid;
+   } else {
+   uid = getuid();
+   gid = getgid();
+   }
+   if (setgroups(1, &gid) ||
+   setresgid(gid, gid, gid) ||
+   setresuid(uid, uid, uid))
err(1, "unable to revoke privs");
 
if (strcmp("traceroute6", __progname) == 0) {
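Review bot: same two points as in the ping.c hunk: the missing-user branch should at least warn, and `uid = getuid()` duplicates `ouid`. Specific to this file, every later privilege test has to be switched to `ouid` consistently, as the `ouid != 0` source-address check below is; the diff is cut off in the mail, so the remaining ones cannot be checked here.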
@@ -670,13 +676,13 @@ main(int argc, char *argv[])
if (inet_aton(source, &from4.sin_addr) == 0)
errx(1, "unknown host %s", source);
ip->ip_src = from4.sin_addr;
-   if (uid != 0 &&
+   if (ouid != 0 &&
(ntohl(from4.sin_addr.s_addr) & 0xff00U) ==

Re: Modernize regress/libexec/ld.so/constructor

2016-09-27 Thread Alexander Bluhm
On Tue, Sep 27, 2016 at 07:44:03PM +0200, Mark Kettenis wrote:
> > Date: Tue, 27 Sep 2016 18:01:51 +0200
> > From: Alexander Bluhm 
> > 
> > On Mon, Sep 26, 2016 at 11:39:29PM +0200, Mark Kettenis wrote:
> > > Since the tests succeed on amd64, and should succeed on other
> > > architectures, the diff re-enables this test.
> > 
> > When running with "make regress" the test fails as the regress
> > target does not build the libraries.
> > 
> > Usually I add an additional rule in such a case.
> > 
> > ok?
> 
> Other regress tests that build a library solve this by having a
> 
> regress: all
> 
> target in the library Makefile.  See lib/libc/cxa-exit for example.
> 
> Here is a diff that does that.  As a bonus it sets NOPROFILE=yes to
> avoid building a profiled library and also adds $OpenBSD$ markers.
> 
> ok?

works for me; OK bluhm@

> 
> 
> Index: regress/libexec/ld.so/constructor/libaa/Makefile
> ===
> RCS file: /cvs/src/regress/libexec/ld.so/constructor/libaa/Makefile,v
> retrieving revision 1.1
> diff -u -p -r1.1 Makefile
> --- regress/libexec/ld.so/constructor/libaa/Makefile  1 Feb 2003 19:56:17 
> -   1.1
> +++ regress/libexec/ld.so/constructor/libaa/Makefile  27 Sep 2016 17:39:56 
> -
> @@ -1,3 +1,9 @@
> +# $OpenBSD$
> +
>  LIB=aa
>  SRCS= aa.C
> +NOPROFILE=yes
> +
> +regress: all
> +
>  .include 
> Index: regress/libexec/ld.so/constructor/libab/Makefile
> ===
> RCS file: /cvs/src/regress/libexec/ld.so/constructor/libab/Makefile,v
> retrieving revision 1.2
> diff -u -p -r1.2 Makefile
> --- regress/libexec/ld.so/constructor/libab/Makefile  27 Sep 2016 06:52:50 
> -  1.2
> +++ regress/libexec/ld.so/constructor/libab/Makefile  27 Sep 2016 17:40:25 
> -
> @@ -1,6 +1,12 @@
> +# $OpenBSD$
> +
>  LIB=ab
>  SRCS= ab.C
> +NOPROFILE=yes
>  CPPFLAGS=-I${.CURDIR}/../libaa
>  LDADD=-L../libaa
>  LDADD+=-laa
> +
> +regress: all
> +
>  .include 



Re: Modernize regress/libexec/ld.so/constructor

2016-09-27 Thread Mark Kettenis
> Date: Tue, 27 Sep 2016 18:01:51 +0200
> From: Alexander Bluhm 
> 
> On Mon, Sep 26, 2016 at 11:39:29PM +0200, Mark Kettenis wrote:
> > Since the tests succeed on amd64, and should succeed on other
> > architectures, the diff re-enables this test.
> 
> When running with "make regress" the test fails as the regress
> target does not build the libraries.
> 
> Usually I add an additional rule in such a case.
> 
> ok?

Other regress tests that build a library solve this by having a

regress: all

target in the library Makefile.  See lib/libc/cxa-exit for example.

Here is a diff that does that.  As a bonus it sets NOPROFILE=yes to
avoid building a profiled library and also adds $OpenBSD$ markers.

ok?


Index: regress/libexec/ld.so/constructor/libaa/Makefile
===
RCS file: /cvs/src/regress/libexec/ld.so/constructor/libaa/Makefile,v
retrieving revision 1.1
diff -u -p -r1.1 Makefile
--- regress/libexec/ld.so/constructor/libaa/Makefile1 Feb 2003 19:56:17 
-   1.1
+++ regress/libexec/ld.so/constructor/libaa/Makefile27 Sep 2016 17:39:56 
-
@@ -1,3 +1,9 @@
+# $OpenBSD$
+
 LIB=aa
 SRCS= aa.C
+NOPROFILE=yes
+
+regress: all
+
 .include 
Index: regress/libexec/ld.so/constructor/libab/Makefile
===
RCS file: /cvs/src/regress/libexec/ld.so/constructor/libab/Makefile,v
retrieving revision 1.2
diff -u -p -r1.2 Makefile
--- regress/libexec/ld.so/constructor/libab/Makefile27 Sep 2016 06:52:50 
-  1.2
+++ regress/libexec/ld.so/constructor/libab/Makefile27 Sep 2016 17:40:25 
-
@@ -1,6 +1,12 @@
+# $OpenBSD$
+
 LIB=ab
 SRCS= ab.C
+NOPROFILE=yes
 CPPFLAGS=-I${.CURDIR}/../libaa
 LDADD=-L../libaa
 LDADD+=-laa
+
+regress: all
+
 .include 
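Review bot: `regress: all` in libab works only because libaa is built first, since `LDADD=-L../libaa -laa` links against it; that ordering comes from the top-level `SUBDIR=libaa libab prog1 prog2` (in Alexander's message in this thread) rather than from a declared dependency. Fine as is, but a comment next to LDADD saying so would stop someone reordering SUBDIR later.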



Re: attach SR drive by force even if not all chunks provide native metadata

2016-09-27 Thread Joel Sing
On Saturday 24 September 2016 00:13:47 Karel Gardas wrote:
> Hello,
> 
> The following patch fixes an issue while attempting to attach an SR RAID1
> drive where not all chunks provide native metadata, i.e. one chunk is dd
> zeroed. The complaint of SR is a good one, but I'd think that the force
> parameter should overcome it and really force SR to attach such a
> drive.

I'll need to look more closely, but I'm pretty certain this is not correct - 
if there is no native metadata on the chunk, then it should not be considered 
to be part of the volume. In the case of an SR RAID1 volume, if you have a 
chunk that was zeroed, then you should be rebuilding on to it, rather than 
bringing it up as an existing part of the volume.
 
> Thanks,
> Karel
> 
> diff -u -p -u -r1.377 softraid.c
> --- softraid.c  20 Jul 2016 20:45:13 -  1.377
> +++ softraid.c  23 Sep 2016 22:06:55 -
> @@ -1658,7 +1661,7 @@ sr_meta_native_attach(struct sr_discipli
> not_sr++;
> }
> 
> -   if (sr && not_sr) {
> +   if (sr && not_sr && !force) {
> sr_error(sc, "not all chunks are of the native metadata "
> "format");
> goto bad;
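Review bot: the hunk header `@@ -1658,7 +1661,7 @@` shows a three-line offset, so there is an earlier hunk missing from the mail and it is not possible to see from here where `force` comes from in sr_meta_native_attach(). Independently of that, skipping the check when `force` is set promotes a chunk without native metadata to a live member of the volume instead of a rebuild target, which is the problem Joel describes above; the full diff would be needed to review the rest.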



Re: traceroute(8): drop to _traceroute user

2016-09-27 Thread Florian Obser
On Tue, Sep 27, 2016 at 02:48:54PM +0200, Sebastien Marie wrote:
> I think we always want to drop effective uid once SOCK_RAW socket has
> been opened.

yes, I think this is better:

diff --git sbin/ping/ping.c sbin/ping/ping.c
index 383ef65..aa4c025 100644
--- sbin/ping/ping.c
+++ sbin/ping/ping.c
@@ -275,9 +275,11 @@ main(int argc, char *argv[])
 
/* revoke privs */
uid = getuid();
-   if ((pw = getpwnam(PING_USER)) == NULL)
-   errx(1, "no %s user", PING_USER);
-   if (setgroups(1, &pw->pw_gid) ||
+   if ((pw = getpwnam(PING_USER)) == NULL) {
+   warnx(1, "no %s user", PING_USER);
+   if (setresuid(uid, uid, uid) == -1)
+   err(1, "setresuid");
+   } else if (setgroups(1, &pw->pw_gid) ||
setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
err(1, "unable to revoke privs");
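Review bot: `warnx(1, "no %s user", PING_USER);` is wrong: warnx(3) takes no status argument, so the literal 1 is passed as the format string. It should be `warnx("no %s user", PING_USER);`. Beyond that, the fallback branch only calls setresuid(); since the binary is setuid root but not setgid (mode `-r-sr-xr-x root bin` in Sebastien's `ls -l`), keeping the gid and supplementary groups is harmless, but note that setgroups()/setresgid() are skipped entirely on that path.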
diff --git usr.sbin/traceroute/traceroute.c usr.sbin/traceroute/traceroute.c
index ba04494..a32985a 100644
--- usr.sbin/traceroute/traceroute.c
+++ usr.sbin/traceroute/traceroute.c
@@ -347,9 +347,11 @@ main(int argc, char *argv[])
 
/* revoke privs */
uid = getuid();
-   if ((pw = getpwnam(TRACEROUTE_USER)) == NULL)
-   errx(1, "no %s user", TRACEROUTE_USER);
-   if (setgroups(1, &pw->pw_gid) ||
+   if ((pw = getpwnam(TRACEROUTE_USER)) == NULL) {
+   warnx(1, "no %s user", TRACEROUTE_USER);
+   if (setresuid(uid, uid, uid) == -1)
+   err(1, "setresuid");
+   } else if (setgroups(1, &pw->pw_gid) ||
setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
err(1, "unable to revoke privs");
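Review bot: same `warnx(1, ...)` mistake as in the ping.c hunk; it should be `warnx("no %s user", TRACEROUTE_USER);`.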
diff --git usr.bin/bgplg/bgplg.8 usr.bin/bgplg/bgplg.8
index d2f0f0d..15e15b2 100644
--- usr.bin/bgplg/bgplg.8
+++ usr.bin/bgplg/bgplg.8
@@ -77,12 +77,19 @@ and
 .Xr traceroute6 8
 will require a copy of the resolver configuration file
 .Xr resolv.conf 5
+for optional host name lookups and the password database with the users
+.Qq _ping
+and
+.Qq _traceroute
 in the
 .Xr chroot 2
-environment for optional host name lookups.
+environment.
 .Bd -literal -offset indent
 # mkdir /var/www/etc
 # cp /etc/resolv.conf /var/www/etc
+# grep -e ^_ping -e ^_traceroute /etc/master.passwd > \\
+   /var/www/etc/master.passwd.bgplg
+# pwd_mkdb -d /var/www/etc master.passwd.bgplg
 .Ed
 .It
 Start the Border Gateway Protocol daemon with a second,

-- 
I'm not entirely sure you are real.



Re: iwm: add mac context later

2016-09-27 Thread Reyk Floeter
On Tue, Sep 27, 2016 at 05:36:26PM +0200, Stefan Sperling wrote:
> It looks like iwm firmware does not like a MAC context which does not
> specify the AP's BSSID.
> 
> The driver currently adds such a context when initializing the hardware
> for the first time after boot (with the BSSID set to all zeros, I also tried
> a broadcast address and that doesn't work either).
> This then triggers the well-known performance bug for some reason which
> only Intel engineers with magic spell books can figure out.
> 
> I noticed performance is fixed after running 'ifconfig iwm0 scan' once.
> This brings the interface down and runs the same hardware init sequence,
> but this time it copies the now cached BSSID from ic->ic_bss into the mac
> context command and things start working.
> 
> This diff makes sure we don't add a MAC context before we know the BSSID.
> Now things start working correctly right after boot.
> 
> I've tested this on 8260 hardware only so far, AFAIK all HW is affected
> by this problem. Additional testing appreciated.
> 

Yes, this fixed my problem.  Now I instantly get a DHCP lease on boot.

Intel Dual Band Wireless AC 8260, hw rev 0x200, fw ver 16.242414.0

Reyk

> Index: if_iwm.c
> ===
> RCS file: /cvs/src/sys/dev/pci/if_iwm.c,v
> retrieving revision 1.141
> diff -u -p -r1.141 if_iwm.c
> --- if_iwm.c  22 Sep 2016 08:28:38 -  1.141
> +++ if_iwm.c  27 Sep 2016 15:26:08 -
> @@ -5171,6 +5171,13 @@ iwm_auth(struct iwm_softc *sc)
>   return err;
>   in->in_phyctxt = &sc->sc_phyctxt[0];
>  
> + err = iwm_mac_ctxt_cmd(sc, in, IWM_FW_CTXT_ACTION_ADD, 0);
> + if (err) {
> + printf("%s: could not add MAC context (error %d)\n",
> + DEVNAME(sc), err);
> + return err;
> + }
> +
>   err = iwm_binding_cmd(sc, in, IWM_FW_CTXT_ACTION_ADD);
>   if (err)
>   return err;
> @@ -5743,7 +5750,6 @@ int
>  iwm_init_hw(struct iwm_softc *sc)
>  {
>   struct ieee80211com *ic = &sc->sc_ic;
> - struct iwm_node *in = (struct iwm_node *)ic->ic_bss;
>   int err, i, ac;
>  
>   err = iwm_preinit(sc);
> @@ -5865,13 +5871,6 @@ iwm_init_hw(struct iwm_softc *sc)
>   goto err;
>   }
>   }
> -
> - err = iwm_mac_ctxt_cmd(sc, in, IWM_FW_CTXT_ACTION_ADD, 0);
> - if (err) {
> - printf("%s: could not add MAC context (error %d)\n",
> - DEVNAME(sc), err);
> - goto err;
> - }
>  
>   err = iwm_disable_beacon_filter(sc);
>   if (err) {
> 
> 
> 
> 
> 

-- 



Re: Modernize regress/libexec/ld.so/constructor

2016-09-27 Thread Alexander Bluhm
On Mon, Sep 26, 2016 at 11:39:29PM +0200, Mark Kettenis wrote:
> Since the tests succeed on amd64, and should succeed on other
> architectures, the diff re-enables this test.

When running with "make regress" the test fails as the regress
target does not build the libraries.

Usually I add an additional rule in such a case.

ok?

bluhm

Index: regress/libexec/ld.so/constructor/Makefile
===
RCS file: /mount/openbsd/cvs/src/regress/libexec/ld.so/constructor/Makefile,v
retrieving revision 1.1
diff -u -p -r1.1 Makefile
--- regress/libexec/ld.so/constructor/Makefile  1 Feb 2003 19:56:17 -   
1.1
+++ regress/libexec/ld.so/constructor/Makefile  27 Sep 2016 15:41:24 -
@@ -1,3 +1,8 @@
 SUBDIR=libaa libab prog1 prog2
 
+regress: lib _SUBDIRUSE
+
+lib:
+   ${MAKE} libaa libab
+
 .include 
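Review bot: `lib:` running `${MAKE} libaa libab` depends on the per-subdirectory targets that bsd.subdir.mk provides for each SUBDIR entry, which does work, but it adds a parent-level special case; Mark's follow-up in this thread (a `regress: all` target in each library Makefile, as lib/libc/cxa-exit already does) gets the same result with the pattern other regress tests use.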



Re: iwm: add mac context later

2016-09-27 Thread Theo Buehler
On Tue, Sep 27, 2016 at 05:36:26PM +0200, Stefan Sperling wrote:
> It looks like iwm firmware does not like a MAC context which does not
> specify the AP's BSSID.
> 
> The driver currently adds such a context when initializing the hardware
> for the first time after boot (with the BSSID set to all zeros, I also tried
> a broadcast address and that doesn't work either).
> This then triggers the well-known performance bug for some reason which
> only Intel engineers with magic spell books can figure out.
> 
> I noticed performance is fixed after running 'ifconfig iwm0 scan' once.
> This brings the interface down and runs the same hardware init sequence,
> but this time it copies the now cached BSSID from ic->ic_bss into the mac
> context command and things start working.
> 
> This diff makes sure we don't add a MAC context before we know the BSSID.
> Now things start working correctly right after boot.
> 
> I've tested this on 8260 hardware only so far, AFAIK all HW is affected
> by this problem. Additional testing appreciated.

Just like the earlier version of this patch that you sent in private, this
fixes the issues I saw on my

iwm0 at pci2 dev 0 function 0 "Intel Dual Band Wireless AC 7265" rev 0x59, msi
iwm0: hw rev 0x210, fw ver 16.242414.0, address 11:22:33:44:55:66

It's a massive improvement, thanks!



iwm: add mac context later

2016-09-27 Thread Stefan Sperling
It looks like iwm firmware does not like a MAC context which does not
specify the AP's BSSID.

The driver currently adds such a context when initializing the hardware
for the first time after boot (with the BSSID set to all zeros, I also tried
a broadcast address and that doesn't work either).
This then triggers the well-known performance bug for some reason which
only Intel engineers with magic spell books can figure out.

I noticed performance is fixed after running 'ifconfig iwm0 scan' once.
This brings the interface down and runs the same hardware init sequence,
but this time it copies the now cached BSSID from ic->ic_bss into the mac
context command and things start working.

This diff makes sure we don't add a MAC context before we know the BSSID.
Now things start working correctly right after boot.

I've tested this on 8260 hardware only so far, AFAIK all HW is affected
by this problem. Additional testing appreciated.

Index: if_iwm.c
===
RCS file: /cvs/src/sys/dev/pci/if_iwm.c,v
retrieving revision 1.141
diff -u -p -r1.141 if_iwm.c
--- if_iwm.c22 Sep 2016 08:28:38 -  1.141
+++ if_iwm.c27 Sep 2016 15:26:08 -
@@ -5171,6 +5171,13 @@ iwm_auth(struct iwm_softc *sc)
return err;
in->in_phyctxt = &sc->sc_phyctxt[0];
 
+   err = iwm_mac_ctxt_cmd(sc, in, IWM_FW_CTXT_ACTION_ADD, 0);
+   if (err) {
+   printf("%s: could not add MAC context (error %d)\n",
+   DEVNAME(sc), err);
+   return err;
+   }
+
err = iwm_binding_cmd(sc, in, IWM_FW_CTXT_ACTION_ADD);
if (err)
return err;
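Review bot: with the MAC context now added here in iwm_auth(), every failure after it (the `return err` after iwm_binding_cmd() is visible in this hunk) leaves that context in place; check that the deauth/failure path issues the matching IWM_FW_CTXT_ACTION_REMOVE, otherwise a retried iwm_auth() sends a second ADD for the same context. That code is not in the diff, so this is a question rather than a finding.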
@@ -5743,7 +5750,6 @@ int
 iwm_init_hw(struct iwm_softc *sc)
 {
struct ieee80211com *ic = &sc->sc_ic;
-   struct iwm_node *in = (struct iwm_node *)ic->ic_bss;
int err, i, ac;
 
err = iwm_preinit(sc);
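Review bot: after removing `in`, confirm `ic` is still referenced somewhere in iwm_init_hw(); if its only use was the cast to `struct iwm_node *`, the compiler will now flag it as unused.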
@@ -5865,13 +5871,6 @@ iwm_init_hw(struct iwm_softc *sc)
goto err;
}
}
-
-   err = iwm_mac_ctxt_cmd(sc, in, IWM_FW_CTXT_ACTION_ADD, 0);
-   if (err) {
-   printf("%s: could not add MAC context (error %d)\n",
-   DEVNAME(sc), err);
-   goto err;
-   }
 
err = iwm_disable_beacon_filter(sc);
if (err) {







Re: bgpd: local-as

2016-09-27 Thread Denis Fondras
> I know cisco has a similar feature. Can someone of you check how it
> detects AS loops? If it does at all. I guess people expect it to work
> similar to other vendors.
> 

I expect it to work the OpenBSD way. That means it shouldn't bite me. Detecting AS
loops is the way to go, whatever way  has decided to go.



Re: Remove empty #ifdef and #ifndef blocks

2016-09-27 Thread Jeremie Courreges-Anglas
Frederic Cambus  writes:

> Hi tech@,
>
> It seems some #ifdef and #ifndef blocks are no longer necessary.
>
> Comments? OK?

Sure.  Another one below, here since rev 1.1


Index: msdosfs_vfsops.c
===
RCS file: /cvs/src/sys/msdosfs/msdosfs_vfsops.c,v
retrieving revision 1.80
diff -u -p -p -u -r1.80 msdosfs_vfsops.c
--- msdosfs_vfsops.c7 Sep 2016 17:30:12 -   1.80
+++ msdosfs_vfsops.c27 Sep 2016 13:00:01 -
@@ -592,8 +592,6 @@ msdosfs_unmount(struct mount *mp, int mn
flags = 0;
if (mntflags & MNT_FORCE)
flags |= FORCECLOSE;
-#ifdef QUOTA
-#endif
if ((error = vflush(mp, NULLVP, flags)) != 0)
return (error);
pmp = VFSTOMSDOSFS(mp);

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE



Re: traceroute(8): drop to _traceroute user

2016-09-27 Thread Sebastien Marie
On Tue, Sep 27, 2016 at 01:03:55PM +0100, Stuart Henderson wrote:
> On 2016/09/27 12:23, Stuart Henderson wrote:
> > On 2016/09/27 11:12, Florian Obser wrote:
> > > On Tue, Sep 27, 2016 at 11:32:00AM +0100, Stuart Henderson wrote:
> > > > I just discovered an implication of the ping/traceroute changes:
> > > > bgplg users now need pwd.db in /var/www/etc.
> > > > 
> > > 
> > > Ooops. I guess this is a documentation problem?
> > 
> > I think so ... this is one way to do it:
> > 
> > # grep -e ^_ping -e ^_traceroute /etc/master.passwd > 
> > /var/www/etc/master.passwd.bgplg
> > # pwd_mkdb -d /var/www/etc master.passwd.bgplg
> > 
> 
> An alternative might be to allow the privdrop to fail as long as
> the calling user isn't root.

Maybe I will say something stupid, but ping(1) or traceroute(1) are suid
root:

$ ls -l /usr/sbin/traceroute /sbin/ping
-r-sr-xr-x  2 root  bin  219408 Sep 23 03:04 /sbin/ping*
-r-sr-xr-x  2 root  bin   34616 Sep 23 03:04 /usr/sbin/traceroute*

So not calling privdrop (setgroups+setresgid+setresuid) when the real uid
isn't root will still make the program run with the effective uid as root,
won't it?

I think we always want to drop effective uid once SOCK_RAW socket has
been opened.

Thanks.
-- 
Sebastien Marie

> Index: usr.sbin/traceroute/traceroute.c
> ===
> RCS file: /cvs/src/usr.sbin/traceroute/traceroute.c,v
> retrieving revision 1.148
> diff -u -p -r1.148 traceroute.c
> --- usr.sbin/traceroute/traceroute.c  27 Sep 2016 05:33:46 -  1.148
> +++ usr.sbin/traceroute/traceroute.c  27 Sep 2016 12:03:19 -
> @@ -347,9 +347,10 @@ main(int argc, char *argv[])
>  
>   /* revoke privs */
>   uid = getuid();
> - if ((pw = getpwnam(TRACEROUTE_USER)) == NULL)
> - errx(1, "no %s user", TRACEROUTE_USER);
> - if (setgroups(1, &pw->pw_gid) ||
> + if ((pw = getpwnam(TRACEROUTE_USER)) == NULL) {
> + if (uid == 0)
> + errx(1, "no %s user", TRACEROUTE_USER);
> + } else if (setgroups(1, &pw->pw_gid) ||
>   setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
>   setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
>   err(1, "unable to revoke privs");
> Index: sbin/ping/ping.c
> ===
> RCS file: /cvs/src/sbin/ping/ping.c,v
> retrieving revision 1.215
> diff -u -p -r1.215 ping.c
> --- sbin/ping/ping.c  26 Sep 2016 16:42:46 -  1.215
> +++ sbin/ping/ping.c  27 Sep 2016 12:03:19 -
> @@ -275,9 +275,10 @@ main(int argc, char *argv[])
>  
>   /* revoke privs */
>   uid = getuid();
> - if ((pw = getpwnam(PING_USER)) == NULL)
> - errx(1, "no %s user", PING_USER);
> - if (setgroups(1, &pw->pw_gid) ||
> + if ((pw = getpwnam(PING_USER)) == NULL) {
> + if (uid == 0)
> + errx(1, "no %s user", PING_USER);
> + } else if (setgroups(1, &pw->pw_gid) ||
>   setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
>   setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
>   err(1, "unable to revoke privs");
> 
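To make the point above concrete, here is an added example of the privilege drop a setuid-root tool should do once it has its raw socket: resolve the dedicated user, fall back to the caller's real ids when that user does not exist (the bgplg chroot case), drop groups, gid and uid in that order, and then check that the drop really happened. This is illustration code written for this page, not OpenBSD's ping.c or traceroute.c and not from anyone in the thread; the user name _ping and the raw ICMP socket are taken from the discussion, the function names resolve_target, drop_privs and privs_dropped are chosen here, and it assumes a platform with setresuid(2)/getresuid(2) (OpenBSD, glibc). One deliberate difference from the diffs in the thread: setgroups(2) is only attempted while euid is 0, because an already unprivileged process cannot call it.

```c
#define _GNU_SOURCE             /* setresuid/getresuid prototypes on glibc */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/*
 * Pick the identity to drop to.  Returns 1 when the named user exists
 * (its uid/gid are used) and 0 when it does not, in which case the
 * caller's real ids are used, so a setuid-root binary never keeps euid 0
 * merely because a system user is missing (e.g. inside a chroot).
 */
int
resolve_target(const char *user, uid_t *uid, gid_t *gid)
{
	struct passwd *pw;

	if (user != NULL && (pw = getpwnam(user)) != NULL) {
		*uid = pw->pw_uid;
		*gid = pw->pw_gid;
		return 1;
	}
	*uid = getuid();
	*gid = getgid();
	return 0;
}

/*
 * Revoke privileges: supplementary groups, then gid, then uid.  The order
 * matters: once euid is no longer 0 the group calls fail with EPERM.
 * setgroups(2) itself needs root, so it is only attempted while euid is 0
 * (this guard is the one difference from the ping.c/traceroute.c diffs).
 * Returns 0 on success, -1 with errno set on failure.
 */
int
drop_privs(const char *user)
{
	uid_t uid;
	gid_t gid;

	if (!resolve_target(user, &uid, &gid))
		fprintf(stderr, "no %s user, dropping to real ids\n",
		    user != NULL ? user : "(null)");
	if (geteuid() == 0 && setgroups(1, &gid) == -1)
		return -1;
	if (setresgid(gid, gid, gid) == -1)
		return -1;
	if (setresuid(uid, uid, uid) == -1)
		return -1;
	return 0;
}

/*
 * Check that the drop is complete and irreversible: all three uids and all
 * three gids must agree, and when the target is not root, setuid(0) must
 * now fail (a retained saved uid of 0 would let it succeed).
 */
int
privs_dropped(void)
{
	uid_t ruid, euid, suid;
	gid_t rgid, egid, sgid;

	if (getresuid(&ruid, &euid, &suid) == -1 ||
	    getresgid(&rgid, &egid, &sgid) == -1)
		return 0;
	if (ruid != euid || euid != suid || rgid != egid || egid != sgid)
		return 0;
	if (euid != 0 && setuid(0) == 0)
		return 0;
	return 1;
}

/*
 * Stand-alone demo: open the privileged resource first (a raw ICMP socket,
 * the same pattern as ping), then drop, then verify.
 * Usage: ./privdrop [user]   (defaults to _ping, the user from the thread)
 */
int
main(int argc, char *argv[])
{
	const char *user = argc > 1 ? argv[1] : "_ping";
	int s = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);

	if (s == -1)
		fprintf(stderr, "raw socket: %s (continuing)\n", strerror(errno));
	if (drop_privs(user) == -1) {
		perror("drop_privs");
		return 1;
	}
	printf("ruid=%u euid=%u dropped=%s\n", (unsigned)getuid(),
	    (unsigned)geteuid(), privs_dropped() ? "yes" : "NO");
	if (s != -1)
		close(s);
	return privs_dropped() ? 0 : 1;
}
```

Run as root (or setuid root) the program keeps the raw socket and ends up as _ping; run as an ordinary user with no _ping entry it prints the warning and stays as the caller, which is the behaviour the thread converges on. The privs_dropped() check is the part worth keeping in real code: a drop that only sets the effective uid leaves the saved uid at 0, and the setuid(0) probe catches that.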



Re: traceroute(8): drop to _traceroute user

2016-09-27 Thread Stuart Henderson
On 2016/09/27 12:23, Stuart Henderson wrote:
> On 2016/09/27 11:12, Florian Obser wrote:
> > On Tue, Sep 27, 2016 at 11:32:00AM +0100, Stuart Henderson wrote:
> > > I just discovered an implication of the ping/traceroute changes:
> > > bgplg users now need pwd.db in /var/www/etc.
> > > 
> > 
> > Ooops. I guess this is a documentation problem?
> 
> I think so ... this is one way to do it:
> 
> # grep -e ^_ping -e ^_traceroute /etc/master.passwd > 
> /var/www/etc/master.passwd.bgplg
> # pwd_mkdb -d /var/www/etc master.passwd.bgplg
> 

An alternative might be to allow the privdrop to fail as long as
the calling user isn't root.

Index: usr.sbin/traceroute/traceroute.c
===
RCS file: /cvs/src/usr.sbin/traceroute/traceroute.c,v
retrieving revision 1.148
diff -u -p -r1.148 traceroute.c
--- usr.sbin/traceroute/traceroute.c27 Sep 2016 05:33:46 -  1.148
+++ usr.sbin/traceroute/traceroute.c27 Sep 2016 12:03:19 -
@@ -347,9 +347,10 @@ main(int argc, char *argv[])
 
/* revoke privs */
uid = getuid();
-   if ((pw = getpwnam(TRACEROUTE_USER)) == NULL)
-   errx(1, "no %s user", TRACEROUTE_USER);
-   if (setgroups(1, &pw->pw_gid) ||
+   if ((pw = getpwnam(TRACEROUTE_USER)) == NULL) {
+   if (uid == 0)
+   errx(1, "no %s user", TRACEROUTE_USER);
+   } else if (setgroups(1, &pw->pw_gid) ||
setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
err(1, "unable to revoke privs");
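Review bot: when getpwnam() fails and `uid != 0`, this branch falls through without any setres*() call, so a setuid-root traceroute keeps euid 0 for the rest of the run; the `uid == 0` test only changes who gets the error. Drop to the real ids in that case (`setresgid(getgid(), ...)`, `setresuid(uid, uid, uid)`), which is the point Sebastien makes in his reply in this thread.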
Index: sbin/ping/ping.c
===
RCS file: /cvs/src/sbin/ping/ping.c,v
retrieving revision 1.215
diff -u -p -r1.215 ping.c
--- sbin/ping/ping.c26 Sep 2016 16:42:46 -  1.215
+++ sbin/ping/ping.c27 Sep 2016 12:03:19 -
@@ -275,9 +275,10 @@ main(int argc, char *argv[])
 
/* revoke privs */
uid = getuid();
-   if ((pw = getpwnam(PING_USER)) == NULL)
-   errx(1, "no %s user", PING_USER);
-   if (setgroups(1, &pw->pw_gid) ||
+   if ((pw = getpwnam(PING_USER)) == NULL) {
+   if (uid == 0)
+   errx(1, "no %s user", PING_USER);
+   } else if (setgroups(1, &pw->pw_gid) ||
setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
err(1, "unable to revoke privs");
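Review bot: same gap as the traceroute hunk: a non-root caller keeps euid 0 when PING_USER is missing, because nothing is dropped in that branch.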



Re: traceroute(8): drop to _traceroute user

2016-09-27 Thread Stuart Henderson
On 2016/09/27 11:12, Florian Obser wrote:
> On Tue, Sep 27, 2016 at 11:32:00AM +0100, Stuart Henderson wrote:
> > I just discovered an implication of the ping/traceroute changes:
> > bgplg users now need pwd.db in /var/www/etc.
> > 
> 
> Ooops. I guess this is a documentation problem?

I think so ... this is one way to do it:

# grep -e ^_ping -e ^_traceroute /etc/master.passwd > 
/var/www/etc/master.passwd.bgplg
# pwd_mkdb -d /var/www/etc master.passwd.bgplg



Re: traceroute(8): drop to _traceroute user

2016-09-27 Thread Peter Hessler
On 2016 Sep 27 (Tue) at 11:12:40 + (+), Florian Obser wrote:
:On Tue, Sep 27, 2016 at 11:32:00AM +0100, Stuart Henderson wrote:
:> I just discovered an implication of the ping/traceroute changes:
:> bgplg users now need pwd.db in /var/www/etc.
:> 
:
:Ooops. I guess this is a documentation problem?
:

We already require a user to copy over /etc/resolv.conf, so copying over
the insecure db should be fine.  Add it to the man page, and maybe
current.html/upgrade guides.


-- 
As long as war is regarded as wicked, it will always have its
fascination.  When it is looked upon as vulgar, it will cease to be
popular.
-- Oscar Wilde



Re: traceroute(8): drop to _traceroute user

2016-09-27 Thread Florian Obser
On Tue, Sep 27, 2016 at 11:32:00AM +0100, Stuart Henderson wrote:
> I just discovered an implication of the ping/traceroute changes:
> bgplg users now need pwd.db in /var/www/etc.
> 

Ooops. I guess this is a documentation problem?

-- 
I'm not entirely sure you are real.



Remove empty #ifdef and #ifndef blocks

2016-09-27 Thread Frederic Cambus
Hi tech@,

It seems some #ifdef and #ifndef blocks are no longer necessary.

Comments? OK?

Index: sys/netinet/ip_spd.c
===
RCS file: /cvs/src/sys/netinet/ip_spd.c,v
retrieving revision 1.90
diff -u -p -r1.90 ip_spd.c
--- sys/netinet/ip_spd.c15 Sep 2016 02:00:18 -  1.90
+++ sys/netinet/ip_spd.c27 Sep 2016 09:25:39 -
@@ -38,10 +38,6 @@
 #include 
 #include 
 #include 
-
-#ifdef INET6
-#endif /* INET6 */
-
 #include 
 #include 
 
Index: usr.bin/ftp/extern.h
===
RCS file: /cvs/src/usr.bin/ftp/extern.h,v
retrieving revision 1.44
diff -u -p -r1.44 extern.h
--- usr.bin/ftp/extern.h20 Aug 2016 20:18:42 -  1.44
+++ usr.bin/ftp/extern.h27 Sep 2016 09:25:39 -
@@ -101,8 +101,6 @@ voidptransfer(int);
 void   recvrequest(const char *, const char *, const char *,
const char *, int, int);
 char   *remglob(char **, int, char **);
-#ifndef SMALL
-#endif /* !SMALL */
 off_t  remotesize(const char *, int);
 time_t remotemodtime(const char *, int);
 void   reset(int, char **);



Re: traceroute(8): drop to _traceroute user

2016-09-27 Thread Stuart Henderson
I just discovered an implication of the ping/traceroute changes:
bgplg users now need pwd.db in /var/www/etc.



Re: bgpd: local-as

2016-09-27 Thread Claudio Jeker
On Mon, Sep 26, 2016 at 11:14:51PM +0200, Sebastian Benoit wrote:
> If we do this, i think the as-path loop detection needs to also check for
> these additional ASes.
> 
> Otherwise we create a nice loop when we get our own route
> from an ebgp neighbor with this as in the path.
> 

I know cisco has a similar feature. Can someone of you check how it
detects AS loops? If it does at all. I guess people expect it to work
similar to other vendors.

> Peter Hessler(phess...@openbsd.org) on 2016.09.26 20:09:13 +0200:
> > We already have a local AS saved per peer.  Let's use it.  This is very
> > useful when one needs to change their local AS.
> > 
> > "
> > neighbor 192.0.2.1 {
> > remote-as 65530
> > local-as 131000
> > }
> > "
> > 
> > OK?
> > 
> > 
> > Index: parse.y
> > ===
> > RCS file: /cvs/openbsd/src/usr.sbin/bgpd/parse.y,v
> > retrieving revision 1.288
> > diff -u -p -u -p -r1.288 parse.y
> > --- parse.y 21 Jun 2016 21:35:24 -  1.288
> > +++ parse.y 26 Sep 2016 14:46:23 -
> > @@ -175,7 +175,7 @@ typedef struct {
> >  %token RDOMAIN RD EXPORTTRGT IMPORTTRGT
> >  %token RDE RIB EVALUATE IGNORE COMPARE
> >  %token GROUP NEIGHBOR NETWORK
> > -%token REMOTEAS DESCR LOCALADDR MULTIHOP PASSIVE MAXPREFIX RESTART
> > +%token LOCALAS REMOTEAS DESCR LOCALADDR MULTIHOP PASSIVE MAXPREFIX 
> > RESTART
> >  %token ANNOUNCE CAPABILITIES REFRESH AS4BYTE CONNECTRETRY
> >  %token DEMOTE ENFORCE NEIGHBORAS REFLECTOR DEPEND DOWN SOFTRECONFIG
> >  %token DUMP IN OUT SOCKET RESTRICTED
> > @@ -1004,6 +1004,9 @@ peeroptsl : peeropts nl
> >  peeropts   : REMOTEAS as4number{
> > curpeer->conf.remote_as = $2;
> > }
> > +   | LOCALAS as4number {
> > +   curpeer->conf.local_as = $2;
> > +   }
> > | DESCR string  {
> > if (strlcpy(curpeer->conf.descr, $2,
> > sizeof(curpeer->conf.descr)) >=
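Review bot: the new `LOCALAS as4number` rule stores `curpeer->conf.local_as`, but nothing in this diff feeds that value into AS-path loop detection, which is the concern raised in the reply above: a route originated under `local-as 131000` that comes back from an eBGP neighbour with 131000 in its path would not be recognised as our own. The loop check needs to treat every configured local-as as a local AS alongside the global `conf->as`.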
> > @@ -2249,6 +2252,7 @@ lookup(char *s)
> > { "key",KEY},
> > { "listen", LISTEN},
> > { "local-address",  LOCALADDR},
> > +   { "local-as",   LOCALAS},
> > { "localpref",  LOCALPREF},
> > { "log",LOG},
> > { "match",  MATCH},
> > Index: printconf.c
> > ===
> > RCS file: /cvs/openbsd/src/usr.sbin/bgpd/printconf.c,v
> > retrieving revision 1.97
> > diff -u -p -u -p -r1.97 printconf.c
> > --- printconf.c 13 Jul 2016 20:07:38 -  1.97
> > +++ printconf.c 26 Sep 2016 17:41:58 -
> > @@ -365,6 +365,8 @@ print_peer(struct peer_config *p, struct
> > printf("%s\trib \"%s\"\n", c, p->rib);
> > if (p->remote_as)
> > printf("%s\tremote-as %s\n", c, log_as(p->remote_as));
> > +   if (p->local_as != conf->as)
> > +   printf("%s\tlocale-as %s\n", c, log_as(p->local_as));
> > if (p->down)
> > printf("%s\tdown\n", c);
> > if (p->distance > 1)
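Review bot: the keyword printed here is misspelled: `printf("%s\tlocale-as %s\n", c, log_as(p->local_as));` emits `locale-as`, while the keyword added to the parser table in parse.y is `local-as`, so a configuration dumped by this code would not parse back in. Change the format string to `"%s\tlocal-as %s\n"`.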
> > Index: session.c
> > ===
> > RCS file: /cvs/openbsd/src/usr.sbin/bgpd/session.c,v
> > retrieving revision 1.354
> > diff -u -p -u -p -r1.354 session.c
> > --- session.c   3 Sep 2016 16:22:17 -   1.354
> > +++ session.c   26 Sep 2016 17:47:59 -
> > @@ -1461,7 +1461,7 @@ session_open(struct peer *p)
> > if (p->capa.ann.as4byte) {  /* 4 bytes data */
> > u_int32_t   nas;
> >  
> > -   nas = htonl(conf->as);
> > +   nas = htonl(p->conf.local_as);
> > errs += session_capa_add(opb, CAPA_AS4BYTE, sizeof(nas));
> > errs += ibuf_add(opb, &nas, sizeof(nas));
> > }
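Review bot: this hunk only changes the 4-byte value carried in the AS4BYTE capability; the 2-byte My Autonomous System field of the OPEN header is not shown and must be derived from the same `p->conf.local_as` (AS_TRANS when it does not fit in 16 bits), otherwise a peer without AS4 support would be told a different AS than one with it.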
> > @@ -2120,7 +2120,7 @@ parse_open(struct peer *peer)
> > /* if remote-as is zero and it's a cloned neighbor, accept any */
> > if (peer->template && !peer->conf.remote_as && as != AS_TRANS) {
> > peer->conf.remote_as = as;
> > -   peer->conf.ebgp = (peer->conf.remote_as != conf->as);
> > +   peer->conf.ebgp = (peer->conf.remote_as != peer->conf.local_as);
> > if (!peer->conf.ebgp)
> > /* force enforce_as off for iBGP sessions */
> > peer->conf.enforce_as = ENFORCE_AS_OFF;
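Review bot: `ebgp` is recomputed against `peer->conf.local_as` only on the cloned-neighbour path (`remote-as` zero); the place where `ebgp` is set for peers with a statically configured `remote-as` is not in this diff and needs the same change, otherwise such a session would still be classified as iBGP or eBGP by comparing with the global `conf->as` rather than its own `local-as`.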
> > @@ -3074,7 +3074,7 @@ session_template_clone(struct peer *p, s
> >  
> > if (as) {
> > p->conf.remote_as = as;
> > -   p->conf.ebgp = (p->conf.remote_as != conf->as);
> > +   p->conf.ebgp = (p->conf.remote_as != p->conf.local_as);
> > if (!p->conf.ebgp)
> > /* force enforce_as off for iBGP sessions */
> > p->conf.enforce_as = ENFORCE_AS_OFF;
> > Index: bgpd.conf.5
> > ===
> 
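The loop-detection point discussed in this exchange, as an added illustration that is not bgpd code: a minimal C model of an AS-path check that treats every per-peer local-as as "ours" in addition to the global AS. The field names `as`, `remote_as` and `local_as` are borrowed from the diff; `collect_local_ases`, `aspath_has_loop`, the `accept_route_*` functions and the sample ASNs 64500 and 64496 are constructed for this example (65530 and 131000 come from the quoted config).

```c
/*
 * Added example, not bgpd code: AS-path loop detection that counts every
 * configured local-as as a local AS. Struct field names mirror the diff
 * above; everything else is a hypothetical simplification.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_LOCAL_AS 16

struct peer_cfg {
	uint32_t remote_as;
	uint32_t local_as;	/* 0 = session uses the global AS */
};

/*
 * Build the set of ASNs that must never appear in a received AS_PATH:
 * the global AS plus every distinct non-zero per-peer local-as.
 * Returns the number of entries written to out (at most cap).
 */
size_t
collect_local_ases(uint32_t global_as, const struct peer_cfg *peers,
    size_t npeers, uint32_t *out, size_t cap)
{
	size_t n = 0, i, j;

	if (cap == 0)
		return 0;
	out[n++] = global_as;
	for (i = 0; i < npeers; i++) {
		uint32_t as = peers[i].local_as;
		bool seen = false;

		if (as == 0)
			continue;
		for (j = 0; j < n; j++)
			if (out[j] == as) {
				seen = true;
				break;
			}
		if (!seen && n < cap)
			out[n++] = as;
	}
	return n;
}

/* True if any ASN in path is one of ours: the route has looped back. */
bool
aspath_has_loop(const uint32_t *path, size_t pathlen,
    const uint32_t *local, size_t nlocal)
{
	size_t i, j;

	for (i = 0; i < pathlen; i++)
		for (j = 0; j < nlocal; j++)
			if (path[i] == local[j])
				return true;
	return false;
}

/* Old behaviour: only the global AS is checked, so a route carrying a
 * per-peer local-as but not the global AS is accepted and loops. */
bool
accept_route_old(uint32_t global_as, const uint32_t *path, size_t pathlen)
{
	return !aspath_has_loop(path, pathlen, &global_as, 1);
}

/* New behaviour: every configured local-as counts as ours. */
bool
accept_route_new(uint32_t global_as, const struct peer_cfg *peers,
    size_t npeers, const uint32_t *path, size_t pathlen)
{
	uint32_t local[MAX_LOCAL_AS];
	size_t n = collect_local_ases(global_as, peers, npeers, local,
	    MAX_LOCAL_AS);

	return !aspath_has_loop(path, pathlen, local, n);
}

int
main(void)
{
	/* constructed sample: we are AS 64500, still speaking 131000 to one peer */
	struct peer_cfg peers[] = {
		{ .remote_as = 65530, .local_as = 131000 },
		{ .remote_as = 64496, .local_as = 0 },
	};
	/* constructed AS_PATH: our own route, announced earlier under
	 * local-as 131000, coming back from an eBGP neighbour */
	uint32_t path[] = { 65530, 131000, 64496 };

	printf("old check accepts: %d\n", accept_route_old(64500, path, 3));
	printf("new check accepts: %d\n",
	    accept_route_new(64500, peers, 2, path, 3));
	return 0;
}
```

With the sample path the old check accepts the route (64500 is absent), while the new check rejects it because 131000 is in the local set.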

netstart+switch(4): delay interface start

2016-09-27 Thread Rafael Zalamena
switch(4) needs to have its interface start up delayed, otherwise the
netstart script will fail to configure switch(4) with virtual interfaces
like vether(4). This diff adds switch(4) to the delayed list just like
bridge(4).

ok?


Index: netstart
===
RCS file: /home/obsdcvs/src/etc/netstart,v
retrieving revision 1.170
diff -u -p -r1.170 netstart
--- netstart9 Sep 2016 19:48:16 -   1.170
+++ netstart27 Sep 2016 10:04:47 -
@@ -251,7 +251,7 @@ fi
 
 # Configure all the non-loopback interfaces which we know about, but
 # do not start interfaces which must be delayed. Refer to hostname.if(5)
-ifmstart "" "trunk svlan vlan carp gif gre pfsync pppoe tun bridge pflow"
+ifmstart "" "trunk svlan vlan carp gif gre pfsync pppoe tun bridge pflow 
switch"
 
 # The trunk interfaces need to come up first in this list.
 # The (s)vlan interfaces need to come up after trunk.
@@ -283,7 +283,7 @@ fi
 # require routes to be set. TUN might depend on PPPoE, and GIF or GRE may
 # depend on either of them. PFLOW might bind to ip addresses configured
 # on either of them.
-ifmstart "pppoe tun gif gre bridge pflow"
+ifmstart "pppoe tun gif gre bridge pflow switch"
 
 # Reject 127/8 other than 127.0.0.1.
 route -qn add -net 127 127.0.0.1 -reject >/dev/null
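Review bot: the comment block above this hunk explains why each delayed type waits (TUN on PPPoE, GIF/GRE on those, PFLOW on configured addresses) but says nothing about the new `switch` entry; add a sentence stating that switch(4) is delayed because it attaches virtual interfaces such as vether(4) that must already exist, as the mail text says, so the dependency is documented where the list lives.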