Re: ocspcheck typos

2017-01-26 Thread Jason McIntyre
On Fri, Jan 27, 2017 at 03:58:39AM +, Tom Cosgrove wrote:
> >>> Jason McIntyre 26-Jan-17 23:00 >>>
> >
> > On Thu, Jan 26, 2017 at 11:15:05PM +0100, Holger Mikolon wrote:
> > > Hi,
> > > 
> > > below are two minor typo fixes: s/OSCP/OCSP/
> > > 
> > > Holger
> > > ;-se
> >
> > fixed, thanks, plus one more in nc.
> > jmc
> 
> There are also these in comments and warning messages.
> 
> ok?  (Asking as these aren't any of my usual areas)
> 

yes, ok.
jmc

> 
> Index: lib/libtls/tls_ocsp.c
> ===
> RCS file: /cvs/src/lib/libtls/tls_ocsp.c,v
> retrieving revision 1.9
> diff -u -p -u -r1.9 tls_ocsp.c
> --- lib/libtls/tls_ocsp.c 5 Nov 2016 15:13:26 -   1.9
> +++ lib/libtls/tls_ocsp.c 27 Jan 2017 03:58:11 -
> @@ -356,7 +356,7 @@ tls_ocsp_stapling_cb(SSL *ssl, void *arg
>   * Public API
>   */
>  
> -/* Retrieve OSCP URL from peer certificate, if present */
> +/* Retrieve OCSP URL from peer certificate, if present */
>  const char *
>  tls_peer_ocsp_url(struct tls *ctx)
>  {
> Index: usr.sbin/httpd/parse.y
> ===
> RCS file: /cvs/src/usr.sbin/httpd/parse.y,v
> retrieving revision 1.87
> diff -u -p -u -r1.87 parse.y
> --- usr.sbin/httpd/parse.y5 Jan 2017 13:53:09 -   1.87
> +++ usr.sbin/httpd/parse.y27 Jan 2017 03:58:11 -
> @@ -344,7 +344,7 @@ server: SERVER optmatch STRING{
>  
>   if (server_tls_load_ocsp(srv) == -1) {
>   yyerror("server \"%s\": failed to load "
> - "oscp staple", srv->srv_conf.name);
> + "ocsp staple", srv->srv_conf.name);
>   serverconfig_free(srv_conf);
>   free(srv);
>   YYERROR;
> @@ -2069,7 +2069,7 @@ server_inherit(struct server *src, struc
>   }
>  
>   if (server_tls_load_ocsp(dst) == -1) {
> - yyerror("failed to load oscp staple "
> + yyerror("failed to load ocsp staple "
>   "for server %s", dst->srv_conf.name);
>   serverconfig_free(>srv_conf);
>   free(dst);
> Index: regress/usr.bin/openssl/appstest.sh
> ===
> RCS file: /cvs/src/regress/usr.bin/openssl/appstest.sh,v
> retrieving revision 1.1
> diff -u -p -u -r1.1 appstest.sh
> --- regress/usr.bin/openssl/appstest.sh   6 Nov 2016 11:56:43 -   
> 1.1
> +++ regress/usr.bin/openssl/appstest.sh   27 Jan 2017 03:58:11 -
> @@ -847,7 +847,7 @@ ocsp_svr_pid=$!
>  echo "ocsp server pid = [ $ocsp_svr_pid ]"
>  sleep 1
>  
> -# send query to oscp server
> +# send query to ocsp server
>  start_message "ocsp ... send OCSP request to server"
>  
>  ocsp_qry=$user1_dir/ocsp_qry.der



Re: ocspcheck typos

2017-01-26 Thread Tom Cosgrove
>>> Jason McIntyre 26-Jan-17 23:00 >>>
>
> On Thu, Jan 26, 2017 at 11:15:05PM +0100, Holger Mikolon wrote:
> > Hi,
> > 
> > below are two minor typo fixes: s/OSCP/OCSP/
> > 
> > Holger
> > ;-se
>
> fixed, thanks, plus one more in nc.
> jmc

There are also these in comments and warning messages.

ok?  (Asking as these aren't any of my usual areas)


Index: lib/libtls/tls_ocsp.c
===
RCS file: /cvs/src/lib/libtls/tls_ocsp.c,v
retrieving revision 1.9
diff -u -p -u -r1.9 tls_ocsp.c
--- lib/libtls/tls_ocsp.c   5 Nov 2016 15:13:26 -   1.9
+++ lib/libtls/tls_ocsp.c   27 Jan 2017 03:58:11 -
@@ -356,7 +356,7 @@ tls_ocsp_stapling_cb(SSL *ssl, void *arg
  * Public API
  */
 
-/* Retrieve OSCP URL from peer certificate, if present */
+/* Retrieve OCSP URL from peer certificate, if present */
 const char *
 tls_peer_ocsp_url(struct tls *ctx)
 {
Index: usr.sbin/httpd/parse.y
===
RCS file: /cvs/src/usr.sbin/httpd/parse.y,v
retrieving revision 1.87
diff -u -p -u -r1.87 parse.y
--- usr.sbin/httpd/parse.y  5 Jan 2017 13:53:09 -   1.87
+++ usr.sbin/httpd/parse.y  27 Jan 2017 03:58:11 -
@@ -344,7 +344,7 @@ server  : SERVER optmatch STRING{
 
if (server_tls_load_ocsp(srv) == -1) {
yyerror("server \"%s\": failed to load "
-   "oscp staple", srv->srv_conf.name);
+   "ocsp staple", srv->srv_conf.name);
serverconfig_free(srv_conf);
free(srv);
YYERROR;
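
Review bot: in the yyerror() string fixed at "ocsp staple", the acronym stays lower-case while the comment fixed in tls_ocsp.c writes it as OCSP; since the string is being touched anyway, "OCSP staple" would make the user-facing message match.
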
@@ -2069,7 +2069,7 @@ server_inherit(struct server *src, struc
}
 
if (server_tls_load_ocsp(dst) == -1) {
-   yyerror("failed to load oscp staple "
+   yyerror("failed to load ocsp staple "
"for server %s", dst->srv_conf.name);
serverconfig_free(>srv_conf);
free(dst);
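
Review bot: the message in server_inherit(), "failed to load ocsp staple for server %s", puts the server name last and unquoted, while the one at line 344 reads server "%s": failed to load ocsp staple; with both strings already being edited, giving them the same form would let one grep pattern catch both failures.
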
Index: regress/usr.bin/openssl/appstest.sh
===
RCS file: /cvs/src/regress/usr.bin/openssl/appstest.sh,v
retrieving revision 1.1
diff -u -p -u -r1.1 appstest.sh
--- regress/usr.bin/openssl/appstest.sh 6 Nov 2016 11:56:43 -   1.1
+++ regress/usr.bin/openssl/appstest.sh 27 Jan 2017 03:58:11 -
@@ -847,7 +847,7 @@ ocsp_svr_pid=$!
 echo "ocsp server pid = [ $ocsp_svr_pid ]"
 sleep 1
 
-# send query to oscp server
+# send query to ocsp server
 start_message "ocsp ... send OCSP request to server"
 
 ocsp_qry=$user1_dir/ocsp_qry.der



Re: ip6_output: copypktopts - drop canwait

2017-01-26 Thread Martin Pieuchot
On 26/01/17(Thu) 15:40, David Hill wrote:
> Hi -
> 
> copypktopts is only called by ip6_setpktopts with M_NOWAIT.  Drop
> canwait to make this simpler and more readable.

ok mpi@

> 
> Index: ip6_output.c
> ===
> RCS file: /cvs/src/sys/netinet6/ip6_output.c,v
> retrieving revision 1.221
> diff -u -p -r1.221 ip6_output.c
> --- ip6_output.c  19 Jan 2017 14:49:19 -  1.221
> +++ ip6_output.c  26 Jan 2017 20:18:00 -
> @@ -127,7 +127,7 @@ int ip6_insertfraghdr(struct mbuf *, str
>  int ip6_insert_jumboopt(struct ip6_exthdrs *, u_int32_t);
>  int ip6_splithdr(struct mbuf *, struct ip6_exthdrs *);
>  int ip6_getpmtu(struct rtentry *, struct ifnet *, u_long *);
> -int copypktopts(struct ip6_pktopts *, struct ip6_pktopts *, int);
> +int copypktopts(struct ip6_pktopts *, struct ip6_pktopts *);
>  static __inline u_int16_t __attribute__((__unused__))
>  in6_cksum_phdr(const struct in6_addr *, const struct in6_addr *,
>  u_int32_t, u_int32_t);
> @@ -1839,22 +1839,22 @@ ip6_clearpktopts(struct ip6_pktopts *pkt
>  do {\
>   if (src->type) {\
>   size_t hlen = (((struct ip6_ext *)src->type)->ip6e_len + 1) << 
> 3;\
> - dst->type = malloc(hlen, M_IP6OPT, canwait);\
> - if (dst->type == NULL && canwait == M_NOWAIT)\
> + dst->type = malloc(hlen, M_IP6OPT, M_NOWAIT);\
> + if (dst->type == NULL)\
>   goto bad;\
>   memcpy(dst->type, src->type, hlen);\
>   }\
>  } while (/*CONSTCOND*/ 0)
>  
>  int
> -copypktopts(struct ip6_pktopts *dst, struct ip6_pktopts *src, int canwait)
> +copypktopts(struct ip6_pktopts *dst, struct ip6_pktopts *src)
>  {
>   dst->ip6po_hlim = src->ip6po_hlim;
>   dst->ip6po_tclass = src->ip6po_tclass;
>   dst->ip6po_flags = src->ip6po_flags;
>   if (src->ip6po_pktinfo) {
>   dst->ip6po_pktinfo = malloc(sizeof(*dst->ip6po_pktinfo),
> - M_IP6OPT, canwait);
> + M_IP6OPT, M_NOWAIT);
>   if (dst->ip6po_pktinfo == NULL)
>   goto bad;
>   *dst->ip6po_pktinfo = *src->ip6po_pktinfo;
> @@ -2256,7 +2256,7 @@ ip6_setpktopts(struct mbuf *control, str
>* but we can allow this since this option should be rarely
>* used.
>*/
> - if ((error = copypktopts(opt, stickyopt, M_NOWAIT)) != 0)
> + if ((error = copypktopts(opt, stickyopt)) != 0)
>   return (error);
>   }
>  
> 



Re: ocspcheck typos

2017-01-26 Thread Jason McIntyre
On Thu, Jan 26, 2017 at 11:15:05PM +0100, Holger Mikolon wrote:
> Hi,
> 
> below are two minor typo fixes: s/OSCP/OCSP/
> 
> Holger
> ;-se
> 
> 

fixed, thanks, plus one more in nc.
jmc

> Index: ocspcheck.8
> ===
> RCS file: /cvs/src/usr.sbin/ocspcheck/ocspcheck.8,v
> retrieving revision 1.5
> diff -u -p -u -r1.5 ocspcheck.8
> --- ocspcheck.8   24 Jan 2017 12:00:19 -  1.5
> +++ ocspcheck.8   26 Jan 2017 22:11:08 -
> @@ -19,7 +19,7 @@
>  .Os
>  .Sh NAME
>  .Nm ocspcheck
> -.Nd check a certificate for validity against its OSCP responder
> +.Nd check a certificate for validity against its OCSP responder
>  .Sh SYNOPSIS
>  .Nm
>  .Op Fl Nv
> Index: ocspcheck.c
> ===
> RCS file: /cvs/src/usr.sbin/ocspcheck/ocspcheck.c,v
> retrieving revision 1.13
> diff -u -p -u -r1.13 ocspcheck.c
> --- ocspcheck.c   26 Jan 2017 00:58:32 -  1.13
> +++ ocspcheck.c   26 Jan 2017 22:11:08 -
> @@ -556,7 +556,7 @@ main(int argc, char **argv)
>  
>   /*
>* Load our certificate and keystore, and build up an
> -  * OSCP request based on the full certificate chain
> +  * OCSP request based on the full certificate chain
>* we have been given to check.
>*/
>   if ((castore = read_cacerts(cafile)) == NULL)
> 



ocspcheck typos

2017-01-26 Thread Holger Mikolon
Hi,

below are two minor typo fixes: s/OSCP/OCSP/

Holger
;-se


Index: ocspcheck.8
===
RCS file: /cvs/src/usr.sbin/ocspcheck/ocspcheck.8,v
retrieving revision 1.5
diff -u -p -u -r1.5 ocspcheck.8
--- ocspcheck.8 24 Jan 2017 12:00:19 -  1.5
+++ ocspcheck.8 26 Jan 2017 22:11:08 -
@@ -19,7 +19,7 @@
 .Os
 .Sh NAME
 .Nm ocspcheck
-.Nd check a certificate for validity against its OSCP responder
+.Nd check a certificate for validity against its OCSP responder
 .Sh SYNOPSIS
 .Nm
 .Op Fl Nv
Index: ocspcheck.c
===
RCS file: /cvs/src/usr.sbin/ocspcheck/ocspcheck.c,v
retrieving revision 1.13
diff -u -p -u -r1.13 ocspcheck.c
--- ocspcheck.c 26 Jan 2017 00:58:32 -  1.13
+++ ocspcheck.c 26 Jan 2017 22:11:08 -
@@ -556,7 +556,7 @@ main(int argc, char **argv)
 
/*
 * Load our certificate and keystore, and build up an
-* OSCP request based on the full certificate chain
+* OCSP request based on the full certificate chain
 * we have been given to check.
 */
if ((castore = read_cacerts(cafile)) == NULL)



ip6_output: copypktopts - drop canwait

2017-01-26 Thread David Hill
Hi -

copypktopts is only called by ip6_setpktopts with M_NOWAIT.  Drop
canwait to make this simpler and more readable.

Index: ip6_output.c
===
RCS file: /cvs/src/sys/netinet6/ip6_output.c,v
retrieving revision 1.221
diff -u -p -r1.221 ip6_output.c
--- ip6_output.c19 Jan 2017 14:49:19 -  1.221
+++ ip6_output.c26 Jan 2017 20:18:00 -
@@ -127,7 +127,7 @@ int ip6_insertfraghdr(struct mbuf *, str
 int ip6_insert_jumboopt(struct ip6_exthdrs *, u_int32_t);
 int ip6_splithdr(struct mbuf *, struct ip6_exthdrs *);
 int ip6_getpmtu(struct rtentry *, struct ifnet *, u_long *);
-int copypktopts(struct ip6_pktopts *, struct ip6_pktopts *, int);
+int copypktopts(struct ip6_pktopts *, struct ip6_pktopts *);
 static __inline u_int16_t __attribute__((__unused__))
 in6_cksum_phdr(const struct in6_addr *, const struct in6_addr *,
 u_int32_t, u_int32_t);
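
Review bot: the prototype `int copypktopts(struct ip6_pktopts *, struct ip6_pktopts *);` still has external linkage, and the change rests on ip6_setpktopts being the only caller; if that holds across the tree, declaring the function static would make the compiler enforce it.
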
@@ -1839,22 +1839,22 @@ ip6_clearpktopts(struct ip6_pktopts *pkt
 do {\
if (src->type) {\
size_t hlen = (((struct ip6_ext *)src->type)->ip6e_len + 1) << 
3;\
-   dst->type = malloc(hlen, M_IP6OPT, canwait);\
-   if (dst->type == NULL && canwait == M_NOWAIT)\
+   dst->type = malloc(hlen, M_IP6OPT, M_NOWAIT);\
+   if (dst->type == NULL)\
goto bad;\
memcpy(dst->type, src->type, hlen);\
}\
 } while (/*CONSTCOND*/ 0)
 
 int
-copypktopts(struct ip6_pktopts *dst, struct ip6_pktopts *src, int canwait)
+copypktopts(struct ip6_pktopts *dst, struct ip6_pktopts *src)
 {
dst->ip6po_hlim = src->ip6po_hlim;
dst->ip6po_tclass = src->ip6po_tclass;
dst->ip6po_flags = src->ip6po_flags;
if (src->ip6po_pktinfo) {
dst->ip6po_pktinfo = malloc(sizeof(*dst->ip6po_pktinfo),
-   M_IP6OPT, canwait);
+   M_IP6OPT, M_NOWAIT);
if (dst->ip6po_pktinfo == NULL)
goto bad;
*dst->ip6po_pktinfo = *src->ip6po_pktinfo;
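
Review bot: with the flag gone from `copypktopts(struct ip6_pktopts *dst, struct ip6_pktopts *src)`, nothing at the definition says the copy never sleeps and can fail part-way through; a one-line comment above the function stating that it allocates with M_NOWAIT and bails out through `bad` would keep that visible to the next caller.
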
@@ -2256,7 +2256,7 @@ ip6_setpktopts(struct mbuf *control, str
 * but we can allow this since this option should be rarely
 * used.
 */
-   if ((error = copypktopts(opt, stickyopt, M_NOWAIT)) != 0)
+   if ((error = copypktopts(opt, stickyopt)) != 0)
return (error);
}
 



Re: Help with the NET_LOCK()

2017-01-26 Thread RD Thrush
On 01/25/17 01:32, Martin Pieuchot wrote:
> I just enabled the NET_LOCK() again and I'm looking for test reports.
> Please go build a kernel from sources or wait for the next snapshot,
> run it and report back.
> 
> If you're looking for some small coding tasks related to the NET_LOCK()
> just do:
> 
>   # sysctl kern.splassert=2
>   # sysctl kern.pool_debug=2
>   
> Then watch for the traces on your console.
> 
> You'll see something like:
> 
>   Starting stack trace...
>   yield(0,1,d09dac52,f5549dbc,d94e9378) at yield+0xa4
>   yield(d0bc8f40,1,f5549e18,80,14) at yield+0xa4
>   pool_get(d0bc8f40,1,f5549ec8,d03ecbfb,d97815f4) at pool_get+0x1ba
>   m_get(1,3,f5549ec0,d03a9362,d0bc22e0) at m_get+0x30
>   doaccept(d977e6c4,3,cf7ee4f8,cf7ee4ec,2000) at doaccept+0x193
>   sys_accept(d977e6c4,f5549f5c,f5549f7c,0,f5549fa8) at sys_accept+0x37
>   syscall() at syscall+0x250
>   
> This means accept(2) is doing a memory allocation that can sleep, here
> with m_get(9), while holding the NET_LOCK().  Even if these should be
> ok, it is easy to avoid them.  In the case of doaccept() a mbuf could
> be allocated beforehand or simply use the stack for that.


I updated a nuc w/ amd64 -current (GENERIC.MP) #154 and have more data.  The 
nuc doesn't have a serial port so I extracted[1] dmesg parts from 
/var/log/messages.  Here's a bit of a summary:

>cut -d\  -f4- messages.nuc2.NET_LOCK.01|grep -e 'syscall ' | sort|uniq -c|sort -nr
  32 --- syscall (number 97) ---
  31 --- syscall (number 55) ---
  21 --- syscall (number 54) ---
  13 --- syscall (number 118) ---
   9 --- syscall (number 105) ---

[1]


##
OpenBSD 6.0-current (GENERIC.MP) #154: Wed Jan 25 19:50:16 MST 2017
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 16959188992 (16173MB)
avail mem = 16440545280 (15678MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0x9eee3000 (56 entries)
bios0: vendor Intel Corporation version "MYBDWi5v.86A.0033.2016.1124.2006" date 
11/24/2016
bios0: Intel Corporation NUC5i5MYBE
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT FIDT MCFG HPET SSDT UEFI LPIT SSDT ASF! SSDT 
SSDT SSDT DMAR BGRT
acpi0: wakeup devices PEGP(S4) PEG0(S4) PEGP(S4) PEG1(S4) PEGP(S4) PEG2(S4) 
PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) 
PXSX(S4) RP05(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i5-5300U CPU @ 2.30GHz, 2295.06 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,RDSEED,ADX,SMAP,PT,SENSOR,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: TSC frequency 2295060110 Hz
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4.1.1.1, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Core(TM) i5-5300U CPU @ 2.30GHz, 2294.69 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,RDSEED,ADX,SMAP,PT,SENSOR,ARAT
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Core(TM) i5-5300U CPU @ 2.30GHz, 2294.70 MHz
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,RDSEED,ADX,SMAP,PT,SENSOR,ARAT
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 1, core 0, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Core(TM) i5-5300U CPU @ 2.30GHz, 2294.69 MHz
cpu3: 

Re: pfctl: Kill states within a rdomain

2017-01-26 Thread Bertrand Provost
Hi,

On 2017-01-26 01:56 AM, Jason McIntyre wrote:
> you still need to s/for kill/to kill/
> jmc

I forgot that one, here is a new version.

Regards,

-- 
Bertrand Provost

Index: pfctl.8
===
RCS file: /cvs/src/sbin/pfctl/pfctl.8,v
retrieving revision 1.165
diff -u -p -r1.165 pfctl.8
--- pfctl.8 15 Jun 2015 08:48:23 -  1.165
+++ pfctl.8 26 Jan 2017 15:38:37 -
@@ -47,6 +47,7 @@
 .Op Fl S Ar statefile
 .Op Fl s Ar modifier Op Fl R Ar id
 .Op Fl t Ar table Fl T Ar command Op Ar address ...
+.Op Fl V Ar rdomain
 .Op Fl x Ar level
 .Ek
 .Sh DESCRIPTION
@@ -644,6 +645,10 @@ This flag is set when per-address counte
 .El
 .It Fl t Ar table
 Specify the name of the table.
+.It Fl V Ar rdomain
+Select the routing domain to be used to kill states by host or by label.
+The rdomain of a state is displayed in parentheses before the host by
+.Fl s Cm states .
 .It Fl v
 Produce more verbose output.
 A second use of
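
Review bot: the new `.It Fl V Ar rdomain` entry does not say which routing domain applies when -V is omitted; main() initialises `rdomain = 0` and both kill functions now always set `psk.psk_rdomain`, so the text should state that the default is routing domain 0.
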
Index: pfctl.c
===
RCS file: /cvs/src/sbin/pfctl/pfctl.c,v
retrieving revision 1.334
diff -u -p -r1.334 pfctl.c
--- pfctl.c 14 Jan 2016 12:05:51 -  1.334
+++ pfctl.c 26 Jan 2017 15:38:37 -
@@ -69,9 +69,9 @@ intpfctl_clear_src_nodes(int, int);
 int pfctl_clear_states(int, const char *, int);
 voidpfctl_addrprefix(char *, struct pf_addr *);
 int pfctl_kill_src_nodes(int, const char *, int);
-int pfctl_net_kill_states(int, const char *, int);
-int pfctl_label_kill_states(int, const char *, int);
-int pfctl_id_kill_states(int, const char *, int);
+int pfctl_net_kill_states(int, const char *, int, int);
+int pfctl_label_kill_states(int, const char *, int, int);
+int pfctl_id_kill_states(int, int);
 voidpfctl_init_options(struct pfctl *);
 int pfctl_load_options(struct pfctl *);
 int pfctl_load_limit(struct pfctl *, unsigned int, unsigned int);
@@ -231,7 +231,7 @@ struct pf_qihead qspecs = TAILQ_HEAD_INI
 struct pf_qihead rootqs = TAILQ_HEAD_INITIALIZER(rootqs);
 
 
-void
+__dead void
 usage(void)
 {
extern char *__progname;
@@ -243,7 +243,7 @@ usage(void)
fprintf(stderr, "[-L statefile] [-o level] [-p device]\n");
fprintf(stderr, "\t[-S statefile] [-s modifier [-R id]] ");
fprintf(stderr, "[-t table -T command [address ...]]\n");
-   fprintf(stderr, "\t[-x level]\n");
+   fprintf(stderr, "\t[-V rdomain] [-x level]\n");
exit(1);
 }
 
@@ -512,7 +512,7 @@ pfctl_kill_src_nodes(int dev, const char
 }
 
 int
-pfctl_net_kill_states(int dev, const char *iface, int opts)
+pfctl_net_kill_states(int dev, const char *iface, int opts, int rdomain)
 {
struct pfioc_state_kill psk;
struct addrinfo *res[2], *resp[2];
@@ -531,6 +531,8 @@ pfctl_net_kill_states(int dev, const cha
sizeof(psk.psk_ifname)) >= sizeof(psk.psk_ifname))
errx(1, "invalid interface: %s", iface);
 
+   psk.psk_rdomain = rdomain;
+
pfctl_addrprefix(state_kill[0], _src.addr.v.a.mask);
 
if ((ret_ga = getaddrinfo(state_kill[0], NULL, NULL, [0]))) {
@@ -618,7 +620,7 @@ pfctl_net_kill_states(int dev, const cha
 }
 
 int
-pfctl_label_kill_states(int dev, const char *iface, int opts)
+pfctl_label_kill_states(int dev, const char *iface, int opts, int rdomain)
 {
struct pfioc_state_kill psk;
 
@@ -635,6 +637,8 @@ pfctl_label_kill_states(int dev, const c
sizeof(psk.psk_label))
errx(1, "label too long: %s", state_kill[1]);
 
+   psk.psk_rdomain = rdomain;
+
if (ioctl(dev, DIOCKILLSTATES, ))
err(1, "DIOCKILLSTATES");
 
@@ -645,7 +649,7 @@ pfctl_label_kill_states(int dev, const c
 }
 
 int
-pfctl_id_kill_states(int dev, const char *iface, int opts)
+pfctl_id_kill_states(int dev, int opts)
 {
struct pfioc_state_kill psk;
 
@@ -2098,6 +2102,7 @@ main(int argc, char *argv[])
int  opts = 0;
int  optimize = PF_OPTIMIZE_BASIC;
int  level;
+   int  rdomain = 0;
char anchorname[PATH_MAX];
int  anchor_wildcard = 0;
char*path;
@@ -2109,7 +2114,7 @@ main(int argc, char *argv[])
usage();
 
while ((ch = getopt(argc, argv,
-   "a:dD:eqf:F:ghi:k:K:L:no:Pp:R:rS:s:t:T:vx:z")) != -1) {
+   "a:dD:eqf:F:ghi:k:K:L:no:Pp:R:rS:s:t:T:vV:x:z")) != -1) {
switch (ch) {
case 'a':
anchoropt = optarg;
@@ -2215,6 +2220,13 @@ main(int argc, char *argv[])
opts |= PF_OPT_VERBOSE2;
opts |= PF_OPT_VERBOSE;
break;
+   case 'V':
+   rdomain = strtonum(optarg, 0, RT_TABLEID_MAX, );
+   if (errstr) {
+   warnx("Invalid rdomain: %s", errstr);
+   usage();
+   
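
Review bot: in `case 'V':` the call `warnx("Invalid rdomain: %s", errstr)` prints only strtonum's reason and not the value that was rejected; adding `optarg` to the message (for example "rdomain %s: %s") tells the user which argument was wrong. The rest of this hunk is cut off in this copy.
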

Re: ldomctl(8) usage

2017-01-26 Thread Andrew Grillet
Yes. A few lines, but really useful. The man page is for the full details.
However, if usage doesn't list
all options, you may assume the one you want does not exist, or belongs to
some other command,
rather than check with the man page.

The bikeshed is where school kids go for privacy with the opposite sex.
(Bikeshed music is like garage music,
but cheaper, and not so loud :-).

Prioritizing the small over the big is a problem too. Like the hospital
directors spending more time on whether to
compensate a patient for loss of his shirt than on spending £10M on a new
wing (my dad was the architect).

On 26 January 2017 at 13:49, Stefan Sperling wrote:

> On Thu, Jan 26, 2017 at 01:37:14PM +, Andrew Grillet wrote:
> > I am not sure what bikeshedding means in this case (it was all different
> > when I was at school ;-)
>
> http://producingoss.com/en/common-pitfalls.html#bikeshed
>
> > However, as an ldomctl user, I would be happier if the usage was
> consistent
> > with the man page:
> > it makes everything seem more trustworthy.
>
> Right, so you mean like this?
>
> SYNOPSIS
>  ldomctl command [argument ...]
>


Re: ldomctl(8) usage

2017-01-26 Thread Stefan Sperling
On Thu, Jan 26, 2017 at 01:37:14PM +, Andrew Grillet wrote:
> I am not sure what bikeshedding means in this case (it was all different
> when I was at school ;-)

http://producingoss.com/en/common-pitfalls.html#bikeshed

> However, as an ldomctl user, I would be happier if the usage was consistent
> with the man page:
> it makes everything seem more trustworthy.

Right, so you mean like this?

SYNOPSIS
 ldomctl command [argument ...]



[wscons] User-space access to terminal emulation data

2017-01-26 Thread Enrico Mioso

Hello to everyone reading this message, and thank you.

I am a blind user, using a braille display to read the output of my 
computer. Each braille display has its own protocol, so there is the 
need of a software package (specifically a daemon process), that reads 
the output of the system and sends it to the braille device using the 
appropriate protocol. The BRLTTY software does exactly that 
( http://dave.mielke.cc/brltty ). My goal was to make it possible for a 
blind user to use OpenBSD on a standalone system, without serial 
consoles, a setup that may not be comfortable, on laptops for example.


To this end, I was playing with the wscons subsystem, to allow for 
user-space to access terminal emulation (wsemul) data.
This would enable access to the system even before login, and may also 
be useful to access a shell in early boot stages if something goes 
wrong...


The idea was to allocate a memory zone for each wscreen, where an 
emulation module (for example wsemul_vt100) could copy the data 
(characters and color attributes). In addition, some auxiliary 
information is saved (the position of the cursor and the number of 
rows and columns).
This data would then be exported to user-space via some interfaces like 
mmap, or by other means. My goal is to make OpenBSD more "accessible", 
or braille friendly in other words: making it more comfortable to 
administer a system even for a braille user. I am posting now some 
hackish code I came up with so far, to hear from you. I am absolutely 
open (and hoping) for any suggestions and comments / ideas: and doing 
things in a completely different way. Consider the code like a kind of 
proof-of-concept. I would clearly avoid using printfs like this, and I 
clearly would use something like

#ifdef HAVE_UWSEMUL
and not
#if 11
around. I know that, especially in the case of kernel code, security and 
quality are very important: and I will do my best.
Regarding my choice to work in the emulation framework: I tried to find 
a solution that would work across different platforms. For that matter, 
I avoided the VGA driver for example, and the VGA memory region. I can 
also consider this alternative if you let me know. For now I worked only 
on the vt100 emulation, but the idea was to put all uwsemul code in 
wsdisplay_subr.c or in some other file, and call needed functions in all 
emulation modules. This code may show signs of inexperience, but I am 
willing to learn, and at least try.


Thank you for your patience and attention,
Enrico

diff --git a/sys/dev/wscons/wsdisplay.c b/sys/dev/wscons/wsdisplay.c
index cb7bde50593..2980e738ce4 100644
--- a/sys/dev/wscons/wsdisplay.c
+++ b/sys/dev/wscons/wsdisplay.c
@@ -130,6 +130,9 @@ struct wsscreen {
 #define IS_SEL_BY_WORD(scr)((scr)->mouse_flags & SEL_BY_WORD)
 #define IS_SEL_BY_LINE(scr)((scr)->mouse_flags & SEL_BY_LINE)
 #endif /* HAVE_WSMOUSED_SUPPORT */
+#if 11
+   void *uwsmem;
+#endif
 };

 struct wsscreen *wsscreen_attach(struct wsdisplay_softc *, int, const char *,
@@ -263,6 +266,9 @@ wsscreen_attach(struct wsdisplay_softc *sc, int console, 
const char *emul,
 {
struct wsscreen_internal *dconf;
struct wsscreen *scr;
+#if 11
+   struct uwsemul_info *u_info;
+#endif

scr = malloc(sizeof(*scr), M_DEVBUF, M_ZERO | M_NOWAIT);
if (!scr)
@@ -294,6 +300,16 @@ wsscreen_attach(struct wsdisplay_softc *sc, int console, 
const char *emul,
scr->scr_dconf = dconf;
scr->scr_tty = ttymalloc(0);
scr->sc = sc;
+#if 11
+   printf("uwsemul_access: %d rows and %d 
columns",scr->scr_dconf->scrdata->nrows,scr->scr_dconf->scrdata->ncols);
+   scr->uwsmem = malloc(sizeof(struct uwsemul_info)+(sizeof(struct 
wsdisplay_charcell)*(scr->scr_dconf->scrdata->nrows*scr->scr_dconf->scrdata->ncols)),
 M_DEVBUF, M_ZERO | M_NOWAIT);
+   if (!scr->uwsmem)
+   goto fail;
+   printf(": %ld bytes allocated at address %p\n",sizeof(struct uwsemul_info)+(sizeof(struct 
wsdisplay_charcell)*(scr->scr_dconf->scrdata->nrows*scr->scr_dconf->scrdata->ncols)),scr->uwsmem);
+   u_info = scr->uwsmem;
+   u_info->nrows = scr->scr_dconf->scrdata->nrows;
+   u_info->ncols = scr->scr_dconf->scrdata->ncols;
+#endif
return (scr);

 fail:
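
Review bot: the buffer size passed to malloc() multiplies `nrows*ncols` as ints without an overflow check, and the same expression is written out again in the printf() here and in the free() in wsscreen_detach(); compute it once into a size_t kept in struct wsscreen, with the multiplication checked the way mallocarray(9) does, reuse that value, and print it with %zu rather than %ld.
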
@@ -315,6 +331,10 @@ wsscreen_detach(struct wsscreen *scr)
(*scr->scr_dconf->wsemul->detach)(scr->scr_dconf->wsemulcookie,
, );
free(scr->scr_dconf, M_DEVBUF, sizeof(*scr->scr_dconf));
+#if 11
+   if (scr->uwsmem != NULL)
+   free(scr->uwsmem, M_DEVBUF, sizeof(struct uwsemul_info)+(sizeof(struct 
wsdisplay_charcell)*(scr->scr_dconf->scrdata->nrows*scr->scr_dconf->scrdata->ncols)));
+#endif
free(scr, M_DEVBUF, sizeof(*scr));
 }

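
Review bot: the added `free(scr->uwsmem, M_DEVBUF, ...)` takes its size from `scr->scr_dconf->scrdata`, but `free(scr->scr_dconf, M_DEVBUF, sizeof(*scr->scr_dconf))` on the line just above has already released scr_dconf, so the size is read from freed memory; move the new block above that free, or take the size from a field saved at attach time.
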
@@ -1365,8 +1385,24 @@ wsdisplaymmap(dev_t dev, off_t offset, int prot)
if ((scr = sc->sc_scr[WSDISPLAYSCREEN(dev)]) == NULL)
return (-1);

-   if (!(scr->scr_flags & SCR_GRAPHICS))
-   return (-1);
+  
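
Review bot: removing the `if (!(scr->scr_flags & SCR_GRAPHICS)) return (-1);` guard at the top of wsdisplaymmap() lets text-mode screens reach the mapping code, so whatever replaces it has to bound `offset` to the uwsmem allocation and decide which `prot` bits are accepted (read-only would be enough for a screen reader); the replacement lines are cut off in this copy, so that cannot be checked here.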

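A user-space model of the per-screen buffer described in the message above (a header with rows, columns and cursor position, followed by one cell per screen position), added here as an illustration and not part of the posted patch. The struct layouts and the shadow_* names are hypothetical; the point is the checked size computation, a size stored once, and bounds checks on both the writer and the export path.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical layouts for this example; the patch's struct uwsemul_info
 * and the kernel's struct wsdisplay_charcell may differ. */
struct cell {                 /* one character and its colour attributes */
	uint32_t uc;
	uint8_t fg, bg, flags;
};

struct screen_hdr {           /* auxiliary information read by user space */
	uint32_t nrows, ncols;
	uint32_t cur_row, cur_col;
};

struct shadow {               /* private bookkeeping, never exported */
	uint32_t nrows, ncols;    /* trusted copy, not re-read from hdr */
	size_t size;              /* computed once: allocation and export bound */
	struct screen_hdr *hdr;   /* header followed by nrows * ncols cells */
};

/* Header plus cell array in bytes; -1 if empty or the arithmetic would wrap. */
int shadow_size(uint32_t nrows, uint32_t ncols, size_t *out)
{
	size_t cells;
	if (nrows == 0 || ncols == 0)
		return -1;
	if ((size_t)nrows > SIZE_MAX / ncols)
		return -1;
	cells = (size_t)nrows * ncols;
	if (cells > (SIZE_MAX - sizeof(struct screen_hdr)) / sizeof(struct cell))
		return -1;
	*out = sizeof(struct screen_hdr) + cells * sizeof(struct cell);
	return 0;
}

int shadow_alloc(struct shadow *s, uint32_t nrows, uint32_t ncols)
{
	size_t size;
	memset(s, 0, sizeof(*s));
	if (shadow_size(nrows, ncols, &size) == -1)
		return -1;
	if ((s->hdr = calloc(1, size)) == NULL)
		return -1;
	s->size = size;
	s->nrows = s->hdr->nrows = nrows;
	s->ncols = s->hdr->ncols = ncols;
	return 0;
}

/* Emulation side: store one cell, refusing positions outside the screen. */
int shadow_put(struct shadow *s, uint32_t row, uint32_t col, struct cell c)
{
	struct cell *cells;
	if (s->hdr == NULL || row >= s->nrows || col >= s->ncols)
		return -1;
	cells = (struct cell *)(s->hdr + 1);
	cells[(size_t)row * s->ncols + col] = c;
	return 0;
}

int shadow_set_cursor(struct shadow *s, uint32_t row, uint32_t col)
{
	if (s->hdr == NULL || row >= s->nrows || col >= s->ncols)
		return -1;
	s->hdr->cur_row = row;
	s->hdr->cur_col = col;
	return 0;
}

/* Export side: the bound an mmap or read handler must apply to an offset. */
long shadow_read(const struct shadow *s, size_t off, void *buf, size_t len)
{
	if (s->hdr == NULL || off > s->size || len > s->size - off)
		return -1;
	memcpy(buf, (const unsigned char *)s->hdr + off, len);
	return (long)len;
}

void shadow_free(struct shadow *s)
{
	free(s->hdr);             /* a sized kernel free would take s->size */
	memset(s, 0, sizeof(*s));
}

int main(void)
{
	struct shadow s;
	struct cell c = { 'A', 7, 0, 0 };
	if (shadow_alloc(&s, 25, 80) == -1)
		return 1;
	printf("size=%zu put=%d\n", s.size, shadow_put(&s, 24, 79, c));
	shadow_free(&s);
	return 0;
}
```
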
Re: ldomctl(8) usage

2017-01-26 Thread Andrew Grillet
I am not sure what bikeshedding means in this case (it was all different
when I was at school ;-)

However, as an ldomctl user, I would be happier if the usage was consistent
with the man page:
it makes everything seem more trustworthy.

And once the machine is up and stable, you probably won't be using the
command very often, and might need to
quickly check if it is (eg) init-system or system-init.


On 26 January 2017 at 12:33, Stefan Sperling wrote:

> I am not sure about the best way to fix this, but ldomctl's usage()
> is rather bogus. It only mentions some of the supported commands.
> The diff below adds the missing ones.
>
> However, I am tempted to just change all of it to something like this:
> fprintf(stderr, "usage: ldomctl command [arguments]\n");
> and let people refer to the man page instead.
>
> Is this worth bikeshedding about?
>
> Index: ldomctl.c
> ===
> RCS file: /cvs/src/usr.sbin/ldomctl/ldomctl.c,v
> retrieving revision 1.20
> diff -u -p -r1.20 ldomctl.c
> --- ldomctl.c   9 Oct 2014 02:44:55 -   1.20
> +++ ldomctl.c   26 Jan 2017 11:16:30 -
> @@ -161,6 +161,11 @@ usage(void)
>
> fprintf(stderr, "usage: %s start|stop|panic domain\n", __progname);
> fprintf(stderr, "   %s status [domain]\n", __progname);
> +   fprintf(stderr, "   logical domain configuration:\n",
> __progname);
> +   fprintf(stderr, "   %s list|dump\n", __progname);
> +   fprintf(stderr, "   %s select|delete configuration\n",
> __progname);
> +   fprintf(stderr, "   %s download directory\n", __progname);
> +   fprintf(stderr, "   %s init-system file\n", __progname);
> exit(EXIT_FAILURE);
>  }
>
>
>


ldomctl(8) usage

2017-01-26 Thread Stefan Sperling
I am not sure about the best way to fix this, but ldomctl's usage()
is rather bogus. It only mentions some of the supported commands.
The diff below adds the missing ones.

However, I am tempted to just change all of it to something like this:
fprintf(stderr, "usage: ldomctl command [arguments]\n");
and let people refer to the man page instead.

Is this worth bikeshedding about?

Index: ldomctl.c
===
RCS file: /cvs/src/usr.sbin/ldomctl/ldomctl.c,v
retrieving revision 1.20
diff -u -p -r1.20 ldomctl.c
--- ldomctl.c   9 Oct 2014 02:44:55 -   1.20
+++ ldomctl.c   26 Jan 2017 11:16:30 -
@@ -161,6 +161,11 @@ usage(void)
 
fprintf(stderr, "usage: %s start|stop|panic domain\n", __progname);
fprintf(stderr, "   %s status [domain]\n", __progname);
+   fprintf(stderr, "   logical domain configuration:\n", __progname);
+   fprintf(stderr, "   %s list|dump\n", __progname);
+   fprintf(stderr, "   %s select|delete configuration\n", __progname);
+   fprintf(stderr, "   %s download directory\n", __progname);
+   fprintf(stderr, "   %s init-system file\n", __progname);
exit(EXIT_FAILURE);
 }
 
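
Review bot: the first added line, `fprintf(stderr, "   logical domain configuration:\n", __progname);`, passes `__progname` to a format string that has no conversion in it; drop the argument, which compilers report under -Wformat-extra-args.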



Re: pfctl: Kill states within a rdomain

2017-01-26 Thread Mike Belopuhov
On 26 January 2017 at 01:12, Bertrand Provost
 wrote:
> Hi,
>
> Based on feedback from jmc and florian here is a new version of the patch
> - Add -V in usage() && __dead usage()
> - Change man
>
> (I hope this time my mail client is well configured)
>
> Regards,
>
> --
> Bertrand Provost
>

Looks good to me too.



Re: Help with the NET_LOCK()

2017-01-26 Thread RD Thrush
On 01/25/17 01:32, Martin Pieuchot wrote:
> I just enabled the NET_LOCK() again and I'm looking for test reports.
> Please go build a kernel from sources or wait for the next snapshot,
> run it and report back.
> 
> If you're looking for some small coding tasks related to the NET_LOCK()
> just do:
> 
>   # sysctl kern.splassert=2
>   # sysctl kern.pool_debug=2
>   
> Then watch for the traces on your console.
> 
> You'll see something like:
> 
>   Starting stack trace...
>   yield(0,1,d09dac52,f5549dbc,d94e9378) at yield+0xa4
>   yield(d0bc8f40,1,f5549e18,80,14) at yield+0xa4
>   pool_get(d0bc8f40,1,f5549ec8,d03ecbfb,d97815f4) at pool_get+0x1ba
>   m_get(1,3,f5549ec0,d03a9362,d0bc22e0) at m_get+0x30
>   doaccept(d977e6c4,3,cf7ee4f8,cf7ee4ec,2000) at doaccept+0x193
>   sys_accept(d977e6c4,f5549f5c,f5549f7c,0,f5549fa8) at sys_accept+0x37
>   syscall() at syscall+0x250
>   
> This means accept(2) is doing a memory allocation that can sleep, here
> with m_get(9), while holding the NET_LOCK().  Even if these should be
> ok, it is easy to avoid them.  In the case of doaccept() a mbuf could
> be allocated beforehand or simply use the stack for that.

I updated my firewall w/ amd64 -current (GENERIC.MP) #154 and got quite a lot 
of data.  The full serial console[1] is ~130k.  Here's a bit of a summary:

>grep -e 'syscall ' Log.tarpit.NET_LOCK.ddb.01 | sort|uniq -c|sort -nr
  94 --- syscall (number 105) ---
  86 --- syscall (number 54) ---
  33 --- syscall (number 97) ---
  24 --- syscall (number 118) ---
   3 --- syscall (number 202) ---

[1]

#
OpenBSD 6.0-current (GENERIC.MP) #154: Wed Jan 25 19:50:16 MST 2017
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4273856512 (4075MB)
avail mem = 4139667456 (3947MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0x7fbf0420 (7 entries)
bios0: vendor coreboot version "ADI_RCCVE-01.00.00.08-nodebug" date 01/22/2016
bios0: ADI Engineering RCC-VE
acpi0 at bios0: rev 2
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP SPCR HPET APIC MCFG SSDT
acpi0: wakeup devices EHC1(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Atom(TM) CPU C2358 @ 1.74GHz, 1750.32 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
cpu0: 1MB 64b/line 16-way L2 cache
cpu0: TSC frequency 1750324380 Hz
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 83MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.0.0.0.3, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Atom(TM) CPU C2358 @ 1.74GHz, 1749.99 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
cpu1: 1MB 64b/line 16-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpiprt0 at acpi0: bus 1 (RP01)
acpiprt1 at acpi0: bus 2 (RP02)
acpiprt2 at acpi0: bus 3 (RP03)
acpiprt3 at acpi0: bus 4 (RP04)
acpiprt4 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: C1(@1 halt!), PSS
acpicpu1 at acpi0: C1(@1 halt!), PSS
cpu0: Enhanced SpeedStep 1750 MHz: speeds: 2100, 1800, 1600, 1400 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 vendor "Intel", unknown product 0x1f0e rev 0x02
ppb0 at pci0 dev 1 function 0 "Intel Atom C2000 PCIE" rev 0x02: msi
pci1 at ppb0 bus 1
ppb1 at pci0 dev 2 function 0 "Intel Atom C2000 PCIE" rev 0x02: msi
pci2 at ppb1 bus 2
ppb2 at pci0 dev 3 function 0 "Intel Atom C2000 PCIE" rev 0x02: msi
pci3 at ppb2 bus 3
ppb3 at pci0 dev 4 function 0 "Intel Atom C2000 PCIE" rev 0x02: msi
pci4 at ppb3 bus 4
vendor "Intel", unknown product 0x1f18 (class processor subclass Co-processor, 
rev 0x02) at pci0 dev 11 function 0 not configured
pchb1 at pci0 dev 14 function 0 "Intel Atom C2000 RAS" rev 0x02
"Intel Atom C2000 RCEC" rev 0x02 at pci0 dev 15 function 0 not configured
"Intel Atom C2000 SMBus" rev 0x02 at pci0 dev 19 function 0 not configured
em0 at pci0 dev 20 function 0 "Intel I354 SGMII" rev 0x03: msi, address 
00:08:a2:0a:73:bd
em1 at pci0 dev 20 function 1 "Intel I354 SGMII" rev 0x03: msi, address 
00:08:a2:0a:73:be
em2 at pci0 dev 20 function 2 "Intel I354 SGMII" rev 0x03: msi, address 
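
The per-syscall count in the report above drops the call chain, which is what identifies the sleeping allocation (doaccept() calling m_get() in the quoted trace). An added example, not part of the original post, that groups the traces by chain instead; the sample log is constructed from the quoted trace plus one placeholder chain, and frame lines are assumed to look like those in that trace.

```shell
# Group ddb traces by call chain, innermost frame first. yield() frames are
# dropped: they only mark the point where the thread would sleep.
summarize_traces() {
    awk '
    function flush() {
        if (chain != "") count[chain]++
        chain = ""; intrace = 0
    }
    /Starting stack trace/ { flush(); intrace = 1; next }
    /End of stack trace|--- syscall/ { flush(); next }
    intrace && match($0, / at [A-Za-z_][A-Za-z0-9_]*\+0x/) {
        fn = substr($0, RSTART + 4, RLENGTH - 7)
        if (fn == "syscall") { flush(); next }
        if (fn != "yield") chain = (chain == "" ? fn : chain " <- " fn)
    }
    END { flush(); for (c in count) print count[c], c }
    ' | sort -k1,1nr -k2
}

# Constructed sample: the accept(2) trace quoted above, a repeat of it, and
# one made-up chain (example_alloc/sys_example are placeholder names).
sample_log() {
    cat <<'EOF'
Starting stack trace...
yield(0,1,d09dac52,f5549dbc,d94e9378) at yield+0xa4
yield(d0bc8f40,1,f5549e18,80,14) at yield+0xa4
pool_get(d0bc8f40,1,f5549ec8,d03ecbfb,d97815f4) at pool_get+0x1ba
m_get(1,3,f5549ec0,d03a9362,d0bc22e0) at m_get+0x30
doaccept(d977e6c4,3,cf7ee4f8,cf7ee4ec,2000) at doaccept+0x193
sys_accept(d977e6c4,f5549f5c,f5549f7c,0,f5549fa8) at sys_accept+0x37
syscall() at syscall+0x250
Starting stack trace...
yield() at yield+0xa4
pool_get() at pool_get+0x1ba
example_alloc() at example_alloc+0x10
sys_example() at sys_example+0x20
--- syscall (number 0) ---
Starting stack trace...
yield() at yield+0xa4
pool_get() at pool_get+0x1ba
m_get() at m_get+0x30
doaccept() at doaccept+0x193
sys_accept() at sys_accept+0x37
syscall() at syscall+0x250
EOF
}

sample_log | summarize_traces
```

On a real console log, replace sample_log with the log file on stdin, e.g. summarize_traces < Log.tarpit.NET_LOCK.ddb.01.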

mira sfer overflow panic (was: Re: 11n support for athn(4))

2017-01-26 Thread Stefan Sperling
On Thu, Jan 26, 2017 at 06:36:06AM +, Peter Kay wrote:
> sfer overflow

Interesting. This is the first time I've ever seen this panic trigger.

Can you apply this patch and try to trigger it again?

Index: ieee80211_mira.c
===
RCS file: /cvs/src/sys/net80211/ieee80211_mira.c,v
retrieving revision 1.8
diff -u -p -r1.8 ieee80211_mira.c
--- ieee80211_mira.c12 Jan 2017 18:06:57 -  1.8
+++ ieee80211_mira.c26 Jan 2017 09:37:27 -
@@ -427,8 +427,15 @@ ieee80211_mira_update_stats(struct ieee8
 
/* Compute Sub-Frame Error Rate (see section 2.2 in MiRA paper). */
sfer = (mn->frames * mn->retries + mn->txfail);
-   if ((sfer >> MIRA_FP_SHIFT) != 0)
+   if ((sfer >> MIRA_FP_SHIFT) != 0) {
+   printf("%s: driver stats:\n", __func__);
+   printf("mn->frames = %u\n", mn->frames);
+   printf("mn->retries = %u\n", mn->retries);
+   printf("mn->txfail = %u\n", mn->txfail);
+   printf("mn->ampdu_size = %u\n", mn->ampdu_size);
+   printf("mn->agglen = %u\n", mn->agglen);
panic("sfer overflow"); /* bug in wifi driver */
+   }
sfer <<= MIRA_FP_SHIFT; /* convert to fixed-point */
sfer /= ((mn->retries + 1) * mn->frames);
if (sfer > MIRA_FP_1)
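
Review bot: the new diagnostics in the overflow branch print the operands but not sfer itself, which is the value the check actually rejected; printing it as well (with a format matching its declared type, which this hunk does not show) would let the report be read without redoing the arithmetic from mn->frames, mn->retries and mn->txfail. The %u specifiers also assume all five mn fields are unsigned int, so it is worth checking that against the struct definition. Separately, the unchanged line "sfer /= ((mn->retries + 1) * mn->frames);" divides by zero when mn->frames is 0; if the driver stats that trigger this panic can be that far off, confirm that case is excluded before this point.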



Re: iwn: Centrino Ultimate-N 6300 scans, doesn't dhcp?

2017-01-26 Thread Stefan Sperling
On Wed, Jan 25, 2017 at 08:43:11PM -0600, Austin Bentley wrote:
> Interesting. It seems that on OpenBSD the reception is quite weak.
> I've connected, HOWEVER, I have to be in the same room as my router!
> On Linux I can be anywhere in my house.
> 
> I tried disabling powersave (-powersave), and still I have to be very

I believe the powersave option is a no-op with iwn(4) so I am
not surprised it doesn't change anything.

> close to my router. My phone can connect to it no problem anywhere in
> the house. Does anyone have any clue what's going on? Is it possible
> that the driver is permanently set on a power save mode?

Well, it seems something strange is going on since it works with Linux.

It is not clear whether the problem is with sending or receiving.
I would guess it is more likely that iwn(4) has some problem with
sending data, rather than receiving it. Both have to work to associate
successfully.

You can enable some debug output like this:

  ifconfig iwn0 debug

Look in /var/log/messages. Any beacon received should be mentioned there,
and in case a WPA handshake is attempted you should see this as well.

Perhaps the problem has to do with regdomain settings? iwn(4) does not
do anything about those -- it relies on hardware/firmware defaults.
Does Linux print anything about regulatory domains in its dmesg?
 
> On Wed, Jan 25, 2017 at 7:37 PM, Austin Bentley wrote:
> >  nwid MYSSID chan 6 bssid yy:yy:yy:yy:yy:yy -58dBm HT-MCS15
> >  privacy,short_slottime,wpa1

Do you also happen to have this AP on a 5GHz channel or is this
AP on 2GHz only? If iwn(4) is trying to connect on 5GHz instead of 2,
that would explain why it doesn't work well through walls.