disable efi watchdog

2018-02-10 Thread Jonathan Gray
The UEFI specification states that a watchdog should be armed for 5 minutes.
Stop it from resetting the system while efiboot is running.

Index: amd64/stand/efiboot/efiboot.c
===
RCS file: /cvs/src/sys/arch/amd64/stand/efiboot/efiboot.c,v
retrieving revision 1.28
diff -u -p -r1.28 efiboot.c
--- amd64/stand/efiboot/efiboot.c   25 Nov 2017 19:02:07 -  1.28
+++ amd64/stand/efiboot/efiboot.c   11 Feb 2018 05:25:11 -
@@ -81,6 +81,9 @@ efi_main(EFI_HANDLE image, EFI_SYSTEM_TA
RS = ST->RuntimeServices;
IH = image;
 
+   /* disable reset by watchdog after 5 minutes */
+   EFI_CALL(BS->SetWatchdogTimer, 0, 0, 0, NULL);
+
efi_video_init();
efi_heap_init();
 
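Review bot: The status returned by `EFI_CALL(BS->SetWatchdogTimer, 0, 0, 0, NULL)` is dropped, so firmware that refuses to disarm the timer (the UEFI specification allows EFI_UNSUPPORTED and EFI_DEVICE_ERROR from this service) leaves the 5-minute reset silently in place. Since nothing can be done about it beyond telling the operator, either print the status on failure or make the intent explicit in the comment, e.g. `/* disable reset by watchdog after 5 minutes; a failure here is non-fatal and leaves the firmware timer armed */`. The same call is added in the armv7 and arm64 hunks below, so whichever form is chosen should be applied to all three. efi_main continues outside the hunk.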
Index: armv7/stand/efiboot/efiboot.c
===
RCS file: /cvs/src/sys/arch/armv7/stand/efiboot/efiboot.c,v
retrieving revision 1.19
diff -u -p -r1.19 efiboot.c
--- armv7/stand/efiboot/efiboot.c   21 Aug 2017 20:05:32 -  1.19
+++ armv7/stand/efiboot/efiboot.c   11 Feb 2018 05:25:11 -
@@ -71,6 +71,9 @@ efi_main(EFI_HANDLE image, EFI_SYSTEM_TA
BS = ST->BootServices;
IH = image;
 
+   /* disable reset by watchdog after 5 minutes */
+   EFI_CALL(BS->SetWatchdogTimer, 0, 0, 0, NULL);
+
status = EFI_CALL(BS->HandleProtocol, image, _guid,
(void **));
if (status == EFI_SUCCESS)
Index: arm64/stand/efiboot/efiboot.c
===
RCS file: /cvs/src/sys/arch/arm64/stand/efiboot/efiboot.c,v
retrieving revision 1.15
diff -u -p -r1.15 efiboot.c
--- arm64/stand/efiboot/efiboot.c   6 Feb 2018 20:35:21 -   1.15
+++ arm64/stand/efiboot/efiboot.c   11 Feb 2018 05:25:12 -
@@ -74,6 +74,9 @@ efi_main(EFI_HANDLE image, EFI_SYSTEM_TA
BS = ST->BootServices;
IH = image;
 
+   /* disable reset by watchdog after 5 minutes */
+   EFI_CALL(BS->SetWatchdogTimer, 0, 0, 0, NULL);
+
status = EFI_CALL(BS->HandleProtocol, image, _guid,
(void **));
if (status == EFI_SUCCESS)



Re: vmctl show

2018-02-10 Thread Mike Larkin
On Sun, Feb 11, 2018 at 12:51:57AM +0100, Peter Hessler wrote:
> My fingers have typed "vmctl show" instead of "vmctl status" for over a
> year now, so add it as an alias.
> 
> OK?
> 
> 
> Index: main.c
> ===
> RCS file: /cvs/openbsd/src/usr.sbin/vmctl/main.c,v
> retrieving revision 1.34
> diff -u -p -u -p -r1.34 main.c
> --- main.c3 Jan 2018 05:39:56 -   1.34
> +++ main.c10 Feb 2018 23:46:44 -
> @@ -68,6 +68,7 @@ struct ctl_command ctl_commands[] = {
>   { "log",CMD_LOG,ctl_log,"(verbose|brief)" },
>   { "reload", CMD_RELOAD, ctl_reload, "" },
>   { "reset",  CMD_RESET,  ctl_reset,  "[all|vms|switches]" },
> + { "show",   CMD_STATUS, ctl_status, "[id]" },
>   { "start",  CMD_START,  ctl_start,  "\"name\""
>   " [-Lc] [-b image] [-r image] [-m size]\n"
>   "\t\t[-n switch] [-i count] [-d disk]*" },
> Index: vmctl.8
> ===
> RCS file: /cvs/openbsd/src/usr.sbin/vmctl/vmctl.8,v
> retrieving revision 1.37
> diff -u -p -u -p -r1.37 vmctl.8
> --- vmctl.8   3 Jan 2018 08:17:18 -   1.37
> +++ vmctl.8   10 Feb 2018 23:48:59 -
> @@ -143,6 +143,10 @@ with '.', '-' or '_'.
>  .It Cm status Op Ar id
>  Lists VMs running on the host, optionally listing just the selected VM
>  .Ar id .
> +.It Cm show Op Ar id
> +An alias for the
> +.Cm status
> +command.
>  .It Cm stop Ar id
>  Stops (terminates) a VM defined by the specified VM
>  .Ar id .
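Review bot: `.It Cm show Op Ar id` is inserted after `status`, which appears to break the alphabetical order the command list otherwise keeps (status is followed by stop here, and `show` sorts before `start` and `status`), and it carries a separate one-line body. Since mdoc lets consecutive `.It` macros share one body, the alias can instead be a second tag of the existing entry — `.It Cm status Op Ar id` followed directly by `.It Cm show Op Ar id` and the current description — which documents both names in one place; otherwise move the new entry to its sorted position. The same hunk recurs in the other copies of this diff further down the page.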
> 
> 
> -- 
> Coito ergo sum
> 

No objections. Since at least 3-4 people have said they want it, go for it.



re-enable mfii(4) aen

2018-02-10 Thread Jonathan Matthew
Almost exactly a year ago (give or take an hour), we disabled AEN handling in
mfii(4) because it didn't work on SAS2208 controllers.  I finally got around to
looking into this and found we were just missing one magical offset in one of
the command structures.  The diff below adds this and re-enables AEN processing.

I've tested on the following:

mfii0 at pci3 dev 0 function 0 "Symbios Logic MegaRAID SAS2208" rev 0x01: msi
mfii0: "PERC H710P Mini", firmware 21.0.2-0001, 1024MB cache

mfii0 at pci1 dev 0 function 0 "Symbios Logic MegaRAID SAS3108" rev 0x02: msi
mfii0: "PERC H730 Mini", firmware 25.4.0.0015, 1024MB cache

Could someone test on a SAS3.5 controller (megaraid 34xx or 35xx)?  I don't
have access to one currently.  All you need to do is boot the resulting kernel
and check mfii0 isn't generating interrupts constantly.  Tests on other hardware
would also be useful.


Index: mfii.c
===
RCS file: /cvs/src/sys/dev/pci/mfii.c,v
retrieving revision 1.46
diff -u -p -r1.46 mfii.c
--- mfii.c  2 Feb 2018 11:24:37 -   1.46
+++ mfii.c  11 Feb 2018 02:34:50 -
@@ -630,22 +630,18 @@ mfii_attach(struct device *parent, struc
 
mfii_syspd(sc);
 
-#ifdef notyet
if (mfii_aen_register(sc) != 0) {
/* error printed by mfii_aen_register */
goto intr_disestablish;
}
-#endif
 
/* enable interrupts */
mfii_write(sc, MFI_OSTS, 0x);
mfii_write(sc, MFI_OMSK, ~MFII_OSTS_INTR_VALID);
 
return;
-#ifdef notyet
 intr_disestablish:
pci_intr_disestablish(sc->sc_pc, sc->sc_ih);
-#endif
 free_sgl:
mfii_dmamem_free(sc, sc->sc_sgl);
 free_requests:
@@ -851,6 +847,7 @@ mfii_dcmd_start(struct mfii_softc *sc, s
 
io->function = MFII_FUNCTION_PASSTHRU_IO;
io->sgl_offset0 = (uint32_t *)sge - (uint32_t *)io;
+   io->chain_offset = io->sgl_offset0 / 4;
 
htolem64(>sg_addr, ccb->ccb_sense_dva);
htolem32(>sg_len, sizeof(*ccb->ccb_sense));
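Review bot: `io->chain_offset = io->sgl_offset0 / 4;` is the "magical offset" from the cover mail, and the divisor is left unexplained: sgl_offset0 is computed on the line above as a pointer difference in 32-bit words, so the `/ 4` presumably converts that to 16-byte units for chain_offset — confirm against the firmware interface and record it, e.g. `/* sgl_offset0 is in 32-bit words; chain_offset is in 16-byte units */`. Without the comment the next reader cannot tell whether 4 is a unit conversion or a fixed header size, which is exactly what kept this broken for a year. mfii_dcmd_start continues outside the hunk.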



Re: ospfd (route socket filter on priority)

2018-02-10 Thread Claudio Jeker
On Sun, Feb 11, 2018 at 02:17:38AM +0100, Sebastian Benoit wrote:
> 
> Hi,
> 
> here is the ospfd part again, now the socket option is set on reload as
> well.
> 
> ok?
> 
> (benno_route_priofilter_2_ospfd.diff)
> 
> diff --git usr.sbin/ospfd/kroute.c usr.sbin/ospfd/kroute.c
> index 17febefbdcb..4f6dc933a42 100644
> --- usr.sbin/ospfd/kroute.c
> +++ usr.sbin/ospfd/kroute.c
> @@ -127,10 +127,11 @@ kif_init(void)
>  }
>  
>  int
> -kr_init(int fs, u_int rdomain)
> +kr_init(int fs, u_int rdomain, int redis_label_or_prefix)
>  {
>   int opt = 0, rcvbuf, default_rcvbuf;
>   socklen_t   optlen;
> + int filter_prio = RTP_OSPF;
>  
>   kr_state.fib_sync = fs;
>   kr_state.rdomain = rdomain;
> @@ -146,6 +147,18 @@ kr_init(int fs, u_int rdomain)
>   , sizeof(opt)) == -1)
>   log_warn("kr_init: setsockopt");/* not fatal */
>  
> + if (redis_label_or_prefix) {
> + filter_prio = 0;
> + log_info("%s: priority filter disabled", __func__);
> + } else
> + log_debug("%s: priority filter enabled", __func__);
> +
> + if (setsockopt(kr_state.fd, AF_ROUTE, ROUTE_PRIOFILTER, _prio,
> + sizeof(filter_prio)) == -1) {
> + log_warn("%s: setsockopt AF_ROUTE ROUTE_PRIOFILTER", __func__);
> + /* not fatal */
> + }
> +
>   /* grow receive buffer, don't wanna miss messages */
>   optlen = sizeof(default_rcvbuf);
>   if (getsockopt(kr_state.fd, SOL_SOCKET, SO_RCVBUF,
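Review bot: The priority-filter block added here (`filter_prio`, the two log calls and the `setsockopt(... ROUTE_PRIOFILTER ...)`) is repeated verbatim in the kr_reload hunk that follows, and again in the unquoted copy of this diff later on the page; a small file-static helper called from both places keeps the two in step when the filter value or the error handling changes. With `__func__` inside the helper the log lines would name the helper rather than kr_init or kr_reload, so keep that in mind if the distinction matters in the logs. Both callers also rely on 0 being treated by the kernel as "no filter"; the kernel diff in this thread only shows the `prio > RTP_MAX` range check, so that assumption should be confirmed and stated in a comment. kr_init's body continues outside the hunk.
```c
/* Install the route socket priority filter; 0 is taken to mean no filter. */
static void
kr_set_priofilter(int redis_label_or_prefix)
{
	int filter_prio = RTP_OSPF;

	if (redis_label_or_prefix) {
		filter_prio = 0;
		log_info("%s: priority filter disabled", __func__);
	} else
		log_debug("%s: priority filter enabled", __func__);

	if (setsockopt(kr_state.fd, AF_ROUTE, ROUTE_PRIOFILTER, &filter_prio,
	    sizeof(filter_prio)) == -1) {
		log_warn("%s: setsockopt AF_ROUTE ROUTE_PRIOFILTER", __func__);
		/* not fatal */
	}
}

int
kr_init(int fs, u_int rdomain, int redis_label_or_prefix)
{
	/* … unchanged: socket setup and ROUTE_MSGFILTER … */
	kr_set_priofilter(redis_label_or_prefix);
	/* … unchanged: receive buffer sizing … */
```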
> @@ -600,12 +613,27 @@ kr_redistribute(struct kroute_node *kh)
>  }
>  
>  void
> -kr_reload(void)
> +kr_reload(int redis_label_or_prefix)
>  {
>   struct kroute_node  *kr, *kn;
>   u_int32_tdummy;
>   int  r;
> + int  filter_prio = RTP_OSPF;
> +
> + /* update the priority filter */
> + if (redis_label_or_prefix) {
> + filter_prio = 0;
> + log_info("%s: priority filter disabled", __func__);
> + } else
> + log_debug("%s: priority filter enabled", __func__);
> +
> + if (setsockopt(kr_state.fd, AF_ROUTE, ROUTE_PRIOFILTER, _prio,
> + sizeof(filter_prio)) == -1) {
> + log_warn("%s: setsockopt AF_ROUTE ROUTE_PRIOFILTER", __func__);
> + /* not fatal */
> + }
>  
> + /* update redistribute lists */
>   RB_FOREACH(kr, kroute_tree, ) {
>   for (kn = kr; kn; kn = kn->next) {
>   r = ospf_redistribute(>r, );
> diff --git usr.sbin/ospfd/ospfd.c usr.sbin/ospfd/ospfd.c
> index 3c5057ae04e..01fd6bbafb9 100644
> --- usr.sbin/ospfd/ospfd.c
> +++ usr.sbin/ospfd/ospfd.c
> @@ -265,7 +265,7 @@ main(int argc, char *argv[])
>   event_add(_rde->ev, NULL);
>  
>   if (kr_init(!(ospfd_conf->flags & OSPFD_FLAG_NO_FIB_UPDATE),
> - ospfd_conf->rdomain) == -1)
> + ospfd_conf->rdomain, ospfd_conf->redist_label_or_prefix) == -1)
>   fatalx("kr_init failed");
>  
>   /* remove unneeded stuff from config */
> @@ -637,7 +637,7 @@ ospf_reload(void)
>  
>   merge_config(ospfd_conf, xconf);
>   /* update redistribute lists */
> - kr_reload();
> + kr_reload(ospfd_conf->redist_label_or_prefix);
>   return (0);
>  }
>  
> @@ -667,6 +667,7 @@ merge_config(struct ospfd_conf *conf, struct ospfd_conf 
> *xconf)
>   SIMPLEQ_EMPTY(>redist_list))
>   rchange = 1;
>   conf->rfc1583compat = xconf->rfc1583compat;
> + conf->redist_label_or_prefix = xconf->redist_label_or_prefix;
>  
>   if (ospfd_process == PROC_MAIN) {
>   /* main process does neither use areas nor interfaces */
> diff --git usr.sbin/ospfd/ospfd.h usr.sbin/ospfd/ospfd.h
> index af082b1079c..1a5d20e0068 100644
> --- usr.sbin/ospfd/ospfd.h
> +++ usr.sbin/ospfd/ospfd.h
> @@ -394,6 +394,7 @@ struct ospfd_conf {
>   int spf_state;
>   int ospf_socket;
>   int flags;
> + int redist_label_or_prefix;
>   u_int8_trfc1583compat;
>   u_int8_tborder;
>   u_int8_tredistribute;
> @@ -567,7 +568,7 @@ u_int16_t  iso_cksum(void *, u_int16_t, u_int16_t);
>  /* kroute.c */
>  int   kif_init(void);
>  void  kif_clear(void);
> -int   kr_init(int, u_int);
> +int   kr_init(int, u_int, int);
>  int   kr_change(struct kroute *, int);
>  int   kr_delete(struct kroute *);
>  void  kr_shutdown(void);
> @@ -578,7 +579,7 @@ void   kr_dispatch_msg(int, short, void *);
>  void  kr_show_route(struct imsg *);
>  void  kr_ifinfo(char *, pid_t);
>  struct kif   *kif_findname(char *, struct in_addr, struct kif_addr **);
> -void  kr_reload(void);
> +void  kr_reload(int);
>  
>  u_int8_t mask2prefixlen(in_addr_t);
>  in_addr_tprefixlen2mask(u_int8_t);
> diff --git 

Re: route socket filter on priority

2018-02-10 Thread Claudio
On Sun, Feb 11, 2018 at 02:14:32AM +0100, Sebastian Benoit wrote:
> Stuart Henderson(s...@spacehopper.org) on 2018.02.10 10:41:11 +:
> > This comment needs fixing or removing, otherwise ok.
> > Feel free to use this accompanying manpage diff.
> 
> Hi sthen, thanks
> 
> updated diff, this is only the kernel part + manpage.
> I added the RTP constants to the manpage, as all the other ones are there as
> well.
> The other change is to move from u_char to unsigned int, because the other
> socket options are unsigned int as well.
> 
> I will send the ospfd diff as a separate mail.
> 
> ok?
> 

Comments inline

> (benno_route_priofilter_2_kernel.diff)
> 
> diff --git share/man/man4/route.4 share/man/man4/route.4
> index 654b9a1505a..4e5d26724e6 100644
> --- share/man/man4/route.4
> +++ share/man/man4/route.4
> @@ -210,6 +210,41 @@ if (setsockopt(routefd, PF_ROUTE, ROUTE_MSGFILTER,
>   err(1, "setsockopt(ROUTE_MSGFILTER)");
>  .Ed
>  .Pp
> +Similarly, a process can specify that it is only interested in messages
> +relating to routes where the priority is no more than a certain value
> +by issuing a setsockopt call with the
> +.Dv ROUTE_PRIOFILTER
> +option.
> +For example, to select only local, directly connected and static routes:
> +.Bd -literal -offset indent
> +unsigned int maxprio = RTP_STATIC;
> +
> +if (setsockopt(routefd, PF_ROUTE, ROUTE_PRIOFILTER,
> +, sizeof(maxprio)) == -1)
> + err(1, "setsockopt(ROUTE_PRIOFILTER)");
> +.Ed
> +.Pp
> +The predefined constants for the routing priorities are:
> +.Bd -literal
> +#define RTP_NONE 0   /* unset priority use sane default */
> +#define RTP_LOCAL1   /* local address routes (must be the highest) */
> +#define RTP_CONNECTED4   /* directly connected routes */
> +#define RTP_STATIC   8   /* static routes base priority */
> +#define RTP_EIGRP28  /* EIGRP routes */
> +#define RTP_OSPF 32  /* OSPF routes */
> +#define RTP_ISIS 36  /* IS-IS routes */
> +#define RTP_RIP  40  /* RIP routes */
> +#define RTP_BGP  48  /* BGP routes */
> +#define RTP_DEFAULT  56  /* routes that have nothing set */
> +#define RTP_PROPOSAL_STATIC  57
> +#define RTP_PROPOSAL_DHCLIENT58
> +#define RTP_PROPOSAL_SLAAC   59
> +#define RTP_MAX  63  /* maximum priority */
> +#define RTP_ANY  64  /* any of the above */
> +#define RTP_MASK 0x7f
> +#define RTP_DOWN 0x80/* route/link is down */
> +.Ed
> +.Pp
>  If a route is in use when it is deleted,
>  the routing entry will be marked down and removed from the routing table,
>  but the resources associated with it will not
> diff --git sys/net/route.h sys/net/route.h
> index 1ca0a22c45f..b27d42bd555 100644
> --- sys/net/route.h
> +++ sys/net/route.h
> @@ -297,6 +297,9 @@ struct rt_msghdr {
>  sent to the client. */
>  #define ROUTE_TABLEFILTER 2  /* change routing table the socket is listening
>  on, RTABLE_ANY listens on all tables. */
> +#define ROUTE_PRIOFILTER 3   /* only pass updates with a priority higher or
> +equal (actual value lower) to the specified
> +priority. */
>  
>  #define ROUTE_FILTER(m)  (1 << (m))
>  #define RTABLE_ANY   0x
> diff --git sys/net/rtsock.c sys/net/rtsock.c
> index 35bdd09d143..09c622840aa 100644
> --- sys/net/rtsock.c
> +++ sys/net/rtsock.c
> @@ -141,6 +141,7 @@ struct routecb {
>   unsigned intmsgfilter;
>   unsigned intflags;
>   u_int   rtableid;
> + u_char  priority;
>  };
>  #define  sotoroutecb(so) ((struct routecb *)(so)->so_pcb)
>  
> @@ -308,7 +309,7 @@ route_ctloutput(int op, struct socket *so, int level, int 
> optname,
>  {
>   struct routecb *rop = sotoroutecb(so);
>   int error = 0;
> - unsigned int tid;
> + unsigned int tid, prio;
>  
>   if (level != AF_ROUTE)
>   return (EINVAL);
> @@ -333,6 +334,17 @@ route_ctloutput(int op, struct socket *so, int level, 
> int optname,
>   else
>   rop->rtableid = tid;
>   break;
> + case ROUTE_PRIOFILTER:
> + if (m == NULL || m->m_len != sizeof(unsigned int)) {
> + error = EINVAL;
> + break;
> + }
> + prio = *mtod(m, unsigned int *);
> + if (prio > RTP_MAX)
> + error = EINVAL;
> + else
> + rop->priority = prio;
> + break;
>   default:
>   error = ENOPROTOOPT;
>   break;
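Review bot: The getsockopt side of this option does not match the setsockopt side added here: `ROUTE_PRIOFILTER` is only accepted when `m->m_len == sizeof(unsigned int)`, but the get branch at the end of the diff (visible as `m->m_len = sizeof(u_char);`) hands back a single byte, so a caller that reads the option back into the same `unsigned int` it set sees a partially written value, contrary to the cover mail's stated move to unsigned int. Make the get branch mirror the set branch: `m->m_len = sizeof(unsigned int);` and `*mtod(m, unsigned int *) = rop->priority;`. The `u_char priority` field in struct routecb can stay, since the `prio > RTP_MAX` check bounds what is stored to 63. The same hunk appears unquoted in the original posting below. route_ctloutput continues outside the hunk.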
> @@ -348,6 +360,10 @@ route_ctloutput(int op, struct socket *so, int level, 
> int optname,
>   m->m_len = 

ospfd (route socket filter on priority)

2018-02-10 Thread Sebastian Benoit

Hi,

here is the ospfd part again, now the socket option is set on reload as
well.

ok?

(benno_route_priofilter_2_ospfd.diff)

diff --git usr.sbin/ospfd/kroute.c usr.sbin/ospfd/kroute.c
index 17febefbdcb..4f6dc933a42 100644
--- usr.sbin/ospfd/kroute.c
+++ usr.sbin/ospfd/kroute.c
@@ -127,10 +127,11 @@ kif_init(void)
 }
 
 int
-kr_init(int fs, u_int rdomain)
+kr_init(int fs, u_int rdomain, int redis_label_or_prefix)
 {
int opt = 0, rcvbuf, default_rcvbuf;
socklen_t   optlen;
+   int filter_prio = RTP_OSPF;
 
kr_state.fib_sync = fs;
kr_state.rdomain = rdomain;
@@ -146,6 +147,18 @@ kr_init(int fs, u_int rdomain)
, sizeof(opt)) == -1)
log_warn("kr_init: setsockopt");/* not fatal */
 
+   if (redis_label_or_prefix) {
+   filter_prio = 0;
+   log_info("%s: priority filter disabled", __func__);
+   } else
+   log_debug("%s: priority filter enabled", __func__);
+
+   if (setsockopt(kr_state.fd, AF_ROUTE, ROUTE_PRIOFILTER, _prio,
+   sizeof(filter_prio)) == -1) {
+   log_warn("%s: setsockopt AF_ROUTE ROUTE_PRIOFILTER", __func__);
+   /* not fatal */
+   }
+
/* grow receive buffer, don't wanna miss messages */
optlen = sizeof(default_rcvbuf);
if (getsockopt(kr_state.fd, SOL_SOCKET, SO_RCVBUF,
@@ -600,12 +613,27 @@ kr_redistribute(struct kroute_node *kh)
 }
 
 void
-kr_reload(void)
+kr_reload(int redis_label_or_prefix)
 {
struct kroute_node  *kr, *kn;
u_int32_tdummy;
int  r;
+   int  filter_prio = RTP_OSPF;
+
+   /* update the priority filter */
+   if (redis_label_or_prefix) {
+   filter_prio = 0;
+   log_info("%s: priority filter disabled", __func__);
+   } else
+   log_debug("%s: priority filter enabled", __func__);
+
+   if (setsockopt(kr_state.fd, AF_ROUTE, ROUTE_PRIOFILTER, _prio,
+   sizeof(filter_prio)) == -1) {
+   log_warn("%s: setsockopt AF_ROUTE ROUTE_PRIOFILTER", __func__);
+   /* not fatal */
+   }
 
+   /* update redistribute lists */
RB_FOREACH(kr, kroute_tree, ) {
for (kn = kr; kn; kn = kn->next) {
r = ospf_redistribute(>r, );
diff --git usr.sbin/ospfd/ospfd.c usr.sbin/ospfd/ospfd.c
index 3c5057ae04e..01fd6bbafb9 100644
--- usr.sbin/ospfd/ospfd.c
+++ usr.sbin/ospfd/ospfd.c
@@ -265,7 +265,7 @@ main(int argc, char *argv[])
event_add(_rde->ev, NULL);
 
if (kr_init(!(ospfd_conf->flags & OSPFD_FLAG_NO_FIB_UPDATE),
-   ospfd_conf->rdomain) == -1)
+   ospfd_conf->rdomain, ospfd_conf->redist_label_or_prefix) == -1)
fatalx("kr_init failed");
 
/* remove unneeded stuff from config */
@@ -637,7 +637,7 @@ ospf_reload(void)
 
merge_config(ospfd_conf, xconf);
/* update redistribute lists */
-   kr_reload();
+   kr_reload(ospfd_conf->redist_label_or_prefix);
return (0);
 }
 
@@ -667,6 +667,7 @@ merge_config(struct ospfd_conf *conf, struct ospfd_conf 
*xconf)
SIMPLEQ_EMPTY(>redist_list))
rchange = 1;
conf->rfc1583compat = xconf->rfc1583compat;
+   conf->redist_label_or_prefix = xconf->redist_label_or_prefix;
 
if (ospfd_process == PROC_MAIN) {
/* main process does neither use areas nor interfaces */
diff --git usr.sbin/ospfd/ospfd.h usr.sbin/ospfd/ospfd.h
index af082b1079c..1a5d20e0068 100644
--- usr.sbin/ospfd/ospfd.h
+++ usr.sbin/ospfd/ospfd.h
@@ -394,6 +394,7 @@ struct ospfd_conf {
int spf_state;
int ospf_socket;
int flags;
+   int redist_label_or_prefix;
u_int8_trfc1583compat;
u_int8_tborder;
u_int8_tredistribute;
@@ -567,7 +568,7 @@ u_int16_tiso_cksum(void *, u_int16_t, u_int16_t);
 /* kroute.c */
 int kif_init(void);
 voidkif_clear(void);
-int kr_init(int, u_int);
+int kr_init(int, u_int, int);
 int kr_change(struct kroute *, int);
 int kr_delete(struct kroute *);
 voidkr_shutdown(void);
@@ -578,7 +579,7 @@ void kr_dispatch_msg(int, short, void *);
 voidkr_show_route(struct imsg *);
 voidkr_ifinfo(char *, pid_t);
 struct kif *kif_findname(char *, struct in_addr, struct kif_addr **);
-voidkr_reload(void);
+voidkr_reload(int);
 
 u_int8_t   mask2prefixlen(in_addr_t);
 in_addr_t  prefixlen2mask(u_int8_t);
diff --git usr.sbin/ospfd/parse.y usr.sbin/ospfd/parse.y
index 4bf64d5d7e3..6f1cf5b7b19 100644
--- usr.sbin/ospfd/parse.y
+++ usr.sbin/ospfd/parse.y
@@ -295,6 +295,8 @@ redistribute: no 

Re: route socket filter on priority

2018-02-10 Thread Sebastian Benoit
Stuart Henderson(s...@spacehopper.org) on 2018.02.10 10:41:11 +:
> This comment needs fixing or removing, otherwise ok.
> Feel free to use this accompanying manpage diff.

Hi sthen, thanks

updated diff, this is only the kernel part + manpage.
I added the RTP constants to the manpage, as all the other ones are there as
well.
The other change is to move from u_char to unsigned int, because the other
socket options are unsigned int as well.

I will send the ospfd diff as a separate mail.

ok?

(benno_route_priofilter_2_kernel.diff)

diff --git share/man/man4/route.4 share/man/man4/route.4
index 654b9a1505a..4e5d26724e6 100644
--- share/man/man4/route.4
+++ share/man/man4/route.4
@@ -210,6 +210,41 @@ if (setsockopt(routefd, PF_ROUTE, ROUTE_MSGFILTER,
err(1, "setsockopt(ROUTE_MSGFILTER)");
 .Ed
 .Pp
+Similarly, a process can specify that it is only interested in messages
+relating to routes where the priority is no more than a certain value
+by issuing a setsockopt call with the
+.Dv ROUTE_PRIOFILTER
+option.
+For example, to select only local, directly connected and static routes:
+.Bd -literal -offset indent
+unsigned int maxprio = RTP_STATIC;
+
+if (setsockopt(routefd, PF_ROUTE, ROUTE_PRIOFILTER,
+, sizeof(maxprio)) == -1)
+   err(1, "setsockopt(ROUTE_PRIOFILTER)");
+.Ed
+.Pp
+The predefined constants for the routing priorities are:
+.Bd -literal
+#define RTP_NONE   0   /* unset priority use sane default */
+#define RTP_LOCAL  1   /* local address routes (must be the highest) */
+#define RTP_CONNECTED  4   /* directly connected routes */
+#define RTP_STATIC 8   /* static routes base priority */
+#define RTP_EIGRP  28  /* EIGRP routes */
+#define RTP_OSPF   32  /* OSPF routes */
+#define RTP_ISIS   36  /* IS-IS routes */
+#define RTP_RIP40  /* RIP routes */
+#define RTP_BGP48  /* BGP routes */
+#define RTP_DEFAULT56  /* routes that have nothing set */
+#define RTP_PROPOSAL_STATIC57
+#define RTP_PROPOSAL_DHCLIENT  58
+#define RTP_PROPOSAL_SLAAC 59
+#define RTP_MAX63  /* maximum priority */
+#define RTP_ANY64  /* any of the above */
+#define RTP_MASK   0x7f
+#define RTP_DOWN   0x80/* route/link is down */
+.Ed
+.Pp
 If a route is in use when it is deleted,
 the routing entry will be marked down and removed from the routing table,
 but the resources associated with it will not
diff --git sys/net/route.h sys/net/route.h
index 1ca0a22c45f..b27d42bd555 100644
--- sys/net/route.h
+++ sys/net/route.h
@@ -297,6 +297,9 @@ struct rt_msghdr {
   sent to the client. */
 #define ROUTE_TABLEFILTER 2/* change routing table the socket is listening
   on, RTABLE_ANY listens on all tables. */
+#define ROUTE_PRIOFILTER 3 /* only pass updates with a priority higher or
+  equal (actual value lower) to the specified
+  priority. */
 
 #define ROUTE_FILTER(m)(1 << (m))
 #define RTABLE_ANY 0x
diff --git sys/net/rtsock.c sys/net/rtsock.c
index 35bdd09d143..09c622840aa 100644
--- sys/net/rtsock.c
+++ sys/net/rtsock.c
@@ -141,6 +141,7 @@ struct routecb {
unsigned intmsgfilter;
unsigned intflags;
u_int   rtableid;
+   u_char  priority;
 };
 #definesotoroutecb(so) ((struct routecb *)(so)->so_pcb)
 
@@ -308,7 +309,7 @@ route_ctloutput(int op, struct socket *so, int level, int 
optname,
 {
struct routecb *rop = sotoroutecb(so);
int error = 0;
-   unsigned int tid;
+   unsigned int tid, prio;
 
if (level != AF_ROUTE)
return (EINVAL);
@@ -333,6 +334,17 @@ route_ctloutput(int op, struct socket *so, int level, int 
optname,
else
rop->rtableid = tid;
break;
+   case ROUTE_PRIOFILTER:
+   if (m == NULL || m->m_len != sizeof(unsigned int)) {
+   error = EINVAL;
+   break;
+   }
+   prio = *mtod(m, unsigned int *);
+   if (prio > RTP_MAX)
+   error = EINVAL;
+   else
+   rop->priority = prio;
+   break;
default:
error = ENOPROTOOPT;
break;
@@ -348,6 +360,10 @@ route_ctloutput(int op, struct socket *so, int level, int 
optname,
m->m_len = sizeof(unsigned int);
*mtod(m, unsigned int *) = rop->rtableid;
break;
+   case ROUTE_PRIOFILTER:
+   m->m_len = sizeof(u_char);
+   *mtod(m, 

Re: vmctl show

2018-02-10 Thread Ax0n
Guilty.

On Feb 10, 2018 17:56, "Sebastian Benoit"  wrote:

> Peter Hessler(phess...@openbsd.org) on 2018.02.11 00:51:57 +0100:
> > My fingers have typed "vmctl show" instead of "vmctl status" for over a
> > year now, so add it as an alias.
>
> oh yes please, i thought i was the only stupid one.
>
> > OK?
>
> ok
>
> > Index: main.c
> > ===
> > RCS file: /cvs/openbsd/src/usr.sbin/vmctl/main.c,v
> > retrieving revision 1.34
> > diff -u -p -u -p -r1.34 main.c
> > --- main.c3 Jan 2018 05:39:56 -   1.34
> > +++ main.c10 Feb 2018 23:46:44 -
> > @@ -68,6 +68,7 @@ struct ctl_command ctl_commands[] = {
> >   { "log",CMD_LOG,ctl_log,"(verbose|brief)"
> },
> >   { "reload", CMD_RELOAD, ctl_reload, "" },
> >   { "reset",  CMD_RESET,  ctl_reset,
> "[all|vms|switches]" },
> > + { "show",   CMD_STATUS, ctl_status, "[id]" },
> >   { "start",  CMD_START,  ctl_start,  "\"name\""
> >   " [-Lc] [-b image] [-r image] [-m size]\n"
> >   "\t\t[-n switch] [-i count] [-d disk]*" },
> > Index: vmctl.8
> > ===
> > RCS file: /cvs/openbsd/src/usr.sbin/vmctl/vmctl.8,v
> > retrieving revision 1.37
> > diff -u -p -u -p -r1.37 vmctl.8
> > --- vmctl.8   3 Jan 2018 08:17:18 -   1.37
> > +++ vmctl.8   10 Feb 2018 23:48:59 -
> > @@ -143,6 +143,10 @@ with '.', '-' or '_'.
> >  .It Cm status Op Ar id
> >  Lists VMs running on the host, optionally listing just the selected VM
> >  .Ar id .
> > +.It Cm show Op Ar id
> > +An alias for the
> > +.Cm status
> > +command.
> >  .It Cm stop Ar id
> >  Stops (terminates) a VM defined by the specified VM
> >  .Ar id .
> >
> >
> > --
> > Coito ergo sum
> >
>
>


Re: vmctl show

2018-02-10 Thread Sebastian Benoit
Peter Hessler(phess...@openbsd.org) on 2018.02.11 00:51:57 +0100:
> My fingers have typed "vmctl show" instead of "vmctl status" for over a
> year now, so add it as an alias.

oh yes please, i thought i was the only stupid one.

> OK?

ok

> Index: main.c
> ===
> RCS file: /cvs/openbsd/src/usr.sbin/vmctl/main.c,v
> retrieving revision 1.34
> diff -u -p -u -p -r1.34 main.c
> --- main.c3 Jan 2018 05:39:56 -   1.34
> +++ main.c10 Feb 2018 23:46:44 -
> @@ -68,6 +68,7 @@ struct ctl_command ctl_commands[] = {
>   { "log",CMD_LOG,ctl_log,"(verbose|brief)" },
>   { "reload", CMD_RELOAD, ctl_reload, "" },
>   { "reset",  CMD_RESET,  ctl_reset,  "[all|vms|switches]" },
> + { "show",   CMD_STATUS, ctl_status, "[id]" },
>   { "start",  CMD_START,  ctl_start,  "\"name\""
>   " [-Lc] [-b image] [-r image] [-m size]\n"
>   "\t\t[-n switch] [-i count] [-d disk]*" },
> Index: vmctl.8
> ===
> RCS file: /cvs/openbsd/src/usr.sbin/vmctl/vmctl.8,v
> retrieving revision 1.37
> diff -u -p -u -p -r1.37 vmctl.8
> --- vmctl.8   3 Jan 2018 08:17:18 -   1.37
> +++ vmctl.8   10 Feb 2018 23:48:59 -
> @@ -143,6 +143,10 @@ with '.', '-' or '_'.
>  .It Cm status Op Ar id
>  Lists VMs running on the host, optionally listing just the selected VM
>  .Ar id .
> +.It Cm show Op Ar id
> +An alias for the
> +.Cm status
> +command.
>  .It Cm stop Ar id
>  Stops (terminates) a VM defined by the specified VM
>  .Ar id .
> 
> 
> -- 
> Coito ergo sum
> 



vmctl show

2018-02-10 Thread Peter Hessler
My fingers have typed "vmctl show" instead of "vmctl status" for over a
year now, so add it as an alias.

OK?


Index: main.c
===
RCS file: /cvs/openbsd/src/usr.sbin/vmctl/main.c,v
retrieving revision 1.34
diff -u -p -u -p -r1.34 main.c
--- main.c  3 Jan 2018 05:39:56 -   1.34
+++ main.c  10 Feb 2018 23:46:44 -
@@ -68,6 +68,7 @@ struct ctl_command ctl_commands[] = {
{ "log",CMD_LOG,ctl_log,"(verbose|brief)" },
{ "reload", CMD_RELOAD, ctl_reload, "" },
{ "reset",  CMD_RESET,  ctl_reset,  "[all|vms|switches]" },
+   { "show",   CMD_STATUS, ctl_status, "[id]" },
{ "start",  CMD_START,  ctl_start,  "\"name\""
" [-Lc] [-b image] [-r image] [-m size]\n"
"\t\t[-n switch] [-i count] [-d disk]*" },
Index: vmctl.8
===
RCS file: /cvs/openbsd/src/usr.sbin/vmctl/vmctl.8,v
retrieving revision 1.37
diff -u -p -u -p -r1.37 vmctl.8
--- vmctl.8 3 Jan 2018 08:17:18 -   1.37
+++ vmctl.8 10 Feb 2018 23:48:59 -
@@ -143,6 +143,10 @@ with '.', '-' or '_'.
 .It Cm status Op Ar id
 Lists VMs running on the host, optionally listing just the selected VM
 .Ar id .
+.It Cm show Op Ar id
+An alias for the
+.Cm status
+command.
 .It Cm stop Ar id
 Stops (terminates) a VM defined by the specified VM
 .Ar id .


-- 
Coito ergo sum



[patch] starttls.8

2018-02-10 Thread Edgar Pettijohn

Remove sendmail-isms from starttls.8


--- /usr/share/man/man8/starttls.8Tue Oct  3 22:13:42 2017
+++ starttls.8Sat Feb 10 15:57:06 2018
@@ -102,17 +102,6 @@
 .Pp
 .Dl # openssl x509 -in /etc/ssl/mail.example.com.crt -text
 .Pp
-If you don't intend to use TLS for authentication (and if you are using
-self-signed certificates you probably don't) you can simply link
-your new certificate to
-.Pa CAcert.pem .
-.Pp
-.Dl # ln -s /etc/ssl/mail.example.com.crt /etc/ssl/CAcert.pem
-.Pp
-If, on the other hand, you intend to use TLS for authentication
-you should install your certificate authority bundle as
-.Pa /etc/ssl/CAcert.pem .
-.Pp
 Because the private key files are unencrypted,
 MTAs
 can be picky about using tight permissions on those files.
@@ -196,36 +185,9 @@
 We can use this authentication to selectively relay clients, including
 other mail servers and mobile clients like laptops.
 However, there have been some problems getting some mail clients to 
work using

-certificate-based authentication.
-Note that your clients will have to generate certificates and have them
-signed (for trust validation) by a CA (certificate authority) you also 
trust,

-if you configure your server to do client certificate checking.
-Two new entries are available for TLS options:
-.Bl -tag -width Ds -offset indent
-.It VERIFY
-contains the status of the level of verification (held in the macro 
{verify})

-.It ENCR
-the strength of the encryption (in the macro {cipher_bits})
-.El
-.Pp
-VERIFY can also accept the argument for {cipher_bits}.
-Here are a few example entries that illustrate these features, and
-the role based granularity as well:
-.Pp
-Require strong (256-bit) encryption for communication with this server:
-.Pp
-.Dl TLS_Srv:server1.example.netENCR:256
-.Pp
-For a TLS client,
-require verification and a minimum of 128-bit encryption:
-.Pp
-.Dl TLS_Clt:desktop.example.net VERIFY:128
-.Pp
-Much more complicated access maps are possible, and error conditions (such
-as permanent or temporary, PERM+ or TEMP+) can be set on the basis of
-various criteria.
-This allows you fine-grained control over the types of connections you
-can allow.
+certificate-based authentication. If you configure your server to do client
+certificate checking, your clients will have to generate certificates 
signed

+by a CA you also trust.
 .Pp
 Note that it is unwise to force all SMTP clients to use TLS, as it is not
 yet widespread.



Re: allow marking IPv6 with a do not fragment flag for ip6_output

2018-02-10 Thread Claudio Jeker
On Sat, Feb 10, 2018 at 09:03:10PM +1000, David Gwynne wrote:
> ipv6 packets dont have a DF bit you can set in the header, you have
> to pass it as an option to ip6_output if you want that behaviour
> on output. however, ip6_send makes it hard to pass ip6 options to
> ip6_output because you give it an mbuf, and hope for the best in
> the future.
> 
> to cope with this, im proposing we treat "dont fragment on output"
> for ipv6 as a checksum flag on an mbuf. the diff below implements
> this:
> 

Not a fan of this since this is yet another special hack but I see why you
need it and how hard it is to fix it properly.

Grumbling ok claudio@

> Index: sys/mbuf.h
> ===
> RCS file: /cvs/src/sys/sys/mbuf.h,v
> retrieving revision 1.234
> diff -u -p -r1.234 mbuf.h
> --- sys/mbuf.h9 Feb 2018 02:26:33 -   1.234
> +++ sys/mbuf.h10 Feb 2018 09:38:40 -
> @@ -224,12 +224,14 @@ struct mbuf {
>  #define  M_ICMP_CSUM_OUT 0x0200  /* ICMP/ICMPv6 checksum needed 
> */
>  #define  M_ICMP_CSUM_IN_OK   0x0400  /* ICMP/ICMPv6 checksum 
> verified */
>  #define  M_ICMP_CSUM_IN_BAD  0x0800  /* ICMP/ICMPv6 checksum bad */
> +#define  M_IPV6_DF_OUT   0x1000  /* don't fragment outgoing IPv6 
> */
>  
>  #ifdef _KERNEL
>  #define MCS_BITS \
>  ("\20\1IPV4_CSUM_OUT\2TCP_CSUM_OUT\3UDP_CSUM_OUT\4IPV4_CSUM_IN_OK" \
>  "\5IPV4_CSUM_IN_BAD\6TCP_CSUM_IN_OK\7TCP_CSUM_IN_BAD\10UDP_CSUM_IN_OK" \
> -
> "\11UDP_CSUM_IN_BAD\12ICMP_CSUM_OUT\13ICMP_CSUM_IN_OK\14ICMP_CSUM_IN_BAD")
> +
> "\11UDP_CSUM_IN_BAD\12ICMP_CSUM_OUT\13ICMP_CSUM_IN_OK\14ICMP_CSUM_IN_BAD" \
> +"\15IPV6_NODF_OUT")
>  #endif
>  
>  /* mbuf types */
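Review bot: The new flag is defined as `M_IPV6_DF_OUT`, but the MCS_BITS format string that prints csum_flags names the same bit `IPV6_NODF_OUT`, so a flag dump shows a name that exists nowhere in the header and a grep for the macro will not find its printed form; the two should agree, e.g. `"\15IPV6_DF_OUT")`. Because this bit is not a checksum request but rides in csum_flags so that callers of ip6_send() can set it, the one-line comment on the define could say so: `/* don't fragment outgoing IPv6 (not a checksum; kept here so ip6_send() callers can set it) */`. The same mbuf.h hunk appears unchanged in David Gwynne's original post further down the page.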
> Index: netinet6/ip6_output.c
> ===
> RCS file: /cvs/src/sys/netinet6/ip6_output.c,v
> retrieving revision 1.232
> diff -u -p -r1.232 ip6_output.c
> --- netinet6/ip6_output.c 1 Sep 2017 15:05:31 -   1.232
> +++ netinet6/ip6_output.c 10 Feb 2018 09:38:40 -
> @@ -656,7 +656,10 @@ reroute:
>*/
>   tlen = m->m_pkthdr.len;
>  
> - if (opt && (opt->ip6po_flags & IP6PO_DONTFRAG))
> + if (ISSET(m->m_pkthdr.csum_flags, M_IPV6_DF_OUT)) {
> + CLR(m->m_pkthdr.csum_flags, M_IPV6_DF_OUT);
> + dontfrag = 1;
> + } else if (opt && ISSET(opt->ip6po_flags, IP6PO_DONTFRAG))
>   dontfrag = 1;
>   else
>   dontfrag = 0;
> 

-- 
:wq Claudio



Re: tidy up get_hibernate_io_function

2018-02-10 Thread Mike Larkin
On Sat, Feb 10, 2018 at 02:51:55PM +1000, Jonathan Matthew wrote:
> It's hard to see exactly what the dv->dv_parent->etc. checks are doing.
> Before adding sdmmc I'd like to tidy up a bit.
> 
> ok?
> 

Reads ok to me, and thanks for the cleanup. ok mlarkin if you didn't
already commit this.

> Index: arch/amd64/amd64/hibernate_machdep.c
> ===
> RCS file: /cvs/src/sys/arch/amd64/amd64/hibernate_machdep.c,v
> retrieving revision 1.39
> diff -u -p -u -p -r1.39 hibernate_machdep.c
> --- arch/amd64/amd64/hibernate_machdep.c  29 May 2017 12:58:37 -  
> 1.39
> +++ arch/amd64/amd64/hibernate_machdep.c  10 Feb 2018 04:37:14 -
> @@ -95,26 +95,32 @@ get_hibernate_io_function(dev_t dev)
>   extern int sr_hibernate_io(dev_t dev, daddr_t blkno,
>   vaddr_t addr, size_t size, int op, void *page);
>   struct device *dv = disk_lookup(_cd, DISKUNIT(dev));
> -
> + struct {
> + const char *driver;
> + hibio_fn io_func;
> + } sd_io_funcs[] = {
>  #if NAHCI > 0
> - if (dv && dv->dv_parent && dv->dv_parent->dv_parent &&
> - 
> strcmp(dv->dv_parent->dv_parent->dv_cfdata->cf_driver->cd_name,
> - "ahci") == 0)
> - return ahci_hibernate_io;
> + { "ahci", ahci_hibernate_io },
>  #endif
>  #if NNVME > 0
> - if (dv && dv->dv_parent && dv->dv_parent->dv_parent &&
> - 
> strcmp(dv->dv_parent->dv_parent->dv_cfdata->cf_driver->cd_name,
> - "nvme") == 0)
> - return nvme_hibernate_io;
> + { "nvme", nvme_hibernate_io },
>  #endif
>  #if NSOFTRAID > 0
> - if (dv && dv->dv_parent && dv->dv_parent->dv_parent &&
> - 
> strcmp(dv->dv_parent->dv_parent->dv_cfdata->cf_driver->cd_name,
> - "softraid") == 0)
> - return sr_hibernate_io;
> - }
> + { "softraid", sr_hibernate_io },
>  #endif
> + };
> +
> + if (dv && dv->dv_parent && dv->dv_parent->dv_parent) {
> + const char *driver = 
> dv->dv_parent->dv_parent->dv_cfdata->
> + cf_driver->cd_name;
> + int i;
> +
> + for (i = 0; i < nitems(sd_io_funcs); i++) {
> + if (strcmp(driver, sd_io_funcs[i].driver) == 0)
> + return sd_io_funcs[i].io_func;
> + }
> + }
> + }
>  #endif /* NSD > 0 */
>   return NULL;
>  }
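Review bot: `sd_io_funcs[]` is initialised on the stack on every call although every entry is a compile-time constant, and the index `i` is an `int` compared against `nitems()`, which yields a `size_t`; declaring the table `static const struct { ... } sd_io_funcs[] = { ... }` and the index `size_t i` avoids both the per-call initialisation and the signed/unsigned comparison. When NAHCI, NNVME and NSOFTRAID are all 0 the initializer list is empty, which ISO C does not allow (GCC accepts it as an extension), so the table and the lookup probably want a comment, or a guard, recording that dependency. The i386 hibernate_machdep.c hunk further down has the same shape and the same remarks apply. get_hibernate_io_function starts before the hunk, and the `#if NSD > 0` closed at its end is outside the view.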
> Index: arch/i386/i386/hibernate_machdep.c
> ===
> RCS file: /cvs/src/sys/arch/i386/i386/hibernate_machdep.c,v
> retrieving revision 1.49
> diff -u -p -u -p -r1.49 hibernate_machdep.c
> --- arch/i386/i386/hibernate_machdep.c20 May 2016 02:30:41 -  
> 1.49
> +++ arch/i386/i386/hibernate_machdep.c10 Feb 2018 04:37:14 -
> @@ -98,20 +98,29 @@ get_hibernate_io_function(dev_t dev)
>   extern int sr_hibernate_io(dev_t dev, daddr_t blkno,
>   vaddr_t addr, size_t size, int op, void *page);
>   struct device *dv = disk_lookup(_cd, DISKUNIT(dev));
> -
> + struct {
> + const char *driver;
> + hibio_fn io_func;
> + } sd_io_funcs[] = {
>  #if NAHCI > 0
> - if (dv && dv->dv_parent && dv->dv_parent->dv_parent &&
> - 
> strcmp(dv->dv_parent->dv_parent->dv_cfdata->cf_driver->cd_name,
> - "ahci") == 0)
> - return ahci_hibernate_io;
> + { "ahci", ahci_hibernate_io },
>  #endif
>  #if NSOFTRAID > 0
> - if (dv && dv->dv_parent && dv->dv_parent->dv_parent &&
> - 
> strcmp(dv->dv_parent->dv_parent->dv_cfdata->cf_driver->cd_name,
> - "softraid") == 0)
> - return sr_hibernate_io;
> - }
> + { "softraid", sr_hibernate_io },
>  #endif
> + };
> +
> + if (dv && dv->dv_parent && dv->dv_parent->dv_parent) {
> + const char *driver = 
> dv->dv_parent->dv_parent->dv_cfdata->
> + cf_driver->cd_name;
> + int i;
> +
> + for (i = 0; i < nitems(sd_io_funcs); i++) {
> + if (strcmp(driver, sd_io_funcs[i].driver) == 0)
> + return sd_io_funcs[i].io_func;
> + }
> + }
> + }
>  #endif /* NSD > 0 */
>   return NULL;
>  }
> 



Extracting pledge information from kernel code for every process.

2018-02-10 Thread Neeraj Pal
Hello, Tech,

I am doing some hands-on with OpenBSD Kernel code especially with
"sys/kern/kern_sched.c".

I am trying to extract pledge information from kernel code for every process.

In below function, I am doing some modifications for that,

void
schedcpu(void *arg)
{
..

..

LIST_FOREACH(p, , p_list) {
/*
 * Increment sleep time (if sleeping). We ignore overflow.
 */
if (p->p_stat == SSLEEP || p->p_stat == SSTOP)
p->p_slptime++;
p->p_pctcpu = (p->p_pctcpu * ccpu) >> FSHIFT;
/*
 * If the process has slept the entire second,
 * stop recalculating its priority until it wakes up.
 */
if (p->p_slptime > 1)
continue;
SCHED_LOCK(s);
/*
 * p_pctcpu is only for diagnostic tools such as ps.
 */




}

Now, here, after reading some little source code, I found that
LIST_FOREACH macro will traverse from the head () and put it
on var (p).

Now, here, p will contain the address of struct proc structure of
every process which is in the file sys/sys/proc.h.

Now, again, this structure contains another struct process *p_p
structure, which denotes the properties of every process like its pid,
flags, threads etc.

struct proc {
TAILQ_ENTRY(proc) p_runq;
LIST_ENTRY(proc) p_list;/* List of all threads. */

struct  process *p_p;   /* The process of this thread. */
TAILQ_ENTRY(proc) p_thr_link;   /* Threads in a process linkage. */

TAILQ_ENTRY(proc) p_fut_link;   /* Threads in a futex linkage. */
struct  futex   *p_futex;   /* Current sleeping futex. */

/* substructures: */
struct  filedesc *p_fd; /* copy of p_p->ps_fd */
struct  vmspace *p_vmspace; /* copy of p_p->ps_vmspace */
#define p_rlimitp_p->ps_limit->pl_rlimit





}


Now, the struct process structure contains uint64_t ps_pledge.

struct process {
/*
 * ps_mainproc is the original thread in the process.
 * It's only still special for the handling of p_xstat and
 * some signal and ptrace behaviors that need to be fixed.
 */
struct  proc *ps_mainproc;
struct  ucred *ps_ucred;/* Process owner's identity. */





u_short ps_acflag;  /* Accounting flags. */

uint64_t ps_pledge;
uint64_t ps_execpledge;






}


Now, I wrote some modification in void schedcpu() function code.

void
schedcpu(void *arg)
{
pid_t pid;
uint64_t pledge_bit;





LIST_FOREACH(p, , p_list) {

pid=p->p_p->pid;
pledge_bit=p->p_p->ps_pledge;

if (pledge_bit) {
printf("pid: %10d pledge_bit: %10llu
pledge_xbit:%10llx\n",pid,pledge_bit,pledge_bit);
}

/*
 * Increment sleep time (if sleeping). We ignore overflow.
 */
if (p->p_stat == SSLEEP || p->p_stat == SSTOP)
p->p_slptime++;
p->p_pctcpu = (p->p_pctcpu * ccpu) >> FS




}

Here, Kernel log

pid:  37846 pledge_bit: 393359 pledge_xbit:  6008f
pid:  96037 pledge_bit: 393544 pledge_xbit:  60148
pid:  86032 pledge_bit: 264297 pledge_xbit:  40869
pid:  72264 pledge_bit: 393480 pledge_xbit:  60108
pid:  40102 pledge_bit:   8 pledge_xbit:  8
pid:  841 pledge_bit: 2148162527 pledge_xbit:   800a5bdf
pid:  49970 pledge_bit: 2148096143 pledge_xbit:   8009588f
pid:  68505 pledge_bit: 40 pledge_xbit: 28
pid:  46106 pledge_bit: 72 pledge_xbit: 48
pid:  77690 pledge_bit: 537161 pledge_xbit:  83249
pid:  44005 pledge_bit: 262152 pledge_xbit:  40008
pid:  82731 pledge_bit: 2148096143 pledge_xbit:   8009588f
pid:  71609 pledge_bit: 262472 pledge_xbit:  40148
pid:  54330 pledge_bit: 662063 pledge_xbit:  a1a2f
pid:  77764 pledge_bit:1052776pledge_xbit: 101068
pid:699   pledge_bit: 2148096143 pledge_xbit:   8009588f
pid:  84265 pledge_bit:1052776pledge_xbit: 101068






Is it possible to know which process pledges what permissions,
from looking at pledge_bit (decimal or hex values) that I got from
above output?

I took pledge hex value of dhclient process i.e 0x8009588f, then, I
wrote a simple hello world program with a pledge("STDIO",NULL); and
again I looked at dmesg and got the same pledge_bit for hello world
i.e 0x8009588f.

Then, this time I looked at dhclient source code and found out that,
dhclient code pledged pledge("stdio inet dns route proc", NULL).

But then, how is it possible to get the same pledge bits for different
pledge parameters?

Or, Is there some other pledge variable in kernel which keeps track of
permission bits that pass from user-space code using pledge()?


Is what I did above the correct way to extract pledge information,
or am I missing something or doing it wrong?




merge kern_mutex.c into kern_lock.c

2018-02-10 Thread Martin Pieuchot
I'd like to keep all locking code in the same file and then slowly remove
the abstractions.

ok?

Index: kern/kern_lock.c
===
RCS file: /cvs/src/sys/kern/kern_lock.c,v
retrieving revision 1.56
diff -u -p -r1.56 kern_lock.c
--- kern/kern_lock.c10 Feb 2018 12:59:24 -  1.56
+++ kern/kern_lock.c10 Feb 2018 13:02:15 -
@@ -1,6 +1,7 @@
 /* $OpenBSD: kern_lock.c,v 1.56 2018/02/10 12:59:24 mpi Exp $  */
 
 /*
+ * Copyright (c) 2017 Visa Hankala
  * Copyright (c) 2014 David Gwynne 
  * Copyright (c) 2004 Artur Grabowski 
  *
@@ -350,3 +351,52 @@ __mtx_leave(struct mutex *mtx)
splx(s);
 }
 #endif /* __USE_MI_MUTEX */
+
+#ifdef WITNESS
+void
+_mtx_init_flags(struct mutex *m, int ipl, const char *name, int flags,
+struct lock_type *type)
+{
+   struct lock_object *lo = MUTEX_LOCK_OBJECT(m);
+
+   lo->lo_flags = MTX_LO_FLAGS(flags);
+   if (name != NULL)
+   lo->lo_name = name;
+   else
+   lo->lo_name = type->lt_name;
+   WITNESS_INIT(lo, type);
+
+   _mtx_init(m, ipl);
+}
+
+void
+_mtx_enter(struct mutex *m, const char *file, int line)
+{
+   struct lock_object *lo = MUTEX_LOCK_OBJECT(m);
+
+   WITNESS_CHECKORDER(lo, LOP_EXCLUSIVE | LOP_NEWORDER, file, line, NULL);
+   __mtx_enter(m);
+   WITNESS_LOCK(lo, LOP_EXCLUSIVE, file, line);
+}
+
+int
+_mtx_enter_try(struct mutex *m, const char *file, int line)
+{
+   struct lock_object *lo = MUTEX_LOCK_OBJECT(m);
+
+   if (__mtx_enter_try(m)) {
+   WITNESS_LOCK(lo, LOP_EXCLUSIVE, file, line);
+   return 1;
+   }
+   return 0;
+}
+
+void
+_mtx_leave(struct mutex *m, const char *file, int line)
+{
+   struct lock_object *lo = MUTEX_LOCK_OBJECT(m);
+
+   WITNESS_UNLOCK(lo, LOP_EXCLUSIVE, file, line);
+   __mtx_leave(m);
+}
+#endif /* WITNESS */
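Review bot: The four WITNESS wrappers land in kern_lock.c without a comment saying how they relate to the `__mtx_*` functions directly above them, which is the one thing a reader of the merged file now needs; a block comment before `#ifdef WITNESS` would do, e.g. `/* WITNESS-instrumented mutex entry points: wrap the __mtx_* primitives above with WITNESS_CHECKORDER/WITNESS_LOCK/WITNESS_UNLOCK bookkeeping. */`. That comment is also the place to note that `_mtx_init_flags` dereferences `type` only when `name` is NULL, since `type` is not otherwise checked.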
Index: kern/kern_mutex.c
===
RCS file: kern/kern_mutex.c
diff -N kern/kern_mutex.c
--- kern/kern_mutex.c   20 Apr 2017 13:57:30 -  1.1
+++ /dev/null   1 Jan 1970 00:00:00 -
@@ -1,69 +0,0 @@
-/* $OpenBSD: kern_mutex.c,v 1.1 2017/04/20 13:57:30 visa Exp $ */
-
-/*
- * Copyright (c) 2017 Visa Hankala
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include 
-#include 
-#include 
-#include 
-
-void
-_mtx_init_flags(struct mutex *m, int ipl, const char *name, int flags,
-struct lock_type *type)
-{
-   struct lock_object *lo = MUTEX_LOCK_OBJECT(m);
-
-   lo->lo_flags = MTX_LO_FLAGS(flags);
-   if (name != NULL)
-   lo->lo_name = name;
-   else
-   lo->lo_name = type->lt_name;
-   WITNESS_INIT(lo, type);
-
-   _mtx_init(m, ipl);
-}
-
-void
-_mtx_enter(struct mutex *m, const char *file, int line)
-{
-   struct lock_object *lo = MUTEX_LOCK_OBJECT(m);
-
-   WITNESS_CHECKORDER(lo, LOP_EXCLUSIVE | LOP_NEWORDER, file, line, NULL);
-   __mtx_enter(m);
-   WITNESS_LOCK(lo, LOP_EXCLUSIVE, file, line);
-}
-
-int
-_mtx_enter_try(struct mutex *m, const char *file, int line)
-{
-   struct lock_object *lo = MUTEX_LOCK_OBJECT(m);
-
-   if (__mtx_enter_try(m)) {
-   WITNESS_LOCK(lo, LOP_EXCLUSIVE, file, line);
-   return 1;
-   }
-   return 0;
-}
-
-void
-_mtx_leave(struct mutex *m, const char *file, int line)
-{
-   struct lock_object *lo = MUTEX_LOCK_OBJECT(m);
-
-   WITNESS_UNLOCK(lo, LOP_EXCLUSIVE, file, line);
-   __mtx_leave(m);
-}
Index: conf/files
===
RCS file: /cvs/src/sys/conf/files,v
retrieving revision 1.658
diff -u -p -r1.658 files
--- conf/files  7 Feb 2018 01:09:57 -   1.658
+++ conf/files  10 Feb 2018 13:02:17 -
@@ -671,7 +671,6 @@ file kern/kern_kthread.c
 file kern/kern_ktrace.cktrace
 file kern/kern_lock.c
 file kern/kern_malloc.c
-file kern/kern_mutex.c witness
 file kern/kern_rwlock.c
 file kern/kern_physio.c
 file kern/kern_proc.c



Re: pf half-open tcp in state table

2018-02-10 Thread Matthieu Herrb
On Fri, Feb 09, 2018 at 11:11:18AM +0100, Matthieu Herrb wrote:
> Hi,
> 
> I've recently setup a new pair of OpenBSD 6.2 pf firewalls (with carp)
> in my lab, and that's not performing very well.
> 
> tcp-based NFS v3 and v4 traffic (between Linux clients and a NetApp
> server) through it is struggling, and some SSH or HTTPS transfers are
> stalling, with their states disapearing from the state table.
> 
> I'm trying to figure out what's going on to fix the issue.
>

Thanks to all who answered in private.

With their advice and a bit of personal research, it looks like this
firewall pair is now working as expected.

One of the main issues was caused by a server having 2 interfaces in 2
different vlans that are routed through this firewall. This generated
asymmetric routing, so the reply packets weren't traversing the firewall
and not updating the state, which stayed half-open for 30s, before
expiring and cutting the connection. A tad of source-routing on the
linux side now forces the traffic to stay symmetric and everything's
fine. 

Another issue seems to come from the fact that the new firewalls are
faster than the previous Cisco router. That apparently triggered bugs
in the vmxnet3 driver of CentOS 6 virtual machines; upgrading to the
driver from open-vm-tools seems to have fixed the reset of the NFS
traffic issues.

The last point is that there seems to be a bug in the half-open
accounting code. The huge number I'm seeing here is in fact pretty
surely negative: 
> 
> The main anomaly I see is the huge number (and it keeps growing) of
> half-open tcp states, after 24h of uptime. See pfctl -vsi output
> below.
> 
>   half-open tcp 4294375902

This is 0xfff6f9de

So it seems that, either because of the asymmetric route issue, or
something else, the number of half open connections is decremented
more often than it's incremented, leading to this unsigned overflow.

But as Henning@ mentioned, this is only accounting and not
actually used anywhere, so it shouldn't cause any real-life issue.

-- 
Matthieu Herrb



sparc64: use MI mutex

2018-02-10 Thread Martin Pieuchot
Diff below switches sparc64 to the MI mutex implementation.  I've been
running this on my 16CPUs guest on a T5220 without issues.

I'm not removing the assembly code yet in case we spot an issue.

More tests and oks welcome :)

Index: arch/sparc64/conf/files.sparc64
===
RCS file: /cvs/src/sys/arch/sparc64/conf/files.sparc64,v
retrieving revision 1.149
diff -u -p -r1.149 files.sparc64
--- arch/sparc64/conf/files.sparc64 17 Oct 2017 14:25:35 -  1.149
+++ arch/sparc64/conf/files.sparc64 10 Feb 2018 10:49:56 -
@@ -329,7 +329,6 @@ filearch/sparc64/sparc64/kgdb_machdep.c
 file   arch/sparc64/sparc64/machdep.c
 file   arch/sparc64/sparc64/mdesc.csun4v
 file   arch/sparc64/sparc64/mem.c
-file   arch/sparc64/sparc64/mutex.S
 file   arch/sparc64/sparc64/openprom.c
 file   arch/sparc64/sparc64/openfirm.c
 file   arch/sparc64/sparc64/ofw_machdep.c
Index: arch/sparc64/include/mutex.h
===
RCS file: /cvs/src/sys/arch/sparc64/include/mutex.h,v
retrieving revision 1.7
diff -u -p -r1.7 mutex.h
--- arch/sparc64/include/mutex.h13 Jan 2018 15:18:11 -  1.7
+++ arch/sparc64/include/mutex.h10 Feb 2018 10:49:36 -
@@ -1,85 +1,3 @@
 /* $OpenBSD: mutex.h,v 1.7 2018/01/13 15:18:11 mpi Exp $   */
 
-/*
- * Copyright (c) 2004 Artur Grabowski 
- * All rights reserved. 
- *
- * Redistribution and use in source and binary forms, with or without 
- * modification, are permitted provided that the following conditions 
- * are met: 
- *
- * 1. Redistributions of source code must retain the above copyright 
- *notice, this list of conditions and the following disclaimer. 
- * 2. The name of the author may not be used to endorse or promote products
- *derived from this software without specific prior written permission. 
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
- * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL  DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
- * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
- * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
- * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
- */
-
-#ifndef _MACHINE_MUTEX_H_
-#define _MACHINE_MUTEX_H_
-
-#include 
-
-struct mutex {
-   volatile void *mtx_owner; /* mutex.S relies upon this being first */
-   int mtx_wantipl;
-   int mtx_oldipl;
-#ifdef WITNESS
-   struct lock_object mtx_lock_obj;
-#endif
-};
-
-/*
- * To prevent lock ordering problems with the kernel lock, we need to
- * make sure we block all interrupts that can grab the kernel lock.
- * The simplest way to achieve this is to make sure mutexes always
- * raise the interrupt priority level to the highest level that has
- * interrupts that grab the kernel lock.
- */
-#ifdef MULTIPROCESSOR
-#define __MUTEX_IPL(ipl) \
-(((ipl) > IPL_NONE && (ipl) < IPL_MPFLOOR) ? IPL_MPFLOOR : (ipl))
-#else
-#define __MUTEX_IPL(ipl) (ipl)
-#endif
-
-#ifdef WITNESS
-#define MUTEX_INITIALIZER_FLAGS(ipl, name, flags) \
-   { NULL, __MUTEX_IPL((ipl)), IPL_NONE, MTX_LO_INITIALIZER(name, flags) }
-#else
-#define MUTEX_INITIALIZER_FLAGS(ipl, name, flags) \
-   { NULL, __MUTEX_IPL((ipl)), IPL_NONE }
-#endif
-
-void __mtx_init(struct mutex *, int);
-#define _mtx_init(mtx, ipl) __mtx_init((mtx), __MUTEX_IPL((ipl)))
-
-#ifdef DIAGNOSTIC
-#define MUTEX_ASSERT_LOCKED(mtx) do {  \
-   if ((mtx)->mtx_owner != curcpu())   \
-   panic("mutex %p not held in %s", (mtx), __func__);  \
-} while (0)
-
-#define MUTEX_ASSERT_UNLOCKED(mtx) do {
\
-   if ((mtx)->mtx_owner == curcpu())   \
-   panic("mutex %p held in %s", (mtx), __func__);  \
-} while (0)
-#else
-#define MUTEX_ASSERT_LOCKED(mtx) do { } while (0)
-#define MUTEX_ASSERT_UNLOCKED(mtx) do { } while (0)
-#endif
-
-#define MUTEX_LOCK_OBJECT(mtx) (&(mtx)->mtx_lock_obj)
-#define MUTEX_OLDIPL(mtx)  (mtx)->mtx_oldipl
-
-#endif /* _MACHINE_MUTEX_H_ */
+#define __USE_MI_MUTEX



pkg_add vs https

2018-02-10 Thread Marc Espie
So we've been working with the tls crowd to bring you decent https support.

The crux of the matter is that pkg_add does not handle https directly,
it does use ftp(1) to fetch every single file.

... which means a new connection for each single package it looks at.

with http, that's fairly okay. Establishing a new connection is pretty cheap.

For https, there's tls involved, and if you look at the protocol, normal
connections do begin with an authentication exchange, which uses public
key cryptography, which is, for the most part, using RSA in the https world.

This slows things down in two ways:
- public key cryptography is still somewhat expensive, especially for slower
machines.
- there is a lot of back-and-forth involved, on top of normal tcp handshakes.
Namely client sends clienthello, server replies with serverhello,
client responds with certificateinfo, server responds with finished
and we can FINALLY send data.  (from 3 to 7 back, wee)


There's a functionality in tls called "session resumption", where all the
back-and-forth already used in the first connection is replaced in
subsequent connections by a simple token exchange (after all
the client and server already authenticated each other, and can prove they
know the same shared secret). This speeds up things a little:
- no public key cryptography involved
- the handshake devolves into clienthello, serverhello+finished, finished
so it shaves one packet... well, not as good as could be expected but
still something.

So, this functionality exists in libressl. What Joel and others did was
expose it in libtls, and add a hook in ftp(1) so that it could be used by
pkg_add.

This is still fairly secure: pkg_add creates a temporary file as _pkgfetch,
unlinks it from the filesystem, and passes /dev/fd/N (the descriptor number)
as the session file to ftp(1), which is happy to work with it
(no easy way to spy on that secret... and if you can look at other
processes' open files, I'd say you have bigger problems).

(I don't know who exactly came up with the idea of making it work with a
pure file descriptor, but this is brilliant)

Measuring this shows that https gets somewhat less slow.  It's still slower
than pure http (the extra 3 messages are still something), but it becomes
more of a choice for people who want anonymity.

Note that, if you use session resumption, ftp(1) will report on whether or
not it was successful. pkg_add(1) parses those messages and will tell whether
you are using a "slow" https mirror or not.

I've also run into bizarre session resumption implementations (apache...)
which seem to think that 5 min is a good timeout for expiring tokens (we're
talking about session tokens that are actually ACTIVE AND USED, not keeping
tokens around while the connection is closed. Nope, looks like at least one
mirror expires tokens after five minutes, regardless of their use).

So, this is as good as it gets from this end, until I figure out a better
way to interleave operations...



allow marking IPv6 with a do not fragment flag for ip6_output

2018-02-10 Thread David Gwynne
ipv6 packets dont have a DF bit you can set in the header, you have
to pass it as an option to ip6_output if you want that behaviour
on output. however, ip6_send makes it hard to pass ip6 options to
ip6_output because you give it an mbuf, and hope for the best in
the future.

to cope with this, im proposing we treat "dont fragment on output"
for ipv6 as a checksum flag on an mbuf. the diff below implements
this:

Index: sys/mbuf.h
===
RCS file: /cvs/src/sys/sys/mbuf.h,v
retrieving revision 1.234
diff -u -p -r1.234 mbuf.h
--- sys/mbuf.h  9 Feb 2018 02:26:33 -   1.234
+++ sys/mbuf.h  10 Feb 2018 09:38:40 -
@@ -224,12 +224,14 @@ struct mbuf {
 #defineM_ICMP_CSUM_OUT 0x0200  /* ICMP/ICMPv6 checksum needed 
*/
 #defineM_ICMP_CSUM_IN_OK   0x0400  /* ICMP/ICMPv6 checksum 
verified */
 #defineM_ICMP_CSUM_IN_BAD  0x0800  /* ICMP/ICMPv6 checksum bad */
+#defineM_IPV6_DF_OUT   0x1000  /* don't fragment outgoing IPv6 
*/
 
 #ifdef _KERNEL
 #define MCS_BITS \
 ("\20\1IPV4_CSUM_OUT\2TCP_CSUM_OUT\3UDP_CSUM_OUT\4IPV4_CSUM_IN_OK" \
 "\5IPV4_CSUM_IN_BAD\6TCP_CSUM_IN_OK\7TCP_CSUM_IN_BAD\10UDP_CSUM_IN_OK" \
-"\11UDP_CSUM_IN_BAD\12ICMP_CSUM_OUT\13ICMP_CSUM_IN_OK\14ICMP_CSUM_IN_BAD")
+"\11UDP_CSUM_IN_BAD\12ICMP_CSUM_OUT\13ICMP_CSUM_IN_OK\14ICMP_CSUM_IN_BAD" \
+"\15IPV6_NODF_OUT")
 #endif
 
 /* mbuf types */
Index: netinet6/ip6_output.c
===
RCS file: /cvs/src/sys/netinet6/ip6_output.c,v
retrieving revision 1.232
diff -u -p -r1.232 ip6_output.c
--- netinet6/ip6_output.c   1 Sep 2017 15:05:31 -   1.232
+++ netinet6/ip6_output.c   10 Feb 2018 09:38:40 -
@@ -656,7 +656,10 @@ reroute:
 */
tlen = m->m_pkthdr.len;
 
-   if (opt && (opt->ip6po_flags & IP6PO_DONTFRAG))
+   if (ISSET(m->m_pkthdr.csum_flags, M_IPV6_DF_OUT)) {
+   CLR(m->m_pkthdr.csum_flags, M_IPV6_DF_OUT);
+   dontfrag = 1;
+   } else if (opt && ISSET(opt->ip6po_flags, IP6PO_DONTFRAG))
dontfrag = 1;
else
dontfrag = 0;



Re: route socket filter on priority

2018-02-10 Thread Stuart Henderson
On 2018/02/10 10:12, Sebastian Benoit wrote:
> 
> 
> - add ROUTE_PRIOFILTER
> - it has one argument that is interpreted as a route priority
> - all route updates with prio lower or equal will pass the filter,
>   all with higher priority value will be filtered.
> - example use in ospfd
> 
> comments/oks?
> 
> (benno_ospfd_route_priofilter_1.diff)
> 
> diff --git sys/net/route.h sys/net/route.h
> index 1ca0a22c45f..7a4008b7ac1 100644
> --- sys/net/route.h
> +++ sys/net/route.h
> @@ -298,6 +298,9 @@ struct rt_msghdr {
>  #define ROUTE_TABLEFILTER 2  /* change routing table the socket is listening
>  on, RTABLE_ANY listens on all tables. */
>  
> +#define ROUTE_PRIOFILTER 3   /* change routing table the socket is listening
> +on, RTABLE_ANY listens on all tables. */
> +

This comment needs fixing or removing, otherwise ok.
Feel free to use this accompanying manpage diff.

Index: route.4
===
RCS file: /cvs/src/share/man/man4/route.4,v
retrieving revision 1.44
diff -u -p -r1.44 route.4
--- route.4 12 Jan 2018 04:36:44 -  1.44
+++ route.4 10 Feb 2018 10:39:08 -
@@ -210,6 +210,20 @@ if (setsockopt(routefd, PF_ROUTE, ROUTE_
err(1, "setsockopt(ROUTE_MSGFILTER)");
 .Ed
 .Pp
+Similarly, a process can specify that it is only interested in messages
+relating to routes where the priority is no more than a certain value
+by issuing a setsockopt call with the
+.Dv ROUTE_PRIOFILTER
+option.
+For example, to select only static, directly connected and local routes:
+.Bd -literal -offset indent
+u_char maxprio;
+
+if (setsockopt(routefd, PF_ROUTE, ROUTE_PRIOFILTER,
+, sizeof(maxprio)) == -1)
+   err(1, "setsockopt(ROUTE_PRIOFILTER)");
+.Ed
+.Pp
 If a route is in use when it is deleted,
 the routing entry will be marked down and removed from the routing table,
 but the resources associated with it will not



Re: route socket filter on priority

2018-02-10 Thread Tom Smyth
Nice feature
lots of real world use cases.


On 10 Feb 2018 9:19 AM, "Sebastian Benoit"  wrote:

>
>
> - add ROUTE_PRIOFILTER
> - it has one argument that is interpreted as a route priority
> - all route updates with prio lower or equal will pass the filter,
>   all with higher priority value will be filtered.
> - example use in ospfd
>
> comments/oks?
>
> (benno_ospfd_route_priofilter_1.diff)
>
> diff --git sys/net/route.h sys/net/route.h
> index 1ca0a22c45f..7a4008b7ac1 100644
> --- sys/net/route.h
> +++ sys/net/route.h
> @@ -298,6 +298,9 @@ struct rt_msghdr {
>  #define ROUTE_TABLEFILTER 2/* change routing table the socket is
> listening
>on, RTABLE_ANY listens on all tables. */
>
> +#define ROUTE_PRIOFILTER 3 /* change routing table the socket is
> listening
> +  on, RTABLE_ANY listens on all tables. */
> +
>  #define ROUTE_FILTER(m)(1 << (m))
>  #define RTABLE_ANY 0x
>
> diff --git sys/net/rtsock.c sys/net/rtsock.c
> index 35bdd09d143..5f4244e6057 100644
> --- sys/net/rtsock.c
> +++ sys/net/rtsock.c
> @@ -141,6 +141,7 @@ struct routecb {
> unsigned intmsgfilter;
> unsigned intflags;
> u_int   rtableid;
> +   u_char  priority;
>  };
>  #definesotoroutecb(so) ((struct routecb *)(so)->so_pcb)
>
> @@ -309,6 +310,7 @@ route_ctloutput(int op, struct socket *so, int level,
> int optname,
> struct routecb *rop = sotoroutecb(so);
> int error = 0;
> unsigned int tid;
> +   u_char prio;
>
> if (level != AF_ROUTE)
> return (EINVAL);
> @@ -333,6 +335,17 @@ route_ctloutput(int op, struct socket *so, int level,
> int optname,
> else
> rop->rtableid = tid;
> break;
> +   case ROUTE_PRIOFILTER:
> +   if (m == NULL || m->m_len != sizeof(u_char)) {
> +   error = EINVAL;
> +   break;
> +   }
> +   prio = *mtod(m, u_char *);
> +   if (prio > RTP_MAX)
> +   error = EINVAL;
> +   else
> +   rop->priority = prio;
> +   break;
> default:
> error = ENOPROTOOPT;
> break;
> @@ -348,6 +361,10 @@ route_ctloutput(int op, struct socket *so, int level,
> int optname,
> m->m_len = sizeof(unsigned int);
> *mtod(m, unsigned int *) = rop->rtableid;
> break;
> +   case ROUTE_PRIOFILTER:
> +   m->m_len = sizeof(u_char);
> +   *mtod(m, u_char *) = rop->priority;
> +   break;
> default:
> error = ENOPROTOOPT;
> break;
> @@ -431,6 +448,8 @@ route_input(struct mbuf *m0, struct socket *so,
> sa_family_t sa_family)
> if (rtm->rtm_type != RTM_DESYNC && rop->msgfilter != 0 &&
> !(rop->msgfilter & (1 << rtm->rtm_type)))
> continue;
> +   if (rop->priority != 0 && rop->priority <
> rtm->rtm_priority)
> +   continue;
> switch (rtm->rtm_type) {
> case RTM_IFANNOUNCE:
> case RTM_DESYNC:
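Review bot: The new priority check does not exempt RTM_DESYNC the way the msgfilter check on the lines just above it does, so a listener with a priority filter set can be silently denied the one message that tells it the socket overflowed; the condition should read `if (rtm->rtm_type != RTM_DESYNC && rop->priority != 0 && rop->priority < rtm->rtm_priority) continue;`. The check also runs before the switch that already singles out RTM_IFANNOUNCE and RTM_DESYNC, and presumably interface and address messages; if those types carry a header other than rt_msghdr, `rtm_priority` reads an unrelated field for them, so the filter probably belongs only on the route message types. The same hunk appears in Sebastian Benoit's original post below. route_input starts before the hunk.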
> diff --git usr.sbin/ospfd/kroute.c usr.sbin/ospfd/kroute.c
> index 17febefbdcb..a5c069aa540 100644
> --- usr.sbin/ospfd/kroute.c
> +++ usr.sbin/ospfd/kroute.c
> @@ -127,10 +127,11 @@ kif_init(void)
>  }
>
>  int
> -kr_init(int fs, u_int rdomain)
> +kr_init(int fs, u_int rdomain, u_int8_t redis_label_or_prefix)
>  {
> int opt = 0, rcvbuf, default_rcvbuf;
> socklen_t   optlen;
> +   u_char  filter_prio = RTP_OSPF;
>
> kr_state.fib_sync = fs;
> kr_state.rdomain = rdomain;
> @@ -146,6 +147,14 @@ kr_init(int fs, u_int rdomain)
> , sizeof(opt)) == -1)
> log_warn("kr_init: setsockopt");/* not fatal */
>
> +   if (redis_label_or_prefix)
> +   filter_prio = 0;
> +   if (setsockopt(kr_state.fd, AF_ROUTE, ROUTE_PRIOFILTER,
> _prio,
> +   sizeof(filter_prio)) == -1) {
> +   log_warn("%s: setsockopt AF_ROUTE ROUTE_PRIOFILTER",
> __func__);
> +   return (-1);
> +   }
> +
> /* grow receive buffer, don't wanna miss messages */
> optlen = sizeof(default_rcvbuf);
> if (getsockopt(kr_state.fd, SOL_SOCKET, SO_RCVBUF,
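Review bot: A failed `setsockopt(ROUTE_PRIOFILTER)` makes kr_init fail with `return (-1)`, while the preceding setsockopt a few lines above is logged and explicitly treated as "not fatal"; since the filter only reduces what the socket delivers, the same non-fatal treatment would keep ospfd starting on a kernel that does not know the new option. The meaning of `filter_prio = 0` deserves a comment where it is set, e.g. `/* 0 disables the filter: redistribution needs to see every route */`. kr_init's signature gained `redis_label_or_prefix` in the previous hunk, and the caller change in ospfd.c is cut off at the end of the quote.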
> diff --git usr.sbin/ospfd/ospfd.c usr.sbin/ospfd/ospfd.c
> index 3c5057ae04e..0e91819f673 100644
> --- usr.sbin/ospfd/ospfd.c
> +++ usr.sbin/ospfd/ospfd.c
> @@ -265,7 +265,7 @@ main(int argc, char *argv[])
> 

route socket filter on priority

2018-02-10 Thread Sebastian Benoit


- add ROUTE_PRIOFILTER
- it has one argument that is interpreted as a route priority
- all route updates with prio lower or equal will pass the filter,
  all with higher priority value will be filtered.
- example use in ospfd

comments/oks?

(benno_ospfd_route_priofilter_1.diff)

diff --git sys/net/route.h sys/net/route.h
index 1ca0a22c45f..7a4008b7ac1 100644
--- sys/net/route.h
+++ sys/net/route.h
@@ -298,6 +298,9 @@ struct rt_msghdr {
 #define ROUTE_TABLEFILTER 2/* change routing table the socket is listening
   on, RTABLE_ANY listens on all tables. */
 
+#define ROUTE_PRIOFILTER 3 /* change routing table the socket is listening
+  on, RTABLE_ANY listens on all tables. */
+
 #define ROUTE_FILTER(m)(1 << (m))
 #define RTABLE_ANY 0x
 
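Review bot: The comment on the new ROUTE_PRIOFILTER define is copied verbatim from ROUTE_TABLEFILTER and describes changing the routing table, which is not what this option does; replace it with the semantics from the cover letter, e.g. `#define ROUTE_PRIOFILTER 3 /* only deliver route messages whose rtm_priority is <= the given u_char value; 0 disables the filter */`. route(4) is where users will look for this option and it is not touched by the diff, so a manual page hunk is still missing.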
diff --git sys/net/rtsock.c sys/net/rtsock.c
index 35bdd09d143..5f4244e6057 100644
--- sys/net/rtsock.c
+++ sys/net/rtsock.c
@@ -141,6 +141,7 @@ struct routecb {
unsigned intmsgfilter;
unsigned intflags;
u_int   rtableid;
+   u_char  priority;
 };
 #definesotoroutecb(so) ((struct routecb *)(so)->so_pcb)
 
@@ -309,6 +310,7 @@ route_ctloutput(int op, struct socket *so, int level, int 
optname,
struct routecb *rop = sotoroutecb(so);
int error = 0;
unsigned int tid;
+   u_char prio;
 
if (level != AF_ROUTE)
return (EINVAL);
@@ -333,6 +335,17 @@ route_ctloutput(int op, struct socket *so, int level, int 
optname,
else
rop->rtableid = tid;
break;
+   case ROUTE_PRIOFILTER:
+   if (m == NULL || m->m_len != sizeof(u_char)) {
+   error = EINVAL;
+   break;
+   }
+   prio = *mtod(m, u_char *);
+   if (prio > RTP_MAX)
+   error = EINVAL;
+   else
+   rop->priority = prio;
+   break;
default:
error = ENOPROTOOPT;
break;
@@ -348,6 +361,10 @@ route_ctloutput(int op, struct socket *so, int level, int 
optname,
m->m_len = sizeof(unsigned int);
*mtod(m, unsigned int *) = rop->rtableid;
break;
+   case ROUTE_PRIOFILTER:
+   m->m_len = sizeof(u_char);
+   *mtod(m, u_char *) = rop->priority;
+   break;
default:
error = ENOPROTOOPT;
break;
@@ -431,6 +448,8 @@ route_input(struct mbuf *m0, struct socket *so, sa_family_t 
sa_family)
if (rtm->rtm_type != RTM_DESYNC && rop->msgfilter != 0 &&
!(rop->msgfilter & (1 << rtm->rtm_type)))
continue;
+   if (rop->priority != 0 && rop->priority < rtm->rtm_priority)
+   continue;
switch (rtm->rtm_type) {
case RTM_IFANNOUNCE:
case RTM_DESYNC:
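Review bot: The new priority check reads rtm_priority from every message type, but that field is only meaningful for route messages; interface and address messages (RTM_IFINFO, RTM_IFANNOUNCE, RTM_NEWADDR and friends) are built from if_msghdr/ifa_msghdr, where — if I read the header layouts right — the same bytes are padding that happen to be zero, so the check passes by accident rather than by design. The msgfilter test two lines above explicitly exempts RTM_DESYNC, and the priority test should at least do the same so a socket-overflow notification is never dropped: `if (rop->priority != 0 && rtm->rtm_type != RTM_DESYNC && rop->priority < rtm->rtm_priority) continue;`, or better, apply it only to the route message types. route_input starts and ends outside the hunk, and the same hunk is quoted in the reply at the top of this page.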
diff --git usr.sbin/ospfd/kroute.c usr.sbin/ospfd/kroute.c
index 17febefbdcb..a5c069aa540 100644
--- usr.sbin/ospfd/kroute.c
+++ usr.sbin/ospfd/kroute.c
@@ -127,10 +127,11 @@ kif_init(void)
 }
 
 int
-kr_init(int fs, u_int rdomain)
+kr_init(int fs, u_int rdomain, u_int8_t redis_label_or_prefix)
 {
int opt = 0, rcvbuf, default_rcvbuf;
socklen_t   optlen;
+   u_char  filter_prio = RTP_OSPF;
 
kr_state.fib_sync = fs;
kr_state.rdomain = rdomain;
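Review bot: The new parameter is spelled `redis_label_or_prefix` here while the caller in ospfd.c passes `ospfd_conf->redist_label_or_prefix`; keep both sides on `redist_` so a grep finds the pair. It is used only as a yes/no switch to choose between RTP_OSPF and 0 further down in kr_init, so a one-line comment on the declaration such as `/* non-zero: redistribution by label/prefix needs every priority, so no filter */` would explain why the filter is dropped in that case. kr_init continues outside the hunk.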
@@ -146,6 +147,14 @@ kr_init(int fs, u_int rdomain)
, sizeof(opt)) == -1)
log_warn("kr_init: setsockopt");/* not fatal */
 
+   if (redis_label_or_prefix)
+   filter_prio = 0;
+   if (setsockopt(kr_state.fd, AF_ROUTE, ROUTE_PRIOFILTER, _prio,
+   sizeof(filter_prio)) == -1) {
+   log_warn("%s: setsockopt AF_ROUTE ROUTE_PRIOFILTER", __func__);
+   return (-1);
+   }
+
/* grow receive buffer, don't wanna miss messages */
optlen = sizeof(default_rcvbuf);
if (getsockopt(kr_state.fd, SOL_SOCKET, SO_RCVBUF,
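Review bot: The ROUTE_PRIOFILTER setsockopt is made fatal with `return (-1)`, while the setsockopt just above it is logged and marked "not fatal"; since the priority filter only reduces the messages ospfd has to parse, failing hard seems stronger than needed, and it also makes ospfd refuse to start on a kernel that does not know the option yet (ENOPROTOOPT). If the fatal path is kept, kr_state.fd is left open on the way out; the only visible caller fatalx()s, so that is harmless today, but a comment like `/* caller exits on -1; fd intentionally left to the exit */` would make the intent explicit. It would also help to document that, with the flag unset, kernel messages for routes of priority above RTP_OSPF are no longer delivered to ospfd at all, since that is a behaviour change for anything in kroute.c that used to see them — I can only infer the consumers from the call site. kr_init continues outside the hunk.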
diff --git usr.sbin/ospfd/ospfd.c usr.sbin/ospfd/ospfd.c
index 3c5057ae04e..0e91819f673 100644
--- usr.sbin/ospfd/ospfd.c
+++ usr.sbin/ospfd/ospfd.c
@@ -265,7 +265,7 @@ main(int argc, char *argv[])
event_add(_rde->ev, NULL);
 
if (kr_init(!(ospfd_conf->flags & OSPFD_FLAG_NO_FIB_UPDATE),
-   ospfd_conf->rdomain) == -1)
+   ospfd_conf->rdomain, ospfd_conf->redist_label_or_prefix) == -1)
fatalx("kr_init failed");
 
/* remove unneeded stuff from config */
diff --git usr.sbin/ospfd/ospfd.h usr.sbin/ospfd/ospfd.h

IPv6 reject routes autocreation

2018-02-10 Thread Claudio Jeker
Similar to IPv4 this will inject all the magic reject routes for IPv6.
This includes the bad networks in the 6to4 range (2002::/16) and some
other magic.

Here is what you get:
Internet6:
DestinationGateway Flags Refs   Use Mtu  Prio Iface
::/96  ::1 UGRS 00 32768 8 lo2  
::1::1 UHhl 10   10 327681 lo2  
:::0.0.0.0/96  ::1 UGRS 00 32768 8 lo2  
2002::/24  ::1 UGRS 00 32768 8 lo2  
2002:7f00::/24 ::1 UGRS 00 32768 8 lo2  
2002:e000::/20 ::1 UGRS 00 32768 8 lo2  
2002:ff00::/24 ::1 UGRS 00 32768 8 lo2  
fe80::/10  ::1 UGRS 01 32768 8 lo2  
fec0::/10  ::1 UGRS 00 32768 8 lo2  
fe80::1%lo2fe80::1%lo2 UHl  00 32768 1 lo2  
ff01::/16  ::1 UGRS 00 32768 8 lo2  
ff01::%lo2/32  ::1 Um   01 32768 4 lo2  
ff02::/16  ::1 UGRS 00 32768 8 lo2  
ff02::%lo2/32  ::1 Um   01 32768 4 lo2  

-- 
:wq Claudio

Index: netinet6//in6_ifattach.c
===
RCS file: /cvs/src/sys/netinet6/in6_ifattach.c,v
retrieving revision 1.105
diff -u -p -r1.105 in6_ifattach.c
--- netinet6//in6_ifattach.c10 Feb 2018 05:52:08 -  1.105
+++ netinet6//in6_ifattach.c10 Feb 2018 08:31:12 -
@@ -61,6 +61,8 @@ int   in6_get_hw_ifid(struct ifnet *, stru
 intin6_get_soii_ifid(struct ifnet *, struct in6_addr *);
 void   in6_get_ifid(struct ifnet *, struct in6_addr *);
 intin6_ifattach_loopback(struct ifnet *);
+intin6_ifattach_loopback_routes(struct ifnet *, struct in6_ifaddr *);
+
 
 #define EUI64_GBIT 0x01
 #define EUI64_UBIT 0x02
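Review bot: The added prototype comes with a second `+` blank line, leaving two empty lines before the EUI64_GBIT define where the rest of this declaration list uses one; drop the extra line. Nothing else in this hunk needs changing.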
@@ -419,6 +421,63 @@ in6_ifattach_loopback(struct ifnet *ifp)
return (in6_update_ifa(ifp, , NULL));
 }
 
+int
+in6_ifattach_loopback_routes(struct ifnet *ifp, struct in6_ifaddr *ia6)
+{
+   struct rt_addrinfo info;
+   struct sockaddr_in6 addr, mask, gate;
+   int error, i;
+
+   struct {
+   struct in6_addr addr;
+   struct in6_addr mask;
+   } reject_routes[] = {
+   { {{{ 0 }}}, IN6MASK96 },
+   { {{{ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff, 0, 0 }}}, IN6MASK96 },
+   { {{{ 0x20, 0x02, 0, 0 }}}, {{{ 0xff, 0xff, 0xff, 0 }}} },
+   { {{{ 0x20, 0x02, 0x7f, 0 }}}, {{{ 0xff, 0xff, 0xff, 0 }}} },
+   { {{{ 0x20, 0x02, 0xe0, 0 }}}, {{{ 0xff, 0xff, 0xf0, 0 }}} },
+   { {{{ 0x20, 0x02, 0xff, 0 }}}, {{{ 0xff, 0xff, 0xff, 0 }}} },
+   { {{{ 0xfe, 0x80, 0, 0 }}}, {{{ 0xff, 0xc0, 0, 0 }}} },
+   { {{{ 0xfe, 0xc0, 0, 0 }}}, {{{ 0xff, 0xc0, 0, 0 }}} },
+   { {{{ 0xff, 0x01, 0, 0 }}}, {{{ 0xff, 0xff, 0, 0 }}} },
+   { {{{ 0xff, 0x02, 0, 0 }}}, {{{ 0xff, 0xff, 0, 0 }}} }
+   };
+
+   KASSERT(ifp->if_flags & IFF_LOOPBACK);
+   KASSERT(ia6 != NULL);
+
+   bzero(, sizeof(info));
+   bzero(, sizeof(addr));
+   bzero(, sizeof(mask));
+   bzero(, sizeof(gate));
+
+   addr.sin6_len = sizeof(struct sockaddr_in6);
+   addr.sin6_family = AF_INET6;
+   mask.sin6_len = sizeof(struct sockaddr_in6);
+   mask.sin6_family = AF_INET6;
+   gate.sin6_len = sizeof(struct sockaddr_in6);
+   gate.sin6_family = AF_INET6;
+   gate.sin6_addr = in6addr_loopback;
+
+   info.rti_flags = RTF_GATEWAY | RTF_REJECT | RTF_STATIC;
+   info.rti_ifa = >ia_ifa;
+   info.rti_info[RTAX_GATEWAY] = sin6tosa();
+
+   for (i = 0; i < nitems(reject_routes); i++) {
+   /* Now insert the reject routes */
+   addr.sin6_addr = reject_routes[i].addr;
+   mask.sin6_addr = reject_routes[i].mask;
+   info.rti_info[RTAX_DST] = sin6tosa();
+   info.rti_info[RTAX_NETMASK] = sin6tosa();
+
+   error = rtrequest(RTM_ADD, , 0, NULL, ifp->if_rdomain);
+   if (error)
+   return (error);
+   }
+   return (0);
+}
+
 /*
  * compute NI group address, based on the current hostname setting.
  * see draft-ietf-ipngwg-icmp-name-lookup-* (04 and later).
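Review bot: If rtrequest() fails for the n-th entry, in6_ifattach_loopback_routes returns with the first n-1 reject routes already installed and nothing removes them, and the caller in in6_ifattach then fails the whole attach; either delete the already-inserted entries before returning or state in a comment above the loop that a partial set is left behind on error. ia6 is only checked with KASSERT, yet the caller in the next hunk passes the result of an in6ifa_ifpwithaddr() lookup straight in, so on a kernel built without DIAGNOSTIC a missed lookup dereferences NULL at `info.rti_ifa`; returning an error for ia6 == NULL costs one line. The reject_routes table is rebuilt on the stack on every call; `static const` would make it read-only data, and a short comment per entry naming the prefix as the netstat output in the commit message does would save readers decoding the byte arrays. The loop index `i` is an int compared against nitems(), which is a sign-compare warning; declare it `u_int`.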
@@ -507,6 +566,10 @@ in6_ifattach(struct ifnet *ifp)
return (0);
 
error = in6_ifattach_loopback(ifp);
+   if (error)
+   return (error);
+   error = in6_ifattach_loopback_routes(ifp, 
+   in6ifa_ifpwithaddr(ifp, ));
if (error)
return (error);
}