[PATCH] www/books.html - SSH Mastery, 2nd Edition has now been released
Hi all,

An update of the "SSH Mastery" book entry to its 2nd edition. While there, I moved its subtitle up, where it belongs, and swapped ISBN 10 and 13 to keep it consistent with other books.

I had also taken the liberty to update:
- release date of Peter N. M. Hansteen's Book of PF
- included ISBN-10 for Michael W. Lucas's Absolute OpenBSD
- updated links to both of these books - saves a redirect

I could send the diff for these separately if need be.

Cheers,
Raf

Index: books.html === RCS file: /cvs/www/books.html,v retrieving revision 1.114 diff -u -p -r1.114 books.html --- books.html 13 Nov 2017 06:42:06 - 1.114 +++ books.html 15 Feb 2018 05:12:48 - @@ -56,7 +56,7 @@ A No-Nonsense Guide to the OpenBSD Firew by Peter N. M. Hansteen ISBN-10: 1-59327-589-7 ISBN-13: 978-1-59327-589-1 -Copyright 2015. +October 2014, 248 pp. The first sentence of this book is "This is a book about building the network you need." Taking it from there, Peter walks you through the whys 
@@ -68,27 +68,28 @@ load balancing with "self-healing" netwo problems such as DoS attempts and spamming. A basic understanding of TCP/IP and some Unix knowledge is assumed. The official book website for a sample chapter, table of contents and errata -can be found http://www.nostarch.com/pf3;>here. +can be found https://nostarch.com/pf3;>here. -SSH Mastery +SSH Mastery, 2nd Edition +OpenSSH, PuTTY, Tunnels and Keys by Michael W. Lucas -ISBN-13: 978-1470069711 -ISBN-10: 1470069717 -February 2012, 145 pp. -OpenSSH, PuTTY, Tunnels, and Keys +ISBN-10: 1642350028 +ISBN-13: 978-1642350029 +February 2018, 242 pp. A guide to what you need to know about SSH. This book will help you eliminate passwords on your network, tunnel unencrypted protocols through secure channels, build VPNs with OpenSSH, and more. Focuses on the OpenSSH server, the OpenSSH client, and the PuTTY client. Michael W. Lucas is the author of Absolute OpenBSD and other BSD books. -The official SSH Mastery website is -https://www.michaelwlucas.com/nonfiction/ssh-mastery;>here. +The official SSH Mastery 2nd edition website is +https://www.michaelwlucas.com/tools/ssh;>here. Absolute OpenBSD. 2nd Edition! by Michael W. Lucas +ISBN-10: 1593274769 ISBN-13: 978-1-59327-476-4 April 2013, 536 pp. @@ -96,8 +97,7 @@ Michael W. Lucas brings us the long anti wildly successful book about using OpenBSD. This book covers all aspects of the OpenBSD system for new UNIX and BSD users alike. The official Absolute OpenBSD 2nd edition website is -https://www.michaelwlucas.com/nonfiction/absolute-openbsd-2nd-edition;> -here. +https://www.michaelwlucas.com/os/ao2e;>here.
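Review bot: the ISBNs added for SSH Mastery, 2nd Edition (1642350028 / 978-1642350029) and the ISBN-10 added for Absolute OpenBSD (1593274769) are written without the hyphenated grouping the neighbouring Book of PF entry uses (1-59327-589-7 / 978-1-59327-589-1); since the cover text says the ISBN swap was done for consistency with the other books, the grouping could be made consistent in the same change.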
add [-]tunneldf to allow/disallow fragmentation in tunnel protocols
sometimes you want to avoid fragmentation of the encapsulated traffic, and this gives you the option to prevent fragmentation.

the diff includes updating etherip to show how it is used, but if this goes through i'll update gre/egre, gif, and maybe vxlan.

# ifconfig etherip0
etherip0: flags=8943 mtu 1500
        lladdr fe:e1:ba:d0:d4:dd
        index 8 priority 0 llprio 3
        groups: etherip
        media: Ethernet autoselect
        status: active
        tunnel: inet 192.168.0.1 -> 192.168.1.1 nodf

if you tcpdump that traffic:

12:22:07.929427 etherip 192.168.0.1 > 192.168.1.1 ver 3 len 44: arp who-has 100.64.9.3 tell 100.64.9.1 (fe:e1:ba:d1:56:5d) [tos 0x10] [ttl 0]

# ifconfig etherip0 tunneldf
# ifconfig etherip0
etherip0: flags=8943 mtu 1500
        lladdr fe:e1:ba:d0:d4:dd
        index 8 priority 0 llprio 3
        groups: etherip
        media: Ethernet autoselect
        status: active
        tunnel: inet 192.168.0.1 -> 192.168.1.1 df

note the DF flag in tcpdump now:

12:21:11.924485 etherip 192.168.0.1 > 192.168.1.1 ver 3 len 44: arp who-has 100.64.9.2 tell 100.64.9.1 (fe:e1:ba:d1:56:5d) (DF) [tos 0x10] [ttl 0]

ok?

Index: sbin/ifconfig/ifconfig.8 === RCS file: /cvs/src/sbin/ifconfig/ifconfig.8,v retrieving revision 1.299 diff -u -p -r1.299 ifconfig.8 --- sbin/ifconfig/ifconfig.815 Feb 2018 04:21:46 - 1.299 +++ sbin/ifconfig/ifconfig.815 Feb 2018 04:22:52 - @@ -1603,6 +1603,7 @@ for a complete list of the available pro .Op Oo Fl Oc Ns Cm keepalive Ar period count .Op Oo Fl Oc Ns Cm tunnel Ar src_address dest_address .Op Cm tunneldomain Ar tableid +.Op Oo Fl Oc Ns Cm tunneldf .Op Cm tunnelttl Ar ttl .Op Oo Fl Oc Ns Cm vnetid Ar network-id .Ek 
@@ -1654,6 +1655,10 @@ interface itself. .Ar tableid can be set to any valid routing table ID; the corresponding routing domain is derived from this table. +.It Cm tunneldf +Do not allow fragmentation of encapsulated packets. +.It Cm -tunneldf +Allow fragmentation of the encapsulated packets. .It Cm tunnelttl Ar ttl Set the IP or multicast TTL of the tunnel packets. If supported by the tunnel protocol, Index: sbin/ifconfig/ifconfig.c === RCS file: /cvs/src/sbin/ifconfig/ifconfig.c,v retrieving revision 1.357 diff -u -p -r1.357 ifconfig.c --- sbin/ifconfig/ifconfig.c10 Feb 2018 05:55:26 - 1.357 +++ sbin/ifconfig/ifconfig.c15 Feb 2018 04:22:52 - @@ -252,6 +252,8 @@ voidsetpfsync_syncpeer(const char *, in void unsetpfsync_syncpeer(const char *, int); void setpfsync_defer(const char *, int); void pfsync_status(void); +void settunneldf(const char *, int); +void settunnelnodf(const char *, int); void setpppoe_dev(const char *,int); void setpppoe_svc(const char *,int); void setpppoe_ac(const char *,int); @@ -434,6 +436,8 @@ const structcmd { { "deletetunnel", 0, 0, deletetunnel }, { "tunneldomain", NEXTARG, 0, settunnelinst }, { "tunnelttl", NEXTARG,0, settunnelttl }, + { "tunneldf", 0, 0, settunneldf }, + { "-tunneldf", 0, 0, settunnelnodf }, { "pppoedev", NEXTARG,0, setpppoe_dev }, { "pppoesvc", NEXTARG,0, setpppoe_svc }, { "-pppoesvc", 1, 0, setpppoe_svc }, @@ -2750,6 +2754,10 @@ phys_status(int force) else if (ifr.ifr_ttl > 0) printf(" ttl %d", ifr.ifr_ttl); } + + if (ioctl(s, SIOCGLIFPHYDF, (caddr_t)) == 0) + printf(" %s", ifr.ifr_df ? "df" : "nodf"); + #ifndef SMALL if (ioctl(s, SIOCGLIFPHYRTABLE, (caddr_t)) == 0 && (rdomainid != 0 || ifr.ifr_rdomainid != 0)) 
@@ -3283,6 +3291,24 @@ settunnelttl(const char *id, int param) ifr.ifr_ttl = ttl; if (ioctl(s, SIOCSLIFPHYTTL, (caddr_t)) < 0) warn("SIOCSLIFPHYTTL"); +} + +void +settunneldf(const char *ignored, int alsoignored) +{ + strlcpy(ifr.ifr_name, name, sizeof(ifr.ifr_name)); + ifr.ifr_df = 1; + if (ioctl(s, SIOCSLIFPHYDF, (caddr_t)) < 0) + warn("SIOCSLIFPHYDF"); +} + +void +settunnelnodf(const char *ignored, int alsoignored) +{ + strlcpy(ifr.ifr_name, name, sizeof(ifr.ifr_name)); + ifr.ifr_df = 0; + if (ioctl(s, SIOCSLIFPHYDF, (caddr_t)) < 0) + warn("SIOCSLIFPHYDF"); } void Index: sys/net/if.c === RCS file: /cvs/src/sys/net/if.c,v retrieving revision 1.544 diff -u -p -r1.544 if.c --- sys/net/if.c10 Feb 2018 09:32:54 - 1.544 +++ sys/net/if.c15 Feb 2018 04:22:52 - @@
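Review bot: in the ifconfig.8 hunk, the new tunneldf text says fragmentation is not allowed but not what then happens to an encapsulated packet larger than the path MTU, nor which of df/nodf a freshly created tunnel starts in (the etherip example in the cover text starts in nodf); a sentence on each would save the reader a trip into the driver.

Review bot: in the ifconfig.c hunk adding settunneldf() and settunnelnodf(), the two functions differ only in the value stored in ifr.ifr_df, and the cmd table already carries a per-entry parameter (the adjacent `{ "-pppoesvc", 1, 0, setpppoe_svc }` uses it); one function registered as `{ "tunneldf", 0, 0, settunneldf }` and `{ "-tunneldf", 1, 0, settunneldf }` that sets `ifr.ifr_df = param ? 0 : 1` would avoid duplicating the strlcpy/ioctl/warn block.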
Re: use the link0 flag on gre(4) interfaces to allow WCCP
On Thu, Feb 15, 2018 at 01:00:53PM +1000, David Gwynne wrote: > the subject says it all. this also tweaks the wccp code to sneak a > look inside the payload to see if it is ipv4 or not. the wccp > protocol specifies values for the bits that overlap the ipv4 version > nibble that cannot be set to 4, so if it isn't 4 we can assume it is > the wccp header. > > in the future i would like to deprecate the sysctl. > > ok? Aren't LINK* flags something to be replaced not added? ie, gre used to use LINK0 to pick between gre/mobileip until: revision 1.80 date: 2016/08/31 15:00:02; author: reyk; state: Exp; lines: +15 -7; commitid: 7HICEJ2aTYkrMgNF; Split gre(4) into two interfaces: gre(4) and mobileip(4). Like vlan/svlan and tun/tap, it remains a single driver that decides on the mode based on the interface name. This removes the need for removing the default link0 flag to turn gre into Mobile IP mode. Using linkX / IFF_LINK{0,1,2} for interface modes is a deprecated style. OK millert@ dlg@ many Not much consensus on the name but mobileip is also used for the sysctls, so OK henning@ > > Index: sys/net/if_gre.c > === > RCS file: /cvs/src/sys/net/if_gre.c,v > retrieving revision 1.101 > diff -u -p -r1.101 if_gre.c > --- sys/net/if_gre.c 15 Feb 2018 01:03:17 - 1.101 > +++ sys/net/if_gre.c 15 Feb 2018 02:55:33 - > @@ -563,8 +563,13 @@ gre_input_key(struct mbuf **mp, int *off > if (sc == NULL) > goto decline; > > + ifp = >sc_if; > + > switch (gh->gre_proto) { > - case htons(GRE_WCCP): > + case htons(GRE_WCCP): { > + struct mbuf *n; > + int off; > + > /* WCCP/GRE: >* So far as I can see (and test) it seems that Cisco's WCCP >* GRE tunnel is precisely a IP-in-GRE tunnel that differs 
> @@ -574,22 +579,23 @@ gre_input_key(struct mbuf **mp, int *off >* the following: >* draft-forster-wrec-wccp-v1-00.txt >* draft-wilson-wrec-wccp-v2-01.txt > - * > - * So yes, we're doing a fall-through (unless, of course, > - * net.inet.gre.wccp is 0). >*/ > - switch (gre_wccp) { > - case 1: > - break; > - case 2: > - hlen += sizeof(gre_wccp); > - break; > - case 0: > - default: > + > + if (!gre_wccp && !ISSET(ifp->if_flags, IFF_LINK0)) > goto decline; > - } > + > + /* > + * If the first nibble of the payload does not look like > + * IPv4, assume it is WCCP v2. > + */ > + n = m_getptr(m, hlen, ); > + if (n == NULL) > + goto decline; > + if (n->m_data[off] >> 4 != IPVERSION) > + hlen += sizeof(gre_wccp); > > /* FALLTHROUGH */ > + } > case htons(ETHERTYPE_IP): > #if NBPFILTER > 0 > bpf_af = AF_INET; > @@ -628,8 +634,6 @@ gre_input_key(struct mbuf **mp, int *off > default: > goto decline; > } > - > - ifp = >sc_if; > > m_adj(m, hlen); > > Index: share/man/man4/gre.4 > === > RCS file: /cvs/src/share/man/man4/gre.4,v > retrieving revision 1.54 > diff -u -p -r1.54 gre.4 > --- share/man/man4/gre.4 15 Feb 2018 02:09:21 - 1.54 > +++ share/man/man4/gre.4 15 Feb 2018 02:55:33 - > @@ -112,6 +112,10 @@ virtual network idenfitier. > .Nm gre > optionally supports sending keepalive packets to the remote endpoint, > which allows tunnel failure to be detected. > +.Nm gre > +interfaces can be individually configured to receive WCCP packets by > +setting the link-level flag > +.Cm link0 . > .Sh EXAMPLES > .Nm gre > Configuration example: >
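Review bot: in the quoted WCCP hunk, `n->m_data[off] >> 4 != IPVERSION` shifts a plain char; m_data is a caddr_t, so on platforms where char is signed a payload byte with the high bit set is right-shifted as a negative value. The comparison still yields "not IPv4", so the branch taken is the right one, but copying the byte into a uint8_t first, as the earlier "deprecate sysctl" diff in this thread does (`v = n->m_data[off]; if (v >> 4 != IPVERSION)`), makes the intent explicit and avoids the implementation-defined shift.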
use the link0 flag on gre(4) interfaces to allow WCCP
the subject says it all. this also tweaks the wccp code to sneak a look inside the payload to see if it is ipv4 or not. the wccp protocol specifies values for the bits that overlap the ipv4 version nibble that cannot be set to 4, so if it isn't 4 we can assume it is the wccp header. in the future i would like to deprecate the sysctl. ok? Index: sys/net/if_gre.c === RCS file: /cvs/src/sys/net/if_gre.c,v retrieving revision 1.101 diff -u -p -r1.101 if_gre.c --- sys/net/if_gre.c15 Feb 2018 01:03:17 - 1.101 +++ sys/net/if_gre.c15 Feb 2018 02:55:33 - @@ -563,8 +563,13 @@ gre_input_key(struct mbuf **mp, int *off if (sc == NULL) goto decline; + ifp = >sc_if; + switch (gh->gre_proto) { - case htons(GRE_WCCP): + case htons(GRE_WCCP): { + struct mbuf *n; + int off; + /* WCCP/GRE: * So far as I can see (and test) it seems that Cisco's WCCP * GRE tunnel is precisely a IP-in-GRE tunnel that differs @@ -574,22 +579,23 @@ gre_input_key(struct mbuf **mp, int *off * the following: * draft-forster-wrec-wccp-v1-00.txt * draft-wilson-wrec-wccp-v2-01.txt -* -* So yes, we're doing a fall-through (unless, of course, -* net.inet.gre.wccp is 0). */ - switch (gre_wccp) { - case 1: - break; - case 2: - hlen += sizeof(gre_wccp); - break; - case 0: - default: + + if (!gre_wccp && !ISSET(ifp->if_flags, IFF_LINK0)) goto decline; - } + + /* +* If the first nibble of the payload does not look like +* IPv4, assume it is WCCP v2. +*/ + n = m_getptr(m, hlen, ); + if (n == NULL) + goto decline; + if (n->m_data[off] >> 4 != IPVERSION) + hlen += sizeof(gre_wccp); /* FALLTHROUGH */ + } case htons(ETHERTYPE_IP): #if NBPFILTER > 0 bpf_af = AF_INET; @@ -628,8 +634,6 @@ gre_input_key(struct mbuf **mp, int *off default: goto decline; } - - ifp = >sc_if; m_adj(m, hlen); Index: share/man/man4/gre.4 === RCS file: /cvs/src/share/man/man4/gre.4,v retrieving revision 1.54 diff -u -p -r1.54 gre.4 --- share/man/man4/gre.415 Feb 2018 02:09:21 - 1.54 +++ share/man/man4/gre.415 Feb 2018 02:55:33 - 
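Review bot: in the WCCP hunk, after `hlen += sizeof(gre_wccp)` no further length check is visible before the code falls through to the ETHERTYPE_IP case and reaches `m_adj(m, hlen)`; m_getptr(m, hlen, &off) only proves that one byte exists at the old hlen, so a frame consisting of just a GRE header and a WCCP redirect header arrives at the inner-IP handling with nothing behind it. Worth confirming that the per-protocol input path re-checks m_pkthdr.len against the grown hlen before it dereferences the inner header, or adding that check here.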
@@ -112,6 +112,10 @@ virtual network idenfitier. .Nm gre optionally supports sending keepalive packets to the remote endpoint, which allows tunnel failure to be detected. +.Nm gre +interfaces can be individually configured to receive WCCP packets by +setting the link-level flag +.Cm link0 . .Sh EXAMPLES .Nm gre Configuration example:
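Review bot: the gre.4 hunk's context line reads "virtual network idenfitier"; since the page is being edited anyway, fixing that to "identifier" in the same diff is cheap. The new paragraph also says link0 enables receiving WCCP packets but not that net.inet.gre.wccp still enables it for every interface (the code keeps `!gre_wccp && !ISSET(ifp->if_flags, IFF_LINK0)`), so a reader may be surprised when WCCP works on an interface without link0 set.

The nibble test at the heart of this change, as an added example rather than code from if_gre.c: the same heuristic written over a flat byte buffer instead of an mbuf chain, with the byte copied into a uint8_t before the shift and the length re-checked after the header length grows. The 4-byte WCCPv2 redirect header length, the 24-byte outer header (20-byte IPv4 plus 4-byte GRE) and the sample frames are assumptions constructed for this example, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPVERSION	4
#define OUTER_HLEN	24	/* 20-byte outer IPv4 header + 4-byte GRE header (assumed) */
#define WCCP_REDIR_HLEN	4	/* WCCPv2 redirect header (assumed; kernel uses sizeof(gre_wccp)) */
#define IPV4_MIN_HLEN	20

/*
 * Added example, not OpenBSD code. Decide where the inner IPv4 packet
 * starts in a GRE frame whose protocol field says WCCP: if the first
 * payload nibble is not the IPv4 version, a redirect header precedes it.
 * Returns 0 and stores the offset in *inner, or -1 if the frame is too
 * short to be looked at safely.
 */
int
gre_wccp_inner_offset(const uint8_t *pkt, size_t len, size_t hlen,
    size_t *inner)
{
	size_t off = hlen;
	uint8_t v;

	if (len <= hlen)		/* need at least one byte to inspect */
		return -1;

	/* uint8_t: a plain char may be signed, and we shift the high nibble */
	v = pkt[hlen];
	if ((v >> 4) != IPVERSION)	/* WCCP header bits never encode 4 here */
		off += WCCP_REDIR_HLEN;

	if (len < off + IPV4_MIN_HLEN)	/* re-check now that hlen may have grown */
		return -1;

	*inner = off;
	return 0;
}

/* Constructed frame: outer IPv4 + GRE(proto 0x883e), optional WCCP
 * redirect header whose first byte is 0x00, then an inner IPv4 header. */
size_t
build_frame(uint8_t *buf, size_t cap, int with_wccp)
{
	static const uint8_t outer_ip[20] = { 0x45, 0x00, 0x00, 0x30 };
	static const uint8_t gre[4] = { 0x00, 0x00, 0x88, 0x3e };
	static const uint8_t wccp[4] = { 0x00, 0x00, 0x00, 0x00 };
	static const uint8_t inner_ip[20] = { 0x45, 0x00, 0x00, 0x14 };
	size_t n = 0;

	if (cap < 48)
		return 0;
	memcpy(buf + n, outer_ip, sizeof(outer_ip)); n += sizeof(outer_ip);
	memcpy(buf + n, gre, sizeof(gre)); n += sizeof(gre);
	if (with_wccp) {
		memcpy(buf + n, wccp, sizeof(wccp)); n += sizeof(wccp);
	}
	memcpy(buf + n, inner_ip, sizeof(inner_ip)); n += sizeof(inner_ip);
	return n;
}

/* Run the check on a constructed frame, optionally truncated to
 * truncate_to bytes; returns the inner offset or -1. */
long
demo_inner_offset(int with_wccp, size_t truncate_to)
{
	uint8_t buf[64];
	size_t len, inner;

	len = build_frame(buf, sizeof(buf), with_wccp);
	if (truncate_to != 0 && truncate_to < len)
		len = truncate_to;
	if (gre_wccp_inner_offset(buf, len, OUTER_HLEN, &inner) == -1)
		return -1;
	return (long)inner;
}

int
main(void)
{
	printf("plain IP-in-GRE: inner at %ld\n", demo_inner_offset(0, 0));
	printf("WCCP redirect:   inner at %ld\n", demo_inner_offset(1, 0));
	printf("truncated WCCP:  %ld\n", demo_inner_offset(1, 28));
	return 0;
}
```

The second length check is the part the kernel hunk does not show: once the offset grows by the redirect header, the frame has to be re-validated against the new offset before anything behind it is touched.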
Re: deprecate sysctl net.inet.{etherip,gre,mobileip}.allow
> On 14 Feb 2018, at 20:03, Stuart Henderson wrote:
>
> On 2018/02/14 18:05, David Gwynne wrote:
>> i dont understand the usefulness of the sysctls to turn etherip,
>> gre, and mobileip handling on. if you arent going to handle etherip,
>> gre, or mobileip, just dont create interfaces to handle them.
>>
>> for now, this dummies up handling of the sysctls by letting userland
>> read that theyre allowed, but allow is readonly.
>
> The etherip one is really "allow unprotected etherip" to give a foolproof
> way of ensuring it only works over ipsec by default. (otherwise you need
> to know about if-bound states in pf).

grumble grumble. I'd argue there are similar concerns for traffic over vxlan, tun, and tap, but they lack a magic sysctl.

ipsec.conf includes a "PACKET FILTERING" section that discusses this for ipencap, we could point etherip.4 at that or move this kind of thing into the pf.conf manpage.

another interesting idea would be to have tunnel interfaces take a "tagged" configuration option that would allow them to check that their encapsulated traffic has been tagged by some other subsystem, like ipsec or pf.

dlg
mpath cloning routes and cloned routes
Hi,

If we delete cloning routes, we also delete their cloned routes. This doesn't make sense if we delete a multipath cloning route and may result in broken gateway routes:

# netstat -rn | grep 192.168.178
default          192.168.178.1      UGS     5    4939   -   12 iwn0
192.168.178/24   192.168.178.52     UCPn    1      51   -    8 iwn0
192.168.178/24   192.168.178.53     UCPn    0       0   -    8 iwn0
192.168.178.1    34:31:c4:24:83:d4  UHLch   1     118   -    7 iwn0
192.168.178.52   a4:4e:31:38:70:7c  UHLl    0    3749   -    1 iwn0
192.168.178.53   a4:4e:31:38:70:7c  UHLl    0       0   -    1 iwn0
192.168.178.255  192.168.178.52     UHPb    0       0   -    1 iwn0
192.168.178.255  192.168.178.53     UHPb    0       0   -    1 iwn0

As you can see above, iwn0 has 192.168.178.52/24 and 192.168.178.53/24 assigned and therefore we have 2 mpath cloning routes (P). There is a cloned route to 192.168.178.1 with RTF_CACHED (h) to reach the default gateway.

# ifconfig iwn0 inet 192.168.178.53 delete
# netstat -rn | grep 192.168.178
default          192.168.178.1      UGS     5    4955   -   12 iwn0
192.168.178/24   192.168.178.52     UCn     0      51   -    8 iwn0
192.168.178.52   a4:4e:31:38:70:7c  UHLl    0    3754   -    1 iwn0
192.168.178.255  192.168.178.52     UHb     0       0   -    1 iwn0

Now 192.168.178.53/24 was deleted, therefore the cloned route to the gateway (192.168.178.1) is also gone and the default route is 'broken':

# ping 8.8.8.8
# dmesg | tail
arpresolve: 192.168.178.1: route contains no arp information
arpresolve: 192.168.178.1: route contains no arp information
arpresolve: 192.168.178.1: route contains no arp information
arpresolve: 192.168.178.1: route contains no arp information

I think there is no need to delete cloned routes as long as we don't delete the last cloning route to a network.

ok?

friehm

Index: sys/net/route.c === RCS file: /home/friehm/repos/openbsd-cvs/cvs/src/sys/net/route.c,v retrieving revision 1.371 diff -u -p -r1.371 route.c --- sys/net/route.c 10 Feb 2018 09:17:56 - 1.371 +++ sys/net/route.c 14 Feb 2018 09:37:29 - 
@@ -781,7 +781,7 @@ rtrequest_delete(struct rt_addrinfo *inf rt_putgwroute(rt); /* Clean up any cloned children. */ - if (ISSET(rt->rt_flags, RTF_CLONING)) + if (ISSET(rt->rt_flags, RTF_CLONING) && !ISSET(rt->rt_flags, RTF_MPATH)) rtflushclone(tableid, rt); rtfree(rt->rt_parent);
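Review bot: the new condition skips rtflushclone() for every RTF_MPATH cloning route, including the last one left for a prefix, while the cover text only asks to keep the children "as long as we don't delete the last cloning route"; when the last multipath cloning route for 192.168.178/24 is removed, its cloned children (the UHLch/UHLl entries above) stay behind with rt_parent pointing at a route that is no longer in the table. The check should also establish that another multipath cloning route for the same destination remains before it decides not to flush.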
hostapd: account for subseconds when checking rule rates
Hi,

You need to account for subsecond differences when evaluating a rule rate, otherwise you'll reset f_rate_cnt prematurely in some cases. e.g.:

t_now = { .tv_sec = 100, .tv_usec = 25 };
frame->f_last = { .tv_sec = 99, .tv_usec = 75 };
frame->f_rate_intval = 1;

/* true */
t_now.tv_sec - frame->f_last.tv_sec >= frame->f_rate_intval

/* and yet ... */
struct timeval t_diff;
timersub(&t_now, &frame->f_last, &t_diff);

/* also true */
t_diff.tv_sec < frame->f_rate_intval

ok?

-- Scott Cheloha

Index: usr.sbin/hostapd/handle.c === RCS file: /cvs/src/usr.sbin/hostapd/handle.c,v retrieving revision 1.12 diff -u -p -r1.12 handle.c --- usr.sbin/hostapd/handle.c 16 Jan 2015 06:40:17 - 1.12 +++ usr.sbin/hostapd/handle.c 14 Feb 2018 19:34:49 - @@ -114,7 +114,7 @@ hostapd_handle_frame(struct hostapd_apme struct hostapd_ieee80211_frame *mh; struct hostapd_radiotap rtap; u_int8_t *wfrom, *wto, *wbssid; - struct timeval t_now; + struct timeval t_diff, t_now; u_int32_t flags; int offset, min_rate = 0, val; @@ -247,7 +247,8 @@ hostapd_handle_frame(struct hostapd_apme /* Handle optional minimal rate */ if (frame->f_rate && frame->f_rate_intval) { - frame->f_rate_delay = t_now.tv_sec - frame->f_last.tv_sec; + timersub(_now, >f_last, _diff); + frame->f_rate_delay = t_diff.tv_sec; if (frame->f_rate_delay < frame->f_rate_intval) { frame->f_rate_cnt++; if (frame->f_rate_cnt < frame->f_rate)
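Review bot: timersub() is only meaningful for t_now >= frame->f_last; if t_now comes from a clock that can step backwards, t_diff.tv_sec goes negative and `frame->f_rate_delay < frame->f_rate_intval` then treats the frame as inside the interval. With f_rate_delay still holding whole seconds the comparison itself is right; if t_now is wall-clock time, taking it from a monotonic clock (clock_gettime(CLOCK_MONOTONIC)) would close that remaining gap.

The premature-reset case described in the mail, as an added example (not hostapd code): a small model of the rule-rate counter fed a constructed burst of four frames inside 0.99995 s against a rule of three frames per second. The struct mirrors the field names in the patch; that f_last marks the start of the current interval and that the counter is compared with `>` are assumptions of this model, since handle.c is not shown on the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/time.h>
#include <time.h>

#ifndef timersub	/* BSD/glibc macro; fallback for strict-ANSI builds */
#define timersub(a, b, res) do {					\
	(res)->tv_sec = (a)->tv_sec - (b)->tv_sec;			\
	(res)->tv_usec = (a)->tv_usec - (b)->tv_usec;			\
	if ((res)->tv_usec < 0) {					\
		(res)->tv_sec--;					\
		(res)->tv_usec += 1000000;				\
	}								\
} while (0)
#endif

/* Added example, not hostapd code: per-rule rate state (assumed layout). */
struct rate_rule {
	struct timeval	f_last;		/* start of the current interval (assumed) */
	time_t		f_rate_intval;	/* interval length, seconds */
	int		f_rate;		/* frames allowed per interval */
	int		f_rate_cnt;	/* frames seen in the current interval */
};

/* Account one frame seen at *now. Returns 1 if it exceeds the rule rate. */
int
rate_check(struct rate_rule *r, const struct timeval *now, bool subseconds)
{
	time_t delay;

	if (subseconds) {
		struct timeval diff;

		timersub(now, &r->f_last, &diff);	/* patched behaviour */
		delay = diff.tv_sec;
	} else {
		delay = now->tv_sec - r->f_last.tv_sec;	/* old behaviour */
	}

	if (delay < r->f_rate_intval) {
		r->f_rate_cnt++;
		return r->f_rate_cnt > r->f_rate;
	}
	/* interval elapsed: start a new one at this frame */
	r->f_last = *now;
	r->f_rate_cnt = 1;
	return 0;
}

/* Constructed burst (not captured data): four frames within 0.99995 s,
 * rule: at most three per second. Returns how many frames were flagged. */
int
count_flagged(bool subseconds)
{
	const struct timeval frames[] = {
		{ 99, 75 }, { 99, 500000 }, { 99, 900000 }, { 100, 25 },
	};
	struct rate_rule r = { .f_last = frames[0], .f_rate_intval = 1,
	    .f_rate = 3, .f_rate_cnt = 1 };
	int flagged = 0;
	size_t i;

	for (i = 1; i < sizeof(frames) / sizeof(frames[0]); i++)
		flagged += rate_check(&r, &frames[i], subseconds);
	return flagged;
}

int
main(void)
{
	printf("whole seconds only: %d frame(s) flagged\n", count_flagged(false));
	printf("timersub():         %d frame(s) flagged\n", count_flagged(true));
	return 0;
}
```

With the old subtraction the fourth frame at 100.000025 s looks a full second away from 99.000075 s, the counter is reset, and the burst passes; with timersub() the difference is 0 whole seconds and the fourth frame is correctly flagged.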
sleep(1): cleanup and style(9)
Roughly top to bottom:

- Sort includes alphabetically
- Ditch __progname for getprogname(3)
- Sort prototypes alphabetically
- usage() is __dead
- Sort stack variables by size (?), then alphabetically (?)
  * I have no idea if I did this right, but it looks cleaner than before.
  * Don't sizes vary by architecture? At least for pointers?
  * Alphabetically by type name and then by variable name? Some other scheme? style(9) seems to contradict itself here in the example.
- rqtp -> timeout, to match nanosleep(2) manpage
- t -> tsecs, more obvious
- Don't initialize variables in the declaration block
- Brace the getopt switch statement
- Use for loops in lieu of while loops to initialize and iterate cp
  * I don't think it clarifies things in the first nanosecond loop, so that's unchanged
- Check explicitly for -1 on nanosleep's return
- No need to (void) the fprintf in usage()
- POSIX.2 was consolidated into POSIX.1 after 1997
- sleep(1) *may* exit 0 when it gets a SIGALRM: it's allowed to do other things, too
- No more lint: drop ARGSUSED
- _exit(2)ing from a signal handler is (now) a well-known practice, no need to explain

ok?

-- Scott Cheloha

Index: bin/sleep/sleep.c === RCS file: /cvs/src/bin/sleep/sleep.c,v retrieving revision 1.26 diff -u -p -r1.26 sleep.c --- bin/sleep/sleep.c 4 Feb 2018 02:18:15 - 1.26 +++ bin/sleep/sleep.c 14 Feb 2018 17:12:52 - 
@@ -31,52 +31,51 @@ */ #include +#include #include #include #include #include #include -#include -extern char *__progname; - -void usage(void); void alarmh(int); +void __dead usage(void); int main(int argc, char *argv[]) { - int ch; - time_t secs = 0, t; + struct timespec timeout; + time_t secs, tsecs; + long nsecs; char *cp; - long nsecs = 0; - struct timespec rqtp; - int i; + int ch, i; + + secs = nsecs = 0; if (pledge("stdio", NULL) == -1) err(1, "pledge"); signal(SIGALRM, alarmh); - while ((ch = getopt(argc, argv, "")) != -1) + while ((ch = getopt(argc, argv, "")) != -1) { switch(ch) { default: usage(); } + } argc -= optind; argv += optind; if (argc != 1) usage(); - cp = *argv; - while ((*cp != '\0') && (*cp != '.')) { + for (cp = *argv; *cp != '\0' && *cp != '.'; cp++) { if (!isdigit((unsigned char)*cp)) errx(1, "seconds is invalid: %s", *argv); - t = (secs * 10) + (*cp++ - '0'); - if (t / 10 != secs) /* oflow */ + tsecs = (secs * 10) + (*cp - '0'); + if (tsecs / 10 != secs) /* overflow */ errx(1, "seconds is too large: %s", *argv); - secs = t; + secs = tsecs; } /* Handle fractions of a second */ @@ -95,8 +94,8 @@ main(int argc, char *argv[]) * in the above for loop. Be pedantic about * checking the rest of the argument. */ - while (*cp != '\0') { - if (!isdigit((unsigned char)*cp++)) + for (; *cp != '\0'; cp++) { + if (!isdigit((unsigned char)*cp)) errx(1, "seconds is invalid: %s", *argv); } } 
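Review bot: the prototype is spelled `void __dead usage(void);` and the definition `void __dead usage(void)`; the usual form in the tree is `__dead void usage(void);` with the attribute before the return type. Both compile, but since the commit is a style pass it should use the spelling the rest of bin/ uses.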
@@ -108,38 +107,32 @@ main(int argc, char *argv[]) * calls if we have more than that. */ if (secs > 1) { - rqtp.tv_sec = 1; - rqtp.tv_nsec = 0; + timeout.tv_sec = 1; + timeout.tv_nsec = 0; } else { - rqtp.tv_sec = secs; - rqtp.tv_nsec = nsecs; + timeout.tv_sec = secs; + timeout.tv_nsec = nsecs; } - if (nanosleep(, NULL)) - err(1, NULL); - secs -= rqtp.tv_sec; - nsecs -= rqtp.tv_nsec; + if (nanosleep(, NULL) == -1) + err(1, "nanosleep"); + secs -= timeout.tv_sec; + nsecs -= timeout.tv_nsec; } return (0); } -void +void __dead usage(void) { - (void)fprintf(stderr, "usage: %s seconds\n", __progname); + fprintf(stderr, "usage: %s seconds\n", getprogname()); exit(1); } /* - * POSIX 1003.2 says sleep should exit with 0 return code on reception - * of SIGALRM. + * POSIX.1 says sleep may exit with status 0 upon receipt of SIGALRM. */ -/* ARGSUSED */ void alarmh(int signo) { - /* -* exit() flushes stdio buffers, which
left shift of negative (-1 << ...)
Hi, Please apply the following or a variation, thanks. diff --git a/sys/arch/amd64/amd64/identcpu.c b/sys/arch/amd64/amd64/identcpu.c index 046fde685..6f4feff84 100644 --- a/sys/arch/amd64/amd64/identcpu.c +++ b/sys/arch/amd64/amd64/identcpu.c @@ -804,7 +804,7 @@ cpu_topology(struct cpu_info *ci) core_mask ^= smt_mask; /* Pkg */ pkg_bits = core_bits + smt_bits; - pkg_mask = -1 << core_bits; + pkg_mask = ~0U << core_bits; ci->ci_smt_id = apicid & smt_mask; ci->ci_core_id = (apicid & core_mask) >> smt_bits; diff --git a/sys/arch/hppa/hppa/db_disasm.c b/sys/arch/hppa/hppa/db_disasm.c index 071f91235..51c4d641d 100644 --- a/sys/arch/hppa/hppa/db_disasm.c +++ b/sys/arch/hppa/hppa/db_disasm.c @@ -867,11 +867,11 @@ struct majoropcode { #defineIm11(i) (Im11S(i) ? Im11M(i) | (-1<<10) : Im11M(i)) #defineBdisp(i)((OffS(i) ? (Off5(i)<<11 | Off11L(i)<<10|Off11H(i)) \ -/* branch displacement (bytes) */ | (-1 << 16)\ +/* branch displacement (bytes) */ | (~0U << 16) \ : (Off5(i)<<11|Off11L(i)<<10|Off11H(i))) << 2) #defineCbdisp(i) ((OffS(i) ? (Off11L(i) << 10 | Off11H(i)) \ - /* compare/branch disp (bytes) */ | (-1 << 11)\ + /* compare/branch disp (bytes) */ | (~0U << 11) \ :Off11L(i) << 10 | Off11H(i)) << 2) #defineSr(i) (SrH(i)<<2 | SrL(i)) diff --git a/sys/net/pf_table.c b/sys/net/pf_table.c index bc93e8709..440759ee9 100644 --- a/sys/net/pf_table.c +++ b/sys/net/pf_table.c @@ -1028,7 +1028,7 @@ pfr_prepare_network(union sockaddr_union *sa, int af, int net) case AF_INET: sa->sin.sin_len = sizeof(sa->sin); sa->sin.sin_family = AF_INET; - sa->sin.sin_addr.s_addr = net ? htonl(-1 << (32-net)) : 0; + sa->sin.sin_addr.s_addr = net ? htonl(~0U << (32-net)) : 0; break; #ifdef INET6 case AF_INET6: @@ -1037,7 +1037,7 @@ pfr_prepare_network(union sockaddr_union *sa, int af, int net) for (i = 0; i < 4; i++) { if (net <= 32) { sa->sin6.sin6_addr.s6_addr32[i] = - net ? htonl(-1 << (32-net)) : 0; + net ? htonl(~0U << (32-net)) : 0; break; } sa->sin6.sin6_addr.s6_addr32[i] = 0x;
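Review bot: the hppa hunk leaves `(-1<<10)` in the Im11 macro on the context line just above Bdisp, so one of the three shifts in that block keeps the undefined behaviour the diff is removing. Replacing `-1 << 16` and `-1 << 11` with `~0U << 16` and `~0U << 11` also changes the type of the Bdisp/Cbdisp results to unsigned int: the sign-extended bit pattern is the same, but any caller that uses the macro in a signed comparison or adds it to a signed address now needs a cast back to int to keep its meaning.

Review bot: in the pf_table.c hunks, `~0U << (32-net)` is still undefined when net is 0 (a shift by the full 32-bit width); the `net ? ... : 0` ternary guards that in both branches, and the AF_INET6 loop only reaches the shift with net <= 32, so this is fine provided net is validated to be within 0..32 for AF_INET before pfr_prepare_network() is called.

The portable replacements for the three "-1 << n" idioms the patch touches, as an added example rather than kernel code: the IPv4 and IPv6 prefix-mask construction pfr_prepare_network() needs, and a sign-extension helper doing the job the hppa disassembler macros do with `| (-1 << 10)`. Function names and the host-order output are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not OpenBSD code. A left shift of a negative int is
 * undefined in C, and a shift by the full width (32) is undefined even
 * for unsigned operands, so every shift below is guarded.
 */

/* Host-order IPv4 netmask for a prefix length 0..32. */
uint32_t
prefix_mask32(int net)
{
	if (net <= 0)
		return 0;
	if (net >= 32)
		return 0xffffffffU;
	return ~0U << (32 - net);	/* unsigned operand, shift count 1..31 */
}

/* The four host-order words of an IPv6 mask, same loop shape as the
 * AF_INET6 branch in the patch. */
void
prefix_mask128(int net, uint32_t w[4])
{
	int i;

	for (i = 0; i < 4; i++) {
		if (net <= 32) {
			w[i] = prefix_mask32(net);
			net = 0;		/* remaining words are all zero */
		} else {
			w[i] = 0xffffffffU;
			net -= 32;
		}
	}
}

/* Convenience accessor for one word of the IPv6 mask. */
uint32_t
prefix_mask128_word(int net, int i)
{
	uint32_t w[4];

	prefix_mask128(net, w);
	return w[i];
}

/* Sign-extend the low 'bits' (1..32) bits of v. Uses unsigned arithmetic
 * and one subtraction, so no negative value is ever shifted; this is what
 * the Im11/Bdisp/Cbdisp macros achieve with "| (-1 << n)". */
int32_t
sign_extend(uint32_t v, int bits)
{
	uint32_t m = 1U << (bits - 1);	/* sign bit of the field */

	v &= (bits >= 32) ? 0xffffffffU : ((1U << bits) - 1);
	return (int32_t)((v ^ m) - m);	/* wraps to the negative value */
}

int
main(void)
{
	printf("/24 mask:      0x%08x\n", prefix_mask32(24));
	printf("/33 word 1:    0x%08x\n", prefix_mask128_word(33, 1));
	printf("11-bit 0x7ff:  %d\n", sign_extend(0x7ff, 11));
	printf("11-bit 0x400:  %d\n", sign_extend(0x400, 11));
	return 0;
}
```

The same guarded form applies to `pkg_mask = ~0U << core_bits` in identcpu.c: it is only defined while core_bits stays below the width of unsigned int.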
patch: file(1) imsg_compose receives -1 cast to uint32_t
as shown in patch imsg_compose receives -1 as type and peerid argument to imsg_compose, according to imsg_compose definition:

int imsg_compose(struct imsgbuf *ibuf, uint32_t type, uint32_t peerid, pid_t pid, int fd, const void *data, uint16_t datalen);

So 4294967295 is used as special value when maybe 0 should be used?

regress ok on amd64, patch inline and attached in case of mangling

Index: file.c === RCS file: /cvs/src/usr.bin/file/file.c,v retrieving revision 1.66 diff -u -p -r1.66 file.c --- file.c 15 Jan 2018 19:45:51 - 1.66 +++ file.c 14 Feb 2018 16:02:46 - @@ -280,7 +280,7 @@ prepare_message(struct input_msg *msg, i static void send_message(struct imsgbuf *ibuf, void *msg, size_t msglen, int fd) { - if (imsg_compose(ibuf, -1, -1, 0, fd, msg, msglen) != 1) + if (imsg_compose(ibuf, 0, 0, 0, fd, msg, msglen) != 1) err(1, "imsg_compose"); if (imsg_flush(ibuf) != 0) err(1, "imsg_flush");
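Review bot: the old call passed -1 for both type and peerid, which imsg_compose() stores as UINT32_MAX in the header; switching to 0 changes what the receiving process sees in imsg.hdr.type and imsg.hdr.peerid, so whichever side of file(1) reads those fields (not shown in this hunk) must not be keyed on the old value. A named constant for the message type would document the intent better than a bare 0.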
patch: imsg_init.3 fixes
Match description arguments with synopsis arguments, and fix style of one function argument description typeset as .Fn instead of .Fa

Also, .Sh DESCRIPTION differs from .Sh BUFFERS in that description functions refer (.Fa) to argument types but in BUFFERS functions refer (.Fa) to argument names, and confuses me now that I'm trying to learn about imsg, a patch for that would be ok?

patch inline and attached in case of mangling. thanks

Index: imsg_init.3 === RCS file: /cvs/src/lib/libutil/imsg_init.3,v retrieving revision 1.20 diff -u -p -r1.20 imsg_init.3 --- imsg_init.3 6 Dec 2017 12:07:08 - 1.20 +++ imsg_init.3 14 Feb 2018 14:42:26 - @@ -181,17 +181,17 @@ returns a pointer to a new message if it .Pp .Fn imsg_add appends to -.Fa imsg -.Fa len +.Fa ibuf +.Fa datalen bytes of ancillary data pointed to by -.Fa buf . +.Fa data . It returns .Fa len if it succeeds, \-1 otherwise. .Pp .Fn imsg_close completes creation of -.Fa imsg +.Fa ibuf by adding it to .Fa imsgbuf output buffer. @@ -391,7 +391,7 @@ ready to be sent. The .Fn ibuf_write routine transmits as many pending buffers as possible from -.Fn msgbuf +.Fa msgbuf using .Xr writev 2 . It returns 1 if it succeeds, \-1 on error and 0 when no buffers were
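Review bot: in the imsg_add hunk the appended size is renamed from `.Fa len` to `.Fa datalen`, but two lines later the unchanged context still says "It returns .Fa len if it succeeds"; that should become `.Fa datalen` in the same hunk, otherwise the text refers to an argument the synopsis no longer names.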
Re: deprecate sysctl net.inet.{etherip,gre,mobileip}.allow
On 2018/02/14 18:05, David Gwynne wrote: > i dont understand the usefulness of the sysctls to turn etherip, > gre, and mobileip handling on. if you arent going to handle etherip, > gre, or mobileip, just dont create interfaces to handle them. > > for now, this dummies up handling of the sysctls by letting userland > read that theyre allowed, but allow is readonly. The etherip one is really "allow unprotected etherip" to give a foolproof way of ensuring it only works over ipsec by default. (otherwise you need to know about if-bound states in pf).
Re: signed overflow in atan2
>>> Eitan Adler 14-Feb-18 08:09 >>> > > Hi all, > > you may want the following patch. Previous discussion: > https://lists.freebsd.org/pipermail/freebsd-numerics/2018-February/thread.html > > Original submission: https://github.com/freebsd/freebsd/pull/130 > > > === > > As a component of atan2(y, x), the case of x == 1.0 is farmed out to > atan(y). The current implementation of this comparison is vulnerable > to signed integer underflow (that is, undefined behavior), and it's > performed in a somewhat more complicated way than it need be. Change > it to not be quite so cute, rather directly comparing the high/low > bits of x to the specific IEEE-754 bit pattern that encodes 1.0. > > Note that while there are three different e_atan* files in the > relevant directory, only this one needs fixing. e_atan2f.c already > compares against the full bit pattern encoding 1.0f, while > e_atan2l.cuses bitwise-ands/ors/nots and so doesn't require a change. > === > > > > Index: e_atan2.c > === > RCS file: /cvs/src/lib/libm/src/e_atan2.c,v > retrieving revision 1.13 > diff -u -r1.13 e_atan2.c > --- e_atan2.c 12 Sep 2016 19:47:02 - 1.13 > +++ e_atan2.c 14 Feb 2018 08:06:05 - > @@ -64,7 +64,7 @@ > if(((ix|((lx|-lx)>>31))>0x7ff0)|| > ((iy|((ly|-ly)>>31))>0x7ff0)) /* x or y is NaN */ > return x+y; > - if(((hx-0x3ff0)|lx)==0) return atan(y); /* x=1.0 */ > + if(hx==0x3ff0&==0) return atan(y); /* x=1.0 */ Wouldn't it work just as well, with fewer jumps, and match the original intent, to replace the subtraction with xor? if(((hx^0x3ff0)|lx)==0) return atan(y); /* x=1.0 */ > m = ((hy>>31)&1)|((hx>>30)&2); /* 2*sign(x)+sign(y) */ > > /* when y = 0 */ > > Tom
signed overflow in atan2
Hi all,

you may want the following patch. Previous discussion: https://lists.freebsd.org/pipermail/freebsd-numerics/2018-February/thread.html

Original submission: https://github.com/freebsd/freebsd/pull/130

===

As a component of atan2(y, x), the case of x == 1.0 is farmed out to atan(y). The current implementation of this comparison is vulnerable to signed integer underflow (that is, undefined behavior), and it's performed in a somewhat more complicated way than it need be. Change it to not be quite so cute, rather directly comparing the high/low bits of x to the specific IEEE-754 bit pattern that encodes 1.0.

Note that while there are three different e_atan* files in the relevant directory, only this one needs fixing. e_atan2f.c already compares against the full bit pattern encoding 1.0f, while e_atan2l.c uses bitwise-ands/ors/nots and so doesn't require a change.

===

Index: e_atan2.c === RCS file: /cvs/src/lib/libm/src/e_atan2.c,v retrieving revision 1.13 diff -u -r1.13 e_atan2.c --- e_atan2.c 12 Sep 2016 19:47:02 - 1.13 +++ e_atan2.c 14 Feb 2018 08:06:05 - @@ -64,7 +64,7 @@ if(((ix|((lx|-lx)>>31))>0x7ff0)|| ((iy|((ly|-ly)>>31))>0x7ff0)) /* x or y is NaN */ return x+y; - if(((hx-0x3ff0)|lx)==0) return atan(y); /* x=1.0 */ + if(hx==0x3ff0&==0) return atan(y); /* x=1.0 */ m = ((hy>>31)&1)|((hx>>30)&2); /* 2*sign(x)+sign(y) */ /* when y = 0 */

-- Eitan Adler
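Review bot: the NaN test on the context line above the changed one negates lx in `(lx|-lx)>>31`; if lx is declared as a signed 32-bit type in this file, negating INT32_MIN there is the same undefined behaviour the patch removes one line below, so the declaration is worth checking while here (with an unsigned lx the negation is fine).

To make the overflow concrete, an added example that is not libm code: the three ways of testing x == 1.0 on the raw IEEE-754 words discussed in this thread, with the original subtraction form evaluated in 64-bit arithmetic so that the function can report which inputs would overflow int32_t instead of triggering the undefined behaviour. Word extraction via memcpy is this example's own helper; libm's EXTRACT_WORDS macros are not reproduced.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenBSD libm code. Split a double into the signed
 * high word (as e_atan2.c treats hx) and the unsigned low word. The
 * conversion of a high word >= 0x80000000 to int32_t is implementation-
 * defined but wraps on every two's-complement compiler. */
static void
extract_words(double x, int32_t *hx, uint32_t *lx)
{
	uint64_t bits;

	memcpy(&bits, &x, sizeof(bits));	/* no strict-aliasing issue */
	*hx = (int32_t)(uint32_t)(bits >> 32);
	*lx = (uint32_t)bits;
}

/* The original test was ((hx-0x3ff00000)|lx)==0. Report whether that
 * subtraction leaves the int32_t range: it does for every negative double
 * with |x| < 1.0 (high word 0x80000000..0xbfefffff), -0.0 included. */
int
sub_form_overflows(double x)
{
	int32_t hx;
	uint32_t lx;
	int64_t d;

	extract_words(x, &hx, &lx);
	d = (int64_t)hx - 0x3ff00000;
	return d < INT32_MIN || d > INT32_MAX;
}

/* XOR form from the reply: same single-branch shape, never overflows. */
int
is_one_xor(double x)
{
	int32_t hx;
	uint32_t lx;

	extract_words(x, &hx, &lx);
	return (((uint32_t)(hx ^ 0x3ff00000)) | lx) == 0;
}

/* Direct comparison from the patch. */
int
is_one_eq(double x)
{
	int32_t hx;
	uint32_t lx;

	extract_words(x, &hx, &lx);
	return hx == 0x3ff00000 && lx == 0;
}

int
main(void)
{
	double probes[] = { 1.0, -1.0, -0.5, -0.0, 0.5, 1.0000000000000002 };
	size_t i;

	for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
		printf("x=% .17g  eq=%d xor=%d  sub-form overflows=%d\n",
		    probes[i], is_one_eq(probes[i]), is_one_xor(probes[i]),
		    sub_form_overflows(probes[i]));
	return 0;
}
```

So atan2(y, x) with any x in (-1.0, -0.0] hit the undefined subtraction; both replacement forms agree on 1.0 and reject its neighbour 1.0 + 2^-52, whose low word is 1.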
deprecate sysctl net.inet.{etherip,gre,mobileip}.allow
i dont understand the usefulness of the sysctls to turn etherip, gre, and mobileip handling on. if you arent going to handle etherip, gre, or mobileip, just dont create interfaces to handle them. for now, this dummies up handling of the sysctls by letting userland read that theyre allowed, but allow is readonly. ok? Index: if_gre.c === RCS file: /cvs/src/sys/net/if_gre.c,v retrieving revision 1.100 diff -u -p -r1.100 if_gre.c --- if_gre.c12 Feb 2018 03:15:32 - 1.100 +++ if_gre.c14 Feb 2018 08:02:30 - @@ -288,7 +288,6 @@ struct gre_list egre_list = TAILQ_HEAD_I * allowed as well. * */ -int gre_allow = 0; int gre_wccp = 0; void @@ -495,9 +494,6 @@ gre_input_key(struct mbuf **mp, int *off int mcast = 0; int ttloff; - if (!gre_allow) - goto decline; - hlen = iphlen + sizeof(*gh); if (m->m_pkthdr.len < hlen) goto decline; @@ -555,7 +551,11 @@ gre_input_key(struct mbuf **mp, int *off key->t_rtableid = m->m_pkthdr.ph_rtableid; switch (gh->gre_proto) { - case htons(GRE_WCCP): + case htons(GRE_WCCP): { + struct mbuf *n; + int off; + uint8_t v; + /* WCCP/GRE: * So far as I can see (and test) it seems that Cisco's WCCP * GRE tunnel is precisely a IP-in-GRE tunnel that differs @@ -569,11 +569,19 @@ gre_input_key(struct mbuf **mp, int *off * So yes, we're doing a fall-through (unless, of course, * net.inet.gre.wccp is 0). */ + + n = m_getptr(m, hlen, ); + if (n == NULL) + goto decline; + + v = n->m_data[off]; + if (v >> 4 != IPVERSION) + hlen += sizeof(gre_wccp); + switch (gre_wccp) { case 1: break; case 2: - hlen += sizeof(gre_wccp); break; case 0: default: @@ -811,11 +819,6 @@ gre_output(struct ifnet *ifp, struct mbu struct m_tag *mtag; int error = 0; - if (!gre_allow) { - error = EACCES; - goto drop; - } - if (!ISSET(ifp->if_flags, IFF_RUNNING)) { error = ENETDOWN; goto drop; @@ -964,9 +967,6 @@ egre_start(struct ifnet *ifp) caddr_t if_bpf; #endif - if (!gre_allow) - ifq_purge(>if_snd); - while ((m0 = ifq_dequeue(>if_snd)) != NULL) { #if NBPFILTER > 0 if_bpf = ifp->if_bpf; 
@@ -1691,10 +1691,7 @@ gre_sysctl(int *name, u_int namelen, voi switch (name[0]) { case GRECTL_ALLOW: - NET_LOCK(); - error = sysctl_int(oldp, oldlenp, newp, newlen, _allow); - NET_UNLOCK(); - return (error); + return (sysctl_rdint(oldp, oldlenp, newp, 1)); case GRECTL_WCCP: NET_LOCK(); error = sysctl_int(oldp, oldlenp, newp, newlen, _wccp); Index: if_etherip.c === RCS file: /cvs/src/sys/net/if_etherip.c,v retrieving revision 1.35 diff -u -p -r1.35 if_etherip.c --- if_etherip.c12 Feb 2018 01:43:42 - 1.35 +++ if_etherip.c14 Feb 2018 08:02:30 - @@ -88,12 +88,6 @@ struct etherip_softc { uint8_t sc_ttl; }; -/* - * We can control the acceptance of EtherIP packets by altering the sysctl - * net.inet.etherip.allow value. Zero means drop them, all else is acceptance. - */ -int etherip_allow = 0; - struct cpumem *etheripcounters; void etheripattach(int); @@ -547,11 +541,6 @@ etherip_input(struct etherip_tunnel *key struct ifnet *ifp; struct etherip_header *eip; - if (!etherip_allow && (m->m_flags & (M_AUTH|M_CONF)) == 0) { - etheripstat_inc(etherips_pdrops); - goto drop; - } - key->t_rtableid = m->m_pkthdr.ph_rtableid; NET_ASSERT_LOCKED(); @@ -696,10 +685,7 @@ etherip_sysctl(int *name, u_int namelen, switch (name[0]) { case ETHERIPCTL_ALLOW: - NET_LOCK(); - error = sysctl_int(oldp, oldlenp, newp, newlen, _allow); - NET_UNLOCK(); - return (error); + return (sysctl_rdint(oldp, oldlenp, newp, 1); case ETHERIPCTL_STATS: return (etherip_sysctl_etheripstat(oldp, oldlenp, newp)); default: Index: if_mobileip.c === RCS file: /cvs/src/sys/net/if_mobileip.c,v retrieving revision 1.7 diff -u -p -r1.7 if_mobileip.c --- if_mobileip.c 12 Feb 2018 02:55:40 - 1.7 +++ if_mobileip.c 14 Feb 2018 08:02:30 - @@
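Review bot: in the `@@ -569,11 +569,19 @@` hunk of if_gre.c, once the version-nibble sniff decides whether to skip the WCCP redirect header, `case 1:` and `case 2:` of `switch (gre_wccp)` both reduce to a bare `break;`, so the values 1 and 2 of net.inet.gre.wccp now behave identically and the comment above the switch (and the sysctl's description) should say that only zero versus non-zero matters. `hlen += sizeof(gre_wccp)` also leans on the size of an `int` variable standing in for the 4-byte redirect header; a named constant would make that intent explicit. The earlier `if (m->m_pkthdr.len < hlen) goto decline;` ran before this bump, so whatever consumes `hlen` after the switch (outside the hunk) should re-validate the length; the old `case 2:` path had the same property, so this is not a regression, but the new path is now taken without any sysctl setting.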
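Review bot: the `@@ -547,11 +541,6 @@` hunk of if_etherip.c changes the default security posture, not just the knob. The removed test `!etherip_allow && (m->m_flags & (M_AUTH|M_CONF)) == 0` meant that with the default allow=0 only EtherIP packets that had come in through IPsec (M_AUTH or M_CONF set) were processed, and cleartext ones were counted in etherips_pdrops and dropped. After this diff any EtherIP packet that matches a configured etherip interface is accepted, so the commit message and etherip(4) should state plainly that cleartext EtherIP is now accepted by default and that anyone who relied on the IPsec-only behaviour needs a pf rule or IPsec policy for the tunnel endpoints instead. The `etheripstat_inc(etherips_pdrops)` call removed here was the only increment of that counter visible in this function; if nothing else bumps it, the statistic becomes dead.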
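Review bot: the `@@ -696,10 +685,7 @@` hunk of if_etherip.c has an unbalanced parenthesis: `+ return (sysctl_rdint(oldp, oldlenp, newp, 1);` closes the `sysctl_rdint(` call but not the outer `return (`, so it will not compile as shown. The corresponding line in the if_gre.c hunk is the correct form: `return (sysctl_rdint(oldp, oldlenp, newp, 1));`.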
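Review bot: the `@@ -1691,10 +1691,7 @@` hunk of if_gre.c turns GRECTL_ALLOW into a read-only sysctl that always reports 1, and the if_etherip.c sysctl hunk does the same for ETHERIPCTL_ALLOW, but the diff touches no manual page. gre(4), etherip(4) and sysctl(8) still describe net.inet.gre.allow and net.inet.etherip.allow as writable switches defaulting to 0 (the removed comment in if_etherip.c says exactly that), so those entries should be updated in the same commit. Since sysctl_rdint rejects writes, an existing /etc/sysctl.conf line setting either knob to 1 will start producing an error at boot rather than being silently accepted; that is worth calling out so people know the line can simply be deleted.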
Re: Remove DM* modem control commands
On 14/02/18(Wed) 00:48, Tobias Ulmer wrote:
> Remove the ancient tty.h DMSET etc. modem control commands. They're confusing to someone without the historical background. No documentation doesn't help either.
>
> TIOCM* serve the same purpose, are documented in tty(4) and the various *ctl() functions use the TTYCM_ register definitions, making this mix particularly odd looking.
>
> I've modified the *ctl() functions to use the same type and name as ioctl for clarity and correctness. Not strictly necessary, but makes me sleep better :)
>
> Tested lightly on sparc64. sab still works. No luna88k, sorry.
>
>
> ## Background blah blah, skip if you just don't care :)
>
> I've noticed these odd DM{SET,GET,BIC,BIS} constants in serial drivers all over the place and got curious. What do they mean?
>
> Turns out, "DM" is a bolt-in add-on modem by DEC you would connect to your DH-11, apparently a 16 port serial port multiplexer for your VAX or PDP-11. As far as I can tell, the drivers were last included in 4.3BSD. You grey beards correct me on this.
>
> The DM constants and the dmctl() function to manipulate the modem control register were added to dh in 1980 in order to support this fancy new modem.
>
> Since then, just about every BSD serial driver has copied the basic structure, spreading DM* absolutely everywhere.
>
> In 1982, Bill Shannon wanted to play with this control register in userspace (tip) and the ioctl interface was expanded by TIOCM{SET,GET,BIS,BIC}, hard coding the interface and register layout of that modem family for decades to come.
>
> dh gains dm support:
> https://github.com/weiss/original-bsd/commit/b47c3865305da4a404343aeedf0e3561071aae10
>
> TIOCM modem control register bits show up:
> https://github.com/weiss/original-bsd/commit/d9d9928137170ec2f49e62509b12d012cac154de
> https://github.com/weiss/original-bsd/commit/c849aa74bd3aaa1d644d74d9628ba0e1be028e1a
>
> http://gunkies.org/wiki/DH11_asynchronous_serial_line_interface
> http://bitsavers.trailing-edge.com/pdf/dec/unibus/ datasheets..
>
> Who needs TV when you can dig up amusing trivia about early BSD development!

Your diff contains a duplicated chunk: the one in sys/tty.h. No software on codesearch.debian.net relies on the defines you're removing, so ok with me :)

> Index: sys/tty.h > === > RCS file: /home/vcs/cvs/openbsd/src/sys/sys/tty.h,v > retrieving revision 1.37 > diff -u -p -r1.37 tty.h > --- sys/tty.h 24 May 2016 16:09:07 - 1.37 > +++ sys/tty.h 13 Feb 2018 20:39:54 - > @@ -215,12 +215,6 @@ struct speedtab { > int sp_code;/* Code. */ > }; > > -/* Modem control commands (driver). */ > -#define DMSET 0 > -#define DMBIS 1 > -#define DMBIC 2 > -#define DMGET 3 > - > /* Flags on a character passed to ttyinput. */ > #define TTY_CHARMASK0x00ff /* Character mask */ > #define TTY_QUOTE 0x0100 /* Character quoted */ > > Index: arch/armv7/exynos/exuart.c > === > RCS file: /home/vcs/cvs/openbsd/src/sys/arch/armv7/exynos/exuart.c,v > retrieving revision 1.13 > diff -u -p -r1.13 exuart.c > --- arch/armv7/exynos/exuart.c27 Oct 2017 11:23:28 - 1.13 > +++ arch/armv7/exynos/exuart.c13 Feb 2018 20:38:56 - 
> @@ -784,37 +784,37 @@ exuartioctl( dev_t dev, u_long cmd, cadd > > case TIOCSDTR: > #if 0 > - (void) clmctl(dev, TIOCM_DTR | TIOCM_RTS, DMBIS); > + (void) clmctl(dev, TIOCM_DTR | TIOCM_RTS, TIOCMBIS); > #endif > break; > > case TIOCCDTR: > #if 0 > - (void) clmctl(dev, TIOCM_DTR | TIOCM_RTS, DMBIC); > + (void) clmctl(dev, TIOCM_DTR | TIOCM_RTS, TIOCMBIC); > #endif > break; > > case TIOCMSET: > #if 0 > - (void) clmctl(dev, *(int *) data, DMSET); > + (void) clmctl(dev, *(int *) data, TIOCMSET); > #endif > break; > > case TIOCMBIS: > #if 0 > - (void) clmctl(dev, *(int *) data, DMBIS); > + (void) clmctl(dev, *(int *) data, TIOCMBIS); > #endif > break; > > case TIOCMBIC: > #if 0 > - (void) clmctl(dev, *(int *) data, DMBIC); > + (void) clmctl(dev, *(int *) data, TIOCMBIC); > #endif > break; > > case TIOCMGET: > #if 0 > - *(int *)data = clmctl(dev, 0, DMGET); > + *(int *)data = clmctl(dev, 0, TIOCMGET); > #endif > break; > > Index: arch/armv7/imx/imxuart.c > === > RCS file: /home/vcs/cvs/openbsd/src/sys/arch/armv7/imx/imxuart.c,v > retrieving revision 1.17 > diff -u -p -r1.17 imxuart.c > --- arch/armv7/imx/imxuart.c 30 Dec 2017 13:34:56 - 1.17 > +++
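Review bot: the sys/tty.h hunk (`@@ -215,12 +215,6 @@`) removes DMSET, DMBIS, DMBIC and DMGET from an installed public header. The reply's codesearch check covers packaged software, but out-of-tree serial drivers copied from older BSDs may still use these names, so the commit message should state the header API removal and name TIOCMSET/TIOCMBIS/TIOCMBIC/TIOCMGET as the replacements, and the duplicated copy of this chunk that the reply mentions needs to be dropped before commit.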
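Review bot: in the exuart.c hunk (`@@ -784,37 +784,37 @@`), every `clmctl()` call being changed sits inside `#if 0`, so the DM* to TIOCM* substitution is never compiled in this driver and a mismatched argument type would go unnoticed; since the block is dead code, either drop it or leave a one-line comment saying modem control is unimplemented here. The DM* constants were the small integers 0..3 while the TIOCM* replacements are full ioctl request numbers, so the `clmctl` prototype (not in the hunk) must take the ioctl's `u_long` request and any `*ctl()` helper that switches on its command argument has to be converted in the same commit, as the cover letter says was done.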