extend BPF filter drop to allow not capturing packets
this extends the fildrop mechanism so you can drop the packets with bpf using the existing fildrop method, but with an extra tweak so you can avoid the cost of copying packets to userland. i wanted to quickly drop some packets in the rx interrupt path to try and prioritise some traffic getting processed by the system. the initial version was going to use weird custom DLTs and extra bpf interface pointers and stuff, but most of the glue is already in place with the fildrop functionality. this also adds a bit to tcpdump so you can set a fildrop action. it means tcpdump can be used as a quick and dirty firewall. Index: sys/net/bpf.c === RCS file: /cvs/src/sys/net/bpf.c,v retrieving revision 1.170 diff -u -p -r1.170 bpf.c --- sys/net/bpf.c 13 Jul 2018 08:51:15 - 1.170 +++ sys/net/bpf.c 4 Mar 2019 22:30:32 - @@ -926,9 +926,20 @@ bpfioctl(dev_t dev, u_long cmd, caddr_t *(u_int *)addr = d->bd_fildrop; break; - case BIOCSFILDROP: /* set "filter-drop" flag */ - d->bd_fildrop = *(u_int *)addr ? 1 : 0; + case BIOCSFILDROP: {/* set "filter-drop" flag */ + unsigned int fildrop = *(u_int *)addr; + switch (fildrop) { + case BPF_FILDROP_PASS: + case BPF_FILDROP_CAPTURE: + case BPF_FILDROP_DROP: + d->bd_fildrop = fildrop; + break; + default: + error = EINVAL; + break; + } break; + } case BIOCGDIRFILT: /* get direction filter */ *(u_int *)addr = d->bd_dirfilt; @@ -1261,23 +1272,26 @@ _bpf_mtap(caddr_t arg, const struct mbuf pktlen += m0->m_len; SRPL_FOREACH(d, , >bif_dlist, bd_next) { + struct srp_ref bsr; + struct bpf_program *bf; + struct bpf_insn *fcode = NULL; + atomic_inc_long(>bd_rcount); - if ((direction & d->bd_dirfilt) != 0) - slen = 0; - else { - struct srp_ref bsr; - struct bpf_program *bf; - struct bpf_insn *fcode = NULL; - - bf = srp_enter(, >bd_rfilter); - if (bf != NULL) - fcode = bf->bf_insns; - slen = bpf_mfilter(fcode, m, pktlen); - srp_leave(); - } + if (ISSET(d->bd_dirfilt, direction)) + continue; + + bf = srp_enter(, >bd_rfilter); + if (bf != NULL) + fcode = bf->bf_insns; + slen = bpf_mfilter(fcode, m, pktlen); + srp_leave(); - if (slen > 0) { + if (slen == 0) + continue; + if (d->bd_fildrop != BPF_FILDROP_PASS) + drop = 1; + if (d->bd_fildrop != BPF_FILDROP_DROP) { if (!gottime++) microtime(); @@ -1285,9 +1299,6 @@ _bpf_mtap(caddr_t arg, const struct mbuf bpf_catchpacket(d, (u_char *)m, pktlen, slen, cpfn, ); mtx_leave(>bd_mtx); - - if (d->bd_fildrop) - drop = 1; } } SRPL_LEAVE(); Index: sys/net/bpf.h === RCS file: /cvs/src/sys/net/bpf.h,v retrieving revision 1.65 diff -u -p -r1.65 bpf.h --- sys/net/bpf.h 3 Feb 2018 13:37:37 - 1.65 +++ sys/net/bpf.h 4 Mar 2019 22:30:32 - @@ -126,6 +126,13 @@ struct bpf_version { #define BPF_DIRECTION_IN 1 #define BPF_DIRECTION_OUT (1<<1) +/* + * Values for BIOCGFILDROP/BIOCSFILDROP + */ +#define BPF_FILDROP_PASS 0 /* capture, pass */ +#define BPF_FILDROP_CAPTURE1 /* capture, drop */ +#define BPF_FILDROP_DROP 2 /* no capture, drop */ + struct bpf_timeval { u_int32_t tv_sec; u_int32_t tv_usec; Index: share/man/man4/bpf.4 === RCS file: /cvs/src/share/man/man4/bpf.4,v retrieving revision 1.38 diff -u -p -r1.38 bpf.4 --- share/man/man4/bpf.428 Apr 2016 19:07:19 - 1.38 +++ share/man/man4/bpf.44 Mar 2019 22:30:32 - @@ -391,11 +391,24 @@ This flag is initialized to zero by defa .Pp .It Dv BIOCSFILDROP Fa "u_int *" .It Dv BIOCGFILDROP Fa "u_int *" -Sets or gets the status of the +Sets or gets the .Dq filter drop -flag. -If non-zero, packets matching any filters will be reported to the -associated interface so that they can be dropped. +action. +The supported actions for packets matching
Re: Patch: relayd support for HTTP 101 Switching Protocols
Hi, thanks for bringing this to my attention, i've commited my latest diff. /Benno Daniel Lamando(d...@danopia.net) on 2019.02.28 21:09:35 -0800: > Hi all, > > I noticed that relayd doesn't support Websocket connections. > When a Websocket request is forwarded through relayd, > the handshake completes ok, but the backend never > receives further packets sent from the client. > > I found several messages in the openbsd-misc archive > mentioning websockets not working with relayd: > - https://marc.info/?l=openbsd-misc=152510591921674 > - https://marc.info/?l=openbsd-misc=152558941423236 > - https://marc.info/?l=openbsd-misc=153997265632162 > > After examining conversations and the relayd source I've traced > this to the fact that Websockets negotiate using the GET method. > relayd does not currently forward any request body upstream > after forwarding a GET message from the client: > > case HTTP_METHOD_GET: > cre->toread = 0; > > I found that relayd already supports bidirectional client<->server > communication when the HTTP CONNECT method is sent by > the client. Websockets are signalled slightly differently. > The client includes a 'Connection: Upgrade' header, and > the server returns an HTTP 101 response body. > There are also other websocket-specific headers but they > do not concern us as a proxy server. > > The Websocket handshake is completed by the server sending: > HTTP/1.1 101 Switching Protocols > According to RFC 2616's section on HTTP 101: > The server will switch protocols to those defined by the response's > Upgrade header field immediately after the empty line which > terminates the 101 response. > > I've attached a small patch for relayd which re-enables > client->server forwarding when an HTTP 101 is passed down. > Applying this patch over OpenBSD 6.5-beta allows relayd to > pass bidirectional websocket data, fixing my chat app :) > > PS: I???ve also tested relayd by relaying the example server from here: > https://www.websocket.org/echo.html > If you try that, note that the server is strict about the `Connection??? > request header being preserved. Otherwise it will 400. > > > Index: relay_http.c > === > RCS file: /cvs/src/usr.sbin/relayd/relay_http.c,v > retrieving revision 1.71 > diff -u -p -r1.71 relay_http.c > --- relay_http.c 6 Aug 2018 17:31:31 - 1.71 > +++ relay_http.c 1 Mar 2019 04:52:26 - > @@ -276,6 +276,13 @@ relay_read_http(struct bufferevent *bev, > DPRINTF("http_version %s http_rescode %s " > "http_resmesg %s", desc->http_version, > desc->http_rescode, desc->http_resmesg); > + > + /* HTTP 101 Switching Protocols */ > + if (desc->http_status == 101) { > + cre->dst->toread = TOREAD_UNLIMITED; > + cre->dst->bev->readcb = relay_read; > + } > + > goto lookup; > } else if (cre->line == 1 && cre->dir == RELAY_DIR_REQUEST) { > if ((desc->http_method = relay_httpmethod_byname(key)) >
Re: Pass IPv6 through pppx(4)
ok. > On 5 Mar 2019, at 02:46, Denis Fondras wrote: > > Simple diff to allow IPv6 through pppx(4). > > Denis > > Index: net/if_pppx.c > === > RCS file: /cvs/src/sys/net/if_pppx.c,v > retrieving revision 1.66 > diff -u -p -r1.66 if_pppx.c > --- net/if_pppx.c 11 Jul 2018 21:18:23 - 1.66 > +++ net/if_pppx.c 4 Mar 2019 16:33:50 - > @@ -1047,6 +1047,11 @@ pppx_if_output(struct ifnet *ifp, struct > #endif > if (pipex_enable) { > switch (dst->sa_family) { > +#ifdef INET6 > + case AF_INET6: > + proto = PPP_IPV6; > + break; > +#endif > case AF_INET: > proto = PPP_IP; > break; >
Re: Patch: relayd support for HTTP 101 Switching Protocols
On Mon, Mar 04, 2019 at 07:53:04PM +0100, Sebastian Benoit wrote: > > The RFC says it must be a GET request. We should check at least > > this. If we check more, an attacker can create less dubious states. > > thx, I was looking for something like that and could not find it. > Where? RFC 6455, The WebSocket Protocol, Page 16 2. The method of the request MUST be GET, and the HTTP version MUST be at least 1.1. There are a lot of other MUST, but let's only do the obvious and easy ones now. Can be extended later. > (relayd_101Switching_policy4.diff) OK bluhm@ > diff --git usr.sbin/relayd/http.h usr.sbin/relayd/http.h > index 052bc0ce326..135ca5bbcb7 100644 > --- usr.sbin/relayd/http.h > +++ usr.sbin/relayd/http.h > @@ -251,4 +251,10 @@ struct http_descriptor { > struct kvtreehttp_headers; > }; > > +struct relay_http_priv { > +#define HTTP_CONNECTION_UPGRADE 0x01 > +#define HTTP_UPGRADE_WEBSOCKET 0x02 > + int http_upgrade_req; > +}; > + > #endif /* HTTP_H */ > diff --git usr.sbin/relayd/parse.y usr.sbin/relayd/parse.y > index 9875973fd80..66a568d5e62 100644 > --- usr.sbin/relayd/parse.y > +++ usr.sbin/relayd/parse.y > @@ -176,6 +176,7 @@ typedef struct { > %token TO ROUTER RTLABEL TRANSPARENT TRAP UPDATES URL VIRTUAL WITH TTL > RTABLE > %token MATCH PARAMS RANDOM LEASTSTATES SRCHASH KEY CERTIFICATE > PASSWORD ECDHE > %token EDH TICKETS CONNECTION CONNECTIONS ERRORS STATE CHANGES CHECKS > +%token WEBSOCKETS > %token STRING > %token NUMBER > %type hostname interface table value optstring > @@ -1064,8 +1065,20 @@ protoptsl : ssltls tlsflags > | ssltls '{' tlsflags_l '}' > | TCP tcpflags > | TCP '{' tcpflags_l '}' > - | HTTP httpflags > - | HTTP '{' httpflags_l '}' > + | HTTP { > + if (proto->type != RELAY_PROTO_HTTP) { > + yyerror("can set http options only for " > + "http protocol"); > + YYERROR; > + } > + } httpflags > + | HTTP { > + if (proto->type != RELAY_PROTO_HTTP) { > + yyerror("can set http options only for " > + "http protocol"); > + YYERROR; > + } > + } '{' httpflags_l '}' > | RETURN ERROR opteflags{ proto->flags |= F_RETURN; } > | RETURN ERROR '{' eflags_l '}' { proto->flags |= F_RETURN; } > | filterrule > @@ -1078,17 +1091,14 @@ httpflags_l : httpflags comma httpflags_l > ; > > httpflags: HEADERLEN NUMBER { > - if (proto->type != RELAY_PROTO_HTTP) { > - yyerror("can set http options only for " > - "http protocol"); > - YYERROR; > - } > if ($2 < 0 || $2 > RELAY_MAXHEADERLENGTH) { > yyerror("invalid headerlen: %d", $2); > YYERROR; > } > proto->httpheaderlen = $2; > } > + | WEBSOCKETS{ proto->httpflags |= HTTPFLAG_WEBSOCKETS; } > + | NO WEBSOCKETS { proto->httpflags &= ~HTTPFLAG_WEBSOCKETS; } > ; > > tcpflags_l : tcpflags comma tcpflags_l > @@ -2338,6 +2348,7 @@ lookup(char *s) > { "url",URL }, > { "value", VALUE }, > { "virtual",VIRTUAL }, > + { "websockets", WEBSOCKETS }, > { "with", WITH } > }; > const struct keywords *p; > diff --git usr.sbin/relayd/relay.c usr.sbin/relayd/relay.c > index 739c9226b65..bf662b9a1df 100644 > --- usr.sbin/relayd/relay.c > +++ usr.sbin/relayd/relay.c > @@ -1410,7 +1410,13 @@ relay_session(struct rsession *con) > return; > } > > - if (rlay->rl_proto->type != RELAY_PROTO_HTTP) { > + if (rlay->rl_proto->type == RELAY_PROTO_HTTP) { > + if (relay_http_priv_init(con) == -1) { > + relay_close(con, > + "failed to allocate http session data", 1); > + return; > + } > + } else { > if (rlay->rl_conf.fwdmode == FWD_TRANS) > relay_bindanyreq(con, 0, IPPROTO_TCP); > else if (relay_connect(con) == -1) { > diff --git usr.sbin/relayd/relay_http.c usr.sbin/relayd/relay_http.c > index a9d27bfe605..e431d2b8f44 100644 > --- usr.sbin/relayd/relay_http.c > +++ usr.sbin/relayd/relay_http.c > @@ -109,6 +109,17 @@ relay_http_init(struct relay *rlay) >
Re: Patch: relayd support for HTTP 101 Switching Protocols
Alexander Bluhm(alexander.bl...@gmx.net) on 2019.03.04 17:44:08 +0100: > On Sat, Mar 02, 2019 at 12:13:20AM +0100, Sebastian Benoit wrote: > > --- usr.sbin/relayd/parse.y > > +++ usr.sbin/relayd/parse.y > > @@ -176,6 +176,7 @@ typedef struct { > > %token TO ROUTER RTLABEL TRANSPARENT TRAP UPDATES URL VIRTUAL WITH TTL > > RTABLE > > %token MATCH PARAMS RANDOM LEASTSTATES SRCHASH KEY CERTIFICATE > > PASSWORD ECDHE > > %token EDH TICKETS CONNECTION CONNECTIONS ERRORS STATE CHANGES CHECKS > > +%token WEBSOCKETS > > %token STRING > > %token NUMBER > > %typehostname interface table value optstring > > Here are some tab vs space incosistencies. fixed. > > + if (strcasecmp("Connection", key) == 0 && > > + strcasecmp("Upgrade", value) == 0) > > + priv->http_upgrade_req |= > > + HTTP_UPGRADE_CONN; > > Would the name HTTP_CONNECTION_UPGRADE be better? Perhaps we want > to do something spcific with connection keep-alive or close some > day. changed. > > @@ -422,6 +445,28 @@ relay_read_http(struct bufferevent *bev, void *arg) > > return; > > } > > > > + /* HTTP 101 Switching Protocols */ > > + if (cre->dir == RELAY_DIR_REQUEST) { > > + if (!(proto->httpflags & HTTPFLAG_WEBSOCKETS) && > > + (priv->http_upgrade_req & > > + HTTP_UPGRADE_WEBSOCKET)) { > > Should we check for both upgrade and websocket? i am now checking: 1. 'Upgrade: websocket' hdr AND NOT "http { websockets }" --> 403 2. 'Upgrade: websocket' hdr AND NO 'Connection: upgrade' hdr --> 400 3. 'Upgrade: websocket' hdr AND method NOT "GET" --> 405 > > + relay_abort_http(con, 403, > > + "Forbidden", 0); > > A more specific error message like "Websocket Forbidden" would make > debugging much easier. done in all cases > The RFC says it must be a GET request. We should check at least > this. If we check more, an attacker can create less dubious states. thx, I was looking for something like that and could not find it. Where? Implemented. > > + return; > > + } > > + } else if (cre->dir == RELAY_DIR_RESPONSE && > > + desc->http_status == 101) { > > + if ((priv->http_upgrade_req & > > + (HTTP_UPGRADE_CONN | HTTP_UPGRADE_WEBSOCKET)) && > > Both flags must be present. oops. fixed. > > > + proto->httpflags & HTTPFLAG_WEBSOCKETS) { > > + cre->dst->toread = TOREAD_UNLIMITED; > > + cre->dst->bev->readcb = relay_read; > > + } else { > > + relay_abort_http(con, 502, "Bad Gateway", 0); > > Could we have a more specific message like "Bad Websocket Gateway"? > > > + return; > > + } > > + } > > + > > switch (desc->http_method) { > > case HTTP_METHOD_CONNECT: > > /* Data stream */ > > bluhm > (relayd_101Switching_policy4.diff) diff --git usr.sbin/relayd/http.h usr.sbin/relayd/http.h index 052bc0ce326..135ca5bbcb7 100644 --- usr.sbin/relayd/http.h +++ usr.sbin/relayd/http.h @@ -251,4 +251,10 @@ struct http_descriptor { struct kvtreehttp_headers; }; +struct relay_http_priv { +#define HTTP_CONNECTION_UPGRADE0x01 +#define HTTP_UPGRADE_WEBSOCKET 0x02 + int http_upgrade_req; +}; + #endif /* HTTP_H */ diff --git usr.sbin/relayd/parse.y usr.sbin/relayd/parse.y index 9875973fd80..66a568d5e62 100644 --- usr.sbin/relayd/parse.y +++ usr.sbin/relayd/parse.y @@ -176,6 +176,7 @@ typedef struct { %token TO ROUTER RTLABEL TRANSPARENT TRAP UPDATES URL VIRTUAL WITH TTL RTABLE %token MATCH PARAMS RANDOM LEASTSTATES SRCHASH KEY CERTIFICATE PASSWORD ECDHE %token EDH TICKETS CONNECTION CONNECTIONS ERRORS STATE CHANGES CHECKS +%token WEBSOCKETS %token STRING %token NUMBER %typehostname interface table value optstring @@ -1064,8 +1065,20 @@ protoptsl: ssltls tlsflags | ssltls '{' tlsflags_l '}' | TCP tcpflags | TCP '{' tcpflags_l '}' - | HTTP httpflags - | HTTP '{' httpflags_l '}' + | HTTP { + if (proto->type != RELAY_PROTO_HTTP) { + yyerror("can set http options only for " + "http protocol"); + YYERROR; + } + } httpflags + | HTTP { + if (proto->type != RELAY_PROTO_HTTP) { + yyerror("can set http options only for " +
Pass IPv6 through pppx(4)
Simple diff to allow IPv6 through pppx(4). Denis Index: net/if_pppx.c === RCS file: /cvs/src/sys/net/if_pppx.c,v retrieving revision 1.66 diff -u -p -r1.66 if_pppx.c --- net/if_pppx.c 11 Jul 2018 21:18:23 - 1.66 +++ net/if_pppx.c 4 Mar 2019 16:33:50 - @@ -1047,6 +1047,11 @@ pppx_if_output(struct ifnet *ifp, struct #endif if (pipex_enable) { switch (dst->sa_family) { +#ifdef INET6 + case AF_INET6: + proto = PPP_IPV6; + break; +#endif case AF_INET: proto = PPP_IP; break;
Re: Patch: relayd support for HTTP 101 Switching Protocols
On Sat, Mar 02, 2019 at 12:13:20AM +0100, Sebastian Benoit wrote: > --- usr.sbin/relayd/parse.y > +++ usr.sbin/relayd/parse.y > @@ -176,6 +176,7 @@ typedef struct { > %token TO ROUTER RTLABEL TRANSPARENT TRAP UPDATES URL VIRTUAL WITH TTL > RTABLE > %token MATCH PARAMS RANDOM LEASTSTATES SRCHASH KEY CERTIFICATE > PASSWORD ECDHE > %token EDH TICKETS CONNECTION CONNECTIONS ERRORS STATE CHANGES CHECKS > +%token WEBSOCKETS > %token STRING > %token NUMBER > %type hostname interface table value optstring Here are some tab vs space incosistencies. > + if (strcasecmp("Connection", key) == 0 && > + strcasecmp("Upgrade", value) == 0) > + priv->http_upgrade_req |= > + HTTP_UPGRADE_CONN; Would the name HTTP_CONNECTION_UPGRADE be better? Perhaps we want to do something spcific with connection keep-alive or close some day. > @@ -422,6 +445,28 @@ relay_read_http(struct bufferevent *bev, void *arg) > return; > } > > + /* HTTP 101 Switching Protocols */ > + if (cre->dir == RELAY_DIR_REQUEST) { > + if (!(proto->httpflags & HTTPFLAG_WEBSOCKETS) && > + (priv->http_upgrade_req & > + HTTP_UPGRADE_WEBSOCKET)) { Should we check for both upgrade and websocket? > + relay_abort_http(con, 403, > + "Forbidden", 0); A more specific error message like "Websocket Forbidden" would make debugging much easier. The RFC says it must be a GET request. We should check at least this. If we check more, an attacker can create less dubious states. > + return; > + } > + } else if (cre->dir == RELAY_DIR_RESPONSE && > + desc->http_status == 101) { > + if ((priv->http_upgrade_req & > + (HTTP_UPGRADE_CONN | HTTP_UPGRADE_WEBSOCKET)) && Both flags must be present. > + proto->httpflags & HTTPFLAG_WEBSOCKETS) { > + cre->dst->toread = TOREAD_UNLIMITED; > + cre->dst->bev->readcb = relay_read; > + } else { > + relay_abort_http(con, 502, "Bad Gateway", 0); Could we have a more specific message like "Bad Websocket Gateway"? > + return; > + } > + } > + > switch (desc->http_method) { > case HTTP_METHOD_CONNECT: > /* Data stream */ bluhm
Re: mail(1): use "sendmail" as argv[0] for sendmail
Todd C. Miller wrote: > On Mon, 04 Mar 2019 16:38:37 +0100, Gilles Chehade wrote: > > > I wish we had an historian who could enlighten us as to why both exist. > > That code actually predates sendmail and was in the original revision > when delivermail was still in use. Sendmail itself never checked > its argv[0] for "send-mail" as far as I know. > > At this point I consider it a historical oddity that is safe to > remove. Sounds right.
Re: mail(1): use "sendmail" as argv[0] for sendmail
On Mon, 04 Mar 2019 16:38:37 +0100, Gilles Chehade wrote: > I wish we had an historian who could enlighten us as to why both exist. That code actually predates sendmail and was in the original revision when delivermail was still in use. Sendmail itself never checked its argv[0] for "send-mail" as far as I know. At this point I consider it a historical oddity that is safe to remove. - todd
Re: mail(1): use "sendmail" as argv[0] for sendmail
On Fri, Mar 01, 2019 at 03:16:26PM +0200, Lauri Tirkkonen wrote: > For some reason mail(1) is using "send-mail" as argv[0] for sendmail. > /etc/mailer.conf and smtpctl handle this identically to "sendmail", so > it seems a bit redundant. This diff makes mail(1) use "sendmail" as > argv[0], possibly allowing that duplication to be removed later from > mailer.conf and smtpctl. > > Noticed while porting mail(1) to Unleashed (where we also have > mailwrapper, but no default configuration for "send-mail"). > I wish we had an historian who could enlighten us as to why both exist. smtpctl handles send-mail because mail uses send-mail and I suspect that some hackers use mua from the seventies that also use send-mail. if we could confirm that there's no harm in the following diff, then the send-mail case in mailer.conf and smtpctl could bite the dust afaic > diff --git a/usr.bin/mail/send.c b/usr.bin/mail/send.c > index 8f127ac837f..723f9da0a53 100644 > --- a/usr.bin/mail/send.c > +++ b/usr.bin/mail/send.c > @@ -371,7 +371,7 @@ mail1(struct header *hp, int printheaders) > (void)savemail(expand(cp), mtf); > > /* Setup sendmail arguments. */ > -*ap++ = "send-mail"; > +*ap++ = "sendmail"; > *ap++ = "-i"; > *ap++ = "-t"; > cp = hp->h_from ? hp->h_from : value("from"); > -- > Lauri Tirkkonen | lotheac @ IRCnet > -- Gilles Chehade @poolpOrg https://www.poolp.org tip me: https://paypal.me/poolpOrg
Re: update xserver to version 1.19.7
On Sun, Mar 03 2019, Matthieu Herrb wrote: > Hi, > > the patch below updates the X server to version 1.19.7. It's a bug-fix > release. You'll find the change log at the begining of the patch. > > To test, apply the patch with patch -p0 -E in /usr/xenocara/xserver, > and then re build xenocara as documented in release(8). > > The patch is also available at https://herrb.eu/xserver-1.19.7.diff > > Test reports and/or Oks welcome, Works fine on my thinkpad x230. No user-visible change except additional modelines in Xorg.0.log. ok jca@ (Though it probably needs more tests than my relatively usual setup and use cases permit). -- jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
httpd: New log format to log X-Forwarded-{For|Port} headers
Hi, I've completely reworked my patch for httpd(8). The last patch broke the log format combined. And the config option was ugly. This time I've added another log format called forwarded. It appends two fields to the log format combined: The first field contains the value of the header X-Forwarded-For and the second one the value of X-Forwarded-Port. If either of the headers is empty or missing a dash (-) is written. The new log format is compatible with log analyzing tools like Webalizer or GoAccess. If you run httpd(8) behind a proxy like relayd(8) the new log format finally gives you a way to track the origin of the requests. Cheers, Bruno Index: usr.sbin/httpd/httpd.conf.5 === RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v retrieving revision 1.103 diff -u -p -r1.103 httpd.conf.5 --- usr.sbin/httpd/httpd.conf.5 19 Feb 2019 11:37:26 - 1.103 +++ usr.sbin/httpd/httpd.conf.5 27 Feb 2019 15:26:48 - @@ -450,7 +450,8 @@ The .Ar style can be .Cm common , -.Cm combined +.Cm combined , +.Cm forwarded or .Cm connection . The styles @@ -459,6 +460,14 @@ and .Cm combined write a log entry after each request similar to the standard Apache and nginx access log formats. +The style +.Cm forwarded +extends the style +.Cm combined +by appending two fields containing the values of the headers +.Ar X-Forwarded-For +and +.Ar X-Forwarded-Port . The style .Cm connection writes a summarized log entry after each connection, Index: usr.sbin/httpd/httpd.h === RCS file: /cvs/src/usr.sbin/httpd/httpd.h,v retrieving revision 1.143 diff -u -p -r1.143 httpd.h --- usr.sbin/httpd/httpd.h 19 Feb 2019 11:37:26 - 1.143 +++ usr.sbin/httpd/httpd.h 27 Feb 2019 15:26:48 - @@ -437,7 +437,8 @@ SPLAY_HEAD(client_tree, client); enum log_format { LOG_FORMAT_COMMON, LOG_FORMAT_COMBINED, - LOG_FORMAT_CONNECTION + LOG_FORMAT_CONNECTION, + LOG_FORMAT_FORWARDED }; struct log_file { Index: usr.sbin/httpd/parse.y === RCS file: /cvs/src/usr.sbin/httpd/parse.y,v retrieving revision 1.110 diff -u -p -r1.110 parse.y --- usr.sbin/httpd/parse.y 19 Feb 2019 11:37:26 - 1.110 +++ usr.sbin/httpd/parse.y 27 Feb 2019 15:26:48 - @@ -140,7 +140,7 @@ typedef struct { %token PROTOCOLS REQUESTS ROOT SACK SERVER SOCKET STRIP STYLE SYSLOG TCP TICKET %token TIMEOUT TLS TYPE TYPES HSTS MAXAGE SUBDOMAINS DEFAULT PRELOAD REQUEST %token ERROR INCLUDE AUTHENTICATE WITH BLOCK DROP RETURN PASS REWRITE -%token CA CLIENT CRL OPTIONAL PARAM +%token CA CLIENT CRL OPTIONAL PARAM FORWARDED %token STRING %token NUMBER %type port @@ -1024,6 +1024,11 @@ logstyle : COMMON{ srv_conf->flags |= SRVFLAG_LOG; srv_conf->logformat = LOG_FORMAT_CONNECTION; } + | FORWARDED { + srv_conf->flags &= ~SRVFLAG_NO_LOG; + srv_conf->flags |= SRVFLAG_LOG; + srv_conf->logformat = LOG_FORMAT_FORWARDED; + } ; filter : block RETURN NUMBER optstring { @@ -1295,6 +1300,7 @@ lookup(char *s) { "ecdhe", ECDHE }, { "error", ERR }, { "fastcgi",FCGI }, + { "forwarded", FORWARDED }, { "hsts", HSTS }, { "include",INCLUDE }, { "index", INDEX }, Index: usr.sbin/httpd/server_http.c === RCS file: /cvs/src/usr.sbin/httpd/server_http.c,v retrieving revision 1.129 diff -u -p -r1.129 server_http.c --- usr.sbin/httpd/server_http.c10 Feb 2019 13:41:27 - 1.129 +++ usr.sbin/httpd/server_http.c27 Feb 2019 15:26:49 - @@ -1632,7 +1632,7 @@ server_log_http(struct client *clt, unsi static char tstamp[64]; static char ip[INET6_ADDRSTRLEN]; time_t t; - struct kvkey, *agent, *referrer; + struct kvkey, *agent, *referrer, *xff, *xfp; struct tm *tm; struct server_config*srv_conf; struct http_descriptor *desc; @@ -1642,6 +1642,8 @@ server_log_http(struct client *clt, unsi char*version = NULL; char*referrer_v = NULL; char*agent_v = NULL; + char*xff_v = NULL; + char*xfp_v = NULL; if ((srv_conf = clt->clt_srv_conf) == NULL) return (-1); @@ -1698,6 +1700,7 @@ server_log_http(struct client *clt, unsi
Re: interface queue drops in systat again, plus netstat
On Mon, Mar 04, 2019 at 09:17:00PM +1000, David Gwynne wrote: > this combines errors and qdrops into fails, and shows them by default. > if you want to look at drops or errors, you can use d or f to switch to > that view. > > this also changes netstat so it shows fails by default which is a > combination of errors and qdrops too, but -d and -e force drops or > errors respectively. > > it is really frustrating at the moment that i can't see qdrops anywhere, > which makes it hard to judge the effectiveness of some changes im > working on. > > for example, this is before and after with netstat: > > dlg@ix netstat$ netstat -I ix1 > NameMtu Network Address Ipkts IerrsOpkts Oerrs > Colls > ix1 1500b8:ca:3a:66:e2:72 193968251 0 172754300 0 > ix1 1500 192.168.1.3 192.168.1.3 193968251 0 172754300 0 > ix1 1500 192.168.1.1 192.168.1.19 193968251 0 172754300 0 > dlg@ix netstat$ ./obj/netstat -I ix1 > NameMtu Network Address Ipkts IfailOpkts Ofail > Colls > ix1 1500b8:ca:3a:66:e2:72 193968251 1789065 172754300 0 > ix1 1500 192.168.1.3 192.168.1.3 193968251 1789065 172754300 0 > ix1 1500 192.168.1.1 192.168.1.19 193968251 1789065 172754300 0 > dlg@ix netstat$ ./obj/netstat -dI ix1 > NameMtu Network Address Ipkts IdropOpkts Odrop > Colls > ix1 1500b8:ca:3a:66:e2:72 193968251 1789065 172754300 0 > ix1 1500 192.168.1.3 192.168.1.3 193968251 1789065 172754300 0 > ix1 1500 192.168.1.1 192.168.1.19 193968251 1789065 172754300 0 > dlg@ix netstat$ ./obj/netstat -eI ix1 > NameMtu Network Address Ipkts IerrsOpkts Oerrs > Colls > ix1 1500b8:ca:3a:66:e2:72 193968251 0 172754300 0 > ix1 1500 192.168.1.3 192.168.1.3 193968251 0 172754300 0 > ix1 1500 192.168.1.1 192.168.1.19 193968251 0 172754300 0 > > thoughts? I'm all for this. Having a way to see every place where packets are dropped is important. > Index: systat/if.c > === > RCS file: /cvs/src/usr.bin/systat/if.c,v > retrieving revision 1.23 > diff -u -p -r1.23 if.c > --- systat/if.c 16 Jan 2015 00:03:37 - 1.23 > +++ systat/if.c 4 Mar 2019 11:13:40 - > @@ -56,6 +56,49 @@ static void showifstat(struct ifstat *); > static void showtotal(void); > static void rt_getaddrinfo(struct sockaddr *, int, struct sockaddr **); > > +const char ifails[] = "IFAILS"; > +const char ofails[] = "OFAILS"; > + > +#define IF_ERR_SUM 0 > +#define IF_ERR_ERRORS1 > +#define IF_ERR_QDROPS2 > + > +struct if_err_view { > + const char *iname; > + const char *oname; > + uint64_t (*icount)(const struct ifcount *); > + uint64_t (*ocount)(const struct ifcount *); > +}; > + > +static uint64_t if_err_ifails(const struct ifcount *); > +static uint64_t if_err_ofails(const struct ifcount *); > +static uint64_t if_err_ierrors(const struct ifcount *); > +static uint64_t if_err_oerrors(const struct ifcount *); > +static uint64_t if_err_iqdrops(const struct ifcount *); > +static uint64_t if_err_oqdrops(const struct ifcount *); > + > +static const struct if_err_view if_err_views[] = { > + [IF_ERR_SUM] ={ > + .iname = ifails, > + .oname = ofails, > + .icount = if_err_ifails, > + .ocount = if_err_ofails, > + }, > + [IF_ERR_ERRORS] = { > + .iname = "IERRS", > + .oname = "OERRS", > + .icount = if_err_ierrors, > + .ocount = if_err_oerrors, > + }, > + [IF_ERR_QDROPS] = { > + .iname = "IQDROPS", > + .oname = "OQDROPS", > + .icount = if_err_iqdrops, > + .ocount = if_err_oqdrops, > + }, > +}; > + > +static const struct if_err_view *if_err_view = _err_views[IF_ERR_SUM]; > > /* Define fields */ > field_def fields_if[] = { > @@ -63,10 +106,10 @@ field_def fields_if[] = { > {"STATE", 4, 6, 1, FLD_ALIGN_LEFT, -1, 0, 0, 0}, > {"IPKTS", 5, 8, 1, FLD_ALIGN_RIGHT, -1, 0, 0, 0}, > {"IBYTES", 5, 8, 1, FLD_ALIGN_RIGHT, -1, 0, 0, 0}, > - {"IERRS", 5, 8, 1, FLD_ALIGN_RIGHT, -1, 0, 0, 0}, > + {ifails, 5, 8, 1, FLD_ALIGN_RIGHT, -1, 0, 0, 0}, > {"OPKTS", 5, 8, 1, FLD_ALIGN_RIGHT, -1, 0, 0, 0}, > {"OBYTES", 5, 8, 1, FLD_ALIGN_RIGHT, -1, 0, 0, 0}, > - {"OERRS", 5, 8, 1, FLD_ALIGN_RIGHT, -1, 0, 0, 0}, > + {ofails, 5, 8, 1, FLD_ALIGN_RIGHT, -1, 0, 0, 0}, > {"COLLS", 5, 8, 1, FLD_ALIGN_RIGHT, -1, 0, 0, 0}, > {"DESC", 14, 64, 1, FLD_ALIGN_LEFT, -1, 0, 0, 0}, > }; > @@ -264,9 +307,11 @@ fetchifstat(void) > UPDATE(ifc_ip, ifm_data.ifi_ipackets); > UPDATE(ifc_ib, ifm_data.ifi_ibytes); > UPDATE(ifc_ie, ifm_data.ifi_ierrors); > +
Re: mandoc -Tlint systat.1 fix
Hi David, David Gwynne wrote on Mon, Mar 04, 2019 at 08:59:12PM +1000: > lint thinks uvm_swap_get() looks like a function name, > so this uses .Fn to mark it up as one. > > ok? Sure. Given that the function uvm_swap_get() appears to be important enough to be mentioned even in a userland manual page, would it maybe also make sense to document it in uvm(9)? Not sure, just asking. If so, then the line would become ".Xr uvm_swap_get 9" afterwards. Yours, Ingo > Index: systat.1 > === > RCS file: /cvs/src/usr.bin/systat/systat.1,v > retrieving revision 1.110 > diff -u -p -r1.110 systat.1 > --- systat.1 25 Jul 2018 17:24:14 - 1.110 > +++ systat.1 4 Mar 2019 10:58:15 - > @@ -697,7 +697,8 @@ swap pages in use > .It swpgonly > in use swap pages not in RAM > .It nswget > -fault called uvm_swap_get() > +fault called > +.Fn uvm_swap_get > .It nanon > total anon's > .Pp
interface queue drops in systat again, plus netstat
this combines errors and qdrops into fails, and shows them by default. if you want to look at drops or errors, you can use d or f to switch to that view. this also changes netstat so it shows fails by default which is a combination of errors and qdrops too, but -d and -e force drops or errors respectively. it is really frustrating at the moment that i can't see qdrops anywhere, which makes it hard to judge the effectiveness of some changes im working on. for example, this is before and after with netstat: dlg@ix netstat$ netstat -I ix1 NameMtu Network Address Ipkts IerrsOpkts Oerrs Colls ix1 1500b8:ca:3a:66:e2:72 193968251 0 172754300 0 ix1 1500 192.168.1.3 192.168.1.3 193968251 0 172754300 0 ix1 1500 192.168.1.1 192.168.1.19 193968251 0 172754300 0 dlg@ix netstat$ ./obj/netstat -I ix1 NameMtu Network Address Ipkts IfailOpkts Ofail Colls ix1 1500b8:ca:3a:66:e2:72 193968251 1789065 172754300 0 ix1 1500 192.168.1.3 192.168.1.3 193968251 1789065 172754300 0 ix1 1500 192.168.1.1 192.168.1.19 193968251 1789065 172754300 0 dlg@ix netstat$ ./obj/netstat -dI ix1 NameMtu Network Address Ipkts IdropOpkts Odrop Colls ix1 1500b8:ca:3a:66:e2:72 193968251 1789065 172754300 0 ix1 1500 192.168.1.3 192.168.1.3 193968251 1789065 172754300 0 ix1 1500 192.168.1.1 192.168.1.19 193968251 1789065 172754300 0 dlg@ix netstat$ ./obj/netstat -eI ix1 NameMtu Network Address Ipkts IerrsOpkts Oerrs Colls ix1 1500b8:ca:3a:66:e2:72 193968251 0 172754300 0 ix1 1500 192.168.1.3 192.168.1.3 193968251 0 172754300 0 ix1 1500 192.168.1.1 192.168.1.19 193968251 0 172754300 0 thoughts? Index: systat/if.c === RCS file: /cvs/src/usr.bin/systat/if.c,v retrieving revision 1.23 diff -u -p -r1.23 if.c --- systat/if.c 16 Jan 2015 00:03:37 - 1.23 +++ systat/if.c 4 Mar 2019 11:13:40 - @@ -56,6 +56,49 @@ static void showifstat(struct ifstat *); static void showtotal(void); static void rt_getaddrinfo(struct sockaddr *, int, struct sockaddr **); +const char ifails[] = "IFAILS"; +const char ofails[] = "OFAILS"; + +#define IF_ERR_SUM 0 +#define IF_ERR_ERRORS 1 +#define IF_ERR_QDROPS 2 + +struct if_err_view { + const char *iname; + const char *oname; + uint64_t (*icount)(const struct ifcount *); + uint64_t (*ocount)(const struct ifcount *); +}; + +static uint64_t if_err_ifails(const struct ifcount *); +static uint64_t if_err_ofails(const struct ifcount *); +static uint64_t if_err_ierrors(const struct ifcount *); +static uint64_t if_err_oerrors(const struct ifcount *); +static uint64_t if_err_iqdrops(const struct ifcount *); +static uint64_t if_err_oqdrops(const struct ifcount *); + +static const struct if_err_view if_err_views[] = { + [IF_ERR_SUM] ={ + .iname = ifails, + .oname = ofails, + .icount = if_err_ifails, + .ocount = if_err_ofails, + }, + [IF_ERR_ERRORS] = { + .iname = "IERRS", + .oname = "OERRS", + .icount = if_err_ierrors, + .ocount = if_err_oerrors, + }, + [IF_ERR_QDROPS] = { + .iname = "IQDROPS", + .oname = "OQDROPS", + .icount = if_err_iqdrops, + .ocount = if_err_oqdrops, + }, +}; + +static const struct if_err_view *if_err_view = _err_views[IF_ERR_SUM]; /* Define fields */ field_def fields_if[] = { @@ -63,10 +106,10 @@ field_def fields_if[] = { {"STATE", 4, 6, 1, FLD_ALIGN_LEFT, -1, 0, 0, 0}, {"IPKTS", 5, 8, 1, FLD_ALIGN_RIGHT, -1, 0, 0, 0}, {"IBYTES", 5, 8, 1, FLD_ALIGN_RIGHT, -1, 0, 0, 0}, - {"IERRS", 5, 8, 1, FLD_ALIGN_RIGHT, -1, 0, 0, 0}, + {ifails, 5, 8, 1, FLD_ALIGN_RIGHT, -1, 0, 0, 0}, {"OPKTS", 5, 8, 1, FLD_ALIGN_RIGHT, -1, 0, 0, 0}, {"OBYTES", 5, 8, 1, FLD_ALIGN_RIGHT, -1, 0, 0, 0}, - {"OERRS", 5, 8, 1, FLD_ALIGN_RIGHT, -1, 0, 0, 0}, + {ofails, 5, 8, 1, FLD_ALIGN_RIGHT, -1, 0, 0, 0}, {"COLLS", 5, 8, 1, FLD_ALIGN_RIGHT, -1, 0, 0, 0}, {"DESC", 14, 64, 1, FLD_ALIGN_LEFT, -1, 0, 0, 0}, }; @@ -264,9 +307,11 @@ fetchifstat(void) UPDATE(ifc_ip, ifm_data.ifi_ipackets); UPDATE(ifc_ib, ifm_data.ifi_ibytes); UPDATE(ifc_ie, ifm_data.ifi_ierrors); + UPDATE(ifc_iq, ifm_data.ifi_iqdrops); UPDATE(ifc_op, ifm_data.ifi_opackets); UPDATE(ifc_ob, ifm_data.ifi_obytes); UPDATE(ifc_oe, ifm_data.ifi_oerrors); + UPDATE(ifc_oq, ifm_data.ifi_oqdrops); UPDATE(ifc_co, ifm_data.ifi_collisions);
mandoc -Tlint systat.1 fix
lint thinks uvm_swap_get() looks like a function name, so this uses .Fn to mark it up as one. ok? Index: systat.1 === RCS file: /cvs/src/usr.bin/systat/systat.1,v retrieving revision 1.110 diff -u -p -r1.110 systat.1 --- systat.125 Jul 2018 17:24:14 - 1.110 +++ systat.14 Mar 2019 10:58:15 - @@ -697,7 +697,8 @@ swap pages in use .It swpgonly in use swap pages not in RAM .It nswget -fault called uvm_swap_get() +fault called +.Fn uvm_swap_get .It nanon total anon's .Pp