uaq(4): aquantia usb ethernet driver

2021-08-31 Thread Jonathan Matthew
Here's a driver for the Aquantia USB ethernet devices I just added
to usbdevs.  These are somewhat interesting because they theoretically
go up to 5GbE and support jumbo frames (not implemented yet).

While working on this I noticed that it doesn't receive 15-25% of the packets
it should, even at very low packet rates, when connected to ehci(4) controllers.
No such packet loss occurs with an xhci(4) controller.  I'm not sure if this
is a problem with our ehci driver or a poor hardware interaction.

ok?

Index: files.usb
===
RCS file: /cvs/src/sys/dev/usb/files.usb,v
retrieving revision 1.145
diff -u -p -u -r1.145 files.usb
--- files.usb   4 Feb 2021 16:25:39 -   1.145
+++ files.usb   31 Aug 2021 23:41:35 -
@@ -295,6 +295,10 @@ device ure: ether, ifnet, mii, ifmedia
 attach ure at uhub
 file   dev/usb/if_ure.cure
 
+# Aquantia AQC111
+device uaq: ether, ifnet, ifmedia
+attach uaq at uhub
+file   dev/usb/if_uaq.cuaq
 
 # Serial drivers
 # Modems
Index: if_uaq.c
===
RCS file: if_uaq.c
diff -N if_uaq.c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ if_uaq.c31 Aug 2021 23:41:35 -
@@ -0,0 +1,1397 @@
+/* $OpenBSD$   */
+/*-
+ * Copyright (c) 2021 Jonathan Matthew 
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *notice, this list of conditions and the following disclaimer in the
+ *documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "bpfilter.h"
+#include "vlan.h"
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#include 
+
+#include 
+#include 
+
+#if NBPFILTER > 0
+#include 
+#endif
+
+#include 
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#ifdef UAQ_DEBUG
+#define DPRINTF(x) do { if (uaqdebug) printf x; } while (0)
+#define DPRINTFN(n,x)  do { if (uaqdebug >= (n)) printf x; } while (0)
+intuaqdebug = 0;
+#else
+#define DPRINTF(x)
+#define DPRINTFN(n,x)
+#endif
+
+#define UAQ_ENDPT_RX   0
+#define UAQ_ENDPT_TX   1
+#define UAQ_ENDPT_INTR 2
+#define UAQ_ENDPT_MAX  3
+
+#define UAQ_TX_LIST_CNT1
+#define UAQ_RX_LIST_CNT1
+#define UAQ_TX_BUF_ALIGN   8
+#define UAQ_RX_BUF_ALIGN   8
+
+#define UAQ_TX_BUFSZ   16384
+#define UAQ_RX_BUFSZ   32768
+
+#define UAQ_CTL_READ   1
+#define UAQ_CTL_WRITE  2
+
+#define UAQ_MCAST_FILTER_SIZE  8
+
+/* control commands */
+#define UAQ_CMD_ACCESS_MAC 0x01
+#define UAQ_CMD_FLASH_PARAM0x20
+#define UAQ_CMD_PHY_POWER  0x31
+#define UAQ_CMD_WOL_CFG0x60
+#define UAQ_CMD_PHY_OPS0x61
+
+/* SFR registers */
+#define UAQ_SFR_GENERAL_STATUS 0x03
+#define UAQ_SFR_CHIP_STATUS0x05
+#define UAQ_SFR_RX_CTL 0x0B
+#define  UAQ_SFR_RX_CTL_STOP   0x
+#define  UAQ_SFR_RX_CTL_PRO0x0001
+#define  UAQ_SFR_RX_CTL_AMALL  0x0002
+#define  UAQ_SFR_RX_CTL_AB 0x0008
+#define  UAQ_SFR_RX_CTL_AM 0x0010
+#define  UAQ_SFR_RX_CTL_START  0x0080
+#define  UAQ_SFR_RX_CTL_IPE0x0200
+#define UAQ_SFR_IPG_0  0x0D
+#define UAQ_SFR_NODE_ID0x10
+#define UAQ_SFR_MCAST_FILTER   0x16
+#define UAQ_SFR_MEDIUM_STATUS_MODE 0x22
+#define  UAQ_SFR_MEDIUM_XGMIIMODE  0x0001
+#define  UAQ_SFR_MEDIUM_FULL_DUPLEX0x0002
+#define  UAQ_SFR_MEDIUM_RXFLOW_CTRLEN  0x0010
+#define  UAQ_SFR_MEDIUM_TXFLOW_CTRLEN  0x0020
+#define  UAQ_SFR_MEDIUM_JUMBO_EN   0x0040
+#define  UAQ_SFR_MEDIUM_RECEIVE_EN 0x0100
+#define UAQ_SFR_MONITOR_MODE   0x24
+#define  UAQ_SFR_MONITOR_MODE_EPHYRW   0x01
+#define  UAQ_SFR_MONITOR_MODE_RWLC 0x02
+#define  UAQ_SFR_MONITOR_MODE_RWMP 0x04
+#define  UAQ_SFR_MONITOR_MODE_RWWF 

acpibtn.4: Mention sleep putton, lid status and machdep.{lid,pwr}action

2021-08-31 Thread Klemens Nanni
landry added the sensor back in 2013 and suspend via sleep button also works
(at least on ThinkPads).

machdep.*action are super useful and I dislike grepping /etc/examples/
to read about them.

acpibtn(4) is the most prominent driver supporting, so documenting them
there seems fine and finally pleases my muscle memory:

$ man -k any=lidaction
acpibtn(4) - ACPI button

suspend/hibernate wording is taken from apm(8).
sysctl value list style is taken from sysctl(2)'s KERN_POOL_DEBUG.

Feedback? OK?

Index: acpibtn.4
===
RCS file: /cvs/src/share/man/man4/acpibtn.4,v
retrieving revision 1.5
diff -u -p -r1.5 acpibtn.4
--- acpibtn.4   16 Jul 2013 16:05:48 -  1.5
+++ acpibtn.4   31 Aug 2021 23:37:20 -
@@ -25,17 +25,59 @@
 .Sh DESCRIPTION
 The
 .Nm
-driver is used to handle the event triggered when the user presses an ACPI
-button.
-Currently, the only event handled is the press of a power button which
-causes the system to perform a regular system shutdown and power off the
-machine if the
+driver handles events triggered by ACPI buttons.
+Currently, only power button, sleep button and lid status events are supported.
+.Pp
+The power button event is handled according to the
+.Va machdep.pwraction
+.Xr sysctl 8 .
+Valid values are:
+.Pp
+.Bl -tag -width 3n -offset indent -compact
+.It 0
+Do nothing.
+.It 1
+Perform a regular system shutdown and power off the machine if the
 .Va hw.allowpowerdown
+sysctl is set to 1.
+.It 2
+Put the system into suspend (deep sleep) state.
+.El
+.Pp
+The sleep button event puts the system into suspend (deep sleep) state.
+.Pp
+The lid status event is handled according to the
+.Va machdep.lidaction
+sysctl.
+Valid values are:
+.Pp
+.Bl -tag -width 3n -offset indent -compact
+.It 0
+Do nothing.
+.It 1
+Put the system into suspend (deep sleep) state.
+.It 2
+Put the system into hibernation.
+System memory is saved to disk (swap space)
+and the machine is powered down.
+For machines supporting the
+.Xr acpi 4
+style hibernate functionality, on resume a full kernel
+boot will occur, followed by the reading of the saved
+memory image.
+The image will then be unpacked and the system resumed
+at the point immediately after the hibernation request.
+.El
+.Pp
+The lid status is set up as sensor and can be monitored using
 .Xr sysctl 8
-is set to 1.
+or
+.Xr sensorsd 8 .
 .Sh SEE ALSO
 .Xr acpi 4 ,
-.Xr intro 4
+.Xr intro 4 ,
+.Xr sensorsd 8 ,
+.Xr sysctl 8
 .Sh HISTORY
 The
 .Nm



diff(1)ing hardlinks

2021-08-31 Thread Alexander Hall
If two files to be compared share the same inode, it should
be reasonable to consider them identical.

This gives a substantial speedup when comparing directory
structures with many hardlinked files, e.g. when using
rsnapshot for incremental backup.

Comments? OK?

/Alexander

Index: diffreg.c
===
RCS file: /cvs/src/usr.bin/diff/diffreg.c,v
retrieving revision 1.93
diff -u -p -r1.93 diffreg.c
--- diffreg.c   28 Jun 2019 13:35:00 -  1.93
+++ diffreg.c   31 Aug 2021 23:07:51 -
@@ -429,6 +429,10 @@ files_differ(FILE *f1, FILE *f2, int fla
if ((flags & (D_EMPTY1|D_EMPTY2)) || stb1.st_size != stb2.st_size ||
(stb1.st_mode & S_IFMT) != (stb2.st_mode & S_IFMT))
return (1);
+
+   if (stb1.st_dev == stb2.st_dev && stb1.st_ino == stb2.st_ino)
+   return (0);
+
for (;;) {
i = fread(buf1, 1, sizeof(buf1), f1);
j = fread(buf2, 1, sizeof(buf2), f2);
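Review bot: The added dev/ino shortcut before the `for (;;)` loop treats any device-and-inode match as proof of identical contents, but it is not limited to regular files, and some filesystems (network or FUSE mounts, for instance) may report a zero or non-unique `st_ino`, so two distinct files could be reported identical without a byte being read. Restricting it, `if (S_ISREG(stb1.st_mode) && stb1.st_ino != 0 && stb1.st_dev == stb2.st_dev && stb1.st_ino == stb2.st_ino)`, keeps the speedup for the hardlink case the message targets while falling through to the byte comparison otherwise. The `S_IFMT` comparison on the line above already guarantees both files have the same type, so checking `stb1` alone is enough. Where `stb1`/`stb2` are filled in is outside the hunk, as is the start of `files_differ()`.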



Re: teach pf to refragment ipv4 packets

2021-08-31 Thread David Gwynne
On Tue, Aug 31, 2021 at 09:34:19PM +0200, Alexander Bluhm wrote:
> Hi,
> 
> This looks like a hack for a problem that should not exist.

I should unconditionally refragment reassembled packets?

> What is the MTU of the outgoing interface on your pf router?  If
> the layer 2 switches do not support 9k jumbo frames, it must be
> 1500.

There are two outgoing interfaces on each of the pf routers, and
they all use 9000 as their MTU. Because we're using OSPF for peering at
the moment, the MTU has to agree for the protocol to come up.

I could modify or add a route with a low MTU to the endpoint in question,
but there's no way to integrate that with the dynamic routing and
failover handling that OSPF provides.

The network they're connected to is made up of over 2000 switches
though, which is best described as "an ongoing effort to maintain".
In my current situation with the tunnelled packets, the l2 hop with a
1500 byte MTU is not directly connected to any of my hosts.

An example topology for this situation is:

- Tunnel endpoint
  - etherip0 has 1500 byte MTU and -tunneldf
  - em0 has 1500 byte MTU
- PF+OSPF box
 - vlan881 facing tunnel endpoint has 1500 byte MTU
 - vlan362/vlan363 facing campus has 9000 byte MTU
- Campus core
  - here be dragons, but also 9000 byte MTU
- Building router
  - 9000 byte MTU
- distribution switch
  - 1500 byte MTU
- access switch
  - 9000 byte MTU
- Tunnel endpoint
  - bge0 has 1500 byte MTU
  - etherip0 has 1500 byte MTU and -tunneldf

Annoyingly, this would be fine except for that distribution switch with
the 1500 byte mtu. I'm forever grateful that OpenBSD accepts large
packets regardless of what the MTU is set to, it's only limited by
hardware.

However, I have had a similar problem where the network supports 9k
the whole way through, but the hosts on each end of the network
only handle 1500.

> Why are the outgoing packets not fragmented to the MTU?

Say I have a 4k UDP packet that enters the firewall as 1500 byte
fragments. PF reassembles it, and then sends it as a single 4k frame to
one of my outgoing links.

The second topology is like this:

- A server sending 4k UDP packets
  - ix0 has 1500 byte MTU
- PF+OSPF box
 - vlan82 facing the server has 1500 byte MTU
 - vlan362/vlan363 facing campus has 9000 byte MTU
- Campus core
  - here be dragons, but also 9000 byte MTU
- Building router
  - 9000 byte MTU
- distribution switch
  - 9000 byte MTU
- access switch
  - 9000 byte MTU
- Windows box
  - MTU is 1500, so MRU is also 1500

I guess the overall question is if an IPv4 packet size is a hop by hop
thing, or whether the endpoints should have final say about what they're
prepared to deal with.

> Is the dont-fragment flag set?

No. It wasn't set entering the firewall, and it's not set leaving the
firewall.

> Does pf preserve the DF flag when reassembling and forwarding?

Yes, but that's not what's being discussed here. It's vanilla
fragmented packets I'm having trouble with.

> I think we must clear the DF of reassembled forwarded packets.  Do
> you see fragments with DF?

I don't have fragmented packets with DF set.

> If we have fragments with DF and reassemble them, we should have
> the logic like you suggest.  Then we are basically in the same
> sitution as IPv6 and have to preserve the fragment length for path
> MTU discovery.

Agreed.

> I have not seen this in the last 10 years.  And to reduce complexity
> I would prefer to clear the DF instead.  Have you tried the no-df
> option?

There's no DF to clear.

> If your solution fixes a DF problem, and makes the no-df option
> superfluous, and works out of the box, we can consider implementing
> it for DF packets.

I'll have to think about that for a bit.

> 
> bluhm
> 
> On Tue, Aug 31, 2021 at 10:56:34PM +1000, David Gwynne wrote:
> > i am in an annoying situation where i peer with a campus network on an
> > ospf link with a 9k mtu, but some corners of that network have layer 2
> > hops that don't support 9k packets. i sometimes want to tunnel large
> > (1500 byte) packets to hosts in those corners of the network by
> > letting the encapsulation protocol fragment. the tunnel endpoint
> > will then reassemble the packet and forward the full sized frame
> > as if nothing untoward happened.
> >
> > the problem is that pf on the ospf hop "helps" by reassembling these
> > fragmented tunnel packets before sending them out the 9k ospf link.
> > the layer 2 hops then drop the packet because it's too big. i do
> > want pf to reassemble the packets so it can check it, but i also
> > want it to refragment it again afterward.
> >
> > it turns out this is something that happens for ipv6 already, because
> > fragmentation in v6 is only supposed to be done by the endpoints. this
> > diff allows this same semantic for v4 packets if requested. to enable
> > it, configure "set reassemble yes refragment" in your pf.conf and it
> > will do the same for v4 that it does for v6.
> >
> > i've only tested this lightly and now i need sleep. 

Re: allow KARL with config(8)'d kernels

2021-08-31 Thread Paul de Weerd
Thank you for the suggestion Theo, I tried to update those two pages,
but a better name did not occur to me.  If anything it points at an
issue in the boot_config page which currently states: 

"Changes made can be saved for the next reboot, by using config(8)."

Although true, this breaks KARL with the user none the wiser (they may
not even be aware of the feature in the first place).  The diff below
talks a little bit about kernel relinking; I'm not sure it should (I
don't think there's mention of this elsewhere .. should it be left
out?).

Anyway, I'm a bit stuck with this project now.  Perhaps Theo's
suggestion /etc/bsd.re-config [1] is the best way to go?  The age-old
axiom of "only two hard problems in computer science" persists:
off-by-one's, cache invalidation .. and naming things :-/

Paul

[1]: https://marc.info/?l=openbsd-tech=163024631923964=2

Index: ./usr.sbin/config/config.8
===
RCS file: /home/OpenBSD/cvs/src/usr.sbin/config/config.8,v
retrieving revision 1.71
diff -u -p -r1.71 config.8
--- ./usr.sbin/config/config.8  8 Mar 2021 02:47:29 -   1.71
+++ ./usr.sbin/config/config.8  31 Aug 2021 19:17:43 -
@@ -65,6 +65,11 @@ Similarly, the same editing can be done 
 using the in-kernel editor,
 as described in
 .Xr boot_config 8 .
+Note that any such edits will be lost during upgrades and prevent a newly
+linked kernel from being installed at boot time.
+For such cases, this process can also be automated during boot using the
+.Xr kernel.conf 5
+configuration file.
 .Pp
 For kernel building, the options are as follows:
 .Bl -tag -width Ds
@@ -436,6 +441,7 @@ was given, else ignore changes).
 .Sh SEE ALSO
 .Xr options 4 ,
 .Xr files.conf 5 ,
+.Xr kernel.conf 5,
 .Xr boot.conf 8 ,
 .Xr boot_config 8
 .Pp
Index: ./share/man/man8/boot_config.8
===
RCS file: /home/OpenBSD/cvs/src/share/man/man8/boot_config.8,v
retrieving revision 1.31
diff -u -p -r1.31 boot_config.8
--- ./share/man/man8/boot_config.8  6 Sep 2019 21:30:32 -   1.31
+++ ./share/man/man8/boot_config.8  31 Aug 2021 19:17:20 -
@@ -60,6 +60,12 @@ UKC>
 .Pp
 Changes made can be saved for the next reboot, by using
 .Xr config 8 .
+However, those would not be persisted across system upgrades and would
+prevent kernel relinking.
+To ensure these changes are carried over to upgraded kernels, they can
+be save to the
+.Xr kernel.conf 5
+configuration file.
 .Sh COMMANDS
 .Bl -tag -width "disable devno | dev"
 .It Ic add Ar dev
@@ -189,6 +195,7 @@ Continuing...
 mainbus0 (root)
 .Ed
 .Sh SEE ALSO
+.Xr kernel.conf 5
 .Xr config 8
 .Sh AUTHORS
 .An Mats O Jansson Aq Mt m...@stacken.kth.se

On Sun, Aug 29, 2021 at 07:30:02AM -0600, Theo de Raadt wrote:
| man -k kernel, and man -k ukc, both suggest these are poor names
| for different reasons.
| 
| maybe if you write some diffs to hint at the existance of this mechanism
| in the config(8) and boot_config(8) manual pages, a better name will
| sneak up on us.
| 
| Paul de Weerd  wrote:
| 
| > Hi Theo,
| > 
| > That's a good point, but I have no better alternative.  kernel.conf
| > was the best I could come up with, as it is a configuration file for
| > the (installed) kernel.  I briefly considered:
| > 
| > - config.conf (after config(8), but seems hilariously worse to me)
| > - ukc.conf (has similar (perhaps even stronger) issues as kernel.conf)
| > 
| > Do others have a good suggestion for the color of this particular bike
| > shed?  Open to suggestions!
| > 
| > Paul
| > 
| > On Sun, Aug 29, 2021 at 07:15:34AM -0600, Theo de Raadt wrote:
| > | I am not thrilled with the name "kernel.conf".
| > | 
| > | It does not seem intuitively discoverable.
| > | 
| > | Paul de Weerd  wrote:
| > | 
| > | > Got some more positive feedback off-list, which reminded me that
| > | > there's a small piece missing:
| > | > 
| > | > Index: changelist
| > | > ===
| > | > RCS file: /home/OpenBSD/cvs/src/etc/changelist,v
| > | > retrieving revision 1.128
| > | > diff -u -p -r1.128 changelist
| > | > --- changelist  30 Jul 2021 07:00:02 -  1.128
| > | > +++ changelist  29 Aug 2021 12:12:04 -
| > | > @@ -56,6 +56,7 @@
| > | >  +/etc/isakmpd/isakmpd.policy
| > | >  /etc/isakmpd/local.pub
| > | >  +/etc/isakmpd/private/local.key
| > | > +/etc/kernel.conf
| > | >  /etc/ksh.kshrc
| > | >  /etc/ldapd.conf
| > | >  /etc/ldpd.conf
| > | > 
| > | > Full diff (including the original diff, the diff to install.sub and
| > | > the above changelist diff) below.  Anything else I overlooked?
| > | > 
| > | > Paul
| > | > 
| > | > Index: distrib/miniroot/install.sub
| > | > ===
| > | > RCS file: /home/OpenBSD/cvs/src/distrib/miniroot/install.sub,v
| > | > retrieving revision 1.1172
| > | > diff -u -p -r1.1172 install.sub
| > | > --- 

Re: teach pf to refragment ipv4 packets

2021-08-31 Thread Alexander Bluhm
Hi,

This looks like a hack for a problem that should not exist.

What is the MTU of the outgoing interface on your pf router?  If
the layer 2 switches do not support 9k jumbo frames, it must be
1500.

Why are the outgoing packets not fragmented to the MTU?  Is the
dont-fragment flag set?  Does pf preserve the DF flag when reassembling
and forwarding?

I think we must clear the DF of reassembled forwarded packets.  Do
you see fragments with DF?

If we have fragments with DF and reassemble them, we should have
the logic like you suggest.  Then we are basically in the same
situation as IPv6 and have to preserve the fragment length for path
MTU discovery.

I have not seen this in the last 10 years.  And to reduce complexity
I would prefer to clear the DF instead.  Have you tried the no-df
option?

If your solution fixes a DF problem, and makes the no-df option
superfluous, and works out of the box, we can consider implementing
it for DF packets.

bluhm

On Tue, Aug 31, 2021 at 10:56:34PM +1000, David Gwynne wrote:
> i am in an annoying situation where i peer with a campus network on an
> ospf link with a 9k mtu, but some corners of that network have layer 2
> hops that don't support 9k packets. i sometimes want to tunnel large
> (1500 byte) packets to hosts in those corners of the network by
> letting the encapsulation protocol fragment. the tunnel endpoint
> will then reassemble the packet and forward the full sized frame
> as if nothing untoward happened.
> 
> the problem is that pf on the ospf hop "helps" by reassembling these
> fragmented tunnel packets before sending them out the 9k ospf link.
> the layer 2 hops then drop the packet because it's too big. i do
> want pf to reassemble the packets so it can check it, but i also
> want it to refragment it again afterward.
> 
> it turns out this is something that happens for ipv6 already, because
> fragmentation in v6 is only supposed to be done by the endpoints. this
> diff allows this same semantic for v4 packets if requested. to enable
> it, configure "set reassemble yes refragment" in your pf.conf and it
> will do the same for v4 that it does for v6.
> 
> i've only tested this lightly and now i need sleep. anyone have any
> thoughts on this?
> 
> note that m_tag_find is really cheap if the tag doesnt exist thanks to
> henning@.
> 
> Index: sys/net/pf.c
> ===
> RCS file: /cvs/src/sys/net/pf.c,v
> retrieving revision 1.1122
> diff -u -p -r1.1122 pf.c
> --- sys/net/pf.c  7 Jul 2021 18:38:25 -   1.1122
> +++ sys/net/pf.c  31 Aug 2021 12:42:51 -
> @@ -6049,6 +6049,7 @@ void
>  pf_route(struct pf_pdesc *pd, struct pf_state *s)
>  {
>   struct mbuf *m0;
> + struct m_tag*mtag;
>   struct mbuf_list fml;
>   struct sockaddr_in  *dst, sin;
>   struct rtentry  *rt = NULL;
> @@ -6132,6 +6133,15 @@ pf_route(struct pf_pdesc *pd, struct pf_
>   ip = mtod(m0, struct ip *);
>   }
>  
> + /*
> +  * If packet has been reassembled by PF earlier, we might have to
> +  * use pf_refragment4() here to turn it back to fragments.
> +  */
> + if ((mtag = m_tag_find(m0, PACKET_TAG_PF_REASSEMBLED, NULL))) {
> + (void) pf_refragment4(, mtag, dst, ifp, rt);
> + goto done;
> + }
> +
>   in_proto_cksum_out(m0, ifp);
>  
>   if (ntohs(ip->ip_len) <= ifp->if_mtu) {
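Review bot: The `(void)` discard of `pf_refragment4()`'s return in the block added before `in_proto_cksum_out()` leaves mbuf ownership on the failure path undocumented: the code jumps to `done` without touching `m0` again, which is only correct if the helper consumes the chain whether or not it succeeds. The comment above the call should say so, e.g. `/* pf_refragment4() takes ownership of m0 and frees it on failure */`, or the result should feed the drop accounting the way the later hunk does by assigning it to `action`. This appears to mirror the existing v6 route path, so the behaviour may well be intended; the `done:` label and the rest of `pf_route()` are outside the hunk, as is `pf_refragment4()` itself.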
> @@ -7357,16 +7367,20 @@ done:
>   break;
>   }
>  
> -#ifdef INET6
>   /* if reassembled packet passed, create new fragments */
> - if (pf_status.reass && action == PF_PASS && pd.m && fwdir == PF_FWD &&
> - pd.af == AF_INET6) {
> + if (pf_status.reass && action == PF_PASS && pd.m && fwdir == PF_FWD) {
>   struct m_tag*mtag;
>  
> - if ((mtag = m_tag_find(pd.m, PACKET_TAG_PF_REASSEMBLED, NULL)))
> + mtag = m_tag_find(pd.m, PACKET_TAG_PF_REASSEMBLED, NULL);
> + if (mtag == NULL)
> + ; /* no reassembly required */
> +#ifdef INET6
> + else if (pd.af == AF_INET6)
>   action = pf_refragment6(, mtag, NULL, NULL, NULL);
> - }
>  #endif   /* INET6 */
> + else
> + action = pf_refragment4(, mtag, NULL, NULL, NULL);
> + }
>   if (s && action != PF_DROP) {
>   if (!s->if_index_in && dir == PF_IN)
>   s->if_index_in = ifp->if_index;
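Review bot: The rewritten condition `if (pf_status.reass && action == PF_PASS && pd.m && fwdir == PF_FWD)` now reaches the new `else` branch for every reassembled, forwarded IPv4 packet, yet nothing in the hunk tests the `refragment` option the message describes as opt-in; unless the pf_norm.c change (cut off in this message) only attaches `PACKET_TAG_PF_REASSEMBLED` for v4 when that option is enabled, `set reassemble yes` alone would change forwarding behaviour for existing configurations. Either gate the v4 call on the option here or add a comment naming where it is enforced, e.g. `/* v4 tag is only set when refragment is configured, see pf_reassemble() */`. The empty `;` branch with `/* no reassembly required */` and the `#ifdef INET6` now splitting an if/else chain compile fine but read awkwardly; nesting the two calls under `if (mtag != NULL)` would avoid both. The enclosing function continues outside the hunk.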
> Index: sys/net/pf_norm.c
> ===
> RCS file: /cvs/src/sys/net/pf_norm.c,v
> retrieving revision 1.223
> diff -u -p -r1.223 pf_norm.c
> --- sys/net/pf_norm.c 10 Mar 2021 10:21:48 -  1.223
> +++ sys/net/pf_norm.c 31 Aug 2021 12:42:51 -
> @@ -782,7 +782,7 @@ pf_reassemble(struct mbuf **m0, int dir,
>   struct pf_frent *frent;
>   struct pf_fragment  *frag;
>   struct pf_frnode 

Re: rpki-client exclude files from rsync fetch

2021-08-31 Thread Sebastian Benoit
Theo de Raadt(dera...@openbsd.org) on 2021.08.31 11:09:22 -0600:
> I don't understand -- why would people edit this file?
> 
> If this list is in argv, it will be difficult to identify targets using
> ps, because the hostname is way at the end.

Yes.

If we worry about people touching it, rpki-client could write it out to a
tmp file just before running rsync. But I think that can be done when
someone actually shoots themselves in the foot.

ok for the diff.
 
> Job Snijders  wrote:
> 
> > Hi,
> > 
> > I don't think this should be user configurable.
> > 
> > If folks remove entries like "+ *.crl" it breaks things.
> > If folks add entries like "+ *.mp3" it wastes network bandwidth. :-)
> > 
> > Let's use "--include" and "--exclude" instead.
> > 
> > kind regards,
> > 
> > Job
> > 
> > On Tue, Aug 31, 2021 at 02:23:57PM +0200, Claudio Jeker wrote:
> > > RPKI repository can only include a few specific files, everything else is
> > > just ignored and deleted after every fetch.  Since openrsync supports
> > > --exclude-file now we can use this to limit what is actually accepted by
> > > the client.
> > > 
> > > I used a config file in /etc/rpki instead of using multiple --exclude /
> > > --include arguments. Mostly to keep the execvp argv short.
> > > 
> > > What you think?
> > > -- 
> > > :wq Claudio
> > > 
> > > Index: etc/Makefile
> > > ===
> > > RCS file: /cvs/src/etc/Makefile,v
> > > retrieving revision 1.484
> > > diff -u -p -r1.484 Makefile
> > > --- etc/Makefile  1 May 2021 16:11:07 -   1.484
> > > +++ etc/Makefile  31 Aug 2021 12:17:40 -
> > > @@ -156,7 +156,7 @@ distribution-etc-root-var: distrib-dirs
> > >   ${DESTDIR}/etc/ppp
> > >   cd rpki; \
> > >   ${INSTALL} -c -o root -g wheel -m 644 \
> > > - afrinic.tal apnic.tal lacnic.tal ripe.tal \
> > > + afrinic.tal apnic.tal lacnic.tal ripe.tal rsync.filter \
> > >   ${DESTDIR}/etc/rpki
> > >   cd examples; \
> > >   ${INSTALL} -c -o root -g wheel -m 644 ${EXAMPLES} \
> > > Index: etc/rpki/rsync.filter
> > > ===
> > > RCS file: etc/rpki/rsync.filter
> > > diff -N etc/rpki/rsync.filter
> > > --- /dev/null 1 Jan 1970 00:00:00 -
> > > +++ etc/rpki/rsync.filter 31 Aug 2021 12:09:24 -
> > > @@ -0,0 +1,7 @@
> > > ++ */
> > > ++ *.cer
> > > ++ *.crl
> > > ++ *.gbr
> > > ++ *.mft
> > > ++ *.roa
> > > +- *
> > > Index: usr.sbin/rpki-client/rsync.c
> > > ===
> > > RCS file: /cvs/src/usr.sbin/rpki-client/rsync.c,v
> > > retrieving revision 1.24
> > > diff -u -p -r1.24 rsync.c
> > > --- usr.sbin/rpki-client/rsync.c  19 Apr 2021 17:04:35 -  1.24
> > > +++ usr.sbin/rpki-client/rsync.c  31 Aug 2021 12:17:11 -
> > > @@ -279,6 +279,8 @@ proc_rsync(char *prog, char *bind_addr, 
> > >   args[i++] = "--no-motd";
> > >   args[i++] = "--timeout";
> > >   args[i++] = "180";
> > > + args[i++] = "--exclude-from";
> > > + args[i++] = "/etc/rpki/rsync.filter";
> > >   if (bind_addr != NULL) {
> > >   args[i++] = "--address";
> > >   args[i++] = (char *)bind_addr;
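Review bot: The new `--exclude-from /etc/rpki/rsync.filter` arguments make every repository fetch depend on a file the child reads at exec time, and rsync implementations generally treat an unreadable rule file as fatal, so a missing or mis-permissioned `/etc/rpki/rsync.filter` would turn into failed syncs with no diagnostic from rpki-client itself. A pre-check in `proc_rsync()`, e.g. `if (access("/etc/rpki/rsync.filter", R_OK) == -1) warn("/etc/rpki/rsync.filter");`, or passing the rules as `--include`/`--exclude` arguments as the thread suggests, removes that external dependency. A comment on the two added lines should also state the purpose: the filter bounds which file types an untrusted repository can place in the local cache. The same hunk is quoted again in the second copy of this post below; `proc_rsync()` begins outside the hunk.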
> > > 
> > 
> 



Re: rpki-client exclude files from rsync fetch

2021-08-31 Thread Theo de Raadt
I don't understand -- why would people edit this file?

If this list is in argv, it will be difficult to identify targets using
ps, because the hostname is way at the end.

Job Snijders  wrote:

> Hi,
> 
> I don't think this should be user configurable.
> 
> If folks remove entries like "+ *.crl" it breaks things.
> If folks add entries like "+ *.mp3" it wastes network bandwidth. :-)
> 
> Let's use "--include" and "--exclude" instead.
> 
> kind regards,
> 
> Job
> 
> On Tue, Aug 31, 2021 at 02:23:57PM +0200, Claudio Jeker wrote:
> > RPKI repository can only include a few specific files, everything else is
> > just ignored and deleted after every fetch.  Since openrsync supports
> > --exclude-file now we can use this to limit what is actually accepted by
> > the client.
> > 
> > I used a config file in /etc/rpki instead of using multiple --exclude /
> > --include arguments. Mostly to keep the execvp argv short.
> > 
> > What you think?
> > -- 
> > :wq Claudio
> > 
> > Index: etc/Makefile
> > ===
> > RCS file: /cvs/src/etc/Makefile,v
> > retrieving revision 1.484
> > diff -u -p -r1.484 Makefile
> > --- etc/Makefile1 May 2021 16:11:07 -   1.484
> > +++ etc/Makefile31 Aug 2021 12:17:40 -
> > @@ -156,7 +156,7 @@ distribution-etc-root-var: distrib-dirs
> > ${DESTDIR}/etc/ppp
> > cd rpki; \
> > ${INSTALL} -c -o root -g wheel -m 644 \
> > -   afrinic.tal apnic.tal lacnic.tal ripe.tal \
> > +   afrinic.tal apnic.tal lacnic.tal ripe.tal rsync.filter \
> > ${DESTDIR}/etc/rpki
> > cd examples; \
> > ${INSTALL} -c -o root -g wheel -m 644 ${EXAMPLES} \
> > Index: etc/rpki/rsync.filter
> > ===
> > RCS file: etc/rpki/rsync.filter
> > diff -N etc/rpki/rsync.filter
> > --- /dev/null   1 Jan 1970 00:00:00 -
> > +++ etc/rpki/rsync.filter   31 Aug 2021 12:09:24 -
> > @@ -0,0 +1,7 @@
> > ++ */
> > ++ *.cer
> > ++ *.crl
> > ++ *.gbr
> > ++ *.mft
> > ++ *.roa
> > +- *
> > Index: usr.sbin/rpki-client/rsync.c
> > ===
> > RCS file: /cvs/src/usr.sbin/rpki-client/rsync.c,v
> > retrieving revision 1.24
> > diff -u -p -r1.24 rsync.c
> > --- usr.sbin/rpki-client/rsync.c19 Apr 2021 17:04:35 -  1.24
> > +++ usr.sbin/rpki-client/rsync.c31 Aug 2021 12:17:11 -
> > @@ -279,6 +279,8 @@ proc_rsync(char *prog, char *bind_addr, 
> > args[i++] = "--no-motd";
> > args[i++] = "--timeout";
> > args[i++] = "180";
> > +   args[i++] = "--exclude-from";
> > +   args[i++] = "/etc/rpki/rsync.filter";
> > if (bind_addr != NULL) {
> > args[i++] = "--address";
> > args[i++] = (char *)bind_addr;
> > 
> 



regress progs

2021-08-31 Thread Alexander Bluhm
Hi,

bsd.prog.mk supports PROGS (with an S) for a while.  I think we
should have multiple programs in bsd.regress.mk, too.  Mainly for
consistency, but a few tests could be simplified with this.

ok?

bluhm

Index: bsd.regress.mk
===
RCS file: /data/mirror/openbsd/cvs/src/share/mk/bsd.regress.mk,v
retrieving revision 1.23
diff -u -p -r1.23 bsd.regress.mk
--- bsd.regress.mk  17 Dec 2020 14:54:15 -  1.23
+++ bsd.regress.mk  30 Aug 2021 20:42:35 -
@@ -8,7 +8,7 @@ NOMAN=
 install:
 
 # If REGRESS_TARGETS is defined and PROG is not defined, set NOPROG
-.if defined(REGRESS_TARGETS) && !defined(PROG)
+.if defined(REGRESS_TARGETS) && !defined(PROG) && !defined(PROGS)
 NOPROG=
 .endif
 
@@ -31,16 +31,16 @@ _REGRESS_NAME=${.CURDIR:S/${BSDSRCDIR}\/
 _REGRESS_TMP?=/dev/null
 _REGRESS_OUT= | tee -a ${REGRESS_LOG} ${_REGRESS_TMP} 2>&1 > /dev/null
 
-.if defined(PROG) && !empty(PROG)
-run-regress-${PROG}: ${PROG}
-   ./${PROG}
-.PHONY: run-regress-${PROG}
-.endif
+.for p in ${PROG} ${PROGS}
+run-regress-$p: $p
+   ./$p
+.PHONY: run-regress-$p
+.endfor
 
-.if defined(PROG) && !defined(REGRESS_TARGETS)
-REGRESS_TARGETS=run-regress-${PROG}
+.if (defined(PROG) || defined(PROGS)) && !defined(REGRESS_TARGETS)
+REGRESS_TARGETS=   ${PROG:S/^/run-regress-/} ${PROGS:S/^/run-regress-/}
 .  if defined(REGRESS_SKIP)
-REGRESS_SKIP_TARGETS=run-regress-${PROG}
+REGRESS_SKIP_TARGETS=  ${PROG:S/^/run-regress-/} ${PROGS:S/^/run-regress-/}
 .  endif
 .endif
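Review bot: `${PROG:S/^/run-regress-/} ${PROGS:S/^/run-regress-/}` is spelled out twice, once for REGRESS_TARGETS and once for REGRESS_SKIP_TARGETS; computing it once into a private variable such as `_REGRESS_PROGS=${PROG:S/^/run-regress-/} ${PROGS:S/^/run-regress-/}` and using it in both assignments keeps the two lists from drifting. Dropping the old `!empty(PROG)` guard is harmless because the `.for` loop runs zero times on an empty list, and an empty PROG now yields an empty target list instead of a bare `run-regress-` target, which is worth a sentence in the commit message.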
 



Re: rpki-client exclude files from rsync fetch

2021-08-31 Thread Job Snijders
Hi,

I don't think this should be user configurable.

If folks remove entries like "+ *.crl" it breaks things.
If folks add entries like "+ *.mp3" it wastes network bandwidth. :-)

Let's use "--include" and "--exclude" instead.

kind regards,

Job

On Tue, Aug 31, 2021 at 02:23:57PM +0200, Claudio Jeker wrote:
> An RPKI repository can only include a few specific files; everything else is
> just ignored and deleted after every fetch.  Since openrsync supports
> --exclude-file now we can use this to limit what is actually accepted by
> the client.
> 
> I used a config file in /etc/rpki instead of using multiple --exclude /
> --include arguments. Mostly to keep the execvp argv short.
> 
> What you think?
> -- 
> :wq Claudio
> 
> Index: etc/Makefile
> ===
> RCS file: /cvs/src/etc/Makefile,v
> retrieving revision 1.484
> diff -u -p -r1.484 Makefile
> --- etc/Makefile  1 May 2021 16:11:07 -   1.484
> +++ etc/Makefile  31 Aug 2021 12:17:40 -
> @@ -156,7 +156,7 @@ distribution-etc-root-var: distrib-dirs
>   ${DESTDIR}/etc/ppp
>   cd rpki; \
>   ${INSTALL} -c -o root -g wheel -m 644 \
> - afrinic.tal apnic.tal lacnic.tal ripe.tal \
> + afrinic.tal apnic.tal lacnic.tal ripe.tal rsync.filter \
>   ${DESTDIR}/etc/rpki
>   cd examples; \
>   ${INSTALL} -c -o root -g wheel -m 644 ${EXAMPLES} \
> Index: etc/rpki/rsync.filter
> ===
> RCS file: etc/rpki/rsync.filter
> diff -N etc/rpki/rsync.filter
> --- /dev/null 1 Jan 1970 00:00:00 -
> +++ etc/rpki/rsync.filter 31 Aug 2021 12:09:24 -
> @@ -0,0 +1,7 @@
> ++ */
> ++ *.cer
> ++ *.crl
> ++ *.gbr
> ++ *.mft
> ++ *.roa
> +- *
> Index: usr.sbin/rpki-client/rsync.c
> ===
> RCS file: /cvs/src/usr.sbin/rpki-client/rsync.c,v
> retrieving revision 1.24
> diff -u -p -r1.24 rsync.c
> --- usr.sbin/rpki-client/rsync.c  19 Apr 2021 17:04:35 -  1.24
> +++ usr.sbin/rpki-client/rsync.c  31 Aug 2021 12:17:11 -
> @@ -279,6 +279,8 @@ proc_rsync(char *prog, char *bind_addr, 
>   args[i++] = "--no-motd";
>   args[i++] = "--timeout";
>   args[i++] = "180";
> + args[i++] = "--exclude-from";
> + args[i++] = "/etc/rpki/rsync.filter";
>   if (bind_addr != NULL) {
>   args[i++] = "--address";
>   args[i++] = (char *)bind_addr;
> 



Re: reduce debug logging from slowcgi

2021-08-31 Thread Florian Obser
OK florian

On 2021-08-31 16:24 +02, Paul de Weerd  wrote:
> Hi all,
>
> On a busy-ish site, I found that slowcgi is doing quite excessive
> logging: every single environment variable is logged on a separate
> logline.  There's at least 17 variables per hit, but I've seen it go
> up to 35.  If you're writing debug logs from syslog, that adds up
> rather quickly.  Of course you can argue "don't do that", but why have
> the system do all this work of sending stuff through syslog when
> you're not going to do anything with it anyway?
>
> Anyway, after a hint from Florian, I added a -v flag to slowcgi to
> only log syslog events at the DEBUG level when it's given and not
> always / by default.  It's good to be able to log these when you're
> debugging issues, but then you'll have to add '-v' to the
> slowcgi_flags in /etc/rc.conf.local using rcctl(8).
>
> I've tested this on that busy-ish setup - works for me (tm).
>
> Cheers,
>
> Paul 'WEiRD' de Weerd
>
> Index: slowcgi.8
> ===
> RCS file: /home/OpenBSD/cvs/src/usr.sbin/slowcgi/slowcgi.8,v
> retrieving revision 1.14
> diff -u -p -r1.14 slowcgi.8
> --- slowcgi.8 13 Aug 2018 16:54:50 -  1.14
> +++ slowcgi.8 31 Aug 2021 13:10:42 -
> @@ -27,6 +27,7 @@
>  .Op Fl s Ar socket
>  .Op Fl U Ar user
>  .Op Fl u Ar user
> +.Op Fl v
>  .Sh DESCRIPTION
>  .Nm
>  is a server which implements the FastCGI Protocol to execute CGI scripts.
> @@ -90,6 +91,8 @@ instead of default user www and
>  to
>  the home directory of
>  .Ar user .
> +.It Fl v
> +Enable more verbose (debug) logging.
>  .El
>  .Sh SEE ALSO
>  .Xr httpd 8
> Index: slowcgi.c
> ===
> RCS file: /home/OpenBSD/cvs/src/usr.sbin/slowcgi/slowcgi.c,v
> retrieving revision 1.60
> diff -u -p -r1.60 slowcgi.c
> --- slowcgi.c 20 Apr 2021 07:35:42 -  1.60
> +++ slowcgi.c 31 Aug 2021 13:08:37 -
> @@ -260,6 +260,7 @@ usage(void)
>  struct timeval   timeout = { TIMEOUT_DEFAULT, 0 };
>  struct slowcgi_proc  slowcgi_proc;
>  int  debug = 0;
> +int  verbose = 0;
>  int  on = 1;
>  char *fcgi_socket = "/var/www/run/slowcgi.sock";
>  
> @@ -292,7 +293,7 @@ main(int argc, char *argv[])
>   }
>   }
>  
> - while ((c = getopt(argc, argv, "dp:s:U:u:")) != -1) {
> + while ((c = getopt(argc, argv, "dp:s:U:u:v")) != -1) {
>   switch (c) {
>   case 'd':
>   debug++;
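Review bot: The getopt string gains `v` but nothing in these hunks touches usage(), whose body sits just above the first hunk's `usage(void)` context line; if it prints the option list it should now show `[-v]` to match the manual page change. It is also worth stating whether the `-d` foreground mode is meant to stay unconditionally verbose, since only syslog_debug() is gated on `verbose` here and a separate stderr logger, if slowcgi has one, would be unaffected. The same hunks appear in Paul de Weerd's original post below.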
> @@ -309,6 +310,9 @@ main(int argc, char *argv[])
>   case 'u':
>   slowcgi_user = optarg;
>   break;
> + case 'v':
> + verbose++;
> + break;
>   default:
>   usage();
>   /* NOTREACHED */
> @@ -1261,9 +1265,10 @@ syslog_info(const char *fmt, ...)
>  void
>  syslog_debug(const char *fmt, ...)
>  {
> - va_list ap;
> -
> - va_start(ap, fmt);
> - vsyslog(LOG_DEBUG, fmt, ap);
> - va_end(ap);
> + if (verbose > 0) {
> + va_list ap;
> + va_start(ap, fmt);
> + vsyslog(LOG_DEBUG, fmt, ap);
> + va_end(ap);
> + }
>  }
>
>
> -- 
>>[<++>-]<+++.>+++[<-->-]<.>+++[<+
> +++>-]<.>++[<>-]<+.--.[-]
>  http://www.weirdnet.nl/ 
>

-- 
I'm not entirely sure you are real.



reduce debug logging from slowcgi

2021-08-31 Thread Paul de Weerd
Hi all,

On a busy-ish site, I found that slowcgi is doing quite excessive
logging: every single environment variable is logged on a separate
logline.  There's at least 17 variables per hit, but I've seen it go
up to 35.  If you're writing debug logs from syslog, that adds up
rather quickly.  Of course you can argue "don't do that", but why have
the system do all this work of sending stuff through syslog when
you're not going to do anything with it anyway?

Anyway, after a hint from Florian, I added a -v flag to slowcgi to
only log syslog events at the DEBUG level when it's given and not
always / by default.  It's good to be able to log these when you're
debugging issues, but then you'll have to add '-v' to the
slowcgi_flags in /etc/rc.conf.local using rcctl(8).

I've tested this on that busy-ish setup - works for me (tm).

Cheers,

Paul 'WEiRD' de Weerd

Index: slowcgi.8
===
RCS file: /home/OpenBSD/cvs/src/usr.sbin/slowcgi/slowcgi.8,v
retrieving revision 1.14
diff -u -p -r1.14 slowcgi.8
--- slowcgi.8   13 Aug 2018 16:54:50 -  1.14
+++ slowcgi.8   31 Aug 2021 13:10:42 -
@@ -27,6 +27,7 @@
 .Op Fl s Ar socket
 .Op Fl U Ar user
 .Op Fl u Ar user
+.Op Fl v
 .Sh DESCRIPTION
 .Nm
 is a server which implements the FastCGI Protocol to execute CGI scripts.
@@ -90,6 +91,8 @@ instead of default user www and
 to
 the home directory of
 .Ar user .
+.It Fl v
+Enable more verbose (debug) logging.
 .El
 .Sh SEE ALSO
 .Xr httpd 8
Index: slowcgi.c
===
RCS file: /home/OpenBSD/cvs/src/usr.sbin/slowcgi/slowcgi.c,v
retrieving revision 1.60
diff -u -p -r1.60 slowcgi.c
--- slowcgi.c   20 Apr 2021 07:35:42 -  1.60
+++ slowcgi.c   31 Aug 2021 13:08:37 -
@@ -260,6 +260,7 @@ usage(void)
 struct timeval timeout = { TIMEOUT_DEFAULT, 0 };
 struct slowcgi_procslowcgi_proc;
 intdebug = 0;
+intverbose = 0;
 inton = 1;
 char   *fcgi_socket = "/var/www/run/slowcgi.sock";
 
@@ -292,7 +293,7 @@ main(int argc, char *argv[])
}
}
 
-   while ((c = getopt(argc, argv, "dp:s:U:u:")) != -1) {
+   while ((c = getopt(argc, argv, "dp:s:U:u:v")) != -1) {
switch (c) {
case 'd':
debug++;
@@ -309,6 +310,9 @@ main(int argc, char *argv[])
case 'u':
slowcgi_user = optarg;
break;
+   case 'v':
+   verbose++;
+   break;
default:
usage();
/* NOTREACHED */
@@ -1261,9 +1265,10 @@ syslog_info(const char *fmt, ...)
 void
 syslog_debug(const char *fmt, ...)
 {
-   va_list ap;
-
-   va_start(ap, fmt);
-   vsyslog(LOG_DEBUG, fmt, ap);
-   va_end(ap);
+   if (verbose > 0) {
+   va_list ap;
+   va_start(ap, fmt);
+   vsyslog(LOG_DEBUG, fmt, ap);
+   va_end(ap);
+   }
 }


-- 
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
 http://www.weirdnet.nl/ 



ddb: machine sysregs for amd64

2021-08-31 Thread Alex Wilson

Hi,

This is a short diff to add "machine sysregs" to ddb on amd64 (plus it 
also prints out gsbase/kgsbase). This command is available on i386 but 
not amd64. I swear I remember discussing this with mlarkin at some point 
but I couldn't find a previous patch for it on tech@. If I missed it 
somehow, I am super sorry, and please hit me with the search stick.


This command is mostly useful if you're futzing with page tables or 
GDT/IDT setup etc, but it's also useful for sanity-checking state 
generally sometimes, and quite useful for teaching demos showing how it 
all works (which is the main reason I want it right now).




Index: sys/arch/amd64//amd64/db_interface.c
===
RCS file: /cvs/./src/sys/arch/amd64/amd64/db_interface.c,v
retrieving revision 1.35
diff -u -p -r1.35 db_interface.c
--- sys/arch/amd64//amd64/db_interface.c6 Nov 2019 07:34:35 -   
1.35
+++ sys/arch/amd64//amd64/db_interface.c31 Aug 2021 08:12:06 -
@@ -46,6 +46,7 @@
 #include 
 #include 
 #include 
+#include 

 #include 
 #include 
@@ -160,6 +161,45 @@ db_ktrap(int type, int code, db_regs_t *
return (1);
 }

+void
+db_sysregs_cmd(db_expr_t addr, int have_addr, db_expr_t count, char *modif)
+{
+   int64_t idtr, gdtr;
+   uint64_t cr;
+   uint16_t ldtr, tr;
+   uint64_t gsb;
+
+   __asm__ volatile("sidt %0" : "=m" (idtr));
+   db_printf("idtr:   0x%08llx/%04llx\n", idtr >> 16, idtr & 0x);
+
+   __asm__ volatile("sgdt %0" : "=m" (gdtr));
+   db_printf("gdtr:   0x%08llx/%04llx\n", gdtr >> 16, gdtr & 0x);
+
+   __asm__ volatile("sldt %0" : "=g" (ldtr));
+   db_printf("ldtr:   0x%04x\n", ldtr);
+
+   __asm__ volatile("str %0" : "=g" (tr));
+   db_printf("tr: 0x%04x\n", tr);
+
+   __asm__ volatile("movq %%cr0,%0" : "=r" (cr));
+   db_printf("cr0:0x%016llx\n", cr);
+
+   __asm__ volatile("movq %%cr2,%0" : "=r" (cr));
+   db_printf("cr2:0x%016llx\n", cr);
+
+   __asm__ volatile("movq %%cr3,%0" : "=r" (cr));
+   db_printf("cr3:0x%016llx\n", cr);
+
+   __asm__ volatile("movq %%cr4,%0" : "=r" (cr));
+   db_printf("cr4:0x%016llx\n", cr);
+
+   gsb = rdmsr(MSR_GSBASE);
+   db_printf("gsb:0x%016llx\n", gsb);
+
+   gsb = rdmsr(MSR_KERNELGSBASE);
+   db_printf("kgsb:   0x%016llx\n", gsb);
+}
+

 #ifdef MULTIPROCESSOR
 void
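Review bot: In 64-bit mode `sidt` and `sgdt` store a 10-byte pseudo-descriptor (16-bit limit followed by a 64-bit base), but `idtr` and `gdtr` are 8-byte `int64_t`, so each instruction writes two bytes past the variable on the stack, and `idtr >> 16` keeps only 48 bits of the base. Store into a correctly sized `struct region_descriptor` (rd_limit/rd_base from <machine/segments.h>, the type the kernel already uses for lidt/lgdt) and print its fields. The `& 0x` mask on those two db_printf lines also looks truncated in this listing. The same function is quoted again in Mike Larkin's reply.
```c
	struct region_descriptor idtr, gdtr;
	/* … unchanged: cr, ldtr, tr, gsb declarations … */

	__asm__ volatile("sidt %0" : "=m" (idtr));
	db_printf("idtr:   0x%016llx/%04x\n", idtr.rd_base, idtr.rd_limit);

	__asm__ volatile("sgdt %0" : "=m" (gdtr));
	db_printf("gdtr:   0x%016llx/%04x\n", gdtr.rd_base, gdtr.rd_limit);
	/* … unchanged: ldtr, tr, cr0-cr4, gsbase, kgsbase … */
```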
@@ -368,6 +408,7 @@ struct db_command db_machine_command_tab
{ "startcpu", db_startproc_cmd,   0,  0 },
{ "stopcpu",  db_stopproc_cmd,0,  0 },
{ "ddbcpu",   db_ddbproc_cmd, 0,  0 },
+   { "sysregs",  db_sysregs_cmd, 0,  0 },
 #endif
 #if NACPI > 0
{ "acpi", NULL,   0,  db_acpi_cmds },
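Review bot: The new `sysregs` entry appears to sit inside the `#ifdef MULTIPROCESSOR` block (the `#endif` follows it directly and its neighbours are the per-CPU commands), so a non-MP kernel would compile db_sysregs_cmd from the previous hunk but never expose the command; moving `{ "sysregs",  db_sysregs_cmd, 0,  0 },` below the `#endif` makes it available on every kernel. The opening `#ifdef` is outside the hunk, so confirm the placement. Same placement in the quoted copy in Mike Larkin's reply.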



teach pf to refragment ipv4 packets

2021-08-31 Thread David Gwynne
i am in an annoying situation where i peer with a campus network on an
ospf link with a 9k mtu, but some corners of that network have layer 2
hops that don't support 9k packets. i sometimes want to tunnel large
(1500 byte) packets to hosts in those corners of the network by
letting the encapsulation protocol fragment. the tunnel endpoint
will then reassemble the packet and forward the full sized frame
as if nothing untoward happened.

the problem is that pf on the ospf hop "helps" by reassembling these
fragmented tunnel packets before sending them out the 9k ospf link.
the layer 2 hops then drop the packet because it's too big. i do
want pf to reassemble the packets so it can check it, but i also
want it to refragment it again afterward.

it turns out this is something that happens for ipv6 already, because
fragmentation in v6 is only supposed to be done by the endpoints. this
diff allows this same semantic for v4 packets if requested. to enable
it, configure "set reassemble yes refragment" in your pf.conf and it
will do the same for v4 that it does for v6.

i've only tested this lightly and now i need sleep. anyone have any
thoughts on this?

note that m_tag_find is really cheap if the tag doesn't exist thanks to
henning@.

Index: sys/net/pf.c
===
RCS file: /cvs/src/sys/net/pf.c,v
retrieving revision 1.1122
diff -u -p -r1.1122 pf.c
--- sys/net/pf.c7 Jul 2021 18:38:25 -   1.1122
+++ sys/net/pf.c31 Aug 2021 12:42:51 -
@@ -6049,6 +6049,7 @@ void
 pf_route(struct pf_pdesc *pd, struct pf_state *s)
 {
struct mbuf *m0;
+   struct m_tag*mtag;
struct mbuf_list fml;
struct sockaddr_in  *dst, sin;
struct rtentry  *rt = NULL;
@@ -6132,6 +6133,15 @@ pf_route(struct pf_pdesc *pd, struct pf_
ip = mtod(m0, struct ip *);
}
 
+   /*
+* If packet has been reassembled by PF earlier, we might have to
+* use pf_refragment4() here to turn it back to fragments.
+*/
+   if ((mtag = m_tag_find(m0, PACKET_TAG_PF_REASSEMBLED, NULL))) {
+   (void) pf_refragment4(, mtag, dst, ifp, rt);
+   goto done;
+   }
+
in_proto_cksum_out(m0, ifp);
 
if (ntohs(ip->ip_len) <= ifp->if_mtu) {
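Review bot: pf_refragment4() is reached before `in_proto_cksum_out(m0, ifp)` runs, so the refragment path has to finalise the transport checksum itself before handing fragments to the interface; pf_refragment4() is not in the visible part of the diff, so confirm it does (pf_route6() presumably has the same ordering for v6 and is the model here). A one-line comment such as `/* pf_refragment4() computes the protocol checksum itself */` above the call would make the ordering intentional for the next reader. pf_route() continues outside the hunk.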
@@ -7357,16 +7367,20 @@ done:
break;
}
 
-#ifdef INET6
/* if reassembled packet passed, create new fragments */
-   if (pf_status.reass && action == PF_PASS && pd.m && fwdir == PF_FWD &&
-   pd.af == AF_INET6) {
+   if (pf_status.reass && action == PF_PASS && pd.m && fwdir == PF_FWD) {
struct m_tag*mtag;
 
-   if ((mtag = m_tag_find(pd.m, PACKET_TAG_PF_REASSEMBLED, NULL)))
+   mtag = m_tag_find(pd.m, PACKET_TAG_PF_REASSEMBLED, NULL);
+   if (mtag == NULL)
+   ; /* no reassembly required */
+#ifdef INET6
+   else if (pd.af == AF_INET6)
action = pf_refragment6(, mtag, NULL, NULL, NULL);
-   }
 #endif /* INET6 */
+   else
+   action = pf_refragment4(, mtag, NULL, NULL, NULL);
+   }
if (s && action != PF_DROP) {
if (!s->if_index_in && dir == PF_IN)
s->if_index_in = ifp->if_index;
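Review bot: The empty-bodied `if (mtag == NULL) ;` followed by an `else if` that lives inside `#ifdef INET6` and an `else` outside it is hard to read and easy to break when the block is next edited; testing `mtag != NULL` and dispatching on `pd.af` keeps the preprocessor conditional around one whole case and makes the v4 call explicitly AF_INET rather than "anything else".
```c
		mtag = m_tag_find(pd.m, PACKET_TAG_PF_REASSEMBLED, NULL);
		if (mtag != NULL) {
			switch (pd.af) {
			case AF_INET:
				action = pf_refragment4(&pd.m, mtag, NULL, NULL, NULL);
				break;
#ifdef INET6
			case AF_INET6:
				action = pf_refragment6(&pd.m, mtag, NULL, NULL, NULL);
				break;
#endif /* INET6 */
			}
		}
```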
Index: sys/net/pf_norm.c
===
RCS file: /cvs/src/sys/net/pf_norm.c,v
retrieving revision 1.223
diff -u -p -r1.223 pf_norm.c
--- sys/net/pf_norm.c   10 Mar 2021 10:21:48 -  1.223
+++ sys/net/pf_norm.c   31 Aug 2021 12:42:51 -
@@ -782,7 +782,7 @@ pf_reassemble(struct mbuf **m0, int dir,
struct pf_frent *frent;
struct pf_fragment  *frag;
struct pf_frnode key;
-   u_int16_ttotal, hdrlen;
+   u_int16_ttotal, maxlen, hdrlen;
 
/* Get an entry for the fragment queue */
if ((frent = pf_create_fragment(reason)) == NULL)
@@ -821,6 +821,7 @@ pf_reassemble(struct mbuf **m0, int dir,
/* We have all the data */
frent = TAILQ_FIRST(>fr_queue);
KASSERT(frent != NULL);
+   maxlen = frag->fr_maxlen;
total = TAILQ_LAST(>fr_queue, pf_fragq)->fe_off +
TAILQ_LAST(>fr_queue, pf_fragq)->fe_len;
hdrlen = frent->fe_hdrlen;
@@ -843,6 +844,63 @@ pf_reassemble(struct mbuf **m0, int dir,
 
PF_FRAG_UNLOCK();
DPFPRINTF(LOG_INFO, "complete: %p(%d)", m, ntohs(ip->ip_len));
+
+   if (ISSET(pf_status.reass, PF_REASS_REFRAG)) {
+   struct m_tag *mtag;
+   struct pf_fragment_tag *ftag;
+
+   mtag = m_tag_get(PACKET_TAG_PF_REASSEMBLED, sizeof(*ftag),
+   M_NOWAIT);
+   if (mtag == NULL) {
+   REASON_SET(reason, PFRES_MEMORY);
+   return (PF_DROP);
+   }
+
+  

Re: ddb: machine sysregs for amd64

2021-08-31 Thread Mike Larkin
On Tue, Aug 31, 2021 at 06:30:40PM +1000, Alex Wilson wrote:
> Hi,
>
> This is a short diff to add "machine sysregs" to ddb on amd64 (plus it also
> prints out gsbase/kgsbase). This command is available on i386 but not amd64.
> I swear I remember discussing this with mlarkin at some point but I couldn't
> find a previous patch for it on tech@. If I missed it somehow, I am super
> sorry, and please hit me with the search stick.
>
> This command is mostly useful if you're futzing with page tables or GDT/IDT
> setup etc, but it's also useful for sanity-checking state generally
> sometimes, and quite useful for teaching demos showing how it all works
> (which is the main reason I want it right now).
>

Thanks, I'll commit this.

-ml

>
>
> Index: sys/arch/amd64//amd64/db_interface.c
> ===
> RCS file: /cvs/./src/sys/arch/amd64/amd64/db_interface.c,v
> retrieving revision 1.35
> diff -u -p -r1.35 db_interface.c
> --- sys/arch/amd64//amd64/db_interface.c  6 Nov 2019 07:34:35 -   
> 1.35
> +++ sys/arch/amd64//amd64/db_interface.c  31 Aug 2021 08:12:06 -
> @@ -46,6 +46,7 @@
>  #include 
>  #include 
>  #include 
> +#include 
>
>  #include 
>  #include 
> @@ -160,6 +161,45 @@ db_ktrap(int type, int code, db_regs_t *
>   return (1);
>  }
>
> +void
> +db_sysregs_cmd(db_expr_t addr, int have_addr, db_expr_t count, char *modif)
> +{
> + int64_t idtr, gdtr;
> + uint64_t cr;
> + uint16_t ldtr, tr;
> + uint64_t gsb;
> +
> + __asm__ volatile("sidt %0" : "=m" (idtr));
> + db_printf("idtr:   0x%08llx/%04llx\n", idtr >> 16, idtr & 0x);
> +
> + __asm__ volatile("sgdt %0" : "=m" (gdtr));
> + db_printf("gdtr:   0x%08llx/%04llx\n", gdtr >> 16, gdtr & 0x);
> +
> + __asm__ volatile("sldt %0" : "=g" (ldtr));
> + db_printf("ldtr:   0x%04x\n", ldtr);
> +
> + __asm__ volatile("str %0" : "=g" (tr));
> + db_printf("tr: 0x%04x\n", tr);
> +
> + __asm__ volatile("movq %%cr0,%0" : "=r" (cr));
> + db_printf("cr0:0x%016llx\n", cr);
> +
> + __asm__ volatile("movq %%cr2,%0" : "=r" (cr));
> + db_printf("cr2:0x%016llx\n", cr);
> +
> + __asm__ volatile("movq %%cr3,%0" : "=r" (cr));
> + db_printf("cr3:0x%016llx\n", cr);
> +
> + __asm__ volatile("movq %%cr4,%0" : "=r" (cr));
> + db_printf("cr4:0x%016llx\n", cr);
> +
> + gsb = rdmsr(MSR_GSBASE);
> + db_printf("gsb:0x%016llx\n", gsb);
> +
> + gsb = rdmsr(MSR_KERNELGSBASE);
> + db_printf("kgsb:   0x%016llx\n", gsb);
> +}
> +
>
>  #ifdef MULTIPROCESSOR
>  void
> @@ -368,6 +408,7 @@ struct db_command db_machine_command_tab
>   { "startcpu",   db_startproc_cmd,   0,  0 },
>   { "stopcpu",db_stopproc_cmd,0,  0 },
>   { "ddbcpu", db_ddbproc_cmd, 0,  0 },
> + { "sysregs",db_sysregs_cmd, 0,  0 },
>  #endif
>  #if NACPI > 0
>   { "acpi",   NULL,   0,  db_acpi_cmds },
>



rpki-client exclude files from rsync fetch

2021-08-31 Thread Claudio Jeker
An RPKI repository can only include a few specific files; everything else is
just ignored and deleted after every fetch.  Since openrsync supports
--exclude-file now we can use this to limit what is actually accepted by
the client.

I used a config file in /etc/rpki instead of using multiple --exclude /
--include arguments. Mostly to keep the execvp argv short.

What you think?
-- 
:wq Claudio

Index: etc/Makefile
===
RCS file: /cvs/src/etc/Makefile,v
retrieving revision 1.484
diff -u -p -r1.484 Makefile
--- etc/Makefile1 May 2021 16:11:07 -   1.484
+++ etc/Makefile31 Aug 2021 12:17:40 -
@@ -156,7 +156,7 @@ distribution-etc-root-var: distrib-dirs
${DESTDIR}/etc/ppp
cd rpki; \
${INSTALL} -c -o root -g wheel -m 644 \
-   afrinic.tal apnic.tal lacnic.tal ripe.tal \
+   afrinic.tal apnic.tal lacnic.tal ripe.tal rsync.filter \
${DESTDIR}/etc/rpki
cd examples; \
${INSTALL} -c -o root -g wheel -m 644 ${EXAMPLES} \
Index: etc/rpki/rsync.filter
===
RCS file: etc/rpki/rsync.filter
diff -N etc/rpki/rsync.filter
--- /dev/null   1 Jan 1970 00:00:00 -
+++ etc/rpki/rsync.filter   31 Aug 2021 12:09:24 -
@@ -0,0 +1,7 @@
++ */
++ *.cer
++ *.crl
++ *.gbr
++ *.mft
++ *.roa
+- *
Index: usr.sbin/rpki-client/rsync.c
===
RCS file: /cvs/src/usr.sbin/rpki-client/rsync.c,v
retrieving revision 1.24
diff -u -p -r1.24 rsync.c
--- usr.sbin/rpki-client/rsync.c19 Apr 2021 17:04:35 -  1.24
+++ usr.sbin/rpki-client/rsync.c31 Aug 2021 12:17:11 -
@@ -279,6 +279,8 @@ proc_rsync(char *prog, char *bind_addr, 
args[i++] = "--no-motd";
args[i++] = "--timeout";
args[i++] = "180";
+   args[i++] = "--exclude-from";
+   args[i++] = "/etc/rpki/rsync.filter";
if (bind_addr != NULL) {
args[i++] = "--address";
args[i++] = (char *)bind_addr;



Re: iked(8): client-side DNS support via resolvd(8)

2021-08-31 Thread Theo de Raadt
+   rtm.rtm_priority = RTP_PROPOSAL_STATIC;

So my gut reaction is we should have

/usr/include/net/route.h:#define RTP_PROPOSAL_TEMPORARY	62

I hesitate calling this "VPN", or "road warrior", or making it specific to
certain types of proposal offering daemons...



Re: [External] : better use the tokeniser in the pfctl parser

2021-08-31 Thread Theo de Raadt
I am really against the idea of the parser inspecting a static buffer
from the lex.

Also we have a ton of these parsers, and discourage them from deviating.

This tiny little "please use the right keyword" change feels so minor; we
do not have a generic error-correction-proposing parser, 99% of plausible
errors emit "syntax error".

The only reason "no" is a TOKEN is because of previous use in other
parts of the grammar, whereas "yes" does not occur in other places in
the grammar.  Let's keep this simple.

David Gwynne  wrote:

> On Tue, Aug 31, 2021 at 07:33:40AM +0200, Alexandr Nedvedicky wrote:
> > Hello,
> > 
> > On Tue, Aug 31, 2021 at 02:40:57PM +1000, David Gwynne wrote:
> > > handling the "no" option with a token, and "yes" via a string made my
> > > eye twitch.
> > > 
> > > ok? or is the helpful yyerror a nice feature?
> > > 
> > 
> > I actually think it's a nice feature. below is output
> > for current pfctl we have in tree:
> 
> it is nice, but the implementation isn't... rigorous.
> 
> > 
> > lumpy$ pfctl -n -f /tmp/pf.conf
> > /tmp/pf.conf:6: invalid value 'nope', expected 'yes' or 'no'
> > 
> > and output with diff applied:
> > 
> > lumpy$ ./pfctl -n -f /tmp/pf.conf
> > /tmp/pf.conf:6: syntax error
> 
> but if you try to use a keyword instead of a string, you get this:
> 
> dlg@kbuild ~$ echo "set reassemble yes" | pfctl -vnf -
> set reassemble yes 
> dlg@kbuild ~$ echo "set reassemble no" | pfctl -vnf -  
> set reassemble no 
> dlg@kbuild ~$ echo "set reassemble nope" | pfctl -vnf -
> stdin:1: invalid value 'nope', expected 'yes' or 'no'
> dlg@kbuild ~$ echo "set reassemble block" | pfctl -vnf -
> stdin:1: syntax error
> dlg@kbuild ~$ 
> 
> if the tokeniser exposed the buffer it was working on, we could make it
> consistent for all arguments:
> 
> dlg@kbuild pfctl$ echo "set reassemble yes" | ./obj/pfctl -vnf -   
> set reassemble yes 
> dlg@kbuild pfctl$ echo "set reassemble no" | ./obj/pfctl -vnf -  
> set reassemble no 
> dlg@kbuild pfctl$ echo "set reassemble nope" | ./obj/pfctl -vnf -
> stdin:1: syntax error
> stdin:1: invalid value 'nope', expected 'yes' or 'no'
> dlg@kbuild pfctl$ echo "set reassemble block" | ./obj/pfctl -vnf -
> stdin:1: syntax error
> stdin:1: invalid value 'block', expected 'yes' or 'no'
> 
> the extremely rough PoC diff for pfctl that implements this is
> below. because the tokeniser handles some operators without using the
> buffer, if you give "set reassemble" an operator then you get confusing
> output:
> 
> dlg@kbuild pfctl$ echo "set reassemble <" | ./obj/pfctl -vnf - 
> stdin:1: syntax error
> stdin:1: invalid value 'reassemble', expected 'yes' or 'no'
> 
> anyway, it might be easier to drop the diff for now.
> 
> Index: parse.y
> ===
> RCS file: /cvs/src/sbin/pfctl/parse.y,v
> retrieving revision 1.709
> diff -u -p -r1.709 parse.y
> --- parse.y   1 Feb 2021 00:31:04 -   1.709
> +++ parse.y   31 Aug 2021 09:20:38 -
> @@ -458,6 +458,8 @@ typedef struct {
>   int lineno;
>  } YYSTYPE;
>  
> +static u_char *yytext;
> +
>  #define PPORT_RANGE  1
>  #define PPORT_STAR   2
>  int  parseport(char *, struct range *r, int);
> @@ -471,7 +473,7 @@ int   parseport(char *, struct range *r, i
>  %token   PASS BLOCK MATCH SCRUB RETURN IN OS OUT LOG QUICK ON FROM TO 
> FLAGS
>  %token   RETURNRST RETURNICMP RETURNICMP6 PROTO INET INET6 ALL ANY 
> ICMPTYPE
>  %token   ICMP6TYPE CODE KEEP MODULATE STATE PORT BINATTO NODF
> -%token   MINTTL ERROR ALLOWOPTS FILENAME ROUTETO DUPTO REPLYTO NO LABEL
> +%token   MINTTL ERROR ALLOWOPTS FILENAME ROUTETO DUPTO REPLYTO YES NO 
> LABEL
>  %token   NOROUTE URPFFAILED FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS 
> DROP TABLE
>  %token   REASSEMBLE ANCHOR SYNCOOKIES
>  %token   SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY RANDOMID
> @@ -3754,16 +3756,11 @@ comma : ','
>   ;
>  
>  yesno: NO{ $$ = 0; }
> - | STRING{
> - if (!strcmp($1, "yes"))
> - $$ = 1;
> - else {
> - yyerror("invalid value '%s', expected 'yes' "
> - "or 'no'", $1);
> - free($1);
> - YYERROR;
> - }
> - free($1);
> + | YES   { $$ = 1; }
> + | error {
> + yyerror("invalid value '%s', expected 'yes' or 'no'",
> + yytext);
> + YYABORT;
>   }
>   ;
>  
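Review bot: The `error` alternative prints `yytext`, which is whatever yylex() last accumulated in its buffer rather than the token that caused the error; the cover mail's `set reassemble <` example shows it naming `reassemble`, because the operator paths in yylex() return without touching `buf`. If the approach is kept, every return path in yylex() should record the start and length of the token it returns (clearing `buf` for single-character tokens) so the message is reliable. Replacing YYERROR with YYABORT also ends the parse at the first bad value, so a file with several mistakes now reports only one of them, which is a behaviour change the commit message should mention. The same hunk is in David Gwynne's original post below.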
> @@ -5048,6 +5045,7 @@ lookup(char *s)
>   { "urpf-failed",URPFFAILED},
>   { "user",   USER},
>   { "weight", WEIGHT},
> + { "yes",   

Re: [External] : better use the tokeniser in the pfctl parser

2021-08-31 Thread David Gwynne
On Tue, Aug 31, 2021 at 07:33:40AM +0200, Alexandr Nedvedicky wrote:
> Hello,
> 
> On Tue, Aug 31, 2021 at 02:40:57PM +1000, David Gwynne wrote:
> > handling the "no" option with a token, and "yes" via a string made my
> > eye twitch.
> > 
> > ok? or is the helpful yyerror a nice feature?
> > 
> 
> I actually think it's a nice feature. below is output
> for current pfctl we have in tree:

it is nice, but the implementation isn't... rigorous.

> 
>   lumpy$ pfctl -n -f /tmp/pf.conf
>   /tmp/pf.conf:6: invalid value 'nope', expected 'yes' or 'no'
> 
> and output with diff applied:
> 
>   lumpy$ ./pfctl -n -f /tmp/pf.conf
>   /tmp/pf.conf:6: syntax error

but if you try to use a keyword instead of a string, you get this:

dlg@kbuild ~$ echo "set reassemble yes" | pfctl -vnf -
set reassemble yes 
dlg@kbuild ~$ echo "set reassemble no" | pfctl -vnf -  
set reassemble no 
dlg@kbuild ~$ echo "set reassemble nope" | pfctl -vnf -
stdin:1: invalid value 'nope', expected 'yes' or 'no'
dlg@kbuild ~$ echo "set reassemble block" | pfctl -vnf -
stdin:1: syntax error
dlg@kbuild ~$ 

if the tokeniser exposed the buffer it was working on, we could make it
consistent for all arguments:

dlg@kbuild pfctl$ echo "set reassemble yes" | ./obj/pfctl -vnf -   
set reassemble yes 
dlg@kbuild pfctl$ echo "set reassemble no" | ./obj/pfctl -vnf -  
set reassemble no 
dlg@kbuild pfctl$ echo "set reassemble nope" | ./obj/pfctl -vnf -
stdin:1: syntax error
stdin:1: invalid value 'nope', expected 'yes' or 'no'
dlg@kbuild pfctl$ echo "set reassemble block" | ./obj/pfctl -vnf -
stdin:1: syntax error
stdin:1: invalid value 'block', expected 'yes' or 'no'

the extremely rough PoC diff for pfctl that implements this is
below. because the tokeniser handles some operators without using the
buffer, if you give "set reassemble" an operator then you get confusing
output:

dlg@kbuild pfctl$ echo "set reassemble <" | ./obj/pfctl -vnf - 
stdin:1: syntax error
stdin:1: invalid value 'reassemble', expected 'yes' or 'no'

anyway, it might be easier to drop the diff for now.

Index: parse.y
===
RCS file: /cvs/src/sbin/pfctl/parse.y,v
retrieving revision 1.709
diff -u -p -r1.709 parse.y
--- parse.y 1 Feb 2021 00:31:04 -   1.709
+++ parse.y 31 Aug 2021 09:20:38 -
@@ -458,6 +458,8 @@ typedef struct {
int lineno;
 } YYSTYPE;
 
+static u_char   *yytext;
+
 #define PPORT_RANGE1
 #define PPORT_STAR 2
 intparseport(char *, struct range *r, int);
@@ -471,7 +473,7 @@ int parseport(char *, struct range *r, i
 %token PASS BLOCK MATCH SCRUB RETURN IN OS OUT LOG QUICK ON FROM TO FLAGS
 %token RETURNRST RETURNICMP RETURNICMP6 PROTO INET INET6 ALL ANY ICMPTYPE
 %token ICMP6TYPE CODE KEEP MODULATE STATE PORT BINATTO NODF
-%token MINTTL ERROR ALLOWOPTS FILENAME ROUTETO DUPTO REPLYTO NO LABEL
+%token MINTTL ERROR ALLOWOPTS FILENAME ROUTETO DUPTO REPLYTO YES NO LABEL
 %token NOROUTE URPFFAILED FRAGMENT USER GROUP MAXMSS MAXIMUM TTL TOS DROP TABLE
 %token REASSEMBLE ANCHOR SYNCOOKIES
 %token SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY RANDOMID
@@ -3754,16 +3756,11 @@ comma   : ','
;
 
 yesno  : NO{ $$ = 0; }
-   | STRING{
-   if (!strcmp($1, "yes"))
-   $$ = 1;
-   else {
-   yyerror("invalid value '%s', expected 'yes' "
-   "or 'no'", $1);
-   free($1);
-   YYERROR;
-   }
-   free($1);
+   | YES   { $$ = 1; }
+   | error {
+   yyerror("invalid value '%s', expected 'yes' or 'no'",
+   yytext);
+   YYABORT;
}
;
 
@@ -5048,6 +5045,7 @@ lookup(char *s)
{ "urpf-failed",URPFFAILED},
{ "user",   USER},
{ "weight", WEIGHT},
+   { "yes",YES},
};
const struct keywords   *p;
 
@@ -5170,10 +5168,12 @@ findeol(void)
 int
 yylex(void)
 {
-   u_char   buf[8096];
+   static u_char buf[8192];
u_char  *p, *val;
int  quotec, next, c;
int  token;
+
+   yytext = buf;
 
 top:
p = buf;





Re: iked(8): client-side DNS support via resolvd(8)

2021-08-31 Thread Theo de Raadt
This diff doesn't set rtm_index (to identify the interface the dns
proposal is associated with)

I guess that means rtm_index is 0.

Inside resolvd, the proposal rtm_index is used to track proposals in the
learned[] array.

resolvd uses if_indextoname() to annotate the interface name on these
dynamic lines with "# resolvd: em0".  Using 0 means if_indextoname() will
fail, and it will write "# resolvd: ", I guess?

If multiple agents start offering proposals with the same rtm_index +
family, things get a little weird.

What would isakmpd or some other vpn layer do if they want to start
doing the same as this iked diff -- would they also submit rtm_index 0?
The code cannot disambiguate/sort/select from the proposals with the same
id#, so all such offers will act as a single proposal, and I think whoever
submits the latest will win the fight.  That might behave weirdly.

So, does the route message need an extension to indicate "who" is making
the offer, or should iked (and other VPNs) have unique RTP_PROPOSAL_*
identifiers, and then we can have resolvd mix that into the sort also?



Re: iked(8): client-side DNS support via resolvd(8)

2021-08-31 Thread Theo de Raadt
Very interesting.

Please be very careful that proposal withdrawal actually works, or
the experience will be poor.



iked(8): client-side DNS support via resolvd(8)

2021-08-31 Thread Tobias Heider
IKEv2 allows road warrior servers to announce internal name servers in a
configuration payload.  iked responders can be configured to send such
payloads with the 'config name-server' option.

This diff adds support for receiving DNS server configuration payloads as a
road warrior client and proposing them to resolvd(8) via route messages.
It is enabled by default for clients using the 'iface' option for automatic
address configuration.

ok?

Index: config.c
===
RCS file: /cvs/src/sbin/iked/config.c,v
retrieving revision 1.79
diff -u -p -r1.79 config.c
--- config.c13 May 2021 15:20:48 -  1.79
+++ config.c30 Aug 2021 12:15:10 -
@@ -174,6 +174,7 @@ config_free_sa(struct iked *env, struct 
 
free(sa->sa_cp_addr);
free(sa->sa_cp_addr6);
+   free(sa->sa_cp_dns);
 
free(sa->sa_tag);
free(sa);
Index: iked.c
===
RCS file: /cvs/src/sbin/iked/iked.c,v
retrieving revision 1.57
diff -u -p -r1.57 iked.c
--- iked.c  13 May 2021 15:20:48 -  1.57
+++ iked.c  30 Aug 2021 12:15:10 -
@@ -459,6 +459,9 @@ parent_dispatch_ikev2(int fd, struct pri
case IMSG_IF_ADDADDR:
case IMSG_IF_DELADDR:
return (vroute_getaddr(env, imsg));
+   case IMSG_VDNS_ADD:
+   case IMSG_VDNS_DEL:
+   return (vroute_getdns(env, imsg));
case IMSG_VROUTE_ADD:
case IMSG_VROUTE_DEL:
return (vroute_getroute(env, imsg));
Index: iked.h
===
RCS file: /cvs/src/sbin/iked/iked.h,v
retrieving revision 1.192
diff -u -p -r1.192 iked.h
--- iked.h  23 Jun 2021 12:11:40 -  1.192
+++ iked.h  30 Aug 2021 12:15:10 -
@@ -429,6 +429,7 @@ struct iked_sa {
int  sa_cp; /* XXX */
struct iked_addr*sa_cp_addr;/* requested address */
struct iked_addr*sa_cp_addr6;   /* requested address */
+   struct iked_addr*sa_cp_dns; /* requested dns */
 
struct iked_policy  *sa_policy;
struct timeval   sa_timecreated;
@@ -611,6 +612,7 @@ struct iked_message {
int  msg_cp;
struct iked_addr*msg_cp_addr;   /* requested address */
struct iked_addr*msg_cp_addr6;  /* requested address */
+   struct iked_addr*msg_cp_dns;/* requested dns */
 
/* MOBIKE */
int  msg_update_sa_addresses;
@@ -975,6 +977,8 @@ void vroute_init(struct iked *);
 int vroute_setaddr(struct iked *, int, struct sockaddr *, int, unsigned int);
 void vroute_cleanup(struct iked *);
 int vroute_getaddr(struct iked *, struct imsg *);
+int vroute_setdns(struct iked *, int, struct sockaddr *);
+int vroute_getdns(struct iked *, struct imsg *);
 int vroute_setaddroute(struct iked *, uint8_t, struct sockaddr *,
 uint8_t, struct sockaddr *);
 int vroute_setcloneroute(struct iked *, uint8_t, struct sockaddr *,
Index: ikev2.c
===
RCS file: /cvs/src/sbin/iked/ikev2.c,v
retrieving revision 1.325
diff -u -p -r1.325 ikev2.c
--- ikev2.c 29 Jun 2021 15:39:20 -  1.325
+++ ikev2.c 30 Aug 2021 12:15:10 -
@@ -998,6 +998,13 @@ ikev2_ike_auth_recv(struct iked *env, st
log_info("%s: obtained lease: %s", SPI_SA(sa, __func__),
print_host((struct sockaddr 
*)>sa_cp_addr6->addr, NULL, 0));
}
+   if (msg->msg_cp_dns) {
+   sa->sa_cp_dns = msg->msg_cp_dns;
+   msg->msg_cp_dns = NULL;
+   log_debug("%s: DNS: %s", __func__,
+   print_host((struct sockaddr *)>sa_cp_dns->addr,
+   NULL, 0));
+   }
sa->sa_cp = msg->msg_cp;
}
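Review bot: The new DNS log line uses `__func__` alone while the adjacent lease message uses `SPI_SA(sa, __func__)`, so the DNS message cannot be tied to an SA in the log output; `log_debug("%s: DNS: %s", SPI_SA(sa, __func__),` keeps the two consistent. It may also be worth logging at the same level as the lease message, since both describe what the peer handed out; I have hedged that as a preference rather than a defect. ikev2_ike_auth_recv starts and ends outside the hunk. The `&` in the `print_host()` arguments appears to have been stripped by the mail rendering.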
 
@@ -4508,6 +4515,8 @@ ikev2_ikesa_enable(struct iked *env, str
sa->sa_cp_addr = NULL;
nsa->sa_cp_addr6 = sa->sa_cp_addr6;
sa->sa_cp_addr6 = NULL;
+   nsa->sa_cp_dns = sa->sa_cp_dns;
+   sa->sa_cp_dns = NULL;
/* Transfer other attributes */
 if (sa->sa_dstid_entry_valid) {
sa_dstid_remove(env, sa);
Index: ikev2_msg.c
===
RCS file: /cvs/src/sbin/iked/ikev2_msg.c,v
retrieving revision 1.77
diff -u -p -r1.77 ikev2_msg.c
--- ikev2_msg.c 29 Oct 2020 21:49:58 -  1.77
+++ ikev2_msg.c 30 Aug 2021 12:15:10 -
@@ -197,6 +197,7 @@ ikev2_msg_cleanup(struct iked *env, stru
free(msg->msg_eap.eam_user);
free(msg->msg_cp_addr);
free(msg->msg_cp_addr6);
+   free(msg->msg_cp_dns);
 
msg->msg_nonce = NULL;
  

rpki-client add http_proxy support

2021-08-31 Thread Claudio Jeker
This diff improves the http code by a) adding an IO timeout and b)
implementing http_proxy support.

Works for me using tinyproxy as proxy server.
-- 
:wq Claudio

Index: encoding.c
===
RCS file: /cvs/src/usr.sbin/rpki-client/encoding.c,v
retrieving revision 1.2
diff -u -p -r1.2 encoding.c
--- encoding.c  19 Apr 2021 17:04:35 -  1.2
+++ encoding.c  30 Aug 2021 19:53:47 -
@@ -64,6 +64,36 @@ fail:
return -1;
 }
 
+int
+base64_encode(const unsigned char *in, size_t inlen, char **out)
+{
+   static EVP_ENCODE_CTX *ctx;
+   unsigned char *to;
+   int tolen;
+
+   if (ctx == NULL && (ctx = EVP_ENCODE_CTX_new()) == NULL)
+   err(1, "EVP_ENCODE_CTX_new");
+
+   *out = NULL;
+
+   if (inlen >= INT_MAX / 2)
+   return -1;
+   tolen = ((inlen + 2) / 3) * 4 + 1;
+   if ((to = malloc(tolen)) == NULL)
+   return -1;
+
+   EVP_EncodeInit(ctx);
+   if (EVP_EncodeUpdate(ctx, to, , in, inlen) != 1)
+   goto fail;
+   EVP_EncodeFinal(ctx, to + tolen, );
+   *out = to;
+   return 0;
+
+fail:
+   free(to);
+   return -1;
+}
+
 /*
  * Convert binary buffer of size dsz into an upper-case hex-string.
  * Returns pointer to the newly allocated string. Function can't fail.
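Review bot: The buffer sized at `tolen = ((inlen + 2) / 3) * 4 + 1` is too small for the EVP_EncodeUpdate()/EVP_EncodeFinal() pair: those routines terminate every 64-character output line with '\n', and EVP_EncodeFinal() appends a trailing '\n' before the NUL, so even a short input writes one byte past the allocation and longer inputs overrun it by one byte per line. The embedded newlines would also survive into the encoded string that a caller presumably places in a header value. EVP_EncodeBlock() produces exactly ((inlen + 2) / 3) * 4 characters plus the NUL with no line breaks, so switching to it fixes the sizing and removes the static context; the rewrite is below. The `&tolen` argument appears lost at the EVP_EncodeUpdate() call in the posted diff, which I read as a mail-rendering artifact.
```c
int
base64_encode(const unsigned char *in, size_t inlen, char **out)
{
	unsigned char *to;
	size_t tolen;

	*out = NULL;

	if (inlen >= INT_MAX / 2)
		return -1;
	/* EVP_EncodeBlock() writes 4 chars per 3 input bytes plus a NUL, no newlines */
	tolen = ((inlen + 2) / 3) * 4 + 1;
	if ((to = malloc(tolen)) == NULL)
		return -1;

	EVP_EncodeBlock(to, in, inlen);
	*out = to;
	return 0;
}
```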
Index: extern.h
===
RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v
retrieving revision 1.65
diff -u -p -r1.65 extern.h
--- extern.h13 Jul 2021 18:39:39 -  1.65
+++ extern.h30 Aug 2021 19:52:47 -
@@ -364,8 +364,6 @@ extern int verbose;
 
 /* Routines for RPKI entities. */
 
-int base64_decode(const unsigned char *, unsigned char **,
-   size_t *);
 voidtal_buffer(struct ibuf *, const struct tal *);
 voidtal_free(struct tal *);
 struct tal *tal_parse(const char *, char *);
@@ -499,6 +497,7 @@ void cryptoerrx(const char *, ...)
 
 int base64_decode(const unsigned char *, unsigned char **,
size_t *);
+int base64_encode(const unsigned char *, size_t, char **);
 char   *hex_encode(const unsigned char *, size_t);
 
 
Index: http.c
===
RCS file: /cvs/src/usr.sbin/rpki-client/http.c,v
retrieving revision 1.36
diff -u -p -r1.36 http.c
--- http.c  9 Aug 2021 10:30:23 -   1.36
+++ http.c  31 Aug 2021 07:52:16 -
@@ -70,6 +70,7 @@
 #define HTTP_USER_AGENT"OpenBSD rpki-client"
 #define HTTP_BUF_SIZE  (32 * 1024)
 #define HTTP_IDLE_TIMEOUT  10
+#define HTTP_IO_TIMEOUT(3 * 60)
 #define MAX_CONNECTIONS64
 #define NPFDS  (MAX_CONNECTIONS + 1)
 
@@ -83,6 +84,9 @@ enum http_state {
STATE_FREE,
STATE_CONNECT,
STATE_TLSCONNECT,
+   STATE_PROXY_REQUEST,
+   STATE_PROXY_STATUS,
+   STATE_PROXY_RESPONSE,
STATE_REQUEST,
STATE_RESPONSE_STATUS,
STATE_RESPONSE_HEADER,
@@ -96,9 +100,9 @@ enum http_state {
 
 struct http_proxy {
char*proxyhost;
-   char*proxyuser;
-   char*proxypw;
-};
+   char*proxyport;
+   char*proxyauth;
+} proxy;
 
 struct http_connection {
LIST_ENTRY(http_connection) entry;
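Review bot: `} proxy;` gives the proxy configuration external linkage, whereas the other file-scope names this diff adds (`proxy_connect`, `proxy_read`, `proxy_write`) are `static`; unless another file references it, `static struct http_proxy { ... } proxy;` keeps it file-local and consistent with the rest of http.c. `proxyauth` presumably holds the pre-encoded credentials taken from the proxy URL; a comment saying what the field contains and that it lives for the whole run would help, for example `char *proxyauth; /* base64 "user:password" from the proxy URL, or NULL */`. The hunk also shows `proxyuser`/`proxypw` removed without a visible caller change, so I assume the parsing of those now happens elsewhere in this diff.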
@@ -116,6 +120,7 @@ struct http_connection {
size_t  bufpos;
off_t   iosz;
time_t  idle_time;
+   time_t  io_time;
int status;
int fd;
int chunked;
@@ -177,10 +182,13 @@ static enum res http_handle(struct http_
 
 /* Internal state functions used by the above functions */
 static enum reshttp_finish_connect(struct http_connection *);
+static enum resproxy_connect(struct http_connection *);
 static enum reshttp_tls_connect(struct http_connection *);
 static enum reshttp_tls_handshake(struct http_connection *);
 static enum reshttp_read(struct http_connection *);
 static enum reshttp_write(struct http_connection *);
+static enum resproxy_read(struct http_connection *);
+static enum resproxy_write(struct http_connection *);
 static enum resdata_write(struct http_connection *);
 
 static time_t
@@ -277,6 +285,138 @@ url_encode(const char *path)
return (epath);
 }
 
+static char
+hextochar(const char *str)
+{
+   unsigned char c, ret;
+
+   c = str[0];
+   ret = c;
+   if (isalpha(c))
+   ret -= isupper(c) ? 'A' - 10 : 'a' - 10;
+   else
+   ret -= '0';
+   ret *= 16;
+
+   c = str[1];
+   ret += c;
+   if (isalpha(c))
+   ret -= isupper(c) ? 'A' - 10 : 'a' - 10;
+   else
+   ret -= '0';
+   return