Re: remove hostname not IP addr test in libtls tls_servername_cb()

[Anders Berggren]

> On 6 Jun 2017, at 12:51, Jonathan Gray  wrote:
> While chromium, firefox, lua(sec), java, go, ftp(1), curl, wget,
> and others when acting as TLS clients all manage to get it right.
> 
> Both apache 2.4.25 and nginx 1.10.2p from ports do not strictly
> enforce this on the server side but httpd(8) does as libtls does.

This fixes TLS in httpd(8) on Safari for me.

Re: Xen virtual network (Netfront) driver

[Anders Berggren]

> On 06 Jan 2016, at 18:49, Reyk Floeter  wrote:
> - I didn't work on m4.10xlarge (see cvs:~reyk/dmesg.m4.10xlarge).

I didn’t see any mentions of it in the dmesg 
https://gist.github.com/reyk/b372af303eb86bab3fee but could it be that those 
machine classes (*x*large-ish) uses Intel NICs with SR-IOV (ixgbe/ixv-ish) by 
default 
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enhanced-networking.html. 
Last time I tried, sriovNetSupport couldn’t be disabled after the AMI/VM was 
created, and I had to use the "aws ec2 register-image …” commands, because the 
AWS web console didn’t offer any web to create a machine without it...

npppd: crashes/random behaviour due to non-zeroed struct

[Anders Berggren]

Hi,

I had a problem where npppd sometimes started with random configurations, and 
resolved it by callocing the struct in subject. 

Cheers!
Anders

--- /usr/src/usr.sbin/npppd/npppd/parse.y.orig  Wed May  7 09:25:49 2014
+++ /usr/src/usr.sbin/npppd/npppd/parse.y   Wed May  7 09:26:20 2014
@@ -874,7 +874,7 @@
YYERROR;
}
 
-   if ((n = malloc(sizeof(struct iface))) == NULL) {
+   if ((n = calloc(1, sizeof(struct iface))) == NULL) {
yyerror(out of memory);
free($2);
YYERROR;

Re: npppd: crashes/random behaviour due to non-zeroed struct

[Anders Berggren]

 I had a problem where npppd sometimes started with random
 configurations, and resolved it by callocing the struct in subject.
 
 Thanks, committed.

Thank you, much appreciated!

 I don't think this causes a crash.  Did it?

It most likely exited normally because of an invalid (because of the bug) 
configuration. So no, not really a crash in the segmentation fault sense or 
anything like that.

pflow in rdomain

[Anders Berggren]

We tried to get pflow running in a non-default rdomain, and found this to get 
it going. Make sense?

--- sys/net/if_pflow.c.orig Fri Sep 13 20:58:40 2013
+++ sys/net/if_pflow.c  Mon Sep 16 13:25:54 2013
@@ -1213,6 +1213,8 @@
sc-sc_if.if_opackets++;
sc-sc_if.if_obytes += m-m_pkthdr.len;
 
+   m-m_pkthdr.rdomain = sc-sc_if.if_rdomain;
+
if ((err = ip_output(m, NULL, NULL, IP_RAWOUTPUT, sc-sc_imo, NULL))) {
pflowstats.pflow_oerrors++;
sc-sc_if.if_oerrors++;

Re: manual patch for isakmpd's FIFO r

[Anders Berggren]

 The following patch clarifies that sending r over the FIFO doesn't 
 produce the exact same results as SIGUSR1. Or do you prefer that we change 
 the behaviour of the FIFO's r to match SIGUSR1, for example by changing 
 ui_report() to something similar to ui_report_sa(); opening a file, and 
 rewrite a few _report functions to use fprintf instead of LOG_DBG()?

New diff, produced and prettified by jmc

Index: isakmpd.8
===
RCS file: /cvs/src/sbin/isakmpd/isakmpd.8,v
retrieving revision 1.111
diff -u -r1.111 isakmpd.8
--- isakmpd.8   25 Sep 2012 13:58:00 -  1.111
+++ isakmpd.8   12 Jul 2013 13:24:11 -
@@ -494,7 +494,8 @@
.It Ic r
Report
.Nm
-internal state to a file.
+internal state to
+.Xr syslog 3 .
See the
.Fl R
option.

manual patch for isakmpd's FIFO r

[Anders Berggren]

The following patch clarifies that sending r over the FIFO doesn't produce 
the exact same results as SIGUSR1. Or do you prefer that we change the 
behaviour of the FIFO's r to match SIGUSR1, for example by changing 
ui_report() to something similar to ui_report_sa(); opening a file, and rewrite 
a few _report functions to use fprintf instead of LOG_DBG()?

--- sbin/isakmpd/isakmpd.8  Thu Jul 11 14:51:52 2013
+++ sbin/isakmpd/isakmpd.8.orig Thu Jul 11 14:44:58 2013
@@ -494,10 +494,13 @@
 .It Ic r
 Report
 .Nm
-internal state to log destination.
-Same output as when sent a
+internal state to a file.
+See the
+.Fl R
+option.
+Same as when sent a
 .Dv SIGUSR1
-signal, except that it is not written to the same file.
+signal.
 .Pp
 .It Ic S
 Report information on all known SAs to the

Re: manual patch for isakmpd's FIFO r

[Anders Berggren]

 The following patch clarifies that sending r over the FIFO doesn't produce 
 the exact same results as SIGUSR1. Or do you prefer that we change the 
 behaviour of the FIFO's r to match SIGUSR1, for example by changing 
 ui_report() to something similar to ui_report_sa(); opening a file, and 
 rewrite a few _report functions to use fprintf instead of LOG_DBG()?

...and here's the patch, in the right direction 

--- sbin/isakmpd/isakmpd.8.orig Thu Jul 11 14:44:58 2013
+++ sbin/isakmpd/isakmpd.8  Thu Jul 11 14:51:52 2013
@@ -494,13 +494,10 @@
 .It Ic r
 Report
 .Nm
-internal state to a file.
-See the
-.Fl R
-option.
-Same as when sent a
+internal state to log destination.
+Same output as when sent a
 .Dv SIGUSR1
-signal.
+signal, except that it is not written to the same file.
 .Pp
 .It Ic S
 Report information on all known SAs to the

1GE SFP+ media support to Intel 82599 patch

[Anders Berggren]

This patch adds 1GE SFP+ media support to Intel's 82599_SFP.

I wasn't able to find a 1GE SFP/SFP+ LR (single mode) optic module for 82599, 
and therefore needed to bring my E10GSFPLR optics down in speed (possible in 
some other operating systems). 

Some notes:
* The patch is extensively tested on 82599_SFP (link ups/downs, reboot, used in 
production)
* It seems to work on other NICs as well (82599_SFP_SF2, for example) but I've 
not been enable to perform careful testing on those
* The patch is designed not to produce any functional change for people not 
explicitly setting media, in order to simplify testing and reviewing
* I realise that 1000baseT is not the optimal media name for fibre, but since 
it was aleady used to report 1GE status in the driver, I didn't change it (in 
order to keep the patch small and reviewable)

--- sys/dev/pci/if_ix.c-before-speedThu May  2 11:05:16 2013
+++ sys/dev/pci/if_ix.c Fri May  3 16:56:26 2013
@@ -1067,8 +1067,44 @@
int
ixgbe_media_change(struct ifnet * ifp)
{
-   /* ignore */
-   return (0);
+   struct ix_softc *sc = ifp-if_softc;
+   struct ifmedia *ifm = sc-media;
+   ixgbe_link_speed speed;
+   int err = 0;
+
+   INIT_DEBUGOUT(ixgbe_media_change: begin);
+
+   if (IFM_TYPE(ifm-ifm_media) != IFM_ETHER)
+   return (EINVAL);
+
+   switch (IFM_SUBTYPE(ifm-ifm_media)) {
+   case IFM_AUTO:
+   speed = IXGBE_LINK_SPEED_100_FULL |
+   IXGBE_LINK_SPEED_1GB_FULL |
+   IXGBE_LINK_SPEED_10GB_FULL;
+   break;
+   case IFM_10G_T:
+   case IFM_10G_LR:
+   case IFM_10G_SR:
+   case IFM_10G_SFP_CU:
+   case IFM_10G_CX4:
+   speed = IXGBE_LINK_SPEED_10GB_FULL;
+   break;
+   case IFM_1000_T:
+   speed = IXGBE_LINK_SPEED_1GB_FULL;
+   break;
+   case IFM_100_TX:
+   speed = IXGBE_LINK_SPEED_100_FULL;
+   break;
+   default:
+   printf(%s: Unsupported media type\n, ifp-if_xname);
+   return (EINVAL);
+   }
+
+   if (sc-hw.mac.ops.setup_link)
+   err = sc-hw.mac.ops.setup_link(sc-hw, speed, FALSE, 
sc-link_up);
+
+   return (err);
}

/*
@@ -1632,6 +1668,10 @@
   ifmedia_add(sc-media,
   IFM_ETHER | IFM_1000_T, 0, NULL);
   }
+   if (hw-device_id == PCI_PRODUCT_INTEL_82599_SFP) {
+   ifmedia_add(sc-media,
+   IFM_ETHER | IFM_1000_T | IFM_FDX, 0, NULL);
+   }
   ifmedia_add(sc-media, IFM_ETHER | IFM_AUTO, 0, NULL);
   ifmedia_set(sc-media, IFM_ETHER | IFM_AUTO);

@@ -1645,6 +1685,8 @@
void
ixgbe_config_link(struct ix_softc *sc)
{
+   struct ixgbe_hw *hw = sc-hw;
+   struct ifmedia *ifm = sc-media;
   uint32_tautoneg, err = 0;
   int sfp, negotiate = FALSE;

@@ -1688,6 +1730,13 @@
   err = sc-hw.mac.ops.setup_link(sc-hw, autoneg,
   negotiate, sc-link_up);
   }
+
+   /* 82599_SFP defaults to 10G when brought up, sync with user set */
+   if ((hw-device_id == PCI_PRODUCT_INTEL_82599_SFP) 
+   (IFM_SUBTYPE(ifm-ifm_media) == IFM_1000_T) 
+   (sc-hw.mac.ops.setup_link))
+   err = sc-hw.mac.ops.setup_link(sc-hw,
+   IXGBE_LINK_SPEED_1GB_FULL, FALSE, sc-link_up);
}

Re: bge(4) support for BCM57{18,19,20}

[Anders Berggren]

 Here is a diff to support the newer Broadcom chips seen in Dell and HP
 servers. This was tested against a BCM57765, BCM5721, and BCM5720.

I've been running the code that was brought back yesterday/today on four Dell 
R320s with 5720s on semi-production servers (router setup with BGP and OSPF) 
with seemingly good results. Great work!

Re: cloneable tun

[Anders Berggren]

   unit = 13;
if ((fd = open(/dev/tun0, O_RDONLY)) == -1)
err(1, failed to open /dev/tun0);
if (ioctl(fd, TUNSIFUNIT, unit) == -1)
err(1, ioctl failed);

I like it. I've got a few questions from npppd and openvpn users hitting the 4 
tun limit, and think it would make more sense to to write code that dynamically 
creates tun interfaces (in C/C++ progs such as the mentioned) if you didn't 
have to use system() or something like

if (stat(node, _stat) == 0)
continue;
dev_t dev = makedev(40, i); // from MAKEDEV :(
if (mknod(node, 0600 | S_IFCHR, dev)  0) // from MAKEDEV :(
syslog(LOG_ERR, mknod %s: %m, node);
chown(node, 0, 0);

but rather the ioctl example above.

Re: [clau...@openbsd.org: graceful restart diff]

[Anders Berggren]

On Sep 3, 2012, at 8:14 PM, Claudio Jeker clau...@openbsd.org wrote:

 I never got any negative test results back about this change. I assume
 that either nobody is interested or that it just works.

I've been using this in semi-production with announce restart yes without
issues.