Re: remove hostname not IP addr test in libtls tls_servername_cb()
> On 6 Jun 2017, at 12:51, Jonathan Graywrote: > While chromium, firefox, lua(sec), java, go, ftp(1), curl, wget, > and others when acting as TLS clients all manage to get it right. > > Both apache 2.4.25 and nginx 1.10.2p from ports do not strictly > enforce this on the server side but httpd(8) does as libtls does. This fixes TLS in httpd(8) on Safari for me.
Re: Xen virtual network (Netfront) driver
> On 06 Jan 2016, at 18:49, Reyk Floeterwrote: > - I didn't work on m4.10xlarge (see cvs:~reyk/dmesg.m4.10xlarge). I didn’t see any mentions of it in the dmesg https://gist.github.com/reyk/b372af303eb86bab3fee but could it be that those machine classes (*x*large-ish) uses Intel NICs with SR-IOV (ixgbe/ixv-ish) by default http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enhanced-networking.html. Last time I tried, sriovNetSupport couldn’t be disabled after the AMI/VM was created, and I had to use the "aws ec2 register-image …” commands, because the AWS web console didn’t offer any web to create a machine without it...
npppd: crashes/random behaviour due to non-zeroed struct
Hi, I had a problem where npppd sometimes started with random configurations, and resolved it by callocing the struct in subject. Cheers! Anders --- /usr/src/usr.sbin/npppd/npppd/parse.y.orig Wed May 7 09:25:49 2014 +++ /usr/src/usr.sbin/npppd/npppd/parse.y Wed May 7 09:26:20 2014 @@ -874,7 +874,7 @@ YYERROR; } - if ((n = malloc(sizeof(struct iface))) == NULL) { + if ((n = calloc(1, sizeof(struct iface))) == NULL) { yyerror(out of memory); free($2); YYERROR;
Re: npppd: crashes/random behaviour due to non-zeroed struct
I had a problem where npppd sometimes started with random configurations, and resolved it by callocing the struct in subject. Thanks, committed. Thank you, much appreciated! I don't think this causes a crash. Did it? It most likely exited normally because of an invalid (because of the bug) configuration. So no, not really a crash in the segmentation fault sense or anything like that.
pflow in rdomain
We tried to get pflow running in a non-default rdomain, and found this to get it going. Make sense? --- sys/net/if_pflow.c.orig Fri Sep 13 20:58:40 2013 +++ sys/net/if_pflow.c Mon Sep 16 13:25:54 2013 @@ -1213,6 +1213,8 @@ sc-sc_if.if_opackets++; sc-sc_if.if_obytes += m-m_pkthdr.len; + m-m_pkthdr.rdomain = sc-sc_if.if_rdomain; + if ((err = ip_output(m, NULL, NULL, IP_RAWOUTPUT, sc-sc_imo, NULL))) { pflowstats.pflow_oerrors++; sc-sc_if.if_oerrors++;
Re: manual patch for isakmpd's FIFO r
The following patch clarifies that sending r over the FIFO doesn't produce the exact same results as SIGUSR1. Or do you prefer that we change the behaviour of the FIFO's r to match SIGUSR1, for example by changing ui_report() to something similar to ui_report_sa(); opening a file, and rewrite a few _report functions to use fprintf instead of LOG_DBG()? New diff, produced and prettified by jmc Index: isakmpd.8 === RCS file: /cvs/src/sbin/isakmpd/isakmpd.8,v retrieving revision 1.111 diff -u -r1.111 isakmpd.8 --- isakmpd.8 25 Sep 2012 13:58:00 - 1.111 +++ isakmpd.8 12 Jul 2013 13:24:11 - @@ -494,7 +494,8 @@ .It Ic r Report .Nm -internal state to a file. +internal state to +.Xr syslog 3 . See the .Fl R option.
manual patch for isakmpd's FIFO r
The following patch clarifies that sending r over the FIFO doesn't produce the exact same results as SIGUSR1. Or do you prefer that we change the behaviour of the FIFO's r to match SIGUSR1, for example by changing ui_report() to something similar to ui_report_sa(); opening a file, and rewrite a few _report functions to use fprintf instead of LOG_DBG()? --- sbin/isakmpd/isakmpd.8 Thu Jul 11 14:51:52 2013 +++ sbin/isakmpd/isakmpd.8.orig Thu Jul 11 14:44:58 2013 @@ -494,10 +494,13 @@ .It Ic r Report .Nm -internal state to log destination. -Same output as when sent a +internal state to a file. +See the +.Fl R +option. +Same as when sent a .Dv SIGUSR1 -signal, except that it is not written to the same file. +signal. .Pp .It Ic S Report information on all known SAs to the
Re: manual patch for isakmpd's FIFO r
The following patch clarifies that sending r over the FIFO doesn't produce the exact same results as SIGUSR1. Or do you prefer that we change the behaviour of the FIFO's r to match SIGUSR1, for example by changing ui_report() to something similar to ui_report_sa(); opening a file, and rewrite a few _report functions to use fprintf instead of LOG_DBG()? ...and here's the patch, in the right direction --- sbin/isakmpd/isakmpd.8.orig Thu Jul 11 14:44:58 2013 +++ sbin/isakmpd/isakmpd.8 Thu Jul 11 14:51:52 2013 @@ -494,13 +494,10 @@ .It Ic r Report .Nm -internal state to a file. -See the -.Fl R -option. -Same as when sent a +internal state to log destination. +Same output as when sent a .Dv SIGUSR1 -signal. +signal, except that it is not written to the same file. .Pp .It Ic S Report information on all known SAs to the
1GE SFP+ media support to Intel 82599 patch
This patch adds 1GE SFP+ media support to Intel's 82599_SFP. I wasn't able to find a 1GE SFP/SFP+ LR (single mode) optic module for 82599, and therefore needed to bring my E10GSFPLR optics down in speed (possible in some other operating systems). Some notes: * The patch is extensively tested on 82599_SFP (link ups/downs, reboot, used in production) * It seems to work on other NICs as well (82599_SFP_SF2, for example) but I've not been enable to perform careful testing on those * The patch is designed not to produce any functional change for people not explicitly setting media, in order to simplify testing and reviewing * I realise that 1000baseT is not the optimal media name for fibre, but since it was aleady used to report 1GE status in the driver, I didn't change it (in order to keep the patch small and reviewable) --- sys/dev/pci/if_ix.c-before-speedThu May 2 11:05:16 2013 +++ sys/dev/pci/if_ix.c Fri May 3 16:56:26 2013 @@ -1067,8 +1067,44 @@ int ixgbe_media_change(struct ifnet * ifp) { - /* ignore */ - return (0); + struct ix_softc *sc = ifp-if_softc; + struct ifmedia *ifm = sc-media; + ixgbe_link_speed speed; + int err = 0; + + INIT_DEBUGOUT(ixgbe_media_change: begin); + + if (IFM_TYPE(ifm-ifm_media) != IFM_ETHER) + return (EINVAL); + + switch (IFM_SUBTYPE(ifm-ifm_media)) { + case IFM_AUTO: + speed = IXGBE_LINK_SPEED_100_FULL | + IXGBE_LINK_SPEED_1GB_FULL | + IXGBE_LINK_SPEED_10GB_FULL; + break; + case IFM_10G_T: + case IFM_10G_LR: + case IFM_10G_SR: + case IFM_10G_SFP_CU: + case IFM_10G_CX4: + speed = IXGBE_LINK_SPEED_10GB_FULL; + break; + case IFM_1000_T: + speed = IXGBE_LINK_SPEED_1GB_FULL; + break; + case IFM_100_TX: + speed = IXGBE_LINK_SPEED_100_FULL; + break; + default: + printf(%s: Unsupported media type\n, ifp-if_xname); + return (EINVAL); + } + + if (sc-hw.mac.ops.setup_link) + err = sc-hw.mac.ops.setup_link(sc-hw, speed, FALSE, sc-link_up); + + return (err); } /* @@ -1632,6 +1668,10 @@ ifmedia_add(sc-media, IFM_ETHER | IFM_1000_T, 0, NULL); } + if (hw-device_id == PCI_PRODUCT_INTEL_82599_SFP) { + ifmedia_add(sc-media, + IFM_ETHER | IFM_1000_T | IFM_FDX, 0, NULL); + } ifmedia_add(sc-media, IFM_ETHER | IFM_AUTO, 0, NULL); ifmedia_set(sc-media, IFM_ETHER | IFM_AUTO); @@ -1645,6 +1685,8 @@ void ixgbe_config_link(struct ix_softc *sc) { + struct ixgbe_hw *hw = sc-hw; + struct ifmedia *ifm = sc-media; uint32_tautoneg, err = 0; int sfp, negotiate = FALSE; @@ -1688,6 +1730,13 @@ err = sc-hw.mac.ops.setup_link(sc-hw, autoneg, negotiate, sc-link_up); } + + /* 82599_SFP defaults to 10G when brought up, sync with user set */ + if ((hw-device_id == PCI_PRODUCT_INTEL_82599_SFP) + (IFM_SUBTYPE(ifm-ifm_media) == IFM_1000_T) + (sc-hw.mac.ops.setup_link)) + err = sc-hw.mac.ops.setup_link(sc-hw, + IXGBE_LINK_SPEED_1GB_FULL, FALSE, sc-link_up); }
Re: bge(4) support for BCM57{18,19,20}
Here is a diff to support the newer Broadcom chips seen in Dell and HP servers. This was tested against a BCM57765, BCM5721, and BCM5720. I've been running the code that was brought back yesterday/today on four Dell R320s with 5720s on semi-production servers (router setup with BGP and OSPF) with seemingly good results. Great work!
Re: cloneable tun
unit = 13; if ((fd = open(/dev/tun0, O_RDONLY)) == -1) err(1, failed to open /dev/tun0); if (ioctl(fd, TUNSIFUNIT, unit) == -1) err(1, ioctl failed); I like it. I've got a few questions from npppd and openvpn users hitting the 4 tun limit, and think it would make more sense to to write code that dynamically creates tun interfaces (in C/C++ progs such as the mentioned) if you didn't have to use system() or something like if (stat(node, _stat) == 0) continue; dev_t dev = makedev(40, i); // from MAKEDEV :( if (mknod(node, 0600 | S_IFCHR, dev) 0) // from MAKEDEV :( syslog(LOG_ERR, mknod %s: %m, node); chown(node, 0, 0); but rather the ioctl example above.
Re: [clau...@openbsd.org: graceful restart diff]
On Sep 3, 2012, at 8:14 PM, Claudio Jeker clau...@openbsd.org wrote: I never got any negative test results back about this change. I assume that either nobody is interested or that it just works. I've been using this in semi-production with announce restart yes without issues.