CVS: cvs.openbsd.org: src

2019-12-19 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2019/12/19 05:04:38

Modified files:
sys/dev: vscsi.c 
sys/dev/usb: uhid.c 
sys/net: switchctl.c 
sys/arch/sparc64/dev: vldcp.c 

Log message:
poll handlers must return a poll(2) revents value, not errno(2) values.

Some drivers have returned ENXIO (6) if the device is not available
which incorrectly translates into POLLPRI|POLLOUT (2|4) in userland.

Change it to POLLERR for now, but it might as well be POLLHUP.

OK mpi@
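
The mistranslation described in this log message, as an added example that is not part of the commit or the OpenBSD tree: a handler that returns ENXIO is seen by a poll(2) caller as POLLPRI|POLLOUT, so a typical event loop keeps doing I/O instead of tearing the descriptor down. The handler and event-loop function names are hypothetical.

```c
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical driver poll entry points (illustrative, not OpenBSD source). */
static int poll_handler_errno(int dev_dying, int events)
{
	if (dev_dying)
		return ENXIO;	/* bug: an errno value in the revents channel */
	return events & (POLLIN | POLLOUT);
}

static int poll_handler_revents(int dev_dying, int events)
{
	if (dev_dying)
		return POLLERR;	/* what the commit changes the drivers to */
	return events & (POLLIN | POLLOUT);
}

static const struct { int bit; const char *name; } poll_bits[] = {
	{ POLLIN, "POLLIN" }, { POLLPRI, "POLLPRI" }, { POLLOUT, "POLLOUT" },
	{ POLLERR, "POLLERR" }, { POLLHUP, "POLLHUP" }, { POLLNVAL, "POLLNVAL" },
};

/* Render a revents value as the flag names a poll(2) caller would test. */
static const char *revents_str(int revents, char *buf, size_t len)
{
	size_t i;

	buf[0] = '\0';
	for (i = 0; i < sizeof(poll_bits) / sizeof(poll_bits[0]); i++) {
		if (!(revents & poll_bits[i].bit))
			continue;
		if (buf[0] != '\0')
			strncat(buf, "|", len - strlen(buf) - 1);
		strncat(buf, poll_bits[i].name, len - strlen(buf) - 1);
	}
	return buf;
}

enum reaction { R_IDLE, R_DO_IO, R_TEARDOWN };

/* How a typical userland event loop dispatches on revents. */
static enum reaction event_loop_reaction(int revents)
{
	if (revents & (POLLERR | POLLHUP | POLLNVAL))
		return R_TEARDOWN;
	if (revents & (POLLIN | POLLPRI | POLLOUT))
		return R_DO_IO;
	return R_IDLE;
}

int main(void)
{
	char buf[64];
	int r = poll_handler_errno(1, POLLIN);

	printf("errno handler:   %d = %s\n", r, revents_str(r, buf, sizeof(buf)));
	r = poll_handler_revents(1, POLLIN);
	printf("revents handler: %d = %s\n", r, revents_str(r, buf, sizeof(buf)));
	return 0;
}
```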



CVS: cvs.openbsd.org: www

2019-12-17 Thread Reyk Floeter
CVSROOT:/cvs
Module name:www
Changes by: r...@cvs.openbsd.org2019/12/17 12:27:39

Modified files:
faq: current.html 

Log message:
Mention recent usb(4), ugen(4), uhid(4), and fido(4) changes.

With input from deraadt@



CVS: cvs.openbsd.org: src

2019-12-17 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2019/12/17 06:18:06

Modified files:
etc/etc.alpha  : MAKEDEV 
etc/etc.amd64  : MAKEDEV 
etc/etc.arm64  : MAKEDEV 
etc/etc.armv7  : MAKEDEV 
etc/etc.hppa   : MAKEDEV 
etc/etc.i386   : MAKEDEV 
etc/etc.landisk: MAKEDEV 
etc/etc.loongson: MAKEDEV 
etc/etc.macppc : MAKEDEV 
etc/etc.octeon : MAKEDEV 
etc/etc.sgi: MAKEDEV 
etc/etc.sparc64: MAKEDEV 
share/man/man8/man8.alpha: MAKEDEV.8 
share/man/man8/man8.amd64: MAKEDEV.8 
share/man/man8/man8.arm64: MAKEDEV.8 
share/man/man8/man8.armv7: MAKEDEV.8 
share/man/man8/man8.hppa: MAKEDEV.8 
share/man/man8/man8.i386: MAKEDEV.8 
share/man/man8/man8.landisk: MAKEDEV.8 
share/man/man8/man8.loongson: MAKEDEV.8 
share/man/man8/man8.macppc: MAKEDEV.8 
share/man/man8/man8.octeon: MAKEDEV.8 
share/man/man8/man8.sgi: MAKEDEV.8 
share/man/man8/man8.sparc64: MAKEDEV.8 

Log message:
sync



CVS: cvs.openbsd.org: src

2019-12-17 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2019/12/17 06:15:17

Modified files:
etc: MAKEDEV.common 

Log message:
Fix fido(4) documentation link (no functional change)



CVS: cvs.openbsd.org: src

2019-12-17 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2019/12/17 06:08:56

Modified files:
sys/dev/usb: files.usb uhid.c 
share/man/man4 : usb.4 
sys/dev/hid: hid.h 
sys/sys: conf.h 
lib/libfido2   : Makefile 
lib/libfido2/src: hid_openbsd.c 
sys/arch/alpha/conf: GENERIC 
sys/arch/alpha/alpha: conf.c 
etc: MAKEDEV.common 
etc/etc.alpha  : MAKEDEV.md 
sys/arch/amd64/conf: GENERIC 
sys/arch/amd64/amd64: conf.c 
etc/etc.amd64  : MAKEDEV.md 
sys/arch/arm64/conf: GENERIC 
sys/arch/arm64/arm64: conf.c 
etc/etc.arm64  : MAKEDEV.md 
sys/arch/arm/arm: conf.c 
etc/etc.armv7  : MAKEDEV.md 
sys/arch/armv7/conf: GENERIC 
sys/arch/hppa/conf: GENERIC 
sys/arch/hppa/hppa: conf.c 
etc/etc.hppa   : MAKEDEV.md 
sys/arch/i386/conf: GENERIC 
sys/arch/i386/i386: conf.c 
etc/etc.i386   : MAKEDEV.md 
sys/arch/landisk/conf: GENERIC 
sys/arch/landisk/landisk: conf.c 
etc/etc.landisk: MAKEDEV.md 
sys/arch/loongson/conf: GENERIC 
sys/arch/loongson/loongson: conf.c 
etc/etc.loongson: MAKEDEV.md 
sys/arch/macppc/conf: GENERIC 
sys/arch/macppc/macppc: conf.c 
etc/etc.macppc : MAKEDEV.md 
sys/arch/octeon/conf: GENERIC 
sys/arch/octeon/octeon: conf.c 
etc/etc.octeon : MAKEDEV.md 
sys/arch/sgi/conf: GENERIC-IP27 GENERIC-IP30 GENERIC-IP32 
sys/arch/sgi/sgi: conf.c 
etc/etc.sgi: MAKEDEV.md 
sys/arch/sparc64/conf: GENERIC 
sys/arch/sparc64/sparc64: conf.c 
etc/etc.sparc64: MAKEDEV.md 
Added files:
sys/dev/usb: fido.c uhid.h 
share/man/man4 : fido.4 

Log message:
Add fido(4), a HID driver for FIDO/U2F security keys

While FIDO/U2F keys were already supported by the generic uhid(4)
driver, this driver adds the first step to tighten the security of
FIDO/U2F access.  Specifically, users don't need read/write access to
all USB/HID devices anymore and the driver also improves integration
with pledge(2) and unveil(2): It is pledge-friendly because it doesn't
require any ioctls to discover the device and unveil-friendly because
it uses a single /dev/fido/* directory for its device nodes.

It also allows to support FIDO/U2F in firefox without further
weakening the "sandbox" of the browser.  Firefox does not have a
proper privsep design and many operations, such as U2F access, are
handled directly by the main process.  This means that the browser's
"fat" main process needs direct read/write access to all USB HID
devices, at least on other operating systems.  With fido(4) we can
support security keys in Firefox under OpenBSD without such a
compromise.

With this change, libfido2 stops using the ioctl to query the device
vendor/product and just assumes "OpenBSD" "fido(4)" instead.  The
ioctl is still supported but there was no benefit in obtaining the
vendor product or name; it also allows to use libfido2 under pledge.

With feedback from deraadt@ and many others
OK kettenis@ djm@ and jmc@ for the manpage bits



Re: CVS: cvs.openbsd.org: src

2019-06-26 Thread Reyk Floeter
On Wed, Jun 26, 2019 at 06:13:48AM -0600, Reyk Floeter wrote:
> CVSROOT:  /cvs
> Module name:  src
> Changes by:   r...@cvs.openbsd.org2019/06/26 06:13:48
> 
> Modified files:
>   usr.sbin/relayd: config.c relay.c relayd.c relayd.conf.5 
>relayd.h 
> 
> Log message:
> Add support for OCSP stapling
> 
> Many thanks to Bruno Flueckiger who independently sent a very similar
> patch.  He also tested the one I'm committing that it works as
> expected.
> 
> OK tb@
> 

I forgot to mention:
Thanks to jmc@ for input & OK on the manpage bits.

Reyk



CVS: cvs.openbsd.org: src

2019-06-26 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2019/06/26 06:13:48

Modified files:
usr.sbin/relayd: config.c relay.c relayd.c relayd.conf.5 
 relayd.h 

Log message:
Add support for OCSP stapling

Many thanks to Bruno Flueckiger who independently sent a very similar
patch.  He also tested the one I'm committing that it works as
expected.

OK tb@



CVS: cvs.openbsd.org: src

2019-06-01 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2019/06/01 03:54:19

Modified files:
usr.sbin/relayd: config.c 

Log message:
Make sure that the IMSG_CTL_RESET message is sent immediately.

This fixes an issue that might better be solved in imsg itself.

The problem is that IMSG_CTL_RESET does not include an fd while the
following messages (IMSG_CFG_RELAY and IMSG_CFG_RELAY_FD) do contain
fds.  If the receiver gets them in one buffer (via recvmsg), the first
fd might be wrongly associated to the IMSG_CTL_RESET message.  This is
theoretically taken care of by the imsg API, so it is either a bug in
relayd's API usage or in imsg itself.

"sure" claudio@ as a temporary fix.



CVS: cvs.openbsd.org: src

2019-05-31 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2019/05/31 09:25:57

Modified files:
usr.sbin/relayd: config.c parse.y relayd.c relayd.conf.5 
 relayd.h 

Log message:
Add support for SNI with new "tls keypair" option to load additional certs.

Tested by many (thanks!)

Feedback & OK rob@



CVS: cvs.openbsd.org: src

2019-05-31 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2019/05/31 09:15:37

Modified files:
usr.sbin/relayd: ca.c config.c parse.y relay.c relayd.c relayd.h 

Log message:
Move the relay keys/certs into a separate global list and look them up by id.

Moving the certs out of the relay struct will help to add multiple SNI certs.

Tested by many users (thanks!)

Feedback & OK rob@



CVS: cvs.openbsd.org: www

2019-05-29 Thread Reyk Floeter
CVSROOT:/cvs
Module name:www
Changes by: r...@cvs.openbsd.org2019/05/29 15:44:06

Modified files:
faq: current.html 

Log message:
Changed vmctl to vmctl(8) in the link text.

Pointed out by tb@



CVS: cvs.openbsd.org: www

2019-05-29 Thread Reyk Floeter
CVSROOT:/cvs
Module name:www
Changes by: r...@cvs.openbsd.org2019/05/29 15:42:30

Modified files:
faq: faq16.html 

Log message:
Revert previous: The FAQ is for -stable, not for -current.

I moved the vmctl syntax change into a comment for the next release.

Pointed out by tb@



CVS: cvs.openbsd.org: www

2019-05-29 Thread Reyk Floeter
CVSROOT:/cvs
Module name:www
Changes by: r...@cvs.openbsd.org2019/05/29 15:33:53

Modified files:
faq: current.html faq16.html 

Log message:
vmctl(8) syntax changed: command options before argument



CVS: cvs.openbsd.org: src

2019-05-29 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2019/05/29 15:32:43

Modified files:
usr.sbin/vmctl : main.c vmctl.8 

Log message:
Change vmctl(8) syntax: command options before the disk/name/id argument.

vmctl had a CLI-style syntax (bgpctl-style) for a short time but I
changed it back to a more suitable getopt syntax. I replaced the CLI
tokens to getopts flags but didn't consider swapping the order of
command options and arguments to be more UNIX-like again ("vmctl
create disk.img size 10G" simply became "vmctl create disk.img -s 10G").

This changes "create", "start", and "stop" commands to the commonly
expected syntax like "vmctl create -s 10G disk.img".

Requested by many

OK mlarkin@ kn@ solene@



CVS: cvs.openbsd.org: src

2019-05-29 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2019/05/29 05:52:56

Modified files:
usr.sbin/relayd: parse.y 

Log message:
Fix the check if a relay has been specified twice

Relays cannot have the same name or listen address.  If a listen
address is specified multiple times, the parser expands the
configuration into multiple relays automatically.

OK rob@



CVS: cvs.openbsd.org: src

2019-05-29 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2019/05/29 05:48:29

Modified files:
usr.sbin/relayd: parse.y relay.c relayd.c relayd.h 

Log message:
Move relay_load_*() functions into relayd.c

Pass the *env as an explicit argument instead of using the global
pointer: The relay_load_certfiles() function is called early before
the *env is set up.  This does not change anything in the current code
as *env is not used by anything in the function (not even
ssl_load_key() that is taking it as an argument) but it will be needed
by upcoming changes for SNI.

Ok rob@



CVS: cvs.openbsd.org: src

2019-05-13 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2019/05/13 09:19:16

Modified files:
usr.sbin/relayd: relay_http.c 

Log message:
Add Connection: close when switching to "unlimited" reading mode.

Ask the server to close the connection after the request since we
don't read any further request headers.  This fixes an issue with
OPTIONS and optional body, as well as similar cases.

Reported and tested by Rivo Nurges

OK benno@



CVS: cvs.openbsd.org: src

2019-05-13 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2019/05/13 03:54:07

Modified files:
usr.sbin/relayd: relay.c relay_http.c relayd.h util.c 

Log message:
Fix filter rules with "forward to" statement in persistent connections.

OK bentley@ mikeb@



CVS: cvs.openbsd.org: src

2019-05-10 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2019/05/10 14:47:54

Modified files:
distrib/miniroot: install.sub 

Log message:
Improve error message of "Question has no answer in response file".

It didn't always print the actual question so it was hard to debug
problems in the autoinstall(8) script.

OK florian@



CVS: cvs.openbsd.org: src

2019-05-10 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2019/05/10 03:15:00

Modified files:
usr.sbin/relayd: parse.y relay.c relay_http.c relayd.conf.5 
 relayd.h 

Log message:
Add support for from/to in relay filter rules.

For example,
pass from 10.0.0.0/8 path "/hello/*" forward to 

Ok benno@



CVS: cvs.openbsd.org: src

2019-05-08 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2019/05/08 17:22:19

Modified files:
usr.sbin/relayd: http.h relay.c relay_http.c relayd.c relayd.h 

Log message:
Fix and tweak websocket upgrade handling.

- Don't expect the Connection header to equal Upgrade, it may include Upgrade
- Reshuffle the code to check the Upgrade/Connection headers in one place

Reported and tested by Rivo Nurges

OK and input from benno@



CVS: cvs.openbsd.org: src

2019-05-08 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2019/05/08 13:57:45

Modified files:
usr.sbin/httpd : config.c httpd.h parse.y server_fcgi.c 
 server_http.c 

Log message:
spacing



CVS: cvs.openbsd.org: src

2018-12-05 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/12/05 11:02:51

Modified files:
sys/dev/pv : pvclock.c 

Log message:
Correctly disable pvclock(4) on old hardware that lacks a stable clock

I falsely assumed that the KVM_FEATURE_CLOCKSOURCE_STABLE_BIT
indicates that the actual clock values are stable, but it turned out
that this isn't always the case.  To detect if the clock value is
stable, we now read it once in pvclock_attach() and check for the
PVCLOCK_FLAG_TSC_STABLE flag.  This needs further investigation.

Reported and fix tested by johnw.mail at gmail.com

OK chris@ phessler@



CVS: cvs.openbsd.org: src

2018-11-26 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/11/26 03:39:30

Modified files:
usr.sbin/vmd   : vioqcow2.c vioraw.c virtio.c virtio.h vmboot.c 
usr.sbin/vmctl : main.c vmctl.c vmctl.h 

Log message:
Move the {qcow2,raw} create functions from vmctl into vmd/vio{qcow2,raw}.c

This way they are in the appropriate place and code can be shared with vmd.

Ok ori@ mlarkin@ ccardenas@



CVS: cvs.openbsd.org: src

2018-11-23 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/11/23 05:38:44

Modified files:
share/man/man4 : Makefile 

Log message:
Install pvclock(4)



CVS: cvs.openbsd.org: src

2018-11-23 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/11/23 05:37:40

Modified files:
sys/arch/amd64/conf: GENERIC 
sys/arch/i386/conf: GENERIC 
sys/dev/pv : files.pv pvreg.h 
Added files:
share/man/man4 : pvclock.4 
sys/dev/pv : pvclock.c 

Log message:
Add the pvclock(4) guest driver for paravirtual clocks

This improves timekeeping on KVM guests as it runs much better than
the virtualized acpihpet or acpitimer timecounters and the invtsc is
not always available.

Many thanks to Janne Johansson, landry@, and benno@ for testing amd64/i386.

OK mlarkin@ phessler@



CVS: cvs.openbsd.org: src

2018-11-22 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/11/22 10:31:11

Modified files:
share/man/man4 : vxlan.4 

Log message:
Use em0 instead of vmx0 to clarify the parent interface example.

Pointed out by Josh Grosse
OK deraadt@



CVS: cvs.openbsd.org: src

2018-11-21 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/11/21 05:31:47

Modified files:
usr.sbin/vmd   : config.c dhcp.c parse.y priv.c vm.conf.5 vmd.c 
 vmd.h 

Log message:
Add support for "local inet6" interfaces.

ok & test ccardenas@, additional review from kn@



CVS: cvs.openbsd.org: src

2018-11-21 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/11/21 02:50:19

Modified files:
usr.sbin/rad   : frontend.c rad.conf.5 

Log message:
Allow rad(8) to watch interface groups; e.g. "interface tap" in rad.conf.

OK florian@, additional review from kn@



CVS: cvs.openbsd.org: src

2018-11-20 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/11/20 02:06:08

Modified files:
share/man/man4 : islrtc.4 pcfrtc.4 pcxrtc.4 

Log message:
Fix spelling of kettenis' email address

"just fix" deraadt@



CVS: cvs.openbsd.org: src

2018-11-16 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/11/16 12:45:40

Modified files:
usr.sbin/rad   : frontend.c 

Log message:
Don't fatal if IPV6_LEAVE_GROUP fails.

The underlying interface might have been destroyed or detached and
rad(8) will just cope with that.

OK florian@



CVS: cvs.openbsd.org: src

2018-10-26 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/10/26 05:24:45

Modified files:
usr.sbin/vmd   : config.c 

Log message:
I broke base images with my previous commit by missing a line.

The disk path wasn't updated so vmd tried to open the derived disk
image for each base over and over again.

OK ori@ mlarkin@



CVS: cvs.openbsd.org: src

2018-10-23 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/10/23 03:53:06

Modified files:
sys/net: pf_norm.c 

Log message:
Make pf compile without DIAGNOSTIC again

OK bluhm@ kn@



CVS: cvs.openbsd.org: src

2018-10-19 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/10/19 04:12:39

Modified files:
usr.sbin/vmd   : config.c vioqcow2.c virtio.c virtio.h vmd.h 
usr.sbin/vmctl : Makefile main.c vmctl.8 vmctl.c vmctl.h 

Log message:
Add support to create and convert disk images from existing images

The -i option to vmctl create (eg. vmctl create output.qcow2 -i input.img)
lets you create a new image from an input file and convert it if it is a
different format.  This allows to convert qcow2 images from raw images,
raw from qcow2, or even qcow2 from qcow2 and raw from raw to re-optimize
the disk.

This re-uses Ori's vioqcow2.c from vmd by reaching into it and
compiling it in.  The API has been adjusted to be used from both vmctl
and vmd accordingly.

OK mlarkin@



CVS: cvs.openbsd.org: src

2018-10-18 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/10/18 02:36:11

Modified files:
usr.sbin/vmd   : parse.y 

Log message:
Use realpath(3) on the "boot" config option as well.

This fixes code that detects if boot and the first disk are identical.

OK mlarkin@



CVS: cvs.openbsd.org: src

2018-10-15 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/10/15 04:35:41

Modified files:
usr.sbin/vmd   : config.c vmd.c vmd.h 

Log message:
Prevent VM reboot loops by rate-limiting the interval a VM can reboot.

This looping has been experienced by people who run VMs with a broken
kernel or boot loader that trigger a very fast reboot loop (triple
fault) of a VM that ends up using a lot of CPU and resources on the
host.  Some fixes in vmm(4) and vmd(8) helped to avoid such conditions
but it can still occur if something is wrong in the guest VM itself.

If the VM restarts after less than VM_START_RATE_SEC (6) seconds, we
increment the limit counter.  After VM_START_RATE_LIMIT (3) of such
fast reboots the VM is stopped.

There are only very few people who intentionally want to reboot-loop a
VM very quickly (many times within a second); mostly for fuzzing.
They will have to recompile and adjust the stated #defines in the code
as we don't have a config option to disable it.

OK mlarkin@



CVS: cvs.openbsd.org: www

2018-10-10 Thread Reyk Floeter
CVSROOT:/cvs
Module name:www
Changes by: r...@cvs.openbsd.org2018/10/10 07:05:23

Modified files:
.  : 64.html 

Log message:
ldap(1) has its debut in OpenBSD 6.4.



CVS: cvs.openbsd.org: src

2018-10-10 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/10/10 05:46:59

Modified files:
sys/netinet: ip_mroute.c 
sys/netinet6   : ip6_mroute.c ip6_var.h 
usr.sbin/snmpd : kroute.c 

Log message:
RT_TABLEID_MAX is 255, fix places that assumed that it is less than 255.

rtable 255 is a valid routing table or domain id that wasn't handled
by the ip[6]_mroute code or by snmpd.  The arrays in the ip[6]_mroute
code were off by one and didn't allocate space for rtable 255; snmpd
simply ignored rtable 255.  All other places in the tree seem to
handle RT_TABLEID_MAX correctly.

OK florian@ benno@ henning@ deraadt@



CVS: cvs.openbsd.org: www

2018-10-08 Thread Reyk Floeter
CVSROOT:/cvs
Module name:www
Changes by: r...@cvs.openbsd.org2018/10/08 13:46:26

Modified files:
.  : 64.html 

Log message:
More about vmd/vmctl



CVS: cvs.openbsd.org: src

2018-10-08 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/10/08 10:32:01

Modified files:
usr.sbin/vmd   : config.c vioqcow2.c vioraw.c virtio.c virtio.h 
 vm.c vmboot.c vmd.c vmd.h vmm.c 
usr.sbin/vmctl : main.c vmctl.8 vmctl.c vmctl.h 
regress/usr.sbin/vmd/diskfmt: Makefile vioscribble.c 

Log message:
Add support for qcow2 base images (external snapshots).

This work is from Ori Bernstein, committing on his behalf:

Add support to vmd for external snapshots. That is, snapshots that are
derived from a base image. Data lookups start in the derived image,
and if the derived image does not contain some data, the search
proceeds to the base image.  Multiple derived images may exist off of
a single base image.

A limitation of this format is that modifying the base image will
corrupt the derived image.

This change also adds support for creating derived disk images to
vmctl.  To use it:

vmctl create derived.qcow2 -s 16G -b base.qcow2

From Ori Bernstein
OK mlarkin@ reyk@



CVS: cvs.openbsd.org: src

2018-10-05 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/10/05 06:54:57

Modified files:
usr.sbin/vmctl : main.c 

Log message:
Setting getopt optreset to 1 needs an additional reset of optind to 1.

OK millert@



CVS: cvs.openbsd.org: src

2018-10-02 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/10/02 10:42:38

Modified files:
usr.sbin/vmctl : vmctl.c 

Log message:
Fix potential rounding errors when calculating the qcow2 l1 and ref tables sizes

OK ccardenas@ mlarkin@



CVS: cvs.openbsd.org: src

2018-10-01 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/10/01 11:34:56

Modified files:
usr.sbin/vmd   : vioqcow2.c 

Log message:
Fix potential double-free in error path

qc2_open() calls qc2_close() on error which already frees diskp.

OK ccardenas@



CVS: cvs.openbsd.org: src

2018-10-01 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/10/01 03:31:15

Modified files:
usr.sbin/vmctl : main.c vmctl.8 vmctl.h 
usr.sbin/vmd   : parse.y vioqcow2.c vm.conf.5 vmd.h 

Log message:
Try to derive the qcow2 file format from an image file automatically.

This makes the "-d qcow2:" and "format qcow" arguments optional as vmctl
and vmd will read the magic bytes at the beginning of a file to guess if
it is a raw or a qcow image file.

The "vmctl create" command has been changed by removing the -f qcow2 option
and replacing it with the same syntax as -d: "vmctl create qcow2:foo.img".
In a slightly ununixy but intended way, the create command now also
considers the file extension for the format as "vmctl create foo.qcow2"
creates a qcow2 disk and not a raw image file.

Ok mlarkin@ (and ccardenas@ on an earlier version of the diff)



CVS: cvs.openbsd.org: src

2018-09-28 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/09/28 06:35:32

Modified files:
usr.sbin/vmd   : vioqcow2.c vioraw.c virtio.c virtio.h vm.c 
 vmboot.c vmd.h 

Log message:
Support vmd-internal's vmboot with qcow2 disk images.

OK mlarkin@



CVS: cvs.openbsd.org: src

2018-09-28 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/09/28 02:29:06

Modified files:
usr.sbin/vmd   : vioqcow2.c 

Log message:
Compress qcow2 open debug messages into a single line

Please avoid tabs and excessive multi-line information with log_debug
as it also goes to syslog.

No functional change.



CVS: cvs.openbsd.org: src

2018-09-28 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/09/28 02:23:43

Modified files:
usr.sbin/vmd   : vmd.c 

Log message:
Fix copy-pasto to use maxmem instead of maxcpu

Reported by Greg Steuck

OK mlarkin@



CVS: cvs.openbsd.org: src

2018-09-27 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/09/27 11:15:36

Modified files:
etc/rc.d   : vmd 
usr.sbin/vmctl : main.c vmctl.8 vmctl.c vmctl.h 

Log message:
Add vmctl stop -a [-fw] option to stop or terminate all running VMs.

This is also used to simplify the vmd rc stop script.

OK mlarkin@ ccardenas@



CVS: cvs.openbsd.org: src

2018-09-19 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/09/19 05:28:02

Modified files:
usr.sbin/relayd: ca.c relay.c 

Log message:
Do not abort when the ca privenc runs into a timeout.

OK claudio@



CVS: cvs.openbsd.org: src

2018-08-29 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/08/29 01:50:16

Modified files:
usr.bin/mg : def.h funmap.c line.c mg.1 

Log message:
Add set-case-replaced to toggle case-preserving replace on or off.

By default, replacing "foo" with "bar" turns "FOO" into "BAR".
With case-replace turned off, "FOO" will turn into "bar".

OK florian@ tb@



CVS: cvs.openbsd.org: src

2018-08-22 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/08/23 00:04:53

Modified files:
usr.sbin/vmctl : vmctl.c 

Log message:
Allow to boot CDROM-only VMs.

Pointed out by Jon Williams

OK mlarkin@ kn@ ccardenas@



CVS: cvs.openbsd.org: src

2018-08-07 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/08/07 08:49:05

Modified files:
usr.sbin/vmd   : config.c 

Log message:
Post-g2k18 fix: unbreak the optional vmd-internal vmboot loader.

The new vm_checkaccess() call didn't account for the vmboot case.

OK ccardenas@ mikeb@



CVS: cvs.openbsd.org: src

2018-08-07 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/08/07 05:28:29

Modified files:
usr.sbin/vmd   : config.c 

Log message:
Fix paste error in "no read access to" debug message, tweak messages.

Found by mikeb@



CVS: cvs.openbsd.org: src

2018-07-15 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/07/15 08:42:04

Modified files:
usr.sbin/vmd   : vioscsi.c 

Log message:
Revert unrelated change to vioscsi.c

(I had this in my tree to silence vioscsi.c log_debug, but Carlos
already has a better diff for that)



CVS: cvs.openbsd.org: src

2018-07-15 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/07/15 08:36:54

Modified files:
usr.sbin/vmd   : config.c proc.h vioscsi.c vmd.c vmd.h 

Log message:
Track resources and enforce cpu/memory/interface limits for non-root users.

The limits are currently hard-coded and undocumented (4 CPUs/VMs, 2G
memory, 8 interfaces) but will be configurable in an upcoming diff.
These limits are tracked in total usage; for example, a user will be
able to run up to 4 VMs with 512M of memory or a single VM with 2G.

OK ccardenas@ mlarkin@



CVS: cvs.openbsd.org: src

2018-07-13 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/07/13 04:26:57

Modified files:
usr.sbin/vmd   : config.c vmd.c vmd.h 

Log message:
Check the disk/kernel/cdrom file permissions after opening the fd.

This prevents time of TOCTOU attacks for instances.

OK mlarkin@
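
The difference between checking a path before opening it and checking the already-opened descriptor, as an added example that is not vmd's code: the check-then-open variant can be handed a different file between the two path lookups, while fstat(2) on the descriptor always describes the object that was actually opened. The function names, the permission policy in may_read() and the file names are assumptions; the sample files are constructed in a temporary directory.

```c
#define _POSIX_C_SOURCE 200809L	/* mkdtemp(3) under strict -std= modes */
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical policy: may uid/gid read a regular file with this metadata? */
static int may_read(const struct stat *st, uid_t uid, gid_t gid)
{
	if (!S_ISREG(st->st_mode))
		return 0;
	if (st->st_uid == uid)
		return (st->st_mode & S_IRUSR) != 0;
	if (st->st_gid == gid)
		return (st->st_mode & S_IRGRP) != 0;
	return (st->st_mode & S_IROTH) != 0;
}

/* Check-then-open: the path is resolved twice, with a window in between. */
static int open_check_first(const char *path, uid_t uid, gid_t gid,
    void (*window)(const char *))
{
	struct stat st;
	if (stat(path, &st) == -1 || !may_read(&st, uid, gid))
		return -1;
	window(path);	/* stands in for a concurrent rename(2) by the user */
	return open(path, O_RDONLY | O_NONBLOCK);
}

/* Open-then-check: fstat(2) describes the object the descriptor refers to. */
static int open_check_after(const char *path, uid_t uid, gid_t gid)
{
	struct stat st;
	int fd;
	if ((fd = open(path, O_RDONLY | O_NONBLOCK)) == -1)
		return -1;
	if (fstat(fd, &st) == -1 || !may_read(&st, uid, gid)) {
		close(fd);
		return -1;
	}
	return fd;
}

static char priv_path[64];	/* constructed sample file, set in toctou_demo() */

static void swap_in_private(const char *path)
{
	(void)rename(priv_path, path);
}

static int make_file(const char *path, mode_t mode)
{
	int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
	if (fd == -1 || fchmod(fd, mode) == -1)
		return -1;
	return close(fd);
}

/* Runs both variants on constructed files; returns 0 if the setup worked. */
static int toctou_demo(int *racy_got_private, int *fd_check_refused)
{
	char dir[] = "/tmp/toctou.XXXXXX", disk[64];
	uid_t uid = getuid() + 1;	/* constructed requester: not the file owner */
	gid_t gid = getgid() + 1;
	struct stat priv, got;
	int fd;
	if (mkdtemp(dir) == NULL)
		return -1;
	snprintf(disk, sizeof(disk), "%s/disk.img", dir);
	snprintf(priv_path, sizeof(priv_path), "%s/private.img", dir);
	if (make_file(disk, 0644) == -1 || make_file(priv_path, 0600) == -1 ||
	    stat(priv_path, &priv) == -1)
		return -1;

	fd = open_check_first(disk, uid, gid, swap_in_private);
	*racy_got_private = fd != -1 && fstat(fd, &got) == 0 &&
	    got.st_ino == priv.st_ino;
	if (fd != -1)
		close(fd);

	fd = open_check_after(disk, uid, gid);	/* disk.img is now the 0600 file */
	*fd_check_refused = (fd == -1);
	if (fd != -1)
		close(fd);
	unlink(disk);
	rmdir(dir);
	return 0;
}

int main(void)
{
	int racy, refused;
	if (toctou_demo(&racy, &refused) == -1)
		return 1;
	printf("check-then-open got the private file: %d\n", racy);
	printf("open-then-fstat refused it: %d\n", refused);
	return 0;
}
```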



CVS: cvs.openbsd.org: src

2018-07-13 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/07/13 02:42:49

Modified files:
usr.sbin/vmd   : control.c parse.y vm.conf.5 vmd.c vmd.h vmm.c 

Log message:
Add "allow instance" option.

This allows users to create VM instances and change desired options,
for example a user can be allowed to run a VM with all the
pre-configured options but specify an own disk image.

(mlarkin@ was fine with iterating over it)

OK ccardenas@



CVS: cvs.openbsd.org: src

2018-07-12 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/07/12 08:53:37

Modified files:
usr.sbin/vmctl : main.c 

Log message:
The vmctl start -I option was changed to -t.

I committed the manpage but accidentally forgot the main.c part.

OK ccardenas@



CVS: cvs.openbsd.org: src

2018-07-12 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/07/12 06:04:49

Modified files:
usr.sbin/vmd   : parse.y vm.conf.5 vmd.c vmd.h vmm.c 
usr.sbin/vmctl : main.c vmctl.8 vmctl.c vmctl.h 

Log message:
Allow to use configured/running VMs as templates for other VM instances.

This introduces new grammar and the -t option in vmctl start.

(For now, only root can create VM instances; but it is planned to allow
users to create their own VMs based on permissions and quota.)

OK ccardenas@ mlarkin@ jmc@



CVS: cvs.openbsd.org: src

2018-07-11 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/07/11 15:29:05

Modified files:
usr.sbin/vmctl : vmctl.c 

Log message:
check string lengths in vm_start



CVS: cvs.openbsd.org: src

2018-07-11 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/07/11 10:43:24

Modified files:
usr.sbin/vmd   : parse.y 

Log message:
sort tokens



CVS: cvs.openbsd.org: src

2018-07-11 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/07/11 10:37:31

Modified files:
usr.sbin/vmd   : vmd.c 

Log message:
style - indent each case statement in a switch.



CVS: cvs.openbsd.org: src

2018-07-11 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/07/11 07:19:47

Modified files:
etc/rc.d   : vmd 
usr.sbin/vmd   : config.c control.c vmd.c vmd.h vmm.c 
usr.sbin/vmctl : main.c vmctl.8 vmctl.c vmctl.h 

Log message:
Add -w option to vmctl stop to wait for completion of VM termination.

Use it in /etc/rc.d/vmd accordingly.

OK sthen@



CVS: cvs.openbsd.org: src

2018-07-11 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/07/11 04:31:45

Modified files:
usr.sbin/vmd   : vmd.c 

Log message:
Rename function to vmd_check_vmh



CVS: cvs.openbsd.org: src

2018-07-11 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/07/11 03:35:44

Modified files:
usr.sbin/vmctl : main.c vmctl.8 vmctl.c vmctl.h 
usr.sbin/vmd   : control.c vmd.c vmd.h vmm.c 

Log message:
Add -f option to vmctl stop to forcefully kill a VM.

This also fixes a bug in vmm_sighdlr where it might have missed
forwarding the TERMINATE_EVENT to the vmd parent after a VM child
died, leading to an abandoned VM in the vmd parent process.

OK ccardenas@ mlarkin@ benno@ kn@



CVS: cvs.openbsd.org: src

2018-07-10 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/07/10 15:12:20

Modified files:
usr.sbin/vmd   : vmd.c 

Log message:
style (single-line ifs don't need braces)



CVS: cvs.openbsd.org: src

2018-07-10 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/07/10 14:52:51

Modified files:
usr.sbin/vmd   : vmm.c 

Log message:
Return the VM pid to the vmd parent.  This pid field already existed
in the result but wasn't filled in by the vmm process.  No functional
change.



CVS: cvs.openbsd.org: src

2018-07-10 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/07/10 14:46:50

Modified files:
usr.sbin/vmd   : control.c 

Log message:
Remove a debug message



CVS: cvs.openbsd.org: src

2018-07-10 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/07/10 14:43:15

Modified files:
usr.sbin/vmd   : pci.c vioscsi.c vmd.c vmd.h vmm.c 

Log message:
vmd already had DEBUG/DPRINTF, there is no need for VMD_DEBUG/dprintf

Replace all occurrences of dprintf with DPRINTF (defined in proc.h).



CVS: cvs.openbsd.org: src

2018-07-10 Thread Reyk Floeter
CVSROOT:/cvs
Module name:src
Changes by: r...@cvs.openbsd.org2018/07/10 10:15:51

Modified files:
usr.sbin/vmd   : config.c vmd.c vmd.h vmm.c 

Log message:
Tweak debug log messages

- Turn tracing messages into DPRINTF (only compiled with DEBUG).

- Pass __func__ to vm_stop and vm_remove: this way we can track who
called the function in the async context.  It replaces the manual
log_debug in front of each vm_stop/vm_remove.  This debug logging
trick can be removed in the future once we are more confident about
it.

OK ccardenas@ mlarkin@



CVS: cvs.openbsd.org: src

2018-06-26 Thread Reyk Floeter
CVSROOT: /cvs
Module name: src
Changes by: r...@cvs.openbsd.org 2018/06/26 04:00:08

Modified files:
usr.sbin/vmd   : control.c parse.y proc.h vm.conf.5 vmd.c vmd.h 

Log message:
Add "socket owner" to allow changing the owner of the vmd control socket.

This allows opening vmctl control or console access to other users
that are not in group wheel.  Access for non-root users still defaults
to read-only actions unless you change the owner (user/group) of each
individual VM.

Requested by Mischa Peters

OK mlarkin@



CVS: cvs.openbsd.org: src

2018-06-26 Thread Reyk Floeter
CVSROOT: /cvs
Module name: src
Changes by: r...@cvs.openbsd.org 2018/06/26 03:47:20

Modified files:
usr.bin/ldap   : ldap.1 ldapclient.c 

Log message:
Allow reading the password from a file with -y

Pointed out by Tim Chase

OK rob@ gsoares@ jmc@



CVS: cvs.openbsd.org: src

2018-06-21 Thread Reyk Floeter
CVSROOT: /cvs
Module name: src
Changes by: r...@cvs.openbsd.org 2018/06/21 04:37:00

Modified files:
usr.sbin/ypldap: aldap.c aldap.h 

Log message:
Sync aldap from ldap(1).

This also fixes the _url functions that were previously #ifdef'ed out.

OK claudio@



CVS: cvs.openbsd.org: src

2018-06-21 Thread Reyk Floeter
CVSROOT: /cvs
Module name: src
Changes by: r...@cvs.openbsd.org 2018/06/21 02:27:35

Modified files:
usr.bin/ldap   : aldap.c 

Log message:
Fix DEBUG message



CVS: cvs.openbsd.org: src

2018-06-20 Thread Reyk Floeter
CVSROOT: /cvs
Module name: src
Changes by: r...@cvs.openbsd.org 2018/06/20 10:43:05

Modified files:
usr.sbin/httpd : config.c httpd.conf.5 httpd.h parse.y 
 server_http.c 

Log message:
Add support for simple one-off internal rewrites.

For example:

location match "/page/(%d+)/.*" {
	request rewrite "/static/index.php?id=%1&$QUERY_STRING"
}

Requested by many.

Ok benno@



CVS: cvs.openbsd.org: src

2018-06-20 Thread Reyk Floeter
CVSROOT: /cvs
Module name: src
Changes by: r...@cvs.openbsd.org 2018/06/20 03:20:51

Modified files:
usr.sbin/snmpd : mib.h 

Log message:
Add bsws and arcaTrust PENs



CVS: cvs.openbsd.org: src

2018-06-19 Thread Reyk Floeter
CVSROOT: /cvs
Module name: src
Changes by: r...@cvs.openbsd.org 2018/06/19 12:15:01

Modified files:
usr.sbin/vmd   : config.c 

Log message:
print process name in debug message



CVS: cvs.openbsd.org: src

2018-06-19 Thread Reyk Floeter
CVSROOT: /cvs
Module name: src
Changes by: r...@cvs.openbsd.org 2018/06/19 11:13:50

Modified files:
usr.sbin/vmctl : vmctl.c 

Log message:
knf



CVS: cvs.openbsd.org: src

2018-06-19 Thread Reyk Floeter
CVSROOT: /cvs
Module name: src
Changes by: r...@cvs.openbsd.org 2018/06/19 11:12:34

Modified files:
usr.sbin/vmd   : config.c i8253.c i8259.c ns8250.c parse.y pci.c 
 task.c vioscsi.c virtio.c vm.c vmd.c 

Log message:
knf



CVS: cvs.openbsd.org: src

2018-06-19 Thread Reyk Floeter
CVSROOT: /cvs
Module name: src
Changes by: r...@cvs.openbsd.org 2018/06/19 08:01:16

Modified files:
usr.bin: Makefile 

Log message:
Enable ldap(1) in the build.

OK deraadt@



CVS: cvs.openbsd.org: src

2018-06-15 Thread Reyk Floeter
CVSROOT: /cvs
Module name: src
Changes by: r...@cvs.openbsd.org 2018/06/15 11:17:40

Modified files:
usr.sbin/httpd : httpd.conf.5 

Log message:
Something went wrong - the strip option was documented twice.

Found by Mischa Peters, thanks



CVS: cvs.openbsd.org: src

2018-06-15 Thread Reyk Floeter
CVSROOT: /cvs
Module name: src
Changes by: r...@cvs.openbsd.org 2018/06/15 06:36:05

Modified files:
usr.sbin/httpd : server_file.c server_http.c 

Log message:
Fix 304 Not Modified response: don't send a body, use the correct MIME type.

Reported by Hidvegi Gabor  gaborca  websivision  hu

Fix found by anton@

OK anton@



CVS: cvs.openbsd.org: www

2018-06-13 Thread Reyk Floeter
CVSROOT: /cvs
Module name: www
Changes by: r...@cvs.openbsd.org 2018/06/13 12:24:24

Modified files:
faq: current.html 

Log message:
duplicate label r20180613 (bgpd, httpd), rename the 2nd to r20180613b



CVS: cvs.openbsd.org: src

2018-06-13 Thread Reyk Floeter
CVSROOT: /cvs
Module name: src
Changes by: r...@cvs.openbsd.org 2018/06/13 09:51:08

Modified files:
usr.bin/ldap   : ldap.1 

Log message:
Update AuthorizedKeysCommand example: only match ^sshPublicKey: lines.



CVS: cvs.openbsd.org: src

2018-06-13 Thread Reyk Floeter
CVSROOT: /cvs
Module name: src
Changes by: r...@cvs.openbsd.org 2018/06/13 09:45:58

Log message:
Import ldap(1), a simple ldap search client.

We have an ldapd(8) server and ypldap in base, so it makes sense to
have a simple LDAP client without depending on the OpenLDAP package.
This tool can be used in an ssh(1) AuthorizedKeysCommand script.

With feedback from many including millert@ schwarze@ gilles@ dlg@ jsing@

OK deraadt@

Status:

Vendor Tag: reyk
Release Tags:   ldap_20180613

N src/usr.bin/ldap/Makefile
N src/usr.bin/ldap/aldap.c
N src/usr.bin/ldap/aldap.h
N src/usr.bin/ldap/ber.c
N src/usr.bin/ldap/ber.h
N src/usr.bin/ldap/ldap.1
N src/usr.bin/ldap/ldapclient.c
N src/usr.bin/ldap/log.c
N src/usr.bin/ldap/log.h

No conflicts created by this import



CVS: cvs.openbsd.org: www

2018-06-13 Thread Reyk Floeter
CVSROOT: /cvs
Module name: www
Changes by: r...@cvs.openbsd.org 2018/06/13 09:11:22

Modified files:
faq: current.html 

Log message:
httpd.conf(5) grammar changed: 'root strip' is now 'request strip'.

OK claudio@



CVS: cvs.openbsd.org: src

2018-06-13 Thread Reyk Floeter
CVSROOT: /cvs
Module name: src
Changes by: r...@cvs.openbsd.org 2018/06/13 09:08:24

Modified files:
etc/examples   : httpd.conf 
usr.sbin/acme-client: acme-client.1 acme-client.conf.5 
regress/usr.sbin/acme-client: httpd.conf 
usr.sbin/httpd : httpd.conf.5 parse.y 

Log message:
Rename httpd.conf "root strip" option to "request strip".

"root strip" was semantically incorrect and did cause some confusion
as it never stripped the root but the client's request path.

Discussed with many.  Heads up: this is a grammar change that also
affects acme-client(1) configurations (see current.html).

OK claudio@



CVS: cvs.openbsd.org: src

2018-06-13 Thread Reyk Floeter
CVSROOT: /cvs
Module name: src
Changes by: r...@cvs.openbsd.org 2018/06/13 09:02:09

Modified files:
libexec/login_passwd: common.h login.c login_passwd.c 

Log message:
Call pledge(2) earlier before opening the auth channel and readpassphrase()

Before this change, only the password validation was pledged, now it
also includes some more code including the "Password:" prompt.

To pledge the code earlier, the getpwnam_shadow() had to be moved up -
it works under "getpw" but it does not return the actual password hash
under pledge.  This also works with yp(ldap).

OK deraadt@ tb@ brynet@



CVS: cvs.openbsd.org: src

2018-06-13 Thread Reyk Floeter
CVSROOT: /cvs
Module name: src
Changes by: r...@cvs.openbsd.org 2018/06/13 08:54:42

Modified files:
libexec/login_passwd: Makefile common.h login.c 

Log message:
Remove #ifdef PASSWD, it was always enabled and is a leftover from krb5 days.

No other uses of -DPASSWD were found in the tree.

OK deraadt@ tb@ brynet@



CVS: cvs.openbsd.org: src

2018-06-11 Thread Reyk Floeter
CVSROOT: /cvs
Module name: src
Changes by: r...@cvs.openbsd.org 2018/06/11 06:12:51

Modified files:
usr.sbin/httpd : httpd.conf.5 server_http.c 

Log message:
The http_query is already url_encoded; don't encode it twice.

This fixes a bug in the macros and log file handler that
double-encoded the query.  This does not change FCGI as it was already
handling the query correctly.

Additional verification of the QUERY_STRING should be implemented as well.

OK claudio@



CVS: cvs.openbsd.org: src

2018-05-23 Thread Reyk Floeter
CVSROOT: /cvs
Module name: src
Changes by: r...@cvs.openbsd.org 2018/05/23 13:02:50

Modified files:
usr.sbin/httpd : httpd.conf.5 

Log message:
Forgot to revert another "port 80"

Pointed out by jmc@



CVS: cvs.openbsd.org: src

2018-05-23 Thread Reyk Floeter
CVSROOT: /cvs
Module name: src
Changes by: r...@cvs.openbsd.org 2018/05/23 08:49:08

Modified files:
sys/tmpfs  : tmpfs_vnops.c 

Log message:
Fix build without DIAGNOSTIC, ok mikeb@



CVS: cvs.openbsd.org: src

2018-05-18 Thread Reyk Floeter
CVSROOT: /cvs
Module name: src
Changes by: r...@cvs.openbsd.org 2018/05/18 09:20:46

Modified files:
usr.sbin/httpd : parse.y 

Log message:
Move LISTEN ON {} code into a function listen_on().

No functional change, but it makes it easier to deal with the grammar.



CVS: cvs.openbsd.org: src

2018-05-18 Thread Reyk Floeter
CVSROOT: /cvs
Module name: src
Changes by: r...@cvs.openbsd.org 2018/05/18 09:04:07

Modified files:
usr.sbin/httpd : httpd.conf.5 

Log message:
Revert manpage description as well



CVS: cvs.openbsd.org: src

2018-05-18 Thread Reyk Floeter
CVSROOT: /cvs
Module name: src
Changes by: r...@cvs.openbsd.org 2018/05/18 08:24:26

Modified files:
usr.sbin/httpd : httpd.conf.5 parse.y 

Log message:
Revert previous: it introduced a shift/reduce conflict in the grammar.



CVS: cvs.openbsd.org: src

2018-05-18 Thread Reyk Floeter
CVSROOT: /cvs
Module name: src
Changes by: r...@cvs.openbsd.org 2018/05/18 08:07:46

Modified files:
usr.sbin/httpd : httpd.conf.5 parse.y 

Log message:
Allow omitting the listen port configuration. Default to port 80, tls port 443.

OK florian@ jmc@



CVS: cvs.openbsd.org: src

2018-05-18 Thread Reyk Floeter
CVSROOT: /cvs
Module name: src
Changes by: r...@cvs.openbsd.org 2018/05/18 06:36:30

Modified files:
usr.sbin/ldapd : ldapd.conf.5 parse.y search.c 

Log message:
Add support for attribute filter rules on search/read operations.

OK jmatthew@



CVS: cvs.openbsd.org: src

2018-05-16 Thread Reyk Floeter
CVSROOT: /cvs
Module name: src
Changes by: r...@cvs.openbsd.org 2018/05/16 07:19:00

Modified files:
sys/netinet: ip_ipsp.c ip_spd.c 
sys/net: pfkeyv2.c 

Log message:
Fix kernel builds without IPSEC.

OK mikeb@



CVS: cvs.openbsd.org: src

2018-05-16 Thread Reyk Floeter
CVSROOT: /cvs
Module name: src
Changes by: r...@cvs.openbsd.org 2018/05/16 04:08:47

Modified files:
usr.sbin/ldapd : search.c 

Log message:
Fix the client search request time and size limits.

ldapd failed when the specified limits were reached instead of
exceeded.  This fixes search queries that define such a limit, for
example with "ldapsearch -z 1".

Thanks to Christophe Simon for the bug report, analysis, and fix!

OK jmatthew@



CVS: cvs.openbsd.org: src

2018-05-15 Thread Reyk Floeter
CVSROOT: /cvs
Module name: src
Changes by: r...@cvs.openbsd.org 2018/05/15 09:54:51

Modified files:
usr.sbin/snmpd : snmpd.conf.5 

Log message:
The snmpd.conf file is divided into four (not three) main sections.

From Steve Arntzen


