Re: /etc/rc.d/rc.subr; prefix ${pexp} with script interpretor path

2013-09-17 Thread Craig R. Skinner
On 2013-09-16 Mon 23:28 PM |, Alexander Hall wrote:
 
 sed can do it all. Really.

This is getting beyond me Alexander.

Is sed a mechanism to step away from using file(1) ?

 Notes:
 
 - I separate re_quote() cause I think it can be useful in other places.
 - I think re_quote() is (basic) regex complete.
 - I don't care if the interpreter is (or seems) nonexistant, as that
   shouldn't be a runtime error.
 - I'm sure sed may die horribly if you try to feed it a 9GB oneline
   file. However, if so, it should not produce any output anyway. ;)
   If this would ever be considered a real problem, dd(1) would help
   (as espie already mentioned).
 
   re_quote() { sed 's/\([]^$*.\\[]\)/\\\1/g'; }
 
   interpreter=$(
   sed -n 's/^#![[:space:]]*\(.*\)/\1 /p;q' ${daemon} |
   re_quote)
   pexp=$interpreter$pexp
 
 Moreover,
 
 - you probably want to unset $interpreter when done.
 - we might want to re_quote the entire $pexp later instead.
 



divert-to with port range

2013-09-17 Thread Ivan Popovski
Hi

I've been asked by a net admin to implement a pf.conf simplification for the
divert-to rule.
The reason is that divert-to is written to support only one port per line,
so there are situations where admins must write a lot of lines that differ
only in the port. After looking at pfctl/parse.y I've found that a
patch (for 5.3) would be trivial and wouldn't break anything, i.e. it works for
both a single port and a port range.

Please let me know if there is interest for this and ofc if something needs to 
be fixed.

Here is an example.

Now:

pass in quick inet proto tcp from 192.168.1.0/24 to any port 21 divert-to 
127.0.0.1 port 42240 modulate state probability 20%
pass in quick inet proto tcp from 192.168.1.0/24 to any port 21 divert-to 
127.0.0.1 port 42241 modulate state probability 20%
pass in quick inet proto tcp from 192.168.1.0/24 to any port 21 divert-to 
127.0.0.1 port 42242 modulate state probability 20%
pass in quick inet proto tcp from 192.168.1.0/24 to any port 21 divert-to 
127.0.0.1 port 42243 modulate state probability 20%
pass in quick inet proto tcp from 192.168.1.0/24 to any port 21 divert-to 
127.0.0.1 port 42244 modulate state

After patching:

pass in quick inet proto tcp from 192.168.1.0/24 to any port 21 divert-to 
127.0.0.1 port 42240:42243 modulate state probability 20%
pass in quick inet proto tcp from 192.168.1.0/24 to any port 21 divert-to 
127.0.0.1 port 42244 modulate state

Patch:

Index: parse.y
===
RCS file: /cvs/src/sbin/pfctl/parse.y,v
retrieving revision 1.621
diff -u -r1.621 parse.y
--- parse.y 16 Jan 2013 01:49:20 -  1.621
+++ parse.y 17 Sep 2013 15:45:20 -
@@ -261,7 +261,7 @@
u_int8_t set_prio[2];
struct {
struct node_host*addr;
-   u_int16_t   port;
+   u_int16_t   port, port_top;
}divert, divert_packet;
struct redirspec nat;
struct redirspec rdr;
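Review bot: The new `port_top` field has no comment saying what it holds, yet the later hunks rely on two unstated conventions: it is kept in network byte order like `port` (it is passed through `ntohs()` in the rule action), and zero appears to mean "no range given". I would state that at the declaration, e.g. `u_int16_t port, port_top; /* network order; port_top == 0: single port */`. Because the anonymous struct is shared, `divert_packet` also gains a `port_top` that none of the visible hunks sets or reads, so confirm that is intended. The enclosing structure starts and ends outside this hunk.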
@@ -475,7 +475,7 @@
 %type  v.i   sourcetrack flush unaryop statelock
 %type  v.b   action
 %type  v.b   flags flag blockspec prio
-%type  v.range   portplain portstar portrange
+%type  v.range   portstar portrange
 %type  v.hashkey hashkey
 %type  v.proto   proto proto_list proto_item
 %type  v.number  protoval
@@ -2078,6 +2078,28 @@
r.divert.addr =
$8.divert.addr-addr.v.a.addr;
}
+   if ($8.divert.port_top 
+   $8.divert.port_top  r.divert.port) {
+   yyerror(invalid divert port range: 
+   %u:%u, ntohs(r.divert.port),
+   ntohs($8.divert.port_top));
+   YYERROR;
+   }
+
+#define NHS_LT(x, y) (ntohs(x)  ntohs(y))
+#define NHS_INC(x) x = htons(ntohs(x) + 1)
+   while(NHS_LT(r.divert.port,
+   $8.divert.port_top)) {
+   expand_rule(r, 1, $4, $8.nat, $8.rdr,
+   $8.rroute, $6, $7.src_os,
+   $7.src.host, $7.src.port,
+   $7.dst.host, $7.dst.port,
+   $8.uid, $8.gid, $8.rcv,
+   $8.icmpspec, );
+   NHS_INC(r.divert.port);
+   }
+#undef NHS_INC
+#undef NHS_LT
}
r.divert_packet.port = $8.divert_packet.port;
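Review bot: The range check at the top of the added block compares `$8.divert.port_top` with `r.divert.port` directly, while everything else here treats both as network-order values (`ntohs()` in the error message and in `NHS_LT`). The comparison operators were lost in this rendering, but if it is a plain `<` on the raw fields it misorders ports on little-endian hosts and should read `ntohs($8.divert.port_top) < ntohs(r.divert.port)`; a reversed range that slips past the check just skips the loop and loads as a single-port divert without any warning. The loop also calls `expand_rule()` once per port with the same `$4`, `$7.src.host`, `$7.dst.host` and related arguments; its body is not shown, so confirm it does not free or consume those lists, otherwise the second iteration and any later call would work on released memory. `NHS_INC` should parenthesise its argument and expansion, `#define NHS_INC(x) ((x) = htons(ntohs(x) + 1))`. The enclosing rule action starts and ends outside the hunk.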
 
@@ -2197,7 +2219,7 @@
}
filter_opts.rtableid = $2;
}
-   | DIVERTTO STRING PORT portplain {
+   | DIVERTTO STRING PORT portrange {
if ((filter_opts.divert.addr = host($2)) == NULL) {
yyerror(could not parse divert address: %s,
$2);
@@ -2210,6 +2232,7 @@
yyerror(invalid divert port: %u, ntohs($4.a));
YYERROR;
}
+   filter_opts.divert.port_top = $4.b;
}
| DIVERTREPLY {
filter_opts.divert.port = 1;/* some random value */
@@ -3073,15 +3096,6 @@
$$-op = $2;
$$-next = NULL;
$$-tail = $$;
-   }
-   ;
-
-portplain  : numberstring  {
-   if 

Re: divert-to with port range

2013-09-17 Thread Dave Anderson
On Tue, 17 Sep 2013, Ivan Popovski wrote:

Hi

I've been asked, by net admin, to implement pf.conf simplification for
divert-to rule. Reason is that divert-to is written to support only one
port per line and because of that there are situations where admins
must write lot of lines only because different ports. After looking at
pfctl/parse.y I've found that patch (for 5.3) would be trivial and
wouldn't break anything, ie. works for one port and port range at the
same time.

Please let me know if there is interest for this and ofc if something
needs to be fixed.

Here is an example.

Now:

pass in quick inet proto tcp from 192.168.1.0/24 to any port 21 divert-to 
127.0.0.1 port 42240 modulate state probability 20%
pass in quick inet proto tcp from 192.168.1.0/24 to any port 21 divert-to 
127.0.0.1 port 42241 modulate state probability 20%
pass in quick inet proto tcp from 192.168.1.0/24 to any port 21 divert-to 
127.0.0.1 port 42242 modulate state probability 20%
pass in quick inet proto tcp from 192.168.1.0/24 to any port 21 divert-to 
127.0.0.1 port 42243 modulate state probability 20%
pass in quick inet proto tcp from 192.168.1.0/24 to any port 21 divert-to 
127.0.0.1 port 42244 modulate state

This appears to be intended to divide connections equally among five
ports, but (given that the probability applies only to the packets which
actually reach the rule) doesn't it actually divide them as 20%, 16%,
12.8%, 10.24%, 40.96%?  To get an (approximately) equal distribution I
think you'd need to use probabilities 20%, 25%, 33%, 50%.

If using a port range were to implicitly divide connections equally
among those ports, this problem would go away.  But that's not what your
patch does.

Dave

After patching:

pass in quick inet proto tcp from 192.168.1.0/24 to any port 21 divert-to 
127.0.0.1 port 42240:42243 modulate state probability 20%
pass in quick inet proto tcp from 192.168.1.0/24 to any port 21 divert-to 
127.0.0.1 port 42244 modulate state

Patch:

Index: parse.y
===
RCS file: /cvs/src/sbin/pfctl/parse.y,v
retrieving revision 1.621
diff -u -r1.621 parse.y
--- parse.y16 Jan 2013 01:49:20 -  1.621
+++ parse.y17 Sep 2013 15:45:20 -
@@ -261,7 +261,7 @@
   u_int8_t set_prio[2];
   struct {
   struct node_host*addr;
-  u_int16_t   port;
+  u_int16_t   port, port_top;
   }divert, divert_packet;
   struct redirspec nat;
   struct redirspec rdr;
@@ -475,7 +475,7 @@
 %type v.i   sourcetrack flush unaryop statelock
 %type v.b   action
 %type v.b   flags flag blockspec prio
-%type v.range   portplain portstar portrange
+%type v.range   portstar portrange
 %type v.hashkey hashkey
 %type v.proto   proto proto_list proto_item
 %type v.number  protoval
@@ -2078,6 +2078,28 @@
   r.divert.addr =
   $8.divert.addr-addr.v.a.addr;
   }
+  if ($8.divert.port_top 
+  $8.divert.port_top  r.divert.port) {
+  yyerror(invalid divert port range: 
+  %u:%u, ntohs(r.divert.port),
+  ntohs($8.divert.port_top));
+  YYERROR;
+  }
+
+#define NHS_LT(x, y) (ntohs(x)  ntohs(y))
+#define NHS_INC(x) x = htons(ntohs(x) + 1)
+  while(NHS_LT(r.divert.port,
+  $8.divert.port_top)) {
+  expand_rule(r, 1, $4, $8.nat, $8.rdr,
+  $8.rroute, $6, $7.src_os,
+  $7.src.host, $7.src.port,
+  $7.dst.host, $7.dst.port,
+  $8.uid, $8.gid, $8.rcv,
+  $8.icmpspec, );
+  NHS_INC(r.divert.port);
+  }
+#undef NHS_INC
+#undef NHS_LT
   }
   r.divert_packet.port = $8.divert_packet.port;

@@ -2197,7 +2219,7 @@
   }
   filter_opts.rtableid = $2;
   }
-  | DIVERTTO STRING PORT portplain {
+  | DIVERTTO STRING PORT portrange {
   if ((filter_opts.divert.addr = host($2)) == NULL) {
   yyerror(could not parse divert address: %s,
   $2);
@@ -2210,6 +2232,7 @@
   yyerror(invalid divert port: %u, ntohs($4.a));
  

Re: divert-to with port range

2013-09-17 Thread sven falempin
The patch is only extending the rules, so I don't see how it could behave
differently.

The original set of percentage is still strange so you have a point.

Unless they expect this behavior (they still end with the good 100% rules)

isn't it possible to round robin this ? with relayd or something else ?



On Tue, Sep 17, 2013 at 3:42 PM, Dave Anderson d...@daveanderson.comwrote:

 On Tue, 17 Sep 2013, Ivan Popovski wrote:

 Hi
 
 I've been asked, by net admin, to implement pf.conf simplification for
 divert-to rule. Reason is that divert-to is written to support only one
 port per line and because of that there are situations where admins
 must write lot of lines only because different ports. After looking at
 pfctl/parse.y I've found that patch (for 5.3) would be trivial and
 wouldn't break anything, ie. works for one port and port range at the
 same time.
 
 Please let me know if there is interest for this and ofc if something
 needs to be fixed.
 
 Here is an example.
 
 Now:
 
 pass in quick inet proto tcp from 192.168.1.0/24 to any port 21
 divert-to 127.0.0.1 port 42240 modulate state probability 20%
 pass in quick inet proto tcp from 192.168.1.0/24 to any port 21
 divert-to 127.0.0.1 port 42241 modulate state probability 20%
 pass in quick inet proto tcp from 192.168.1.0/24 to any port 21
 divert-to 127.0.0.1 port 42242 modulate state probability 20%
 pass in quick inet proto tcp from 192.168.1.0/24 to any port 21
 divert-to 127.0.0.1 port 42243 modulate state probability 20%
 pass in quick inet proto tcp from 192.168.1.0/24 to any port 21
 divert-to 127.0.0.1 port 42244 modulate state

 This appears to be intended to divide connections equally among five
 ports, but (given that the probability applies only to the packets which
 actually reach the rule) doesn't it actually divide them as 20%, 16%,
 12.8%, 10.24%, 40.96%?  To get an (approximately) equal distribution I
 think you'd need to use probabilities 20%, 25%, 33%, 50%.

 If using a port range were to implicitly divide connections equally
 among those ports, this problem would go away.  But that's not what your
 patch does.

 Dave

 After patching:
 
 pass in quick inet proto tcp from 192.168.1.0/24 to any port 21
 divert-to 127.0.0.1 port 42240:42243 modulate state probability 20%
 pass in quick inet proto tcp from 192.168.1.0/24 to any port 21
 divert-to 127.0.0.1 port 42244 modulate state
 
 Patch:
 
 Index: parse.y
 ===
 RCS file: /cvs/src/sbin/pfctl/parse.y,v
 retrieving revision 1.621
 diff -u -r1.621 parse.y
 --- parse.y16 Jan 2013 01:49:20 -  1.621
 +++ parse.y17 Sep 2013 15:45:20 -
 @@ -261,7 +261,7 @@
u_int8_t set_prio[2];
struct {
struct node_host*addr;
 -  u_int16_t   port;
 +  u_int16_t   port, port_top;
}divert, divert_packet;
struct redirspec nat;
struct redirspec rdr;
 @@ -475,7 +475,7 @@
  %type v.i   sourcetrack flush unaryop statelock
  %type v.b   action
  %type v.b   flags flag blockspec prio
 -%type v.range   portplain portstar portrange
 +%type v.range   portstar portrange
  %type v.hashkey hashkey
  %type v.proto   proto proto_list proto_item
  %type v.number  protoval
 @@ -2078,6 +2078,28 @@
r.divert.addr =
$8.divert.addr-addr.v.a.addr;
}
 +  if ($8.divert.port_top 
 +  $8.divert.port_top  r.divert.port) {
 +  yyerror(invalid divert port
 range: 
 +  %u:%u, ntohs(r.divert.port),
 +  ntohs($8.divert.port_top));
 +  YYERROR;
 +  }
 +
 +#define NHS_LT(x, y) (ntohs(x)  ntohs(y))
 +#define NHS_INC(x) x = htons(ntohs(x) + 1)
 +  while(NHS_LT(r.divert.port,
 +  $8.divert.port_top)) {
 +  expand_rule(r, 1, $4, $8.nat,
 $8.rdr,
 +  $8.rroute, $6, $7.src_os,
 +  $7.src.host, $7.src.port,
 +  $7.dst.host, $7.dst.port,
 +  $8.uid, $8.gid, $8.rcv,
 +  $8.icmpspec, );
 +  NHS_INC(r.divert.port);
 +  }
 +#undef NHS_INC
 +#undef NHS_LT
}
r.divert_packet.port = $8.divert_packet.port;
 
 @@ -2197,7 +2219,7 @@
  

rman.h

2013-09-17 Thread Kyle R W Milz
tech@,

I was porting over some freebsd kernel code and came across a struct
rman and some rman_* utility functions, defined in fbsd's sys/rman.h .

Does obsd have an equivalent interface?



Re: /etc/rc.d/rc.subr; prefix ${pexp} with script interpretor path

2013-09-17 Thread Alexander Hall

On 09/17/13 13:49, Craig R. Skinner wrote:

On 2013-09-16 Mon 23:28 PM |, Alexander Hall wrote:


sed can do it all. Really.


This is getting beyond me Alexander.

Is sed a mechanism to step away from using file(1) ?


Heh, sorry about that. :)

Nah, it's merely a way to combine `head | grep | sed | cut | ...` pipes 
since sed is often capable to cope with it all.





Notes:

- I separate re_quote() cause I think it can be useful in other places.
- I think re_quote() is (basic) regex complete.
- I don't care if the interpreter is (or seems) nonexistant, as that
   shouldn't be a runtime error.
- I'm sure sed may die horribly if you try to feed it a 9GB oneline
   file. However, if so, it should not produce any output anyway. ;)
   If this would ever be considered a real problem, dd(1) would help
   (as espie already mentioned).

re_quote() { sed 's/\([]^$*.\\[]\)/\\\1/g'; }

interpreter=$(
sed -n 's/^#![[:space:]]*\(.*\)/\1 /p;q' ${daemon} |


In this case I make sure sed only looks at the first line (unconditional 
'q'uit at the end), and prints it, followed by a space, but only if it 
was able to strip a shebang and any following whitespace from 
the start of the line (-n, s/^...\(.*\)/\1 /p).


What is known and discussed though, is that sed could potentially crash 
on a *really* long first line in that file. In this case, a pre-check 
with file(1), or input truncation with dd, would help.


Anyway, my $.02 is running out, so I leave it up to the rc.d 
maintainer(s) to determine if they consider it a real problem or if it 
can go the way of the hash-collision discussion...


/Alexander


re_quote)
pexp=$interpreter$pexp

Moreover,

- you probably want to unset $interpreter when done.
- we might want to re_quote the entire $pexp later instead.







Re: edgerouter lite ethernet

2013-09-17 Thread Brian Callahan

On 9/17/2013 12:45 AM, Brian Callahan wrote:

On 09/16/13 19:29, Jonathan Matthew wrote:

Here's the rest of the changes required to get ethernet working on the
edgerouter lite, which makes it possible to boot off nfsroot and do
exciting
stuff like build kernels.

- add atphy(4) to configs
- allow separate rx and tx clock settings
- add phy mapping for erl
- add tx/rx clock settings for erl

ok?



No. This breaks the RAMDISK (tested on CAM-0100). Log at the bottom of
this email from the CAM-0100 (and attached as a tarball too because I
don't trust Thunderbird). Note that everything else works except for the
RAMDISK. The GENERIC kernel works great on the CAM-0100 and ERL and
everything works as expected on both machines with GENERIC.

Also, the panic still occurs if you remove the atphy* line from RAMDISK.

Can someone else who has a CAM-0100 double check to make sure it's not
just me, since I'd love to have this go in.



I double and triple checked this today: turns out the first RAMDISK was 
built incorrectly somehow. The second and third check RAMDISKs work fine 
so I retract everything I said before and this is ok me.


~Brian


~Brian


Copyright (c) 1982, 1986, 1989, 1991, 1993
 The Regents of the University of California.  All rights
reserved.
Copyright (c) 1995-2013 OpenBSD. All rights reserved.
http://www.OpenBSD.org

OpenBSD 5.4-current (GENERIC) #29: Tue Sep 17 08:07:14 EST 2013
 r...@cantrip.eait.uq.edu.au:/usr/src/sys/arch/octeon/compile/GENERIC
real mem = 247922688 (236MB)
avail mem = 245612544 (234MB)
mainbus0 at root
cpu0 at mainbus0: Cavium OCTEON CPU rev 0.1 500 MHz, Software FP
emulation
cpu0: cache L1-I 32KB D 16KB 4 way, L2 128KB direct
clock0 at mainbus0: int 5
iobus0 at mainbus0
octcf at iobus0 base 0x1d000800 irq 0 not configured
pcibus at iobus0 irq 0 not configured
cn30xxgmx0 at iobus0 base 0x118000800 irq 48
cnmac0 at cn30xxgmx0 address=0x000118000800: RGMII, address
dc:9f:db:29:40:2f
atphy0 at cnmac0 phy 7: F1 10/100/1000 PHY, rev. 2
cnmac1 at cn30xxgmx0 address=0x000118000800: RGMII, address
dc:9f:db:29:40:30
atphy1 at cnmac1 phy 6: F1 10/100/1000 PHY, rev. 2
cnmac2 at cn30xxgmx0 address=0x000118000800: RGMII, address
dc:9f:db:29:40:31
atphy2 at cnmac2 phy 5: F1 10/100/1000 PHY, rev. 2
uar: ns16550, no working fifo
com0: console
com1 at uartbus0 base 0x118000c00 irq 35: ns16550, no working fifo
/dev/ksyms: Symbol table not valid.
vscsi0 at root
scsibus0 at vscsi0: 256 targets
softraid0 at root
scsibus1 at softraid0: 256 targets
root device: cnmac0
nfs_boot: using interface cnmac0, with revarp  bootparams
cnmac0: link up (1000baseT-FDX)
cnmac0: link down
cnmac0: link up (1000baseT-FDX)
nfs_boot: client_addr=192.168.1.2
nfs_boot: server_addr=192.168.1.22 hostname=erl
root on 192.168.1.22:/srv/octeon-nfsroot
WARNING: No TOD clock, believing file system.
WARNING: CHECK AND RESET THE DATE!
swap on 192.168.1.22:/srv/octeon-nfsswap



Index: arch/octeon/conf/GENERIC
===
RCS file: /cvs/src/sys/arch/octeon/conf/GENERIC,v
retrieving revision 1.9
diff -u -p -r1.9 GENERIC
--- arch/octeon/conf/GENERIC24 Jun 2011 02:18:17 -1.9
+++ arch/octeon/conf/GENERIC16 Sep 2013 22:50:31 -
@@ -44,6 +44,7 @@ cnmac*at cn30xxgmx?
  rgephy*at mii?
  ukphy*at mii?
+atphy*at mii?
  # IDE Controller
  pciide*at pci? flags 0x
Index: arch/octeon/conf/RAMDISK
===
RCS file: /cvs/src/sys/arch/octeon/conf/RAMDISK,v
retrieving revision 1.11
diff -u -p -r1.11 RAMDISK
--- arch/octeon/conf/RAMDISK26 Mar 2013 14:23:19 -1.11
+++ arch/octeon/conf/RAMDISK16 Sep 2013 22:50:31 -
@@ -64,6 +64,7 @@ cnmac*at cn30xxgmx?
  rgephy*at mii?
  ukphy*at mii?
+atphy*at mii?
  pseudo-deviceloop1# network loopback
  pseudo-devicebpfilter1# packet filter
Index: arch/octeon/dev/cn30xxasx.c
===
RCS file: /cvs/src/sys/arch/octeon/dev/cn30xxasx.c,v
retrieving revision 1.3
diff -u -p -r1.3 cn30xxasx.c
--- arch/octeon/dev/cn30xxasx.c5 Dec 2012 23:20:14 -1.3
+++ arch/octeon/dev/cn30xxasx.c16 Sep 2013 22:50:31 -
@@ -175,10 +175,10 @@ cn30xxasx_enable_intr(struct cn30xxasx_s
  #endif
  int
-cn30xxasx_clk_set(struct cn30xxasx_softc *sc, int setting)
+cn30xxasx_clk_set(struct cn30xxasx_softc *sc, int tx_setting, int
rx_setting)
  {
-_ASX_WR8(sc, ASX0_TX_CLK_SET0_OFFSET + 8 * sc-sc_port, setting);
-_ASX_WR8(sc, ASX0_RX_CLK_SET0_OFFSET + 8 * sc-sc_port, setting);
+_ASX_WR8(sc, ASX0_TX_CLK_SET0_OFFSET + 8 * sc-sc_port, tx_setting);
+_ASX_WR8(sc, ASX0_RX_CLK_SET0_OFFSET + 8 * sc-sc_port, rx_setting);
  return 0;
  }
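Review bot: `cn30xxasx_clk_set()` now takes two adjacent `int` arguments with nothing at the definition saying which is which or what values are valid, and both are written to the registers unchecked. A short header comment such as `/* Program the TX and RX clock settings for sc_port; tx first, then rx. Always returns 0. */` would make swapped arguments at a call site easier to spot. The callers and the prototype are outside this hunk (the cn30xxasxvar.h section is cut off below), so check that every caller was updated to pass both values.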
Index: arch/octeon/dev/cn30xxasxvar.h
===
RCS file: