Re: tun(4) and if_input()

2015-05-30 Thread mxb

Don’t have tun(4), but applied.
As well as latest carp and bridge patches.
So far no problems, except that I see the following in dmesg:

arpresolve: unresolved and rt_expire == 0

but this is probably not related to the new diffs.

//mxb

 On 28 May 2015, at 11:28, Martin Pieuchot m...@openbsd.org wrote:
 
 Replace the last ether_input_mbuf() by if_input().
 
 Index: net/if_tun.c
 ===
 RCS file: /cvs/src/sys/net/if_tun.c,v
 retrieving revision 1.144
 diff -u -p -r1.144 if_tun.c
 --- net/if_tun.c  26 May 2015 11:36:26 -  1.144
 +++ net/if_tun.c  28 May 2015 09:25:52 -
 @@ -871,32 +871,34 @@ tunwrite(dev_t dev, struct uio *uio, int
   }
 
   top-m_pkthdr.len = tlen;
 - top-m_pkthdr.rcvif = ifp;
 -
 -#if NBPFILTER  0
 - if (ifp-if_bpf) {
 - s = splnet();
 - bpf_mtap(ifp-if_bpf, top, BPF_DIRECTION_IN);
 - splx(s);
 - }
 -#endif
 
   if (tp-tun_flags  TUN_LAYER2) {
 + struct mbuf_list ml = MBUF_LIST_INITIALIZER();
 +
 + ml_enqueue(ml, top);
   s = splnet();
 - ether_input_mbuf(ifp, top);
 + if_input(ifp, ml);
   splx(s);
 -
   ifp-if_ipackets++;
 
   return (0);
   }
 
 +#if NBPFILTER  0
 + if (ifp-if_bpf) {
 + s = splnet();
 + bpf_mtap(ifp-if_bpf, top, BPF_DIRECTION_IN);
 + splx(s);
 + }
 +#endif
 +
   th = mtod(top, u_int32_t *);
   /* strip the tunnel header */
   top-m_data += sizeof(*th);
   top-m_len  -= sizeof(*th);
   top-m_pkthdr.len -= sizeof(*th);
   top-m_pkthdr.ph_rtableid = ifp-if_rdomain;
 + top-m_pkthdr.rcvif = ifp;
 
   switch (ntohl(*th)) {
   case AF_INET:
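
Review bot: in the TUN_LAYER2 branch the if_ipackets increment is kept right after the new if_input() call. If if_input() does its own input accounting for the list it is handed, every layer 2 packet is counted twice, so the increment should be checked against if_input() and dropped if it is redundant. The same branch now relies on if_input() to set rcvif and to feed bpf, since both were moved below the branch; a one-line comment saying so would keep a later reader from re-adding them.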
 




Re: Fix for connect race in relayd

2015-05-30 Thread Theo de Raadt
 it is possible to remove the inflight var by opening the socket before
 accepting.
 Thus there is no need for guessing if the peer socket can be open,

Where is your diff to demonstrate this?

Show your work. (Or we'll have to make an assumption).



httpd with cd9660 filesystem

2015-05-30 Thread john
I noticed that httpd will exit if it attempts to serve a file from
a cd9660 filesystem. This is due to libevent's use of kqueue by
default and kqueue's lack of support for cd9660 filesystems. I'm
not sure if this is the most appropriate fix but the patch below
restricts the server processes from using libevent/kqueue. I
haven't encountered any issues with libevent/poll running with this
for about a week on a low volume web server.


Index: proc.c
===
RCS file: /cvs/src/usr.sbin/httpd/proc.c,v
retrieving revision 1.8
diff -u -p -r1.8 proc.c
--- proc.c  21 Jan 2015 22:21:05 -  1.8
+++ proc.c  30 May 2015 18:10:41 -
@@ -395,6 +395,8 @@ proc_run(struct privsep *ps, struct priv
ps-ps_instance + 1, ps-ps_instances[p-p_id], getpid());
 #endif
 
+   if (strcmp(p-p_title, server) == 0)
+   setenv(EVENT_NOKQUEUE, yes, 0);
event_init();
 
signal_set(ps-ps_evsigint, SIGINT, proc_sig_handler, p);
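
Review bot: the return value of setenv() is ignored in the two added lines before event_init(); if it fails, the server process carries on with kqueue and exits on the cd9660 file exactly as before, so the call should be checked and the failure logged. Matching the process by its title string is also fragile: p_id is already used two lines up and would be the sturdier test. With the overwrite argument set to 0, a value already present in the environment wins, which deserves a comment. This also turns kqueue off for every server process, not only when a document root sits on cd9660, so the commit message should say that the trade-off is intended.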



build with DRMDEBUG

2015-05-30 Thread frantisek holop
this might have been a typo and i can build a kernel
with DRMDEBUG now (failed in radeon_benchmark.c).

-f
-- 
i got real close to seeing elvis but my shovel broke.
Index: drmP.h
===
RCS file: /cvs/src/sys/dev/pci/drm/drmP.h,v
retrieving revision 1.195
diff -u -p -r1.195 drmP.h
--- drmP.h  18 Apr 2015 14:47:34 -  1.195
+++ drmP.h  30 May 2015 17:36:29 -
@@ -188,7 +188,7 @@ drm_can_sleep(void)
curproc-p_pid, __func__ , ## arg)
 
 
-#ifdef DRM_DEBUG
+#ifdef DRMDEBUG
 #define DRM_INFO(fmt, arg...)  printf(drm:  fmt, ## arg)
 #else
 #define DRM_INFO(fmt, arg...) do { } while(/* CONSTCOND */ 0)
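
Review bot: with the guard changed to `#ifdef DRMDEBUG`, DRM_INFO() compiles to an empty statement on every kernel built without that option. The message only mentions the build failure in radeon_benchmark.c, so it should state whether that is the intended behaviour for normal kernels: if DRM_DEBUG was defined in any existing configuration, those kernels lose their DRM_INFO output. It is also worth checking for other `#ifdef DRM_DEBUG` guards so the two spellings do not end up coexisting.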



Re: Fix for connect race in relayd

2015-05-30 Thread sven falempin
The patch is in a turned off machine,
after doing the patch
i contacted directly reyk for the matter,
i'd like to push the issue further by not accepting
the socket while the connect didn't succeed when possible.

(The pastebin expire)

Please be a bit patient.


On Sat, May 30, 2015 at 12:35 PM, Theo de Raadt dera...@cvs.openbsd.org
wrote:

  it is possible to remove the inflight var by opening the socket before
  accepting.
  Thus there is no need for guessing if the peer socket can be open,

 Where is your diff to demonstrate this?

 Show your work. (Or we'll have to make an assumption).




-- 
-
() ascii ribbon campaign - against html e-mail
/\


Re: Fix for connect race in relayd

2015-05-30 Thread sven falempin
it is possible to remove the inflight var by opening the socket before
accepting.
Thus there is no need for guessing if the peer socket can be open,

On Sat, May 30, 2015 at 7:40 AM, Claudio Jeker clau...@openbsd.org wrote:

 On Fri, May 22, 2015 at 09:18:29PM +0200, Alexander Bluhm wrote:
  This breaks relayd with TLS inspection.  Moving down the called
  once check after the F_TLSINSPECT block fixes the plain SSL case.
  But HTTPS still hangs.  I have just committed a test.  Try
 
  cd /usr/src/regress/usr.sbin/relayd  make
 run-regress-args-https-inspect.pl
 
  bluhm
 
  On Fri, May 22, 2015 at 03:55:16PM +0200, Claudio Jeker wrote:
   On our production systems we did hit the relay_connect: no connection
 in
   flight on a so regular basis that I had to make it non-fatal with the
   result of leaking sockets.
  
   After more investigation I found the problem to be a race against
   connecting to the backend servers. In short:
   - relay_read_http() will open a connection if following conditions are
 met
 cre-dir == RELAY_DIR_REQUEST  cre-toread = 0  cre-dst-bev
 == NULL
  
   - relay_connect() does not initialize con-se_out.bev (which is also
 cre-dst-bev). Instead this is deferred to relay_connected()
  
   - if an event happens that calls relay_read_http() while connecting to
 the
 backend then relay_connect() will be called again. Result is the
 panic
 since the count gets out of sync.
  
   The following diff solves this issue by adding an extra flag to
   ctl_relay_event to know if a relay is already connected (or the
 connect is
   pending). relay_close() will then clean the flag when closing the
 session.
   I decided to use a flag since the EMFILE || ENFILE case is hard to
 detect
   otherwise.
  
   Running with this on production with no visible issues at the moment.
   I think it would make sense to restructure the http proxy code more and
   introduce a proper state machine but that is a much bigger and complex
   issue, so let's fix the bug first.
  

 New version that now passes all regress tests. It got a fair bit more
 complex because the F_TLSINSPECT case results in multiple entries of
 relay_connect and relay_connected. So I switched to use a state variable
 instead of a flag. It seems to work (and also works in the EMFILE/ENFILE
 case). At least it worked for me by forcing that code path all the time.

 --
 :wq Claudio

 Index: relay.c
 ===
 RCS file: /cvs/src/usr.sbin/relayd/relay.c,v
 retrieving revision 1.194
 diff -u -p -r1.194 relay.c
 --- relay.c 18 May 2015 16:57:20 -  1.194
 +++ relay.c 30 May 2015 11:12:27 -
 @@ -1408,8 +1408,10 @@ relay_connect_retry(int fd, short sig, v
 struct relay*rlay = con-se_relay;
 int  bnds = -1;

 -   if (relay_inflight  1)
 -   fatalx(relay_connect_retry: no connection in flight);
 +   if (relay_inflight  1) {
 +   log_warnx(relay_connect_retry: no connection in flight);
 +   relay_inflight = 1;
 +   }

 DPRINTF(%s: retry %d of %d, inflight: %d,__func__,
 con-se_retrycount, con-se_retry, relay_inflight);
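
Review bot: at the top of relay_connect_retry the inflight check no longer stops the process; it warns and then overwrites relay_inflight with 1, which absorbs the very desync the rest of this diff is meant to prevent. If the new se_out.state tracking closes the race, this can stay fatalx. If it has to be survivable, the warning should at least carry the session id (se_id, as logged in relay_preconnect) so the affected session can be found in the logs, and the forced reset needs a comment explaining why 1 is the right value.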
 @@ -1466,6 +1468,10 @@ relay_connect_retry(int fd, short sig, v
 return;
 }

 +   if (rlay-rl_conf.flags  F_TLSINSPECT)
 +   con-se_out.state = PRECONNECT;
 +   else
 +   con-se_out.state = CONNECTED;
 relay_inflight--;
 DPRINTF(%s: inflight decremented, now %d,__func__,
 relay_inflight);
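
Review bot: the two state names are assigned here without any comment on what they mean, and in the F_TLSINSPECT case the session becomes PRECONNECT at the same point where the plain case becomes CONNECTED, which reads backwards. A short comment at this assignment, or at the definition of the states, saying what each state means and which function may move between them would make the once-only guard in relay_connect reviewable. The early `return;` just above leaves the state untouched, so it is worth confirming that the error path and relay_close() put it back to its initial value.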

 @@ -1484,9 +1490,14 @@ relay_connect_retry(int fd, short sig, v
  int
  relay_preconnect(struct rsession *con)
  {
 +   int rv;
 +
 log_debug(%s: session %d: process %d, __func__,
 con-se_id, privsep_process);
 -   return (relay_connect(con));
 +   rv = relay_connect(con);
 +   if (con-se_out.state == CONNECTED)
 +   con-se_out.state = PRECONNECT;
 +   return (rv);
  }

  int
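
Review bot: relay_preconnect moves the state from CONNECTED back to PRECONNECT without looking at rv or at the state before the call. relay_connect returns 0 straight away for a session that is already CONNECTED, so a second relay_preconnect on such a session would report success and then reopen it for another connect. Saving the state before the call and downgrading only when this call made the transition, with a comment on why the downgrade is needed, would close that.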
 @@ -1496,18 +1507,28 @@ relay_connect(struct rsession *con)
 struct timeval   evtpause = { 1, 0 };
 int  bnds = -1, ret;

 +   /* relay_connect should only be called once per relay */
 +   if (con-se_out.state == CONNECTED) {
 +   log_debug(%s: connect already called once, __func__);
 +   return (0);
 +   }
 +
 /* Connection is already established but session not active */
 -   if ((rlay-rl_conf.flags  F_TLSINSPECT)  con-se_out.s != -1) {
 +   if ((rlay-rl_conf.flags  F_TLSINSPECT) 
 +   con-se_out.state == PRECONNECT) {
 if (con-se_out.ssl == NULL) {
 log_debug(%s: tls connect failed, __func__);
 return (-1);
 }
 relay_connected(con-se_out.s, EV_WRITE, con);
 +   con-se_out.state = CONNECTED;
 return (0);
 }

 -   if (relay_inflight  1)
 -