gre(4) update

2018-02-06 Thread David Gwynne
this is a big change to gre, with the main motivation of adding
support for gre keys.

gre keys are supported by the vnetid ioctls, and works much like
vxlan (funny that). by default gre doesn't use a key, but you can
set one and change your mind and remove it later. the current code
simply skips over the key header and still accepts the packet.

while here, it adds support for gre over ipv6.

on the other hand, it drops support for gre keepalives and wccp handling.

gre keepalives dont work if the tunnelled traffic is in a different
rdomain to the underlay network. i can add wccp back later though.

ok?

Index: net/if_gre.c
===
RCS file: /cvs/src/sys/net/if_gre.c,v
retrieving revision 1.90
diff -u -p -r1.90 if_gre.c
--- net/if_gre.c7 Feb 2018 01:52:15 -   1.90
+++ net/if_gre.c7 Feb 2018 06:27:17 -
@@ -38,9 +38,6 @@
  * Also supported: IP in IP encapsulation (proto 55) per RFC 2004.
  */
 
-#include "gre.h"
-#if NGRE > 0
-
 #include "bpfilter.h"
 #include "pf.h"
 
@@ -50,10 +47,12 @@
 #include 
 #include 
 #include 
-#include 
+#include 
+#include 
 
 #include 
 #include 
+#include 
 #include 
 
 #include 
@@ -61,6 +60,19 @@
 #include 
 #include 
 
+#ifdef INET6
+#include 
+#include 
+#endif
+
+#ifdef PIPEX
+#include 
+#endif
+
+#ifdef MPLS
+#include 
+#endif /* MPLS */
+
 #if NBPFILTER > 0
 #include 
 #endif
@@ -71,25 +83,115 @@
 
 #include 
 
-#ifndef GRE_RECURSION_LIMIT
-#define GRE_RECURSION_LIMIT3   /* How many levels of recursion allowed */
-#endif /* GRE_RECURSION_LIMIT */
+#include 
+#include 
 
 /*
- * It is not easy to calculate the right value for a GRE MTU.
- * We leave this task to the admin and use the same default that
- * other vendors use.
+ * packet formats
  */
-#define GREMTU 1476
+struct gre_header {
+   uint16_tgre_flags;
+#define GRE_CP 0x8000  /* Checksum Present */
+#define GRE_KP 0x2000  /* Key Present */
+#define GRE_SP 0x1000  /* Sequence Present */
+
+#define GRE_VERS_MASK  0x0007
+#define GRE_VERS_0 0x
+#define GRE_VERS_1 0x0001
+
+   uint16_tgre_proto;
+} __packed __aligned(4);
+
+struct gre_h_cksum {
+   uint16_tgre_cksum;
+   uint16_tgre_reserved1;
+} __packed __aligned(4);
+
+struct gre_h_key {
+   uint32_tgre_key;
+} __packed __aligned(4);
+
+struct gre_h_seq {
+   uint32_tgre_seq;
+} __packed __aligned(4);
+
+
+/*
+ * GRE tunnel metadata
+ */
+
+struct gre_tunnel {
+   RBT_ENTRY(gre_entry)t_entry;
+
+   uint32_tt_key_mask;
+#define GRE_KEY_NONE   htonl(0xU)
+#define GRE_KEY_ENTROPYhtonl(0xff00U)
+#define GRE_KEY_MASK   htonl(0xU)
+   uint32_tt_key;
+
+   u_int   t_rtableid;
+   int t_af;
+   uint32_tt_src[4];
+   uint32_tt_dst[4];
 
-intgre_clone_create(struct if_clone *, int);
-intgre_clone_destroy(struct ifnet *);
+   uint8_t t_ttl;
+};
 
-struct gre_softc_head gre_softc_list;
+RBT_HEAD(gre_tree, gre_tunnel);
+
+static inline int
+   gre_cmp(const struct gre_tunnel *, const struct gre_tunnel *);
+
+RBT_PROTOTYPE(gre_tree, gre_tunnel, t_entry, gre_cmp);
+
+static int gre_set_tunnel(struct gre_tunnel *, struct if_laddrreq *);
+static int gre_get_tunnel(struct gre_tunnel *, struct if_laddrreq *);
+static int gre_del_tunnel(struct gre_tunnel *);
+
+static int gre_set_vnetid(struct gre_tunnel *, struct ifreq *);
+static int gre_get_vnetid(struct gre_tunnel *, struct ifreq *);
+static int gre_del_vnetid(struct gre_tunnel *);
+
+static int gre_ip_output(const struct gre_tunnel *, struct mbuf *,
+   uint8_t);
+/*
+ * layer 3 GRE tunnels
+ */
+
+struct gre_softc {
+   struct gre_tunnel   sc_tunnel; /* must be first */
+   struct ifnetsc_if;
+};
+
+static int gre_clone_create(struct if_clone *, int);
+static int gre_clone_destroy(struct ifnet *);
 
 struct if_clone gre_cloner =
 IF_CLONE_INITIALIZER("gre", gre_clone_create, gre_clone_destroy);
 
+struct gre_tree gre_softcs = RBT_INITIALIZER();
+
+static int gre_output(struct ifnet *, struct mbuf *, struct sockaddr *,
+   struct rtentry *);
+static voidgre_start(struct ifnet *);
+static int gre_ioctl(struct ifnet *, u_long, caddr_t);
+
+static int gre_up(struct gre_softc *);
+static int gre_down(struct gre_softc *);
+
+static int gre_input_key(struct mbuf **, int *, int, int,
+   struct gre_tunnel *);
+
+static struct mbuf *
+   gre_encap(struct gre_softc *, struct mbuf *, uint8_t *);
+
+/*
+ * It is not easy

randomly put pool items on the head or tail of free lists

2018-02-06 Thread David Gwynne
this is a quick and simple change to add some randomness to pool
item allocation patterns.

it basically pregenerates 128 * 8 = 1024 coin flips (POOL_RBYTES bytes
in the diff below) to see which end of the free list items and pool
cache pages should go on.

can someone check if there's a performance impact? i dont want to
prematurely complicate this if it's not expensive.

Index: subr_pool.c
===
RCS file: /cvs/src/sys/kern/subr_pool.c,v
retrieving revision 1.222
diff -u -p -r1.222 subr_pool.c
--- subr_pool.c 6 Feb 2018 22:35:32 -   1.222
+++ subr_pool.c 7 Feb 2018 04:58:30 -
@@ -277,6 +277,14 @@ int pool_wait_gc = 8;
 
 RBT_PROTOTYPE(phtree, pool_page_header, ph_node, phtree_compare);
 
+#define POOL_RBYTES128 /* XXX magic */
+#define POOL_RBITS (POOL_RBYTES * 8)
+
+static unsigned int pool_rbytes[POOL_RBYTES / sizeof(unsigned int)];
+static unsigned int pool_rbit = 0;
+
+static int pool_getrbit(void);
+
 static inline int
 phtree_compare(const struct pool_page_header *a,
 const struct pool_page_header *b)
@@ -460,6 +468,8 @@ pool_init(struct pool *pp, size_t size, 
TAILQ_INIT(&pp->pr_requests);
 
if (phpool.pr_size == 0) {
+   arc4random_buf(pool_rbytes, sizeof(pool_rbytes));
+
pool_init(&phpool, sizeof(struct pool_page_header), 0,
IPL_HIGH, 0, "phpool", NULL);
 
@@ -851,7 +861,11 @@ pool_do_put(struct pool *pp, void *v)
 #endif /* DIAGNOSTIC */
 
pi->pi_magic = POOL_IMAGIC(ph, pi);
-   XSIMPLEQ_INSERT_HEAD(&ph->ph_items, pi, pi_list);
+   if (pool_getrbit())
+   XSIMPLEQ_INSERT_HEAD(&ph->ph_items, pi, pi_list);
+   else
+   XSIMPLEQ_INSERT_TAIL(&ph->ph_items, pi, pi_list);
+
 #ifdef DIAGNOSTIC
if (POOL_PHPOISON(ph))
poison_mem(pi + 1, pp->pr_size - sizeof(*pi));
@@ -1840,7 +1854,10 @@ pool_cache_list_free(struct pool *pp, st
pp->pr_cache_tick = ticks;
 
pp->pr_cache_nitems += POOL_CACHE_ITEM_NITEMS(ci);
-   TAILQ_INSERT_TAIL(&pp->pr_cache_lists, ci, ci_nextl);
+   if (pool_getrbit())
+   TAILQ_INSERT_HEAD(&pp->pr_cache_lists, ci, ci_nextl);
+   else
+   TAILQ_INSERT_TAIL(&pp->pr_cache_lists, ci, ci_nextl);
 
pc->pc_nlput++;
 
@@ -2296,3 +2313,25 @@ static const struct pool_lock_ops pool_l
pool_lock_rw_assert_unlocked,
pool_lock_rw_sleep,
 };
+
+static int
+pool_getrbit(void)
+{
+   unsigned int rbit;
+   unsigned int word;
+   unsigned int bit;
+
+   rbit = atomic_inc_int_nv(&pool_rbit) % POOL_RBITS;
+   if (rbit == 0) {
+   /*
+* the next, but concurrent reader will get stale bits, but
+* that is hard to predict, ie, sort of random?
+*/
+   arc4random_buf(pool_rbytes, sizeof(pool_rbytes));
+   }
+
+   word = rbit / (sizeof(word) * 8);
+   bit = rbit % (sizeof(word) * 8);
+
+   return (ISSET(pool_rbytes[word], 1 << bit));
+}
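Review bot: `return (ISSET(pool_rbytes[word], 1 << bit));` shifts the signed constant `1` by `bit`, which ranges up to `sizeof(word) * 8 - 1` = 31, and `1 << 31` overflows `int`, which is undefined behaviour in C; write it as `return (ISSET(pool_rbytes[word], 1U << bit));`. The refill when `rbit == 0` also rewrites all of `pool_rbytes` without a lock while other CPUs may be indexing into it; the existing comment waves at this, but it would be clearer to state the actual reasoning, e.g. `/* unsynchronized refill: a concurrent reader may see old or new bits, which only steers free-list placement, never correctness */`, since the bits are consumed only by the head/tail choice in pool_do_put and pool_cache_list_free and no caller depends on their freshness.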



handle updates via Adj-RIB-Out

2018-02-06 Thread Claudio Jeker
This diff changes the way bgpd does updates. Instead of having its own
special update queue/tree it uses a regular RIB (Adj-RIB-Out) to store all
updates to be sent. Stuff that has been sent is linked to the prefixes
queue. On the peer there are also queues for updates and withdraws.
The whole update code becomes a lot simpler but also results in the bulk
of the diff. Other changes include the bgpctl show rib handling (we can
just walk the Adj-RIB-Out now). Last but not least the EOR records are
also now a magic rde_aspath (flag F_ATTR_EOR) which is added to the update
queue.

This diff is still very large and the changes are intrusive, so reviews and
testing are very welcome.
-- 
:wq Claudio


Index: rde.c
===
RCS file: /cvs/src/usr.sbin/bgpd/rde.c,v
retrieving revision 1.377
diff -u -p -r1.377 rde.c
--- rde.c   7 Feb 2018 00:02:02 -   1.377
+++ rde.c   7 Feb 2018 00:02:18 -
@@ -80,8 +80,6 @@ void   rde_dump_rib_as(struct prefix *, 
 int);
 voidrde_dump_filter(struct prefix *,
 struct ctl_show_rib_request *);
-voidrde_dump_filterout(struct rde_peer *, struct prefix *,
-struct ctl_show_rib_request *);
 voidrde_dump_upcall(struct rib_entry *, void *);
 voidrde_dump_prefix_upcall(struct rib_entry *, void *);
 voidrde_dump_ctx_new(struct ctl_show_rib_request *, pid_t,
@@ -2262,71 +2260,33 @@ rde_dump_rib_as(struct prefix *p, struct
 }
 
 void
-rde_dump_filterout(struct rde_peer *peer, struct prefix *p,
-struct ctl_show_rib_request *req)
+rde_dump_filter(struct prefix *p, struct ctl_show_rib_request *req)
 {
-   struct bgpd_addr addr;
-   struct rde_aspath   *asp, *fasp;
-   enum filter_actions  a;
+   struct rde_aspath   *asp;
 
-   if (up_test_update(peer, p) != 1)
+   if (req->peerid && req->peerid != prefix_peer(p)->conf.id)
return;
+   if (p->flags & F_PREFIX_USE_PEER)
+   return; /* pending withdraw, skip */
 
-   pt_getaddr(p->re->prefix, &addr);
asp = prefix_aspath(p);
-   a = rde_filter(out_rules, &fasp, peer, asp, &addr,
-   p->re->prefix->prefixlen, asp->peer);
-   if (fasp)
-   fasp->peer = asp->peer;
-   else
-   fasp = asp;
-
-   if (a == ACTION_ALLOW)
-   rde_dump_rib_as(p, fasp, req->pid, req->flags);
-
-   if (fasp != asp)
-   path_put(fasp);
-}
-
-void
-rde_dump_filter(struct prefix *p, struct ctl_show_rib_request *req)
-{
-   struct rde_peer *peer;
-   struct rde_aspath   *asp;
-
-   if (req->flags & F_CTL_ADJ_IN ||
-   !(req->flags & (F_CTL_ADJ_IN|F_CTL_ADJ_OUT))) {
-   asp = prefix_aspath(p);
-   if (req->peerid && req->peerid != asp->peer->conf.id)
-   return;
-   if (req->type == IMSG_CTL_SHOW_RIB_AS &&
-   !aspath_match(asp->aspath->data, asp->aspath->len,
-   &req->as, req->as.as))
-   return;
-   if (req->type == IMSG_CTL_SHOW_RIB_COMMUNITY &&
-   !community_match(asp, req->community.as,
-   req->community.type))
-   return;
-   if (req->type == IMSG_CTL_SHOW_RIB_EXTCOMMUNITY &&
-   !community_ext_match(asp, &req->extcommunity, 0))
-   return;
-   if (req->type == IMSG_CTL_SHOW_RIB_LARGECOMMUNITY &&
-   !community_large_match(asp, req->large_community.as,
-   req->large_community.ld1, req->large_community.ld2))
-   return;
-   if ((req->flags & F_CTL_ACTIVE) && p->re->active != p)
-   return;
-   rde_dump_rib_as(p, asp, req->pid, req->flags);
-   } else if (req->flags & F_CTL_ADJ_OUT) {
-   if (p->re->active != p)
-   /* only consider active prefix */
-   return;
-   if (req->peerid) {
-   if ((peer = peer_get(req->peerid)) != NULL)
-   rde_dump_filterout(peer, p, req);
-   return;
-   }
-   }
+   if (req->type == IMSG_CTL_SHOW_RIB_AS &&
+   !aspath_match(asp->aspath->data, asp->aspath->len,
+   &req->as, req->as.as))
+   return;
+   if (req->type == IMSG_CTL_SHOW_RIB_COMMUNITY &&
+   !community_match(asp, req->community.as, req->community.type))
+   return;
+   if (req->type == IMSG_CTL_SHOW_RIB_EXTCOMMUNITY &&
+   !community_ext_match(asp, &req->extcommunity, 0))
+   return;
+   if (req->type == IMSG_CTL_SHOW_RIB_LARGECOMMUNITY &&
+   !community_large_match(asp, req->large_community.as,
+   req->large_co

Re: shorten pppoe output in tcpdump

2018-02-06 Thread Stuart Henderson
On 2018/02/07 06:08, David Gwynne wrote:
> On Tue, Feb 06, 2018 at 05:19:57PM +1000, David Gwynne wrote:
> > if you're tcpdumping on a pppoe(4)s parent, you'll see stuff like this:
> > 
> > 23:43:26.780560 PPPoE-Discovery
> > code Initiation, version 1, type 1, id 0x, length 12
> > tag Service-Name, length 0
> > tag Host-Uniq, length 4 d\023\205\030
> > ...
> > 23:43:29.205560 PPPoE-Session
> > code Session, version 1, type 1, id 0x0011, length 12
> > LCP: Configure-Request, Magic-Number=100455513, Vendor-Ext
> > 
> > the diff below changes it to:
> > 
> > 23:43:26.780560 PPPoE-Discovery Initiation sid=0x
> > tag Service-Name
> > tag Host-Uniq=d\023\205\030
> > ...
> > 23:43:29.205560 LCP Configure-Request Id=0x01: Magic-Number=100455513
> > 
> > you can see more detail with -e:
> > 
> > 23:43:26.780560 cc:05:0e:88:00:00 Broadcast 8863 60: PPPoE-Discovery 
> > Initiation sid=0x
> > tag Service-Name
> > tag Host-Uniq=d\023\205\030
> > ...
> > 23:43:29.205560 cc:05:0e:88:00:00 ca:01:0e:88:00:06 8864 60: PPPoE 
> > sid=0x0011: LCP Configure-Request Id=0x01: Magic-Number=100455513
> > 
> > or the useless stuff with -v:
> > 
> > 23:43:26.780560 cc:05:0e:88:00:00 Broadcast 8863 60: PPPoE-Discovery 
> > Initiation ver=1 type=1 sid=0x len=12
> > tag Service-Name
> > tag Host-Uniq=d\023\205\030
> > ...
> > 23:43:29.205560 cc:05:0e:88:00:00 ca:01:0e:88:00:06 8864 60: PPPoE ver=1 
> > type=1 code=Session sid=0x0011 len=12: LCP Configure-Request Id=0x01: 
> > Magic-Number=100455513
> > 
> > the printer for pppoe interfaces now uses the printer for pppoe
> > session packets. by default you'll see nothing, but can make it
> > appear with -e.
> > 
> > ok?

I like all the above on PPP_ETHER interfaces, but not so keen on how it
ends up printing ethers containing pppoe frames (i.e. pppoedev interfaces).

Before:

# tcpdump  -tiem1
tcpdump: listening on em1, link-type EN10MB
PPPoE-Session
code Session, version 1, type 1, id 0x006a, length 105
IP: obsdcvsweb.cs.toronto.edu.https > symphytum.spacehopper.org.44230: 
P 3370:3421(51) ack 290 win 271  (DF)
PPPoE-Session
code Session, version 1, type 1, id 0x006a, length 54
IP: symphytum.spacehopper.org.44230 > obsdcvsweb.cs.toronto.edu.https: 
F 290:290(0) ack 3421 win 256  (DF)

Ugly but it's clear that these are encap'd packets.

# ./tcpdump.dlg  -tiem1
tcpdump: listening on em1, link-type EN10MB
lhr35s03-in-f14.1e100.net.https > symphytum.spacehopper.org.46272: P 
179:345(166) ack 1 win 811 
lhr35s03-in-f14.1e100.net.https > symphytum.spacehopper.org.46272: P 
345:417(72) ack 1 win 811 

So with your diff you need -e to tell that these aren't normal ether:

# ./tcpdump.dlg  -tiem1 -e
tcpdump: listening on em1, link-type EN10MB
10:e8:78:a7:e6:67 00:0d:b9:41:7e:49 8864 249: PPPoE sid=0x006a: IP 
lhr35s03-in-f14.1e100.net.https > symphytum.spacehopper.org.46272: P 
239:414(175) ack 1 win 811 
10:e8:78:a7:e6:67 00:0d:b9:41:7e:49 8864 170: PPPoE sid=0x006a: IP 
lhr35s03-in-f14.1e100.net.https > symphytum.spacehopper.org.46272: P 
414:510(96) ack 1 win 811 

Here's a diff on top of yours, it's not particularly elegant but makes
it work more how I'd expect - print "PPPoE sid=..." by default when it's
an ethernet interface, but skip on a pppoe interface unless -e is used.

# ./tcpdump.sthen  -tiem1
tcpdump: listening on em1, link-type EN10MB
PPPoE sid=0x006a: natted.lan.spacehopper.org.53734 > 
ctr-ams04.atlas.ripe.net.https: . 6840:8188(1348) ack 53 win 32044 
 (DF) [tos 0x10]
PPPoE sid=0x006a: natted.lan.spacehopper.org.53734 > 
ctr-ams04.atlas.ripe.net.https: . 8188:9536(1348) ack 53 win 32044 
 (DF) [tos 0x10]


--- interface.h.dlg Wed Feb  7 00:33:06 2018
+++ interface.h Wed Feb  7 00:32:02 2018
@@ -183,7 +183,7 @@ extern int ether_encap_print(u_short, const u_char *, 
 extern int llc_print(const u_char *, u_int, u_int, const u_char *,
const u_char *);
 extern void pppoe_disc_print(const u_char *, u_int, u_int);
-extern void pppoe_print(const u_char *, u_int, u_int);
+extern void pppoe_print(const u_char *, u_int, u_int, u_int);
 extern void aarp_print(const u_char *, u_int);
 extern void arp_print(const u_char *, u_int, u_int);
 extern void atalk_print(const u_char *, u_int);
--- print-ether.c.dlg   Wed Feb  7 00:31:24 2018
+++ print-ether.c   Wed Feb  7 00:31:45 2018
@@ -252,7 +252,7 @@ recurse:
pppoe_disc_print(p, length, caplen);
return (1);
case ETHERTYPE_PPPOE:
-   pppoe_print(p, length, caplen);
+   pppoe_print(p, length, caplen, 1);
return (1);
 #endif
 
--- print-ppp.c.dlg Wed Feb  7 00:28:59 2018
+++ print-ppp.c Wed Feb  7 00:31:14 2018
@@ -1179,7 +1179,7 @@ ppp_ether_if_print(u_char *user, const struct pcap_pkt
 
ts_print(&h->ts);
 
-   pppoe_print(p, length, l);
+   pppoe_print(p, length, l, 0);
 
if (xflag)

Re: Export IPsec flows via snmpd(8)

2018-02-06 Thread Reyk Floeter

>> Am 02.01.2018 um 15:23 schrieb Martin Pieuchot :
>> 
>>> On 19/12/17(Tue) 18:06, Marco Pfatschbacher wrote:
>>> On Tue, Dec 19, 2017 at 12:43:48PM +0100, Martin Pieuchot wrote:
>>> I'd like to see some information about my tunnels in my NMS.
>> 
>> Nice. I would find that very useful :)
>> 
>>> The problem is that there's not standard MIB for this and most vendor
>>> MIBs are huge and are not easy to implement.
>> 
>> What about https://tools.ietf.org/html/rfc4807 ?
> 
> This MIB is about the "Policy Database Configuration" which, as far as I
> understand, would be useful to export the content of isakmpd.policy(5).

The Security Policy Database has nothing to do with isakmpd.policy or keynote.

SPD is the standard term for what we call, for historic reasons, flows. In 
other words: an IPsec flow in OpenBSD is an IPsec policy in other operating 
systems.

So RFC 4807 might be the right thing after all.

Reyk

> I'm more interested into something like the "IPsec Flow Monitoring"
> https://www.ietf.org/archive/id/draft-ietf-ipsec-flow-monitoring-mib-02.txt
> However this is an archived & expired draft.
> 
> So I looked at both Cisco & Juniper MIBs, but implementing any of them
> is a lot of work and do not always make sense with our IPsec stack.
> That's why I'm asking for inputs :)
> 



Re: amd64: much earlier Intel microcode loading

2018-02-06 Thread Christian Weisgerber
On 2018-02-04, Patrick Wildt  wrote:

>> this diff allows us to load the Intel microcode much earlier.

I'm trying to understand the twisty logic here.
There are three cases:

(1) old rev < update rev
=> update gets applied

(2) old rev == update rev
=> cpu_ucode_intel_match() returns success
=> "microcode already up-to-date"

(3) old rev > update rev
=> cpu_ucode_intel_match() returns failure
=> "no microcode update found"

Is the different code path for (2) and (3) intentional?  Admittedly
this is cosmetic.

I currently have machines that are in state (3), which is why I
noticed.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: tcp timeout milliseconds

2018-02-06 Thread David Hill
OK dhill@

On Tue, Feb 06, 2018 at 05:10:17PM +0100, Alexander Bluhm wrote:
> Hi,
> 
> Historically TCP timeouts were implemented with pr_slowtimo and
> pr_fasttimo.  That is the reason why we have two timeout mechanisms
> with complicated ticks calculation.
> 
> I would like to move to milliseconds and merge them eventually.
> This makes it easier to see the actual values.
> 
> Let's get rid of some easy ticks and hz.
> 
> ok?
> 
> bluhm
> 



Re: tcp timeout milliseconds

2018-02-06 Thread Florian Obser
OK florian@

On Tue, Feb 06, 2018 at 05:10:17PM +0100, Alexander Bluhm wrote:
> Hi,
> 
> Historically TCP timeouts were implemented with pr_slowtimo and
> pr_fasttimo.  That is the reason why we have two timeout mechanisms
> with complicated ticks calculation.
> 
> I would like to move to milliseconds and merge them eventually.
> This makes it easier to see the actual values.
> 
> Let's get rid of some easy ticks and hz.
> 
> ok?
> 
> bluhm
> 
> Index: netinet/tcp_timer.c
> ===
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/tcp_timer.c,v
> retrieving revision 1.63
> diff -u -p -r1.63 tcp_timer.c
> --- netinet/tcp_timer.c   6 Feb 2018 15:13:08 -   1.63
> +++ netinet/tcp_timer.c   6 Feb 2018 15:47:06 -
> @@ -64,7 +64,7 @@ int tcp_maxidle;
>   * Time to delay the ACK.  This is initialized in tcp_init(), unless
>   * its patched.
>   */
> -int  tcp_delack_ticks;
> +int  tcp_delack_msecs;
>  
>  void tcp_timer_rexmt(void *);
>  void tcp_timer_persist(void *);
> @@ -96,8 +96,8 @@ tcp_timer_init(void)
>   if (tcp_maxpersistidle == 0)
>   tcp_maxpersistidle = TCPTV_KEEP_IDLE;
>  
> - if (tcp_delack_ticks == 0)
> - tcp_delack_ticks = TCP_DELACK_TICKS;
> + if (tcp_delack_msecs == 0)
> + tcp_delack_msecs = TCP_DELACK_MSECS;
>  }
>  
>  /*
> Index: netinet/tcp_timer.h
> ===
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/tcp_timer.h,v
> retrieving revision 1.16
> diff -u -p -r1.16 tcp_timer.h
> --- netinet/tcp_timer.h   6 Feb 2018 15:13:08 -   1.16
> +++ netinet/tcp_timer.h   6 Feb 2018 15:47:06 -
> @@ -106,7 +106,7 @@
>  
>  #define  TCP_MAXRXTSHIFT 12  /* maximum retransmits 
> */
>  
> -#define  TCP_DELACK_TICKS (hz / PR_FASTHZ)   /* time to delay ACK */
> +#define  TCP_DELACK_MSECS 200/* time to delay ACK */
>  
>  #ifdef   TCPTIMERS
>  const char *tcptimers[TCPT_NTIMERS] =
> @@ -122,7 +122,7 @@ const char *tcptimers[TCPT_NTIMERS] =
>  #define  TCP_TIMER_ARM(tp, timer, nticks)
> \
>  do { \
>   SET((tp)->t_flags, TF_TIMER << (timer));\
> - timeout_add(&(tp)->t_timer[(timer)], (nticks) * (hz / PR_SLOWHZ)); \
> + timeout_add_msec(&(tp)->t_timer[(timer)], (nticks) * 500);  \
>  } while (0)
>  
>  #define  TCP_TIMER_DISARM(tp, timer) 
> \
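Review bot: `timeout_add_msec(&(tp)->t_timer[(timer)], (nticks) * 500);` replaces the removed `(nticks) * (hz / PR_SLOWHZ)` with a bare 500, so the fact that 500 is the slow-timer period in milliseconds (1000 / PR_SLOWHZ with PR_SLOWHZ = 2) is no longer visible at the point of use; `(nticks) * (1000 / PR_SLOWHZ)` keeps the derivation self-documenting while the callers are still being migrated off ticks. The parameter is still named `nticks` although the macro now hands milliseconds to timeout_add_msec, so a short comment above the macro would help, e.g. `/* nticks is in PR_SLOWHZ (500 ms) units; converted to msec here */`. Whether `(nticks) * 500` can overflow `int` for the largest sysctl-tunable timer values depends on the callers, which are outside this hunk.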
> @@ -151,6 +151,7 @@ typedef void (*tcp_timer_func_t)(void *)
>  
>  extern const tcp_timer_func_t tcp_timer_funcs[TCPT_NTIMERS];
>  
> +extern int tcp_delack_msecs; /* delayed ACK timeout in millisecs */
>  extern int tcptv_keep_init;
>  extern int tcp_always_keepalive; /* assume SO_KEEPALIVE is always set */
>  extern int tcp_keepidle; /* time before keepalive probes begin */
> Index: netinet/tcp_var.h
> ===
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/tcp_var.h,v
> retrieving revision 1.130
> diff -u -p -r1.130 tcp_var.h
> --- netinet/tcp_var.h 6 Feb 2018 15:13:08 -   1.130
> +++ netinet/tcp_var.h 6 Feb 2018 15:47:06 -
> @@ -205,14 +205,13 @@ struct tcpcb {
>  #define  sototcpcb(so)   (intotcpcb(sotoinpcb(so)))
>  
>  #ifdef _KERNEL
> -extern int tcp_delack_ticks;
>  void tcp_delack(void *);
>  
>  #define TCP_INIT_DELACK(tp)  \
>   timeout_set_proc(&(tp)->t_delack_to, tcp_delack, tp)
>  
>  #define TCP_RESTART_DELACK(tp)   
> \
> - timeout_add(&(tp)->t_delack_to, tcp_delack_ticks)
> + timeout_add_msec(&(tp)->t_delack_to, tcp_delack_msecs)
>  
>  #define  TCP_SET_DELACK(tp)  
> \
>  do { \
> 

-- 
I'm not entirely sure you are real.



Re: shorten pppoe output in tcpdump

2018-02-06 Thread David Gwynne
On Tue, Feb 06, 2018 at 05:19:57PM +1000, David Gwynne wrote:
> if you're tcpdumping on a pppoe(4)s parent, you'll see stuff like this:
> 
> 23:43:26.780560 PPPoE-Discovery
> code Initiation, version 1, type 1, id 0x, length 12
> tag Service-Name, length 0
> tag Host-Uniq, length 4 d\023\205\030
> ...
> 23:43:29.205560 PPPoE-Session
> code Session, version 1, type 1, id 0x0011, length 12
> LCP: Configure-Request, Magic-Number=100455513, Vendor-Ext
> 
> the diff below changes it to:
> 
> 23:43:26.780560 PPPoE-Discovery Initiation sid=0x
> tag Service-Name
> tag Host-Uniq=d\023\205\030
> ...
> 23:43:29.205560 LCP Configure-Request Id=0x01: Magic-Number=100455513
> 
> you can see more detail with -e:
> 
> 23:43:26.780560 cc:05:0e:88:00:00 Broadcast 8863 60: PPPoE-Discovery 
> Initiation sid=0x
> tag Service-Name
> tag Host-Uniq=d\023\205\030
> ...
> 23:43:29.205560 cc:05:0e:88:00:00 ca:01:0e:88:00:06 8864 60: PPPoE 
> sid=0x0011: LCP Configure-Request Id=0x01: Magic-Number=100455513
> 
> or the useless stuff with -v:
> 
> 23:43:26.780560 cc:05:0e:88:00:00 Broadcast 8863 60: PPPoE-Discovery 
> Initiation ver=1 type=1 sid=0x len=12
> tag Service-Name
> tag Host-Uniq=d\023\205\030
> ...
> 23:43:29.205560 cc:05:0e:88:00:00 ca:01:0e:88:00:06 8864 60: PPPoE ver=1 
> type=1 code=Session sid=0x0011 len=12: LCP Configure-Request Id=0x01: 
> Magic-Number=100455513
> 
> the printer for pppoe interfaces now uses the printer for pppoe
> session packets. by default you'll see nothing, but can make it
> appear with -e.
> 
> ok?

sthen@ pointed out i forgot the print-ether.c chunk.

Index: interface.h
===
RCS file: /cvs/src/usr.sbin/tcpdump/interface.h,v
retrieving revision 1.71
diff -u -p -r1.71 interface.h
--- interface.h 6 Feb 2018 03:07:51 -   1.71
+++ interface.h 6 Feb 2018 19:53:05 -
@@ -182,7 +182,8 @@ struct pcap_pkthdr;
 extern int ether_encap_print(u_short, const u_char *, u_int, u_int);
 extern int llc_print(const u_char *, u_int, u_int, const u_char *,
const u_char *);
-extern int pppoe_if_print(u_short, const u_char *, u_int, u_int);
+extern void pppoe_disc_print(const u_char *, u_int, u_int);
+extern void pppoe_print(const u_char *, u_int, u_int);
 extern void aarp_print(const u_char *, u_int);
 extern void arp_print(const u_char *, u_int, u_int);
 extern void atalk_print(const u_char *, u_int);
Index: print-ether.c
===
RCS file: /cvs/src/usr.sbin/tcpdump/print-ether.c,v
retrieving revision 1.31
diff -u -p -r1.31 print-ether.c
--- print-ether.c   11 Jul 2016 00:27:50 -  1.31
+++ print-ether.c   6 Feb 2018 19:53:05 -
@@ -249,8 +249,10 @@ recurse:
 
 #ifdef PPP
case ETHERTYPE_PPPOEDISC:
+   pppoe_disc_print(p, length, caplen);
+   return (1);
case ETHERTYPE_PPPOE:
-   pppoe_if_print(ethertype, p, length, caplen);
+   pppoe_print(p, length, caplen);
return (1);
 #endif
 
Index: print-ppp.c
===
RCS file: /cvs/src/usr.sbin/tcpdump/print-ppp.c,v
retrieving revision 1.32
diff -u -p -r1.32 print-ppp.c
--- print-ppp.c 6 Feb 2018 03:41:58 -   1.32
+++ print-ppp.c 6 Feb 2018 19:53:05 -
@@ -1171,7 +1171,6 @@ ppp_if_print(u_char *user, const struct 
 void
 ppp_ether_if_print(u_char *user, const struct pcap_pkthdr *h, const u_char *p)
 {
-   u_int16_t pppoe_sid, pppoe_len;
u_int l = h->caplen;
u_int length = h->len;
 
@@ -1180,192 +1179,213 @@ ppp_ether_if_print(u_char *user, const s
 
ts_print(&h->ts);
 
-   if (eflag)
-   printf("PPPoE ");
-
-   if (l < sizeof(struct pppoe_header)) {
-   printf("[|pppoe]");
-   return;
-   }
+   pppoe_print(p, length, l);
 
-   pppoe_sid = EXTRACT_16BITS(p + 2);
-   pppoe_len = EXTRACT_16BITS(p + 4);
-
-   if (eflag) {
-   printf("\n\tcode ");
-   switch (p[1]) {
-   case PPPOE_CODE_PADI:
-   printf("Initiation");
-   break;
-   case PPPOE_CODE_PADO:
-   printf("Offer");
-   break;
-   case PPPOE_CODE_PADR:
-   printf("Request");
-   break;
-   case PPPOE_CODE_PADS:
-   printf("Confirm");
-   break;
-   case PPPOE_CODE_PADT:
-   printf("Terminate");
-   break;
-   case PPPOE_CODE_SESSION:
-   printf("Session");
-   break;
-   default:
-   printf("Unknown(0x%02x)", p[1]);
-   break;
-   }

Re: daily(8): don't fail silently if backup disk is unavailable

2018-02-06 Thread Ingo Schwarze
Hi Theo,

Theo Buehler wrote on Mon, Feb 05, 2018 at 12:13:31PM +1300:

> After a power failure, my apu2 booted, but its sdmmc controller didn't
> attach properly. A few days later I was wondering why I didn't get the
> usual dump output from the backup of the root filesystem in my daily
> mails.
> 
> It turns out that daily(8) fails silently if it can't find the backup
> volume. Since this happens due to a failure of some kind or because of
> misconfiguration, I suggest that we print an error message, so this can
> be easily spotted in the mail.

That makes a lot of sense to me.

The patch reads well and survived basic testing.

OK schwarze@
  Ingo

>
 Index: etc/daily
> ===
> RCS file: /var/cvs/src/etc/daily,v
> retrieving revision 1.90
> diff -u -p -r1.90 daily
> --- etc/daily 10 Jul 2017 11:18:48 -  1.90
> +++ etc/daily 4 Feb 2018 22:28:12 -
> @@ -90,7 +90,10 @@ while [ "X$ROOTBACKUP" = X1 ]; do
>   fi
>   rootbak=${rootbak#/dev/}
>   bakdisk=${rootbak%%?(.)[a-p]}
> - sysctl -n hw.disknames | grep -Fqw $bakdisk || break
> + if ! sysctl -n hw.disknames | grep -Fqw $bakdisk; then
> + echo "Backup disk '$bakdisk' not available in hw.disknames."
> + break
> + fi
>   bakpart=${rootbak##$bakdisk?(.)}
>   OLDIFS=$IFS
>   IFS=,
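Review bot: `if ! sysctl -n hw.disknames | grep -Fqw $bakdisk; then` keeps `$bakdisk` unquoted and without an option terminator, so a value containing whitespace would be word-split and one beginning with `-` would be taken as a grep option; `grep -Fqw -- "$bakdisk"` avoids both. The value is derived from `rootbak` two lines above, whose origin is outside the hunk, so the practical exposure depends on where that device path comes from, but the new error message is exactly where an odd value would now surface, so it is worth being robust there. The enclosing `while` loop starts outside the hunk.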



leave(1): schedule absolute alarm for start of minute

2018-02-06 Thread Scott Cheloha
Hi,

When I schedule an alarm for an absolute time with minute granularity,
I expect the alarm to go off at the beginning of that minute.

So, this:

leave 1430

should go off at 14:30:00.

The two-second sleep in the child of doalarm() confounds this, but I
have a subsequent diff that refactors that function to obviate it.

ok?

--
Scott Cheloha

Index: usr.bin/leave/leave.c
===
RCS file: /cvs/src/usr.bin/leave/leave.c,v
retrieving revision 1.17
diff -u -p -r1.17 leave.c
--- usr.bin/leave/leave.c   9 Oct 2015 01:37:08 -   1.17
+++ usr.bin/leave/leave.c   6 Feb 2018 16:58:45 -
@@ -113,6 +113,7 @@ main(int argc, char *argv[])
 
secs = (hours - t->tm_hour) * HOUR;
secs += (minutes - t->tm_min) * MINUTE;
+   secs -= now % 60;   /* aim for beginning of minute */
}
doalarm(secs);
exit(0);
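Review bot: `secs -= now % 60;` subtracts from `secs`, which is passed to `doalarm(u_int secs)` and so is presumably unsigned in main as well; it is only safe if `secs` is at least 60 at this point, i.e. the requested minute is strictly later than the current one, otherwise it wraps to a value near UINT_MAX and the alarm effectively never fires. Whether that is guaranteed depends on the range check earlier in main, which is outside the hunk (the function starts before it), so stating the invariant where it is relied on would help: `/* secs >= MINUTE here because the target minute is in the future; cannot wrap */`. If the guarantee does not hold, a guarded form such as `if (secs >= now % 60) secs -= now % 60;` is the minimal fix.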
@@ -155,12 +156,16 @@ doalarm(u_int secs)
sleep(secs - MINUTE);
if (puts("\a\aJust one more minute!") == EOF)
exit(0);
+   secs = MINUTE;
}
 
+   sleep(secs);
+
for (bother = 10; bother--;) {
-   sleep(MINUTE);
if (puts("\a\aTime to leave!") == EOF)
exit(0);
+   if (bother)
+   sleep(MINUTE);
}
 
puts("\a\aThat was the last time I'll tell you.  Bye.");
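Review bot: the new `secs = MINUTE;` and the unconditional `sleep(secs);` that follows rely on an invariant that is not written down: after the one-minute warning the remaining wait is exactly MINUTE, and when the original delay was already under a minute (so the enclosing `if`, whose condition is outside the hunk, was skipped) `sleep(secs)` covers that shorter remainder. A comment on the sleep, `/* secs is the remaining wait: MINUTE after a warning, else the original short delay */`, would make the reorganised flow readable. The `if (bother)` guard is what avoids an extra minute of sleep between the last "Time to leave!" and the final message, matching the old ordering; a short comment there, `/* no sleep after the last warning */`, would save the next reader the comparison.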



Re: Export IPsec flows via snmpd(8)

2018-02-06 Thread Martin Pieuchot
On 19/12/17(Tue) 12:43, Martin Pieuchot wrote:
> I'd like to see some information about my tunnels in my NMS.  The
> problem is that there's no standard MIB for this, and most vendor
> MIBs are huge and not easy to implement.
> 
> So here's a diff that export the equivalent of "$ ipsecctl -s flow".
> I'm basically gluing ipsecctl(8) internals into snmpd(8).
> 
> It can be considered as a first step towards a more complete solution.
> So I'd like to hear from people interested to export IPsec information
> via SNMP, what would like to see and do you have a preferred format?

Here's an updated diff including a MIB.  I'm still looking for comments
and inputs.  I'm now considering implementing CISCO-IPSEC-FLOW-MONITOR
mib since that would give us out of the box support for many NMS,
including libreNMS.  However this is a lot of work.

Index: usr.sbin/snmpd/Makefile
===
RCS file: /cvs/src/usr.sbin/snmpd/Makefile,v
retrieving revision 1.15
diff -u -p -r1.15 Makefile
--- usr.sbin/snmpd/Makefile 3 Jul 2017 22:21:47 -   1.15
+++ usr.sbin/snmpd/Makefile 17 Oct 2017 12:04:16 -
@@ -4,7 +4,8 @@ PROG=   snmpd
 MAN=   snmpd.8 snmpd.conf.5
 SRCS=  parse.y ber.c log.c control.c snmpe.c \
mps.c trap.c mib.c smi.c kroute.c snmpd.c timer.c \
-   pf.c proc.c usm.c agentx.c traphandler.c util.c
+   pf.c proc.c usm.c agentx.c traphandler.c util.c \
+   ipsec.c pfkey.c
 
 LDADD= -levent -lutil -lkvm -lcrypto
 DPADD= ${LIBEVENT} ${LIBUTIL}
Index: usr.sbin/snmpd/ipsec.c
===
RCS file: usr.sbin/snmpd/ipsec.c
diff -N usr.sbin/snmpd/ipsec.c
--- /dev/null   1 Jan 1970 00:00:00 -
+++ usr.sbin/snmpd/ipsec.c  6 Feb 2018 16:12:41 -
@@ -0,0 +1,105 @@
+/* $OpenBSD$   */
+
+/*
+ * Copyright (c) 2004, 2005 Hans-Joerg Hoexer 
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include 
+#include 
+#include 
+#include 
+
+#include 
+#include 
+
+#include 
+#include 
+#include 
+#include 
+
+#include "snmpd.h"
+#include "ipsec.h"
+
+const char *direction[] = {"?", "in", "out"};
+const char *flowtype[] = {"?", "use", "acquire", "require", "deny",
+"bypass", "dontacq"};
+const char *satype[] = {"?", "esp", "ah", "ipcomp", "tcpmd5", "ipip"};
+const char *auth[] = {"?", "psk", "rsa"};
+
+struct ipsec_rule *
+ipsec_get_rule(uint32_t idx)
+{
+   struct ipsecctl ipsec;
+   struct ipsec_rule *r, *rule = NULL;
+
+   memset(&ipsec, 0, sizeof(ipsec));
+   TAILQ_INIT(&ipsec.rule_queue);
+   ipsec_get_rules(&ipsec);
+
+   while ((r = TAILQ_FIRST(&ipsec.rule_queue)) != NULL) {
+   TAILQ_REMOVE(&ipsec.rule_queue, r, rule_entry);
+   if ((r->nr + 1) == idx)
+   rule = r;
+   else
+   free(r);
+   }
+
+   return rule;
+}
+
+void
+ipsec_get_rules(struct ipsecctl *ipsec)
+{
+   struct sadb_msg *msg;
+   struct ipsec_rule *rule;
+   int  mib[4];
+   size_t   need;
+   char*buf, *lim, *next;
+
+   mib[0] = CTL_NET;
+   mib[1] = PF_KEY;
+   mib[2] = PF_KEY_V2;
+   mib[3] = NET_KEY_SPD_DUMP;
+
+   if (sysctl(mib, 4, NULL, &need, NULL, 0) == -1)
+   err(1, "%s: sysctl", __func__);
+   if (need == 0)
+   return;
+   if ((buf = malloc(need)) == NULL)
+   err(1, "%s: malloc", __func__);
+   if (sysctl(mib, 4, buf, &need, NULL, 0) == -1)
+   err(1, "%s: sysctl", __func__);
+   lim = buf + need;
+
+   for (next = buf; next < lim; next += msg->sadb_msg_len *
+   PFKEYV2_CHUNK) {
+   msg = (struct sadb_msg *)next;
+   if (msg->sadb_msg_len == 0)
+   break;
+
+   rule = calloc(1, sizeof(struct ipsec_rule));
+   if (rule == NULL)
+   err(1, "%s: calloc", __func__);
+   rule->nr = ipsec->rule_nr++;
+   rule->type |= RULE_FLOW;
+
+   if (pfkey_parse(msg, rule))
+   errx(1, "%s: failed to parse PF_KEY message", __func__);
+
+  

tcp timeout milliseconds

2018-02-06 Thread Alexander Bluhm
Hi,

Historically TCP timeouts were implemented with pr_slowtimo and
pr_fasttimo.  That is the reason why we have two timeout mechanisms
with complicated tick calculations.

I would like to move to milliseconds and merge them eventually.
This makes it easier to see the actual values.

Let's get rid of some easy ticks and hz.

ok?

bluhm

Index: netinet/tcp_timer.c
===
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/tcp_timer.c,v
retrieving revision 1.63
diff -u -p -r1.63 tcp_timer.c
--- netinet/tcp_timer.c 6 Feb 2018 15:13:08 -   1.63
+++ netinet/tcp_timer.c 6 Feb 2018 15:47:06 -
@@ -64,7 +64,7 @@ int   tcp_maxidle;
  * Time to delay the ACK.  This is initialized in tcp_init(), unless
  * its patched.
  */
-inttcp_delack_ticks;
+inttcp_delack_msecs;
 
 void   tcp_timer_rexmt(void *);
 void   tcp_timer_persist(void *);
@@ -96,8 +96,8 @@ tcp_timer_init(void)
if (tcp_maxpersistidle == 0)
tcp_maxpersistidle = TCPTV_KEEP_IDLE;
 
-   if (tcp_delack_ticks == 0)
-   tcp_delack_ticks = TCP_DELACK_TICKS;
+   if (tcp_delack_msecs == 0)
+   tcp_delack_msecs = TCP_DELACK_MSECS;
 }
 
 /*
Index: netinet/tcp_timer.h
===
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/tcp_timer.h,v
retrieving revision 1.16
diff -u -p -r1.16 tcp_timer.h
--- netinet/tcp_timer.h 6 Feb 2018 15:13:08 -   1.16
+++ netinet/tcp_timer.h 6 Feb 2018 15:47:06 -
@@ -106,7 +106,7 @@
 
 #defineTCP_MAXRXTSHIFT 12  /* maximum retransmits 
*/
 
-#defineTCP_DELACK_TICKS (hz / PR_FASTHZ)   /* time to delay ACK */
+#defineTCP_DELACK_MSECS 200/* time to delay ACK */
 
 #ifdef TCPTIMERS
 const char *tcptimers[TCPT_NTIMERS] =
@@ -122,7 +122,7 @@ const char *tcptimers[TCPT_NTIMERS] =
 #defineTCP_TIMER_ARM(tp, timer, nticks)
\
 do {   \
SET((tp)->t_flags, TF_TIMER << (timer));\
-   timeout_add(&(tp)->t_timer[(timer)], (nticks) * (hz / PR_SLOWHZ)); \
+   timeout_add_msec(&(tp)->t_timer[(timer)], (nticks) * 500);  \
 } while (0)
 
 #defineTCP_TIMER_DISARM(tp, timer) 
\
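Review bot: The literal 500 in the new TCP_TIMER_ARM body hard-codes the slow-timer period while the macro parameter is still named `nticks`, so a reader of this header sees no link between the argument's unit and the factor (the value implies PR_SLOWHZ is 2, which the hunk does not show). Writing it as `timeout_add_msec(&(tp)->t_timer[(timer)], (nticks) * (1000 / PR_SLOWHZ)); \` keeps that relationship explicit until callers are converted to milliseconds, or a named `TCP_SLOWTICK_MSECS 500` with a comment does the same. The 200 in TCP_DELACK_MSECS in the previous hunk of this file would likewise benefit from a comment recording that it replaces hz / PR_FASTHZ.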
@@ -151,6 +151,7 @@ typedef void (*tcp_timer_func_t)(void *)
 
 extern const tcp_timer_func_t tcp_timer_funcs[TCPT_NTIMERS];
 
+extern int tcp_delack_msecs;   /* delayed ACK timeout in millisecs */
 extern int tcptv_keep_init;
 extern int tcp_always_keepalive;   /* assume SO_KEEPALIVE is always set */
 extern int tcp_keepidle;   /* time before keepalive probes begin */
Index: netinet/tcp_var.h
===
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/tcp_var.h,v
retrieving revision 1.130
diff -u -p -r1.130 tcp_var.h
--- netinet/tcp_var.h   6 Feb 2018 15:13:08 -   1.130
+++ netinet/tcp_var.h   6 Feb 2018 15:47:06 -
@@ -205,14 +205,13 @@ struct tcpcb {
 #definesototcpcb(so)   (intotcpcb(sotoinpcb(so)))
 
 #ifdef _KERNEL
-extern int tcp_delack_ticks;
 void   tcp_delack(void *);
 
 #define TCP_INIT_DELACK(tp)\
timeout_set_proc(&(tp)->t_delack_to, tcp_delack, tp)
 
 #define TCP_RESTART_DELACK(tp) \
-   timeout_add(&(tp)->t_delack_to, tcp_delack_ticks)
+   timeout_add_msec(&(tp)->t_delack_to, tcp_delack_msecs)
 
 #defineTCP_SET_DELACK(tp)  
\
 do {   \
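Review bot: TCP_RESTART_DELACK now expands to tcp_delack_msecs, but this hunk removes the only extern declaration in this header and the tcp_timer.h hunk adds it there, so any translation unit that expands the macro now depends on netinet/tcp_timer.h being included before this header; whether tcp_var.h itself includes tcp_timer.h cannot be seen from the hunk. If it does not, keeping `extern int tcp_delack_msecs;` here next to `void tcp_delack(void *);` avoids the include-order dependency.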



Re: carp_ourether() tweak

2018-02-06 Thread Alexander Bluhm
On Tue, Feb 06, 2018 at 01:05:44PM +0100, Martin Pieuchot wrote:
> > You're right.  The current logic is broken since the last refactoring.
> > It should read "if it's not my MAC nor the one of my carp(4) children".
> > Diff below corrects that in a way that should prevent future refactoring
> > to break it again.
> 
> Anyone?

OK bluhm@

> > Index: net/if_bridge.c
> > ===
> > RCS file: /cvs/src/sys/net/if_bridge.c,v
> > retrieving revision 1.301
> > diff -u -p -r1.301 if_bridge.c
> > --- net/if_bridge.c 10 Jan 2018 23:50:39 -  1.301
> > +++ net/if_bridge.c 25 Jan 2018 14:27:43 -
> > @@ -997,6 +997,25 @@ bridgeintr_frame(struct bridge_softc *sc
> >  }
> >  
> >  /*
> > + * Return 1 if `ena' belongs to `ifl', 0 otherwise.
> > + */
> > +int
> > +bridge_ourether(struct bridge_iflist *ifl, uint8_t *ena)
> > +{
> > +   struct arpcom *ac = (struct arpcom *)ifl->ifp;
> > +
> > +   if (bcmp(ac->ac_enaddr, ena, ETHER_ADDR_LEN) == 0)
> > +   return (1);
> > +
> > +#if NCARP > 0
> > +   if (carp_ourether(ifl->ifp, ena))
> > +   return (1);
> > +#endif
> > +
> > +   return (0);
> > +}
> > +
> > +/*
> >   * Receive input from an interface.  Queue the packet for bridging if its
> >   * not for us, and schedule an interrupt.
> >   */
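Review bot: bridge_ourether() inherits a locking requirement that its comment does not mention: the carp_ourether() it calls under NCARP asserts KERNEL_ASSERT_LOCKED in the ip_carp.c hunk of this same diff, so the new helper is only safe from callers holding the kernel lock. A short addition to the header comment, `Called with the kernel lock held; carp_ourether() asserts it.`, records that for future refactoring, which is the stated goal of the change. The same diff is quoted again further down this digest in the "Anyone?" message, where the same remark applies.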
> > @@ -1022,7 +1041,6 @@ bridge_process(struct ifnet *ifp, struct
> > struct bridge_iflist *ifl;
> > struct bridge_iflist *srcifl;
> > struct ether_header *eh;
> > -   struct arpcom *ac;
> > struct mbuf *mc;
> >  
> > ifl = (struct bridge_iflist *)ifp->if_bridgeport;
> > @@ -1105,13 +1123,7 @@ bridge_process(struct ifnet *ifp, struct
> > TAILQ_FOREACH(ifl, &sc->sc_iflist, next) {
> > if (ifl->ifp->if_type != IFT_ETHER)
> > continue;
> > -   ac = (struct arpcom *)ifl->ifp;
> > -   if (bcmp(ac->ac_enaddr, eh->ether_dhost, ETHER_ADDR_LEN) == 0
> > -#if NCARP > 0
> > -   || (!SRPL_EMPTY_LOCKED(&ifl->ifp->if_carp) &&
> > -   !carp_ourether(ifl->ifp, eh->ether_dhost))
> > -#endif
> > -   ) {
> > +   if (bridge_ourether(ifl, eh->ether_dhost)) {
> > if (srcifl->bif_flags & IFBIF_LEARNING)
> > bridge_rtupdate(sc,
> > (struct ether_addr *)&eh->ether_shost,
> > @@ -1129,12 +1141,7 @@ bridge_process(struct ifnet *ifp, struct
> > bridge_ifinput(ifl->ifp, m);
> > return;
> > }
> > -   if (bcmp(ac->ac_enaddr, eh->ether_shost, ETHER_ADDR_LEN) == 0
> > -#if NCARP > 0
> > -   || (!SRPL_EMPTY_LOCKED(&ifl->ifp->if_carp) &&
> > -   !carp_ourether(ifl->ifp, eh->ether_shost))
> > -#endif
> > -   ) {
> > +   if (bridge_ourether(ifl, eh->ether_shost)) {
> > m_freem(m);
> > return;
> > }
> > Index: netinet/ip_carp.c
> > ===
> > RCS file: /cvs/src/sys/netinet/ip_carp.c,v
> > retrieving revision 1.327
> > diff -u -p -r1.327 ip_carp.c
> > --- netinet/ip_carp.c   12 Jan 2018 23:47:24 -  1.327
> > +++ netinet/ip_carp.c   25 Jan 2018 14:18:44 -
> > @@ -1339,12 +1348,15 @@ carp_iamatch(struct ifnet *ifp)
> >  int
> >  carp_ourether(struct ifnet *ifp, u_int8_t *ena)
> >  {
> > -   struct srpl *cif;
> > +   struct srpl *cif = &ifp->if_carp;
> > struct carp_softc *vh;
> >  
> > KERNEL_ASSERT_LOCKED(); /* touching if_carp + carp_vhosts */
> > +
> > +   if (SRPL_EMPTY_LOCKED(cif))
> > +   return (0);
> > +
> > KASSERT(ifp->if_type == IFT_ETHER);
> > -   cif = &ifp->if_carp;
> >  
> > SRPL_FOREACH_LOCKED(vh, cif, sc_list) {
> > struct carp_vhost_entry *vhe;
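Review bot: The new early return on `SRPL_EMPTY_LOCKED(cif)` is placed before `KASSERT(ifp->if_type == IFT_ETHER)`, so a non-Ethernet interface with an empty carp list now returns 0 silently where the assertion previously fired for every caller that reached this point. If that relaxation is intended because the bridge caller already filters on IFT_ETHER, a one-line comment on the early return would document it; otherwise moving the KASSERT above the empty check preserves the old contract. The rest of carp_ourether() continues outside the hunk.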
> > 



Re: ipsec ah_massage_headers cleanup

2018-02-06 Thread Alexander Bluhm
On Tue, Feb 06, 2018 at 11:04:51AM +1300, Richard Procter wrote:
> > @@ -657,12 +667,13 @@ ah_input(struct mbuf *m, struct tdb *tdb
> > m_copyback(m, skip + rplen, ahx->authsize, ipseczeroes, M_NOWAIT);
> >  
> > /* "Massage" the packet headers for crypto processing. */
> > -   if ((btsx = ah_massage_headers(&m, tdb->tdb_dst.sa.sa_family,
> > -   skip, ahx->type, 0)) != 0) {
> > +   error = ah_massage_headers(&m, tdb->tdb_dst.sa.sa_family, skip,
> > +   ahx->type, 0);
> > +   if (error) {
> > /* mbuf will be free'd by callee. */
> 
> This pre-existing comment muddled me. ah_massage_headers() has already 
> freed it on error.

Although the code is correct, I also had to read the comment twice
when I first saw it.  I think the tense is wrong.  The callee is
ah_massage_headers, and free has already been called there.

Does this clarify it?

bluhm

Index: netinet/ip_ah.c
===
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_ah.c,v
retrieving revision 1.135
diff -u -p -r1.135 ip_ah.c
--- netinet/ip_ah.c 6 Feb 2018 14:54:22 -   1.135
+++ netinet/ip_ah.c 6 Feb 2018 15:14:29 -
@@ -670,7 +670,7 @@ ah_input(struct mbuf *m, struct tdb *tdb
error = ah_massage_headers(&m, tdb->tdb_dst.sa.sa_family, skip,
ahx->type, 0);
if (error) {
-   /* mbuf will be free'd by callee. */
+   /* mbuf has been be free'd by callee. */
free(tc, M_XDATA, 0);
crypto_freereq(crp);
return error;
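Review bot: The replacement comment has a stray word, "mbuf has been be free'd by callee.", which undercuts the purpose of the change; `/* mbuf has already been freed by callee. */` reads cleanly and states the intended tense. The second hunk of this diff, in ah_output(), carries the same text and needs the same fix. ah_input() begins and ends outside this hunk.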
@@ -1158,7 +1158,7 @@ ah_output(struct mbuf *m, struct tdb *td
error = ah_massage_headers(&m, tdb->tdb_dst.sa.sa_family, skip,
ahx->type, 1);
if (error) {
-   /* mbuf will be free'd by callee. */
+   /* mbuf has been be free'd by callee. */
free(tc, M_XDATA, 0);
crypto_freereq(crp);
return error;



Re: carp_ourether() tweak

2018-02-06 Thread Martin Pieuchot
On 25/01/18(Thu) 15:29, Martin Pieuchot wrote:
> On 24/01/18(Wed) 09:30, Alexander Bluhm wrote:
> > On Mon, Jan 22, 2018 at 11:58:30AM +0100, Martin Pieuchot wrote:
> > > Check if `if_carp' is empty inside carp_ourether() instead of outside. 
> > > 
> > > ok?
> > 
> > Maybe I am confused by the ! and && but I think this diff changes the
> > logic.
> 
> You're right.  The current logic is broken since the last refactoring.
> 
> It should read "if it's not my MAC nor the one of my carp(4) children".
> 
> Diff below corrects that in a way that should prevent future refactoring
> to break it again.

Anyone?

> Index: net/if_bridge.c
> ===
> RCS file: /cvs/src/sys/net/if_bridge.c,v
> retrieving revision 1.301
> diff -u -p -r1.301 if_bridge.c
> --- net/if_bridge.c   10 Jan 2018 23:50:39 -  1.301
> +++ net/if_bridge.c   25 Jan 2018 14:27:43 -
> @@ -997,6 +997,25 @@ bridgeintr_frame(struct bridge_softc *sc
>  }
>  
>  /*
> + * Return 1 if `ena' belongs to `ifl', 0 otherwise.
> + */
> +int
> +bridge_ourether(struct bridge_iflist *ifl, uint8_t *ena)
> +{
> + struct arpcom *ac = (struct arpcom *)ifl->ifp;
> +
> + if (bcmp(ac->ac_enaddr, ena, ETHER_ADDR_LEN) == 0)
> + return (1);
> +
> +#if NCARP > 0
> + if (carp_ourether(ifl->ifp, ena))
> + return (1);
> +#endif
> +
> + return (0);
> +}
> +
> +/*
>   * Receive input from an interface.  Queue the packet for bridging if its
>   * not for us, and schedule an interrupt.
>   */
> @@ -1022,7 +1041,6 @@ bridge_process(struct ifnet *ifp, struct
>   struct bridge_iflist *ifl;
>   struct bridge_iflist *srcifl;
>   struct ether_header *eh;
> - struct arpcom *ac;
>   struct mbuf *mc;
>  
>   ifl = (struct bridge_iflist *)ifp->if_bridgeport;
> @@ -1105,13 +1123,7 @@ bridge_process(struct ifnet *ifp, struct
>   TAILQ_FOREACH(ifl, &sc->sc_iflist, next) {
>   if (ifl->ifp->if_type != IFT_ETHER)
>   continue;
> - ac = (struct arpcom *)ifl->ifp;
> - if (bcmp(ac->ac_enaddr, eh->ether_dhost, ETHER_ADDR_LEN) == 0
> -#if NCARP > 0
> - || (!SRPL_EMPTY_LOCKED(&ifl->ifp->if_carp) &&
> - !carp_ourether(ifl->ifp, eh->ether_dhost))
> -#endif
> - ) {
> + if (bridge_ourether(ifl, eh->ether_dhost)) {
>   if (srcifl->bif_flags & IFBIF_LEARNING)
>   bridge_rtupdate(sc,
>   (struct ether_addr *)&eh->ether_shost,
> @@ -1129,12 +1141,7 @@ bridge_process(struct ifnet *ifp, struct
>   bridge_ifinput(ifl->ifp, m);
>   return;
>   }
> - if (bcmp(ac->ac_enaddr, eh->ether_shost, ETHER_ADDR_LEN) == 0
> -#if NCARP > 0
> - || (!SRPL_EMPTY_LOCKED(&ifl->ifp->if_carp) &&
> - !carp_ourether(ifl->ifp, eh->ether_shost))
> -#endif
> - ) {
> + if (bridge_ourether(ifl, eh->ether_shost)) {
>   m_freem(m);
>   return;
>   }
> Index: netinet/ip_carp.c
> ===
> RCS file: /cvs/src/sys/netinet/ip_carp.c,v
> retrieving revision 1.327
> diff -u -p -r1.327 ip_carp.c
> --- netinet/ip_carp.c 12 Jan 2018 23:47:24 -  1.327
> +++ netinet/ip_carp.c 25 Jan 2018 14:18:44 -
> @@ -1339,12 +1348,15 @@ carp_iamatch(struct ifnet *ifp)
>  int
>  carp_ourether(struct ifnet *ifp, u_int8_t *ena)
>  {
> - struct srpl *cif;
> + struct srpl *cif = &ifp->if_carp;
>   struct carp_softc *vh;
>  
>   KERNEL_ASSERT_LOCKED(); /* touching if_carp + carp_vhosts */
> +
> + if (SRPL_EMPTY_LOCKED(cif))
> + return (0);
> +
>   KASSERT(ifp->if_type == IFT_ETHER);
> - cif = &ifp->if_carp;
>  
>   SRPL_FOREACH_LOCKED(vh, cif, sc_list) {
>   struct carp_vhost_entry *vhe;
> 



Re: ftp: don't close fin or s twice

2018-02-06 Thread sunil+tech
Stuart Henderson  wrote:
> Regarding ftp(1), it would be nice to get more eyes on sunil@'s rewrite,
> apart from anything else it fixes problems with some servers (like 
> ftp.tug.org)
> that don't work with the existing code..

Hi,

For folks on tech@, the latest code is at https://nimmagadda.net/ftp.tar.gz



Re: ftp: don't close fin or s twice

2018-02-06 Thread Stuart Henderson
Regarding ftp(1), it would be nice to get more eyes on sunil@'s rewrite,
apart from anything else it fixes problems with some servers (like ftp.tug.org)
that don't work with the existing code.