Re: resolvd: write nameservers in expected order
If you do not sort them, you cannot remove duplicates.
resolvd: write nameservers in expected order
RFC 2132 "DHCP Options and BOOTP Vendor Extensions" 3.8. Domain Name Server Option says:

The domain name server option specifies a list of Domain Name System (STD 13, RFC 1035 [8]) name servers available to the client. Servers SHOULD be listed in order of preference.

I'm on a wifi with three name servers in its DHCP OFFER, which `tcpdump', `route monitor' and `dhcpleasectl -l athn0' show in the same order. But in my case, resolvd writes them in reverse order, making our resolver query the least preferred one first as per resolv.conf(5):

Up to ASR_MAXNS (currently 5) name servers may be listed, one per line. If there are multiple servers, the resolver library queries them in the order listed.

I have yet to run into a specific problem due to this, but this behaviour did surprise me. Looking at resolvd(8), this is because it sorts the list of name servers by prio (makes sense) as well as IP (why?). If I sort them only by prio and switch to mergesort(3) to have a stable function, the resulting order in resolv.conf is exactly what I see in the DHCP OFFER, as expected. So why do we sort them by IP?

Index: resolvd.c === RCS file: /cvs/src/sbin/resolvd/resolvd.c,v retrieving revision 1.28 diff -u -p -r1.28 resolvd.c --- resolvd.c 2 Sep 2022 09:39:55 - 1.28 +++ resolvd.c 3 Nov 2022 22:25:30 - @@ -503,8 +503,8 @@ handle_route_message(struct rt_msghdr *r return; } - /* Sort proposals, based upon priority and IP */ - qsort(learning, ASR_MAXNS, sizeof(learning[0]), cmp); + /* Sort proposals, based upon priority */ + mergesort(learning, ASR_MAXNS, sizeof(learning[0]), cmp); /* Eliminate duplicates */ for (i = 0; i < ASR_MAXNS - 1; i++) { @@ -694,10 +694,7 @@ cmp(const void *a, const void *b) { const struct rdns_proposal *rpa = a, *rpb = b; - if (rpa->prio == rpb->prio) - return strcmp(rpa->ip, rpb->ip); - else - return rpa->prio < rpb->prio ? -1 : 1; + return rpa->prio < rpb->prio ? -1 : rpa->prio > rpb->prio; } #ifndef SMALL
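Review bot: the return value of mergesort(3) in the handle_route_message() hunk is discarded, but unlike qsort(3) it allocates a temporary buffer and returns -1 on failure (ENOMEM, or EINVAL for a too-small element size); on failure `learning` stays unsorted and the `/* Eliminate duplicates */` pass that follows, which only compares neighbouring slots, runs over unordered data. Check the result, e.g. `if (mergesort(learning, ASR_MAXNS, sizeof(learning[0]), cmp) == -1)` followed by logging the error and returning before resolv.conf is rewritten.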
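Review bot: with the strcmp() tie-break removed in the cmp() hunk, two proposals for the same IP at the same prio are no longer guaranteed to land next to each other (a stable sort keeps their arrival order, with any other same-prio entries in between), so the adjacent-only `/* Eliminate duplicates */` loop after the sort can leave a duplicate server in resolv.conf; either keep the IP as a secondary key behind prio and arrival order, or make the duplicate pass compare every pair. The `? -1 : rpa->prio > rpb->prio` idiom is fine, but a short comment that the boolean yields 0 or 1 would help the next reader.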
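As an added example (not part of this mail and not resolvd(8) code), the following C program runs both comparators from the diff over a constructed proposal list, so the ordering difference and the duplicate-elimination caveat can be seen outside resolvd. The struct, the array size, the insertion sort standing in for mergesort(3), the adjacent-duplicate pass and the sample addresses are my assumptions:

```c
#include <stdio.h>
#include <string.h>

#define MAXNS 5				/* stands in for resolvd's ASR_MAXNS */

/* One learned name server, modelled on the rdns_proposal fields the
 * comparators touch (assumption: resolvd's struct has more members). */
struct proposal {
	int prio;			/* lower number = preferred source */
	char ip[16];
};

/* Comparator as before the patch: priority, then IP as tie-break. */
static int cmp_prio_ip(const void *a, const void *b)
{
	const struct proposal *pa = a, *pb = b;
	if (pa->prio == pb->prio)
		return strcmp(pa->ip, pb->ip);
	return pa->prio < pb->prio ? -1 : 1;
}

/* Comparator from the patch: priority only, equal priorities compare equal. */
static int cmp_prio(const void *a, const void *b)
{
	const struct proposal *pa = a, *pb = b;
	return pa->prio < pb->prio ? -1 : pa->prio > pb->prio;
}

/* Stable insertion sort: a portable stand-in for mergesort(3), whose
 * stability is what gives the patch its "same order as the OFFER" property. */
static void stable_sort(struct proposal *v, size_t n,
    int (*cmp)(const void *, const void *))
{
	for (size_t i = 1; i < n; i++)
		for (size_t j = i; j > 0 && cmp(&v[j - 1], &v[j]) > 0; j--) {
			struct proposal t = v[j];
			v[j] = v[j - 1];
			v[j - 1] = t;
		}
}

/* Adjacent-only duplicate removal: the shape of the loop that follows the
 * sort in handle_route_message() (its exact body is not in the diff). */
static size_t dedup_adjacent(struct proposal *v, size_t n)
{
	size_t w = 0;
	for (size_t i = 0; i < n; i++)
		if (w == 0 || strcmp(v[i].ip, v[w - 1].ip) != 0)
			v[w++] = v[i];
	return w;
}

/* Sort, dedup and join the surviving IPs with ',' in resolv.conf order. */
static const char *run_scenario(const struct proposal *in, size_t n,
    int (*cmp)(const void *, const void *), char *out, size_t outsz)
{
	struct proposal v[MAXNS];
	size_t off = 0;

	memcpy(v, in, n * sizeof(*v));
	stable_sort(v, n, cmp);
	n = dedup_adjacent(v, n);
	out[0] = '\0';
	for (size_t i = 0; i < n && off < outsz; i++)
		off += snprintf(out + off, outsz - off, "%s%s", i ? "," : "", v[i].ip);
	return out;
}

/* Constructed input 1: one DHCP OFFER listing three servers, most
 * preferred first, as the RFC 2132 text asks for. */
static const struct proposal offer[] = {
	{ 1, "10.0.0.3" }, { 1, "10.0.0.2" }, { 1, "10.0.0.1" },
};

/* Constructed input 2: two leases at the same priority that share a
 * server, plus a preferred (lower prio) entry that arrived last. */
static const struct proposal two_leases[] = {
	{ 1, "192.0.2.1" }, { 1, "192.0.2.2" }, { 1, "192.0.2.1" }, { 0, "198.51.100.9" },
};

#define NELEM(a) (sizeof(a) / sizeof((a)[0]))

const char *offer_order_prio_ip(void)
{ static char b[128]; return run_scenario(offer, NELEM(offer), cmp_prio_ip, b, sizeof b); }
const char *offer_order_prio_only(void)
{ static char b[128]; return run_scenario(offer, NELEM(offer), cmp_prio, b, sizeof b); }
const char *leases_order_prio_ip(void)
{ static char b[128]; return run_scenario(two_leases, NELEM(two_leases), cmp_prio_ip, b, sizeof b); }
const char *leases_order_prio_only(void)
{ static char b[128]; return run_scenario(two_leases, NELEM(two_leases), cmp_prio, b, sizeof b); }

int main(void)
{
	printf("offer,  prio+IP: %s\n", offer_order_prio_ip());
	printf("offer,  prio   : %s\n", offer_order_prio_only());
	printf("leases, prio+IP: %s\n", leases_order_prio_ip());
	printf("leases, prio   : %s\n", leases_order_prio_only());
	return 0;
}
```

With prio+IP the single OFFER comes out reversed (10.0.0.1 first), exactly the symptom reported above; with prio only and a stable sort it keeps the OFFER order. The second input shows the cost: the shared 192.0.2.1 is merged by the old comparator because sorting by IP made the two copies adjacent, while the prio-only order leaves them separated by 192.0.2.2 and the adjacent-only pass keeps both.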
rpki-client: check SIA signedObject on ASPA/MFT/ROA/GBR/TAK
Hi all, RFC 6487 section 4.8.8.2 mandates that the SIA extension must be present, and contain *at least* an instance of accessMethod id-ad-signedObject. The below changeset enforces this requirement. OK? Index: aspa.c === RCS file: /cvs/src/usr.sbin/rpki-client/aspa.c,v retrieving revision 1.6 diff -u -p -r1.6 aspa.c --- aspa.c 2 Nov 2022 10:04:41 - 1.6 +++ aspa.c 3 Nov 2022 15:12:26 - @@ -207,11 +207,14 @@ aspa_parse(X509 **x509, const char *fn, goto out; if (!x509_get_aki(*x509, fn, &p.res->aki)) goto out; + if (!x509_get_sia(*x509, fn, &p.res->sia)) + goto out; if (!x509_get_ski(*x509, fn, &p.res->ski)) goto out; - if (p.res->aia == NULL || p.res->aki == NULL || p.res->ski == NULL) { + if (p.res->aia == NULL || p.res->aki == NULL || p.res->sia == NULL + || p.res->ski == NULL) { warnx("%s: RFC 6487 section 4.8: " - "missing AIA, AKI or SKI X509 extension", fn); + "missing AIA, AKI, SIA, or SKI X509 extension", fn); goto out; } Index: extern.h === RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v retrieving revision 1.157 diff -u -p -r1.157 extern.h --- extern.h2 Nov 2022 12:43:02 - 1.157 +++ extern.h3 Nov 2022 15:12:27 - @@ -213,6 +213,7 @@ struct mft { char*seqnum; /* manifestNumber */ char*aia; /* AIA */ char*aki; /* AKI */ + char*sia; /* SIA signedObject */ char*ski; /* SKI */ char*crl; /* CRL file name */ unsigned charcrlhash[SHA256_DIGEST_LENGTH]; @@ -248,6 +249,7 @@ struct roa { int valid; /* validated resources */ char*aia; /* AIA */ char*aki; /* AKI */ + char*sia; /* SIA signedObject */ char*ski; /* SKI */ time_t expires; /* do not use after */ }; @@ -298,6 +300,7 @@ struct tak { struct takey*successor; char*aia; /* AIA */ char*aki; /* AKI */ + char*sia; /* SIA signed Object */ char*ski; /* SKI */ time_t expires; /* Not After of the TAK EE */ }; @@ -309,6 +312,7 @@ struct gbr { char*vcard; char*aia; /* AIA */ char*aki; /* AKI */ + char*sia; /* SIA signedObject */ char*ski; /* SKI */ }; 
@@ -325,6 +329,7 @@ struct aspa { int talid; /* TAL the ASPA is chained up to */ char*aia; /* AIA */ char*aki; /* AKI */ + char*sia; /* SIA signedObject */ char*ski; /* SKI */ uint32_t custasid; /* the customerASID */ struct aspa_provider*providers; /* the providers */ @@ -737,6 +742,7 @@ struct ibuf *io_buf_recvfd(int, struct i voidx509_init_oid(void); int x509_get_aia(X509 *, const char *, char **); int x509_get_aki(X509 *, const char *, char **); +int x509_get_sia(X509 *, const char *, char **); int x509_get_ski(X509 *, const char *, char **); int x509_get_expire(X509 *, const char *, time_t *); int x509_get_crl(X509 *, const char *, char **); Index: gbr.c === RCS file: /cvs/src/usr.sbin/rpki-client/gbr.c,v retrieving revision 1.16 diff -u -p -r1.16 gbr.c --- gbr.c 11 May 2022 21:19:06 - 1.16 +++ gbr.c 3 Nov 2022 15:12:27 - @@ -67,11 +67,14 @@ gbr_parse(X509 **x509, const char *fn, c goto out; if (!x509_get_aki(*x509, fn, &p.res->aki)) goto out; + if (!x509_get_sia(*x509, fn, &p.res->sia)) + goto out; if (!x509_get_ski(*x509, fn, &p.res->ski)) goto out; - if (p.res->aia == NULL || p.res->aki == NULL || p.res->ski == NULL) { + if (p.res->aia == NULL || p.res->aki == NULL || p.res->sia == NULL + || p.res->ski == NULL) { warnx("%s: RFC 6487 section 4.8: " - "missing AIA, AKI or SKI X509 extension", fn); + "missing AIA, AKI, SIA or SKI X509 extension", fn); goto out; } Index: mft.c === RCS file: /cvs/src/usr.sbin/rpki-client/mft.c,v retrieving revision 1.76 diff -u -p -r1.76 mft.c --- mft.c 2 Nov 2022 12:43:02 - 1.76 +++ mft.c 3 Nov 2022 15:12:27 - @@ -368,11 +368,14 @@ mft_parse(X509 **x509, co
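Review bot: the aspa_parse() hunk stores a new string in p.res->sia (x509_get_sia presumably hands back an allocated string like x509_get_aia and x509_get_aki do), but no hunk in this diff touches aspa_free() or the free routines for mft, roa, gbr and tak, so the new member is never released; add `free(p->sia);` next to `free(p->aki);` in each of them.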
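Review bot: the comment on the new struct tak member reads `/* SIA signed Object */` while the mft, roa, gbr and aspa hunks say `/* SIA signedObject */`; make it the same spelling so a grep for the identifier finds all five.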
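Review bot: the prototype `int x509_get_sia(X509 *, const char *, char **);` is added in the extern.h hunk, but its definition is not part of this diff, so it cannot be checked here whether the function fails on an SIA that lacks an id-ad-signedObject accessMethod (the RFC 6487 4.8.8.2 condition the cover letter says is being enforced) or only on a missing extension; please post the x509.c part as well.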
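Review bot: the warnx() text in the gbr_parse() hunk ("missing AIA, AKI, SIA or SKI") differs from the aspa_parse() hunk ("missing AIA, AKI, SIA, or SKI") by a comma; pick one form so the messages can be matched together.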
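As an added example (not rpki-client code, and not from this diff), here is a minimal DER walk over a SubjectInfoAccess value that reports whether an AccessDescription with accessMethod id-ad-signedObject is present, which is the RFC 6487 4.8.8.2 condition discussed above. The OIDs are the registered ones (1.3.6.1.5.5.7.48.11 signedObject, .48.5 caRepository, .48.10 rpkiManifest); the encoded test values, the rsync URIs in them and all function names are mine:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Registered accessMethod OIDs (RFC 6487 4.8.8), DER content octets. */
static const unsigned char OID_SIGNED_OBJECT[] = { 0x2b,0x06,0x01,0x05,0x05,0x07,0x30,0x0b };
static const unsigned char OID_CA_REPOSITORY[] = { 0x2b,0x06,0x01,0x05,0x05,0x07,0x30,0x05 };
static const unsigned char OID_RPKI_MANIFEST[] = { 0x2b,0x06,0x01,0x05,0x05,0x07,0x30,0x0a };

struct tlv { unsigned char tag; const unsigned char *val; size_t len; };

/* Read one DER TLV at p (short form or 1-2 byte long form, enough for an
 * SIA); returns bytes consumed, 0 on truncation or a non-minimal length. */
static size_t read_tlv(const unsigned char *p, size_t avail, struct tlv *t)
{
	size_t hdr = 2, len;

	if (avail < 2)
		return 0;
	if (p[1] < 0x80)
		len = p[1];
	else if (p[1] == 0x81 && avail >= 3 && p[2] >= 0x80)
		len = p[2], hdr = 3;
	else if (p[1] == 0x82 && avail >= 4 && p[2] != 0)
		len = ((size_t)p[2] << 8) | p[3], hdr = 4;
	else
		return 0;			/* indefinite, non-minimal or oversized */
	if (len > avail - hdr)
		return 0;
	t->tag = p[0]; t->val = p + hdr; t->len = len;
	return hdr + len;
}

/* SubjectInfoAccess ::= SEQUENCE OF AccessDescription
 * AccessDescription ::= SEQUENCE { accessMethod OID, accessLocation GeneralName }
 * Returns 1 if an id-ad-signedObject entry with a URI location is present,
 * 0 if the SIA is well-formed but lacks one, -1 on malformed DER. */
int sia_has_signed_object(const unsigned char *der, size_t derlen)
{
	struct tlv outer, ad, method, loc;
	size_t off = 0, adlen, mlen;
	int found = 0;

	if (read_tlv(der, derlen, &outer) != derlen || outer.tag != 0x30)
		return -1;			/* must be exactly one SEQUENCE */
	while (off < outer.len) {
		adlen = read_tlv(outer.val + off, outer.len - off, &ad);
		if (adlen == 0 || ad.tag != 0x30)
			return -1;
		mlen = read_tlv(ad.val, ad.len, &method);
		if (mlen == 0 || method.tag != 0x06 || mlen == ad.len)
			return -1;		/* OID must be followed by a GeneralName */
		if (read_tlv(ad.val + mlen, ad.len - mlen, &loc) != ad.len - mlen)
			return -1;		/* exactly one GeneralName, nothing trailing */
		if (method.len == sizeof(OID_SIGNED_OBJECT) &&
		    memcmp(method.val, OID_SIGNED_OBJECT, method.len) == 0) {
			if (loc.tag != 0x86)	/* [6] uniformResourceIdentifier */
				return -1;	/* RFC 6487 4.8.8.2: location MUST be a URI */
			found = 1;
		}
		off += adlen;
	}
	return found;
}

/* --- constructed test values, not taken from any real certificate --- */

/* Encode AccessDescription { oid, [6] uri } with short-form lengths. */
static size_t put_ad(unsigned char *out, const unsigned char *oid, const char *uri)
{
	size_t ulen = strlen(uri), inner = 2 + 8 + 2 + ulen;

	out[0] = 0x30; out[1] = (unsigned char)inner;
	out[2] = 0x06; out[3] = 8; memcpy(out + 4, oid, 8);
	out[12] = 0x86; out[13] = (unsigned char)ulen; memcpy(out + 14, uri, ulen);
	return 2 + inner;
}

/* EE-style SIA as a ROA/MFT/ASPA/GBR/TAK certificate carries it. */
static size_t build_ee_sia(unsigned char *out)
{
	size_t n = put_ad(out + 2, OID_SIGNED_OBJECT, "rsync://r.example/a.roa");
	out[0] = 0x30; out[1] = (unsigned char)n;
	return 2 + n;
}

/* CA-style SIA: caRepository + rpkiManifest, no signedObject. */
static size_t build_ca_sia(unsigned char *out)
{
	size_t n = put_ad(out + 2, OID_CA_REPOSITORY, "rsync://r.example/");
	n += put_ad(out + 2 + n, OID_RPKI_MANIFEST, "rsync://r.example/a.mft");
	out[0] = 0x30; out[1] = (unsigned char)n;
	return 2 + n;
}

int check_ee_sia(void)
{ unsigned char b[128]; size_t n = build_ee_sia(b); return sia_has_signed_object(b, n); }
int check_ca_sia(void)
{ unsigned char b[128]; size_t n = build_ca_sia(b); return sia_has_signed_object(b, n); }
int check_truncated_sia(void)
{ unsigned char b[128]; size_t n = build_ee_sia(b); return sia_has_signed_object(b, n - 5); }

int main(void)
{
	printf("EE SIA: %d, CA SIA: %d, truncated SIA: %d\n",
	    check_ee_sia(), check_ca_sia(), check_truncated_sia());
	return 0;
}
```

The three outcomes matter separately for a validator: a CA-style SIA on an EE certificate is well-formed but must still be rejected, and a truncated or over-long length must be reported as malformed rather than silently treated as "no signedObject".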
bgpctl show mpls label in fib output
Noticed while figuring out the kroute bug with MPLS. I think it would be nice to know the MPLS label of a fib MPLS route.

bgpctl show fib table 13
flags: B = BGP, C = Connected, S = Static
       N = BGP Nexthop reachable via this route
       r = reject route, b = blackhole route
flags prio destination          gateway
C        1 127.0.0.1/32         link#129
B       48 192.168.44.0/24      10.12.57.2 mpls 44
C        1 192.168.237.242/32   link#128

Not sure if the keyword should be "mpls" or "label".

-- 
:wq Claudio

Index: bgpctl.h === RCS file: /cvs/src/usr.sbin/bgpctl/bgpctl.h,v retrieving revision 1.17 diff -u -p -r1.17 bgpctl.h --- bgpctl.h17 Oct 2022 12:01:19 - 1.17 +++ bgpctl.h3 Nov 2022 14:21:14 - @@ -58,3 +58,5 @@ const char*fmt_community(uint16_t, uint const char *fmt_large_community(uint32_t, uint32_t, uint32_t); const char *fmt_ext_community(uint8_t *); const char *fmt_set_type(struct ctl_show_set *); + +#define MPLS_LABEL_OFFSET 12 Index: output.c === RCS file: /cvs/src/usr.sbin/bgpctl/output.c,v retrieving revision 1.30 diff -u -p -r1.30 output.c --- output.c17 Oct 2022 12:01:19 - 1.30 +++ output.c3 Nov 2022 14:21:33 - @@ -477,6 +477,8 @@ show_fib(struct kroute_full *kf) printf("link#%u", kf->ifindex); else printf("%s", log_addr(&kf->nexthop)); + if (kf->flags & F_MPLS) + printf(" mpls %d", ntohl(kf->mplslabel) >> MPLS_LABEL_OFFSET); printf("\n"); } Index: output_json.c === RCS file: /cvs/src/usr.sbin/bgpctl/output_json.c,v retrieving revision 1.24 diff -u -p -r1.24 output_json.c --- output_json.c 17 Oct 2022 12:01:19 - 1.24 +++ output_json.c 3 Nov 2022 14:22:48 - @@ -385,6 +385,9 @@ json_fib(struct kroute_full *kf) else json_do_printf("nexthop", "%s", log_addr(&kf->nexthop)); + if (kf->flags & F_CONNECTED) + json_do_printf("mplslabel", "%d", + ntohl(kf->mplslabel) >> MPLS_LABEL_OFFSET); json_do_end(); }
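Review bot: the bare `#define MPLS_LABEL_OFFSET 12` in the bgpctl.h hunk deserves a one-line comment saying that the 20-bit label occupies the top of the 32-bit label stack entry and the 12 bits below it are TC, S and TTL, and it is worth checking whether the kernel's MPLS header (<netmpls/mpls.h>) already exports a constant of that name before adding a private copy to bgpctl.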
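Review bot: in the show_fib() hunk the value `ntohl(kf->mplslabel) >> MPLS_LABEL_OFFSET` is an unsigned 20-bit quantity, so `%u` is the matching conversion rather than `%d`; harmless for a label, but the json hunk copies the same format string.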
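Review bot: the json_fib() hunk tests `kf->flags & F_CONNECTED` where the text hunk tests `F_MPLS`; as written the JSON output emits "mplslabel" for connected routes (which carry no label, so the field is garbage) and omits it for the MPLS routes the change is meant to show. Change the condition to `if (kf->flags & F_MPLS)` to match show_fib().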
tweak to dependency checking
I'd like to add a special construct to dependencies, "=" to mean the exact version of the package we're depending on. The patch is trivial:

Index: OpenBSD/PackingElement.pm === RCS file: /cvs/src/usr.sbin/pkg_add/OpenBSD/PackingElement.pm,v retrieving revision 1.283 diff -u -p -r1.283 PackingElement.pm --- OpenBSD/PackingElement.pm 28 Jun 2022 08:15:43 - 1.283 +++ OpenBSD/PackingElement.pm 1 Nov 2022 18:20:37 - 
@@ -1079,7 +1079,13 @@ OpenBSD::Auto::cache(spec, require OpenBSD::Search; my $self = shift; - return OpenBSD::Search::PkgSpec->new($self->{pattern}) + my $src; + if ($self->{pattern} eq '=') { + $src = $self->{def}; + } else { + $src = $self->{pattern}; + } + return OpenBSD::Search::PkgSpec->new($src) ->add_pkgpath_hint($self->{pkgpath}); });

(This takes advantage of the fact that PkgSpec comparisons have an implicit = if no operator has been mentioned)

This would result in lines like

@depend archivers/libarchive:=:libarchive-3.6.1p0

meaning "hey I want to depend on the exact version of libarchive we have".

There are several reasons behind this patch.

- most of the stuff that wants exact version comparison has to go through hoops to get it.

- register-plist can't flag changes in PKGSPEC as relevant, because... with exact version comparisons, those change ALL THE TIME. I would be able to say "hey, you changed PKGSPEC, you want to bump the dependent port". Because, in the way we do things, PKGSPEC changes are almost invariably to restrict/move the dependency along so that we don't end up with broken dependency tree (case in point: the introduction of gimp-3.x which broke all dependency chains for gimp-2.x)

The only downside I see to this is that this will be the exact version, including REVISION, whereas a few ports shun the REVISION part while making the comparison.

Testing this patch on debug packages is trivial:

Index: bsd.port.mk === RCS file: /cvs/ports/infrastructure/mk/bsd.port.mk,v retrieving revision 1.1580 diff -u -p -r1.1580 bsd.port.mk --- bsd.port.mk 1 Nov 2022 10:55:54 - 1.1580 +++ bsd.port.mk 3 Nov 2022 07:05:12 - 
@@ -1203,7 +1203,7 @@ _pkg_cookie${_S} = ${_PACKAGE_COOKIE${_S . if ${DEBUG_PACKAGES:M${_S}} _DBG_PKG_ARGS${_S} := ${PKG_ARGS${_S}} -_DBG_PKG_ARGS${_S} += -P${FULLPKGPATH${_S}}:${FULLPKGNAME${_S}}:${FULLPKGNAME${_S}} +_DBG_PKG_ARGS${_S} += -P${FULLPKGPATH${_S}}:=:${FULLPKGNAME${_S}} _DBG_PKG_ARGS${_S} += -DCOMMENT="debug info for ${PKGSTEM${_S}}" _DBG_PKG_ARGS${_S} += -d"-debug info for ${FULLPKGNAME${_S}}" # XXX revisit that fullpkgpath later ?

There is also a slightly more involved patch to extend the *_DEPENDS = some/path>=2.1 glue so that *_DEPENDS = some/path= works

Index: bsd.port.mk === RCS file: /cvs/ports/infrastructure/mk/bsd.port.mk,v retrieving revision 1.1580 diff -u -p -r1.1580 bsd.port.mk --- bsd.port.mk 1 Nov 2022 10:55:54 - 1.1580 +++ bsd.port.mk 1 Nov 2022 18:20:54 - @@ -1602,16 +1602,20 @@ ERRORS += "Fatal: old style depends ${_C # the C,, part basically does this: # if the depends contains only pkgpath>=something # then we rebuild it as STEM->=something:pkgpath +# also, pkgpath= becomes =:pkgpath .for _v in BUILD LIB RUN TEST ${_v}_DEPENDS := ${${_v}_DEPENDS:C,^([^:]+/[^:<=>]+)([<=>][^:]+)$,STEM-\2:\1,} +${_v}_DEPENDS := ${${_v}_DEPENDS:C,^([^:]+/[^:=]+)=[^:]*$,=:\1,} .endfor .for _v in BUILD TEST ${_v}_DEPENDS := ${${_v}_DEPENDS:C,^([^:]+/[^:<=>]+)([<=>][^:]+)(:patch|:configure|:build)$,STEM-\2:\1\3,} +${_v}_DEPENDS := ${${_v}_DEPENDS:C,^([^:]+/[^:=]+)=[^:]*)(:patch|:configure|:build)$,=:\1\2,} .endfor .for _s in ${MULTI_PACKAGES} . for _v in RUN LIB ${_v}_DEPENDS${_s} := ${${_v}_DEPENDS${_s}:C,^([^:]+/[^:<=>]+)([<=>][^:]+)$,STEM-\2:\1,} +${_v}_DEPENDS${_s} := ${${_v}_DEPENDS${_s}:C,^([^:]+/[^:=]+)=[^:]*$,=:\1,} . endfor .endfor

Obviously, this involves a bit of patience, because the pkg_add change needs to trickle down to snapshots before the other parts can go in. Any objection to moving forward with this?
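Review bot: the PackingElement.pm hunk introduces a new meaning for the pkgspec field of @depend (a literal "=" resolving to the third field, which the code reads as $self->{def}) without any documentation change; the packing-list description of @depend in the pkg_create manual should gain a sentence on the "=" form and on the fact that it matches the exact version including REVISION, as the mail itself notes.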
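Review bot: in the second bsd.port.mk hunk the added BUILD/TEST rule `:C,^([^:]+/[^:=]+)=[^:]*)(:patch|:configure|:build)$,=:\1\2,` has a stray `)` after `[^:]*` with no matching `(`, so the expression does not compile as an extended regex and the :C modifier will fail for every port that sets BUILD_DEPENDS or TEST_DEPENDS; drop the parenthesis so the phase suffix is group 2, i.e. `^([^:]+/[^:=]+)=[^:]*(:patch|:configure|:build)$` with replacement `=:\1\2`, matching the structure of the `=[^:]*$` rules in the other two loops.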