Re: resolvd: write nameservers in expected order

2022-11-03 Thread Theo de Raadt
If you do not sort them, you cannot remove duplicates.



resolvd: write nameservers in expected order

2022-11-03 Thread Klemens Nanni
RFC 2132 "DHCP Options and BOOTP Vendor Extensions"
3.8. Domain Name Server Option says:

   The domain name server option specifies a list of Domain Name System
   (STD 13, RFC 1035 [8]) name servers available to the client.  Servers
   SHOULD be listed in order of preference.

I'm on a wifi with three name servers in its DHCP OFFER, which `tcpdump',
`route monitor' and `dhcpleasectl -l athn0' show in the same order.

But in my case, resolvd writes them in reverse order, making our
resolver query the least preferred one first as per resolv.conf(5):

Up to ASR_MAXNS (currently 5) name servers may be listed, one
per line.  If there are multiple servers, the resolver
library queries them in the order listed.

I have yet to run into a specific problem due to this, but this behaviour
did surprise me.

Looking at resolvd(8), this is because it sorts the list of name servers
by prio (makes sense) as well as IP (why?).

If I sort them only by prio and switch to mergesort(3) to have a stable
function, the resulting order in resolv.conf is exactly what I see in
the DHCP OFFER, as expected.

So why do we sort them by IP?


Index: resolvd.c
===
RCS file: /cvs/src/sbin/resolvd/resolvd.c,v
retrieving revision 1.28
diff -u -p -r1.28 resolvd.c
--- resolvd.c   2 Sep 2022 09:39:55 -   1.28
+++ resolvd.c   3 Nov 2022 22:25:30 -
@@ -503,8 +503,8 @@ handle_route_message(struct rt_msghdr *r
return;
}
 
-   /* Sort proposals, based upon priority and IP */
-   qsort(learning, ASR_MAXNS, sizeof(learning[0]), cmp);
+   /* Sort proposals, based upon priority */
+   mergesort(learning, ASR_MAXNS, sizeof(learning[0]), cmp);
 
/* Eliminate duplicates */
for (i = 0; i < ASR_MAXNS - 1; i++) {
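Review bot: mergesort(3) can fail where qsort(3) cannot (it allocates a temporary buffer and returns -1 with errno set), so the new call's return value should be checked instead of dropped on the floor. Separately, the loop that follows is labelled "Eliminate duplicates" and runs to ASR_MAXNS - 1, which suggests it compares neighbours; with the IP tie-break gone, two equal-prio entries for the same address are no longer guaranteed to land next to each other, so either the tie-break stays or the duplicate pass has to check every earlier survivor rather than only the adjacent one.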
@@ -694,10 +694,7 @@ cmp(const void *a, const void *b)
 {
const struct rdns_proposal  *rpa = a, *rpb = b;
 
-   if (rpa->prio == rpb->prio)
-   return strcmp(rpa->ip, rpb->ip);
-   else
-   return rpa->prio < rpb->prio ? -1 : 1;
+   return rpa->prio < rpb->prio ? -1 : rpa->prio > rpb->prio;
 }
 
 #ifndef SMALL
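Review bot: `return rpa->prio < rpb->prio ? -1 : rpa->prio > rpb->prio;` is correct (it yields -1, 0 or 1) but leans on the reader knowing a relational expression evaluates to 0 or 1; the explicit three-way form `if (rpa->prio < rpb->prio) return -1; if (rpa->prio > rpb->prio) return 1; return 0;` is easier to review. Dropping the strcmp() on ip also means cmp() no longer defines a total order over proposals, which matters to any caller that relies on equal entries sorting together.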


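The ordering question in this thread, as an added example that is not resolvd's code: a by-priority sort that keeps the DHCP OFFER order inside each priority, paired with a duplicate pass that does not depend on duplicates being adjacent. It stands in qsort(3) with an arrival index for mergesort(3) so it builds everywhere; the struct, ASR_MAXNS, priorities and addresses are constructed for the example.

```c
/* Added example, not resolvd's code: sort nameservers by priority while
 * keeping DHCP OFFER order inside each priority, and still drop duplicates
 * that are no longer adjacent. Names, ASR_MAXNS and data are constructed. */
#include <stdlib.h>
#include <string.h>

#define ASR_MAXNS 5
#define IPLEN 46
struct proposal {
	int	prio;		/* source priority, lower is preferred */
	int	idx;		/* arrival order, makes the sort stable */
	char	ip[IPLEN];
};

static int
cmp_prio_stable(const void *a, const void *b)
{
	const struct proposal *pa = a, *pb = b;
	if (pa->prio != pb->prio)
		return pa->prio < pb->prio ? -1 : 1;
	return pa->idx < pb->idx ? -1 : pa->idx > pb->idx;	/* tie-break */
}

/* Fill out[] with at most ASR_MAXNS unique addresses, best prio first.
 * Every survivor is compared, so duplicates need not be neighbours. */
size_t
order_nameservers(struct proposal *in, size_t n, char out[][IPLEN])
{
	size_t i, j, count = 0;
	qsort(in, n, sizeof(in[0]), cmp_prio_stable);
	for (i = 0; i < n && count < ASR_MAXNS; i++) {
		for (j = 0; j < count && strcmp(out[j], in[i].ip) != 0; j++)
			;
		if (j == count)
			memcpy(out[count++], in[i].ip, IPLEN);
	}
	return count;
}

/* Constructed input: a DHCP OFFER with three servers at prio 12 and a
 * preferred source at prio 8 repeating the first one. Returns 4. */
size_t
demo_order(char out[][IPLEN])
{
	struct proposal in[] = {
		{ 12, 0, "192.0.2.53" }, { 12, 1, "192.0.2.54" }, { 12, 2, "192.0.2.55" },
		{ 8, 3, "192.0.2.53" }, { 8, 4, "198.51.100.1" },
	};
	return order_nameservers(in, sizeof(in) / sizeof(in[0]), out);
}
```

The result keeps the OFFER order 53, 54, 55 within the prio 12 group while the prio 8 copy of 192.0.2.53 wins and the later duplicate is dropped.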

rpki-client: check SIA signedObject on ASPA/MFT/ROA/GBR/TAK

2022-11-03 Thread Job Snijders
Hi all,

RFC 6487 section 4.8.8.2 mandates that the SIA extension must be
present, and contain *at least* an instance of accessMethod
id-ad-signedObject. The below changeset enforces this requirement.

OK?

Index: aspa.c
===
RCS file: /cvs/src/usr.sbin/rpki-client/aspa.c,v
retrieving revision 1.6
diff -u -p -r1.6 aspa.c
--- aspa.c  2 Nov 2022 10:04:41 -   1.6
+++ aspa.c  3 Nov 2022 15:12:26 -
@@ -207,11 +207,14 @@ aspa_parse(X509 **x509, const char *fn, 
goto out;
if (!x509_get_aki(*x509, fn, &p.res->aki))
goto out;
+   if (!x509_get_sia(*x509, fn, &p.res->sia))
+   goto out;
if (!x509_get_ski(*x509, fn, &p.res->ski))
goto out;
-   if (p.res->aia == NULL || p.res->aki == NULL || p.res->ski == NULL) {
+   if (p.res->aia == NULL || p.res->aki == NULL || p.res->sia == NULL
+   || p.res->ski == NULL) {
warnx("%s: RFC 6487 section 4.8: "
-   "missing AIA, AKI or SKI X509 extension", fn);
+   "missing AIA, AKI, SIA, or SKI X509 extension", fn);
goto out;
}
 
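Review bot: p.res->sia is a newly owned string filled in by x509_get_sia() next to aia, aki and ski, but the changeset shows no matching release of the new member in the routines that free a parsed struct aspa (and the mft, roa, gbr and tak counterparts); make sure the corresponding *_free() code frees sia too, or every parsed object leaks it.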
Index: extern.h
===
RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v
retrieving revision 1.157
diff -u -p -r1.157 extern.h
--- extern.h2 Nov 2022 12:43:02 -   1.157
+++ extern.h3 Nov 2022 15:12:27 -
@@ -213,6 +213,7 @@ struct mft {
char*seqnum; /* manifestNumber */
char*aia; /* AIA */
char*aki; /* AKI */
+   char*sia; /* SIA signedObject */
char*ski; /* SKI */
char*crl; /* CRL file name */
unsigned charcrlhash[SHA256_DIGEST_LENGTH];
@@ -248,6 +249,7 @@ struct roa {
int  valid; /* validated resources */
char*aia; /* AIA */
char*aki; /* AKI */
+   char*sia; /* SIA signedObject */
char*ski; /* SKI */
time_t   expires; /* do not use after */
 };
@@ -298,6 +300,7 @@ struct tak {
struct takey*successor;
char*aia; /* AIA */
char*aki; /* AKI */
+   char*sia; /* SIA signed Object */
char*ski; /* SKI */
time_t   expires; /* Not After of the TAK EE */
 };
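Review bot: the new comment in struct tak reads `/* SIA signed Object */` while the other structs in this changeset say `/* SIA signedObject */`; make it the same, since the accessMethod is literally id-ad-signedObject.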
@@ -309,6 +312,7 @@ struct gbr {
char*vcard;
char*aia; /* AIA */
char*aki; /* AKI */
+   char*sia; /* SIA signedObject */
char*ski; /* SKI */
 };
 
@@ -325,6 +329,7 @@ struct aspa {
int  talid; /* TAL the ASPA is chained up to */
char*aia; /* AIA */
char*aki; /* AKI */
+   char*sia; /* SIA signedObject */
char*ski; /* SKI */
uint32_t custasid; /* the customerASID */
struct aspa_provider*providers; /* the providers */
@@ -737,6 +742,7 @@ struct ibuf *io_buf_recvfd(int, struct i
 voidx509_init_oid(void);
 int x509_get_aia(X509 *, const char *, char **);
 int x509_get_aki(X509 *, const char *, char **);
+int x509_get_sia(X509 *, const char *, char **);
 int x509_get_ski(X509 *, const char *, char **);
 int x509_get_expire(X509 *, const char *, time_t *);
 int x509_get_crl(X509 *, const char *, char **);
Index: gbr.c
===
RCS file: /cvs/src/usr.sbin/rpki-client/gbr.c,v
retrieving revision 1.16
diff -u -p -r1.16 gbr.c
--- gbr.c   11 May 2022 21:19:06 -  1.16
+++ gbr.c   3 Nov 2022 15:12:27 -
@@ -67,11 +67,14 @@ gbr_parse(X509 **x509, const char *fn, c
goto out;
if (!x509_get_aki(*x509, fn, &p.res->aki))
goto out;
+   if (!x509_get_sia(*x509, fn, &p.res->sia))
+   goto out;
if (!x509_get_ski(*x509, fn, &p.res->ski))
goto out;
-   if (p.res->aia == NULL || p.res->aki == NULL || p.res->ski == NULL) {
+   if (p.res->aia == NULL || p.res->aki == NULL || p.res->sia == NULL
+   || p.res->ski == NULL) {
warnx("%s: RFC 6487 section 4.8: "
-   "missing AIA, AKI or SKI X509 extension", fn);
+   "missing AIA, AKI, SIA or SKI X509 extension", fn);
goto out;
}
 
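Review bot: the error text here, "missing AIA, AKI, SIA or SKI X509 extension", differs from the aspa.c version, "missing AIA, AKI, SIA, or SKI X509 extension", by one comma only; settle on one spelling so the message can be grepped for across object types.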
Index: mft.c
===
RCS file: /cvs/src/usr.sbin/rpki-client/mft.c,v
retrieving revision 1.76
diff -u -p -r1.76 mft.c
--- mft.c   2 Nov 2022 12:43:02 -   1.76
+++ mft.c   3 Nov 2022 15:12:27 -
@@ -368,11 +368,14 @@ mft_parse(X509 **x509, co

bgpctl show mpls label in fib output

2022-11-03 Thread Claudio Jeker
Noticed while figuring out the kroute bug with MPLS.
I think it would be nice to know the MPLS label of a fib MPLS route.

bgpctl show fib table 13
flags: B = BGP, C = Connected, S = Static
   N = BGP Nexthop reachable via this route
   r = reject route, b = blackhole route

flags prio destination  gateway 
C1 127.0.0.1/32 link#129
B   48 192.168.44.0/24  10.12.57.2 mpls 44
C1 192.168.237.242/32   link#128

Not sure if the keyword should be "mpls" or "label".
-- 
:wq Claudio

Index: bgpctl.h
===
RCS file: /cvs/src/usr.sbin/bgpctl/bgpctl.h,v
retrieving revision 1.17
diff -u -p -r1.17 bgpctl.h
--- bgpctl.h17 Oct 2022 12:01:19 -  1.17
+++ bgpctl.h3 Nov 2022 14:21:14 -
@@ -58,3 +58,5 @@ const char*fmt_community(uint16_t, uint
 const char *fmt_large_community(uint32_t, uint32_t, uint32_t);
 const char *fmt_ext_community(uint8_t *);
 const char *fmt_set_type(struct ctl_show_set *);
+
+#define MPLS_LABEL_OFFSET 12
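Review bot: `#define MPLS_LABEL_OFFSET 12` lands without a comment saying what it means (the 20-bit label sits in the upper bits of the 32-bit shim word, so a shift of 12 extracts it), and the same name for the same shift is what <netmpls/mpls.h> provides; check whether including that header is preferable to a private copy in bgpctl.h, where a later include of the kernel header would provoke a redefinition warning.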
Index: output.c
===
RCS file: /cvs/src/usr.sbin/bgpctl/output.c,v
retrieving revision 1.30
diff -u -p -r1.30 output.c
--- output.c17 Oct 2022 12:01:19 -  1.30
+++ output.c3 Nov 2022 14:21:33 -
@@ -477,6 +477,8 @@ show_fib(struct kroute_full *kf)
printf("link#%u", kf->ifindex);
else
printf("%s", log_addr(&kf->nexthop));
+   if (kf->flags & F_MPLS)
+   printf(" mpls %d", ntohl(kf->mplslabel) >> MPLS_LABEL_OFFSET);
printf("\n");
 }
 
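Review bot: `printf(" mpls %d", ntohl(kf->mplslabel) >> MPLS_LABEL_OFFSET)` passes an unsigned 32-bit value to a %d conversion; the shifted label fits in 20 bits so nothing breaks today, but the conversion should match the type, so use %u here and in the JSON variant.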
Index: output_json.c
===
RCS file: /cvs/src/usr.sbin/bgpctl/output_json.c,v
retrieving revision 1.24
diff -u -p -r1.24 output_json.c
--- output_json.c   17 Oct 2022 12:01:19 -  1.24
+++ output_json.c   3 Nov 2022 14:22:48 -
@@ -385,6 +385,9 @@ json_fib(struct kroute_full *kf)
else
json_do_printf("nexthop", "%s", log_addr(&kf->nexthop));
 
+   if (kf->flags & F_CONNECTED)
+   json_do_printf("mplslabel", "%d",
+   ntohl(kf->mplslabel) >> MPLS_LABEL_OFFSET);
json_do_end();
 }
 
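Review bot: the condition is `if (kf->flags & F_CONNECTED)` whereas the text output in output.c tests `F_MPLS` for the same field; as written, connected routes get a "mplslabel" of 0 in the JSON and MPLS routes get none, which looks like a copy-and-paste slip, so test F_MPLS. The %d for the unsigned shifted value should be %u here as well.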



tweak to dependency checking

2022-11-03 Thread Marc Espie
I'd like to add a special construct to dependencies, "=" to mean
the exact version of the package we're depending on.

The patch is trivial:

Index: OpenBSD/PackingElement.pm
===
RCS file: /cvs/src/usr.sbin/pkg_add/OpenBSD/PackingElement.pm,v
retrieving revision 1.283
diff -u -p -r1.283 PackingElement.pm
--- OpenBSD/PackingElement.pm   28 Jun 2022 08:15:43 -  1.283
+++ OpenBSD/PackingElement.pm   1 Nov 2022 18:20:37 -
@@ -1079,7 +1079,13 @@ OpenBSD::Auto::cache(spec,
require OpenBSD::Search;
 
my $self = shift;
-   return OpenBSD::Search::PkgSpec->new($self->{pattern})
+   my $src;
+   if ($self->{pattern} eq '=') {
+   $src = $self->{def};
+   } else {
+   $src = $self->{pattern};
+   }
+   return OpenBSD::Search::PkgSpec->new($src)
->add_pkgpath_hint($self->{pkgpath});
 });
 
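Review bot: when `$self->{pattern} eq '='` the code hands `$self->{def}` straight to PkgSpec->new() without checking that def is set, so an `@depend pkgpath:=:` line with an empty third field would build a spec from undef; either validate def where the line is parsed or fail loudly here. Stylistically the five-line if/else collapses to `my $src = $self->{pattern} eq '=' ? $self->{def} : $self->{pattern};`.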
(This takes advantage of the fact that PkgSpec comparisons
have an implicit = if no operator has been mentioned.)

This would result in lines like

@depend archivers/libarchive:=:libarchive-3.6.1p0

meaning "hey I want to depend on the exact version of libarchive
we have".

There are several reasons behind this patch.

- most of the stuff that wants exact version comparison
has to go through hoops to get it.

- register-plist can't flag changes in PKGSPEC as relevant, because...
with exact version comparisons, those change ALL THE TIME.  I would
be able to say "hey, you changed PKGSPEC, you want to bump the
dependent port". Because, in the way we do things, PKGSPEC changes
are almost invariably to restrict/move the dependency along so that
we don't end up with a broken dependency tree (case in point: the
introduction of gimp-3.x which broke all dependency chains for
gimp-2.x)

The only downside I see to this is that this will be the exact
version, including REVISION, whereas a few ports shun the REVISION
part while making the comparison.

Testing this patch on debug packages is trivial:

Index: bsd.port.mk
===
RCS file: /cvs/ports/infrastructure/mk/bsd.port.mk,v
retrieving revision 1.1580
diff -u -p -r1.1580 bsd.port.mk
--- bsd.port.mk 1 Nov 2022 10:55:54 -   1.1580
+++ bsd.port.mk 3 Nov 2022 07:05:12 -
@@ -1203,7 +1203,7 @@ _pkg_cookie${_S} = ${_PACKAGE_COOKIE${_S
 
 .  if ${DEBUG_PACKAGES:M${_S}}
 _DBG_PKG_ARGS${_S} := ${PKG_ARGS${_S}}
-_DBG_PKG_ARGS${_S} += 
-P${FULLPKGPATH${_S}}:${FULLPKGNAME${_S}}:${FULLPKGNAME${_S}}
+_DBG_PKG_ARGS${_S} += -P${FULLPKGPATH${_S}}:=:${FULLPKGNAME${_S}}
 _DBG_PKG_ARGS${_S} += -DCOMMENT="debug info for ${PKGSTEM${_S}}"
 _DBG_PKG_ARGS${_S} += -d"-debug info for ${FULLPKGNAME${_S}}"
 # XXX revisit that fullpkgpath later ?


There is also a slightly more involved patch to extend the
*_DEPENDS = some/path>=2.1  glue so that
*_DEPENDS = some/path=  works

Index: bsd.port.mk
===
RCS file: /cvs/ports/infrastructure/mk/bsd.port.mk,v
retrieving revision 1.1580
diff -u -p -r1.1580 bsd.port.mk
--- bsd.port.mk 1 Nov 2022 10:55:54 -   1.1580
+++ bsd.port.mk 1 Nov 2022 18:20:54 -
@@ -1602,16 +1602,20 @@ ERRORS += "Fatal: old style depends ${_C
 # the C,, part basically does this:
 # if the depends contains only pkgpath>=something
 # then we rebuild it as STEM->=something:pkgpath
+# also, pkgpath=  becomes =:pkgpath
 
 .for _v in BUILD LIB RUN TEST
 ${_v}_DEPENDS := ${${_v}_DEPENDS:C,^([^:]+/[^:<=>]+)([<=>][^:]+)$,STEM-\2:\1,}
+${_v}_DEPENDS := ${${_v}_DEPENDS:C,^([^:]+/[^:=]+)=[^:]*$,=:\1,}
 .endfor
 .for _v in BUILD TEST
 ${_v}_DEPENDS := 
${${_v}_DEPENDS:C,^([^:]+/[^:<=>]+)([<=>][^:]+)(:patch|:configure|:build)$,STEM-\2:\1\3,}
+${_v}_DEPENDS := 
${${_v}_DEPENDS:C,^([^:]+/[^:=]+)=[^:]*)(:patch|:configure|:build)$,=:\1\2,}
 .endfor
 .for _s in ${MULTI_PACKAGES}
 .  for _v in RUN LIB
 ${_v}_DEPENDS${_s} := 
${${_v}_DEPENDS${_s}:C,^([^:]+/[^:<=>]+)([<=>][^:]+)$,STEM-\2:\1,}
+${_v}_DEPENDS${_s} := ${${_v}_DEPENDS${_s}:C,^([^:]+/[^:=]+)=[^:]*$,=:\1,}
 .  endfor
 .endfor
 
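Review bot: the new BUILD/TEST rule `C,^([^:]+/[^:=]+)=[^:]*)(:patch|:configure|:build)$,=:\1\2,` has an unbalanced parenthesis: `=[^:]*)` closes a group that was never opened, so the pattern is invalid and \2 cannot refer to the `(:patch|:configure|:build)` group; compare the plain variant two lines above, which has no stray paren. It should read `C,^([^:]+/[^:=]+)=[^:]*(:patch|:configure|:build)$,=:\1\2,`.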
Obviously, this involves a bit of patience, because the pkg_add
change needs to trickle down to snapshots before the other parts
can go in.

Any objection to moving forward with this?