vlan tagging surgery

2014-04-20 Thread Henning Brauer
M_PREPEND(m, sizeof(evh), M_DONTWAIT); - if (m == NULL) { - ifp->if_oerrors++; - continue; - } - - m_copyback(m, 0, sizeof(evh), &evh, M_NOWAIT); - } /* * Send it, p

stop "advertising" disabling pmtud and window size increasing

2014-04-19 Thread Henning Brauer
asing #net.inet.esp.enable=0 # 0=Disable the ESP IPsec protocol #net.inet.ah.enable=0 # 0=Disable the AH IPsec protocol #net.inet.esp.udpencap=0 # 0=Disable ESP-in-UDP encapsulation -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de,

Re: help needed from someone with an sk(4)

2014-04-19 Thread Henning Brauer
* Christian Weisgerber [2014-04-19 00:30]: > On 2014-04-18, Henning Brauer wrote: > > so, what are we doing with this now? > > I still want to hide in_cksum_phdr() and kill in_cksum_addword() so that > > nobody ever uses that sh*t again. > > yes, sk loses its half-baked

Re: tighten /etc/rc's pf ruleset slightly further

2014-04-18 Thread Henning Brauer
this one is still open as well. oks? * Henning Brauer [2014-01-21 03:24]: > absolutely prevent forwarding carp or NFS/rpc using the shiny new > received-on any. > > can only minimally test that here. need at least one carp and one > diskless test.

Re: help needed from someone with an sk(4)

2014-04-18 Thread Henning Brauer
so, what are we doing with this now? I still want to hide in_cksum_phdr() and kill in_cksum_addword() so that nobody ever uses that sh*t again. yes, sk loses its half-baked cksum offload support with this, as discussed before. as naddy pointed out there are (at least) two private copies of in_cksum_

Re: ffs2 boot

2014-04-17 Thread Henning Brauer
> The fact my router has 8 cores available doesn't really help it very > much. (Maybe BGP converges a little bit faster?) it can help bgpd indeed. > Ditto for my DNS servers, my mail server, my proxy server, etc. depends on the workload. heavy content filtering on mailservers will b

Re: remove pf_check_congestion()

2014-03-07 Thread Henning Brauer
> easier to read imo. exactly. making it static inline would be the max I'd find acceptable - but I'm certain you won't be able to demonstrate any performance benefit (previous profiling is pretty clear on that).

Re: Packet Filter nat-to issue

2014-02-28 Thread Henning Brauer
* Loïc Blot [2014-02-28 11:33]: > Is this normal ? yes.

Re: Routing issues

2014-02-17 Thread Henning Brauer
hat because of adaptive timeouts you can end up > with failing connections without hitting the hard state limit. > I think those connections will not show up in the stats (I could be > wrong). failing connections because of adaptive timeouts? HUH?

Re: Routing issues

2014-02-17 Thread Henning Brauer
te creation time is ok. > The current use of PFRES_MAXSTATES particularly with pfctl's textual > form "state-limit" is definitely a bit confusing. yup. the default of 1 might be a bit small today as well. it's not like a higher one would cost anything these days. 100k?

Re: Routing issues

2014-02-17 Thread Henning Brauer
* Philipp [2014-02-17 13:36]: > On 17.02.2014 13:11 Henning Brauer wrote: > >how do you emit such a message in pcap? as payload with a dummy > >packet header? (N!!) > pf is taking action without telling anyone - and that's not nice. doesn't cha

Re: Routing issues

2014-02-17 Thread Henning Brauer
a message in pcap? as payload with a dummy packet header? (NOOOO!!!!!!)

Re: help needed from someone with an sk(4)

2014-02-05 Thread Henning Brauer
* David Higgs [2014-01-25 18:25]: > On Jan 25, 2014, at 12:48 AM, David Higgs wrote: > > On Fri, Jan 24, 2014 at 4:24 AM, Henning Brauer > wrote: > > * Henning Brauer [2014-01-24 05:50]: > > i need this tested on an sk(4). > I don't have that hardware at

Re: help needed from someone with an sk(4)

2014-01-24 Thread Henning Brauer
* Ted Unangst [2014-01-24 17:48]: > On Fri, Jan 24, 2014 at 16:27, Christian Weisgerber wrote: > > Henning Brauer wrote: > > > >> i need this tested on an sk(4). > >> I don't have that hardware at all. > > [Summary: Henning wants to confine in_cksum_p

Re: help needed from someone with an sk(4)

2014-01-24 Thread Henning Brauer
* Henning Brauer [2014-01-24 05:50]: > i need this tested on an sk(4). > I don't have that hardware at all. this gets rid of a slight little bit more. Index: netinet/in.h === RCS file: /cvs/src/sys/netinet/in.h,v

Re: tcp_respond: let the stack worry about the ksum

2014-01-23 Thread Henning Brauer
, ro, ip_mtudisc ? IP_MTUDISC : 0, (void *)NULL, tp ? tp->t_inpcb : (void *)NULL); }

tcp_respond: let the stack worry about the ksum

2014-01-23 Thread Henning Brauer
th->th_sum = 0; - th->th_sum = in_cksum(m, tlen); ip->ip_len = htons(tlen); ip->ip_ttl = ip_defttl; + ip->ip_tos = 0; ip_output(m, (void *)NULL, ro, ip_mtudisc ? IP_MTUDISC : 0,

pf_send_tcp: ask the stack to do the cksum instead of doing it manually

2014-01-23 Thread Henning Brauer
pf_rule *r, sa_ #endif /* INET */ #ifdef INET6 case AF_INET6: - /* TCP checksum */ - th->th_sum = in6_cksum(m, IPPROTO_TCP, - sizeof(struct ip6_hdr), tlen); - - h6->ip6_vfc |= IPV6_VERSION; - h6->ip6_hlim = IPV6

help needed from someone with an sk(4)

2014-01-23 Thread Henning Brauer
hdr(u_int32_t src, u_int32_t dst, u_int32_t lenproto) +{ + u_int32_t sum; + + sum = lenproto + + (u_int16_t)(src >> 16) + + (u_int16_t)(src /*& 0x*/) + + (u_int16_t)(dst >> 16) + + (u_int16_t)(dst /*& 0xffff*/

_SUM_IN_OK flags

2014-01-23 Thread Henning Brauer
+ } } #ifdef IPSEC

tighten /etc/rc's pf ruleset slightly further

2014-01-20 Thread Henning Brauer
absolutely prevent forwarding carp or NFS/rpc using the shiny new received-on any. can only minimally test that here. need at least one carp and one diskless test. Index: rc === RCS file: /cvs/src/etc/rc,v retrieving revision 1.420

received-on any

2014-01-20 Thread Henning Brauer
n5/pf.conf.520 Jan 2014 04:05:09 - @@ -1,4 +1,4 @@ -.\"$OpenBSD: pf.conf.5,v 1.532 2013/12/21 20:57:01 camield Exp $ +.\" $OpenBSD: pf.conf.5,v 1.534 2014/01/20 02:59:55 henning Exp $ .\" .\" Copyright (c) 2002, Daniel Hartmeier .\" Copyright (c) 2003 - 2013 He

Re: rc default PF ruleset too restrictive for DHCPv6

2014-01-19 Thread Henning Brauer
* Kenneth Westerback [2014-01-19 09:56]: > *But what is the practical problem being addressed? Is dhcp not functional > with the existing default **ruleset?* it's not correct and we rely on dhclient falling back to a new discovery eventually.

Re: report icmp error drops because of rate limiting

2014-01-19 Thread Henning Brauer
because old message was icmp\n"); > + p(icps_toofreq, > + "\t%llu error%s not generated because of rate limitation\n"); > + > for (first = 1, i = 0; i < ICMP_MAXTYPE + 1; i++) > if (icmpstat.icps_outhist[i] != 0) { > if (

Re: security(8) check maildir as well as mailbox permissions

2013-12-19 Thread Henning Brauer
;s the logic, here? > THEREFORE software in base can deliver to maildir in /var/mail THEREFORE software in base can also deliver mail to /omgohmymail/pr0n/$uid - does that mean we check it in security? The question is rather whether Maildirs in /var/mail are a common enough setup to warrant a ch

Re: pf.os: add additional fingerprints

2013-12-03 Thread Henning Brauer
ints then is the way to go. Please somebody pick that up.

Re: Kill IF_LEN() and IF_IS_EMPTY()

2013-11-26 Thread Henning Brauer
i think we need to figure out better > api before randomly changing stuff... agreed. the whole IF_ vs IFQ_ mess needs reevaluation.

msgbuf_write audit

2013-11-20 Thread Henning Brauer
so, msgbuf_write can now (again) return EAGAIN. some daemons have been fixed/adopted, some not. I did a full audit of the tree for all msgbuf_write users EAGAIN handling - this is the result. Index: usr.sbin/dvmrpd/control.c === RCS f

icmp cksums

2013-11-20 Thread Henning Brauer
make the icmp stack use the fake offload engine. prevents double cksumming in some cases and happens to fix a bug in an obscure, constructed case. Index: ip_icmp.c === RCS file: /cvs/src/sys/netinet/ip_icmp.c,v retrieving revision 1.1

Re: IPv6 routing header type 0

2013-11-15 Thread Henning Brauer
s on", then there > is > no argument for resisting code for the "pf is disabled" case... heh :)

Re: IPv6 routing header type 0

2013-11-14 Thread Henning Brauer
you run any routers with pf disabled? If so, please identify one, > for a demonstration. yes, I do. utterly pointless, since a) no v6 there at all and b) several pf pairs behind it and nothing else - as in, everything else is behind those pf boxes.

Re: IPv6 routing header type 0

2013-11-14 Thread Henning Brauer
at otoh. i'm still pretty damn sure you were Cc'd; won't dig for old mail just to prove it; don't see the point, doesn't change anything now anyway. > The non-pf RH0 filtering case is worthwhile. and here we disagree.

Re: IPv6 routing header type 0

2013-11-14 Thread Henning Brauer
y incomplete or expensive. the approach "stack protects the local machine (in this case: don't obey RH0), pf handles forwarded packets" matches what we do generally.

Re: IPv6 routing header type 0

2013-11-14 Thread Henning Brauer
't process RH0 itself, and otherwise leave it to pf. aka the status quo.

Re: unlimited HFSC v3: more readable, less hacks

2013-10-21 Thread Henning Brauer
r. besides, newqueue isn't a 100% replacement yet. last not least RED (or sth similar) is missing.

cksum pseudo-header wankery

2013-10-18 Thread Henning Brauer
so stop that pseudo-header wankery. v6 doesn't have it at all. instead of incrementally pre-computing a tiny part of the proto cksum, just do it in in_proto_cksum_out when needed. makes everything else in the stack super easy: need cksum? set flag, done. stack and pf cases tested with all 3 offloa

Re: defer routing table updates on link state changes

2013-09-13 Thread Henning Brauer
* Reyk Floeter [2013-09-13 10:20]: > please read the history: if_index _was_ created for SNMP. I'm not at all certain you got the history right there...

Re: Iso image integrity verification

2013-09-13 Thread Henning Brauer
case, CD images). buy the CD set. it's more than good enough for the PCI DSS theatre (been there).

Re: defer routing table updates on link state changes

2013-09-12 Thread Henning Brauer
;s snmp itself. using the OS-private ifindex and making assumptions about it is the root problem. but since that's in the standards, there are only 2 possible solutions I see: -keep trying to please snmp in the way we assign ifindex -let snmpd (or sth else) make up ifindices just for that purpos

Re: osfp pfctl and states

2013-09-11 Thread Henning Brauer
least hurts performance), so it has to be truly worth it. I don't see that in this case.

Re: osfp pfctl and states

2013-09-06 Thread Henning Brauer
hould look into. no, creatorID is for pfsync setups to know which node created the state.

Re: in_var.h incudes in6_var.h

2013-09-05 Thread Henning Brauer
ike to split that up. > > > > Is this a good idea? comments/ok? > > I like the idea but we should be careful about ports assuming that > in_var.h includes in6_var.h even if there's no RFC requirement. indeed, that needs to be checked. otherwise ok.

Re: remove obsolete nd6 ioctls

2013-08-15 Thread Henning Brauer
> ok? > if ports are fine with it, i'm fine as well (: what Sir Mike said.

Re: set ifp->if_baudrate with IF_Gbps() / IF_Mbps()

2012-11-29 Thread Henning Brauer
d bandwidths. the altq side isn't easily fixable, pfctl does relative -> absolute conversions, the kernel has no idea what used to be a relative spec.

Re: VPN traffic leaks in IPv6/IPv4 dual-stack networks/hosts

2012-11-23 Thread Henning Brauer
ork. I recommend "ifconfig $foo -inet6" in any case :)

Re: proto cksum madness

2012-09-20 Thread Henning Brauer
ll or none per given output path. Just run it. You'll notice when your network connections fail. The more obscure your setup, the better, basically. bridge, tunnels, you name it. if you spot breakage, drop me a mail. if you don't, do so as well please. * Henning Brauer [2012-07-13 13:23

Re: PF: match ... tag ; pass tagged { , } keep state

2012-09-17 Thread Henning Brauer
* Stuart Henderson [2012-09-17 17:23]: > On 2012/09/17 17:14, Mike Belopuhov wrote: > > On Mon, Sep 17, 2012 at 5:03 PM, Henning Brauer wrote: > > > * mxb [2012-09-10 17:51]: > > >> is there any plans to expand 'tagged' keyword in PF into list?

Re: PF: match ... tag ; pass tagged { , } keep state

2012-09-17 Thread Henning Brauer
* mxb [2012-09-10 17:51]: > is there any plans to expand 'tagged' keyword in PF into list? not that I am aware of, but it would make sense to have list expansion there as well.

PF_PRIO_NOTSET

2012-09-17 Thread Henning Brauer
so PF_PRIO_NOTSET doesn't turn out to have been such a good idea. Reasoning: prio 0 is valid. So to indicate we don't wanna touch the prio I used said define. Which in turn means that each and every place that makes new struct pf_rules has to initialize those fields. So instead let's use a flag indi

Re: ntpd(8) option to provide time even when not being synced

2012-09-17 Thread Henning Brauer
I think the way to go for this is: -fake a sensor inside ntpd -that sensor must be specifically asked for, say, with "sensor local-clock" or the like -make sure ntpd only ever uses that in absence of anything else

Re: CoDel

2012-08-15 Thread Henning Brauer
noticed, no? altq being slow has and is being noticed.

Re: PF_PRIO_NOTSET wasn't such a smart attempt

2012-07-16 Thread Henning Brauer
err, nobody? * Henning Brauer [2012-07-11 13:14]: > ..because now you had to initialize both set_prio in pf_rule to it > everywhere. we did that, at least in some parts of our tree... > problem being of course that 0 is a valid value there and can't easily > be used as "don

proto cksum madness

2012-07-13 Thread Henning Brauer
NET6 Index: net/pf.c === RCS file: /cvs/src/sys/net/pf.c,v retrieving revision 1.808 diff -u -p -r1.808 pf.c --- net/pf.c10 Jul 2012 17:33:48 - 1.808 +++ net/pf.c 13 Jul 2012 10:52:40 - @@ -2,7 +2,7 @@ /* * Copyright (c

Re: mask support for ethernet bridge filtering

2012-07-13 Thread Henning Brauer
int i; > + struct ether_addr ea_cmp; > + for (i = 0; i < ETHER_ADDR_LEN; ++i) { > + ea_cmp.ether_addr_octet[i] = ea_mask->ether_addr_octet[i] > + & ea_packet->ether_addr_octet[i]; > + } > + return (bcmp(&ea_cmp, ea_rules, ETHER_ADDR_LEN)); > +} > + that is

PF_PRIO_NOTSET wasn't such a smart attempt

2012-07-11 Thread Henning Brauer
..because now you had to initialize both set_prio in pf_rule to it everywhere. we did that, at least in some parts of our tree... problem being of course that 0 is a valid value there and can't easily be used as "don't touch" indicator. so use a flag and only ever look at the set_prio fields if the

Re: set { tos ..., prio ... }

2012-07-09 Thread Henning Brauer
"set prio" ( number | "(" number [ [ "," ] number ] ")" ) | "queue" ( string | "(" string [ [ "," ] string ] ")" ) | "rtable" number | "probability" number

set { tos ..., prio ... }

2012-07-07 Thread Henning Brauer
so, we have some utter confusion in pf about filter criteria versus packet modifying options. I propose we move the ones that "write" into a set block, while the filter criteria remain as they are. for the moment this diff handles tos (I always disliked set-tos...) and prio. rdomain/rtable stuff sh

kill incorrect check in pfctl

2012-07-07 Thread Henning Brauer
kernel side actually handles set-tos for IPvShit - see pf_scrub() in pf_norm.c ok? Index: sbin/pfctl/parse.y === RCS file: /cvs/src/sbin/pfctl/parse.y,v retrieving revision 1.614 diff -u -p -r1.614 parse.y --- sbin/pfctl/parse.y 7

Re: spring clearance: pflog

2012-07-07 Thread Henning Brauer
* Henning Brauer [2012-07-07 12:21]: > old M from my tree, now with 50% discount! > > kill the arbitrary limit on the # of pflog interfaces and make it all > dynamic. ok? now even with free memory saver (allocated a little much for **pflogifs) Index

spring clearance: pflog

2012-07-07 Thread Henning Brauer
*from, str #if NPFLOG > 0 if (!to->log) to->logif = 0; - if (to->logif >= PFLOGIFS_MAX) - return (EINVAL); #endif to->quick = from->quick; to->ifnot = from->ifnot; - End forwarded message -

Re: Bridge rules

2012-06-30 Thread Henning Brauer
are it is.

Re: Bridge rules

2012-06-30 Thread Henning Brauer
*m_b = n; > + } > + rule.ifbr_flags |= m_flag; > + ea = ether_aton(mac); > + free(mac); > + } else { > + ea = ether_aton(argv

Re: Bridge rules

2012-06-29 Thread Henning Brauer
* Mike Belopuhov [2012-06-29 13:46]: > On Fri, Jun 29, 2012 at 1:36 PM, Henning Brauer > wrote: > > now it's very unclear what your actual problem is - the struct is > > called ifbreq and used in a number of places, most notably of course > > the ioctls. > he

Re: Bridge rules

2012-06-29 Thread Henning Brauer
struct ifbreq *ifbr = (struct ifbreq *)data; sys/net/if_bridge.c:291:struct ifbreq *req = (struct ifbreq *)data; sys/net/if_bridge.c:789:struct ifbreq *breq = NULL; sys/net/if_bridge.c:802: if ((breq = (struct ifbreq *) the actual filtering is in sys/net/if_bridge.c, bridge_filterrule().

Re: tmux and login shells

2012-06-21 Thread Henning Brauer
* Nicholas Marriott [2012-06-21 09:19]: > I think it is correct and better to spawn login shells by default, these > are not child shells of some shell process, they are entirely new > shells. indeed. and changing that would get you into trouble with the rest of us ;)

Re: pf logs: def/(short) pass in , but should say block

2012-05-10 Thread Henning Brauer
I'm looking for oks on this diff to commit it. * Leonardo Guardati [2012-05-10 21:29]: > Hi, > here is a solution to the problem I posted on bugs@ about pf logging > incoming UDP packets to port 0 as pass while being blocked instead. > > action is added to pflog_packet() arguments. > > I trie

Re: How to have more than 15 pflog interfaces?

2012-05-04 Thread Henning Brauer
* Siju George [2012-05-04 08:44]: > On Thu, Apr 12, 2012 at 3:44 AM, Henning Brauer > wrote: > > diffs are for current of course but should work for 5.1 as well - > > dunno what you are trying. > I have upgraded my firewall to 5.1 > could you please give me a unified dif

Re: "Do you want to do any manual network configuration?"

2012-04-19 Thread Henning Brauer
ually and > > restart it, but I don't really see a benefit in removing that > > question. > ^Z or ! works anywhere. exactly. and the installer points out the ! way right at the beginning. I intend to commit this with the 3 oks I got, if people strongly disagree speak up quic

Re: "Do you want to do any manual network configuration?"

2012-04-19 Thread Henning Brauer
me_ money tho :))

"Do you want to do any manual network configuration?"

2012-04-19 Thread Henning Brauer
de.sh 19 Apr 2012 13:20:11 - @@ -71,7 +71,6 @@ THESETS="$THESETS site$VERSION-$(hostnam # Configure the network. enable_network -manual_net_cfg startftplist

Re: How to have more than 15 pflog interfaces?

2012-04-13 Thread Henning Brauer
* Sebastian Benoit [2012-04-13 17:00]: > Henning Brauer(henn...@openbsd.org) on 2012.04.13 10:10:41 +0200: > > if nobody tests this beyond my extremely light tests (try actually > > USING the pflog interfaces to log to, I didn't), I can't get this in :) > works somewh

Re: How to have more than 15 pflog interfaces?

2012-04-13 Thread Henning Brauer
if nobody tests this beyond my extremely light tests (try actually USING the pflog interfaces to log to, I didn't), I can't get this in :) * Henning Brauer [2012-04-11 12:21]: > * Henning Brauer [2012-04-11 11:26]: > > * Siju George [2012-04-10 08:16]: > > > On T

Re: How to have more than 15 pflog interfaces?

2012-04-12 Thread Henning Brauer
* Henning Brauer [2012-04-12 10:11]: > take out? a slot can be nulled. the index is the interface index, so > if just pflog25 exists that array has 26 entries. s/interface index/unit number/

Re: How to have more than 15 pflog interfaces?

2012-04-12 Thread Henning Brauer
* patrick keshishian [2012-04-12 00:52]: > On Wed, Apr 11, 2012 at 3:14 PM, Henning Brauer > wrote: > > * patrick keshishian [2012-04-11 14:55]: > >> On Wed, Apr 11, 2012 at 12:20:30PM +0200, Henning Brauer wrote: > >> don't you need two different index vars

Re: How to have more than 15 pflog interfaces?

2012-04-11 Thread Henning Brauer
* patrick keshishian [2012-04-11 14:55]: > On Wed, Apr 11, 2012 at 12:20:30PM +0200, Henning Brauer wrote: > don't you need two different index vars for this next > section? no, why? > > + for (i = 0; i < n; i++) > > + if (i < npflogifs) > >

Re: How to have more than 15 pflog interfaces?

2012-04-11 Thread Henning Brauer
* Siju George [2012-04-11 14:25]: > On Wed, Apr 11, 2012 at 3:50 PM, Henning Brauer wrote: > > > > please try this & report back > > > > Thanks Henning but I need some help :-( > > I got the following errors and I have attached the .rej files diffs are

Re: How to have more than 15 pflog interfaces?

2012-04-11 Thread Henning Brauer
* Henning Brauer [2012-04-11 11:26]: > * Siju George [2012-04-10 08:16]: > > On Tue, Apr 10, 2012 at 11:40 AM, Andres Perera wrote: > > > altering the max might have consequences i don't know about: > > I will stick with 15 :-) > > actually, bumping it sho

Re: relayd and rdomain/prio defaults

2012-03-06 Thread Henning Brauer
ain = -1; > +rio.rule.prio[0] = rio.rule.prio[1] = PF_PRIO_NOTSET; > > if (rio.rule.proto == IPPROTO_TCP) > rio.rule.timeout[PFTM_TCP_ESTABLISHED] = >

Re: Unbound in base

2012-02-17 Thread Henning Brauer
ne transfers. I see no reason to support or even remotely take such a stupid setup into consideration.

Re: Unbound in base

2012-02-14 Thread Henning Brauer
nd anyway - i have never seen such a dramatic design fuckup as the bind10 design docs, and anything depending on PYTHON (gimme a break) will never make it into base anyway.

Re: little-but-scary ahc(4) diff, testers wanted

2012-02-11 Thread Henning Brauer
disabling port 2 vscsi0 at root scsibus2 at vscsi0: 256 targets softraid0 at root scsibus3 at softraid0: 256 targets sd5 at scsibus3 targ 1 lun 0: SCSI2 0/direct fixed sd5: 953866MB, 512 bytes/sector, 1953519473 sectors softraid0: resuming rebuild on sd5 at 83% sd6 at scsibus3 targ 2 lun 0: SCSI2 0/direct fixed sd6: 953866MB, 512 bytes/sector, 1953519473 sectors root on sd0a (50a385fb5e19501a.a) swap on sd0b dump on sd0b

Re: tcpbench: setpgid

2012-01-31 Thread Henning Brauer
pbench since my parent process uses > setsid(). you're right. good catch!

Re: divert(4) manpage: add EXAMPLE section

2012-01-26 Thread Henning Brauer
le and a simple > program that uses the divert port. It is designed to be simple enough > that someone can try this on their desktop. > > Comments? I like.

Re: tcpbench: add timer command-line option

2012-01-26 Thread Henning Brauer
edback would be appreciated. idea is sound, code is sane - who wants to give the second ok?

Re: [BUG] pfctl(8) silently accept directories as config files

2012-01-02 Thread Henning Brauer
; - } else if (secret && > - check_file_secrecy(fileno(nfile->stream), nfile->name)) { > - fclose(nfile->stream); > - free(nfile->name); > - free(nfile); > - return (NULL); > } > + > nfile->lineno = 1; > TAILQ_INSERT_TAIL(&files, nfile, entry); > return (nfile); > + > +file_err: > + fclose(nfile->stream); > +err: > + free(nfile->name); > + free(nfile); > + return (NULL); > } > > int >

Re: raise max value for tcp autosizing buffer [WAS: misc@ network tuning for high bandwidth and high latency]

2011-12-05 Thread Henning Brauer
bmax perhaps? Such a hierarchy could be populated > with all the parameters it's, umm, unwise to tweak without a lot of > knowledge. A 90% frivolous suggestion. and now that everybody had his/her fun back to serious pls.

Re: raise max value for tcp autosizing buffer [WAS: misc@ network tuning for high bandwidth and high latency]

2011-12-05 Thread Henning Brauer
* Mark Kettenis [2011-12-04 21:02]: > But 256k simply isn't enough for some use cases. Turning this into a > sysctl tunable like FreeBSD and NetBSD would be a good idea if you ask > me. Yes, people will use it to shoot themselves in the foot. I don't > care. I agree.

Re: raise max value for tcp autosizing buffer [WAS: misc@ network tuning for high bandwidth and high latency]

2011-12-04 Thread Henning Brauer
* Geoff Steckel [2011-12-04 16:17]: > To generalize this problem: kernel memory is limited. It is > autosized at boot time. that might have been true a decade ago, but not today.

Re: relayd should verify config before (re)loading

2011-12-01 Thread Henning Brauer
ies does the job just fine for logging to the console, too.

the ipsec mess and ipsecctl

2011-11-07 Thread Henning Brauer
hey, news: ipsec is one giant mess. unless someone has ze magic recipe for those two connections being able to live in one ipsec.conf that i might have missed (despite help), i declare it impossible to have both in one due to the default peer conflict - both connections have an (implicit or not) "

Re: PPPoEoA DSL bandwidth shaping

2011-10-31 Thread Henning Brauer
en, i don't have much to do with these encapsulating things like atm and ppp and the like, everything is ethernet in one form and another and an occasional STM link. and I don't shape for these links anyway, they're more than fat enough.

Re: enable aucat by default

2011-10-07 Thread Henning Brauer
makes sense to me. if you want it for console-only use you can still enable/start it manually.

DIOCCHANGERULE

2011-10-07 Thread Henning Brauer
oc_natlook) #define DIOCSETDEBUG _IOWR('D', 24, u_int32_t) #define DIOCGETSTATES _IOWR('D', 25, struct pfioc_states) -#define DIOCCHANGERULE _IOWR('D', 26, struct pfioc_rule) /* XXX cut 26 - 28 */ #define DIOCSETTIMEOUT _IOWR('D', 29, struct pf

Re: enable aucat by default

2011-10-07 Thread Henning Brauer
Do you want to start zless by default? [Y/n] Do you want to start zmore by default? [Y/n] Do you want to start znew by default? [Y/n]

Re: enable aucat by default

2011-10-06 Thread Henning Brauer
n the same boat as syslogd. i dunno about aucat. on laptops/workstations i'd want it by default, on the servers i'd hate it.

Re: pflog shows 0.0.0.0.0 > 0.0.0.0.0

2011-09-17 Thread Henning Brauer
proto) { case PF_VPROTO_FRAGMENT: /* @@ -5838,6 +5827,12 @@ pf_setup_pdesc(sa_family_t af, int dir, } #endif /* INET6 */ } + + if (pd->sport) + pd->nsport = *pd->sport; + if (pd->dport) + pd->ndport = *

Re: remove PROMISC flag if carp device is destroyed

2011-09-06 Thread Henning Brauer
UFS); > if ((error = ifpromisc(ifp, 1))) { >

Re: pflog shows 0.0.0.0.0 > 0.0.0.0.0

2011-08-31 Thread Henning Brauer
* Alexander Bluhm [2011-08-30 20:59]: > When pf_test_rule() is called for fragments that have not been > reassembled, the address copy is not done anymore. good catch, new diff below. > I think pf_setup_pdesc() should not call pf_test_rule() at all and > just fill the pd struct. indeed, the tes

Re: pflog shows 0.0.0.0.0 > 0.0.0.0.0

2011-08-30 Thread Henning Brauer
PF_ACPY(&pd->ndaddr, pd->dst, pd->af); + if (pd->sport) + pd->nsport = *pd->sport; + if (pd->dport) + pd->ndport = *pd->dport; + return (0); }

Re: "flush global" in pf.conf BNF

2011-08-18 Thread Henning Brauer
* william dunand [2011-08-18 09:34]: > I think the "global" option (after "overload flush") has been > omitted in the BNF grammar part of pf.conf(5) indeed, fixed, 10x
