M_PREPEND(m, sizeof(evh), M_DONTWAIT);
- if (m == NULL) {
- ifp->if_oerrors++;
- continue;
- }
-
- m_copyback(m, 0, sizeof(evh), &evh, M_NOWAIT);
- }
/*
* Send it, p
asing
#net.inet.esp.enable=0 # 0=Disable the ESP IPsec protocol
#net.inet.ah.enable=0 # 0=Disable the AH IPsec protocol
#net.inet.esp.udpencap=0 # 0=Disable ESP-in-UDP encapsulation
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de,
* Christian Weisgerber [2014-04-19 00:30]:
> On 2014-04-18, Henning Brauer wrote:
> > so, what are we doing with this now?
> > I still want to hide in_cksum_phdr() and kill in_cksum_addword() so that
> > nobody ever uses that sh*t again.
> > yes, sk loses its half-baked
this one is still open as well. oks?
* Henning Brauer [2014-01-21 03:24]:
> absolutely prevent forwarding carp or NFS/rpc using the shiny new
> received-on any.
>
> can only minimally test that here. need at least one carp and one
> diskless test.
so, what are we doing with this now?
I still want to hide in_cksum_phdr() and kill in_cksum_addword() so that
nobody ever uses that sh*t again.
yes, sk loses its half-baked cksum offload support with this, as
discussed before.
as naddy pointed out there are (at least) two private copies of
in_cksum_
> The fact my router has 8 cores available doesn't really help it very
> much. (Maybe BGP converges a little bit faster?)
it can help bgpd indeed.
> Ditto for my DNS servers, my mail server, my proxy server, etc.
depends on the workload. heavy content filtering on mailservers will
b
> easier to read imo.
exactly.
making it static inline would be the max I'd find acceptable - but I'm
certain you won't be able to demonstrate any performance benefit
(previous profiling is pretty clear on that).
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web S
* Loïc Blot [2014-02-28 11:33]:
> Is this normal ?
yes.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, h
hat because of adaptive timeouts you can end up
> with failing connections without hitting the hard state limit.
> I think those connections will not show up in the stats (I could be
> wrong).
failing connections because of adaptive timeouts? HUH?
--
Henning Brauer, h...@bsws.de, henn...@open
te creation time is ok.
> The current use of PFRES_MAXSTATES particularly with pfctl's textual
> form "state-limit" is definitely a bit confusing.
yup.
the default of 1 might be a bit small today as well. it's not like
a higher one would cost anything these days. 100k?
* Philipp [2014-02-17 13:36]:
> Am 17.02.2014 13:11 schrieb Henning Brauer:
> >how do you emit such a message in pcap? as payload with a dummy
> >packet header? (N!!)
> pf is taking action without telling anyone - and that's not nice.
doesn't cha
a message in pcap? as payload with a dummy
packet header? (NOOOO!!!!!!)
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Braue
* David Higgs [2014-01-25 18:25]:
> On Jan 25, 2014, at 12:48 AM, David Higgs wrote:
>
> On Fri, Jan 24, 2014 at 4:24 AM, Henning Brauer
> wrote:
>
> * Henning Brauer [2014-01-24 05:50]:
>
> i need this tested on an sk(4).
> I don't have that hardware at
* Ted Unangst [2014-01-24 17:48]:
> On Fri, Jan 24, 2014 at 16:27, Christian Weisgerber wrote:
> > Henning Brauer wrote:
> >
> >> i need this tested on an sk(4).
> >> I don't have that hardware at all.
> > [Summary: Henning wants to confine in_cksum_p
* Henning Brauer [2014-01-24 05:50]:
> i need this tested on an sk(4).
> I don't have that hardware at all.
this gets rid of a slight little bit more.
Index: netinet/in.h
===
RCS file: /cvs/src/sys/netinet/in.h,v
, ro, ip_mtudisc ? IP_MTUDISC : 0,
(void *)NULL, tp ? tp->t_inpcb : (void *)NULL);
}
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
th->th_sum = 0;
- th->th_sum = in_cksum(m, tlen);
ip->ip_len = htons(tlen);
ip->ip_ttl = ip_defttl;
+ ip->ip_tos = 0;
ip_output(m, (void *)NULL, ro, ip_mtudisc ? IP_MTUDISC : 0,
pf_rule *r, sa_
#endif /* INET */
#ifdef INET6
case AF_INET6:
- /* TCP checksum */
- th->th_sum = in6_cksum(m, IPPROTO_TCP,
- sizeof(struct ip6_hdr), tlen);
-
- h6->ip6_vfc |= IPV6_VERSION;
- h6->ip6_hlim = IPV6
hdr(u_int32_t src, u_int32_t dst, u_int32_t lenproto)
+{
+ u_int32_t sum;
+
+ sum = lenproto +
+ (u_int16_t)(src >> 16) +
+ (u_int16_t)(src /*& 0x*/) +
+ (u_int16_t)(dst >> 16) +
+ (u_int16_t)(dst /*& 0xffff*/
+ }
}
#ifdef IPSEC
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
absolutely prevent forwarding carp or NFS/rpc using the shiny new
received-on any.
can only minimally test that here. need at least one carp and one
diskless test.
Index: rc
===
RCS file: /cvs/src/etc/rc,v
retrieving revision 1.420
n5/pf.conf.520 Jan 2014 04:05:09 -
@@ -1,4 +1,4 @@
-.\"$OpenBSD: pf.conf.5,v 1.532 2013/12/21 20:57:01 camield Exp $
+.\" $OpenBSD: pf.conf.5,v 1.534 2014/01/20 02:59:55 henning Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" Copyright (c) 2003 - 2013 He
* Kenneth Westerback [2014-01-19 09:56]:
> But what is the practical problem being addressed? Is dhcp not functional
> with the existing default ruleset?
it's not correct and we rely on dhclient falling back to a new
discovery eventually.
--
Henning Brauer, h...@bs
because old message was icmp\n");
> + p(icps_toofreq,
> + "\t%llu error%s not generated because of rate limitation\n");
> +
> for (first = 1, i = 0; i < ICMP_MAXTYPE + 1; i++)
> if (icmpstat.icps_outhist[i] != 0) {
> if (
's the logic, here?
> THEREFORE software in base can deliver to maildir in /var/mail
THEREFORE software in base can also deliver mail to
/omgohmymail/pr0n/$uid - does that mean we check it in security?
The question is rather whether Maildirs in /var/mail are a common
enough setup to warrant a ch
ints then is the way to go. Please somebody pick that up.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
i think we need to figure out better
> api before randomly changing stuff...
agreed.
the whole IF_ vs IFQ_ mess needs reevaluation.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Server
so, msgbuf_write can now (again) return EAGAIN. some daemons have been
fixed/adopted, some not. I did a full audit of the tree for all
msgbuf_write users EAGAIN handling - this is the result.
Index: usr.sbin/dvmrpd/control.c
===
RCS f
make the icmp stack use the fake offload engine.
prevents double cksumming in some cases and happens to fix a bug in an
obscure, constructed case.
Index: ip_icmp.c
===
RCS file: /cvs/src/sys/netinet/ip_icmp.c,v
retrieving revision 1.1
s on", then there
> is
> no argument for resisting code for the "pf is disabled" case...
heh :)
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
you run any routers with pf disabled? If so, please identify one,
> for a demonstration.
yes, I do.
utterly pointless, since a) no v6 there at all and b) several pf pairs
behind it and nothing else - as in, everything else is behind those pf
boxes.
--
Henning Brauer, h...@bsws.de, henn...@o
at otoh.
i'm still pretty damn sure you were Cc'd; won't dig for old mail just
to prove it; don't see the point, doesn't change anything now anyway.
> The non-pf RH0 filtering case is worthwhile.
and here we disagree.
--
Henning Brauer, h...@bsws.de, henn...@openbs
y incomplete or expensive. the approach "stack protects the
local machine (in this case: don't obey RH0), pf handles forwarded
packets" matches what we do generally.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
't process RH0 itself, and otherwise leave it to pf.
aka the status quo.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
r.
besides, newqueue isn't a 100% replacement yet. last not least RED (or
sth similar) is missing.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning B
so stop that pseudo-header wankery. v6 doesn't have it at all. instead
of incrementally pre-computing a tiny part of the proto cksum, just do
it in in_proto_cksum_out when needed.
makes everything else in the stack super easy: need cksum? set flag,
done.
stack and pf cases tested with all 3 offloa
* Reyk Floeter [2013-09-13 10:20]:
> please read the history: if_index _was_ created for SNMP.
I'm not at all certain you got the history right there...
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail
case, CD images).
buy the CD set. it's more than good enough for the PCI DSS theatre
(been there).
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully
's snmp itself. using
the OS-private ifindex and making assumptions about it is the root
problem. but since that's in the standards, there are only 2 possible
solutions I see:
-keep trying to please snmp in the way we assign ifindex
-let snmpd (or sth else) make up ifindices just for that purpos
least hurts
performance), so it has to be truly worth it.
I don't see that in this case.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
hould look into.
no, creatorID is for pfsync setups to know which node created the
state.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer C
ike to split that up.
> >
> > Is this a good idea? comments/ok?
>
> I like the idea but we should be careful about ports assuming that
> in_var.h includes in6_var.h even if there's no RFC requirement.
indeed, that needs to be checked. otherwise ok.
--
Henning Brauer, h
> ok?
> if ports are fine with it, i'm fine as well (:
what Sir Mike said.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
d bandwidths.
the altq side isn't easily fixable, pfctl does relative -> absolute
conversions, the kernel has no idea what used to be a relative spec.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail
ork.
I recommend "ifconfig $foo -inet6" in any case :)
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
ll or none per given
output path.
Just run it. You'll notice when your network connections fail. The
more obscure your setup, the better, basically. bridge, tunnels, you
name it.
if you spot breakage, drop me a mail. if you don't, do so as well
please.
* Henning Brauer [2012-07-13 13:23
* Stuart Henderson [2012-09-17 17:23]:
> On 2012/09/17 17:14, Mike Belopuhov wrote:
> > On Mon, Sep 17, 2012 at 5:03 PM, Henning Brauer wrote:
> > > * mxb [2012-09-10 17:51]:
> > >> is there any plans to expand 'tagged' keyword in PF into list?
> >
* mxb [2012-09-10 17:51]:
> is there any plans to expand 'tagged' keyword in PF into list?
not that I am aware of, but it would make sense to have list expansion
there as well.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
S
so PF_PRIO_NOTSET doesn't turn out to have been such a good idea.
Reasoning: prio 0 is valid. So to indicate we don't wanna touch the
prio I used said define. Which in turn means that each and every place
that makes new struct pf_rules has to initialize those fields.
So instead let's use a flag indi
I think the way to go for this is:
-fake a sensor inside ntpd
-that sensor must be specifically asked for, say, with "sensor
local-clock" or the like
-make sure ntpd only ever uses that in absence of anything else
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Serv
noticed, no?
altq being slow has and is being noticed.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
err, nobody?
* Henning Brauer [2012-07-11 13:14]:
> ..because now you had to initialize both set_prio in pf_rule to it
> everywhere. we did that, at least in some parts of our tree...
> problem being of course that 0 is a valid value there and can't easily
> be used as "don
NET6
Index: net/pf.c
===
RCS file: /cvs/src/sys/net/pf.c,v
retrieving revision 1.808
diff -u -p -r1.808 pf.c
--- net/pf.c10 Jul 2012 17:33:48 - 1.808
+++ net/pf.c 13 Jul 2012 10:52:40 -
@@ -2,7 +2,7 @@
/*
* Copyright (c
int i;
> + struct ether_addr ea_cmp;
> + for (i = 0; i < ETHER_ADDR_LEN; ++i) {
> + ea_cmp.ether_addr_octet[i] = ea_mask->ether_addr_octet[i]
> + & ea_packet->ether_addr_octet[i];
> + }
> + return (bcmp(&ea_cmp, ea_rules, ETHER_ADDR_LEN));
> +}
> +
that is
..because now you had to initialize both set_prio in pf_rule to it
everywhere. we did that, at least in some parts of our tree...
problem being of course that 0 is a valid value there and can't easily
be used as "don't touch" indicator.
so use a flag and only ever look at the set_prio fields if the
"set prio" ( number | "(" number [ [ "," ] number ] ")" ) |
"queue" ( string | "(" string [ [ "," ] string ] ")" ) |
"rtable" number | "probability" number&
so, we have some utter confusion in pf about filter criteria versus
packet modifying options. I propose we move the ones that "write" into
a set block, while the filter criteria remain as they are. for the
moment this diff handles tos (I always disliked set-tos...) and prio.
rdomain/rtable stuff sh
kernel side actually handles set-tos for IPvShit - see pf_scrub() in
pf_norm.c
ok?
Index: sbin/pfctl/parse.y
===
RCS file: /cvs/src/sbin/pfctl/parse.y,v
retrieving revision 1.614
diff -u -p -r1.614 parse.y
--- sbin/pfctl/parse.y 7
* Henning Brauer [2012-07-07 12:21]:
> old M from my tree, now with 50% discount!
>
> kill the arbitrary limit on the # of pflog interfaces and make it all
> dynamic. ok?
now even with free memory saver (allocated a little much for
**pflogifs)
Index
*from, str
#if NPFLOG > 0
if (!to->log)
to->logif = 0;
- if (to->logif >= PFLOGIFS_MAX)
- return (EINVAL);
#endif
to->quick = from->quick;
to->ifnot = from->ifnot;
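Review bot: the removed `if (to->logif >= PFLOGIFS_MAX) return (EINVAL);` was the only upper bound on `to->logif` visible in this rule-copy path, and nothing in the hunk replaces it. Because the value arrives with the rule being loaded, whatever resolves `logif` to a pflog interface has to compare it against the current size of the dynamic array and treat an out-of-range or empty slot as "no interface" instead of indexing blindly. A short comment here naming where that check now lives would make the removal reviewable on its own.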
- End forwarded message -
--
Henning Brauer, h..
are it is.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
*m_b = n;
> + }
> + rule.ifbr_flags |= m_flag;
> + ea = ether_aton(mac);
> + free(mac);
> + } else {
> + ea = ether_aton(argv
* Mike Belopuhov [2012-06-29 13:46]:
> On Fri, Jun 29, 2012 at 1:36 PM, Henning Brauer
> wrote:
> > now it's very unclear what your actual problem is - the struct is
> > called ifbreq and used in a number of places, most notably of course
> > the ioctls.
> he
struct ifbreq *ifbr = (struct ifbreq *)data;
sys/net/if_bridge.c:291:struct ifbreq *req = (struct ifbreq *)data;
sys/net/if_bridge.c:789:struct ifbreq *breq = NULL;
sys/net/if_bridge.c:802: if ((breq = (struct ifbreq *)
the actual filtering is in sys/net/if_bridge.c, bridge_filterrule().
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
* Nicholas Marriott [2012-06-21 09:19]:
> I think it is correct and better to spawn login shells by default, these
> are not child shells of some shell process, they are entirely new
> shells.
indeed. and changing that would get you into trouble with the rest of
us ;)
--
Henning
I'm looking for oks on this diff to commit it.
* Leonardo Guardati [2012-05-10 21:29]:
> Hi,
> here is a solution to the problem I posted on bugs@ about pf logging
> incoming UDP packets to port 0 as pass while being blocked instead.
>
> action is added to pflog_packet() arguments.
>
> I trie
* Siju George [2012-05-04 08:44]:
> On Thu, Apr 12, 2012 at 3:44 AM, Henning Brauer
> wrote:
> > diffs are for current of course but should work for 5.1 as well -
> > dunno what you are trying.
> I have upgraded my firewall to 5.1
> could you please give me a unified dif
ually and
> > restart it, but I don't really see a benefit in removing that
> > question.
> ^Z or ! works anywhere.
exactly. and the installer points out the ! way right at the beginning.
I intend to commit this with the 3 oks I got, if people strongly
disagree speak up quic
me_ money tho :))
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
de.sh 19 Apr 2012 13:20:11 -
@@ -71,7 +71,6 @@ THESETS="$THESETS site$VERSION-$(hostnam
# Configure the network.
enable_network
-manual_net_cfg
startftplist
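Review bot: dropping `manual_net_cfg` directly after `enable_network` removes the one point in this script where the operator is offered a chance to adjust the network by hand before `startftplist` runs. If the shell escape is meant to replace it, say so in the commit message so the behaviour change is documented for people who relied on the prompt.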
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
* Sebastian Benoit [2012-04-13 17:00]:
> Henning Brauer(henn...@openbsd.org) on 2012.04.13 10:10:41 +0200:
> > if nobody tests this beyond my extremely light tests (try actually
> > USING the pflog interfaces to log to, I didn't), I can't get this in :)
> works somewh
if nobody tests this beyond my extremely light tests (try actually
USING the pflog interfaces to log to, I didn't), I can't get this in :)
* Henning Brauer [2012-04-11 12:21]:
> * Henning Brauer [2012-04-11 11:26]:
> > * Siju George [2012-04-10 08:16]:
> > > On T
* Henning Brauer [2012-04-12 10:11]:
> take out? a slot can be nulled. the index is the interface index, so
> if just pflog25 exists that array has 26 entries.
s/interface index/unit number/
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Servi
* patrick keshishian [2012-04-12 00:52]:
> On Wed, Apr 11, 2012 at 3:14 PM, Henning Brauer
> wrote:
> > * patrick keshishian [2012-04-11 14:55]:
> >> On Wed, Apr 11, 2012 at 12:20:30PM +0200, Henning Brauer wrote:
> >> don't you need two different index vars
* patrick keshishian [2012-04-11 14:55]:
> On Wed, Apr 11, 2012 at 12:20:30PM +0200, Henning Brauer wrote:
> don't you need two different index vars for this next
> section?
no, why?
> > + for (i = 0; i < n; i++)
> > + if (i < npflogifs)
> >
* Siju George [2012-04-11 14:25]:
> On Wed, Apr 11, 2012 at 3:50 PM, Henning Brauer wrote:
> >
> > please try this & report back
> >
>
> Thanks Henning but I need some help :-(
>
> I got the following errors and I have attached the .rej files
diffs are
* Henning Brauer [2012-04-11 11:26]:
> * Siju George [2012-04-10 08:16]:
> > On Tue, Apr 10, 2012 at 11:40 AM, Andres Perera wrote:
> > > altering the max might have consequences i don't know about:
> > I will stick with 15 :-)
>
> actually, bumping it sho
ain = -1;
> +rio.rule.prio[0] = rio.rule.prio[1] = PF_PRIO_NOTSET;
>
> if (rio.rule.proto == IPPROTO_TCP)
> rio.rule.timeout[PFTM_TCP_ESTABLISHED] =
>
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-
ne transfers.
I see no reason to support or even remotely take such a stupid setup
into consideration.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Braue
nd anyway - i have never seen such a dramatic design
fuckup as the bind10 design docs, and anything depending on PYTHON
(gimme a break) will never make it into base anyway.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mai
disabling port 2
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
sd5 at scsibus3 targ 1 lun 0: SCSI2 0/direct fixed
sd5: 953866MB, 512 bytes/sector, 1953519473 sectors
softraid0: resuming rebuild on sd5 at 83%
sd6 at scsibus3 targ 2 lun 0: SCSI2 0/direct fixed
sd6: 953866MB, 512 bytes/sector, 1953519473 sectors
root on sd0a (50a385fb5e19501a.a) swap on sd0b dump on sd0b
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
pbench since my parent process uses
> setsid().
you're right. good catch!
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
le and a simple
> program that uses the divert port. It is designed to be simple enough
> that someone can try this on their desktop.
>
> Comments?
I like.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail
edback would be appreciated.
idea is sound, code is sane - who wants to give the second ok?
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer C
; - } else if (secret &&
> - check_file_secrecy(fileno(nfile->stream), nfile->name)) {
> - fclose(nfile->stream);
> - free(nfile->name);
> - free(nfile);
> - return (NULL);
> }
> +
> nfile->lineno = 1;
> TAILQ_INSERT_TAIL(&files, nfile, entry);
> return (nfile);
> +
> +file_err:
> + fclose(nfile->stream);
> +err:
> + free(nfile->name);
> + free(nfile);
> + return (NULL);
> }
>
> int
>
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
bmax perhaps? Such a hierarchy could be populated
> with all the parameters it's, umm, unwise to tweak without a lot of
> knowledge. A 90% frivolous suggestion.
and now that everybody had his/her fun back to serious pls.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS
* Mark Kettenis [2011-12-04 21:02]:
> But 256k simply isn't enough for some use cases. Turning this into a
> sysctl tunable like FreeBSD and NetBSD would be a good idea if you ask
> me. Yes, people will use it to shoot themselves in the foot. I don't
> care.
I agree.
* Geoff Steckel [2011-12-04 16:17]:
> To generalize this problem: kernel memory is limited. It is
> autosized at boot time.
that might have been true a decade ago, but not today.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
ies
does the job just fine for logging to the console, too.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
hey, news: ipsec is one giant mess.
unless someone has ze magic recipe for those two connections being able
to live in one ipsec.conf that i might have missed (despite help), i
declare it impossible to have both in one due to the default peer
conflict - both connections have an (implicit or not) "
en, i don't have much to do
with these encapsulating things like atm and ppp and the like,
everything is ethernet in one form and another and an occasional STM
link. and I don't shape for these links anyway, they're more than fat
enough.
--
Henning Brauer, h...@bsws.de, he
makes sense to me. if
you want it for console-only use you can still enable/start it manually.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
oc_natlook)
#define DIOCSETDEBUG _IOWR('D', 24, u_int32_t)
#define DIOCGETSTATES _IOWR('D', 25, struct pfioc_states)
-#define DIOCCHANGERULE _IOWR('D', 26, struct pfioc_rule)
/* XXX cut 26 - 28 */
#define DIOCSETTIMEOUT _IOWR('D', 29, struct pf
Do you want to start zless by default? [Y/n]
Do you want to start zmore by default? [Y/n]
Do you want to start znew by default? [Y/n]
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, R
n
the same boat as syslogd.
i dunno about aucat. on laptops/workstations i'd want it by default,
on the servers i'd hate it.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers,
proto) {
case PF_VPROTO_FRAGMENT:
/*
@@ -5838,6 +5827,12 @@ pf_setup_pdesc(sa_family_t af, int dir,
}
#endif /* INET6 */
}
+
+ if (pd->sport)
+ pd->nsport = *pd->sport;
+ if (pd->dport)
+ pd->ndport = *
UFS);
> if ((error = ifpromisc(ifp, 1))) {
>
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
* Alexander Bluhm [2011-08-30 20:59]:
> When pf_test_rule() is called for fragments that have not been
> reassembled, the address copy is not done anymore.
good catch, new diff below.
> I think pf_setup_pdesc() should not call pf_test_rule() at all and
> just fill the pd struct.
indeed, the tes
PF_ACPY(&pd->ndaddr, pd->dst, pd->af);
+ if (pd->sport)
+ pd->nsport = *pd->sport;
+ if (pd->dport)
+ pd->ndport = *pd->dport;
+
return (0);
}
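Review bot: `pd->nsport` and `pd->ndport` are assigned only when `pd->sport` / `pd->dport` are non-NULL, so for protocols without ports they keep whatever the descriptor held before. Either zero them in an else branch or state in a comment that callers pass in a zeroed `pd`, so later code that compares `nsport`/`ndport` against the original ports never reads stale values.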
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
* william dunand [2011-08-18 09:34]:
> I think the "global" option (after "overload flush") has been
> omitted in the BNF grammar part of pf.conf(5)
indeed, fixed, 10x