erhaps swapping the for loop block with pf_state_insert() will work.
> We can then bail out using goto csfailed then (see patch below...)
makes sense, I like it.
> > > would you be interested in SMP patch for PF?
> > > it basically introduces fine locking and reference co
rules.
> This result are really puzzling for me,
> when i first test the table negation i was really glad that list negation
> was possible,
> the (block) alternative is often ridiculous to write.
so use a table - since lists are expanded at load time, negation there
just can't work t
* sven falempin [2015-05-22 16:33]:
> But it does not explain the output i have.
otoh I'd say your diff is incomplete and misses a bit in expand_rule.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail
ike to split that up.
> >
> > Is this a good idea? comments/ok?
>
> I like the idea but we should be careful about ports assuming that
> in_var.h includes in6_var.h even if there's no RFC requirement.
indeed, that needs to be checked. otherwise ok.
--
Henning Brauer, h
hould look into.
no, creatorID is for pfsync setups to know which node created the
state.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer C
least hurts
performance), so it has to be truly worth it.
I don't see that in this case.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
's snmp itself. using
the OS-private ifindex and making assumptions about it is the root
problem. but since that's in the standards, there are only 2 possible
solutions I see:
-keep trying to please snmp in the way we assign ifindex
-let snmpd (or sth else) make up ifindices just for that purpos
case, CD images).
buy the CD set. it's more than good enough for the PCI DSS theatre
(been there).
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully
* Reyk Floeter [2013-09-13 10:20]:
> please read the history: if_index _was_ created for SNMP.
I'm not at all certain you got the history right there...
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail
so stop that pseudo-header wankery. v6 doesn't have it at all. instead
of incrementally pre-computing a tiny part of the proto cksum, just do
it in in_proto_cksum_out when needed.
makes everything else in the stack super easy: need cksum? set flag,
done.
stack and pf cases tested with all 3 offloa
r.
besides, newqueue isn't a 100% replacement yet. last not least RED (or
sth similar) is missing.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning B
't process RH0 itself, and otherwise leave it to pf.
aka the status quo.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
y incomplete or expensive. the approach "stack protects the
local machine (in this case: don't obey RH0), pf handles forwarded
packets" matches what we do generally.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
at otoh.
i'm still pretty damn sure you were Cc'd; won't dig for old mail just
to prove it; don't see the point, doesn't change anything now anyway.
> The non-pf RH0 filtering case is worthwhile.
and here we disagree.
--
Henning Brauer, h...@bsws.de, henn...@openbs
you run any routers with pf disabled? If so, please identify one,
> for a demonstration.
yes, I do.
utterly pointless, since a) no v6 there at all and b) several pf pairs
behind it and nothing else - as in, everything else is behind those pf
boxes.
--
Henning Brauer, h...@bsws.de, henn...@o
s on", then there
> is
> no argument for resisting code for the "pf is disabled" case...
heh :)
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
make the icmp stack use the fake offload engine.
prevents double cksumming in some cases and happens to fix a bug in an
obscure, constructed case.
Index: ip_icmp.c
===
RCS file: /cvs/src/sys/netinet/ip_icmp.c,v
retrieving revision 1.1
so, msgbuf_write can now (again) return EAGAIN. some daemons have been
fixed/adopted, some not. I did a full audit of the tree for all
msgbuf_write users EAGAIN handling - this is the result.
Index: usr.sbin/dvmrpd/control.c
===
RCS f
i think we need to figure out better
> api before randomly changing stuff...
agreed.
the whole IF_ vs IFQ_ mess needs reevaluation.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Server
ints then is the way to go. Please somebody pick that up.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
's the logic, here?
> THEREFORE software in base can deliver to maildir in /var/mail
THEREFORE software in base can also deliver mail to
/omgohmymail/pr0n/$uid - does that mean we check it in security?
The question is rather whether Maildirs in /var/mail are a common
enough setup to warrant a ch
because old message was icmp\n");
> + p(icps_toofreq,
> + "\t%llu error%s not generated because of rate limitation\n");
> +
> for (first = 1, i = 0; i < ICMP_MAXTYPE + 1; i++)
> if (icmpstat.icps_outhist[i] != 0) {
> if (
* Kenneth Westerback [2014-01-19 09:56]:
> *But what is the practical problem being addressed? Is dhcp not functional
> with the existing default **ruleset?*
it's not correct and we rely on dhclient falling back to a new
discovery eventually.
--
Henning Brauer, h...@bs
n5/pf.conf.520 Jan 2014 04:05:09 -
@@ -1,4 +1,4 @@
-.\"$OpenBSD: pf.conf.5,v 1.532 2013/12/21 20:57:01 camield Exp $
+.\" $OpenBSD: pf.conf.5,v 1.534 2014/01/20 02:59:55 henning Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" Copyright (c) 2003 - 2013 He
absolutely prevent forwarding carp or NFS/rpc using the shiny new
received-on any.
can only minimally test that here. need at least one carp and one
diskless test.
Index: rc
===
RCS file: /cvs/src/etc/rc,v
retrieving revision 1.420
+ }
}
#ifdef IPSEC
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
hdr(u_int32_t src, u_int32_t dst, u_int32_t lenproto)
+{
+ u_int32_t sum;
+
+ sum = lenproto +
+ (u_int16_t)(src >> 16) +
+ (u_int16_t)(src /*& 0x*/) +
+ (u_int16_t)(dst >> 16) +
+ (u_int16_t)(dst /*& 0xffff*/
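Review bot: the commented-out mask left inside the operands of the `sum` expression (`/*& 0xffff*/` on the `dst` term, and the matching one on the `src` term) reads like disabled code. The `(u_int16_t)` cast already keeps only the low 16 bits, so either drop the comments or replace them with one short comment saying so. A line above the function stating the byte order expected for `src`, `dst` and `lenproto` would also help callers.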
pf_rule *r, sa_
#endif /* INET */
#ifdef INET6
case AF_INET6:
- /* TCP checksum */
- th->th_sum = in6_cksum(m, IPPROTO_TCP,
- sizeof(struct ip6_hdr), tlen);
-
- h6->ip6_vfc |= IPV6_VERSION;
- h6->ip6_hlim = IPV6
th->th_sum = 0;
- th->th_sum = in_cksum(m, tlen);
ip->ip_len = htons(tlen);
ip->ip_ttl = ip_defttl;
+ ip->ip_tos = 0;
ip_output(m, (void *)NULL, ro, ip_mtudisc ? IP_MTUDISC : 0,
, ro, ip_mtudisc ? IP_MTUDISC : 0,
(void *)NULL, tp ? tp->t_inpcb : (void *)NULL);
}
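Review bot: after the removal of `th->th_sum = in_cksum(m, tlen);`, the visible lines leave `th->th_sum = 0` and go straight to `ip_output()`, and nothing shown here requests the checksum for later computation. Please confirm the checksum-out flag is set on the mbuf earlier in the function, or extend the hunk so that line is visible. The added `ip->ip_tos = 0;` is unrelated to checksumming and should be mentioned in the commit message.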
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
* Henning Brauer [2014-01-24 05:50]:
> i need this tested on an sk(4).
> I don't have that hardware at all.
this gets rid of a slight little bit more.
Index: netinet/in.h
===
RCS file: /cvs/src/sys/netinet/in.h,v
* Ted Unangst [2014-01-24 17:48]:
> On Fri, Jan 24, 2014 at 16:27, Christian Weisgerber wrote:
> > Henning Brauer wrote:
> >
> >> i need this tested on an sk(4).
> >> I don't have that hardware at all.
> > [Summary: Henning wants to confine in_cksum_p
* David Higgs [2014-01-25 18:25]:
> On Jan 25, 2014, at 12:48 AM, David Higgs wrote:
>
> On Fri, Jan 24, 2014 at 4:24 AM, Henning Brauer
> wrote:
>
> * Henning Brauer [2014-01-24 05:50]:
>
> i need this tested on an sk(4).
> I don't have that hardware at
a message in pcap? as payload with a dummy
packet header? (NOOOO!!!!!!)
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Braue
* Philipp [2014-02-17 13:36]:
> Am 17.02.2014 13:11 schrieb Henning Brauer:
> >how do you emit such a message in pcap? as payload with a dummy
> >packet header? (N!!)
> pf is taking action without telling anyone - and that's not nice.
doesn't cha
te creation time is ok.
> The current use of PFRES_MAXSTATES particularly with pfctl's textual
> form "state-limit" is definitely a bit confusing.
yup.
the default of 1 might be a bit small today as well. it's not like
a higher one would cost anything these days. 100k?
hat because of adaptive timeouts you can end up
> with failing connections without hitting the hard state limit.
> I think those connections will not show up in the stats (I could be
> wrong).
failing connections because of adaptive timeouts? HUH?
--
Henning Brauer, h...@bsws.de, henn...@open
* Loïc Blot [2014-02-28 11:33]:
> Is this normal ?
yes.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, h
> easier to read imo.
exactly.
making it static inline would be the max I'd find acceptable - but I'm
certain you won't be able to demonstrate any performance benefit
(previous profiling is pretty clear on that).
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web S
> The fact my router has 8 cores available doesn't really help it very
> much. (Maybe BGP converges a little bit faster?)
it can help bgpd indeed.
> Ditto for my DNS servers, my mail server, my proxy server, etc.
depends on the workload. heavy content filtering on mailservers will
b
so, what are we doing with this now?
I still want to hide in_cksum_phdr() and kill in_cksum_addword() so that
nobody ever uses that sh*t again.
yes, sk loses its half-baked cksum offload support with this, as
discussed before.
as naddy pointed out there are (at least) two private copies of
in_cksum_
this one is still open as well. oks?
* Henning Brauer [2014-01-21 03:24]:
> absolutely prevent forwarding carp or NFS/rpc using the shiny new
> received-on any.
>
> can only minimally test that here. need at least one carp and one
> diskless test.
* Christian Weisgerber [2014-04-19 00:30]:
> On 2014-04-18, Henning Brauer wrote:
> > so, what are we doing with this now?
> > I still want to hide in_cksum_phdr() and kill in_cksum_addword() so that
> > nobody ever uses that sh*t again.
> > yes, sk loses its half-baked
asing
#net.inet.esp.enable=0 # 0=Disable the ESP IPsec protocol
#net.inet.ah.enable=0 # 0=Disable the AH IPsec protocol
#net.inet.esp.udpencap=0 # 0=Disable ESP-in-UDP encapsulation
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de,
M_PREPEND(m, sizeof(evh), M_DONTWAIT);
- if (m == NULL) {
- ifp->if_oerrors++;
- continue;
- }
-
- m_copyback(m, 0, sizeof(evh), &evh, M_NOWAIT);
- }
/*
* Send it, p
's going on imho.
> We could also add a ifp->if_encap function pointer but if it is just for
> vlan(4) I see no point in it.
indeed.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. D
* Alexey Suslikov [2014-04-21 12:38]:
> Henning Brauer bsws.de> writes:
>
> > > #if NVLAN > 0
> > > if (ifp->if_type == IFT_L2VLAN)
> > > return vlan_encap(ifp, m);
> > > #endif
> >
> > I don't think so, really.
* Alexey Suslikov [2014-04-21 13:13]:
> Henning Brauer bsws.de> writes:
> > congratulations, that is close to unauditable.
> > i put the vlan and the !vlan case next to each other ON PURPOSE. both
> > cases add an ethernet header, one with a few extra fields, one
> >
* Alexey Suslikov [2014-04-21 13:56]:
> Henning Brauer bsws.de> writes:
>
> > I must admit I am getting tired of all these "good proposals/ideas".
> > don't you think we've gone thru this before?
>
> Look, I haven't called them good or
ainly not dreamed up layering
violations that don't exist here.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
ifp->if_oerrors++;
- continue;
- }
-
- m_copyback(m, 0, sizeof(evh), &evh, M_NOWAIT);
- }
/*
* Send it, precisely as ether_output() would have.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
* Fritjof Bornebusch [2014-04-22 18:29]:
> it's Trojan horse not Trojan horsed, right?
yup.
a trojan horse.
the binary has been trojan horsed.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS
* Jérémie Courrèges-Anglas [2014-04-23 02:05]:
> If I'm not mistaken, we had no drivers left that use those types?
correct, swing the burning axe. ok.
> - case DLT_FDDI:
> - case DLT_ATM_RFC1483:
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH,
't moved forward in years, and I have a hard time seeing it going
anywhere (except Attic). But that's just me, of course.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Server
> If opencvs is going to be deleted, what is the alternative? gnucvs?
err, that's what we've been using all the time. It has never become
ready.
revision 1.114
date: 2010/06/26 03:59:34; author: deraadt; state: Exp; lines: +2 -2;
disable opencvs; maintainers went bye bye
--
Hen
reach a network only present on
the carp if or the like), and i seem to remember it doesn't quite work
as expected anyway, but don't take my word for it, memory REALLY fuzzy
on that front.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Ful
tend towards that.
ryan, marco?
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
arm than good in its current state.
if this is desired (I can't really see the need to be honest) it must
be done properly doing route priorities and marking routes down. This
functionality didn't exist when we did carp. Going that route (haha),
the code for that wouldn't have much in
come first?
that is the right question, and there is no good answer...
> Someone has to take the first/next step
except that it is a step towards the drain.
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
Sent from a computer using a keyboard and software.
--
Henning Bra
* Simon Perreault [2014-04-29 14:58]:
> I don't see how "usage" is relevant. If IPv6 provided 1000% performance
> improvement with no downsides, we would want to use it even if global
> usage was low.
however, it provides far worse performance with shitloads of downside
rst
> > AF you try? Just wait for a full time out before you try the second AF!
>
> This is a valid point IMHO.
>
> Wouldn't it be better if libasr would run A and requests in
> parallel? Whichever response arrives first "wins".
no, since that gives extremel
* Simon Perreault [2014-04-29 16:05]:
> Le 2014-04-29 09:55, Henning Brauer a écrit :
> >> Wouldn't it be better if libasr would run A and requests in
> >> parallel? Whichever response arrives first "wins".
> > no, since that gives extremely unpre
if (p->if_capabilities & IFCAP_VLAN_HWTAGGING)
ifv->ifv_if.if_capabilities = p->if_capabilities &
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully
_set_phase(struct sppp *sp)
>
>
> --
> jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
>
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
ith IPv4? You
> don't expect to get IPv4 connectivity when you
> configure IPv6, do you?
a very good question to ask.
i wish -inet6 was default.
i'll probably add a sysctl to globally nuke v6 from all interfaces
soon. somebody pls remind me at the next hackathon.
--
He
to 1, enforces -inet6 on all ifs.
what the default of such a sysctl would be is another discussion -
any value is fine with me as long as it is 0.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
our libc, the point is whether we can add a
#define to allow people compiling themselves (probably not as part of
OpenBSD) to remove it without having to change the code.
And since that's not intrusive and doesn't create a portability mess
like the one we're dealing with in libssl rig
st.s_addr, htons((u_int16_t)len +
sizeof (struct udphdr) + IPPROTO_UDP));
Index: sys/mbuf.h
=======
RCS file: /cvs/src/sys/sys/mbuf.h,v
retrieving revision 1.147
diff -u -p -r1.147 mbuf.h
--- sys/mbuf.h 5 Apr 2011 11:48:28 - 1.147
* Henning Brauer [2011-04-05 18:22]:
> - if (m->m_pkthdr.csum_flags & M_IPV4_CSUM_OUT)
> + if (m->m_pkthdr.csum_flags & M_IP_CSUM_OUT)
err. minus this of course.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws
* Christiano F. Haesbaert [2011-04-07 19:37]:
> Not sure if I got this, but couldn't this be applied to TCP/UDP
> checksumming as well ?
one thing after the other.
i have a big big big big diff rototilling the csum handling, needs a
bit more work before it goes out
--
Hennin
>
> What do you think about that ? Does it respond to the issue or should I look
> in other functions ??
holy crap. this is wrong in at least 5 ways. please do yourself and
everybody else a favor and don't touch kernel code.
for fun, run that on a 32 bit machine. or a big endian one.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
ars of pf".
and you should come too, whether speaking or "just" attending.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
> >
> > Anyway, I've been running with several variations of that diff on
> > some machines (i386 and macppc) for several weeks without seeing any
> > regressions.
> > And I can confirm large beasts do benefit from it.
> >
> > --
> > Antoine
>
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
ll happily adopt FHS if you guys make it match hier(7).
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
ink the prefix match test is a common behaviour so I think you
> should keep that.
no, that is just leftover.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
is
> better to make it work like all other users of interface names and people
> needing 'set skip on em' should add a 'group em' line to their
> hostname.em* files.
spot on.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
I see zero for the regular
drivers. the ones where it makes sense are the clonables like ppp and
for those we have automatic base class group, i. e. all tun interfaces
end up in the tun group by default.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
inherit the flag from a group when an interface is created.
> This would have no impact on runtime execution time.
>
> I would really like to have set skip pick up interfaces at runtime because
> I get constantly burned by it.
again, spot on.
--
Henning Brauer, h...@bsws.de, henn..
> needing 'set skip on em' should add a 'group em' line to their
> > hostname.em* files.
> "ifconfig em" also works, so i think it would be less special and
> confusing if "set skip on em" would just work without extra config
> magic.
I disagree.
't want to walk the
> groups of all interfaces on the system for every packet.
nah. we get calls from the interface subsystem when interfaces show up
or go. just a few lines of code missing to deal with skip.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http:
* Janjaap van Velthooven [2011-06-22 21:37]:
> Just a vague idea for the moment;
>
> How aboot some mechanism that can do number lookups by name for disks?
like... fstab?
b6c15508a519d7ae.d /backup/ftp ffs rw,softdep,nodev,nosuid,noexec,noatime,noauto
--
Henning Brauer, h...@bsws
you check the other BSD if they finished these two modes?
what i have in mind in that area only involved prio and hfsc (the
latter just because ppl will want it :(( ) - I think cdnr and rio
belong to the attic, so kill kill kill. if anyone wants to revive them
they're still available in
+++ net/pf.c 3 Jul 2011 19:16:07 -
@@ -2,7 +2,7 @@
/*
* Copyright (c) 2001 Daniel Hartmeier
- * Copyright (c) 2002 - 2010 Henning Brauer
+ * Copyright (c) 2002 - 2011 Henning Brauer
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -14
oper way instead of hacks in each driver.
even if it's only 2 of them using this for the moment.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
's everything with long-living potentially idle
tcp sessions. trying to make my mind up on this i find a small
tendency in favor of that knob.
> But if you add the knob then please also update sysctl(3) too.
indeed.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services
; m_copyback(mfake, off, min(mfake->m_len - off, hdrlen),
> pd.hdr.any, M_NOWAIT);
> PF_ACPY(&pfloghdr->saddr, &osaddr, pd.af);
> Index: net/pf.c
> ===
> RCS file: /cvs
8 queues, 8 priority levels, 0 - 7 (just like basically any better
switch, the vlan header, ...) always, unconditional. pf is being used
as classifier, like
pass in proto tcp to port 22 prio 6
and the old trick of a second queue or rather prio level for empty
acks and IPTOS_LOWDELAY is still ther
now with even more straightforward if_detach_queues
? sys2
? sys/ID
Index: sbin/pfctl/parse.y
===
RCS file: /cvs/src/sbin/pfctl/parse.y,v
retrieving revision 1.603
diff -u -p -r1.603 parse.y
--- sbin/pfctl/parse.y 7 Jul 2011 00:47:19
disregard this for now.
i fucking hate checksums.
now with unfucked antispoof and without debug printf per packet!
this has gathered enough oks to go in in roughly 12 hours, so speak up
now or never if you have anything to say on the topic
Index: sbin/pfctl/parse.y
===
RCS file: /cv
TATALK */
}
break;
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
rely qualifies as workaround.
> This means there is a problem
indeed!
> I'll try to figure out a fix.
:)
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
on the interface(s) the default route(s) point to, whether it matched
the (really a) default route or a more specific.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
* Christopher Zimmermann [2011-07-21 23:46]:
> ok, found the villain. Seems like my ISP is limiting bandwidth by
> randomly dropping packets.
congratulations, you just figured out how IP works.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-S
* Christopher Zimmermann [2011-07-28 02:05]:
> ntpd does have a fixed port number (2049)
err, no :)
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
> I would prefer to take as much as possible from the KAME solution.
> > No need to introduce more differently implemented code.
>
> Ugh, you want to take the zone crap from KAME? It is just yet another
> layer of steaming bullshit added on top of an already huge dunghill.
and, se
s you can see source and destination addresses as well as a destination
> > port are the same, but these rules serve for two different concurrent
> > connections (source ports are different).
> >
> > Currently this won't work because the first rule matches the second
>
* Ryan McBride [2011-08-10 14:49]:
> On Wed, Aug 10, 2011 at 01:07:28PM +0200, Henning Brauer wrote:
> > this is indeed the way it was supposed to work.
>
> I disagree. This is not at all what my understanding was of how it was
> supposed to work. You'd have to tal
he address any
more.
--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
* william dunand [2011-08-18 09:34]:
> I think the "global" option (after "overload flush") has been
> omitted in the BNF grammar part of pf.conf(5)
indeed, fixed, 10x