On Fri, Oct 05, 2018 at 11:53:08PM +0200, Klemens Nanni wrote:
> On Fri, Oct 05, 2018 at 10:38:48PM +0200, Fabian Mueller-Knapp wrote:
> > If i read man correctly it means "evaluate the rules inside and stop if
> > any rule within matched".
> While it's ow
On Mon, Sep 24, 2018 at 09:33:50AM -0600, Todd C. Miller wrote:
> I wonder if we can do unveil(NULL, NULL) for getent databases without
> an explicit file. A quick test seems to work for dns.
Same thought here at first, but we're pledging without "unveil" promise
after unveiling files so no need
On Mon, Sep 24, 2018 at 10:49:42AM +0100, Ricardo Mestre wrote:
> Comments? OK? The initial pledge(2) is so short lived that I was tempted to
> remove it, but I'm open to suggestions :)
Is there any compelling reason to keep the initial superset pledge?
Without it, the only code paths without
hostsprint() reserves only 16 columns for IPs and prints one whitespace
too many afterwards:
$ getent hosts 1.1.1.1 long :::::::
1.1.1.1 one.one.one.one
::::::: long
On Wed, Sep 26, 2018 at 06:48:07AM -0600, Todd C. Miller wrote:
> One comment inline, otherwise OK millert@
> > @@ -397,6 +397,9 @@ static int
> > services(int argc, char *argv[])
> > {
> > struct servent *se;
> > + const char *err;
> > + char*proto;
> > + int
OK?
Index: getent.c
===
RCS file: /cvs/src/usr.bin/getent/getent.c,v
retrieving revision 1.16
diff -u -p -r1.16 getent.c
--- getent.c25 Sep 2018 06:48:48 - 1.16
+++ getent.c25 Sep 2018 19:41:04 -
@@ -55,7 +55,7
hostsaddrinfo() is called from hosts() for non-IP keys, e.g.
`getent hosts foo openbsd.org'.
Using getnameinfo(2) simplifies the code, makes it less address family
specific and plays nicely with previously used getaddrinfo(2).
While here, make function parameter `const', sort stack variables by
Replace `long long id' with appropriate types and names, use smaller
limits where applicable and move variable declarations up out of loops.
This makes the code clearer and a tad simpler while staying consistent
across databases.
Feedback? OK?
Index: getent.c
On Mon, Sep 24, 2018 at 08:56:14PM +0100, Ricardo Mestre wrote:
> I actually prefer to see it go away since it doesn't protect us much and the
> real meat is actually on the pledge(2) inside the loop. Nevertheless this
> still
> should on a separate commit.
OK kn
Tables under different anchors may have the same name, but pfctl warns
about such scenarios upon table creation to avoid mixups. Unique and
descriptive names are highly recommended (for sanity).
# pfctl -T replace -t t1
1 table created.
no changes.
# pfctl -T
On Thu, Dec 27, 2018 at 02:36:36PM -0200, Martin Pieuchot wrote:
> New version using 'iSerial'. This is coherent w/ what lsusb(8) displays
> and isn't ambiguous with regard to the device descriptor name as pointed
> out by deraadt@.
Even better, sure.
There since import and last used by ALTQ which henning removed in 2004.
OK?
Index: sbin/pfctl//pfctl.h
===
RCS file: /cvs/src/sbin/pfctl/pfctl.h,v
retrieving revision 1.57
diff -u -p -r1.57 pfctl.h
--- sbin/pfctl//pfctl.h 6 Sep 2018
On Sun, Dec 30, 2018 at 12:19:54PM +0100, Alexander Bluhm wrote:
> uudecode: in: out: character value (159) out of range [33-96]
OK
and are required for b64_ntop()/b64_pton(),
but there's nothing socket related here as far as I'm concerned.
Included since millert's sync in 2004 with FreeBSD which still has it.
No object change on amd64 and sparc64.
Feedback? OK?
Index: usr.bin/uudecode/uudecode.c
Synopsis is `[-t table -T command [address ...]]', yet tables without
commands are silently ignored:
$ pfctl -t t
pfctl: /dev/pf: Permission denied
# pfctl -t t ; echo $?
0
Commands without tables are caught, but only after opening pf(4):
$ pfctl -T show
On Wed, Jan 02, 2019 at 11:27:18PM +0100, Alexandr Nedvedicky wrote:
> I don't object your change. However I hesitate to give OK too. I hope PF
> users, who have non-trivial rulesets will speak up here.
Feedback is welcome.
> IMO opinion we are hitting limitations of pfctl(8) here. Making
Limiting the "flush all" operation to a specific interface does not
make sense, and the intention was clear as well:
pfctl.c revision 1.298
date: 2010/06/28 23:21:41; author: mcbride; state: Exp; lines: +27
-11;
Clean up iterface stats handling:
- 'make -Fi'
On Sat, Jan 05, 2019 at 12:07:59PM -0700, Theo de Raadt wrote:
> + if (!*optarg)
>
> I despise this idiom. You are checking for a zero-length string.
> But you are hiding what is going on.
Because the value is used in many places. Some check for nullity, some
check for
On Sat, Jan 05, 2019 at 08:04:07PM +0100, Klemens Nanni wrote:
> Diff below bails out immediately when `-i ...' is passed
Just that now.
Ignore the option argument if the option was passed since that already
fulfills our error condition of passing `-i ...' with `-F all'.
`ifaceopt' is glo
Never used, probably just copy/pasta since introduction in 2006.
`-i' and other flags are completely ignored with `-K' anyway.
OK?
Index: pfctl.c
===
RCS file: /cvs/src/sbin/pfctl/pfctl.c,v
retrieving revision 1.362
diff -u -p
A few assorted nits for consistency and proper format, no object change.
OK?
Index: pfctl.c
===
RCS file: /cvs/src/sbin/pfctl/pfctl.c,v
retrieving revision 1.365
diff -u -p -r1.365 pfctl.c
--- pfctl.c 11 Jan 2019 03:09:24 -
On Sat, Jan 19, 2019 at 05:14:56PM +1300, Richard Procter wrote:
> > +#define PF_OPTIMIZE_NONE 0x
>
> these PF_OPTIMIZE_* are bit-field definitions,
> see e.g. pfctl_optimize.c:299.
While I'm aware of this,
> But PF_OPTIMIZE_NONE is not, as pf->optimize & PF_OPTIMIZE_NONE
> is never
Last usage got removed in
revision 1.9
date: 2001/02/08 08:35:17; author: itojun; state: Exp; lines: +109
-27;
pull latest kame tree. ndp -n -a printing is now prettier with long
IPv6 addresses. -l is deprecated (ignored).
OK?
Index: ndp.c
On Tue, Jan 22, 2019 at 11:09:10PM +0100, Claudio Jeker wrote:
> On Tue, Jan 22, 2019 at 12:57:34PM -0200, Martin Pieuchot wrote:
> > If a bridge(4) is down packets don't flow through it, so be coherent and
> > do not copy them for span ports.
I hesitated to OK this since possible implications
On Tue, Dec 11, 2018 at 10:31:37PM -0500, Ted Unangst wrote:
> I have some trace files that are gzipped to save space. (They compress really
> well.) It would be convenient if I could simply zcat them into kdump for
> inspection.
FWIW I've always used `kdump -f/dev/stdin' for that.
> This patch
All interface drivers have their interface group, but users can create
extra, driver independent groups as well.
# ifconfig lo0 group foo
# pfctl -sI -ifoo
foo
lo0
Feedback? OK?
Index: share/man/man4/pf.4
OK
On Sun, Dec 16, 2018 at 06:45:39PM +0100, Claudio Jeker wrote:
> Simple conversion of timeout_add(X, Y * hz) to timeout_add_sec(X, Y)
> and timeout_add(X, tvtohz()) to timeout_add_tv(X, ).
OK
On Sat, Dec 22, 2018 at 06:53:24PM -0500, Ted Unangst wrote:
> @@ -393,7 +393,7 @@ option is given).
> .Ar port
> can be a specified as a numeric port number, or as a service name.
stray ^ article that can be zapped with this diff while here.
> Ports may be specified in a range of the form
From pf.conf(5):
The anchor can also be populated by adding a load anchor rule after the
anchor rule. When pfctl(8) loads pf.conf, it will also load all the
rules from the file /etc/pf-spam.conf into the anchor.
anchor spam
load anchor
On Sat, Dec 22, 2018 at 04:44:14PM -0500, Daniel Jakots wrote:
> Here's a diff that change the delimiter to ":". This breaks existing
> scripts but it would make the syntax like pf.conf instead of using
> another symbol for a port range.
Changing it to double-colon for sanity and consistency seems
On Tue, Dec 25, 2018 at 10:19:35AM -0700, Theo de Raadt wrote:
> I have always disliked the reliance on include, because errors detected
> during parse are poorly handled. Garbage format in the file will adjust
> the global scope and the parser is clueless to cope well.
Can you elaborate on this?
On Tue, Dec 25, 2018 at 07:19:21PM +0100, Sebastian Benoit wrote:
> that said, if we want this, we might want to have pfctl print a warning for
> a release cycle because it can impact the reachability of a machine. Like we
> do with ifconfig vlanid/parent changes.
Keep the behaviour in 6.4
On Thu, Nov 29, 2018 at 02:50:58PM -0500, Ted Unangst wrote:
> I would find it useful to know battery percentage at the time of suspend and
> resume. This makes it possible to see how much battery was consumed while
> sleeping. I don't think this is much noisier than things already are.
Sounds
On Fri, Nov 30, 2018 at 01:24:27PM -0500, Ted Unangst wrote:
> Developers who shall remain anonymous were confused by the behavior of apmd -d
> because the behavior of apmd -d is confusing. It doesn't do anything like any
> other daemon in the system when running with -d.
:-)
> This introduces a
Base 10 suffices, negative numbers should be invalid (not converted) and
zero not treated specially:
# apmd -dt -1
apmd: kevent loop: Invalid argument
# apmd -dt 0
usage: apmd [-AadHLs] [-f devname] [-S sockname] [-t seconds] [-Z
percent] [-z percent]
#
All they do is case conversion^Wconfusion, so remove them.
Relevant pfvar.h diff at the top, all other hunks were done with sed(1).
Feedback? Objections? OK?
Index: net/pfvar.h
===
RCS file: /cvs/src/sys/net/pfvar.h,v
retrieving
On Thu, Dec 06, 2018 at 03:33:06PM -0500, Ted Unangst wrote:
> ktrace -C will return an error if you don't have a ktrace.out file because
> sys_ktrace tries to open it whenever it has a filename, even if it won't be
> used. I think it is more consistent to require it be null, so that we aren't
>
OK
These are identical (see increased context) since introduction:
revision 1.240
date: 2006/10/27 13:56:51; author: mcbride; state: Exp; lines: +26 -8;
Split ruleset manipulation functions out into pf_ruleset.c to allow them to
be imported into pfctl. This is a precursor to separating ruleset
On Sat, Dec 01, 2018 at 08:58:31AM +0100, Martijn van Duren wrote:
> > I'm not sure the EINVAL error string adds valuable information. I would
> > prefer if all these used variants of the idiom suggested in the strtonum
> > manual, something like:
> >
> > errx("number of seconds is
Sometimes I want to see certain programs with least amount of memory,
so this diff implements `o -field' to sort in reverse order.
The logic is straight forward:
1. merge common code from argument and command loops into new setorder()
2. introduce global state `rev_order' (set in the helper)
3.
On Tue, Nov 27, 2018 at 11:28:31AM -0600, Scott Cheloha wrote:
> No objections here to the feature in general. We already support reversing
> select orderings in systat(1), which I've found useful in practice, so this
> is not without precedent and is consistent with at least one other monitoring
On Tue, Nov 27, 2018 at 03:52:52PM -0600, Scott Cheloha wrote:
> > > static int
> > > +getorder(char *field)
> > > +{
> > > + rev_order = field[0] == '-';
> > > +
> > > + return string_index(rev_order ? field + 1 : field, statics.order_names);
> > > +}
> > > +
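Review bot: getorder() assigns the global rev_order before the field name has been looked up, and for an argument of just "-" it hands the empty string at `field + 1` to string_index(). Check for an empty name after the '-' and set rev_order only once string_index() has returned a valid index, so that a failed lookup leaves the current sort direction untouched.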
>
> You need to check that the
On Wed, Nov 28, 2018 at 12:07:37AM +0100, Klemens Nanni wrote:
> Note how an empty field is silently treated as the default field
> "state", but that's an independent issue I'd like to address in a
> separate diff for string_index().
Not a problem of string_index() actuall
On Sun, Nov 11, 2018 at 05:39:52PM +0100, Klemens Nanni wrote:
> On Sat, Nov 03, 2018 at 09:01:33PM +0100, Klemens Nanni wrote:
> > Closing stdin makes sense, but I still want to see error messages from
> > the program I'm running. Since arbitrary programs can be run, keep
On Fri, Nov 16, 2018 at 08:56:52PM +0100, Reyk Floeter wrote:
> > the following diff allows rad(8) to watch interface groups. This
> > allows to automatically add/remove interfaces in a given group.
> >
> > For example, I put "interface tap" into rad.conf and it automatically
> > serves my VM
On Sun, Nov 11, 2018 at 06:07:10PM +0100, Klemens Nanni wrote:
> There's no point in parsing `-display' separately, just do it once and
> simplify the code while here.
>
> This addresses two of cheloha's comments from my strtonum diff.
Ping.
Feedback? OK?
In
In pfctl_optimize.c r1.39 I removed the `af' parameter from `unmask()'
but accidentally zapped the macro's closing parenthesis.
Since DEBUG() is needlessly under an OPT_DEBUG guard here, this was not
affecting normal builds.
Add the missing ')' and remove the ifdef.
Relevant defines included here
On Sun, Jan 13, 2019 at 01:30:09PM -0600, Scott Cheloha wrote:
> The microtime(9) functions are in kern_tc.c, not kern_clock.c.
OK.
The rest looks fine as is:
$ man -k pa=kern_tc
tc_init(9) - machine-independent binary timescale
$ man -k pa=kern_clock
hardclock(9)
On Fri, Dec 28, 2018 at 05:21:02PM +0100, Denis Fondras wrote:
> int
> +krVPN6_change(struct ktable *kt, struct kroute_full *kl, u_int8_t fib_prio)
> +{
> + struct kroute6_node *kr6;
> + struct in6_addr lo6 = IN6ADDR_LOOPBACK_INIT;
> + int action =
If the given table "t" does not exist, `pfctl -t t -T replace' and
`pfctl -t t -T add ::1' will create it persistently:
# pfctl -sT
# pfctl -tt -Tr
1 table created.
no changes.
# pfctl -vsT
-pa t
pf.conf(5) provides this information:
There's a (subtle) bug in anchor creation/handling I haven't quite
pinned down yet:
Nested brace anchors with names end up being loaded under a different
name if their ruleset is empty:
$ pfctl -aa1 -vnf-
anchor a2 {
}
match
^D
anchor "a1/a2" all
On Wed, Jan 09, 2019 at 01:12:31PM +1000, David Gwynne wrote:
> -#define TRUNK_MAX_STACKING 4 /* maximum number of stacked trunks */
Is this an arbitrary limit or does it conceal other limitations?
The commit that added it lacks this information:
revision 1.2
date:
On Mon, Dec 31, 2018 at 07:05:06AM +, Jason McIntyre wrote:
> i'm not a huge fan of how it reads now anyway. but your proposal makes
> sense. so, without wanting to pick the text apart right now, i say just
> go for it.
The change is kept small deliberately, as I did not want to rewrite this
On Wed, Sep 12, 2018 at 02:05:25PM +0200, Alexander Bluhm wrote:
> On Tue, Sep 11, 2018 at 12:17:05PM +0200, Klemens Nanni wrote:
> > Now `t' under the anonymous anchors (internally named "_1") must not be
> > modified through pfctl:
> >
> > # pfctl -a
On Fri, Sep 14, 2018 at 01:23:05PM +0100, Jason McIntyre wrote:
> hi. i'm not so keen - we use this syntax in a lot of pages. it is not
> vague. i don't see how changing it makes anything clearer.
So is "Same as" used in a lot of places.
It seemed worth suggesting, but I won't push it as there's
"Similar" can be a bit vague; I thought `mount -a -t nfs' would mount
all NFS shares except those already mounted.
This might just be me, but a little emphasis makes it even clearer that
this is not the case.
Feedback? OK?
Index: mount.8
This simplifies host() and merges host_v{4,6}() into host_ip() as
recently done for pfctl and ntpd.
config regress still passes but I don't have a real BGP setup to tinker
with so proper testing is highly appreciated.
Feedback? OK?
Index: config.c
On Tue, Sep 18, 2018 at 03:44:27PM -0600, Theo de Raadt wrote:
> I honestly think this is foolishly complicated.
>
> Just install the program, then run regress. Install an older version
> without the broken changes if it doesn't work.
>
> I tire of these interactions between environment
Same as in pfctl or route so I can easily test my changes with
$ make BGPD=/usr/obj/usr.sbin/bgpd/bgpd config
OK?
Index: config/Makefile
===
RCS file: /cvs/src/regress/usr.sbin/bgpd/config/Makefile,v
retrieving revision 1.5
On Wed, Dec 19, 2018 at 07:57:11PM +0100, Claudio Jeker wrote:
> This is mostly replacing timeout_add calls that use some sort of HZ
> dependent value to timeout_add_(m)sec(). IFNET_SLOWHZ is only used in one
> place and could be moved there.
> In general I think the result is easier to
On Tue, Jan 22, 2019 at 12:58:56PM -0200, Martin Pieuchot wrote:
> Directly pass a pointer, which implies we have a valid reference for
> the given interface. This will matter when we'll start using ifp
> indexes.
Yes, OK kn.
On Tue, Apr 02, 2019 at 11:28:43AM +0200, Petr Hoffmann wrote:
> would make me believe everything mentioned as OPTIONS in pf.conf(5) is about
> to be reset. I see e.g. the debug level is reset, but what about the other
> stuff like fingerprints, 'skip on' and other options set via the 'set'
>
On Tue, Apr 02, 2019 at 05:20:19PM +0200, Theo Buehler wrote:
> Yes, ^L is printed in vi insert mode. The text you quoted is about vi
> command mode which does indeed redraw the current line on ^L. I agree
> with jca, no need for a change there.
I'm confused. Without jca's diff, I did the
On Tue, Apr 02, 2019 at 02:01:05PM +0200, Alexandr Nedvedicky wrote:
> I think Petr is right here. my patch requires yet another finishing touch:
Fair enough, but it should be noted that this somewhat changes behaviour
of the existing interface:
>
On Sun, Dec 30, 2018 at 02:43:37PM -0800, Philip Guenther wrote:
> This thread was never resolved/committed. Looking again at the diffs, I
> still think I prefer that we _not_ touch print_value_quoted(), as the
> other callers all use the 'key=value' format and don't need special
> handling of
On Tue, Apr 02, 2019 at 10:52:34AM +0200, Jeremie Courreges-Anglas wrote:
> So here's a diff. oks/nays?
OK with the one mention in sh(1) adjusted as well:
There are two modes, interactive and command. The shell starts in
interactive mode. In this mode text is entered normally. A
On Tue, Apr 02, 2019 at 11:39:05AM -0400, Andras Farkas wrote:
> $ set -o vi
> $ true^[^L #redraws the line
> $ true
>
> vi uses the escape or ^[ character to go into command mode from insert mode
Ooooh... I blatantly tried ^L without ESC in vi mode, of course that
won't work.
Yup, sorry for the
On Tue, Apr 02, 2019 at 04:56:58PM +0200, Jeremie Courreges-Anglas wrote:
> The diff changes only the emacs mode. I don't think sh.1 needs to be
> adjusted given that the paragraph you quote is about vi mode.
Sure it's just emacs mode. But for sh(1), ^L does print a literal "^L"
in vi mode; in
On Wed, Apr 03, 2019 at 09:53:46AM +0200, Klemens Nanni wrote:
> While here, document RTABLE_ANY and mention rtable(4).
Improved version that uses 5 as example and marks up RTABLE_ANY inline
instead, making it searchable with `man -k .=RTABLE_ANY'.
OK?
Index: rout
After claudio helped me with some details, here's the first round of
improvements.
SO_TABLE is not applicable to AF_ROUTE, ROUTE_TABLEFILTER works across
all families and goes well in line with the other ROUTE_* macros.
While here, document RTABLE_ANY and mention rtable(4).
OK?
Index: route.4
On Tue, Mar 12, 2019 at 03:19:56PM +0100, Otto Moerbeek wrote:
> > I also fixed a case of parsing IPv6 addresses.
> >
> > Anyone willing to ok?
See comments inline.
> And now also with a lexer bug fixed. Earlier I thought it was an order
> dependency in the clauses. But it was an order
On Thu, Mar 21, 2019 at 11:52:56AM +0100, Otto Moerbeek wrote:
> Meanwhile, I tested an IPv6 setup, it works ok.
> So I'm going to commit the diff below,
Thanks!
OK kn
On Wed, Apr 03, 2019 at 11:10:21AM +0200, Alexandr Nedvedicky wrote:
> I did look at pf.conf(5) manpage yesterday. It requires more updates,
> which
> I would like to leave for another diff. For example pf.conf(5) does not
> mention default values for limits and time outs. I expect
On Wed, Mar 27, 2019 at 12:34:52PM +0100, Petr Hoffmann wrote:
> I noticed it is possible to specify an invalid netmask,
> e.g. 1.1.1.1/10/20 and still get the address loaded into a table. I
> conjecture this was introduced by the following change:
>
> a7ede25358dad545e0342d2a9f8ef6ce68c6df66
>
On Wed, Mar 27, 2019 at 02:17:03AM +0100, Alexandr Nedvedicky wrote:
> tedu@ has planted idea for diff below here [1]. That particular email is part
> of thread [2], where various cleanup/unconfigure options for PF are discussed.
> To keep progressing in small steps I've decided to factor out the
Coming from an UP and RUNNING interface, turning off the hardware kill
switch removes the RUNNING flag and powers down the device.
Iff still UP, switching it back on should set RUNNING again to ensure
seamless operation at runtime.
We can do this by fixing the interrupt handler which currently
As promised in my earlier mail, here's a diff that fixes seamless
operation with the hardware kill switch on resume after suspend.
Like the interrupt handler, the resume path needs to check the register
to update flags in order to propagate the hardware kill switch state,
otherwise the driver
As of now, `vmctl status test' will tell you whether the VM is running
or not; except that "STATE" actually denotes whether the VCPU is
currently running or halted, not whether the VM is started/running or
stopped.
I tripped over this when trying to use
vmctl status test | fgrep 'STATE:
On Mon, Apr 01, 2019 at 09:53:31AM -0600, Todd C. Miller wrote:
> AT&T ksh doesn't clear the screen by default on ^L. Other shells
> like bash, zsh, and tcsh do. I don't object to making it the default
> but as I'm not a ksh user I'll defer to those who are.
Although I'm mostly using ksh in Vi
On Mon, Nov 26, 2018 at 06:40:05PM +0100, Klemens Nanni wrote:
> On Sun, Nov 11, 2018 at 06:07:10PM +0100, Klemens Nanni wrote:
> > There's no point in parsing `-display' separately, just do it once and
> > simplify the code while here.
> >
> > This addresses two of
OK
On Sat, Apr 06, 2019 at 02:37:05AM +0200, Alexandr Nedvedicky wrote:
> updated diff is attached. I'll commit the change after unlock.
OK kn with comments inline.
> + pf.ifname = strdup("none");
> + if (pf.ifname == NULL)
> + warn("%s: Warning: can't reset loginterface\n",
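Review bot: the format string passed to warn() on the last visible line ends in "\n". warn(3) appends ": ", the errno text and a newline itself, so the embedded newline splits the message across two lines; drop the "\n" from the format.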
OK
tedu's apm(8) diff reminded me that certain vmctl(8) commands are too
relaxed:
$ vmctl start a b
vmctl: start vm command failed: Operation not permitted
$ vmctl stop a b
stopping vm a: vm not found
$ vmctl create a b
could not create a: missing size
On Fri, Feb 22, 2019 at 01:52:24AM +0100, Alexandr Nedvedicky wrote:
> so far so good. Now let's flush the rules from kernel:
>
> lumpy# ./pfctl -Fr
> rules cleared
> lumpy# ./pfctl -sr
> lumpy#
>
> However the underscore anchors are still there:
Any unreferenced anchor will
On Fri, Feb 22, 2019 at 12:42:02PM +0100, Alexandr Nedvedicky wrote:
> yes, that's what I thought. We have a kind 'service' on Solaris, which
> wraps pfctl to manage firewall. If firewall is being enabled, the service
> cleans up all rules (anchors). We basically dump the rulesets
Diff reads good, although I'm not a BGP user.
One nit inline:
> @@ -689,31 +690,32 @@ mrt_parse_dump_mp(struct mrt_hdr *hdr, v
> - case AF_VPNv4:
> + case AID_VPN_IPv4:
> if (len < MRT_PREFIX_LEN(r->prefixlen))
> goto fail;
> - errx(1,
On Thu, Feb 21, 2019 at 02:53:55PM +0200, Lauri Tirkkonen wrote:
> Updated diff to remove -S from all files mentioned above.
OK kn if anyone wants to commit, otherwise I'll do so on sunday unless
I hear objections.
On Fri, Feb 22, 2019 at 03:02:07PM +0100, Alexandr Nedvedicky wrote:
> so the option '-F Anchors' will also perform a '-Fr' on main ruleset, is
> that correct?
No, my `-f /etc/pf.conf' is the equivalent to your `-F rules' here.
> And also one more thing, which comes to my mind. How
On Tue, Mar 05, 2019 at 04:27:22PM +0100, Christian Weisgerber wrote:
> Minor man page tweaks to reflect the fact that PKCS#11 support is
> no longer limited to RSA.
OK, I've been using ECDSA on a PIV smartcard just fine.
Thanks! Diff makes sense, see comments inline. I confirm that this
restores intended behaviour and regress is fine as well.
With those addressed OK kn; or I take care of it after getting an OK.
sashan?
On Tue, Mar 05, 2019 at 04:31:40AM -0800, petr.hoffm...@oracle.com wrote:
> @@ -913,7
I blatantly missed the argc/argv adjustments after getopt(3), resulting
in valid commands like `vmctl create a -s 1G' to fail.
Noticed by ajacoutot the hard way.
OK?
Index: usr.sbin/vmctl/main.c
===
RCS file:
On Sat, Mar 16, 2019 at 10:22:14PM +, Jason McIntyre wrote:
> i think more properly we should show
>
> -t id | name
It's about referencing the VM to be started itself, not templates.
`-t id' is not possible.
But you pointed out how my addition would erroneously imply that, so
change
On Thu, Mar 07, 2019 at 10:21:50PM +0100, Klemens Nanni wrote:
> # vmctl start 1
> vmctl: started vm 1 successfully, tty /dev/ttypo
> # vmctl stop 1 -f
> stopping vm: forced to terminate vm 1
> # vmctl start a
> vmctl: started vm 2 successful
On Sat, Mar 16, 2019 at 11:41:02PM +, Jason McIntyre wrote:
> i don't understand why you special case "id" in a separate paragraph.
Specifying an ID is valid only if you want to start an existing VM.
You cannot create new VMs using a numerical name, that is an ID. This
limitation is the point
vmd(8) does not support numerical names with `start' and `receive'.
It never worked, the manuals are now clearer about this, but error
handling can still be improved:
$ vmctl start 60 -t test -d 60.qcow2
vmctl: start vm command failed: No such file or directory
That's from
On Thu, Mar 07, 2019 at 09:00:55PM +0100, Theo Buehler wrote:
> On Thu, Mar 07, 2019 at 08:52:45PM +0100, Klemens Nanni wrote:
> > vmd(8) does not support numerical names with `start' and `receive'.
> > It never worked, the manuals are now clearer about this, but error
> &g
When using anchors, they ought to have a non-empty name or none at all.
By accident, I discovered the following:
$ printf 'anchor ""\n' | pfctl -vnf-
pass all no state
No errors and it parses in a potentially harmful way. Other use cases
behave badly as well:
$ printf