Re: bgpd: adjust loopback filter for network statements

2020-12-27 Thread Sebastian Benoit
I agree with this.

ok benno@

Claudio Jeker(cje...@diehard.n-r-g.com) on 2020.12.23 15:37:02 +0100:
> In bgpd statements like
>   network inet static
> or
>   network rtlabel "exportme"
> will skip routes that use 127.0.0.1 as nexthop. This makes sense for
> network connected and network static but for rtlabel and even priority
> based selection this makes less sense.
> 
> Especially using rtlabel to export routes should give the admin also the
> option to export reject or blackhole routes (which have their nexthop set
> to 127.0.0.1).
> 
> This diff does this change but still skips networks like 224/4 for network
> inet static. I think this is a decent compromise.
> -- 
> :wq Claudio
> 
> Index: kroute.c
> ===
> RCS file: /cvs/src/usr.sbin/bgpd/kroute.c,v
> retrieving revision 1.239
> diff -u -p -r1.239 kroute.c
> --- kroute.c  1 Oct 2019 08:57:48 -   1.239
> +++ kroute.c  4 Dec 2020 11:31:09 -
> @@ -110,7 +110,7 @@ int   kr6_delete(struct ktable *, struct k
>  int  krVPN4_delete(struct ktable *, struct kroute_full *, u_int8_t);
>  int  krVPN6_delete(struct ktable *, struct kroute_full *, u_int8_t);
>  void kr_net_delete(struct network *);
> -int  kr_net_match(struct ktable *, struct network_config *, u_int16_t);
> +int  kr_net_match(struct ktable *, struct network_config *, u_int16_t, int);
>  struct network *kr_net_find(struct ktable *, struct network *);
>  void kr_net_clear(struct ktable *);
>  void kr_redistribute(int, struct ktable *, struct kroute *);
> @@ -1318,7 +1318,8 @@ kr_net_redist_del(struct ktable *kt, str
>  }
>  
>  int
> -kr_net_match(struct ktable *kt, struct network_config *net, u_int16_t flags)
> +kr_net_match(struct ktable *kt, struct network_config *net, u_int16_t flags,
> +int loopback)
>  {
>   struct network  *xn;
>  
> @@ -1330,10 +1331,16 @@ kr_net_match(struct ktable *kt, struct n
>   /* static match already redistributed */
>   continue;
>   case NETWORK_STATIC:
> + /* Skip networks with nexthop on loopback. */
> + if (loopback)
> + continue;
>   if (flags & F_STATIC)
>   break;
>   continue;
>   case NETWORK_CONNECTED:
> + /* Skip networks with nexthop on loopback. */
> + if (loopback)
> + continue;
>   if (flags & F_CONNECTED)
>   break;
>   continue;
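Review bot: The new `loopback` argument is only consulted in the NETWORK_STATIC and NETWORK_CONNECTED cases, so any other match type handled by this switch now accepts routes whose nexthop is the loopback address, including reject and blackhole routes. That is the stated intent for rtlabel, but a configuration that relied on the old unconditional filter in kr_redistribute() will start announcing those prefixes after an upgrade. A comment above kr_net_match such as `/* loopback: nexthop is the loopback address; only static and connected matches filter on it */` and a line in the configuration manual would make the change visible to operators. The rest of the switch lies outside the hunk, so the behaviour of the other cases is inferred from the description rather than seen here.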
> @@ -1419,6 +1426,7 @@ kr_redistribute(int type, struct ktable 
>  {
>   struct network_confignet;
>   u_int32_ta;
> + int  loflag = 0;
>  
>   bzero(&net, sizeof(net));
>   net.prefix.aid = AID_INET;
> @@ -1449,9 +1457,9 @@ kr_redistribute(int type, struct ktable 
>   (a >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET)
>   return;
>  
> - /* Consider networks with nexthop loopback as not redistributable. */
> + /* Check if the nexthop is the loopback addr. */
>   if (kr->nexthop.s_addr == htonl(INADDR_LOOPBACK))
> - return;
> + loflag = 1;
>  
>   /*
>* never allow 0.0.0.0/0 the default route can only be redistributed
> @@ -1460,7 +1468,7 @@ kr_redistribute(int type, struct ktable 
>   if (kr->prefix.s_addr == INADDR_ANY && kr->prefixlen == 0)
>   return;
>  
> - if (kr_net_match(kt, &net, kr->flags) == 0)
> + if (kr_net_match(kt, &net, kr->flags, loflag) == 0)
>   /* no longer matches, if still present remove it */
>   kr_net_redist_del(kt, &net, 1);
>  }
> @@ -1468,7 +1476,8 @@ kr_redistribute(int type, struct ktable 
>  void
>  kr_redistribute6(int type, struct ktable *kt, struct kroute6 *kr6)
>  {
> - struct network_confignet;
> + struct network_config   net;
> + int loflag = 0;
>  
>   bzero(&net, sizeof(net));
>   net.prefix.aid = AID_INET6;
> @@ -1503,11 +1512,9 @@ kr_redistribute6(int type, struct ktable
>   IN6_IS_ADDR_V4COMPAT(&kr6->prefix))
>   return;
>  
> - /*
> -  * Consider networks with nexthop loopback as not redistributable.
> -  */
> + /* Check if the nexthop is the loopback addr. */
>   if (IN6_IS_ADDR_LOOPBACK(&kr6->nexthop))
> - return;
> + loflag = 1;
>  
>   /*
>* never allow ::/0 the default route can only be redistributed
> @@ -1517,7 +1524,7 @@ kr_redistribute6(int type, struct ktable
>   memcmp(&kr6->prefix, &in6addr_any, sizeof(struct in6_addr)) == 0)
>   return;
>  
> - if (kr_net_match(kt, &net, kr6->flags) == 0)
> + if (kr_net_match(kt, &net, kr6->flags, loflag) == 0)
>   /* no longer matches, if still present remove it */
>  

Re: bgpd show status of set tables

2020-12-29 Thread Sebastian Benoit
reads ok, benno@

Claudio Jeker(cje...@diehard.n-r-g.com) on 2020.12.29 10:33:53 +0100:
> On Thu, Dec 10, 2020 at 02:42:49PM +0100, Claudio Jeker wrote:
> > On Thu, Dec 03, 2020 at 10:59:29PM +0100, Claudio Jeker wrote:
> > > The use of roa-set, prefix-set and as-set is fairly common in bgpd.
> > > Still sometimes it is not exactly clear how old the data in those tables
> > > is. This diff is a first step at improving inspection by adding
> > >   bgpctl show sets
> > > 
> > > Sample output is:
> > > Type   Name          #IPv4   #Ipv6 #ASnum Last Change
> > > ROA    RPKI ROA     158810   26257      - 00:00:07
> > > ASNUM  asns_AS15600      -       -     26 01:19:10
> > > PREFIX p4_AS21040        8       0      - 01:19:10
> > > 
> > > I just did a bgpctl reload with a new roa table (generated by rpki-client)
> > > but the as-set and prefix-set did not change during this reload.
> > > The output also includes the number of entries in the tables but in the
> > > case of roa-set the number of unique prefixes is counted. So the number is
> > > a bit under the count from rpki-client because e.g.
> > > 1.32.219.0/24 source-as 4842
> > > 1.32.219.0/24 source-as 138570
> > > are counted as 1 right now (instead of 2 prefixes).
> > > 
> > > More statistics can be added if their calculation is easy.
> > 
> > Am I the only one interested in knowing how old my set data is?
> 
> Any feedback on this? This should help people to detect issues where
> rpki-client or bgpq3 fail to produce updates.
> 
> -- 
> :wq Claudio
> 
> PS: apply diff in /usr/src/usr.sbin
> 
> Index: bgpctl/bgpctl.c
> ===
> RCS file: /cvs/src/usr.sbin/bgpctl/bgpctl.c,v
> retrieving revision 1.263
> diff -u -p -r1.263 bgpctl.c
> --- bgpctl/bgpctl.c   10 May 2020 13:38:46 -  1.263
> +++ bgpctl/bgpctl.c   3 Dec 2020 20:17:14 -
> @@ -213,6 +213,9 @@ main(int argc, char *argv[])
>   case SHOW_INTERFACE:
>   imsg_compose(ibuf, IMSG_CTL_SHOW_INTERFACE, 0, 0, -1, NULL, 0);
>   break;
> + case SHOW_SET:
> + imsg_compose(ibuf, IMSG_CTL_SHOW_SET, 0, 0, -1, NULL, 0);
> + break;
>   case SHOW_NEIGHBOR:
>   case SHOW_NEIGHBOR_TIMERS:
>   case SHOW_NEIGHBOR_TERSE:
> @@ -393,6 +396,7 @@ show(struct imsg *imsg, struct parse_res
>   struct ctl_timer*t;
>   struct ctl_show_interface   *iface;
>   struct ctl_show_nexthop *nh;
> + struct ctl_show_set *set;
>   struct kroute_full  *kf;
>   struct ktable   *kt;
>   struct ctl_show_rib  rib;
> @@ -466,6 +470,10 @@ show(struct imsg *imsg, struct parse_res
>   memcpy(&hash, imsg->data, sizeof(hash));
>   output->rib_hash(&hash);
>   break;
> + case IMSG_CTL_SHOW_SET:
> + set = imsg->data;
> + output->set(set);
> + break;
>   case IMSG_CTL_RESULT:
>   if (imsg->hdr.len != IMSG_HEADER_SIZE + sizeof(rescode)) {
>   warnx("got IMSG_CTL_RESULT with wrong len");
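Review bot: The IMSG_CTL_SHOW_SET case passes `imsg->data` to `output->set()` as a `struct ctl_show_set *` without checking the payload length, while the IMSG_CTL_RESULT case directly below validates `imsg->hdr.len` first. A short or empty message on the control socket would make the output callback read past the received data. A guard such as `if (imsg->hdr.len < IMSG_HEADER_SIZE + sizeof(*set)) { warnx("got IMSG_CTL_SHOW_SET with wrong len"); break; }` before the assignment would match the neighbouring case. Copying into a local with memcpy, as the rib_hash case above does, would also avoid depending on the alignment of the message buffer. show() starts and ends outside the hunk.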
> @@ -974,6 +982,23 @@ fmt_ext_community(u_int8_t *data)
>   log_ext_subtype(type, subtype),
>   (unsigned long long)be64toh(ext));
>   return buf;
> + }
> +}
> +
> +const char *
> +fmt_set_type(struct ctl_show_set *set)
> +{
> + switch (set->type) {
> + case ROA_SET:
> + return "ROA";
> + case PREFIX_SET:
> + return "PREFIX";
> + case ORIGIN_SET:
> + return "ORIGIN";
> + case ASNUM_SET:
> + return "ASNUM";
> + default:
> + return "BULA";
>   }
>  }
>  
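Review bot: The `default` branch of fmt_set_type returns the string "BULA", which tells an operator nothing when bgpctl and bgpd disagree about the set type, for example after a partial upgrade. `return "UNKNOWN";` would read better in the Type column. A one-line comment above the function saying that it maps `set->type` to the label printed by `bgpctl show sets` would also help.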
> Index: bgpctl/bgpctl.h
> ===
> RCS file: /cvs/src/usr.sbin/bgpctl/bgpctl.h,v
> retrieving revision 1.7
> diff -u -p -r1.7 bgpctl.h
> --- bgpctl/bgpctl.h   2 May 2020 14:33:33 -   1.7
> +++ bgpctl/bgpctl.h   3 Dec 2020 20:12:34 -
> @@ -30,6 +30,7 @@ struct output {
>   struct parse_result *);
>   void(*rib_hash)(struct rde_hashstats *);
>   void(*rib_mem)(struct rde_memstats *);
> + void(*set)(struct ctl_show_set *);
>   void(*result)(u_int);
>   void(*tail)(void);
>  };
> @@ -53,3 +54,4 @@ const char  *fmt_attr(u_int8_t, int);
>  const char   *fmt_community(u_int16_t, u_int16_t);
>  const char   *fmt_large_community(u_int32_t, u_int32_t, u_int32_t);
>  const char   *fmt_ext_community(u_int8_t *);
> +const char   *fmt_set_type(struct ctl_show_set *);
> Index: bgpctl/output.c
> ===
> RCS file: /cvs/src/usr.sbin/bgpctl/output.c,v
> retrieving revision 1.10
> diff -u -p -r1.10 output.c
> --- bgpctl/output.c   21 Oct 2020 06:52:45 -  1.10
> +++ b

Re: bgpd: getifaddrs ifa_addr NULL check

2020-12-29 Thread Sebastian Benoit
Claudio Jeker(cje...@diehard.n-r-g.com) on 2020.12.29 10:29:00 +0100:
> On Thu, Dec 17, 2020 at 01:26:09PM +0100, Claudio Jeker wrote:
> > getifaddrs can return a struct ifaddrs entry with a NULL ifa_addr.
> > I think an unnumbered point-to-point interface can trigger this.
> > So better check for it before accessing anything in ifa_addr.
> 
> I will commit this later today. The change is obvious and simple.
>  

yes, ok benno@


> -- 
> :wq Claudio
> 
> Index: config.c
> ===
> RCS file: /cvs/src/usr.sbin/bgpd/config.c,v
> retrieving revision 1.95
> diff -u -p -r1.95 config.c
> --- config.c  14 Feb 2020 13:54:31 -  1.95
> +++ config.c  4 Dec 2020 11:46:33 -
> @@ -339,7 +339,8 @@ get_bgpid(void)
>   fatal("getifaddrs");
>  
>   for (ifa = ifap; ifa; ifa = ifa->ifa_next) {
> - if (ifa->ifa_addr->sa_family != AF_INET)
> + if (ifa->ifa_addr == NULL ||
> + ifa->ifa_addr->sa_family != AF_INET)
>   continue;
>   cur = ((struct sockaddr_in *)ifa->ifa_addr)->sin_addr.s_addr;
>   if ((cur & localnet) == localnet)   /* skip 127/8 */
> Index: session.c
> ===
> RCS file: /cvs/src/usr.sbin/bgpd/session.c,v
> retrieving revision 1.406
> diff -u -p -r1.406 session.c
> --- session.c 11 Dec 2020 12:00:01 -  1.406
> +++ session.c 17 Dec 2020 12:18:54 -
> @@ -1223,7 +1223,8 @@ get_alternate_addr(struct sockaddr *sa, 
>   fatal("getifaddrs");
>  
>   for (match = ifap; match != NULL; match = match->ifa_next)
> - if (sa_cmp(sa, match->ifa_addr) == 0)
> + if (match->ifa_addr != NULL &&
> + sa_cmp(sa, match->ifa_addr) == 0)
>   break;
>  
>   if (match == NULL) {
> @@ -1234,7 +1235,8 @@ get_alternate_addr(struct sockaddr *sa, 
>   switch (sa->sa_family) {
>   case AF_INET6:
>   for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) {
> - if (ifa->ifa_addr->sa_family == AF_INET &&
> + if (ifa->ifa_addr != NULL &&
> + ifa->ifa_addr->sa_family == AF_INET &&
>   strcmp(ifa->ifa_name, match->ifa_name) == 0) {
>   sa2addr(ifa->ifa_addr, alt, NULL);
>   break;
> @@ -1243,10 +1245,12 @@ get_alternate_addr(struct sockaddr *sa, 
>   break;
>   case AF_INET:
>   for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) {
> - struct sockaddr_in6 *s =
> - (struct sockaddr_in6 *)ifa->ifa_addr;
> - if (ifa->ifa_addr->sa_family == AF_INET6 &&
> + if (ifa->ifa_addr != NULL &&
> + ifa->ifa_addr->sa_family == AF_INET6 &&
>   strcmp(ifa->ifa_name, match->ifa_name) == 0) {
> + struct sockaddr_in6 *s =
> + (struct sockaddr_in6 *)ifa->ifa_addr;
> +
>   /* only accept global scope addresses */
>   if (IN6_IS_ADDR_LINKLOCAL(&s->sin6_addr) ||
>   IN6_IS_ADDR_SITELOCAL(&s->sin6_addr))
> 



Re: kern.video.record man page updates

2020-12-29 Thread Sebastian Benoit
ok.

maybe add a line to current.html so that people are not surprised that their
video is no longer working after upgrade.

/Benno


Marcus Glocker(mar...@nazgul.ch) on 2020.12.28 23:47:54 +0100:
> Since I'm receiving various private queries about documenting the new
> kern.video.record sysctl(2) variable, I send the diff I've created
> already for the man page updates here.
> 
> OK?  (I'm happy if others want to do improvements afterwards in-tree)
> 
> 
> Index: share/man/man4/video.4
> ===
> RCS file: /cvs/src/share/man/man4/video.4,v
> retrieving revision 1.18
> diff -u -p -u -p -r1.18 video.4
> --- share/man/man4/video.431 Jul 2020 18:17:17 -  1.18
> +++ share/man/man4/video.428 Dec 2020 20:09:50 -
> @@ -40,6 +40,16 @@ Therefore this document mainly describes
>  which are supported by the
>  .Nm
>  driver.
> +.Pp
> +For security reasons video recording is disabled by default.
> +To achieve this, the
> +.Nm
> +driver will blank the image data received from the underlying video hardware
> +driver.
> +The superuser can change this behavior by the
> +.Va kern.video.record
> +.Xr sysctl 2
> +variable.
>  .Sh IOCTLS
>  The following
>  .Xr ioctl 2
> Index: share/man/man8/afterboot.8
> ===
> RCS file: /cvs/src/share/man/man8/afterboot.8,v
> retrieving revision 1.167
> diff -u -p -u -p -r1.167 afterboot.8
> --- share/man/man8/afterboot.823 Oct 2020 20:37:45 -  1.167
> +++ share/man/man8/afterboot.828 Dec 2020 20:09:50 -
> @@ -414,6 +414,14 @@ Normal audio recording can be enabled by
>  .Xr sysctl.conf 5 :
>  .Pp
>  .Dl kern.audio.record=1
> +.Ss Video recording
> +The
> +.Xr video 4
> +driver by default records only blanked images.
> +Normal video recording can be enabled by adding the following directive to
> +.Xr sysctl.conf 5 :
> +.Pp
> +.Dl kern.video.record=1
>  .Ss Mail aliases
>  Edit
>  .Pa /etc/mail/aliases
> Index: lib/libc/sys/sysctl.2
> ===
> RCS file: /cvs/src/lib/libc/sys/sysctl.2,v
> retrieving revision 1.41
> diff -u -p -u -p -r1.41 sysctl.2
> --- lib/libc/sys/sysctl.2 4 Aug 2020 09:32:05 -   1.41
> +++ lib/libc/sys/sysctl.2 28 Dec 2020 20:09:50 -
> @@ -491,6 +491,7 @@ information.
>  .It Dv KERN_TTYCOUNT Ta "integer" Ta "no"
>  .It Dv KERN_UTC_OFFSET Ta "integer" Ta "yes"
>  .It Dv KERN_VERSION Ta "string" Ta "no"
> +.It Dv KERN_VIDEO Ta "node" Ta "yes"
>  .It Dv KERN_WATCHDOG Ta "node" Ta "not applicable"
>  .It Dv KERN_WITNESS Ta "node" Ta "not applicable"
>  .It Dv KERN_WXABORT Ta "integer" Ta "yes"
> @@ -1104,6 +1105,23 @@ greater than 0,
>  this variable may not be changed.
>  .It Dv KERN_VERSION Pq Va kern.version
>  The system version string.
> +.It Dv KERN_VIDEO Pq Va kern.video
> +Control device-independent aspects of the
> +.Xr video 4
> +subsystem.
> +Currently, there is one subnode:
> +.Bl -column "KERN_VIDEO_RECORD" "integer" "Changeable" -offset indent
> +.It Sy "Third level name" Ta Sy "Type" Ta Sy "Changeable"
> +.It Dv KERN_VIDEO_RECORD Ta "integer" Ta "yes"
> +.El
> +.Pp
> +Its meaning is as follows:
> +.Bl -tag -width "123456"
> +.It Dv KERN_VIDEO_RECORD Pq Va kern.video.record
> +If set to the default value of 0, recording is disabled by default
> +for all video devices.
> +Otherwise, video recording is enabled by default.
> +.El
>  .It Dv KERN_WATCHDOG Pq Va kern.watchdog
>  Return information on hardware watchdog timers.
>  If the kernel does not support a hardware watchdog timer,
> 



Re: bgpd refactor roa-set internals

2020-12-29 Thread Sebastian Benoit


ok.

Claudio Jeker(cje...@diehard.n-r-g.com) on 2020.12.29 10:23:53 +0100:
> On Fri, Dec 18, 2020 at 11:36:33AM +0100, Claudio Jeker wrote:
> > In preparation for RTR support this diff changes the internal
> > representation of roa-set to a simple RB tree based on struct roa.
> > The big difference is that overlapping roas, e.g.
> > 10/8 source-as 3
> > 10/8 maxlen 24 source-as 3
> > are now merged in the RDE and so bgpd -nv will show both entries instead
> > of only the second one.
> > 
> > On my testbox there is no difference in OVS state between a -current bgpd
> > and the one with this diff applied. More testing welcome.
> 
> Ping. I would like to get this in so I can reduce the size of my RTR work
> in progress diff.
> 
> -- 
> :wq Claudio
> 
> Index: bgpd.c
> ===
> RCS file: /cvs/src/usr.sbin/bgpd/bgpd.c,v
> retrieving revision 1.230
> diff -u -p -r1.230 bgpd.c
> --- bgpd.c5 Nov 2020 11:52:59 -   1.230
> +++ bgpd.c18 Dec 2020 10:27:44 -
> @@ -502,6 +502,7 @@ send_config(struct bgpd_config *conf)
>   struct as_set   *aset;
>   struct prefixset*ps;
>   struct prefixset_item   *psi, *npsi;
> + struct roa  *roa, *nroa;
>  
>   reconfpending = 2;  /* one per child */
>  
> @@ -567,7 +568,6 @@ send_config(struct bgpd_config *conf)
>   if (imsg_compose(ibuf_rde, IMSG_RECONF_PREFIX_SET_ITEM,
>   0, 0, -1, psi, sizeof(*psi)) == -1)
>   return (-1);
> - set_free(psi->set);
>   free(psi);
>   }
>   free(ps);
> @@ -579,23 +579,12 @@ send_config(struct bgpd_config *conf)
>   if (imsg_compose(ibuf_rde, IMSG_RECONF_ORIGIN_SET, 0, 0, -1,
>   ps->name, sizeof(ps->name)) == -1)
>   return (-1);
> - RB_FOREACH_SAFE(psi, prefixset_tree, &ps->psitems, npsi) {
> - struct roa_set *rs;
> - size_t i, l, n;
> - RB_REMOVE(prefixset_tree, &ps->psitems, psi);
> - rs = set_get(psi->set, &n);
> - for (i = 0; i < n; i += l) {
> - l = (n - i > 1024 ? 1024 : n - i);
> - if (imsg_compose(ibuf_rde,
> - IMSG_RECONF_ROA_SET_ITEMS,
> - 0, 0, -1, rs + i, l * sizeof(*rs)) == -1)
> - return -1;
> - }
> - if (imsg_compose(ibuf_rde, IMSG_RECONF_PREFIX_SET_ITEM,
> - 0, 0, -1, psi, sizeof(*psi)) == -1)
> + RB_FOREACH_SAFE(roa, roa_tree, &ps->roaitems, nroa) {
> + RB_REMOVE(roa_tree, &conf->roa, roa);
> + if (imsg_compose(ibuf_rde, IMSG_RECONF_ROA_ITEM, 0, 0,
> + -1, roa, sizeof(*roa)) == -1)
>   return (-1);
> - set_free(psi->set);
> - free(psi);
> + free(roa);
>   }
>   free(ps);
>   }
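Review bot: In the origin-set loop the iteration walks `&ps->roaitems` but the removal is `RB_REMOVE(roa_tree, &conf->roa, roa)`, so each node is unlinked from a tree it was not taken from and then freed while `ps->roaitems` still links it. This looks like a copy of the roa-set loop in the next hunk, where `&conf->roa` really is the tree being walked; here the line should probably read `RB_REMOVE(roa_tree, &ps->roaitems, roa);`. Both loops also return -1 from a failed imsg_compose() after the node has been removed, which leaves it neither in the tree nor freed, though the removed code followed the same pattern. send_config() starts and ends outside the hunk.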
> @@ -604,23 +593,12 @@ send_config(struct bgpd_config *conf)
>   if (imsg_compose(ibuf_rde, IMSG_RECONF_ROA_SET, 0, 0, -1,
>   NULL, 0) == -1)
>   return (-1);
> - RB_FOREACH_SAFE(psi, prefixset_tree, &conf->roa, npsi) {
> - struct roa_set *rs;
> - size_t i, l, n;
> - RB_REMOVE(prefixset_tree, &conf->roa, psi);
> - rs = set_get(psi->set, &n);
> - for (i = 0; i < n; i += l) {
> - l = (n - i > 1024 ? 1024 : n - i);
> - if (imsg_compose(ibuf_rde,
> - IMSG_RECONF_ROA_SET_ITEMS,
> - 0, 0, -1, rs + i, l * sizeof(*rs)) == -1)
> - return -1;
> - }
> - if (imsg_compose(ibuf_rde, IMSG_RECONF_PREFIX_SET_ITEM,
> - 0, 0, -1, psi, sizeof(*psi)) == -1)
> + RB_FOREACH_SAFE(roa, roa_tree, &conf->roa, nroa) {
> + RB_REMOVE(roa_tree, &conf->roa, roa);
> + if (imsg_compose(ibuf_rde, IMSG_RECONF_ROA_ITEM, 0, 0,
> + -1, roa, sizeof(*roa)) == -1)
>   return (-1);
> - set_free(psi->set);
> - free(psi);
> + free(roa);
>   }
>   }
>  
> Index: bgpd.h
> ===
> RCS file: /cvs/src/usr.sbin/bgpd/bgpd.h,v
> retrieving revision 1.405
> diff -u -p -r1.405 bgpd.h
> --- bgpd.h5 Nov 2020 11:52:59 -   1.405
> +++ bgpd.h18 Dec 

usr.sbin/* getifaddrs ifa_addr NULL check

2020-12-29 Thread Sebastian Benoit
Hi,

Claudio's bgpd diff and Florian mentioning rad(8) made me look into usr.sbin/
for getifaddrs() usage. I think these need a NULL check as well.

ok?

diff --git usr.sbin/ospf6d/parse.y usr.sbin/ospf6d/parse.y
index f163e24149d..509aa2f2e88 100644
--- usr.sbin/ospf6d/parse.y
+++ usr.sbin/ospf6d/parse.y
@@ -1253,7 +1253,8 @@ get_rtr_id(void)
for (ifa = ifap; ifa; ifa = ifa->ifa_next) {
if (strncmp(ifa->ifa_name, "carp", 4) == 0)
continue;
-   if (ifa->ifa_addr->sa_family != AF_INET)
+   if (ifa->ifa_addr == NULL ||
+   ifa->ifa_addr->sa_family != AF_INET)
continue;
cur = ((struct sockaddr_in *)ifa->ifa_addr)->sin_addr.s_addr;
if ((cur & localnet) == localnet)   /* skip 127/8 */
diff --git usr.sbin/ospfd/parse.y usr.sbin/ospfd/parse.y
index a09696504f8..3fbcca0c911 100644
--- usr.sbin/ospfd/parse.y
+++ usr.sbin/ospfd/parse.y
@@ -1469,7 +1469,8 @@ get_rtr_id(void)
for (ifa = ifap; ifa; ifa = ifa->ifa_next) {
if (strncmp(ifa->ifa_name, "carp", 4) == 0)
continue;
-   if (ifa->ifa_addr->sa_family != AF_INET)
+   if (ifa->ifa_addr == NULL ||
+   ifa->ifa_addr->sa_family != AF_INET)
continue;
cur = ((struct sockaddr_in *)ifa->ifa_addr)->sin_addr.s_addr;
if ((cur & localnet) == localnet)   /* skip 127/8 */
diff --git usr.sbin/pppd/sys-bsd.c usr.sbin/pppd/sys-bsd.c
index e8deee6d2ff..73f0e287938 100644
--- usr.sbin/pppd/sys-bsd.c
+++ usr.sbin/pppd/sys-bsd.c
@@ -1334,6 +1334,8 @@ get_ether_addr(ipaddr, hwaddr)
  * address on the same subnet as `ipaddr'.
  */
 for (ifa = ifap; ifa; ifa = ifa->ifa_next) {
+   if (ifa->ifa_addr == NULL)
+   continue;
if (ifa->ifa_addr->sa_family == AF_INET) {
ina = ((struct sockaddr_in *)ifa->ifa_addr)->sin_addr.s_addr;
/*
@@ -1367,6 +1369,8 @@ get_ether_addr(ipaddr, hwaddr)
  */
 ifp = ifa;
 for (ifa = ifap; ifa; ifa = ifa->ifa_next) {
+   if (ifa->ifa_addr == NULL)
+   continue;
if (strcmp(ifp->ifa_name, ifa->ifa_name) == 0
&& ifa->ifa_addr->sa_family == AF_LINK) {
/*
@@ -1418,8 +1422,9 @@ GetMask(addr)
/*
 * Check the interface's internet address.
 */
-   if (ifa->ifa_addr->sa_family != AF_INET)
-   continue;
+   if (ifa->ifa_addr == NULL ||
+   ifa->ifa_addr->sa_family != AF_INET)
+   continue;
ina = ((struct sockaddr_in *)ifa->ifa_addr)->sin_addr.s_addr;
if ((ntohl(ina) & nmask) != (addr & nmask))
continue;
diff --git usr.sbin/rad/frontend.c usr.sbin/rad/frontend.c
index b69e9b7b0a3..c4dcf46e068 100644
--- usr.sbin/rad/frontend.c
+++ usr.sbin/rad/frontend.c
@@ -731,7 +731,8 @@ get_link_state(char *if_name)
return LINK_STATE_UNKNOWN;
}
for (ifa = ifap; ifa; ifa = ifa->ifa_next) {
-   if (ifa->ifa_addr->sa_family != AF_LINK)
+   if (ifa->ifa_addr == NULL ||
+   ifa->ifa_addr->sa_family != AF_LINK)
continue;
if (strcmp(if_name, ifa->ifa_name) != 0)
continue;
@@ -969,7 +970,8 @@ interface_has_linklocal_address(char *name)
for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) {
if (strcmp(name, ifa->ifa_name) != 0)
continue;
-   if (ifa->ifa_addr->sa_family != AF_INET6)
+   if (ifa->ifa_addr == NULL ||
+   ifa->ifa_addr->sa_family != AF_INET6)
continue;
 
sin6 = (struct sockaddr_in6 *)ifa->ifa_addr;
@@ -1013,7 +1015,8 @@ get_interface_prefixes(struct ra_iface *ra_iface, struct 
ra_prefix_conf
for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) {
if (strcmp(ra_iface->name, ifa->ifa_name) != 0)
continue;
-   if (ifa->ifa_addr->sa_family != AF_INET6)
+   if (ifa->ifa_addr == NULL ||
+   ifa->ifa_addr->sa_family != AF_INET6)
continue;
 
sin6 = (struct sockaddr_in6 *)ifa->ifa_addr;
diff --git usr.sbin/rarpd/rarpd.c usr.sbin/rarpd/rarpd.c
index f3227883404..7652dcd3c4f 100644
--- usr.sbin/rarpd/rarpd.c
+++ usr.sbin/rarpd/rarpd.c
@@ -200,6 +200,8 @@ init_all(void)
error("getifaddrs: %s", strerror(errno));
 
for (ifa = ifap; ifa; ifa = ifa->ifa_next) {
+   if (ifa->ifa_addr == NULL)
+   continue;
sdl = (struct sockaddr_dl *)ifa->ifa_addr;
if (sdl->sdl_family != AF_LINK || sdl->sdl_type != IFT_ETHER ||
sdl->sdl_alen != 6)
@@ -513,6 +515,8 @@ lookup_addrs(char *ifname, struct if_info *p)
for (ifa = ifap; i

more getifaddrs ifa_addr NULL checks

2020-12-29 Thread Sebastian Benoit


More missing checks, outside of usr.sbin.

Missing: isakmpd and ifconfig
I have not yet looked at libc internal use, libpcap and regress/.

ok?

diff --git sbin/iked/parse.y sbin/iked/parse.y
index aedbb74f3fd..b02ff55d4e7 100644
--- sbin/iked/parse.y
+++ sbin/iked/parse.y
@@ -2166,7 +2166,8 @@ ifa_load(void)
err(1, "ifa_load: getifaddrs");
 
for (ifa = ifap; ifa; ifa = ifa->ifa_next) {
-   if (!(ifa->ifa_addr->sa_family == AF_INET ||
+   if (ifa->ifa_addr == NULL ||
+   !(ifa->ifa_addr->sa_family == AF_INET ||
ifa->ifa_addr->sa_family == AF_INET6 ||
ifa->ifa_addr->sa_family == AF_LINK))
continue;
diff --git sbin/ipsecctl/parse.y sbin/ipsecctl/parse.y
index d61f6d5e151..5121d8bb655 100644
--- sbin/ipsecctl/parse.y
+++ sbin/ipsecctl/parse.y
@@ -1827,7 +1827,8 @@ ifa_load(void)
err(1, "ifa_load: getifaddrs");
 
for (ifa = ifap; ifa; ifa = ifa->ifa_next) {
-   if (!(ifa->ifa_addr->sa_family == AF_INET ||
+   if (ifa->ifa_addr == NULL ||
+   !(ifa->ifa_addr->sa_family == AF_INET ||
ifa->ifa_addr->sa_family == AF_INET6 ||
ifa->ifa_addr->sa_family == AF_LINK))
continue;
diff --git sbin/pfctl/pfctl_parser.c sbin/pfctl/pfctl_parser.c
index 32b14d8b4cb..164b0639a48 100644
--- sbin/pfctl/pfctl_parser.c
+++ sbin/pfctl/pfctl_parser.c
@@ -1352,7 +1352,8 @@ ifa_load(void)
err(1, "getifaddrs");
 
for (ifa = ifap; ifa; ifa = ifa->ifa_next) {
-   if (!(ifa->ifa_addr->sa_family == AF_INET ||
+   if (ifa->ifa_addr == NULL ||
+   !(ifa->ifa_addr->sa_family == AF_INET ||
ifa->ifa_addr->sa_family == AF_INET6 ||
ifa->ifa_addr->sa_family == AF_LINK))
continue;
diff --git sbin/route/route.c sbin/route/route.c
index c13f5b6be07..e1d31902e98 100644
--- sbin/route/route.c
+++ sbin/route/route.c
@@ -506,7 +506,8 @@ setsource(int argc, char **argv)
for (ifa = ifap; ifa; ifa = ifa->ifa_next) {
if (if_nametoindex(ifa->ifa_name) != ifindex)
continue;
-   if (!(ifa->ifa_addr->sa_family == AF_INET ||
+   if (ifa->ifa_addr == NULL ||
+   !(ifa->ifa_addr->sa_family == AF_INET ||
ifa->ifa_addr->sa_family == AF_INET6))
continue;
if ((af != AF_UNSPEC) &&
diff --git sbin/slaacd/frontend.c sbin/slaacd/frontend.c
index 6bdfc92339d..0e877d03bdb 100644
--- sbin/slaacd/frontend.c
+++ sbin/slaacd/frontend.c
@@ -584,6 +584,8 @@ update_autoconf_addresses(uint32_t if_index, char* if_name)
for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) {
if (strcmp(if_name, ifa->ifa_name) != 0)
continue;
+   if (ifa->ifa_addr == NULL)
+   continue;
 
if (ifa->ifa_addr->sa_family == AF_LINK)
imsg_link_state.link_state =
@@ -937,6 +939,8 @@ get_lladdr(char *if_name, struct ether_addr *mac, struct 
sockaddr_in6 *ll)
for (ifa = ifap; ifa != NULL; ifa = ifa->ifa_next) {
if (strcmp(if_name, ifa->ifa_name) != 0)
continue;
+   if (ifa->ifa_addr == NULL)
+   continue;
 
switch(ifa->ifa_addr->sa_family) {
case AF_LINK:
diff --git usr.bin/netstat/route.c usr.bin/netstat/route.c
index 9e8e22ba54b..1aef3f9cd3c 100644
--- usr.bin/netstat/route.c
+++ usr.bin/netstat/route.c
@@ -368,7 +368,8 @@ rdomainpr(void)
 
getifaddrs(&ifap);
for (ifa = ifap; ifa; ifa = ifa->ifa_next) {
-   if (ifa->ifa_addr->sa_family != AF_LINK)
+   if (ifa->ifa_addr == NULL ||
+   ifa->ifa_addr->sa_family != AF_LINK)
continue;
ifd = ifa->ifa_data;
if (rdom_if[ifd->ifi_rdomain] == NULL) {
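Review bot: The context line `getifaddrs(&ifap);` ignores the return value, so on failure the loop that now carries the NULL check walks whatever `ifap` held before the call. Unless `ifap` is initialised to NULL above the hunk, that is a dereference of an indeterminate pointer. `if (getifaddrs(&ifap) == -1) err(1, "getifaddrs");` would bring this in line with the other callers touched by this series. rdomainpr() starts and ends outside the hunk.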
diff --git usr.bin/rusers/rusers.c usr.bin/rusers/rusers.c
index 53f50a8ce6a..124ebd6cc9c 100644
--- usr.bin/rusers/rusers.c
+++ usr.bin/rusers/rusers.c
@@ -558,7 +558,8 @@ allhosts(void)
 */
for (i = 0; i < 6; i++) {
for (ifa = ifap; ifa; ifa = ifa->ifa_next) {
-   if (ifa->ifa_addr->sa_family != AF_INET ||
+   if (ifa->ifa_addr == NULL ||
+   ifa->ifa_addr->sa_family != AF_INET ||
!(ifa->ifa_flags & IFF_BROADCAST) ||
!(ifa->ifa_flags & IFF_UP) ||
ifa->ifa_broadaddr == NULL ||



getifaddrs ifa_addr NULL checks round 3

2020-12-29 Thread Sebastian Benoit
Another set of NULL checks in programs under usr.sbin/

ok?

diff --git usr.sbin/eigrpd/parse.y usr.sbin/eigrpd/parse.y
index f024e3cf0cd..0ac9431e829 100644
--- usr.sbin/eigrpd/parse.y
+++ usr.sbin/eigrpd/parse.y
@@ -1246,7 +1246,8 @@ get_rtr_id(void)
for (ifa = ifap; ifa; ifa = ifa->ifa_next) {
if (strncmp(ifa->ifa_name, "carp", 4) == 0)
continue;
-   if (ifa->ifa_addr->sa_family != AF_INET)
+   if (ifa->ifa_addr == NULL ||
+   ifa->ifa_addr->sa_family != AF_INET)
continue;
cur = ((struct sockaddr_in *)ifa->ifa_addr)->sin_addr.s_addr;
if ((cur & localnet) == localnet)   /* skip 127/8 */
diff --git usr.sbin/httpd/parse.y usr.sbin/httpd/parse.y
index b3c8786aaee..a1afcc799c1 100644
--- usr.sbin/httpd/parse.y
+++ usr.sbin/httpd/parse.y
@@ -2124,7 +2124,8 @@ host_if(const char *s, struct addresslist *al, int max,
 
  nextaf:
for (p = ifap; p != NULL && cnt < max; p = p->ifa_next) {
-   if (p->ifa_addr->sa_family != af ||
+   if (p->ifa_addr == NULL ||
+   p->ifa_addr->sa_family != af ||
(strcmp(s, p->ifa_name) != 0 &&
!is_if_in_group(p->ifa_name, s)))
continue;
diff --git usr.sbin/ifstated/ifstated.c usr.sbin/ifstated/ifstated.c
index 225f5aaa9e0..248c2a7d2bd 100644
--- usr.sbin/ifstated/ifstated.c
+++ usr.sbin/ifstated/ifstated.c
@@ -642,7 +642,8 @@ fetch_ifstate(int do_eval)
fatal("getifaddrs");
 
for (ifa = ifap; ifa; ifa = ifa->ifa_next) {
-   if (ifa->ifa_addr->sa_family == AF_LINK) {
+   if (ifa->ifa_addr != NULL &&
+   ifa->ifa_addr->sa_family == AF_LINK) {
struct if_data *ifdata = ifa->ifa_data;
scan_ifstate(ifa->ifa_name, ifdata->ifi_link_state,
do_eval);
diff --git usr.sbin/inetd/inetd.c usr.sbin/inetd/inetd.c
index 4627ef81148..24a08c9b901 100644
--- usr.sbin/inetd/inetd.c
+++ usr.sbin/inetd/inetd.c
@@ -487,7 +487,8 @@ dg_broadcast(struct in_addr *in)
if (getifaddrs(&ifap) == -1)
return (0);
for (ifa = ifap; ifa; ifa = ifa->ifa_next) {
-   if (ifa->ifa_addr->sa_family != AF_INET ||
+   if (ifa->ifa_addr == NULL ||
+   ifa->ifa_addr->sa_family != AF_INET ||
(ifa->ifa_flags & IFF_BROADCAST) == 0)
continue;
sin = (struct sockaddr_in *)ifa->ifa_broadaddr;
diff --git usr.sbin/ldapd/parse.y usr.sbin/ldapd/parse.y
index c003b3fcb6a..1e3801383fa 100644
--- usr.sbin/ldapd/parse.y
+++ usr.sbin/ldapd/parse.y
@@ -1122,6 +1122,8 @@ interface(const char *s, const char *cert,
for (p = ifap; p != NULL; p = p->ifa_next) {
if (strcmp(s, p->ifa_name) != 0)
continue;
+   if (p->ifa_addr == NULL)
+   continue;
 
switch (p->ifa_addr->sa_family) {
case AF_INET:
diff --git usr.sbin/mrouted/cfparse.y usr.sbin/mrouted/cfparse.y
index 0b8af93ea21..bf06644987c 100644
--- usr.sbin/mrouted/cfparse.y
+++ usr.sbin/mrouted/cfparse.y
@@ -558,7 +558,8 @@ ifconfaddr(a)
return (NULL);
 
 for (ifa = ifap; ifa; ifa = ifa->ifa_next) {
-   if (ifa->ifa_addr->sa_family == AF_INET &&
+   if (ifa->ifa_addr != NULL &&
+   ifa->ifa_addr->sa_family == AF_INET &&
((struct sockaddr_in *)ifa->ifa_addr)->sin_addr.s_addr == a) {
strlcpy(ifname, ifa->ifa_name, sizeof(ifname));
freeifaddrs(ifap);
diff --git usr.sbin/mtrace/mtrace.c usr.sbin/mtrace/mtrace.c
index 5acf9ab3171..15b44fc92f7 100644
--- usr.sbin/mtrace/mtrace.c
+++ usr.sbin/mtrace/mtrace.c
@@ -284,8 +284,9 @@ get_netmask(int s, u_int32_t dst)
return (retval);
 }
 for (ifa = ifap; ifa; ifa = ifa->ifa_next) {
-   if (ifa->ifa_addr->sa_family != AF_INET)
- continue;
+   if (ifa->ifa_addr == NULL ||
+   ifa->ifa_addr->sa_family != AF_INET)
+   continue;
if_addr = ((struct sockaddr_in *)ifa->ifa_addr)->sin_addr.s_addr;
if_mask = ((struct sockaddr_in *)ifa->ifa_netmask)->sin_addr.s_addr;
if ((dst & if_mask) == (if_addr & if_mask)) {
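Review bot: Two lines after the new check the loop dereferences `ifa->ifa_netmask` with no NULL test, and getifaddrs(3) documents that field as NULL when no netmask is set. For an AF_INET entry a netmask is normally present, so this is probably hard to reach, but extending the guard to `if (ifa->ifa_addr == NULL || ifa->ifa_netmask == NULL || ifa->ifa_addr->sa_family != AF_INET)` closes it at no cost. get_netmask() continues outside the hunk.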
diff --git usr.sbin/npppd/common/net_utils.c usr.sbin/npppd/common/net_utils.c
index e282f0dd2b5..c13679c116a 100644
--- usr.sbin/npppd/common/net_utils.c
+++ usr.sbin/npppd/common/net_utils.c
@@ -48,9 +48,10 @@ get_ifname_by_sockaddr(struct sockaddr *sa, char *ifname)
ifname0 = NULL;
/* I want other way than linear search */
getifaddrs(&addr0);
-   for (addr = addr0; ifname0 == NULL&& addr != NULL;
+   for (addr = addr0; ifname0 == NULL && addr != NULL;
addr = addr->ifa_next) {
-   if (addr->ifa_addr->sa_family != 

getifaddrs ifa_addr NULL checks, last set

2020-12-29 Thread Sebastian Benoit
Hi,

these last ones are a bit different from the others:

Two cases in libc, two in ifconfig, and one in isakmpd that is a bit tricky.

comments?
ok?

diff --git lib/libc/rpc/get_myaddress.c lib/libc/rpc/get_myaddress.c
index d0ac78f796e..b84968e1807 100644
--- lib/libc/rpc/get_myaddress.c
+++ lib/libc/rpc/get_myaddress.c
@@ -67,6 +67,7 @@ get_myaddress(struct sockaddr_in *addr)
   again:
for (ifa = ifap; ifa; ifa = ifa->ifa_next) {
if ((ifa->ifa_flags & IFF_UP) &&
+   ifa->ifa_addr != NULL &&
ifa->ifa_addr->sa_family == AF_INET &&
(loopback == 1 && (ifa->ifa_flags & IFF_LOOPBACK))) {
*addr = *((struct sockaddr_in *)ifa->ifa_addr);
diff --git lib/libc/rpc/pmap_rmt.c lib/libc/rpc/pmap_rmt.c
index 097999b5ae6..a6c41cf7175 100644
--- lib/libc/rpc/pmap_rmt.c
+++ lib/libc/rpc/pmap_rmt.c
@@ -163,7 +163,8 @@ newgetbroadcastnets(struct in_addr **addrsp)
return 0;
 
for (ifa = ifap; ifa; ifa = ifa->ifa_next) {
-   if (ifa->ifa_addr->sa_family != AF_INET)
+   if (ifa->ifa_addr == NULL ||
+   ifa->ifa_addr->sa_family != AF_INET)
continue;
if ((ifa->ifa_flags & IFF_BROADCAST) &&
(ifa->ifa_flags & IFF_UP) &&
@@ -180,7 +181,8 @@ newgetbroadcastnets(struct in_addr **addrsp)
}
 
for (ifa = ifap; ifa; ifa = ifa->ifa_next) {
-   if (ifa->ifa_addr->sa_family != AF_INET)
+   if (ifa->ifa_addr == NULL ||
+   ifa->ifa_addr->sa_family != AF_INET)
continue;
if ((ifa->ifa_flags & IFF_BROADCAST) &&
(ifa->ifa_flags & IFF_UP) &&
diff --git regress/sys/netinet/in_pcbbind/runtest.c 
regress/sys/netinet/in_pcbbind/runtest.c
index e26d2832dce..bb93cc71415 100644
--- regress/sys/netinet/in_pcbbind/runtest.c
+++ regress/sys/netinet/in_pcbbind/runtest.c
@@ -415,7 +415,8 @@ main(int argc, char *argv[])
err(2, "getifaddrs()");
curifa = ifap;
while (curifa) {
-   if (memcmp(curifa->ifa_addr,
+   if (curifa->ifa_addr != NULL &&
+   memcmp(curifa->ifa_addr,
mifa->ai_addr,
mifa->ai_addrlen) == 0)
break;
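Review bot: The added NULL test still lets `memcmp()` read `mifa->ai_addrlen` bytes from `curifa->ifa_addr` regardless of how long that entry's own sockaddr is, so an entry of a shorter address family could be read past its end. Since `sa_len` is available here (the ifconfig hunk in the same diff uses it), the condition could also require `curifa->ifa_addr->sa_len == mifa->ai_addrlen` before comparing. The `while` loop continues outside the hunk.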
diff --git sbin/ifconfig/ifconfig.c sbin/ifconfig/ifconfig.c
index 3799cc3a8e9..4dfcc628ce6 100644
--- sbin/ifconfig/ifconfig.c
+++ sbin/ifconfig/ifconfig.c
@@ -1180,12 +1180,13 @@ printif(char *name, int ifaliases)
}
}
/* quickhack: sizeof(ifr) < sizeof(ifr6) */
-   if (ifa->ifa_addr->sa_family == AF_INET6) {
+   if (ifa->ifa_addr != NULL &&
+   ifa->ifa_addr->sa_family == AF_INET6) {
memset(&ifr6, 0, sizeof(ifr6));
memcpy(&ifr6.ifr_addr, ifa->ifa_addr,
MINIMUM(sizeof(ifr6.ifr_addr), 
ifa->ifa_addr->sa_len));
ifrp = (struct ifreq *)&ifr6;
-   } else {
+   } else if (ifa->ifa_addr != NULL) {
memset(&ifr, 0, sizeof(ifr));
memcpy(&ifr.ifr_addr, ifa->ifa_addr,
MINIMUM(sizeof(ifr.ifr_addr), 
ifa->ifa_addr->sa_len));
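Review bot: With both branches now guarded by `ifa->ifa_addr != NULL`, an entry without an address leaves `ifrp` unassigned for that iteration, yet the next hunk still runs `strlcpy(ifrp->ifr_name, ifa->ifa_name, sizeof(ifrp->ifr_name));` unconditionally. `ifrp` then points at whatever the previous iteration selected, or is uninitialised on the first pass unless something outside the hunks sets it. Skipping such entries once, with `if (ifa->ifa_addr == NULL) continue;` ahead of the quickhack block, would cover this and replace the separate NULL tests in the following two hunks. Whether an early `continue` is acceptable depends on the code between the hunks, which is not shown.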
@@ -1194,7 +1195,8 @@ printif(char *name, int ifaliases)
strlcpy(ifname, ifa->ifa_name, sizeof(ifname));
strlcpy(ifrp->ifr_name, ifa->ifa_name, sizeof(ifrp->ifr_name));
 
-   if (ifa->ifa_addr->sa_family == AF_LINK) {
+   if (ifa->ifa_addr != NULL &&
+   ifa->ifa_addr->sa_family == AF_LINK) {
namep = ifa->ifa_name;
if (getinfo(ifrp, 0) < 0)
continue;
@@ -1209,8 +1211,9 @@ printif(char *name, int ifaliases)
if (!namep || !strcmp(namep, ifa->ifa_name)) {
const struct afswtch *p;
 
-   if (ifa->ifa_addr->sa_family == AF_INET &&
-   ifaliases == 0 && noinet == 0)
+   if (ifa->ifa_addr == NULL ||
+   (ifa->ifa_addr->sa_family == AF_INET &&
+   ifaliases == 0 && noinet == 0))
continue;
if ((p = afp) != NULL) {
if (ifa->ifa_addr->sa_family == p->af_af)
diff --git sbin/isakmpd/virtual.c sbin/isakmpd/virtual.c
index 52a692a72c0..6d0db8cd004 100644
--- sbin/isakmpd/virtual.c
+++ sbin/isakmpd/virtual.c
@@ -334,17 +334,23 @@ virtual_bind_if(char *ifname, struct sockaddr *if_addr, 
void *arg)
char*addr_str;
int  s, error;
 
-   if (sockaddr2text(if_addr, &addr_str, 0))
+   addr_str = 0;
+   if (if_ad

npppd: result of getifaddrs() not used?

2020-12-29 Thread Sebastian Benoit
It seems to me that this call to getifaddrs() is actually not needed.

ok?

diff --git usr.sbin/npppd/pppoe/pppoed.c usr.sbin/npppd/pppoe/pppoed.c
index 5b3f09dccb1..bae41732199 100644
--- usr.sbin/npppd/pppoe/pppoed.c
+++ usr.sbin/npppd/pppoe/pppoed.c
@@ -458,7 +459,6 @@ pppoed_reload(pppoed *_this, struct pppoe_confs *pppoe_conf)
 {
inti, count, do_start, found;
struct pppoe_conf *conf;
-   struct ifaddrs*ifa0;
slist  rmlist, newlist;
struct {
char ifname[IF_NAMESIZE];
@@ -470,15 +470,9 @@ pppoed_reload(pppoed *_this, struct pppoe_confs 
*pppoe_conf)
hash_link *hl;
 
do_start = 0;
-   ifa0 = NULL;
slist_init(&rmlist);
slist_init(&newlist);
 
-   if (getifaddrs(&ifa0) != 0) {
-   pppoed_log(_this, LOG_ERR,
-   "getifaddrs() failed on %s(): %m", __func__);
-   goto fail;
-   }
count = 0;
TAILQ_FOREACH(conf, pppoe_conf, entry) {
strlcpy(listeners[count].ifname, conf->if_name,
@@ -563,8 +557,6 @@ pppoed_reload(pppoed *_this, struct pppoe_confs *pppoe_conf)
 
slist_fini(&rmlist);
slist_fini(&newlist);
-   if (ifa0 != NULL)
-   freeifaddrs(ifa0);
 
if (pppoed_start(_this) != 0)
return 1;
@@ -573,8 +565,6 @@ pppoed_reload(pppoed *_this, struct pppoe_confs *pppoe_conf)
 fail:
slist_fini(&rmlist);
slist_fini(&newlist);
-   if (ifa0 != NULL)
-   freeifaddrs(ifa0);
 
return 1;
 }



getifaddrs(3) manpage improvement

2020-12-29 Thread Sebastian Benoit
Hi,

maybe add a hint about the needed check?

comments?
ok?

diff --git lib/libc/net/getifaddrs.3 lib/libc/net/getifaddrs.3
index 26eac493202..946c2d9a9b0 100644
--- lib/libc/net/getifaddrs.3
+++ lib/libc/net/getifaddrs.3
@@ -74,13 +74,13 @@ Contains the interface flags, as set by
 References either the address of the interface or the link level
 address of the interface, if one exists, otherwise it is
 .Dv NULL .
-(The
+After checking for NULL, the
 .Fa sa_family
 field of the
 .Fa ifa_addr
-field should be consulted to determine the format of the
+struct should be consulted to determine the format of the
 .Fa ifa_addr
-address.)
+address.
 .It Fa ifa_netmask
 References the netmask associated with
 .Fa ifa_addr ,
@@ -119,6 +119,23 @@ is dynamically allocated and should be freed using
 when no longer needed.
 .Sh RETURN VALUES
 .Rv -std
+.Sh EXAMPLES
+The interface addresses can be accessed through
+*ifa_addr
+like this:
+.Bd -literal -offset indent
+struct ifaddrs  *ifap, *ifa;
+struct sockaddr_in6 *sin6;
+
+if (getifaddrs(&ifap) == -1)
+fatal("getifaddrs");
+
+for (ifa = ifap; ifa; ifa = ifa->ifa_next) {
+if (ifa->ifa_addr == NULL ||
+   ifa->ifa_addr->sa_family != AF_INET6)
+continue;
+sin6 = (struct sockaddr_in6 *)ifa->ifa_addr;
+.Ed
 .Sh ERRORS
 The
 .Fn getifaddrs



Re: acme-client(1): backup certs

2021-01-03 Thread Sebastian Benoit
ok

Florian Obser(flor...@openbsd.org) on 2021.01.02 17:23:11 +0100:
> 
> Create .1 backup files when acme-client is going to overwrite a
> certificate file.
> 
> These files are not terribly big and it's convenient to keep one
> previous file around for example if one adds or removes domains to the
> certificate and then wants to revoke the previous one.
> 
> (Note that it's kinda difficult to revoke the old certificate with
> acme-client currently. The whole revoke machinery needs to be
> overhauled. I have ideas...)
> 
> Comments, OKs?
> 
> diff --git acme-client.conf.5 acme-client.conf.5
> index 3c5fd1c2362..3fdd40a5eb0 100644
> --- acme-client.conf.5
> +++ acme-client.conf.5
> @@ -149,6 +149,11 @@ The filename of the certificate that will be issued.
>  This is optional if
>  .Ar domain full chain certificate
>  is specified.
> +A backup with name
> +.Ar file.1
> +is created if
> +.Ar file
> +exists.
>  .It Ic domain chain certificate Ar file
>  The filename in which to store the certificate chain
>  that will be returned by the certificate authority.
> @@ -156,6 +161,11 @@ It needs to be in the same directory as the
>  .Ar domain certificate
>  (or in a subdirectory) and can be specified as a relative or absolute path.
>  This setting is optional.
> +A backup with name
> +.Ar file.1
> +is created if
> +.Ar file
> +exists.
>  .It Ic domain full chain certificate Ar file
>  The filename in which to store the full certificate chain
>  that will be returned by the certificate authority.
> @@ -170,6 +180,11 @@ in one file, and is required by most browsers.
>  This is optional if
>  .Ar domain certificate
>  is specified.
> +A backup with name
> +.Ar file.1
> +is created if
> +.Ar file
> +exists.
>  .It Ic sign with Ar authority
>  The certificate authority (as declared above in the
>  .Sx AUTHORITIES
> diff --git fileproc.c fileproc.c
> index b7cdff5525d..cc3aa293712 100644
> --- fileproc.c
> +++ fileproc.c
> @@ -34,6 +34,19 @@ serialise(const char *real, const char *v, size_t vsz, 
> const char *v2, size_t v2
>   int   fd;
>   char *tmp;
>  
> + /* create backup hardlink */
> + if (asprintf(&tmp, "%s.1", real) == -1) {
> + warn("asprintf");
> + return 0;
> + }
> + (void) unlink(tmp);
> + if (link(real, tmp) == -1 && errno != ENOENT) {
> + warn("link");
> + free(tmp);
> + return 0;
> + }
> + free(tmp);
> +
>   /*
>* Write into backup location, overwriting.
>* Then atomically do the rename.
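Review bot: The previous backup is removed by `unlink(tmp)` before `link(real, tmp)` is known to succeed, so any link failure other than ENOENT leaves no `.1` file at all and makes `serialise` return 0 before the new certificate is written. Linking to a scratch name in the same directory and then renaming it over `tmp` with rename(2) would keep the old backup until the new one exists. The diagnostic would also be easier to act on with the path included, e.g. `warn("%s", tmp);` in place of `warn("link");`. `serialise` starts and ends outside the hunk.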
> 
> -- 
> I'm not entirely sure you are real.
> 



Re: fix opsfd parse.y shit/reduce conflicts

2021-01-06 Thread Sebastian Benoit
Thanks,
i think the dependon might have been my fault.

code reads ok.

I also checked a few configs, including an artificial one that uses depend
on.

/Benno

Claudio Jeker(cje...@diehard.n-r-g.com) on 2021.01.06 11:11:49 +0100:
> The dependon statement in ospfd parse.y introduces some troubles since it
> holds an empty rule that then conflicts with optnl.
> This diff changes dependon into dependon and dependonopt so that in the
> place where it is optional dependonopt can be used and in the places where
> it must not be optional it isn't. With this the shift/reduce conflicts are
> gone. While at it cleanup some other rules and use the same optnl idiom
> for area and interface (it is the same one as used by bgpd).
> 
> Please test this with your configs to see if this causes any parse errors
> (ospfd -n should be enough for this).
> -- 
> :wq Claudio
> 
> 
> Index: parse.y
> ===
> RCS file: /cvs/src/usr.sbin/ospfd/parse.y,v
> retrieving revision 1.101
> diff -u -p -r1.101 parse.y
> --- parse.y   29 Dec 2020 19:44:47 -  1.101
> +++ parse.y   6 Jan 2021 10:10:23 -
> @@ -144,7 +144,7 @@ typedef struct {
>  %token NUMBER
>  %type  yesno no optlist optlist_l option demotecount 
> msec
>  %type  deadtime
> -%type  string dependon
> +%type  string dependon dependonopt
>  %type  redistribute
>  %type  areaid
>  
> @@ -297,7 +297,7 @@ conf_main : ROUTERID STRING {
>   ;
>  
>  
> -redistribute : no REDISTRIBUTE NUMBER '/' NUMBER optlist dependon {
> +redistribute : no REDISTRIBUTE NUMBER '/' NUMBER optlist dependonopt {
>   struct redistribute *r;
>  
>   if ((r = calloc(1, sizeof(*r))) == NULL)
> @@ -323,7 +323,7 @@ redistribute  : no REDISTRIBUTE NUMBER '/
>   free($7);
>   $$ = r;
>   }
> - | no REDISTRIBUTE STRING optlist dependon {
> + | no REDISTRIBUTE STRING optlist dependonopt {
>   struct redistribute *r;
>  
>   if ((r = calloc(1, sizeof(*r))) == NULL)
> @@ -426,8 +426,10 @@ option   : METRIC NUMBER {
>   }
>   ;
>  
> -dependon : /* empty */   { $$ = NULL; }
> - | DEPEND ON STRING  {
> +dependonopt  : /* empty */   { $$ = NULL; }
> + | dependon
> +
> +dependon : DEPEND ON STRING  {
>   struct in_addr   addr;
>   struct kif  *kif;
>  
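Review bot: The new `dependonopt` rule has no terminating `;` before `dependon :` begins, unlike the other rules visible in this diff (`areaopts_l`, `interface_block`, `interfaceopts_l`), which all close with `;`. yacc accepts the omission, but a `;` line after `| dependon` keeps the grammar consistent and guards against a later rule being inserted between the two. The bare alternative also relies on the default `$$ = $1` action; a short `/* default action: $$ = $1 */` comment would make that explicit. The body of `dependon` continues outside the hunk.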
> @@ -599,7 +601,7 @@ area  : AREA areaid {
>   memcpy(&areadefs, defs, sizeof(areadefs));
>   md_list_copy(&areadefs.md_list, &defs->md_list);
>   defs = &areadefs;
> - } '{' optnl areaopts_l '}' {
> + } '{' optnl areaopts_l optnl '}' {
>   area = NULL;
>   md_list_clr(&defs->md_list);
>   defs = &globaldefs;
> @@ -627,8 +629,8 @@ areaid: NUMBER {
>   }
>   ;
>  
> -areaopts_l   : areaopts_l areaoptsl nl
> - | areaoptsl optnl
> +areaopts_l   : areaopts_l nl areaoptsl
> + | areaoptsl
>   ;
>  
>  areaoptsl: interface
> @@ -739,13 +741,13 @@ interface   : INTERFACE STRING  {
>   }
>   ;
>  
> -interface_block  : '{' optnl interfaceopts_l '}'
> +interface_block  : '{' optnl interfaceopts_l optnl '}'
>   | '{' optnl '}'
> - |
> + | /* empty */
>   ;
>  
> -interfaceopts_l  : interfaceopts_l interfaceoptsl nl
> - | interfaceoptsl optnl
> +interfaceopts_l  : interfaceopts_l nl interfaceoptsl
> + | interfaceoptsl
>   ;
>  
>  interfaceoptsl   : PASSIVE   { iface->passive = 1; }
> 



Re: bgpd simplify update path

2021-01-08 Thread Sebastian Benoit
Claudio Jeker(cje...@diehard.n-r-g.com) on 2021.01.07 19:34:23 +0100:
> When bgpd generates an UPDATE to update or withdraw prefixes it does this
> from rde_generate_updates() and then descends into up_generate_update().
> Now there is up_test_update() that checks if a new prefix is actually OK
> to be distributed. It checks things for route reflectors and the common
> communities (NO_EXPORT, ...). There are a few more checks that are pure
> peer config checks and those should be moved up to rde_generate_updates().
> 
> Last but not least there is this bit about ORIGINATOR_ID which seems
> sensible but on second thought I think it is actually wrong and an
> extension on top of the RFC. Since I think this code currently has not the
> right withdraw behaviour I decided it is the best to just remove it.

I think it should not matter because the receiving router will do the same
check (against its own id) and ignore the update:

A router [that recognizes the ORIGINATOR_ID attribute] SHOULD
ignore a route received with its BGP Identifier as the ORIGINATOR_ID.
(RFC 4456)

However your change is correct because the RFC does say that the receiver
should make this decision. We do seem to correctly check that when
receiving updates in rde_reflector().

> This code simplifies the return of up_test_update() to a pure true / false
> case and make up_generate_update() simpler. Also I think doing the peer
> checks early on will improve performance.

ok benno@
one whitespace error below

> 
> Please review :)
> -- 
> :wq Claudio
> 
> Index: rde.c
> ===
> RCS file: /cvs/src/usr.sbin/bgpd/rde.c,v
> retrieving revision 1.510
> diff -u -p -r1.510 rde.c
> --- rde.c 30 Dec 2020 07:29:56 -  1.510
> +++ rde.c 7 Jan 2021 17:04:53 -
> @@ -2814,7 +2814,8 @@ rde_send_kroute(struct rib *rib, struct 
>  void
>  rde_generate_updates(struct rib *rib, struct prefix *new, struct prefix *old)
>  {
> - struct rde_peer *peer;
> + struct rde_peer *peer;
> + u_int8_t aid;
>  
>   /*
>* If old is != NULL we know it was active and should be removed.
> @@ -2824,6 +2825,11 @@ rde_generate_updates(struct rib *rib, st
>   if (old == NULL && new == NULL)
>   return;
>  
> + if (new)
> + aid = new->pt->aid;
> + else
> + aid = old->pt->aid;
> +
>   LIST_FOREACH(peer, &peerlist, peer_l) {
>   if (peer->conf.id == 0)
>   continue;
> @@ -2831,6 +2837,14 @@ rde_generate_updates(struct rib *rib, st
>   continue;
>   if (peer->state != PEER_UP)
>   continue;
> + /* check if peer actually supports the address family */
> + if (peer->capa.mp[aid] == 0)
> + continue;
> + /* skip peers with special export types */

spaces instead of tabs


> + if (peer->conf.export_type == EXPORT_NONE ||
> + peer->conf.export_type == EXPORT_DEFAULT_ROUTE)
> + continue;
> +
>   up_generate_updates(out_rules, peer, new, old);
>   }
>  }
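Review bot: The export-type skip now sits in front of `up_generate_updates()`, so it suppresses withdraws as well as announcements, but the comment explaining why that is safe is deleted from `up_test_update()` in rde_update.c and not carried over. Extending the new comment, for example `/* skip peers with special export types; the old prefix is filtered as well, so no withdraw is needed */`, would keep that reasoning next to the check. `rde_generate_updates` starts outside the hunk.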
> Index: rde_update.c
> ===
> RCS file: /cvs/src/usr.sbin/bgpd/rde_update.c,v
> retrieving revision 1.123
> diff -u -p -r1.123 rde_update.c
> --- rde_update.c  24 Jan 2020 05:44:05 -  1.123
> +++ rde_update.c  7 Jan 2021 18:13:45 -
> @@ -47,11 +47,9 @@ static struct communitycomm_no_expsubco
>  static int
>  up_test_update(struct rde_peer *peer, struct prefix *p)
>  {
> - struct bgpd_addr addr;
>   struct rde_aspath   *asp;
>   struct rde_community*comm;
>   struct rde_peer *prefp;
> - struct attr *attr;
>  
>   if (p == NULL)
>   /* no prefix available */
> @@ -70,10 +68,6 @@ up_test_update(struct rde_peer *peer, st
>   if (asp->flags & F_ATTR_LOOP)
>   fatalx("try to send out a looped path");
>  
> - pt_getaddr(p->pt, &addr);
> - if (peer->capa.mp[addr.aid] == 0)
> - return (-1);
> -
>   if (!prefp->conf.ebgp && !peer->conf.ebgp) {
>   /*
>* route reflector redistribution rules:
> @@ -90,16 +84,6 @@ up_test_update(struct rde_peer *peer, st
>   return (0);
>   }
>  
> - /* export type handling */
> - if (peer->conf.export_type == EXPORT_NONE ||
> - peer->conf.export_type == EXPORT_DEFAULT_ROUTE) {
> - /*
> -  * no need to withdraw old prefix as this will be
> -  * filtered out as well.
> -  */
> - return (-1);
> - }
> -
>   /* well known communities */
>   if (community_match(comm, &comm_no_advertise, NULL))
>   return (0);
> @@ -110,18 +94,6 @@ up_test_update(struct rde_peer *peer, st
>

OpenBSD Errata: January 11th, 2021 (nd6)

2021-01-11 Thread Sebastian Benoit
Errata patches for the kernel have been released for OpenBSD 6.7 and 6.8.

When an NDP entry is invalidated the associated layer 2 address is not
invalidated.

Binary updates for the amd64, i386, and arm64 platforms are available via
the syspatch utility. Source code patches can be found on the respective
errata page:

  https://www.openbsd.org/errata67.html
  https://www.openbsd.org/errata68.html

As these affect the kernel, a reboot will be needed after patching.



Re: Make ospf6d work on point-to-point links

2021-01-12 Thread Sebastian Benoit
Claudio Jeker(cje...@diehard.n-r-g.com) on 2021.01.12 10:07:57 +0100:
> On Wed, Jan 06, 2021 at 01:02:50PM +0100, Claudio Jeker wrote:
> > The code in ospf6d is a bit broken when it comes to point-to-point links.
> > This diff fixes this by a) using the neighbor address instead of the unset
> > interface destination address and by b) matching the incoming packet
> > against all possible IPs of that interface.
> > 
> > I tripped on b) because my P2P interface has more than one link-local
> > address and the code just likes to select the wrong one.
> > 
> > This works for my case, please check I did not break something else.
> 
> So this seems to work. Anyone wants to OK else I will commit this later
> today.

Code reads ok.
Did not get around to testing it.

> 
> > -- 
> > :wq Claudio
> > 
> > Index: lsupdate.c
> > ===
> > RCS file: /cvs/src/usr.sbin/ospf6d/lsupdate.c,v
> > retrieving revision 1.18
> > diff -u -p -r1.18 lsupdate.c
> > --- lsupdate.c  15 Jul 2020 14:47:41 -  1.18
> > +++ lsupdate.c  6 Jan 2021 11:28:43 -
> > @@ -474,7 +474,7 @@ ls_retrans_timer(int fd, short event, vo
> > /* ls_retrans_list_free retriggers the timer */
> > return;
> > } else if (nbr->iface->type == IF_TYPE_POINTOPOINT)
> > -   memcpy(&addr, &nbr->iface->dst, sizeof(addr));
> > +   memcpy(&addr, &nbr->addr, sizeof(addr));
> > else
> > inet_pton(AF_INET6, AllDRouters, &addr);
> > } else
> > Index: packet.c
> > ===
> > RCS file: /cvs/src/usr.sbin/ospf6d/packet.c,v
> > retrieving revision 1.17
> > diff -u -p -r1.17 packet.c
> > --- packet.c23 Dec 2019 07:33:49 -  1.17
> > +++ packet.c6 Jan 2021 11:52:08 -
> > @@ -82,12 +82,9 @@ send_packet(struct iface *iface, struct 
> >  struct in6_addr *dst)
> >  {
> > struct sockaddr_in6 sa6;
> > -   struct msghdr   msg;
> > -   struct ioveciov[1];
> >  
> > -   /* setup buffer */
> > +   /* setup sockaddr */
> > bzero(&sa6, sizeof(sa6));
> > -
> > sa6.sin6_family = AF_INET6;
> > sa6.sin6_len = sizeof(sa6);
> > sa6.sin6_addr = *dst;
> > @@ -104,15 +101,8 @@ send_packet(struct iface *iface, struct 
> > return (-1);
> > }
> >  
> > -   bzero(&msg, sizeof(msg));
> > -   msg.msg_name = &sa6;
> > -   msg.msg_namelen = sizeof(sa6);
> > -   iov[0].iov_base = buf->buf;
> > -   iov[0].iov_len = ibuf_size(buf);
> > -   msg.msg_iov = iov;
> > -   msg.msg_iovlen = 1;
> > -
> > -   if (sendmsg(iface->fd, &msg, 0) == -1) {
> > +   if (sendto(iface->fd, buf->buf, ibuf_size(buf), 0,
> > +   (struct sockaddr *)&sa6, sizeof(sa6)) == -1) {
> > log_warn("send_packet: error sending packet on interface %s",
> > iface->name);
> > return (-1);
> > @@ -186,11 +176,16 @@ recv_packet(int fd, short event, void *b
> >  * AllDRouters is only valid for DR and BDR but this is checked later.
> >  */
> > inet_pton(AF_INET6, AllSPFRouters, &addr);
> > -
> > if (!IN6_ARE_ADDR_EQUAL(&dest, &addr)) {
> > inet_pton(AF_INET6, AllDRouters, &addr);
> > if (!IN6_ARE_ADDR_EQUAL(&dest, &addr)) {
> > -   if (!IN6_ARE_ADDR_EQUAL(&dest, &iface->addr)) {
> > +   struct iface_addr *ia;
> > +
> > +   TAILQ_FOREACH(ia, &iface->ifa_list, entry) {
> > +   if (IN6_ARE_ADDR_EQUAL(&dest, &ia->addr))
> > +   break;
> > +   }
> > +   if (ia == NULL) {
> > log_debug("recv_packet: packet sent to wrong "
> > "address %s, interface %s",
> > log_in6addr(&dest), iface->name);
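Review bot: The new loop accepts a packet whose destination equals any entry of `iface->ifa_list`. If that list also holds non-link-local addresses (its contents are not visible here), unicast packets addressed to a global address of the interface would now pass this check where only `iface->addr` did before. If only link-local destinations are intended, the match could be narrowed to `if (IN6_IS_ADDR_LINKLOCAL(&ia->addr) && IN6_ARE_ADDR_EQUAL(&dest, &ia->addr))`. `recv_packet` starts and ends outside the hunk.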
> > 
> 



OpenBSD Errata: January 13th, 2021 (carp)

2021-01-13 Thread Sebastian Benoit
Errata patches for the kernel have been released for OpenBSD 6.8.

Use of bpf(4) on a carp interface could result in a use after free
error.

Binary updates for the amd64, i386, and arm64 platforms are available via
the syspatch utility. Source code patches can be found on the respective
errata page:

  https://www.openbsd.org/errata68.html

As these affect the kernel, a reboot will be needed after patching.



Re: more refactor bgpd route decision process

2021-01-13 Thread Sebastian Benoit
Claudio Jeker(cje...@diehard.n-r-g.com) on 2021.01.13 13:10:23 +0100:
> This is another cleanup round of the route decision process.
> This time focusing on prefix_cmp(). Make sure that when using
> return (a - b) that the results always fits in an int type.
> Also make sure the check of the remote_addr at the end is done
> properly. The result is probably the same but this is the same
> way it is done in many other places.
> 
> Unless I made a mistake the result should still be the same.

ok


> -- 
> :wq Claudio
> 
> ? obj
> Index: rde_decide.c
> ===
> RCS file: /cvs/src/usr.sbin/bgpd/rde_decide.c,v
> retrieving revision 1.79
> diff -u -p -r1.79 rde_decide.c
> --- rde_decide.c  13 Jan 2021 11:34:01 -  1.79
> +++ rde_decide.c  13 Jan 2021 12:08:21 -
> @@ -113,12 +113,12 @@ prefix_cmp(struct prefix *p1, struct pre
>   struct rde_peer *peer1, *peer2;
>   struct attr *a;
>   u_int32_tp1id, p2id;
> - int  p1cnt, p2cnt;
> + int  p1cnt, p2cnt, i;
>  
>   if (p1 == NULL)
> - return (-1);
> + return -1;
>   if (p2 == NULL)
> - return (1);
> + return 1;
>  
>   asp1 = prefix_aspath(p1);
>   asp2 = prefix_aspath(p2);
> @@ -127,15 +127,15 @@ prefix_cmp(struct prefix *p1, struct pre
>  
>   /* pathes with errors are not eligible */
>   if (asp1 == NULL || asp1->flags & F_ATTR_PARSE_ERR)
> - return (-1);
> + return -1;
>   if (asp2 == NULL || asp2->flags & F_ATTR_PARSE_ERR)
> - return (1);
> + return 1;
>  
>   /* only loop free pathes are eligible */
>   if (asp1->flags & F_ATTR_LOOP)
> - return (-1);
> + return -1;
>   if (asp2->flags & F_ATTR_LOOP)
> - return (1);
> + return 1;
>  
>   /*
>* 1. check if prefix is eligible a.k.a reachable
> @@ -144,14 +144,16 @@ prefix_cmp(struct prefix *p1, struct pre
>*/
>   if (prefix_nexthop(p2) != NULL &&
>   prefix_nexthop(p2)->state != NEXTHOP_REACH)
> - return (1);
> + return 1;
>   if (prefix_nexthop(p1) != NULL &&
>   prefix_nexthop(p1)->state != NEXTHOP_REACH)
> - return (-1);
> + return -1;
>  
>   /* 2. local preference of prefix, bigger is better */
> - if ((asp1->lpref - asp2->lpref) != 0)
> - return (asp1->lpref - asp2->lpref);
> + if (asp1->lpref > asp2->lpref)
> + return 1;
> + if (asp1->lpref < asp2->lpref)
> + return -1;
>  
>   /* 3. aspath count, the shorter the better */
>   if ((asp2->aspath->ascnt - asp1->aspath->ascnt) != 0)
> @@ -161,12 +163,19 @@ prefix_cmp(struct prefix *p1, struct pre
>   if ((asp2->origin - asp1->origin) != 0)
>   return (asp2->origin - asp1->origin);
>  
> - /* 5. MED decision, only comparable between the same neighboring AS */
> - if (rde_decisionflags() & BGPD_FLAG_DECISION_MED_ALWAYS ||
> - aspath_neighbor(asp1->aspath) == aspath_neighbor(asp2->aspath))
> + /*
> +  * 5. MED decision
> +  * Only comparable between the same neighboring AS or if
> +  * 'rde med compare always' is set.
> +  */
> + if ((rde_decisionflags() & BGPD_FLAG_DECISION_MED_ALWAYS) ||
> + aspath_neighbor(asp1->aspath) == aspath_neighbor(asp2->aspath)) {
>   /* lowest value wins */
> - if ((asp2->med - asp1->med) != 0)
> - return (asp2->med - asp1->med);
> + if (asp1->med < asp2->med)
> + return 1;
> + if (asp1->med > asp2->med)
> + return -1;
> + }
>  
>   /*
>* 6. EBGP is cooler than IBGP
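Review bot: Two comparisons in `prefix_cmp()` still return a raw difference: `return (asp2->origin - asp1->origin);` at the top of this hunk and the `ascnt` comparison at the end of the previous one. Whether those always fit in an `int` depends on the field types, which are declared outside the diff. If they are narrow unsigned fields, a comment such as `/* difference of two narrow unsigned fields, always fits in an int */` would record why they were left alone. Otherwise they could take the same `>`/`<` form as the lpref, MED and weight checks. `prefix_cmp` starts and ends outside the hunk.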
> @@ -187,8 +196,10 @@ prefix_cmp(struct prefix *p1, struct pre
>* a metric that weights a prefix at a very late stage in the
>* decision process.
>*/
> - if ((asp1->weight - asp2->weight) != 0)
> - return (asp1->weight - asp2->weight);
> + if (asp1->weight > asp2->weight)
> + return 1;
> + if (asp1->weight < asp2->weight)
> + return -1;
>  
>   /* 8. nexthop costs. NOT YET -> IGNORE */
>  
> @@ -196,9 +207,12 @@ prefix_cmp(struct prefix *p1, struct pre
>* 9. older route (more stable) wins but only if route-age
>* evaluation is enabled.
>*/
> - if (rde_decisionflags() & BGPD_FLAG_DECISION_ROUTEAGE)
> - if ((p2->lastchange - p1->lastchange) != 0)
> - return (p2->lastchange - p1->lastchange);
> + if (rde_decisionflags() & BGPD_FLAG_DECISION_ROUTEAGE) {
> + if (p1->lastchange < p2->lastchange) /* p1 is older */
> + return 1;
> + if (p1->lastchange > p2->lastchange)
> + return -1;
> + }

Re: grep: add --null flag

2021-01-24 Thread Sebastian Benoit


Hi,

the diff looks good, i would change the wording in the manpage a bit, see
below.

Anyone else who wants to ok it?

/Benno

Omar Polo(o...@omarpolo.com) on 2021.01.22 12:19:08 +0100:
> 
> quasi three-weekly ping.
> 
> Is this such a bad idea?
> 
> (TBH: I have still to look at how to write a regression test for this)
> 
> Omar Polo  writes:
> 
> > Hello,
> >
> > There are various programs, especially the ones written with GNU grep in
> > mind, that expect various flags that grep in base doesn't have.  While
> > some of the flags (like --color) can be easily worked out (i.e. by
> > patching/customising these programs) one thing that it isn't easily
> > workable is --null, because it alters the way grep outputs its data.
> >
> > --null makes grep output an ASCII NUL byte after the file name, so a
> > program can parse the output of grep unambiguously even when the file
> > names contains "funny" characters, such as a newline.
> >
> > GNU grep isn't the only one with a --null flag, also FreeBSD and NetBSD
> > grep do (at least by looking at their manpages), so it's somewhat
> > widespread.
> >
> > I searched the archives on marc.info but I haven't seen a previous
> > discussion about this.
> >
> > The following patch was tried against GNU grep (installed from packages)
> > and seem to behave consistently.
> >
> > I used the same text of the FreeBSD/NetBSD manpage for the description
> > of the --null option, but I really dislike it: it feels way to verbose
> > for what it's trying to say, but I wasn't able to come up with something
> > better.
> >
> > I'm not familiar at all with the grep codebase, so I hope I'm not
> > missing something.  If this has some chances of being accepted, I guess
> > I should also add some regress test; I'll try to work on them soon, but
> > in the meantime I'm sending this.
> >
> > Thanks,
> >
> > Omar Polo
> 
> 
> diff e992327fc31d0277a6f8518613a7db1b9face78b /home/op/w/openbsd-src
> blob - 5cc228df222c54a0553f289b5da8bbbe6afd171e
> file + usr.bin/grep/grep.1
> --- usr.bin/grep/grep.1
> +++ usr.bin/grep/grep.1
> @@ -49,6 +49,7 @@
>  .Op Fl -context Ns Op = Ns Ar num
>  .Op Fl -label Ns = Ns Ar name
>  .Op Fl -line-buffered
> +.Op Fl -null
>  .Op Ar pattern
>  .Op Ar
>  .Ek
> @@ -297,6 +298,25 @@ instead of the filename before lines.
>  Force output to be line buffered.
>  By default, output is line buffered when standard output is a terminal
>  and block buffered otherwise.
> +.It Fl -null
> +Output a zero byte (the ASCII NUL character) instead of the character
> +that normally follows a file name.
> +For example,
> +.Nm Fl l Fl -null
> +outputs a zero byte after each file name instead of the usual newline.
> +This option makes the output unambiguous, even in the presence of file
> +names containing unusual characters like newlines.
> +This option can be used with commands like
> +.Xr find 1
> +.Fl print0 Ns ,
> +.Xr perl 1
> +.Fl 0 Ns ,
> +.Xr sort 1
> +.Fl z Ns , and
> +.Xr args 1

xargs ?

> +.Fl 0
> +to process arbitrary file names, even those that contain newline
> +characters.

This list of commands is a bit verbose.

I would rephrase it to match find(1):

 -null
 Print the pathname of the current file to standard output, followed by 
a null
 character, suitable for use with the -0 option to xargs(1).

If we dont list all these commands in find(1), why here? The list might be
incomplete anyway.

>  .El
>  .Sh EXIT STATUS
>  The
> blob - f41b5e20ca68c9e9a36d2f7dd3c44329c621f29b
> file + usr.bin/grep/grep.c
> --- usr.bin/grep/grep.c
> +++ usr.bin/grep/grep.c
> @@ -80,6 +80,7 @@ int  vflag; /* -v: only show non-matching lines */
>  int   wflag; /* -w: pattern must start and end on word boundaries */
>  int   xflag; /* -x: pattern must match entire line */
>  int   lbflag;/* --line-buffered */
> +int   nullflag;  /* --null */
>  const char *labelname;   /* --label=name */
>  
>  int binbehave = BIN_FILE_BIN;
> @@ -89,6 +90,7 @@ enum {
>   HELP_OPT,
>   MMAP_OPT,
>   LINEBUF_OPT,
> + NULL_OPT,
>   LABEL_OPT,
>  };
>  
> @@ -134,6 +136,7 @@ static const struct option long_options[] =
>   {"mmap",no_argument,NULL, MMAP_OPT},
>   {"label",   required_argument,  NULL, LABEL_OPT},
>   {"line-buffered",   no_argument,NULL, LINEBUF_OPT},
> + {"null",no_argument,NULL, NULL_OPT},
>   {"after-context",   required_argument,  NULL, 'A'},
>   {"before-context",  required_argument,  NULL, 'B'},
>   {"context", optional_argument,  NULL, 'C'},
> @@ -436,6 +439,9 @@ main(int argc, char *argv[])
>   case LINEBUF_OPT:
>   lbflag = 1;
>   break;
> + case NULL_OPT:
> + nullflag = 1;
> + break;
>   case HELP_OPT:
>   default:
>   

Re: grep: add --null flag

2021-01-24 Thread Sebastian Benoit
Theo de Raadt(dera...@openbsd.org) on 2021.01.24 16:01:32 -0700:
> Stuart Henderson  wrote:
> 
> > On 2021/01/24 12:10, Theo de Raadt wrote:
> > > I completely despise that the option is called "--null".
> > > 
> > > Someone was a complete idiot.
> > 
> > gnu grep has both --null and -z for this (why do they do that?!).
> > If it's added as --null it should be added as -z too.
> > 
> > Looking at Debian codesearch most things using it as --null use other
> > long options that we don't have. Maybe just adding as -z would be
> > enough. It does seem a useful and fairly widely supported feature.
> 
> Yes, maybe just add -z.

Actually it's "-Z, --null". The lowercase -z in gnu grep is

   -z, --null-data
  Treat input and output data as sequences of lines, each
  terminated by a zero byte (the ASCII NUL character) instead of
  a newline.  Like the -Z or --null option, this option can be
  used with commands like sort-z to process arbitrary file
  names.

Note that we have the -z in sort(1), which at least is consistent.
That also is a non-posix extension. 
 
> > Should have been -0 to match xargs and be similar to find's -print0
> > but it's too late for that now.
> 
> Yes it should have been -0.
> 
> But unfortunately some an uneducated idiot got involved.  None of this
> is standardized.  Unix script portability is being ruined by idiots, not
> just the people proposing it or writing it originally, but also the people
> who don't say "wrong" quickly enough.  And much of this is because of
> intentional development silos.
> 



Re: grep: add --null flag

2021-01-24 Thread Sebastian Benoit
Sebastian Benoit(be...@openbsd.org) on 2021.01.25 00:27:05 +0100:
> Theo de Raadt(dera...@openbsd.org) on 2021.01.24 16:01:32 -0700:
> > Stuart Henderson  wrote:
> > 
> > > On 2021/01/24 12:10, Theo de Raadt wrote:
> > > > I completely despise that the option is called "--null".
> > > > 
> > > > Someone was a complete idiot.
> > > 
> > > gnu grep has both --null and -z for this (why do they do that?!).
> > > If it's added as --null it should be added as -z too.
> > > 
> > > Looking at Debian codesearch most things using it as --null use other
> > > long options that we don't have. Maybe just adding as -z would be
> > > enough. It does seem a useful and fairly widely supported feature.
> > 
> > Yes, maybe just add -z.
> 
> Actually it's "-Z, --null". The lowercase -z in gnu grep is
> 
>-z, --null-data
>   Treat input and output data as sequences of lines, each
> terminated by a zero byte (the ASCII NUL character) instead of
> a newline.  Like the -Z or --null option, this option can be
> used with commands like sort-z to process arbitrary file
> names.

And we already have -z for "force grep to behave as zgrep".

Diff below with tedu@ suggestion and changed manpage text.

> 
> Note that we have the -z in sort(1), which at least is consistent.
> That also is a non-posix extension. 
>  
> > > Should have been -0 to match xargs and be similar to find's -print0
> > > but it's too late for that now.
> > 
> > Yes it should have been -0.
> > 
> > But unfortunately some an uneducated idiot got involved.  None of this
> > is standardized.  Unix script portability is being ruined by idiots, not
> > just the people proposing it or writing it originally, but also the people
> > who don't say "wrong" quickly enough.  And much of this is because of
> > intentional development silos.

diff --git usr.bin/grep/grep.1 usr.bin/grep/grep.1
index 5cc228df222..e1edae7e432 100644
--- usr.bin/grep/grep.1
+++ usr.bin/grep/grep.1
@@ -49,6 +49,7 @@
 .Op Fl -context Ns Op = Ns Ar num
 .Op Fl -label Ns = Ns Ar name
 .Op Fl -line-buffered
+.Op Fl -null
 .Op Ar pattern
 .Op Ar
 .Ek
@@ -297,6 +298,16 @@ instead of the filename before lines.
 Force output to be line buffered.
 By default, output is line buffered when standard output is a terminal
 and block buffered otherwise.
+.It Fl -null
+Output a zero byte instead of the character that normally follows a
+file name.
+This option makes the output unambiguous, even in the presence of file
+names containing unusual characters like newlines, making the output
+suitable for use with the
+.Fl 0
+option to
+.Xr xargs 1 .
+This option is a non-POSIX extension and may not be portable.
 .El
 .Sh EXIT STATUS
 The
diff --git usr.bin/grep/grep.c usr.bin/grep/grep.c
index f41b5e20ca6..279d949fae7 100644
--- usr.bin/grep/grep.c
+++ usr.bin/grep/grep.c
@@ -80,6 +80,7 @@ intvflag; /* -v: only show non-matching lines */
 int wflag; /* -w: pattern must start and end on word boundaries */
 int xflag; /* -x: pattern must match entire line */
 int lbflag;/* --line-buffered */
+int nullflag;  /* --null */
 const char *labelname; /* --label=name */
 
 int binbehave = BIN_FILE_BIN;
@@ -89,6 +90,7 @@ enum {
HELP_OPT,
MMAP_OPT,
LINEBUF_OPT,
+   NULL_OPT,
LABEL_OPT,
 };
 
@@ -134,6 +136,7 @@ static const struct option long_options[] =
{"mmap",no_argument,NULL, MMAP_OPT},
{"label",   required_argument,  NULL, LABEL_OPT},
{"line-buffered",   no_argument,NULL, LINEBUF_OPT},
+   {"null",no_argument,NULL, NULL_OPT},
{"after-context",   required_argument,  NULL, 'A'},
{"before-context",  required_argument,  NULL, 'B'},
{"context", optional_argument,  NULL, 'C'},
@@ -436,6 +439,9 @@ main(int argc, char *argv[])
case LINEBUF_OPT:
lbflag = 1;
break;
+   case NULL_OPT:
+   nullflag = 1;
+   break;
case HELP_OPT:
default:
usage();
diff --git usr.bin/grep/grep.h usr.bin/grep/grep.h
index b3d24ae662b..37e295d4d40 100644
--- usr.bin/grep/grep.h
+++ usr.bin/grep/grep.h
@@ -68,7 +68,7 @@ extern int cflags, eflags;
 extern int  Aflag, Bflag, Eflag, Fflag, Hflag, Lflag,
 Rflag, Zflag,
 bfla

Re: "monitoring only" interfaces

2021-02-07 Thread Sebastian Benoit
David Gwynne(da...@gwynne.id.au) on 2021.01.27 17:13:09 +1000:
> some of the discussion around dup-to made me think that a diff we
> have here at work might be more broadly useful.
> 
> we run a box here with a bunch of ethernet ports plugged into span
> ports on switches. basically every packet going to our firewalls gets
> duplicated to this host. we then have code that generates flow data from
> these ports. it's also nice to have one place to ssh to and so you can
> tcpdump things. anyway, that flow collector watches packets on those
> interfaces via bpf, but apart from that we don't actually want to
> do anything with the packets those interfaces receive. we especially
> do not want them entering the stack. we ssh to this box over the
> firewall, so if the span port copies those packets to the box and
> the stack tries to process them, things dont work great.
> 
> we could enable the fildrop stuff with bpf, but there's an annoying gap
> between when the interfaces come up and when the flow collector starts
> running. also, if the flow collector crashes or we restart it cos we're
> hacking on the code, this provides more gaps for packets to enter the
> stack.
> 
> we prevented this by adding a "monitor" interface flag. it makes the
> interface input code drop all the packets rather than queuing them for
> the stack to process.
> 
> is there any interest in having this in the tree?
> 
> if so, i need to do some work to make sure all interfaces push
> packets into the stack with if_input, ifiq_input, or if_vinput. a
> bunch of them like gif and gre currently call protocol input routines
> directly, so they skip this check.
> 
> so, thoughts?

I'd like this.

Previously when i needed something similar, i put the interface into its own
routing domain. But of course that doesnt avoid the packets entering the
stack, just some consequences.

I also think 'monitor' is the right keyword for ifconfig.

ok benno, but manpage is missing

 
> Index: sbin/ifconfig/ifconfig.c
> ===
> RCS file: /cvs/src/sbin/ifconfig/ifconfig.c,v
> retrieving revision 1.432
> diff -u -p -r1.432 ifconfig.c
> --- sbin/ifconfig/ifconfig.c  16 Jan 2021 17:44:29 -  1.432
> +++ sbin/ifconfig/ifconfig.c  27 Jan 2021 06:57:37 -
> @@ -469,6 +469,8 @@ const struct  cmd {
>   { "soii",   -IFXF_INET6_NOSOII, 0,  setifxflags },
>   { "-soii",  IFXF_INET6_NOSOII,  0,  setifxflags },
>  #ifndef SMALL
> + { "monitor",IFXF_MONITOR,   0,  setifxflags },
> + { "-monitor",   -IFXF_MONITOR,  0,  setifxflags },
>   { "hwfeatures", NEXTARG0,   0,  printifhwfeatures },
>   { "metric", NEXTARG,0,  setifmetric },
>   { "powersave",  NEXTARG0,   0,  setifpowersave },
> @@ -675,7 +677,7 @@ const struct  cmd {
>   "\7RUNNING\10NOARP\11PROMISC\12ALLMULTI\13OACTIVE\14SIMPLEX"\
>   "\15LINK0\16LINK1\17LINK2\20MULTICAST"  \
>   "\23INET6_NOPRIVACY\24MPLS\25WOL\26AUTOCONF6\27INET6_NOSOII"\
> - "\30AUTOCONF4"
> + "\30AUTOCONF4" "\32MONITOR"
>  
>  int  getinfo(struct ifreq *, int);
>  void getsock(int);
> Index: sys/net/if.c
> ===
> RCS file: /cvs/src/sys/net/if.c,v
> retrieving revision 1.625
> diff -u -p -r1.625 if.c
> --- sys/net/if.c  18 Jan 2021 09:55:43 -  1.625
> +++ sys/net/if.c  27 Jan 2021 06:57:37 -
> @@ -860,7 +860,8 @@ if_vinput(struct ifnet *ifp, struct mbuf
>   }
>  #endif
>  
> - (*ifp->if_input)(ifp, m);
> + if (__predict_true(!ISSET(ifp->if_xflags, IFXF_MONITOR)))
> + (*ifp->if_input)(ifp, m);
>  }
>  
>  void
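Review bot: In `if_vinput`, when `IFXF_MONITOR` is set the new condition skips `(*ifp->if_input)(ifp, m)` and the function then ends without releasing `m`, so as far as the hunk shows every packet received on a monitor interface leaks its mbuf. On a span port that receives a copy of all firewall traffic this would exhaust the mbuf pool and take networking down for the whole host, not just the monitored interface. The drop path should free the packet, for example by adding `else` and `m_freem(m);` after the call. The start of `if_vinput` is outside the hunk, so confirm nothing earlier already owns `m`; the matching drop path in `ifiq_input` (sys/net/ifq.c, cut off on this page) deserves the same check.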
> Index: sys/net/if.h
> ===
> RCS file: /cvs/src/sys/net/if.h,v
> retrieving revision 1.205
> diff -u -p -r1.205 if.h
> --- sys/net/if.h  18 Jan 2021 09:55:43 -  1.205
> +++ sys/net/if.h  27 Jan 2021 06:57:37 -
> @@ -230,6 +230,7 @@ struct if_status_description {
>  #define  IFXF_AUTOCONF6  0x20/* [N] v6 autoconf enabled */
>  #define IFXF_INET6_NOSOII0x40/* [N] don't do RFC 7217 */
>  #define  IFXF_AUTOCONF4  0x80/* [N] v4 autoconf (aka dhcp) 
> enabled */
> +#define  IFXF_MONITOR0x200   /* [N] only used for bpf */
>  
>  #define  IFXF_CANTCHANGE \
>   (IFXF_MPSAFE|IFXF_CLONED)
> Index: sys/net/ifq.c
> ===
> RCS file: /cvs/src/sys/net/ifq.c,v
> retrieving revision 1.41
> diff -u -p -r1.41 ifq.c
> --- sys/net/ifq.c 7 Jul 2020 00:00:03 -   1.41
> +++ sys/net/ifq.c 27 Jan 2021 06:57:37 -
> @@ -715,10 +715,12 @@ ifiq_input(struct ifiqueue *ifiq, struct
>   ifiq->ifiq_bytes += bytes;
>  
>   len = ml_len(&ifiq->ifiq_ml);
> - if (len > if

Re: unwind(8): improve DNS64 detection

2021-02-07 Thread Sebastian Benoit
Florian Obser(flor...@openbsd.org) on 2021.02.06 19:18:20 +0100:
> I noticed that sometimes DNS64 detection is not working correctly on
> boot. Eventually I tracked it down to this:
> Feb  6 08:56:22 x1 unwind[7139]: check_dns64_done: bad packet: too short: -1
> 
> The problem is that we are checking for dns64 while we might not yet
> have a route to the nameserver provided by the router advertisement or
> our IPv6 addresses are all tentative. Since we only re-schedule the
> check when the network changes we are stuck. Instead we can check for
> the presence of DNS64 when we know that DNS works, which is being
> rescheduled correctly.
> 
> OK?

ok

> diff --git resolver.c resolver.c
> index 302f381a0dd..95c32369830 100644
> --- resolver.c
> +++ resolver.c
> @@ -1142,6 +1142,8 @@ new_resolver(enum uw_resolver_type type, enum 
> uw_resolver_state state)
>   /* FALLTHROUGH */
>   case RESOLVING:
>   resolvers[type]->state = state;
> + if (type == UW_RES_ASR)
> + check_dns64();
>   break;
>   }
>  }
> @@ -2053,7 +2055,6 @@ replace_autoconf_forwarders(struct imsg_rdns_proposal 
> *rdns_proposal)
>   new_resolver(UW_RES_ASR, UNKNOWN);
>   new_resolver(UW_RES_DHCP, UNKNOWN);
>   new_resolver(UW_RES_ODOT_DHCP, UNKNOWN);
> - check_dns64();
>   } else {
>   while ((tmp = TAILQ_FIRST(&new_forwarder_list)) != NULL) {
>   TAILQ_REMOVE(&new_forwarder_list, tmp, entry);
> 
> 
> 
> -- 
> I'm not entirely sure you are real.
> 



Re: apmd: log ioctl failures

2021-03-25 Thread Sebastian Benoit
Klemens Nanni(k...@openbsd.org) on 2021.03.25 19:45:04 +0100:
> On Sat, Mar 20, 2021 at 07:46:38PM +0100, Klemens Nanni wrote:
> > Otherwise there is no way other than reading driver code to determine
> > why running zzz(8) for example does not do anything on certain machines.
> > 
> > apm(4/arm64) for one currently does not implement suspend and resume,
> > i.e. it yields ENOSUPP which gets lost in userland.
> > 
> > This still does not make `zzz' or `apm -z' report the informative
> > warning, but syslog now has it:
> > 
> > $ zzz
> > Suspending system...
> > $ tail -n3 /var/log/messages
> > Mar 20 19:16:57 pine64 apmd: system suspending
> > Mar 20 19:16:57 pine64 apmd: battery status: unknown. external power 
> > status: not known. estimated battery life 0%
> > Mar 20 19:16:58 pine64 apmd: suspend: Operation not supported
> > 
> > 
> > Feedback? OK?
> Anyone?
> 
> This is a trivial but helpful change, just like the ones in
> these other mails on tech@:
>   "apm/macppc: Mark unsupported ioctl as such, merge cases"
>   "apm/arm64: fix errno, merge ioctl cases"

reads ok and yeah, it might be useful to know if this doesnt work.

ok benno@

> 
> 
> Index: apmd.c
> ===
> RCS file: /cvs/src/usr.sbin/apmd/apmd.c,v
> retrieving revision 1.101
> diff -u -p -r1.101 apmd.c
> --- apmd.c16 Mar 2021 09:00:43 -  1.101
> +++ apmd.c20 Mar 2021 18:47:13 -
> @@ -329,7 +329,8 @@ suspend(int ctl_fd)
>   do_etc_file(_PATH_APM_ETC_SUSPEND);
>   sync();
>   sleep(1);
> - ioctl(ctl_fd, APM_IOC_SUSPEND, 0);
> + if (ioctl(ctl_fd, APM_IOC_SUSPEND, 0) == -1)
> + logmsg(LOG_WARNING, "%s: %s", __func__, strerror(errno));
>  }
>  
>  void
> @@ -340,7 +341,8 @@ stand_by(int ctl_fd)
>   do_etc_file(_PATH_APM_ETC_STANDBY);
>   sync();
>   sleep(1);
> - ioctl(ctl_fd, APM_IOC_STANDBY, 0);
> + if (ioctl(ctl_fd, APM_IOC_STANDBY, 0) == -1)
> + logmsg(LOG_WARNING, "%s: %s", __func__, strerror(errno));
>  }
>  
>  void
> @@ -351,7 +353,8 @@ hibernate(int ctl_fd)
>   do_etc_file(_PATH_APM_ETC_HIBERNATE);
>   sync();
>   sleep(1);
> - ioctl(ctl_fd, APM_IOC_HIBERNATE, 0);
> + if (ioctl(ctl_fd, APM_IOC_HIBERNATE, 0) == -1)
> + logmsg(LOG_WARNING, "%s: %s", __func__, strerror(errno));
>  }
>  
>  void
> 



delete unused variable in ix(4) rx checksum calc

2022-08-30 Thread Sebastian Benoit
ptype is never used.
ok?

diff --git sys/dev/pci/if_ix.c sys/dev/pci/if_ix.c
index cb233034d23..72a221b97d9 100644
--- sys/dev/pci/if_ix.c
+++ sys/dev/pci/if_ix.c
@@ -148,7 +148,7 @@ voidixgbe_enable_intr(struct ix_softc *);
 void   ixgbe_disable_intr(struct ix_softc *);
 intixgbe_txeof(struct tx_ring *);
 intixgbe_rxeof(struct rx_ring *);
-void   ixgbe_rx_checksum(uint32_t, struct mbuf *, uint32_t);
+void   ixgbe_rx_checksum(uint32_t, struct mbuf *);
 void   ixgbe_iff(struct ix_softc *);
 void   ixgbe_map_queue_statistics(struct ix_softc *);
 void   ixgbe_update_link_status(struct ix_softc *);
@@ -3103,7 +3103,7 @@ ixgbe_rxeof(struct rx_ring *rxr)
struct mbuf *mp, *sendmp;
uint8_t  eop = 0;
uint16_t len, vtag;
-   uint32_t staterr = 0, ptype;
+   uint32_t staterr = 0;
struct ixgbe_rx_buf *rxbuf, *nxbuf;
union ixgbe_adv_rx_desc *rxdesc;
size_t   dsize = sizeof(union ixgbe_adv_rx_desc);
@@ -3140,8 +3140,6 @@ ixgbe_rxeof(struct rx_ring *rxr)
 
mp = rxbuf->buf;
len = letoh16(rxdesc->wb.upper.length);
-   ptype = letoh32(rxdesc->wb.lower.lo_dword.data) &
-   IXGBE_RXDADV_PKTTYPE_MASK;
vtag = letoh16(rxdesc->wb.upper.vlan);
eop = ((staterr & IXGBE_RXD_STAT_EOP) != 0);
hash = lemtoh32(&rxdesc->wb.lower.hi_dword.rss);
@@ -3213,7 +3211,7 @@ ixgbe_rxeof(struct rx_ring *rxr)
sendmp = NULL;
mp->m_next = nxbuf->buf;
} else { /* Sending this frame? */
-   ixgbe_rx_checksum(staterr, sendmp, ptype);
+   ixgbe_rx_checksum(staterr, sendmp);
 
if (hashtype != IXGBE_RXDADV_RSSTYPE_NONE) {
sendmp->m_pkthdr.ph_flowid = hash;
@@ -3251,7 +3249,7 @@ next_desc:
  *
  */
 void
-ixgbe_rx_checksum(uint32_t staterr, struct mbuf * mp, uint32_t ptype)
+ixgbe_rx_checksum(uint32_t staterr, struct mbuf * mp)
 {
uint16_t status = (uint16_t) staterr;
uint8_t  errors = (uint8_t) (staterr >> 24);



Re: bgpd move nexthops to RB tree

2022-08-30 Thread Sebastian Benoit
Claudio Jeker(cje...@diehard.n-r-g.com) on 2022.08.30 19:11:15 +0200:
> I'm on a mission to remove the hash tables :)
> 
> This one is for struct nexthop. Hopefully it makes nexthop_get a bit
> better.

ok, but one __func__ below

> 
> -- 
> :wq Claudio
> 
> Index: rde.c
> ===
> RCS file: /cvs/src/usr.sbin/bgpd/rde.c,v
> retrieving revision 1.569
> diff -u -p -r1.569 rde.c
> --- rde.c 29 Aug 2022 18:18:55 -  1.569
> +++ rde.c 30 Aug 2022 16:01:11 -
> @@ -198,7 +198,6 @@ rde_main(int debug, int verbose)
>   /* initialize the RIB structures */
>   pt_init();
>   attr_init(attrhashsize);
> - nexthop_init(nexthophashsize);
>   peer_init(peerhashsize);
>  
>   /* make sure the default RIBs are setup */
> Index: rde.h
> ===
> RCS file: /cvs/src/usr.sbin/bgpd/rde.h,v
> retrieving revision 1.266
> diff -u -p -r1.266 rde.h
> --- rde.h 29 Aug 2022 18:18:55 -  1.266
> +++ rde.h 30 Aug 2022 16:00:55 -
> @@ -238,7 +238,7 @@ enum nexthop_state {
>  };
>  
>  struct nexthop {
> - LIST_ENTRY(nexthop) nexthop_l;
> + RB_ENTRY(nexthop)   entry;
>   TAILQ_ENTRY(nexthop)runner_l;
>   struct prefix_list  prefix_h;
>   struct prefix   *next_prefix;
> @@ -677,7 +677,6 @@ prefix_re(struct prefix *p)
>   return (p->entry.list.re);
>  }
>  
> -void  nexthop_init(uint32_t);
>  void  nexthop_shutdown(void);
>  int   nexthop_pending(void);
>  void  nexthop_runner(void);
> Index: rde_rib.c
> ===
> RCS file: /cvs/src/usr.sbin/bgpd/rde_rib.c,v
> retrieving revision 1.246
> diff -u -p -r1.246 rde_rib.c
> --- rde_rib.c 29 Aug 2022 18:18:55 -  1.246
> +++ rde_rib.c 30 Aug 2022 15:58:37 -
> @@ -1515,7 +1515,6 @@ prefix_free(struct prefix *p)
>  /*
>   * nexthop functions
>   */
> -struct nexthop_head  *nexthop_hash(struct bgpd_addr *);
>  struct nexthop   *nexthop_lookup(struct bgpd_addr *);
>  
>  /*
> @@ -1527,56 +1526,28 @@ struct nexthop*nexthop_lookup(struct b
>   * may be passed to the external neighbor if the neighbor and the exit 
> nexthop
>   * reside in the same subnet -- directly connected.
>   */
> -struct nexthop_table {
> - LIST_HEAD(nexthop_head, nexthop)*nexthop_hashtbl;
> - uint32_t nexthop_hashmask;
> -} nexthoptable;
>  
> -SIPHASH_KEY nexthoptablekey;
> +TAILQ_HEAD(nexthop_queue, nexthop)   nexthop_runners =
> + TAILQ_HEAD_INITIALIZER(nexthop_runners);
>  
> -TAILQ_HEAD(nexthop_queue, nexthop)   nexthop_runners;
> -
> -void
> -nexthop_init(uint32_t hashsize)
> -{
> - uint32_t hs, i;
> -
> - for (hs = 1; hs < hashsize; hs <<= 1)
> - ;
> - nexthoptable.nexthop_hashtbl = calloc(hs, sizeof(struct nexthop_head));
> - if (nexthoptable.nexthop_hashtbl == NULL)
> - fatal("nextop_init");
> -
> - TAILQ_INIT(&nexthop_runners);
> - for (i = 0; i < hs; i++)
> - LIST_INIT(&nexthoptable.nexthop_hashtbl[i]);
> - arc4random_buf(&nexthoptablekey, sizeof(nexthoptablekey));
> -
> - nexthoptable.nexthop_hashmask = hs - 1;
> -}
> +RB_HEAD(nexthop_tree, nexthop)   nexthoptable =
> + RB_INITIALIZER(&nexthoptree);
> +RB_GENERATE_STATIC(nexthop_tree, nexthop, entry, nexthop_compare);
>  
>  void
>  nexthop_shutdown(void)
>  {
> - uint32_t i;
>   struct nexthop  *nh, *nnh;
>  
> - for (i = 0; i <= nexthoptable.nexthop_hashmask; i++) {
> - for (nh = LIST_FIRST(&nexthoptable.nexthop_hashtbl[i]);
> - nh != NULL; nh = nnh) {
> - nnh = LIST_NEXT(nh, nexthop_l);
> - nh->state = NEXTHOP_UNREACH;
> - nexthop_unref(nh);
> - }
> - if (!LIST_EMPTY(&nexthoptable.nexthop_hashtbl[i])) {
> - nh = LIST_FIRST(&nexthoptable.nexthop_hashtbl[i]);
> - log_warnx("nexthop_shutdown: non-free table, "
> - "nexthop %s refcnt %d",
> - log_addr(&nh->exit_nexthop), nh->refcnt);
> - }
> + RB_FOREACH_SAFE(nh, nexthop_tree, &nexthoptable, nnh) {
> + nh->state = NEXTHOP_UNREACH;
> + nexthop_unref(nh);
>   }
>  
> - free(nexthoptable.nexthop_hashtbl);
> + RB_FOREACH(nh, nexthop_tree, &nexthoptable) {
> + log_warnx("nexthop_shutdown: nexthop %s refcnt %d",

__func__

> + log_addr(&nh->exit_nexthop), nh->refcnt);
> + }
>  }
>  
>  int
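Review bot: `RB_INITIALIZER(&nexthoptree)` names an identifier that is not declared anywhere in the visible lines; the head being defined is `nexthoptable`. It presumably builds only because the macro discards its argument, so it should read `RB_INITIALIZER(&nexthoptable);` to avoid misleading the next reader. `RB_GENERATE_STATIC` also depends on `nexthop_compare`, whose prototype is not visible in this hunk and has to precede it. The attr conversion in rde_attr.c has the same slip with `RB_INITIALIZER(&attr)` for `attrtable`.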
> @@ -1758,8 +1729,8 @@ nexthop_get(struct bgpd_addr *nexthop)
>   nh->state = NEXTHOP_LOOKUP;
>   nexthop_ref(nh);/* take reference 

make kernel build without INET6 again (pf_lb.c)

2022-08-30 Thread Sebastian Benoit
ok?

diff --git sys/net/pf_lb.c sys/net/pf_lb.c
index 588115cbff7..905af42e463 100644
--- sys/net/pf_lb.c
+++ sys/net/pf_lb.c
@@ -519,13 +519,18 @@ pf_map_addr(sa_family_t af, struct pf_rule *r, struct 
pf_addr *saddr,
 * fall back to POOL_NONE if there is a single host
 * address in pool.
 */
-   if ((af == AF_INET &&
-   rmask->addr32[0] == INADDR_BROADCAST) ||
-   (af == AF_INET6 &&
-   IN6_ARE_ADDR_EQUAL(&rmask->v6, &in6mask128))) {
+   if (af == AF_INET &&
+   rmask->addr32[0] == INADDR_BROADCAST) {
pf_addrcpy(naddr, raddr, af);
break;
}
+#ifdef INET6
+   if (af == AF_INET6 &&
+   IN6_ARE_ADDR_EQUAL(&rmask->v6, &in6mask128)) {
+   pf_addrcpy(naddr, raddr, af);
+   break;
+   }
+#endif
} else if (pf_match_addr(0, raddr, rmask, &rpool->counter, af))
return (1);
 



Re: bgpd: only run one roa softreconfig process at a time

2022-08-30 Thread Sebastian Benoit
ok 

Claudio Jeker(cje...@diehard.n-r-g.com) on 2022.08.30 22:54:43 +0200:
> Currently if bgpd takes a long time to re-evaluate all prefixes because of
> a ROA change a second update can come in before the first is processed.
> This is not good. So add a barrier to only run one rde_roa_softreconfig
> dump at a time.
> 
> If a dump is pending while a new roa set is received ignore that roa-set
> and wait for the next one. Later on the roa update should be done with
> deltas and only the networks affected by the delta should be touched but
> that is way more complicated.
> 
> The following diff should do that.
> -- 
> :wq Claudio
> 
> Index: rde.c
> ===
> RCS file: /cvs/src/usr.sbin/bgpd/rde.c,v
> retrieving revision 1.570
> diff -u -p -r1.570 rde.c
> --- rde.c 30 Aug 2022 18:50:21 -  1.570
> +++ rde.c 30 Aug 2022 19:54:45 -
> @@ -1083,6 +1083,7 @@ rde_dispatch_imsg_rtr(struct imsgbuf *ib
>   switch (imsg.hdr.type) {
>   case IMSG_RECONF_ROA_SET:
>   /* start of update */
> + trie_free(&roa_new.th); /* clear new roa */
>   break;
>   case IMSG_RECONF_ROA_ITEM:
>   if (imsg.hdr.len - IMSG_HEADER_SIZE !=
> @@ -3923,11 +3924,14 @@ rde_roa_softreload(struct rib_entry *re,
>   }
>  }
>  
> +static int roa_update_pending;
> +
>  static void
>  rde_roa_softreload_done(void *arg, uint8_t aid)
>  {
>   /* the roa update is done */
>   log_info("ROA softreload done");
> + roa_update_pending = 0;
>  }
>  
>  static void
> @@ -3935,6 +3939,11 @@ rde_roa_reload(void)
>  {
>   struct rde_prefixset roa_old;
>  
> + if (roa_update_pending) {
> + log_info("ROA softreload skipped, old still running");
> + return;
> + }
> +
>   roa_old = rde_roa;
>   rde_roa = roa_new;
>   memset(&roa_new, 0, sizeof(roa_new));
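Review bot: The early return in `rde_roa_reload` throws away the freshly received ROA set without recording that one was skipped, so origin validation keeps running against the previous table until some later set happens to arrive. That matches the description, but nothing in the code says so, and the `log_info` text does not tell an operator that the active table is now behind the RTR data. I would add a comment above the check, `/* a softreload is still running: drop this set, the next update replaces it */`, and consider `log_warnx` for the skip message so it is visible at default log levels. The function continues outside the hunk.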
> @@ -3950,6 +3959,7 @@ rde_roa_reload(void)
>   trie_free(&roa_old.th); /* old roa no longer needed */
>  
>   log_debug("ROA change: reloading Adj-RIB-In");
> + roa_update_pending = 1;
>   if (rib_dump_new(RIB_ADJ_IN, AID_UNSPEC, RDE_RUNNER_ROUNDS,
>   rib_byid(RIB_ADJ_IN), rde_roa_softreload,
>   rde_roa_softreload_done, NULL) == -1)
> Index: rde_trie.c
> ===
> RCS file: /cvs/src/usr.sbin/bgpd/rde_trie.c,v
> retrieving revision 1.15
> diff -u -p -r1.15 rde_trie.c
> --- rde_trie.c23 May 2022 13:40:12 -  1.15
> +++ rde_trie.c30 Aug 2022 19:53:11 -
> @@ -468,6 +468,7 @@ trie_free(struct trie_head *th)
>  {
>   trie_free_v4(th->root_v4);
>   trie_free_v6(th->root_v6);
> + memset(th, 0, sizeof(*th));
>  }
>  
>  static int
> Index: rtr.c
> ===
> RCS file: /cvs/src/usr.sbin/bgpd/rtr.c,v
> retrieving revision 1.6
> diff -u -p -r1.6 rtr.c
> --- rtr.c 17 Aug 2022 15:15:26 -  1.6
> +++ rtr.c 30 Aug 2022 19:59:20 -
> @@ -76,7 +76,7 @@ rtr_expire_roas(time_t now)
>   }
>   }
>   if (recalc != 0)
> - log_warnx("%u roa-set entries expired", recalc);
> + log_info("%u roa-set entries expired", recalc);
>   return recalc;
>  }
>  
> 



Re: bgpd change attr cache to use RB tree

2022-08-31 Thread Sebastian Benoit
Claudio Jeker(cje...@diehard.n-r-g.com) on 2022.08.31 13:56:18 +0200:
> Like all other hash tables use an RB tree instead.
> Again the calculation of the hash can be skipped because the compare
> function is probably fast enough.

that sentence does parse, but i am semantically challenged by it.

diff is ok :)

> 
> -- 
> :wq Claudio
> 
> ? ktrace.out
> ? obj
> Index: rde.c
> ===
> RCS file: /cvs/src/usr.sbin/bgpd/rde.c,v
> retrieving revision 1.571
> diff -u -p -r1.571 rde.c
> --- rde.c 31 Aug 2022 11:25:36 -  1.571
> +++ rde.c 31 Aug 2022 11:27:54 -
> @@ -197,7 +197,6 @@ rde_main(int debug, int verbose)
>  
>   /* initialize the RIB structures */
>   pt_init();
> - attr_init(attrhashsize);
>   peer_init(peerhashsize);
>  
>   /* make sure the default RIBs are setup */
> @@ -360,7 +359,6 @@ rde_dispatch_imsg_session(struct imsgbuf
>   struct session_upsup;
>   struct rde_peer *peer;
>   struct rde_aspath   *asp;
> - struct rde_hashstats rdehash;
>   struct filter_set   *s;
>   struct as_set   *aset;
>   struct rde_prefixset*pset;
> @@ -628,9 +626,6 @@ badnetdel:
>   case IMSG_CTL_SHOW_RIB_MEM:
>   imsg_compose(ibuf_se_ctl, IMSG_CTL_SHOW_RIB_MEM, 0,
>   imsg.hdr.pid, -1, &rdemem, sizeof(rdemem));
> - attr_hash_stats(&rdehash);
> - imsg_compose(ibuf_se_ctl, IMSG_CTL_SHOW_RIB_HASH, 0,
> - imsg.hdr.pid, -1, &rdehash, sizeof(rdehash));
>   imsg_compose(ibuf_se_ctl, IMSG_CTL_END, 0, imsg.hdr.pid,
>   -1, NULL, 0);
>   break;
> Index: rde.h
> ===
> RCS file: /cvs/src/usr.sbin/bgpd/rde.h,v
> retrieving revision 1.267
> diff -u -p -r1.267 rde.h
> --- rde.h 30 Aug 2022 18:50:21 -  1.267
> +++ rde.h 31 Aug 2022 11:27:54 -
> @@ -162,9 +162,8 @@ enum attrtypes {
>  #define ATTR_WELL_KNOWN  ATTR_TRANSITIVE
>  
>  struct attr {
> - LIST_ENTRY(attr) entry;
> + RB_ENTRY(attr)   entry;
>   u_char  *data;
> - uint64_t hash;
>   int  refcnt;
>   uint16_t len;
>   uint8_t  flags;
> @@ -429,9 +428,7 @@ intattr_write(void *, uint16_t, uint8
>   uint16_t);
>  int   attr_writebuf(struct ibuf *, uint8_t, uint8_t, void *,
>   uint16_t);
> -void  attr_init(uint32_t);
>  void  attr_shutdown(void);
> -void  attr_hash_stats(struct rde_hashstats *);
>  int   attr_optadd(struct rde_aspath *, uint8_t, uint8_t,
>   void *, uint16_t);
>  struct attr  *attr_optget(const struct rde_aspath *, uint8_t);
> Index: rde_attr.c
> ===
> RCS file: /cvs/src/usr.sbin/bgpd/rde_attr.c,v
> retrieving revision 1.129
> diff -u -p -r1.129 rde_attr.c
> --- rde_attr.c29 Aug 2022 18:18:55 -  1.129
> +++ rde_attr.c31 Aug 2022 11:27:54 -
> @@ -92,74 +92,21 @@ attr_writebuf(struct ibuf *buf, uint8_t 
>  }
>  
>  /* optional attribute specific functions */
> -int   attr_diff(struct attr *, struct attr *);
> -struct attr  *attr_alloc(uint8_t, uint8_t, const void *, uint16_t);
> -struct attr  *attr_lookup(uint8_t, uint8_t, const void *, uint16_t);
> +struct attr  *attr_alloc(uint8_t, uint8_t, void *, uint16_t);
> +struct attr  *attr_lookup(uint8_t, uint8_t, void *, uint16_t);
>  void  attr_put(struct attr *);
>  
> -struct attr_table {
> - struct attr_list*hashtbl;
> - uint64_t hashmask;
> -} attrtable;
> +static inline int attr_diff(struct attr *, struct attr *);
>  
> -SIPHASH_KEY attrtablekey;
> +RB_HEAD(attr_tree, attr) attrtable = RB_INITIALIZER(&attr);
> +RB_GENERATE_STATIC(attr_tree, attr, entry, attr_diff);
>  
> -#define ATTR_HASH(x) \
> - &attrtable.hashtbl[(x) & attrtable.hashmask]
> -
> -void
> -attr_init(uint32_t hashsize)
> -{
> - uint32_ths, i;
> -
> - arc4random_buf(&attrtablekey, sizeof(attrtablekey));
> - for (hs = 1; hs < hashsize; hs <<= 1)
> - ;
> - attrtable.hashtbl = calloc(hs, sizeof(struct attr_list));
> - if (attrtable.hashtbl == NULL)
> - fatal("%s", __func__);
> -
> - for (i = 0; i < hs; i++)
> - LIST_INIT(&attrtable.hashtbl[i]);
> -
> - attrtable.hashmask = hs - 1;
> -}
>  
>  void
>  attr_shutdown(void)
>  {
> - uint64_ti;
> -
> - for (i = 0; i <= attrtable.hashmask; i++)
> - if (!LIST_EMPTY(&attrtable.hashtbl[i]))
> - log

Re: bgpd cleanup hash leftovers

2022-09-01 Thread Sebastian Benoit
ok

Claudio Jeker(cje...@diehard.n-r-g.com) on 2022.09.01 12:48:32 +0200:
> bgpd no longer needs siphash.h and also remove a hash member and a
> prototype which are now unused.
> 
> -- 
> :wq Claudio
> 
> Index: rde.h
> ===
> RCS file: /cvs/src/usr.sbin/bgpd/rde.h,v
> retrieving revision 1.268
> diff -u -p -r1.268 rde.h
> --- rde.h 31 Aug 2022 14:29:36 -  1.268
> +++ rde.h 1 Sep 2022 09:55:49 -
> @@ -217,7 +217,6 @@ struct rde_aspath {
>   RB_ENTRY(rde_aspath) entry;
>   struct attr **others;
>   struct aspath   *aspath;
> - uint64_t hash;
>   int  refcnt;
>   uint32_t flags; /* internally used */
>   uint32_t med;   /* multi exit disc */
> @@ -434,7 +433,6 @@ intattr_optadd(struct rde_aspath *, u
>  struct attr  *attr_optget(const struct rde_aspath *, uint8_t);
>  void  attr_copy(struct rde_aspath *, const struct rde_aspath *);
>  int   attr_compare(struct rde_aspath *, struct rde_aspath *);
> -uint64_t  attr_hash(struct rde_aspath *);
>  void  attr_freeall(struct rde_aspath *);
>  void  attr_free(struct rde_aspath *, struct attr *);
>  #define   attr_optlen(x) \
> Index: rde_attr.c
> ===
> RCS file: /cvs/src/usr.sbin/bgpd/rde_attr.c,v
> retrieving revision 1.130
> diff -u -p -r1.130 rde_attr.c
> --- rde_attr.c31 Aug 2022 14:29:36 -  1.130
> +++ rde_attr.c1 Sep 2022 09:56:55 -
> @@ -24,7 +24,6 @@
>  #include 
>  #include 
>  #include 
> -#include 
>  
>  #include "bgpd.h"
>  #include "rde.h"
> Index: rde_community.c
> ===
> RCS file: /cvs/src/usr.sbin/bgpd/rde_community.c,v
> retrieving revision 1.8
> diff -u -p -r1.8 rde_community.c
> --- rde_community.c   29 Aug 2022 16:44:47 -  1.8
> +++ rde_community.c   1 Sep 2022 09:56:57 -
> @@ -21,7 +21,6 @@
>  #include 
>  #include 
>  #include 
> -#include 
>  
>  #include "bgpd.h"
>  #include "rde.h"
> Index: rde_rib.c
> ===
> RCS file: /cvs/src/usr.sbin/bgpd/rde_rib.c,v
> retrieving revision 1.247
> diff -u -p -r1.247 rde_rib.c
> --- rde_rib.c 30 Aug 2022 18:50:21 -  1.247
> +++ rde_rib.c 1 Sep 2022 09:57:02 -
> @@ -22,7 +22,6 @@
>  #include 
>  #include 
>  #include 
> -#include 
>  #include 
>  
>  #include "bgpd.h"
> @@ -640,7 +639,7 @@ path_lookup(struct rde_aspath *aspath)
>  }
>  
>  /*
> - * Link this aspath into the global hash table.
> + * Link this aspath into the global table.
>   * The asp had to be alloced with path_get.
>   */
>  static void
> @@ -679,7 +678,6 @@ struct rde_aspath *
>  path_copy(struct rde_aspath *dst, const struct rde_aspath *src)
>  {
>   dst->aspath = aspath_copy(src->aspath);
> - dst->hash = 0;  /* not linked so no hash and no refcnt */
>   dst->refcnt = 0;
>   dst->flags = src->flags & ~F_ATTR_LINKED;
>  
> Index: rde_update.c
> ===
> RCS file: /cvs/src/usr.sbin/bgpd/rde_update.c,v
> retrieving revision 1.146
> diff -u -p -r1.146 rde_update.c
> --- rde_update.c  17 Aug 2022 15:15:26 -  1.146
> +++ rde_update.c  1 Sep 2022 09:57:06 -
> @@ -22,7 +22,6 @@
>  #include 
>  #include 
>  #include 
> -#include 
>  #include 
>  
>  #include "bgpd.h"
> 



Re: bgpd switch rde_peer to RB tree

2022-09-01 Thread Sebastian Benoit
Claudio Jeker(cje...@diehard.n-r-g.com) on 2022.09.01 12:04:03 +0200:
> Convert the rde_peer hash table to an RB tree. This is a bit more complex
> because rde_peer list is used in a lot of places. As a bonus use
> peer_foreach in mrt.c to write the table v2 peer header (this needs a
> special callback struct because two values need to be passed to the
> callback).
> 
> The rest of the code is mostly a simple conversion. Only peer_match
> required to be adjusted because the code is now able to use peer_get()
> to find the start point.
> -- 
> :wq Claudio


ok benno@


> 
> Index: mrt.c
> ===
> RCS file: /cvs/src/usr.sbin/bgpd/mrt.c,v
> retrieving revision 1.109
> diff -u -p -r1.109 mrt.c
> --- mrt.c 17 Aug 2022 15:15:26 -  1.109
> +++ mrt.c 1 Sep 2022 00:25:24 -
> @@ -783,14 +783,33 @@ fail:
>   return (-1);
>  }
>  
> +struct cb_arg {
> + struct ibuf *buf;
> + int  nump;
> +};
> +
> +static void
> +mrt_dump_v2_hdr_peer(struct rde_peer *peer, void *arg)
> +{
> + struct cb_arg *a = arg;
> +
> + if (a->nump == -1)
> + return;
> + peer->mrt_idx = a->nump;
> + if (mrt_dump_peer(a->buf, peer) == -1) {
> + a->nump = -1;
> + return;
> + }
> + a->nump++;
> +}
> +
>  int
> -mrt_dump_v2_hdr(struct mrt *mrt, struct bgpd_config *conf,
> -struct rde_peer_head *ph)
> +mrt_dump_v2_hdr(struct mrt *mrt, struct bgpd_config *conf)
>  {
> - struct rde_peer *peer;
>   struct ibuf *buf, *hbuf = NULL;
>   size_t   len, off;
>   uint16_t nlen, nump;
> + struct cb_argarg;
>  
>   if ((buf = ibuf_dynamic(0, UINT_MAX)) == NULL) {
>   log_warn("%s: ibuf_dynamic", __func__);
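Review bot: `mrt_dump_v2_hdr_peer` uses `a->nump == -1` as a sticky error marker that turns every later callback into a no-op, and nothing on `struct cb_arg` says so. A one-line comment on the field, `int nump; /* next peer index, -1 after a failed mrt_dump_peer() */`, would make the contract between the callback and `mrt_dump_v2_hdr` explicit. In the following hunk `htons(arg.nump)` narrows that int to 16 bits, so a peer count above 65535 would be written truncated and disagree with the entries that follow; a range check before the `htons` would turn that into a clean failure. `mrt_dump_v2_hdr` continues outside both hunks.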
> @@ -812,14 +831,13 @@ mrt_dump_v2_hdr(struct mrt *mrt, struct 
>   log_warn("%s: ibuf_reserve error", __func__);
>   goto fail;
>   }
> - nump = 0;
> - LIST_FOREACH(peer, ph, peer_l) {
> - peer->mrt_idx = nump;
> - if (mrt_dump_peer(buf, peer) == -1)
> - goto fail;
> - nump++;
> - }
> - nump = htons(nump);
> + arg.nump = 0;
> + arg.buf = buf;
> + peer_foreach(mrt_dump_v2_hdr_peer, &arg);
> + if (arg.nump == -1)
> + goto fail;
> +
> + nump = htons(arg.nump);
>   memcpy(ibuf_seek(buf, off, sizeof(nump)), &nump, sizeof(nump));
>  
>   len = ibuf_size(buf);
> Index: rde.c
> ===
> RCS file: /cvs/src/usr.sbin/bgpd/rde.c,v
> retrieving revision 1.573
> diff -u -p -r1.573 rde.c
> --- rde.c 31 Aug 2022 15:51:44 -  1.573
> +++ rde.c 1 Sep 2022 08:29:31 -
> @@ -114,8 +114,8 @@ struct rde_memstatsrdemem;
>  int   softreconfig;
>  static intrde_eval_all;
>  
> -extern struct rde_peer_head   peerlist;
> -extern struct rde_peer   *peerself;
> +extern struct peer_tree   peertable;
> +extern struct rde_peer   *peerself;
>  
>  struct rde_dump_ctx {
>   LIST_ENTRY(rde_dump_ctx)entry;
> @@ -145,8 +145,6 @@ rde_sighdlr(int sig)
>   }
>  }
>  
> -uint32_t peerhashsize = 1024;
> -
>  void
>  rde_main(int debug, int verbose)
>  {
> @@ -194,7 +192,7 @@ rde_main(int debug, int verbose)
>  
>   /* initialize the RIB structures */
>   pt_init();
> - peer_init(peerhashsize);
> + peer_init();
>  
>   /* make sure the default RIBs are setup */
>   rib_new("Adj-RIB-In", 0, F_RIB_NOFIB | F_RIB_NOEVALUATE);
> @@ -2982,7 +2980,7 @@ rde_dump_mrt_new(struct mrt *mrt, pid_t 
>   }
>  
>   if (ctx->mrt.type == MRT_TABLE_DUMP_V2)
> - mrt_dump_v2_hdr(&ctx->mrt, conf, &peerlist);
> + mrt_dump_v2_hdr(&ctx->mrt, conf);
>  
>   if (rib_dump_new(rid, AID_UNSPEC, CTL_MSG_HIGH_MARK, &ctx->mrt,
>   mrt_dump_upcall, rde_mrt_done, rde_mrt_throttled) == -1)
> @@ -3105,7 +3103,7 @@ rde_update_queue_pending(void)
>   if (ibuf_se && ibuf_se->w.queued >= SESS_MSG_HIGH_MARK)
>   return 0;
>  
> - LIST_FOREACH(peer, &peerlist, peer_l) {
> + RB_FOREACH(peer, peer_tree, &peertable) {
>   if (peer->conf.id == 0)
>   continue;
>   if (peer->state != PEER_UP)
> @@ -3131,7 +3129,7 @@ rde_update_queue_runner(void)
>   len = sizeof(queue_buf) - MSGSIZE_HEADER;
>   do {
>   sent = 0;
> - LIST_FOREACH(peer, &peerlist, peer_l) {
> + RB_FOREACH(peer, peer_tree, &peertable) {
>   if (peer->conf.id == 0)
>   continue;
>   if (peer->state != PEER_UP)
> @@ -3189,7 +3187,7 @@ rde_update6_queue_runner(uint8_t aid)
>   /* first withdraws ... */
>   do {
>   sent = 0;
> - LIST_FOREACH(peer, &peerlist, peer_l) {
> + RB_FOREACH

Re: ps(1): add -d (descendancy) option to display parent/child process relationships

2022-09-01 Thread Sebastian Benoit
Job Snijders(j...@openbsd.org) on 2022.09.01 03:37:59 +:
> Dear all,
> 
> Some ps(1) implementations have an '-d' ('descendancy') option. Through
> ASCII art parent/child process relationships are grouped and displayed.
> Here is an example:
> 
> $ ps ad -O ppid,user
>   PID  PPID USER TT  STATTIME COMMAND
> 18180 12529 job  pb  I+p  0:00.01 `-- -sh (sh)
> 26689 56460 job  p3  Ip   0:00.01   `-- -ksh (ksh)
>  5153 26689 job  p3  I+p  0:40.18 `-- mutt
> 62046 25272 job  p4  Sp   0:00.25   `-- -ksh (ksh)
> 61156 62046 job  p4  R+/0 0:00.00 `-- ps -ad -O ppid
> 26816  2565 job  p5  Ip   0:00.01   `-- -ksh (ksh)
> 79431 26816 root p5  Ip   0:00.16 `-- /bin/ksh
> 43915 79431 _rpki-cl p5  S+pU 0:06.97   `-- rpki-client
> 70511 43915 _rpki-cl p5  I+pU 0:01.26 |-- rpki-client: parser 
> (rpki-client)
> 96992 43915 _rpki-cl p5  I+pU 0:00.00 |-- rpki-client: rsync 
> (rpki-client)
> 49160 43915 _rpki-cl p5  S+p  0:01.52 |-- rpki-client: http 
> (rpki-client)
> 99329 43915 _rpki-cl p5  S+p  0:03.20 `-- rpki-client: rrdp 
> (rpki-client)
> 
> The functionality is similar to pstree(1) in the ports collection.
> 
> The below changeset borrows heavily from the following two
> implementations:
> 
> 
> https://github.com/freebsd/freebsd-src/commit/044fce530f89a819827d351de364d208a30e9645.patch
> 
> https://github.com/NetBSD/src/commit/b82f6d00d93d880d3976c4f1e88c33d88a8054ad.patch
> 
> Thoughts?

i like it. found some little things below, with those fixed and some
agreement on the option letter (which i dont care about) it has my ok.

> 
> Kind regards,
> 
> Job
> 
> Index: extern.h
> ===
> RCS file: /cvs/src/bin/ps/extern.h,v
> retrieving revision 1.23
> diff -u -p -r1.23 extern.h
> --- extern.h  5 Jan 2022 04:10:36 -   1.23
> +++ extern.h  1 Sep 2022 03:31:36 -
> @@ -44,44 +44,44 @@ extern VAR var[];
>  extern VARENT *vhead;
>  
>  __BEGIN_DECLS
> -void  command(const struct kinfo_proc *, VARENT *);
> -void  cputime(const struct kinfo_proc *, VARENT *);
> +void  command(const struct pinfo *, VARENT *);
> +void  cputime(const struct pinfo *, VARENT *);
>  int   donlist(void);
> -void  elapsed(const struct kinfo_proc *, VARENT *);
> +void  elapsed(const struct pinfo *, VARENT *);
>  doublegetpcpu(const struct kinfo_proc *);
> -doublegetpmem(const struct kinfo_proc *);
> -void  gname(const struct kinfo_proc *, VARENT *);
> -void  supgid(const struct kinfo_proc *, VARENT *);
> -void  supgrp(const struct kinfo_proc *, VARENT *);
> -void  logname(const struct kinfo_proc *, VARENT *);
> -void  longtname(const struct kinfo_proc *, VARENT *);
> -void  lstarted(const struct kinfo_proc *, VARENT *);
> -void  maxrss(const struct kinfo_proc *, VARENT *);
> +doublegetpmem(const struct pinfo *);
> +void  gname(const struct pinfo *, VARENT *);
> +void  supgid(const struct pinfo *, VARENT *);
> +void  supgrp(const struct pinfo *, VARENT *);
> +void  logname(const struct pinfo *, VARENT *);
> +void  longtname(const struct pinfo *, VARENT *);
> +void  lstarted(const struct pinfo *, VARENT *);
> +void  maxrss(const struct pinfo *, VARENT *);
>  void  nlisterr(struct nlist *);
> -void  p_rssize(const struct kinfo_proc *, VARENT *);
> -void  pagein(const struct kinfo_proc *, VARENT *);
> +void  p_rssize(const struct pinfo *, VARENT *);
> +void  pagein(const struct pinfo *, VARENT *);
>  void  parsefmt(char *);
> -void  pcpu(const struct kinfo_proc *, VARENT *);
> -void  pmem(const struct kinfo_proc *, VARENT *);
> -void  pri(const struct kinfo_proc *, VARENT *);
> +void  pcpu(const struct pinfo *, VARENT *);
> +void  pmem(const struct pinfo *, VARENT *);
> +void  pri(const struct pinfo *, VARENT *);
>  void  printheader(void);
> -void  pvar(const struct kinfo_proc *kp, VARENT *);
> -void  pnice(const struct kinfo_proc *kp, VARENT *);
> -void  rgname(const struct kinfo_proc *, VARENT *);
> -void  rssize(const struct kinfo_proc *, VARENT *);
> -void  runame(const struct kinfo_proc *, VARENT *);
> +void  pvar(const struct pinfo *, VARENT *);
> +void  pnice(const struct pinfo *, VARENT *);
> +void  rgname(const struct pinfo *, VARENT *);
> +void  rssize(const struct pinfo *, VARENT *);
> +void  runame(const struct pinfo *, VARENT *);
>  void  showkey(void);
> -void  started(const struct kinfo_proc *, VARENT *);
> -void  printstate(const struct kinfo_proc *, VARENT *);
> -void  printpledge(const struct kinfo_proc *, VARENT *);
> -void  tdev(const struct kinfo_proc *, VARENT *);
> -void  tname(const struct kinfo_proc *, VARENT *);
> -void  tsize(const struct kinfo_proc *, VARENT *);
> -void  dsize(const struct kinfo_proc *, VARENT *);
> -void  ssize(const struct kinfo_proc *, VARENT *);
> -void  ucomm(const struct kinfo_proc *, VARENT *);
> -void

Re: httpd: overwrite rather than error for duplicate type entries

2022-09-02 Thread Sebastian Benoit
thanks, committed!

Florian Obser(flor...@openbsd.org) on 2022.09.02 08:08:09 +0200:
> This diff is correct and the use-case makes sense to me.
> OK florian
> 
> 
> On 2022-09-01 21:30 +01, Ben Fuller  wrote:
> > On Thu, Sep 01, 2022 at 21:22:13 +0100, Ben Fuller wrote:
> >> On Thu, Sep 01, 2022 at 21:44:34 +0200, Florian Obser wrote:
> >> > Pretty sure this doesn't compile.
> >> > If it were to compile it would leak memory.
> >> 
> >> It did compile, but you're right. This version should free everything:
> >
> > Makes more sense to use the existing function (sorry for the spam):
> >
> > ---
> >  usr.sbin/httpd/httpd.c  | 4 ++--
> >  usr.sbin/httpd/httpd.conf.5 | 1 +
> >  2 files changed, 3 insertions(+), 2 deletions(-)
> >
> > diff --git usr.sbin/httpd/httpd.c usr.sbin/httpd/httpd.c
> > index 2acecd1732f..efe199c20a9 100644
> > --- usr.sbin/httpd/httpd.c
> > +++ usr.sbin/httpd/httpd.c
> > @@ -1080,9 +1080,9 @@ media_add(struct mediatypes *types, struct media_type 
> > *media)
> > struct media_type   *entry;
> >  
> > if ((entry = RB_FIND(mediatypes, types, media)) != NULL) {
> > -   log_debug("%s: duplicated entry for \"%s\"", __func__,
> > +   log_debug("%s: entry overwritten for \"%s\"", __func__,
> > media->media_name);
> > -   return (NULL);
> > +   media_delete(types, entry);
> > }
> >  
> > if ((entry = malloc(sizeof(*media))) == NULL)
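Review bot: The old entry is removed by `media_delete(types, entry)` before the replacement has been allocated, so if the `malloc` on the following line fails, the table is left with no mapping at all for `media->media_name`. Assuming media_delete unlinks and frees the node, it would be safer to build the new entry completely first and only then delete the old one and insert the new, so a failed overwrite keeps the earlier definition. The rest of media_add is outside this hunk, so any later allocation there should be checked for the same ordering.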
> > diff --git usr.sbin/httpd/httpd.conf.5 usr.sbin/httpd/httpd.conf.5
> > index b5f0be465a0..02f240091b0 100644
> > --- usr.sbin/httpd/httpd.conf.5
> > +++ usr.sbin/httpd/httpd.conf.5
> > @@ -753,6 +753,7 @@ to the specified extension
> >  .Ar name .
> >  One or more names can be specified per line.
> >  Each line may end with an optional semicolon.
> > +Later lines overwrite earlier lines.
> >  .It Ic include Ar file
> >  Include types definitions from an external file, for example
> >  .Pa /usr/share/misc/mime.types .
> >
> 
> -- 
> I'm not entirely sure you are real.
> 



Re: unbound and cannot increase max open fds from 512 to 4152

2022-09-02 Thread Sebastian Benoit
Mikolaj Kucharski(miko...@kucharski.name) on 2022.09.02 06:47:00 +:
> Hi,
> 
> I have a question, could or should unbound in base be delivered with:
> 
> # cat /etc/login.conf.d/unbound
> unbound:\
> :openfiles-cur=4096:\
> :openfiles-max=8192:\
> :tc=daemon:
> 
> or the like? Above is taken from dovecot. I was able to trigger via
> rcctl reload unbound following warnings in logs:
> 
> Sep  2 06:37:21 x1c unbound: [32940:0] notice: Restart of unbound 1.16.0.
> Sep  2 06:37:21 x1c unbound: [32940:0] warning: setrlimit: Operation not 
> permitted
> Sep  2 06:37:21 x1c unbound: [32940:0] warning: cannot increase max open fds 
> from 512 to 4152
> Sep  2 06:37:21 x1c unbound: [32940:0] warning: continuing with less udp 
> ports: 460
> Sep  2 06:37:21 x1c unbound: [32940:0] warning: increase ulimit or decrease 
> threads, ports in config to remove this warning
> Sep  2 06:37:21 x1c unbound: [32940:0] notice: init module 0: validator
> Sep  2 06:37:21 x1c unbound: [32940:0] notice: init module 1: iterator
> 
> After placing above login.conf.d login class capability file above
> warnings go away:
> 
> Sep  2 06:39:58 x1c unbound: [14264:0] notice: Restart of unbound 1.16.0.
> Sep  2 06:39:58 x1c unbound: [14264:0] notice: init module 0: validator
> Sep  2 06:39:58 x1c unbound: [14264:0] notice: init module 1: iterator

As far as i understand, the number of fds that unbound is asking for is
based on the num-threads, outgoing-num-tcp, interface and some other setting
in the unbound config.

Did you change any?

We already ship with this

unbound:\
:openfiles=512:\
:tc=daemon:

It is expected that you change login.conf yourself when you tune unbound to
your needs.



Re: unbound and cannot increase max open fds from 512 to 4152

2022-09-02 Thread Sebastian Benoit
Mikolaj Kucharski(miko...@kucharski.name) on 2022.09.02 08:07:01 +:
> On Fri, Sep 02, 2022 at 09:53:54AM +0200, Sebastian Benoit wrote:
> > Mikolaj Kucharski(miko...@kucharski.name) on 2022.09.02 06:47:00 +:
> > > Hi,
> > > 
> > > I have a question, could or should unbound in base be delivered with:
> > > 
> > > # cat /etc/login.conf.d/unbound
> > > unbound:\
> > > :openfiles-cur=4096:\
> > > :openfiles-max=8192:\
> > > :tc=daemon:
> > > 
> > > or the like? Above is taken from dovecot. I was able to trigger via
> > > rcctl reload unbound following warnings in logs:
> > > 
> > > Sep  2 06:37:21 x1c unbound: [32940:0] notice: Restart of unbound 1.16.0.
> > > Sep  2 06:37:21 x1c unbound: [32940:0] warning: setrlimit: Operation not 
> > > permitted
> > > Sep  2 06:37:21 x1c unbound: [32940:0] warning: cannot increase max open 
> > > fds from 512 to 4152
> > > Sep  2 06:37:21 x1c unbound: [32940:0] warning: continuing with less udp 
> > > ports: 460
> > > Sep  2 06:37:21 x1c unbound: [32940:0] warning: increase ulimit or 
> > > decrease threads, ports in config to remove this warning
> > > Sep  2 06:37:21 x1c unbound: [32940:0] notice: init module 0: validator
> > > Sep  2 06:37:21 x1c unbound: [32940:0] notice: init module 1: iterator
> > > 
> > > After placing above login.conf.d login class capability file above
> > > warnings go away:
> > > 
> > > Sep  2 06:39:58 x1c unbound: [14264:0] notice: Restart of unbound 1.16.0.
> > > Sep  2 06:39:58 x1c unbound: [14264:0] notice: init module 0: validator
> > > Sep  2 06:39:58 x1c unbound: [14264:0] notice: init module 1: iterator
> > 
> > As far as i understand, the number of fds that unbound is asking for is
> > based on the num-threads, outgoing-num-tcp, interface and some other setting
> > in the unbound config.
> 
> Those particular settings mentioned I did not modified. However the
> values are not that important. I expected /etc/login.conf.d/unbound to
> be present on a fresh install. More on that below.

It would still be interesting why it wants to increase the limit to 4152.
My list of settings is probably not complete. Show your config if you can.

Support for login.conf.d was added mostly to support ports that need to make
modifications to drop files in there.

I dont expect that the base system will ship with files in login.conf.d
anytime soon.

/B.


> 
> 
> > Did you change any?
> > 
> > We already ship with this
> > 
> > unbound:\
> > :openfiles=512:\
> > :tc=daemon:
> 
> Ah, in the main file. I didn't expect this. I started this email thread
> as I expected daemon which has rc.d script to have separated login class
> capability file:
> 
> # ls -1A /etc/login.conf.d/ | wc -l
>0
> 
> # tar -zvvtf /var/sysmerge/etc.tgz  | grep -c login.conf.d
> 0
> 
> > It is expected that you change login.conf yourself when you tune unbound to
> > your needs.
> 
> Yes, I'm aware. That's what I did, but were surprised that there is no
> pre-existing /etc/login.conf.d/unbound
> 
> However now looking again at this, maybe missing /etc/login.conf.d/
> from base is by design.
> 
> -- 
> Regards,
>  Mikolaj
> 



Re: unbound and cannot increase max open fds from 512 to 4152

2022-09-02 Thread Sebastian Benoit
Stuart Henderson(s...@spacehopper.org) on 2022.09.02 12:16:06 +0100:
> On 2022/09/02 11:25, Sebastian Benoit wrote:
> > > > > Sep  2 06:39:58 x1c unbound: [14264:0] notice: Restart of unbound 
> > > > > 1.16.0.
> > > > > Sep  2 06:39:58 x1c unbound: [14264:0] notice: init module 0: 
> > > > > validator
> > > > > Sep  2 06:39:58 x1c unbound: [14264:0] notice: init module 1: iterator
> > > > 
> > > > As far as i understand, the number of fds that unbound is asking for is
> > > > based on the num-threads, outgoing-num-tcp, interface and some other 
> > > > setting
> > > > in the unbound config.
> > > 
> > > Those particular settings mentioned I did not modified. However the
> > > values are not that important. I expected /etc/login.conf.d/unbound to
> > > be present on a fresh install. More on that below.
> > 
> > It would still be interesting why it wants to increase the limit to 4152.
> > My list of settings is probably not complete. Show your config if you can.
> 
> The key thing here is that it's for reload not startup.
> Easy to reproduce here.

Ah yes, thanks.
So should the default limit be changed?



Re: rpki-client add abort to rrdp

2022-09-02 Thread Sebastian Benoit
Claudio Jeker(cje...@diehard.n-r-g.com) on 2022.09.02 19:55:28 +0200:
> We want to be able to abort RRDP syncs. Now the problem is that depending
> on the state the abort request is more or less complex. What needs to be
> avoided is that a message is received after the corresponding RRDP session
> was removed. It is mainly the RRDP_FILE and RRDP_HTTP_FIN messages that
> cause this.
> 
> So once a RRDP_HTTP_INI message was received the abort code goes through
> most states, it just aborts the internal XML parser and closes the input
> fd.

ok.

> -- 
> :wq Claudio
> 
> Index: extern.h
> ===
> RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v
> retrieving revision 1.151
> diff -u -p -r1.151 extern.h
> --- extern.h  30 Aug 2022 18:56:49 -  1.151
> +++ extern.h  2 Sep 2022 17:41:07 -
> @@ -408,6 +408,7 @@ enum rrdp_msg {
>   RRDP_HTTP_REQ,
>   RRDP_HTTP_INI,
>   RRDP_HTTP_FIN,
> + RRDP_ABORT,
>  };
>  
>  /*
> Index: rrdp.c
> ===
> RCS file: /cvs/src/usr.sbin/rpki-client/rrdp.c,v
> retrieving revision 1.24
> diff -u -p -r1.24 rrdp.c
> --- rrdp.c15 May 2022 16:43:35 -  1.24
> +++ rrdp.c2 Sep 2022 17:54:58 -
> @@ -57,6 +57,7 @@ struct rrdp {
>   struct pollfd   *pfd;
>   int  infd;
>   int  state;
> + int  aborted;
>   unsigned int file_pending;
>   unsigned int file_failed;
>   enum http_result res;
> @@ -73,7 +74,7 @@ struct rrdp {
>   struct delta_xml*dxml;
>  };
>  
> -TAILQ_HEAD(, rrdp)   states = TAILQ_HEAD_INITIALIZER(states);
> +static TAILQ_HEAD(, rrdp)states = TAILQ_HEAD_INITIALIZER(states);
>  
>  char *
>  xstrdup(const char *s)
> @@ -256,7 +257,7 @@ rrdp_failed(struct rrdp *s)
>   /* reset file state before retrying */
>   s->file_failed = 0;
>  
> - if (s->task == DELTA) {
> + if (s->task == DELTA && !s->aborted) {
>   /* fallback to a snapshot as per RFC8182 */
>   free_delta_xml(s->dxml);
>   s->dxml = NULL;
> @@ -289,7 +290,7 @@ rrdp_finished(struct rrdp *s)
>   if (s->file_pending > 0)
>   return;
>  
> - if (s->state & RRDP_STATE_PARSE_ERROR) {
> + if (s->state & RRDP_STATE_PARSE_ERROR || s->aborted) {
>   rrdp_failed(s);
>   return;
>   }
> @@ -372,6 +373,34 @@ rrdp_finished(struct rrdp *s)
>  }
>  
>  static void
> +rrdp_abort_req(struct rrdp *s)
> +{
> + unsigned int id = s->id;
> +
> + s->aborted = 1;
> + if (s->state == RRDP_STATE_REQ) {
> + /* nothing is pending, just abort */
> + rrdp_free(s);
> + rrdp_done(id, 1);
> + return;
> + }
> + if (s->state == RRDP_STATE_WAIT)
> + /* wait for HTTP_INI which will progress the state */
> + return;
> +
> + /*
> +  * RRDP_STATE_PARSE or later, close infd, abort parser but
> +  * wait for HTTP_FIN and file_pending to drop to 0.
> +  */
> + if (s->infd != -1) {
> + close(s->infd);
> + s->infd = -1;
> + s->state |= RRDP_STATE_PARSE_DONE | RRDP_STATE_PARSE_ERROR;
> + }
> + rrdp_finished(s);
> +}
> +
> +static void
>  rrdp_input_handler(int fd)
>  {
>   static struct ibuf *inbuf;
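Review bot: rrdp_abort_req has no header comment stating its lifetime rule, which is the core of this change. The session is freed immediately only in RRDP_STATE_REQ; in every later state it stays allocated until HTTP_FIN arrives and file_pending drops to 0, so that late RRDP_FILE and RRDP_HTTP_FIN messages still find it. The `rrdp_done(id, 1)` call also needs a short comment on what the second argument means for an aborted request, since that is not visible in this hunk. A note such as `/* id saved above: s is presumably invalid after rrdp_free() */` would record why `id` is copied first.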
> @@ -408,12 +437,15 @@ rrdp_input_handler(int fd)
>   errx(1, "expected fd not received");
>   s = rrdp_get(id);
>   if (s == NULL)
> - errx(1, "rrdp session %u does not exist", id);
> + errx(1, "http ini, rrdp session %u does not exist", id);
>   if (s->state != RRDP_STATE_WAIT)
>   errx(1, "%s: bad internal state", s->local);
> -
>   s->infd = b->fd;
>   s->state = RRDP_STATE_PARSE;
> + if (s->aborted) {
> + rrdp_abort_req(s);
> + break;
> + }
>   break;
>   case RRDP_HTTP_FIN:
>   io_read_buf(b, &res, sizeof(res));
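Review bot: The `break;` inside the new `if (s->aborted)` block is redundant, because the next statement is the `break;` that ends the RRDP_HTTP_INI case. Writing just `if (s->aborted)` followed by `rrdp_abort_req(s);` behaves the same and does not suggest that the two paths leave the switch differently. The hunk also removes the blank line that separated the sanity checks from the state update, which made the case easier to scan. rrdp_input_handler starts and ends outside this hunk.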
> @@ -423,20 +455,19 @@ rrdp_input_handler(int fd)
>  
>   s = rrdp_get(id);
>   if (s == NULL)
> - errx(1, "rrdp session %u does not exist", id);
> + errx(1, "http fin, rrdp session %u does not exist", id);
>   if (!(s->state & RRDP_STATE_PARSE))
>   errx(1, "%s: bad internal state", s->local);
> -
> + s->state |= RRDP_STATE_HTTP_DONE;
>   s->res = res;
>   free(s->last_mod);
>   s->last_mod = last_mod;
> - s->state |= RRDP_STATE_HTTP_DONE;
>   rrdp_finished(s);
>   break;
>   case RRDP_FILE:
>   s = rrdp_get(id);
>   if (s == NULL)
> - 

Re: mld6 remove global variable

2022-09-02 Thread Sebastian Benoit
Alexander Bluhm(alexander.bl...@gmx.net) on 2022.09.02 20:38:04 +0200:
> Hi,
> 
> Due to the KAME scope address hack, the link-local all nodes and
> routers IPv6 addresses cannot be const.  So move memory from data
> to stack to make variables MP safe.
> 
> ok?
> 
> bluhm
> 
> Index: netinet6/mld6.c
> ===
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/mld6.c,v
> retrieving revision 1.58
> diff -u -p -r1.58 mld6.c
> --- netinet6/mld6.c   22 Aug 2022 21:02:44 -  1.58
> +++ netinet6/mld6.c   2 Sep 2022 17:43:06 -
> @@ -85,9 +85,6 @@
>  
>  static struct ip6_pktopts ip6_opts;
>  int  mld6_timers_are_running;/* [N] shortcut for fast timer */
> -/* XXX: These are necessary for KAME's link-local hack */
> -static struct in6_addr mld_all_nodes_linklocal = 
> IN6ADDR_LINKLOCAL_ALLNODES_INIT;
> -static struct in6_addr mld_all_routers_linklocal = 
> IN6ADDR_LINKLOCAL_ALLROUTERS_INIT;
>  
>  void mld6_checktimer(struct ifnet *);
>  static void mld6_sendpkt(struct in6_multi *, int, const struct in6_addr *);
> @@ -118,6 +115,9 @@ mld6_init(void)
>  void
>  mld6_start_listening(struct in6_multi *in6m)
>  {
> + /* XXX: These are necessary for KAME's link-local hack */
> + struct in6_addr all_nodes = IN6ADDR_LINKLOCAL_ALLNODES_INIT;
> +
>   /*
>* RFC2710 page 10:
>* The node never sends a Report or Done for the link-scope all-nodes
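Review bot: The comment `/* XXX: These are necessary for KAME's link-local hack */` was carried over from the removed globals and no longer explains the code. Here and in the mld6_input hunk it sits above a single variable, and it does not say why the address is now a per-call copy. A wording such as `/* local copy: the KAME hack stores the interface index in s6_addr16[1], so this cannot be const or shared */` would record the MP-safety reason given in the commit message. mld6_start_listening continues outside this hunk.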
> @@ -125,9 +125,10 @@ mld6_start_listening(struct in6_multi *i
>* MLD messages are never sent for multicast addresses whose scope is 0
>* (reserved) or 1 (node-local).
>*/
> - mld_all_nodes_linklocal.s6_addr16[1] = htons(in6m->in6m_ifidx);/* XXX */
> - if (IN6_ARE_ADDR_EQUAL(&in6m->in6m_addr, &mld_all_nodes_linklocal) ||
> - __IPV6_ADDR_MC_SCOPE(&in6m->in6m_addr) < 
> __IPV6_ADDR_SCOPE_LINKLOCAL) {
> + all_nodes.s6_addr16[1] = htons(in6m->in6m_ifidx);
> + if (IN6_ARE_ADDR_EQUAL(&in6m->in6m_addr, &all_nodes) ||
> + __IPV6_ADDR_MC_SCOPE(&in6m->in6m_addr) <
> + __IPV6_ADDR_SCOPE_LINKLOCAL) {
>   in6m->in6m_timer = 0;
>   in6m->in6m_state = MLD_OTHERLISTENER;
>   } else {
> @@ -143,15 +144,19 @@ mld6_start_listening(struct in6_multi *i
>  void
>  mld6_stop_listening(struct in6_multi *in6m)
>  {
> - mld_all_nodes_linklocal.s6_addr16[1] = htons(in6m->in6m_ifidx);/* XXX */
> - mld_all_routers_linklocal.s6_addr16[1] =
> - htons(in6m->in6m_ifidx); /* XXX: necessary when mrouting */
> + /* XXX: These are necessary for KAME's link-local hack */
> + struct in6_addr all_nodes = IN6ADDR_LINKLOCAL_ALLNODES_INIT;
> + struct in6_addr all_routers = IN6ADDR_LINKLOCAL_ALLROUTERS_INIT;
> +
> + all_nodes.s6_addr16[1] = htons(in6m->in6m_ifidx);
> + /* XXX: necessary when mrouting */
> + all_routers.s6_addr16[1] = htons(in6m->in6m_ifidx);
>  
>   if (in6m->in6m_state == MLD_IREPORTEDLAST &&
> - (!IN6_ARE_ADDR_EQUAL(&in6m->in6m_addr, &mld_all_nodes_linklocal)) &&
> - __IPV6_ADDR_MC_SCOPE(&in6m->in6m_addr) > 
> __IPV6_ADDR_SCOPE_INTFACELOCAL)
> - mld6_sendpkt(in6m, MLD_LISTENER_DONE,
> - &mld_all_routers_linklocal);
> + (!IN6_ARE_ADDR_EQUAL(&in6m->in6m_addr, &all_nodes)) &&
> + __IPV6_ADDR_MC_SCOPE(&in6m->in6m_addr) >
> + __IPV6_ADDR_SCOPE_INTFACELOCAL)
> + mld6_sendpkt(in6m, MLD_LISTENER_DONE, &all_routers);
>  }
>  
>  void
> @@ -163,6 +168,8 @@ mld6_input(struct mbuf *m, int off)
>   struct in6_multi *in6m;
>   struct ifmaddr *ifma;
>   int timer;  /* timer value in the MLD query header */
> + /* XXX: These are necessary for KAME's link-local hack */
> + struct in6_addr all_nodes = IN6ADDR_LINKLOCAL_ALLNODES_INIT;
>  
>   IP6_EXTHDR_GET(mldh, struct mld_hdr *, m, off, sizeof(*mldh));
>   if (mldh == NULL) {
> @@ -239,15 +246,13 @@ mld6_input(struct mbuf *m, int off)
>   timer = ntohs(mldh->mld_maxdelay)*PR_FASTHZ/MLD_TIMER_SCALE;
>   if (timer == 0 && mldh->mld_maxdelay)
>   timer = 1;
> - mld_all_nodes_linklocal.s6_addr16[1] =
> - htons(ifp->if_index); /* XXX */
> + all_nodes.s6_addr16[1] = htons(ifp->if_index);
>  
>   TAILQ_FOREACH(ifma, &ifp->if_maddrlist, ifma_list) {
>   if (ifma->ifma_addr->sa_family != AF_INET6)
>   continue;
>   in6m = ifmatoin6m(ifma);
> - if (IN6_ARE_ADDR_EQUAL(&in6m->in6m_addr,
> - &mld_all_nodes_linklocal) ||
> + if (IN6_ARE_ADDR_EQUAL(&in6m->in6m_addr, &all_nodes) ||
>   __IPV6_ADDR_MC_SCOPE(&in6m->in6m_addr) <
>   __IPV6_ADDR_SCOPE_LINKLOCAL)
>   continue;
> 



Re: mld6 remove global variable

2022-09-02 Thread Sebastian Benoit
that was meant to be an ok :)

Sebastian Benoit(be...@openbsd.org) on 2022.09.02 22:04:41 +0200:
> Alexander Bluhm(alexander.bl...@gmx.net) on 2022.09.02 20:38:04 +0200:
> > Hi,
> > 
> > Due to the KAME scope address hack, the link-local all nodes and
> > routers IPv6 addresses cannot be const.  So move memory from data
> > to stack to make variables MP safe.
> > 
> > ok?
> > 
> > bluhm
> > 
> > Index: netinet6/mld6.c
> > ===
> > RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/mld6.c,v
> > retrieving revision 1.58
> > diff -u -p -r1.58 mld6.c
> > --- netinet6/mld6.c 22 Aug 2022 21:02:44 -  1.58
> > +++ netinet6/mld6.c 2 Sep 2022 17:43:06 -
> > @@ -85,9 +85,6 @@
> >  
> >  static struct ip6_pktopts ip6_opts;
> >  intmld6_timers_are_running;/* [N] shortcut for fast timer 
> > */
> > -/* XXX: These are necessary for KAME's link-local hack */
> > -static struct in6_addr mld_all_nodes_linklocal = 
> > IN6ADDR_LINKLOCAL_ALLNODES_INIT;
> > -static struct in6_addr mld_all_routers_linklocal = 
> > IN6ADDR_LINKLOCAL_ALLROUTERS_INIT;
> >  
> >  void mld6_checktimer(struct ifnet *);
> >  static void mld6_sendpkt(struct in6_multi *, int, const struct in6_addr *);
> > @@ -118,6 +115,9 @@ mld6_init(void)
> >  void
> >  mld6_start_listening(struct in6_multi *in6m)
> >  {
> > +   /* XXX: These are necessary for KAME's link-local hack */
> > +   struct in6_addr all_nodes = IN6ADDR_LINKLOCAL_ALLNODES_INIT;
> > +
> > /*
> >  * RFC2710 page 10:
> >  * The node never sends a Report or Done for the link-scope all-nodes
> > @@ -125,9 +125,10 @@ mld6_start_listening(struct in6_multi *i
> >  * MLD messages are never sent for multicast addresses whose scope is 0
> >  * (reserved) or 1 (node-local).
> >  */
> > -   mld_all_nodes_linklocal.s6_addr16[1] = htons(in6m->in6m_ifidx);/* XXX */
> > -   if (IN6_ARE_ADDR_EQUAL(&in6m->in6m_addr, &mld_all_nodes_linklocal) ||
> > -   __IPV6_ADDR_MC_SCOPE(&in6m->in6m_addr) < 
> > __IPV6_ADDR_SCOPE_LINKLOCAL) {
> > +   all_nodes.s6_addr16[1] = htons(in6m->in6m_ifidx);
> > +   if (IN6_ARE_ADDR_EQUAL(&in6m->in6m_addr, &all_nodes) ||
> > +   __IPV6_ADDR_MC_SCOPE(&in6m->in6m_addr) <
> > +   __IPV6_ADDR_SCOPE_LINKLOCAL) {
> > in6m->in6m_timer = 0;
> > in6m->in6m_state = MLD_OTHERLISTENER;
> > } else {
> > @@ -143,15 +144,19 @@ mld6_start_listening(struct in6_multi *i
> >  void
> >  mld6_stop_listening(struct in6_multi *in6m)
> >  {
> > -   mld_all_nodes_linklocal.s6_addr16[1] = htons(in6m->in6m_ifidx);/* XXX */
> > -   mld_all_routers_linklocal.s6_addr16[1] =
> > -   htons(in6m->in6m_ifidx); /* XXX: necessary when mrouting */
> > +   /* XXX: These are necessary for KAME's link-local hack */
> > +   struct in6_addr all_nodes = IN6ADDR_LINKLOCAL_ALLNODES_INIT;
> > +   struct in6_addr all_routers = IN6ADDR_LINKLOCAL_ALLROUTERS_INIT;
> > +
> > +   all_nodes.s6_addr16[1] = htons(in6m->in6m_ifidx);
> > +   /* XXX: necessary when mrouting */
> > +   all_routers.s6_addr16[1] = htons(in6m->in6m_ifidx);
> >  
> > if (in6m->in6m_state == MLD_IREPORTEDLAST &&
> > -   (!IN6_ARE_ADDR_EQUAL(&in6m->in6m_addr, &mld_all_nodes_linklocal)) &&
> > -   __IPV6_ADDR_MC_SCOPE(&in6m->in6m_addr) > 
> > __IPV6_ADDR_SCOPE_INTFACELOCAL)
> > -   mld6_sendpkt(in6m, MLD_LISTENER_DONE,
> > -   &mld_all_routers_linklocal);
> > +   (!IN6_ARE_ADDR_EQUAL(&in6m->in6m_addr, &all_nodes)) &&
> > +   __IPV6_ADDR_MC_SCOPE(&in6m->in6m_addr) >
> > +   __IPV6_ADDR_SCOPE_INTFACELOCAL)
> > +   mld6_sendpkt(in6m, MLD_LISTENER_DONE, &all_routers);
> >  }
> >  
> >  void
> > @@ -163,6 +168,8 @@ mld6_input(struct mbuf *m, int off)
> > struct in6_multi *in6m;
> > struct ifmaddr *ifma;
> > int timer;  /* timer value in the MLD query header */
> > +   /* XXX: These are necessary for KAME's link-local hack */
> > +   struct in6_addr all_nodes = IN6ADDR_LINKLOCAL_ALLNODES_INIT;
> >  
> > IP6_EXTHDR_GET(mldh, struct mld_hdr *, m, off, sizeof(*mldh));
> > if (mldh == NULL) {
> > @@ -239,15 +246,13 @@ mld6_input(struct mbuf *m, int off)
> > timer = ntohs(mldh->mld_maxdelay)*PR_FASTH

Re: rpki-client stop all repo fetching a bit before the timeout

2022-09-02 Thread Sebastian Benoit
Claudio Jeker(cje...@diehard.n-r-g.com) on 2022.09.02 22:02:33 +0200:
> Let's try to finish work by stopping all syncs and falling back to what we
> have in cache after 7/8 of the timeout (timeout - 1/2 repo_timeout).
> This way we still have 1/8 of time to finish the calculation and produce
> output.
> 
> Tested this diff by setting the deadline to fire after 60sec.

ok


> -- 
> :wq Claudio
> 
> Index: main.c
> ===
> RCS file: /cvs/src/usr.sbin/rpki-client/main.c,v
> retrieving revision 1.217
> diff -u -p -r1.217 main.c
> --- main.c2 Sep 2022 19:14:04 -   1.217
> +++ main.c2 Sep 2022 19:58:19 -
> @@ -66,6 +66,7 @@ int noop;
>  int  filemode;
>  int  rrdpon = 1;
>  int  repo_timeout;
> +time_t   deadline;
>  
>  struct skiplist skiplist = LIST_HEAD_INITIALIZER(skiplist);
>  
> @@ -1044,6 +1045,9 @@ main(int argc, char *argv[])
>*/
>   alarm(timeout);
>   signal(SIGALRM, suicide);
> +
> + /* give up a bit before the hard timeout and try to finish up */
> + deadline = getmonotime() + timeout - repo_timeout / 2;
>   }
>  
>   if (pledge("stdio rpath wpath cpath fattr sendfd unveil", NULL) == -1)
> Index: repo.c
> ===
> RCS file: /cvs/src/usr.sbin/rpki-client/repo.c,v
> retrieving revision 1.38
> diff -u -p -r1.38 repo.c
> --- repo.c2 Sep 2022 19:10:37 -   1.38
> +++ repo.c2 Sep 2022 19:15:41 -
> @@ -41,6 +41,8 @@ extern struct stats stats;
>  extern int   noop;
>  extern int   rrdpon;
>  extern int   repo_timeout;
> +extern time_tdeadline;
> +int  nofetch;
>  
>  enum repo_state {
>   REPO_LOADING = 0,
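Review bot: `int nofetch;` is a definition with external linkage placed directly under the `extern` declarations, where it is easy to misread as one of them. Every use visible in this diff (repo_done, rrdp_finish, repo_lookup, repo_check_timeout) is in repo.c. Unless another file refers to it, `static int nofetch;` set apart from the extern block would keep the flag private, with a comment such as `/* set once the run deadline has passed: no further network fetches */`.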
> @@ -288,7 +290,7 @@ repo_done(const void *vp, int ok)
>   if (vp == rp->rsync)
>   entityq_flush(&rp->queue, rp);
>   if (vp == rp->rrdp) {
> - if (!ok) {
> + if (!ok && !nofetch) {
>   /* try to fall back to rsync */
>   rp->rrdp = NULL;
>   rp->rsync = rsync_get(rp->repouri,
> @@ -937,8 +939,8 @@ rrdp_finish(unsigned int id, int ok)
>   stats.rrdp_repos++;
>   rr->state = REPO_DONE;
>   } else {
> - warnx("%s: load from network failed, fallback to rsync",
> - rr->notifyuri);
> + warnx("%s: load from network failed, fallback to %s",
> + rr->notifyuri, nofetch ? "cache" : "rsync");
>   stats.rrdp_fails++;
>   rr->state = REPO_FAILED;
>   /* clear the RRDP repo since it failed */
> @@ -1044,7 +1046,6 @@ repo_lookup(int talid, const char *uri, 
>  {
>   struct repo *rp;
>   char*repouri;
> - int  nofetch = 0;
>  
>   if ((repouri = rsync_base_uri(uri)) == NULL)
>   errx(1, "bad caRepository URI: %s", uri);
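Review bot: Removing the local `int nofetch = 0;` means any assignment to `nofetch` in the rest of repo_lookup (outside this hunk) now writes the file-scope flag, which is never reset. A decision that used to apply to one lookup would then stay in force for the whole run and would also change the behaviour of repo_done and the message in rrdp_finish. If repo_lookup does set the flag for a per-repository reason, it should keep its own local under a different name, for example `int skip = nofetch;`, and leave the global to the deadline code. repo_lookup's body continues outside the hunk, so this needs checking against the full function.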
> @@ -1223,8 +1224,26 @@ repo_check_timeout(int timeout)
>  {
>   struct repo *rp;
>   time_t   now;
> + int  diff;
>  
>   now = getmonotime();
> +
> + /* check against our runtime deadline first */
> + if (deadline != 0) {
> + if (deadline <= now) {
> + warnx("deadline reached, giving up on repository sync");
> + nofetch = 1;
> + /* clear deadline since nofetch is set */
> + deadline = 0;
> + /* increase now enough so that all pending repos fail */
> + now += repo_timeout;
> + } else {
> + diff = deadline - now;
> + diff *= 1000;
> + if (timeout == INFTIM || diff < timeout)
> + timeout = diff;
> + }
> + }
>   /* Look up in repository table. (Lookup should actually fail here) */
>   SLIST_FOREACH(rp, &repos, entry) {
>   if (repo_state(rp) == REPO_LOADING) {
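Review bot: `diff` is an `int`, but it receives the `time_t` difference `deadline - now` and is then multiplied by 1000, so the millisecond value overflows `int` once the remaining time exceeds about 2147483 seconds. Whether `timeout` is capped below that is not visible here. The `rp->alarm - now` computation in the loop below now shares the same variable and has the same shape. Clamping before the multiply keeps the returned poll timeout well defined, e.g. `if (deadline - now > INT_MAX / 1000) diff = INT_MAX; else diff = (deadline - now) * 1000;`. repo_check_timeout continues outside this hunk.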
> @@ -1233,7 +1252,7 @@ repo_check_timeout(int timeout)
>   rp->repouri);
>   repo_abort(rp);
>   } else {
> - int diff = rp->alarm - now;
> + diff = rp->alarm - now;
>   diff *= 1000;
>   if (timeout == INFTIM || diff < timeout)
>   timeout = diff;
> 



rpki-client 8.0 released

2022-09-11 Thread Sebastian Benoit
rpki-client 8.0 has just been released and will be available in the
rpki-client directory of any OpenBSD mirror soon.

rpki-client is a FREE, easy-to-use implementation of the Resource
Public Key Infrastructure (RPKI) for Relying Parties (RP) to
facilitate validation of BGP announcements. The program queries the
global RPKI repository system and validates untrusted network inputs.
The program outputs validated ROA payloads, BGPsec Router keys, and
ASPA payloads in configuration formats suitable for OpenBGPD and BIRD,
and supports emitting CSV and JSON for consumption by other routing
stacks.

See RFC 6480 and RFC 6811 for a description of how RPKI and BGP Prefix
Origin Validation help secure the global Internet routing system.

rpki-client was primarily developed by Kristaps Dzonsons, Claudio
Jeker, Job Snijders, Theo Buehler, Theo de Raadt and Sebastian Benoit
as part of the OpenBSD Project.

This release includes the following changes to the previous release:

* Add support for validating Autonomous System Provider Authorization
  (ASPA) objects conforming to draft-ietf-sidrops-aspa-profile-10.
  Validated ASPA payloads are visible in JSON and filemode (-f) output.
* Set rsync connection I/O idle timeout to 15 seconds.
* Unify the maximum idle I/O and connect timeouts for RSYNC & HTTPS.
* Rpki-client now performs stricter EE certificate validation:
- Disallow AS Resources extensions in ROA EE certificates.
- Disallow Subject Information Access (SIA) extensions in RPKI
  Signed Checklist (RSC) EE certs.
- Check the resources in ROAs and RSCs against EE certs.
* Improve readability and add various information being printed in
  verbose mode.
* Extend filemode (-f) output and print X.509 certificates in PEM
  format when increased verbosity (-vv) is specified.
* Shorten the RRDP I/O idle timeout.
* Introduce a deadline timer that aborts all repository synchronization
  after seven eighths of timeout (-s). With this rpki-client has improved
  chances to complete and produce an output even when a CA is excessively
  slow.
* Abort a currently running RRDP request process when the per-repository
  timeout is reached.
* Permit multiple AccessDescription entries in SIA X.509 extensions. While
  fetching from secondary locations is not yet supported, rpki-client will
  not treat their occurrence as a fatal error.
* Resolve a potential for a race condition in non-atomic RRDP deltas.
* Fix some memory leaks.
* Improve compliance with the HTTP protocol specification.

rpki-client works on all operating systems with a libcrypto library
based on OpenSSL 1.1 or LibreSSL 3.5, and a libtls library compatible
with LibreSSL 3.5 or later.

rpki-client is known to compile and run on at least the following
operating systems: Alpine, CentOS, Debian, Fedora, FreeBSD, Red Hat,
Rocky, Ubuntu, macOS, and of course OpenBSD!

It is our hope that packagers take interest and help adapt
rpki-client-portable to more distributions.

The mirrors where rpki-client can be found are on
https://www.rpki-client.org/portable.html

Reporting Bugs:
===

General bugs may be reported to tech@openbsd.org

Portable bugs may be filed at
https://github.com/rpki-client/rpki-client-portable

We welcome feedback and improvements from the broader community.
Thanks to all of the contributors who helped make this release
possible.

Assistance to coordinate security issues is available via
secur...@openbsd.org.



Re: wc(1): add -L flag to write length of longest line

2022-10-01 Thread Sebastian Benoit
Theo de Raadt(dera...@openbsd.org) on 2022.09.30 11:11:42 -0600:
> I'm sure there are other people have other desireable features which I
> haven't listed. For instance, could wc.c be the scaffold to use for the
> long-desired web browser to be included in OpenBSD?

Oh, it's clearly incomplete until it can send its result by mail.



Re: tzset(3): update man page to reality

2022-10-03 Thread Sebastian Benoit
Todd C. Miller(mill...@openbsd.org) on 2022.10.03 13:32:22 -0600:
> On Mon, 03 Oct 2022 13:27:05 -0600, "Todd C. Miller" wrote:
> 
> > We did not document tzname, timezone or daylight and the rules
> > regarding pathnames was not entirely clear.

reads ok to me

> > I think it is worth mentioning that unless your program calls
> > chroot(2), you probably don't need to call tzset(3).

good idea

> > Opinions?
> 
> Now including examples of the pathname format.

ok benno@

>  - todd
> 
> Index: lib/libc/time/tzset.3
> ===
> RCS file: /cvs/src/lib/libc/time/tzset.3,v
> retrieving revision 1.25
> diff -u -p -u -r1.25 tzset.3
> --- lib/libc/time/tzset.3 23 Sep 2022 17:29:22 -  1.25
> +++ lib/libc/time/tzset.3 3 Oct 2022 19:32:05 -
> @@ -8,62 +8,103 @@
>  .Nd initialize time conversion information
>  .Sh SYNOPSIS
>  .In time.h
> +.Vt extern char *tzname[2];
> +.Vt extern long  timezone;
> +.Vt extern long  daylight;
>  .Ft void
>  .Fn tzset "void"
>  .Ft void
>  .Fn tzsetwall "void"
>  .Sh DESCRIPTION
> +The
>  .Fn tzset
> -uses the value of the environment variable
> +function uses the value of the environment variable
>  .Ev TZ
> -to set time conversion information used by
> +to set the time conversion information used by
>  .Xr localtime 3 .
> -If
> -.Ev TZ
> -does not appear in the environment,
> -or if the calling process has changed its user or group ID,
> -the best available approximation to local wall clock time, as specified
> -by the
> -.Xr tzfile 5
> -format file
> -.Pa /etc/localtime ,
> -is used by
> +It also sets the following external variables:
> +.Bl -tag -width "tzname[2]"
> +.It Vt tzname[2]
> +the designations for standard and daylight saving time, see the description 
> of
> +.Ar std No and Ar dst
> +below
> +.It Vt timezone
> +the number of seconds West of UTC
> +.It Vt daylight
> +0 if the time zone has never observed daylight saving time, otherwise
> +non-zero
> +.El
> +.Pp
> +Most programs do not need to call
> +.Fn tzset
> +directly, it will be called automatically as needed by the functions
> +described in
>  .Xr localtime 3 .
> +Privileged processes that use
> +.Xr chroot 2
> +may wish to call
> +.Fn tzset
> +to initialize the time conversion information before changing to
> +a restricted root directory that does not include time conversion
> +data files.
>  .Pp
>  If
>  .Ev TZ
> -appears in the environment but its value is a null string,
> -Coordinated Universal Time (UTC) is used (without leap second
> -correction).
> +does not appear in the environment, or if the calling process has
> +changed its user or group ID, the system time zone file,
> +.Pa /etc/localtime ,
> +is used.
>  .Pp
>  If
>  .Ev TZ
> -appears in the environment and its value begins with a colon,
> -it is used as the pathname of a file
> -from which to read the time conversion information.
> +appears in the environment it may be one of two formats:
> +.Bl -bullet
> +.It
> +the pathname of a
> +.Xr tzfile 5
> +format file from which to read the time conversion information,
> +optionally prefixed with a colon
> +.Pq Ql \&: ,
> +such as
> +.Dq :America/Denver
> +or
> +.Dq Europe/Berlin .
> +.It
> +a string that directly specifies the time conversion information
> +(see below) which may not begin with a colon
> +.Pq Ql \&:
> +.El
>  .Pp
>  If
>  .Ev TZ
>  appears in the environment and its value does not begin with a colon,
>  it is first used as the
> -pathname of a file from which to read the time conversion information,
> +pathname of a
> +.Xr tzfile 5
> +format file from which to read the time conversion information,
>  and, if that file cannot be read, is used directly as a specification of
>  the time conversion information.
> +A value beginning with a colon
> +.Pq Ql \&:
> +is always treated as a pathname.
> +.Pp
> +If
> +.Ev TZ
> +it set to the empty string, Coordinated Universal Time (UTC) is
> +used (without leap second correction).
>  .Pp
>  When
>  .Ev TZ
> -is used as a pathname, it must be relative to the system time
> +is used as a pathname, it must either be a path relative to the system time
>  conversion information directory,
> -.Pa /usr/share/zoneinfo .
> -If
> -.Ev TZ
> -begins with a
> -.Ql /
> -or contains
> +.Pa /usr/share/zoneinfo
> +or an absolute path that begins with
> +.Pa /usr/share/zoneinfo/ .
> +Other absolute paths, or paths that contain
>  .Ql \&../ ,
> -it is ignored and the system local time zone file,
> +will be ignored and the system local time zone file,
>  .Pa /etc/localtime ,
> -is used instead.
> +will be used instead.
>  The file must be in the format specified in
>  .Xr tzfile 5 .
>  .Pp
> @@ -74,7 +115,7 @@ it must have the following syntax (witho
>  .Ar std
>  and
>  .Ar offset ) :
> -.Bd -ragged -offset indent
> +.Bd -offset indent
>  .Ar std
>  .Sm off
>  .Ar offset
> @@ -88,23 +129,23 @@ Where:
>  .It Ar std No and Ar dst
>  Three or more bytes that are the designation for the standard
> 

rpki-client 8.5 has been released

2023-07-29 Thread Sebastian Benoit
rpki-client 8.5 has just been released and will be available in the
rpki-client directory of any OpenBSD mirror soon.

rpki-client is a FREE, easy-to-use implementation of the Resource
Public Key Infrastructure (RPKI) for Relying Parties (RP) to
facilitate validation of BGP announcements. The program queries the
global RPKI repository system and validates untrusted network inputs.
The program outputs validated ROA payloads, BGPsec Router keys, and
ASPA payloads in configuration formats suitable for OpenBGPD and BIRD,
and supports emitting CSV and JSON for consumption by other routing
stacks.

See RFC 6480 and RFC 6811 for a description of how RPKI and BGP Prefix
Origin Validation help secure the global Internet routing system.

rpki-client was primarily developed by Kristaps Dzonsons, Claudio
Jeker, Job Snijders, Theo Buehler, Theo de Raadt and Sebastian Benoit
as part of the OpenBSD Project.

This release includes the following changes to the previous release:

- ASPA support was updated to draft-ietf-sidrops-aspa-profile-16.
  As part of supporting AFI-agnostic ASPAs, the JSON syntax for
  Validated ASPA Payloads changed in both filemode and normal output.

- Support for gzip and deflate HTTP Content-Encoding compression was
  added. This allows web servers to send RRDP XML in compressed form,
  saving around 50% of bandwidth. Zlib was added as a dependency.

- File modification timestamps of objects retrieved via RRDP are now
  deterministically set to prepare the on-disk cache for seamless
  failovers from RRDP to RSYNC. See draft-ietf-sidrops-cms-signing-time
  for more information.

- A 30%-50% performance improvement was achieved through libcrypto's
  partial chains certificate validation feature. Already validated
  non-inheriting CA certificates are now marked as trusted roots. This
  way it can be ensured that a leaf's delegated resources are properly
  covered, and at the same time most validation paths are significantly
  shortened.

- Improved detection of RRDP session desynchronization: a check was
  added to compare whether the delta hashes associated to previously
  seen serials are different in newly fetched notification files.

- Improved handling of RRDP deltas in which objects are published,
  withdrawn, and published again.

- A check to disallow duplicate X.509 certificate extensions was added.

- A check to disallow empty sets of IP Addresses or AS numbers in RFC
  3779 extensions was added.

- A compliance check for the proper X.509 Certificate version and CRL
  version was added.

- A warning is printed when the CMS signing-time attribute in a Signed
  Object is missing.

- Warnings about unrecoverable message digest mismatches now include the
  manifestNumber to aid debugging the cause.

- A check was added to disallow multiple RRDP publish elements for the
  same file in RRDP snapshots. If this error condition is encountered,
  the RRDP transfer is failed and the RP falls back to rsync.

- A compliance check was added to ensure CMS Signed Objects contain
  SignedData, in accordance with RFC 6488 section 3 checklist item 1a.

- Compliance checks were added for the version, KeyUsage, and
  ExtendedKeyUsage of EE certificates in Manifest, TAK, and GBR Signed
  Objects.

- A CMS signing-time value being after the X.509 notAfter timestamp was
  downgraded from an error to a warning.

- A bug was fixed in the handling of CA certificates which inherit IP
  resources.

rpki-client works on all operating systems with a libcrypto library
based on OpenSSL 1.1 or LibreSSL 3.5, a libtls library compatible
with LibreSSL 3.5 or later, and zlib.

rpki-client is known to compile and run on at least the following
operating systems: Alpine, CentOS, Debian, Fedora, FreeBSD, Red Hat,
Rocky, Ubuntu, macOS, and of course OpenBSD!

It is our hope that packagers take interest and help adapt
rpki-client-portable to more distributions.

The mirrors where rpki-client can be found are on
https://www.rpki-client.org/portable.html

Reporting Bugs:
===

General bugs may be reported to tech@openbsd.org

Portable bugs may be filed at
https://github.com/rpki-client/rpki-client-portable

We welcome feedback and improvements from the broader community.
Thanks to all of the contributors who helped make this release
possible.

Assistance to coordinate security issues is available via
secur...@openbsd.org.



rpki-client 8.6 has been released

2023-10-04 Thread Sebastian Benoit
rpki-client 8.6 has just been released and will be available in the
rpki-client directory of any OpenBSD mirror soon.

rpki-client is a FREE, easy-to-use implementation of the Resource
Public Key Infrastructure (RPKI) for Relying Parties (RP) to
facilitate validation of BGP announcements. The program queries the
global RPKI repository system and validates untrusted network inputs.
The program outputs validated ROA payloads, BGPsec Router keys, and
ASPA payloads in configuration formats suitable for OpenBGPD and BIRD,
and supports emitting CSV and JSON for consumption by other routing
stacks.

See RFC 6480 and RFC 6811 for a description of how RPKI and BGP Prefix
Origin Validation help secure the global Internet routing system.

rpki-client was primarily developed by Kristaps Dzonsons, Claudio
Jeker, Job Snijders, Theo Buehler, Theo de Raadt and Sebastian Benoit
as part of the OpenBSD Project.

This release includes the following changes to the previous release:

- A compliance check was added to ensure the X.509 Subject only
  contains commonName and optionally serialNumber.

- A compliance check was added to ensure that the CMS SignedData and
  SignerInfo versions are 3.

- Fisher-Yates shuffle the order in which Manifest entries are
  processed. Previously, work items were enqueued in the order the CA
  intended them to appear on a Manifest. However, there is no obvious
  benefit to third parties deciding the order in which things are
  processed. Now the Manifest ordering is randomized (as the order has
  no meaning anyway), and the number of concurrent repository
  synchronization operations is limited & timeboxed.

- Various refactoring work.

rpki-client works on all operating systems with a libcrypto library
based on OpenSSL 1.1 or LibreSSL 3.5, a libtls library compatible
with LibreSSL 3.5 or later, and zlib.

rpki-client is known to compile and run on at least the following
operating systems: Alpine, CentOS, Debian, Fedora, FreeBSD, Red Hat,
Rocky, Ubuntu, macOS, and of course OpenBSD!

It is our hope that packagers take interest and help adapt
rpki-client-portable to more distributions.

The mirrors where rpki-client can be found are on
https://www.rpki-client.org/portable.html

Reporting Bugs:
===

General bugs may be reported to tech@openbsd.org

Portable bugs may be filed at
https://github.com/rpki-client/rpki-client-portable

We welcome feedback and improvements from the broader community.
Thanks to all of the contributors who helped make this release
possible.

Assistance to coordinate security issues is available via
secur...@openbsd.org.



Re: log.c use buffered IO

2023-10-17 Thread Sebastian Benoit
Theo Buehler(t...@theobuehler.org) on 2023.10.17 09:13:15 +0200:
> On Mon, Oct 16, 2023 at 12:19:17PM +0200, Claudio Jeker wrote:
> > I dislike how log.c does all these asprintf() calls with dubious
> > workaround calls in case asprintf() fails.
> 
> You're not alone.
> 
> > IMO it is easier to use the stdio provided buffers and fflush() to get
> > "atomic" writes on stderr. At least from my understanding this is the
> > reason to go to all this length to do a single fprintf call.
> 
> This makes sense, but I don't know the history here.

as far as i can remember, it was done so it would still be able to work
somewhat when out of memory.
 
> > We need this since in privsep daemons can log from multiple processes
> > concurrently and we want the log to be not too mangled.
> > 
> > While there also use one static buffer to handle log_warn() and vfatalc()
> > where the error message is first expanded and then printed with
> > logit(LOG_ERR, "%s: %s", fmtbuf, strerror(saved_errno));
> > 
> > Any opinions?
> 
> I like this much better than the existing code.
> 
> ok tb, one small request inline
> 
> > -- 
> > :wq Claudio
> > 
> > Index: log.c
> > ===
> > RCS file: /cvs/src/usr.sbin/bgpd/log.c,v
> > retrieving revision 1.64
> > diff -u -p -r1.64 log.c
> > --- log.c   21 Mar 2017 12:06:55 -  1.64
> > +++ log.c   16 Oct 2023 09:42:55 -
> > @@ -29,6 +29,7 @@
> >  static int  debug;
> >  static int  verbose;
> >  static const char  *log_procname;
> > +static char logbuf[4096], fmtbuf[4096];
> >  
> >  void
> >  log_init(int n_debug, int facility)
> > @@ -41,6 +42,8 @@ log_init(int n_debug, int facility)
> >  
> > if (!debug)
> > openlog(__progname, LOG_PID | LOG_NDELAY, facility);
> > +   else
> > +   setvbuf(stderr, logbuf, _IOFBF, sizeof(logbuf));

can you turn this around (if (debug) ...)

> > tzset();
> >  }
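Review bot: The `setvbuf(stderr, logbuf, _IOFBF, sizeof(logbuf))` call in log_init() keeps a log line in one write only while the formatted line fits in the 4096-byte buffer. A longer line is presumably pushed out by stdio in several pieces before the fflush() in vlog(), so lines from concurrently logging privsep processes can still interleave in that case. The return value of setvbuf() is also ignored, so a failure would silently leave stderr in its default buffering mode. I would record the limit next to the call, for example `/* lines longer than sizeof(logbuf) are written in several pieces */`.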
> > @@ -77,18 +80,11 @@ logit(int pri, const char *fmt, ...)
> >  void
> >  vlog(int pri, const char *fmt, va_list ap)
> >  {
> > -   char*nfmt;
> > int  saved_errno = errno;
> >  
> > if (debug) {
> 
> Could log_init() and vlog() either both use if (debug) or both if (!debug),
> please? Missing the ! in log_init() confused me for a few minutes since it
> looked wrong.

yes please :)

> 
> > -   /* best effort in out of mem situations */
> > -   if (asprintf(&nfmt, "%s\n", fmt) == -1) {
> > -   vfprintf(stderr, fmt, ap);
> > -   fprintf(stderr, "\n");
> > -   } else {
> > -   vfprintf(stderr, nfmt, ap);
> > -   free(nfmt);
> > -   }
> > +   vfprintf(stderr, fmt, ap);
> > +   fprintf(stderr, "\n");
> > fflush(stderr);
> > } else
> > vsyslog(pri, fmt, ap);
> > @@ -99,7 +95,6 @@ vlog(int pri, const char *fmt, va_list a
> >  void
> >  log_warn(const char *emsg, ...)
> >  {
> > -   char*nfmt;
> > va_list  ap;
> > int  saved_errno = errno;
> >  
> > @@ -108,16 +103,8 @@ log_warn(const char *emsg, ...)
> > logit(LOG_ERR, "%s", strerror(saved_errno));
> > else {
> > va_start(ap, emsg);
> > -
> > -   if (asprintf(&nfmt, "%s: %s", emsg,
> > -   strerror(saved_errno)) == -1) {
> > -   /* we tried it... */
> > -   vlog(LOG_ERR, emsg, ap);
> > -   logit(LOG_ERR, "%s", strerror(saved_errno));
> > -   } else {
> > -   vlog(LOG_ERR, nfmt, ap);
> > -   free(nfmt);
> > -   }
> > +   (void)vsnprintf(fmtbuf, sizeof(fmtbuf), emsg, ap);
> > +   logit(LOG_ERR, "%s: %s", fmtbuf, strerror(saved_errno));
> > va_end(ap);
> > }
> >  
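Review bot: The `(void)vsnprintf(fmtbuf, sizeof(fmtbuf), emsg, ap);` call in log_warn() discards the return value, so a message longer than the buffer is cut without any marker in the log; the vfatalc() hunk further down uses the same shared static buffer in the same way. The removed asprintf() path had no fixed cap, so this is a new limit that an operator reading the logs cannot see. At minimum it deserves a comment at the call, for example `/* fmtbuf is shared with vfatalc(); output longer than sizeof(fmtbuf) is truncated */`. log_warn's body begins outside this hunk.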
> > @@ -159,21 +146,20 @@ log_debug(const char *emsg, ...)
> >  static void
> >  vfatalc(int code, const char *emsg, va_list ap)
> >  {
> > -   static char s[BUFSIZ];
> > const char  *sep;
> >  
> > if (emsg != NULL) {
> > -   (void)vsnprintf(s, sizeof(s), emsg, ap);
> > +   (void)vsnprintf(fmtbuf, sizeof(fmtbuf), emsg, ap);
> > sep = ": ";
> > } else {
> > -   s[0] = '\0';
> > +   fmtbuf[0] = '\0';
> > sep = "";
> > }
> > if (code)
> > logit(LOG_CRIT, "fatal in %s: %s%s%s",
> > -   log_procname, s, sep, strerror(code));
> > +   log_procname, fmtbuf, sep, strerror(code));
> > else
> > -   logit(LOG_CRIT, "fatal in %s%s%s", log_procname, sep, s);
> > +   logit(LOG_CRIT, "fatal in %s%s%s", log_procname, sep, fmtbuf);
> >  }
> >  
> >  void
> > 
> 



Re: Improve IPv6 link-local support in bgpd

2023-10-17 Thread Sebastian Benoit
Claudio Jeker(cje...@diehard.n-r-g.com) on 2023.10.16 09:23:12 +0200:
> This diff fixes a few more things when establishing connections with
> link-local IPv6 addresses. In get_alternate_addr() the interface scope
> of the connection is recovered and then passed to the RDE. The RDE can
> then use this scope id to insert link-local addresses with the correct
> scope.

looks good.
 
> I built a regress test for this which passes with this diff.
> Now probably more is needed because IPv6 link-local addresses are a gift
> that keep on giving. One thing to implement on top of this is template
> matching for link local -- which allows to auto-configure sessions more
> easily. This will probably follow soon.

it would be nice if that could match just on interfaces. As in "neighbor
", with some syntactic sugar so its clear this is for
link-local?

 
> -- 
> :wq Claudio
> 
> Index: bgpd.h
> ===
> RCS file: /cvs/src/usr.sbin/bgpd/bgpd.h,v
> retrieving revision 1.477
> diff -u -p -r1.477 bgpd.h
> --- bgpd.h30 Aug 2023 08:16:28 -  1.477
> +++ bgpd.h9 Oct 2023 13:50:36 -
> @@ -796,6 +796,7 @@ struct session_up {
>   struct bgpd_addrremote_addr;
>   struct capabilities capa;
>   uint32_tremote_bgpid;
> + unsigned intif_scope;
>   uint16_tshort_as;
>  };
>  
> @@ -1439,6 +1440,7 @@ void kr_ifinfo(char *);
>  void  kr_net_reload(u_int, uint64_t, struct network_head *);
>  int   kr_reload(void);
>  int   get_mpe_config(const char *, u_int *, u_int *);
> +uint8_t   mask2prefixlen(sa_family_t, struct sockaddr *);
>  
>  /* log.c */
>  void  log_peer_info(const struct peer_config *, const char *, ...)
> Index: kroute.c
> ===
> RCS file: /cvs/src/usr.sbin/bgpd/kroute.c,v
> retrieving revision 1.305
> diff -u -p -r1.305 kroute.c
> --- kroute.c  1 Jun 2023 09:47:34 -   1.305
> +++ kroute.c  9 Oct 2023 13:54:25 -
> @@ -168,8 +168,6 @@ struct kroute6*kroute6_match(struct kta
>  void  kroute_detach_nexthop(struct ktable *, struct knexthop *);
>  
>  uint8_t  prefixlen_classful(in_addr_t);
> -uint8_t  mask2prefixlen(in_addr_t);
> -uint8_t  mask2prefixlen6(struct sockaddr_in6 *);
>  uint64_t ift2ifm(uint8_t);
>  const char   *get_media_descr(uint64_t);
>  const char   *get_linkstate(uint8_t, int);
> @@ -2419,21 +2417,28 @@ prefixlen_classful(in_addr_t ina)
>   return (8);
>  }
>  
> -uint8_t
> -mask2prefixlen(in_addr_t ina)
> +static uint8_t
> +mask2prefixlen4(struct sockaddr_in *sa_in)
>  {
> + in_addr_t ina;
> +
> + if (sa_in->sin_len == 0)
> + return (0);
> + ina = sa_in->sin_addr.s_addr;
>   if (ina == 0)
>   return (0);
>   else
>   return (33 - ffs(ntohl(ina)));
>  }
>  
> -uint8_t
> +static uint8_t
>  mask2prefixlen6(struct sockaddr_in6 *sa_in6)
>  {
>   uint8_t *ap, *ep;
>   u_intl = 0;
>  
> + if (sa_in6->sin6_len == 0)
> + return (0);
>   /*
>* sin6_len is the size of the sockaddr so subtract the offset of
>* the possibly truncated sin6_addr struct.
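Review bot: The new `mask2prefixlen4()` reads all four bytes of `sin_addr.s_addr` after checking only that `sin_len` is non-zero, whereas `mask2prefixlen6()` just below explicitly accounts for a possibly truncated address. If an IPv4 netmask sockaddr can also arrive shortened (not visible from this hunk), the bytes past `sin_len` are not part of the mask and should not contribute to the prefix length. Copying only the bytes covered by `sin_len` into a zeroed value would make the two helpers consistent. The body of mask2prefixlen6 continues outside this hunk.
```c
static uint8_t
mask2prefixlen4(struct sockaddr_in *sa_in)
{
	in_addr_t ina = 0;
	size_t off = offsetof(struct sockaddr_in, sin_addr);
	size_t len;

	if (sa_in->sin_len <= off)
		return (0);
	/* use only the address bytes that sin_len says are present */
	len = sa_in->sin_len - off;
	if (len > sizeof(ina))
		len = sizeof(ina);
	memcpy(&ina, &sa_in->sin_addr, len);
	/* ... unchanged: ina == 0 check and ffs() computation ... */
```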
> @@ -2480,6 +2485,19 @@ mask2prefixlen6(struct sockaddr_in6 *sa_
>   return (l);
>  }
>  
> +uint8_t
> +mask2prefixlen(sa_family_t af, struct sockaddr *mask)
> +{
> + switch (af) {
> + case AF_INET:
> + return mask2prefixlen4((struct sockaddr_in *)mask);
> + case AF_INET6:
> + return mask2prefixlen6((struct sockaddr_in6 *)mask);
> + default:
> + fatalx("%s: unsupported af", __func__);
> + }
> +}
> +
>  const struct if_status_description
>   if_status_descriptions[] = LINK_STATE_DESCRIPTIONS;
>  const struct ifmedia_description
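Review bot: The newly exported `mask2prefixlen()` casts `mask` according to `af` and hands it to helpers that dereference it, but nothing states its preconditions. The call sites in dispatch_rtmsg_addr() shown later in this diff reach the static helpers only after a NULL check, while the callers of the exported function are not visible here. A header comment would make the contract explicit, for example `/* mask must be non-NULL and laid out for af; af is trusted instead of mask->sa_family */`.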
> @@ -3079,9 +3097,7 @@ dispatch_rtmsg_addr(struct rt_msghdr *rt
>   case AF_INET:
>   sa_in = (struct sockaddr_in *)rti_info[RTAX_NETMASK];
>   if (sa_in != NULL) {
> - if (sa_in->sin_len != 0)
> - kf->prefixlen =
> - mask2prefixlen(sa_in->sin_addr.s_addr);
> + kf->prefixlen = mask2prefixlen4(sa_in);
>   } else if (rtm->rtm_flags & RTF_HOST)
>   kf->prefixlen = 32;
>   else
> @@ -3091,8 +3107,7 @@ dispatch_rtmsg_addr(struct rt_msghdr *rt
>   case AF_INET6:
>   sa_in6 = (struct sockaddr_in6 *)rti_info[RTAX_NETMASK];
>   if (sa_in6 != NULL) {
> - if (sa_in6->sin6_len != 0)
> - kf->prefixlen = mask2prefixlen6(sa_in6);
> + kf->prefixlen = mask2prefixlen6(sa_in6);
>   } else if (rtm->rtm_flags & RTF_HOST)
>   kf->prefixlen = 128;
>

Re: relayd.conf.5: less SSL

2023-10-28 Thread Sebastian Benoit
Klemens Nanni(k...@openbsd.org) on 2023.10.26 13:28:42 +:
> On Tue, Oct 24, 2023 at 09:09:21AM +0200, Peter N. M. Hansteen wrote:
> > On Tue, Oct 24, 2023 at 06:54:30AM +, Klemens Nanni wrote:
> > > - parse.y still accepting undocumented "ssl" with a warning since 2014
> > > - more "SSL/TLS" instead of "TLS" in manual and code comments
> > 
> > my take would be that while it's fine to streamline the documentation to use
> > the modern terminology, I suspect there may still be ancient configurations
> > out there that use the "ssl" keyword, so removing the last bit of support 
> > for
> > that option should be accompanied by or preceded by a warning on relevant
> > mailing lists or at least in the commit message. 
> > 
> > And I think undeadly.org would be more than happy to help spread the word :)
> 
> current.html entry should do for a deprecated keyword we've been warning
> about for almost ten years...

Yes, please kick it where it belongs.

> I've checked faq/upgrade*.html for previous
> notes, but couldn't find any.

no, because it wasnt removed after 2 releases with the warning.

> Here's a first try, relayd regress is also happy.

ok benno@

> Index: usr.sbin/relayd/parse.y
> ===
> RCS file: /cvs/src/usr.sbin/relayd/parse.y,v
> retrieving revision 1.254
> diff -u -p -r1.254 parse.y
> --- usr.sbin/relayd/parse.y   3 Jul 2023 09:38:08 -   1.254
> +++ usr.sbin/relayd/parse.y   26 Oct 2023 06:07:08 -
> @@ -175,7 +175,7 @@ typedef struct {
>  %token   LOOKUP METHOD MODE NAT NO DESTINATION NODELAY NOTHING ON PARENT 
> PATH
>  %token   PFTAG PORT PREFORK PRIORITY PROTO QUERYSTR REAL REDIRECT RELAY 
> REMOVE
>  %token   REQUEST RESPONSE RETRY QUICK RETURN ROUNDROBIN ROUTE SACK 
> SCRIPT SEND
> -%token   SESSION SOCKET SPLICE SSL STICKYADDR STRIP STYLE TABLE TAG 
> TAGGED TCP
> +%token   SESSION SOCKET SPLICE STICKYADDR STRIP STYLE TABLE TAG TAGGED 
> TCP
>  %token   TIMEOUT TLS TO ROUTER RTLABEL TRANSPARENT URL WITH TTL RTABLE
>  %token   MATCH PARAMS RANDOM LEASTSTATES SRCHASH KEY CERTIFICATE 
> PASSWORD ECDHE
>  %token   EDH TICKETS CONNECTION CONNECTIONS CONTEXT ERRORS STATE CHANGES 
> CHECKS
> @@ -227,21 +227,12 @@ include : INCLUDE STRING{
>   }
>   ;
>  
> -ssltls   : SSL   {
> - log_warnx("%s:%d: %s",
> - file->name, yylval.lineno,
> - "please use the \"tls\" keyword"
> - " instead of \"ssl\"");
> - }
> - | TLS
> - ;
> -
>  opttls   : /*empty*/ { $$ = 0; }
> - | ssltls{ $$ = 1; }
> + | TLS   { $$ = 1; }
>   ;
>  
>  opttlsclient : /*empty*/ { $$ = 0; }
> - | WITH ssltls   { $$ = 1; }
> + | WITH TLS  { $$ = 1; }
>   ;
>  
>  http_type: HTTP  { $$ = 0; }
> @@ -905,7 +896,7 @@ hashkey   : /* empty */   {
>  
>  tablecheck   : ICMP  { table->conf.check = CHECK_ICMP; }
>   | TCP   { table->conf.check = CHECK_TCP; }
> - | ssltls{
> + | TLS   {
>   table->conf.check = CHECK_TCP;
>   conf->sc_conf.flags |= F_TLS;
>   table->conf.flags |= F_TLS;
> @@ -1114,7 +1105,7 @@ protopts_l  : protopts_l protoptsl nl
>   | protoptsl optnl
>   ;
>  
> -protoptsl: ssltls {
> +protoptsl: TLS {
>   if (!(proto->type == RELAY_PROTO_TCP ||
>   proto->type == RELAY_PROTO_HTTP)) {
>   yyerror("can set tls options only for "
> @@ -1122,7 +1113,7 @@ protoptsl   : ssltls {
>   YYERROR;
>   }
>   } tlsflags
> - | ssltls {
> + | TLS {
>   if (!(proto->type == RELAY_PROTO_TCP ||
>   proto->type == RELAY_PROTO_HTTP)) {
>   yyerror("can set tls options only for "
> @@ -2492,7 +2483,6 @@ lookup(char *s)
>   { "socket", SOCKET },
>   { "source-hash",SRCHASH },
>   { "splice", SPLICE },
> - { "ssl",SSL },
>   { "state",  STATE },
>   { "sticky-address", STICKYADDR },
>   { "strip",  STRIP },
> Index: usr.sbin/relayd/relay.c
> ===
> RCS file: /cvs/src/usr.sbin/relayd/relay.c,v
> retrieving revision 1.257
> diff -u -p -r1.257 relay.c
> --- usr.sbin/relayd/relay.c   3 Sep 2023 10:22:03 -   1.257
> +++ usr.sbin/relayd/relay.c   26 Oct 2023 05:49:22 -00

Re: BIRD 1.x/2.x support at rpki-client

2020-03-06 Thread Sebastian Benoit
Robert Scheck(rob...@fedoraproject.org) on 2020.03.03 01:20:24 +0100:
> Hi,
> 
> job@ suggested to move this from GitHub to tech@ list (as upstream):
> 
> 1. Currently, BIRD 1.x support in rpki-client seems to be broken: As per
>BIRD upstream the "combined format" produced by rpki-client can't be
>used as-is with BIRD 1.x due to separated daemons (and configuration
>files) for IPv4 and IPv6.
> 2. Lack of BIRD 2.x support in rpki-client, which requires a different
>output/configuration format (semi-finished pull request at GitHub).

Hi, can you point me to that pull request, i could not find it.

/Benno

> 
> To cover this, job@ suggested to maybe generate bird1-ipv6, bird1-ipv4 and
> bird2 when using -B option. The option currently leads to "bird" file with
> BIRD 1.x support only.
> 
> However, I'm not sure if the current options -B, -c, -j and -o are that
> great. Maybe something like "-o " would be
> more powerful and more flexible?
> 
> Opinions?
> 
> 
> Regards,
>   Robert
> 



Re: BIRD 1.x/2.x support at rpki-client

2020-03-06 Thread Sebastian Benoit
Robert Scheck(rob...@fedoraproject.org) on 2020.03.06 14:02:26 +0100:
> On Fri, 06 Mar 2020, Job Snijders wrote:
> > I believe Robert is referring to this snippet of code:
> > 
> > 
> > https://patch-diff.githubusercontent.com/raw/kristapsdz/rpki-client/pull/21.patch
> 
> Exactly.

Ah, i thought it was some diff to bird! Thanks, i'll take care of it.

/Benno



Re: BIRD 1.x/2.x support at rpki-client

2020-03-06 Thread Sebastian Benoit
Hi,

generate 3 different outputs for BIRD:
- bird v1 with IPv4 routes
- bird v1 with IPv6 routes
- bird v2
when using command line option -B.
BIRD v2 output from Robert Scheck, robert AT fedoraproject DOT org


Note that I haven't tried this with bird 1 or 2 yet ;)
comments, oks?


(benno_rpki_bird.diff)

diff --git usr.sbin/rpki-client/extern.h usr.sbin/rpki-client/extern.h
index 127db60fa37..6592ea83b5e 100644
--- usr.sbin/rpki-client/extern.h
+++ usr.sbin/rpki-client/extern.h
@@ -374,7 +374,9 @@ FILE*output_createtmp(char *);
 voidoutput_cleantmp(void);
 voidoutput_finish(FILE *);
 int output_bgpd(FILE *, struct vrp_tree *);
-int output_bird(FILE *, struct vrp_tree *);
+int output_bird1v4(FILE *, struct vrp_tree *);
+int output_bird1v6(FILE *, struct vrp_tree *);
+int output_bird2(FILE *, struct vrp_tree *);
 int output_csv(FILE *, struct vrp_tree *);
 int output_json(FILE *, struct vrp_tree *);
 
diff --git usr.sbin/rpki-client/output-bird.c usr.sbin/rpki-client/output-bird.c
index a15faa69164..0299018f8af 100644
--- usr.sbin/rpki-client/output-bird.c
+++ usr.sbin/rpki-client/output-bird.c
@@ -1,6 +1,7 @@
 /* $OpenBSD: output-bird.c,v 1.6 2019/12/04 23:03:05 benno Exp $ */
 /*
  * Copyright (c) 2019 Claudio Jeker 
+ * Copyright (c) 2020 Robert Scheck 
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -21,7 +22,7 @@
 #include "extern.h"
 
 int
-output_bird(FILE *out, struct vrp_tree *vrps)
+output_bird1v4(FILE *out, struct vrp_tree *vrps)
 {
extern  const char *bird_tablename;
char buf[64];
@@ -31,10 +32,78 @@ output_bird(FILE *out, struct vrp_tree *vrps)
return -1;
 
RB_FOREACH(v, vrp_tree, vrps) {
-   ip_addr_print(&v->addr, v->afi, buf, sizeof(buf));
-   if (fprintf(out, "\troa %s max %u as %u;\n", buf, v->maxlength,
-   v->asid) < 0)
+   if (v->afi == AFI_IPV4) {
+   ip_addr_print(&v->addr, v->afi, buf, sizeof(buf));
+   if (fprintf(out, "\troa %s max %u as %u;\n", buf,
+   v->maxlength, v->asid) < 0)
+   return -1;
+   }
+   }
+
+   if (fprintf(out, "}\n") < 0)
return -1;
+   return 0;
+}
+
+int
+output_bird1v6(FILE *out, struct vrp_tree *vrps)
+{
+   extern  const char *bird_tablename;
+   char buf[64];
+   struct vrp  *v;
+
+   if (fprintf(out, "roa table %s {\n", bird_tablename) < 0)
+   return -1;
+
+   RB_FOREACH(v, vrp_tree, vrps) {
+   if (v->afi == AFI_IPV6) {
+   ip_addr_print(&v->addr, v->afi, buf, sizeof(buf));
+   if (fprintf(out, "\troa %s max %u as %u;\n", buf,
+   v->maxlength, v->asid) < 0)
+   return -1;
+   }
+   }
+
+   if (fprintf(out, "}\n") < 0)
+   return -1;
+   return 0;
+}
+
+int
+output_bird2(FILE *out, struct vrp_tree *vrps)
+{
+   extern  const char *bird_tablename;
+   char buf[64];
+   struct vrp  *v;
+   time_t   now = time(NULL);
+
+   if (fprintf(out, "define force_roa_table_update = %lld;\n\n"
+   "roa4 table %s4;\nroa6 table %s6;\n\n"
+   "protocol static {\n\troa4 { table %s4; };\n\n",
+   (long long) now, bird_tablename, bird_tablename,
+   bird_tablename) < 0)
+   return -1;
+
+   RB_FOREACH(v, vrp_tree, vrps) {
+   if (v->afi == AFI_IPV4) {
+   ip_addr_print(&v->addr, v->afi, buf, sizeof(buf));
+   if (fprintf(out, "\troute %s max %u as %u;\n", buf,
+   v->maxlength, v->asid) < 0)
+   return -1;
+   }
+   }
+
+   if (fprintf(out, "}\n\nprotocol static {\n\troa6 { table %s6; };\n\n",
+   bird_tablename) < 0)
+   return -1;
+
+   RB_FOREACH(v, vrp_tree, vrps) {
+   if (v->afi == AFI_IPV6) {
+   ip_addr_print(&v->addr, v->afi, buf, sizeof(buf));
+   if (fprintf(out, "\troute %s max %u as %u;\n", buf,
+   v->maxlength, v->asid) < 0)
+   return -1;
+   }
}
 
if (fprintf(out, "}\n") < 0)
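Review bot: The same filter-and-print loop over the VRP tree now appears four times in this hunk (once each in output_bird1v4 and output_bird1v6, twice in output_bird2), differing only in the address family tested and the `roa`/`route` keyword. A later change to the line format or to the error handling would have to be repeated in every copy, and a missed one would give the BIRD outputs diverging contents. A small static helper taking the family and keyword would keep them in step. The end of output_bird2 lies outside this hunk.
```c
/* Write one "<keyword> <prefix> max <len> as <asid>;" line per VRP of afi. */
static int
output_bird_afi(FILE *out, struct vrp_tree *vrps, enum afi afi,
    const char *keyword)
{
	char		 buf[64];
	struct vrp	*v;

	RB_FOREACH(v, vrp_tree, vrps) {
		if (v->afi != afi)
			continue;
		ip_addr_print(&v->addr, v->afi, buf, sizeof(buf));
		if (fprintf(out, "\t%s %s max %u as %u;\n", keyword, buf,
		    v->maxlength, v->asid) < 0)
			return -1;
	}
	return 0;
}

/* ... unchanged: table/protocol headers and closing braces in each output_bird* ... */
/* each loop becomes e.g.: if (output_bird_afi(out, vrps, AFI_IPV4, "roa") < 0) return -1; */
```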
diff --git usr.sbin/rpki-client/output.c usr.sbin/rpki-client/output.c
index adafc5c0b53..b26b964eeaa 100644
--- usr.sbin/rpki-client/output.c
+++ usr.sbin/rpki-client/output.c
@@ -39,10 +39,12 @@ struct outputs {
char*name;
int (*fn)(FILE *, struct vrp_tree *);
 } outputs[] = {
-   { FORMAT_OPENBGPD, "openbgpd", output

Re: BIRD 1.x/2.x support at rpki-client

2020-03-06 Thread Sebastian Benoit
Job Snijders(j...@openbsd.org) on 2020.03.06 17:31:13 +:
> I have a small suggestion, in some deployments I saw the convention to
> name it as following so it is clear the data came from user provided
> data rather than internal bird structures 
> 
> I tested Benno's patch against BIRD 1.6.6 - wfm.

thanks.

I did not commit this bit, and I have no substantiated opinion on it.
If that's how bird users do it, commit it ;)

> 
> Index: main.c
> ===
> RCS file: /cvs/src/usr.sbin/rpki-client/main.c,v
> retrieving revision 1.58
> diff -u -p -r1.58 main.c
> --- main.c11 Feb 2020 18:41:39 -  1.58
> +++ main.c6 Mar 2020 17:25:56 -
> @@ -156,7 +156,7 @@ static void   build_chain(const struct aut
>  static void  build_crls(const struct auth *, struct crl_tree *,
>   STACK_OF(X509_CRL) **);
>  
> -const char   *bird_tablename = "roa";
> +const char   *bird_tablename = "ROAS";
>  
>  int   verbose;
>  
> 



Re: BIRD 1.x/2.x support at rpki-client

2020-03-06 Thread Sebastian Benoit
Robert Scheck(rob...@fedoraproject.org) on 2020.03.06 14:02:26 +0100:
> On Fri, 06 Mar 2020, Job Snijders wrote:
> > I believe Robert is referring to this snippet of code:
> > 
> > 
> > https://patch-diff.githubusercontent.com/raw/kristapsdz/rpki-client/pull/21.patch

Thanks for the patch.
I committed it with the function moved into output-bird.c

If you have more (feature) diffs, send them to tech@ too.

/Benno



Re: regress: bgpd: config: Fix attribute ordering

2020-03-06 Thread Sebastian Benoit
I don't see that here.
Are you sure that you have an up-to-date tree?
And no diff in there?


Klemens Nanni(k...@openbsd.org) on 2020.03.05 23:39:20 +0100:
> 
> I ran bgpd to test diffs and stumbled across what looks like simple
> disorder in the config checks.
> 
> bgpd must have changed in how it orders attributes within `set { ... }'
> blocks;  breaking the sets into multiple lines and diffing line-wise
> instead of word-wise shows that the printed config indeed only differs
> in the way set attributes from the config appear in bgpd output.
> 
> Still, I'd like any of the bgpd hackers to verify before I "fix" regress.
> 
> OK?
> 
> 
> Index: regress/usr.sbin/bgpd/config/bgpd.conf.10.ok
> ===
> RCS file: /cvs/src/regress/usr.sbin/bgpd/config/bgpd.conf.10.ok,v
> retrieving revision 1.6
> diff -u -p -r1.6 bgpd.conf.10.ok
> --- regress/usr.sbin/bgpd/config/bgpd.conf.10.ok  17 Jul 2019 10:27:50 
> -  1.6
> +++ regress/usr.sbin/bgpd/config/bgpd.conf.10.ok  5 Mar 2020 22:32:53 
> -
> @@ -40,4 +40,4 @@ match from any large-community 1234:5678
>  match from any large-community 1234:5678:1 large-community 1234:5678:2 
> large-community 1234:5678:3 
>  match from any community 1234:1 large-community 1234:5678:1 
>  match from any large-community 1234:5678:1 community 1234:1 
> -match from any set { community delete 1234:5678 community delete 1234:* 
> community delete *:5678 community delete local-as:5678 community delete 
> local-as:neighbor-as large-community delete 1234:15:5678 large-community 
> delete *:15:5678 large-community delete local-as:15:5678 large-community 
> delete local-as:15:* large-community delete local-as:15:neighbor-as 
> large-community delete local-as:*:* community 1234:5678 community 
> local-as:5678 community local-as:neighbor-as large-community 1234:15:5678 
> large-community local-as:15:5678 large-community local-as:15:neighbor-as }
> +match from any set { community delete 1234:5678 large-community delete 
> 1234:15:5678 community delete *:5678 large-community delete *:15:5678 
> community delete local-as:5678 large-community delete local-as:15:5678 
> community delete 1234:* community delete local-as:neighbor-as large-community 
> delete local-as:15:* large-community delete local-as:*:* large-community 
> delete local-as:15:neighbor-as community 1234:5678 large-community 
> 1234:15:5678 community local-as:5678 large-community local-as:15:5678 
> community local-as:neighbor-as large-community local-as:15:neighbor-as }
> Index: regress/usr.sbin/bgpd/config/bgpd.conf.11.ok
> ===
> RCS file: /cvs/src/regress/usr.sbin/bgpd/config/bgpd.conf.11.ok,v
> retrieving revision 1.5
> diff -u -p -r1.5 bgpd.conf.11.ok
> --- regress/usr.sbin/bgpd/config/bgpd.conf.11.ok  17 Jul 2019 10:27:50 
> -  1.5
> +++ regress/usr.sbin/bgpd/config/bgpd.conf.11.ok  5 Mar 2020 22:35:04 
> -
> @@ -33,7 +33,7 @@ match from any ext-community ovs invalid
>  match from any ext-community ovs not-found 
>  match from any ext-community rt 64496:201 ext-community soo 64496:202 
>  match from any ext-community rt 64496:301 ext-community soo 420001:302 
> ext-community odi 127.0.0.1:303 
> -match from any set { ext-community delete ovs valid ext-community delete odi 
> 127.0.0.1:6003 ext-community delete soo 420001:6002 ext-community delete 
> ort 0x123456789abf ext-community delete rt 64496:6001 ext-community ovs valid 
> ext-community odi 127.0.0.1:5003 ext-community soo 420001:5002 
> ext-community ort 0x123456789abc ext-community rt 64496:5001 }
> +match from any set { ext-community delete ovs valid ext-community delete ort 
> 0x123456789abf ext-community delete rt 64496:6001 ext-community delete odi 
> 127.0.0.1:6003 ext-community delete soo 420001:6002 ext-community ovs 
> valid ext-community ort 0x123456789abc ext-community rt 64496:5001 
> ext-community odi 127.0.0.1:5003 ext-community soo 420001:5002 }
>  match from any ext-community * * 
>  match from any ext-community rt * 
>  match from any ext-community soo * 
> @@ -47,7 +47,7 @@ match from any ext-community rt 127.0.0.
>  match from any ext-community soo 64496:* 
>  match from any ext-community soo 420001:* 
>  match from any ext-community soo 127.0.0.1:* 
> -match from any set { ext-community delete odi 127.0.0.1:* ext-community 
> delete soo 420001:* ext-community delete rt 64496:* ext-community delete 
> mac-mob * ext-community delete ovs * ext-community delete rt * ext-community 
> delete soo * ext-community delete odi * ext-community delete ort * }
> +match from any set { ext-community delete ort * ext-community delete mac-mob 
> * ext-community delete ovs * ext-community delete rt * ext-community delete 
> soo * ext-community delete odi * ext-community delete rt 64496:* 
> ext-community delete odi 127.0.0.1:* ext-community delete soo 420001:* }
>  match from any ext-comm

Re: bgpctl code reshuffle

2020-03-19 Thread Sebastian Benoit
Claudio Jeker(cje...@diehard.n-r-g.com) on 2020.03.19 18:42:28 +0100:
> Move some more output functions to output.c and convert some other
> functions to a fmt_xyz() function that returns a string with the value
> instead of doing a printf(). This is mostly mechanical but please test.
> 

ok

> -- 
> :wq Claudio
> 
> Index: bgpctl.c
> ===
> RCS file: /cvs/src/usr.sbin/bgpctl/bgpctl.c,v
> retrieving revision 1.258
> diff -u -p -r1.258 bgpctl.c
> --- bgpctl.c  24 Jan 2020 05:46:00 -  1.258
> +++ bgpctl.c  19 Mar 2020 17:36:18 -
> @@ -46,11 +46,6 @@
>  
>  int   main(int, char *[]);
>  int   show(struct imsg *, struct parse_result *);
> -void  show_attr(void *, u_int16_t, int);
> -void  show_communities(u_char *, size_t, int);
> -void  show_community(u_char *, u_int16_t);
> -void  show_large_community(u_char *, u_int16_t);
> -void  show_ext_community(u_char *, u_int16_t);
>  void  send_filterset(struct imsgbuf *, struct filter_set_head *);
>  void  show_mrt_dump_neighbors(struct mrt_rib *, struct mrt_peer *,
>   void *);
> @@ -425,7 +420,6 @@ show(struct imsg *imsg, struct parse_res
>   if (imsg->hdr.len < IMSG_HEADER_SIZE + sizeof(*kt))
>   errx(1, "wrong imsg len");
>   kt = imsg->data;
> -
>   show_fib_table(kt);
>   break;
>   case IMSG_CTL_SHOW_RIB:
> @@ -443,7 +437,7 @@ show(struct imsg *imsg, struct parse_res
>   warnx("bad IMSG_CTL_SHOW_RIB_COMMUNITIES received");
>   break;
>   }
> - show_communities(imsg->data, ilen, res->flags);
> + show_communities(imsg->data, ilen, res);
>   break;
>   case IMSG_CTL_SHOW_RIB_ATTR:
>   ilen = imsg->hdr.len - IMSG_HEADER_SIZE;
> @@ -451,7 +445,7 @@ show(struct imsg *imsg, struct parse_res
>   warnx("bad IMSG_CTL_SHOW_RIB_ATTR received");
>   break;
>   }
> - show_attr(imsg->data, ilen, res->flags);
> + show_attr(imsg->data, ilen, res);
>   break;
>   case IMSG_CTL_SHOW_RIB_MEM:
>   memcpy(&stats, imsg->data, sizeof(stats));
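Review bot: The `IMSG_CTL_SHOW_RIB_MEM` case at the end of this hunk copies `sizeof(stats)` bytes out of `imsg->data` with no length check visible between the `case` label and the `memcpy()`, while the fib-table case in the earlier hunk rejects short messages with `imsg->hdr.len < IMSG_HEADER_SIZE + sizeof(*kt)`. A short message would make the copy read past the payload, so the same guard fits here: `if (imsg->hdr.len < IMSG_HEADER_SIZE + sizeof(stats)) errx(1, "wrong imsg len");` ahead of the `memcpy()`. show() starts and continues outside the hunk.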
> @@ -506,7 +500,7 @@ fmt_peer(const char *descr, const struct
>  }
>  
>  const char *
> -print_auth_method(enum auth_method method)
> +fmt_auth_method(enum auth_method method)
>  {
>   switch (method) {
>   case AUTH_MD5SIG:
> @@ -525,75 +519,6 @@ print_auth_method(enum auth_method metho
>   }
>  }
>  
> -void
> -print_neighbor_capa_mp(struct peer *p)
> -{
> - int comma;
> - u_int8_ti;
> -
> - for (i = 0, comma = 0; i < AID_MAX; i++)
> - if (p->capa.peer.mp[i]) {
> - printf("%s%s", comma ? ", " : "", aid2str(i));
> - comma = 1;
> - }
> -}
> -
> -void
> -print_neighbor_capa_restart(struct peer *p)
> -{
> - int comma;
> - u_int8_ti;
> -
> - if (p->capa.peer.grestart.timeout)
> - printf(": Timeout: %d, ", p->capa.peer.grestart.timeout);
> - for (i = 0, comma = 0; i < AID_MAX; i++)
> - if (p->capa.peer.grestart.flags[i] & CAPA_GR_PRESENT) {
> - if (!comma &&
> - p->capa.peer.grestart.flags[i] & CAPA_GR_RESTART)
> - printf("restarted, ");
> - if (comma)
> - printf(", ");
> - printf("%s", aid2str(i));
> - if (p->capa.peer.grestart.flags[i] & CAPA_GR_FORWARD)
> - printf(" (preserved)");
> - comma = 1;
> - }
> -}
> -
> -void
> -print_neighbor_msgstats(struct peer *p)
> -{
> - printf("  Message statistics:\n");
> - printf("  %-15s %-10s %-10s\n", "", "Sent", "Received");
> - printf("  %-15s %10llu %10llu\n", "Opens",
> - p->stats.msg_sent_open, p->stats.msg_rcvd_open);
> - printf("  %-15s %10llu %10llu\n", "Notifications",
> - p->stats.msg_sent_notification, p->stats.msg_rcvd_notification);
> - printf("  %-15s %10llu %10llu\n", "Updates",
> - p->stats.msg_sent_update, p->stats.msg_rcvd_update);
> - printf("  %-15s %10llu %10llu\n", "Keepalives",
> - p->stats.msg_sent_keepalive, p->stats.msg_rcvd_keepalive);
> - printf("  %-15s %10llu %10llu\n", "Route Refresh",
> - p->stats.msg_sent_rrefresh, p->stats.msg_rcvd_rrefresh);
> - printf("  %-15s %10llu %10llu\n\n", "Total",
> - p->stats.msg_sent_open + p->stats.msg_sent_notification +
> - p->stats.msg_sent_update + p->stats.msg_sent_keepalive +
> - p->stats.msg_sent_rrefresh,
> - p->stats.msg_rcvd_open + p->stats.msg_rcvd_notification +
> - p->stats.msg_rcvd_update + p->stats.msg_r

Re: rpki-client and non-existing files

2020-04-01 Thread Sebastian Benoit
ok

Did you remove the "if (verbose > 0)" in the cms_parse_validate() case on
purpose?

Claudio Jeker(cje...@diehard.n-r-g.com) on 2020.04.01 16:33:44 +0200:
> On Wed, Apr 01, 2020 at 01:06:21PM +0200, Claudio Jeker wrote:
> > Currently rpki-client logs missing files like this:
> > 
> > rpki-client:  ...trace: error:02FFF002:system library:func(4095):No such 
> > file or directory
> > rpki-client:  ...trace: error:20FFF080:BIO routines:CRYPTO_internal:no such 
> > file
> > rpki-client: 
> > rpki.cnnic.cn/rpki/A9162E3D/515/FE-4PMY9qqTI2aJ0xLDm7cD-fvw.mft: 
> > BIO_new_file
> > 
> > Yes, you need to read the errors in reverse and even then the errors are
> > just hard to read.
> > 
> > This ugly format is mostly to blame on the error stack of OpenSSL.
> > As a workaround I switched to using fopen() and then BIO_new_fd()
> > which does the same thing but allows me to get a nice error from fopen():
> > 
> > rpki-client: 
> > rpki.cnnic.cn/rpki/A9162E3D/515/FE-4PMY9qqTI2aJ0xLDm7cD-fvw.mft: fopen: 
> > No such file or directory
> > 
> > Any opinions?
> 
> This diff removes the fopen: from the warn string:
> 
> rpki-client: 
> rpki.cnnic.cn/rpki/A9162E3D/515/FE-4PMY9qqTI2aJ0xLDm7cD-fvw.mft: No such 
> file or directory
> 
> This is more in form with e.g.
> 
> rpki-client: 
> rpki-repo.registro.br/repo/D81aiXpDAv5WBmgE8oEpfordjGP62otn2fHrhaL4cgby/0/3137372e3133302e302e302f32302d3234203d3e203238323630.roa:
>  CRL has expired
> 
> -- 
> :wq Claudio
> 
> Index: cert.c
> ===
> RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v
> retrieving revision 1.14
> diff -u -p -r1.14 cert.c
> --- cert.c26 Feb 2020 02:35:08 -  1.14
> +++ cert.c1 Apr 2020 14:28:29 -
> @@ -930,12 +930,18 @@ cert_parse_inner(X509 **xp, const char *
>   ASN1_OBJECT *obj;
>   struct parse p;
>   BIO *bio = NULL, *shamd;
> + FILE*f;
>   EVP_MD  *md;
>   char mdbuf[EVP_MAX_MD_SIZE];
>  
>   *xp = NULL;
>  
> - if ((bio = BIO_new_file(fn, "rb")) == NULL) {
> + if ((f = fopen(fn, "rb")) == NULL) {
> + warn("%s", fn);
> + return NULL;
> + }
> +
> + if ((bio = BIO_new_fp(f, BIO_CLOSE)) == NULL) {
>   if (verbose > 0)
>   cryptowarnx("%s: BIO_new_file", fn);
>   return NULL;
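Review bot: The `FILE *` returned by `fopen()` is leaked when `BIO_new_fp(f, BIO_CLOSE)` fails, because that error branch returns without closing `f` and no BIO exists yet to own it. Adding `fclose(f);` before the `return NULL;` in that branch closes the gap; the cms.c and crl.c hunks below follow the same pattern and need the same line. In this hunk and in crl.c the warning still names `BIO_new_file` although the call is now `BIO_new_fp`, so `cryptowarnx("%s: BIO_new_fp", fn);` would match what the cms.c hunk prints. cert_parse_inner starts and continues outside the hunk.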
> Index: cms.c
> ===
> RCS file: /cvs/src/usr.sbin/rpki-client/cms.c,v
> retrieving revision 1.6
> diff -u -p -r1.6 cms.c
> --- cms.c 29 Nov 2019 05:14:11 -  1.6
> +++ cms.c 1 Apr 2020 14:28:34 -
> @@ -42,6 +42,7 @@ cms_parse_validate(X509 **xp, const char
>   ASN1_OCTET_STRING   **os = NULL;
>   BIO *bio = NULL, *shamd;
>   CMS_ContentInfo *cms;
> + FILE*f;
>   char buf[128], mdbuf[EVP_MAX_MD_SIZE];
>   int  rc = 0, sz;
>   STACK_OF(X509)  *certs = NULL;
> @@ -55,10 +56,13 @@ cms_parse_validate(X509 **xp, const char
>* This is usually fopen() failure, so let it pass through to
>* the handler, which will in turn ignore the entity.
>*/
> + if ((f = fopen(fn, "rb")) == NULL) {
> + warn("%s", fn);
> + return NULL;
> + }
>  
> - if ((bio = BIO_new_file(fn, "rb")) == NULL) {
> - if (verbose > 0)
> - cryptowarnx("%s: BIO_new_file", fn);
> + if ((bio = BIO_new_fp(f, BIO_CLOSE)) == NULL) {
> + cryptowarnx("%s: BIO_new_fp", fn);
>   return NULL;
>   }
>  
> Index: crl.c
> ===
> RCS file: /cvs/src/usr.sbin/rpki-client/crl.c,v
> retrieving revision 1.7
> diff -u -p -r1.7 crl.c
> --- crl.c 29 Nov 2019 04:40:04 -  1.7
> +++ crl.c 1 Apr 2020 14:28:41 -
> @@ -36,10 +36,16 @@ crl_parse(const char *fn, const unsigned
>   int  rc = 0, sz;
>   X509_CRL*x = NULL;
>   BIO *bio = NULL, *shamd;
> + FILE*f;
>   EVP_MD  *md;
>   char mdbuf[EVP_MAX_MD_SIZE];
>  
> - if ((bio = BIO_new_file(fn, "rb")) == NULL) {
> + if ((f = fopen(fn, "rb")) == NULL) {
> + warn("%s", fn);
> + return NULL;
> + }
> +
> + if ((bio = BIO_new_fp(f, BIO_CLOSE)) == NULL) {
>   if (verbose > 0)
>   cryptowarnx("%s: BIO_new_file", fn);
>   return NULL;
> 



Re: slaacd(8): honour rdomain we are running in

2020-04-12 Thread Sebastian Benoit
Florian Obser(flor...@openbsd.org) on 2020.04.12 19:53:23 +0200:
> OK?

yes, this is probably better than having it configurable via option.

> diff --git slaacd.c slaacd.c
> index 58f15bcda37..dae2eab3434 100644
> --- slaacd.c
> +++ slaacd.c
> @@ -755,7 +755,7 @@ configure_gateway(struct imsg_configure_dfr *dfr, uint8_t 
> rtm_type)
>   rtm.rtm_version = RTM_VERSION;
>   rtm.rtm_type = rtm_type;
>   rtm.rtm_msglen = sizeof(rtm);
> - rtm.rtm_tableid = 0; /* XXX imsg->rdomain; */
> + rtm.rtm_tableid = getrtable();
>   rtm.rtm_index = dfr->if_index;
>   rtm.rtm_seq = ++rtm_seq;
>   rtm.rtm_priority = RTP_NONE;
> @@ -852,7 +852,7 @@ send_rdns_proposal(struct imsg_propose_rdns *rdns)
>   rtm.rtm_version = RTM_VERSION;
>   rtm.rtm_type = RTM_PROPOSAL;
>   rtm.rtm_msglen = sizeof(rtm);
> - rtm.rtm_tableid = 0; /* XXX imsg->rdomain; */
> + rtm.rtm_tableid = getrtable();
>   rtm.rtm_index = rdns->if_index;
>   rtm.rtm_seq = ++rtm_seq;
>   rtm.rtm_priority = RTP_PROPOSAL_SLAAC;
> 
> 
> -- 
> I'm not entirely sure you are real.
> 



Re: cpu utilisation bars for top(1)

2020-04-13 Thread Sebastian Benoit
Edd Barrett(e...@theunixzoo.co.uk) on 2020.04.13 15:47:03 +0100:
> Hi,
> 
> One thing I miss from our top(1) is the ability to see overall CPU
> utilisation at a glance (I usually scan for the idle percentage and
> invert it in my head).
> 
> This diff adds a way to toggle (using `B`) CPU utilisation bars, like this:
> 
> ```
> load averages:  0.92,  0.52,  1.26  arrakis.home 
> 15:31:14
> 110 processes: 108 idle, 1 stopped, 1 on processorup 1 day,  
> 2:15
> []  
> 37.1%
> [#   ]  
> 45.0%
> []  
> 42.8%
> [### ]  
> 47.2%
> Memory: Real: 4399M/12G act/tot Free: 11G Cache: 6204M Swap: 0K/1028M
> ```
> 
> The value reported is the inverse of the idle percentage and the bars
> replace the 'user, nice, sys, ...' lines.
> 
> Can also be enabled from the command line with `-B`.
> 
> What do people think?

If you make them look like the display in systat, you still get the user,
... nice, sys information. Also i like my bikeshed green.



rpki-client 6.6p2 (portable) has been released

2020-04-19 Thread Sebastian Benoit
rpki-client 6.6p2 has just been released. It is the first public
portable release of the rpki-client code, available in OpenBSD.

It will be available from the mirrors listed at
http://www.rpki-client.org/ shortly.

rpki-client is a FREE, easy-to-use implementation of the Resource
Public Key Infrastructure (RPKI) for Relying Parties (RP) to
facilitate validation of the Route Origin of a BGP announcement. The
program queries the RPKI repository system and outputs Validated ROA
Payloads in the configuration format of OpenBGPD, BIRD, and also as
CSV or JSON objects for consumption by other routing stacks.

See RFC 6811 for a description of how BGP Prefix Origin Validation
secures the Internet's global routing system.

rpki-client was primarily developed by Kristaps Dzonsons, Claudio
Jeker, Job Snijders, and Sebastian Benoit as part of the OpenBSD
Project and gets released as a base component of OpenBSD every six
months.

This first release is based on the OpenBSD source code available in the
OpenBSD CVS repository as of 2020-04-19.

Reporting Bugs:
===

General bugs may be reported to tech@openbsd.org

Portable bugs may be filed at 
https://github.com/rpki-client/rpki-client-portable



Re: unwind(8): recommend supersede in dhclient.conf

2020-04-21 Thread Sebastian Benoit
Florian Obser(flor...@openbsd.org) on 2020.04.21 06:57:49 +0200:
> We didn't get around to run unwind per default and integrate it
> tighter with dhclient this release cycle.
> But there is also no need anymore to recommend prepend in
> dhclient.conf, unwind(8) is no longer closing its service port when
> it's running so it should always be available.
> 
> (I checked the installer there supersede does not have any effect,
> probably because the small dhclient doesn't parse /etc/dhclient.conf.)
> 
> Comments, OK?

I've actually wondered about this myself and been using it with supersede
for a few weeks now.

ok benno@

> 
> diff --git unwind.8 unwind.8
> index fe08a9b4c4c..7014db070f9 100644
> --- unwind.8
> +++ unwind.8
> @@ -52,7 +52,7 @@ in
>  .Pp
>  Adding
>  .Pp
> -.Dl prepend domain-name-servers 127.0.0.1;
> +.Dl supersede domain-name-servers 127.0.0.1;
>  .Pp
>  to
>  .Pa /etc/dhclient.conf
> 
> 
> -- 
> I'm not entirely sure you are real.
> 



Re: acme-client(1) and Buypass Go SSL

2020-04-21 Thread Sebastian Benoit
Bartosz Kuzma(bartosz.ku...@release11.com) on 2020.04.20 18:51:17 +0200:
> Hello,
> 
> I've tried to get a certificate from Buypass Go SSL provider using
> acme-client(1) but it ends with the following error:
> 
> acme-client: https://api.buypass.com/acme-v02/new-acct: bad HTTP: 400
> acme-client: transfer buffer: 
> [{"type":"urn:ietf:params:acme:error:malformed","d
> etail":"Email is a required 
> contact","code":400,"message":"MALFORMED_BAD_REQUEST
> ","details":"HTTP 400 Bad Request"}] (164 bytes)
> 
> Buypass Go SSL requires that optional field contact in Account Objects
> will contain email address.
> 
> I've added a new option "contact" to acme-client.conf to fulfil this 
> requirement.

Thanks, that looks ok.

> It is also required to change MARKER in certproc.c to fix 
> line endings handling in pem files.

Can you explain what happens there?

/Benno

> -- 
> Kind regards, Bartosz Kuzma.

> Index: usr.sbin/acme-client/acme-client.conf.5
> ===
> RCS file: /cvs/src/usr.sbin/acme-client/acme-client.conf.5,v
> retrieving revision 1.22
> diff -u -p -r1.22 acme-client.conf.5
> --- usr.sbin/acme-client/acme-client.conf.5   10 Feb 2020 13:18:21 -  
> 1.22
> +++ usr.sbin/acme-client/acme-client.conf.5   20 Apr 2020 16:24:46 -
> @@ -98,6 +98,10 @@ It defaults to
>  Specify the
>  .Ar url
>  under which the ACME API is reachable.
> +.It Ic contact Ar contact
> +Optional
> +.Ar contact
> +URLs that the authority can use to contact the client for issues related to 
> this account.
>  .El
>  .Sh DOMAINS
>  The certificates to be obtained through ACME.
> Index: usr.sbin/acme-client/certproc.c
> ===
> RCS file: /cvs/src/usr.sbin/acme-client/certproc.c,v
> retrieving revision 1.12
> diff -u -p -r1.12 certproc.c
> --- usr.sbin/acme-client/certproc.c   7 Jun 2019 08:07:52 -   1.12
> +++ usr.sbin/acme-client/certproc.c   20 Apr 2020 16:24:46 -
> @@ -28,7 +28,7 @@
>  
>  #include "extern.h"
>  
> -#define MARKER "-END CERTIFICATE-\n"
> +#define MARKER "-END CERTIFICATE-"
>  
>  int
>  certproc(int netsock, int filesock)
> @@ -94,6 +94,12 @@ certproc(int netsock, int filesock)
>   }
>  
>   chaincp += strlen(MARKER);
> +
> + if ((chaincp = strchr(chaincp, '-')) == NULL) {
> + warn("strchr");
> + goto out;
> + }
> +
>   if ((chain = strdup(chaincp)) == NULL) {
>   warn("strdup");
>   goto out;
> Index: usr.sbin/acme-client/extern.h
> ===
> RCS file: /cvs/src/usr.sbin/acme-client/extern.h,v
> retrieving revision 1.17
> diff -u -p -r1.17 extern.h
> --- usr.sbin/acme-client/extern.h 7 Feb 2020 14:34:15 -   1.17
> +++ usr.sbin/acme-client/extern.h 20 Apr 2020 16:24:46 -
> @@ -261,13 +261,13 @@ int  json_parse_capaths(struct jsmnn *,
>  
>  char *json_fmt_newcert(const char *);
>  char *json_fmt_chkacc(void);
> -char *json_fmt_newacc(void);
> +char *json_fmt_newacc(const char *);
>  char *json_fmt_neworder(const char *const *, size_t);
>  char *json_fmt_protected_rsa(const char *,
>   const char *, const char *, const char *);
>  char *json_fmt_protected_ec(const char *, const char *, const char *,
>   const char *);
> -char *json_fmt_protected_kid(const char*, const char *, const char *,
> +char *json_fmt_protected_kid(const char *, const char *, const char 
> *,
>   const char *);
>  char *json_fmt_revokecert(const char *);
>  char *json_fmt_thumb_rsa(const char *, const char *);
> Index: usr.sbin/acme-client/json.c
> ===
> RCS file: /cvs/src/usr.sbin/acme-client/json.c,v
> retrieving revision 1.16
> diff -u -p -r1.16 json.c
> --- usr.sbin/acme-client/json.c   22 Jan 2020 22:25:22 -  1.16
> +++ usr.sbin/acme-client/json.c   20 Apr 2020 16:24:46 -
> @@ -616,19 +616,30 @@ json_fmt_chkacc(void)
>   * Format the "newAccount" resource request.
>   */
>  char *
> -json_fmt_newacc(void)
> +json_fmt_newacc(const char *contact)
>  {
>   int  c;
> - char*p;
> + char*p, *cnt;
> +
> + c = asprintf(&cnt, "\"contact\": [ \"%s\" ], ", contact);
> + if (c == -1) {
> + warn("asprintf");
> + goto err;
> + }
>  
>   c = asprintf(&p, "{"
> + "%s"
>   "\"termsOfServiceAgreed\": true"
> - "}");
> + "}", contact == NULL ? "" : cnt);
> + free(cnt);
>   if (c == -1) {
>   warn("asprintf");
>   p = NULL;
>   }
>   return p;
> +
> +err:
> + return NULL;
>  }
>  
>  /*
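Review bot: `contact` is formatted with `%s` before it is tested for NULL: the first `asprintf()` runs unconditionally and only the second call checks `contact == NULL`, so the no-contact case hands a null pointer to `%s`. Building `cnt` only when a contact is configured, as sketched below, avoids that and makes the `err:` label unnecessary. The value is also placed between JSON quotes unescaped, so a double quote or backslash in the configured contact would change the structure of the newAccount request body. Rejecting such characters where the option is parsed (that code is not in this hunk) or escaping them here keeps the body well-formed.
```c
char *
json_fmt_newacc(const char *contact)
{
	int	 c;
	char	*p, *cnt = NULL;

	/* Build the "contact" member only when a contact is configured. */
	if (contact != NULL) {
		c = asprintf(&cnt, "\"contact\": [ \"%s\" ], ", contact);
		if (c == -1) {
			warn("asprintf");
			return NULL;
		}
	}

	c = asprintf(&p, "{"
	    "%s"
	    "\"termsOfServiceAgreed\": true"
	    "}", cnt == NULL ? "" : cnt);
	free(cnt);
	/* … unchanged: check of c, warn("asprintf"), return p … */
```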
> Index: usr.sbin/acme-client/netproc.c
> ===

Re: acme-client(1) and Buypass Go SSL

2020-04-21 Thread Sebastian Benoit
Bartosz Kuzma(bartosz.ku...@release11.com) on 2020.04.21 20:59:54 +0200:
> Hello,
> 
> thanks for looking at this!
> 
> On 21/04/2020 17:43, Florian Obser wrote:
> >Hi,
> >
> >thanks for working on this and finding another acme implementor!
> >
> >On Mon, Apr 20, 2020 at 06:51:17PM +0200, Bartosz Kuzma wrote:
> >>Hello,
> >>
> >>I've tried to get a certificate from Buypass Go SSL provider using
> >>acme-client(1) but it ends with the following error:
> >>
> >>acme-client: https://api.buypass.com/acme-v02/new-acct: bad HTTP: 400
> >>acme-client: transfer buffer:
> >>[{"type":"urn:ietf:params:acme:error:malformed","d
> >>etail":"Email is a required
> >>contact","code":400,"message":"MALFORMED_BAD_REQUEST
> >>","details":"HTTP 400 Bad Request"}] (164 bytes)
> >>
> >>Buypass Go SSL requires that optional field contact in Account Objects
> >>will contain email address.
> >>
> >>I've added new option "contact" to acme-client.conf to fullfil this
> >>requirement. It is also required to change MARKER in certproc.c to fix 
> >>line
> >>endings handling in pem files.
> >
> >they are leaving out the last newline?
> 
> It seems that chain can be provided with "\n" or "\r\n" line separator. 
> I removed it from MARKER to handle both cases.
> 
> >
> >>
> >>-- 
> >>Kind regards, Bartosz Kuzma.
> >
> >>Index: usr.sbin/acme-client/acme-client.conf.5
> >>===
> >>RCS file: /cvs/src/usr.sbin/acme-client/acme-client.conf.5,v
> >>retrieving revision 1.22
> >>diff -u -p -r1.22 acme-client.conf.5
> >>--- usr.sbin/acme-client/acme-client.conf.5 10 Feb 2020 13:18:21 - 
> >>1.22
> >>+++ usr.sbin/acme-client/acme-client.conf.5 20 Apr 2020 16:24:46 -
> >>@@ -98,6 +98,10 @@ It defaults to
> >>  Specify the
> >>  .Ar url
> >>  under which the ACME API is reachable.
> >>+.It Ic contact Ar contact
> >>+Optional
> >>+.Ar contact
> >>+URLs that the authority can use to contact the client for issues related 
> >>to this account.
> >
> >I think we should call it emails. That's what people actually have.
> >According to the RFC it's a list of contacts, but I'm fine with having 
> >only one.
> 
> For me one contact is also enough.
> 
> >
> >>  .El
> >>  .Sh DOMAINS
> >>  The certificates to be obtained through ACME.
> >>Index: usr.sbin/acme-client/certproc.c
> >>===
> >>RCS file: /cvs/src/usr.sbin/acme-client/certproc.c,v
> >>retrieving revision 1.12
> >>diff -u -p -r1.12 certproc.c
> >>--- usr.sbin/acme-client/certproc.c 7 Jun 2019 08:07:52 -   1.12
> >>+++ usr.sbin/acme-client/certproc.c 20 Apr 2020 16:24:46 -
> >>@@ -28,7 +28,7 @@
> >>  
> >>  #include "extern.h"
> >>  
> >>-#define MARKER "-END CERTIFICATE-\n"
> >>+#define MARKER "-END CERTIFICATE-"
> >>  
> >>  int
> >>  certproc(int netsock, int filesock)
> >>@@ -94,6 +94,12 @@ certproc(int netsock, int filesock)
> >>}
> >>  
> >>chaincp += strlen(MARKER);
> >>+
> >>+   if ((chaincp = strchr(chaincp, '-')) == NULL) {
> >>+   warn("strchr");
> >>+   goto out;
> >>+   }
> >>+
> >
> >I don't quite understand what this is doing.
> >
> Because I removed the newline character from MARKER, strchr() just moves the 
> pointer to -BEGIN CERTIFICATE to skip any newline characters 
> in the chain. It can be replaced by strstr("-BEGIN CERTIFICATE-") 
> if this improves readability.

The warn() should be a warnx() then, because strchr() does not set errno.
When it returns NULL it just means that it did not find the string. So

   warnx("invalid certificate chain");

would be a good error message here i think.



Re: bgpd local-address improvement

2020-04-23 Thread Sebastian Benoit
reads ok

Claudio Jeker(cje...@diehard.n-r-g.com) on 2020.04.23 10:04:15 +0200:
> local-address is one of those values that need to be set in some cases but
> is not very flexible to use. This diff tries to change this a bit.
> 
> It allows to set the local-address for both IPv4 and IPv6 at the same time
> and also allows to unset a previously set local-address. For example:
> 
> group IBGP {
> local-address 192.0.2.1
> local-address 2001:db8:abcd::1
> 
>   neighbor 192.0.2.2 { remote-as $AS }
>   neighbor 2001:db8:abcd::2 { remote-as $AS }
> 
>   # reset the local-address for whatever reason
>   neighbor 192.0.2.3 {
>   no local-address
>   remote-as $AS
>   }
> }
> 
> As usual setting a local-address on the neighbor will override the group
> config. I think for IBGP and multihop sessions this can simplify the
> config a fair bit. In my case this will collapse IPv4 and IPv6 specific
> groups back together since the only reason they are split is because of
> local-address.
> 
> What do other bgpd users think?
> -- 
> :wq Claudio
> 
> Index: bgpd.h
> ===
> RCS file: /cvs/src/usr.sbin/bgpd/bgpd.h,v
> retrieving revision 1.401
> diff -u -p -r1.401 bgpd.h
> --- bgpd.h14 Feb 2020 13:54:31 -  1.401
> +++ bgpd.h22 Apr 2020 15:50:46 -
> @@ -365,7 +365,8 @@ struct capabilities {
>  
>  struct peer_config {
>   struct bgpd_addr remote_addr;
> - struct bgpd_addr local_addr;
> + struct bgpd_addr local_addr_v4;
> + struct bgpd_addr local_addr_v6;
>   struct peer_auth auth;
>   struct capabilities  capabilities;
>   char group[PEER_DESCR_LEN];
> Index: parse.y
> ===
> RCS file: /cvs/src/usr.sbin/bgpd/parse.y,v
> retrieving revision 1.405
> diff -u -p -r1.405 parse.y
> --- parse.y   16 Mar 2020 14:47:30 -  1.405
> +++ parse.y   23 Apr 2020 07:51:25 -
> @@ -1260,8 +1260,27 @@ peeropts   : REMOTEAS as4number{
>   free($2);
>   }
>   | LOCALADDR address {
> - memcpy(&curpeer->conf.local_addr, &$2,
> - sizeof(curpeer->conf.local_addr));
> + if ($2.aid == AID_INET)
> + memcpy(&curpeer->conf.local_addr_v4, &$2,
> + sizeof(curpeer->conf.local_addr_v4));
> + else if ($2.aid == AID_INET6)
> + memcpy(&curpeer->conf.local_addr_v6, &$2,
> + sizeof(curpeer->conf.local_addr_v6));
> + else {
> + yyerror("Unsupported address family %s for "
> + "local-addr", aid2str($2.aid));
> + YYERROR;
> + }
> + }
> + | yesno LOCALADDR   {
> + if ($1) {
> + yyerror("bad local-address definition");
> + YYERROR;
> + }
> + memset(&curpeer->conf.local_addr_v4, 0,
> + sizeof(curpeer->conf.local_addr_v4));
> + memset(&curpeer->conf.local_addr_v6, 0,
> + sizeof(curpeer->conf.local_addr_v6));
>   }
>   | MULTIHOP NUMBER   {
>   if ($2 < 2 || $2 > 255) {
> @@ -4176,11 +4195,17 @@ str2key(char *s, char *dest, size_t max_
>  int
>  neighbor_consistent(struct peer *p)
>  {
> - /* local-address and peer's address: same address family */
> - if (p->conf.local_addr.aid &&
> - p->conf.local_addr.aid != p->conf.remote_addr.aid) {
> - yyerror("local-address and neighbor address "
> - "must be of the same address family");
> + struct bgpd_addr *local_addr;
> +
> + switch (p->conf.remote_addr.aid) {
> + case AID_INET:
> + local_addr = &p->conf.local_addr_v4;
> + break;
> + case AID_INET6:
> + local_addr = &p->conf.local_addr_v6;
> + break;
> + default:
> + yyerror("Bad address family for remote-addr");
>   return (-1);
>   }
>  
> @@ -4189,7 +4214,7 @@ neighbor_consistent(struct peer *p)
>   p->conf.auth.method == AUTH_IPSEC_IKE_AH ||
>   p->conf.auth.method == AUTH_IPSEC_MANUAL_ESP ||
>   p->conf.auth.method == AUTH_IPSEC_MANUAL_AH) &&
> - !p->conf.local_addr.aid) {
> + local_addr->aid == AID_UNSPEC) {
>   yyerror("neighbors with any form of IPsec configured "
>   "need local-address to be specified");
>   return (-1);
> Index: pfkey.c
> ===
> RCS fil

Re: Make Rockchip RK3399 eMMC faster

2020-04-24 Thread Sebastian Benoit
Mark Kettenis(mark.kette...@xs4all.nl) on 2020.04.23 22:56:17 +0200:
> I put this in at some point since I couldn't get the eMMC on my
> firefly-rk3399 working otherwise.  But its eMMC died and on my
> rockpro64 and rk3399-q7 boards things work very well without it.  On
> the latter board it even makes things a bit speedier: the raw read
> performance goes up from 35 MB/s to 43 MB/s.
> 
> Probably good if this was tested on the pinebook pro.

On the pinebook pro with the diff I get 38 MB/s from the eMMC, reading from
rsd1c. That's the average over 10 reads.

Without the diff i get only about 28 MB/s.

/Benno

> 
> ok?
> 
> 
> Index: dev/fdt/sdhc_fdt.c
> ===
> RCS file: /cvs/src/sys/dev/fdt/sdhc_fdt.c,v
> retrieving revision 1.7
> diff -u -p -r1.7 sdhc_fdt.c
> --- dev/fdt/sdhc_fdt.c21 Apr 2020 07:58:57 -  1.7
> +++ dev/fdt/sdhc_fdt.c23 Apr 2020 20:51:48 -
> @@ -154,9 +154,6 @@ sdhc_fdt_attach(struct device *parent, s
>*/
>   phy_enable(faa->fa_node, "phy_arasan");
>   sc->sc.sc_flags |= SDHC_F_NOPWR0;
> -
> - /* XXX Doesn't work on Rockchip RK3399. */
> - sc->sc.sc_flags |= SDHC_F_NODDR50;
>   }
>  
>   if (OF_is_compatible(faa->fa_node, "brcm,bcm2711-emmc2"))
> 



alpha installation notes INSTALL.alpha

2020-04-27 Thread Sebastian Benoit
Hi,

there have been no floppy images since the 6.2 release. This removes mention
of boot floppies from the INSTALL.alpha notes. Maybe someone who knows
something about alpha machines can do a check?

comments or oks?

diff --git distrib/notes/alpha/contents distrib/notes/alpha/contents
index eccbc79af6c..bb3867a540b 100644
--- distrib/notes/alpha/contents
+++ distrib/notes/alpha/contents
@@ -5,35 +5,6 @@ OpenBSDminiroot
It can be copied to the swap partition of an existing
disk to allow installing or upgrading to OpenBSD OSREV.
 
-OpenBSDfloppy
-   This floppy image will boot on the following MACHINE
-   models:
-   - AlphaStation 200, 250, 255, 400
-   - AlphaServer 300 and 400
-   - AlphaStation 500, 600
-   - AlphaStation 600A, 1200
-   - AlphaServer 800, 1000, 1000A, 1200, 4000 and 4100
-   - AXPpci33 based machines, including ``Noname'',
- UDB, Multia
-   - EB164 based machines, including PC164, 164SX,
- and 164LX
-   - Personal Workstation (Miata)
-
-   floppyB{:--:}OSrev.fs   Another MACHINE boot and installation floppy; 
see
-   below.
-   This floppy image will boot on the following MACHINE
-   models:
-   - Alpha Processor, Inc. UP1000, UP1100, UP2000 and
- UP2000+
-   - XP900, XP1000, CS20, DS10, DS20, DS20L, ES40 and
- 264DP
-
-   floppyC{:--:}OSrev.fs   Another MACHINE boot and installation floppy; 
see
-   below.
-   This floppy image will boot on the following MACHINE
-   models:
-   - Tadpole AlphaBook
-
 OpenBSDdistsets
 
 OpenBSDbsd
@@ -57,8 +28,6 @@ OpenBSDcd
netboot.mop The OpenBSD/MACHINE network boot loader, for MOP
protocol.
 
-OpenBSDfloppydesc(three,Each,s)
-
 DistributionDescription(eight)
 
 OpenBSDbase(101660534,244170752)
diff --git distrib/notes/alpha/install distrib/notes/alpha/install
index 1c0033aafa9..3ab01311789 100644
--- distrib/notes/alpha/install
+++ distrib/notes/alpha/install
@@ -3,23 +3,9 @@ OpenBSDInstallPrelude
 
 There are several ways to install OpenBSD onto a disk.  The easiest way is
 to boot from the bootable CD-ROM mini image, then install from your favorite
-source. You can also use one of the OpenBSD installation floppies, if your
-machine has a floppy drive. Network booting is supported through means of
+source. Network booting is supported through means of
 dhcpd(8) and tftpd(8).
 
-Booting from Floppy Disk installation media:
-
-   At the SRM console prompt, enter
-   boot dva0
-   You should see info about the primary and secondary boot
-   and then the kernel should start to load.  It will take a
-   while to load the kernel from the floppy, most likely more
-   than a minute.  If some action doesn't eventually happen,
-   or the spinning cursor has stopped and nothing further has
-   happened, or the machine spontaneously reboots, then either
-   you have a bad boot floppy (in which case you should try
-   another) or your alpha is not currently supported by OpenBSD.
-
 Booting from CD-ROM installation media:
 
At the SRM console prompt, enter
@@ -36,12 +22,12 @@ Booting from CD-ROM installation media:
boot DEVICE
where DEVICE is the dka device name.
 
-   You should see info about the primary and secondary boot
-   and then the kernel should start to load.  If the kernel
-   fails to load or the spinning cursor has stopped and nothing
-   further has happened, you either have a hardware problem or
-   your MACHINE is not currently supported by OpenBSD; try booting
-   from a floppy instead if possible.
+   You should see info about the primary and secondary boot and then the
+   kernel should start to load.  If the kernel fails to load or the
+   spinning cursor has stopped and nothing further has happened, you
+   either have a hardware problem or your MACHINE is not currently
+   supported by OpenBSD; try booting from the network instead if
+   possible.
 
 Booting from Network:
 
@@ -124,7 +110,7 @@ Booting from Network:
Once loaded, the boot loader will mount /alpha over NFS and load
the kernel from there.
 
-Installing using the Floppy, CD-ROM or Network procedure:
+Installing using the CD-ROM or Network procedure:
 
 OpenBSDInstallPart2
 
diff --git distrib/notes/alpha/prep distrib/notes/alpha/prep
index 29fda76e463..4aadfc21f83 100644
--- distrib/notes/alpha/prep
+++ distrib/notes/alpha/prep
@@ -63,8 +63,7 @@ Using the SRM console:
 

Re: [PATCH] sysupgrade

2020-04-30 Thread Sebastian Benoit
James Jerkins(j...@jamesjerkinscomputer.com) on 2020.04.29 22:28:12 -0500:
> Hello,
> 

> This patch adds two new options to sysupgrade. The first option is for
> small box systems like an APU system that only has the base and manual

We won't add tons of options to this tool for every use case.

Just make a copy of the sysupgrade script and add your own modifications
there. Or write a wrapper around it.



Re: [patch] relayd.conf.5, DHE params seems incorrect/outdated.

2020-05-01 Thread Sebastian Benoit
Jesper Wallin(jes...@ifconfig.se) on 2020.05.01 12:15:06 +0200:
> Hi all,
> 
> I was trying to score 100 on all the tests over at ssllabs.com, but seem
> to only reach 90 on "Key Exchange".  Not sure if it's related, but I was
> playing with the "dhe" option in relayd.conf(5) in order to increase the
> number of bits used for the ephemeral key.  No matter how I specified
> the option, nothing really changed and I started reading the code in
> order to understand what the option actually do.  I might be completely
> wrong, but from my understanding, it feeds the params of "dhe" as the
> second argument to tls_config_set_dheparams(), which expects "none",
> "legacy" or "auto".
> 
> My guess is that tls_config_set_dheparams() has been updated and the
> manual for relayd.conf(5) has not.  Here's a diff that hopefully solves
> that.
> 
> 
> Jesper Wallin

Thanks for noticing this.

Indeed it has to be specified as auto, none or legacy.

I can't see how this could ever have worked; I believe the documentation was
always wrong.

I changed the description in the manpage a bit.

ok?

Index: relayd.conf.5
===
RCS file: /cvs/src/usr.sbin/relayd/relayd.conf.5,v
retrieving revision 1.195
diff -u -p -r1.195 relayd.conf.5
--- relayd.conf.5   23 Apr 2020 21:28:10 -  1.195
+++ relayd.conf.5   1 May 2020 12:30:30 -
@@ -960,17 +960,22 @@ suites, in order of preference.
 The special value of "default" will use the default curves; see
 .Xr tls_config_set_ecdhecurves 3
 for further details.
-.It Ic edh Op Ic params Ar maximum
+.It Ic edh Op Ic params Pq Ic none Ns | Ns Ic auto Ns | Ns Ic legacy
 Enable EDH-based cipher suites with Perfect Forward Secrecy (PFS) for
 older clients that do not support ECDHE.
-If the
-.Ar maximum
-length of the DH params for EDH is not specified, the default value of
-1024 bits will be used.
-Other possible values are numbers between 1024 and 8192, including
-1024, 1536, 2048, 4096, or 8192.
-Values higher than 1024 bits can cause incompatibilities with older
-TLS clients.
+In
+.Ic auto
+mode, the key size of the ephemeral key is automatically selected
+based on the size of the private key used for signing.
+In
+.Ic legacy
+mode, a 1024 bit ephemeral key is used.
+If
+.Ic edh
+is enabled without specifiying the
+.Ic params ,
+.Ic auto
+is used.
 The default is
 .Ic no edh .
 .It Ic keypair Ar name



Re: JSON support for bgpctl(8)

2020-05-01 Thread Sebastian Benoit
Hiltjo Posthuma(hil...@codemadness.org) on 2020.05.01 16:31:33 +0200:
> On Fri, May 01, 2020 at 01:18:03PM +0200, Claudio Jeker wrote:
> > This diff add JSON output support for bgpctl.
> > Most commands should produce now a resonable JSON object.
> > The individual objects can probably be improved and extended.
> > I'm at a point where I'm happy with the result and looking for feedback.
> > It is possible to commit the non-JSON bits first and add output-json.c
> > once the output is enough stable.
> > 
> 
> Hi,
> 
> Maybe in the function do_name() and in functions where strings are printed the
> text should be escaped just in case? For example the characters ", \ and
> encoding of control-characters.

I think the only string that is not generated from trusted data (i.e.
hardcoded strings, strings from the configuration file, or numbers) is the
one in log_shutcomm(), and that one is escaped with strnvis().



Re: iked(8): Removing SHA1 from default transforms

2020-05-01 Thread Sebastian Benoit
Stuart Henderson(s...@spacehopper.org) on 2020.05.01 23:46:49 +0100:
> On 2020/05/02 00:43, Stephan Mending wrote:
> > On 02/05/2020 00:40, Stuart Henderson wrote:
> > > On 2020/05/02 00:23, Stephan Mending wrote:
> > > > Hi,
> > > > 
> > > > I actually read your thread. By what I understood you're at the moment
> > > > trying to change a few defaults.
> > > > 
> > > > That was the reason I wanted to add SHA1 for removal. I just thought it
> > > > deserved a seperate thread.
> > > > 
> > > > I do understand that you're trying to be careful with removing or 
> > > > changing
> > > > defaults. From my point of view everybody that is (maybe implicitly) 
> > > > using
> > > > SHA1 right now is better off to be get this wakeup call the earlier the
> > > > better.
> > > > 
> > > > We aren't even removing SHA1 we're just not offering it as default. And 
> > > > for
> > > > those Windows boxes who require it, those people just have to add a 
> > > > line to
> > > > explicitly enable it. I would not see such big of a problem.
> > > The things removed recently have a very low risk of affecting anyone.
> > > sha1 (and modp1024) are high risk.
> > > 
> > > Removing from the default list may cause some people to be unable
> > > to connect to their network after updating. This may mean that they
> > > are then unable to connect back in to fix it.
> > > 
> > > If this change is made it needs to be done fairly early in the release
> > > cycle, and preferably at a time when slightly fewer people are relying
> > > on working remote access to get at their networks.
> > > 
> > 
> > I dont't have much experience with such a big projekt like OpenBSD. How do
> > you normally carry through with such significant changes ? Just the release
> > notes and hoping somebody in snaps will complain ? Or is there more to it,
> > which I didn't notice ?
> > 
> 
> Testing where we can, but allowing for the fact that we can't test
> everything riskier changes need to be done at a point where we have a
> good chance to get feedback from -current users so we can come up with
> good advice for release notes.

For flag days like this, we try to have a transition period if possible.

For example here we could announce (in the release notes and/or the upgrade
guide for 6.7) that sha1/modp1024 is deprecated, including a command for
users to check if they have it in use. Some time after 6.7 is released, in
the -current branch, we remove them.

Then users of releases/stable-branch have 6 months to change their
configuration.

Alternatively we can remove them after 6.8 has been released, giving even
more time.



Re: [patch] relayd.conf.5, DHE params seems incorrect/outdated.

2020-05-02 Thread Sebastian Benoit
Jesper Wallin(jes...@ifconfig.se) on 2020.05.01 12:15:06 +0200:
> Hi all,
> 
> I was trying to score 100 on all the tests over at ssllabs.com, but seem
> to only reach 90 on "Key Exchange".  Not sure if it's related, but I was
> playing with the "dhe" option in relayd.conf(5) in order to increase the
> number of bits used for the ephemeral key.  No matter how I specified
> the option, nothing really changed and I started reading the code in
> order to understand what the option actually do.  I might be completely
> wrong, but from my understanding, it feeds the params of "dhe" as the
> second argument to tls_config_set_dheparams(), which expects "none",
> "legacy" or "auto".
> 
> My guess is that tls_config_set_dheparams() has been updated and the
> manual for relayd.conf(5) has not.  Here's a diff that hopefully solves
> that.
> 
> 
> Jesper Wallin

Thanks for noticing this, i fixed the manpage.

/Benno



Re: teach bgpctl about IPv6 MPLS VPN

2020-05-10 Thread Sebastian Benoit
Claudio Jeker(cje...@diehard.n-r-g.com) on 2020.05.08 09:40:38 +0200:
> Bgpctl has a way to specify the address family to show in 'show rib'
> commands. Teach it to also support IPv6 MPLS VPNs (aka VPNv6).
> 
> OK?



ok

> -- 
> :wq Claudio
> 
> Index: parser.c
> ===
> RCS file: /cvs/src/usr.sbin/bgpctl/parser.c,v
> retrieving revision 1.101
> diff -u -p -r1.101 parser.c
> --- parser.c  22 Jan 2020 07:52:38 -  1.101
> +++ parser.c  7 May 2020 17:11:38 -
> @@ -581,6 +581,11 @@ match_token(int *argc, char **argv[], co
>   t = &table[i];
>   res.aid = AID_VPN_IPv4;
>   }
> + if (!strcasecmp(word, "VPNv6")) {
> + match++;
> + t = &table[i];
> + res.aid = AID_VPN_IPv6;
> + }
>   break;
>   case ADDRESS:
>   if (parse_addr(word, &res.addr)) {
> @@ -878,7 +883,8 @@ show_valid_args(const struct token table
>   fprintf(stderr, "  \n");
>   break;
>   case FAMILY:
> - fprintf(stderr, "  [ inet | inet6 | IPv4 | IPv6 | VPNv4 
> ]\n");
> + fprintf(stderr, "  [ inet | inet6 | IPv4 | IPv6 | "
> + "VPNv4 | VPNv6 ]\n");
>   break;
>   case FILENAME:
>   fprintf(stderr, "  \n");
> 



Re: bgpctl parser cleanup

2020-05-12 Thread Sebastian Benoit
Claudio Jeker(cje...@diehard.n-r-g.com) on 2020.05.12 12:42:36 +0200:
> Minimal cleanup of things not used in the bgpctl parser.
> Bulk is not used and the ADDRESS / PREFIX tokens no longer overwrite the
> action since a while.

ok benno@

> 
> -- 
> :wq Claudio
> 
> Index: parser.c
> ===
> RCS file: /cvs/src/usr.sbin/bgpctl/parser.c,v
> retrieving revision 1.103
> diff -u -p -r1.103 parser.c
> --- parser.c  11 May 2020 07:55:18 -  1.103
> +++ parser.c  12 May 2020 10:25:37 -
> @@ -61,8 +61,7 @@ enum token_type {
>   RD,
>   FAMILY,
>   RTABLE,
> - FILENAME,
> - BULK
> + FILENAME
>  };
>  
>  struct token {
> @@ -592,24 +591,18 @@ match_token(int *argc, char **argv[], co
>   if (parse_addr(word, &res.addr)) {
>   match++;
>   t = &table[i];
> - if (t->value)
> - res.action = t->value;
>   }
>   break;
>   case PEERADDRESS:
>   if (parse_addr(word, &res.peeraddr)) {
>   match++;
>   t = &table[i];
> - if (t->value)
> - res.action = t->value;
>   }
>   break;
>   case PREFIX:
>   if (parse_prefix(word, wordlen, &res.addr, 
> &res.prefixlen)) {
>   match++;
>   t = &table[i];
> - if (t->value)
> - res.action = t->value;
>   }
>   break;
>   case ASTYPE:
> @@ -797,10 +790,6 @@ match_token(int *argc, char **argv[], co
>   t = &table[i];
>   }
>   break;
> - case BULK:
> - match++;
> - t = &table[i];
> - break;
>   case ENDTOKEN:
>   break;
>   }
> @@ -890,7 +879,6 @@ show_valid_args(const struct token table
>   case FILENAME:
>   fprintf(stderr, "  \n");
>   break;
> - case BULK:
>   case ENDTOKEN:
>   break;
>   }
> 



rpki-client 6.7p0 released

2020-05-18 Thread Sebastian Benoit
rpki-client 6.7 has just been released and will be available in the
rpki-client directory of any OpenBSD mirror soon.

rpki-client is a FREE, easy-to-use implementation of the Resource
Public Key Infrastructure (RPKI) for Relying Parties (RP) to
facilitate validation of the Route Origin of a BGP announcement. The
program queries the RPKI repository system and outputs Validated ROA
Payloads in the configuration format of OpenBGPD, BIRD, and also as
CSV or JSON objects for consumption by other routing stacks.

See RFC 6811 for a description of how BGP Prefix Origin Validation
secures the Internet's global routing system.

rpki-client was primarily developed by Kristaps Dzonsons, Claudio
Jeker, Job Snijders, and Sebastian Benoit as part of the OpenBSD
Project and gets released as a base component of OpenBSD every six
months, and follows the OpenBSD release numbering scheme.

This is the first release of the 6.7 version. It includes the following
changes to the previous release:

 * Document the suggested interval for running rpki-client in man page.

 * Always initialize cachedir and outputdir.

 * Print statistics as comments at the top of the output files which
   can take comments, including the date and time when the files were
   produced, and runtime statistics when producing them.

 * Improve log messages to clarify what's happening.

 * Fix a bug where rpki-client would not properly wait for exiting
   rsync processes, causing rpki-client to hang.

The mirrors where rpki-client can be found are on
https://www.rpki-client.org/portable.html

Reporting Bugs:
===

General bugs may be reported to tech@openbsd.org

Portable bugs may be filed at 
https://github.com/rpki-client/rpki-client-portable

We welcome feedback and improvements from the broader community.
Thanks to all of the contributors who helped make this release
possible.



Re: include interface name in rad error message

2020-05-20 Thread Sebastian Benoit
Claudio Jeker(cje...@diehard.n-r-g.com) on 2020.05.20 09:12:23 +0200:
> In my syslog I have this:
> rad[83563]: RA from non link local address ::
> now it would be splendid to know on which of the 4 interfaces rad is
> operating on this happened. So here is a diff doing that.

ok

> 
> -- 
> :wq Claudio
> 
> Index: engine.c
> ===
> RCS file: /cvs/src/usr.sbin/rad/engine.c,v
> retrieving revision 1.15
> diff -u -p -r1.15 engine.c
> --- engine.c  15 Mar 2019 16:47:19 -  1.15
> +++ engine.c  20 May 2020 07:09:32 -
> @@ -482,7 +482,8 @@ parse_rs(struct imsg_ra_rs *rs)
>   len = rs->len;
>  
>   if (!IN6_IS_ADDR_LINKLOCAL(&rs->from.sin6_addr)) {
> - log_warnx("RA from non link local address %s", hbuf);
> + log_warnx("RA from non link local address %s on %s", hbuf,
> + if_indextoname(rs->if_index, ifnamebuf));
>   return;
>   }
>  
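Review bot: if_indextoname() returns NULL when the index does not map to an interface (for example if the interface has gone away by the time the message is parsed), and the added log_warnx() call passes that result straight to `%s`, which is undefined for a NULL argument. Resolve the name first and fall back to a fixed string: `const char *ifn = if_indextoname(rs->if_index, ifnamebuf);` then `log_warnx("RA from non link local address %s on %s", hbuf, ifn != NULL ? ifn : "?");`. The declaration of ifnamebuf is not in the hunk; it has to be at least IF_NAMESIZE bytes. parse_rs() starts and ends outside the hunk.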
> 



Re: {plus,}67.html: fix link crontab(5)

2020-05-21 Thread Sebastian Benoit
Martin Vahlensieck(open...@academicsolutions.ch) on 2020.05.20 19:15:48 +0200:
> Hey there!
> 
> Otherwise it's going to crontab(1).

Thanks, committed.

Benno



Re: sysupgrade change to allow installing from url

2020-05-25 Thread Sebastian Benoit
Solene Rapenne(sol...@perso.pw) on 2020.05.25 15:25:40 +0200:
> Hi,
> 
> I don't know if this will be accepted but I propose to add a -u [url]
> parameter to use older snapshots from an archive server for example.
> 
> I wanted to add an optional parameter to -s at first but in case of
> sysupgrade -s [installurl] the install url would have been mistaken by
> this.
> 
> If you specify a -u url and installurl at the same time, -u url
> superseed installurl.
> 
> This would allow easier bisecting using older snapshots.

I have fixed the way the directories are laid out, so now you can do this

 # echo "http://ftp.hostserver.de/archive/2020-05-14-0105" > /etc/installurl
 # sysupgrade -n
 # strings /home/_sysupgrade/bsd | grep 6.7-current 
@(#)OpenBSD 6.7-current (GENERIC) #181: Wed May 13 12:43:30 MDT 2020


> Index: sysupgrade.8
> ===
> RCS file: /cvs/src/usr.sbin/sysupgrade/sysupgrade.8,v
> retrieving revision 1.10
> diff -u -p -r1.10 sysupgrade.8
> --- sysupgrade.8  3 Oct 2019 12:43:58 -   1.10
> +++ sysupgrade.8  25 May 2020 13:23:06 -
> @@ -24,6 +24,7 @@
>  .Nm
>  .Op Fl fkn
>  .Op Fl r | s
> +.Op Fl u Pa url
>  .Op Ar installurl
>  .Sh DESCRIPTION
>  .Nm
> @@ -66,6 +67,13 @@ This is the default if the system is cur
>  .It Fl s
>  Upgrade to a snapshot.
>  This is the default if the system is currently running a snapshot.
> +.It Fl u Pa url
> +Fetch and verify the files downloaded from 
> +.Pa url .
> +This is superseeding
> +.Op Pa installurl ,
> +its usage is intended for installing older snapshots available under url not 
> following
> +the usual installurl format.
>  .El
>  .Sh FILES
>  .Bl -tag -width "/auto_upgrade.conf" -compact
> Index: sysupgrade.sh
> ===
> RCS file: /cvs/src/usr.sbin/sysupgrade/sysupgrade.sh,v
> retrieving revision 1.37
> diff -u -p -r1.37 sysupgrade.sh
> --- sysupgrade.sh 26 Jan 2020 22:08:36 -  1.37
> +++ sysupgrade.sh 25 May 2020 13:23:06 -
> @@ -34,7 +34,7 @@ ug_err()
>  
>  usage()
>  {
> - ug_err "usage: ${0##*/} [-fkn] [-r | -s] [installurl]"
> + ug_err "usage: ${0##*/} [-fkn] [-r | -s] [-u url] [installurl]"
>  }
>  
>  unpriv()
> @@ -79,13 +79,14 @@ FORCE=false
>  KEEP=false
>  REBOOT=true
>  
> -while getopts fknrs arg; do
> +while getopts fknrsu: arg; do
>   case ${arg} in
>   f)  FORCE=true;;
>   k)  KEEP=true;;
>   n)  REBOOT=false;;
>   r)  RELEASE=true;;
>   s)  SNAP=true;;
> + u)  SNAPURL=${OPTARG};;
>   *)  usage;;
>   esac
>  done
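Review bot: SNAPURL is assigned only in the new `u)` arm and the patch never gives it an initial value, unlike KEEP and REBOOT just above the loop, so a SNAPURL variable inherited from the caller's environment would be used as the download location when -u is not given. Add `SNAPURL=` next to the other defaults before `while getopts`. The value selects where the install sets are fetched from, so it should only ever come from the command line or /etc/installurl.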
> @@ -121,7 +122,11 @@ else
>  fi
>  
>  if $SNAP; then
> - URL=${MIRROR}/snapshots/${ARCH}/
> + if [[ -n "$SNAPURL" ]]; then
> + URL=$SNAPURL
> + else
> + URL=${MIRROR}/snapshots/${ARCH}/
> + fi
>  else
>   URL=${MIRROR}/${NEXT_VERSION}/${ARCH}/
>  fi
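Review bot: The -u value is consulted only inside the `if $SNAP` branch, so `-u url` combined with -r, or on a system that defaults to a release upgrade, is silently ignored although the manual text says it supersedes installurl. Either reject that combination during option handling or apply SNAPURL in both branches. The two existing assignments end URL with `/`, while `URL=$SNAPURL` takes the argument as typed; if later code (outside the hunk) appends file names directly to URL, normalise it with `URL=${SNAPURL%/}/`. The manual page should also say that sets fetched from the alternate location go through the same signature verification as a normal upgrade, presuming the unchanged code does that.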
> 



Re: ospf6d: change the way interfaces are handled

2020-06-03 Thread Sebastian Benoit
Remi Locherer(remi.loche...@relo.ch) on 2020.06.03 15:36:17 +0200:
> On Sat, May 30, 2020 at 04:37:43PM +0200, Denis Fondras wrote:
> > This diff updates how ospf6d(8) handles interfaces.
> > It is now in line with what ospfd(8) does.
> > 
> > Last step before enabling reload.
> > 
> > Tested against Mikrotik and Zebra implementations.
> > 
> > Warning: it changes the default behaviour. No prefix is announced if no
> > "redistribute" statement is present in config file. Is this a showstopper ?
> 
> The diff reads good and works. I mostly agree with it.
> 
> But we should not change the behaviour. That prefixes configured on an
> interface need a redistribute statement is counter intuitive. The "passive"
> statement would be useless.

There is also a behaviour difference: the "interface { passive }" way only
announces the prefix on active/master interfaces.

I think it needs to stay.

Great work btw!

/Benno

> 
> > 
> > Index: hello.c
> > ===
> > RCS file: /cvs/src/usr.sbin/ospf6d/hello.c,v
> > retrieving revision 1.22
> > diff -u -p -r1.22 hello.c
> > --- hello.c 3 Jan 2020 17:25:48 -   1.22
> > +++ hello.c 30 May 2020 14:19:09 -
> > @@ -175,12 +175,16 @@ recv_hello(struct iface *iface, struct i
> > nbr->priority = LSA_24_GETHI(ntohl(hello.opts));
> > /* XXX neighbor address shouldn't be stored on virtual links */
> > nbr->addr = *src;
> > +   ospfe_imsg_compose_rde(IMSG_NEIGHBOR_ADDR, nbr->peerid, 0,
> > +   src, sizeof(struct in6_addr));
> > }
> >  
> > if (!IN6_ARE_ADDR_EQUAL(&nbr->addr, src)) {
> > log_warnx("%s: neighbor ID %s changed its address to %s",
> > __func__, inet_ntoa(nbr->id), log_in6addr(src));
> > nbr->addr = *src;
> > +   ospfe_imsg_compose_rde(IMSG_NEIGHBOR_ADDR, nbr->peerid, 0,
> > +   src, sizeof(struct in6_addr));
> > }
> >  
> > nbr->options = opts;
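Review bot: The same two-step sequence, `nbr->addr = *src;` followed by the IMSG_NEIGHBOR_ADDR message, now appears in both branches, and the payload length is spelled `sizeof(struct in6_addr)` instead of being tied to the object that is sent. Writing `sizeof(*src)` keeps the length correct if the address type ever changes. A small static helper that updates the address and notifies the RDE would keep the two sites from drifting apart. recv_hello() starts and ends outside the hunk, and how the RDE checks the received length is not visible here.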
> > Index: interface.c
> > ===
> > RCS file: /cvs/src/usr.sbin/ospf6d/interface.c,v
> > retrieving revision 1.29
> > diff -u -p -r1.29 interface.c
> > --- interface.c 27 May 2020 09:03:56 -  1.29
> > +++ interface.c 30 May 2020 14:19:09 -
> > @@ -72,8 +72,6 @@ struct {
> >  static int vlink_cnt = 0;
> >  #endif
> >  
> > -TAILQ_HEAD(, iface)iflist;
> > -
> >  const char * const if_event_names[] = {
> > "NOTHING",
> > "UP",
> > @@ -145,10 +143,6 @@ if_fsm(struct iface *iface, enum iface_e
> > area_track(iface->area);
> > orig_rtr_lsa(iface->area);
> > orig_link_lsa(iface);
> > -
> > -   /* state change inform RDE */
> > -   ospfe_imsg_compose_rde(IMSG_IFINFO, iface->self->peerid, 0,
> > -   &iface->state, sizeof(iface->state));
> > }
> >  
> > if (old_state & (IF_STA_MULTI | IF_STA_POINTTOPOINT) &&
> > @@ -166,41 +160,8 @@ if_fsm(struct iface *iface, enum iface_e
> > return (ret);
> >  }
> >  
> > -int
> > -if_init(void)
> > -{
> > -   TAILQ_INIT(&iflist);
> > -
> > -   return (fetchifs(0));
> > -}
> > -
> > -/* XXX using a linked list should be OK for now */
> >  struct iface *
> > -if_find(unsigned int ifindex)
> > -{
> > -   struct iface*iface;
> > -
> > -   TAILQ_FOREACH(iface, &iflist, list) {
> > -   if (ifindex == iface->ifindex)
> > -   return (iface);
> > -   }
> > -   return (NULL);
> > -}
> > -
> > -struct iface *
> > -if_findname(char *name)
> > -{
> > -   struct iface*iface;
> > -
> > -   TAILQ_FOREACH(iface, &iflist, list) {
> > -   if (!strcmp(name, iface->name))
> > -   return (iface);
> > -   }
> > -   return (NULL);
> > -}
> > -
> > -struct iface *
> > -if_new(u_short ifindex, char *ifname)
> > +if_new(struct kif *kif, struct kif_addr *ka)
> >  {
> > struct iface*iface;
> >  
> > @@ -210,7 +171,6 @@ if_new(u_short ifindex, char *ifname)
> > iface->state = IF_STA_DOWN;
> >  
> > LIST_INIT(&iface->nbr_list);
> > -   TAILQ_INIT(&iface->ifa_list);
> > TAILQ_INIT(&iface->ls_ack_list);
> > RB_INIT(&iface->lsa_tree);
> >  
> > @@ -225,34 +185,36 @@ if_new(u_short ifindex, char *ifname)
> > return (iface);
> > }
> >  #endif
> > -   strlcpy(iface->name, ifname, sizeof(iface->name));
> > -   iface->ifindex = ifindex;
> > -
> > -   TAILQ_INSERT_TAIL(&iflist, iface, list);
> > -
> > -   return (iface);
> > -}
> >  
> > -void
> > -if_update(struct iface *iface, int mtu, int flags, u_int8_t type,
> > -u_int8_t state, u_int64_t rate, u_int32_t rdomain)
> > -{
> > -   iface->mtu = mtu;
> > -   iface->flags = flags;
> > -   iface->if_type = type;
> > -   iface->linkstate = state;
> > -   iface->baudrate = rate;
> > -   iface->rdomain = rdomain;
> > +   strlcpy(iface->name, kif->ifname, sizeof(iface->name));
> >  
> > -   /* set type */
> > -   if (flags 

Re: urtwn(4) hardware crypto

2020-06-08 Thread Sebastian Benoit
Jonathan Matthew(jonat...@d14n.org) on 2020.06.05 21:54:30 +1000:
> This enables use of hardware crypto for CCMP in urtwn(4). As with other
> drivers, this reduces cpu usage significantly when moving lots of data.
> I've tested this on an assortment of hardware (RTL8188CUS, RTL8188EU,
> RTL8192EU) with no problems, and this is one of the few things that
> remains constant across a lot of Realtek wifi chips, but some wider
> testing couldn't hurt. Since this touches the code shared with rtwn(4),
> I've also tested that that still works.

Works on 

urtwn0 at uhub2 port 2 configuration 1 interface 0 "Realtek 802.11n NIC" rev 
2.00/0.00 addr 3
urtwn0: MAC/BB RTL8188EU, RF 6052 1T1R, address d4:6e:0e:29:e2:84

usb stick, on armv7.

In a quick test, download of a 10MB large file is faster with your diff, up
from 1MB/s to now 1.6MB/s.

/Benno

> 
> 
> Index: ic/r92creg.h
> ===
> RCS file: /cvs/src/sys/dev/ic/r92creg.h,v
> retrieving revision 1.24
> diff -u -p -r1.24 r92creg.h
> --- ic/r92creg.h  11 Mar 2019 06:19:33 -  1.24
> +++ ic/r92creg.h  5 Jun 2020 11:52:21 -
> @@ -688,6 +688,16 @@
>  #define R92C_CAMCMD_CLR  0x4000
>  #define R92C_CAMCMD_POLLING  0x8000
>  
> +/* Bits for R92C_SECCFG. */
> +#define R92C_SECCFG_TXUCKEY_DEF 0x0001
> +#define R92C_SECCFG_RXUCKEY_DEF  0x0002
> +#define R92C_SECCFG_TXENC_ENA0x0004
> +#define R92C_SECCFG_RXENC_ENA0x0008
> +#define R92C_SECCFG_CMP_A2   0x0010
> +#define R92C_SECCFG_MC_SRCH_DIS  0x0020
> +#define R92C_SECCFG_TXBCKEY_DEF 0x0040
> +#define R92C_SECCFG_RXBCKEY_DEF 0x0080
> +
>  /* IMR */
>   
>  /*Beacon DMA interrupt 6 */
> Index: ic/rtwn.c
> ===
> RCS file: /cvs/src/sys/dev/ic/rtwn.c,v
> retrieving revision 1.49
> diff -u -p -r1.49 rtwn.c
> --- ic/rtwn.c 9 Jan 2020 14:35:19 -   1.49
> +++ ic/rtwn.c 5 Jun 2020 11:52:22 -
> @@ -3154,6 +3154,14 @@ rtwn_init(struct ifnet *ifp)
>   /* Clear per-station keys table. */
>   rtwn_cam_init(sc);
>  
> + /* Enable decryption / encryption. */
> + if (sc->chip & RTWN_CHIP_USB) {
> + rtwn_write_2(sc, R92C_SECCFG,
> + R92C_SECCFG_TXUCKEY_DEF | R92C_SECCFG_RXUCKEY_DEF |
> + R92C_SECCFG_TXENC_ENA | R92C_SECCFG_RXENC_ENA |
> + R92C_SECCFG_TXBCKEY_DEF | R92C_SECCFG_RXBCKEY_DEF);
> + }
> +
>   /* Enable hardware sequence numbering. */
>   rtwn_write_1(sc, R92C_HWSEQ_CTRL, 0xff);
>  
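Review bot: The new `R92C_SECCFG` write is limited to `RTWN_CHIP_USB`, but the comment `/* Enable decryption / encryption. */` does not say why PCI chips are left out. Presumably it is because only if_urtwn.c installs `ic_set_key`/`ic_delete_key` in this diff, so the engine would have no keys to work with on rtwn(4). Saying that in the comment, e.g. `/* Enable hardware crypto; only urtwn(4) installs keys so far. */`, keeps the condition from looking accidental. If `R92C_SECCFG_CMP_A2` and `R92C_SECCFG_MC_SRCH_DIS` are left clear on purpose, a word on that would help too. rtwn_init's body continues outside the hunk.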
> @@ -3204,14 +3212,14 @@ rtwn_init(struct ifnet *ifp)
>   ifq_clr_oactive(&ifp->if_snd);
>   ifp->if_flags |= IFF_RUNNING;
>  
> -#ifdef notyet
> - if (ic->ic_flags & IEEE80211_F_WEPON) {
> + if ((ic->ic_flags & IEEE80211_F_WEPON) &&
> + (sc->chip & RTWN_CHIP_USB)) {
>   /* Install WEP keys. */
>   for (i = 0; i < IEEE80211_WEP_NKID; i++)
>   ic->ic_set_key(ic, NULL, &ic->ic_nw_keys[i]);
>   sc->sc_ops.wait_async(sc->sc_ops.cookie);
>   }
> -#endif
> +
>   if (ic->ic_opmode == IEEE80211_M_MONITOR)
>   ieee80211_new_state(ic, IEEE80211_S_RUN, -1);
>   else
> Index: usb/if_urtwn.c
> ===
> RCS file: /cvs/src/sys/dev/usb/if_urtwn.c,v
> retrieving revision 1.89
> diff -u -p -r1.89 if_urtwn.c
> --- usb/if_urtwn.c26 May 2020 06:04:30 -  1.89
> +++ usb/if_urtwn.c5 Jun 2020 11:52:22 -
> @@ -490,10 +490,8 @@ urtwn_attach(struct device *parent, stru
>  
>   ic->ic_updateslot = urtwn_updateslot;
>   ic->ic_updateedca = urtwn_updateedca;
> -#ifdef notyet
>   ic->ic_set_key = urtwn_set_key;
>   ic->ic_delete_key = urtwn_delete_key;
> -#endif
>   /* Override state transition machine. */
>   ic->ic_newstate = urtwn_newstate;
>  
> @@ -1035,6 +1033,10 @@ urtwn_set_key(struct ieee80211com *ic, s
>   struct urtwn_softc *sc = (struct urtwn_softc *)self;
>   struct urtwn_cmd_key cmd;
>  
> + /* Only handle keys for CCMP */
> + if (k->k_cipher != IEEE80211_CIPHER_CCMP)
> + return ieee80211_set_key(ic, ni, k);
> +
>   /* Defer setting of WEP keys until interface is brought up. */
>   if ((ic->ic_if.if_flags & (IFF_UP | IFF_RUNNING)) !=
>   (IFF_UP | IFF_RUNNING))
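Review bot: The context comment `/* Defer setting of WEP keys until interface is brought up. */` right below the new CCMP check no longer describes what reaches that code, because every non-CCMP key, WEP included, now returns through `ieee80211_set_key()` first. Reword it to `/* Defer setting of keys until interface is brought up. */`, and let the new comment say where the other ciphers go, e.g. `/* Only CCMP is offloaded; other ciphers are handled by net80211. */`. For the same reason the WEP install loop enabled in the rtwn_init hunk now appears to end up in `ieee80211_set_key()` for each key, so the `wait_async` call after it may have nothing to wait for; that is worth confirming. urtwn_set_key's body continues outside the hunk.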
> @@ -1065,6 +1067,12 @@ urtwn_delete_key(struct ieee80211com *ic
>   struct urtwn_softc *sc = (struct urtwn_softc *)self;
>   struct urtwn_cmd_key cmd;
>  
> + /* Only handle keys for CCMP */
> + if (k->k_cipher != IEEE80211_CIPHER_CCMP) {
> + ieee80211_delete_key(ic, ni, k);
> + return;
> + }
> +
>   if (!(ic->ic_if.if_flags & IFF_RUNNING) ||
>   ic->ic_state != IEEE80211_S_RUN)
>   return; /* Nothing to do. */
> @@ -1084,6 +1092,52 @@ urtwn_delete_key_cb(struct urtwn_softc *
>   rtwn_delete_key(ic, cmd->ni, 

Re: netstat -R: list rdomains with associated ifs and tables

2020-06-10 Thread Sebastian Benoit
Remi Locherer(remi.loche...@relo.ch) on 2020.06.10 22:16:36 +0200:
> On Tue, Jun 09, 2020 at 10:02:06AM +0200, Remi Locherer wrote:
> > On Tue, Jun 09, 2020 at 09:17:31AM +0200, Claudio Jeker wrote:
> > > On Tue, Jun 09, 2020 at 08:44:42AM +0200, Remi Locherer wrote:
> > > > On Mon, Jun 08, 2020 at 10:10:17PM +0200, Remi Locherer wrote:
> > > > > Hi,
> > > > > 
> > > > > to my knowledge there is no easy way to list all active rdomains or
> > > > > routing tables. Other platforms have "show vrf" or similar commands
> > > > > for an overview.
> > > > > 
> > > > > Here is my attempt at such a view for OpenBSD:
> > > > 
> > > > Updated diff with small changes:
> > > > - Print inet instead of Internet (input deraadt)
> > > > - Removed padding before rdomain id.
> > > > - Changed man page wording.
> > > > 
> > > > twister ..in/netstat$ obj/netstat -R
> > > > Rdomain 0
> > > >   Interfaces: lo0 iwm0 re0 enc0 pflog0 mpe0
> > > >   Routing tables:
> > > >   0: inet   8, inet6  45, mpls   1
> > > >   3: inet   1, inet6   0, mpls   0
> > > >   7: inet  130309, inet6   1, mpls   0
> > > > 
> > > > Rdomain 77
> > > >   Interfaces: vether77 lo77
> > > >   Routing tables:
> > > >  77: inet   0, inet6   0, mpls   0
> > > > 
> > > > Rdomain 122
> > > >   Interfaces: vether122 lo122 pair122 vether1122 vether1123 vether1124 
> > > > vether1125 vether1126 vether1127
> > > >   Routing tables:
> > > > 122: inet  24, inet6   0, mpls   0
> > > > 
> > > > Rdomain 255
> > > >   Interfaces: vether255 lo255
> > > >   Routing tables:
> > > > 255: inet   3, inet6   0, mpls   0
> > > > 
> > > > twister ..in/netstat$
> > > > 
> > > > OK?
> > > 
> > > Why do you think the route counts are needed? You fetch all routing tables
> > > to count them in userland. The sysctl for doing that is expensive and
> > > especially on systems with full tables will make this command slow.
> > > If this is something we really want then the kernel should track and
> > > provide the count.
> > 
> > These counters are of interest for operators. But I agree that counting
> > the routes in userland is unfortunate. But I don't know how bad it is.
> > Is a lock involved in the kernel when dumping the full table?
> 
> I did some homework and figured out, that dumping a routing table takes the
> NET_LOCK. So it's not just inefficient counting all routes in userland it
> might have a negative impact on the system.
> 
> Below my new proposal without the counters. I still think it would be good
> to have those counters. Maybe I'll try to find a solution for that.

Maybe sysctl NET_RT_STATS and struct rtstat could be expanded to cover this?

As for the diff, ok benno@. The number of routes is interesting but can be
added later.

/B.



 
> twister ..in/netstat$ obj/netstat -R 
> Rdomain 0
>   Interfaces: lo0 iwm0 re0 enc0 pflog0
>   Routing tables: 0 6 7 77
> 
> Rdomain 100
>   Interfaces: vether100 lo100 vether101 vether102 vether103 vether104 
> vether105 vether106 vether107 vether108 vether109
>   Routing tables: 100
> 
> Rdomain 255
>   Interfaces: vether255 lo255
>   Routing tables: 255
> 
> twister ..in/netstat$
> 
> 
> 
> Index: main.c
> ===
> RCS file: /cvs/src/usr.bin/netstat/main.c,v
> retrieving revision 1.116
> diff -u -p -r1.116 main.c
> --- main.c28 Apr 2019 17:59:51 -  1.116
> +++ main.c30 May 2020 17:59:33 -
> @@ -127,7 +127,7 @@ main(int argc, char *argv[])
>   tableid = getrtable();
>  
>   while ((ch = getopt(argc, argv,
> - "AaBbc:deFf:ghI:iLlM:mN:np:P:qrsT:tuvW:w:")) != -1)
> + "AaBbc:deFf:ghI:iLlM:mN:np:P:qRrsT:tuvW:w:")) != -1)
>   switch (ch) {
>   case 'A':
>   Aflag = 1;
> @@ -225,6 +225,9 @@ main(int argc, char *argv[])
>   case 'q':
>   qflag = 1;
>   break;
> + case 'R':
> + Rflag = 1;
> + break;
>   case 'r':
>   rflag = 1;
>   break;
> @@ -318,6 +321,11 @@ main(int argc, char *argv[])
>   mroutepr();
>   if (af == AF_INET6 || af == AF_UNSPEC)
>   mroute6pr();
> + exit(0);
> + }
> +
> + if (Rflag) {
> + rdomainpr();
>   exit(0);
>   }
>  
> Index: netstat.1
> ===
> RCS file: /cvs/src/usr.bin/netstat/netstat.1,v
> retrieving revision 1.86
> diff -u -p -r1.86 netstat.1
> --- netstat.1 17 Apr 2019 20:34:21 -  1.86
> +++ netstat.1 8 Jun 2020 20:42:46 -
> @@ -74,6 +74,8 @@
>  .Op Fl i | I Ar interface
>  .Nm
>  .Op Fl W Ar interface
> +.Nm
> +.Op Fl R
>  .Sh DESCRIPTION
>  The
>  .Nm
> @@ -267,6 +269,8 @@ Otherwise the states of the matching soc
>  Only show interfaces that have 

Re: netstat -R: list rdomains with associated ifs and tables

2020-06-13 Thread Sebastian Benoit
Remi Locherer(remi.loche...@relo.ch) on 2020.06.11 21:46:45 +0200:
> > This would be clearer if it used table/tables as appropriate e.g.
> > 
> >   Routing table: 0
> >   Routing table: 100
> >   Routing tables: 0 6 7 77
> > 
> > the code to handle this gets messy though, maybe someone can think
> > of alternative wording that gets around this another way..
> > 
> 
> It's not too messy I think.
> 
> twister ..in/netstat$ obj/netstat -R 
> Rdomain 0
>   Interfaces: lo0 iwm0 re0 enc0 pflog0
>   Routing tables: 0 5
> 
> Rdomain 255
>   Interface: lo255
>   Routing table: 255

Of course that makes parsing the output more difficult.
Maybe we can change this in tree when we find a better solution?

/B.



Re: unveil(2) relayd(8)'s main proc, now for real

2020-06-19 Thread Sebastian Benoit
Ricardo Mestre(ser...@helheim.mooo.com) on 2020.06.18 23:40:54 +0100:
> Hi,
> 
> Yes, this is a really broad permission to give but it's needed in order to 
> read
> the config file (and those ones included from it) and also to exec the "check
> script(s)" which I missed in my last attempt to unveil(2) relayd(8).
> 
> The reason it cannot be pledge(2)d is the forbidden ioctl(2)s related to
> carp(4).
> 
> This permits reading or execing anything from the filesystem but at least
> prevents create/write/delete files and regress tests still pass.
> 
> Comments? OK?

ok benno@

> Index: relayd.c
> ===
> RCS file: /cvs/src/usr.sbin/relayd/relayd.c,v
> retrieving revision 1.182
> diff -u -p -u -r1.182 relayd.c
> --- relayd.c  15 Sep 2019 19:23:29 -  1.182
> +++ relayd.c  18 Jun 2020 22:19:50 -
> @@ -223,6 +223,11 @@ main(int argc, char *argv[])
>   if (ps->ps_noaction == 0)
>   log_info("startup");
>  
> + if (unveil("/", "rx") == -1)
> + err(1, "unveil");
> + if (unveil(NULL, NULL) == -1)
> + err(1, "unveil");
> +
>   event_init();
>  
>   signal_set(&ps->ps_evsigint, SIGINT, parent_sig_handler, ps);
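Review bot: Both new `err(1, "unveil")` calls print the same message, so a failure report cannot tell whether the `/` rule or the final lock failed; distinct strings such as `err(1, "unveil /")` and `err(1, "unveil lock")` would make that visible. The block also has no comment recording why the rule has to be as broad as `"/", "rx"`. The commit message gives the reasons (included config files and check scripts can live anywhere, and pledge(2) is ruled out by the carp(4) ioctls), and a short comment above the calls would keep them next to the code, e.g. `/* config includes and check scripts may be anywhere: allow read/exec only */`. main()'s body continues outside the hunk.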
> 



Re: 11n Tx aggregation for iwm(4)

2020-06-29 Thread Sebastian Benoit
Stefan Sperling(s...@stsp.name) on 2020.06.26 14:45:53 +0200:
> This patch adds support for 11n Tx aggregation to iwm(4).
> 
> Please help with testing if you can by running the patch and using wifi
> as usual. Nothing should change, except that Tx speed may potentially
> improve. If you have time to run before/after performance measurements with
> tcpbench or such, that would be nice. But it's not required for testing.
> 
> If Tx aggregation is active then netstat will show a non-zero output block ack
> agreement counter:
> 
> $ netstat -W iwm0 | grep 'output block'
> 3 new output block ack agreements
>   0 output block ack agreements timed out

iwm0 at pci2 dev 0 function 0 "Intel Dual Band Wireless-AC 8265" rev 0x78, msi
iwm0: hw rev 0x230, fw ver 34.0.1, address 9c:da:3e:6f:51:a4

With intel firmware updated: intel-firmware-20200520v0->20200609v0: ok

With the patch i get a speedup from ca 25 MBit/s to ca. 35 MBit/s.

However i do not see any 'new output block ack agreements'.

0 new output block ack agreements
0 output block ack agreements timed out

This is with two TP-Link APs (Archer A7 or something like that).

/Benno



Re: 11n Tx aggregation for iwm(4)

2020-06-29 Thread Sebastian Benoit
Sebastian Benoit(be...@openbsd.org) on 2020.06.29 16:18:03 +0200:
> Stefan Sperling(s...@stsp.name) on 2020.06.26 14:45:53 +0200:
> > This patch adds support for 11n Tx aggregation to iwm(4).
> > 
> > Please help with testing if you can by running the patch and using wifi
> > as usual. Nothing should change, except that Tx speed may potentially
> > improve. If you have time to run before/after performance measurements with
> > tcpbench or such, that would be nice. But it's not required for testing.
> > 
> > If Tx aggregation is active then netstat will show a non-zero output block 
> > ack
> > agreement counter:
> > 
> > $ netstat -W iwm0 | grep 'output block'
> > 3 new output block ack agreements
> > 0 output block ack agreements timed out
> 
> iwm0 at pci2 dev 0 function 0 "Intel Dual Band Wireless-AC 8265" rev 0x78, msi
> iwm0: hw rev 0x230, fw ver 34.0.1, address 9c:da:3e:6f:51:a4
> 
> With intel firmware updated: intel-firmware-20200520v0->20200609v0: ok

He, i meant to say with "iwm-firmware-20191022p1" as before, but copied the
wrong line and then wrote the correct thing for it :)



Re: missing case in rpki-client rrdp repo merge

2021-04-13 Thread Sebastian Benoit
Claudio Jeker(cje...@diehard.n-r-g.com) on 2021.04.13 11:29:57 +0200:
> rpki-client applies all delta files to a temporary location. At the same
> time files or URIs are tracked in an added and a deleted set to know which
> files to remove from the repo or move into place.
> 
> Now when adding a file to the temp dir one step is missing. If the file
> was previously removed and then in a later delta added again the file will
> be on both the added and removed set and during merge the file will be
> removed and the rename will fail.
> 
> Btw. for the PUB_DEL case the inverse check happens earlier in
> rrdp_handle_file() since the hash of the file must be checked before
> accepting the delete. At that point files in the added set will be checked
> and removed from the set.
> 
> This issue is not common but I think I hit it once and this diff should
> take care of it.

easy enough.

ok benno@

> -- 
> :wq Claudio
> 
> Index: repo.c
> ===
> RCS file: /cvs/src/usr.sbin/rpki-client/repo.c,v
> retrieving revision 1.4
> diff -u -p -r1.4 repo.c
> --- repo.c7 Apr 2021 14:19:31 -   1.4
> +++ repo.c12 Apr 2021 17:24:34 -
> @@ -778,6 +778,10 @@ rrdp_handle_file(size_t id, enum publish
>   if (pt == PUB_DEL) {
>   filepath_add(&rr->deleted, uri);
>   } else {
> + fp = filepath_find(&rr->deleted, uri);
> + if (fp != NULL)
> + filepath_put(&rr->deleted, fp);
> +
>   /* add new file to temp dir */
>   if ((fn = rrdp_filename(rr, uri, 1)) == NULL)
>   return 0;
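Review bot: The new `filepath_find()`/`filepath_put()` pair at the top of the else branch has no comment, and its purpose is recorded only in the commit message: a URI that an earlier delta deleted and a later delta publishes again must leave the deleted set, or the merge removes the file and the rename fails. A short comment above the lookup, such as `/* re-added after an earlier delete: drop it from the deleted set */`, would keep that next to the code. The declaration of `fp` is not part of this hunk, and rrdp_handle_file starts and ends outside it.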
> 



Re: rpki-client more http.c cleanup

2021-04-13 Thread Sebastian Benoit
Claudio Jeker(cje...@diehard.n-r-g.com) on 2021.04.13 14:14:38 +0200:
> This is another minor cleanup. It makes http_done() similar to http_fail()
> by taking all the arguments (which would allow it to be called after
> the http connection was removed), and it also no longer alters the http
> state.
> 
> At the same time move some common code between http_connect() and
> http_finish_connect() into a new function.
> 
> OK?

reads ok benno@

With a bit more shuffling, you can get this closer to relayd ;) /s


> -- 
> :wq Claudio
> 
> Index: http.c
> ===
> RCS file: /cvs/src/usr.sbin/rpki-client/http.c,v
> retrieving revision 1.27
> diff -u -p -r1.27 http.c
> --- http.c9 Apr 2021 06:52:50 -   1.27
> +++ http.c13 Apr 2021 12:07:06 -
> @@ -259,17 +259,15 @@ http_resolv(struct http_connection *conn
>  }
>  
>  static void
> -http_done(struct http_connection *conn, enum http_result res)
> +http_done(size_t id, enum http_result res, const char *last_modified)
>  {
>   struct ibuf *b;
>  
> - conn->state = STATE_DONE;
> -
>   if ((b = ibuf_dynamic(64, UINT_MAX)) == NULL)
>   err(1, NULL);
> - io_simple_buffer(b, &conn->id, sizeof(conn->id));
> + io_simple_buffer(b, &id, sizeof(id));
>   io_simple_buffer(b, &res, sizeof(res));
> - io_str_buffer(b, conn->last_modified);
> + io_str_buffer(b, last_modified);
>   ibuf_close(&msgq, b);
>  }
>  
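Review bot: http_done() no longer sets `conn->state = STATE_DONE`, so every call site has to do that itself, and nothing at the function says so. The callers in the http_parse_chunked and data_write hunks add the assignment right after the call; a header comment on http_done, for example `/* Report the result to the parent; the caller updates conn->state. */`, would keep a future caller from forgetting it. `last_modified` is handed straight to `io_str_buffer()`, so if it can be NULL for a response without that header, the comment should state that this is accepted (presumably it is, since the old code passed `conn->last_modified` the same way).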
> @@ -406,6 +404,43 @@ http_new(size_t id, char *uri, char *mod
>  }
>  
>  static int
> +http_connect_done(struct http_connection *conn)
> +{
> + freeaddrinfo(conn->res0);
> + conn->res0 = NULL;
> + conn->res = NULL;
> +
> +#if 0
> + /* TODO proxy connect */
> + if (proxyenv)
> + proxy_connect(conn->fd, sslhost, proxy_credentials); */
> +#endif
> +
> + return 0;
> +}
> +
> +static int
> +http_finish_connect(struct http_connection *conn)
> +{
> + int error = 0;
> + socklen_t len;
> +
> + len = sizeof(error);
> + if (getsockopt(conn->fd, SOL_SOCKET, SO_ERROR, &error, &len) == -1) {
> + warn("%s: getsockopt SO_ERROR", http_info(conn->url));
> + /* connection will be closed by http_connect() */
> + return -1;
> + }
> + if (error != 0) {
> + errno = error;
> + warn("%s: connect", http_info(conn->url));
> + return -1;
> + }
> +
> + return http_connect_done(conn);
> +}
> +
> +static int
>  http_connect(struct http_connection *conn)
>  {
>   const char *cause = NULL;
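Review bot: The `#if 0` block moved into http_connect_done() still carries a stray `*/` after the `proxy_connect()` call, which becomes a syntax error the day the block is enabled. Since the lines are being moved anyway, the call should read `proxy_connect(conn->fd, sslhost, proxy_credentials);`. http_connect_done() cannot fail at present and always returns 0, so a one-line comment that the `int` return is kept for the future proxy step would explain the return type. http_connect's body continues outside the hunk.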
> @@ -472,47 +507,7 @@ http_connect(struct http_connection *con
>   return -1;
>   }
>  
> - freeaddrinfo(conn->res0);
> - conn->res0 = NULL;
> - conn->res = NULL;
> -
> -#if 0
> - /* TODO proxy connect */
> - if (proxyenv)
> - proxy_connect(conn->fd, sslhost, proxy_credentials); */
> -#endif
> - return 0;
> -}
> -
> -static int
> -http_finish_connect(struct http_connection *conn)
> -{
> - int error = 0;
> - socklen_t len;
> -
> - len = sizeof(error);
> - if (getsockopt(conn->fd, SOL_SOCKET, SO_ERROR, &error, &len) == -1) {
> - warn("%s: getsockopt SO_ERROR", http_info(conn->url));
> - /* connection will be closed by http_connect() */
> - return -1;
> - }
> - if (error != 0) {
> - errno = error;
> - warn("%s: connect", http_info(conn->url));
> - return -1;
> - }
> -
> - freeaddrinfo(conn->res0);
> - conn->res0 = NULL;
> - conn->res = NULL;
> -
> -#if 0
> - /* TODO proxy connect */
> - if (proxyenv)
> - proxy_connect(conn->fd, sslhost, proxy_credentials); */
> -#endif
> -
> - return 0;
> + return http_connect_done(conn);
>  }
>  
>  static int
> @@ -838,7 +833,8 @@ http_parse_chunked(struct http_connectio
>   conn->iosz = chunksize;
>  
>   if (conn->iosz == 0) {
> - http_done(conn, HTTP_OK);
> + http_done(conn->id, HTTP_OK, conn->last_modified);
> + conn->state = STATE_DONE;
>   return 0;
>   }
>  
> @@ -985,7 +981,8 @@ data_write(struct http_connection *conn)
>  
>   /* check if regular file transfer is finished */
>   if (!conn->chunked && conn->iosz == 0) {
> - http_done(conn, HTTP_OK);
> + http_done(conn->id, HTTP_OK, conn->last_modified);
> + conn->state = STATE_DONE;
>   return 0;
>   }
>  
> @@ -1088,9 +1085,12 @@ http_nextstep(struct http_connection *co
>   conn->state = STATE_RESPONSE_DATA;
>   } else {
>   if (conn->status == 304)
> - http_done(conn, HTTP_NOT_MOD);
> + http_done(conn->id, HTTP_NOT_MOD,
> + conn->last_modified);
>   else
> - http_done

Re: rpki-client skip deltas if session_id does not match

2021-04-14 Thread Sebastian Benoit
Claudio Jeker(cje...@diehard.n-r-g.com) on 2021.04.14 20:18:25 +0200:
> There is no need to queue up any deltas if the session-id differs from
> the one on disk. New session-id will always result in a snapshot download.
> This may help in some situations to skip queuing many deltas that are just
> discarded.

ok

> 
> -- 
> :wq Claudio
> 
> Index: rrdp_notification.c
> ===
> RCS file: /cvs/src/usr.sbin/rpki-client/rrdp_notification.c,v
> retrieving revision 1.3
> diff -u -p -r1.3 rrdp_notification.c
> --- rrdp_notification.c   2 Apr 2021 08:07:47 -   1.3
> +++ rrdp_notification.c   14 Apr 2021 18:08:32 -
> @@ -243,7 +243,9 @@ start_delta_elem(struct notification_xml
>  
>   /* optimisation, add only deltas that could be interesting */
>   if (nxml->repository->serial != 0 &&
> - nxml->repository->serial < delta_serial) {
> + nxml->repository->serial < delta_serial &&
> + nxml->repository->session_id != NULL &&
> + strcmp(nxml->session_id, nxml->repository->session_id) == 0) {
>   if (add_delta(nxml, delta_uri, delta_hash, delta_serial) == 0)
>   PARSE_FAIL(p, "parse failed - adding delta failed");
>   }
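Review bot: The added `strcmp(nxml->session_id, nxml->repository->session_id)` guards the repository side against NULL but not `nxml->session_id`, and the notification file is remote input. If the parser guarantees that the notification element, and with it the session id, has been accepted before any delta element is processed, a short comment saying so is enough; that guarantee is not visible in this hunk. Otherwise add `nxml->session_id != NULL &&` to the condition before the `strcmp()`. start_delta_elem starts and ends outside the hunk.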
> 



Re: relayd regress tcp performance

2021-04-15 Thread Sebastian Benoit
Hi,

just a bit of caution: i remember getting args-http-slow-consumer.pl to work
right in the first place was not easy. If i remember correctly i had quite a
lot false positives depending on where i ran it. Alexander made it a bit
better later, but i would not be surprised if it can still fail under funny
situations.

That said, i have no opinion on the ACK issue, there is probably a valid
case to revert the change for the release and figure things out after 6.9.

/Benno

Alexander Bluhm(alexander.bl...@gmx.net) on 2021.04.15 20:43:02 +0200:
> Hi,
> 
> I found another regression with Jan's TCP diff that sends less ACK
> packets.  relayd run-args-http-slow-consumer.pl fails on i386 due
> to his commit.  This test writes a lot of data from the http server,
> but blocks receive for 2 seconds in the client.  Relayd between
> these machines should handle the delay.  The socket buffer size is
> very small to trigger the situation reliably.
> 
> The current TCP stack does not recover after the delay.  Packets
> are sent very slowly and the regress test runs in a timeout.  When
> I backout the change, the test passes quickly.
> 
> Usually the test runs on localhost loopback.  There the problem
> is not triggered.  Only my i386 regress setup uses a remote machine.
> 
> As Jan's change send less ACKs that have to be handled, throughput
> increases when TCP/IP stack is CPU bound.  This can give a 20%
> increase.
> 
> Due to the maxburst limitation, throughput may also drop by 70% on
> a single connection.  I have removed this limitation, so it does
> not happen if the other side is a current OpenBSD.  But TCP connection
> between -current and 6.8 can run into this problem.
> 
> Now I have found another corner case in a regress test where we get
> only 10 TCP packets per second.  But that may be the result of
> unrealistic settings of the socket buffer size.
> 
> Should we back it out for release?  Diff below.
> 
> bluhm
> 
> Index: netinet/tcp_input.c
> ===
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/tcp_input.c,v
> retrieving revision 1.366
> retrieving revision 1.365
> diff -u -p -r1.366 -r1.365
> --- netinet/tcp_input.c   3 Feb 2021 13:40:06 -   1.366
> +++ netinet/tcp_input.c   19 Jun 2020 22:47:22 -  1.365
> @@ -165,8 +165,8 @@ do { \
>  #endif
>  
>  /*
> - * Macro to compute ACK transmission behavior.  Delay the ACK until
> - * a read from the socket buffer or the delayed ACK timer causes one.
> + * Macro to compute ACK transmission behavior.  Delay the ACK unless
> + * we have already delayed an ACK (must send an ACK every two segments).
>   * We also ACK immediately if we received a PUSH and the ACK-on-PUSH
>   * option is enabled or when the packet is coming from a loopback
>   * interface.
> @@ -176,7 +176,8 @@ do { \
>   struct ifnet *ifp = NULL; \
>   if (m && (m->m_flags & M_PKTHDR)) \
>   ifp = if_get(m->m_pkthdr.ph_ifidx); \
> - if ((tcp_ack_on_push && (tiflags) & TH_PUSH) || \
> + if (TCP_TIMER_ISARMED(tp, TCPT_DELACK) || \
> + (tcp_ack_on_push && (tiflags) & TH_PUSH) || \
>   (ifp && (ifp->if_flags & IFF_LOOPBACK))) \
>   tp->t_flags |= TF_ACKNOW; \
>   else \
> 



rpki-client 7.0 released

2021-04-15 Thread Sebastian Benoit
rpki-client 7.0 has just been released and will be available in the
rpki-client directory of any OpenBSD mirror soon.

rpki-client is a FREE, easy-to-use implementation of the Resource
Public Key Infrastructure (RPKI) for Relying Parties (RP) to
facilitate validation of the Route Origin of a BGP announcement. The
program queries the RPKI repository system and outputs Validated ROA
Payloads in the configuration format of OpenBGPD, BIRD, and also as
CSV or JSON objects for consumption by other routing stacks.

See RFC 6811 for a description of how BGP Prefix Origin Validation
secures the Internet's global routing system.

rpki-client was primarily developed by Kristaps Dzonsons, Claudio
Jeker, Job Snijders, and Sebastian Benoit as part of the OpenBSD
Project and gets released as a base component of OpenBSD every six
months, and follows the OpenBSD release numbering scheme.

This release includes the following changes to the previous release:

 * Added RRDP (The RPKI Repository Delta Protocol, RFC 8182) support
   as a 'technology preview'. To use it, the "-r" flag needs to be used.
 * Support the use of more than one URI in the TAL file sorting with a
   preference for https.
 * Validation of ghostbuster records (RFC 6493)
 * Fixed checks of the manifest validity interval.
 * The rsync connection is now killed when the rsync server stalls. 

 * Limited the URL embedded in .cer files to alphanumeric characters
   and punctuation.
 * Added a "-V" option to show version.
 * Included the default cert.pem file path in tls_load_file error
   messages.
 * Use of the ibuf (imsg) API for data exchange between the
   rpki-client processes.

In the portable version,

 * Emit all output formats, no need to choose with options.
 * Changes for using github actions for automatic testing.
 * The RRDP support requires HTTPS connections, necessitating a
   dependency for libtls from LibreSSL.
 * Support for building rpki-client on MacOSX.
 * Added expat as an extra dependency, needed for RRDP support.

Finally, with this release, we will change the way in which we release
rpki-client updates:

Instead of tracking OpenBSD releases every 6 months and providing
patches for bugfixes in the intervening time, we will produce full
releases more often.

We hope that this will give users on other operating systems earlier
access to new features. If security bugs necessitate an update, a full
release will be provided that may also include new features that were
developed up to that point.

rpki-client is known to compile and run on at least the following
operating systems: Alpine 3.12, Debian 9, 10, Fedora 31, 32, 33, macOS
Catalina, RHEL/CentOS 7, 8, Windows Subsystem for Linux 2.

It is our hope that packagers take interest and help adapt
rpki-client-portable to more distributions.

The mirrors where rpki-client can be found are on
https://www.rpki-client.org/portable.html

Reporting Bugs:
===

General bugs may be reported to tech@openbsd.org

Portable bugs may be filed at 
https://github.com/rpki-client/rpki-client-portable

We welcome feedback and improvements from the broader community.
Thanks to all of the contributors who helped make this release
possible.




Re: bgpctl time in sec in JSON output

2021-04-30 Thread Sebastian Benoit
Claudio Jeker(cje...@diehard.n-r-g.com) on 2021.04.28 10:45:20 +0200:
> There are various time fields in the JSON output.
> last_read, last_write, last_updown on sessions, last_update for rib
> entries and last_change for sets. Currently the value is the fmt_timeframe
> string (which looks something like 7w3d12h) and is hard to parse for
> machines. Include an additional _sec value which is the same value in
> seconds.
> 
> OK?

ok benno@


> -- 
> :wq Claudio
> 
> Index: bgpctl.c
> ===
> RCS file: /cvs/src/usr.sbin/bgpctl/bgpctl.c,v
> retrieving revision 1.266
> diff -u -p -r1.266 bgpctl.c
> --- bgpctl.c  15 Apr 2021 14:12:05 -  1.266
> +++ bgpctl.c  28 Apr 2021 08:34:53 -
> @@ -510,6 +510,20 @@ show(struct imsg *imsg, struct parse_res
>   return (0);
>  }
>  
> +time_t
> +get_monotime(time_t t)
> +{
> + struct timespec ts;
> +
> + if (t == 0)
> + return -1;
> + if (clock_gettime(CLOCK_MONOTONIC, &ts) != 0)
> + err(1, "clock_gettime");
> + if (t > ts.tv_sec)  /* time in the future is not possible */
> + t = ts.tv_sec;
> + return (ts.tv_sec - t);
> +}
> +
>  char *
>  fmt_peer(const char *descr, const struct bgpd_addr *remote_addr,
>  int masklen)
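Review bot: get_monotime() returns -1 for a zero timestamp, and the output_json.c hunks pass its result straight to `json_do_int()`, so a timestamp that was never set will be emitted as -1 in the new `_sec` fields next to the "Never" string. That sentinel is not documented anywhere in the diff, and a consumer that treats the field as an age in seconds will misread it. Add a function comment such as `/* Seconds since t on the monotonic clock, or -1 if t is 0 (never). */` and either document the -1 for JSON consumers or leave the `_sec` field out when the value is -1.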
> @@ -596,16 +610,12 @@ fmt_timeframe(time_t t)
>  const char *
>  fmt_monotime(time_t t)
>  {
> - struct timespec ts;
> + t = get_monotime(t);
>  
> - if (t == 0)
> + if (t == -1)
>   return ("Never");
>  
> - if (clock_gettime(CLOCK_MONOTONIC, &ts) != 0)
> - err(1, "clock_gettime");
> - if (t > ts.tv_sec)  /* time in the future is not possible */
> - t = ts.tv_sec;
> - return (fmt_timeframe(ts.tv_sec - t));
> + return (fmt_timeframe(t));
>  }
>  
>  const char *
> Index: bgpctl.h
> ===
> RCS file: /cvs/src/usr.sbin/bgpctl/bgpctl.h,v
> retrieving revision 1.10
> diff -u -p -r1.10 bgpctl.h
> --- bgpctl.h  15 Apr 2021 14:12:05 -  1.10
> +++ bgpctl.h  28 Apr 2021 08:34:33 -
> @@ -41,6 +41,7 @@ extern const size_t pt_sizes[];
>  
>  #define EOL0(flag)   ((flag & F_CTL_SSV) ? ';' : '\n')
>  
> +time_tget_monotime(time_t);
>  char *fmt_peer(const char *, const struct bgpd_addr *, int);
>  const char   *fmt_timeframe(time_t);
>  const char   *fmt_monotime(time_t);
> Index: output_json.c
> ===
> RCS file: /cvs/src/usr.sbin/bgpctl/output_json.c,v
> retrieving revision 1.9
> diff -u -p -r1.9 output_json.c
> --- output_json.c 15 Apr 2021 14:12:05 -  1.9
> +++ output_json.c 28 Apr 2021 08:38:42 -
> @@ -104,7 +104,9 @@ json_neighbor_stats(struct peer *p)
>  {
>   json_do_object("stats");
>   json_do_printf("last_read", "%s", fmt_monotime(p->stats.last_read));
> + json_do_int("last_read_sec", get_monotime(p->stats.last_read));
>   json_do_printf("last_write", "%s", fmt_monotime(p->stats.last_write));
> + json_do_int("last_write_sec", get_monotime(p->stats.last_write));
>  
>   json_do_object("prefixes");
>   json_do_uint("sent", p->stats.prefix_out_cnt);
> @@ -267,6 +269,7 @@ json_neighbor(struct peer *p, struct par
>   }
>   json_do_printf("state", "%s", statenames[p->state]);
>   json_do_printf("last_updown", "%s", fmt_monotime(p->stats.last_updown));
> + json_do_int("last_updown_sec", get_monotime(p->stats.last_updown));
>  
>   switch (res->action) {
>   case SHOW:
> @@ -827,6 +830,7 @@ json_rib(struct ctl_show_rib *r, u_char 
>   json_do_uint("localpref", r->local_pref);
>   json_do_uint("weight", r->weight);
>   json_do_printf("last_update", "%s", fmt_timeframe(r->age));
> + json_do_int("last_update_sec", r->age);
>  
>   /* keep the object open for communities and attribuites */
>  }
> @@ -927,6 +931,7 @@ json_rib_set(struct ctl_show_set *set)
>   json_do_printf("name", "%s", set->name);
>   json_do_printf("type", "%s", fmt_set_type(set));
>   json_do_printf("last_change", "%s", fmt_monotime(set->lastchange));
> + json_do_int("last_change_sec", get_monotime(set->lastchange));
>   if (set->type == ASNUM_SET) {
>   json_do_uint("num_ASnum", set->as_cnt);
>   } else {
> 



Re: bgpd: stricter multiprotocol negotiation

2021-04-30 Thread Sebastian Benoit
Claudio Jeker(cje...@diehard.n-r-g.com) on 2021.04.28 12:40:46 +0200:
> At the moment bgpd will fall back to IPv4 unicast if there was no match in
> the multiprotocol capabilities between local and remote peer.
> This is not correct, if the router expects a certain AFI/SAFI for the
> session then it should not fall back to IPv4 unicast.
> 
> An example is when bgpd uses IPv6 unicast for a session but the remote
> side sends back IPv4 unicast. In that case the session would unexpectedly
> fall back to IPv4 unicast.
> 
> The right behaviour in that case is to establish the connection, but no
> UPDATEs are exchanged since there is no matching AFI/SAFI pair.
> 
> This diff implements this. This is based on the fact that p->capa.ann.mp
> (the capabilities we announced) will have something set if a multiprotocol
> capability was inserted in the OPEN message. If nothing is set in
> p->capa.ann.mp then the OPEN message did not include a multiprotocol
> capability and the system needs to fall back to AF_INET since that is the
> default.
> 
> This should help with systems that have silly defaults and annouce only IPv4
> unicast on IPv6 sessions.

reads ok benno@

> -- 
> :wq Claudio
> 
> Index: session.c
> ===
> RCS file: /cvs/src/usr.sbin/bgpd/session.c,v
> retrieving revision 1.412
> diff -u -p -r1.412 session.c
> --- session.c 27 Apr 2021 09:12:23 -  1.412
> +++ session.c 27 Apr 2021 15:13:19 -
> @@ -2557,11 +2557,12 @@ capa_neg_calc(struct peer *p)
>  
>   /* MP: both side must announce capability */
>   for (i = 0; i < AID_MAX; i++) {
> - if (p->capa.ann.mp[i] && p->capa.peer.mp[i]) {
> + if (p->capa.ann.mp[i] && p->capa.peer.mp[i])
>   p->capa.neg.mp[i] = 1;
> - hasmp = 1;
> - } else
> + else
>   p->capa.neg.mp[i] = 0;
> + if (p->capa.ann.mp[i])
> + hasmp = 1;
>   }
>   /* if no MP capability present default to IPv4 unicast mode */
>   if (!hasmp)
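Review bot: The context comment `/* if no MP capability present default to IPv4 unicast mode */` no longer matches the condition, because `hasmp` is now set from `p->capa.ann.mp[i]` alone; reword it to `/* if we announced no MP capability, default to IPv4 unicast */`. With the new logic, a session whose announced and received AFI/SAFI sets do not overlap ends up with every `p->capa.neg.mp[i]` at 0, and nothing in this hunk tells the operator. A log line for that case, after the loop when `hasmp` is set but no `neg.mp` entry is, would make an established session that carries no routes easier to diagnose. capa_neg_calc's body continues outside the hunk.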
> 



Re: rpki-client delay deletes also for RRDP repos

2021-04-30 Thread Sebastian Benoit
Claudio Jeker(cje...@diehard.n-r-g.com) on 2021.04.29 15:34:15 +0200:
> Like for rsync repos files in the RRDP repos should be delayed until after
> the validation finished. As with anything RPKI related there is little
> trust in the repositories and their abilities to not botch an update.
> 
> One thing I'm not sure about is what should happen if a file is supposed to be
> removed but is still referenced by some other file. For now this fact is
> logged and the file is kept in the repo. I'm unsure about keeping the

fine with me, ok benno@

> file, it feels like the right move but may result in unreferenced files
> piling  up in the rrdp repo dirs.
> 
> There is no way to detect stale files in RRDP repos (apart from removing
> all files and fetching a snapshot). So until RRDP grows up to a real sync
> protocol the only thing one can do is to provide a large enough partition
> and to remove the cache from time to time.

You could get a file listing at the start and then remove files from the
list that are referenced, at the end you delete the ones left.

> -- 
> :wq Claudio
> 
> 
> Index: repo.c
> ===
> RCS file: /cvs/src/usr.sbin/rpki-client/repo.c,v
> retrieving revision 1.6
> diff -u -p -r1.6 repo.c
> --- repo.c19 Apr 2021 17:04:35 -  1.6
> +++ repo.c29 Apr 2021 13:12:34 -
> @@ -553,16 +553,19 @@ rrdp_free(void)
>   }
>  }
>  
> -static int
> +static struct rrdprepo *
>  rrdp_basedir(const char *dir)
>  {
>   struct rrdprepo *rr;
>  
>   SLIST_FOREACH(rr, &rrdprepos, entry)
> - if (strcmp(dir, rr->basedir) == 0)
> - return 1;
> + if (strcmp(dir, rr->basedir) == 0) {
> + if (rr->state == REPO_FAILED)
> + return NULL;
> + return rr;
> + }
>  
> - return 0;
> + return NULL;
>  }
>  
>  /*
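Review bot: rrdp_basedir() now returns NULL both when `dir` is not an RRDP base directory and when it is one whose repository is in `REPO_FAILED`, and nothing at the definition says so. As far as the visible `FTS_D` case in repo_cleanup() shows, NULL means the directory is not skipped, so a failed repository's tree is presumably handled by the generic cleanup instead; since repository content is untrusted, that consequence is worth stating where the decision is made. I would add a header comment such as `/* Return the rrdprepo for dir, or NULL if dir is not an RRDP basedir or its repo failed; the caller then treats dir as an ordinary directory. */`.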
> @@ -840,27 +843,6 @@ rrdp_merge_repo(struct rrdprepo *rr)
>   struct filepath *fp, *nfp;
>   char *fn, *rfn;
>  
> - /* XXX should delay deletes */
> - RB_FOREACH_SAFE(fp, filepath_tree, &rr->deleted, nfp) {
> - fn = rrdp_filename(rr, fp->file, 1);
> - rfn = rrdp_filename(rr, fp->file, 0);
> -
> - if (fn == NULL || rfn == NULL)
> - errx(1, "bad filepath");/* should not happen */
> -
> - if (unlink(rfn) == -1) {
> - if (errno == ENOENT) {
> - if (unlink(fn) == -1)
> - warn("%s: unlink", fn);
> - } else
> - warn("%s: unlink", rfn);
> - }
> -
> - free(rfn);
> - free(fn);
> - filepath_put(&rr->deleted, fp);
> - }
> -
>   RB_FOREACH_SAFE(fp, filepath_tree, &rr->added, nfp) {
>   fn = rrdp_filename(rr, fp->file, 1);
>   rfn = rrdp_filename(rr, fp->file, 0);
> @@ -1146,12 +1128,40 @@ add_to_del(char **del, size_t *dsz, char
>   *dsz = i + 1;
>   return del;
>  }
> +
> +static char **
> +repo_rrdp_cleanup(struct filepath_tree *tree, struct rrdprepo *rr,
> +char **del, size_t *delsz)
> +{
> + struct filepath *fp, *nfp;
> + char *fn;
> +
> + RB_FOREACH_SAFE(fp, filepath_tree, &rr->deleted, nfp) {
> + fn = rrdp_filename(rr, fp->file, 0);
> + /* temp dir will be cleaned up by repo_cleanup() */
> +
> + if (fn == NULL)
> + errx(1, "bad filepath");/* should not happen */
> +
> + if (!filepath_exists(tree, fn))
> + del = add_to_del(del, delsz, fn);
> + else
> + warnx("%s: referenced file supposed to be deleted", fn);
> +
> + free(fn);
> + filepath_put(&rr->deleted, fp);
> + }
> +
> + return del;
> +}
> +
>  void
>  repo_cleanup(struct filepath_tree *tree)
>  {
> - size_t i, delsz = 0, dirsz = 0;
> + size_t i, cnt, delsz = 0, dirsz = 0;
>   char **del = NULL, **dir = NULL;
>   char *argv[4] = { "ta", "rsync", "rrdp", NULL };
> + struct rrdprepo *rr;
>   FTS *fts;
>   FTSENT *e;
>  
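Review bot: In repo_rrdp_cleanup() `fn` is handed to add_to_del() and freed a few lines later, which is only safe if add_to_del() stores its own copy; its body starts outside the hunk, so that cannot be confirmed here. A short comment at the call, `/* add_to_del() keeps its own copy of fn */`, would record the dependency. The function also has no header comment; one sentence saying that it queues the repo's withdrawn files for deletion unless the validated tree still references them, and that filepath_put() is called on the entry either way, would help the next reader.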
> @@ -1166,10 +1176,12 @@ repo_cleanup(struct filepath_tree *tree)
>   e->fts_path);
>   break;
>   case FTS_D:
> - /* skip rrdp base directories during cleanup */
> - if (rrdp_basedir(e->fts_path))
> + /* special cleanup for rrdp directories */
> + if ((rr = rrdp_basedir(e->fts_path)) != NULL) {
> + del = repo_rrdp_cleanup(tree, rr, del, &delsz);
>   if (fts_set(fts, e, FTS_SKIP) == -1)
>   err(1, "fts_set");
> + }
>   break;
>   case FTS_DP:
>   

Re: bgpd better reload behaviour

2021-05-05 Thread Sebastian Benoit
Claudio Jeker(cje...@diehard.n-r-g.com) on 2021.05.05 14:20:58 +0200:
> The peer flags (mainly rde evaluate all but also transparent-as) and the
> export options (none, default) are not properly handled on a config
> reload. In both cases a full session restart is needed after the config
> reload (with a bit of extra wait time to ensure that the peer config is
> actually up to date).
> 
> The following diff should fix this.
> 
> Add an extra reload barrier (IMSG_RECONF_DRAIN) to the sync of the peer
> config from the session engine to the rde. This way it can be ensured that
> the peer config is up to date in the RDE before hitting the reconfiguration
> function.
> 
> Store the export_type and the peer flags outside of peer->conf. Adjust all
> users of these two fields so they only look at the copies in peer.
> This way the RDE is able to notice that a value has changed during reload.
> Flush the Adj-RIB-Out for a peer where either the export_type changed or
> where rde evaluate or transparent-as is changed. After the flush the RIB
> is rebuilt in a 2nd step.
> 
> Fix multiple issues in the rde_softreconfig_in_done handler that resulted
> in multiple runs of the out stage of the softreconfig pipeline. 
> 
> OK?

yes, ok.

> -- 
> :wq Claudio
> 
> Index: rde.c
> ===
> RCS file: /cvs/src/usr.sbin/bgpd/rde.c,v
> retrieving revision 1.519
> diff -u -p -r1.519 rde.c
> --- rde.c 27 Apr 2021 09:07:10 -  1.519
> +++ rde.c 5 May 2021 12:04:55 -
> @@ -666,6 +666,10 @@ badnetdel:
>   rde_dump_ctx_throttle(imsg.hdr.pid, 1);
>   }
>   break;
> + case IMSG_RECONF_DRAIN:
> + imsg_compose(ibuf_se, IMSG_RECONF_DRAIN, 0, 0,
> + -1, NULL, 0);
> + break;
>   default:
>   break;
>   }
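Review bot: The return value of `imsg_compose()` in the new `IMSG_RECONF_DRAIN` case is dropped, so a failed enqueue would silently lose the barrier echo. If the session engine waits for that echo before continuing the reload (the description suggests so, but that code is not on this page), the reload would stall with no log entry. Checking the call, e.g. `if (imsg_compose(ibuf_se, IMSG_RECONF_DRAIN, 0, 0, -1, NULL, 0) == -1) fatal("%s: imsg_compose", __func__);`, or at least logging the failure, would make that visible. The enclosing switch starts outside the hunk.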
> @@ -2136,7 +2140,7 @@ rde_update_log(const char *message, u_in
>   char*p = NULL;
>  
>   if (!((conf->log & BGPD_LOG_UPDATES) ||
> - (peer->conf.flags & PEERFLAG_LOG_UPDATES)))
> + (peer->flags & PEERFLAG_LOG_UPDATES)))
>   return;
>  
>   if (next != NULL)
> @@ -2919,7 +2923,7 @@ rde_generate_updates(struct rib *rib, st
>   if (peer->state != PEER_UP)
>   continue;
>   /* handle evaluate all, keep track if it is needed */
> - if (peer->conf.flags & PEERFLAG_EVALUATE_ALL)
> + if (peer->flags & PEERFLAG_EVALUATE_ALL)
>   rde_eval_all = 1;
>   else if (eval_all)
>   /* skip default peers if the best path didn't change */
> @@ -2931,8 +2935,8 @@ rde_generate_updates(struct rib *rib, st
>   if (peer->capa.mp[aid] == 0)
>   continue;
>   /* skip peers with special export types */
> - if (peer->conf.export_type == EXPORT_NONE ||
> - peer->conf.export_type == EXPORT_DEFAULT_ROUTE)
> + if (peer->export_type == EXPORT_NONE ||
> + peer->export_type == EXPORT_DEFAULT_ROUTE)
>   continue;
>  
>   up_generate_updates(out_rules, peer, new, old);
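Review bot: `peer->export_type` and `peer->flags` are read here (and in the rde_update_log and evaluate-all hunks above), but the only assignments visible on this page are the ones in rde_reload_done(). Please confirm they are also copied from `peer->conf` when a peer is first added; until then these checks would see whatever the fields were initialised to, and depending on the enum's zero value a peer configured with `EXPORT_NONE` might not be skipped. A comment on the two struct members, for instance `/* applied copies of conf.flags / conf.export_type; refreshed on reload */`, would document why they exist beside `peer->conf`. The function body continues outside the hunk and the diff is cut off before its end.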
> @@ -3289,13 +3293,34 @@ rde_reload_done(void)
>   continue;
>   peer->reconf_out = 0;
>   peer->reconf_rib = 0;
> + if (peer->export_type != peer->conf.export_type) {
> + log_peer_info(&peer->conf, "export type change, "
> + "reloading");
> + peer->reconf_rib = 1;
> + }
> + if ((peer->flags & PEERFLAG_EVALUATE_ALL) !=
> + (peer->conf.flags & PEERFLAG_EVALUATE_ALL)) {
> + log_peer_info(&peer->conf, "rde evaluate change, "
> + "reloading");
> + peer->reconf_rib = 1;
> + }
> + if ((peer->flags & PEERFLAG_TRANS_AS) !=
> + (peer->conf.flags & PEERFLAG_TRANS_AS)) {
> + log_peer_info(&peer->conf, "transparent-as change, "
> + "reloading");
> + peer->reconf_rib = 1;
> + }
>   if (peer->loc_rib_id != rib_find(peer->conf.rib)) {
>   log_peer_info(&peer->conf, "rib change, reloading");
>   peer->loc_rib_id = rib_find(peer->conf.rib);
>   if (peer->loc_rib_id == RIB_NOTFOUND)
>   fatalx("King Bula's peer met an unknown RIB");
>   peer->reconf_rib = 1;
> - softreconfig++;
> + }
> + peer->export_type = peer->conf.export_type;
> + peer->flags = peer->conf.flags;
> +
> + if (peer->reconf_rib) {
>   if (prefix_dump_new(peer, AID_UNS

Re: openrsync mini cleanup

2021-05-05 Thread Sebastian Benoit
Claudio Jeker(cje...@diehard.n-r-g.com) on 2021.05.05 17:13:03 +0200:
> Normalize some code.

ok

> 
> -- 
> :wq Claudio
> 
> Index: receiver.c
> ===
> RCS file: /cvs/src/usr.bin/rsync/receiver.c,v
> retrieving revision 1.25
> diff -u -p -r1.25 receiver.c
> --- receiver.c24 Nov 2020 16:54:44 -  1.25
> +++ receiver.c5 May 2021 15:11:38 -
> @@ -356,7 +356,7 @@ rsync_receiver(struct sess *sess, int fd
>*/
>  
>   if (sess->mplex_reads &&
> - (POLLIN & pfd[PFD_SENDER_IN].revents)) {
> + (pfd[PFD_SENDER_IN].revents & POLLIN)) {
>   if (!io_read_flush(sess, fdin)) {
>   ERRX1("io_read_flush");
>   goto out;
> @@ -371,8 +371,8 @@ rsync_receiver(struct sess *sess, int fd
>* is read to mmap.
>*/
>  
> - if ((POLLIN & pfd[PFD_UPLOADER_IN].revents) ||
> - (POLLOUT & pfd[PFD_SENDER_OUT].revents)) {
> + if ((pfd[PFD_UPLOADER_IN].revents & POLLIN) ||
> + (pfd[PFD_SENDER_OUT].revents & POLLOUT)) {
>   c = rsync_uploader(ul,
>   &pfd[PFD_UPLOADER_IN].fd,
>   sess, &pfd[PFD_SENDER_OUT].fd);
> @@ -391,8 +391,8 @@ rsync_receiver(struct sess *sess, int fd
>* messages, which will otherwise clog up the pipes.
>*/
>  
> - if ((POLLIN & pfd[PFD_SENDER_IN].revents) ||
> - (POLLIN & pfd[PFD_DOWNLOADER_IN].revents)) {
> + if ((pfd[PFD_SENDER_IN].revents & POLLIN) ||
> + (pfd[PFD_DOWNLOADER_IN].revents & POLLIN)) {
>   c = rsync_downloader(dl, sess,
>   &pfd[PFD_DOWNLOADER_IN].fd);
>   if (c < 0) {
> @@ -421,10 +421,12 @@ rsync_receiver(struct sess *sess, int fd
>   if (!io_write_int(sess, fdout, -1)) {
>   ERRX1("io_write_int");
>   goto out;
> - } else if (!io_read_int(sess, fdin, &ioerror)) {
> + }
> + if (!io_read_int(sess, fdin, &ioerror)) {
>   ERRX1("io_read_int");
>   goto out;
> - } else if (ioerror != -1) {
> + }
> + if (ioerror != -1) {
>   ERRX("expected phase ack");
>   goto out;
>   }
> @@ -445,7 +447,8 @@ rsync_receiver(struct sess *sess, int fd
>   if (!sess_stats_recv(sess, fdin)) {
>   ERRX1("sess_stats_recv");
>   goto out;
> - } else if (!io_write_int(sess, fdout, -1)) {
> + }
> + if (!io_write_int(sess, fdout, -1)) {
>   ERRX1("io_write_int");
>   goto out;
>   }
> 



Re: simplify the openrsync uploader

2021-05-05 Thread Sebastian Benoit
Claudio Jeker(cje...@diehard.n-r-g.com) on 2021.05.05 17:53:20 +0200:
> The rsync uploader (what is the generator in rsync) can be simplified and
> cleaned up a fair bit.
> 
> There is some confusion of non-blocking IO on regular files and the idea
> to poll() between openat() and fstat(). This is all not needed and
> therefore a lot of the code handling files can be moved into pre_file.
> This also removes the UPLOAD_READ_LOCAL state since it is no longer
> needed.
> 
> As a little extra gift this diff also plugs a mem leak in rsync_uploader.
> The mbuf buffer was not freed and so for every file being checksummed it
> would leak one of those.

see below about that.

Other than that it's ok.

> 
> -- 
> :wq Claudio
> 
> Index: uploader.c
> ===
> RCS file: /cvs/src/usr.bin/rsync/uploader.c,v
> retrieving revision 1.24
> diff -u -p -r1.24 uploader.c
> --- uploader.c22 Mar 2021 11:20:04 -  1.24
> +++ uploader.c5 May 2021 15:39:10 -
> @@ -33,8 +33,7 @@
>  
>  enum uploadst {
>   UPLOAD_FIND_NEXT = 0, /* find next to upload to sender */
> - UPLOAD_WRITE_LOCAL, /* wait to write to sender */
> - UPLOAD_READ_LOCAL, /* wait to read from local file */
> + UPLOAD_WRITE, /* wait to write to sender */
>   UPLOAD_FINISHED /* nothing more to do in phase */
>  };
>  
> @@ -180,7 +179,8 @@ pre_link(struct upload *p, struct sess *
>   if (!sess->opts->preserve_links) {
>   WARNX("%s: ignoring symlink", f->path);
>   return 0;
> - } else if (sess->opts->dry_run) {
> + }
> + if (sess->opts->dry_run) {
>   log_link(sess, f);
>   return 0;
>   }
> @@ -282,7 +282,8 @@ pre_dev(struct upload *p, struct sess *s
>   if (!sess->opts->devices || getuid() != 0) {
>   WARNX("skipping non-regular file %s", f->path);
>   return 0;
> - } else if (sess->opts->dry_run) {
> + }
> + if (sess->opts->dry_run) {
>   log_file(sess, f);
>   return 0;
>   }
> @@ -369,7 +370,8 @@ pre_fifo(struct upload *p, struct sess *
>   if (!sess->opts->specials) {
>   WARNX("skipping non-regular file %s", f->path);
>   return 0;
> - } else if (sess->opts->dry_run) {
> + }
> + if (sess->opts->dry_run) {
>   log_file(sess, f);
>   return 0;
>   }
> @@ -444,7 +446,8 @@ pre_sock(struct upload *p, struct sess *
>   if (!sess->opts->specials) {
>   WARNX("skipping non-regular file %s", f->path);
>   return 0;
> - } else if (sess->opts->dry_run) {
> + }
> + if (sess->opts->dry_run) {
>   log_file(sess, f);
>   return 0;
>   }
> @@ -518,7 +521,8 @@ pre_dir(const struct upload *p, struct s
>   if (!sess->opts->recursive) {
>   WARNX("%s: ignoring directory", f->path);
>   return 0;
> - } else if (sess->opts->dry_run) {
> + }
> + if (sess->opts->dry_run) {
>   log_dir(sess, f);
>   return 0;
>   }
> @@ -579,13 +583,14 @@ post_dir(struct sess *sess, const struct
>  
>   if (!sess->opts->recursive)
>   return 1;
> - else if (sess->opts->dry_run)
> + if (sess->opts->dry_run)
>   return 1;
>  
>   if (fstatat(u->rootfd, f->path, &st, AT_SYMLINK_NOFOLLOW) == -1) {
>   ERR("%s: fstatat", f->path);
>   return 0;
> - } else if (!S_ISDIR(st.st_mode)) {
> + }
> + if (!S_ISDIR(st.st_mode)) {
>   WARNX("%s: not a directory", f->path);
>   return 0;
>   }
> @@ -631,12 +636,13 @@ post_dir(struct sess *sess, const struct
>  
>  /*
>   * Try to open the file at the current index.
> - * If the file does not exist, returns with success.
> + * If the file does not exist, returns with >0.
>   * Return <0 on failure, 0 on success w/nothing to be done, >0 on
>   * success and the file needs attention.
>   */
>  static int
> -pre_file(const struct upload *p, int *filefd, struct sess *sess)
> +pre_file(const struct upload *p, int *filefd, struct stat *st,
> +struct sess *sess)
>  {
>   const struct flist *f;
>  
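Review bot: The updated header comment of pre_file() does not mention the new `st` out-parameter or what `*filefd` holds on each return path. Since the comment now says a missing file also returns >0, a caller cannot tell from the contract alone whether `*st` is valid. I would add a line such as `* On >0, *filefd is -1 if the file does not exist; *st is only valid when *filefd != -1.` once that is confirmed against the body, which continues outside the hunk.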
> @@ -654,19 +660,54 @@ pre_file(const struct upload *p, int *fi
>  
>   /*
>* For non dry-run cases, we'll write the acknowledgement later
> -  * in the rsync_uploader() function because we need to wait for
> -  * the open() call to complete.
> +  * in the rsync_uploader() function.
>* If the call to openat() fails with ENOENT, there's a
> -  * fast-path between here and the write function, so we won't do
> -  * any blocking between now and then.
> +  * fast-path between here and the write function.
>*/
>  
>   *filefd = openat(p->rootfd, f->path,
> - O_RDONLY | O_NOFOLLOW | O_NONBLOCK, 0);
> - if (*filefd != -1 || errno == ENOENT)
> + O_RDONLY | O_NOFO

Re: rpki-client: change "asn" from string to integer in JSON output

2021-05-05 Thread Sebastian Benoit
Job Snijders(j...@openbsd.org) on 2021.05.05 16:35:46 +:
> I'd like to modify our JSON format, many people in the community have
> voiced complaints that transforming the string to an integer is
> annoying.
> 
> This won't break existing deployments coupled with GoRTR.
> 
> OK?

ok benno@

> 
> Index: output-json.c
> ===
> RCS file: /cvs/src/usr.sbin/rpki-client/output-json.c,v
> retrieving revision 1.15
> diff -u -p -r1.15 output-json.c
> --- output-json.c 8 Apr 2021 19:49:27 -   1.15
> +++ output-json.c 5 May 2021 15:29:15 -
> @@ -100,7 +100,7 @@ output_json(FILE *out, struct vrp_tree *
>  
>   ip_addr_print(&v->addr, v->afi, buf, sizeof(buf));
>  
> - if (fprintf(out, "\t\t{ \"asn\": \"AS%u\", \"prefix\": \"%s\", "
> + if (fprintf(out, "\t\t{ \"asn\": %u, \"prefix\": \"%s\", "
>   "\"maxLength\": %u, \"ta\": \"%s\" }",
>   v->asid, buf, v->maxlength, v->tal) < 0)
>   return -1;
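Review bot: `buf` and `v->tal` are written into JSON string values with a bare `%s`, so the output is only valid JSON as long as neither can contain a double quote, a backslash or a control character. For `buf` that presumably follows from ip_addr_print(); for `v->tal` it depends on where the name comes from, which is not visible here. Now that consumers are expected to parse `asn` as a number, it would be worth stating that assumption in a comment, e.g. `/* tal is a local TAL name and is assumed to need no JSON escaping */`, or escaping the string if that cannot be guaranteed. output_json() continues outside the hunk.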
> 



Re: make rsync -v less verbose

2021-05-05 Thread Sebastian Benoit
Claudio Jeker(cje...@diehard.n-r-g.com) on 2021.05.05 20:03:19 +0200:
> I like rsync -v but hell it is noisy with openrsync.
> Just shut up about all the files that have not changed unless you go -vv.

Before we do this, are there reasons to keep this like it is in the original?

I think i actually made it do this.

If you really think it helps, ok benno@

> 
> -- 
> :wq Claudio
> 
> Index: downloader.c
> ===
> RCS file: /cvs/src/usr.bin/rsync/downloader.c,v
> retrieving revision 1.21
> diff -u -p -r1.21 downloader.c
> --- downloader.c  8 May 2019 21:30:11 -   1.21
> +++ downloader.c  5 May 2021 17:56:20 -
> @@ -85,7 +85,7 @@ log_file(struct sess *sess,
>   if (sess->opts->server)
>   return;
>  
> - frac = (dl->total == 0) ? 100.0 :
> + frac = (dl->total == 0) ? 0.0 :
>   100.0 * dl->downloaded / dl->total;
>  
>   if (dl->total > 1024 * 1024 * 1024) {
> @@ -102,8 +102,12 @@ log_file(struct sess *sess,
>   unit = "KB";
>   }
>  
> - LOG1("%s (%.*f %s, %.1f%% downloaded)",
> - f->path, prec, tot, unit, frac);
> + if (dl->downloaded > 0)
> + LOG1("%s (%.*f %s, %.1f%% downloaded)",
> + f->path, prec, tot, unit, frac);
> + else
> + LOG2("%s (%.*f %s, %.1f%% downloaded)",
> + f->path, prec, tot, unit, frac);
>  }
>  
>  /*
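Review bot: The `dl->downloaded > 0` test in the second hunk also demotes a zero-length file that was actually created or replaced to `LOG2`, because nothing is downloaded for it, and with the first hunk it is reported as 0.0% rather than 100.0%. If log_file() is reached for such files (its callers are outside the hunk), `-v` would no longer list them even though the destination changed. A comment at the branch, `/* nothing downloaded: treated as unchanged, shown only with -vv */`, would at least make that choice explicit. The format string is also duplicated across the two branches, so the two messages can drift apart.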
> 



Re: more rsync cleanup

2021-05-07 Thread Sebastian Benoit
Claudio Jeker(cje...@diehard.n-r-g.com) on 2021.05.06 17:59:32 +0200:
> As noticed by benno@ the blk.blks buffer is leaked in some cases.
> Fix those and clean up the pre_* functions a bit more.
> I increased the diff context a bit to make the diff easier to read.

reads ok

> 
> -- 
> :wq Claudio
> 
> Index: uploader.c
> ===
> RCS file: /cvs/src/usr.bin/rsync/uploader.c,v
> retrieving revision 1.25
> diff -u -p -U6 -r1.25 uploader.c
> --- uploader.c6 May 2021 07:35:22 -   1.25
> +++ uploader.c6 May 2021 15:34:36 -
> @@ -191,22 +191,24 @@ pre_link(struct upload *p, struct sess *
>* to overwriting with a symbolic link.
>* If it's a non-directory, we just overwrite it.
>*/
>  
>   assert(p->rootfd != -1);
>   rc = fstatat(p->rootfd, f->path, &st, AT_SYMLINK_NOFOLLOW);
> +
> + if (rc == -1 && errno != ENOENT) {
> + ERR("%s: fstatat", f->path);
> + return -1;
> + }
>   if (rc != -1 && !S_ISLNK(st.st_mode)) {
>   if (S_ISDIR(st.st_mode) &&
>   unlinkat(p->rootfd, f->path, AT_REMOVEDIR) == -1) {
>   ERR("%s: unlinkat", f->path);
>   return -1;
>   }
>   rc = -1;
> - } else if (rc == -1 && errno != ENOENT) {
> - ERR("%s: fstatat", f->path);
> - return -1;
>   }
>  
>   /*
>* If the symbolic link already exists, then make sure that it
>* points to the correct place.
>*/
> @@ -294,22 +296,23 @@ pre_dev(struct upload *p, struct sess *s
>* If it replaces a directory, remove the directory first.
>*/
>  
>   assert(p->rootfd != -1);
>   rc = fstatat(p->rootfd, f->path, &st, AT_SYMLINK_NOFOLLOW);
>  
> + if (rc == -1 && errno != ENOENT) {
> + ERR("%s: fstatat", f->path);
> + return -1;
> + }
>   if (rc != -1 && !(S_ISBLK(st.st_mode) || S_ISCHR(st.st_mode))) {
>   if (S_ISDIR(st.st_mode) &&
>   unlinkat(p->rootfd, f->path, AT_REMOVEDIR) == -1) {
>   ERR("%s: unlinkat", f->path);
>   return -1;
>   }
>   rc = -1;
> - } else if (rc == -1 && errno != ENOENT) {
> - ERR("%s: fstatat", f->path);
> - return -1;
>   }
>  
>   /* Make sure existing device is of the correct type. */
>  
>   if (rc != -1) {
>   if ((f->st.mode & (S_IFCHR|S_IFBLK)) !=
> @@ -382,22 +385,23 @@ pre_fifo(struct upload *p, struct sess *
>* mark it from replacement.
>*/
>  
>   assert(p->rootfd != -1);
>   rc = fstatat(p->rootfd, f->path, &st, AT_SYMLINK_NOFOLLOW);
>  
> + if (rc == -1 && errno != ENOENT) {
> + ERR("%s: fstatat", f->path);
> + return -1;
> + }
>   if (rc != -1 && !S_ISFIFO(st.st_mode)) {
>   if (S_ISDIR(st.st_mode) &&
>   unlinkat(p->rootfd, f->path, AT_REMOVEDIR) == -1) {
>   ERR("%s: unlinkat", f->path);
>   return -1;
>   }
>   rc = -1;
> - } else if (rc == -1 && errno != ENOENT) {
> - ERR("%s: fstatat", f->path);
> - return -1;
>   }
>  
>   if (rc == -1) {
>   newfifo = 1;
>   if (mktemplate(&temp, f->path, sess->opts->recursive) == -1) {
>   ERRX1("mktemplate");
> @@ -458,22 +462,23 @@ pre_sock(struct upload *p, struct sess *
>* mark it from replacement.
>*/
>  
>   assert(p->rootfd != -1);
>   rc = fstatat(p->rootfd, f->path, &st, AT_SYMLINK_NOFOLLOW);
>  
> + if (rc == -1 && errno != ENOENT) {
> + ERR("%s: fstatat", f->path);
> + return -1;
> + }
>   if (rc != -1 && !S_ISSOCK(st.st_mode)) {
>   if (S_ISDIR(st.st_mode) &&
>   unlinkat(p->rootfd, f->path, AT_REMOVEDIR) == -1) {
>   ERR("%s: unlinkat", f->path);
>   return -1;
>   }
>   rc = -1;
> - } else if (rc == -1 && errno != ENOENT) {
> - ERR("%s: fstatat", f->path);
> - return -1;
>   }
>  
>   if (rc == -1) {
>   newsock = 1;
>   if (mktemplate(&temp, f->path, sess->opts->recursive) == -1) {
>   ERRX1("mktemplate");
> @@ -530,13 +535,14 @@ pre_dir(const struct upload *p, struct s
>   assert(p->rootfd != -1);
>   rc = fstatat(p->rootfd, f->path, &st, AT_SYMLINK_NOFOLLOW);
>  
>   if (rc == -1 && errno != ENOENT) {
>   ERR("%s: fstatat", f->path);
>   return -1;
> - } else if (rc != -1 && !S_ISDIR(st.st_mode)) {
> + }
> + if (rc != -1 && !S_ISDIR(st.st_mode)) {
>   ERRX("%s: not a directory", f->path);
>   return -1;
>   } else if (rc != -1

Re: bgpd, non-blocking rtr connect

2021-05-10 Thread Sebastian Benoit
ok benno@

Claudio Jeker(cje...@diehard.n-r-g.com) on 2021.05.03 17:37:36 +0200:
> The RTR session was opened with a blocking connect() call. This is rather
> bad if the RTR peer does not exist since then bgpd will block until the
> connect timed out. This diff makes the connect() call non-blocking.
> With this connecting to non-existing RTR servers no longer blocks the main
> process.
> 
> -- 
> :wq Claudio
> 
> Index: bgpd.c
> ===
> RCS file: /cvs/src/usr.sbin/bgpd/bgpd.c,v
> retrieving revision 1.235
> diff -u -p -r1.235 bgpd.c
> --- bgpd.c3 May 2021 13:18:06 -   1.235
> +++ bgpd.c3 May 2021 15:33:20 -
> @@ -50,6 +50,7 @@ static void getsockpair(int [2]);
>  int  imsg_send_sockets(struct imsgbuf *, struct imsgbuf *,
>   struct imsgbuf *);
>  void bgpd_rtr_connect(struct rtr_config *);
> +void bgpd_rtr_connect_done(int, struct bgpd_config *);
>  
>  int   cflags;
>  volatile sig_atomic_t mrtdump;
> @@ -64,6 +65,16 @@ struct rib_namesribnames = SIMPLEQ_HEA
>  char *cname;
>  char *rcname;
>  
> +struct connect_elm {
> + TAILQ_ENTRY(connect_elm)entry;
> + u_int32_t   id;
> + int fd;
> +};
> +
> +TAILQ_HEAD( ,connect_elm)connect_queue = \
> + TAILQ_HEAD_INITIALIZER(connect_queue);
> +u_intconnect_cnt;
> +
>  void
>  sighdlr(int sig)
>  {
> @@ -97,7 +108,7 @@ usage(void)
>  #define PFD_PIPE_RTR 2
>  #define PFD_SOCK_ROUTE   3
>  #define PFD_SOCK_PFKEY   4
> -#define POLL_MAX 5
> +#define PFD_CONNECT_START5
>  #define MAX_TIMEOUT  3600
>  
>  int   cmd_opts;
> @@ -109,11 +120,13 @@ main(int argc, char *argv[])
>   enum bgpd_processproc = PROC_MAIN;
>   struct rde_rib  *rr;
>   struct peer *p;
> - struct pollfdpfd[POLL_MAX];
> + struct pollfd   *pfd = NULL;
> + struct connect_elm  *ce;
>   time_t   timeout;
>   pid_tse_pid = 0, rde_pid = 0, rtr_pid = 0, pid;
>   char*conffile;
>   char*saved_argv0;
> + u_intpfd_elms = 0, npfd, i;
>   int  debug = 0;
>   int  rfd, keyfd;
>   int  ch, status;
> @@ -289,7 +302,21 @@ BROKEN   if (pledge("stdio rpath wpath cpa
>   quit = 1;
>  
>   while (quit == 0) {
> - bzero(pfd, sizeof(pfd));
> + if (pfd_elms < PFD_CONNECT_START + connect_cnt) {
> + struct pollfd *newp;
> +
> + if ((newp = reallocarray(pfd,
> + PFD_CONNECT_START + connect_cnt,
> + sizeof(struct pollfd))) == NULL) {
> + log_warn("could not resize pfd from %u -> %u"
> + " entries", pfd_elms, PFD_CONNECT_START +
> + connect_cnt);
> + fatalx("exiting");
> + }
> + pfd = newp;
> + pfd_elms = PFD_CONNECT_START + connect_cnt;
> + }
> + bzero(pfd, sizeof(struct pollfd) * pfd_elms);
>  
>   timeout = mrt_timeout(conf->mrt);
>  
> @@ -303,9 +330,17 @@ BROKEN   if (pledge("stdio rpath wpath cpa
>   set_pollfd(&pfd[PFD_PIPE_RDE], ibuf_rde);
>   set_pollfd(&pfd[PFD_PIPE_RTR], ibuf_rtr);
>  
> + npfd = PFD_CONNECT_START;
> + TAILQ_FOREACH(ce, &connect_queue, entry) {
> + pfd[npfd].fd = ce->fd;
> + pfd[npfd++].events = POLLOUT;
> + if (npfd > pfd_elms)
> + fatalx("polli pfd overflow");
> + }
> +
>   if (timeout < 0 || timeout > MAX_TIMEOUT)
>   timeout = MAX_TIMEOUT;
> - if (poll(pfd, POLL_MAX, timeout * 1000) == -1)
> + if (poll(pfd, npfd, timeout * 1000) == -1)
>   if (errno != EINTR) {
>   log_warn("poll error");
>   quit = 1;
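Review bot: In the `TAILQ_FOREACH` loop the bounds check runs after `pfd[npfd]` has been written and `npfd` incremented, so if the queue ever held more entries than `connect_cnt` accounts for, the first out-of-range slot would be written before `fatalx()` fires. Moving the test ahead of the store, `if (npfd >= pfd_elms) fatalx("poll pfd overflow");`, makes the guard effective and also fixes the `polli` typo in the message. main() starts and ends outside the hunk.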
> @@ -357,6 +392,10 @@ BROKEN   if (pledge("stdio rpath wpath cpa
>   }
>   }
>  
> + for (i = PFD_CONNECT_START; i < npfd; i++)
> + if (pfd[i].revents != 0)
> + bgpd_rtr_connect_done(pfd[i].fd, conf);
> +
>   if (reconfig) {
>   u_int   error;
>  
> @@ -1261,32 +1300,97 @@ imsg_send_sockets(struct imsgbuf *se, st
>  void
>  bgpd_rtr_connect(struct rtr_config *r)
>  {
> + struct connect_elm *ce;
>   struct sockaddr *sa;
>   sock

Re: httpd(8): don't try to chunk-encode an empty body

2021-05-14 Thread Sebastian Benoit
Florian Obser(flor...@openbsd.org) on 2021.05.14 19:13:49 +0200:
> As found out by Chris Narkiewicz the hard way, trying to chunk encode an
> empty body makes the nextclown app stop working. (see "Nextcloud stopped
> working after upgrade to 6.9" on ports@).
> 
> I don't think there is a valid way to do this, so don't try to.
> 
> This is kinda maybe a hack since there might be other stuff that isn't
> sending a body. So if anyone has a long list of status codes that should
> be in the same list, let me know.

https://datatracker.ietf.org/doc/html/rfc7230#page-32
gives the list as 

   ... any response with a 1xx
   (Informational), 204 (No Content), or 304 (Not Modified) status
   code is always terminated by the first empty line after the
   header fields, regardless of the header fields present in the
   message, and thus cannot contain a message body.

see the text for other responses that must have an empty body (for other
reasons than the status code).

/Benno

> 
> We can't easily find out if the fcgi server is going to send us an
> empty body without reading everything from the server until we hit the
> body. I'm happy to entertain a diff that does that.
> 
> In the meantime, this scratches my itch.
> OK?

ok benno@

> 
> diff --git server_fcgi.c server_fcgi.c
> index 8d3b581568f..0ac80c27d11 100644
> --- server_fcgi.c
> +++ server_fcgi.c
> @@ -615,6 +615,10 @@ server_fcgi_header(struct client *clt, unsigned int code)
>   if (kv_add(&resp->http_headers, "Server", HTTPD_SERVERNAME) == NULL)
>   return (-1);
>  
> + /* we cannot chunk-encode no-content */
> + if (code == 204)
> + clt->clt_fcgi.chunked = 0;
> +
>   /* Set chunked encoding */
>   if (clt->clt_fcgi.chunked) {
>   /* XXX Should we keep and handle Content-Length instead? */
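Review bot: Clearing `clt->clt_fcgi.chunked` for a 204 removes the framing, but within this hunk nothing discards a body if the FastCGI backend sends one anyway. Whether such bytes are then relayed is decided outside the hunk; if they are, on a persistent connection they would follow the header block unframed and a client could parse them as the start of the next response. I would record that next to the new check, e.g. `/* XXX any body the backend sends with a 204 must be dropped, not relayed */`, and confirm the read path does so.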
> 
> 
> -- 
> I'm not entirely sure you are real.
> 



Re: limit concurrent RTR connects in bgpd

2021-05-14 Thread Sebastian Benoit
Claudio Jeker(cje...@diehard.n-r-g.com) on 2021.05.14 11:21:11 +0200:
> I think it is a good idea to limit the number of concurrent connects in
> bgpd. I used 32 as the limit since that is way enough for the number of
> RTR sessions people will configure.
> 
> If the limit is hit the request will be dropped and the rtr process will
> retry the connect after the retry timeout. Hopefully by then the number of
> connections is down again.

ok benno

but i suggest to s/inflight/concurrent/, and keep the word inflight for log
messages about tracking connections for purpose of not running out of file
descriptors?

> -- 
> :wq Claudio
> 
> Index: bgpd.c
> ===
> RCS file: /cvs/src/usr.sbin/bgpd/bgpd.c,v
> retrieving revision 1.236
> diff -u -p -r1.236 bgpd.c
> --- bgpd.c11 May 2021 07:57:24 -  1.236
> +++ bgpd.c11 May 2021 08:00:25 -
> @@ -74,6 +74,7 @@ struct connect_elm {
>  TAILQ_HEAD( ,connect_elm)connect_queue = \
>   TAILQ_HEAD_INITIALIZER(connect_queue);
>  u_intconnect_cnt;
> +#define MAX_CONNECT_CNT  32
>  
>  void
>  sighdlr(int sig)
> @@ -1303,6 +1304,12 @@ bgpd_rtr_connect(struct rtr_config *r)
>   struct connect_elm *ce;
>   struct sockaddr *sa;
>   socklen_t len;
> +
> + if (connect_cnt >= MAX_CONNECT_CNT) {
> + log_warnx("rtr %s: too many inflight connection requests",
> + r->descr);
> + return;
> + }
>  
>   if ((ce = calloc(1, sizeof(*ce))) == NULL) {
>   log_warn("rtr %s", r->descr);
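Review bot: The new early return relies on `connect_cnt` being decremented on every path that ends a pending connect, including the error paths later in bgpd_rtr_connect(), none of which are visible in this hunk. If one path misses the decrement, the counter only drifts upward and, once it reaches `MAX_CONNECT_CNT`, every RTR connect is refused until bgpd is restarted, which would presumably leave the RTR-derived data to go stale. A comment on the define, e.g. `/* max pending RTR connects; excess requests are dropped and retried by the rtr process */`, and a check that the counter matches the queue length where entries are removed, would make that invariant explicit.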
> 


