tcp reaper timeout

2018-01-20 Thread Alexander Bluhm
Hi, The tcp reaper timeout is still imlemented as soft timeout. So it can run while net lock is held by others and it is not synchronized with the other tcp timeouts. Convert it to an ordinary tcp timeout so it is scheduled on the same timeout thread. It grabs the net lock to make sure that

Re: Zap PF_TRANS_ALTQ

2018-01-19 Thread Alexander Bluhm
On Fri, Jan 19, 2018 at 08:24:23PM +, Stuart Henderson wrote: > To be honest though, unless it's in the way of something, I'm not sure it's > worth removing. If those constatns are in ports and require revision bumps, we can leave it in the header. Rebuilding base is one thing, but doing

Re: Zap PF_TRANS_ALTQ

2018-01-19 Thread Alexander Bluhm
On Thu, Jan 18, 2018 at 11:15:41PM -0500, Lawrence Teo wrote: > Nothing uses PF_TRANS_ALTQ anymore, so zap it. > > ok? This means that people have to recompile their pfctl and some other tools together with the kernel. But that should not prevent code cleanup. OK bluhm@ > Index: pfvar.h >

Re: Explicitly check PF_TRANS_RULESET

2018-01-19 Thread Alexander Bluhm
On Thu, Jan 18, 2018 at 11:12:59PM -0500, Lawrence Teo wrote: > The pf(4) DIOCX{BEGIN,COMMIT,ROLLBACK} calls support two ruleset types: > PF_TRANS_RULESET and PF_TRANS_TABLE. > > However, their switch statements in pf_ioctl.c only check for > PF_TRANS_TABLE and do not check PF_TRANS_RULESET at

Re: Basic SHA3 support (cryptographic discussion)

2018-01-19 Thread Alexander Bluhm
On Wed, Jan 17, 2018 at 10:20:50PM +0100, Christian Weisgerber wrote: > What do you want to USE your SHA-3 implementation for? I would like to have a sha3 command line tool. Just to have it there and start using it. For example adding it to ports distfiles would be trivial. Yes, general

Re: stack pointer checking

2018-01-15 Thread Alexander Bluhm
On Thu, Jan 11, 2018 at 08:39:25PM -0700, Theo de Raadt wrote: > I'm asking for some feedback to discover what ports this breaks, we'd The go package immediately core dumps. Signature: go-1.9.2,1,c.92.2,pthread.25.1 root@ot6:.../~# go Abort trap (core dumped) Core was generated by

Re: stack pointer checking

2018-01-15 Thread Alexander Bluhm
On Thu, Jan 11, 2018 at 08:39:25PM -0700, Theo de Raadt wrote: > At every trap and system call, it checks if the stack-pointer is on a > page that is marked MAP_STACK. On amd64 3 regression tests fail with this diff. src/regress/lib/libpthread src/regress/lib/libc src/regress/sys/kern/stackjmp

Re: -staticarp & IFF* doc

2018-01-15 Thread Alexander Bluhm
On Mon, Jan 15, 2018 at 05:22:26PM +0100, Martin Pieuchot wrote: > 1) It recycles IFF_NOTRAILERS to IFF_STATICARP and adds some glue to Grep says NOTRAILERS is also in sbin/route/route.c and usr.sbin/route6d/route6d.c. They are easy to fix. > +.It Fl staticarp > +If the Address Resolution

pf route-to source address correction

2018-01-15 Thread Alexander Bluhm
Hi, When pf route-to is used for locally generated packets, they may have invalid source address. In my case, an ICMP error packet created by ip_forward() with source 127.0.0.1 is sent out over the network. Of course this is rejected by th other side. 14:28:02.298099 10.188.220.17 >

pf route-to ttl

2018-01-13 Thread Alexander Bluhm
Hi, When pf(4) forwards incoming packets with route-to or reply-to, it should decrement the time-to-live or hop-limit field. This makes traceroute work and prevents routing loops. For outgoing packets ip_forward() has already done this. ok? bluhm Index: net/pf.c

powernow abs unsigned

2018-01-13 Thread Alexander Bluhm
Hi, I have seen a warning that "while (abs(vco_fid - vco_cfid) > 2)" is operating on unsigned values. As our kernel's abs() takes a signed integer as parameter, I think this codes works anyway. The unsigned is converted to signed before it is passed to abs(). Using singned values seems better

pf icmp error

2018-01-09 Thread Alexander Bluhm
Hi, I think we should use pf_send_icmp() in pf_route(). It is more consistent and sets the routing domain and other mbuf flags. In pf_route6() the bad packet counter and PF_DUPTO check were missing which is inconsistent to IPv4. ok? bluhm Index: net/pf.c

Re: shuffle protocol family input in ether_input()

2018-01-09 Thread Alexander Bluhm
On Tue, Jan 09, 2018 at 06:40:49PM +1000, David Gwynne wrote: > the main change here is to defer chopping the ethernet header off > the frame until just before the protocol input function is called. > this means we don't have to reattach it for pppoe. > > ok? OK bluhm@ > Index: if_ethersubr.c >

Re: TCP/UDP/etc input path w/o KERNEL_LOCK()

2018-01-09 Thread Alexander Bluhm
On Tue, Jan 09, 2018 at 11:24:14AM +0100, Martin Pieuchot wrote: > On 02/01/18(Tue) 16:04, Martin Pieuchot wrote: > > New year, new diff. Assuming we can live with the kqueue(2) races, > > here's a diff to remove the KERNEL_LOCK() from all pr_input() routines. > > > > I'd appreciate tests. > >

Re: sosetstate/soclrstate

2018-01-09 Thread Alexander Bluhm
On Tue, Jan 09, 2018 at 11:23:32AM +0100, Martin Pieuchot wrote: > --- netinet6/ip6_output.c 1 Sep 2017 15:05:31 - 1.232 > +++ netinet6/ip6_output.c 9 Jan 2018 10:16:10 - > @@ -1033,12 +1033,12 @@ int > ip6_ctloutput(int op, struct socket *so, int level, int optname, >

cloned interface malloc wait

2018-01-08 Thread Alexander Bluhm
Hi, Creating a cloned interface could return ENOMEM during a temporary memory shortage. As it is invoked from a system call, it should not fail and wait instead. ok? bluhm Index: net/if_bridge.c === RCS file:

Re: interface tx mitigation, with NET LOCK fixes

2018-01-08 Thread Alexander Bluhm
On Mon, Jan 08, 2018 at 03:07:34PM +0100, Martin Pieuchot wrote: > Well if_start() is a driver function. It should not require the > NET_LOCK(). pf(4) has been fixed to not be re-entrant so the same > thing has to be done for pseudo-driver. I like the fact that your > diff is defining a new

Re: sosetstate/soclrstate

2018-01-08 Thread Alexander Bluhm
On Mon, Jan 08, 2018 at 03:50:14PM +0100, Martin Pieuchot wrote: > ok? OK bluhm@ with a few remarks. > @@ -1422,12 +1422,12 @@ somove(struct socket *so, int wait) > > /* Receive buffer did shrink by len bytes, adjust oob. */ > state = so->so_state; > - so->so_state &=

Re: mess with regression tests

2018-01-08 Thread Alexander Bluhm
On Fri, Jan 05, 2018 at 07:01:56PM +0300, Sergey Bronnikov wrote: > I have updated patch for bin/ed and now the most part of tests are > works. I have converted your work into a single Makefile. It is easier to have everything in one place. So mkscripts.sh and ckscripts.sh are implemented as

Re: make mpls_input take struct ifnet *ifp as an argument

2018-01-08 Thread Alexander Bluhm
On Mon, Jan 08, 2018 at 11:49:05AM +1000, David Gwynne wrote: > i want this so it makes mpls_input have the same function signature > as all the other protocol input functions we care about. > > it also helps mpls_input because it looks up the interface the mpls > packet was received on, but it's

Re: relayd and PUT

2018-01-04 Thread Alexander Bluhm
On Wed, Dec 13, 2017 at 07:42:03AM +0100, Claudio Jeker wrote: > On Wed, Dec 13, 2017 at 12:25:39AM +, Rivo Nurges wrote: > > If you http PUT a "big" file through relayd, server<>relay read side > > will eventually get a EVBUFFER_TIMEOUT. Nothing comes back from the > > server until the PUT is

Re: pf state key linking mbuf assert

2017-12-29 Thread Alexander Bluhm
On Thu, Dec 28, 2017 at 12:46:45AM +0100, Alexandr Nedvedicky wrote: > I like your change. You have my OK with small change here: I have commitet my diff with a small addition. I fixed a memory leak that I had introduced before. > > -pf_pkt_state_key_ref(struct mbuf *m) > >

pf badopts routing header

2017-12-27 Thread Alexander Bluhm
Hi, pf drops IPv4 packets with options by default. For IPv6 the same is done for certain option headers. I think we should add the routing header to this list. ok? bluhm Index: net/pf.c === RCS file:

Re: sorflush hack

2017-12-27 Thread Alexander Bluhm
On Wed, Dec 27, 2017 at 04:58:07PM +0100, Martin Pieuchot wrote: > Simpler diff that just do the zeroing, anyone? OK bluhm@ > Index: kern/uipc_socket.c > === > RCS file: /cvs/src/sys/kern/uipc_socket.c,v > retrieving revision 1.212

Re: if_ioctl: move NET_LOCK down

2017-12-27 Thread Alexander Bluhm
On Wed, Dec 27, 2017 at 04:55:49PM +0100, Martin Pieuchot wrote: > Updated diff below. OK bluhm@ > Index: net/if.c > === > RCS file: /cvs/src/sys/net/if.c,v > retrieving revision 1.531 > diff -u -p -r1.531 if.c > --- net/if.c 15

pf state key linking

2017-12-26 Thread Alexander Bluhm
Hi, The functions to link the pf state keys always confused me a bit. I think the new naming and code of the functions is more consistent. ok? bluhm Index: kern/uipc_mbuf.c === RCS file:

Re: llvm: patch-update to release 5.0.1

2017-12-24 Thread Alexander Bluhm
On Fri, Dec 22, 2017 at 01:35:28PM +0100, Patrick Wildt wrote: > Feedback appreciated! On i386 I used clang version 5.0.1 to build a kernel and /usr/src. The regression tests passed on that system. bluhm

Re: pf divert raw sockets

2017-12-22 Thread Alexander Bluhm
On Fri, Dec 15, 2017 at 03:10:49PM +0100, Alexander Bluhm wrote: > Hi, > > With pf divert raw sockets behave differently than TCP or UDP. > > TCP and UDP first make an exact match without divert in_pcbhashlookup(). > Then they do the divert-to match in in_pcblookup_listen(). &g

pf state key link inp

2017-12-22 Thread Alexander Bluhm
Hi, There is a corner case where linking the inp to the state key does not work in pf. The function pf_inp_link() takes the state key from the mbuf and not the one we have just found. Introduce a new function pf_state_key_link_inpcb() that does exactly that together with some sanity checks. I

Re: if_ioctl: move NET_LOCK down

2017-12-20 Thread Alexander Bluhm
On Wed, Dec 20, 2017 at 01:43:13PM +0100, Martin Pieuchot wrote: > > rtm_ifchg() calls route_input() which needs the net lock. > > Does it? What needs the lock in route_input()? I thought routing > sockets are still protected by the KERNEL_LOCK(). My fault. I have misread the code. Your

Re: if_ioctl: move NET_LOCK down

2017-12-19 Thread Alexander Bluhm
On Mon, Dec 18, 2017 at 04:01:12PM +0100, Martin Pieuchot wrote: > Diff below moves the NET_LOCK() into every switch case that need it and > document locking for most of the fields of 'struct ifnet'. > case SIOCSIFXFLAGS: > if ((error = suser(p, 0)) != 0) >

Re: soreceive() unlock/relock

2017-12-18 Thread Alexander Bluhm
On Mon, Dec 18, 2017 at 02:46:32PM +0100, Martin Pieuchot wrote: > Diff below remove an unnecessary unlock/relock dance when following the > 'goto restart'. > > ok? OK bluhm@ > Index: kern/uipc_socket.c > === > RCS file:

Re: inline sb define in uipc_usrreq

2017-12-18 Thread Alexander Bluhm
On Mon, Dec 11, 2017 at 09:29:00AM +0100, Martin Pieuchot wrote: > It's complicated to see which socket buffer associated to which socket > need protection. So inline the defines, ok? OK bluhm@ > Index: kern/uipc_usrreq.c > === >

Re: 20+ years ifdef notdef & SB_LOCK

2017-12-18 Thread Alexander Bluhm
On Mon, Dec 11, 2017 at 08:59:52AM +0100, Martin Pieuchot wrote: > This chunk has been #ifdef since r1.1 in 1995. I'd like to revisit > SB_LOCK so this is in my way. Ok to remove it? OK bluhm@ > Index: kern/uipc_usrreq.c > === >

pf divert raw sockets

2017-12-15 Thread Alexander Bluhm
Hi, With pf divert raw sockets behave differently than TCP or UDP. TCP and UDP first make an exact match without divert in_pcbhashlookup(). Then they do the divert-to match in in_pcblookup_listen(). This diff makes it consistent. Search for bound and connected sockets in raw_input() also if

Re: mess with regression tests

2017-12-13 Thread Alexander Bluhm
On Wed, Dec 06, 2017 at 11:19:18PM +0300, Sergey Bronnikov wrote: > Patch below adds similar scripts for ed, perl, gdb, libkeynote, ctags, > m4 and sed. Patch looks huge but it is actually simple. Anyway if you > want splitted patch I will resend. It is not the patch that is too big but the task.

Re: libressl: crash in DES_fcrypt

2017-12-13 Thread Alexander Bluhm
Hi, I would like to commit this fix. I tried to avoid the crash in libcrypto with least possible impact for the DES_fcrypt() API. ok? bluhm On Tue, Dec 05, 2017 at 05:20:49PM +0100, Alexander Bluhm wrote: > On Fri, Oct 27, 2017 at 01:50:26AM +0200, Jan Engelhardt wrote: > > #include

Re: sb_flags vs sb_flagsintr

2017-12-08 Thread Alexander Bluhm
On Thu, Dec 07, 2017 at 01:37:15PM +0100, Martin Pieuchot wrote: > Right, updated diff below. OK bluhm@ > Index: kern/uipc_socket.c > === > RCS file: /cvs/src/sys/kern/uipc_socket.c,v > retrieving revision 1.209 > diff -u -p -r1.209

Re: libressl: crash in DES_fcrypt

2017-12-05 Thread Alexander Bluhm
On Fri, Oct 27, 2017 at 01:50:26AM +0200, Jan Engelhardt wrote: > #include > int main(void) { > char salt[3] = {0xf8, 0xd0, 0x00}; > char out[32]; > DES_fcrypt("foo", salt, out); > } This program produces a Segmentation fault in OpenBSD current. > openssl 1.1.x has it

Re: sb_flags vs sb_flagsintr

2017-12-05 Thread Alexander Bluhm
On Mon, Dec 04, 2017 at 03:33:56PM +0100, Martin Pieuchot wrote: > Diff below change the usage of `sb_flags' and `sb_flagsintr'. The > former will be protected by the socket lock while the latter will > be using atomic operations. I like this plan. > @@ -381,17 +381,18 @@ sbunlock(struct socket

Re: pf neighbor discovery hop limit

2017-12-04 Thread Alexander Bluhm
On Mon, Dec 04, 2017 at 08:23:26PM +, Job Snijders wrote: > On Mon, Dec 04, 2017 at 02:55:16PM +0100, Alexander Bluhm wrote: > > RFC 4861 requires that all neighbor discovery packets have 255 in > > their IPv6 header hop limit field. Let pf drop neighbor solicitatio

Re: mess with regression tests

2017-12-04 Thread Alexander Bluhm
On Mon, Dec 04, 2017 at 04:56:49PM +0100, Sebastian Benoit wrote: > > connected to the Makefile in a source directory, tests looks broken. > > > > - lib/libexpat/tests/ > > (2), but regress/lib/libexpat exists I update the libexpat tests together with libexpat sources, so they reside in

pf neighbor discovery hop limit

2017-12-04 Thread Alexander Bluhm
Hi, RFC 4861 requires that all neighbor discovery packets have 255 in their IPv6 header hop limit field. Let pf drop neighbor solicitation, neighbor advertisement, router solicitation, router advertisement, and redirect ICMP6 packets that do not comply. This enforces that bogus packets cannot

pf divert socket lookup

2017-12-01 Thread Alexander Bluhm
Hi, I want to make divert lookup similar for all socket types: If PF_TAG_DIVERTED is set, pf_find_divert() cannot fail so put an assert there. Explicitly check all possible divert types, panic in the default case. For raw sockets call pf_find_divert() before of the socket loop. Divert reply

pcb lookup listen PF_TAG_TRANSLATE_LOCALHOST

2017-11-30 Thread Alexander Bluhm
Hi, I would like to simplify the reverse pcb lookup logic. The PF_TAG_TRANSLATE_LOCALHOST security check predates the divert feature. It prevents that you accidentally use redirect where a divert-to would be appropriate. Instead of spreading the logic into tcp and udp input, we could just

Re: TCP/UDP/etc input w/o KERNEL_LOCK()

2017-11-28 Thread Alexander Bluhm
On Tue, Nov 28, 2017 at 02:42:58PM +0100, Martin Pieuchot wrote: > > login: panic: kernel diagnostic assertion "_kernel_lock_held()" failed: > > file "/usr/src/sys/kern/uipc_socket.c", line 1882 > > Stopped at db_enter+0x4: popl%ebp Next crash, now during regress/usr.bin/openssl.

pf divert type

2017-11-27 Thread Alexander Bluhm
Hi, This converts the pf rule structure to use the divert type. Old semantics was: divert.port: divert-to or divert-reply divert.addr: divert-to divert_packet.port: divert-packet Now we have one divert structure with an explicit type. ok? bluhm Index: sys/net/pf.c

Re: relayd load certificates via fd

2017-11-27 Thread Alexander Bluhm
On Mon, Nov 27, 2017 at 11:26:06PM +0100, Claudio Jeker wrote: > Guess we should make the 3 fatalx() in that code different so that it > becomes more clear on which call it fails. As in the diff below? > Wonder what kind of startup race we lose... I can reproduce one of the errors on my laptop:

Re: relayd load certificates via fd

2017-11-27 Thread Alexander Bluhm
On Mon, Nov 27, 2017 at 11:04:49PM +0100, Alexander Bluhm wrote: > And I am waiting for my loop to fail ... Now I have got a different error: execute: ssh ot2 perl -I /usr/src/regress/usr.sbin/relayd /usr/src/regress/usr.sbin/relayd/remote.pl copy 10.188.81.22 10.188.81.21 37198 /usr/

Re: relayd load certificates via fd

2017-11-27 Thread Alexander Bluhm
On Mon, Nov 27, 2017 at 10:40:33PM +0100, Claudio Jeker wrote: > Does not happen here. Running > while make run-regress-args-https-inspect.pl ; do echo -n; done > for a few minutes now and no failure. It takes a while. I am running it on - very old and slow i386 machine, different timing -

Re: relayd load certificates via fd

2017-11-27 Thread Alexander Bluhm
On Mon, Nov 27, 2017 at 08:23:29PM +0100, Claudio Jeker wrote: > Instead of using imsg to pass certificates, pass the fd to the cert to the > relay processes. This allows for large certificates and esp. ca file to > work. OCSP stapling will also be added through this. relayd regression tests pass

pfctl divert type

2017-11-27 Thread Alexander Bluhm
Hi, The divert structure uses the port number to indicate that divert-to or divert-reply is active. Divert packet uses a separate structure. This is confusing and makes it hard to add new features. It is better to have a divert type that explicitly says what is configured. This is the first

Re: race-less nd6_timer

2017-11-27 Thread Alexander Bluhm
On Mon, Nov 27, 2017 at 10:43:09AM +0100, Martin Pieuchot wrote: > Here's a diff that includes that and prevent a user-after-free pointed > out by visa@. We should not try to dereference `rt' if nd6_free() has > been called. > > Hrvoje Popovski confirmed he couldn't reproduce the panic with this

Re: TCP/UDP/etc input w/o KERNEL_LOCK()

2017-11-27 Thread Alexander Bluhm
On Mon, Nov 27, 2017 at 12:20:34PM +0100, Martin Pieuchot wrote: > Questions, comments, tests? New panic with regress. I think it was sys/kern/sosplice this time. login: panic: kernel diagnostic assertion "_kernel_lock_held()" failed: file "/usr/src/sys/kern/uipc_socket.c", line 1882 Stopped

Re: nc: exit client after server shutdown socket

2017-11-26 Thread Alexander Bluhm
On Sun, Nov 26, 2017 at 09:58:48PM +0100, Klemens Nanni wrote: > On Sun, Nov 26, 2017 at 09:17:11PM +0100, Alexander Bluhm wrote: > > On Sun, Nov 26, 2017 at 03:52:33PM +0100, Klemens Nanni wrote: > > > nc as client keeps sending after the server shutdown the socket: > >

Re: nc: exit client after server shutdown socket

2017-11-26 Thread Alexander Bluhm
On Sun, Nov 26, 2017 at 03:52:33PM +0100, Klemens Nanni wrote: > nc as client keeps sending after the server shutdown the socket: Yes, that is a half closed connection. Server has shutdown, but client is still sending. This is a TCP feature made accessible by the nc tool. > tedu@ introduced

Re: pfctl fails to handle nested 'load anchor' properly

2017-11-24 Thread Alexander Bluhm
On Fri, Nov 24, 2017 at 02:58:48PM +0100, Alexandr Nedvedicky wrote: > this diff is part of the 'big patch' [1] to pfctl I've sent while back. The > pfctl fails to handle nested 'load anchor' statements properly, when ruleset > is > being loaded to non-root anchor (e.g. pfctl -a regress ...),

Re: pfctl rule optimizer: anchor name vs. anchor path mix up

2017-11-24 Thread Alexander Bluhm
On Fri, Nov 24, 2017 at 11:36:28AM +0100, Alexandr Nedvedicky wrote: > this is yet another occurrence of infamous 'name vs. path mix up' [1]. > Leonardo Guardati hit this bug in rule optimizer this time. The patch > below is part of 'the big diff' I've sent while ago [2]. > > OK? OK bluhm@ >

Re: patching use-after-free and innocent memory leak in pfctl_optimzie.c

2017-11-24 Thread Alexander Bluhm
On Fri, Nov 24, 2017 at 01:11:08PM +0100, Alexandr Nedvedicky wrote: > the patch below is part of larger diff [1] I've sent earlier. Leonardo seen a > pfctl.core, when pfctl_optimize failed to create a radix table. The use after > free happens in superblock_free() at 1621: I have seen exactly

Re: race-less nd6_timer

2017-11-23 Thread Alexander Bluhm
On Wed, Nov 22, 2017 at 04:24:22PM +0100, Martin Pieuchot wrote: > Diff below implements 3/ because it seems the simplest approach to > me and reduce differences with ARP a bit further. Yes. > void > -nd6_llinfo_settimer(struct llinfo_nd6 *ln, int secs) > +nd6_llinfo_settimer(struct llinfo_nd6

Re: mp-safe carp_iamatch6()

2017-11-22 Thread Alexander Bluhm
On Wed, Nov 22, 2017 at 03:48:43PM +0100, Martin Pieuchot wrote: > Hrvoje Popovski reported the following panic when testing my diff to > unlock protocol inputs function: > > panic() at panic+0x128 > __assert(814d1114,800022755d80,809ce000,800022755e20) >

Re: cvsweb: cvs annotate error

2017-11-22 Thread Alexander Bluhm
On Wed, Nov 22, 2017 at 03:30:09PM +0800, Michael W. Bombardieri wrote: > Sorry if this is the wrong list, but I found a couple of branch > revisions in file src/sys/dev/midi.c which produce an error when > clicking "annotate" link in cvsweb. >

Re: sbunlock() w/o KERNEL_LOCK()

2017-11-22 Thread Alexander Bluhm
On Wed, Nov 22, 2017 at 01:01:25PM +0100, Martin Pieuchot wrote: > When we converted most of the splsoftnet() to NET_LOCK() we ended up > with some "lock" inversions between the socket buffer "lock" and the > NET_LOCK(). At that time the KERNEL_LOCK() was serializing access to > `sb_flags'. > >

Re: ip_deliver() w/o KERNEL_LOCK

2017-11-22 Thread Alexander Bluhm
On Wed, Nov 22, 2017 at 12:19:49PM +0100, Martin Pieuchot wrote: > On 22/11/17(Wed) 11:05, Martin Pieuchot wrote: > > ip_deliver() dispatches incoming packets to their corresponding protocol > > input function. It doesn't need the KERNEL_LOCK(), so remove the assert > > and mark the dispatch

Re: avoid pcb lookup in pf forward

2017-11-22 Thread Alexander Bluhm
On Wed, Nov 22, 2017 at 09:49:06AM +0100, Alexandr Nedvedicky wrote: > > /* if reassembled packet passed, create new fragments */ > > - if (pf_status.reass && action == PF_PASS && pd.m && fwdir == PF_FWD) { > > + if (pf_status.reass && action == PF_PASS && pd.m && fwdir == PF_FWD && > > +

avoid pcb lookup in pf forward

2017-11-21 Thread Alexander Bluhm
Hi, markus@ pointed out that it makes no sense to call pcb lookup from pf during packet forwarding. While there remove a useless ifp parameter form ip_output_ipsec_send(). ok? bluhm Index: net/pf.c === RCS file:

Re: carp: address update hook gone after interface detach

2017-11-20 Thread Alexander Bluhm
On Thu, Nov 16, 2017 at 03:23:07PM +0100, Patrick Wildt wrote: > when we detach the interface from the carp the hook that is called > when an address is updated is disestablished. But it never again > gets re-established, which makes the carp interface unusable. This > happens for instance if

Re: TCP/UDP/etc input w/o KERNEL_LOCK()

2017-11-20 Thread Alexander Bluhm
On Mon, Nov 20, 2017 at 04:22:25PM +0100, Martin Pieuchot wrote: > Diff below remove the KERNEL_LOCK() around all pr_input() routines. > It's a bit rough so I'd appreciate more tests before splitting it into > pieces. regress/lib/libpthread runs into a deadlock: ===> socket/1 cc -O2 -pipe

Re: ip_ipsp.h merge #ifdef _KERNEL

2017-11-20 Thread Alexander Bluhm
On Mon, Nov 20, 2017 at 02:25:01PM +0100, Martin Pieuchot wrote: > On 20/11/17(Mon) 14:15, Alexander Bluhm wrote: > > On Mon, Nov 20, 2017 at 12:37:35PM +0100, Martin Pieuchot wrote: > > > Merge multiple _KERNEL blocks, ok? > > > > My grep over /usr/src found these

Re: ip_ipsp.h merge #ifdef _KERNEL

2017-11-20 Thread Alexander Bluhm
On Mon, Nov 20, 2017 at 12:37:35PM +0100, Martin Pieuchot wrote: > Merge multiple _KERNEL blocks, ok? My grep over /usr/src found these defines only within the kernel. So perhaps we should not export them to user land. bluhm > Index: netinet/ip_ipsp.h >

Re: ifconfig gif0 deletetunnel is different

2017-11-17 Thread Alexander Bluhm
On Fri, Nov 17, 2017 at 04:51:55PM +0100, Sebastian Benoit wrote: > ok? OK bluhm@ with a nit > +.It Cm -tunnel Ar src_address dest_address > +Remove the source and destination tunnel addresses. -tunnel does not take arguments

Re: add an iqdrops view to systat to show interface queue drops

2017-11-16 Thread Alexander Bluhm
On Wed, Nov 15, 2017 at 01:29:42PM +1000, David Gwynne wrote: > im adding numbers to input and output qdrops in the kernel, so im > aware that they exist now. however, i don't really see these values > in userland. it seems netstat and systat think errors are more > important. > > i tried adding

Re: maximum size of http headers in relayd

2017-11-16 Thread Alexander Bluhm
On Wed, Nov 15, 2017 at 08:15:15PM +0100, Sebastian Benoit wrote: > Thanks, here is a diff on top of the last to check that. > > If you manage to set the default headerlen on non http protocols, it does > not catch that, but i dont want to add another variable for that corner > case. I think it

Re: maximum size of http headers in relayd

2017-11-15 Thread Alexander Bluhm
On Tue, Nov 14, 2017 at 06:15:05PM +0100, Sebastian Benoit wrote: > +.It Ic http Ar option > +Set the HTTP options and session settings. > +This is only used if HTTP is enabled in the relay. Could we check that the http option is not used for non-http configs? Then writing correct relayd.conf

Re: Fwd [misc@]: Suppessing logging of arp movement messages

2017-11-14 Thread Alexander Bluhm
On Tue, Nov 14, 2017 at 02:04:27PM +, Stuart Henderson wrote: > Any thoughts (and suggestions for mib for an af-independent one if > that's the way to go)? I have the requirement to log all arp overwrites in the local network. So I would like to keep the log message, it does no harm in a

frag6 splassert net lock

2017-11-14 Thread Alexander Bluhm
Hi, On my regress test machine I see this trace: splassert: rt_match: want 2 have 0 Starting stack trace... rt_match(2,0,d0bb032e,604a56c3) at rt_match+0x45 rt_match(f5475540,0,0,0) at rt_match+0x45 rtalloc(f5475540,0,0) at rtalloc+0x13 icmp6_reflect(d818de00,28) at icmp6_reflect+0x1f7

Re: Introduce ipsec_sysctl()

2017-11-13 Thread Alexander Bluhm
On Mon, Nov 13, 2017 at 01:30:43PM +0100, Martin Pieuchot wrote: > This move all IPsec tunables to netinet/ipsec_input.c without breaking > the "net.inet.ip" sysctl(3) namespace. > > The reason for this move is to properly separate IPsec and IP globals > in order to ease the removal of the

tcp socket splicing block output

2017-11-07 Thread Alexander Bluhm
Hi, I had to debug a crash in socket splicing that happened with an old version of OpenBSD 5.2. It is triggered when system calls and TCP packets with urgent pointer occur in a certain order. The crash does not happen in OpenBSD -current as I delay moving the spliced data to a special sosplice

Re: tftpd(8): diff for ip path rewrite

2017-11-07 Thread Alexander Bluhm
On Wed, Oct 25, 2017 at 06:54:01PM +0200, Jeremie Courreges-Anglas wrote: > New diff after feedback from jmc@ OK bluhm@ > Index: tftpd.8 > === > RCS file: /d/cvs/src/usr.sbin/tftpd/tftpd.8,v > retrieving revision 1.5 > diff -u -p

Re: Add reset option to boot command of ddb(4)

2017-10-26 Thread Alexander Bluhm
On Thu, Oct 26, 2017 at 10:32:42PM +1100, Jonathan Gray wrote: > What specifically? Skip if_downall() if rebooting from ddb? > That could perhaps even be done for RB_NOSYNC. I thought of someting like a big hammer. Skip everything except the final call in boot() that causes the machine to

Re: Add reset option to boot command of ddb(4)

2017-10-26 Thread Alexander Bluhm
On Thu, Oct 26, 2017 at 08:08:35PM +1100, Jonathan Gray wrote: > No, cpu_reset() is MD this will break ddb on all non x86 archs besides > landisk. Would it make sense to implement a boot(RB_RESET) that works everywhere? Problem is that when adding MP locks to the kernel, ddb boot reboot does not

Re: Refactor TCP partial ACK handling

2017-10-24 Thread Alexander Bluhm
On Tue, Oct 24, 2017 at 03:21:08PM +0200, Mike Belopuhov wrote: > I didn't do it because tcp_var.h is where tcp keeps all of it's prototypes > but I don't mind moving them into tcp_input.c. Any objections? Otherwise > I'll check in the diff below. Regression tests pass. OK bluhm@ > diff --git

Re: [patch]Use BUFSIZE instead of hard-code in netcat.c

2017-10-24 Thread Alexander Bluhm
On Tue, Oct 24, 2017 at 07:44:02PM +0800, Nan Xiao wrote: > Use BUFSIZE instead of hard-code in netcat.c, FYI. Thanks! As this buffer is used with MSG_PEEK and its content is discarded, the size does not really matter. The complicated logic seems to be a leftover from the -j jumbo option. I

Re: kqueue_scan() in parallel

2017-10-24 Thread Alexander Bluhm
On Tue, Oct 24, 2017 at 11:14:22AM +0200, Martin Pieuchot wrote: > This is not a problem. The way knote_acquire() is designed is to sleep > for a small amount of time, 1 * hz for the moment. Ah yes, I see the hz now. So there cannot be starvation. This is a best effort algorithm, we do not

Re: kqueue_scan() in parallel

2017-10-23 Thread Alexander Bluhm
On Wed, Oct 18, 2017 at 11:22:01AM +0200, Martin Pieuchot wrote: > Diff below is the last version of my kqueue diff to allow grabbing the > solock() and possibly sleeping, inside kqueue_scan(). I wonder why you don't call knote_release() when calling knote_drop(). Another thread could sleep in

Re: syslogd file system full

2017-10-23 Thread Alexander Bluhm
Anyone? On Thu, Oct 05, 2017 at 07:19:29PM +0200, Alexander Bluhm wrote: > Hi, > > When /var/log/ is full, syslogd(8) stops writing to these files. > It does this permanently so cleaning /var without SIGHUP to syslogd > does not help. Better retry, write an error message to ot

Re: KAME ioctl leftovers

2017-10-19 Thread Alexander Bluhm
On Wed, Oct 18, 2017 at 01:34:27PM +0200, Martin Pieuchot wrote: > Kill ioctl(2) added with original KAME import that have never been used. > FreeBSD also stopped supporting them in 2013. > > ok? OK bluhm@ > Index: sys/sockio.h >

Re: if_ioctl is not NULL

2017-10-19 Thread Alexander Bluhm
On Wed, Oct 18, 2017 at 01:42:57PM +0200, Martin Pieuchot wrote: > All are drivers provides it and if_attach() now asserts that it is not > NULL. > > Let's get rid of those checks, ok? OK bluhm@ > Index: netinet/in.c > === > RCS

Re: queue packet in loopback

2017-10-18 Thread Alexander Bluhm
On Wed, Oct 18, 2017 at 10:48:30AM +0200, Alexandr Nedvedicky wrote: > I think you also want to add if_ih_remove() to loop_clone_destroy(). Yes, thanks for catching that. > I feel it should be called after if_detach(). I disagree. Other pseudo-interfaces call it before. But more

queue packet in loopback

2017-10-17 Thread Alexander Bluhm
Hi, markus@ has found a possible stack overrun in the network as we have removed some queueing. Now lo(4) output calls the ip input routines without a queue. So if a packet loops through the kernel, the kernel stack fills up. root@q70:.../~# route add 1.2.3.4 127.0.0.1 add host 1.2.3.4:

Re: route warning

2017-10-17 Thread Alexander Bluhm
On Mon, Oct 16, 2017 at 01:18:27PM +0200, Martin Pieuchot wrote: > Removing the if () block should do it. This diff is not quite right. /usr/src/regress/sbin/route rttest20 shows that there is an additional +get net 2001:ee0:2001:c0::/64 each time you call route get. You only want such a line

Re: route warning

2017-10-16 Thread Alexander Bluhm
On Mon, Oct 16, 2017 at 01:18:27PM +0200, Martin Pieuchot wrote: > Removing the if () block should do it. It introduces a small change in > behavior, route(8) now exists with an error code if an entry doesn't > exist in the table. That's a good thing, because one can now test if a > route is

Re: Kill SIOCSIFPHYADDR & friends

2017-10-16 Thread Alexander Bluhm
On Mon, Oct 16, 2017 at 12:35:35PM +0200, Martin Pieuchot wrote: > The following ioctl(2)s are deprecated since 2001. I'd like to > remove our kernel support for them: > - SIOCSIFPHYADDR > - SIOCSIFPHYADDR_IN6 > - SIOCGIFPSRCADDR > - SIOCGIFPSRCADDR_IN6 > -

Re: ifioctl() tweak #3

2017-10-16 Thread Alexander Bluhm
On Mon, Oct 16, 2017 at 12:13:09PM +0200, Martin Pieuchot wrote: > All interfaces define an `if_ioctl' function pointer. So do not check > for it. > > Change the remaining 'return' into 'break'. > > In SIOCSIFLLADDR change the address *after* querying the driver. This > make the logic in

Re: IPsec w/o KERNEL_LOCK()

2017-10-11 Thread Alexander Bluhm
On Wed, Oct 11, 2017 at 05:01:46PM +0200, Martin Pieuchot wrote: > Tests and comments welcome. All regress tests passed. Code looks reasonable. OK bluhm@ > Index: net/if_enc.c > === > RCS file: /cvs/src/sys/net/if_enc.c,v >

Re: perl 5.24.3 update (OK?)

2017-10-11 Thread Alexander Bluhm
On Fri, Sep 22, 2017 at 06:56:27PM -0700, Andrew Fresh wrote: > Hoping this will be able to go in before the lock, I've heard good Updating Perl after unlock is better. Running with it for a while without problems. No library bump needed. OK bluhm@ for Perl v5.24.3

Re: Send sysctl_mq() where it belongs

2017-10-11 Thread Alexander Bluhm
On Wed, Oct 11, 2017 at 02:58:21PM +0200, Martin Pieuchot wrote: > sysctl_mq() messes with 'struct mbuf_queue' internals, so keep it in > kern/uipc_mbuf.c with the rest of the mq* functions. I wonder whether it should be called mq_sysctl() as it will be located in the mq_ namespace. A grep for

Re: ifioctl() cleanup, step 2

2017-10-11 Thread Alexander Bluhm
On Wed, Oct 11, 2017 at 10:44:22AM +0200, Martin Pieuchot wrote: > Moar cleanup to be able to selectively take the NET_LOCK() around some > ioctls. > > This diff change many "return (error)" into "break". It looks a bit inconsistent, where you replace the return and where not. But I am sure

Re: [PATCH] tests for vmd config parsing

2017-10-11 Thread Alexander Bluhm
On Tue, Oct 10, 2017 at 10:57:22PM -0700, Mike Larkin wrote: > On Tue, Oct 10, 2017 at 07:54:20PM -0700, Carlos Cardenas wrote: > > This patch adds a set of tests for vmd config parsing. > > > > Comments? Ok? > > > > ok by me. I think bluhm@ also looked at this. > > bluhm, ok to commit? > >

Re: Move 'struct kevent' storage to the stack

2017-10-10 Thread Alexander Bluhm
On Mon, Oct 09, 2017 at 11:48:56AM +0200, Martin Pieuchot wrote: > The diff below move 'struct kevent' storage to the stack. This is > the simplest way to make it mp-safe. > > This has been tested as part of a larger diff by many. I am currently running the regression tests with it. > Ok? OK

  1   2   3   4   5   6   7   8   9   10   >