tcpdump wireguard big endian

2021-04-14 Thread Alexander Bluhm
Hi, regress/sys/net/wg fails on powerpc64 as tcpdump(8) cannot parse wireguard packets. EXTRACT_LE_32BITS() converts the type from little endian to host endian. So we need the constants in host endianness. ok? bluhm Index: print-wg.c

Re: uvm_page_physload: use km_alloc(9)

2021-04-12 Thread Alexander Bluhm
On Mon, Mar 22, 2021 at 11:50:00AM +0100, Mark Kettenis wrote: > > Date: Mon, 22 Mar 2021 11:29:52 +0100 > > From: Martin Pieuchot > > > > Convert the last MI uvm_km_zalloc(9) to km_alloc(9), ok? > > Also needs some careful testing on multiple architectures. I did run both diffs through a full

Re: update explicit_bzero test to not assume SIGSTKSZ to be constant

2021-03-26 Thread Alexander Bluhm
On Mon, Mar 22, 2021 at 08:38:23PM -0500, Brent Cook wrote: > In the next version of Linux glibc, SIGSTKSZ is defined at runtime if > source is built with _GNU_SOURCE. On LibreSSL-portable, this is set to > bring in asprintf/vasprintf, which causes the explicit_bzero test to > fail to compile

Re: [External] : [ICMP] IP options lead to malformed reply

2021-03-26 Thread Alexander Bluhm
On Fri, Mar 26, 2021 at 11:00:22AM +, Schreilechner, Dominik wrote: > --- a/sys/netinet/ip_output.c > +++ b/sys/netinet/ip_output.c > @@ -765,6 +765,11 @@ ip_insertoptions(struct mbuf *m, struct mbuf *opt, int > *phlen) > optlen = opt->m_len - sizeof(p->ipopt_dst); > if

/dev/kmem address range check

2021-03-22 Thread Alexander Bluhm
Hi, By specifying an invalid offset when reading /dev/kmem it is easy to crash the kernel from userland. sysctl kern.allowkmem=0 prevents this per default kernel: protection fault trap, code=0 Stopped at copyout+0x53: repe movsq (%rsi),%es:(%rdi) ddb> trace copyout() at copyout+0x53

syslogd kernel timestamp

2021-03-18 Thread Alexander Bluhm
Hi, Since we stash log messages in the kernel, the timestamps added by syslogd are delayed. The kernel could add the timestamp when it receives the message by sendsyslog(2). This is more precise and can be expressed by more digits in the ISO timestamp. I have to copyin(9) at the beginning of

ntpd offset loop refactoring

2021-03-18 Thread Alexander Bluhm
Hi, While hunting a bug in ntpd offset handling, I found some things that could be improved. Call the index of the offset loops "shift" consistently. Merge the two offset loops in client_update() into one. Assign the best value instead of memcpy. Use the same mechanism everywhere to avoid an

Re: unlock sys_sendsyslog

2021-03-17 Thread Alexander Bluhm
On Thu, Mar 11, 2021 at 12:40:37AM +0300, Vitaliy Makkoveev wrote: > Since UNIX domain sockets are unlocked it makes sense to unlock > sys_sendsyslog too. Console output still requires kernel lock to be > held but this path is only followed while `syslogf' socket is not set. > > New

ntpd adjtime offset race

2021-03-16 Thread Alexander Bluhm
Hi, I am running ntpd as a client with three upstream servers. Some of them are not synchronized and report a time that is off by several seconds. The ntpd client code corrects both T1 and T4 with the current offset returned by adjtime(2) from the kernel. T1 is local time when the NTP packet is

Re: sendsyslog kernel buffer

2021-03-09 Thread Alexander Bluhm
On Mon, Mar 08, 2021 at 11:55:30PM +0300, Vitaliy Makkoveev wrote: > This silently drops message if copyin() fails. Could we count them as > `logstash_dropped' too? No, as there is no message. Userland made something wrong. At least that is how I understand one of visa@'s remarks. The

Re: sendsyslog kernel buffer

2021-03-08 Thread Alexander Bluhm
I hope to have addressed all issues. On Sun, Mar 07, 2021 at 11:50:24AM +, Visa Hankala wrote: > This copyin() can also result in copying the buffer from userspace twice. > This might not be a problem with log data though. Is double copyin a problem? I think error != EFAULT should catch all

sendsyslog kernel buffer

2021-03-06 Thread Alexander Bluhm
Hi Early daemons like dhcpleased, slaacd, unwind, resolvd are started before syslogd. This results in ugly sendsyslog: dropped 1 message logs and the real message is lost. Changing the start order of syslogd and network daemons is not feasible. A possible solution is a temporary buffer for

ip_fragment ip6_fragment

2021-02-26 Thread Alexander Bluhm
Hi, It always bothered me that ip_fragment() and ip6_fragment() behave slightly differently. Unify them and use an mlist to simplify the fragment list. - The functions ip_fragment() and ip6_fragment() always consume the mbuf. - They free the mbuf and mbuf list in case of an error. - They care

Re: have m_copydata use a void * instead of caddr_t

2021-02-24 Thread Alexander Bluhm
On Wed, Feb 24, 2021 at 04:27:03PM +1000, David Gwynne wrote: > it's a start though. cocci and i came up with this to push in after. Less casting is better. OK bluhm@ > Index: arch/armv7/sunxi/sxie.c > === > RCS file:

Re: have m_copydata use a void * instead of caddr_t

2021-02-23 Thread Alexander Bluhm
On Tue, Feb 23, 2021 at 07:31:30PM +1000, David Gwynne wrote: > i'm not a fan of having to cast to caddr_t when we have modern > inventions like void *s we can take advantage of. Should you remove all the (caddr_t) casts in the callers then? Without that step this diff does not provide more

mbuf leak ip_insertoptions

2021-02-22 Thread Alexander Bluhm
Hi, ip_insertoptions() may prepend a mbuf. In this case "goto bad" has to free the new chain. Currently we leak the new mbuf in front of the old chain. NetBSD has fixed this bug here: revision 1.33 date: 1996-10-11 18:19:08 +; author: is; state: Exp; lines:

Re: Possible null deref on pf.c

2021-02-12 Thread Alexander Bluhm
On Fri, Feb 12, 2021 at 01:11:24PM +0100, Claudio Jeker wrote: > On Fri, Feb 12, 2021 at 12:03:49PM +, Ricardo Mestre wrote: > > This was reported on CID 1501718, ifp starts as NULL and then might be > > deref'ed. > This code is strange, the scope for the IPv6 address needs to be pulled >

Re: route sockets: simplify route_attach() error path

2021-02-11 Thread Alexander Bluhm
On Wed, Feb 10, 2021 at 10:51:52PM +0300, Vitaliy Makkoveev wrote: > Do soreserve() before `rop' allocation. It doesn't require protocol > control block be attached to socket. Also we always call `pr_attach' in > thread context so we always have `curproc'. While I found one pr_attach() from TCP

Re: isakmpd link dynamically

2021-02-11 Thread Alexander Bluhm
On Wed, Feb 10, 2021 at 04:16:10PM -0700, Theo de Raadt wrote: > When I re-ordered rc in Slovenia many years ago, I got it right. NFS /usr over IPsec cannot work. Without IPsec it is fine. 1. mount -s /usr >/dev/null 2>&1 2. start_daemon syslogd ldattach pflogd nsd unbound ntpd 3. start_daemon

isakmpd link dynamically

2021-02-10 Thread Alexander Bluhm
Hi, Every time we ship a libcrypto erratum, we have to relink isakmpd. I think that isakmpd and iked are in /sbin due to a historic mistake. Probably it is for people who mount /usr via NFS over IPsec. Moving isakmpd to /usr/sbin is hard, linking dynamically is easy. Lines stolen from iked. Is

interface group name validation

2021-02-09 Thread Alexander Bluhm
Hi, Next try to fix syzkaller crash https://syzkaller.appspot.com/bug?id=54e16dc5bce6929e14b42e2f1379f1c18f62be43 Interface group names must fit into IFNAMSIZ and be unique. But the kernel makes the unique check before truncating with strlcpy(). So there can be two interface groups with the

Re: PF_UNIX sockets unlocking

2021-02-09 Thread Alexander Bluhm
On Tue, Feb 09, 2021 at 09:14:44PM +0300, Vitaliy Makkoveev wrote: > On Tue, Feb 09, 2021 at 05:20:33PM +0100, Alexander Bluhm wrote: > > > +extern struct rwlock unp_lock; > > > > Could you put this declaration into a header file? > > I see no such sense to do this.

Re: PF_UNIX sockets unlocking

2021-02-09 Thread Alexander Bluhm
On Thu, Feb 04, 2021 at 03:07:44PM +0300, Vitaliy Makkoveev wrote: > I hope someone else will try it and gives positive feedback which allow > to push it forward. OK bluhm@ > +extern struct rwlock unp_lock; Could you put this declaration into a header file?

Re: diff: tcp ack improvement

2021-02-08 Thread Alexander Bluhm
On Mon, Feb 08, 2021 at 07:03:59PM +0100, Jan Klemkow wrote: > On Mon, Feb 08, 2021 at 03:42:54PM +0100, Alexander Bluhm wrote: > > On Wed, Feb 03, 2021 at 11:20:04AM +0100, Claudio Jeker wrote: > > > Just commit it. OK claudio@ > > > If people see proble

Re: diff: tcp ack improvement

2021-02-08 Thread Alexander Bluhm
On Wed, Feb 03, 2021 at 11:20:04AM +0100, Claudio Jeker wrote: > Just commit it. OK claudio@ > If people see problems we can back it out again. This has huge impact on TCP performance. http://bluhm.genua.de/perform/results/2021-02-07T00%3A01%3A40Z/perform.html For a single TCP connection

Re: ifg_refcnt atomic operation

2021-02-06 Thread Alexander Bluhm
On Sat, Feb 06, 2021 at 04:44:08PM +0100, Alexander Bluhm wrote: > Or should we go with a self crafted ++ -- refcounting? This would look like this, also fine with me. kasserts are also in refcnt_... API. ok? bluhm Index: net/i

Re: ifg_refcnt atomic operation

2021-02-06 Thread Alexander Bluhm
On Sat, Feb 06, 2021 at 05:58:35PM +0300, Vitaliy Makkoveev wrote: > I'm not sure it should be atomic. It seems groups require their own > lock and this lock should be held while we perform if_addgroup() and > if_delgroup(). I also think that atomic refcounting is not needed here. But it does

Re: broadcast simplex checksum

2021-02-06 Thread Alexander Bluhm
On Sat, Feb 06, 2021 at 08:26:35PM +1300, richard.n.proc...@gmail.com wrote: > I'm ok with your latest diff as-is. I prefer a slightly different > direction, see below, but not enough to object. I have committed my diff as is. It is better if you express your arguments yourself in the comment

Re: ifg_refcnt atomic operation

2021-02-06 Thread Alexander Bluhm
On Sat, Feb 06, 2021 at 05:04:20PM +1000, David Gwynne wrote: > refcnt_init starts counting at 1, while the existing code starts at 0. Do > the crashes stop because we never fully release all the references and > never free it now? You are absolutely right. I was too optimistic. Correct diff is

ifg_refcnt atomic operation

2021-02-05 Thread Alexander Bluhm
Hi, When I replace the ++ and -- of ifg_refcnt with an atomic operation, it fixes this syzkaller panic. https://syzkaller.appspot.com/bug?id=54e16dc5bce6929e14b42e2f1379f1c18f62be43 Without the fix "syz-execprog -repeat=0 -procs=8 repro-pfi.syz" crashes my vmm in a few seconds. With the diff I

Re: broadcast simplex checksum

2021-02-05 Thread Alexander Bluhm
On Mon, Feb 01, 2021 at 02:04:51AM +0100, Alexander Bluhm wrote: > On Mon, Feb 01, 2021 at 08:08:56AM +1300, Richard Procter wrote: > > - Might the rule disabling checksum offload for broadcasts on IFF_SIMPLEX > > interfaces be weakened to disable checksum offload for all broadcas

Re: reference trpt(8) in getsockopt(2)

2021-02-04 Thread Alexander Bluhm
On Thu, Feb 04, 2021 at 12:34:22PM +0100, Claudio Jeker wrote: > Also should we export the tcp_debug buffer via sysctl so that > trpt can run without kern.allowkmem? I have set kern.allowkmem on my development and testing machines. But of course a sysctl that always works would make this often

reference trpt(8) in getsockopt(2)

2021-02-04 Thread Alexander Bluhm
Hi, I always forget the name of trpt(8). It should be referenced in the SO_DEBUG section of getsockopt(2). ok? bluhm Index: lib/libc/sys/getsockopt.2 === RCS file: /data/mirror/openbsd/cvs/src/lib/libc/sys/getsockopt.2,v

tcpbench -D

2021-02-04 Thread Alexander Bluhm
Hi, I would like to analyse tcpbench(1) TCP connections. So I copied the nc -D socket debug option. ok? bluhm Index: usr.bin/tcpbench/tcpbench.1 === RCS file: /data/mirror/openbsd/cvs/src/usr.bin/tcpbench/tcpbench.1,v retrieving

Re: Remove obsolete vnode opv declarations

2021-02-01 Thread Alexander Bluhm
On Mon, Feb 01, 2021 at 02:14:24PM +, Visa Hankala wrote: > This removes obsolete vnode operation vector declarations from > header . The functions were removed in r1.28 of vfs_init.c. > > OK? OK bluhm@ > Index: sys/systm.h >

Re: broadcast simplex checksum

2021-01-31 Thread Alexander Bluhm
On Mon, Feb 01, 2021 at 08:08:56AM +1300, Richard Procter wrote: > - Might the rule disabling checksum offload for broadcasts on IFF_SIMPLEX > interfaces be weakened to disable checksum offload for all broadcast > packets instead? I just copied the condition from ether_resolve():

IPsec IPv6 Path MTU discovery

2021-01-29 Thread Alexander Bluhm
Hi, This fixes path MTU discovery for ESP tunneled in IPv6. In IPv6 we always want short TCP segments or fragments encapsulated in ESP instead of fragmented ESP packets. ok? bluhm Index: netinet/ip_output.c === RCS file:

Re: have pf_route bail out if it resolves a route with RTF_LOCAL set

2021-01-29 Thread Alexander Bluhm
On Fri, Jan 29, 2021 at 10:53:09AM +1000, David Gwynne wrote: > > Are you sure that it does not break any use case? I have seen so > > much strange stuff. What is the advantage? > > The current behaviour is lucky at best, and quirky at worst. Usually I > would agree with you that breaking stuff

Re: systat(1): improve parsing of delay value

2021-01-28 Thread Alexander Bluhm
On Thu, Jan 28, 2021 at 09:06:51PM +0100, Martijn van Duren wrote: > Thanks for checking. Should be fixed below. OK bluhm@ > Index: main.c > === > RCS file: /cvs/src/usr.bin/systat/main.c,v > retrieving revision 1.72 > diff -u -p

Re: pf: route-to IPs, not interfaces

2021-01-28 Thread Alexander Bluhm
On Thu, Jan 28, 2021 at 10:54:30PM +1000, David Gwynne wrote: > this is the diff from the "pf route-to issues" thread, but on its own. I think we should make progress and commit something. > the caveat is that route-to becomes tied to pass rules that create > state, like rdr-to and nat-to.

Re: have pf_route bail out if it resolves a route with RTF_LOCAL set

2021-01-28 Thread Alexander Bluhm
On Thu, Jan 28, 2021 at 09:57:33AM +1000, David Gwynne wrote: > calling if_output with a route to a local IP is confusing, and I'm not > sure it makes sense anyway. > > this treats an RTF_LOCAL route like an invalid round and drops the > packet. > > ok? Are you sure that it does not break any

Re: if pf_route{,6} route isn't valid, generate an icmp error

2021-01-27 Thread Alexander Bluhm
On Wed, Jan 27, 2021 at 04:41:01PM +1000, David Gwynne wrote: > at the moment if the route is invalid, we drop the packet. this > generates an icmp error. > > ok? OK bluhm@ > Index: pf.c > === > RCS file: /cvs/src/sys/net/pf.c,v >

Re: don't run dup-to generated packets through pf_test in pf_route{,6}

2021-01-26 Thread Alexander Bluhm
On Wed, Jan 27, 2021 at 11:31:27AM +1000, David Gwynne wrote: > this was discussed as part of the big route-to issues thread. i think > it's easy to break out and handle separately now. > > the diff does what the subject line says. it seems to work as expected > for me. i don't see weird state

Re: tiny pf_route{,6} tweak

2021-01-26 Thread Alexander Bluhm
On Wed, Jan 27, 2021 at 11:14:51AM +1000, David Gwynne wrote: > On Wed, Jan 27, 2021 at 11:13:12AM +1000, David Gwynne wrote: > > when pf_route (and pf_route6) are supposed to handle forwarding the > > packet (ie, for route-to or reply-to rules), they take the mbuf > > away from the calling code

Re: systat(1): improve parsing of delay value

2021-01-26 Thread Alexander Bluhm
On Mon, Jan 25, 2021 at 11:17:04AM +0100, Martijn van Duren wrote: > if (argc == 1) { > - double del = atof(argv[0]); > - if (del == 0) > + delay = strtodnum(argv[0], 0, UINT32_MAX / 100, ); > + if (errstr != NULL) >

Re: pf route-to issues

2021-01-26 Thread Alexander Bluhm
On Tue, Jan 26, 2021 at 10:39:30AM +1000, David Gwynne wrote: > > But what about dup-to? The packet is duplicated for both directions. > > I guess the main use case for dup-to is implementing a monitor port. > > There you have to pass packets stateless, otherwise it would not > > work anyway.

Re: pf route-to issues

2021-01-25 Thread Alexander Bluhm
On Fri, Jan 22, 2021 at 06:07:59PM +1000, David Gwynne wrote: > --- sys/conf/GENERIC 30 Sep 2020 14:51:17 - 1.273 > +++ sys/conf/GENERIC 22 Jan 2021 07:33:30 - > @@ -82,6 +82,7 @@ pseudo-device msts1 # MSTS line discipl > pseudo-deviceendrun 1 #

Re: [External] : Re: pf route-to issues

2021-01-25 Thread Alexander Bluhm
Hi, Some personal thoughts. I am happy when pf route-to gets simpler. Especially I have never understood what this address@interface syntax is used for. I cannot estimate what configuration is used by our customers in many installations. Simple syntax change address@interface -> address of next

IPv6 IPsec path MTU discovery

2021-01-20 Thread Alexander Bluhm
Hi, This part of the IPv6 IPsec path MTU discovery is for the case where the router is between the tunnel endpoints. Basically it handles ICMP6 packets for ESP. Originally this diff came from markus@. ok? bluhm Index: netinet/ip_ipsp.h

broadcast simplex checksum

2021-01-19 Thread Alexander Bluhm
Hi, Simplex interfaces reinject broadcast packets back into the IP stack. As this is a software feature, no hardware checksumming occurs. So local broadcast packets are dropped with wrong checksum if the underlying hardware supports checksumming. Do software checksumming in ip_output() if the

tcpdump pflog af and rewritten addresses

2021-01-18 Thread Alexander Bluhm
Hi, tcpdump pflog with addresses rewritten by rdr-to, nat-to, or af-to is broken. 1. Fix address family of the packet in af-to rules: before: 19:26:37.620926 169.254.0.14 > 169.254.0.14: icmp: echo request 19:26:37.620946 bad-ip6-version 4 19:26:37.620963 fc00::23 > fc00::24: icmp6: echo

pflog remove translation

2021-01-18 Thread Alexander Bluhm
Hi, pflog(4) tries to log the translated packet with rdr-to, nat-to, and af-to applied. Therefore it creates a mbuf chain on the stack with a partial copy. This might have been a good idea for plain IPv4 10 years ago. But now the concept fails miserably due to: - IP options - extension header

Re: Add if_mreqn support to IP_MULTICAST_IF

2021-01-15 Thread Alexander Bluhm
On Fri, Jan 15, 2021 at 03:02:37PM +0100, Claudio Jeker wrote: > On Fri, Jan 15, 2021 at 02:53:17PM +0100, Claudio Jeker wrote: > > I forgot to add ip_mreqn support to IP_MULTICAST_IF and so the > > IP_ADD_MEMBERSHIP change is not fixing all the issues I have. > > > > Linux supports calling

Re: tell pfctl(8) route-to and reply-to accept next-hop only

2021-01-15 Thread Alexander Bluhm
On Tue, Jan 12, 2021 at 08:45:22PM +0100, Alexandr Nedvedicky wrote: > I think bluhm@ and dlg@ have committed part of that change already. I have only committed a refactoring change. Next step in kernel would be to remove the check in pf_find_state() and see what happens. I was waiting for dlg@

Re: pf af-to sysctl forwarding

2021-01-15 Thread Alexander Bluhm
On Fri, Jan 15, 2021 at 03:24:43PM +0100, Klemens Nanni wrote: > Existing routers doing NAT64 for IPv6-only networks will require > `net.inet.ip.forwarding=1' for NAT64 to work. Actually you will need both of them. When sending "IPv6 -> pf-router -> IPv4" you need ip forwarding as pf translates

sysctl ip.forwarding 2

2021-01-15 Thread Alexander Bluhm
Hi, As documented in sysctl(2) net.inet.ip.forwarding can be 2. netinet/ip_output.c:448 if (ipsec_in_use && (flags & IP_FORWARDING) && (ipforwarding == 2) && Current input validation prevents this. # sysctl net.inet.ip.forwarding=2 sysctl: net.inet.ip.forwarding: Invalid argument

pf af-to sysctl forwarding

2021-01-15 Thread Alexander Bluhm
Hi, sysctl net.inet.ip.forwarding is checked before ip_input() passes the packet to ip_forward(). But with an af-to rule, pf(4) calls ip_forward() directly. I think we should check the sysctl also in pf to get consistent behaviour. ok? bluhm Index: net/pf.c

pf log user and group

2021-01-11 Thread Alexander Bluhm
Hi, Sometimes an uid is logged in pflog(4) although the logopt of the rule does not specify it. Check the option again for the log rule in case another rule has triggered a socket lookup. Remove logopt group, it is not documented and cannot work as struct pfloghdr does not contain a gid.

Re: pf route-to issues

2021-01-08 Thread Alexander Bluhm
On Tue, Jan 05, 2021 at 10:05:39PM +1000, David Gwynne wrote: > If the idea is to avoid running most of pf_test again if route-to is > applied during ip_output, I think this tweaked diff is simpler. Is there > a valid use case for running some of pf_test again after route-to is > applied? I found

Re: pf route-to issues

2021-01-04 Thread Alexander Bluhm
On Mon, Jan 04, 2021 at 11:21:50PM +1000, David Gwynne wrote: > this chunk pops out as a standalone change. > > having pf_find_state() return PF_PASS here means the callers short > circuit and let the packet go through without running it through > a lot of the state handling, which includes

Re: pf route-to issues

2021-01-04 Thread Alexander Bluhm
On Mon, Jan 04, 2021 at 04:32:45PM +0100, Alexandr Nedvedicky wrote: > so either rt_kif must stay for a while, or your new diff (rebased on top > of > stuff committed already) must be expanded by the nit pick I've sent. The diff I sent contains this bit. I still think the merge bug is

Re: pf route-to issues

2021-01-04 Thread Alexander Bluhm
On Mon, Jan 04, 2021 at 03:26:15PM +0100, Alexandr Nedvedicky wrote: > your refactoring diff requires a minor finishing touch to keep the > stuff compiling: Did I commit something that does not compile? I just made cvs update on another machine. There it worked. The rt_kif in pf_state still

Re: pf route-to issues

2021-01-04 Thread Alexander Bluhm
On Mon, Jan 04, 2021 at 11:46:16AM +0100, Alexandr Nedvedicky wrote: > > let's put this in and then i'll have a look. ok by me. > bluhm's diff is fine with me. Refactoring is committed, here is the remaining kernel diff after merge. bluhm Index: net/if_pfsync.c

Re: convert i386 fix_f00f() uvm_km_zalloc

2021-01-03 Thread Alexander Bluhm
On Mon, Jan 04, 2021 at 10:00:25AM +1000, Jonathan Matthew wrote: > I don't have a real 586, but I can tell qemu to pretend to be one, > which at least executes this code. You can run regress/sys/arch/i386/f00f/ . > Using kd_waitok here seems suspect, because if we're out of memory > this early

Re: pf route-to issues

2021-01-03 Thread Alexander Bluhm
On Sun, Jan 03, 2021 at 06:56:20PM +0100, Alexander Bluhm wrote: > I am currently running a full regress to find more fallout. These regress tests fail: sys/net/pf_forward sys/net/pf_fragment sbin/pfctl The first two are easy to fix. That means my tests using route-to work fine with your d

Re: pf route-to issues

2021-01-03 Thread Alexander Bluhm
On Sun, Jan 03, 2021 at 02:00:00PM +1000, David Gwynne wrote: > On Tue, Oct 20, 2020 at 09:27:09AM +1000, David Gwynne wrote: > We've been running this diff in production for the last couple of > months, and it's been solid for us so far. Ignoring the fixes for > crashes, I personally find it a

Re: uvm_fault: amap & anon locking

2021-01-01 Thread Alexander Bluhm
On Wed, Dec 30, 2020 at 11:19:41AM -0300, Martin Pieuchot wrote: > This has been extensively tested as part of the unlocking diff I sent to > many developers. However, I'd appreciate if you could test again because > this diff doesn't include WITNESS and do not unlock the fault handler. Passed

Re: Thread local data setup and destruct

2020-12-31 Thread Alexander Bluhm
On Tue, Dec 29, 2020 at 04:07:19PM +0100, Otto Moerbeek wrote: > This works better, checking the flags does not work if the thread is > already on the road to destruction. This diff survived a full regress run on amd64. bluhm > Index: asr/asr.c >

Re: IPsec IPv6 PMTU

2020-12-27 Thread Alexander Bluhm
On Thu, Dec 24, 2020 at 10:54:59PM +0100, Alexander Bluhm wrote: > It also makes v4 and v6 code look similar. If you want, I can > split this for easier review. This is the part of the diff that creates a path MTU host route for IPv6. Basically the code is copied from IPv4 and adapted.

IPsec IPv6 PMTU

2020-12-24 Thread Alexander Bluhm
Hi, This diff makes path MTU discovery work for IPv6 IPsec ESP over IPv4 tunnel. Basically it ports code from v4 to v6. It also makes v4 and v6 code look similar. If you want, I can split this for easier review. ok? bluhm Index: netinet/icmp6.h

Re: netstat - proto ip record

2020-12-23 Thread Alexander Bluhm
On Wed, Dec 16, 2020 at 05:24:50PM +0100, Claudio Jeker wrote: > On Wed, Dec 16, 2020 at 03:54:04PM +, Stuart Henderson wrote: > > On 2020/12/16 16:43, Salvatore Cuzzilla wrote: > > > Hi folks, > > > > > > is there any process associated with this netstat record? > > > btw, what's the meaning

IPv6 pf_test EACCES

2020-12-21 Thread Alexander Bluhm
Hi, A while ago we decided to pass EACCES to userland if pf blocks a packet. IPv6 still has the old EHOSTUNREACH code. Use the same errno for dropped IPv6 packets as in IPv4. ok? bluhm Index: netinet6/ip6_output.c === RCS file:

IPsec PMTU and reject route

2020-12-19 Thread Alexander Bluhm
Hi, In revision 1.87 of ip_icmp.c claudio@ added ignoring reject routes to icmp_mtudisc_clone(). Otherwise TCP would clone these routes for PMTU discovery. They will not work, even after dynamic routing has found a better route than the reject route. With IPsec the use case is different.

Re: converting uvm_km_valloc to km_alloc

2020-12-18 Thread Alexander Bluhm
On Fri, Dec 18, 2020 at 10:36:28AM +1000, Jonathan Matthew wrote: > Here are a couple of relatively easy ones, applying changes from r1.86 of > amd64's acpi_machdep.c to i386 and arm64. I've tested i386 but it turns out I > don't have any arm64 machines with acpi. A machine like this? Something

amd64 pmap pv_entry SLIST

2020-12-17 Thread Alexander Bluhm
Hi, Can we convert the pv_entry list in amd64 pmap into an SLIST? I think the code with macros is easier to read. ok? bluhm Index: arch/amd64//amd64/pmap.c === RCS file: /data/mirror/openbsd/cvs/src/sys/arch/amd64/amd64/pmap.c,v

Re: regress print target name

2020-12-17 Thread Alexander Bluhm
On Wed, Dec 16, 2020 at 04:42:59PM +0100, Alexander Bluhm wrote: > When debugging tests, it is useful to see the target name and which > output belongs to it. A small addition: Run setup_once targets in a separate block with headline before all other targets. ok? bluhm Index: sh

regress print target name

2020-12-16 Thread Alexander Bluhm
Hi, When debugging tests, it is useful to see the target name and which output belongs to it. A lot of my tests have echo lines, but I think this is better done in the framework. Then all tests behave similar. I would remove the echos from the Makefiles afterwards. ok? bluhm Index:

amd64 pamp panic messages

2020-12-16 Thread Alexander Bluhm
Hi, during all my pmap crashes, I sometimes get this strange address. panic: pmap_remove_pte: unmanaged page marked PG_PVLIST, va = 0x5d155753000, pa = 0xfdfdfdfdfd000 I think we should not clear bits in a panic message. Debugging with the full picture is easier. While there make the panics

Re: Kernel panic with i386 on latest snapshot

2020-12-15 Thread Alexander Bluhm
On Tue, Dec 15, 2020 at 06:57:03PM +0100, Mark Kettenis wrote: > Does the diff below fix this? I can reproduce the panic and your diff fixes it. Usually my regress machines do not trigger it as I do not install firmware. fw_update and reboot makes it crash. bluhm OpenBSD 6.8-current

Re: diff: replace useless use of MCLGETL with MCLGET

2020-12-14 Thread Alexander Bluhm
On Sat, Dec 12, 2020 at 02:05:48PM +0100, Jan Klemkow wrote: > Thus, this diff removes '(void)' from the MCLGET macro > -#define MCLGET(m, how) (void) m_clget((m), (how), MCLBYTES) > +#define MCLGET(m, how) m_clget((m), (how), MCLBYTES) The MCLGET API is to add a cluster to an existing mbuf.

Re: diff: cleanup type handling

2020-12-12 Thread Alexander Bluhm
On Sat, Dec 12, 2020 at 02:25:03PM +0100, Jan Klemkow wrote: > The type of the local variable hash in pf_map_addr() has right length > but the wrong type. This diff uses the correct type and removes the > useless casts. Both functions uses hash as pf_addr, so no cast is > needed. > > OK? OK

Re: PF synproxy should act on inbound packets only

2020-12-04 Thread Alexander Bluhm
On Fri, Dec 04, 2020 at 01:08:53AM +0100, Alexandr Nedvedicky wrote: > below is updated diff. The new diff also updates pf.conf(5) manpage. OK bluhm@ A note for the man page. > @@ -2126,6 +2126,9 @@ will not work if > .Xr pf 4 > operates on a > .Xr bridge 4 . > +Also > +.Cm synproxy state >

Re: PF synproxy should act on inbound packets only

2020-12-03 Thread Alexander Bluhm
On Wed, Dec 02, 2020 at 12:43:28AM +0100, Alexandr Nedvedicky wrote: > the fix is to apply synproxy action on inbound packets only. Diff below > does that exactly. Furthermore it also makes pfctl(8) to emit warning, > when synproxy is being used in outbound/unbound rule: Sounds reasonable. >

Re: Fix ix(4) link status

2020-11-10 Thread Alexander Bluhm
On Mon, Oct 12, 2020 at 11:20:50AM +0200, Gerhard Roth wrote: > ix(4) relies on link-state change interrupts to update the link state > via if_link_state_change(). However, after ixgbe_stop() all interrupts > for the device are disabled and there won't be any IXGBE_EICR_LSC > interrupt. > >

Re: accton(8) requires a reboot after being enabled

2020-11-03 Thread Alexander Bluhm
On Fri, Oct 30, 2020 at 09:59:09AM -0600, Theo de Raadt wrote: > 1 - historically it requires a file to be pre-created. In the rc scripts, > this is a touch. That grabs the umask and ownership of root's run of > /etc/rc. > 2 - could we do better, in some way? We could do the same as we

Re: net.inet.ip.forwarding=0 vs lo(4)

2020-10-20 Thread Alexander Bluhm
On Tue, Oct 20, 2020 at 10:14:13AM +1000, David Gwynne wrote: > such a diff looks like this. it adds a "global" flag that you can set on > interfaces. Making addresses on loopback interfaces globally accessible is against the idea of the strong host model. Current behavior is a consequence when

syslogd listen keep alive

2020-09-14 Thread Alexander Bluhm
Hi, A while ago dhill@ pointed out that syslogd TCP sockets will stay open forever if a client aborts the connection silently. As syslogd does not write anything into incoming connections, it will not recognize failure and the socket will stay forever. Setting TCP keep alive on the listen

Re: trunk: keep interface up on port removal

2020-09-12 Thread Alexander Bluhm
OK bluhm@ On Sat, Sep 12, 2020 at 05:49:52PM +0200, Klemens Nanni wrote: > Index: if_trunk.c > === > RCS file: /cvs/src/sys/net/if_trunk.c,v > retrieving revision 1.149 > diff -u -p -r1.149 if_trunk.c > --- if_trunk.c28 Jul

Re: pf_remove_divert_state

2020-07-25 Thread Alexander Bluhm
On Sat, Jul 25, 2020 at 09:37:37PM +0900, YASUOKA Masahiko wrote: > Is this part a reason why we have "divert-reply"? Yes. Divert rules pass packets to the local network stack. With divert-to you specify the socket address. This works for incoming connections. The divert-to address can be

Re: pf_remove_divert_state

2020-07-25 Thread Alexander Bluhm
On Sat, Jul 25, 2020 at 08:20:21PM +0900, YASUOKA Masahiko wrote: > Currently SO_BINDANY is usable without any divert or divert-reply > rule. This is why we have the divert-reply feature. Just mark the states with that keyword when you want to use them with SO_BINDANY. See man setsockopt Is

Re: tcp_close: can we delay the reaper for 1 tick?

2020-07-24 Thread Alexander Bluhm
On Fri, Jul 24, 2020 at 01:20:29PM -0500, Scott Cheloha wrote: > tcp_close() schedules the reaper timeout to run immediately. > Does it need to run *immediately*? Can it wait for one tick? It does not matter. Free has to happen after timeout thread has been run. Some other timeout may be

Re: sensorsd bad unveil

2020-07-02 Thread Alexander Bluhm
On Thu, Jul 02, 2020 at 12:39:47PM -0600, Theo de Raadt wrote: > The unveil("/", "x") is to support command execution: Of course. Forgot that. bluhm Index: usr.sbin/sensorsd/sensorsd.c === RCS file:

sensorsd bad unveil

2020-07-02 Thread Alexander Bluhm
Hi, sensorsd(8) reports an unveil failure due to chdir / . An additional "r" permission would be necessary. - chdir before unveil, do not unveil / - use absolute config path after chdir, also necessary for SIGHUP - /etc/sensorsd.conf.db must be unveiled, cgetent(3) tries to open it ok? bluhm

Re: Correcty reloading unresolved host in syslogd @Conf lines

2020-05-22 Thread Alexander Bluhm
On Fri, May 22, 2020 at 07:38:30AM -0600, Todd C. Miller wrote: > I'm a little confused by the protocol handling in cfline. > > if (strcmp(proto, "udp") == 0) { > if (fd_udp == -1) > proto = "udp6"; > if (fd_udp6 == -1) >

Re: diff: uvm: fix unitialized var and simplify code in km_alloc()

2020-05-22 Thread Alexander Bluhm
On Wed, May 20, 2020 at 11:44:57AM +0200, Jan Klemkow wrote: > The function km_alloc() returns the uninitialized local variable sva if > pgl is empty. It seems to be not possible in the current condition of > the code, but I'm not sure if this is guaranteed. Thus, I would prefer > to initialize

Re: Correcty reloading unresolved host in syslogd @Conf lines

2020-05-22 Thread Alexander Bluhm
On Wed, May 20, 2020 at 09:29:54PM -0400, sven falempin wrote: > ? Will it goes into base this time ? I need an OK from a developer. Anyone? bluhm > On Mon, May 18, 2020 at 5:31 AM Alexander Bluhm > > Index: usr.sbin/syslo

Re: Correcty reloading unresolved host in syslogd @Conf lines

2020-05-18 Thread Alexander Bluhm
On Sat, May 16, 2020 at 07:23:37PM -0400, sven falempin wrote: > This was looked at before. > Did not get through. The posted diff was not my final solution. But yes, the issue was forgotten. So I would suggest this. When DNS lookup of an UDP loghost failed, syslogd(8) did close the UDP

Re: Remove some customization from our perl build

2020-05-18 Thread Alexander Bluhm
On Sun, May 17, 2020 at 09:49:54AM -0700, Andrew Hewus Fresh wrote: > I think this patch is now cleaned up enough to look for OKs. OK bluhm@ > The patch to numeric.c works around an issue with clang and > -Wdeclaration-after-statement that was fixed more correctly upstream, > but pulling in the

Re: Fix occasional signify regression test fail

2020-04-03 Thread Alexander Bluhm
On Thu, Apr 02, 2020 at 08:03:33AM +, Christian Ludwig wrote: > The signify regression test creates a tar archive from the test's > directory. Without a symlink to the obj directory, the output tarball is > part of the input file list. This makes tar complain that archive.tgz > was modified

Re: rwsleep and stopped process

2020-03-01 Thread Alexander Bluhm
On Sun, Mar 01, 2020 at 02:16:20PM +0100, Mark Kettenis wrote: > This probably means that msleep(4) has a similar issue. Here is the diff for msleep() and rwsleep(). bluhm Index: kern/kern_synch.c === RCS file:
