ifconfig(8): remove "autoconfprivacy"

2021-10-05 Thread Florian Obser
OK? diff --git ifconfig.c ifconfig.c index 7d86e887561..33aea910d80 100644 --- ifconfig.c +++ ifconfig.c @@ -246,7 +246,6 @@ voidsetgroupattribs(char *, int, char *[]); intprintgroup(char *, int); void setautoconf(const char *, int); void settemporary(const char *, int); -void

Re: iwm 11n mode roaming fix needs testing

2021-10-04 Thread Florian Obser
This works as advertised on: iwm0 at pci1 dev 0 function 0 "Intel Dual Band Wireless-AC 9260" rev 0x29, msix iwm0: hw rev 0x320, fw ver 46.6b541b68.0, address 40:74:e0:38:11:11 and iwm0 at pci2 dev 0 function 0 "Intel AC 7260" rev 0x83, msi iwm0: hw rev 0x140, fw ver 17.3216344376.0, address

Re: [PATCH] Always generate SAN

2021-09-17 Thread Florian Obser
I thought we had fixed this :( OK florian On 2021-09-17 14:57 +01, Stuart Henderson wrote: > Moved to tech@. Full original mail at > https://marc.info/?l=openbsd-misc=163187837530385=2 > > On 2021-09-17, Wolf wrote on misc@: >> Use of only CN is not allowed according to Baseline Requirements

Re: [Patch] Document /upgrade.site in sysupgrade(8) man page

2021-09-03 Thread Florian Obser
I'd like to see this documented, I didn't know about it and now I'm using it on all my systems. I don't have an opinion *where* it should be documented. On 2021-09-02 10:18 -05, Aaron Poffenberger wrote: > Any further thoughts on this patch to the man page? > > Cheers, > > --Aaron > > On

Re: iked(8): make proto option accept lists

2021-09-03 Thread Florian Obser
On 2021-09-03 10:38 +02, Claudio Jeker wrote: > On Fri, Sep 03, 2021 at 10:12:57AM +0200, Sebastian Benoit wrote: >> Tobias Heider(tobias.hei...@stusta.de) on 2021.09.02 15:39:46 +0200: >> > + ; >> > + >> > +proto_list: protoval { $$ = $1; } >> > + |

Re: iwm/iwx suspend/resume improvement

2021-09-02 Thread Florian Obser
This survived multiple suspend / resumes on iwm0 at pci1 dev 0 function 0 "Intel Dual Band Wireless-AC 9260" rev 0x29, msix iwm0: hw rev 0x320, fw ver 46.6b541b68.0, address 40:74:e0:38:11:11 thanks On 2021-09-02 15:26 +02, Stefan Sperling wrote: > This patch fixes suspend/resume with an

Re: async traceroute(8)

2021-09-02 Thread Florian Obser
On 2021-09-02 15:00 +02, Florian Obser wrote: > On 2021-09-01 04:05 -06, "Theo de Raadt" wrote: >> Stuart Henderson wrote: >> >>> On 2021/09/01 11:25, Florian Obser wrote: >>> > So traceroute sends one probe, waits up to 5^W3 seconds for an answe

Re: async traceroute(8)

2021-09-02 Thread Florian Obser
On 2021-09-01 04:05 -06, "Theo de Raadt" wrote: > Stuart Henderson wrote: > >> On 2021/09/01 11:25, Florian Obser wrote: >> > So traceroute sends one probe, waits up to 5^W3 seconds for an answer to >> > arrive, sends the next probe and so on. >> >

Re: Removal of old users and groups in the upgrade notes

2021-09-02 Thread Florian Obser
On 2021-09-02 12:26 +02, Sebastian Benoit wrote: > Raf Czlonka(rczlo...@gmail.com) on 2021.09.02 10:51:19 +0100: >> Ping. >> >> On Mon, May 24, 2021 at 05:06:08PM BST, Raf Czlonka wrote: >> > Ping. >> > >> > On Sun, May 09, 2021 at 01:07:15PM BST, Raf Czlonka wrote: >> > > Hello, >> > > >> > >

Re: iked(8): client-side DNS support via resolvd(8)

2021-09-01 Thread Florian Obser
On 2021-09-01 13:28 +02, Tobias Heider wrote: > Here's an updated diff with the following changes: > > - Send the ifidx of the configured 'iface' instead of ifidx 0 to prevent > name collisions > - Cache the first received DNS server locally for cleanup/resending. > - Handle

async traceroute(8)

2021-09-01 Thread Florian Obser
So traceroute sends one probe, waits up to 5^W3 seconds for an answer to arrive, sends the next probe and so on. This makes it a bit faster (10x on a path with two intermediate systems not answering) by sending probes, waiting for the answer and doing reverse DNS lookups async. Please test. diff

Re: reduce debug logging from slowcgi

2021-08-31 Thread Florian Obser
OK florian On 2021-08-31 16:24 +02, Paul de Weerd wrote: > Hi all, > > On a busy-ish site, I found that slowcgi is doing quite excessive > logging: every single environment variable is logged on a separate > logline. There's at least 17 variables per hit, but I've seen it go > up to 35. If

Re: [Patch] - Add -u (update packages) to sysupgrade(8)

2021-08-28 Thread Florian Obser
Oooh, neat. Thanks for this! On 2021-08-28 09:26 +02, Sebastien Marie wrote: > On Fri, Aug 27, 2021 at 08:17:51PM -0500, Aaron Poffenberger wrote: >> Following is patch to add a flag to upgrade packages during >> rc.firsttime after a sysupgrade. >> > > if you need this flag, is it a punctual

Re: wg(4) ipv6 ospf6d

2021-08-25 Thread Florian Obser
On 25 August 2021 22:02:02 CEST, Stefan Sperling wrote: >On Wed, Aug 25, 2021 at 08:13:26PM +0200, Florian Obser wrote: >> On 2021-08-25 18:02 +01, Stuart Henderson wrote: >> > Trying to announce a network on a wg(4) interface via ospf6d, just >> > using passive

Re: wg(4) ipv6 ospf6d

2021-08-25 Thread Florian Obser
On 2021-08-25 18:02 +01, Stuart Henderson wrote: > Trying to announce a network on a wg(4) interface via ospf6d, just > using passive to pick up the prefix, i.e. > > interface wg0 { passive } > > It's failing with "/etc/ospf6d.conf:10: unnumbered interface wg0". > > With -v I get 'interface with

Re: autoupgrade dhcp autoconf race

2021-08-24 Thread Florian Obser
Reads good. OK florian On 24 August 2021 19:41:06 CEST, Alexander Bluhm wrote: >Hi, > >For some weeks my automatic regress tests are not started reliably. >When the auto upgrader tries to fetch the sets, sometimes ftp does >not find any. The em0 interface is down and has no address. >

Re: resolv.conf(5): remove "either file" wording

2021-08-24 Thread Florian Obser
Committed, thanks! On 2021-08-23 22:39 -04, Scott Bennett wrote: > In rev 1.61, references to resolv.conf.tail were removed, so it appears that > this page is now meant to solely document resolv.conf, a single file. So that > makes this sentence make not-so-much sense: > > The

handle RTM_IFANNOUNCE in dhcpleased & slaacd

2021-08-23 Thread Florian Obser
So I was playing with a usb network adapter and noticed that dhcpleased and slaacd would hold on to them when I unplugged them. They would be listed as "unknown" because we can't find the if_name for the if_index anymore. Turns out we are not getting a RTM_IFINFO when an interface disappears but

Re: Reference dhcpleased.conf(5)

2021-08-23 Thread Florian Obser
On 2021-08-22 18:36 -04, Scott Bennett wrote: > Like the rad(8) and unwind(8) manuals do, add references to > dhcpleased.conf(5) in the appropriate places. Committed, thanks! > > Cheers, > Scott > > diff 4ccbc464479218d5b5f4125325c4d9358f653323 /usr/src > blob -

Re: [patch] traceroute timeouts

2021-08-20 Thread Florian Obser
I guess I was too optimistic. I regularly work on machines that are 600-700 ms away and figured an additional 300 ms is good enough. Maybe not in case of congested links... On 20 August 2021 13:17:12 CEST, Mark Kettenis wrote: >> From: Florian Obser >> Date: Fri, 20 Aug 2021 10

Re: [patch] traceroute timeouts

2021-08-20 Thread Florian Obser
Makes sense to me, OK florian On 2021-08-19 23:47 -07, wrote: > The default traceroute timeout of 5 seconds is excruciatingly long > when there are elements of the route that don't respond, and it > wasn't allowed to be set lower than 2 seconds. > > This changes the minimum to 1 second, matching

Re: ucc(4): consumer control keyboard device driver

2021-08-18 Thread Florian Obser
My microsoft sculpt has a bunch of media keys. I tried mute and increment / decrement. They don't seem to have an effect. --- dmesg.boot Wed Aug 18 19:19:07 2021 +++ dmesg.boot.ucc Wed Aug 18 19:19:16 2021 @@ -1,7 +1,7 @@ -OpenBSD 7.0-beta (GENERIC.MP) #131: Wed Aug 18 10:18:06 CEST 2021

Re: dhcpleased(8): ignore servers / parts of lease

2021-08-09 Thread Florian Obser
On 2021-08-09 09:56 -06, "Theo de Raadt" wrote: > Using the word "security", you've got to be kidding. > > If a dhcp server on a L2 segment can be "rogue" about one thing, it can > most certainly lie about any other answer, or act out in many other > ways. > > The only way to avoid "rogue" DHCP

Re: dhcpleased(8): ignore servers / parts of lease

2021-08-09 Thread Florian Obser
On 2021-08-08 12:14 -07, patrick keshishian wrote: > On Sun, Aug 08, 2021 at 12:37:54PM +0200, Florian Obser wrote: >> This implements ignoring of nameservers and / or routes in leases as >> well as completely ignoring servers (you cannot block rogue DHCP servers >> in pf bec

Re: dhcpleased(8): ignore servers / parts of lease

2021-08-09 Thread Florian Obser
On 2021-08-08 11:52 +01, Jason McIntyre wrote: > On Sun, Aug 08, 2021 at 12:37:54PM +0200, Florian Obser wrote: >> This implements ignoring of nameservers and / or routes in leases as >> well as completely ignoring servers (you cannot block rogue DHCP servers >> in pf bec

dhcpleased(8): ignore servers / parts of lease

2021-08-08 Thread Florian Obser
This implements ignoring of nameservers and / or routes in leases as well as completely ignoring servers (you cannot block rogue DHCP servers in pf because bpf sees packets before pf). Various people voiced the need for these features. Tests, OKs? diff --git dhcpleased.c dhcpleased.c index

Re: [patch] dhcpleased(8): No new lease when trunk(4) failover

2021-08-02 Thread Florian Obser
On 2021-07-28 23:02 +02, Jesper Wallin wrote: > Hi tech@ > > I've set up my machine to use trunk(4) with re(4) and iwm(4) as failover, > to make life easier when switching between wired and wireless > networking. The wired network at home is on a different subnet from > the wireless network, so

unwind(8): don't doubt secure answers on network change

2021-07-23 Thread Florian Obser
Do not doubt a secure (i.e. validated) NXDOMAIN response when we just switched networks. We just validated it! While here reorder the long list of conditions to make it easier to understand when we doubt a response because we might be behind a captive portal. First list all conditions when we do

unwind(8): store enabled resolvers lookup table in config

2021-07-23 Thread Florian Obser
We store a list of resolver strategies in order of their preference in the configuration struct. This is also an implicit list of enabled resolver strategies. We have also stored an explicit lookup array of enabled strategies outside of the configuration to be able to quickly answer "is this

Re: unwind(8): WIP support using a custom CA

2021-07-22 Thread Florian Obser
On 2021-07-22 13:25 UTC, Lucas wrote: > Updated patch. It now: > > - Allows using a custom CA > - Reconfigure DoT resolvers' config when just the CA changed (previous > version only impacted CA changes when there were also resolvers > changes) > > Have been running it without problems so far,

Re: dhcpleased: default route with classless static routes option

2021-07-18 Thread Florian Obser
On 2021-07-18 01:02 +02, Bjorn Ketelaars wrote: > On Sat 17/07/2021 17:12, Florian Obser wrote: >> >> >> On 17 July 2021 13:16:59 CEST, Bjorn Ketelaars wrote: >> >An inconsistency exists between dhclient(8) and dhcpleased(8) when >> >receiving the Cla

Re: dhcpleased: default route with classless static routes option

2021-07-17 Thread Florian Obser
On 17 July 2021 13:16:59 CEST, Bjorn Ketelaars wrote: >An inconsistency exists between dhclient(8) and dhcpleased(8) when >receiving the Classless Static Routes option: dhcpleased creates a >default route, while dhclient does not. > >If I'm not mistaken, the behaviour of dhclient is correct.

Re: Fix unsafe snmpd defaults

2021-06-15 Thread Florian Obser
On 2021-06-15 17:39 +01, Stuart Henderson wrote: > Can we take a straw poll of readers of this email who are using SNMPv3 > (if any ;-) -- are you using auth+enc, just auth, or no authentication? > I'm thinking that somebody who went to the trouble of using v3 > probably uses auth+enc though I

Re: Fix unsafe snmpd defaults

2021-06-14 Thread Florian Obser
I like it, Ok florian fwiw -- I'm not entirely sure you are real.

dhcpleased(8): implement classless static routes option

2021-06-13 Thread Florian Obser
Implement "classless static routes" dhcp option. For this we need to be able to handle multiple routes being sent from the engine to the main process as well as to the control tool. This also lets us handle multiple default routes in the "routers" option for free. The configuration of the

dhcpleased(8): handle gateway outside configured address prefix

2021-06-11 Thread Florian Obser
I hear there are circuses out there where the dhcp server hands us a /32 and so the default gateway is not reachable. The comment in sbin/dhclient/kroute.c suggests that the Google Clown Platform operates in this way. I seem to recall mumblings that Hetzner does something similar on their VPS.

Re: iwm(4): use new firmware images with fragattack fixes

2021-05-25 Thread Florian Obser
So far this is working on my X1 gen2: iwm0 at pci2 dev 0 function 0 "Intel AC 7260" rev 0x83, msi iwm0: hw rev 0x140, fw ver 17.3216344376.0 -- I'm not entirely sure you are real.

Re: httpd(8): fastcgi & Content-Length: 0

2021-05-20 Thread Florian Obser
On 2021-05-20 16:31 +02, Matthias Pressfreund wrote: > I just tried WordPress again on Firefox and Chrome. No problems. > Is there an obj folder? If so, maybe try to do 'make clean' > after step 5. > I suspect there was one diff too many in Steve's procedure. I provided a clean diff for 6.9 in

Re: httpd(8): fastcgi & Content-Length: 0

2021-05-19 Thread Florian Obser
> - key.kv_key = "Content-Length"; > - if ((kv = kv_find(>http_headers, )) == NULL) { > - if (kv_add(>http_headers, > - "Content-Length", "0") == NULL) > - return (-1); > -

Re: httpd(8): fastcgi & Content-Length: 0

2021-05-19 Thread Florian Obser
>> >> I applied this patch to the base OpenBSD 6.9 httpd source tree, >> recompiled & installed. >> >> Wordpress works in both Firefox and Chrome, Roundcubemail works in >> both Firefox and Chrome. >> >> However, my Android Nextcloud client is now brok

Re: Regarding May 17 patch

2021-05-19 Thread Florian Obser
Fix is in the mail I just sent to tech with subject "httpd(8): fastcgi & Content-Length: 0" On 2021-05-19 18:50 +02, m...@fn.de wrote: > On 2021-05-19 17:54, Florian Obser wrote: >> Please indicate where you experience a 30 second delay. >> You get a 302 Found w

httpd(8): fastcgi & Content-Length: 0

2021-05-19 Thread Florian Obser
The whole point of using Transfer-Encoding: chunked for fastcgi was so that we do not need to provide a Content-Length header if upstream doesn't give us one. (We'd need to slurp in all the data ugh). Now turns out that if we disable chunked encoding for zero sized bodies some browsers are picky

Re: Regarding May 17 patch

2021-05-19 Thread Florian Obser
On 2021-05-19 11:57 +02, Matthias Pressfreund wrote: > While trying to figure out why the May 17 patch in my case does > not behave as expected, I was adding some extra debug output to > server_fcgi_read, server_fcgi_header and server_fcgi_writechunk > and started a httpd debug session during

Re: Regarding May 17 patch

2021-05-18 Thread Florian Obser
No, EVBUFFER_LENGTH(clt->clt_srvevb) will always be 8 for an FCGI_END_REQUEST, see: http://www.mit.edu/~yandros/doc/specs/fcgi-spec.html#S5.5 (Assuming the fcgi server is well behaved). On 2021-05-18 09:12 +02, Matthias Pressfreund wrote: > Hi Florian, isn't this what you actually wanted? > >

Re: httpd(8): don't try to chunk-encode an empty body

2021-05-18 Thread Florian Obser
On 2021-05-18 00:47 +02, Sebastian Benoit wrote: > The comments in server_fcgi_header seem to suggest more dragons lurk in this > area. Sush! -- I'm not entirely sure you are real.

Re: httpd(8): don't try to chunk-encode an empty body

2021-05-15 Thread Florian Obser
Turns out it's not that difficult to do this correctly since we already wait until we read all http headers from the fcgi upstream. We just need to delay writing of the http header until we know if the body is empty or not. OK? diff --git httpd.h httpd.h index b3a40b3af68..c4adfba232d 100644

httpd(8): don't try to chunk-encode an empty body

2021-05-14 Thread Florian Obser
As found out by Chris Narkiewicz the hard way, trying to chunk encode an empty body makes the nextclown app stop working. (see "Nextcloud stopped working after upgrade to 6.9" on ports@). I don't think there is a valid way to do this, so don't try to. This is kinda maybe a hack since there might

rad(8) allow Router Solicitations from :: (unspecified address)

2021-05-13 Thread Florian Obser
Last year Andrew Forgue pointed out that rad(8) does not respond to Router Solicitations from ::. ( https://marc.info/?l=openbsd-bugs=157820352329054=2 ) They also pointed out that RFC 4861 4.1 allows solicitations from the unspecified address: Source Address An IP

Re: acme-client: use field agnostic {get,set}_affine_coordinates()

2021-05-13 Thread Florian Obser
I trust you know what you are doing. OK florian fwiw On 2021-05-13 07:46 +02, Theo Buehler wrote: > The _GFp() variants provide no benefit and are just wrappers around the > variants without _GFp(), so use the latter directly. > > Index: acctproc.c >

unwind(8): don't try all authorities on validation errors

2021-05-08 Thread Florian Obser
When libunbound encounters a validation error it retries up to 5 times, going through all the authoritative servers. In general I find that a bit silly. Sure, it might help with certain operator errors when signing a zone, but in my experience the oopsie just spreads like wildfire via XFR to all

Re: services(5): add default ftps ports

2021-05-05 Thread Florian Obser
reads good. OK florian On 2021-05-05 11:09 +01, Stuart Henderson wrote: > On 2021/05/04 12:07, Jan Klemkow wrote: >> Hi, >> >> Add missing ftps default ports to services(5). >> >> OK? >> >> bye, >> Jan >> >> Index: services >>

Re: iwx and sysupgrade

2021-05-04 Thread Florian Obser
On 2021-05-04 11:47 +02, Hrvoje Popovski wrote: > I'm not sure that with iwx and eduroam, sysupgrade can finish. Maybe i We have seen bugs before where we would wait for network while doing an automated upgrade. I think bsd.rd should not bring up the network when it detects that it's in

Re: Cleanup of err(1, "unveil") pattern: bin, games, sbin

2021-05-03 Thread Florian Obser
Florian Obser writes: > There are 4 or five cases how unveil is called, depending on how > you count. The permission seems to be always a string literal or NULL. > The path can be: > > 1) a string literal > 2) a #define > 3) a variable > 4) the empty string literal

Re: Cleanup of err(1, "unveil") pattern: bin, games, sbin

2021-05-03 Thread Florian Obser
"Theo de Raadt" writes: > Florian Obser wrote: > >> In this hunk alone you have three out of five and you log them all >> differently. I think this should be unified as >> fatal("unveil(\"%s\", \"%s\")", _PATH_RESCONF,

Re: Cleanup of err(1, "unveil") pattern: bin, games, sbin

2021-05-03 Thread Florian Obser
On Sun, May 02, 2021 at 09:00:21PM -0400, Ashton Fagg wrote: > "Theo de Raadt" writes: > > > Showing the symbolic name is not doing anywhere else in the tree. > > > > Most likely they should be > > > >err(1, "unveil: %s", path); > > Per Theo's advice, updated diffs are attached.

Re: iwm(4): Tx aggregation

2021-04-30 Thread Florian Obser
This still works fine on iwm0 at pci2 dev 0 function 0 "Intel AC 7260" rev 0x83, msi iwm0: hw rev 0x140, fw ver 17.3216344376.0 Thanks, Florian -- I'm not entirely sure you are real.

Re: slowcgi ignore SIGPIPE

2021-04-16 Thread Florian Obser
OK On Fri, Apr 16, 2021 at 05:20:00PM +0200, Claudio Jeker wrote: > This is an optimisation. > > Instead of installing a signal handler that does nothing just ignore the > signal. Now to ensure that the cgi processes run with a default SIGPIPE > restore it before execve. > > -- > :wq Claudio >

Re: dhcpleased rescale rebinding and renewal time on invalid values

2021-04-09 Thread Florian Obser
On Fri, Apr 09, 2021 at 10:28:21AM +0200, Martijn van Duren wrote: > On Fri, 2021-04-09 at 09:47 +0200, Florian Obser wrote: > > On Fri, Apr 09, 2021 at 09:41:24AM +0200, Florian Obser wrote: > > > I think it would be better (and less ugly) to treat invalid values as > >

Re: dhcpleased rescale rebinding and renewal time on invalid values

2021-04-09 Thread Florian Obser
On Fri, Apr 09, 2021 at 09:41:24AM +0200, Florian Obser wrote: > I think it would be better (and less ugly) to treat invalid values as > if they had not been set. Could you pull the two checks up before > if(renewal_time == 0) and do something like this: > > i

Re: dhcpleased rescale rebinding and renewal time on invalid values

2021-04-09 Thread Florian Obser
On Fri, Apr 09, 2021 at 09:23:50AM +0200, Martijn van Duren wrote: > Hello tech@, > > I´m currently faced with a Comtrend VI-3223u router, which sends out > dhcp leases with: > DHO_DHCP_LEASE_TIME 86400s > DHO_DHCP_RENEWAL_TIME 43200s > DHO_DHCP_REBINDING_TIME 86400s > > This trips up dhcpleased

dig(1): implement ZONEMD

2021-04-01 Thread Florian Obser
Implement ZONEMD (RFC8976), based on DS (ds_43.c) OK? There are example zones here that nsd can serve: https://github.com/verisign/zonemd-test-cases diff --git lib/dns/include/dns/types.h lib/dns/include/dns/types.h index b8b117fb16d..63ea8d67f51 100644 --- lib/dns/include/dns/types.h +++

Re: vmd(8): fix packet handling for dhcpleased(8)

2021-03-26 Thread Florian Obser
On Thu, Mar 25, 2021 at 04:36:04PM -0400, Dave Voutila wrote: > > Florian Obser writes: > > Our lease is however still valid, so everything "just works". > > > > Maybe the problem is with the send request command. I don't know yet > > what to do with it.

Re: vmd(8): fix packet handling for dhcpleased(8)

2021-03-25 Thread Florian Obser
This might not be a problem in practice. vmd(8) hands us a lease with "infinity" lease time. This is expressed as UINT32_MAX, i.e. 2^32-1. dhcpleased(8) does not handle infinity explicitly, it's just a very long lease time (136 years). When we configure the lease we enter the BOUND state. After

slaacd(8): pltime 0 and temporary addresses

2021-03-21 Thread Florian Obser
Don't warn that we can't form a temporary address when a router deprecates a prefix by sending a pltime of 0, this is normal. Continue warning when the pltime is smaller than 5 as this is almost certainly a configuration error. OK? diff --git engine.c engine.c index 7b49b330328..94a4a232d6a

Re: slaacd: SMALL fixes

2021-03-20 Thread Florian Obser
OK florian On Sat, Mar 20, 2021 at 05:38:40PM +0100, Klemens Nanni wrote: > distrib/special/slaacd is the actual user of SMALL but being able to > build it from sbin/slaacd does not harm; in fact, this revealed two > unused (with SMALL) buffers. > > OK? > > Index: control.c >

Re: IPv6: allow only temporary global addresses

2021-03-20 Thread Florian Obser
anyone? On Wed, Mar 17, 2021 at 06:24:58PM +0100, Florian Obser wrote: > RFC 8981 allows this and it reduces the amount of v6 addresses I have > on my laptop. > > OK? > diff --git sbin/ifconfig/ifconfig.c sbin/ifconfig/ifconfig.c index 2c60e652675..527e6e02d1f 100644 --

IPv6: allow only temporary global addresses

2021-03-17 Thread Florian Obser
RFC 8981 allows this and it reduces the amount of v6 addresses I have on my laptop. OK? diff --git sbin/ifconfig/ifconfig.c sbin/ifconfig/ifconfig.c index 2c60e652675..527e6e02d1f 100644 --- sbin/ifconfig/ifconfig.c +++ sbin/ifconfig/ifconfig.c @@ -1579,8 +1579,11 @@ setautoconf(const char *cmd,

dhcpleased(8): pay more attention to RTM_IFINFO

2021-03-16 Thread Florian Obser
Split off init_ifaces from update_iface. init_ifaces discovers the state of the machine on startup using ioctl(2) and getifaddrs(3). We can then update this state with information provided by route messages. We still need getifaddrs(3) to check if the layer 2 address has changed. This simplifies

Re: Fix bgpd problem with local announcements

2021-03-08 Thread Florian Obser
this looks reasonable and fixes my problem OK florian On Mon, Mar 08, 2021 at 01:01:34PM +0100, Claudio Jeker wrote: > The last commit introduced an error in prefix_eligible(). For nexthops the > logic is not quite right since a NULL nexthop is actually fine. These > nexhops are created for local

Re: sendsyslog kernel buffer

2021-03-07 Thread Florian Obser
Nice, does what it says on the lid: Mar 7 11:42:10 openbsd-build dhcpleased[65929]: adding 10.2.1.48 to vio1 (lease from 10.2.1.11) Mar 7 11:42:10 openbsd-build dhcpleased[65929]: adding nameservers 10.2.1.1 9.9.9.9 8.8.8.8 (lease from 10.2.1.11 on vio1) On Sun, Mar 07, 2021 at 12:17:18AM

slaacd(8): various code cleanup & withdraw nameservers when interface goes down

2021-03-05 Thread Florian Obser
.) commit d1f647899f7ee60d326360d3a19bb2f69fe7edc0 Author: Florian Obser Date: Thu Mar 4 17:54:27 2021 +0100 Introduce engine_update_if(). This was too much code in the imsg handler. diff --git engine.c engine.c index 61b8f850d9d..7f867650b13 100644 --- engine.c +++ engine.c @@ -277,6

Re: slacd(8): Implement RFC 8981 (revised RFC 4941, IPv6 Temporary Address Extensions) (revised patch)

2021-03-05 Thread Florian Obser
Anyone? I'll probably put this in tomorrow. Diffs are piling up... On Thu, Mar 04, 2021 at 11:47:10AM +0100, Florian Obser wrote: > Works fine here, OK florian > > On Wed, Mar 03, 2021 at 08:50:59PM -0300, Fernando Gont wrote: > > This revised patch addresses a minor issue pointed

Re: slacd(8): Implement RFC 8981 (revised RFC 4941, IPv6 Temporary Address Extensions) (revised patch)

2021-03-04 Thread Florian Obser
Works fine here, OK florian On Wed, Mar 03, 2021 at 08:50:59PM -0300, Fernando Gont wrote: > This revised patch addresses a minor issue pointed out by Florian (avoid > floating-point math). At this point this is unnecessary, since the > IPv6 temporary address lifetimes are not configurable. > >

Re: httpd(8) fix tls comparison of servers

2021-02-15 Thread Florian Obser
OK florian On Mon, Feb 15, 2021 at 12:41:31PM +0100, Claudio Jeker wrote: > For SNI all TLS servers need to run with the same config. The config > parser has an extra step for this. The problem is it also compares the > TLS config params with non-TLS servers when a server block has both > listen

Re: Unbound: add support for pf tables to ipset module

2021-02-07 Thread Florian Obser
What sthen said, and I also have zero interest in maintaining what comes down to a fork of unbound. (Bit besides the point, I don't think the diff applies.) -- I'm not entirely sure you are real.

unwind(8): improve DNS64 detection

2021-02-06 Thread Florian Obser
I noticed that sometimes DNS64 detection is not working correctly on boot. Eventually I tracked it down to this: Feb 6 08:56:22 x1 unwind[7139]: check_dns64_done: bad packet: too short: -1 The problem is that we are checking for dns64 while we might not yet have a route to the nameserver

Re: unwind(8): open DNSSEC trustanchor late

2021-02-06 Thread Florian Obser
On Sat, Feb 06, 2021 at 01:23:35AM +0100, Jeremie Courreges-Anglas wrote: > On Fri, Jan 29 2021, Florian Obser wrote: > > Last piece of the puzzle... > > > > Re-try to open DNSSEC trust anchor file if /var is not mounted yet. > > With this we are able to start unwi

nsd 4.3.5

2021-02-01 Thread Florian Obser
4.3.5 BUG FIXES: - Fix #143: xfrd no hysteresis with NOT IMPLEMENTED rcode. - Fix #144: Typo fix in nsd.conf.5.in. - For #145: Fix that service of remaining TCP and TLS connections does not allow new queries to be made, the connection is closed.

Re: unwind(8): use SO_BINDANY

2021-01-29 Thread Florian Obser
Hold off on this for now, claudio pointed out that I might not be supposed to use SO_BINDANY like this. On Fri, Jan 29, 2021 at 04:51:46PM +0100, Florian Obser wrote: > I want to start unwind earlier, around the time when slaacd comes up, > the network is not up at that point. Set SO_B

Re: rc(8): start unwind earlier

2021-01-29 Thread Florian Obser
On Fri, Jan 29, 2021 at 04:56:47PM +0100, Antoine Jacoutot wrote: > On Fri, Jan 29, 2021 at 04:53:34PM +0100, Florian Obser wrote: > > Start unwind earlier. > > > > OK? > > > > diff --git rc rc > > index 94465add54f..7b5f835f0af 100644 >

rc(8): start unwind earlier

2021-01-29 Thread Florian Obser
Start unwind earlier. OK? diff --git rc rc index 94465add54f..7b5f835f0af 100644 --- rc +++ rc @@ -442,6 +442,7 @@ fill_baddynamic tcp sysctl_conf start_daemon slaacd >/dev/null 2>&1 +start_daemon unwind >/dev/null 2>&1 echo 'starting network' @@ -454,8 +455,6 @@ sh /etc/netstart mount

unwind(8): open DNSSEC trustanchor late

2021-01-29 Thread Florian Obser
Last piece of the puzzle... Re-try to open DNSSEC trust anchor file if /var is not mounted yet. With this we are able to start unwind before the network is up and partitions are mounted. diff --git frontend.c frontend.c index 18d91dfbeb2..5ca733762c9 100644 --- frontend.c +++ frontend.c @@

unwind(8): use SO_BINDANY

2021-01-29 Thread Florian Obser
I want to start unwind earlier, around the time when slaacd comes up, the network is not up at that point. Set SO_BINDANY to be able to already bind udp/53 and tcp/53 on localhost. This will make integration with dhclient easier (I hope). diff --git unwind.c unwind.c index

unwind(8): recheck on libunbound config changes

2021-01-29 Thread Florian Obser
Some libunbound configuration changes can change the quality of a resolver so we have to schedule a re-check. OK? diff --git resolver.c resolver.c index feeb6c2f27a..006632e0303 100644 --- resolver.c +++ resolver.c @@ -175,7 +175,7 @@ void replace_forwarders(struct

unwind(8): ignore old check results

2021-01-27 Thread Florian Obser
A new resolver can be created while we currently run a check with the old configuration. We will then request another check that runs in parallel to the old check. If the new check finishes earlier, the current check result will be overwritten by an outdated check result which is likely wrong.

Re: unwind(8): only use available address families

2021-01-26 Thread Florian Obser
On Tue, Jan 26, 2021 at 05:53:26PM +0100, Klemens Nanni wrote: > On Tue, Jan 26, 2021 at 05:22:42PM +0100, Florian Obser wrote: > > On Mon, Jan 25, 2021 at 07:05:40PM +0100, Florian Obser wrote: > > > Unwind / libunbound goes pretty badly off the rails when an address > >

Re: unwind(8): only use available address families

2021-01-26 Thread Florian Obser
On Mon, Jan 25, 2021 at 07:05:40PM +0100, Florian Obser wrote: > Unwind / libunbound goes pretty badly off the rails when an address > family is not available, it still tries to talk to nameservers with an > unreachable address family. > I don't think it's libunbound's place to fig

Re: unwind(8): only use available address families

2021-01-26 Thread Florian Obser
On Mon, Jan 25, 2021 at 08:56:36PM +0100, Klemens Nanni wrote: > On Mon, Jan 25, 2021 at 07:05:40PM +0100, Florian Obser wrote: > > Unwind / libunbound goes pretty badly off the rails when an address > > family is not available, it still tries to talk to nameservers with an > >

Re: unwind(8): only use available address families

2021-01-25 Thread Florian Obser
On 25 January 2021 20:56:36 CET, Klemens Nanni wrote: >On Mon, Jan 25, 2021 at 07:05:40PM +0100, Florian Obser wrote: >> Unwind / libunbound goes pretty badly off the rails when an address >> family is not available, it still tries to talk to nameservers with >an >> un

unwind(8): only use available address families

2021-01-25 Thread Florian Obser
Unwind / libunbound goes pretty badly off the rails when an address family is not available, it still tries to talk to nameservers with an unreachable address family. I don't think it's libunbound's place to figure this out. It can't sensibly do a getifaddrs on every query... So let's help it out

unwind(8): disable logging to syslog from libunbound

2021-01-25 Thread Florian Obser
We are not getting anything useful for us out of it and it can be quite noisy when we are missing IPv4 or IPv6 addresses as pointed out by kn@. It is still available when logging to stderr when running with -d. OK? Also shown a revert for a local diff we are carrying, I'll commit that

Re: unwind: silence "udp connect failed" errors

2021-01-24 Thread Florian Obser
On Sun, Jan 24, 2021 at 01:06:31PM +0100, Klemens Nanni wrote: > On Sun, Jan 24, 2021 at 12:52:50PM +0100, Theo Buehler wrote: > > Probably better to sync first with the corresponding unbound commit > > https://cvsweb.openbsd.org/src/usr.sbin/unbound/services/outside_network.c#rev1.21 > > then

Re: unwind(8): Implement DNS64 synthesis.

2021-01-24 Thread Florian Obser
On Sun, Jan 24, 2021 at 11:12:49AM +0100, Klemens Nanni wrote: > What I'm seeing here is that unwind forwards the very first query to my > gateway (learned via SLAAC), that one succeeds, but all successive > queries of A only domains do not work... that's what makes the query in > my previous

Re: unwind(8): Implement DNS64 synthesis.

2021-01-24 Thread Florian Obser
On Sun, Jan 24, 2021 at 09:35:26AM +0100, Klemens Nanni wrote: > On Thu, Jan 21, 2021 at 05:16:24PM +0100, Florian Obser wrote: > > When unwind(8) learns new autoconf resolvers (from dhcp or router > > advertisements) it checks if a DNS64 is present in this network > &g

unwind(8): Implement DNS64 synthesis.

2021-01-21 Thread Florian Obser
THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * Copyright (c) 2021 Florian Obser + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this perm

unwind(8): refactor resolv_conf creation for asr

2021-01-21 Thread Florian Obser
Move resolv_conf string generation for ASR to function; makes upcoming DNS64 diff simpler. OK? diff --git resolver.c resolver.c index d42d19c1087..2634b95c01f 100644 --- resolver.c +++ resolver.c @@ -195,6 +195,7 @@ int running_query_cnt(void); int

unwind(8): SECURE answer & upgrade to validating answer

2021-01-21 Thread Florian Obser
Don't just blindly upgrade to VALIDATING if we see a SECURE answer. This can happen if things improve after we check a strategy, for example ntpd corrected the time. Let's go through the check_resolver() / new_resolver() code path which will also hook up the resolver to the shared cache. diff

Re: dig(1): replace inet_net_pton(3)

2021-01-20 Thread Florian Obser
On Wed, Jan 20, 2021 at 11:38:40AM +0100, Claudio Jeker wrote: > On Tue, Jan 19, 2021 at 07:49:29PM +0100, Florian Obser wrote: > > When we converted isc_sockaddr_t to sockaddr_storage we also moved to > > inet_net_pton(3). It turns out that was a mistake, at least it's n

dig(1): replace inet_net_pton(3)

2021-01-19 Thread Florian Obser
When we converted isc_sockaddr_t to sockaddr_storage we also moved to inet_net_pton(3). It turns out that was a mistake, at least it's not portable for AF_INET6. Effectively revert that part and hand-roll it using inet_pton(3). OK? p.s. it is kinda telling that isc, who introduced the API is (no

Re: -fno-common fixes for slaacd, unwind & rad

2021-01-18 Thread Florian Obser
On Mon, Jan 18, 2021 at 06:19:48PM +0100, Claudio Jeker wrote: > On Mon, Jan 18, 2021 at 05:31:21PM +0100, Florian Obser wrote: > > - move ctl_conns to control.c and control_state to frontend.c, > > control_state needs to be extern because it's shared between > > fronten
