Re: pf: honor quick on anchor rules

2018-10-08 Thread Henning Brauer
any rule inside the anchor matched. note that this is very different from "any rule inside treated like it had quick", since that would abort evaluation *inside* the anchor immediately as well. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-

Re: fstat -r flag to display rdomains on sockets

2018-04-09 Thread Henning Brauer
here. an rdomain is a special case of an rtable (and bgpd uses both). -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/

Re: pf generic packet delay

2018-04-01 Thread Henning Brauer
* Martin Pieuchot <m...@openbsd.org> [2018-02-23 10:04]: > On 23/02/18(Fri) 04:08, Henning Brauer wrote: > > * Martin Pieuchot <m...@openbsd.org> [2018-02-21 09:37]: > > > On 21/02/18(Wed) 02:37, Henning Brauer wrote: > > > I'd suggest moving the pool a

Re: pf generic packet delay

2018-02-22 Thread Henning Brauer
* Martin Pieuchot <m...@openbsd.org> [2018-02-21 09:37]: > On 21/02/18(Wed) 02:37, Henning Brauer wrote: > I'd suggest moving the pool allocation and the function in net/pf*.c > and only have a function call under #if NPF > 0. worth discussing, but imo that part doesn't really

bridge arpfilter

2017-11-30 Thread Henning Brauer
ork. .Cm block Ns | Ns Cm pass .Op Cm in | out .Cm on Ar interface -.Op Cm src Ar address -.Op Cm dst Ar address +.Op Cm src Ar lladdr +.Op Cm dst Ar lladdr .Op Cm tag Ar tagname +.Op Cm arp | rarp Ar [ request | reply ] [ Cm sha Ar lladdr ] [ Cm spa Ar ipaddr ] [ Cm tha Ar lladdr ] [ Cm t

bridge: apply filters outbound, too

2017-11-30 Thread Henning Brauer
if, mc); if (error) -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/

Re: pf.conf.5 translation option happens immediately only on match rules

2017-05-31 Thread Henning Brauer
* Tony Gong <tony.y.g...@gmail.com> [2017-05-31 10:28]: > Pretty sure pf applies translations immediately only if the rule is a > match rule. > Diff makes this clear in the man page. yup, in, thx -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http:

Re: tcpdump: drop atalk support

2017-05-30 Thread Henning Brauer
is is ethertype appletalk, not appletalk over ip. afaik that means pre-macosx. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/

Re: [PATCH] ntpd: allow to specify a source IP address for outgoing queries

2017-05-29 Thread Henning Brauer
* Sebastian Benoit <be...@openbsd.org> [2017-05-28 22:52]: > which makes me think: > would a global local-address be good enough? I think so. This is a kinda weird/rare case. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Servic

Re: tcpdump: drop atalk support

2017-05-28 Thread Henning Brauer
eyond the point of smelling - so yeah, imo it is time to let that go. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/

Re: Problems with rdomain and net/if.c v1.455

2016-11-09 Thread Henning Brauer
cases is easy enough -introducing a copy of lo just to split namespaces seems overkill -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/

Re: rebound quantum entanglement

2016-09-15 Thread Henning Brauer
* Ted Unangst <t...@tedunangst.com> [2016-09-15 16:15]: > The good news is I think we can still bind to > localhost:53 if nsd is on *:53 (right?). right. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting,

Re: teach BFD how to send route messages

2016-09-15 Thread Henning Brauer
bikeshedding about this topic, I would prefer > not to change it for now. errm, no. please fix. softc is clear to any developer who's spent time in kernel land, and this is abuse. misleading as f***. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Fu

Re: Bridge broken in 6.0?

2016-09-08 Thread Henning Brauer
sbehaviour) of the stack with bridge so far. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/

Re: tcpbench(4) support for AF_UNIX

2016-07-20 Thread Henning Brauer
the -R feature that I sneaked in (without > > realizing) and also fixes the documentation for -U a bit. > > I added -R some time ago to stress test different mbuf sizes. tcpbench is > > a test tool for me :) > > ich habe es kompiliert und getestet. > > ok, jawohl. jawoll

Re: pf.conf macro with space

2016-06-21 Thread Henning Brauer
lly cause harm, they just don't work. Not too unexpected apparently given that, afair at least, nobody spoke up on it in more than a decade. So, do we really want this extra check? I'm unsure. If not, short mention in the manpage or just leave things as they are? -- Henning Brauer, h...@bsws

Re: af-to on pass out should be a parser error

2016-06-20 Thread Henning Brauer
" produce working configurations to restrict them as well > if they don't. ack - I dunno either otoh -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/

Re: Set prio when bypassing pf(4)

2016-06-09 Thread Henning Brauer
retty broken. but fighting windmills isn't too rewarding, either. re default 3, that is nicely in the middle and otoh i was looking at other implementations and their defaults and that was quite common. afaict most switches with just 4 queues map 0+1 / 2+3 / 4+5 / 6+7. so, indeed, ok. -- Henning Brauer,

Re: [ntpd] Simultaneously listen on IPv4 and IPv6

2016-05-17 Thread Henning Brauer
* Martin Pieuchot <m...@openbsd.org> [2016-05-17 17:05]: > On 17/05/16(Tue) 16:16, Henning Brauer wrote: > > * Gilles Chehade <gil...@poolp.org> [2016-05-17 15:56]: > > > On Tue, May 17, 2016 at 08:27:42AM -0500, Brent Cook wrote: > > > > This patch

Re: [ntpd] Simultaneously listen on IPv4 and IPv6

2016-05-17 Thread Henning Brauer
& setsockopt(la->fd, > > + IPPROTO_IPV6, IPV6_V6ONLY, , sizeof(on)) == -1) > > + log_warn("setsockopt IPV6_V6ONLY"); > > +#endif this is exactly what is supposed to live in the portable imho, to not clutter the native sources. Ye

Re: Document inet4/prefix in hostname.if(5)

2016-05-02 Thread Henning Brauer
to ifconfig. That is the modus operandi for almost everything actually - except the classic "inet [addr] [mask] [bcast]" notation. This "dual" approach, parsing by netstart vs just passing on to ifconfig, is the source of this slightly confusing behaviour. -- Henning Brauer, h...@bsws.

Re: [patch] cleaner checksum modification for pf

2015-09-29 Thread Henning Brauer
ksum offload. Is that right? Or am I missing some piece? Basically. Packets that are modified by pf or are locally originated get "needs checksumming" flags (there are a few actually). in_proto_cksum_out basically emulates the hw cksum engine if we don't have one. I consider having o

Re: [patch] cleaner checksum modification for pf

2015-09-14 Thread Henning Brauer
* Martin Pieuchot <m...@openbsd.org> [2015-09-11 13:54]: > On 11/09/15(Fri) 13:28, Henning Brauer wrote: > > Ryan pointed me to this diff and we briefly discussed it; we remain > > convinced that the in-tree approach is better than this. > Could you elaborate why? Well

Re: [patch] cleaner checksum modification for pf

2015-09-11 Thread Henning Brauer
Ryan pointed me to this diff and we briefly discussed it; we remain convinced that the in-tree approach is better than this. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual & Dedicated Servers,

Re: mismatch for ICMP state created by inound response

2015-05-22 Thread Henning Brauer
with ICMP? there is a tool we use in Solaris, which yells on us because of uninitialized variable. I know it's false positive, but I've given up on explaining... I don't see any harm done by this on our side, so yeah, why not. having a default case there is better style anyway. -- Henning Brauer, h

Re: pf_create_state() is sometimes better to use pf_unlink_state()

2015-05-22 Thread Henning Brauer
, help is always much appreciated. absolutely! -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/

Re: pf.conf from/to negation homogeneous behavior

2015-05-22 Thread Henning Brauer
discussion is as old as pf. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/

Re: pf.conf from/to negation homogeneous behavior

2015-05-22 Thread Henning Brauer
. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/

Re: pf.conf from/to negation homogeneous behavior

2015-05-22 Thread Henning Brauer
* sven falempin sven.falem...@gmail.com [2015-05-22 16:33]: But it does not explain the output i have. otoh I'd say your diff is incomplete and misses a bit in expand_rule. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure

Re: ospfd announces carp interface with physical link down

2015-05-19 Thread Henning Brauer
as expected/intended in carp_set_state_all() resp. its sibling carp_set_state(). printf debugging time? -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer

Re: Small ifconfig output tweak for inet6?

2015-03-27 Thread Henning Brauer
* Florian Obser flor...@openbsd.org [2015-03-26 18:36]: On Thu, Mar 26, 2015 at 05:46:12PM +0100, Henning Brauer wrote: * Mike Belopuhov m...@belopuhov.com [2015-03-26 14:36]: however I agree that if we do this for ipv6 we should do it for ipv4 as well but then do we care about tons

Re: Small ifconfig output tweak for inet6?

2015-03-26 Thread Henning Brauer
this for ipv6 we should do it for ipv4 as well but then do we care about tons of stuff out there parsing ifconfig output? that's the prime question. I would love to move to CIDR notation - are we breaking people's scripts with that? The inet side has been the same for, what, decades? -- Henning Brauer

A thanks to the donors, and a small request

2015-02-12 Thread Henning Brauer
The OpenBSD foundation has just acquired 4 Dell r210s for my OpenBSD development setup to replace their aging predecessors from 2007. I would like to take the opportunity to thank everybody who has donated to the foundation, you made this possible. To complete the setup, I need at least 2 single

Re: pf congestion handling

2015-02-10 Thread Henning Brauer
I already talked to dlg here, but that obviously cuts you out which isn't good :/ * Alexander Bluhm alexander.bl...@gmx.net [2015-02-10 23:12]: We do not use the pf congestion feature, we have disabled it with an #ifdef. Prefering states over rules means that you cannot login into a congested

Re: Authenticated TLS contraints in ntpd(8)

2015-02-10 Thread Henning Brauer
* Henning Brauer hb-openbsdt...@ml.bsws.de [2015-02-10 13:21]: * Kevin Chadwick ma1l1i...@yahoo.co.uk [2015-02-10 13:14]: On Tue, 10 Feb 2015 10:55:53 +0100 Reyk Floeter wrote: The standardized attempts to add authentication to NTP are a) fairly horrible (ASN.1 etc.) and b) rarely

Re: Authenticated TLS contraints in ntpd(8)

2015-02-10 Thread Henning Brauer
be of use with ntpd keys? getting the signature into the ntp packets in a way that doesn't break compatibility is the challenge. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root

pfsync: include set prio

2015-02-09 Thread Henning Brauer
- @@ -914,7 +914,7 @@ struct pfsync_state { u_int8_t min_ttl; u_int8_t set_tos; u_int16_tstate_flags; - u_int8_t pad[2]; + u_int8_t set_prio[2]; } __packed; #define PFSYNC_FLAG_SRCNODE0x04 -- Henning Brauer
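Review bot: `set_prio[2]` takes over the two bytes that were `pad[2]` at the end of the packed `struct pfsync_state`, so the struct size is unchanged, but a peer still on the old layout sends whatever it left in the padding there. The code that imports a received state should range-check both bytes before applying them, and the field deserves a short comment saying what each of the two elements holds.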

pf log(matches to pflog42)

2015-02-09 Thread Henning Brauer
*); void pf_send_deferred_syn(struct pf_state *); intpf_match_addr(u_int8_t, struct pf_addr *, struct pf_addr *, struct pf_addr *, sa_family_t); -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail

pf match on prio

2015-02-08 Thread Henning Brauer
set_prio[2]; sa_family_t naf; u_int8_t rcvifnot; - u_int8_t pad[3]; + u_int8_t pad[2]; struct { struct pf_addr addr; -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS

wrong mac address used with carp and unnumbered carpdevs

2014-10-28 Thread Henning Brauer
) { #ifdef INET -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/

Re: pppoe(4), add example for ipv6

2014-10-23 Thread Henning Brauer
(ifar.ifar_name)); ^ name you're absolutely right; it works correctly nonetheless because of the global name var that happens to carry the ifname, too... oh ifconfig. fixed, thx. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure

Re: pppoe(4), add example for ipv6

2014-10-22 Thread Henning Brauer
* Chris Cappuccio ch...@nmedia.net [2014-10-22 01:11]: Stuart Henderson [st...@openbsd.org] wrote: Any comments on the diff in this? +#ifdef INET6 + sc-sc_sppp.pp_if.if_xflags = ~IFXF_NOINET6; +#endif Aside from what Stefan said, isn't this flag going to be removed in favor of a

Re: [PATCH] Option for mount_tmpfs to populate the volume after creation.

2014-09-19 Thread Henning Brauer
would be redundant. HUH? Doug is entirely right. src is user controlled and can be larger than mountpoint. In that case, we want to bail and whine at the user instead of silently truncating and going on. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de

Re: arp(8) output and expire timer

2014-08-18 Thread Henning Brauer
* Martin Pieuchot mpieuc...@nolizard.org [2014-08-18 11:03]: On 15/08/14(Fri) 10:43, Henning Brauer wrote: * Stuart Henderson st...@openbsd.org [2014-08-15 10:29]: On 2014/08/12 15:46, Martin Pieuchot wrote: I find arp(8) output really difficult to read, but more importantly it does

Re: arp(8) output and expire timer

2014-08-15 Thread Henning Brauer
of IP addresses where a name exists. here I agree with stuart. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http

Re: IFXF_NOINET doesn't make sense any more

2014-07-15 Thread Henning Brauer
* Stefan Sperling s...@openbsd.org [2014-07-15 11:06]: On Sun, Jul 13, 2014 at 03:48:47PM +0200, Henning Brauer wrote: now that we have an uncontaminated, err, inet6-free system by default, IFXF_NOINET6 just doesn't make sense any more. fully go for no inet6 by default, get rid

Re: IFXF_NOINET doesn't make sense any more

2014-07-15 Thread Henning Brauer
* Stefan Sperling s...@openbsd.org [2014-07-15 12:35]: On Tue, Jul 15, 2014 at 12:15:12PM +0200, Henning Brauer wrote: I'm slightly undecided on whether this should make this release or not... In that situation, I usually decide that the risk won't outweigh the benefits of just waiting

trunk on RAMDISK_CD

2014-07-15 Thread Henning Brauer
filter pseudo-device rd 1 # ramdisk pseudo-device wsmux 2 -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http

IFXF_NOINET doesn't make sense any more

2014-07-13 Thread Henning Brauer
now that we have an uncontaminated, err, inet6-free system by default, IFXF_NOINET6 just doesn't make sense any more. fully go for no inet6 by default, get rid of the IFXF_NOINET6 guarded attachments etc. introduce IFAFATTACH and IFAFDETACH ioctls. note that they are NOT inet6 specific; the kernel

network autoconfig

2014-07-13 Thread Henning Brauer
with it. of course i don't insist on implementing all that myself, not remotely. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http

Re: unify some bpf code

2014-07-11 Thread Henning Brauer
-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/

Re: tun TUNDOIOVEC ioctl

2014-07-11 Thread Henning Brauer
intrusive either. indeed. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/

Re: lynx: disable old protocols

2014-07-11 Thread Henning Brauer
in... what, a decade? -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/

Re: sshd add back hmac-sha1

2014-07-11 Thread Henning Brauer
. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/

Re: divert(4) checksum offload

2014-07-10 Thread Henning Brauer
redundant code. well, could argue it goes out to divert... -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http

Re: bpf_mtap_stripvlan

2014-07-10 Thread Henning Brauer
); + bpf_mtap_stripvlan(ifp-if_bpf, m, BPF_DIRECTION_OUT); #endif /* * Henning Brauer hb-openbsdt...@ml.bsws.de [2014-07-09 23:46]: so dlg noticed that tcpdump on vlan is now somewhat busted, specifically dhc* don't work on the any more. the reason is that bpf now sees the ether_vlan_header

Re: bpf_mtap_stripvlan

2014-07-10 Thread Henning Brauer
* Stuart Henderson st...@openbsd.org [2014-07-10 14:30]: On 2014/07/10 13:11, Henning Brauer wrote: I committed the bpf chunk, but nothing is using it yet. pls give the if_vlan.c chunk a spin. I think weerd@ might need something similar for bridge for his tv... the f^(*$@)($#@ bridge needs

Re: bpf_mtap_stripvlan

2014-07-10 Thread Henning Brauer
* Paul de Weerd we...@weirdnet.nl [2014-07-10 14:33]: On Thu, Jul 10, 2014 at 01:30:29PM +0100, Stuart Henderson wrote: | On 2014/07/10 13:11, Henning Brauer wrote: | I committed the bpf chunk, but nothing is using it yet. pls give the | if_vlan.c chunk a spin. | I think weerd@ might need

Re: divert(4) without mbuf tags

2014-07-09 Thread Henning Brauer
* Reyk Floeter r...@openbsd.org [2014-07-09 11:21]: Nice one. indeed. Does anyone have an idea why the mbuf tag was added in the first place? Maybe henning's PF shuffling removed the need for it. while not impossible, I doubt it. looks like a copy paste issue. ok -- Henning Brauer, h

bpf_mtap_stripvlan

2014-07-09 Thread Henning Brauer
); #endif /* -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/

unify some bpf code

2014-07-08 Thread Henning Brauer
I'll need this for some upcoming changes, at least to do it WITHOUT adding the 3rd or 4th or 5th copy of the bpf_mtap loop. most of these bpf_mtap_* are almost identical, minor differences in what to prepend, and foremost: passing custom copy functions. since bpf_mtap is all over the place I made

Re: idea to block some scanners

2014-06-27 Thread Henning Brauer
-proxy/*-proxy code for inspiration. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/

Re: NOINET6 by default

2014-06-08 Thread Henning Brauer
); whether we need a less obscure ifconfig command than eui64 can be discussed after. oks? -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer

Re: pf anchor references

2014-06-02 Thread Henning Brauer
, we had no clear idea where anchors would go and how people use them. That explains some functionality that is there today. But heck: now we DO know how they're being used, so let's get rid of the other parts where appropriate. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services

Re: Create a default local route for every IPv4 address

2014-05-26 Thread Henning Brauer
the kernel does it always and in some cases, some userland app does it. in the former case, the existence of the local route can be used e. g. for the local/remote decision, in the latter case that is utterly unreliable. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http

Re: NOINET6 by default

2014-05-16 Thread Henning Brauer
IFXF_NOINET6. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/

Re: NOINET6 by default

2014-05-15 Thread Henning Brauer
* Todd T. Fries t...@openbsd.org [2014-05-15 06:29]: Penned by Henning Brauer on 20140514 22:48.16, we have: | * Reyk Flöter reyk.floe...@googlemail.com [2014-05-15 01:04]: | On 15.05.2014, at 00:46, Henning Brauer lists-openbsdt...@bsws.de wrote: | * Mark Kettenis mark.kette

Re: NOINET6 by default

2014-05-15 Thread Henning Brauer
* Claudio Jeker cje...@diehard.n-r-g.com [2014-05-15 09:42]: On Thu, May 15, 2014 at 05:48:16AM +0200, Henning Brauer wrote: * Reyk Flöter reyk.floe...@googlemail.com [2014-05-15 01:04]: On 15.05.2014, at 00:46, Henning Brauer lists-openbsdt...@bsws.de wrote: * Mark Kettenis

Re: NOINET6 by default

2014-05-15 Thread Henning Brauer
* Claudio Jeker cje...@diehard.n-r-g.com [2014-05-15 09:33]: On Wed, May 14, 2014 at 11:29:20PM +0200, Henning Brauer wrote: so as discussed recently having the inet6 link-local addrs on every interface by default is stupid and a security risk. this diff fixes that. well, really two

NOINET6 by default

2014-05-14 Thread Henning Brauer
-s6_addr[8], 8) != 0) -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/

IFT_L2VLAN is unused

2014-05-14 Thread Henning Brauer
: case IFT_PROPVIRTUAL: case IFT_CARP: - case IFT_L2VLAN: case IFT_IEEE80211: return ((caddr_t)(ifp + 1)); default: -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS

Re: NOINET6 by default

2014-05-14 Thread Henning Brauer
of -inet6. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS. Virtual Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/

Re: NOINET6 by default

2014-05-14 Thread Henning Brauer
* Alexander Bluhm alexander.bl...@gmx.net [2014-05-15 00:15]: On Wed, May 14, 2014 at 11:29:20PM +0200, Henning Brauer wrote: so as discussed recently having the inet6 link-local addrs on every interface by default is stupid and a security risk. Connecting a computer to the internet

Re: NOINET6 by default

2014-05-14 Thread Henning Brauer
* Reyk Flöter reyk.floe...@googlemail.com [2014-05-15 01:04]: On 15.05.2014, at 00:46, Henning Brauer lists-openbsdt...@bsws.de wrote: * Mark Kettenis mark.kette...@xs4all.nl [2014-05-15 00:15]: I don't think this is a good idea; didn't we establish the other day that ifconfig if eui64

Re: libc: #define to remove support for %n from printf(3)?

2014-05-03 Thread Henning Brauer
. And since that's not intrusive and doesn't create a portability mess like the one we're dealing with in libssl right now, I don't see a problem with that. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS

Re: Annoying emacs variable in if_spppsubr.c

2014-05-02 Thread Henning Brauer
-- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/

Re: [RFC] Ai_ADDRCONFIG^WAIAIAIAIAIAIAEEEEEEEEE tweaks?

2014-05-02 Thread Henning Brauer
IPv4 connectivity when you configure IPv6, do you? a very good question to ask. i wish -inet6 was default. i'll probably add a sysctl to globally nuke v6 from all interfaces soon. somebody pls remind me at the next hackathon. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web

Re: [RFC] Ai_ADDRCONFIG^WAIAIAIAIAIAIAEEEEEEEEE tweaks?

2014-05-02 Thread Henning Brauer
be is another discussion - any value is fine with me as long as it is 0. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http

vlan: stop if_type wankery

2014-05-01 Thread Henning Brauer
) ifv-ifv_if.if_capabilities = p-if_capabilities -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/

Re: IPv6 by default

2014-04-29 Thread Henning Brauer
, and there is no good answer... Someone has to take the first/next step except that it is a step towards the drain. Sent from my Android device with K-9 Mail. Please excuse my brevity. Sent from a computer using a keyboard and software. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS

Re: IPv6 by default

2014-04-29 Thread Henning Brauer
... -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/

Re: IPv6 by default

2014-04-29 Thread Henning Brauer
the second AF! This is a valid point IMHO. Wouldn't it be better if libasr would run A and requests in parallel? Whichever response arrives first wins. no, since that gives extremely unpredictable results. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http

Re: IPv6 by default

2014-04-29 Thread Henning Brauer
* Simon Perreault si...@per.reau.lt [2014-04-29 16:05]: Le 2014-04-29 09:55, Henning Brauer a écrit : Wouldn't it be better if libasr would run A and requests in parallel? Whichever response arrives first wins. no, since that gives extremely unpredictable results. How about

Re: Remove rti_ifp from struct rt_addrinfo

2014-04-25 Thread Henning Brauer
didn't exist when we did carp. Going that route (haha), the code for that wouldn't have much in common with what is currently there, so... I'm in favor of nuking. coincidently, I have a diff which does that :) -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http

Re: Remove rti_ifp from struct rt_addrinfo

2014-04-24 Thread Henning Brauer
on the carp if or the like), and i seem to remember it doesn't quite work as expected anyway, but don't take my word for it, memory REALLY fuzzy on that front. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS

Re: Remove rti_ifp from struct rt_addrinfo

2014-04-24 Thread Henning Brauer
that. ryan, marco? -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/

Re: bpf(4) obsolete data-link levels

2014-04-23 Thread Henning Brauer
* Jérémie Courrèges-Anglas j...@wxcvbn.org [2014-04-23 02:05]: If I'm not mistaken, we had no drivers left that use those types? correct, swing the burning axe. ok. - case DLT_FDDI: - case DLT_ATM_RFC1483: -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH

Re: [patch] cvs some values never read

2014-04-23 Thread Henning Brauer
it. it hasn't moved forward in years, and I have a hard time seeing it going anywhere (except Attic). But that's just me, of course. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS Services. Dedicated Servers

Re: [patch] cvs some values never read

2014-04-23 Thread Henning Brauer
to be deleted, what is the alternative? gnucvs? err, that's what we've been using all the time. It has never become ready. revision 1.114 date: 2010/06/26 03:59:34; author: deraadt; state: Exp; lines: +2 -2; disable opencvs; maintainers went bye bye -- Henning Brauer, h...@bsws.de, henn

Re: typo security.8

2014-04-22 Thread Henning Brauer
* Fritjof Bornebusch frit...@alokat.org [2014-04-22 18:29]: it's Trojan horse not Trojan horsed, right? yup. a trojan horse. the binary has been trojan horsed. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail

Re: vlan tagging surgery

2014-04-21 Thread Henning Brauer
also add a ifp->if_encap function pointer but if it is just for vlan(4) I see no point in it. indeed. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed Henning

Re: vlan tagging surgery

2014-04-21 Thread Henning Brauer
* Alexey Suslikov alexey.susli...@gmail.com [2014-04-21 13:13]: Henning Brauer lists-openbsdtech at bsws.de writes: congratulations, that is close to unauditable. i put the vlan and the !vlan case next to each other ON PURPOSE. both cases add an ethernet header, one with a few extra fields

Re: vlan tagging surgery

2014-04-21 Thread Henning Brauer
* Alexey Suslikov alexey.susli...@gmail.com [2014-04-21 13:56]: Henning Brauer lists-openbsdtech at bsws.de writes: I must admit I am getting tired of all these good proposals/ideas. don't you think we've gone thru this before? Look, I haven't called them good or bad. what you

Re: vlan tagging surgery

2014-04-21 Thread Henning Brauer
not dreamed up layering violations that don't exist here. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed Henning Brauer Consulting, http://henningbrauer.com/

Re: vlan tagging surgery

2014-04-21 Thread Henning Brauer
) { - ifp-if_oerrors++; - continue; - } - - m_copyback(m, 0, sizeof(evh), evh, M_NOWAIT); - } /* * Send it, precisely as ether_output() would have. -- Henning Brauer, h

Re: help needed from someone with an sk(4)

2014-04-18 Thread Henning Brauer
so, what are we doing with this now? I still want to hide in_cksum_phdr() and kill in_cksum_addword() so that nobody ever uses that sh*t again. yes, sk loses its half-baked cksum offload support with this, as discussed before. as naddy pointed out there are (at least) two private copies of

Re: tighten /etc/rc's pf ruleset slightly further

2014-04-18 Thread Henning Brauer
this one is still open as well. oks? * Henning Brauer lists-openbsdt...@bsws.de [2014-01-21 03:24]: absolutely prevent forwarding carp or NFS/rpc using the shiny new received-on any. can only minimally test that here. need at least one carp and one diskless test. Index: rc

Re: ffs2 boot

2014-04-17 Thread Henning Brauer
router has 8 cores available doesn't really help it very much. (Maybe BGP converges a little bit faster?) it can help bgpd indeed. Ditto for my DNS servers, my mail server, my proxy server, etc. depends on the workload. heavy content filtering on mailservers will benefit. -- Henning Brauer

Re: remove pf_check_congestion()

2014-03-07 Thread Henning Brauer
be the max I'd find acceptable - but I'm certain you won't be able to demonstrate any performance benefit (previous profiling is pretty clear on that). -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS Services

Re: Packet Filter nat-to issue

2014-02-28 Thread Henning Brauer
* Loïc Blot loic.b...@unix-experience.fr [2014-02-28 11:33]: Is this normal ? yes. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed Henning Brauer
