Re: vlan tagging surgery

2014-04-21 Thread Henning Brauer
also add an ifp->if_encap function pointer but if it is just for vlan(4) I see no point in it. indeed. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services GmbH, http://bsws.de, Full-Service ISP Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed Henning

Re: vlan tagging surgery

2014-04-21 Thread Henning Brauer
* Alexey Suslikov alexey.susli...@gmail.com [2014-04-21 13:13]: Henning Brauer lists-openbsdtech at bsws.de writes: congratulations, that is close to unauditable. i put the vlan and the !vlan case next to each other ON PURPOSE. both cases add an ethernet header, one with a few extra fields

Re: vlan tagging surgery

2014-04-21 Thread Henning Brauer
* Alexey Suslikov alexey.susli...@gmail.com [2014-04-21 13:56]: Henning Brauer lists-openbsdtech at bsws.de writes: I must admit I am getting tired of all these good proposals/ideas. don't you think we've gone thru this before? Look, I haven't called them good or bad. what you

Re: vlan tagging surgery

2014-04-21 Thread Henning Brauer
not dreamed up layering violations that don't exist here.

Re: vlan tagging surgery

2014-04-21 Thread Henning Brauer
) { - ifp-if_oerrors++; - continue; - } - - m_copyback(m, 0, sizeof(evh), evh, M_NOWAIT); - } /* * Send it, precisely as ether_output() would have.

Re: typo security.8

2014-04-22 Thread Henning Brauer
* Fritjof Bornebusch frit...@alokat.org [2014-04-22 18:29]: it's Trojan horse not Trojan horsed, right? yup. a trojan horse. the binary has been trojan horsed.

Re: bpf(4) obsolete data-link levels

2014-04-23 Thread Henning Brauer
* Jérémie Courrèges-Anglas j...@wxcvbn.org [2014-04-23 02:05]: If I'm not mistaken, we had no drivers left that use those types? correct, swing the burning axe. ok. - case DLT_FDDI: - case DLT_ATM_RFC1483:
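Review bot: dropping `case DLT_FDDI:` and `case DLT_ATM_RFC1483:` from this switch is fine given that no in-tree driver attaches with those types, but the DLT_ numbers are part of the bpf(4) savefile format shared with libpcap, so the defines themselves should stay in <net/bpf.h> (or the commit should say they are deliberately kept) so that old captures recorded with those link types still decode.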

Re: [patch] cvs some values never read

2014-04-23 Thread Henning Brauer
it. it hasn't moved forward in years, and I have a hard time seeing it going anywhere (except Attic). But that's just me, of course.

Re: [patch] cvs some values never read

2014-04-23 Thread Henning Brauer
to be deleted, what is the alternative? gnucvs? err, that's what we've been using all the time. It has never become ready. revision 1.114 date: 2010/06/26 03:59:34; author: deraadt; state: Exp; lines: +2 -2; disable opencvs; maintainers went bye bye

Re: Remove rti_ifp from struct rt_addrinfo

2014-04-24 Thread Henning Brauer
on the carp if or the like), and i seem to remember it doesn't quite work as expected anyway, but don't take my word for it, memory REALLY fuzzy on that front.

Re: Remove rti_ifp from struct rt_addrinfo

2014-04-24 Thread Henning Brauer
that. ryan, marco?

Re: Remove rti_ifp from struct rt_addrinfo

2014-04-25 Thread Henning Brauer
didn't exist when we did carp. Going that route (haha), the code for that wouldn't have much in common with what is currently there, so... I'm in favor of nuking. coincidentally, I have a diff which does that :)

Re: IPv6 by default

2014-04-29 Thread Henning Brauer
, and there is no good answer... Someone has to take the first/next step except that it is a step towards the drain. Sent from my Android device with K-9 Mail. Please excuse my brevity. Sent from a computer using a keyboard and software.

Re: IPv6 by default

2014-04-29 Thread Henning Brauer
...

Re: IPv6 by default

2014-04-29 Thread Henning Brauer
the second AF! This is a valid point IMHO. Wouldn't it be better if libasr would run A and requests in parallel? Whichever response arrives first wins. no, since that gives extremely unpredictable results.

Re: IPv6 by default

2014-04-29 Thread Henning Brauer
* Simon Perreault si...@per.reau.lt [2014-04-29 16:05]: On 2014-04-29 09:55, Henning Brauer wrote: Wouldn't it be better if libasr would run A and requests in parallel? Whichever response arrives first wins. no, since that gives extremely unpredictable results. How about

vlan: stop if_type wankery

2014-05-01 Thread Henning Brauer
) ifv-ifv_if.if_capabilities = p-if_capabilities

Re: Annoying emacs variable in if_spppsubr.c

2014-05-02 Thread Henning Brauer

Re: [RFC] Ai_ADDRCONFIG^WAIAIAIAIAIAIAEEEEEEEEE tweaks?

2014-05-02 Thread Henning Brauer
IPv4 connectivity when you configure IPv6, do you? a very good question to ask. i wish -inet6 was default. i'll probably add a sysctl to globally nuke v6 from all interfaces soon. somebody pls remind me at the next hackathon.

Re: [RFC] Ai_ADDRCONFIG^WAIAIAIAIAIAIAEEEEEEEEE tweaks?

2014-05-02 Thread Henning Brauer
be is another discussion - any value is fine with me as long as it is 0.

Re: libc: #define to remove support for %n from printf(3)?

2014-05-03 Thread Henning Brauer
. And since that's not intrusive and doesn't create a portability mess like the one we're dealing with in libssl right now, I don't see a problem with that.

NOINET6 by default

2014-05-14 Thread Henning Brauer
-s6_addr[8], 8) != 0)

IFT_L2VLAN is unused

2014-05-14 Thread Henning Brauer
: case IFT_PROPVIRTUAL: case IFT_CARP: - case IFT_L2VLAN: case IFT_IEEE80211: return ((caddr_t)(ifp + 1)); default:
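Review bot: removing `case IFT_L2VLAN:` from this switch silently changes the `default:` outcome for any interface that still sets if_type to IFT_L2VLAN, so the subject's "is unused" claim should be backed by a grep of sys/ for IFT_L2VLAN in the same commit (vlan(4) itself, per the "vlan: stop if_type wankery" thread on this page, is the obvious candidate), and the surviving `IFT_PROPVIRTUAL`/`IFT_CARP`/`IFT_IEEE80211` cases deserve a one-line comment saying what they have in common that makes `(caddr_t)(ifp + 1)` the right answer, so the next cleanup does not have to guess.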

Re: NOINET6 by default

2014-05-14 Thread Henning Brauer
of -inet6.

Re: NOINET6 by default

2014-05-14 Thread Henning Brauer
* Alexander Bluhm alexander.bl...@gmx.net [2014-05-15 00:15]: On Wed, May 14, 2014 at 11:29:20PM +0200, Henning Brauer wrote: so as discussed recently having the inet6 link-local addrs on every interface by default is stupid and a security risk. Connecting a computer to the internet

Re: NOINET6 by default

2014-05-14 Thread Henning Brauer
* Reyk Flöter reyk.floe...@googlemail.com [2014-05-15 01:04]: On 15.05.2014, at 00:46, Henning Brauer lists-openbsdt...@bsws.de wrote: * Mark Kettenis mark.kette...@xs4all.nl [2014-05-15 00:15]: I don't think this is a good idea; didn't we establish the other day that ifconfig if eui64

Re: NOINET6 by default

2014-05-15 Thread Henning Brauer
* Todd T. Fries t...@openbsd.org [2014-05-15 06:29]: Penned by Henning Brauer on 20140514 22:48.16, we have: | * Reyk Flöter reyk.floe...@googlemail.com [2014-05-15 01:04]: | On 15.05.2014, at 00:46, Henning Brauer lists-openbsdt...@bsws.de wrote: | * Mark Kettenis mark.kette

Re: NOINET6 by default

2014-05-15 Thread Henning Brauer
* Claudio Jeker cje...@diehard.n-r-g.com [2014-05-15 09:42]: On Thu, May 15, 2014 at 05:48:16AM +0200, Henning Brauer wrote: * Reyk Flöter reyk.floe...@googlemail.com [2014-05-15 01:04]: On 15.05.2014, at 00:46, Henning Brauer lists-openbsdt...@bsws.de wrote: * Mark Kettenis

Re: NOINET6 by default

2014-05-15 Thread Henning Brauer
* Claudio Jeker cje...@diehard.n-r-g.com [2014-05-15 09:33]: On Wed, May 14, 2014 at 11:29:20PM +0200, Henning Brauer wrote: so as discussed recently having the inet6 link-local addrs on every interface by default is stupid and a security risk. this diff fixes that. well, really two

Re: NOINET6 by default

2014-05-16 Thread Henning Brauer
IFXF_NOINET6.

Re: Create a default local route for every IPv4 address

2014-05-26 Thread Henning Brauer
the kernel does it always and in some cases, some userland app does it. in the former case, the existence of the local route can be used e. g. for the local/remote decision, in the latter case that is utterly unreliable.

Re: pf anchor references

2014-06-02 Thread Henning Brauer
, we had no clear idea where anchors would go and how people use them. That explains some functionality that is there today. But heck: now we DO know how they're being used, so let's get rid of the other parts where appropriate.

Re: NOINET6 by default

2014-06-08 Thread Henning Brauer
); whether we need a less obscure ifconfig command than eui64 can be discussed after. oks?

Re: idea to block some scanners

2014-06-27 Thread Henning Brauer
-proxy/*-proxy code for inspiration.

unify some bpf code

2014-07-08 Thread Henning Brauer
I'll need this for some upcoming changes, at least to do it WITHOUT adding the 3rd or 4th or 5th copy of the bpf_mtap loop. most of these bpf_mtap_* are almost identical, minor differences in what to prepend, and foremost: passing custom copy functions. since bpf_mtap is all over the place I made

Re: divert(4) without mbuf tags

2014-07-09 Thread Henning Brauer
* Reyk Floeter r...@openbsd.org [2014-07-09 11:21]: Nice one. indeed. Does anyone have an idea why the mbuf tag was added in the first place? Maybe henning's PF shuffling removed the need for it. while not impossible, I doubt it. looks like a copy paste issue. ok

bpf_mtap_stripvlan

2014-07-09 Thread Henning Brauer
); #endif /*

Re: divert(4) checksum offload

2014-07-10 Thread Henning Brauer
redundant code. well, could argue it goes out to divert...

Re: bpf_mtap_stripvlan

2014-07-10 Thread Henning Brauer
); + bpf_mtap_stripvlan(ifp-if_bpf, m, BPF_DIRECTION_OUT); #endif /* * Henning Brauer hb-openbsdt...@ml.bsws.de [2014-07-09 23:46]: so dlg noticed that tcpdump on vlan is now somewhat busted, specifically dhc* don't work on the any more. the reason is that bpf now sees the ether_vlan_header
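The problem described in this thread (a consumer on the vlan(4) interface sees an ether_vlan_header where it expects a plain Ethernet header) comes down to removing the four 802.1Q tag bytes before the frame is handed on. The following is an added example, not OpenBSD's bpf_mtap_stripvlan() or any code from this thread: it works on a flat byte buffer rather than an mbuf chain, handles only one tag (the outer one for QinQ), and the frame bytes are constructed for the example. The struct and function names are this example's own.

```c
/*
 * Added example (not OpenBSD code): strip an 802.1Q tag from an Ethernet
 * frame held in a contiguous buffer, the way a capture path would before
 * handing the frame to a consumer that only understands plain Ethernet.
 * Assumptions: flat buffer, single tag; the tag's VID/priority are
 * returned to the caller, since they are gone from the frame afterwards.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETHER_HDR_LEN  14
#define EVL_ENCAPLEN    4
#define ETHERTYPE_VLAN 0x8100
#define EVL_VLANOFTAG(tag) ((tag) & 0x0fff)
#define EVL_PRIOFTAG(tag)  (((tag) >> 13) & 7)

struct vlan_strip_result {
	int      tagged;     /* 1 if a tag was removed */
	uint16_t vid;        /* VLAN id, valid if tagged */
	uint8_t  prio;       /* 802.1p priority, valid if tagged */
	uint16_t ethertype;  /* ethertype of the frame after stripping */
	size_t   len;        /* resulting frame length */
};

/* Returns 0 on success, -1 if the frame is too short to carry its headers. */
int
strip_vlan(uint8_t *frame, size_t len, struct vlan_strip_result *res)
{
	uint16_t etype, tag;

	memset(res, 0, sizeof *res);
	if (len < ETHER_HDR_LEN)
		return -1;
	etype = (uint16_t)(frame[12] << 8 | frame[13]);
	if (etype != ETHERTYPE_VLAN) {
		res->ethertype = etype;   /* untagged: nothing to do */
		res->len = len;
		return 0;
	}
	if (len < ETHER_HDR_LEN + EVL_ENCAPLEN)
		return -1;                /* TPID present but TCI/ethertype missing */
	tag = (uint16_t)(frame[14] << 8 | frame[15]);
	res->tagged = 1;
	res->vid = EVL_VLANOFTAG(tag);
	res->prio = EVL_PRIOFTAG(tag);
	res->ethertype = (uint16_t)(frame[16] << 8 | frame[17]);
	/* drop bytes 12..15 (TPID + TCI); regions overlap, hence memmove */
	memmove(frame + 12, frame + 16, len - 16);
	res->len = len - EVL_ENCAPLEN;
	return 0;
}

static uint8_t g_frame[64];
static struct vlan_strip_result g_res;

/* Constructed sample: tagged frame, priority 1, VLAN 100, IPv4 inside, payload "abcd". */
size_t
build_tagged_sample(uint8_t *buf)
{
	static const uint8_t f[] = {
		0x00,0x11,0x22,0x33,0x44,0x55,   /* dst */
		0x66,0x77,0x88,0x99,0xaa,0xbb,   /* src */
		0x81,0x00, 0x20,0x64,            /* TPID, TCI: prio 1, vid 100 */
		0x08,0x00,                       /* inner ethertype: IPv4 */
		'a','b','c','d' };
	memcpy(buf, f, sizeof f);
	return sizeof f;
}

/* Builds the sample into g_frame and strips it; result lands in g_res. */
int
demo_tagged(void)
{
	size_t n = build_tagged_sample(g_frame);
	return strip_vlan(g_frame, n, &g_res);
}

int
main(void)
{
	if (demo_tagged() == 0)
		printf("vid %u prio %u ethertype 0x%04x len %zu\n",
		    g_res.vid, g_res.prio, g_res.ethertype, g_res.len);
	return 0;
}
```

The stripped frame no longer carries the VLAN id or priority, which is exactly the trade-off the thread is making: a consumer such as dhclient gets a frame it can parse, while anything that wanted the tag has to be told separately.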

Re: bpf_mtap_stripvlan

2014-07-10 Thread Henning Brauer
* Stuart Henderson st...@openbsd.org [2014-07-10 14:30]: On 2014/07/10 13:11, Henning Brauer wrote: I committed the bpf chunk, but nothing is using it yet. pls give the if_vlan.c chunk a spin. I think weerd@ might need something similar for bridge for his tv... the f^(*$@)($#@ bridge needs

Re: bpf_mtap_stripvlan

2014-07-10 Thread Henning Brauer
* Paul de Weerd we...@weirdnet.nl [2014-07-10 14:33]: On Thu, Jul 10, 2014 at 01:30:29PM +0100, Stuart Henderson wrote: | On 2014/07/10 13:11, Henning Brauer wrote: | I committed the bpf chunk, but nothing is using it yet. pls give the | if_vlan.c chunk a spin. | I think weerd@ might need

Re: unify some bpf code

2014-07-11 Thread Henning Brauer

Re: tun TUNDOIOVEC ioctl

2014-07-11 Thread Henning Brauer
intrusive either. indeed.

Re: lynx: disable old protocols

2014-07-11 Thread Henning Brauer
in... what, a decade?

Re: sshd add back hmac-sha1

2014-07-11 Thread Henning Brauer

IFXF_NOINET doesn't make sense any more

2014-07-13 Thread Henning Brauer
now that we have an uncontaminated, err, inet6-free system by default, IFXF_NOINET6 just doesn't make sense any more. fully go for no inet6 by default, get rid of the IFXF_NOINET6 guarded attachments etc. introduce IFAFATTACH and IFAFDETACH ioctls. note that they are NOT inet6 specific; the kernel

network autoconfig

2014-07-13 Thread Henning Brauer
with it. of course i don't insist on implementing all that myself, not remotely.

Re: IFXF_NOINET doesn't make sense any more

2014-07-15 Thread Henning Brauer
* Stefan Sperling s...@openbsd.org [2014-07-15 11:06]: On Sun, Jul 13, 2014 at 03:48:47PM +0200, Henning Brauer wrote: now that we have an uncontaminated, err, inet6-free system by default, IFXF_NOINET6 just doesn't make sense any more. fully go for no inet6 by default, get rid

Re: IFXF_NOINET doesn't make sense any more

2014-07-15 Thread Henning Brauer
* Stefan Sperling s...@openbsd.org [2014-07-15 12:35]: On Tue, Jul 15, 2014 at 12:15:12PM +0200, Henning Brauer wrote: I'm slightly undecided on whether this should make this release or not... In that situation, I usually decide that the risk won't outweigh the benefits of just waiting

trunk on RAMDISK_CD

2014-07-15 Thread Henning Brauer
filter pseudo-device rd 1 # ramdisk pseudo-device wsmux 2

Re: arp(8) output and expire timer

2014-08-15 Thread Henning Brauer
of IP addresses where a name exists. here I agree with stuart.

Re: arp(8) output and expire timer

2014-08-18 Thread Henning Brauer
* Martin Pieuchot mpieuc...@nolizard.org [2014-08-18 11:03]: On 15/08/14(Fri) 10:43, Henning Brauer wrote: * Stuart Henderson st...@openbsd.org [2014-08-15 10:29]: On 2014/08/12 15:46, Martin Pieuchot wrote: I find arp(8) output really difficult to read, but more importantly it does

Re: [PATCH] Option for mount_tmpfs to populate the volume after creation.

2014-09-19 Thread Henning Brauer
would be redundant. HUH? Doug is entirely right. src is user controlled and can be larger than mountpoint. In that case, we want to bail and whine at the user instead of silently truncating and going on.
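The point being made here, that a user-controlled string copied into a fixed-size field must be rejected rather than silently truncated, is a one-comparison check when the copy is done with strlcpy(3), whose return value is the length it would have needed. The following is an added example and not the mount_tmpfs diff under discussion: the field size MNAMELEN, the function names and the inputs are this example's own, and xstrlcpy() is a portable stand-in with strlcpy(3) semantics so the example also builds on a libc that lacks it.

```c
/*
 * Added example (not mount_tmpfs code): copy a user-supplied path into a
 * fixed-size field and refuse, rather than silently truncate, when it does
 * not fit. MNAMELEN and the function names are this example's own.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MNAMELEN 90   /* size of the destination field (this example's pick) */

/* Portable stand-in with strlcpy(3) semantics: NUL-terminates whenever
 * dstsz > 0 and returns strlen(src), so the caller can detect truncation. */
size_t
xstrlcpy(char *dst, const char *src, size_t dstsz)
{
	size_t srclen = strlen(src);
	if (dstsz > 0) {
		size_t n = srclen < dstsz - 1 ? srclen : dstsz - 1;
		memcpy(dst, src, n);
		dst[n] = '\0';
	}
	return srclen;
}

/* The pattern being objected to: copy and carry on, whatever happened. */
void
copy_path_unchecked(char *dst, size_t dstsz, const char *src)
{
	(void)xstrlcpy(dst, src, dstsz);
}

/* Returns 0 and fills dst, or -1 with errno = ENAMETOOLONG on truncation. */
int
copy_path_checked(char *dst, size_t dstsz, const char *src)
{
	size_t need = xstrlcpy(dst, src, dstsz);
	if (need >= dstsz) {
		/* a truncated copy is already NUL-terminated; wipe it so a caller
		 * that ignores the return value cannot use half a path */
		if (dstsz > 0)
			dst[0] = '\0';
		errno = ENAMETOOLONG;
		return -1;
	}
	return 0;
}

static char g_src[256];
static char g_dst[MNAMELEN];

/* Constructed input: a path of n 'a' characters (n < sizeof g_src). */
const char *
make_src(size_t n)
{
	memset(g_src, 'a', n);
	g_src[n] = '\0';
	return g_src;
}

int
main(void)
{
	int rv = copy_path_checked(g_dst, sizeof g_dst, make_src(200));
	printf("checked copy of 200-byte path: rv=%d errno=%d dst=\"%s\"\n",
	    rv, rv ? errno : 0, g_dst);
	copy_path_unchecked(g_dst, sizeof g_dst, make_src(200));
	printf("unchecked copy kept %zu bytes and went on\n", strlen(g_dst));
	return 0;
}
```

The boundary case worth remembering is that a source of exactly dstsz - 1 bytes fits, while dstsz bytes does not, which is what the `need >= dstsz` comparison expresses; a zero-sized destination is rejected without touching it.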

Re: pppoe(4), add example for ipv6

2014-10-22 Thread Henning Brauer
* Chris Cappuccio ch...@nmedia.net [2014-10-22 01:11]: Stuart Henderson [st...@openbsd.org] wrote: Any comments on the diff in this? +#ifdef INET6 + sc-sc_sppp.pp_if.if_xflags = ~IFXF_NOINET6; +#endif Aside from what Stefan said, isn't this flag going to be removed in favor of a
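Review bot: clearing IFXF_NOINET6 unconditionally when the pppoe interface attaches (the `if_xflags = ~IFXF_NOINET6` line, where the `&=` appears to have been lost in extraction) re-enables inet6 on every pppoe(4) interface regardless of the system-wide default, and it ties pppoe to a flag that the "IFXF_NOINET doesn't make sense any more" thread on this page proposes to retire in favour of IFAFATTACH/IFAFDETACH ioctls; enabling inet6 through the ifconfig-driven attach path instead would survive that change.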

Re: pppoe(4), add example for ipv6

2014-10-23 Thread Henning Brauer
(ifar.ifar_name)); ^ name you're absolutely right; it works correctly nonetheless because of the global name var that happens to carry the ifname, too... oh ifconfig. fixed, thx.

wrong mac address used with carp and unnumbered carpdevs

2014-10-28 Thread Henning Brauer
) { #ifdef INET

Re: remove obsolete nd6 ioctls

2013-08-15 Thread Henning Brauer
? if ports are fine with it, i'm fine as well (: what Sir Mike said.

Re: in_var.h incudes in6_var.h

2013-09-05 Thread Henning Brauer
. Is this a good idea? comments/ok? I like the idea but we should be careful about ports assuming that in_var.h includes in6_var.h even if there's no RFC requirement. indeed, that needs to be checked. otherwise ok.

Re: osfp pfctl and states

2013-09-06 Thread Henning Brauer
hould look into. no, creatorID is for pfsync setups to know which node created the state.

Re: osfp pfctl and states

2013-09-12 Thread Henning Brauer
not least hurts performance), so it has to be truly worth it. I don't see that in this case.

Re: defer routing table updates on link state changes

2013-09-12 Thread Henning Brauer
the OS-private ifindex and making assumptions about it is the root problem. but since that's in the standards, there are only 2 possible solutions I see: -keep trying to please snmp in the way we assign ifindex -let snmpd (or sth else) make up ifindices just for that purpose

Re: Iso image integrity verification

2013-09-13 Thread Henning Brauer
set. it's more than good enough for the PCI DSS theatre (been there).

Re: defer routing table updates on link state changes

2013-09-13 Thread Henning Brauer
* Reyk Floeter r...@openbsd.org [2013-09-13 10:20]: please read the history: if_index _was_ created for SNMP. I'm not at all certain you got the history right there...

cksum pseudo-header wankery

2013-10-18 Thread Henning Brauer
so stop that pseudo-header wankery. v6 doesn't have it at all. instead of incrementally pre-computing a tiny part of the proto cksum, just do it in in_proto_cksum_out when needed. makes everything else in the stack super easy: need cksum? set flag, done. stack and pf cases tested with all 3

Re: unlimited HFSC v3: more readable, less hacks

2013-10-21 Thread Henning Brauer
on it is clear. besides, newqueue isn't a 100% replacement yet. last not least RED (or sth similar) is missing.

Re: IPv6 routing header type 0

2013-11-14 Thread Henning Brauer
it to pf. aka the status quo.

Re: IPv6 routing header type 0

2013-11-14 Thread Henning Brauer
sure you were in the loop even. I stand by my point either way. the stack check for forwarded packets is either very incomplete or expensive. the approach stack protects the local machine (in this case: don't obey RH0), pf handles forwarded packets matches what we do generally.
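Whether the local stack or pf does it, "don't obey RH0" starts with finding the routing header in the IPv6 extension header chain without trusting any length field in it. The following is an added example, not OpenBSD stack or pf code: it walks the chain from a flat buffer, checks every header length against the buffer before reading, reports an RH0 and its segments-left count, and applies the local-stack policy described in this message (a type 0 routing header with segments left is never acted on). The packet bytes are constructed for the example and the names are this example's own.

```c
/*
 * Added example (not OpenBSD code): walk an IPv6 extension header chain in
 * a contiguous buffer and report a type 0 routing header (RH0, deprecated
 * by RFC 5095), checking each length against the buffer before any read.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IP6_HDRLEN  40
#define NH_HOPOPTS   0
#define NH_ROUTING  43
#define NH_FRAGMENT 44
#define NH_DSTOPTS  60
#define NH_ICMPV6   58

struct rh_scan {
	int     has_rh0;        /* RH0 present anywhere in the chain */
	uint8_t segments_left;  /* from the RH0; 0 means it is inert */
	uint8_t final_proto;    /* next header after the last extension */
	size_t  payload_off;    /* offset of that upper-layer header */
};

/* Returns 0 on success, -1 if the chain runs past the end of the buffer. */
int
scan_rh0(const uint8_t *pkt, size_t len, struct rh_scan *out)
{
	uint8_t nh;
	size_t  off = IP6_HDRLEN, hlen;

	memset(out, 0, sizeof *out);
	if (len < IP6_HDRLEN || (pkt[0] >> 4) != 6)
		return -1;
	nh = pkt[6];
	for (;;) {
		switch (nh) {
		case NH_HOPOPTS: case NH_ROUTING: case NH_DSTOPTS:
			if (off + 2 > len)
				return -1;
			hlen = ((size_t)pkt[off + 1] + 1) * 8;  /* ext len is in 8-octet units, first 8 excluded */
			break;
		case NH_FRAGMENT:
			hlen = 8;                               /* fixed size */
			break;
		default:
			out->final_proto = nh;
			out->payload_off = off;
			return 0;
		}
		if (off + hlen > len)
			return -1;      /* the header claims bytes we do not have */
		if (nh == NH_ROUTING && pkt[off + 2] == 0) {
			out->has_rh0 = 1;
			out->segments_left = pkt[off + 3];
		}
		nh = pkt[off];
		off += hlen;
	}
}

/* Local-stack policy from the thread: never obey an RH0 with segments left.
 * Returns 1 when the packet should be dropped (malformed chains too). */
int
rh0_should_drop(const uint8_t *pkt, size_t len)
{
	struct rh_scan s;
	if (scan_rh0(pkt, len, &s) < 0)
		return 1;
	return s.has_rh0 && s.segments_left > 0;
}

static uint8_t g_pkt6[128];
static struct rh_scan g_scan;

/* Constructed sample: ::1 -> ::2, hop-by-hop (PadN), RH0 via ::3 with the
 * given segments-left count, then an ICMPv6 echo request. Returns length. */
size_t
build_sample_rh0(uint8_t *buf, uint8_t segments_left)
{
	static const uint8_t p[] = {
		0x60,0,0,0, 0x00,0x28, NH_HOPOPTS, 64,
		0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,1,    /* src ::1 */
		0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,2,    /* dst ::2 */
		NH_ROUTING, 0, 1,4, 0,0,0,0,         /* hop-by-hop: PadN(4) */
		NH_ICMPV6, 2, 0, 0, 0,0,0,0,         /* routing: type 0, segleft patched below */
		0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,3,    /* ::3 */
		0x80,0, 0,0, 0,1, 0,1 };             /* ICMPv6 echo request, cksum 0 */
	memcpy(buf, p, sizeof p);
	buf[IP6_HDRLEN + 8 + 3] = segments_left;
	return sizeof p;
}

int
main(void)
{
	size_t n = build_sample_rh0(g_pkt6, 1);
	if (scan_rh0(g_pkt6, n, &g_scan) == 0)
		printf("rh0=%d segleft=%u proto=%u drop=%d\n", g_scan.has_rh0,
		    g_scan.segments_left, g_scan.final_proto, rh0_should_drop(g_pkt6, n));
	return 0;
}
```

A forwarding box that wants the pf-side behaviour would use the same scan and drop on `has_rh0` alone; the difference between the two policies is one condition, the parsing is shared.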

Re: IPv6 routing header type 0

2013-11-14 Thread Henning Brauer
to prove it; don't see the point, doesn't change anything now anyway. The non-pf RH0 filtering case is worthwhile. and here we disagree.

Re: IPv6 routing header type 0

2013-11-14 Thread Henning Brauer
there at all and b) several pf pairs behind it and nothing else - as in, everything else is behind those pf boxes.

Re: IPv6 routing header type 0

2013-11-15 Thread Henning Brauer
:)

icmp cksums

2013-11-20 Thread Henning Brauer
make the icmp stack use the fake offload engine. prevents double cksumming in some cases and happens to fix a bug in an obscure, constructed case. Index: ip_icmp.c === RCS file: /cvs/src/sys/netinet/ip_icmp.c,v retrieving revision

msgbuf_write audit

2013-11-20 Thread Henning Brauer
so, msgbuf_write can now (again) return EAGAIN. some daemons have been fixed/adopted, some not. I did a full audit of the tree for all msgbuf_write users EAGAIN handling - this is the result. Index: usr.sbin/dvmrpd/control.c === RCS

Re: pf.os: add additional fingerprints

2013-12-03 Thread Henning Brauer
then is the way to go. Please somebody pick that up.

Re: security(8) check maildir as well as mailbox permissions

2013-12-19 Thread Henning Brauer
whether Maildirs in /var/mail are a common enough setup to warrant a check in security.

Re: rc default PF ruleset too restrictive for DHCPv6

2014-01-19 Thread Henning Brauer
* Kenneth Westerback kwesterb...@gmail.com [2014-01-19 09:56]: *But what is the practical problem being addressed? Is dhcp not functional with the existing default **ruleset?* it's not correct and we rely on dhclient falling back to a new discovery eventually.

received-on any

2014-01-20 Thread Henning Brauer
henning Exp $ .\ .\ Copyright (c) 2002, Daniel Hartmeier .\ Copyright (c) 2003 - 2013 Henning Brauer henn...@openbsd.org @@ -276,6 +276,8 @@ see the .Ic group keyword in .Xr ifconfig 8 . +.Ar any +will match any existing interface except loopback ones. .It Ar on Ar rdomain Aq Ar number This rule
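Review bot: the added `.Ar any` text says which interfaces it matches but not what the match means in the `received-on` context it is documented under (the hunk sits between the interface-group reference and `.It Ar on Ar rdomain`), so a reader can take `received-on any` as "match everything"; one more sentence saying that it matches packets that arrived on some interface at all, which is how the follow-up /etc/rc ruleset thread uses it to catch forwarded carp and NFS/rpc traffic, would make the loopback exception easier to understand as well.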

tighten /etc/rc's pf ruleset slightly further

2014-01-20 Thread Henning Brauer
absolutely prevent forwarding carp or NFS/rpc using the shiny new received-on any. can only minimally test that here. need at least one carp and one diskless test. Index: rc === RCS file: /cvs/src/etc/rc,v retrieving revision 1.420

_SUM_IN_OK flags

2014-01-23 Thread Henning Brauer

help needed from someone with an sk(4)

2014-01-23 Thread Henning Brauer
16) + + (u_int16_t)(dst /* 0x*/); + + sum = (u_int16_t)(sum 16) + (u_int16_t)(sum /* 0x*/); + + if (sum 0x) + sum -= 0x; + + return (sum); } /*

pf_send_tcp: ask the stack to do the cksum instead of doing it manually

2014-01-23 Thread Henning Brauer
(struct ip6_hdr), tlen); - - h6-ip6_vfc |= IPV6_VERSION; - h6-ip6_hlim = IPV6_DEFHLIM; - ip6_output(m, NULL, NULL, 0, NULL, NULL, NULL); break; #endif /* INET6 */

tcp_respond: let the stack worry about the ksum

2014-01-23 Thread Henning Brauer
); ip-ip_len = htons(tlen); ip-ip_ttl = ip_defttl; + ip-ip_tos = 0; ip_output(m, (void *)NULL, ro, ip_mtudisc ? IP_MTUDISC : 0, (void *)NULL, tp ? tp-t_inpcb : (void *)NULL); }

Re: tcp_respond: let the stack worry about the ksum

2014-01-23 Thread Henning Brauer
); }

Re: help needed from someone with an sk(4)

2014-01-24 Thread Henning Brauer
* Henning Brauer lists-openbsdt...@bsws.de [2014-01-24 05:50]: i need this tested on an sk(4). I don't have that hardware at all. this gets rid of a slight little bit more. Index: netinet/in.h === RCS file: /cvs/src/sys/netinet

Re: help needed from someone with an sk(4)

2014-01-24 Thread Henning Brauer
* Ted Unangst t...@tedunangst.com [2014-01-24 17:48]: On Fri, Jan 24, 2014 at 16:27, Christian Weisgerber wrote: Henning Brauer lists-openbsdt...@bsws.de wrote: i need this tested on an sk(4). I don't have that hardware at all. [Summary: Henning wants to confine in_cksum_phdr

Re: help needed from someone with an sk(4)

2014-02-05 Thread Henning Brauer
* David Higgs hig...@gmail.com [2014-01-25 18:25]: On Jan 25, 2014, at 12:48 AM, David Higgs hig...@gmail.com wrote: On Fri, Jan 24, 2014 at 4:24 AM, Henning Brauer lists-openbsdt...@bsws.de wrote: * Henning Brauer lists-openbsdt...@bsws.de [2014-01-24 05:50]: i need this tested

Re: Routing issues

2014-02-17 Thread Henning Brauer
do you emit such a message in pcap? as payload with a dummy packet header? (N!!)

Re: Routing issues

2014-02-17 Thread Henning Brauer
* Philipp e1c1bac6253dc54a1e89ddc046585...@posteo.net [2014-02-17 13:36]: On 17.02.2014 13:11 Henning Brauer wrote: how do you emit such a message in pcap? as payload with a dummy packet header? (N!!) pf is taking action without telling anyone - and that's not nice

Re: Routing issues

2014-02-17 Thread Henning Brauer
with pfctl's textual form state-limit is definitely a bit confusing. yup. the default of 1 might be a bit small today as well. it's not like a higher one would cost anything these days. 100k?

Re: Routing issues

2014-02-17 Thread Henning Brauer
is that because of adaptive timeouts you can end up with failing connections without hitting the hard state limit. I think those connections will not show up in the stats (I could be wrong). failing connections because of adaptive timeouts? HUH?

Re: Packet Filter nat-to issue

2014-02-28 Thread Henning Brauer
* Loïc Blot loic.b...@unix-experience.fr [2014-02-28 11:33]: Is this normal ? yes.

Re: remove pf_check_congestion()

2014-03-07 Thread Henning Brauer
be the max I'd find acceptable - but I'm certain you won't be able to demonstrate any performance benefit (previous profiling is pretty clear on that).

Re: ffs2 boot

2014-04-17 Thread Henning Brauer
router has 8 cores available doesn't really help it very much. (Maybe BGP converges a little bit faster?) it can help bgpd indeed. Ditto for my DNS servers, my mail server, my proxy server, etc. depends on the workload. heavy content filtering on mailservers will benefit.

Re: help needed from someone with an sk(4)

2014-04-18 Thread Henning Brauer
so, what are we doing with this now? I still want to hide in_cksum_phdr() and kill in_cksum_addword() so that nobody ever uses that sh*t again. yes, sk loses its half-baked cksum offload support with this, as discussed before. as naddy pointed out there are (at least) two private copies of
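The "cksum pseudo-header wankery", "icmp cksums" and this sk(4) thread all argue for the same shape: protocol code sets a flag and one output-side routine computes the transport checksum (pseudo-header included for TCP/UDP, none for ICMP) only when the outgoing interface cannot offload it, instead of partial sums being pre-computed with in_cksum_phdr() and in_cksum_addword() all over the stack. The following is an added example, not OpenBSD's in_proto_cksum_out() or any code from these threads: it models that approach on a flat IPv4 buffer with a constructed SYN segment, and the flag names (M_TCP_CSUM_OUT and friends), IFCAP_ bits and struct pkt are this example's own. The RFC 1071 sample bytes are the ones from that RFC's worked example.

```c
/*
 * Added example (not OpenBSD code): "set a flag, let the output path
 * checksum when needed". The protocol layer marks the packet; a single
 * proto_cksum_out() either computes the transport checksum in software
 * (IPv4 pseudo-header for TCP/UDP, none for ICMP) or leaves it to a NIC
 * that advertises offload. Flag, capability and struct names are this
 * example's own; the packet bytes are constructed.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IPPROTO_ICMP 1
#define IPPROTO_TCP  6
#define IPPROTO_UDP  17

#define M_TCP_CSUM_OUT   0x01   /* per-packet "please checksum this" flags */
#define M_UDP_CSUM_OUT   0x02
#define M_ICMP_CSUM_OUT  0x04
#define IFCAP_CSUM_TCPv4 0x01   /* interface offload capabilities */
#define IFCAP_CSUM_UDPv4 0x02

struct pkt {
	uint8_t  buf[128];
	size_t   len;          /* total length, IP header included */
	unsigned csum_flags;
};

/* RFC 1071 ones-complement sum over big-endian 16-bit words. */
static uint32_t
cksum_add(const uint8_t *p, size_t n, uint32_t sum)
{
	for (; n > 1; p += 2, n -= 2)
		sum += (uint32_t)p[0] << 8 | p[1];
	if (n)
		sum += (uint32_t)p[0] << 8;   /* odd trailing byte, zero padded */
	return sum;
}

/* Fold carries until the sum fits 16 bits, then complement. */
static uint16_t
cksum_fold(uint32_t sum)
{
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)~sum;
}

uint16_t
in_cksum(const uint8_t *p, size_t n)
{
	return cksum_fold(cksum_add(p, n, 0));
}

/* Transport checksum of the segment in an IPv4 packet; the pseudo-header
 * (src, dst, zero, proto, transport length) is added for TCP/UDP only. */
uint16_t
proto_cksum(const uint8_t *ip, size_t len)
{
	size_t   hlen = (ip[0] & 0x0f) * 4, tlen = len - hlen;
	uint8_t  proto = ip[9];
	uint32_t sum = 0;

	if (proto == IPPROTO_TCP || proto == IPPROTO_UDP) {
		uint8_t ph[12];
		memcpy(ph, ip + 12, 8);
		ph[8] = 0; ph[9] = proto;
		ph[10] = (uint8_t)(tlen >> 8); ph[11] = (uint8_t)tlen;
		sum = cksum_add(ph, sizeof ph, 0);
	}
	return cksum_fold(cksum_add(ip + hlen, tlen, sum));
}

/* Returns 1 if computed in software, 0 if left to hardware, -1 if no flag set. */
int
proto_cksum_out(struct pkt *m, unsigned ifcap)
{
	size_t   hlen = (m->buf[0] & 0x0f) * 4, off;
	uint16_t ck;

	if (m->csum_flags & M_TCP_CSUM_OUT) {
		if (ifcap & IFCAP_CSUM_TCPv4)
			return 0;
		off = hlen + 16;
	} else if (m->csum_flags & M_UDP_CSUM_OUT) {
		if (ifcap & IFCAP_CSUM_UDPv4)
			return 0;
		off = hlen + 6;
	} else if (m->csum_flags & M_ICMP_CSUM_OUT) {
		off = hlen + 2;         /* no hardware offload for ICMP here */
	} else
		return -1;
	m->buf[off] = m->buf[off + 1] = 0;
	ck = proto_cksum(m->buf, m->len);
	if ((m->csum_flags & M_UDP_CSUM_OUT) && ck == 0)
		ck = 0xffff;            /* UDP: a zero checksum means "none" */
	m->buf[off] = ck >> 8; m->buf[off + 1] = ck & 0xff;
	m->csum_flags &= ~(M_TCP_CSUM_OUT | M_UDP_CSUM_OUT | M_ICMP_CSUM_OUT);
	return 1;
}

/* Constructed sample: 10.0.0.1:1234 -> 10.0.0.2:80 SYN, checksum zeroed. */
void
build_sample_syn(struct pkt *m)
{
	static const uint8_t syn[] = {
		0x45,0x00,0x00,0x28, 0x00,0x00,0x40,0x00, 0x40,0x06,0x00,0x00,
		10,0,0,1, 10,0,0,2,
		0x04,0xd2, 0x00,0x50, 0,0,0,0, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0 };
	memset(m, 0, sizeof *m);
	memcpy(m->buf, syn, sizeof syn);
	m->len = sizeof syn;
	m->csum_flags = M_TCP_CSUM_OUT;
}

static const uint8_t rfc1071_sample[] = { 0x00,0x01,0xf2,0x03,0xf4,0xf5,0xf6,0xf7 };
static struct pkt g_pkt;

int
main(void)
{
	build_sample_syn(&g_pkt);
	proto_cksum_out(&g_pkt, 0);
	printf("rfc1071 sample 0x%04x, tcp cksum 0x%02x%02x, verify 0x%04x\n",
	    in_cksum(rfc1071_sample, sizeof rfc1071_sample),
	    g_pkt.buf[36], g_pkt.buf[37], proto_cksum(g_pkt.buf, g_pkt.len));
	return 0;
}
```

The verification step is the useful property to keep in mind: recomputing proto_cksum() over a segment that already carries a correct checksum yields 0, which is also how a receiver without offload validates it. With offload advertised, proto_cksum_out() leaves the flag set so the driver can see what the hardware still owes.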

Re: tighten /etc/rc's pf ruleset slightly further

2014-04-18 Thread Henning Brauer
this one is still open as well. oks? * Henning Brauer lists-openbsdt...@bsws.de [2014-01-21 03:24]: absolutely prevent forwarding carp or NFS/rpc using the shiny new received-on any. can only minimally test that here. need at least one carp and one diskless test. Index: rc

Re: carp shutdown in /etc/rc

2011-02-04 Thread Henning Brauer
* Camiel Dobbelaar c...@sentia.nl [2011-02-04 13:21]: With hundreds of (vlan) interfaces, a shutdown takes quite a while. Fix below. hmm. this relies on all carp interfaces being in the carp interface group. while that is the default, it is not necessarily so.

Re: carp shutdown in /etc/rc

2011-02-04 Thread Henning Brauer
* Camiel Dobbelaar c...@sentia.nl [2011-02-04 15:30]: On 4-2-2011 15:06, Stuart Henderson wrote: On 2011/02/04 14:37, Camiel Dobbelaar wrote: On 4-2-2011 13:32, Henning Brauer wrote: * Camiel Dobbelaar c...@sentia.nl [2011-02-04 13:21]: With hundreds of (vlan) interfaces, a shutdown takes

Re: carp shutdown in /etc/rc

2011-02-04 Thread Henning Brauer
pppoeX - pppoe group and so on -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting

Re: carp shutdown in /etc/rc

2011-02-04 Thread Henning Brauer
* Tobias Weingartner weing...@tepid.org [2011-02-04 20:19]: On Friday, February 4, Henning Brauer wrote: i don't think there is is special treatment for the carp group. but memory is fuzzy. we might very well forget to clean up when a group becomes empty. There is a bit of an inconsistency

Re: incorrect fallthrough in pf

2011-02-05 Thread Henning Brauer
for that matter)? Somebody could send us such a packet. I'm pretty damn sure we catch that way earlier.

Re: httpd(8) - allow location of etag-state to be configured

2011-02-06 Thread Henning Brauer
