Re: Make ospf6d work on point-to-point links
On 06/01/2021 14:02, Claudio Jeker wrote:
> The code in ospf6d is a bit broken when it comes to point-to-point links.
> This diff fixes this by a) using the neighbor address instead of the unset
> interface destination address and by b) matching the incoming packet against
> all possible IPs of that interface.
>
> I tripped on b) because my P2P interface has more than one link-local
> address and the code just likes to select the wrong one.
>
> This works for my case, please check I did not break something else.

With this, the annoying

send_ls_update: Network is unreachable
send_packet: error sending packet on interface vlanXXX to ::: Network is unreachable

is gone :)

Other than that, I didn't have any other problem with p2p, neither have now. Failover worked fine, demote worked fine.

G
Re: fix ospfd parse.y shift/reduce conflicts
On 06/01/2021 12:11, Claudio Jeker wrote:
> The dependon statement in ospfd parse.y introduces some troubles since it
> holds an empty rule that then conflicts with optnl. This diff changes
> dependon into dependon and dependonopt so that in the place where it is
> optional dependonopt can be used and in the places where it must not be
> optional it isn't. With this the shift/reduce conflicts are gone.
>
> While at it cleanup some other rules and use the same optnl idiom for area
> and interface (it is the same one as used by bgpd).
>
> Please test this with your configs to see if this causes any parse errors
> (ospfd -n should be enough for this).

./ospfd -n
configuration OK

I have depend on carpXXX on 2 interfaces

G
relayd exit with check_table: cannot get table stats
Hi,

I've sent a bug report to bugs@ with subject "relayd crashing some times".

After I disable all hosts from a redirect, I get random fatal() errors from check_tables() like the one below:

pfe: check_table: cannot get table stats for dir-sieve@relayd/dir-sieve: No such file or directory

Even running with debug I can't find why the table is missing. kill_tables() is not being called from relayd. Don't know if some other part of pf is messing with the tables. I don't have access to them with pfctl, apart from pfctl -vsA where I see the specific redirect/table missing after the error.

I can't find a consistent way to reproduce it, but maybe statistics could be disabled when redirects or tables are down or empty.

The following disables statistics updating when the redirect is disabled and when the table is either disabled or all hosts in the table are disabled. It does not solve the problem of the missing table(s) but at least it doesn't go down the fatal path in that case...

Index: pfe.c === RCS file: /cvs/src/usr.sbin/relayd/pfe.c,v retrieving revision 1.90 diff -u -p -r1.90 pfe.c --- pfe.c 14 Sep 2020 11:30:25 - 1.90 +++ pfe.c 5 Jul 2023 20:59:41 - @@ -790,8 +790,12 @@ pfe_statistics(int fd, short events, voi getmonotime(&tv_now); TAILQ_FOREACH(rdr, env->sc_rdrs, entry) { - cnt = check_table(env, rdr, rdr->table); - if (rdr->conf.backup_id != EMPTY_TABLE) + if (rdr->conf.flags & F_DISABLE) + continue; + if (!(rdr->table->conf.flags & F_DISABLE) && rdr->table->up > 0) + cnt = check_table(env, rdr, rdr->table); + if (rdr->conf.backup_id != EMPTY_TABLE && !(rdr->backup->conf.flags & F_DISABLE) && + rdr->backup->up > 0) cnt += check_table(env, rdr, rdr->backup); resethour = resetday = 0;
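Review bot: `cnt` is no longer assigned on every iteration of the pfe_statistics loop. When the primary table is disabled or has no host up, the first `check_table()` call is skipped and the later `cnt += check_table(env, rdr, rdr->backup)` adds to whatever `cnt` still holds from the previous redirect (or to an uninitialised value on the first one); put `cnt = 0;` at the top of the loop body. The `continue` for `F_DISABLE` redirects also skips the `resethour = resetday = 0;` bookkeeping that follows, so the hourly and daily counters of a disabled redirect are never reset while it stays disabled; say whether that is intended.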
relayd redirect does not stay down for disabled table
Hello,

I have a problem with relayd and redirects. If I disable a table, the redirect stays down only for a while. After a few seconds, the redirect gets active again and forwards to the disabled table.

Same happens for a redirect with a backup forward table. The redirect points momentarily to the backup table but after a while forwards to the disabled table.

This happens only with a combination of a table with parent hosts.

patch at bottom

regards,

Giannis

table { dir1 retry 2, dir2 retry 2 }
table { dir1 parent 1 retry 2, dir2 parent 2 retry 2 }
table { foo1 retry 2, foo2 retry 2 }

redirect dir-imap {
        listen on $dir_addr port imaps pftag RELAYD_dir sticky-address
        forward to port 993 mode least-states check icmp
}

redirect dir-pop {
        listen on $dir_addr port pop3s pftag RELAYD_dir sticky-address
        forward to port 995 mode least-states check icmp
}

redirect dir-lmtp {
        listen on $dir_addr port 24 pftag RELAYD_dir sticky-address
        forward to port 24 mode least-states check icmp
        forward to port 24 mode least-states check icmp
}

# relayctl show sum
Id   Type       Name             Avlblty   Status
1    redirect   dir-imap                   active
1    table      dir:993                    active (2 hosts)
1    host       dir1             100.00%   up
2    host       dir2             100.00%   up
2    redirect   dir-pop                    active
2    table      dir_:995                   active (2 hosts)
3    host       dir1 parent 1    100.00%   up
4    host       dir2 parent 2    100.00%   up
3    redirect   dir-lmtp                   active
3    table      dir_:24                    active (2 hosts)
5    host       dir1 parent 1    100.00%   up
6    host       dir2 parent 2    100.00%   up
4    table      dir_backup:24              active (2 hosts)
7    host       foo1             100.00%   up
8    host       foo2             100.00%   up

# relayctl table dis dir_:995
disable_table: table 2
flush_table: flushed table dir-pop
pfe_sync: disabling ruleset
sync_ruleset: rules removed
pfe_dispatch_hce: state 1 for host 4 dir2
pfe_dispatch_hce: state 1 for host 3 dir1

# relayctl show sum
Id   Type       Name             Avlblty   Status
2    redirect   dir-pop                    down
2    table      dir_:995                   disabled

# pfctl -a 'relayd/*' -sr
anchor "dir-pop" all {
}
// empty as it should

But after a while:

table dir-pop: 2 added, 0 deleted, 0 changed, 0 killed
pfe_sync: enabling ruleset
sync_ruleset: rule added to anchor "relayd/dir-pop"

# relayctl show sum
Id   Type       Name             Avlblty   Status
2    redirect   dir-pop                    active
2    table      dir_:995                   disabled

Although the table is disabled, the redirect comes active, the pf rule in the anchor is active and the table has dir1 and dir2 inside.

# pfctl -a 'relayd/*' -sr
anchor "dir-pop" all {
  pass in quick on rdomain 0 inet proto tcp from any to $dir_addr port = 995 flags S/SA keep state (tcp.established 600) tag RELAYD_dir rdr-to port 995 least-states sticky-address
}

Same happens with the backup table on the last dir-lmtp redirect. The table is updated momentarily with the backup hosts, but after a while traffic is forwarded back to the primary hosts although their table is disabled.

# relayctl show sum
Id   Type       Name             Avlblty   Status
3    redirect   dir-lmtp                   active
3    table      dir_:24                    active (2 hosts)
5    host       dir1 parent 1    100.00%   up
6    host       dir2 parent 2    100.00%   up
4    table      dir_backup:24              active (2 hosts)
7    host       foo1             100.00%   up
8    host       foo2             100.00%   up

# relayctl table dis dir_:24
disable_table: table 3
table dir-lmtp: 2 added, 2 deleted, 0 changed, 0 killed
pfe_dispatch_hce: state 1 for host 6 dir2
pfe_dispatch_hce: state 1 for host 5 dir1

# relayctl show sum
Id   Type       Name             Avlblty   Status
3    redirect   dir-lmtp                   active (using backup table)
3    table      dir_:24                    disabled
4    table      dir_backup:24              active (2 hosts)
7    host       foo1             100.00%   up
8    host       foo2             100.00%
Re: pf(4) may cause relayd(8) to abort
Just for the record, I'm running that pf_table patch for almost a month now without any negative impact on my load balancers (pfsync/carp/relayd). It also solved my problem with relayd.

However I believe some care should also be taken on the relayd part:
- do not check statistics on disabled redirects
- make redirect respect disabled table

I did post some patches on tech@, don't know if they are ok but I do also run them on my load balancers.

https://marc.info/?l=openbsd-tech&m=168859090917010&w=2
https://marc.info/?l=openbsd-tech&m=168899743827537&w=2

G

On 01/08/2023 02:50, Alexandr Nedvedicky wrote:
> Hello,
>
> the issue has been reported by Gianni Kapetanakis month ago [1]. It took
> several emails to figure out relayd(8) exits after hosts got disabled
> by 'relayctl host dis ...'
>
> The thing is that relayd(8) relies on pf(4) to create persistent
> tables (PFR_TFLAG_PERSIST) as relayd requests that:
>
> 47 void
> 48 init_tables(struct relayd *env)
> 49 {
> ...
> 62 TAILQ_FOREACH(rdr, env->sc_rdrs, entry) {
> 63 if (strlcpy(tables[i].pfrt_anchor, RELAYD_ANCHOR "/",
> 64 sizeof(tables[i].pfrt_anchor)) >= PF_ANCHOR_NAME_SIZE)
> 65 goto toolong;
> 66 if (strlcat(tables[i].pfrt_anchor, rdr->conf.name,
> 67 sizeof(tables[i].pfrt_anchor)) >= PF_ANCHOR_NAME_SIZE)
> 68 goto toolong;
> 69 if (strlcpy(tables[i].pfrt_name, rdr->conf.name,
> 70 sizeof(tables[i].pfrt_name)) >=
> 71 sizeof(tables[i].pfrt_name))
> 72 goto toolong;
> 73 tables[i].pfrt_flags |= PFR_TFLAG_PERSIST;
> 74 i++;
> 75 }
>
> unfortunately it's not the case as further investigation revealed [2].
>
> the issue can be easily reproduced by pfctl(8) which also creates
> persistent tables on behalf of command line:
>
> pfctl -t foo -T add ...
>
> command above always asks pf(4) to create persistent table, however
> pf(4) does not honor persistent flag when table exists already.
> One can verify that using commands as follows: > > ## create 'referenced' table only (table exists but has no active flag) > # echo 'pass from in to any' |pfctl -f - > # pfctl -sT -vg > r-- foo > # create instance of table using command line: > # pfctl -t foo -T add 192.168.1.0/24 > 1/1 addresses added. > # pfctl -sT -vg > --a-r-- foo > ## create instance of table , note the table will get 'p' flag > # pfctl -t bar -T add 192.168.10.0/24 > 1 table created. > 1/1 addresses added. > # pfctl -sT -vg > -pa bar > --a-r-- foo > > one-liner change to sys/net/pf_table.c fixes that it also works for Gianni > Kapetanakis. I'm also adding tests to regress/sys/net/pf_table/Makefile > to cover it. > > On system which runs current the test fails with error as follows: > > pfctl -a regress/ttest -t instance -T add 192.168.1.0/24 > 1/1 addresses added. > pfctl -a regress/ttest -sT -vg | diff table-persist.out - > 1c1 > < -pa-r-- instanceregress/ttest > --- > > --a-r-- instanceregress/ttest > *** Error 1 in . (Makefile:96 'flags') > FAILED > > the failure is expected on system without patch. On system with > patch applied all tests do pass. > > OK to commit? > > thanks and > regards > sashan > > > [1] https://marc.info/?t=16881127045&r=1&w=2 > > [2] https://marc.info/?l=openbsd-bugs&m=168868165801905&w=2 > > 8<---8<---8<--8< > diff --git a/sys/net/pf_table.c b/sys/net/pf_table.c > index 6f23a6f795d..c862c804f84 100644 > --- a/sys/net/pf_table.c > +++ b/sys/net/pf_table.c > @@ -1565,8 +1565,10 @@ pfr_add_tables(struct pfr_table *tbl, int size, int > *nadd, int flags) > xadd++; > } else if (!(flags & PFR_FLAG_DUMMY) && > !(p->pfrkt_flags & PFR_TFLAG_ACTIVE)) { > - p->pfrkt_nflags = (p->pfrkt_flags & > - ~PFR_TFLAG_USRMASK) | PFR_TFLAG_ACTIVE; > + p->pfrkt_nflags = > + (p->pfrkt_flags & ~PFR_TFLAG_USRMASK) | > + (n->pfrkt_flags & PFR_TFLAG_USRMASK) | > + PFR_TFLAG_ACTIVE; > SLIST_INSERT_HEAD(&changeq, p, pfrkt_workq); > } > } 
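Review bot: the new expression in pfr_add_tables ORs in `n->pfrkt_flags & PFR_TFLAG_USRMASK`, i.e. every user-settable flag of the request, while the commit message only talks about PFR_TFLAG_PERSIST. If USRMASK covers more than the persist bit (the const flag, for instance), adding addresses to an existing referenced table would now also promote it to those flags; either mask with PFR_TFLAG_PERSIST only, or state in the commit message that propagating the other user flags on activation is wanted. The regress expectation shown (`-pa-r--`) only exercises the persist bit.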
> diff --git a/regress/sys/net/pf_table/Makefile > b/regress/sys/net/pf_table/Makefile > index a71f0190c73..8911e8a1d35 100644 > --- a/regress/sys/net/pf_table/Makefile > +++ b/regress/sys/net/pf_table/Makefile > @@ -1,15 +1,26 @@ > #$OpenBSD: Makefile,v 1.3 2017/07/07 23:15:27 bluhm Exp $ > > -REGRESS_TARGETS= hit miss cleanup > -CLEANFILES= stamp-* > +REGRESS_TARGETS= hit miss cleanup flags > +CLEANFILES= stamp-* \ > + pf-r
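Review bot: `REGRESS_TARGETS= hit miss cleanup flags` runs `cleanup` before the new `flags` target, so whatever `flags` creates in the `regress/ttest` anchor (the `instance` table in the failing output quoted above) is left on the system after the run; list `flags` before `cleanup`, or have `flags` remove its own table. The hunk is cut off on this page after `CLEANFILES`, so the recipe itself cannot be reviewed here.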
relayd does not delete control socket on shutdown
After 7.4 relayd does not unlink its socket.

I've added the following but it's probably not enough. unveil?

G

Index: relayd.c === RCS file: /cvs/src/usr.sbin/relayd/relayd.c,v retrieving revision 1.191 diff -u -p -r1.191 relayd.c --- relayd.c 25 Jun 2023 08:07:38 - 1.191 +++ relayd.c 21 Oct 2023 11:39:44 - @@ -382,6 +382,8 @@ parent_shutdown(struct relayd *env) free(env->sc_ps); free(env); + unlink(env->sc_ps->ps_csock.cs_name); + log_info("parent terminating, pid %d", getpid()); exit(0);
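Review bot: `unlink(env->sc_ps->ps_csock.cs_name)` is placed after `free(env->sc_ps)` and `free(env)`, so it dereferences both freed structures (use after free, and on OpenBSD's malloc the path string may already be unmapped or junked). Move the `unlink()` above the two `free()` calls, or copy the path into a local before freeing. Also, `unlink(2)` needs the `cpath` pledge promise and, if the parent is unveiled, an unveil of the socket path with "c"; without those the call fails silently here because the return value is not checked.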
Re: relayd does not delete control socket on shutdown
Rev 1.140 by florian@ seems to have changed that.

> Do not try to unlink the control socket in an unprivileged child process on shutdown.
> Found while working on tame(2) <http://man.openbsd.org/tame.2>.
> OK benno@

G

On 21/10/2023 14:41, Kapetanakis Giannis wrote:
> After 7.4 relayd does not unlink its socket.
>
> I've added the following but it's probably not enough. unveil?
>
> G

Index: relayd.c === RCS file: /cvs/src/usr.sbin/relayd/relayd.c,v retrieving revision 1.191 diff -u -p -r1.191 relayd.c --- relayd.c 25 Jun 2023 08:07:38 - 1.191 +++ relayd.c 21 Oct 2023 11:39:44 - @@ -382,6 +382,8 @@ parent_shutdown(struct relayd *env) free(env->sc_ps); free(env); + unlink(env->sc_ps->ps_csock.cs_name); + log_info("parent terminating, pid %d", getpid()); exit(0);
Re: relayd does not delete control socket on shutdown
On 21/10/2023 20:39, Florian Obser wrote:
> Which was 8 years ago. I don't understand why you see a change in 7.4.
>
> Anyway, we decided to not clean up control sockets in any of our privsep
> daemons because leaving them behind does not cause any issues.

I just noticed it today when I tried to use the socket in a script and noticed that it stayed there even after shutdown, and thought it was after 7.4, but I was wrong about that. Your commit made that clear.

Agree it's not a big case if it stays there.

Would the unlink succeed if the socket was owned by _relayd?

G
Re: ospfd seq out of order in ls_upd floods
On 05/06/2021 21:31, Stuart Henderson wrote:
> Sometimes I see authentication errors from ospfd, mainly (though possibly
> not entirely always) on a 30 minute cycle, e.g. these log entries
>
> 2021-06-03T05:30:04.952Z ospfd[31748]: spf_calc: area 0.0.0.0 calculated
> 2021-06-03T05:51:43.785Z ospfd[76044]: auth_validate: decreasing seq num, interface vlan760
> 2021-06-03T05:51:43.785Z ospfd[76044]: recv_packet: authentication error, interface vlan760
> 2021-06-03T05:56:03.248Z ospfd[76044]: auth_validate: decreasing seq num, interface vlan760
> 2021-06-03T05:56:03.248Z ospfd[76044]: recv_packet: authentication error, interface vlan760
> 2021-06-03T05:59:58.978Z ospfd[31748]: spf_calc: area 0.0.0.0 calculated
>
> snip...
>
> Has anyone else noticed something like this, or have any suspicions about
> code in this area that might be problematic?
>
> snip...

Don't know if it's relevant, but I almost always see authentication errors upon starting/restarting the daemon. One log entry though and not continuous.

G
Re: hostname.if '!' commands and rdomains
On 29/07/2020 12:54, Matthieu Herrb wrote:
> Hi,
>
> When I'm configuring an interface with a specific rdomain, I'd assume
> that '!' commands (especially /sbin/route commands) are executed in
> the rdomain for this interface.
>
> I know that parsing this file is complex and somehow fragile but still
> I tried to write a patch.
>
> What do you think ?
>
> Of course I'm ok with any enhancements / fixes to my shell foo.
>
> --- netstart.orig Wed Jul 29 11:19:53 2020 > +++ netstart Wed Jul 29 11:52:39 2020 > @@ -67,8 +67,16 @@ > _cmds[${#_cmds[*]}]="ifconfig $_if ${_c[@]} up;dhclient $_if" > V4_DHCPCONF=true > ;; > + rdomain) ((${#_c[*]} == 2)) || return > + _cmds[${#_cmds[*]}]="ifconfig $_if rdomain ${_c[_name]}" > + _rdomain=${_c[_name]} > + ;; > '!'*) _cmd=$(print -- "${_c[@]}" | sed 's/\$if/'$_if'/g') > - _cmds[${#_cmds[*]}]="${_cmd#!}" > + if [[ $_rdomain -ne 0 ]]; then > +_cmds[${#_cmds[*]}]="/sbin/route -T$_rdomain exec > ${_cmd#!}" > + else > +_cmds[${#_cmds[*]}]="${_cmd#!}" > + fi > ;; > *) _cmds[${#_cmds[*]}]="ifconfig $_if ${_c[@]}" > ;; >

Wouldn't this break those who already have

!route -T2

in their hostname.if files?

G
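Review bot: `_rdomain` is never initialised before the `'!'*` case tests it, so an interface file without an `rdomain` line evaluates `[[ $_rdomain -ne 0 ]]` on an empty variable, and when the parsing function is run for several interfaces it inherits the value left by the previous file; set `_rdomain=0` at the start of each file's parse. The rewrite also only takes effect when the `rdomain` line comes before the `!` line in hostname.if, which the patch should document (hostname.if(5) lists no ordering requirement for these lines today).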
Re: hostname.if '!' commands and rdomains
On 29/07/2020 17:43, Klemens Nanni wrote:
> On Wed, Jul 29, 2020 at 05:33:14PM +0300, Kapetanakis Giannis wrote:
>> Wouldn't this break those who already have
>> !route -T2
>>
>> in their hostname.if files?
> No,
>
> $ route -T1 exec id -R
> 1
> $ route -T0 exec route -T1 exec id -R
> 1

You're right. Also verified with

route -T0 route -T1 add

G
Re: ospfd: point-to-point on ethernet interfaces
Hi,

This does not work for me with IOS.

neighbor is full, rib is ok
fib does not list the routes to IOS and routing table is not updated on BSD

On IOS I do have the loopback route the BSD is announcing.

G

On 24/06/2019 01:33, Remi Locherer wrote:
> Diff below adds to ospfd point to point support for Ethernet interfaces.
> I successfully tested this against Junos and FastIron.
>
> I first made the key word in the config "point-to-point". But then I
> changed to "type p2p". The latter would allow for "type nbma" or "type p2mp"
> should we implement these types.
>
> On Junos it looks like this:
>
> area 0.0.0.0 {
>     interface ge-0/0/1.0 {
>         interface-type p2p;
>     }
> }
>
> On FastIron it's similar to IOS:
>
> interface ethernet 1/2/1
>  ip address 10.10.10.5 255.255.255.0
>  ip ospf area 0
>  ip ospf network point-to-point
>
> Comments, test reports and OKs are welcome.
>
> Remi
>
> Index: interface.c > === > RCS file: /cvs/src/usr.sbin/ospfd/interface.c,v > retrieving revision 1.82 > diff -u -p -r1.82 interface.c > --- interface.c 11 Mar 2018 13:16:49 - 1.82 > +++ interface.c 23 Jun 2019 11:27:57 - > @@ -190,6 +190,8 @@ if_new(struct kif *kif, struct kif_addr > if (kif->flags & IFF_BROADCAST && > kif->flags & IFF_MULTICAST) > iface->type = IF_TYPE_BROADCAST; > + if (iface->p2p) > + iface->type = IF_TYPE_POINTOPOINT; > if (kif->flags & IFF_LOOPBACK) { > iface->type = IF_TYPE_POINTOPOINT; > iface->passive = 1; > @@ -351,6 +353,9 @@ if_act_start(struct iface *iface) > orig_rtr_lsa(iface->area); > return (0); > } > + > + if (iface->p2p) > + iface->type = IF_TYPE_POINTOPOINT; > > switch (iface->type) { > case IF_TYPE_POINTOPOINT: > Index: ospfd.c > === > RCS file: /cvs/src/usr.sbin/ospfd/ospfd.c,v > retrieving revision 1.108 > diff -u -p -r1.108 ospfd.c > --- ospfd.c 16 May 2019 05:49:22 - 1.108 > +++ ospfd.c 23 Jun 2019 21:06:44 -
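Review bot: the interface.c hunks apply `if (iface->p2p) iface->type = IF_TYPE_POINTOPOINT;` twice, once in if_new (between the broadcast and the loopback checks, so loopback still wins and ends up passive) and again in if_act_start. If the second copy exists because a config reload can replace the iface after if_new ran, say so in a comment; otherwise drop one of them so the type is decided in a single place. Note also that in if_new the assignment runs before `iface->p2p` can have been set from the config for a freshly created iface, so as written only the if_act_start copy is effective on first start; the test report above (adjacency full, no routes in the fib) is consistent with the type being right but the neighbor address not, which the later "type p2p" diff in this thread addresses.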
> @@ -911,6 +911,22 @@ merge_interfaces(struct area *a, struct > if_fsm(i, IF_EVT_UP); > } > > + if (i->p2p != xi->p2p) { > + /* re-add interface to enable or disable DR election */ > + if (ospfd_process == PROC_OSPF_ENGINE) > + if_fsm(i, IF_EVT_DOWN); > + else if (ospfd_process == PROC_RDE_ENGINE) > + rde_nbr_iface_del(i); > + LIST_REMOVE(i, entry); > + if_del(i); > + LIST_REMOVE(xi, entry); > + LIST_INSERT_HEAD(&a->iface_list, xi, entry); > + xi->area = a; > + if (ospfd_process == PROC_OSPF_ENGINE) > + xi->state = IF_STA_NEW; > + continue; > + } > + > strlcpy(i->dependon, xi->dependon, > sizeof(i->dependon)); > i->depend_ok = xi->depend_ok; > Index: ospfd.conf.5 > === > RCS file: /cvs/src/usr.sbin/ospfd/ospfd.conf.5,v > retrieving revision 1.57 > diff -u -p -r1.57 ospfd.conf.5 > --- ospfd.conf.5 10 Jun 2019 06:07:15 - 1.57 > +++ ospfd.conf.5 23 Jun 2019 22:10:32 - > @@ -419,6 +419,9 @@ Router. > .It Ic transmit-delay Ar seconds > Set the transmit delay. > The default value is 1; valid range is 1\-3600 seconds. > +.It Ic type p2p > +Set the interface type to point to point. > +This disables the election of a DR and BDR for the given interface. > .El > .Sh FILES > .Bl -tag -width "/etc/ospfd.conf" -compact > Index: ospfd.h > === > RCS file: /cvs/src/usr.sbin/ospfd/ospfd.h,v > retrieving revision 1.104 > diff -u -p -r1.104 ospfd.h > --- ospfd.h 16 May 2019 05:49:22 - 1.104 > +++ ospfd.h 23 Jun 2019 11:28:24 - > @@ -363,6 +363,7 @@ struct iface { > u_int8_t linkstate; > u_int8_t priority; > u_int8_t passive; > + u_int8_t p2p; > }; > > struct ifaddrchange { > Index: parse.y > === > RCS file: /cvs/src/usr.sbin/ospfd/parse.y,v > retrieving revision 1.98 > diff -u -p -r1.98 parse.y > --- parse.y 7 Jun 2019 04:57:45 - 1.98 > +++ parse.y 23 Jun 2019 22:04:22 - 
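Review bot: in merge_interfaces, when `i->p2p != xi->p2p` the old iface is taken down and `if_del`'d and `xi` is linked in its place, but the `continue` skips the `dependon`/`depend_ok` copy and every other field merge that follows; since `xi` is the freshly parsed iface that is presumably intended, yet the comment only says "re-add interface to enable or disable DR election", so spell out that `xi` replaces `i` wholesale. In the RDE process the old iface is removed with `rde_nbr_iface_del(i)` but nothing in this hunk announces `xi` to the RDE (`IF_STA_NEW` is only set for PROC_OSPF_ENGINE); check that the RDE learns about the replacement. In ospfd.conf.5, "point to point" should be hyphenated as "point-to-point", matching the key word discussion earlier in the mail.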
> @@ -129,7 +129,7 @@ typedef struct { > %token AREA INTERFACE ROUTERID FIBPRIORITY FIBUPDATE REDISTRIBUTE > RTLABEL > %token RDOMAIN RFC1583COMPAT STUB ROUTER SPFDELAY SPFHOLDTIME EXTTAG > %token AUTHKEY AUTHTYPE AUTHMD AUTHMDKEYID > -%token ME
Re: syslog.conf(5): example about logging by sender
On 01/02/18 00:06, Todd C. Miller wrote:
> Shouldn't this be:
>
> # Log everything coming from host bastion to a separate file
> ++bastion /var/log/bastion *.* +*

how about

# Log everything coming from host bastion to a separate file
++bastion *.* /var/log/bastion

G
Re: ospfd: depend on interface (new feature)
On 04/02/18 01:42, Remi Locherer wrote:
> Hi
>
> This adds a new feature to ospfd: depend on interface.
>
> An ospfd.conf using it looks like this:
>
> --%<--
> redistribute default depend on carp0
> area 0.0.0.0 {
>     interface em2 { depend on carp0 }
>     [...]
> }
> --%<--
>
> This router would send out the default route and the em2 network with
> default metrics as long as carp0 is master. When carp0 becomes backup these
> routes are advertised with metric 65535.
>
> "depend on" can also be used with other interface types than carp.
>
> This diff was started by benno@ at p2k17 (redistribute and config parser).
> I added the interface part. jca@ contributed several improvements.
>
> Comments, OKs?
>
> Remi

If I understand this right, someone could use this combined with pfsync, to wait for states full sync before switching routes from backup to master? nice :)

G
Re: ospfd: depend on interface (new feature)
On 04/02/18 17:52, Stuart Henderson wrote:
> On 2018/02/04 02:56, Kapetanakis Giannis wrote:
>> On 04/02/18 01:42, Remi Locherer wrote:
>>> Hi
>>>
>>> This adds a new feature to ospfd: depend on interface.
>>
>> If I understand this right, someone could use this combined with pfsync,
>> to wait for states full sync before switching routes from backup to master?
>> nice :)
>>
>> G
>
> I'm not sure pfsync specifically handles that, but as long as you make sure
> the interface is not master at boot (e.g. carpdemote in hostname.carpX) and
> sleep and -carpdemote in rc.local, it will have that effect.
>
> Nice thing here is when you combine it with bgpd's demote handling. That way
> you can avoid feeding default to OSPF until BGP sessions are up.

I'm not talking about "depend on pfsync". Since carp waits for the pfsync demotion counter to become master, if ospf is waiting for carp (which is waiting for pfsync) then eventually you have the same effect, don't you?

You can even use an unused carp interface just for depending on its status.

G
Re: gre(4) update
On 07/02/18 08:38, David Gwynne wrote:
> this is a big change to gre, with the main motivation of adding support for
> gre keys. gre keys are supported by the vnetid ioctls, and works much like
> vxlan (funny that). by default gre doesn't use a key, but you can set one
> and change your mind and remove it later. the current code simply skips over
> the key header, and still accepts it.
>
> while here, it adds support for gre over ipv6.
>
> on the other hand, it drops support for gre keepalives and wccp handling.
> gre keepalives don't work if the tunnelled traffic is in a different rdomain
> to the underlay network. i can add wccp back later though.
>
> ok?

Hi,

Not my call but is there a way to leave gre keepalives in place at least for non-rdomain setups? We use it in some tunnels with remote branches with some ciscos behind DSL lines. Keepalives helped us with connection drops.

regards,

G
Re: ospfd: depend on interface (new feature)
On 04/02/18 01:42, Remi Locherer wrote:
> Hi
>
> This adds a new feature to ospfd: depend on interface.
>
> An ospfd.conf using it looks like this:
>
> --%<--
> redistribute default depend on carp0
> area 0.0.0.0 {
>     interface em2 { depend on carp0 }
>     [...]
> }
> --%<--
>
> This router would send out the default route and the em2 network with
> default metrics as long as carp0 is master. When carp0 becomes backup these
> routes are advertised with metric 65535.
>
> "depend on" can also be used with other interface types than carp.
>
> This diff was started by benno@ at p2k17 (redistribute and config parser).
> I added the interface part. jca@ contributed several improvements.
>
> Comments, OKs?
>
> Remi

Hi,

I'm trying to evaluate this new feature on my routers (in/out OSPF only, no carp).

While it does the job for local connected/static networks (on the router), it doesn't do it for forwarded routes which I learn from remote OSPF routers.

Is this normal behavior?

relevant config parts:

stub router no
# redistribute default
redistribute 192.168.1.0/24 set { metric 100 } depend on carp0

area 0.0.0.1 {
        interface vlan_int {
                metric 1
                depend on carp0
        }
        interface vlan_ext {
                metric 1
                depend on carp0
        }
}

192.168.1.0/24 (which is a local blackhole route) is propagated with the correct metric, either 65535 or 100, depending on the carp0 status.

Rest of ospf routes don't change metric on carp0 demotion.

thanks for any info on this,

G
Re: ospfd: depend on interface (new feature)
On 20/04/18 16:20, Remi Locherer wrote:
> On 2018-04-20 14:46, Kapetanakis Giannis wrote:
>> While it does the job for local connected/static networks (on the router),
>> it doesn't do it for forwarded routes which I learn from remote OSPF routers.
>
> LSAs from other routers are not changed by the "depend on" feature. But other
> OSPF routers use the metric when they calculate their path.
>
> If this does not answer your question, can you provide a simplified description
> or schema of your network?
>
>> Is this normal behavior?
>>
>> relevant config parts:
>>
>> stub router no
>> # redistribute default
>> redistribute 192.168.1.0/24 set { metric 100 } depend on carp0
>>
>> area 0.0.0.1 {
>>         interface vlan_int {
>>                 metric 1
>>                 depend on carp0
>>         }
>>         interface vlan_ext {
>>                 metric 1
>>                 depend on carp0
>>         }
>> }
>>
>> 192.168.1.0/24 (which is a local blackhole route) is propagated with
>> the correct metric, either 65535 or 100, depending on the carp0 status.
>>
>> Rest of ospf routes don't change metric on carp0 demotion.
>
> And what about the networks directly connected on vlan_int and vlan_ext?
> Above you state it works as you expected for directly connected networks.
>
> Remi

Thanks for the answer.

I also thought that maybe LSAs are not changed... that's why I've asked if it's normal. I was expecting/hoping router links to be changed and thus affecting LSAs indirectly.

My setup is like this

[Cisco_int] <-> [OB1]/[OB2] <-> [Cisco_ext]

I manage Cisco_int and the BSDs. I was monitoring ospf routes on Cisco_int to see behavior. vlan_int is also connected on Cisco_int so I didn't expect to see something different there as it is a connected network.

I tried this because I wanted the primary router/firewall to not take over after boot, before pfsync is done.

So eventually this would only work on a setup where internal_network(s) are carp interfaces and external is ospf, right?

G
Re: ospfd: depend on interface (new feature)
sorry setup is different: - [OB1]- [Cisco_ext_1] --- [Cisco_int] --| |--- [BGP router] - [OB2]- [Cisco_ext2_ ]--- G
relayctl friendlier
Hi,

By default we have:

# relayctl show
missing argument: valid commands/args: summary hosts redirects relays routers sessions

On the other hand:

# relayctl host
usage: relayctl [-s socket] command [argument ...]
# relayctl host dis
missing argument: valid commands/args:

I think it's better if it is like:

# ./relayctl host
missing argument: valid commands/args: disable enable

same for table, redirect

If this is accepted maybe NOTOKEN can be completely removed from code.

regards,

G

Index: parser.c === RCS file: /cvs/src/usr.sbin/relayctl/parser.c,v retrieving revision 1.27 diff -u -p -r1.27 parser.c --- parser.c22 Jan 2015 17:42:09 - 1.27 +++ parser.c11 May 2018 10:52:11 - @@ -81,21 +81,18 @@ static const struct token t_show[] = { }; static const struct token t_rdr[] = { - {NOTOKEN, "", NONE, NULL}, {KEYWORD, "disable", RDR_DISABLE,t_rdr_id}, {KEYWORD, "enable", RDR_ENABLE, t_rdr_id}, {ENDTOKEN, "", NONE, NULL} }; static const struct token t_table[] = { - {NOTOKEN, "", NONE, NULL}, {KEYWORD, "disable", TABLE_DISABLE, t_table_id}, {KEYWORD, "enable", TABLE_ENABLE, t_table_id}, {ENDTOKEN, "", NONE, NULL} }; static const struct token t_host[] = { - {NOTOKEN, "", NONE, NULL}, {KEYWORD, "disable", HOST_DISABLE, t_host_id}, {KEYWORD, "enable", HOST_ENABLE,t_host_id}, {ENDTOKEN, "", NONE, NULL}
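Review bot: the hunk removes the `NOTOKEN` entry from t_rdr, t_table and t_host but leaves the token type itself and whatever branch in parse() handles it; if these three tables were its only users (the mail suggests so), the enum value and that branch should go in the same diff, otherwise the parser keeps special-casing a token no table emits any more. With the entries gone, `relayctl host` with no argument falls through to the "missing argument" path and lists `disable enable`, which is the behaviour the mail asks for, so relayctl.8 needs no change, but the usage line it currently prints for this case (`usage: relayctl [-s socket] command [argument ...]`) was the documented behaviour and the commit message should mention the change.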
Re: ospfd: type p2p
On 25/10/2019 13:57, Remi Locherer wrote:
> Hi tech@,
>
> earlier this year I sent a diff that allowed to change an interface
> from broadcast to point-to-point.
>
> https://marc.info/?l=openbsd-tech&m=156132923203704&w=2
>
> It turned out that this was not sufficient. It made the adjacency
> come up in p2p mode (no selection of DR or BDR) but didn't set a valid
> next hop for routes learned over this p2p link. Actually the next hop was
> 0.0.0.0 which was never installed into the routing table.
>
> This is because for P2P interfaces the neighbor address is not taken from
> the received hello but from the "destination" parameter configured on the
> interface. Since this is not set on a broadcast interface the address is
> 0.0.0.0.
>
> My new diff changes this. Now also for P2P links the IP address of the
> neighbor is taken from the hello packets (src address). This on its own
> would make it simpler to interfere with the routing from remote. One could
> send unicast ospf hello messages and potentially disrupt the routing setup.
> I believe I mitigated this with an additional check I committed in August:
> only hello messages sent to the multicast address are now processed.
>
> The config looks like this:
>
> area 0.0.0.0 {
>     interface em0 {
>         type p2p
>     }
> }
>
> It would be nice to get test reports for this new feature (check the fib
> and routing table!) and also test reports with real p2p interfaces (gif
> or gre).
>
> Of course OKs are also welcome. ;-)
>
> Remi

Hi,

From a first test it seems to work :)

looking forward to test it for IPv6 as well

thanks

Giannis

> Index: hello.c > === > RCS file: /cvs/src/usr.sbin/ospfd/hello.c,v > retrieving revision 1.24 > diff -u -p -r1.24 hello.c > --- hello.c 12 Aug 2019 20:21:58 - 1.24 > +++ hello.c 21 Sep 2019 22:06:17 -
> @@ -189,14 +189,13 @@ recv_hello(struct iface *iface, struct i > nbr->dr.s_addr = hello.d_rtr; > nbr->bdr.s_addr = hello.bd_rtr; > nbr->priority = hello.rtr_priority; > - /* XXX neighbor address shouldn't be stored on virtual links */ > - nbr->addr.s_addr = src.s_addr; > + nbr_update_addr(nbr->peerid, src); > } > > if (nbr->addr.s_addr != src.s_addr) { > log_warnx("%s: neighbor ID %s changed its IP address", > __func__, inet_ntoa(nbr->id)); > - nbr->addr.s_addr = src.s_addr; > + nbr_update_addr(nbr->peerid, src); > } > > nbr->options = hello.opts; > Index: lsupdate.c > === > RCS file: /cvs/src/usr.sbin/ospfd/lsupdate.c,v > retrieving revision 1.46 > diff -u -p -r1.46 lsupdate.c > --- lsupdate.c15 Jul 2019 18:26:39 - 1.46 > +++ lsupdate.c15 Aug 2019 21:10:13 - > @@ -470,7 +470,7 @@ ls_retrans_timer(int fd, short event, vo > /* ls_retrans_list_free retriggers the timer */ > return; > } else if (nbr->iface->type == IF_TYPE_POINTOPOINT) > - memcpy(&addr, &nbr->iface->dst, sizeof(addr)); > + memcpy(&addr, &nbr->addr, sizeof(addr)); > else > inet_aton(AllDRouters, &addr); > } else > Index: neighbor.c > === > RCS file: /cvs/src/usr.sbin/ospfd/neighbor.c,v > retrieving revision 1.48 > diff -u -p -r1.48 neighbor.c > --- neighbor.c9 Feb 2018 02:14:03 - 1.48 > +++ neighbor.c21 Sep 2019 15:28:43 - > @@ -312,6 +312,7 @@ nbr_new(u_int32_t nbr_id, struct iface * > bzero(&rn, sizeof(rn)); > rn.id.s_addr = nbr->id.s_addr; > rn.area_id.s_addr = nbr->iface->area->id.s_addr; > + rn.addr.s_addr = nbr->addr.s_addr; > rn.ifindex = nbr->iface->ifindex; > rn.state = nbr->state; > rn.self = self; 
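Review bot: both call sites in the hello.c hunk discard the return value of `nbr_update_addr()`, which returns 1 when `nbr_find_peerid()` finds nothing; since recv_hello already holds the `nbr` pointer, passing `struct nbr *` instead of `peerid` would remove the lookup and the unreachable error path. The lsupdate.c hunk correctly retransmits to `nbr->addr` on point-to-point links, but it now relies on `nbr->addr` having been filled from a hello before the first retransmission, whereas the old code always had `iface->dst`; the nbr_new hunk passing `rn.addr` to the RDE covers only the creation path, so say in the commit message that a p2p neighbor without a received hello cannot have pending retransmissions.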
> @@ -347,6 +348,23 @@ nbr_del(struct nbr *nbr) > LIST_REMOVE(nbr, hash); > > free(nbr); > +} > + > +int > +nbr_update_addr(u_int32_t peerid, struct in_addr addr) { > + > + struct nbr *nbr = NULL; > + > + nbr = nbr_find_peerid(peerid); > + if (nbr == NULL) > + return (1); > + > + /* XXX neighbor address shouldn't be stored on virtual links */ > + nbr->addr.s_addr = addr.s_addr; > + ospfe_imsg_compose_rde(IMSG_NEIGHBOR_ADDR, peerid, 0, &addr, > + sizeof(addr)); > + > + return (0); > } > > struct nbr * > Index: ospfd.c > === > RCS file: /cvs/src/usr.sbin/ospfd/ospfd.c,v > retrieving revision 1.108 > diff -u -p -r1.108 ospfd.c > --- ospfd.c 16 May 2019 05:49:22 - 1.108 > +++ ospfd.c 23 Jun 2019 21:06:44 - > @@ -911,6 +911,22 @@ merge_interfaces(struct area *a, struct >
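Review bot: `nbr_update_addr()` carries over the `XXX neighbor address shouldn't be stored on virtual links` comment but still stores the address unconditionally, and now also pushes it to the RDE via IMSG_NEIGHBOR_ADDR; if the address must not be used on virtual links, check `nbr->iface->type` here (or in the RDE handler) rather than propagating the XXX. Style: the opening brace sits on the signature line (`struct in_addr addr) {`) and is followed by a blank line, unlike the other functions in neighbor.c.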
Re: ospfd: type p2p
On 17/11/2019 13:44, Remi Locherer wrote: > Yes, I'll send a separate diff for that later. > > OK for the new diff? Works for me. G
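The two reception checks argued over on this page, Claudio's point b) for ospf6d further up (an incoming packet must be matched against every address of the interface, not just the first link-local) and Remi's "type p2p" change in this thread (the neighbor address comes from the hello's source, which is only safe because hellos not sent to the AllSPFRouters group are dropped), modelled in Python. This is an added example, not code from ospfd, ospf6d or this thread: `Iface`, `packet_for_iface` and `recv_hello` are this example's own names, the addresses are constructed, and the on-link test for broadcast interfaces is the example's own simplification of the RFC 2328 hello checks.

```python
"""Added example: OSPF hello reception checks for multi-address and p2p
interfaces. Names, data structures and sample addresses are this example's
own, not ospfd's or ospf6d's."""
import ipaddress
from dataclasses import dataclass, field

# Well-known OSPF multicast groups (RFC 2328 / RFC 5340).
ALL_SPF_ROUTERS = {4: ipaddress.ip_address("224.0.0.5"),
                   6: ipaddress.ip_address("ff02::5")}
ALL_D_ROUTERS = {4: ipaddress.ip_address("224.0.0.6"),
                 6: ipaddress.ip_address("ff02::6")}


@dataclass
class Iface:
    name: str
    addrs: list                 # every address/prefix on the interface
    p2p: bool = False           # "type p2p" in the configs discussed above
    neighbors: dict = field(default_factory=dict)   # router id -> address

    def __post_init__(self):
        self.addrs = [ipaddress.ip_interface(a) for a in self.addrs]


def packet_for_iface(iface, dst):
    """Claudio's b): a packet is ours if dst is an OSPF group or matches ANY
    of the interface's addresses (an interface may carry several link-locals)."""
    dst = ipaddress.ip_address(dst)
    if dst in (ALL_SPF_ROUTERS[dst.version], ALL_D_ROUTERS[dst.version]):
        return True
    return any(dst == a.ip for a in iface.addrs if a.version == dst.version)


def recv_hello(iface, src, dst, router_id):
    """Return (accepted, reason). On success the hello's source becomes the
    neighbor address for router_id, which is the next hop a p2p link needs."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src.version != dst.version:
        return False, "address family mismatch"
    # Remi's mitigation: a hello must have been multicast to AllSPFRouters,
    # so a unicast hello spoofed from afar cannot register itself as the peer.
    if dst != ALL_SPF_ROUTERS[src.version]:
        return False, "hello not addressed to AllSPFRouters"
    # OSPFv3 hellos are sourced from a link-local address (RFC 5340).
    if src.version == 6 and not src.is_link_local:
        return False, "OSPFv3 hello source is not link-local"
    # On a broadcast network the peer must sit on one of our subnets; on a
    # p2p link that check is skipped (RFC 2328 10.5). Simplified here.
    if src.version == 4 and not iface.p2p and \
            not any(src in a.network for a in iface.addrs if a.version == 4):
        return False, "hello source not on-link"
    old = iface.neighbors.get(router_id)
    iface.neighbors[router_id] = src
    if old is not None and old != src:
        return True, "neighbor changed its IP address"   # hello.c logs this
    return True, "ok"


def demo():
    """Constructed sample traffic against two interfaces; returns outcomes."""
    v6 = Iface("vlan760", ["fe80::1/64", "fe80::2/64"])   # two link-locals
    p2p = Iface("em0", ["10.0.0.1/30"], p2p=True)
    return {
        "second_ll_matches": packet_for_iface(v6, "fe80::2"),
        "foreign_ll_rejected": packet_for_iface(v6, "fe80::9"),
        "mcast_hello": recv_hello(p2p, "10.0.0.2", "224.0.0.5", "10.255.0.2")[0],
        "unicast_hello": recv_hello(p2p, "10.0.0.9", "10.0.0.1", "10.255.0.9")[0],
        "p2p_nexthop": str(p2p.neighbors.get("10.255.0.2")),
        "v6_hello": recv_hello(v6, "fe80::42", "ff02::5", "10.255.0.42")[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the second link-local accepted by `packet_for_iface` the "Network is unreachable" send errors from the ospf6d thread cannot arise from picking the wrong interface address, and `recv_hello` records 10.0.0.2 rather than the unset interface destination as the p2p next hop while refusing the unicast hello that would otherwise let a remote sender replace it.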
Re: ospf6d: type p2p
On 24/12/2019 00:09, Remi Locherer wrote: Hi, this brings support for interface "type p2p" to ospf6d (ospfd got it a few weeks ago). The configuration looks like this: area 0.0.0.0 { interface em0 { type p2p } } OK? Remi works for me :) kudos G Index: ospf6d.conf.5 === RCS file: /cvs/src/usr.sbin/ospf6d/ospf6d.conf.5,v retrieving revision 1.19 diff -u -p -r1.19 ospf6d.conf.5 --- ospf6d.conf.5 26 May 2019 09:27:09 - 1.19 +++ ospf6d.conf.5 5 Oct 2019 14:17:29 - @@ -328,6 +328,9 @@ Router. .It Ic transmit-delay Ar seconds Set the transmit delay. The default value is 1; valid range is 1\-3600 seconds. +.It Ic type p2p +Set the interface type to point to point. +This disables the election of a DR and BDR for the given interface. .El .Sh FILES .Bl -tag -width "/etc/ospf6d.conf" -compact Index: ospf6d.h === RCS file: /cvs/src/usr.sbin/ospf6d/ospf6d.h,v retrieving revision 1.42 diff -u -p -r1.42 ospf6d.h --- ospf6d.h23 Dec 2019 07:33:49 - 1.42 +++ ospf6d.h23 Dec 2019 09:08:23 - @@ -329,6 +329,7 @@ struct iface { u_int8_t if_type; u_int8_t linkstate; u_int8_t priority; + u_int8_t p2p; u_int8_t cflags; #define F_IFACE_PASSIVE 0x01 #define F_IFACE_CONFIGURED0x02 Index: parse.y === RCS file: /cvs/src/usr.sbin/ospf6d/parse.y,v retrieving revision 1.47 diff -u -p -r1.47 parse.y --- parse.y 23 Dec 2019 07:33:49 - 1.47 +++ parse.y 23 Dec 2019 10:40:28 - @@ -126,7 +126,7 @@ typedef struct { %token AREA INTERFACE ROUTERID FIBPRIORITY FIBUPDATE REDISTRIBUTE RTLABEL %tokenRDOMAIN STUB ROUTER SPFDELAY SPFHOLDTIME EXTTAG -%token METRIC PASSIVE +%token METRIC P2P PASSIVE %tokenHELLOINTERVAL TRANSMITDELAY %tokenRETRANSMITINTERVAL ROUTERDEADTIME ROUTERPRIORITY %tokenSET TYPE @@ -566,6 +566,10 @@ interfaceopts_l: interfaceopts_l interf ; interfaceoptsl : PASSIVE { iface->cflags |= F_IFACE_PASSIVE; } + | TYPE P2P { + iface->p2p = 1; + iface->type = IF_TYPE_POINTOPOINT; + } | DEMOTE STRING { if (strlcpy(iface->demote_group, $2, sizeof(iface->demote_group)) >= 
@@ -645,6 +649,7 @@ lookup(char *s) {"metric",METRIC}, {"no",NO}, {"on",ON}, + {"p2p", P2P}, {"passive", PASSIVE}, {"rdomain", RDOMAIN}, {"redistribute", REDISTRIBUTE}, Index: printconf.c === RCS file: /cvs/src/usr.sbin/ospf6d/printconf.c,v retrieving revision 1.8 diff -u -p -r1.8 printconf.c --- printconf.c 29 Dec 2018 16:04:31 - 1.8 +++ printconf.c 5 Oct 2019 14:14:19 - @@ -135,6 +135,9 @@ print_iface(struct iface *iface) printf("\t\trouter-priority %d\n", iface->priority); printf("\t\ttransmit-delay %d\n", iface->transmit_delay); + if (iface->p2p) + printf("\t\ttype p2p\n"); + printf("\t}\n"); }
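Review bot: the `{"p2p", P2P}` entry in the lookup() keyword hunk has to keep the table sorted, since lookup() finds keywords with bsearch(3); it is placed correctly here ("p2p" sorts between "on" and "passive" because '2' orders before 'a'), so just keep that ordering in mind for future keywords.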
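Review bot: in the ospf6d.conf.5 hunk, "Set the interface type to point to point." should read "point-to-point" (hyphenated, as ospfd.conf(5) writes it), and the second sentence could name what the interface does instead, e.g. "Neighbors are expected to be directly connected; no DR or BDR is elected." so the reader knows the operational effect rather than only the internal one.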
list manual upgrade for single processor in upgrade59.html
Hi, This adds manual upgrade instructions for bsd.sp kernels similar to what upgrade58 did. Don't want to miss the nice copy & paste for all kinds of machines I support. regards, Giannis Index: upgrade59.html === RCS file: /cvs/www/faq/upgrade59.html,v retrieving revision 1.19 diff -u -p -r1.19 upgrade59.html --- upgrade59.html 29 Mar 2016 11:17:47 - 1.19 +++ upgrade59.html 30 Mar 2016 14:31:55 - @@ -306,12 +306,25 @@ access to the system console. Install new kernels. The extra steps for copying over the primary kernel are done to ensure that there is always a valid kernel on the disk. - -cd /usr/rel# where you put the release files -ln -f /bsd /obsd && cp bsd.mp /nbsd && mv /nbsd /bsd -cp bsd.rd / -cp bsd /bsd.sp - + + + If you are using a multiprocessor kernel: + +cd /usr/rel# where you put the release files +ln -f /bsd /obsd && cp bsd.mp /nbsd && mv /nbsd /bsd +cp bsd.rd / +cp bsd /bsd.sp + + + If you are using a single processor kernel: + +cd /usr/rel# where you put the release files +ln -f /bsd /obsd && cp bsd /nbsd && mv /nbsd /bsd +cp bsd.rd bsd.mp / + + (note: you will get a harmless error message if your platform + doesn't have a bsd.mp) + Install new userland.
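Review bot: in the single-processor branch of the upgrade59.html hunk, `cp bsd.rd bsd.mp /` relies on cp(1) continuing past a missing bsd.mp, which is why the "(note: you will get a harmless error message ...)" line is needed; copying the two files in separate commands (`cp bsd.rd /` followed by `cp bsd.mp /`, or guarding the second with `[ -f bsd.mp ] &&`) would let the reader treat any error in a kernel-replacement step as a real one instead of teaching them to ignore it.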
relayd/ctl alternative control socket
Hi, Here is a patch for using alternative control socket for relayd and relayctl. It's based on ospfd. I would like for this to get in order to be able to control multiple relayd daemons on different rdomains. regards, Giannis Index: relayd.8 === RCS file: /cvs/src/usr.sbin/relayd/relayd.8,v retrieving revision 1.25 diff -u -p -u -r1.25 relayd.8 --- relayd.827 Jul 2015 14:50:58 - 1.25 +++ relayd.822 Jun 2017 15:08:26 - @@ -25,6 +25,7 @@ .Op Fl dnv .Op Fl D Ar macro Ns = Ns Ar value .Op Fl f Ar file +.Op Fl s Ar socket .Sh DESCRIPTION .Nm is a daemon to relay and dynamically redirect incoming connections to @@ -118,6 +119,8 @@ The default is .It Fl n Configtest mode. Only check the configuration file for validity. +.It Fl s Ar socket +Use an alternate location for the default control socket. .It Fl v Produce more verbose output. .El Index: relayd.c === RCS file: /cvs/src/usr.sbin/relayd/relayd.c,v retrieving revision 1.169 diff -u -p -u -r1.169 relayd.c --- relayd.c31 May 2017 04:14:34 - 1.169 +++ relayd.c22 Jun 2017 15:08:26 - @@ -107,7 +107,8 @@ usage(void) { extern char *__progname; - fprintf(stderr, "usage: %s [-dnv] [-D macro=value] [-f file]\n", + fprintf(stderr, "usage: %s [-dnv] [-D macro=value] [-f file]" + " [-s socket]\n", __progname); exit(1); } @@ -121,12 +122,13 @@ main(int argc, char *argv[]) struct relayd *env; struct privsep *ps; const char *conffile = CONF_FILE; + const char *sockname = RELAYD_SOCKET; enum privsep_procid proc_id = PROC_PARENT; int proc_instance = 0; const char *errp, *title = NULL; int argc0 = argc; - while ((c = getopt(argc, argv, "dD:nI:P:f:v")) != -1) { + while ((c = getopt(argc, argv, "dD:nI:P:f:s:v")) != -1) { switch (c) { case 'd': debug = 2; @@ -143,6 +145,9 @@ main(int argc, char *argv[]) case 'f': conffile = optarg; break; + case 's': + sockname = optarg; + break; case 'v': verbose++; opts |= RELAYD_OPT_VERBOSE; 
@@ -200,7 +205,7 @@ main(int argc, char *argv[]) errx(1, "unknown user %s", RELAYD_USER); /* Configure the control socket */ - ps->ps_csock.cs_name = RELAYD_SOCKET; + ps->ps_csock.cs_name = sockname; log_init(debug, LOG_DAEMON); log_setverbose(verbose); Index: relayctl.8 === RCS file: /cvs/src/usr.sbin/relayctl/relayctl.8,v retrieving revision 1.32 diff -u -p -u -r1.32 relayctl.8 --- relayctl.8 28 Nov 2015 01:22:44 - 1.32 +++ relayctl.8 22 Jun 2017 15:08:37 - @@ -23,6 +23,7 @@ .Nd control the relay daemon .Sh SYNOPSIS .Nm +.Op Fl s Ar socket .Ar command .Op Ar argument ... .Sh DESCRIPTION @@ -31,6 +32,21 @@ The program controls the .Xr relayd 8 daemon. +Commands may be abbreviated to the minimum unambiguous prefix; for example, +.Cm sh su +for +.Cm show summary . +.Pp +The following options are available: +.Bl -tag -width Ds +.It Fl s Ar socket +Use +.Ar socket +instead of the default +.Pa /var/run/relayd.sock +to communicate with +.Xr relayd 8 . +.El .Pp The following commands are available: .Bl -tag -width Ds Index: relayctl.c === RCS file: /cvs/src/usr.sbin/relayctl/relayctl.c,v retrieving revision 1.57 diff -u -p -u -r1.57 relayctl.c --- relayctl.c 3 Sep 2016 14:44:21 - 1.57 +++ relayctl.c 22 Jun 2017 15:08:37 - @@ -88,7 +88,8 @@ usage(void) { extern char *__progname; - fprintf(stderr, "usage: %s command [argument ...]\n", __progname); + fprintf(stderr, "usage: %s [-s socket] command [argument ...]\n", + __progname); exit(1); } @@ -101,9 +102,25 @@ main(int argc, char *argv[]) int ctl_sock; int done = 0; int n, verbose = 0; + int ch; + char*sockname; + + sockname = RELAYD_SOCKET; + while ((ch = getopt(argc, argv, "s:")) != -1) { + switch (ch) { + case 's': + sockname = optarg; + break; + default: + usage(); + /* NOTREACHED */ + } + } + argc -= optind; + argv += optind; /* parse options */ - if ((res = parse
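Review bot: in the relayctl.c main() hunk, `char *sockname;` is assigned the string literal RELAYD_SOCKET and later optarg, so it should be `const char *sockname` (as the relayd.c hunk already does); and since the hunk does not show a length check before the path reaches `sun.sun_path`, a `-s` argument longer than `sizeof(sun.sun_path)` should be rejected with errx(3) rather than silently truncated by strlcpy(3).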
Re: relayd/ctl alternative control socket
On 23/06/17 04:43, David Gwynne wrote: > >> On 23 Jun 2017, at 01:15, Kapetanakis Giannis >> wrote: >> >> Hi, >> >> Here is a patch for using alternative control socket for relayd and relayctl. >> It's based on ospfd. I would like for this to get in order to be able to >> control multiple relayd daemons on different rdomains. > > i had something very much like this here, but more to limit the scope of > failure than run in multiple rdomains. > > id like to see some tweaks for the ctl side though. see below. Thanks for the comments. Updated diff below. BTW, char instead of const char is used all over the tree, also for conf files. G Index: relayctl/relayctl.8 === RCS file: /cvs/src/usr.sbin/relayctl/relayctl.8,v retrieving revision 1.32 diff -u -p -r1.32 relayctl.8 --- relayctl/relayctl.8 28 Nov 2015 01:22:44 - 1.32 +++ relayctl/relayctl.8 23 Jun 2017 07:57:59 - @@ -23,6 +23,7 @@ .Nd control the relay daemon .Sh SYNOPSIS .Nm +.Op Fl s Ar socket .Ar command .Op Ar argument ... .Sh DESCRIPTION @@ -31,6 +32,21 @@ The program controls the .Xr relayd 8 daemon. +Commands may be abbreviated to the minimum unambiguous prefix; for example, +.Cm sh su +for +.Cm show summary . +.Pp +The following options are available: +.Bl -tag -width Ds +.It Fl s Ar socket +Use +.Ar socket +instead of the default +.Pa /var/run/relayd.sock +to communicate with +.Xr relayd 8 . +.El .Pp The following commands are available: .Bl -tag -width Ds Index: relayctl/relayctl.c === RCS file: /cvs/src/usr.sbin/relayctl/relayctl.c,v retrieving revision 1.57 diff -u -p -r1.57 relayctl.c --- relayctl/relayctl.c 3 Sep 2016 14:44:21 - 1.57 +++ relayctl/relayctl.c 23 Jun 2017 07:57:59 - @@ -88,7 +88,8 @@ usage(void) { extern char *__progname; - fprintf(stderr, "usage: %s command [argument ...]\n", __progname); + fprintf(stderr, "usage: %s [-s socket] command [argument ...]\n", + __progname); exit(1); } 
@@ -101,9 +102,25 @@ main(int argc, char *argv[]) int ctl_sock; int done = 0; int n, verbose = 0; + int ch; + const char *sockname; + + sockname = RELAYD_SOCKET; + while ((ch = getopt(argc, argv, "s:")) != -1) { + switch (ch) { + case 's': + sockname = optarg; + break; + default: + usage(); + /* NOTREACHED */ + } + } + argc -= optind; + argv += optind; /* parse options */ - if ((res = parse(argc - 1, argv + 1)) == NULL) + if ((res = parse(argc, argv)) == NULL) exit(1); /* connect to relayd control socket */ @@ -112,7 +129,9 @@ main(int argc, char *argv[]) bzero(&sun, sizeof(sun)); sun.sun_family = AF_UNIX; - (void)strlcpy(sun.sun_path, RELAYD_SOCKET, sizeof(sun.sun_path)); + if (strlcpy(sun.sun_path, sockname, sizeof(sun.sun_path)) >= + sizeof(sun.sun_path)) + errx(1, "socket `%s' too long", sockname); reconnect: if (connect(ctl_sock, (struct sockaddr *)&sun, sizeof(sun)) == -1) { /* Keep retrying if running in monitor mode */ @@ -121,7 +140,7 @@ main(int argc, char *argv[]) usleep(100); goto reconnect; } - err(1, "connect: %s", RELAYD_SOCKET); + err(1, "connect: %s", sockname); } if (pledge("stdio", NULL) == -1) Index: relayd/relayd.8 === RCS file: /cvs/src/usr.sbin/relayd/relayd.8,v retrieving revision 1.25 diff -u -p -r1.25 relayd.8 --- relayd/relayd.8 27 Jul 2015 14:50:58 - 1.25 +++ relayd/relayd.8 23 Jun 2017 07:57:26 - @@ -25,6 +25,7 @@ .Op Fl dnv .Op Fl D Ar macro Ns = Ns Ar value .Op Fl f Ar file +.Op Fl s Ar socket .Sh DESCRIPTION .Nm is a daemon to relay and dynamically redirect incoming connections to @@ -118,6 +119,8 @@ The default is .It Fl n Configtest mode. Only check the configuration file for validity. +.It Fl s Ar socket +Use an alternate location for the default control socket. .It Fl v Produce more verbose output. .El Index: relayd/relayd.c === RCS file: /cvs/src/usr.sbin/relayd/relayd.c,v retrieving revision 1.169 diff -u -p -r1.169 relayd.c --- relayd/relayd.c 31 May 2017 04:14:34 - 1.169 +++ relayd/relayd.c 23 Jun 2017 07:57:26 - @@
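Review bot: the relayd.8 hunk's "Use an alternate location for the default control socket." reads as a contradiction (alternate vs. default); the relayctl.8 hunk in the same diff already has the clearer form, so mirror it: "Use socket instead of the default /var/run/relayd.sock as the control socket." That also tells an operator running several relayd instances in different rdomains which path to pass to relayctl -s.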
relayd ipv6 ttl check_icmp / check_tcp
Hi, Using relayd's redirect/forward on ipv6 addresses I discovered problems relating to setting TTL. There is no check for address family and setsockopt tries to apply IP_TTL always. Without ip ttl on ipv6 table, check_icmp gives send_icmp: getsockopt: Invalid argument With ip ttl on ipv6 table, check_tcp gives hce_notify_done: fdaa:10:1:9::11 (tcp socket option) is the following diff valid? I've removed the IP_IPDEFTTL check. Was this ok? regards, Giannis Index: check_icmp.c === RCS file: /cvs/src/usr.sbin/relayd/check_icmp.c,v retrieving revision 1.45 diff -u -p -r1.45 check_icmp.c --- check_icmp.c28 May 2017 10:39:15 - 1.45 +++ check_icmp.c23 Jun 2017 10:42:30 - @@ -165,7 +165,7 @@ send_icmp(int s, short event, void *arg) struct icmp6_hdr*icp6; ssize_t r; u_char packet[ICMP_BUF_SIZE]; - socklen_tslen, len; + socklen_tslen; int i = 0, ttl; u_int32_tid; @@ -221,18 +221,18 @@ send_icmp(int s, short event, void *arg) } if ((ttl = host->conf.ttl) > 0) - (void)setsockopt(s, IPPROTO_IP, IP_TTL, - &host->conf.ttl, sizeof(int)); - else { - /* Revert to default TTL */ - len = sizeof(ttl); - if (getsockopt(s, IPPROTO_IP, IP_IPDEFTTL, - &ttl, &len) == 0) - (void)setsockopt(s, IPPROTO_IP, IP_TTL, - &ttl, len); - else - log_warn("%s: getsockopt",__func__); - } + switch(cie->af) { + case AF_INET: + if (setsockopt(s, IPPROTO_IP, IP_TTL, + &host->conf.ttl, sizeof(int)) == -1) + log_warn("%s: setsockopt",__func__); + break; + case AF_INET6: + if (setsockopt(s, IPPROTO_IPV6, IPV6_UNICAST_HOPS, + &host->conf.ttl, sizeof(int)) == -1) + log_warn("%s: setsockopt",__func__); + break; + } r = sendto(s, packet, sizeof(packet), 0, to, slen); if (r == -1) { Index: check_tcp.c === RCS file: /cvs/src/usr.sbin/relayd/check_tcp.c,v retrieving revision 1.54 diff -u -p -r1.54 check_tcp.c --- check_tcp.c 28 May 2017 10:39:15 - 1.54 +++ check_tcp.c 23 Jun 2017 10:42:30 - 
@@ -82,11 +82,19 @@ check_tcp(struct ctl_tcp_event *cte) if (setsockopt(s, SOL_SOCKET, SO_LINGER, &lng, sizeof(lng)) == -1) goto bad; - if (cte->host->conf.ttl > 0) { - if (setsockopt(s, IPPROTO_IP, IP_TTL, - &cte->host->conf.ttl, sizeof(int)) == -1) - goto bad; - } + if (cte->host->conf.ttl > 0) + switch (cte->host->conf.ss.ss_family) { + case AF_INET: + if (setsockopt(s, IPPROTO_IP, IP_TTL, + &cte->host->conf.ttl, sizeof(int)) == -1) + goto bad; + break; + case AF_INET6: + if (setsockopt(s, IPPROTO_IPV6, IPV6_UNICAST_HOPS, + &cte->host->conf.ttl, sizeof(int)) == -1) + goto bad; + break; + } bcopy(&cte->table->conf.timeout, &tv, sizeof(tv)); if (connect(s, (struct sockaddr *)&cte->host->conf.ss, len) == -1) {
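Review bot: the check_icmp.c hunk deletes the whole `else { /* Revert to default TTL */ ... IP_IPDEFTTL ... }` branch without a replacement, so once a host's `ip ttl` is removed from the configuration the raw socket, which is kept across reloads, keeps the previously set TTL; keep a reset path for both families (for IPv6 the hop limit can be reset by setting IPV6_UNICAST_HOPS to -1, per ip6(4)).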
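Review bot: in the check_tcp.c hunk, `if (cte->host->conf.ttl > 0)` followed by a multi-line `switch` body without braces is fragile under later edits and against KNF; wrap the switch in `{ ... }` (the original code it replaces had the braces), and the AF_INET6 case should also handle the default (unknown family) by falling through to `goto bad` or a warning rather than silently doing nothing.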
Re: relayd ipv6 ttl check_icmp / check_tcp
On 04/07/17 23:56, Sebastian Benoit wrote: > Florian Obser(flor...@openbsd.org) on 2017.07.04 19:27:15 +: >> On Fri, Jun 23, 2017 at 01:52:52PM +0300, Kapetanakis Giannis wrote: >>> Hi, >>> >>> Using relayd's redirect/forward on ipv6 addresses I discovered problems >>> relating to setting TTL. >>> >>> There is no check for address family and setsockopt tries to apply IP_TTL >>> always. >>> >>> Without ip ttl on ipv6 table, check_icmp gives >>> send_icmp: getsockopt: Invalid argument >>> >>> I've removed the IP_IPDEFTTL check. Was this ok? >> >> Nope, relayd reuses the raw socket between config reloads (I think), >> if the ttl gets removed from the config we need to reset to the >> default. Don't think there is a getsockopt for v6, you can take a look > > I think jca@ once had a diff for something called IPV6_MINHOPLIMIT? Unsure if > that's what we need here though. > >> at the sysctl(3) song and dance in traceroute(8) how to do this >> somewhat AF independent. >> >> Also please make sure to not exceed 80 cols Thanks for the commit on check_tcp. My tabstop was set to 3 and not 8. Fixed that, but it looks ugly. According to ip6(4): IPV6_UNICAST_HOPS int * Get or set the default hop limit header field for outgoing unicast datagrams sent on this socket. A value of -1 resets to the default value. So I changed the diff and use this. Couldn't make it work with sysctl. Comments? Giannis PS. There is still a patch on @tech for alternative socket name. Could you also have a look there when you have some time? Thanks Index: check_icmp.c === RCS file: /cvs/src/usr.sbin/relayd/check_icmp.c,v retrieving revision 1.45 diff -u -p -r1.45 check_icmp.c --- check_icmp.c28 May 2017 10:39:15 - 1.45 +++ check_icmp.c5 Jul 2017 14:35:03 - @@ -168,6 +168,7 @@ send_icmp(int s, short event, void *arg) socklen_tslen, len; int i = 0, ttl; u_int32_tid; + int ip6_def_hlim = -1; if (event == EV_TIMEOUT) { icmp_checks_timeout(cie, HCE_ICMP_WRITE_TIMEOUT); 
@@ -220,18 +221,46 @@ send_icmp(int s, short event, void *arg) sizeof(packet)); } - if ((ttl = host->conf.ttl) > 0) - (void)setsockopt(s, IPPROTO_IP, IP_TTL, - &host->conf.ttl, sizeof(int)); - else { - /* Revert to default TTL */ - len = sizeof(ttl); - if (getsockopt(s, IPPROTO_IP, IP_IPDEFTTL, - &ttl, &len) == 0) - (void)setsockopt(s, IPPROTO_IP, IP_TTL, - &ttl, len); - else - log_warn("%s: getsockopt",__func__); + switch(cie->af) { + case AF_INET: + if ((ttl = host->conf.ttl) > 0) { + if (setsockopt(s, IPPROTO_IP, IP_TTL, + &host->conf.ttl, sizeof(int)) == -1) + log_warn("%s: setsockopt", + __func__); + } + else { + /* Revert to default TTL */ + len = sizeof(ttl); + if (getsockopt(s, IPPROTO_IP, + IP_IPDEFTTL, &ttl, &len) == 0) { + if (setsockopt(s, IPPROTO_IP, + IP_TTL, &ttl, len) == -1) + log_warn( + "%s: setsockopt", + __func__); + } + else + log_warn("%s: getsockopt",__func__); + } + break; + case AF_INET6: + if ((ttl = host->conf.ttl) > 0) { + if (setsockopt(
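Review bot: in the second check_icmp.c hunk the `+ }` / `+ else {` pair puts `else` on its own line, which KNF writes as `} else {`; and the `int ip6_def_hlim = -1;` added in the first hunk as a separate declaration after `u_int32_t id;` should sit with the other int locals (`int i = 0, ttl;`), or be dropped in favour of assigning `ttl = -1` in the IPv6 reset branch so both families use the same variable for setsockopt(2).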
Re: relayd/ctl alternative control socket
On 23/06/17 11:07, Kapetanakis Giannis wrote: > On 23/06/17 04:43, David Gwynne wrote: >> >>> On 23 Jun 2017, at 01:15, Kapetanakis Giannis >>> wrote: >>> >>> Hi, >>> >>> Here is a patch for using alternative control socket for relayd and >>> relayctl. >>> It's based on ospfd. I would like for this to get in order to be able to >>> control multiple relayd daemons on different rdomains. >> >> i had something very much like this here, but more to limit the scope of >> failure than run in multiple rdomains. >> >> id like to see some tweaks for the ctl side though. see below. > > Thanks for the comments. > Updated diff below > > btw char instead of const char is used all over the tree, also for conf files. > > G Hi, After reading back in the archive, I found out that it's preferred for this to be in the conf file instead of an argument. Here is an updated version for relayd that uses the configuration file. relayctl is the same so I don't post it again. regards, Giannis Index: config.c === RCS file: /cvs/src/usr.sbin/relayd/config.c,v retrieving revision 1.32 diff -u -p -r1.32 config.c --- config.c27 May 2017 08:33:25 - 1.32 +++ config.c10 Jul 2017 08:49:09 - @@ -44,6 +44,7 @@ config_init(struct relayd *env) env->sc_conf.interval.tv_usec = 0; env->sc_conf.prefork_relay = RELAY_NUMPROC; env->sc_conf.statinterval.tv_sec = RELAY_STATINTERVAL; + env->sc_ps->ps_csock.cs_name = RELAYD_SOCKET; } ps->ps_what[PROC_PARENT] = CONFIG_ALL; Index: parse.y === RCS file: /cvs/src/usr.sbin/relayd/parse.y,v retrieving revision 1.215 diff -u -p -r1.215 parse.y --- parse.y 27 May 2017 08:33:25 - 1.215 +++ parse.y 10 Jul 2017 08:49:09 - 
@@ -413,6 +413,9 @@ main: INTERVAL NUMBER { AGENTX_SOCKET, sizeof(conf->sc_conf.snmp_path)); } + | SOCKET STRING { + conf->sc_ps->ps_csock.cs_name = $2; + } ; trap : /* nothing */ { $$ = 0; } Index: relayd.c === RCS file: /cvs/src/usr.sbin/relayd/relayd.c,v retrieving revision 1.169 diff -u -p -r1.169 relayd.c --- relayd.c31 May 2017 04:14:34 - 1.169 +++ relayd.c10 Jul 2017 08:49:09 - @@ -199,9 +199,6 @@ main(int argc, char *argv[]) if ((ps->ps_pw = getpwnam(RELAYD_USER)) == NULL) errx(1, "unknown user %s", RELAYD_USER); - /* Configure the control socket */ - ps->ps_csock.cs_name = RELAYD_SOCKET; - log_init(debug, LOG_DAEMON); log_setverbose(verbose); Index: relayd.conf.5 === RCS file: /cvs/src/usr.sbin/relayd/relayd.conf.5,v retrieving revision 1.177 diff -u -p -r1.177 relayd.conf.5 --- relayd.conf.5 19 Apr 2017 10:48:57 - 1.177 +++ relayd.conf.5 10 Jul 2017 08:49:09 - @@ -163,6 +163,12 @@ will be used. See .Xr snmpd.conf 5 for more information about SNMP configuration. +.It Ic socket Qo Ar path Qc +Create a control socket at +.Ar path . +By default +.Pa /var/run/relayd.sock +is created and no other sockets are created. .It Ic timeout Ar number Set the global timeout in milliseconds for checks. This can be overridden by the timeout value in the table definitions. > > Index: relayctl/relayctl.8 > === > RCS file: /cvs/src/usr.sbin/relayctl/relayctl.8,v > retrieving revision 1.32 > diff -u -p -r1.32 relayctl.8 > --- relayctl/relayctl.8 28 Nov 2015 01:22:44 - 1.32 > +++ relayctl/relayctl.8 23 Jun 2017 07:57:59 - > @@ -23,6 +23,7 @@ > .Nd control the relay daemon > .Sh SYNOPSIS > .Nm > +.Op Fl s Ar socket > .Ar command > .Op Ar argument ... > .Sh DESCRIPTION 
> @@ -31,6 +32,21 @@ The > program controls the > .Xr relayd 8 > daemon. > +Commands may be abbreviated to the minimum unambiguous prefix; for example, > +.Cm sh su > +for > +.Cm show summary . > +.Pp > +The following options are available: > +.Bl -tag -width Ds > +.It Fl s Ar socket > +Use > +.Ar socket > +instead of the default > +.Pa /var/run/relayd.sock > +to communicate with > +.Xr relayd 8 . > +.El > .Pp > The following commands are available: > .Bl -tag -width Ds > Index: relayctl/relayctl.c > ===
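Review bot: in the parse.y hunk of the config-file version, `conf->sc_ps->ps_csock.cs_name = $2;` stores the lexer's strdup'd string directly, with no length check against `sizeof(sun.sun_path)` and without freeing a previous value if `socket` appears twice; follow the pattern of the neighbouring snmp rule (strlcpy(3) into a fixed buffer, error out on truncation, then free($2)).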
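Review bot: the relayd.conf.5 hunk's "By default /var/run/relayd.sock is created and no other sockets are created." suggests several sockets can be configured, but the grammar simply overwrites cs_name, so only one control socket exists and a later `socket` line wins; reword to "The default is /var/run/relayd.sock." and, since config_init() reassigns cs_name on every parse, state whether a changed path takes effect on reload or only at startup.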
Re: relayd ipv6 ttl check_icmp / check_tcp
On 10/07/17 17:22, Jeremie Courreges-Anglas wrote: > Using -1 for IPV6_UNICAST_HOPS is correct. > > Note that you can also use -1 for IP_TTL on OpenBSD, sadly some systems > out there don't support it. > >> comments? > > ok jca@ with the nits below. > > It would be nice to factor this out in a helper function and use it > elsewhere in relayd. Thanks for the comments. My guess is that the helper function should go outside of relayd so it can be used by others as well? I leave that to a more competent programmer. Would you like me to set -1 to IP_TTL as well and drop the call to getsockopt(2)? Updated diff below (in case not) with jca@ recommendations. G Index: check_icmp.c === RCS file: /cvs/src/usr.sbin/relayd/check_icmp.c,v retrieving revision 1.45 diff -u -p -r1.45 check_icmp.c --- check_icmp.c28 May 2017 10:39:15 - 1.45 +++ check_icmp.c10 Jul 2017 15:16:02 - 
@@ -220,18 +220,45 @@ send_icmp(int s, short event, void *arg) sizeof(packet)); } - if ((ttl = host->conf.ttl) > 0) - (void)setsockopt(s, IPPROTO_IP, IP_TTL, - &host->conf.ttl, sizeof(int)); - else { - /* Revert to default TTL */ - len = sizeof(ttl); - if (getsockopt(s, IPPROTO_IP, IP_IPDEFTTL, - &ttl, &len) == 0) - (void)setsockopt(s, IPPROTO_IP, IP_TTL, - &ttl, len); - else - log_warn("%s: getsockopt",__func__); + switch(cie->af) { + case AF_INET: + if ((ttl = host->conf.ttl) > 0) { + if (setsockopt(s, IPPROTO_IP, IP_TTL, + &host->conf.ttl, sizeof(int)) == -1) + log_warn("%s: setsockopt", + __func__); + } else { + /* Revert to default TTL */ + len = sizeof(ttl); + if (getsockopt(s, IPPROTO_IP, + IP_IPDEFTTL, &ttl, &len) == 0) { + if (setsockopt(s, IPPROTO_IP, + IP_TTL, &ttl, len) == -1) + log_warn( + "%s: setsockopt", + __func__); + } else + log_warn("%s: getsockopt", + __func__); + } + break; + case AF_INET6: + if ((ttl = host->conf.ttl) > 0) { + if (setsockopt(s, IPPROTO_IPV6, + IPV6_UNICAST_HOPS, &host->conf.ttl, + sizeof(int)) == -1) + log_warn("%s: setsockopt", + __func__); + } else { + /* Revert to default hop limit */ + ttl = -1; + if (setsockopt(s, IPPROTO_IPV6, + IPV6_UNICAST_HOPS, &ttl, + sizeof(int)) == -1) + log_warn("%s: setsockopt", + __func__); + } + break; } r = sendto(s, packet, sizeof(packet), 0, to, slen);
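Review bot: in the check_icmp.c hunk, `switch(cie->af)` needs a space after the keyword per KNF, and the two branches pass the value inconsistently (`&host->conf.ttl, sizeof(int)` in the set paths, `&ttl, sizeof(int)` in the IPv6 reset path); assign `ttl = host->conf.ttl` once before the switch and use `&ttl, sizeof(ttl)` everywhere so the four setsockopt(2) calls read the same and the reset branch cannot diverge from the set branch.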
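The address-family-dependent TTL handling that this thread converges on, written as the small helper jca@ suggests factoring out. This is an added example and not relayd's code: it assumes the caller knows the socket's family (relayd has it in `cie->af` / `ss_family`), it restores the kernel default with -1 for both IPv4 and IPv6 (ip6(4) documents -1 for IPV6_UNICAST_HOPS; for IP_TTL that works on OpenBSD and Linux but, as the thread notes, not on every system, which is why the committed diff keeps the IP_IPDEFTTL getsockopt(2) path for IPv4), and it refuses unknown families instead of blindly applying IP_TTL. The `probe_hoplimit()` function is a constructed self-check that opens a throwaway datagram socket, sets a value, reads it back, resets it and confirms the default returned.

```c
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#include <stdio.h>
#include <unistd.h>

/*
 * set_hoplimit: apply a configured TTL (IPv4) or hop limit (IPv6) to a
 * socket. ttl <= 0 means "nothing configured", so restore the kernel
 * default with -1 (assumption: the kernel accepts -1 for IP_TTL, which
 * OpenBSD and Linux do). Returns 0 on success, -1 with errno set.
 */
int
set_hoplimit(int s, int af, int ttl)
{
	int v = ttl > 0 ? ttl : -1;

	switch (af) {
	case AF_INET:
		return setsockopt(s, IPPROTO_IP, IP_TTL, &v, sizeof(v));
	case AF_INET6:
		return setsockopt(s, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &v,
		    sizeof(v));
	default:
		/* Refuse rather than apply an IPv4 option to another family. */
		errno = EAFNOSUPPORT;
		return -1;
	}
}

/* get_hoplimit: read back the effective value into *out; -1 on error. */
int
get_hoplimit(int s, int af, int *out)
{
	socklen_t len = sizeof(*out);

	switch (af) {
	case AF_INET:
		return getsockopt(s, IPPROTO_IP, IP_TTL, out, &len);
	case AF_INET6:
		return getsockopt(s, IPPROTO_IPV6, IPV6_UNICAST_HOPS, out, &len);
	default:
		errno = EAFNOSUPPORT;
		return -1;
	}
}

/*
 * probe_hoplimit: constructed self-check on a fresh datagram socket of
 * the given family: set a non-default value and verify it reads back,
 * then reset with ttl = 0 and verify a positive kernel default (different
 * from the value just set) is back. Returns 1 when both checks pass,
 * 0 when no socket of that family can be created on this host (nothing
 * could be checked), and -1 when a setsockopt/getsockopt call fails or
 * the read-back value is wrong.
 */
int
probe_hoplimit(int af, int ttl)
{
	int s, v, rc = -1;

	if ((s = socket(af, SOCK_DGRAM, 0)) == -1)
		return 0;
	if (set_hoplimit(s, af, ttl) == 0 && get_hoplimit(s, af, &v) == 0 &&
	    v == ttl &&
	    set_hoplimit(s, af, 0) == 0 && get_hoplimit(s, af, &v) == 0 &&
	    v > 0 && v != ttl)
		rc = 1;
	close(s);
	return rc;
}

int
main(void)
{
	/* 5 is deliberately far from the usual default of 64. */
	printf("AF_INET  ttl 5 then reset: %d\n", probe_hoplimit(AF_INET, 5));
	printf("AF_INET6 hops 5 then reset: %d\n", probe_hoplimit(AF_INET6, 5));
	return 0;
}
```

Calling `set_hoplimit()` from both send_icmp() and check_tcp() would remove the duplicated switch statements and guarantee that a removed `ip ttl` always resets the socket, which is the reload problem florian@ raised earlier in the thread.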
Re: relayd ipv6 ttl check_icmp / check_tcp
On 12/07/17 22:00, Jeremie Courreges-Anglas wrote: The tweak I had in mind: consistently use "ttl" for all the get/setsockopt calls. ok? Nice, you can also replace sizeof(int) with sizeof(ttl) in the else{} block of case AF_INET6. G Index: check_icmp.c === RCS file: /d/cvs/src/usr.sbin/relayd/check_icmp.c,v retrieving revision 1.46 diff -u -p -p -u -r1.46 check_icmp.c --- check_icmp.c11 Jul 2017 19:41:30 - 1.46 +++ check_icmp.c12 Jul 2017 18:57:52 - @@ -220,11 +220,12 @@ send_icmp(int s, short event, void *arg) sizeof(packet)); } + ttl = host->conf.ttl; switch(cie->af) { case AF_INET: - if ((ttl = host->conf.ttl) > 0) { + if (ttl > 0) { if (setsockopt(s, IPPROTO_IP, IP_TTL, - &host->conf.ttl, sizeof(int)) == -1) + &ttl, sizeof(ttl)) == -1) log_warn("%s: setsockopt", __func__); } else { @@ -243,10 +244,10 @@ send_icmp(int s, short event, void *arg) } break; case AF_INET6: - if ((ttl = host->conf.ttl) > 0) { + if (ttl > 0) { if (setsockopt(s, IPPROTO_IPV6, - IPV6_UNICAST_HOPS, &host->conf.ttl, - sizeof(int)) == -1) + IPV6_UNICAST_HOPS, &ttl, + sizeof(ttl)) == -1) log_warn("%s: setsockopt", __func__); } else {
Re: which programming language to use?
On 19/07/17 13:13, Peer Dong wrote: > Hi Tech, > > > which programming language should i dig on to understand the programming > codes i am reading. > > > thanks again. > > Peerdong. C https://en.wikipedia.org/wiki/C_(programming_language)
typo in tcp_input.c
Just noticed this typo in tcp_input.c G Index: tcp_input.c === RCS file: /cvs/src/sys/netinet/tcp_input.c,v retrieving revision 1.318 diff -u -p -u -p -r1.318 tcp_input.c --- tcp_input.c 31 Mar 2016 13:11:14 - 1.318 +++ tcp_input.c 7 Jun 2016 08:36:39 - @@ -3372,8 +3372,8 @@ syn_cache_insert(struct syn_cache *sc, s /* * If there are no entries in the hash table, reinitialize -* the hash secrets. To avoid useless cache swaps and -* and reinitialization, use it until the limit is reached. +* the hash secrets. To avoid useless cache swaps and +* reinitialization, use it until the limit is reached. */ if (set->scs_count == 0 && set->scs_use <= 0) { arc4random_buf(set->scs_random, sizeof(set->scs_random));
client certificate support in syslogd
Hi, Following http://marc.info/?l=openbsd-tech&m=142136923124184&w=2 which added TLS client support in syslogd and since now libtls supports client certificates, this patch adds client certificate support in syslogd for mutual authentication to a remote syslog server. It is based on code from netcat.c tested on -current logging to a remote syslog-ng server using syslog driver requiring trusted certificates from its peers. It adds two switches: -c client_cert_file -k client_key_file Minor modification in CAfile setup as well to match the netcat code. It is missing manual page change for the two switches. I will fix this if ok. comments? Giannis Index: syslogd.c === RCS file: /cvs/src/usr.sbin/syslogd/syslogd.c,v retrieving revision 1.205 diff -u -p -r1.205 syslogd.c --- syslogd.c 2 Apr 2016 19:55:10 - 1.205 +++ syslogd.c 23 Jun 2016 15:09:23 - @@ -63,6 +63,7 @@ #define DEFUPRI(LOG_USER|LOG_NOTICE) #define DEFSPRI(LOG_KERN|LOG_CRIT) #define TIMERINTVL 30 /* interval for checking flush, mark */ +#define DEFAULT_CA_FILE "/etc/ssl/cert.pem" #include #include @@ -223,8 +224,16 @@ char *path_ctlsock = NULL; /* Path to co struct tls *server_ctx; struct tls_config *client_config, *server_config; -const char *CAfile = "/etc/ssl/cert.pem"; /* file containing CA certificates */ -intNoVerify = 0; /* do not verify TLS server x509 certificate */ +intNoVerify = 0; /* verify TLS server x509 certificate */ +char *CAfile = DEFAULT_CA_FILE; /* file containing CA certificates */ +char *PubCertfile; /* file containing public certificate */ +char *PrivKeyfile; /* file containing private key */ +uint8_t*cacert; +size_t cacertlen; +uint8_t*privkey; +size_t privkeylen; +uint8_t*pubcert; +size_t pubcertlen; inttcpbuf_dropped = 0; /* count messages dropped from TCP or TLS */ #define CTL_READING_CMD 1 
@@ -353,7 +362,7 @@ main(int argc, char *argv[]) int ch, i; int lockpipe[2] = { -1, -1}, pair[2], nullfd, fd; - while ((ch = getopt(argc, argv, "46a:C:dFf:hm:np:S:s:T:U:uV")) != -1) + while ((ch = getopt(argc, argv, "46a:C:c:dFf:hk:m:np:S:s:T:U:uV")) != -1) switch (ch) { case '4': /* disable IPv6 */ Family = PF_INET; @@ -369,6 +378,9 @@ main(int argc, char *argv[]) case 'C': /* file containing CA certificates */ CAfile = optarg; break; + case 'c': /* file containing public certificate */ + PubCertfile = optarg; + break; case 'd': /* debug */ Debug++; break; @@ -381,6 +393,9 @@ main(int argc, char *argv[]) case 'h': /* RFC 3164 hostnames */ IncludeHostname = 1; break; + case 'k': /* file containing private key */ + PrivKeyfile = optarg; + break; case 'm': /* mark interval */ MarkInterval = strtonum(optarg, 0, 365*24*60, &errstr); if (errstr) @@ -553,35 +568,37 @@ main(int argc, char *argv[]) tls_config_insecure_noverifycert(client_config); tls_config_insecure_noverifyname(client_config); } else { - struct stat sb; int fail = 1; - fd = -1; - p = NULL; - if ((fd = open(CAfile, O_RDONLY)) == -1) { - logerror("open CAfile"); - } else if (fstat(fd, &sb) == -1) { - logerror("fstat CAfile"); - } else if (sb.st_size > 50*1024*1024) { - logerrorx("CAfile larger than 50MB"); - } else if ((p = calloc(sb.st_size, 1)) == NULL) { - logerror("calloc CAfile"); - } else if (read(fd, p, sb.st_size) != sb.st_size) { - logerror("read CAfile"); - } else if (tls_config_set_ca_mem(client_config, p, - sb.st_size) == -1) { - logerrorx("tls_config_set_ca_mem"); - } else { + if (CAfile && (cacert = tls_load_file(CAfile, &cacertlen, NULL)) + == NULL) + errx(1, "unable to load CAfile %s", CAfile); + if (CAfile && tls_config_set_ca_mem(client_config, cacert, cacertle
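Review bot: the globals hunk rewrites the comment on `NoVerify` from "do not verify TLS server x509 certificate" to "verify TLS server x509 certificate", which inverts the documented meaning of the flag (NoVerify = 1 disables verification, as the `tls_config_insecure_noverifycert` branch in the later hunk shows); keep the original comment. The same hunk also drops `const` from `CAfile` although it only ever points at a literal or optarg, and it adds six file-content globals (`cacert`, `privkey`, `pubcert` and their lengths) that are only needed inside main() and should be locals there.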
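Review bot: in the main() hunk, `errx(1, "unable to load CAfile %s", CAfile)` turns a missing or unreadable CA file into a fatal start-up error, whereas the code it replaces logged with logerror() and carried on; that is a behaviour change for every existing installation without a cert.pem, so keep the non-fatal path (logerror and leave `fail` set) and limit this diff to the new -c/-k handling.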
Re: client certificate support in syslogd
On 23/06/16 18:14, Kapetanakis Giannis wrote: Hi, Following http://marc.info/?l=openbsd-tech&m=142136923124184&w=2 which added TLS client support in syslogd and since now libtls supports client certificates, this patch adds client certificate support in syslogd for mutual authentication to a remote syslog server. It is based on code from netcat.c tested on -current logging to a remote syslog-ng server using syslog driver requiring trusted certificates from its peers. It adds two switches: -c client_cert_file -k client_key_file Minor modification in CAfile setup as well to match the netcat code. It is missing manual page change for the two switches. I will fix this if ok. comments? Giannis Slightly improved version which handles CAfile if missing (like previous behavior). Changed usage and removed unnecessary checks of CAfile. Index: syslogd.c === RCS file: /cvs/src/usr.sbin/syslogd/syslogd.c,v retrieving revision 1.205 diff -u -p -r1.205 syslogd.c --- syslogd.c 2 Apr 2016 19:55:10 - 1.205 +++ syslogd.c 23 Jun 2016 16:49:58 - @@ -63,6 +63,7 @@ #define DEFUPRI(LOG_USER|LOG_NOTICE) #define DEFSPRI(LOG_KERN|LOG_CRIT) #define TIMERINTVL 30 /* interval for checking flush, mark */ +#define DEFAULT_CA_FILE "/etc/ssl/cert.pem" #include #include 
@@ -223,8 +224,16 @@ char *path_ctlsock = NULL; /* Path to co struct tls *server_ctx; struct tls_config *client_config, *server_config; -const char *CAfile = "/etc/ssl/cert.pem"; /* file containing CA certificates */ -intNoVerify = 0; /* do not verify TLS server x509 certificate */ +intNoVerify = 0; /* verify TLS server x509 certificate */ +char *CAfile = DEFAULT_CA_FILE; /* file containing CA certificates */ +char *PubCertfile = NULL; /* file containing public certificate */ +char *PrivKeyfile = NULL; /* file containing private key */ +uint8_t*cacert; +size_t cacertlen; +uint8_t*privkey; +size_t privkeylen; +uint8_t*pubcert; +size_t pubcertlen; inttcpbuf_dropped = 0; /* count messages dropped from TCP or TLS */ #define CTL_READING_CMD 1 @@ -353,7 +362,7 @@ main(int argc, char *argv[]) int ch, i; int lockpipe[2] = { -1, -1}, pair[2], nullfd, fd; - while ((ch = getopt(argc, argv, "46a:C:dFf:hm:np:S:s:T:U:uV")) != -1) + while ((ch = getopt(argc, argv, "46a:C:c:dFf:hk:m:np:S:s:T:U:uV")) != -1) switch (ch) { case '4': /* disable IPv6 */ Family = PF_INET; @@ -369,6 +378,9 @@ main(int argc, char *argv[]) case 'C': /* file containing CA certificates */ CAfile = optarg; break; + case 'c': /* file containing public certificate */ + PubCertfile = optarg; + break; case 'd': /* debug */ Debug++; break; @@ -381,6 +393,9 @@ main(int argc, char *argv[]) case 'h': /* RFC 3164 hostnames */ IncludeHostname = 1; break; + case 'k': /* file containing private key */ + PrivKeyfile = optarg; + break; case 'm': /* mark interval */ MarkInterval = strtonum(optarg, 0, 365*24*60, &errstr); if (errstr) 
@@ -553,34 +568,33 @@ main(int argc, char *argv[]) tls_config_insecure_noverifycert(client_config); tls_config_insecure_noverifyname(client_config); } else { - struct stat sb; int fail = 1; - fd = -1; - p = NULL; - if ((fd = open(CAfile, O_RDONLY)) == -1) { - logerror("open CAfile"); - } else if (fstat(fd, &sb) == -1) { - logerror("fstat CAfile"); - } else if (sb.st_size > 50*1024*1024) { - logerrorx("CAfile larger than 50MB"); - } else if ((p = calloc(sb.st_size, 1)) == NULL) { - logerror("calloc CAfile"); - } else if (read(fd, p, sb.st_size) != sb.st_size) { - logerror("read CAfile"); - } else if (tls_config_set_ca_mem(client_config, p, - sb.st_size) == -1) {
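Review bot: the globals hunk of this revision still carries the inverted `NoVerify` comment ("verify TLS server x509 certificate" for a flag that, when set, disables verification) and still drops `const` from `CAfile`; restore the original comment and keep `const char *CAfile`, since the only change this diff needs there is the two new `ClientCertfile`/`ClientKeyfile` pointers.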
Re: client certificate support in syslogd
On 27/06/16 02:02, Alexander Bluhm wrote: > On Thu, Jun 23, 2016 at 07:52:06PM +0300, Kapetanakis Giannis wrote: >> On 23/06/16 18:14, Kapetanakis Giannis wrote: >>> It adds two switches: >>> -c client_cert_file >>> -k client_key_file > > That's fine. > >>> Minor modification in CAfile setup as well to match the netcat code. > > Please do not change that now. There is a diff for libtls and > syslogd floating around that will make the code much simpler. > ... > bluhm Thanks for the comments. new version with all changes ok? Giannis Index: syslogd.8 === RCS file: /cvs/src/usr.sbin/syslogd/syslogd.8,v retrieving revision 1.40 diff -u -p -r1.40 syslogd.8 --- syslogd.8 31 Mar 2016 15:53:25 - 1.40 +++ syslogd.8 27 Jun 2016 13:53:50 - @@ -42,7 +42,9 @@ .Op Fl 46dFhnuV .Op Fl a Ar path .Op Fl C Ar CAfile +.Op Fl c Ar cert_file .Op Fl f Ar config_file +.Op Fl k Ar key_file .Op Fl m Ar mark_interval .Op Fl p Ar log_socket .Op Fl S Ar listen_address @@ -81,6 +83,9 @@ PEM encoded file containing CA certifica validation; the default is .Pa /etc/ssl/cert.pem . +.It Fl c Ar cert_file +PEM encoded file containing the client certificate for TLS connection +to a remote host. The default is not to use a certificate. .It Fl d Enable debugging to the standard output, and do not disassociate from the controlling terminal. @@ -93,6 +98,9 @@ the default is .Pa /etc/syslog.conf . .It Fl h Include the hostname when forwarding messages to a remote host. +.It Fl k Ar key_file +PEM encoded file containing the client private key for TLS connection +to a remote host. .It Fl m Ar mark_interval Select the number of minutes between .Dq mark Index: syslogd.c === RCS file: /cvs/src/usr.sbin/syslogd/syslogd.c,v retrieving revision 1.205 diff -u -p -r1.205 syslogd.c --- syslogd.c 2 Apr 2016 19:55:10 - 1.205 +++ syslogd.c 27 Jun 2016 13:53:51 - 
@@ -225,6 +225,8 @@ struct tls *server_ctx; struct tls_config *client_config, *server_config; const char *CAfile = "/etc/ssl/cert.pem"; /* file containing CA certificates */ intNoVerify = 0; /* do not verify TLS server x509 certificate */ +char *ClientCertfile = NULL; +char *ClientKeyfile = NULL; inttcpbuf_dropped = 0; /* count messages dropped from TCP or TLS */ #define CTL_READING_CMD1 @@ -353,7 +355,7 @@ main(int argc, char *argv[]) int ch, i; int lockpipe[2] = { -1, -1}, pair[2], nullfd, fd; - while ((ch = getopt(argc, argv, "46a:C:dFf:hm:np:S:s:T:U:uV")) != -1) + while ((ch = getopt(argc, argv, "46a:C:c:dFf:hk:m:np:S:s:T:U:uV")) != -1) switch (ch) { case '4': /* disable IPv6 */ Family = PF_INET; @@ -369,6 +371,9 @@ main(int argc, char *argv[]) case 'C': /* file containing CA certificates */ CAfile = optarg; break; + case 'c': /* file containing client certificate */ + ClientCertfile = optarg; + break; case 'd': /* debug */ Debug++; break; @@ -381,6 +386,9 @@ main(int argc, char *argv[]) case 'h': /* RFC 3164 hostnames */ IncludeHostname = 1; break; + case 'k': /* file containing client key */ + ClientKeyfile = optarg; + break; case 'm': /* mark interval */ MarkInterval = strtonum(optarg, 0, 365*24*60, &errstr); if (errstr) @@ -582,6 +590,31 @@ main(int argc, char *argv[]) free(p); close(fd); } + if (ClientCertfile && ClientKeyfile) { + uint8_t *clientcert, *clientkey; + size_t clientcertlen, clientkeylen; + + clientcert = tls_load_file(ClientCertfile, &clientcertlen, NULL); + if (clientcert == NULL) { + logerror("unable to load client TLS certificate file"); + } else if (tls_config_set_cert_mem(client_config, clientcert, + clientcertlen) == -1) { + logerror("unable to set client TLS certificate file"); + } else { + l
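Review bot: in the syslogd.c hunk at @@ -582,6 +590,31 @@ the client certificate is only configured when both `ClientCertfile && ClientKeyfile` are set, so `-c` without `-k` (or `-k` without `-c`) is silently ignored and the connection proceeds without a client certificate; the syslogd.8 hunks do not say the two options belong together, so either fail at option parsing when only one is given or document that `-k` requires `-c`.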
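Review bot: in the same hunk the `tls_config_set_cert_mem()` failure is reported with `logerror()`, the variant that appends the errno text (the CAfile code above uses `logerrorx()` where no errno applies), but a libtls configuration failure does not set a meaningful errno; report `tls_config_error(client_config)` through `logerrorx()` instead so the log says why the certificate was rejected.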
Re: client certificate support in syslogd
On 12/07/16 02:28, Alexander Bluhm wrote: > On Mon, Jun 27, 2016 at 05:10:14PM +0300, Kapetanakis Giannis wrote: >> new version with all changes > > I have polished the diff a bit and would like to commit it. > > ok? > > bluhm Nice. One question. Since you've already changed to tls_config_set_XXX_file for the server side (https://www.marc.info/?l=openbsd-tech&m=146784645120595&w=2), would it be ok to use those functions for the client as well instead of tls_load_file && tls_config_set_XXX_mem? G > > Index: usr.sbin/syslogd/syslogd.8 > === > RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.8,v > retrieving revision 1.40 > diff -u -p -r1.40 syslogd.8 > --- usr.sbin/syslogd/syslogd.831 Mar 2016 15:53:25 - 1.40 > +++ usr.sbin/syslogd/syslogd.811 Jul 2016 22:07:22 - > @@ -42,7 +42,9 @@ > .Op Fl 46dFhnuV > .Op Fl a Ar path > .Op Fl C Ar CAfile > +.Op Fl c Ar cert_file > .Op Fl f Ar config_file > +.Op Fl k Ar key_file > .Op Fl m Ar mark_interval > .Op Fl p Ar log_socket > .Op Fl S Ar listen_address > @@ -81,6 +83,11 @@ PEM encoded file containing CA certifica > validation; > the default is > .Pa /etc/ssl/cert.pem . > +.It Fl c Ar cert_file > +PEM encoded file containing the client certificate for TLS connection > +to a remote host. > +The default is not to use a client certificate for the connection > +to a syslog server. > .It Fl d > Enable debugging to the standard output, > and do not disassociate from the controlling terminal. 
> @@ -93,6 +100,11 @@ the default is > .Pa /etc/syslog.conf . > .It Fl h > Include the hostname when forwarding messages to a remote host. > +.It Fl k Ar key_file > +PEM encoded file containing the client private key for TLS connection > +to a remote host. > +This option has to be used together with > +.Fl c Ar cert_file . > .It Fl m Ar mark_interval > Select the number of minutes between > .Dq mark > Index: usr.sbin/syslogd/syslogd.c > === > RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.c,v > retrieving revision 1.208 > diff -u -p -r1.208 syslogd.c > --- usr.sbin/syslogd/syslogd.c6 Jul 2016 19:29:13 - 1.208 > +++ usr.sbin/syslogd/syslogd.c11 Jul 2016 23:06:48 - > @@ -225,6 +225,8 @@ structtls *server_ctx; > struct tls_config *client_config, *server_config; > const char *CAfile = "/etc/ssl/cert.pem"; /* file containing CA certificates > */ > int NoVerify = 0; /* do not verify TLS server x509 certificate */ > +char *ClientCertfile = NULL; > +char *ClientKeyfile = NULL; > int tcpbuf_dropped = 0; /* count messages dropped from TCP or TLS */ > > #define CTL_READING_CMD 1 > @@ -353,7 +355,8 @@ main(int argc, char *argv[]) > int ch, i; > int lockpipe[2] = { -1, -1}, pair[2], nullfd, fd; > > - while ((ch = getopt(argc, argv, "46a:C:dFf:hm:np:S:s:T:U:uV")) != -1) > + while ((ch = getopt(argc, argv, "46a:C:c:dFf:hk:m:np:S:s:T:U:uV")) > + != -1) > switch (ch) { > case '4': /* disable IPv6 */ > Family = PF_INET; > @@ -369,6 +372,9 @@ main(int argc, char *argv[]) > case 'C': /* file containing CA certificates */ > CAfile = optarg; > break; > + case 'c': /* file containing client certificate */ > + ClientCertfile = optarg; > + break; > case 'd': /* debug */ > Debug++; > break; 
> @@ -381,6 +387,9 @@ main(int argc, char *argv[]) > case 'h': /* RFC 3164 hostnames */ > IncludeHostname = 1; > break; > + case 'k': /* file containing client key */ > + ClientKeyfile = optarg; > + break; > case 'm': /* mark interval */ > MarkInterval = strtonum(optarg, 0, 365*24*60, &errstr); > if (errstr) > @@ -582,6 +591,31 @@ main(int argc, char *argv[]) > free(p); > close(fd); > } > + if (ClientCertfile && ClientKeyfile) { > + uint8_t *cert, *key; > + siz
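Review bot: the quoted syslogd.8 hunk now documents that `-k` has to be used together with `-c`, but the quoted code at @@ -582,6 +591,31 @@ still gates the whole client certificate setup on `if (ClientCertfile && ClientKeyfile)`, so giving exactly one of the two options yields a plain TLS client connection with no diagnostic; an explicit error in that case would make the code match the documented contract.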
switchd manual pages minor diff
Hi, just a minor change to manual pages of switch daemon. G Index: switchd.8 === RCS file: /cvs/src/usr.sbin/switchd/switchd.8,v retrieving revision 1.2 diff -u -p -r1.2 switchd.8 --- switchd.8 25 Sep 2016 23:05:29 - 1.2 +++ switchd.8 19 Oct 2016 12:08:36 - @@ -68,6 +68,9 @@ options increase the verbosity. .It Pa /etc/switchd.conf Default configuration file. .El +.Sh SEE ALSO +.Xr switchd.conf 5 , +.Xr switchctl 8 .Sh STANDARDS .Rs .%A Open Networking Foundation (ONF) Index: switchd.conf.5 === RCS file: /cvs/src/usr.sbin/switchd/switchd.conf.5,v retrieving revision 1.3 diff -u -p -r1.3 switchd.conf.5 --- switchd.conf.5 20 Jul 2016 07:21:24 - 1.3 +++ switchd.conf.5 19 Oct 2016 12:08:36 - @@ -112,4 +112,5 @@ listen on 0.0.0.0 port 6633 .\"device "/dev/switch1" forward to tcp:192.168.0.1:6633 .Ed .Sh SEE ALSO +.Xr switchctl 8 , .Xr switchd 8 Index: switchctl.8 === RCS file: /cvs/src/usr.sbin/switchctl/switchctl.8,v retrieving revision 1.2 diff -u -p -r1.2 switchctl.8 --- switchctl.8 12 Oct 2016 19:07:42 - 1.2 +++ switchctl.8 19 Oct 2016 12:09:09 - @@ -100,7 +100,8 @@ socket used for communication with .Xr switchd 8 .El .Sh SEE ALSO -.Xr bridge 4 +.Xr bridge 4 , +.Xr switchd.conf 8 , .Xr switchd 8 .Sh HISTORY The
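Review bot: the switchctl.8 hunk adds `.Xr switchd.conf 8 ,` but that page lives in section 5 (the file edited in this same diff is switchd.conf.5, and the switchd.8 hunk references it as `.Xr switchd.conf 5`); change it to `.Xr switchd.conf 5 ,`, which also keeps the SEE ALSO list in section order after `.Xr bridge 4`.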
Re: relayd/ctl alternative control socket
Hi, In June I posted a patch about using an alternative control socket for relayd and relayctl. There was a comment from David Gwynne which was evaluated. Is it OK to get this in, in order to be able to control multiple relayd daemons on different rdomains? thanks Giannis Index: config.c === RCS file: /cvs/src/usr.sbin/relayd/config.c,v retrieving revision 1.35 diff -u -p -r1.35 config.c --- config.c27 Nov 2017 23:21:16 - 1.35 +++ config.c28 Nov 2017 10:43:37 - @@ -44,6 +44,7 @@ config_init(struct relayd *env) env->sc_conf.interval.tv_usec = 0; env->sc_conf.prefork_relay = RELAY_NUMPROC; env->sc_conf.statinterval.tv_sec = RELAY_STATINTERVAL; + env->sc_ps->ps_csock.cs_name = RELAYD_SOCKET; } ps->ps_what[PROC_PARENT] = CONFIG_ALL; Index: parse.y === RCS file: /cvs/src/usr.sbin/relayd/parse.y,v retrieving revision 1.220 diff -u -p -r1.220 parse.y --- parse.y 27 Nov 2017 23:21:16 - 1.220 +++ parse.y 28 Nov 2017 10:43:38 - @@ -418,6 +418,9 @@ main: INTERVAL NUMBER { AGENTX_SOCKET, sizeof(conf->sc_conf.snmp_path)); } + | SOCKET STRING { + conf->sc_ps->ps_csock.cs_name = $2; + } ; trap : /* nothing */ { $$ = 0; } Index: relayd.c === RCS file: /cvs/src/usr.sbin/relayd/relayd.c,v retrieving revision 1.170 diff -u -p -r1.170 relayd.c --- relayd.c27 Nov 2017 21:06:26 - 1.170 +++ relayd.c28 Nov 2017 10:43:38 - @@ -199,9 +199,6 @@ main(int argc, char *argv[]) if ((ps->ps_pw = getpwnam(RELAYD_USER)) == NULL) errx(1, "unknown user %s", RELAYD_USER); - /* Configure the control socket */ - ps->ps_csock.cs_name = RELAYD_SOCKET; - log_init(debug, LOG_DAEMON); log_setverbose(verbose); Index: relayd.conf.5 === RCS file: /cvs/src/usr.sbin/relayd/relayd.conf.5,v retrieving revision 1.180 diff -u -p -r1.180 relayd.conf.5 --- relayd.conf.5 27 Nov 2017 23:21:16 - 1.180 +++ relayd.conf.5 28 Nov 2017 10:43:38 - 
@@ -163,6 +163,12 @@ will be used. See .Xr snmpd.conf 5 for more information about SNMP configuration. +.It Ic socket Qo Ar path Qc +Create a control socket at +.Ar path . +By default +.Pa /var/run/relayd.sock +is created and no other sockets are created. .It Ic timeout Ar number Set the global timeout in milliseconds for checks. This can be overridden by the timeout value in the table definitions. Index: relayctl.8 === RCS file: /cvs/src/usr.sbin/relayctl/relayctl.8,v retrieving revision 1.32 diff -u -p -r1.32 relayctl.8 --- relayctl.8 28 Nov 2015 01:22:44 - 1.32 +++ relayctl.8 28 Nov 2017 10:43:22 - @@ -23,6 +23,7 @@ .Nd control the relay daemon .Sh SYNOPSIS .Nm +.Op Fl s Ar socket .Ar command .Op Ar argument ... .Sh DESCRIPTION @@ -31,6 +32,17 @@ The program controls the .Xr relayd 8 daemon. +.Pp +The following options are available: +.Bl -tag -width Ds +.It Fl s Ar socket +Use +.Ar socket +instead of the default +.Pa /var/run/relayd.sock +to communicate with +.Xr relayd 8 . +.El .Pp The following commands are available: .Bl -tag -width Ds Index: relayctl.c === RCS file: /cvs/src/usr.sbin/relayctl/relayctl.c,v retrieving revision 1.57 diff -u -p -r1.57 relayctl.c --- relayctl.c 3 Sep 2016 14:44:21 - 1.57 +++ relayctl.c 28 Nov 2017 10:43:22 - @@ -88,7 +88,8 @@ usage(void) { extern char *__progname; - fprintf(stderr, "usage: %s command [argument ...]\n", __progname); + fprintf(stderr, "usage: %s [-s socket] command [argument ...]\n", + __progname); exit(1); } @@ -101,9 +102,25 @@ main(int argc, char *argv[]) int ctl_sock; int done = 0; int n, verbose = 0; + int ch; + const char *sockname; + + sockname = RELAYD_SOCKET; + while ((ch = getopt(argc, argv, "s:")) != -1) { + switch (ch) { + case 's': + sockname = optarg; + break; + default: + usage(); + /* NOTREACHED */ + } + } + argc -= optind; + argv += optind; /* parse options */ - if ((res = parse(argc - 1, argv + 1)) == NULL) + if ((res = parse(argc, argv)) == NULL
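Review bot: the config.c hunk moves the default `ps_csock.cs_name = RELAYD_SOCKET` into config_init(), and the parse.y hunk lets a `socket` statement overwrite it; check that config_init() runs before the configuration file is parsed and is not run again afterwards, otherwise the default clobbers the configured path. In the parse.y hunk a repeated `socket` statement also leaks the string assigned by the earlier one (the default is a literal, so only a value set by a previous statement may be freed), or reject duplicates with yyerror.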
Re: relayd/ctl alternative control socket
On 28/11/17 17:06, Sebastian benoit wrote: > Hi, > > your diff looks good, but i would rather do it the way bgpd/bgpctl do it: > > there the default is /var/run/bgpd.sock. where is the > routing domain bgpctl is running in. To administer bgpd(8) in a different > routing domain, run bgpctl in said routing domain. > > i.e. it detects the rdomain at startup, bgpctl does the same. > > Can you do that in relayd? It was committed there sometime in summer. > > /Benno I followed the snmpd way. My first diff was with a -s command line option (the ospfd, ldpd, iscsid, slaacd, ripd way). Then I changed it to the relayd.conf socket option because I saw a comment from Reyk on an older thread that this is the way to go: https://marc.info/?l=openbsd-tech&m=148840138521470&w=2 I don't think locking on the rdomain is good in relayd since someone might want to run multiple daemons on the same rdomain. With bgpd this is not a requirement. Anyway, if the patch is ok I believe it should go in because this feature is really needed by many people. Then later on, if a universal way of handling control sockets is decided on, it should be changed on all daemons not following that decision. G
Re: disable hw vlan tagging support in ix(4)
On 13/12/17 10:29, Martin Pieuchot wrote: > On 13/12/17(Wed) 09:54, David Gwynne wrote: >> im still looking at vlan performance problems, as discussed by mpi@ >> at http://www.grenadille.net/post/2017/02/13/What-happened-to-my-vlan. >> >> recently it occurred to me that we're making an implicit assumption >> that having the chip handle the injection of vlan tags has zero >> cost, and that all the loss in performance is purely a software >> problem. to test this assumption i knocked up the diff below to >> disable hw vlan tagging in ix(4), which was used in the tests mpi >> and hrvoje did. >> >> hrvoje tested this diff for me and noted a 10% improvement in pps >> when forwarding between vlan interfaces on ix(4). to quote hrvoje: >> >> without diff >> send - receive >> vlan - vlan = 830Kpps >> >> with diff >> send - receive >> vlan - vlan = 995Kpps >> >> my conclusion is that assumption that nics are fast at offloads is >> wrong. therefore id like to put this in. unfortunately 10% doesnt >> account for the entire loss in forwarding over vlan, but it does >> help a bit. >> >> would anyone else like to test? or ok it? > > I don't have hardware to test but I'd like to add that in a bridge(4) > scenario hardware tagging also decreases performance. > > From my point of view removing this per-chip option makes the stack > simpler, so I'm all for it. However I'd like to hear more test reports > on different ix(4) models. Sorry to jump in, but it looks to me that apart from different ix(4) models this should also be checked with different CPUs. I mean that with a recent fast CPU like E5-26xx it seems you get an improvement. This might not be the case with an older CPU. Also, what happens with L2 performance (not only L3 routing)? best, G
pflow PF_OUT use WIRE ips
Hi, A problem with our flows and nat-to on the $ext_if is that it exports the original (private) IP address and not the new public IP after the translation. We already have the information about the private IP from the flow on the $int_if. Similar problem with rdr-to and PF_OUT. This diff changes st->key to use PF_SK_WIRE for PF_OUT and export what you see in tcpdump. Tested with PF_IN/PF_OUT and normal, nat-to, rdr-to connections, although there is a problem only with PF_OUT, which used PF_SK_STACK. Did not test IPv6. regards, Giannis PS. I'll make an attempt to add NEL extension record types to hold NAT information in IPFIX from https://tools.ietf.org/html/draft-ietf-behave-ipfix-nat-logging-13. nfdump already supports this info so it will be good to be able to export it. Index: if_pflow.c === RCS file: /cvs/src/sys/net/if_pflow.c,v retrieving revision 1.86 diff -u -p -r1.86 if_pflow.c --- if_pflow.c 9 Jan 2018 15:24:24 - 1.86 +++ if_pflow.c 30 Jan 2018 13:10:46 - @@ -786,7 +786,7 @@ export_pflow(struct pf_state *st) struct pflow_softc *sc = NULL; struct pf_state_key *sk; - sk = st->key[st->direction == PF_IN ? PF_SK_WIRE : PF_SK_STACK]; + sk = st->key[PF_SK_WIRE]; SLIST_FOREACH(sc, &pflowif_list, sc_next) { switch (sc->sc_version) {
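Review bot: the if_pflow.c hunk changes the exported addresses for every PF_OUT state, not only translated ones; for states without nat-to or rdr-to the PF_SK_WIRE and PF_SK_STACK keys carry the same addresses so their export is unchanged, but any collector that relied on seeing pre-translation addresses on outbound flows now gets post-translation ones, so this is a visible behaviour change the commit message should call out. The key selection does not depend on address family, so the untested IPv6 case follows the same rule.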