CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2010/01/12 19:29:51 Modified files: sys/net: if.c Log message: make ifa_ifwithaddr use the shiny new ifaddr RB tree instead of traversing the list of all interfaces and traversing the list of all addresses on each interface. if bugs show up with addressing this is the #1 backout candidate, something i missed might fuck with ifaddrs behind our back, although i looked & tested hard. 10x to naddy for inet6 testing. ok theo ryan dlg
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2010/01/12 19:13:12 Modified files: sys/net: if.c if.h sys/netinet: in.c sys/netinet6 : in6.c in6_ifattach.c sys/netatalk : at_control.c Log message: instead of fiddling with the per-interface address lists directly in many places create a proper API (ifa_add / ifa_del) and use it. ok theo ryan dlg
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2010/01/12 19:02:43 Modified files: sys/netinet6 : in6.c Log message: adding an empty ifaddr struct to the per-interface ifaddr list and somewhen later eventually filling the address in is NOT nice. set address first, then insert. ok dlg theo ryan
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2010/01/12 18:26:28 Modified files: sys/netinet: igmp.c in.c in_var.h ip_carp.c ip_input.c Log message: let's admit it's not 1992 any more. CIDR is around for a long time, even that router vendor doesn't default to classful routing any more, and there really is no point in having a classful netmask and a subnetmask to split it. we still do classful guesses on the netmask if it isn't supplied by userland, but that's about it. i decided to keep ia_netmask and kill ia_subnetmask which makes this diff bigish, the classful ia_netmask wasn't really used all that much. the real changes are in in.c, the rest is mostly s/ia_subnetmask/ia_netmask. ok claudio dlg ryan
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2010/01/12 00:43:41 Modified files: etc: netstart Log message: when setting up lo0 use 127.0.0.1/8 instead of 127.0.0.1 for clarity and correctness. it's not 1992 any more, kids. ok mcbride dlg krw
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2010/01/10 21:07:07 Modified files: sys/net: pf.c Log message: "final" leak in state creation: in pf_state_key_setup, if we actually need two state keys (NAT case), and we succeed allocating the first one but fail getting the second we'd leak the first one. obvious and thus ok'd by dlg ryan and theo within seconds
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2010/01/10 20:52:03 Modified files: sys/net: pf.c Log message: fix a bug in pf_create_state that was a major source of amusement for me over the last couple of weeks (ever since I found it): when we are out of memory for the state keys we leak the state. oh the irony. instead of just fixing that one case rework the error handling in the entire function. verified painfully by yours truly by forcefully exercising each and every error path in there. ryan ok
Re: CVS: cvs.openbsd.org: src
* Claudio Jeker [2009-12-31 17:04]:
> CVSROOT: /cvs
> Module name: src
> Changes by: clau...@cvs.openbsd.org 2009/12/31 08:34:02
>
> Modified files:
> usr.sbin/bgpd : bgpd.c rde.c session.c session.h
>
> Log message:
> Instead of passing the config via arguments to the childs on bootup issue
> a config reload as first step in bootup. This allows childs to start with
> an empty config and a lot of special cleanup code can bite the dust.
> Testing by myself and sthen@ with a few configs (more testing welcome).
> Seems like a good idea henning@ & sthen@

this is basically the same change we made in ntpd many years ago and does simplify things. if anything breaks now it kinda must have been broken for reloads already, so this is good...

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/12/14 05:31:45 Modified files: sys/net: if_pfsync.c pf.c pf_ioctl.c pf_lb.c pfvar.h sbin/pfctl : pfctl_parser.c Log message: fix sticky-address - by pretty much re-implementing it. still following the original approach using a source tracking node. the reimplementation is more flexible than the original one, we now have an slist of source tracking nodes per state. that is cheap because more than one entry will be an absolute exception. ok beck and jsg, also stress tested by Sebastian Benoit
CVS: cvs.openbsd.org: www
CVSROOT:/cvs Module name:www Changes by: henn...@cvs.openbsd.org 2009/12/08 06:43:26 Modified files: faq: faq2.html Log message: there is really no need to do that make -n | sed dance, we have DEBUG for that. ok sthen and nick has no objections
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/11/26 06:40:43 Modified files: usr.sbin/bgpd : bgpd.conf.5 bgpd.h parse.y printconf.c rde_filter.c Log message: support for set origin; based on an initial diff from Sebastian Benoit who also tested this version claudio ok
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/11/24 06:23:55 Modified files: sys/net: pf_ioctl.c pfvar.h Log message: kill obsolete natpass
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/11/23 14:44:33 Modified files: usr.bin/systat : mbufs.c Log message: args, not that file
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/11/23 14:29:21 Modified files: sbin/pfctl : pfctl_optimize.c pfctl_parser.c Log message: since "nat/rdr pass" are history natpass can go
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/11/23 14:30:14 Modified files: usr.bin/systat : mbufs.c pftop.c Log message: no more natpass
Re: CVS: cvs.openbsd.org: src
* Henning Brauer [2009-11-23 19:43]:
> CVSROOT: /cvs
> Module name: src
> Changes by: henn...@cvs.openbsd.org 2009/11/23 11:41:21
>
> Modified files:
> sys/net: pf.c
>
> Log message:
> with the old code we initialized the state keys early in some cases

with the old NAT code, that is

> and thus had to get rid of them if we didn't create state. this is no
> longer the case, kill dead code. ok claudio
>

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/11/23 11:41:21 Modified files: sys/net: pf.c Log message: with the old code we initialized the state keys early in some cases and thus had to get rid of them if we didn't create state. this is no longer the case, kill dead code. ok claudio
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/11/23 11:10:43 Modified files: sys/net: pf.c Log message: one kinda-missing log |= PFLOG_FORCE in the v6 case, spotted by claudio
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/11/23 11:04:11 Modified files: sys/net: pf.c Log message: sync the handling of the log flag from pf_test (where it is correct) to pf_test6 (where it is wrong in some edge cases, for match rules and logs a packet twice in some cases). ok claudio
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/11/23 10:22:11 Modified files: sys/net: pf.c Log message: pf_test_fragment: we need to bail out if action == PF_DROP, not if action != PF_PASS. same was changed in pf_test_rule a while back but the fragment case was forgotten. since everybody reassembles nobody ran into this.
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/11/23 10:18:05 Modified files: sys/net: pf.c Log message: sync some comments with reality
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/11/23 09:03:10 Modified files: sys/net: if_pfsync.c pf.c pf_ioctl.c pfvar.h Log message: remove the nat_rule pointer on pf_state and pf_pdesc, obsolete after the NAT rewrite and ever since then only checked in a couple of places but never set. same for nat_src_node on pf_state. with this the NAT rewrite made pf over 1000 lines shorter.
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/11/22 15:34:50 Modified files: sbin/pfctl : parse.y pfctl.c pfctl_optimize.c pfctl_parser.c sys/net: if_pfsync.c pf.c pf_ioctl.c pf_ruleset.c pfvar.h Log message: cleanup after the NAT changes. we used to have multiple rulesets (scrub, NAT, filter). now we only have one. no need for an array any more. simplifies the code quite a bit. in the process fix the abuse of PF_RULESET_* by (surprise, isn't it) the table code. written at the filesystem hackathon in stockholm, committed from the hardware hackathon in portugal. ok gcc and jsing
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/11/21 13:54:27 Modified files: sys/net: pf.c Log message: knf
CVS: cvs.openbsd.org: www
CVSROOT:/cvs Module name:www Changes by: henn...@cvs.openbsd.org 2009/09/22 09:23:07 Modified files: . : events.html Log message: link slides here too
CVS: cvs.openbsd.org: www
CVSROOT:/cvs Module name:www Changes by: henn...@cvs.openbsd.org 2009/09/22 08:44:15 Modified files: papers : index.html Log message: link my slides and the ones oga & I did for the BSD new thing
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/09/16 06:28:19 Modified files: sys/net: pf.c Log message: style: in pf_test_state_other, fix indentation, kill excessive newlines, add break in the last case block
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/09/16 06:26:56 Modified files: sys/net: pf.c Log message: fix copy & paste error from almost a year ago (bad ryan) PF_ANEQ call in pf_test_state_other in the IPVshit case used AF_INET, found by claudio
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/09/02 08:50:02 Modified files: share/man/man5 : pf.conf.5 Log message: match in pass is bullshit (conversion error from nat pass), spotted by phessler
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/09/01 07:51:19 Modified files: etc: pf.conf Log message: todd reminded me we need to adjust this too
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/09/01 07:44:01 Modified files: share/man/man4 : pf.4 Log message: i have no idea who smuggled this in my tree but it is right (adopt for new pf)
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/09/01 07:43:15 Modified files: share/man/man5 : pf.conf.5 Log message: document new pf. mostly from igor, input and bnf by me
CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: henn...@cvs.openbsd.org 2009/09/01 07:42:00

Modified files:
sbin/pfctl : pfctl_optimize.c pfctl_parser.h pfctl.c pfctl_parser.c parse.y
sys/net: pf.c pf_lb.c pfvar.h pf_ioctl.c

Log message:
the diff theo calls me insane for:
rewrite of the NAT code, basically.
nat and rdr become actions on regular rules, separate nat/rdr/binat rules do not exist any more.
match in on $intf rdr-to 1.2.3.4
match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent this in pfctl for now, there are implications that need to be documented better.
the address rewrite happens inline, subsequent rules will see the already changed addresses. nat / rdr can be applied multiple times as well.
match in on $intf rdr-to 1.2.3.4
match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/08/12 16:15:53 Modified files: usr.bin/mg : theo.c Log message: i am sorry to commit to userland from a kernel hackathon
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/08/12 15:44:49 Modified files: sys/kern : uipc_mbuf.c Log message: just bzero the pkthdr instead of setting each and every member of that struct to 0/NULL. no performance impact but way less error prone on addition of new pkthdr field (as just ran into with a theo diff). ok theo
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/08/12 09:58:20 Modified files: sys/net: if.c Log message: dlg deferred calling interfaces' if_start routine so we call them less, which does pay out, performance wise. one of the conditions to call the interfaces' if_start routine immediately was "send queue is full". on a very busy (hammered) machine this will introduce too much latency since we spend almost all cpu time in interrupt handlers and softnet, so the softint actually doing the if_start gets called too seldom and the queue full check is what triggers the actual transmit. change the logic to call if's if_start routine immediately when there are at least 8 packets (or in case of maxlen being smaller than 8, maxlen) 8 chosen because it shows best performance in my test setup here. ok dlg
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/08/10 09:29:34 Modified files: sys/netinet: ip_input.c Log message: 7 years of #if 1 reasonable #else bullshit required by some committee #endif are enough. theo ok
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/08/10 09:26:34 Modified files: sys/netinet: ip_input.c Log message: we need to null mcopy, gotos bite. theo and i both missed them, theo ok
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/08/10 07:20:08 Modified files: sys/netinet: ip_input.c Log message: fix previous: -m_copydata instead of straight bcopy. noticed by damien -handle the pretty much impossible case that the packet header grows so much that MHLEN < 68. i bet this had been the least of our worries, in that case, but code oughta be correct anyway. ok theo and dlg
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/08/10 05:48:02 Modified files: sys/netinet: ip_input.c Log message: this is basically a fixed version of r1.165, avoid m_copym of each and every forwarded packet in case ip_output returns an error and we have to quote some of it back in an icmp error message. this implementation done from scratch: place an mbuf on the stack. copy the pkthdr from the forwarded packet and the first 68 bytes of payload. if we need to send an icmp error, just m_copym our mbuf-on-the-stack into a real one that icmp_error can fuck with and eat as it desires. ok theo dlg
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/08/09 12:45:30 Modified files: sys/sys: mbuf.h Log message: kill M_DUP_HDR. M_DUP_PKTHDR was the only user, we can just put the 3 lines of code in there directly, and we hate the M_ macros anyway. ok claudio
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/08/09 07:53:03 Modified files: sys/sys: mbuf.h Log message: no point in clearing/re-initing packet header fields in a non-packet-header mbuf. ok claudio theo
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/08/09 06:50:09 Modified files: sys/kern : uipc_mbuf.c uipc_mbuf2.c sys/sys: mbuf.h Log message: make mbuf tags suck a bit less, performance wise. the most common operation is checking for a particular tag to be there. in the majority of the cases it is not. introduce a "tagsset" in the mbuf packet header which has a bit for each mbuf tag type that is in the chain set, checking for its existence is now as easy and cheap as (tagsset & type) != 0. theo ok
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/08/09 06:51:08 Modified files: sys/sys: mbuf.h Log message: 16 bits are enough for tagsset
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/08/09 06:47:50 Modified files: sys/netinet: ipsec_input.c Log message: once again ipsec tries to be clever and plays fast, this time by recycling an mbuf tag and changing its type. just always get a new one. theo ok
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/08/08 04:41:41 Modified files: sys/conf : Tag: OPENBSD_4_6 newvers.sh Log message: reveal identity
CVS: cvs.openbsd.org: src
CVSROOT: /cvs
Module name: src
Changes by: henn...@cvs.openbsd.org 2009/08/06 05:15:18

Modified files:
sys/net: Tag: OPENBSD_4_6 pf.c

Log message:
MFC, ok deraadt

revision 1.656
date: 2009/07/28 11:20:09; author: henning; state: Exp; lines: +9 -4
check that pool_get actually gives us memory in pf_test_rule. introduced by yours truly (no idea how that could happen), problem found by sthen the hard way, fix by me. ok dlg

revision 1.657
date: 2009/07/28 11:22:33; author: henning; state: Exp; lines: +8 -0
do not leak pf_rule_item_pl items in pf_test_rule() when 1) at least one match rule matched the packet and 2) we do not create state
found by me while fixing the pool_get problem, ok dlg
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/07/28 05:22:33 Modified files: sys/net: pf.c Log message: do not leak pf_rule_item_pl items in pf_test_rule() when 1) at least one match rule matched the packet and 2) we do not create state found by me while fixing the pool_get problem, ok dlg
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/07/28 05:20:09 Modified files: sys/net: pf.c Log message: check that pool_get actually gives us memory in pf_test_rule. introduced by yours truly (no idea how that could happen), problem found by sthen the hard way, fix by me. ok dlg
Re: CVS: cvs.openbsd.org: www
* Nick Holland [2009-07-23 13:22]:
> CVSROOT: /cvs
> Module name: www
> Changes by: n...@cvs.openbsd.org 2009/07/23 05:19:47
>
> Modified files:
> faq: current.html
>
> Log message:
> idea several people seem to have come up with at about the same time --
> henning@, sthen@, and me (and probably a bunch of others who looked at
> it and said, "of course!"). current.html is supposed to help people
> follow current, ports and packages issues impact people following
> current, so..put them here, too. Makes my life easier for
> upgradeXX.html, too.

which also means that people updating a port have to maintain current.html if manual steps are to be done on/after/before pkg_add -ui now.

basically, pkg_add -ui + current.html/upgradeXX.html = no surprises.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/07/21 08:48:08 Modified files: sys/net: pf_norm.c Log message: pf_scrub_ip/ip6 prototypes are already in pfvar.h
Re: CVS: cvs.openbsd.org: src
* Claudio Jeker [2009-07-21 15:13]:
> On Tue, Jul 21, 2009 at 05:49:36AM -0600, Henning Brauer wrote:
> > CVSROOT:/cvs
> > Module name:src
> > Changes by: henn...@cvs.openbsd.org 2009/07/21 05:49:36
> >
> > Modified files:
> > usr.sbin/bgpctl: bgpctl.c
> >
> > Log message:
> > sorry, but showing a diff, getting an explicit "not ok" and then committing
> > anyway without oks is not our process
> >
>
> And just saying I don't like it and reverting to a even worse diff

I did not revert to "an even worse diff", I restored what was in-tree before, I reverted your commit. the process is wrong, sorry.

> is also
> not ok. Sorry but your reasoning here is wrong. You never could really
> justify why you need to see the media state in bgpctl show nexthop when
> the same info is available in bgpctl show interface (where it belongs).
> Actually we have already ifconfig(8) which shows this info as well.
> So sure revert it, don't show the info people actually need to see to
> figure out why the hell all the traffic flows in the wrong direction, it
> seems it is more important to see the fluffy "UP, Ethernet, active, 100
> MBit/s"
> repeated dozens of times.
>
> bgpctl show next
> Nexthop         State
> 192.0.2.126     valid   rl2 UP, Ethernet, active, 100 MBit/s
>
> I just don't get it why almost 50% of a line is spent for redundant and
> unimportant information and what's so bad about:
>
> bgpctl show next
> Nexthop         Gateway         State   Interface   Link State
> 192.0.2.1       connected       valid   fxp0        active
> 192.168.1.1     192.0.2.1       valid   fxp0        active

that is all irrelevant really. you show a diff, asking for ok. I disagree. I even gave you the right idea to have everything in one view (replace valid/invalid column by a marker upfront, * for valid or > like show rib or whatever). and then you just commit the diff anyways? sorry, that is not acceptable.
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/07/21 05:49:36 Modified files: usr.sbin/bgpctl: bgpctl.c Log message: sorry, but showing a diff, getting an explicit "not ok" and then committing anyway without oks is not our process
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/07/09 17:52:25 Modified files: sbin/pfctl : pfctl.c Log message: repair -x since all this stuff is transactional now we need to wrap that into DIOCXBEGIN/COMMIT. bad henning forgot to commit this chunk at c2k9
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/06/24 11:34:32 Modified files: usr.sbin/ntpd : client.c Log message: recvmsg ENOENT noncritical too
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/06/19 08:05:32 Modified files: sbin/ifconfig : ifconfig.8 ifconfig.c Log message: after long discussion with many... ifconfig inet6 used to print all inet6 addresses, and last not least the installer relies on that behaviour. so don't. to turn inet6 on again you have to assign any inet6 address or run rtsol. nobody happy about this asymmetry, but that is the best we could come up with for now.
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/06/17 05:52:54 Modified files: usr.sbin/ntpd : client.c Log message: ENOPROTOOPT is non-fatal on recvfrom, can apparently happen with ipvshit
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/06/11 11:36:53 Modified files: usr.sbin/ntpd : ntp.c Log message: effectively un-do r1.111, it fucks machines with bad clocks royally. spotted the hard way by theo on armish, pinned to this changed by me. no cookie for ckuethe for not testing on machines with bad clocks.
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/06/07 21:56:14 Modified files: sys/net: pf.c Log message: in pf_print_state_parts, do not use skw->proto to print the protocol but our local copy proto that we very carefully set beforehand. skw being NULL is perfectly valid there.
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/06/07 20:39:15 Modified files: sys/net: pfvar.h Log message: bring back the fixed PF_AEQ/ANEQ/AZERO macros, the offending use has been found by sthen and fixed, all other callers of these macros checked by both of us
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/06/07 19:55:42 Modified files: sys/net: pfvar.h Log message: gah. something is not quite right, sthen sees strange behaviour fixed by backing out the macro fix. something must rely on the broken behaviour
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/06/04 16:45:32 Modified files: sys/net: pfvar.h Log message: unfuck PF_AEQ PF_ANEQ PF_AZERO macros that got fucked when v6 support was added in 2001. yes i got bitten by inet6 shit again. in the ANEQ case, if af == AF_INET, (a)->addr32[0] != (b)->addr32[0] is false when the addresses ARE equal. now it goes right in the intended-for-v6 case and starts to compare the other addr32 fields - in the v4 case I have garbage in them, so it reports all v4 as different when they are in fact the same. fix by adding explicit af == INET6 test before going on to compare the rest. found the really hard way (many hours wasted, thought the bug was in my new code) by me. ok sthen markus claudio
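The PF_ANEQ failure described in the commit message above, as an added example that is not the pfvar.h source: `struct addr`, `aneq_old`, `aneq_fixed` and the sample addresses are constructed here from the message's description, with functions standing in for the macros.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>	/* AF_INET, AF_INET6 */

/*
 * Simplified stand-in (assumption) for pf's address storage: four 32-bit
 * words. An IPv4 address lives in addr32[0]; the other words are unused
 * and may hold stale data.
 */
struct addr {
	uint32_t addr32[4];
};

/*
 * "Not equal" as the commit message describes the pre-fix logic: when the
 * AF_INET clause is false (the v4 addresses ARE equal), evaluation falls
 * through to the four-word comparison that was meant for v6 only.
 */
int
aneq_old(const struct addr *a, const struct addr *b, int af)
{
	return (af == AF_INET && a->addr32[0] != b->addr32[0]) ||
	    (a->addr32[3] != b->addr32[3] ||
	     a->addr32[2] != b->addr32[2] ||
	     a->addr32[1] != b->addr32[1] ||
	     a->addr32[0] != b->addr32[0]);
}

/* Same check with the explicit AF_INET6 test the message says was added. */
int
aneq_fixed(const struct addr *a, const struct addr *b, int af)
{
	return (af == AF_INET && a->addr32[0] != b->addr32[0]) ||
	    (af == AF_INET6 &&
	    (a->addr32[3] != b->addr32[3] ||
	     a->addr32[2] != b->addr32[2] ||
	     a->addr32[1] != b->addr32[1] ||
	     a->addr32[0] != b->addr32[0]));
}

typedef int (*aneq_fn)(const struct addr *, const struct addr *, int);

/* Constructed case: the same v4 address twice, one copy with stale words. */
int
same_v4_stale_words(aneq_fn aneq)
{
	struct addr a = { { 0xc0000201, 0, 0, 0 } };
	struct addr b = { { 0xc0000201, 0xdeadbeef, 0xdeadbeef, 0xdeadbeef } };

	return aneq(&a, &b, AF_INET);
}

/* Constructed case: two different v4 addresses, unused words zeroed. */
int
different_v4(aneq_fn aneq)
{
	struct addr a = { { 0xc0000201, 0, 0, 0 } };
	struct addr b = { { 0xc0000202, 0, 0, 0 } };

	return aneq(&a, &b, AF_INET);
}

/* Constructed case: identical v6 addresses. */
int
same_v6(aneq_fn aneq)
{
	struct addr a = { { 0x20010db8, 0, 0, 1 } };
	struct addr b = { { 0x20010db8, 0, 0, 1 } };

	return aneq(&a, &b, AF_INET6);
}

/* Constructed case: v6 addresses that differ only in the last word. */
int
different_v6(aneq_fn aneq)
{
	struct addr a = { { 0x20010db8, 0, 0, 1 } };
	struct addr b = { { 0x20010db8, 0, 0, 2 } };

	return aneq(&a, &b, AF_INET6);
}

int
main(void)
{
	printf("same v4, stale words: old=%d fixed=%d\n",
	    same_v4_stale_words(aneq_old), same_v4_stale_words(aneq_fixed));
	printf("different v4:         old=%d fixed=%d\n",
	    different_v4(aneq_old), different_v4(aneq_fixed));
	printf("same v6:              old=%d fixed=%d\n",
	    same_v6(aneq_old), same_v6(aneq_fixed));
	printf("different v6:         old=%d fixed=%d\n",
	    different_v6(aneq_old), different_v6(aneq_fixed));
	return 0;
}
```

Only the first case changes between the two versions: identical IPv4 addresses compare as different under the old logic whenever the unused words differ, which in a packet filter means address matches silently fail.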
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/06/04 16:45:32 Modified files: usr.sbin/rtsold: if.c Log message: turn ipvcrap on on the interface in question. sake bottle pushed by theo, tested by naddy
Re: CVS: cvs.openbsd.org: src
* Pierre-Yves Ritschard [2009-06-04 20:11]:
> CVSROOT: /cvs
> Module name: src
> Changes by: p...@cvs.openbsd.org 2009/06/04 12:06:35
>
> Modified files:
> include: resolv.h
> lib/libc/net : res_init.c getaddrinfo.c
>
> Log message:
> Add a resolv.conf option to specify the order in which getaddrinfo
> PF_UNSPEC queries are made. While there change the default from inet6
> first then inet4 to inet4 first then inet6, this prevents the many
> people with IPv4 only connectivity from constantly trying to contact
> IPv6 addresses, and also unbreaks many ports who don't use getaddrinfo
> right.

yay!

> ok deraadt@, plenty of cheering in the room wrt the idea, not loud
> enough complaining from the v6 crowd.

two ppl makes a crowd?

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/06/04 13:15:26 Modified files: sbin/ifconfig : ifconfig.8 Log message: i care about theo's hydration level. make him stop whining by documenting inet6/-inet6
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/06/04 13:07:21 Modified files: sys/net: if.c if.h sys/netinet6 : in6.c sys/sys: sockio.h sbin/ifconfig : ifconfig.c Log message: allow IPvShit to be turned off completely per-interface. ifconfig em0 -inet6 deletes all v6 addresses including link-local and prevents new ones from being added. ifconfig em0 inet6 re-enables v6, brings the link local back and adds optional ok theo reyk
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/06/03 23:02:25 Modified files: sys/netinet: ip_input.c Log message: the decision on whether a packet is to be delivered locally or forwarded is pretty expensive, the more the more addresses are configured locally, since we walk a list. when pf is on and we have a state key pointer, and that state key is linked to another state key, we know for sure this is not local. when it has a link to a pcb, it certainly goes to the local codepath. on a box with 1000 addresses forwarding 3 times as fast as before. theo ok
Re: CVS: cvs.openbsd.org: src
* Miod Vallat [2009-06-04 04:21]:
> > CVSROOT:/cvs
> > Module name:src
> > Changes by: blamb...@cvs.openbsd.org 2009/06/03 20:06:40
> >
> > Modified files:
> > sys/nfs: nfs.h
> >
> > Log message:
> > Add some descriptive comments, because not having to read NFS code
> > is good for the brain.
>
> There is actually no proof of that assertion.

there's enough proof that having to read nfs code is painful and bad for brain.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/06/02 11:10:23 Modified files: sys/net: if_gre.c sys/netinet: ip_gre.c Log message: do the pf_pkt_addr_changed(m) magic just like gif etc tested by Manuel Rodriguez Morales
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/06/01 17:22:58 Modified files: usr.sbin/dvmrpd: dvmrpd.c rde.c Log message: no endpwent
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/06/01 17:21:09 Modified files: usr.sbin/ntpd : ntpd.c Log message: no we don't need endpwent i remember we already had the confusion and bgpd doesn't have the endpwent
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/05/31 13:16:16 Modified files: etc: rc.conf Log message: enable pf by default. turns bombs into flowers, water into beer and eradicates swine flu
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/05/31 13:10:51 Modified files: sys/net: pf_ioctl.c Log message: make set loginterface, set hostid, set reassemble and set debug transactional. sanity checked claudio, requested by theo for some time
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/05/30 19:27:30 Modified files: usr.sbin/ntpd : client.c Log message: use the SCM_TIMESTAMP socket option to get the time we received the reply instead of doing it in ntpd itself by getting the time we read from the socket. based on a diff from mickey hacked in shape by me, lots of testing and review from ckuethe and sthen, theo and claudio like it too
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/05/30 16:18:15 Modified files: etc: pf.conf Log message: shorter, ok theo
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/05/30 16:15:20 Modified files: etc: pf.conf Log message: we want pass, not pass in, so we get state for all connections
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/05/20 08:55:59 Modified files: usr.sbin/ntpd : server.c Log message: fix looking at the mode bits so that we do not reply to broadcast and other junk. from thorsten glaser.
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/04/30 06:54:32 Modified files: sys/net: pf.c Log message: treat log as what it is, a flag variable. effectively a noop now but stops us relying on where we are setting it. ok ryan dlg
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/04/25 13:29:54 Modified files: sbin/pfctl : parse.y Log message: scrub_opts must not be empty, scrub on its own does nothing. noticed due to a question from otto@, ok regress/sbin/pfctl/ ;)
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/04/23 06:58:44 Modified files: usr.bin/systat : pftop.c Log message: sync actiontypes (pass, block etc) with pfvar so that match rules are displayed correctly (actually this was out of sync for more than just match) From: Craig Barraclough
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/04/22 01:42:17 Modified files: usr.sbin/ntpd : client.c ntp.h Log message: ignore replies with timestamps after 2030 to prevent time_t / tv_sec wraps input & ok theo
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/04/21 09:25:52 Modified files: usr.sbin/bgpd : pfkey.c Log message: instead of calling getpid() all over the place do it once, claudio ok
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/04/21 07:57:14 Modified files: usr.sbin/bgpd : pfkey.c Log message: ignore pfkey replies not for us and discard them From: Matthew Dempsky markus and hshoexer and claudio agree
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/04/17 12:37:07 Modified files: sys/net: pf.c Log message: move the lastr = r assignment behind the anchor rule check so we don't ever try to apply options from the anchor rule if it was the last matching one but the last matching real rule. it is right but despite begging nobody has the balls to ok it ;(
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/04/17 11:17:03 Modified files: etc: rc Log message: a scrub was hiding here when nfs was enabled. since we want the no-df behaviour here replace by an explicit set reassemble yes no-df. noticed by Valery Masiutsin
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/04/15 07:10:38 Modified files: sys/net: pf.c Log message: little dose of scrubbing after the monster changes: correctly inherit queue stuff, tag, rtableid from the rule if we have no state some logic simplification and removal of redundant checks ok dlg
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/04/07 07:26:23 Modified files: sys/net: pf_norm.c Log message: after i took everything in this file apart and reassembled with a lot of new stuff asserting copyright is in order
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/04/07 07:52:29 Modified files: share/man/man5 : pf.conf.5 Log message: bnf-tweaks
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/04/07 07:48:38 Modified files: share/man/man5 : pf.conf.5 Log message: don't we all love BNF? make it lie less
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/04/07 07:40:18 Modified files: share/man/man5 : pf.conf.5 Log message: nits
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/04/07 06:50:44 Modified files: share/man/man5 : pf.conf.5 Log message: bit more precise
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/04/07 06:52:57 Modified files: share/man/man5 : pf.conf.5 Log message: fragment reassembly on by default
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/04/07 06:48:40 Modified files: sys/net: pf_ioctl.c Log message: turn fragment reassembly on by default. there is little to no reason to not do fragment reassembly. discussed with dlg and ryan in basel. ok ryan dlg sthen jdixon todd deraadt
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/04/06 06:43:23 Modified files: regress/sbin/pfctl: pfopt2.in pfopt3.in pfopt4.in pfopt5.in pfopt5.ok Log message: more scrub scrubbing
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/04/06 06:41:48 Modified files: regress/sbin/pfctl: Makefile pf15.in pf15.loaded pf15.ok pf15.optimized pf16.in pf16.loaded pf16.ok pf16.optimized pf21.in pf21.ok pf21.optimized pf40.in pf40.loaded pf40.ok pf40.optimized pf44.in pf44.loaded pf44.ok pf44.optimized pf48.in pf48.loaded pf48.ok pf48.optimized pf54.in pf54.loaded pf54.ok pf54.optimized pf68.in pf68.loaded pf68.ok pf68.optimized pf73.in pf73.loaded pf73.ok pf73.optimized pfail10.in pfail10.ok pfail25.in pfail25.ok pfail9.in Removed files: regress/sbin/pfctl: pf21.loaded Log message: scrub gone
Re: CVS: cvs.openbsd.org: src
* Henning Brauer [2009-04-06 14:07]:
> CVSROOT: /cvs
> Module name: src
> Changes by: henn...@cvs.openbsd.org 2009/04/06 06:05:55
>
> Modified files:
> sbin/pfctl : pfctl_parser.h pfctl.c pfctl_parser.c parse.y
> share/man/man5 : pf.conf.5
> sys/net: pf.c pf_ruleset.c pf_ioctl.c pfvar.h pf_norm.c
>
> Log message:

parts of the commit message missing:
almost entirely hacked at n2k9 in basel, could not be committed close to release. this really should have been multiple diffs, but splitting them now is not feasible any more, managing a diff that size outside the tree was painful enough without having it in many pieces already. input from mcbride and dlg, and frantzen about the fragment handling. speedup around 7% for the common case, the more the more scrub rules were in use. manpage not up to date, being worked on.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/04/06 06:11:52 Modified files: sbin/pfctl : pfctl_parser.c Log message: print prettier, from sthen@
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/04/06 06:10:10 Modified files: etc: pf.conf Log message: reassembly works different now
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/04/06 06:09:06 Modified files: usr.sbin/tcpdump: print-pflog.c Log message: teach tcpdump about match rules
CVS: cvs.openbsd.org: src
CVSROOT:/cvs Module name:src Changes by: henn...@cvs.openbsd.org 2009/04/06 06:08:26 Modified files: usr.bin/systat : pftop.c Log message: scrub rules gone