Re: newsyslog timestamp

2017-03-13 Thread lists
Tue, 14 Mar 2017 00:16:01 +0100 Alexander Bluhm 
> On Mon, Mar 13, 2017 at 04:31:35PM -0600, Todd C. Miller wrote:
> > How about we just eliminate the "logfile turned over" message
> > entirely?  It's kind of bogus for newsyslog to be writing to the
> > log files directly.  I don't think that message provides any useful
> > info.  
> 
> Perhaps /var/log/messages was a bad example.  syslogd does not write
> the restart message into /var/log/daemon, newsyslog also rotates
> files that do not belong to syslogd.  Here is the daemon log:
> 
> 2017-03-14T00:11:46+01:00 t430s newsyslog[31315]: logfile turned over
> 2017-03-13T23:12:16.690Z t430s isakmpd[95880]: sendmsg ...
> 2017-03-13T23:12:43.720Z t430s last message repeated 3 times
> 
> It is useful that log files are never empty and that you can see
> when they were rotated.
> 

Hi Alexander, Mark, Todd, tech@,

Please see the quote: https://en.wikipedia.org/wiki/ISO_8601#cite_note-21

 "ISO 8601:2004(E)". ISO. 2004-12-01. “4.3.2 NOTE: By mutual agreement of
the partners in information interchange, the character [T] may be omitted
in applications where there's no risk of confusing a date and time of day
representation with others defined in this International Standard.”

I also suggest we do not use the [Z] as a mutual agreement ALL times UTC,
indicated by omission of the offset to be human friendly and yet correct.
Please, see some additional information in the following resources pages.

https://tools.ietf.org/html/rfc3339#section-5.2
https://www.cl.cam.ac.uk/~mgk25/iso-time.html
https://www.cs.tut.fi/~jkorpela/iso8601.html#sol

Kind regards,
Anton Lazarov



[PATCH] socppc discontinued in 61.html

2017-03-13 Thread Bryan Vyhmeister
I am not sure what happened to the patch tj@ committed but it is not
there for 61.html. Perhaps it was clobbered by another commit or was
this not left in because socppc was essentially retired after 5.8 since
there was no 5.9 or 6.0 release?

For reference:

http://marc.info/?l=openbsd-cvs&m=148890947117155&w=2

http://marc.info/?l=openbsd-cvs&m=148899205909012&w=2

Bryan



Index: 61.html
===
RCS file: /cvs/www/61.html,v
retrieving revision 1.37
diff -u -p -r1.37 61.html
--- 61.html 11 Mar 2017 16:33:30 -  1.37
+++ 61.html 14 Mar 2017 01:54:24 -
@@ -69,6 +69,7 @@ to 6.1.
 ...
 The following platforms were retired:
 https://www.openbsd.org/armish.html;>armish,
+https://www.openbsd.org/socppc.html;>socppc,
 https://www.openbsd.org/sparc.html;>sparc,
 https://www.openbsd.org/zaurus.html;>zaurus
 ...
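Review bot: the entry's placement wants a justification in the commit message: per the message above, socppc last shipped in 5.8, so a reader of 61.html would otherwise take the line for a 6.0-to-6.1 retirement. The alphabetical position between armish and sparc is right, and the added line follows the form of its neighbours.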



Re: newsyslog timestamp

2017-03-13 Thread Alexander Bluhm
On Mon, Mar 13, 2017 at 04:31:35PM -0600, Todd C. Miller wrote:
> How about we just eliminate the "logfile turned over" message
> entirely?  It's kind of bogus for newsyslog to be writing to the
> log files directly.  I don't think that message provides any useful
> info.

Perhaps /var/log/messages was a bad example.  syslogd does not write
the restart message into /var/log/daemon, newsyslog also rotates
files that do not belong to syslogd.  Here is the daemon log:

2017-03-14T00:11:46+01:00 t430s newsyslog[31315]: logfile turned over
2017-03-13T23:12:16.690Z t430s isakmpd[95880]: sendmsg ...
2017-03-13T23:12:43.720Z t430s last message repeated 3 times

It is useful that log files are never empty and that you can see
when they were rotated.

bluhm



Re: newsyslog timestamp

2017-03-13 Thread Mark Kettenis
> From: "Todd C. Miller" 
> Date: Mon, 13 Mar 2017 16:31:35 -0600
> 
> How about we just eliminate the "logfile turned over" message
> entirely?  It's kind of bogus for newsyslog to be writing to the
> log files directly.  I don't think that message provides any useful
> info.

I do find the message useful as it reminds me that there is another
file to look into.



Re: newsyslog timestamp

2017-03-13 Thread Todd C. Miller
How about we just eliminate the "logfile turned over" message
entirely?  It's kind of bogus for newsyslog to be writing to the
log files directly.  I don't think that message provides any useful
info.

 - todd



newsyslog timestamp

2017-03-13 Thread Alexander Bluhm
Hi,

syslogd(8) -Z generates log files in ISO format and UTC.  newsyslog(8)
still uses BSD syslog timestamps.  This looks a bit ugly when you
combine them this way.

Mar 12 01:00:01 t430s newsyslog[32158]: logfile turned over
2017-03-12T00:00:01.547Z t430s syslogd: restart

I think it is overkill to add a -Z option to newsyslog.  In fact
it would be better if the creation year and the time zone delta is
always visible at the beginning of the file.  So you can still look
at the short timestamps from syslogd and figure out when it all
started.

2017-03-13T22:02:33+01:00 t430s newsyslog[42096]: logfile turned over
Mar 13 22:02:33 t430s syslogd: restart

Although this would be a bit inconsistent when used with syslogd -Z.

2017-03-13T22:30:04+01:00 t430s newsyslog[30641]: logfile turned over
2017-03-13T21:30:04.822Z t430s syslogd: restart

I think the combination of local time and time zone without fractions
of seconds is the best choice for newsyslog.  Or should we use
2017-03-13T21:30:04.822Z in newsyslogd?

comments/ok?

bluhm

Index: usr.bin/newsyslog/newsyslog.c
===
RCS file: /data/mirror/openbsd/cvs/src/usr.bin/newsyslog/newsyslog.c,v
retrieving revision 1.101
diff -u -p -r1.101 newsyslog.c
--- usr.bin/newsyslog/newsyslog.c   1 Jun 2016 16:57:48 -   1.101
+++ usr.bin/newsyslog/newsyslog.c   13 Mar 2017 21:57:48 -
@@ -142,7 +142,7 @@ int force = 0;  /* Force the logs to be 
 char   *conf = CONF;   /* Configuration file to use */
 time_t timenow;
 char   hostname[HOST_NAME_MAX+1]; /* Hostname */
-char   *daytime;   /* timenow in human readable form */
+char   daytime[33];/* timenow in human readable form */
 char   *arcdir;/* Dir to put archives in (if it exists) */
 
 FILE   *openmail(void);
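Review bot: the array size 33 is a magic number whose origin (24 bytes of "%FT%T%z" output, one inserted colon, a NUL) is only discoverable from parse_args() further down; add a comment on this line or derive the size from a named constant so the two stay in step. Since daytime is no longer a pointer, also check that no other assignment of the form `daytime = ...` remains in the file.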
@@ -402,12 +402,23 @@ send_signal(char *pidfile, int signal)
 void
 parse_args(int argc, char **argv)
 {
+   struct timeval now;
+   struct tm *tm;
+   size_t l;
char *p;
int ch;
 
-   timenow = time(NULL);
-   daytime = ctime() + 4;
-   daytime[15] = '\0';
+   gettimeofday(, NULL);
+   timenow = now.tv_sec;
+   tm = localtime(_sec);
+   l = strftime(daytime, sizeof(daytime), "%FT%T%z", tm);
+   if (l == 24 && l+1 < sizeof(daytime)) {
+   /* syslog timestamp has colon in time zone, %z may be empty */
+   daytime[l+1] = '\0';
+   daytime[l+0] = daytime[l-1];
+   daytime[l-1] = daytime[l-2];
+   daytime[l-2] = ':';
+   }
 
/* Let's get our hostname */
(void)gethostname(hostname, sizeof(hostname));
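Review bot: the `l == 24` guard silently leaves the timestamp without any zone designator when strftime's %z yields nothing (the case the comment itself names), which makes the log line ambiguous rather than detectably wrong; consider falling back to gmtime() with an explicit "Z", or treating it as an error, when l != 24, and handle l == 0 too. gettimeofday() is not needed unless fractional seconds are going to be printed, since only now.tv_sec is used; time(NULL) as before would do. The digit shuffle itself is correct: for "+0100" it produces "+01:00".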



Re: mg(1): keep current buffer if switch-to-buffer is aborted

2017-03-13 Thread Sebastian Benoit
ok benno@

Florian Obser(flor...@openbsd.org) on 2017.03.11 20:00:21 +:
> For some reason I find myself quite often in the situation that I want
> to C-x b to a different buffer but on entering the buffer name I
> decide against it and C-g abort it.
> 
> mg(1) then switches me to *scratch*. IMO that is the least useful
> thing mg(1) can do. This brings it in line with what emacs does and
> keeps the current buffer.
> 
> OK?
> 
> diff --git buffer.c buffer.c
> index ca1f30177f1..a789db6f0e3 100644
> --- buffer.c
> +++ buffer.c
> @@ -89,6 +89,9 @@ usebuffer(int f, int n)
>   bufp = eread("Switch to buffer: (default %s) ", bufn, NBUFN,
>   EFNUL | EFNEW | EFBUF, curbp->b_altb->b_bname);
>  
> + if (bufp == NULL)
> + return FALSE;
> +
>   return (usebufname(bufp));
>  }
>  
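Review bot: style, `return FALSE;` should be `return (FALSE);` to match the `return (usebufname(bufp));` two lines below it. The NULL test is the right abort hook: the eread() call passes EFNUL, so an empty reply (take the default) should come back as a string, leaving NULL for the C-g abort the message describes.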
> 
> 
> -- 
> I'm not entirely sure you are real.
> 



Re: httpd: expand HTTP Host

2017-03-13 Thread Rivo Nurges
Hi!

Sure. Should I create new patch?

Rivo

On 13/03/2017, 20:38, "Florian Obser"  wrote:

On Mon, Mar 13, 2017 at 06:22:50PM +, Rivo Nurges wrote:
> Hi!
> 
> Host header is mandatory for HTTP 1.1 requests and httpd will return
> 400 Bad request without it. With HTTP 1.0 requests I get 301 to the
> IP the httpd is running on.
> 

right, so the
if (desc->http_host == NULL) {
can't actually happen.

how about

+   if (desc->http_host == NULL)
+   return (NULL)
+ 
+   if ((str = url_encode(desc->http_host)) == NULL)
...

that would be OK by me

> Connected to 10.XXX
> Escape character is '^]'.
> GET / HTTP/1.0\r\n\r\n
> 
> HTTP/1.0 301 Moved Permanently
> Date: Mon, 13 Mar 2017 18:20:48 GMT
> Server: OpenBSD httpd
> Connection: close
> Content-Type: text/html
> Content-Length: 443
> Location: https://10.XXX/
> 
> Rivo
> 
> On 13/03/2017, 20:10, "Florian Obser"  wrote:
> 
> On Sat, Mar 11, 2017 at 06:11:53PM +, Rivo Nurges wrote:
> > Hi!
> > 
> > Following will add possibility to expand $HTTP_HOST to the HTTP
> > Host header in "block return".
> > 
> > In my setup I have relayd on port 443 and httpd on 80. This patch
> > allows me to redirect http(httpd) to https(relayd) without knowing
> > the host.
> > 
> > /etc/httpd.conf:
> > server "redirect" {
> >   listen on * port 80
> >   block return 301 "https://$HTTP_HOST$REQUEST_URI;
> > }
> > 
> > Rivo
> > 
> > Index: usr.sbin/httpd/server_http.c
> > ===
> > RCS file: /cvs/src/usr.sbin/httpd/server_http.c,v
> > retrieving revision 1.115
> > diff -u -p -r1.115 server_http.c
> > --- usr.sbin/httpd/server_http.c10 Mar 2017 21:06:43 -  
1.115
> > +++ usr.sbin/httpd/server_http.c11 Mar 2017 17:51:23 -
> > @@ -1068,6 +1068,18 @@ server_expand_http(struct client *clt, c
> > if (ret != 0)
> > return (NULL);
> > }
> > +   if (strstr(val, "$HTTP_HOST") != NULL) {
> > +   if (desc->http_host == NULL) {
> > +   ret = expand_string(buf, len, "$HTTP_HOST", "");
> 
> This will not create a working redirect. Should we return 500 instead
> if there is no host header?
> 
> What is nginx doing in that case?
> 
> nginx has $http_host and $host, $host is assigned the host header and
> if that doesn't exist the server name. (Wouldn't help in your case
> since it would redirect to https://redirect/).
> 
> Other than this looks good.
> 
> > +   } else {
> > +   if ((str = url_encode(desc->http_host)) == NULL)
> > +   return (NULL);
> > +   ret = expand_string(buf, len, "$HTTP_HOST", 
str);
> > +   free(str);
> > +   }
> > +   if (ret != 0)
> > +   return (NULL);
> > +   }
> > if (strstr(val, "$REMOTE_") != NULL) {
> > if (strstr(val, "$REMOTE_ADDR") != NULL) {
> > if (print_host(>clt_ss,
> > Index: usr.sbin/httpd/httpd.conf.5
> > ===
> > RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v
> > retrieving revision 1.79
> > diff -u -p -r1.79 httpd.conf.5
> > --- usr.sbin/httpd/httpd.conf.5 7 Feb 2017 12:27:42 -   
1.79
> > +++ usr.sbin/httpd/httpd.conf.5 11 Mar 2017 17:51:23 -
> > @@ -221,6 +221,8 @@ The configured IP address of the server.
> >  The configured TCP server port of the server.
> >  .It Ic $SERVER_NAME
> >  The name of the server.
> > +.It Ic $HTTP_HOST
> > +The host from the HTTP Host header.
> >  .It Pf % Ar n
> >  The capture index
> >  .Ar n
> > 

Re: httpd: expand HTTP Host

2017-03-13 Thread Florian Obser
On Mon, Mar 13, 2017 at 06:22:50PM +, Rivo Nurges wrote:
> Hi!
> 
> Host header is mandatory for HTTP 1.1 requests and httpd will return
> 400 Bad request without it. With HTTP 1.0 requests I get 301 to the
> IP the httpd is running on.
> 

right, so the
if (desc->http_host == NULL) {
can't actually happen.

how about

+   if (desc->http_host == NULL)
+   return (NULL)
+ 
+   if ((str = url_encode(desc->http_host)) == NULL)
...

that would be OK by me

> Connected to 10.XXX
> Escape character is '^]'.
> GET / HTTP/1.0\r\n\r\n
> 
> HTTP/1.0 301 Moved Permanently
> Date: Mon, 13 Mar 2017 18:20:48 GMT
> Server: OpenBSD httpd
> Connection: close
> Content-Type: text/html
> Content-Length: 443
> Location: https://10.XXX/
> 
> Rivo
> 
> On 13/03/2017, 20:10, "Florian Obser"  wrote:
> 
> On Sat, Mar 11, 2017 at 06:11:53PM +, Rivo Nurges wrote:
> > Hi!
> > 
> > Following will add possibility to expand $HTTP_HOST to the HTTP
> > Host header in "block return".
> > 
> > In my setup I have relayd on port 443 and httpd on 80. This patch
> > allows me to redirect http(httpd) to https(relayd) without knowing
> > the host.
> > 
> > /etc/httpd.conf:
> > server "redirect" {
> >   listen on * port 80
> >   block return 301 "https://$HTTP_HOST$REQUEST_URI;
> > }
> > 
> > Rivo
> > 
> > Index: usr.sbin/httpd/server_http.c
> > ===
> > RCS file: /cvs/src/usr.sbin/httpd/server_http.c,v
> > retrieving revision 1.115
> > diff -u -p -r1.115 server_http.c
> > --- usr.sbin/httpd/server_http.c10 Mar 2017 21:06:43 -  
> 1.115
> > +++ usr.sbin/httpd/server_http.c11 Mar 2017 17:51:23 -
> > @@ -1068,6 +1068,18 @@ server_expand_http(struct client *clt, c
> > if (ret != 0)
> > return (NULL);
> > }
> > +   if (strstr(val, "$HTTP_HOST") != NULL) {
> > +   if (desc->http_host == NULL) {
> > +   ret = expand_string(buf, len, "$HTTP_HOST", "");
> 
> This will not create a working redirect. Should we return 500 instead
> if there is no host header?
> 
> What is nginx doing in that case?
> 
> nginx has $http_host and $host, $host is assigned the host header and
> if that doesn't exist the server name. (Wouldn't help in your case
> since it would redirect to https://redirect/).
> 
> Other than this looks good.
> 
> > +   } else {
> > +   if ((str = url_encode(desc->http_host)) == NULL)
> > +   return (NULL);
> > +   ret = expand_string(buf, len, "$HTTP_HOST", 
> str);
> > +   free(str);
> > +   }
> > +   if (ret != 0)
> > +   return (NULL);
> > +   }
> > if (strstr(val, "$REMOTE_") != NULL) {
> > if (strstr(val, "$REMOTE_ADDR") != NULL) {
> > if (print_host(>clt_ss,
> > Index: usr.sbin/httpd/httpd.conf.5
> > ===
> > RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v
> > retrieving revision 1.79
> > diff -u -p -r1.79 httpd.conf.5
> > --- usr.sbin/httpd/httpd.conf.5 7 Feb 2017 12:27:42 -   1.79
> > +++ usr.sbin/httpd/httpd.conf.5 11 Mar 2017 17:51:23 -
> > @@ -221,6 +221,8 @@ The configured IP address of the server.
> >  The configured TCP server port of the server.
> >  .It Ic $SERVER_NAME
> >  The name of the server.
> > +.It Ic $HTTP_HOST
> > +The host from the HTTP Host header.
> >  .It Pf % Ar n
> >  The capture index
> >  .Ar n
> > 

Re: httpd: expand HTTP Host

2017-03-13 Thread Rivo Nurges
Hi!

Host header is mandatory for HTTP 1.1 requests and httpd will return
400 Bad request without it. With HTTP 1.0 requests I get 301 to the
IP the httpd is running on.

Connected to 10.XXX
Escape character is '^]'.
GET / HTTP/1.0\r\n\r\n

HTTP/1.0 301 Moved Permanently
Date: Mon, 13 Mar 2017 18:20:48 GMT
Server: OpenBSD httpd
Connection: close
Content-Type: text/html
Content-Length: 443
Location: https://10.XXX/

Rivo

On 13/03/2017, 20:10, "Florian Obser"  wrote:

On Sat, Mar 11, 2017 at 06:11:53PM +, Rivo Nurges wrote:
> Hi!
> 
> Following will add possibility to expand $HTTP_HOST to the HTTP
> Host header in "block return".
> 
> In my setup I have relayd on port 443 and httpd on 80. This patch
> allows me to redirect http(httpd) to https(relayd) without knowing
> the host.
> 
> /etc/httpd.conf:
> server "redirect" {
>   listen on * port 80
>   block return 301 "https://$HTTP_HOST$REQUEST_URI;
> }
> 
> Rivo
> 
> Index: usr.sbin/httpd/server_http.c
> ===
> RCS file: /cvs/src/usr.sbin/httpd/server_http.c,v
> retrieving revision 1.115
> diff -u -p -r1.115 server_http.c
> --- usr.sbin/httpd/server_http.c  10 Mar 2017 21:06:43 -  1.115
> +++ usr.sbin/httpd/server_http.c  11 Mar 2017 17:51:23 -
> @@ -1068,6 +1068,18 @@ server_expand_http(struct client *clt, c
>   if (ret != 0)
>   return (NULL);
>   }
> + if (strstr(val, "$HTTP_HOST") != NULL) {
> + if (desc->http_host == NULL) {
> + ret = expand_string(buf, len, "$HTTP_HOST", "");

This will not create a working redirect. Should we return 500 instead
if there is no host header?

What is nginx doing in that case?

nginx has $http_host and $host, $host is assigned the host header and
if that doesn't exist the server name. (Wouldn't help in your case
since it would redirect to https://redirect/).

Other than this looks good.

> + } else {
> + if ((str = url_encode(desc->http_host)) == NULL)
> + return (NULL);
> + ret = expand_string(buf, len, "$HTTP_HOST", str);
> + free(str);
> + }
> + if (ret != 0)
> + return (NULL);
> + }
>   if (strstr(val, "$REMOTE_") != NULL) {
>   if (strstr(val, "$REMOTE_ADDR") != NULL) {
>   if (print_host(>clt_ss,
> Index: usr.sbin/httpd/httpd.conf.5
> ===
> RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v
> retrieving revision 1.79
> diff -u -p -r1.79 httpd.conf.5
> --- usr.sbin/httpd/httpd.conf.5   7 Feb 2017 12:27:42 -   1.79
> +++ usr.sbin/httpd/httpd.conf.5   11 Mar 2017 17:51:23 -
> @@ -221,6 +221,8 @@ The configured IP address of the server.
>  The configured TCP server port of the server.
>  .It Ic $SERVER_NAME
>  The name of the server.
> +.It Ic $HTTP_HOST
> +The host from the HTTP Host header.
>  .It Pf % Ar n
>  The capture index
>  .Ar n
> 

Re: httpd: expand HTTP Host

2017-03-13 Thread Florian Obser
On Sat, Mar 11, 2017 at 06:11:53PM +, Rivo Nurges wrote:
> Hi!
> 
> Following will add possibility to expand $HTTP_HOST to the HTTP
> Host header in "block return".
> 
> In my setup I have relayd on port 443 and httpd on 80. This patch
> allows me to redirect http(httpd) to https(relayd) without knowing
> the host.
> 
> /etc/httpd.conf:
> server "redirect" {
>   listen on * port 80
>   block return 301 "https://$HTTP_HOST$REQUEST_URI;
> }
> 
> Rivo
> 
> Index: usr.sbin/httpd/server_http.c
> ===
> RCS file: /cvs/src/usr.sbin/httpd/server_http.c,v
> retrieving revision 1.115
> diff -u -p -r1.115 server_http.c
> --- usr.sbin/httpd/server_http.c  10 Mar 2017 21:06:43 -  1.115
> +++ usr.sbin/httpd/server_http.c  11 Mar 2017 17:51:23 -
> @@ -1068,6 +1068,18 @@ server_expand_http(struct client *clt, c
>   if (ret != 0)
>   return (NULL);
>   }
> + if (strstr(val, "$HTTP_HOST") != NULL) {
> + if (desc->http_host == NULL) {
> + ret = expand_string(buf, len, "$HTTP_HOST", "");

This will not create a working redirect. Should we return 500 instead
if there is no host header?

What is nginx doing in that case?

nginx has $http_host and $host, $host is assigned the host header and
if that doesn't exist the server name. (Wouldn't help in your case
since it would redirect to https://redirect/).

Other than this looks good.

> + } else {
> + if ((str = url_encode(desc->http_host)) == NULL)
> + return (NULL);
> + ret = expand_string(buf, len, "$HTTP_HOST", str);
> + free(str);
> + }
> + if (ret != 0)
> + return (NULL);
> + }
>   if (strstr(val, "$REMOTE_") != NULL) {
>   if (strstr(val, "$REMOTE_ADDR") != NULL) {
>   if (print_host(>clt_ss,
> Index: usr.sbin/httpd/httpd.conf.5
> ===
> RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v
> retrieving revision 1.79
> diff -u -p -r1.79 httpd.conf.5
> --- usr.sbin/httpd/httpd.conf.5   7 Feb 2017 12:27:42 -   1.79
> +++ usr.sbin/httpd/httpd.conf.5   11 Mar 2017 17:51:23 -
> @@ -221,6 +221,8 @@ The configured IP address of the server.
>  The configured TCP server port of the server.
>  .It Ic $SERVER_NAME
>  The name of the server.
> +.It Ic $HTTP_HOST
> +The host from the HTTP Host header.
>  .It Pf % Ar n
>  The capture index
>  .Ar n
> 

-- 
I'm not entirely sure you are real.

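The discussion above is really about two things: what to do when the client sent no Host header (the empty-string expansion produces an unusable `https:///` redirect), and the fact that Host is attacker-controlled text that ends up inside a response header. The following is an added example, not httpd's code: instead of percent-encoding the value it checks it against the host[:port] shape (DNS-style names, bracketed IPv6 literals, a 1..65535 port), so a `host:port` value survives intact while CR/LF, '@', '/', '?' and '#' are refused, and a missing Host is reported as a distinct error rather than silently expanded. The function names, return codes and sample inputs are all constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum { REDIR_OK = 0, REDIR_NO_HOST = -1, REDIR_BAD_HOST = -2,
    REDIR_BAD_URI = -3, REDIR_TOO_LONG = -4 };

/* Characters allowed in a DNS-style host: a subset of RFC 3986 reg-name. */
static int
host_char_ok(unsigned char c)
{
	return isalnum(c) || c == '-' || c == '.' || c == '_';
}

/*
 * Accept "host", "host:port" or "[v6addr]:port" (port 1..65535).  Anything
 * else, including CR/LF, '/', '?', '#', '@' and an empty host, is rejected
 * because it would re-shape the resulting URL or the Location header.
 */
int
valid_host_header(const char *host)
{
	const char *p = host;
	long port = 0;

	if (host == NULL || *host == '\0')
		return 0;
	if (*p == '[') {				/* IPv6 literal */
		for (p++; *p != '\0' && *p != ']'; p++)
			if (!isxdigit((unsigned char)*p) && *p != ':' && *p != '.')
				return 0;
		if (*p != ']' || p == host + 1)
			return 0;
		p++;
	} else {
		for (; *p != '\0' && *p != ':'; p++)
			if (!host_char_ok((unsigned char)*p))
				return 0;
		if (p == host)
			return 0;
	}
	if (*p == ':') {				/* optional port */
		p++;
		if (!isdigit((unsigned char)*p))
			return 0;
		for (; isdigit((unsigned char)*p); p++) {
			port = port * 10 + (*p - '0');
			if (port > 65535)		/* bail before overflow */
				return 0;
		}
		if (port < 1)
			return 0;
	}
	return *p == '\0';
}

/*
 * Build "https://<host><uri>" for a Location header.  A missing Host is an
 * error (the empty-string expansion would yield "https:///..."), and uri
 * must be an absolute path free of whitespace and control bytes.
 */
int
build_https_redirect(const char *host, const char *uri, char *out, size_t len)
{
	const char *q;
	int r;

	if (host == NULL)
		return REDIR_NO_HOST;
	if (!valid_host_header(host))
		return REDIR_BAD_HOST;
	if (uri == NULL || uri[0] != '/')
		return REDIR_BAD_URI;
	for (q = uri; *q != '\0'; q++)
		if ((unsigned char)*q <= 0x20 || (unsigned char)*q >= 0x7f)
			return REDIR_BAD_URI;
	r = snprintf(out, len, "https://%s%s", host, uri);
	if (r < 0 || (size_t)r >= len)
		return REDIR_TOO_LONG;
	return REDIR_OK;
}

char location[256];		/* output buffer for the demo below */

int
main(void)
{
	/* Constructed inputs: a normal Host, a missing one, and one carrying CRLF. */
	const char *hosts[] = { "www.example.org:8443", NULL,
	    "www.example.org\r\nX-Injected: 1" };
	size_t i;

	for (i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++) {
		int rc = build_https_redirect(hosts[i], "/index.html?q=1",
		    location, sizeof(location));
		printf("rc=%d %s\n", rc, rc == REDIR_OK ? location : "(no redirect)");
	}
	return 0;
}
```

Returning distinct codes lets the caller map a missing Host to a 400 (the request is not usable) and a malformed one to the same, while logging the second case separately, since a Host with control characters is a request worth noticing rather than just one that failed to redirect.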


Re: pf: time since uptime instead of wall clock?

2017-03-13 Thread Mike Belopuhov
On 13 March 2017 at 15:09, Patrick Wildt  wrote:
> On Mon, Mar 13, 2017 at 02:33:02PM +0100, Mike Belopuhov wrote:
>> On Tue, Mar 07, 2017 at 10:36 +0100, Patrick Wildt wrote:
>> > On Tue, Mar 07, 2017 at 10:17:16AM +0100, Patrick Wildt wrote:
>> > > Hi,
>> > >
>> > > currently the pf status struct contains the time since pf was enabled as
>> > > seen on the wall clock.  This means when time drifts, or is set to some
>> > > earlier value, the time will be off.  If we use time since uptime it
>> > > always increments and shows how long pf has been running compared to
>> > > its uptime.
>> > >
>> > > Does this make sense?  Opinions?
>> > >
>> > > Patrick
>> >
>> > Alternatively it might be nicer to still use the uptime, but only return
>> > the delta since it was enabled.
>> >
>>
>> I see nothing wrong with this diff.  OK mikeb
>
> On the one where we return the delta instead of an absolute time?
>

It's only a status. You might have to go through ports that expect a
timestamp and fix those, but that's a different question :-)



Re: pf: time since uptime instead of wall clock?

2017-03-13 Thread Patrick Wildt
On Mon, Mar 13, 2017 at 02:33:02PM +0100, Mike Belopuhov wrote:
> On Tue, Mar 07, 2017 at 10:36 +0100, Patrick Wildt wrote:
> > On Tue, Mar 07, 2017 at 10:17:16AM +0100, Patrick Wildt wrote:
> > > Hi,
> > > 
> > > currently the pf status struct contains the time since pf was enabled as
> > > seen on the wall clock.  This means when time drifts, or is set to some
> > > earlier value, the time will be off.  If we use time since uptime it
> > > always increments and shows how long pf has been running compared to
> > > its uptime.
> > > 
> > > Does this make sense?  Opinions?
> > > 
> > > Patrick
> > 
> > Alternatively it might be nicer to still use the uptime, but only return
> > the delta since it was enabled.
> >
> 
> I see nothing wrong with this diff.  OK mikeb

On the one where we return the delta instead of an absolute time?

> 
> > diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
> > index e241b11f6fc..ab8834e605c 100644
> > --- a/sbin/pfctl/pfctl_parser.c
> > +++ b/sbin/pfctl/pfctl_parser.c
> > @@ -525,7 +525,7 @@ print_status(struct pf_status *s, int opts)
> > charbuf[PF_MD5_DIGEST_LENGTH * 2 + 1];
> > static const char   hex[] = "0123456789abcdef";
> >  
> > -   runtime = time(NULL) - s->since;
> > +   runtime = s->since;
> > running = s->running ? "Enabled" : "Disabled";
> >  
> > if (s->since) {
> > diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
> > index 56a43a55ab8..cd5be10e2a1 100644
> > --- a/sys/net/pf_ioctl.c
> > +++ b/sys/net/pf_ioctl.c
> > @@ -994,7 +994,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, 
> > struct proc *p)
> > error = EEXIST;
> > else {
> > pf_status.running = 1;
> > -   pf_status.since = time_second;
> > +   pf_status.since = time_uptime;
> > if (pf_status.stateid == 0) {
> > pf_status.stateid = time_second;
> > pf_status.stateid = pf_status.stateid << 32;
> > @@ -1009,7 +1009,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int 
> > flags, struct proc *p)
> > error = ENOENT;
> > else {
> > pf_status.running = 0;
> > -   pf_status.since = time_second;
> > +   pf_status.since = time_uptime;
> > pf_remove_queues();
> > DPFPRINTF(LOG_NOTICE, "pf: stopped");
> > }
> > @@ -1577,6 +1577,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int 
> > flags, struct proc *p)
> > case DIOCGETSTATUS: {
> > struct pf_status *s = (struct pf_status *)addr;
> > bcopy(_status, s, sizeof(struct pf_status));
> > +   s.since = time_uptime - pf_status.since;
> > pfi_update_status(s->ifname, s);
> > break;
> > }
> > @@ -1605,7 +1606,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int 
> > flags, struct proc *p)
> > bzero(pf_status.counters, sizeof(pf_status.counters));
> > bzero(pf_status.fcounters, sizeof(pf_status.fcounters));
> > bzero(pf_status.scounters, sizeof(pf_status.scounters));
> > -   pf_status.since = time_second;
> > +   pf_status.since = time_uptime;
> >  
> > break;
> > }
> > diff --git a/usr.bin/systat/pf.c b/usr.bin/systat/pf.c
> > index 6e282bb7359..882985e6594 100644
> > --- a/usr.bin/systat/pf.c
> > +++ b/usr.bin/systat/pf.c
> > @@ -229,7 +229,7 @@ print_pf(void)
> > if (end > num_disp)
> > end = num_disp;
> >  
> > -   tm = time(NULL) - s->since;
> > +   tm = s->since;
> >  
> > ADD_LINE_S("pf", "Status", s->running ? "Enabled" : "Disabled");
> > ADD_LINE_A("pf", "Since", tm);
> > diff --git a/usr.sbin/snmpd/mib.c b/usr.sbin/snmpd/mib.c
> > index f53d9379b07..7fb82f22cb5 100644
> > --- a/usr.sbin/snmpd/mib.c
> > +++ b/usr.sbin/snmpd/mib.c
> > @@ -1650,7 +1650,6 @@ int
> >  mib_pfinfo(struct oid *oid, struct ber_oid *o, struct ber_element **elm)
> >  {
> > struct pf_status s;
> > -   time_t   runtime;
> > char str[11];
> >  
> > if (pf_get_stats())
> > @@ -1661,12 +1660,7 @@ mib_pfinfo(struct oid *oid, struct ber_oid *o, 
> > struct ber_element **elm)
> > *elm = ber_add_integer(*elm, s.running);
> > break;
> > case 2:
> > -   if (s.since > 0)
> > -   runtime = time(NULL) - s.since;
> > -   else
> > -   runtime = 0;
> > -   runtime *= 100;
> > -   *elm = ber_add_integer(*elm, runtime);
> > +   *elm = ber_add_integer(*elm, s.since * 100);
> > ber_set_header(*elm, BER_CLASS_APPLICATION, SNMP_T_TIMETICKS);
> > break;
> > case 3:
> > 
> 



Re: pf: time since uptime instead of wall clock?

2017-03-13 Thread Mike Belopuhov
On Tue, Mar 07, 2017 at 10:36 +0100, Patrick Wildt wrote:
> On Tue, Mar 07, 2017 at 10:17:16AM +0100, Patrick Wildt wrote:
> > Hi,
> > 
> > currently the pf status struct contains the time since pf was enabled as
> > seen on the wall clock.  This means when time drifts, or is set to some
> > earlier value, the time will be off.  If we use time since uptime it
> > always increments and shows how long pf has been running compared to
> > its uptime.
> > 
> > Does this make sense?  Opinions?
> > 
> > Patrick
> 
> Alternatively it might be nicer to still use the uptime, but only return
> the delta since it was enabled.
>

I see nothing wrong with this diff.  OK mikeb

> diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
> index e241b11f6fc..ab8834e605c 100644
> --- a/sbin/pfctl/pfctl_parser.c
> +++ b/sbin/pfctl/pfctl_parser.c
> @@ -525,7 +525,7 @@ print_status(struct pf_status *s, int opts)
>   charbuf[PF_MD5_DIGEST_LENGTH * 2 + 1];
>   static const char   hex[] = "0123456789abcdef";
>  
> - runtime = time(NULL) - s->since;
> + runtime = s->since;
>   running = s->running ? "Enabled" : "Disabled";
>  
>   if (s->since) {
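Review bot: with `runtime = s->since` the field now carries a duration, but the `if (s->since)` guard kept as context was written for a timestamp: a status fetched in the same second pf was enabled is legitimately 0 and would be skipped, and any code below that still formats s->since as a date needs the same treatment. This userland half only gives the right answer once the kernel converts to a delta in DIOCGETSTATUS, so the two should land together.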
> diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
> index 56a43a55ab8..cd5be10e2a1 100644
> --- a/sys/net/pf_ioctl.c
> +++ b/sys/net/pf_ioctl.c
> @@ -994,7 +994,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, 
> struct proc *p)
>   error = EEXIST;
>   else {
>   pf_status.running = 1;
> - pf_status.since = time_second;
> + pf_status.since = time_uptime;
>   if (pf_status.stateid == 0) {
>   pf_status.stateid = time_second;
>   pf_status.stateid = pf_status.stateid << 32;
> @@ -1009,7 +1009,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, 
> struct proc *p)
>   error = ENOENT;
>   else {
>   pf_status.running = 0;
> - pf_status.since = time_second;
> + pf_status.since = time_uptime;
>   pf_remove_queues();
>   DPFPRINTF(LOG_NOTICE, "pf: stopped");
>   }
> @@ -1577,6 +1577,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, 
> struct proc *p)
>   case DIOCGETSTATUS: {
>   struct pf_status *s = (struct pf_status *)addr;
>   bcopy(_status, s, sizeof(struct pf_status));
> + s.since = time_uptime - pf_status.since;
>   pfi_update_status(s->ifname, s);
>   break;
>   }
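Review bot: `s.since = time_uptime - pf_status.since;` will not compile, since `s` is declared as `struct pf_status *` two lines up; it must be `s->since`. Also `pf_status.since` is 0 until pf is first enabled, so the exported delta then equals the whole uptime; export 0 when `pf_status.since == 0`, otherwise the pfctl and snmpd readers will report pf as having run since boot.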
> @@ -1605,7 +1606,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, 
> struct proc *p)
>   bzero(pf_status.counters, sizeof(pf_status.counters));
>   bzero(pf_status.fcounters, sizeof(pf_status.fcounters));
>   bzero(pf_status.scounters, sizeof(pf_status.scounters));
> - pf_status.since = time_second;
> + pf_status.since = time_uptime;
>  
>   break;
>   }
> diff --git a/usr.bin/systat/pf.c b/usr.bin/systat/pf.c
> index 6e282bb7359..882985e6594 100644
> --- a/usr.bin/systat/pf.c
> +++ b/usr.bin/systat/pf.c
> @@ -229,7 +229,7 @@ print_pf(void)
>   if (end > num_disp)
>   end = num_disp;
>  
> - tm = time(NULL) - s->since;
> + tm = s->since;
>  
>   ADD_LINE_S("pf", "Status", s->running ? "Enabled" : "Disabled");
>   ADD_LINE_A("pf", "Since", tm);
> diff --git a/usr.sbin/snmpd/mib.c b/usr.sbin/snmpd/mib.c
> index f53d9379b07..7fb82f22cb5 100644
> --- a/usr.sbin/snmpd/mib.c
> +++ b/usr.sbin/snmpd/mib.c
> @@ -1650,7 +1650,6 @@ int
>  mib_pfinfo(struct oid *oid, struct ber_oid *o, struct ber_element **elm)
>  {
>   struct pf_status s;
> - time_t   runtime;
>   char str[11];
>  
>   if (pf_get_stats())
> @@ -1661,12 +1660,7 @@ mib_pfinfo(struct oid *oid, struct ber_oid *o, struct 
> ber_element **elm)
>   *elm = ber_add_integer(*elm, s.running);
>   break;
>   case 2:
> - if (s.since > 0)
> - runtime = time(NULL) - s.since;
> - else
> - runtime = 0;
> - runtime *= 100;
> - *elm = ber_add_integer(*elm, runtime);
> + *elm = ber_add_integer(*elm, s.since * 100);
>   ber_set_header(*elm, BER_CLASS_APPLICATION, SNMP_T_TIMETICKS);
>   break;
>   case 3:
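Review bot: the removed `s.since > 0` guard was what kept the never-enabled case at 0, and with the DIOCGETSTATUS hunk as it stands that case now yields the full uptime; keep a zero check here unless the kernel side guarantees a 0 delta. TimeTicks is a 32-bit unsigned centisecond counter, so `s.since * 100` wraps after roughly 497 days, which the old code shared but is worth a comment now that the value is a running duration.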
>
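Patrick's argument above is that a wall-clock "since" stamp gives wrong answers whenever the clock is stepped, and his alternative is to keep an uptime stamp in the kernel but hand out the delta at DIOCGETSTATUS time. The following is an added example, not pf's code: it models both schemes with injected clocks so the failure mode is reproducible (enable, wait 60 s, step the wall clock back an hour), exports the delta at copy time the way the DIOCGETSTATUS hunk intends, guards the never-enabled case the snmpd hunk dropped, and converts to SNMP TimeTicks. `struct clocks`, `struct status` and the scenario values are constructed for the example; `read_clocks()` shows the real calls, with CLOCK_MONOTONIC standing in for the kernel's time_uptime.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <time.h>

/* The two kernel clocks in play: wall clock (time_second) and uptime (time_uptime). */
struct clocks {
	long wall;
	long uptime;
};

/* Stand-in for the status record; since holds an absolute uptime value. */
struct status {
	int running;
	long since;
};

void
status_start(struct status *st, const struct clocks *c)
{
	st->running = 1;
	st->since = c->uptime;		/* pf_status.since = time_uptime */
}

/*
 * The "return the delta" variant: at export time convert the absolute uptime
 * into seconds elapsed, so userland never needs a clock of its own.  A record
 * that was never started (since == 0) exports 0 rather than the whole uptime.
 */
void
status_export(const struct status *st, const struct clocks *c, struct status *out)
{
	*out = *st;
	out->since = st->since != 0 ? c->uptime - st->since : 0;
}

/* The old userland computation: wall clock now minus a wall-clock stamp. */
long
runtime_wallclock(long since_wall, const struct clocks *c)
{
	return c->wall - since_wall;
}

/* SNMP TimeTicks: centiseconds in a 32-bit unsigned counter, never negative. */
unsigned long
runtime_ticks(long since_delta)
{
	if (since_delta <= 0)
		return 0;
	return ((unsigned long)since_delta * 100UL) & 0xffffffffUL;
}

/*
 * Constructed scenario: enabled at wall 1489440604 / uptime 100, then 60 s
 * pass and the wall clock is stepped back one hour (an NTP step or a manual
 * date(1)).  The wall-clock reading goes negative; the uptime delta says 60.
 */
long
scenario_wallclock(void)
{
	struct clocks c = { 1489440604L, 100 };
	long since_wall = c.wall;		/* pf_status.since = time_second */

	c.uptime += 60;
	c.wall += 60 - 3600;
	return runtime_wallclock(since_wall, &c);
}

long
scenario_uptime(void)
{
	struct clocks c = { 1489440604L, 100 };
	struct status st = { 0, 0 }, out;

	status_start(&st, &c);
	c.uptime += 60;
	c.wall += 60 - 3600;			/* irrelevant on this path */
	status_export(&st, &c, &out);
	return out.since;
}

/* Real clocks on the running host; CLOCK_MONOTONIC plays the role of time_uptime. */
int
read_clocks(struct clocks *c)
{
	struct timespec ts;

	if (clock_gettime(CLOCK_MONOTONIC, &ts) == -1)
		return -1;
	c->uptime = (long)ts.tv_sec;
	c->wall = (long)time(NULL);
	return 0;
}
```

The same reasoning applies to any "enabled since" or "last seen" field that a monitoring agent turns into a duration: store it against a clock that only moves forward, or convert it to a delta before it leaves the kernel, and keep an explicit never-set value so a fresh boot does not report a service as running for the whole uptime.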