disable efi watchdog
The UEFI specification states a watchdog should be armed for 5 minutes. Stop this from resetting a system when in efiboot. Index: amd64/stand/efiboot/efiboot.c === RCS file: /cvs/src/sys/arch/amd64/stand/efiboot/efiboot.c,v retrieving revision 1.28 diff -u -p -r1.28 efiboot.c --- amd64/stand/efiboot/efiboot.c 25 Nov 2017 19:02:07 - 1.28 +++ amd64/stand/efiboot/efiboot.c 11 Feb 2018 05:25:11 - @@ -81,6 +81,9 @@ efi_main(EFI_HANDLE image, EFI_SYSTEM_TA RS = ST->RuntimeServices; IH = image; + /* disable reset by watchdog after 5 minutes */ + EFI_CALL(BS->SetWatchdogTimer, 0, 0, 0, NULL); + efi_video_init(); efi_heap_init(); Index: armv7/stand/efiboot/efiboot.c === RCS file: /cvs/src/sys/arch/armv7/stand/efiboot/efiboot.c,v retrieving revision 1.19 diff -u -p -r1.19 efiboot.c --- armv7/stand/efiboot/efiboot.c 21 Aug 2017 20:05:32 - 1.19 +++ armv7/stand/efiboot/efiboot.c 11 Feb 2018 05:25:11 - @@ -71,6 +71,9 @@ efi_main(EFI_HANDLE image, EFI_SYSTEM_TA BS = ST->BootServices; IH = image; + /* disable reset by watchdog after 5 minutes */ + EFI_CALL(BS->SetWatchdogTimer, 0, 0, 0, NULL); + status = EFI_CALL(BS->HandleProtocol, image, &imgp_guid, (void **)&imgp); if (status == EFI_SUCCESS) Index: arm64/stand/efiboot/efiboot.c === RCS file: /cvs/src/sys/arch/arm64/stand/efiboot/efiboot.c,v retrieving revision 1.15 diff -u -p -r1.15 efiboot.c --- arm64/stand/efiboot/efiboot.c 6 Feb 2018 20:35:21 - 1.15 +++ arm64/stand/efiboot/efiboot.c 11 Feb 2018 05:25:12 - @@ -74,6 +74,9 @@ efi_main(EFI_HANDLE image, EFI_SYSTEM_TA BS = ST->BootServices; IH = image; + /* disable reset by watchdog after 5 minutes */ + EFI_CALL(BS->SetWatchdogTimer, 0, 0, 0, NULL); + status = EFI_CALL(BS->HandleProtocol, image, &imgp_guid, (void **)&imgp); if (status == EFI_SUCCESS)
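Review bot: The EFI_STATUS returned by SetWatchdogTimer is discarded by the added `EFI_CALL(BS->SetWatchdogTimer, 0, 0, 0, NULL);` in all three hunks, so if the firmware answers EFI_UNSUPPORTED or EFI_DEVICE_ERROR the five-minute watchdog stays armed and the loader still resets with nothing to say why. In the armv7 and arm64 hunks a `status` variable is already in use on the very next line, so `status = EFI_CALL(BS->SetWatchdogTimer, 0, 0, 0, NULL);` followed by a check costs one line; on amd64 the call lands before efi_video_init(), so a failure can only be recorded there and reported once the console is up. The comment could also say what the zero arguments mean for the rest of the boot, e.g. `/* disarm the boot services watchdog for good: a hung loader now stays hung instead of resetting after 5 minutes */`. efi_main continues past each hunk.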
Re: vmctl show
On Sun, Feb 11, 2018 at 12:51:57AM +0100, Peter Hessler wrote: > My fingers have typed "vmctl show" instead of "vmctl status" for over a > year now, so add it as an alias. > > OK? > > > Index: main.c > === > RCS file: /cvs/openbsd/src/usr.sbin/vmctl/main.c,v > retrieving revision 1.34 > diff -u -p -u -p -r1.34 main.c > --- main.c3 Jan 2018 05:39:56 - 1.34 > +++ main.c10 Feb 2018 23:46:44 - > @@ -68,6 +68,7 @@ struct ctl_command ctl_commands[] = { > { "log",CMD_LOG,ctl_log,"(verbose|brief)" }, > { "reload", CMD_RELOAD, ctl_reload, "" }, > { "reset", CMD_RESET, ctl_reset, "[all|vms|switches]" }, > + { "show", CMD_STATUS, ctl_status, "[id]" }, > { "start", CMD_START, ctl_start, "\"name\"" > " [-Lc] [-b image] [-r image] [-m size]\n" > "\t\t[-n switch] [-i count] [-d disk]*" }, > Index: vmctl.8 > === > RCS file: /cvs/openbsd/src/usr.sbin/vmctl/vmctl.8,v > retrieving revision 1.37 > diff -u -p -u -p -r1.37 vmctl.8 > --- vmctl.8 3 Jan 2018 08:17:18 - 1.37 > +++ vmctl.8 10 Feb 2018 23:48:59 - > @@ -143,6 +143,10 @@ with '.', '-' or '_'. > .It Cm status Op Ar id > Lists VMs running on the host, optionally listing just the selected VM > .Ar id . > +.It Cm show Op Ar id > +An alias for the > +.Cm status > +command. > .It Cm stop Ar id > Stops (terminates) a VM defined by the specified VM > .Ar id . > > > -- > Coito ergo sum > No objections. Since at least 3-4 people have said they want it, go for it.
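Review bot: The new manpage entry is out of order: `.It Cm show Op Ar id` is inserted after `.It Cm status`, while the surrounding list (status, stop) and the ctl_commands table in main.c (reset, show, start) are alphabetical, and "show" sorts before "status". Moving the four added lines above `.It Cm status Op Ar id` keeps the man page consistent with the command table. The same hunk is re-quoted in the later replies and in the original posting further down the page, so this applies to every copy.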
re-enable mfii(4) aen
Almost exactly a year ago (give or take an hour), we disabled AEN handling in mfii(4) because it didn't work on SAS2208 controllers. I finally got around to looking into this and found we were just missing one magical offset in one of the command structures. The diff below add this and re-enables AEN processing. I've tested on the following: mfii0 at pci3 dev 0 function 0 "Symbios Logic MegaRAID SAS2208" rev 0x01: msi mfii0: "PERC H710P Mini", firmware 21.0.2-0001, 1024MB cache mfii0 at pci1 dev 0 function 0 "Symbios Logic MegaRAID SAS3108" rev 0x02: msi mfii0: "PERC H730 Mini", firmware 25.4.0.0015, 1024MB cache Could someone test on a SAS3.5 controller (megaraid 34xx or 35xx)? I don't have access to one currently. All you need to do is boot the resulting kernel and check mfii0 isn't generating interrupts constantly. Tests on other hardware would also be useful. Index: mfii.c === RCS file: /cvs/src/sys/dev/pci/mfii.c,v retrieving revision 1.46 diff -u -p -r1.46 mfii.c --- mfii.c 2 Feb 2018 11:24:37 - 1.46 +++ mfii.c 11 Feb 2018 02:34:50 - @@ -630,22 +630,18 @@ mfii_attach(struct device *parent, struc mfii_syspd(sc); -#ifdef notyet if (mfii_aen_register(sc) != 0) { /* error printed by mfii_aen_register */ goto intr_disestablish; } -#endif /* enable interrupts */ mfii_write(sc, MFI_OSTS, 0x); mfii_write(sc, MFI_OMSK, ~MFII_OSTS_INTR_VALID); return; -#ifdef notyet intr_disestablish: pci_intr_disestablish(sc->sc_pc, sc->sc_ih); -#endif free_sgl: mfii_dmamem_free(sc, sc->sc_sgl); free_requests: @@ -851,6 +847,7 @@ mfii_dcmd_start(struct mfii_softc *sc, s io->function = MFII_FUNCTION_PASSTHRU_IO; io->sgl_offset0 = (uint32_t *)sge - (uint32_t *)io; + io->chain_offset = io->sgl_offset0 / 4; htolem64(&sge->sg_addr, ccb->ccb_sense_dva); htolem32(&sge->sg_len, sizeof(*ccb->ccb_sense));
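Review bot: The one-line fix `io->chain_offset = io->sgl_offset0 / 4;` in the mfii_dcmd_start hunk carries no explanation of the `/ 4`, and the cover text itself calls the offset magical. Since sgl_offset0 is computed two lines up as a difference of uint32_t pointers, the divisor presumably converts 32-bit words into the 16-byte units the firmware expects for chain_offset; that is worth confirming against the interface description and recording as `/* chain_offset is in 16 byte units, sgl_offset0 in 32 bit words */`. Now that the mfii_aen_register() failure branch in the first hunk is compiled in, the `goto intr_disestablish` path is reachable for the first time; whether the state established by mfii_syspd() and earlier needs tearing down there is not visible in the hunk and deserves a look. Both functions continue outside their hunks.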
Re: ospfd (route socket filter on priority)
On Sun, Feb 11, 2018 at 02:17:38AM +0100, Sebastian Benoit wrote: > > Hi, > > here is the ospfd part again, now the socket option is set on reload as > well. > > ok? > > (benno_route_priofilter_2_ospfd.diff) > > diff --git usr.sbin/ospfd/kroute.c usr.sbin/ospfd/kroute.c > index 17febefbdcb..4f6dc933a42 100644 > --- usr.sbin/ospfd/kroute.c > +++ usr.sbin/ospfd/kroute.c > @@ -127,10 +127,11 @@ kif_init(void) > } > > int > -kr_init(int fs, u_int rdomain) > +kr_init(int fs, u_int rdomain, int redis_label_or_prefix) > { > int opt = 0, rcvbuf, default_rcvbuf; > socklen_t optlen; > + int filter_prio = RTP_OSPF; > > kr_state.fib_sync = fs; > kr_state.rdomain = rdomain; > @@ -146,6 +147,18 @@ kr_init(int fs, u_int rdomain) > &opt, sizeof(opt)) == -1) > log_warn("kr_init: setsockopt");/* not fatal */ > > + if (redis_label_or_prefix) { > + filter_prio = 0; > + log_info("%s: priority filter disabled", __func__); > + } else > + log_debug("%s: priority filter enabled", __func__); > + > + if (setsockopt(kr_state.fd, AF_ROUTE, ROUTE_PRIOFILTER, &filter_prio, > + sizeof(filter_prio)) == -1) { > + log_warn("%s: setsockopt AF_ROUTE ROUTE_PRIOFILTER", __func__); > + /* not fatal */ > + } > + > /* grow receive buffer, don't wanna miss messages */ > optlen = sizeof(default_rcvbuf); > if (getsockopt(kr_state.fd, SOL_SOCKET, SO_RCVBUF, 
> @@ -600,12 +613,27 @@ kr_redistribute(struct kroute_node *kh) > } > > void > -kr_reload(void) > +kr_reload(int redis_label_or_prefix) > { > struct kroute_node *kr, *kn; > u_int32_tdummy; > int r; > + int filter_prio = RTP_OSPF; > + > + /* update the priority filter */ > + if (redis_label_or_prefix) { > + filter_prio = 0; > + log_info("%s: priority filter disabled", __func__); > + } else > + log_debug("%s: priority filter enabled", __func__); > + > + if (setsockopt(kr_state.fd, AF_ROUTE, ROUTE_PRIOFILTER, &filter_prio, > + sizeof(filter_prio)) == -1) { > + log_warn("%s: setsockopt AF_ROUTE ROUTE_PRIOFILTER", __func__); > + /* not fatal */ > + } > > + /* update redistribute lists */ > RB_FOREACH(kr, kroute_tree, &krt) { > for (kn = kr; kn; kn = kn->next) { > r = ospf_redistribute(&kn->r, &dummy); > diff --git usr.sbin/ospfd/ospfd.c usr.sbin/ospfd/ospfd.c > index 3c5057ae04e..01fd6bbafb9 100644 > --- usr.sbin/ospfd/ospfd.c > +++ usr.sbin/ospfd/ospfd.c > @@ -265,7 +265,7 @@ main(int argc, char *argv[]) > event_add(&iev_rde->ev, NULL); > > if (kr_init(!(ospfd_conf->flags & OSPFD_FLAG_NO_FIB_UPDATE), > - ospfd_conf->rdomain) == -1) > + ospfd_conf->rdomain, ospfd_conf->redist_label_or_prefix) == -1) > fatalx("kr_init failed"); > > /* remove unneeded stuff from config */ > @@ -637,7 +637,7 @@ ospf_reload(void) > > merge_config(ospfd_conf, xconf); > /* update redistribute lists */ > - kr_reload(); > + kr_reload(ospfd_conf->redist_label_or_prefix); > return (0); > } > > @@ -667,6 +667,7 @@ merge_config(struct ospfd_conf *conf, struct ospfd_conf > *xconf) > SIMPLEQ_EMPTY(&xconf->redist_list)) > rchange = 1; > conf->rfc1583compat = xconf->rfc1583compat; > + conf->redist_label_or_prefix = xconf->redist_label_or_prefix; > > if (ospfd_process == PROC_MAIN) { > /* main process does neither use areas nor interfaces */ > diff --git usr.sbin/ospfd/ospfd.h usr.sbin/ospfd/ospfd.h > index af082b1079c..1a5d20e0068 100644 > --- usr.sbin/ospfd/ospfd.h > +++ usr.sbin/ospfd/ospfd.h 
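Review bot: The priority-filter block added to kr_reload here is a verbatim copy of the one added to kr_init in the previous hunk (both reappear in the unquoted posting further down the page), so a `static` helper would keep the two from drifting apart. While moving it, declare the option value as `unsigned int`: the kernel side reads the option as `unsigned int` and the route.4 example uses `unsigned int maxprio`, whereas both hunks pass an `int`. Each caller then reduces to `kr_set_priofilter(redis_label_or_prefix);`. The fence shows the helper; kr_init and kr_reload continue outside their hunks.
```c
/*
 * Set the route socket priority filter.  With label or prefix
 * redistribution every route is of interest, so the filter is
 * disabled (0); otherwise only routes at RTP_OSPF or better are wanted.
 */
static void
kr_set_priofilter(int redis_label_or_prefix)
{
	unsigned int filter_prio = RTP_OSPF;

	if (redis_label_or_prefix) {
		filter_prio = 0;
		log_info("%s: priority filter disabled", __func__);
	} else
		log_debug("%s: priority filter enabled", __func__);

	if (setsockopt(kr_state.fd, AF_ROUTE, ROUTE_PRIOFILTER, &filter_prio,
	    sizeof(filter_prio)) == -1) {
		log_warn("%s: setsockopt AF_ROUTE ROUTE_PRIOFILTER", __func__);
		/* not fatal */
	}
}

/* … in kr_init() and kr_reload(), in place of the duplicated block … */
	kr_set_priofilter(redis_label_or_prefix);
```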
> @@ -394,6 +394,7 @@ struct ospfd_conf { > int spf_state; > int ospf_socket; > int flags; > + int redist_label_or_prefix; > u_int8_trfc1583compat; > u_int8_tborder; > u_int8_tredistribute; > @@ -567,7 +568,7 @@ u_int16_t iso_cksum(void *, u_int16_t, u_int16_t); > /* kroute.c */ > int kif_init(void); > void kif_clear(void); > -int kr_init(int, u_int); > +int kr_init(int, u_int, int); > int kr_change(struct kroute *, int); > int kr_delete(struct kroute *); > void kr_shutdown(void); > @@ -578,7 +579,7 @@ void kr_dispatch_msg(int, short, void *); > void kr_show_route(struct imsg *); > void kr_ifinfo(char *, pid_t); > struct kif *kif_findname(char *, struct in_addr, struct kif_addr **); > -void kr_reload(void); > +void kr_reload(int); > > u_int8_t mask2prefixlen(in_addr_t); > in_addr_t
Re: route socket filter on priority
On Sun, Feb 11, 2018 at 02:14:32AM +0100, Sebastian Benoit wrote: > Stuart Henderson(s...@spacehopper.org) on 2018.02.10 10:41:11 +: > > This comment needs fixing or removing, otherwise ok. > > Feel free to use this accompanying manpage diff. > > Hi sthen, thanks > > updated diff,this is only the kernel part + manpage. > I added the RTP constants to the manpage, as all the other ones are there as > well. > The other change is to move from u_char to unsinged int, because the other > socket options are unsinged int as well. > > i will send the ospfd diff as seperate mail. > > ok? > Comments inline > (benno_route_priofilter_2_kernel.diff) > > diff --git share/man/man4/route.4 share/man/man4/route.4 > index 654b9a1505a..4e5d26724e6 100644 > --- share/man/man4/route.4 > +++ share/man/man4/route.4 
> @@ -210,6 +210,41 @@ if (setsockopt(routefd, PF_ROUTE, ROUTE_MSGFILTER, > err(1, "setsockopt(ROUTE_MSGFILTER)"); > .Ed > .Pp > +Similarly, a process can specify that it is only interested in messages > +relating to routes where the priority is no more than a certain value > +by issuing a setsockopt call with the > +.Dv ROUTE_PRIOFILTER > +option. > +For example, to select only local, directly connected and static routes: > +.Bd -literal -offset indent > +unsigned int maxprio = RTP_STATIC; > + > +if (setsockopt(routefd, PF_ROUTE, ROUTE_PRIOFILTER, > +&maxprio, sizeof(maxprio)) == -1) > + err(1, "setsockopt(ROUTE_PRIOFILTER)"); > +.Ed > +.Pp > +The predefined constants for the routing priorities are: > +.Bd -literal > +#define RTP_NONE 0 /* unset priority use sane default */ > +#define RTP_LOCAL1 /* local address routes (must be the highest) */ > +#define RTP_CONNECTED4 /* directly connected routes */ > +#define RTP_STATIC 8 /* static routes base priority */ > +#define RTP_EIGRP28 /* EIGRP routes */ > +#define RTP_OSPF 32 /* OSPF routes */ > +#define RTP_ISIS 36 /* IS-IS routes */ > +#define RTP_RIP 40 /* RIP routes */ > +#define RTP_BGP 48 /* BGP routes */ > +#define RTP_DEFAULT 56 /* routes that have nothing set */ > +#define RTP_PROPOSAL_STATIC 57 > +#define RTP_PROPOSAL_DHCLIENT58 > +#define RTP_PROPOSAL_SLAAC 59 > +#define RTP_MAX 63 /* maximum priority */ > +#define RTP_ANY 64 /* any of the above */ > +#define RTP_MASK 0x7f > +#define RTP_DOWN 0x80/* route/link is down */ > +.Ed > +.Pp > If a route is in use when it is deleted, > the routing entry will be marked down and removed from the routing table, > but the resources associated with it will not > diff --git sys/net/route.h sys/net/route.h > index 1ca0a22c45f..b27d42bd555 100644 > --- sys/net/route.h > +++ sys/net/route.h 
> @@ -297,6 +297,9 @@ struct rt_msghdr { > sent to the client. */ > #define ROUTE_TABLEFILTER 2 /* change routing table the socket is listening > on, RTABLE_ANY listens on all tables. */ > +#define ROUTE_PRIOFILTER 3 /* only pass updates with a priority higher or > +equal (actual value lower) to the specified > +priority. */ > > #define ROUTE_FILTER(m) (1 << (m)) > #define RTABLE_ANY 0x > diff --git sys/net/rtsock.c sys/net/rtsock.c > index 35bdd09d143..09c622840aa 100644 > --- sys/net/rtsock.c > +++ sys/net/rtsock.c > @@ -141,6 +141,7 @@ struct routecb { > unsigned intmsgfilter; > unsigned intflags; > u_int rtableid; > + u_char priority; > }; > #define sotoroutecb(so) ((struct routecb *)(so)->so_pcb) > > @@ -308,7 +309,7 @@ route_ctloutput(int op, struct socket *so, int level, int > optname, > { > struct routecb *rop = sotoroutecb(so); > int error = 0; > - unsigned int tid; > + unsigned int tid, prio; > > if (level != AF_ROUTE) > return (EINVAL); > @@ -333,6 +334,17 @@ route_ctloutput(int op, struct socket *so, int level, > int optname, > else > rop->rtableid = tid; > break; > + case ROUTE_PRIOFILTER: > + if (m == NULL || m->m_len != sizeof(unsigned int)) { > + error = EINVAL; > + break; > + } > + prio = *mtod(m, unsigned int *); > + if (prio > RTP_MAX) > + error = EINVAL; > + else > + rop->priority = prio; > + break; > default: > error = ENOPROTOOPT; > break; > @@ -348,6 +360,10 @@ route_ctloutput(int op, struct socket *so, int level, > int optname, > m->m_len = sizeof
ospfd (route socket filter on priority)
Hi, here is the ospfd part again, now the socket option is set on reload as well. ok? (benno_route_priofilter_2_ospfd.diff) diff --git usr.sbin/ospfd/kroute.c usr.sbin/ospfd/kroute.c index 17febefbdcb..4f6dc933a42 100644 --- usr.sbin/ospfd/kroute.c +++ usr.sbin/ospfd/kroute.c @@ -127,10 +127,11 @@ kif_init(void) } int -kr_init(int fs, u_int rdomain) +kr_init(int fs, u_int rdomain, int redis_label_or_prefix) { int opt = 0, rcvbuf, default_rcvbuf; socklen_t optlen; + int filter_prio = RTP_OSPF; kr_state.fib_sync = fs; kr_state.rdomain = rdomain; @@ -146,6 +147,18 @@ kr_init(int fs, u_int rdomain) &opt, sizeof(opt)) == -1) log_warn("kr_init: setsockopt");/* not fatal */ + if (redis_label_or_prefix) { + filter_prio = 0; + log_info("%s: priority filter disabled", __func__); + } else + log_debug("%s: priority filter enabled", __func__); + + if (setsockopt(kr_state.fd, AF_ROUTE, ROUTE_PRIOFILTER, &filter_prio, + sizeof(filter_prio)) == -1) { + log_warn("%s: setsockopt AF_ROUTE ROUTE_PRIOFILTER", __func__); + /* not fatal */ + } + /* grow receive buffer, don't wanna miss messages */ optlen = sizeof(default_rcvbuf); if (getsockopt(kr_state.fd, SOL_SOCKET, SO_RCVBUF, @@ -600,12 +613,27 @@ kr_redistribute(struct kroute_node *kh) } void -kr_reload(void) +kr_reload(int redis_label_or_prefix) { struct kroute_node *kr, *kn; u_int32_tdummy; int r; + int filter_prio = RTP_OSPF; + + /* update the priority filter */ + if (redis_label_or_prefix) { + filter_prio = 0; + log_info("%s: priority filter disabled", __func__); + } else + log_debug("%s: priority filter enabled", __func__); + + if (setsockopt(kr_state.fd, AF_ROUTE, ROUTE_PRIOFILTER, &filter_prio, + sizeof(filter_prio)) == -1) { + log_warn("%s: setsockopt AF_ROUTE ROUTE_PRIOFILTER", __func__); + /* not fatal */ + } + /* update redistribute lists */ RB_FOREACH(kr, kroute_tree, &krt) { for (kn = kr; kn; kn = kn->next) { r = ospf_redistribute(&kn->r, &dummy); 
diff --git usr.sbin/ospfd/ospfd.c usr.sbin/ospfd/ospfd.c index 3c5057ae04e..01fd6bbafb9 100644 --- usr.sbin/ospfd/ospfd.c +++ usr.sbin/ospfd/ospfd.c @@ -265,7 +265,7 @@ main(int argc, char *argv[]) event_add(&iev_rde->ev, NULL); if (kr_init(!(ospfd_conf->flags & OSPFD_FLAG_NO_FIB_UPDATE), - ospfd_conf->rdomain) == -1) + ospfd_conf->rdomain, ospfd_conf->redist_label_or_prefix) == -1) fatalx("kr_init failed"); /* remove unneeded stuff from config */ @@ -637,7 +637,7 @@ ospf_reload(void) merge_config(ospfd_conf, xconf); /* update redistribute lists */ - kr_reload(); + kr_reload(ospfd_conf->redist_label_or_prefix); return (0); } @@ -667,6 +667,7 @@ merge_config(struct ospfd_conf *conf, struct ospfd_conf *xconf) SIMPLEQ_EMPTY(&xconf->redist_list)) rchange = 1; conf->rfc1583compat = xconf->rfc1583compat; + conf->redist_label_or_prefix = xconf->redist_label_or_prefix; if (ospfd_process == PROC_MAIN) { /* main process does neither use areas nor interfaces */ diff --git usr.sbin/ospfd/ospfd.h usr.sbin/ospfd/ospfd.h index af082b1079c..1a5d20e0068 100644 --- usr.sbin/ospfd/ospfd.h +++ usr.sbin/ospfd/ospfd.h @@ -394,6 +394,7 @@ struct ospfd_conf { int spf_state; int ospf_socket; int flags; + int redist_label_or_prefix; u_int8_trfc1583compat; u_int8_tborder; u_int8_tredistribute; @@ -567,7 +568,7 @@ u_int16_tiso_cksum(void *, u_int16_t, u_int16_t); /* kroute.c */ int kif_init(void); voidkif_clear(void); -int kr_init(int, u_int); +int kr_init(int, u_int, int); int kr_change(struct kroute *, int); int kr_delete(struct kroute *); voidkr_shutdown(void); @@ -578,7 +579,7 @@ void kr_dispatch_msg(int, short, void *); voidkr_show_route(struct imsg *); voidkr_ifinfo(char *, pid_t); struct kif *kif_findname(char *, struct in_addr, struct kif_addr **); -voidkr_reload(void); +voidkr_reload(int); u_int8_t mask2prefixlen(in_addr_t); in_addr_t prefixlen2mask(u_int8_t); 
diff --git usr.sbin/ospfd/parse.y usr.sbin/ospfd/parse.y index 4bf64d5d7e3..6f1cf5b7b19 100644 --- usr.sbin/ospfd/parse.y +++ usr.sbin/ospfd/parse.y @@ -
Re: route socket filter on priority
Stuart Henderson(s...@spacehopper.org) on 2018.02.10 10:41:11 +: > This comment needs fixing or removing, otherwise ok. > Feel free to use this accompanying manpage diff. Hi sthen, thanks updated diff, this is only the kernel part + manpage. I added the RTP constants to the manpage, as all the other ones are there as well. The other change is to move from u_char to unsigned int, because the other socket options are unsigned int as well. I will send the ospfd diff as a separate mail. ok? (benno_route_priofilter_2_kernel.diff) diff --git share/man/man4/route.4 share/man/man4/route.4 index 654b9a1505a..4e5d26724e6 100644 --- share/man/man4/route.4 +++ share/man/man4/route.4 
@@ -210,6 +210,41 @@ if (setsockopt(routefd, PF_ROUTE, ROUTE_MSGFILTER, err(1, "setsockopt(ROUTE_MSGFILTER)"); .Ed .Pp +Similarly, a process can specify that it is only interested in messages +relating to routes where the priority is no more than a certain value +by issuing a setsockopt call with the +.Dv ROUTE_PRIOFILTER +option. +For example, to select only local, directly connected and static routes: +.Bd -literal -offset indent +unsigned int maxprio = RTP_STATIC; + +if (setsockopt(routefd, PF_ROUTE, ROUTE_PRIOFILTER, +&maxprio, sizeof(maxprio)) == -1) + err(1, "setsockopt(ROUTE_PRIOFILTER)"); +.Ed +.Pp +The predefined constants for the routing priorities are: +.Bd -literal +#define RTP_NONE 0 /* unset priority use sane default */ +#define RTP_LOCAL 1 /* local address routes (must be the highest) */ +#define RTP_CONNECTED 4 /* directly connected routes */ +#define RTP_STATIC 8 /* static routes base priority */ +#define RTP_EIGRP 28 /* EIGRP routes */ +#define RTP_OSPF 32 /* OSPF routes */ +#define RTP_ISIS 36 /* IS-IS routes */ +#define RTP_RIP40 /* RIP routes */ +#define RTP_BGP48 /* BGP routes */ +#define RTP_DEFAULT56 /* routes that have nothing set */ +#define RTP_PROPOSAL_STATIC57 +#define RTP_PROPOSAL_DHCLIENT 58 +#define RTP_PROPOSAL_SLAAC 59 +#define RTP_MAX63 /* maximum priority */ +#define RTP_ANY64 /* any of the above */ +#define RTP_MASK 0x7f +#define RTP_DOWN 0x80/* route/link is down */ +.Ed +.Pp If a route is in use when it is deleted, the routing entry will be marked down and removed from the routing table, but the resources associated with it will not diff --git sys/net/route.h sys/net/route.h index 1ca0a22c45f..b27d42bd555 100644 --- sys/net/route.h +++ sys/net/route.h 
@@ -297,6 +297,9 @@ struct rt_msghdr { sent to the client. */ #define ROUTE_TABLEFILTER 2/* change routing table the socket is listening on, RTABLE_ANY listens on all tables. */ +#define ROUTE_PRIOFILTER 3 /* only pass updates with a priority higher or + equal (actual value lower) to the specified + priority. */ #define ROUTE_FILTER(m)(1 << (m)) #define RTABLE_ANY 0x diff --git sys/net/rtsock.c sys/net/rtsock.c index 35bdd09d143..09c622840aa 100644 --- sys/net/rtsock.c +++ sys/net/rtsock.c @@ -141,6 +141,7 @@ struct routecb { unsigned intmsgfilter; unsigned intflags; u_int rtableid; + u_char priority; }; #definesotoroutecb(so) ((struct routecb *)(so)->so_pcb) @@ -308,7 +309,7 @@ route_ctloutput(int op, struct socket *so, int level, int optname, { struct routecb *rop = sotoroutecb(so); int error = 0; - unsigned int tid; + unsigned int tid, prio; if (level != AF_ROUTE) return (EINVAL); @@ -333,6 +334,17 @@ route_ctloutput(int op, struct socket *so, int level, int optname, else rop->rtableid = tid; break; + case ROUTE_PRIOFILTER: + if (m == NULL || m->m_len != sizeof(unsigned int)) { + error = EINVAL; + break; + } + prio = *mtod(m, unsigned int *); + if (prio > RTP_MAX) + error = EINVAL; + else + rop->priority = prio; + break; default: error = ENOPROTOOPT; break; @@ -348,6 +360,10 @@ route_ctloutput(int op, struct socket *so, int level, int optname, m->m_len = sizeof(unsigned int); *mtod(m, unsigned int *) = rop->rtableid; break; + case ROUTE_PRIOFILTER: + m->m_len = sizeof(u_char); + *mtod
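Review bot: The getsockopt side visible at the end of the last hunk answers with `m->m_len = sizeof(u_char);` while the ROUTE_PRIOFILTER set case added in the route_ctloutput hunk insists on `m->m_len != sizeof(unsigned int)` and reads an `unsigned int`, so a caller that round-trips the option with the same buffer gets a one-byte reply to a four-byte request; the cover text says the type moved to unsigned int, but `u_char priority;` in struct routecb and the get path still say u_char. Either widen the field to `unsigned int` like msgfilter and flags, or keep u_char (RTP_MAX fits) and report it as `m->m_len = sizeof(unsigned int); *mtod(m, unsigned int *) = rop->priority;`. The same hunks are quoted in the reply earlier on the page. The last hunk is cut off at the end of the page, so the remainder of the get path is not visible.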
Re: vmctl show
Guilty. On Feb 10, 2018 17:56, "Sebastian Benoit" wrote: > Peter Hessler(phess...@openbsd.org) on 2018.02.11 00:51:57 +0100: > > My fingers have typed "vmctl show" instead of "vmctl status" for over a > > year now, so add it as an alias. > > oh yes please, i thought i was the only stupid one. > > > OK? > > ok > > > Index: main.c > > === > > RCS file: /cvs/openbsd/src/usr.sbin/vmctl/main.c,v > > retrieving revision 1.34 > > diff -u -p -u -p -r1.34 main.c > > --- main.c3 Jan 2018 05:39:56 - 1.34 > > +++ main.c10 Feb 2018 23:46:44 - > > @@ -68,6 +68,7 @@ struct ctl_command ctl_commands[] = { > > { "log",CMD_LOG,ctl_log,"(verbose|brief)" > }, > > { "reload", CMD_RELOAD, ctl_reload, "" }, > > { "reset", CMD_RESET, ctl_reset, > "[all|vms|switches]" }, > > + { "show", CMD_STATUS, ctl_status, "[id]" }, > > { "start", CMD_START, ctl_start, "\"name\"" > > " [-Lc] [-b image] [-r image] [-m size]\n" > > "\t\t[-n switch] [-i count] [-d disk]*" }, > > Index: vmctl.8 > > === > > RCS file: /cvs/openbsd/src/usr.sbin/vmctl/vmctl.8,v > > retrieving revision 1.37 > > diff -u -p -u -p -r1.37 vmctl.8 > > --- vmctl.8 3 Jan 2018 08:17:18 - 1.37 > > +++ vmctl.8 10 Feb 2018 23:48:59 - > > @@ -143,6 +143,10 @@ with '.', '-' or '_'. > > .It Cm status Op Ar id > > Lists VMs running on the host, optionally listing just the selected VM > > .Ar id . > > +.It Cm show Op Ar id > > +An alias for the > > +.Cm status > > +command. > > .It Cm stop Ar id > > Stops (terminates) a VM defined by the specified VM > > .Ar id . > > > > > > -- > > Coito ergo sum > > > >
Re: vmctl show
Peter Hessler(phess...@openbsd.org) on 2018.02.11 00:51:57 +0100: > My fingers have typed "vmctl show" instead of "vmctl status" for over a > year now, so add it as an alias. oh yes please, i thought i was the only stupid one. > OK? ok > Index: main.c > === > RCS file: /cvs/openbsd/src/usr.sbin/vmctl/main.c,v > retrieving revision 1.34 > diff -u -p -u -p -r1.34 main.c > --- main.c3 Jan 2018 05:39:56 - 1.34 > +++ main.c10 Feb 2018 23:46:44 - > @@ -68,6 +68,7 @@ struct ctl_command ctl_commands[] = { > { "log",CMD_LOG,ctl_log,"(verbose|brief)" }, > { "reload", CMD_RELOAD, ctl_reload, "" }, > { "reset", CMD_RESET, ctl_reset, "[all|vms|switches]" }, > + { "show", CMD_STATUS, ctl_status, "[id]" }, > { "start", CMD_START, ctl_start, "\"name\"" > " [-Lc] [-b image] [-r image] [-m size]\n" > "\t\t[-n switch] [-i count] [-d disk]*" }, > Index: vmctl.8 > === > RCS file: /cvs/openbsd/src/usr.sbin/vmctl/vmctl.8,v > retrieving revision 1.37 > diff -u -p -u -p -r1.37 vmctl.8 > --- vmctl.8 3 Jan 2018 08:17:18 - 1.37 > +++ vmctl.8 10 Feb 2018 23:48:59 - > @@ -143,6 +143,10 @@ with '.', '-' or '_'. > .It Cm status Op Ar id > Lists VMs running on the host, optionally listing just the selected VM > .Ar id . > +.It Cm show Op Ar id > +An alias for the > +.Cm status > +command. > .It Cm stop Ar id > Stops (terminates) a VM defined by the specified VM > .Ar id . > > > -- > Coito ergo sum >
vmctl show
My fingers have typed "vmctl show" instead of "vmctl status" for over a year now, so add it as an alias. OK? Index: main.c === RCS file: /cvs/openbsd/src/usr.sbin/vmctl/main.c,v retrieving revision 1.34 diff -u -p -u -p -r1.34 main.c --- main.c 3 Jan 2018 05:39:56 - 1.34 +++ main.c 10 Feb 2018 23:46:44 - @@ -68,6 +68,7 @@ struct ctl_command ctl_commands[] = { { "log",CMD_LOG,ctl_log,"(verbose|brief)" }, { "reload", CMD_RELOAD, ctl_reload, "" }, { "reset", CMD_RESET, ctl_reset, "[all|vms|switches]" }, + { "show", CMD_STATUS, ctl_status, "[id]" }, { "start", CMD_START, ctl_start, "\"name\"" " [-Lc] [-b image] [-r image] [-m size]\n" "\t\t[-n switch] [-i count] [-d disk]*" }, Index: vmctl.8 === RCS file: /cvs/openbsd/src/usr.sbin/vmctl/vmctl.8,v retrieving revision 1.37 diff -u -p -u -p -r1.37 vmctl.8 --- vmctl.8 3 Jan 2018 08:17:18 - 1.37 +++ vmctl.8 10 Feb 2018 23:48:59 - @@ -143,6 +143,10 @@ with '.', '-' or '_'. .It Cm status Op Ar id Lists VMs running on the host, optionally listing just the selected VM .Ar id . +.It Cm show Op Ar id +An alias for the +.Cm status +command. .It Cm stop Ar id Stops (terminates) a VM defined by the specified VM .Ar id . -- Coito ergo sum
[patch] starttls.8
Remove `sendmail' ism's from starttls.8 --- /usr/share/man/man8/starttls.8Tue Oct 3 22:13:42 2017 +++ starttls.8Sat Feb 10 15:57:06 2018 @@ -102,17 +102,6 @@ .Pp .Dl # openssl x509 -in /etc/ssl/mail.example.com.crt -text .Pp -If you don't intend to use TLS for authentication (and if you are using -self-signed certificates you probably don't) you can simply link -your new certificate to -.Pa CAcert.pem . -.Pp -.Dl # ln -s /etc/ssl/mail.example.com.crt /etc/ssl/CAcert.pem -.Pp -If, on the other hand, you intend to use TLS for authentication -you should install your certificate authority bundle as -.Pa /etc/ssl/CAcert.pem . -.Pp Because the private key files are unencrypted, MTAs can be picky about using tight permissions on those files. 
@@ -196,36 +185,9 @@ We can use this authentication to selectively relay clients, including other mail servers and mobile clients like laptops. However, there have been some problems getting some mail clients to work using -certificate-based authentication. -Note that your clients will have to generate certificates and have them -signed (for trust validation) by a CA (certificate authority) you also trust, -if you configure your server to do client certificate checking. -Two new entries are available for TLS options: -.Bl -tag -width Ds -offset indent -.It VERIFY -contains the status of the level of verification (held in the macro {verify}) -.It ENCR -the strength of the encryption (in the macro {cipher_bits}) -.El -.Pp -VERIFY can also accept the argument for {cipher_bits}. -Here are a few example entries that illustrate these features, and -the role based granularity as well: -.Pp -Require strong (256-bit) encryption for communication with this server: -.Pp -.Dl TLS_Srv:server1.example.netENCR:256 -.Pp -For a TLS client, -require verification and a minimum of 128-bit encryption: -.Pp -.Dl TLS_Clt:desktop.example.net VERIFY:128 -.Pp -Much more complicated access maps are possible, and error conditions (such -as permanent or temporary, PERM+ or TEMP+) can be set on the basis of -various criteria. -This allows you fine-grained control over the types of connections you -can allow. +certificate-based authentication. If you configure your server to do client +certificate checking, your clients will have to generate certificates signed +by a CA you also trust. .Pp Note that it is unwise to force all SMTP clients to use TLS, as it is not yet widespread.
Re: allow marking IPv6 with a do not fragment flag for ip6_output
On Sat, Feb 10, 2018 at 09:03:10PM +1000, David Gwynne wrote: > ipv6 packets dont have a DF bit you can set in the header, you have > to pass it as an option to ip6_output if you want that behaviour > on output. however, ip6_send makes it hard to pass ip6 options to > ip6_output because you give it an mbuf, and hope for the best in > the future. > > to cope with this, im proposing we treat "dont fragment on output" > for ipv6 as a checksum flag on an mbuf. the diff below implements > this: > Not a fan of this since this is yet another special hack but I see why you need it and how hard it is to fix it properly. Grumbling ok claudio@ > Index: sys/mbuf.h > === > RCS file: /cvs/src/sys/sys/mbuf.h,v > retrieving revision 1.234 > diff -u -p -r1.234 mbuf.h > --- sys/mbuf.h9 Feb 2018 02:26:33 - 1.234 > +++ sys/mbuf.h10 Feb 2018 09:38:40 - > @@ -224,12 +224,14 @@ struct mbuf { > #define M_ICMP_CSUM_OUT 0x0200 /* ICMP/ICMPv6 checksum needed > */ > #define M_ICMP_CSUM_IN_OK 0x0400 /* ICMP/ICMPv6 checksum > verified */ > #define M_ICMP_CSUM_IN_BAD 0x0800 /* ICMP/ICMPv6 checksum bad */ > +#define M_IPV6_DF_OUT 0x1000 /* don't fragment outgoing IPv6 > */ > > #ifdef _KERNEL > #define MCS_BITS \ > ("\20\1IPV4_CSUM_OUT\2TCP_CSUM_OUT\3UDP_CSUM_OUT\4IPV4_CSUM_IN_OK" \ > "\5IPV4_CSUM_IN_BAD\6TCP_CSUM_IN_OK\7TCP_CSUM_IN_BAD\10UDP_CSUM_IN_OK" \ > - > "\11UDP_CSUM_IN_BAD\12ICMP_CSUM_OUT\13ICMP_CSUM_IN_OK\14ICMP_CSUM_IN_BAD") > + > "\11UDP_CSUM_IN_BAD\12ICMP_CSUM_OUT\13ICMP_CSUM_IN_OK\14ICMP_CSUM_IN_BAD" \ > +"\15IPV6_NODF_OUT") > #endif > > /* mbuf types */ > Index: netinet6/ip6_output.c > === > RCS file: /cvs/src/sys/netinet6/ip6_output.c,v > retrieving revision 1.232 > diff -u -p -r1.232 ip6_output.c > --- netinet6/ip6_output.c 1 Sep 2017 15:05:31 - 1.232 > +++ netinet6/ip6_output.c 10 Feb 2018 09:38:40 - 
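Review bot: The name added to MCS_BITS, `"\15IPV6_NODF_OUT"`, does not match the flag it describes, `M_IPV6_DF_OUT`; every other entry in that string is its macro name minus the `M_` prefix, and "NODF" reads as the opposite of don't-fragment, so a `%b` dump of csum_flags would mislabel the bit. Change it to `"\15IPV6_DF_OUT"`. The octal index itself is right: 0x1000 is the 13th bit, matching `\15`.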
> @@ -656,7 +656,10 @@ reroute: >*/ > tlen = m->m_pkthdr.len; > > - if (opt && (opt->ip6po_flags & IP6PO_DONTFRAG)) > + if (ISSET(m->m_pkthdr.csum_flags, M_IPV6_DF_OUT)) { > + CLR(m->m_pkthdr.csum_flags, M_IPV6_DF_OUT); > + dontfrag = 1; > + } else if (opt && ISSET(opt->ip6po_flags, IP6PO_DONTFRAG)) > dontfrag = 1; > else > dontfrag = 0; > -- :wq Claudio
Re: tidy up get_hibernate_io_function
On Sat, Feb 10, 2018 at 02:51:55PM +1000, Jonathan Matthew wrote: > It's hard to see exactly what the dv->dv_parent->etc. checks are doing. > Before adding sdmmc I'd like to tidy up a bit. > > ok? > Reads ok to me, and thanks for the cleanup. ok mlarkin if you didn't already commit this. > Index: arch/amd64/amd64/hibernate_machdep.c > === > RCS file: /cvs/src/sys/arch/amd64/amd64/hibernate_machdep.c,v > retrieving revision 1.39 > diff -u -p -u -p -r1.39 hibernate_machdep.c > --- arch/amd64/amd64/hibernate_machdep.c 29 May 2017 12:58:37 - > 1.39 > +++ arch/amd64/amd64/hibernate_machdep.c 10 Feb 2018 04:37:14 - 
> @@ -95,26 +95,32 @@ get_hibernate_io_function(dev_t dev) > extern int sr_hibernate_io(dev_t dev, daddr_t blkno, > vaddr_t addr, size_t size, int op, void *page); > struct device *dv = disk_lookup(&sd_cd, DISKUNIT(dev)); > - > + struct { > + const char *driver; > + hibio_fn io_func; > + } sd_io_funcs[] = { > #if NAHCI > 0 > - if (dv && dv->dv_parent && dv->dv_parent->dv_parent && > - > strcmp(dv->dv_parent->dv_parent->dv_cfdata->cf_driver->cd_name, > - "ahci") == 0) > - return ahci_hibernate_io; > + { "ahci", ahci_hibernate_io }, > #endif > #if NNVME > 0 > - if (dv && dv->dv_parent && dv->dv_parent->dv_parent && > - > strcmp(dv->dv_parent->dv_parent->dv_cfdata->cf_driver->cd_name, > - "nvme") == 0) > - return nvme_hibernate_io; > + { "nvme", nvme_hibernate_io }, > #endif > #if NSOFTRAID > 0 > - if (dv && dv->dv_parent && dv->dv_parent->dv_parent && > - > strcmp(dv->dv_parent->dv_parent->dv_cfdata->cf_driver->cd_name, > - "softraid") == 0) > - return sr_hibernate_io; > - } > + { "softraid", sr_hibernate_io }, > #endif > + }; > + > + if (dv && dv->dv_parent && dv->dv_parent->dv_parent) { > + const char *driver = > dv->dv_parent->dv_parent->dv_cfdata-> > + cf_driver->cd_name; > + int i; > + > + for (i = 0; i < nitems(sd_io_funcs); i++) { > + if (strcmp(driver, sd_io_funcs[i].driver) == 0) > + return sd_io_funcs[i].io_func; > + } > + } > + } > #endif /* NSD > 0 */ > return NULL; > } > Index: arch/i386/i386/hibernate_machdep.c > === > RCS file: /cvs/src/sys/arch/i386/i386/hibernate_machdep.c,v > retrieving revision 1.49 > diff -u -p -u -p -r1.49 hibernate_machdep.c > --- arch/i386/i386/hibernate_machdep.c20 May 2016 02:30:41 - > 1.49 > +++ arch/i386/i386/hibernate_machdep.c10 Feb 2018 04:37:14 - 
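Review bot: `sd_io_funcs[]` in the reworked get_hibernate_io_function is an automatic array rebuilt on every call, although every entry is a compile-time constant; `static const struct {` … `} sd_io_funcs[] = {` makes it read-only data and says it never changes. The loop index `int i` is compared with nitems(), which yields size_t, so `size_t i;` avoids a sign-compare warning. One thing to confirm: with sd(4) configured but none of ahci, nvme or softraid, all three initializers drop out and the array is left with an empty `{ }` initializer, a case the old if-chain did not have. The i386 hunk below has the same shape; the function starts before both hunks.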
> @@ -98,20 +98,29 @@ get_hibernate_io_function(dev_t dev) > extern int sr_hibernate_io(dev_t dev, daddr_t blkno, > vaddr_t addr, size_t size, int op, void *page); > struct device *dv = disk_lookup(&sd_cd, DISKUNIT(dev)); > - > + struct { > + const char *driver; > + hibio_fn io_func; > + } sd_io_funcs[] = { > #if NAHCI > 0 > - if (dv && dv->dv_parent && dv->dv_parent->dv_parent && > - > strcmp(dv->dv_parent->dv_parent->dv_cfdata->cf_driver->cd_name, > - "ahci") == 0) > - return ahci_hibernate_io; > + { "ahci", ahci_hibernate_io }, > #endif > #if NSOFTRAID > 0 > - if (dv && dv->dv_parent && dv->dv_parent->dv_parent && > - > strcmp(dv->dv_parent->dv_parent->dv_cfdata->cf_driver->cd_name, > - "softraid") == 0) > - return sr_hibernate_io; > - } > + { "softraid", sr_hibernate_io }, > #endif > + }; > + > + if (dv && dv->dv_parent && dv->dv_parent->dv_parent) { > + const char *driver = > dv->dv_parent->dv_parent->dv_cfdata-> > + cf_driver->cd_name; > + int i; > + > + for (i = 0; i < nitems(sd_io_funcs); i++) { > + if (strcmp(driver, sd_io_funcs[i].driver) == 0) > + return sd_io_funcs[i].io_func; > + } > + } > + } > #endif /* NSD > 0 */ > return NULL; > } >
Extracting pledge information from kernel code for every process.
Hello, Tech, I am doing some hands-on with OpenBSD Kernel code especially with "sys/kern/kern_sched.c". I am trying to extract pledge information from kernel code for every process. In below function, I am doing some modifications for that, void schedcpu(void *arg) { .. .. LIST_FOREACH(p, &allproc, p_list) { /* * Increment sleep time (if sleeping). We ignore overflow. */ if (p->p_stat == SSLEEP || p->p_stat == SSTOP) p->p_slptime++; p->p_pctcpu = (p->p_pctcpu * ccpu) >> FSHIFT; /* * If the process has slept the entire second, * stop recalculating its priority until it wakes up. */ if (p->p_slptime > 1) continue; SCHED_LOCK(s); /* * p_pctcpu is only for diagnostic tools such as ps. */ } Now, here, after reading some little source code, I found that LIST_FOREACH macro will traverse from the head (&allproc) and put it on var (p). Now, here, p will contain the address of struct proc structure of every process which is in the file sys/sys/proc.h. Now, again, this structure contains another struct process *p_p structure, which denotes the properties of every process like its pid, flags, threads etc. struct proc { TAILQ_ENTRY(proc) p_runq; LIST_ENTRY(proc) p_list;/* List of all threads. */ struct process *p_p; /* The process of this thread. */ TAILQ_ENTRY(proc) p_thr_link; /* Threads in a process linkage. */ TAILQ_ENTRY(proc) p_fut_link; /* Threads in a futex linkage. */ struct futex *p_futex; /* Current sleeping futex. */ /* substructures: */ struct filedesc *p_fd; /* copy of p_p->ps_fd */ struct vmspace *p_vmspace; /* copy of p_p->ps_vmspace */ #define p_rlimitp_p->ps_limit->pl_rlimit } Now, structure struct process contains uint64_t ps_plegde. struct process { /* * ps_mainproc is the original thread in the process. * It's only still special for the handling of p_xstat and * some signal and ptrace behaviors that need to be fixed. */ struct proc *ps_mainproc; struct ucred *ps_ucred;/* Process owner's identity. */ u_short ps_acflag; /* Accounting flags. 
*/ uint64_t ps_pledge; uint64_t ps_execpledge; } Now, I wrote some modification in void schedcpu() function code. void schedcpu(void *arg) { pid_t pid; uint64_t pledge_bit; LIST_FOREACH(p, &allproc, p_list) { pid=p->p_p->pid; pledge_bit=p->p_p->ps_pledge; if (pledge_bit) { printf("pid: %10d pledge_bit: %10llu pledge_xbit:%10llx\n",pid,pledge_bit,pledge_bit); } /* * Increment sleep time (if sleeping). We ignore overflow. */ if (p->p_stat == SSLEEP || p->p_stat == SSTOP) p->p_slptime++; p->p_pctcpu = (p->p_pctcpu * ccpu) >> FS } Here, Kernel log pid: 37846 pledge_bit: 393359 pledge_xbit: 6008f pid: 96037 pledge_bit: 393544 pledge_xbit: 60148 pid: 86032 pledge_bit: 264297 pledge_xbit: 40869 pid: 72264 pledge_bit: 393480 pledge_xbit: 60108 pid: 40102 pledge_bit: 8 pledge_xbit: 8 pid: 841 pledge_bit: 2148162527 pledge_xbit: 800a5bdf pid: 49970 pledge_bit: 2148096143 pledge_xbit: 8009588f pid: 68505 pledge_bit: 40 pledge_xbit: 28 pid: 46106 pledge_bit: 72 pledge_xbit: 48 pid: 77690 pledge_bit: 537161 pledge_xbit: 83249 pid: 44005 pledge_bit: 262152 pledge_xbit: 40008 pid: 82731 pledge_bit: 2148096143 pledge_xbit: 8009588f pid: 71609 pledge_bit: 262472 pledge_xbit: 40148 pid: 54330 pledge_bit: 662063 pledge_xbit: a1a2f pid: 77764 pledge_bit:1052776pledge_xbit: 101068 pid:699 pledge_bit: 2148096143 pledge_xbit: 8009588f pid: 84265 pledge_bit:1052776pledge_xbit: 101068 Is it possible to know which process pledges what permissions, from looking at pledge_bit (decimal or hex values) that I got from above output? I took pledge hex value of dhclient process i.e 0x8009588f, then, I wrote a simple hello world program with a pledge("STDIO",NULL); and again I looked at dmesg and got the same pledge_bit for hello world i.e 0x8009588f. Then, this time I looked at dhclient source code and found out that, dhclient code pledged pledge("stdio inet dns route proc", NULL). But, then, how is it possible to get same pledge hex bit for different pledge parameters? 
Or, is there some other pledge variable in the kernel which keeps track of the permission bits passed from user-space code using pledge()? Is the way I did it above the correct way to extract pledge information, or am I missing
merge kern_mutex.c into kern_lock.c
I'd like to keep all locking code in the same file then slowly remove the abstractions. ok? Index: kern/kern_lock.c === RCS file: /cvs/src/sys/kern/kern_lock.c,v retrieving revision 1.56 diff -u -p -r1.56 kern_lock.c --- kern/kern_lock.c10 Feb 2018 12:59:24 - 1.56 +++ kern/kern_lock.c10 Feb 2018 13:02:15 - @@ -1,6 +1,7 @@ /* $OpenBSD: kern_lock.c,v 1.56 2018/02/10 12:59:24 mpi Exp $ */ /* + * Copyright (c) 2017 Visa Hankala * Copyright (c) 2014 David Gwynne * Copyright (c) 2004 Artur Grabowski * @@ -350,3 +351,52 @@ __mtx_leave(struct mutex *mtx) splx(s); } #endif /* __USE_MI_MUTEX */ + +#ifdef WITNESS +void +_mtx_init_flags(struct mutex *m, int ipl, const char *name, int flags, +struct lock_type *type) +{ + struct lock_object *lo = MUTEX_LOCK_OBJECT(m); + + lo->lo_flags = MTX_LO_FLAGS(flags); + if (name != NULL) + lo->lo_name = name; + else + lo->lo_name = type->lt_name; + WITNESS_INIT(lo, type); + + _mtx_init(m, ipl); +} + +void +_mtx_enter(struct mutex *m, const char *file, int line) +{ + struct lock_object *lo = MUTEX_LOCK_OBJECT(m); + + WITNESS_CHECKORDER(lo, LOP_EXCLUSIVE | LOP_NEWORDER, file, line, NULL); + __mtx_enter(m); + WITNESS_LOCK(lo, LOP_EXCLUSIVE, file, line); +} + +int +_mtx_enter_try(struct mutex *m, const char *file, int line) +{ + struct lock_object *lo = MUTEX_LOCK_OBJECT(m); + + if (__mtx_enter_try(m)) { + WITNESS_LOCK(lo, LOP_EXCLUSIVE, file, line); + return 1; + } + return 0; +} + +void +_mtx_leave(struct mutex *m, const char *file, int line) +{ + struct lock_object *lo = MUTEX_LOCK_OBJECT(m); + + WITNESS_UNLOCK(lo, LOP_EXCLUSIVE, file, line); + __mtx_leave(m); +} +#endif /* WITNESS */ Index: kern/kern_mutex.c === RCS file: kern/kern_mutex.c diff -N kern/kern_mutex.c --- kern/kern_mutex.c 20 Apr 2017 13:57:30 - 1.1 +++ /dev/null 1 Jan 1970 00:00:00 - 
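Review bot: In the moved `_mtx_init_flags`, `type` is dereferenced (`type->lt_name`) whenever `name` is NULL and is then handed to `WITNESS_INIT`, with nothing checking that `type` itself is non-NULL; a `KASSERT(type != NULL);` at the top of the function, or a comment stating that callers must always pass a lock type, would make that contract visible now that the code lives next to the generic mutex implementation. Also, the four `#include` lines of the deleted kern_mutex.c are dropped without any being added to kern_lock.c (their names are not legible in this rendering), so it is worth confirming that kern_lock.c already includes the header declaring `struct lock_object`, `MUTEX_LOCK_OBJECT` and the `WITNESS_*` macros, or a `WITNESS` kernel will fail to build. The rest of the `#ifdef WITNESS` block is a verbatim move; `__mtx_leave` at the top of the hunk begins before it.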
@@ -1,69 +0,0 @@ -/* $OpenBSD: kern_mutex.c,v 1.1 2017/04/20 13:57:30 visa Exp $ */ - -/* - * Copyright (c) 2017 Visa Hankala - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include -#include -#include -#include - -void -_mtx_init_flags(struct mutex *m, int ipl, const char *name, int flags, -struct lock_type *type) -{ - struct lock_object *lo = MUTEX_LOCK_OBJECT(m); - - lo->lo_flags = MTX_LO_FLAGS(flags); - if (name != NULL) - lo->lo_name = name; - else - lo->lo_name = type->lt_name; - WITNESS_INIT(lo, type); - - _mtx_init(m, ipl); -} - -void -_mtx_enter(struct mutex *m, const char *file, int line) -{ - struct lock_object *lo = MUTEX_LOCK_OBJECT(m); - - WITNESS_CHECKORDER(lo, LOP_EXCLUSIVE | LOP_NEWORDER, file, line, NULL); - __mtx_enter(m); - WITNESS_LOCK(lo, LOP_EXCLUSIVE, file, line); -} - -int -_mtx_enter_try(struct mutex *m, const char *file, int line) -{ - struct lock_object *lo = MUTEX_LOCK_OBJECT(m); - - if (__mtx_enter_try(m)) { - WITNESS_LOCK(lo, LOP_EXCLUSIVE, file, line); - return 1; - } - return 0; -} - -void -_mtx_leave(struct mutex *m, const char *file, int line) -{ - struct lock_object *lo = MUTEX_LOCK_OBJECT(m); - - WITNESS_UNLOCK(lo, LOP_EXCLUSIVE, file, line); - __mtx_leave(m); -} Index: conf/files === RCS file: /cvs/src/sys/conf/files,v retrieving revision 
1.658 diff -u -p -r1.658 files --- conf/files 7 Feb 2018 01:09:57 - 1.658 +++ conf/files 10 Feb 2018 13:02:17 - @@ -671,7 +671,6 @@ file kern/kern_kthread.c file kern/kern_ktrace.cktrace file kern/kern_lock.c file kern/kern_malloc.c -file kern/kern_mutex.c witness file kern/kern_rwlock.c file kern/kern_physio.c file kern/kern_proc.c
Re: pf half-open tcp in state table
On Fri, Feb 09, 2018 at 11:11:18AM +0100, Matthieu Herrb wrote: > Hi, > > I've recently setup a new pair of OpenBSD 6.2 pf firewalls (with carp) > in my lab, and that's not performing very well. > > tcp-based NFS v3 and v4 traffic (between Linux clients and a NetApp > server) through it is struggling, and some SSH or HTTPS transfers are > stalling, with their states disapearing from the state table. > > I'm trying to figure out what's going on to fix the issue. > Thanks to all who answered in private. With their advice and a bit of personal research, it looks like this firewall pair is now working as expected. One of the main issues was caused by a server having 2 interfaces in 2 different vlans that are routed through this firewall. This generated asymmetric routing, so the reply packets weren't traversing the firewall and were not updating the state, which stayed half-open for 30s before expiring and cutting the connection. A tad of source-routing on the Linux side now forces the traffic to stay symmetric and everything's fine. Another issue seems to come from the fact that the new firewalls are faster than the previous Cisco router. That apparently triggered bugs in the vmxnet3 driver of CentOS 6 virtual machines; upgrading to the driver from open-vm-tools seems to have fixed the reset of the NFS traffic issues. The last point is that there seems to be a bug in the half-open accounting code. The huge number I'm seeing here is in fact pretty surely negative: > > The main anomaly I see is the huge number (and it keeps growing) of > half-open tcp states, after 24h of uptime. See pfctl -vsi output > below. > > half-open tcp 4294375902 This is 0xfff6f9de, so it seems that, either because of the asymmetric route issue or something else, the number of half-open connections is decremented more often than it's incremented, which leads to this unsigned overflow.
But as Henning@ mentioned, this is only accounting and not actually used anywhere, so it shouldn't cause any real-life issue. -- Matthieu Herrb
sparc64: use MI mutex
Diff below switches sparc64 to the MI mutex implementation. I've been running this on my 16CPUs guest on a T5220 without issues. I'm not removing the assembly code yet in case we spot an issue. More tests and oks welcome :) Index: arch/sparc64/conf/files.sparc64 === RCS file: /cvs/src/sys/arch/sparc64/conf/files.sparc64,v retrieving revision 1.149 diff -u -p -r1.149 files.sparc64 --- arch/sparc64/conf/files.sparc64 17 Oct 2017 14:25:35 - 1.149 +++ arch/sparc64/conf/files.sparc64 10 Feb 2018 10:49:56 - @@ -329,7 +329,6 @@ filearch/sparc64/sparc64/kgdb_machdep.c file arch/sparc64/sparc64/machdep.c file arch/sparc64/sparc64/mdesc.csun4v file arch/sparc64/sparc64/mem.c -file arch/sparc64/sparc64/mutex.S file arch/sparc64/sparc64/openprom.c file arch/sparc64/sparc64/openfirm.c file arch/sparc64/sparc64/ofw_machdep.c Index: arch/sparc64/include/mutex.h === RCS file: /cvs/src/sys/arch/sparc64/include/mutex.h,v retrieving revision 1.7 diff -u -p -r1.7 mutex.h --- arch/sparc64/include/mutex.h13 Jan 2018 15:18:11 - 1.7 +++ arch/sparc64/include/mutex.h10 Feb 2018 10:49:36 - 
@@ -1,85 +1,3 @@ /* $OpenBSD: mutex.h,v 1.7 2018/01/13 15:18:11 mpi Exp $ */ -/* - * Copyright (c) 2004 Artur Grabowski - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - *notice, this list of conditions and the following disclaimer. - * 2. The name of the author may not be used to endorse or promote products - *derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL - * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, - * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; - * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR - * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF - * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#ifndef _MACHINE_MUTEX_H_ -#define _MACHINE_MUTEX_H_ - -#include - -struct mutex { - volatile void *mtx_owner; /* mutex.S relies upon this being first */ - int mtx_wantipl; - int mtx_oldipl; -#ifdef WITNESS - struct lock_object mtx_lock_obj; -#endif -}; - -/* - * To prevent lock ordering problems with the kernel lock, we need to - * make sure we block all interrupts that can grab the kernel lock. - * The simplest way to achieve this is to make sure mutexes always - * raise the interrupt priority level to the highest level that has - * interrupts that grab the kernel lock. 
- */ -#ifdef MULTIPROCESSOR -#define __MUTEX_IPL(ipl) \ -(((ipl) > IPL_NONE && (ipl) < IPL_MPFLOOR) ? IPL_MPFLOOR : (ipl)) -#else -#define __MUTEX_IPL(ipl) (ipl) -#endif - -#ifdef WITNESS -#define MUTEX_INITIALIZER_FLAGS(ipl, name, flags) \ - { NULL, __MUTEX_IPL((ipl)), IPL_NONE, MTX_LO_INITIALIZER(name, flags) } -#else -#define MUTEX_INITIALIZER_FLAGS(ipl, name, flags) \ - { NULL, __MUTEX_IPL((ipl)), IPL_NONE } -#endif - -void __mtx_init(struct mutex *, int); -#define _mtx_init(mtx, ipl) __mtx_init((mtx), __MUTEX_IPL((ipl))) - -#ifdef DIAGNOSTIC -#define MUTEX_ASSERT_LOCKED(mtx) do { \ - if ((mtx)->mtx_owner != curcpu()) \ - panic("mutex %p not held in %s", (mtx), __func__); \ -} while (0) - -#define MUTEX_ASSERT_UNLOCKED(mtx) do { \ - if ((mtx)->mtx_owner == curcpu()) \ - panic("mutex %p held in %s", (mtx), __func__); \ -} while (0) -#else -#define MUTEX_ASSERT_LOCKED(mtx) do { } while (0) -#define MUTEX_ASSERT_UNLOCKED(mtx) do { } while (0) -#endif - -#define MUTEX_LOCK_OBJECT(mtx) (&(mtx)->mtx_lock_obj) -#define MUTEX_OLDIPL(mtx) (mtx)->mtx_oldipl - -#endif /* _MACHINE_MUTEX_H_ */ +#define __USE_MI_MUTEX
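Review bot: The replacement header drops the `__MUTEX_IPL` mapping that raised any IPL between IPL_NONE and IPL_MPFLOOR to IPL_MPFLOOR on MULTIPROCESSOR kernels, which the removed comment explains is what keeps mutexes from lock-ordering against the kernel lock; presumably the MI implementation selected by `__USE_MI_MUTEX` applies the same floor, but nothing in this diff shows it, so the commit message or a one-line comment next to the define, e.g. `/* the MI mutex code raises to IPL_MPFLOOR itself */`, should say where that responsibility now lives. The `_MACHINE_MUTEX_H_` include guard goes away as well; a bare `#define` survives double inclusion, but if more ever lands in this header the guard will be missed.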
pkg_add vs https
So we've been working with the tls crowd to bring you decent https support. The crux of the matter is that pkg_add does not handle https directly, it does use ftp(1) to fetch every single file. ... which means a new connection for each single package it looks at. with http, that's fairly okay. Establishing a new connection is pretty cheap. For https, there's tls involved, and if you look at the protocol, normal connections do begin with an authentication exchange, which uses public key cryptography, which is, for the most part, using RSA in the https world. This slows things down in two ways: - public key cryptography is still somewhat expensive, especially for slower machines. - there is a lot of back-and-forth involved, on top of normal tcp handshakes. Namely client sends clienthello, server replies with serverhello, client responds with certificateinfo, server responds with finished and we can FINALLY send data. (from 3 to 7 back&forth, wee) There's a functionality in tls called "session resumption", where all the back-and-forth already used in the first connection is replaced in subsequent connections by a simple token exchange (after all the client and server already authenticated each other, and can prove they know the same shared secret). This speeds up things a little: - no public key cryptography involved - the handshake devolves into clienthello, serverhello+finished, finished so it shaves one packet... well, not as good as could be expected but still something. So, this functionality exists in libressl. What Joel and others did was expose it in libtls, and add a hook in ftp(1) so that it could be used by pkg_add. This is still fairly secure: pkg_add creates a temporary file as _pkgfetch, unlinks it from the filesystem, and passes /dev/fd/ as the session file to ftp(1), which is happy to work with it (no easy way to spy on that secret... and if you can look at other processes opened files, I'd say you have bigger problems). 
(I don't know who exactly came up with the idea of making it work with a pure file descriptor, but this is brilliant) Measuring this shows that https gets somewhat less slow. It's still slower than pure http (the extra 3 messages are still something), but it becomes more of a choice for people who want anonymity. Note that, if you use session resumption, ftp(1) will report on whether or not it was successful. pkg_add(1) parses those messages and will tell you whether you are using a "slow" https mirror or not. I've also run into bizarre session resumption implementations (apache...) which seem to think that 5 minutes is a good timeout for expiring tokens (we're talking about session tokens that are actually ACTIVE AND USED, not keeping tokens around while the connection is closed. Nope, looks like at least one mirror expires tokens after five minutes, regardless of their use). So, this is as good as it gets from this end, until I figure out a better way to interleave operations...
allow marking IPv6 with a do not fragment flag for ip6_output
ipv6 packets dont have a DF bit you can set in the header, you have to pass it as an option to ip6_output if you want that behaviour on output. however, ip6_send makes it hard to pass ip6 options to ip6_output because you give it an mbuf, and hope for the best in the future. to cope with this, im proposing we treat "dont fragment on output" for ipv6 as a checksum flag on an mbuf. the diff below implements this: Index: sys/mbuf.h === RCS file: /cvs/src/sys/sys/mbuf.h,v retrieving revision 1.234 diff -u -p -r1.234 mbuf.h --- sys/mbuf.h 9 Feb 2018 02:26:33 - 1.234 +++ sys/mbuf.h 10 Feb 2018 09:38:40 - @@ -224,12 +224,14 @@ struct mbuf { #defineM_ICMP_CSUM_OUT 0x0200 /* ICMP/ICMPv6 checksum needed */ #defineM_ICMP_CSUM_IN_OK 0x0400 /* ICMP/ICMPv6 checksum verified */ #defineM_ICMP_CSUM_IN_BAD 0x0800 /* ICMP/ICMPv6 checksum bad */ +#defineM_IPV6_DF_OUT 0x1000 /* don't fragment outgoing IPv6 */ #ifdef _KERNEL #define MCS_BITS \ ("\20\1IPV4_CSUM_OUT\2TCP_CSUM_OUT\3UDP_CSUM_OUT\4IPV4_CSUM_IN_OK" \ "\5IPV4_CSUM_IN_BAD\6TCP_CSUM_IN_OK\7TCP_CSUM_IN_BAD\10UDP_CSUM_IN_OK" \ -"\11UDP_CSUM_IN_BAD\12ICMP_CSUM_OUT\13ICMP_CSUM_IN_OK\14ICMP_CSUM_IN_BAD") +"\11UDP_CSUM_IN_BAD\12ICMP_CSUM_OUT\13ICMP_CSUM_IN_OK\14ICMP_CSUM_IN_BAD" \ +"\15IPV6_NODF_OUT") #endif /* mbuf types */ Index: netinet6/ip6_output.c === RCS file: /cvs/src/sys/netinet6/ip6_output.c,v retrieving revision 1.232 diff -u -p -r1.232 ip6_output.c --- netinet6/ip6_output.c 1 Sep 2017 15:05:31 - 1.232 +++ netinet6/ip6_output.c 10 Feb 2018 09:38:40 - @@ -656,7 +656,10 @@ reroute: */ tlen = m->m_pkthdr.len; - if (opt && (opt->ip6po_flags & IP6PO_DONTFRAG)) + if (ISSET(m->m_pkthdr.csum_flags, M_IPV6_DF_OUT)) { + CLR(m->m_pkthdr.csum_flags, M_IPV6_DF_OUT); + dontfrag = 1; + } else if (opt && ISSET(opt->ip6po_flags, IP6PO_DONTFRAG)) dontfrag = 1; else dontfrag = 0;
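Review bot: The `MCS_BITS` decode string names the new bit `IPV6_NODF_OUT` while the macro added a few lines above is `M_IPV6_DF_OUT`; the string is only used to pretty-print `csum_flags`, but the mismatch will mislead anyone grepping debug output for the flag, so it should read `"\15IPV6_DF_OUT"`. The position itself is right: 0x1000 is the 13th bit and `\15` is octal 13.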
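Review bot: The new branch clears `M_IPV6_DF_OUT` from `csum_flags` the first time it is evaluated, so if this point is reached again for the same mbuf through the `reroute:` label named in the hunk header (the surrounding control flow is outside the hunk), `dontfrag` is recomputed from `opt` alone and comes out 0. If a second pass is possible, read the flag without consuming it here, `if (ISSET(m->m_pkthdr.csum_flags, M_IPV6_DF_OUT) || (opt && ISSET(opt->ip6po_flags, IP6PO_DONTFRAG)))`, and clear it once where the packet is finally handed to the interface. Either way a short comment on the `CLR` saying why the flag is consumed at this point would help the next reader.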
Re: route socket filter on priority
On 2018/02/10 10:12, Sebastian Benoit wrote: > > > - add ROUTE_PRIOFILTER > - it has one argument that is interpreted as a route priority > - all route updates with prio lower or equal will pass the filter, > all with higher priority value will be filtered. > - example use in ospfd > > comments/oks? > > (benno_ospfd_route_priofilter_1.diff) > > diff --git sys/net/route.h sys/net/route.h > index 1ca0a22c45f..7a4008b7ac1 100644 > --- sys/net/route.h > +++ sys/net/route.h > @@ -298,6 +298,9 @@ struct rt_msghdr { > #define ROUTE_TABLEFILTER 2 /* change routing table the socket is listening > on, RTABLE_ANY listens on all tables. */ > > +#define ROUTE_PRIOFILTER 3 /* change routing table the socket is listening > +on, RTABLE_ANY listens on all tables. */ > + This comment needs fixing or removing, otherwise ok. Feel free to use this accompanying manpage diff. Index: route.4 === RCS file: /cvs/src/share/man/man4/route.4,v retrieving revision 1.44 diff -u -p -r1.44 route.4 --- route.4 12 Jan 2018 04:36:44 - 1.44 +++ route.4 10 Feb 2018 10:39:08 - @@ -210,6 +210,20 @@ if (setsockopt(routefd, PF_ROUTE, ROUTE_ err(1, "setsockopt(ROUTE_MSGFILTER)"); .Ed .Pp +Similarly, a process can specify that it is only interested in messages +relating to routes where the priority is no more than a certain value +by issuing a setsockopt call with the +.Dv ROUTE_PRIOFILTER +option. +For example, to select only static, directly connected and local routes: +.Bd -literal -offset indent +u_char maxprio; + +if (setsockopt(routefd, PF_ROUTE, ROUTE_PRIOFILTER, +&maxprio, sizeof(maxprio)) == -1) + err(1, "setsockopt(ROUTE_PRIOFILTER)"); +.Ed +.Pp If a route is in use when it is deleted, the routing entry will be marked down and removed from the routing table, but the resources associated with it will not
Re: route socket filter on priority
Nice feature lots of real world use cases. On 10 Feb 2018 9:19 AM, "Sebastian Benoit" wrote: > > > - add ROUTE_PRIOFILTER > - it has one argument that is interpreted as a route priority > - all route updates with prio lower or equal will pass the filter, > all with higher priority value will be filtered. > - example use in ospfd > > comments/oks? > > (benno_ospfd_route_priofilter_1.diff) > > diff --git sys/net/route.h sys/net/route.h > index 1ca0a22c45f..7a4008b7ac1 100644 > --- sys/net/route.h > +++ sys/net/route.h > @@ -298,6 +298,9 @@ struct rt_msghdr { > #define ROUTE_TABLEFILTER 2/* change routing table the socket is > listening >on, RTABLE_ANY listens on all tables. */ > > +#define ROUTE_PRIOFILTER 3 /* change routing table the socket is > listening > + on, RTABLE_ANY listens on all tables. */ > + > #define ROUTE_FILTER(m)(1 << (m)) > #define RTABLE_ANY 0x > > diff --git sys/net/rtsock.c sys/net/rtsock.c > index 35bdd09d143..5f4244e6057 100644 > --- sys/net/rtsock.c > +++ sys/net/rtsock.c > @@ -141,6 +141,7 @@ struct routecb { > unsigned intmsgfilter; > unsigned intflags; > u_int rtableid; > + u_char priority; > }; > #definesotoroutecb(so) ((struct routecb *)(so)->so_pcb) > > @@ -309,6 +310,7 @@ route_ctloutput(int op, struct socket *so, int level, > int optname, > struct routecb *rop = sotoroutecb(so); > int error = 0; > unsigned int tid; > + u_char prio; > > if (level != AF_ROUTE) > return (EINVAL); > @@ -333,6 +335,17 @@ route_ctloutput(int op, struct socket *so, int level, > int optname, > else > rop->rtableid = tid; > break; > + case ROUTE_PRIOFILTER: > + if (m == NULL || m->m_len != sizeof(u_char)) { > + error = EINVAL; > + break; > + } > + prio = *mtod(m, u_char *); > + if (prio > RTP_MAX) > + error = EINVAL; > + else > + rop->priority = prio; > + break; > default: > error = ENOPROTOOPT; > break; 
> @@ -348,6 +361,10 @@ route_ctloutput(int op, struct socket *so, int level, > int optname, > m->m_len = sizeof(unsigned int); > *mtod(m, unsigned int *) = rop->rtableid; > break; > + case ROUTE_PRIOFILTER: > + m->m_len = sizeof(u_char); > + *mtod(m, u_char *) = rop->priority; > + break; > default: > error = ENOPROTOOPT; > break; > @@ -431,6 +448,8 @@ route_input(struct mbuf *m0, struct socket *so, > sa_family_t sa_family) > if (rtm->rtm_type != RTM_DESYNC && rop->msgfilter != 0 && > !(rop->msgfilter & (1 << rtm->rtm_type))) > continue; > + if (rop->priority != 0 && rop->priority < > rtm->rtm_priority) > + continue; > switch (rtm->rtm_type) { > case RTM_IFANNOUNCE: > case RTM_DESYNC: > diff --git usr.sbin/ospfd/kroute.c usr.sbin/ospfd/kroute.c > index 17febefbdcb..a5c069aa540 100644 > --- usr.sbin/ospfd/kroute.c > +++ usr.sbin/ospfd/kroute.c > @@ -127,10 +127,11 @@ kif_init(void) > } > > int > -kr_init(int fs, u_int rdomain) > +kr_init(int fs, u_int rdomain, u_int8_t redis_label_or_prefix) > { > int opt = 0, rcvbuf, default_rcvbuf; > socklen_t optlen; > + u_char filter_prio = RTP_OSPF; > > kr_state.fib_sync = fs; > kr_state.rdomain = rdomain; > @@ -146,6 +147,14 @@ kr_init(int fs, u_int rdomain) > &opt, sizeof(opt)) == -1) > log_warn("kr_init: setsockopt");/* not fatal */ > > + if (redis_label_or_prefix) > + filter_prio = 0; > + if (setsockopt(kr_state.fd, AF_ROUTE, ROUTE_PRIOFILTER, > &filter_prio, > + sizeof(filter_prio)) == -1) { > + log_warn("%s: setsockopt AF_ROUTE ROUTE_PRIOFILTER", > __func__); > + return (-1); > + } > + > /* grow receive buffer, don't wanna miss messages */ > optlen = sizeof(default_rcvbuf); > if (getsockopt(kr_state.fd, SOL_SOCKET, SO_RCVBUF, > diff --git usr.sbin/ospfd/ospfd.c usr.sbin/ospfd/ospfd.c > index 3c5057ae04e..0e91819f673 100644 > --- usr.sbin/ospfd/ospfd.c > +++ usr.sbin/ospfd/ospfd.c > @@ -265,7 +265,7 @@ main(int argc, char *argv[]) > event_add(&iev_r
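Review bot: The new priority check in `route_input` runs before the `switch (rtm->rtm_type)` and so is also applied to RTM_IFANNOUNCE, RTM_IFINFO, RTM_NEWADDR and similar messages, whose headers are not a `struct rt_msghdr`; `rtm->rtm_priority` then reads whatever byte sits at that offset in the other header (for an interface announcement I believe that falls inside the interface name), and a socket with a priority filter set can silently lose interface and address events. Moving the two lines into the arm of that switch that handles ordinary route messages (its `default:` case, if that is how the switch is laid out) confines the filter to messages that actually carry a priority: `default: if (rop->priority != 0 && rop->priority < rtm->rtm_priority) continue;`. The same hunk appears in the original posting further down this page. `route_input` begins before the hunk.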
route socket filter on priority
- add ROUTE_PRIOFILTER - it has one argument that is interpreted as a route priority - all route updates with prio lower or equal will pass the filter, all with higher priority value will be filtered. - example use in ospfd comments/oks? (benno_ospfd_route_priofilter_1.diff) diff --git sys/net/route.h sys/net/route.h index 1ca0a22c45f..7a4008b7ac1 100644 --- sys/net/route.h +++ sys/net/route.h @@ -298,6 +298,9 @@ struct rt_msghdr { #define ROUTE_TABLEFILTER 2/* change routing table the socket is listening on, RTABLE_ANY listens on all tables. */ +#define ROUTE_PRIOFILTER 3 /* change routing table the socket is listening + on, RTABLE_ANY listens on all tables. */ + #define ROUTE_FILTER(m)(1 << (m)) #define RTABLE_ANY 0x diff --git sys/net/rtsock.c sys/net/rtsock.c index 35bdd09d143..5f4244e6057 100644 --- sys/net/rtsock.c +++ sys/net/rtsock.c @@ -141,6 +141,7 @@ struct routecb { unsigned intmsgfilter; unsigned intflags; u_int rtableid; + u_char priority; }; #definesotoroutecb(so) ((struct routecb *)(so)->so_pcb) @@ -309,6 +310,7 @@ route_ctloutput(int op, struct socket *so, int level, int optname, struct routecb *rop = sotoroutecb(so); int error = 0; unsigned int tid; + u_char prio; if (level != AF_ROUTE) return (EINVAL); @@ -333,6 +335,17 @@ route_ctloutput(int op, struct socket *so, int level, int optname, else rop->rtableid = tid; break; + case ROUTE_PRIOFILTER: + if (m == NULL || m->m_len != sizeof(u_char)) { + error = EINVAL; + break; + } + prio = *mtod(m, u_char *); + if (prio > RTP_MAX) + error = EINVAL; + else + rop->priority = prio; + break; default: error = ENOPROTOOPT; break; @@ -348,6 +361,10 @@ route_ctloutput(int op, struct socket *so, int level, int optname, m->m_len = sizeof(unsigned int); *mtod(m, unsigned int *) = rop->rtableid; break; + case ROUTE_PRIOFILTER: + m->m_len = sizeof(u_char); + *mtod(m, u_char *) = rop->priority; + break; default: error = ENOPROTOOPT; break; 
@@ -431,6 +448,8 @@ route_input(struct mbuf *m0, struct socket *so, sa_family_t sa_family) if (rtm->rtm_type != RTM_DESYNC && rop->msgfilter != 0 && !(rop->msgfilter & (1 << rtm->rtm_type))) continue; + if (rop->priority != 0 && rop->priority < rtm->rtm_priority) + continue; switch (rtm->rtm_type) { case RTM_IFANNOUNCE: case RTM_DESYNC: diff --git usr.sbin/ospfd/kroute.c usr.sbin/ospfd/kroute.c index 17febefbdcb..a5c069aa540 100644 --- usr.sbin/ospfd/kroute.c +++ usr.sbin/ospfd/kroute.c @@ -127,10 +127,11 @@ kif_init(void) } int -kr_init(int fs, u_int rdomain) +kr_init(int fs, u_int rdomain, u_int8_t redis_label_or_prefix) { int opt = 0, rcvbuf, default_rcvbuf; socklen_t optlen; + u_char filter_prio = RTP_OSPF; kr_state.fib_sync = fs; kr_state.rdomain = rdomain; @@ -146,6 +147,14 @@ kr_init(int fs, u_int rdomain) &opt, sizeof(opt)) == -1) log_warn("kr_init: setsockopt");/* not fatal */ + if (redis_label_or_prefix) + filter_prio = 0; + if (setsockopt(kr_state.fd, AF_ROUTE, ROUTE_PRIOFILTER, &filter_prio, + sizeof(filter_prio)) == -1) { + log_warn("%s: setsockopt AF_ROUTE ROUTE_PRIOFILTER", __func__); + return (-1); + } + /* grow receive buffer, don't wanna miss messages */ optlen = sizeof(default_rcvbuf); if (getsockopt(kr_state.fd, SOL_SOCKET, SO_RCVBUF, diff --git usr.sbin/ospfd/ospfd.c usr.sbin/ospfd/ospfd.c index 3c5057ae04e..0e91819f673 100644 --- usr.sbin/ospfd/ospfd.c +++ usr.sbin/ospfd/ospfd.c @@ -265,7 +265,7 @@ main(int argc, char *argv[]) event_add(&iev_rde->ev, NULL); if (kr_init(!(ospfd_conf->flags & OSPFD_FLAG_NO_FIB_UPDATE), - ospfd_conf->rdomain) == -1) + ospfd_conf->rdomain, ospfd_conf->redist_label_or_prefix) == -1) fatalx("kr_init failed"); /* remove unneeded stuff from config */ diff --git usr.sbin/ospfd/ospfd.h usr.sbin
IPv6 reject routes autocreation
Similar to IPv4 this will inject all the magic reject routes for IPv6. This includes the bad networks in the 6to4 range (2002::/16) and some other magic. Here it what you get: Internet6: DestinationGateway Flags Refs Use Mtu Prio Iface ::/96 ::1 UGRS 00 32768 8 lo2 ::1::1 UHhl 10 10 327681 lo2 :::0.0.0.0/96 ::1 UGRS 00 32768 8 lo2 2002::/24 ::1 UGRS 00 32768 8 lo2 2002:7f00::/24 ::1 UGRS 00 32768 8 lo2 2002:e000::/20 ::1 UGRS 00 32768 8 lo2 2002:ff00::/24 ::1 UGRS 00 32768 8 lo2 fe80::/10 ::1 UGRS 01 32768 8 lo2 fec0::/10 ::1 UGRS 00 32768 8 lo2 fe80::1%lo2fe80::1%lo2 UHl 00 32768 1 lo2 ff01::/16 ::1 UGRS 00 32768 8 lo2 ff01::%lo2/32 ::1 Um 01 32768 4 lo2 ff02::/16 ::1 UGRS 00 32768 8 lo2 ff02::%lo2/32 ::1 Um 01 32768 4 lo2 -- :wq Claudio Index: netinet6//in6_ifattach.c === RCS file: /cvs/src/sys/netinet6/in6_ifattach.c,v retrieving revision 1.105 diff -u -p -r1.105 in6_ifattach.c --- netinet6//in6_ifattach.c10 Feb 2018 05:52:08 - 1.105 +++ netinet6//in6_ifattach.c10 Feb 2018 08:31:12 - @@ -61,6 +61,8 @@ int in6_get_hw_ifid(struct ifnet *, stru intin6_get_soii_ifid(struct ifnet *, struct in6_addr *); void in6_get_ifid(struct ifnet *, struct in6_addr *); intin6_ifattach_loopback(struct ifnet *); +intin6_ifattach_loopback_routes(struct ifnet *, struct in6_ifaddr *); + #define EUI64_GBIT 0x01 #define EUI64_UBIT 0x02 
@@ -419,6 +421,63 @@ in6_ifattach_loopback(struct ifnet *ifp) return (in6_update_ifa(ifp, &ifra, NULL)); } +int +in6_ifattach_loopback_routes(struct ifnet *ifp, struct in6_ifaddr *ia6) +{ + struct rt_addrinfo info; + struct sockaddr_in6 addr, mask, gate; + int error, i; + + struct { + struct in6_addr addr; + struct in6_addr mask; + } reject_routes[] = { + { {{{ 0 }}}, IN6MASK96 }, + { {{{ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff, 0, 0 }}}, IN6MASK96 }, + { {{{ 0x20, 0x02, 0, 0 }}}, {{{ 0xff, 0xff, 0xff, 0 }}} }, + { {{{ 0x20, 0x02, 0x7f, 0 }}}, {{{ 0xff, 0xff, 0xff, 0 }}} }, + { {{{ 0x20, 0x02, 0xe0, 0 }}}, {{{ 0xff, 0xff, 0xf0, 0 }}} }, + { {{{ 0x20, 0x02, 0xff, 0 }}}, {{{ 0xff, 0xff, 0xff, 0 }}} }, + { {{{ 0xfe, 0x80, 0, 0 }}}, {{{ 0xff, 0xc0, 0, 0 }}} }, + { {{{ 0xfe, 0xc0, 0, 0 }}}, {{{ 0xff, 0xc0, 0, 0 }}} }, + { {{{ 0xff, 0x01, 0, 0 }}}, {{{ 0xff, 0xff, 0, 0 }}} }, + { {{{ 0xff, 0x02, 0, 0 }}}, {{{ 0xff, 0xff, 0, 0 }}} } + }; + + KASSERT(ifp->if_flags & IFF_LOOPBACK); + KASSERT(ia6 != NULL); + + bzero(&info, sizeof(info)); + bzero(&addr, sizeof(addr)); + bzero(&mask, sizeof(mask)); + bzero(&gate, sizeof(gate)); + + addr.sin6_len = sizeof(struct sockaddr_in6); + addr.sin6_family = AF_INET6; + mask.sin6_len = sizeof(struct sockaddr_in6); + mask.sin6_family = AF_INET6; + gate.sin6_len = sizeof(struct sockaddr_in6); + gate.sin6_family = AF_INET6; + gate.sin6_addr = in6addr_loopback; + + info.rti_flags = RTF_GATEWAY | RTF_REJECT | RTF_STATIC; + info.rti_ifa = &ia6->ia_ifa; + info.rti_info[RTAX_GATEWAY] = sin6tosa(&gate); + + for (i = 0; i < nitems(reject_routes); i++) { + /* Now insert the reject routes */ + addr.sin6_addr = reject_routes[i].addr; + mask.sin6_addr = reject_routes[i].mask; + info.rti_info[RTAX_DST] = sin6tosa(&addr); + info.rti_info[RTAX_NETMASK] = sin6tosa(&mask); + + error = rtrequest(RTM_ADD, &info, 0, NULL, ifp->if_rdomain); + if (error) + return (error); + } + return (0); +} + /* * compute NI group address, based on the current hostname 
setting. * see draft-ietf-ipngwg-icmp-name-lookup-* (04 and later). @@ -507,6 +566,10 @@ in6_ifattach(struct ifnet *ifp) return (0); error = in6_ifattach_loopback(ifp); + if (error) + return (error); + error = in6_ifattach_loopback_routes(ifp, + in6ifa_ifpwithaddr(ifp, &in6)); if (error) return (error); }
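Review bot: The reject_routes table in in6_ifattach_loopback_routes is an automatic array, so its ten address/mask pairs are rebuilt on the kernel stack on every call; declaring it `static const struct { ... } reject_routes[] = {` keeps it in read-only data, and the copies into addr.sin6_addr and mask.sin6_addr work unchanged. The loop index `i` is an `int` compared against `nitems(reject_routes)`, which is unsigned; `u_int i;` avoids the signed/unsigned comparison. On an rtrequest error the routes already added stay in place while the error propagates up through in6_ifattach; if the guard before in6_ifattach_loopback (outside the hunk) does not prevent a second run on an already-attached loopback, the first RTM_ADD of an existing route fails and the whole attach reports an error, so a comment stating that this runs exactly once per loopback interface would make that intent checkable.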
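Review bot: The result of `in6ifa_ifpwithaddr(ifp, &in6)` is passed straight into in6_ifattach_loopback_routes, whose `KASSERT(ia6 != NULL)` is the only NULL check; if the lookup fails even though in6_ifattach_loopback succeeded, a kernel built without KASSERT continues into `&ia6->ia_ifa` with a NULL ia6. Look the address up first and return an error instead, e.g. `if ((ia6 = in6ifa_ifpwithaddr(ifp, &in6)) == NULL) return (EADDRNOTAVAIL);` followed by `error = in6_ifattach_loopback_routes(ifp, ia6);`, with ia6 declared alongside in6. in6_ifattach's body, including the declaration of in6, begins outside the hunk.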
