Add bufferevent_setwatermark(3) to manual

2018-09-21 Thread Geoff Hill
Hello tech,

I noticed the event(3) manual pages don't mention the
bufferevent_setwatermark(3) function and gloss over the details of
watermarks, even though there are a few programs in userland that set both
read and write watermarks. Looks like there was an effort in 2017
to add some documentation but it stalled.

Here's a patch that adds the function synopsis and a brief description
of how watermarks work separately for read and write. Mostly copied from
the function declaration comments in event.h.

ok?

Geoff Hill


Index: event.3
===
RCS file: /cvs/src/lib/libevent/event.3,v
retrieving revision 1.54
diff -u -p -u -r1.54 event.3
--- event.3 26 Jul 2018 12:50:04 -  1.54
+++ event.3 22 Sep 2018 01:26:56 -
@@ -68,6 +68,7 @@
 .Nm bufferevent_enable ,
 .Nm bufferevent_disable ,
 .Nm bufferevent_settimeout ,
+.Nm bufferevent_setwatermark ,
 .Nm EVBUFFER_INPUT ,
 .Nm EVBUFFER_OUTPUT
 .Nd execute a function when a specific event occurs
@@ -156,6 +157,8 @@
 .Fn "bufferevent_disable" "struct bufferevent *bufev" "short event"
 .Ft void
 .Fn "bufferevent_settimeout" "struct bufferevent *bufev" "int timeout_read" 
"int timeout_write"
+.Ft void
+.Fn "bufferevent_setwatermark" "struct bufferevent *bufev" "short events" 
"size_t lowmark" "size_t highmark"
 .Ft "struct evbuffer *"
 .Fn "EVBUFFER_INPUT" "struct bufferevent *bufev"
 .Ft "struct evbuffer *"
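Review bot: the new `.Fn "bufferevent_setwatermark"` line appears split across two lines (trailing space after `"short events"`), and the context `.Fn "bufferevent_settimeout"` line right above it is wrapped the same way, which points to mail-client wrapping rather than the file's real layout; please make sure the patch you commit keeps each `.Fn` on one line, otherwise `"size_t lowmark" "size_t highmark"` becomes a bare text line for mandoc and the hunk may not apply cleanly.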
@@ -492,10 +495,35 @@ and
 When read enabled the bufferevent will try to read from the file
 descriptor and call the read callback.
 The write callback is executed
-whenever the output buffer is drained below the write low watermark,
+whenever the output buffer is drained below the write
+.Fa "lowmark" ,
 which is
 .Va 0
 by default.
+.Pp
+The
+.Fn bufferevent_setwatermark
+function can set the the low and high watermarks
+for read and write events.
+.Fa "events"
+can be
+.Va EV_READ ,
+.Va EV_WRITE
+or both.
+When used with
+.Va EV_READ ,
+a bufferevent does not invoke the user read callback
+unless there is at least
+.Fa "lowmark"
+data in the buffer.
+If the read buffer is beyond
+.Fa "highmark" ,
+the bufferevent stops reading from the file descriptor.
+When used with
+.Va EV_WRITE,
+the user write callback is invoked whenever the buffered data
+falls below
+.Fa "lowmark" .
 .Pp
 The
 .Fn bufferevent_write
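Review bot: two nits in the new paragraph: `function can set the the low and high watermarks` has a doubled `the`, and `.Va EV_WRITE,` lacks the space before the comma that `.Va EV_READ ,` a few lines earlier has, so mdoc will treat the comma as part of the macro argument instead of trailing punctuation. Otherwise the read/write semantics match the description of the function in event.h.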



Re: bgpd ROA validation

2018-09-21 Thread Sebastian Benoit
Claudio Jeker(cje...@diehard.n-r-g.com) on 2018.09.21 22:30:17 +0200:
> > In my setup I get these numbers:
> > 5895 invalid prefixes
> > 67478 valid prefixes
> > 638299 unknown prefixes
> > This is from a single IPv4 only full feed.
> > 
> > Disclaimer: works for me, but I did not test it thoroughly; in particular no
> > comparison was done to other implementations. Still wanted to share it
> > now so other people can help.

fwiw, the numbers you are seeing and what i get seem to agree with the stats
on https://rpki-monitor.antd.nist.gov/

(Of course more tests and reality checks/comparisons are still welcome)



Re: bgpd ROA validation

2018-09-21 Thread Claudio Jeker
On Fri, Sep 21, 2018 at 05:29:24PM +0200, Claudio Jeker wrote:
> This diff adds the rest needed to do ROA validation.
> 
> It does:
> - add the filter logic for roa validation check
>    deny from any roa-set RPKI invalid
>    match from any roa-set RPKI valid set community local-as:42
> - makes the RDE do the roa validation check whenever a prefix is added to
>   the RIB (both via UPDATE or via network statement)
> - adds some magic for reloads (currently a big hammer that needs to be
>   optimized but lets start easy)
> - various bug fixes
> - introduces a new function aspath_origin() to get the origin AS from an
>   AS path. This info may later be used for source-as checks as well but
>   they currently behave a bit differently when it comes to paths not ending
>   with an AS SEQUENCE segment.
> 
> I currently use the RIPE RPKI validator to grab a JSON file (e.g.
> http://localcert.ripe.net:8088/export.json) and feed that to this perl
> script to convert it into bgpd syntax:
> 
> #!/usr/bin/perl
> use strict;
> use warnings;
> use JSON::PP;
> my $json = do { local $/; <> };
> my $roa = decode_json $json;
> print "roa-set RPKI {\n";
> foreach (@{$roa->{'roas'}}) {
> 	my $as = substr $_->{'asn'}, 2;
> 	print "\t$_->{'prefix'} maxlen $_->{'maxLength'} source-as $as\n";
> }
> print "}\n";
> 
> With that configs like this work:
> include "/etc/bgpd/rpki.conf"
> 
> deny from any roa-set RPKI invalid
> match from any roa-set RPKI valid set community local-as:42
> match from any roa-set RPKI unknown set community local-as:43
> 
> In my setup I get these numbers:
> 5895 invalid prefixes
> 67478 valid prefixes
> 638299 unknown prefixes
> This is from a single IPv4 only full feed.
> 
> Disclaimer: works for me, but I did not test it thoroughly; in particular no
> comparison was done to other implementations. Still wanted to share it
> now so other people can help.

Updated diff, fixes an issue with IPv6 sessions which was found by benno@

-- 
:wq Claudio

Index: bgpd.c
===
RCS file: /cvs/src/usr.sbin/bgpd/bgpd.c,v
retrieving revision 1.201
diff -u -p -r1.201 bgpd.c
--- bgpd.c  21 Sep 2018 04:55:27 -  1.201
+++ bgpd.c  21 Sep 2018 13:56:16 -
@@ -529,15 +529,15 @@ reconfigure(char *conffile, struct bgpd_
ps->name, sizeof(ps->name)) == -1)
return (-1);
RB_FOREACH_SAFE(psi, prefixset_tree, &ps->psitems, npsi) {
-   u_int32_t *as;
+   struct roa_set *rs;
size_t i, l, n;
RB_REMOVE(prefixset_tree, &ps->psitems, psi);
-   as = set_get(psi->set, &n);
+   rs = set_get(psi->set, &n);
for (i = 0; i < n; i += l) {
l = (n - i > 1024 ? 1024 : n - i);
if (imsg_compose(ibuf_rde,
IMSG_RECONF_ROA_AS_SET_ITEMS,
-   0, 0, -1, as + i, l) == -1)
+   0, 0, -1, rs + i, l * sizeof(*rs)) == -1)
return -1;
}
if (imsg_compose(ibuf_rde, IMSG_RECONF_PREFIXSETITEM, 0,
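Review bot: passing `l * sizeof(*rs)` instead of `l` corrects the byte length handed to imsg_compose(), which previously sent only `l` bytes for `l` entries; that is a silent truncation fix and deserves its own line in the commit message rather than hiding under "various bug fixes". The loop still caps a chunk at 1024 entries, so please confirm that 1024 * sizeof(struct roa_set) stays below the imsg payload limit now that the byte count scales with the struct size.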
@@ -569,7 +569,7 @@ reconfigure(char *conffile, struct bgpd_
for (i = 0; i < n; i += l) {
l = (n - i > 1024 ? 1024 : n - i);
if (imsg_compose(ibuf_rde, IMSG_RECONF_AS_SET_ITEMS,
-   0, 0, -1, as + i, l) == -1)
+   0, 0, -1, as + i, l * sizeof(*as)) == -1)
return -1;
}
 
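Review bot: same length fix for the AS set items as in the ROA set loop above; a small helper taking (imsg type, pointer, element count, element size) would keep the two chunking loops from drifting apart again, since both compute the same `l = (n - i > 1024 ? 1024 : n - i)` and the same byte length.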
Index: bgpd.h
===
RCS file: /cvs/src/usr.sbin/bgpd/bgpd.h,v
retrieving revision 1.344
diff -u -p -r1.344 bgpd.h
--- bgpd.h  21 Sep 2018 04:55:27 -  1.344
+++ bgpd.h  21 Sep 2018 12:20:16 -
@@ -695,6 +695,12 @@ struct filter_prefixset {
struct rde_prefixset*ps;
 };
 
+struct filter_roaset {
+   u_int32_tvalidity;
+   char name[SET_NAME_LEN];
+   struct rde_prefixset*ps;
+};
+
 struct filter_community {
int as;
int type;
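Review bot: `validity` in struct filter_roaset is a bare u_int32_t while the filter keywords in the cover mail are `valid`, `invalid` and `unknown`; an enum (or at least a comment listing the accepted values) would make sure parse.y and the RDE agree on the encoding and would document the field for readers of bgpd.h.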
@@ -886,6 +892,7 @@ struct filter_match {
struct filter_largecommunitylarge_community;
struct filter_extcommunity  ext_community;
struct filter_prefixset prefixset;
+   struct filter_roasetroaset;
 };
 
 union filter_rule_ptr {
@@ -1015,6 +1022,8 @@ extern struct rib_names ribnames;
 
 /* 4-byte magic AS number */
 #define AS_TRANS   23456
+/* AS_NONE for origin validation */
+#define AS_NONE0
 
 struct rde_memstats {
int64_t path_cnt;
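Review bot: the comment on AS_NONE should say what the sentinel stands for (presumably the value aspath_origin() yields when the path does not end in an AS_SEQUENCE segment, per the cover mail) and note that it deliberately reuses AS 0, which the parser rejects as reserved in the "AS 0 is also special" thread; otherwise a reader can mistake 0 for a real origin AS in the validation code.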
Index: parse.y
===

bgpd ROA validation

2018-09-21 Thread Claudio Jeker
This diff adds the rest needed to do ROA validation.

It does:
- add the filter logic for roa validation check
   deny from any roa-set RPKI invalid
   match from any roa-set RPKI valid set community local-as:42
- makes the RDE do the roa validation check whenever a prefix is added to
  the RIB (both via UPDATE or via network statement)
- adds some magic for reloads (currently a big hammer that needs to be
  optimized but lets start easy)
- various bug fixes
- introduces a new function aspath_origin() to get the origin AS from an
  AS path. This info may later be used for source-as checks as well but
  they currently behave a bit differently when it comes to paths not ending
  with an AS SEQUENCE segment.

I currently use the RIPE RPKI validator to grab a JSON file (e.g.
http://localcert.ripe.net:8088/export.json) and feed that to this perl
script to convert it into bgpd syntax:

#!/usr/bin/perl
# Convert the RIPE validator's export.json into a bgpd "roa-set" block.
use strict;
use warnings;
use JSON::PP;
my $json = do { local $/; <> };		# slurp the whole export from stdin or a file
my $roa = decode_json $json;
print "roa-set RPKI {\n";
foreach (@{$roa->{'roas'}}) {
	my $as = substr $_->{'asn'}, 2;	# "AS65001" -> "65001"
	print "\t$_->{'prefix'} maxlen $_->{'maxLength'} source-as $as\n";
}
print "}\n";

With that configs like this work:
include "/etc/bgpd/rpki.conf"

deny from any roa-set RPKI invalid
match from any roa-set RPKI valid set community local-as:42
match from any roa-set RPKI unknown set community local-as:43

In my setup I get these numbers:
5895 invalid prefixes
67478 valid prefixes
638299 unknown prefixes
This is from a single IPv4 only full feed.

Disclaimer: works for me, but I did not test it thoroughly; in particular no
comparison was done to other implementations. Still wanted to share it
now so other people can help.
-- 
:wq Claudio

Index: bgpd.c
===
RCS file: /cvs/src/usr.sbin/bgpd/bgpd.c,v
retrieving revision 1.201
diff -u -p -r1.201 bgpd.c
--- bgpd.c  21 Sep 2018 04:55:27 -  1.201
+++ bgpd.c  21 Sep 2018 13:56:16 -
@@ -529,15 +529,15 @@ reconfigure(char *conffile, struct bgpd_
ps->name, sizeof(ps->name)) == -1)
return (-1);
RB_FOREACH_SAFE(psi, prefixset_tree, &ps->psitems, npsi) {
-   u_int32_t *as;
+   struct roa_set *rs;
size_t i, l, n;
RB_REMOVE(prefixset_tree, &ps->psitems, psi);
-   as = set_get(psi->set, &n);
+   rs = set_get(psi->set, &n);
for (i = 0; i < n; i += l) {
l = (n - i > 1024 ? 1024 : n - i);
if (imsg_compose(ibuf_rde,
IMSG_RECONF_ROA_AS_SET_ITEMS,
-   0, 0, -1, as + i, l) == -1)
+   0, 0, -1, rs + i, l * sizeof(*rs)) == -1)
return -1;
}
if (imsg_compose(ibuf_rde, IMSG_RECONF_PREFIXSETITEM, 0,
@@ -569,7 +569,7 @@ reconfigure(char *conffile, struct bgpd_
for (i = 0; i < n; i += l) {
l = (n - i > 1024 ? 1024 : n - i);
if (imsg_compose(ibuf_rde, IMSG_RECONF_AS_SET_ITEMS,
-   0, 0, -1, as + i, l) == -1)
+   0, 0, -1, as + i, l * sizeof(*as)) == -1)
return -1;
}
 
Index: bgpd.h
===
RCS file: /cvs/src/usr.sbin/bgpd/bgpd.h,v
retrieving revision 1.344
diff -u -p -r1.344 bgpd.h
--- bgpd.h  21 Sep 2018 04:55:27 -  1.344
+++ bgpd.h  21 Sep 2018 12:20:16 -
@@ -695,6 +695,12 @@ struct filter_prefixset {
struct rde_prefixset*ps;
 };
 
+struct filter_roaset {
+   u_int32_tvalidity;
+   char name[SET_NAME_LEN];
+   struct rde_prefixset*ps;
+};
+
 struct filter_community {
int as;
int type;
@@ -886,6 +892,7 @@ struct filter_match {
struct filter_largecommunitylarge_community;
struct filter_extcommunity  ext_community;
struct filter_prefixset prefixset;
+   struct filter_roasetroaset;
 };
 
 union filter_rule_ptr {
@@ -1015,6 +1022,8 @@ extern struct rib_names ribnames;
 
 /* 4-byte magic AS number */
 #define AS_TRANS   23456
+/* AS_NONE for origin validation */
+#define AS_NONE0
 
 struct rde_memstats {
int64_t path_cnt;
Index: parse.y
===
RCS file: /cvs/src/usr.sbin/bgpd/parse.y,v
retrieving revision 1.359
diff -u -p -r1.359 parse.y
--- parse.y 21 Sep 2018 08:17:15 -  1.359
+++ parse.y 21 Sep 2018 11:18:44 -
@@ -100,6 +100,7 @@ static struct filte
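The three states the roa-set filter sorts prefixes into (valid, invalid, unknown), worked through as an added Python example that is not bgpd's code: it reads a constructed export.json in the validator's shape, emits the same roa-set block as the Perl script above, and classifies announced prefixes per RFC 6811, including the AS 0 ROA rule from RFC 7607.

```python
from __future__ import annotations

import ipaddress
import json
from dataclasses import dataclass

# Constructed sample in the shape of the validator's export.json (not real data).
SAMPLE_EXPORT = json.dumps({"roas": [
    {"asn": "AS65001", "prefix": "192.0.2.0/24", "maxLength": 24},
    {"asn": "AS65002", "prefix": "198.51.100.0/22", "maxLength": 24},
    {"asn": "AS0", "prefix": "203.0.113.0/24", "maxLength": 24},
    {"asn": "AS65003", "prefix": "2001:db8::/32", "maxLength": 48},
]})


@dataclass(frozen=True)
class Roa:
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    maxlen: int
    source_as: int


def load_roas(export_json: str) -> list[Roa]:
    """Parse the export; 'AS65001' -> 65001, as the Perl substr(..., 2) does."""
    roas = []
    for entry in json.loads(export_json)["roas"]:
        asn = entry["asn"]
        asn = int(asn[2:]) if asn.upper().startswith("AS") else int(asn)
        net = ipaddress.ip_network(entry["prefix"], strict=True)
        maxlen = int(entry["maxLength"])
        if not net.prefixlen <= maxlen <= net.max_prefixlen:
            raise ValueError(f"bad maxLength {maxlen} for {net}")
        roas.append(Roa(net, maxlen, asn))
    return roas


def to_bgpd_roa_set(roas: list[Roa], name: str = "RPKI") -> str:
    """Render the same 'roa-set' block the Perl script prints."""
    body = [f"\t{r.prefix} maxlen {r.maxlen} source-as {r.source_as}" for r in roas]
    return "\n".join([f"roa-set {name} {{", *body, "}"])


def validate(roas: list[Roa], prefix: str, origin_as: int) -> str:
    """RFC 6811 origin validation: 'valid', 'invalid' or 'unknown'.

    A ROA covers the route when the route lies inside the ROA prefix; it
    matches when additionally the origin AS is equal and the route is no
    longer than maxLength. A covering ROA without any match makes the route
    invalid; no covering ROA at all leaves it unknown. AS 0 ROAs (RFC 7607)
    can only cover, never match, and no real route has origin AS 0.
    """
    route = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for r in roas:
        if r.prefix.version != route.version or not route.subnet_of(r.prefix):
            continue
        covered = True
        if origin_as == 0 or r.source_as == 0:
            continue
        if r.source_as == origin_as and route.prefixlen <= r.maxlen:
            return "valid"
    return "invalid" if covered else "unknown"


def count_states(roas: list[Roa], routes: list[tuple[str, int]]) -> dict[str, int]:
    """Tally a feed the way the post's 'N invalid / valid / unknown' numbers do."""
    counts = {"valid": 0, "invalid": 0, "unknown": 0}
    for prefix, origin in routes:
        counts[validate(roas, prefix, origin)] += 1
    return counts


if __name__ == "__main__":
    roas = load_roas(SAMPLE_EXPORT)
    print(to_bgpd_roa_set(roas))
    for p, a in [("192.0.2.0/24", 65001), ("192.0.2.0/25", 65001),
                 ("203.0.113.0/24", 65001), ("10.0.0.0/8", 65001)]:
        print(p, a, validate(roas, p, a))
```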

Re: Maybe need to enrich `-T' option in netcat manual

2018-09-21 Thread Jason McIntyre
On Fri, Sep 21, 2018 at 10:07:54PM +0800, Nan Xiao wrote:
> Hi Jason,
> 
> Thanks very much for your response!
> 
> I checked the ping & traceroute code. For ping:
> 
> 	if (options & F_TTL) {
> 		if (IN_MULTICAST(ntohl(dst4.sin_addr.s_addr)))
> 			moptions |= MULTICAST_TTL;
> 		else
> 			options |= F_HDRINCL;
> 	}
> 
> For traceroute:
> void
> check_tos(struct ip *ip, int *last_tos)
> {
> 	struct icmp *icp;
> 	struct ip *inner_ip;
> 
> 	icp = (struct icmp *) (((u_char *)ip)+(ip->ip_hl<<2));
> 	inner_ip = (struct ip *) (((u_char *)icp)+8);
> 
> 	if (inner_ip->ip_tos != *last_tos)
> 		printf (" (TOS=%d!)", inner_ip->ip_tos);
> 
> 	*last_tos = inner_ip->ip_tos;
> }
> 
> They indeed don't handle IPv6. But for netcat, it actually handles the IPv6
> case, at least from the code in the preceding mail. If netcat doesn't want to
> handle IPv6 intentionally, I think the IPv6 code should be removed,
> thanks!
> 

if you submit a diff for whatever improvement you hope for, there is a
chance i can find people to review it and possibly commit it.

judging by the lack of responses from everyone else about your mail, i'd
say nothing will happen without such a diff.

jmc



carp_ourether() mpsafe

2018-09-21 Thread Martin Pieuchot
This is a requirement to get the bridge input/output path out of the
KERNEL_LOCK().

The diff is simple: use the non-locked version of SRP lists, as is
already done in other paths in carp(4).

Ok?

Index: netinet/ip_carp.c
===
RCS file: /cvs/src/sys/netinet/ip_carp.c,v
retrieving revision 1.333
diff -u -p -r1.333 ip_carp.c
--- netinet/ip_carp.c   10 Jul 2018 11:22:54 -  1.333
+++ netinet/ip_carp.c   19 Sep 2018 13:17:29 -
@@ -259,6 +259,7 @@ voidcarp_update_lsmask(struct carp_soft
 intcarp_new_vhost(struct carp_softc *, int, int);
 void   carp_destroy_vhosts(struct carp_softc *);
 void   carp_del_all_timeouts(struct carp_softc *);
+intcarp_vhe_match(struct carp_softc *, uint8_t *);
 
 struct if_clone carp_cloner =
 IF_CLONE_INITIALIZER("carp", carp_clone_create, carp_clone_destroy);
@@ -1340,29 +1341,27 @@ carp_iamatch(struct ifnet *ifp)
 }
 
 int
-carp_ourether(struct ifnet *ifp, u_int8_t *ena)
+carp_ourether(struct ifnet *ifp, uint8_t *ena)
 {
struct srpl *cif = &ifp->if_carp;
-   struct carp_softc *vh;
-
-   KERNEL_ASSERT_LOCKED(); /* touching if_carp + carp_vhosts */
-
-   if (SRPL_EMPTY_LOCKED(cif))
-   return (0);
+   struct carp_softc *sc;
+   struct srp_ref sr;
+   int match = 0;
 
KASSERT(ifp->if_type == IFT_ETHER);
 
-   SRPL_FOREACH_LOCKED(vh, cif, sc_list) {
-   struct carp_vhost_entry *vhe;
-   if ((vh->sc_if.if_flags & (IFF_UP|IFF_RUNNING)) !=
+   SRPL_FOREACH(sc, &sr, cif, sc_list) {
+   if ((sc->sc_if.if_flags & (IFF_UP|IFF_RUNNING)) !=
(IFF_UP|IFF_RUNNING))
continue;
-   vhe = SRPL_FIRST_LOCKED(&vh->carp_vhosts);
-   if ((vhe->state == MASTER || vh->sc_balancing >= CARP_BAL_IP) &&
-   !memcmp(ena, vh->sc_ac.ac_enaddr, ETHER_ADDR_LEN))
-   return (1);
+   if (carp_vhe_match(sc, ena)) {
+   match = 1;
+   break;
+   }
}
-   return (0);
+   SRPL_LEAVE(&sr);
+
+   return (match);
 }
 
 int
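Review bot: carp_vhe_match() is only declared in this diff; its body must now carry the `vhe->state == MASTER || sc_balancing >= CARP_BAL_IP` and memcmp() checks that used to run under KERNEL_ASSERT_LOCKED() with SRPL_FIRST_LOCKED(&vh->carp_vhosts), so the unlocked correctness of this hunk depends on that function taking its own srp_ref on carp_vhosts. Please include it in the diff so the two can be reviewed together.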



Re: [patch] Fix "Address already in use" issue when using netcat with UNIX-domain socket

2018-09-21 Thread Nan Xiao
ping tech@,

Very sorry for interrupting again! Can anyone comment on this
issue? Thanks!

On 9/18/2018 6:37 PM, Nan Xiao wrote:
> Hi tech@,
> 
> Assume I use netcat with UNIX-domain socket, and there is no
> temp_socket. Launch the server:
> 
> # ./nc -U -l temp_socket
> 
> It works normally. But after netcat exits, launch it again:
> 
> # nc -U -l temp_socket
> nc: Address already in use
> 
> The only method seems to delete temp_socket.
> 
> I am not sure this behavior is as expected, and came up with the following
> patch, which may fix this issue, thanks!
> 
> diff --git usr.bin/nc/netcat.c usr.bin/nc/netcat.c
> index 341e7e50485..3b2150a01dc 100644
> --- usr.bin/nc/netcat.c
> +++ usr.bin/nc/netcat.c
> @@ -749,6 +749,9 @@ unix_bind(char *path, int flags)
>   return -1;
>   }
> 
> + if (lflag)
> + unlink(path);
> +
>   if (bind(s, (struct sockaddr *)&s_un, sizeof(s_un)) < 0) {
>   save_errno = errno;
>   close(s);
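Review bot: the `unlink(path)` before bind() is unconditional: if another nc instance is still listening on `temp_socket`, or `path` names a non-socket file, the live listener's path is silently taken over or the file deleted. Before unlinking, check that the existing object is a socket (S_ISSOCK) and that a connect() to it fails with ECONNREFUSED, ignore an unlink() failure only for ENOENT, and document the removal in nc(1), since users of `-U -l` may not expect it.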
> 

-- 
Best Regards
Nan Xiao(肖楠)
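A narrower alternative to the unconditional unlink() in the patch above, as an added Python example (not netcat's code): the path is removed only when it is a socket file that no server answers on, and the sequence from the post (bind, exit without unlink, bind again) is replayed together with the two cases a blind unlink gets wrong.

```python
import errno
import os
import socket
import stat
import tempfile


class PathInUse(OSError):
    """The path is held by a live listener or is not a socket at all."""


def stale_socket(path: str) -> bool:
    """True if path is a socket file with no server accepting on it.

    Returns False when nothing exists at path; raises PathInUse when the
    object is not a socket or when a connect() to it succeeds.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISSOCK(st.st_mode):
        raise PathInUse(errno.EEXIST, "refusing to unlink a non-socket", path)
    probe = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        probe.connect(path)
    except ConnectionRefusedError:
        return True          # socket file left behind by a server that exited
    finally:
        probe.close()
    raise PathInUse(errno.EADDRINUSE, "another server is listening", path)


def unix_listen(path: str, backlog: int = 5) -> socket.socket:
    """What nc -U -l does, but only unlinking a provably stale socket."""
    if stale_socket(path):
        os.unlink(path)
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        s.bind(path)
        s.listen(backlog)
    except OSError:
        s.close()
        raise
    return s


def scenario() -> dict:
    """Replay the post's sequence plus the two cases a blind unlink breaks."""
    d = tempfile.mkdtemp(prefix="ncu")       # constructed scratch directory
    path = os.path.join(d, "temp_socket")
    out = {}
    try:
        first = unix_listen(path)            # fresh path: plain bind works
        out["fresh"] = "bound"
        try:                                  # a live server already holds it
            unix_listen(path).close()
            out["live"] = "bound"
        except PathInUse as e:
            out["live"] = e.strerror
        first.close()                         # exit without unlink, like nc
        second = unix_listen(path)            # stale file: cleaned and rebound
        out["stale"] = "bound"
        second.close()
        os.unlink(path)
        open(path, "w").close()               # an ordinary file at that path
        try:
            unix_listen(path).close()
            out["file"] = "bound"
        except PathInUse as e:
            out["file"] = e.strerror
    finally:
        if os.path.lexists(path):
            os.unlink(path)
        os.rmdir(d)
    return out
```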



Re: Maybe need to enrich `-T' option in netcat manual

2018-09-21 Thread Nan Xiao
Hi Jason,

Thanks very much for your response!

I checked the ping & traceroute code. For ping:

	if (options & F_TTL) {
		if (IN_MULTICAST(ntohl(dst4.sin_addr.s_addr)))
			moptions |= MULTICAST_TTL;
		else
			options |= F_HDRINCL;
	}

For traceroute:
void
check_tos(struct ip *ip, int *last_tos)
{
	struct icmp *icp;
	struct ip *inner_ip;

	icp = (struct icmp *) (((u_char *)ip)+(ip->ip_hl<<2));
	inner_ip = (struct ip *) (((u_char *)icp)+8);

	if (inner_ip->ip_tos != *last_tos)
		printf (" (TOS=%d!)", inner_ip->ip_tos);

	*last_tos = inner_ip->ip_tos;
}

They indeed don't handle IPv6. But for netcat, it actually handles the IPv6
case, at least from the code in the preceding mail. If netcat doesn't want to
handle IPv6 intentionally, I think the IPv6 code should be removed,
thanks!

Best Regards
Nan Xiao
On Thu, Sep 20, 2018 at 7:45 PM Jason McIntyre  wrote:
>
> On Wed, Sep 19, 2018 at 06:35:13PM +0800, Nan Xiao wrote:
> > Hi tech@,
> >
> > For `-T' option explanation in netcat manual:
> >
> > -T keyword
> > Change the IPv4 TOS value or the TLS options.
> >
> > But in fact, the netcat code not only processes IPv4 but also IPv6:
> >
> > 	if (Tflag != -1) {
> > 		if (af == AF_INET && setsockopt(s, IPPROTO_IP,
> > 		    IP_TOS, &Tflag, sizeof(Tflag)) == -1)
> > 			err(1, "set IP ToS");
> >
> > 		else if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6,
> > 		    IPV6_TCLASS, &Tflag, sizeof(Tflag)) == -1)
> > 			err(1, "set IPv6 traffic class");
> > 	}
> >
> > So I think maybe the netcat manual should be enriched at least for `-T'
> > option, thanks!
> >
>
> hi.
>
> i think if you submit a diff, there will be a better chance of getting
> an ok (or otherwise).
>
> i'm unsure about -T myself. i know that we synced the -T options for
> ping/nc/traceroute to keep them in sync with pf, but none of those other
> docs claim support for ip6 classes - actually quite the opposite.
> so i'm unsure if they work (have you tested?) or whether we want to
> document them.
>
> jmc
>



Re: add explanations of vmctl send command in vmctl.8

2018-09-21 Thread Jeremie Courreges-Anglas
On Wed, Sep 19 2018, Solene Rapenne  wrote:
> Solene Rapenne  wrote:
>> This diff explains a little more about the send commands.
>> send pauses the VM and sends its memory + the start parameters.
>> 
>
> new diff with some changes, also thx bentley@ for telling me sentences should
> start on a newline in mdoc.

ok jca@

> Index: vmctl.8
> ===
> RCS file: /cvs/src/usr.sbin/vmctl/vmctl.8,v
> retrieving revision 1.47
> diff -u -p -r1.47 vmctl.8
> --- vmctl.8 11 Sep 2018 04:03:16 -  1.47
> +++ vmctl.8 19 Sep 2018 10:20:06 -
> @@ -90,6 +90,13 @@ Reset and terminate all VMs.
>  Send a VM with the specified
>  .Ar id
>  to standard output and terminate it.
> +The VM is paused while send is processing.
> +Data sent to standard output contains the VM parameters and its memory,
> +not the disk image.
> +.Pp
> +In order to move a VM from one host to another, disk files must be
> +synced between the send and the receive processes and must be located
> +under the same path.
>  .It Cm show Op Ar id
>  An alias for the
>  .Cm status
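Review bot: since the stream written to standard output contains the guest's memory, the page could add that it may carry secrets (keys, passwords, session data) and should be moved between hosts over an encrypted channel and with restrictive permissions on any file it is stored in. Minor wording: "while send is processing" reads better as "while the send is in progress".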

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE



Re: smtpd: force TLS when relaying

2018-09-21 Thread Todd C. Miller
That syntax makes sense to me and I didn't notice any problems in
the diff.  OK millert@

 - todd



smtpd: force TLS when relaying

2018-09-21 Thread Eric Faurot
There is currently no way to force TLS on a relay rule in general, and
force certificate checking.  Typical use case: a secondary MX needing
to relay safely to lower preference MXs.

The diff below allows the "tls" option to be used alone, including on
non-smarthost relay rules, to specify that the relay must be using
TLS.  The "no-verify" keyword becomes optional.

Currently, the different cases are as follows:

- action  relay
  Standard relaying, using smtp with opportunistic STARTTLS.
  When using TLS, certificates are not checked.

- action  relay host 
  Relay through smarthost, using TLS or not, depending on the protocol.
  When using TLS, certificates are checked.

- action  relay host  tls no-verify
  Same as above, but certificates are not checked.

With the proposed change, we get:

- action  relay
  Standard relaying, using smtp with opportunistic STARTTLS.
  When using TLS, certificates are not checked.

- action  relay tls
  Standard relaying, using smtp with mandatory STARTTLS.
  Certificates are checked.

- action  relay tls no-verify
  Same as above, but certificates are not checked.

- action  relay host 
  Relay through smarthost, using TLS or not, depending on the protocol.
  For "smtp+tls://" and "smtps://" certificates are checked.
  For "smtp://" (opportunistic TLS) certificates are not checked.

- action  relay host  tls
  Relay through smarthost with mandatory TLS.
  Certificates are checked.
  The "smtp://" protocol is updated to "smtp+tls://" internally.
  The "smtp+notls://" protocol is rejected, and no relaying happens.

- action  relay host  tls no-verify
  Same as above, but certificates are not checked.


The differences with the currently allowed syntax are:

1) the "tls no-verify" option on smarthost relay actually forces TLS,
2) a relay with a "smtp://" smarthost and no "tls no-verify" does not
   require a valid certificate anymore.

It is more consistent altogether, and in practice it should not be
a problem because most smarthost configurations use strict TLS.

Now, for the secondary MX example, the rule would look like:

   action "do-backup" relay backup tls

Comments?

Eric.

Index: mta.c
===
RCS file: /cvs/src/usr.sbin/smtpd/mta.c,v
retrieving revision 1.225
diff -u -p -r1.225 mta.c
--- mta.c   19 Sep 2018 05:31:12 -  1.225
+++ mta.c   21 Sep 2018 08:09:14 -
@@ -657,6 +657,23 @@ mta_handle_envelope(struct envelope *evp
return;
}
 
+   if (dispatcher->u.remote.tls_required) {
+   /* Reject relay if smtp+notls:// is requested */
+   if (relayh.tls == RELAY_TLS_NO) {
+   log_warnx("warn: TLS required for action \"%s\"",
+   evp->dispatcher);
+   m_create(p_queue, IMSG_MTA_DELIVERY_TEMPFAIL, 0, 0, -1);
+   m_add_evpid(p_queue, evp->id);
+   m_add_string(p_queue, "TLS required for relaying");
+   m_add_int(p_queue, ESC_OTHER_STATUS);
+   m_close(p_queue);
+   return;
+   }
+   /* Update smtp:// to smtp+tls:// */
+   if (relayh.tls == RELAY_TLS_OPPORTUNISTIC)
+   relayh.tls = RELAY_TLS_STARTTLS;
+   }
+
relay = mta_relay(evp, &relayh);
/* ignore if we don't know the limits yet */
if (relay->limits &&
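Review bot: the `smtp+notls://` rejection is reported as IMSG_MTA_DELIVERY_TEMPFAIL, so a configuration that can never succeed gets retried until the envelope expires; since the conflict between the action's `tls` and the smarthost URL is static, catching it in parse.y at load time (or at least making it a permanent failure) would surface it immediately. The log_warnx() line should also include the smarthost, so the admin can see which relay URL the action is rejecting.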
@@ -1739,7 +1756,7 @@ mta_relay(struct envelope *e, struct rel
if (!key.authlabel[0])
key.authlabel = NULL;
 
-   if (dispatcher->u.remote.smarthost &&
+   if ((key.tls == RELAY_TLS_STARTTLS || key.tls == RELAY_TLS_SMTPS) &&
dispatcher->u.remote.tls_noverify == 0)
key.flags |= RELAY_TLS_VERIFY;
 
Index: parse.y
===
RCS file: /cvs/src/usr.sbin/smtpd/parse.y,v
retrieving revision 1.221
diff -u -p -r1.221 parse.y
--- parse.y 7 Sep 2018 07:35:31 -   1.221
+++ parse.y 21 Sep 2018 08:09:14 -
@@ -739,17 +739,21 @@ HELO STRING {
 
dispatcher->u.remote.smarthost = strdup(t->t_name);
 }
-| TLS NO_VERIFY {
-   if (dispatcher->u.remote.smarthost == NULL) {
-   yyerror("tls no-verify may not be specified without host on a 
dispatcher");
+| TLS {
+   if (dispatcher->u.remote.tls_required == 1) {
+   yyerror("tls already specified for this dispatcher");
YYERROR;
}
 
-   if (dispatcher->u.remote.tls_noverify == 1) {
-   yyerror("tls no-verify already specified for this dispatcher");
+   dispatcher->u.remote.tls_required = 1;
+}
+| TLS NO_VERIFY {
+   if (dispatcher->u.remote.tls_required == 1) {
+   yyerror("tls already specified for this dispatcher");
YYERROR;
}
 
+   disp
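Review bot: the hunk is cut off after `+ disp`, so the rest of the NO_VERIFY branch cannot be reviewed here. From what is visible, both the `TLS` and `TLS NO_VERIFY` rules fail with "tls already specified for this dispatcher" when tls_required is already set, so `tls` followed by `tls no-verify` on one action is rejected rather than merged; that is a reasonable strictness, but the message could say that `no-verify` has to be given together with the single `tls` keyword.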

Re: bgpd, AS 0 is also special

2018-09-21 Thread Claudio Jeker
On Fri, Sep 21, 2018 at 08:47:31AM +0200, Denis Fondras wrote:
> On Fri, Sep 21, 2018 at 07:20:24AM +0200, Claudio Jeker wrote:
> > Similar to AS_TRANS (23456) AS 0 should not be allowed.
> > This adds this restriction for asnumbers which are used on AS, remote-as
> > and local-as tokens in the config. Inside filters as4numer_any is used
> > which does not have any kind of restriction.
> > 
> > OK?
> 
> Error message does not really match.

Good point, it should use what people put in there. I was lured into the trap
by the %u in the string and forgot to double check the argument. Will fix
that before commit.
 
> Otherwise OK denis@
> 
> > -- 
> > :wq Claudio
> > 
> > 
> > ? obj
> > Index: parse.y
> > ===
> > RCS file: /cvs/src/usr.sbin/bgpd/parse.y,v
> > retrieving revision 1.357
> > diff -u -p -r1.357 parse.y
> > --- parse.y 21 Sep 2018 05:13:35 -  1.357
> > +++ parse.y 21 Sep 2018 05:16:45 -
> > @@ -297,7 +297,7 @@ as4number   : STRING{
> > free($1);
> > YYERROR;
> > }
> > -   if (uvalh == 0 && uval == AS_TRANS) {
> > +   if (uvalh == 0 && (uval == AS_TRANS || uval == 0)) {
> > yyerror("AS %u is reserved and may not be used",
> > AS_TRANS);
> > YYERROR;
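Review bot: the yyerror() still prints AS_TRANS while the condition now also fires for `uval == 0`, so someone who writes AS 0 in a 4-byte form is told that 23456 is reserved (Denis' point); pass the parsed value (`uval | (uvalh << 16)`) to the format instead of the constant.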
> > @@ -305,7 +305,7 @@ as4number   : STRING{
> > $$ = uval | (uvalh << 16);
> > }
> > | asnumber {
> > -   if ($1 == AS_TRANS) {
> > +   if ($1 == AS_TRANS || $1 == 0) {
> > yyerror("AS %u is reserved and may not be used",
> > AS_TRANS);
> > YYERROR;
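Review bot: same mismatch for the plain `asnumber` form: print `$1` rather than AS_TRANS so the message names the AS that was actually rejected.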
> > 
> 

-- 
:wq Claudio



Re: Add "Spleen 5x8" font to wsfont

2018-09-21 Thread Patrick Wildt
On Thu, Sep 20, 2018 at 09:44:09PM +0200, Frederic Cambus wrote:
> Hi tech@,
> 
> Here is a diff to add "Spleen 5x8" to wsfont, a font targeted at small
> OLED displays to be used with devices handled by ssdfb(4). It contains
> all printable ASCII characters (96 glyphs).
> 
> The font is 2-Clause BSD licensed and is my original creation.
> 
> In order to enable and test the font, this option should be added to the
> kernel configuration file: option FONT_SPLEEN5x8
> 
> Screenshot: https://www.cambus.net/files/openbsd/dmesg-spleen5x8.png
> 
> Comments? OK?

I have already tested the other versions and I'm very happy with the
results.  So ok by me.  Thanks for all your efforts!

> Index: sys/dev/wsfont/wsfont.c
> ===
> RCS file: /cvs/src/sys/dev/wsfont/wsfont.c,v
> retrieving revision 1.52
> diff -u -p -r1.52 wsfont.c
> --- sys/dev/wsfont/wsfont.c   8 Sep 2017 05:36:53 -   1.52
> +++ sys/dev/wsfont/wsfont.c   20 Sep 2018 18:52:29 -
> @@ -43,6 +43,11 @@
>  
>  #undef HAVE_FONT
>  
> +#ifdef FONT_SPLEEN5x8
> +#define HAVE_FONT 1
> +#include 
> +#endif
> +
>  #ifdef FONT_BOLD8x16
>  #define HAVE_FONT 1
>  #include 
> @@ -105,6 +110,9 @@ static struct font builtin_fonts[] = {
>  #endif
>  #ifdef FONT_GALLANT12x22
>   BUILTIN_FONT(gallant12x22, 3),
> +#endif
> +#ifdef FONT_SPLEEN5x8
> + BUILTIN_FONT(spleen5x8, 4),
>  #endif
>  #undef BUILTIN_FONT
>  };
> Index: sys/dev/wsfont/spleen5x8.h
> ===
> RCS file: sys/dev/wsfont/spleen5x8.h
> diff -N sys/dev/wsfont/spleen5x8.h
> --- /dev/null 1 Jan 1970 00:00:00 -
> +++ sys/dev/wsfont/spleen5x8.h20 Sep 2018 18:52:29 -
> @@ -0,0 +1,910 @@
> +/*   $OpenBSD$ */
> +
> +/*
> + * Copyright (c) 2018 Frederic Cambus 
> + * All rights reserved.
> + *
> + * Redistribution and use in source and binary forms, with or without
> + * modification, are permitted provided that the following conditions
> + * are met:
> + * 1. Redistributions of source code must retain the above copyright
> + *notice, this list of conditions and the following disclaimer.
> + * 2. Redistributions in binary form must reproduce the above copyright
> + *notice, this list of conditions and the following disclaimer in the
> + *documentation and/or other materials provided with the distribution.
> + *
> + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
> + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
> + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
> + * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
> + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
> + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
> + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
> + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
> + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
> + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
> + * SUCH DAMAGE.
> + */
> +
> +static u_char spleen5x8_data[];
> +
> +struct wsdisplay_font spleen5x8 = {
> + "Spleen 5x8",   /* typeface name */
> + 0,  /* index */
> + ' ',/* firstchar */
> + 128 - ' ',  /* numchars */
> + WSDISPLAY_FONTENC_ISO,  /* encoding */
> + 5,  /* width */
> + 8,  /* height */
> + 1,  /* stride */
> + WSDISPLAY_FONTORDER_L2R,/* bit order */
> + WSDISPLAY_FONTORDER_L2R,/* byte order */
> + NULL,   /* cookie */
> + spleen5x8_data  /* data */
> +};
> +
> +static u_char spleen5x8_data[] = {
> + 0x00,   /*  */
> + 0x00,   /*  */
> + 0x00,   /*  */
> + 0x00,   /*  */
> + 0x00,   /*  */
> + 0x00,   /*  */
> + 0x00,   /*  */
> + 0x00,   /*  */
> +
> + 0x20,   /* ..*. */
> + 0x20,   /* ..*. */
> + 0x20,   /* ..*. */
> + 0x20,   /* ..*. */
> + 0x20,   /* ..*. */
> + 0x00,   /*  */
> + 0x20,   /* ..*. */
> + 0x00,   /*  */
> +
> + 0x50,   /* .*.* */
> + 0x50,   /* .*.* */
> + 0x50,   /* .*.* */
> + 0x00,   /*  */
> + 0x00,   /*  */
> + 0x00,   /*  */
> + 0x00,   /*  */
> + 0x00,   /*  */
> +
> + 0x00,   /*  */
> + 0x50,   /* .*.* */
> + 0xf8,   /* *... */
> + 0x50,   /* .*.* */
> + 0x50,   /* .*.* */
> + 0xf8,   /* *... */
> + 0x50,   /* .*.* */
> + 0x00,   /* ..