Add bufferevent_setwatermark(3) to manual
Hello tech, I noticed the event(3) manual pages don't mention the bufferevent_setwatermark(3) function and glosses over the details of watermarks, even though there's a few programs in userland that set both read and write watermarks. Looks like there was an effort in 2017 to add some documentation but it stalled. Here's a patch that adds the function synopsis and a brief description of how watermarks work separately for read and write. Mostly copied from the function declaration comments in event.h. ok? Geoff Hill Index: event.3 === RCS file: /cvs/src/lib/libevent/event.3,v retrieving revision 1.54 diff -u -p -u -r1.54 event.3 --- event.3 26 Jul 2018 12:50:04 - 1.54 +++ event.3 22 Sep 2018 01:26:56 - @@ -68,6 +68,7 @@ .Nm bufferevent_enable , .Nm bufferevent_disable , .Nm bufferevent_settimeout , +.Nm bufferevent_setwatermark , .Nm EVBUFFER_INPUT , .Nm EVBUFFER_OUTPUT .Nd execute a function when a specific event occurs @@ -156,6 +157,8 @@ .Fn "bufferevent_disable" "struct bufferevent *bufev" "short event" .Ft void .Fn "bufferevent_settimeout" "struct bufferevent *bufev" "int timeout_read" "int timeout_write" +.Ft void +.Fn "bufferevent_setwatermark" "struct bufferevent *bufev" "short events" "size_t lowmark" "size_t highmark" .Ft "struct evbuffer *" .Fn "EVBUFFER_INPUT" "struct bufferevent *bufev" .Ft "struct evbuffer *" 
@@ -492,10 +495,35 @@ and When read enabled the bufferevent will try to read from the file descriptor and call the read callback. The write callback is executed -whenever the output buffer is drained below the write low watermark, +whenever the output buffer is drained below the write +.Fa "lowmark" , which is .Va 0 by default. +.Pp +The +.Fn bufferevent_setwatermark +function can set the the low and high watermarks +for read and write events. +.Fa "events" +can be +.Va EV_READ , +.Va EV_WRITE +or both. +When used with +.Va EV_READ , +a bufferevent does not invoke the user read callback +unless there is at least +.Fa "lowmark" +data in the buffer. +If the read buffer is beyond +.Fa "highmark" , +the bufferevent stops reading from the file descriptor. +When used with +.Va EV_WRITE, +the user write callback is invoked whenever the buffered data +falls below +.Fa "lowmark" . .Pp The .Fn bufferevent_write
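Review bot: In the last hunk the added sentence reads "can set the the low and high watermarks" (doubled "the"), and ".Va EV_WRITE," lacks the space before the comma that the ".Va EV_READ ," line above it has, so mdoc treats the comma as part of the argument instead of as trailing punctuation. EV_READ and EV_WRITE are defined constants, for which .Dv is the matching macro rather than .Va. "at least lowmark data in the buffer" should also name the unit of the size_t argument, for example "at least lowmark bytes of data" if bytes is what is meant.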
Re: bgpd ROA validation
Claudio Jeker(cje...@diehard.n-r-g.com) on 2018.09.21 22:30:17 +0200:
> > In my setup I get these numbers:
> > 5895 invalid prefixes
> > 67478 valid prefixes
> > 638299 unknown prefixes
> > This is from a single IPv4 only full feed.
> >
> > Disclaimer: works for me but I did not test it thoroughly especially no
> > comparison was done to other implementations. Still wanted to share it
> > now so other people can help.

fwiw, the numbers you are seeing and what i get seem to agree with the
stats on https://rpki-monitor.antd.nist.gov/

(Of course more tests and reality checks/comparisons are still welcome)
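How a prefix ends up in one of the three states counted above, as an added example that is not part of this thread and is not bgpd's code: it follows the generic origin validation procedure of RFC 6811 for IPv4 and uses the prefix / maxlen / source-as fields of a roa-set entry. The struct, function names, the ORIGIN_NONE sentinel and the sample entries are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, IPv4 only; not bgpd's code. All names are hypothetical. */
enum roa_state { ROA_UNKNOWN, ROA_INVALID, ROA_VALID };

#define ORIGIN_NONE	0	/* assumed sentinel: AS path has no usable origin AS */
#define IP4(a, b, c, d)	(((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

struct roa {
	uint32_t addr;		/* prefix, host byte order */
	uint8_t	 len;		/* prefix length */
	uint8_t	 maxlen;	/* longest announcement the ROA allows */
	uint32_t source_as;	/* authorised origin AS */
};

/* Constructed sample data: documentation prefixes and documentation ASNs. */
static const struct roa sample_roas[] = {
	{ IP4(192, 0, 2, 0),    24, 24, 64496 },
	{ IP4(198, 51, 100, 0), 24, 26, 64497 },
	{ IP4(203, 0, 113, 0),  24, 24, 0 },	/* source-as 0: no AS may originate */
};
#define NROA	(sizeof(sample_roas) / sizeof(sample_roas[0]))

static uint32_t
mask4(uint8_t len)
{
	/* A shift by 32 is undefined in C, so /0 is handled separately. */
	return len == 0 ? 0 : 0xffffffffU << (32 - len);
}

/*
 * unknown: no ROA covers the announced prefix.
 * valid:   a covering ROA also allows this length and names this origin.
 * invalid: covered, but no covering ROA matches.
 */
enum roa_state
roa_validate(const struct roa *set, size_t n, uint32_t addr, uint8_t len,
    uint32_t origin)
{
	enum roa_state state = ROA_UNKNOWN;
	size_t i;

	for (i = 0; i < n; i++) {
		const struct roa *r = &set[i];
		/* The ROA prefix must be equal to or less specific than the route. */
		if (r->len > len || ((addr ^ r->addr) & mask4(r->len)) != 0)
			continue;
		state = ROA_INVALID;		/* covered from here on */
		if (len <= r->maxlen && origin != ORIGIN_NONE &&
		    origin == r->source_as)
			return ROA_VALID;
	}
	return state;
}

const char *
state_name(enum roa_state s)
{
	return s == ROA_VALID ? "valid" : s == ROA_INVALID ? "invalid" : "unknown";
}

int
main(void)
{
	/* Constructed announcements: prefix, length, origin AS. */
	static const struct { uint32_t addr; uint8_t len; uint32_t as; } rt[] = {
		{ IP4(192, 0, 2, 0),   24, 64496 },	/* exact match */
		{ IP4(192, 0, 2, 128), 25, 64496 },	/* longer than maxlen */
		{ IP4(192, 0, 2, 0),   24, 64511 },	/* wrong origin */
		{ IP4(10, 0, 0, 0),     8, 64496 },	/* no covering ROA */
	};
	size_t i;
	for (i = 0; i < sizeof(rt) / sizeof(rt[0]); i++)
		printf("%u.%u.%u.%u/%u AS%u: %s\n",
		    (unsigned)(rt[i].addr >> 24), (unsigned)(rt[i].addr >> 16 & 0xff),
		    (unsigned)(rt[i].addr >> 8 & 0xff), (unsigned)(rt[i].addr & 0xff),
		    (unsigned)rt[i].len, (unsigned)rt[i].as, state_name(
		    roa_validate(sample_roas, NROA, rt[i].addr, rt[i].len, rt[i].as)));
	return 0;
}
```

The second sample route is the case maxlen exists for: a more specific announcement from the authorised AS is still invalid when it is longer than the ROA permits.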
Re: bgpd ROA validation
On Fri, Sep 21, 2018 at 05:29:24PM +0200, Claudio Jeker wrote:
> This diff adds the rest needed to do ROA validation.
>
> It does:
> - add the filter logic for roa validation check
>     deny from any roa-set RPKI invalid
>     match from any roa-set RPKI valid set community local-as:42
> - makes the RDE do the roa validation check whenever a prefix is added to
>   the RIB (both via UPDATE or via network statement)
> - adds some magic for reloads (currently a big hammer that needs to be
>   optimized but let's start easy)
> - various bug fixes
> - introduces a new function aspath_origin() to get the origin AS from an
>   AS path. This info may later be used for source-as checks as well but
>   they currently behave a bit different when it comes to paths not ending
>   with an AS SEQUENCE segment.
>
> I currently use the RIPE RPKI validator to grab a JSON file (e.g.
> http://localcert.ripe.net:8088/export.json) and feed that to this perl
> script to convert it into bgpd syntax:
>
> #!/usr/bin/perl
> use strict;
> use warnings;
> use JSON::PP;
> my $json = do { local $/; <> };
> my $roa = decode_json $json;
> print "roa-set RPKI {\n";
> foreach (@{$roa->{'roas'}}) {
>     my $as = substr $_->{'asn'}, 2;
>     print "\t$_->{'prefix'} maxlen $_->{'maxLength'} source-as $as\n";
> }
> print "}\n";
>
> With that configs like this work:
> include "/etc/bgpd/rpki.conf"
>
> deny from any roa-set RPKI invalid
> match from any roa-set RPKI valid set community local-as:42
> match from any roa-set RPKI unknown set community local-as:43
>
> In my setup I get these numbers:
> 5895 invalid prefixes
> 67478 valid prefixes
> 638299 unknown prefixes
> This is from a single IPv4 only full feed.
>
> Disclaimer: works for me but I did not test it thoroughly especially no
> comparison was done to other implementations. Still wanted to share it
> now so other people can help.

Updated diff, fixes an issue with IPv6 sessions which was found by benno@ -- :wq Claudio Index: bgpd.c === RCS file: /cvs/src/usr.sbin/bgpd/bgpd.c,v retrieving revision 1.201 diff -u -p -r1.201 bgpd.c --- bgpd.c 21 Sep 2018 04:55:27 - 1.201 +++ bgpd.c 21 Sep 2018 13:56:16 - @@ -529,15 +529,15 @@ reconfigure(char *conffile, struct bgpd_ ps->name, sizeof(ps->name)) == -1) return (-1); RB_FOREACH_SAFE(psi, prefixset_tree, &ps->psitems, npsi) { - u_int32_t *as; + struct roa_set *rs; size_t i, l, n; RB_REMOVE(prefixset_tree, &ps->psitems, psi); - as = set_get(psi->set, &n); + rs = set_get(psi->set, &n); for (i = 0; i < n; i += l) { l = (n - i > 1024 ? 1024 : n - i); if (imsg_compose(ibuf_rde, IMSG_RECONF_ROA_AS_SET_ITEMS, - 0, 0, -1, as + i, l) == -1) + 0, 0, -1, rs + i, l * sizeof(*rs)) == -1) return -1; } if (imsg_compose(ibuf_rde, IMSG_RECONF_PREFIXSETITEM, 0, @@ -569,7 +569,7 @@ reconfigure(char *conffile, struct bgpd_ for (i = 0; i < n; i += l) { l = (n - i > 1024 ? 1024 : n - i); if (imsg_compose(ibuf_rde, IMSG_RECONF_AS_SET_ITEMS, - 0, 0, -1, as + i, l) == -1) + 0, 0, -1, as + i, l * sizeof(*as)) == -1) return -1; } Index: bgpd.h === RCS file: /cvs/src/usr.sbin/bgpd/bgpd.h,v retrieving revision 1.344 diff -u -p -r1.344 bgpd.h --- bgpd.h 21 Sep 2018 04:55:27 - 1.344 +++ bgpd.h 21 Sep 2018 12:20:16 - @@ -695,6 +695,12 @@ struct filter_prefixset { struct rde_prefixset*ps; }; +struct filter_roaset { + u_int32_tvalidity; + char name[SET_NAME_LEN]; + struct rde_prefixset*ps; +}; + struct filter_community { int as; int type; @@ -886,6 +892,7 @@ struct filter_match { struct filter_largecommunitylarge_community; struct filter_extcommunity ext_community; struct filter_prefixset prefixset; + struct filter_roasetroaset; }; union filter_rule_ptr { @@ -1015,6 +1022,8 @@ extern struct rib_names ribnames; /* 4-byte magic AS number */ #define AS_TRANS 23456 +/* AS_NONE for origin validation */ +#define AS_NONE0 struct rde_memstats { int64_t path_cnt; Index: parse.y ===
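Review bot: In the first bgpd.c hunk the chunk size stays at 1024 elements while the element type changes from u_int32_t to struct roa_set, so each IMSG_RECONF_ROA_AS_SET_ITEMS payload is now 1024 * sizeof(*rs) bytes; please confirm this stays within the imsg payload limit, or derive the per-message count from the element size instead of hard-coding 1024. Both imsg_compose() calls previously passed the element count l as the byte length, so only a fraction of each chunk was sent; since the length is now a byte count, the receiving side in the RDE should reject payloads whose length is not a multiple of the element size.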
bgpd ROA validation
This diff adds the rest needed to do ROA validation.

It does:
- add the filter logic for roa validation check
    deny from any roa-set RPKI invalid
    match from any roa-set RPKI valid set community local-as:42
- makes the RDE do the roa validation check whenever a prefix is added to
  the RIB (both via UPDATE or via network statement)
- adds some magic for reloads (currently a big hammer that needs to be
  optimized but let's start easy)
- various bug fixes
- introduces a new function aspath_origin() to get the origin AS from an
  AS path. This info may later be used for source-as checks as well but
  they currently behave a bit different when it comes to paths not ending
  with an AS SEQUENCE segment.

I currently use the RIPE RPKI validator to grab a JSON file (e.g.
http://localcert.ripe.net:8088/export.json) and feed that to this perl
script to convert it into bgpd syntax:

#!/usr/bin/perl
use strict;
use warnings;
use JSON::PP;
my $json = do { local $/; <> };
my $roa = decode_json $json;
print "roa-set RPKI {\n";
foreach (@{$roa->{'roas'}}) {
    my $as = substr $_->{'asn'}, 2;
    print "\t$_->{'prefix'} maxlen $_->{'maxLength'} source-as $as\n";
}
print "}\n";

With that configs like this work:
include "/etc/bgpd/rpki.conf"

deny from any roa-set RPKI invalid
match from any roa-set RPKI valid set community local-as:42
match from any roa-set RPKI unknown set community local-as:43

In my setup I get these numbers:
5895 invalid prefixes
67478 valid prefixes
638299 unknown prefixes
This is from a single IPv4 only full feed.

Disclaimer: works for me but I did not test it thoroughly especially no
comparison was done to other implementations. Still wanted to share it
now so other people can help.

-- 
:wq Claudio

Index: bgpd.c === RCS file: /cvs/src/usr.sbin/bgpd/bgpd.c,v retrieving revision 1.201 diff -u -p -r1.201 bgpd.c --- bgpd.c 21 Sep 2018 04:55:27 - 1.201 +++ bgpd.c 21 Sep 2018 13:56:16 - 
@@ -529,15 +529,15 @@ reconfigure(char *conffile, struct bgpd_ ps->name, sizeof(ps->name)) == -1) return (-1); RB_FOREACH_SAFE(psi, prefixset_tree, &ps->psitems, npsi) { - u_int32_t *as; + struct roa_set *rs; size_t i, l, n; RB_REMOVE(prefixset_tree, &ps->psitems, psi); - as = set_get(psi->set, &n); + rs = set_get(psi->set, &n); for (i = 0; i < n; i += l) { l = (n - i > 1024 ? 1024 : n - i); if (imsg_compose(ibuf_rde, IMSG_RECONF_ROA_AS_SET_ITEMS, - 0, 0, -1, as + i, l) == -1) + 0, 0, -1, rs + i, l * sizeof(*rs)) == -1) return -1; } if (imsg_compose(ibuf_rde, IMSG_RECONF_PREFIXSETITEM, 0, @@ -569,7 +569,7 @@ reconfigure(char *conffile, struct bgpd_ for (i = 0; i < n; i += l) { l = (n - i > 1024 ? 1024 : n - i); if (imsg_compose(ibuf_rde, IMSG_RECONF_AS_SET_ITEMS, - 0, 0, -1, as + i, l) == -1) + 0, 0, -1, as + i, l * sizeof(*as)) == -1) return -1; } Index: bgpd.h === RCS file: /cvs/src/usr.sbin/bgpd/bgpd.h,v retrieving revision 1.344 diff -u -p -r1.344 bgpd.h --- bgpd.h 21 Sep 2018 04:55:27 - 1.344 +++ bgpd.h 21 Sep 2018 12:20:16 - @@ -695,6 +695,12 @@ struct filter_prefixset { struct rde_prefixset*ps; }; +struct filter_roaset { + u_int32_tvalidity; + char name[SET_NAME_LEN]; + struct rde_prefixset*ps; +}; + struct filter_community { int as; int type; @@ -886,6 +892,7 @@ struct filter_match { struct filter_largecommunitylarge_community; struct filter_extcommunity ext_community; struct filter_prefixset prefixset; + struct filter_roasetroaset; }; union filter_rule_ptr { @@ -1015,6 +1022,8 @@ extern struct rib_names ribnames; /* 4-byte magic AS number */ #define AS_TRANS 23456 +/* AS_NONE for origin validation */ +#define AS_NONE0 struct rde_memstats { int64_t path_cnt; Index: parse.y === RCS file: /cvs/src/usr.sbin/bgpd/parse.y,v retrieving revision 1.359 diff -u -p -r1.359 parse.y --- parse.y 21 Sep 2018 08:17:15 - 1.359 +++ parse.y 21 Sep 2018 11:18:44 - @@ -100,6 +100,7 @@ static struct filte
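Review bot: In the bgpd.h hunk that adds AS_NONE, the comment says only "for origin validation"; it should state what the value stands for (presumably what aspath_origin() returns when the path has no usable origin AS) and whether a source-as of 0 in a roa-set is meant to match it or never to match. In the hunk adding struct filter_roaset, the validity member is an untyped u_int32_t; a comment naming the values it takes (the valid, invalid and unknown keywords of the filter syntax) would help readers of the filter code.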
Re: Maybe need to enrich `-T' option in netcat manual
On Fri, Sep 21, 2018 at 10:07:54PM +0800, Nan Xiao wrote:
> Hi Jason,
>
> Thanks very much for your response!
>
> I check the ping & traceroute code, For ping:
>
> if (options & F_TTL) {
>         if (IN_MULTICAST(ntohl(dst4.sin_addr.s_addr)))
>                 moptions |= MULTICAST_TTL;
>         else
>                 options |= F_HDRINCL;
> }
>
> For traceroute:
> void
> check_tos(struct ip *ip, int *last_tos)
> {
>         struct icmp *icp;
>         struct ip *inner_ip;
>
>         icp = (struct icmp *) (((u_char *)ip)+(ip->ip_hl<<2));
>         inner_ip = (struct ip *) (((u_char *)icp)+8);
>
>         if (inner_ip->ip_tos != *last_tos)
>                 printf (" (TOS=%d!)", inner_ip->ip_tos);
>
>         *last_tos = inner_ip->ip_tos;
> }
>
> They indeed don't handle IPv6. But for netcat, it actually handles IPv6
> case at least from code in preceding mail. If netcat doesn't want to
> handle IPv6 intentionally, I think the IPv6 code should be removed,
> thanks!
>

if you submit a diff for whatever improvement you hope for, there is a
chance i can find people to review it and possibly commit it. judging by
the lack of responses from everyone else about your mail, i'd say
nothing will happen without such a diff.

jmc
carp_ourether() mpsafe
This is a requirement to get the bridge input/output path out of the KERNEL_LOCK(). The diff is simple, use the non-locked version of SRP lists, as it is already done in other paths in carp(4). Ok? Index: netinet/ip_carp.c === RCS file: /cvs/src/sys/netinet/ip_carp.c,v retrieving revision 1.333 diff -u -p -r1.333 ip_carp.c --- netinet/ip_carp.c 10 Jul 2018 11:22:54 - 1.333 +++ netinet/ip_carp.c 19 Sep 2018 13:17:29 - @@ -259,6 +259,7 @@ voidcarp_update_lsmask(struct carp_soft intcarp_new_vhost(struct carp_softc *, int, int); void carp_destroy_vhosts(struct carp_softc *); void carp_del_all_timeouts(struct carp_softc *); +intcarp_vhe_match(struct carp_softc *, uint8_t *); struct if_clone carp_cloner = IF_CLONE_INITIALIZER("carp", carp_clone_create, carp_clone_destroy); @@ -1340,29 +1341,27 @@ carp_iamatch(struct ifnet *ifp) } int -carp_ourether(struct ifnet *ifp, u_int8_t *ena) +carp_ourether(struct ifnet *ifp, uint8_t *ena) { struct srpl *cif = &ifp->if_carp; - struct carp_softc *vh; - - KERNEL_ASSERT_LOCKED(); /* touching if_carp + carp_vhosts */ - - if (SRPL_EMPTY_LOCKED(cif)) - return (0); + struct carp_softc *sc; + struct srp_ref sr; + int match = 0; KASSERT(ifp->if_type == IFT_ETHER); - SRPL_FOREACH_LOCKED(vh, cif, sc_list) { - struct carp_vhost_entry *vhe; - if ((vh->sc_if.if_flags & (IFF_UP|IFF_RUNNING)) != + SRPL_FOREACH(sc, &sr, cif, sc_list) { + if ((sc->sc_if.if_flags & (IFF_UP|IFF_RUNNING)) != (IFF_UP|IFF_RUNNING)) continue; - vhe = SRPL_FIRST_LOCKED(&vh->carp_vhosts); - if ((vhe->state == MASTER || vh->sc_balancing >= CARP_BAL_IP) && - !memcmp(ena, vh->sc_ac.ac_enaddr, ETHER_ADDR_LEN)) - return (1); + if (carp_vhe_match(sc, ena)) { + match = 1; + break; + } } - return (0); + SRPL_LEAVE(&sr); + + return (match); } int
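Review bot: The removed lines in carp_ourether() took the first vhost entry with SRPL_FIRST_LOCKED(&vh->carp_vhosts) and dereferenced vhe without a NULL check, relying on the kernel lock; that lookup now sits in carp_vhe_match(), whose prototype is added in the first hunk but whose body is not in the part of the diff shown here. It needs its own srp_ref enter and leave around carp_vhosts and should cope with an empty list, since the kernel lock no longer serialises it against vhost destruction. Removing KERNEL_ASSERT_LOCKED() also drops the comment that said what the lock protected (if_carp and carp_vhosts); a short comment on carp_ourether() saying it may be called without the kernel lock would keep that information.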
Re: [patch] Fix "Address already in use" issue when using netcat with UNIX-domain socket
ping tech@, Very sorry for interrupting again! Anyone can give comment on this issue? Thanks! On 9/18/2018 6:37 PM, Nan Xiao wrote: > Hi tech@, > > Assume I use netcat with UNIX-domain socket, and there is no > temp_socket. Launch the server: > > # ./nc -U -l temp_socket > > It works normally. But after netcat exits, launch it again: > > # nc -U -l temp_socket > nc: Address already in use > > The only method seems to delete temp_socket. > > I am not sure this behavior is as expected, and come out following patch > may fix this issue, thanks! > > diff --git usr.bin/nc/netcat.c usr.bin/nc/netcat.c > index 341e7e50485..3b2150a01dc 100644 > --- usr.bin/nc/netcat.c > +++ usr.bin/nc/netcat.c > @@ -749,6 +749,9 @@ unix_bind(char *path, int flags) > return -1; > } > > + if (lflag) > + unlink(path); > + > if (bind(s, (struct sockaddr *)&s_un, sizeof(s_un)) < 0) { > save_errno = errno; > close(s); > -- Best Regards Nan Xiao(肖楠)
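Review bot: The added unlink(path) before bind() runs unconditionally in listen mode and ignores its return value, so it removes whatever is at path: a regular file named by mistake, or the socket of another nc that is still listening, whose new clients then reach this process instead. Check with lstat() that the path is a socket before removing it, and consider removing the socket when the listener exits instead, which keeps "Address already in use" as the signal that something else holds the path.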
Re: Maybe need to enrich `-T' option in netcat manual
Hi Jason,

Thanks very much for your response!

I check the ping & traceroute code, For ping:

if (options & F_TTL) {
        if (IN_MULTICAST(ntohl(dst4.sin_addr.s_addr)))
                moptions |= MULTICAST_TTL;
        else
                options |= F_HDRINCL;
}

For traceroute:
void
check_tos(struct ip *ip, int *last_tos)
{
        struct icmp *icp;
        struct ip *inner_ip;

        icp = (struct icmp *) (((u_char *)ip)+(ip->ip_hl<<2));
        inner_ip = (struct ip *) (((u_char *)icp)+8);

        if (inner_ip->ip_tos != *last_tos)
                printf (" (TOS=%d!)", inner_ip->ip_tos);

        *last_tos = inner_ip->ip_tos;
}

They indeed don't handle IPv6. But for netcat, it actually handles IPv6
case at least from code in preceding mail. If netcat doesn't want to
handle IPv6 intentionally, I think the IPv6 code should be removed,
thanks!

Best Regards
Nan Xiao

On Thu, Sep 20, 2018 at 7:45 PM Jason McIntyre wrote:
>
> On Wed, Sep 19, 2018 at 06:35:13PM +0800, Nan Xiao wrote:
> > Hi tech@,
> >
> > For `-T' option explanation in netcat manual:
> >
> > -T keyword
> >         Change the IPv4 TOS value or the TLS options.
> >
> > But in fact, the netcat code not only processes IPv4 but also IPv6:
> >
> > if (Tflag != -1) {
> >         if (af == AF_INET && setsockopt(s, IPPROTO_IP,
> >             IP_TOS, &Tflag, sizeof(Tflag)) == -1)
> >                 err(1, "set IP ToS");
> >
> >         else if (af == AF_INET6 && setsockopt(s, IPPROTO_IPV6,
> >             IPV6_TCLASS, &Tflag, sizeof(Tflag)) == -1)
> >                 err(1, "set IPv6 traffic class");
> > }
> >
> > So I think maybe the netcat manual should be enriched at least for `-T'
> > option, thanks!
> >
>
> hi.
>
> i think if you submit a diff, there will be a better chance of getting
> an ok (or otherwise).
>
> i'm unsure about -T myself. i know that we synced the -T options for
> ping/nc/traceroute to keep them in sync with pf, but none of those other
> docs claim support for ip6 classes - actually quite the opposite.
> so i'm unsure if they work (have you tested?) or whether we want to
> document them.
>
> jmc
>
Re: add explanations of vmctl send command in vmctl.8
On Wed, Sep 19 2018, Solene Rapenne wrote: > Solene Rapenne wrote: >> This diff explains a little more about the send commands. >> send pauses the VM and send its memory + the start parameters. >> > > new diff with some changes, also thx bentley@ for telling me sentences should > start on a newline in mdoc. ok jca@ > Index: vmctl.8 > === > RCS file: /cvs/src/usr.sbin/vmctl/vmctl.8,v > retrieving revision 1.47 > diff -u -p -r1.47 vmctl.8 > --- vmctl.8 11 Sep 2018 04:03:16 - 1.47 > +++ vmctl.8 19 Sep 2018 10:20:06 - > @@ -90,6 +90,13 @@ Reset and terminate all VMs. > Send a VM with the specified > .Ar id > to standard output and terminate it. > +The VM is paused while send is processing. > +Data sent to standard output contains the VM parameters and its memory, > +not the disk image. > +.Pp > +In order to move a VM from one host to another, disk files must be > +synced between the send and the receive processes and must be located > +under the same path. > .It Cm show Op Ar id > An alias for the > .Cm status -- jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
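Review bot: In the added lines, "send" and "receive" name vmctl commands but are left as plain words ("while send is processing", "between the send and the receive processes"); mark them up with .Cm as the surrounding entries do. The sentence "Data sent to standard output contains the VM parameters and its memory" is also the place to say that the stream holds the guest's complete memory contents, so readers know to move it between hosts over a protected channel.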
Re: smtpd: force TLS when relaying
That syntax makes sense to me and I didn't notice any problems in the diff. OK millert@

 - todd
smtpd: force TLS when relaying
There is currently no way to force TLS on a relay rule in general, and
force certificate checking. Typical use case: a secondary MX needing to
relay safely to lower preference MXs.

This diff below allows the "tls" option to be used alone, including on
non-smarthost relay rules, to specify that the relay must be using TLS.
The "no-verify" keyword becomes optional.

Currently, the different cases are as follows:

- action relay

  Standard relaying, using smtp with opportunistic STARTTLS. When using
  TLS, certificates are not checked.

- action relay host

  Relay through smarthost, using TLS or not, depending on the protocol.
  When using TLS, certificates are checked.

- action relay host tls no-verify

  Same as above, but certificates are not checked.

With the proposed change, we get:

- action relay

  Standard relaying, using smtp with opportunistic STARTTLS. When using
  TLS, certificates are not checked.

- action relay tls

  Standard relaying, using smtp with mandatory STARTTLS. Certificates
  are checked.

- action relay tls no-verify

  Same as above, but certificates are not checked.

- action relay host

  Relay through smarthost, using TLS or not, depending on the protocol.
  For "smtp+tls://" and "smtps://" certificates are checked. For
  "smtp://" (opportunistic TLS) certificates are not checked.

- action relay host tls

  Relay through smarthost with mandatory TLS. Certificates are checked.
  The "smtp://" protocol is updated to "smtp+tls://" internally. The
  "smtp+notls://" protocol is rejected, and no relaying happens.

- action relay host tls no-verify

  Same as above, but certificates are not checked.

The differences with the currently allowed syntax are:

1) the "tls no-verify" option on smarthost relay actually forces TLS,
2) a relay with a "smtp://" smarthost and no "tls no-verify" does not
   require a valid certificate anymore.

It is more consistent altogether, and in practice it should not be a
problem because most smarthost configurations use strict TLS.
Now, for the secondary MX example, the rule would look like: action "do-backup" relay backup tls Comments? Eric. Index: mta.c === RCS file: /cvs/src/usr.sbin/smtpd/mta.c,v retrieving revision 1.225 diff -u -p -r1.225 mta.c --- mta.c 19 Sep 2018 05:31:12 - 1.225 +++ mta.c 21 Sep 2018 08:09:14 - @@ -657,6 +657,23 @@ mta_handle_envelope(struct envelope *evp return; } + if (dispatcher->u.remote.tls_required) { + /* Reject relay if smtp+notls:// is requested */ + if (relayh.tls == RELAY_TLS_NO) { + log_warnx("warn: TLS required for action \"%s\"", + evp->dispatcher); + m_create(p_queue, IMSG_MTA_DELIVERY_TEMPFAIL, 0, 0, -1); + m_add_evpid(p_queue, evp->id); + m_add_string(p_queue, "TLS required for relaying"); + m_add_int(p_queue, ESC_OTHER_STATUS); + m_close(p_queue); + return; + } + /* Update smtp:// to smtp+tls:// */ + if (relayh.tls == RELAY_TLS_OPPORTUNISTIC) + relayh.tls = RELAY_TLS_STARTTLS; + } + relay = mta_relay(evp, &relayh); /* ignore if we don't know the limits yet */ if (relay->limits && @@ -1739,7 +1756,7 @@ mta_relay(struct envelope *e, struct rel if (!key.authlabel[0]) key.authlabel = NULL; - if (dispatcher->u.remote.smarthost && + if ((key.tls == RELAY_TLS_STARTTLS || key.tls == RELAY_TLS_SMTPS) && dispatcher->u.remote.tls_noverify == 0) key.flags |= RELAY_TLS_VERIFY; Index: parse.y === RCS file: /cvs/src/usr.sbin/smtpd/parse.y,v retrieving revision 1.221 diff -u -p -r1.221 parse.y --- parse.y 7 Sep 2018 07:35:31 - 1.221 +++ parse.y 21 Sep 2018 08:09:14 - 
@@ -739,17 +739,21 @@ HELO STRING { dispatcher->u.remote.smarthost = strdup(t->t_name); } -| TLS NO_VERIFY { - if (dispatcher->u.remote.smarthost == NULL) { - yyerror("tls no-verify may not be specified without host on a dispatcher"); +| TLS { + if (dispatcher->u.remote.tls_required == 1) { + yyerror("tls already specified for this dispatcher"); YYERROR; } - if (dispatcher->u.remote.tls_noverify == 1) { - yyerror("tls no-verify already specified for this dispatcher"); + dispatcher->u.remote.tls_required = 1; +} +| TLS NO_VERIFY { + if (dispatcher->u.remote.tls_required == 1) { + yyerror("tls already specified for this dispatcher"); YYERROR; } + disp
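Review bot: In the mta_handle_envelope() hunk, a "tls" action whose smarthost uses smtp+notls:// is answered with IMSG_MTA_DELIVERY_TEMPFAIL, so a contradiction in the configuration leaves mail in the queue being retried with only a log_warnx to explain it; a comment there, and a sentence in the manual, should say that a temporary failure is intended. The same hunk rewrites RELAY_TLS_OPPORTUNISTIC to RELAY_TLS_STARTTLS before calling mta_relay(), and the mta_relay() hunk then sets RELAY_TLS_VERIFY from key.tls alone; a comment noting that certificate verification depends on this rewrite would help, since either hunk on its own leaves "tls" unverified.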
Re: bgpd, AS 0 is also special
On Fri, Sep 21, 2018 at 08:47:31AM +0200, Denis Fondras wrote: > On Fri, Sep 21, 2018 at 07:20:24AM +0200, Claudio Jeker wrote: > > Similar to AS_TRANS (23456) AS 0 should not be allowed. > > This adds this restriction for asnumbers which are used on AS, remote-as > > and local-as tokens in the config. Inside filters as4numer_any is used > > which does not have any kind of restriction. > > > > OK? > > Error message does not really match. Good point it should use what people put in there. Was lurd into the trap by the %u in the string and forgot to double check the argument. Will fix that before commit. > Otherwise OK denis@ > > > -- > > :wq Claudio > > > > > > ? obj > > Index: parse.y > > === > > RCS file: /cvs/src/usr.sbin/bgpd/parse.y,v > > retrieving revision 1.357 > > diff -u -p -r1.357 parse.y > > --- parse.y 21 Sep 2018 05:13:35 - 1.357 > > +++ parse.y 21 Sep 2018 05:16:45 - > > @@ -297,7 +297,7 @@ as4number : STRING{ > > free($1); > > YYERROR; > > } > > - if (uvalh == 0 && uval == AS_TRANS) { > > + if (uvalh == 0 && (uval == AS_TRANS || uval == 0)) { > > yyerror("AS %u is reserved and may not be used", > > AS_TRANS); > > YYERROR; > > @@ -305,7 +305,7 @@ as4number : STRING{ > > $$ = uval | (uvalh << 16); > > } > > | asnumber { > > - if ($1 == AS_TRANS) { > > + if ($1 == AS_TRANS || $1 == 0) { > > yyerror("AS %u is reserved and may not be used", > > AS_TRANS); > > YYERROR; > > > -- :wq Claudio
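Review bot: Both hunks widen the condition to reject AS 0 but leave AS_TRANS as the yyerror() argument, so a configuration that uses AS 0 is told that AS 23456 is reserved; pass uval in the as4number rule and $1 in the asnumber rule so the message names the number that was actually written.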
Re: Add "Spleen 5x8" font to wsfont
On Thu, Sep 20, 2018 at 09:44:09PM +0200, Frederic Cambus wrote: > Hi tech@, > > Here is a diff to add "Spleen 5x8" to wsfont, a font targetted at small > OLED displays to be used with devices handled by ssdfb(4). It contains > all printable ASCII characters (96 glyphes). > > The font is 2-Clause BSD licensed and is my original creation. > > In order to enable and test the font, this option should be added to the > kernel configuration file: option FONT_SPLEEN5x8 > > Screenshot: https://www.cambus.net/files/openbsd/dmesg-spleen5x8.png > > Comments? OK? I have already tested the other versions and I'm very happy with the results. So ok by me. Thanks for all your efforts! > Index: sys/dev/wsfont/wsfont.c > === > RCS file: /cvs/src/sys/dev/wsfont/wsfont.c,v > retrieving revision 1.52 > diff -u -p -r1.52 wsfont.c > --- sys/dev/wsfont/wsfont.c 8 Sep 2017 05:36:53 - 1.52 > +++ sys/dev/wsfont/wsfont.c 20 Sep 2018 18:52:29 - > @@ -43,6 +43,11 @@ > > #undef HAVE_FONT > > +#ifdef FONT_SPLEEN5x8 > +#define HAVE_FONT 1 > +#include > +#endif > + > #ifdef FONT_BOLD8x16 > #define HAVE_FONT 1 > #include > @@ -105,6 +110,9 @@ static struct font builtin_fonts[] = { > #endif > #ifdef FONT_GALLANT12x22 > BUILTIN_FONT(gallant12x22, 3), > +#endif > +#ifdef FONT_SPLEEN5x8 > + BUILTIN_FONT(spleen5x8, 4), > #endif > #undef BUILTIN_FONT > }; > Index: sys/dev/wsfont/spleen5x8.h > === > RCS file: sys/dev/wsfont/spleen5x8.h > diff -N sys/dev/wsfont/spleen5x8.h > --- /dev/null 1 Jan 1970 00:00:00 - > +++ sys/dev/wsfont/spleen5x8.h20 Sep 2018 18:52:29 - 
> @@ -0,0 +1,910 @@ > +/* $OpenBSD$ */ > + > +/* > + * Copyright (c) 2018 Frederic Cambus > + * All rights reserved. > + * > + * Redistribution and use in source and binary forms, with or without > + * modification, are permitted provided that the following conditions > + * are met: > + * 1. Redistributions of source code must retain the above copyright > + *notice, this list of conditions and the following disclaimer. > + * 2. Redistributions in binary form must reproduce the above copyright > + *notice, this list of conditions and the following disclaimer in the > + *documentation and/or other materials provided with the distribution. > + * > + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND > + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE > + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE > + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE > + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL > + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS > + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) > + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT > + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY > + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF > + * SUCH DAMAGE. 
> + */ > + > +static u_char spleen5x8_data[]; > + > +struct wsdisplay_font spleen5x8 = { > + "Spleen 5x8", /* typeface name */ > + 0, /* index */ > + ' ',/* firstchar */ > + 128 - ' ', /* numchars */ > + WSDISPLAY_FONTENC_ISO, /* encoding */ > + 5, /* width */ > + 8, /* height */ > + 1, /* stride */ > + WSDISPLAY_FONTORDER_L2R,/* bit order */ > + WSDISPLAY_FONTORDER_L2R,/* byte order */ > + NULL, /* cookie */ > + spleen5x8_data /* data */ > +}; > + > +static u_char spleen5x8_data[] = { > + 0x00, /* */ > + 0x00, /* */ > + 0x00, /* */ > + 0x00, /* */ > + 0x00, /* */ > + 0x00, /* */ > + 0x00, /* */ > + 0x00, /* */ > + > + 0x20, /* ..*. */ > + 0x20, /* ..*. */ > + 0x20, /* ..*. */ > + 0x20, /* ..*. */ > + 0x20, /* ..*. */ > + 0x00, /* */ > + 0x20, /* ..*. */ > + 0x00, /* */ > + > + 0x50, /* .*.* */ > + 0x50, /* .*.* */ > + 0x50, /* .*.* */ > + 0x00, /* */ > + 0x00, /* */ > + 0x00, /* */ > + 0x00, /* */ > + 0x00, /* */ > + > + 0x00, /* */ > + 0x50, /* .*.* */ > + 0xf8, /* *... */ > + 0x50, /* .*.* */ > + 0x50, /* .*.* */ > + 0xf8, /* *... */ > + 0x50, /* .*.* */ > + 0x00, /* ..