| Commit message | Author | Files | Lines |
|
disabled as there were some stability issues. It seems that the
crashes were fixed when reference counting for pf states was
implemented. So reenable this code. Apart from the performance
improvement it also makes corner cases for pf divert-to more reliable.
OK henning@
|
|
Nothing uses this fd-tracking part of pledge yet.
OK deraadt@
|
|
So this macro does not make much sense, just call pflog_packet().
OK sashan@ henning@
|
|
Found and fixed by Bernd Edlinger as part of OpenSSL commit
83b4049ab75e9da1815e9c854a9297bca3d4af6b
ok jsing, deraadt, bcook
|
|
Tighten up checks for various X509_VERIFY_PARAM functions, and
allow for the verify param to be poisoned (precluding future
successful cert validation) if the setting of host, ip, or email
for certificate validation fails. (since many callers do not
check the return code in the wild and blunder along anyway)
Inspired by some discussions with Adam Langley.
ok jsing@
|
|
underscores in variable names (regression introduced in 7.7).
bz2851, ok deraadt@
|
|
Jakub Jelen via bz2835
|
|
is for configuration files only. bz#2840, patch from Jakub Jelen
|
|
Allard (via otto@)
|
|
nor the heirloom-doctools support it. Adding it was a mistake in
the first place.
|
|
heirloom-doctools support it. Work around the gap by using .BR
with an empty first argument. This was noticed more than once in
the past, but i always forgot to fix it.
|
|
UEFI firmware as well.
|
|
character escape sequences rather than the undocumented and
non-portable \(Lq and \(Rq.
Bug reported by Tim L <darkxst at github>
via Thomas Klausner <wiz at NetBSD>;
see https://github.com/nih-at/libzip/pull/42
|
|
libpcap-based program to process packets as soon as they arrive.
feedback from jasper@
ok jca@
(a long time ago)
|
|
Note: Remember to "make includes" and recompile the following programs together
with the kernel:
sbin/pfctl
usr.sbin/authpf
usr.sbin/ftp-proxy
usr.sbin/relayd
usr.sbin/tftp-proxy
Thanks to sthen@ for checking the ports tree.
ok bluhm@ sashan@ visa@
|
|
ok bluhm@ sashan@ visa@
|
|
ok kettenis
|
|
AF21 was selected as this is the highest priority within the low-latency
service class (and it is higher than what we have today). SSH is elastic
and time-sensitive data, where a user is waiting for a response via the
network in order to continue with a task at hand. As such, these flows
should be considered foreground traffic, with delays or drops to such
traffic directly impacting user-productivity.
For bulk SSH traffic, the CS1 "Lower Effort" marker was chosen to enable
networks implementing a scavenger/lower-than-best effort class to
discriminate scp(1) below normal activities, such as web surfing. In
general this type of bulk SSH traffic is a background activity.
An advantage of using "AF21" for interactive SSH and "CS1" for bulk SSH
is that they are recognisable values on all common platforms (IANA
https://www.iana.org/assignments/dscp-registry/dscp-registry.xml), and
for AF21 specifically a definition of the intended behavior exists
https://tools.ietf.org/html/rfc4594#section-4.7 in addition to the definition
of the Assured Forwarding PHB group https://tools.ietf.org/html/rfc2597, and
for CS1 (Lower Effort) there is https://tools.ietf.org/html/rfc3662
The first three bits of "AF21" map to the equivalent IEEE 802.1D PCP, IEEE
802.11e, MPLS EXP/CoS and IP Precedence value of 2 (also known as "Immediate",
or "AC_BE"), and CS1's first 3 bits map to IEEE 802.1D PCP, IEEE 802.11e,
MPLS/CoS and IP Precedence value 1 ("Background" or "AC_BK").
OK deraadt@, "no objection" djm@
|
|
setlocale(3) manual page, such that the latter becomes easier
to read. No text change.
|
|
(1) Evaluate the "set" argument, which says whether to create a new
RDN or to prepend or append to an existing one, before reusing it
for a different purpose, i.e. for the "set" field of the new
X509_NAME_ENTRY structure.
(2) When incrementing of some "set" fields is needed, increment the
correct ones: All those to the right of the newly inserted entry,
but not the one of that entry itself.
These two bugs caused wrong results whenever using loc != -1,
i.e. whenever inserting rather than appending entries, even when
using set == 0 only, that is, even when using single-valued RDNs only.
Both bugs have been continuously present since at least SSLeay-0.8.1
(released July 18, 1997) and the second one since at least SSLeay-0.8.0
(released June 25, 1997), so both are over twenty years old.
I found these bugs by code inspection while trying to document the
function X509_NAME_ENTRY_set(3), which is public, but undocumented
in OpenSSL.
OK beck@, jsing@
|
|
okay jca@
|
|
|
From Edgar Pettijohn
|
|
Problem reported by jj@ on bugs@, fix based on
https://gitlab.isc.org/isc-projects/bind9/commit/084ba95b083dc55fd10631ad43fa8fff48707648
(under ISC license) by Caspar Schutijser.
|
|
"snps,dw-pcie" for now. There are considerable variations between
implementations of the Synopsys DesignWare PCIe core and glue logic and
the current code isn't flexible enough to deal with that yet.
|
|
getvnode().
ok millert@
|
|
The syscall doesn't sleep before a vnode reference is taken, so it
doesn't strictly need the refcounts now. But they will soon be
used for parallelism, so make it ready.
ok bluhm@
|
|
ok millert@, bluhm@
|
|
ok bluhm@
|
|
Prevents witness(4) from panic'ing the kernel now that mutexes and rwlock
are always "taken" while in ddb(4).
ok visa@
|
|
some ISPs now provide services over vlans, but require vlan packets
going to the internet have their priority set to 1 (ie, 0 on the
wire) or they will be dropped. configuring this on openbsd requires
config in several places, eg, pf rules to set the prio on ip packets,
llprio on the pppoe interface for its management frames, and the
llprio on the vlan interface if you're using dhclient on it. this
has the side effect that you can no longer use priority queuing,
and can be error prone to get right.
using link0 to flatten the priority for isp transit is simple to
configure, and allows priority queuing.
a man page update is coming.
ok henning@
|
|
the vlan specs have the priority of 0 and 1 swapped on the wire,
which is how the kernel handles them. eg, if you use pf to set prio
1, it will end up being 0 on the wire. this makes 0 on the wire
come out as 1 in tcpdump so it is consistent with the rest of the
tooling.
ok henning@
|
|