| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
|
| |
|
|
|
|
|
|
|
| |
bInterfaceNumber and bAlternateSetting as following:
ifaceidx -> ifaceno
altidx -> altno
Suggested and ok mpi@
|
| |
|
|
|
|
|
| |
Otherwise this `pxi' can be killed by concurrent thread after context
switch caused by following netlock.
ok yasuoka@
|
| |
|
|
|
|
| |
OpenBSD 6.7 npppd(8) can't work over tun(4).
ok yasuoka@
|
| |
|
|
| |
ok bluhm@ dlg@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
this is a significant (and breaking) reworking of the policy based
routing that pf can do. the intention is to make it as easy as
nat/rdr to use, and more robust when it's operating.
the main reasons for this change are:
- route-to, reply-to, and dup-to do not work with pfsync
this is because the information about where to route-to is stored in
rules, and it is hard to have a ruleset synced between firewalls,
and impossible to have them synced 100% of the time.
- i can make my boxes panic in certain situations using route-to
yeah...
- the configuration and syntax for route-to rules are confusing.
the argument to route-to and co is an interace name with an optional
ip address. there are several problems with this. one is that people
tend to think about routing as sending packets to peers by their
address, not by the interface they're reachable on. another is that
we currently have no way to synchronise interface topology information
between firewalls, so using an interface to say where packets go
means we can't do failover of these states with pfsync. another
is that a change in routing topology means a host may become
reachable over a different interface. tying routing policy to
interfaces gets in the way of failover and load balancing.
this change does the following:
- stores the route info in the state instead of the pf rule
this allows route-to to keep working when the ruleset changes, and
allows route-to info to be sent over pfsync. there's enough spare bits
in pfsync messages that the protocol doesnt break.
the caveat is that route-to becomes tied to pass rules that create
state, like rdr-to and nat-to.
- the argument to route-to etc is a destination ip address
it's not limited to a next-hop address (thought a next-hop can be a
destination address). this allows for the failover and load balancing
referred to above.
- deprecates the address@interface host syntax in pfctl
because routing is done entirely by IPs, the interface is derived from
the route lookup, not pf. any attempt to use the @interface syntax
will fail now in all contexts.
there's enthusiasm from proctor@ jmatthew@ and others
ok sashan@ bluhm@
|
| | |
|
| |
|
|
| |
little bit more to do though before it can be enabled.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
Detect octeon board model in one place, and replace firmware-supplied
board_type with an abstract model identifier in driver code. This makes
it easier to manage with different products, and board flavours, that
happen to use the same model information, such as board_type.
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
partly from Alessandro Ricci
|
| |
|
|
| |
ok kettenis
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When obtaining an interface handle, we currently rely on the device being
properly USB compliant, and thus the interface being at the correct index in
the interfaces array.
However, some devices present their indices incorrectly. For example, the
following audio device exposes interfaces 0, 1 and 3, in that order (skipping
interface 2 entirely):
uaudio2 at uhub4 port 4 configuration 1 interface 3 "E+ Corp. DAC Audio" rev 1.10/0.01 addr 2
uaudio2: class v1, full-speed, async, channels: 2 play, 0 rec, 3 ctls
This means that that the audio stream interface (number 3) is not found at the
expected index of 2, and this causes looking up the handle to fail.
This change makes usbd_device2interface_handle() search for the right
interface, instead of assuming it will be at the right index. Although this is
a little slower, note that this routine not very frequently called and there
are typically not hundreds of interfaces on a typical USB device.
This fixes the above E+ Corp device, and one other uaudio device reported
broken by a user.
With input from, tested by, and OK ratchov@, mglocker@ and kettenis@.
Many thanks!
|
| |
|
|
|
| |
of the v_un pointers).
OK jsg@ mvs@
|
| | |
|
| | |
|
| |
|
|
| |
ok bluhm@ sashan@
|
| |
|
|
| |
ok bluhm@
|
| |
|
|
| |
ok kettenis
|
| |
|
|
|
| |
SMALL_KERNEL specific variations.
ok espie jsg
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
tpm(4) has timeout constants in milliseconds, e.g.
#define TPM_ACCESS_TMO 2000 /* 2sec */
This is fine.
The odd thing is that tpm(4) first converts these timeouts to counts
of ticks via tpm_tmotohz() before using DELAY() to busy-wait. DELAY()
takes a count of microseconds, which are not equivalent to ticks, so
the units are all screwed up.
Let's correct this:
- Remove tpm_tmotohz(). We're not working with ticks so we don't it.
- Multiply the timeouts to match the delay interval. tpm_request_locality()
and tpm_getburst() use intervals of 10 microseconds, so multiply the
millisecond timeouts by 100. In tpm_waitfor() the delay interval is 1
microsecond, so multiply the millisecond timeout by 1000.
- Update the parameter name in tpm_waitfor() to note that we expect a
count of milliseconds, not "tries".
Discussion: https://marc.info/?l=openbsd-tech&m=160995671326406&w=2
Prompted by kettenis@.
Suspend/resume tested by florian@ on an X1 Gen 2. For the record, it
looks like this:
tpm0 at acpi0 TPM_ addr 0xfed40000/0x5000, device 0x0000104a rev 0x4e
Earlier versions of this patch were reviewed by kn@, but the patch
became more ambitious when kettenis@ got involved so those reviews
are no longer applicable.
jcs@ notes (https://marc.info/?l=openbsd-tech&m=160834427630142&w=2)
in a related discussion that this driver "sucks" and should be
replaced with NetBSD's rewrite. This would get us a cleaner driver
with TPM 2.0 support. So there is future work to do here.
ok kettenis@
|
| |
|
|
|
|
| |
This makes it clearer why lock order traces are sometimes not displayed.
Prompted by a question from, and OK anton@
|
| |
|
|
| |
OK deraadt@
|
| |
|
|
| |
I've missed two more cases in the previous commit.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
pfsync may want to defer the transmission of a packet. it does this so
it can try and get a state over to a peer firewall before a host may
send a reply to the peer, which would get dropped cos there's no
matching state.
i think the once rule processing should happen before that. the state
is created from the rule, whether the packet the state is for goes out
immediately or not shouldn't matter.
ok sashan@
|
| | |
|
| |
|
|
|
|
| |
of course this is limited to the !dup-to case.
ok sashan@ bluhm@
|
| |
|
|
|
|
| |
available device interfaces is called 'bNumInterfaces'.
ok phessler@, thfr@ (who provided the man page diff)
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
ok jmatthew@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
pf_route and pf_route6 are called to take over delivery of the
packet with route-to and reply-to instead of letting it get processed
normally. for the dup-to handling, it copies the mbuf but leaves
the original mbuf in place. pf_route takes over the packet by
clearing the mbuf pointer in the pf_pdesc struct. this diff moves
the clearing of that pointer to the start of the function, rather
than checking for dup-to again on the way out of the function.
i think this is better because it means that it's more robust in
the face of future code changes. even if that's not true, it's still
shorter code in a forwarding path.
ok sashan@ jmatthew@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
dup-to is kind of like what you do with a span port, but is a bit
more fine grained. it copies packets in a connection out an interface
so that connection can be monitored. it doesnt make sense for pf
to see the copied packets and try to match or create new states for
them either. at best it needs config to stop pf seeing the copies
(eg, set skip on $dup_to_tgt_if). at worst it breaks the connections
you're monitoring because the states in pf get confused.
found while discussing larger route-to changes on tech@.
ok bluhm@ sashan@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When a kqueue file is closed, the kqueue can still have threads
scanning it. Consequently, kqueue_terminate() can see scan markers
in the event queue. These markers are removed when the scanning threads
leave the kqueue. Take this into account when checking the queue's
state, to avoid a panic when kqueue is closed from under a thread.
OK anton@
Reported-by: syzbot+757c60a2aa1125137cce@syzkaller.appspotmail.com
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ifs = ifunit(req->ifbr_ifsname);
if (ifs == NULL) {
error = ENOENT;
break;
}
if (ifs->if_bridgeidx != ifp->if_index) {
error = ESRCH;
break;
}
bif = bridge_getbif(ifs);
This sequence repeats 8 times. Also we don't check value returned by
bridge_getbig() before use. Newly introduced bridge_getbig() function
replaces this sequence. This not only reduces duplicated code but also
makes `bif' dereference safe.
ok bluhm@
|
| |
|
|
| |
ok patrick@
|
| |
|
|
|
|
|
|
|
|
| |
on xhci(4) controllers by clearing the interface endpoints before opening
the pipes.
Tested by Mikolaj Kucharski for ugen(4) and gnezdo@ for uhidev(4), plus
myself for both.
ok mpi@
|
| |
|
|
|
|
|
| |
an UR_CLEAR_FEATURE request on a specific endpoint address without the
need to have a pipe open to that endpoint.
From NetBSD, ok mpi@
|
| |
|
|
|
|
|
|
|
| |
jmatthew@ has tried this before, but hrvoje popovski experienced
breakage so it wasn't enabled. we've tightened the code up since
then so it's time to try again.
this diff has been tested by hrvoje popovski and myself
ok jmatthew@
|
| |
|
|
| |
ok jmatthew@
|
| |
|
|
|
| |
found while poking around with hrvoje popovski
yes jmatthew@
|
| |
|
|
|
|
| |
Diff from Yuichiro NAITO.
ok procter
|
bluhm
mglocker
mvs
dlg
patrick
deraadt
visa
sthen
edd
claudio
jsg
rob
cheloha
kurt
kettenis
yasuoka