Age | Commit message | Author |
|
The kernel uses a huge amount of processing time for sending ACKs to the sender
on the receiving interface. After receiving a data segment, we send out two
ACKs. The first one in tcp_input() directly after receiving. The second ACK is
sent out after the userland or the sosplice task reads some data out of the
socket buffer. Thus, we save some processing time and improve network
performance.
Longer tested by sthen@
OK claudio@
|
|
broke pthreads on hppa. Reverting. Ok deraadt@
|
|
https://tools.ietf.org/html/draft-ietf-opsawg-finding-geofeeds describes
a mechanism to authenticate RFC 8805 Geofeed data files through the RPKI.
OpenSSL counterpart https://github.com/openssl/openssl/pull/14050
OK tb@ jsing@
|
|
which finally makes umb(4) fail, since ugen(4) attaches to one of the
umb(4) interfaces, fails, and marks the whole device dying. Therefore
make usbd_device2interface_handle() backwards compatible again.
Problem reported by Mikolaj Kucharski.
ok edd@
|
|
|
|
|
|
before this change pf_route operated on the semantic that pf runs
when packets go over an interface, so when pf_route changed which
interface the packet was on it would run pf_test again. this change
changes (restores) the semantic that pf is only supposed to run
when packets go in or out of the network stack, even if route-to
is responsible for short-circuiting past the network stack.
just to be clear, for normal packets (ie, those not touched by
route-to/reply-to/dup-to), there isn't a difference between running
pf when packets enter or leave the stack, or having pf run when a
packet goes over an interface.
the main reason for this change is that running the same packet
through pf multiple times creates confusion for the state table.
by default, pf states are floating, meaning that packets are matched
to states regardless of which interface they're going over. if a
packet leaving on em0 is rerouted out em1, both traversals will end
up using the same state, which at best will make the accounting
look weird, or at worst fail some checks in the state and get
dropped.
another reason for this commit is to make handling of the changes
that route-to makes consistent with other changes that are made to the
packet. eg, when nat is applied to a packet, we don't run pf_test
again with the new addresses.
the main caveat with this diff is you can't have one rule that
pushes a packet out a different interface, and then have a rule on
that second interface that NATs the packet. i'm not convinced this
ever worked reliably or was used much anyway, so we don't think
it's a big concern.
discussed with many, with special thanks to bluhm@, sashan@ and
sthen@ for weathering most of that pain.
ok claudio@ sashan@ jmatthew@
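The caveat in the message above, as a pf.conf(5) illustration added here; it is not part of the commit or of pf itself. It assumes two interfaces em0 and em1, an internal network 10.0.0.0/24, a next hop 192.0.2.1 reachable over em1 (all made-up values), and the `address@interface` spelling of route-to found in recent pf.conf(5).

```pf
# Before this change these two rules worked together only because
# route-to caused pf_test to run a second time on em1.  Now the packet
# leaves via em1 without a second pass, so the nat-to on em1 never
# applies and the packet goes out with its original source address.
pass out on em0 inet from 10.0.0.0/24 to any route-to 192.0.2.1@em1
match out on em1 inet from 10.0.0.0/24 nat-to (em1)

# Put the address rewrite and the reroute on the same rule.  pf already
# treats nat-to this way (no re-run with the new addresses), and after
# this commit route-to is handled the same.
pass out on em0 inet from 10.0.0.0/24 to any nat-to (em1) route-to 192.0.2.1@em1
```

The practical check after upgrading is a search of pf.conf for route-to, reply-to or dup-to rules whose target interface also carries nat-to, rdr-to or other rules that were only ever reached through the second traversal; those need folding into the rule that does the rerouting.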
|
|
ok millert tb
|
|
|
|
between redundant fields in private key certificate and private key
body; ok markus@
|
|
|
|
|
|
store repo (rsync URI) and local (the local path to the repository).
Simplifies the rsync handling a fair bit.
OK deraadt@
|
|
directories.
OK deraadt@
|
|
via index is actually in the right rdomain for the socket.
OK bluhm@ mvs@
|
|
|
|
kernel make sure that the rdomain of that interface is the same as
the rdomain of the inpcb.
Problem spotted and fix tested by semarie@
OK bluhm@ mvs@
|
|
Switch from poll(2) to ppoll(2) in a few more functions.
Because we're working with ppoll(2) and clock_gettime(2) it is easier
to encode the various timeouts as static const timespecs instead of
preprocessor macros. This way we aren't packing timespecs in the
middle of the code, which distracts from the (more important) logic of
what the code is doing.
Part of a larger campaign to improve "time stuff" in dhclient(8).
Prompted by and discussed with krw@. Based on a diff by krw@.
ok krw@
|
|
Since getline() returns a C string, we don't need to carry around
the length separately.
ok millert@
|
|
of prefixes is always correct. The strict RFC4271 way of checking MED
requires checking the neighbor AS and only doing the check if the ASes are equal.
Because of this it is possible that inserting or removing a route reshuffles
the total order.
prefix_cmp() was extended to return the location where the decision happened:
- 0 if the decision was before the MED comparison or med compare always is set
- 1 if the decision happened after the MED comparison
- 2 if the MED caused the decision
With this the new functions prefix_insert() and prefix_remove() are able
to decide if more prefixes need to be evaluated (testall was not 0) and
if prefixes need to be re-evaluated after this one was put (testall = 2).
There is a local redo list onto which prefixes where the MED resulted in a
reshuffle are put. After the new prefix is inserted all prefixes on
the redo list are reinserted. Because now all affected MED routes get
reevaluated the order is always correct.
|
|
RFC6482 - A Profile for Route Origin Authorizations (ROAs)
RFC6484 - Certificate Policy (CP) for the RPKI
RFC6493 - The RPKI Ghostbusters Record
RFC8182 - The RPKI Repository Delta Protocol (RRDP)
RFC8360 - RPKI Validation Reconsidered
draft-ietf-sidrops-rpki-rta - A profile for RTAs
Also in OpenSSL: https://github.com/openssl/openssl/commit/d3372c2f35495d0c61ab09daf7fba3ecbbb595aa
OK sthen@ tb@ jsing@
|
|
|
|
fetching over http(s) and use the timestamps from the remote server's
Last-Modified header if available when saving local files
this makes it possible to mirror files better with ftp(1)
the new timestamp behaviour can be disabled with the new '-u' flag
ok sthen@, input from sthen@ and gnezdo@
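An added example of the Last-Modified handling the message above describes, written here for illustration; it is not ftp(1) code. The function and variable names are made up, the sample header value is the constructed "Wed, 21 Oct 2015 07:28:00 GMT", and the temp file path is an assumption. Because the timestamp comes from the remote server, the parser is strict: only the RFC 7231 IMF-fixdate form is accepted, the whole string must match, and anything malformed falls back to the default (local) timestamps, which is also what the new -u flag forces.

```c
#define _GNU_SOURCE		/* strptime(3), timegm(3), futimens(2) on glibc */
#include <sys/stat.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* Parse an IMF-fixdate such as "Wed, 21 Oct 2015 07:28:00 GMT" into a
 * UTC time_t.  Returns 0 on success, -1 if the header is absent or
 * malformed.  Server-supplied input: the whole string must match and
 * nothing may trail it.  The obsolete RFC 850 and asctime() date forms
 * are deliberately not accepted in this example. */
int
parse_last_modified(const char *value, time_t *when)
{
	struct tm tm;
	const char *end;

	if (value == NULL)
		return -1;
	memset(&tm, 0, sizeof(tm));
	end = strptime(value, "%a, %d %b %Y %H:%M:%S GMT", &tm);
	if (end == NULL || *end != '\0')
		return -1;
	*when = timegm(&tm);		/* fields are UTC, not local time */
	return *when == (time_t)-1 ? -1 : 0;
}

/* Stamp the downloaded file with the server's mtime; leave atime at now. */
int
apply_mtime(int fd, time_t when)
{
	struct timespec ts[2];

	ts[0].tv_sec = 0;
	ts[0].tv_nsec = UTIME_NOW;	/* atime: now */
	ts[1].tv_sec = when;		/* mtime: Last-Modified */
	ts[1].tv_nsec = 0;
	return futimens(fd, ts);
}

/* Create a scratch file as if just fetched, stamp it from the header,
 * and return the resulting mtime; -1 when the header is unusable. */
time_t
demo_stamp(const char *last_modified)
{
	char path[] = "/tmp/lastmod.XXXXXX";	/* assumed writable location */
	struct stat st;
	time_t when;
	int fd;

	if ((fd = mkstemp(path)) == -1)
		return -1;
	unlink(path);
	if (parse_last_modified(last_modified, &when) == -1 ||
	    apply_mtime(fd, when) == -1 || fstat(fd, &st) == -1) {
		close(fd);
		return -1;
	}
	close(fd);
	return st.st_mtime;
}

int
main(void)
{
	printf("mtime: %lld\n", (long long)demo_stamp("Wed, 21 Oct 2015 07:28:00 GMT"));
	printf("junk:  %lld\n", (long long)demo_stamp("21 Oct 2015"));
	return 0;
}
```

Parsing with timegm(3) rather than mktime(3) matters: the header is always GMT, and mktime would shift it by the local zone offset, so a mirror run from two hosts in different zones would produce different timestamps for the same file.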
|
|
Fixes a crash that can occur when a usb device is unplugged, found by edd@
|
|
|
|
|
|
Remove a trailing white space, don't misspell misconfiguration and
use https.
ok jmc, claudio
|
|
ok bket@ sthen@ (who initially suggested the if-not-native value under
a similar name)
|
|
this does fix the grep case
|
|
|
|
|
|
|
|
Fixes a bug where policies that only differ in their flow
configuration lead to a handshake error.
Found by claudio@
ok patrick@
|
|
Use ppoll(2) instead of poll(2) in default_route_index(). Using
ppoll(2) here forces us to use clock_gettime(2) to measure the
timeout, which is less error-prone than using time(3).
Part of a larger campaign in dhclient(8) to make "time stuff" more
accurate and robust.
Prompted by krw@. Based on a diff from krw@.
ok krw@
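One way to do what the two dhclient(8) ppoll(2) messages above describe (timeouts as named timespecs, an absolute deadline taken from clock_gettime(2), and ppoll(2) instead of poll(2)), as an added example that is not dhclient code. The names, the 50 ms value and the pipe used as a stand-in for a socket are all assumptions made for this illustration.

```c
#define _GNU_SOURCE		/* exposes ppoll(2) on glibc; no effect on OpenBSD */
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>

/* Timeouts kept as named timespecs, not as macros scattered in the logic.
 * The 50 ms value is an arbitrary choice for this example. */
static const struct timespec LINK_TIMEOUT = { 0, 50 * 1000 * 1000 };

/* deadline - now, clamped at zero: a deadline already in the past gives
 * {0,0} (a non-blocking ppoll), never a negative, invalid timeout. */
struct timespec
ts_remaining(const struct timespec *deadline, const struct timespec *now)
{
	struct timespec r;

	r.tv_sec = deadline->tv_sec - now->tv_sec;
	r.tv_nsec = deadline->tv_nsec - now->tv_nsec;
	if (r.tv_nsec < 0) {
		r.tv_sec--;
		r.tv_nsec += 1000000000L;
	}
	if (r.tv_sec < 0)
		r.tv_sec = r.tv_nsec = 0;
	return r;
}

/* Same subtraction, returned in nanoseconds for easy checking. */
long long
remaining_ns(time_t dsec, long dnsec, time_t nsec, long nnsec)
{
	struct timespec d = { dsec, dnsec }, n = { nsec, nnsec }, r;

	r = ts_remaining(&d, &n);
	return (long long)r.tv_sec * 1000000000LL + r.tv_nsec;
}

/* now + timeout on CLOCK_MONOTONIC, which never jumps the way time(3) can. */
int
ts_deadline(const struct timespec *timeout, struct timespec *deadline)
{
	if (clock_gettime(CLOCK_MONOTONIC, deadline) == -1)
		return -1;
	deadline->tv_sec += timeout->tv_sec;
	deadline->tv_nsec += timeout->tv_nsec;
	if (deadline->tv_nsec >= 1000000000L) {
		deadline->tv_sec++;
		deadline->tv_nsec -= 1000000000L;
	}
	return 0;
}

/* Wait until fd is readable: 1 readable, 0 deadline passed, -1 error.
 * The deadline is absolute, so a signal (EINTR) only recomputes what is
 * left; a relative poll(2) timeout would silently restart from scratch. */
int
wait_readable(int fd, const struct timespec *deadline)
{
	struct pollfd pfd = { fd, POLLIN, 0 };
	struct timespec now, left;
	int n;

	for (;;) {
		if (clock_gettime(CLOCK_MONOTONIC, &now) == -1)
			return -1;
		left = ts_remaining(deadline, &now);
		n = ppoll(&pfd, 1, &left, NULL);
		if (n == -1 && errno == EINTR)
			continue;
		if (n <= 0)
			return n;		/* 0 timeout, -1 error */
		if (pfd.revents & (POLLIN | POLLHUP | POLLERR))
			return 1;
	}
}

/* Pipe nobody writes to (with_data == 0) or with one byte queued (1). */
int
demo_wait(int with_data)
{
	int p[2], r;
	struct timespec deadline;

	if (pipe(p) == -1 || ts_deadline(&LINK_TIMEOUT, &deadline) == -1)
		return -1;
	if (with_data && write(p[1], "x", 1) != 1)
		return -1;
	r = wait_readable(p[0], &deadline);
	close(p[0]);
	close(p[1]);
	return r;
}

int
main(void)
{
	printf("idle pipe: %d, pipe with data: %d\n", demo_wait(0), demo_wait(1));
	return 0;
}
```

The point of the absolute deadline is the EINTR path: with poll(2) and a millisecond count, each restart after a signal waits the full interval again, so a process that is signalled often can overshoot its timeout without bound.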
|
|
variables used here instead of using the ones from config.c.
ok deraadt@, kn@
|
|
OK bluhm@, claudio@, mpi@, semarie@
|
|
ok eric jsing
|
|
|
|
needed for >= linux 5.9 dtbs on bbb
ok kettenis@
|
|
short TCP segments or fragments encapsulated in ESP instead of
fragmented ESP packets. Pass the don't fragment flag down along
the stack so that dynamic routes with MTU are created eventually.
with and OK markus@; OK tobhe@
|
|
|
|
|
|
Allows to check the existence of a variable in predicates, making it
possible to trace syscall latency, as follows:
syscall:select:entry
{
	@start[pid] = nsecs;
}
syscall:select:return
/@start[pid]/
{
	@usecs = hist((nsecs - @start[pid]) / 1000);
	delete(@start[pid]);
}
|
|
bInterfaceNumber and bAlternateSetting as follows:
ifaceidx -> ifaceno
altidx -> altno
Suggested and ok mpi@
|
|
there are no other detached sessions to switch to, from Sencer Selcuk in
GitHub issue 2553.
|
|
Otherwise this `pxi' can be killed by a concurrent thread after a context
switch caused by the following netlock.
ok yasuoka@
|
|
OpenBSD 6.7 npppd(8) can't work over tun(4).
ok yasuoka@
|
|
ok bluhm@ dlg@
|
|
clean up FILES while here
ok claudio for the former
|
|
|