| Age | Commit message (Collapse) | Author |
|---|
|
Also reorder the RTF_HOST vs netmask check. RTF_HOST wins if both are set.
Makes the code a bit neater.
OK tb@
|
|
OK tb@
|
|
When a session is established determine the possible interface scope of that
session. The scope is only set when the remote address is directly connected.
This interface scope is passed to the RDE that uses this information when
link-local nexthops are received. Again checking that a link-local nexthop
is actually acceptable.
OK tb@
|
|
Signify is happy to overwite the file with the signature stripped off.
However, if we do that, when downloading firmware we lose the ability
to check the signature before verifying checksums on the downloaded files.
Noticed by Thomas <exnihilo () fastmail ! org>
Right deraadt@
|
|
Passing the peer description as part of the format string was a bad idea
since the peer description may include some % signs (e.g. for link local
IPv6 addresses). So instead of asprintf a new fmt string use vasprintf
to get the message and then use logit("%s: %s", peer_info, msg).
OK tb@
|
|
The ability to constrain a RPKI Trust Anchor's effective signing
authority to a limited set of Internet Number Resources allows
Relying Parties to enjoy the potential benefits of assuming trust,
within a bounded scope.
Some examples: ARIN does not support inter-RIR IPv6 transfers, so
it wouldn't make any sense to see a ROA subordinate to ARIN's trust
anchor covering RIPE-managed IPv6 space. Conversely, it wouldn't
make sense to observe a ROA covering ARIN-managed IPv6 space under
APNIC's, LACNIC's, or RIPE's trust anchor - even if a derived trust
arc (a cryptographically valid certificate path) existed. Along these
same lines, AFRINIC doesn't support inter-RIR transfers of any kind,
and none of the RIRs have authority over private resources like
10.0.0.0/8 and 2001:db8::/32.
For more background see:
https://datatracker.ietf.org/doc/draft-snijders-constraining-rpki-trust-anchors/
https://mailman.nanog.org/pipermail/nanog/2023-September/223354.html
With and OK tb@, OK claudio@
|
|
|
|
If DNS lookup for a remote loghost configured in syslog.conf did
not work at startup, the entry was ignored. Better retry the lookup
in intervals until it succeeds. Improve debug output to print IP
address after resolution. Unify retry code that resolves DNS for
UDP and connects to TCP server.
testing and feedback from Paul de Weerd; OK deraadt@
|
|
Link: https://marc.info/?l=openbsd-tech&m=169695435209410&w=2
ok mpi@
|
|
path is actually eligible. If this is not the case pass NULL instead.
This is an optimisation to bypass extra work if both old and new path
were ineligible.
OK tb@
|
|
This should fix a fatal error reported by Arend Brouwer (arend at eritap com)
when "announce add-path send all" is used.
As a workaround "announce add-path send best plus 500" can used.
OK tb@
|
|
The autoinstall(8) response file contains only non-defaults, except for
Set name(s)? (or 'abort' or 'done') [done] done
which is the hardcoded default since 2009.
Added in 2019 r1.23 "Let sysupgrade(8) create auto_upgrade.conf file [...]"
with all others, remove the exception.
OK florian
|
|
Extend it slightly: do not stub quirks, so that caching mechanisms work
as usual even when using stubs.
|
|
|
|
|
|
ext-communities was put into the wrong place in the loop finding
start, end and number of communities to dump. As a result the end
pointer for regular communities can point at an ext-community and
with that the COMMUNITY attribute written includes unexpected extra
bytes. This in turn causes the peer to send a NOTIFICATION error
and to terminate the session.
Fix for -portable issue #64 reported by Pier Carlo Chiodi (pierky)
OK tb@
|
|
Since listener->port is in network byte order we need to compare
against htons(587). The fix for this got dropped in the rewrite
in revision 1.335.
|
|
|
|
The code in get_alternate_addr() checked for sa_cmp() == 0 but actually
sa_cmp() returned 1 for equal addrs. So rename the function to sa_equal()
to make it clear that a true return value means equality.
Found by Asa Yeamans (enigma2e at rivin net)
OK tb@
|
|
|
|
|
|
happens regardless.
Add a third one to only disregard base libraries
|
|
allows me to redefine methods to not do a thing
(maybe this will migrate to its own file if it grows enough)
|
|
|
|
|
|
and just say that instead of a dauntingly long list of packages
|
|
|
|
|
|
|
|
behaviour in accordance with man page. Introduce '-v' option to make
output more verbose.
Do a little refactoring to make code more consistent with other daemons
like ospfd(8), httpd(8), relayd(8), etc.
Feedback from bluhm benno
ok bluhm
|
|
|
|
|
|
|
|
bgpctl before calling strlcpy() with that string.
OK tb@ some long time ago
|
|
If installing firmware with `make install` from a port, it doesn't register
properly by adding "@option firmware" to the packing list, this means we ignore
that it is installed and reinstall it over and over with the registration
ending up in a tmpdir named directory inside the existing directory in
/var/db/pkg.
Unfortunately I don't know of a good way to automatically clean up from that,
so we just print a message after installing the actual firmware.
Reported by job@
No complaints about the patch on tech@ for several weeks.
|
|
Otherwise the exit status depends on whether we kept any firmware.
Reported by Brian Conway <bconway () rcesoftware ! com>
The clean solution suggested by guenther@
|
|
Previously if you did: fw_update otus-firmware-1.0p1.tgz
and that firmware didn't exist in the current directory,
we would download that firmware into the current directory.
Which is not the expected outcome.
|
|
The logging output from vmd(8) often specifies the function performing
the logging, but leaves which vm or vm device to guesswork and
reading tea leaves.
Change the logging formatting to prefix with information about the
specific vm and potentially the device subprocess. Most of this
logging is behind the "verbose" mode, but for warnings this will
clarify which vm or device logged the warning.
The format of vm/<name>/<device><index> is chosen to be concise and
less ugly than other approaches. This adjusts the process naming
for devices to match, dropping the use of brackets.
In the process of this change, updating log settings dynamically
via vmctl(8) is fixed by properly broadcasting that information to
the device subprocesses. The "vmm" process also now updates its own
state properly, so settings survive vm reboots.
ok mlarkin@
|
|
When vcpu threads pause, they are holding the run mutex lock. If
the event thread is asked to assert an irq on the pic and interrupts
are pending, it will try to take the run mutex lock on the vcpu.
This deadlocks.
Release the lock in the vcpu thread before waiting on the pause
condition variable.
ok mlarkin@
|
|
The previous commit used suboptimal variable names for ease of review.
Fix this up now.
ok claudio
|
|
An upcoming diff requires the ability to convert ASIdentifiers and
IpAddrBlocks into rpki-client's internal structures. Accordingly,
split already existing code into dedicated parsing functions . The
original functions now only extract the extension-specific data from
the X509_EXTENSION.
input/ok claudio
|
|
This will be needed by an upcoming feature where we will need to know
what trust anchor a given cert chains to. This doesn't change anything
except the size of the diff.
ok claudio job
|
|
OK tb@
|
|
Some log messages incorrectly said "vionet" or "vioblk". Fix based
on the context.
|
|
Some guests cause a warning message during a shutdown. Log the vmd
vm id and not the kernel vmm id as it's next to useless to the end
user. This has annoyed me too much.
|
|
|
|
|
|
OK mpi@
|
|
|
|
Upstream LLVM decided to drop the -dc flag and keep its -d alias for
some time:
https://github.com/llvm/llvm-project/commit/0688b00fc39fe87ec6dd3d37a732d067ff487f16
So this is only a workaround to let us update llvm to a recent release.
We'll probably need another fix not so distant future. Another approach
would be to just drop -dc from the linker invocation, and use
cc -fno-common when building instbin with base-gcc (already the default
with base-clang). But this approach needs more testing than I can
provide, as deraadt@ feared it would break in subtle ways.
ld -d compat alias pointed out by robert@, ok robert@
|
