OK tb@
|
|
For this use the validation state (vstate) in struct prefix and
struct filterstate to store both the ASPA and ROA validity.
Introduce helper functions to set and get the various states for
struct prefix and make sure struct filterstate is also set up properly.
Change the ASPA state in rde_aspath to be AFI/AID and role independent
by storing all 4 possible outcomes. Also add an ASPA generation count
which is used to update the rde_aspath ASPA state cache on reloads.
Rework the rde_aspa.c code to be AFI/AID and role independent. Doing
this for roles is trivial but AFI switch goes deep and is so unnecessary.
The reload is combined with the ROA reload logic and renamed to RPKI
softreload.
OK tb@
|
|
For recent devices amdgpu matches via the hardware ip discovery table,
not with a table of pci vendor and product ids.
So amdgpu_devlist.h and pcidevs do not cover all devices that amdgpu
may match.
In dmesg, amdgpu with an unknown product takes the form:
ramdisk kernel, bios/mbr:
vga1 at pci12 dev 0 function 0 vendor "ATI", unknown product 0x687f rev 0xc3
ramdisk kernel, efi or non-x86 arch:
vendor "ATI", unknown product 0x687f (class display subclass VGA, rev 0x03) at pci12 dev 0 function 0 not configured
non-ramdisk kernel:
amdgpu0 at pci12 dev 0 function 0 vendor "ATI", unknown product 0x687f rev 0xc3
ok deraadt@ on an earlier version
|
|
Multiple error paths, specifically the one related to if a guest
cannot allocate memory at start, resulted in a known vm (via
vm.conf(5)) being removed from the vm list. Adjust the error paths
to check if the failing vm is defined in the config before tearing
it down.
Tested with help from beck@ and Mischa Peters.
ok beck@
|
|
Feedback from jmc and Crystal Kolipe
OK jmc
|
|
needed.
OK tb@
|
|
keyword.
OK tb@
|
|
|
OK tb@
|
|
to the various prefix update functions.
While there fix a filterstate leak in up_generate_updates().
With and OK tb@
|
|
and by making peer_imsg_pending() a true O(1) function.
OK tb@
|
|
roa-set and aspa-set by default. So make the man page less specific.
OK tb@ job@ kn@
|
|
In x509_verify.c r1.62, beck disabled policy checks by default in the new
X.509 verifier to match the behavior of the legacy validator and OpenSSL.
In order to keep policy checks as mandated by RFC 7318, we need to opt
into them explicitly.
ok beck
|
|
OK tb@
|
|
RDE. The actual reload logic is missing to keep the diff small.
OK tb@
|
|
riscv64 efiboot already supports booting from softraid volumes.
These installboot bits make sure that the boot loader will be installed on
chunk devices rather than the volume for root on softraid installations,
i.e. full boot support for riscv64, just like amd64, arm64 and sparc64.
regress is happy.
OK kettenis
|
|
Found by and fix provided by Zenon Mousmoulas (@zmousm)
|
|
Have the parent process open /dev/vmm and send the fd to the vmm
child process. Only the vmm process and its resulting children
(guest vms) need it for ioctl calls.
ok kn@
|
|
Change the way the validated ASPA tree is built since OpenBGPD config
follows more the ASPA profile and puts the optional AFI to each provider
ASnum instead of duplicating everything into an IPv4 and IPv6 tree.
The JSON output of ASPA is still the same.
The inclusion of the aspa-set can currently be disabled by the -A flag.
OK tb@
|
|
- rde_filterstate_init(): initialize a filterstate to default values
- rde_filterstate_copy(): copy from a filterstate into a new state object
- rde_filterstate_prep(): set filterstate based on prefix passed as argument.
This makes the code a bit easier to read.
OK tb@
|
|
Removes vstate argument from rde_filter().
Rename prefix_vstate() to prefix_roa_vstate().
OK tb@
|
|
This implements ASPA validation based on the current draft. Implementing
this showed various weaknesses in the current ASPA draft which I hope to
fix in the near future.
Unlike the algorithm specified in the draft, our version validates the
AS_PATH attribute in a single path doing one or two lookups depending on
the session's BGP role.
The code is not yet hooked up into the RDE (see the NOTYET blocks).
Missing are reload logic, bgpctl integration and the loading of the
merged ASPA set from the rtr process.
OK tb@
|
|
OK claudio@
|
|
ok guenther@.
|
|
ok yasuoka
|
|
Swap repo_id and filename to simplify the code in parser.c. In filemode
both repo_id and filename are ignored.
Additionally do not errx() in case of unknown file types. Instead send back
enough info that the code can move on.
OK tb@
|
|
|
OK tb@
|
|
of some files in NetBSD. Make the same changes here.
https://mail-index.netbsd.org/source-changes/2017/06/03/msg084953.html
https://mail-index.netbsd.org/source-changes/2017/06/03/msg084955.html
https://mail-index.netbsd.org/source-changes/2019/12/02/msg111431.html
https://mail-index.netbsd.org/source-changes/2019/12/02/msg111432.html
|
|
This somewhat replaces the RFC 9234 open policy role. This is done because
ASPA requires the same role to be present to properly validate paths.
For iBGP sessions the role is forced to ROLE_NONE. If no role is set on
an ebgp session then 'announce policy' is forced to 'no'.
Also make sure the role capability is only added if the role is set.
OK tb@
|
|
RFC 8182 requires the session_id to be a version 4 random UUID (using
variant 1). Now checking the version and variant is currently disabled
because there is at least one CA with a session_id that is all random
and therefore the version check triggers there.
Joint work with job@. OK job@, tb@
|
|
NetBSD fsck.8 rev 1.35 fsutil.h rev 1.14 pathnames.h rev 1.2
netgroup_mkdb.8 rev 1.9 netgroup_mkdb.c rev 1.18 str.c rev 1.7
str.h rev 1.4 rdate.8 rev 1.11 rdate.c rev 1.19 extern.h rev 1.14
getnetgrent.c rev 1.41 netgroup.h rev 1.10
fparseln.3 rev 1.4 fparseln.c rev 1.10
our stringlist.c/stringlist.h are derived from getnetgrent.c
rfc868time.c from rdate.c
newfs/pathnames.h from fsck/pathnames.h
https://mail-index.netbsd.org/source-changes/2009/10/21/msg002182.html
Not all files are covered as some had copyright assigned to TNF in 1998.
|
|
OK tb@ claudio@
|
|
any parts of his diff not taken are noted on tech
|
|
Prefer setitimer(2)+sigsuspend(2) to nanosleep(2) when performing
periodic work. The latter drifts.
Link: https://marc.info/?l=openbsd-tech&m=167068674625838&w=2
ok millert@
|
|
OpenBSD coding practices (fork+exec/privsep/pledge/...). It is only
intended to replace the lpd(8) daemon for the moment, not the lpr(1),
lprm(1), lpq(1) and lpc(8) commands.
This is a work in progress. The server part should be fairly functional,
but the printer part is not complete: remote printers should work, for
local printers it depends on the setup. Anyway, at this point it's better
in the tree than rotting on my disk.
ok deraadt@
|
|
Do not consider comments and whitespace leading up to a comment as part
of the line.
ok claudio job
|
|
- Exclude the role capability on ibgp sessions when sending an OPEN
- Warn when a role capability is received on an iBGP session
- Make sure the capability negotiation is skipped for ibgp sessions,
this in turn disables the role capability on the session.
OK tb@
|
|
Problem reported by Wouter Prins. Initial diff by kn@
OK remi@
|
|
When booting guests with SeaBIOS, vmd(8) supplied details about the
available guest memory via CMOS registers. Consequently, we've been
carrying some patches in the ports tree to SeaBIOS to fetch this
information like it's the 1990s.
When a vm initializes memory ranges, we now track what each range
represents. This information can be used to supply the e820 memory
map to SeaBIOS via the fw_cfg interface allowing it to properly
communicate memory ranges to a guest operating system. (This will
also allow us to drop some patches from the port.)
Given the ranges can now be marked with a purpose, this also allows
vmm(4) to switch from hard-coded mmio ranges and instead let the
information on the memory range dictate if vmm should be handling
a page fault or sending to vmd for a memory assist.
Tested by Mischa Peters and others. OK mlarkin@.
|
|
The original virtio device implementation relied on allocating a
buffer on heap, copying the virtqueue from the guest, mutating the
copy, and then overwriting the virtqueue in the guest.
While the approach worked, it was both complex and added extra
overhead. On older hardware, switching to the zero-copy approach
can show a noticeable performance improvement for vionet devices.
An added benefit is this diff also reduces the amount of code in
vmd, which is always a welcome change.
In addition, change to talking about the queue pfn and not "address"
as the virtio-pci spec has drivers provide a 32-bit value representing
the physical page number of the location in guest memory, not the
linear address.
Original idea from dlg@ while working on re-adding async task queues.
ok dlg@, tested by many
|