path: root/usr.sbin
Age         Commit message  (Author)

2021-07-08  typo: hibenate -> hibernate  (Theo Buehler)

2021-07-01  remove useless and confusing log message when client has no certificate  (Eric Faurot)
    ok millert@

2021-06-30  use @ to silently execute "exec make"  (Theo de Raadt)

2021-06-29  Flip the -r RRDP switch, which went through community testing for half a year.  (Theo de Raadt)
    Default is now to attempt RRDP first, then try RSYNC. If problems show up, return to rsync-only behaviour with -R, and file a report. ok claudio

2021-06-28  Have tcpdump split the 802.11 sequence number field into its sequence number  (Stefan Sperling)
    and fragment number components instead of printing the whole field in decimal. ok sthen@ kn@ jca@

2021-06-28  placeholder for later  (Marc Espie)

2021-06-28  Garbage collect loop index i which is no longer used after usage tweak.  (Theo Buehler)

2021-06-28  remove old "paranoid" option, I'm pretty sure nobody uses it.  (Marc Espie)
    refactor the code into figuring out simple updates: if we don't have any @execs but just @tags, we can probably do something simpler wrt temporary files and temporary filenames, which should speed up texlive updates significantly. (the tempfile code is not there yet, just the check for safe updates)

2021-06-28  Also show the time spent in userland when analyzing the kernel stack  (Alexander Bluhm)
    in flame graph. Only when both kernel and userland are displayed, the whole picture of system activity becomes clear. Fixes a parsing bug in the flame graph tool where userland time was interpreted as invalid kernel stack. OK kn@

2021-06-27  reuse armv7 installboot for riscv64  (Jonathan Gray)
    ok deraadt@

2021-06-26  make usage less chatty; ok mlarkin  (Jason McIntyre)

2021-06-26  make SYNOPSIS match usage; ok ajacoutot  (Jason McIntyre)

2021-06-26  delete extra explanations in the usage: messages which are described  (Theo de Raadt)
    far better in the manual pages ok jmc

2021-06-25  The network flush code only operates on peerself (like all the other  (Claudio Jeker)
    network commands). Instead of passing the peer as argument to the tree walker just default to peerself in network_flush_upcall(). OK benno@

2021-06-25  Do the multiprotocol check first for the IPv4 case. So it is the same  (Claudio Jeker)
    everywhere. OK benno@

2021-06-24  Simplify the multiprotocol handling by moving the while loops out of the  (Claudio Jeker)
    switch statement. This way common code is referenced only once. OK sthen@

2021-06-24  aspath_deflate() did free the passed in data but since the way aspaths  (Claudio Jeker)
    are processed in the Adj-RIB-Out this is no longer needed since the passed in pointer is still referenced and is not allowed to be freed. Adjust the mrt code similar to how up_generate_attr() uses aspath_deflate(). OK sthen@

2021-06-24  Fix add-path capability encoding, the length was not correctly calculated  (Claudio Jeker)
    because it included two extra bytes (copy-paste error from graceful restart).

2021-06-23  btrace(8): init and update timespec for BEGIN/END event  (dv)
    BEGIN and END use a fake dt(4) event, so in order to use the nsecs var or time() it needs a timespec set. Init for BEGIN and update at END. ok mpi@

2021-06-22  reduce verbosity in usage and make it match SYNOPSIS;  (Jason McIntyre)
    ok millert

2021-06-22  reduce verbosity of usage(), making it match SYNOPSIS;  (Jason McIntyre)
    ok kettenis

2021-06-21  under some circumstances, we end up with libexecinfo -> BaseSystem being  (Marc Espie)
    recorded as a new dependency. Even though ForwardDependencies normally takes care of that, with tags, this is not enough. (this happens only because libexecinfo was a "tight" dependency, thus resulting in a large UpdateSet, and when some of the objects did require tags in the new package, and when the order of things meant that BaseSystem was considered a bit early). Since there's no handle at this point, a dirty but efficient test vs BaseSystem will do (which is not a valid normal package name anyhow). Tested to fix the obnoxious warning landry@ saw, which I was able to reproduce on a box...

2021-06-21  vmd(8): support variable length vionet rx descriptor chains  (dv)
    The original implementation of the virtio network device assumed a driver would only provide a 2-descriptor chain for receiving packets. The virtio spec allows for variable length chains and drivers, in practice, construct them when they use a sufficiently large MTU. This change lets the device use variable length chains provided by the driver, thus allowing for drivers to set an MTU up to the underlying host-side tap(4)'s limit of TUNMRU (16384). Size limitations are now enforced on both tx and rx side, dropping anything violating the underlying tap(4) min and max limits. More work is needed to increase the read(2) buffer in use by vmd to prevent packet truncation. OK mlarkin@

2021-06-20  Change default user auth to hmac-sha256 and enc to aes.  (Martijn van Duren)
    The old defaults are just not sane anymore. OK sthen@

2021-06-20  Tighten default security for snmpd(8). This is done by doing several  (Martijn van Duren)
    things:
    - Only allow SNMPv3 by default. SNMPv1 and SNMPv2c can be enabled by setting the new snmpv* flags on the "listen on" statements.
    - Remove the default community names. They're not secure to use.
    - Change the default seclevel to enc.
    Initial idea, help from and OK sthen@

2021-06-20  Move towards a 7.1 OpenBGPD release  (Claudio Jeker)

2021-06-17  vmd(8): handle VIRTIO_BLK_T_GET_ID, check descriptor r/w flags  (dv)
    Linux guests like to issue VIRTIO_BLK_T_GET_ID commands in attempts to read the device serial number. It's not part of the virtio spec, but has been part of QEMU and Bhyve for multiple years. It will be landing in the next version of virtio (1.2), so this stubs out handling for the request type. The added benefit is it helps squelch log noise from Linux guests. For now, no serial number is set and the request status is set to VIRTIO_BLK_S_UNSUPP to tell the driver we don't support it. While here, swap the response to VIRTIO_BLK_T_FLUSH{,_OUT} to be also returning VIRTIO_BLK_S_UNSUPP. It's not negotiated nor implemented. Lastly, add checks for validating the vioblk device is only reading/writing descriptors with appropriate read/write-only flags per the virtio spec. With input from claudio@, OK mlarkin@

2021-06-17  Implement RFC 7313 enhanced route refresh. It is off by default and  (Claudio Jeker)
    can be enabled with 'announce enhanced refresh yes'. Similar to graceful restart this allows to mark routes as stale, refresh them and then flush out routes that are still stale. Enhanced route refresh uses a begin of rr and an end of rr message to signal the various stages. A future enhancement would be the addition of a timeout in case the EoRR message is not sent in reasonable time. OK denis@ job@

2021-06-17  Add simple BGP Enhanced Route Refresh Message decoding  (job)
    seems OK claudio@

2021-06-17  Refactor common code for peer filtering out into rde_skip_peer()  (Claudio Jeker)
    and use it in the two places that need to keep in sync. OK sthen@

2021-06-17  Add a bit of extra paranoia before the up_generate_updates() call in  (Claudio Jeker)
    rde_up_dump_upcall(). This is the 4th place up_generate_updates() is called.

2021-06-17  In Rev 1.511 I moved peer related checks from inside up_generate_updates()  (Claudio Jeker)
    to rde_generate_updates() but forgot to add the same checks to rde_softreconfig_out(). As a result a config reload could result in prefixes for a not-negotiated address family to leak into the Adj-RIB-Out. Adjust both rde_generate_updates() and rde_softreconfig_out() to use the same filter logic. Also adjust rde_up_flush_upcall() to pass the peer as argument instead of using prefix_peer(). The up_generate_updates() call there does not need any filtering since the walker runs on the Adj-RIB-Out and just withdraws everything. OK job@ on a previous diff

2021-06-17  Better error message when a bad nexthop is passed to nexthop_hash().  (Claudio Jeker)
    OK job@

2021-06-17  Before adding a prefix to the Adj-RIB-Out modify the attributes to the  (Claudio Jeker)
    ones being sent out. Mainly prepend the ASPATH if needed and also change the nexthop to the one being sent. This should make the `bgpctl show rib out` output show the values the peer receives. OK job@

2021-06-16  cleanup vmd(8) includes and header files  (dv)
    Lots of organic growth over the years led to unnecessary includes (proc.h everywhere) and odd dependencies between header files. This cleans things up a bit to help with upcoming cleanup around dhcp code. No functional change. "go for it" mlarkin@

2021-06-16  Add command line option to show the version  (job)
    OK claudio@

2021-06-16  Implement classless static routes dhcp option.  (Florian Obser)
    For this we need to be able to handle multiple routes being sent from the engine to the main process as well as to the control tool. The configuration of the various cases (default route, directly connected routes, non-default route via a gateway) was inspired by dhclient's set_routes() and should behave the same way. Tested by Uwe Werler

2021-06-15  Filter out packets that are not IPv4. This code came from dhcp programs  (Claudio Jeker)
    where this filtering was done in bpf but here vmd needs to make sure to not look at non IPv4 packets. OK florian@ and dv@

2021-06-14  add required headers for smtpd.h and remove unnecessary ones in other files.  (Eric Faurot)
    ok jung@

2021-06-14  snmpd.conf(5): fix typo/plurals and tweak wording. ok jmc martijn  (Stuart Henderson)

2021-06-14  Fix ROA & MFT version check handling  (job)
    This check was incomplete: to correctly verify the ASN1 INTEGER holding the version component, first the context specific explicit tag would need to be checked. However, the X.690 spec (section 11.5) states that one should not encode a component if it is the default value. There are no RFCs specifying new versions of ROA or MFT, so checking the content of the version component should be skipped entirely. Thus if the version component is present, something is wrong.

2021-06-14  Change errors for file manipulations from err(3) to warn(3) and adjust the  (Claudio Jeker)
    surrounding code to handle these errors gracefully. When rpki-client runs out of space it will keep on running including the cleanup at the end. This way the temporary and old files are removed, hopefully giving back some space. This affects mainly RRDP and the initial fetch of TA files. OK job@

2021-06-14  Do a fstatvfs() call to figure out if the filesystem used for the cache  (Claudio Jeker)
    is large enough for the cache. People like to build VM images with way too small filesystems and so warning about this situation should help. With deraadt@ and job@

2021-06-11  vmd(8): deduplicate vioblk command logic  (dv)
    No need for each case in the switch block to have the same logic for updating the used ring and writing the state back to the guest. Move it outside the switch. No functional change. ok mlarkin@

2021-06-10  vmctl(8)/vmd(8): communicate TERMINATE_VM_EVENT imsgs on vm stop.  (dv)
    Instead of translating imsg types, update vmctl(8) to handle receiving IMSG_VMDOP_TERMINATE_VM_EVENT messages on vm termination. This finishes the work previously committed for supporting multiple waiters or the cancellation of a client waiting on a vm shutdown. vmd no longer needs to translate an IMSG_VMDOP_TERMINATE_VM_RESPONSE into an *_EVENT. ok mlarkin@

2021-06-08  vmd(8): malicious dhcp packets on local ifs can cause stack overflows  (dv)
    A sufficiently large dhcp packet can cause a stack overflow in vmd's internal dhcp server used for providing ip addresses to local guest interfaces. (This does not affect non-local interfaces.) The primary changes drop larger packets and change the memory copying logic to use a compile-time constant. The dhcp option processing also gains additional prevention for out of bound reads. While here, improve construction of the dhcp response's hostname handling to guard against overflowing the response dhcp options. Vulnerability reported by Maxime Villard. ok claudio@

2021-06-07  btrace(8): add "cpu" to long conversion  (dv)
    Special values need to be translated to longs for use with functions like hist/lhist. Add "cpu" to conversion list. ok mpi@

2021-06-07  tweak previous: avoid markup and refer to an HTTP header only by its  (Theo Buehler)
    name as is done elsewhere on this page. pointed out by jmc

2021-06-06  appease mandoc -Tlint  (Theo Buehler)

2021-06-06  Add .Pp for consistency with all other config blocks.  (Theo Buehler)