Age | Commit message | Author
the NON_DEFAULT_CONTEXT set. Remove the argument from ax_response().
OK tb@
elements.
OK tb@
favour of 'blocklist pfTblAddrTable'.
OK tb@
value here since *olen is (conditionally) set a few lines later to the
same value as xoff.
Should fix the CodeQL warnings because *olen is dereferenced without
proper NULL check.
OK tb@
to be used with REGRESSION_TESTING, where it's somewhat inconvenient to
know the full list in advance.
attributes of the response properly.
BPFTrace's exit() statement executes the END probe (if any) and prints
the contents of all non-empty maps before terminating the interpreter.
Implement this in btrace(8) with a halting check after each statement.
If a statement causes the program to halt, the condition bubbles up to
the top-level evaluation loop and causes rules_teardown() to run
immediately.
btrace(8) still performs a full rules_setup() if exit() is called
during the BEGIN probe, though the top-level evaluation loop is never
run.
One edge-like case: an exit() from the END probe is treated as an
early return; END is not executed multiple times.
Thread: https://marc.info/?l=openbsd-tech&m=169765169420751&w=2
ok mpi@
Now that syslogd handles delayed DNS lookups, also count dropped
packets to UDP loghosts. Although not every outgoing UDP packet
dropped along the path can be detected, the message makes the admin
aware that there is a local blind spot during startup.
Improve debug and log messages, especially if UDP logging is shut
down permanently. Also do not print 'last message repeated' if the
message was dropped.
OK deraadt@
ECDSA signatures are much smaller than RSA signatures while offering
similar security. Adding support for P-256 now allows CA developers
to test their implementations, and paves the way for signers in the
production environment in the future to take advantage of ECDSA.
OK tb@
is still better to check for error.
OK tb@
More yak shaving required which will follow.
OK tb@
OK tb@
While alphabetic order makes sense, having inherit between individual
AS and IP entries and ranges makes little sense. Use the order that we
have elsewhere.
ok claudio job
Avoid conditional early returns and significantly simplify the printing
of ip addresses/ranges by using the new ip_warn(). This also eliminates
an extremely weird usage of the comma operator and reduces noise levels
quite a bit.
ok claudio job
Avoid early returns and use a single copy of the warning by reworking
the control flow through two nested switches.
ok claudio job
Also reorder the RTF_HOST vs netmask check. RTF_HOST wins if both are set.
Makes the code a bit neater.
OK tb@
OK tb@
When a session is established determine the possible interface scope of that
session. The scope is only set when the remote address is directly connected.
This interface scope is passed to the RDE that uses this information when
link-local nexthops are received. Again checking that a link-local nexthop
is actually acceptable.
OK tb@
Signify is happy to overwrite the file with the signature stripped off.
However, if we do that, when downloading firmware we lose the ability
to check the signature before verifying checksums on the downloaded files.
Noticed by Thomas <exnihilo () fastmail ! org>
Right deraadt@
Passing the peer description as part of the format string was a bad idea
since the peer description may include some % signs (e.g. for link local
IPv6 addresses). So instead of asprintf a new fmt string use vasprintf
to get the message and then use logit("%s: %s", peer_info, msg).
OK tb@
The ability to constrain a RPKI Trust Anchor's effective signing
authority to a limited set of Internet Number Resources allows
Relying Parties to enjoy the potential benefits of assuming trust,
within a bounded scope.
Some examples: ARIN does not support inter-RIR IPv6 transfers, so
it wouldn't make any sense to see a ROA subordinate to ARIN's trust
anchor covering RIPE-managed IPv6 space. Conversely, it wouldn't
make sense to observe a ROA covering ARIN-managed IPv6 space under
APNIC's, LACNIC's, or RIPE's trust anchor - even if a derived trust
arc (a cryptographically valid certificate path) existed. Along these
same lines, AFRINIC doesn't support inter-RIR transfers of any kind,
and none of the RIRs have authority over private resources like
10.0.0.0/8 and 2001:db8::/32.
For more background see:
https://datatracker.ietf.org/doc/draft-snijders-constraining-rpki-trust-anchors/
https://mailman.nanog.org/pipermail/nanog/2023-September/223354.html
With and OK tb@, OK claudio@
If DNS lookup for a remote loghost configured in syslog.conf did
not work at startup, the entry was ignored. Better retry the lookup
in intervals until it succeeds. Improve debug output to print IP
address after resolution. Unify retry code that resolves DNS for
UDP and connects to TCP server.
testing and feedback from Paul de Weerd; OK deraadt@
Link: https://marc.info/?l=openbsd-tech&m=169695435209410&w=2
ok mpi@
path is actually eligible. If this is not the case pass NULL instead.
This is an optimisation to bypass extra work if both old and new path
were ineligible.
OK tb@
This should fix a fatal error reported by Arend Brouwer (arend at eritap com)
when "announce add-path send all" is used.
As a workaround "announce add-path send best plus 500" can be used.
OK tb@
The autoinstall(8) response file contains only non-defaults, except for
Set name(s)? (or 'abort' or 'done') [done] done
which is the hardcoded default since 2009.
Added in 2019 r1.23 "Let sysupgrade(8) create auto_upgrade.conf file [...]"
with all others, remove the exception.
OK florian
Extend it slightly: do not stub quirks, so that caching mechanisms work
as usual even when using stubs.
ext-communities was put into the wrong place in the loop finding
start, end and number of communities to dump. As a result the end
pointer for regular communities can point at an ext-community and
with that the COMMUNITY attribute written includes unexpected extra
bytes. This in turn causes the peer to send a NOTIFICATION error
and to terminate the session.
Fix for -portable issue #64 reported by Pier Carlo Chiodi (pierky)
OK tb@
Since listener->port is in network byte order we need to compare
against htons(587). The fix for this got dropped in the rewrite
in revision 1.335.
The code in get_alternate_addr() checked for sa_cmp() == 0 but actually
sa_cmp() returned 1 for equal addrs. So rename the function to sa_equal()
to make it clear that a true return value means equality.
Found by Asa Yeamans (enigma2e at rivin net)
OK tb@
happens regardless.
Add a third one to only disregard base libraries
allows me to redefine methods to not do a thing
(maybe this will migrate to its own file if it grows enough)
and just say that instead of a dauntingly long list of packages
behaviour in accordance with man page. Introduce '-v' option to make
output more verbose.
Do a little refactoring to make code more consistent with other daemons
like ospfd(8), httpd(8), relayd(8), etc.
Feedback from bluhm benno
ok bluhm