Age | Commit message | Author |
|
the same time. So in case of a valid crl pass the CRL filename as entity
message to the parent process together with the MFT. This way the MFT and
CRL end up both in the valid cache even if some files in the MFT are missing.
On severe errors (like X.509 verify errors) the CRL is not moved since it
is not considered valid.
With and OK job@, tb@
|
|
Found by codechecker.
ok dv@
|
|
Now that we always try to load the CRL from both locations, we can deal
with loading the DER directly in proc_parser_mft_pre(), so shuffle the
code around to accomplish that. This should make an upcoming diff by
claudio a bit simpler.
ok claudio
|
|
ok jmc
|
|
This change makes proc_parser_mft_pre() -> parse_load_crl_from_mft()
search in both DIR_TEMP and DIR_VALID for a CRL with a matching SHA256
hash, increasing our chances of constructing a full publication point.
With and OK tb@ claudio@
|
|
The d2i functions are designed in such a way that the caller is responsible
to check if the entire buffer was consumed. Add checks on deserializing a
signed object to ensure the entire file has been consumed. Reject the file
if it has trailing garbage.
found by & ok job, ok claudio
|
|
- escape "An" as this is also a macro
|
|
Also drop largely irrelevant references like IPv6 and CIDR
(as we didn't reference IPv4 either), remove obsoleted RFCs and add
their successors.
|
|
GEN_OTHERNAME is the type of a GENERAL_NAMES, not of a DIST_POINT_NAME,
which needs naked numbers as there is no enum nor defines describing it.
claudio agrees
|
|
OK tb@ claudio@
|
|
ok job
|
|
Intel(R) does not appear in
cpu0: Intel Atom(R) x6425RE Processor @ 1.90GHz, 1895.90 MHz, 06-96-01
reported by patrick@ ok deraadt@
|
|
ok florian@ bluhm@
ok for vmd mlarkin@
|
|
to the remote end. With this the RDE has a chance to finish config reload
before the session to a new peer is established.
OK tb@
|
|
sending the IMSG_RECONF_DONE message to the RDE. The RDE does not depend
on the RTR config reload (in contrast to the SE).
The ROA / ASPA reload is async from the RDE config reload.
OK tb@
|
|
With this the newbest and oldbest arguments can go since the information
is part of the rib_entry. Especially the prefix in the rib_entry is
always valid so simplify some code in various functions below to use
this information.
OK tb@
|
|
Simplifies up_generate_updates(), up_generate_addpath() and
up_generate_addpath_all() a fair bit.
OK tb@
|
|
discussed with job
|
|
stat numbers, just send the peerid and have the RDE respond with the
stats. The control code will then merge these counters into the real
peer struct and send that to bgpctl. This reduces the number of bytes
sent around a fair bit.
OK tb@
|
|
vmd's SeaBIOS bootorder strings had hardcoded pci device ids, so
if a user added a network interface the bootorder strings didn't
line up with reality. Using vmctl(8) to boot from a cdrom (-B cdrom)
would fail, for instance, if attaching both a nic and a disk as
well.
This change scans the pci devices and finds the first of each type
to construct viable bootorder strings.
ok jan@
|
|
avoid using inet_pton(3) which doesn't support scoped ipv6 addresses, and use
getaddrinfo(3) instead.
ok millert@ florian@ kn@
|
|
OK bluhm@ deraadt@ jmc@
|
|
This makes the function definition match the prototype and silences a
clang-15 warning.
|
|
OK tb@ claudio@
|
|
with disabled pipex(4), because in such case npppd(8) successfully
establishes connection, but doesn't create corresponding interface, so
the traffic doesn't flow.
This is not applicable for pppac(4) interfaces, they work with disabled
pipex(4).
ok yasuoka@
|
|
but also reset the cache and start totally fresh. The RFC is exceptionally
vague about error handling but in most cases the cache state is enough
off after an error that a fresh restart makes most sense.
With and OK job@
|
|
OK claudio@
|
|
OK claudio@
|
|
On slower hosts, such as those in a nested virtualization scenario
of OpenBSD guest inside OpenBSD atop Linux KVM, ns8250 can cause a
race between the kevent firing and the vcpu being kicked by an
assert/deassert of the irq.
The end user experiences a "stuck" serial console and the host will
see a vmd process peg the cpu.
This change only toggles the irq if we were in a position of being
ready to receive data on the device so while the kevent might
continuously fire, the vcpu will not be kicked repeatedly.
OK mlarkin@
|
|
Use 2-byte ASnum encoding as a default when local-as/neighbor-as is used.
|
|
is auto-expanded or masked off.
Try to match against both 2- and 4-byte AS encoding and on insertion
check if expansion is actually possible and deny communities where both
community values are > USHRT_MAX.
OK tb@
|
|
Part of an ongoing effort to move userland-specific information out
of a kernel header and directly into vmd(8). No functional change.
ok mlarkin@
|
|
ports like "lang/chicken/core" do generate files like lang.chicken.core.lru
instead of lang.chicken.core (which can create confusion in people's mind)
do so transparently by reading the old file if need be, and removing it
afterwards.
Funny thing noticed by tb@
ok tb@, sthen@
|
|
This will show all invalid ASPA paths.
OK tb@
|
|
This adds avs (ASPA validation state) which can be 'unknown', 'valid'
or 'invalid'. It behaves similar to ovs but the ASPA validation state
of paths from iBGP sessions is 'unknown' and the role of the ebgp session
is important to get the right validation state.
OK tb@
|
|
OK tb@
|
|
For this use the validation state (vstate) in struct prefix and
struct filterstate to store both the ASPA and ROA validity.
Introduce helper functions to set and get the various states for
struct prefix and make sure struct filterstate is also setup properly.
Change the ASPA state in rde_aspath to be AFI/AID and role independent
by storing all 4 possible outcomes. Also add an ASPA generation count
which is used to update the rde_aspath ASPA state cache on reloads.
Rework the rde_aspa.c code to be AFI/AID and role independent. Doing
this for roles is trivial but AFI switch goes deep and is so unnecessary.
The reload is combined with the ROA reload logic and renamed to RPKI
softreload.
OK tb@
|
|
For recent devices amdgpu matches via the hardware ip discovery table,
not with a table of pci vendor and product ids.
So amdgpu_devlist.h and pcidevs do not cover all devices that amdgpu
may match.
in dmesg amdgpu with an unknown product takes the form:
ramdisk kernel, bios/mbr:
vga1 at pci12 dev 0 function 0 vendor "ATI", unknown product 0x687f rev 0xc3
ramdisk kernel, efi or non-x86 arch:
vendor "ATI", unknown product 0x687f (class display subclass VGA, rev 0x03) at pci12 dev 0 function 0 not configured
non-ramdisk kernel:
amdgpu0 at pci12 dev 0 function 0 vendor "ATI", unknown product 0x687f rev 0xc3
ok deraadt@ on an earlier version
|
|
Multiple error paths, specifically the one related to if a guest
cannot allocate memory at start, resulted in a known vm (via
vm.conf(5)) being removed from the vm list. Adjust the error paths
to check if the failing vm is defined in the config before tearing
it down.
Tested with help from beck@ and Mischa Peters.
ok beck@
|
|
Feedback from jmc and Crystal Kolipe
OK jmc
|