openbsd
3 years agoGive machdep.c a thorough cleanup that is long overdue.
kettenis [Mon, 25 Jan 2021 19:37:17 +0000 (19:37 +0000)]
Give machdep.c a thorough cleanup that is long overdue.

ok patrick@

3 years agoRevert local diff now that we no longer use syslog logging in
florian [Mon, 25 Jan 2021 16:57:37 +0000 (16:57 +0000)]
Revert local diff now that we no longer use syslog logging in
libunbound.
OK phessler

3 years agoDisable logging to syslog for libunbound. We are not getting anything
florian [Mon, 25 Jan 2021 16:56:59 +0000 (16:56 +0000)]
Disable logging to syslog for libunbound. We are not getting anything
useful for us out of it and it can be quite noisy when we are missing
IPv4 or IPv6 addresses.
It is still available when logging to stderr when running with -d.
OK phessler

3 years agoResolve data toggle out of sync problem for ugen(4) and uhidev(4) devices
mglocker [Mon, 25 Jan 2021 14:14:42 +0000 (14:14 +0000)]
Resolve data toggle out of sync problem for ugen(4) and uhidev(4) devices
on xhci(4) controllers by clearing the interface endpoints before opening
the pipes.

Tested by Mikolaj Kucharski for ugen(4) and gnezdo@ for uhidev(4), plus
myself for both.

ok mpi@

3 years agoAdd the new function usbd_clear_endpoint_feature() which allows to issue
mglocker [Mon, 25 Jan 2021 14:05:57 +0000 (14:05 +0000)]
Add the new function usbd_clear_endpoint_feature() which allows to issue
an UR_CLEAR_FEATURE request on a specific endpoint address without the
need to have a pipe open to that endpoint.

From NetBSD, ok mpi@

3 years agophp.port.mk sets MODPHP_BUILDDEP=No by default now.
sthen [Mon, 25 Jan 2021 14:02:18 +0000 (14:02 +0000)]
php.port.mk sets MODPHP_BUILDDEP=No by default now.

3 years agoraise the max number of queues/interrupts to 16, up from 1.
dlg [Mon, 25 Jan 2021 12:27:42 +0000 (12:27 +0000)]
raise the max number of queues/interrupts to 16, up from 1.

jmatthew@ has tried this before, but hrvoje popovski experienced
breakage so it wasn't enabled. we've tightened the code up since
then so it's time to try again.

this diff has been tested by hrvoje popovski and myself
ok jmatthew@

3 years agoif the rx descriptor reports the rss hash, use it for the mbuf flowid.
dlg [Mon, 25 Jan 2021 11:11:22 +0000 (11:11 +0000)]
if the rx descriptor reports the rss hash, use it for the mbuf flowid.

ok jmatthew@

3 years agodon't lose the M_FLOWID flag if the ipv4 cksum is ok.
dlg [Mon, 25 Jan 2021 09:36:48 +0000 (09:36 +0000)]
don't lose the M_FLOWID flag if the ipv4 cksum is ok.

found while poking around with hrvoje popovski
yes jmatthew@

3 years agoAdjust code since bgpd added an extra argument to aspath_verify() to
claudio [Mon, 25 Jan 2021 09:17:33 +0000 (09:17 +0000)]
Adjust code since bgpd added an extra argument to aspath_verify() to
reject AS_SET segments. In bgpctl this is always off.
OK benno@

3 years agoRFC6472 discourages the use of AS_SET segements in ASPATH attributes.
claudio [Mon, 25 Jan 2021 09:15:23 +0000 (09:15 +0000)]
RFC6472 discourages the use of AS_SET segements in ASPATH attributes.
The main reason is that AS_SET does not play nice with RPKI ROA.

Introduce a per neighbor and global config option
    'reject as-set yes' and 'reject as-set no'
If set to yes received UPDATES with AS_SET segements are rejected.
This is done the same way other ASPATH soft-errors are handled. The UPDATE
is marked invalid and all prefixes are treated as withdraws.
`bgpctl show rib in error` can be used to show prefixes that where denied
and treated as withdraws because of errors.

By default this feature is off.

OK benno@

3 years agoFix wg(4) ioctl to be able to handle multiple wgpeers.
yasuoka [Mon, 25 Jan 2021 09:11:36 +0000 (09:11 +0000)]
Fix wg(4) ioctl to be able to handle multiple wgpeers.
Diff from Yuichiro NAITO.

ok procter

3 years agofix filtering on kstat unit numbers
dlg [Mon, 25 Jan 2021 06:55:59 +0000 (06:55 +0000)]
fix filtering on kstat unit numbers

3 years agor1.102 forgot to tweak the "redistribute rtlabel" part of the grammar.
dlg [Mon, 25 Jan 2021 06:16:38 +0000 (06:16 +0000)]
r1.102 forgot to tweak the "redistribute rtlabel" part of the grammar.

fixes "redistribute rtlabel foo" without "depend on".

3 years agomake ssh hostbased authentication send the signature algorithm in
djm [Mon, 25 Jan 2021 06:00:17 +0000 (06:00 +0000)]
make ssh hostbased authentication send the signature algorithm in
its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type.
This make HostbasedAcceptedAlgorithms do what it is supposed to -
filter on signature algorithm and not key type.

spotted with dtucker@ ok markus@

3 years agoif stoeplitz is enabled, use it to provide a flowid for tcp packets.
dlg [Mon, 25 Jan 2021 03:40:46 +0000 (03:40 +0000)]
if stoeplitz is enabled, use it to provide a flowid for tcp packets.

drivers that implement rss and multiple rings depend on the symmetric
toeplitz code, and use it to generate a key that decides with rx
ring a packet lands on. if the toeplitz code is enabled, this diff
has the pcb and tcp layer use the toeplitz code to generate a flowid
for packets they send, which in turn is used to pick a tx ring.
because the nic and the stack use the same key, the tx and rx sides
end up with the same hash/flowid. at the very least this means that
the same rx and tx queue pair on a particular nic are used for both
sides of the connection. as the stack becomes more parallel, it
will also help keep both sides of the tcp connection processing in
the one place.

3 years agouse an intrmap when establishing interrupts for queues.
dlg [Mon, 25 Jan 2021 01:45:55 +0000 (01:45 +0000)]
use an intrmap when establishing interrupts for queues.

mcx is still hardcoded/limited to 1 queue for now, but this lets
different mcx devices use different cpus for handling packets.

looks good jmatthew@

3 years agoUpdate to tzdata2021a from www.iana.org. Major changes:
millert [Sun, 24 Jan 2021 20:18:50 +0000 (20:18 +0000)]
Update to tzdata2021a from iana.org.  Major changes:
 o South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.

3 years agohmac-sha2-384 and hmac-sha2-512 are enabled by default.
tobhe [Sun, 24 Jan 2021 19:10:19 +0000 (19:10 +0000)]
hmac-sha2-384 and hmac-sha2-512 are enabled by default.

3 years agoImplement DNS64 synthesis.
florian [Sun, 24 Jan 2021 18:29:15 +0000 (18:29 +0000)]
Implement DNS64 synthesis.
When unwind(8) learns new autoconf resolvers (from dhcp or router
advertisements) it checks if a DNS64 is present in this network
location and tries to recover the IPv6 prefix used according to
RFC7050.
The learned autoconf resolvers are then prevented from upgrading to
the validating state since DNS64 breaks DNSSEC.
unwind(8) can now perform its own synthesis. If a query for a AAAA
record results in no answer we re-send the query for A and if that
leads to an answer we synthesize an AAAA answer using the learned
prefixes.

Testing & OK kn

3 years agomatch on Intel Alder Lake and Meteor Lake I219 Ethernet ids
jsg [Sun, 24 Jan 2021 10:21:43 +0000 (10:21 +0000)]
match on Intel Alder Lake and Meteor Lake I219 Ethernet ids

3 years agoregen
jsg [Sun, 24 Jan 2021 10:17:32 +0000 (10:17 +0000)]
regen

3 years agoadd Intel Alder Lake and Meteor Lake I219 Ethernet ids
jsg [Sun, 24 Jan 2021 10:16:58 +0000 (10:16 +0000)]
add Intel Alder Lake and Meteor Lake I219 Ethernet ids

3 years agoAdd missing __KAME__ markers.
florian [Sun, 24 Jan 2021 08:58:50 +0000 (08:58 +0000)]
Add missing __KAME__ markers.
OK claudio

3 years agoPass sockaddr_in6 arround so that we have space to store the scope in
florian [Sun, 24 Jan 2021 08:57:10 +0000 (08:57 +0000)]
Pass sockaddr_in6 arround so that we have space to store the scope in
a proper field. Move KAME hack to kernel / userland boundaries.
Due to the way -d (delete) works in ndp(8), once we flip the kernel
over to not pass down embedded scope it also must not expect embeded
scope passed to the kernel.
OK claudio

3 years agosync
deraadt [Sun, 24 Jan 2021 02:44:51 +0000 (02:44 +0000)]
sync

3 years agomatch on Realtek RTL8168H ids for Killer E2500V2 and E2600
jsg [Sun, 24 Jan 2021 01:59:20 +0000 (01:59 +0000)]
match on Realtek RTL8168H ids for Killer E2500V2 and E2600

checked against linux and windows drivers

3 years agoregen
jsg [Sun, 24 Jan 2021 01:57:17 +0000 (01:57 +0000)]
regen

3 years agoadd Realtek RTL8168H ids for Killer E2500V2 and E2600
jsg [Sun, 24 Jan 2021 01:56:44 +0000 (01:56 +0000)]
add Realtek RTL8168H ids for Killer E2500V2 and E2600

checked against linux and windows drivers

3 years agomatch on another Realtek RTL8168 id
jsg [Sat, 23 Jan 2021 23:39:40 +0000 (23:39 +0000)]
match on another Realtek RTL8168 id

reported and tested by John Batteen on a TP-Link TG-3468

3 years agoregen
jsg [Sat, 23 Jan 2021 23:36:20 +0000 (23:36 +0000)]
regen

3 years agoadd another Realtek RTL8168 id
jsg [Sat, 23 Jan 2021 23:35:28 +0000 (23:35 +0000)]
add another Realtek RTL8168 id

shows up on a TP-Link TG-3468 John Batteen has

3 years agoFix whitespace issues
mlarkin [Sat, 23 Jan 2021 22:56:35 +0000 (22:56 +0000)]
Fix whitespace issues

3 years agovmm(4): wire faulted in pages
mlarkin [Sat, 23 Jan 2021 22:34:46 +0000 (22:34 +0000)]
vmm(4): wire faulted in pages

This change wires the pages used by virtual machines managed by vmm(4).
When uvm swaps out a page, vmm(4) does not properly do TLB flushing,
possibly leading to memory corruption or improper page access later.

While this diff is not the correct fix (implementing proper TLB flush
semantics), it does work around the problem by not letting the pages
get swapped out in the first place.

This means that under memory pressure, swap pages will have to come
from other processes, and it also means you cannot overcommit vmm(4)
memory assignment (eg, assign more memory to VMs than you actually
have).

It is my plan to fix this the correct way, but that will take time.

This issue was originally pointed out a long time ago by Maxime V., but
due to my taking a year away from OpenBSD, the issue remained unfixed.

3 years agoHandle write() errors.
tobhe [Sat, 23 Jan 2021 22:04:55 +0000 (22:04 +0000)]
Handle write() errors.

ok patrick@

3 years agoHandle errors and truncated output from snprintf().
tobhe [Sat, 23 Jan 2021 21:51:29 +0000 (21:51 +0000)]
Handle errors and truncated output from snprintf().

ok patrick@

3 years agolist-io must be run from config dir
kn [Sat, 23 Jan 2021 21:39:54 +0000 (21:39 +0000)]
list-io must be run from config dir

The current description fails to explain how to use it properly and the
error message is only helpful for people that know how ldomctl works
and/or what the Phsyical Resource Inventory is.

OK afresh1 kettenis

3 years agoFix typos.
tobhe [Sat, 23 Jan 2021 21:35:48 +0000 (21:35 +0000)]
Fix typos.

From Ryan Kavanagh
ok patrick@

3 years agoFix IORT struct for Context and PMU interrupts. I misread bytes with bits.
patrick [Sat, 23 Jan 2021 20:01:01 +0000 (20:01 +0000)]
Fix IORT struct for Context and PMU interrupts.  I misread bytes with bits.

ok kettenis@

3 years agosync
deraadt [Sat, 23 Jan 2021 17:36:22 +0000 (17:36 +0000)]
sync

3 years agoMove resolv_conf string generation for ASR to function; makes
florian [Sat, 23 Jan 2021 16:28:12 +0000 (16:28 +0000)]
Move resolv_conf string generation for ASR to function; makes
upcomming DNS64 diff simpler.

3 years agoDon't just blindly upgrade to VALIDATING if we see a SECURE answer.
florian [Sat, 23 Jan 2021 16:27:24 +0000 (16:27 +0000)]
Don't just blindly upgrade to VALIDATING if we see a SECURE answer.
Let's go through the check_resolver() / new_resolver() code path
which will also hook up the resovler to the shared cache.
This means also one less special case for upcomming DNS64 support.

3 years agoRemove unused variables found by clang. Additional unused var spotted by eric@.
rob [Sat, 23 Jan 2021 16:11:11 +0000 (16:11 +0000)]
Remove unused variables found by clang. Additional unused var spotted by eric@.

OK mvs@, eric@

3 years agosync
sthen [Sat, 23 Jan 2021 15:03:00 +0000 (15:03 +0000)]
sync

3 years agoOPAL implements firmware calls that abstract communicating with the BMC over
kettenis [Sat, 23 Jan 2021 12:10:08 +0000 (12:10 +0000)]
OPAL implements firmware calls that abstract communicating with the BMC over
IPMI.  Use these calls to add support for impi(4) on PowerNV systems.

ok dlg@

3 years agorecognize those ubiquitous webp file
espie [Sat, 23 Jan 2021 10:18:28 +0000 (10:18 +0000)]
recognize those ubiquitous webp file
cherry-picked from FreeBSD

okay millert@, deraadt@, sthen@

3 years agointroduce ujoy(4), a restricted subset of uhid(4) for gamecontrollers.
thfr [Sat, 23 Jan 2021 05:08:33 +0000 (05:08 +0000)]
introduce ujoy(4), a restricted subset of uhid(4) for gamecontrollers.
This includes ujoy_hid_is_collection() to work around limitations of
hid_is_collection() until this can be combined without fallout.

input, testing with 8bitdo controller, and ok brynet@
PS4 controller testing, fix for hid_is_collection, and ok mglocker@

3 years agoGracefully handle any erroneous closing bracket/brace trailers in
rob [Fri, 22 Jan 2021 18:27:52 +0000 (18:27 +0000)]
Gracefully handle any erroneous closing bracket/brace trailers in
ober_scanf_elements().

OK martijn@

3 years agoims: an actual i2c-connected mouse is unlikely
jcs [Fri, 22 Jan 2021 17:35:00 +0000 (17:35 +0000)]
ims: an actual i2c-connected mouse is unlikely

Claim to be a touchpad instead, which sets up ims devices in X11 to
be more like touchpads.

ok mglocker

3 years agoExtend test with an full depth search of all possible prefix_evaluations.
claudio [Fri, 22 Jan 2021 17:18:13 +0000 (17:18 +0000)]
Extend test with an full depth search of all possible prefix_evaluations.
This currently fails because the MED is not handled properly. Fix for this
will follow shortly.

3 years agoThe correct spelling is NULL.
florian [Fri, 22 Jan 2021 16:10:01 +0000 (16:10 +0000)]
The correct spelling is NULL.

3 years agoAvoid NULL deref on BIO_new{_mem_buf,}() failure.
tb [Fri, 22 Jan 2021 15:56:17 +0000 (15:56 +0000)]
Avoid NULL deref on BIO_new{_mem_buf,}() failure.

3 years agoAvoid NULL deref on BIO_new{_mem_buf,}() failure.
tb [Fri, 22 Jan 2021 15:54:32 +0000 (15:54 +0000)]
Avoid NULL deref on BIO_new{_mem_buf,}() failure.

3 years agoPrivate functions in the kernel do not to be prototyped.
millert [Fri, 22 Jan 2021 14:13:57 +0000 (14:13 +0000)]
Private functions in the kernel do not to be prototyped.
We don't use static in the kernel due to ddb so functions private
to the compilation unit are basically equivalent.
OK cheloha@ gnezdo@ mglocker@

3 years agoCleanup and document the code a bit
claudio [Fri, 22 Jan 2021 13:57:32 +0000 (13:57 +0000)]
Cleanup and document the code a bit

3 years agofix a memory leak, found by rob@ in relayd.
benno [Fri, 22 Jan 2021 13:07:17 +0000 (13:07 +0000)]
fix a memory leak, found by rob@ in relayd.

ok tb@

3 years agoRevert clear changes to writing as they don't work properly, better
nicm [Fri, 22 Jan 2021 11:28:33 +0000 (11:28 +0000)]
Revert clear changes to writing as they don't work properly, better
change to come.

3 years agoAdd rectangle-on and rectangle-off copy mode commands, GitHub isse 2546
nicm [Fri, 22 Jan 2021 10:24:52 +0000 (10:24 +0000)]
Add rectangle-on and rectangle-off copy mode commands, GitHub isse 2546
from author at will dot party.

3 years agoFix some cursor movement commands, from Anindya Mukherjee.
nicm [Fri, 22 Jan 2021 10:21:24 +0000 (10:21 +0000)]
Fix some cursor movement commands, from Anindya Mukherjee.

3 years agoAdjust for traphandler process removal commit.
martijn [Fri, 22 Jan 2021 06:35:26 +0000 (06:35 +0000)]
Adjust for traphandler process removal commit.

OK denis@, rob@

3 years agoRemove the traphandler process, which was nothing more then a sham.
martijn [Fri, 22 Jan 2021 06:33:26 +0000 (06:33 +0000)]
Remove the traphandler process, which was nothing more then a sham.
It did nothing more then receive a message over UDP, do some basic ber
and ASN.1 parsing and forward the packet to the parent process. snmpe can
do/does the same thing but with a far more thorough ASN.1 validation.
Because we move trap receiving to snmpe we get trap over tcp for free.

However, to make sure that a normal snmp port doesn't automatically start
handling traps a new set of "listen on" flags are introduced: read, write,
and notify. To enable trap handling either let snmpd listen on port 162
without flags, or add the notify flag. Only a flag without port results in
listening on port 162.

To keep current behaviour copy all UDP-based "listen on" lines without port
and add the notify keyword:
listen on 127.0.0.1 port 666
becomes
listen on 127.0.0.1 port 666
listen on 127.0.0.1 notify

This change also enforces snmpd to honor trap community on receiving a
trap, where previously no community was checked before handling a packet.

OK denis@, rob@

3 years agoValid integer and enumerated types always have non-zero length. Perform
rob [Fri, 22 Jan 2021 03:20:56 +0000 (03:20 +0000)]
Valid integer and enumerated types always have non-zero length. Perform
check to ensure we avoid a possible (undefined) negative shift. Found
with clang static analyzer.

Tweaked and OK martijn@

3 years agoPubkeyAcceptedKeyTypes->PubkeyAcceptedAlgorithms here too.
dtucker [Fri, 22 Jan 2021 02:46:40 +0000 (02:46 +0000)]
PubkeyAcceptedKeyTypes->PubkeyAcceptedAlgorithms here too.

3 years agoRename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms.
dtucker [Fri, 22 Jan 2021 02:44:58 +0000 (02:44 +0000)]
Rename PubkeyAcceptedKeyTypes keyword to PubkeyAcceptedAlgorithms.
While the two were originally equivalent, this actually specifies the
signature algorithms that are accepted.  Some key types (eg RSA) can be
used by multiple algorithms (eg ssh-rsa, rsa-sha2-512) so the old name is
becoming increasingly misleading.  The old name is retained as an alias.
Prompted by bz#3253, help & ok djm@, man page help jmc@

3 years agowhen using fake keys, skip the private key check
eric [Thu, 21 Jan 2021 22:03:25 +0000 (22:03 +0000)]
when using fake keys, skip the private key check

ok tb@

3 years agoreturn -1 on error for consistency
eric [Thu, 21 Jan 2021 22:02:17 +0000 (22:02 +0000)]
return -1 on error for consistency

ok tb@

3 years agoIgnore special keys returned by the curses getch() function.
millert [Thu, 21 Jan 2021 20:08:17 +0000 (20:08 +0000)]
Ignore special keys returned by the curses getch() function.
Prevents canfield from suspending itself when you resize the window.
Canfield is not prepared to deal with anything other than normal
characters so just ignore them.  OK tb@ pjanzen@

3 years agondp only deals with current localtime. Print time with subsecond
florian [Thu, 21 Jan 2021 19:12:13 +0000 (19:12 +0000)]
ndp only deals with current localtime. Print time with subsecond
resolution in a less roundabout way.
OK phessler, bluhm

3 years agosync for libtls bump
eric [Thu, 21 Jan 2021 19:11:39 +0000 (19:11 +0000)]
sync for libtls bump

3 years agominor bump after symbol addition
eric [Thu, 21 Jan 2021 19:09:43 +0000 (19:09 +0000)]
minor bump after symbol addition

3 years agoAllow setting a keypair on a tls context without specifying the private
eric [Thu, 21 Jan 2021 19:09:10 +0000 (19:09 +0000)]
Allow setting a keypair on a tls context without specifying the private
key, and fake it internally with the certificate public key instead.
It makes it easier for privsep engines like relayd that don't have to
use bogus keys anymore.

ok beck@ tb@ jsing@

3 years agoMop up unused dtls1_build_sequence_number() function.
jsing [Thu, 21 Jan 2021 18:48:56 +0000 (18:48 +0000)]
Mop up unused dtls1_build_sequence_number() function.

3 years agoPledge violation for SO_RTABLE prints "wroute" now. Adapt test.
bluhm [Thu, 21 Jan 2021 17:02:37 +0000 (17:02 +0000)]
Pledge violation for SO_RTABLE prints "wroute" now.  Adapt test.

3 years agoHandle NO_PROPOSAL_CHOSEN for CREATE_CHILD_SA.
tobhe [Thu, 21 Jan 2021 16:50:46 +0000 (16:50 +0000)]
Handle NO_PROPOSAL_CHOSEN for CREATE_CHILD_SA.

ok markus@

3 years agoAdd support for INVALID_KE_PAYLOAD in CREATE_CHILD_SA
tobhe [Thu, 21 Jan 2021 16:46:47 +0000 (16:46 +0000)]
Add support for INVALID_KE_PAYLOAD in CREATE_CHILD_SA
exchange.  In the case of an invalid KE error, retry
CREATE_CHILD_SA exchange with different group instead
of restarting the full IKE handshake.

ok markus@

3 years agorevert previous after complaints from sthen and deraadt;
jmc [Thu, 21 Jan 2021 13:19:58 +0000 (13:19 +0000)]
revert previous after complaints from sthen and deraadt;

3 years agoMake it possible to convert map arguments to long and insert nsecs in maps.
mpi [Thu, 21 Jan 2021 13:19:25 +0000 (13:19 +0000)]
Make it possible to convert map arguments to long and insert nsecs in maps.

Necessary to measure latency, example below to better understand the kqueue
select(2) regression:

syscall:select:entry { @start[pid] = nsecs; }
syscall:select:return { @usecs = hist((nsecs - @start[pid]) / 1000); }

3 years agocarp(4): convert ifunit() to if_unit(9)
mvs [Thu, 21 Jan 2021 13:18:07 +0000 (13:18 +0000)]
carp(4): convert ifunit() to if_unit(9)

ok dlg@ bluhm@

3 years agovlan(4): convert ifunit() to if_unit(9)
mvs [Thu, 21 Jan 2021 13:17:13 +0000 (13:17 +0000)]
vlan(4): convert ifunit() to if_unit(9)

ok dlg@ kn@

3 years agoremove an unneccessary escape; from martin vahlensieck
jmc [Thu, 21 Jan 2021 12:43:30 +0000 (12:43 +0000)]
remove an unneccessary escape; from martin vahlensieck
ok gilles

while, there, zap an unneccessary Tn;

3 years agolet vfs keep track of nonblocking state for us.
dlg [Thu, 21 Jan 2021 12:33:14 +0000 (12:33 +0000)]
let vfs keep track of nonblocking state for us.

ok claudio@ mvs@

3 years agoDocument IFM_2500_T media type.
kevlo [Thu, 21 Jan 2021 11:05:38 +0000 (11:05 +0000)]
Document IFM_2500_T media type.

ok claudio@ jmc@ sthen@

3 years agoBackport "Squelch udp connect 'no route to host' errors" from upstream.
sthen [Thu, 21 Jan 2021 10:31:57 +0000 (10:31 +0000)]
Backport "Squelch udp connect 'no route to host' errors" from upstream.
Problem reported and diff tested by danj@

From 5906811ff19f005110b2edbda5aa144ad5fa05b1 Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
Date: Tue, 1 Dec 2020 09:09:13 +0100
Subject: [PATCH] - Fix #358: Squelch udp connect 'no route to host' errors on
  low verbosity.

3 years agoRevert r1.87 "Pledge before authentication when possible"
kn [Thu, 21 Jan 2021 08:13:59 +0000 (08:13 +0000)]
Revert r1.87 "Pledge before authentication when possible"

Someone reported to me that

''This breaks ansible managed machines where "persist" isn't used. There
i get

/bsd: doas[49341]: pledge "proc", syscall 2

Using "persist", everything is fine.''

3 years agosome updates from pjanzen;
jmc [Thu, 21 Jan 2021 07:12:34 +0000 (07:12 +0000)]
some updates from pjanzen;

3 years agodon't set AUTO_RETRY. it's a remnant of an experiment.
tb [Thu, 21 Jan 2021 05:02:25 +0000 (05:02 +0000)]
don't set AUTO_RETRY. it's a remnant of an experiment.

3 years agoRearrange variables in dump / restore to handle -fno-common.
mortimer [Thu, 21 Jan 2021 00:16:36 +0000 (00:16 +0000)]
Rearrange variables in dump / restore to handle -fno-common.

Largely following the commit by mckusick in FreeBSD.

ok naddy@

3 years agoAn invalid packet may not have set src and dst in packet descriptor.
bluhm [Wed, 20 Jan 2021 23:25:19 +0000 (23:25 +0000)]
An invalid packet may not have set src and dst in packet descriptor.
Add a NULL check to prevent crash in pflog(4) introduced in previous
commit.
Reported-by: syzbot+c6d2f2ad34b822bce98a@syzkaller.appspotmail.com
3 years agoMissing return value; ok jmc@
otto [Wed, 20 Jan 2021 19:44:48 +0000 (19:44 +0000)]
Missing return value; ok jmc@

3 years agoMake sure to enforce matching dstid as initiator. Use policy lookup
tobhe [Wed, 20 Jan 2021 18:44:28 +0000 (18:44 +0000)]
Make sure to enforce matching dstid as initiator. Use policy lookup
to make sure the negotiated SA matches the selected policy.

ok patrick@

3 years agoCleanup, fix and add a few more test cases. Make sure that the decision
claudio [Wed, 20 Jan 2021 18:02:19 +0000 (18:02 +0000)]
Cleanup, fix and add a few more test cases. Make sure that the decision
flags work (by checking the same routes with and without the flag).

3 years agoTest path MTU discovery with IPv6 TCP packets tunneled in IPv4 ESP.
bluhm [Wed, 20 Jan 2021 17:38:18 +0000 (17:38 +0000)]
Test path MTU discovery with IPv6 TCP packets tunneled in IPv4 ESP.

3 years agoIf pledge "wroute" is missing for setsockopt SO_RTABLE, print failure
bluhm [Wed, 20 Jan 2021 16:36:09 +0000 (16:36 +0000)]
If pledge "wroute" is missing for setsockopt SO_RTABLE, print failure
message "wroute" into dmesg.  Since revision 1.263 pledge "wroute"
allows to change the routing table of a socket.
OK florian@ semarie@

3 years agoCheck the rewritten address output from tcpdump -e on pflog.
bluhm [Wed, 20 Jan 2021 13:50:09 +0000 (13:50 +0000)]
Check the rewritten address output from tcpdump -e on pflog.

3 years agoPrint rewritten addresses in tcpdump(8) logged with pflog(4) for
bluhm [Wed, 20 Jan 2021 13:40:15 +0000 (13:40 +0000)]
Print rewritten addresses in tcpdump(8) logged with pflog(4) for
rdr-to, nat-to, af-to rules.  The kernel uses the information from
the packet description and fills it into the fields in the pflog
header.  While doing this, it is trival to figure out whether the
packet has been rewritten.
OK sashan@

3 years agoReprogram outbound windows to match the device tree. Necessary because
kettenis [Wed, 20 Jan 2021 12:44:45 +0000 (12:44 +0000)]
Reprogram outbound windows to match the device tree.  Necessary because
the EDK2-based UEFI firmware sets it to its own hardcoded values.
Makes device-tree mode work with newer versions of the Raspberry Pi firmware.

ok patrick@

3 years agotypo; spotted by jmc
sthen [Wed, 20 Jan 2021 12:37:26 +0000 (12:37 +0000)]
typo; spotted by jmc

3 years agoCheck management capabilities before trying to attach temperature sensors,
jmatthew [Wed, 20 Jan 2021 10:04:26 +0000 (10:04 +0000)]
Check management capabilities before trying to attach temperature sensors,
avoiding an unhelpful error message if the card's firmware doesn't expose
the sensor registers.

tested by chris@, who saw the unhelpful error message
ok dlg@

3 years agoPledge before authentication when possible
kn [Wed, 20 Jan 2021 07:30:51 +0000 (07:30 +0000)]
Pledge before authentication when possible

Generally, pleding before parsing the file seems hardly possible due to
unveil() being involved.

Pledging in case of the winning rule being a "persist" one is not possible
either due to TIOC{SET,CHK}VERAUTH not being allowed in the "tty" pledge.

But if "persist" is not used, we can pledge before authentication
without having to hoist or chang anything.

Feedback deraadt tedu
OK tdeu

3 years agoChange so that window_flags escapes # automatically which means configs
nicm [Wed, 20 Jan 2021 07:16:54 +0000 (07:16 +0000)]
Change so that window_flags escapes # automatically which means configs
will not have to change. A new format window_raw_flags contains the old
unescaped version.