sync with OpenBSD -current

purplerain 2024-08-15 02:21:18 +00:00
parent ee61daa776
commit e247f83c76
Signed by: purplerain
GPG Key ID: F42C07F07E2E35B7
42 changed files with 45418 additions and 262 deletions


@ -1,4 +1,4 @@
dnl $OpenBSD: prep,v 1.19 2023/10/18 06:45:45 kevlo Exp $
dnl $OpenBSD: prep,v 1.21 2024/08/14 15:34:39 jsg Exp $
To perform an installation you must be able to interact with the
console of the machine. In some cases this can be done by an attached
monitor and keyboard. In others a serial console is required.
@ -54,6 +54,13 @@ Install on Apple Silicon:
These machines do not come with UEFI firmware by default. In order
to install SecBSD on these machine you need to run the Asahi Linux
installer first in macOS or the macOS recovery environment.
If "Erase All Content and Settings" has been run, the machine will
need to connect to Apple's servers to activate. A user-linked
Activation Lock can be removed by turning off Find My for the machine
through iCloud. An Apple account is otherwise not required for
activation or installation.
Instructions on how to download and run the Asahi Linux installer
can be found at https://asahilinux.org/. Run it in macOS or the
macOS recovery environment.
@ -77,7 +84,7 @@ Install on Apple Silicon:
Now you can copy the miniroot or install image
("miniroot{:--:}OSrev.img" or "install{:--:}OSrev.img") to a USB
drive, plug it into one of the type-C ports on the machine and reset
drive, plug it into one of the ports on the machine and reset
the machine to boot into the SecBSD installer.
Install on Raspberry Pi:


@ -1,4 +1,4 @@
/* $OpenBSD: radius.c,v 1.5 2024/08/08 09:16:37 yasuoka Exp $ */
/* $OpenBSD: radius.c,v 1.6 2024/08/14 04:50:31 yasuoka Exp $ */
/*-
* Copyright (c) 2009 Internet Initiative Japan Inc.
@ -261,7 +261,7 @@ radius_check_response_authenticator(const RADIUS_PACKET * packet,
uint8_t authenticator[16];
radius_calc_response_authenticator(authenticator, packet, secret);
return (timingsafe_memcmp(authenticator, packet->pdata->authenticator,
return (timingsafe_bcmp(authenticator, packet->pdata->authenticator,
16));
}
@ -300,7 +300,7 @@ radius_check_accounting_request_authenticator(const RADIUS_PACKET * packet,
radius_calc_accounting_request_authenticator(authenticator, packet,
secret);
return (timingsafe_memcmp(authenticator, packet->pdata->authenticator,
return (timingsafe_bcmp(authenticator, packet->pdata->authenticator,
16));
}
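Review bot: The authenticator comparison in radius_check_response_authenticator uses a hard-coded `16` next to the local `uint8_t authenticator[16]`; `sizeof(authenticator)` would keep the compared length tied to the buffer, and the same presumably applies to radius_check_accounting_request_authenticator, whose declaration is outside its hunk. With timingsafe_bcmp the result only distinguishes equal (0) from not equal (non-zero) and no longer carries an ordering. A short comment above each function, such as `/* returns 0 if the authenticator matches, non-zero otherwise */`, would document that for callers; radius_check_message_authenticator in radius_msgauth.c would benefit from the same comment. Both function bodies start outside the hunks shown.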


@ -1,4 +1,4 @@
/* $OpenBSD: radius_msgauth.c,v 1.4 2024/08/08 09:16:37 yasuoka Exp $ */
/* $OpenBSD: radius_msgauth.c,v 1.5 2024/08/14 04:50:31 yasuoka Exp $ */
/*-
* Copyright (c) 2009 Internet Initiative Japan Inc.
@ -149,5 +149,5 @@ radius_check_message_authenticator(RADIUS_PACKET * packet, const char *secret)
if (len != sizeof(ma1))
return (-1);
return (timingsafe_memcmp(ma0, ma1, sizeof(ma1)));
return (timingsafe_bcmp(ma0, ma1, sizeof(ma1)));
}


@ -1,4 +1,4 @@
/* $OpenBSD: bus_dma.c,v 1.51 2019/06/09 12:52:04 kettenis Exp $ */
/* $OpenBSD: bus_dma.c,v 1.52 2024/08/14 18:31:33 bluhm Exp $ */
/* $NetBSD: bus_dma.c,v 1.3 2003/05/07 21:33:58 fvdl Exp $ */
/*-
@ -108,8 +108,13 @@ _bus_dmamap_create(bus_dma_tag_t t, bus_size_t size, int nsegments,
bus_size_t maxsegsz, bus_size_t boundary, int flags, bus_dmamap_t *dmamp)
{
struct bus_dmamap *map;
struct pglist mlist;
struct vm_page **pg, *pgnext;
size_t mapsize, sz, ssize;
vaddr_t va, sva;
void *mapstore;
size_t mapsize;
int npages, error;
const struct kmem_dyn_mode *kd;
/*
* Allocate and initialize the DMA map. The end of the map
@ -125,6 +130,16 @@ _bus_dmamap_create(bus_dma_tag_t t, bus_size_t size, int nsegments,
*/
mapsize = sizeof(struct bus_dmamap) +
(sizeof(bus_dma_segment_t) * (nsegments - 1));
/* allocate and use bounce buffers when running as SEV guest */
if (cpu_sev_guestmode) {
/* this many pages plus one in case we get split */
npages = round_page(size) / PAGE_SIZE + 1;
if (npages < nsegments)
npages = nsegments;
mapsize += sizeof(struct vm_page *) * npages;
}
if ((mapstore = malloc(mapsize, M_DEVBUF,
(flags & BUS_DMA_NOWAIT) ?
(M_NOWAIT|M_ZERO) : (M_WAITOK|M_ZERO))) == NULL)
@ -135,8 +150,59 @@ _bus_dmamap_create(bus_dma_tag_t t, bus_size_t size, int nsegments,
map->_dm_segcnt = nsegments;
map->_dm_maxsegsz = maxsegsz;
map->_dm_boundary = boundary;
if (cpu_sev_guestmode) {
map->_dm_pages = (void *)&map->dm_segs[nsegments];
map->_dm_npages = npages;
}
map->_dm_flags = flags & ~(BUS_DMA_WAITOK|BUS_DMA_NOWAIT);
if (!cpu_sev_guestmode) {
*dmamp = map;
return (0);
}
sz = npages << PGSHIFT;
kd = flags & BUS_DMA_NOWAIT ? &kd_trylock : &kd_waitok;
va = (vaddr_t)km_alloc(sz, &kv_any, &kp_none, kd);
if (va == 0) {
map->_dm_npages = 0;
free(map, M_DEVBUF, mapsize);
return (ENOMEM);
}
TAILQ_INIT(&mlist);
error = uvm_pglistalloc(sz, 0, -1, PAGE_SIZE, 0, &mlist, nsegments,
(flags & BUS_DMA_NOWAIT) ? UVM_PLA_NOWAIT : UVM_PLA_WAITOK);
if (error) {
map->_dm_npages = 0;
km_free((void *)va, sz, &kv_any, &kp_none);
free(map, M_DEVBUF, mapsize);
return (ENOMEM);
}
sva = va;
ssize = sz;
pgnext = TAILQ_FIRST(&mlist);
for (pg = map->_dm_pages; npages--; va += PAGE_SIZE, pg++) {
*pg = pgnext;
error = pmap_enter(pmap_kernel(), va, VM_PAGE_TO_PHYS(*pg),
PROT_READ | PROT_WRITE,
PROT_READ | PROT_WRITE | PMAP_WIRED |
PMAP_CANFAIL | PMAP_NOCRYPT);
if (error) {
pmap_update(pmap_kernel());
map->_dm_npages = 0;
km_free((void *)sva, ssize, &kv_any, &kp_none);
free(map, M_DEVBUF, mapsize);
uvm_pglistfree(&mlist);
return (ENOMEM);
}
pgnext = TAILQ_NEXT(*pg, pageq);
bzero((void *)va, PAGE_SIZE);
}
pmap_update(pmap_kernel());
map->_dm_pgva = sva;
*dmamp = map;
return (0);
}
@ -149,6 +215,21 @@ void
_bus_dmamap_destroy(bus_dma_tag_t t, bus_dmamap_t map)
{
size_t mapsize;
struct vm_page **pg;
struct pglist mlist;
if (map->_dm_pgva) {
km_free((void *)map->_dm_pgva, map->_dm_npages << PGSHIFT,
&kv_any, &kp_none);
}
if (map->_dm_pages) {
TAILQ_INIT(&mlist);
for (pg = map->_dm_pages; map->_dm_npages--; pg++) {
TAILQ_INSERT_TAIL(&mlist, *pg, pageq);
}
uvm_pglistfree(&mlist);
}
mapsize = sizeof(struct bus_dmamap) +
(sizeof(bus_dma_segment_t) * (map->_dm_segcnt - 1));
@ -383,6 +464,7 @@ _bus_dmamap_unload(bus_dma_tag_t t, bus_dmamap_t map)
*/
map->dm_mapsize = 0;
map->dm_nsegs = 0;
map->_dm_nused = 0;
}
/*
@ -393,7 +475,40 @@ void
_bus_dmamap_sync(bus_dma_tag_t t, bus_dmamap_t map, bus_addr_t addr,
bus_size_t size, int op)
{
/* Nothing to do here. */
bus_dma_segment_t *sg;
int i, off = addr;
bus_size_t l;
if (!cpu_sev_guestmode)
return;
for (i = map->_dm_segcnt, sg = map->dm_segs; size && i--; sg++) {
if (off >= sg->ds_len) {
off -= sg->ds_len;
continue;
}
l = sg->ds_len - off;
if (l > size)
l = size;
size -= l;
/* PREREAD and POSTWRITE are no-ops. */
/* READ: device -> memory */
if (op & BUS_DMASYNC_POSTREAD) {
bcopy((void *)(sg->_ds_bounce_va + off),
(void *)(sg->_ds_va + off), l);
}
/* WRITE: memory -> device */
if (op & BUS_DMASYNC_PREWRITE) {
bcopy((void *)(sg->_ds_va + off),
(void *)(sg->_ds_bounce_va + off), l);
}
off = 0;
}
}
/*
@ -566,9 +681,10 @@ _bus_dmamap_load_buffer(bus_dma_tag_t t, bus_dmamap_t map, void *buf,
{
bus_size_t sgsize;
bus_addr_t curaddr, lastaddr, baddr, bmask;
vaddr_t vaddr = (vaddr_t)buf;
int seg;
vaddr_t pgva = -1, vaddr = (vaddr_t)buf;
int seg, page, off;
pmap_t pmap;
struct vm_page *pg;
if (p != NULL)
pmap = p->p_vmspace->vm_map.pmap;
@ -589,6 +705,18 @@ _bus_dmamap_load_buffer(bus_dma_tag_t t, bus_dmamap_t map, void *buf,
panic("Non dma-reachable buffer at curaddr %#lx(raw)",
curaddr);
if (cpu_sev_guestmode) {
/* use bounce buffer */
if (map->_dm_nused + 1 >= map->_dm_npages)
return (ENOMEM);
off = vaddr & PAGE_MASK;
pg = map->_dm_pages[page = map->_dm_nused++];
curaddr = VM_PAGE_TO_PHYS(pg) + off;
pgva = map->_dm_pgva + (page << PGSHIFT) + off;
}
/*
* Compute the segment size, and adjust counts.
*/
@ -612,6 +740,8 @@ _bus_dmamap_load_buffer(bus_dma_tag_t t, bus_dmamap_t map, void *buf,
if (first) {
map->dm_segs[seg].ds_addr = curaddr;
map->dm_segs[seg].ds_len = sgsize;
map->dm_segs[seg]._ds_va = vaddr;
map->dm_segs[seg]._ds_bounce_va = pgva;
first = 0;
} else {
if (curaddr == lastaddr &&
@ -626,6 +756,8 @@ _bus_dmamap_load_buffer(bus_dma_tag_t t, bus_dmamap_t map, void *buf,
break;
map->dm_segs[seg].ds_addr = curaddr;
map->dm_segs[seg].ds_len = sgsize;
map->dm_segs[seg]._ds_va = vaddr;
map->dm_segs[seg]._ds_bounce_va = pgva;
}
}
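Review bot: In _bus_dmamap_destroy the map size is recomputed as `sizeof(struct bus_dmamap) + sizeof(bus_dma_segment_t) * (map->_dm_segcnt - 1)`, but under `cpu_sev_guestmode` _bus_dmamap_create also adds `sizeof(struct vm_page *) * npages` to the allocation, so the two sizes disagree for SEV guests. The free() call itself is outside the hunk, so this is inferred from the visible computation only. The page-list loop counts `map->_dm_npages` down to -1, so the count has to be saved first: `int npages = map->_dm_npages;` before the loop, then `if (map->_dm_pages) mapsize += sizeof(struct vm_page *) * npages;` after the existing assignment. Separately, _bus_dmamap_sync narrows `addr` into `int off`, compares it with the unsigned `sg->ds_len`, and walks `_dm_segcnt` slots rather than the loaded segment count; both deserve a second look.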


@ -1,4 +1,4 @@
# $OpenBSD: GENERIC,v 1.524 2024/08/04 11:05:18 kettenis Exp $
# $OpenBSD: GENERIC,v 1.525 2024/08/14 14:40:45 patrick Exp $
#
# For further information on compiling SecBSD kernels, see the config(8)
# man page.
@ -589,6 +589,7 @@ iwn* at pci? # Intel WiFi Link 4965/5000/1000/6000
iwm* at pci? # Intel WiFi Link 7xxx
iwx* at pci? # Intel WiFi Link 22xxx
qwx* at pci? # Qualcomm 802.11ax
#qwz* at pci? # Qualcomm 802.11be
ral* at pci? # Ralink RT2500/RT2501/RT2600
ral* at cardbus? # Ralink RT2500/RT2501/RT2600
rtw* at pci? # Realtek 8180


@ -1,4 +1,4 @@
# $OpenBSD: RAMDISK_CD,v 1.206 2024/05/09 17:05:22 mglocker Exp $
# $OpenBSD: RAMDISK_CD,v 1.207 2024/08/14 14:40:45 patrick Exp $
machine amd64
maxusers 4
@ -289,6 +289,7 @@ iwn* at pci? # Intel Wireless WiFi Link 4965AGN
iwm* at pci? # Intel WiFi Link 7xxx
iwx* at pci? # Intel WiFi Link 22xxx
qwx* at pci? # Qualcomm 802.11ax
#qwz* at pci? # Qualcomm 802.11be
ral* at pci? # Ralink RT2500/RT2501/RT2600
ral* at cardbus? # Ralink RT2500/RT2501/RT2600
rtw* at pci? # Realtek 8180


@ -1,4 +1,4 @@
/* $OpenBSD: bus.h,v 1.35 2020/10/28 09:58:57 jsg Exp $ */
/* $OpenBSD: bus.h,v 1.36 2024/08/14 18:31:33 bluhm Exp $ */
/* $NetBSD: bus.h,v 1.6 1996/11/10 03:19:25 thorpej Exp $ */
/*-
@ -552,6 +552,9 @@ typedef struct bus_dmamap *bus_dmamap_t;
struct bus_dma_segment {
bus_addr_t ds_addr; /* DMA address */
bus_size_t ds_len; /* length of transfer */
vaddr_t _ds_va; /* mapped loaded data */
vaddr_t _ds_bounce_va; /* mapped bounced data */
/*
* Ugh. need this so can pass alignment down from bus_dmamem_alloc
* to scatter gather maps. only the first one is used so the rest is
@ -655,6 +658,11 @@ struct bus_dmamap {
void *_dm_cookie; /* cookie for bus-specific functions */
struct vm_page **_dm_pages; /* replacement pages */
vaddr_t _dm_pgva; /* those above -- mapped */
int _dm_npages; /* number of pages allocated */
int _dm_nused; /* number of pages replaced */
/*
* PUBLIC MEMBERS: these are used by machine-independent code.
*/


@ -1,4 +1,4 @@
# $OpenBSD: GENERIC,v 1.288 2024/07/31 10:07:33 mglocker Exp $
# $OpenBSD: GENERIC,v 1.289 2024/08/14 14:40:46 patrick Exp $
#
# GENERIC machine description file
#
@ -407,6 +407,7 @@ iwn* at pci? # Intel WiFi Link 4965/5000/1000/6000
iwm* at pci? # Intel WiFi Link 7xxx
iwx* at pci? # Intel WiFi Link 22xxx
qwx* at pci? # Qualcomm 802.11ax
#qwz* at pci? # Qualcomm 802.11be
# PCI SCSI
ahci* at pci? flags 0x0000 # AHCI SATA controllers


@ -1,4 +1,4 @@
# $OpenBSD: RAMDISK,v 1.218 2024/07/31 10:07:33 mglocker Exp $
# $OpenBSD: RAMDISK,v 1.219 2024/08/14 14:40:46 patrick Exp $
machine arm64
maxusers 4
@ -322,6 +322,7 @@ athn* at pci? # Atheros AR9k (802.11a/g/n)
bwfm* at pci? # Broadcom FullMAC
iwx* at pci? # Intel WiFi Link 22xxx
qwx* at pci? # Qualcomm 802.11ax
#qwz* at pci? # Qualcomm 802.11be
# PCI SCSI
ahci* at pci? flags 0x0000 # AHCI SATA controllers


@ -1,4 +1,4 @@
# $OpenBSD: files,v 1.734 2024/07/13 13:20:44 bluhm Exp $
# $OpenBSD: files,v 1.735 2024/08/14 14:40:46 patrick Exp $
# $NetBSD: files,v 1.87 1996/05/19 17:17:50 jonathan Exp $
# @(#)files.newconf 7.5 (Berkeley) 5/10/93
@ -429,6 +429,10 @@ file dev/ic/bwi.c bwi
device qwx: ether, ifnet, ifmedia, firmload, wlan
file dev/ic/qwx.c qwx
# Qualcomm 802.11be
device qwz: ether, ifnet, ifmedia, firmload, wlan
file dev/ic/qwz.c qwz
# Intel OnChip System Fabric
device iosf
file dev/ic/iosf.c iosf needs-flag


@ -1,4 +1,4 @@
/* $OpenBSD: qcpmic.c,v 1.1 2022/11/08 19:40:08 patrick Exp $ */
/* $OpenBSD: qcpmic.c,v 1.2 2024/08/14 10:54:58 mglocker Exp $ */
/*
* Copyright (c) 2022 Patrick Wildt <patrick@blueri.se>
*
@ -117,7 +117,7 @@ qcpmic_read(struct qcpmic_softc *sc, uint16_t addr)
err = spmi_cmd_read(sc->sc_tag, sc->sc_sid, SPMI_CMD_EXT_READL,
addr, &reg, sizeof(reg));
if (err)
printf("%s: error (%u) reading 0x%x\n", sc->sc_dev.dv_xname,
printf("%s: error (%u) reading 0x%x", sc->sc_dev.dv_xname,
err, addr);
return reg;
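Review bot: The error message in qcpmic_read now ends without a newline and relies on the callee to finish the line, which qcspmi_cmd_read does in this commit by printing `: transaction failed\n` and similar suffixes. Any non-zero return from spmi_cmd_read that prints no such suffix would leave the console line unterminated; the paths outside the visible hunks cannot be checked from here. A comment at the printf, for example `/* no newline: spmi_cmd_read() prints the reason and ends the line */`, would make the coupling explicit. qcpmic_read also returns `reg` after a failed read, and whether `reg` is initialised is not visible in this hunk.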


@ -1,4 +1,4 @@
/* $OpenBSD: qcspmi.c,v 1.5 2024/07/04 21:54:38 kettenis Exp $ */
/* $OpenBSD: qcspmi.c,v 1.6 2024/08/14 10:54:58 mglocker Exp $ */
/*
* Copyright (c) 2022 Patrick Wildt <patrick@blueri.se>
*
@ -408,14 +408,23 @@ qcspmi_cmd_read(void *cookie, uint8_t sid, uint8_t cmd, uint16_t addr,
SPMI_OBSV_OFF(sc, sc->sc_ee, apid) + SPMI_STATUS);
if (reg & SPMI_STATUS_DONE)
break;
if (reg & SPMI_STATUS_FAILURE) {
printf(": transaction failed\n");
return EIO;
}
if (reg & SPMI_STATUS_DENIED) {
printf(": transaction denied\n");
return EIO;
}
if (reg & SPMI_STATUS_DROPPED) {
printf(": transaction dropped\n");
return EIO;
}
}
if (i == 0)
if (i == 0) {
printf("\n");
return ETIMEDOUT;
if (reg & SPMI_STATUS_FAILURE ||
reg & SPMI_STATUS_DENIED ||
reg & SPMI_STATUS_DROPPED)
return EIO;
}
if (len > 0) {
reg = HREAD4(sc, QCSPMI_REG_OBSRVR,
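Review bot: Inside the polling loop `SPMI_STATUS_DONE` is tested first and breaks out, so the FAILURE, DENIED and DROPPED tests that follow are only reached while DONE is clear. The earlier post-loop test of those three bits appears to be the removed side of this hunk (the +/- markers are lost on this page). If so, a status word with DONE set together with an error bit is now treated as success and the read data is consumed. If the hardware can report that combination, test the error bits before `if (reg & SPMI_STATUS_DONE) break;`. qcspmi_cmd_read continues past the end of the hunk.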

25568
sys/dev/ic/qwz.c Normal file

File diff suppressed because it is too large Load Diff

13253
sys/dev/ic/qwzreg.h Normal file

File diff suppressed because it is too large Load Diff

2031
sys/dev/ic/qwzvar.h Normal file

File diff suppressed because it is too large Load Diff


@ -1,4 +1,4 @@
# $OpenBSD: files.pci,v 1.365 2024/04/09 14:58:41 mglocker Exp $
# $OpenBSD: files.pci,v 1.366 2024/08/14 14:40:46 patrick Exp $
# $NetBSD: files.pci,v 1.20 1996/09/24 17:47:15 christos Exp $
#
# Config file and device description for machine-independent PCI code.
@ -559,6 +559,10 @@ file dev/pci/if_iwx.c iwx
attach qwx at pci with qwx_pci
file dev/pci/if_qwx_pci.c qwx_pci
# Qualcomm 802.11be
attach qwz at pci with qwz_pci
file dev/pci/if_qwz_pci.c qwz_pci
# C-Media CMI8x38 Audio Chip
device cmpci {}: audio
attach cmpci at pci

4142
sys/dev/pci/if_qwz_pci.c Normal file

File diff suppressed because it is too large Load Diff


@ -1,4 +1,4 @@
/* $OpenBSD: kern_sysctl.c,v 1.437 2024/08/11 15:10:53 mvs Exp $ */
/* $OpenBSD: kern_sysctl.c,v 1.439 2024/08/14 17:52:47 mvs Exp $ */
/* $NetBSD: kern_sysctl.c,v 1.17 1996/05/20 17:49:05 mrg Exp $ */
/*-
@ -252,6 +252,7 @@ sys_sysctl(struct proc *p, void *v, register_t *retval)
fn = uvm_sysctl;
break;
case CTL_NET:
dolock = 0;
fn = net_sysctl;
break;
case CTL_FS:
@ -306,7 +307,7 @@ char hostname[MAXHOSTNAMELEN];
int hostnamelen;
char domainname[MAXHOSTNAMELEN];
int domainnamelen;
long hostid;
int hostid;
char *disknames = NULL;
size_t disknameslen;
struct diskstats *diskstats = NULL;
@ -507,6 +508,8 @@ kern_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp,
return (sysctl_rdstring(oldp, oldlenp, newp, version));
case KERN_NUMVNODES: /* XXX numvnodes is a long */
return (sysctl_rdint(oldp, oldlenp, newp, numvnodes));
case KERN_HOSTID:
return (sysctl_int(oldp, oldlenp, newp, newlen, &hostid));
case KERN_CLOCKRATE:
return (sysctl_clockrate(oldp, oldlenp, newp));
case KERN_BOOTTIME: {
@ -585,7 +588,7 @@ int
kern_sysctl_locked(int *name, u_int namelen, void *oldp, size_t *oldlenp,
void *newp, size_t newlen, struct proc *p)
{
int error, level, inthostid, stackgap;
int error, level, stackgap;
dev_t dev;
extern int pool_debug;
@ -623,11 +626,6 @@ kern_sysctl_locked(int *name, u_int namelen, void *oldp, size_t *oldlenp,
if (newp && !error)
domainnamelen = newlen;
return (error);
case KERN_HOSTID:
inthostid = hostid; /* XXX assumes sizeof long <= sizeof int */
error = sysctl_int(oldp, oldlenp, newp, newlen, &inthostid);
hostid = inthostid;
return (error);
case KERN_CONSBUF:
if ((error = suser(p)))
return (error);
@ -1055,17 +1053,36 @@ int
sysctl_int_lower(void *oldp, size_t *oldlenp, void *newp, size_t newlen,
int *valp)
{
unsigned int oval = *valp, val = *valp;
unsigned int oldval, newval;
int error;
if (newp == NULL)
return (sysctl_rdint(oldp, oldlenp, newp, val));
if (oldp && *oldlenp < sizeof(int))
return (ENOMEM);
if (newp && newlen != sizeof(int))
return (EINVAL);
*oldlenp = sizeof(int);
if (newp) {
if ((error = copyin(newp, &newval, sizeof(int))))
return (error);
do {
oldval = atomic_load_int(valp);
if (oldval < (unsigned int)newval)
return (EPERM); /* do not allow raising */
} while (atomic_cas_uint(valp, oldval, newval) != oldval);
if (oldp) {
/* new value has been set although user gets error */
if ((error = copyout(&oldval, oldp, sizeof(int))))
return (error);
}
} else if (oldp) {
oldval = atomic_load_int(valp);
if ((error = copyout(&oldval, oldp, sizeof(int))))
return (error);
}
if ((error = sysctl_int(oldp, oldlenp, newp, newlen, &val)))
return (error);
if (val > oval)
return (EPERM); /* do not allow raising */
*(unsigned int *)valp = val;
return (0);
}
@ -1076,18 +1093,8 @@ sysctl_int_lower(void *oldp, size_t *oldlenp, void *newp, size_t newlen,
int
sysctl_int(void *oldp, size_t *oldlenp, void *newp, size_t newlen, int *valp)
{
int error = 0;
if (oldp && *oldlenp < sizeof(int))
return (ENOMEM);
if (newp && newlen != sizeof(int))
return (EINVAL);
*oldlenp = sizeof(int);
if (oldp)
error = copyout(valp, oldp, sizeof(int));
if (error == 0 && newp)
error = copyin(newp, valp, sizeof(int));
return (error);
return (sysctl_int_bounded(oldp, oldlenp, newp, newlen, valp,
INT_MIN, INT_MAX));
}
/*
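Review bot: sysctl_int_lower compares `oldval` and `newval` as `unsigned int`, so a negative request counts as a very large value and is refused unless the current value is at least as large. That is what stops a caller from "lowering" a knob to -1, and it deserves a comment at the comparison, for example `/* unsigned compare: negative values count as large */`. The cast in `oldval < (unsigned int)newval` is redundant because `newval` is already declared `unsigned int`. The function also hands `int *valp` to `atomic_cas_uint`, which presumably takes an unsigned pointer; an explicit `(unsigned int *)valp`, as the replaced code used, would keep the signedness conversion visible.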


@ -1,4 +1,4 @@
/* $OpenBSD: uipc_domain.c,v 1.66 2024/08/12 11:25:27 bluhm Exp $ */
/* $OpenBSD: uipc_domain.c,v 1.67 2024/08/14 17:52:47 mvs Exp $ */
/* $NetBSD: uipc_domain.c,v 1.14 1996/02/09 19:00:44 christos Exp $ */
/*
@ -236,9 +236,18 @@ net_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp,
return (EISDIR); /* overloaded */
protocol = name[1];
for (pr = dp->dom_protosw; pr < dp->dom_protoswNPROTOSW; pr++)
if (pr->pr_protocol == protocol && pr->pr_sysctl)
return ((*pr->pr_sysctl)(name + 2, namelen - 2,
oldp, oldlenp, newp, newlen));
if (pr->pr_protocol == protocol && pr->pr_sysctl) {
size_t savelen = *oldlenp;
int error;
if ((error = sysctl_vslock(oldp, savelen)))
return (error);
error = (*pr->pr_sysctl)(name + 2, namelen - 2,
oldp, oldlenp, newp, newlen);
sysctl_vsunlock(oldp, savelen);
return (error);
}
return (ENOPROTOOPT);
}
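Review bot: The code does not say why `savelen` is captured from `*oldlenp` before the handler runs: `pr_sysctl` receives `oldlenp` and may rewrite it, while sysctl_vsunlock has to be given the length that was locked. A comment above the declaration, such as `/* pr_sysctl may update *oldlenp; unlock with the locked length */`, would keep a later cleanup from replacing `savelen` with `*oldlenp`. How sysctl_vslock behaves when `oldp` is NULL is not visible here and should be confirmed, since requests with no old buffer presumably reach this path too.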


@ -1,4 +1,4 @@
/* $OpenBSD: mpls_raw.c,v 1.20 2024/04/29 00:29:48 jsg Exp $ */
/* $OpenBSD: mpls_raw.c,v 1.21 2024/08/14 17:52:47 mvs Exp $ */
/*
* Copyright (C) 1999, 2000 and 2001 AYAME Project, WIDE Project.
@ -58,6 +58,12 @@ int
mpls_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp,
size_t newlen)
{
return sysctl_bounded_arr(mplsctl_vars, nitems(mplsctl_vars),
int error;
KERNEL_LOCK();
error = sysctl_bounded_arr(mplsctl_vars, nitems(mplsctl_vars),
name, namelen, oldp, oldlenp, newp, newlen);
KERNEL_UNLOCK();
return error;
}
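Review bot: Nothing in mpls_sysctl says why the kernel lock is now taken by hand around sysctl_bounded_arr. With `dolock = 0` set for CTL_NET in sys_sysctl (kern_sysctl.c in this commit), this handler appears to be reached without the lock, and a one-line comment such as `/* net_sysctl() no longer runs under the kernel lock */` would record that. The other `pr_sysctl` handlers are not shown on this page, so whether each of them takes its own lock cannot be checked from here.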


@ -1,4 +1,4 @@
/* $OpenBSD: kernel.h,v 1.26 2023/03/03 20:16:44 cheloha Exp $ */
/* $OpenBSD: kernel.h,v 1.27 2024/08/14 13:54:08 mvs Exp $ */
/* $NetBSD: kernel.h,v 1.11 1995/03/03 01:24:16 cgd Exp $ */
/*-
@ -40,7 +40,7 @@
/* Global variables for the kernel. */
/* 1.1 */
extern long hostid;
extern int hostid;
extern char hostname[MAXHOSTNAMELEN];
extern int hostnamelen;
extern char domainname[MAXHOSTNAMELEN];


@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: lwres.h,v 1.3 2020/02/12 13:05:04 jsg Exp $ */
/* $Id: lwres.h,v 1.6 2024/08/14 17:38:57 florian Exp $ */
#ifndef LWRES_LWRES_H
#define LWRES_LWRES_H 1
@ -101,34 +101,20 @@ struct lwres_addr {
*/
#define LWRES_CONFMAXNAMESERVERS 3 /*%< max 3 "nameserver" entries */
#define LWRES_CONFMAXLWSERVERS 1 /*%< max 1 "lwserver" entry */
#define LWRES_CONFMAXSEARCH 8 /*%< max 8 domains in "search" entry */
#define LWRES_CONFMAXLINELEN 256 /*%< max size of a line */
#define LWRES_CONFMAXSORTLIST 10 /*%< max 10 */
/*% lwres_conf_t */
typedef struct {
lwres_addr_t nameservers[LWRES_CONFMAXNAMESERVERS];
uint8_t nsnext; /*%< index for next free slot */
lwres_addr_t lwservers[LWRES_CONFMAXLWSERVERS];
uint8_t lwnext; /*%< index for next free slot */
char *domainname;
char *search[LWRES_CONFMAXSEARCH];
uint8_t searchnxt; /*%< index for next free slot */
struct {
lwres_addr_t addr;
/*% mask has a non-zero 'family' and 'length' if set */
lwres_addr_t mask;
} sortlist[LWRES_CONFMAXSORTLIST];
uint8_t sortlistnxt;
uint8_t resdebug; /*%< non-zero if 'options debug' set */
uint8_t ndots; /*%< set to n in 'options ndots:n' */
uint8_t no_tld_query; /*%< non-zero if 'options no_tld_query' */
int flags;
} lwres_conf_t;


@ -56,18 +56,12 @@
static lwres_result_t
lwres_conf_parsenameserver(lwres_conf_t *confdata, FILE *fp);
static lwres_result_t
lwres_conf_parselwserver(lwres_conf_t *confdata, FILE *fp);
static lwres_result_t
lwres_conf_parsedomain(lwres_conf_t *confdata, FILE *fp);
static lwres_result_t
lwres_conf_parsesearch(lwres_conf_t *confdata, FILE *fp);
static lwres_result_t
lwres_conf_parsesortlist(lwres_conf_t *confdata, FILE *fp);
static lwres_result_t
lwres_conf_parseoption(lwres_conf_t *confdata, FILE *fp);
@ -159,13 +153,9 @@ lwres_conf_init(lwres_conf_t *confdata, int lwresflags) {
int i;
confdata->nsnext = 0;
confdata->lwnext = 0;
confdata->domainname = NULL;
confdata->searchnxt = 0;
confdata->sortlistnxt = 0;
confdata->resdebug = 0;
confdata->ndots = 1;
confdata->no_tld_query = 0;
confdata->flags = lwresflags;
for (i = 0; i < LWRES_CONFMAXNAMESERVERS; i++)
@ -174,10 +164,6 @@ lwres_conf_init(lwres_conf_t *confdata, int lwresflags) {
for (i = 0; i < LWRES_CONFMAXSEARCH; i++)
confdata->search[i] = NULL;
for (i = 0; i < LWRES_CONFMAXSORTLIST; i++) {
lwres_resetaddr(&confdata->sortlist[i].addr);
lwres_resetaddr(&confdata->sortlist[i].mask);
}
}
/*% Frees up all the internal memory used by the config data structure, returning it to the lwres_context_t. */
@ -196,19 +182,10 @@ lwres_conf_clear(lwres_conf_t *confdata) {
confdata->search[i] = NULL;
}
for (i = 0; i < LWRES_CONFMAXSORTLIST; i++) {
lwres_resetaddr(&confdata->sortlist[i].addr);
lwres_resetaddr(&confdata->sortlist[i].mask);
}
confdata->nsnext = 0;
confdata->lwnext = 0;
confdata->domainname = NULL;
confdata->searchnxt = 0;
confdata->sortlistnxt = 0;
confdata->resdebug = 0;
confdata->ndots = 1;
confdata->no_tld_query = 0;
}
static lwres_result_t
@ -241,31 +218,6 @@ lwres_conf_parsenameserver(lwres_conf_t *confdata, FILE *fp) {
return (LWRES_R_SUCCESS);
}
static lwres_result_t
lwres_conf_parselwserver(lwres_conf_t *confdata, FILE *fp) {
char word[LWRES_CONFMAXLINELEN];
int res;
if (confdata->lwnext == LWRES_CONFMAXLWSERVERS)
return (LWRES_R_SUCCESS);
res = getword(fp, word, sizeof(word));
if (strlen(word) == 0U)
return (LWRES_R_FAILURE); /* Nothing on line. */
else if (res == ' ' || res == '\t')
res = eatwhite(fp);
if (res != EOF && res != '\n')
return (LWRES_R_FAILURE); /* Extra junk on line. */
res = lwres_create_addr(word,
&confdata->lwservers[confdata->lwnext++], 1);
if (res != LWRES_R_SUCCESS)
return (res);
return (LWRES_R_SUCCESS);
}
static lwres_result_t
lwres_conf_parsedomain(lwres_conf_t *confdata, FILE *fp) {
char word[LWRES_CONFMAXLINELEN];
@ -398,57 +350,6 @@ lwres_create_addr(const char *buffer, lwres_addr_t *addr, int convert_zero) {
return (LWRES_R_SUCCESS);
}
static lwres_result_t
lwres_conf_parsesortlist(lwres_conf_t *confdata, FILE *fp) {
int delim, res, idx;
char word[LWRES_CONFMAXLINELEN];
char *p;
delim = getword(fp, word, sizeof(word));
if (strlen(word) == 0U)
return (LWRES_R_FAILURE); /* Empty line after keyword. */
while (strlen(word) > 0U) {
if (confdata->sortlistnxt == LWRES_CONFMAXSORTLIST)
return (LWRES_R_FAILURE); /* Too many values. */
p = strchr(word, '/');
if (p != NULL)
*p++ = '\0';
idx = confdata->sortlistnxt;
res = lwres_create_addr(word, &confdata->sortlist[idx].addr, 1);
if (res != LWRES_R_SUCCESS)
return (res);
if (p != NULL) {
res = lwres_create_addr(p,
&confdata->sortlist[idx].mask,
0);
if (res != LWRES_R_SUCCESS)
return (res);
} else {
/*
* Make up a mask.
*/
confdata->sortlist[idx].mask =
confdata->sortlist[idx].addr;
memset(&confdata->sortlist[idx].mask.address, 0xff,
confdata->sortlist[idx].addr.length);
}
confdata->sortlistnxt++;
if (delim == EOF || delim == '\n')
break;
else
delim = getword(fp, word, sizeof(word));
}
return (LWRES_R_SUCCESS);
}
static lwres_result_t
lwres_conf_parseoption(lwres_conf_t *confdata, FILE *fp) {
int delim;
@ -461,11 +362,7 @@ lwres_conf_parseoption(lwres_conf_t *confdata, FILE *fp) {
return (LWRES_R_FAILURE); /* Empty line after keyword. */
while (strlen(word) > 0U) {
if (strcmp("debug", word) == 0) {
confdata->resdebug = 1;
} else if (strcmp("no_tld_query", word) == 0) {
confdata->no_tld_query = 1;
} else if (strncmp("ndots:", word, 6) == 0) {
if (strncmp("ndots:", word, 6) == 0) {
ndots = strtol(word + 6, &p, 10);
if (*p != '\0') /* Bad string. */
return (LWRES_R_FAILURE);
@ -509,14 +406,10 @@ lwres_conf_parse(lwres_conf_t *confdata, const char *filename) {
rval = LWRES_R_SUCCESS;
else if (strcmp(word, "nameserver") == 0)
rval = lwres_conf_parsenameserver(confdata, fp);
else if (strcmp(word, "lwserver") == 0)
rval = lwres_conf_parselwserver(confdata, fp);
else if (strcmp(word, "domain") == 0)
rval = lwres_conf_parsedomain(confdata, fp);
else if (strcmp(word, "search") == 0)
rval = lwres_conf_parsesearch(confdata, fp);
else if (strcmp(word, "sortlist") == 0)
rval = lwres_conf_parsesortlist(confdata, fp);
else if (strcmp(word, "options") == 0)
rval = lwres_conf_parseoption(confdata, fp);
else {


@ -1,4 +1,4 @@
/* $OpenBSD: cipher.c,v 1.121 2024/05/17 02:39:11 jsg Exp $ */
/* $OpenBSD: cipher.c,v 1.122 2024/08/14 15:42:18 tobias Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -249,7 +249,7 @@ cipher_init(struct sshcipher_ctx **ccp, const struct sshcipher *cipher,
#endif
*ccp = NULL;
if ((cc = calloc(sizeof(*cc), 1)) == NULL)
if ((cc = calloc(1, sizeof(*cc))) == NULL)
return SSH_ERR_ALLOC_FAIL;
cc->plaintext = (cipher->flags & CFLAG_NONE) != 0;


@ -1,4 +1,4 @@
/* $OpenBSD: sshbuf.c,v 1.19 2022/12/02 04:40:27 djm Exp $ */
/* $OpenBSD: sshbuf.c,v 1.23 2024/08/14 15:42:18 tobias Exp $ */
/*
* Copyright (c) 2011 Damien Miller
*
@ -55,6 +55,7 @@ sshbuf_check_sanity(const struct sshbuf *buf)
SSHBUF_TELL("sanity");
if (__predict_false(buf == NULL ||
(!buf->readonly && buf->d != buf->cd) ||
buf->parent == buf ||
buf->refcount < 1 || buf->refcount > SSHBUF_REFS_MAX ||
buf->cd == NULL ||
buf->max_size > SSHBUF_SIZE_MAX ||
@ -91,7 +92,7 @@ sshbuf_new(void)
{
struct sshbuf *ret;
if ((ret = calloc(sizeof(*ret), 1)) == NULL)
if ((ret = calloc(1, sizeof(*ret))) == NULL)
return NULL;
ret->alloc = SSHBUF_SIZE_INIT;
ret->max_size = SSHBUF_SIZE_MAX;
@ -111,7 +112,7 @@ sshbuf_from(const void *blob, size_t len)
struct sshbuf *ret;
if (blob == NULL || len > SSHBUF_SIZE_MAX ||
(ret = calloc(sizeof(*ret), 1)) == NULL)
(ret = calloc(1, sizeof(*ret))) == NULL)
return NULL;
ret->alloc = ret->size = ret->max_size = len;
ret->readonly = 1;
@ -130,7 +131,8 @@ sshbuf_set_parent(struct sshbuf *child, struct sshbuf *parent)
if ((r = sshbuf_check_sanity(child)) != 0 ||
(r = sshbuf_check_sanity(parent)) != 0)
return r;
if (child->parent != NULL && child->parent != parent)
if ((child->parent != NULL && child->parent != parent) ||
child == parent)
return SSH_ERR_INTERNAL_ERROR;
child->parent = parent;
child->parent->refcount++;
@ -177,16 +179,14 @@ sshbuf_free(struct sshbuf *buf)
return;
/*
* If we are a child, the free our parent to decrement its reference
* If we are a child, then free our parent to decrement its reference
* count and possibly free it.
*/
sshbuf_free(buf->parent);
buf->parent = NULL;
if (!buf->readonly) {
explicit_bzero(buf->d, buf->alloc);
free(buf->d);
}
if (!buf->readonly)
freezero(buf->d, buf->alloc);
freezero(buf, sizeof(*buf));
}
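Review bot: The new checks in sshbuf_check_sanity and sshbuf_set_parent reject only the direct case where a buffer is its own parent. A longer loop, where `parent` already has `child` somewhere in its own parent chain, still passes the `child == parent` test and is accepted. sshbuf_free follows `buf->parent` recursively, so a cycle of that kind would depend on the reference counts alone to terminate. If callers can construct such a chain, walk it in sshbuf_set_parent before linking: `for (p = parent; p != NULL; p = p->parent)` with `if (p == child) return SSH_ERR_INTERNAL_ERROR;`. The bodies of these functions extend beyond the hunks shown.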


@ -1,4 +1,4 @@
.\" $OpenBSD: bgpctl.8,v 1.111 2023/05/09 13:26:27 claudio Exp $
.\" $OpenBSD: bgpctl.8,v 1.112 2024/08/14 19:10:51 claudio Exp $
.\"
.\" Copyright (c) 2003 Henning Brauer <henning@openbsd.org>
.\"
@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: May 9 2023 $
.Dd $Mdocdate: August 14 2024 $
.Dt BGPCTL 8
.Os
.Sh NAME
@ -416,6 +416,11 @@ Show only routes which are not eligible.
Show only prefixes which are marked invalid and were treated as withdrawn.
.It Ar family
Limit the output to the given address family.
.It Cm filtered
Show only routes which were filtered out.
Requires
.Ic rde rib Loc-RIB include filtered
to be set in the config.
.It Cm in
Show routes from the unfiltered Adj-RIB-In.
The


@ -1,4 +1,4 @@
/* $OpenBSD: bgpctl.c,v 1.306 2024/05/22 08:42:34 claudio Exp $ */
/* $OpenBSD: bgpctl.c,v 1.307 2024/08/14 19:10:51 claudio Exp $ */
/*
* Copyright (c) 2003 Henning Brauer <henning@openbsd.org>
@ -745,6 +745,8 @@ fmt_flags(uint32_t flags, int sum)
char *p = flagstr;
if (sum) {
if (flags & F_PREF_FILTERED)
*p++ = 'F';
if (flags & F_PREF_INVALID)
*p++ = 'E';
if (flags & F_PREF_OTC_LEAK)
@ -771,6 +773,8 @@ fmt_flags(uint32_t flags, int sum)
else
strlcpy(buf, "external", sizeof(buf));
if (flags & F_PREF_FILTERED)
strlcat(buf, ", filtered", sizeof(buf));
if (flags & F_PREF_INVALID)
strlcat(buf, ", invalid", sizeof(buf));
if (flags & F_PREF_OTC_LEAK)
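Review bot: fmt_flags appends one more character with `*p++ = 'F';` into `flagstr`, whose declaration and size are outside the hunk. Each flag writes through `p` with no bound check, so the array must hold every flag character that can be set together plus the terminating NUL; please confirm it was sized for the added 'F'. In the long form, `strlcat(buf, ", filtered", sizeof(buf))` is bounded but truncates silently, so the same size check applies to `buf`.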


@ -1,4 +1,4 @@
/* $OpenBSD: output.c,v 1.52 2024/08/12 09:05:28 claudio Exp $ */
/* $OpenBSD: output.c,v 1.53 2024/08/14 19:10:51 claudio Exp $ */
/*
* Copyright (c) 2003 Henning Brauer <henning@openbsd.org>
@ -66,7 +66,7 @@ show_head(struct parse_result *res)
break;
printf("flags: "
"* = Valid, > = Selected, I = via IBGP, A = Announced,\n"
" S = Stale, E = Error\n");
" S = Stale, E = Error, F = Filtered\n");
printf("origin validation state: "
"N = not-found, V = valid, ! = invalid\n");
printf("aspa validation state: "


@ -1,4 +1,4 @@
/* $OpenBSD: output_json.c,v 1.45 2024/08/12 09:05:28 claudio Exp $ */
/* $OpenBSD: output_json.c,v 1.46 2024/08/14 19:10:51 claudio Exp $ */
/*
* Copyright (c) 2020 Claudio Jeker <claudio@openbsd.org>
@ -834,6 +834,8 @@ json_rib(struct ctl_show_rib *r, struct ibuf *asbuf, struct parse_result *res)
/* flags */
json_do_bool("valid", r->flags & F_PREF_ELIGIBLE);
if (r->flags & F_PREF_FILTERED)
json_do_bool("filtered", 1);
if (r->flags & F_PREF_BEST)
json_do_bool("best", 1);
if (r->flags & F_PREF_ECMP)


@ -1,4 +1,4 @@
/* $OpenBSD: parser.c,v 1.134 2023/11/20 14:18:21 claudio Exp $ */
/* $OpenBSD: parser.c,v 1.135 2024/08/14 19:10:51 claudio Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@ -183,6 +183,7 @@ static const struct token t_show_rib[] = {
{ ASTYPE, "empty-as", AS_EMPTY, t_show_rib},
{ FLAG, "error", F_CTL_INVALID, t_show_rib},
{ EXTCOMMUNITY, "ext-community", NONE, t_show_rib},
{ FLAG, "filtered", F_CTL_FILTERED, t_show_rib},
{ FLAG, "in", F_CTL_ADJ_IN, t_show_rib},
{ LRGCOMMUNITY, "large-community", NONE, t_show_rib},
{ FLAG, "leaked", F_CTL_LEAKED, t_show_rib},


@ -1,4 +1,4 @@
.\" $OpenBSD: bgpd.conf.5,v 1.241 2024/08/12 09:04:23 claudio Exp $
.\" $OpenBSD: bgpd.conf.5,v 1.242 2024/08/14 19:09:51 claudio Exp $
.\"
.\" Copyright (c) 2004 Claudio Jeker <claudio@openbsd.org>
.\" Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@ -16,7 +16,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: August 12 2024 $
.Dd $Mdocdate: August 14 2024 $
.Dt BGPD.CONF 5
.Os
.Sh NAME
@ -325,6 +325,13 @@ and
.Ic Loc-RIB ,
which are created automatically and used by default.
.Pp
.It Ic rde rib Loc-RIB include filtered
Include filtered prefixes in the
.Ic Loc-RIB .
Filtered prefixes are not eligible by the decision process but can be
displayed by
.Xr bgpctl 8 .
.Pp
.It Xo
.Ic rde
.Ic route-age


@ -1,4 +1,4 @@
/* $OpenBSD: bgpd.h,v 1.494 2024/08/12 09:04:23 claudio Exp $ */
/* $OpenBSD: bgpd.h,v 1.495 2024/08/14 19:09:51 claudio Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@ -101,6 +101,7 @@
#define F_CTL_AVS_VALID 0x1000000
#define F_CTL_AVS_INVALID 0x2000000
#define F_CTL_AVS_UNKNOWN 0x4000000
#define F_CTL_FILTERED 0x8000000 /* only set on requests */
#define F_CTL_SSV 0x80000000 /* only used by bgpctl */
#define CTASSERT(x) extern char _ctassert[(x) ? 1 : -1 ] \
@ -317,6 +318,7 @@ struct bgpd_config {
uint16_t min_holdtime;
uint16_t connectretry;
uint8_t fib_priority;
uint8_t filtered_in_locrib;
};
extern int cmd_opts;
@ -888,6 +890,7 @@ struct ctl_neighbor {
#define F_PREF_OTC_LEAK 0x080
#define F_PREF_ECMP 0x100
#define F_PREF_AS_WIDE 0x200
#define F_PREF_FILTERED 0x400
struct ctl_show_rib {
struct bgpd_addr true_nexthop;


@ -1,4 +1,4 @@
/* $OpenBSD: config.c,v 1.109 2024/05/22 08:41:14 claudio Exp $ */
/* $OpenBSD: config.c,v 1.110 2024/08/14 19:09:51 claudio Exp $ */
/*
* Copyright (c) 2003, 2004, 2005 Henning Brauer <henning@openbsd.org>
@ -87,6 +87,7 @@ copy_config(struct bgpd_config *to, struct bgpd_config *from)
to->min_holdtime = from->min_holdtime;
to->connectretry = from->connectretry;
to->fib_priority = from->fib_priority;
to->filtered_in_locrib = from->filtered_in_locrib;
}
void


@ -1,4 +1,4 @@
/* $OpenBSD: parse.y,v 1.464 2024/08/12 09:04:23 claudio Exp $ */
/* $OpenBSD: parse.y,v 1.465 2024/08/14 19:09:51 claudio Exp $ */
/*
* Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@ -250,7 +250,7 @@ typedef struct {
%token SEND RECV PLUS POLICY ROLE
%token DEMOTE ENFORCE NEIGHBORAS ASOVERRIDE REFLECTOR DEPEND DOWN
%token DUMP IN OUT SOCKET RESTRICTED
%token LOG TRANSPARENT
%token LOG TRANSPARENT FILTERED
%token TCP MD5SIG PASSWORD KEY TTLSECURITY
%token ALLOW DENY MATCH
%token QUICK
@ -941,6 +941,14 @@ conf_main : AS as4number {
}
free($3);
}
| RDE RIB STRING INCLUDE FILTERED {
if (strcmp($3, "Loc-RIB") != 0) {
yyerror("include filtered only supported in "
"Loc-RIB");
YYERROR;
}
conf->filtered_in_locrib = 1;
}
| NEXTHOP QUALIFY VIA STRING {
if (!strcmp($4, "bgp"))
conf->flags |= BGPD_FLAG_NEXTHOP_BGP;
@ -3551,6 +3559,7 @@ lookup(char *s)
{ "ext-community", EXTCOMMUNITY},
{ "fib-priority", FIBPRIORITY},
{ "fib-update", FIBUPDATE},
{ "filtered", FILTERED},
{ "flags", FLAGS},
{ "flowspec", FLOWSPEC},
{ "fragment", FRAGMENT},
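Review bot: The new `RDE RIB STRING INCLUDE FILTERED` rule in conf_main never releases `$3`, neither on the error path nor on the success path, while the rule directly above it ends with `free($3);`, which suggests STRING values are heap-allocated here. I would add `free($3);` before `YYERROR;` and again after `conf->filtered_in_locrib = 1;`. The leak is small, but it presumably recurs each time the configuration is parsed again.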


@ -1,4 +1,4 @@
/* $OpenBSD: printconf.c,v 1.173 2024/05/22 08:41:14 claudio Exp $ */
/* $OpenBSD: printconf.c,v 1.174 2024/08/14 19:09:51 claudio Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@ -1276,6 +1276,8 @@ print_config(struct bgpd_config *conf, struct rib_names *rib_l)
SIMPLEQ_FOREACH(vpn, &conf->l3vpns, entry)
print_l3vpn(vpn);
printf("\n");
if (conf->filtered_in_locrib)
printf("rde rib Loc-RIB include filtered\n");
SIMPLEQ_FOREACH(rr, rib_l, entry) {
if (rr->flags & F_RIB_NOEVALUATE)
printf("rde rib %s no evaluate\n", rr->name);


@ -1,4 +1,4 @@
/* $OpenBSD: rde.c,v 1.625 2024/05/22 08:41:14 claudio Exp $ */
/* $OpenBSD: rde.c,v 1.626 2024/08/14 19:09:51 claudio Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@ -1854,7 +1854,7 @@ rde_update_update(struct rde_peer *peer, uint32_t path_id,
path_id_tx = pathid_assign(peer, path_id, prefix, prefixlen);
/* add original path to the Adj-RIB-In */
if (prefix_update(rib_byid(RIB_ADJ_IN), peer, path_id, path_id_tx,
in, prefix, prefixlen) == 1)
in, 0, prefix, prefixlen) == 1)
peer->stats.prefix_cnt++;
/* max prefix checker */
@ -1883,11 +1883,16 @@ rde_update_update(struct rde_peer *peer, uint32_t path_id,
&state.nexthop->exit_nexthop, prefix,
prefixlen);
prefix_update(rib, peer, path_id, path_id_tx, &state,
prefix, prefixlen);
} else if (prefix_withdraw(rib, peer, path_id, prefix,
prefixlen)) {
rde_update_log(wmsg, i, peer,
NULL, prefix, prefixlen);
0, prefix, prefixlen);
} else if (conf->filtered_in_locrib && i == RIB_LOC_START) {
rde_update_log(wmsg, i, peer, NULL, prefix, prefixlen);
prefix_update(rib, peer, path_id, path_id_tx, &state,
1, prefix, prefixlen);
} else {
if (prefix_withdraw(rib, peer, path_id, prefix,
prefixlen))
rde_update_log(wmsg, i, peer,
NULL, prefix, prefixlen);
}
rde_filterstate_clean(&state);
@ -2738,7 +2743,7 @@ rde_dump_rib_as(struct prefix *p, struct rde_aspath *asp, pid_t pid, int flags,
rib.aspa_validation_state = prefix_aspa_vstate(p);
rib.dmetric = p->dmetric;
rib.flags = 0;
if (!adjout) {
if (!adjout && prefix_eligible(p)) {
re = prefix_re(p);
TAILQ_FOREACH(xp, &re->prefix_h, entry.list.rib) {
switch (xp->dmetric) {
@ -2768,6 +2773,8 @@ rde_dump_rib_as(struct prefix *p, struct rde_aspath *asp, pid_t pid, int flags,
rib.flags |= F_PREF_ANNOUNCE;
if (prefix_eligible(p))
rib.flags |= F_PREF_ELIGIBLE;
if (prefix_filtered(p))
rib.flags |= F_PREF_FILTERED;
/* otc loop includes parse err so skip the latter if the first is set */
if (asp->flags & F_ATTR_OTC_LEAK)
rib.flags |= F_PREF_OTC_LEAK;
@ -2854,6 +2861,8 @@ rde_dump_filter(struct prefix *p, struct ctl_show_rib_request *req, int adjout)
if ((req->flags & F_CTL_INVALID) &&
(asp->flags & F_ATTR_PARSE_ERR) == 0)
return;
if ((req->flags & F_CTL_FILTERED) && !prefix_filtered(p))
return;
if ((req->flags & F_CTL_INELIGIBLE) && prefix_eligible(p))
return;
if ((req->flags & F_CTL_LEAKED) &&
@ -3557,7 +3566,7 @@ rde_reload_done(void)
struct rde_prefixset_head originsets_old;
struct as_set_head as_sets_old;
uint16_t rid;
int reload = 0;
int reload = 0, force_locrib = 0;
softreconfig = 0;
@ -3568,6 +3577,12 @@ rde_reload_done(void)
SIMPLEQ_CONCAT(&originsets_old, &conf->rde_originsets);
SIMPLEQ_CONCAT(&as_sets_old, &conf->as_sets);
/* run softreconfig in if filter mode changed */
if (conf->filtered_in_locrib != nconf->filtered_in_locrib) {
log_debug("filter mode changed, reloading Loc-Rib");
force_locrib = 1;
}
/* merge the main config */
copy_config(conf, nconf);
@ -3688,7 +3703,7 @@ rde_reload_done(void)
}
/* bring ribs in sync */
for (rid = 0; rid < rib_size; rid++) {
for (rid = RIB_LOC_START; rid < rib_size; rid++) {
struct rib *rib = rib_byid(rid);
if (rib == NULL)
continue;
@ -3734,10 +3749,11 @@ rde_reload_done(void)
rib->state = RECONF_KEEP;
/* FALLTHROUGH */
case RECONF_KEEP:
if (rde_filter_equal(rib->in_rules, rib->in_rules_tmp))
if (!(force_locrib && rid == RIB_LOC_START) &&
rde_filter_equal(rib->in_rules, rib->in_rules_tmp))
/* rib is in sync */
break;
log_debug("in filter change: reloading RIB %s",
log_debug("filter change: reloading RIB %s",
rib->name);
rib->state = RECONF_RELOAD;
reload++;
@ -3935,9 +3951,14 @@ rde_softreconfig_in(struct rib_entry *re, void *bula)
if (action == ACTION_ALLOW) {
/* update Local-RIB */
prefix_update(rib, peer, p->path_id,
p->path_id_tx, &state,
p->path_id_tx, &state, 0,
&prefix, pt->prefixlen);
} else if (action == ACTION_DENY) {
} else if (conf->filtered_in_locrib &&
i == RIB_LOC_START) {
prefix_update(rib, peer, p->path_id,
p->path_id_tx, &state, 1,
&prefix, pt->prefixlen);
} else {
/* remove from Local-RIB */
prefix_withdraw(rib, peer, p->path_id, &prefix,
pt->prefixlen);
@ -4084,9 +4105,14 @@ rde_rpki_softreload(struct rib_entry *re, void *bula)
if (action == ACTION_ALLOW) {
/* update Local-RIB */
prefix_update(rib, peer, p->path_id,
p->path_id_tx, &state,
p->path_id_tx, &state, 0,
&prefix, pt->prefixlen);
} else if (action == ACTION_DENY) {
} else if (conf->filtered_in_locrib &&
i == RIB_LOC_START) {
prefix_update(rib, peer, p->path_id,
p->path_id_tx, &state, 1,
&prefix, pt->prefixlen);
} else {
/* remove from Local-RIB */
prefix_withdraw(rib, peer, p->path_id, &prefix,
pt->prefixlen);
@ -4365,7 +4391,7 @@ network_add(struct network_config *nc, struct filterstate *state)
path_id_tx = pathid_assign(peerself, 0, &nc->prefix, nc->prefixlen);
if (prefix_update(rib_byid(RIB_ADJ_IN), peerself, 0, path_id_tx,
state, &nc->prefix, nc->prefixlen) == 1)
state, 0, &nc->prefix, nc->prefixlen) == 1)
peerself->stats.prefix_cnt++;
for (i = RIB_LOC_START; i < rib_size; i++) {
struct rib *rib = rib_byid(i);
@ -4374,8 +4400,8 @@ network_add(struct network_config *nc, struct filterstate *state)
rde_update_log("announce", i, peerself,
state->nexthop ? &state->nexthop->exit_nexthop : NULL,
&nc->prefix, nc->prefixlen);
prefix_update(rib, peerself, 0, path_id_tx, state, &nc->prefix,
nc->prefixlen);
prefix_update(rib, peerself, 0, path_id_tx, state, 0,
&nc->prefix, nc->prefixlen);
}
filterset_free(&nc->attrset);
}
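Review bot: The allow / keep-as-filtered / withdraw decision is now written out three times, in rde_update_update, rde_softreconfig_in and rde_rpki_softreload, each passing a bare `0` or `1` for the new `filtered` argument of prefix_update(). Because this branch decides whether a route rejected by policy stays in the Loc-RIB, I would move it into one static helper so the three paths cannot drift apart, and at least comment the branch, e.g. `/* denied by filter: keep in Loc-RIB, flagged filtered and never eligible */`. In rde_update_update the filtered branch also calls `rde_update_log(wmsg, ...)` unconditionally, whereas the withdraw branch logs only when prefix_withdraw() reports a change; if that difference is intended it deserves a comment. All three functions start and end outside their hunks.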


@ -1,4 +1,4 @@
/* $OpenBSD: rde.h,v 1.303 2024/05/29 10:36:32 claudio Exp $ */
/* $OpenBSD: rde.h,v 1.304 2024/08/14 19:09:51 claudio Exp $ */
/*
* Copyright (c) 2003, 2004 Claudio Jeker <claudio@openbsd.org> and
@ -281,19 +281,21 @@ struct prefix {
time_t lastchange;
uint32_t path_id;
uint32_t path_id_tx;
uint16_t flags;
uint8_t validation_state;
uint8_t nhflags;
int8_t dmetric; /* decision metric */
uint8_t flags;
#define PREFIX_FLAG_WITHDRAW 0x01 /* enqueued on withdraw queue */
#define PREFIX_FLAG_UPDATE 0x02 /* enqueued on update queue */
#define PREFIX_FLAG_DEAD 0x04 /* locked but removed */
#define PREFIX_FLAG_STALE 0x08 /* stale entry (graceful reload) */
#define PREFIX_FLAG_MASK 0x0f /* mask for the prefix types */
#define PREFIX_FLAG_ADJOUT 0x10 /* prefix is in the adj-out rib */
#define PREFIX_FLAG_EOR 0x20 /* prefix is EoR */
#define PREFIX_NEXTHOP_LINKED 0x40 /* prefix is linked onto nexthop list */
#define PREFIX_FLAG_LOCKED 0x80 /* locked by rib walker */
};
#define PREFIX_FLAG_WITHDRAW 0x0001 /* enqueued on withdraw queue */
#define PREFIX_FLAG_UPDATE 0x0002 /* enqueued on update queue */
#define PREFIX_FLAG_DEAD 0x0004 /* locked but removed */
#define PREFIX_FLAG_STALE 0x0008 /* stale entry (graceful reload) */
#define PREFIX_FLAG_MASK 0x000f /* mask for the prefix types */
#define PREFIX_FLAG_ADJOUT 0x0010 /* prefix is in the adj-out rib */
#define PREFIX_FLAG_EOR 0x0020 /* prefix is EoR */
#define PREFIX_NEXTHOP_LINKED 0x0040 /* prefix is linked onto nexthop list */
#define PREFIX_FLAG_LOCKED 0x0080 /* locked by rib walker */
#define PREFIX_FLAG_FILTERED 0x0100 /* prefix is filtered (ineligible) */
#define PREFIX_DMETRIC_NONE 0
#define PREFIX_DMETRIC_INVALID 1
@ -301,7 +303,6 @@ struct prefix {
#define PREFIX_DMETRIC_AS_WIDE 3
#define PREFIX_DMETRIC_ECMP 4
#define PREFIX_DMETRIC_BEST 5
};
/* possible states for nhflags */
#define NEXTHOP_SELF 0x01
@ -579,7 +580,8 @@ struct prefix *prefix_adjout_lookup(struct rde_peer *, struct bgpd_addr *,
int);
struct prefix *prefix_adjout_match(struct rde_peer *, struct bgpd_addr *);
int prefix_update(struct rib *, struct rde_peer *, uint32_t,
uint32_t, struct filterstate *, struct bgpd_addr *, int);
uint32_t, struct filterstate *, int, struct bgpd_addr *,
int);
int prefix_withdraw(struct rib *, struct rde_peer *, uint32_t,
struct bgpd_addr *, int);
int prefix_flowspec_update(struct rde_peer *, struct filterstate *,
@ -669,6 +671,12 @@ prefix_re(struct prefix *p)
return (p->entry.list.re);
}
static inline int
prefix_filtered(struct prefix *p)
{
return ((p->flags & PREFIX_FLAG_FILTERED) != 0);
}
void nexthop_shutdown(void);
int nexthop_pending(void);
void nexthop_runner(void);
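Review bot: `flags` in struct prefix grows from uint8_t to uint16_t and the new PREFIX_FLAG_FILTERED is 0x0100, so any code that still carries prefix flags in an 8-bit variable or parameter would silently drop the filtered bit and make the prefix look eligible again. No such user is visible in this section, so this is a request to check the users of `p->flags` elsewhere rather than a confirmed defect. A one-line comment on prefix_filtered(), such as `/* filtered prefixes stay in the Loc-RIB for display only and are never eligible */`, would record the intent next to the accessor.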


@ -1,4 +1,4 @@
/* $OpenBSD: rde_decide.c,v 1.102 2023/10/12 14:22:08 claudio Exp $ */
/* $OpenBSD: rde_decide.c,v 1.103 2024/08/14 19:09:51 claudio Exp $ */
/*
* Copyright (c) 2003, 2004 Claudio Jeker <claudio@openbsd.org>
@ -486,6 +486,10 @@ prefix_eligible(struct prefix *p)
{
struct rde_aspath *asp = prefix_aspath(p);
/* prefix itself is marked ineligible */
if (prefix_filtered(p))
return 0;
/* The aspath needs to be loop and error free */
if (asp == NULL ||
asp->flags & (F_ATTR_LOOP|F_ATTR_OTC_LEAK|F_ATTR_PARSE_ERR))


@ -1,4 +1,4 @@
/* $OpenBSD: rde_rib.c,v 1.262 2024/05/29 10:34:56 claudio Exp $ */
/* $OpenBSD: rde_rib.c,v 1.263 2024/08/14 19:09:51 claudio Exp $ */
/*
* Copyright (c) 2003, 2004 Claudio Jeker <claudio@openbsd.org>
@ -801,10 +801,10 @@ path_put(struct rde_aspath *asp)
static int prefix_add(struct bgpd_addr *, int, struct rib *,
struct rde_peer *, uint32_t, uint32_t, struct rde_aspath *,
struct rde_community *, struct nexthop *,
uint8_t, uint8_t);
uint8_t, uint8_t, int);
static int prefix_move(struct prefix *, struct rde_peer *,
struct rde_aspath *, struct rde_community *,
struct nexthop *, uint8_t, uint8_t);
struct nexthop *, uint8_t, uint8_t, int);
static void prefix_link(struct prefix *, struct rib_entry *,
struct pt_entry *, struct rde_peer *, uint32_t, uint32_t,
@ -967,8 +967,8 @@ prefix_adjout_match(struct rde_peer *peer, struct bgpd_addr *addr)
*/
int
prefix_update(struct rib *rib, struct rde_peer *peer, uint32_t path_id,
uint32_t path_id_tx, struct filterstate *state, struct bgpd_addr *prefix,
int prefixlen)
uint32_t path_id_tx, struct filterstate *state, int filtered,
struct bgpd_addr *prefix, int prefixlen)
{
struct rde_aspath *asp, *nasp = &state->aspath;
struct rde_community *comm, *ncomm = &state->communities;
@ -987,6 +987,10 @@ prefix_update(struct rib *rib, struct rde_peer *peer, uint32_t path_id,
/* no change, update last change */
p->lastchange = getmonotime();
p->validation_state = state->vstate;
if (filtered)
p->flags |= PREFIX_FLAG_FILTERED;
else
p->flags &= ~PREFIX_FLAG_FILTERED;
return (0);
}
}
@ -1010,11 +1014,11 @@ prefix_update(struct rib *rib, struct rde_peer *peer, uint32_t path_id,
/* If the prefix was found move it else add it to the RIB. */
if (p != NULL)
return (prefix_move(p, peer, asp, comm, state->nexthop,
state->nhflags, state->vstate));
state->nhflags, state->vstate, filtered));
else
return (prefix_add(prefix, prefixlen, rib, peer, path_id,
path_id_tx, asp, comm, state->nexthop, state->nhflags,
state->vstate));
state->vstate, filtered));
}
/*
@ -1024,7 +1028,7 @@ static int
prefix_add(struct bgpd_addr *prefix, int prefixlen, struct rib *rib,
struct rde_peer *peer, uint32_t path_id, uint32_t path_id_tx,
struct rde_aspath *asp, struct rde_community *comm,
struct nexthop *nexthop, uint8_t nhflags, uint8_t vstate)
struct nexthop *nexthop, uint8_t nhflags, uint8_t vstate, int filtered)
{
struct pt_entry *pte;
struct prefix *p;
@ -1041,6 +1045,9 @@ prefix_add(struct bgpd_addr *prefix, int prefixlen, struct rib *rib,
prefix_link(p, re, re->prefix, peer, path_id, path_id_tx, asp, comm,
nexthop, nhflags, vstate);
if (filtered)
p->flags |= PREFIX_FLAG_FILTERED;
/* add possible pftable reference form aspath */
if (asp && asp->pftableid)
rde_pftable_add(asp->pftableid, p);
@ -1055,7 +1062,7 @@ prefix_add(struct bgpd_addr *prefix, int prefixlen, struct rib *rib,
static int
prefix_move(struct prefix *p, struct rde_peer *peer,
struct rde_aspath *asp, struct rde_community *comm,
struct nexthop *nexthop, uint8_t nhflags, uint8_t vstate)
struct nexthop *nexthop, uint8_t nhflags, uint8_t vstate, int filtered)
{
struct prefix *np;
@ -1070,6 +1077,9 @@ prefix_move(struct prefix *p, struct rde_peer *peer,
prefix_link(np, prefix_re(p), p->pt, peer, p->path_id, p->path_id_tx,
asp, comm, nexthop, nhflags, vstate);
if (filtered)
np->flags |= PREFIX_FLAG_FILTERED;
/* add possible pftable reference from new aspath */
if (asp && asp->pftableid)
rde_pftable_add(asp->pftableid, np);
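Review bot: In prefix_update(), the "no change" path now sets or clears PREFIX_FLAG_FILTERED and then returns 0, so a prefix whose attributes are identical but whose filter verdict flipped changes eligibility without going through prefix_move(). Unless a caller outside this hunk re-runs the decision process, the best path for that RIB entry could stay stale after a filter reload, with a newly denied route still selected or a newly allowed one ignored. I would take the shortcut only when the flag is unchanged, by adding `prefix_filtered(p) == (filtered != 0) &&` to the comparison that guards this block; that comparison sits above the hunk and is not visible here. prefix_add() and prefix_move() only ever set the flag, which is fine as long as the prefix they link starts with clean flags.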


@ -1,4 +1,4 @@
/* $OpenBSD: radiusd.c,v 1.52 2024/07/22 09:27:16 yasuoka Exp $ */
/* $OpenBSD: radiusd.c,v 1.55 2024/08/14 07:06:50 yasuoka Exp $ */
/*
* Copyright (c) 2013, 2023 Internet Initiative Japan Inc.
@ -518,10 +518,10 @@ radiusd_listen_handle_packet(struct radiusd_listen *listn,
break; /* found it */
}
if (q != NULL) {
log_info("Received %s(code=%d) from %s id=%d: duplicate "
"request by q=%u", radius_code_string(req_code), req_code,
log_info("Received %s(code=%d) from %s id=%d: duplicated "
"with q=%u", radius_code_string(req_code), req_code,
peerstr, req_id, q->id);
/* XXX RFC 5080 suggests to answer the cached result */
q = NULL;
goto on_error;
}
@ -708,9 +708,11 @@ radius_query_access_response(struct radius_query *q)
goto on_error;
q0 = q;
q = q->prev;
/* dissolve the relation */
q0->prev = NULL;
q->hasnext = false;
radiusd_module_next_response(q->authen->auth->module,
q, q_last->res);
q0->prev = NULL;
radiusd_access_request_aborted(q0);
return;
}
@ -864,6 +866,7 @@ radiusd_access_request_next(struct radius_query *q, RADIUS_PACKET *pkt)
radius_get_authenticator(pkt, q_next->req_auth);
q_next->authen = authen;
q_next->prev = q;
q->hasnext = true;
strlcpy(q_next->username, username, sizeof(q_next->username));
TAILQ_INSERT_TAIL(&q->radiusd->query, q_next, next);
@ -878,8 +881,12 @@ radiusd_access_request_next(struct radius_query *q, RADIUS_PACKET *pkt)
void
radiusd_access_request_aborted(struct radius_query *q)
{
if (q->prev != NULL)
if (q->hasnext) /* don't abort if filtering */
return;
if (q->prev != NULL) {
q->prev->hasnext = false;
radiusd_access_request_aborted(q->prev);
}
if (q->req != NULL)
radius_delete_packet(q->req);
if (q->res != NULL)
@ -1398,6 +1405,7 @@ radiusd_module_imsg_read(struct radiusd_module *module)
if (n == 0)
return (0);
radiusd_module_imsg(module, &imsg);
imsg_free(&imsg);
}
return (0);
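Review bot: `prev` and the new `hasnext` describe the same link from two sides, and radiusd_access_request_aborted() now returns early without releasing anything when `hasnext` is set, so every path that drops a follow-up query must also clear `hasnext` on its predecessor or that predecessor would never be released. The two places visible here (radius_query_access_response and the recursion in radiusd_access_request_aborted) do clear it, but the rule is not written down anywhere. I would replace `/* don't abort if filtering */` with `/* a follow-up query still points at q via prev; q is released when that query finishes or aborts */` and state the same invariant next to the `hasnext` field. radiusd_access_request_aborted() continues past the end of its hunk.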


@ -1,4 +1,4 @@
/* $OpenBSD: radiusd_ipcp.c,v 1.8 2024/08/01 00:58:14 yasuoka Exp $ */
/* $OpenBSD: radiusd_ipcp.c,v 1.9 2024/08/14 04:47:08 yasuoka Exp $ */
/*
* Copyright (c) 2024 Internet Initiative Japan Inc.
@ -485,6 +485,8 @@ ipcp_config_set(void *ctx, const char *name, int argc, char * const * argv)
}
}
} else if (strcmp(name, "dae") == 0) {
memset(&dae, 0, sizeof(dae));
dae.sock = -1;
if (!(argc >= 1 || strcmp(argv[1], "server") == 0)) {
module_send_message(module->base, IMSG_NG,
"`%s' is unknown", argv[1]);

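Review bot: The guard right after the added initialisation, `if (!(argc >= 1 || strcmp(argv[1], "server") == 0))`, cannot do what it appears to intend. It is false whenever argc >= 1, so the keyword is never compared, and when argc is 0 both the strcmp() and the error message read `argv[1]`, which lies outside the supplied arguments. If the keyword is the first value (an assumption, since the argv layout is not visible here), the check would read `if (argc < 1 || strcmp(argv[0], "server") != 0)`, and the message should not format an element that may not exist. ipcp_config_set() starts and ends outside this hunk.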

@ -1,4 +1,4 @@
/* $OpenBSD: radiusd_local.h,v 1.16 2024/07/17 11:31:46 yasuoka Exp $ */
/* $OpenBSD: radiusd_local.h,v 1.17 2024/08/14 07:04:54 yasuoka Exp $ */
/*
* Copyright (c) 2013 Internet Initiative Japan Inc.
@ -131,6 +131,7 @@ struct radius_query {
struct sockaddr_storage clientaddr;
int clientaddrlen;
int req_id;
bool hasnext;
u_char req_auth[16];
struct radiusd_listen *listen;
struct radiusd_client *client;