Adj-RIB-Out and in that case set F_CTL_ADJ_OUT on the request.
With this 'bgpctl show rib out' and 'bgpctl show rib table Adj-RIB-Out'
return the same results.
OK tb@
AS0 TALs represent unmitigated operational risks: what if the RIR by
accident marks some IP space as 'unassigned'?
APNIC notes in their limitation of liability statement:
"""
Depending on router configuration, errors in the AS0 ROA could
cause unintended interruption to routing with other networks.
For this reason, it is strongly recommended that the AS0 ROA is
used for advisory and/ or alerting purposes only, and not for
automatic filtering of BGP routes.
"""
https://www.apnic.net/community/security/resource-certification/apnic-limitations-of-liability-for-rpki-2/
Guard usage of AS0 TALs behind new '-0' option
OK deraadt@ tb@
is for pool when selecting a random address from the pools, and tweak
the code for easier understanding. Also, check whether the left
value of an address range configuration is smaller than the right
value.
Historically, CMS_get1_crls() returned NULL if the CMS is an
unsupported content type or contained zero CRLs. Nowadays, if
the CMS contains zero CRLs, some implementations will return a
pointer to a STACK of CRLs with zero objects.
OK tb@
The manual says without -a or any drivers specified, fw_update -d
will delete all firmware not required by a driver, and now it does.
While here, slightly improve function name.
Rather than setting the destination struct member's size in an
AF-specific way only to read from and then overwrite it with
memcpy, use the destination size directly.
OK mlarkin
The tricky bit here is the fact that the peer wbuf needs to be allocated
and freed in the right places (when a peer is set up and when it is freed).
During lifetime we just flush the msgbuf with msgbuf_clear().
mrt has a similar issue. I think that freeing the msgbuf in mrt_clean is right.
OK tb@
issues by introducing imsg_read_one().
This code is still a bit strange since it uses imsg_flush() on
non-blocking sockets. A possible fix would be to replace imsg_flush()
with a new imsg_write_one() that uses poll like atomicio.
This is what imsg_read_one() does here.
OK tb@
The imsg handling in here is not quite right. It works but more by luck.
- use imsgbuf_read_one (similar code as found in a few other places)
  to read the one message we expect.
- do not call imsgbuf_flush() without a child running to read the data.
  With large enough requests imsgbuf_flush() may be locked forever since
  there is no reader on the other side of the pipe.
OK tb@
punt. A single res_query() call can return immediately (e.g. success
or the nameservers are unreachable), or take quite some time,
depending on how many nameservers are configured. So measure the
actual time it takes and decide what to do based on that.
Early version from beck@; ok claudio@ deraadt@
Having a single letter to distinguish a length from a pointer is error
prone. This results in binary change only in validate.c and cert.c due
to a line wrap resulting in line number changes and in cert.c there's in
addition two asserts that change.
checked with/ok job
Replace literal braces with .Brq, use lists, replace literal 'foo options'
with .Ar option ... and indent options where they belong.
This highlights config parser differences between daemons:
- dhcpleased: requires empty blocks, e.g. 'interface em0 {}' (Brq Op Ar option ...)
- rad: lets you omit them, e.g. 'interface em0' (Op Brq Ar option ...)
Feedback OK jmc
It turns out that DOWNLOAD_ONLY was just used as the inverse of INSTALL,
so use the one variable instead of two.
This also uncovered some small cleanups.
syslogd should immediately detect that the incoming TLS handshake
is complete. The old logic detected it when the first log message
over TLS was arriving. For now only a debug message is logged, but
the callback will be used to print the common name of the client
certificate in the future.
OK tb@
Log messages from vmd(8) child processes went to /dev/null. Re-exec
set the -n option, which in turn sets vmd_noaction and vmd_debug.
Debugging means no more syslog(3), but stderr, which is /dev/null
for a daemon.
Remove -n from child re-exec, it does not have any effect except
logging. Pass on the -d flag when debugging. The VMD_VERBOSE
defines are more confusing than useful, just write -v like all the
other options. Rework creation of execvp arguments. Do not use
tab in syslog messages, space is sufficient.
OK mlarkin@ hshoexer@ dv@
The psp.c source is restricted in makefile with .if ${MACHINE} ==
"amd64" so use #ifdef __amd64__ around the call to psp_setup(). On
arm64 set vmd_psp_fd to an invalid value.
OK hshoexer@ mlarkin@
Use shutdown and init to reset psp(4) on vmd(8) startup. This helps
when hacking on vmd(8) and crashing it. The psp(4) reset cleans
up all remnants of dead VMs from psp(4). Otherwise one would have
to reboot the machine.
from hshoexer@; OK mlarkin@
Currently the validation indicator only takes the certificate's status
into account. In case everything checks out, check the product's life
time and the signature path's expiration moment before printing OK.
should fix an issue encountered by job
looks good to claudio
Our kernel supports 16 groups (NGROUPS_MAX), but nothing prevents
an admin from adding a user to more groups. With that tweak we'll keep
on ignoring them instead of potentially reading past the buffer passed to
getgrouplist(3). That behavior is explicitly described in initgroups(3).
ok millert@ gilles@
Previously, if using fw_update -Fp ..., the argument to -p was
treated as a destination path, unless it looked like a URL.
This is too complex, if we want to be able to change the download
destination, that will need to be a new option.
It is helpful for network operators, publication point operators, and CA
operators to have more insight into whether the RP noticed an issuance
gap between two versions of a given manifest.
* high number of gaps all the time might be an indication the RP is not
  refreshing often enough
* the CA is trying to issue manifests more than once a second
* the RFC 8181 publication server's ingress API endpoint has issues
* the RFC 8181 publication client has trouble reaching the server
* the CA's private keys (RPKI + BPKI) are used on a second (cloned) system
* the CA's issuance database is broken
Correlation opportunity: detection of a gap means some of the CA's
intermediate states were occluded from the RP; the RP operator might
want to correlate this to traffic shifts in BGP or publication point
reachability issues.
Going forward, emit a warning per manifest, add metrics to the
openmetrics output, and display a summary at the end of the run about
issuance gaps.
OK tb@
they're tags where text is likely. strvis on random cookies is hard to read
and compare, and it's easier to convert 0x05dc than \005\334 to 1500 for
PPP-Max-Payload. ok claudio dlg