i've had a couple of reports of redundant firewalls misbehaving
since these changes, so until i can figure out what's wrong i'm
backing them out.
reported by hrvoje popovski and mark patruck
802.1ax says that LLDP packets sent to the multicast groups listed
in 802.1ab (the lldp spec) should be treated as "control frames"
so they can be processed by an lldp agent on a physical interface.
in our situation that means we shouldn't aggregate LLDP packets so
they appear to enter the system on aggr(4) interfaces, we should
let the physical port interfaces handle them. this will allow
AF_FRAME sockets listening on aggr port interfaces to receive lldp
packets.
jmatthew@ says it looks good.
The main benefit is moving the cumbersome and error-prone method of
using EVP_EncryptInit(3) for AES-GCM out of the important, but obese
manual page EVP_EncryptInit(3), and to create a logical place for
pointing readers to the safer and more flexible EVP_AEAD_CTX_init(3).
As a side benefit, document three control commands that were so far
undocumented and make the description of three others more precise.
Feedback and OK tb@.
This had an extra dance to allow a NULL output buffer. The plan was to
use this in i2o_ECPublicKey() to preserve the behavior of avoiding an
allocation if out == NULL. However, when I rewrote the latter I punted
on preserving that complication, as it was already batshit crazy enough.
Thus, remove said dance and make ec_point_to_octets() cleaner.
ok jsing
Replace selinfo data with klist. Introduce `sc_mtx' mutex(9) to protect
`sc_frames_data' and `sc_rklist'.
Additionally tested by Laurence Tratt.
ok kirill mglocker
this allows userland to use sockets to send and receive Ethernet
frames. as per the upcoming frame.4 man page:
frame protocol family sockets are designed as an alternative to bpf(4)
for handling low data and packet rate communication protocols. Rather
than filtering every frame entering the system before the network stack
like bpf(4), the frame protocol family processing avoids this overhead by
running after the built in protocol handlers in the kernel. For this
reason, it is not possible to handle IPv4 or IPv6 packets with frame
protocol sockets because the kernel network stack consumes them before
the receive handling for frame sockets is run.
if you've used udp sockets then these should feel much the same.
my main motivation is to implement an lldp agent in userland, but
without having to have bpf look at every packet when lldp happens
every minute or two.
the only feedback i had was positive, so i'm putting it in
ok claudio@
This quirk was introduced as a workaround, not the fix for the real
issue. The root cause was fixed in the previous commit (v1.227) to
uvideo.c with skip uvideo_vs_set_alt for bulk endpoint.
OK mglocker@ kn@
This is an extension to graceful restart and requires graceful restart to
be enabled to work. The NOTIFICATION bits are implemented as specified but
a much more strict stand was taken as to when to send a graceful reset.
bgpd only sends graceful notifications for a few cease cases (same as in
the RFC) and for the holdtimer and sendholdtimer errors. Everything else
is a hard error because the other side is not trustworthy.
OK tb@
Changes include conversion from C++, basic KNF, then adaptation to
use our sha3 functions for sha3 and shake instead of the BoringSSL
version. This adds unit tests to run against BoringSSL and NIST test
vectors.
The future public API is the same as Boring's - but is not yet exposed
pending making bytestring.h public (which will happen separately) and
a minor bump
Currently this will just ensure we build and run regress.
ok tb@ to get it into the tree and massage from there.
Changes include conversion from C++, basic KNF, then adaptation to
use our sha3 functions for sha3 and shake instead of the BoringSSL
version. This adds unit tests to run against BoringSSL and NIST test
vectors.
The future public API is the same as Boring's - but is not yet exposed
pending making bytestring.h public (which will happen separately) and
a minor bump
Currently this will just ensure we build and run regress.
ok tb@ to get it into the tree and massage from there.
INTERVAL_SESSION_DOWN (3600) seconds.
Rebuilding the Adj-RIB-Out is a lot of work while keeping the RIB in sync
is reasonably trivial. So avoid the work for the case that a session
was just quickly reset. This only works if the same peer settings are
used in the old and new session.
For this introduce an IMSG_SESSION_DELETE that tells the RDE to remove the
peer and split peer_down into a part that takes the session down (and
clears the Adj-RIB-In) and a part that frees the peer (peer_delete).
The SE now sends an IMSG_SESSION_ADD command on first connect and skips
that imsg on later connects unless IMSG_SESSION_DELETE was called before.
During config reload the IMSG_SESSION_ADD calls only need to happen when
the RDE actually has that information.
OK tb@