ksh(1)'s OPTIND is global and only saved/restored for `function' style functions.
That means passing, e.g. -d to rcctl(8) would leave OPTIND=2 for rc_pre() in
rc.subr(8) scripts using getopts, thus starting (continuing, really) parsing
options at the second argument.
jsg@ pointed out that i was unconditionally calling bpf_mtap when
the convention is to test if the bpf if pointer is set before calling
bpf_mdap.
while here drop incoming packets if the bpf filter tells us to to
be consistent with the if_input handlers.
original nit pointed out by jsg@
peer information for TCP connections including source address and port
This provides enough information to uniquely identify a connection on
the host or network.
pkg_create was skipping this check because it had "!$x =~ m/y/"
instead of "$x !~ m/y/". The misplaced "!" warns in Perl 5.42. When
afresh1 fixed the warning, it exposed other problems with the check.
Here, espie rewrites the check to allow @lib versions like
${LIBvala-${API_V}_VERSION} in lang/vala. Substitute every variable
but the one we need, then ensure it matches what we want.
If you upgrade base but keep an old ports tree, then cad/qcad and
devel/libtalloc would fail to package; those 2 ports were fixed by
2025-11-21.
from Marc Espie <marc.espie.openbsd () gmail ! com>
bulk and ok jca@
ok afresh1@
this moves the pfctl_status.fcounters, which includes the state
search counter which is bumped every time the state table is searched.
the places that get a copy of these counters now have to read the
per cpu counters and fold them into a struct pf_status rather than
just copy the global now.
ok sashan@
this means you can put the openbsd boot loader and bsd.rd on the
efi boot partition and run the installer that way. this is a port
of the same code i got working on arm64.
ok jmatthew@
Introduces a global and per-server "[no] banner" directive that prevents httpd
from sending the Server HTTP response header and removes server identification
from error documents. The SERVER_SOFTWARE CGI environment variable remains set
as required by RFC 3875.
Diff by Lloyd (thanks), ok kirill@
--------
Fix incomplete mitigation of CVE-2025-11411 by applying the non-test part of
https://nlnetlabs.nl/downloads/unbound/patch_CVE-2025-11411_2_wtests.diff
This extends the previous fix by also scrubbing unsolicited NS RRSets (and
their respective address records) for YXDOMAIN and nodata non-referral answers.
--------
This makes it easier to read and more in line with other code in
libcrypto. Also add a missing error check for the CMS_set_detached()
call.
ok jsing kenjiro
In nref_nos(), nnums must not be freed on error because in the caller it
is not->noticeref->noticenos and hangs off the POLICYQUALINFO qual which
is freed as part of POLICYQUALINFO_free() in the error path.
ok jsing kenjiro
nd6_rtrequest() could crash with a NULL pointer dereference if an
interator in nd6_list was inspected. Skip freeing neigbor discovery
entries and optimization in this unlikely case and try again later.
reported by Mischa and Anton Kasimov; OK mvs@
GZIP_STATIC flag at position \33 was missing from the debug string.
Also correct the truncated PATH_REWRITE/NO_PATH_REWRITE flag names.
The PATH_REWRITE and NO_PATH_REWRITE flag names were truncated to
PATH and NO_PATH in the SRVFLAG_BITS string definition.
OK kirill@ deraadt@
When bootet by /boot (or EFI boot loaders) both amd64 and i386
kernel start in a 32-bit mode.
When launching kernel directly (vmctl start -b <path>) vmd(8)
configures a flat 64-bit register set as default register set. The
GDT provides a 32-bit flat code segment.
For the i386 kernel the default register set is reconfigured to
32-bit legacy mode; paging is enabled and uses 4 Mb pages. This
is different to i386 being bootet by /boot. /boot launches the
i386 kernel with paging disabled.
The amd64 kernel uses the default register set, i.e. long mode is
enabled in EFER. However, it uses the 32-bit code segment of the
GDT. Thus ther kernel is effectively running in 32-bit compatibility
mode.
This has implications when using SEV-ES as #VC traps are delivered
by 64-bit rules. Booting an amd64 kernel on Linux/KVM the kernel
is actually running in 32-bit legacy mode, thus #VC traps are
delivered by 32-bit rules. Therefore, we have two #VC trap handlers
for locore0, a 32-bit and a 64-bit one.
To simplify this, start both i386 and amd64 in 32-bit legacy mode
with paging disabled.
All in all with this diff the run time configuration is similar to
what /boot provides for both amd64 and i386.
In a later diff #VC trap handling in locore0 can be simplified.
ok mlarkin
appl_sysuptime() uses CLOCK_MONOTONIC instead of gettimeofday(), works
on a per context basis as per RFC2741, and puts it in a sane namespace.
Makes sense to tb@
OK jmatthew@
The idea is that it's shorter to special-case ${@D} and the likes
(two characters variables ending in D or F) instead of having a weird
idx encoding.
Cons:
- this yields an extra "ext" parameter to classify_var
Pros:
- the weird index encoding vanishes
- no need for special treatment if we add more similar variables.
- drastically reduces the size of the switch (and the modulo shrinks from
82 to 36)
- code will recognize constructs like ${?D} and ${?F}, which puts us in
line with FreeBSD and NetBSD bmake, and also with gnu make.
from espie
Buy a t: rename hex_prin() to hex_print() and accept an ASN1_STRING so that
we only need to use accessors once. Also avoid a printf %s NULL.
ok kenjiro
mpw, mpip, and mpe all add entries to the local mpls fib that points to
themselves, and when these labels are "output" via these interfaces they
then go and push the packets into their input processing. this is all
boilerplate, so it can be factored out and better integrated into the
larger network stack. in particular, we can pass struct netstack through
to the input handlers.
there's some small downsides to this. the main one is that using
if_vinput to dispatch to their input handlers means the vinput
handling has to cope with mpls encapsulated packets. this is easy
except for mpw, where ether_ifattach does a lot of setup that has
to be tweaked for mpls encapsualted ethernet packets.
while here, this changes mpe output so it doesnt have to prepend the
mbuf with the sockaddr it uses as the nexthop on the underlay. it only
had to do that to carry the information across the ifq. if we just don't
use ifq for output then this gets simplified a lot. the only downside is
that you can't use altq on mpe interfaces after this. i dont think this
is a huge loss.
ok claudio@
When MP is enabled, OpenBSD uses the WBINVD instruction. With SEV-ES,
this causes a VC trap if the hypervisor has the WBINVD intercept enabled.
In the trap handler, simply forward the WBINVD exit to the hypervisor.
From Sebastian Sturm
ok mlarkin hshoexer
An upcoming change requires the inclusion of asn1_local.h in x509_local.h
which doesn't work due to missing header guards. Add guards to all local
headers that don't have them, although reacharounds and multiple inclusions
are unlikely to occur for most of those.
ok jsing
If the server.device control is used to switch to a new device, then
sndiod will always try to use it first. If the device is not present
sndiod will try to fall back to the previous one and so on until a
working device is found.
ok armani
there are some situations where vport will queue packets it has
"received". this spreads the processing of them over the softnet
threads.
this is like what's done for lo(4) and rport(4)