Make divert-packet / divert(4) properly rdomain aware.
divert(4) only partially handled rtables / rdomains. While it was used
outbound, inbound packets did not check the rdomain. This is confusing
and incorrect.
Now inbound packets need to match the rdomain of the listening socket
so one needs to listen on the rdomain the packets come in.
If packets from multiple rdomains match the rule then userland
needs to listen on each rdomain. If not the packet will be dropped.
Report by Y Yang, et al from Tsinghua University
With and OK bluhm@ OK sashan@ mvs@
sndiod: Refactor and simplify the hello message handling
Use proper enums for the resource type (audio device, midithru port,
etc) in place of magic numbers and factor duplicated code.
No behavior change.
CCVS: ----------------------------------------------------------------------
Extend multicast router counter.
ip_mforward() contained a static variable that poorly implements a
rate limited log message. Replace the log with a counter, which
is MP-safe.
Also count drops due to time-to-live and hop-limit. As the default
ttl is 1, this is the most common pitfall when configuring a multicast
router. This counter helps debugging.
OK claudio@ deraadt@
For IPC_STAT (and KERN_SYSVIPC_SHM_INFO) the three fields
__shm_atimensec/__shm_dtimensec/_shm_ctimensec fields leak kernel memory
contents because we never initialize them, they should clearly be zero
until such time as we add more precision. The Tsinghua University group
suggested clearing these at export time, but the real problem is the
memory is being allocated without PR_ZERO.
ok kettenis mvs
Move our auto-mode-alist tweak to default.el
This is the Right Way to do it according to the emacs docs. Users can
then ignore this custom file with emacs -q if it becomes an issue. Also
using default.el avoids possible patch conflicts when upgrading to newer
emacs releases.
Initial version from Timo Myyra, thanks!
Add a backoff retry mechanism for non-functional CAs
Many non-functional CAs never recover once they become non-functional
causing inefficiency in the operation of relying party instances.
The existing detection mechanism for non-functional CAs is changed into
a stateful backoff retry mechanism, eventually settling on retrying
broken CAs only once per day. Backoff helps reduce load on both the
RP and publication point sides of the house, reduces log clutter, and
improves RP run duration.
The sync schedule is reset if a given non-functional CA is discovered to
be in working order again (i.e., backoff is not applied to healthy CAs).
A few new statistics are exposed in the json & metrics outputs.
An interesting side-effect of this mechanism is that it appears to
obviate some of the need for a manually curated (and therefore, easily
outdated) skiplist.
OK claudio@ tb@
