Put snmp engineids in a struct instead of having the data/length in
everything that needs it. This is in preparation for wider use of the
engineids
OK jmatthew@
Fix vmm(4) id assignment in vm_create.
My recent changes to fix race conditions confused vmm's global vm
counter with the always-incrementing index used for identifying new
vms. This caused id collisions resulting in vmd(8) not cleanly
rebooting vms.
Reported by bluhm@.
ok bluhm@, mlarkin@
Add support for the Genesys Logic GL9755 SDHC controller. This includes
the SDHC controller found on some of the Apple Silicon laptops.
ok stsp@, mlarkin@
Rewrite the adj-rib-out code to not be per-peer based but instead
global with a peer bitmap to know which peer holds which prefix version.
So a pt_entry now includes an array of struct adjout_prefix elements;
each entry is for a different path (different set of attributes) and
includes a bitmap that tracks which peers include this prefix / attr combo.
An optimisation on top of this is that the path_id_tx is forced to 0 for
peers that have no add-path send enabled. This way the lookup for this
common case is less deep.
The peer_reaper is now replaced with a simple adjout_prefix_dump call.
In general this reduces memory consumption by more than 50%, especially if
the outbound filters are producing the same path for many peers. My IXP
test setup dropped from over 20GB to below 5GB memory usage.
OK tb@
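The structure this commit message describes, written out as an added example rather than bgpd's own code: one pt_entry per prefix holds an array of adjout_prefix entries, one per distinct attribute set, and each entry carries a bitmap of the peers that currently advertise that path. The struct layout, the 64-peer single-word bitmap, the fixed path array, the attr_id stand-in for the hashed attribute set, and the names adjout_update, adjout_withdraw, adjout_prefix_dump, adjout_path_id_tx and demo_build are all assumptions made for the example; bgpd's real bitmap, path-id allocation and lookup code differ.

```c
#include <stdbool.h>
#include <stdint.h>
/* Toy model of a global adj-rib-out with a per-path peer bitmap.  Not bgpd's
 * code: the names, the single 64-bit bitmap word and the fixed-size arrays
 * are assumptions made to keep the example short. */
#define MAX_PEERS	64
#define MAX_PATHS	8
#define PEER_BIT(p)	(((p)->id < 0 || (p)->id >= MAX_PEERS) ? 0 : 1ULL << (p)->id)

struct adjout_prefix {
	uint32_t attr_id;	/* stand-in for the hashed attribute set */
	uint32_t path_id_tx;	/* id announced to add-path peers, else 0 */
	uint64_t peers;		/* bit i set: peer i advertises this path */
};

struct pt_entry {
	const char *prefix;
	uint32_t next_path_id_tx;	/* per-prefix allocator, starts at 1 */
	int npaths;
	struct adjout_prefix paths[MAX_PATHS];
};

struct peer {
	int id;			/* 0 .. MAX_PEERS-1 */
	bool addpath_tx;	/* add-path send negotiated with this peer */
};

/* Peer p now advertises pt with attribute set attr_id.  Peers that end up
 * with the same attributes share one slot.  Returns the slot, or -1. */
int adjout_update(struct pt_entry *pt, const struct peer *p, uint32_t attr_id)
{
	uint64_t bit = PEER_BIT(p);
	int i, slot = -1;
	if (bit == 0)
		return -1;
	for (i = 0; i < pt->npaths; i++) {
		pt->paths[i].peers &= ~bit;	/* a peer holds one version only */
		if (pt->paths[i].attr_id == attr_id)
			slot = i;
	}
	if (slot == -1) {
		if (pt->npaths == MAX_PATHS)
			return -1;
		slot = pt->npaths++;
		pt->paths[slot] = (struct adjout_prefix){ attr_id, 0, 0 };
	}
	/* path ids stay 0 until an add-path peer actually needs one */
	if (p->addpath_tx && pt->paths[slot].path_id_tx == 0)
		pt->paths[slot].path_id_tx = pt->next_path_id_tx++;
	pt->paths[slot].peers |= bit;
	return slot;
}

/* Withdraw pt from peer p; paths no peer references any more are dropped,
 * which is all the per-peer cleanup the bitmap design needs. */
void adjout_withdraw(struct pt_entry *pt, const struct peer *p)
{
	uint64_t bit = PEER_BIT(p);
	int i, j = 0;
	for (i = 0; i < pt->npaths; i++) {
		pt->paths[i].peers &= ~bit;
		if (pt->paths[i].peers != 0)
			pt->paths[j++] = pt->paths[i];
	}
	pt->npaths = j;
}

/* Slot of the one path peer p is being sent for pt, found through the
 * bitmaps rather than a per-peer table; -1 if the peer lacks the prefix. */
int adjout_prefix_dump(const struct pt_entry *pt, const struct peer *p)
{
	int i;
	for (i = 0; i < pt->npaths; i++)
		if (pt->paths[i].peers & PEER_BIT(p))
			return i;
	return -1;
}

/* Path id carried in the UPDATE sent to p: always 0 for non-add-path peers. */
uint32_t adjout_path_id_tx(const struct pt_entry *pt, const struct peer *p, int slot)
{
	return (slot >= 0 && p->addpath_tx) ? pt->paths[slot].path_id_tx : 0;
}

/* Constructed IXP-style scenario: 40 peers get the same filtered path and
 * two add-path peers get a second attribute set.  Returns the path count;
 * a per-peer adj-rib-out would hold 42 copies of the prefix instead of 2. */
struct pt_entry demo_pt;
int demo_build(void)
{
	struct peer p;
	demo_pt = (struct pt_entry){ .prefix = "192.0.2.0/24", .next_path_id_tx = 1 };
	for (p.id = 0, p.addpath_tx = false; p.id < 40; p.id++)
		adjout_update(&demo_pt, &p, 0xa1);
	for (p.id = 40, p.addpath_tx = true; p.id < 42; p.id++)
		adjout_update(&demo_pt, &p, 0xb2);
	return demo_pt.npaths;
}
```

In the constructed scenario the 40 peers whose outbound filters produce the same attributes share a single adjout_prefix of 16 bytes, where a per-peer adj-rib-out would carry one copy per peer; that is the source of the memory reduction the message reports. The path_id_tx field is only allocated when an add-path peer first lands on a slot, so the common non-add-path case keeps id 0 and needs no deeper lookup.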
virtio: Fix condition for buffer chaining, negotiate VIRTIO_F_ANY_LAYOUT
In 0.9-only time, the VIO_HAVE_MRG_RXBUF macro checked just for the
VIRTIO_NET_F_MRG_RXBUF feature. The meaning was later changed to
(version_1 || VIRTIO_NET_F_MRG_RXBUF), but the new meaning is only
correct for one use of the macro. The buffer chaining must check for the
MRG_RXBUF feature exclusively.
On the other hand, the check if we have to split the header from the
rest of the buffer in the rx queue is a workaround for old kvm versions.
The standard has since then gained the ANY_LAYOUT feature flag to turn
off this workaround. According to the virtio 1.x standard, we should
accept VIRTIO_F_ANY_LAYOUT if it is offered for transitional devices.
ANY_LAYOUT is implicit if VERSION_1 has been negotiated.
Since accepting ANY_LAYOUT only relaxes the requirements for us, we can
simply accept it globally for all virtio device types. vioblk(4) and
vioscsi(4) unconditionally use the strict buffer layout required for
legacy devices without ANY_LAYOUT, anyway.
[4 lines not shown]
Inherit the DMA tag from the device itself and only override what
is necessary. Whether a device is DMA coherent or not depends on
the device, the SMMU does not influence DMA coherency attributes.
I assume we have been lucky so far that our machines that have an
SMMUv2 usually have devices with DMA coherency. On the RK3588
this is not the case, and us always adding the COHERENT flag makes
devices fail to work when used with smmu(4) enabled.
ok kettenis@
regression tests for certificates with empty principals sections
(which are now unconditionally refused) and for certificates with
wildcard principals (which should only be accepted in host certs)
When certificate support was added to OpenSSH, certificates were
originally specified to represent any principal if the principals
list was empty.
This was, in retrospect, a mistake as it created a fail-open
situation if a CA could be convinced to accidentally sign a
certificate with no principals. This actually happened in a 3rd-party
CA product (CVE-2024-7594).
Somewhat fortunately, the main pathway for using certificates in
sshd (TrustedUserCAKeys) never supported empty-principals
certificates, so the blast radius of such mistakes was
substantially reduced.
This change removes this footcannon and requires all certificates
include principals sections. It also fixes interpretation of
wildcard principals, and properly enables them for host
certificates only.
[4 lines not shown]
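The two rules the message contrasts, as an added example and not OpenSSH's own sshkey code: the original behaviour that treated an empty principals list as "any principal", and the hardened check that refuses such certificates and only applies pattern matching to host certificates. The struct cert layout, the function names cert_principal_ok_legacy and cert_principal_ok, the tiny glob matcher standing in for OpenSSH's pattern matching, and the constructed certificates are assumptions; case folding and the real pattern syntax are left out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Illustrative principal check, not OpenSSH's code.  The struct, the function
 * names and the small glob matcher are assumptions made for the example. */
enum cert_type { CERT_USER = 1, CERT_HOST = 2 };

struct cert {
	enum cert_type type;
	size_t nprincipals;
	const char *principals[4];
};

/* '*' matches any run of characters, '?' exactly one */
static bool glob_match(const char *pat, const char *s)
{
	if (*pat == '\0')
		return *s == '\0';
	if (*pat == '*')
		return glob_match(pat + 1, s) || (*s != '\0' && glob_match(pat, s + 1));
	if (*s == '\0' || (*pat != '?' && *pat != *s))
		return false;
	return glob_match(pat + 1, s + 1);
}

/* Original rule: an empty principals list meant "valid for any principal",
 * so a CA tricked into signing a cert with no principals mints a credential
 * usable as every user (the CVE-2024-7594 class of mistake). */
bool cert_principal_ok_legacy(const struct cert *c, const char *name)
{
	size_t i;
	if (c->nprincipals == 0)
		return true;		/* fail-open */
	for (i = 0; i < c->nprincipals; i++)
		if (strcmp(c->principals[i], name) == 0)
			return true;
	return false;
}

/* Hardened rule: the list must be non-empty; a host certificate matches the
 * hostname against each entry as a pattern, a user certificate requires an
 * exact match, so a "*" entry in a user cert only matches the literal "*". */
bool cert_principal_ok(const struct cert *c, const char *name)
{
	size_t i;
	if (c->nprincipals == 0)
		return false;		/* refused outright */
	for (i = 0; i < c->nprincipals; i++) {
		const char *p = c->principals[i];
		if (c->type == CERT_HOST ? glob_match(p, name) : strcmp(p, name) == 0)
			return true;
	}
	return false;
}

/* constructed certificates for the demo */
const struct cert user_empty = { CERT_USER, 0, { NULL } };
const struct cert user_alice = { CERT_USER, 1, { "alice" } };
const struct cert user_star  = { CERT_USER, 1, { "*" } };
const struct cert host_wild  = { CERT_HOST, 2, { "*.example.org", "bastion" } };
```

The interesting rows are user_empty, where the legacy rule accepts any name and the hardened rule accepts none, and user_star, where a wildcard smuggled into a user certificate no longer grants access to arbitrary accounts.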
Don't misuse the sftp limits extension's open-handles field.
This value is supposed to be the number of handles a server will allow
to be opened and not a number of outstanding read/write requests
that can be sent during an upload/download.
ok markus@
add a "ssh -O channels user@host" multiplexing command to get a
running mux process to show information about what channels are
currently open; ok dtucker@ markus@
X509_NAME_ENTRY_set_data: remove V_ASN1_APP_CHOOSE quirk
This is the last remaining actual use of ASN1_PRINTABLE_type(), which will
go away in the next major bump.
ok kenjiro
conf_api: remove CONF_DEBUG and disabling of assert()
The only thing CONF_DEBUG has done in ages is defining NDEBUG in a file
that does not contain a single assert. Kill it.
ok jsing kenjiro