Page MenuHomeFreeBSD

franco_opnsense.org (Franco Fichtner)
User

Projects

User does not belong to any projects.

User Details

User Since
Jun 15 2015, 5:39 PM (504 w, 2 d)

Recent Activity

Jan 8 2025

franco_opnsense.org added a comment to D47908: security/ca_root_nss: handle bundle links consistently for ETCSYMLINK.

@des did you find the time to make a technical assessment? thanks!

Jan 8 2025, 8:46 AM

Dec 23 2024

franco_opnsense.org added a comment to D48163: ip: Defer checks for an unspecified dstaddr until after pfil hooks.

The Common Criteria aspects are documented here https://docs.vmware.com/en/VMware-SD-WAN/6.0/VMware-SD-WAN-Administration-Guide/GUID-DF592A36-E680-44CE-ABFC-ACE19B55B448.html

Dec 23 2024, 7:14 AM

Dec 20 2024

franco_opnsense.org added inline comments to D47908: security/ca_root_nss: handle bundle links consistently for ETCSYMLINK.
Dec 20 2024, 7:08 PM

Dec 18 2024

franco_opnsense.org updated the summary of D47908: security/ca_root_nss: handle bundle links consistently for ETCSYMLINK.
Dec 18 2024, 12:50 PM
franco_opnsense.org updated the diff for D47908: security/ca_root_nss: handle bundle links consistently for ETCSYMLINK.

change summary

Dec 18 2024, 12:49 PM
franco_opnsense.org added a comment to D47777: pf: NAT rule logs its own NAT action, not PF_PASS.

@kp let me know how to proceed

Dec 18 2024, 12:45 PM

Dec 16 2024

franco_opnsense.org added a comment to D46301: netlink/route: make route deletion behavior match route(4) socket.

We've tested https://github.com/opnsense/src/commit/7f55b75b successfully with the user in OPNsense.

Dec 16 2024, 8:28 AM

Dec 13 2024

franco_opnsense.org requested review of D48068: security/suricata: update to 7.0.8.
Dec 13 2024, 7:00 AM

Dec 11 2024

franco_opnsense.org requested review of D48029: benchmarks/stress-ng: fix build against newer ipsec-mb.
Dec 11 2024, 1:52 PM

Dec 6 2024

franco_opnsense.org requested review of D47939: math/py-numpy: make FORTRAN configurable, on by default.
Dec 6 2024, 4:18 PM

Dec 5 2024

franco_opnsense.org added a comment to D47495: pf: fix potential state key leak.

Done, for reference: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=283137

Dec 5 2024, 7:58 AM

Dec 4 2024

franco_opnsense.org abandoned D47658: pf: prevent SCTP-based NULL dereference in pfi_kkif_match().

Potentially fixed by c22c98798 ;)

Dec 4 2024, 8:25 PM
franco_opnsense.org requested review of D47908: security/ca_root_nss: handle bundle links consistently for ETCSYMLINK.
Dec 4 2024, 12:39 PM
franco_opnsense.org added a comment to D47495: pf: fix potential state key leak.

This commit likely causes the following panic reported by multiple users:

Dec 4 2024, 10:14 AM

Dec 3 2024

franco_opnsense.org added a comment to D46301: netlink/route: make route deletion behavior match route(4) socket.

Offered a test kernel to the user in the meantime. @glebius is probably busy (last I spoke with him) and doesn't mind if you commit?

Dec 3 2024, 2:18 PM
franco_opnsense.org added a comment to D46301: netlink/route: make route deletion behavior match route(4) socket.

Like this?

Dec 3 2024, 12:33 PM

Dec 2 2024

franco_opnsense.org added a comment to D46301: netlink/route: make route deletion behavior match route(4) socket.

I'm going to come up with a different version of this patch (likely using a new flag rtmsg->rtm_flags to signal RTM_F_FORCE) in a day or two. The current version allows all netlink customers to fully bypass PINNED route protection, which defeats its purpose.

Dec 2 2024, 7:04 PM
franco_opnsense.org planned changes to D47658: pf: prevent SCTP-based NULL dereference in pfi_kkif_match().

For the record I have no stakes in SCTP and I'm not involved in the changes done here. This work with the user reporting it is a courtesy to the FreeBSD pf code and to triage panics which I only think is a good idea for production code.

Dec 2 2024, 1:35 PM
franco_opnsense.org added a comment to D47777: pf: NAT rule logs its own NAT action, not PF_PASS.

What's the status now? From my point of you I've explained the previous behaviour, the change that caused this to exhibit the wrong behaviour and how it was fixed. I'd like to get to a more productive cooperation based on technical urgency. I don't think tests prevented this from happening and I don't think the issue gets any better discussing commit messages.

Dec 2 2024, 1:29 PM

Nov 28 2024

franco_opnsense.org added a comment to D47658: pf: prevent SCTP-based NULL dereference in pfi_kkif_match().

Here it is:

Nov 28 2024, 1:39 PM

Nov 27 2024

franco_opnsense.org retitled D47777: pf: NAT rule logs its own NAT action, not PF_PASS from pf: NAT rule logs it own NAT action, not PF_PASS to pf: NAT rule logs its own NAT action, not PF_PASS.
Nov 27 2024, 10:54 AM
franco_opnsense.org added a comment to D47777: pf: NAT rule logs its own NAT action, not PF_PASS.

Feel free to make a different suggestion. I've long been under the impressions explaining one liners is not the scope of a commit message and the tests should make this rather clear as requested in previous discussions.

Nov 27 2024, 10:46 AM
franco_opnsense.org updated the summary of D47777: pf: NAT rule logs its own NAT action, not PF_PASS.
Nov 27 2024, 10:45 AM
franco_opnsense.org added a comment to D47777: pf: NAT rule logs its own NAT action, not PF_PASS.

I changed the summary.

Nov 27 2024, 10:28 AM
franco_opnsense.org retitled D47777: pf: NAT rule logs its own NAT action, not PF_PASS from pf: fix NAT pflog regression in 948e8413 to pf: NAT rule logs it own NAT action, not PF_PASS.
Nov 27 2024, 10:27 AM
franco_opnsense.org added a comment to D47777: pf: NAT rule logs its own NAT action, not PF_PASS.

D47658 is on hold as I struggle to understand why the code discussed there is not covered by existing tests and how to actually trigger it (it should easily panic after all but the code is never hit).

Nov 27 2024, 10:17 AM
franco_opnsense.org added a reviewer for D47777: pf: NAT rule logs its own NAT action, not PF_PASS: kp.
Nov 27 2024, 9:29 AM
franco_opnsense.org requested review of D47777: pf: NAT rule logs its own NAT action, not PF_PASS.
Nov 27 2024, 9:28 AM

Nov 18 2024

franco_opnsense.org added a comment to D47658: pf: prevent SCTP-based NULL dereference in pfi_kkif_match().
In D47658#1086724, @kp wrote:

The entire backtrace would have been nice.

Nov 18 2024, 6:33 PM
franco_opnsense.org added a comment to D47660: libexec: atf is needed by kyua, which is wired by MK_TESTS_SUPPORT.

Sounds good to me, thanks :)

Nov 18 2024, 6:13 PM
franco_opnsense.org added a comment to D47660: libexec: atf is needed by kyua, which is wired by MK_TESTS_SUPPORT.

Meh, sorry for the misinformation. All of this is very difficult to trace.

Nov 18 2024, 4:09 PM
franco_opnsense.org added a comment to D47660: libexec: atf is needed by kyua, which is wired by MK_TESTS_SUPPORT.

(kyua depends on e.g. libexec/atf-sh for script execution via shebang in /usr/src/tests/sys/netpfil/pf/*.sh)

Nov 18 2024, 4:00 PM
franco_opnsense.org added a comment to D47660: libexec: atf is needed by kyua, which is wired by MK_TESTS_SUPPORT.

I have WITHOUT_TESTS=yes and WITH_TESTS_SUPPORT=yes which adds kyua and libatf, but not atf tools in libexec. On a build without WITHOUT_TESTS=yes the atf tools are placed in the base system as a side effect.

Nov 18 2024, 3:54 PM
franco_opnsense.org added a reviewer for D47660: libexec: atf is needed by kyua, which is wired by MK_TESTS_SUPPORT: markj.
Nov 18 2024, 2:20 PM
franco_opnsense.org requested review of D47660: libexec: atf is needed by kyua, which is wired by MK_TESTS_SUPPORT.
Nov 18 2024, 2:20 PM
franco_opnsense.org added a comment to D47658: pf: prevent SCTP-based NULL dereference in pfi_kkif_match().

Sure. For context:

Nov 18 2024, 10:40 AM
franco_opnsense.org added a reviewer for D47658: pf: prevent SCTP-based NULL dereference in pfi_kkif_match(): kp.
Nov 18 2024, 10:07 AM
franco_opnsense.org requested review of D47658: pf: prevent SCTP-based NULL dereference in pfi_kkif_match().
Nov 18 2024, 10:06 AM
franco_opnsense.org abandoned D47543: pf: close nc file descriptors in killstates test.

I'm trying to understand the entry barrier here. If kyua fixes everything that's alright and thanks for the pointers. From release engineering scope there are a number of kyua integration challenges irrelevant to your argumentation (which I can understand), but you both seem to see the situation too easy from an established development workflow ("just do it right"). Using a custom src.conf already makes kyua defunct, but it is what it is. Going to raise appropriate patches elsewhere then. Thanks!

Nov 18 2024, 9:58 AM

Nov 15 2024

franco_opnsense.org added a comment to D47543: pf: close nc file descriptors in killstates test.

So regardless of why I already stated this is a technical issue that is by no means "pointless", what do you suggest to improve this particular test to make it more robust? Uncontrolled creation of processes that inherit file descriptors isn't exactly clean design but I can see why you do not want to apply this mere bandaid with that larger issue at hand. I'm happy to do the work since a lot of people were asking for test cases and here I am offering work on test cases to get started. :)

Nov 15 2024, 12:35 PM

Nov 14 2024

franco_opnsense.org added a comment to D47543: pf: close nc file descriptors in killstates test.

Thanks, just to be clear you imply the change is wrong even though the test still works?

Nov 14 2024, 4:32 PM
franco_opnsense.org added a comment to D47543: pf: close nc file descriptors in killstates test.

Consider running tests from the src tree using atf-sh (I'm using devel/atf but the base one also works with the full path I think):

Nov 14 2024, 7:30 AM

Nov 13 2024

franco_opnsense.org added reviewers for D47543: pf: close nc file descriptors in killstates test: kp, vegeta_tuxpowered.net.
Nov 13 2024, 7:32 PM
franco_opnsense.org requested review of D47543: pf: close nc file descriptors in killstates test.
Nov 13 2024, 7:30 PM
franco_opnsense.org added reviewers for D47535: pf: remove stale no_df tests from fragemtation_*.sh: kp, vegeta_tuxpowered.net.
Nov 13 2024, 8:50 AM
franco_opnsense.org requested review of D47535: pf: remove stale no_df tests from fragemtation_*.sh.
Nov 13 2024, 8:48 AM

Nov 8 2024

franco_opnsense.org updated the diff for D47433: libfetch: allow use of SSL_CRL_VERIFY.
  • libfetch: shuffle SSL_CRL_VERIFY options
Nov 8 2024, 1:24 PM
franco_opnsense.org added a comment to D47433: libfetch: allow use of SSL_CRL_VERIFY.

"all" to "chain" is also fine. We can do "none" but it will just add conditionals to the code and the libfetch style works with implicit defaults everywhere. Your choice :)

Nov 8 2024, 10:52 AM
franco_opnsense.org added a comment to D47433: libfetch: allow use of SSL_CRL_VERIFY.

So I avoided the "none" case for lack of functionality and added the "leaf" (could call it "one") case for flexibility. "opt" or "optional" .. I'm not attached either way. I also added the error number to the default message which has bugged me for a while now while testing this and the optional message that a CRL was not provided now goes to stderr which attempts to make sure it is seen by the user. In the pkg case fetch_info appeared to be suppressed somewhere. What do you think? :)

Nov 8 2024, 10:10 AM
franco_opnsense.org updated the diff for D47433: libfetch: allow use of SSL_CRL_VERIFY.
  • libfetch: rewrite SSL_CRL_VERIFY behaviour
  • libfetch: add the error number to verify callback failure case
  • libfetch: wording
  • libfetch: redo docs
Nov 8 2024, 10:06 AM
franco_opnsense.org abandoned D47449: libfetch: allow to optionally verify CRL with SSL_CRL_OPTIONAL.
Nov 8 2024, 9:38 AM

Nov 6 2024

franco_opnsense.org added a comment to D47433: libfetch: allow use of SSL_CRL_VERIFY.

I don't disagree, but introducing multiple vars for the same config isn't better either in my opinion. Consider you want to expose that to the CLI for fetch(1), do you want to introduce multiple switches?

Nov 6 2024, 12:10 PM
franco_opnsense.org updated the diff for D47433: libfetch: allow use of SSL_CRL_VERIFY.
  • lib/libfetch: feedback on previous
Nov 6 2024, 12:01 PM
franco_opnsense.org added a comment to D47433: libfetch: allow use of SSL_CRL_VERIFY.

Well, then maybe SSL_VERIFY_CRL should not be boolean, but rather an enum? E.g, optional, yes, much like https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslverifyclient because it the end it will require more and more flags. Default value would be none/NULL.

Nov 6 2024, 11:58 AM
franco_opnsense.org added a comment to D47433: libfetch: allow use of SSL_CRL_VERIFY.

Like fine, but then CR, not CRL because we don't verify the list, do we? :-D Since it is a *verbose* flag I don't mind being verbose literally.

Nov 6 2024, 11:54 AM
franco_opnsense.org added a comment to D47433: libfetch: allow use of SSL_CRL_VERIFY.

Oh about SSL_VERIFY or SSL_CRL I'm not sure. Keeping it closer to SSL_CRL_FILE may be more beneficial also with SSL_CRL_OPTIONAL in mind later. Don't want these vars too long if it can be avoided and cluster all CRL into SSL_CRL prefix?

Nov 6 2024, 11:46 AM
franco_opnsense.org added a comment to D47433: libfetch: allow use of SSL_CRL_VERIFY.

WDYT?

Nov 6 2024, 11:44 AM
franco_opnsense.org added a comment to D47433: libfetch: allow use of SSL_CRL_VERIFY.

I have now played around with the patch and one of our intermediate CAs:

$ openssl s_client -connect dw-eng-rsc.innomotics.net:443
CONNECTED(00000003)
depth=2 C = DE, ST = Bayern, L = Muenchen, O = Siemens, serialNumber = ZZZZZZA1, OU = Siemens Trust Center, CN = Siemens Root CA V3.0 2016
verify return:1
depth=1 C = DE, ST = Bayern, L = Muenchen, O = Siemens, serialNumber = ZZZZZZE7, CN = Siemens Issuing CA Intranet Server 2022
verify return:1
depth=0 C = DE, O = Siemens, OU = IN HVM DW, CN = dw-eng-rsc.innomotics.net
verify return:1

It works with a CRL file as well as hashed in /etc/ssl/certs, but certctl(8) is totally unusable here (read broken), had to do it manually. Obtaining the CRLs from all CAs in that chain, convert from DER to text is a pain and technically needs to happen periodically. As being completely off topic: I consider CRLs as a total pain, cannot tell whether OCSP is any better, but that is a different discussion. I have only concerns with the verbose output which I will add inline.

Nov 6 2024, 9:14 AM
franco_opnsense.org added a comment to D47433: libfetch: allow use of SSL_CRL_VERIFY.

While testing this, do you intend to add a flag to fetch(1) as well? E.g., --crl-verify?

Nov 6 2024, 9:05 AM

Nov 5 2024

franco_opnsense.org added inline comments to D47433: libfetch: allow use of SSL_CRL_VERIFY.
Nov 5 2024, 1:57 PM
franco_opnsense.org added a comment to D47433: libfetch: allow use of SSL_CRL_VERIFY.

I think I have found it, the documentation isn't really good in this case for both SSL_CTX_load_verify_locations() and SSL_CTX_set_default_verify_paths(). If a hashed dir is passed it boils down to https://github.com/openssl/openssl/blob/ccaa754b5f66cc50d8ecbac48b38268e2acd715e/crypto/x509/x509_d2.c#L73-L76 where the manpage says:

X509_LOOKUP_add_dir() passes a directory specification from which certificates and CRLs are loaded on demand into the associated X509_STORE. type indicates what type of object is expected. This can only be used with a lookup using the implementation X509_LOOKUP_hash_dir(3).

Do you copy?

Nov 5 2024, 1:31 PM
franco_opnsense.org added inline comments to D47433: libfetch: allow use of SSL_CRL_VERIFY.
Nov 5 2024, 1:25 PM
franco_opnsense.org added reviewers for D47449: libfetch: allow to optionally verify CRL with SSL_CRL_OPTIONAL: michaelo, grembo.
Nov 5 2024, 12:53 PM
franco_opnsense.org requested review of D47449: libfetch: allow to optionally verify CRL with SSL_CRL_OPTIONAL.
Nov 5 2024, 12:53 PM
franco_opnsense.org updated the diff for D47433: libfetch: allow use of SSL_CRL_VERIFY.

remove unused variable

Nov 5 2024, 11:04 AM
franco_opnsense.org added inline comments to D47337: e1000: Improve igb SFP support .
Nov 5 2024, 7:02 AM

Nov 4 2024

franco_opnsense.org added inline comments to D47433: libfetch: allow use of SSL_CRL_VERIFY.
Nov 4 2024, 1:18 PM
franco_opnsense.org added reviewers for D47433: libfetch: allow use of SSL_CRL_VERIFY: grembo, michaelo.
Nov 4 2024, 11:55 AM
franco_opnsense.org requested review of D47433: libfetch: allow use of SSL_CRL_VERIFY.
Nov 4 2024, 11:53 AM

Oct 11 2024

franco_opnsense.org accepted D46794: axgbe: Fix setting promisc mode.

Let's get this in for the sake of correctness although my testing was inconclusive and will circle back eventually.

Oct 11 2024, 6:59 AM

Oct 7 2024

franco_opnsense.org added a comment to D46973: fetch: correct env var name for --crl option to work.

In any case finally fixed, thanks! :)

Oct 7 2024, 9:54 AM
franco_opnsense.org added reviewers for D46973: fetch: correct env var name for --crl option to work: grembo, michaelo.
Oct 7 2024, 9:05 AM
franco_opnsense.org requested review of D46973: fetch: correct env var name for --crl option to work.
Oct 7 2024, 9:00 AM

Aug 29 2024

franco_opnsense.org added a comment to D40860: ixl: fix multicast filters handling.

as requested: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=281125

Aug 29 2024, 1:18 PM

Aug 8 2024

franco_opnsense.org added a comment to D40860: ixl: fix multicast filters handling.

@pkubaj @erj we upgraded from FreeBSD 13.2 to 14.1 and ran into this driver related issue issue: https://github.com/opnsense/src/issues/212

Aug 8 2024, 5:00 AM

Jul 31 2024

franco_opnsense.org updated the summary of D46190: mcast: fix leaked igmp packets on multicast cleanup.
Jul 31 2024, 8:56 AM
franco_opnsense.org retitled D46190: mcast: fix leaked igmp packets on multicast cleanup from Revert "mcast: fix memory leak in imf_purge()" to mcast: fix leaked igmp packets on multicast cleanup.
Jul 31 2024, 8:52 AM
franco_opnsense.org added a reverting change for rGfa03d37432ca: mcast: fix memory leak in imf_purge(): D46190: mcast: fix leaked igmp packets on multicast cleanup.
Jul 31 2024, 8:47 AM
franco_opnsense.org requested review of D46190: mcast: fix leaked igmp packets on multicast cleanup.
Jul 31 2024, 8:46 AM
franco_opnsense.org added a reverting change for D41629: mcast: fix memory leak in imf_purge(): D46190: mcast: fix leaked igmp packets on multicast cleanup.
Jul 31 2024, 8:46 AM

Jul 30 2024

franco_opnsense.org added reviewers for D46182: dummynet: fix pie: kp, cperciva, glebius.
Jul 30 2024, 6:24 AM
franco_opnsense.org requested review of D46182: dummynet: fix pie.
Jul 30 2024, 6:22 AM

May 29 2024

franco_opnsense.org updated the summary of D8877: pf|ipfw|netinet6?: shared IP forwarding.
May 29 2024, 7:01 PM
franco_opnsense.org retitled D8877: pf|ipfw|netinet6?: shared IP forwarding from netinet[6]: KPI for opaque fwd_tag handling for PFIL consumers to pf|ipfw|netinet6?: shared IP forwarding.
May 29 2024, 6:55 PM
franco_opnsense.org updated the diff for D8877: pf|ipfw|netinet6?: shared IP forwarding.

Update the downstream code and adapt for main

May 29 2024, 6:51 PM

May 28 2024

franco_opnsense.org added a comment to D36259: rc: also run NAME_setup on NAME_reload.

In principle this only changes the user side setup (rc.conf), not the ports side. There is no direct ports consumer of this feature and it tries to hook into all services in order to automate configuration changes when service commands are dispatched.

May 28 2024, 2:39 PM · rc
franco_opnsense.org closed D36259: rc: also run NAME_setup on NAME_reload.

Yes I just need to wrap up testing for the updated GH PR

May 28 2024, 2:10 PM · rc
franco_opnsense.org added a comment to D36259: rc: also run NAME_setup on NAME_reload.

This won't merge, I'm talking to @imp at https://github.com/freebsd/freebsd-src/pull/1258

May 28 2024, 2:07 PM · rc

May 25 2024

franco_opnsense.org abandoned D42717: dhclient: remove unused primary_address.
May 25 2024, 6:18 AM

May 24 2024

franco_opnsense.org abandoned D41572: pf: fix failure to log correct action through default rule.

Maybe fixed, who knows ;)

May 24 2024, 4:08 PM

Mar 26 2024

franco_opnsense.org added a comment to D36259: rc: also run NAME_setup on NAME_reload.

No takers? This has been in a half-working state in FreeBSD 14 for quite some time. :/

Mar 26 2024, 1:56 PM · rc

Dec 20 2023

franco_opnsense.org added a comment to D42485: libnetmap: change interface name character exclusion approach.

@vmaffione yes I am not a committer

Dec 20 2023, 9:50 AM

Dec 1 2023

franco_opnsense.org updated the summary of D42485: libnetmap: change interface name character exclusion approach.
Dec 1 2023, 7:36 AM
franco_opnsense.org updated the diff for D42485: libnetmap: change interface name character exclusion approach.
  • libnetmap: different approach as discussed on GitHub upstream
Dec 1 2023, 7:35 AM

Nov 22 2023

franco_opnsense.org updated the summary of D42717: dhclient: remove unused primary_address.
Nov 22 2023, 7:30 AM
franco_opnsense.org requested review of D42717: dhclient: remove unused primary_address.
Nov 22 2023, 7:29 AM

Nov 21 2023

franco_opnsense.org added a comment to D36259: rc: also run NAME_setup on NAME_reload.

Maybe to add to that: the main motivation was a user-side precmd type hook support since the precmd is hard or impossible to overwrite (being used in the rc scripts defined by the ports) and name_setup=path/to/file seemed to be the easiest solution.

Nov 21 2023, 10:17 AM · rc
franco_opnsense.org added a comment to D36259: rc: also run NAME_setup on NAME_reload.

Set up script variable:

Nov 21 2023, 10:14 AM · rc
franco_opnsense.org added a comment to D36259: rc: also run NAME_setup on NAME_reload.

@oshogbo I've updated this again fixing a remaining issue with restart_precmd -- if you can find the time to review I'd appreciate it.

Nov 21 2023, 9:58 AM · rc
franco_opnsense.org updated the summary of D36259: rc: also run NAME_setup on NAME_reload.
Nov 21 2023, 9:57 AM · rc