> > > Excuse me, but if you think your physical medium is either 100%
> > > inaccessible to an adversary, or simply not worth a real attack, and
> > > the speed is the concern, then why do you want to use any encryption
> > > at all?
> >
> > 100% is not available yet introduced GELI keys / moun
> > Options I have not so much.
> > 1. Drink vodka and use slow AES-XTS :) 2. Use ChaCha GELI private
> > patch 3. Write Geom node.
>
> 4. Look at GBDE.
Already looked. Do not like it.
> > Cipher = ChaCha/XChaCha
> > Hash = Blake2 - https://blake2.net/
> > Key1 = key for cipher
> > Key2 = key
> I'm very happy that you have spent the time to play with GELI code and
> I hope you will continue to work on it, but this particular change
> won't be accepted as part of GELI, please accept that even if you don't
> fully agree. Stream ciphers are not compatible with GELI design.
Hopefully ChaCh
> >> Excuse me, but if you think your physical medium is either 100%
> >> inaccessible to an adversary, or simply not worth a real attack, and
> >> the speed is the concern, then why do you want to use any encryption
> >> at all?
> >
> > 100% is not available yet introduced GELI keys / mounted driv
> Excuse me, but if you think your physical medium is either 100%
> inaccessible to an adversary, or simply not worth a real attack, and
> the speed is the concern, then why do you want to use any encryption at
> all?
100% is not available yet introduced GELI keys / mounted drive.
AES-XTS is good
> > > >> Depends on the capabilities of the attacker.
> > > >>
> > > >> To be able to continuously read encrypted sectors for data
> > > >> collection is too much.
> > > >>
> > > >
> > > When talking about disk encryption the first assumption is that
> > > the attacker always has this capability, eve
> > > > > Maybe faster but a stream cipher is unusable for disk encryption
> > > > > - iv is derived from sector number and doesn't change. Being
> > > > > able to write a known plaintext and read resulting ciphertext
> > > > > allows you to recover the cipher stream and decrypt any past or
> >
I've updated the patch.
Deleted XTC mode. ChaCha/XChaCha added to GELI.
http://netlab.linkpc.net/download/software/FreeBSD/patches/chacha.patch
> > > Also, where are the man page diffs? They might have explained the
> > > difference between the two, and explained why two versions of chacha
>
> >>> Maybe faster but a stream cipher is unusable for disk encryption -
> >>> iv is derived from sector number and doesn't change. Being able to
> >>> write a known plaintext and read resulting ciphertext allows you to
> >>> recover the cipher stream and decrypt any past or future data stored
>
> On (14/01/2015 05:21), rozhuk...@gmail.com wrote:
> > > Maybe faster but a stream cipher is unusable for disk encryption -
> > > iv is derived from sector number and doesn't change. Being able to
> > > write a known plaintext and read resulting ciphertext allows you to
> > > recover the cipher st
> >> Depends on the capabilities of the attacker.
> >>
> >> To be able to continuously read encrypted sectors for data
> >> collection is too much.
> >>
> >
> When talking about disk encryption the first assumption is that the
> attacker always has this capability, even with so much power the
> atta
> Maybe faster but a stream cipher is unusable for disk encryption - iv
> is derived from sector number and doesn't change. Being able to write a
> known plaintext and read resulting ciphertext allows you to recover the
> cipher stream and decrypt any past or future data stored on that
> sector.
D
> Maybe faster but a stream cipher is unusable for disk encryption - iv
> is derived from sector number and doesn't change. Being able to write a
> known plaintext and read resulting ciphertext allows you to recover the
> cipher stream and decrypt any past or future data stored on that
> sector.
>
> > ChaCha patch:
> >
> http://netlab.linkpc.net/download/software/FreeBSD/patches/chacha.patch
>
> What's the difference between CHACHA and XCHACHA?
Same as between SALSA and XSALSA.
XChaCha20 uses a 256-bit key as well as the first 128 bits of the nonce in
order to compute a subkey. This subke
FreeBSD firewall 11.0-CURRENT FreeBSD 11.0-CURRENT #3 r276867M: Fri Jan 9
09:34:39 MSK 2015 root@firewall:/usr/obj/usr/src/sys/RIMx64 amd64
ChaCha patch:
http://netlab.linkpc.net/download/software/FreeBSD/patches/chacha.patch
HW: Core Duo E8500, 8Gb DDR2-800.
dd if=/dev/zero of=/dev/md0 bs
Hi!
I have a working code for DSA - GOST and ECDSA.
Differences between GOST and ECDSA are minimal.
Could you add GOST support to LibreSSL?
I can help as much.
http://netlab.linkpc.net/download/software/SDK/core/include/ecdsa.h
pass out quick inet proto udp to 224.0.0.0/4 no state allow-opts
pass out quick inet proto igmp to 224.0.0.0/4 no state allow-opts
pass out quick inet6 proto udp to ff00::/8 no state allow-opts # Allow send multicast
pass out quick inet6 proto icmp6 no state allow-opts # mld (igmp6) also here
pas
I updated amdtemp and now I need your help with testing.
Now the driver should support all AMD processors.
For a family of 15h and 16h, not all sensors are available - for my system
does not find drivers for ati SMBus, and other systems based on the AMD I
have not.
/*-
* Copyright (c) 2008, 200
# install
gpart create -s GPT ada1
gpart show
gpart add -i 1 -t freebsd-boot -b 40 -s 512 ada1
gpart add -i 2 -t freebsd-ufs -b 552 -s . ada1
gpart bootcode -b /boot/pmbr ada1
gpart bootcode -p /boot/gptboot -i 1 ada1
# for data
gpart create -s GPT ada1
gpart show
gpart add -i 1 -t freebsd-uf
Use ng_patch
> -Original Message-
> From: owner-freebsd-...@freebsd.org [mailto:owner-freebsd-
> n...@freebsd.org] On Behalf Of David Somayajulu
> Sent: Wednesday, June 20, 2012 6:51 AM
> To: freebsd-net@freebsd.org
> Cc: davi...@freebsd.org
> Subject: Setting User Priority Bits in VLAN T
Hi, All!
I've fixed many warnings: "warning: 'XXX' may be used uninitialized in this
function"
PR: http://www.freebsd.org/cgi/query-pr.cgi?pr=168979
But there are still warnings: "- param large-function-growth limit reached
[-Winline]" and sometimes the compiler just crashes with errors:
{standard
> My EeePC netbook shows for the two SSD:
>
> $ uname -a
> FreeBSD tiny 10.0-CURRENT FreeBSD 10.0-CURRENT #1 r226986: Tue Nov 1
> 14:27:40 CET 2011 guru@caracas:/usr/obj/usr/src/sys/GENERIC i386
> $ gpart show
> => 63 7880481 ada0 MBR (3.8G)
>63 7880481 1 freebsd [acti
Partition must be aligned to:
# gpart show
=> 34 62533229 ada0 GPT (29G)
34 6- free - (3.0k) - for align
40 512 1 freebsd-boot (256k) - size 4k aligned
552 62532648 2 freebsd-ufs (29G) - size 4k aligned
6253320063
> > guess this is a good time to thank the FreeBSD hackers for that FPU
> > stack FILD/FISTP idea!
> > I'll append the copy related notes of our doc/memperf.txt.
> > Thanks,
>
> I made an implementation of fpu unwinding and mmx copy to see if they
> were really making a difference years ago (reimp
ioctl(FIONREAD)
> -Original Message-
> From: owner-freebsd-hack...@freebsd.org [mailto:owner-freebsd-
> hack...@freebsd.org] On Behalf Of Ivan Voras
> Sent: Sunday, April 08, 2012 6:17 AM
> To: freebsd-hackers
> Subject: Socket buffer usage
>
> Hi,
>
> I'm tracking down an obscure bug in
Remove space: name re0-hub:downstream re0-vlan
> -Original Message-
> From: owner-freebsd-...@freebsd.org [mailto:owner-freebsd-
> n...@freebsd.org] On Behalf Of jammin2night
> Sent: Tuesday, March 20, 2012 2:12 AM
> To: freebsd-net@freebsd.org
> Subject: RE: Cloning VLAN interfaces
>
>
#!/bin/sh
ngctl shutdown re0:lower
ngctl shutdown re0:upper
ngctl mkpeer re0: hub lower lower
ngctl name re0:lower re0-hub
ngctl connect re0: re0-hub: upper upper
ngctl mkpeer re0-hub: vlan downstream downstream
ngctl name re0-hub: downstream re0-vlan
ngctl mkpeer re0-vlan: eiface vlan10 ether
Use netgraph nodes.
> -Original Message-
> From: owner-freebsd-...@freebsd.org [mailto:owner-freebsd-
> n...@freebsd.org] On Behalf Of h bagade
> Sent: Sunday, March 04, 2012 3:31 PM
> To: freebsd-net
> Subject: problem with vlan interfaces tagging/untagging in a simulated
> switch box
>
Hi!
"ip_tos" (ipv4) and "Traffic Class" (ipv6) field in the header of ip packet
may contain a DSCP and ECN.
"iptos" and "ipprecedence" options in ipfw do not allow using these
fields in the header of packets.
May want to add two additional options for working with them in the ipv4 and
ipv6 pa
The following reply was made to PR kern/165296; it has been noted by GNATS.
From: rozhuk...@gmail.com
To: ,
Cc:
Subject: Re: kern/165296: Fix EVL_APPLY_VLID, update EVL_APPLY_PRI macro
Date: Mon, 20 Feb 2012 03:16:00 +0900
This is a multi-part message in MIME format.
--=_NextPa
I am writing a netgraph node for processing UDP packets passing through the
router / bridge.
Node must fully inspect the entire contents of the package, in some cases,
change them.
Node is connected to ng_ether (lower, upper).
I was faced with the fact that all packets are processed normally, exce
The function does not allow access to data if m_flags & M_EXT size and more
MHLEN, although the data is actually available.
Why if there is no m_flags & M_PKTHDR size anyway MHLEN instead MLEN?
As an improvement, you can try to copy the data from the current m in
m_next, if m is not enough space
Hello!
The function always returns an error and remove the chain MBUF for two or
more generated on the same host.
If the pre-call m_defrag no error occurs.
This is normal behavior?
How to know in advance the maximum size for MBUF that does not cause a
failure in m_pullup?
mbuf: 0xfe0074fc06
Hi!
I found a comment in the code:
/*
* This node has all kinds of stuff that could be screwed by SMP.
* Until it gets it's own internal protection, we go through in
* single file. This could hurt a machine bridging beteen two
* GB ethernets so it sho
Who can commit?
> -Original Message-
> From: owner-freebsd-...@freebsd.org [mailto:owner-freebsd-
> n...@freebsd.org] On Behalf Of ead...@freebsd.org
> Sent: Monday, October 24, 2011 7:35 AM
> To: ead...@freebsd.org; freebsd-b...@freebsd.org; freebsd-
> n...@freebsd.org
> Subject: Re: ke
Hi!
If you need custom encap tag, use this:
http://www.freebsd.org/cgi/query-pr.cgi?pr=161908
Scheme: ng_ether <-> ng_vlan(outer/metro tag) <-> ng_vlan(inner/customer
tag) <-> ng_eiface
> -Original Message-
> From: owner-freebsd-...@freebsd.org [mailto:owner-freebsd-
> n...@freebsd.or
Hi!
igmpproxy and mrouted did not work, so I wrote a netgraph replacement.
This is a good example of the opportunities of ng_bpf.
I propose to place in: /usr/share/examples/netgraph
http://www.netlab.linkpc.net/download/software/FreeBSD/mcastbridge/mcastbr2.sh
This is not my personal problem, this in: /etc/rc.subr
if [ -n "$_user" ]; then
_doit="su -m $_user -c 'sh -c \"$_doit\"'"
fi
--
Rozhuk Ivan
> -Original Message-
> From: owner-freebsd-hack...@freebsd.org [mailto:owner-freebsd-
> hack...@freebsd.org] On Behalf Of Joerg Sonnenbe
At system startup, the init script is run with limits calculated on the
basis of the core MAXFILES.
After you run sysctl limits of the system may be altered, for example
"kern.maxfilesperproc", but the script will continue to work with the old
values.
This is bad in two ways:
1. When using the
I had the same problem with one ISP some years ago, but the config file is lost )
Try this config for mpd5.
If it does not help - read the mpd5 manuals and play with the config file.
### Rozhuk Ivan 2009 - 2010
### MPD configuration file
###
startup:
###set user foo bar admin
###set user foo1 bar1
The following reply was made to PR kern/161908; it has been noted by GNATS.
From: rozhuk...@gmail.com
To: ,
Cc:
Subject: Re: kern/161908: [netgraph] [patch] ng_vlan update for QinQ support
Date: Tue, 25 Oct 2011 21:38:40 +0900
This is a multi-part message in MIME format.
--=_Ne
The following reply was made to PR kern/161908; it has been noted by GNATS.
From: rozhuk...@gmail.com
To: ,
Cc:
Subject: Re: kern/161908: ng_vlan update for QinQ support
Date: Sun, 23 Oct 2011 08:01:20 +0900
This is a multi-part message in MIME format.
--=_NextPart_000_02C1_01C
http://www.freebsd.org/cgi/query-pr.cgi?pr=161908
All done.
IEEE 802.1Q + IEEE 802.1p
IEEE 802.1ad (IEEE 802.1QinQ) - if two ng_vlan node
+ ethernet_type for VLAN encapsulation is tunable, default is: 0x8100
(33024)
+ PCP (Priority Code Point) and CFI (Canonical Format Indicator) for VLAN
encap
The following reply was made to PR usb/138798; it has been noted by GNATS.
From: rozhuk...@gmail.com
To: ,
Cc:
Subject: Re: usb/138798: [boot] [usb8] 8.0-BETA4 can't boot from USB flash
drive [regression]
Date: Sat, 22 Oct 2011 04:58:16 +0900
This can help: http://www.freebsd.org/cgi
> > In what cases vlan-tagged packet can be received by
> ng_ether_rcv_upper ?
>
> If another node attaches to an ng_ether node's upper hook and sends a
> vlan tagged packet to the hook.
This may be a wrong configuration or QinQ: packet may have M_VLAN tag is
set and still vlan-tagged (ether_type
> ether_demux currently assumes that all vlan-tagged packets that it
> sees have had the vlan stripped out and the M_VLAN tag is set, so it
> never checks the ether type for a vlan. However ng_ether_rcv_upper
> currently does not guarantee that this is the case(and there may be
> other code paths
...
IEEE 802.1ad (802.1QinQ) specifies architecture and bridge protocols to
provide separate instances of the MAC services to multiple independent users
of a Bridged Local Area Network in a manner that does not require
cooperation among the users, and requires a minimum of cooperation between
the
Arp - is a part of INET (ipv4).
But arp proto can be used with any other L3 proto to resolve L2 addr from L3
addr.
TCP/IP is L4 proto and it can work without IPv4 - on IPv6.
--
Rozhuk Ivan
> -Original Message-
> From: owner-freebsd-...@freebsd.org [mailto:owner-freebsd-
> n...@free
Diffs
--
Rozhuk Ivan
ng_vlan.h.orig.patch
Description: Binary data
ng_vlan.c.orig.patch
Description: Binary data
___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "
Hi!
Changes:
1. list + hash was replaced by array of hooks: it's simple and faster
2. added encap setting.
"getencap" and "setencap" messages for control it:
Default = 1 (do the VLAN encapsulation)
0: no encapsulation, just:
m->m_flags |= M_VLANTAG;
m->m_pkthdr.ether_vtag = (vlan & EVL_VLID_M
net.inet.ip.fastforwarding
- double check incoming packet, if: dst = this host / multicast / contain
options
- all packets processing by one cpu core
This option is good for one cpu core routers.
--
Rozhuk Ivan
> -Original Message-
> From: Mike Tancsa [mailto:m...@sentex.net]
> S
Try:
net.inet.ip.fastforwarding = 0
net.isr.bindthreads = 1
net.isr.direct = 0
net.isr.direct_force = 0
--
Rozhuk Ivan
> -Original Message-
> From: owner-freebsd-...@freebsd.org [mailto:owner-freebsd-
> n...@freebsd.org] On Behalf Of Mike Tancsa
> Sent: Friday, June 24, 2011 4:56
Hi!
Another way for vlans is: "ng_ether + ng_vlan + ng_iface".
See in sources: VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM
I don’t see any profits with hardware PPPoE, mpd5 is fast.
For hardware NAT you can try make "closed" netgraph based interface.
Node like "ng_ether + ng_nat" = ng_hwnat, compatible
Hi all!
I need Your help with testing and adding code to FreeBSD sources.
Not tested:
- redboot/FIS
- map search by key
Build options:
options GEOM_MAP#
options GEOM_MAP_NO_REDBOOT # turn off redboot/fis support
Static mappings in hints:
> > I need your opinions, suggestions and help with testing and including
> code
> > to main stream source tree.
>
> I think this likely is a good refactoring.
>
> > PS: I can test only "map" part on my Agestar LB2.
>
> But please make sure FIS still works.
I hope peoples with redboot hardware
Hi!
geom_redboot and geom_map
( http://my.ddteam.net/hg/BASE/file/783974ced979/head/sys/geom/geom_map.c -
based on redboot)
Do same things: allow access to memory blocks on cfi/spi flash like
partitions on disk.
Redboot - Flash Image System (FIS), stored on flash
Map - like li
Hi!
I have 8.2 + latest updates, em + gigabit net, few HDDs in mirror.
Samba for share HDDs to win hosts.
(E5300, G33 + ICH9R, 2GB, PCI-E intel desktop GB adapter)
ifconfig_em0="inet 172.16.0.254 netmask 255.255.255.0 mtu 9000"
Then I start copying files to mirror (through net or using cp from oth
> -Original Message-
> From: Sergey Matveychuk [mailto:s...@freebsd.org]
> Sent: Wednesday, February 09, 2011 12:53 AM
> To: rozhuk...@gmail.com
> Cc: freebsd-net@freebsd.org
> Subject: Re: divert rewrite
>
> 08.02.2011 19:08, rozhuk...@gmail.com wrote:
> > Did you try ng_ether + ng_ksocke
> -Original Message-
> From: owner-freebsd-...@freebsd.org [mailto:owner-freebsd-
> n...@freebsd.org] On Behalf Of Sergey Matveychuk
> Sent: Monday, February 07, 2011 11:37 PM
> To: Julian Elischer
> Cc: Ivo Vachkov; FreeBSD Net
> Subject: Re: divert rewrite
>
> 06.02.2011 4:42, Julian Eli
Hi, Alex!
You can make virtual NIC via netgraph.
1. ng_ether is automatically attached to every physical NIC on module load.
2. connect ng_bridge to upper and lower hooks on ng_ether
3. create and connect ng_eiface to ng_bridge and you will get new NIC ngethX
with its own MAC address and IP addrs too.
Hi!
What do I need to do to include this patch in the main source tree?
--
Rozhuk Ivan
Hi!
> I wonder which version of netinet/if_ether.c you are working from?
uname -a
FreeBSD firewall 9.0-CURRENT FreeBSD 9.0-CURRENT #2: Wed Dec 8 02:53:50
IRKT 2010 r...@firewall:/usr/obj/usr/src/sys/RIMx64 amd64
--
Rozhuk Ivan
> -Original Message-
> From: Chuck Swiger [mailto:
Hi!
1. ah->ar_hln - does it depend on ar_hrd?
Yes, and for ARPHRD_ETHER is 6 (ETHER_ADDR_LEN)
For ARPHRD_IEEE1394 - sizeof(struct fw_hwaddr)
ah->ar_hln ignored in ether_output: bcopy(ar_tha(ah), edst, ETHER_ADDR_LEN);
check in in_arpinput:
if (ifp->if_addrlen != ah->ar_hln) {
Hi!
More correct statistic update in ip_fastfwd
ip_input not affected
Please, add patch to source.
--
Rozhuk Ivan
ip_fastfwd.patch
Description: Binary data
This is a patched version of original function
code
/*
* If underlying interface can not do VLAN tag insertion itself
* then attach a packet tag that holds it.
*/
if ((m->m_flags & M_VLANTAG) &&
(ifp->if_capenable & IFCAP_VLAN_HWTAGGING) == 0)