Re: pf or npf?

2016-02-25 Thread Jan Danielsson
On 25/02/16 19:40, Jukka Marin wrote:
> I'm setting up a new gateway machine (NetBSD 7.0).  My old gateway is based
> on NetBSD 6.0 and pf.  Can I use pf on NetBSD 7.0 or should I move to npf?
> Why?

   My router panics (in pf) from time to time (NetBSD/amd64 6.1.x).
Also, I run miniupnpd (because I need UPnP), and while the rules will
successfully be created in pf, inbound UDP packets more often than not
will not pass through.  For me pf is a little flaky, so I'm always on
the side of moving away from it.  But to be fair, it seems more stable
for others..

   If it weren't for me needing UPnP, I would have moved to npf a long
time ago.

> I have found more examples and manuals for pf, and moving to npf seems like
> extra work.  With pf, I could also copy my config over with minor
> modifications (I guess).

   If you don't have any specific needs (like UPnP), then I would say
it's a good opportunity to do the migration.

   I did convert one of my pf configurations to npf (I was looking into
adding npf support to miniupnpd), and it was definitely not a huge task.

-- 
Kind Regards,
Jan


Re: nVidia vs NetBSD v7 resolving issue.

2016-02-25 Thread Roy Bixler
On Fri, Feb 26, 2016 at 12:12:55AM +0330, Mohammad BadieZadegan wrote:
> Thanks for your Helps,
> I downloaded
> http://nyftp.netbsd.org/pub/NetBSD-daily/HEAD/201602241810Z/images/NetBSD-7.99.26-amd64-install.img.gz
> and boot from it and my Notebook hanged on:
> http://pasteboard.co/1PfvN8Bl.jpg
> 
> I think that working on last release is better that this hanging!

It crashed.  The reason you see the last release working better is
that Nouveau is not the default framebuffer.  I guess it works except
for graphics.  Just out of curiosity, have you tried (booting) using the
vesa framebuffer?

Unfortunately, the situation with nVidia graphics cards is not good
because they have not chosen to write an open source driver or open
their specifications necessary to write a driver.  In Linux, there is
a proprietary binary blob you could try or, in *x operating systems
(including NetBSD), the nv X server with obfuscated source code.
nouveau is reverse engineered and supports older nVidia cards.  It
works for me in Linux, but not in NetBSD.  I wonder what happens if
you try nouveau on Linux with your system.  It could be that your
nVidia card is too new to be supported by nouveau or the X nv server.

-- 
Roy Bixler 
"The fundamental principle of science, the definition almost, is this: the
sole test of the validity of any idea is experiment."
-- Richard P. Feynman


Re: pf or npf?

2016-02-25 Thread Swift Griggs

On Thu, 25 Feb 2016, John Nemeth wrote:
> You didn't ask, but I'll add that the third option is ipfilter. It sits
> somewhere in the middle.  It hasn't seen a lot of maintenance or
> enhancement lately, but it is still much newer than pf.

Just FYI, the last version was 4.1.33 and was released 2013-04-24
according to SourceForge. Looks like Darren Reed still runs the project,
but as you say, there isn't any action lately.

> It is also quite stable and usable.


I still use it on Tru64 5.1B as it is the only realistic and free option 
available that I'm aware of. I've also used it on Solaris 8, IRIX 6.2 and 
6.5, Unixware 7, QNX, and HPUX.


I don't know much about all the bitchery and crying that went on between 
Darren and Theo. *shrug*. I will just say ipfilter works amazingly great 
considering some of the challenging and crappy situations I've put it in. 
Years ago I ran a firewall with IRIX 6.2 that was up for about 3 years 
with no issues at all (yeah, laugh it up at IRIX, but it was beat on 
constantly and nobody hacked it).


All that said, I'm excited about NPF, too. Finally our own code we can go 
fine-grain or lockless on. That should help us push the turbo-button on 
the filtering performance. Congrats to Mr. Rasiukevicius and friends on a 
great job so far!


-Swift


Re: Simple IPSEC client with certificate - phase 1 time out

2016-02-25 Thread Andy Ruhl
On Thu, Feb 25, 2016 at 3:10 PM, Frank Wille  wrote:
> Seems I forgot IPSEC_DEBUG, so I missed important information? I tried it
> again with a 7.0 kernel and IPSEC_DEBUG on my PowerBook and the cause
> turned out to be a bad "authentication_method" in my proposal:
>
> Feb 25 22:30:08 powerbook racoon: [1.2.3.4] ERROR: notification
> NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
>
> I had to replace "hybrid_rsa_client" by "rsasig" - although I'm not
> completely sure about the difference. I have a signed certificate and don't
> want to use any username or password authentication with xauth, so "rsasig"
> is probably ok...?
>
>
> Now I reach phase 2 and it looks to me that the VPN connection is
> established for a second, but a few seconds later I get "DPD: remote seems
> to be dead". No idea at the moment.
>
> Do I have to worry about "WARNING: unable to get certificate CRL(3)" ?
>
> What does "KA" mean?

Sorry, not a lot of help here, I just felt like replying.

I've been trying to get IPSEC transport mode set up between NetBSD and
a stupid router whose name I won't mention and it's not working. I
tried it with Linux and it's not working. I tried it with another
brand of router and it's not working. I tried the same brand of router
and it works. Probably because all the names of the toggles line up or
something ridiculous like that.

It might be worth trying some other OS or device just to sanity check
it and make sure it CAN work before you assume it's a NetBSD issue.

Would be really nice if there was an IPSEC secret decoder ring for
device compatibility/setup.

Andy


Re: Simple IPSEC client with certificate - phase 1 time out

2016-02-25 Thread Frank Wille
On 25.02.16 18:52:52 I wrote:

> and the VPN connection
> # racoonctl vc 1.2.3.4
>
> ...it fails very early:
>
> [...]
> Feb 25 17:24:08 arwen racoon: INFO: begin Identity Protection mode. 
> Feb 25 17:24:59 arwen racoon: ERROR: phase1 negotiation failed due to
> time up. 05349d3fe352e138:

Seems I forgot IPSEC_DEBUG, so I missed important information? I tried it
again with a 7.0 kernel and IPSEC_DEBUG on my PowerBook and the cause
turned out to be a bad "authentication_method" in my proposal:

Feb 25 22:30:08 powerbook racoon: [1.2.3.4] ERROR: notification
NO-PROPOSAL-CHOSEN received in unencrypted informational exchange. 

I had to replace "hybrid_rsa_client" by "rsasig" - although I'm not
completely sure about the difference. I have a signed certificate and don't
want to use any username or password authentication with xauth, so "rsasig"
is probably ok...?


Now I reach phase 2 and it looks to me that the VPN connection is
established for a second, but a few seconds later I get "DPD: remote seems
to be dead". No idea at the moment.

Do I have to worry about "WARNING: unable to get certificate CRL(3)" ?

What does "KA" mean?

---8<---
Feb 25 22:31:25 powerbook racoon: INFO: @(#)ipsec-tools cvs
(http://ipsec-tools.sourceforge.net) 
Feb 25 22:31:25 powerbook racoon: INFO: @(#)This product linked OpenSSL
1.0.1p 9 Jul 2015 (http://www.openssl.org/) 
Feb 25 22:31:25 powerbook racoon: INFO: Reading configuration from
"/etc/racoon/racoon.conf" 
Feb 25 22:31:25 powerbook racoon: INFO: 192.168.1.5[500] used for NAT-T 
Feb 25 22:31:25 powerbook racoon: INFO: 192.168.1.5[500] used as isakmp port
(fd=7) 
Feb 25 22:31:25 powerbook racoon: INFO: 192.168.1.5[4500] used for NAT-T 
Feb 25 22:31:25 powerbook racoon: INFO: 192.168.1.5[4500] used as isakmp
port (fd=8) 
Feb 25 22:31:25 powerbook racoon: INFO: 127.0.0.1[500] used for NAT-T 
Feb 25 22:31:25 powerbook racoon: INFO: 127.0.0.1[500] used as isakmp port
(fd=9) 
Feb 25 22:31:25 powerbook racoon: INFO: 127.0.0.1[4500] used for NAT-T 
Feb 25 22:31:25 powerbook racoon: INFO: 127.0.0.1[4500] used as isakmp port
(fd=10) 
Feb 25 22:31:35 powerbook racoon: INFO: accept a request to establish
IKE-SA: 1.2.3.4 
Feb 25 22:31:35 powerbook racoon: INFO: initiate new phase 1 negotiation:
192.168.1.5[500]<=>1.2.3.4[500] 
Feb 25 22:31:35 powerbook racoon: INFO: begin Identity Protection mode. 
Feb 25 22:31:35 powerbook racoon: INFO: received Vendor ID:
draft-ietf-ipsec-nat-t-ike-02  
Feb 25 22:31:35 powerbook racoon: INFO: received Vendor ID:
draft-ietf-ipsec-nat-t-ike-03 
Feb 25 22:31:35 powerbook racoon: INFO: received Vendor ID: RFC 3947 
Feb 25 22:31:35 powerbook racoon: INFO: received Vendor ID:
draft-ietf-ipsra-isakmp-xauth-06.txt 
Feb 25 22:31:35 powerbook racoon: INFO: received Vendor ID: DPD 
Feb 25 22:31:35 powerbook racoon: [1.2.3.4] INFO: Selected NAT-T version:
RFC 3947 
Feb 25 22:31:35 powerbook racoon: [1.2.3.4] INFO: Hashing 1.2.3.4[500] with
algo #1  
Feb 25 22:31:35 powerbook racoon: [192.168.1.5] INFO: Hashing
192.168.1.5[500] with algo #1  
Feb 25 22:31:35 powerbook racoon: INFO: Adding remote and local NAT-D
payloads. 
Feb 25 22:31:35 powerbook racoon: [192.168.1.5] INFO: Hashing
192.168.1.5[500] with algo #1  
Feb 25 22:31:35 powerbook racoon: INFO: NAT-D payload #0 doesn't match 
Feb 25 22:31:35 powerbook racoon: [1.2.3.4] INFO: Hashing 1.2.3.4[500] with
algo #1  
Feb 25 22:31:35 powerbook racoon: INFO: NAT-D payload #1 verified 
Feb 25 22:31:35 powerbook racoon: INFO: NAT detected: ME  
Feb 25 22:31:35 powerbook racoon: INFO: KA list add:
192.168.1.5[4500]->1.2.3.4[4500] 
Feb 25 22:31:36 powerbook racoon: WARNING: unable to get certificate CRL(3)
at depth:0
SubjectName:/postalCode=32052/OU=IT/ST=NRW/L=HERFORD/C=DE/O=WPS/CN=ZENTRALE

Feb 25 22:31:36 powerbook racoon: WARNING: unable to get certificate CRL(3)
at depth:1 SubjectName:/C=DE/O=LANCOM SYSTEMS/CN=LANCOM CA 
Feb 25 22:31:36 powerbook racoon: [1.2.3.4] INFO: received INITIAL-CONTACT 
Feb 25 22:31:36 powerbook racoon: INFO: ISAKMP-SA established
192.168.1.5[4500]-1.2.3.4[4500] spi:554e0ed2b394bee9:df77769896bfb2bd 
Feb 25 22:32:42 powerbook racoon: [1.2.3.4] INFO: DPD: remote (ISAKMP-SA
spi=554e0ed2b394bee9:df77769896bfb2bd) seems to be dead. 
Feb 25 22:32:42 powerbook racoon: INFO: purging ISAKMP-SA
spi=554e0ed2b394bee9:df77769896bfb2bd. 
Feb 25 22:32:42 powerbook racoon: INFO: purged ISAKMP-SA
spi=554e0ed2b394bee9:df77769896bfb2bd. 
Feb 25 22:32:42 powerbook racoon: INFO: ISAKMP-SA deleted
192.168.1.5[4500]-1.2.3.4[4500] spi:554e0ed2b394bee9:df77769896bfb2bd 
Feb 25 22:32:42 powerbook racoon: INFO: KA remove:
192.168.1.5[4500]->1.2.3.4[4500] 
---8<---

-- 
Frank Wille
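
A triage pass over racoon syslog output like the logs in this message, added here as an example and not written by anyone in the thread: it maps the messages seen above (NO-PROPOSAL-CHOSEN, phase 1 timeout, CRL(3) warning, DPD) to findings and measures how long the ISAKMP-SA lived. The function names, finding keys and the assumed year are this example's; the sample lines are the thread's log lines with the mail wrapping undone.

```python
import re
from datetime import datetime

ASSUMED_YEAR = 2016  # syslog timestamps carry no year; taken from the thread's dates

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ racoon: "
    r"(?:\[[^\]]+\] )?(?P<level>INFO|WARNING|ERROR): (?P<msg>.*)$"
)
SPI_RE = re.compile(r"spi[:=]([0-9a-f]{16}:[0-9a-f]{16})")
CRL_RE = re.compile(r"unable to get certificate CRL\(3\) at depth:(\d+) SubjectName:(.+)")

# Message fragment -> (finding key, meaning). The fragments are racoon messages
# that appear in the thread; the keys and the wording are this example's.
RULES = {
    "phase1 negotiation failed due to time up": (
        "phase1-timeout", "phase 1 did not complete before racoon's timer expired"),
    "notification NO-PROPOSAL-CHOSEN received": (
        "no-proposal-chosen", "peer rejected the phase 1 proposal (encryption, hash, "
        "DH group or authentication_method does not match its policy)"),
    "NAT detected: ME": (
        "behind-nat", "local side is behind NAT, so IKE continues on UDP 4500 (NAT-T)"),
    "unable to get certificate CRL(3)": (
        "crl-unchecked", "no CRL was available, so revocation was not checked"),
    "seems to be dead": (
        "dpd-dead", "peer stopped answering dead peer detection; the SA is purged"),
}


def parse(lines):
    """Yield (timestamp, level, message) for every racoon syslog line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a racoon line, or a fragment of a wrapped line
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["level"], m["msg"].strip()


def triage(lines):
    """Summarise one racoon log: findings, SA lifetimes, certs accepted without CRL."""
    findings, established, lifetimes, no_crl = [], {}, {}, []
    for ts, _level, msg in parse(lines):
        for fragment, (key, _meaning) in RULES.items():
            if fragment in msg and key not in findings:
                findings.append(key)
        spi = SPI_RE.search(msg)
        if spi and msg.startswith("ISAKMP-SA established"):
            established[spi.group(1)] = ts
        elif spi and msg.startswith("DPD: remote") and spi.group(1) in established:
            up = established[spi.group(1)]
            lifetimes[spi.group(1)] = int((ts - up).total_seconds())
        crl = CRL_RE.search(msg)
        if crl:
            no_crl.append((int(crl.group(1)), crl.group(2)))
    return {"findings": findings, "sa_lifetime_s": lifetimes, "no_crl": no_crl}


def report(result):
    """Turn a triage result into readable lines."""
    meaning = dict(RULES.values())
    out = [f"{key}: {meaning[key]}" for key in result["findings"]]
    out += [f"SA {spi} lived {secs}s before DPD declared the peer dead"
            for spi, secs in result["sa_lifetime_s"].items()]
    out += [f"no CRL for depth {depth} certificate {subject}"
            for depth, subject in result["no_crl"]]
    return out


# Log lines from the thread, unwrapped (selection made for this example).
SAMPLE = """\
Feb 25 22:30:08 powerbook racoon: [1.2.3.4] ERROR: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
Feb 25 22:31:35 powerbook racoon: INFO: begin Identity Protection mode.
Feb 25 22:31:35 powerbook racoon: INFO: NAT detected: ME
Feb 25 22:31:35 powerbook racoon: INFO: KA list add: 192.168.1.5[4500]->1.2.3.4[4500]
Feb 25 22:31:36 powerbook racoon: WARNING: unable to get certificate CRL(3) at depth:1 SubjectName:/C=DE/O=LANCOM SYSTEMS/CN=LANCOM CA
Feb 25 22:31:36 powerbook racoon: INFO: ISAKMP-SA established 192.168.1.5[4500]-1.2.3.4[4500] spi:554e0ed2b394bee9:df77769896bfb2bd
Feb 25 22:32:42 powerbook racoon: [1.2.3.4] INFO: DPD: remote (ISAKMP-SA spi=554e0ed2b394bee9:df77769896bfb2bd) seems to be dead.
Feb 25 22:32:42 powerbook racoon: INFO: purged ISAKMP-SA spi=554e0ed2b394bee9:df77769896bfb2bd.
""".splitlines()

if __name__ == "__main__":
    for line in report(triage(SAMPLE)):
        print(line)
```

Real syslog files keep the messages on one line; logs pasted from mail need their wrapped lines rejoined before this parser sees them.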



Re: pf or npf?

2016-02-25 Thread Marc Balmer
you should move to npf. it is the firewall supported by NetBSD and it works.

> Am 25.02.2016 um 19:40 schrieb Jukka Marin :
> 
> Dear List,
> 
> I'm setting up a new gateway machine (NetBSD 7.0).  My old gateway is based
> on NetBSD 6.0 and pf.  Can I use pf on NetBSD 7.0 or should I move to npf?
> Why?
> 
> I have found more examples and manuals for pf, and moving to npf seems like
> extra work.  With pf, I could also copy my config over with minor
> modifications (I guess).
> 
> Thanks for wisdom and opinions.
> 
>  -jm


Re: pf or npf?

2016-02-25 Thread John Nemeth
On Feb 25,  8:40pm, Jukka Marin wrote:
} 
} I'm setting up a new gateway machine (NetBSD 7.0).  My old gateway is based
} on NetBSD 6.0 and pf.  Can I use pf on NetBSD 7.0 or should I move to npf?
} Why?

 You could certainly use pf with NetBSD 7.0.  However, I would
have to point out that the version of pf that came with NetBSD 6.0
was ancient and unmaintained.  The situation hasn't changed with
NetBSD 7.0, i.e it ships with pretty much the same code for pf that
NetBSD 6.0 did.

} I have found more examples and manuals for pf, and moving to npf seems like
} extra work.  With pf, I could also copy my config over with minor
} modifications (I guess).

 npf is relatively new and only in NetBSD (as far as I know)
so naturally there will be less information about it.  However,
keep in mind that information that you find on the 'net about pf
might be assuming a more modern version.  npf has appeared in two
major NetBSD releases now, and while still undergoing development,
should be relatively stable.  It is also designed to be much more
performant.

 You didn't ask, but I'll add that the third option is ipfilter.
It sits somewhere in the middle.  It hasn't seen a lot of maintenance
or enhancement lately, but it is still much newer than pf.  It is
also quite stable and usable.

}-- End of excerpt from Jukka Marin


pf or npf?

2016-02-25 Thread Jukka Marin
Dear List,

I'm setting up a new gateway machine (NetBSD 7.0).  My old gateway is based
on NetBSD 6.0 and pf.  Can I use pf on NetBSD 7.0 or should I move to npf?
Why?

I have found more examples and manuals for pf, and moving to npf seems like
extra work.  With pf, I could also copy my config over with minor
modifications (I guess).

Thanks for wisdom and opinions.

  -jm


Re: nVidia vs NetBSD v7 resolving issue.

2016-02-25 Thread Mohammad BadieZadegan
Yes, I tried with default xorg.conf and startx but it error again.
BTW, I try with nouveau but still this error show me again.
Maybe, I must download and install the current version of NetBSD to resolve
this problem.
Thanks so much.

On Thu, Feb 25, 2016 at 3:51 PM,  wrote:

> On Thu, Feb 25, 2016 at 12:37:00PM +0330, Mohammad BadieZadegan wrote:
> > Hi all,
> > I have Dell E6410 Latitude notebook (With nVidia Graphic card) and I
> > installed NetBSD v7.0 as a main OS on it.
> > While I run [X -configure] it make a [xorg.conf.new] and then I run [X
> > -config /root/xorg.conf.new] but it errored me: [(EE) No device
> Detected].
> >
> > Finally I changed "nv" in [xorg.conf.new] to "vesa" but still error me
> > [(EE) No device Detected]!
> >
> > How can I resolve this nVidia issue?
> > Thanks in advance.
>
> Have you tried just startx without an X config?
>
> In general, nVidia support should be better in -current, as nouveau was
> not included in 7.0 (but is in -current).
>
> I've written about my experiences with an nVidia card here:
> http://mail-index.netbsd.org/current-users/2016/01/20/msg028722.html
> Maybe you will find it useful.
>





Simple IPSEC client with certificate - phase 1 time out

2016-02-25 Thread Frank Wille
Hi,

I want to set up an IPSEC client to connect to my office's Lancom router. I
was provided with the following details:

- Main mode IKEv1
- DH group 2 (1024 bit)
- PFS group 2 (1024 bit)
- phase 1: IKE AES128, MD5
- phase 2: IPSec AES128, MD5
- phase 2 tunnel mode ESP
- remote network 192.168.0.0/24, configuring with ISAKMP mode config
- supports NAT-T UDP port 4500
- using x509 certificate/key

I got a PKCS12 archive, where I extracted my client certificate/key and the
CA-certificate.

# openssl pkcs12 -cacerts -nokeys -in vpnclient15.p12 -out ca.crt
# openssl pkcs12 -clcerts -nokeys -in vpnclient15.p12 -out arwen.wpsd.lcl.crt
# openssl pkcs12 -nocerts -in vpnclient15.p12 -out arwen.rsa
# openssl rsa -in arwen.rsa -out arwen.wpsd.lcl.key


After a lot of reading I came up with the following racoon.conf for the task
(remote address of the Lancom replaced by 1.2.3.4 here):

---8<---
path include "/etc/racoon";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
log debug2;

#timer
#{
#   natt_keepalive 15 seconds;
#}

remote 1.2.3.4
{
    #exchange_mode main,aggressive,base;
    exchange_mode main,base;

    #my_identifier fqdn "arwen.wpsd.lcl";
    my_identifier asn1dn;
    #peers_identifier asn1dn;
    #verify_identifier on;

    certificate_type x509 "arwen.wpsd.lcl.crt" "arwen.wpsd.lcl.key";
    ca_type x509 "ca.crt";

    #initial_contact off;
    mode_cfg on;            # ISAKMP mode config
    dpd_delay 20;           # peer detection (alive check)
    nat_traversal on;       # force

    #ike_frag on;
    #esp_frag 552;
    #script "phase1-up.sh" phase1_up;
    #script "phase1-down.sh" phase1_down;
    script "test.sh" phase1_up;
    script "test.sh" phase1_down;
    lifetime time 8 hour;

    # phase 1 proposal (for ISAKMP SA)
    proposal {
        encryption_algorithm aes 128;
        hash_algorithm md5;
        authentication_method hybrid_rsa_client;
        #authentication_method rsasig;
        dh_group 2;
    }

    # the configuration could makes racoon (as a responder)
    # to obey the initiator's lifetime and PFS group proposal,
    # by setting proposal_check to obey.
    # this would makes testing "so much easier", but is really
    # *not* secure !!!
    #proposal_check strict;
    proposal_check obey;
}

# phase 2 proposal (for IPsec SA).
# actual phase 2 proposal will obey the following items:
# - kernel IPsec policy configuration (like "esp/transport//use)
# - permutation of the crypto/hash/compression algorithms presented below
sainfo anonymous
{
    pfs_group 2;
    lifetime time 8 hour;
    encryption_algorithm aes 128;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
---8<---

Are there any serious problems left in it?


I'm testing on a Soekris router, running NetBSD 6.1.5, having IPSEC,
IPSEC_ESP and IPSEC_NAT_T enabled in the kernel. It has a WAN interface, so
NAT-T is not really needed for now.

Unfortunately after starting Racoon
# /etc/rc.d/racoon onestart

and the VPN connection
# racoonctl vc 1.2.3.4

...it fails very early:

Feb 25 17:23:38 arwen racoon: INFO: @(#)ipsec-tools cvs
(http://ipsec-tools.sourceforge.net) 
Feb 25 17:23:38 arwen racoon: INFO: @(#)This product linked OpenSSL 1.0.1i 6
Aug 2014 (http://www.openssl.org/) 
Feb 25 17:23:38 arwen racoon: INFO: Reading configuration from
"/etc/racoon/racoon.conf" 
Feb 25 17:23:38 arwen racoon: INFO: 192.168.0.254[500] used for NAT-T 
Feb 25 17:23:38 arwen racoon: INFO: 192.168.0.254[500] used as isakmp port
(fd=8) 
Feb 25 17:23:38 arwen racoon: INFO: 192.168.0.254[4500] used for NAT-T 
Feb 25 17:23:38 arwen racoon: INFO: 192.168.0.254[4500] used as isakmp port
(fd=9) 
Feb 25 17:23:38 arwen racoon: INFO: 127.0.0.1[500] used for NAT-T 
Feb 25 17:23:38 arwen racoon: INFO: 127.0.0.1[500] used as isakmp port
(fd=10)
Feb 25 17:23:38 arwen racoon: INFO: 127.0.0.1[4500] used for NAT-T 
Feb 25 17:23:38 arwen racoon: INFO: 127.0.0.1[4500] used as isakmp port
(fd=11) 
Feb 25 17:23:38 arwen racoon: INFO: 91.56.242.176[500] used for NAT-T 
Feb 25 17:23:38 arwen racoon: INFO: 91.56.242.176[500] used as isakmp port
(fd=12) 
Feb 25 17:23:38 arwen racoon: INFO: 91.56.242.176[4500] used for NAT-T 
Feb 25 17:23:38 arwen racoon: INFO: 91.56.242.176[4500] used as isakmp port
(fd=13) 
Feb 25 17:24:08 arwen racoon: INFO: accept a request to establish IKE-SA:
1.2.3.4 
Feb 25 17:24:08 arwen racoon: INFO: initiate new phase 1 negotiation:
91.56.242.176[4500]<=>1.2.3.4[500] 
Feb 25 17:24:08 arwen racoon: INFO: begin Identity Protection mode. 
Feb 25 17:24:59 arwen racoon: ERROR: phase1 negotiation failed due to time
up. 05349d3fe352e138:



---8<---
arwen# tcpdump -i pppoe0 host 212.62.95.76
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pppoe0, link-type PPP_ETHER (PPPoE), capture size 65535 bytes
17:24:08.847578 PPPoE  [ses 0x9b9] IP 91.56.242.176.ipsec-nat-t >
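
One way to review a racoon.conf like the one in this post before connecting, added here as an example and not part of the original message: a small parser that tracks block context and flags the settings the thread itself calls out (proposal_check obey, authentication_method hybrid_rsa_client) together with the MD5 and 1024-bit group choices. The FLAGGED table and the function names are this example's; the sample is the post's config with most commented-out lines trimmed.

```python
# Directive -> {value: reason}. The reasons quote the thread or state
# general facts about the algorithm; the table itself is this example's.
FLAGGED = {
    "proposal_check": {
        "obey": "responder obeys the initiator's lifetime and PFS group; "
                "the config's own comment calls this not secure"},
    "authentication_method": {
        "hybrid_rsa_client": "hybrid auth expects the client to authenticate with "
                             "XAuth; the thread's peer answered NO-PROPOSAL-CHOSEN "
                             "until this was changed to rsasig"},
    "hash_algorithm": {
        "md5": "MD5-based integrity is deprecated in current IPsec guidance"},
    "authentication_algorithm": {
        "hmac_md5": "MD5-based integrity is deprecated in current IPsec guidance"},
    "dh_group": {"2": "1024-bit MODP group, below current strength recommendations"},
    "pfs_group": {"2": "1024-bit MODP group, below current strength recommendations"},
}


def statements(conf):
    """Yield (context, directive, args) for each ';'-terminated statement.

    Comments run from '#' to end of line. A '{' pushes the words before it
    (for example 'remote 1.2.3.4') as context and a '}' pops it again.
    """
    text = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())
    stack, buf = [], ""
    for ch in text:
        if ch == "{":
            stack.append(" ".join(buf.split()))
            buf = ""
        elif ch == "}":
            if stack:
                stack.pop()
            buf = ""
        elif ch == ";":
            words, buf = buf.split(), ""
            if words:
                yield "/".join(stack), words[0], words[1:]
        else:
            buf += ch


def audit(conf):
    """Return (context, setting, reason) for every flagged statement, in file order."""
    findings = []
    for context, directive, args in statements(conf):
        value = args[0] if args else ""
        reason = FLAGGED.get(directive, {}).get(value)
        if reason:
            findings.append((context, f"{directive} {value}", reason))
    return findings


# Condensed from the racoon.conf in the post (trimmed for this example).
SAMPLE_CONF = """
remote 1.2.3.4
{
    exchange_mode main,base;
    my_identifier asn1dn;
    proposal {
        encryption_algorithm aes 128;
        hash_algorithm md5;
        authentication_method hybrid_rsa_client;
        #authentication_method rsasig;
        dh_group 2;
    }
    #proposal_check strict;
    proposal_check obey;
}
sainfo anonymous
{
    pfs_group 2;
    encryption_algorithm aes 128;
    authentication_algorithm hmac_md5;
}
"""

if __name__ == "__main__":
    for context, setting, reason in audit(SAMPLE_CONF):
        print(f"[{context}] {setting}: {reason}")
```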

Re: nVidia vs NetBSD v7 resolving issue.

2016-02-25 Thread Roy Bixler
On Thu, Feb 25, 2016 at 12:37:00PM +0330, Mohammad BadieZadegan wrote:
> I have Dell E6410 Latitude notebook (With nVidia Graphic card) and I
> installed NetBSD v7.0 as a main OS on it.
> While I run [X -configure] it make a [xorg.conf.new] and then I run [X
> -config /root/xorg.conf.new] but it errored me: [(EE) No device Detected].
> 
> Finally I changed "nv" in [xorg.conf.new] to "vesa" but still error me
> [(EE) No device Detected]!
> 
> How can I resolve this nVidia issue?

I have about a 10 year old Dell laptop with an nVidia card.  In my
case, it wasn't necessary to run "X -configure".  It worked, up to a
point (i.e. stability is an issue.)

You might want to try netbsd-current, where the Nouveau driver has
been made the default framebuffer for nVidia graphics cards.  I
haven't quite gotten that to work, since the PCI BARs don't seem to be
where the code expects them.

If you hesitate to make the leap to -current, you could try booting
with a Linux LiveCD like Knoppix and see if the Nouveau framebuffer
works there.  It did for me, which led me to try the experiment with
-current.

-- 
Roy Bixler 
"The fundamental principle of science, the definition almost, is this: the
sole test of the validity of any idea is experiment."
-- Richard P. Feynman


Re: Last version of of citrix Client core dumps (Was Re: How to run Microsoft Internet Explorer on NetBSD?)

2016-02-25 Thread Patrick Welche
On Thu, Feb 25, 2016 at 02:44:32PM +0100, Stephan wrote:
> Why don't you just use the Receiver for HTML5? With regard to your
> crash, do you have a backtrace handy?

Have a look at Jose's from earlier in this thread:

http://mail-index.netbsd.org/netbsd-users/2016/02/03/msg017788.html

P


Re: Last version of of citrix Client core dumps (Was Re: How to run Microsoft Internet Explorer on NetBSD?)

2016-02-25 Thread Stephan
Why don't you just use the Receiver for HTML5? With regard to your
crash, do you have a backtrace handy?

2016-02-25 14:03 GMT+01:00 Patrick Welche :
> On Wed, Feb 03, 2016 at 07:31:35PM +0100, Jose Luis Rodriguez Garcia wrote:
>> On Tue, Feb 2, 2016 at 4:17 AM, Eric Haszlakiewicz  wrote:
>> > On 2/1/2016 3:51 PM, Jose Luis Rodriguez Garcia wrote:
>>
>>
>> > Have you tried downloading a newer version of the client from Citrix's 
>> > site?
>>
>> I have just tried the last version of citrix as you told me.
>>
>> It solves the problem of the certificate (the old version didn't
>> understand the CA from Godaddy, but it coredumps at the startup.
>>
>> I copy backtrace/registers and output from ktruss:
> ...
>>   2412   2412 wficaRET   writev 324/0x144
>>   2412   2412 wficaCALL  poll(0xbfbff418,1,0x)
>>   2412   2412 wficaRET   poll 1
>>   2412   2412 wficaCALL  read(3,0x8264a38,0x1000)
>>   2412   2412 wficaGIO   fd 3 read 32 bytes
>>"\^A\^B8\^B\0\0\0\0002\0`\^A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
>>   2412   2412 wficaRET   read 32/0x20
>>   2412   2412 wficaCALL  read(3,0x8264a38,0x1000)
>>   2412   2412 wficaRET   read -1 unknown errno 35
>>   2412   2412 wficaCALL  read(3,0x8264a38,0x1000)
>>   2412   2412 wficaRET   read -1 unknown errno 35
>>   2412   2412 wficaCALL  gettimeofday(0xbfbff8bc,0)
>>   2412   2412 wficaRET   gettimeofday 0
>>   2412   2412 wficaCALL  gettimeofday(0xbfbff83c,0)
>>   2412   2412 wficaRET   gettimeofday 0
>>   2412   2412 wficaCALL  gettimeofday(0xbfbff7dc,0)
>>   2412   2412 wficaRET   gettimeofday 0
>>   2412   2412 wficaCALL  socketcall(9,0xbfbff5f0)
>>   2412   2412 wficaMISC  send: 16,
>> 0600ffe87cffdcffb92200
>>   2412   2412 wficaMISC  msghdr: [name=0x0, namelen=0,
>> iov=0xf323bc84, iovlen=1, control=0x0, controllen=3226819742, flags=0]
>>   2412   2412 wficaGIO   fd 6 wrote 34 bytes
>>
>> "\^W\^C\^A\0\^]\\\M-f`WIH*\M^F\M-%\^X\M-y\M^@9\M-t({In39$\M-!\^[\M^TNc\M^N/\M-_"
>>   2412   2412 wficaRET   socketcall 34/0x22
>>   2412   2412 wficaCALL  gettimeofday(0xbfbff6fc,0)
>>   2412   2412 wficaRET   gettimeofday 0
>>   2412   2412 wficaCALL  gettimeofday(0xbfbff68c,0)
>>   2412   2412 wficaRET   gettimeofday 0
>>   2412   2412 wficaCALL  gettimeofday(0xbfbff6fc,0)
>>   2412   2412 wficaRET   gettimeofday 0
>>   2412   2412 wficaPSIG  SIGSEGV SIG_DFL: code=SEGV_MAPERR,
>> addr=0x92ee48c6, trap=14)
>>   2412   2459 wficaRET   select -1 unknown errno 4
>>   2412   2412 wficaNAMI  "wfica.core"
>
> I am seeing this too. Essentially there are a load of calls to
> linux_sys_recvmsg which returns 35 (EAGAIN). The last round looks like
>
>  got here linux_sys_recvmsg 834 (do_sys_recvmsg=35)
>  got here linux_select1 894 selcommon=0
>  got here linux_sys_select 844
>  got here linux_sys_recvmsg 815
>  got here linux_to_bsd_msghdr 455
>  got here linux_sys_recvmsg 820
>  got here linux_to_bsd_msg_flags 279
>  msg_name=0x0
>  msg_namelen=0
>  msg_iov=0x7f7febd0
>  msg_iov=0x7f
>  msg_control=0x7f7fec20
>  msg_controllen=80
>  msg_flags=400
>  control=0x80586483
>  from=0xfe804534be58
>  got here linux_sys_recvmsg 834 (do_sys_recvmsg=35)
>  got here linux_select1 894 selcommon=4
>  pid 3382 (wfica), uid 1000: exited on signal 11 (core dumped)
>
> So it seems that after too many retries, a timer fires and kills the
> process (linux_select1()). I suppose the underlying issue is with
> linux_sys_recvmsg, but how can you find out what?
>
> Cheers,
>
> Patrick


Re: Linux emulation - chroot always?

2016-02-25 Thread Eric Haszlakiewicz
On February 24, 2016 6:11:36 PM EST, Swift Griggs  wrote:
>
>When a Linux-binary runs, what does it "see" in terms of the root file 
>system? So, for example, if I run 'ldconfig', does it see Linux
>libraries 
>in /emul/linux/lib or just "/lib" ?
>
>Also, how does this play out when I want to run Linux binaries from my 
>home directory? Ie.. if I wanted to run foobar.exe and it expects to
>find 
>some shared lib in /usr/local/lib does that need to be relative or 
>absolute?
>
>What about 32 vs 64 bit binaries, is there any automatic translation or
>
>chrooting for /emul/linux vs /emul/linux32 ?

For linux emul, it's more like a leaky overlay than a chroot.  Processes 
running as linux emul will generally look in /emul/linux first, and if the 
desired file/directory isn't found there it'll try /.  There are other details, 
like whiteout entries, magic /../ escape prefixes, etc.. and I believe it's 
documented in a man page somewhere, but sorry, I don't remember off-hand which 
one.

I'm assuming it's the same for 32-on-64, but I've never looked.

Eric



Re: Last version of of citrix Client core dumps (Was Re: How to run Microsoft Internet Explorer on NetBSD?)

2016-02-25 Thread Patrick Welche
On Wed, Feb 03, 2016 at 07:31:35PM +0100, Jose Luis Rodriguez Garcia wrote:
> On Tue, Feb 2, 2016 at 4:17 AM, Eric Haszlakiewicz  wrote:
> > On 2/1/2016 3:51 PM, Jose Luis Rodriguez Garcia wrote:
> 
> 
> > Have you tried downloading a newer version of the client from Citrix's site?
> 
> I have just tried the last version of citrix as you told me.
> 
> It solves the problem of the certificate (the old version didn't
> understand the CA from Godaddy, but it coredumps at the startup.
> 
> I copy backtrace/registers and output from ktruss:
...
>   2412   2412 wficaRET   writev 324/0x144
>   2412   2412 wficaCALL  poll(0xbfbff418,1,0x)
>   2412   2412 wficaRET   poll 1
>   2412   2412 wficaCALL  read(3,0x8264a38,0x1000)
>   2412   2412 wficaGIO   fd 3 read 32 bytes
>"\^A\^B8\^B\0\0\0\0002\0`\^A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
>   2412   2412 wficaRET   read 32/0x20
>   2412   2412 wficaCALL  read(3,0x8264a38,0x1000)
>   2412   2412 wficaRET   read -1 unknown errno 35
>   2412   2412 wficaCALL  read(3,0x8264a38,0x1000)
>   2412   2412 wficaRET   read -1 unknown errno 35
>   2412   2412 wficaCALL  gettimeofday(0xbfbff8bc,0)
>   2412   2412 wficaRET   gettimeofday 0
>   2412   2412 wficaCALL  gettimeofday(0xbfbff83c,0)
>   2412   2412 wficaRET   gettimeofday 0
>   2412   2412 wficaCALL  gettimeofday(0xbfbff7dc,0)
>   2412   2412 wficaRET   gettimeofday 0
>   2412   2412 wficaCALL  socketcall(9,0xbfbff5f0)
>   2412   2412 wficaMISC  send: 16,
> 0600ffe87cffdcffb92200
>   2412   2412 wficaMISC  msghdr: [name=0x0, namelen=0,
> iov=0xf323bc84, iovlen=1, control=0x0, controllen=3226819742, flags=0]
>   2412   2412 wficaGIO   fd 6 wrote 34 bytes
>
> "\^W\^C\^A\0\^]\\\M-f`WIH*\M^F\M-%\^X\M-y\M^@9\M-t({In39$\M-!\^[\M^TNc\M^N/\M-_"
>   2412   2412 wficaRET   socketcall 34/0x22
>   2412   2412 wficaCALL  gettimeofday(0xbfbff6fc,0)
>   2412   2412 wficaRET   gettimeofday 0
>   2412   2412 wficaCALL  gettimeofday(0xbfbff68c,0)
>   2412   2412 wficaRET   gettimeofday 0
>   2412   2412 wficaCALL  gettimeofday(0xbfbff6fc,0)
>   2412   2412 wficaRET   gettimeofday 0
>   2412   2412 wficaPSIG  SIGSEGV SIG_DFL: code=SEGV_MAPERR,
> addr=0x92ee48c6, trap=14)
>   2412   2459 wficaRET   select -1 unknown errno 4
>   2412   2412 wficaNAMI  "wfica.core"

I am seeing this too. Essentially there are a load of calls to
linux_sys_recvmsg which returns 35 (EAGAIN). The last round looks like

 got here linux_sys_recvmsg 834 (do_sys_recvmsg=35)
 got here linux_select1 894 selcommon=0
 got here linux_sys_select 844
 got here linux_sys_recvmsg 815
 got here linux_to_bsd_msghdr 455
 got here linux_sys_recvmsg 820
 got here linux_to_bsd_msg_flags 279
 msg_name=0x0
 msg_namelen=0
 msg_iov=0x7f7febd0
 msg_iov=0x7f
 msg_control=0x7f7fec20
 msg_controllen=80
 msg_flags=400
 control=0x80586483
 from=0xfe804534be58
 got here linux_sys_recvmsg 834 (do_sys_recvmsg=35)
 got here linux_select1 894 selcommon=4
 pid 3382 (wfica), uid 1000: exited on signal 11 (core dumped)

So it seems that after too many retries, a timer fires and kills the
process (linux_select1()). I suppose the underlying issue is with
linux_sys_recvmsg, but how can you find out what?

Cheers,

Patrick


Re: nVidia vs NetBSD v7 resolving issue.

2016-02-25 Thread coypu
On Thu, Feb 25, 2016 at 12:37:00PM +0330, Mohammad BadieZadegan wrote:
> Hi all,
> I have Dell E6410 Latitude notebook (With nVidia Graphic card) and I
> installed NetBSD v7.0 as a main OS on it.
> While I run [X -configure] it make a [xorg.conf.new] and then I run [X
> -config /root/xorg.conf.new] but it errored me: [(EE) No device Detected].
> 
> Finally I changed "nv" in [xorg.conf.new] to "vesa" but still error me
> [(EE) No device Detected]!
> 
> How can I resolve this nVidia issue?
> Thanks in advance.

Have you tried just startx without an X config?

In general, nVidia support should be better in -current, as nouveau was
not included in 7.0 (but is in -current).

I've written about my experiences with an nVidia card here:
http://mail-index.netbsd.org/current-users/2016/01/20/msg028722.html
Maybe you will find it useful.


nVidia vs NetBSD v7 resolving issue.

2016-02-25 Thread Mohammad BadieZadegan
Hi all,
I have Dell E6410 Latitude notebook (With nVidia Graphic card) and I
installed NetBSD v7.0 as a main OS on it.
While I run [X -configure] it make a [xorg.conf.new] and then I run [X
-config /root/xorg.conf.new] but it errored me: [(EE) No device Detected].

Finally I changed "nv" in [xorg.conf.new] to "vesa" but still error me
[(EE) No device Detected]!

How can I resolve this nVidia issue?
Thanks in advance.


Re: Change default compat_linux path ?

2016-02-25 Thread Gary Duzan
In Message ,
   Adrien Fernandes wrote:

=>Hello, is it possible to change /emul/linux path ? I downloaded
=>by myself Arch Linux operating system and I put it in my home
=>directory (~/Linux) and I wish to be able to use binaries from
=>there. The fact is that if I move Arch Linux root to /emul/linux/,
=>I can use binaries but if I move it elsewhere, it won't work
=>anymore. I didn't install any emulators/suse package. I wished to
=>do it all by myself. Yes, I can still create a symlink but before,
=>I wish to know if it can be changed.
=>Adrien Fernandes

   It looks like it is hard-coded:

compat/linux/common/linux_exec.c: .e_path =   "/emul/linux",

NetBSD recognizes the executable as Linux and modifies the process
to look for executables under the e_path before looking under the
real root.

Gary Duzan




Change default compat_linux path ?

2016-02-25 Thread Adrien Fernandes
Hello, is it possible to change /emul/linux path ? I downloaded by myself Arch
Linux operating system and I put it in my home directory (~/Linux) and I wish
to be able to use binaries from there. The fact is that if I move Arch Linux
root to /emul/linux/, I can use binaries but if I move it elsewhere, it won't
work anymore. I didn't install any emulators/suse package. I wished to do it all
by myself. Yes, I can still create a symlink but before, I wish to know if it
can be changed.

Adrien Fernandes