Re: php system using httpd and php-fpm

2016-11-04 Thread Kevin Chadwick
You can also use the femail-chroot package and build ksh with env CC="cc
-static" to get a sh binary that can go in /var/www/bin and even add a more
restrictive pledge to ksh if you like.



Re: php system using httpd and php-fpm

2016-11-04 Thread Noah
I'm running Tiny Tiny RSS on OpenBSD httpd with PHP-FPM and MariaDB. In
order to get mail working for it, I also needed these copied from their
usual places into the /var/www chroot:

/var/www/usr/sbin/sendmail
/var/www/usr/lib/libutil.so.12.1
/var/www/usr/lib/libc.so.80.1
/var/www/usr/libexec/ld.so
/var/www/etc/resolv.conf
/var/www/etc/hosts

Hope this helps.


On Fri, Nov 4, 2016 at 1:38 PM, Otto Moerbeek  wrote:

> On Fri, Nov 04, 2016 at 05:29:54PM +, Peter Fraser wrote:
>
> > I actually wanted to call php's mail function which I could not get to
> work, I
> > think I have tracked the problem down to exec not working
> > the details follow using a test web page datetest.php
> >
> >
> >
> > newweb:/var/www/htdocs/web # cat datetest.php
> > cat datetest.php
> > 
> >
> > 
> > 
> > Date Test
> > 
> > 
> >  ini_set('display_errors', 'On');
> >  error_reporting(E_ALL | E_STRICT);
> >  if(function_exists('exec')) {
> >   echo "exec is enabled";
> >  } else {
> >   echo "exec is disabled";
> >  }
> >  echo 'Date Test';
> >  exec('/bin/date',$output);
> >  print_r($output);
> >  echo 'End Date test';
> > ?>
> > 
> > 
> > newweb:/var/www/htdocs/web # php-7.0 -f datetest.php
> > php-7.0 -f datetest.php
> > 
> >
> > 
> > 
> > Date Test
> > 
> > 
> >   exec is enabledDate TestArray
> > (
> > [0] => Fri Nov  4 13:16:35 EDT 2016
> > )
> > End Date test
> > 
> > newweb:/var/www/htdocs/web # # date has been copied under /var/www/bin
> for
> > testing
> > # date has been copied under /var/www/bin
> > newweb:/var/www/htdocs/web # ls -l /var/www/bin
> > ls -l /var/www/bin
> > total 4216
> > --  1 root  bin 249392 Jul 26 14:48 bgpctl
> > -rwxr-xr-x  1 root  daemon  119216 Nov  3 13:18 cat
> > -r-xr-xr-x  1 root  daemon  140112 Nov  4 12:52 date
> > -rwxr-xr-x  1 root  bin 271856 Jul 25 20:37 femail
> > -rwxr-xr-x  1 root  daemon  470096 Nov  3 12:49 ksh
> > -rwxr-xr-x  1 root  daemon    9816 Nov  3 12:51 logger
> > -rwxrwxrwx  1 root  daemon  27 Nov  3 15:56 mailtest
> > -rwxr-xr-x  1 root  bin 204240 Jul 26 14:48 ping
> > --  1 root  bin 207920 Jul 26 14:48 ping6
> > --  2 root  bin 179760 Jul 26 14:48 traceroute
> > --  2 root  bin 179760 Jul 26 14:48 traceroute6
> > newweb:/var/www/htdocs/web # chroot -u www /var/www /bin/date
> > chroot -u www /var/www /bin/date
> > Fri Nov  4 17:18:34 GMT 2016
> >
> > I believe this shows that the php web page is correct and that 'date'
> does
> > exist in the chroot,
> >
> > but when I invoke web page from a browser I get.
> >
> > exec is enabled
> > Date Test
> > Array ( )
> > End Date test
> >
> > What am I doing wrong?
>
> For exec to work you also need /bin/sh
>
> -Otto
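The file list above, together with Otto's point that exec() needs /bin/sh inside the chroot, is easy to verify mechanically before touching a browser. The script below is an added example, not code from the thread or from OpenBSD; check_chroot(), DEFAULT_REQUIRED, EXEC_DIRS and build_demo_chroot() are names chosen here, and the sample chroot it builds in a temporary directory is constructed for the demonstration (the library names are taken from Noah's list, the files are placeholders, not real binaries). Besides missing files it flags anything world-writable, like the 0777 mailtest script in Peter's listing, because a file the www user can overwrite under /var/www/bin is code the www user will later run.

```python
import os
import stat
import tempfile

# Added example, not from the thread or from OpenBSD. Paths are relative to
# the chroot root (/var/www on an httpd system). The support files mirror
# the ones Noah listed, plus bin/sh, which exec() needs as Otto noted.
DEFAULT_REQUIRED = (
    "bin/sh",
    "usr/sbin/sendmail",
    "usr/libexec/ld.so",
    "etc/resolv.conf",
    "etc/hosts",
)

# Directories whose files the (non-owner) www user must be able to execute.
EXEC_DIRS = ("bin/", "usr/sbin/", "usr/libexec/")


def check_chroot(root, required=DEFAULT_REQUIRED, libs=()):
    """Return sorted (problem, relative path) tuples for the chroot at root.

    Problems reported: a required file or library is missing, a file under
    an executable directory is not executable by others (www is not the
    owner), or any checked file is world-writable."""
    problems = []
    for rel in tuple(required) + tuple(libs):
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            problems.append(("missing", rel))
            continue
        mode = os.stat(path).st_mode
        if rel.startswith(EXEC_DIRS) and not mode & stat.S_IXOTH:
            problems.append(("not executable by others", rel))
        if mode & stat.S_IWOTH:
            problems.append(("world-writable", rel))
    return sorted(problems)


def build_demo_chroot():
    """Build a constructed sample chroot in a temp dir (placeholder files,
    not real binaries): it has date and a world-writable mailtest script
    but lacks bin/sh, etc/resolv.conf and libutil, like the thread's case."""
    root = tempfile.mkdtemp(prefix="www-chroot-")

    def put(rel, mode):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write("placeholder\n")
        os.chmod(path, mode)

    put("bin/date", 0o555)
    put("bin/mailtest", 0o777)
    put("usr/sbin/sendmail", 0o755)
    put("usr/libexec/ld.so", 0o755)
    put("usr/lib/libc.so.80.1", 0o444)
    put("etc/hosts", 0o644)
    return root


def demo():
    """Run the check over the constructed chroot and return the findings."""
    root = build_demo_chroot()
    return check_chroot(
        root,
        required=DEFAULT_REQUIRED + ("bin/date", "bin/mailtest"),
        libs=("usr/lib/libc.so.80.1", "usr/lib/libutil.so.12.1"),
    )


if __name__ == "__main__":
    for problem, rel in demo():
        print(f"{problem}: {rel}")
```

On a real system you would call check_chroot("/var/www", ...) with the library names ldd reports for each copied binary; the exact libc/libutil versions change between releases, so re-run the check after every upgrade rather than trusting an old copy of the list.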



Re: Oddness with pkg_add

2016-11-04 Thread Erling Westenvik
On Fri, Nov 04, 2016 at 09:46:19AM -0500, Chris Bennett wrote:
> If I offended anyone on the list, say so and I will pay penance with a
> small donation to OpenBSD.

Just don't say you're gonna "make OpenBSD great again"..

Erling

-- 
Erling Westenvik



Re: php system using httpd and php-fpm

2016-11-04 Thread Otto Moerbeek
On Fri, Nov 04, 2016 at 05:29:54PM +, Peter Fraser wrote:

> I actually wanted to call php's mail function which I could not get to work, I
> think I have tracked the problem down to exec not working
> the details follow using a test web page datetest.php
> 
> 
> 
> newweb:/var/www/htdocs/web # cat datetest.php
> cat datetest.php
> 
> 
> 
> 
> Date Test
> 
> 
> ini_set('display_errors', 'On');
>  error_reporting(E_ALL | E_STRICT);
>  if(function_exists('exec')) {
>   echo "exec is enabled";
>  } else {
>   echo "exec is disabled";
>  }
>  echo 'Date Test';
>  exec('/bin/date',$output);
>  print_r($output);
>  echo 'End Date test';
> ?>
> 
> 
> newweb:/var/www/htdocs/web # php-7.0 -f datetest.php
> php-7.0 -f datetest.php
> 
> 
> 
> 
> Date Test
> 
> 
>   exec is enabledDate TestArray
> (
> [0] => Fri Nov  4 13:16:35 EDT 2016
> )
> End Date test
> 
> newweb:/var/www/htdocs/web # # date has been copied under /var/www/bin for
> testing
> # date has been copied under /var/www/bin
> newweb:/var/www/htdocs/web # ls -l /var/www/bin
> ls -l /var/www/bin
> total 4216
> --  1 root  bin 249392 Jul 26 14:48 bgpctl
> -rwxr-xr-x  1 root  daemon  119216 Nov  3 13:18 cat
> -r-xr-xr-x  1 root  daemon  140112 Nov  4 12:52 date
> -rwxr-xr-x  1 root  bin 271856 Jul 25 20:37 femail
> -rwxr-xr-x  1 root  daemon  470096 Nov  3 12:49 ksh
> -rwxr-xr-x  1 root  daemon    9816 Nov  3 12:51 logger
> -rwxrwxrwx  1 root  daemon  27 Nov  3 15:56 mailtest
> -rwxr-xr-x  1 root  bin 204240 Jul 26 14:48 ping
> --  1 root  bin 207920 Jul 26 14:48 ping6
> --  2 root  bin 179760 Jul 26 14:48 traceroute
> --  2 root  bin 179760 Jul 26 14:48 traceroute6
> newweb:/var/www/htdocs/web # chroot -u www /var/www /bin/date
> chroot -u www /var/www /bin/date
> Fri Nov  4 17:18:34 GMT 2016
> 
> I believe this shows that the php web page is correct and that 'date' does
> exist in the chroot,
> 
> but when I invoke web page from a browser I get.
> 
> exec is enabled
> Date Test
> Array ( )
> End Date test
> 
> What am I doing wrong?

For exec to work you also need /bin/sh

-Otto



php system using httpd and php-fpm

2016-11-04 Thread Peter Fraser
I actually wanted to call php's mail function, which I could not get to work. I
think I have tracked the problem down to exec not working;
the details follow, using a test web page datetest.php.



newweb:/var/www/htdocs/web # cat datetest.php
cat datetest.php




Date Test


<?php
 ini_set('display_errors', 'On');
 error_reporting(E_ALL | E_STRICT);
 if(function_exists('exec')) {
  echo "exec is enabled";
 } else {
  echo "exec is disabled";
 }
 echo 'Date Test';
 exec('/bin/date',$output);
 print_r($output);
 echo 'End Date test';
?>


newweb:/var/www/htdocs/web # php-7.0 -f datetest.php
php-7.0 -f datetest.php




Date Test


  exec is enabledDate TestArray
(
[0] => Fri Nov  4 13:16:35 EDT 2016
)
End Date test

newweb:/var/www/htdocs/web # # date has been copied under /var/www/bin for
testing
# date has been copied under /var/www/bin
newweb:/var/www/htdocs/web # ls -l /var/www/bin
ls -l /var/www/bin
total 4216
--  1 root  bin 249392 Jul 26 14:48 bgpctl
-rwxr-xr-x  1 root  daemon  119216 Nov  3 13:18 cat
-r-xr-xr-x  1 root  daemon  140112 Nov  4 12:52 date
-rwxr-xr-x  1 root  bin 271856 Jul 25 20:37 femail
-rwxr-xr-x  1 root  daemon  470096 Nov  3 12:49 ksh
-rwxr-xr-x  1 root  daemon    9816 Nov  3 12:51 logger
-rwxrwxrwx  1 root  daemon  27 Nov  3 15:56 mailtest
-rwxr-xr-x  1 root  bin 204240 Jul 26 14:48 ping
--  1 root  bin 207920 Jul 26 14:48 ping6
--  2 root  bin 179760 Jul 26 14:48 traceroute
--  2 root  bin 179760 Jul 26 14:48 traceroute6
newweb:/var/www/htdocs/web # chroot -u www /var/www /bin/date
chroot -u www /var/www /bin/date
Fri Nov  4 17:18:34 GMT 2016

I believe this shows that the php web page is correct and that 'date' does
exist in the chroot,

but when I invoke web page from a browser I get.

exec is enabled
Date Test
Array ( )
End Date test

What am I doing wrong?



Re: Why isn't "sort -R" random?

2016-11-04 Thread Shazaum
Sorry for saying this, but on Debian it would not be wrong either...

# sort -R a.txt
7
7
7
7
...

On 11/04/2016 02:17 PM, Joel Wirāmu Pauling wrote:
> Pipe through uniq and you'll get what you are after.
>
> Design intent for sort, as others point out this behaviour is documented.
>
> On 4 November 2016 at 11:47, Christian Gruhl  wrote:
>
>> Hi minek,
>>
>> On 11/04/2016 04:41 PM, minek van wrote:
>>> Hello,
>>>
>>> # strings /dev/arandom | grep -o '[[:print:]]' | head -100 > a.txt
>>> # sort -R a.txt
>>> K
>> ...
>>> 9
>>> # uname -mrs
>>> OpenBSD 6.0 amd64
>>> #
>>> # sort -R a.txt > b.txt
>>> # cksum b.txt
>>> 3374888359 200 b.txt
>>> # sort -R a.txt > b.txt
>>> # cksum b.txt
>>> 109071951 200 b.txt
>>> # sort -R a.txt > b.txt
>>> # cksum b.txt
>>> 3441576000 200 b.txt
>>> #
>>>
>>> from: http://man.openbsd.org/OpenBSD-current/man1/sort.1
>>>
>>>  -R, --random-sort, --sort=random
>>>
>>> Sort lines in random order. This is a random permutation of the
>> inputs with the exception that equal keys sort together. It is
>> implemented by hashing the input keys and sorting the hash values. The
>> hash function is randomized with data from arc4random_buf(3), or by file
>> content if one is specified via --random-source. If multiple sort fields
>> are specified, the same random hash function is used for all of them.
>>> Although the "b.txt" differs, if we check it by the human eye... that
>> is not random.. **Why**? Why is it called random, WHEN IT IS NOT
>> RANDOM?! Random should mean RANDOM. Not "almost" random..
>>> The same can be seen on ex.: RHEL7.
>>>
>> I would guess this is the desired behavior. The man page cited by you
>> also states:
>>
>> 'This is a random permutation of the inputs with the exception that
>> equal keys sort together. It is implemented by hashing the input keys
>> and sorting the hash values.'
>>
>> So clearly same values/strings will be put together.
>>
>> Best wishes
>>
>> Chris
>>



Re: Why isn't "sort -R" random?

2016-11-04 Thread Joel Wirāmu Pauling
Pipe through uniq and you'll get what you are after.

Design intent for sort, as others point out this behaviour is documented.

On 4 November 2016 at 11:47, Christian Gruhl  wrote:

> Hi minek,
>
> On 11/04/2016 04:41 PM, minek van wrote:
> > Hello,
> >
> > # strings /dev/arandom | grep -o '[[:print:]]' | head -100 > a.txt
> > # sort -R a.txt
> > K
> ...
> > 9
> > # uname -mrs
> > OpenBSD 6.0 amd64
> > #
> > # sort -R a.txt > b.txt
> > # cksum b.txt
> > 3374888359 200 b.txt
> > # sort -R a.txt > b.txt
> > # cksum b.txt
> > 109071951 200 b.txt
> > # sort -R a.txt > b.txt
> > # cksum b.txt
> > 3441576000 200 b.txt
> > #
> >
> > from: http://man.openbsd.org/OpenBSD-current/man1/sort.1
> >
> >  -R, --random-sort, --sort=random
> >
> > Sort lines in random order. This is a random permutation of the
> inputs with the exception that equal keys sort together. It is
> implemented by hashing the input keys and sorting the hash values. The
> hash function is randomized with data from arc4random_buf(3), or by file
> content if one is specified via --random-source. If multiple sort fields
> are specified, the same random hash function is used for all of them.
> >
> > Although the "b.txt" differs, if we check it by the human eye... that
> is not random.. **Why**? Why is it called random, WHEN IT IS NOT
> RANDOM?! Random should mean RANDOM. Not "almost" random..
> >
> > The same can be seen on ex.: RHEL7.
> >
>
> I would guess this is the desired behavior. The man page cited by you
> also states:
>
> 'This is a random permutation of the inputs with the exception that
> equal keys sort together. It is implemented by hashing the input keys
> and sorting the hash values.'
>
> So clearly same values/strings will be put together.
>
> Best wishes
>
> Chris
>



Re: Why isn't "sort -R" random?

2016-11-04 Thread Christian Gruhl
Hi minek,

On 11/04/2016 04:41 PM, minek van wrote:
> Hello,
>
> # strings /dev/arandom | grep -o '[[:print:]]' | head -100 > a.txt
> # sort -R a.txt
> K
...
> 9
> # uname -mrs
> OpenBSD 6.0 amd64
> #
> # sort -R a.txt > b.txt
> # cksum b.txt
> 3374888359 200 b.txt
> # sort -R a.txt > b.txt
> # cksum b.txt
> 109071951 200 b.txt
> # sort -R a.txt > b.txt
> # cksum b.txt
> 3441576000 200 b.txt
> #
>
> from: http://man.openbsd.org/OpenBSD-current/man1/sort.1
>
>  -R, --random-sort, --sort=random
>
> Sort lines in random order. This is a random permutation of the
inputs with the exception that equal keys sort together. It is
implemented by hashing the input keys and sorting the hash values. The
hash function is randomized with data from arc4random_buf(3), or by file
content if one is specified via --random-source. If multiple sort fields
are specified, the same random hash function is used for all of them.
>
> Although the "b.txt" differs, if we check it by the human eye... that
is not random.. **Why**? Why is it called random, WHEN IT IS NOT
RANDOM?! Random should mean RANDOM. Not "almost" random..
>
> The same can be seen on ex.: RHEL7.
>

I would guess this is the desired behavior. The man page cited by you
also states:

'This is a random permutation of the inputs with the exception that
equal keys sort together. It is implemented by hashing the input keys
and sorting the hash values.'

So clearly same values/strings will be put together.

Best wishes

Chris




Why isn't "sort -R" random?

2016-11-04 Thread minek van
Hello, 

# strings /dev/arandom | grep -o '[[:print:]]' | head -100 > a.txt 
# sort -R a.txt
K
]
U
O
B
B
~
o
o
I
I
P
s
s
Q
f
f
p
,
1
5
#
X
X
c
c
W
W
\
\
h
w
v
v
?
`
L
L
L
L
A
A
A
E
J
J
Y
$
|
!
x
2
2
2
2
(
a
q
q
q
q
3
3
7
d
+
z
z
z
S
S
S
S
F
6
=
i
i
G
G
.
.
.
:
[
[
T
 
 
{
-
}
}
}
j
j
&
9
9
9
# uname -mrs
OpenBSD 6.0 amd64
# 
# sort -R a.txt > b.txt 
# cksum b.txt   
3374888359 200 b.txt
# sort -R a.txt > b.txt 
# cksum b.txt   
109071951 200 b.txt
# sort -R a.txt > b.txt 
# cksum b.txt   
3441576000 200 b.txt
# 

from: http://man.openbsd.org/OpenBSD-current/man1/sort.1

 -R, --random-sort, --sort=random

Sort lines in random order. This is a random permutation of the inputs with 
the exception that equal keys sort together. It is implemented by hashing the 
input keys and sorting the hash values. The hash function is randomized with 
data from arc4random_buf(3), or by file content if one is specified via 
--random-source. If multiple sort fields are specified, the same random hash 
function is used for all of them.

Although the "b.txt" differs, if we check it by the human eye... that is not 
random.. **Why**? Why is it called random, WHEN IT IS NOT RANDOM?! Random 
should mean RANDOM. Not "almost" random.. 

The same can be seen on ex.: RHEL7. 
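The man page excerpt quoted above describes exactly how the permutation is produced: hash every key with a per-run random salt, then sort by hash value. The following Python code is an added illustration, not code from OpenBSD's sort(1) or from anyone in the thread; random_sort(), true_shuffle(), equal_keys_adjacent() and demo() are names chosen here, SHA-256 over a salt stands in for sort's own hash function, and SAMPLE is a constructed input. It shows why identical lines always come out adjacent under the hash-and-sort scheme, why a fixed salt (the role --random-source plays) reproduces the same order every run, and how a plain Fisher-Yates shuffle behaves differently.

```python
import hashlib
import os
import random


def random_sort(lines, salt=None):
    """Permute lines the way the sort(1) man page describes -R: hash each
    key with a per-run random salt, then sort by the hash value. Equal
    keys hash equally, so they land next to each other. A fixed salt plays
    the role of --random-source and makes the order repeatable."""
    if salt is None:
        salt = os.urandom(16)  # stands in for arc4random_buf(3)

    def key(line):
        return hashlib.sha256(salt + line.encode()).digest()

    return sorted(lines, key=key)


def true_shuffle(lines):
    """A uniform random permutation (Fisher-Yates), for contrast: equal
    lines are scattered rather than grouped."""
    out = list(lines)
    random.SystemRandom().shuffle(out)
    return out


def equal_keys_adjacent(lines):
    """True iff every set of identical lines forms one contiguous run,
    which is the property the man page promises for sort -R."""
    seen = set()
    prev = object()
    for line in lines:
        if line != prev:
            if line in seen:
                return False
            seen.add(line)
        prev = line
    return True


# Constructed sample: short lines with duplicates, like the single
# characters minek pulled out of /dev/arandom.
SAMPLE = list("aabbbcddddeffg")


def demo(salt=b"fixed-salt"):
    """Return (hash-sorted lines, shuffled lines, hash grouped?, shuffle grouped?)."""
    hashed = random_sort(SAMPLE, salt)
    shuffled = true_shuffle(SAMPLE)
    return hashed, shuffled, equal_keys_adjacent(hashed), equal_keys_adjacent(shuffled)


if __name__ == "__main__":
    hashed, shuffled, h_ok, s_ok = demo()
    print("sort -R style:", "".join(hashed), "grouped:", h_ok)
    print("true shuffle: ", "".join(shuffled), "grouped:", s_ok)
```

The hash-sorted output is a random permutation of the distinct keys, not of the lines, which is why a file with many repeated values looks "not random" to the eye while its checksum still changes from run to run; if a uniform shuffle of every line is what a job needs, the grouping guarantee of sort -R is the wrong tool and something like true_shuffle() above (or piping through uniq first, as suggested in the thread) is the right one.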



Re: Oddness with pkg_add

2016-11-04 Thread Chris Bennett
On Fri, Nov 04, 2016 at 10:06:13AM -0400, Raul Miller wrote:
> On Fri, Nov 4, 2016 at 9:54 AM, Chris Bennett
>  wrote:
> > As a side note, if you use a server to download OpenBSD that is located
> > in the US, there is always that chance that those crypto issues might
> > one day be a concern.
> 
> Something similar could be said about hardware purchases and (*insert
> name of country where hardware was manufactured*).
> 
> > Also, inside the US, anything that goes wrong, including cold coffee is
> > the Russians fault.
> > Luckily, Mexico is going to pay for a wall to keep illegal Mexicans from
> > returning to Mexico where there are better jobs. :)
> >

I was trying to be a little lighthearted with this comment, but
unfortunately I am a US citizen and the political situation is
terrifying. 
Actually, this is a good reason to be VERY concerned about what the US
might do with crypto and hardware, which is why I threw it in.

If I offended anyone on the list, say so and I will pay penance with a
small donation to OpenBSD.

Chris


> > Sadly, I wasn't joking about the better jobs part.
> 
> Personally, I'm not motivated to solve these problems.
> 
> Or, rather, I'm not motivated to do more about solving these problems
> than I already am attempting to do. Call it a lack of vision, thing...
> 
> Thanks,
> 
> -- 
> Raul



Re: Oddness with pkg_add

2016-11-04 Thread Raul Miller
On Fri, Nov 4, 2016 at 9:54 AM, Chris Bennett
 wrote:
> As a side note, if you use a server to download OpenBSD that is located
> in the US, there is always that chance that those crypto issues might
> one day be a concern.

Something similar could be said about hardware purchases and (*insert
name of country where hardware was manufactured*).

> Also, inside the US, anything that goes wrong, including cold coffee is
> the Russians fault.
> Luckily, Mexico is going to pay for a wall to keep illegal Mexicans from
> returning to Mexico where there are better jobs. :)
>
> Sadly, I wasn't joking about the better jobs part.

Personally, I'm not motivated to solve these problems.

Or, rather, I'm not motivated to do more about solving these problems
than I already am attempting to do. Call it a lack of vision, thing...

Thanks,

-- 
Raul



Re: Oddness with pkg_add

2016-11-04 Thread Chris Bennett
On Thu, Nov 03, 2016 at 10:21:57PM -0400, trondd wrote:
> Try substituting the IP for the hostname.  Is it just DNS that's the
> problem or all network connectivity?
> 

+1 on this. I frequently have DNS issues so I no longer use the
hostname.

As a side note, if you use a server to download OpenBSD that is located
in the US, there is always that chance that those crypto issues might
one day be a concern.

Also, inside the US, anything that goes wrong, including cold coffee is
the Russians fault.
Luckily, Mexico is going to pay for a wall to keep illegal Mexicans from
returning to Mexico where there are better jobs. :)

Sadly, I wasn't joking about the better jobs part.

Chris



Re: berkeleydb in ports

2016-11-04 Thread Stuart Henderson
On 2016-11-04, Peter J. Philipp  wrote:
> Hi,
>
> I'm writing because I'm wondering if people out there have had problems
> with the 4.6 version of Berkeley DB in ports, and I'm wondering if I'm
> the only one.  The reason is this.  I'm the author of a DNS server that
> uses Berkeley DB as a backend and I've stumbled on some database
> weirdness a few months ago.  In particular the query function seems to
> have stuck after some usage whereas the AXFR function which is on the
> same descriptor is not stuck.  What I've done is I've pulled my DNS
> server away from answering queries and it does only AXFR as a hidden
> master, but I do plan on bringing it back some day.  I don't have any
> old core files currently with me so this report is based only on my
> memory.  When I gdb'ed a stuck process by attaching gdb to it I noticed
> that the query engine was in berkeley db and probably not returning
> possibly a dead-lock situation.
>
> The way I use berkeley db is across several forked children; there is a
> child that does solely AXFR (using a cursor on the db and walking the
> zones)  and there is a child that does queries to port 53.  Since the
> database was opened before the fork() the descriptor is shared among the
> children.  I always saw this as no problem in terms of how the program was
> designed.
>
> Has anyone else seen possible dead-locks in berkeley db 4.6 as provided
> by the OpenBSD ports?  If not there is a chance it's my program meaning
> I'll never figure out what is causing this because I have planned on
> replacing berkeley db altogether, however if it's a known bug it would
> save me the effort next year.  The DNS server was built with OpenBSD as
> the development machine and is now also running in a strict OpenBSD
> environment on my VPS's.
>
> Thanks in advance for your sharing,
>
> -peter
>
>

I haven't noticed any myself, but the only thing I'm using it with is
openldap (not forked afaik).

We are many releases behind with db (last time it came up I don't
think there was a good plan to deal with the file format change), so
there might well be a problem that has been fixed upstream in the
meantime..



Re: Oddness with pkg_add

2016-11-04 Thread Marc Espie
On Thu, Nov 03, 2016 at 09:26:43PM -0400, trondd wrote:
> On Thu, November 3, 2016 9:19 pm, trondd wrote:
> > On Thu, November 3, 2016 9:07 pm, Chris Huxtable wrote:
> >> Same as before unfortunately.
> >>
> >> # pkg_add -v nano
> >> Error from http://ftp.openbsd.org/pub/OpenBSD/6.0/packages/amd64/
> >> ftp: ftp.openbsd.org: no address associated with name
> >> http://ftp.openbsd.org/pub/OpenBSD/6.0/packages/amd64/ is empty
> >> Error from http://openbsd.cs.toronto.edu/pub/OpenBSD/6.0/packages/amd64/
> >> ftp: openbsd.cs.toronto.edu: no address associated with name
> >> http://openbsd.cs.toronto.edu/pub/OpenBSD/6.0/packages/amd64/ is empty
> >> Error from
> >> http://athena.caslab.queensu.ca/pub/OpenBSD/6.0/packages/amd64/
> >> ftp: athena.caslab.queensu.ca: no address associated with name
> >> http://athena.caslab.queensu.ca/pub/OpenBSD/6.0/packages/amd64/ is empty
> >> Can't find nano
> >>
> >> Could this be a pledge issue?
> >>
> >
> > Check dmesg, but on a clean install, probably not.
> >
> > Are you doing something funky with pf, like only allowing certain users
> > internet access?  pkg_add downloads as the _pfetch user.  Try doas -u
> > _pfetch host ftp.openbsd.org
> >
> 
> Correction:  6.0 changed the user to _pkgfetch.

Not really. _pfetch was stolen from dpb until we got a proper user.
The window where _pfetch got used in pkg_add is rather small,
(2016/02/09 -> 2016/03/18)



Re: npppd troubles

2016-11-04 Thread Stefan Sperling
On Thu, Nov 03, 2016 at 06:48:56PM -0400, Marina Brown wrote:
> On 11/03/2016 03:36 PM, Stefan Sperling wrote:
> > On Thu, Nov 03, 2016 at 03:17:40PM -0400, Marina Brown wrote:
> >> Hi All:
> >>
> >> I have been trying to create an nppp connection across my property -
> >> about 100M for one of my friends who lives here. He wants less security
> >> than i like behind my firewall. I have not been able to get OpenBSD to
> >> route his connection out of the network. Here are my settings.
> > 
> >> # NAT Rule to translate from internal to External NET
> >> pass out on em0 inet from em1:network to any nat-to (em0)
> > 
> > You're using NAT when passing out on em0 here, and...
> >  
> >> external = em0
> > 
> >> pass out quick on $external from 10.0.0.103/32 to any
> > 
> > ... my guess is that you're missing 'nat-to ($external)' here ^
> > 
> 
> Thanks - is there a way to exclude the npppd users from the nat
> altogether. That is the reason for the exercise. If I put him
> behind the nat we are right where we started. He runs games that
> don't play well with strict NAT settings and I don't want the rest of my
> network exposed to reduced security.
> 
> I thought he would be on pppx0. Is there a way to do this?

Well, one way or another he will need to have his private 10.0.0.103
IP address translated to an IP that is actually valid on the internet.
There is no way around that.

pppx0 is where his packets arrive on your firewall. Your firewall has to
forward those packets to the internet and that requires using a public IP
as source address, else the internet won't be able to reply.

One option would be for him to get a VPN tunnel with some provider that
assigns public IPs to their VPN clients. That would solve this issue as long
as you still provide NAT so that his VPN client can reach the provider's
server across the internet. He would get his own public IP to use for the game.

Another option is to try adding 'static-port' to his NAT rule:

pass out quick on $external from 10.0.0.103/32 to any nat-to ($external) static-port

Perhaps that's enough to make the game he's playing work through NAT.

You could further restrict the above to certain ports used by the game.
For example, if the game was using the port range 5000:5100 then you could
do something like this:

pass out quick on $external from 10.0.0.103/32 to any port 5000:5100 nat-to ($external) static-port

In this case all his other connections would still use randomized NAT ports.



Re: permanent ARP being overwritten by ISP

2016-11-04 Thread Martin Pieuchot
On 25/10/16(Tue) 03:27, Doug Moss wrote:
> On Wednesday, January 20, 2016 1:37 PM, Martin Pieuchot  
> wrote:
> >If you're referring to my reply, I was interested in the behavior in a
> >-current kernel, what will be 5.9 soon.  A lot of changes happened
> >since 5.8.
> >
> >It would be nice if you could also post the output of "route -n show -inet"
> 
> >with such kernel.
> 
> I have brought up this issue before, but I think I have narrowed down the 
> possible causes/scenario,
> and I have my machine up to date with the current release.
> 
> I think my question is:
> on my OpenBSD 6.0 amd64 machine, where I already have an accurate ARP entry 
> that has been manually
> set as permanent, when the sshd daemon receives a connection, why does that 
> machine broadcast
> an ARP 'who-has' for the IP address of the SSH client machine?

Good question.  Could you rebuild arp(8) with the diff attached and show
me the output of "arp -an" after triggering the 'who-has'?  I'd like to
know if some code path set the expiration timer of your permanent entry.

Index: arp.c
===
RCS file: /cvs/src/usr.sbin/arp/arp.c,v
retrieving revision 1.76
diff -u -p -r1.76 arp.c
--- arp.c   27 Aug 2016 04:15:52 -  1.76
+++ arp.c   4 Nov 2016 10:03:34 -
@@ -556,7 +556,7 @@ print_entry(struct sockaddr_dl *sdl, str
 
if (rtm->rtm_flags & (RTF_PERMANENT_ARP|RTF_LOCAL))
printf(" %-10.10s", "permanent");
-   else if (rtm->rtm_rmx.rmx_expire == 0)
+   if (rtm->rtm_rmx.rmx_expire == 0)
printf(" %-10.10s", "static");
else if (rtm->rtm_rmx.rmx_expire > now.tv_sec)
printf(" %-10.10s",
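Review bot: removing the `else` before `if (rtm->rtm_rmx.rmx_expire == 0)` makes an entry flagged RTF_PERMANENT_ARP or RTF_LOCAL fall through into the expiry checks, so it now prints "permanent" followed by a second `" %-10.10s"` status cell ("static" when the timer is zero, otherwise the expiry branch). That is exactly what is wanted for the diagnostic asked for here, since it exposes whether some code path set a timer on the permanent entry, but the row gains an extra column for those entries, so this should stay a debug diff; if the expiry were to be shown permanently, fold it into the existing status column (or a separate flag) rather than emitting two status cells, so scripts that split `arp -an` output on whitespace keep working.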



berkeleydb in ports

2016-11-04 Thread Peter J. Philipp
Hi,

I'm writing because I'm wondering if people out there have had problems
with the 4.6 version of Berkeley DB in ports, and I'm wondering if I'm
the only one.  The reason is this.  I'm the author of a DNS server that
uses Berkeley DB as a backend and I've stumbled on some database
weirdness a few months ago.  In particular the query function seems to
get stuck after some usage, whereas the AXFR function, which is on the
same descriptor is not stuck.  What I've done is I've pulled my DNS
server away from answering queries and it does only AXFR as a hidden
master, but I do plan on bringing it back some day.  I don't have any
old core files currently with me so this report is based only on my
memory.  When I gdb'ed a stuck process by attaching gdb to it I noticed
that the query engine was in berkeley db and probably not returning
possibly a dead-lock situation.

The way I use berkeley db is across several forked children; there is a
child that does solely AXFR (using a cursor on the db and walking the
zones)  and there is a child that does queries to port 53.  Since the
database was opened before the fork() the descriptor is shared among the
children.  I always saw this as no problem in terms of how the program was
designed.

Has anyone else seen possible dead-locks in berkeley db 4.6 as provided
by the OpenBSD ports?  If not there is a chance it's my program meaning
I'll never figure out what is causing this because I have planned on
replacing berkeley db altogether, however if it's a known bug it would
save me the effort next year.  The DNS server was built with OpenBSD as
the development machine and is now also running in a strict OpenBSD
environment on my VPS's.

Thanks in advance for your sharing,

-peter



Re: Is 6.1 expected to happen soon?

2016-11-04 Thread Paul de Weerd
On Thu, Nov 03, 2016 at 07:42:01PM -0600, Theo de Raadt wrote:
| We need to learn somehow.  Sometimes the commit-pullout-recommit-
| pullout-recommit-pullout-recommit-pullout-recommit-pullout-recommit
| process is too costly.  Want to help shortcut?  Run snapshots?
| 
| Afraid of that?  Don't worry, it happens randomly, rarely and
| sporadically and you likely won't get hit except 1 round of builds.
| Someone will hit it first, we hope.
| 
| Otherwise run releases, and don't participate in the process that
| makes the next release better.  We ask for a bit of snapshot use, but
| you get to make your own choices.

My approach the last few years has been to very frequently update
local, less important, machines (my laptop and workstation).  Then,
when the snapshot is fine on those machines (which it usually is), I
update my home gateway with some of those snaps (it has a different
workload, so it tends to exercise other codepaths possibly finding
bugs I don't find on my laptop/workstation - and besides, reboots are
slightly more annoying, since I lose connectivity for like three whole
minutes while I wait for the machine to come up again).

When it's also fine on my home gateway, I sometimes roll it out to
other machines that run services on the internet.  Here I don't want
to reboot very frequently: that introduces brief downtime.  But
keeping track of source-changes@ and ports-changes@, sometimes bugs
are fixed (think Open/LibreSSL or random bugs in ports for some of the
software I run) which make upgrading a bit more pressing.

Anecdotally, snapshots are quite stable.  My workstation and laptop
almost never have problems, so I'm happy.  And when I do run into
issues, I try to report them to bugs@ so that they're fixed before I
move those more important machines forward.  Since they must move
forward at some point... :)

One thing I've not been doing very much lately is testing diffs that
are sent to tech@.  Time permitting, I'm hoping to pick that up again
soon, applying diffs to machines that are likely to be affected.

Anyway .. this is a very common and easy way to help OpenBSD
development: give feedback about new code.  I guess it's the easiest
approach after donating to the project.

-- 
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
 http://www.weirdnet.nl/