bgpd question...

2020-08-25 Thread mgraves
Hello
I am trying to understand the behavior of BGPD.  My setup is as below. I'm
trying to understand when BGPD will withdraw a route of a local interface.

/etc/hostname.vether0
inet 192.0.2.1 255.255.255.255

/etc/bgpd.conf
myas="65003"
AS $myas
router-id 1.0.0.1
network inet connected
fib-update yes
log updates
group "tests" {
  remote-as 65001
  local-address 192.168.1.111
  neighbor 192.168.1.114
}
allow from any
allow to any

When vether0 is in an UP state I look at the rib and see what I expect. The IP
of vether0 is in the rib.

router1# bgpctl show rib
   
claustrum# bgpctl show rib 
flags: * = Valid, > = Selected, I = via IBGP, A = Announced,
S = Stale, E = Error
origin validation state: N = not-found, V = valid, ! = invalid
origin: i = IGP, e = EGP, ? = Incomplete

flags ovs destination  gateway  lpref   med aspath origin
AI*>N 192.0.2.1/32 0.0.0.0   100 0 i
AI*>N 192.168.1.0/24   0.0.0.0   100 0 i
*   N 192.168.1.0/24   192.168.1.114 100 0 65001 i

When I down the vether0 interface with 'ifconfig vether0 down'

I would expect that the route is either removed or at least becomes invalid and
the announce is withdrawn.  But when I check the rib the 'A' and '*' flags are
still set.

router1# bgpctl show rib   
flags: * = Valid, > = Selected, I = via IBGP, A = Announced,
S = Stale, E = Error
origin validation state: N = not-found, V = valid, ! = invalid
origin: i = IGP, e = EGP, ? = Incomplete

flags ovs destination  gateway  lpref   med aspath origin
AI*>N 192.0.2.1/32 0.0.0.0   100 0 i
AI*>N 192.168.1.0/24   0.0.0.0   100 0 i
*   N 192.168.1.0/24   192.168.1.114 100 0 65001 i

The rib is unchanged.

Is this expected behavior?

Thank you in advance



Re: FireFox Browser 'Open File' error

2020-08-25 Thread Erling Westenvik
On Tue, Aug 25, 2020 at 07:24:20PM +0100, Tom Smyth wrote:

> as Bob Beck once said,
> "I want to be able to surf the web but I don't want my browser accessing my
> ssh keys..."

I think there's a Firefox extension for that. Themeable. Very modern.

Ew



Re: routing ipv6 over wireguard

2020-08-25 Thread Aisha Tammy
On 8/25/20 3:27 PM, Aisha Tammy wrote:
> Hi all,
>   I'm having some trouble getting wireguard to work nicely.
> 
> Goal: Try to give public ipv6 addresses to my wireguard peers.
> 
> How I've tried to tackle it is by giving the ip6 to the peer and
> then adding a route to the peer for the ipv6.
> 
> My vps (peer A) has ipv6 subnet - 2001:19f0:5:5cd5::0/64
> 
> And I give peer A on wg0 the address - 2001:19f0:5:5cd5::6942:6/112
Small correction, peer A was given the address - 2001:19f0:5:5cd5::6942:17/112

> Peer B has been given ipv6 - 2001:19f0:5:5cd5::6942:6/128
> 
> I've used wg-quick for now so when I try to get the route 
> 
> (peer A)$ route get 2001:19f0:5:5cd5::6942:6
>    route to: 2001:19f0:5:5cd5::6942:6
> destination: 2001:19f0:5:5cd5::6942:6
>        mask: :::::::
>   interface: wg0
>  if address: 2001:19f0:5:5cd5::6942:17
>    priority: 8 (static)
>       flags: 
>      use       mtu    expire
>       15         0         0
> 
> Everything seems fine for now, as I am also able to ping peer B from peer A!
> 
> But when I ping from any computer from outside the wireguard network 
> I don't get any pings back.
> 
> When I try to do some debugging via tcpdump on vio0 (egress interface)
> 
> (peer A)$ tcpdump -inet6 -i vio0 icmp6
> 15:23:04.918459 fe80::fc00:2ff:feee:5248 > ff02::1:ff42:6: icmp6: neighbor sol: who has 2001:19f0:5:5cd5::6942:6
> 
> (a lot of such lines)
> 
> I am not sure what is happening here.
> Is adding a route to peer B on peer A not enough?
> Am unsure how to go about getting this to work >.<
> Any help would be nice.
> 
> Thanks,
> Aisha
> 



routing ipv6 over wireguard

2020-08-25 Thread Aisha Tammy
Hi all,
  I'm having some trouble getting wireguard to work nicely.

Goal: Try to give public ipv6 addresses to my wireguard peers.

How I've tried to tackle it is by giving the ip6 to the peer and
then adding a route to the peer for the ipv6.

My vps (peer A) has ipv6 subnet - 2001:19f0:5:5cd5::0/64

And I give peer A on wg0 the address - 2001:19f0:5:5cd5::6942:6/112
Peer B has been given ipv6 - 2001:19f0:5:5cd5::6942:6/128

I've used wg-quick for now so when I try to get the route 

(peer A)$ route get 2001:19f0:5:5cd5::6942:6
   route to: 2001:19f0:5:5cd5::6942:6
destination: 2001:19f0:5:5cd5::6942:6
       mask: :::::::
  interface: wg0
 if address: 2001:19f0:5:5cd5::6942:17
   priority: 8 (static)
      flags: 
     use       mtu    expire
      15         0         0

Everything seems fine for now, as I am also able to ping peer B from peer A!

But when I ping from any computer from outside the wireguard network 
I don't get any pings back.

When I try to do some debugging via tcpdump on vio0 (egress interface)

(peer A)$ tcpdump -inet6 -i vio0 icmp6
15:23:04.918459 fe80::fc00:2ff:feee:5248 > ff02::1:ff42:6: icmp6: neighbor sol: who has 2001:19f0:5:5cd5::6942:6

(a lot of such lines)

I am not sure what is happening here.
Is adding a route to peer B on peer A not enough?
Am unsure how to go about getting this to work >.<
Any help would be nice.

Thanks,
Aisha
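
An added example, not part of the original post: the capture above shows vio0 receiving neighbor solicitations for peer B's address, and this Python sketch lists solicited targets that never receive a neighbor advertisement and derives the solicited-node multicast group each one is sent to. The sample capture is constructed from the post's tcpdump line; the `::100` address and all function names are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed capture in the style of the tcpdump output quoted in the post.
# The first two lines repeat the post's solicitation for peer B's address.
# The last two lines are made up for contrast: a solicitation for a
# hypothetical address (::100) configured directly on vio0, and its answer.
CAPTURE = """\
15:23:04.918459 fe80::fc00:2ff:feee:5248 > ff02::1:ff42:6: icmp6: neighbor sol: who has 2001:19f0:5:5cd5::6942:6
15:23:05.918501 fe80::fc00:2ff:feee:5248 > ff02::1:ff42:6: icmp6: neighbor sol: who has 2001:19f0:5:5cd5::6942:6
15:23:06.100000 fe80::fc00:2ff:feee:5248 > ff02::1:ff00:100: icmp6: neighbor sol: who has 2001:19f0:5:5cd5::100
15:23:06.100200 2001:19f0:5:5cd5::100 > fe80::fc00:2ff:feee:5248: icmp6: neighbor adv: tgt is 2001:19f0:5:5cd5::100
"""

# \s+ between words so that lines wrapped by a mail client still match.
SOL_RE = re.compile(r"neighbor\s+sol:\s+who\s+has\s+([0-9a-fA-F:]+)")
ADV_RE = re.compile(r"neighbor\s+adv:\s+tgt\s+is\s+([0-9a-fA-F:]+)")


def solicited_node(addr):
    """Solicited-node multicast group for addr: ff02::1:ff00:0/104 plus
    the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


def unanswered_solicitations(capture):
    """Map each solicited target with no matching advertisement in the
    capture to the number of times it was solicited."""
    asked = Counter(ipaddress.IPv6Address(a) for a in SOL_RE.findall(capture))
    answered = {ipaddress.IPv6Address(a) for a in ADV_RE.findall(capture)}
    return {t: n for t, n in asked.items() if t not in answered}


def tunnel_targets(unanswered, onlink_prefix, tunnel_addrs):
    """Unanswered targets that lie inside the prefix the upstream treats as
    on-link but are assigned to peers behind the tunnel interface."""
    net = ipaddress.IPv6Network(onlink_prefix)
    peers = {ipaddress.IPv6Address(a) for a in tunnel_addrs}
    return sorted(t for t in unanswered if t in net and t in peers)


if __name__ == "__main__":
    pending = unanswered_solicitations(CAPTURE)
    for target, count in pending.items():
        print(f"{target}: {count} solicitation(s) to {solicited_node(target)}, "
              "no advertisement seen")
    # Prefix and peer B address are the ones given in the post.
    behind_wg = tunnel_targets(pending, "2001:19f0:5:5cd5::/64",
                               ["2001:19f0:5:5cd5::6942:6"])
    for target in behind_wg:
        print(f"{target} is solicited on the egress link but lives behind wg0")
```
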



Re: FireFox Browser 'Open File' error

2020-08-25 Thread Kihaguru Gathura
Thank you for suggestions on unveil. Very helpful.

Caution on running browser as root well received.

Thanks and regards,

Kihaguru.

On Tue, Aug 25, 2020 at 9:37 PM Stuart Henderson 
wrote:

> On 2020-08-25, Kihaguru Gathura  wrote:
> > Hi,
> >
> > I have tested on a 64 bit version of the same ThinkPad T60 and error is
> > consistent..
>
> See /usr/local/share/doc/pkg-readmes/firefox about unveil
>
> > However Firefox opens files from any folder as root on these same machines
> > running OpenBSD 6.5.
>
> Running any browser as root is not really a smart move
>
>


an interesting case for BGP

2020-08-25 Thread Gregory Edigarov

Hello Everybody,

I was helping my friend to switch to a new ip block and asn recently and
ran into a situation where I need to announce a new network over the same
session

here's how i implemented this with quagga:

network xxx.xxx.xxx.0/24 route-map NEW

route-map NEW permit 30
set as-path prepend NEWAS NEWAS

ip prefix-list out-to-uplink seq 10 permit xxx.xxx.xxx.0/24


However, with OpenBGPD, it seems like I could not implement the trick 
because it only allows to prepend self or neighbor, not an arbitrary ASn.


Am I missing something?






Re: FireFox Browser 'Open File' error

2020-08-25 Thread Tom Smyth
Hello Kihaguru,
having a glancing look
I think this is because of unveil potentially
can you browse
/home/username/Downloads ?

unveil will restrict other parts of the filesystem that firefox
wouldn't typically need to access...

as Bob Beck once said,
"I want to be able to surf the web but I don't want my browser accessing my
ssh keys..."





On Tue, 25 Aug 2020 at 19:11, Kihaguru Gathura  wrote:

> Hi,
>
> I have tested on a 64 bit version of the same ThinkPad T60 and error is
> consistent..
>
> However Firefox opens files from any folder as root on these same machines
> running OpenBSD 6.5.
>
> Kind regards,
>
> Kihaguru.
>
>
>
>
> On Sat, Aug 22, 2020 at 9:34 AM Kihaguru Gathura 
> wrote:
>
> > Hi,
> >
> > Firefox fails to list files at 'File Open' with error message:
> >
> > (firefox:89328): dconf-WARNING **: 09:12:15.835: failed to commit changes
> > to dconf: The given address is empty
> >
> > Please advise
> >
> > Regards,
> >
> > Kihaguru.
> >
> >

Re: FireFox Browser 'Open File' error

2020-08-25 Thread Stuart Henderson
On 2020-08-25, Kihaguru Gathura  wrote:
> Hi,
>
> I have tested on a 64 bit version of the same ThinkPad T60 and error is
> consistent..

See /usr/local/share/doc/pkg-readmes/firefox about unveil

> However Firefox opens files from any folder as root on these same machines
> running OpenBSD 6.5.

Running any browser as root is not really a smart move



Re: FireFox Browser 'Open File' error

2020-08-25 Thread Chris Bennett
On Tue, Aug 25, 2020 at 08:59:34PM +0300, Kihaguru Gathura wrote:
> Hi,
> 
> I have tested on a 64 bit version of the same ThinkPad T60 and error is
> consistent..
> 
> However Firefox opens files from any folder as root on these same machines
> running OpenBSD 6.5.

Please don't run such software as root, ever.
Especially on old code that isn't supported anymore.

If this is a disposable version for testing only, then nevermind.

Chris Bennett

> 
> Kind regards,
> 
> Kihaguru.
> 
> 
> 
> 
> On Sat, Aug 22, 2020 at 9:34 AM Kihaguru Gathura  wrote:
> 
> > Hi,
> >
> > Firefox fails to list files at 'File Open' with error message:
> >
> > (firefox:89328): dconf-WARNING **: 09:12:15.835: failed to commit changes
> > to dconf: The given address is empty
> >
> > Please advise
> >
> > Regards,
> >
> > Kihaguru.
> >
> >

Re: FireFox Browser 'Open File' error

2020-08-25 Thread Kihaguru Gathura
Hi,

I have tested on a 64 bit version of the same ThinkPad T60 and error is
consistent..

However Firefox opens files from any folder as root on these same machines
running OpenBSD 6.5.

Kind regards,

Kihaguru.




On Sat, Aug 22, 2020 at 9:34 AM Kihaguru Gathura  wrote:

> Hi,
>
> Firefox fails to list files at 'File Open' with error message:
>
> (firefox:89328): dconf-WARNING **: 09:12:15.835: failed to commit changes
> to dconf: The given address is empty
>
> Please advise
>
> Regards,
>
> Kihaguru.
>
>

Re: FAQ file sets missing cmdbox

2020-08-25 Thread Aner Perez

On 8/25/20 10:33 AM, jungle Boogie wrote:
> On Tue, 25 Aug 2020 at 00:05, Greg Thomas  wrote:
> >
> > I'm getting pretty old and struggle with stuff like this more and more these
> > days but I don't see what is "very difficult to follow" about the current
> > layout, and  I'm not sure what's weird about it either?
>
> See if these photos illustrate the problem more clearly:
> https://imgur.com/a/zT6hAxi


Looks like you may have been playing with the font sizes in your browser preferences (e.g. 
General > Fonts and Colors > Advanced... > Monospace > Size).  If I change my monospace 
font size to 17 (bigger than the Proportional font) I get the effect in your screenshot. 
The reason is that the "dt" tags are styled as "float: left" and if the "dt" is taller 
than the "dd" it will float left up to the previous "dt" instead of all the way to the 
left.  You could add a "clear: left" to the CSS for the "dt" but then the "dt" and 
corresponding "dd" do not line up.


Using CSS "float" for layout is a minefield.

- Aner



Re: multiple simultaneous X sessions?

2020-08-25 Thread Luke Call
On 08-25 01:55, Eldritch wrote:
> > Rather, I'm looking for a full separation between the users,
> > nothing shared but the obsd kernel and hardware, and no more overhead for
> > each one than X normally has, since each user is just running
> > flat normal X, but fully and independently of the other X user.  Am I
> > mistaken in how I understand Xnest and Xephyr?
>  
> It's possible to run multiple X servers. As far as I know all you would
> have to do is add another line to /etc/X11/xenodm/Xservers and edit
> /etc/ttys to not launch a tty on the console window you selected.
> 
> Although you don't really need multiple X servers for privilege
> separation. ssh and vnc open an untrusted connection to the X server,
> which you can do manually with xauth.
> 
> I managed to get Firefox running as an untrusted client with the
> following snippet in /etc/X11/xenodm/Xsetup_0:
> 
> user=_firefox
> auth=/home/$user/.Xauthority
> umask 077
> xauth -f $auth generate :0 . untrusted timeout 0
> chown $user:$user $auth
> chmod 0600 $auth
> 
> And then starting it as the unprivileged _firefox user.

Thank you!  I need to spend some time trying your suggestions, including
getting my mind around xauth usage, then testing it with things like
xinput or xev, to make sure that, like with "ssh -X...", it prevents any
user from getting keystrokes sent to apps which run as other users (though
I realize ssh -X doesn't hide mouse events or prevent clipboard sharing, or
some such IIRC), and that the total attack surface isn't much larger, etc.

-- 
Luke Call

"...I, the Lord, justify you...in befriending that law which is the 
constitutional law 
of the land Wherefore, when the wicked rule the people mourn.  Wherefore, 
honest men 
and wise men should be sought for diligently, and good men and wise men ye 
should observe 
to uphold; ...whatsoever is less than these cometh of evil."  (Doctrine & 
Covenants 98:6,9-10.
>From 1833, when I think "men" often meant "persons".  More at my site: 
>lukecall.net .)

I think *honesty*, the Constitution and the rule of law (as opposed to of 
individuals), 
are far more important, relatively, than most or all policy issues, even 
important ones.



Re: FAQ file sets missing cmdbox

2020-08-25 Thread jungle Boogie
On Tue, 25 Aug 2020 at 08:21, Aner Perez  wrote:

>
> Looks like you may have been playing with the font sizes in your browser 
> preferences (e.g.
> General > Fonts and Colors > Advanced... > Monospace > Size).

I haven't changed from the default of what Firefox has. I just created
a new firefox profile and have the same results as in the picture.

At any rate, somehow it doesn't affect a wider audience and therefore
it's fine as is.



Re: FAQ file sets missing cmdbox

2020-08-25 Thread Rafael Possamai
On Tue, 25 Aug 2020 at 00:05, Greg Thomas  wrote:
>
> I'm getting pretty old and struggle with stuff like this more and more these 
> days but I don't see what is "very difficult to follow" about the current 
> layout, and  I'm not sure what's weird about it either?

>>See if these photos illustrate the problem more clearly:
>>https://imgur.com/a/zT6hAxi

There seems to be a difference in rendering with Chromium vs Firefox. The issue 
you present with Firefox doesn't seem to happen with Chromium. 



Re: FAQ file sets missing cmdbox

2020-08-25 Thread Rafael Possamai
>FWIW firefox (79.0) renders everything correctly at any width, including
>on "device simulation" mode.  I have an old Android (5.1) device around
>with a 480x854 screen and Chrome 79 also displays everything properly.

Just tested on Firefox, both on desktop and mobile (android). On desktop the 
indentations render as expected, and on mobile it's formatted more like a table 
(justified). I don't see an issue here, and not sure if it's worth "fixing" the 
FAQ for every fringe end-user scenario.

Personally I can get along with minor formatting issues, my main concern being 
the content itself.



Re: FAQ file sets missing cmdbox

2020-08-25 Thread jungle Boogie
On Tue, 25 Aug 2020 at 00:05, Greg Thomas  wrote:
>
> I'm getting pretty old and struggle with stuff like this more and more these 
> days but I don't see what is "very difficult to follow" about the current 
> layout, and  I'm not sure what's weird about it either?

See if these photos illustrate the problem more clearly:
https://imgur.com/a/zT6hAxi



Re: multiple simultaneous X sessions?

2020-08-25 Thread James Cook

> Rather, I'm looking for a full separation between the users,
> nothing shared but the obsd kernel and hardware, and no more overhead for
> each one than X normally has, since each user is just running
> flat normal X, but fully and independently of the other X user.  Am I
> mistaken in how I understand Xnest and Xephyr?


Right, I think the vnc / Xnest / Xephyr suggestions assume you've got 
one "main" user accessing the sessions that belong to the other users.


I don't really know enough to comment on how much any of this helps with 
security.


--
James



Re: bgpd config advice needed

2020-08-25 Thread Florian Obser
On Tue, Aug 25, 2020 at 09:48:04AM -, Stuart Henderson wrote:
> 
> Guesses can be made, but a quick email might get a more accurate
> answer :) "Hi, I see you are padding your announcements at $IX and we
> are seeing you from other peers with the same path length, would you
> prefer we send to you directly or via 64512?"

Don't forget the circuit id.
SCNR

-- 
I'm not entirely sure you are real.



Re: bgpd config advice needed

2020-08-25 Thread Stuart Henderson
On 2020-08-25, Remi Locherer  wrote:
> On Tue, Aug 25, 2020 at 07:11:12AM -, Stuart Henderson wrote:
>> On 2020-08-24, Claudio Jeker  wrote:
>> > On Mon, Aug 24, 2020 at 04:36:10PM +, Laura Smith wrote:
>> >> *>  N 2001:db8:::/29   2001:db8::::1    100   100 
>> >> 64512 65500 i
>> >> *   N 2001:db8:::/29   2001:db8::::2    100   100 
>> >> 65500 65500 i
>> >> 
>> >> In this example, both 64512 and 65500 are peers (med=100) but obviously 
>> >> 65500 65500 should be the preferred route.
>> 
>> That's not obvious to me. (The behaviour would be the same with the more
>> common localpref setting too).
>
> AS path length is the same for both cases and med is also the same. The
> selected path comes from the peer with the lowest IP address I guess.

Or weight, optionally route-age, BGP ID/ORIGINATOR_ID.

>> > Now it is a bit strange that an AS is prepending on peering. I wonder why
>> > they do that (is their connection to the IX undersized?).
>> 
>
> Maybe AS 65500 just arranged a new peering with AS 64512 and now needs to
> impose more traffic to suffice some peering agreements?
>
> Dr. Peering might give some hints. ;-)
> http://drpeering.net/tools/HTML_IPP/ipptoc.html

Guesses can be made, but a quick email might get a more accurate
answer :) "Hi, I see you are padding your announcements at $IX and we
are seeing you from other peers with the same path length, would you
prefer we send to you directly or via 64512?"




Re: FAQ file sets missing cmdbox

2020-08-25 Thread Zé Loff
On Tue, Aug 25, 2020 at 01:25:36AM -0700, Greg Thomas wrote:
> Interesting.  I used my phone a bunch to check the FAQ when I got back to
> OpenBSD a couple of months ago, and I'm checking on my phone now
> (Android/Chrome), and it still looks fine.

A bit like the OP, I wasn't specific enough, apologies.  On my desktop
(-current-ish, iridium-2020.04.81p2) everything's fine even with very
narrow windows.  However, if I use Developer Mode to simulate a mobile
device the indentation gets messed up, even at large page widths: each
 inside the  gets rendered further and further right and starts
pushing the s as well.

FWIW firefox (79.0) renders everything correctly at any width, including
on "device simulation" mode.  I have an old Android (5.1) device around
with a 480x854 screen and Chrome 79 also displays everything properly.

Maybe the problem is on Chrome's "device simulation" renderer, and if
that is the case, apologies for the noise.  As the OP wasn't entirely
clear, I was guessing what the problem could be and stumbled upon that.

> On Tue, Aug 25, 2020 at 1:04 AM Zé Loff  wrote:
> 
> >
> > On Tue, Aug 25, 2020 at 12:04:57AM -0700, Greg Thomas wrote:
> > > I'm getting pretty old and struggle with stuff like this more and more
> > > these days but I don't see what is "very difficult to follow" about the
> > > current layout, and  I'm not sure what's weird about it either?
> >
> > Indentation gets messed up on a narrow screen/window, I think that's
> > what the OP meant.
> >
> > > On Mon, Aug 24, 2020 at 10:09 PM Jungle Boogie 
> > > wrote:
> > >
> > > > Hi,
> > > >
> > > > I don't think it's intended for the file sets section of the FAQ to be
> > > > formatted so weird. If the current layout is correct, it's very
> > > > difficult to follow.
> > > >
> > > > https://www.openbsd.org/faq/faq4.html#FilesNeeded
> > > >
> > > > I think the section needs to go into the cmdbox class, such as the
> > > > simple install section above the file sets.
> > > >
> > > > Thanks,
> > > > j.b.
> > > >
> > > >
> >
> > --
> >
> >

-- 
 



Re: FAQ file sets missing cmdbox

2020-08-25 Thread Greg Thomas
Interesting.  I used my phone a bunch to check the FAQ when I got back to
OpenBSD a couple of months ago, and I'm checking on my phone now
(Android/Chrome), and it still looks fine.

On Tue, Aug 25, 2020 at 1:04 AM Zé Loff  wrote:

>
> On Tue, Aug 25, 2020 at 12:04:57AM -0700, Greg Thomas wrote:
> > I'm getting pretty old and struggle with stuff like this more and more
> > these days but I don't see what is "very difficult to follow" about the
> > current layout, and  I'm not sure what's weird about it either?
>
> Indentation gets messed up on a narrow screen/window, I think that's
> what the OP meant.
>
> > On Mon, Aug 24, 2020 at 10:09 PM Jungle Boogie 
> > wrote:
> >
> > > Hi,
> > >
> > > I don't think it's intended for the file sets section of the FAQ to be
> > > formatted so weird. If the current layout is correct, it's very
> > > difficult to follow.
> > >
> > > https://www.openbsd.org/faq/faq4.html#FilesNeeded
> > >
> > > I think the section needs to go into the cmdbox class, such as the
> > > simple install section above the file sets.
> > >
> > > Thanks,
> > > j.b.
> > >
> > >
>
> --
>
>


hostctl -q print no information

2020-08-25 Thread Masato Asou
I am using OpenBSD-current on VMware ESXi.

The hostinfo command prints no information with the -q option.  Is this
expected behavior?

$ hostctl guestinfo.ip
172.19.200.100
$ hostctl -q guestinfo.ip
$ 

The following is an extract from man hostctl.

 -q  Don't ask for confirmation of any default options.

--
ASOU Masato



Re: FAQ file sets missing cmdbox

2020-08-25 Thread Zé Loff


On Tue, Aug 25, 2020 at 12:04:57AM -0700, Greg Thomas wrote:
> I'm getting pretty old and struggle with stuff like this more and more
> these days but I don't see what is "very difficult to follow" about the
> current layout, and  I'm not sure what's weird about it either?

Indentation gets messed up on a narrow screen/window, I think that's
what the OP meant.

> On Mon, Aug 24, 2020 at 10:09 PM Jungle Boogie 
> wrote:
> 
> > Hi,
> >
> > I don't think it's intended for the file sets section of the FAQ to be
> > formatted so weird. If the current layout is correct, it's very
> > difficult to follow.
> >
> > https://www.openbsd.org/faq/faq4.html#FilesNeeded
> >
> > I think the section needs to go into the cmdbox class, such as the
> > simple install section above the file sets.
> >
> > Thanks,
> > j.b.
> >
> >

-- 
 



Re: rtables and kernel routes

2020-08-25 Thread openbsd
Amazing answer, thanks Claudio and Sebastian. Will alter my rules
accordingly. It all makes sense now that I understand how PF
routing/filtering works under the hood, at least in principle.

On Fri, Aug 21, 2020 at 5:36 PM Sebastian Benoit  wrote:
>
> Claudio Jeker(cje...@diehard.n-r-g.com) on 2020.08.21 09:04:09 +0200:
> > On Fri, Aug 21, 2020 at 08:45:36AM +0200, open...@kene.nu wrote:
> > > Hello,
> > >
> > > I am seeing rather strange, or maybe expected, behaviour. I utilise
> > > rtables to send internal traffic towards the internet via a default
> > > route in rtable 2. The traffic is punted to rtable 2 with pf. The
> > > strangeness I am seeing is that unless there is a matching dummy route
> > > in rtable 0 the traffic gets dropped on ingress hence the pf ruleset
> > > > that moves it into rtable 2 is never evaluated.
> > > >
> > > > Is this expected? The man pages for rdomain seem to suggest so but it
> > > is not explicitly stated.
> >
> > I guess with internal traffic you mean traffic on the local LAN that is
> > forwarded by the router. Not traffic local to the machine.
> >
> > pf(4) runs twice in your box. Once on packet reception (in rules) and once
> > before sending out a packet (out rules). In between these two checkpoints
> > packet forwarding happens (if forwarding is enabled and traffic is
> > not for the local system). During forwarding a route lookup is made and
> > based on that lookup the packet is sent out on the right interface.
> > If this lookup fails the packet can't be forwarded and is dropped. Now
> > the pf hook for out rules happens after this point and so a valid route is
> > required to get there.
> >
> > In your case you either need a (default) route in rtable 0 so that traffic
> > makes it to the out rule that then changes the rtable to 2 and sends out
> > the packet towards the internet or you need to change the rtable on input
> > (match in ... rtable 2) so that the forwarding lookup is done on rtable 2
> > (where there is a valid route to the destination).
> >
> > It seems most people prefer to write pf rulesets like yours with out rules
> > and so a dummy default route in rtable 0 is needed but from a technical
> > perspective it is better to do the rtable change on input. By doing so you
> > actually save an extra route lookup (the one on rtable 0 hitting the dummy
> > route).
>
> Even if you use the "match in ... rtable 2" solution (which you should), you
> may want to add a default route to rdomain 0, because this problem can
> happen in other cases as well.
>
> To make sure your route points packets to nowhere, but make pf work you can
> do this (in one of your hostname.* files):
>
> !/sbin/route add -inet 0.0.0.0/0 127.0.0.1 -blackhole
>
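
The input-side approach Claudio and Sebastian describe above, written out as an added configuration sketch (not part of the original posts). The interface name, LAN prefix and gateway address are assumed placeholders; only the blackhole route line is taken from the thread.

```conf
# --- /etc/pf.conf (fragment) -------------------------------------------
# Assumed placeholders, not from the thread:
int_if  = "em1"            # LAN-facing interface
lan_net = "10.0.0.0/24"    # internal prefix that should exit via rtable 2

# Switch to rtable 2 on input. pf's "in" rules run before the forwarding
# route lookup, so the lookup is then made in rtable 2, where a valid
# default route exists, instead of in rtable 0.
match in on $int_if inet from $lan_net rtable 2

# --- /etc/hostname.em1 (extra lines) -----------------------------------
# Default route inside rtable 2; 198.51.100.1 is a documentation-range
# placeholder for the real upstream gateway.
!/sbin/route -T 2 add -inet default 198.51.100.1

# Safety net from the thread: a blackholed default route in rtable 0, so
# the forwarding lookup does not fail for packets that never matched the
# rtable rule, while the route itself points them nowhere.
!/sbin/route add -inet 0.0.0.0/0 127.0.0.1 -blackhole
```

`pfctl -nf /etc/pf.conf` parses the ruleset without loading it, and `route -T 2 -n show -inet` lists the routes present in rtable 2.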



Re: bgpd config advice needed

2020-08-25 Thread Remi Locherer
On Tue, Aug 25, 2020 at 07:11:12AM -, Stuart Henderson wrote:
> On 2020-08-24, Claudio Jeker  wrote:
> > On Mon, Aug 24, 2020 at 04:36:10PM +, Laura Smith wrote:
> >> *>  N 2001:db8:::/29   2001:db8::::1    100   100 
> >> 64512 65500 i
> >> *   N 2001:db8:::/29   2001:db8::::2    100   100 
> >> 65500 65500 i
> >> 
> >> In this example, both 64512 and 65500 are peers (med=100) but obviously 
> >> 65500 65500 should be the preferred route.
> 
> That's not obvious to me. (The behaviour would be the same with the more
> common localpref setting too).

AS path length is the same for both cases and med is also the same. The
selected path comes from the peer with the lowest IP address I guess.

> 
> > Now it is a bit strange that an AS is prepending on peering. I wonder why
> > they do that (is their connection to the IX undersized?).
> 

Maybe AS 65500 just arranged a new peering with AS 64512 and now needs to
impose more traffic to suffice some peering agreements?

Dr. Peering might give some hints. ;-)
http://drpeering.net/tools/HTML_IPP/ipptoc.html



Re: bgpd config advice needed

2020-08-25 Thread Stuart Henderson
On 2020-08-24, Claudio Jeker  wrote:
> On Mon, Aug 24, 2020 at 04:36:10PM +, Laura Smith wrote:
>> *>  N 2001:db8:::/29   2001:db8::::1    100   100 64512 
>> 65500 i
>> *   N 2001:db8:::/29   2001:db8::::2    100   100 65500 
>> 65500 i
>> 
>> In this example, both 64512 and 65500 are peers (med=100) but obviously 
>> 65500 65500 should be the preferred route.

That's not obvious to me. (The behaviour would be the same with the more
common localpref setting too).

> Now it is a bit strange that an AS is prepending on peering. I wonder why
> they do that (is their connection to the IX undersized?).

Certainly possible. Maybe ask the peer?




Re: FAQ file sets missing cmdbox

2020-08-25 Thread Greg Thomas
I'm getting pretty old and struggle with stuff like this more and more
these days but I don't see what is "very difficult to follow" about the
current layout, and  I'm not sure what's weird about it either?

On Mon, Aug 24, 2020 at 10:09 PM Jungle Boogie 
wrote:

> Hi,
>
> I don't think it's intended for the file sets section of the FAQ to be
> formatted so weird. If the current layout is correct, it's very
> difficult to follow.
>
> https://www.openbsd.org/faq/faq4.html#FilesNeeded
>
> I think the section needs to go into the cmdbox class, such as the
> simple install section above the file sets.
>
> Thanks,
> j.b.
>
>