Re: OpenSMTP lmtp without unix users

2024-04-27 Thread Nicolas Goy
On Sat Apr 27, 2024 at 5:31 PM CEST, Nicolas Goy wrote:
>
> How can I make it work with a single vmail unix user? Without losing the
> catchall?

Ok, I finally figured it out with the answer I got.

I tried to use the rcpt-to flag in deliver in the smtpd.conf, but I always ended
up with non-existing users.

The thing is, in vusers, there must be aliases to emails AND at the end, an alias
to the virtual user, like:

a...@example.com a...@example.com
@ m...@example.com
m...@example.com vmail
a...@example.com vmail

Then, rcpt-to must be added in the smtpd.conf, like so

  action deliver lmtp "/var/dovecot/lmtp" rcpt-to virtual <vusers>

Then dovecot will get emails with the full email address as username, but that
can easily be mapped to the correct folder with

  mail_home=/srv/mail/%Ln  # (%Ln instead of %Lu)

Of course, the vusers table above will need to have different local part for all
users, but that's ok in my case.

-- 
Nicolas Goy
Developer and electronic engineer
Goyman SA

https://kuon.ch
https://goyman.com



OpenSMTP lmtp without unix users

2024-04-27 Thread Nicolas Goy
Hello,

I have my OpenSMTP server configured as follows:

pki mx-pki cert "xxx"
pki mx-pki key  "xxx"

filter   "rdns" phase connect match   !rdns disconnect "550 DNS error"
filter "fcrdns" phase connect match !fcrdns disconnect "550 DNS error"
filter "rspamd" proc-exec "/usr/local/libexec/smtpd/filter-rspamd"
filter "rspamd-dkim" proc-exec "/usr/local/libexec/smtpd/filter-rspamd -settings-id dkim"

srs key "xxx"

table creds    file:/etc/mail/creds
table vdoms    file:/etc/mail/vdoms
table vusers   file:/etc/mail/vusers
table aliases  file:/etc/mail/aliases

# Inbound from external
listen on re0 tls pki mx-pki filter { "rdns", "fcrdns", "rspamd" }

# Run rspamd on outgoing for DKIM
listen on re0 port 587 tls pki mx-pki auth-optional <creds> filter "rspamd-dkim"

action expand expand-only alias <aliases>
action deliver lmtp "/var/dovecot/lmtp" virtual <vusers>
action send relay helo  srs

match from local for local action expand
match from local !for domain <vdoms> action send
match from any for domain <vdoms> action deliver
match from auth for any action send
match from src 10.0.0.0/8 for any action send


Now, in vdom, I have a list of domains that I accept email for:

a.com
b.com
...

And in vusers, I have something like this:

exter...@a.com someth...@gmail.com
foo...@a.com foobar
@ kuon

Now this works, emails received for exter...@a.com are relayed back to 
someth...@gmail.com
and foo...@a.com is delivered to the foobar user and the rest to my user kuon.

The problem is that this requires the local users kuon and foobar.

How can I make it work with a single vmail unix user? Without losing the
catchall?

Thanks

-- 
Nicolas Goy
Developer and electronic engineer
Goyman SA

https://kuon.ch
https://goyman.com



Re: snmpd dies

2024-01-07 Thread Nicolas Goy

On 07.01.24 09:37, Martijn van Duren wrote:

On Sat, 2024-01-06 at 16:12 +0100, Nicolas Goy wrote:

Unfortunately this isn't enough to give me a hint where the issue might
be... Let's keep an eye out and hope that we can gather some more
context next time, or that I can find something during normal
development.



Yeah, I took a glimpse at the logs and I thought it wouldn't help that 
much, but I still sent them because maybe it might help later.


I kept the agent in verbose mode and I will send the logs again if it 
crashes again.


Thanks for your time.

Have a great day

--
Nicolas Goy
Engineer & Developer

https://www.kuon.ch
https://www.goyman.com



snmpd dies

2024-01-05 Thread Nicolas Goy

Hello,

I am on OpenBSD 7.4 amd64 and today snmpd died with the following error 
message:


snmpd[44109]: AgentX(1207475061): Protocol error
<27>snmpd_metrics[52600]: [fd:0 sess:3150713266 ctx:]: unsupported call: agentx-Close-PDU
snmpd[44109]: AgentX(1207475061/3150713266): Closed by snmpd (shutting down)
<26>snmpd[44109]: snmpe: AgentX(1207475061): disappeared unexpected



My snmpd.conf

listen on :::1 snmpv2c
listen on xxx.xxx.xxx.1 snmpv2c
filter-pf-addresses yes
filter-routes yes

read-only community public


Any idea if there is something wrong or if it is just an snmpd bug?

Regards

--
Nicolas Goy
Engineer & Developer

https://www.kuon.ch
https://www.goyman.com



Re: Smtpd is not adding message-id

2023-10-10 Thread Nicolas Goy

On 09.10.23 22:56, Todd C. Miller wrote:


I just committed the fix but I don't think there is a workaround.
You will need to patch and recompile smtpd.



Thank you very much.

Have a great day

--
Nicolas Goy
Engineer & Developer

https://www.kuon.ch
https://www.goyman.com



Smtpd is not adding message-id

2023-10-09 Thread Nicolas Goy

Hello,

I am hitting this issue with some go based process that sends emails:

https://github.com/OpenSMTPD/OpenSMTPD/issues/1068

Basically the client is not putting any Message-Id header and smtpd is 
not adding it when sending the email.


Do you have an idea how to work around it? Or do I need to patch and 
recompile smtpd?


Regards

--
Nicolas Goy
Engineer & Developer

https://www.kuon.ch
https://www.goyman.com



Re: IPv4 to IPv6 mapping

2023-04-12 Thread Nicolas Goy
On Wed, 2023-04-12 at 21:42 +, Stuart Henderson wrote:
> On 2023-04-12, Gabor LENCSE  wrote:
> > 
> 
> That's for the opposite translation (v6 connection to "fake" addresses
> mapped to v4).
> 
> Nicolas wants the other direction. af-to can do that as well, to a fixed
> address, but doesn't currently have a way to extract the v4 address and
> embed it in a fake v6 address.
> 

Yeah, I don't see a problem technically, but af-to does not support it.

I'll see if I can find a solution with some kind of proxy outside pf.

-- 
Nicolas Goy
Developer & Engineer

https://kuon.ch
https://goyman.com



Re: IPv4 to IPv6 mapping

2023-04-11 Thread Nicolas Goy
On Fri, 2023-04-07 at 10:30 +, Stuart Henderson wrote:
> On 2023-04-04, Nicolas Goy  wrote:
> 
> 
> Looking at pf.conf(5) for syntax I just tried something fairly
> obvious:
> 
> pass in quick log proto tcp from any to $v4_address port 8383 af-to inet6 from $dummy_v6_address to $listening_v6_address
> 

Yeah, but as you said, you lose source address.

I was trying to get the effect that the source address would be changed
in a predictable way.

For example, instead of dummy_v6_address, you give a /96 subnet, and
the source ipv4 would be put in the last 32 bits. But af-to seems to be
only able to do that with destination.



-- 
Nicolas Goy
Developer & Engineer

https://kuon.ch
https://goyman.com



Re: IPv4 to IPv6 mapping

2023-04-04 Thread Nicolas Goy
On Sun, 2023-04-02 at 15:49 +, Stuart Henderson wrote:
> On 2023-04-02, Jared Harper  wrote:
> > On Sun, Apr 2, 2023, at 6:56 AM, Nicolas Goy wrote:
> > > Hello,
> > > 
> > > Is it possible, with pf, to expose an ipv6 server on an ipv4 port?
> > > 
> > > Something like this:
> > > 
> > > -req on 1.2.3.4:80->pf->[1:2:3:4::1]:80
> > > 
> > > I know this doesn't work:
> > > 
> > > pass in on any proto {tcp, udp} to $wan_ip port {80, 443} rdr-to $some_ipv6
> > > 
> > > I know af-to can map between families, but I don't know if I can couple
> > > it with rdr-to in some way.
> > 
> > This seems like a job for relayd.
> 
> Or af-to.
> 
> 

How would you use af-to in this configuration?

-- 
Nicolas Goy
Developer & Engineer

https://kuon.ch
https://goyman.com



IPv4 to IPv6 mapping

2023-04-02 Thread Nicolas Goy
Hello,

Is it possible, with pf, to expose an ipv6 server on an ipv4 port?

Something like this:

-req on 1.2.3.4:80->pf->[1:2:3:4::1]:80

I know this doesn't work:

pass in on any proto {tcp, udp} to $wan_ip port {80, 443} rdr-to $some_ipv6

I know af-to can map between families, but I don't know if I can couple
it with rdr-to in some way.




Thanks

-- 
Nicolas Goy
Developer & Engineer

https://kuon.ch
https://goyman.com



Re: Selecting a 10G NIC

2023-02-17 Thread Nicolas Goy

On 17.02.23 19:28, Hrvoje Popovski wrote:




long time ago i've stopped worrying about performance and start learning
about features that pf and openbsd gave me



This is also my general mood, pf and openbsd provide an ecosystem we can 
rely on, keeping this is very valuable to us.


I'll go with the fastest ryzen and an Intel NIC.

Thanks

--
Nicolas Goy
Engineer & Developer

https://www.kuon.ch
https://www.goyman.com



Selecting a 10G NIC

2023-02-17 Thread Nicolas Goy

I know this question has been answered multiple times, but I wonder if things
changed with 7.2.

Which NIC would provide the best performance with 10G physical layer with
OpenBSD?

I have choice between intel e810, x710, x550, x520, broadcom BCM957414A4142CC
or maybe even something else.

It will be forwarding through pf.

Thanks


--
Nicolas Goy
Engineer & Developer

https://www.kuon.ch
https://www.goyman.com



Re: Configuration of static ipv6 router

2022-08-15 Thread Nicolas Goy
On Sat 06 Aug 2022 - 09:51, Zack Newman wrote:
> Correction. Apparently even though it is not explicitly stated,
> Section 2.4 merely allocates fe80::/10 for link-local addresses while
> Section 2.5.6 defines what range, fe80::/64, from that allocation is
> currently valid, so it is not a contradiction; just poorly worded.
> 
> Source: 
> https://community.cisco.com/t5/ipv6/ipv6-link-local-address-space/td-p/3411919
> 

As a follow up, I was able to get my ISP to change the link local
address of their cisco and now everything works.

I realize I've been a bit vague in this thread as I was debugging the
issue. And I am very grateful that regardless you were able to guide me
to the solution.

Best regards

-- 
Nicolas Goy
Engineer & Developer

https://www.kuon.ch
https://www.goyman.com



Re: Configuration of static ipv6 router

2022-08-04 Thread Nicolas Goy
On Fri 29 Jul 2022 - 14:08, Stuart Henderson wrote:
> On 2022-07-28, Nicolas Goy  wrote:
> >
> > Ok, I think I found the issue.
> >
> > The cisco is using the address fe80:b2b:11fe:161::2  but for some
> > reason, openbsd doesn't link this.
> >
> > I cannot ping fe80:b2b:11fe:161::2%vport0 
> >
> > The system is adding fe80::%vport0/64 to the routing table.
> >
> > I am not sure, but I think that's the cause.
> >
> > I tried to add it to the routing table but it says "file exists".
> 
> I suggest you send output from the commands which show the current
> actual state of the system, i.e. netstat -rnfinet6, ifconfig -A, etc.
> And instead of e.g. "I cannot ping X", show the actual command you
> typed and what happened.
> 
> For anyone who might have an idea what's up, it's a lot easier to read
> these than it is to interpret information from english descriptions,
> and might give some clues from things which you didn't describe.
> Also it's much easier to compare this with how things look on a working
> system.
> 
> I don't think there's a dmesg in the information scattered in the
> thread either, sometimes that is useful, which is why it's always
> requested.
> 
> 


Well, yes, maybe I missed some info.

But hopefully someone figured it out, my ISP is using a link local
address that does not follow RFC 4129 which states that there must be 54
0 before the interface id.

https://www.rfc-editor.org/rfc/rfc4291.html#section-2.5.6

I asked my ISP to change the link local address, but no answer yet,
they are "working on it".



-- 
Nicolas Goy
Engineer & Developer

https://www.kuon.ch
https://www.goyman.com



OpenBSD 7.1 : reorder_kernel: failed

2022-07-29 Thread Nicolas

Hello,

I recently used the multiprocessor kernel on my OpenBSD 7.1 computer,
using this command :

cp bsd bsd.sp && cp bsd.mp bsd

Since then, I have this message in /var/log/messages :

Jul 25 20:17:05 server reorder_kernel: failed -- see
/usr/share/relink/kernel/GENERIC.MP/relink.log

Here is the contents of the relink.log file :
(SHA256) /bsd: OK

LD="ld" sh makegap.sh 0x gapdummy.o
ld -T ld.script -X --warn-common -nopie -o newbsd ${SYSTEM_HEAD} vers.o
${OBJS}
ld: error: duplicate symbol: i915_get_bridge_dev
>>> defined at i915_drv.c:106
(/usr/src/sys/dev/pci/drm/i915/i915_drv.c:106)
>>>    i915_drv.o:(i915_get_bridge_dev)
>>> defined at i915_dma.c:206
(/usr/src/sys/dev/pci/drm/i915/i915_dma.c:206)
>>>    i915_dma.o:(.text+0x0)
*** Error 1 in /usr/share/relink/kernel/GENERIC.MP (Makefile:999
'newbsd': @echo ld -T ld.script -X --warn-common -nopie -o newbsd
'${SYSTEM...)

I did a :

sha256 -h /var/db/kernel.SHA256 /bsd
That did not change anything.

Here is what I have in / :

-rwx--   2 root  wheel  22977229 Jul 20 20:10 bsd
-rwx--   1 root  wheel  15629818 Sep 19  2019 bsd.backup
-rwx--   2 root  wheel  22977229 Jul 20 20:10 bsd.booted
-rw-r--r--   1 root  wheel  22977229 Apr 22 13:40 bsd.mp
-rw---   1 root  wheel   4606368 Apr 22 13:40 bsd.rd
-rw---   1 root  wheel  22863908 Jul 20 20:09 bsd.sp

The computer seems to run fine. I don't know if that error message is
important.

What's your opinion, could you help me with that message ?

Thank you !

Nicolas, Paris

PS : BTW, that's the computer which froze some time ago. I sent some
messages about that issue in the past. From then, it hasn't frozen
anymore ! Fingers crossed !



Re: Configuration of static ipv6 router

2022-07-28 Thread Nicolas Goy
On Thu 28 Jul 2022 - 12:20, Kevin Wallace wrote:
> On 2022-07-28 11:32 AM, Nicolas Goy wrote:
> > I found something weird that might be a bug.
> 
> > ping6 fe80:b2b:11fe:161::2%vport0
> 
> The KAME IPv6 code uses the second word of link-local addresses for
> internal bookkeeping, and clears it before sending the packet over the
> wire.  Addresses within fe80::/10 but outside of fe80::/32 will cause
> weirdness like this.  See
> https://github.com/kame/kame/blob/master/IMPLEMENTATION, section 1.3.1

Is there a workaround? It seems those link local addresses are common
with cisco routers.

Thanks
-- 
Nicolas Goy
Engineer & Developer

https://www.kuon.ch
https://www.goyman.com



Re: Configuration of static ipv6 router

2022-07-28 Thread Nicolas Goy


I found something weird that might be a bug.

If I do

doas ifconfig vport0 inet6 fe80::2/10

Then

ping6 fe80:b2b:11fe:161::2%vport0

On the tcpdump output, I see a different address


20:31:15.816576 fe80::fce1:baff:fed1:b34 > ff02::1:ff00:2: icmp6: neighbor sol: who has fe80:0:11fe:161::2


--
Nicolas Goy
Engineer & Developer

https://www.kuon.ch
https://www.goyman.com
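
Added example (not part of the original messages): a Python check for the two conditions discussed in this thread, the RFC 4291 section 2.5.6 layout (fe80::/64) and the KAME behaviour quoted from Kevin Wallace, modelled here simply as clearing the second 16-bit word of a link-local address. The function and field names are hypothetical.

```python
import ipaddress
from typing import NamedTuple

# RFC 4291 section 2.4 allocates fe80::/10 to link-local unicast;
# section 2.5.6 requires the 54 bits after that prefix to be zero,
# which leaves fe80::/64 as the valid range.
LINK_LOCAL_ALLOCATION = ipaddress.IPv6Network("fe80::/10")
LINK_LOCAL_FORMAT = ipaddress.IPv6Network("fe80::/64")

# Bits 16..31 of the address (the second 16-bit word). Per the KAME note
# quoted in the thread, the stack keeps internal bookkeeping in this word
# and clears it before the packet goes on the wire.
SECOND_WORD_SHIFT = 96
SECOND_WORD_MASK = 0xFFFF << SECOND_WORD_SHIFT


class LinkLocalReport(NamedTuple):
    address: str          # address as given, zone stripped
    zone: str             # interface name after '%', empty if none
    link_local: bool      # inside fe80::/10
    rfc4291_format: bool  # inside fe80::/64
    second_word: int      # value of the word the stack overwrites
    on_wire: str          # address once the second word is cleared


def check_link_local(text: str) -> LinkLocalReport:
    """Classify one address, accepting the addr%interface notation."""
    host, _, zone = text.strip().partition("%")
    addr = ipaddress.IPv6Address(host)
    value = int(addr)
    link_local = addr in LINK_LOCAL_ALLOCATION
    second_word = (value & SECOND_WORD_MASK) >> SECOND_WORD_SHIFT
    # Assumption of this model: only link-local addresses are rewritten.
    wire_value = value & ~SECOND_WORD_MASK if link_local else value
    return LinkLocalReport(
        address=str(addr),
        zone=zone,
        link_local=link_local,
        rfc4291_format=addr in LINK_LOCAL_FORMAT,
        second_word=second_word,
        on_wire=str(ipaddress.IPv6Address(wire_value)),
    )


def reachable_as_typed(report: LinkLocalReport) -> bool:
    """True when the address on the wire is the address that was asked for."""
    return report.on_wire == report.address


if __name__ == "__main__":
    # Addresses taken from the messages in this thread.
    for sample in (
        "fe80:b2b:11fe:161::2%vport0",   # ISP router's link-local address
        "fe80::7e10:c9ff:fe42:5cdc",     # source of the solicitation that works
        "fe80::fce1:baff:fed1:b34",      # OpenBSD side in the tcpdump line
    ):
        r = check_link_local(sample)
        print(f"{sample:32} rfc4291={r.rfc4291_format!s:5} "
              f"second_word={r.second_word:#06x} on_wire={r.on_wire}")
```

For the ISP router's address the `on_wire` field is the same address that appears in the neighbor solicitation captured by tcpdump above.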



Re: Configuration of static ipv6 router

2022-07-28 Thread Nicolas Goy


Ok, I think I found the issue.

The cisco is using the address fe80:b2b:11fe:161::2  but for some
reason, openbsd doesn't link this.

I cannot ping fe80:b2b:11fe:161::2%vport0 

The system is adding fe80::%vport0/64 to the routing table.

I am not sure, but I think that's the cause.

I tried to add it to the routing table but it says "file exists".


-- 
Nicolas Goy
Engineer & Developer

https://www.kuon.ch
https://www.goyman.com



Re: Configuration of static ipv6 router

2022-07-28 Thread Nicolas Goy


I added this as my first line in pf.conf

pass quick log on vport0 proto icmp6

When I do tcpdump -i vport0 I do see the packets


19:21:09.846069 fe80:b2b:11fe:161::2 > ff02::1:ff01:1: icmp6: neighbor sol: who has  [class 0xe0]

But there is nothing on tcpdump -i pflog0

It seems those packets disappear somewhere.

I tried on a regular interface (without veb) but same behaviour.



-- 
Nicolas Goy
Engineer & Developer

https://www.kuon.ch
https://www.goyman.com



Re: Configuration of static ipv6 router

2022-07-28 Thread Nicolas Goy


As additional info, here are my sysctl

net.inet6.ip6.forwarding=1
net.inet6.ip6.redirect=1
net.inet6.ip6.hlim=64
net.inet6.ip6.mrtproto=0
net.inet6.ip6.maxfragpackets=200
net.inet6.ip6.log_interval=5
net.inet6.ip6.hdrnestlimit=10
net.inet6.ip6.dad_count=1
net.inet6.ip6.auto_flowlabel=1
net.inet6.ip6.defmcasthlim=1
net.inet6.ip6.use_deprecated=1
net.inet6.ip6.maxfrags=200
net.inet6.ip6.mforwarding=0
net.inet6.ip6.multipath=0
net.inet6.ip6.multicast_mtudisc=0
net.inet6.ip6.neighborgcthresh=2048
net.inet6.ip6.maxdynroutes=4096
net.inet6.ip6.dad_pending=0
net.inet6.ip6.mtudisctimeout=600
net.inet6.icmp6.redirtimeout=600
net.inet6.icmp6.nd6_delay=5
net.inet6.icmp6.nd6_umaxtries=3
net.inet6.icmp6.nd6_mmaxtries=3
net.inet6.icmp6.errppslimit=100
net.inet6.icmp6.nd6_maxnudhint=0
net.inet6.icmp6.mtudisc_hiwat=1280
net.inet6.icmp6.mtudisc_lowat=256
net.inet6.icmp6.nd6_debug=0
net.inet6.divert.recvspace=65636
net.inet6.divert.sendspace=65636


-- 
Nicolas Goy
Engineer & Developer

https://www.kuon.ch
https://www.goyman.com



Re: Configuration of static ipv6 router

2022-07-28 Thread Nicolas Goy
Ok, actually the ISP router is also trying the multicast after failing
the unicast:

Here are two packets, the first one works, the router responds (openbsd
box), but the second one is ignored.

first one (works is responded to):

[+] Frame 12012: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on 
interface vport0, id 0 
[+] Ethernet II, Src: ASUSTekC_42:5c:dc (7c:10:c9:42:5c:dc), Dst: 
IPv6mcast_ff:01:00:01 (33:33:ff:01:00:01)
[-] Internet Protocol Version 6, Src: fe80::7e10:c9ff:fe42:5cdc, Dst: 
ff02::1:ff01:1
  0110  = Version: 6
  [+]         = Traffic Class: 0x00 (DSCP: CS0, 
ECN: Not-ECT)
   1110 0100 0001  0010 = Flow Label: 0xe41f2
  Payload Length: 32
  Next Header: ICMPv6 (58)
  Hop Limit: 255
  Source Address: fe80::7e10:c9ff:fe42:5cdc
  Destination Address: ff02::1:ff01:1
  Source SLAAC MAC: ASUSTekC_42:5c:dc (7c:10:c9:42:5c:dc)
[-] Internet Control Message Protocol v6
  Type: Neighbor Solicitation (135)
  Code: 0
  Checksum: 0xd6ae [correct]
  Checksum Status: Good
  Reserved: 
  Target Address: 2a02:aa08::::1:1 # redacted
  [-] ICMPv6 Option (Source link-layer address : 7c:10:c9:42:5c:dc)
Type: Source link-layer address (1)
Length: 1 (8 bytes)
Link-layer address: ASUSTekC_42:5c:dc (7c:10:c9:42:5c:dc) [=]

second one (doesn't work, is ignored):

[+] Frame 10611: 86 bytes on wire (688 bits), 86 bytes captured (688 bits) on 
interface vport0, id 0
[+] Ethernet II, Src: Cisco_4e:41:74 (00:df:1d:4e:41:74), Dst: 
IPv6mcast_ff:01:00:01 (33:33:ff:01:00:01)
[-] Internet Protocol Version 6, Src: fe80:b2b:11fe:161::2, Dst: ff02::1:ff01:1
  0110  = Version: 6
  [+]  1110       = Traffic Class: 0xe0 (DSCP: CS7, 
ECN: Not-ECT)
        = Flow Label: 0x0
  Payload Length: 32
  Next Header: ICMPv6 (58)
  Hop Limit: 255
  Source Address: fe80:b2b:11fe:161::2
  Destination Address: ff02::1:ff01:1
[-] Internet Control Message Protocol v6
  Type: Neighbor Solicitation (135)
  Code: 0
  Checksum: 0x9de0 [correct]
  Checksum Status: Good
  Reserved: 
  Target Address: 2a02:aa08::::1:1 # redacted
  [-] ICMPv6 Option (Source link-layer address : 00:df:1d:4e:41:74)
Type: Source link-layer address (1)
Length: 1 (8 bytes)
Link-layer address: Cisco_4e:41:74 (00:df:1d:4e:41:74) [=]


-- 
Nicolas Goy
Engineer & Developer

https://www.kuon.ch
https://www.goyman.com



Re: Configuration of static ipv6 router

2022-07-28 Thread Nicolas Goy
On Thu 28 Jul 2022 - 16:14, Nicolas Goy wrote:
> On Thu 28 Jul 2022 - 15:52, Nicolas Goy wrote:
> > On Thu 28 Jul 2022 - 13:18, Nicolas Goy wrote:
> > > 
> > > - I can ping internet from my router, but it cuts every 10 seconds or
> > >   so. If I inspect the traffic, I see that the ISP router is sending
> > >   neighbor discovery with my router address, and that my router does not
> > >   respond. 
> > > 
> > 
> > This seems to be the main issue, (I'll figure out the second one after
> > that, using nd proxy or other method), I watched the network for some time
> > now, and the openbsd router is never responding to neighbor solicitation
> > on the wan interface.
> > 
> > When I use tcpdump, I see that on the wan interface, neighbor
> > solicitation has an added [class 0xe0] at the end of the line which is
> > not present on working solicitations.
> > 
> 
> 

After more analysis, I realized that the dst of the ISP/Cisco neighbor
solicitation is the actual IP, while usually it's ff02::1:ff01:1 it
seems to do unicast solicitation.

-- 
Nicolas Goy
Engineer & Developer

https://www.kuon.ch
https://www.goyman.com



Re: Configuration of static ipv6 router

2022-07-28 Thread Nicolas Goy
On Thu 28 Jul 2022 - 15:52, Nicolas Goy wrote:
> On Thu 28 Jul 2022 - 13:18, Nicolas Goy wrote:
> > 
> > - I can ping internet from my router, but it cuts every 10 seconds or
> >   so. If I inspect the traffic, I see that the ISP router is sending
> >   neighbor discovery with my router address, and that my router does not
> >   respond. 
> > 
> 
> This seems to be the main issue, (I'll figure out the second one after
> that, using nd proxy or other method), I watched the network for some time
> now, and the openbsd router is never responding to neighbor solicitation
> on the wan interface.
> 
> When I use tcpdump, I see that on the wan interface, neighbor
> solicitation has an added [class 0xe0] at the end of the line which is
> not present on working solicitations.
> 


I forgot to mention that the WAN port is a vport with veb, I don't know
if that can affect the ndp protocol.

-- 
Nicolas Goy
Engineer & Developer

https://www.kuon.ch
https://www.goyman.com



Re: Configuration of static ipv6 router

2022-07-28 Thread Nicolas Goy
On Thu 28 Jul 2022 - 13:18, Nicolas Goy wrote:
> 
> - I can ping internet from my router, but it cuts every 10 seconds or
>   so. If I inspect the traffic, I see that the ISP router is sending
>   neighbor discovery with my router address, and that my router does not
>   respond. 
> 

This seems to be the main issue, (I'll figure out the second one after
that, using nd proxy or other method), I watched the network for some time
now, and the openbsd router is never responding to neighbor solicitation
on the wan interface.

When I use tcpdump, I see that on the wan interface, neighbor
solicitation has an added [class 0xe0] at the end of the line which is
not present on working solicitations.



-- 
Nicolas Goy
Engineer & Developer

https://www.kuon.ch
https://www.goyman.com



Configuration of static ipv6 router

2022-07-28 Thread Nicolas Goy
Hello,

My ISP gave me a /56 and told me it was statically routed (no
DHCPv6-PD).

Let's say this prefix 2a02:aa08::YY00::/56 is now x00::/56

What I want to do, is to split this prefix into /64 and use the /64 for
my vlans.

So what I did is on my interfaces I have the following ips:

wan x00::1:1/64
vlan1 x01::1:1/64
vlan2 x02::1:1/64
...

The ISP router is at x00::1 so I did

route add -inet6 default x00::1

In pf.conf I have a pass all for icmpv6

From this point I have two issues:

- I can ping internet from my router, but it cuts every 10 seconds or
  so. If I inspect the traffic, I see that the ISP router is sending
  neighbor discovery with my router address, and that my router does not
  respond. 

So on my wan interface I see tons of neighbor advertisement from the ISP
router at x00::1 with flags router/solicited/override set, I also see
neighbor solicitation from the ISP router to my router. There is also
neighbor solicitation from my router to the ISP router, but what I
don't see is the neighbor advertisement from my router TO the ISP
router. So I guess the ISP router is removing the NDP entry of my router
after some times, and put it back when it sees the neighbor solicitation
again. How can I make so that my openbsd router will respond to the
neighbor solicitation from the ISP router?

- The second issue is how do I tell the ISP (cisco) router that I am the
  router for the /64 in the /56? If I ping from an inside host, the
  packet gets routed into the WAN interface, and I see that the ISP
  router is doing neighbor solicitation for the source address, like
  this:

ping from x01::10:1 to external ip E
packet reaches x01::1:1, is routed by the openbsd router, and is visible
on wan
ISP router sees the packet on the WAN interface and sends a neighbor
solicitation for x01::1:1 which is not answered because x01::1:1 is on
another subnet behind the openbsd router.

Any idea for those two issues?


-- 
Nicolas Goy
Engineer & Developer

https://www.kuon.ch
https://www.goyman.com



Re: Freeze on OpenBSD 7.1

2022-07-20 Thread Nicolas

On 20/07/2022 at 09:20, Stuart Henderson wrote:

On 2022-07-20, Stuart Henderson  wrote:

On 2022-07-19, Zé Loff  wrote:

You have a single core machine with 2Gb RAM, and the data you sent seems
to indicate that there is no free RAM left.

Where are you seeing that? systat vm shows ~850MB free. No apparent mbuf leak.
No pool allocation failures.

Also it is a dual core machine but currently running a single-processor kernel
(GENERIC not GENERIC.MP) - see the "cpu: not configured"



Hello,

I didn't notice.

I rebooted on bsd.mp and now get that from sysctl :

hw.model=Intel(R) Celeron(R) CPU 1037U @ 1.80GHz
hw.ncpu=2

Thanks again to all of you for your help ! =)

Nicolas, Paris.



Re: Freeze on OpenBSD 7.1

2022-07-19 Thread Nicolas

Hello Stuart,

I haven't seen your messages immediately, it was incorrectly filtered by 
my email client.


Here are the results of the commands. I hope my email client won't 
render it useless !


For the moment, I try to cool the AC adapter and plan to plug in a 
monitor if another freeze occurs.


Thank you, Stuart !

Nicolas, Paris.

netstat -m returns :
300 mbufs in use:
    223 mbufs allocated to data
    1 mbuf allocated to packet headers
    76 mbufs allocated to socket names and addresses
10/16 mbuf 2048 byte clusters in use (current/peak)
104/165 mbuf 2112 byte clusters in use (current/peak)
0/8 mbuf 4096 byte clusters in use (current/peak)
0/8 mbuf 8192 byte clusters in use (current/peak)
0/0 mbuf 9216 byte clusters in use (current/peak)
0/0 mbuf 12288 byte clusters in use (current/peak)
0/0 mbuf 16384 byte clusters in use (current/peak)
0/0 mbuf 65536 byte clusters in use (current/peak)
376/568/524288 Kbytes allocated to network (current/peak/max)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines
Memory statistics by bucket size
    Size   In Use   Free   Requests  HighWater  Couldfree
      16     1702    602       4536       1280          0
      32      972    820       9906        640        559
      64     1862     58      12534        320          0
     128     7173     27     411621        160        153
     256      136     40       4018         80          0
     512      157      3       1101         40          0
    1024       87      5       4193         20          0
    2048       66      2        125         10          0
    4096     3120      1       5939          5          0
    8192       41      2        260          5          0
   16384       11      0        276          5          0
   32768        7      0          9          5          0
   65536        2      0       2608          5          0
  131072        9      0          9          5          0
  524288        1      0          1          5          0

vmstat -m returns :


Memory usage type by bucket size
    Size  Type(s)
      16  devbuf, pcb, rtable, UFS mount, dirhash, ACPI, proc, exec, VM swap,
          UVM amap, UVM aobj, USB, USB device, temp, DRM
      32  devbuf, pcb, rtable, ifaddr, sysctl, UFS mount, sem, dirhash, ACPI,
          proc, in_multi, ether_multi, exec, UVM amap, USB, USB device, NDP,
          temp, AGP Memory, DRM
      64  devbuf, rtable, ifaddr, counters, vnodes, UFS mount, dirhash, ACPI,
          proc, in_multi, VM swap, UVM amap, USB, temp, DRM
     128  devbuf, rtable, ifaddr, sysctl, counters, vnodes, sem, dirhash, ACPI,
          NFS srvsock, in_multi, UVM amap, USB, USB device, temp, DRM
     256  devbuf, rtable, ifaddr, counters, ioctlops, vnodes, shm, VM map,
          dirhash, ACPI, exec, tdb, UVM amap, USB, USB device, DRM
     512  devbuf, counters, ioctlops, UFS mount, dirhash, ACPI, file desc, ttys,
          newblk, USB device, USB HC, temp, kqueue, DRM
    1024  devbuf, pcb, sysctl, counters, ioctlops, mount, shm, ACPI, proc, ttys,
          exec, UVM amap, crypto data, temp, DRM
    2048  devbuf, ioctlops, UFS mount, ACPI, VM swap, UVM aobj, USB, temp,
          kqueue, DRM
    4096  devbuf, ifaddr, counters, ioctlops, proc, ttys, USB, memdesc, temp,
          DRM
    8192  devbuf, counters, proc, ttys, pagedep, UVM amap, USB HC, temp,
          SYN cache, DRM
   16384  devbuf, NFS daemon, MSDOSFS mount, ttys, temp, DRM
   32768  devbuf, UFS quota, UFS mount, ISOFS mount, inodedep
   65536  devbuf, temp
  131072  devbuf, VM swap
  524288  temp

Memory statistics by type   Type  Kern
       Type InUse MemUse HighUse  Limit Requests Limit Size(s)
     devbuf  5994 13933K  13934K 78644K     6920     0 16,32,64,128,256,512,1024,2048,4096,8192,16384,32768,65536,131072
        pcb    13     9K      9K 78644K       13     0 16,32,1024
     rtable   105     5K      6K 78644K      572     0 16,32,64,128,256
     ifaddr    95    14K     14K 78644K      183     0 32,64,128,256,4096
     sysctl     3     2K      2K 78644K        3     0 32,128,1024
   counters    19    17K     17K 78644K       19     0 64,128,256,512,1024,4096,8192
   ioctlops     0     0K      4K 78644K     1624     0 256,512,1024,2048,4096
      mount     9     9K      9K 78644K        9     0 1024
     vnodes  1228    78K     78K 78644K     1243     0 64,128,256
  UFS quota     1    32K     32K 78644K        1     0 32768
  UFS mount    37    73K     73K 78644K       37     0 16,32,64,512,2048,32768
        shm     2     2K      2K 78644K        2     0 256,1024
     VM map     2     1K      1K 78644K        2     0 256
        sem     2     1K      1K 78644K        2     0 32,128
    dirhash   141    27K     27K 78644K      168     0 16,32,64,128,256,512
       ACPI  5153   623K

pf nat64 interface reference

2022-05-23 Thread Nicolas Goy
In my pf.conf, I have a line like this:

wan = "re2"
pass in quick on $priv inet6 from any to 64:ff9b::/96 af-to inet from $wan

It used to work, but now it doesn't, I suspect that's because the order
of the ip addresses have changed when I type "ifconfig". Now I have some
ipv6 addresses before the ipv4 one.

I have this error:

/etc/pf.conf:74: translation spec contains addresses that don't match target address family

If instead of $wan, I put the ip, it works.

My $wan interface has only 1 ipv4 address, is there a way to reference
it?

-- 
Nicolas Goy

https://www.kuon.ch
https://www.goyman.com



OpenBSD benchmarks

2022-04-04 Thread Nicolas Goy
Hello,

I'd like to make some 10gbit/s benchmarks for an OpenBSD based router.

I was wondering if there was some "standard" pf ruleset I could use to
have a meaningful metric.

Also, I'm curious if anybody is aware of such existing benchmarks.

Regards

-- 
Nicolas Goy

https://www.kuon.ch
https://www.goyman.com



Re: Hardware for OpenBSD based access point

2022-03-14 Thread Nicolas Goy
On Mon, Mar 14, 2022 at 02:31:13PM -, Stuart Henderson wrote:
> 
> Roaming decisions are client-side though there are some things an AP can
> do to influence them.

At present, with non communicating AP, the android clients are holding
to their AP for way too long. For example if I enable wifi in the
garden, it pairs with the garden AP to get a strong signal, but as I
move in the house to the basement, it holds to the garden AP with like
1% signal even if the basement AP is literally next to it, and I have to
disable-enable wifi on the phone to force it to change, otherwise it
doesn't. I heard that controller based AP "fleet" can mitigate that by
kicking devices that are on the "wrong" AP. But I am not sure how it
works in practice as I only read about it and it is not any standard.

-- 
Nicolas Goy

https://www.kuon.ch
https://www.goyman.com



Re: Hardware for OpenBSD based access point

2022-03-14 Thread Nicolas Goy
On Mon, Mar 14, 2022 at 01:32:35PM -, Stuart Henderson wrote:
> There's no chance of meeting all of these requirements with OpenBSD.
> 
> For AP-side 11ac there are some bwfm(4) devices which _might_ do but they
> are not common. Really at this point the emphasis for wifi on OpenBSD
> is for client-side not AP-side. There are some options but they are limited,
> and bwfm is the only one with 11ac.
> 
> Ignoring trying to run it on OpenBSD, for setups with more than a couple
> of APs I would probably get either TP-Link Omada or Ubiquiti Unifi with
> an on-site controller. Omada is a Unifi clone and so far they haven't
> made quite such annoying/questionable decisions as Ubiquiti have been
> doing recently.
> 
> They both use java 8+mongodb for the controllers. Unifi runs on
> amd64 OpenBSD (you need to install it from ports as we can't distribute
> packages - you can't run distributions direct from upstream as some
> binary part in one of the .jar files isn't built for OpenBSD).
> I haven't tried running omada on OpenBSD recently; last time I tried
> it didn't work but that may have changed. There are fairly cheap small
> "hardware" controllers which might not be a bad idea.
> 

Thanks. I had many issues with devices not being able to roam properly, so
I guess having a managed setup would help, as it would allow me to not
have to turn off/on wifi on my devices when moving around the house.

I should have a Raspberry pi to spare, I can put the controller on it
and jail that.

Thanks for all your feedback.

Regards

-- 
Nicolas Goy

https://www.kuon.ch
https://www.goyman.com



Re: Hardware for OpenBSD based access point

2022-03-13 Thread Nicolas Goy
On Mon, Mar 14, 2022 at 01:45:09PM +1000, Stuart Longland wrote:
> On Mon, 14 Mar 2022 03:43:01 +0100
> Nicolas Goy  wrote:
> 
> > I looked at the hardware that was supported, but I forgot to check
> > the wifi controller, I took that for granted, my bad.
> > 
> > Thanks for the pcengine suggestion, but I have already a dedicated
> > OpenBSD box as router/firewall. I just want to replace my access
> > points.
> > 
> > Last time I installed an access point (netgear) for my aunt, I had to
> > create a cloud account to be able to access the config UI, this
> > enraged me quite a bit, that's why I am scared to buy a WAP that I do
> > not control. I live in an old farm with very thick stone walls and I
> > currently have 8 WAP to cover all rooms.
> 
> Yeah, that seems to be the latest fashion, "let's require a
> cloud-hosted server to control a device on your network critical for
> security of said network".  Given how well consumer routers' firmware
> seems to be written, I don't hold a lot of faith for security when they
> decide to host that rubbish publicly.

Yeah, this is literally a gift to DDoS botnets. I must be seeing an
article about a remote control exploit on a consumer router at least once
a month.


> 
> If you don't mind having a small Linux machine running Java 8 (yes, I
> know), Ubiquiti UniFI APs aren't bad, but I can well understand the
> desire to avoid such a dependency.  The silver lining I guess is the
> Linux machine could be a virtual machine running atop an OpenBSD host
> on-premise and "powered off" unless configuration settings need to be
> made.

Aren't unifi APs notorious for phoning home? Well, I can deny them
outside access. I actually have a linux server with java for my kids'
minecraft world, so I can use that. The controller is only required to
be running for configuration changes? I guess that could work.

> 
> The other approach would be to look for something that runs OpenWRT,
> either as an after-market OS or out-of-the-box.  Yes it's still Linux,
> but the source code is available (like OpenBSD) and the user interfaces
> are all _local_.

I actually have an OpenWRT box (LTE SMS gateway, the LTE modem wasn't
compatible with OpenBSD when I installed it), and yeah, it is very
decent. I guess that would be a viable alternative.


Thanks for the suggestions.

-- 
Nicolas Goy

https://www.kuon.ch
https://www.goyman.com



Re: Hardware for OpenBSD based access point

2022-03-13 Thread Nicolas Goy



On 14.03.22 03:28, Atticus wrote:

AFAIK, OpenBSD doesn't support .11ac or .11ax at all, with only a very limited 
number of cards supporting Host AP mode. The only .11n ones I found being 
athn(4), bwfm(4), and ral(4). The (few) others that support Host AP mode only 
do so in .11g or .11b. In the future, I would take a look through section 4 of 
the manual pages, and search the mailing list archives, which could have told 
you this within a few minutes.

I use (and I believe there are others on here who do as well) an external WAP, 
that handles only the wireless connections, with DHCP, routing, firewalling, 
etc., handled by a separate OpenBSD box, the WAP being used only as a bridge.

For the OpenBSD hardware portion, you could try https://pcengines.ch APU models,
which run from around $130-$180 USD price point, and are well supported by
OpenBSD. Unfortunately, they don't have any current stocking information other
than "expected ~ 2022."


I looked at the hardware that was supported, but I forgot to check the wifi 
controller, I took that for granted, my bad.

Thanks for the pcengine suggestion, but I have already a dedicated OpenBSD box 
as router/firewall. I just want to replace my access points.

Last time I installed an access point (netgear) for my aunt, I had to create a 
cloud account to be able to access the config UI, this enraged me quite a bit, 
that's why I am scared to buy a WAP that I do not control. I live in an old farm 
with very thick stone walls and I currently have 8 WAP to cover all rooms.

Anyway, thanks for your reply, I'll try to find a decent WAP.

--
Nicolas Goy

https://www.kuon.ch
https://www.goyman.com



Hardware for OpenBSD based access point

2022-03-13 Thread Nicolas Goy

Hello,

I use OpenBSD for all my network gear except wireless access points.

My current access points are getting old and I'd like to replace them.

I did a bit of research and there are quite some boards supported by OpenBSD, 
but I cannot find one that ticks all my boxes.

Here are my requirements:

- OpenBSD compatible without proprietary binary blob (coreboot...)
- Wifi .11ax or way to update to it in the future (mini PCI), I can manage 
without it for now with .11ac, my current AP are .11n
- SMA/i-pex... connector
- 1 gigabit ethernet
- Bonus: PoE but I don't mind if it doesn't, I'll manage
- can be a board, a full computer... I'll manage.
- the form factor doesn't really matter as long as I don't have to hang a midi 
tower to my wall.
- must be available in europe (switzerland)
- < 200$

If you have any suggestion, I would be delighted.

Regards

--
Nicolas Goy

https://www.kuon.ch
https://www.goyman.com



NextCloud: failed integrity checks

2018-07-22 Thread Nicolas Schmidt
After installation on OpenBSD 6.3 with pkg_add, NextCloud complains about files 
failing the integrity checks. More specifically:

- occ
 * expected hash: 
7e3fce0d7b5c20a7775ed1b548cb2e29bed078d3ca77b01a83d438f671b3d473147d4e8217d2084e17b6fe23a18ba258b11ba60106e23381f1e2889ce14971c4
 * current hash:  
7693eb89c0bc218712d68ec58599efa46e5c3729814e2aad16bf2c0079be7ae1909f072ead7889883c0a89b6c51570800d9e8a71f35866cb4e0c47aeaa5a4b2b

- version.php
 * expected hash: 
4e9046aca4fd8e942ba7bd505374e22ddd500a99b3a46d57d629b99c3132a66206883053f22801894929e51fca307c740062b497d55639bcc9a3154ada3504ff
 * current hash:  
30cd43589fc8ab273fa25e1a477c8cbadb13bac5541daa6d3fa0490a0c2054c2c29a274fd50eec66934a9d9adc541dec8701e7463922d36174478ae3e9a64981

- apps/updatenotification/appinfo/info.xml
 * expected hash: 
bf7983ffe422ba215c04a0069081fab0c78ba81fa40a90cbdd3595182e011fb7f3e0bd1cd14cdea742cafb89f1da001582fe8d560749d98ea540b4ee76dd9898
 * current hash:  
d2984fa816b4cea71e7c09f36a4132e7cb88d357f22e1c795778deccdb4066beaef2876b95d849e6eeae37b879c0f63500b0958a6a61bab1c933736bf135c440


Anybody able to reproduce?

--Nicolas



Re: Status of Owncloud?

2018-07-22 Thread Nicolas Schmidt
Thanks for the hint ax0n, I'll give NextCloud a try; after all, I wasn't 
entirely happy with Owncloud anyway, as I had issues uploading large files (100 
MB and bigger).

@Mischa: Your diagnosis was correct: I completely forgot that there is some 
extra work to be done to make PHP/cURL work in jailroot. Besides 
"/etc/resolv.conf", I also had to copy

/etc/ssl/cert.pem
/etc/services
/etc/php-5.6.ini

to /var/www/etc/ to make things work.

--Nicolas

> On 22.07.2018 at 19:31, Mischa wrote:
> 
> Besides that, in order to provide it an "internet" connection you need to 
> copy your resolv.conf to /var/www/etc/
> 
> Mischa
> 
> 
>> On 22 Jul 2018, at 19:26, Ax0n  wrote:
>> 
>> On Jul 22, 2018 10:11, "Nicolas Schmidt"  wrote:
>> 
>> Hi,
>> 
>> I just installed and configured owncloud on OpenBSD 6.3, and so far
>> everything seems to work (except for owncloud complaining about not having
>> an internet connection). However, when visiting http://localhost/owncloud/
>> after installation, I was greeted by an unfriendly message telling me that
>> owncloud doesn't run properly on OpenBSD. This message didn't go into more
>> details, nor could I find anything on owncloud.com or openbsd.org regarding
>> this.
>> 
>> So I'm wondering, what's the status of owncloud on OpenBSD? Is it still
>> supported? Are there plans to remove support for it in future releases?
>> 
>> Best,
>> Nicolas
>> 
>> 
>> I know this doesn't directly answer your question, but it seems like many
>> users (especially within but not limited to the OpenBSD community) started
>> preferring NextCloud ( https://nextcloud.com ) which appears to be
>> maintained by several of the original OwnCloud developers.
>> 
>> --ax0n
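
A check for the chroot copies described in this message, added here as an example and not part of the original posts. Copies under /var/www are snapshots, so a later update to /etc/ssl/cert.pem or /etc/resolv.conf leaves the web server's PHP with stale data. The function names are hypothetical, and mirroring each file's full path under the chroot (for example /var/www/etc/ssl/cert.pem) is an assumption.

```python
import hashlib
import os
import tempfile

# Files the message lists as needed by PHP/cURL inside the httpd chroot.
CHROOT_FILES = ["/etc/resolv.conf", "/etc/ssl/cert.pem", "/etc/services", "/etc/php-5.6.ini"]


def _digest(path):
    """SHA-256 of a file, or None when the file does not exist."""
    try:
        with open(path, "rb") as fh:
            return hashlib.sha256(fh.read()).hexdigest()
    except FileNotFoundError:
        return None


def chroot_drift(chroot="/var/www", host_root="/", files=CHROOT_FILES):
    """Compare each host file with its copy inside the chroot.

    Assumption: the copy lives at the same path below the chroot.
    Returns {path: "ok" | "stale" | "missing" | "no-host-file"}.
    """
    report = {}
    for name in files:
        relative = name.lstrip("/")
        host = _digest(os.path.join(host_root, relative))
        copy = _digest(os.path.join(chroot, relative))
        if host is None:
            report[name] = "no-host-file"
        elif copy is None:
            report[name] = "missing"
        elif copy != host:
            report[name] = "stale"
        else:
            report[name] = "ok"
    return report


def build_demo():
    """Constructed sample trees: one current copy set with a stale and a missing file."""
    host = tempfile.mkdtemp(prefix="host-")
    chroot = tempfile.mkdtemp(prefix="www-")

    def put(root, name, data):
        path = os.path.join(root, name.lstrip("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

    for name in CHROOT_FILES:
        put(host, name, b"current " + name.encode())
    put(chroot, "/etc/resolv.conf", b"current /etc/resolv.conf")
    put(chroot, "/etc/php-5.6.ini", b"current /etc/php-5.6.ini")
    put(chroot, "/etc/ssl/cert.pem", b"older bundle")   # copied before an update
    return host, chroot                                   # /etc/services never copied


if __name__ == "__main__":
    demo_host, demo_chroot = build_demo()
    for path, status in chroot_drift(demo_chroot, demo_host).items():
        print(f"{status:8} {path}")
```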



Status of Owncloud?

2018-07-22 Thread Nicolas Schmidt
Hi,

I just installed and configured owncloud on OpenBSD 6.3, and so far everything 
seems to work (except for owncloud complaining about not having an internet 
connection). However, when visiting http://localhost/owncloud/ after 
installation, I was greeted by an unfriendly message telling me that owncloud 
doesn't run properly on OpenBSD. This message didn't go into more details, nor 
could I find anything on owncloud.com or openbsd.org regarding this.

So I'm wondering, what's the status of owncloud on OpenBSD? Is it still 
supported? Are there plans to remove support for it in future releases?

Best,
Nicolas



segfault when exiting a program

2018-03-26 Thread Nicolas Schmidt
Hi,

a while ago I posted on this list because of a problem I experienced with 
building OpenBSD 6.2-current from source (the base system, not the kernel). 
Today I found the culprit, and it's rather strange: returning from main(), or 
calling exit() explicitly causes a segmentation fault.

A minimal example is:

int main(int argc, char **argv) { return 0; }

Evaluating cc -o test test.c; ./test should result in a segmentation fault. 
Here's the backtrace gdb gives me:

#0  _libc___cxa_finalize () at /usr/src/lib/libc/stdlib/atexit.c:133
#1  0x0de4d9fb in _libc_exit (status=0) at /usr/src/lib/libc/stdlib/exit.c:54
#2  0x18bef421 in main () from /home/nico/test

Anyone able to reproduce this?

Best,
Nicolas Schmidt



make_keys produces segfault when building 6.2-stable

2018-02-21 Thread Nicolas Schmidt
I just tried building the base in 6.2-stable (building the kernel worked fine), 
following the instructions in https://man.openbsd.org/release. Unfortunately, 
the build process fails when trying to build libcurses. The error I get is

./make_keys keys.list > init_keytry.h
Segmentation fault (core dumped)
*** Error 139 in lib/libcurses (Makefile:123 'init_keytry.h')
*** Error 1 in lib (:48 'all')
*** Error 1 in . (Makefile:90 'do-build')
*** Error 1 in /usr/src (Makefile:74 'build')

Manually running `cd /usr/obj/lib/libcurses && ./make_keys key.list` also 
produces a Segmentation fault. Any ideas what's going on here?

Best,
Nicolas



Re: Upgrade 6.1->6.2 fails with "id 0 on/: file system full"

2018-02-21 Thread Nicolas Schmidt
Thanks Tim, that was right on the money! Indeed my „/bsd“ was a symbolic link, 
pointing to „/bsd.mp“. Because the target path of the symlink was absolute, 
when it tried to write the new kernel to „./mnt/bsd“ it of course pointed to 
the ramdisk.

After removing that symlink, the upgrade process went through without a hitch.

TL;DR: Use relative paths when you symlink „/bsd“.

Nicolas

> On 20.02.2018 at 15:42, trondd <tro...@kagu-tsuchi.com> wrote:
> 
>> On Tue, February 20, 2018 8:34 am, Nicolas Schmidt wrote:
>> Hey,
>> 
>> it's me again, still trying to upgrade to 6.2.
>> 
>> After choosing to skip verification and continue the upgrade process, I
>> now immediately get the following error:
>> 
>>    Installing bsd  0% |
>>    id 0 on /: file system full
>> 
>>    /: write failed, file system full
>>    ftp: Writing -: No space left on device
>> 
>> Going to a shell, "df" reveals
>> 
>>    Filesystem  512-blocks    Used    Avail  Capacity  Mounted on
>>    /dev/rd0a         6143    6116       27      100%  /
>>    /dev/sd2a      2057756  179068  1775804        9%  /mnt
>>    .
>>    .
>>    .
>> 
>> To me it seems, the install script is trying to install the kernel on the
>> ram disk mounted on / instead of the actual root partition mounted on /mnt
>> (sd2 is the volume I chose for installation; it's a RAID 1). Since the ram
>> disk is full, this of course has to fail.
>> 
>> Any suggestions?
>> 
>> Best regards and thanks for your help,
>> Nicolas
>> 
> 
> This just came up on Daemonforums.  The user had a symlink pointing to an
> absolute path starting with /.  The installer follows that symlink to the
> ramdisk / instead of /mnt.
> 
> http://daemonforums.org/showthread.php?p=63885
> 
> Tim.
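
A pre-upgrade check for the symlink problem described in this thread, added here as an example and not part of the original messages. It lists symlinks at the top of a mounted root (the installer's /mnt) and reports whether a write through each one stays on that filesystem or follows an absolute target back to the running root; the function names and the temporary demo tree are constructed for illustration.

```python
import os
import tempfile


def audit_root_symlinks(target_root):
    """Inspect symlinks at the top level of a mounted root filesystem.

    Returns (name, link_text, stays_inside, relative_fix) tuples.
    stays_inside is False when a write through the link would land outside
    target_root because the link text is resolved against the running /.
    """
    root = os.path.realpath(target_root)
    findings = []
    with os.scandir(root) as entries:
        for entry in sorted(entries, key=lambda e: e.name):
            if not entry.is_symlink():
                continue
            link_text = os.readlink(entry.path)
            # Resolved the way the kernel does it: an absolute link text
            # starts again from the running system's /, not from target_root.
            landing = os.path.realpath(entry.path)
            stays_inside = os.path.commonpath([root, landing]) == root
            relative_fix = None
            if os.path.isabs(link_text):
                # Same destination, expressed relative to the link's directory
                # as it will appear once target_root is mounted on /.
                link_dir = os.path.dirname("/" + entry.name)
                relative_fix = os.path.relpath(link_text, link_dir)
            findings.append((entry.name, link_text, stays_inside, relative_fix))
    return findings


def build_demo_root(link_text):
    """Constructed stand-in for /mnt: a kernel file plus a 'bsd' symlink."""
    root = tempfile.mkdtemp(prefix="mnt-")
    with open(os.path.join(root, "bsd.mp"), "wb") as fh:
        fh.write(b"kernel placeholder\n")
    os.symlink(link_text, os.path.join(root, "bsd"))
    return root


if __name__ == "__main__":
    for text in ("/bsd.mp", "bsd.mp"):
        for name, link, inside, fix in audit_root_symlinks(build_demo_root(text)):
            verdict = "stays on target" if inside else "escapes to running /"
            hint = f" (use 'ln -s {fix} {name}' instead)" if fix else ""
            print(f"{name} -> {link}: {verdict}{hint}")
```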



Upgrade 6.1->6.2 fails with "id 0 on/: file system full"

2018-02-20 Thread Nicolas Schmidt
Hey,

it's me again, still trying to upgrade to 6.2.

After choosing to skip verification and continue the upgrade process, I now 
immediately get the following error:

Installing bsd  0% |
id 0 on /: file system full

/: write failed, file system full
ftp: Writing -: No space left on device

Going to a shell, "df" reveals

Filesystem  512-blocks    Used    Avail  Capacity  Mounted on
/dev/rd0a         6143    6116       27      100%  /
/dev/sd2a      2057756  179068  1775804        9%  /mnt
.
.
.

To me it seems, the install script is trying to install the kernel on the ram 
disk mounted on / instead of the actual root partition mounted on /mnt (sd2 is 
the volume I chose for installation; it's a RAID 1). Since the ram disk is 
full, this of course has to fail.

Any suggestions?

Best regards and thanks for your help,
Nicolas



Re: SHA256.sig not contained in install62.iso

2018-02-20 Thread Nicolas Schmidt
Sorry, I of course meant to say it's *not* on it.

> On 20.02.2018 at 12:56, Nicolas Schmidt <schmi...@math.hu-berlin.de> wrote:
> 
> Hi,
> 
> I am finally getting around to upgrading 6.1->6.2. When I try to install from 
> CD using the install62.iso image, the install script complains that it can't 
> find SHA256.sig (indeed, it's on it).
> 
> Is that supposed to happen?
> 
> Best,
> Nicolas A. Schmidt



SHA256.sig not contained in install62.iso

2018-02-20 Thread Nicolas Schmidt
Hi,

I am finally getting around to upgrading 6.1->6.2. When I try to install from 
CD using the install62.iso image, the install script complains that it can't 
find SHA256.sig (indeed, it's on it).

Is that supposed to happen?

Best,
Nicolas A. Schmidt



Re: Integrating "safe" languages into OpenBSD?

2017-12-04 Thread Nicolas Schmidt
> On 04.12.2017 at 14:45, Nick Holland wrote:
...
> 
> Oh yeah.
> I recently discovered a very major business operations application where
> rather than using the OS's FTP and SFTP functions, they wrote their own
> in "safe" Java.  I don't know why.
...
> If the other machine is being serviced?  Network broke?  receiving
> machine unable to receive?  Oh well.  Magic doesn't work, the file is
> lost, without alerting the "sending" program.
> 
> Error reporting?  Well, for a long time, I thought it was non-existent,
> but I recently found they just dumped all the java runtime output to a
> file.  Nothing is actually done with this info in the application, but
> if 100+ lines of J-crap is your favorite way to see "server timeout",
> this is your tool.
...
> Nick.

So they wrote a program that was a) shitty and b) memory-safe? Those are two 
orthogonal dimensions. Also, the anecdotal evidence that safe languages attract 
bad programmers does not imply that using safe languages is bad: a good 
programmer won't suddenly commit such atrocities as you mentioned, just because 
they use a safe language.

Finally, your example probably speaks more about business practices than about 
safe programming languages. If you want to compare Java to a non-memory-safe 
language, you should compare it to one that is also designed *for* (instead of 
*by*) programmers, like Cobol.


Integrating "safe" languages into OpenBSD?

2017-12-03 Thread Nicolas Schmidt
Hi,

I recently watched a recording of Theo's talk on pledge at EuroBSDCon 2017, in 
which the question of memory-safe languages and their practical usefulness came 
up. Specifically, someone in the audience criticized the approach taken by 
OpenBSD, which (as I understand) accepts that all software is broken and 
mitigates the damage caused by various classes of exploits through techniques 
like ASLR, and suggested that instead one should stick to "memory safe 
languages" to avoid these exploits altogether.

As a response to this, Theo asked rhetorically "Where's ls, where's cat, 
where's grep, and where's sort?", implying that no one so far bothered to write 
implementations of even the basic unix utilities in such a language.

This brings me to the question, what if someone actually bothered? Under what 
conditions would you consider replacing one of the current C implementations 
with an implementation written in another, "safer" language? Note that with 
Cgrep and haskell-ls, there do in fact exist implementations/analogues of two 
of the mentioned utilities in a memory safe language (Haskell).

Best,
Nicolas Schmidt


Re: About WPA2 compromised protocol

2017-10-17 Thread Nicolas Schmidt
Can this issue even be fixed on the AP side? You could change the AP's 
behaviour to never ever resend Message 3, but that seems very drastic.

As far as I understood the article by Vanhoef and Piessens, the vulnerability 
lies within the behavior of the client (that conforms to the 802.11i 
amendment), as it still accepts retransmissions of Message 3 even if it is 
already in the PTK-DONE state.

—
Nicolas Schmidt

> On 17.10.2017 at 19:15, Matthew Graybosch <li...@matthewgraybosch.com> wrote:
> 
> On Tue, 17 Oct 2017 19:09:29 +0200
> "Stephane HUC \"PengouinBSD\"" <b...@stephane-huc.net> wrote:
> 
>> Just for the fun:
>> http://www.commitstrip.com/en/2017/10/16/wpa2-vulnerability-just-a-small-update/
> 
> I saw somebody share that on Mastodon this morning. :)
> 
> On a more serious note; am I correct in assuming that the patch is
> already in 6.2?
> 
> -- 
> Matthew Graybosch
> https://matthewgraybosch.com
> 
> "If you didn't want me to say 'both', you should have used XOR."
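
A toy state-machine model of the two points raised in this message (a client that reinstalls its key on a retransmitted Message 3, and an AP that never resends Message 3), added here as an illustration and not taken from the thread or from any 802.11 implementation. All names are hypothetical, the key is a constructed placeholder, and "nonce" stands for the per-frame packet number that must never repeat under one key.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Supplicant:
    """Client side of the 4-way handshake, reduced to key install and nonce use."""
    refuse_reinstall: bool            # True models a client that keeps an in-use key
    state: str = "PTK-START"
    key: Optional[bytes] = None
    tx_nonce: int = 0
    seen: set = field(default_factory=set)      # (key, nonce) pairs already used
    reused: list = field(default_factory=list)  # nonces sent twice under one key

    def on_message3(self, ptk):
        """Handle Message 3; always answers with Message 4."""
        same_key = self.state == "PTK-DONE" and ptk == self.key
        if not (self.refuse_reinstall and same_key):
            # Installing the key resets the transmit nonce. Doing this again
            # for a key that is already in use is what makes nonces repeat.
            self.key = ptk
            self.tx_nonce = 0
        self.state = "PTK-DONE"
        return "message4"

    def send_frame(self):
        """Encrypt one data frame: consume the next nonce under the current key."""
        self.tx_nonce += 1
        pair = (self.key, self.tx_nonce)
        if pair in self.seen:
            self.reused.append(self.tx_nonce)
        self.seen.add(pair)
        return self.tx_nonce


def run_handshake(refuse_reinstall, ap_retransmits_msg3=True):
    """Message 3, three data frames, an optional resent Message 3, two more frames."""
    ptk = b"constructed-ptk"
    client = Supplicant(refuse_reinstall)
    client.on_message3(ptk)
    sent = [client.send_frame() for _ in range(3)]
    if ap_retransmits_msg3:
        client.on_message3(ptk)   # the AP believes its first Message 3 was lost
    sent += [client.send_frame() for _ in range(2)]
    return sent, client.reused


if __name__ == "__main__":
    print("client reinstalls key:   ", run_handshake(False))
    print("client refuses reinstall:", run_handshake(True))
    print("AP never resends Msg 3:  ", run_handshake(False, ap_retransmits_msg3=False))
```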



Re: Fail2Ban filter for OpenSMTPD

2017-08-23 Thread Nicolas
Hi

I know some people were searching for fail2ban filters for opensmtpd.

I had the same need, and I've created my own simple filter; I share it here if 
it can help.


# Fail2Ban filter for opensmtpd
# Author: Nicolas Repentin
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

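# Two-line match: a connection followed by a rejected AUTH LOGIN.
# <HOST> marks the address to ban; fail2ban rejects a failregex without it.
failregex = ^.*smtp event=connected address=<HOST>.*\n.*smtp event=failed-command command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported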

ignoreregex = 

[Init]
maxlines = 2 

It actually only works for this example:

#Aug 23 10:48:54 myserver smtpd[17412]: abc813f0c6789766 smtp event=connected address=177.135.X.X host=hidden.host.com
#Aug 23 10:48:55 myserver smtpd[17412]: abc813f0c6789766 smtp event=failed-command command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported"



Nicolas
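
A way to test the two-line filter above offline, added here as an example and not part of the original post. It runs the failregex, written with fail2ban's <HOST> tag after address=, over constructed log lines through a simplified two-line window, and goes one step further by correlating on the session id to show where the window credits a failure to the wrong address. The window model, the IPv4-only <HOST> substitute, the function names and the sample lines are assumptions.

```python
import re
from collections import OrderedDict

# Simplified stand-in for fail2ban's <HOST> tag: IPv4 only (assumption of this sketch).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The filter's two-line failregex, with <HOST> after address=.
FAILREGEX_TEXT = (
    r'^.*smtp event=connected address=<HOST>.*\n'
    r'.*smtp event=failed-command command="AUTH LOGIN" '
    r'result="503 5.5.1 Invalid command: Command not supported'
)
FAILREGEX = re.compile(FAILREGEX_TEXT.replace("<HOST>", HOST), re.MULTILINE)

LINE = re.compile(r"smtpd\[\d+\]: (?P<sid>[0-9a-f]+) smtp event=(?P<event>\S+)(?P<rest>.*)$")
ADDRESS = re.compile(r"\baddress=" + HOST)
REJECTED_AUTH = 'command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported'


def window_matches(lines, maxlines=2):
    """Apply the failregex to a sliding buffer of the last `maxlines` lines."""
    hits = []
    for i in range(len(lines)):
        buf = "\n".join(lines[max(0, i - maxlines + 1): i + 1])
        m = FAILREGEX.search(buf)
        if m:
            hits.append(m.group("host"))
    return hits


def session_matches(lines, max_sessions=10000):
    """Tie each rejected AUTH LOGIN to the address logged for the same session id."""
    peers = OrderedDict()
    hits = []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        sid, event, rest = m.group("sid", "event", "rest")
        if event == "connected":
            addr = ADDRESS.search(rest)
            if addr:
                peers[sid] = addr.group("host")
                if len(peers) > max_sessions:
                    peers.popitem(last=False)   # forget the oldest session
        elif event == "failed-command" and REJECTED_AUTH in rest and sid in peers:
            hits.append(peers[sid])
    return hits


# Constructed log lines (documentation addresses). The second failure arrives
# after another client's "connected" line has been logged in between.
LOG = [
    'Aug 23 10:48:54 myserver smtpd[17412]: abc813f0c6789766 smtp event=connected address=192.0.2.10 host=a.example',
    'Aug 23 10:48:55 myserver smtpd[17412]: abc813f0c6789766 smtp event=failed-command command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported"',
    'Aug 23 10:49:01 myserver smtpd[17412]: 1111aaaa2222bbbb smtp event=connected address=198.51.100.7 host=b.example',
    'Aug 23 10:49:01 myserver smtpd[17412]: 3333cccc4444dddd smtp event=connected address=203.0.113.5 host=c.example',
    'Aug 23 10:49:02 myserver smtpd[17412]: 1111aaaa2222bbbb smtp event=failed-command command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported"',
]

if __name__ == "__main__":
    print("two-line window:", window_matches(LOG))
    print("by session id:  ", session_matches(LOG))
```

With interleaved sessions the two-line window reports 203.0.113.5, the client that merely connected last, while the session-id correlation reports 198.51.100.7, which actually sent the rejected command.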



Re: permission denied local nfs mount

2017-07-28 Thread Nicolas Schmidt
Did you try setting an explicit netmask?

> On 29.07.2017 at 01:36, Allan Streib wrote:
> 
> 6.1 amd64 release
> 
> My goal is to serve files from a directory in my home dir via httpd. As
> I understand it the way to do this is a local NFS mount in the httpd
> chroot.
> 
> Basically following the FAQ for NFS I set up this:
> 
> $ cat /etc/exports
> /home/astreib/work/new-site.org -ro -network=127.0.0.1
> 
> $ showmount -e
> Exports list on localhost:
> /home/astreib/work/new-site.org127.0.0.1
> 
> $ doas mount -t nfs 127.0.0.1:/home/astreib/work/new-site.org 
> /var/www/htdocs/new-site
> mount_nfs: can't access /home/astreib/work/new-site.org: Permission denied
> 
> Everyhing works if I remove the "-network=" from /etc/exports, i.e.:
> 
> /home/astreib/work/new-site.org -ro 127.0.0.1
> 
> I don't really understand why?
> 
> Allan



Re: isakmpd memory usage

2017-06-20 Thread Nicolas
Hi

Here is my ipsec.conf :

ike esp from /24 to /24 
 peer  
 main auth hmac-sha1 enc aes-256 group modp1024 lifetime 28800 
 quick auth hmac-sha1 enc aes-256 group modp1024 lifetime 3600 
 srcid  
 psk '' 
 tag vpn

ike passive esp transport proto udp from  to any port 1701 
 main auth hmac-sha1 enc aes group modp2048 
 quick auth hmac-sha1 enc aes 
 srcid  
 psk "" 
 tag vpnrw

ike esp from /32 to /24 
 peer  
 main auth hmac-sha2-256 enc aes-256 group modp1024 lifetime 3600 
 quick auth hmac-sha2-256 enc aes-256 group modp2048 lifetime 1200 
 srcid  
 psk ''

ike esp from /32 to /24 
 peer  
 main auth hmac-sha2-256 enc aes-256 group modp1024 lifetime 3600 
 quick auth hmac-sha2-256 enc aes-256 group modp1024 lifetime 1200 
 srcid  
 psk ''

ike esp from  to /24 
 peer  
 main auth hmac-sha1 enc aes-256 group modp1024 lifetime 28800 
 quick auth hmac-sha1 enc aes-256 group modp1024 lifetime 3600 
 srcid  
 psk '' 
 tag vpn

Actually the isakmpd process is eating more than 100MB of memory per day.

Nicolas

On 17 June 2017 at 11:13, "Michał Koc" wrote:
> Hi Nicolas,
>
> We are currently investigating some isakmpd memory problem with the
> devs.
>
> We have isakmpd running more than 100 tunnels.
>
> Please post Your ipsec.conf with auth data and addresses anonymised to
> investigate.
>
> best regards
> Michał Koc
>
> -- Original message --
> Subject: Re: isakmpd memory usage
> Sender: Nicolas Repentin (mailto:nico...@shivaserv.fr)
> Recipient: misc@openbsd.org (mailto:misc@openbsd.org)
> Date: 17.06.2017 09:49
>
>> No one ?
>>
>> On 13 June 2017 09:11:02 GMT+02:00, Nicolas (mailto:nico...@shivaserv.fr) wrote:
>>
>>> Hi everyone
>>>
>>> I'm searching for some help with isakmpd, which is eating a lot of
>>> memory, until the machine crashes. It's an OpenBSD 6.1 on Qemu KVM
>>> (ganeti). After 3 days, the process is using 650MB of memory.
>>>
>>> When she's "freezed", she's unreachable on network, and on console
>>> she's blinking on tty, like normal, but we can't write anything on it.
>>> No .core are generated.
>>>
>>> I got a lot of errors like "INVALID_ID_INFORMATION" on
>>> "NO_PROPOSAL_CHOSEN" on ipsec logs, but ipsec connections are working.
>>>
>>> Any idea how I can debug it?
>>> Thanks,
>>>
>>> Nicolas


Re: isakmpd memory usage

2017-06-17 Thread Nicolas Repentin
No one ?

On 13 June 2017 09:11:02 GMT+02:00, Nicolas <nico...@shivaserv.fr> wrote:
>Hi everyone
>
>I'm searching for some help with isakmpd, which is eating a lot of memory,
>until the machine crashes. It's an OpenBSD 6.1 on Qemu KVM (ganeti).
>After 3 days, the process is using 650MB of memory.
>
>When she's "freezed", she's unreachable on network, and on console
>she's blinking on tty, like normal, but we can't write anything on it.
>No .core are generated.
>
>I got a lot of errors like "INVALID_ID_INFORMATION" on
>"NO_PROPOSAL_CHOSEN" on ipsec logs, but ipsec connections are working.
>
>Any idea how I can debug it?
>Thanks,
>
>Nicolas

-- 
Nicolas

isakmpd memory usage

2017-06-13 Thread Nicolas
Hi everyone

I'm searching for some help with isakmpd, which is eating a lot of memory, until 
the machine crashes. It's an OpenBSD 6.1 on Qemu KVM (ganeti).
After 3 days, the process is using 650MB of memory.

When she's "freezed", she's unreachable on network, and on console she's 
blinking on tty, like normal, but we can't write anything on it.
No .core are generated.

I got a lot of errors like "INVALID_ID_INFORMATION" on "NO_PROPOSAL_CHOSEN" on 
ipsec logs, but ipsec connections are working.

Any idea how I can debug it?
Thanks,

Nicolas


Re: Can I use OpenBSD as a desktop system?

2017-06-10 Thread Nicolas Schmidt

>> On 06/09/17 15:39, SOUL_OF_ROOT 55 wrote:
>> Can I use OpenBSD as a desktop system?
> 
> You?  No, I doubt it.
...
> But, you are welcome, and invited
...
> Nick.

Nick, I don't think you were being either welcoming or inviting there.

To answer OP's question: Yes of course you can, and I did so in the past. The 
experience wasn't bad, although of course using any free Unix as a desktop 
system is guaranteed to deliver some pain at least (don't expect it to "just 
work").

Nicolas


kernel panic: ehci_device_clear_toggle

2017-05-26 Thread Nicolas Schmidt
Hi,

I just installed OpenBSD 6.1 and set up a CUPS server with a usb printer, and 
I'm experiencing kernel panics that seem usb related.
These kernel panics actually occurred also on the old version of OpenBSD I 
upgraded from, but only very rarely (once every few months at most). Now I've 
had three panics in the course of a few hours. The irony is that one of the 
reasons for upgrading was this exact problem; I assumed it would have been 
fixed, as it was mentioned on this list already.

I would like to file a bug report, but I can't gather all the info asked for at 
https://www.openbsd.org/ddb.html, as the keyboard stops working after the 
kernel panic (probably because it's a usb keyboard). So, here's the output I 
can give you:

# panic: ehci_device_clear_toggle: queue active
Stopped at  Debugger+0x7:   leave
TID PID UID PRFLAGS PFLAGS  CPU COMMAND
*359035 78367   541 0x1002  0x8 1   usb
216484  46276   0   0x14000 0x200   0   reaper
Debugger(d0a08f55,f54ee848,d09d62e0,f54ee848,0) at Debugger+0x7
panic(d09d62e0,dbaed460,f54ee88c,d08a0895,0) at panic+0x71
ehci_device_clear_toggle(d5d8ff00,d5d8ff00,d5a02800,0,2) at ehci_device_clear_toggle+0x29
usbd_clear_endpoint_stall(d5d8ff00,d5d8ff00,0,f54ee8dc,400) at usbd_clear_endpoint_stall+0x20
ugen_do_write(d5aa,1,f54eee8c,1,f54eed10) at ugen_do_write+0x2a8
ugenwrite(3f01,f54eee8c,1,d0508d09,db91169c) at ugenwrite+0x4f
spec_write(f54eedb8,db7b2aa4,f54eee74,d03cd5e9,d0bf6ae0) at spec_write+0xa7
VOP_WRITE(dba0fccc,f54eee8c,1,dbaf2c00,17a8840) at VOP_WRITE+0x42
vn_write(db91169c,db91116b4,f54eee8c,dbaf2c00,d0bf6ae0) at vn_write+0x8a
dofilewritev(db7b2aa4,8,db91169c,f54eeef4,1) at dofilewritev+0x1c6
sys_write(db7b2aa4,f54eef5c,f54eef7c,0,200286) at sys_write+0x8f
syscall() at syscall+0x250
--- syscall (number -813756072) ---
0x6:



One piece of context: the uid 541 is the user _cups, under which cupsd runs.

Best,
Nicolas


Re: torrent downloads

2017-04-27 Thread Nicolas Schmidt
Many distros sport torrents: NetBSD, Debian, and Ubuntu to name some. Rationale 
behind this is simple: torrents download with ridiculous speed if they are 
popular enough.

Best,
Nicolas

> On 27.04.2017 at 14:36, Markus Rosjat <ros...@ghweb.de> wrote:
> 
> Hi,
> 
> I think it's kinda pointless to have a torrent for this. You got enough good 
> mirrors to download from anyway. And nowadays it's not a biggy to download an 
> iso or so of somewhat 200mb.
> 
> and yes I'm the proud owner of some awesome puffy shirts too (if someone is 
> concerned about the download part :-P )
> 
> regards
> 
> markus
> 
>> On 27.04.2017 at 13:55, Thuban wrote:
>> Hello,
>> I was wondering if there is any particular reason explaining why there
>> is no torrent file to retrieve OpenBSD *.fs and *.iso.
>> 
>> I've been looking on the list and only found this site that doesn't
>> seem up to date [1].
>> 
>> If the reason is a lack of human resources, I think I can handle it.
>> 
>> Regards.
>> 
>> [1] : http://openbsd.somedomain.net/
>> 
> 
> -- 
> Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
> 
> G+H Webservice GbR Gorzolla, Herrmann
> Königsbrücker Str. 70, 01099 Dresden
> 
> http://www.ghweb.de
> fon: +49 351 8107220   fax: +49 351 8107227
> 
> Please check whether this mail really needs to be printed! Before you 
> print it, think about your responsibility and commitment to the ENVIRONMENT



Re: OpenBSD 6.1, boot can't find kernel anymore

2017-04-26 Thread Nicolas Vollmar
Thanks for the response Jonathan.
Seems probable, boot output looks something like this:

disk: hd0 hd1 hd2
open(hd0a:/etc/boot.conf): Invalid argument 
booting hd0a:/bsd: open hd0a:/bsd: Invalid argument 
and so on...

It does only check hd0 (which is not a readable disk), while the OpenBSD
partition is under hd2.






Re: OpenBSD 6.1, boot can't find kernel anymore

2017-04-24 Thread Nicolas Vollmar
Here is the output of the dmesg.boot:

OpenBSD 6.1 (GENERIC.MP) #20: Sat Apr  1 13:45:56 MDT 2017
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
RTC BIOS diagnostic error 37
real mem = 3645538304 (3476MB)
avail mem = 3530371072 (3366MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0x5b907000 (51 entries)
bios0: vendor American Megatrends Inc. version "UPC1BM0X" date 09/10/2016
bios0: AAEON UP-CHT01
acpi0 at bios0: rev 2
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP APIC FPDT FIDT MCFG SSDT SSDT SSDT UEFI HPET SSDT
SSDT SSDT SSDT TPM2 LPIT BCFG PRAM CSRT WDAT
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Atom(TM) x5-Z8350 CPU @ 1.44GHz, 1440.27 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
cpu0: 1MB 64b/line 16-way L2 cache
cpu0: TSC frequency 1440272340 Hz
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 79MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.0.0.0.3.3, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Atom(TM) x5-Z8350 CPU @ 1.44GHz, 1439.96 MHz
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
cpu1: 1MB 64b/line 16-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Atom(TM) x5-Z8350 CPU @ 1.44GHz, 1439.96 MHz
cpu2:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
cpu2: 1MB 64b/line 16-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Atom(TM) x5-Z8350 CPU @ 1.44GHz, 1439.96 MHz
cpu3:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
cpu3: 1MB 64b/line 16-way L2 cache
cpu3: smt 0, core 3, package 0
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 115 pins
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (RP01)
acpiprt2 at acpi0: bus -1 (RP02)
acpiprt3 at acpi0: bus -1 (RP03)
acpiprt4 at acpi0: bus -1 (RP04)
acpicpu0 at acpi0: C1(1000@1 mwait.1), PSS
acpicpu1 at acpi0: C1(1000@1 mwait.1), PSS
acpicpu2 at acpi0: C1(1000@1 mwait.1), PSS
acpicpu3 at acpi0: C1(1000@1 mwait.1), PSS
acpipwrres0 at acpi0: ID3C, resource for ISP3
acpipwrres1 at acpi0: CLK3
acpipwrres2 at acpi0: CLK4
acpipwrres3 at acpi0: CLK2
acpipwrres4 at acpi0: CLK1
acpipwrres5 at acpi0: CLK0
acpipwrres6 at acpi0: CLK1
acpipwrres7 at acpi0: USBC, resource for XHC1, OTG1
acpipwrres8 at acpi0: P28X
acpipwrres9 at acpi0: P18X
acpipwrres10 at acpi0: P12X
acpipwrres11 at acpi0: P28P
acpipwrres12 at acpi0: P18P
acpipwrres13 at acpi0: P19X
acpipwrres14 at acpi0: P06X
acpipwrres15 at acpi0: P28T
acpipwrres16 at acpi0: P18D
acpipwrres17 at acpi0: P18T
acpipwrres18 at acpi0: P3P3
acpipwrres19 at acpi0: P12T
acpipwrres20 at acpi0: P28W
acpipwrres21 at acpi0: P18W
acpipwrres22 at acpi0: P12W
acpipwrres23 at acpi0: P33W
acpipwrres24 at acpi0: P33X
acpipwrres25 at acpi0: P4BW
acpitz0 at acpi0: critical temperature is 90 degC
"INT33A4" at acpi0 not configured
dwiic0 at acpi0: I2C7 addr 0xa1722000/0x1000 irq 38
iic0 at dwiic0
"INT33BD" at acpi0 not configured
chvgpio0 at acpi0: GPO1 uid 2 addr 0xfed88000/0x8000 irq 48, 59 pins
"PNP0501" at acpi0 not configured
sdhc0 at acpi0: SDHA addr 0xa173/0x1000 irq 45
sdhc0: SDHC 3.0, 200 MHz base clock
sdmmc0 at sdhc0: 8-bit, sd high-speed, mmc high-speed, dma
"INTL9C60" at acpi0 not configured
"INTL9C60" at acpi0 not configured
"80862288" at acpi0 not configured
"80862288" at acpi0 not configured
"8086228A" at acpi0 not configured
"8086228E" at acpi0 not configured
dwiic1 at acpi0: I2C1 addr 0xa172c000/0x1000 irq 32
iic1 at dwiic1
dwiic2 at acpi0: I2C2 addr 0xa172a000/0x1000 irq 33
iic2 at dwiic2
dwiic3 at acpi0: I2C3 addr 0xa1728000/0x1000 irq 34
iic3 at dwiic3
"ADC081C" at acpi0 not configured

OpenBSD 6.1, boot can't find kernel anymore

2017-04-24 Thread Nicolas Vollmar
Hello everyone,

I've upgraded to OpenBSD 6.1 from 6.0 on my up board according to the upgrade
guide.
As a result it seems something changed in boot which results in it not
finding the kernel anymore. There are now two additional hd found by boot
(4MB each, empty and one not readable) despite only having one disk (onboard
eMMC storage). I've to manually boot OpenBSD from hd2a instead of hd0a.

I couldn't figure out what changed, so I tried a clean install of OpenBSD
6.1, still the same effect it can't boot.
Also ensured that the OpenBSD partition is flagged with fdisk.

Any ideas?

Kind Regards,
Nicolas






Re: IPPORT_RESERVED 'security' check in nfsd obsolete?

2017-01-19 Thread Nicolas Schmidt
On 19.01.2017 at 12:21, Theo de Raadt wrote:

>> Then may I suggest to add an option to disable this behaviour for specific
>> mounts?
>
> No.
>
> NFS always required reserved ports.

Do you mean that the "reserved ports restriction" is required as part of the
NFS protocol spec? I took a look at https://tools.ietf.org/html/rfc7530 , but
couldn't find anything related to that.



Re: IPPORT_RESERVED 'security' check in nfsd obsolete?

2017-01-19 Thread Nicolas Schmidt
> On 19.01.2017 at 01:20, Theo de Raadt wrote:
>
> No, this change will not be done.

Then may I suggest to add an option to disable this behaviour for specific
mounts? NetBSD provides the "-noresvport" flag for this. The following quote
is from the NetBSD man for exports:

"The -noresvport option specifies that NFS RPC calls for the filesystem do
not have to come from reserved ports. Normally, clients are required to use
reserved ports for operations. Using this option decreases the security of
your system."



IPPORT_RESERVED 'security' check in nfsd obsolete?

2017-01-18 Thread Nicolas Schmidt
Hello everyone,


I'd like to make a suggestion regarding NFS in OpenBSD; let me apologize in
advance if this isn't the right place to make this suggestion.

Currently (at least on 5.8, I haven't upgraded yet), the nfs daemon refuses to
accept a mount request if it comes from a non-privileged port (>=
IPPORT_RESERVED). As I understand, this was once a 'security feature' in the
time of mainframes, when access to computers was restricted. In any case, I
believe this behaviour should be changed as it does not provide security, and
also leads to problems: for example, it means one has to use the markedly
slower SMB protocol when using an OpenBSD server as a remote mount on a FireTV
stick (my use case).

I therefore propose to remove this source port check from the nfs code, or
alternatively, to add an option to export nfs volumes without this check. The
first thing can e.g. be accomplished by modifying the OpenBSD source in two
places, as follows (patches for 5.8):

patch /usr/src/sbin/mountd/mountd.c < mountd.patch
patch /usr/src/sys/nfs/nfs_subs.c < nfs_subs.patch

where

### start of mountd.patch ###
369c369
<   if (sport >= IPPORT_RESERVED) {
---
>   if (0 == 1) { // don't fail when sport >= IPPORT_RESERVED
467c467
<   if (sport >= IPPORT_RESERVED) {
---
>   if (0 == 1) { //don't fail when sport >= IPPORT_RESERVED
483c483
<   if (sport >= IPPORT_RESERVED) {
---
>   if (0 == 1) { //don't fail when sport >= IPPORT_RESERVED
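Review bot: `if (0 == 1)` at lines 369, 467 and 483 keeps each rejection branch in the file as dead code and removes the check for every export at once. If the check is to go, delete the branches; if it is to be optional, gate `sport >= IPPORT_RESERVED` on a per-export setting so existing exports keep the current behaviour. The patch is also a context-free normal diff, so it only applies to the exact mountd.c revision it was made from; `diff -u` output would be easier to review.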
### end of mountd.patch ###


### start of nfs_subs.patch ###
1455c1455
<   (ntohs(saddr->sin_port) >= IPPORT_RESERVED ||
---
>   (0 == 1 || // don't fail when sport >= IPPORT_RESERVED
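Review bot: `(0 == 1 ||` at line 1455 switches off the source-port test for every export, not only the one that needs it, and the hunk shows just the first line of a condition that continues after `||`, so the rest of the expression cannot be checked from here. A per-export flag consulted in this condition (the alternative the message itself mentions) would keep the test for all other exports; a unified diff with context would make the whole condition visible.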
### end of nfs_subs.patch ###


Best,
Nicolas Schmidt
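
The per-export alternative raised in this thread (keep the IPPORT_RESERVED test by default and skip it only for exports carrying a flag like NetBSD's -noresvport), as an added example. This is not OpenBSD's or NetBSD's code; the struct, the function names and the sample export lines are hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical per-export settings; not mountd's real data structure. */
struct export_opts {
    char path[128];
    int  noresvport;  /* 1 = accept source ports >= IPPORT_RESERVED */
};

/*
 * Parse one exports-style line such as "/srv/media -noresvport 192.0.2.20".
 * Only the -noresvport flag is interpreted; other tokens are skipped.
 * Returns 0 on success, -1 if the line does not start with an absolute path.
 */
int parse_export_line(const char *line, struct export_opts *o)
{
    const char *ws = " \t\r\n";
    const char *p = line + strspn(line, ws);
    size_t len = strcspn(p, ws);

    memset(o, 0, sizeof(*o));
    if (len == 0 || p[0] != '/' || len >= sizeof(o->path))
        return -1;
    memcpy(o->path, p, len);          /* path stays NUL-terminated (memset) */

    p += len;
    for (;;) {
        p += strspn(p, ws);           /* skip separators */
        if (*p == '\0')
            break;
        len = strcspn(p, ws);         /* length of the next token */
        if (len == strlen("-noresvport") &&
            strncmp(p, "-noresvport", len) == 0)
            o->noresvport = 1;
        p += len;
    }
    return 0;
}

/*
 * The check under discussion: a request passes if it comes from a
 * reserved port, or if this particular export opted out of the check.
 */
int source_port_ok(const struct sockaddr_in *peer, const struct export_opts *o)
{
    unsigned int sport = ntohs(peer->sin_port);

    if (sport < IPPORT_RESERVED)
        return 1;
    return o->noresvport;
}

/* Convenience wrapper: 1 = accept, 0 = refuse, -1 = bad export line. */
int check_request(const char *export_line, unsigned short src_port)
{
    struct export_opts o;
    struct sockaddr_in peer;

    if (parse_export_line(export_line, &o) != 0)
        return -1;
    memset(&peer, 0, sizeof(peer));
    peer.sin_family = AF_INET;
    peer.sin_port = htons(src_port);
    return source_port_ok(&peer, &o);
}

int main(void)
{
    /* Constructed sample export lines and source ports. */
    const char *strict  = "/srv/backup 192.0.2.10";
    const char *relaxed = "/srv/media -noresvport 192.0.2.20";

    printf("strict,  port 1023:  %d\n", check_request(strict, 1023));
    printf("strict,  port 40000: %d\n", check_request(strict, 40000));
    printf("relaxed, port 40000: %d\n", check_request(relaxed, 40000));
    return 0;
}
```

With this shape the default stays strict, and only the export that serves a client unable to bind a reserved port gives up the check.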



Intel Chipset c606 / c612

2015-05-13 Thread Nicolas Gailly
Hello,

I am unable to install OpenBSD on a supermicro server model
http://www.supermicro.com/products/system/1U/6017/SYS-6017R-N3RFT_.cfm.
OpenBSD is unable to detect any disks even though the BIOS does. When I try
with 'fdisk /dev/sd0' it says 'Unrecognized Devices'.
It seems to be an issue with the chipset. It uses the Intel c606 chipset.
Also, we wanted to buy more super micro server models:
http://www.supermicro.com/products/system/1u/6018/sys-6018r-tdtpr.cfm
But it doesn't seem to be supported by OpenBSD either.

Is it planned in a future release? Or is the c606 actually supported and
the problem is elsewhere?

Thank you,

Nicolas



Re: multicast packets on tun interface

2014-10-20 Thread Nicolas Haller

On 20/10/14 06:31 AM, Giancarlo Razzolini wrote:
> On 20-10-2014 01:53, Nicolas Haller wrote:
>> I have a strange issue while trying to reconfigure my Soekris after
>> the CompactFlash died.
>> Here the picture. I have a dedicated FreeBSD server linked with my
>> Soekris acting as my home gateway(which was running OpenBSD 4.0, and
>> now running OpenBSD 5.5).
>
> If you can, wait for November 1st for OpenBSD 5.6. It will be worth it.

Sure I can. Did you see any change fitting with my issue? I took a look
on the changelog but I didn't find anything relevant.
I think I'll try to reproduce the issue on two 5.5 OpenBSD VMs to rule
out (or not) FreeBSD and with the last snapshot to see if it fixes my issue.

>> The both machines talked to each other through an OpenVPN tunnel with
>> point-to-point tun interfaces. This part is working smoothly.
>
> IIRC, you'll need to use bridge based, instead of routed based openvpn
> connection. Just be aware that, depending on how you bridge your
> interfaces, there will be a lot of broadcast and multicast traffic going
> through it. You will probably need to block some of those and just allow
> the OSPF traffic.

I don't know. I don't want to extend my network to the remote node. I
mean, each location has its own subnet. The FreeBSD server contains
some Jails and an OpenVPN server for my cellular and my laptop, and they
are all on separate subnets too. That's why all my links between
locations are routed ones with OSPF on top.

Thanks for the answer, I'll keep you posted if I find something with my 
test on VMs.


--
Nicolas



Re: multicast packets on tun interface

2014-10-20 Thread Nicolas Haller

On 20/10/14 07:08 AM, Louis Bailleul wrote:
> I am using openvpn (with tun interfaces) and quagga to do something
> similar between two linux boxes.
>
> I experienced that exact issue a while back and managed to solve it by
> accident while upgrading openvpn ...
>
> I am currently using OpenVPN 2.2.1 x86_64-linux-gnu and quagga 0.99.23.1

The OpenBSD server is using the version 2.3.2 and the FreeBSD one the
version 2.3.4. :-/


Thanks

--
Nicolas



multicast packets on tun interface

2014-10-19 Thread Nicolas Haller

Hello,

I have a strange issue while trying to reconfigure my Soekris after the 
CompactFlash died.
Here the picture. I have a dedicated FreeBSD server linked with my 
Soekris acting as my home gateway(which was running OpenBSD 4.0, and now 
running OpenBSD 5.5).


The both machines talked to each other through an OpenVPN tunnel with 
point-to-point tun interfaces. This part is working smoothly.



FreeBSD server --- internet --- OpenBSD Soekris -- home
     tun4                            tun0        network
   10.8.0.6                        10.8.0.5
       \------------------------------/

Using this tunnel, two OpenOSPF daemons are running. The one on the
OpenBSD server is receiving the OSPF HELLO from the FreeBSD server but
the FreeBSD server doesn't receive the HELLO from the OpenBSD server.


So, where are the OpenBSD HELLO packets? I don't know. A tcpdump on the 
FreeBSD's tun interface shows nothing is received. A tcpdump on the 
OpenBSD tun interface shows the packet seems to be sent.
Using ktrace/kdump on the OpenVPN daemon on the OpenBSD server, it seems 
the daemon does nothing to send the HELLO packet, like it's not aware it 
has to send these packets.


---------- OpenBSD server -----------                - Freebsd Box -
OpenOSPF -- tun0 -- OpenVPN -- ext_if -- internet -- ext_if -- tun4
   |         |         |                                        |
 packet   tcpdump   nothing                                  nothing
  sent    shows it  here!!                                   received


If I do a ping -I 10.8.0.6 224.0.0.5 from the FreeBSD server, I can see
the packet on the OpenBSD tun interface.
If I do a ping -I 10.8.0.5 224.0.0.5 from the OpenBSD server, packets
seem lost at the same point (between tun0 and OpenVPN).


I did the test with pf disabled on both servers. I tried to remove the
224/4 and ::224.0.0.0/100 routes from the OpenBSD routing table. I also
tried to destroy the tun interfaces and restart the daemons.


Here some information about the OpenBSD server:
- it's a brand new OpenBSD 5.5
OpenBSD vauban.foo.bar 5.5 GENERIC#276 i386
- pf was disabled on both side
- The openVPN is the following:
OpenVPN 2.3.2 i386-unknown-openbsd5.5 [SSL (OpenSSL)] [LZO] [eurephia] 
[MH] [IPv6] built on Mar  5 2014


- The ifconfig output of both tun ifs:
OpenBSD
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
        priority: 0
        groups: tun
        status: active
        inet6 fe80::200:24ff:fecc:7c74%tun0 ->  prefixlen 64 scopeid 0x9
        inet 10.8.0.5 --> 10.8.0.6 netmask 0x
FreeBSD
tun4: flags=8151<UP,POINTOPOINT,RUNNING,PROMISC,MULTICAST> metric 0 mtu 1500
        options=8<LINKSTATE>
        inet6 fe80::e23f:49ff:fee6:332d%tun4 prefixlen 64 scopeid 0x12
        inet 10.8.0.6 --> 10.8.0.5 netmask 0x
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        Opened by PID 94692

The ospf configuration:
**OpenBSD**
router-id 192.168.0.3

stub router no
fib-update yes
no redistribute default
no redistribute my ISP subnet
redistribute connected

area 0.0.0.0 {
interface tun0
interface lo1 { passive }
}

**FreeBSD**
router-id 192.168.0.1

stub router no
fib-update yes
no redistribute default
no redistribute my ISP subnet
redistribute connected

area 0.0.0.0 {
interface tun0
interface tun1
interface tun2
interface tun3
interface tun4
interface lo1 { passive }
}

So if you can help me to find these missing multicast HELLO, it would
be great :-)


Thanks

--
Nicolas



Re: Connection drop (i.e. IRC) caused by pf/pfsync/carp/...?

2014-10-10 Thread Nicolas Christener
Hi

First, thank you Paul and Andy for your input! I'm very thankful for
your effort!

On Thu, 2014-10-09 at 16:08 +0100, Andy wrote:
> I have seen this when the allowed number or states is too low and PF
> clears the idle states too early..
>
> See http://www.openbsd.org/faq/pf/options.html;
> set optimization/option/

We already had optimization set to conservative and we also followed
[1] to be sure that we don't hit the state table limit.
The state table limit is set to 300k and we're seeing around 110k states
per average and no massive peaks.

But what we do see is the following quite high number - could this be a
problem (pfctl -s info)?:
# pfctl -s info 
state-mismatch   90777051.4/s
congestion  22280.0/s

Some settings from our pf.conf which could be related:
set block-policy return
set debug urgent
set fingerprints /etc/pf.os
set limit states 30
set limit src-nodes 5
set loginterface none
set optimization conservative
set reassemble no
set ruleset-optimization basic
set state-policy floating
set timeout frag 30
set timeout interval 10

So according to Paul the problem lies somewhere in pf itself, should we
file a bug in that case? Or can we do something more to make sure that
the problem isn't on our side?

Thanks again for your help and have a nice day!

Kind regards,
Nicolas

[1]
http://www.packetmischief.ca/2011/02/17/hitting-the-pf-state-table-limit/



Connection drop (i.e. IRC) caused by pf/pfsync/carp/...?

2014-10-09 Thread Nicolas Christener
Hello

We have a somewhat curious issue and run out of ideas ;)

We do not have a trigger to reproduce the issue, but we for example see
some IRC disconnects from users behind our firewall.

What we have:
- two HP Proliant DL360 G5 with Broadcom BCM5708 NICs, 2GB RAM,
  Intel Xeon E5335@2.0GHz
- OpenBSD 5.5
- trunk between the two NICs
- 13 VLANs interfaces with carp failover
- one VLAN for pfsync
- ospfd and ospf6d
- approx. 200Mbit/s of traffic
- the initial pfsync takes quite long (~1h)

The setup looks like this (not sure if relevant):
- both servers have a failover trunk with two interfaces
- all traffic including pfsync is sent over this trunk
- the problem also occurs, if we disable one box

What happens/what we tried:
The main issue is, that we occasionally see broken SSH connections and
quite a lot of broken IRC connections during the day. It looks a bit
like the problem happens more in the evening - however we do not see a
correlation with the amount of traffic or number of connections.
As a first reaction we updated to the latest stable OpenBSD release
which didn't solve the issue. Afterwards we replaced the onboard
Broadcom NIC with a PCIe Intel 82576 (em driver) card, however this card
seems to cause some new issues - i.e. we see quite some input (rx)
errors using netstat -i. Because we don't see such errors using the
Broadcom NICs we decided to not investigate this issue any further and
switch back to the Broadcom setup.
Besides those steps we also disabled one of the boxes by stopping ospf
and removing the carp interfaces - however, the disconnects didn't go
away. 
Furthermore we also checked if any state-tables are overflowing and we
didn't find any suspicious kernel messages either.

We have quite a similar setup which doesn't show those issues - however
we don't have the same amount of traffic over those systems.

I uploaded some information about the system to this place:
* sysctl -a http://dpaste.com/08VBA93
* pfctl (w/o rules and states) http://dpaste.com/2BBJG5P
Feel free to ask for more if needed.

Long story short; do you have any hints or ideas where we could look
next? Did you ever see such a problem in an other setup? At least to me,
it looks like long-during sessions (like IRC) are somehow affected -
does this ring some bells?

I appreciate any hints and hope that I didn't miss any important
information - otherwise feel free to bug me.

Thanks in advance and have a nice day!

Kind regards,
Nicolas



Re: Interactive Unix System V/386 Release 3.2

2014-07-23 Thread Nicolas
Christopher Zimmermann <chrisz at openbsd.org> writes:
>
> Hi,
>
> I got two SunSoft Unix System V 3.2 of 1994. With still sealed
> installation diskettes, user's and
> maintenance Guides. Anyone interested? I could ship them from germany.
>
> Christopher
>
> --
> http://gmerlin.de
> OpenPGP: http://gmerlin.de/christopher.pub
> F190 D013 8F01 AA53 E080  3F3C F17F B0A1 D44E 4FEE

Hi Christopher,

   Any chance that you still have those disks? I'm in particular looking for
the INTERACTIVE Network Drivers extension disk. 

   It's one final piece that I'd need to have networking in a PCIX VM.

The manual does say: "The INTERACTIVE(TM) Network Drivers extension from
SunSoft is supplied with some SunSoft(TM) networking products, such as
INTERACTIVE TCP/IP."

Regards,
Nicolas



Re: OpenBSD forked

2012-06-23 Thread Nicolas Legrand
Hey,

On Fri, Jun 22, 2012 at 03:04:39PM +0200, Marc Espie wrote:
> On Fri, Jun 22, 2012 at 02:55:02PM +0200, Gilles Chehade wrote:
>> That's an implementation detail :-p
>>
>> Someone who really wants to understand things will look at the man
>> pages and try to understand, someone who doesn't give a damn about
>> getting things done right will produce crap with or without proper
>> courses ...
>
> I don't think you can really understand fork/exit/wait without proper
> course material, just from the man pages.
>
> That is, read R.J.Steven, obviously.

Do you have a reference for this?

cheers,

-- 
n



Re: Can't install rrdtool on OpenBSD 5.0

2012-05-02 Thread Nicolas Pence
Hi, if you upgrade to 5.1 you'll have the same problem
(but for libfreetype.so.18.1).

You don't really need to install the complete xbase,
just that specific library, you can do it like this
(change the values for your release and libfreetype version):

tar -C / -xzphf xbase51.tgz ./usr/X11R6/lib/libfreetype.so.18.1

you can check yours with:

tar tvzf xbase${RELEASE}.tgz | grep libfreetype.so

good luck!

On 02/05/12 17:30, R0me0 *** wrote:
> Installing xbase solve problem
>
> =/
>
> 2012/5/2 R0me0 *** knight@gmail.com
>
>> Hello misc,
>>
>> I'm trying to install:
>> pkg_add -vi
>> ftp://ftp.openbsd.org/pub/OpenBSD/5.0/packages/i386/rrdtool-1.2.30p3.tgz
>> but
>> I got this error:
>>
>> Can't install rrdtool-1.2.30p3 because of libraries
>> |library freetype.18.0 not found
>> | not found anywhere
>> Direct dependencies for rrdtool-1.2.30p3 resolve to png-1.5.4 libart-2.3.21
>> Full dependency tree is png-1.5.4 libart-2.3.21
>>
>> png and libart are installed, ( I tried install X sets too without success
>> )
>>
>> Any directions are appreciated,
>>
>> Regards,



Re: DNS Google ?

2011-11-22 Thread Nicolas Pence
On 22/11/11 15:16, Nick Holland wrote:
 On 11/22/11 10:31, Claer wrote:
 On Tue, Nov 22 2011 at 13:16, Jan Stary wrote:
 On Nov 22 08:16:21, Nick Holland wrote:
 Long term, BIND is done.
 Long term, unbound will probably be replacing it in OpenBSD.

 IF you are doing anything beyond a simple resolver, I'd agree
 completely...take the time to learn unbound/nsd (or djbdns or ...)

 However, right now, unbound is a package requiring separate install and
 maintenance.

 Nick, would you please clarify:

 nsd(8) is in base, unbound is a package;
 yet it is unbound who's gonna be the default resolver?
 What is the status of nsd then? (I am just about to try
 it on one of my resolvers).

 NSD is just an autoritative name server that doesn't do cache and does not
 answer recursive queries.
 nsd and unbound are complementary.


I've changed several DNS's from bind to unbound without problems and
with a few great improvements, lower RAM usage, improved Query Speed,
among others.

Configuration is really easy as unbound.conf is nicely documented.

unbound-control(8) is quite helpful; it allows you to run the server and
do administrative tasks such as remove a recursed zone from memory so
you can update it
again by making a query, reload configuration, etc.

Another good thing is that DNSSEC configuration is relatively simple
using unbound-anchor(8).

> nsd and unbound are complementary.
Well... Unbound allows you to resolve and to be authoritative, so it
does both functions, and it works well.

I've tried before unbound(8), MaraDNS, and in a small environment it
behaves properly, you can do both tasks too, but on boxes with high
traffic it didn't run well (a lot of Didn't spawn thread messages),
maybe my fault, but I didn't want to modify any OpenBSD default
configuration, and unbound worked fine out-of-the-box without tuning.

Some people even recommended djbdns, but again, unbound is in
packages/ports, secured by chroot(), good security record, removed root
privileges, I really didn't feel the need to re-invent the wheel.

If you are worried about performance, I can tell you that it runs
at 400 ~ 500 queries/second smoothly on 5.0 amd64 GENERIC.MP with
num-threads: 2 configured on unbound.conf(5).

thanks to jakob@ for porting !



Re: Updating plus.html

2011-11-02 Thread Nicolas P. M. Legrand
Hey,

On Wed, Nov 02, 2011 at 06:57:22AM -0500, Amit Kulkarni wrote:
> On Wed, Nov 2, 2011 at 6:42 AM, Brett brett.ma...@gmx.com wrote:
>> Hi,
>> If no-one else is updating this page, I will do it. Can someone tell me
>> what date the OPENBSD_5_0 tag was added so I know when to start from? I
>> couldn't figure out if this was possible from cvs. My plan is to go
>> through the source changes and plunder from the commit messages.
>> Brett.
>
> Brett,
> I offered to do it. But I am contributing to KDE porting and that's
> taking a lot of time, so if you could do the plus.html, just great! I
> didn't realize that diffing plus.html would take so much of my time.
> That's real work.
>
> I would say, you follow the github.com/openbsd repo, and do a git log.
>
> OpenBSD 5.0 tag was added on August 8th per the latest changelog
> ftp://ftp.openbsd.org/pub/OpenBSD/Changelogs/ChangeLog
>
> I have a diff for updating plus50.html but it needs further
> corrections, right now it takes to 06/20/2011 from 05/15/2011. I will
> do the diff tomorrow and then I hope you can do the future diffs?
>
> You would need to download the www repo and cvs diff -u against plus.html
>
> thanks in advance


I've done most of the latest updates with Janne's corrections. It's
true I have a lot of difficulties to find time to do it lately, sorry
:(, so maybe it'll be better if someone else takes it now.

Anyway I'm a bit surprised some other people worked on it, I've worked
with Janne and some stuff are almost but not yet published (to week
#26, the beginning of c2k11 for 5.0, and week #33 and #34 of
current). I've done some work I could submit soon to Janne with weeks
#35, #36 and #37. Let me know if it's needed.

Doing a week of plus.html is about 3 or 4 hours of work for me, I've
learned a lot of stuff by doing it and that's cool. Unfortunately, new
job and weird life have distracted me a lot lately. I'd be happy to
give any insight I can on the subject :).

Cheers,

-- 
nicolas



Re: OpenBSD 4.9 pre-orders

2011-03-16 Thread Nicolas P. M. Legrand
On Wed, Mar 16, 2011 at 05:06:30PM +1100, Rod Whitworth wrote:
> On Tue, 15 Mar 2011 15:10:02 -0600, Theo de Raadt wrote:
>
>> I've turned on OpenBSD 4.9 pre-orders.  Support us by buying something
>> please.   These sales are a part of keeping the project going.
>>
>> As for clothing... there's going to be a black hoodie this time.
>>
>> Of course there is an OpenBSD 4.9 song to go with the new artwork.
>> That is at:
>>  http://www.openbsd.org/lyrics.html
>>
>> Enjoy!
>
> Hey guys,
> usually when Theo puts out the pre-order message there is a flood of
> messages about who has ordered what and, although it's no genuine race,
> there are many who kinda compete to be first.
>
> I'm #13 so twelve guys beat me and they aren't even boasting. WTF?
>
> Only two related messages on undeadly.org
>
> C'mon don't you like your new CDs and swag?
>
> Order up!

I hate so much people posting photos of the latest OpenBSD CDs sets
while I'm not having it yet that I ordered them as soon as I read the
announcement.

Maybe I beat you, I didn't boast, because I didn't really know what to
say apart from AWESOME!!! or THANK YOU SO MUCH!!! and since
capitalized letters and multiple exclamation points are kinda silly I
just gave money and remained silent :).

> The song's pretty good too and it's free to download.

Right!

cheers,

-- 
n



Re: Tracking What it's changing in current

2011-02-16 Thread Nicolas P. M. Legrand
On Wed, Feb 16, 2011 at 12:01:22PM -0500, Luis Useche wrote:
> One thing I would really like to see is the diffs of every commit. This is
> available for DragonflyBSD for instance. Is there a way to find this on
> OBSD?

CVS and git are very different I don't think you can easily have this
feature with CVS (if it exists I'd be glad to know it :)). Personally
I follow the commit changes on marc.info
http://marc.info/?l=openbsd-cvs&r=1&w=2 and use CVS tools (cvs
itself or Emacs version control) with a local source tree when I want
to see the diffs.



Re: Tracking What it's changing in current

2011-02-16 Thread Nicolas P. M. Legrand
On Wed, Feb 16, 2011 at 11:16:01AM -0800, patrick keshishian wrote:
> On Wed, Feb 16, 2011 at 10:29 AM, Nicolas P. M. Legrand
> nlegr...@ethelred.fr wrote:
>> On Wed, Feb 16, 2011 at 12:01:22PM -0500, Luis Useche wrote:
>>> One thing I would really like to see is the diffs of every commit. This is
>>> available for DragonflyBSD for instance. Is there a way to find this on
>>> OBSD?
>>
>> CVS and git are very different I don't think you can easily have this
>> feature with CVS (if it exists I'd be glad to know it :)). Personally
>
> Sure it can. see CVSROOT/loginfo. You define a filter and need a
> filter-script that will take files with changed revisions, do the 'cvs
> diff' and mail out the outputs.

ha thanks! I'll have a look.



Re: Advice on learning C as first language

2010-11-25 Thread Nicolas P. M. Legrand
On Thu, Nov 25, 2010 at 09:26:52AM -0500, Kenneth Gober wrote:
> On Thu, Nov 25, 2010 at 7:20 AM, Christiano F. Haesbaert
> haesba...@haesbaert.org wrote:
>
>> On 24 November 2010 13:55, Kenneth Gober kgo...@gmail.com wrote:
>>> since you've indicated that you are interested in a 'first' language, I
>>> must
>>> assume you plan to learn other languages later.  as a result, I strongly
>>> recommend that you start with the book Structure and Interpretation of
>>> Computer Programs (available online at
>>> http://mitpress.mit.edu/sicp/full-text/book/book.html, or you can buy a
>>> paper copy if you prefer, for example from Amazon:
>>> http://www.amazon.com/Structure-Interpretation-Computer-Programs-Engineering/dp/0262011530
>>> ).
>>> this book will give you an excellent foundation on programming in
>>> general
>>> (and the Scheme programming language in specific).
>>
>> Are you insane ?
>> Recommending  SICP to a guy that just started programming and CS in general
>> ?
>> Have in mind that not everyone is a MIT grad.
>>
>> Learning lisp/scheme as one's first language is sweet, but it just
>> doesn't happen in 2010, that makes me sad, but it's the truth. Before
>> flaming me, I'm quite fond of scheme and elisp.
>
> SICP isn't used to teach MIT grads, it's used as the entry-level course to
> teach MIT undergrads how to program (or so I understand, I never went to
> MIT).  if a college undergrad can use it to learn programming while also
> taking 5-6 other classes at the same time, then I'm confident the OP (who I
> assume isn't trying to learn 4-5 other things at the same time) can manage
> the task as well.

actually I'm not sure it's used anymore

http://www.wisdomandwonder.com/link/2110/why-mit-switched-from-scheme-to-python

It's on the list of books I want to read anyway :)



Re: Advice on learning C as first language

2010-11-24 Thread Nicolas P. M. Legrand
On Wed, Nov 24, 2010 at 03:49:27PM +, Jona Joachim wrote:
> On 2010-11-24, Jan Stary h...@stare.cz wrote:
>> On Nov 24 06:55:20, James Hozier wrote:
>>> I read online that the first programming language one learns could
>>> be crucial to the person's future programming skills and habits
>>> that become ported to other programming languages they learn later
>>
>> Start with LISP, I'm tellin' ya.
>
> Come on, LISP is from teh past, learn Haskell already.

http://www.lisperati.com/landoflisp/panel57.html
 
from http://landoflisp.com/

:)



Re: OpenCVS in Base?

2010-11-20 Thread Nicolas P. M. Legrand
On Sat, Nov 20, 2010 at 01:05:21AM -0700, Clint Pachl wrote:
> I am starting a new project that needs version control and I was
> thinking about using OpenCVS. However, I'm not sure if it is in the
> base (I'm running -current). My old 4.4 firewall has
> /usr/bin/opencvs. Is /usr/bin/cvs actually opencvs?

No /usr/bin/cvs is GNU CVS:

/usr/bin/cvs -v

> I noticed http://www.openbsd.org/plus48.html states Removed OpenCVS
> from the build.

It means the sources are still there, but aren't built with the whole
system. You have to build it yourself with something like:

cd /usr/src/usr.bin/cvs
make
sudo make install

Here is the commit mentioning the removal from the build:

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/Makefile#rev1.114

Since then the commits on OpenCVS and OpenRCS have been pretty active
again, but not yet put back in the build:

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/cvs/

> And OpenCVS.org directs me to
> http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/cvs/.
>
> What's the status?

The default CVS shipped with OpenBSD is still GNU CVS. So I wouldn't
use OpenCVS unless I wanted to test it and/or improve it.



Re: OpenBSD PPC on iBook G3 -- Wireless alternatives?

2010-11-07 Thread Nicolas P. M. Legrand
Hello,

On Sat, Nov 06, 2010 at 08:30:54PM -0600, David Astua wrote:
> I've just got an old iBook G3, and want to run OpenBSD on it, so
> there's some recommendation about which USB wireless adapter would
> work better on this PPC laptop?
> The idea is to to learn PPC assembly and do some C code on it, there's
> no need for X or sound, a minimal install and some developer tools
> would be enough for me.
>
> So all I need on this box is OpenBSD/Vi/Wifi/OpenBSD sticker to cover
> the Apple Logo.

I have a D-Link DWA-110 I have plugged in various G3/G4 PPC systems
that works very well.

rum0 at uhub1 port 4 Ralink 802.11 bg WLAN rev 2.00/0.01 addr 2
rum0: MAC/BBP RT2573 (rev 0x2573a), RF RT2528, address ba:ba:ba:ba:ba:ba

cheers,

-- 
nicolas



Re: Ordering CDs in Europe becoming increasingly difficult

2010-07-08 Thread Nicolas P. M. Legrand
I've bought from the computer shop directly on three occasions, I get
the CDs in the right time and I didn't feel the shipping was that
expensive. In fact, I think it was quite the same.

I'm working near Eyrolles, and I haven't seen OpenBSD sets there for a
long time. Not far from Eyrolles, the excellent book shop le monde en
tique http://www.lmet.fr/ sells them, but they receive them some
time after official release day.

Personally I'll keep buying from the Computer Shop. They are nice and
efficient.

cheers,

-- 
nicolas

On Thu, Jul 08, 2010 at 01:31:26PM +0200, Andri Braselmann wrote:
> On Thu, Jul 08, 2010 at 12:21:54PM +0100, John Wright wrote:
>
>>> Ordering the CD sets just isn't as much fun anymore as it used to be.
>>
>> I feel the same way.
>
> rrright.
>
> Andri



diff for getenv.3

2010-07-03 Thread Nicolas P. M. Legrand
to reflect changes from this commit :

http://marc.info/?l=openbsd-cvs&m=127778468909371&w=2

Index: getenv.3
===
RCS file: /cvs/openbsd/src/lib/libc/stdlib/getenv.3,v
retrieving revision 1.14
diff -u -r1.14 getenv.3
--- getenv.310 Mar 2010 20:46:16 -  1.14
+++ getenv.33 Jul 2010 14:33:53 -
@@ -130,6 +130,12 @@
 character.
 .Pp
 The
+.Fn unsetenv
+function was passed an empty
+.Ar name
+or a NULL pointer.
+.Pp
+The
 .Fn putenv
 function was passed a
 .Ar string
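Review bot: the last added line writes NULL as plain text; mdoc pages normally mark it up, for example as `.Dv NULL`. The new paragraph also follows an entry that ends in "character.", so if that entry already covers unsetenv, the empty-name and NULL cases may read better merged into it than as a separate `.Pp` block.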



Time to restart plus.html, the daily changelog

2010-06-03 Thread Nicolas P. M. Legrand
Hello,

after a talk initiated by Rod Whitworth on www@ it seems some people
are willing to restart the daily changelog, after it stopped last
November. We could set up a team to submit plus.html diffs. If you are
interested please email me.

cheers,

-- 
nicolas



typos in upgrade47.html

2010-05-09 Thread Nicolas P. M. Legrand
Hello,

received the CDs on friday, a very nice moment as always, thanks
everyone :-).

I saw minor typos in upgrade47.html while upgrading, useless prompt,
useless sudo and use of obsolete -F pkg_add flag:

Index: upgrade47.html
===
RCS file: /cvs/openbsd/www/faq/upgrade47.html,v
retrieving revision 1.8
diff -u -r1.8 upgrade47.html
--- upgrade47.html  6 May 2010 01:36:59 -   1.8
+++ upgrade47.html  9 May 2010 14:40:26 -
@@ -553,7 +553,7 @@
 your $RELEASEPATH, run it with:
 
 blockquotepre
-# bsudo sysmerge -s $RELEASEPATH/etc47.tgz -x $RELEASEPATH/xetc47.tgz/b
+bsysmerge -s $RELEASEPATH/etc47.tgz -x $RELEASEPATH/xetc47.tgz/b
 /pre/blockquote
 
 Sysmerge(8) will show you a unified
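Review bot: the "+" line for sysmerge drops both the "#" prompt and "sudo", so nothing left in this hunk tells the reader the command has to run as root. Put that in the sentence ending "run it with:" (for example "run it as root with:") instead of relying on a prompt character.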
@@ -654,7 +654,7 @@
 and use something like
  
 blockquotepre
-#b pkg_add -ui -F update -F updatedepends/b
+bpkg_add -ui -D update -D updatedepends/b
 /pre/blockquote
 
 where the tt-u/tt indicates update mode, and tt-i/tt specifies
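Review bot: the "+" line for pkg_add makes two unrelated changes at once, replacing "-F update -F updatedepends" with "-D update -D updatedepends" and removing the "#" prompt; they would be easier to review as separate lines of reasoning in the message. The explanation that begins in the trailing context ("where the ... indicates update mode") continues past this hunk and should be checked for a description of -F that now needs to say -D.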



Re: typos in upgrade47.html

2010-05-09 Thread Nicolas P. M. Legrand
On Sun, May 09, 2010 at 08:17:29PM +0100, Jason McIntyre wrote:
 On Sun, May 09, 2010 at 04:49:26PM +0200, Nicolas P. M. Legrand wrote:
  Hello,
  
  received the CDs on friday, a very nice moment as always, thanks
  everyone :-).
  
  I saw minor typos in upgrade47.html while upgrading, useless prompt,
  useless sudo and use of obsolete -F pkg_add flag:
  
  Index: upgrade47.html
  ===
  RCS file: /cvs/openbsd/www/faq/upgrade47.html,v
  retrieving revision 1.8
  diff -u -r1.8 upgrade47.html
  --- upgrade47.html  6 May 2010 01:36:59 -   1.8
  +++ upgrade47.html  9 May 2010 14:40:26 -
  @@ -553,7 +553,7 @@
   your $RELEASEPATH, run it with:
   
   blockquotepre
  -# bsudo sysmerge -s $RELEASEPATH/etc47.tgz -x $RELEASEPATH/xetc47.tgz/b
  +bsysmerge -s $RELEASEPATH/etc47.tgz -x $RELEASEPATH/xetc47.tgz/b
   /pre/blockquote
   
 
 this should either be # or $ sudo, i think, which is how we normally
 refer to prompts. i'm not sure whether that's a consistent faq thing too
 though.

Sorry i didn't mention it has already been discussed for upgrade46.html:

http://marc.info/?l=openbsd-misc&m=125696072511365&w=2

Nick then said:

Slapping a sudo in front
of everything they contribute to the FAQ is some people's style,
but not mine.  And yes, the # in front is really annoying, since
much of upgrade46.html (including that line) is intended to be
copy/pasted.  This is not true of most of the rest of the FAQ, where
I generally DON'T want people to copy/paste blindly and ignorantly.

reading upgrade47.html for the first time, i thought it must be a sort
of copy/paste error and that I should mention it again. By the way
maybe there is a better way to mention this kind of problem than
posting on misc?

regards,

-- 
nicolas



typo in faq/index.html

2010-01-22 Thread Nicolas Legrand
Index: faq/index.html
===
RCS file: /cvs/openbsd/www/faq/index.html,v
retrieving revision 1.320
diff -u -r1.320 index.html
--- faq/index.html  16 Dec 2009 04:32:35 -  1.320
+++ faq/index.html  22 Jan 2010 15:25:35 -
@@ -144,7 +144,7 @@
 lia href=faq4.html#Boot4.4 - Booting OpenBSD install
 media/a
 lia href=faq4.html#Install 4.5 - Performing an install/a
-lia href=faq4.html#More4.6 - Details for more a more complex
+lia href=faq4.html#More4.6 - Details for a more complex
 install/a
 lia href=faq4.html#FilesNeeded 4.7 - What files are needed for
 Installation?/a
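Review bot: the fix to the faq4.html#More entry is fine, but this line is only the index copy of the section title. The heading at faq4.html#More itself should be checked for the same doubled "more a more" and corrected in the same diff if it is there.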



Re: release(8), xenocara/README and faq5.html

2009-11-23 Thread Nicolas Legrand
On Fri, Nov 20, 2009 at 09:44:21PM +, Jason McIntyre wrote:
> On Sat, Oct 31, 2009 at 12:14:46AM +0100, Nicolas Legrand wrote:
> > Hey,
> >
> > in Building Xenocara (release(8), xenocara/README, faq5.html) should:
> >
> > # rm -rf /usr/xobj/*
> >
> > be removed from faq5.html or added to release(8) and xenocara/README?
>
> sorry to take 2 weeks to reply... looks like no one knows, so do as you
> please...

Actually I ran into a problem compiling a 46-stable xenocara while
following release(8) and xenocara/README. It's by reading faq5.html
that I found the rm -rf /usr/xobj/* and then it worked. It was added
last year by nick@ on this revision:

http://www.openbsd.org/cgi-bin/cvsweb/www/faq/faq5.html?rev=1.166&content-type=text/x-cvsweb-markup

I was wondering if it was a useful add just for this time or if it
should be run every time. In fact I'm a bit surprised you could keep
your /usr/xobj/* from a make to another one, I thought it was better
to clean it, so old .o won't be reused? Or am I missing something?

regards,

-- nl



Useless '#' prompt in upgrade46.html?

2009-10-30 Thread Nicolas Legrand
Hey,

thanks for all the great work on 46, it's delicious.

I've been a bit confused to see in upgrade46.html commands with the
'#' prompt at the end of the page (for sysmerge and pkg_add) since no
preceding commands had a prompt. Reading '# sudo' was even
weirder. Wouldn't it be more consistent with the rest of the page to
remove them?

regards,

-- nl

Index: www/faq/upgrade46.html
===
RCS file: /cvs/openbsd/www/faq/upgrade46.html,v
retrieving revision 1.17
diff -u -r1.17 upgrade46.html
--- www/faq/upgrade46.html  19 Oct 2009 23:30:39 -  1.17
+++ www/faq/upgrade46.html  30 Oct 2009 13:47:17 -
@@ -615,7 +615,7 @@
 your $RELEASEPATH, run it with:
 
 blockquotepre
-# bsudo sysmerge -as $RELEASEPATH/etc46.tgz -x $RELEASEPATH/xetc46.tgz/b
+bsysmerge -as $RELEASEPATH/etc46.tgz -x $RELEASEPATH/xetc46.tgz/b
 /pre/blockquote
 
 Sysmerge(8) will show you a unified
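Review bot: the "+" line for sysmerge removes "sudo" as well as the "#" prompt, while the second hunk removes only the prompt from the pkg_add line, so the two commands are not treated the same way and the subject mentions only the prompt. If dropping "sudo" is intended, say so in the message and make the privilege requirement explicit in the text before the command.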
@@ -705,7 +705,7 @@
 and use something like
  
 blockquotepre
-#b pkg_add -ui -F update -F updatedepends/b
+bpkg_add -ui -F update -F updatedepends/b
 /pre/blockquote
 
 where the tt-u/tt indicates update mode, and tt-i/tt specifies



Re: Useless '#' prompt in upgrade46.html?

2009-10-30 Thread Nicolas Legrand
Hey,

On Fri, Oct 30, 2009 at 03:09:30PM -0400, Brynet wrote:
> [...]
> It is quite traditional to use '#' or '$' to indicate whether a
> command is to be executed as root or as normal user, it is Bourne/Korn
> shell lingo.

Sure, but it wasn't exactly my point, my point was preceding examples
of commands don't have a prompt. It's more about typographical
harmonization.



release(8), xenocara/README and faq5.html

2009-10-30 Thread Nicolas Legrand
Hey,

in Building Xenocara (release(8), xenocara/README, faq5.html) should:

# rm -rf /usr/xobj/*

be removed from faq5.html or added to release(8) and xenocara/README?



smtpd IP log

2009-10-19 Thread Philippe NICOLAS
Hello

I tried smtpd for a while and I must admit it is very convenient to use !

Anyway is it possible for smtpd to log the IP of the remote server in the
maillog as sendmail did it ?

Thanks



Re: no hostname in mails sent with smtpd in a crontab

2009-10-13 Thread Nicolas Letellier
I tested with the latest files on CVS (this morning), the error is 
always here.

To reproduce the problem:

  - edit crontab root
  - set a fake cronjob which prints anything: */1 * * * * ls /
  - set a root alias (/etc/mail/aliases) to another mail (root: 
yourem...@yourprovider.com)

And wait to receive the mail... See the header (I replaced my full 
hostname by sub.domain.net, and the root alias by yourem...@free.fr)

 From - Tue Oct 13 09:34:56 2009
X-Account-Key: account4
X-UIDL: 1255419242.14725.mrelay6-g25
X-Mozilla-Status: 0001
X-Mozilla-Status2: 
X-Mozilla-Keys:
Return-Path: r...@sub.domain.net
Delivered-To: yourem...@free.fr
Received: (qmail 14687 invoked from network); 13 Oct 2009 07:34:02 -
Received: from mx23-g26.free.fr (HELO sub.domain.net) (212.xx.xx.xx)
   by mrelay6-g25.free.fr with SMTP; 13 Oct 2009 07:34:02 -
Received: from sub.domain.net ([82.xxx.xx.xxx])
 by mx2-g20.free.fr (MXproxy) for yourem...@free.fr ;
 Tue, 13 Oct 2009 09:34:02 +0200 (CEST)
X-ProXaD-SC: state=HAM score=10
Received: from localhost (0...@localhost [IPv6:::1])
 by sub.domain.net (OpenSMTPD) with ESMTP id 1255419241.POaAAxCh6duP43wr
 for r...@sub.domain.net; Tue, 13 Oct 2009 09:34:01 +0200 (CEST)
Date: Tue, 13 Oct 2009 09:34:01 +0200 (CEST)
Message-Id: 5391984582864661144.enqu...@sub.domain.tld
From: root (Cron Daemon)
To: root
Subject: Cron r...@esgaroth ls /
Auto-Submitted: auto-generated
X-Cron-Env: SHELL=/bin/sh
X-Cron-Env: PATH=/bin:/sbin:/usr/bin:/usr/sbin
X-Cron-Env: HOME=/var/log
X-Cron-Env: LOGNAME=root
X-Cron-Env: USER=root

As you can see, the problem is the From field. There is no hostname 
here. So, a MUA can't answer to it.

If you send a mail with : echo hello world | mail 
youru...@yourprovider.com, no problem. The problem is *only* when a mail 
is sent from and by a crontab with OpenSMTPd (no problems with Sendmail 
or Postfix).

Regards,

Nicolas

On 13/10/2009 08:52, Gilles Chehade wrote:
 I'll fix this by this week-end, yesterday's late bug tracking of this 
 issue
 was not successful, I can totally reproduce it on my production 
 server, but
 not on the box im hacking on ...

 Gilles

 Nicolas Letellier wrote:
 Hello.

 I'm on a OPENBSD_4_6. I use smtpd instead of sendmail. All works 
 perfect with it, except one point. When a mail is sent from a 
 crontab, the mail received has this in the header:

  From: root (Cron Daemon)

 I have no hostname, no domain, nothing. Just the user in the From part.

 This case is only when a mail is sent from a crontab (crontab -e -u 
 root). With this line for example:

  */1 *   *   *   *   echo test

 So, we can't answer to this mail, or know who is the machine which 
 sends it. However, in other information in the header, we can see the 
 domain in 'Received' parts.


 See my /etc/mail/smtpd.conf:
  listen on sk0

  hostname my.hostname.tld

  map aliases { source db /etc/mail/aliases.db }

  accept from all for local deliver to mbox
  accept for all relay

 See the end of /etc/mail/aliases
  root:   u...@myprovider.tld


 And, other question... Why Cron Daemon AND root are printed in my 
 From?

 Thanks.

 Regards,



-- 
Nicolas
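
The symptom reported in this message can be checked mechanically. The following is an added example, not part of the original post: it parses a constructed copy of the address headers (with `root@sub.domain.net` standing in for the obfuscated addresses) and lists every address that has no domain. It also shows where the two names come from: Python's parser reports the header comment `(Cron Daemon)` as the display name next to the address `root`.

```python
from email import message_from_string
from email.utils import formataddr, getaddresses

# Constructed sample modelled on the headers quoted in the post; the host
# name sub.domain.net is the placeholder the post itself uses.
SAMPLE = (
    "Return-Path: <root@sub.domain.net>\n"
    "Received: from localhost (localhost [IPv6:::1])\n"
    " by sub.domain.net (OpenSMTPD) with ESMTP id 1255419241.POaAAxCh6duP43wr\n"
    " for root@sub.domain.net; Tue, 13 Oct 2009 09:34:01 +0200 (CEST)\n"
    "From: root (Cron Daemon)\n"
    "To: root\n"
    "Subject: Cron ls /\n"
    "\n"
    "bin\n"
)

# Headers whose values are address lists a reply or a filter will act on.
ADDRESS_HEADERS = ("From", "Sender", "Reply-To", "To", "Cc")


def unqualified_addresses(raw_message):
    """Return (header, display_name, address) for addresses without a domain."""
    msg = message_from_string(raw_message)
    findings = []
    for header in ADDRESS_HEADERS:
        for display, addr in getaddresses(msg.get_all(header, [])):
            if not addr:
                continue  # empty or unparsable entry, nothing to judge
            local, at, domain = addr.rpartition("@")
            if not at or not local or not domain:
                findings.append((header, display, addr))
    return findings


def qualify(display, addr, hostname):
    """Build the header value a message that can be replied to would carry."""
    if "@" not in addr:
        addr = f"{addr}@{hostname}"
    return formataddr((display, addr))


if __name__ == "__main__":
    for header, display, addr in unqualified_addresses(SAMPLE):
        print(f"{header}: {addr!r} has no domain ->",
              qualify(display, addr, "sub.domain.net"))
```
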



Re: home, end, delete, pageup, pagedown with ksh

2009-10-13 Thread Nicolas Letellier

Hello.

First, thanks for this answer!

On 13/10/2009 09:57, Nicholas Marriott wrote:

> For me, Home and End generate ^[[H and ^[[F (you can check they do for you as
> well by running cat then pressing the keys, if they don't let me know, I might
> have fiddled with some setting), so you should be able to bind them with:
>
>  bind '^XH'=beginning-of-line
>  bind '^XF'=end-of-line

For me, Home, End, PgUp, PgDown, Insert generate a ^[[7~ ^[[6~ ^[[5~ 
^[[4~ (and it's a basic usb keyboard :-))

^XH and ^XF do not work in my system.

> It is possible to (use a hack to) bind ONE key with a trailing ~ by binding the
> start to prefix-2 and then binding ~ itself to the command, I do this for the
> Del key.

That's the hack I found, and as you say, it works only for one key. 
However, all my keys generate a four character sequence with a tilde. I 
tried with another TERM (vt220), the problem is the same.


I think ksh is too complicated, and I have to get back to csh or tcsh (or 
ignore these bindkeys on ksh :-)). With them, my bindkeys work.



--
Nicolas



Re: home, end, delete, pageup, pagedown with ksh

2009-10-13 Thread Nicolas Letellier
On 13/10/2009 12:29, Markus Hennecke wrote:
 Nicolas Letellier wrote:

 On 13/10/2009 09:57, Nicholas Marriott wrote:
  
 For me, Home and End generate ^[[H and ^[[F (you can check they do for
 you as
 well by running cat then pressing the keys, if they don't let me know,
 I might
 have fiddled with some setting), so you should be able to bind them with:

   bind '^XH'=beginning-of-line
   bind '^XF'=end-of-line


 For me, Home, End, PgUp, PgDown, Insert generate a ^[[7~ ^[[6~ ^[[5~
 ^[[4~ (and it's a basic usb keyboard :-))
 ^XH and ^XF does not work in my system.

  
 It is possible to (use a hack to) bind ONE key with a trailing ~ by
 binding the
 start to prefix-2 and then binding ~ itself to the command, I do this
 for the
 Del key.

 That's the hack I found, and as you say, it works only for one key.
 However, all my keys generate a four character sequence with a tilde. I
 tried with another TERM (vt220), the problem is the same.

 I think ksh is too complicate, and I have to get back to csh or tcsh (or
 ignore these bindkeys on ksh :-)). With them, my bindkeys work.
  
 I have the lines
 XTerm*loginShell: true
 XTerm*eightBitInput: true
 in my .Xdefaults file together with set +o emacs-usemeta in my .profile.
 Those bind statements are in my .kshrc, set differently for each terminal:

 if [ -o interactive ]; then
     case $TERM in
     vt220)
         bind '^[[3'=prefix-2              # DEL
         bind '^[[3~'=delete-char-forward  # DEL
         ;;
     wsvt25)
         bind '^[[3'=prefix-2              # DEL
         bind '^[[3~'=delete-char-forward  # DEL
         ;;
     xterm*)
         export TERM=xterm-color           # force color
         bind '^XH'=beginning-of-line      # Pos1
         bind '^XF'=end-of-line            # End
         ;;
     nxterm)
         bind '^XH'=beginning-of-line      # Pos1
         bind '^XF'=end-of-line            # End
         ;;
     *)  ;;
     esac
 fi


 HTH,
Markus

It does not work on my config.
In xterm*, vt220, nxterm, etc home is ^[[7~, end is ^[[8~, etc...
In tcsh/zsh, I can use these keys for my bindkeys.

I have the same .Xdefaults

-- 
Nicolas



home, end, delete, pageup, pagedown with ksh

2009-10-12 Thread Nicolas Letellier
Hello.

I want to use home, end, delete, pageup, pagedown with ksh. My TERM is 
xterm-color. These keys work fine with tcsh and zsh, but not with ksh 
(they print a tilde ~)

I found this:

bind '^[[3'=prefix-2
bind '^[[3~'=delete-char-forward
bind '^[[1'=prefix-2
bind '^[[1~'=beginning-of-line
bind '^[[4'=prefix-2
bind '^[[4~'=end-of-line

But when I set one bindkey, the last does not work anymore.

How can I use these keys in ksh with a .kshrc ?

Best regards,

-- 
Nicolas



no hostname in mails sent with smtpd in a crontab

2009-10-09 Thread Nicolas Letellier
Hello.

I'm on a OPENBSD_4_6. I use smtpd instead of sendmail. All works perfect 
with it, except one point. When a mail is sent from a crontab, the mail 
received has this in the header:

  From: root (Cron Daemon)

I have no hostname, no domain, nothing. Just the user in the From part.

This case is only when a mail is sent from a crontab (crontab -e -u root). With 
this line for example:

  */1 *   *   *   *   echo test

So, we can't answer to this mail, or know who is the machine which sends it. 
However, in other information in the header, we can see the domain in 
'Received' parts.


See my /etc/mail/smtpd.conf:
  listen on sk0

  hostname my.hostname.tld

  map aliases { source db /etc/mail/aliases.db }

  accept from all for local deliver to mbox
  accept for all relay

See the end of /etc/mail/aliases
  root:   u...@myprovider.tld


And, other question... Why Cron Daemon AND root are printed in my From?

Thanks.

Regards,

-- 

Nicolas



Re: European orders

2009-03-27 Thread Nicolas Legrand
On Fri, Mar 27, 2009 at 09:33:14AM +0100, Michiel van Baak wrote:
> On 02:17, Fri 27 Mar 09, Theo de Raadt wrote:
> > > I've purchased hardware from Wim multiple times over the last two or
> > > three years and found him to be fast, reliable and helpful in every
> > > order.  In each, he's provided far superior service than any other
> > > vendors I've dealt with in the last decade, though some of those have
> > > been good, too.
> >
> > It is a real pity the project did not find him nearly as reliable when
> > it came time to pay the money rightfully owed to the project from CD
> > sales.
> >
> > As to your comments about CDs becoming obsolete, well perhaps they
> > slowly are becoming so, but all other physical mediums share these
> > problems of obsolescence and delivery.  I think (hope?) that people buy
> > our releases for the art, and as an opportunity to give back to
> > sustain the project (or in Europe, at least the failed hope for that).
>
> That's the only reason I buy the cd-sets.

Same reasons here.

[...]



Error in fsck_ffs: cannot allocate memory for inode cache

2009-02-26 Thread Nicolas Letellier
Hello m...@.

My server crashed this night. However, OpenBSD 4.4 does not want to
boot. There are errors on my /home partition (125 Go, ffs type).

The following file system had unexpected inconsistency
ffs: /dev/rwd0g (/home)

I must run fsck_ffs manually.

However, when I run it :

fsck_ffs /dev/rwd0g

1824 DUP I=2678
1825 DUP I=2678

cannot allocate memory for inode cache.

I tried to reboot, same problem. I didn't find information about it in
fsck_ffs manpage.

Do you have any advice to repair this disk, and for booting my
OpenBSD?

Regards,

-- 
Nicolas



Re: Error in fsck_ffs: cannot allocate memory for inode cache

2009-02-26 Thread Nicolas Letellier
On Thu, 26 Feb 2009 13:50:12 +0100,
Otto Moerbeek o...@drijf.net wrote:

> On Thu, Feb 26, 2009 at 11:23:16AM +0100, Nicolas Letellier wrote:
>
> > Hello m...@.
> >
> > My server crashed this night. However, OpenBSD 4.4 does not want to
> > boot. There are errors on my /home partition (125 Go, ffs type).
> >
> > The following file system had unexpected inconsistency
> > ffs: /dev/rwd0g (/home)
> >
> > I must run fsck_ffs manually.
> >
> > However, when I run it :
> >
> > fsck_ffs /dev/rwd0g
> >
> > 1824 DUP I=2678
> > 1825 DUP I=2678
> >
> > cannot allocate memory for inode cache.
>
> Run fsck by using the fsck(8) command. It sets up the max resource
> limits before calling fsck_ffs(8). That might save your day.
>
>   -Otto

Thanks for your advice but it did not work. So, we bought another hard
disks.

Regards,

--
Nicolas



diff for xenocara' README.macppc

2009-01-02 Thread Nicolas Legrand
Hey,

the iBookHacks option shouldn't be in the sample xorg.conf since it is
not used anymore :

http://www.openbsd.org/faq/upgrade44.html#newXdrivers

bye,

-- nicolas

Index: README.macppc
===
RCS file: /cvs/openbsd/xenocara/distrib/notes/README.macppc,v
retrieving revision 1.4
diff -u -r1.4 README.macppc
--- README.macppc   31 Aug 2008 07:33:29 -  1.4
+++ README.macppc   2 Jan 2009 14:37:44 -
@@ -81,8 +81,8 @@
 #  These options are required for use on the Ti PBG4.
 #  Option  PanelWidth  1152
 #  Option  PanelHeight 768
-#  This option may help if your iBook or Mac mini has screen sync problems
-#  Option  iBookHacks on
+#  This option enable quirks for specified Mac model, details in Radeon(4)
+#  Option MacModel ibook
 
 EndSection
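Review bot: the new comment line "This option enable quirks for specified Mac model, details in Radeon(4)" needs a grammar fix ("enables quirks for the specified Mac model"), and the manual page reference would normally be written lowercase as radeon(4). The removed comment said when the option helps (screen sync problems on an iBook or Mac mini); the replacement shows only the "ibook" value, so either keep that hint or mention that other models take a different value.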



Find duplicate files

2008-12-14 Thread Pc Nicolas
Hi

Do you know a command line utility to find duplicate files with OpenBSD ?

Thanks



Re: OpenBSD 4.4 httpd reverse proxy

2008-11-07 Thread Pc Nicolas
There is a problem in installation
install: /usr/src/usr.sbin/httpd/obj/src/modules/proxy/libproxy.so: No such
file or directory

But I can't find any problem with compilation...

Any idea ?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pc
Nicolas
Sent: mercredi 5 novembre 2008 16:14
To: misc@openbsd.org
Subject: OpenBSD 4.4 httpd reverse proxy

Hi

 

I try to reconfigure httpd on OpenBSD 4.4 to do reverse proxy as I did for
years following this documentation :
http://undeadly.org/cgi?action=article&sid=20040118105719

 

I can't get it done.

The only relevant message is in /var/www/logs/error_log 

(13)Permission denied: proxy: error creating cache file
/var/www/proxy/tmpzjzsP11224

 

The permissions are the same as OpenBSD 4.3.

I try chroot and no chroot (httpd -u).

 

Any idea ?

 

Thanks


