new rust-libtls crates

2019-11-02 Thread Reyk Floeter
Hi,

a bit off-topic, but a Rust-LibreSSL crossover:

It seems that many people have written Rust crates for libtls. And
most (or all) of them haven't been updated for years.

I talked to the owner of libtls and libtls-sys and he assigned
ownership of his libtls crates to me.  Yesterday I published a
complete and API-incompatible rewrite of the crates, under the ISC
license.  I'm trying to find a compromise between a close adaptation of
the libtls API and a modern Rust way to implement such an API.

https://crates.io/crates/libtls

I'm working on additional code for async I/O with tokio and/or
async/await.  Async client/server already works but I'm tweaking the
code to a) clean it up and b) adjust it to the future with the new
"futures" API ;)

Why libtls?  Because it is a sane TLS API with secure defaults.  I
trust the decisions of the LibreSSL developers and libtls provides
some of the best defaults.

The code works on OpenBSD and Linux.  Many distributions such as
Ubuntu don't seem to provide LibreSSL packages, so the very nice
libtls API is not available for them.  My crate tries to download,
build, and link LibreSSL statically if it is not found. 

(I wonder if anyone has ever looked into packaging just libtls for
Ubuntu/Debian independently.  This would even help portability of our
OpenBSD daemons.)

Reyk



Re: OpenBSD on VMware ESXi

2019-05-22 Thread Reyk Floeter
On Wed, May 22, 2019 at 01:43:35PM +0200, Janne Johansson wrote:
> Den ons 22 maj 2019 kl 12:52 skrev Roderick :
> 
> > Hallo!
> > As far as I read in WWW, OpenBSD do run on VMware ESXi out of the box.
> > What does run better on amd64 virtual machine? i386 or amd64?
> > Are there reasons to preffer one to the other?
> >
> 
> The ESX template for 64-bit comes with more recent "hardware" in the
> environment IIRC, so it will be less tweaking the supplied virtualized
> hardware if you select 64bit guest instead of 32bit.
> Apart from that, 64bit is better on both virtual and real hw.
> 

But unfortunately, there is no openbsd template.  So use "Other 64bit"
and enable vmxnet3 manually, as mentioned in vmx(4):

 The following entry must be added to the VMware configuration file to
 provide the vmx device:

   ethernet0.virtualDev = "vmxnet3"

This is much better than the e1000 emulation.

Reyk



Re: relayd without pf?

2019-05-14 Thread Reyk Floeter


> Am 14.05.2019 um 23:06 schrieb Adam Thompson :
> 
>> On 2019-05-14 15:42, Adam Thompson wrote:
>> OK, I'm pretty sure this is a dumb question, but...
>> Does relayd work properly, or at all with pf disabled?  (in 6.5-RELEASE)
> 
> 
> I have partially answered my own question.  That last message was posted 
> prematurely, in more than one way, sorry!
> 
> 1. the relayd.conf in the previous message was copied-and-pasted from the 
> wrong window, in mid-edit.
> 
> 2. relayd(8) does not work with pf(4) disabled.  I'm unclear if this is a 
> bug, or by design.  With pf disabled, it outputs:
> root@rt:~# relayd -dv
> startup
> relayd: pfe: pf is disabled
> parent: proc_open: imsg_flush: Broken pipe
> ca exiting, pid 37187
> ca exiting, pid 79962
> ca exiting, pid 95113
> root@rt:~# hce exiting, pid 91576
> relay exiting, pid 26432
> relay exiting, pid 6966
> relay exiting, pid 50166
> 
> The message "pfe: pf is disabled" looks like an informational message to me, 
> I'm not using any pf features, so it shouldn't matter... but it very much 
> does matter, and relayd exits shortly after starting if pf is disabled.
> 
> Pinging @reyk - is this a bug or deliberate?
> 

It’s a historical reason because redirects existed first. And most OpenBSD 
systems keep pf enabled by default.

But you’re right; it should be easy to fix.

Reyk





Re: Got hits Job offering in the mail

2019-05-02 Thread Reyk Floeter
I’ve got it as well from a different random recruiter and it was addressed to 
the wrong name.

I doubt that Apple is doing such unprofessional recruiting - It looks like some 
scam.

Reyk

> Am 02.05.2019 um 16:56 schrieb Dan Shechter :
> 
> Got approached by a head hunter.
> 
> If anyone in the community is interested and read it as is, I am just copy
> pasting, and I know NOTHING about this job or the head hunter that sent me
> the below email:
> 
> Hii There!
> 
> 
> 
> Greetings of the day!!
> 
> 
> 
> I found your resume from one of the job portal and just want to check if
> you are available for new opportunity and it seems really a good match with
> the requirement so please have a look at the requirement and let me know if
> you are comfortable with the requirement. If interested please revert back
> with updated resume
> 
> 
> 
> *JD : OpenBSD Resource*
> 
> *Start Date:  Immediate*
> 
> *Location:  Apple Park*
> 
> 
> 
> 
> *Tasks:*
> 1. Document the existing state of projects
>  - Diff versions in macOS vs released by project
>  - Public state of projects (how much active development,
> direction, potential replacements, license status, etc.)
> 2. Bring macOS forward
>  - Pull latest project versions in
>  - Review radars to determine what is fixed in latest
> versions vs. is still a problem or is a new feature/enhancement request
>  - Fix high/medium impact issues
>  - Upstream changes, if possible and as appropriate
> 3. Testing suite
>  - Integrate existing open source tests
>  - Develop new tests where there are gaps
> 4. Automate the process
>  - Create a tool that will automate as much of the work as
> possible
>  - Pull down latest repo, apply Apple-specific patches,
> prep for submission to build
>  - Would be run on a set cadence relative to OS releases
> 5. GPL replacements
>  - Develop BSD licensed replacements for any strategically
> important projects that don’t currently have one
> 
> 
> 
> 
> 
> 
> 
> Thanks & Regards,
> 
> *Jack Thomson*
> 
> *Talent Acquisition Team*
> 
> *Ph: 732-200-1396*
> 
> *2 N. Market St., #400, San Jose, CA, 95113*
> 
> *jac...@e-solutionsinc.com* 
> 
> www.e-solutionsinc.com



Re: Viewing SFP diagnostic data in OpenBSD ?

2019-04-10 Thread Reyk Floeter
On Wed, Apr 10, 2019 at 12:11:34PM +0100, Stuart Henderson wrote:
> On 2019/04/10 12:43, Reyk Floeter wrote:
> > I have an em(4) with SFP in my FTTH gateway, a Lanner LEB-6032.  I'd
> > be happy to test any em(4) diff for it.
> > 
> > I had to get a special SFP that is compatible with the FTTH specs here
> > in Zurich.  It is using an asymmetric wavelength, Tx1310nm and
> > Rx1460-1580nm, and I am wondering if your code could show this fact
> > somehow.
> 
> There is really nothing in the spec for bidi optics. If you can plug it
> into a supported nic (ix/ixl for now) you should see the Tx wavelength
> but there's nowhere to retrieve the Rx wavelength.
> 
> Nice to have an FTTH setup that just lets you use your own kit! The few
> UK providers doing ethernet FTTH are mostly using Genexis boxes I think
> (probably for laser safety reasons, their fibre management makes it hard
> to look straight into a disconnected fibre).
> 

I heard that a few years ago the people in Zurich voted that everyone
gets FTTH.  So the network is now provided by ewz, the local
electricity company, or by Swisscom and almost every household is
about to get an OTO wall outlet with two possible fiber ports.

You can choose between a number of professional and consumer-grade
ISPs, so they don't even lock you in.  The ISPs either give you a
typical fritzbox CPE and/or a media converter (like the TP-Link
MC220L), but it also works fine with the mentioned SFP.  I now have
1Gbps Internet, fixed IPv4+v6, simply with DHCP (dhcp6c is needed to
get the assigned IPv6 prefix for reassigning it to rad(8) internally).
At least one (consumer-grade) ISP even offers 10G, at least
theoretically, but I didn't dare to try them out.

Reyk



Re: Viewing SFP diagnostic data in OpenBSD ?

2019-04-10 Thread Reyk Floeter
On Mon, Apr 08, 2019 at 02:25:28PM +1000, David Gwynne wrote:
> 
> 
> > On 6 Apr 2019, at 01:54, Rachel Roch  wrote:
> > 
> > 
> > 
> > 
> > Apr 2, 2019, 11:19 PM by da...@gwynne.id.au:
> > 
> >> 
> >> 
> >>> On 3 Apr 2019, at 04:52, Stuart Henderson <>> s...@spacehopper.org 
> >>> >> > wrote:
> >>> 
> >>> On 2019-04-02, Rachel Roch <>> rr...@tutanota.de 
> >>> >> > wrote:
> >>> 
>  Hi,
>  
>  Hopefully I'm just searching the man pages wrong but I can't seem to 
>  find any hints as to how I can view SFP diagnostics in OpenBSD (i.e. 
>  light power etc.)
>  
>  Perhaps someone could kindly point me in the right direction ?
>  
>  Rachel
>  
> >>> 
> >>> I don't think that code has been written yet.
> >>> 
> >> 
> >> You're right, it hasn't.
> >> 
> >> Rachel, which nic are you interested in having this on?
> >> 
> >> dlg
> >> 
> > 
> > Just spotted this email.
> > 
> > An Intel I350 based NIC made by HotLava  
> > (https://hotlavasystems.com/products_gbe.html) 
> > 
> 
> OK. I made a start on this. Have a look for "sfp module info and diagnostics" 
> on tech@, or click on https://marc.info/?l=openbsd-tech=155469738013008=2
> 
> We don't have an em(4) here with optics, but a diff doesn't look too bad if 
> you're willing to test it.
> 
> dlg
> 

I have an em(4) with SFP in my FTTH gateway, a Lanner LEB-6032.  I'd
be happy to test any em(4) diff for it.

I had to get a special SFP that is compatible with the FTTH specs here
in Zurich.  It is using an asymmetric wavelength, Tx1310nm and
Rx1460-1580nm, and I am wondering if your code could show this fact
somehow.

https://www.flexoptix.net/en/wideband-sfp-bidi-transceiver-1-gigabit-sm-tx1310nm-rx1550nm-10km-12db-ddm-dom.html?co8658=83928

em6: flags=208843 mtu 1500
lladdr 00:90:0b:55:3d:e4
index 7 priority 0 llprio 3
groups: egress
media: Ethernet autoselect (1000baseSX full-duplex)
status: active

But I also have many different "regular" SFPs here that I can plug
into the second em(4) fiber port to test the diff.

The attached dmesg is a few days old.

Reyk

OpenBSD 6.5-beta (GENERIC.MP) #768: Sun Mar  3 23:58:33 MST 2019
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4181184512 (3987MB)
avail mem = 4044509184 (3857MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xebf30 (15 entries)
bios0: vendor American Megatrends Inc. version "5.6.5" date 06/24/2016
bios0: Lanner Electronics LEB-6032
acpi0 at bios0: rev 2
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP APIC FPDT FIDT LPIT MCFG HPET SSDT SSDT SSDT UEFI CSRT
acpi0: wakeup devices PS2K(S4) XHC1(S4) PXSX(S4) PXSX(S4) PXSX(S4) PXSX(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Atom(TM) CPU E3845 @ 1.91GHz, 1916.99 MHz, 06-37-09
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT,MELTDOWN
cpu0: 1MB 64b/line 16-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 83MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.0.0.0.3, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Atom(TM) CPU E3845 @ 1.91GHz, 1916.67 MHz, 06-37-09
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT,MELTDOWN
cpu1: 1MB 64b/line 16-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Atom(TM) CPU E3845 @ 1.91GHz, 1916.67 MHz, 06-37-09
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT,MELTDOWN
cpu2: 1MB 64b/line 16-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Atom(TM) CPU E3845 @ 1.91GHz, 1916.67 MHz, 06-37-09
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT,MELTDOWN
cpu3: 1MB 

Re: Broken links on http://www.openiked.org/

2019-04-05 Thread Reyk Floeter
Thanks, I’m afk this weekend but I’ll take care afterwards.

Reyk

> Am 05.04.2019 um 19:24 schrieb Alex Naumov :
> 
> Hey,
> 
> it seems openiked.org is not maintained well.
> 1. Copyright is just until 2015.
> 2. There are some broken links on it: links to "CD's" and "Posters".
> 3. Old links-format for man.openbsd.org is used.
> 
> Cheers,
> Alex



Re: QEMU + snapshots - pvclock0: unstable result on stable clock

2018-12-03 Thread Reyk Floeter
Hi,

thanks for the report.

We’re going to disable pvclock until I find a solution. It seems that old KVMs 
or KVM on old CPUs report stable support incorrectly.

Do you have a dmesg?

Reyk

> Am 03.12.2018 um 09:26 schrieb Zach Nedwich :
> 
> Hi all,
> 
> I'm running OpenBSD snapshots on QEMU (amd64) via a VPS provider, I
> upgraded yesterday and now I'm unable to boot.
> 
> The panic is: pvclock0: unstable result on stable clock
> 
> Excuse the images as a NoVNC console is the only out-of-band access I have:
> 
> 
> [image: 1543825179.png]
> [image: 1543825235.png]
> 
> Any input would be appreciated.
> 
> Thanks,
> Zach



Re: Trying to get meta-data configured for cloud-image VMM instances

2018-07-16 Thread Reyk Floeter
https://www.openbsd.org/faq/current.html#r20180613b

I can respond in more details when I’m back online later this week.

Reyk

> Am 16.07.2018 um 20:29 schrieb Ax0n :
> 
> On Mon, Jul 16, 2018 at 4:56 AM, Rickard von Essen <
> rickard.von.es...@gmail.com> wrote:
> 
>> It looks like cloud-init in the VM can't even reach 169.254.169.254. Does
>> it have routing to get there? Is there a fw blocking the calls from the VM
>> to 169.254.169.254?
>> 
> 
> I don't think so. This is my pf.conf (n.b. it's mostly just additional
> stuff so that I can access the permanently-configured VMs through the NAT)
> 
> #   $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
> #
> # See pf.conf(5) and /etc/examples/pf.conf
> ext_if="athn0"
> #ext_if="bge0"
> vmd_if="vether0"
> 
> set skip on lo
> 
> block return            # block stateless traffic
> pass                    # establish keep-state
> 
> # By default, do not permit remote connections to X11
> block return in on ! lo0 proto tcp to port 6000:6010
> 
> # vmm setup: outbound nat, inbound port mapping
> match out on $ext_if inet from $vmd_if:network to any nat-to ($ext_if)
> pass in on $ext_if proto tcp from any to any port 2200 rdr-to 10.13.37.200
> port 22
> pass in on $ext_if proto tcp from any to any port 2201 rdr-to 10.13.37.201
> port 22
> pass in on $ext_if proto tcp from any to any port 2202 rdr-to 10.13.37.202
> port 22
> pass in on $ext_if proto tcp from any to any port 2203 rdr-to 10.13.37.203
> port 22
> pass in on $ext_if proto tcp from any to any port 2204 rdr-to 10.13.37.204
> port 22
> pass in on $ext_if proto tcp from any to any port 8000 rdr-to 10.13.37.200
> port 80
> pass in on $ext_if proto tcp from any to any port 8001 rdr-to 10.13.37.201
> port 80
> pass in on $ext_if proto tcp from any to any port 8002 rdr-to 10.13.37.202
> port 80
> pass in on $ext_if proto tcp from any to any port 8003 rdr-to 10.13.37.203
> port 80
> 
> So that you can get a feel for my setup:
> vether0 is static-configured 10.13.37.1 255.255.255.0. dhcpd is bound only
> to vether0 (to assign a mix of reserved and pool IPs to VMM guests) and
> vether0 is added to bridge0 at boot via hostname.bridge0.
> 
> bridge0 is tied to the "local" switch in vm.conf, and that's what all of my
> VMs connect to.
> 
> 
>> On Mon, Jul 16, 2018 at 12:20 PM,  wrote:
>> 
>> 
>> I thought it was:
>> 
>> root "/" strip 1
>> 
>> No curlies and no comma, but I haven't tried it.
>> 
>> 
> httpd doesn't like that syntax, either:
> 
> [axon@transient ~]$ doas httpd -d
> startup
> /etc/httpd.conf:16: syntax error
> logger exiting, pid 63722
> server exiting, pid 24069
> server exiting, pid 34562
> server exiting, pid 69335
> [axon@transient ~]$ cat -n /etc/httpd.conf
> 1  ext_addr="*"
> 2  server "default" {
> 3  root "/htdocs/"
> 4  directory auto index
> 5  listen on $ext_addr port 80
> 6  }
> 7
> 8  # Include MIME types instead of the built-in ones
> 9  types {
>10  include "/usr/share/misc/mime.types"
>11  }
>12
>13  server "meta-data" {
>14  listen on 169.254.169.254 port 80
>15  fastcgi socket "/run/httpd.sock"
>16  root  "/" strip 1
>17  }
>18


Re: Rewards of Up to $500,000 Offered for OpenBSD Zero-Days (and other dist.)

2018-07-04 Thread Reyk Floeter
Are you advertising this crap on our list?

I hope somebody steps up and donates $500,000 to the OpenBSD foundation instead.

> Am 30.06.2018 um 23:11 schrieb Szekeres Dani :
> 
> Just read: 
> 
> https://www.bleepingcomputer.com/news/security/rewards-of-up-to-500-000-offered-for-freebsd-openbsd-netbsd-linux-zero-days/
> 
> 
> 
> 
> Rewards of Up to $500,000 Offered for FreeBSD, OpenBSD, NetBSD, Linux 
> Zero-Days
> 
> Exploit broker Zerodium is offering rewards of up to $500,000 for zero-days 
> in UNIX-based operating systems like OpenBSD, FreeBSD, NetBSD, but also for 
> Linux distros such as Ubuntu, CentOS, Debian, and Tails.
> 
> The offer, first advertised via Twitter earlier this week, is available as 
> part of the company's latest zero-day acquisition drive. Zerodium is known 
> for buying zero-days and selling them to government agencies and law 
> enforcement.
> 
> 
> 
> https://twitter.com/Zerodium/status/1012007051466162177
> 



Re: add HISTORY to ldap.1

2018-07-03 Thread Reyk Floeter
OK reyk@

(please send diffs to tech@ not misc@)

> Am 03.07.2018 um 21:20 schrieb Rob Pierce :
> 
> Ok?
> 
> Index: ldap.1
> ===
> RCS file: /cvs/src/usr.bin/ldap/ldap.1,v
> retrieving revision 1.7
> diff -u -p -r1.7 ldap.1
> --- ldap.13 Jul 2018 10:10:09 -1.7
> +++ ldap.13 Jul 2018 19:19:21 -
> @@ -233,6 +233,11 @@ Match Group ldapusers
> .%R RFC 4516
> .%T Lightweight Directory Access Protocol (LDAP): Uniform Resource Locator
> .Re
> +.Sh HISTORY
> +The
> +.Nm
> +program first appeared in
> +.Ox 6.4 .
> .Sh AUTHORS
> .An -nosplit
> The
> 
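Review bot: nothing blocking in this hunk; `.Sh HISTORY` is placed between SEE ALSO and AUTHORS, which is the section order mdoc(7) expects, and `.Ox 6.4 .` keeps the sentence period as a separate argument so mandoc renders "OpenBSD 6.4." without the macro swallowing it. A `mandoc -Tlint ldap.1` run before commit would confirm there is no section-ordering warning.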



Re: sgtty.h

2018-06-11 Thread Reyk Floeter
On Mon, Jun 11, 2018 at 05:05:02PM +0200, Pau wrote:
> Hello:
> 
> I am trying to compile a very old piece of software, supermongo, on -current.
> 
> The first complain I get from gmake is that
> 
> get1char.c:26:14: fatal error: 'sgtty.h' file not found
> #include 
>  ^
> 1 error generated.
> *** Error 1 in devices (Makefile:5 'get1char.o')
> 
> 
> My first guess is that it's been removed from current because it was a
> very old thing and maybe with security holes. What would be a
> workaround? I guess that quite a few codes still need that?
> 

Wow. It has been removed but you can see it in an old, I mean very
old, man page http://man.openbsd.org/OpenBSD-2.2/stty.3

---snip---
 These interfaces are obsoleted by ioctl(2).  They are available from the
 compatibility library, libcompat.

 The stty() function sets the state of the terminal associated with fd.
 The gtty() function retrieves the state of the terminal associated with
 fd. To set the state of a terminal the call must have write permission.

 The stty() call is actually `ioctl(fd, TIOCSETP, buf)', while the gtty()
 call is `ioctl(fd, TIOCGETP, buf)'. See ioctl(2) and tty(4) for an expla-
 nation.
---snap---

Reyk
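
What porting such code to a current system looks like in practice, as an added example that is not part of the thread and not supermongo's or OpenBSD's code: the old `gtty()`/`stty()` CBREAK dance that a `get1char()` routine typically did is replaced with POSIX termios, which is the interface the quoted man page points at via ioctl(2)/tty(4). The function names, the split into enable/restore helpers and the sample `main()` are this example's own choices.

```c
/*
 * Added example (not from the thread): replacing the removed <sgtty.h>
 * stty()/gtty() calls with POSIX termios.  Old code usually did
 *     gtty(fd, &sg); sg.sg_flags |= CBREAK; sg.sg_flags &= ~ECHO; stty(fd, &sg);
 * which on OpenBSD 2.2 was just ioctl(TIOCGETP)/ioctl(TIOCSETP).
 */
#include <stdio.h>
#include <termios.h>
#include <unistd.h>

/*
 * Turn a termios state into sgtty-style "CBREAK, no ECHO": bytes are
 * delivered one at a time as typed, without local echo.  Signal keys and
 * output processing are left alone, which matches CBREAK rather than RAW.
 */
void
make_cbreak(struct termios *t)
{
	t->c_lflag &= ~(ICANON | ECHO);
	t->c_cc[VMIN] = 1;	/* read(2) returns after a single byte... */
	t->c_cc[VTIME] = 0;	/* ...with no inter-byte timeout */
}

/*
 * Save the current state in *saved and switch fd to cbreak mode.
 * Returns 0 on success, -1 with errno set (e.g. ENOTTY, EBADF) otherwise.
 */
int
cbreak_enable(int fd, struct termios *saved)
{
	struct termios t;

	if (tcgetattr(fd, saved) == -1)
		return (-1);
	t = *saved;
	make_cbreak(&t);
	return (tcsetattr(fd, TCSANOW, &t));
}

/* Put the terminal back the way cbreak_enable() found it. */
int
cbreak_restore(int fd, const struct termios *saved)
{
	return (tcsetattr(fd, TCSANOW, saved));
}

/* A get1char() on top of the above: one byte, or -1 on EOF/error. */
int
get1char(int fd)
{
	unsigned char c;

	if (read(fd, &c, 1) != 1)
		return (-1);
	return (c);
}

int
main(void)
{
	struct termios saved;
	int c;

	if (cbreak_enable(STDIN_FILENO, &saved) == -1) {
		perror("cbreak_enable");
		return (1);
	}
	printf("press a key: ");
	fflush(stdout);
	c = get1char(STDIN_FILENO);
	cbreak_restore(STDIN_FILENO, &saved);
	printf("\ngot %d\n", c);
	return (0);
}
```

The restore step matters: a program that dies between `cbreak_enable()` and `cbreak_restore()` leaves the user's shell without echo, so real ports hook `cbreak_restore()` into their error and signal exits as well.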



Re: attach chroot-jail to switchd(8) ?

2018-05-23 Thread Reyk Floeter
switchd is already privsep'ed with a chroot jail.

But I don’t quite understand what you mean.

> Am 23.05.2018 um 10:35 schrieb Thomas Huber :
> 
> Hi all,
> 
> I´m just tinkering a little bit and try to mimic some "containerization" on
> OpenBSD with chroot. Is it somehow possible to attach a chrooted
> envirionment to swtichd(8) ?
> 
> Thanks
> Thomas



Re: Please Advise on licencing

2017-08-04 Thread Reyk Floeter
Hi,

the license is your choice ;-)

But we use ISC for new code in OpenBSD and I also use it for all other open source 
code these days.

See:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/share/misc/license.template?rev=1.3=text/x-cvsweb-markup

http://www.openbsd.org/goals.html

And:
https://en.m.wikipedia.org/wiki/ISC_license

Note that the mentioned Atheros drivers in the Linux kernel are ISC-licensed 
because they were derived from my ar5k drivers in OpenBSD. Long time ago.

http://linuxwireless.org/en/users/Drivers/Atheros/#Licensing

Reyk

> Am 04.08.2017 um 05:11 schrieb Siju George :
> 
> Hi,
> 
> I have a git repo 
> 
> https://github.com/sgeorge
> 
> where I populate mainly contents about docker.
> 
> I want this information to be available to all without discrimination.
> 
> Which is the best licence I can give them?
> 
> BSD or ISC or MIT or any other?
> 
> Heard Reyk is not using BSD licence for his drivers but ISC
> 
> Thus the confusion in my mind.
> 
> Please advise
> 
> Thank you :-)
> 
> Siju Oommen George
> 
> 


Re: OpenBSD as Open Networking OS

2017-07-17 Thread Reyk Floeter
Yes, I'm very interested in this but there is no "open" hardware.

As Mischa mentioned, all of the platforms need vendor drivers
and AFAIK all of them are gigantic and non-free *.

OpenFlow is an alternative to control switches in a standard way
without direct access to the switch chipsets, but it is a long way to
get switchd(8) to this point. And it has limitations, of course.

*) let me know if I'm wrong.

Reyk

> On 17.07.2017, at 11:00, miraculli .  wrote:
> 
> Hi misc,
> 
> I just read about a trending topic: SDN and Open Networking.
> The principal idea behind Open Networking is to allow the customer
> to install a custom OS to switch-hardware.
> The main software player in this business seems to be a penguin OS
> called: Cumulus
> There is also an overview of devices that are able to install a custom OS:
> 
> https://cumulusnetworks.com/products/hardware-compatibility-list/
> 
> Is there any experience using OpenBSD in this domain and with this
> kind of hardware?
> 
> Thanks
> Thomas
> 



Re: dhcrelay broken after Apr 5

2017-07-05 Thread Reyk Floeter

> On 05.07.2017, at 11:50, Kapetanakis Giannis <bil...@edu.physics.uoc.gr> 
> wrote:
> 
> On 05/07/17 12:45, Reyk Floeter wrote:
>> 
>>> On 05.07.2017, at 11:41, Kapetanakis Giannis <bil...@edu.physics.uoc.gr> 
>>> wrote:
>>> 
>>> On 04/07/17 19:09, Reyk Floeter wrote:
>>>> Could you try again with the attached diff?  It doesn't change
>>>> behavior but it adds some chatty logging when a packet is rejected.
>>>> Maybe it helps to find the issue.
>>>> 
>>>> Reyk
>>> 
> >>> I've sent the bug report as detailed as I could.
>>> 
>> 
>> Thanks, now it is a good bug report and I think it helps to find the issue 
>> with carp+dhcrelay.
>> 
>> You had a typo in the email subject ;-)
>> 
>>> In a few words, applying your diff gave me these:
>>> Jul  5 11:53:09 dhcrelay[68565]: decode_hw_header:229: invalid htype 0
>>> Jul  5 11:53:09 dhcrelay[68565]: receive_packet:457: decode_hw_header 
>>> failed, len 364
>>> Jul  5 11:53:10 dhcrelay[68565]: decode_hw_header:229: invalid htype 0
>>> Jul  5 11:53:10 dhcrelay[68565]: receive_packet:457: decode_hw_header 
>>> failed, len 364
>>> 
>> 
>> Reyk
>> 
> 
> oops :))
> 
> sorry for that, do you want me to send it again with the correct subject so 
> it's archived ok?
> 
> G
> 

No, no, it's fine. The content of the mail is more important.

Reyk



Re: dhcrelay broken after Apr 5

2017-07-05 Thread Reyk Floeter

> On 05.07.2017, at 11:41, Kapetanakis Giannis <bil...@edu.physics.uoc.gr> 
> wrote:
> 
> On 04/07/17 19:09, Reyk Floeter wrote:
>> Could you try again with the attached diff?  It doesn't change
>> behavior but it adds some chatty logging when a packet is rejected.
>> Maybe it helps to find the issue.
>> 
>> Reyk
> 
> I've sent the bug report as detailed as I could.
> 

Thanks, now it is a good bug report and I think it helps to find the issue with 
carp+dhcrelay.

You had a typo in the email subject ;-)

> In a few words, applying your diff gave me these:
> Jul  5 11:53:09 dhcrelay[68565]: decode_hw_header:229: invalid htype 0
> Jul  5 11:53:09 dhcrelay[68565]: receive_packet:457: decode_hw_header failed, 
> len 364
> Jul  5 11:53:10 dhcrelay[68565]: decode_hw_header:229: invalid htype 0
> Jul  5 11:53:10 dhcrelay[68565]: receive_packet:457: decode_hw_header failed, 
> len 364
> 

Reyk
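
The kind of check behind the "decode_hw_header failed" lines above, as an added illustration rather than dhcrelay's own code: the relay only knows how to strip one link-layer format, so a frame arriving on an interface whose hardware type has no decoder (htype 0 included) is rejected before the IP, UDP and BOOTP layers are even looked at. The constants, the `hw_ctx` structure, the sample frame with a locally administered MAC and the helper wrappers are all constructed for this example.

```c
/*
 * Added example, not dhcrelay's code: link-layer validation of the shape
 * the thread's "decode_hw_header failed" log lines report.  A frame is
 * accepted only if the interface hardware type has a decoder, the buffer
 * holds a full header, and the payload is IPv4.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>

#define HTYPE_ETHER	1	/* ARP/BOOTP hardware type for Ethernet */
#define ETHER_ADDR_LEN	6
#define ETHER_HDR_LEN	14
#define ETHERTYPE_IP	0x0800

struct hw_ctx {
	uint8_t		dst[ETHER_ADDR_LEN];
	uint8_t		src[ETHER_ADDR_LEN];
	uint16_t	ethertype;
};

/*
 * Strip the link-layer header at buf+offset.  Returns the offset of the
 * next header (the IP header), or -1 if the frame is truncated, the
 * interface type has no decoder, or the payload is not IPv4.
 */
ssize_t
decode_hw_header(const unsigned char *buf, size_t buflen, size_t offset,
    struct hw_ctx *ctx, unsigned int intfhtype)
{
	switch (intfhtype) {
	case HTYPE_ETHER:
		if (buflen < offset + ETHER_HDR_LEN)
			return (-1);		/* truncated frame */
		memcpy(ctx->dst, buf + offset, ETHER_ADDR_LEN);
		memcpy(ctx->src, buf + offset + ETHER_ADDR_LEN, ETHER_ADDR_LEN);
		ctx->ethertype = (uint16_t)(buf[offset + 12] << 8 |
		    buf[offset + 13]);
		if (ctx->ethertype != ETHERTYPE_IP)
			return (-1);		/* not IPv4: nothing to relay */
		return ((ssize_t)(offset + ETHER_HDR_LEN));
	default:
		/*
		 * htype 0 lands here: the interface type was never mapped
		 * to a link-layer format this decoder understands.
		 */
		return (-1);
	}
}

/* Constructed sample: broadcast frame from 02:00:00:00:00:01 carrying IPv4. */
static const unsigned char sample_frame[] = {
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff,	/* dst: broadcast */
	0x02, 0x00, 0x00, 0x00, 0x00, 0x01,	/* src: locally administered */
	0x08, 0x00,				/* ethertype: IPv4 */
	0x45, 0x00, 0x01, 0x48			/* first bytes of an IP header */
};

/* Decode the sample as if it arrived on an interface of type intfhtype. */
ssize_t
decode_sample(unsigned int intfhtype)
{
	struct hw_ctx ctx;

	return (decode_hw_header(sample_frame, sizeof(sample_frame), 0, &ctx,
	    intfhtype));
}

/* Same frame, but only 10 of the 14 header bytes were captured. */
ssize_t
decode_sample_truncated(void)
{
	struct hw_ctx ctx;

	return (decode_hw_header(sample_frame, 10, 0, &ctx, HTYPE_ETHER));
}

/* Same frame with the ethertype field patched to another value. */
ssize_t
decode_sample_with_ethertype(uint16_t ethertype)
{
	unsigned char frame[sizeof(sample_frame)];
	struct hw_ctx ctx;

	memcpy(frame, sample_frame, sizeof(frame));
	frame[12] = ethertype >> 8;
	frame[13] = ethertype & 0xff;
	return (decode_hw_header(frame, sizeof(frame), 0, &ctx, HTYPE_ETHER));
}
```

Every rejection returns the same -1, which is exactly why the logging diff later in this thread is useful: without a message at each early return there is no way to tell a truncated capture from an interface type the relay never learned to parse.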



Re: dhcrelay broken after Apr 5

2017-07-04 Thread Reyk Floeter
Hi,

On Tue, Jul 04, 2017 at 02:41:30PM +0300, Kapetanakis Giannis wrote:
> Hi,
> 
> Just upgraded a set of my firewalls that also do dhcrelay to -current.
> 
> The program stopped working ok. Some dhcp requests where being forwarded some 
> not.
> 
> tcpdump was showing the request on internal interface but I couldn't see the 
> request being forwarded on the external interface.
> For some vlans the relay was working for some not.
> 
> I've located the problem to this commit:
> http://marc.info/?l=openbsd-cvs=149140326301074=2
> 
> Reverting back to:
> bpf.c,v 1.17
> packet.c,v 1.13
> dhcpd.h,v 1.22 2017/04/04
> 
> everything was ok again.
> 
> My setup is (trunk - on one firewall) - Vlans - carp - dhcrelay
> 28 vlans, 28 carps, 18 dhcrelay, 30 bpf devices
> 

First of all, please send a proper bug report to bugs@, not misc.
"It used to work but now it doesn't" is not very helpful.

Could you share your actual configuration or, even better, provide a
simplified way to reproduce your problem? rzalamena, me, and some
other people have tested different setups but you seem to have an
interestingly complex configuration.

The new code has more validation, so it might be that it rightfully or
wrongfully rejects packets that have been accepted before.  

Could you try again with the attached diff?  It doesn't change
behavior but it adds some chatty logging when a packet is rejected.
Maybe it helps to find the issue.

Reyk

Index: usr.sbin/dhcrelay/bpf.c
===
RCS file: /cvs/src/usr.sbin/dhcrelay/bpf.c,v
retrieving revision 1.19
diff -u -p -u -p -r1.19 bpf.c
--- usr.sbin/dhcrelay/bpf.c 19 Apr 2017 05:36:12 -  1.19
+++ usr.sbin/dhcrelay/bpf.c 4 Jul 2017 16:01:29 -
@@ -349,11 +349,17 @@ send_packet(struct interface_info *inter
 
/* Assemble the headers... */
if ((bufp = assemble_hw_header(buf, sizeof(buf), 0, pc,
-   interface->hw_address.htype)) == -1)
+   interface->hw_address.htype)) == -1) {
+   log_warnx("%s:%d: assemble_hw_header failed, len %zu",
+   __func__, __LINE__, len); 
goto done;
+   }
if ((bufp = assemble_udp_ip_header(buf, sizeof(buf), bufp, pc,
-   (unsigned char *)raw, len)) == -1)
+   (unsigned char *)raw, len)) == -1) {
+   log_warnx("%s:%d: assemble_udp_ip_header failed,"
+   " offset %zd len %zu", __func__, __LINE__, bufp, len); 
goto done;
+   }
 
/* Fire it off */
iov[0].iov_base = (char *)buf;
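Review bot: the two new log_warnx() calls end in trailing whitespace after `len);` (the `__func__, __LINE__, len); ` and `bufp, len); ` lines), which should be stripped before this goes anywhere near the tree. The rest is fine: `%zd` for `bufp` and `%zu` for `len` match ssize_t and size_t, and the braces added around the now multi-statement `if` bodies are required.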
@@ -447,6 +453,9 @@ receive_packet(struct interface_info *in
 * skip this packet.
 */
if (offset < 0) {
+   log_warnx("%s:%d: decode_hw_header failed,"
+   " len %zu", __func__, __LINE__,
+   interface->rbuf_len);
interface->rbuf_offset += hdr.bh_caplen;
continue;
}
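Review bot: the decode_hw_header failure message logs `interface->rbuf_len`, the size of the whole BPF read buffer, rather than the size of the frame that was actually rejected; `hdr.bh_caplen`, which is already in scope and used on the very next line, would tell the reporter how long the offending packet was, which is the number that distinguishes a truncated capture from a frame the decoder simply does not understand.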
@@ -457,6 +466,9 @@ receive_packet(struct interface_info *in
 
/* If the IP or UDP checksum was bad, skip the packet... */
if (offset < 0) {
+   log_warnx("%s:%d: decode_udp_ip_header failed,"
+   " offset %zd len %zu", __func__, __LINE__,
+   offset, interface->rbuf_len);
interface->rbuf_offset += hdr.bh_caplen;
continue;
}
@@ -470,6 +482,10 @@ receive_packet(struct interface_info *in
 * life, though).
 */
if (hdr.bh_caplen > len) {
+   log_warnx("%s:%d: XXX shouldn't happen in real life,"
+   " caplen %u > len %zu", __func__, __LINE__,
+   hdr.bh_caplen, len);
+
interface->rbuf_offset += hdr.bh_caplen;
continue;
}
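Review bot: `XXX shouldn't happen in real life` is the comment's wording leaking into a user-visible log line; since this diff is meant to be run by a reporter and the output pasted back, say what the condition is instead, e.g. `caplen %u exceeds remaining buffer %zu`, so the log is self-explanatory without reading the source. The extra blank line before `interface->rbuf_offset += hdr.bh_caplen;` is also unneeded.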
Index: usr.sbin/dhcrelay/packet.c
===
RCS file: /cvs/src/usr.sbin/dhcrelay/packet.c,v
retrieving revision 1.14
diff -u -p -u -p -r1.14 packet.c
--- usr.sbin/dhcrelay/packet.c  5 Apr 2017 14:40:56 -   1.14
+++ usr.sbin/dhcrelay/packet.c  4 Jul 2017 16:01:29 -
@@ -104,8 +104,12 @@ assemble_hw_header(unsigned char *buf, s
 
switch (intfhtype) {
case HTYPE_ETHER:
-   if (buflen < offset + ETHER_HDR_LEN)
+   if (buflen < offset + ETHER_HDR_LEN) {
+   log_warnx("%s:%d: short ether hdr buflen %zu < %zu",
+   __func__, __LINE__,
+   buflen, offset + ETHER_HDR_LEN);
return (-1);
+   }
 
/* Use the supplied address or let the kernel fill it. */
memcpy(eh.ether_shost, pc->pc_smac, ETHER_ADDR_LEN);
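Review bot: `offset + ETHER_HDR_LEN` is handed to a `%zu` conversion, which is only correct if `offset` is a size_t, since ETHER_HDR_LEN is a plain int constant; either cast the sum, `(size_t)(offset + ETHER_HDR_LEN)`, or log `offset` and the header length as separate arguments so the format matches regardless of the parameter's type. The braces around the now two-statement `if` body are correct.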
@@ -117,6 +121,8 @@ 

Re: Can I use OpenBSD in a virtual machine, for example, VirtualBox?

2017-07-04 Thread Reyk Floeter
On Mon, Jul 03, 2017 at 02:36:20PM -0400, J Doe wrote:
> 
> >> On 27 Jun 2017 10:45 am, "Stuart Henderson"  wrote:
> >> 
> >>> On 2017-06-26, Josh Stephens  wrote:
> >>> I could be wrong when I say this but the only gotcha that you will run
> >> into
> >>> with virtual box will be the guest additions.
> >> 
> >> Does virtualbox still do that thing where it patches the running
> >> kernel when it detects OpenBSD?
> 
> Hi,
> 
>
> Just thought I'd chime in that I've had success with OpenBSD 5.x to
> 6.0 running under VMware Fusion (Mac OS X version of VMware).  There
> isn't support for guest additions with the most recent version of
> Fusion (8.x), but I haven't had any issues.
> 

I don't know what you mean with "there isn't support for guest
additions".  We don't support VMware's 3rd party tools but we use our
own drivers.

VMware Fusion Pro 8.5.8 with version 12 VMs works fine, vmt(4)
attaches, provides guest services such as shutdown/reboot, timedelta
sensor, and access to VMware's guestinfo key/value via hostctl(8) (eg.
hostctl guestinfo.ip).  X11-related features are provided by vmwh in
ports, but I've never tested it.  We also have vmx(4) for vmxnet3
networking but you manually have to edit the .vmx file and change
ethernetX.virtualDev = "vmxnet3" (VMware has ignored all of our
requests to add a device profile for OpenBSD).

The only issue that I just saw with -current is that ahci(4)
initialization hangs on boot - I had to disable ahci and use SCSI or
IDE.  I haven't noticed this on ESXi.

I mostly used Fusion for testing and development for ESXi/vSphere but
I switched to OpenBSD VMM for most of the testing.

> I saw in the thread that someone was mentioning full screen support.
> There's no problem with that under Fusion, but you are limited to
> legacy style video output (ie: not a high res display).  The easiest
> way around that is I run OpenBSD minimized and SSH in from Terminal on
> Mac OS X, then use the full-screen mode on OS X Terminal.
> 
> If you're interested in OpenBSD in virtual machines in the cloud, I
> have nothing but praise for the people at RootBSD [1], which have
> supported OpenBSD for a while.  IIRC they run OpenBSD on top of Xen,
> so the previous comments about security not being the same as running
> it natively do apply, but it's definitely an option.
> 
> I believe Undeadly recently posted about partial support for Hyper-V
> has been committed, which also opens up the future possibly of running
> OpenBSD on Azure.  Seems like the only holdout is AWS, but there is
> now official support for FreeBSD on it, so here's hoping its' more
> secure cousin will make it's way to Amazon.

You cannot really compare FreeBSD in Azure or AWS to OpenBSD.  We have
totally different drivers for Hyper-V and Xen.  But Hyper-V is "fully"
supported on OpenBSD, the latest hvs(4) driver adds support for
StorVSC paravirtual SCSI.  mikeb@ has done some great work to
implement all the missing drivers and I helped where I could and
focussed on the part to get it from Hyper-V/Xen to the "cloud".

The situation in Azure is about the same as in AWS: we don't provide
OpenBSD images in the marketplaces or community images yet, but there
are scripts and howtos to create your OpenBSD VMs in Azure.  This
might change as soon as we feel confident enough with the VM "layout"
and the (mandatory) agent.  But, for now, use the tools from
unofficial external github projects:

For AWS:
https://github.com/ajacoutot/aws-openbsd

For Azure (also works in AWS and under VMM):
https://github.com/reyk/cloud-openbsd   (create images with cloud-agent)
https://github.com/reyk/cloud-agent (an alternative to waagent in ports)
https://github.com/reyk/meta-data   (test + boot cloud images under VMM)

We also have VirtIO drivers for OpenBSD VMM and KVM, as used by most
other clouds, and I'm planning to add support for OpenStack (JSON) and
OpenNebula (contexts) to my cloud-agent.

But please note that we're currently trying to find ways to create VM
images that still provide the benefits of OpenBSD-style things like
KARL.  The problem with pre-provisioned VM images is that they all
have the "same random values" in the filesystem, kernel, and libraries
where the installer usually makes each installation unique.  A
pre-provisioned image is always the same, at least on first boot,
unless we create something that prepares or installs everything before
getting a new VM instance online.  The first real* OpenBSD image on
Azure will probably be fully pre-provisioned, but maybe we switch to a
totally different model later.

In summary, I think all x86 VM hypervisors are more or less supported.
Just like real hardware platforms, some of them have problems, and
others work better.  But we're in a pretty good shape and it was an
interesting journey over the last years to get to this point.

*) There is currently only my company's OpenBSD-based product in
Azure.  Some PR got it wrong and announced 

Re: /usr/sbin/httpd and chunked transfer encoding

2017-05-07 Thread Reyk Floeter
Hi,

you cannot disable it and this Android client is broken.

"A recipient MUST be able to parse and decode the chunked transfer coding."

https://tools.ietf.org/html/rfc7230#section-4.1

Reyk

> Am 08.05.2017 um 03:06 schrieb johnw :
> 
> Hi, After installed owncloud/nextcloud on my openbsd,
> 
> I noticed android client do not support "chunked transfer encoding"
> 
> (https://github.com/owncloud/android/issues/1128;
> 
> Is it possible to disable this feature with "/usr/sbin/httpd"?
> 
> Any idea how to solve it?
> 
> Thanks.
> 
> 
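Reyk's answer rests on the RFC 7230 requirement quoted above; the following is an added example, not httpd's code, of what a recipient has to implement: a strict chunked-body decoder in C that rejects malformed or overflowing chunk sizes, truncated chunk data and output that would not fit, and reports how many input bytes it consumed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Decode a chunked transfer-coded body (RFC 7230, section 4.1):
 *   chunked-body = *chunk last-chunk trailer-part CRLF
 *   chunk        = chunk-size [ chunk-ext ] CRLF chunk-data CRLF
 * Returns the number of body bytes written to out, or -1 if the input is
 * malformed, truncated, or does not fit.  *consumed (if non-NULL) receives the
 * number of input bytes used, so the caller can locate the next request on a
 * persistent connection.  Chunk extensions and trailer fields are checked for
 * framing only and otherwise ignored.
 */
long
chunked_decode(const unsigned char *in, size_t inlen, unsigned char *out,
    size_t outcap, size_t *consumed)
{
	size_t	i = 0, o = 0;

	for (;;) {
		size_t	sz = 0;
		int	ndig = 0;

		/* chunk-size = 1*HEXDIG; refuse sizes that would overflow size_t */
		while (i < inlen && isxdigit(in[i])) {
			int c = tolower(in[i]);
			if (sz > (SIZE_MAX >> 4))
				return -1;
			sz = (sz << 4) | (size_t)(isdigit(c) ? c - '0' : c - 'a' + 10);
			i++;
			ndig++;
		}
		if (ndig == 0)
			return -1;
		/* optional chunk-ext: ";" name [ "=" value ], skipped up to CR */
		if (i < inlen && in[i] == ';')
			while (i < inlen && in[i] != '\r')
				i++;
		if (inlen - i < 2 || in[i] != '\r' || in[i + 1] != '\n')
			return -1;
		i += 2;
		if (sz == 0)
			break;		/* last-chunk */
		/* chunk-data: exactly sz octets, then CRLF; never trust the size */
		if (sz > inlen - i || sz > outcap - o)
			return -1;
		memcpy(out + o, in + i, sz);
		o += sz;
		i += sz;
		if (inlen - i < 2 || in[i] != '\r' || in[i + 1] != '\n')
			return -1;
		i += 2;
	}
	/* trailer-part: zero or more header lines, ended by an empty line */
	for (;;) {
		if (inlen - i < 2)
			return -1;
		if (in[i] == '\r' && in[i + 1] == '\n') {
			i += 2;
			break;
		}
		while (i < inlen && in[i] != '\r')
			i++;
		if (inlen - i < 2 || in[i + 1] != '\n')
			return -1;
		i += 2;
	}
	if (consumed != NULL)
		*consumed = i;
	return (long)o;
}

/* Helper for NUL-terminated input (constructed test messages). */
long
chunked_decode_str(const char *in, unsigned char *out, size_t outcap)
{
	return chunked_decode((const unsigned char *)in, strlen(in), out,
	    outcap, NULL);
}

/* 1 if in decodes to exactly expect and every input byte was consumed. */
int
chunked_decode_matches(const char *in, const char *expect)
{
	unsigned char	buf[256];
	size_t		used = 0;
	long		n;

	n = chunked_decode((const unsigned char *)in, strlen(in), buf,
	    sizeof(buf), &used);
	return n >= 0 && used == strlen(in) && (size_t)n == strlen(expect) &&
	    memcmp(buf, expect, (size_t)n) == 0;
}
```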


Re: DHCP in vmm guest

2017-05-04 Thread Reyk Floeter

> On 04.05.2017, at 16:13, Jiri B <ji...@devio.us> wrote:
> 
> On Thu, May 04, 2017 at 03:49:27PM +0200, Reyk Floeter wrote:
>> So you have the VM interface and the host interface on a bridge:
>> dhclient on the host "steals" all DHCP packets via BPF.
>> 
>> Try to pkill dhclient on the host and the VM should be able to get DHCP.
>> 
>> There is currently no solution for that, it is the way our dhclient works,
>> you can try to run the VM on a NAT'ed bridge or use "-L" local interfaces.
>> 
>> Reyk
> 
> What about using vether with bridge and having host's dhclient using
> vether?
> 
> What about having dhcrelay and relaying VM's dhcp to upstream dhcp server?
> 
> j.



You should also try "local interface" or "-L" with -current.

It doesn't need bridge or vether or dhcpd, just forwarding and pf on the host.

Reyk



Re: DHCP in vmm guest

2017-05-04 Thread Reyk Floeter
So you have the VM interface and the host interface on a bridge:
dhclient on the host "steals" all DHCP packets via BPF.

Try to pkill dhclient on the host and the VM should be able to get DHCP.

There is currently no solution for that, it is the way our dhclient works,
you can try to run the VM on a NAT'ed bridge or use "-L" local interfaces.

Reyk

> On 04.05.2017, at 14:51, Francois Stephany  wrote:
> 
> Hi,
> 
> I'm new to OpenBSD and I'm trying a simple setup where a VMM guest has
> access to the network via tap and bridge. The host uses a wired connection
> and gets its network address with DHCP.
> 
> Here's my /etc/vm.conf:
> 
> switch "vms_switch" {
> 	interface bridge0
> 	add bge0
> }
> 
> vm "vm.test" {
> 	memory 1G
> 	boot /home/fstephany/bsd.rd
> 	disk /var/vms/fstephany/vmtest-disk.img
> 	owner fstephany
> 	interface tap {
> 		switch "vms_switch"
> 	}
> 	disable
> }
> 
> 
> I've stopped vmd with #rcctl stop vmd
> and started it manually:
> 
> # vmd -dvv
> startup
> /etc/vm.conf:4: switch "vms_switch" registered
> /etc/vm.conf:15: vm "vm.test" registered (disabled)
> vm_priv_brconfig: interface bridge0 description switch1-vms_switch
> vm_priv_brconfig: interface bridge0 add bge0
> vmd_configure: not creating vm vm.test (disabled)
> vm_opentty: vm vm.test tty /dev/ttyp1 uid 0 gid 4 mode 620
> vm_priv_ifconfig: interface tap0 description vm1-if0-vm.test
> vm_priv_ifconfig: interface bridge0 add tap0
> vm.test: started vm 1 successfully, tty /dev/ttyp1
> loadfile_elf: loaded ELF kernel
> run_vm: initializing hardware for vm vm.test
> virtio_init: vm "vm.test" vio0 lladdr fe:e1:bb:d1:6d:23
> run_vm: starting vcpu threads for vm vm.test
> vcpu_reset: resetting vcpu 0 for vm 5
> run_vm: waiting on events for VM vm.test
> i8259_write_datareg: master pic, reset IRQ vector to 0x20
> i8259_write_datareg: slave pic, reset IRQ vector to 0x28
> vcpu_exit_i8253: channel 0 reset, mode=7, start=11932
> virtio_blk_io: device reset
> virtio_net_io: device reset
> vionet queue notify - no space, dropping packet
> vionet queue notify - no space, dropping packet
> vionet queue notify - no space, dropping packet
> vionet queue notify - no space, dropping packet
> vionet queue notify - no space, dropping packet
> virtio_net_io: device reset
> 
> 
> Here's what happens when the installer tries to get a network address:
> 
> # vmctl status
>   ID   PID VCPUS  MAXMEM  CURMEM TTYOWNER NAME
>1 - 11.0G   -   -fstephany vm.test
> # vmctl start vm.test -c
> Connected to /dev/ttyp1 (speed 9600)
> 
> Copyright (c) 1982, 1986, 1989, 1991, 1993
>The Regents of the University of California.  All rights reserved.
> Copyright (c) 1995-2017 OpenBSD. All rights reserved.
> https://www.OpenBSD.org
> 
> OpenBSD 6.1-current (RAMDISK_CD) #41: Tue May  2 21:13:30 MDT 2017
>dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
> real mem = 1056964608 (1008MB)
> avail mem = 1021235200 (973MB)
> mainbus0 at root
> bios0 at mainbus0
> acpi at bios0 not configured
> cpu0 at mainbus0: (uniprocessor)
> cpu0: Intel(R) Celeron(R) CPU G1610T @ 2.30GHz, 2295.33 MHz
> cpu0:
> FPU,VME,DE,PSE,MSR,PAE,MCE,CX8,SEP,PGE,MCA,CMOV,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,PCLMUL,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,XSAVE,HV,NXE,LONG,LAHF,FSGSBASE,SMEP,ERMS
> cpu0: 256KB 64b/line 8-way L2 cache
> pvbus0 at mainbus0: OpenBSD
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 "OpenBSD VMM Host" rev 0x00
> virtio0 at pci0 dev 1 function 0 "Qumranet Virtio RNG" rev 0x00
> viornd0 at virtio0
> virtio0: irq 3
> virtio1 at pci0 dev 2 function 0 "Qumranet Virtio Storage" rev 0x00
> vioblk0 at virtio1
> scsibus0 at vioblk0: 2 targets
> sd0 at scsibus0 targ 0 lun 0:  SCSI3 0/direct fixed
> sd0: 4096MB, 512 bytes/sector, 8388608 sectors
> virtio1: irq 5
> virtio2 at pci0 dev 3 function 0 "Qumranet Virtio Network" rev 0x00
> vio0 at virtio2: address fe:e1:bb:d1:6d:23
> virtio2: irq 7
> virtio3 at pci0 dev 4 function 0 "OpenBSD VMM Control" rev 0x00
> virtio3: no matching child driver; not configured
> isa0 at mainbus0
> com0 at isa0 port 0x3f8/8 irq 4: ns8250, no fifo
> com0: console
> softraid0 at root
> scsibus1 at softraid0: 256 targets
> root on rd0a swap on rd0b dump on rd0b
> 
> erase ^?, werase ^W, kill ^U, intr ^C, status ^T
> 
> Welcome to the OpenBSD/amd64 6.1 installation program.
> (I)nstall, (U)pgrade, (A)utoinstall or (S)hell? I
> At any prompt except password prompts you can escape to a shell by
> typing '!'. Default answers are shown in []'s and are selected by
> pressing RETURN.  You can exit this program at any time by pressing
> Control-C, but this can leave your system in an inconsistent state.
> 
> Terminal type? [vt220]
> System hostname? (short form, e.g. 'foo') vmtest
> 
> Available network interfaces are: vio0 vlan0.
> Which network interface do you wish to configure? (or 

Re: pledge for sockets

2017-04-29 Thread Reyk Floeter

> Am 26.04.2017 um 13:38 schrieb Luke Small :
> 
> Pledge will presumably have per process (including fork()ed process) **path
> limitations on rpath rpath and wpath calls, why not limitations on inet and
> unix?

We usually want to isolate our network speakers from the local system - 
combining inet and rpath/wpath should be avoided.

Use privsep and fd passing to open the socket in another process with the 
capability to do so.

This is what we do in most daemons.

Or open the socket before pledge for static configurations.

Reyk

>> On Wed, Apr 26, 2017 at 6:26 AM Janne Johansson  wrote:
>> 
>> 2017-04-26 13:19 GMT+02:00 Luke Small :
>> 
>>> I'm not saying to alter pledge necessarily, maybe make new system call
>>> like pledge. There aren't any per-process pf rules that are applied.
>> 
>> 
>> If your daemon has a specific user, you can make such rules in PF.
>> The goal you stated can be reached already, why keep on suggesting new
>> syscalls?
>> 
>> 
>> --
>> May the most significant bit of your life be positive.
>> 
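As an added illustration of the privsep and fd-passing pattern Reyk describes (example code, not taken from any OpenBSD daemon): a forked helper is the only process that creates and binds the listening socket, and passes it over a socketpair with SCM_RIGHTS to the network speaker, which then only needs pledge("stdio inet") and never rpath or wpath. The loopback address with a kernel-chosen port is a constructed test setup, and the pledge(2) call is compiled only on OpenBSD.

```c
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <string.h>
#include <unistd.h>

/* Send one descriptor over a UNIX socket via SCM_RIGHTS; 0 on success. */
static int
send_fd(int sock, int fd)
{
	/* cmsg buffer sized and aligned for exactly one descriptor */
	union { struct cmsghdr hdr; unsigned char buf[CMSG_SPACE(sizeof(int))]; } u;
	struct msghdr	 msg;
	struct cmsghdr	*cmsg;
	char		 tag = 'F';	/* SCM_RIGHTS needs one payload byte */
	struct iovec	 iov = { .iov_base = &tag, .iov_len = 1 };

	memset(&msg, 0, sizeof(msg));
	memset(&u, 0, sizeof(u));
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_control = u.buf;
	msg.msg_controllen = sizeof(u.buf);
	cmsg = CMSG_FIRSTHDR(&msg);
	cmsg->cmsg_level = SOL_SOCKET;
	cmsg->cmsg_type = SCM_RIGHTS;
	cmsg->cmsg_len = CMSG_LEN(sizeof(int));
	memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
	return (sendmsg(sock, &msg, 0) == 1) ? 0 : -1;
}

/* Receive the descriptor sent by send_fd(); returns it or -1. */
static int
recv_fd(int sock)
{
	union { struct cmsghdr hdr; unsigned char buf[CMSG_SPACE(sizeof(int))]; } u;
	struct msghdr	 msg;
	struct cmsghdr	*cmsg;
	char		 tag;
	struct iovec	 iov = { .iov_base = &tag, .iov_len = 1 };
	int		 fd = -1;

	memset(&msg, 0, sizeof(msg));
	msg.msg_iov = &iov;
	msg.msg_iovlen = 1;
	msg.msg_control = u.buf;
	msg.msg_controllen = sizeof(u.buf);
	if (recvmsg(sock, &msg, 0) != 1)
		return -1;
	cmsg = CMSG_FIRSTHDR(&msg);	/* we only ever send one control message */
	if (cmsg != NULL && cmsg->cmsg_level == SOL_SOCKET &&
	    cmsg->cmsg_type == SCM_RIGHTS)
		memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
	return fd;
}

/* The caller is the network speaker and never binds a socket itself: a forked
 * helper binds 127.0.0.1:0 (kernel-chosen port; constructed test setup) and
 * passes the listening socket back.  Returns the bound port, or -1 on failure. */
int
privsep_listen_demo(void)
{
	struct sockaddr_in	 sin;
	socklen_t		 len = sizeof(sin);
	int			 sp[2], lfd, port, status;
	pid_t			 pid;

	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) == -1 || (pid = fork()) == -1)
		return -1;
	if (pid == 0) {
		/* helper: the only process that creates and binds the socket */
		int s = socket(AF_INET, SOCK_STREAM, 0);
		close(sp[0]);
		memset(&sin, 0, sizeof(sin));
		sin.sin_family = AF_INET;
		sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
		if (s == -1 || bind(s, (struct sockaddr *)&sin, sizeof(sin)) == -1 ||
		    listen(s, 1) == -1 || send_fd(sp[1], s) == -1)
			_exit(1);
		_exit(0);
	}
	close(sp[1]);
	lfd = recv_fd(sp[0]);
	close(sp[0]);
	waitpid(pid, &status, 0);
	if (lfd == -1)
		return -1;
#ifdef __OpenBSD__
	/* The speaker holds its socket now: it needs neither rpath nor wpath. */
	if (pledge("stdio inet", NULL) == -1)
		return -1;
#endif
	port = getsockname(lfd, (struct sockaddr *)&sin, &len) == -1 ?
	    -1 : ntohs(sin.sin_port);
	close(lfd);
	return port;
}
```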



Re: tinc on openBSD?

2017-04-27 Thread Reyk Floeter
On Thu, Apr 27, 2017 at 07:51:18AM +0200, Harald Dunkel wrote:
> Hi folks,
> 
> AFAICS tinc is included in the packages for 6.1, but surely
> that doesn't mean its safe to use without looking.
> 
> Are there security concerns against running tinc on an OpenBSD
> gateway as an alternative to IPsec and openvpn in a +50 road
> warriors setup? What is your impression of this tool in daily
> usage? Which VPN solution would you prefer?
> 
> 

I never used tinc and it is not related to OpenBSD; so I cannot judge
on the quality or usability of the software.

But a quick look at source and documentation shows me that --chroot
and --user are not enabled by default (see switchuser and do_chroot in
tincd.c).  Who would do that in 2017?

Another question that you should ask yourself: do you trust tinc's
crypto protocol?  It seems a bit dated; but what really matters if you
care about security: did it get a good crypto review recently?

It does show up with examples and documentation in Wikileak's Vault7
documents, but I'm not sure if this is a good or bad thing.

Reyk



Re: Arch and vmd

2017-04-26 Thread Reyk Floeter
On Wed, Apr 26, 2017 at 11:15:57AM -0700, Mike Larkin wrote:
> On Wed, Apr 26, 2017 at 06:47:17PM +0200, Karl Pettersson wrote:
> > Arch Linux works well as a vmd guest. Some notes about my experiences 
> > installing the system:
> > 
> > * The Arch installation can be started from the serial console, see:
> >   https://wiki.archlinux.org/index.php/Working_with_the_serial_console
> >   #Installing_Arch_Linux_using_the_serial_console
> >   However, the installation still tends to be unstable, due to unreliable
> >   downloads (which has been discussed earlier). Until this is fixed, the 
> >   installation can be run in QEMU, or in a guest under Linux/KVM (as is
> >   currently required by distributions with graphical install).
> > 
> > * Syslinux has to be used as bootloader, and serial console should be
> >   enabled: https://wiki.archlinux.org/index.php/Syslinux#Serial_console
> >   Moreover, the generated config has to be edited to point to the
> >   correct root device, and if Ext4 is used as root file system, it must
> >   not be 64bit (which is enabled by default when the file system is
> >   created): http://www.syslinux.org/wiki/index.php?title=Filesystem
> > 
> 
> Thanks for trying this out and reporting Karl.
> 
> The notes about serial console are welcome. Do note that we are working toward
> an sgabios + seabios payload so that you will be able to install from media
> that uses the regular VGA console (sgabios redirects VGA text mode I/O to
> the serial console). There are a couple of developers working on this, 
> hopefully
> it will make it to the tree soon.
> 

vmd -current is ready to handle sgabios with a different BIOS image.

sthen@ has made an updated sysutils/firmware/vmm port that includes
sgabios, but it is not available yet, you can give it quick try by
replacing the /etc/firmware/vmm-bios file with the following image
that I created manually:

https://bsd.plumbing/vmm-bios-sgabios

Notes and config (to build your own):
https://bsd.plumbing/vmm-bios-sgabios.config.txt

Reyk



Re: spamd and outlook.com

2017-04-21 Thread Reyk Floeter
On Fri, Apr 21, 2017 at 01:52:05PM +0200, Boudewijn Dijkstra wrote:
> Op Fri, 21 Apr 2017 12:16:31 +0200 schreef Reyk Floeter <r...@openbsd.org>:
> > On Fri, Apr 21, 2017 at 11:59:20AM +0200, Peter N. M. Hansteen wrote:
> > > On Fri, Apr 21, 2017 at 11:25:14AM +0200, Markus Rosjat wrote:
> > > >
> > 
> > I use the attached script to fetch the SPF entries recursively, in a
> > plain text format that can be fed into pfctl.
> 
> Have you tried mx3a.certifiedfactory.info ?  ;)
> 

great

I think you got something wrong:

I don't use this simple script automatically or for "untrusted
domains", I just use it _manually_ and for _well-known_ offenders like
outlook.com that break greylisting.  SPF is not a security solution,
but it is a band-aid that helps to handle these stupid cloud-based MTAs.

The script below fixes it - or akpoff's slightly more complicated (and
probably more correct) version.

Reyk

---snip---
#!/usr/bin/perl

# Copyright (c) 2016, 2017 Reyk Floeter <r...@openbsd.org>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

use strict;
use warnings;

my $domain = shift @ARGV or die "usage: $0 domain";
my %seen = ();		# domains already expanded, stops include/redirect loops

sub parsespf
{
	my $domain = shift;
	# Run nslookup without a shell so the domain is passed as a plain argument.
	open(my $fh, '-|', 'nslookup', '-q=TXT', $domain)
	    or die "nslookup $domain: $!";
	my @foo = <$fh>;
	close($fh);
	my @results = ();

	foreach (@foo) {
		next if not /\Q$domain\E\ttext/;
		next if not s/\Q$domain\E\ttext = "v=spf1([^"]+)"/$1/;

		@results = split /\s+/;
		foreach (@results) {
			next if /.all/;
			if (s/^ip[46]://) {
				# one address or network per line, ready for a pf table
				print "$_\n";
			} elsif (s/^(redirect|include)[:=]//) {
				print "\n#$_\n";
				if (!$seen{$_}) {
					$seen{$_} = 1;
					parsespf($_);
				}
			}
		}
	}
}

parsespf($domain);

0;



Re: spamd and outlook.com

2017-04-21 Thread Reyk Floeter
On Fri, Apr 21, 2017 at 11:59:20AM +0200, Peter N. M. Hansteen wrote:
> On Fri, Apr 21, 2017 at 11:25:14AM +0200, Markus Rosjat wrote:
> > 
> > so if you have spamd in place in greylisting mode and you have customers
> > that work with people who use Office365 as a service you will get calls that
> > emails are delayed for a freaking long time and if you check the ip range
> > that outlook.com could send from you get scared.
> 
> start with
> 
> $ host -ttxt outlook.com
> 
> and follow the includes to the very end. Then weep.
> 
> TL;DR: last time I looked that expanded to eighty-some *networks* of varying 
> sizes.
> 
> https://github.com/akpoff/spf_fetch fed the relevant domains is one solution,
> and in addition you will find my collection of manually maintained SPF 
> sedimentation 
> is available at https://home.nuug.no/~peter/nospamd 
> 

I use the attached script to fetch the SPF entries recursively, in a
plain text format that can be fed into pfctl.

outlook.com gives me 82 networks.

Reyk

---snip---
#!/usr/bin/perl

# Copyright (c) 2016 Reyk Floeter <r...@openbsd.org>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

$domain = shift @ARGV or die "usage: $0 domain";

sub parsespf
{
	my $domain = shift;
	my @foo = `nslookup -q=TXT $domain`;
	my @results = ();

	foreach (@foo) {
		next if not /$domain\ttext/;
		next if not s/$domain\ttext = "v=spf1([^"]+)"/$1/;

		@results = split /\s+/;
		foreach (@results) {
			next if /.all/;
			if (s/^ip[46]://) {
				print "$_\n";
			} elsif (s/^(redirect|include)[:=]//) {
				print "\n#$_\n";
				parsespf($_);
			}
		}
	}
}

parsespf($domain);

0;



Re: iked/IKEv2 issue with 6.1

2017-04-20 Thread Reyk Floeter
On Thu, Apr 20, 2017 at 04:03:38PM -0400, Igor V. Gubenko wrote:
> Hello everyone,
> 
> OpenIKED just doesn't seem to like me much.
> 
> I managed to get it working around 5.8 but from upgrade to upgrade I
> encountered different issues.
> 
> I have 3 tunnels using IKEv2. 2 are using a PSK, and 1 is using cert/RSA
> auth.
> 
> They were working fine on 6.0. However the same configuration now fails
> with 6.1 - iked refuses to start.
> 

> srcid "/C=US/ST=New Jersey/L=Livingston/O=some org/OU=some
> dept/CN=some_cn_fqdn" \
> dstid "/C=US/ST=New Jersey/L=Princeton/O=some org2/OU=some
> dept2/CN=some_cn_fqdn2"
> 

> set_policy: unknown type = 9

Thanks for the good report!

It seems that using ASN1_DN IDs got broken with parse.y 1.62.
Does the attached diff fix your problem?

Reyk

Index: sbin/iked/parse.y
===
RCS file: /cvs/src/sbin/iked/parse.y,v
retrieving revision 1.64
diff -u -p -u -p -r1.64 parse.y
--- sbin/iked/parse.y   28 Mar 2017 16:56:39 -  1.64
+++ sbin/iked/parse.y   20 Apr 2017 21:40:14 -
@@ -1807,7 +1807,7 @@ set_policy(char *idstr, int type, struct
 {
char keyfile[PATH_MAX];
const char  *prefix = NULL;
-   EVP_PKEY*key;
+   EVP_PKEY*key = NULL;
 
switch (type) {
case IKEV2_ID_IPV4:
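Review bot: the `EVP_PKEY *key = NULL` initialiser is what makes the new `goto done` path in this function safe: control jumps past the code that assigns `key`, so `set_policy_auth_method()` and the `EVP_PKEY_free(key)` in its error branch see a well-defined NULL instead of an indeterminate stack value. A one-line comment at the declaration would stop a later cleanup from dropping it.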
@@ -1822,6 +1822,9 @@ set_policy(char *idstr, int type, struct
case IKEV2_ID_UFQDN:
prefix = "ufqdn";
break;
+   case IKEV2_ID_ASN1_DN:
+   /* public key authentication is not supported with ASN.1 IDs */
+   goto done;
default:
/* Unspecified ID or public key not supported for this type */
log_debug("%s: unknown type = %d", __func__, type);
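Review bot: `goto done` for `IKEV2_ID_ASN1_DN` skips the code that fills `keyfile`, yet `keyfile` (declared `char keyfile[PATH_MAX]` without an initialiser in this function) is still passed to `set_policy_auth_method(keyfile, key, pol)` after the label. Unless that function is guaranteed to ignore `keyfile` whenever `key == NULL`, set `keyfile[0] = '\0'` before jumping or pass NULL on this path. A `log_debug()` like the one in the `default` case would also make it visible in debug output that an ASN.1 DN policy is proceeding without a public key.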
@@ -1841,6 +1844,7 @@ set_policy(char *idstr, int type, struct
keyfile);
}
 
+ done:
if (set_policy_auth_method(keyfile, key, pol) < 0) {
EVP_PKEY_free(key);
log_warnx("%s: failed to set policy auth method for %s",
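Review bot: placing ` done:` directly before `set_policy_auth_method(keyfile, key, pol)` is the right join point, since the ASN1_DN case should still get an auth method, just with `key == NULL`. The fix therefore depends on `set_policy_auth_method()` treating a NULL key as "no key available" rather than as an error; if it does not, the reporter's cert/RSA tunnel with DN IDs would still make iked refuse to start, so that callee is worth a look in the same commit.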



Re: OpenBSD httpd and HTTP/2

2017-03-31 Thread Reyk Floeter
On Fri, Mar 31, 2017 at 09:14:10AM +0200, Marina Ala wrote:
> Hello!
> 
> When will the httpd have HTTP/2 support in OpenBSD? 
> 
> Endpoints, webservers and the devices/networs between the two points would 
> greatly benefit from HTTP/2. 
> 
> Faster and less traffic. 
> 
> Thanks. 
> 

Isn't QUIC the hot new thing now?  It is UDP, so Google can reinvent
TCP and turn even more of their browser into an OS-replacement ;)

Seriously, there are benefits of implementing HTTP/2, and it would be
an interesting exercise to do so, but it is also adds many problems
and some complexity.

So: maybe.

Reyk



Re: UEFI and Hyper-v

2017-03-27 Thread Reyk Floeter
On Mon, Mar 27, 2017 at 10:46:00AM +0200, Reyk Floeter wrote:
> btw. Is there any reason or benefit to use Gen 2?  AFAIK, it is only
> for Windows for secure boot etc.  I think Gen 1 is fine for OpenBSD,
> you even have the hvn(4) and the hyperv(4) drivers now.  Even the
> latest machines in Azure are Gen 1-based.
> 
> On Mon, Mar 27, 2017 at 10:07:03AM +0200, Markus Rosjat wrote:
> like the topic says I look for some feedback here. I try to set up a Gen 2
> 

And you shouldn't get confused by the naming: "Gen 1" and "Gen 2"
implies that one is better than the other.  This doesn't seem to be
the case - they are just different in regards to legacy devices.

Gen 2 is a bit like HVPVM in Xen (or was it PVHVM?).

Gen 2 requires UEFI and PV drivers, while Gen 1 does not require them.
And we still miss a PV storage driver (aka. "hvs(4)") for Hyper-V, it
wouldn't support the disk.  OpenBSD requires Gen 1 and the pciide(4)
emulation on Hyper-V.

Reyk

> 
> On Mon, Mar 27, 2017 at 10:07:03AM +0200, Markus Rosjat wrote:
> > Hi there,
> > 
> > like the topic says I look for some feedback here. I try to set up a Gen 2
> > Hyper-V VM (Gen 1 is really not a problem) so I need to boot with a UEFI
> > Medium. Since the normal iso doesn't provide that I took the following
> > approach:
> > 
> >  1. I created a USB stick from installXX.fs
> >  2. verified that I could boot from the stick
> >  3. created a VHDX from the stick
> >  4. Attached it to a Gen 2 VM
> >  5. booted the VM and here I'm stuck for now
> > It starts to boot but instead of showing me all the nice dmesg
> > stuff I would expect  it just went black.
> > 
> > but the rest of the way would look like this
> > 
> >  6. Install OpenBSD on another VHDX
> >  7. detach the first VHDX
> > 
> > So the question really is, do I miss a step or is it just not possible at
> > the moment to get it working with Gen 2 VMs? The secure boot feature of the
> > VM is disabled.
> > 
> > Regards
> > 
> > -- 
> > Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
> > 
> > G+H Webservice GbR Gorzolla, Herrmann
> > Königsbrücker Str. 70, 01099 Dresden
> > 
> > http://www.ghweb.de
> > fon: +49 351 8107220   fax: +49 351 8107227
> > 
> > Please check whether this mail really needs to be printed! Before
> > you print it, think about your responsibility and commitment to the
> > ENVIRONMENT
> > 
> 
> -- 

-- 



Re: UEFI and Hyper-v

2017-03-27 Thread Reyk Floeter
Hi,

I tried it once with a custom ISO but didn't get any further than the
OpenBSD UEFI boot loader.  At this point, it couldn't find the disk so
I couldn't get to boot OpenBSD.  But this was in the early stages of
our UEFI support.

So we seem to miss some EFI drivers for Hyper-V Gen 2.  If you get to
the boot loader and it finds the disk, you still might not be able to
get display output if it doesn't use an efifb(4)-compatible display.

btw. Is there any reason or benefit to use Gen 2?  AFAIK, it is only
for Windows for secure boot etc.  I think Gen 1 is fine for OpenBSD,
you even have the hvn(4) and the hyperv(4) drivers now.  Even the
latest machines in Azure are Gen 1-based.

Reyk

On Mon, Mar 27, 2017 at 10:07:03AM +0200, Markus Rosjat wrote:
> Hi there,
> 
> like the topic says I look for some feedback here. I try to set up a Gen 2
> Hyper-V VM (Gen 1 is really not a problem) so I need to boot with a UEFI
> Medium. Since the normal iso doesn't provide that I took the following
> approach:
> 
>  1. I created a USB stick from installXX.fs
>  2. verified that I could boot from the stick
>  3. created a VHDX from the stick
>  4. Attached it to a Gen 2 VM
>  5. booted the VM and here I'm stuck for now
> It starts to boot but instead of showing me all the nice dmesg
> stuff I would expect  it just went black.
> 
> but the rest of the way would look like this
> 
>  6. Install OpenBSD on another VHDX
>  7. detach the first VHDX
> 
> So the question really is, do I miss a step or is it just not possible at
> the moment to get it working with Gen 2 VMs? The secure boot feature of the
> VM is disabled.
> 
> Regards
> 
> -- 
> Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
> 
> G+H Webservice GbR Gorzolla, Herrmann
> Königsbrücker Str. 70, 01099 Dresden
> 
> http://www.ghweb.de
> fon: +49 351 8107220   fax: +49 351 8107227
> 
> Please check whether this mail really needs to be printed! Before
> you print it, think about your responsibility and commitment to the
> ENVIRONMENT
> 

-- 



Re: Running OpenBSD on Hypervisor

2017-03-08 Thread Reyk Floeter
> Am 08.03.2017 um 07:22 schrieb Phil Eaton :
>
> I have OpenBSD (and FreeBSD) running on Linode VMs (on a KVM host) and it
> works well enough. I'm more than hazy on the details, but the issue as far
> as I'm aware is that OpenBSD does not yet have full support for virtio. So
> I need to use full virtualization for it to recognize my disks and network
> devices. Presumably this affects performance, but I haven't gotten into
> testing it much and haven't noticed it in my (admittedly light) use so far.
>

What do you mean with "does not yet have full support"?

We have all relevant virtio drivers.

Could you provide more details, dmesg?

> At home I have FreeBSD running on Hyper-V and it works well too. But
> FreeBSD has better support for the virtio drivers so I'd expect it to
> perform better in both cases.
>

Your information is obsolete.

OpenBSD has great Hyper-V drivers. They're awesome.

The only missing one is the PV disk driver and you have to stick with wd(4)
for now.

> Disclosure: I work for Linode

Offering free accounts? ;)

Reyk

>> On Wed, Mar 8, 2017 at 10:07 AM, Markus Rosjat  wrote:
>>
>> Hi there,
>>
>> just like to get opinions or examples of OpenBSD as guest on a hypervisor.
>> I had it running on a VMware Host but since the free version is missing
>> quite a lot of features I was wondering where to look at. I also tried
>> Hyper-V from MS and this looks quite ok. So if the "virtual" guys like to
>> share their experience it would be nice. I'm open for everything so KVM or
>> bhyve are points I've looked at but haven't tried for now.
>>
>> thanks for the input
>>
>> regards
>> --
>> Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
>>
>> G+H Webservice GbR Gorzolla, Herrmann
>> Königsbrücker Str. 70, 01099 Dresden
>>
>> http://www.ghweb.de
>> fon: +49 351 8107220   fax: +49 351 8107227
>>
>> Please check whether this mail really needs to be printed! Before
>> you print it, think about your responsibility and commitment to the
>> ENVIRONMENT
>>
>>
>
>
> --
> Phil Eaton



Re: Running OpenBSD on Hypervisor

2017-03-08 Thread Reyk Floeter
Hi,

what exactly is your question?

Nowadays OpenBSD runs by default on:

- OpenBSD vmm
- Xen (HVM modes)
- Hyper-V
- VMware
- KVM
- VirtualBox
- bhyve
- qemu (also aarch64 and others)
- sun4v logical domains
- ...

We have PV drivers for all of them in GENERIC.

Reyk

> Am 08.03.2017 um 07:07 schrieb Markus Rosjat :
>
> Hi there,
>
> just like to get opinions or examples of OpenBSD as guest on a hypervisor. I
> had it running on a VMware Host but since the free version is missing quite a
> lot of features I was wondering where to look at. I also tried Hyper-V from MS
> and this looks quite ok. So if the "virtual" guys like to share their
> experience it would be nice. I'm open for everything so KVM or bhyve are
> points I've looked at but haven't tried for now.
>
> thanks for the input
>
> regards
> --
> Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
>
> G+H Webservice GbR Gorzolla, Herrmann
> Königsbrücker Str. 70, 01099 Dresden
>
> http://www.ghweb.de
> fon: +49 351 8107220   fax: +49 351 8107227
>
> Please check whether this mail really needs to be printed! Before
> you print it, think about your responsibility and commitment to the
> ENVIRONMENT



Re: From SHA1 to SHA256 in dhcpd sync

2017-02-27 Thread Reyk Floeter
> On 27.02.2017, at 16:10, Theo de Raadt  wrote:
>
>>>
>>> A patch to get away from SHA1 in dhcpd
>>>
>>
>> HMAC-SHA1 is not affected by the published collision, but I'm not
>> against switching the sync protocol to SHA2.  Performance also doesn't
>> matter that much here as the typical sync rate is fairly small.
>>
>> Once done, it should also be done for spamd-sync where the protocol came
>> from.
>
> Well, I don't see the point of making the change.  HMAC's are still safe.

True, I don't mind either way.

So let's keep "version 1" as it is.

Reyk



Re: From SHA1 to SHA256 in dhcpd sync

2017-02-27 Thread Reyk Floeter
On Sat, Feb 25, 2017 at 04:15:07PM +0100, Denis Fondras wrote:
> Hi,
> 
> A patch to get away from SHA1 in dhcpd
> 

HMAC-SHA1 is not affected by the published collision, but I'm not
against switching the sync protocol to SHA2.  Performance also doesn't
matter that much here as the typical sync rate is fairly small.

Once done, it should also be done for spamd-sync where the protocol came from.

See comments below.

> 
> Index: sync.c
> ===
> RCS file: /cvs/src/usr.sbin/dhcpd/sync.c,v
> retrieving revision 1.23
> diff -u -p -r1.23 sync.c
> --- sync.c13 Feb 2017 23:04:05 -  1.23
> +++ sync.c25 Feb 2017 15:12:52 -
> @@ -32,7 +32,7 @@
>  
>  #include 
>  #include 
> -#include 
> +#include 
>  #include 
>  #include 
>  #include 
> @@ -140,7 +140,7 @@ sync_init(const char *iface, const char 
>   }
>   }
>  
> - sync_key = SHA1File(DHCP_SYNC_KEY, NULL);
> + sync_key = SHA256File(DHCP_SYNC_KEY, NULL);
>   if (sync_key == NULL) {
>   if (errno != ENOENT) {
>   log_warn("failed to open sync key");
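Review bot: switching `SHA1File()` to `SHA256File()` changes the key derived from DHCP_SYNC_KEY (64 hex characters instead of 40) as well as the digest used for the HMAC, so an upgraded dhcpd can no longer authenticate against a peer still running the SHA1 version and will silently drop its messages as `trunc`. That makes a DHCP_SYNC_VERSION bump necessary rather than cosmetic, and `sync_recv()` should check `sh_version` and log a mismatch before it ever reaches the HMAC comparison, so the operator can tell an old peer from a corrupted packet.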
> @@ -270,7 +270,7 @@ sync_recv(void)
>   /* Compute and validate HMAC */
>   memcpy(hmac[0], hdr->sh_hmac, DHCP_SYNC_HMAC_LEN);
>   explicit_bzero(hdr->sh_hmac, DHCP_SYNC_HMAC_LEN);
> - HMAC(EVP_sha1(), sync_key, strlen(sync_key), buf, len,
> + HMAC(EVP_sha256(), sync_key, strlen(sync_key), buf, len,
>   hmac[1], _len);
>   if (bcmp(hmac[0], hmac[1], DHCP_SYNC_HMAC_LEN) != 0)
>   goto trunc;
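Review bot: `bcmp(hmac[0], hmac[1], DHCP_SYNC_HMAC_LEN)` compares the received and computed authenticators with a function that returns as soon as bytes differ; while this line is being touched anyway, `timingsafe_bcmp(3)` is the primitive OpenBSD provides for comparing MACs. Also confirm that `hmac` is declared in terms of DHCP_SYNC_HMAC_LEN so both buffers grow to 32 bytes with the define change, otherwise `HMAC()` writes a 32-byte digest into a 20-byte array.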
> @@ -404,7 +404,7 @@ sync_lease(struct lease *lease)
>   memset(, 0, sizeof(pad));
>  
>   HMAC_CTX_init();
> - HMAC_Init(, sync_key, strlen(sync_key), EVP_sha1());
> + HMAC_Init(, sync_key, strlen(sync_key), EVP_sha256());
>  
>   leaselen = sizeof(lv);
>   padlen = DHCP_ALIGN(leaselen) - leaselen;
> Index: sync.h
> ===
> RCS file: /cvs/src/usr.sbin/dhcpd/sync.h,v
> retrieving revision 1.5
> diff -u -p -r1.5 sync.h
> --- sync.h4 Oct 2016 22:47:51 -   1.5
> +++ sync.h25 Feb 2017 15:12:52 -
> @@ -20,6 +20,8 @@
>  #ifndef _DHCPD_SYNC
>  #define _DHCPD_SYNC
>  
> +#include 
> +
>  /*
>   * dhcpd(8) synchronisation protocol.
>   *
> @@ -28,14 +30,14 @@
>   * It is a simple Type-Length-Value based protocol, it allows easy
>   * extension with future subtypes and bulk transfers by sending multiple
>   * entries at once. The unencrypted messages will be authenticated using
> - * HMAC-SHA1.
> + * HMAC-SHA256.
>   *
>   */
>  
>  #define DHCP_SYNC_VERSION1

This should be bumped to version 2

>  #define DHCP_SYNC_MCASTADDR  "224.0.1.240"   /* XXX choose valid address */
>  #define DHCP_SYNC_MCASTTTL   IP_DEFAULT_MULTICAST_TTL
> -#define DHCP_SYNC_HMAC_LEN   20  /* SHA1 */
> +#define DHCP_SYNC_HMAC_LEN   SHA256_DIGEST_LENGTH
>  #define DHCP_SYNC_MAXSIZE1408
>  #define DHCP_SYNC_KEY"/var/db/dhcpd.key"
> 
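Review bot: replacing the literal `20` with `SHA256_DIGEST_LENGTH` is correct, but the on-wire header grows while `DHCP_SYNC_MAXSIZE 1408` stays as it is; any code in sync.c that computes how many lease TLVs fit in one datagram from MAXSIZE minus a hard-coded header size must use `sizeof(struct dhcp_synchdr)` instead, and the `sh_pad` field in that struct needs to be revisited at the same time so the header stays 8-byte aligned.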

You should also look at the struct below and adjust the padding to
keep it aligned to 8 bytes:

```
struct dhcp_synchdr {
	u_int8_t	sh_version;
	u_int8_t	sh_af;
	u_int16_t	sh_length;
	u_int32_t	sh_counter;
	u_int8_t	sh_hmac[DHCP_SYNC_HMAC_LEN];
	u_int8_t	sh_pad[4];
} __packed;
```

Before: 1+1+2+4+20+4 = 32
After:  1+1+2+4+32+0 = 40

```
struct dhcp_synchdr {
	u_int8_t	sh_version;
	u_int8_t	sh_af;
	u_int16_t	sh_length;
	u_int32_t	sh_counter;
	u_int8_t	sh_hmac[DHCP_SYNC_HMAC_LEN];
} __packed;
```

So we increase the HMAC_LEN by 12 bytes but removing the now unneeded
padding reduces the overhead to a total of 8 bytes.  I think that's
worth it.

Reyk



Re: http 408 messages in httpd logs

2017-02-14 Thread Reyk Floeter
> Am 14.02.2017 um 11:27 schrieb trondd :
>
>> On Tue, February 14, 2017 1:48 pm, Walter Alejandro Iglesias wrote:
>> Starting from Feb 11 my httpd logs are filled with 408 messages:
>>
>> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:48:32 +0100] "GET / HTTP/1.1" 200 2535
>> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:48:32 +0100] "GET /en/styles.css HTTP/1.1" 200 282
>> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:48:32 +0100] "GET /en/img/home-novelas.png HTTP/1.1" 200 1812
>> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:48:32 +0100] "GET /en/img/home-comic.png HTTP/1.1" 200 2779
>> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:48:32 +0100] "GET /en/img/at.png HTTP/1.1" 200 324
>> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:48:32 +0100] "GET /en/img/home-devel.png HTTP/1.1" 200 4111
>> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:48:32 +0100] "GET /en/img/home-articles.png HTTP/1.1" 200 5835
>> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:48:32 +0100] "GET /en/img/home-about.jpg HTTP/1.1" 200 22211
>> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:48:32 +0100] "GET /en/img/home-social.png HTTP/1.1" 200 2782
>> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:49:32 +0100] " " 408 0
>> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:49:32 +0100] " " 408 0
>> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:49:32 +0100] " " 408 0
>> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:49:32 +0100] " " 408 0
>> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:49:32 +0100] " " 408 0
>> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:49:32 +0100] " " 408 0
>>
>> This affects my main site only (I have other several virtual sites
>> hosted in that machine), the only one using ssl on 443 port.  As the
>> example shows, some of them come right before a same source IP
>> successful connection.  In fact, the hidden ip above is me browsing my
>> web site from another location.  Besides, I didn't notice any delay, the
>> pages are loaded as fast as before the messages started to appear.
>>
>> Increasing the request time out (in /etc/httpd.conf):
>>
>>  connection request timeout 120
>>
>> seems (not sure) to reduce a bit the number of messages.
>>
>> What intrigues me (and the reason I'm mentioning this here) is before
>> Feb 11th, the date the first appeared, there is none, passed that date
>> *all* requests generate that message.  I follow -current and upgrade
>> snapshots regularly.  Could be some change in the system the cause?
>>
>
> Yes:
>
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/httpd/server.c.diff?r1=1.106=1.107=h
>
> I am assuming these are client pre-negotiated connections to speed up the
> user experience.  I guess they were not properly being closed before.
> Unfortunately the commit message is not helpful here.
>

Good catch. Maybe changing it to a 408 was not the right thing here.

Reyk



Re: http 408 messages in httpd logs

2017-02-14 Thread Reyk Floeter
> On 14.02.2017 at 10:48, Walter Alejandro Iglesias wrote:
>
> Starting from Feb 11 my httpd logs are filled with 408 messages:
>
> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:48:32 +0100] "GET / HTTP/1.1" 200 2535
> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:48:32 +0100] "GET /en/styles.css HTTP/1.1" 200 282
> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:48:32 +0100] "GET /en/img/home-novelas.png HTTP/1.1" 200 1812
> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:48:32 +0100] "GET /en/img/home-comic.png HTTP/1.1" 200 2779
> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:48:32 +0100] "GET /en/img/at.png HTTP/1.1" 200 324
> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:48:32 +0100] "GET /en/img/home-devel.png HTTP/1.1" 200 4111
> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:48:32 +0100] "GET /en/img/home-articles.png HTTP/1.1" 200 5835
> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:48:32 +0100] "GET /en/img/home-about.jpg HTTP/1.1" 200 22211
> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:48:32 +0100] "GET /en/img/home-social.png HTTP/1.1" 200 2782
> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:49:32 +0100] " " 408 0
> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:49:32 +0100] " " 408 0
> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:49:32 +0100] " " 408 0
> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:49:32 +0100] " " 408 0
> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:49:32 +0100] " " 408 0
> roquesor.com 79.xxx.150.xx4 - - [14/Feb/2017:15:49:32 +0100] " " 408 0
>
> This affects my main site only (I have other several virtual sites
> hosted in that machine), the only one using ssl on 443 port.  As the
> example shows, some of them come right before a same source IP
> successful connection.  In fact, the hidden ip above is me browsing my
> web site from another location.  Besides, I didn't notice any delay, the
> pages are loaded as fast as before the messages started to appear.
>
> Increasing the request time out (in /etc/httpd.conf):
>
>  connection request timeout 120
>
> seems (not sure) to reduce a bit the number of messages.
>
> What intrigues me (and the reason I'm mentioning this here) is before
> Feb 11th, the date the first appeared, there is none, passed that date
> *all* requests generate that message.  I follow -current and upgrade
> snapshots regularly.  Could be some change in the system the cause?
>

Yes, this is possible. Could you send me some more
details including config?

Reyk



Re: OpenBSD 6.0, httpd chroot & nfs

2017-02-14 Thread Reyk Floeter
Hi,

On Tue, Feb 14, 2017 at 07:24:17AM -0700, Steve Williams wrote:
> Hi,
> 
> I have a web based application (Gallery 3) on one web server with a 
> fairly large number of photos.
> 
> I have nfs mounted that folder onto a new APU2 system with OpenBSD 6.0 
> on it.
> 192.168.123.3:/ext_gallery/gallery3 520142836 89008296 405127400 18% /var/www/htdocs/gallery3
> 
> A very simple httpd.conf file:
> 
> server "photos.williamsitconsulting.com" {
>  listen on $ext_addr port 80
>  root "/htdocs/gallery3"
>  directory index index.php
> 
>  location "*.php" {
>  fastcgi socket "/run/php-fpm.sock"
>  }
> }
> 
> 
> I cannot access the "index.php" file with a web browser.
> 
> I believe I have confirmed that it's not a problem with chroot itself...
> 
> # chroot -g www -u www /var/www /bin/ksh
> $ cd /htdocs/gallery3
> $ echo *
> LICENSE README application bin index.php installer lib modules
> php.ini robots.txt system themes var
> ^
> 
> 
> To troubleshoot, I unmounted the NFS folder and copied a portion of over 
> to /var/www/htdocs/gallery3.  Accessing the information locally works 
> fine.  Unfortunately, I don't have disk space on the APU2 system to copy 
> the entire folder over (it's got a ton of photos in it).
> 
> I suspect this is to do with some kind of conflict between nfs, httpd 
> and chroot.
> 
> With the NFS mounted, I've run "httpd -d -v -v -v -v -v -v" and I don't 
> get any errors when I try to access the index.php, it just doesn't serve 
> anything up (likely because there's nothing there!).
> 
> There's no message in the error.log, and I have tried putting php-fpm 
> into "debug" mode and there's nothing relevant logged there either.
> 
> What am I missing?  or is this even possible?
> 

It is really hard to tell without logs, but the problem can also be in
php-fpm, not just in httpd.  Can you access files that are not served
via fastcgi (static files, images)?

You could try to start httpd in the following way:

# env EVENT_NOKQUEUE=1 httpd -ddvvv

This will switch libevent from kqueue to poll.  We had kernel-related
issues with kqueue on NFS in the past, but they should have been fixed.

Reyk



Re: relayd send/expect syntax

2017-02-08 Thread Reyk Floeter
On Tue, Feb 07, 2017 at 05:04:18PM -0500, Michael W. Lucas wrote:
> host 104.236.197.233, check send expect (9020ms,tcp read timeout), state 
> unknown -> down, availability 0.00%

The send/expect code loses its error because of its async nature -
it goes like:

1. "we got data, let's verify it"
2. "expect test failed, but maybe we didn't read enough, let's try again"
3. "no more data, timeout"

When we reach 3), the code also has to check if there is anything in
the input buffer from 1) and verify it again.  The following code
fixes it to show "send/expect failed" instead of "tcp read timeout".

Reyk

Index: usr.sbin/relayd/check_tcp.c
===
RCS file: /cvs/src/usr.sbin/relayd/check_tcp.c,v
retrieving revision 1.51
diff -u -p -u -p -r1.51 check_tcp.c
--- usr.sbin/relayd/check_tcp.c 11 Jan 2016 21:31:42 -  1.51
+++ usr.sbin/relayd/check_tcp.c 8 Feb 2017 23:16:14 -
@@ -233,8 +233,12 @@ tcp_read_buf(int s, short event, void *a
struct ctl_tcp_event*cte = arg;
 
if (event == EV_TIMEOUT) {
-   tcp_close(cte, HOST_DOWN);
-   hce_notify_done(cte->host, HCE_TCP_READ_TIMEOUT);
+   if (ibuf_size(cte->buf))
+   (void)cte->validate_close(cte);
+   else
+   cte->host->he = HCE_TCP_READ_TIMEOUT;
+   tcp_close(cte, cte->host->up == HOST_UP ? 0 : HOST_DOWN);
+   hce_notify_done(cte->host, cte->host->he);
return;
}
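Review bot: in the EV_TIMEOUT branch the close status is now taken from cte->host->up after `(void)cte->validate_close(cte)`, but the branch only sets cte->host->he itself in the else case; if validate_close() can return without updating both host->up and host->he (its return value is discarded here), a stale up state from the previous check decides between 0 and HOST_DOWN and hce_notify_done() reports an old he. Either document that validate_close() always sets both, or use its return value to drive `tcp_close(cte, ...)` directly instead of re-reading host->up.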



Re: PC-Engines apu2c4 install reboot loop :(

2017-01-10 Thread Reyk Floeter
On Tue, Jan 10, 2017 at 03:26:01PM -0700, Scott Seekamp wrote:
> Also, are you setting the serial port of the loader:
> 
> stty pc0 115200

You don't need this line, the tty will be switched to com0.

> stty com0 115200
> set tty com0
> 

I think this will solve the problem.

The APU2 doesn't provide a pc0 console ("vga") and it ends in this
reboot cycle when not switching to serial.

Reyk



Re: relayd[66834]: relayd: socketpair: Too many open files

2017-01-03 Thread Reyk Floeter
dmesg please

> On 03.01.2017 at 22:16, Kevin wrote:
> 
> Hey gang,
> 
> So I'm putting a new firewall in place and have run into issues with
> getting relayd to start using:
> 
> # /etc/rc.d/relayd start
> 
> When I try starting it like that inevitably I get:
> 
>relayd(failed)
> 
> checking the log files tells me:
> 
>relayd: socketpair: Too many open files
> 
> Having trolled through pages of SERPs, I can't find an answer; however, in
> the interest of science, if I do this:
> 
> # ulimit -n 512
> # /usr/sbin/relayd
> 
> it starts perfectly.
> 
> Anyone care to give me a quick strike with the clue stick, please?
> 
> Oh yah, here's my relayd.conf
> 
> # Example.com
> # 145.176.20.136
> exm_chi01="192.168.2.0"
> exm_chi02="192.168.2.1"
> 
> table{ $exm_chi01, $exm_chi02 }
> 
> #=#
> # Servers #
> #=#
> redirect "Example.com" {
>listen on 145.176.20.162 port 80 interface vio0
>pftag RELAYD-Example.com
>forward to  check tcp
> }
> 
> 
> For what it's worth, I'm using a hosts file to point example.com to my IP
> for the time being, as I can't pull the real sites down and move them 'til
> this is working.
> 
> Also of interest: pf seems to be working as advertised, as does relayd when
> it's started with the ulimit cranked up.
> 
> 
> Thanks,
> Kevin



Re: vmm use only one core but 100%

2016-12-30 Thread Reyk Floeter
> # dmesg
> OpenBSD 6.0-stable (DEV.MP) #1: Thu Dec 15 22:11:22 CET 2016

Use -current (a snapshot) or wait until 6.1 -
100% CPU was normal in 6.0's vmm busy loop.

Reyk



Re: vmm use only one core but 100%

2016-12-30 Thread Reyk Floeter
The 100% CPU has been fixed a while ago.

You should at least show a dmesg of the host.

> 
> Hi,
> 
> I run VMM and it uses only a single core, but at 100%. What am I doing wrong?
> 
> 
> my /etc/vm.conf
> #--
> sets="/var/www/htdocs/pub/OpenBSD/snapshots/amd64/"
> 
> vm "vm1.vm" {
>memory 512M
>kernel "/bsd.rd"
>disk "/vm1.img"
>interfaces 1
> }
> #--
> 
> 
> my /etc/rc.conf.local
> #--
> apmd_flags="-A"
> vmd_flags=
> #--
> 
> 
> 
> Regards,
> Krzysztof Strzeszewski



Re: bgplg httpd "ping: socket: Permission denied"

2016-12-14 Thread Reyk Floeter
On Wed, Dec 14, 2016 at 03:14:51PM +0100, Jeremie Courreges-Anglas wrote:
> Reyk Floeter <r...@openbsd.org> writes:
> 
> > On Tue, Dec 13, 2016 at 02:03:37PM -0500, Michael W. Lucas wrote:
> >> On Tue, Dec 13, 2016 at 02:21:51AM +0100, Jeremie Courreges-Anglas wrote:
> >> > "Michael W. Lucas" <mwlu...@michaelwlucas.com> writes:
> >> > 
> >> > > Hi,
> >> > 
> >> > Hi,
> >> > 
> >> > > Running the 12/12 snapshot, amd64.
> >> > >
> >> > > I'm setting up the looking glass CGI included with httpd. Requests for
> >> > > ping and traceroute fail.
> >> > >
> >> > > Per bgplg(8), I've set mode 4555 on the static binaries:
> >> > >
> >> > > ls -lai /var/www/bin/
> >> > > total 1844
> >> > > 77958 drwxr-xr-x   2 root  daemon 512 Dec 11 17:47 .
> >> > > 77956 drwxr-xr-x  15 root  daemon 512 Dec 12 15:35 ..
> >> > > 77959 -r-xr-xr-x   1 root  bin 256240 Dec  8 12:09 bgpctl
> >> > > 77978 -rwxr-xr-x   1 root  bin 273200 Dec  8 15:36 femail
> >> > > 77960 -r-sr-xr-x   2 root  bin 318320 Dec  8 12:09 ping
> >> > > 77960 -r-sr-xr-x   2 root  bin 318320 Dec  8 12:09 ping6
> >> > > 77961 -r-sr-xr-x   2 root  bin 281168 Dec  8 12:09 traceroute
> >> > > 77961 -r-sr-xr-x   2 root  bin 281168 Dec  8 12:09 traceroute6
> >> > >
> >> > > Ping and traceroute run fine as root. As an unprivileged user, though,
> >> > > I get:
> >> > >
> >> > > ./ping 8.8.8.8
> >> > > ping: socket: Permission denied
> >> > >
> >> > > $ ./traceroute 8.8.8.8
> >> > > traceroute: unable to revoke privs: Operation not permitted
> >> > >
> >> > > Any suggestions? Or have I found a bug?
> >> > 
> >> > Is the partition that holds /var/www/bin mounted "nosuid"?
> >> 
> >> (Replying mostly for the archives.)
> >> 
> >> Yes, /var is mounted nosuid.
> >> 
> >> bgplg(8) has lovely detailed instructions on how to set it up,
> >> including setting the suid bit, but don't mention that detail.
> >> 
> >
> > And, for the sake of completeness, it should mention that detail.
> 
> Agreed, Michael isn't the first one to stumble upon this.
> 
> > Does the attached wording sound right?
> 
> Looks better than the diff I had, ok jca@
> 

Thanks, I committed it with a tweak from jmc@

> > Reyk
> >
> > Index: usr.bin/bgplg/bgplg.8
> > ===
> > RCS file: /cvs/src/usr.bin/bgplg/bgplg.8,v
> > retrieving revision 1.15
> > diff -u -p -u -p -r1.15 bgplg.8
> > --- usr.bin/bgplg/bgplg.8   10 Sep 2015 15:16:44 -  1.15
> > +++ usr.bin/bgplg/bgplg.8   14 Dec 2016 13:53:14 -
> > @@ -153,6 +153,12 @@ To enable the corresponding functionalit
> >  .Xr chmod 1
> >  utility to manually set the file permission mode to 0555 or anything
> >  appropriate.
> > +Some of these executables need the set-user-ID bit;
> > +enabling them requires to mount the filesystem of
> > +.Pa /var/www
> > +without the
> > +.Ic nosuid
> > +option.
> >  .Pp
> >  .Bl -tag -width "/var/www/bin/traceroute6XX" -compact
> >  .It Pa /var/www/cgi-bin/bgplg
> >
> 
> 
> -- 
> jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE



Re: bgplg httpd "ping: socket: Permission denied"

2016-12-14 Thread Reyk Floeter
On Tue, Dec 13, 2016 at 02:03:37PM -0500, Michael W. Lucas wrote:
> On Tue, Dec 13, 2016 at 02:21:51AM +0100, Jeremie Courreges-Anglas wrote:
> > "Michael W. Lucas"  writes:
> > 
> > > Hi,
> > 
> > Hi,
> > 
> > > Running the 12/12 snapshot, amd64.
> > >
> > > I'm setting up the looking glass CGI included with httpd. Requests for
> > > ping and traceroute fail.
> > >
> > > Per bgplg(8), I've set mode 4555 on the static binaries:
> > >
> > > ls -lai /var/www/bin/
> > > total 1844
> > > 77958 drwxr-xr-x   2 root  daemon 512 Dec 11 17:47 .
> > > 77956 drwxr-xr-x  15 root  daemon 512 Dec 12 15:35 ..
> > > 77959 -r-xr-xr-x   1 root  bin 256240 Dec  8 12:09 bgpctl
> > > 77978 -rwxr-xr-x   1 root  bin 273200 Dec  8 15:36 femail
> > > 77960 -r-sr-xr-x   2 root  bin 318320 Dec  8 12:09 ping
> > > 77960 -r-sr-xr-x   2 root  bin 318320 Dec  8 12:09 ping6
> > > 77961 -r-sr-xr-x   2 root  bin 281168 Dec  8 12:09 traceroute
> > > 77961 -r-sr-xr-x   2 root  bin 281168 Dec  8 12:09 traceroute6
> > >
> > > Ping and traceroute run fine as root. As an unprivileged user, though,
> > > I get:
> > >
> > > ./ping 8.8.8.8
> > > ping: socket: Permission denied
> > >
> > > $ ./traceroute 8.8.8.8
> > > traceroute: unable to revoke privs: Operation not permitted
> > >
> > > Any suggestions? Or have I found a bug?
> > 
> > Is the partition that holds /var/www/bin mounted "nosuid"?
> 
> (Replying mostly for the archives.)
> 
> Yes, /var is mounted nosuid.
> 
> bgplg(8) has lovely detailed instructions on how to set it up,
> including setting the suid bit, but don't mention that detail.
> 

And, for the sake of completeness, it should mention that detail.

Does the attached wording sound right?

Reyk

Index: usr.bin/bgplg/bgplg.8
===
RCS file: /cvs/src/usr.bin/bgplg/bgplg.8,v
retrieving revision 1.15
diff -u -p -u -p -r1.15 bgplg.8
--- usr.bin/bgplg/bgplg.8   10 Sep 2015 15:16:44 -  1.15
+++ usr.bin/bgplg/bgplg.8   14 Dec 2016 13:53:14 -
@@ -153,6 +153,12 @@ To enable the corresponding functionalit
 .Xr chmod 1
 utility to manually set the file permission mode to 0555 or anything
 appropriate.
+Some of these executables need the set-user-ID bit;
+enabling them requires to mount the filesystem of
+.Pa /var/www
+without the
+.Ic nosuid
+option.
 .Pp
 .Bl -tag -width "/var/www/bin/traceroute6XX" -compact
 .It Pa /var/www/cgi-bin/bgplg
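Review bot: the added mdoc sentence "enabling them requires to mount the filesystem of /var/www without the nosuid option" is ungrammatical; "enabling them requires mounting the filesystem that holds /var/www without the nosuid option" reads correctly. Since the reporters in this thread hit it because /var itself is the nosuid mount, a cross-reference to fstab(5) at this point would tell the reader where the option is actually changed.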



Re: Setting MAC address of vm in vm.conf with lladdr

2016-12-05 Thread Reyk Floeter
On Sun, Dec 04, 2016 at 09:55:32AM -0600, Eric Brown wrote:
> Dear List,
> 
> I am using the current snapshot (Dec 3 as of this post), and I am trying
> to set the MAC address of a vm host in vm.conf.
> 
> However, the MAC address reported by ifconfig -a seems to change with
> each restart. The lladdr that I had typed in was from a copy/paste of a
> random assignment, so I hope that it is valid.
> 
> I know that this is still a WIP, but I thought I would ask in case I'm
> making a dumb mistake.
> 
> Thanks, 
> Eric
> 

I cannot reproduce it, it works as intended.  Are you sure that you
were looking at the MAC address on the "VM guest side" and not on the
host side, as mentioned in vm.conf(5):

 lladdr etheraddr
 Change the link layer address (MAC address) of the
 interface on the VM guest side.  If not specified, a
 randomized address will be assigned by vmd(8).

Can you try with current and run vmd in foreground "vmd -dvv", I added
a debug message that will show more details:

run_vm: initializing hardware for vm openbsd.vm
virtio_init: vm "openbsd.vm" vio0 lladdr 00:01:ba:d0:e8:db
virtio_init: vm "openbsd.vm" vio1 lladdr fe:e1:bb:d2:bc:72
run_vm: starting vcpu threads for vm openbsd.vm

As you see, my test case uses a fixed lladdr for the first interface;
ifconfig within the guest shows the same.

Reyk

> 
> -
> /etc/vm.conf:
> 
> vm "current.ericcbrown.com" {
>   memory 2048M
>   kernel "/root/vmm/current/bsd"
>   disk "/var/vmm/current/disk.img"
>   interface tap {
> lladdr fe:e1:ba:d1:77:24
> switch uplink
>   } 
> }
> 
> switch uplink {
>   add bge0
> }
> 




Re: Setting MAC address of vm in vm.conf with lladdr

2016-12-04 Thread Reyk Floeter
Hi,

you are the second person who has reported this since Friday,
I will check tomorrow if lladdr in vm.conf got broken.

The config looks OK. 

Reyk

> On 04.12.2016 at 16:55, Eric Brown wrote:
> 
> Dear List,
> 
> I am using the current snapshot (Dec 3 as of this post), and I am trying
> to set the MAC address of a vm host in vm.conf.
> 
> However, the MAC address reported by ifconfig -a seems to change with
> each restart. The lladdr that I had typed in was from a copy/paste of a
> random assignment, so I hope that it is valid.
> 
> I know that this is still a WIP, but I thought I would ask in case I'm
> making a dumb mistake.
> 
> Thanks, 
> Eric
> 
> 
> -
> /etc/vm.conf:
> 
> vm "current.ericcbrown.com" {
>  memory 2048M
>  kernel "/root/vmm/current/bsd"
>  disk "/var/vmm/current/disk.img"
>  interface tap {
>lladdr fe:e1:ba:d1:77:24
>switch uplink
>  } 
> }
> 
> switch uplink {
>  add bge0
> }



Re: IPv6 Setup not working on Hetzner server

2016-12-02 Thread Reyk Floeter
Hi,

> On 02.12.2016, at 12:55, Leo Unglaub  wrote:
>
> Hey friends,
> i have the exact same problem as Heiko had more than one year ago here
> on this mailinglist. See
> http://marc.info/?l=openbsd-misc=143231965324314=2
>
> Sadly his temporary solution does not work for me so i have to bring
> this topic up again.
>
> I have a server at the german hoster "Hetzner". The IPv4 setup works
> fine, but the IPv6 setup does not work properly. I am unable to ping6
> anything other than my gateway. The gateway is reachable over IPv6, but
> thats it. Nothing more is reachable.
>
> My subnet is 2a01:4f8:192:42d6:: / 64 and i assigned
> 2a01:4f8:192:42d6::10  to this server. The IPv6 gateway is for all
> Hetzner customers fe80::1 :::::.
>

I have a similar setup that works fine at hostway.de, see below.

>
> I configured my system as follows:
>> # cat /etc/hostname.em0
>> inet 144.76.102.204 255.255.255.224 144.76.102.223 description hetzner-uplink
>> inet6 2a01:4f8:192:42d6::10 64
>
>> # cat /etc/mygate
>> 144.76.102.193
>> fe80::1
>
>

This is a link-local address, you have to specify the interface scope id:

$ cat /etc/mygate
144.76.102.193
fe80::1%em0

Hetzner also needs to know your link-local address on em0: do they use the
fe80::921b:eff:fe8b:f34%em0 derived from the MAC (I think they do), or do
you have to configure something like fe80::2%em0 on your side?

Reyk

> This results in the following config:
>> # ifconfig em0
>> em0: flags=8843 mtu 1500
>>lladdr 90:1b:0e:8b:0f:34
>>description: hetzner-uplink
>>index 1 priority 0 llprio 3
>>groups: egress
>>media: Ethernet autoselect (1000baseT
full-duplex,master,rxpause,txpause)
>>status: active
>>inet 144.76.102.204 netmask 0xffe0 broadcast 144.76.102.223
>>inet6 fe80::921b:eff:fe8b:f34%em0 prefixlen 64 scopeid 0x1
>>inet6 2a01:4f8:192:42d6::10 prefixlen 64
>>
>
>
> But IPv6 does not work. Here are some examples:
>
>> # ping6 -c 3 google.com
>> PING6 google.com (2a00:1450:4001:80e::200e): 24 data bytes
>> ping6: sendmsg: No route to host
>> ping6: wrote google.com 32 chars, ret=-1
>> ping6: sendmsg: No route to host
>> ping6: wrote google.com 32 chars, ret=-1
>> ping6: sendmsg: No route to host
>> ping6: wrote google.com 32 chars, ret=-1
>> --- google.com ping6 statistics ---
>> 3 packets transmitted, 0 packets received, 100.0% packet loss
>
>
>> # ping6 -c 3 fe80::921b:eff:fe8b:f34%em0
>> PING6 fe80::921b:eff:fe8b:f34%em0 (fe80::921b:eff:fe8b:f34%em0): 24 data
bytes
>> 32 bytes from fe80::921b:eff:fe8b:f34%em0, icmp_seq=0 hlim=64 time=0.188
ms
>> 32 bytes from fe80::921b:eff:fe8b:f34%em0, icmp_seq=1 hlim=64 time=0.088
ms
>> 32 bytes from fe80::921b:eff:fe8b:f34%em0, icmp_seq=2 hlim=64 time=0.087
ms
>> --- fe80::921b:eff:fe8b:f34%em0 ping6 statistics ---
>> 3 packets transmitted, 3 packets received, 0.0% packet loss
>> round-trip min/avg/max/std-dev = 0.087/0.121/0.188/0.047 ms
>
>
> Here are my routes and my ndp
>
>> # ndp -an
>> Neighbor Linklayer Address  Netif ExpireS
Flags
>> 2a01:4f8:192:42d6::1090:1b:0e:8b:0f:34em0 permanent R
l
>> fe80::921b:eff:fe8b:f34%em0  90:1b:0e:8b:0f:34em0 permanent R
l
>
>
>> # route -n show -inet6
>> Routing tables
>>
>> Internet6:
>> DestinationGatewayFlags
Refs  Use   Mtu  Prio Iface
>> ::/96  ::1UGRS
00 32768 8 lo0
>> ::/104 ::1UGRS
00 32768 8 lo0
>> ::1::1UHl
14   14 32768 1 lo0
>> ::127.0.0.0/104::1UGRS
00 32768 8 lo0
>> ::224.0.0.0/100::1UGRS
00 32768 8 lo0
>> ::255.0.0.0/104::1UGRS
00 32768 8 lo0
>> :::0.0.0.0/96  ::1UGRS
00 32768 8 lo0
>> 2002::/24  ::1UGRS
00 32768 8 lo0
>> 2002:7f00::/24 ::1UGRS
00 32768 8 lo0
>> 2002:e000::/20 ::1UGRS
00 32768 8 lo0
>> 2002:ff00::/24 ::1UGRS
00 32768 8 lo0
>> 2a01:4f8:192:42d6::/64 2a01:4f8:192:42d6::10  UC
00 - 4 em0
>> 2a01:4f8:192:42d6::10  90:1b:0e:8b:0f:34  UHLl
00 - 1 em0
>> fe80::/10  ::1UGRS
02 32768 8 lo0
>> fec0::/10  ::1UGRS
00 32768 

Re: How should vmm hosts access the internet?

2016-10-13 Thread Reyk Floeter
> On 13.10.2016 at 16:18, Dimitris Papastamos wrote:
>
>> On Thu, Oct 13, 2016 at 03:43:54PM +0200, Stefan Sperling wrote:
>>> On Thu, Oct 13, 2016 at 02:23:20PM +0100, Edd Barrett wrote:
>>> Hi,
>>>
>>> Since vmm is now enabled, I thought I would have a play.
>>>
>>> So far so good, but I've not managed to get the host on the internet
>>> yet.
>>>
>>> If I set up a vmm VM on my laptop, we have on the host:
>>>
>>> * iwn0 providing internet access to the host
>>> * tap0 connected to vio0 in the guest.
>>>
>>> What is the reccommended way to give the guest internet access via iwn0?
>>>
>>> I thought I could bridge the interfaces using bridge(4), but it seems I
>>> am wrong. (I have a vague recollection that a bridge involving a
>>> wireless interface doesn't do as one might expect, but I don't recall
>>> the exact details).
>>>
>>> (I also tried routing between the two interfaces, using static addresses
>>> for tap0 and vio0, then adding a default route in the guest and a static
>>> route in the host. I was able to ping between the host and guest via
>>> tap, but I couldn't ping between subnets.)
>>>
>>> (Yep, I have net.inet.ip.forwarding=1).
>>
>> Use NAT.
>>
>> Bridging over wifi does not work (limitation of the ieee802.11 standard).
>
> Just hijacking the thread for a moment, I tried vmm yesterday in
> bridge mode with em(4).  Everything works fine except dhcp.  I cannot use
> dhclient to get an address from within the vm.  IPv6 SLAAC works though
> as well as setting IPv4 addresses manually.
>
> Any ideas?
>

Do you run dhclient on the host as well (on em0)?

It is a known problem that dhclient "steals" dhcp packets from the stack with
its bpf drop filter.

For laptop or mobile hosts, I suggest to use NAT and dhcpd on a vether0 in the
same bridge as the taps.

Reyk



Re: System monitor in base?

2016-09-03 Thread Reyk Floeter
On Fri, Sep 02, 2016 at 05:02:07PM -0700, Aioi Yuuko wrote:
> Sorry, I was vague in my original email: What I meant was, I'm aware that 
> there are ways of getting it off the command line; I'm mostly curious about 
> getting it on my desktop so it's easy to glance at. Would my best bet be 
> running a script like that in a particular xterm, and marking that xterm as 
> sticky in fvwm?On 2 Sep 2016 16:22, Raf Czlonka  wrote:
> >

$ systat vm

Reyk

> > On Fri, Sep 02, 2016 at 11:46:27PM BST, Aioi Yuuko wrote: 
> > > Hi, 
> > > 
> > > I'm trying to wean myself off external packages as much as possible. 
> > > Is there a common, accepted way of viewing, for instance, battery 
> > > life, with only included programs? 
> >
> > Hi Aioi, 
> >
> > There's the already mentioned apm(8) (i.e. -l, -m options) or you 
> > could run something like this: 
> >
> > #!/bin/sh 
> >
> > sysctl -n hw.sensors.acpiac0.indicator0 \ 
> > hw.sensors.acpibat0.watthour0 \ 
> > hw.sensors.acpibat0.watthour3 | awk 'NR == 1 { ac = $1 } 
> > NR == 2 { full = $1 } 
> > NR == 3 { remaining = $1 } 
> > END { if ( ac == "On" ) 
> > state = "charging" 
> > else 
> > state = "discharging" 
> > printf("%s %d%s %s%s\n", "Remaining battery life is", 
> > remaining/full*100, "% and it is", state, "\.") }' 
> >
> > Regards, 
> >
> > Raf 
> 




Re: How to turn off disk elevator

2016-07-13 Thread Reyk Floeter
> On 13.07.2016, at 13:07, Mike Belopuhov  wrote:
>
> On Wed, Jul 13, 2016 at 12:48 +0200, Peter N. M. Hansteen wrote:
>> On Wed, Jul 13, 2016 at 12:39:14PM +0200, Christian Rner wrote:
>>>> Hello, you should use virtio drivers for the disk in KVM.
>>>
>>> I already use virtio ;-) But there is no need for the BSD kernel to do further
>>> scheduling.
>>
>> I'm not at all sure there is a knob to twiddle here, but if there is, will you
>> realistically see any difference in performance (assuming this is about
>> shaving cycles off)?
>>
>
> Christian has a point, there's no need to involve the default block
> number oriented elevator (nscan) for devices that don't care about
> this.
>
> Unfortunately, as it stands the NOOP elevator (called FIFO in OpenBSD)
> will only be used by disks properly advertising SCSI Thin Provisioning
> support like this SSD for example:
>
> sd0 at scsibus1 targ 0 lun 0:  SCSI3 0/direct fixed naa.50025388a08facb7
> sd0: 244198MB, 512 bytes/sector, 500118192 sectors, thin
>
> The controller in question (vioblk) must fake those SCSI pages to let
> sd(4) driver query them and select FIFO scheduler.  It's not doing it
> at the moment.
>
> It's possible to change the default disk elevator to FIFO by changing
> BUFQ_DEFAULT define in /sys/sys/buf.h to BUFQ_FIFO and recompile the
> kernel.  There's no way to change it in the runtime.
>
> I would argue that instead of faking SCSI pages, it must be possible
> for the controller to hint sd(4) drivers that FIFO scheduling is
> preferred.
>


And it is not just about virtual disks, nvme(4) suffers from the same
problem:

sd0 at scsibus1 targ 0 lun 0:  SCSI4 0/direct fixed
sd0: 488386MB, 512 bytes/sector, 1000215217 sectors

This NVMe disk uses nscan because it doesn't advertise "thin".
To be fair, the driver is new and dlg@ knows about it.

Reyk



Re: can't run multiple instances of httpd, flags not visible in processes

2016-01-27 Thread Reyk Floeter
On Wed, Jan 27, 2016 at 01:49:30PM +0100, Antoine Jacoutot wrote:
> On Wed, Jan 27, 2016 at 12:30:08PM +0100, Reyk Floeter wrote:
> > On Wed, Jan 27, 2016 at 06:12:22AM -0500, Jiri B wrote:
> > > Hi,
> > > 
> > > I can't run multiple instances of httpd via rc.d as I can't distinguish
> > > between httpd instances. ps aux never show flags passed to httpd.
> > > 
> > > Could httpd be extended to show flags like sshd does it?
> > > 
> > > root 15681  0.0  0.1  1196  2308 ??  Ssp   12:08PM0:00.05 httpd: 
> > > parent (httpd)
> > > 
> > > vs
> > > 
> > > root 17247  0.0  0.1   920  1376 ??  Ss12:09PM0:00.03 
> > > /usr/sbin/sshd -f /etc/ssh/test_sshd_config
> > > 
> > > Or is there any other way to distinguish between two httpd instances?
> > > 
> > > j.
> > > 
> > 
> > Interesting point, I never thought about it.
> 
> That's not httpd specific. Most of our privilege separated daemons do that 
> and it sucks :-)
> 

Well, we "traditionally" had setproctitle("[priv]") in the parent.  I
changed the tradition to setproctitle("parent").

I have no objections to changing this in the parent (but keeping the
setproctitles in the children) to either the default (all command line
flags) or to something like setproctitle("parent, %s", conffile).
Command line flags suck and I don't think that -d or -v would be
helpful in the output, so I prefer the latter.

All rc scripts would have to be adjusted by somebody with better rc-fu.

Opinions?

Reyk



Re: can't run multiple instances of httpd, flags not visible in processes

2016-01-27 Thread Reyk Floeter
> On 27.01.2016, at 23:31, Stuart Henderson <s...@spacehopper.org> wrote:
>
> On 2016-01-27, Antoine Jacoutot <ajacou...@bsdfrog.org> wrote:
>> On Wed, Jan 27, 2016 at 12:30:08PM +0100, Reyk Floeter wrote:
>>> On Wed, Jan 27, 2016 at 06:12:22AM -0500, Jiri B wrote:
>>>> Hi,
>>>>
>>>> I can't run multiple instances of httpd via rc.d as I can't distinguish
>>>> between httpd instances. ps aux never show flags passed to httpd.
>>>>
>>>> Could httpd be extended to show flags like sshd does it?
>>>>
>>>> root 15681  0.0  0.1  1196  2308 ??  Ssp   12:08PM0:00.05 httpd: parent (httpd)
>>>>
>>>> vs
>>>>
>>>> root 17247  0.0  0.1   920  1376 ??  Ss12:09PM0:00.03 /usr/sbin/sshd -f /etc/ssh/test_sshd_config
>>>>
>>>> Or is there any other way to distinguish between two httpd instances?
>>>>
>>>> j.
>>>>
>>>
>>> Interesting point, I never thought about it.
>>
>> That's not httpd specific. Most of our privilege separated daemons do that and it sucks :-)
>
> This does the trick. It probably doesn't make sense to run multiple
> copies of all of the privsep daemons though I see definite use cases
> for httpd, snmpd [v4 and v6 need separate daemons], and possibly some
> others, but it would be better to keep them all in-sync..
>

Fine, this is what I suggested as the first option.

But let's do it everywhere and not just for httpd -
don't use setproctitle in the parent process.

It does make sense for many more privsep daemons, especially in combination
with rdomains (ntpd, iked, …). bgpd would probably not need it, but it does
not harm and I'd prefer to change it for consistency (please don't forget
that we try to keep the daemons synced somehow - it's an ecosystem).

Reyk

> Index: etc/rc.d/httpd
> ===
> RCS file: /cvs/src/etc/rc.d/httpd,v
> retrieving revision 1.3
> diff -u -p -r1.3 httpd
> --- etc/rc.d/httpd22 Jul 2014 17:37:16 -  1.3
> +++ etc/rc.d/httpd27 Jan 2016 22:22:11 -
> @@ -6,6 +6,4 @@ daemon="/usr/sbin/httpd"
>
> . /etc/rc.d/rc.subr
>
> -pexp="httpd: parent.*"
> -
> rc_cmd $1
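Review bot: removing `pexp="httpd: parent.*"` only works together with the httpd.c hunk below; the `httpd: parent` title is exactly what this pattern existed to match, so if this file goes in alone, `rc_cmd $1` will no longer be able to check or stop a daemon that still retitles its parent. Commit both files in one step, and since the thread wants the same treatment for every privsep daemon, change the other rc.d scripts that carry a `parent`-title `pexp` in the same sweep so that rc.d and the daemons stay in sync.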
> Index: usr.sbin/httpd/httpd.c
> ===
> RCS file: /cvs/src/usr.sbin/httpd/httpd.c,v
> retrieving revision 1.53
> diff -u -p -r1.53 httpd.c
> --- usr.sbin/httpd/httpd.c3 Dec 2015 11:46:25 -   1.53
> +++ usr.sbin/httpd/httpd.c27 Jan 2016 22:22:11 -
> @@ -248,7 +248,6 @@ main(int argc, char *argv[])
>
>   proc_init(ps, procs, nitems(procs));
>
> - setproctitle("parent");
>   log_procinit("parent");
>
>   if (pledge("stdio rpath wpath cpath inet dns proc ioctl sendfd",
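Review bot: with `setproctitle("parent")` gone, `ps` lists the parent under its original command line, including the `-f` flag the report asked for, but every consumer of the `httpd: parent` title has to move at the same time: the rc.d `pexp` removed above is one, local monitoring or pkill habits are another. `log_procinit("parent")` stays, so log prefixes are unchanged. A sentence in the commit message (or httpd(8)) saying that the parent is now listed under its full command line would save the next person from searching for the old title.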

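As an added illustration of the point of this thread (not code from the thread, from httpd or from OpenBSD's rc.subr), the following sh script runs an rc.d-style process pattern over constructed ps(1) lines. With the parent retitled to `httpd: parent`, two instances are indistinguishable; once the argv is visible again, a per-instance pattern matches exactly one process, and the old `httpd: parent.*` pattern matches nothing, which is why the rc.d and httpd.c changes have to land together. `count_pexp` and `default_pexp` are hypothetical helpers, and the claim that rc.subr builds its default pattern from the daemon path plus flags is an assumption stated in the comments.

```shell
#!/bin/sh
# Constructed ps(1) output (not from the thread).  "Before": both httpd
# parents retitled themselves with setproctitle(3), so their command lines
# are identical.  "After": the parent keeps its argv, so the -f flag shows.
PS_BEFORE='15681 ??  Ssp  httpd: parent (httpd)
15690 ??  Ssp  httpd: parent (httpd)
17247 ??  Ss   /usr/sbin/sshd -f /etc/ssh/test_sshd_config'

PS_AFTER='15681 ??  Ssp  /usr/sbin/httpd -f /etc/httpd.conf
15690 ??  Ssp  /usr/sbin/httpd -f /etc/httpd-admin.conf
17247 ??  Ss   /usr/sbin/sshd -f /etc/ssh/test_sshd_config'

# Count the processes whose full command line matches an rc.d-style pexp
# (anchored extended regex), the way a "pgrep -xf" based check would.
# Usage: count_pexp 'regex' "$ps_output"  -> prints the count
count_pexp() {
	printf '%s\n' "$2" | awk -v re="$1" '
		{
			cmd = $4
			for (i = 5; i <= NF; i++)
				cmd = cmd " " $i
			if (cmd ~ ("^" re "$"))
				n++
		}
		END { print n + 0 }'
}

# Pattern a script gets when it sets no pexp of its own: daemon path plus
# flags (assumption: this mirrors how rc.subr builds its default pattern).
# Usage: default_pexp /path/to/daemon 'flags'
default_pexp() {
	if [ -n "$2" ]; then
		printf '%s %s\n' "$1" "$2"
	else
		printf '%s\n' "$1"
	fi
}

# Demonstration: the title-based pattern cannot tell two instances apart,
# and stops matching once the title is gone; a pattern built from the
# visible argv selects exactly one instance.
echo "before, 'httpd: parent.*' matches: $(count_pexp 'httpd: parent.*' "$PS_BEFORE")"
echo "after,  'httpd: parent.*' matches: $(count_pexp 'httpd: parent.*' "$PS_AFTER")"
echo "after,  admin instance matches:    $(count_pexp "$(default_pexp /usr/sbin/httpd '-f /etc/httpd-admin.conf')" "$PS_AFTER")"
```

The `awk` program rebuilds the command line from the fourth field onwards because the constructed lines carry three leading columns; real `ps` output has more, so a script using this on a live system would adjust the starting field or use `pgrep -xf` directly.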


Re: can't run multiple instances of httpd, flags not visible in processes

2016-01-27 Thread Reyk Floeter
On Wed, Jan 27, 2016 at 06:12:22AM -0500, Jiri B wrote:
> Hi,
> 
> I can't run multiple instances of httpd via rc.d as I can't distinguish
> between httpd instances. ps aux never show flags passed to httpd.
> 
> Could httpd be extended to show flags like sshd does it?
> 
> root 15681  0.0  0.1  1196  2308 ??  Ssp   12:08PM 0:00.05 httpd: parent (httpd)
> 
> vs
> 
> root 17247  0.0  0.1   920  1376 ??  Ss    12:09PM 0:00.03 /usr/sbin/sshd -f /etc/ssh/test_sshd_config
> 
> Or is there any other way to distinguish between two httpd instances?
> 
> j.
> 

Interesting point, I never thought about it.

Reyk



Re: Building AMI for AWS EC2

2016-01-21 Thread Reyk Floeter
On Thu, Jan 21, 2016 at 07:36:01AM +0100, Antoine Jacoutot wrote:
> > There are a couple public AMIs available, but I'm curious as to how they are
> > built. It'd be pretty cool to be able to build a given snapshot into an AMI,
> > rather than be dependent on whomever is creating the public ones.
> > 
> > If the builder of the public AMIs is reading this, I'd love to hear what
> > your process is.
> 

I started putting out some experimental AMIs on EC2, I usually copy
them to the following zones: eu-central-1, eu-west-1, us-west-2 and
ap-northeast-1.  So the public images are probably from me - they
aren't official and I didn't publish the ami IDs, so there is no way
to verify it yet.

These images are not meant to replace your own images - but they can
help to test, play and to get started.

> You can play with this if you're brave:
> https://github.com/ajacoutot/aws-openbsd
> 
> It's kind of ugly but should do the job. Once vmm is in GENERIC, I'll script 
> something around it instead.
> 

I'm using Antoine's aws-openbsd/create-ami.sh script to upload my
images with -i.  But I manually create them in vmm because I prefer
images that have been created with the standard installer (see below).

That's my process of creating the images:

- I boot bsd.rd with install59.fs in vmm and install the latest
OpenBSD/amd64 snapshot in a 1G disk image.

- For the images, I use all the default installer options, auto-layout
etc.  These images are for experimenting with OpenBSD on EC2, so there
is no need for any manual "cloud tweaks" (and, after all, I wouldn't
expect custom changes in an image that calls itself openbsd).

- I install a custom -current kernel that has xen/xnf enabled and
sometimes extra things that help mikeb@'s development (debug
messages, upcoming fixes etc.).  Now that it is enabled by default, I
could just switch to snapshot kernel as well, but we're still trying
to figure out why it doesn't work on the biggest machines (such as
m4.10xlarge with 40CPU and 160GB RAM - xnf cannot transmit there).

- I mount the image, add ec2-init.sh and configure /etc/hostname.xnf0.

- I upload the new image with create-ami.sh -i openbsd-amd64-mmDDHHMM

- I mark it as public and copy it to a few regions (with aws ec2 copy-image).

Amazon gave me a generous amount of EC2 credits for development and/or
evaluation (thanks!) and I hope that they will last a while as
constantly uploading new images already exceeded my free tier limits.
But my company is also willing to support this and to continue
providing irregular snapshot images.

Reyk



Re: Building AMI for AWS EC2

2016-01-21 Thread Reyk Floeter
On Wed, Jan 20, 2016 at 08:56:25PM -0800, Jonathon Sisson wrote:
> On Wed, Jan 20, 2016 at 02:51:21PM -0800, Simon McFarlane wrote:
> > Hi all,
> > 
> > Now that the Xen guest stuff is getting some love, I think it would be fun
> > to toy around with OpenBSD on EC2 (particularly because of EBS -- other VPS
> > providers like the old standby ARP Networks don't allow you to attach
> > copious amounts of storage to a low-spec system).
> > 
> > There are a couple public AMIs available, but I'm curious as to how they are
> > built. It'd be pretty cool to be able to build a given snapshot into an AMI,
> > rather than be dependent on whomever is creating the public ones.
> > 
> > If the builder of the public AMIs is reading this, I'd love to hear what
> > your process is.
> > 
> > Thanks,
> > Simon
> > 
> I have a relatively simple process involving the use of vmimport.
> 
> Basically, build out the VM how you want (I used VirtualBox, but YMMV),
> then ran something like ec2-import-volume to bring the VHD into AWS.
> Once that was complete, I booted up an Amazon Linux instance, stopped it,
> detached the root volume, attached the OpenBSD volume as /dev/xvda, then
> booted up into OpenBSD.  Afterwards, create an AMI of your work.
> 
> Also note that OpenBSD won't recognize EBS volumes attached as anything
> other than xvd*.  I haven't bothered looking into why.
> 

We don't have a Xen driver for the blkfront disks yet, and we only
support the emulated IDE controller.  Nobody has started working on it
yet.  The Xen HVPVM layer and the netfront (xnf) driver were necessary
to bootstrap OpenBSD in EC2, the blkfront driver is optional but
needed to mount additional volumes.

Reyk



Re: vmm(4) status?

2016-01-20 Thread Reyk Floeter
On Wed, Jan 20, 2016 at 05:44:36PM +0100, Christian Weisgerber wrote:
> I was wondering about the status of OpenBSD's vmm(4) hypervisor.
> Is it ready for some limited use, say, testing a port in an i386
> VM on an amd64 host?
> 
> (TL;DR: nope.)
> 
> There's little information, so I decided to give it a try after
> reading the various vmm(4), vm.conf(5), vmd(8), vmctl(8), virtio(4),
> etc. man pages.
> 
> First, you need to build a kernel with vmm(4).  It is not enabled
> in GENERIC yet.  You also need an up-to-date /dev since vmd opens
> /dev/vmm and /dev/tap0.
> 
> Next: Start vmd, create a disk image (can you use a raw partition
> instead?), spin up a VM with an amd64 bsd.rd kernel I had at hand.
> 
> # /etc/rc.d/vmd -f start
> # vmctl create /home/bardioc.img -s 4G
> # vmctl start -c -k /bsd.rd -m 1G -d /home/bardioc.img -i 1
> 
> Something's happening!  There's a copyright message.  And that's
> it...  I was about to give up when the bsd.rd kernel continued,
> successfully booted, and allowed to drop me into a (S)hell.
> 
> Observation: vmd completely hogs one CPU core even if the guest
> isn't doing anything.
> 
> Next step: networking.  As expected, a vio0 interface showed up
> inside the VM, but the man pages don't explain how to connect this
> to the outside.  Since I had noticed that vmd opens tap0, I created
> a bridge on the host and added tap0 and a real interface.  I don't
> know if that's the intended way, but after manually configuring an
> IP address on vio0, I could ping other machines from the guest. \o/
> 
> ping also showed that time was running three times slower in the
> VM than on the outside.  Uh-oh.
> 
> I deleted the inet configuration from vio0 and started the installer.
> I got as far as the network configuration, when the guest kernel
> died with an UVM error--and my patience along with it.
> 
> So, yeah, interesting but not useful yet.
> 

It is not enabled in GENERIC, so obviously not ready yet :)

The CPU usage, time and networking issues are known and should go away
after mlarkin@ has finished implementing proper interrupt handling.

On the userland side, the networking configuration will be changed to
a slightly different approach, but I kind of suspended this until the
previous issue is solved.

But, in fact, I already use vmm for some things, like installing
images that I upload to EC2 :) So it is partially useful, at least for
me.

Thanks for feedback & testing!

Reyk



Re: OpenBSD on GitHub

2015-12-12 Thread Reyk Floeter
On Sun, Aug 05, 2012 at 05:35:47PM -0400, Kenneth R Westerback wrote:
> On Sun, Aug 05, 2012 at 03:00:04PM -0400, Ted Unangst wrote:
> > On Sun, Aug 05, 2012 at 10:46, Darrin Chandler wrote:
> > > On Sat, Aug 04, 2012 at 07:05:38PM +0200, Marc Espie wrote:
> > >> Well, git just has a different set of bugs than cvs.
> > > ...
> > >> I would deem cvs MORE painful than git on average, it's just that
> > >> we're more accustomed to the pain...
> > > 
> > > Yes, this is right. And also there would be a price to pay in lost
> > > productivity in switching to a new system. To those very familiar with
> > > CVS and not very familiar with Git (or hg, et al), the benefits of
> > > switching are nebulous and uncertain, while the cost is very real.
> > 
> > I will add a somewhat controversial viewpoint to the mix.  Because cvs
> > makes working with branches and large diffs so painful, it forces
> > developers to split their work into smaller pieces.  In OpenBSD,
> > that's a good thing.  Keeping your changes in a private fork is
> > difficult, which is good.  It means fewer private forks.  If every
> > developer could maintain a branch with some private tweaks, and not
> > bother integrating their changes or fixing regressions, progress would
> > grind to a halt.  [I have mentioned this to people before and their
> > eyes just about popped out of their head.  I don't expect
> > everyone to agree.]
> 
> ++1 here. My only experience with a project that moved from cvs to
> git was that a) the number of branches exploded and b) the number
> of repositories containing branches exploded and were erratically
> interconnected.
> 
> This resulted in many rotting branches, many private playgrounds
> and far less incentive to move forward together. I particularly
> enjoyed messages containing lists of random hex numbers that one
> should revert, merge with or sacrifice chickens over if one could
> only find the appropriate repository.
> 

I can share that we had the same experience when we started to use git
at work: exploded and rotting branches, playgrounds, and all these
troubles with git-isms and endless ways to do the same thing. 
 
But, quite frankly, it is a sign that
a) the release maintenance sucks.
b) the willingness and experience to master git is missing.

After more than two years, we got used to git, established stricter
rules, and I think we got rid of these problems plus having some of
the benefits and reliefs over CVS (see espie's mail for a few
examples).

Most importantly, unused branches have to be deleted from the server,
people have to work and develop in "master", and arbitrary experiments
do not belong on the shared remote, unless they are important or
interesting for others.  If people do not test their changes in master,
they will keep on breaking the tree and you'll have to deal with them
personally (I think that is the "social" part of the model).

After all, git is not github.  The latter is the same old bazaar-like
model where everyone does something somewhere and it eventually turns
into releases, excluding quality.  You do not have to use git like
that, but it is a learning curve for people who only knew github.
You can use git in a more traditional, centralized and self-hosted way.

> OK, one experience but it left an indelible impression. :-)
> 
> I think git gives you a lot of rope.

It does.

I'm fine with using CVS in OpenBSD.

Reyk



Re: bridge fails to broadcast ARP from gif tunnel

2015-12-01 Thread Reyk Floeter
On Tue, Dec 01, 2015 at 10:07:12AM +0100, Kazuya GODA wrote:
> Hi,
> 
> It seems the bridge doesn't forward broadcast/multicast frames from gif.
> This patch will fix this problem, so would you try it?
> 
> Thanks,
> 
> - Goda
> 

that matches the behaviour of -r1.239 before the enqueue changes.

OK reyk@

> Index: net/if_bridge.c
> ===
> RCS file: /cvs/src/sys/net/if_bridge.c,v
> retrieving revision 1.270
> diff -u -p -r1.270 if_bridge.c
> --- net/if_bridge.c   7 Nov 2015 12:42:19 -   1.270
> +++ net/if_bridge.c   1 Dec 2015 08:44:42 -
> @@ -1337,18 +1337,21 @@ bridge_process(struct ifnet *ifp, struct
>   if (mc == NULL)
>   goto reenqueue;
> 
> - bridge_ifinput(ifp, mc);
>  #if NGIF > 0
>   if (ifp->if_type == IFT_GIF) {
>   TAILQ_FOREACH(ifl, >sc_iflist, next) {
>   if (ifl->ifp->if_type != IFT_ETHER)
>   continue;
> 
> - bridge_ifinput(ifl->ifp, m);
> - return;
> + bridge_ifinput(ifl->ifp, mc);
> + break;
>   }
> - }
> + if (!ifl)
> + m_freem(mc);
> + } else
>  #endif /* NGIF */
> + bridge_ifinput(ifp, mc);
> + 
>   bridgeintr_frame(sc, ifp, m);
>   return;
>   }
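Review bot: the `if (!ifl)` test after the loop relies on TAILQ_FOREACH leaving `ifl` NULL when no Ethernet member is found, which is correct, but style(9) prefers the explicit `if (ifl == NULL)`; and splitting `} else` from its statement `bridge_ifinput(ifp, mc);` across `#endif /* NGIF */` compiles yet is easy to misread and to break in a later edit, so a brace pair around the else body would be safer. The logic change itself is right: the old code handed `m` (not the copy `mc`) to the first Ethernet member and returned before `bridgeintr_frame()`, so a broadcast frame arriving over gif was consumed there and never forwarded; now `mc` goes to one Ethernet member (or is freed if there is none) and `m` still reaches `bridgeintr_frame(sc, ifp, m)`.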
> 
> 
> 
> 
> On 2015/11/28 15:33, Rolf Sommerhalder wrote:
> >Using the simple Layer-2 bridge setup below, an ICMP Ping 172.17.1.5
> >from HostA does not get to HostB while using EtherIP encapsulation with
> >gif(4) at its tunnel end points.
> >
> >The Ping's initial Ethernet broadcasts with the ARP Requests make it
> >through the gif tunnel to BridgeB, to both its bridge0 and vio2
> >interfaces (check with tcpdump, tshark).
> >
> >However, vio2 never re-broadcasts those ARP Requests on the wire to
> >HostB!? E.g. the physical egress interface vio2, which is member of a
> >bridge(4) on BridgeB, receives the ARP Requests, but it fails
> >re-broadcast them to HostB so that Host could answer with ARP Reponses.
> >
> >Also, BridgeB does not learn the source MAC from HostA (and of course it
> >can not learn the MAC of HostB, because ARP Requests never get there).
> >
> >However, pinging the (numbered) vio2 on BridgeB succeeds (Ping
> >172.17.1.2 from HostA), e.g. the gif tunnel is OK.
> >
> >Also, HostA can ping HostB after removal of the gif tunnel, e.g. after
> >deleting gif0 from bridge0 on both BridgeA and BridgeB, and adding vio1
> >to them instead.
> >
> >Testing conditions:
> >- default installs of OpenBSD i386 snapshot from yesterday
> >- pf is disabled
> >- no L2 filter rules on the bridge member interfaces
> >- set sysctl net.inet.etherip.allow=1 to enable EtherIP on gif()
> >- the observation is the same on both VirtualBox with vio() interfaces,
> >as well as on a real hardware with APU2 that have em() interfaces.
> >
> >Currently, experimenting with pf enabled on BridgeB, I found that ARP
> >Requests apparently do not generate state with a very basic rule-set,
> >such as 'pass log all'.
> >
> >What did I miss?  Or, is there "just a bug" in the gif/bridge combo that
> >is haunting me?
> >Would it be worthwhile to try with -stable or an older version of
> >OpenBSD?  Years ago, I had such a setup working with 4.3, and I can make
> >configuration files available (although they are very minimal, mostly
> >running default install) ...
> >
> >Thanks for any hints and suggestions!
> >Rolf
> >
> >
> >*HostA*
> >vio1 172.16.0.5/22
> >  |
> >  v
> >vio2 172.16.0.2/22
> >*BridgeA*
> >bridge0 add vio2 add gif0
> >gif0 tunnel 10.10.1.2 10.10.1.3
> >vio1 10.10.1.2/24
> >  |
> >  v
> >vio1 10.10.1.3/24
> >gif0 tunnel 10.10.1.3 10.10.1.2
> >bridge0 add vio2 add gif0
> >*BridgeB*
> >vio2 172.16.1.2/22
> >  |
> >  v
> >vio1 172.16.1.5/22
> >*HostB*
> 

-- 



Re: OpenBSD 5.8 on VMware 5.5

2015-12-01 Thread Reyk Floeter
Hi,

On Tue, Dec 01, 2015 at 01:50:57PM -0200, Felipe Gomes wrote:
> I've been trying to search for more information on OpenBSD as a VMWare
> guest, but I wasn't able to find much... and the information is pretty much
> outdated.
> 
> What are the recommendations for OpenBSD 5.8 (amd64) as a guest on VMware
> 5.5?
> 
> Guest Operating System: should I pick "Other (64bit)" or FreeBSD?
> 

I usually pick FreeBSD 64 bit.  It doesn't make a big difference, as
there aren't any defaults that fit OpenBSD.  VMware never dares to add
OpenBSD, and we are not using their drivers but reimplementations.

> How does OpenBSD work with "virtual sockets" and "cores per virtual socket"?
> 

?  I think OpenBSD doesn't care.  GENERIC.MP will show you numbered
cpus, no matter if they are cores or sockets.  

> What is the best NIC? E1000, E1000E, VMXNET2 ENHANCED or VMXNET3?
> 

Name    - OpenBSD driver:

e1000*  - em(4)  (supports VLANs, but is kind of slow)
vmxnet2 - vic(4) (older NIC, no VLANs)
vmxnet3 - vmx(4) (emulates 10GbaseT, supports VLANs)

Use vmxnet3.

> What is the recommended SCSI Controller? LSI Logic Parallel, LSI Logic SAS
> or VMware Paravirtual?
> 

LSI Logic SAS      - mpi(4)
VMware Paravirtual - vmwpvs(4)

Use LSI Logic SAS.  The VMware Paravirtual has bugs that might corrupt
your data (seen with fsck).

> I'd believe that all of these options work... I just don't know which is
> more stable or perform better.
> 

You will also have vmt(4) for limited VMware tools support.

> Any other tips on fine tuning or special settings?
> 

Tuning?  No, everything should work by default and is enabled in GENERIC[.MP]

> I'm planning on migrating a few Soekris boxes to virtual machines. Is this
> reliable? Is anyone running production OpenBSD servers on VMware?
> 

Many of them.

Reyk



Re: TLS intercepting proxy [MitM]

2015-11-24 Thread Reyk Floeter
On Tue, Nov 24, 2015 at 01:05:34AM +0100, Stefan Wollny wrote:
> Am 11/23/15 um 23:41 schrieb Lampshade:
> >Hello,
> >I would like to use privoxy to scrub/delete
> >some information in the application layer (HTTP) going out from my PC.
> >Problem is that a lot of connections are secured with TLS, so privoxy can 
> >not filter them.
> >Is there any way to do something like that:
> >Firefox -> decrypt [MitM] -> privoxy -> encrypt securely  -(NIC)-> Internet?
> >It is my PC, so I can install new certificate or something like that,
> >but nevertheless I don't know how to achieve that result.
> >Is this possible using relayd?
> >Is it possible with another tool in ports or something that I can compile from 
> >source?
> >
> It is about 2 years old but should give you a starting point:
> http://www.reykfloeter.com/post/41814177050/relayd-ssl-interception
> 

"There are some known limitations:" ... I didn't know about vendors
and their own CAs with pre-installed private keys at this point.
This makes it useable for everyone!

When superfish was found, I published the following gist:

https://gist.github.com/reyk/4b42858d1eab3825f9bc

Something similar should work with #eDellRoot as well.

Reyk



Re: Bridge and blocknonip

2015-11-21 Thread Reyk Floeter
On Sat, Nov 21, 2015 at 04:22:51PM +0100, Momtchil Momtchev wrote:
> Hello,
> 
> Sorry for what may appear to be a strange question, but shouldn't there
> be a check against IFBIF_BLOCKNONIP in bridge_output() in
> sys/net/if_bridge.c?
> 

Why?  bridge_output() is used for packets that are sent from local
interfaces.  I think you should be aware if you're running any non-IP
service on your OpenBSD machine.

I think your change would also break bridge_send_icmp_err() with
IFBIF_BLOCKNONIP, which is used by bridge_ipsec() and
bridge_fragment(). blocknonip and tunnels are not uncommon.

btw., what OpenBSD version is this diff for?  This is not -current.

Reyk

> Something like this :
> 
> --- if_bridge.c.origTue Jul 21 00:54:29 2015
> +++ if_bridge.c Sat Nov 21 16:05:12 2015
> @@ -1051,6 +1051,10 @@
> (m->m_flags & (M_BCAST | M_MCAST)) == 0)
> continue;
> 
> +   if (p->bif_flags & IFBIF_BLOCKNONIP &&
> bridge_blocknonip(eh, m)) {
> +   continue;
> +   }
> +
> if (IF_QFULL(_if->if_snd)) {
> IF_DROP(_if->if_snd);
> sc->sc_if.if_oerrors++;
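Review bot: as the reply above explains, this check in bridge_output() would also hit bridge_send_icmp_err(), which bridge_ipsec() and bridge_fragment() rely on, so the diff breaks blocknonip on tunnel setups; if a check is wanted here at all, the output paths that must stay exempt need to be handled explicitly and the reason documented. Two style points for a resend: parenthesize the bitwise test, `if ((p->bif_flags & IFBIF_BLOCKNONIP) && bridge_blocknonip(eh, m))`, and drop the braces around the single `continue;`. The hunk header also carries no function name and, as noted above, the diff is not against -current.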
> 

-- 



Re: Iked, ca_getreq: no valid local certificate found

2015-11-05 Thread Reyk Floeter
Copy ikeca.cnf from the ipsecctl source tree to /etc/ssl/ and retry.

http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.sbin/ikectl/ikeca.cnf

The openssl.cnf version broke and we somehow didn't install ikeca.cnf by
default.

Reyk

> On 05.11.2015, at 08:28, Toyam Cox  wrote:
>
> Ho misc@,
>
> I have been (loosely) following the guide at
> http://puffysecurity.com/wiki/openikedoffshore.html and have run into
> a roadblock.
>
> I have packets going between my two hosts on different networks, the
> configuration files on both are good, and both have the ca installed.
>
> However on my remote host, I get (ips and hostnames redacted):
> Nov  5 01:38:14 hostname iked[7047]: ikev2_msg_send: IKE_SA_INIT
> request from $local_wan:500 to $remote.168:500 msgid 0, 534 bytes
> Nov  5 01:38:14 hostname iked[7047]: ikev2_recv: IKE_SA_INIT response
> from responder $remote8:500 to $local:500 policy 'policy1' id 0, 471
> bytes
> Nov  5 01:38:14 hostname iked[12679]: ca_getreq: no valid local
> certificate found
>
> This is coupled with, as I create the ca key...
> # ikectl ca vpn1 create
> CA passphrase:
> Retype CA passphrase:
> [stuff-happens-and-inputs]
> Getting Private key
> Using configuration from /etc/ssl/openssl.cnf
> variable lookup failed for ca::default_ca
> 24387713617796:error:0E06D06C:configuration file
> routines:NCONF_get_string:no
> value:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/conf/conf_lib.c:323:group=ca
> name=default_ca
>
> I've checked the mail logs for misc@ and found a person in August with
> this problem, http://marc.info/?l=openbsd-misc&m=133675466519976&w=2
>
> Unfortunately, editing /etc/ssl/x509v3.cnf didn't work for me.
> Variable lookup still failed.
>
> Thank you for any help.



Re: Ntpd(8) in current: server (IP numerical) not used

2015-10-31 Thread Reyk Floeter
I tested and verified your fix, thanks!

OK reyk@

On Sat, Oct 31, 2015 at 02:00:08PM +0100, Christian Weisgerber wrote:
> Gerald Hanuer:
> 
> >  Ntpd(8)  in current: server ("IP numerical") not being used, FQDN works.
> > 
> >  ### Works as expected.
> >  server time1.google.com
> > 
> >  ### This does not. ( Numerical of above )
> >  server 216.239.32.15
> 
> I can confirm this.  The bug was introduced with this commit:
> 
> 
> CVSROOT:/cvs
> Module name:src
> Changes by: phess...@cvs.openbsd.org2015/10/23 08:52:20
> 
> Modified files:
> usr.sbin/ntpd  : client.c control.c ntp.c ntpd.conf.5 ntpd.h 
>  parse.y 
> 
> Log message:
> Allowing upstream servers of ntp being in multiple routing tables is
> non-sensical.  The dns lookups happened in the process routing table
> (usually '0'), which is very likely to have different results from the
> other routing domains.  If you do depend on having this behaviour,
> you'll need to use pf to cross the rtable boundary.
> 
> "listen on * rtable X" is still supported.
> 
> Users of "server * rtable X" will need to switch to launching ntpd with
> "route -T X exec /usr/sbin/ntpd"
> 
> OK deraadt@
> 
> 
> Reverting these additional parts that were introduced with the
> original rtable commit fixes it:
> 
> Index: parse.y
> ===
> RCS file: /cvs/src/usr.sbin/ntpd/parse.y,v
> retrieving revision 1.64
> diff -u -p -r1.64 parse.y
> --- parse.y   23 Oct 2015 14:52:20 -  1.64
> +++ parse.y   31 Oct 2015 12:49:44 -
> @@ -161,9 +161,7 @@ main  : LISTEN ON address listen_opts {
>   fatal(NULL);
>   if (p->addr != NULL)
>   p->state = STATE_DNS_DONE;
> - if (!(p->addr))
> - TAILQ_INSERT_TAIL(>ntp_peers,
> - p, entry);
> + TAILQ_INSERT_TAIL(>ntp_peers, p, entry);
>   h = next;
>   } while (h != NULL);
>  
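Review bot: the removed `if (!(p->addr))` guard skipped `TAILQ_INSERT_TAIL` exactly for peers given as numeric addresses, the case the two lines above mark as `STATE_DNS_DONE`, so a numeric `server` was parsed, marked as resolved and then never added to `ntp_peers`; the unconditional insert restores the behaviour the report describes. A regress case with a numeric server address would keep this from silently coming back.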
> @@ -199,8 +197,7 @@ main  : LISTEN ON address listen_opts {
>   fatal(NULL);
>   if (p->addr != NULL)
>   p->state = STATE_DNS_DONE;
> - if (!(p->addr))
> - TAILQ_INSERT_TAIL(>ntp_peers, p, entry);
> + TAILQ_INSERT_TAIL(>ntp_peers, p, entry);
>   free($2->name);
>   free($2);
>   }
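Review bot: same fix for the second block, and after it both hunks contain the identical sequence (`p->state = STATE_DNS_DONE` when `p->addr` is set, then `TAILQ_INSERT_TAIL`); a small helper that finishes and enqueues a peer would keep the two paths from diverging again, which is how the guard slipped into one of them with the rtable change quoted above.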
> -- 
> Christian "naddy" Weisgerber  na...@mips.inka.de
> 

-- 



Re: OS X 10.11 'El Capitan' IKEv2

2015-10-03 Thread Reyk Floeter
On Sun, Aug 16, 2015 at 11:28:24PM +0300, Or Elimelech wrote:
> Hello misc,
> 
> Has anyone connected successfully between the new OS X ikev2 impl. to an 
> OpenBSD box?
> 
> Thanks in advance.
> 

I got the official update and I successfully connected from El Capitan
to OSX.  I did it without using profiles, just with the GUI in network
settings.

ON OPENBSD:

- Get -current from yesterday (small fix went in)

- Configure an IP on enc0 directly (eg. 10.2.0.2 in this case), a dns
cache, forwarding, PF etc.

- Configure iked.conf, for example:

user "user1" "password123"
ikev2 "ios9" passive esp \
    from 0.0.0.0/0 to 0.0.0.0/0 \
    local any peer any \
    childsa enc 3des \
    eap "mschap-v2" \
    config address 10.2.0.1/24 \
    config name-server 10.2.0.2 \
    tag "$name-$id"

- Yes, 3DES. As you see in your log, El Capitan currently only accepts
3DES by default.  You can probably change it with the external
security profiles program.  iOS9 uses AES-128 instead.

ON OSX:

- Use "ikectl ca" (or other CA tool) to create ca, keys and certs for
the gateway and peers.  I recommend to use FQDNs for the certs.

- Install the ca.pfx and $CERT.pfx on OSX from keychain (import
objects). Trust the CA for EAP and IPsec.

- I tested different options in OSX, user-based, "without" auth + shared
secret, "without" auth + certificate.  Certificate-based auth doesn't
work since it is two factor EAP-TLS.  User-based is EAP-MSCHAPv2.
Select the installed certificate. 

In summary, the GUI part is very easy but certificate configuration is
a bit difficult.  It's the same complexity as in Windows.  But much
better compared to earlier IPsec configurations.

Reyk



Re: httpd client certificate authentication in OpenBSD5.8

2015-08-25 Thread Reyk Floeter
 On 25.08.2015, at 15:10, Torsten tmp...@4ss.de wrote:
 
 | Will httpd in OpenBSD 5.8 support client certificates
 At least not until LibreSSL's libtls supports it.  See
 https://github.com/reyk/httpd/issues/23
 
 Thanks for the hint! For my purpose Client Cert authentication is
 mandatory and therefore I'm desperate. But now I have hope!
 
 Reyk wrote: Once libtls supports things like SNI or
 client certificates with an easy-to-use interface, we can review such
 features.
 

Yes, jsing@ showed me diffs for client certificate support in libtls
and we talked about the design of SNI in the library a few
months ago. It didn't get finished because we both got busy
with other items or simply because of $DAYJOB.

Reyk

 On the 21. August 2015, so just a couple of days ago, markokr submitted
 a patch to libressl-portable which added this feature:
 
 https://github.com/libressl-portable/openbsd/pull/41
 
 So there is hope that this will become available in the (near?) future.
 
 However, probably not in OpenBSD 5.8
 
 T.



Re: iked rsa pki configuration

2015-08-19 Thread Reyk Floeter
On Wed, Aug 19, 2015 at 03:50:47PM +0200, Sebastien Marie wrote:
 On Wed, Aug 19, 2015 at 10:33:54AM +0200, Reyk Floeter wrote:
  
  In this case, LibreSSL was Theo who unintentionally broke ikectl.
  
  I attached a diff that generates new .cnf files by expanding the
  variables in the source .cnf files and generating target .cnf files.
  It works with both, ikeca.cnf and x509v3.cnf (ignore the warnings),
  but you/we should install ikeca.cnf to /etc/ssl/ by default.
  
  There are more pending changes for ikectl (eg. from semarie@), but I'd
  like to fix this first.
 
 for new code at least, you should check snprintf() return value for
 overflow. you could reuse the xsnprintf() code I sent previously if you
 want :)
 

I usually do one thing at a time.  Yes, snprintf() doesn't check for
overflow but it is not adding any serious additional risk now - I
wanted to fix basic operation of ikectl first.

I'm not fond of adding x* functions (like xmalloc) but I agree that
the return values should be checked.  But they should be checked
everywhere - I didn't forget about your diff.  So maybe xsnprintf() is
OK in ikeca's specific case.

Could you update and resend your ikectl diffs?

 and some others notes inline.
 
  Index: ikeca.c
  ===
  RCS file: /cvs/src/usr.sbin/ikectl/ikeca.c,v
  retrieving revision 1.32
  diff -u -p -u -p -r1.32 ikeca.c
  --- ikeca.c 15 Aug 2015 04:47:28 -  1.32
  +++ ikeca.c 19 Aug 2015 08:12:39 -
 
 [...]
 
  @@ -489,6 +527,46 @@ fcopy(char *src, char *dst, mode_t mode)
   }
   
   int
  +fcopy_env(const char *src, const char *dst, mode_t mode)
  +{
 
 returning int isn't useful: all errors are fatal and you always return 0
 value (which is also unused by caller).
 

Same here, I saw the useless return values in ikeca.c and just adopted
the style.  It might sound crazy, but it is actually an invitation to
change it everywhere in a separate step (incl. fcopy()).

  +   int  ofd = -1, i;
  +   u_int8_t buf[BUFSIZ];
  +   ssize_t  r = -1, len;
  +   FILE*ifp = NULL;
  +   int  saved_errno;
  +
  +   if ((ifp = fopen(src, r)) == NULL)
  +   err(1, fopen %s, src);
  +
  +   if ((ofd = open(dst, O_WRONLY|O_CREAT|O_TRUNC, mode)) == -1)
  +   goto done;
  +
  +   while (fgets(buf, sizeof(buf), ifp) != 0) {
  +   for (i = 0; ca_env[i][0] != NULL; i++) {
  +   if (ca_env[i][1] == NULL)
  +   continue;
  +   expand_string(buf, sizeof(buf),
  +   ca_env[i][0], ca_env[i][1]);
  +   }

btw., the expand_string() return value is checked in the committed diff.

 
 something could go wrong here if fgets() partially read a normally expanded 
 name:
 
 for example: file with `$ENV::CADB' inside
 
 one read:
   buf = ...$ENV::C
   expand don't found `$ENV::CADB'
 
 next read
   buf = ADB...
 
 `$ENV::CADB' wouldn't be expanded
 

But how likely or valid is it that fgets() will return an incomplete
line from a .cnf file?  It must be BUFSIZ or a read from weird I/O
(maybe fuse or NFS) but fgets() would return NULL on I/O errors.

To be safe, I could a) check for feof() and ferror() and b) test if
the returned line includes a newline.  Growing a buffer from multiple
lines doesn't seem to be necessary.

Reyk

  +   len = strlen(buf);
  +   if (write(ofd, buf, len) != len)
  +   goto done;
  +   }
  +
  +   r = 0;
  +
  + done:
  +   saved_errno = errno;
  +   close(ofd);
  +   if (ifp != NULL)
  +   fclose(ifp);
  +   if (r == -1)
  +   errc(1, saved_errno, open %s, dst);
  +
  +   return (0);
  +}
  +
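Review bot: `errc(1, saved_errno, "open %s", dst)` is reached from both the failed `open()` and the `goto done` after `write(ofd, buf, len) != len`, so a write error (or a short write, where errno may not even be set) is reported as a failure to open `dst`; record which call failed, or give the write path its own message. On the line-splitting concern raised above: `fgets()` returns a line without a trailing newline whenever the line is longer than BUFSIZ, and the substitution loop then sees a split `$ENV::NAME` token; checking that `buf` ends in `'\n'` (or accumulating until it does) plus `ferror(ifp)` after the loop closes that gap. Minor: `buf` is `u_int8_t[]` while `fgets()` and `strlen()` take `char *`, which warns about pointer signedness under -Wall.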
 
 -- 
 Sebastien Marie

-- 
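The fcopy_env() diff above and semarie's point about fgets() splitting a `$ENV::NAME` token across two reads both concern the same mechanism: expanding variables in a .cnf file from an explicit allowlist instead of the environment. The following C is an added example written for this page, not ikectl's code. It substitutes `$ENV::NAME` only for names present in a table with a non-NULL value (unknown or unset names are copied through unchanged, as in the diff's `ca_env` loop), reports truncation snprintf-style instead of writing a cut-off value, and reads lines into a growing buffer so a token is never split. The table `demo_vars` and its values are constructed, and `expand_env_line`, `read_whole_line` and the `demo_*` helpers are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical allowlist entry; a NULL value means "listed but unset". */
struct ca_var { const char *name, *value; };
/* Constructed table for this example, not ikectl's own ca_env[]. */
static const struct ca_var demo_vars[] = {
	{ "CADB", "/etc/ssl/ikeca" }, { "CERTFQDN", "gw.example.org" },
	{ "CERTIP", NULL },
};
#define NDEMO		(sizeof(demo_vars) / sizeof(demo_vars[0]))
#define PFX		"$ENV::"
#define NAMECHARS	"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"

/* Replace each "$ENV::NAME" whose NAME is in `vars` with a non-NULL value;
 * unknown or unset names are copied through unchanged.  Returns the length
 * the full expansion needs (snprintf-style); >= outlen means truncated. */
size_t expand_env_line(const char *in, char *out, size_t outlen,
    const struct ca_var *vars, size_t nvars)
{
	const char *p = in, *q = NULL, *rep;
	size_t need = 0, len = 0, i;
	while (*p != '\0') {
		rep = NULL;
		if (strncmp(p, PFX, sizeof(PFX) - 1) == 0) {
			q = p + sizeof(PFX) - 1;
			len = strspn(q, NAMECHARS);
			for (i = 0; len > 0 && i < nvars; i++)
				if (vars[i].value != NULL &&
				    strlen(vars[i].name) == len &&
				    strncmp(vars[i].name, q, len) == 0) {
					rep = vars[i].value;
					break;
				}
		}
		if (rep == NULL) {		/* literal byte */
			if (need + 1 < outlen)
				out[need] = *p;
			need++, p++;
			continue;
		}
		for (; *rep != '\0'; rep++, need++)
			if (need + 1 < outlen)
				out[need] = *rep;
		p = q + len;			/* skip "$ENV::NAME" */
	}
	if (outlen > 0)
		out[need < outlen ? need : outlen - 1] = '\0';
	return (need);
}

/* Read a whole line into a growing buffer (1 = line, 0 = EOF, -1 = error).
 * fgets() stops short on a line longer than its buffer, which is how a
 * token gets split, so keep reading until the newline or EOF arrives. */
int read_whole_line(FILE *fp, char **buf, size_t *cap)
{
	size_t used = 0, n;
	char *nb;
	for (;;) {
		if (*cap - used < BUFSIZ) {
			if ((nb = realloc(*buf, *cap + BUFSIZ)) == NULL)
				return (-1);
			*buf = nb, *cap += BUFSIZ;
		}
		if (fgets(*buf + used, (int)(*cap - used), fp) == NULL)
			return (ferror(fp) ? -1 : (used > 0 ? 1 : 0));
		n = strlen(*buf + used);
		used += n;
		if (n > 0 && (*buf)[used - 1] == '\n')
			return (1);
	}
}

/* Expand against demo_vars into an outlen-byte buffer (outlen <= 256);
 * true only when the result fits and equals `expected`. */
int demo_expand_equals(const char *in, size_t outlen, const char *expected)
{
	char out[256];
	if (outlen > sizeof(out))
		return (0);
	return (expand_env_line(in, out, outlen, demo_vars, NDEMO) < outlen &&
	    strcmp(out, expected) == 0);
}

/* A line several times longer than BUFSIZ still gets its token expanded. */
int demo_long_line_intact(void)
{
	const size_t pad = 4 * BUFSIZ;
	FILE *fp = tmpfile();
	char *line = NULL, *out = NULL;
	size_t cap = 0, i;
	int ok = 0;
	if (fp == NULL)
		return (0);
	for (i = 0; i < pad; i++)
		fputc('x', fp);
	fputs(PFX "CADB\n", fp);
	rewind(fp);
	if (read_whole_line(fp, &line, &cap) == 1 && (out = malloc(cap + 32)))
		ok = expand_env_line(line, out, cap + 32, demo_vars, NDEMO) ==
		    pad + 15 && strcmp(out + pad, "/etc/ssl/ikeca\n") == 0;
	free(out), free(line), fclose(fp);
	return (ok);
}
```

Nothing here consults the real environment: a name that is not in the table is left as the literal `$ENV::NAME`, which is the property LibreSSL's removal of `$ENV` lookups was meant to enforce, and the caller can grep the generated file for a leftover `$ENV::` to catch a variable the table forgot. `demo_long_line_intact()` exercises the split-token case semarie raised, with a line four times longer than `BUFSIZ`.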



Re: iked rsa pki configuration

2015-08-19 Thread Reyk Floeter
On Wed, Aug 19, 2015 at 02:04:47PM +1000, Jonathan Gray wrote:
 On Tue, Aug 18, 2015 at 09:22:14PM +0200, Reyk Floeter wrote:
  On Tue, Aug 18, 2015 at 02:26:29PM +, Jona Joachim wrote:
   Hi,
   I'm currently trying to setup a road warrior IKEv2 IPSEC tunnel between
   two OpenBSD boxes running a recent amd64 snapshot. The client is behind
   a NAT.
   The setup works with a PSK but I cannot make it work with RSA
   certificates. No matter what I tried, the client seems to fail
   connecting with:
   ca_getreq: no valid local certificate found
   
   I turn to the mailing list to see if anybody can point me into the right
   direction.
   
   I loosely followed the following guide:
   http://puffysecurity.com/wiki/openikedoffshore.html
   I will try to shorten the command output to make it more readable.
   
   There is an OpenSSL error during the creation of the CA concerning a
   missing element in openssl.cnf. I did not modify openssl.cnf.
   
   On the server side I did the following:
   
   # ikectl ca ikeca create 
   [...]
   Signature ok
   subject=/C=NL/CN=ikeca/emailAddress=j...@joachim.cc
   Getting Private key
   Using configuration from /etc/ssl/openssl.cnf
   variable lookup failed for ca::default_ca
   7504668282756:error:0E06D06C:configuration file
   routines:NCONF_get_string:no
   value:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/conf/conf_lib.c:323:group=ca
   name=default_ca
   
  
  It seems that the changes in LibreSSL (or newer OpenSSL before the
  fork) broke some things in ikectl.
  
  Specifically, the possibility to overwrite variables like CERTIP or
  CERTFQDN via $ENV:: options in x509v3.cnf ikeca.cnf* seems to be
   broken; or no longer supported because of security concerns.
  
  Your log file gives a hint that the default CERTFQDN = nohost.nodomain
  value from /etc/ssl/x509v3.cnf (or /etc/ssl/ikeca.cnf) is used instead
  of the CERTFQDN overwrite from the environment (as set by ikectl):
  
   ca_getreq: found CA /C=NL/CN=ikeca/emailAddress=j...@joachim.cc
   ca_x509_subjectaltname: FQDN/nohost.nodomain
   ca_x509_subjectaltname_cmp: FQDN/nohost.nodomain mismatched
   ca_getreq: no valid local certificate found
  
  If libressl no longer supports $ENV in the .cnf files, we have to find
  another way, eg. by generating and using a .cnf file for each
  certificate.
 
 LibreSSL purposefully removed support for environment variables in
 http://marc.info/?l=openbsd-cvsm=142876823016723w=2
 http://marc.info/?l=openbsd-cvsm=142876823016723w=2
 
 So another way is indeed needed.

In this case, "LibreSSL" was Theo, who unintentionally broke ikectl.

I attached a diff that generates new .cnf files by expanding the
variables in the source .cnf files and generating target .cnf files.
It works with both, ikeca.cnf and x509v3.cnf (ignore the warnings),
but you/we should install ikeca.cnf to /etc/ssl/ by default.

There are more pending changes for ikectl (eg. from semarie@), but I'd
like to fix this first.

OK?

Reyk

Index: Makefile
===
RCS file: /cvs/src/usr.sbin/ikectl/Makefile,v
retrieving revision 1.3
diff -u -p -u -p -r1.3 Makefile
--- Makefile18 Jan 2014 05:54:51 -  1.3
+++ Makefile19 Aug 2015 08:12:39 -
@@ -3,7 +3,7 @@
 .PATH: ${.CURDIR}/../../sbin/iked
 
 PROG=  ikectl
-SRCS=  log.c ikeca.c ikectl.c parser.c
+SRCS=  log.c ikeca.c ikectl.c parser.c util.c
 
 MAN=   ikectl.8
 
Index: ikeca.c
===
RCS file: /cvs/src/usr.sbin/ikectl/ikeca.c,v
retrieving revision 1.32
diff -u -p -u -p -r1.32 ikeca.c
--- ikeca.c 15 Aug 2015 04:47:28 -  1.32
+++ ikeca.c 19 Aug 2015 08:12:39 -
@@ -82,13 +82,39 @@ struct {
{ /private,   0700 }
 };
 
-int ca_sign(struct ca *, char *, int, char *);
+/* explicitly list allowed variables */
+const char *ca_env[][2] = {
+   { $ENV::CADB, NULL },
+   { $ENV::CERTFQDN, NULL },
+   { $ENV::CERTIP, NULL },
+   { $ENV::CERTPATHLEN, NULL },
+   { $ENV::CERTUSAGE, NULL },
+   { $ENV::CERT_C, NULL },
+   { $ENV::CERT_CN, NULL },
+   { $ENV::CERT_EMAIL, NULL },
+   { $ENV::CERT_L, NULL },
+   { $ENV::CERT_O, NULL },
+   { $ENV::CERT_OU, NULL },
+   { $ENV::CERT_ST, NULL },
+   { $ENV::EXTCERTUSAGE, NULL },
+   { $ENV::NSCERTTYPE, NULL },
+   { NULL }
+};
+
+int ca_sign(struct ca *, char *, int);
 int ca_request(struct ca *, char *);
 int ca_newpass(char *, char *);
 char *  ca_readpass(char *, size_t *);
 int fcopy(char *, char *, mode_t);
+int fcopy_env(const char *, const char *, mode_t);
 int rm_dir(char *);
 int ca_hier(char *);
+voidca_setenv(const char *, const char *);
+voidca_clrenv(void);
+voidca_setcnf(struct ca *, const char
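Review bot: the ca_env[] allowlist restricts which $ENV:: names are expanded, but the values paired with them (CERTFQDN, CERT_CN, CERT_EMAIL and so on are set by ikectl from its command-line arguments, e.g. the certificate name) end up in a file that openssl(1) parses; fcopy_env()/ca_setenv() should reject values containing newlines or further "$" references, otherwise a value can carry extra directives into the generated .cnf. A comment on the table stating that the second column is NULL until ca_setenv() fills it and that ca_clrenv() releases it would also help, since the initializer alone does not make the ownership obvious.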
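The variable expansion the diff above introduces, and the manual CERTFQDN/CERTIP substitution suggested as a workaround in the earlier reply, as an added example in C that is not ikectl's code: an explicit allowlist modelled on ca_env[], a setter that refuses values which could smuggle further directives into the generated file, and an expander that reports how many references it could not resolve. cnf_env, cnf_setenv, cnf_lookup and cnf_expand are hypothetical names, and the template strings are constructed.

```c
/* Added example, not ikectl's code: allowlisted $ENV:: expansion for .cnf
 * templates, the approach the diff above takes now that LibreSSL no longer
 * reads $ENV:: itself. All names and functions here are hypothetical. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

struct cnf_var {
	const char	*name;	/* reference exactly as written in the template */
	char		*value;	/* NULL until set with cnf_setenv() */
};

/* Hypothetical allowlist, modelled on the ca_env[] table in the diff. */
static struct cnf_var cnf_env[] = {
	{ "$ENV::CERTFQDN",	NULL },
	{ "$ENV::CERTIP",	NULL },
	{ "$ENV::CERT_C",	NULL },
	{ "$ENV::CERT_CN",	NULL },
	{ NULL,			NULL }
};

static int
is_ident_char(int c)
{
	return isalnum((unsigned char)c) || c == '_';
}

/* Values come from the command line: refuse anything that could end the
 * directive or start a new one in the generated file (conservatively also
 * further $ references and the comment character). */
static int
value_is_safe(const char *value)
{
	return strpbrk(value, "\r\n$#") == NULL;
}

/* Set an allowlisted variable. Returns 0, or -1 if unknown or unsafe. */
int
cnf_setenv(const char *name, const char *value)
{
	struct cnf_var *v;
	size_t n;

	if (!value_is_safe(value))
		return -1;
	for (v = cnf_env; v->name != NULL; v++) {
		if (strcmp(v->name, name) != 0)
			continue;
		free(v->value);
		n = strlen(value) + 1;
		if ((v->value = malloc(n)) == NULL)
			return -1;
		memcpy(v->value, value, n);
		return 0;
	}
	return -1;	/* not on the allowlist */
}

/* Find the set variable whose full name starts at p; NULL if unknown or
 * unset. Matching on a name boundary keeps CERT_C from eating CERT_CN. */
static struct cnf_var *
cnf_lookup(const char *p)
{
	struct cnf_var *v;
	size_t n;

	for (v = cnf_env; v->name != NULL; v++) {
		n = strlen(v->name);
		if (strncmp(p, v->name, n) == 0 && !is_ident_char(p[n]))
			return v->value != NULL ? v : NULL;
	}
	return NULL;
}

/* Expand every $ENV:: reference of in into out (outlen bytes). Returns the
 * number of references left unresolved (unknown or unset names are copied
 * through verbatim) or -1 if the result does not fit; a caller should not
 * install a .cnf while the count is non-zero. */
int
cnf_expand(const char *in, char *out, size_t outlen)
{
	const char *p = in;
	struct cnf_var *v;
	size_t o = 0, n;
	int unresolved = 0;

	while (*p != '\0') {
		if (strncmp(p, "$ENV::", 6) == 0) {
			if ((v = cnf_lookup(p)) != NULL) {
				n = strlen(v->value);
				if (o + n >= outlen)
					return -1;
				memcpy(out + o, v->value, n);
				o += n;
				p += strlen(v->name);
				continue;
			}
			unresolved++;
		}
		if (o + 1 >= outlen)
			return -1;
		out[o++] = *p++;
	}
	out[o] = '\0';
	return unresolved;
}
```

Unknown or unset references are deliberately left in place and counted rather than silently dropped, so a missing CERTFQDN shows up as a non-zero return before the file is written, instead of as the FQDN/nohost.nodomain mismatch seen in the iked log above.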

Re: iked rsa pki configuration

2015-08-18 Thread Reyk Floeter
On Tue, Aug 18, 2015 at 02:26:29PM +, Jona Joachim wrote:
 Hi,
 I'm currently trying to setup a road warrior IKEv2 IPSEC tunnel between
 two OpenBSD boxes running a recent amd64 snapshot. The client is behind
 a NAT.
 The setup works with a PSK but I cannot make it work with RSA
 certificates. No matter what I tried, the client seems to fail
 connecting with:
 ca_getreq: no valid local certificate found
 
 I turn to the mailing list to see if anybody can point me into the right
 direction.
 
 I loosely followed the following guide:
 http://puffysecurity.com/wiki/openikedoffshore.html
 I will try to shorten the command output to make it more readable.
 
 There is an OpenSSL error during the creation of the CA concerning a
 missing element in openssl.cnf. I did not modify openssl.cnf.
 
 On the server side I did the following:
 
 # ikectl ca ikeca create 
 [...]
 Signature ok
 subject=/C=NL/CN=ikeca/emailAddress=j...@joachim.cc
 Getting Private key
 Using configuration from /etc/ssl/openssl.cnf
 variable lookup failed for ca::default_ca
 7504668282756:error:0E06D06C:configuration file
 routines:NCONF_get_string:no
 value:/usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/conf/conf_lib.c:323:group=ca
 name=default_ca
 

It seems that the changes in LibreSSL (or newer OpenSSL before the
fork) broke some things in ikectl.

Specifically, the possibility to overwrite variables like CERTIP or
CERTFQDN via $ENV:: options in x509v3.cnf ikeca.cnf* seems to be
broken; or no longer supported because of security concerns.

Your log file gives a hint that the default CERTFQDN = nohost.nodomain
value from /etc/ssl/x509v3.cnf (or /etc/ssl/ikeca.cnf) is used instead
of the CERTFQDN overwrite from the environment (as set by ikectl):

 ca_getreq: found CA /C=NL/CN=ikeca/emailAddress=j...@joachim.cc
 ca_x509_subjectaltname: FQDN/nohost.nodomain
 ca_x509_subjectaltname_cmp: FQDN/nohost.nodomain mismatched
 ca_getreq: no valid local certificate found

If libressl no longer supports $ENV in the .cnf files, we have to find
another way, eg. by generating and using a .cnf file for each
certificate.

As a workaround, you could try to edit CERTFQDN/CERTIP in
x509v3.cnf/ikeca.cnf manually before generating the certificate.

*) ikeca.cnf is an alternative to x509v3.cnf that sets some additional
x509 attributes that are required for Windows interop and some other
cases.  It is not installed by default (why?) and found in
src/usr.sbin/ikectl/ikeca.cnf of the source tree.

Reyk

 # ikectl ca ikeca certificate 188.226.168.224 create
 [...]
 Signature ok
 subject=/C=NL/CN=188.226.168.224/emailAddress=j...@joachim.cc
 Getting CA Private Key
 
 # ikectl ca ikeca certificate asterix.my.domain create
 [...]
 Signature ok
 subject=/C=FR/CN=asterix.my.domain/emailAddress=j...@joachim.cc
 Getting CA Private Key
 
 # ikectl ca ikeca install  
 certificate for CA 'ikeca' installed into /etc/iked/ca/ca.crt
 
 # ikectl ca ikeca certificate 188.226.168.224 install
 writing RSA key
 
 # ikectl ca ikeca certificate asterix.my.domain export 
 Export passphrase:
 Retype export passphrase:
 writing RSA key
 exported files in /root/asterix.my.domain.tgz
 
 
 On the client side then I did the following:
 asterix% sudo tar -C /etc/iked -xzpf asterix.my.domain.tgz
 
 The server configuration files look like this:
 iked.conf:
 local_ip = 188.226.168.224
 
 ikev2 passive ipcomp esp \
   from 0.0.0.0/0 to 10.0.0.0/8 \
   from 0.0.0.0/0 to 172.16.0.0/12 \
   from 0.0.0.0/0 to 192.168.0.0/16 \
   local $local_ip peer any \
   srcid $local_ip \
   tag IKED
 
 pf.conf (partial):
 set skip on { lo, enc }
 block in log
 pass in quick inet proto icmp icmp-type { echoreq, unreach }
 pass in on egress proto { ah, esp }
 pass in on egress proto udp from any to any port { isakmp, ipsec-nat-t }
 
 pass out all modulate state
 pass out log on egress \
 from any to any tagged IKED \
 nat-to (egress)
 
 
 The client configuration files look like this:
 
 iked.conf:
 lan = 192.168.1.0/24
 remote_gw = 188.226.168.224
 
 ikev2 active esp \
   from $lan to 0.0.0.0/0 \
   peer $remote_gw \
   srcid asterix.my.domain \
   tag IKED
 
 Here's the output of iked -dvv on the client side:
 
 ca_privkey_serialize: type RSA_KEY length 1191
 ca_pubkey_serialize: type RSA_KEY length 270
 ca_reload: loaded ca file ca.crt
 ca_reload: /C=NL/CN=ikeca/emailAddress=j...@joachim.cc
 ca_reload: loaded 1 ca certificate
 ca_reload: loaded cert file asterix.my.domain.crt
 ca_validate_cert: /C=FR/CN=asterix.my.domain/emailAddress=j...@joachim.cc
 ok
 ca_reload: local cert type X509_CERT
 lan = 192.168.1.0/24
 
 remote_gw = 188.226.168.224
 
 ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
 ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
 /etc/iked.conf: loaded 1 configuration rules
 config_getocsp: ocsp_url none
 config_getpolicy: received policy
 ikev2 policy1 active esp inet from 192.168.1.0/24 to 0.0.0.0/0 local
 any 

Re: OS X 10.11 'El Capitan' IKEv2

2015-08-17 Thread Reyk Floeter
On Sun, Aug 16, 2015 at 11:28:24PM +0300, Or Elimelech wrote:
 Hello misc,
 
 Has anyone connected successfully between the new OS X ikev2 impl.
 To an OpenBSD box?
 

No, we don't have the beta.

Reyk



Re: Microsoft Now OpenBSD Foundation Gold Contributor

2015-07-08 Thread Reyk Floeter
On Wed, Jul 08, 2015 at 10:12:44AM -0400, Kenneth R Westerback wrote:
 The OpenBSD Foundation is happy to announce that Microsoft has made
 a significant financial donation to the Foundation. This donation
 is in recognition of the role of the Foundation in supporting the
 OpenSSH project. This donation makes Microsoft the first Gold level
 contributor in the OpenBSD Foundation's 2015 fundraising campaign.
 
 Donations to the Foundation can be made on our Donations Page at
 
 www.openbsdfoundation.org/donations.html
 
 We can be contacted regarding corporate sponsorship at
 
 fundrais...@openbsdfoundation.org.
 

Nice!

Reyk



Re: panic during boot of 5.7 in de(4) running in Hyper-V

2015-06-25 Thread Reyk Floeter
On Tue, Jun 23, 2015 at 09:08:25PM -0600, Theo de Raadt wrote:
  I looked into this last year but lost interest. It seems like the DMA buffer
  is being placed past the UVM constraint for DMA ( eg  4GB).
 
 A configuration buffer is in the softc.  It should be allocated to be
 dma-reachable.
 
 This driver is quite ugly.  Maybe the following diff works?
 

It fixes the issue for me, with two changes below, otherwise OK.

But I still don't get any traffic with de(4) on Hyper-V here ...  or
just once in a while with dhclient  but this seems to be a
different issue.

Reyk

 Index: if_de.c
 ===
 RCS file: /cvs/src/sys/dev/pci/if_de.c,v
 retrieving revision 1.120
 diff -u -p -u -r1.120 if_de.c
 --- if_de.c   15 May 2015 11:36:30 -  1.120
 +++ if_de.c   24 Jun 2015 00:05:05 -
 @@ -49,6 +49,7 @@
  #include sys/kernel.h
  #include sys/device.h
  #include sys/timeout.h
 +#include sys/pool.h
  
  #include net/if.h
  #include net/if_media.h
 @@ -2907,7 +2908,7 @@ tulip_addr_filter(tulip_softc_t * const 
* go into hash perfect mode (512 bit multicast
* hash and one perfect hardware).
*/
 - bzero(sc-tulip_setupdata, sizeof(sc-tulip_setupdata));
 + bzero(sc-tulip_setupdata, TULIP_SETUP);
   if (ac-ac_multirangecnt  0) {
   sc-tulip_flags |= TULIP_ALLMULTI;
   sc-tulip_flags = ~(TULIP_WANTHASHONLY|TULIP_WANTHASHPERFECT);
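Review bot: bzero(3) takes a byte count, so this line is only correct if TULIP_SETUP is 192 bytes; with the if_devar.h definition of 192 / sizeof(u_int32_t) it clears 48 bytes and leaves three quarters of the setup data uninitialized. The same holds for the bcopy() and dma_alloc()/malloc() sizes later in the diff, which all pass TULIP_SETUP where bytes are expected.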
 @@ -4085,8 +4086,7 @@ tulip_txput_setup(tulip_softc_t * const 
   sc-tulip_if.if_start = tulip_ifstart;
   return;
  }
 -bcopy(sc-tulip_setupdata, sc-tulip_setupbuf,
 -   sizeof(sc-tulip_setupbuf));
 +bcopy(sc-tulip_setupdata, sc-tulip_setupbuf, TULIP_SETUP);
  /*
   * Clear WANTSETUP and set DOINGSETUP.  Set know that WANTSETUP is
   * set and DOINGSETUP is clear doing an XOR of the two will DTRT.
 @@ -4357,16 +4357,17 @@ tulip_busdma_init(tulip_softc_t * const 
  {
  int error = 0;
  
 +sc-tulip_setupbuf = dma_alloc(TULIP_SETUP, PR_WAITOK);
 +sc-tulip_setupdata = malloc(TULIP_SETUP, M_DEVBUF, M_WAITOK);
 +
  /*
   * Allocate dmamap for setup descriptor
   */
  error = bus_dmamap_create(sc-tulip_dmatag, sizeof(sc-tulip_setupbuf), 
 2,

Here is a missing TULIP_SETUP, it should be:

  error = bus_dmamap_create(sc-tulip_dmatag, TULIP_SETUP, 2,
TULIP_SETUP, 0, BUS_DMA_NOWAIT, sc-tulip_setupmap);

 -   sizeof(sc-tulip_setupbuf), 0, BUS_DMA_NOWAIT,
 -   sc-tulip_setupmap);
 + TULIP_SETUP, 0, BUS_DMA_NOWAIT, sc-tulip_setupmap);
  if (error == 0) {
   error = bus_dmamap_load(sc-tulip_dmatag, sc-tulip_setupmap,
 - sc-tulip_setupbuf, sizeof(sc-tulip_setupbuf),
 - NULL, BUS_DMA_NOWAIT);
 + sc-tulip_setupbuf, TULIP_SETUP, NULL, BUS_DMA_NOWAIT);
   if (error)
   bus_dmamap_destroy(sc-tulip_dmatag, sc-tulip_setupmap);
  }
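Review bot: the two allocations added at the top of the hunk are not released on the failure paths below them: when bus_dmamap_create() fails, or when bus_dmamap_load() fails and the map is destroyed, tulip_setupbuf (dma_alloc) and tulip_setupdata (malloc) leak. Either free them there with dma_free(sc->tulip_setupbuf, TULIP_SETUP) and free(sc->tulip_setupdata, M_DEVBUF, TULIP_SETUP), or do the allocations only after the map is set up. The size argument of bus_dmamap_create() also still reads sizeof(sc->tulip_setupbuf), which is now the size of a pointer, as the reply points out.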
 Index: if_devar.h
 ===
 RCS file: /cvs/src/sys/dev/pci/if_devar.h,v
 retrieving revision 1.33
 diff -u -p -u -r1.33 if_devar.h
 --- if_devar.h10 Feb 2015 03:51:58 -  1.33
 +++ if_devar.h24 Jun 2015 00:04:36 -
 @@ -600,8 +600,10 @@ struct _tulip_softc_t {
   * one is the one being sent while the other is the one being
   * filled.
   */
 -u_int32_t tulip_setupbuf[192/sizeof(u_int32_t)];
 -u_int32_t tulip_setupdata[192/sizeof(u_int32_t)];
 +#define TULIP_SETUP  (192 / sizeof(u_int32_t))

As mentioned in another mail, this should be changed to

#define TULIP_SETUP 192

 +u_int32_t *tulip_setupbuf;
 +u_int32_t *tulip_setupdata;
 +
  char tulip_boardid[16];  /* buffer for board ID */
  u_int8_t tulip_rombuf[128];
  struct device *tulip_pci_busno;  /* needed for multiport boards */
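Review bot: turning the two arrays into pointers means any remaining sizeof(sc->tulip_setupbuf) or sizeof(sc->tulip_setupdata) in the driver now silently evaluates to the pointer size instead of 192, with no compiler diagnostic; grep for leftover sizeof uses (the bus_dmamap_create() call in the if_de.c hunk is one) and convert them to TULIP_SETUP. Define TULIP_SETUP as the byte count 192, since every consumer in this diff passes it to bzero(), bcopy(), dma_alloc(), malloc() and the bus_dma calls, all of which take bytes.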



Re: sogo, httpd(8) and the rewrite need

2015-06-14 Thread Reyk Floeter
 On 14.06.2015, at 18:08, Joel Carnat j...@carnat.net wrote:
 
 Hi,
 
 I was going to install SOGo on OpenBSD 5.7 using the native httpd(8).
 In the readme, there are configuration examples for nginx and 
 apache-httpd-openbsd. Nothing for the new httpd.
 There are rewrite/redirect features that I can’t figure out how to setup with 
 httpd(8).
 
 nginx example:
location = /principals/
{
rewrite ^ http://$server_name/SOGo/dav;
allow all;
}
 
 apache-httpd-openbsd example:
 RedirectMatch ^/principals/$ http://127.0.0.1:8800/SOGo/dav/
 
 Is it possible to achieve such feature with httpd and/or relayd ?
 

Kind of. You could try something like:

location /principals/ {
block return 301 http://$SERVER_NAME/SOGo/dav/;
}

Replace $SERVER_NAME with the IP, or add $SERVER_PORT, if required.

Reyk



Re: wscons, variants and X11

2015-05-31 Thread Reyk Floeter
On Sat, May 30, 2015 at 09:30:56PM +0100, Sevan / Venture37 wrote:
 Hi,
 It seems that there is no X11 configuration needed for a US keyboard
 layout with Dvorak variant (us.dvorak) if wscons is already set for
 this layout. Adding a second variant (in this case swapctrlcaps) to
 config causes X11 to revert to a US layout,  though wscons is
 configured for us.swapctrlcaps.dvorak. Is this to be expected, and in
 such a scenario is it recommended to revert to setting things up in
 xorg.conf?
 
 

Maybe X doesn't know about a matching variant?  As far as I remember,
the kbdtype/wscons is only used as a hint to find a matching X layout.

I have no idea about the current situation -

To make zero conf X useable for me, I created a patch in 2008 to
derive the X keyboard layout from wscons.  I use de.nodead so it did
work with a single variant.  Since the initial patch, that I didn't
commit myself to keep my X commit count low, the driver has been
changed many times and the feature has eventually been moved to a new
wscons hotplug driver:

http://cvsweb.openbsd.org/cgi-bin/cvsweb/xenocara/driver/xf86-input-keyboard/src/bsd_kbd.c

Reyk



Re: Httpd perfect forward secrecy

2015-05-18 Thread Reyk Floeter
On Mon, May 18, 2015 at 07:43:26PM +0200, Martijn Rijkeboer wrote:
 Hi,
 
 I've just switched my webserver from 5.6/nginx to 5.7/httpd and was
 testing my TLS setup using SSL Labs[1]. The SSL Labs test indicates that
 my setup doesn't support forward secrecy. Is this not implemented in
 the 5.7 version of httpd or is my configuration wrong (included below)?
 
 OS: OpenBSD 5.7-stable AMD64
 
 Kind regards,
 
 
 Martijn Rijkeboer
 

We disabled older cipher suites and protocols by default.  Any new-ish
browser should prefer ECDHE over DHE.

From httpd.conf:
---snip---
 dhe params
 Specify the DHE parameters to use for DHE cipher suites.
 Valid parameter values are none, legacy and auto.  For
 legacy a fixed key length of 1024 bits is used, whereas
 for auto the key length is determined automatically.  The
 default is none, which disables DHE cipher suites.

 ecdhe curve
 Specify the ECDHE curve to use for ECDHE cipher suites.
 Valid parameter values are none, auto and the short name
 of any known curve.  The default is auto.
---snap---

So if you really want to enable legacy DHE modes, set the following
in the server section:

tls dhe legacy

Reyk

 
 --- /etc/httpd.conf ---
 
 ext_addr=*
 
 server www.bunix.org {
 listen on $ext_addr tls port 443
 tls certificate /etc/ssl/www.bunix.org.crt.pem
 tls key /etc/ssl/private/www.bunix.org.key.pem
 
 connection {
 max requests 500
 timeout 3600
 }
 
 root /htdocs/www.bunix.org
 }
 
 types {
 include /usr/share/misc/mime.types
 }
 
 
 -
 
 [1] https://www.ssllabs.com/ssltest/
 

-- 



Re: relayd.conf man page question

2015-05-15 Thread Reyk Floeter
On Fri, May 15, 2015 at 08:30:14PM +0100, Jason McIntyre wrote:
 On Wed, May 06, 2015 at 09:15:17PM +0200, Alex Greif wrote:
  Hi,
  
  while reading the relayd.conf man page, I found the following unclear 
  paragraph:
  ...
  RELAYS
   listen on address [port port] [tls]
  ... If the port option is not specified, the port from the listen on 
  directive will be used.
  
  My question: 
  which *other* listen on directive is meant here? Or is the port mandatory?
  
  
  Thanks,
  ALex.
  
 
 you're right that this bit of text is unclear. can someone clarify it,
 please?
 

Clarification: it is a documentation error that was caused by
cut'n'paste (actually kill'n'yank).

OK?

Reyk

Index: relayd.conf.5
===
RCS file: /cvs/src/usr.sbin/relayd/relayd.conf.5,v
retrieving revision 1.162
diff -u -p -u -p -r1.162 relayd.conf.5
--- relayd.conf.5   15 May 2015 19:26:37 -  1.162
+++ relayd.conf.5   15 May 2015 19:59:47 -
@@ -658,17 +658,11 @@ it will be used as a backup if the looku
 Like the previous directive, but for redirections with rdr-to in
 .Xr pf.conf 5 .
 .It Xo
-.Ic listen on Ar address
-.Op Ic port Ar port
+.Ic listen on Ar address Ic port Ar port
 .Op Ic tls
 .Xc
 Specify the address and port for the relay to listen on.
 The relay will accept incoming connections to the specified address.
-If the
-.Ic port
-option is not specified, the port from the
-.Ic listen on
-directive will be used.
 .Pp
 If the
 .Ic tls



Re: OpenBSD and 40G/100G ethernet cards

2015-03-03 Thread Reyk Floeter
Hi,

 On 03.03.2015, at 23:09, Theron ZORBAS theronzor...@yahoo.com wrote:
 
 Hi,
 
 Is there any plan to support 40G/100G ethernet cards? You may see a vendor's 
 product in this category at this link: 
 http://www.mellanox.com/page/ethernet_cards_overview
 Thanks
 Theron
 

if there is hardware documentation and/or a driver for another OS (eg. 
FreeBSD), we could port it to OpenBSD. I'm not sure about Mellanox, but the 
Intel 40G stuff would definitely be interesting, and there is a FreeBSD driver 
 as a starting point. But please don't expect any miracles with the performance 
- we hardly do 10G at the moment.

But we don't have the hardware yet, so we depend on donations of two of each 
40G/100G cards and the required cables; we could run them back-to-back and try 
to get them working. Get them to mikeb@ and me, maybe other developers as well. 
Of course, 10/40/100G switch donations would also always work… ;-)

Reyk



Re: Last snapshots won't install on VMWare ESXi or getting ether_output panic

2015-02-25 Thread Reyk Floeter
Hi,

I haven't seen such crashes. Can you provide more information incl. dmesg and 
.vmx file of the VM?

Reyk

 On 25.02.2015, at 18:55, Romain FABBRI romain.fab...@alienconsulting.net 
 wrote:
 
 On last snapshots I can't complete the install when installing as a guest VM 
 in VMWare ESXi 5.5. (snap: 20150217-20150223)
 
 The install fails when installing sets from CD.
 
 So I tried to convert a Hyper-V install which completes correctly and then to 
 deploy the image to VMWare ESXi 5.5.
 It can boot but when doing a simple ping I get a kernel panic.
 
 Ddb output :
 
 panic: smashed stack in ether_output
 Stopped at Debugger+0x7:leave
 ddbtrace
 Debugger(d09e204a,f53adc08,d09bae0c,f53adc08,da0336c4) at Debugger+0x7
 panic(d09bae0c,d09c33de,0,f53adc1c,d0203025) at panic+0x71
 __stack_smash_handler(d09c33de,e,2,da0336ca,f53adc9a) at __stack_smash_handler
 0x19
 ether_output(d4085830,d9ee8b00,da0336c4,da00fb54,0) at ether_output+0x541
 ip_output(d9ee8b00,0,da0336bc,20,0) at ip_output+0xd0b
 rip-output(d9ee8b00,d9f1f648,1b2d23e,d9ee8e00,0) at rip_output+0x144
 sosend(d9f1f648,d9ee8e00,f53ade90,d9ee8e00,0) at sosend+0x444
 sendit(d9ef6174,3,f53adef4,0,f53adf80) at sendit+0x1e1
 sys_sendto(d9ef6174,3,f53adf60,f53adf80,d0569f25,d9ef6174) at sys_sendto+0x6c
 syscall() at syscall+0x24d
 
 ddbps
 PID PPIDPGRPUID   S   FLAGS   WAIT  COMMAND
 * 5393  20454   53930 7 0x33ping
 
 
 Tested from i386 image on VMWare ESXi 5.5 (I tried with E1000 and VMX3 
 network drivers and got same panic).
 
 Romain



Re: gzip compression in httpd

2015-02-15 Thread Reyk Floeter
On Mon, Feb 16, 2015 at 02:46:27AM +0600, �?�?�?�?�? �?�?�?омин wrote:
 On Sun, Feb 15, 2015 at 07:20:53PM +, Florian Obser wrote:
  On Sun, Feb 15, 2015 at 07:11:48PM -, Merci Brault wrote:
   Does the new httpd support gzip compression?
   
  
  No.
 
 Planned?
 

No.



Re: Hannover BSD meetup

2015-02-12 Thread Reyk Floeter
Hi,

just a reminder - we'll have our Hannover BSD meetup next week.

And due to the positive feedback, I would appreciate if you'd
optionally drop me a private note if you're intending to attend.
We'll have some users and OpenBSD developers joining us.  The people
at the bar got concerned when we told them we don't know how many
people - we announced it publicly in the Internet ;)

Ok, time to pack my stuff and to leave #s2k15 and Australia...

Reyk

On Thu, Jan 22, 2015 at 03:02:30PM +0100, Reyk Floeter wrote:
 Hi,
 
 we figured out that there are more BSD people in the Hannover area,
 Germany, which seems to be a good reason to meet and get beer.
 
 We're not quite a user group, but let's give it a try.  We're a few
 developers and users, mostly from OpenBSD but the other ones are
 welcome.
 
 We don't have a mailing list; just contact me directly or poke me on
 twitter (@reykfloeter).
 
 Save the date: Thursday, February 19th, 19:30 at GiG Linden.
 
 Thanks,
 Reyk

-- 



Re: Hannover BSD meetup

2015-01-23 Thread Reyk Floeter
I'm amazed about the feedback on twitter and misc; it will   
definitively happen.  Thanks!

And I'm sure that people in Munich can find others to have their own
OpenBSD Haxn-und-Mass-Oktoberfest every now and then ;)   

Reyk

On Thu, Jan 22, 2015 at 03:02:30PM +0100, Reyk Floeter wrote:
 Hi,
 
 we figured out that there are more BSD people in the Hannover area,
 Germany, which seems to be a good reason to meet and get beer.
 
 We're not quite a user group, but let's give it a try.  We're a few
 developers and users, mostly from OpenBSD but the other ones are
 welcome.
 
 We don't have a mailing list; just contact me directly or poke me on
 twitter (@reykfloeter).
 
 Save the date: Thursday, February 19th, 19:30 at GiG Linden.
 
 Thanks,
 Reyk

-- 



Hannover BSD meetup

2015-01-22 Thread Reyk Floeter
Hi,

we figured out that there are more BSD people in the Hannover area,
Germany, which seems to be a good reason to meet and get beer.

We're not quite a user group, but let's give it a try.  We're a few
developers and users, mostly from OpenBSD but the other ones are
welcome.

We don't have a mailing list; just contact me directly or poke me on
twitter (@reykfloeter).

Save the date: Thursday, February 19th, 19:30 at GiG Linden.

Thanks,
Reyk



Re: What are the disadvantages of soft updates?

2015-01-22 Thread Reyk Floeter
On Thu, Jan 22, 2015 at 09:02:51AM -0500, Steve Shockley wrote:
 On 1/21/2015 5:50 AM, frantisek holop wrote:
 but in my experience it is not that hard to get a
 corrupted filesystem with softupdates and i had to stop
 using it.  but i seem to attract panics and
 page faults.
 
 I've personally had problems with OpenBSD panics with softupdates when
 running under ESXi when the back-end storage becomes high-latency
 (aggressive SAN backups, not enough spindles).  I haven't tried recently (it
 was difficult to repro on demand) but I didn't really consider it an OpenBSD
 issue.  Presumably softupdate has shorter timeouts.
 

What release and what virtualized SCSI controller were you using?

Reyk



Re: 500 httpd error with owncloud

2015-01-07 Thread Reyk Floeter
Hi,

On Sun, Dec 28, 2014 at 10:41:01AM +0100, Clemens Goessnitzer wrote:
 I installed the owncloud server from ports, and tried to get it running with
 the new httpd. Unfortunately, I get a 500 Internal Server Error once I log
 in. However, the login page is shown perfectly fine.
 
 Here is the server log, when I run the server in debug/verbose mode without
 daemonizing:
 
 default 192.168.178.18 - - [28/Dec/2014:10:29:52 +0100] GET
 /owncloud/index.php/apps/files/ HTTP/1.1 500 0
 server default, client 5 (1 active), 192.168.178.18:49545 - 192.168.178.49,
 /owncloud/index.php/apps/files/ (500 Internal Server Error)
 
 IMHO, neither the server error log nor the owncloud log provide any evidence
 to locate the error. Since I am not a developer, I would appreciate any help
 you could give me to solve this error.
 
 The owncloud installation is standard, using /owncloud-data as data
 directory, and sqlite3 as database. I installed owncloud by directly
 downloading it from owncloud.org; however, the error remained unchanged.
 
 Thanks in advance,
 Clemens
 

OK, I tested ownCloud with httpd and it works fine.  I tested it with
-current/5.7-beta but 5.6-stable might work with some limitations
(without the /owncloud path).

So httpd is ready for owncloud - liars ;-)

I quickly wrote down some steps here:
https://github.com/reyk/httpd/wiki/Running-ownCloud-with-httpd-on-OpenBSD

This is enough to get it running, but only lightly tested and maybe
with some flaws.  We can get it in the pkg-readme for owncloud later.
I have to admit that it could be easier with some more flexibility in
httpd.  But it works.

For reference, here is my example configuration:

---snip---
server myowncloud.example.com {
listen on * port 80
listen on * tls port 443

# Set max upload size to 513M (in bytes)
connection max request body 537919488

root /owncloud

# First deny access to the specified files
# (as a workaround, run 'mkdir -p 0 /var/www/forbidden' first)
location */db_structure.xml {
root /forbidden
}
location */.ht* {
root /forbidden
}
location */README {
root /forbidden
}
location */data {
root /forbidden
}
location */config {
root /forbidden
}

# If it is accessed as /owncloud
location /owncloud/*.php* {
root { /owncloud, strip 1 }
fastcgi socket /run/php-fpm.sock
}
location /owncloud/* {
root { /owncloud, strip 1 }
}

# Any other PHP file
location /*.php* {
fastcgi socket /run/php-fpm.sock
}

#
# XXX The following configuration from the nginx examples are
# XXX currently not supported in httpd(8).
#

# No WebFinger possible
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json 
/public.php?service=host-meta-json last;
#rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
#rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;

# What does this mean?
#rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;

# No (optional) EXPIRES headers in httpd
#location ~* ^.+\.(jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
#   expires 30d;
#   # Optional: Don't log access to assets
#   access_log off;
#}

# Custom error pages are currently not supported
#error_page 403 /core/templates/403.php;
#error_page 404 /core/templates/404.php;
}
---snap---

Reyk



Re: 500 httpd error with owncloud

2015-01-07 Thread Reyk Floeter
On Wed, Jan 07, 2015 at 06:03:23PM +0100, Stefan Sperling wrote:
 On Wed, Jan 07, 2015 at 05:53:24PM +0100, Reyk Floeter wrote:
  # First deny access to the specified files
  # (as a workaround, run 'mkdir -p 0 /var/www/forbidden' first)
 ^
 mkdir -m 0 /var/www/forbidden
^
 
 ?

Thanks, I fixed it in the Wiki.

This is a workaround that will go away as soon as we have a real
deny-like rule in httpd.

Reyk



Re: PRG airport in misc

2015-01-04 Thread Reyk Floeter
On Sun, Jan 04, 2015 at 12:08:44PM +0100, Jan Stary wrote:
 The PRG airport has been renamed
 in honor of Vaclav Havel quite some time ago.
 
   Jan
 

Thanks, done.

 Index: airport
 ===
 RCS file: /cvs/src/share/misc/airport,v
 retrieving revision 1.45
 diff -u -p -r1.45 airport
 --- airport   29 Dec 2014 20:16:58 -  1.45
 +++ airport   4 Jan 2015 11:06:48 -
 @@ -1339,7 +1339,7 @@ PPT:Pape'ete, Tahiti, French Polynesia
  PQI:Presque Isle, Maine, USA
  PQQ:Port Macquarie, New South Wales, Australia
  PRC:Prescott, Arizona, USA
 -PRG:Ruzyne, Prague, Czech Republic
 +PRG:Vaclav Havel Airport, Prague, Czech Republic
  PRI:Praslin Island, Seychelles
  PSA:G Galilei, Pisa, Italy
  PSE:Mercedita, Ponce, Puerto Rico, USA
 

-- 



Re: httpd and ~user directories

2015-01-03 Thread Reyk Floeter
On Sat, Jan 03, 2015 at 10:33:52PM +0100, Tor Houghton wrote:
 Hello,
 
 I'm wondering if there is a plan to add support for ~user style URL 
 expansion to the new httpd.
 
 I've tried fudging it for 'someuser' by adding the following to the default
 server within /etc/httpd.conf, but to no avail:
 
   location /~someuser/* {
   root /htdocs/users/someuser
   }
 
 (I also tried creating a directory '/htdocs/~someuser', but that didn't work
 either, thankfully.)
 
 I'm running 5.6 (not -current; so I should probably do that), but looking at
 the current commits, I can't see that this is supported right now?
 
 Or am I doing it wrong?
 

- User directories are not explicitly supported and have to be  
within the chroot - somewhere in /var/www.  

- For example, you can currently create user directories the following way:

# mkdir -p /var/www/users/~reyk
# ln -s /var/www/users/~reyk ~reyk/public_html
# echo Hallo > /var/www/users/~reyk/index.html

location /~* {
root /users
}
  
- For your snippet, you would need an upcoming feature from chrisz@ to
strip elements from the request path (so it can be done without
rewrite/regex).

Currently, a client requesting http://somehost/~someuser/ would end up
in /var/www/htdocs/users/someuser/~someuser/ - which does not exist.

location /~someuser/* {
root /htdocs/users/someuser
}

You can fix the path by stripping the last path element so that it
turns into /var/www/htdocs/users/someuser.

location /~someuser/* {
root { /htdocs/users/someuser, strip 1 }
}

Reyk



Re: httpd: multiple addresses for one server

2015-01-03 Thread Reyk Floeter
On Thu, Jan 01, 2015 at 11:54:46PM -0500, Geoff Steckel wrote:
 Is there any way to do the equivalent of:
 
 server an.example.com
 listen on 192.168.2.99
 listen on 2001.fefe.1.1::99
 
 ??
 It appears that the code in parse.y explicitly forbids this
 and the data structures for a server don't *seem*
 to have more than one slot for an address.
 
 Is there another way to achieve this effect?
 From one comment in the checkins, it looks like
 
 server an.example.com
 listen on 192.168.2.99
 .
 server an.example.com
 listen on 2001.fefe.1.1::99
 
 would work.
 
 Duplicating the entire server description is
 difficult to maintain.
 
 Is someone planning to work in this area soon?
 
 thanks
 Geoff Steckel
 

I used include directives to avoid duplications (see previous reply)
but the following diff allows to add aliases and multiple listen
statements.

Reyk

Index: config.c
===
RCS file: /cvs/src/usr.sbin/httpd/config.c,v
retrieving revision 1.26
diff -u -p -u -p -r1.26 config.c
--- config.c21 Dec 2014 00:54:49 -  1.26
+++ config.c3 Jan 2015 13:33:25 -
@@ -174,7 +174,9 @@ config_setserver(struct httpd *env, stru
if ((what  CONFIG_SERVERS) == 0 || id == privsep_process)
continue;
 
-   DPRINTF(%s: sending server \%s[%u]\ to %s fd %d, __func__,
+   DPRINTF(%s: sending %s \%s[%u]\ to %s fd %d, __func__,
+   (srv-srv_conf.flags  SRVFLAG_LOCATION) ?
+   location : server,
srv-srv_conf.name, srv-srv_conf.id,
ps-ps_title[id], srv-srv_s);
 
Index: httpd.conf.5
===
RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v
retrieving revision 1.40
diff -u -p -u -p -r1.40 httpd.conf.5
--- httpd.conf.528 Dec 2014 13:53:23 -  1.40
+++ httpd.conf.53 Jan 2015 13:33:25 -
@@ -135,6 +135,10 @@ must have a
 .Ar name
 and include one or more lines of the following syntax:
 .Bl -tag -width Ds
+.It Ic alias Ar name
+Specify an additional alias
+.Ar name
+for this server.
 .It Ic connection Ar option
 Set the specified options and limits for HTTP connections.
 Valid options are:
@@ -180,6 +184,7 @@ and defaults to
 .Pa /run/slowcgi.sock .
 .It Ic listen on Ar address Oo Ic tls Oc Ic port Ar number
 Set the listen address and port.
+This statement can be specified multiple times.
 .It Ic location Ar path Brq ...
 Specify server configuration rules for a specific location.
 The
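Review bot: once `listen on` is repeatable, the description should state what is shared between the listeners of one server. The added example mixes `listen on * port 80` and `listen on * tls port 443` in a single block, so the reader needs to know that the server's `tls` options (`certificate`, `key`, `ciphers`) apply to every listener marked `tls`, and what happens when two `listen on` lines of the same server repeat the same address and port. One sentence after "This statement can be specified multiple times." would cover it.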
@@ -391,6 +396,13 @@ If the same address is repeated multiple
 statement,
 the server will be matched based on the requested host name.
 .Bd -literal -offset indent
+server www.example.com {
+   alias example.com
+   listen on * port 80
+   listen on * tls port 443
+   root /htdocs/www.example.com
+}
+
 server www.a.example.com {
listen on 203.0.113.1 port 80
root /htdocs/www.a.example.com
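Review bot: the new example block adds `listen on * tls port 443` but shows no certificate or key for `www.example.com`, unlike the other examples in the section; either add the `tls` options to the block or say what is used when they are absent, so the example can be copied as-is. The block also now sits directly before `www.a.example.com` with `listen on 203.0.113.1 port 80`, so the sentence this hunk extends ("If the same address is repeated ... matched based on the requested host name") has to cover a wildcard `*` listener overlapping a specific address on the same port as well.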
Index: parse.y
===
RCS file: /cvs/src/usr.sbin/httpd/parse.y,v
retrieving revision 1.46
diff -u -p -u -p -r1.46 parse.y
--- parse.y 21 Dec 2014 00:54:49 -  1.46
+++ parse.y 3 Jan 2015 13:33:26 -
@@ -106,6 +106,8 @@ int  host_if(const char *, struct addre
 int host(const char *, struct addresslist *,
int, struct portrange *, const char *, int);
 voidhost_free(struct addresslist *);
+struct server  *server_inherit(struct server *, const char *,
+   struct server_config *);
 int getservice(char *);
 int is_if_in_group(const char *, const char *);
 
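Review bot: `server_inherit()` is declared here but its definition does not appear in the posted diff, which ends mid-hunk at the `TAILQ_FOREACH` in the `server` rule. The function that creates the per-listen and per-alias server entries, and the `alias` production in `serveropts_l`, are the parts that actually need review; please resend the complete diff.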
@@ -125,10 +127,10 @@ typedef struct {
 
 %}
 
-%token ACCESS AUTO BACKLOG BODY BUFFER CERTIFICATE CHROOT CIPHERS COMMON
+%token ACCESS ALIAS AUTO BACKLOG BODY BUFFER CERTIFICATE CHROOT CIPHERS COMMON
 %token COMBINED CONNECTION DIRECTORY ERR FCGI INDEX IP KEY LISTEN LOCATION
 %token LOG LOGDIR MAXIMUM NO NODELAY ON PORT PREFORK REQUEST REQUESTS ROOT
-%token SACK SERVER SOCKET STYLE SYSLOG TCP TIMEOUT TLS TYPES 
+%token SACK SERVER SOCKET STYLE SYSLOG TCP TIMEOUT TLS TYPES
 %token ERROR INCLUDE
 %token v.string  STRING
 %token  v.number NUMBER
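Review bot: only the `ALIAS` token is added here; the `TYPES` line changes just by dropping trailing whitespace, which is fine to fold in. The matching entry in the lexer's keyword table (where `ALIAS` maps to the word "alias") is not in the posted diff either; make sure it lands in sorted position, since that table is searched with bsearch(3).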
@@ -247,8 +249,14 @@ server : SERVER STRING {
srv_conf = srv-srv_conf;
 
SPLAY_INIT(srv-srv_clients);
+   TAILQ_INIT(srv-srv_hosts);
+
+   TAILQ_INSERT_TAIL(srv-srv_hosts, srv_conf, entry);
} '{' optnl serveropts_l '}'{
-   struct server   *s = NULL;
+   struct server   *s = NULL, *sn;
+   struct server_config*a, *b;
+
+   srv_conf = srv-srv_conf;
 
TAILQ_FOREACH(s, conf-sc_servers, srv_entry) {
if 
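Review bot: at the start of the rule `srv_conf` is inserted as the first entry of the new `srv_hosts` list, and at the end of the rule it is reset to `srv->srv_conf` before the `TAILQ_FOREACH(s, conf->sc_servers, ...)` loop runs. If `serveropts_l` appended further `server_config` entries to `srv_hosts` for `alias` and additional `listen on` lines, that loop now has to walk the `srv_hosts` list of every existing server as well as the base config, otherwise an `alias` equal to another block's name, or a second `listen on` repeating another block's address and port, is not seen by whatever duplicate check the loop performs. The diff is cut off right at that point, so this may already be handled in the missing part.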

Re: httpd(8) - Update index docs to HTML5

2015-01-01 Thread Reyk Floeter
Hi,


On Thu, Jan 01, 2015 at 01:20:49AM -0600, James Jerkins wrote:
 Hello,
 
 Based on the W3c moving HTML5 to Recommendation status on October 28,
 2014, (http://www.w3.org/2014/10/html5-rec.html.en) these two patches update
 the built-in index documents in httpd(8) to HTML5.
 

Thanks for the heads up.  I think it is OK to use the html5 doctype
(and it looks nicer...).  But I'll skip the (optional) charset for now
because UTF-8 is not handled by httpd.

Reyk

 
 Index: src/usr.sbin/httpd/server_file.c
 ===
 RCS file: /cvs/src/usr.sbin/httpd/server_file.c,v
 retrieving revision 1.42
 diff -u -p -u -r1.42 server_file.c
 --- src/usr.sbin/httpd/server_file.c  21 Dec 2014 00:54:49 -  1.42
 +++ src/usr.sbin/httpd/server_file.c  1 Jan 2015 07:15:52 -
 @@ -311,11 +311,11 @@ server_file_index(struct httpd *env, str
   sans-serif; }\nhr { border: 0; border-bottom: 1px dashed; }\n;
   /* Generate simple HTML index document */
   if (evbuffer_add_printf(evb,
 - !DOCTYPE HTML PUBLIC 
 - \-//W3C//DTD HTML 4.01 Transitional//EN\\n
 + !DOCTYPE html\n
   html\n
   head\n
   titleIndex of %s/title\n
 + meta charset=\utf-8\\n
   style type=\text/css\!--\n%s\n--/style\n
   /head\n
   body\n
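Review bot: the `<meta charset="utf-8">` line is placed after `<title>`; HTML5 wants the charset declaration before any element that carries text, `<title>` included, and within the first 1024 bytes, so it belongs on the first line inside `<head>`. Beyond ordering, the `%s` in the title is the directory path straight from the filesystem and, as the reply above says, httpd does not handle UTF-8, so the `meta` line asserts an encoding the bytes are never validated against; keeping only the `<!DOCTYPE html>` change is the safer version of this hunk.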
 Index: src/usr.sbin/httpd/server_http.c
 ===
 RCS file: /cvs/src/usr.sbin/httpd/server_http.c,v
 retrieving revision 1.57
 diff -u -p -u -r1.57 server_http.c
 --- src/usr.sbin/httpd/server_http.c  21 Dec 2014 00:54:49 -  1.57
 +++ src/usr.sbin/httpd/server_http.c  1 Jan 2015 07:15:52 -
 @@ -712,11 +712,11 @@ server_abort_http(struct client *clt, u_
 
   /* Generate simple HTML error document */
   if ((bodylen = asprintf(body,
 - !DOCTYPE HTML PUBLIC 
 - \-//W3C//DTD HTML 4.01 Transitional//EN\\n
 + !DOCTYPE html\n
   html\n
   head\n
   title%03d %s/title\n
 + meta charset=\utf-8\\n
   style type=\text/css\!--\n%s\n--/style\n
   /head\n
   body\n
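Review bot: same ordering point as in server_file.c: `<meta charset>` should precede `<title>`, not follow it. For the error document the title is `%03d %s`, the numeric status code and its reason phrase, which are ASCII, so the charset declaration adds nothing here and the doctype change alone is enough.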
 




Re: Best way forward w.r.t. apache/nginx/httpd?

2015-01-01 Thread Reyk Floeter
On Mon, Dec 29, 2014 at 10:41:26PM +, Stuart Henderson wrote:
  b) Migrate to nginx
 This seems to be the least interesting option - not only do I have to
 migrate now, but once more in the future, as nginx is also on the way
 out (so, the same developer attention caveat applies as with
 apache)
 
 This might be a reasonable choice, especially if the CMS you're looking
 at already documents how to use it with nginx.
 

We already got some of the most common CMS / web things working.  But
I'm interested in examples from users who created such configurations
with httpd (and please make sure to mention httpd in the subject to
let me find them in my inbox).

  c) Migrate to httpd
 From what I've gathered so far from this list, this would basically
 require me to switch to -current, as the 5.6 version is too fresh and
 too many changes have happened since - or am I being pessimistic
 here? I've never run -current before, hence, I'm a bit hesitant...
 
 Personally I don't think httpd is quite ready for use with a typical
 PHP-based CMS yet (including -current). Two big issues for this type
 of use: clean urls functionality in most CMS needs rewrite support
 which httpd doesn't have. httpd's fastcgi support passes every url
 matching a location block to the handler meaning there's no mitigation
 for the issue described in
 http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP
 (which also affects naive nginx configurations).
 

And I personally disagree with the conclusion that httpd is not ready.
It is not finished but it is ready for many common things.

- People are using it with different CMS, including Wordpress,
CVSWeb, different Wikis, etc.  I even tested it with node-fastcgi (I
know, it's weird, but I had to satisfy my inner web hipster).  I'm
looking forward to hear about more examples (hint: send me your
testimonials).

- Some features are missing, and will be implemented, but there are
ways to deal with them:

1. redirects / return 301 etc.: This can be done without regex by
using a few built-in variables.  Current workaround is to either do it
in the fastcgi backend or with, ahem, html refresh.  btw., nginx'
return 444; is such an ugly workaround...

2. basic auth: We don't have a satisfying implementation for
authentication yet.  But it is needed and will be done.

3. deny: We cannot deny access to specific locations but the current
workaround is to set a non-accessible root:

location "*/.*" {
	# mkdir -m 0 /var/www/forbidden
	root "/forbidden"
}

4. Server aliases and a few restrictions of the grammar: Individual
server blocks can currently only have one name and listen statement.
This will be fixed in the parser later.  To avoid too much repeating
configuration, I currently use includes:

server "www.example.com" {
	listen on $ip4_addr port 80
	include "/etc/httpd/example.com.inc"
}
server "www.example.com" {
	listen on $ip6_addr port 80
	include "/etc/httpd/example.com.inc"
}
server "www.example.com" {
	listen on $ip4_addr tls port 443
	include "/etc/httpd/example.com.ssl"
	include "/etc/httpd/example.com.inc"
}
server "www.example.com" {
	listen on $ip6_addr tls port 443
	include "/etc/httpd/example.com.ssl"
	include "/etc/httpd/example.com.inc"
}

5. Some minor things, eg. charsets (for auto index), fixes, ...

6. The web server needs some more FAQ-style documentation in addition
to our excellent man pages and examples.  Examples for each CMS would
go beyond the scope of them, and probably don't fit into the OpenBSD
FAQ.  So I'm thinking about putting something on http://bsd.plumbing/.

- Like nginx describes, there are also various ways to safely handle
#Passing_Uncontrolled_Requests_to_PHP in httpd:

1. It's a non-issue for OpenBSD because php-fpm rejects execution of
non-php files by default.  See php-fpm.conf:

; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
; FPM to .php extensions to prevent malicious users to use other extensions to
; exectute php code.
; Note: set an empty value to allow all extensions.
; Default Value: .php
;security.limit_extensions = .php .php3 .php4 .php5

2. You can write locations as a ruleset in first-matching order, eg.

location "*/.*" {
	root "/forbidden"
}
location "/cms/*.jpg" {
	no fastcgi
}
location "/cms/uploads/*" {
	no fastcgi
}
location "/cms/*" {
	fastcgi socket "/run/php-fpm.sock"
}

3. Don't use PATH_INFO and only match PHP files (fnmatch has an implicit $).

location "/cms/*.php" {
	fastcgi socket "/run/php-fpm.sock"
}

- I 
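
The two location rulesets in the post above differ in a way that is easy to miss when reading globs. This is an added example in C, not httpd's own code: it models httpd's location matching as Reyk describes it (locations tried in configuration order, first match wins, the glob compared with fnmatch(3), which anchors at both ends) and runs constructed request paths through ruleset 2 and ruleset 3. Assumptions not stated on the page: fnmatch() is called with no flags, so "*" also matches "/", and a path that matches no location is served as a static file from the server root. The point it shows: the implicit anchor means "/cms/*.jpg" does not cover "/cms/photo.jpg/x.php", and ruleset 3 on its own hands "/cms/uploads/shell.php" to php-fpm because "/cms/*.php" matches across directory boundaries; the earlier uploads exclusion from ruleset 2 is what keeps uploaded files away from FastCGI, so the two should be combined.

```c
/*
 * Added example, not httpd's code: model httpd's first-match location
 * rule with fnmatch(3), the libc matcher httpd uses, for the two
 * rulesets from the post.  Assumptions: fnmatch() is called with no
 * flags, so "*" also matches "/", and an unmatched path is a static
 * file under the server root.
 */
#include <fnmatch.h>
#include <stddef.h>
#include <stdio.h>

enum action { DENY, STATIC, FASTCGI };

struct location {
	const char	*pattern;	/* the "location" glob from httpd.conf */
	enum action	 act;		/* what that block does with the request */
};

/* Ruleset 2 from the post: dotfiles denied, images and uploads served as
 * plain files, everything else under /cms/ handed to php-fpm. */
static const struct location ruleset2[] = {
	{ "*/.*",		DENY },
	{ "/cms/*.jpg",		STATIC },
	{ "/cms/uploads/*",	STATIC },
	{ "/cms/*",		FASTCGI },
};

/* Ruleset 3 from the post: only paths ending in .php reach php-fpm. */
static const struct location ruleset3[] = {
	{ "*/.*",		DENY },
	{ "/cms/*.php",		FASTCGI },
};

/* Try the locations in configuration order; the first glob that matches
 * decides.  fnmatch(3) anchors the pattern at both ends of the path. */
static enum action
route(const struct location *rules, size_t n, const char *path)
{
	size_t	i;

	for (i = 0; i < n; i++)
		if (fnmatch(rules[i].pattern, path, 0) == 0)
			return (rules[i].act);
	return (STATIC);	/* no location matched: file under root */
}

enum action
route2(const char *path)
{
	return (route(ruleset2, sizeof(ruleset2) / sizeof(ruleset2[0]), path));
}

enum action
route3(const char *path)
{
	return (route(ruleset3, sizeof(ruleset3) / sizeof(ruleset3[0]), path));
}

static const char *
name(enum action a)
{
	return (a == DENY ? "deny" : a == STATIC ? "static" : "fastcgi");
}

int
main(void)
{
	/* Constructed request paths, including the uploaded-script and
	 * PATH_INFO-style shapes the nginx pitfalls page talks about. */
	static const char *const paths[] = {
		"/cms/index.php",
		"/cms/index.php/extra",
		"/cms/photo.jpg",
		"/cms/photo.jpg/x.php",
		"/cms/uploads/shell.php",
		"/cms/.git/config",
		"/index.html",
	};
	size_t	i;

	printf("%-26s %-8s %s\n", "path", "rules 2", "rules 3");
	for (i = 0; i < sizeof(paths) / sizeof(paths[0]); i++)
		printf("%-26s %-8s %s\n", paths[i],
		    name(route2(paths[i])), name(route3(paths[i])));
	return (0);
}
```

Reading the table it prints: "/cms/photo.jpg/x.php" reaches php-fpm under both rulesets, since neither "/cms/*.jpg" nor "/cms/uploads/*" matches it and it ends in ".php"; php-fpm then has to refuse or fail to find that script itself. "/cms/uploads/shell.php" is a static file under ruleset 2 but FastCGI under ruleset 3, which is the case to keep in mind when writing the `*.php`-only variant: put the uploads exclusion first.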

Re: OpenBSD projects

2014-12-28 Thread Reyk Floeter
On Sat, Dec 27, 2014 at 07:32:06PM -0500, Predrag Punosevac wrote:
 I was too quick with my earlier message. 
 
 I don't think anybody mentioned OpenBSD implementation of dhcp server
 and client. IIRC FreeBSD uses OpenBSD version of the client for its base
 installation. Traditionally FreeBSD doesn't come with dhcp server which
 needs to be installed from ports.
 
 OpenBSD has its own sensorsd which is pure gold and unlike other BSDs
 IPMI driver is disabled from generic. FreeBSD has half finished native
 sensoring framework but encourages the use of IPMI. 
 
 OpenBSD has its own SNMP daemon. Somebody could probably clarify what is
 the relation to BSD SNMP (bsnmp) daemon found in FreeBSD for example.

Don't get fooled, the term BSD is often used as an alias for FreeBSD.

OpenBSD's snmpd is not related to bsnmp.  I started snmpd in 2007
after dissatisfaction with other implementations.  And, in contrast to
net-snmp and bsnmp, snmpd is designed to be monolithic, non-modular
and is specifically for OpenBSD. 

 The OpenBSD snmpd comes with bunch of custom MIBs comparing to net-snmp
 which can be installed from the ports and it is too bad that no tool can
 out of box pool all PF for example related stuff into RRD and display it
 in nice fashion (at least Observium which I am using is not capable of
 doing it).
 

? You can use the OpenBSD MIBs to generate fancy graphs with many tools.

Reyk



Re: OpenBSD projects

2014-12-27 Thread Reyk Floeter
On Fri, Dec 26, 2014 at 09:42:18AM -0800, jungle Boogie wrote:
 Hello All,
 
 Here's a list of projects that I'm aware of that openBSD created. Is
 that correct? (p) is for portable. What else am I missing?
 openssh (p)
 opensmtpd (p)
 mandoc (p)
 openntpd (p)
 openbgpd
 libressl (p)
 openiked (p?)

OpenIKED -portable hasn't been updated for a while.  OpenBSD's version
is alive and well.  I'm missing a maintainer for the portable version,
and that's some difficult work.

 pf

An ancient version of pf is found in FreeBSD, OS X, iOS etc.  But it
is actively used.

 relayd

FreeBSD has an active port of relayd.

 httpd

Not yet.

 carp
 
 Thanks,
 Jungle
 

You're welcome, Jungle
Reyk



Re: openhttpd

2014-12-21 Thread Reyk Floeter
On Sat, Dec 20, 2014 at 08:33:00PM -0600, Edgar Pettijohn wrote:
 Is there a mailing list for openhttpd?  Also all the links on openhttpd.net 
 are broken.
 
 thanks
 

I don't know what openhttpd.net is, but it is not related to us. The
page is not even new.

Reyk



Re: httpd

2014-11-18 Thread Reyk Floeter
On Tue, Nov 18, 2014 at 02:20:40PM +0200, Gregory Edigarov wrote:
 Hi,
 
 While downloading a big file from httpd it eats somewhere from 77 to 100% or
 even 150% cpu.

Do you have any more details?  OK, you're running -current.  But how
big is your big file?  What is your httpd configuration?  Your dmesg?
Is the file served as static file or via FastCGI?  Is it a busy web
server with many connections etc.?  How to reproduce?

 Is it normal?
 I've never seen such numbers with nginx.
 

Is 77 to 150% cpu to serve a file normal? - Yes, of course!  nginx
is not even able to utilize the provided resources of your system,
what a waste of CPU power! ...

Reyk



Re: httpd

2014-11-18 Thread Reyk Floeter
On Tue, Nov 18, 2014 at 03:22:36PM +0100, Reyk Floeter wrote:
 On Tue, Nov 18, 2014 at 02:20:40PM +0200, Gregory Edigarov wrote:
  Hi,
  
  While downloading a big file from httpd it eats somewhere from 77 to 100% or
  even 150% cpu.
 
 Do you have any more details?  OK, you're running -current.  But how
 big is your big file?  What is your httpd configuration?  Your dmesg?
 Is the file served as static file or via FastCGI?  Is it a busy web
 server with many connections etc.?  How-to-preproduce?
 

'ktrace -di' could also give more information.

But it would be easier if we could try to reproduce it or get any
hints about your configuration and downloaded files. 

Reyk

  Is it normal?
  I've never seen such numbers with nginx.
  
 
 Is 77 to 150% cpu to serve a file normal? - Yes, of course!  nginx
 is not even able to utilize the provided resources of your system,
 what a waste of CPU power! ...
 
 Reyk




Re: IPv6 nonfunctional after upgrade from 5.5 to 5.6

2014-11-03 Thread Reyk Floeter
Hi,

can you show us the contents of your hostname.* and mygate files?
What are the specific configuration steps?

Reyk

 Am 03.11.2014 um 18:04 schrieb Sly Midnight slymidni...@yahoo.com:
 
 Hello everyone.
 
 I am new to this list but I am in need of some help.
 
 I have been running OpenBSD since 4.6 as my firewall and gateway with
 much success (transitioned from FreeBSD) and it was working out great as
 a light weight and secure OS for my Internet router and gateway.
 
 One of the uses of this box is to route IPv6 for my local subnet out to
 the Internet.  It used to use a free tunnel service that worked great. 
 But I have since transitioned to the IPv6 that my ISP provides me
 directly.  This was a bit painful at first but I got it working with the
 help of some 3rd party software not available in the ports collection
 called Dibbler.  This software is not perfect, but with the help of a
 script I fleshed out myself i got it to do what I needed.  The client
 portion of that DHCPv6 program reaches out to the DHCPv6 server on my
 ISP's network and obtains all the information I need.  The only thing it
 is currently able to do on it's own is plumb up the primary IPv6 address
 it obtains from the ISP.  But I still have to add the requisite default
 route information.  Also I have to then manually plumb up the delegated
 IPv6 prefix assigned to my subnet (that I request) to my internal interface.
 
 I then use rtadvd to advertise that route and allow for SLAAC to work on
 my internal network to all IPv6 aware hosts.
 
 This used to work just fine until I upgraded my router to 5.6 from 5.5. 
 After adding 'inet6 autoconf' to my hostname.if files, it appeared I got
 my IPv6 functionality back.
 
 However, while the box itself is back on IPv6 Internet, the subnet it
 acts as a router for can no longer get onto the Internet.
 
 After looking into it further it appears there is something wrong with
 the routing table.  There is no route for the subnet of the address I
 manually add via ifconfig to the internal interface.  I do not know how
 to do this, nor was this previously necessary.  The ifconfig command I
 call to add the address specified the prefixlen 64 which *should* imply
 the address is part of a /64 subnet where all other addresses within
 that subnet should be reachable via the same interface the address is
 plumbed up on.
 
 When I do a route show or a netstat -nr I do not see such a route nor
 have I been successful in figuring out how to call the route add command
 to add such a route.
 
 Thanks in advance.
 SlyM
 
 Here is my ifconfig output:
 vr0: flags=208843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF6> mtu 1500
   lladdr 00:40:63:e6:42:a5
   priority: 0
   groups: egress
   media: Ethernet autoselect (100baseTX full-duplex)
   status: active
   inet 50.186.155.188 netmask 0xff00 broadcast 50.186.155.255
   inet6 fe80::240:63ff:fee6:42a5%vr0 prefixlen 64 scopeid 0x1
   inet6 2001:558:6030:44:35cc:9a5e:65f7:c139 prefixlen 64
 em0: flags=208b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST,AUTOCONF6> mtu 1500
   lladdr 00:1b:21:4e:d4:a2
   priority: 0
   media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
   status: active
   inet 192.168.82.1 netmask 0xff00 broadcast 192.168.82.255
   inet6 fe80::21b:21ff:fe4e:d4a2%em0 prefixlen 64 scopeid 0x2
   inet6 2601:7:5780:c99::1 prefixlen 64
 
 Here is my route show output:
 Routing tables
 
 Internet:
 Destination        Gateway            Flags  Refs  Use     Mtu    Prio  Iface
 default            50.186.155.1       UGS    5     741497  -      8     vr0
 50.186.155/24      link#1             UC     1     0       -      4     vr0
 50.186.155.1       00:01:5c:6f:f6:46  UHLc   1     0       -      4     vr0
 50.186.155.188     00:40:63:e6:42:a5  UHLl   0     0       -      1     lo0
 127/8              127.0.0.1          UGRS   0     0       32768  8     lo0
 127.0.0.1          127.0.0.1          UH     1     0       32768  4     lo0
 192.168.82/24      link#2             UC     4     0       -      4     em0
 192.168.82.1       00:1b:21:4e:d4:a2  HLl    0     0       -      1     lo0
 192.168.82.200     80:ee:73:64:13:0c  UHLc   4     512052  -      4     em0
 192.168.82.251     08:3e:8e:07:e5:64  UHLc   0     0       -      4     em0
 192.168.82.253     00:15:c5:f5:0d:b4  UHLc   2     6854    -      4     em0
 192.168.82.254     00:24:2b:df:8f:2b  UHLc   0     3722    -      4     em0
 224/4              127.0.0.1          URS    0     0       32768  8     lo0
 
 Internet6:
 Destination        Gateway            Flags  Refs  Use     Mtu    Prio  Iface
 ::/104             ::1                UGRS   0     0       32768  8     lo0
 ::/96              ::1                UGRS   0     0       32768  8     lo0
 default

Re: Netasq now named Stormshield Firewalls

2014-10-29 Thread Reyk Floeter
Hi,

 Am 28.10.2014 um 21:55 schrieb Romain FABBRI 
 romain.fab...@alienconsulting.net:
 
 I found something interesting today playing with a Netasq F150 (rebranded 
 Stormshield firewall).
 The firewall OS (named ASQ) is based on the top of FreeBSD.
 
 When I looked at the internal text files which contains the configuration for 
 the firewall rules I found that the rule syntax looks a lot like PF.
 
 Simple coincidence ?

So what?

FreeBSD uses an ancient version of PF, just see the weird/obsolete NAT rules 
below.

There are OpenBSD-based firewall products with real PF from 
<shameless-plug>Esdenera</shameless-plug>, GeNUA or others. But, in either way, 
posts related to FreeBSD’s ancient PF or something like my shameless plug are 
totally off-topic on this list.

Reyk

 
 #=
 # /usr/Firewall/ConfigFiles/Filter
 #=
 # more 02
 [Filter]
 pass from network_internals to any port web_srv
 pass from network_internals to any port ftp # Force FTP analysis
 pass from network_internals to any port mail_srv
 pass ipproto icmp type 8 code 0 from network_internals to any   # Accept PING 
 only
 
 # more 03
 [Filter]
 pass from network_internals to any port plugins # Force plugins analysis
 pass ipproto tcp from network_internals to any  # Accept TCP only
 
 # more 04
 [Filter]
 pass from network_internals to any port plugins # Force plugins analysis
 pass from network_internals to any  # Accept all
 
 # more 05
 [Filter]
 pass inspection firewall log from IP_Pub-MainPool1 on out to IP_Pub_1.1.1.2 
 port microsoft-ts - to srv-ToIP_4760 rulename Télémaintenance
 pass inspection firewall log from IP_Pub-MainPool1 on out to Firewall_out_1 
 port Port_4343 - to Ctrl-Wifi rulename Télémaintenance
 pass inspection firewall log from Network_internals to shared-printer 
 rulename Shared Printer # Internet
 pass inspection firewall log from Network_Cutomer_A|Network_Phone-TOIP to 
 Network_Vlans_Impairs port ssh|Port_4343|https|telnet rulename Admin Switch 
 + FW# Internet
 pass inspection firewall log from Network_internals to internet rulename 
 Internet # Internet
 pass inspection firewall log from any to firewall_all port 
 firewall_srv|ssh|https   # Admin from everywhere
 pass inspection firewall log ipproto icmp type 8 code 0 proto none from any 
 to any  # Allow Ping from everywhere
 block inspection firewall log from any to any   # Block all
 
 [NAT]
 nat from Network_Phone-TOIP to internet - from IP_Pub_1.1.1.2 to original
 nat from Network_KI_EXECUTIVE to internet - from IP_Pub_1.1.1.2 to original
 nat from VisioConférence to any on out - from IP_Pub_1.2.3.4 arp-# 
 NAT
 nat from any on out to IP_Pub_1.2.4.5 - beforevpn to VideoConference arp-
 # NAT
 nat from Network_internals to internet on out - from Firewall_out_1 to 
 original



Re: how to debug iked failures?

2014-08-12 Thread Reyk Floeter
On Tue, Aug 12, 2014 at 11:39:11AM +0200, Markus Wernig wrote:
 On 08/10/2014 03:09 PM, Reyk Floeter wrote:
 
  Just try to increase the number of vs to get more info, for example,
  iked -dvv or iked -dvvv to get packet dumps.
 
 Thanks for the hint. That brought some progress.
 I've now switched back to -current and changed the client setup (I had
 been using the NetworkManager backend of the charon keying daemon, which
 caused the crashes, also on -current).
 
 Now iked does not crash anymore - I will still do the recompiling and
 backtracing, as this clearly should not happen. But I think it would
 make sense to first get a working setup.
 
 That said, the connection does still not succeed.
 After SA_INIT and IKE_AUTH everything seems fine, certificate gets
 authenticated, but then iked says it can't send the ike_auth packet back.
 
 Aug 12 11:02:47 tunnel iked[26844]: sa_stateok: VALID flags 0x1f,
 require 0x1f cert,certvalid,auth,authvalid,sa
 ug 12 11:02:47 tunnel iked[26844]: ikev2_next_payload: length 22
 nextpayload CERT
 Aug 12 11:02:47 tunnel iked[26844]: ikev2_next_payload: length 1520
 nextpayload AUTH
 Aug 12 11:02:47 tunnel iked[26844]: ikev2_next_payload: length 264
 nextpayload CP
 Aug 12 11:02:47 tunnel iked[26844]: pfkey_sa_getspi: message: Operation
 not supported
 ...
 Strange ... what is not supported?

Operation not supported is from the kernel returning EOPNOTSUPP.

If any of the following sysctls are turned off and it is requested via
the PFKEYv2 socket, the kernel will return EOPNOTSUPP:

net.inet.esp.enable=1
net.inet.ah.enable=1
net.inet.ipcomp.enable=0

You can also monitor the pfkey messages with `ipsecctl -m` [add one or
more -v for packet dumps] to see what message returns EOPNOTSUPP.

Yes, it should print a log message in iked.

Reyk

 ...
 Aug 12 11:02:47 tunnel iked[26844]: ikev2_pld_payloads: decrypted
 payload TSi nextpayload TSr critical 0x00 length 24
 Aug 12 11:02:47 tunnel iked[26844]: ikev2_pld_ts: count 1 length 16
 Aug 12 11:02:47 tunnel iked[26844]: ikev2_pld_ts: type IPV4_ADDR_RANGE
 protoid 0 length 16 startport 0 endport 65535
 Aug 12 11:02:47 tunnel iked[26844]: ikev2_pld_ts: start 10.x.y.z end
 10.x.y.z
 Aug 12 11:02:47 tunnel iked[26844]: ikev2_pld_payloads: decrypted
 payload TSr nextpayload NONE critical 0x00 length 8
 Aug 12 11:02:47 tunnel iked[26844]: ikev2_pld_ts: count 1 length 0
 Aug 12 11:02:47 tunnel iked[26844]: ikev2_pld_ts: type UNKNOWN:0
 protoid 0 length 0 startport 0 endport 65535
 Aug 12 11:02:47 tunnel iked[26844]: ikev2_msg_send: IKE_AUTH response
 from 10.x.y.z:4500 to A.B.C.D:4500 msgid 1, 1996 bytes, NAT-T
 Aug 12 11:02:47 tunnel iked[26844]: pfkey_sa_add: update spi 0xf82bfb58
 Aug 12 11:02:47 tunnel iked[26844]: pfkey_sa: udpencap port 4500
 Aug 12 11:02:47 tunnel iked[26844]: ikev2_childsa_enable: loaded CHILD
 SA spi 0xf82bfb58
 Aug 12 11:02:47 tunnel iked[26844]: pfkey_sa_add: add spi 0xcdac6edf
 Aug 12 11:02:47 tunnel iked[26844]: pfkey_sa: udpencap port 4500
 Aug 12 11:02:47 tunnel iked[26844]: ikev2_childsa_enable: loaded CHILD
 SA spi 0xcdac6edf
 Aug 12 11:02:47 tunnel iked[26844]: pfkey_flow: unsupported address family 0
 Aug 12 11:02:47 tunnel iked[26844]: ikev2_childsa_enable: failed to load
 flow
 Aug 12 11:02:47 tunnel iked[26844]: ikev2_dispatch_cert: failed to send
 ike auth
 
 Does anybody see what's going wrong here?
 
 It does then send out a packet, but on the client side this triggers an
 error:
 
 initiating IKE_SA xfertunnel[1] to E.F.G.H
 generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
 sending packet: from 192.168.1.x[500] to E.F.G.H[500] (1204 bytes)
 received packet: from E.F.G.H[500] to 192.168.1.x[500] (457 bytes)
 parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
 local host is behind NAT, sending keep alives
 remote host is behind NAT
 received cert request for CA
 sending cert request for CA
 authentication of 'j...@doe.com' (myself) with RSA signature successful
 sending end entity cert johndoe DN
 establishing CHILD_SA xfertunnel
 generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr
 AUTH CPRQ(ADDR DNS DNS) N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP)
 N(NO_ADD_ADDR) N(EAP_ONLY) ]
 sending packet: from 192.168.1.x[4500] to E.F.G.H[4500] (2236 bytes)
 received packet: from E.F.G.H[4500] to 192.168.1.x[4500] (1996 bytes)
 TS_RESPONDER verification failed
 could not decrypt payloads
 message verification failed
 IKE_AUTH response with message ID 1 processing failed
 
 
 Any more ideas?
 
 Thx /markus
 




Re: nginx in the default newsyslog.conf

2014-08-12 Thread Reyk Floeter
 Related issue: If you are running httpd, any attempt to signal nginx
 will be futile.
 

For httpd, use the following command instead:
pkill -USR1 -u root -U root -x httpd

(or just pkill -USR1 httpd)

Reyk



Re: how to debug iked failures?

2014-08-12 Thread Reyk Floeter
On Tue, Aug 12, 2014 at 06:57:50PM +0200, Markus Wernig wrote:
 On 08/12/2014 05:39 PM, Markus Wernig wrote:
 
  But really, I think this is the problem:
  Aug 12 16:56:18 tunnel iked[22215]: ikev2_childsa_enable: loaded CHILD
  SA spi 0xcb320247
  Aug 12 16:56:18 tunnel iked[22215]: pfkey_flow: unsupported address family 0
  Aug 12 16:56:18 tunnel iked[22215]: ikev2_childsa_enable: failed to load
  flow
  Aug 12 16:56:18 tunnel iked[22215]: ikev2_dispatch_cert: failed to send
  ike auth
  
  It seems that the flow that comes from sa-sa_flows in
  ikev2.c::ikev2_childsa_enable does not have its AF set. How could this
  happen?
  
 
 Could this be the reason?
 
 Aug 12 18:38:09 tunnel iked[3574]: ikev2_pld_payloads: decrypted payload
 TSi nextpayload TSr critical 0x00 length 24
 Aug 12 18:38:09 tunnel iked[3574]: ikev2_pld_ts: count 1 length 16
 Aug 12 18:38:09 tunnel iked[3574]: ikev2_pld_ts: type IPV4_ADDR_RANGE
 protoid 0 length 16 startport 0 endport 65535
 Aug 12 18:38:09 tunnel iked[3574]: ikev2_pld_ts: start 10.x.y.z end 10.x.y.z
 Aug 12 18:38:09 tunnel iked[3574]: ikev2_pld_payloads: decrypted payload
 TSr nextpayload NONE critical 0x00 length 8
 Aug 12 18:38:09 tunnel iked[3574]: ikev2_pld_ts: count 1 length 0
 Aug 12 18:38:09 tunnel iked[3574]: ikev2_pld_ts: type UNKNOWN:0
 protoid 0 length 0 startport 0 endport 65535
 
 
 Should not the TSi contain the IP of the Client? In the log above it
 appears that it contains the IP of the VPN GW. And then TSr is of an
 unknown type? Is strongswan sending something wrong here?
 

UNKNOWN:0 also means that the type Id is 0.  So I would say it is
unset/empty, not unknown.  The TS length is also 0.  strongswan is
sending something strange, but maybe it is common in other
implementations - I never saw it.

Another reason for AF 0 could be the use of the keyword any in your
iked.conf.  I thought we fixed that before to inherit the AF from the
peer, but try to use 0.0.0.0/0 instead of any for IPv4 and
something like ::/0 for IPv6.

Reyk


