Re: pfctl(8) and securelevel(7)
Here:

> Message written by Klemens Nanni on 27.09.2018 at 15:19:
>
> What version are you running?

sorry, forgot to mention: 6.3 -stable

> On Thu, Sep 27, 2018 at 02:06:44PM +0200, Zbyszek Żółkiewski wrote:
>> At securelevel(7) set to 2, NAT rules and filter cannot be altered, however
>> as stated in the pf.conf(5) manual - it is possible to modify tables by
>> adding/deleting entries
>> (https://man.openbsd.org/pf.conf.5#TABLES)
>>
>> and this works fine. Question: why is it not possible to list the content of
>> tables?:
>>
>> kern.securelevel=2
>> pfctl -t whitelist -T show
>> pfctl: Operation not permitted.
>>
>> while:
>>
>> kern.securelevel=1
>> pfctl -t whitelist -T show
>> 192.168.1.7
>> 192.168.1.20
>> 192.168.1.25
>>
>> and more odd, adding the -v flag allows listing it anyway:
>>
>> pfctl -t whitelist -v -T show
>> 192.168.1.7
>>     Cleared: Thu Sep 27 13:47:58 2018
>> 192.168.1.20
>>     Cleared: Thu Sep 27 13:47:58 2018
>>
>> I am a bit confused, is this a bug or am I missing something?
>
> So am I. Did you add `-v' while securelevel was set to 2 or 1?

it was set to 2

> Please provide a clear way to reproduce your scenario, possibly
> including the table definitions from your pf.conf.

pf.conf snippet:

table <whitelist> persist file "/etc/pf/whitelist" counters

whitelist contains a list of IPs

to reproduce:

- at securelevel=1
- load pf.conf - file whitelist is populated with IP addresses
- try to list the table: pfctl -t whitelist -T show - all will work as expected
- set securelevel=2 (sysctl kern.securelevel=2)
- repeat the command: pfctl -t whitelist -T show - this results in "Operation not permitted"
- now try: pfctl -t whitelist -v -T show - this will print the table contents as well as some stats

_
Zbyszek Żółkiewski
pfctl(8) and securelevel(7)
Hi list,

At securelevel(7) set to 2, NAT rules and filter cannot be altered, however as stated in the pf.conf(5) manual - it is possible to modify tables by adding/deleting entries (https://man.openbsd.org/pf.conf.5#TABLES) and this works fine. Question: why is it not possible to list the content of tables?:

kern.securelevel=2
pfctl -t whitelist -T show
pfctl: Operation not permitted.

while:

kern.securelevel=1
pfctl -t whitelist -T show
192.168.1.7
192.168.1.20
192.168.1.25

and more odd, adding the -v flag allows listing it anyway:

pfctl -t whitelist -v -T show
192.168.1.7
    Cleared: Thu Sep 27 13:47:58 2018
192.168.1.20
    Cleared: Thu Sep 27 13:47:58 2018

I am a bit confused, is this a bug or am I missing something?

_
Zbyszek Żółkiewski
PF: skip on VS pass in
Hi list,

OpenBSD 6.3 -stable: I was playing with the local network - tuning various things on pf, and I observed this odd (maybe not?) performance difference when using different approaches:
(trunk0 is the local network, ext_1 is external, NAT is performed)

when I used:

set skip on trunk0
…
…
pass out on $ext_1 from 192.168.50.0/24 to any nat-to ($ext_1)

pf was performing at around 600Mbps

but when I used:

pass out on $ext_1 from 192.168.50.0/24 to any nat-to ($ext_1)
pass in on trunk0

performance dropped by 50% to 300Mbps

other rules on pf do not matter - I ruled out their influence on performance, but I am curious if anyone observed this and has some insights on that, or am I doing something terribly wrong?
(btw, yes I know what skip-on means, I am just surprised by the difference in performance between those 2 options…)

_
Zbyszek Żółkiewski
Re: ENA support
> Message written by Mike Belopuhov on 27.08.2018 at 22:06:
>
> It would be nice to have a thoughtful port or a partial rewrite of
> this vendor code dump. IIRC, dlg@ was toying with the idea.

I just realized that (I think) it would require not only a driver port but whole Nitro support, which makes it non-trivial...

_
Zbyszek Żółkiewski
Re: Need an advice: Raspberry Pi3 B+ or Pine64 ROCK64
I think APU2C4 is the best choice (not ARM); later you have Pine ROCKPro64 (RK3399 based - standard Pine does not support hardware encryption - see cpu spec) and Firefly - also RK3399 but a pricier option.

RpiX is a really bad choice. Among all solutions I considered for network things APU2C4 was always best (based on Intel 210AT).

_
Zbyszek Żółkiewski

> Message written by Carlos López on 26.08.2018 at 11:26:
>
> My only requirements are:
>
> a/ OpenBSD well hardware's supported
> b/ Best network throughput
ENA support
Hi, just a question: has anyone tried/considered porting ENA (Elastic Network Adapter) support to OpenBSD (https://github.com/amzn/amzn-drivers/tree/master/kernel/fbsd/ena)? How hard would it be to get it to obsd?

_
Zbyszek Żółkiewski
Re: Floating point exception on boot after using syspatch(8)
and we have errata: https://ftp.openbsd.org/pub/OpenBSD/patches/6.3/common/016_fpuinit.patch.sig

I confirm AMI now works as expected. Thank you for the great work!

_
Zbyszek Żółkiewski

> Message written by Zbyszek Żółkiewski on 06.08.2018 at 11:54:
>
>> On Thu, 2 Aug 2018, Mike Erdely wrote:
>> I applied this diff to my system running on a t2.medium running GENERIC.MP
>> and it fixed the problem I was having post 010_intelfpu errata.
>>
>> Would be great to see this as an Errata.
>
> can it be backported to -stable, so I can test? No idea if that's right for a
> reliability errata patch, but it looks like it's now impossible to create a
> working image on AWS
Floating point exception on boot after using syspatch(8)
ASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,XSAVEOPT,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 100MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Xeon(R) CPU E5-2686 v4 @ 2.30GHz, 2300.31 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,XSAVEOPT,MELTDOWN
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 1, core 0, package 0
acpihpet0 at acpi0: 6250 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: C1(@1 halt!)
acpicpu1 at acpi0: C1(@1 halt!)
"ACPI0007" at acpi0 not configured
"ACPI0007" at acpi0 not configured
pvbus0 at mainbus0: Xen 4.2
xen0 at pvbus0: features 0x705, 329 grant table frames, event channel 4
xbf0 at xen0 backend 0 channel 6: disk
scsibus1 at xbf0: 2 targets
sd0 at scsibus1 targ 0 lun 0: SCSI3 0/direct fixed
sd0: 25600MB, 512 bytes/sector, 52428800 sectors
xnf0 at xen0 backend 0 channel 7: address 06:e9:8b:a9:83:f0
"console" at xen0: device/console/0 not configured
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
pciide0: channel 0 disabled (no drives)
pciide0: channel 1 disabled (no drives)
piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x01: SMBus disabled
vga1 at pci0 dev 2 function 0 "Cirrus Logic CL-GD5446" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
xspd0 at pci0 dev 3 function 0 "XenSource Platform Device" rev 0x01
isa0 at pcib0
isadma0 at isa0
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on sd0a (e00ea5eace8ee4cd.a) swap on sd0b dump on sd0b
Automatic boot in progress: starting file system checks.
/dev/sd0a (e00ea5eace8ee4cd.a): file system is clean; not checking
/dev/sd0i (e00ea5eace8ee4cd.i): file system is clean; not checking
/dev/sd0d (e00ea5eace8ee4cd.d): file system is clean; not checking
/dev/sd0f (e00ea5eace8ee4cd.f): file system is clean; not checking
/dev/sd0e (e00ea5eace8ee4cd.e): file system is clean; not checking
setting tty flags
pf enabled
starting network
fd0 at fdc0 drive 0: density unknown
Floating point exception (core dumped)
WARNING: /etc/hostname.xnf0 is insecure, fixing permissions.
Floating point exception (core dumped)
no IP address found for egress
stdin:1: could not parse host specification
pfctl: Syntax error in config file: pf rules not loaded
Floating point exception (core dumped)
Floating point exception (core dumped)
Floating point exception (core dumped)
reordering libraries:fd1 at fdc0 drive 1: density unknown
done.
starting early daemons: syslogd pflogd(failed) ntpd.
starting RPC daemons:.
savecore: no core dump
checking quotas: done.
clearing /tmp
kern.securelevel: 0 -> 1
creating runtime link editor directory cache.
preserving editor files.
Floating point exception (core dumped)
starting network daemons: sshd smtpd.
starting local daemons: cron.
Floating point exception (core dumped)
Floating point exception (core dumped)
reorder_kernel: kernel relinking failed; see /usr/share/relink/kernel/GENERIC.MP/relink.log

OpenBSD/amd64 (ip-10-1-0-195.eu-west-1.compute.internal) (tty00)

login:

thanks!

_
Zbyszek Żółkiewski
Re: Eliminate trailing whitespace & typo in chmod
guys, I learn so much from this list beside technical stuff! Glad I am here

_
Zbyszek Żółkiewski

> Message written by Theo de Raadt <dera...@openbsd.org> on 14.04.2018 at 09:23:
>
>> https://en.wikipedia.org/wiki/If_and_only_if
>>
>> As a non-native speaker, it took some years before I realized the use of
>> "iff" is not a typo.
>
> And now you either find your own language has a similar linguistic
> tool, or you miss the strictness of the phrase?
>
> (42)
syspatch(8) exit code
Hi!

It looks like in OpenBSD 6.3-release, syspatch(8) changed its exit code and now, when run alone or with the -c flag, it exits with status code 1. On 6.2 the exit code was 0.

63# syspatch;echo $?
1

Is it correct?

_
Zbyszek Żółkiewski