Re: Disk partition not recognized

2021-12-27 Thread Rob Whitlock
On Mon, Dec 27, 2021 at 7:28 PM Rob Whitlock  wrote:

> Thanks for the work tracking down the problems. I reformatted the hard
> drive to see if that would do anything and then I installed OpenBSD 7.0
> like you suggested and it started working. I used Disk Utility in MacOS
> 10.15.7 Catalina, and when I reformatted it I got some errors from Disk
> Utility. My guess is that Disk Utility is doing something incorrectly.
>

Correction: I reformatted it with diskutil, but I have since reformatted it
with Disk Utility and it shows up in OpenBSD 7.0 as well.


Re: Disk partition not recognized

2021-12-27 Thread Rob Whitlock
On Sat, Dec 25, 2021 at 8:46 AM Crystal Kolipe wrote:

> OK, the issue lies with the four byte checksum at offset 0x58 in sector 1.
>
> Testing on OpenBSD 7.0 release and using your GPT:
>
> The kernel enters spoofgptlabel and reads sector 1.
>
> When we call gpt_chk_parts, the calculated checksum comes to 0x0BE89E52,
> whereas the on-disk checksum is 0x3F7A886C, as you can see in the hexdumps.
>
> Note that the on-disk checksum is stored in little-endian format.
>
> As a result, gpt_chk_parts returns EINVAL.  When control returns to
> spoofgptlabel, it doesn't read the partitions contained within, and goes on
> to try to read the second GPT at sector dsize-1, which in your case is
> sector 9767541167.
>
> That's the reason why you don't see the non-OpenBSD partitions in your
> (spoofed) disklabel: the on-disk checksum of the partition entries does
> not match the calculated checksum, so the kernel considers the GPT to be
> invalid.
>
> If you want to test removing the call to gpt_chk_parts, thereby forcing
> the kernel to parse whatever it finds and ignoring any checksum errors, the
> attached diffs should allow you to do that.  As you said that you were
> still running OpenBSD 6.9, I've produced a diff against that too, including
> the change in line 609 that I mentioned earlier, but it's untested.  There
> were other changes to this code between 6.9 and 7.0 that I have not really
> looked at.
>
> On OpenBSD 7.0, with the diff applied, I am able to parse the GPT that you
> supplied.
>
> I doubt that a kernel option to disable the checksum verification would be
> appropriate or welcome, but I don't know how common the problem is.
>

Thanks for the work tracking down the problems. I reformatted the hard
drive to see if that would do anything and then I installed OpenBSD 7.0
like you suggested and it started working. I used Disk Utility in MacOS
10.15.7 Catalina, and when I reformatted it I got some errors from Disk
Utility. My guess is that Disk Utility is doing something incorrectly.
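
The check Crystal describes, as an added example that is not part of this thread or of the OpenBSD kernel: it builds a constructed two-sector GPT image, stores the partition-array CRC32 little-endian at header offset 0x58, and re-verifies it the way gpt_chk_parts does, including the stale-checksum case that sends spoofgptlabel on to the backup GPT. The GUIDs and entry values are made up; the checksums from the thread's hexdumps cannot be reproduced without that disk.

```python
import struct
import zlib

# Offsets inside the GPT header, which lives in LBA 1 (UEFI spec). The
# four-byte field at 0x58 is the CRC32 of the partition entry array that
# gpt_chk_parts() verifies; on disk it is stored little-endian.
SECTOR = 512
OFF_SIGNATURE = 0x00
OFF_ENTRIES_LBA = 0x48   # starting LBA of the entry array (u64)
OFF_ENTRIES_NUM = 0x50   # number of entries (u32)
OFF_ENTRY_SIZE = 0x54    # bytes per entry, normally 128 (u32)
OFF_ENTRIES_CRC = 0x58   # CRC32 over num * size bytes of entries (u32)

# Constructed partition entry: type GUID, unique GUID, first/last LBA,
# attributes, UTF-16LE name. The GUIDs are arbitrary sample bytes.
SAMPLE_ENTRY = struct.pack(
    "<16s16sQQQ72s", bytes(range(16)), bytes(range(16, 32)),
    2048, 1048575, 0, "example".encode("utf-16-le"))
SAMPLE_ENTRIES = SAMPLE_ENTRY + bytes(128) * 3   # 4 slots, 3 unused


def build_gpt_image(entries: bytes, stale_crc: bool = False) -> bytes:
    """Return LBA0 (dummy protective MBR) + LBA1 (GPT header) + entries.
    Only the entry-array CRC is modelled; the header CRC at 0x10 stays 0.
    stale_crc=True stores a wrong CRC, like the header in the thread."""
    hdr = bytearray(SECTOR)
    hdr[OFF_SIGNATURE:OFF_SIGNATURE + 8] = b"EFI PART"
    struct.pack_into("<I", hdr, 0x08, 0x00010000)      # revision 1.0
    struct.pack_into("<I", hdr, 0x0C, 92)              # header size
    struct.pack_into("<Q", hdr, OFF_ENTRIES_LBA, 2)
    struct.pack_into("<I", hdr, OFF_ENTRIES_NUM, len(entries) // 128)
    struct.pack_into("<I", hdr, OFF_ENTRY_SIZE, 128)
    crc = zlib.crc32(entries) & 0xFFFFFFFF
    if stale_crc:
        crc ^= 0x00FF00FF   # any wrong value takes the EINVAL path
    struct.pack_into("<I", hdr, OFF_ENTRIES_CRC, crc)  # little-endian
    return bytes(SECTOR) + bytes(hdr) + entries


def gpt_chk_parts(image: bytes):
    """Re-do the kernel's check: recompute CRC32 over the entry array and
    compare it with the little-endian field at 0x58. Returns
    (ok, calculated, on_disk); ok=False is where the kernel returns EINVAL
    and spoofgptlabel gives up on this GPT and tries the one at dsize-1."""
    hdr = image[SECTOR:2 * SECTOR]
    if hdr[:8] != b"EFI PART":
        raise ValueError("sector 1 carries no GPT header")
    lba, = struct.unpack_from("<Q", hdr, OFF_ENTRIES_LBA)
    num, size, on_disk = struct.unpack_from("<III", hdr, OFF_ENTRIES_NUM)
    start = lba * SECTOR
    calc = zlib.crc32(image[start:start + num * size]) & 0xFFFFFFFF
    return calc == on_disk, calc, on_disk
```

Running the same function over the first three sectors of a real disk image (dd of sectors 0 to 2 plus the entry array) shows whether a formatting tool wrote a stale entry-array CRC.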


Re: Issues with veb/vport and vlan interactions

2021-12-27 Thread David Gwynne
On Sun, Dec 26, 2021 at 07:46:01AM +, Simon Baker wrote:
> Hi,
> 
> Struggling a bit debugging something, and hoping someone can point me in the 
> right direction.

ok. after staring at this for a while i'm pretty sure it's an actual bug
rather than a misconfiguration.

> I’ve got 4 physical intel nics, all configured as part of a veb bridge.
> The veb bridge itself has two vports attached, one with an address and one
> without:
> 
>   cat /etc/hostname.vport0 
>   inet 172.16.0.250 255.255.255.0
>   group trusted
>   up 
> 
>   cat /etc/hostname.vport1
>   group vlan-interface
>   link0

as an aside, link0 on a vport doesn't do anything.

>   up
> 
> The hostname.veb0 file contains this:
>   add em0
>   add em1
>   add em2
>   add em3
>   add vport0
>   add vport1
>   link0
>   up
> 
> This setup is working fine for all hosts on my main LAN, and everything is as
> expected.  However I’ve tried and (partially) failed in adding some
> VLANs to the veb.
> 
> For example, here’s one of the vlan configurations:
>   cat /etc/hostname.vlan210
>   inet 172.16.210.2 255.255.255.0 172.16.210.255
>   parent vport1
>   vlan 210
>   description "VLAN 210 - A/V & Media Devices"
>   up
> 
> Note the following only discusses one VLAN, but the issue is present on all 
> of the configured VLANs.
> 
> From a host on the VLAN network, it can connect outbound to the internet 
> absolutely fine - but it cannot talk back to the main network.  Strangely, 
> running tcpdump on interfaces shows traffic moving as (possibly) expected - 
> but packets never seem to appear on the wire to the downstream host.
> 
> In the following example, Volumio is a host on the VLAN 210 as above,
> attempting to send an ICMP echo request to a host on the main lan.  First up,
> here’s a PF log showing the permitted packet:
> 
> Dec 25 20:41:13.342006 rule 86/(match) pass out on vport0: 172.16.210.13 > 172.16.0.1: icmp: echo request
> 
> (Note, I still get the same issues even with disabling pf)
> 
> Next, here’s the packet on the vport1 interface from above:
> 
> 20:41:22.663129 dc:a6:32:4d:9a:4c fe:e1:ba:d3:54:a5 8100 102: 802.1Q vid 210 pri 1 volumio.av.kaizo.lan > nas.kaizo.lan: icmp: echo request (DF)
> 
> Now, here’s the packet on the vport0 interface:
> 20:41:22.663145 fe:e1:ba:d2:e4:93 68:05:ca:4a:7c:18 ip 98: volumio.av.kaizo.lan > nas.kaizo.lan: icmp: echo request
> 
> However, this is where it stops.  I see no matching packet on the veb0
> interface, nor do I see a packet egress on the physical em1 interface, to
> which the host “nas” is connected.  Obviously I don’t see the packet
> on that host, either.
> 
> I’m a little perplexed as to what’s going on here - it’s almost as if
> the veb doesn’t believe it’s responsible for this packet.  It seems to be
> happily routing packets from the LAN to hosts on a VLAN, it’s just the
> return traffic that never arrives.

you're right, the veb doesn't think it should handle the packet.

veb sets and clears a flag on packets going in and out of vport
interfaces as a sort of loop prevention mechanism. because vlan packets
are handled before veb can clear this flag, the packet ends up being
marked as inside veb when it goes through the network stack. when it
comes out the stack on a vport interface again, it gets dropped because
of this flag still being set.

there's a diff below that moves away from the flag to try and avoid this
problem. can you give it a go in your setup?

alternatively, i think you could use a separate veb per vlan, but
that's a lot of boilerplate...

> For completeness, below are output of ifconfig for the interfaces (edited).
> 
> Simon.
> 
> veb0: flags=9943
>index 12 llprio 3
>groups: veb
>em0 flags=3
>port 1 ifpriority 0 ifcost 0
>em1 flags=3
>port 2 ifpriority 0 ifcost 0
>em2 flags=3
>port 3 ifpriority 0 ifcost 0
>em3 flags=3
>port 4 ifpriority 0 ifcost 0
>vport0 flags=3
>port 19 ifpriority 0 ifcost 0
>vport1 flags=3
>port 20 ifpriority 0 ifcost 0
>Addresses (max cache: 100, timeout: 240):
>…snip…
>68:05:ca:4a:7c:18 em1 0 flags=0<>
>…snip…
>fe:e1:ba:d2:e4:93 vport0 0 flags=0<>
>fe:e1:ba:d3:54:a5 vport1 0 flags=0<>
> 
> vport0: flags=8943 mtu 1500
>lladdr fe:e1:ba:d2:e4:93
>index 19 priority 0 llprio 3
>groups: vport trusted
>inet 172.xx.xx.250 netmask 0xff00 broadcast 172.16.0.255
> 
> vport1: flags=9943 mtu 1500
>lladdr fe:e1:ba:d3:54:a5
>index 20 priority 0 llprio 3
>groups: vport vlan-interface
> 
> vlan210: flags=8843 mtu 1500
>lladdr fe:e1:ba:d3:54:a5
>description: VLAN 210 - A/V & Media 

Re: I did not realize I was an OpenBSD user!

2021-12-27 Thread Brian Brombacher
Hi David,

Thank you for the write-up, this was an awesome read.  I was on the edge of a 
cliff waiting to hear what device or app you replaced next.

Bravo, excellent job done!

-Brian

> On Dec 27, 2021, at 1:03 AM, David Rinehart  wrote:
> 
> A long read, but may be interesting...
> 
> I wanted to get into a nix OS at home, after being away for many 
> years. Researched a short list of nix OSs. To be honest, OpenBSD was at 
> the bottom of the list due to text install and what seemed like a 
> limited list of ports. Tried the others. If I got an install I liked, 
> they all failed on updates with various script errors. I can 
> troubleshoot and fix script errors - the point is I want to spend time 
> working on my code. I was down to my last option - OpenBSD.
> 
> I'd been watching CDE progress to open source - Fond memories of a Sun / 
> Solaris / CDE environment. When CDE / MWM did go open source, OpenBSD 
> was supported. I did the OpenBSD / CDE install on my desktop at the end 
> of 2018 and it has been great. I've since moved on to a more modern 
> window manager but CDE got my foot in the door.
> 
> When it came time to update to a new OpenBSD version I did a clean 
> install and started scripting my custom changes. From long ago, I prefer 
> not to upgrade in place, due to the cruft. Sure I could figure out a way 
> to analyze what is not needed but why bother. The OpenBSD install is so 
> simple and fast. I install, run a script to configure and then have a 
> shiny new machine. For small server roles, it takes 15-20 minutes to 
> reinstall. Desktop machines take an hour or so, due to ports installs. 
> With other OSs it would take several days to reinstall my desktop, 
> including base system, latest drivers, GUI apps and then customizing all 
> the settings. Scripting configuration and package installs is so much 
> simpler.
> 
> Then, I replaced my DNS / DHCP / NTP / Web server with OpenBSD. At this 
> point, I started going fanless for new machines - APU2D4 (now APU2E4) is 
> more than needed but provides headroom for the future. I studied and 
> configured unbound and it has been so stable. I've had a home web server 
> for years which migrated from PERL to C# to C++ and from plain HTML to 
> Angular with JQuery Mobile. I migrated this code to run with httpd 
> slowcgi (sort of like a poor man's serverless config - perfect for home 
> use).
> 
> Next, I had several off the shelf systems I wanted to replace - 
> Multi-room audio, NAS, VPN Router, Wifi AP.  I estimated the lines of
> code running on my existing home network and the numbers were crazy.
> 
> For multi-room audio, I set up a proof of concept with some old 
> computers and configured mpd to use sndio. It worked great. I purchased 
> several more APU2D4 machines and USB Behringer UCA202 DACs for the 
> audio. I created C++ microservices to run with httpd slowcgi and build / 
> send mpc commands to control mpd. Simple, no library dependencies and 
> easy to update / test. Maybe someday I'll change the interface but this 
> has been working well. For UI, I created a page to select a room and 
> send commands. Wanting a single volume control, I opted to expose master 
> volume (rather than mpd volume). I needed to select music, so I created 
> another page to access music data. I'm only really interested in 
> playlists, artists, genres and songs, so I provided these in the song UI 
> and allow adding to the queue of whatever room is currently selected. 
> Each room can operate independently or output to multiple rooms.
> 
> From the beginning I have used amd to mount NAS NFS shares. Tweaked the 
> mount_nfs parameters to get better throughput - It is great.
> 
> With the concept of rooms on the web page, I added more remote control 
> features. I control all infrared home audio and video devices with IP2IR 
> from Global Cache. Used to have an app (that had issues) - replaced it 
> with my web page. Then, added control of a home theater receiver using 
> its REST API.
> 
> In my spare time, I had created a mobile first remote control for the 
> whole home audio and video. Put all the remotes in a drawer. With one 
> web page, it works across-platforms on any device with a browser (all 
> types of phones, desktops, tablets) with zero install. The page 
> refreshes when others make changes, so there are no issues with synch 
> across clients.
> 
> With a few nodes on my network, I wanted to see status over time. I used 
> d3js to create a network diagram web page. Added an APU2 machine to the 
> network for running cron jobs. Added a script to create SVGs for CPU, 
> memory, network and disk from symux RRD files. Now click a node in the 
> diagram and see the machine stats. I can change the time reference for 
> the last 24 hours, 7 days, 30 days or year. The SVG charts are built on 
> a schedule, based on priority of the machines. It is incredible to have 
> this visibility. Always wanted to monitor my network over time but did 

IPv6 autoconf with static IID?

2021-12-27 Thread Mike Fischer
Hi!

Maybe I’m completely off track with my idea, so please let me know if that is 
the case. I’ve done some reading and experimenting with IPv6 but wouldn’t 
consider myself an expert yet.


Goal:
=====
My Internet connection is using dynamic IPv6 prefixes. I want to configure a 
local (OpenBSD) machine so its public IPv6 address adjusts to changes in the 
network prefix but keeps a static Interface Identifier (IID). I’d also like to 
be able to configure the IID manually.

Essentially this would be a server running on the LAN but with a public IPv6 
address, reachable from the Internet.


Details:
========
My Internet provider allocates a dynamic, public IPv6 /64 prefix to my router. 
The IID of the router is based on the MAC-address of its outside interface 
(EUI64) and doesn’t change. I’ll call this combination of /64 prefix and IID 
the "IPv6 address of the router".

My Internet provider additionally allocates a dynamic, public IPv6 /56 prefix 
to my router. Traffic to addresses from this range is routed to the IPv6 
address of the router. The router in turn communicates a /64 prefix based on 
this /56 prefix and a fixed 8-bit value to my LAN devices. Effectively the LAN 
devices operate with a dynamic, public /64 prefix.

My router also allows configuration of LAN devices/ports that are reachable 
from the Internet. This forwarding configuration is based on the IID of the 
device for IPv6. Without such a forwarding rule, no Internet traffic can open a 
connection to any LAN device.

So for an IPv6 service on the LAN to be reachable from the Internet, the 
following criteria must be met:
- A forwarding rule must exist on the router that matches the port and IID of 
the LAN device. Packets from the Internet are routed to the public IPv6 address 
of the router. The forwarding rule sets up routing to the LAN device.
- The LAN device must have an IPv6 address matching the current /64 prefix and 
the IID configured for the forwarding settings on the router.
- A service must listen on the port and IPv6 address on the LAN device. (pf(4) 
must allow the traffic of course.)
- (Optional) A DNS AAAA entry could point to the IPv6 address. This probably 
requires some form of DDNS to adjust the DNS record when the IPv6 prefix 
changes. Keeping this updated is a separate problem not relevant for my 
question.

Note: When I use the term "its IPv6 address" I realize that this is generally 
only one of a number of IPv6 addresses in use on an interface at any given 
time. Basically I am referencing the address returned by:
ifconfig em0|grep 'inet6'|grep -vE ' fe80:| fd|deprecated|temporary'
I.e. no link-local, ULA, temporary or deprecated addresses.

Also note that there is no DHCPv6 server in my configuration.


Question/Problem:
=================
After reading man pages for slaacd(8), hostname.if(5) and ifconfig(8) the only 
way to combine a static IID with a dynamic prefix seems to be the eui64 option:
inet6 autoconf eui64

However this limits the IID to a fixed value based on the MAC-address of the 
interface and potentially leaks information about the vendor of the interface 
to the Internet.

Is there a way to combine "inet6 autoconf" with an arbitrary manually defined 
IID?

Example: So let’s say I want to use 0123:4567:89ab:cdef as the IID and the 
current prefix is 2001:db8:0:4201::/64 then how would I specify this in a way 
that allows slaacd(8) to generate an address using the current /64 prefix and 
this IID to form 2001:db8::4201:123:4567:89ab:cdef/128? When the prefix changes 
to e.g. 2001:db8:0:2a01::/64 I want the address of the interface to change to 
2001:db8::2a01:123:4567:89ab:cdef/128.


I may be showing my ignorance here but it seems to me that combining dynamic 
IPv6 prefixes with manually chosen IIDs should be possible?


This question pertains to OpenBSD 7.0 stable on amd64 with all patches applied 
in case that makes a difference.


Thanks!

Regards,
Mike
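
The address arithmetic behind the question, as an added example that is not part of Mike's post or of slaacd(8): compose_address joins the current /64 prefix with a manually chosen 64-bit IID (the 2001:db8:0:4201::/64 and 0123:4567:89ab:cdef values from the post), same_address confirms the compressed spelling used in the post names the same /128, and eui64_iid shows what the eui64 option derives from a MAC, with the vendor OUI carried verbatim in the first 24 bits. The MAC is a constructed sample.

```python
import ipaddress
import re


def compose_address(prefix: str, iid: str) -> str:
    """Join a /64 prefix (as advertised in an RA) with a chosen IID written
    as four hex groups. Returns the /128 address in canonical form."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC prefixes must be /64")
    groups = iid.split(":")
    if len(groups) != 4 or not all(
            re.fullmatch(r"[0-9a-fA-F]{1,4}", g) for g in groups):
        raise ValueError("IID must be four hex groups")
    iid_int = int("".join(g.zfill(4) for g in groups), 16)
    # prefix occupies the top 64 bits, IID the bottom 64
    return f"{ipaddress.IPv6Address(int(net.network_address) | iid_int)}/128"


def same_address(a: str, b: str) -> bool:
    """True if two textual /128 spellings name the same address, e.g. the
    post's 2001:db8::4201:123:4567:89ab:cdef and the grouped form."""
    return ipaddress.IPv6Interface(a) == ipaddress.IPv6Interface(b)


def eui64_iid(mac: str) -> str:
    """Modified EUI-64 IID that 'inet6 autoconf eui64' derives from a MAC
    (RFC 4291 Appendix A): flip the universal/local bit of the first octet
    and insert ff:fe between the OUI and the device part. The OUI stays
    visible, which is the vendor information the question worries about."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("MAC must have six octets")
    b = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    b[0] ^= 0x02
    return ":".join(f"{b[i] << 8 | b[i + 1]:04x}" for i in range(0, 8, 2))


def oui_of(iid: str) -> str:
    """Recover the 24-bit OUI from an EUI-64 IID (sample MAC is constructed)."""
    raw = int(iid.replace(":", ""), 16).to_bytes(8, "big")
    first = raw[0] ^ 0x02
    return f"{first:02x}:{raw[1]:02x}:{raw[2]:02x}"
```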



Re: route advertisement question

2021-12-27 Thread Florian Obser
On 2021-12-26 19:43 UTC, mgra...@brainfat.net wrote:
> So my question is, is this expected behavior?  When the router advertisement
> does not have a router and thus sets the router lifetime to 0 (as it should),
> should slaacd ignore the advertisement?  Or should it still configure an IP
> address?

It should still form an autoconf address, this is a bug in slaacd.

This should fix it. The diff only removes if (ra->router_lifetime != 0)

diff --git engine.c engine.c
index 81a06cc5528..7a2c11e1bc2 100644
--- engine.c
+++ engine.c
@@ -1749,14 +1749,13 @@ void update_iface_ra(struct slaacd_iface *iface, struct 
radv *ra)
 
update_iface_ra_dfr(iface, ra);
 
-   if (ra->router_lifetime != 0)
-   LIST_FOREACH(prefix, >prefixes, entries) {
-   if (!prefix->autonomous || prefix->vltime == 0 ||
-   prefix->pltime > prefix->vltime ||
-   IN6_IS_ADDR_LINKLOCAL(>prefix))
-   continue;
-   update_iface_ra_prefix(iface, ra, prefix);
-   }
+   LIST_FOREACH(prefix, >prefixes, entries) {
+   if (!prefix->autonomous || prefix->vltime == 0 ||
+   prefix->pltime > prefix->vltime ||
+   IN6_IS_ADDR_LINKLOCAL(>prefix))
+   continue;
+   update_iface_ra_prefix(iface, ra, prefix);
+   }
 
update_iface_ra_rdns(iface, ra);
 }
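Review bot: dropping the `if (ra->router_lifetime != 0)` guard is the right fix for the behaviour described, since a zero Router Lifetime only says the sender is not a default router while the Prefix Information options still apply, but that rationale belongs in the commit message; as visible here the diff only says what it removes, not why. The default-router side is still handled by update_iface_ra_dfr(), which is called unchanged before the loop. Also note that this rendering has lost the `&ra->` and `&prefix->` parts (`>prefixes`, `>prefix`) through mail quoting, so apply the diff from the original mail rather than from this copy.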


-- 
I'm not entirely sure you are real.