Re: How to use /dev/srandom

2010-10-04 Thread Kevin Chadwick
On Mon, 4 Oct 2010 13:33:00 +0200
Janne Johansson icepic...@gmail.com wrote:

 2010/10/4 Kevin Chadwick ma1l1i...@yahoo.co.uk
 
   I do love all these considerations. Just wondering why on earth entropy
   doesn't get much attention in a world where people seem so worried
   about security and privacy.
 
  Do you mean the world in general or the OpenBSD world?
 
  I presume you've read the OpenBSD crypto papers that talk about how
  impossible it is to create a true random generator.
 
  First I'd ask how well can anyone prove that the NIST statistical test
  suite can reliably judge randomness?
 
 
 It just tries to prove the opposite. If the data has patterns it can find,
 it's not random.
 Proving something is random is insanely harder.
 
 -- 
  To our sweethearts and wives.  May they never meet. -- 19th century toast
 

Thought about that but surely you'd need a lab to do that well as you'd
need a ridiculous amount of processing power and/or would be helping any
attacker do his job. Plus truly random data could very occasionally
have short lived random patterns. I imagine the current system monitors
the input and output of the entropy pool, which would seem like the
logical thing to do, but I wouldn't know.

If you can improve the current code's info or accuracy, then cool.



Re: Router components

2010-10-04 Thread David Higgs
On Sun, Oct 3, 2010 at 11:02 PM, Nick Holland
n...@holland-consulting.net wrote:
 On 10/03/10 22:11, David Higgs wrote:
 I am building a replacement router/firewall for home use

 stop there.

 You aren't General Motors, Yahoo, or Google.
 You are looking to spend a lot of time and money trying to optimize
 performance on a super-fast-sport-car that will be only used to go to
 and from work in rush hour traffic.  You aren't going any faster than
 the guy in front of you is going, or in this case, than your ISP is
 handing you data.

 There is nothing built in the last 10 years that can't do a home
 router/firewall like this for most people, with the exception of a few
 crappy super-low-power systems that people like to suggest as the answer
 to all questions (and then complain when the pathetic NICs and anemic
 CPUs don't pump data like a ten year old machine with non-pathetic NICs
 does).

 NONE OF IT WILL MATTER TO YOU.

Yeah, you got me -- I know it's overkill.  But give me a little
credit, I don't plan on tweaking knobs or compiling custom kernels to
squeeze performance.  I outgrew that phase five years ago on my circa
1999 desktop-turned-router that just recently passed on.  To stick
with the car analogy, I just want a reliable new car with better gas
mileage, that will get me through the next 10 years or more.

 Realtek NICs, three digit celeron processors, the worst of the worst
 will pump more data than your ISP will deliver, so what do you gain by
 tweaking for the last one percent of data flow you will never see?

 Conventional stuff will cost less and run more reliably than fancy
 stuff, and while you may save a few watts, you are unlikely to recoup
 your investment.

 And why would you put an SSD on a firewall?  so you can discover they
 are a lot more expensive and less reliable than an old hard disk?  If
 you want fast and reliable, use an old, burned in HD, and back up your
 /etc directory.  If you want low power or silent, get a CF adapter and a
 small CF card, or if your hw can boot from it, a USB flash drive.

I was researching SSDs to make the box quieter and maybe lower power;
I/O speed was just a bonus.  I can just as easily use spinning
platters until SSD tech improves and/or converges with OpenBSD
support.  I'll google up some smaller systems (Soekris, ALIX, etc?)
and see how they strike me.  Pointers here are even more welcome, as I
am not as familiar with this end of the spectrum and want to avoid the
aforementioned crappy super-low-power systems.

Thanks for the input.

--david



Re: smtpd and spamd, with antivirus

2010-10-04 Thread Gregory Edigarov
On Fri, 1 Oct 2010 08:42:04 -0400
Michael W. Lucas mwlu...@blackhelicopters.org wrote:

 Hi,
 
 I have to build a new mail relay host, and would like to use spamd and
 smtpd on OpenBSD.  I'm required to provide antivirus scanning of mail
 contents, however.  Has anyone attached any antivirus software to this
 combination?
 
 I'm well aware that spamd stops a vast amount of viruses, but I'm not
 the one writing the requirements.

Hi Michael,

I think you will be pretty much done by setting up hermes antispam
proxy in front of your server, or even on the same machine.

Just set up smtpd to listen on lo0 port 2025, and let hermes pick up
SMTP sessions after greylisting is done by spamd.
-- 
With best regards,
Gregory Edigarov



Re: How to use /dev/srandom

2010-10-04 Thread Kevin Chadwick
On Thu, 30 Sep 2010 11:37:14 +0200
Daniel Gracia lists.d...@electronicagracia.com wrote:

 I do love all these considerations. Just wondering why on earth entropy
 doesn't get much attention in a world where people seem so worried
 about security and privacy.

Do you mean the world in general or the OpenBSD world?

I presume you've read the OpenBSD crypto papers that talk about how
impossible it is to create a true random generator.

First I'd ask how well can anyone prove that the NIST statistical test
suite can reliably judge randomness?



Re: Router components

2010-10-04 Thread Stuart Henderson
On 2010-10-04, David Higgs hig...@gmail.com wrote:
 I am building a replacement router/firewall for home use and am
 soliciting suggestions/commentary/alternatives on the components
 below.

What sort of internet connection and what will be running over it?
Will you be doing crypto on the firewall (ipsec/some other vpn)?

 I was planning to use an SSD in the 32 GB size range, but the archives
 indicate we don't have TRIM support yet.  Though this obviously isn't
 a showstopper to usage, am I better off getting an older-generation
 SSD that doesn't require TRIM, or perhaps hold off on SSDs until the
 tech is more mature?

Newer SSDs don't *require* TRIM, it is optional. I think it's probably
a better idea to get the newer generation. Though a 2-4GB CF might be
quite good enough too.

For what a lot of people need for a router/firewall a 2-4GB CF
card in an IDE adapter would be fine too (smaller works too if you can
still find them, but it's easier to have this much space).

 Finally, I want this box to act as wireless AP, and hope to have
 out-of-the-box 802.11n support (when eventually available).  I've read
 that run(4) is a solid chipset in this regard; any other suggestions?

run(4) does not support host AP.

athn(4) is likely the best choice, I haven't used it with OpenBSD but it
looks like this is the most actively developed wireless driver at the moment.
I have used it with commercial APs running their embedded linux-based OS
and the hardware itself works very well indeed.

As I think you're aware we don't support 802.11n capabilities yet, also
note we don't support clients that use power-saving mode (this is an
absolute show-stopper for some users; some client hardware has no way
to disable this).



Re: Kerberos: Server not found in database: krbtgt/ualberta...@realm

2010-10-04 Thread Antoine Jacoutot
On Mon, 4 Oct 2010, Clint Pachl wrote:

 In the KDC log file, I get the following errors:
 
 2010-10-04T02:40:11 TGS-REQ pa...@mokaz.com from IPv4:10.0.9.15 for afs/ualberta...@mokaz.com
 2010-10-04T02:40:11 Server not found in database: afs/ualberta...@mokaz.com: No such entry in the database
 2010-10-04T02:40:11 TGS-REQ pa...@mokaz.com from IPv4:10.0.9.15 for krbtgt/ualberta...@mokaz.com
 2010-10-04T02:40:11 Server not found in database: krbtgt/ualberta...@mokaz.com: No such entry in the database
 
 
 Why am I getting these errors? Are they compiled in?
 
 How do I quiet this?
 
 For clients, all of my Kerberos settings are in DNS; there is no krb5.conf.
 
 Here is krb5.conf on the Kerberos server:

Try adding the following into your krb5.conf:

[appdefaults]
    kinit = {
        afslog = no
    }

Or comment the entry in /etc/afs/ThisCell.

-- 
Antoine



Re: Incorrect FAQ entry about ksh(1) does not appear to read my .profile

2010-10-04 Thread Sean Kamath
On Oct 3, 2010, at 2:52 PM, Amit Kulkarni wrote:

 Then why is it placed there in the FAQ entry? Somebody thought there's a
 relation there.

It's there because when you start an X terminal (xterm), you can tell xterm
(via X resource DB) if you want shells it starts to be login shells, and
that's what that resource setting is doing.  It is not a resource setting for
ksh.  Further, it's in the FAQ about why isn't my .profile being read for
the ksh because most people are completely unaware of what is going on when
they click that Terminal button.

.Xdefaults may or may not be read by X-based applications, and is often loaded
into the Resource DB of the X server on login (depending on the system --
everything does it differently).  At one point it was .Xresources (which may
be what X reads still -- I don't know anymore, I stopped thinking about xrdb
about 8 years ago).

The space is completely irrelevant, and this thread should die.

 IMHO, I think ksh should be able to read .profile by default

The rules of what ksh reads and when are based on ancient login mechanisms --
.profile was read only on login.  In the csh, .login was read on login, and
.cshrc was read on every invocation of csh.

ksh reads the file pointed to by the environment variable ENV on invocation.

Put things you want to happen when you log in (via SSH, for example) into
.profile, and also set ENV=$HOME/.kshrc into it.  Then put everything into
.kshrc that you want to invoke with all subshells.

It's no good to say "I think ksh should do..." because it ain't gonna
happen.  It would break all sorts of crap if it did.


Sean

PS Linux's pdksh sucks, and does all sorts of weird shit.  OpenBSD's ksh is
much more sane.


 On Sat, Oct 2, 2010 at 10:39 PM, Abel Abraham Camarillo Ojeda 
 acam...@verlet.org wrote:

 .Xdefaults has nothing to do with .profile ...



Double break

2010-10-04 Thread Barceló Tucancun
Good morning. On this occasion we are offering a second stay free of charge;
you can read more about the offer at http://www.fullallotment.com/barcelo.htm,
on an all-inclusive plan, in the best beachfront location in Cancun. Thank you
in advance for your time and attention, kind regards

Elsa Sanchez



Nationwide celebration

2010-10-04 Thread 网络营销大师



Kerberos: Server not found in database: krbtgt/ualberta...@realm

2010-10-04 Thread Clint Pachl

In the KDC log file, I get the following errors:

2010-10-04T02:40:11 TGS-REQ pa...@mokaz.com from IPv4:10.0.9.15 for afs/ualberta...@mokaz.com
2010-10-04T02:40:11 Server not found in database: afs/ualberta...@mokaz.com: No such entry in the database
2010-10-04T02:40:11 TGS-REQ pa...@mokaz.com from IPv4:10.0.9.15 for krbtgt/ualberta...@mokaz.com
2010-10-04T02:40:11 Server not found in database: krbtgt/ualberta...@mokaz.com: No such entry in the database



Why am I getting these errors? Are they compiled in?

How do I quiet this?

For clients, all of my Kerberos settings are in DNS; there is no krb5.conf.

Here is krb5.conf on the Kerberos server:

[libdefaults]
    default_realm = MOKAZ.COM
    clockskew = 120
[kadmin]
    require-preauth = true
    password_lifetime = 365 days
[kdc]
    require-preauth = true
[logging]
    kadmind = FILE:/var/heimdal/kadmind.log



Re: How to use /dev/srandom

2010-10-04 Thread Janne Johansson
2010/10/4 Kevin Chadwick ma1l1i...@yahoo.co.uk

  I do love all these considerations. Just wondering why on earth entropy
  doesn't get much attention in a world where people seem so worried
  about security and privacy.

 Do you mean the world in general or the OpenBSD world?

 I presume you've read the OpenBSD crypto papers that talk about how
 impossible it is to create a true random generator.

 First I'd ask how well can anyone prove that the NIST statistical test
 suite can reliably judge randomness?


It just tries to prove the opposite. If the data has patterns it can find,
it's not random.
Proving something is random is insanely harder.

-- 
 To our sweethearts and wives.  May they never meet. -- 19th century toast



Re: route-to and divert-packet

2010-10-04 Thread Daniel Browning-Weber
 The code says it well - after your divert(4) client reinjects the
 packet back into the kernel, it bypasses any pf checks and goes
 straight to the {ip_,ip6_}output function because of possible loops.

That's all perfectly sensible, and I feel more likely to hurt myself
if I could get a packet to go back into pf.

 What exactly are you trying to accomplish here, with the
 combination of these two?

I have two network connections I want to load balance. I'm using the
example rules here: http://www.openbsd.org/faq/pf/pools.html#outgoing

Those work great, without the divert-packet.  And the divert-packet
works great, if I only have one internet connection.  But I'm trying
to get them to both be applied.



2010/10/4 Martin Pelikan martin.peli...@gmail.com:
 2010/10/3, Daniel Browning-Weber weber...@gmail.com:
 Okay, and the divert (4) man page says that outbound packets,
 after being reinjected, are processed directly by the relevant
 IP/IPv6 output function, so I probably can't get pf to take
 another look at them so that route-to will apply.

 If I were feeling brave and wanted to mess with this in the
 kernel, should I try to get the packet's routing changed
 after processing?  Or would it be less insane for me to
 try to play with the routing before the divert?

 The code says it well - after your divert(4) client reinjects the
 packet back into the kernel, it bypasses any pf checks and goes
 straight to the {ip_,ip6_}output function because of possible loops.

 What exactly are you trying to accomplish here, with the combination
 of these two?
 Please be more specific about your goals, not just the technical stuff
around.

 I'm not sure about this though, but passing the packet to divert app
 and changing IP headers _in there_ should suffice for most what you'd
 accomplish using route-to (now I'm waiting for the cold-shower of
 corrections and RTFM's). Provided that your routing table is
 consistent with what you want to do, of course.
 --
 Martin Pelikan



Re: Router components

2010-10-04 Thread russell

Stuart Henderson wrote:

On 2010-10-04, David Higgs hig...@gmail.com wrote:

I am building a replacement router/firewall for home use and am
soliciting suggestions/commentary/alternatives on the components
below.


What sort of internet connection and what will be running over it?
Will you be doing crypto on the firewall (ipsec/some other vpn)?


I was planning to use an SSD in the 32 GB size range, but the archives
indicate we don't have TRIM support yet.  Though this obviously isn't
a showstopper to usage, am I better off getting an older-generation
SSD that doesn't require TRIM, or perhaps hold off on SSDs until the
tech is more mature?


Newer SSDs don't *require* TRIM, it is optional. I think it's probably
a better idea to get the newer generation. Though a 2-4GB CF might be
quite good enough too.

For what a lot of people need for a router/firewall a 2-4GB CF
card in an IDE adapter would be fine too (smaller works too if you can
still find them, but it's easier to have this much space).


Finally, I want this box to act as wireless AP, and hope to have
out-of-the-box 802.11n support (when eventually available).  I've read
that run(4) is a solid chipset in this regard; any other suggestions?


run(4) does not support host AP.

athn(4) is likely the best choice, I haven't used it with OpenBSD but it
looks like this is the most actively developed wireless driver at the moment.
I have used it with commercial APs running their embedded linux-based OS
and the hardware itself works very well indeed.

As I think you're aware we don't support 802.11n capabilities yet, also
note we don't support clients that use power-saving mode (this is an
absolute show-stopper for some users; some client hardware has no way
to disable this).


I tend to swear by ral(4)
Mainly due to the unscientific but proven mechanism:
all my ral cards have worked, and all my ath cards end up having an
unsupported chipset.

and there was something freaky about that zyd,
almost working is worse than not working at all.

Given half a chance stay away from usb radios.

but ral has always been there for me.
best of luck.
I know I enjoy my k6-2(450) based firewall/nat device infinitely more 
than the netgear piece of crap it replaced.




BIOCTL Rebuild: invalid argument

2010-10-04 Thread Clint Pachl
I tried to rebuild a single disk in a 4 disk raid-10 array using the 
following command:


# bioctl -R 0:3 sd0
bioctl: BIOCSETSTATE: invalid argument

What does this mean exactly?

I did rebuild the array via the MegaRAID BIOS utility. Are we able to 
rebuild arrays via bioctl?


# bioctl sd0
Volume  Status           Size Device
 ami0 0 Online    73494691840 sd0     RAID10
      0 Online    36747345920 0:1.0   noencl FUJITSU MAP3367NP   0108
      1 Online    36747345920 0:2.0   noencl FUJITSU MAP3367NP   0108
      2 Online    36747345920 0:3.0   noencl FUJITSU MAP3367NP   0108
      3 Online    36747345920 0:4.0   noencl FUJITSU MAP3367NP   0108


$ sysctl hw.sensors.ami0
hw.sensors.ami0.drive0=online (sd0), OK

$ dmesg | grep ^ami
ami0 at pci2 dev 4 function 0 AMI MegaRAID rev 0x20: apic 2 int 20 (irq 11)
ami0: AMI 475, 64b/lhc, FW 163D, BIOS v5.07, 32MB RAM
ami0: 1 channels, 0 FC loops, 1 logical drives



Re: Router components

2010-10-04 Thread David Higgs
On Mon, Oct 4, 2010 at 3:51 PM, russell russ...@dotplan.dyndns.org wrote:
 Stuart Henderson wrote:

 On 2010-10-04, David Higgs hig...@gmail.com wrote:

 I am building a replacement router/firewall for home use and am
 soliciting suggestions/commentary/alternatives on the components
 below.

 What sort of internet connection and what will be running over it?
 Will you be doing crypto on the firewall (ipsec/some other vpn)?

Just your basic consumer-class cable connection, and practically
nothing.  Crypto acceleration might be nice, but in no way a
requirement.

 I was planning to use an SSD in the 32 GB size range, but the archives
 indicate we don't have TRIM support yet.  Though this obviously isn't
 a showstopper to usage, am I better off getting an older-generation
 SSD that doesn't require TRIM, or perhaps hold off on SSDs until the
 tech is more mature?

 Newer SSDs don't *require* TRIM, it is optional. I think it's probably
 a better idea to get the newer generation. Though a 2-4GB CF might be
 quite good enough too.

 For what a lot of people need for a router/firewall a 2-4GB CF
 card in an IDE adapter would be fine too (smaller works too if you can
 still find them, but it's easier to have this much space).

I know SSDs don't require TRIM, but most benchmarks are made by
knob-twiddlers that are presumably overemphasizing the performance
degradation you get without it.  Is this even noticeable in practice?
Good suggestion on the CF card, though I would feel dirty using it in
that overpowered Atom system...

 Finally, I want this box to act as wireless AP, and hope to have
 out-of-the-box 802.11n support (when eventually available).  I've read
 that run(4) is a solid chipset in this regard; any other suggestions?

 run(4) does not support host AP.

 athn(4) is likely the best choice, I haven't used it with OpenBSD but it
 looks like this is the most actively developed wireless driver at the
 moment.
 I have used it with commercial APs running their embedded linux-based OS
 and the hardware itself works very well indeed.

 As I think you're aware we don't support 802.11n capabilities yet, also
 note we don't support clients that use power-saving mode (this is an
 absolute show-stopper for some users; some client hardware has no way
 to disable this).

 I tend to swear by ral(4)
 Mainly due to the unscientific but proven mechanism:
 all my ral cards have worked, and all my ath cards end up having an
 unsupported chipset.
 and there was something freaky about that zyd,
 almost working is worse than not working at all.

 Given half a chance stay away from usb radios.

 but ral has always been there for me.
 best of luck.
 I know I enjoy my k6-2(450) based firewall/nat device infinitely more than
 the netgear piece of crap it replaced.

Crap, missed lack of AP support in run(4).  Disappointing that USB
radios aren't all that great.  I've been pretty happy with my ral(4)
card as well, even in the face of occasional interface hangs.

Thanks.

--david



PF OS fingerprint update

2010-10-04 Thread Claudio Jeker
If you use the pf OS fingerprinting feature you want to apply the
following diff to your system or -current OpenBSD boxes will not
be identified as being OpenBSD.

To apply the patch just use:
cd /etc
patch < this_mail
pfctl -f /etc/pf.conf
-- 
:wq Claudio

Index: pf.os
===
RCS file: /cvs/src/etc/pf.os,v
retrieving revision 1.22
diff -u -p -r1.22 pf.os
--- pf.os   8 Aug 2009 09:24:51 -   1.22
+++ pf.os   1 Oct 2010 14:11:04 -
@@ -298,12 +298,15 @@ S22:64:1:52:M*,N,N,S,N,W0:Linux:2.2:ts:
 # - OpenBSD -
 
 16384:64:0:60:M*,N,W0,N,N,T:   OpenBSD:2.6::NetBSD 1.3 (or OpenBSD 2.6)
-16384:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-4.0::OpenBSD 3.0-4.0
-16384:64:0:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-4.0:no-df:OpenBSD 3.0-4.0 
(scrub no-df)
+16384:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-4.8::OpenBSD 3.0-4.8
+16384:64:0:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-4.8:no-df:OpenBSD 3.0-4.8 
(scrub no-df)
 57344:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.3-4.0::OpenBSD 3.3-4.0
 57344:64:0:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.3-4.0:no-df:OpenBSD 3.3-4.0 
(scrub no-df)
 
 65535:64:1:64:M*,N,N,S,N,W0,N,N,T: OpenBSD:3.0-4.0:opera:OpenBSD 3.0-4.0 
(Opera)
+
+16384:64:1:64:M*,N,N,S,N,W3,N,N,T: OpenBSD:4.9::OpenBSD 4.9
+16384:64:0:64:M*,N,N,S,N,W3,N,N,T: OpenBSD:4.9:no-df:OpenBSD 4.9 (scrub 
no-df)
 
 # - Solaris -
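Review bot: the hunk as shown here is mail-wrapped, with "(scrub no-df)" pushed onto its own line after each of the 16384:64:0:64, 57344:64:0:64 and new 4.9 no-df signatures, so "patch < this_mail" run against this copy will reject those lines; apply it from the raw message or edit /etc/pf.os by hand. On the content: the 16384-window entries are widened to 3.0-4.8 while the 57344 (3.3-4.0) and 65535 Opera (3.0-4.0) entries keep their old upper bound, and the new W3 entries are pinned to 4.9; a one-line comment above the OpenBSD block saying why the other window sizes stop at 4.0 would spare the next editor from "fixing" them, and the 4.9 range will need bumping at the next release.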



pflogd dying silently?

2010-10-04 Thread Matthieu Herrb
Hi,

on a machine running something close to what should be OpenBSD 4.8,
I'm seeing pflogd disappearing every few days without any message in
log files.

Not to say that it's an annoying issue from the security point of
view...

Is this a known problem with a fix in -current? Should I try to
gather more information and file a PR?
-- 
Matthieu Herrb



Re: Mobile VPN

2010-10-04 Thread Claudiu Pruna
On Sat, 2010-10-02 at 11:56 +0300, Evgeniy Sudyr wrote:
 I was able to get it working with 4.6/4.7 and E60/E65/E52 it works as
 expected :)
 
 Nokia VPN config tool will save hours instead trial by error.
 
 On Fri, Oct 1, 2010 at 10:29 PM, Claudiu Pruna clau...@net-go.net
 wrote:
 
 On Fri, 2010-10-01 at 21:19 +0200, David Coppa wrote:
  On Fri, Oct 1, 2010 at 9:11 PM, Claudiu Pruna
 clau...@net-go.net wrote:
  I was wondering has anyone got an S60 mobile phone
 to connect to
   OpenBSD Ipsec ?
  
  I did some tries, but no luck.
 
  Maybe this is of some use:
 
  http://betabug.ch/wiki/VPNNotes
 
  I'm sorry, but I have no personal experiences with mobile
 vpns...
 
  cheers,
  david
 
 
 thanks a lot, sounds very interesting, I will test it and see
 what
 happens ;)
 
 --
 
 Claudiu Pruna clau...@net-go.net
 
 
 
 
 
 -- 
 --
 With regards,
 Eugene Sudyr
 
Well, I have tried that and ... it works.
Yes, it is working OK, but if your setup is like mine and, after
connecting to the ipsec, your internal network contains more branches
connected through vpn and so the internal network contains
more unroutable ip address classes, the problem appears because you
appear in your network with the ip that your phone gets from the
internet connection it has. So it is a little bit tricky to route your
phone to other ip classes than the one you are directly connected to.
I have used the "tag" option in ipsecctl, and then in pf.conf I have
created a nat pool which is just for the phones connecting from
outside.

But it is a start, I mean, from no vpn (except symbian pptp) until here
we already have big progress. It would be nice if we could also get
xauth and ip address assignment to the phone through ipsec working, but
as I am not a developer, I hope it will happen someday.

Cheers
-- 
Claudiu Pruna clau...@net-go.net



Re: How to use /dev/srandom

2010-10-04 Thread Daniel Gracia
I do love all these considerations. Just wondering why on earth entropy
doesn't get much attention in a world where people seem so worried
about security and privacy.


Have you ever used any specific method to measure the randomness quality
of the numbers generated by the kernel when the randomness pool goes low? By
means of the NIST Statistical Test Suite or anything like that.


Maybe it could be possible to maintain a 'randomness quality factor'
variable updated in the kernel to be able to estimate, at a given time,
the randomness available. Just thinking aloud! I'd take a look at that.


On 29/09/2010 19:16, Theo de Raadt wrote:

On Wed, Sep 29, 2010 at 12:49 PM, Kevin Chadwick ma1l1i...@yahoo.co.uk wrote:

And isn't srandom sometimes (very rarely!) appropriate? E.g. for
generating encryption keys?


If arandom is somehow not appropriate for generating keys, it should
be fixed.  I'd be interested to hear more.


For those who don't want to go read the code, the algorithm on the very back
end is roughly this:

 (a) collect entropy until there is a big enough buffer
 (b) fold it into the srandom buffer, eventually

That is just like the past.

But the front end is different.  From the kernel side:

 (1) grab a srandom buffer and start an arc4 stream cipher on it
     (discarding the first bit, of course)
 (2) now the kernel starts taking data from this on every packet
     it sends, to modulate this, to modulate that, who knows.
 (3) lots of other subsystems get small chunks of random from the
     stream; deeply unpredictable when
 (4) on every interrupt, based on quality, the kernel injects something
     into (a)
 (5) re-seed the buffer as stated in (1) when needed

Simultaneously, userland programs need random data:

 (i) libc does a sysctl to get a chunk from the rc4 buffer
 (ii) starts an arc4 buffer of its own, in that program
 (iii) feeds data to the program, and re-seeds the buffer when needed

The arc4 stream ciphers get new entropy when they need. But the really
neat architecture here is that a single stream cipher is *unpredictably*
having entropy taken out of it, by hundreds of consumers.  In regular
unix operating systems, there are only a few entropy consumers.  In OpenBSD
there are hundreds and hundreds.  The entire system is full of random number
readers, at every level.  That is why this works so well.


I notice arandom doesn't pause. Is arandom always better or only when
there's enough entropy?


It is more efficient.  There is almost always enough entropy for
arandom, and if there isn't, you would have a hard time detecting
that.


There is always enough.  The generator will keep moving, until it has fetched
too much, or too much time has gone by.  Then it reseeds; though I think
it fundamentally does not care if the srandom buffer it feeds from is full
or not.
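A runnable C model of the two-level design laid out in the quoted mail, added here as an illustration and not OpenBSD's own code: one kernel arc4 stream stirred from an entropy pool and re-keyed after a byte budget, plus per-process streams seeded from a chunk of the kernel stream. The pool size, the 1024-byte drop, the 4096-byte budget and the LCG-driven pool contents are all constructed assumptions chosen so the results are reproducible.

```c
#include <stdint.h>
#include <string.h>
#define POOL_BYTES   128   /* entropy pool size; this model's choice */
#define ARC4_DROP    1024  /* early keystream discarded after keying; model's choice */
#define RESEED_BYTES 4096  /* bytes a stream hands out before re-keying; model's choice */
struct pool { uint8_t buf[POOL_BYTES]; uint32_t events; };   /* stage (a) */
struct arc4 {                  /* one stream: the kernel has one, each process its own */
    uint8_t s[256], i, j;
    size_t drawn;              /* bytes handed out since the last stir */
    unsigned stirs;            /* times this stream has been (re)keyed */
};

/* Stage (4): fold one interrupt timing sample into the pool. */
void pool_add_event(struct pool *p, uint32_t t)
{
    p->buf[p->events++ % POOL_BYTES] ^= (uint8_t)(t ^ t >> 8 ^ t >> 16 ^ t >> 24);
}

void arc4_init(struct arc4 *c)
{
    memset(c, 0, sizeof *c);
    for (int n = 0; n < 256; n++) c->s[n] = (uint8_t)n;
}

/* Mix `key` into the *current* permutation: a re-key builds on reached state. */
static void arc4_addrandom(struct arc4 *c, const uint8_t *key, size_t klen)
{
    c->i--;
    for (int n = 0; n < 256; n++) {
        uint8_t si = c->s[++c->i];
        c->j += si + key[n % klen];
        c->s[c->i] = c->s[c->j]; c->s[c->j] = si;
    }
    c->j = c->i;
}

static uint8_t arc4_byte(struct arc4 *c)
{
    uint8_t si = c->s[++c->i];
    uint8_t sj = c->s[c->j += si];
    c->s[c->i] = sj; c->s[c->j] = si;
    return c->s[(uint8_t)(si + sj)];
}

/* Stages (1) and (5): key the stream, then throw away the early keystream. */
void arc4_stir(struct arc4 *c, const uint8_t *key, size_t klen)
{
    arc4_addrandom(c, key, klen);
    for (int n = 0; n < ARC4_DROP; n++) (void)arc4_byte(c);
    c->drawn = 0; c->stirs++;
}

/* Stages (2) and (3): all kernel consumers share one stream that re-keys from
 * the pool once its budget is spent, so reseed timing depends on them all. */
void kernel_getbytes(struct arc4 *k, const struct pool *p, uint8_t *out, size_t n)
{
    for (size_t x = 0; x < n; x++, k->drawn++) {
        if (k->drawn >= RESEED_BYTES) arc4_stir(k, p->buf, POOL_BYTES);
        out[x] = arc4_byte(k);
    }
}

/* Stages (i) to (iii): a process keys its own stream from a chunk of the kernel
 * stream (the sysctl here), never the pool, and repeats this when its budget ends. */
void userland_seed(struct arc4 *u, struct arc4 *k, const struct pool *p)
{
    uint8_t seed[128];
    kernel_getbytes(k, p, seed, sizeof seed);
    arc4_init(u);
    arc4_stir(u, seed, sizeof seed);
}

/* Constructed, deterministic stand-in (an LCG) for real interrupt jitter. */
void boot_kernel(struct pool *p, struct arc4 *k, uint32_t seed, unsigned events)
{
    memset(p, 0, sizeof *p);
    while (events--) pool_add_event(p, seed = seed * 1103515245u + 12345u);
    arc4_init(k);
    arc4_stir(k, p->buf, POOL_BYTES);
}

/* Draw `total` bytes one at a time; return stirs: initial key plus each reseed. */
unsigned simulate(size_t total)
{
    struct pool p; struct arc4 k; uint8_t b;
    boot_kernel(&p, &k, 0x5eed, 1000);
    for (size_t x = 0; x < total; x++) kernel_getbytes(&k, &p, &b, 1);
    return k.stirs;
}

/* 1 when two processes seeded back-to-back get different first 32 bytes. */
int two_processes_differ(void)
{
    struct pool p; struct arc4 k, a, b; uint8_t oa[32], ob[32];
    boot_kernel(&p, &k, 0x5eed, 1000);
    userland_seed(&a, &k, &p); userland_seed(&b, &k, &p);
    for (int x = 0; x < 32; x++) { oa[x] = arc4_byte(&a); ob[x] = arc4_byte(&b); }
    return memcmp(oa, ob, sizeof oa) != 0;
}
```

With these constants simulate(10000) returns 3 (the initial stir plus two budget-triggered reseeds) and two_processes_differ() returns 1.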




Re: carp + client avahi-daemon = OpenBSD kernel hang

2010-10-04 Thread Stuart Henderson
On 2010-10-03, Devin Reade g...@gno.org wrote:
snip *excellent* write-up of the problem and network layout;
if only all problem reports were this good!

So basically there are untrusted machines on the interface on which you
also run pfsync. This is an unsupported configuration, as per pfsync(4):

 It is important that the pfsync traffic be well secured as there is no
 authentication on the protocol and it would be trivial to spoof packets
 which create states, bypassing the pf ruleset.  Either run the pfsync
 protocol on a trusted network - ideally a network dedicated to pfsync
 messages such as a crossover cable between two firewalls, or specify a
 peer address and protect the traffic with ipsec(4).

(though I do think this warning could be strengthened).

There might be a way that this particular problem with multicast traffic
from avahi could be avoided (full pcap traces of the relevant traffic e.g.
tcpdump -i interface -s 1500 -w somefile.pcap would help work this out)
but it's still unsafe. Until you can move to a dedicated nic, I would
suggest switching to using syncpeer in pfsync config, and ipsec with
manual keying to protect the traffic e.g.

isakmpd_flags=-Ka
ipsec=YES

and in ipsec.conf on one side,

flow esp proto pfsync from 1.1.1.1 to 2.2.2.2
esp from 1.1.1.1 to 2.2.2.2 spi 0x12345678:0x9abcdef0 \
	authkey 0x:0x \
	enckey 0x:0x

and the other,

flow esp proto pfsync from 2.2.2.2 to 1.1.1.1
esp from 2.2.2.2 to 1.1.1.1 spi 0x9abcdef0:0x12345678 \
	authkey 0x:0x \
	enckey 0x:0x

(using your own random hex numbers in place of these).

You will probably want to pass the ipsec traffic (proto esp) with
the no-sync option in pf.conf.

(I would not choose to use automatic ipsec keying for this).



No Livelock on 2 Oct 2010 current

2010-10-04 Thread Insan Praja SW

Hi Misc@,
On this machine;

OpenBSD 4.8-current (GENERIC.MP) #5: Sat Oct  2 21:06:09 WIT 2010
r...@border-rf.mygreenlinks.net:/usr/src/sys/arch/i386/compile/GENERIC.MP
RTC BIOS diagnostic error ffixed_disk,invalid_time
cpu0: Intel(R) Xeon(R) CPU X3220 @ 2.40GHz (GenuineIntel 686-class) 2.41  
GHz
cpu0:  
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,S

SE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM
real mem  = 1069002752 (1019MB)
avail mem = 1041489920 (993MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 03/26/07, SMBIOS rev. 2.4 @  
0x3fbe4000 (42 entries)
bios0: vendor Intel Corporation version  
S3000.86B.02.00.0054.061120091710 date 06/11/2009

bios0: Intel S3000AH
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT SLIC FACP APIC WDDT HPET MCFG ASF! SSDT SSDT SSDT SSDT  
SSDT HEST BERT ERST EINJ
acpi0: wakeup devices SLPB(S4) P32_(S4) UAR1(S1) PEX4(S4) PEX5(S4)  
UHC1(S1) UHC2(S1) UHC3(S1) UHC4(S1) EHCI(S1) AC9M(S4) AZAL(

S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 266MHz
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Xeon(R) CPU X3220 @ 2.40GHz (GenuineIntel 686-class) 2.41  
GHz
cpu1:  
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,S

SE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Xeon(R) CPU X3220 @ 2.40GHz (GenuineIntel 686-class) 2.41  
GHz
cpu2:  
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,S

SE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Xeon(R) CPU X3220 @ 2.40GHz (GenuineIntel 686-class) 2.41  
GHz
cpu3:  
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,S

SE3,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM
ioapic0 at mainbus0: apid 5 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 5
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 4 (P32_)
acpiprt2 at acpi0: bus 1 (PEX0)
acpiprt3 at acpi0: bus -1 (PEX1)
acpiprt4 at acpi0: bus -1 (PEX2)
acpiprt5 at acpi0: bus -1 (PEX3)
acpiprt6 at acpi0: bus 2 (PEX4)
acpiprt7 at acpi0: bus 3 (PEX5)
acpicpu0 at acpi0: PSS
acpicpu1 at acpi0: PSS
acpicpu2 at acpi0: PSS
acpicpu3 at acpi0: PSS
acpibtn0 at acpi0: SLPB
bios0: ROM list: 0xc/0x9000 0xc9000/0x1000 0xca000/0x1800  
0xcb800/0x1000

cpu0: Enhanced SpeedStep 2401 MHz: speeds: 2394, 1596 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel E7230 Host rev 0x00
ppb0 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x01: apic 5 int  
17 (irq 255)

pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 4 Intel 82801G PCIE rev 0x01: apic 5 int 17  
(irq 255)

pci2 at ppb1 bus 2
em0 at pci2 dev 0 function 0 Intel PRO/1000 PT (82571EB) rev 0x06: apic  
5 int 16 (irq 9), address 00:15:17:86:52:fc
em1 at pci2 dev 0 function 1 Intel PRO/1000 PT (82571EB) rev 0x06: apic  
5 int 17 (irq 10), address 00:15:17:86:52:fd
ppb2 at pci0 dev 28 function 5 Intel 82801G PCIE rev 0x01: apic 5 int 16  
(irq 255)

pci3 at ppb2 bus 3
em2 at pci3 dev 0 function 0 Intel PRO/1000MT (82573E) rev 0x03: apic 5  
int 17 (irq 10), address 00:15:17:49:04:0d

Intel 82573E Serial rev 0x03 at pci3 dev 0 function 3 not configured
Intel 82573E KCS rev 0x03 at pci3 dev 0 function 4 not configured
uhci0 at pci0 dev 29 function 0 Intel 82801GB USB rev 0x01: apic 5 int  
23 (irq 11)
uhci1 at pci0 dev 29 function 1 Intel 82801GB USB rev 0x01: apic 5 int  
19 (irq 11)
uhci2 at pci0 dev 29 function 2 Intel 82801GB USB rev 0x01: apic 5 int  
18 (irq 11)
uhci3 at pci0 dev 29 function 3 Intel 82801GB USB rev 0x01: apic 5 int  
16 (irq 9)
ehci0 at pci0 dev 29 function 7 Intel 82801GB USB rev 0x01: apic 5 int  
23 (irq 11)

ehci0: timed out waiting for BIOS
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb3 at pci0 dev 30 function 0 Intel 82801BA Hub-to-PCI rev 0xe1
pci4 at ppb3 bus 4
skc0 at pci4 dev 0 function 0 D-Link DGE-530T B1 rev 0x11, Yukon Lite  
(0x9): apic 5 int 21 (irq 11)

sk0 at skc0 port A: address 00:1c:f0:11:6c:d4
eephy0 at sk0 phy 0: 88E1011 Gigabit PHY, rev. 5
em3 at pci4 dev 1 function 0 Intel PRO/1000MT (82540EM) rev 0x02: apic 5  
int 22 (irq 11), address 00:07:e9:0f:44:e3

vga1 at pci4 dev 4 function 0 ATI ES1000 rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
radeondrm0 at vga1: apic 5 int 18 (irq 11)
drm0 at radeondrm0
em4 at pci4 dev 5 function 0 Intel PRO/1000MT (82541GI) rev 0x05: apic 5  
int 17 (irq 10), 

Re: Router components

2010-10-04 Thread Sean Kamath
On Oct 3, 2010, at 11:15 PM, David Higgs wrote:
 NONE OF IT WILL MATTER TO YOU.
 
 I'll google up some smaller systems (Soekris, ALIX, etc?)
 and see how they strike me.  Pointers here are even more welcome, as I
 am not as familiar with this end of the spectrum and want to avoid the
 aforementioned crappy super-low-power systems.

 Thanks for the input.

I just bought an Alix 2d13 board.  Then ended up buying about 7 of them for
work for OOB back-channel machines.

Insanely straightforward, and they Just Work(tm).

Sean



Re: route-to and divert-packet

2010-10-04 Thread Martin Pelikán
2010/10/3, Daniel Browning-Weber weber...@gmail.com:
 Okay, and the divert (4) man page says that outbound packets,
 after being reinjected, are processed directly by the relevant
 IP/IPv6 output function, so I probably can't get pf to take
 another look at them so that route-to will apply.

 If I were feeling brave and wanted to mess with this in the
 kernel, should I try to get the packet's routing changed
 after processing?  Or would it be less insane for me to
 try to play with the routing before the divert?

The code says it well - after your divert(4) client reinjects the
packet back into the kernel, it bypasses any pf checks and goes
straight to the {ip_,ip6_}output function because of possible loops.

What exactly are you trying to accomplish here, with the combination
of these two?
Please be more specific about your goals, not just the technical stuff around.

I'm not sure about this though, but passing the packet to the divert app
and changing IP headers _in there_ should suffice for most of what you'd
accomplish using route-to (now I'm waiting for the cold-shower of
corrections and RTFM's). Provided that your routing table is
consistent with what you want to do, of course.
-- 
Martin Pelikan



Re: BIOCTL Rebuild: invalid argument

2010-10-04 Thread Marco Peereboom
On Mon, Oct 04, 2010 at 06:34:03AM -0700, Clint Pachl wrote:
 I tried to rebuild a single disk in a 4 disk raid-10 array using the
 following command:
 
 # bioctl -R 0:3 sd0
 bioctl: BIOCSETSTATE: invalid argument
 
 What does this mean exactly?
 
 I did rebuild the array via the MegaRAID BIOS utility. Are we able
 to rebuild arrays via bioctl?

No.  You need to use the CTRL-M BIOS thing.  At some point I'll add
support for that to bioctl but currently it is only for softraid.



Re: route-to and divert-packet

2010-10-04 Thread Michele Marchetto
Il giorno lun, 04/10/2010 alle 10.03 -0400, Daniel Browning-Weber ha
scritto:
 Those work great, without the divert-packet.  And the divert-packet
 works great, if I only have one internet connection.  But I'm trying
 to get them to both be applied.

I'll look into that in the next few days, I'm running short of time
currently... :)



Re: Router components

2010-10-04 Thread Forman, Jeffrey
On Mon, Oct 4, 2010 at 2:28 AM, Sean Kamath kam...@geekoids.com wrote:

 I just bought an Alix 2d13 board.  Then ended up buying about 7 of them for
 work for OOB back-channel machines.

 Insanely straightforward, and they Just Work(tm).


I did exactly what Sean did myself several months ago. Purchased a 2d13
board from Netgate [1]. I boot off a 2GB CF card, and stuck a cheap USB HD
off of the alix board. The thing just runs without any fuss. I use it to
connect my home network to another network via OpenVPN over my home Internet
connection. When I get around to it, I might throw a mini-pci 802.11b/g card
in there to create a WAP.

dmesg porn:

OpenBSD 4.7 (GENERIC) #1: Thu Jun  3 07:32:40 EDT 2010
r...@builder47.my.domain:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by AMD PCS (AuthenticAMD 586-class)
499 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX
real mem  = 268009472 (255MB)
avail mem = 250978304 (239MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 11/05/08, BIOS32 rev. 0 @ 0xfd088
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xe/0xa800
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 1 function 0 AMD Geode LX rev 0x33
glxsb0 at pci0 dev 1 function 2 AMD Geode LX Crypto rev 0x00: RNG AES
vr0 at pci0 dev 9 function 0 VIA VT6105M RhineIII rev 0x96: irq 10,
address 00:0d:b9:1b:b6:4c
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
0x004063, model 0x0034
vr1 at pci0 dev 10 function 0 VIA VT6105M RhineIII rev 0x96: irq 11,
address 00:0d:b9:1b:b6:4d
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
0x004063, model 0x0034
vr2 at pci0 dev 11 function 0 VIA VT6105M RhineIII rev 0x96: irq 15,
address 00:0d:b9:1b:b6:4e
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
0x004063, model 0x0034
glxpcib0 at pci0 dev 15 function 0 AMD CS5536 ISA rev 0x03: rev 3, 32-bit
3579545Hz timer, watchdog, gpio
gpio0 at glxpcib0: 32 pins
pciide0 at pci0 dev 15 function 2 AMD CS5536 IDE rev 0x01: DMA, channel 0
wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: SanDisk SDCFH-008G
wd0: 1-sector PIO, LBA, 7641MB, 15649200 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 4
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 15 function 4 AMD CS5536 USB rev 0x02: irq 12, version
1.0, legacy support
ehci0 at pci0 dev 15 function 5 AMD CS5536 USB rev 0x02: irq 12
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 AMD EHCI root hub rev 2.00/1.00 addr 1
isa0 at glxpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 AMD OHCI root hub rev 1.00/1.00 addr 1
biomask 73e7 netmask ffe7 ttymask 
mtrr: K6-family MTRR support (2 registers)
nvram: invalid checksum
umass0 at uhub0 port 1 configuration 1 interface 0 Western Digital External
HDD rev 2.00/1.75 addr 2
umass0: using SCSI over Bulk-Only
scsibus0 at umass0: 2 targets, initiator 0
sd0 at scsibus0 targ 1 lun 0: WD, 2500BMV External, 1.75 SCSI2 0/direct
fixed
sd0: 238475MB, 512 bytes/sec, 488397168 sec total
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
root on wd0a swap on wd0b dump on wd0b
clock: unknown CMOS layout

Cheers,
Jeff

[1] http://store.netgate.com/ALIX2D3-2D13-Kit-Blue-Unassembled-P173C86.aspx



Re: Router components

2010-10-04 Thread Brad Tilley
David Higgs wrote:

big snips

 I know SSDs don't require TRIM, but most benchmarks are made by
 knob-twiddlers that are presumably overemphasizing the performance
 degradation you get without it.  Is this even noticeable in practice?

I've used an inexpensive SSD (cheapest one I could find at the time) in
an Intel Celeron based OpenBSD home firewall for more than a year. It
works fine. Here is part of an old dmesg:

wd0 at pciide1 channel 0 drive 0: Kingston SSDNow V Series 64GB
wd0: 1-sector PIO, LBA, 61057MB, 125045424 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 6

No noise, cool, low power. Try it for a year, then post back your
experience.

Brad



Re: How to use /dev/srandom

2010-10-04 Thread Chris Palmer
Kevin Chadwick writes:

 First I'd ask how well can anyone prove that the NIST statistical test
 suite can reliably judge randomness?

It can't; it can only weed out weak generators but could not distinguish
an entropic generator from, say, MD5. See
http://lcamtuf.coredump.cx/soft/stompy.tgz for some fun.


-- 
http://noncombatant.org/



Re: How to use /dev/srandom

2010-10-04 Thread Kevin Chadwick
Then of course the tiiiny tiiiny problem of defining in code how to _prove_
that the input is random. Proving some input is skewed in one of 123 ways
is easy and relatively fast, but proving that the input data will never
fail a statistical test is.. Hard.

If a situation is possible where a certain device starts doing a ton of
work in a highly regular fashion that the entropy gathering code
doesn't dismiss and so affects the entropy, then I can see this being
useful, but if that was possible which I doubt, then maybe the entropy
gathering should be improved. 

Or do you mean a tool that can alert and so pause actions like ssl if
highly sensitive, which may be useful but it was stated that arandom is
like a duracell bunny on john smiths bitter and won't drain the entropy.

It is more efficient.  There is almost always enough entropy for
arandom, and if there isn't, you would have a hard time detecting
that.

I would be interested what effect an attacker purposefully draining the
entropy could have (Ted's comment suggests little, but you never know)
and if your proposed tool could detect and warn of that.



Re: Mobile VPN

2010-10-04 Thread Shiu Lam

Does anyone know of any OpenVPN client for S60 mobile phones?

Thanks

Claudiu Pruna wrote:

On Sat, 2010-10-02 at 11:56 +0300, Evgeniy Sudyr wrote:
  

I was able to get it working with 4.6/4.7 and E60/E65/E52 it works as
expected :)

Nokia VPN config tool will save hours instead trial by error.

On Fri, Oct 1, 2010 at 10:29 PM, Claudiu Pruna clau...@net-go.net
wrote:

On Fri, 2010-10-01 at 21:19 +0200, David Coppa wrote:

 On Fri, Oct 1, 2010 at 9:11 PM, Claudiu Pruna
clau...@net-go.net wrote:
 I was wondering has anyone got an S60 mobile phone
to connect to
  OpenBSD Ipsec ?
 
 I did some tryies, but no luck.

 Maybe this is of some use:

 http://betabug.ch/wiki/VPNNotes

 I'm sorry, but I have no personal experiences with mobile
vpns...

 cheers,
 david


thanks a lot, sounds very interesting, I will test it and see

what
happens ;)

--

Claudiu Pruna clau...@net-go.net






--
--
With regards,
Eugene Sudyr



Well, I have tried that and ... it works  
Yes, it is working ok, but if your setup is like mine and after
connecting to the ipsec, your internal network contains more branches
connected through vpn and in conclusion the internal network contains
more unroutable ip address classes, the problem appears because you
appear in your network with the ip that your phone gets from the
internet connection it has. So it is a little bit tricky to route your
phone to other ip classes than the one you are directly connected to.
I have used in ipsecctl the tag option, and then in pf.conf I have

created an nat pool which is just for the phones connecting from
outside.

But it is a start, I mean, from no vpn (except symbian pptp) until here
we have already made big progress. It would be nice if we could also get
working the xauth and ip address assigning to phone through ipsec, but
as I am not a developer, I hope it will happen someday.

Cheers




OpenBGP Filter - Selectively Announcing by Peer.

2010-10-04 Thread Eduardo Meyer
Hello,

I want to selectively announce what I get from my peers (whom I am
transit for) for a certain upstream peer. I decided to use community
to do so, like that:

# Add what I get from my transit peers to community $myasn:1010
match from $peer_t1 set community $myasn:1010
match from $peer_t2 set community $myasn:1010

# Selectively announce it to my upstream peer number 2
deny to $peer_up2
allow to $peer_up2 community $myasn:1010

But it did not work.

I don't want to manually declare the networks I get, and my upstream
won't allow me to announce all.

What is wrong with the above OpenBGP rules?

-- 
===
Eduardo Meyer
pessoal: dudu.me...@gmail.com
profissional: ddm.farmac...@saude.gov.br



Re: How to use /dev/srandom

2010-10-04 Thread Janne Johansson
2010/10/4 Kevin Chadwick ma1l1i...@yahoo.co.uk

 Then of course the tiiiny tiiiny problem of defining in code how to _prove_
 that the input is random. Proving some input is skewed in one of 123 ways
 is easy and relatively fast, but proving that the input data will never
 fail a statistical test is.. Hard.

 If a situation is possible where a certain device starts doing a ton of
 work in a highly regular fashion that the entropy gathering code
 doesn't dismiss and so affects the entropy, then I can see this being
 useful, but if that was possible which I doubt, then maybe the entropy
 gathering should be improved.


What I meant was that one can complain that the NIST programs (diehard and
dieharder spring to mind) only do certain tests, but that is just because
no one can make a short program that _proves_ a certain stream is random.
The only thing available seems to be a series of tests against a defined
set of properties a random stream shouldn't have, but that list isn't
conclusive, nor finished. And it probably never will be. It's just among
the best options available right now, and it takes lots of time to run
and it can only disprove certain inputs, not prove randomness in the others.

-- 
 To our sweethearts and wives.  May they never meet. -- 19th century toast
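
As an added example for this thread (not code from dieharder, ent, NIST or any poster), the Python below transcribes two of the NIST SP 800-22 tests Janne and Chris refer to, the frequency (monobit) test and the runs test, and runs them over constructed streams: a biased stream and an alternating 0xaa stream, which the tests reject, and a stream of MD5 digests of a counter, which carries no entropy at all yet is expected to pass exactly as os.urandom output does. That is Chris's point about MD5 and Janne's about the suites: a failed test disproves randomness, a passed one certifies nothing. The sample streams are constructed here; the test transcriptions are simplified from the standard.

```python
"""Two NIST SP 800-22 tests (frequency/monobit, runs) over byte streams.

Added illustration for this thread, not code from dieharder, ent or NIST;
the sample streams are constructed here.  A p-value below alpha rejects
the stream; a p-value above it proves nothing.
"""
import hashlib
import math
import os


def bits_of(data: bytes) -> list:
    """Unpack bytes into 0/1 ints, most significant bit first."""
    return [(b >> k) & 1 for b in data for k in range(7, -1, -1)]


def monobit_pvalue(bits: list) -> float:
    """Frequency test (SP 800-22 sec. 2.1): are ones and zeros balanced?"""
    n = len(bits)
    s = sum(1 if b else -1 for b in bits)          # +1 per one, -1 per zero
    return math.erfc(abs(s) / math.sqrt(n) / math.sqrt(2))


def runs_pvalue(bits: list) -> float:
    """Runs test (SP 800-22 sec. 2.3): does the stream switch between 0 and
    1 about as often as a random one would?  Returns 0.0 when the frequency
    prerequisite fails, as the standard prescribes."""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    runs = 1 + sum(1 for k in range(n - 1) if bits[k] != bits[k + 1])
    expected = 2 * n * pi * (1 - pi)
    return math.erfc(abs(runs - expected) / (2 * math.sqrt(2 * n) * pi * (1 - pi)))


def assess(data: bytes, alpha: float = 0.01) -> dict:
    """Run both tests; 'passed' means neither test could reject the data."""
    bits = bits_of(data)
    p_mono, p_runs = monobit_pvalue(bits), runs_pvalue(bits)
    return {"monobit": p_mono, "runs": p_runs,
            "passed": p_mono >= alpha and p_runs >= alpha}


# Constructed sample streams.

def md5_counter_stream(nbytes: int) -> bytes:
    """MD5 of an incrementing counter: fully predictable, zero entropy."""
    out, counter = bytearray(), 0
    while len(out) < nbytes:
        out += hashlib.md5(counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


def skewed_stream(nbytes: int) -> bytes:
    """90% 0xff bytes followed by 0x00: heavily biased towards ones."""
    ones = nbytes * 9 // 10
    return b"\xff" * ones + b"\x00" * (nbytes - ones)


def alternating_stream(nbytes: int) -> bytes:
    """0xaa repeated (10101010...): balanced, yet the runs test sees it."""
    return b"\xaa" * nbytes


if __name__ == "__main__":
    size = 125_000                                  # one million bits each
    samples = {
        "skewed": skewed_stream(size),
        "alternating": alternating_stream(size),
        "md5-counter": md5_counter_stream(size),
        "os.urandom": os.urandom(size),
    }
    for name, data in samples.items():
        r = assess(data)
        print(f"{name:12s} monobit p={r['monobit']:.4f} runs p={r['runs']:.4f} "
              f"{'pass' if r['passed'] else 'FAIL'}")
```

Note that the alternating stream scores a perfect 1.0 on the frequency test and is only caught by the runs test, which is the practical reason suites like dieharder pile up many tests: each one rules out one family of patterns, and the list of patterns is open-ended.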



Re: How to use /dev/srandom

2010-10-04 Thread Brad Tilley
Janne Johansson wrote:

 What I meant was that one can complain that the NIST programs (diehard and
 dieharder spring to mind) only do certain tests, but that is just because
 no one can make a short program that _proves_ a certain stream is random.
 The only thing available seems to be a series of tests against a defined
 set of properties a random stream shouldn't have, but that list isn't
 conclusive, nor finished.

Check out ent (it's in ports); it does chi-square, entropy, and a few
other tests to grade the data stream. Not perfect, but about the best
you'll do for now.

Brad



Re: How to use /dev/srandom

2010-10-04 Thread Janne Johansson
2010/10/4 Brad Tilley b...@16systems.com

 Janne Johansson wrote:

  What I meant was that one can complain that the NIST programs (diehard
  and dieharder spring to mind) only do certain tests,



 Check out ent (it's in ports); it does chi-square, entropy, and a few
 other tests to grade the data stream. Not perfect, but about the best
 you'll do for now.



List of the CURRENT fully implemented tests (as of the 08/18/08 snapshot):

#===========================================================================#
#     dieharder version 3.29.4beta Copyright 2003 Robert G. Brown          #
#===========================================================================#
Installed dieharder tests:
 Test Number Test Name                                   Test Reliability
===============================================================================
  -d 0       Diehard Birthdays Test                      Good
  -d 1       Diehard OPERM5 Test                         Suspect
  -d 2       Diehard 32x32 Binary Rank Test              Good
  -d 3       Diehard 6x8 Binary Rank Test                Good
  -d 4       Diehard Bitstream Test                      Good
  -d 5       Diehard OPSO                                Good
  -d 6       Diehard OQSO Test                           Good
  -d 7       Diehard DNA Test                            Good
  -d 8       Diehard Count the 1s (stream) Test          Good
  -d 9       Diehard Count the 1s Test (byte)            Good
  -d 10      Diehard Parking Lot Test                    Good
  -d 11      Diehard Minimum Distance (2d Circle) Test   Good
  -d 12      Diehard 3d Sphere (Minimum Distance) Test   Good
  -d 13      Diehard Squeeze Test                        Good
  -d 14      Diehard Sums Test                           Do Not Use
  -d 15      Diehard Runs Test                           Good
  -d 16      Diehard Craps Test                          Good
  -d 17      Marsaglia and Tsang GCD Test                Good
  -d 100     STS Monobit Test                            Good
  -d 101     STS Runs Test                               Good
  -d 102     STS Serial Test (Generalized)               Good
  -d 200     RGB Bit Distribution Test                   Good
  -d 201     RGB Generalized Minimum Distance Test       Good
  -d 202     RGB Permutations Test                       Good
  -d 203     RGB Lagged Sum Test                         Good
  -d 204     RGB Kolmogorov-Smirnov Test Test            Good


-- 
 To our sweethearts and wives.  May they never meet. -- 19th century toast



Re: Incorrect FAQ entry about ksh(1) does not appear to read my .profile

2010-10-04 Thread Amit Kulkarni
Sean, Sorry my bad. Thanks for enlightening me.

Abel, ksh -l works for me and will use both of your suggestions.

Thanks

On Mon, Oct 4, 2010 at 1:24 AM, Sean Kamath kam...@geekoids.com wrote:


 On Oct 3, 2010, at 2:52 PM, Amit Kulkarni wrote:

  Then why is it placed there in the FAQ entry? Somebody thought there's a
  relation there.

 It's there because when you start an X terminal (xterm), you can tell xterm
 (via X resource DB) if you want shells it starts to be login shells, and
 that's what that resource setting is doing.  It is not a resource setting
 for ksh.  Further, it's in the FAQ about why isn't my .profile being read
 for the ksh because most people are completely unaware of what is going on
 when they click that Terminal button.

 .Xdefaults may or may not be read by X-based applications, and is often
 loaded into the Resource DB of the X server on login (depending on the
 system -- everything does it differently).  At one point it was .Xresources
 (which may be what X reads still -- I don't know anymore, I stopped thinking
 about xrdb about 8 years ago).

 The space is completely irrelevant, and this thread should die.

  IMHO, I think ksh should be able to read .profile by default

 The rules of what ksh reads and when are based on ancient login mechanisms
 -- .profile was read only on login.  In the csh, .login was read on login,
 and .cshrc was read on every invocation of csh.

 ksh reads the file pointed to by the environment variable ENV on
 invocation.

 Put things you want to happen when you log in (via SSH, for example) into
 .profile, and also set ENV=$HOME/.kshrc into it.  Then put everything into
 .kshrc that you want to invoke with all subshells.

 It's no good to say I think ksh should do. . . because it ain't gonna
 happen.  It would break all sorts of crap if it did.


 Sean

 PS Linux's pdksh sucks, and does all sorts of weird shit.  OpenBSD's ksh is
 much more sane.


  On Sat, Oct 2, 2010 at 10:39 PM, Abel Abraham Camarillo Ojeda 
  acam...@verlet.org wrote:
 
  .Xdefaults has nothing to do with .profile ...



Re: How to use /dev/srandom

2010-10-04 Thread Brad Tilley
Janne Johansson wrote:

 List of the CURRENT fully implemented tests (as of the 08/18/08 snapshot):
 
 #===========================================================================#
 #     dieharder version 3.29.4beta Copyright 2003 Robert G. Brown          #
 #===========================================================================#
 Installed dieharder tests:
  Test Number Test Name                                   Test Reliability
 ===============================================================================
   -d 0       Diehard Birthdays Test                      Good
   -d 1       Diehard OPERM5 Test                         Suspect
   -d 2       Diehard 32x32 Binary Rank Test              Good
   -d 3       Diehard 6x8 Binary Rank Test                Good
   -d 4       Diehard Bitstream Test                      Good
   -d 5       Diehard OPSO                                Good
   -d 6       Diehard OQSO Test                           Good
   -d 7       Diehard DNA Test                            Good
   -d 8       Diehard Count the 1s (stream) Test          Good
   -d 9       Diehard Count the 1s Test (byte)            Good
   -d 10      Diehard Parking Lot Test                    Good
   -d 11      Diehard Minimum Distance (2d Circle) Test   Good
   -d 12      Diehard 3d Sphere (Minimum Distance) Test   Good
   -d 13      Diehard Squeeze Test                        Good
   -d 14      Diehard Sums Test                           Do Not Use
   -d 15      Diehard Runs Test                           Good
   -d 16      Diehard Craps Test                          Good
   -d 17      Marsaglia and Tsang GCD Test                Good
   -d 100     STS Monobit Test                            Good
   -d 101     STS Runs Test                               Good
   -d 102     STS Serial Test (Generalized)               Good
   -d 200     RGB Bit Distribution Test                   Good
   -d 201     RGB Generalized Minimum Distance Test       Good
   -d 202     RGB Permutations Test                       Good
   -d 203     RGB Lagged Sum Test                         Good
   -d 204     RGB Kolmogorov-Smirnov Test Test            Good


Interesting. Looks like ent with more tests. You should submit a port.



Re: How to use /dev/srandom

2010-10-04 Thread Theo de Raadt
  -d 1       Diehard OPERM5 Test                         Suspect
  -d 14      Diehard Sums Test                           Do Not Use

And from the site:

Note that a few tests appear to have stubborn bugs. In particular,
the diehard operm5 test seems to fail all generators in dieharder.

and:

Similarly, the diehard sums test appears to produce a systematically
non-flat distribution of p-values for all rngs tested, in particular
for the gold standard cryptographic generators aes and threefish, as
well as for the good generators in the GSL (mt19937, taus,
gfsr4). It seems very unlikely that all of these generators would be
flawed in the same way, so this test also should not be used to test
your rng.

Enjoy your windmill tilting.



Re: carp + client avahi-daemon = OpenBSD kernel hang

2010-10-04 Thread Devin Reade
--On Monday, October 04, 2010 12:11:01 PM + Stuart Henderson
s...@spacehopper.org wrote:

 On 2010-10-03, Devin Reade g...@gno.org wrote:
 snip *excellent* write-up of the problem and network layout;
 if only all problem reports were this good!

Thanks.  I'm also a developer, just not in the OpenBSD kernel.

 Until you can move to a dedicated nic, I would
 suggest switching to using syncpeer in pfsync config, and ipsec [snip]

I forgot to include /etc/hostname.pfsync0, but it is using syncpeer on vr0.

 So basically there are untrusted machines on the interface on which you
 also run pfsync.

That depends on your definition of untrusted.  vr0 being the DMZ, all
machines there are under my control and I'm pretty confident that there's
nothing malicious happening.  It is true, though, that there is traffic
other than pfsync on that segment.

Are you suspecting that other traffic (and in particular avahi-daemon)
is interfering with pfsync?

The dual-port NICs arrived, so I can put pfsync on its own interface
now and see if that affects the situation.

One other recent datapoint:  In following Kenneth's suggestion of breaking
into the kernel, I disabled the watchdog and set
 ddb.panic=1
 ddb.console=1
Since then I have had time to trigger only one failure so far (again,
no panic, no automatic drop to ddb), but in that case when I did a
'continue' in ddb, the failed machine returned to operation.  So it
looks like the hang may not have been a permanent hang, but just long
enough to (previously) trigger the watchdog, which had a timeout of 32 seconds.
But that's still inconclusive.  (I have nothing else useful to add
yet re ddb.)

Devin



Re: OpenBGP Filter - Selectively Announcing by Peer.

2010-10-04 Thread Claudio Jeker
On Mon, Oct 04, 2010 at 02:20:55PM -0300, Eduardo Meyer wrote:
 Hello,
 
 I want to selectively announce what I get from my peers (whom I am
 transit for) for a certain upstream peer. I decided to use community
 to do so, like that:
 
 # Add what I get from my transit peers to community $myasn:1010
 match from $peer_t1 set community $myasn:1010
 match from $peer_t2 set community $myasn:1010
 
 # Selectively announce it to my upstream peer number 2
 deny to $peer_up2
 allow to $peer_up2 community $myasn:1010
 
 But it did not work.
 
 I don't want to manually declare the networks I get, and my upstream
 won't allow me to announce all.
 
 What is wrong with the above OpenBGP rules?
 

You need to set the announce type to all, which means process all entries
in the RIB with the outbound filterset. Announce self, which is the
default for eBGP sessions, will block all non-empty AS paths before
passing the prefix to the outbound filtering. As soon as you do transit
you need announce all plus correct filters.

-- 
:wq Claudio



masquerade in smtpd?

2010-10-04 Thread Markus Bergkvist
Can smtpd do masquerading of outgoing email? Something like what is 
described here

http://www.postfix.org/STANDARD_CONFIGURATION_README.html#fantasy

hostname doesn't seem to do the trick.

/Markus



Re: OpenBSD Vim Programming FAQ

2010-10-04 Thread Tomas Vavrys
After 2 months I have to announce that I am unable to finish the
guide. I am too busy at the moment and unfortunately I will be still
busy for a long time. Anyway, there have been a lot of people
interested in this guide, so I suppose someone could use my work/ideas
and make it come true.

Document link (First week progress)
https://docs.google.com/a/cleancode.cz/document/pub?id=11NGGh2Wbr7gESXCCxwHhwe35V_HCROMKNNIQE1qB6-0

Feel free to edit it, keep it or distribute it.



Re: No Livelock on 2 Oct 2010 current

2010-10-04 Thread Stuart Henderson
On 2010-10-04, Insan Praja SW insan.pr...@gmail.com wrote:
 I can't see any livelocks. I'm aware of new algorithm on mclgeti got  
 something to do with this, I just want to confirm this. If this systat  
 output tells me the truth, well that just a huge achievement.

# pstat -d u mcllivelocks

You will probably see more livelocks than before (the detection is more
sensitive), but the effect on network traffic should be smaller.



Re: OpenBGP Filter - Selectively Announcing by Peer.

2010-10-04 Thread Eduardo Meyer
On Mon, Oct 4, 2010 at 6:12 PM, Claudio Jeker cje...@diehard.n-r-g.com wrote:
 On Mon, Oct 04, 2010 at 02:20:55PM -0300, Eduardo Meyer wrote:
 Hello,

 I want to selectively announce what I get from my peers (whom I am
 transit for) for a certain upstream peer. I decided to use community
 to do so, like that:

 # Add what I get from my transit peers to community $myasn:1010
 match from $peer_t1 set community $myasn:1010
 match from $peer_t2 set community $myasn:1010

 # Selectively announce it to my upstream peer number 2
 deny to $peer_up2
 allow to $peer_up2 community $myasn:1010

 But it did not work.

 I don't want to manually declare the networks I get, and my upstream
 won't allow me to announce all.

 What is wrong with the above OpenBGP rules?


 You need to set the announce type to all, which means process all entries
 in the RIB with the outbound filterset. Announce self, which is the
 default for eBGP sessions, will block all non-empty AS paths before
 passing the prefix to the outbound filtering. As soon as you do transit
 you need announce all plus correct filters.

Hello Jeker,

I am announcing all already.

Please enlighten me, when I do a

bgpctl sh rib out nei description

The prefixes I see are the ones the peer *accepted* from me or the
ones I am actually announcing, no matter if the peer accepts or not?

Because I announce all and later, filter by community, and the
above sh rib out nei d shows empty.

Thanks again.


 --
 :wq Claudio





-- 
===
Eduardo Meyer
pessoal: dudu.me...@gmail.com
profissional: ddm.farmac...@saude.gov.br



upgrade to 4.7

2010-10-04 Thread R0me0 ***
Hello misc,

I've a little doubt,

In my old firewall I wrote the rdr rules thus:


rdr pass on egress  - ip port 3030

block log all

pass out on $dmz ... to port 3030

It's fine

now I wrote rules thus:


match in on egress ... rdr-to ip port 3030

block log all

pass in on egress .. to port 3030
pass out on $dmz .. to port 3030

with rdr pass, I don't need write the pass in rule

I must write the rule thus ?

Regards
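The two forms side by side in pf.conf syntax, added here as an example and not taken from the post; the interface and host names are assumptions. The old `rdr pass` both translated and passed the packet in one step, so the redirected traffic never reached a later `block` rule, whereas a `match ... rdr-to` rule only rewrites the destination and the packet is still filtered, so it needs an explicit `pass in` (or translation and pass can be folded into one rule):

```pf
# Assumed values for illustration.
ext_if = "egress"          # interface group of the default-route interface
dmz_if = "em1"             # assumed DMZ interface
srv    = "10.0.1.10"       # assumed DMZ host that receives port 3030

# Pre-4.7 form, kept as a comment (no longer parses on 4.7):
# rdr pass on $ext_if inet proto tcp to ($ext_if) port 3030 -> $srv port 3030
# "rdr pass" translated and passed in one step, so the packet never reached
# the filter rules below and "block log all" did not apply to it.

# 4.7 form: match only rewrites the destination. Filtering still happens,
# and the later rules see the translated address ($srv), not the external one.
match in on $ext_if inet proto tcp to ($ext_if) port 3030 rdr-to $srv port 3030

block log all

# Required: without this the redirected packet is dropped by "block log all".
pass in on $ext_if inet proto tcp to $srv port 3030
pass out on $dmz_if inet proto tcp to $srv port 3030

# Equivalent single rule that translates and passes together:
# pass in on $ext_if inet proto tcp to ($ext_if) port 3030 rdr-to $srv port 3030
```

The practical difference is that the 4.7 syntax forces the pass decision to be written down, so a redirect can no longer silently bypass the filter policy; the pass rule has to name the translated destination because it is evaluated after the match rule has rewritten the packet.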



Re: No Livelock on 2 Oct 2010 current

2010-10-04 Thread David Gwynne
On Mon, Oct 04, 2010 at 10:41:15PM +, Stuart Henderson wrote:
 On 2010-10-04, Insan Praja SW insan.pr...@gmail.com wrote:
  I can't see any livelocks. I'm aware of new algorithm on mclgeti got  
  something to do with this, I just want to confirm this. If this systat  
  output tells me the truth, well that just a huge achievement.
 
 # pstat -d u mcllivelocks
 
 You will probably see more livelocks than before (the detection is more
 sensitive), but the effect on network traffic should be smaller.
 

this restores the visibility of network livelocks to systat.

anyone object? if not i'll commit it tomorrow morning around 10am
in a GMT+10 timezone.

Index: sbin/sysctl/sysctl.c
===
RCS file: /cvs/src/sbin/sysctl/sysctl.c,v
retrieving revision 1.173
diff -u -p -r1.173 sysctl.c
--- sbin/sysctl/sysctl.c19 Aug 2010 18:14:14 -  1.173
+++ sbin/sysctl/sysctl.c5 Oct 2010 01:20:59 -
@@ -447,6 +447,9 @@ parse(char *string, int flags)
case KERN_CONSDEV:
special |= CHRDEV;
break;
+   case KERN_NETLIVELOCKS:
+   special |= UNSIGNED;
+   break;
}
break;
 
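Review bot: the UNSIGNED flag added for KERN_NETLIVELOCKS makes sysctl(8) print kern.netlivelocks as an unsigned value, but the kernel side in this same diff returns it through sysctl_rdint() and sysctl.h declares it CTLTYPE_INT with an "int:" comment, so the three places disagree on the type; pick one representation (unsigned everywhere, or a plain int here as well) so that sysctl(8), sysctl(3) and the kernel agree.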
Index: sys/kern/kern_sysctl.c
===
RCS file: /cvs/src/sys/kern/kern_sysctl.c,v
retrieving revision 1.193
diff -u -p -r1.193 kern_sysctl.c
--- sys/kern/kern_sysctl.c  23 Sep 2010 13:24:22 -  1.193
+++ sys/kern/kern_sysctl.c  5 Oct 2010 01:21:02 -
@@ -110,6 +110,7 @@ extern int nselcoll, fscale;
 extern struct disklist_head disklist;
 extern fixpt_t ccpu;
 extern  long numvnodes;
+extern u_int mcllivelocks;
 
 extern void nmbclust_update(void);
 
@@ -585,6 +586,8 @@ kern_sysctl(int *name, u_int namelen, vo
else
dev = NODEV;
return sysctl_rdstruct(oldp, oldlenp, newp, dev, sizeof(dev));
+   case KERN_NETLIVELOCKS:
+   return (sysctl_rdint(oldp, oldlenp, newp, mcllivelocks));
default:
return (EOPNOTSUPP);
}
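Review bot: in the KERN_NETLIVELOCKS case mcllivelocks is a u_int (per the extern above) but is handed to sysctl_rdint(), which takes an int, so the counter is silently narrowed to a signed type and would read negative after 2^31 livelocks; if the intent is an unsigned sysctl, return it as such and match the CTLTYPE in sysctl.h, otherwise make the variable an int. Using the read-only sysctl_rdint() path is right, since there is no reason to let userland reset the counter.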
Index: sys/sys/sysctl.h
===
RCS file: /cvs/src/sys/sys/sysctl.h,v
retrieving revision 1.106
diff -u -p -r1.106 sysctl.h
--- sys/sys/sysctl.h19 Aug 2010 18:14:13 -  1.106
+++ sys/sys/sysctl.h5 Oct 2010 01:21:03 -
@@ -190,7 +190,8 @@ struct ctlname {
 #defineKERN_FILE2  73  /* struct: file entries */
 #defineKERN_RTHREADS   74  /* kernel rthreads support 
enabled */
 #defineKERN_CONSDEV75  /* dev_t: console terminal 
device */
-#defineKERN_MAXID  76  /* number of valid kern ids */
+#defineKERN_NETLIVELOCKS   76  /* int: number of network 
livelocks */
+#defineKERN_MAXID  77  /* number of valid kern ids */
 
 #defineCTL_KERN_NAMES { \
{ 0, 0 }, \
@@ -269,6 +270,7 @@ struct ctlname {
{ file2, CTLTYPE_STRUCT }, \
{ rthreads, CTLTYPE_INT }, \
{ consdev, CTLTYPE_STRUCT }, \
+   { netlivelocks, CTLTYPE_INT }, \
 }
 
 /*
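Review bot: the new kern.netlivelocks variable is not documented anywhere in this diff; sysctl(3) lists every KERN_* name and sysctl(8) describes the kern.* variables, and both should get an entry saying that the counter is read-only, what a network livelock is, and that it counts events since boot, since the name alone will send people to the source to find out.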
Index: usr.bin/systat/mbufs.c
===
RCS file: /cvs/src/usr.bin/systat/mbufs.c,v
retrieving revision 1.29
diff -u -p -r1.29 mbufs.c
--- usr.bin/systat/mbufs.c  23 Sep 2010 10:49:55 -  1.29
+++ usr.bin/systat/mbufs.c  5 Oct 2010 01:21:04 -
@@ -41,6 +41,7 @@ struct mclpool_info {
 int mclpool_count = 0;
 int mbpool_index = -1;
 struct pool mbpool;
+u_int mcllivelocks = 0;
 
 /* interfaces */
 static int num_ifs;
@@ -198,6 +199,15 @@ read_mb(void)
int i, p, nif, ret = 1;
size_t size;
 
+   mib[0] = CTL_KERN;
+   mib[1] = KERN_NETLIVELOCKS;
+   size = sizeof(mcllivelocks);
+   if (sysctl(mib, 2, mcllivelocks, size, NULL, 0)  0 
+   errno != EOPNOTSUPP) {
+   error(sysctl(KERN_NETLIVELOCKS));
+   goto exit;
+   }
+
num_disp = 0;
if (getifaddrs(ifap)) {
error(getifaddrs: %s, strerror(errno));
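Review bot: when sysctl() fails with EOPNOTSUPP (a kernel without KERN_NETLIVELOCKS) the code falls through and mcllivelocks keeps its initial 0, so the LLOCKS column shows 0 on an old kernel, which reads as "no livelocks" rather than "unknown"; consider remembering the failure and printing a blank or "-" for the field in that case. Any other errno still aborts read_mb(), so the whole mbuf view disappears if the sysctl fails for an unexpected reason, which is probably harsher than needed for one informational counter.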
@@ -341,6 +351,7 @@ showmbuf(struct if_info *ifi, int p, int
print_fld_str(FLD_MB_IFACE, ifi-name);
 
if (p == -1  ifi == interfaces) {
+   print_fld_uint(FLD_MB_LLOCKS, mcllivelocks);
print_fld_size(FLD_MB_MSIZE, mbpool.pr_size);
print_fld_size(FLD_MB_MALIVE, mbpool.pr_nget - mbpool.pr_nput);
print_fld_size(FLD_MB_MHWM, mbpool.pr_hiwat);
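Review bot: FLD_MB_LLOCKS used to be filled per interface from ifi_livelocks and is now a single system-wide counter printed only on the first interface row, so the column header stays the same while its meaning changes; the systat(1) description of the mbuf view should say the value is global, otherwise readers will take it as a per-interface figure.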
@@ -349,8 +360,6 @@ showmbuf(struct if_info *ifi, int p, int
 #if NOTYET
print_fld_uint(FLD_MB_RXDELAY, ifi-data.ifi_rxdelay);
print_fld_uint(FLD_MB_TXDELAY, ifi-data.ifi_txdelay);
-   if (ifi-data.ifi_livelocks)
-   print_fld_size(FLD_MB_LLOCKS, ifi-data.ifi_livelocks);
 

Re: OpenBSD Vim Programming FAQ

2010-10-04 Thread Marco Peereboom
It asks for a password and shit.  Not sure how I could use this.

On Mon, Oct 04, 2010 at 11:32:10PM +0200, Tomas Vavrys wrote:
 After 2 months I have to announce that I am unable to finish the
 guide. I am too busy at the moment and unfortunately I will be still
 busy for a long time. Anyway, there has been a lot of people
 interested in this guide, so I suppose someone could use my work/ideas
 and make it come true.
 
 Document link (First week progress)
 https://docs.google.com/a/cleancode.cz/document/pub?id=11NGGh2Wbr7gESXCCxwHhwe35V_HCROMKNNIQE1qB6-0
 
 Feel free to edit it, keep it or distribute it.



Re: masquerade in smtpd?

2010-10-04 Thread Gilles Chehade

 On 10/4/2010 11:28 PM, Markus Bergkvist wrote:
Can smtpd do masquerading of outgoing email? Something like what is 
described here

http://www.postfix.org/STANDARD_CONFIGURATION_README.html#fantasy

hostname doesn't seem to do the trick.

/Markus


It currently can't.
I have a diff somewhere which brings initial (and basic) support for 
masquerading, I need to dig it up and see if it still works


Gilles