Re: dhclient broken on 2015-09-21 amd64 snapshot

2015-09-23 Thread Stuart Henderson
On 2015/09/23 08:16, Kurt Mosiejczuk wrote:
> On Wed, Sep 23, 2015 at 07:37:05AM +, Stuart Henderson wrote:
> > On 2015-09-22, Kurt Mosiejczuk  wrote:
> > > I just updated my current box to yesterday's (2015-09-21) snapshot.  Now
> > > it won't keep a network address.  
> 
> > That's a recent bug - should be fixed if you update again.
> 
> Excellent.  I'll watch my mirror for a newer snapshot.  It just occurred
> to me I didn't have a problem when using bsd.rd.  Hopefully that is still
> true when I try and install the new snapshot.
> 
> Can you point me at the bug fix?  I was looking at cvsweb again and the
> newest change I could see there is 2 weeks ago...

I believe this is the issue fixed by this commit - if you saved the
previous kernel before updating, you might be able to boot with that
instead.

-
PatchSet 4122 
Date: 2015/09/22 11:05:00
Author: mpi
Branch: HEAD
Tag: (none) 
Log:
When a connected route is deleted, pass the corresponding priority to
rtrequest1(9) otherwise the route will remain attached to a stale ifa.

Found by matthieu@

Members: 
route.c:1.240->1.241 

Index: src/sys/net/route.c
diff -u src/sys/net/route.c:1.240 src/sys/net/route.c:1.241
--- src/sys/net/route.c:1.240   Mon Sep 21 11:15:27 2015
+++ src/sys/net/route.c Tue Sep 22 10:05:00 2015
@@ -1,4 +1,4 @@
-/* $OpenBSD: route.c,v 1.240 2015/09/21 11:15:27 mpi Exp $ */
+/* $OpenBSD: route.c,v 1.241 2015/09/22 10:05:00 mpi Exp $ */
 /* $NetBSD: route.c,v 1.14 1996/02/13 22:00:46 christos Exp $  */
 
 /*
@@ -1267,6 +1267,9 @@
 
if (flags & (RTF_LOCAL|RTF_BROADCAST))
prio = RTP_LOCAL;
+
+   if (flags & RTF_CONNECTED)
+   prio = RTP_CONNECTED;
 
error = rtrequest1(RTM_DELETE, , prio, , rtableid);
if (error == 0) {
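Review bot: In the @@ -1267 hunk the new `if (flags & RTF_CONNECTED)` test is a separate `if`, not an `else if` of the `RTF_LOCAL|RTF_BROADCAST` check above it, so when both conditions hold `prio` ends up as RTP_CONNECTED and the earlier RTP_LOCAL assignment is silently overwritten. If that precedence is intended, a one-line comment saying so would help the next reader; if the two flag sets are meant to be mutually exclusive at this point, `else if` would state it directly.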



Separators [Was: lighter sleep]

2015-09-23 Thread Douglas Ray

North American? ...

On 22/09/15 12:45 AM, Mark Kettenis wrote:

> > From: Christian Weisgerber
> > Date: Mon, 21 Sep 2015 14:29:03 + (UTC)
> >
> > On 2015-09-21, Stefan Sperling wrote:
> >
> > > The function that parses funny numbers is iswdigit() which gets a wchar_t.
> > > But sleep(1) doesn't need that.
> >
> > The sole somewhat realistic use of i18n in sleep(1) is the decimal
> > separator, so you could do
> >
> > $ sleep 1,5
> >
> > in an appropriate locale.  Of course the current code doesn't support
> > that.
>
> And fortunately POSIX agrees with our implementation:
>
>    The following operand shall be supported:
>
>    time
>      A non-negative decimal integer specifying the number of
>      seconds for which to suspend execution.
>
> You could argue that the thousands separator should be supported though:
>
>    $ sleep 1.000.000
>
> if your locale is something vaguely european, and
>
>    # sleep 1,000,000
>
> for the north-americans.

I grew up with "," separators as British Commonwealth, not
North American.  The Commonwealth does extend beyond Canada;
the British Empire precedes the USA; so you might just call
"," (as 10^3 separators) British, Commonwealth or non-Euro.

Douglas (Australia)

> But let's not go there...




Re: ugen0 instead of urtwn0

2015-09-23 Thread Thuban
> Those instructions are for 5.8 or possibly 5.7, they aren't needed for
> -current snapshots which already include this change.
>
Of course, I read the files.

--
Thuban
PubKey : http://yeuxdelibad.net/Divers/thuban.pub

[demime 1.01d removed an attachment of type application/pgp-signature which had 
a name of signature.asc]



Gmane carries Squish OpenBSD Source Changes aggregate lists

2015-09-23 Thread lists
Hi misc@ advocacy@

As mentioned on the OpenBSD Mailing Lists page [1] in the Other Lists
section, the fine folks at squish.net [2] run daily and weekly source
changes and ports changes summary lists:

[1] http://www.openbsd.org/mail.html#OtherLists
[2] http://www.squish.net/log/openbsd-source-changes/

Since May 2015 these are now carried also by Gmane [3] at yours truly's
humble request and with the kind cooperation of Lars Ingebrigtsen
(responsible for and running Gmane and other useful services and
software tools)

[3] http://news.gmane.org/search.php?match=openbsd.changes

These are now tested for a while and supposedly September is a good
month to announce this insignificant addition, and the fact that these
are also available by NNTP as well as honourable mention in the List
Archives [4] section of the OpenBSD Mailing Lists page:

[4] http://www.openbsd.org/mail.html#Archives

Thank you for your time reading this, and everyone participating.

Regards,
Anton



Re: ugen0 instead of urtwn0

2015-09-23 Thread Stuart Henderson
On 2015-09-23, Thuban  wrote:
> * Stefan Sperling on [22-09-2015 11:33:28 +0200]:
>>
>> Starting with pristine OpenBSD 5.8 kernel source (or 5.7, if you want to
>> try your luck), add the line
[..snip..]

> Thank you for these very complete explanations.
>
> Currently, I can't build the kernel without any error with the last
> snapshot, even without modifying anything.
> Same with current.
> I'll wait some time and see.

Those instructions are for 5.8 or possibly 5.7, they aren't needed for
-current snapshots which already include this change.



rookie questions about flavors

2015-09-23 Thread Thuban
Hello,
I'm not sure I understand some points correctly:
1. A snapshot is a build made at one time of the development, more
recent than *-stable* flavor.
It is not *-current*. Can we consider a snapshot as an unreleased *5.8*
at this time? Or is it above *5.8*?
2. In order to build the system, one can choose :
- to follow *-current* with `cvs -d$CVSROOT checkout -P src`
- to follow *-stable* with `cvs -d$CVSROOT checkout -rOPENBSD_5_7 -P src`

Is it possible to upgrade from 5.7 to 5.8 using this flag :
cvs -d$CVSROOT checkout -rOPENBSD_5_8 -P src

3. If one uses a 5.8 snapshot (i.e [1] ), is it possible to apply updates
for 5.8 *-stable* later? And if so, what PKG_PATH should be used to stay
on 5.8?

PKG_PATH=http://ftp.eu.openbsd.org/pub/OpenBSD/snapshots/packages/`uname -m`/

then switch to

PKG_PATH=http://ftp.eu.openbsd.org/pub/OpenBSD/5.8/packages/`uname -m`/

when 5.8 is released?
The missing packages must be replaced with ports build until the 19 Oct?

Sorry for the long message. I know the best is to use *-current* or a
*-stable* flavor, but I wish to understand these points in order to keep
things clean.

Regards

[1] : http://ftp.openbsd.org/pub/OpenBSD/snapshots/amd64/install58.iso
--
Thuban




Re: rookie questions about flavors

2015-09-23 Thread Peter N. M. Hansteen
On Wed, Sep 23, 2015 at 02:55:21PM +0200, Thuban wrote:
> Hello,
> I'm not sure I understand some points correctly:
> 1. A snapshot is a build made at one time of the development, more
> recent than *-stable* flavor.
> It is not *-current*. Can we consider a snapshot as an unreleased *5.8*
> at this time. Or is it above *5.8*?

Actually, snapshots are in almost all cases built from -current cvs checkouts.
At times snaps have included not yet committed code that was in need of testing,
but I'm not too sure how often that has happened recently. 

So any snapshot you download by now is past 5.8, with hints of things that will
be in 5.9 (but the exact feature set of 5.9 is not yet known). 

> Is it possible to upgrade from 5.7 to 5.8 using this flag :
> cvs -d$CVSROOT checkout -rOPENBSD_5_8 -P src

In almost all cases, a binary upgrade followed by sysmerge will be quicker and
easier, but in the general case, yes.

> 3. If one uses a 5.8 snapshot (i.e [1] ), is it possible to apply updates
> for 5.8 *-stable* later? 

No. As I said earlier (and would be clear from a careful reading of the FAQ),
snapshots track -current, not -stable.

- Peter 

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Making IPv6 NAT prefer privacy address

2015-09-23 Thread Marios Makassikis
On 23 September 2015 at 15:34, Giancarlo Razzolini  wrote:
> On 23-09-2015 04:40, Stuart Henderson wrote:
>> Saves messing about with DHCPv6-PD
>
> I see. So you translate from what exactly? Wouldn't it be better to use
> af-to instead of nat?

Hello,

Rather than announcing the prefix obtained via DHCPv6-PD you can pick a prefix
from fd00::/8 and announce that on your network.
It is the equivalent to RFC1918 addresses, except it is for IPv6.
Therefore, it is not routable and you need to perform NAT on it. The global
address is the one the router obtained via static configuration/SLAAC/DHCPv6,
which will then be used by all your clients.

> But I can relate to that, given that my CPE will
> give me a PD, but won't route packets back because it thinks the prefix
> is reachable using NDP. Hence the need for a proxy, which OpenBSD
> currently doesn't have.
>
> Cheers,
> Giancarlo Razzolini
>

Your CPE will see only the OpenBSD router's address so it should work.

Marios



Re: Making IPv6 NAT prefer privacy address

2015-09-23 Thread Giancarlo Razzolini
On 23-09-2015 04:40, Stuart Henderson wrote:
> Saves messing about with DHCPv6-PD

I see. So you translate from what exactly? Wouldn't it be better to use
af-to instead of nat? But I can relate to that, given that my CPE will
give me a PD, but won't route packets back because it thinks the prefix
is reachable using NDP. Hence the need for a proxy, which OpenBSD
currently doesn't have.

Cheers,
Giancarlo Razzolini



Re: Booting Live openbsd image on fat32 media

2015-09-23 Thread bytevolcano
The Windows DISKPART command-line utility (Windows Vista and later) can
split your USB disk into multiple partitions.

There are no GUI tools that can do this, to the best of my knowledge,
though perhaps the Disk Management (diskmgmt.msc) snap-in can.

On Mon, 21 Sep 2015 16:24:40 +0330
Mohammad BadieZadegan  wrote:

> OK, It's true,
> But splitting the memstick into 2 partitions causes more questions:
> 1. What tools can do that best?
> 2. What is the size of partitions?
> 3. How can I write OpenBSD memstick image on the last partition?
> 
> On Mon, Sep 21, 2015 at 4:12 PM, Dmitrij D. Czarkoff
>  wrote:
> 
> > Mohammad BadieZadegan said:
> > > How to put OpenBSD image on it that doesn't corrupt its file system or
> > > booting OpenBSD?
> >
> > The easiest way is to split your drive in two partitions: first one
> > should be FAT32 if you want it so, and the last one should be
> > OpenBSD slice.
> >
> > Windows and most consumer devices' firmwares don't read partition
> > table on USB flash devices, so these systems won't notice your
> > OpenBSD partition, but it will be bootable.
> >
> > --
> > Dmitrij D. Czarkoff



Re: rookie questions about flavors

2015-09-23 Thread Thuban
Thanks a lot for this answer.

> > 3. If one uses a 5.8 snapshot (i.e [1] ), is it possible to apply updates
> > for 5.8 *-stable* later?
>
> No. As I said earlier (and would be clear from a careful reading of the FAQ),
> snapshots track -current, not -stable.

Finding an install58.iso in a snapshot directory gave me some doubts
about what I understood in the FAQ (as English is not my first
language).

--
Thuban
PubKey : http://yeuxdelibad.net/Divers/thuban.pub




Re: rookie questions about flavors

2015-09-23 Thread Josh Grosse

On 2015-09-23 09:41, Peter N. M. Hansteen wrote:
> On Wed, Sep 23, 2015 at 02:55:21PM +0200, Thuban wrote:
>
>> Is it possible to upgrade from 5.7 to 5.8 using this flag :
>> cvs -d$CVSROOT checkout -rOPENBSD_5_8 -P src
>
> In almost all cases, a binary upgrade followed by sysmerge will be quicker and
> easier, but in the general case, yes.

Source code "upgrades" are possible, but completely unsupported.  So any user
conducting one is entirely on his own.  I used to do this when I was preparing
live media images some years ago, so they would be ready the same day as an
actual release.

It requires *very* careful application of the Following -current FAQ entries,
especially any ABI/API changes -- the so-called "flag day" actions.

---

(I cannot believe I'm offering any sort of correction of a statement by
Peter Hansteen.  Is the sky falling?)



Re: dhclient broken on 2015-09-21 amd64 snapshot

2015-09-23 Thread Kurt Mosiejczuk
On Wed, Sep 23, 2015 at 07:37:05AM +, Stuart Henderson wrote:
> On 2015-09-22, Kurt Mosiejczuk  wrote:
> > I just updated my current box to yesterday's (2015-09-21) snapshot.  Now
> > it won't keep a network address.  

> That's a recent bug - should be fixed if you update again.

Excellent.  I'll watch my mirror for a newer snapshot.  It just occurred
to me I didn't have a problem when using bsd.rd.  Hopefully that is still
true when I try and install the new snapshot.

Can you point me at the bug fix?  I was looking at cvsweb again and the
newest change I could see there is 2 weeks ago...

> > Did the dhclient change get overlooked?  Am I doing something else
> > obviously wrong?

> This is unrelated, but dhclient just needed recompiling with the updated
> headers ("include files") to know about the larger ifmedia struct, it
> just uses it to check link status and didn't require any code changes.
> On the other hand ifconfig does more processing with the media status,
> e.g. passing the type to another function to look up the text description,
> so the variable types need changing so that the larger values fit.

Okay, good.  Also glad I didn't work hard on getting an up to date source
tree on the machine with no network currently to try and fix it :)

> BTW this ifmedia change was because we were running out of space in
> the structure for different media types (10base2, 10baseT, 100baseTX,
> 1000baseSX, 1000baseT etc for ethernet, various modulation types for
> 802.11 wireless, etc), the change allows space for more types for
> future use (e.g. there's an IEEE working group, 802.3bz, looking at
> standardizing 2.5/5Gb over cat5e, and other existing standards we don't
> support yet).

Cool.  Thanks for the explanation on the change.

--Kurt



Re: rookie questions about flavors

2015-09-23 Thread Ted Unangst
Josh Grosse wrote:
> On 2015-09-23 09:41, Peter N. M. Hansteen wrote:
> > On Wed, Sep 23, 2015 at 02:55:21PM +0200, Thuban wrote:
> 
> >> Is it possible to upgrade from 5.7 to 5.8 using this flag :
> >> cvs -d$CVSROOT checkout -rOPENBSD_5_8 -P src
> > 
> > In almost all cases, a binary upgrade followed by sysmerge will be 
> > quicker and
> > easier, but in the general case, yes.
> 
> Source code "upgrades" are possible, but completely unsupported.  So any 

One of the reasons they're not supported is because that's not how developers
upgrade. In particular, the machines building the 5.8 release were not
upgraded from 5.7 that way. They were building current the whole time in
between. You may well be the first person to even try it.



Re: SR RAID5 rebuild/stability issue.

2015-09-23 Thread Joel Sing
On Tuesday 22 September 2015 09:58:57 Karel Gardas wrote:
> On Tue, Sep 22, 2015 at 3:20 AM, Chris Cappuccio  wrote:
> > Karel Gardas [gard...@gmail.com] wrote:
> >> Let me ask, should SR RAID5 survive such testing or is for example
> >> rebuilding with off-lined drive considered unsupported feature?
> > 
> > It's new, considered experimental and not well tested.
> 
> OK so I'll omit this from my testing.
> 
> > Are you working with someone to bring your RAID1 changes in tree? The
> > complete, understood improvements should be individually labeled
> > and committed, one by one.
> 
> So far on tech@ I was merely ignored, but this is probably due to the
> fact that I posted patches[1][2][3] clearly marked as a
> work-in-progress. Once the patch is complete I will offer my view how
> it may be divided and perhaps discussion will start...

It has not been ignored; but you've not yet received a reply :)

> [1] https://www.mail-archive.com/tech@openbsd.org/msg25388.html
> [2] https://www.mail-archive.com/tech@openbsd.org/msg25419.html
> [3] https://www.mail-archive.com/tech@openbsd.org/msg25716.html



Re: Making IPv6 NAT prefer privacy address

2015-09-23 Thread Giancarlo Razzolini
On 23-09-2015 11:49, Stuart Henderson wrote:
> Exactly. It also makes it easier to handle multiple ISPs for load-balancing
> or failover, which IPv6 handles poorly (short of using BGP).

Wouldn't multipath and properly constructed ifstated scripts be better
in this case? Like reloading dhcpv6 servers, rtadvd, and anchors, etc.

>
> Also it's good for winding up IPv6 purists :-)

Wound up me. :-)  

Cheers,
Giancarlo Razzolini



Re: rookie questions about flavors

2015-09-23 Thread David Dahlberg
On Wednesday, 23.09.2015, 14:55 +0200, Thuban wrote:
> 1. A snapshot is a build made at one time of the development, more
> recent than *-stable* flavor.

Correct.

> It is not *-current*. Can we consider a snapshot as an unreleased 
> *5.8*
> at this time. Or is it above *5.8*?

At this point of time, it is fresher than 58. Look at -snapshot more as
the -current of a few days ago (depending on your architecture).

> 2. In order to build the system, one can choose :
> - to follow *-current* with `cvs -d$CVSROOT checkout -P src`
> - to follow *-stable* with `cvs -d$CVSROOT checkout -rOPENBSD_5_7 -P src`
> 
> Is it possible to upgrade from 5.7 to 5.8 using this flag :
> cvs -d$CVSROOT checkout -rOPENBSD_5_8 -P src

Er, ay, never done it this way but I should think so, if you do it
carefully. You should follow the instructions on the website
nevertheless. 

> 3. If one uses a 5.8 snapshot (i.e [1] ), is it possible to apply
> updates
> for 5.8 *-stable* later?

No, as -snapshot is already newer than 58.

> Sorry for the long message. I know the best  is to use *-current* or a
> *-stable* flavor, but I wish to understand these points in order to
> keep
> things clean.

Well, usually there are two paths:

To follow -current:
* Use -snapshots
* Update to -current (CVS) when you require it
  (e.g. to test some new code).

To follow -stable(ish):
* Install a -release
* Update from CVS
* OR use errata patches
* OR use M:TIER stable service

-- 
David Dahlberg 

Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845
Fraunhoferstr. 20, 53343 Wachtberg, Germany| Fax: +49-228-856277



Re: Making IPv6 NAT prefer privacy address

2015-09-23 Thread Giancarlo Razzolini
On 23-09-2015 11:16, Marios Makassikis wrote:
> Rather than announcing the prefix obtained via DHCPv6-PD you can pick a prefix
> from fd00::/8 and announce that on your network.
> It is the equivalent to RFC1918 addresses, except it is for IPv6.

Figured it. These are ULA, right?

> Therefore, it is
> not routable and you need to perform NAT on it. The global address is the one
> the router obtained via static configuration/SLAAC/DHCPv6, which will then be
> used by all your clients.

It kind of defeats the purpose of IPv6, doesn't it?

> Your CPE will see only the OpenBSD router's address so it should work.

I ended up setting up a bridge for that. It's harder to filter on them
though. I plan to port some NDP proxy to OpenBSD, but all of the
candidates looked very cumbersome to my taste. I'll eventually have to
do it, unless someone else beats me to it.

Cheers,
Giancarlo Razzolini



Re: SR RAID5 rebuild/stability issue.

2015-09-23 Thread Joel Sing
On Monday 21 September 2015 23:02:39 Karel Gardas wrote:
> Hello,
> 
> due to work on SR RAID1 check summing support where I've touched SR
> RAID internals (workunit scheduling) I'd like to test SR RAID5/6
> functionality on snapshot and on my tree to see that I've not broken
> the stuff while hacking it. My current problem is that I'm not able to
> come with some testing which would not break RAID5 (I'm starting with
> it) after several hours of execution while using snapshot. My test is
> basically:
> - on one console in loop
>   mount raid to /raid
>   rsync /usr/src/ to /raid
>   compute sha1 sums of all files in /raid
>   umount /raid
>   mount /raid
>   check sha1 -- if failure, fail the test, if not, just repeat
> - on another console in loop
>   - off line random drive
>   - wait random time (up to minute)
>   - rebuild raid with the offlined drive
>   - wait random time (up to 2 minutes)
>   - repeat
> 
> Now, the issue with this is that I get sha1 errors from time to time.
> Usually in such case the problematic source file contain some garbage.
> Since I do not yet have a machine dedicated to this testing, I'm using
> for this thinkpad T500 with one drive. I just created 4 RAID slices in
> OpenBSD partition. Last week I've been using vndX devices (and files),
> but this way I even got to kernel panic (on snapshot) like this one:
> http://openbsd-archive.7691.n7.nabble.com/panic-ffs-valloc-dup-alloc-td254738.html
> -- so this weekend I've started testing with slices and so far not
> panic, but still data corruption issue. Last snapshot I'm using for testing
> is from last Sunday.
> 
> Let me ask, should SR RAID5 survive such testing or is for example
> rebuilding with off-lined drive considered unsupported feature?

RAID5 should work (ignore RAID6 - it is still incomplete) and rebuilding 
should be functional:

 http://undeadly.org/cgi?action=article=20150413071009

When I reenabled RAID5, I had tested it reasonably as I could, but it still 
needs to be put through its paces. How are you offlining the drive? If you're 
doing it via bioctl then it will potentially behave differently to a hardware 
failure (top down through the bio(4)/softraid(4) driver, instead of bottom up 
via the I/O path). If you can dependably reproduce the issue then I would 
certainly be interested in tracking down the cause.



Re: Making IPv6 NAT prefer privacy address

2015-09-23 Thread Stuart Henderson
On 2015/09/23 16:16, Marios Makassikis wrote:
> On 23 September 2015 at 15:34, Giancarlo Razzolini  
> wrote:
> > On 23-09-2015 04:40, Stuart Henderson wrote:
> >> Saves messing about with DHCPv6-PD
> >
> > I see. So you translate from what exactly? Wouldn't it be better to use
> > af-to instead of nat?
> 
> Hello,
> 
> Rather than announcing the prefix obtained via DHCPv6-PD you can pick a prefix
> from fd00::/8 and announce that on your network.
> It is the equivalent to RFC1918 addresses, except it is for IPv6.
> Therefore, it is
> not routable and you need to perform NAT on it. The global address is the one
> the router obtained via static configuration/SLAAC/DHCPv6, which will then be
> used by all your clients.
> 
> > But I can relate to that, given that my CPE will
> > give me a PD, but won't route packets back because it thinks the prefix
> > is reachable using NDP. Hence the need for a proxy, which OpenBSD
> > currently doesn't have.
> >
> > Cheers,
> > Giancarlo Razzolini
> >
> 
> Your CPE will see only the OpenBSD router's address so it should work.

Exactly. It also makes it easier to handle multiple ISPs for load-balancing
or failover, which IPv6 handles poorly (short of using BGP).

Also it's good for winding up IPv6 purists :-)



Re: rookie questions about flavors

2015-09-23 Thread Josh Grosse

On 2015-09-23 10:52, Ted Unangst wrote:
> You may well be the first person to even try it.

Peter was correct, though.  It is *possible*.  :)

I haven't produced live media since 5.1, so it's been several years
since I last needed to do this.  And, if I'd done a better job of
pre-launch planning, I'd have built from a previous -current rather
than already having all my -current systems beyond the next -release.



Re: Making IPv6 NAT prefer privacy address

2015-09-23 Thread Sly Midnight
Giancarlo,

Why are you unable to route your DHCPv6-PD?  I ask because I have been
able to use OpenBSD as a typical IPv4 NAT type of router as well as a
pure IPv6 router (does use pf for firewalling the router and the PD
subnet, but no NAT on IPv6) all for my home network LAN.

I use a fair bit of custom scripts and a little known DHCPv6 client
software not available in OpenBSD ports (at least last time I checked)
to make it all work.  But I've been using this setup now for at least 2
or more years now successfully and it can sometimes run reliably for 6
months without a hiccup.

So maybe I can help.

Sly


On 09/23/2015 10:58 AM, Giancarlo Razzolini wrote:
> On 23-09-2015 11:49, Stuart Henderson wrote:
>> Exactly. It also makes it easier to handle multiple ISPs for load-balancing
>> or failover, which IPv6 handles poorly (short of using BGP).
> Wouldn't multipath and properly constructed ifstated scripts be better
> in this case? Like reloading dhcpv6 servers, rtadvd, and anchors, etc.
>
>> Also it's good for winding up IPv6 purists :-)
> Wound up me. :-)  
>
> Cheers,
> Giancarlo Razzolini



Adding zombies to a pf table?

2015-09-23 Thread Craig Skinner
Hello,

Zombies are often attacking ports which don't have services running,
such as telnet (most popular indeed), mysql, 3551, 8080, 13272, etc.

With a default pf block drop in on $ext_if, how can those source ips be
added to a  table? Which all can be dropped & small queued.

I've tried to overload a match statement, but that won't work.

Or is there something handy in ports to help?

Thanks.
-- 
By the time they had diminished from 50 to 8,
the other dwarves began to suspect "Hungry" ...
-- Gary Larson, "The Far Side"



Re: dhclient broken on 2015-09-21 amd64 snapshot

2015-09-23 Thread Kurt Mosiejczuk
On Wed, Sep 23, 2015 at 01:27:27PM +0100, Stuart Henderson wrote:
> On 2015/09/23 08:16, Kurt Mosiejczuk wrote:

> > Can you point me at the bug fix?  I was looking at cvsweb again and the
> > newest change I could see there is 2 weeks ago...

> I believe this is the issue fixed by this commit - if you saved the
> previous kernel before updating, you might be able to boot with that
> instead.

Ah.  So the bug is even more unrelated to dhclient than I was
thinking.  

A newer snapshot (from yesterday, 2015-09-22) was on my mirror today, and
booting from the bsd.rd worked for upgrading to the newer snapshot with
the fix.  I'm guessing whatever caused the bug isn't enabled for the
RAMDISK kernel.

--Kurt



Re: UEFI boot attempt on AM1 platform with logs (9/16 snapshot)

2015-09-23 Thread Brian Conway
> This picture shows
>
>   Load address: Loader Data (2) 0xd0 for 4096KB FATAL
>
> This is what I want to know.  0xd0 + 4M is overlapping the kernel
> area.
>
> I think the following diff or
>
>   http://yasuoka.net/~yasuoka/BOOTX64.EFI
>   (updated)
>
> will fix the problem.

Great, thanks. I grabbed the updated binary. `machine memory` is
looking better, but no improvement on the boot situation, yet. This is
with the latest install58.fs from 9/23 with BOOTX64.EFI replaced.

http://i.imgur.com/oiEO3fr.jpg

http://i.imgur.com/adwNcnk.jpg



Re: Making IPv6 NAT prefer privacy address

2015-09-23 Thread Stuart Henderson
On 2015-09-22, Giancarlo Razzolini  wrote:
> Nat on IPv6? Why?

Saves messing about with DHCPv6-PD ;)



Re: dhclient broken on 2015-09-21 amd64 snapshot

2015-09-23 Thread Stuart Henderson
On 2015-09-22, Kurt Mosiejczuk  wrote:
> I just updated my current box to yesterday's (2015-09-21) snapshot.  Now
> it won't keep a network address.  

That's a recent bug - should be fixed if you update again.

> I'm seeing a note on the current FAQ from the 12th indicating the
> ifmedia options have been extended to 64 bits.  I'm seeing a change to
> ifconfig in the tree for this, but I don't see a corresponding change to
> dhclient in the tree (looking at cvsweb).  
>
> Did the dhclient change get overlooked?  Am I doing something else
> obviously wrong?

This is unrelated, but dhclient just needed recompiling with the updated
headers ("include files") to know about the larger ifmedia struct, it
just uses it to check link status and didn't require any code changes.
On the other hand ifconfig does more processing with the media status,
e.g. passing the type to another function to look up the text description,
so the variable types need changing so that the larger values fit.

BTW this ifmedia change was because we were running out of space in
the structure for different media types (10base2, 10baseT, 100baseTX,
1000baseSX, 1000baseT etc for ethernet, various modulation types for
802.11 wireless, etc), the change allows space for more types for
future use (e.g. there's an IEEE working group, 802.3bz, looking at
standardizing 2.5/5Gb over cat5e, and other existing standards we don't
support yet).



Re: Making IPv6 NAT prefer privacy address

2015-09-23 Thread Stuart Henderson
On 2015-09-22, Daniel Gillen  wrote:
> Hi
>
> I currently have the following rule to nat traffic out to the internet:
>
> match out on $if_ext inet6 from $if_int:network to any nat-to ($if_ext)
>
> But this chooses from one of the configured addresses (using round-robin).
>
> Is there a way I can configure pf to prefer the privacy address (the one
> without my MAC in it)?

Not at present.
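
Added example, not part of the original thread: because `nat-to ($if_ext)` picks among all addresses configured on the interface, this Python helper shows how to tell which of them carry a MAC-derived (modified EUI-64) interface identifier and which are ULA or privacy-style addresses. The addresses and MAC below are constructed (2001:db8::/32 documentation prefix, documentation MAC range) and the function names are hypothetical.

```python
import ipaddress

# RFC 4193 unique local addresses; fd00::/8 (mentioned in the thread) is the
# locally assigned half of this block.
ULA = ipaddress.ip_network("fc00::/7")


def embedded_mac(addr):
    """Return the MAC hidden in a modified EUI-64 interface ID, else None.

    SLAAC without privacy extensions builds the low 64 bits from the MAC by
    inserting ff:fe in the middle and flipping the universal/local bit.
    A random privacy IID can contain ff:fe by chance (1 in 65536), so treat
    a hit as "probably MAC-derived", not as proof.
    """
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
    return ":".join(f"{octet:02x}" for octet in mac)


def classify(addr):
    """Label an address with its scope and any MAC it embeds."""
    ip = ipaddress.IPv6Address(addr)
    if ip.is_link_local:
        scope = "link-local"
    elif ip in ULA:
        scope = "ula"
    else:
        scope = "global"
    return {"address": str(ip), "scope": scope, "mac": embedded_mac(addr)}


def mac_exposing_sources(addrs):
    """Globally scoped addresses that would reveal the MAC if used as NAT source."""
    return [
        c["address"]
        for c in map(classify, addrs)
        if c["scope"] == "global" and c["mac"] is not None
    ]


# Constructed sample: what an external interface might carry at once.
SAMPLE_ADDRS = [
    "fe80::200:5eff:fe00:5301",          # link-local, EUI-64 (never leaves the link)
    "2001:db8:1:2:200:5eff:fe00:5301",   # SLAAC address built from the MAC
    "2001:db8:1:2:3c4d:91a7:6be2:f05a",  # privacy-style random interface ID
    "fd12:3456:789a:1::10",              # ULA, as suggested for the inside network
]

if __name__ == "__main__":
    for a in SAMPLE_ADDRS:
        print(classify(a))
    print("would expose MAC:", mac_exposing_sources(SAMPLE_ADDRS))
```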



HDMI on hp pavilion 10 10-f014au ?

2015-09-23 Thread Joel Rees
Is there anything that can be done to get HDMI video functioning on this HP
Pavilion 10 10-f015au? (dmesg below)

After switching several times between virtual consoles with X11 running, it
will begin to mostly mirror the laptop display on the HDMI device (a
Toshiba Regza TV). It will be missing ten, maybe 15 big pixels at the top,
left, and right borders. (Laptop pixels, not TV pixels.)

> OpenBSD 5.8-current (GENERIC.MP) #1367: Sat Sep 12 14:59:55 MDT 2015
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 1835790336 (1750MB)
> avail mem = 1776250880 (1693MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S3 S4 S5
> acpi0: tables DSDT FACP UEFI HPET APIC MCFG ASF! BOOT FPDT MSDM SSDT
> SSDT SSDT SSDT SSDT
> acpi0: wakeup devices GPP0(S5) GPP1(S4) OHC1(S3) OHC2(S3) OHC3(S3)
> EHC1(S3) EHC2(S3) EHC3(S3) XHC0(S4) AWAD(S4)
> acpitimer0 at acpi0: 3579545 Hz, 32 bits
> acpihpet0 at acpi0: 14318180 Hz
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: AMD A4-1200 APU with Radeon(TM) HD Graphics, 998.27 MHz
> cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,ITSC,BMI1
> cpu0: 32KB 64b/line 2-way I-cache, 32KB 64b/line 8-way D-cache, 1MB 64b/line 16-way L2 cache
> cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
> cpu0: DTLB 40 4KB entries fully associative, 8 4MB entries fully associative
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
> cpu0: apic clock running at 99MHz
> cpu0: mwait min=64, max=64, IBE
> cpu1 at mainbus0: apid 1 (application processor)
> cpu1: AMD A4-1200 APU with Radeon(TM) HD Graphics, 998.13 MHz
> cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,ITSC,BMI1
> cpu1: 32KB 64b/line 2-way I-cache, 32KB 64b/line 8-way D-cache, 1MB 64b/line 16-way L2 cache
> cpu1: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
> cpu1: DTLB 40 4KB entries fully associative, 8 4MB entries fully associative
> cpu1: smt 0, core 1, package 0
> ioapic0 at mainbus0: apid 0 pa 0xfec0, version 21, 24 pins
> ioapic1 at mainbus0: apid 5 pa 0xfec01000, version 21, 32 pins
> ioapic1: misconfigured as apic 0, remapped to apid 5
> acpimcfg0 at acpi0 addr 0xf800, bus 0-63
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpiprt1 at acpi0: bus 1 (GPP0)
> acpiprt2 at acpi0: bus 5 (GPP1)
> acpiprt3 at acpi0: bus -1 (GPP2)
> acpiprt4 at acpi0: bus -1 (GPP3)
> acpiprt5 at acpi0: bus -1 (GFX_)
> acpiec0 at acpi0
> acpicpu0 at acpi0: !C2(0@400 io@0x414), C1(@1 halt!), PSS
> acpicpu1 at acpi0: !C2(0@400 io@0x414), C1(@1 halt!), PSS
> acpipwrres0 at acpi0: FN00, resource for FAN0
> acpitz0 at acpi0: critical temperature is 118 degC
> acpibtn0 at acpi0: PWRB
> acpiac0 at acpi0: AC unit online
> acpibat0 at acpi0: BAT0 model "Primary" serial 43346 03/09/2014 type
> LIon oem "Hewlett-Packard"
> acpibtn1 at acpi0: LID_
> acpivideo0 at acpi0: VGA_
> acpivideo1 at acpi0: VGA_
> cpu0: 998 MHz: speeds: 1000 900 800 700 600 MHz
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 "AMD AMD64 16h Host" rev 0x00
> vga1 at pci0 dev 1 function 0 vendor "ATI", unknown product 0x9839 rev 0x00
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> azalia0 at pci0 dev 1 function 1 vendor "ATI", unknown product 0x9840
> rev 0x00: msi
> azalia0: no supported codecs
> pchb1 at pci0 dev 2 function 0 vendor "AMD", unknown product 0x1538 rev 0x00
> ppb0 at pci0 dev 2 function 2 "AMD AMD64 16h PCIE" rev 0x00: msi
> pci1 at ppb0 bus 1
> rtsx0 at pci1 dev 0 function 0 "Realtek RTL8402 Card Reader" rev 0x01: msi
> sdmmc0 at rtsx0
> re0 at pci1 dev 0 function 2 "Realtek 8101E" rev 0x06: RTL8402
> (0x4400), msi, address 14:58:d0:06:96:26
> rlphy0 at re0 phy 7: RTL8201E 10/100 PHY, rev. 2
> ppb1 at pci0 dev 2 function 3 "AMD AMD64 16h PCIE" rev 0x00: msi
> pci2 at ppb1 bus 5
> "Ralink RT3290" rev 0x00 at pci2 dev 0 function 0 not configured
> "Ralink Bluetooth" rev 0x00 at pci2 dev 0 function 1 not configured
> xhci0 at pci0 dev 16 function 0 vendor "AMD", unknown product 0x7814
> rev 0x01: msi
> usb0 at xhci0: USB revision 3.0
> uhub0 at usb0 "AMD xHCI root hub" rev 3.00/1.00 addr 1
> ahci0 at pci0 dev 17 function 0 "AMD Hudson-2 SATA" rev 0x00: apic 0
> int 19, AHCI 1.3
> ahci0: port 0: 6.0Gb/s
> scsibus1 at ahci0: 32 targets
> sd0 at scsibus1 targ 0 lun 

Re: ugen0 instead of urtwn0

2015-09-23 Thread Thuban
* Stefan Sperling  on [22-09-2015 11:33:28 +0200]:
> On Mon, Sep 21, 2015 at 11:14:22AM +0200, Thuban wrote:
> > Hi,
> > I have a usb wifi dongle supposed to work with urtwn firmware.
> > usbdevs returns WNA 1000Mv2 Netgear listed here [0]
> >
> > But the device is detected as ugen.
> >
> > How can I fix this?
>
> This device was added to -current after 5.8.
> It will work out of the box in OpenBSD 5.9.
>
> The easiest way to get support for it is to use snapshots (i.e. -current).
> See the "Snapshots" section in http://www.openbsd.org/faq/faq5.html#Flavors
>
> You can try to get it to work with 5.7 but this might not work.
> Getting this device to work on 5.8 (to be released on Oct 18) should be
> possible using the steps below.
>
> Starting with pristine OpenBSD 5.8 kernel source (or 5.7, if you want to
> try your luck), add the line
>
> product NETGEAR WNA1000Mv2   0x9043  WNA1000Mv2
>
> somewhere in the file /usr/src/sys/dev/usb/usbdevs
>
> as shown here:
>
> ===
> RCS file: /cvs/src/sys/dev/usb/usbdevs,v
> retrieving revision 1.654
> retrieving revision 1.655
> diff -u -r1.654 -r1.655
> --- src/sys/dev/usb/usbdevs   2015/07/15 13:25:49 1.654
> +++ src/sys/dev/usb/usbdevs   2015/08/22 15:10:19 1.655
> @@ -3135,6 +3135,7 @@
>  product NETGEAR WNA1100  0x9030  WNA1100
>  product NETGEAR WNA1000  0x9040  WNA1000
>  product NETGEAR WNA1000M 0x9041  WNA1000M
> +product NETGEAR WNA1000Mv2   0x9043  WNA1000Mv2
>
>  /* Netgear(2) products */
>  product NETGEAR2 MA101   0x4100  MA101
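Review bot: the added usbdevs line spells the product WNA1000Mv2 with a lower-case "v", while the neighbouring NETGEAR symbols in this hunk (WNA1100, WNA1000, WNA1000M) are all upper-case. The generated macro will carry that spelling exactly, as USB_PRODUCT_NETGEAR_WNA1000Mv2, so the driver table has to match it character for character; if a consistent style is wanted, rename it in both places at once. The entry is in ascending product-ID order after 0x9041, which is fine.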
>
>
> Now run
>
>   $ cd /usr/src/sys/dev/usb/
>   $ make
>
> to re-create the USB device list header files usbdevs.h and usbdevs_data.h.
>
> Next, add the line
>
>   { USB_VENDOR_NETGEAR,   USB_PRODUCT_NETGEAR_WNA1000Mv2 },
>
> to /usr/src/sys/dev/usb/if_urtwn.c somewhere in the driver's ID table,
> as shown here:
>
> ===
> RCS file: /cvs/src/sys/dev/usb/if_urtwn.c,v
> retrieving revision 1.48
> retrieving revision 1.49
> diff -u -r1.48 -r1.49
> --- src/sys/dev/usb/if_urtwn.c2015/06/12 15:47:31 1.48
> +++ src/sys/dev/usb/if_urtwn.c2015/08/22 15:19:33 1.49
> @@ -110,6 +110,7 @@
>   { USB_VENDOR_IODATA,USB_PRODUCT_IODATA_WNG150UM },
>   { USB_VENDOR_IODATA,USB_PRODUCT_IODATA_RTL8192CU },
>   { USB_VENDOR_NETGEAR,   USB_PRODUCT_NETGEAR_WNA1000M },
> + { USB_VENDOR_NETGEAR,   USB_PRODUCT_NETGEAR_WNA1000Mv2 },
>   { USB_VENDOR_NETGEAR,   USB_PRODUCT_NETGEAR_RTL8192CU },
>   { USB_VENDOR_NETGEAR4,  USB_PRODUCT_NETGEAR4_RTL8188CU },
>   { USB_VENDOR_NETWEEN,   USB_PRODUCT_NETWEEN_RTL8192CU },
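Review bot: the new { USB_VENDOR_NETGEAR, USB_PRODUCT_NETGEAR_WNA1000Mv2 } entry on the + line depends on a macro that exists only after usbdevs.h has been regenerated from usbdevs 1.655, so this hunk will not compile on its own against the old header. Apply the usbdevs change and run make in /usr/src/sys/dev/usb before building the kernel, and keep the two changes together when backporting to a release tree.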
>
> Now compile a new kernel and install it.
>
> For more information on the steps involved in compiling the kernel,
> see http://www.openbsd.org/faq/faq5.html#Bld and in particular this
> section: http://www.openbsd.org/faq/faq5.html#BldKernel

Thank you for this very complete explanation.

Currently, I can't build the kernel without any error with the last
snapshot, even without modifying anything.
Same with current.
I'll wait some time and see.

Regards

--
Thuban
PubKey : http://yeuxdelibad.net/Divers/thuban.pub




Re: ipsec tunnel over IPv6

2015-09-23 Thread Matt Hamilton
Nevermind! Worked it out… I spotted that the pings I was doing from the
gateways were using the source address of the external interface, which was
not part of the SA.

Explicitly adding the source address of the *internal* interface means it now
looks good:

# traceroute6 -s 2001:470:1f1d:301::1  2001:41c8:11a:5::1
traceroute6 to 2001:41c8:11a:5::1 (2001:41c8:11a:5::1) from 2001:470:1f1d:301::1, 64 hops max, 60 byte packets
 1  2001:41c8:11a:5::1 (2001:41c8:11a:5::1)  32.884 ms  32.795 ms  32.316 ms
#

-Matt

> On 23 Sep 2015, at 22:31, Matt Hamilton  wrote:
>
> Hi all,
>  I’ve just tried to set up an IPSec tunnel between two IPv6 networks, over
> IPv6 between the OpenBSD gateways. Isakmpd seems to have set the SAs up, but
> traffic is not flowing over the tunnel.
>
> A ipsec.conf:
>
> ike dynamic esp from 2001:470:1f1d:301::/64 to 2001:41c8:11a:5::/64 local 2001:470:1f1c:301::2 peer 2001:41c8:11a::1 \
> main auth hmac-sha1  enc aes group modp1024 \
> quick auth hmac-sha1 enc aes \
> srcid 2001:470:1f1c:301::2 dstid 2001:41c8:11a::1 \
> psk secret
>
> B ipsec.conf:
>
> ike dynamic esp from 2001:41c8:11a:5::/64 to 2001:470:1f1d:301::/64 local 2001:41c8:11a::1 peer 2001:470:1f1c:301::2 \
> main auth hmac-sha1  enc aes group modp1024 \
> quick auth hmac-sha1 enc aes \
> srcid 2001:41c8:11a::1 dstid 2001:470:1f1c:301::2 \
> psk secret
>
> A ipsecctl -sa:
>
> # ipsecctl -sa
> FLOWS:
> flow esp in from 2001:41c8:11a:5::/64 to 2001:470:1f1d:301::/64 peer 2001:41c8:11a::1 srcid 2001:470:1f1c:301::2/128 dstid 2001:41c8:11a::1/128 type use
> flow esp out from 2001:470:1f1d:301::/64 to 2001:41c8:11a:5::/64 peer 2001:41c8:11a::1 srcid 2001:470:1f1c:301::2/128 dstid 2001:41c8:11a::1/128 type require
>
> SAD:
> esp tunnel from 2001:470:1f1c:301::2 to 2001:41c8:11a::1 spi 0x74ed3662 auth hmac-sha1 enc aes
> esp tunnel from 2001:41c8:11a::1 to 2001:470:1f1c:301::2 spi 0x7b1c75cd auth hmac-sha1 enc aes
>
> B ipsecctl -sa:
>
> FLOWS:
> flow esp in from 2001:470:1f1d:301::/64 to 2001:41c8:11a:5::/64 peer 2001:470:1f1c:301::2 srcid 2001:41c8:11a::1/128 dstid 2001:470:1f1c:301::2/128 type use
> flow esp out from 2001:41c8:11a:5::/64 to 2001:470:1f1d:301::/64 peer 2001:470:1f1c:301::2 srcid 2001:41c8:11a::1/128 dstid 2001:470:1f1c:301::2/128 type require
>
> SAD:
> esp tunnel from 2001:470:1f1c:301::2 to 2001:41c8:11a::1 spi 0x74ed3662 auth hmac-sha1 enc aes
> esp tunnel from 2001:41c8:11a::1 to 2001:470:1f1c:301::2 spi 0x7b1c75cd auth hmac-sha1 enc aes
>
>
> A ping from A to B:
> # ping6 2001:41c8:11a:5::1
> PING6(56=40+8+8 bytes) 2001:470:1f1c:301::2 --> 2001:41c8:11a:5::1
> 16 bytes from 2001:41c8:11a:5::1, icmp_seq=0 hlim=57 time=31.905 ms
> 16 bytes from 2001:41c8:11a:5::1, icmp_seq=1 hlim=57 time=31.843 ms
> 16 bytes from 2001:41c8:11a:5::1, icmp_seq=2 hlim=57 time=31.709 ms
> ^C
> --- 2001:41c8:11a:5::1 ping6 statistics ---
> 3 packets transmitted, 3 packets received, 0.0% packet loss
> round-trip min/avg/max/std-dev = 31.709/31.819/31.905/0.082 ms
>
> The ping works, but it is *not* going over the tunnel. tcpdump is not
> showing the traffic via enc0 or any ESP traffic on the external interface.
> Traceroute6 also shows all intermediate hops, i.e. no tunnel.
>
> Is it because, being IPv6, the networks on each end can route to each other
> (as opposed to on IPv4 normally they are RFC1918 networks) so OpenBSD sends the
> packets the ‘easy’ route?
>
> -Matt
>
> —
> Matt Hamilton
> Quernus
> m...@quernus.co.uk
> +44 117 325 3025
> 49b Easton Business Centre
> Felix Road, Easton
> Bristol, BS5 0HE
>
> Quernus Ltd is a company registered in England and Wales. Registered number:
> 09076246
>


—
Matt Hamilton
Quernus
m...@quernus.co.uk
+44 117 325 3025
49b Easton Business Centre
Felix Road, Easton
Bristol, BS5 0HE

Quernus Ltd is a company registered in England and Wales. Registered number:
09076246
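
The resolution above comes down to selector matching: a packet is handed to ESP only if its source and destination both fall inside an outbound flow. The following is an added example, not code from the thread or from OpenBSD; it parses the gateway A `ipsecctl -sa` flow lines quoted in this message (rejoined from their mail wrapping) and checks the two source addresses used in the thread.

```python
import ipaddress
import re

# FLOWS section of `ipsecctl -sa` on gateway A, copied from the thread with
# the mail-wrapped lines rejoined.
IPSECCTL_FLOWS_A = """\
flow esp in from 2001:41c8:11a:5::/64 to 2001:470:1f1d:301::/64 peer 2001:41c8:11a::1 srcid 2001:470:1f1c:301::2/128 dstid 2001:41c8:11a::1/128 type use
flow esp out from 2001:470:1f1d:301::/64 to 2001:41c8:11a:5::/64 peer 2001:41c8:11a::1 srcid 2001:470:1f1c:301::2/128 dstid 2001:41c8:11a::1/128 type require
"""

FLOW_RE = re.compile(
    r"^flow (?P<proto>\S+) (?P<dir>in|out) from (?P<src>\S+) to (?P<dst>\S+) "
    r"peer (?P<peer>\S+)"
)


def parse_flows(text):
    """Parse `flow ...` lines into dicts holding the traffic selectors."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        flows.append({
            "dir": m.group("dir"),
            "src": ipaddress.ip_network(m.group("src")),
            "dst": ipaddress.ip_network(m.group("dst")),
            "peer": ipaddress.ip_address(m.group("peer")),
        })
    return flows


def outbound_flow_for(src, dst, flows):
    """Return the outbound flow covering (src, dst), or None if none does."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for flow in flows:
        if flow["dir"] == "out" and s in flow["src"] and d in flow["dst"]:
            return flow
    return None


def explain(src, dst, flows):
    flow = outbound_flow_for(src, dst, flows)
    if flow is None:
        return f"{src} -> {dst}: no outbound flow matches, routed without ESP"
    return (f"{src} -> {dst}: matches {flow['src']} -> {flow['dst']}, "
            f"ESP to peer {flow['peer']}")


if __name__ == "__main__":
    flows = parse_flows(IPSECCTL_FLOWS_A)
    # ping6's default source (external interface) vs. traceroute6 -s (internal).
    for src in ("2001:470:1f1c:301::2", "2001:470:1f1d:301::1"):
        print(explain(src, "2001:41c8:11a:5::1", flows))
```

The external address sits in 2001:470:1f1c:301::/64, one prefix away from the 2001:470:1f1d:301::/64 selector, which is why the unencrypted ping succeeded while the tunnel stayed idle.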



Re: Recommended miniPCI express wireless module for PC Engines' APU system board?

2015-09-23 Thread Mike Bregg

> The reason I am so onto this is, there have been so many posts and
> threads here praising the PC Engines APU boards. I assume
> quite a few of you use it as a router, given its Ethernet ports. Then,
> why not add a wireless access point, too? That might be a popular
> request as well.
>
> Wi-Fi is important, but unfortunately it's a hit and miss.
>
> Thanks


I'm using an APU as a firewall/router and it works very well.  However, 
after experimenting with some different wireless cards, I actually opted 
to install a separate EnGenius EAP600 Access Point on the main floor of 
my house, using PoE to run to the router/switch.


This was a better solution for me as the router was in the basement, and 
the wireless signal from the APU wasn't very good.


To answer your original question, the card that seemed to work the best 
in the APU was an Atheros AR9280.


Regards,
Mike



Re: Adding zombies to a pf table?

2015-09-23 Thread Ted Unangst
Craig Skinner wrote:
> Hello,
> 
> Zombies are often attacking ports which don't have services running,
> such as telnet (most popular indeed), mysql, 3551, 8080, 13272, etc.
> 
> With a default pf block drop in on $ext_if, how can those source ips be
> added to a  table? Which all can be dropped & small queued.
> 
> I've tried to overload a match statement, but that won't work.
> 
> Or is there something handy in ports to help?

block log those ports, then process the log file?

block quick from 
block quick log in to port 8080

then you won't see them showing up in the log over and over.
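
One way to do the "process the log file" step, as an added example that is not part of the original post: it reads the text that `tcpdump -n -e -ttt -r /var/log/pflog` prints, collects the sources of blocked inbound packets, and builds a `pfctl -t ... -T add` command. The table name `zombies`, the hit threshold and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the style of `tcpdump -n -e -ttt -r /var/log/pflog`.
SAMPLE_PFLOG = """\
Sep 23 21:10:01.102331 rule 4/(match) block in on re0: 203.0.113.7.40112 > 192.0.2.10.8080: S 1:1(0) win 1024
Sep 23 21:10:02.548210 rule 4/(match) block in on re0: 203.0.113.7.40113 > 192.0.2.10.23: S 2:2(0) win 1024
Sep 23 21:10:04.000912 rule 4/(match) block in on re0: 2001:db8::bad.51000 > 2001:db8:1::10.8080: S 3:3(0) win 1024
Sep 23 21:10:05.311007 rule 4/(match) block in on re0: 198.51.100.22 > 192.0.2.10: icmp: echo request
Sep 23 21:10:06.770001 rule 2/(match) pass in on re0: 198.51.100.9.51515 > 192.0.2.10.22: S 4:4(0) win 1024
"""

# Only packets that a rule blocked on the way in are of interest.
BLOCK_RE = re.compile(r"rule \S+ block in on \S+: (\S+) > ")


def source_address(token):
    """Turn tcpdump's 'addr' or 'addr.port' token into an address string.

    The whole token is tried first so that port-less lines (ICMP) keep their
    last IPv4 octet; otherwise the trailing '.port' is stripped.
    """
    for candidate in (token, token.rpartition(".")[0]):
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            continue
    return None


def blocked_sources(log_text, min_hits=1):
    """Return sorted source addresses blocked at least min_hits times."""
    hits = Counter()
    for line in log_text.splitlines():
        m = BLOCK_RE.search(line)
        if not m:
            continue
        addr = source_address(m.group(1))
        if addr:
            hits[addr] += 1
    return sorted(a for a, n in hits.items() if n >= min_hits)


def pfctl_add_command(addresses, table="zombies"):
    """argv that adds the addresses to a pf table (placeholder table name)."""
    if not addresses:
        return []
    return ["pfctl", "-t", table, "-T", "add", *addresses]


if __name__ == "__main__":
    print(" ".join(pfctl_add_command(blocked_sources(SAMPLE_PFLOG))))
```

Raising `min_hits` keeps a single stray packet from putting an address in the table.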



ipsec tunnel over IPv6

2015-09-23 Thread Matt Hamilton
Hi all,
  I’ve just tried to set up an IPSec tunnel between two IPv6 networks, over 
IPv6 between the OpenBSD gateways. Isakmpd seems to have set the SAs up, but 
traffic is not flowing over the tunnel.

A ipsec.conf:

ike dynamic esp from 2001:470:1f1d:301::/64 to 2001:41c8:11a:5::/64 local 2001:470:1f1c:301::2 peer 2001:41c8:11a::1 \
 main auth hmac-sha1  enc aes group modp1024 \
 quick auth hmac-sha1 enc aes \
 srcid 2001:470:1f1c:301::2 dstid 2001:41c8:11a::1 \
 psk secret

B ipsec.conf:

ike dynamic esp from 2001:41c8:11a:5::/64 to 2001:470:1f1d:301::/64 local 2001:41c8:11a::1 peer 2001:470:1f1c:301::2 \
 main auth hmac-sha1  enc aes group modp1024 \
 quick auth hmac-sha1 enc aes \
 srcid 2001:41c8:11a::1 dstid 2001:470:1f1c:301::2 \
 psk secret

A ipsecctl -sa:

# ipsecctl -sa
FLOWS:
flow esp in from 2001:41c8:11a:5::/64 to 2001:470:1f1d:301::/64 peer 2001:41c8:11a::1 srcid 2001:470:1f1c:301::2/128 dstid 2001:41c8:11a::1/128 type use
flow esp out from 2001:470:1f1d:301::/64 to 2001:41c8:11a:5::/64 peer 2001:41c8:11a::1 srcid 2001:470:1f1c:301::2/128 dstid 2001:41c8:11a::1/128 type require

SAD:
esp tunnel from 2001:470:1f1c:301::2 to 2001:41c8:11a::1 spi 0x74ed3662 auth hmac-sha1 enc aes
esp tunnel from 2001:41c8:11a::1 to 2001:470:1f1c:301::2 spi 0x7b1c75cd auth hmac-sha1 enc aes

B ipsecctl -sa:

FLOWS:
flow esp in from 2001:470:1f1d:301::/64 to 2001:41c8:11a:5::/64 peer 2001:470:1f1c:301::2 srcid 2001:41c8:11a::1/128 dstid 2001:470:1f1c:301::2/128 type use
flow esp out from 2001:41c8:11a:5::/64 to 2001:470:1f1d:301::/64 peer 2001:470:1f1c:301::2 srcid 2001:41c8:11a::1/128 dstid 2001:470:1f1c:301::2/128 type require

SAD:
esp tunnel from 2001:470:1f1c:301::2 to 2001:41c8:11a::1 spi 0x74ed3662 auth hmac-sha1 enc aes
esp tunnel from 2001:41c8:11a::1 to 2001:470:1f1c:301::2 spi 0x7b1c75cd auth hmac-sha1 enc aes


A ping from A to B:
# ping6 2001:41c8:11a:5::1 
PING6(56=40+8+8 bytes) 2001:470:1f1c:301::2 --> 2001:41c8:11a:5::1
16 bytes from 2001:41c8:11a:5::1, icmp_seq=0 hlim=57 time=31.905 ms
16 bytes from 2001:41c8:11a:5::1, icmp_seq=1 hlim=57 time=31.843 ms
16 bytes from 2001:41c8:11a:5::1, icmp_seq=2 hlim=57 time=31.709 ms
^C
--- 2001:41c8:11a:5::1 ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 31.709/31.819/31.905/0.082 ms

The ping works, but it is *not* going over the tunnel. tcpdump is not showing 
the traffic via enc0 or any ESP traffic on the external interface. Traceroute6 
also shows all intermediate hops, i.e. no tunnel.

Is it because, being IPv6, the networks on each end can route to each other (as
opposed to on IPv4 normally they are RFC1918 networks) so OpenBSD sends the
packets the ‘easy’ route?

-Matt

— 
Matt Hamilton
Quernus
m...@quernus.co.uk
+44 117 325 3025
49b Easton Business Centre
Felix Road, Easton
Bristol, BS5 0HE

Quernus Ltd is a company registered in England and Wales. Registered number: 
09076246



Re: Recommended miniPCI express wireless module for PC Engines' APU system board?

2015-09-23 Thread Adam
> I bought this card for my APU:
>
> http://www.amazon.com/dp/B005HMZ8B2/
>
> Has worked great in AP mode.  You will need the
> bracket to make it full height.  When I bought
> it, it was $15, too.
>
> If I remember correctly, it shipped from China or
> Taiwan and the estimate was a month, but it
> arrived in maybe 10 days. You might want
> to try to find one more local, I wasn't able to.

So the one you recommend from Amazon got some mediocre reviews and comes from 
Asia. But it works, good for you, that's a plus. It is also a Qualcomm Atheros, 
maybe not so dissimilar from the ones PC Engines sells on their site:
http://www.pcengines.ch/wle200nx.htm and
http://www.pcengines.ch/wle600vx.htm

On Amazon there are better reviewed Broadcom and Intel modules, shipping from 
USA, sold/fulfilled by Amazon, etc.

Or who knows, since then PC Engines may offer revised modules which work better.

Does anyone have any +/- experiences with any of the add-on boards which work (or
don't work) with the APU boards? Praise or recommend against any particular
build?

The reason I am so onto this is, there have been so many posts and threads
here praising the PC Engines APU boards. I assume quite a few of you use
it as a router, given its Ethernet ports. Then, why not add a wireless access
point, too? That might be a popular request as well.

Wi-Fi is important, but unfortunately it's a hit and miss.

Thanks



Re: SR RAID5 rebuild/stability issue.

2015-09-23 Thread Karel Gardas
On Wed, Sep 23, 2015 at 5:27 PM, Joel Sing  wrote:
> RAID5 should work (ignore RAID6 - it is still incomplete) and rebuilding
> should be functional:
>
>  http://undeadly.org/cgi?action=article=20150413071009
>
> When I reenabled RAID5, I had tested it reasonably as I could, but it still
> needs to be put through its paces. How are you offlining the drive? If you're
> doing it via bioctl then it will potentially behave differently to a hardware
> failure (top down through the bio(4)/softraid(4) driver, instead of bottom up
> via the I/O path). If you can dependably reproduce the issue then I would
> certainly be interested in tracking down the cause.

I'm using bioctl offlining indeed. And yes, the issue is easily
duplicable, but it takes time. I'll send you my scripts off-list.
Thanks for the note about RAID6.



Re: UEFI boot attempt on AM1 platform with logs (9/16 snapshot)

2015-09-23 Thread YASUOKA Masahiko
On Wed, 23 Sep 2015 14:40:52 -0500
Brian Conway  wrote:
>> This picture shows
>>
>>   Load address: Loader Data (2) 0xd0 for 4096KB FATAL
>>
>> This is what I want to know.  0xd0 + 4M is overlapping the kernel
>> area.
>>
>> I think the following diff or
>>
>>   http://yasuoka.net/~yasuoka/BOOTX64.EFI
>>   (updated)
>>
>> will fix the problem.
> 
> Great, thanks. I grabbed the updated binary. `machine memory` is
> looking better,

Thanks.  The test code for `machine memory' was removed from that
binary.. Sorry.

> but no improvement on the boot situation, yet.

Umm.  I reverted the test code.  Can you try "machine memory" with

  http://yasuoka.net/~yasuoka/BOOTX64.EFI

again?  This will not fix the problem, but I'd like to verify my
assumption is correct.

--yasuoka



Re: Recommended miniPCI express wireless module for PC Engines' APU system board?

2015-09-23 Thread Stuart Henderson
On 2015-09-23, Adam  wrote:
>> I bought this card for my APU:
>>
>> http://www.amazon.com/dp/B005HMZ8B2/
>>
>> Has worked great in AP mode.  You will need the
>> bracket to make it full height.  When I bought
>> it, it was $15, too.
>>
>> If I remember correctly, it shipped from China or
>> Taiwan and the estimate was a month, but it
>> arrived in maybe 10 days. You might want
>> to try to find one more local, I wasn't able to.
>
> So the one you recommend from Amazon got some mediocre reviews and comes from 
> Asia. But it works, good for you, that's a plus. It is also a Qualcomm 
> Atheros, maybe not so dissimilar from the ones PC Engines sells on their site:
> http://www.pcengines.ch/wle200nx.htm and

This one should work ok with athn(4).

> http://www.pcengines.ch/wle600vx.htm

This is a QCA9882 from the 802.11ac range, on Linux this uses the
Ath10k driver. Not yet supported on OpenBSD.

> On Amazon there are better reviewed Broadcom and Intel modules, shipping from 
> USA, sold/fulfilled by Amazon, etc.

No HostAP on those. Broadcom is unlikely to work at all (unless it's an
old b/g one with certain firmware versions).

> Or who knows, since then PC Engines may offer revised modules which work 
> better.
>
> Does anyone have any +/- experiences with any of the add-on boards which work (or
> don't work) with the APU boards? Praise or recommend against any particular
> build?
>
> The reason I am so onto this is, there have been so many posts and threads
> here praising the PC Engines APU boards. I assume quite a few of you
> use it as a router, given its Ethernet ports. Then, why not add a wireless
> access point, too? That might be a popular request as well.

I like to put my APs in positions that will give good radio coverage,
and routers in places where it's easier to run multiple cables to.
YMMV, but for me these are rarely in the same place.



Re: rookie questions about flavors

2015-09-23 Thread Stuart Henderson
On 2015-09-23, David Dahlberg  wrote:
> On Wednesday, 23.09.2015, at 14:55 +0200, Thuban wrote:
>> 
>> Is it possible to upgrade from 5.7 to 5.8 using this flag :
>> cvs -d$CVSROOT checkout -rOPENBSD_5_8 -P src
>
> Er, ay, never done it this way but I should think so, if you do it
> carefully. You should follow the instructions on the website
> nevertheless. 

You'll need to follow the parts of faq/current.html up to the
5.8-release cutoff point (indicated in comments in html source),
and will also need to build xenocara and packages yourself.

I wouldn't recommend it. The clean way is to install 5.7 now, then
do an upgrade installation to 5.8 release when available.