Re: IPsec IKEv1 accepts non-matching phase 2 parameters

[Stuart Henderson]

On 2015-12-31, Julian Hsiao  wrote:
> Hi,
>
> I've set up two hosts to experiment with IPsec, obsd1 (192.168.0.1) and 
> obsd2 (192.168.0.2).
>
> ipsec.conf on obsd1:
>
> ike passive esp transport \
>   from 192.168.0.1 to any \
>   main  auth hmac-sha2-256 enc aes-128 group modp8192 \
>   quick auth hmac-sha2-256 enc aes-128 group modp8192 \
>   psk puffy
>
> ipsec.conf on obsd2:
>
> ike active esp transport \
>   from 192.168.0.2 to 192.168.0.1 \
>   main  auth hmac-sha2-256 enc aes-128  group modp8192 \
>   quick auth hmac-md5  enc blowfish group modp768 \
>   psk puffy
>
> If the phase 1 parameters don't match, then negotiation fails, which is 
> what I expect.  However, isakmpd seems to accept the phase 2 parameters 
> from the initiating end (obsd2) unconditionally.  With the above 
> config, ipsecctl -s sa prints:
>
> esp transport from 192.168.0.1 to 192.168.0.2 spi 0x32345f6f auth 
> hmac-md5 enc blowfish
> esp transport from 192.168.0.2 to 192.168.0.1 spi 0x6cf20561 auth 
> hmac-md5 enc blowfish
>
> How do I configure isakmpd such that phase 2 parameters must also match 
> on both ends in order to establish security associations?

See isakmpd.policy(5). It's an utter pain but it's necessary in order to
secure things with isakmpd. The other "fun" thing a client can do if it's
not restricted by keynote policy is to set "their" side of the tunnel to
something which diverts the wrong traffic - 0.0.0.0/0 is an obvious
example but rather unsubtle.

Re: ddclient won't auto run on OpenBSD 5.8

[Stuart Henderson]

On 2015-12-31, Jay Hart  wrote:
> Recently updated a router from 5.2 to 5.8.  I had a working ddclient process 
> connected to and
> fully working with DynDNS.  Trying to use same config, may have to tweak just 
> a bit.
>
> My main issue right now is trying to get the ddclient process to run upon 
> booting.  In 5.2, I had
> the following script in rc.local
>
> if [ -x /usr/local/sbin/ddclient ] ; then
>  echo -n ' ddclient'
>  /usr/local/sbin/ddclient -file /etc/ddclient/ddclient.conf
> fi
>
> This ran ddclient upon startup.
>
> I've tried the same thing in  rc.conf.local with no joy, it won't start.  I 
> also commented that
> out and tried
>
> ddclient = ""
>
> and also
>
> ddclient = "-file /etc/ddclient/ddclient.conf"
>
> Upon every reboot ddclient is not running per a 'ps aux |grep dd' command.  
> Not is there a pid
> file in /var/run
>
> ddclient will start manually.
>
> Looking for some guidance on getting this running please.
>
>

Either keep the old rc.local fragment or use the new rc.d(8) method by
adding this to rc.conf.local:

pkg_scripts=ddclient

To set flags you can do:

ddclient_flags=-file /etc/ddclient/ddclient.conf

Re: bandwidth usage limits with pf, etc.

[Stuart Henderson]

On 2015-12-31, Mark Carroll  wrote:
> I was wondering recently what the biggest bandwidth hogs were on my home
> network at a certain moment. On Linux I use iftop on the router for
> this, but I wonder in OpenBSD if, rather than install the iftop package,
> there's something different -- more OpenBSD-ish -- I should be doing
> with clients to pflow or whatever to achieve this same near-instanteous
> view of machines' Internet usage across the router (which NATs them from
> their LAN).

Others have mentioned systat for an instantaneous view. Or there are things
like darkstat in ports. pflow (in combination with a netflow receiver program)
is one way to get historical stats of traffic flows.

> Lately I've been reading about CARP and discovering that the packet
> filter code has all kinds of cool stuff built in for transparent
> load-balancing and failover. And, I like the keep-state stuff that lets
> me do things like rate-limit ssh connections. So, I'm thinking that PF
> may offer me all manner of wonders. So, I got to thinking today:
>
> I wondered about my kids' use of YouTube and suchlike, and I wondered if
> there's a good way of using PF on the router to give them a weekly
> download limit, perhaps cumulative over their devices, after which it
> gets limited to a slow crawl or even cut off. Is this (or some variant
> thereof) something that PF makes easy (any pointers?), or is tricky but
> clearly described in the latest Book of PF, or just not worth the effort
> of attempting -- any thoughts? I may have just picked the wrong web
> search terms, or maybe this just isn't yet at all easy.

The 'counters' flag for PF tables is probably the simplest way to get the
data. You may want to cope with it being reset if rules are reloaded or
the machine is restarted. You could throttle/block by adding the relevant
addresses to a table which is referenced in a suitable rule.

Error loading pf rules: Device busy

[C. L. Martinez]

Hi all,


I have a strange problem. Every time that I try to reload my pf rules I see
the following error message:


pfctl: DIOCADDRULE: Device busy.


I am using OpenBSD 5.8 amd64 fully patched.


Any idea??

Re: Connect to OpenVPN from OpenBSD

[Jiri B]

On Sat, Jan 02, 2016 at 08:55:35PM +0500, ? ??? wrote:
> Is it possible to connect to OpenVPN (riseup.net) from OpenBSD without
> installing openvpn client to OpenBSD?

No, you need OpenVPN package as it uses its own homemade SSL-VPN
protocol.

> I don't understand all this vpn-technologies very well, but know that
> OpenBSD has built-in vpn-services/clients, so I don't want to install
> openvpn-client if it possible to use software distributed/developed
> with/by OpenBSD.

OpenBSD supports IPSec etc...

j.

Connect to OpenVPN from OpenBSD

[Артур Истомин]

Is it possible to connect to OpenVPN (riseup.net) from OpenBSD without
installing openvpn client to OpenBSD?

I don't understand all this vpn-technologies very well, but know that
OpenBSD has built-in vpn-services/clients, so I don't want to install
openvpn-client if it possible to use software distributed/developed
with/by OpenBSD.

I've tried googling but all results are OpenVPN-client to OpenVPN-server.

Thanks.

Re: Connect to OpenVPN from OpenBSD

[Josh Grosse]

On Sat, Jan 02, 2016 at 08:55:35PM +0500, art.istom wrote:
> Is it possible to connect to OpenVPN (riseup.net) from OpenBSD without
> installing openvpn client to OpenBSD?

No. OpenVPN servers require OpenVPN clients.

> I don't understand all this vpn-technologies very well, but know that
> OpenBSD has built-in vpn-services/clients, so I don't want to install
> openvpn-client if it possible to use software distributed/developed
> with/by OpenBSD.

The "built-in" VPN technology is IPSec, which is not used by OpenVPN.
 
> I've tried googling but all results are OpenVPN-client to OpenVPN-server.
> 
> Thanks.

Re: Error loading pf rules: Device busy

[C.L. Martinez]

On 01/02/2016 08:33 AM, C. L. Martinez wrote:

Hi all,


I have a strange problem. Every time that I try to reload my pf rules I
seethe following error message:


pfctl: DIOCADDRULE: Device busy.


I am using OpenBSD 5.8 amd64 fully patched.


Any idea??



Sorry for the noise. There was an error in a customized anchor's rules.

Thanks.

Re: Add Bay Trail EHCI controller to pcidevs

[Mark Kettenis]

> acpi0 at bios2: rev 2, ACPI control unavailable

The diff below should fix that issue and get rid of the

  can't map interrupt

issues.


Index: acpi.c
===
RCS file: /cvs/src/sys/dev/acpi/acpi.c,v
retrieving revision 1.297
diff -u -p -r1.297 acpi.c
--- acpi.c  23 Nov 2015 00:10:53 -  1.297
+++ acpi.c  2 Jan 2016 17:53:09 -
@@ -852,6 +852,7 @@ acpi_attach(struct device *parent, struc
struct device *dev;
 #endif /* SMALL_KERNEL */
paddr_t facspa;
+   uint16_t pm1;
int s;
 
sc->sc_iot = ba->ba_iot;
@@ -912,8 +913,9 @@ acpi_attach(struct device *parent, struc
/*
 * Check if we are able to enable ACPI control
 */
-   if (sc->sc_fadt->smi_cmd &&
-   (!sc->sc_fadt->acpi_enable && !sc->sc_fadt->acpi_disable)) {
+   pm1 = acpi_read_pmreg(sc, ACPIREG_PM1_CNT, 0);
+   if ((pm1 & ACPI_PM1_SCI_EN) == 0 &&
+   (sc->sc_fadt->smi_cmd == 0 || sc->sc_fadt->acpi_enable == 0)) {
printf(", ACPI control unavailable\n");
return;
}
@@ -997,7 +999,7 @@ acpi_attach(struct device *parent, struc
 * This may prevent thermal control on some systems where
 * that actually does work
 */
-   if (sc->sc_fadt->smi_cmd) {
+   if ((pm1 & ACPI_PM1_SCI_EN) == 0) {
if (acpi_enable(sc)) {
printf(", can't enable ACPI\n");
return;

Question about urndis_decap invalid buffer len 1 < minimum header 44

[Christoph R. Murauer]

Hello !

Could someone tell me please, where I could find more informations
about the following message in /var/log/messages ?

Jan  3 00:48:38 thinkpad-w541 /bsd: urndis0: urndis_decap invalid
buffer len 1 < minimum header 44
Jan  3 00:49:13 thinkpad-w541 last message repeated 8 times

The ThinkPad is connected over USB with a TP-Link M7350 LTE modem.
Internet is configured using /etc/hostname.urndis0 which contains only
the line dhcp. /etc/pf.conf is unmodified and, kept as after
installing 5.8 -release.

Thanks for answers.

OpenBSD 5.8 (GENERIC.MP) #1236: Sun Aug 16 02:31:04 MDT 2015
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 33939300352 (32367MB)
avail mem = 32906813440 (31382MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0x7cd2d000 (68 entries)
bios0: vendor LENOVO version "GNET73WW (2.21 )" date 03/12/2015
bios0: LENOVO 20EFS00B00
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP DBGP ECDT HPET APIC MCFG SSDT SSDT SSDT SSDT
SSDT SSDT SSDT PCCT SSDT UEFI POAT ASF! BATB FPDT UEFI
acpi0: wakeup devices LID_(S4) SLPB(S3) IGBE(S4) EXP2(S4) EXP3(S4)
XHCI(S3) EHC1(S3) EHC2(S3)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpiec0 at acpi0
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz, 2793.92 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz, 2793.54 MHz
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 1, core 0, package 0
cpu2 at mainbus0: apid 2 (application processor)
cpu2: Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz, 2793.54 MHz
cpu2:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 1, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz, 2793.54 MHz
cpu3:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 1, core 1, package 0
cpu4 at mainbus0: apid 4 (application processor)
cpu4: Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz, 2793.54 MHz
cpu4:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu4: 256KB 64b/line 8-way L2 cache
cpu4: smt 0, core 2, package 0
cpu5 at mainbus0: apid 5 (application processor)
cpu5: Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz, 2793.54 MHz
cpu5:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu5: 256KB 64b/line 8-way L2 cache
cpu5: smt 1, core 2, package 0
cpu6 at mainbus0: apid 6 (application processor)
cpu6: Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz, 2793.54 MHz
cpu6:

Re: wle200nx WiFi card on apu2b4 - athn0: Device timeout

[Kapfhammer, Stefan]

Hello,

first of all I want to wish everyone on the list a happy new year and best
wishes.

I have now checked hardware: card has contact and ground, removed sma
cabling,
checked for defective contacts on sma and antennas. Everything seems ok.

Installed fresh 5.9-current (2015-12-28)
Installed cat6 network cable from homerouter to APU2 at em0
Left network config off

10.3.12.45 homerouter as default gw and nameserver
10.3.12.70 APU2 em0 fixed IP
10.10.10.1 APU2 athn0 wifi hostap IP

Did

echo "pf=\"NO\"" > /etc/rc.conf.local
pfctl -d
ifconfig em0 inet 10.3.12.70 netmask 255.255.255.0 up
route add default 10.3.12.45
echo nameserver 10.3.12.45 > /etc/resolv.conf

ping 10.3.12.45 works
traceroute google.de works

Did

ifconfig athn0 inet 10.10.10.1 netmask 255.255.255.0 \
media autoselect mediaopt hostap nwid APU2TestNet \
wpakey my-Socks!are-GREY chan 1 up

Result:

athn0: Device timeout

ifconfig athn0 switches between chan 1 (status: active) and chan 36 (status:
no network)

ifconfig athn0 debug shows

athn0: creating ibss
athn0: synchronized with 04:f0:21:14:ca:c0 ssid "APU2TestNet" channel 1
start 1Mb short preamble long slot time

Is the card, sma cabling or the antennas defect? Driver problem?
Anyone else with this problem?

Friendly regards,

Stefan




-Ursprüngliche Nachricht-
Von: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] Im Auftrag von
Kapfhammer, Stefan
Gesendet: Mittwoch, 30. Dezember 2015 21:22
An: Mihai Popescu ; misc@openbsd.org
Betreff: Re: wle200nx WiFi card on apu2b4 - athn0: Device timeout

Hello Mihai,

I installed the current snapshot 2015-12-28 and the corresponding
athn-firmware for 5.9 Here is the output from dmesg and the debug output
from 'ifconfig athn0 debug'
'ifconfig athn0 scan' got result 'none' but I am connected with my
BlackBerry Classic and my notebook (Toshiba Portege Z930-12J). The scan with
my NB shows 7 active AP's.
I got the same error 'athn0: Device timeout' with -current.

Here are the outputs.

Friendly regards, Stefan


--dmesg--

OpenBSD 5.9-beta (GENERIC.MP) #1783: Sun Dec 27 17:08:42 MST 2015
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4261076992 (4063MB)
avail mem = 4127813632 (3936MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xdffb7020 (7 entries)
bios0: vendor coreboot version "APU2A_20150928-13-gdfdf4a2-dirty" date
11/06/2015
bios0: PC Engines apu2
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S2 S3 S4 S5
acpi0: tables DSDT FACP SSDT APIC HEST SSDT SSDT HPET
acpi0: wakeup devices PWRB(S4) PBR4(S4) PBR5(S4) PBR6(S4) PBR7(S4) PBR8(S4)
UOH1(S3) UOH3(S3) UOH5(S3) XHC0(S4)
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD GX-412TC SOC, 998.25 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLU
S
H,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POP
C
NT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,LONG,LAHF,CMPLEG,SVM,EAPICSP,AM
C
R8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,ITSC,BMI1
cpu0: 32KB 64b/line 2-way I-cache, 32KB 64b/line 8-way D-cache, 2MB 64b/line
16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 40 4KB entries fully associative, 8 4MB entries fully associative
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: AMD GX-412TC SOC, 998.14 MHz
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLU
S
H,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POP
C
NT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,LONG,LAHF,CMPLEG,SVM,EAPICSP,AM
C
R8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,ITSC,BMI1
cpu1: 32KB 64b/line 2-way I-cache, 32KB 64b/line 8-way D-cache, 2MB 64b/line
16-way L2 cache
cpu1: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu1: DTLB 40 4KB entries fully associative, 8 4MB entries fully associative
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 2 (application processor)
cpu2: AMD GX-412TC SOC, 998.14 MHz
cpu2:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLU
S
H,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POP
C
NT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,LONG,LAHF,CMPLEG,SVM,EAPICSP,AM
C
R8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,ITSC,BMI1
cpu2: 32KB 64b/line 2-way I-cache, 32KB 64b/line 8-way D-cache, 2MB 64b/line
16-way L2 cache
cpu2: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu2: DTLB 40 4KB entries fully associative, 8 4MB entries fully associative
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: AMD GX-412TC SOC, 998.14 MHz
cpu3:

Intel S5000PSL with recent OpenBSD

[Denis Fondras]

Hello,

I have 2 servers with an Intel S5000PSL motherboard and dual Intel Xeon L5420
CPU. When I boot a "recent" OpenBSD (>4.4) it hangs on "wskbd0 at pckbd0:
console keyboard, using wsdisplay1". I tried to disable xhci and acpi without
luck. I have the latest BIOS.

Anything I could try ?

Thank you in advance,
Denis

dmesg from 4.4 :
OpenBSD 4.4 (RAMDISK_CD) #114: Tue Aug 12 17:28:42 MDT 2008
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
real mem = 2666741760 (2543MB)
avail mem = 2583240704 (2463MB)
RTC BIOS diagnostic error 9
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.5 @ 0x9fa32000 (69 entries)
bios0: vendor Intel Corporation version "S5000.86B.15.00.0101.110920101604" 
date 11/09/2010
bios0: Rackable Systems Inc. S5000PSL
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP APIC SPCR HPET MCFG SSDT SSDT SSDT
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 12 (PC32)
acpiprt2 at acpi0: bus 11 (PEX0)
acpiprt3 at acpi0: bus -1 (PEX1)
acpiprt4 at acpi0: bus -1 (PEX2)
acpiprt5 at acpi0: bus -1 (PEX3)
acpiprt6 at acpi0: bus 1 (PCIE)
acpiprt7 at acpi0: bus 5 (PCIX)
acpiprt8 at acpi0: bus 2 (PCIW)
acpiprt9 at acpi0: bus 3 (PCIO)
acpiprt10 at acpi0: bus -1 (PCIP)
acpiprt11 at acpi0: bus 4 (PCIQ)
acpiprt12 at acpi0: bus 7 (PCIF)
acpiprt13 at acpi0: bus 8 (PCIG)
acpiprt14 at acpi0: bus 9 (PCIH)
cpu0 at mainbus0: (uniprocessor)
cpu0: Intel(R) Xeon(R) CPU L5420 @ 2.50GHz, 2494.09 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,xTPR,NXE,LONG
cpu0: 6MB 64b/line 16-way L2 cache
pci0 at mainbus0 bus 0: configuration mode 1
pchb0 at pci0 dev 0 function 0 "Intel 5000P Host" rev 0xb1
ppb0 at pci0 dev 2 function 0 "Intel 5000 PCIE x8" rev 0xb1
pci1 at ppb0 bus 1
ppb1 at pci1 dev 0 function 0 "Intel 6321ESB PCIE" rev 0x01
pci2 at ppb1 bus 2
ppb2 at pci2 dev 0 function 0 "Intel 6321ESB PCIE" rev 0x01
pci3 at ppb2 bus 3
ppb3 at pci2 dev 2 function 0 "Intel 6321ESB PCIE" rev 0x01
pci4 at ppb3 bus 4
em0 at pci4 dev 0 function 0 "Intel PRO/1000 PT (80003ES2)" rev 0x01: irq 5, 
address 00:15:17:c1:71:fc
em1 at pci4 dev 0 function 1 "Intel PRO/1000 PT (80003ES2)" rev 0x01: irq 11, 
address 00:15:17:c1:71:fd
ppb4 at pci1 dev 0 function 3 "Intel 6321ESB PCIE-PCIX" rev 0x01
pci5 at ppb4 bus 5
ppb5 at pci0 dev 3 function 0 "Intel 5000 PCIE" rev 0xb1
pci6 at ppb5 bus 6
ppb6 at pci0 dev 4 function 0 "Intel 5000 PCIE x8" rev 0xb1
pci7 at ppb6 bus 7
ppb7 at pci0 dev 5 function 0 "Intel 5000 PCIE" rev 0xb1
pci8 at ppb7 bus 8
ppb8 at pci0 dev 6 function 0 "Intel 5000 PCIE x8" rev 0xb1
pci9 at ppb8 bus 9
ppb9 at pci0 dev 7 function 0 "Intel 5000 PCIE" rev 0xb1
pci10 at ppb9 bus 10
pchb1 at pci0 dev 16 function 0 "Intel 5000 Error Reporting" rev 0xb1
pchb2 at pci0 dev 16 function 1 "Intel 5000 Error Reporting" rev 0xb1
pchb3 at pci0 dev 16 function 2 "Intel 5000 Error Reporting" rev 0xb1
pchb4 at pci0 dev 17 function 0 "Intel 5000 Reserved" rev 0xb1
pchb5 at pci0 dev 19 function 0 "Intel 5000 Reserved" rev 0xb1
pchb6 at pci0 dev 21 function 0 "Intel 5000 FBD" rev 0xb1
pchb7 at pci0 dev 22 function 0 "Intel 5000 FBD" rev 0xb1
ppb10 at pci0 dev 28 function 0 "Intel 6321ESB PCIE" rev 0x09: irq 10
pci11 at ppb10 bus 11
uhci0 at pci0 dev 29 function 0 "Intel 6321ESB USB" rev 0x09: irq 11
uhci1 at pci0 dev 29 function 1 "Intel 6321ESB USB" rev 0x09: irq 5
uhci2 at pci0 dev 29 function 2 "Intel 6321ESB USB" rev 0x09: irq 11
uhci3 at pci0 dev 29 function 3 "Intel 6321ESB USB" rev 0x09: irq 5
ehci0 at pci0 dev 29 function 7 "Intel 6321ESB USB" rev 0x09: irq 11
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb11 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xd9
pci12 at ppb11 bus 12
vga1 at pci12 dev 12 function 0 "ATI ES1000" rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
"Intel 6321ESB LPC" rev 0x09 at pci0 dev 31 function 0 not configured
pciide0 at pci0 dev 31 function 1 "Intel 6321ESB IDE" rev 0x09: DMA, channel 0 
configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 disabled (no drives)
pciide0: channel 1 disabled (no drives)
ahci0 at pci0 dev 31 function 2 "Intel 6321ESB AHCI" rev 0x09: irq 10, AHCI 1.1
scsibus0 at ahci0: 32 targets, initiator 32
"Intel 6321ESB SMBus" rev 0x09 at pci0 dev 31 function 3 not configured
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1
isa0 at mainbus0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at 

Re: Question about urndis_decap invalid buffer len 1 < minimum header 44

[Edgar Pettijohn]

On 01/02/16 18:03, Christoph R. Murauer wrote:

Hello !

Could someone tell me please, where I could find more informations
about the following message in /var/log/messages ?

Jan  3 00:48:38 thinkpad-w541 /bsd: urndis0: urndis_decap invalid
buffer len 1 < minimum header 44


I think its due to an ethernet header not being of the correct size.

Jan  3 00:49:13 thinkpad-w541 last message repeated 8 times

The ThinkPad is connected over USB with a TP-Link M7350 LTE modem.
Internet is configured using /etc/hostname.urndis0 which contains only
the line dhcp. /etc/pf.conf is unmodified and, kept as after
installing 5.8 -release.

Thanks for answers.

OpenBSD 5.8 (GENERIC.MP) #1236: Sun Aug 16 02:31:04 MDT 2015
 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 33939300352 (32367MB)
avail mem = 32906813440 (31382MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0x7cd2d000 (68 entries)
bios0: vendor LENOVO version "GNET73WW (2.21 )" date 03/12/2015
bios0: LENOVO 20EFS00B00
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP DBGP ECDT HPET APIC MCFG SSDT SSDT SSDT SSDT
SSDT SSDT SSDT PCCT SSDT UEFI POAT ASF! BATB FPDT UEFI
acpi0: wakeup devices LID_(S4) SLPB(S3) IGBE(S4) EXP2(S4) EXP3(S4)
XHCI(S3) EHC1(S3) EHC2(S3)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpiec0 at acpi0
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz, 2793.92 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz, 2793.54 MHz
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 1, core 0, package 0
cpu2 at mainbus0: apid 2 (application processor)
cpu2: Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz, 2793.54 MHz
cpu2:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 1, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz, 2793.54 MHz
cpu3:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 1, core 1, package 0
cpu4 at mainbus0: apid 4 (application processor)
cpu4: Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz, 2793.54 MHz
cpu4:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu4: 256KB 64b/line 8-way L2 cache
cpu4: smt 0, core 2, package 0
cpu5 at mainbus0: apid 5 (application processor)
cpu5: Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz, 2793.54 MHz
cpu5:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,SENSOR,ARAT
cpu5: 256KB 64b/line 8-way L2 cache
cpu5: smt 1, core 2, package 0
cpu6 at mainbus0: apid 6 (application processor)
cpu6: Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz, 2793.54 MHz
cpu6:

filter-spamassassin

[Edgar Pettijohn]

I finally got around to trying out filter-spamassassin.  It appears to 
work correctly.  However, I was trying to change the default action from 
accept to reject. I've tried everything I can think of but continue to 
get syntax errors.  I assumed something like this would work:


filter spam spamassassin -s reject

listen on egress filter spam

But it didn't.

Any help is appreciated.

Edgar Pettijohn

Re: IPsec IKEv1 accepts non-matching phase 2 parameters

[Julian Hsiao]

On 2016-01-02 13:18:15 +, Stuart Henderson said:


See isakmpd.policy(5). It's an utter pain but it's necessary in order to
secure things with isakmpd.


Right, I eventually figured that out by having isakmpd dump out the 
isakmpd.conf(5) equivalent config.  Turns out "ike passive [...]" is 
transformed into "Passive-connections", and in isakmpd.conf(5):


Passive-connections
A list of IPsec "connection" names we recognize and accept initiations 
for. [...] Currently only the Local-ID and Remote-ID tags are looked at 
in those sections, as they are matched against the IDs given by the 
initiator.


Meaning that the Configuration parameter, which links to the remaining 
phase 2 options, are totally ignored!


FWIW, I worked out that the following policy will (mostly) enforce the 
phase 2 parameters I wanted:


Authorizer: "POLICY"
Conditions: app_domain == "IPsec policy" &&
   esp_auth_alg == "hmac-sha2-256" &&
   esp_enc_alg == "aes" &&
   esp_group_desc == "18" &&
   pfs == "yes" -> "true";

This is a pretty serious gotcha with using ipsecctl(8) / ipsec.conf(5) 
IMO, especially since the latter suggests you run isakmpd with -K 
option.



The other "fun" thing a client can do if it's
not restricted by keynote policy is to set "their" side of the tunnel to
something which diverts the wrong traffic - 0.0.0.0/0 is an obvious
example but rather unsubtle.


I'm not sure I completely follow.  Do you mean that the client has 
"from any to $SERVER_IP" instead of "from $CLIENT_IP to $SERVER_IP", 
resulting the client routing all its traffic to the server?


Incidentally, do you know if iked(8) (IKEv2) suffers from similar gotchas?

Thanks.

Julian Hsiao