howto use route-to with pf and carp

[niya levi]

hi

i have two firewalls running pf and carp,

i have apcupsd and ntp running on the firewalls,

both connect to apcupsd and ntp servers on my lan ,

the firewalls also send mail to my internal mail server at regular 
intervals,


the firewall when in slave mode loses all connectivity through the carp 
interface,


should i use a route-to rule to send it via the lan interface ?

if yes can someone show me an example of how the route-to rule would be 
written,


if no what would be the best way to go about this.

thanks

shadrock

Re: LibreSSL on old OpenBSD

[Eric Furman]

On Sat, Aug 13, 2016, at 01:36 PM, Roderick wrote:
> On Sat, 13 Aug 2016, Theo de Raadt wrote:
> 
> > We prefer creating a world that is simpler.  That is the practice
> > we follow with our bodies of code.
> >
> > You prefer backwards compat.  Fine, that is your choice. You can
> > apply that principle in your own code.
> >
> > Are we finished here?
> 
> It is not so simple. Of course I like simplicity, perhaps more than
> you. And more standards than backward compatibility: that is why
> I wondered that till now there is no standard. But programming
> is always ponderation, in many dimensions. You must decide for example
> between (run) time or space (memory), between security, performance
> or simplicity. Sure, with absolute goals there is no much to decide and
> no
> much discussion, and we are finished.


When are you going to realize that there are no such things as
standards?
They are and always have been a moving target.
What is standard today almost certainly will not be in the future.

Re: LibreSSL on old OpenBSD

[Mihai Popescu]

> But programming
> is always ponderation, in many dimensions. You must decide for example
> between (run) time or space (memory), between security, performance
> or simplicity. Sure, with absolute goals there is no much to decide and no
> much discussion, and we are finished.

> Rodrigo.

Total bullshit! I have seen this kind of statements to some of my
teachers in university: 100% bad theory and 0% good practice.
Are you able to decide "between security"? I think you are either
saying a joke or you have no idea about what you are talking about.
For your information, I think OpenBSD "decided" to have all together:
fast running, low memory footprint, secure, performant and simple.

And the authors of the code "decided" to offer this code to the rest
of the mortals. They also spent their time to package it and make it
simple to install for the ... same mortals, us. And so on. They have
no obligation for the rest of us, users of their code.
The situation is so free, that you can stop using their code and leave
for something different. The question is, will you do it?

Bye.

Re: arm on pandaboard fails

[Mihai Popescu]

I think it is better to use openbsd-arm@ list.

Thank you.

Re: arm on pandaboard fails

[Tuyosi Takesima]

thanks for advice of Juan and  Jonathan .

i try snapshots.
*now 8/13/2016* it can not reach the step of entrance of install .

so i try 5.8 by shell script
 ./comment-out.bat
get_and_burn-panda_XY.bat

 wget ftp://mirror.yandex.ru/pub/OpenBSD/$1.$2/armv7/miniroot-panda-$1$2.fs
 echo '---get---'
 ls *panda*.fs
 dd if=./miniroot-panda-$1$2.fs  of=/dev/rsd0c
 echo '---burned---'

but rebooting also fals .

->
ddb> trace
panic+0x18
scp=0xc03bf9bc rlv=0xc03bd000 (pool_do_get+0x260)
rsp=0xcc4cad58 rfp=0xcc4cad90
pool_do_get+0xc
scp=0xc03bcdac rlv=0xc03bc948 (pool_get+0x90)
rsp=0xcc4cad94 rfp=0xcc4cade4
r7=0xb81a6000 r6=0x0002 r5=0xc0708094 r4=0x0002
pool_get+0x10
scp=0xc03bc8c8 rlv=0xc0537a58 (pmap_enter+0x484)
rsp=0xcc4cade8 rfp=0xcc4cae34
r8=0xb81a600e r7=0xb81a6000 r6=0x0001 r5=0xca59f838
r4=0x0002
pmap_enter+0xc
scp=0xc05375e0 rlv=0xc04e100c (uvm_fault+0x9fc)
rsp=0xcc4cae38 rfp=0xcc4caf58
r10=0x0001 r9=0xcc4cae84 r8=0x r7=0x
r6=0xca58b2ac r5=0xca58b2ac r4=0xc5214634
uvm_fault+0xc
scp=0xc04e061c rlv=0xc05333e4 (data_abort_handler+0x248)
rsp=0xcc4caf5c rfp=0xcc4cafb0
r10=0xcc4cafb4 r9=0xcc4c9000 r8=0x0001 r7=0xca5a0118
r6=0x0001 r5=0xca592a14 r4=0x4838
data_abort_handler+0xc
scp=0xc05331a8 rlv=0xc0532bb0 (address_exception_entry+0x50)
rsp=0xcc4cafb4 rfp=0xb2a0
r10=0x r9=0xb2a8 r8=0x r7=0x4cd6e388
r6=0x4cd6ec88 r5=0x0001 r4=0x
ddb>
panic+0x18
scp=0xc03bf9bc rlv=0xc03bd000 (pool_do_get+0x260)
rsp=0xcc4cad58 rfp=0xcc4cad90
ddb> ps
   PID   PPID   PGRPUID  S   FLAGS  WAIT  COMMAND
*29031  27053  27053  0  7 0x1sh
 27053  1  27053  0  30x8b  pause sh
 25014  0  0  0  3 0x14200  pgzerozerothread
  6099  0  0  0  3 0x14200  aiodoned  aiodoned
 27203  0  0  0  3 0x14200  syncerupdate
 12059  0  0  0  3 0x14200  cleaner   cleaner
   864  0  0  0  3 0x14200  reaperreaper
 29025  0  0  0  3 0x14200  pgdaemon  pagedaemon
 13319  0  0  0  3 0x14200  bored crypto
 15627  0  0  0  3 0x14200  pftm  pfpurge
 10623  0  0  0  3 0x14200  usbtskusbtask
 23133  0  0  0  3 0x14200  usbatsk   usbatsk
 18513  0  0  0  3 0x14200  mmctsksdmmc0
 19715  0  0  0  3 0x14200  bored softnet
 25386  0  0  0  3 0x14200  bored systqmp
 24708  0  0  0  3 0x14200  bored systq
  5111  0  0  0  3  0x40014200idle0
 20329  0  0  0  3 0x14200  kmalloc   kmthread
 1  0  1  0  30x82  wait  init
 0 -1  0  0  3 0x10200  scheduler swapper

<---

i should wait for the next snapshot .
---
regards

Re: LibreSSL on old OpenBSD

[Roderick]

On Sat, 13 Aug 2016, Theo de Raadt wrote:


We prefer creating a world that is simpler.  That is the practice
we follow with our bodies of code.

You prefer backwards compat.  Fine, that is your choice. You can
apply that principle in your own code.

Are we finished here?


It is not so simple. Of course I like simplicity, perhaps more than
you. And more standards than backward compatibility: that is why
I wondered that till now there is no standard. But programming
is always ponderation, in many dimensions. You must decide for example
between (run) time or space (memory), between security, performance
or simplicity. Sure, with absolute goals there is no much to decide and no
much discussion, and we are finished.

Rodrigo.

Re: LibreSSL on old OpenBSD

[Theo de Raadt]

> And if the whole is a technical progress, is a more complicated
> thing. I preffer to take a constant from sys/params.h at
> compile time than getting it with a call of sysconf() at run time.
> The older standards arose perhaps from considerations that
> today are forgotten or play no role anymore. Later one will have different
> prefferences and new standards. As Ted said: standards change.
> And we will always be "porting" software.

We prefer creating a world that is simpler.  That is the practice
we follow with our bodies of code.

You prefer backwards compat.  Fine, that is your choice. You can
apply that principle in your own code.

Are we finished here?

Re: LibreSSL on old OpenBSD

[Roderick]

I thank you, you got what I wanted to know.

I also thank Peter Hansteen, Stuart Henderson, Ted Unangst and
Alex Bochmann for their polite and serious answers. Also Theo for his
polite recomendation for my happyness: I will think about it.

On Fri, 12 Aug 2016, Philip Guenther wrote:


Yes, the previous situation with  and 
was confusing (code was including the wrong header and not getting the


Well, it was necessary to substitute  with
, and to include types.h before including socket.h
or uio.h. What is necessary and the changes can be recognised by comparing
the man pages of byteorder, socket and readv in the many versions
of OpenBSD, as well of 4.4BSD and of FreeBSD. It seems there is till
now no standard, LibreSSL will not compile in FreeBSD 10.3 out of the
box (according to the man pages).

It seems that you see the progress in that there is now a de jure
POSIX standard that OpenBSD will follow acribically, instead of
a de facto BSD standard (if there is such).

And if the whole is a technical progress, is a more complicated
thing. I preffer to take a constant from sys/params.h at
compile time than getting it with a call of sysconf() at run time.
The older standards arose perhaps from considerations that
today are forgotten or play no role anymore. Later one will have different
prefferences and new standards. As Ted said: standards change.
And we will always be "porting" software.

In any case, this was not a problem (a problem is for example the
Flag AI_ADDRCONFIG for getaddrinfo() in tls/tls_client.c or a lot of
warnings in compiling in tls directory).

Rodrigo.

Re: System broken? - No, kbd key stuck (try other hw first)

[lists]

Fri, 12 Aug 2016 21:01:23 +0200 Stefan Wollny 
[...]
> Maybe it is a hardware issue, likely not OpenBSD-related...
> Since the night before last my system writes "q"s where ever possible...

Hi Stefan,

It must be a hardware issue as already advised -- misplaced support call.

Most probably you dropped something on this key some time ago, it is very
frequently used, or simply the first one to malfunction.  This looks like
a keyboard problem, most probably you have the key stuck.  I've seen this
before, on laptop keyboards mostly.  The solution would be to detach this
internal keyboard's flat ribbon cable from the system main board, order a
new one and use an external USB keyboard in the meantime.  Or, take it to
a service repair (shop, if under warranty) where these steps will be done
for you at a premium cost.  If you can, take out & clone the storage disk
prior to going for repair and put it back in place.  When out of warranty
take the system for repair without storage disk, or you'll get data lost.

I'd recommend you rely on machines that are not tightly packed, for work.
Or even better have a spare one, sync there your data & continue happily.
For future such sessions call hardware/vendor support, and get some rest.

OpenBSD FAQ1 - Introduction to OpenBSD (Platforms: Selecting hardware)
[http://www.openbsd.org/faq/faq1.html#Platforms]

Kind regards,
Anton

> Startup is not possible because at the "boot: " prompt very fast "q"s
> are printed that would be taken as input if  is hit. (BIOS,
> not UEFI)
> 
[...]
> 
> Unless s.o. has an idea about how to solve this issue I will have to
> send this laptop to the manufacturer as I still have guarantee. It is
> just that since today I urgently need particularly this machine. Very
> frustrated... (I use a Linux box instead with an awfully bad screen).
> 
> 
> Any hint is welcome.
> 
> 
> TIA.
> 
> 
> Best,
> STEFAN

Re: 5.9: vmx0: device timeout

[mxb]

Hey,
it would be nice to define “network load”.
I have several VMs running 5.8-stable/5.9-stable/current without seeing this.

//mxb

> On 11 aug. 2016, at 21:44, Kurt Mosiejczuk  wrote:
>
> I've noticed that for 5.9, any VMs (in VMware) using vmx(4), end up putting
> "vmx0: device timeout" into the dmesg a bunch when under network load.
>
> I switched one of the VMs to vic(4) and the messages stop.  Another VM that
> I haven't gotten to upgrading from 5.8 to 5.9 yet doesn't show this in its
> dmesg and it's our reasonably busy web server.
>
> Anyone else see this?  I noticed there were a bunch of changes to vmx(4)
> after 5.8 as part of the network mpsafe work.
>
> dmesg below.
>
> --Kurt
>
>
> OpenBSD 5.9 (GENERIC) #8: Thu Jul 14 20:12:37 CEST 2016
>
jas...@stable-59-amd64.mtier.org:/binpatchng/work-binpatch59-amd64/src/sys/ar
ch/amd64/compile/GENERIC
> real mem = 1056899072 (1007MB)
> avail mem = 1020764160 (973MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xe0010 (364 entries)
> bios0: vendor Phoenix Technologies LTD version "6.00" date 09/17/2015
> bios0: VMware, Inc. VMware Virtual Platform
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S1 S4 S5
> acpi0: tables DSDT FACP BOOT APIC MCFG SRAT HPET WAET
> acpi0: wakeup devices PCI0(S3) USB_(S1) P2P0(S3) S1F0(S3) S2F0(S3) S3F0(S3)
S4F0(S3) S5F0(S3) S6F0(S3) S7F0(S3) S8F0(S3) S9F0(S3) S10F(S3) S11F(S3)
S12F(S3) S13F(S3) [...]
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz, 3093.38 MHz
> cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,MMX,FXSR,SSE,SSE2,SS,SSE3,PCLMUL,SSSE3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,PO
PCNT,AES,XSAVE,AVX,HV,NXE,LONG,LAHF,PERF,ITSC,SENSOR,ARAT
> cpu0: 256KB 64b/line 8-way L2 cache
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
> cpu0: apic clock running at 65MHz
> ioapic0 at mainbus0: apid 1 pa 0xfec0, version 11, 24 pins
> acpimcfg0 at acpi0 addr 0xf000, bus 0-127
> acpihpet0 at acpi0: 14318179 Hz
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpicpu0 at acpi0: C1(@1 halt!)
> acpibat0 at acpi0: BAT1 not present
> acpibat1 at acpi0: BAT2 not present
> acpiac0 at acpi0: AC unit online
> acpibtn0 at acpi0: SLPB
> acpibtn1 at acpi0: LID_
> pvbus0 at mainbus0: VMware
> vmt0 at pvbus0
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x01
> ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x01
> pci1 at ppb0 bus 1
> pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x08
> pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel
0 configured to compatibility, channel 1 configured to compatibility
> pciide0: channel 0 disabled (no drives)
> atapiscsi0 at pciide0 channel 1 drive 0
> scsibus1 at atapiscsi0: 2 targets
> cd0 at scsibus1 targ 0 lun 0:  ATAPI
5/cdrom removable
> cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
> piixpm0 at pci0 dev 7 function 3 "Intel 82371AB Power" rev 0x08: SMBus
disabled
> "VMware VMCI" rev 0x10 at pci0 dev 7 function 7 not configured
> vga1 at pci0 dev 15 function 0 "VMware SVGA II" rev 0x00
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> mpi0 at pci0 dev 16 function 0 "Symbios Logic 53c1030" rev 0x01: apic 1 int
17
> mpi0: 0, firmware 1.3.41.32
> scsibus2 at mpi0: 16 targets, initiator 7
> sd0 at scsibus2 targ 0 lun 0:  SCSI2 0/direct
fixed
> sd0: 20480MB, 512 bytes/sector, 41943040 sectors
> mpi0: target 0 Sync at 160MHz width 16bit offset 127 QAS 1 DT 1 IU 1
> ppb1 at pci0 dev 17 function 0 "VMware PCI" rev 0x02
> pci2 at ppb1 bus 2
> ppb2 at pci0 dev 21 function 0 "VMware PCIE" rev 0x01
> pci3 at ppb2 bus 3
> vmx0 at pci3 dev 0 function 0 "VMware VMXNET3" rev 0x01: apic 1 int 18,
address 00:50:56:8c:71:d1
> ppb3 at pci0 dev 21 function 1 "VMware PCIE" rev 0x01
> pci4 at ppb3 bus 4
> ppb4 at pci0 dev 21 function 2 "VMware PCIE" rev 0x01
> pci5 at ppb4 bus 5
> ppb5 at pci0 dev 21 function 3 "VMware PCIE" rev 0x01
> pci6 at ppb5 bus 6
> ppb6 at pci0 dev 21 function 4 "VMware PCIE" rev 0x01
> pci7 at ppb6 bus 7
> ppb7 at pci0 dev 21 function 5 "VMware PCIE" rev 0x01
> pci8 at ppb7 bus 8
> ppb8 at pci0 dev 21 function 6 "VMware PCIE" rev 0x01
> pci9 at ppb8 bus 9
> ppb9 at pci0 dev 21 function 7 "VMware PCIE" rev 0x01
> pci10 at ppb9 bus 10
> ppb10 at pci0 dev 22 function 0 "VMware PCIE" rev 0x01
> pci11 at ppb10 bus 11
> ppb11 at pci0 dev 22 function 1 "VMware PCIE" rev 0x01
> pci12 at ppb11 bus 12
> ppb12 at pci0 dev 22 function 2 "VMware PCIE" rev 0x01
> pci13 at ppb12 bus 13
> ppb13 at pci0 dev 22 function 3 "VMware PCIE" rev 0x01
> pci14 at ppb13 bus 14
> ppb14 at pci0 dev 22 function 4 

Re: LibreSSL on old OpenBSD

[Martin Schröder]

2016-08-12 23:28 GMT+02:00 Philip Guenther :
> Yes, the previous situation with  and 
> was confusing (code was including the wrong header and not getting the

Thanks. Finally an answer after days of shouting.

Best
   Martin

Re: arm on pandaboard fails

[Jonathan Gray]

On Fri, Aug 12, 2016 at 05:02:49PM +0200, Juan Francisco Cantero Hurtado wrote:
> On Fri, Aug 12, 2016 at 08:59:51PM +0900, Tuyosi Takesima wrote:
> > Hi all .
> > i report this .
> > 
> > i take photos .
> > 
> > they are on
> > http://akita-arm.blogspot.jp/2016/08/pandaboard-openbsd.html
> > 
> > i am looking forward to meet openbsd 60 's armv7 .
> 
> Don't waste your time with old releases on arm boards. Use -current, the
> arm support is quite better now.

When released 6.0 should be fine on pandaboard but the -current snapshot
built on the 10th of August isn't.

Wait for the next snapshot which will have
http://marc.info/?l=openbsd-cvs=147088043212134=2
which is required due to ampintc now attaching to fdt.

Re: cvsweb: headers of revision files are shown in plain text

[Philip Guenther]

On Sat, Aug 13, 2016 at 12:43 AM, Alessandro DE LAURENZIS
 wrote:
...
> Actually, my trial on -current was too quick; maybe there was something in
> the browser's cache... Anyhow, I confirm that cvsweb works flawlessly in 
> -current.
>
> Now: any chance to have this working on the 5.9 machine? I tried to upgrade
> httpd(8) only (compiling from -current source), but i still see the 
> misbehaviour;
> maybe some other libs involved?

"To have it working on the 5.9 machine, upgrade the 5.9 machine to run 6.0"

(Figuring out which fix in the last 6 months fixed this would take
*someone's* brain power.  If it matters to you, why aren't you
contributing that research to the OpenBSD community instead of asking
someone else to do that work?  It's simple: just take your 5.9 box and
walk it forward diff by diff until you find the change that fixed
things!  If you had been tracking -current on a regular basis then
this wouldn't hard to answer..but now you're basically asking people
to try to remember something from up to 6 months ago.  Do you remember
the *side-effects* of stuff you dealt with 3 months ago?  4 months
ago?  5 months ago?)

Re: X "si" keyboard layout changes in recent snapshots

[Matej Nanut]

On 13 August 2016 at 03:05, Walter Alejandro Iglesias
 wrote:
> Probably what you're experiencing is a side effect of that changes.

Yes! Great find. I reverted the patch in that message, and it started
working. There are no additional errors.

We're apparently using the head git version, not the 1.3.1 tag, as
this change hasn't made it into a release yet.

I reported this in the discussion on their bugzilla[0].

[0]: https://bugs.freedesktop.org/show_bug.cgi?id=57242#c36

Re: cvsweb: headers of revision files are shown in plain text

[Alessandro DE LAURENZIS]

Hello naddy,

On Fri, 12 Aug 2016 19:20:12 + (UTC)
Christian Weisgerber  wrote:

> On 2016-08-12, Alessandro DE LAURENZIS 
> wrote:
> 
> > Out of idea.  
> 
> I have no idea either.  I run cvsweb on a local machine.  It just
> works.  /etc/rc.conf.local:

Actually, my trial on -current was too quick; maybe there was something in
the browser's cache... Anyhow, I confirm that cvsweb works flawlessly in 
-current.

Now: any chance to have this working on the 5.9 machine? I tried to upgrade
httpd(8) only (compiling from -current source), but i still see the 
misbehaviour;
maybe some other libs involved?

-- 
Alessandro DE LAURENZIS
[mailto:jus...@atlantide.t28.net]
LinkedIn: http://it.linkedin.com/in/delaurenzis