Following patch or stable branch on Octeon

2019-12-20 Thread Predrag Punosevac
Hi Misc,

I run a bunch of EdgeRouter Lite in production and I just scored an
EdgeRouter 4. I was wondering what people do to keep their ER machines
patched or even possibly following stable? Shamefully, I have to admit
that up until now I just run release on ER Lite as it is only used as a
simple office firewall. The fact that ER 4 has a bit more muscle made
me think that I could perhaps try to apply patches at least for the
things which don't require a full kernel rebuild.

I am curious what machines are used by the project to build Octeon binaries?
What about packages now that the mips64 port is gone?

I also noticed that Octeon 6.6 install documentation mostly speaks about
ER Lite. ER 4 is super easy to boot from the built-in USB. I am still
debating whether to use USB storage or onboard 4GB eMMC flash storage. I
installed 6.6 on USB but I am getting an md5 checksum error when I try to
reboot the device. Setting boot parameters manually works OK. I will try
with a new USB device and try to fiddle boot parameters a bit but it could
be that I am hitting USB related bugs or that U-boot prefers onboard
flash storage.

Best,
Predrag



relayd doesn't load keypair with two listen statements

2019-12-20 Thread Mischa

Hi All,

When using the following config for relayd, the keypair is not loaded
twice. Without 'keypair' and using the default way, .crt and .crt in
/etc/ssl and /etc/ssl/private it's working as expected.


Is this expected behavior?

###
table  { 127.0.0.1 }
ext_v4 = "46.xx.xx.130"
ext_v6 = "2a03::xxx::130"
http protocol httpfilter {
tcp { nodelay, sack }
pass request quick path "/.well-known/acme-challenge/*" forward 
to 

}
http protocol httpsfilter {
tcp { nodelay, sack }
tls { keypair test.high5.nl, ciphers 
"kEECDH:!AESGCM:!aNULL:!SHA1:!MD5:@STRENGTH", no client-renegotiation }

}
relay default {
listen on $ext_v4 port 80
listen on $ext_v6 port 80
protocol httpfilter
forward to  port 80
forward to  port 3129
}
relay default_tls {
listen on $ext_v4 port 443 tls
listen on $ext_v6 port 443 tls
protocol httpsfilter
forward to  port 443
}
###

test# relayd -d -
startup
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
relay_load_certfiles: using certificate /etc/ssl/test.high5.nl.crt
relay_load_certfiles: using private key 
/etc/ssl/private/test.high5.nl.key

/etc/relayd.conf:22: cannot load certificates for relay default_tls4:443
socket_rlimit: max open files 1024
pfe: filter init done
hce exiting, pid 30862
pfe exiting, pid 39056
ca exiting, pid 87123
ca exiting, pid 32013
ca exiting, pid 78073
relay exiting, pid 24340
relay exiting, pid 4410
relay exiting, pid 14486



amdgpu test ends up with blank screen

2019-12-20 Thread Jens A. Griepentrog

Dear Listeners,

I have tried to run a Radeon RX 570 Nitro+ 8GB graphics card
on a Supermicro X9DRi-F mainboard, see the dmesg output below.
(There is no Xorg.log to send ...) Messages stop with a black
screen just before

initializing kernel modesetting (POLARIS10 0x1002:0x67DF 0x1DA2:0xE366 
0xEF).

amdgpu_irq_add_domain: stub
amdgpu_device_resize_fb_bar: stub
amdgpu: [powerplay] Failed to retrieve minimum clocks.
amdgpu0: 1600x1200, 32bpp
wsdisplay1 at amdgpu0
wsdisplay1: screen 0-5 added (std, vt100 emulation)

... machine still responsive over network ... clean shutdown
... graphics card removed ... switched back to onboard graphics

With best regards and many thanks to the developers,
Jens

OpenBSD 6.6 (GENERIC.MP) #3: Thu Nov 21 03:20:01 MST 2019

r...@syspatch-66-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 274826579968 (262095MB)
avail mem = 266484756480 (254139MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xec0c0 (136 entries)
bios0: vendor American Megatrends Inc. version "3.3" date 07/12/2018
bios0: Supermicro X9DR3-F
acpi0 at bios0: ACPI 5.0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC FPDT MCFG SRAT SLIT HPET PRAD SPMI SSDT 
EINJ ERST HEST BERT DMAR
acpi0: wakeup devices P0P9(S1) EUSB(S4) USBE(S4) PEX0(S4) PEX1(S1) 
PEX2(S1) PEX3(S1) PEX4(S1) PEX5(S1) PEX6(S1) PEX7(S1) NPE1(S1) NPE2(S1) 
GBE_(S4) I350(S4) NPE3(S1) [...]

acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E5-2660 0 @ 2.20GHz, 2200.33 MHz, 06-2d-07
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,PAGE1GB,RDTSCP,LONG,LAHF,PERF,ITSC,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN

cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 100MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.1.2, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Xeon(R) CPU E5-2660 0 @ 2.20GHz, 2200.01 MHz, 06-2d-07
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,PAGE1GB,RDTSCP,LONG,LAHF,PERF,ITSC,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN

cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Xeon(R) CPU E5-2660 0 @ 2.20GHz, 2200.01 MHz, 06-2d-07
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,PAGE1GB,RDTSCP,LONG,LAHF,PERF,ITSC,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN

cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Xeon(R) CPU E5-2660 0 @ 2.20GHz, 2200.01 MHz, 06-2d-07
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,PAGE1GB,RDTSCP,LONG,LAHF,PERF,ITSC,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN

cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 0, core 3, package 0
cpu4 at mainbus0: apid 8 (application processor)
cpu4: Intel(R) Xeon(R) CPU E5-2660 0 @ 2.20GHz, 2200.01 MHz, 06-2d-07
cpu4: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,PAGE1GB,RDTSCP,LONG,LAHF,PERF,ITSC,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN

cpu4: 256KB 64b/line 8-way L2 cache
cpu4: smt 0, core 4, package 0
cpu5 at mainbus0: apid 10 (application processor)
cpu5: Intel(R) Xeon(R) CPU E5-2660 0 @ 2.20GHz, 2200.01 MHz, 06-2d-07
cpu5: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,PAGE1GB,RDTSCP,LONG,LAHF,PERF,ITSC,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN

cpu5: 256KB 64b/line 8-way L2 cache
cpu5: smt 0, core 5, package 0
cpu6 at mainbus0: apid 12 

Re: OpenBSD pf - redirect all DNS queries to local DNS server

2019-12-20 Thread Stuart Henderson
On 2019-12-19, Anthony O' Brien  wrote:
> Long time reader, first time writing in...
>
>> The big question: Is there any DOC for OpenBSD about this? What pf rules
>> needed to redirect any DNS server (ex.: 8.8.8.8 or 1.1.1.1) requests to
>> the DNS server running on the ROUTER, coming from the CLIENTS?
>
> You can use rdr-to[0] with pf to redirect all DNS queries to the DNS
> resolver running on the router. A rule in pf.conf would look something like:
>
> pass in on $int_if proto { udp , tcp } from any to any port domain \
>   rdr-to $dns_server port domain
>
> Ted Unangst has a short write-up about turning your network inside out to do
> just this[1].
>
> [0]: https://man.openbsd.org/pf.conf.5#rdr-to
> [1]: https://flak.tedunangst.com/post/turn-your-network-inside-out-with-one-pfconf-trick
>

Just remember what you've done - if you ever try to troubleshoot a
broken nameserver or something while using this connection the hijacking
might cause some confusion!
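
A pf.conf fragment for the redirect discussed in this thread, written so the troubleshooting confusion mentioned above is easier to spot and work around. This is an added example, not part of the original messages; the interface name, the resolver address, the `<dns_direct>` table and its sample member are assumptions, and it covers IPv4 only.

```conf
# Constructed example values (assumptions, not from the thread).
int_if     = "em1"           # LAN-facing interface
dns_server = "192.168.1.1"   # resolver running on the router

# Hosts listed here are allowed to talk to outside nameservers directly,
# e.g. an admin workstation used to debug a remote nameserver.
table <dns_direct> persist { 192.168.1.10 }

# 1. Exempt hosts first: "quick" stops rule evaluation, so the redirect
#    rule below is never applied to them.
pass in quick on $int_if inet proto { udp, tcp } \
    from <dns_direct> to any port domain

# 2. Everyone else: any DNS query not already addressed to the router is
#    rewritten to the local resolver. "log" records each redirected
#    state on pflog0, so the interception stays visible to whoever is
#    troubleshooting later.
pass in log on $int_if inet proto { udp, tcp } \
    from any to ! $dns_server port domain \
    rdr-to $dns_server port domain
```

A host can be exempted temporarily with `pfctl -t dns_direct -T add <address>` and removed again with `-T delete`; `tcpdump -n -e -ttt -i pflog0` shows which client queries are being redirected.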




Re: thank you for 6.6 and bsd.rd

2019-12-20 Thread VanL
"Theo de Raadt"  writes:

> Jonathan Thornburg  wrote:
>
>> Being able to copy the new (6.6) bsd.rd to an existing filesystem on the
>> (running) old OpenBSD system, then boot that bsd.rd to install, was
>> really really nice.  Thank you!
>
> well you missed out
>
> for 6.5 onwards, all you had to do was type
>
> sysmerge
> sysupgrade
>
> for 6.6 onwards you'll only need sysupgrade

I really appreciated that and I wanted to donate or buy a summer white
men's medium long sleeve polo shirt with OpenBSD Cyberpunk artwork. See
the store for SpaceX or ULA merchandise for an idea. 

The payment mechanism for making a donation isn't as easy as Wikipedia's
or the Internet Archive's; and the shopping experience isn't as easy as
a Shopify-like polished frontend.

As a use case, I was able to navigate Core Electronics¹ to buy a
Raspberry Pi 4 B with Ice Tower Cooler but failed to discover the PoE
option I never knew I really, really wanted and forgot to include
Ethernet cable.

Thank you!

¹ https://core-electronics.com.au
  example of useable shopping experience by a little startup
  I am a happy customer of.


-- 
VanL. 



Re: thank you for 6.6 and bsd.rd

2019-12-20 Thread eriklauritsen
Theo de Raadt-2 wrote
> Jonathan Thornburg jthorn4242@ wrote:
> 
>> I recently reinstalled my main laptop (which was at 6.5-stable/amd64)
>> with 6.6/amd64.  Almost everything "just worked", and the things that
>> didn't were 3rd-party stuff not from OpenBSD.  A big thank-you to
>> everyone!
>> 
>> And... a specific itch-you-scratched-very-nicely I'd like to praise:
>> 
>> For the past few years I've usually (re)installed OpenBSD by burning a
>> boot DVD and then booting that.  But this time I found myself with the
>> combination of a broken built-in cd/dvd drive, and a computer which
>> didn't
>> seem to want to boot from USB even after fiddling with bios settings.
>> Being able to copy the new (6.6) bsd.rd to an existing filesystem on the
>> (running) old OpenBSD system, then boot that bsd.rd to install, was
>> really really nice.  Thank you!
> 
> well you missed out
> 
> for 6.5 onwards, all you had to do was type
> 
> sysmerge
> sysupgrade
> 
> for 6.6 onwards you'll only need sysupgrade

If I'm not mistaken there was a big discussion some years back with some
guy, Rico or something, who suggested that OpenBSD got something similar to
apt from Debian. I remember everyone telling him that was a bad idea and
eventually Theo asked him to shut up, and oh, now we kinda have it. Go
figure, not such a bad idea after all.






Re: thank you for 6.6 and bsd.rd

2019-12-20 Thread Christian Weisgerber
On 2019-12-20, "Theo de Raadt"  wrote:

> well you missed out
>
> for 6.5 onwards, all you had to do was type
>
> sysmerge
> sysupgrade

I think that was intended to read

  syspatch
  sysupgrade

> for 6.6 onwards you'll only need sysupgrade

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de