Re: S3 Virge support on IBM T23 for 6.6

2020-04-15 Thread Janne Johansson
On Wed, 15 Apr 2020 at 23:29, Paolo Aglialoro wrote:

> Is this a hint that soon i386 architecture will be deprecated?
> Considering that supported hw (at least graphics) is going more and more to
> overlap with amd64, at the very end i386 would remain only for some
> routerboards.
>

i386 has seen a fair share of deprecations, from the actual 386 CPUs and
486s without FPU, to machines with 8,16,32,64M ram for whom reordering libs
and kernel isn't really doable with recent OpenBSD releases.

-- 
May the most significant bit of your life be positive.


Re: S3 Virge support on IBM T23 for 6.6

2020-04-15 Thread lists
Wed, 15 Apr 2020 23:26:44 +0200 Paolo Aglialoro 
> Thank you for the explanation, Otto.
> 
> Is this a hint that soon i386 architecture will be deprecated?

Hello Paolo,

Considering that it's worth reading the reply without misinterpreting anything,
it is here quoting this again:  "What other OS maintainers do is their choice".
Let's not invent reasons to claim if it does not work for you then nobody else.

Kind regards,
Anton Lazarov
MScEng EECSIT

> Considering that supported hw (at least graphics) is going more and more to
> overlap with amd64, at the very end i386 would remain only for some
> routerboards.
> 
> On Wed, Apr 15, 2020 at 8:14 PM Otto Moerbeek  wrote:
> 
> > On Wed, Apr 15, 2020 at 04:55:04PM +0200, Paolo Aglialoro wrote:
> >  
> > > Hello,
> > >
> > > I read from the 6.5 to 6.6 upgrade guide that the following files:
> > >
> > >
> > > */usr/X11R6/lib/modules/drivers/s3_drv.la 
> > > /usr/X11R6/lib/modules/drivers/s3_drv.so
> > > /usr/X11R6/lib/modules/drivers/s3virge_drv.la 
> > > /usr/X11R6/lib/modules/drivers/s3virge_drv.so
> > > /usr/X11R6/man/man4/s3.4
> > > /usr/X11R6/man/man4/s3virge.4*
> > >
> > > are being deleted as "retired". Does this mean that my IBM T23 will stop
> > > its X-life at 6.5 or is its S3 Virge video card supported in some other
> > > decent way (VESA or whatever)? I would be glad to know it *before* trying
> > > this upgrade.
> > >
> > > If the sad answer would be "no more support", could I ask why this,
> > > together with several i686 still working boxes, would be dropped while
> > > other OSs aren't doing so?
> > >
> > > Thanks  
> >
> >
> >
> > http://cvsweb.openbsd.org/xenocara/driver/Makefile?rev=1.74&content-type=text/x-cvsweb-markup
> >
> > explains it:
> >
> > "Unlink a number of old video drivers from the build.
> >
> > The corresponding hardware is out of date, barely useable
> > with modern systems and their code is not maintained.
> > ok sthen@"
> >
> > We have a very limited number of volunteers. In general, code is a
> > liability, not an asset. What other OS maintainers do is their choice.
> >
> > -Otto
> >  



Re: Unbound Notice: "sendto failed: No buffer space available"

2020-04-15 Thread William Ahern
On Wed, Apr 15, 2020 at 10:53:49PM +0200, Ben wrote:

> I have exactly one device - an Apple smartphone - within one of the
> subnets, that Unbound is not able to send "some" data. The log tells us
> "sendto failed: No buffer space available". Beside the error message,
> the device seems to work without any issues. It gets its DNS queries
> resolved. And it is the only device triggering this unbound behaviour.

AFAIU, ENOBUFS happens when the NIC transmit queue is full. Have you looked
at the interface statistics to see if there are many dropped packets? Try,
e.g.,

  $ netstat -ni

> 
> WHAT HAS BEEN DONE SO FAR:

> (4) pf.conf
> bnd_flows = "1024"
> bnd_qlimit = "1024"
> # respective queue where the traffic from router to device should pass
> queue int_guests parent int_ingress bandwidth $int_guests max
> $int_guests_max flows $bnd_flows qlimit $bnd_qlimit

I don't have any experience with queueing, but you might try disabling it to
rule it out. Without knowing anything about the implementation, I wouldn't
be surprised if it dropped UDP packets in a way that triggered ENOBUFS,
resembling (or emulating) the behavior of a full TX queue.



Re: I see you guys are full of shit when it comes to one thing:

2020-04-15 Thread Aaron Mason
This isn't the airport, no need to announce your departure.

On Wed, Apr 15, 2020 at 3:27 PM zap  wrote:
>
> you think proprietary software is secure as much as linux loves being
> shit.
>
>
> I had hoped you guys had better self respect, and had some moral
> integrity within.
>
> And if you think i sound sad for dissing GNU, I was going to hold this
> back, but your fucking attitudes are shit as are your attempts to  block
> software that could be useful just because you get into an argument with
> people. (Palemoon) :P
>
> Same with wine!
>
> Please by all means get me off your damn list.  You guys are as bad as
> the linux organization.
>
> and while you're all at it, since you're unwilling to understand the truth
> that proprietary software sucks, just go wank yourselves somewhere.
>
> I really don't care about  being on this list anymore.  You guys are
> fucking heartless.  That's a fact.
>
> And Theo, if I said anything nice about you, please forget I said
> anything.  I don't take kindly to hostile assholes who refuse to be civil.
>
>
> Sigh... I guess trying to praise you for the good you guys do is just
> not constructive.  I see you guys live in a bubble of your own choosing.
>
> Wee proprietary software totally doesn't have any flaws or
> weaknesses!  GNU has the right to be shit, same with Linux! and BSD can
> refuse software that could otherwise benefit their users just because it
> has a license you hate! GOD damn
>
>
> Smell you later assholes.
>


-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



RE: I see you guys are full of shit when it comes to one thing:

2020-04-15 Thread zeurkous
"zap"  wrote:
> Also, by all means, please do ban me if you want.

Me's never seen anyone on the list outright banned... However, replies
to at least one thread have been (and are perhaps still being) filtered
out. That thread involved a {loonie,troll} excessively cross-posting
rather explosive allegations (way worse than your outburst).

Medoesn't really agree w/ the filtering, though meunderstands it.

> I really couldn't care
> less.  you guys need to get off your own pedestal.

Yeah well, lots of humans put themselves on pedestals... that's far from
unique to the OpenBSD project.

Again, please calm down. Even if theo & co. can't be nice, *we* can be
nice and thus make things nicer for everyone.

Take care,

 --zeurkous.

-- 
Friggin' Machines!



RE: I see you guys are full of shit when it comes to one thing:

2020-04-15 Thread zeurkous
"zap"  wrote:
> you think proprietary software is secure as much as linux loves being
> shit. 
>
>[and it just went downhill from there...]

Please calm down. Sometimes mefeels the way you do, so meunderstands...
however, me'd advise not to make a public scene.

  --zeurkous.

P.S.: Things *are*, currently, shit.

-- 
Friggin' Machines!



RE: passive-aggressive questions

2020-04-15 Thread zeurkous
theo wrote:
> Nothing you are saying has any relevance to the use of OpenBSD.

As much as one might wish it were, OpenBSD is *not* an island: the
place of OpenBSD in the world *is* a relevant issue. Real life, y'know.

> The chatter is useless.

You just can't stand to see yourself being criticised (no news there).

> Stop it.

Ah, you've come out of 'denial' and passed into 'anger'. Anyone wanna
bet when he moves on to 'bargaining'?

Theo: you are free not to take notice of any of this. Mesuggests that you
consider using that freedom (aka: just plonk it if you don't like
it). Your position is not under attack (at least not by me).

--zeurkous. 

-- 
Friggin' Machines!



RE: passive-aggressive questions

2020-04-15 Thread zeurkous
"j3s"  wrote:
> On 4/14/20 11:02 PM, zap wrote:
>> I'll be honest, i like libre software, but, libre software that is
>> insecure, aka redhat's bs, openssl, java, etc... is barely better than
>> proprietary software.
>
> this is crap.

That stuff sure shares a lot of traits w/ one's typical proprietary
product: fluffy obscurity, bugginess, ridiculous design flaws, lack of
plain common sense, etc. 

>> unix philosophy should have been kept in linux.  Because it wasn't,
>> well... Linux and GNU for that matter are going to take a hit again and
>> again, till they learn their damn lessons.
>
> GNU isn't a collective of children to be punished. They're programmers
> volunteering their time and you sound like a sad person for treating
> them this way.

,s/programmers/advocates/

> But also, Theo is right, none of this relates to OpenBSD;

Doesn't it, really? Comparison w/ the outside world is one of the most
useful critical tools that me's aware of. 

> it seems like
> you just want a pedestal to piss on others from. This is not that place.

Medidn't observe zap do that (at least not yet).

  --zeurkous.

P.S. to zap: the courtesy copy of the prev msg got rejected by your
 mail swerver; either you do not exist (as it claims), or volny is
 fscking up somehow. Either way, consider yourself informed. 

-- 
Friggin' Machines!



RE: passive-aggressive questions

2020-04-15 Thread zeurkous
Haai,

"zap"  wrote:
>
> I think theo is about the same as Linus in how foul he can get...

As meobserved, Theo's aggression is more of a passive kind. Dunno if that's
an improvement...

> but on the other hand, he at least doesn't wreck his software with
> pointless things like redhat's crap, systemd for example, he  seems to
> prefer the keep it simple stupid approach from what I have seen. I much
> prefer security over complexity.

No argument from me there.

> I'll be honest, i like libre software, but, libre software that is
> insecure, aka redhat's bs, openssl, java, etc... is barely better than
> proprietary software.

Me first question is always: if it breaks, can me feasibly fix it? Only
if so, me's satisfied (that still means that most of BSD fails the
test, but it ain't exactly a perfect world... it has humans in it, after
all).

> unix philosophy should have been kept in linux.  Because it wasn't,
> well... Linux and GNU for that matter are going to take a hit again and
> again, till they learn their damn lessons.

Learn their lessons? They won't. Just like Theo won't (me'll be glad to
be proven wrong).

> Very few linux people have learned this lesson.  Hyperbola is the only
> one I know of that realizes linux is a dead end. I would hope you guys
> would feel honored by this fact, but oh well.

No, he's not the only one. But UNIX has become a dead end as well (me'll
spare you that rant), for different reasons.

> Either way, I do have respect for you guys. Even if you don't realize it.

Mehasn't doubted that.

--zeurkous.

-- 
Friggin' Machines!



Re: S3 Virge support on IBM T23 for 6.6

2020-04-15 Thread Riccardo Mottola
Ciao Paolo,

Paolo Aglialoro wrote:
> */usr/X11R6/lib/modules/drivers/s3_drv.la 
> /usr/X11R6/lib/modules/drivers/s3_drv.so
> /usr/X11R6/lib/modules/drivers/s3virge_drv.la 
> /usr/X11R6/lib/modules/drivers/s3virge_drv.so
> /usr/X11R6/man/man4/s3.4
> /usr/X11R6/man/man4/s3virge.4*
>
> are being deleted as "retired". Does this mean that my IBM T23 will stop
> its X-life at 6.5 or is its S3 Virge video card supported in some other
> decent way (VESA or whatever)? I would be glad to know it *before* trying
> this upgrade.
>
> If the sad answer would be "no more support", could I ask why this,
> together with several i686 still working boxes, would be dropped while
> other OSs aren't doing so?

I fear so. You might play with framebuffer.

the S3 Virge driver has always been problematic though, very little
maintained. I have it usable on Linux, but, you need to hack your Xorg
file and tweak some accelerations options and essentially restrict
yourself to 16bit (or 24bit without most accel, which is even worse).

Unfortunately other drivers which were perfectly working, like the
Neomagic, were culled. Sure, even older than the S3 driver, but
perfectly working.

The issue is mostly "upstream" (well.. lack thereof).

A pity indeed. Kills some old nice laptops around..


Riccardo



Re: S3 Virge support on IBM T23 for 6.6

2020-04-15 Thread Paolo Aglialoro
Thank you for the explanation, Otto.

Is this a hint that soon i386 architecture will be deprecated?
Considering that supported hw (at least graphics) is going more and more to
overlap with amd64, at the very end i386 would remain only for some
routerboards.

On Wed, Apr 15, 2020 at 8:14 PM Otto Moerbeek  wrote:

> On Wed, Apr 15, 2020 at 04:55:04PM +0200, Paolo Aglialoro wrote:
>
> > Hello,
> >
> > I read from the 6.5 to 6.6 upgrade guide that the following files:
> >
> >
> > */usr/X11R6/lib/modules/drivers/s3_drv.la 
> > /usr/X11R6/lib/modules/drivers/s3_drv.so
> > /usr/X11R6/lib/modules/drivers/s3virge_drv.la 
> > /usr/X11R6/lib/modules/drivers/s3virge_drv.so
> > /usr/X11R6/man/man4/s3.4
> > /usr/X11R6/man/man4/s3virge.4*
> >
> > are being deleted as "retired". Does this mean that my IBM T23 will stop
> > its X-life at 6.5 or is its S3 Virge video card supported in some other
> > decent way (VESA or whatever)? I would be glad to know it *before* trying
> > this upgrade.
> >
> > If the sad answer would be "no more support", could I ask why this,
> > together with several i686 still working boxes, would be dropped while
> > other OSs aren't doing so?
> >
> > Thanks
>
>
>
> http://cvsweb.openbsd.org/xenocara/driver/Makefile?rev=1.74&content-type=text/x-cvsweb-markup
>
> explains it:
>
> "Unlink a number of old video drivers from the build.
>
> The corresponding hardware is out of date, barely useable
> with modern systems and their code is not maintained.
> ok sthen@"
>
> We have a very limited number of volunteers. In general, code is a
> liability, not an asset. What other OS maintainers do is their choice.
>
> -Otto
>


Unbound Notice: "sendto failed: No buffer space available"

2020-04-15 Thread Ben
PROBLEM: only one specific device continuously triggers Unbound notice
VERSION: OpenBSD 6.6
FLAVOR: stable
LATEST PATCH: "024: SECURITY FIX: April 7, 2020"
DMESG: attached as "dmesg.txt"
UNBOUND LOG: attached as "unbound.log"


Dear community.

After studying what I could find on this topic, it seems that I am
unable to understand what my problem exactly is. In hope you might set
some light on this for me.

I have exactly one device - an Apple smartphone - within one of the
subnets, that Unbound is not able to send "some" data. The log tells us
"sendto failed: No buffer space available". Beside the error message,
the device seems to work without any issues. It gets its DNS queries
resolved. And it is the only device triggering this unbound behaviour.


WHAT HAS BEEN DONE SO FAR:

(1) Ping from router to device is possible

(2) login.conf
unbound:\
:openfiles=2048:\

(3) sysctl.conf
kern.bufcachepercent=80
net.inet.udp.recvspace=655360
net.inet.udp.sendspace=655360

(4) pf.conf
bnd_flows = "1024"
bnd_qlimit = "1024"
# respective queue where the traffic from router to device should pass
queue int_guests parent int_ingress bandwidth $int_guests max
$int_guests_max flows $bnd_flows qlimit $bnd_qlimit


As experts may already suspect, the listed changes are wild guesses not
understanding the core of the issue.

Any suggestions?

Cheers.

Ben

broken link on openssh/legacy.html

2020-04-15 Thread Alex Naumov
Hello,

there is one broken link on the openssh/legacy.html page:
OSSH -> ftp://ftp.pdc.kth.se/pub/krypto/ossh/

Cheers,
Alex


Useful cwm patch [was: When will be created a great desktop experience for OpenBSD?]

2020-04-15 Thread Dumitru Moldovan

On Tue, Oct 29, 2019 at 10:43:26AM +0100, Walter Alejandro Iglesias wrote:

> I like cwm(1) but it's still a bit green and isn't getting enough
> attention, I had to insist to get this first patch committed:
>
>  https://marc.info/?l=openbsd-tech&m=149182817427598&w=2
>
> This second one is still pending (no response from the maintainer so
> far):
>
>  https://marc.info/?l=openbsd-tech&m=155931484124288&w=2


Apologies for resurrecting a dead and buried thread, but this second
patch is actually really useful.  Have tested it for a few months as a
single patch to my 6.6 cwm, it works so good I actually forgot about it.

CC'ing cwm maintainer in the hope he'll consider it.  Thanks!



MultiPath / ADD_PATH for bgpd

2020-04-15 Thread Richard Chivers
Hi,

Just wondering if anyone can help.

I saw back in late 2018 that there were some initial plans for ADD_PATH and
Multipath in bgpd, it was in a list on a slide right after the portable
version. https://youtu.be/4gOoPxGKKjA?t=1500

Does anyone know if there are still plans in this area, or if there has
been any progress, we are really interested to explore using this in a
project we are working on, and just keen to understand if it may be coming?

Thanks

Richard


Traffic inspection with relayd

2020-04-15 Thread Cornelius Jubjub
Hello all,

First off, I hope everyone is staying happy, healthy and sane in these
difficult times.

I've been working on a little side project involving some IoT devices
and I'm in the need of a HTTPS MITM proxy so I can do some traffic
analysis. I'm running OpenBSD 6.6 as my firewall at home doing NAT and
providing some other network plumbing (great term btw!). I have been
exploring relayd to do this intercept on the firewall. Currently I have
this config for a tls proxy:

log connection

http protocol httpfilter {
    return error
    pass
    match url log

    tls ca key "/etc/ssl/private/ca.key" password "stinkbutt"
    tls ca cert "/etc/ssl/ca.crt"
}

relay tlsmitm {
    listen on 127.0.0.1 port 8443 tls
    protocol httpfilter
    forward with tls to destination
}

EOF

The issues I'm having are twofold, first off I can't, for the life of
me get anything to appear in the log (/var/log/daemon) except for the
usual daemon start and stops. Secondly, I'd really like to dump all of
the traffic à la tcpdump but I don't really see a place to do so (no
unencrypted data passes through an interface AFAIK).

I'm hoping someone might be able to steer me in the right direction
and maybe let me know if I'm using the wrong tool for the job.

Thank you,

CJ



Re: Switchable graphics intel/ati - Fatal error during GPU init

2020-04-15 Thread Riccardo Mottola
Hi!

Hemno Sapients wrote:
>> If I try to run X11, it does not even attempt radeon and simply runs on
>> intel i965.
>>
>> Am I missing some firmware? "fw_update" did not download me anything new.
>> Or... some other "trick" ?
>>
>> Thanks,
>>
>> Riccardo
>>
> I don't think OpenBSD's build of X.Org supports PRIME.
>

by PRIME you mean this dual-GPU setup, an integrated and a discrete one?

I don't expect the dirty tricks of using both at the same time (special
HP drivers attempt this and it goes havoc on windows too)

Just when I know I have the laptop plugged in power, I'd like to start
X11 on the faster graphics. Even a reboot is perfectly fine for me.

I notice the error already in the console - so the issue is not X.Org,
but in DRM itself, not while loading X.org


Riccardo



Re: S3 Virge support on IBM T23 for 6.6

2020-04-15 Thread Otto Moerbeek
On Wed, Apr 15, 2020 at 04:55:04PM +0200, Paolo Aglialoro wrote:

> Hello,
> 
> I read from the 6.5 to 6.6 upgrade guide that the following files:
> 
> 
> */usr/X11R6/lib/modules/drivers/s3_drv.la 
> /usr/X11R6/lib/modules/drivers/s3_drv.so
> /usr/X11R6/lib/modules/drivers/s3virge_drv.la 
> /usr/X11R6/lib/modules/drivers/s3virge_drv.so
> /usr/X11R6/man/man4/s3.4
> /usr/X11R6/man/man4/s3virge.4*
> 
> are being deleted as "retired". Does this mean that my IBM T23 will stop
> its X-life at 6.5 or is its S3 Virge video card supported in some other
> decent way (VESA or whatever)? I would be glad to know it *before* trying
> this upgrade.
> 
> If the sad answer would be "no more support", could I ask why this,
> together with several i686 still working boxes, would be dropped while
> other OSs aren't doing so?
> 
> Thanks


http://cvsweb.openbsd.org/xenocara/driver/Makefile?rev=1.74&content-type=text/x-cvsweb-markup

explains it:

"Unlink a number of old video drivers from the build.

The corresponding hardware is out of date, barely useable
with modern systems and their code is not maintained.
ok sthen@"

We have a very limited number of volunteers. In general, code is a
liability, not an asset. What other OS maintainers do is their choice.

-Otto



Re: WLAN throughput less 10Mb/s

2020-04-15 Thread Stefan Sperling
On Wed, Apr 15, 2020 at 06:45:26AM -0700, 0x6d6174 wrote:
> Hi everyone.
> 
> I'm running also an APU2 board with an Atheros wlan chipset:
> 
> athn0 at pci5 dev 0 function 0 "Atheros AR9281" rev 0x01: apic 5 int 16
> athn0: AR9280 rev 2 (2T2R), ROM rev 22, address XX:XX:XX:XX:XX:XX
> 
> I also used an ALIX board with an Atheros wlan chipset (AR9280).
> From OpenBSD 6.0 to 6.6 (-stable) (iirc OpenBSD 5.9 had a slightly better
> performance) the wlan performance didn't change for me. 
> 
> I use the following test setup:
> 
> PC <---   100mbps / 1gbps lan ---> ALIX / APU2 board <--- Atheros wlan --->
> Notebook
> 
> # cat /etc/hostname.athn0
> media autoselect mode 11g mediaopt hostap chan 3
> nwid test wpa wpakey wpasecret
> wpaprotos wpa2 wpaciphers ccmp wpagroupcipher ccmp powersave
> up
> 
> 
> For simplicity I disable pf and use a bridge interface that uses the lan and
> wlan interfaces. Also I always send files with scp from my PC to my notebook
> for performance measurements.

Thanks, this is interesting.

Can you try your test again without WPA?
OpenBSD's athn(4) driver does not offload crypto to hardware yet.
I suspect this explains your observations below.

> The ALIX board has a wlan throughput of about 2.4 - 3.2 mbps while the APU2
> has a wlan throughput of about 12 - 14 mbps. I noticed by running top -S,
> that if I transfer lets say a 1000MB file, then for both boards softnet has
> a CPU usage of 100%, thus I suspected that the wlan bandwidth for an Atheros
> chip correlates to the CPU usage of softnet (because the APU2 board has a
> better CPU it has a higher wlan throughput). If I send a 1000MB file from
> one lan interface to another lan interface, then softnet has a CPU usage of
> about 20% and the file transfer has a throughput of almost 1gbps. Thus I
> suspect the high CPU usage of softnet has something to do with the TX
> performance of the atheros driver implementation.
> 
> For a quick test I enabled pf and used traffic shaping to reduce the wlan
> throughput:
> queue std on "athn0" bandwidth 5M max 10M default
> 
> Now when I transfer a file softnet has a CPU usage of about 70-73% for the
> APU2 board (the wlan throughput is about 10 - 11 mbps).
> 
> Also I found an interesting performance report, that pfSense could reach
> about 90 mbps with the same hardware that I have (APU2 board with the same
> wlan card) see [1], unfortunately I don't have the time to verify it. If
> that's true, then the next step I want to do is a diff of the driver
> implementations and hopefully understand why pfSense has a much higher
> throughput.
> 
> [1]
> https://teklager.se/en/knowledge-base/compex-wle200nx-wle600vx-benchmark/
> 
> best regards,
> Mat
> 
> 
> 



Re: Reduce attack surface - Tomcat and guacamole...

2020-04-15 Thread Stuart Henderson
On 2020-04-14, Steve Williams  wrote:
> Guacamole (I believe) needs to run under something like tomcat to serve 
> up the java war file & application.

I looked at this before - it also requires guacamole-server to be built
(written in C), it requires mutexes shared between different processes
(pthread_mutexattr_setpshared(foo, PTHREAD_PROCESS_SHARED) which
isn't supported in OpenBSD's thread library.

But what you can do is run guacamole elsewhere and have a reverse http
proxy running on OpenBSD doing http auth and feeding connections across.

> So, I was thinking of using some form of authpf to open up pf rules when 
> I needed to access systems remotely.
>
> But, I don't want to open up Tomcat to the world when I'm using 
> guacamole, so is it possible to have authpf tweak pf rules so that the 
> originating IP address of the ssh session would be the only one that 
> could access Tomcat?

That is exactly what authpf normally does anyway.

> I was thinking even httpd in front of tomcat with httpd authentication, 
> but that doesn't seem to make sense to me at a high level.
>
> I was looking at relayd but it doesn't seen to have any authentication 
> mechanism built in.

httpd can't proxy connections to another http server. relayd can but as
you say doesn't have a way to add http authentication. You can do this
with nginx, haproxy or Apache httpd though.
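
The authpf behaviour described in the reply above, as an added example that is not part of the original message or of any poster's configuration. It goes beyond the reply by also redirecting the permitted connection to the host running Tomcat; the address 192.0.2.10, the ports 8443 and 8080 and the account name "steve" are constructed placeholders.

```conf
# /etc/pf.conf on the OpenBSD firewall (excerpt)
block in log on egress                                  # default deny from the Internet
pass in on egress inet proto tcp to (egress) port ssh   # authpf users log in here
anchor "authpf/*"                                       # per-session rules attach here

# /etc/authpf/authpf.rules
# authpf(8) loads this file into its own anchor when an authpf user logs
# in over ssh and removes the rules when that ssh session ends. It
# predefines $user_ip (source address of the ssh session) and $user_id
# (login name). The values below are constructed for this example.
guac_host = "192.0.2.10"    # placeholder: host running Tomcat/Guacamole
guac_port = "8080"          # placeholder: Tomcat listener
pass in quick on egress inet proto tcp from $user_ip to (egress) port 8443 \
    rdr-to $guac_host port $guac_port

# One-time setup, run as root ("steve" is a placeholder account):
#   touch /etc/authpf/authpf.conf        # authpf will not run without this file
#   usermod -s /usr/sbin/authpf steve    # the ssh login shell becomes authpf
#
# Check while the ssh session is open:
#   pfctl -t authpf_users -T show        # lists the session's source address
# After logout the address is removed and port 8443 is blocked again.
```

Only the address the ssh session came from matches the pass rule, so every other source still hits the default block on egress.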




S3 Virge support on IBM T23 for 6.6

2020-04-15 Thread Paolo Aglialoro
Hello,

I read from the 6.5 to 6.6 upgrade guide that the following files:


*/usr/X11R6/lib/modules/drivers/s3_drv.la 
/usr/X11R6/lib/modules/drivers/s3_drv.so
/usr/X11R6/lib/modules/drivers/s3virge_drv.la 
/usr/X11R6/lib/modules/drivers/s3virge_drv.so
/usr/X11R6/man/man4/s3.4
/usr/X11R6/man/man4/s3virge.4*

are being deleted as "retired". Does this mean that my IBM T23 will stop
its X-life at 6.5 or is its S3 Virge video card supported in some other
decent way (VESA or whatever)? I would be glad to know it *before* trying
this upgrade.

If the sad answer would be "no more support", could I ask why this,
together with several i686 still working boxes, would be dropped while
other OSs aren't doing so?

Thanks


Re: WLAN throughput less 10Mb/s

2020-04-15 Thread 0x6d6174
Hi everyone.

I'm running also an APU2 board with an Atheros wlan chipset:

athn0 at pci5 dev 0 function 0 "Atheros AR9281" rev 0x01: apic 5 int 16
athn0: AR9280 rev 2 (2T2R), ROM rev 22, address XX:XX:XX:XX:XX:XX

I also used an ALIX board with an Atheros wlan chipset (AR9280).
From OpenBSD 6.0 to 6.6 (-stable) (iirc OpenBSD 5.9 had a slightly better
performance) the wlan performance didn't change for me. 

I use the following test setup:

PC <---   100mbps / 1gbps lan ---> ALIX / APU2 board <--- Atheros wlan --->
Notebook

# cat /etc/hostname.athn0
media autoselect mode 11g mediaopt hostap chan 3
nwid test wpa wpakey wpasecret
wpaprotos wpa2 wpaciphers ccmp wpagroupcipher ccmp powersave
up


For simplicity I disable pf and use a bridge interface that uses the lan and
wlan interfaces. Also I always send files with scp from my PC to my notebook
for performance measurements.

The ALIX board has a wlan throughput of about 2.4 - 3.2 mbps while the APU2
has a wlan throughput of about 12 - 14 mbps. I noticed by running top -S,
that if I transfer lets say a 1000MB file, then for both boards softnet has
a CPU usage of 100%, thus I suspected that the wlan bandwidth for an Atheros
chip correlates to the CPU usage of softnet (because the APU2 board has a
better CPU it has a higher wlan throughput). If I send a 1000MB file from
one lan interface to another lan interface, then softnet has a CPU usage of
about 20% and the file transfer has a throughput of almost 1gbps. Thus I
suspect the high CPU usage of softnet has something to do with the TX
performance of the atheros driver implementation.

For a quick test I enabled pf and used traffic shaping to reduce the wlan
throughput:
queue std on "athn0" bandwidth 5M max 10M default

Now when I transfer a file softnet has a CPU usage of about 70-73% for the
APU2 board (the wlan throughput is about 10 - 11 mbps).

Also I found an interesting performance report, that pfSense could reach
about 90 mbps with the same hardware that I have (APU2 board with the same
wlan card) see [1], unfortunately I don't have the time to verify it. If
that's true, then the next step I want to do is a diff of the driver
implementations and hopefully understand why pfSense has a much higher
throughput.

[1]
https://teklager.se/en/knowledge-base/compex-wle200nx-wle600vx-benchmark/

best regards,
Mat






Re: OpenBSD and Banana PI or armv7 in general

2020-04-15 Thread Mihai Popescu
try a...@openbsd.org list


OpenBSD and Banana PI or armv7 in general

2020-04-15 Thread jeanfrancois

Good day folks,


I have successfully installed and configured a Beagle Bone Black,
and using the GPIO on it, though it has to be configured in lower
userlevel; We plan to implement a small utility using a Banana
PI in the future.

A few insights could be helpful, is this a work in progress or
has a good support already, checked the f.a.q., is gpio functional
(assuming yes but not listed) ?

Does "halt -p" function, would you recommend this soc for new
projects ie mature enough or may be a more relevant choice in
armv7 ?

Regards,

Jean-François Simon



Re: Reduce attack surface - Tomcat and guacamole...

2020-04-15 Thread Sriram Narayanan
On Wed, 15 Apr 2020 at 11:56 AM, Steve Williams <
st...@williamsitconsulting.com> wrote:

>
>
> On 14/04/2020 4:13 p.m., Sriram Narayanan wrote:
>
>
>
> On Wed, 15 Apr 2020 at 6:03 AM, Steve Williams <
> st...@williamsitconsulting.com> wrote:
>
>> Hi,
>>
>> For a R&D project, I am trying to get guacamole working to be able to
>> access systems on my home network remotely.
>>
>> Guacamole (I believe) needs to run under something like tomcat to serve
>> up the java war file & application.
>>
>> I really don't want to have Tomcat exposed to the Internet without some
>> kind of authentication in front of it.
>>
>> I was thinking of running Tomcat bound to localhost and using pf to
>> redirect to it, but that doesn't add any security.
>>
>> So, I was thinking of using some form of authpf to open up pf rules when
>> I needed to access systems remotely.
>>
>> But, I don't want to open up Tomcat to the world when I'm using
>> guacamole, so is it possible to have authpf tweak pf rules so that the
>> originating IP address of the ssh session would be the only one that
>> could access Tomcat?
>>
>> Is there something better that could be done?
>>
>> I was thinking even httpd in front of tomcat with httpd authentication,
>> but that doesn't seem to make sense to me at a high level.
>>
>> I was looking at relayd but it doesn't seem to have any authentication
>> mechanism built in.
>>
>> Does anyone have some inspiration on how to provide a level of security
>> before packets even hit Tomcat?
>
>
> I suggest a VPN or Tomcat client cert auth on a non standard high port
> (to reduce the noise from standard scans).
>
> — Ram
>
>
> Hi,
>
> The VPN doesn't work as I won't always have my own computer with me.  I am
> mobile, so sometimes a client's office where the network is locked down and
> I cannot use my own laptop.
>
> For similar reasons, using a non standard high port won't necessarily
> work from a client's office.  Additionally, I am trying to not expose
> Tomcat directly to the Internet and I don't really believe in security
> through obscurity (non standard high port).
>

Then consider adding MFA to httpd (over TLS) which will act as a reverse
proxy to the Tomcat instance. Your MFA could be a combination of password
and some HMAC system that has a server and mobile side component (Authy).

I haven’t tried the server side config on OpenBSD, so you’ll need to figure
out whether such modules build.

Ram



>
> Thanks for the input!
>
> Cheers,
> Steve W.
>


Re: Reduce attack surface - Tomcat and guacamole...

2020-04-15 Thread Robert Degen
Hi,

If I understand right, think about putting an apache or nginx webserver in
front, let it terminate the SSL connection including some authentication, for
example client certificates or at least http basic auth.

Then, as you said, let the tomcat/jboss/whatever servlet container bind against
loopback and configure the apache/nginx to proxy-forward or better AJP-proxy to
the local service.

That should be a pretty common setup.

I use this setup even with Let's Encrypt SSL certs - but I use the non-default
DNS verification because I don't want to open up the webserver while
configuring it. You will need a customizable DNS for this, not necessarily on
the hosts' ISP network, but a full DNS somewhere.

Out of experience I do active blocking of full IP ranges due to massive
try/error brute force guessing attacks. This may not be the "right" way, but
when the target audience is restricted anyways this reduces "noise" like a lot.

If you're unfamiliar with all this hosting stuff, you should definitely
consider using a managed service. There are affordable commercial hosting
services available where you upload your WAR file and go... you gotta look for
"managed java hosting" or similar. It really does save time if the environment
fits what you need. If you don't have much experience the do-it-yourself way is
expensive and can end in disaster easily, so I hope you know what you're doing
:)

br
robert



On Tue, Apr 14, 2020 at 02:40:09PM -0600, Steve Williams wrote:
> Hi,
> 
> For a R&D project, I am trying to get guacamole working to be able to access
> systems on my home network remotely.
> 
> Guacamole (I believe) needs to run under something like tomcat to serve up
> the java war file & application.
> 
> I really don't want to have Tomcat exposed to the Internet without some kind
> of authentication in front of it.
> 
> I was thinking of running Tomcat bound to localhost and using pf to redirect
> to it, but that doesn't add any security.
> 
> So, I was thinking of using some form of authpf to open up pf rules when I
> needed to access systems remotely.
> 
> But, I don't want to open up Tomcat to the world when I'm using guacamole,
> so is it possible to have authpf tweak pf rules so that the originating IP
> address of the ssh session would be the only one that could access Tomcat?
> 
> Is there something better that could be done?
> 
> I was thinking even httpd in front of tomcat with httpd authentication, but
> that doesn't seem to make sense to me at a high level.
> 
> I was looking at relayd but it doesn't seem to have any authentication
> mechanism built in.
> 
> Does anyone have some inspiration on how to provide a level of security
> before packets even hit Tomcat?
> 
> Thanks,
> Steve Williams
>
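
The layout described in the reply above (TLS and client-certificate authentication terminated on a front web server, servlet container reachable only on loopback), written out as an nginx server block. This is an added example, not configuration posted in the thread; the hostname, certificate and CA file paths, the /guacamole/ context path and the backend port 8080 are assumptions.

```nginx
# Added example (not from the thread). Hostname, file paths and port 8080
# are placeholders/assumptions.
#
# Backend side: bind the Tomcat HTTP connector to loopback only, e.g. in
# server.xml:  <Connector port="8080" address="127.0.0.1" ... />
# so the only network path to Tomcat is through this proxy.

server {
    listen 443 ssl;
    server_name guac.example.org;                     # placeholder

    # Server certificate (e.g. obtained via a DNS-based ACME challenge,
    # so no unauthenticated HTTP endpoint has to be opened for issuance).
    ssl_certificate     /etc/ssl/guac.example.org.fullchain.pem;
    ssl_certificate_key /etc/ssl/private/guac.example.org.key;

    # Client-certificate authentication: only certificates issued by this
    # private CA are accepted. A request without a valid client cert is
    # answered by nginx itself and never proxied to Tomcat.
    ssl_client_certificate /etc/ssl/guac-client-ca.pem;
    ssl_verify_client on;
    ssl_verify_depth 1;

    location /guacamole/ {
        proxy_pass http://127.0.0.1:8080;             # loopback-only backend
        proxy_buffering off;
        proxy_http_version 1.1;
        # Guacamole's tunnel uses WebSocket when available.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Do not expose anything else the servlet container may serve
    # (manager application, default pages).
    location / {
        return 404;
    }
}
```

After reloading, confirm from another host that port 8080 is not reachable and that a request to port 443 without a client certificate is refused by nginx.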