Re: TSO support and performance gain

2024-04-05 Thread mabi
On Friday, April 5th, 2024 at 8:32 PM, Jan Klemkow wrote:

> Pure sending will saturate your interface 1/10 Gbit/s. So, it depends
> on your traffic source. The receiving speed of the opposite interface
> will be the bottleneck of the em(4)/bnxt(4) sending interface. Also
> the speed of your disk, when you send local files over network.
> 
> TSO in general just helps with bulk traffic like Downloads. If your
> firewall just handles many small TCP connections, it won't help you that
> much.

Thank you both Jan and Claudio for your answers. I understand now that in my 
specific use case there is hardly any advantage.

Best,
Mabi



TSO support and performance gain

2024-04-05 Thread mabi
Hi,

First thank you for another great OpenBSD release. I just updated my home 
firewall today and was wondering about the performance of TSO support on bnxt 
and em interfaces which have been added to the 7.5 release...

Does anyone know roughly the performance gains by having TSO support on these 
NICs enabled?

Best regards,
Mabi



Re: PF rate limiting options valid for UDP?

2023-07-20 Thread mabi
--- Original Message ---
On Wednesday, July 19th, 2023 at 10:58 PM, Stuart Henderson wrote:

> For rules that pass traffic to your authoritative DNS servers,
> I don't think you need much longer than the time taken to answer a
> query. So could be quite a bit less.

Right good point, I will add custom state timeouts for this specific UDP pass 
rule on port 53.

> Usually carp/ospf will enter the state table before the machines start
> seeing large amounts of packets and stay there, which is what you would
> normally want. If the state table is full, you have more problem
> opening new connections that require state to be added than you do
> maintaining existing ones.
> 
> fwiw I typically use this on ospf+carp machines, "pass quick proto
> {carp, ospf} keep state (no-sync) set prio 7"

That's very interesting, I never realized there was a simple priority system 
ready to use in PF without the need to set up any queues. Probably the "set 
prio 7" option on OSPF+CARP pass rules will just do the trick and I will 
definitely also implement this.

> DNS server software is written with this type of traffic in mind, and
> has more information available (from inside the DNS request packet)
> to make a decision about what to do with it, than is available in a
> general-purpose packet filter like PF.
> 
> Also it stores the tracking information in data structures that have
> been chosen to make sense for this use (and common DNS servers default
> to masking on common subnet sizes, reducing the amount they have to
> store compared to tracking the full IP address).
> 
> http://man.openbsd.org/nsd.conf#rrl
> https://bind9.readthedocs.io/en/latest/reference.html#response-rate-limiting
> https://www.knot-dns.cz/docs/2.4/html/reference.html#module-rrl

Too bad I use PowerDNS, it does not seem to offer much parameters related to 
rate-limiting for UDP but for TCP I found at least max-tcp-connections. Maybe 
it's time for a change as Gabor mentions his tests in his reply (thanks btw!)...



Re: PF rate limiting options valid for UDP?

2023-07-19 Thread mabi
--- Original Message ---
On Wednesday, July 19th, 2023 at 9:32 PM, Stuart Henderson wrote:

> If PF is struggling as it is, there's a good chance it will buckle
> completely if it has to do source tracking too

That is also something I thought might be the case :|

> Did you already tweak timeouts for the rule passing UDP DNS traffic?
> Defaults are 60s/30s/60s for udp.first, udp.single and udp.multiple
> respectively, that is much too high for a very busy DNS server -
> you can set them on the specific rule itself rather than changing
> defaults for all rules. For an auth server which is expected to
> respond quickly they can be cranked way down.

Yes, this at least I did quite some time ago and I use the following 
timeout settings:

set timeout udp.first 20
set timeout udp.multiple 20
set timeout udp.single 10

Do you think I could go even lower? When I check the PF state entries during 
such a DDoS I see mostly states with the "SINGLE" state.
> (If that is still too many states, I wonder if your network might
> actually be happier if you "pass quick proto udp to $server port 53 no
> state" and "pass quick proto udp from $server port 53 no state" right at
> the top of the ruleset).

That's actually an excellent idea to bypass PF states and hence consume fewer 
resources... Next thing to try out. I was also thinking I should use "no state" 
with CARP and OSPF rules in pf.conf so that in case the PF state table is full 
it does not prevent such important protocols from functioning. What do you 
think, would that also work?

> Are you already using your DNS server's response rate limiting features?

Not yet, as I still believe I should stop as much as possible such traffic at 
the firewall before it even reaches the network behind my firewall. So at the 
software/daemon/service level it would be my last line of defense.



Re: PF rate limiting options valid for UDP?

2023-07-19 Thread mabi
--- Original Message ---
On Wednesday, July 19th, 2023 at 12:40 PM, Stuart Henderson wrote:

> I don't think you understood what I wrote then - they are the
> opposite of helpful here.

No, I do understand what you wrote but I should have explained my case in more 
detail. Behind my OpenBSD firewall I have two authoritative DNS servers and 
because of recent DDoS originating from >12k IPs against UDP port 53 on these 
two servers the whole network behind the firewall becomes unresponsive or has 
high packet loss because there are over 2 million states in the PF state table 
during the attack. So in my specific case I don't care that Cloudflare or other 
external DNS servers cannot query my authoritative DNS servers for a few 
seconds or minutes but I do care a lot that the whole rest of my network and 
the servers behind the OpenBSD firewall stay responsive. It's a trade-off I can 
totally accept and welcome. Furthermore when I have so many state entries due 
to a DDoS on UDP port 53, CARP breaks as well as the OSPF sessions with my 
border routers because they cannot communicate properly within the defined 
timeouts.



Re: PF rate limiting options valid for UDP?

2023-07-19 Thread mabi
--- Original Message ---
On Tuesday, July 18th, 2023 at 10:59 PM, Stuart Henderson wrote:

> PF's state-tracking options are only for TCP. (Blocking an IP
> based on number of connections from easily spoofed UDP is a good
> way to let third parties prevent your machine from communicating
> with IPs that may well get in the way i.e. trigger a "self DoS").

What a pity, these kinds of rate limiting options for UDP would have been 
quite useful.

> You may be interested in looking into L7 methods of mitigating
> problems from high rates of DNS queries - for example dnsdist
> allows a lot of flexibility in this area.

Thanks for the hint about dnsdist, it looks powerful. Still whenever possible I 
would rather avoid having an extra piece of software and instead have that 
traffic controlled more upstream so ideally on the firewall directly.



PF rate limiting options valid for UDP?

2023-07-18 Thread mabi
Hello,

From the following documentation, I am trying to figure out which PF tracking 
options are also valid for UDP but unfortunately it is not quite clear to me: 

https://man.openbsd.org/pf.conf.5#Stateful_Tracking_Options

My goal would be to add rate limiting options to a PF UDP pass rule in order 
to limit DDoS/DoS attacks on port 53.

Interesting would be especially the "max-src-states" option. Is this option 
also valid for UDP?

Is it also possible to use the "overload" option with UDP in order to add 
source IPs into a table of attackers which I will then block?

That would be for an OpenBSD 7.3 firewall.

Best regards,
Mabi
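To tie together the suggestions made in this thread (per-rule UDP timeouts, "no state" plus "set prio" for CARP/OSPF, TCP-only source tracking with an overload table) and the adaptive syncookie setting from the later thread on this page, here is a pf.conf fragment added as an example; it is not mabi's or Stuart's configuration. The interface names, server addresses, table name, rate numbers and the 1,000,000 state limit are assumptions.

```pf
# Added example, not a configuration from the thread: interface names,
# addresses, table name, rate numbers and the state limit are assumed.
ext_if = "em0"
int_if = "em1"
dns_servers = "{ 192.0.2.10, 192.0.2.11 }"   # authoritative servers behind the fw

# Sources that abuse TCP/53 end up here. PF can only do this safely for TCP,
# because a spoofed UDP source would let a third party get arbitrary addresses
# (including legitimate resolvers) blocked.
table <dns_abusers> persist

set limit states 1000000
# 4% of the state limit = 40000 half-open TCP states switches syncookies on,
# 3% = 30000 switches them off again.
set syncookies adaptive (start 4%, end 3%)

# CARP and OSPF must keep working even when the state table is full: no state
# for them, and the highest priority so they are not queued behind attack
# traffic. "pass" without in/out matches both directions, which a stateless
# rule needs.
pass quick on { $ext_if $int_if } proto { carp, ospf } no state set prio 7

# Block table members before any pass rule can create a state for them.
block in quick on $ext_if from <dns_abusers>

# UDP queries to the authoritative servers: keep state, but with timeouts far
# below the 60s/30s/60s defaults, since an authoritative server answers at once.
pass in quick on $ext_if proto udp to $dns_servers port 53 \
    keep state (udp.first 5, udp.single 5, udp.multiple 5)

# Alternative from the thread if the state table still fills up: no state at
# all for DNS over UDP. Both directions then need their own rule.
# pass quick proto udp to   $dns_servers port 53 no state
# pass quick proto udp from $dns_servers port 53 no state

# TCP/53 (zone transfers, retries after truncated answers): here the
# source-tracking options are safe, because the three-way handshake makes
# blind spoofing impractical.
pass in quick on $ext_if proto tcp to $dns_servers port 53 \
    flags S/SA keep state \
    (max-src-conn 20, max-src-conn-rate 30/10, overload <dns_abusers> flush global)
```

Check the result with "pfctl -nf /etc/pf.conf" before loading it, and watch "pfctl -si" (half-open tcp, current entries) and "pfctl -t dns_abusers -T show" during the next attack.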



Re: carp status master on both firewalls

2023-04-14 Thread mabi
--- Original Message ---
On Friday, April 14th, 2023 at 7:14 AM, Janne Johansson wrote:

> Not impossible to have switches(*) that dislike/filter/bug on
> multicast too I guess, so I would suggest rigging the carps up (at
> least temporary) with carppeer against the "real" ip of the remote
> ext_if to make carp use normal unicast ip for sync and just see if it
> helps. If it does, it is related to the boxes ability to talk
> multicast and you would have to either stick with carppeer setup, or
> "fix" the multicast issue, which can be hard to pin down where exactly
> it is.

Thank you Janne for pointing out the switch. I would have never thought about 
that. So indeed, I just upgraded my Cisco Catalyst 2960L switch to the latest 
IOS version of 2022 and now the 2nd firewall correctly reports backup as 
status. I was running an IOS version from 2018. Strangely enough both firewalls 
are connected to that switch with both carp0 to the public VLAN and both carp1 
to the private VLAN so I would have expected the same odd double master status 
on both carp interfaces and not just on carp0. But anyway it works now.



Re: carp status master on both firewalls

2023-04-14 Thread mabi
--- Original Message ---
On Friday, April 14th, 2023 at 10:50 AM, Markus Wernig wrote:

Thank you Markus for your answer, as mentioned to Janne the switch was the 
problem. For the sake of documenting it I answered your questions below.

> - Do the two fw actually have a link on their carp0 carpdev interfaces?

Yes.

> If both are master, both should be sending out CARP advertisements, so
> I'd try to run tcpdump on both external interfaces and look for those:
> tcpdump -n -e -i carp0 proto carp

I did that yesterday and for both firewalls I could see the CARPv2 
advertisements.

> - Did you enable CARP preemption? Try setting these via sysctl:
> net.inet.carp.preempt=1
> net.inet.carp.log=3

I have CARP preemption enabled but my carp log level is 2 and not 3.

> - In your config one fw has carpdev em2, the other carpdev em0. Could be
> OK, or could be an error.

Well spotted but indeed it is correct, both firewalls have different hardware 
and the first interface on the first firewall is em2 whereas on the 2nd 
firewall it is em0.



carp status master on both firewalls

2023-04-13 Thread mabi
Hello,

I am running two OpenBSD 7.3 firewalls with pfsync and CARP for redundancy and 
have one carp interface carp0 for the public internet and one carp interface 
carp1 for my private (NAT) internal network. The private carp interface has 
status master on the first firewall and status backup on the 2nd firewall so 
all good here but for my external carp interface both firewalls show master as 
status so I suspect I have something wrong here in my config or it is a bug.

The config is below for reference:

/etc/hostname.carp0 on fw1

inet x.x.x.114 255.255.255.240 x.x.x.127 vhid 40 carpdev em2 pass password advskew 1
inet alias x.x.x.115 0xfff0
inet alias x.x.x.116 0xfff0

/etc/hostname.carp0 on fw2

inet x.x.x.114 255.255.255.240 x.x.x.127 vhid 40 carpdev em0 pass password advskew 128
inet alias x.x.x.115 0xfff0
inet alias x.x.x.116 0xfff0

On both firewalls I have added the following in /etc/pf.conf:

pass on { $ext_if $int_if } proto carp keep state (no-sync)

Did anyone already encounter this issue or has any idea what might be wrong?

Best regards,
Mabi



reboot after kernel panic on 7.2

2023-03-05 Thread mabi
Hello

Is it possible to have OpenBSD 7.2 automatically reboot after a kernel panic 
happens?

I tried setting: 

ddb.panic=0

but it does not reboot automatically.

As I am affected by the pfsync issue which leads to a kernel panic on OpenBSD 
7.2, I would like the firewall to reboot as soon as this happens.

Best,
Mabi



Re: pf adaptive syncookie

2020-12-19 Thread mabi
‐‐‐ Original Message ‐‐‐
On Friday, December 18, 2020 6:13 PM, Stuart Henderson wrote:

> And if it's anything like when I try it, you'll see some TCP connections
> failing when it is active too. Not everything fails. but e.g. if I have
> "set syncookies always" on a router, and run "ftp -o- http://www.facebook.com/"
> from a machine behind it, it fails every time (it appears to connect
> immediately, but of course that's just syncookies - I never get a response
> after making a request over it until I disable syncookies again).
> In that case where syncookies are active but things are failing I see
> PROXY and SYN_SENT states in pfctl -ss e.g.
>
> all tcp 157.240.221.35:80 <- 82.68.199.130:16476 PROXY:DST
> all tcp 82.68.199.130:16476 -> 157.240.221.35:80 SYN_SENT:CLOSED
>
> So I strongly recommend trying it with 'always' and see if things are
> broken for you. Otherwise if you set 'adaptive' you may get an unpleasant
> surprise sometime maybe much later when they do actually trigger.

Thanks for the tip. I just tried it on my OpenBSD 6.7 firewall at home and 
exactly as you say I can't connect to facebook.com anymore (same for 
instagram.com). This is really weird, do you have any idea why? Is it a bug in 
the implementation of syncookies in OpenBSD or is facebook.com doing weird 
things with TCP?



Re: pf adaptive syncookie

2020-12-18 Thread mabi
‐‐‐ Original Message ‐‐‐
On Friday, December 18, 2020 10:48 AM, Stuart Henderson wrote:

> It's something like "what % of max allowed states is half-open tcp".
> Watch out as there are some bugs in this area, definitely the
> accounting of half-open connections can be wildly off sometimes
> (triggering adaptive syncookies when they shouldn't really be triggered)
> and I think also with the behaviour when they're active, I have had
> it trigger spuriously and then a bunch of connections failing when
> triggered, so monitor it carefully if you enable this.

Thank you for your precisions.

This means that if I want to start using syncookies when I have over 40'000 
half-open tcp states and stop using it when it is back down to 30'000 half-open 
tcp states I would use the following pf.conf parameter:

set syncookies adaptive (start 4%, end 3%)

Note that my max allowed states is set to 1'000'000.

I guess this is better even if somehow imprecise than having syncookies set to 
"always"...

What is the best way to monitor the usage of adaptive syncookies? In the output 
of "pfctl -si" I don't see any relevant metric for syncookies.



pf adaptive syncookie

2020-12-18 Thread mabi
Hi,

I see quite some syn flood packets on my OpenBSD firewall filling up the state 
table for nothing. So I thought let's try the pf's adaptive syncookies. I am 
just not quite sure what the percentage used by start and stop relate to.

In the pf.conf man page the following is written:

"pf will enable syncookie mode when a given percentage of the state table is 
used up by half-open TCP connections..."

That "given percentage" does it compare the "half-open tcp" value of the state 
table (as seen in "pfctl -si") with the amount of "current entries" in the 
state table? or does it compare it with the limit of maximum states I have 
defined in my pf.conf (value of "set limit states") ?

Thank you in advance for any precisions.

Regards,
Mabi



Re: limit UDP connection rate with PF pass rule

2020-11-18 Thread mabi
‐‐‐ Original Message ‐‐‐
On Tuesday, November 17, 2020 11:50 PM, Stuart Henderson wrote:

> These packets are most likely sent from spoofed source addresses.
>
> Assuming this is the case, the address you are seeing on the packets
> would not be the attacker but the victim.

That totally makes sense because why would google be sending me all these DNS 
packets from different IP addresses from their network.

Here is an example packet which was logged by Bro (now called Zeek) on my 
NSM; there are tons of these during a time window of 3 minutes:

{"ts":"2020-11-17T14:02:00.059396Z","uid":"CD5YJQ2eVZKX6bhyoj","id.orig_h":"74.125.18.1","id.orig_p":51423,"id.resp_h":"","id.resp_p":53,"proto":"udp","trans_id":39451,"rcode":3,"rcode_name":"NXDOMAIN","AA":false,"TC":false,"RD":false,"RA":false,"Z":0,"rejected":false}

> PF doesn't support this type of request rate limiting on UDP
> connections. It's a bit dangerous to do so because in many cases it's
> trivial to spoof UDP packets and blocking packets from a source on the
> basis of this can result in you DoS'ing yourself. This isn't such a
> problem with TCP because only someone on the network path between
> you and the supposed source address (i.e. someone with access to
> the ACK packets) is likely to be able to successfully spoof packets.

I understand and that's what I thought. So there is not much point in me trying 
to add "max-src-states 10" for example to my pass in rule for DNS UDP traffic 
to my DNS servers.


> To mitigate this you might like to read the manual for your
> authoritative nameserver software about RRL (response rate limiting),
> many support it directly (including BIND and NSD), if not then you could
> front-end with something that can handle it itself like dnsdist.
>
> The DNS RRL techniques typically still reply to a proportion of queries
> (either directly with the answer, or with a "retry over TCP" response
> code) reducing impact if the source IP is also used by real queries as
> well as the attack traffic.

I've been looking into that in the past and as I am using PowerDNS 4.0.3 the 
only valid config parameters I could find and which I already have in place are 
the following:

overload-queue-length=1
max-tcp-connections=5

There is as far as I know no such parameter as "max-udp-connections".



limit UDP connection rate with PF pass rule

2020-11-17 Thread mabi
Hello,

On my DNS authoritative servers which are behind an OpenBSD 6.6 firewall I just 
saw some weird UDP high volume traffic on port 53 of these DNS servers coming 
from Google (e.g. 74.125.18.1 or 172.253.214.111).

These few IPs generated around 5200 requests/second on my DNS servers so I was 
wondering if one can also limit the rate of requests in PF on UDP traffic such 
as can be done with TCP (using max-src-nodes, max-src-conn, etc)?

Looking at the documentation (https://www.openbsd.org/faq/pf/filter.html) it 
only mentions TCP. So I deduce that it is simply not possible to somehow limit 
the rate of UDP connections with PF, am I right here?

Regards,
Mabi



Re: fw_update issue with colon in URL

2020-07-16 Thread mabi
‐‐‐ Original Message ‐‐‐
On Wednesday, July 15, 2020 12:49 PM, Theo Buehler wrote:

> One server had an incorrect config. This should be fixed now.

Thanks for your notification, so I didn't go mad ;) I can confirm, it works 
like a charm. Thanks again for fixing!



fw_update issue with colon in URL

2020-07-14 Thread mabi
Hello,

I just updated from 6.6 to 6.7 and the fw_update part failed so I tried to run 
it manually and get:

$ sudo fw_update -n
http://firmware.openbsd.org/firmware/6.7/: no such dir
Couldn't find updates for intel-firmware-20191115v0

It looks like I have a colon ":" at the end of the URL which of course makes 
the URL invalid. Now how could this happen? and in which file do I fix that?

Regards,
Mabi



Re: msyscall error during boot

2020-07-10 Thread mabi
‐‐‐ Original Message ‐‐‐
On Friday, July 10, 2020 10:18 PM, Jurjen Oskam wrote:

> Did you update your packages? I ran into the same issue when I forgot to
> update the packages after upgrading the system.

Yes, I did run a "pkg_add -u". I have found more details and actually it is the 
"rake" command, part of ruby-2.5.8, which outputs this error message at boot 
because I am starting a Ruby rack web server for an API using the "rake" 
command in /etc/rc.local.



msyscall error during boot

2020-07-09 Thread mabi
Hello,

I just upgraded one of my vmd virtual machines from OpenBSD 6.6 to 6.7 using 
sysupgrade and noticed a new msyscall error message I have never seen before 
during reboot, as you can see below:

...
preserving editor files.
starting network daemons: sshd smtpd httpd.
starting package daemons: dovecot postgresql php72_fpm netsnmpd.
msyscall a35ee0ce000 a3000 error
msyscall a35187dd000 a5000 error
starting local daemons: cron.
Thu Jul  9 08:07:15 CEST 2020

Any ideas where this could come from? and if it is bad?

The VMD host itself also runs OpenBSD 6.7.

Regards,
Mabi



Re: using aggr interface instead of trunk

2020-05-14 Thread mabi
Hi Iain,

‐‐‐ Original Message ‐‐‐
On Wednesday, May 13, 2020 7:55 PM, Iain R. Learmonth wrote:

> More details are at: https://marc.info/?l=openbsd-cvs=156229058006706=2

I actually already read that one after seeing the announcement on undeadly.org 
iirc ;)

> Assuming you mean trunk, not tun, yes.

Right, thanks for spotting that, I meant trunk of course.

> I don't see mention of any aggr fixes in the 6.7 changelog, so I guess it
> didn't have any disasters in it. Others are using it on production systems.

Nice to hear that, I will give it a shot as soon as I upgrade to 6.6 my HA CARP 
cluster of two OpenBSD firewalls. I might first try using it on one of the two 
firewalls so that I can easily switch to the other firewall in any case of 
issue.



using aggr interface instead of trunk

2020-05-13 Thread mabi
Hello,

I am currently running OpenBSD 6.5 as firewall with two ix interfaces inside a 
trunk interface with LACP protocol. On top of that I have a few vlan interfaces 
so it's basically (ix -> trunk -> vlan).

Now I saw that OpenBSD has a new interface specifically for LACP which is 
called aggr. As I will soon be upgrading to OpenBSD 6.6 I was wondering if it 
is the right time to switch from trunk to the new aggr interface?

From what I understand the new aggr interface has mainly 2 advantages: it is 
multi-processor safe and it should be faster than the tun interface. Is this 
correct?

And last point because aggr is pretty new, is it already safe to use it for a 
production firewall?

Best regards,
Mabi



Re: OpenBSD VPS hoster with unlimited/limited nonfiltered traffic

2020-04-10 Thread mabi
‐‐‐ Original Message ‐‐‐
On Friday, April 10, 2020 12:59 PM, Dumitru Moldovan wrote:

> Vultr is close to that. Last time I created a new VPS with them, I
> think they filtered port 25, but it was no big deal to get rid of that.
>
> Still running 2 productions VMs on Vultr, they are cheap, have great
> support, and reasonable uptimes. Not OpenBSD-based unfortunately, even
> though they support it officially.

Here https://oriented.net/server/openbsd-virtual-machine they provide OpenBSD 
native VPS and traffic seems to be unlimited/unfiltered.



Re: Time jumping forward issue under OpenBSD 6.6 VMM

2020-03-03 Thread mabi
‐‐‐ Original Message ‐‐‐
On Tuesday, March 3, 2020 8:52 PM, Jordan Geoghegan wrote:

> The clocks are basically broken on vmm. The pvclock stuff is definitely
> an improvement, but it's still not there. There's still a ways to go
> before we have proper, reasonably accurate clocks for vmm guests.

Thanks Jordan for this info. For now I might just avoid VMM for time sensitive 
services and use bare metal with OpenBSD of course. I will for sure go back to 
VMM once the clock is more accurate.



Re: Time jumping forward issue under OpenBSD 6.6 VMM

2020-03-03 Thread mabi
‐‐‐ Original Message ‐‐‐
On Tuesday, March 3, 2020 5:58 PM, Ian Gregory wrote:

> I've had similar issues with timekeeping within guests of VMM,
> although there are improvements in -current with the pvclock time
> source. Since the fix below I now see occasional instances of the
> clock stepping by a few whole seconds (typically less than 8s) but
> it's much less frequent and the magnitude is within the bounds of what
> ntpd can correct.
>
> See 
> http://openbsd-archive.7691.n7.nabble.com/pvclock-stability-tp376946p377922.html
> for some backstory
>
> (aside: I see similar small occasional clock jumps of an integer
> number of seconds on OpenBSD-6.6 guests using tsc running on a VMware
> ESXi host)

Thank you Ian for your answer. Unfortunately I don't understand too much of 
that post you linked. But if I understand you correctly you are suggesting that 
I should change on my VM:

kern.timecounter.hardware=pvclock

and the drift or jumps should be better than with "tsc" ?



Time jumping forward issue under OpenBSD 6.6 VMM

2020-03-03 Thread mabi
Hello,

I am running an OpenBSD 6.6 VMM server with a few virtual machines also running 
6.6 and noticed that one of them, which is running the Dovecot 2.3.9 package, 
outputs the following warning every 10-15 seconds:

dovecot: imap: Warning: Time jumped forwards 28.294585 seconds

It looks like there is a time issue on that VM although I am running the 
default ntpd of OpenBSD 6.6 and I have added the following parameter into my 
/etc/sysctl.conf on that VM:

kern.timecounter.hardware=tsc

Is there anything else I can do to avoid this time issue in my VM?

Best regards,
Mabi



Re: Can't install OpenBSD 6.6 on apu4d4

2020-02-05 Thread mabi
‐‐‐ Original Message ‐‐‐
On Thursday, February 6, 2020 8:25 AM, Mischa wrote:

> Before you boot, at the boot> prompt do:
>
> stty com0 115200
> set tty com0

Thanks Mischa! I should have thought about that but I couldn't remember having 
done this with previous APU models and OpenBSD versions.



Can't install OpenBSD 6.6 on apu4d4

2020-02-05 Thread mabi
Hi there,

I am trying to install OpenBSD 6.6 (install66.fs) from a USB key on a PC 
Engines apu4d4 box. Unfortunately the installer does not seem to start as it 
reboots after loading a few seconds of the bsd.rd image as you can see from my 
output below:

SeaBIOS (version rel-1.12.1.3-0-g300e8b7)

Press F10 key now for boot menu

Booting from Hard Disk...
Using drive 0, partition 3.
Loading..
probing: pc0 com0 com1 com2 com3 mem[639K 3325M 752M a20=on]
disk: hd0+ hd1+*
>> OpenBSD/amd64 BOOT 3.45
boot>

cannot open hd0a:/etc/random.seed: No such file or directory
booting hd0a:/6.6/amd64/bsd.rd: 3732171+1537024+3885432+0+598016 [376562+128+455544+303577]=0xa648d0
entry point at 0x8100100

PC Engines apu4
coreboot build 20202901
BIOS version v4.11.0.3


I upgraded the BIOS from v4.11.0.2 to v4.11.0.3 and tried another USB key but 
still the same happens.

Am I missing something here?

Regards,
Mabi



Re: sysupgrade to 6.6 failed at comp66.tgz

2019-11-22 Thread mabi
‐‐‐ Original Message ‐‐‐
On Friday, November 22, 2019 11:45 AM, Stuart Henderson wrote:

> A combination of things:
>
> -   You didn't install the comp set before

Thank you Stuart for your detailed mail. That's exactly it, I did not have 
comp65.tgz set installed as I just recently read on this mailing list that the 
best practice would be to install all sets, including the x* sets even if I 
don't need X on my servers. This is the only way that guarantees that such 
tools like sysupgrade can work properly. Lesson learnt live here ;-)

So thanks to your instructions I managed to upgrade to 6.6 using sysupgrade and 
it all worked well. Great work behind this sysupgrade tool!!



sysupgrade to 6.6 failed at comp66.tgz

2019-11-22 Thread mabi
Hi,

I just tried out sysupgrade on one of my OpenBSD 6.5 servers in order to 
upgrade automatically to 6.6 but unfortunately it failed at the comp66.tgz and 
rebooted (upgrade log below).

It looks like I am now running a half-upgraded hybrid OpenBSD 6.5/6.6 system. 
It also didn't manage to relink the kernel after reboot (log file below).

So I was wondering if anyone had any recommendations or insights on the 
following points:

- reason why it failed?
- what should I do now? retry to upgrade with sysupgrade?
- re-install the whole system?
- maybe sysupgrade needs to be patched to avoid this issue?

Best regards,
Mabi


*** output of upgrade log ***

Terminal type? [vt220] vt220
Available disks are: sd0.
Which disk is the root disk? ('?' for details) [sd0] sd0
Checking root filesystem (fsck -fp /dev/sd0a)... OK.
Mounting root filesystem (mount -o ro /dev/sd0a /mnt)... OK.
Force checking of clean non-root filesystems? [no] no
fsck -p f8bd514855ccf1e5.f... OK.
fsck -p f8bd514855ccf1e5.d... OK.
fsck -p f8bd514855ccf1e5.e... OK.
fsck -p f8bd514855ccf1e5.g... OK.
/dev/sd0a (f8bd514855ccf1e5.a) on /mnt type ffs (rw, local)
/dev/sd0f (f8bd514855ccf1e5.f) on /mnt/home type ffs (rw, local, nodev, nosuid)
/dev/sd0d (f8bd514855ccf1e5.d) on /mnt/tmp type ffs (rw, local, nodev, nosuid)
/dev/sd0e (f8bd514855ccf1e5.e) on /mnt/usr type ffs (rw, local, nodev, 
wxallowed)
/dev/sd0g (f8bd514855ccf1e5.g) on /mnt/var type ffs (rw, local, nodev, nosuid)

Let's upgrade the sets!
Location of sets? (cd0 disk http nfs or 'done') [http] disk
Is the disk partition already mounted? [yes] yes
Pathname to the sets? (or 'done') [6.6/amd64] /home/_sysupgrade/

Select sets by entering a set name, a file name pattern or 'all'. De-select
sets by prepending a '-', e.g.: '-game*'. Selected sets are labelled '[X]'.
[X] bsd   [X] base66.tgz[X] game66.tgz[X] xfont66.tgz
[X] bsd.mp[X] comp66.tgz[X] xbase66.tgz   [X] xserv66.tgz
[X] bsd.rd[X] man66.tgz [X] xshare66.tgz
Set name(s)? (or 'abort' or 'done') [done] done
Directory does not contain SHA256.sig. Continue without verification? [no] yes
Installing bsd  100% |**| 18250 KB00:00
Installing bsd.mp   100% |**| 18336 KB00:00
Installing bsd.rd   100% |**| 10058 KB00:00
Installing base66.tgz   100% |**|   236 MB00:36
Installing comp66.tgz81% |* | 58880 KB00:02 ETA
tar: Unable to remove directory ./usr/include/machine: Directory not empty
Installing comp66.tgz   100% |**| 72109 KB00:14
Installation of comp66.tgz failed. Continue anyway? [no] no


*** output of /usr/share/relink/kernel/GENERIC/relink.log ***

(SHA256) /bsd: FAILED

Failed to verify /bsd's checksum, therefore a randomly linked kernel (KARL)
is not being built. KARL can be re-enabled for next boot by issuing as root:

sha256 -h /var/db/kernel.SHA256 /bsd



Re: 'machine/cdefs.h' file not found when installing nokogiri gem

2019-11-16 Thread mabi
‐‐‐ Original Message ‐‐‐
On Saturday, November 16, 2019 2:38 PM, Stuart Henderson wrote:

> For native extensions, it's really best to install from packages.
>
> pkg_add ruby25-nokogiri

Thanks for the tip, I didn't think about that alternative. What puzzles me is 
that I managed to install that nokogiri gem on OpenBSD 6.4 using 'gem install' 
in the past. Will have to check with 6.6.



'machine/cdefs.h' file not found when installing nokogiri gem

2019-11-16 Thread mabi
Hi,

I am trying to install the nokogiri Ruby gem using "gem install nokogiri" and 
have the ruby-2.5.5 package from ports for that purpose installed.

Unfortunately it does not want to install complaining that the 
'machine/cdefs.h' header file can not be found. This header file is included on 
line 41 of /usr/include/sys/cdefs.h but is not present on my OpenBSD 6.5 
system. Am I missing something here?

I have pasted below the full error output from installing that gem if that is 
of any help.

Best regards,
Mabi


$ gem install nokogiri

Building native extensions. This could take a while...
ERROR:  Error installing nokogiri:
ERROR: Failed to build gem native extension.

current directory: /home/ma/.gem/gems/nokogiri-1.10.5/ext/nokogiri
/usr/local/bin/ruby25 -r ./siteconf20191116-77258-1qm6dzx.rb extconf.rb
checking if the C compiler accepts  -I /usr/local/include... *** extconf.rb failed ***
Could not create Makefile due to some reason, probably lack of necessary
libraries and/or headers.  Check the mkmf.log file for more details.  You may
need configuration options.

Provided configuration options:
--with-opt-dir
--without-opt-dir
--with-opt-include
--without-opt-include=${opt-dir}/include
--with-opt-lib
--without-opt-lib=${opt-dir}/lib
--with-make-prog
--without-make-prog
--srcdir=.
--curdir
--ruby=/usr/local/bin/$(RUBY_BASE_NAME)25
--help
--clean
--use-system-libraries
/usr/local/lib/ruby/2.5/mkmf.rb:456:in `try_do': The compiler failed to generate an executable file. (RuntimeError)
You have to install development tools first.
from /usr/local/lib/ruby/2.5/mkmf.rb:574:in `block in try_compile'
from /usr/local/lib/ruby/2.5/mkmf.rb:521:in `with_werror'
from /usr/local/lib/ruby/2.5/mkmf.rb:574:in `try_compile'
from extconf.rb:138:in `nokogiri_try_compile'
from extconf.rb:162:in `block in add_cflags'
from /usr/local/lib/ruby/2.5/mkmf.rb:632:in `with_cflags'
from extconf.rb:161:in `add_cflags'
from extconf.rb:416:in `'

To see why this extension failed to compile, please check the mkmf.log which 
can be found here:

  /home/ma/.gem/extensions/x86_64-openbsd/2.5/nokogiri-1.10.5/mkmf.log

extconf failed, exit code 1

Gem files will remain installed in /home/ma/.gem/gems/nokogiri-1.10.5 for 
inspection.
Results logged to 
/home/ma/.gem/extensions/x86_64-openbsd/2.5/nokogiri-1.10.5/gem_make.out

*** Content of the nokogiri-1.10.5/mkmf.log file below: ***

"cc -o conftest -I/usr/local/include/ruby-2.5/x86_64-openbsd 
-I/usr/local/include/ruby-2.5/ruby/backward -I/usr/local/include/ruby-2.5 -I. 
-DOPENSSL_NO_STATIC_ENGINE -I/usr/local/include   -O2 -pipe -fPIC  -I 
/usr/local/include conftest.c  -L. -L/usr/local/lib -Wl,-rpath,/usr/local/lib 
-L. -L/usr/local/lib -fstack-protector -Wl,-E -Wl,-rpath,/usr/local/lib 
-L/usr/local/lib -lruby25  -pthread -lgmp -lm   -lc "
In file included from conftest.c:1:
In file included from /usr/local/include/ruby-2.5/ruby.h:33:
In file included from /usr/local/include/ruby-2.5/ruby/ruby.h:29:
In file included from /usr/local/include/ruby-2.5/ruby/defines.h:112:
In file included from /usr/include/stdio.h:41:
/usr/include/sys/cdefs.h:41:10: fatal error: 'machine/cdefs.h' file not found
#include 
 ^
1 error generated.
checked program was:
/* begin */
1: #include "ruby.h"
2:
3: int main(int argc, char **argv)
4: {
5:   return 0;
6: }
/* end */




Re: IPsec bandwidth perf on APU4C4

2019-06-19 Thread mabi
‐‐‐ Original Message ‐‐‐
On Thursday, June 13, 2019 10:46 PM, Stuart Henderson  
wrote:

> 4.9.0.6 does have it enabled by default. I'm not sure about the 4.0.x releases
> and don't want to reboot mine to check now either :)

Finally managed to reboot my firewall box and so I can confirm that on my 
previous firmware (v4.0.24) the boost option was already enabled by default. I 
now upgraded to v4.9.0.6 but unfortunately as that boost option was already 
enabled I do not see any further improvements.

For reference here is the output of a "md5 -tt":

MD5 time trial.  Processing 10 1-byte blocks...
Digest = 766a2bb5d24bddae466c572bcabca3ee
Time   = 9.69 seconds
Speed  = 103199174.406605 bytes/second




Re: IPsec bandwidth perf on APU4C4

2019-06-13 Thread mabi
‐‐‐ Original Message ‐‐‐
On Wednesday, June 12, 2019 10:26 PM, Stuart Henderson  
wrote:

> If you're on an old BIOS revision for the APU (more than a couple of
> months old), try updating, they have enabled "core performance boost"
> which increases speed of a single core if the others are not under
> heavy load.
>
> I haven't done network benchmarks but there is a noticeable improvement
> in some other things (md5 -tt goes from 12 -> 9 seconds).
>
> To update BIOS from OpenBSD, pkg_add flashrom and download the BIOS
> version for your board (https://pcengines.github.io/). Go to serial
> console and reboot in single-user mode (boot -s), mount -a, and run
> "flashrom --programmer internal -w apuX_vXXX.rom". Then reboot back
> as normal.
>
> If you'd like to compare benchmarks, the feature can be toggled
> from the setup menu in BIOS.
>
> https://blog.3mdeb.com/2019/2019-02-14-enabling-cpb-on-pcengines-apu2/

Thanks Stuart for the hint, that sounds fantastic. I bought my APU4 recently so 
it has a few months old BIOS (v4.0.24 to be precise) and based on the change 
log it also seems to include that "core performance boost". I need to reboot 
and check the BIOS settings first see if this new setting is enabled or not by 
default. I have the feeling it is not enabled. Anyway I think I will upgrade 
the BIOS to the latest v4.9.0.6.

Will keep you posted as soon as I check this but right now I can't reboot the 
box.



Re: IPsec bandwidth perf on APU4C4

2019-06-12 Thread mabi
‐‐‐ Original Message ‐‐‐
On Wednesday, June 12, 2019 11:34 AM, Daniel Gracia  wrote:

> Those look like reasonable numbers for the given scenario. Improving
> your IPsec bandwidth would take more horsepower than an APU box.
> Improving site-to-site encrypted VPN speed, assuming two APU boxes,
> would require switching from IPsec to something like a WireGuard VPN,
> available on -current as a package, but I'm not quite sure how much
> performance would be attainable on OpenBSD. Heard >500Mbps on
> APU3/Debian combo[1], but once again, don't believe everything you
> read on Internet.

Interesting article thanks Daniel. As you mention I am also under the 
impression that with my config I have maxed out that APU4 box.

It's quite hard to believe that on the same box WireGuard with Linux achieves 
5x more throughput, even considering that it would fully use all 4 cores, so I 
do take these numbers cautiously.

For now I'll stick to OpenBSD with iked, it's rock stable, easy to configure 
and "just" works.



Re: IPsec bandwidth perf on APU4C4

2019-06-11 Thread mabi
‐‐‐ Original Message ‐‐‐
On Tuesday, June 11, 2019 1:04 PM, Christian Weisgerber  
wrote:

> > childsa enc aes-128-gcm
>
> Correct.

For reference I now changed the childsa encryption cipher to aes-128-gcm and 
get 93 Mbit/s throughput instead of the 80 Mbit/s I saw with aes-256.

Better than nothing but still not quite optimal so I was wondering if anyone 
had already achieved better IPsec site-to-site bandwidth throughput with a PC 
Engines APU4 box?

I have a very simple site-2-site IPsec connection which basically is just the 
following config in my iked.conf file:

ikev2 active esp from $local_ip to $remote_ip local $local_ip peer $remote_ip 
childsa enc aes-128-gcm srcid $local_ip dstid $remote_ip
ikev2 active esp from $local_network to $remote_network local $local_ip peer 
$remote_ip childsa enc aes-128-gcm srcid $local_ip dstid $remote_ip

Cheers,
Mabi



Re: IPsec bandwidth perf on APU4C4

2019-06-11 Thread mabi
‐‐‐ Original Message ‐‐‐
On Monday, June 10, 2019 7:09 PM, Christian Weisgerber  
wrote:

> No "auth". AES-GCM is an authenticated encryption algorithm, i.e.,
> it handles both encryption and authentication at the same time.
> Specifying an additional "auth" algorithm doesn't make sense.

Last question hopefully... Reading the iked.conf man page I conclude that all I 
need for that is to add the following additional parameter to my ikev2 config:

childsa enc aes-128-gcm

is this correct?



Re: IPsec bandwidth perf on APU4C4

2019-06-10 Thread mabi
‐‐‐ Original Message ‐‐‐
On Monday, June 10, 2019 7:09 PM, Christian Weisgerber  
wrote:

> No "auth". AES-GCM is an authenticated encryption algorithm, i.e.,
> it handles both encryption and authentication at the same time.
> Specifying an additional "auth" algorithm doesn't make sense.

Ahh now it all makes sense with the word "combo", thanks for clarifying this!
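An added example, not code from the thread or from iked, in Go using only the standard library: it shows what "handles both encryption and authentication at the same time" means in practice for this message and the previous one (a tampered AES-GCM packet is rejected outright, while plain AES-CBC decrypts a tampered packet without complaint, which is why CBC needs the separate HMAC that GCM makes redundant). The key, IV, associated data and plaintext are constructed demo values, and the function names are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// Constructed demo key (16 bytes = AES-128); not a value from the thread.
var testKey = []byte("0123456789abcdef")

// sealGCM encrypts and authenticates in one pass and returns
// nonce || ciphertext || 16-byte tag. aad is authenticated but not
// encrypted, which is how ESP handles its header fields under GCM.
func sealGCM(key, aad, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // 12 bytes; must never repeat under one key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM verifies the tag before releasing anything: on a mismatch the
// caller gets an error and no plaintext.
func openGCM(key, aad, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(msg) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("message too short")
	}
	return aead.Open(nil, msg[:aead.NonceSize()], msg[aead.NonceSize():], aad)
}

// flipBit returns a copy of b with one bit toggled in byte i.
func flipBit(b []byte, i int, mask byte) []byte {
	c := append([]byte(nil), b...)
	c[i] ^= mask
	return c
}

// gcmRejectsTampering reports whether a one-bit change to the ciphertext
// and, separately, to the associated data is caught by the GCM tag.
func gcmRejectsTampering(key []byte) (bool, error) {
	aad := []byte("spi=0x1234 seq=1") // constructed stand-in for ESP header fields
	pt := []byte("payload carried inside the IPsec tunnel")
	msg, err := sealGCM(key, aad, pt)
	if err != nil {
		return false, err
	}
	if got, err := openGCM(key, aad, msg); err != nil || !bytes.Equal(got, pt) {
		return false, errors.New("genuine message failed to decrypt")
	}
	_, errCT := openGCM(key, aad, flipBit(msg, 12, 0x01)) // first ciphertext byte
	_, errAAD := openGCM(key, flipBit(aad, 0, 0x01), msg) // associated data
	return errCT != nil && errAAD != nil, nil
}

// cbcIsMalleable shows why plain AES-CBC needs a separate HMAC in ESP:
// flipping a bit in ciphertext block n flips the same bit in plaintext
// block n+1 (block n turns to garbage) and nothing reports an error.
func cbcIsMalleable(key []byte) (bool, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return false, err
	}
	iv := bytes.Repeat([]byte{0x42}, aes.BlockSize)  // constructed, fixed for the demo
	pt := []byte("block one is 16 block two is 16 ") // exactly two blocks, no padding
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	got := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(got, flipBit(ct, 0, 0x20)) // aims at pt[16]
	return got[16] == pt[16]^0x20 && bytes.Equal(got[17:], pt[17:]), nil
}
```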



Re: IPsec bandwidth perf on APU4C4

2019-06-10 Thread mabi
‐‐‐ Original Message ‐‐‐
On Monday, June 10, 2019 6:00 PM, Christian Weisgerber  
wrote:

> enc aes-128-gcm etc.

That part for the "enc" parameter makes sense to me but what about the "auth" 
parameter? Would you keep the default hmac-sha2-256? or which combination with 
the "enc aes-128-gcm" would be a good fit?



Re: IPsec bandwidth perf on APU4C4

2019-06-10 Thread mabi
‐‐‐ Original Message ‐‐‐
On Monday, June 10, 2019 4:49 PM, Christian Weisgerber  
wrote:

> It helps to understand that the authentication algorithm can require
> as much or more CPU than the encryption. HMAC-SHA2 is expensive.
> On hardware that has AES-NI support, like the APU2 family, AES-GCM
> is generally the fastest encryption/authentication combo.

Thanks for the tip regarding the cpu cost of the authentication algorithm. Now 
I was wondering how do you use the AES-GCM combo? I can't find any auth or enc 
parameters mentioning that combo.



IPsec bandwidth perf on APU4C4

2019-06-10 Thread mabi
Hi,

I am currently testing a PC Engines APU4C4 with OpenBSD 6.5 and iked for an 
IPsec tunnel between two sites which both have 1 Gbit/s uplink.

Bypassing the IPsec tunnel I get around 500 Mbit/s of bandwidth throughput 
which is quite satisfying. The bandwidth throughput over my IPsec tunnel 
achieves a max of 80 Mbit/s which I was sort of expecting with the default 
encryption settings (auth hmac-sha2-256 enc aes-256).

In order to increase bandwidth throughput over my IPsec tunnel I wanted to know 
what you guys think is a good compromise between performance and security? I 
was thinking for example of changing the encryption cipher to aes-128 instead 
of aes-256 and maybe blowfish? What would you recommend?

Anything else I should be looking at? maybe like a hardware crypto accelerator 
miniPCI card compatible with the APU4 and OpenBSD?

Cheers,
Mabi



Re: Upgrade procedure for VMM virtualization server

2019-05-06 Thread mabi
‐‐‐ Original Message ‐‐‐
On Monday, May 6, 2019 1:32 PM, Solene Rapenne  wrote:

> There are no order. But I would upgrade the host, then the VM, this
> requires only one downtime for the whole stack.

Thanks for confirming, I will then do so.



Upgrade procedure for VMM virtualization server

2019-05-06 Thread mabi
Hello,

Now that 6.5 is out I was wondering what is the best approach of upgrading my 
OpenBSD 6.4 VMM virtualization server, should I first upgrade the VMM 
hypervisor host from 6.4 to 6.5 and then afterwards the virtual machines from 
6.4 to 6.5? That would make sense to me but I just wanted to double check.

Best,
Mabi



Re: Upgrading a CARP firewall cluster

2019-05-03 Thread mabi
‐‐‐ Original Message ‐‐‐
On Tuesday, April 30, 2019 9:29 PM, Lyndon Nerenberg  wrote:

> On our systems, we run the 'a' machine as primary and the 'b' machine
> as backup. When upgrading, we do the 'b' machine first, since this
> doesn't disrupt the primary. After the 'b' machine is fully configured,
> monitor its state table to ensure it's consistent with the 'a'
> machine. Once you are convinced pf is staying in sync, demote the
> 'a' machine and upgrade it.

Thanks for your procedure tips, that's pretty much the same procedure I use 
except that I didn't even demote the "a" machine before upgrading it. Now I 
guess demoting the machine in question before upgrading it is the best practice 
and so I checked the OpenBSD FAQ about CARP and see different methods. The 
"carpdemote" way seems the cleanest way so as I have 8 carp interfaces all in 
the default carp group, should I simply run the following command:

$ ifconfig -g carp carpdemote 50

or what is your way of demoting the server before upgrading it?

Regards,
Mabi



Re: Upgrading a CARP firewall cluster

2019-04-30 Thread mabi
‐‐‐ Original Message ‐‐‐
On Tuesday, April 30, 2019 11:20 AM, Igor Podlesny  wrote:

> CARP should be of no worries at all and PF state table's sync is
> easily verified.
> If after backup's upgrade-reboot it has roughly same amount of entries
> you can safely demote master and repeat procedure.
> Even if there were some major differences maximum what you could lose
> is connections state table.

Thank you Igor for the details. As you mention it doesn't really matter much if 
the connection state table gets lost in the worst case.



Upgrading a CARP firewall cluster

2019-04-30 Thread mabi
Hello,

I have an OpenBSD 6.3 firewall cluster made out of two nodes (one master, one 
backup) using CARP and pfsync. This cluster also makes use of trunk and vlan 
interfaces.

Now I would first like to upgrade the cluster to 6.4 and then to 6.5 and was 
wondering if it is possible to operate that cluster for a short amount of time 
having one node running 6.3 and the other node with 6.4 and then the same for 
going to 6.4 to 6.5.

Is this safe? or could there be any incompatibilities in carp/pfsync which 
would prevent me to do that upgrade in two steps while keeping everything 
online?

Cheers,
Mabi






Re: em interface fails to enter promiscuous mode when bridging on vlan interfaces

2019-02-21 Thread mabi
‐‐‐ Original Message ‐‐‐
On Thursday, February 21, 2019 12:55 AM, Jordan Geoghegan 
 wrote:

> I'm not sure if this has already been reported, or if it is indeed a
> bug, but the title pretty much sums it up.

Hi Jordan,

I have also reported this a while ago on this very same list and ended up 
assigning an IP address on that interface as a workaround. It would be great if 
a nicer fix for that could be found.

Also I would be interested to know if you also are losing connection from time 
to time on your VMs? I posted this three weeks ago:

https://marc.info/?l=openbsd-misc=154904432526324=2

Cheers,
Mabi



Re: Turn off athn0

2019-02-18 Thread mabi
‐‐‐ Original Message ‐‐‐
On Monday, February 18, 2019 8:31 PM, Stefan Sperling  wrote:

> Yes, putting the interface down will disable radio.

Thanks Stefan for your answer, always so helpful and efficient ;-)



Turn off athn0

2019-02-18 Thread mabi
Hello,

I have an Atheros AR9280 miniPCI card acting as a WIFI hotspot on my OpenBSD 
firewall and would like to turn it off during a specific time window of the day.

To turn it completely off (no waves) would a crontab entry using the following 
command be enough?

ifconfig athn0 down

or do I need any other commands in order to switch it completely off?

Regards,
Mabi



Re: VMs losing network connectivity for a few minutes on a daily basis

2019-02-04 Thread mabi
I was wondering if maybe this could have something to do with spanning tree on 
the bridge6 interface?

An ifconfig on the bridge6 interface shows the following spanning tree settings:

 priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp

Do I really need spanning tree here? and would it be safe to disable it for a 
test?

Regards,
Mabi

‐‐‐ Original Message ‐‐‐
On Friday, February 1, 2019 7:02 PM, mabi  wrote:

> Hello,
>
> I am testing VMM/VMD on OpenBSD 6.4 with OpenBSD 6.4 virtual machines but 
> noticed that maybe around 2 times per day the VMs lose their network 
> connectivity for a short amount of time of around 2-3 minutes. I currently 
> have 3 OpenBSD VMs with very light load on them and it happens to all of them.
>
> The network connectivity recovers on its own or if I log in through the 
> console to the VM and initiate for example a ping to the outside. The 
> host/hypervisor itself never loses connectivity.
>
> Now I presume there is either an issue with my network setup or maybe a bug 
> but I would rather think it has to do with my network setup. My network setup 
> on the OpenBSD host itself consists of two physical network devices (bnx0 + 
> bnx1) which I have bundled in a trunk (trunk0) in failover mode. Then on top 
> of my trunk I have two VLAN interfaces (vlan2 and vlan6). vlan2 is my private 
> network and vlan6 is my public facing network (internet). Then finally I have 
> a bridge interface (bridge6) with my vlan6 interface inside where my VM 
> connect to as they are directly available on the internet.
>
> So the whole chain of network interfaces from host to VM looks like this:
>
> [bnx0+bnx1]-[trunk0]-[vlan6]-[bridge6]-[tap0]-[vio0]
>
> My /etc/vm.conf looks like this:
>
> switch "uplink_vlan6" {
> interface bridge6
> }
>
> vm "obsd1vm" {
> memory 2G
> disk "/var/vmm/obsd1vm.qcow2"
>
> interface {
> switch "uplink_vlan6"
> lladdr fe:e1:bb:03:01:01
> }
> }
>
> My /etc/hostname.* files look like this:
>
> /etc/hostname.bnx0
> up
>
> /etc/hostname.bnx1
> up
>
> /etc/hostname.trunk0
> trunkproto failover trunkport bnx0 trunkport bnx1 up
>
> /etc/hostname.vlan2
> inet 192.168.1.56 255.255.255.0 192.168.1.255 vnetid 2 parent trunk0 
> description "private" up
>
> /etc/hostname.vlan6
> inet xxx.xxx.xxx.xxx 255.255.255.0 xxx.xxx.xxx.255 vnetid 6 parent trunk0 
> description "public" up
>
> /etc/hostname.bridge6
> add vlan6
> up
>
> The hardware switch behind the host is a Cisco switch and the two ports 
> connected to the two hardware NICS of the server have both the following 
> config:
>
> interface Eth101/1/9
> switchport mode trunk
> switchport trunk native vlan 99
> switchport trunk allowed vlan 2,6
>
> Finally below is the output of ifconfig:
>
> bnx0: flags=8b43 mtu 
> 1500
>
> lladdr ---REMOVED---
> index 3 priority 0 llprio 3
> trunk: trunkdev trunk0
> media: Ethernet autoselect (1000baseT full-duplex,rxpause)
> status: active
>
>
> bnx1: flags=8b43 mtu 
> 1500
>
> lladdr ---REMOVED---
> index 4 priority 0 llprio 3
> trunk: trunkdev trunk0
> media: Ethernet autoselect (1000baseT full-duplex,rxpause)
> status: active
>
>
> bridge6: flags=41
>
> description: switch1-uplink_vlan6
> index 5 llprio 3
> groups: bridge
> priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
> vlan6 flags=3
>
> port 8 ifpriority 0 ifcost 0
> tap0 flags=3
>
> port 10 ifpriority 0 ifcost 0
>
>
> trunk0: flags=8943 mtu 1500
>
> lladdr ---REMOVED---
> index 6 priority 0 llprio 3
> trunk: trunkproto failover
> trunkport bnx1
> trunkport bnx0 master,active
> groups: trunk
> media: Ethernet autoselect
> status: active
>
>
> vlan2: flags=8843 mtu 1500
>
> lladdr ---REMOVED---
> description: private
> index 7 priority 0 llprio 3
> encap: vnetid 2 parent trunk0
> groups: vlan egress
> media: Ethernet autoselect
> status: active
> inet 192.168.1.56 netmask 0xff00 broadcast 192.168.1.255
>
>
> vlan6: flags=8943 mtu 1500
>
> lladdr ---REMOVED---
> description: public
> index 8 priority 0 llprio 3
> encap: vnetid 6 parent trunk0
> groups: vlan
> media: Ethernet autoselect
> status: active
> inet ---REMOVED--- netmask 0xff00

VMs losing network connectivity for a few minutes on a daily basis

2019-02-01 Thread mabi
Hello,

I am testing VMM/VMD on OpenBSD 6.4 with OpenBSD 6.4 virtual machines but 
noticed that maybe around 2 times per day the VMs lose their network 
connectivity for a short amount of time of around 2-3 minutes. I currently have 
3 OpenBSD VMs with very light load on them and it happens to all of them.

The network connectivity recovers on its own or if I log in through the console 
to the VM and initiate for example a ping to the outside. The host/hypervisor 
itself never loses connectivity.

Now I presume there is either an issue with my network setup or maybe a bug but 
I would rather think it has to do with my network setup. My network setup on 
the OpenBSD host itself consists of two physical network devices (bnx0 + bnx1) 
which I have bundled in a trunk (trunk0) in failover mode. Then on top of my 
trunk I have two VLAN interfaces (vlan2 and vlan6). vlan2 is my private network 
and vlan6 is my public facing network (internet). Then finally I have a bridge 
interface (bridge6) with my vlan6 interface inside where my VM connect to as 
they are directly available on the internet.

So the whole chain of network interfaces from host to VM looks like this:

[bnx0+bnx1]-[trunk0]-[vlan6]-[bridge6]-[tap0]-[vio0]


My /etc/vm.conf looks like this:

switch "uplink_vlan6" {
interface bridge6
}

vm "obsd1vm" {
memory 2G
disk "/var/vmm/obsd1vm.qcow2"

interface {
switch "uplink_vlan6"
lladdr fe:e1:bb:03:01:01
}
}

My /etc/hostname.* files look like this:

/etc/hostname.bnx0
up

/etc/hostname.bnx1
up

/etc/hostname.trunk0
trunkproto failover trunkport bnx0 trunkport bnx1 up

/etc/hostname.vlan2
 inet 192.168.1.56 255.255.255.0 192.168.1.255 vnetid 2 parent trunk0 
description "private" up

/etc/hostname.vlan6
inet xxx.xxx.xxx.xxx 255.255.255.0 xxx.xxx.xxx.255 vnetid 6 parent trunk0 
description "public" up

/etc/hostname.bridge6
add vlan6
up

The hardware switch behind the host is a Cisco switch and the two ports 
connected to the two hardware NICS of the server have both the following config:

interface Eth101/1/9
  switchport mode trunk
  switchport trunk native vlan 99
  switchport trunk allowed vlan 2,6


Finally below is the output of ifconfig:

bnx0: flags=8b43 mtu 
1500
lladdr ---REMOVED---
index 3 priority 0 llprio 3
trunk: trunkdev trunk0
media: Ethernet autoselect (1000baseT full-duplex,rxpause)
status: active
bnx1: flags=8b43 mtu 
1500
lladdr ---REMOVED---
index 4 priority 0 llprio 3
trunk: trunkdev trunk0
media: Ethernet autoselect (1000baseT full-duplex,rxpause)
status: active
bridge6: flags=41
description: switch1-uplink_vlan6
index 5 llprio 3
groups: bridge
priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
vlan6 flags=3
port 8 ifpriority 0 ifcost 0
tap0 flags=3
port 10 ifpriority 0 ifcost 0
trunk0: flags=8943 mtu 1500
lladdr ---REMOVED---
index 6 priority 0 llprio 3
trunk: trunkproto failover
trunkport bnx1
trunkport bnx0 master,active
groups: trunk
media: Ethernet autoselect
status: active
vlan2:  flags=8843 mtu 1500
lladdr ---REMOVED---
description: private
index 7 priority 0 llprio 3
encap: vnetid 2 parent trunk0
groups: vlan egress
media: Ethernet autoselect
status: active
inet 192.168.1.56 netmask 0xff00 broadcast 192.168.1.255
vlan6: flags=8943 mtu 1500
lladdr ---REMOVED---
description: public
index 8 priority 0 llprio 3
encap: vnetid 6 parent trunk0
groups: vlan
media: Ethernet autoselect
status: active
inet ---REMOVED--- netmask 0xff00 broadcast ---REMOVED---
pflog0: flags=141 mtu 33136
index 9 priority 0 llprio 3
groups: pflog
tap0: flags=8943 mtu 1500
lladdr fe:e1:ba:d0:56:1c
description: vm1-if0-obsd1vm
index 10 priority 0 llprio 3
groups: tap
status: active

Last note, the host and VMs are all patched up to 013_unveil.

I hope I could provide here all the relevant details, if there is anything else 
I should add I would be happy to provide with more info.

Best regards,
Mabi



Re: 100% intr CPU state in OpenBSD 6.4 VM

2019-01-24 Thread mabi
‐‐‐ Original Message ‐‐‐
On Thursday, January 24, 2019 5:35 PM, Mike Larkin  wrote:

> I believe this to be an accounting error and has been discussed on the lists
> several times.
>

Sorry about that, now that you mention it I remember also reading something on 
the list about that but could not find anything on ddg search.

I have an issue where my VM temporarily loses network connection for a few 
seconds to a few minutes so I was wondering if it might have been related to 
the high amount of interrupts but in that case it is not. I will look in other 
directions...



100% intr CPU state in OpenBSD 6.4 VM

2019-01-24 Thread mabi
Hi,

I am testing VMM/VMD on an OpenBSD 6.4 host with an OpenBSD 6.4 as guest OS and 
noticed that on a fresh installation the CPU seems to be all the time 100% busy 
dealing with interrupts. Here is the relevant line from "top":

CPU states:  0.0% user,  0.0% nice,  0.0% sys,  0.0% spin,  100% intr,  0.0% 
idle

And the output of "vmstat" looks like this:
vmstat 1
 procsmemory   pagedisk traps  cpu
 r   s   avm fre  flt  re  pi  po  fr  sr sd0  int   sys   cs us sy id
 1  32   15M668M4   0   0   0   0   0   0  10212   14  0 99  1
 0  33   15M668M   12   0   0   0   0   0   0  21041   41  0 98  2
 0  33   15M668M7   0   0   0   0   0   0  20736   33  0 99  1
 0  33   15M668M7   0   0   0   0   0   0  21037   36  0 98  2
 0  33   15M668M7   0   0   0   0   0   0  20937   36  0 100  0

The "Interrupts" column in the output of "systat" looks like this:

Interrupts
276 total
virtio0
virtio1
15  virtio2
 com0
133 clock
128 rtc

This VM has nothing running yet, the only thing I did is to disable sndiod and 
change this kernel parameter so that the time in the VM is more accurate:

kern.timecounter.hardware=tsc

So my question here would be if this 100% interrupt usage is normal under an 
OpenBSD VM? or is there something I might be doing wrong?

Below I pasted the "dmesg" output of my VM. Let me know if more details are 
required.

Regards,
Mabi


OpenBSD 6.4 (GENERIC) #3: Thu Dec 20 18:31:57 CET 2018
r...@syspatch-64-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 1056956416 (1007MB)
avail mem = 1015816192 (968MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xf1950 (10 entries)
bios0: vendor SeaBIOS version "1.11.0p0-OpenBSD-vmm" date 01/01/2011
bios0: OpenBSD VMM
acpi at bios0 not configured
cpu0 at mainbus0: (uniprocessor)
cpu0: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2396.03 MHz, 06-2c-02
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,PCLMUL,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AES,HV,NXE,PAGE1GB,LONG,LAHF,ITSC,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
pvbus0 at mainbus0: OpenBSD
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "OpenBSD VMM Host" rev 0x00
virtio0 at pci0 dev 1 function 0 "Qumranet Virtio RNG" rev 0x00
viornd0 at virtio0
virtio0: irq 3
virtio1 at pci0 dev 2 function 0 "Qumranet Virtio Storage" rev 0x00
vioblk0 at virtio1
scsibus1 at vioblk0: 2 targets
sd0 at scsibus1 targ 0 lun 0:  SCSI3 0/direct fixed
sd0: 51200MB, 512 bytes/sector, 104857600 sectors
virtio1: irq 5
virtio2 at pci0 dev 3 function 0 "Qumranet Virtio Network" rev 0x00
vio0 at virtio2: address fe:e1:bb:ff:ff:ff
virtio2: irq 6
virtio3 at pci0 dev 4 function 0 "OpenBSD VMM Control" rev 0x00
vmmci0 at virtio3
virtio3: irq 7
isa0 at mainbus0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16450, no fifo
com0: console
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on sd0a (2c1a48e720407786.a) swap on sd0b dump on sd0b




Re: reorder_kernel: kernel relinking failed

2019-01-17 Thread mabi
‐‐‐ Original Message ‐‐‐
On Thursday, January 17, 2019 8:28 AM, mabi  wrote:

> As this system is new I might just re-install the VM today and keep you 
> posted.

Strange, I just re-installed the VM and now there are no relinking issues 
anymore. Maybe something went wrong during the installation...



Re: reorder_kernel: kernel relinking failed

2019-01-16 Thread mabi
‐‐‐ Original Message ‐‐‐
On Wednesday, January 16, 2019 11:48 PM, Mike Larkin  
wrote:

> Looks like your /usr/share/relink/kernel/GENERIC.MP/*.o files got trashed
> somehow? Or perhaps you ran out of space?

So in the GENERIC directory there are 1311 *.o files, exactly the same amount 
as on another OpenBSD 6.4 VM which does not have this issue. Maybe one of these 
files is corrupt, I didn't test for integrity. My /usr partition is 5 GB and 
has 0.6 GB used so I don't think it's the space.

As this system is new I might just re-install the VM today and keep you posted.



reorder_kernel: kernel relinking failed

2019-01-16 Thread mabi
Hello,

While rebooting a freshly installed OpenBSD 6.4 VM (using VMM on an 
OpenBSD 6.4 server) I noticed that the kernel does not get relinked:

reorder_kernel: kernel relinking failed; see 
/usr/share/relink/kernel/GENERIC/relink.log

The content of the /usr/share/relink/kernel/GENERIC/relink.log file shows:

(SHA256) /bsd: OK
LD="ld" sh makegap.sh 0x
ld -T ld.script -X --warn-common -nopie -o newbsd ${SYSTEM_HEAD} vers.o ${OBJS}
ioconf.o:(.data+0x37b8): undefined reference to `lii_ca'
ioconf.o:(.data+0x37c0): undefined reference to `lii_cd'
ioconf.o:(.data+0x6ee0): undefined reference to `loopattach'
i915_dma.o:(.rodata+0x4d0): undefined reference to `i915_gem_userptr_ioctl'
i915_gem.o: In function `i915_gem_init':
/usr/src/sys/dev/pci/drm/i915/i915_gem.c:5411: undefined reference to 
`i915_gem_init_userptr'
*** Error 1 in /usr/share/relink/kernel/GENERIC (Makefile:985 'newbsd': @echo 
ld -T ld.script -X --warn-common -nopie -o newbsd '${SYSTEM_HE...)

Does anyone have an idea what it could be?

My VM has only 1 GB of memory, maybe that's not enough?

Regards,
Mabi




short receive (0/4) from nfs server log messages

2019-01-04 Thread mabi
Hello,

I have an OpenBSD 6.4 box where I mount via NFS a share from an NFS server and 
I see a few of the following log messages in /var/log/messages (around 10 per 
day).

short receive (0/4) from nfs server nfsserver:/data/files

I was wondering if this is anything to worry about and what it really means?

That NFS share is mounted through my /etc/fstab as such:

nfsserver:/data/files /mnt nfs rw,nodev,nosuid,tcp,nordirplus 0 0

Regards,
Mabi



Re: VMs as real hosts on the same network

2018-12-07 Thread mabi
‐‐‐ Original Message ‐‐‐
On Friday, December 7, 2018 12:57 PM, Martin Sukany  wrote:

> could you post here your /etc/pf.conf rules?

Sure, it's actually the default OpenBSD 6.4 one as you can see below:

#   $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

set skip on lo

block return log	# block stateless traffic
pass			# establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild


See my previous mail answering Mischa, his solution of adding an IP to the VLAN 
interface solves my issue...



Re: VMs as real hosts on the same network

2018-12-07 Thread mabi
‐‐‐ Original Message ‐‐‐
On Friday, December 7, 2018 12:40 PM, Mischa  wrote:

> The VLAN does require an IP address as far as I am aware.

Thanks that worked. I now have network connectivity on my public VM VLAN. I saw 
that adding an IP to my VLAN interface automatically set the trunk interface to 
PROMISC.

I was trying to avoid "wasting" an IP address as there is no real need for an 
IP on that VLAN interface on the server itself. But if that's the only way I am 
fine with that :)




Re: VMs as real hosts on the same network

2018-12-07 Thread mabi
‐‐‐ Original Message ‐‐‐
On Friday, December 7, 2018 11:43 AM, Mischa  wrote:

> It might be as easy as adding: up
>
> cat /etc/hostname.bridge6
>
> ==
>
> add vlan6
> up
>
> By default the bridge interface is not brought up.
> You can also run: ifconfig bridge6 up

Good idea and I added "up" to my hostname.bridge6 file but it looks like it was 
already up (at least doing an ifconfig bridge6 shows the "UP" flag). 
Nevertheless, to be on the safe side I rebooted the server but still no 
connectivity on the vlan6/bridge6 network for the VMs.

On the bridge6 interface I can see the DHCP request with tcpdump when the 
OpenBSD installer in the VM tries to fetch an IP address with DHCP:

11:59:35.672258 0.0.0.0.68 > 255.255.255.255.67:  xid:0xbafb375b [|bootp] [tos 
0x10]

Then on the DHCP server I can see the following in loop:

Dec  7 12:00:27 dhcpsrv dhcpd[18917]: DHCPDISCOVER from fe:e1:bb:01:01:01 via 
XXX.XXX.XXX.1
Dec  7 12:00:27 dhcpsrv dhcpd[18917]: DHCPOFFER on XXX.XXX.XXX.101 to 
fe:e1:bb:01:01:01 via XXX.XXX.XXX.1

The IP address ending with .1 is the gateway on my public network and the one 
ending with .101 is the IP which should be assigned to my OpenBSD VM.

It seems like the traffic is not flowing back to the VM itself.

I just found a very interesting behaviour by running tcpdump on pretty much all 
interfaces of my server to analyze the traffic at different levels and BINGO: 
as soon as I run tcpdump on my trunk0 interface the DHCP request goes through 
and my VM has network connectivity! But as soon as I stop tcpdump on the trunk 
interface: no more network connectivity...

Now as far as I know running tcpdump enables promiscuous mode (PROMISC flag on 
the interface) and this should be the reason why it works.

But now what does it mean for my setup, do I need to enable promiscuous mode on 
my trunk interface manually? and if yes how can I do that?



VMs as real hosts on the same network

2018-12-07 Thread mabi
Hello,

I am trying out VMM on an OpenBSD 6.4 server which has the following network 
interfaces defined:

[bnx0]+[bnx1]-->[trunk0]-->[vlan2]
[bnx0]+[bnx1]-->[trunk0]-->[vlan6]-->[bridge6]

The vlan2 is for the internal (management) network and vlan6 for the public 
(internet) network. I manage my server from vlan2 and would like to have my 
virtual machines on vlan6 which uses public IP addresses. For that purpose I 
have setup my /etc/hostname.* files as such:

hostname.bnx0 + hostname.bnx1:
up

hostname.trunk0:
trunkproto failover trunkport bnx0 trunkport bnx1 up

hostname.vlan2:
inet 192.168.1.5 255.255.255.0 192.168.1.255 vnetid 2 parent trunk0 description "private"

hostname.vlan6:
vnetid 6 parent trunk0 description "public" up

hostname.bridge6:
add vlan6

I am actually using Option 4 from the Networking chapter in the virtualization 
FAQ (https://www.openbsd.org/faq/faq16.html), just that my setup has a redundant 
link (trunk0) and a VLAN (vlan6). So in theory that should work but 
unfortunately when I start a VM to install OpenBSD 6.4 from the bsd.rd boot 
file I do not have any network connectivity. I tried with DHCP first and in 
that case on the DHCP server I see the DHCPDISCOVER and DHCPOFFER 
request/answer but there is never a DHCPACK. Then I tried assigning a static 
IP directly but still no network connectivity. I can't ping the default gateway 
of that public network. Checking with tcpdump on the firewall I can see the ARP 
who-has request and the ARP reply back to the VM but again it seems like the 
VM does not get it.

Here is my vm.conf conf file:

switch "uplink_vlan6" {
interface bridge6
}

vm "example" {
disable
memory 2G
boot "/home/admin/bsd.rd"
disk "/var/vmm/example.qcow2"

interface {
switch "uplink_vlan6"
lladdr fe:e1:bb:01:01:01
}
}

I have also totally disabled pf on that OpenBSD VMM server but that did not 
change anything (I am using the default pf.conf from the installation).

Any ideas what I might be doing wrong or forgetting?

Regards,
Mabi



Re: Dell PowerEdge R410 not booting 6.4

2018-10-25 Thread mabi
Indeed, I just created one huge "a" slice with 500 GB for my / root partition. 
I will try first to create smaller/multiple slices...

@Kristjan: "entry point at ..." no, it didn't even get to this line, it just 
rebooted at the line counting all these numbers, I think that is the very first 
line of the boot process if I am not mistaken.

‐‐‐ Original Message ‐‐‐
On Thursday, October 25, 2018 7:57 PM, diego righi  
wrote:

> did you make only one big a slice?
> try to put the i386 bootloader ;)
>
> On Thu, Oct 25, 2018, 18:20 mabi m...@protonmail.ch wrote:
>
> > Hi,
> > I just installed OpenBSD 6.4 on an older Dell PowerEdge R410 server. The
> > installation went fine but upon reboot I get to the "boot>" prompt then the
> > first line of the OpenBSD boot starts with all the numbers displaying but
> > like 2 seconds later the whole server reboots. Any idea what that could be?
> > This server is from around 2011 and has two Intel E5620 CPUs. I already
> > tried disabling hyperthreading, booting single user mode (boot -s), booting
> > the boot.sp image but so far no luck...
> > Regards,
> > Mabi

Dell PowerEdge R410 not booting 6.4

2018-10-25 Thread mabi
Hi,

I just installed OpenBSD 6.4 on an older Dell PowerEdge R410 server. The 
installation went fine but upon reboot I get to the "boot>" prompt then the 
first line of the OpenBSD boot starts with all the numbers displaying but like 
2 seconds later the whole server reboots. Any idea what that could be?

This server is from around 2011 and has two Intel E5620 CPUs. I already tried 
disabling hyperthreading, booting single user mode (boot -s), booting the 
boot.sp image but so far no luck...

Regards,
Mabi



vmm/vmd with Linux guest

2018-04-29 Thread mabi
Hello,

I just read the OpenBSD vmm/vmd Update slides from Mike Larkin and have the 
following 2 questions.

- it is mentioned that RHEL/CentOS is now supported and was wondering if Suse 
is also already supported or if it is planned? I had a try at SLES 12 as a 
guest on OpenBSD 6.3 but after the "Welcome to GRUB!" message on the console it 
is stuck.

- when enabling "vmctl log verbose" where do the log entries go? I checked 
/var/log/messages and daemon but did not see more verbose output while starting 
a vm. Or what would I do if I want to investigate further why a VM is stuck?

And by the way a big applause to those working on vmm/vmd for your great effort!

Regards,
Mabi



aesni/crypto related kernel panic on 6.3

2018-04-16 Thread mabi
Hi,

I finally replaced my old OpenBSD 5.0 firewall with 6.3 which also serves as a 
site-to-site VPN using now iked instead of isakmpd. The problem is that when I 
start a big transfer over the VPN to the remote site, also an OpenBSD 6.3 
firewall, the kernel panics. Crazy enough I tried to reproduce the problem to 
find out what it is related to and managed to even make both firewalls kernel 
panic at the same time. When this happens the hardware is frozen and won't take 
any input and won't even reboot automatically. I need to power it off and on 
again.

As I was logged into the serial console when I reproduced this problem I 
managed to get the following messages from the console:

fatal protection fault in supervisor mode
trap type 4 code 0 rip 8104d58a cs 8 rflags 10202 cr2  1dd9ec5f7c70 cpl 
a rsp 80002231ce28
panic: trap type 4, code=0, pc=8104d58a
Starting stack trace...
panic() at panic+0x11c
trap() at trap+0x688
--- trap (number 4) ---
memcpy(801be460,ff03a0f34188,0,0,16,a21ae232a3847235) at memcpy+0xa
aesni_process(ff03a0f34188) at aesni_process+0x124
crypto_invoke(8116ebc0) at crypto_invoke+0xd0
taskq_thread(0) at taskq_thread+0x67
end trace frame: 0x0, count: 251
End of stack trace.
syncing disks... 

When this happened I just started to transfer over SSH a ZFS snapshot to the 
remote site using the IPSec VPN. The iked daemon was rekeying its SAs and then 
the kernel panicked...

Below I pasted the dmesg of the firewall corresponding to the kernel panic 
message above. I can't send the dmesg of the remote firewall now as I need to 
go on-site first. Please let me know if I should send any log files or other 
details.

Regards,
Mabi



Re: pfstat package dependencies missing on 6.3 amd64

2018-04-16 Thread mabi
Sorry, my bad, these are actually system libraries missing and not packages. 
Indeed I do not have the X tgz packages installed yet.

‐‐‐ Original Message ‐‐‐

On April 16, 2018 3:48 PM, mabi <m...@protonmail.ch> wrote:

> Hello,
> 
> It looks like some package dependencies are missing on the package repository 
> of 6.3 amd64 or pfstat's dependencies are broken. See below:
> 
> $ doas pkg_add -v pfstat
> quirks-2.414 signed on 2018-03-28T14:24:37Z
> quirks-2.414: ok
> pfstat-2.5p2:libiconv-1.14p3: ok
> pfstat-2.5p2:png-1.6.34: ok
> pfstat-2.5p2:jpeg-1.5.3v0: ok
> pfstat-2.5p2:tiff-4.0.9: ok
> pfstat-2.5p2:giflib-5.1.4: ok
> pfstat-2.5p2:libwebp-0.6.1p0: ok
> Can't install gd-2.2.5p0 because of libraries
> |library fontconfig.11.0 not found
> | not found anywhere
> |library freetype.28.2 not found
> | not found anywhere
> Direct dependencies for gd-2.2.5p0 resolve to png-1.6.34 jpeg-1.5.3v0 
> tiff-4.0.9 libiconv-1.14p3 libwebp-0.6.1p0
> Full dependency tree is tiff-4.0.9 giflib-5.1.4 libwebp-0.6.1p0 
> libiconv-1.14p3 png-1.6.34 jpeg-1.5.3v0
> Can't install pfstat-2.5p2: can't resolve gd-2.2.5p0
> Extracted 12048693 from 12052934
> 
> Best regards,
> 
> Mabi




pfstat package dependencies missing on 6.3 amd64

2018-04-16 Thread mabi
Hello,

It looks like some package dependencies are missing on the package repository 
of 6.3 amd64 or pfstat's dependencies are broken. See below:

$ doas pkg_add -v pfstat
quirks-2.414 signed on 2018-03-28T14:24:37Z
quirks-2.414: ok
pfstat-2.5p2:libiconv-1.14p3: ok
pfstat-2.5p2:png-1.6.34: ok
pfstat-2.5p2:jpeg-1.5.3v0: ok
pfstat-2.5p2:tiff-4.0.9: ok
pfstat-2.5p2:giflib-5.1.4: ok
pfstat-2.5p2:libwebp-0.6.1p0: ok
Can't install gd-2.2.5p0 because of libraries
|library fontconfig.11.0 not found
| not found anywhere
|library freetype.28.2 not found
| not found anywhere
Direct dependencies for gd-2.2.5p0 resolve to png-1.6.34 jpeg-1.5.3v0 
tiff-4.0.9 libiconv-1.14p3 libwebp-0.6.1p0
Full dependency tree is tiff-4.0.9 giflib-5.1.4 libwebp-0.6.1p0 libiconv-1.14p3 
png-1.6.34 jpeg-1.5.3v0
Can't install pfstat-2.5p2: can't resolve gd-2.2.5p0
Extracted 12048693 from 12052934

Best regards,
Mabi



Re: Listen-on parameter in iked.conf

2018-04-16 Thread mabi
On April 16, 2018 9:05 AM, Stuart Henderson  wrote:

> There is not, but the main place this is needed is for setting the
> "from" address for outgoing packets. isakmpd uses the "default" address
> for this, which is often wrong on a multihomed system so it's necessary
> to bind to a particular address to fix this. iked (at least in the
> last few releases) uses the address from "local" in the config instead,
> so binding isn't needed in most cases.

I see, so as long as I use the "local" parameter in iked.conf with the local IP 
address which I use for my site-2-site VPN, I am telling iked to listen only 
on that IP address. Here would be my generic example for a site-2-site VPN 
between two OpenBSD firewalls:

ikev2 passive esp \
from $local_network to $remote_network local $local_ip peer $remote_ip \
srcid $local_ip

I was also wondering, in the case of a site-2-site VPN should one side be in 
active mode and the other one in passive mode? Or what is usually used for 
site-2-site VPNs?



Listen-on parameter in iked.conf

2018-04-15 Thread mabi
Hello,

I just moved from isakmpd to iked and could not find the parameter name in 
iked.conf in order to tell iked on which IP it should listen. With isakmpd.conf 
I would use the following:

[General]
Listen-on=  123.123.123.123

Is there any equivalent with iked?

Regards,
Mabi


Re: NTP issue on Lanner FW-7526B

2017-12-08 Thread mabi
Mhh thanks, totally forgot about that good old rdate. That did it and now ntp 
is happily in sync.

> Original Message 
>Subject: Re: NTP issue on Lanner FW-7526B
>Local Time: December 8, 2017 7:22 PM
>UTC Time: December 8, 2017 6:22 PM
>From: dan...@presscom.net
>To: misc@openbsd.org
>
>It is adjusting the time, but your clock is way off, so it tries to do it
> slowly as to not mess up any logs, but if you want to adjust it all at once
> and don't care about that for now
>
> rdate -n4 pool.ntp.org
>
> Simple.
>
>
>
> On 12/8/17 9:58 AM, mabi wrote:
>>Hi,
>>I have a new Lanner FW-7526B firewall loaded with OpenBSD 6.2. I must say 
>>it's a nice small firewall but unfortunately the ntp daemon does not seem to 
>>manage to set the time correctly with this hardware. The time is off by 
>>approximately 1:20h and every 2-3 minutes I see the following log entries:
>>Dec  9 14:26:10 fw ntpd[828]: adjusting local clock by -85381.687984s
>> Dec  9 14:29:53 fw ntpd[828]: adjusting local clock by -85380.584607s
>> Dec  9 14:31:33 fw ntpd[828]: adjusting local clock by -85380.084014s
>> Dec  9 14:33:12 fw ntpd[828]: adjusting local clock by -85379.589606s
>>ntpctl reports:
>>4/4 peers valid, constraint offset -85442s, clock unsynced, clock offset is 
>>-85378257.156ms
>>Any ideas what could be wrong here? I use the default ntp.conf file delivered 
>>with OpenBSD 6.2.
>>In case I pasted below the dmesg output.
>>Regards,
>> Mabi

NTP issue on Lanner FW-7526B

2017-12-08 Thread mabi
Hi,

I have a new Lanner FW-7526B firewall loaded with OpenBSD 6.2. I must say it's 
a nice small firewall but unfortunately the ntp daemon does not seem to manage 
to set the time correctly with this hardware. The time is off by approximately 
1:20h and every 2-3 minutes I see the following log entries:

Dec  9 14:26:10 fw ntpd[828]: adjusting local clock by -85381.687984s
Dec  9 14:29:53 fw ntpd[828]: adjusting local clock by -85380.584607s
Dec  9 14:31:33 fw ntpd[828]: adjusting local clock by -85380.084014s
Dec  9 14:33:12 fw ntpd[828]: adjusting local clock by -85379.589606s

ntpctl reports:

4/4 peers valid, constraint offset -85442s, clock unsynced, clock offset is 
-85378257.156ms

Any ideas what could be wrong here? I use the default ntp.conf file delivered 
with OpenBSD 6.2.

Just in case, I pasted the dmesg output below.

Regards,
Mabi


Atheros AR9300

2017-11-15 Thread mabi
Hi,

I just got myself a new firewall device (Lanner FW-7526) to replace my dying 
Soekris box. That new firewall shipped with an Atheros AR9300 wireless chip and 
I just realized from the dmesg output and the athn man page (OpenBSD 6.2) that 
this chip must not be supported (yet).

The dmesg output is the following:

"Atheros AR9300" rev 0x01 at pci4 dev 0 function 0 not configured

Is my conclusion here correct? Or am I just missing a non-free firmware (though 
I ran the fw_update command already)?

Best regards,
Mabi

acpidump at bootup blocking for 5 minutes

2017-10-23 Thread mabi
Hi,

I have a Nexcom 1150 
(http://www.nexcom.co.uk/Products/network-and-communication-solutions/intel-based-appliance/entry-level-appliance/network-communication-nsa-1150)
 which I use as firewall and noticed that it takes up to 7 minutes to boot up. 
By commenting out some parts of the /etc/rc boot file I could find out that 
the acpidump takes 5 minutes to run. So I just commented the following lines 
out to boot up faster:

if [[ -x /usr/sbin/acpidump ]]; then
 acpidump -o /var/db/acpi/
fi

Regards,
Mabi

Re: relayd TLS load balancer for multiple websites

2017-09-28 Thread mabi
Thanks for the pointer regarding SNI not being supported in relayd. I will go 
on and find another solution, probably HAproxy.

>  Original Message 
> Subject: Re: relayd TLS load balancer for multiple websites
> Local Time: September 28, 2017 3:02 PM
> UTC Time: September 28, 2017 1:02 PM
> From: mcmer-open...@tor.at
> To: mabi <m...@protonmail.ch>
> openbsd-misc <misc@openbsd.org>
>
> m...@protonmail.ch (mabi), 2017.09.28 (Thu) 13:32 (CEST):
>> I was wondering if it is possible to use relayd as load balancer with
>> TLS termination for multiple different websites residing on different
>> server.
>
> With a public IP per website: yes. Else: no.
>
> reyk@, 2014-07-24, "no SNI yet"
> https://marc.info/?l=openbsd-misc=140621533620964
>
> recent thread:
> https://marc.info/?l=openbsd-misc=150599591326006
>
> Marcus
>
> btw, protonmail's "text/plain, base64, utf-8" reportedly keeps people
> from seeing these messages.

Re: relayd TLS load balancer for multiple websites

2017-09-28 Thread mabi
Thanks Bryan for your example.

I saw in your example you only use the example.com domain. I would be using 
multiple domains such as example1.com, example2.com, exampleX.com, and so on. 
Would it also work in that case? Again I suppose here that I need to have all 
these different domains in one single SSL certificate file, right?

On the relayd.conf man page I read that the second "forward to" config 
parameter in a "relay" entity is used as backup in case the first "forward to" 
table is down. So one could think in your config that your second "forward to 
" would be used as your backup table.

Finally what is the purpose of setting the Connection HTTP header to close as 
you have here below?

match request header set "Connection" value "close"

>  Original Message 
> Subject: Re: relayd TLS load balancer for multiple websites
> Local Time: September 28, 2017 2:21 PM
> UTC Time: September 28, 2017 12:21 PM
> From: bryanlhar...@gmail.com
> To: mabi <m...@protonmail.ch>
> openbsd-misc <misc@openbsd.org>
>
> Here is what I did, which I learned from the httpd & relayd book by Michael W 
> Lucas (I recommend).  I cannot remember why I set the top header options, I 
> must have been trying to learn about them.  The host ones are to figure out 
> the site and send the connection to the table above.
>
> ext_addr="..."
> int_addr="127.0.0.1"
> vm1_addr="192.0.2.11"
> vm2_addr="192.0.2.12"
> vm3_addr="192.0.2.13"
> vm4_addr="192.0.2.14"
>
> table  { $int_addr }
> table  {
>   $vm1_addr
>   $vm2_addr
>   $vm3_addr
>   $vm4_addr
> }
>
> # Relay and protocol for HTTP layer 7 loadbalancing and SSL/TLS acceleration
> http protocol https {
>   # playing with these options
>   match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
>   match request header append "X-Forwarded-By" value 
> "$SERVER_ADDR:$SERVER_PORT"
>   match request header set "Keep-Alive" value "$TIMEOUT"
>   match request header set "Connection" value "close"
>
>   match request header "Host" value "website.example.com" forward to 
>   match request header "Host" value "example.com" forward to 
>   match request header "Host" value "www.example.com" forward to 
>
> }
>
> relay wwwtls {
>   # Run as a SSL/TLS accelerator
>   listen on $ext_addr port 443 tls
>   protocol https
>
>   forward to  port 80 check tcp
>   forward to  port 80 mode loadbalance check tcp
> }
>
> V/r,
> Bryan
>
> On Thu, Sep 28, 2017 at 7:32 AM, mabi <m...@protonmail.ch> wrote:
>
>> Hi,
>>
>> I was wondering if it is possible to use relayd as load balancer with TLS 
>> termination for multiple different websites residing on different servers.
>>
>> From reading the man page I understand that for this purpose I will need to 
>> use one "relay" entity per website which will then have its own "http 
>> protocol" entity. If this is correct, this means I will require one public 
>> IP address per website which seems to me a bit a waste hence my asking.
>>
>> The alternative would be to have one "relay" entity but this means I can 
>> only have one "http protocol" entity assigned to it from my understanding. 
>> This also means that I would have to use one single SSL certificate 
>> file which includes every CN for each of my website. My feeling tells me 
>> that this does not sound good practice. Then how would relayd know that 
>> website www.website1.com has to be forwarded to the hosts in  and 
>> that website www.website2.com has to be forwarded to the hosts in ? 
>> Would you in the "http protocol" entity filter using the HTTP "Host" header 
>> (such as SNI)?
>>
>> Sorry for all these questions but I am trying to find out the best way/good 
>> practice to setup a relayd TLS load balancer for different 
>> websites/webapps/domains and can't find much documentation about this 
>> specific case.
>>
>> Note here that I will be using the acme-client for all of the domains.
>>
>> Thanks for your input.
>>
>> Best,
>> Mabi

relayd TLS load balancer for multiple websites

2017-09-28 Thread mabi
Hi,

I was wondering if it is possible to use relayd as load balancer with TLS 
termination for multiple different websites residing on different servers.

From reading the man page I understand that for this purpose I will need to use 
one "relay" entity per website which will then have its own "http protocol" 
entity. If this is correct, this means I will require one public IP address per 
website which seems to me a bit a waste hence my asking.

The alternative would be to have one "relay" entity but this means I can only 
have one "http protocol" entity assigned to it from my understanding. This also 
means that I would have to use one single SSL certificate file which 
includes every CN for each of my website. My feeling tells me that this does 
not sound good practice. Then how would relayd know that website 
www.website1.com has to be forwarded to the hosts in  and that website 
www.website2.com has to be forwarded to the hosts in ? Would you in the 
"http protocol" entity filter using the HTTP "Host" header (such as SNI)?

Sorry for all these questions but I am trying to find out the best way/good 
practice to setup a relayd TLS load balancer for different 
websites/webapps/domains and can't find much documentation about this specific 
case.

Note here that I will be using the acme-client for all of the domains.

Thanks for your input.

Best,
Mabi

Re: Fail2Ban filter for OpenSMTPD

2017-08-23 Thread mabi
My bad, I had maxretry set to 5 and lowered it for testing. Your filter works 
perfectly, thumbs up for this contribution!!

>  Original Message 
> Subject: Re: Fail2Ban filter for OpenSMTPD
> Local Time: August 23, 2017 5:31 PM
> UTC Time: August 23, 2017 3:31 PM
> From: m...@protonmail.ch
> To: Nicolas <nico...@shivaserv.fr>
> misc@openbsd.org <misc@openbsd.org>
>
> Hi Nicolas,
>
> Thank you very much for your OpenSMTPD Fail2Ban filter. I just tried it out 
> and it actually detects the IP address out of the log file as you can see 
> here:
>
> 2017-08-23 17:30:13,089 fail2ban.filter [298]: INFO[opensmtpd] 
> Found 1XX.2XX.5X.1XX
>
> but somehow does not manage to add this IP address to be blocked by iptables. 
> Maybe my jail.conf entry for that filter is wrong, I currently added the 
> following entry:
>
> [opensmtpd]
> enabled = yes
> port = smtp
> logpath = /var/log/mail.log
>
> Any ideas? I am running Debian 9 as OS.
>
> Regards,
> Mabi
>
>>  Original Message 
>> Subject: Re: Fail2Ban filter for OpenSMTPD
>> Local Time: August 23, 2017 4:33 PM
>> UTC Time: August 23, 2017 2:33 PM
>> From: nico...@shivaserv.fr
>> To: misc@openbsd.org
>>
>> Hi
>>
>> I know some people were searching for fail2ban filters for opensmtpd.
>>
>> I had the same need, and I've created my own simple filter, I share it here 
>> if it can help.
>>
>> # Fail2Ban filter for opensmtpd
>> # Author: Nicolas Repentin
>> #
>>
>> [INCLUDES]
>>
>> # Read common prefixes. If any customizations available -- read them from
>> # common.local
>> before = common.conf
>>
>> [Definition]
>>
>> failregex = ^.*smtp event=connected address=.*\n.*smtp event=failed-command command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported
>>
>> ignoreregex =
>>
>> [Init]
>> maxlines = 2
>>
>> It only works actually for this example:
>>
>> #Aug 23 10:48:54 myserver smtpd[17412]: abc813f0c6789766 smtp event=connected address=177.135.X.X host=hidden.host.com
>> #Aug 23 10:48:55 myserver smtpd[17412]: abc813f0c6789766 smtp event=failed-command command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported"
>>
>> Nicolas

Re: Fail2Ban filter for OpenSMTPD

2017-08-23 Thread mabi
Hi Nicolas,

Thank you very much for your OpenSMTPD Fail2Ban filter. I just tried it out and 
it actually detects the IP address out of the log file as you can see here:

2017-08-23 17:30:13,089 fail2ban.filter [298]: INFO[opensmtpd] 
Found 1XX.2XX.5X.1XX

but somehow does not manage to add this IP address to be blocked by iptables. 
Maybe my jail.conf entry for that filter is wrong, I currently added the 
following entry:

[opensmtpd]
enabled = yes
port = smtp
logpath = /var/log/mail.log

Any ideas? I am running Debian 9 as OS.

Regards,
Mabi

>  Original Message 
> Subject: Re: Fail2Ban filter for OpenSMTPD
> Local Time: August 23, 2017 4:33 PM
> UTC Time: August 23, 2017 2:33 PM
> From: nico...@shivaserv.fr
> To: misc@openbsd.org
>
> Hi
>
> I know some people were searching for fail2ban filters for opensmtpd.
>
> I had the same need, and I've created my own simple filter, I share it here 
> if it can help.
>
> # Fail2Ban filter for opensmtpd
> # Author: Nicolas Repentin
> #
>
> [INCLUDES]
>
> # Read common prefixes. If any customizations available -- read them from
> # common.local
> before = common.conf
>
> [Definition]
>
> # the <HOST> tag marks the address fail2ban extracts from the match and bans
> failregex = ^.*smtp event=connected address=<HOST>.*\n.*smtp event=failed-command command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported
>
> ignoreregex =
>
> [Init]
> maxlines = 2
>
> It actually only works for this example:
>
> #Aug 23 10:48:54 myserver smtpd[17412]: abc813f0c6789766 smtp event=connected address=177.135.X.X host=hidden.host.com
> #Aug 23 10:48:55 myserver smtpd[17412]: abc813f0c6789766 smtp event=failed-command command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported"
>
> Nicolas
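
As an added illustration of how a two-line filter like the one above is
evaluated (my own example code, not Nicolas's filter and not fail2ban itself),
the Python below keeps a maxlines-deep buffer of smtpd log lines, applies the
"connected, then failed AUTH LOGIN" pattern to it and returns the address that
the <HOST> group captured. The <HOST> stand-in and the syslog prefix pattern are
simplifications of what fail2ban generates, the log lines are constructed with
documentation addresses, and the session-id back-reference (tie_session) is an
extra check the posted filter does not have: without it, a failed AUTH from one
session can be attributed to whoever connected last.

```python
import re
from typing import List

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: fail2ban's
# own pattern is broader and also covers hostnames).
HOST = r"(?P<host>[0-9A-Fa-f:.]+)"

# The syslog prefix that common.conf's __prefix_line strips, e.g.
# "Aug 23 10:48:54 myserver smtpd[17412]: "
PREFIX = r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ smtpd\[\d+\]: "


def build_failregex(tie_session: bool) -> re.Pattern:
    """'connected' line followed by a failed AUTH LOGIN on the next line.
    With tie_session=True both lines must carry the same smtpd session id
    (hex), so a failure from another session is not charged to the address
    of the most recent connect line."""
    if tie_session:
        sid1, sid2 = r"(?P<sid>[0-9a-f]+)", r"(?P=sid)"
    else:
        sid1, sid2 = r"\S+", r"\S+"
    return re.compile(
        PREFIX + sid1 + r" smtp event=connected address=" + HOST + r".*\n"
        + PREFIX + sid2 + r' smtp event=failed-command command="AUTH LOGIN" '
        r'result="503 5\.5\.1 Invalid command: Command not supported',
        re.MULTILINE,
    )


def find_failures(lines: List[str], tie_session: bool = True,
                  maxlines: int = 2) -> List[str]:
    """Keep the last `maxlines` lines in a buffer (fail2ban's maxlines
    semantics), search the joined buffer after every line and return the host
    of each match; a matched buffer is flushed so one pair is counted once."""
    pattern = build_failregex(tie_session)
    hosts, buf = [], []
    for line in lines:
        buf = (buf + [line.rstrip("\n")])[-maxlines:]
        m = pattern.search("\n".join(buf))
        if m:
            hosts.append(m.group("host"))
            buf = []
    return hosts


# Constructed sample log (RFC 5737 addresses, made-up session ids): session
# ...66 connects and then fails AUTH; session ...67 connects, but the next
# failure belongs to session ...68, whose connect line is not in the buffer.
SAMPLE_LOG = [
    'Aug 23 10:48:54 myserver smtpd[17412]: abc813f0c6789766 smtp event=connected address=192.0.2.10 host=hidden.host.com',
    'Aug 23 10:48:55 myserver smtpd[17412]: abc813f0c6789766 smtp event=failed-command command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported"',
    'Aug 23 10:49:01 myserver smtpd[17412]: abc813f0c6789767 smtp event=connected address=198.51.100.7 host=mail.example.net',
    'Aug 23 10:49:02 myserver smtpd[17412]: abc813f0c6789768 smtp event=failed-command command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported"',
]

if __name__ == "__main__":
    print("tied to session:", find_failures(SAMPLE_LOG))
    print("untied         :", find_failures(SAMPLE_LOG, tie_session=False))
```

With the session check the second pair is rejected and only 192.0.2.10 is
reported; without it both addresses come back, which is the behaviour of the
posted regex. In a real filter the same effect is obtained by putting a
back-reference in failregex; fail2ban still needs the <HOST> group to know which
address to hand to the ban action.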

Re: Dynamic IPv6

2017-07-08 Thread mabi
Hi Thomas,

Not using Cox here but in a similar setup here I use the dhcpcd package just 
for getting IPv6 from the ISP with SLAAC and prefix delegation. You will need 
to configure your /etc/dhcpcd.conf file to something looking like that:

noipv6rs
ipv6only
slaac private
nohook resolv.conf

interface em0
ipv6rs
iaid 1
ia_pd 2 em1/1

In that example em0 would be the WAN interface and em1 the LAN interface.

Good luck,
M.

>  Original Message 
> Subject: Dynamic IPv6
> Local Time: July 8, 2017 4:42 AM
> UTC Time: July 8, 2017 2:42 AM
> From: inq...@protonmail.com
> To: misc@openbsd.org 
> My ISP (Cox) supports IPv6 and I have this working on a MikroTik router--it 
> pulls an address and prefix, creates a default route, creates an address pool 
> for internal client, etc.
> I"ve been working to configure a similar setup in OpenBSD 6.1 and I"ve been 
> unable to even get the outside interface to pull an IPv6 address from Cox.
> I"ve been searching for some time today to find information on how to 
> configure this but there are many different "how tos" and not one of them has 
> worked for me.
> Can anyone point me to some definitive documentation for configuring this in 
> OpenBSD? Or advise as to how to set this up?
> Seems like it should be a pretty basic thing, but I just can"t seem to get it 
> right.
> I didn"t post any sample configs as I"ve tried many (many) different ways to 
> do this today and have removed all of those changes at this point.

DHCP server for IPv6

2017-06-18 Thread mabi
Hello,

Does anyone have any recommendations on which package to use on OpenBSD 6.1 for 
a DHCP server for IPv6? AFAIK the default dhcpd does not do IPv6.

Regards,
M.

Re: /etc/mygate equivalent for IPv6?

2017-06-06 Thread mabi
Fantastic, that was an easy one. Somehow I missed that from the OpenBSD FAQ, 
must have skimmed it too fast...

So I guess here that I can have my IPv4 default gw and IPv6 default gw both on 
two different lines in the /etc/mygate file.

 Original Message 
Subject: Re: /etc/mygate equivalent for IPv6?
Local Time: June 6, 2017 9:50 PM
UTC Time: June 6, 2017 7:50 PM
From: knight@gmail.com
To: Janne Johansson <icepic...@gmail.com>
mabi <m...@protonmail.ch>, openbsd-misc <misc@openbsd.org>

for example:

fe80::1%carp0

:)

2017-06-06 16:48 GMT-03:00 Janne Johansson <icepic...@gmail.com>:
Just add the ipv6 gw ip to /etc/mygate.

2017-06-06 21:45 GMT+02:00 mabi <m...@protonmail.ch>:

> Hi,
>
> What is the "standard" approach for adding an IPv6 default gateway to an
> OpenBSD 6.1 machine analog to the /etc/mygate file for an IPv4 default
> route?
>
> There is no /etc/mygate6 file and as such for now I manually run:
>
> route -n add -inet6 default 
>
> Regards,
> Mabi

--
May the most significant bit of your life be positive.

Re: SNMP OID for free memory

2017-06-06 Thread mabi
Thanks Stuart for your input. In the past I used the snmp daemon which comes 
with OpenBSD but I vaguely remember that some OID for my cacti graphs was 
missing so I switched to Net-SNMP which had this information. Can't remember 
though which OID that was and that was already a few years ago.

As you suggest I will give snmpd a shot again and see how it goes.

Regarding the script I was mentioning
(https://github.com/alexander-naumov/nagios-plugins/blob/master/check_snmp_openbsd.py)
have a look at line 51, there is the OID there for the free memory but in my 
setup it simply does not exist so I wonder where he got that OID from...

Regards,
M.

 Original Message 
Subject: Re: SNMP OID for free memory
Local Time: June 5, 2017 9:46 AM
UTC Time: June 5, 2017 7:46 AM
From: s...@spacehopper.org
To: misc@openbsd.org

On 2017-06-04, mabi <m...@protonmail.ch> wrote:
> Hi,
>
> I am using OpenBSD 6.1 with the Net-SNMP port in order to monitor the system 
> resources. I don't seem to find any OID for the free memory and was wondering 
> if this information is simply not made available in SNMP. Doing an snmpwalk 
> on the HOST-RESOURCES MIB for memory shows the following available OIDs 
> related to memory:

Don't use net-snmp's snmpd on OpenBSD without a very good reason,
use snmpd from the base OS.

> HOST-RESOURCES-MIB::hrStorageDescr.1 = STRING: Physical memory
> HOST-RESOURCES-MIB::hrStorageDescr.2 = STRING: Real memory
> HOST-RESOURCES-MIB::hrStorageDescr.3 = STRING: Virtual memory
> HOST-RESOURCES-MIB::hrStorageDescr.8 = STRING: Shared virtual memory
> HOST-RESOURCES-MIB::hrStorageDescr.9 = STRING: Shared real memory
> HOST-RESOURCES-MIB::hrStorageDescr.10 = STRING: Swap space
> HOST-RESOURCES-MIB::hrStorageDescr.31 = STRING: /
>
> Any idea where the free memory info would be hiding?

Whichever of the hrStorageUsed oids that relates to the memory you're
interested in, e.g. given the list above it would be hrStorageUsed.1 for
physical memory. Multiply it by the same-numbered hrStorageSize.

Here's an example from the base OS's snmpd, using snmptable to pull in
the relevant oids for the whole table and format the display.

$ snmptable -v2c -c public 127.0.0.1 hrStorageTable
SNMP table: HOST-RESOURCES-MIB::hrStorageTable

hrStorageIndex hrStorageType hrStorageDescr hrStorageAllocationUnits hrStorageSize hrStorageUsed hrStorageAllocationFailures
1 HOST-RESOURCES-MIB::hrStorageTypes.2 Physical memory 4096 Bytes 2069645 1468114 0
2 HOST-RESOURCES-MIB::hrStorageTypes.2 Real memory 4096 Bytes 2082986 1481455 0
10 HOST-RESOURCES-MIB::hrStorageTypes.3 Swap space 4096 Bytes 1572863 0 0
31 HOST-RESOURCES-MIB::hrStorageTypes.4 / 4096 Bytes 520119 37923 0
32 HOST-RESOURCES-MIB::hrStorageTypes.4 /data 4096 Bytes 8254103 2292580 0
33 HOST-RESOURCES-MIB::hrStorageTypes.4 /home 4096 Bytes 31930799 10749150 0
34 HOST-RESOURCES-MIB::hrStorageTypes.4 /usr 4096 Bytes 1546599 132582 0
35 HOST-RESOURCES-MIB::hrStorageTypes.4 /usr/X11R6 4096 Bytes 1028871 48383 0
36 HOST-RESOURCES-MIB::hrStorageTypes.4 /usr/local 4096 Bytes 8254103 4240627 0
37 HOST-RESOURCES-MIB::hrStorageTypes.4 /usr/src 4096 Bytes 1028871 271331 0
38 HOST-RESOURCES-MIB::hrStorageTypes.4 /usr/ports 4096 Bytes 2061047 523465 0
39 HOST-RESOURCES-MIB::hrStorageTypes.4 /usr/obj 4096 Bytes 12382807 1816114 0
40 HOST-RESOURCES-MIB::hrStorageTypes.4 /usr/xenocara 4096 Bytes 516007 179230 0
41 HOST-RESOURCES-MIB::hrStorageTypes.4 /var 4096 Bytes 8254103 879286 0
42 HOST-RESOURCES-MIB::hrStorageTypes.4 /distsrc 4096 Bytes 38701655 28351200 0
43 HOST-RESOURCES-MIB::hrStorageTypes.4 /var/www 4096 Bytes 4125399 660222 0
44 HOST-RESOURCES-MIB::hrStorageTypes.4 /var/www/htdocs/pub 512 Bytes 2097669360 3955189904 0
45 HOST-RESOURCES-MIB::hrStorageTypes.4 /y/Multimedia 512 Bytes 2097669360 3955189904 0
46 HOST-RESOURCES-MIB::hrStorageTypes.4 /y/Download 512 Bytes 2097669360 3955189904 0
47 HOST-RESOURCES-MIB::hrStorageTypes.4 /y/homes 512 Bytes 2097669360 3955189904 0

> I found a script called check_snmp_openbsd.py 
> (https://github.com/alexander-naumov/nagios-plugins/blob/master/check_snmp_openbsd.py)
>  where the OID .1.3.6.1.4.1.11.2.3.1.1.7.0 is used for getting the free 
> memory but when I do an snmpget on my OpenBSD box this OID is not available.

I might have missed something but I don't see it actually using that
mem_free definition.
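
To turn the hrStorageTable rows above into the numbers a monitoring check wants
(free bytes, percent used), here is an added example in Python; it is my own
code, not the check_snmp_openbsd.py script and not anything from snmpd or
Net-SNMP. It parses snmptable-style text constructed from a few of the rows in
the reply, multiplies hrStorageSize and hrStorageUsed by
hrStorageAllocationUnits, and refuses to alert on rows where used exceeds size,
as in the /var/www/htdocs/pub row of the posted output: hrStorageSize and
hrStorageUsed are 32-bit objects and wrap on large filesystems. The class and
function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List

# One snmptable row: index, type OID, description (may contain spaces),
# "<n> Bytes" allocation unit, size, used, allocation failures.
ROW_RE = re.compile(
    r"^(?P<index>\d+)\s+(?P<type>\S+)\s+(?P<descr>.+?)\s+"
    r"(?P<unit>\d+) Bytes\s+(?P<size>\d+)\s+(?P<used>\d+)\s+(?P<fail>\d+)$"
)

# Constructed sample: header plus a subset of the rows from the reply above.
SAMPLE_TABLE = """\
SNMP table: HOST-RESOURCES-MIB::hrStorageTable

hrStorageIndex hrStorageType hrStorageDescr hrStorageAllocationUnits hrStorageSize hrStorageUsed hrStorageAllocationFailures
1 HOST-RESOURCES-MIB::hrStorageTypes.2 Physical memory 4096 Bytes 2069645 1468114 0
2 HOST-RESOURCES-MIB::hrStorageTypes.2 Real memory 4096 Bytes 2082986 1481455 0
10 HOST-RESOURCES-MIB::hrStorageTypes.3 Swap space 4096 Bytes 1572863 0 0
31 HOST-RESOURCES-MIB::hrStorageTypes.4 / 4096 Bytes 520119 37923 0
44 HOST-RESOURCES-MIB::hrStorageTypes.4 /var/www/htdocs/pub 512 Bytes 2097669360 3955189904 0
"""


@dataclass
class Storage:
    index: int
    descr: str
    unit: int   # hrStorageAllocationUnits: bytes per block
    size: int   # hrStorageSize, counted in units
    used: int   # hrStorageUsed, counted in units

    @property
    def total_bytes(self) -> int:
        return self.size * self.unit

    @property
    def used_bytes(self) -> int:
        return self.used * self.unit

    @property
    def free_bytes(self) -> int:
        return self.total_bytes - self.used_bytes

    @property
    def used_pct(self) -> float:
        return 100.0 * self.used / self.size if self.size else 0.0

    @property
    def consistent(self) -> bool:
        # hrStorageSize/hrStorageUsed are 32-bit; on large filesystems they
        # wrap and 'used' above 'size' is the visible symptom. Do not alert
        # on such rows, the numbers are meaningless.
        return 0 <= self.used <= self.size


def parse_hr_storage_table(text: str) -> List[Storage]:
    """Parse snmptable output; header and blank lines do not match ROW_RE."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            entries.append(Storage(int(m["index"]), m["descr"], int(m["unit"]),
                                   int(m["size"]), int(m["used"])))
    return entries


def free_memory_bytes(entries: List[Storage],
                      descr: str = "Physical memory") -> int:
    """Free bytes of the entry whose hrStorageDescr matches (index 1 above)."""
    for e in entries:
        if e.descr == descr:
            if not e.consistent:
                raise ValueError(f"{descr}: hrStorageUsed exceeds hrStorageSize")
            return e.free_bytes
    raise KeyError(descr)


def inconsistent_entries(entries: List[Storage]) -> List[str]:
    """Descriptions of rows a check script should treat as UNKNOWN."""
    return [e.descr for e in entries if not e.consistent]


def nagios_state(entries: List[Storage], descr: str,
                 warn: float = 80.0, crit: float = 90.0) -> int:
    """Nagios return code for one entry: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN."""
    for e in entries:
        if e.descr == descr:
            if not e.consistent:
                return 3
            return 2 if e.used_pct >= crit else 1 if e.used_pct >= warn else 0
    return 3


if __name__ == "__main__":
    table = parse_hr_storage_table(SAMPLE_TABLE)
    for e in table:
        print(f"{e.descr:20} free={e.free_bytes:>14} "
              f"used={e.used_pct:5.1f}% consistent={e.consistent}")
    print("free physical memory (bytes):", free_memory_bytes(table))
```

For the Physical memory row this gives (2069645 - 1468114) * 4096 =
2463870976 free bytes, while the /var/www/htdocs/pub row is reported as
UNKNOWN rather than as a filesystem at several hundred percent.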

/etc/mygate equivalent for IPv6?

2017-06-06 Thread mabi
Hi,

What is the "standard" approach for adding an IPv6 default gateway to an 
OpenBSD 6.1 machine analog to the /etc/mygate file for an IPv4 default route?

There is no /etc/mygate6 file and as such for now I manually run:

route -n add -inet6 default 

Regards,
Mabi

SNMP OID for free memory

2017-06-04 Thread mabi
Hi,

I am using OpenBSD 6.1 with the Net-SNMP port in order to monitor the system 
resources. I don't seem to find any OID for the free memory and was wondering 
if this information is simply not made available in SNMP. Doing an snmpwalk on 
the HOST-RESOURCES MIB for memory shows the following available OIDs related to 
memory:

HOST-RESOURCES-MIB::hrStorageDescr.1 = STRING: Physical memory
HOST-RESOURCES-MIB::hrStorageDescr.2 = STRING: Real memory
HOST-RESOURCES-MIB::hrStorageDescr.3 = STRING: Virtual memory
HOST-RESOURCES-MIB::hrStorageDescr.8 = STRING: Shared virtual memory
HOST-RESOURCES-MIB::hrStorageDescr.9 = STRING: Shared real memory
HOST-RESOURCES-MIB::hrStorageDescr.10 = STRING: Swap space
HOST-RESOURCES-MIB::hrStorageDescr.31 = STRING: /

Any idea where the free memory info would be hiding?

I found a script called check_snmp_openbsd.py 
(https://github.com/alexander-naumov/nagios-plugins/blob/master/check_snmp_openbsd.py)
 where the OID .1.3.6.1.4.1.11.2.3.1.1.7.0 is used for getting the free memory 
but when I do an snmpget on my OpenBSD box this OID is not available.

Regards,
Mabi


Re: isakmpd listen address

2017-05-25 Thread mabi
Thanks so much I was looking at the wrong place and was expecting it to be a 
parameter...

 Original Message 
Subject: Re: isakmpd listen address
Local Time: May 25, 2017 9:06 PM
UTC Time: May 25, 2017 7:06 PM
From: hrv...@srce.hr
To: misc@openbsd.org

On 25.5.2017. 20:46, mabi wrote:
> Hello,
> I can't seem to find an option in isakmpd in order to have it listen only on 
> one interface or IP address respectively. Is there an option for that I am 
> not aware of? I just saw the -p option but that's for the port number.
> Thanks,
> M.
>

Hi,

create isakmpd.conf file

# ls -apl /etc/isakmpd/isakmpd.conf
-rw--- 1 root wheel 31 Oct 29 2015 /etc/isakmpd/isakmpd.conf

and edit like this:

# cat /etc/isakmpd/isakmpd.conf
[general]
Listen-on =em0

man isakmpd.conf

isakmpd listen address

2017-05-25 Thread mabi
Hello,
I can't seem to find an option in isakmpd in order to have it listen only on 
one interface or IP address respectively. Is there an option for that I am not 
aware of? I just saw the -p option but that's for the port number.
Thanks,
M.

Re: OpenBSD as a non-routing access point

2017-04-08 Thread mabi
Earlier this week on this mailing list someone recommended the following 
product:

https://www.olimex.com/Products/USB-Modules/USB-CAP/

I thought I will give it a try and ordered it...

 Original Message 
Subject: Re: OpenBSD as a non-routing access point
Local Time: April 8, 2017 4:43 PM
UTC Time: April 8, 2017 2:43 PM
From: open...@sirjorj.com
To: Stefan Sperling 
openbsd-misc 

> On Apr 8, 2017, at 3:38 AM, Stefan Sperling  wrote:
>
> On Fri, Apr 07, 2017 at 05:06:22PM -0500, Jordon wrote:
>> My new wifi adapter finally arrived today (AR9271) so I want to give hostap a
>> try with its new 802.11n support.
>
>> Am I on the right track?
>
> No. AR9271 is a USB device, and unfortunately there are bugs in the
> driver that prevent hostap from working properly with USB devices.
>
> At least in my testing, the device sends no beacons. I have not yet
> found a way to fix it and am not currently investing more time into it.
> Perhaps it will get fixed some day.
>

Dang. Although, IIRC, beacons are what announce the presence of the access
point. I definitely saw it on the client machine, so I think that part was
working. But, yeah, anything beyond that is unsupported so I guess I’ll
have to get a PCIe one.

Thanks!
Jordon



Re: Topics for revised PF and networking tutorial

2017-04-07 Thread mabi
Dear Peter,

May I suggest the following topic of interest:

PF with VLAN interfaces (with LACP trunk interface behind) and CARP of course.

Regards,
M.

 Original Message 
Subject: Topics for revised PF and networking tutorial
Local Time: April 1, 2017 10:52 AM
UTC Time: April 1, 2017 8:52 AM
From: pe...@bsdly.net
To: misc@openbsd.org

Hi,

I thought I'd like to give you a heads up that there will be a "PF and
networking" tutorial at BSDCan 2017 in Ottawa this June.

The session will however not be the Nth rerun of the old one, we're
starting from scratch this time, and we're looking for input on what to
include.

Do you have questions on PF and related matters, or are there specific
topics you would like to see covered?

We want to hear from you, either contact us directly at the reply-to
address or use the list.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: athn0: device timeout (AR9271 USB 2.0 Wifi-key as hostap)

2017-01-24 Thread mabi
Hi Stefan
Thanks for your input. It looks like the g2k16 modifications to the athn code 
from awolk@ did not make it into the 6.0 release. So there is still hope for 
6.1 ;-)
I suppose here that running a wifi host access point from a USB key is not a 
good idea. What a shame my firewall does not have any PCI or miniPCI 
interfaces...
Regards
M.

 Original Message 
Subject: Re: athn0: device timeout (AR9271 USB 2.0 Wifi-key as hostap)
Local Time: January 23, 2017 11:28 PM
UTC Time: January 23, 2017 10:28 PM
From: s...@stsp.name
To: mabi <m...@protonmail.ch>, misc@openbsd.org <misc@openbsd.org>

On Mon, Jan 23, 2017 at 11:19:31PM +0100, Stefan Sperling wrote:
> On Mon, Jan 23, 2017 at 04:27:32PM -0500, mabi wrote:
> > Hi,
> > I have an Atheros AR9271 Wifi USB 2.0 key on my OpenBSD 6.0 firewall in 
> > order to use as an access point. Unfortunately it happens nearly every day 
> > that the athn0 device times out, kernel log:
> >
> > athn0: device timeout
> >
> > and the only way to make the wireless work again is to reboot the firewall. 
> > I was told this would get better with 6.0 but I can't see any difference. 
> > Any ideas what's wrong? Below I post my hostname.athn0 and dmesg.
> >
> > Cheers,
> > Mabi
>
> These are known issues with athn on USB and hostap.
> I have already spent a lot of time digging into this and never got anywhere.
> Eventually I decided to document this in the man page which you apparently
> missed:
>
> [[[
> ATHN(4) Device Drivers Manual ATHN(4)
>
> NAME
> athn Atheros IEEE 802.11a/b/g/n wireless network device
> [...]
> BUGS
> Host AP mode does not work with USB devices.
> ]]]
>
> Sorry. Anybody, please let me know if you find a way to fix it.

I now recall that awolk@ was working on a patch for a similar problem.
See http://undeadly.org/cgi?action=article=20160906004915 and
https://marc.info/?l=openbsd-misc=144895556213390=2 which I had
already forgotten about ever having written.

Not sure what happened to the patch and if it is ready by now.
Also not sure if it will actually fix your problem or if Adam's problem
was caused by something else. Hard to tell without actually testing things.



athn0: device timeout (AR9271 USB 2.0 Wifi-key as hostap)

2017-01-23 Thread mabi
Hi,
I have an Atheros AR9271 Wifi USB 2.0 key on my OpenBSD 6.0 firewall in order 
to use as an access point. Unfortunately it happens nearly every day that the 
athn0 device times out, kernel log:

athn0: device timeout

and the only way to make the wireless work again is to reboot the firewall. I 
was told this would get better with 6.0 but I can't see any difference. Any 
ideas what's wrong? Below I post my hostname.athn0 and dmesg.

Cheers,
Mabi

hostname.athn0:
inet 172.16.20.1 255.255.255.0
mediaopt hostap
nwid MYWLAN
chan 11
wpakey removed

dmesg:
Jan 14 17:24:32 fw1 /bsd: OpenBSD 6.0 (GENERIC.MP) #2319: Tue Jul 26 13:00:43 
MDT 2016
Jan 14 17:24:32 fw1 /bsd: 
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
Jan 14 17:24:32 fw1 /bsd: real mem = 4264185856 (4066MB)
Jan 14 17:24:32 fw1 /bsd: avail mem = 4130476032 (3939MB)
Jan 14 17:24:32 fw1 /bsd: mpath0 at root
Jan 14 17:24:32 fw1 /bsd: scsibus0 at mpath0: 256 targets
Jan 14 17:24:32 fw1 /bsd: mainbus0 at root
Jan 14 17:24:32 fw1 /bsd: bios0 at mainbus0: SMBIOS rev. 2.8 @ 0x7f52c000 (52 
entries)
Jan 14 17:24:32 fw1 /bsd: bios0: vendor American Megatrends Inc. version 
"5.6.5" date 01/25/2016
Jan 14 17:24:32 fw1 /bsd: acpi0 at bios0: rev 2
Jan 14 17:24:32 fw1 /bsd: acpi0: sleep states S0 S5
Jan 14 17:24:32 fw1 /bsd: acpi0: tables DSDT FACP FPDT MCFG WDAT UEFI APIC BDAT 
HPET SSDT SPCR
Jan 14 17:24:32 fw1 /bsd: acpi0: wakeup devices PS2K(S0) PS2M(S0) PEX1(S0) 
PEX2(S0) PEX3(S0) PEX4(S0) EHC1(S0)
Jan 14 17:24:32 fw1 /bsd: acpitimer0 at acpi0: 3579545 Hz, 24 bits
Jan 14 17:24:32 fw1 /bsd: acpimcfg0 at acpi0 addr 0xe000, bus 0-255
Jan 14 17:24:32 fw1 /bsd: acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
Jan 14 17:24:32 fw1 /bsd: cpu0 at mainbus0: apid 0 (boot processor)
Jan 14 17:24:32 fw1 /bsd: cpu0: Intel(R) Atom(TM) CPU C2558 @ 2.40GHz, 2400.46 
MHz
Jan 14 17:24:32 fw1 /bsd: cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
Jan 14 17:24:32 fw1 /bsd: cpu0: 1MB 64b/line 16-way L2 cache
Jan 14 17:24:32 fw1 /bsd: cpu0: smt 0, core 0, package 0
Jan 14 17:24:32 fw1 /bsd: mtrr: Pentium Pro MTRR support, 8 var ranges, 88 
fixed ranges
Jan 14 17:24:32 fw1 /bsd: cpu0: apic clock running at 99MHz
Jan 14 17:24:32 fw1 /bsd: cpu0: mwait min=64, max=64, 
C-substates=0.2.0.0.0.0.3, IBE
Jan 14 17:24:32 fw1 /bsd: cpu1 at mainbus0: apid 2 (application processor)
Jan 14 17:24:32 fw1 /bsd: cpu1: Intel(R) Atom(TM) CPU C2558 @ 2.40GHz, 2399.99 
MHz
Jan 14 17:24:32 fw1 /bsd: cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
Jan 14 17:24:32 fw1 /bsd: cpu1: 1MB 64b/line 16-way L2 cache
Jan 14 17:24:32 fw1 /bsd: cpu1: smt 0, core 1, package 0
Jan 14 17:24:32 fw1 /bsd: cpu2 at mainbus0: apid 4 (application processor)
Jan 14 17:24:32 fw1 /bsd: cpu2: Intel(R) Atom(TM) CPU C2558 @ 2.40GHz, 2399.99 
MHz
Jan 14 17:24:32 fw1 /bsd: cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
Jan 14 17:24:32 fw1 /bsd: cpu2: 1MB 64b/line 16-way L2 cache
Jan 14 17:24:32 fw1 /bsd: cpu2: smt 0, core 2, package 0
Jan 14 17:24:32 fw1 /bsd: cpu3 at mainbus0: apid 6 (application processor)
Jan 14 17:24:32 fw1 /bsd: cpu3: Intel(R) Atom(TM) CPU C2558 @ 2.40GHz, 2399.99 
MHz
Jan 14 17:24:32 fw1 /bsd: cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
Jan 14 17:24:32 fw1 /bsd: cpu3: 1MB 64b/line 16-way L2 cache
Jan 14 17:24:32 fw1 /bsd: cpu3: smt 0, core 3, package 0
Jan 14 17:24:32 fw1 /bsd: ioapic0 at mainbus0: apid 2 pa 0xfec0, version 
20, 24 pins
Jan 14 17:24:32 fw1 /bsd: acpihpet0 at acpi0: 14318179 Hz
Jan 14 17:24:32 fw1 /bsd: acpiprt0 at acpi0: bus 0 (PCI0)
Jan 14 17:24:32 fw1 /bsd: acpiprt1 at acpi0: bus 1 (PEX1)
Jan 14 17:24:32 fw1 /bsd: acpiprt2 at acpi0: bus 2 (PEX2)
Jan 14 17:24:32 fw1 /bsd: acpiprt3 at acpi0: bus 3 (PEX3)
Jan 14 17:24:32 fw1 /bsd: acpiprt4 at acpi0: bus 4 (PEX4)
Jan 14 17:24:32 fw1 /bsd: acpicpu0 at acpi0: C1(@1 halt!)
Jan 14 17:24:32 fw1 /bsd: acpicpu1 at acpi0: C1(@1 halt!)
Jan 14 17:24:32 fw1 /bsd: acpicpu2 at acpi0: C1(@1 halt!)
Jan 14 17:24:32 fw1 /bsd: acpicpu3 at acpi0: C1(@1 halt!)
Ja

Re: Looking for Xen blkfront driver xbf(4) tests

2016-12-18 Thread mabi
Hi Mike,

Thanks for your explanations. So far I did not have any troubles with this 
specific domU with xbf enabled. I tried to run your shell script in order to 
find out the num-ring-pages property but somehow there must be a small issue 
with it as I get the following output (after having removed the "#" at the 
start of the first line with the for loop):

hostctl: ioctl: No such file or directory
sd0 32

Regards,
M.



 Original Message 
Subject: Re: Looking for Xen blkfront driver xbf(4) tests
Local Time: December 13, 2016 8:46 PM
UTC Time: December 13, 2016 7:46 PM
From: m...@belopuhov.com
To: mabi <m...@protonmail.ch>
misc@openbsd.org <misc@openbsd.org>

On Sun, Dec 11, 2016 at 05:09 -0500, mabi wrote:
> Hi,
>
> Thanks for your efforts and making OpenBSD work even better on
> Xen. I use Xen for all types of virtualization and started only
> recently using OpenBSD 6.0 as domU. My current test setup is a 2
> node redundant cluster with Xen 4.4.1 and Debian 8 with DRBD for
> sync-replication and ZFS (RAIDZ-1) as storage with 3 Seagate
> enterprise 7.2k SATA (ST5000NM0024) disks on each node.
>
> So far so good I managed to re-configure the current kernel and
> re-compiled it with xbf enabled and at reboot it immediately used
> the xbf driver and switched to using sd instead of wd. You will find
> the output of my dmesg below.
>
> For now the only thing I tried out is a quick "dd" as I was
> wondering how much more write throughput I could get on my guests
> disk using xbf. As you can see below I get around 81 MB/s and I
> remember before using xbf I would get around 25 MB/s. The read
> throughput didn't change much, if I remember correctly I had in both
> cases with and without xbf around 60 MB/s.
>
> $ dd if=/dev/zero of=file2.xbf bs=1M count=1000
> 1000+0 records in
> 1000+0 records out
> 1048576000 bytes transferred in 12.277 secs (85405965 bytes/sec)
>
> Now is there anything else you would like to know/test or benchmarks
> you would like me to run? Keep in mind I am no dev but I am happy to
> help if it can make things progress with running OpenBSD even better
> on Xen.
>
> Cheers,
> Mabi
>

Hi,

Thanks for taking your time to test and report. There's nothing
special to test, just using the disk in a normal way is enough.
After a few reports from Nathanael Rensen several bugs have been
fixed.

I've looked through a bunch of Xen disk subsystem documents and
noted that one of the ways to improve performance is to use
persistent grants. However it would be nice to establish a
baseline, i.e. what kind of performance do NetBSD, FreeBSD and
Linux guests get out of Blkfront in the VM with the same
configuration on the same host compared to OpenBSD.

It's worth noting that the MAXPHYS value limiting the size of an
individual I/O transfer is different on other systems.
Furthermore, currently the xbf(4) driver limits it further to 11
page segments (44k) since we don't support indirect requests
that potentially can get us an extra 20k (MAXPHYS is 64k on
OpenBSD) but would add an additional tax on grant table entries.

The other point of interest is the number of outstanding
requests configured by the driver. If not limited by the
host system, xbf(4) attempts to use 256 requests, but smaller
EC2 instances limit that to just 32 requests, which can result
in a large performance difference. To learn the amount of
configured outstanding requests a num-ring-pages property
must be queried:

# for xbf in $(hostctl device/vbd); do
    dev=$(dmesg | grep $xbf | cut -f 1 -d ' ')
    npages=$(hostctl device/vbd/$xbf/num-ring-pages)
    if [ $? -eq 0 ]; then
        echo $dev $((npages * 32))
    else
        echo $dev 32
    fi
done

Output would look like so:

sd0 256
sd1 256
cd0 256

Cheers,
Mike



Re: Looking for Xen blkfront driver xbf(4) tests

2016-12-11 Thread mabi
Hi,
Thanks for your efforts and making OpenBSD work even better on Xen. I use Xen 
for all types of virtualization and started only recently using OpenBSD 6.0 as 
domU. My current test setup is a 2 node redundant cluster with Xen 4.4.1 and 
Debian 8 with DRBD for sync-replication and ZFS (RAIDZ-1) as storage with 3 
Seagate enterprise 7.2k SATA (ST5000NM0024) disks on each node.

So far so good I managed to re-configure the current kernel and re-compiled it 
with xbf enabled and at reboot it immediately used the xbf driver and switched 
to using sd instead of wd. You will find the output of my dmesg below.

For now the only thing I tried out is a quick "dd" as I was wondering how much 
more write throughput I could get on my guests disk using xbf. As you can see 
below I get around 81 MB/s and I remember before using xbf I would get around 
25 MB/s. The read throughput didn't change much, if I remember correctly I had 
in both cases with and without xbf around 60 MB/s.

$ dd if=/dev/zero of=file2.xbf bs=1M count=1000
1000+0 records in
1000+0 records out
1048576000 bytes transferred in 12.277 secs (85405965 bytes/sec)

Now is there anything else you would like to know/test or benchmarks you would 
like me to run? Keep in mind I am no dev but I am happy to help if it can make 
things progress with running OpenBSD even better on Xen.

Cheers,
Mabi

OpenBSD 6.0-current (XBFTEST.MP) #0: Sat Dec 10 23:58:16 CET 2016
me@openbsds:/usr/src/sys/arch/amd64/compile/XBFTEST.MP
real mem = 1048571904 (999MB)
avail mem = 1012277248 (965MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xfc001000 (12 entries)
bios0: vendor Xen version "4.4.1" date 09/08/2016
bios0: Xen HVM domU
acpi0 at bios0: rev 2
acpi0: sleep states S3 S4 S5
acpi0: tables DSDT FACP APIC HPET WAET SSDT SSDT
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 11, 48 pins
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E5-2620 v3 @ 2.40GHz, 2400.34 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,XSAVE,AVX,F16C,RDRAND,HV,NXE,LONG,LAHF,ABM,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 100MHz
cpu1 at mainbus0: apid 2 (application processor)
cpu1: failed to become ready
cpu1: failed to identify
acpihpet0 at acpi0: 6250 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: C1(@1 halt!)
"PNP0F13" at acpi0 not configured
"PNP0303" at acpi0 not configured
"PNP0700" at acpi0 not configured
"PNP0501" at acpi0 not configured
"ACPI0007" at acpi0 not configured
"ACPI0007" at acpi0 not configured
pvbus0 at mainbus0: Xen 4.4
xen0 at pvbus0: features 0x705, 32 grant table frames, event channel 4
xbf0 at xen0 backend 0 chan 6: disk
scsibus1 at xbf0: 2 targets
sd0 at scsibus1 targ 0 lun 0: <Xen, phy hda 768, > SCSI3 0/direct fixed
sd0: 10240MB, 512 bytes/sector, 20971520 sectors
"vkbd" at xen0: device/vkbd/0 not configured
xnf0 at xen0: backend 0, event channel 7, address aa:00:00:20:01:0d
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel 0 
wired to compatibility, channel 1 wired to compatibility
pciide0: channel 0 disabled (no drives)
pciide0: channel 1 disabled (no drives)
uhci0 at pci0 dev 1 function 2 "Intel 82371SB USB" rev 0x01: apic 1 int 23
piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: SMBus disabled
xspd0 at pci0 dev 2 function 0 "XenSource Platform Device" rev 0x01
vga1 at pci0 dev 3 function 0 "Cirrus Logic CL-GD5446" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
isa0 at pcib0
isadma0 at isa0
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 1: density unknown
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
usb0 at uhci0: USB revision 1.0
uhub0 at usb0 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 
addr 1
vmm at mainbus0 not configured
uhidev0 at uhub0 port 1 configuration 1 interface 0 "QEMU QEMU USB Tablet" rev 
2.00/0.00 addr 2
uhidev0: iclass 3/0
ums0 at uhidev0: 3 buttons, Z dir
wsmouse1 at ums0 mux 

Re: An AR9280 as an Access Point

2016-10-12 Thread mabi
I am using an Atheros AR9281 in a Soekris box with OpenBSD 5.9 as access point 
and I am quite disappointed with it. Often I get disconnected from the access 
point and all I can see on the OpenBSD side is tons of timeout messages in the 
kernel log such as:

athn0: device timeout

I hope for you that the AR9280 chip does a better job.


 Original Message 
Subject: An AR9280 as an Access Point
Local Time: October 11, 2016 6:04 PM
UTC Time: October 11, 2016 4:04 PM
From: physk...@tutanota.com
To: misc@openbsd.org

Hello!

I'd asked a related question on the OpenBSD subreddit, and someone
pointed me here. Hope this is appropriate.
https://www.reddit.com/r/openbsd/comments/56lzhu/which_wifi_card_to_make_an_access_point

Does anyone know how good a WiFi Access Point I could make of the
Atheros AR9280 card (Compex-wle200nx) offered by the guys at PC Engines:
http://www.pcengines.ch/wle200nx.htm

Thanks a lot!



Re: opensmtpd-extras-[clamav|spamassassin] packages in 6.0

2016-10-12 Thread mabi
Thanks Joerg. I wasn't aware that amavis would play nicely with OpenSMTPD, as 
such problem solved. I will simply use amavisd-new.

 Original Message 
Subject: Re: opensmtpd-extras-[clamav|spamassassin] packages in 6.0
Local Time: October 11, 2016 11:27 PM
UTC Time: October 11, 2016 9:27 PM
From: m...@umaxx.net
To: mabi <m...@protonmail.ch>
misc@openbsd.org <misc@openbsd.org>

> Am 10.10.2016 um 17:59 schrieb mabi <m...@protonmail.ch>:
>
> Hi,
>
> Just noticed that the OpenBSD 6.0 release does not include the
> opensmtpd-extras-clamav nor the opensmtpd-extras-spamassassin packages. I
> would like to upgrade my 5.9 OpenBSD mail gateway to 6.0 and was wondering if
> I can use the old packages from 5.9 with 6.0?

No.

> Or what is the alternative to these two packages?

Various options. One could be to proxy mails through spampd and clamsmtp.
Amavisd might also be an option.

> Regards,
> Mabi



opensmtpd-extras-[clamav|spamassassin] packages in 6.0

2016-10-10 Thread mabi
Hi,

Just noticed that the OpenBSD 6.0 release does not include the 
opensmtpd-extras-clamav nor the opensmtpd-extras-spamassassin packages. I would 
like to upgrade my 5.9 OpenBSD mail gateway to 6.0 and was wondering if I can 
use the old packages from 5.9 with 6.0?

Or what is the alternative to these two packages?

Regards,
Mabi