Proposal for improvement of newsyslog.conf
Hi,

I've noticed that newsyslog sends SIGHUP to syslogd on /var/log/wtmp rotation. But syslogd does not deal with the wtmp log file, so there is no need for SIGHUP.

I propose to make slight changes to the default newsyslog.conf file:

13c13 < /var/log/wtmp 644 7 *$W6D4 B --- > /var/log/wtmp 644 7 *$W6D4 B ""

Is misc a proper mailing list, or shall I send this message to bugs?

-- 
Антон Касимов / Anton Kasimov
Re: ipcomp does not work with IPv6 traffic
Actually ICMP6 works fine over ipcomp, but not TCP traffic. tcpdump -i enc0 shows that a SYN packet arrives without ipcomp.

Please give advice on further diagnosing this problem.

Tue, 21 Jul 2020 at 14:05, Антон Касимов:
> Adding ipcomp to the earlier mentioned policy blocks IPv6 packets on the receiving side.
> tcpdump shows that the packet is received on the enc0 interface but not forwarded to the endpoint.
>
> Adding an ipv4 traffic selector allows sending IPv4 packets over ipcomp but not IPv6.
>
> ipcomp is enabled on both sides.
>
> $ sysctl net.inet.ipcomp.enable
> net.inet.ipcomp.enable=1
>
>
> -- 
> Антон Касимов / Anton Kasimov
ipcomp does not work with IPv6 traffic
Adding ipcomp to the earlier mentioned policy blocks IPv6 packets on the receiving side.
tcpdump shows that the packet is received on the enc0 interface but not forwarded to the endpoint.

Adding an ipv4 traffic selector allows sending IPv4 packets over ipcomp but not IPv6.

ipcomp is enabled on both sides.

$ sysctl net.inet.ipcomp.enable
net.inet.ipcomp.enable=1

Mon, 20 Jul 2020 at 12:03, Антон Касимов:
> I am using OpenBSD 6.7
> iked does not respect mixing ports in the source and the destination of traffic selectors.
>
> Such a policy in iked.conf
> ikev2 "epsilon" active \
> proto tcp \
> from ::::30 to :::10::2 port 8000 \
> from ::::30 port postgresql to ::::/48 \
> from ::::30 port postgresql to ::::/48 \
> peer d.d.d
>
> produces wrong flows (specifying only the destination port from the first selector):
>
> flow esp in proto tcp from ::::/48 port 8000 to ::::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> flow esp in proto tcp from ::::/48 *port 8000* to ::::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> flow esp in proto tcp from ::::2 *port 8000* to ::::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> flow esp out proto tcp from ::::30 to ::::/48 port 8000 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> flow esp out proto tcp from 2a04:5200:fff5::30 to fdd3:d128:dc2d::/48 *port 8000* peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> flow esp out proto tcp from 2a04:5200:fff5::30 to fdd3:d128:dc2d:10::2 *port 8000* peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
>
> -- 
> Антон Касимов / Anton Kasimov

-- 
Антон Касимов / Anton Kasimov
Re: iked wrongly processes traffic selectors
Hi Tobias, the patch works for me. Thanks.

Mon, 20 Jul 2020 at 23:51, Tobias Heider:
> On Mon, Jul 20, 2020 at 12:03:57PM +0300, Антон Касимов wrote:
> > I am using OpenBSD 6.7
> > iked does not respect mixing ports in the source and the destination of traffic selectors.
> >
> > Such a policy in iked.conf
> > ikev2 "epsilon" active \
> > proto tcp \
> > from ::::30 to :::10::2 port 8000 \
> > from ::::30 port postgresql to ::::/48 \
> > from ::::30 port postgresql to ::::/48 \
> > peer d.d.d
> >
> > produces wrong flows (specifying only the destination port from the first selector):
> >
> > flow esp in proto tcp from ::::/48 port 8000 to ::::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> > flow esp in proto tcp from ::::/48 *port 8000* to ::::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> > flow esp in proto tcp from ::::2 *port 8000* to ::::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> > flow esp out proto tcp from ::::30 to ::::/48 port 8000 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> > flow esp out proto tcp from 2a04:5200:fff5::30 to fdd3:d128:dc2d::/48 *port 8000* peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> > flow esp out proto tcp from 2a04:5200:fff5::30 to fdd3:d128:dc2d:10::2 *port 8000* peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> >
> > -- 
> > Антон Касимов / Anton Kasimov
>
> Hi Anton,
>
> thanks for the report.
> Below is a diff that should fix your problem.
>
> Index: parse.y > === > RCS file: /mount/openbsd/cvs/src/sbin/iked/parse.y,v > retrieving revision 1.102 > diff -u -p -r1.102 parse.y > --- parse.y 25 Jun 2020 13:05:58 - 1.102 > +++ parse.y 20 Jul 2020 20:06:53 - > @@ -344,6 +344,7 @@ struct ipsec_addr_wrap { > sa_family_t af; > unsigned int type; > unsigned int action; > + uint16_t port; > char*name; > struct ipsec_addr_wrap *next; > struct ipsec_addr_wrap *tail;
> @@ -353,8 +354,6 @@ struct ipsec_addr_wrap { > struct ipsec_hosts { > struct ipsec_addr_wrap *src; > struct ipsec_addr_wrap *dst; > - uint16_t sport; > - uint16_t dport; > }; > > struct ipsec_filters { > @@ -649,9 +648,9 @@ hosts : FROM host port TO host port > { > err(1, "hosts: calloc"); > > $$->src = $2; > - $$->sport = $3; > + $$->src->port = $3; > $$->dst = $5; > - $$->dport = $6; > + $$->dst->port = $6; > } > | TO host port FROM host port { > struct ipsec_addr_wrap *ipa; > @@ -667,9 +666,9 @@ hosts : FROM host port TO host port > { > err(1, "hosts: calloc"); > > $$->src = $5; > - $$->sport = $6; > + $$->src->port = $6; > $$->dst = $2; > - $$->dport = $3; > + $$->dst->port = $3; > } > ; > > @@ -2936,14 +2935,14 @@ create_ike(char *name, int af, uint8_t i > flow->flow_src.addr_af = ipa->af; > flow->flow_src.addr_mask = ipa->mask; > flow->flow_src.addr_net = ipa->netaddress; > - flow->flow_src.addr_port = hosts->sport; > + flow->flow_src.addr_port = ipa->port; > > memcpy(>flow_dst.addr, >address, > sizeof(ipb->address)); > flow->flow_dst.addr_af = ipb->af; > flow->flow_dst.addr_mask = ipb->mask; > flow->flow_dst.addr_net = ipb->netaddress; > - flow->flow_dst.addr_port = hosts->dport; > + flow->flow_dst.addr_port = ipb->port; > > ippn = ipa->srcnat; > if (ippn) { > -- Антон Касимов / Anton Kasimov
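Review bot: removing sport and dport from struct ipsec_hosts (hunk @@ -353,8 +354,6) means any remaining read of hosts->sport or hosts->dport elsewhere in iked would no longer compile; the diff updates only the two hosts productions and create_ike, so it is worth confirming that nothing else still reads those two fields before committing.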
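Review bot: in the FROM ... TO production (hunk @@ -649,9 +648,9), `$$->src->port = $3;` and `$$->dst->port = $6;` store the port only on the head node of the list returned by `host`; struct ipsec_addr_wrap carries `next` and `tail` (first hunk), so a host that expands to more than one address would leave port 0 on the remaining nodes, and create_ike would then emit flows without the configured port for them. Setting the port on every node avoids that, e.g. `for (ipa = $2; ipa != NULL; ipa = ipa->next) ipa->port = $3;` and the same for `$5`/`$6`.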
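Review bot: in the TO ... FROM production (hunk @@ -667,9 +666,9), `$$->src->port = $6;` and `$$->dst->port = $3;` set the port on the first node of each address list only, so any further nodes of a multi-address host keep port 0; this production already declares `struct ipsec_addr_wrap *ipa;`, so looping over the list, e.g. `for (ipa = $5; ipa != NULL; ipa = ipa->next) ipa->port = $6;`, keeps the port on every node that create_ike later turns into a flow.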
iked wrongly processes traffic selectors
I am using OpenBSD 6.7
iked does not respect mixing ports in the source and the destination of traffic selectors.

Such a policy in iked.conf
ikev2 "epsilon" active \
proto tcp \
from ::::30 to :::10::2 port 8000 \
from ::::30 port postgresql to ::::/48 \
from ::::30 port postgresql to ::::/48 \
peer d.d.d

produces wrong flows (specifying only the destination port from the first selector):

flow esp in proto tcp from ::::/48 port 8000 to ::::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
flow esp in proto tcp from ::::/48 *port 8000* to ::::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
flow esp in proto tcp from ::::2 *port 8000* to ::::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
flow esp out proto tcp from ::::30 to ::::/48 port 8000 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
flow esp out proto tcp from 2a04:5200:fff5::30 to fdd3:d128:dc2d::/48 *port 8000* peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
flow esp out proto tcp from 2a04:5200:fff5::30 to fdd3:d128:dc2d:10::2 *port 8000* peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require

-- 
Антон Касимов / Anton Kasimov
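As an added illustration, not iked's code and not part of Anton's report or the parse.y diff posted in this thread, the C model below reproduces the mechanism behind the wrong flows: successive selectors are chained into one src list and one dst list, so a single sport/dport pair on the hosts node can only carry the first selector's ports, whereas a port stored on each address node survives the merge. Struct and function names are hypothetical, the list merge and the lockstep src/dst walk are assumptions of the model, and the addresses are constructed from the 2001:db8::/32 documentation prefix.

```c
/* Added example, not iked's code nor from this thread: a model of how a list
 * of iked.conf selectors ("from A port p to B port q") becomes flows, with
 * one sport/dport pair per selector (pre-diff layout) versus a port on every
 * address (post-diff layout). Struct names, the list merge and the lockstep
 * walk are assumptions of this model; the addresses are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct addr_wrap {
	const char *addr;
	uint16_t port;			/* post-diff: port per address */
	struct addr_wrap *next, *tail;
};

struct hosts {
	struct addr_wrap *src, *dst;
	uint16_t sport, dport;		/* pre-diff: one pair per selector */
};

struct flow { const char *src, *dst; uint16_t sport, dport; };

/* One "from src port sport to dst port dport" selector, in both layouts. */
static struct hosts *selector(const char *src, uint16_t sport,
    const char *dst, uint16_t dport)
{
	struct hosts *h = calloc(1, sizeof(*h));
	struct addr_wrap *s = calloc(1, sizeof(*s)), *d = calloc(1, sizeof(*d));

	if (h == NULL || s == NULL || d == NULL)
		exit(1);
	s->addr = src; s->port = sport; s->tail = s;
	d->addr = dst; d->port = dport; d->tail = d;
	h->src = s; h->dst = d;
	h->sport = sport; h->dport = dport;
	return h;
}

/* Append b's address lists to a's, as a hosts_list rule would. b's own
 * sport/dport are lost here: that is the bug the report describes. */
static struct hosts *merge(struct hosts *a, struct hosts *b)
{
	a->src->tail->next = b->src;
	a->src->tail = b->src->tail;
	a->dst->tail->next = b->dst;
	a->dst->tail = b->dst->tail;
	free(b);
	return a;
}

static void free_list(struct addr_wrap *ipa)
{
	struct addr_wrap *next;
	for (; ipa != NULL; ipa = next) {
		next = ipa->next;
		free(ipa);
	}
}

/* Walk src and dst in lockstep (assumed), one flow per pair, taking ports
 * from the selector node (pre-diff) or from each address (post-diff). */
static int make_flows(const struct hosts *h, int per_addr_port,
    struct flow *out, int max)
{
	const struct addr_wrap *ipa, *ipb;
	int n = 0;
	for (ipa = h->src, ipb = h->dst; ipa && ipb && n < max;
	    ipa = ipa->next, ipb = ipb->next, n++) {
		out[n].src = ipa->addr;
		out[n].dst = ipb->addr;
		out[n].sport = per_addr_port ? ipa->port : h->sport;
		out[n].dport = per_addr_port ? ipb->port : h->dport;
	}
	return n;
}

/* Build the report's three selectors and count the flows whose ports match
 * the configuration: 1 in the pre-diff layout, 3 in the post-diff one. */
static int count_correct(int per_addr_port)
{
	struct hosts *h;
	struct flow f[3];
	int ok = 0;
	h = selector("2001:db8::30", 0, "2001:db8:10::2", 8000);
	h = merge(h, selector("2001:db8::30", 5432, "2001:db8:1::/48", 0));
	h = merge(h, selector("2001:db8::30", 5432, "2001:db8:2::/48", 0));
	if (make_flows(h, per_addr_port, f, 3) == 3) {
		ok += f[0].sport == 0 && f[0].dport == 8000;
		ok += f[1].sport == 5432 && f[1].dport == 0;
		ok += f[2].sport == 5432 && f[2].dport == 0;
	}
	free_list(h->src);
	free_list(h->dst);
	free(h);
	return ok;
}

int main(void)
{
	printf("pre-diff %d/3, post-diff %d/3 flows keep their configured ports\n",
	    count_correct(0), count_correct(1));
	return 0;
}
```

With the pre-diff layout the first selector's (sport 0, dport 8000) pair is applied to all three flows, which is exactly the "port 8000 on every flow" output in the report; with the port carried on each address node, every flow keeps the ports its own selector specified.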
Missing description of the default proposals in iked.conf
The descriptions of the ikesa and childsa options contain the following statements:

Possible values for auth, enc, prf, group, and the *default proposals* are described below in CRYPTO TRANSFORMS. If omitted, iked(8) will use the default proposals for the IKEv2 protocol.

Possible values for auth, enc, group, esn, and the *default proposals* are described below in CRYPTO TRANSFORMS. If omitted, iked(8) will use the default proposals for the ESP or AH protocol.

But CRYPTO TRANSFORMS has no description of the default proposals.

-- 
Антон Касимов / Anton Kasimov
Re: netstart: adding a vlan to a bridge fails to set parent interface of vlan to promisc?
I can confirm the same problem on 6.4 GENERIC.MP#364 amd64. Is there any solution?