APU4 pf performance fluctuations

2021-06-18 Thread Anders Andersson
It is well known that the APU2/4 underperforms when used as a router
with OpenBSD, but I found that the throughput fluctuates quite a bit,
and I think it has to do with CPU allocation and interrupts. My
trivial setup simulating a home router/gateway:

hostname.em0:  dhcp
hostname.em1:  inet 10.3.2.1 255.255.255.0
pf.conf:
  pass
  match out on em0 inet from !(em0:network) to any nat-to (em0)

Nothing else is running on the router, and throughput is tested with a
simple iperf3 TCP benchmark between linux hosts on each side of the
router, capped at 600 Mbit/s to get a stable baseline: iperf3 -b600M
(that's just under the maximum throughput I saw, around 620 Mbit/s)

I noticed that the speed always starts at a clean 600 Mbit/s, then
eventually backs down to 4-500 Mbit/s, then back up again. The
interval is on the order of a minute, but varies greatly.

Looking at "systat cpu" during the transfer I noticed that during the
fast speed, CPU 1 and 2 were busy at 45% each, while CPU 0 was
handling interrupts at 25%.

CPU    User   Nice  System   Spin  Interrupt    Idle
  0    0.0%   0.0%    0.0%   0.4%      25.0%   74.7%
  1    0.0%   0.0%   45.3%   1.0%       0.0%   53.7%
  2    0.0%   0.0%   44.7%   0.8%       0.0%   54.5%
  3    0.0%   0.0%    0.0%   0.0%       0.0%    100%

This could go on for seconds up to minutes.

Eventually whatever was running on CPU 1 and 2 migrated up to CPU 0,
causing the bandwidth to drop down to 4-500 Mbit/s:

CPU    User   Nice  System   Spin  Interrupt    Idle
  0    0.0%   0.0%   76.8%   1.0%      22.2%    0.0%
  1    0.0%   0.0%    0.0%   0.0%       0.0%    100%
  2    0.0%   0.0%    0.0%   0.0%       0.0%    100%
  3    0.0%   0.0%    0.0%   0.0%       0.0%    100%


Now, waiting even further, I saw that the "System" load could
sometimes move back to an idle core, and then the speed would get back
to 600 Mbit/s again:

CPU    User   Nice  System   Spin  Interrupt    Idle
  0    0.0%   0.0%    0.2%   0.2%      23.0%   76.6%
  1    0.0%   0.0%   99.0%   1.0%       0.0%    0.0%
  2    0.0%   0.0%    0.0%   0.0%       0.0%    100%
  3    0.0%   0.0%    0.0%   0.0%       0.0%    100%


I'm guessing that the interrupts are all tied to CPU 0 in hardware,
and that whatever process that handles the networking initially
selects one or more random idle cores. Then, the system thinks "Aha, we
should run these on the same core that handles the interrupts", moves
them over, which then starves that core.

This tells me that the rumour that OpenBSD can't use more than one
core on this little device is not completely true. It works well for a
long time initially with the load shared between two cores, while a
third handles interrupts.

Does this make sense? Is there a way to enforce the "shared cores" behaviour?

// Anders
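One way to tell the two states apart from a script rather than by watching systat, as an added example that is not part of the post or of OpenBSD: the parser reads the cpu view of systat(1) exactly as pasted above (it tolerates the columns being run together, as in the mail) and flags the sample where the CPU taking the interrupts is also carrying all of the kernel time while the other cores idle. It assumes that `systat -b cpu` prints the view once and exits when run from a script; the thresholds are assumptions too.

```python
"""Tell the two states in the post apart from a script: the CPU taking the
network interrupts either has the kernel ("System") time spread over other
CPUs, or is carrying all of it itself with the others idle. Added example,
not part of OpenBSD or of the original post. The parser reads the cpu view
of systat(1) as pasted in the mail and tolerates the columns being run
together; sampling assumes that ``systat -b cpu`` prints the view once and
exits, and the thresholds below are assumptions."""
import re
import subprocess
import sys
import time
from dataclasses import dataclass

# The three snapshots from the post; the second is kept exactly as the mail
# shows it, with the columns run together.
SNAPSHOT_SHARED = """\
CPU    User   Nice  System   Spin  Interrupt    Idle
  0    0.0%   0.0%    0.0%   0.4%      25.0%   74.7%
  1    0.0%   0.0%   45.3%   1.0%       0.0%   53.7%
  2    0.0%   0.0%   44.7%   0.8%       0.0%   54.5%
  3    0.0%   0.0%    0.0%   0.0%       0.0%    100%
"""
SNAPSHOT_STARVED = """\
CPUUser Nice  SystemSpin   InterruptIdle
0  0.0% 0.0%   76.8%1.0%   22.2%0.0%
1  0.0% 0.0%0.0%0.0%0.0%100%
2  0.0% 0.0%0.0%0.0%0.0%100%
3  0.0% 0.0%0.0%0.0%0.0%100%
"""
SNAPSHOT_ONE_CORE = """\
CPU    User   Nice  System   Spin  Interrupt    Idle
  0    0.0%   0.0%    0.2%   0.2%      23.0%   76.6%
  1    0.0%   0.0%   99.0%   1.0%       0.0%    0.0%
  2    0.0%   0.0%    0.0%   0.0%       0.0%    100%
  3    0.0%   0.0%    0.0%   0.0%       0.0%    100%
"""

_PCT = re.compile(r"\d+(?:\.\d+)?%")


@dataclass
class CpuRow:
    cpu: int
    user: float
    nice: float
    system: float
    spin: float
    interrupt: float
    idle: float


def parse_systat_cpu(text):
    """One CpuRow per CPU line. The six percentages are located by pattern,
    so missing column spacing (as in the mail) does not matter."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s", line)
        if not m:
            continue
        pcts = _PCT.findall(line[m.end():])
        if len(pcts) == 6:
            rows.append(CpuRow(int(m.group(1)), *(float(p[:-1]) for p in pcts)))
    return rows


def interrupt_cpu(rows):
    """The CPU with the most interrupt time: the one the NIC is tied to."""
    return max(rows, key=lambda r: r.interrupt)


def is_starved(rows, share=0.9, idle_floor=5.0):
    """True when the interrupt CPU also runs at least `share` of all System
    time, has under `idle_floor` % idle left, and some other CPU is mostly
    idle: the slow state in the post."""
    irq = interrupt_cpu(rows)
    total_system = sum(r.system for r in rows)
    if total_system == 0.0:
        return False
    spare = any(r.idle >= 50.0 for r in rows if r.cpu != irq.cpu)
    return irq.system / total_system >= share and irq.idle < idle_floor and spare


def classify(rows):
    """'starved', 'shared' (kernel time on CPUs other than the interrupt one)
    or 'idle'."""
    if is_starved(rows):
        return "starved"
    return "shared" if sum(r.system for r in rows) > 0.0 else "idle"


def sample_live():
    out = subprocess.run(["systat", "-b", "cpu"], capture_output=True,
                         text=True, check=True).stdout
    return parse_systat_cpu(out)


if __name__ == "__main__":
    # One line per interval; run it beside the iperf3 test and line the
    # throughput dips up with the 'starved' samples.
    interval = float(sys.argv[1]) if len(sys.argv) > 1 else 1.0
    while True:
        rows = sample_live()
        irq = interrupt_cpu(rows)
        print(time.strftime("%H:%M:%S"), classify(rows),
              f"irq_cpu={irq.cpu} system={irq.system:.1f}% idle={irq.idle:.1f}%",
              flush=True)
        time.sleep(interval)
```

Running it alongside the iperf3 test gives a timestamped log in which every dip to 4-500 Mbit/s should coincide with a "starved" line; if it does not, the scheduler theory in the post is wrong and something else is throttling.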



Re: Counting traffic of one host through an OpenBSD computer

2021-06-17 Thread Anders Andersson
On Thu, Jun 17, 2021 at 10:53 PM Ibsen S Ripsbusker
 wrote:
>
> My great and good friends,
>
> I want to know how much network traffic a Windows computer is
> responsible for. The Windows computer is connected to a switch,
> the switch is connected to a router running OpenBSD, and the router is
> connected eventually to the internet service provider.
>
>   Windows -- Switch  OpenBSD  ISP
>   Other computers --/
>
> How can I find out how many bytes this Windows computer sent or received
> through the router within some time period?
>
> I'm concerned only about communication with the internet, not
> communication between Windows and "other computers", so it suffices
> to count all bytes passing through the OpenBSD computer that originate
> from or are destined for the Windows computer.

I think this simple match rule in /etc/pf.conf does exactly what you need:

match out on egress from $windows_host label windows

Replace $windows_host with the local IP number of that host or set it
in a pf macro. This labels all the traffic matching the pattern. You
can look at the statistics using pfctl:

# pfctl -s labels
windows 11 212902 261910228 174124 259893752 38778 2016476 0

Obviously some scripting and cronjob required if you want this
automated in a nice format. man pfctl and pf.conf for more information.
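The scripting the reply alludes to, as an added example that is not from pfctl(8) or pf.conf(5): it parses `pfctl -s labels` output using the field order of the sample line (label, evaluations, packets, bytes, packets in, bytes in, packets out, bytes out, states) and turns two snapshots into per-interval counts, treating a counter that went backwards as a ruleset reload. Only the first snapshot line is from the mail; the other two and the state-file path are constructed assumptions.

```python
"""Per-interval traffic for labelled pf rules from ``pfctl -s labels``.
Added example for the thread above, not code from pfctl(8) or pf.conf(5).
Field order is the one in the sample line of the mail: label, evaluations,
packets, bytes, packets in, bytes in, packets out, bytes out, states."""
import json
import subprocess
import sys
import time

COUNTERS = ("evaluations", "packets", "bytes", "packets_in", "bytes_in",
            "packets_out", "bytes_out", "states")

# Constructed snapshots: the line from the mail, the same rule a little
# later, and the rule after a ruleset reload (pfctl -f) zeroed its counters.
SNAP_T0 = "windows 11 212902 261910228 174124 259893752 38778 2016476 0\n"
SNAP_T1 = "windows 12 213402 262416228 174524 260393752 38878 2022476 0\n"
SNAP_T2 = "windows 1 100 120000 60 100000 40 20000 0\n"


def parse_labels(text):
    """{label: {counter: int}}. The eight counters are taken from the right,
    so a quoted label containing spaces still parses; pfctl prints one line
    per rule, so a label shared by several rules is summed."""
    result = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9:
            continue
        try:
            values = [int(v) for v in parts[-8:]]
        except ValueError:
            continue
        acc = result.setdefault(" ".join(parts[:-8]), dict.fromkeys(COUNTERS, 0))
        for key, value in zip(COUNTERS, values):
            acc[key] += value
    return result


def delta(previous, current):
    """Counts since the previous snapshot. Rule counters are cumulative and
    start from zero again when the ruleset is reloaded (or pfctl -z is run),
    so a counter that went backwards is counted from zero."""
    out = {}
    for label, cur in current.items():
        prev = previous.get(label, {})
        out[label] = {k: cur[k] - prev.get(k, 0) if cur[k] >= prev.get(k, 0) else cur[k]
                      for k in COUNTERS}
    return out


def traffic(previous, current, label):
    """(download, upload) bytes for `label` since `previous`. For a rule like
    the one in the mail (match out on egress from $host) "in" is traffic
    arriving on egress, i.e. the host's downloads, which the sample line
    shows: 259 MB in against 2 MB out."""
    d = delta(previous, current)[label]
    return d["bytes_in"], d["bytes_out"]


if __name__ == "__main__":
    # Cron usage (as root): pflabels.py /var/db/pflabels.json >> /var/log/pflabels
    # The JSON state file path is an assumption, not an OpenBSD convention.
    state_file = sys.argv[1]
    try:
        with open(state_file) as f:
            previous = json.load(f)
    except FileNotFoundError:
        previous = {}
    output = subprocess.run(["pfctl", "-s", "labels"], capture_output=True,
                            text=True, check=True).stdout
    current = parse_labels(output)
    for label in current:
        down, up = traffic(previous, current, label)
        print(time.strftime("%Y-%m-%dT%H:%M:%S"), label, f"down={down} up={up}")
    with open(state_file, "w") as f:
        json.dump(current, f)
```

The reset handling matters more than it looks: every `pfctl -f /etc/pf.conf` restarts the rule counters, so a naive "current minus previous" produces a large negative number (or, if you take the absolute value, silently drops the traffic between the reload and the next run).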



Re: OpenBSD and Shells.com

2021-02-13 Thread Anders Andersson
On Thu, Feb 11, 2021 at 11:13 PM Abel Abraham Camarillo Ojeda
 wrote:
>
> > On Thu, Feb 11, 2021 at 4:00 PM Alex Lee  wrote:
>
> > Just wanted to check in on this one and see if there was a chance to chat.
> > Thanks!
> >
> > On Sun, Jan 24, 2021 at 3:07 PM Alex Lee  wrote:
> >
> > > Hi!  My name is Alex Lee, and I am hoping that we can partner with
> > > OpenBSD.  We offer virtual cloud computers that can be accessed from any
> > > web enabled device.  As we offer multiple OS options such as different
> > > Linux distros and Windows, it gives the user the opportunity to use the
> > OS
> > > they want on the device they want (I use Ubuntu Desktop on an iPad
> > Pro).  I
> > > was hoping that we could chat about a potential collaboration as our
> > > product can give folks an opportunity to test out OpenBSD without
> > > installing it on their hardware.  I know there are a lot of folks who are
> > > afraid to make the jump and this would be an easy way for them to get
> > > involved with OpenBSD.  Let me know if we could chat more!   Thanks.
> > >
> > > alex
> > >
> >
>
> As far as I know you don't need to ask permission to do that kind of
> service,
> or I don't understand what you're requesting

"I was hoping that we could chat about a potential collaboration"
usually means "How much are you willing to pay to have your name on
our front page". Not even sure that OP knows what OpenBSD is, it looks
like a template email and the website is shady.

They are trying to trademark the word "Shells" from what I can see
from the google preview, but the website doesn't show anything at all
without javascript.



Re: Integrating OpenBSD into Xen/Qubes

2020-10-16 Thread Anders Andersson
On Wed, Oct 14, 2020 at 8:24 PM  wrote:
>
> A number of people are working on integrating OpenBSD into Qubes.
>
> In particular, OpenBSD's hardening and mitigations are potentially very
> useful in talking to the NIC: Xen vulnerabilities have been repeatedly
> found that would allow a guest with PCI access to compromise the entire
> system, and on most machines the network card is a PCI device.

How could any hardening in OpenBSD protect from someone owning the
hardware? Or do you mean that an OpenBSD guest would run with
exclusive access to the NIC and then every other guest is routed
through that guest?



Re: [patch] calendar.music: Neil Peart 1952-2020

2020-06-22 Thread Anders Andersson
On Mon, Jun 22, 2020 at 3:44 PM Jason McIntyre  wrote:
>
> On Mon, Jun 22, 2020 at 08:31:34AM -0500, Carson Chittom wrote:
> >
> > Matthew J. C. Clarke  writes:
> >
> > >  01/08  Elvis Presley born in East Tupelo, Mississippi,
> > >  1935
> >
> > This caught my eye, being from Mississippi myself.
> >
> > As far as I know or can tell from searching online, there's no
> > such place as "East Tupelo".  This should be just "Tupelo" (my
> > preference) or "east Tupelo" (the Elvis Presley Birthplace Museum
> > does appear to be on the eastern side of Tupelo).
> >
>
> hi. i changed it to just "Tupelo".
> thanks,
>
> jmc

On a more serious note, why even bother with these files anymore? I'm
sure having your computer know the birth date of Elvis was useful and
novel 30 years ago, but today such a trivia list is just a bitrotting
museum piece that will get more and more out of date. IMO.

Instead of adding every musician, let's just nuke all the files except
calendar.openbsd and calendar.computer. They still seem relevant to an
operating system and to make sure there's always some examples to play
with.

...again, IM (not so humble) O.



Re: www unreachable

2020-06-15 Thread Anders Andersson
On Mon, Jun 15, 2020 at 11:45 AM Chris Bennett
 wrote:
>
> On Mon, Jun 15, 2020 at 09:43:03AM +0200, Thomas de Grivel wrote:
> > Hello,
> >
> > http://www.openbsd.org is unreachable.
> >
> > I wanted to know what's new in the current snapshots ?
> >
>
> I'm not sure about the website. You might have local DNS problems.
> Use dig to get the IP address (from a big nameserver like 8.8.8.8)
> and skip that problem.
>
> If you mean the current -release, yes the website is simplest in
> general terms only.
>
> If you mean -current, then the mailing lists and CVS are the right
> places to look. misc@ isn't very helpful, but tech@, etc. are excellent.
>
>
> DNS has problems in some places in the world. Usually just for hours.
> Annoying, but sites like OpenBSD have stable IP's and knowing that
> solves the problem quickly.
> If the site has a problem, someone else can clarify that.
>
> Chris Bennett

Are you saying it's working for you? Maybe you have a different route
to the website because it seems to be down on the Canadian side. I
presume you're in the US based on your domain name. :)



Re: unexpected behavior

2020-06-02 Thread Anders Andersson
On Tue, Jun 2, 2020 at 4:30 PM Sonic  wrote:
>
> Recently discovered (snapshot form May 30) having any hostname.if
> configured for dhcp, even if unplugged and inactive, prevents the
> default gateway defined in /etc/mygate from being set. Is this normal?

"/etc/mygate is processed after all interfaces have been configured.
If any hostname.if(5) files contain "dhcp" directives, IPv4 entries in
/etc/mygate will be ignored.  If they contain "autoconf" directives,
IPv6 entries will be ignored."

Exactly as documented.



Re: Article OpenBSD: Not Free Not Fuctional and Definetly Not Secure and BSD, the truth blog

2020-05-28 Thread Anders Andersson
On Thu, May 28, 2020 at 7:41 PM  wrote:
>
> On May 28, 2020 11:42 AM, Marc Espie  wrote:
>
>   On Thu, May 28, 2020 at 01:16:59AM -0300, Quantum Robin wrote:
>   > Hi,
>   >
>   > While surfing on the Google to learn more about OpenBSD, I
>   encountered this
>   > one: "OpenBSD: Not Free Not Fuctional and Definetly Not Secure (
>   > https://aboutthebsds.wordpress.com/2013/01/25/20/)
>   >
>   > Is the author telling the truth? Or just yet another anti-BSD
>   thing?
>   >
>
>   "At meetings, people are often physically attacked for having even a
>   minor disagreement with de Raadt"
>
>   Hyperbole much ?
>
>   Theo has been known to be fairly opinionated, but "physically
>   attacked"?
>
>   How can you take this guy seriously ?
>
>
> I found it pretty comical.

Agreed, thanks for the link, OP!

"Finally like all BSDs, third party applications are not audited for
vulnerabilities and research has show that nearly 3 out of 5 of the
applications are actually trojans." :D



Re: rc.conf.local sorted?

2020-05-27 Thread Anders Andersson
On Wed, May 27, 2020 at 1:16 AM Antoine Jacoutot  wrote:
>
> On Tue, May 26, 2020 at 05:16:44PM +0200, Why 42? The lists account. wrote:
> >
> > On Mon, May 25, 2020 at 04:51:51PM +0200, Antoine Jacoutot wrote:
> > > > ...
> > > > It looks as if the file has been sorted e.g.
> > > Did you use rcctl(8) ?
> >
> > Hi Antoine,
> >
> > You are correct, that does it. I checked the history and after the
> > upgrade I had run rcctl to enable sensorsd. Just tested it again and
> > running an rcctl enable or disable command causes all the lines of
> > /etc/rc.conf.local to be alphabetically sorted.
> >
> > That seems like a defect to me, what do you think?
>
> That's what you get when mixing helper tools and manual edits.
> They can work together but only up to a certain point... and in this case,
> comments don't fly.
> As long as everything works functionally, then I'd say we're good and can live
> with it.

I think it warrants a short note in the manpage of rcctl or rc.conf
though. Although I have personally not had this happen to me, I did
not expect the behaviour and would have been equally surprised.



Re: Restore pf tables metadata after a reboot

2020-05-26 Thread Anders Andersson
On Tue, May 26, 2020 at 2:14 PM Walter Alejandro Iglesias
 wrote:
>
> I understand that this command:
>
>   # pfctl -t spam -T expire 
>
> Takes in care the "Cleared" date:
>
>   # pfctl -t spam -vT show
>  ___.___.22.65
>   Cleared: Mon May 25 16:10:22 2020
>  ___.___.167.62
>   Cleared: Mon May 25 16:10:22 2020
>   [...]
>
> Is there a way to save and restore tables metadata after a reboot
> preserving those dates?

Isn't this what pfctl -S and -L does?



Re: Why does OpenBSD still include Perl in its base installation?

2020-05-21 Thread Anders Andersson
On Thu, May 21, 2020 at 11:19 AM Dawid Czeluśniak
 wrote:
>
> Hi OpenBSD community,
>
> First of all, thank you for 6.7 release.
>
> I am a huge fan of minimal and custom installations
> as I mostly use OpenBSD to host simple HTTP servers.
...
> I would like to get your opinion on that.

From what I've seen, those goals are not compatible with OpenBSD, as
in: You're just making it harder for you and anyone trying to help
debugging something if you change the default installation. I've seen
some wishes about even getting rid of the whole "sets" thing and just
install everything.

I tend to agree and would welcome such a move, because these days
we're talking about such a tiny amount of space in comparison. Even if
you're in a situation where you want to host thousands of virtual
OpenBSD machines and then maybe get some sort of gain from removing
those 50 MB, well, just use a CoW filesystem and clone the same base
install.

What I love with OpenBSD is that everything is just there to be used,
there aren't 20 different filesystems, 20 different scripting
languages, 20 different web servers. I don't have to fiddle with
everything, it just works. There's the file system, perl, httpd, etc,
and they are well designed. Why would I want multiple different perls
when it is already so mature?



Re: Copyright upper or lower case (c)?

2020-05-19 Thread Anders Andersson
On Tue, May 19, 2020 at 9:10 AM Peter J. Philipp  wrote:
>
> Hi,
>
> Before I wrote this email I searched under marc.info and did a google search,
> but I didn't get a definitive answer.  I found this under openbsd.org:
>
> https://www.openbsd.org/policy.html
>
> Whoever put that together I thank thee.
>
> In code, I see the (c) and the (C) used interchangibly, I'm wondering if it's
> correct.  Here is an example of the ftp program in main.c:
>
> beta$ grep Copyright main.c
>  * Copyright (C) 1997 and 1998 WIDE Project.
>  * Copyright (c) 1985, 1989, 1993, 1994
>
> Let me know if either is correct.  I want to use it for guidance on my own
> project too.  Where I use a lower case (c).

You might as well write "(<)" or "[C]". Neither is a copyright mark in
any sense of the law, and using it does not do anything else than
informing the reader that you claim the rights - you already have the
rights even if you don't write anything. If you can only use ASCII,
the "most proper" way would be to spell out "Copyright", but that is
also just for information. As you can see, your example is using both
forms.



Re: Intel CPU (in)security

2020-05-14 Thread Anders Andersson
On Thu, May 14, 2020 at 1:54 PM  wrote:
>
> Please suggest what has been cleaned by moderators on the website:
>
> https://web.archive.org/web/20200514115002/https://www.reddit.com/r/openbsd/comments/gf7wip/how_secure_are_intel_cpus/fpshspb/

No.

But this link may be informative: https://libreboot.org/faq.html#intel

Inside every modern Intel CPU is a secondary CPU running an embedded
OS with direct access to nice things like all the RAM, AES
acceleration hardware, TPM etc. No one but Intel (and by extension,
NSA) has access to the code running on that CPU, and it would be
trivial for it to check incoming packets for patterns that activate
for example storing crypto keys into a small embedded EEPROM that can
be read out after the police has raided your home. A firewall can't
stop this.

Fortunately, the people who could possibly order Intel to do something
like this don't care about your pirated movies, and it would be a PR
nightmare if Intel actually used the power they have for anything less
than national security, since the risk of something leaking would be
too large.



Re: OpenBSD insecurity rumors from isopenbsdsecu.re

2020-05-11 Thread Anders Andersson
On Tue, May 12, 2020 at 7:19 AM  wrote:
>
> I would prefer to begin from grsecurity, but it is not available up to date 
> for my budget.
>
> I would also try HardenedBSD, but it is only amd64 now? And how many active 
> developers there are? one or two?
>
> OpenBSD looks like the only viable option for me right now, maybe another one 
> is a systemd free distro like Devuan with a hardened kernel like by @anthrax, 
> but I am too unskilled even to understand what the improvements of the @anthrax 
> kernel are for me without a good doc for it in existence, and on the other 
> hand OpenBSD is famous for its very good documentation.
>
> I guess it is a huge amount of work to harden a Linux installation to a level 
> comparable to OpenBSD, there is some interesting work which is by Whonix but 
> unfortunately with systemd, and it seems someone from that community is 
> referring to the isopenbsdsecu.re site, so it looks to me like an OpenBSD vs 
> Whonix dispute, excuse me if I am wrong.

You keep swallowing up buzzwords from completely random places without
taking the time to understand what everything means or how it affects
you.

There's no silver bullet. Figure out and enumerate *your* threat
model, then find a solution that you understand.



Re: RCS file ownership?

2020-04-29 Thread Anders Andersson
On Wed, Apr 29, 2020 at 7:46 PM Adam Thompson  wrote:
>
> When I use co(1) with "-l" to check out a file (and/or "ci -l") is there
> any way to preserve file ownership and *not* have it reset to the user
> running co(1) or ci(1)?
> I don't see anything in rcs(1), co(1) or ci(1) that even mentions the
> fact that the file will wind up owned by the user running the command.
> Ideas?  Pointers to documentation?

How could it possibly do anything else unless you always run co as root?



Re: _types.h: increase size of size_t

2020-04-24 Thread Anders Andersson
On Fri, Apr 24, 2020 at 4:47 AM Ian Sutton  wrote:
>
> Following the revalations made by a misc@ poster, I am happy to present
> the following patch which increases the width of size_t from "long" to
> "long long", which is twice the width as before, on all platforms. This
> has the effect of doubling the amount of available memory regardless of
> the physical capacity of the installed memory hardware. Additionally, it
> enables PAE on all 32 bit platforms without incurring performance costs.

This may go against a direct recommendation in the C standard for some
or all of these platforms.

"The types used for size_t and ptrdiff_t should not have an integer
conversion rank greater than that of signed long int unless the
implementation supports objects large enough to make this necessary."

Presumably the unnamed misc@ poster was unsafely mixing pointers and
integer types.



Re: news from my hacked box

2020-04-01 Thread Anders Andersson
On Wed, Apr 1, 2020 at 10:29 PM Cord  wrote:
>
> Hi,
> I found something that in my opinion is nearly evidence.
> For those who don't know my story please read past messages:
> https://marc.info/?a=15535526152=1=2
> Well, as I said previously my laptop had been hacked, then I bought a new 
> laptop because my suspicion is that the UEFI or other firmware had been 
> hacked (I reinstalled OpenBSD various times)
> The old laptop had a wifi usb dongle to connect to the wifi router.
> Now the new laptop has a wifi chip that works properly on OpenBSD.
> The inner IF is iwm0.
> And I discovered differences in wifi performance between the on-board IF and 
> the old usb dongle.
> Of course the tests were made from exactly the same physical place.
> The following are the results (I used speedtest-cli):
> iwm0 with vpn download: 0,46 mbit/s upload: 0,55 mbit/s
> iwm0 without vpn download: 0,50 mbit/s upload: 2,53 mbit/s
> urtwn0 with vpn download: 20,88 mbit/s upload: 8,49 mbit/s
> urtwn0: without vpn download: 24,83 mbit/s upload 9,27 mbit/s
>
> The following are the results pinging 8.8.8.8 with -c 500:
> 500 packets transmitted, 500 packets received, 0.0% packet loss
> iwm0: round-trip min/avg/max/std-dev = 18.761/6372.615/72372.495/14987.007 ms
> urtwn0: round-trip min/avg/max/std-dev = 24.068/36.489/878.218/48.120 ms
>
> As I know the traffic shaping is configured by pf with pf.conf, the following 
> is my pf.conf (I'm sorry I'm not a genius of pf):
> ---/etc/pf.conf
> if="urtwn0"
> #if="iwm0"
> dns="{8.8.8.8}"
> myvpn="{x.x.x.x, x.x.x.x, x.x.x.x, x.x.x.x, x.x.x.x}"
> weird="{239.255.255.250, 224.0.0.1}"
> pany="{udp, tcp}"
> set skip on tun0
> set skip on lo
> set block-policy drop
> set loginterface $if
> block quick inet6
> block quick on $if from any to $weird
> pass quick proto icmp
> pass out quick on $if proto $pany from $if to $dns
> pass out quick on $if proto udp from $if to $myvpn
> pass out quick on $if proto tcp from $if to my01-other-vpn.com
> pass out quick on $if proto tcp from $if to my02-other-vpn.com
> pass out quick on $if proto tcp from $if to my03-other-vpn.com
> block drop in on ! lo0 proto tcp to port 6000:6010
> block drop out log proto {tcp udp} user _pbuild
> block log quick on $if
> --
>
> Other strange things that happens on my laptop are the following:
> 1) sometimes my openvpn (2 times out of 5) fails authentication even though I 
> use saved authentication data in a file and pass it the data with --auth-user-pass 
> /my/path/pass
> So in my opinion it's impossible for the authentication to fail.
> 2) sometimes KeePassXC fails authentication on random site. If I copy the 
> password and paste it by hand it works.
> 3) and of course there are people that can spy on me and modify suggested videos 
> on youtube. Please do not comment on this because I know it's very subjective.
>
> As I said previously in my opinion there is a 0day in how the TCP/IP stack is 
> implemented in the kernel.
> And the vulnerability can be exploited by a mitm attack from the home router.
> Thank you Cord.

Hello Cord, and thank you for the interesting messages.

Just a thought: Do you have any wall paintings, and have you noticed
something different about them since you got hacked?

You see, I once talked to a man at the local library who was looking
for literature about computer viruses and he mentioned that the virus
had somehow spread out from the USB ports in his computer onto his
paintings, which had now become dull and grey. His family told him
that he was imagining things and refused to help him, that's why he
was at the library to search for information.

If your computer has been hacked, maybe it is by the same virus.

Kind regards,
Anders



Re: pf-badhost-0.3 released

2020-03-11 Thread Anders Andersson
On Tue, Mar 10, 2020 at 10:53 PM Jordan Geoghegan  wrote:
>
> pf-badhost and unbound-adblock are both now at version 0.3, released
> earlier today.
>
> Links to the scripts can be found here:
>
> www.geoghegan.ca/pfbadhost.html
> www.geoghegan.ca/unbound-adblock.html

Thanks, this looks very interesting! But maybe you can help answering
a question that popped up when I read your page about pf-badhost.

You mention that "Subnet aggregation is used to take the address list
and "aggregate" the addresses into the smallest possible
representation using CIDR blocks.", but I was under the assumption
that pf already did this for its tables to speed up lookups.

Is there anything preventing the aggregation code from running on every pf
table modification? Assuming an already sorted list, it shouldn't take
long to merge a new entry. Perhaps I've missed some use of pf tables
that makes this impossible or not applicable in the general case.
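The incremental merge the last paragraph has in mind, as an added example that is neither pf's nor pf-badhost's code: it keeps a sorted, non-overlapping, fully aggregated list and inserts one prefix in a binary search plus however many buddy merges follow, using only Python's ipaddress module. It is the general algorithm; aggregating a whole list is just repeated insertion.

```python
"""Incremental CIDR aggregation: insert one prefix into a sorted,
non-overlapping, fully aggregated list, merging buddy halves upwards.
Added example, not code from pf or pf-badhost; only the standard
ipaddress module is used. aggregate() is the list-wide operation the post
quotes, built from repeated insertion."""
import ipaddress
from bisect import bisect_left


def _buddy(net):
    """The other half of net's parent supernet."""
    return next(h for h in net.supernet().subnets() if h != net)


def insert_prefix(table, prefix):
    """Insert `prefix` into `table` (one address family) in place and return
    it. Entries covered by the new prefix are dropped, an entry covering it
    makes this a no-op, and the result stays sorted and aggregated."""
    new = ipaddress.ip_network(prefix, strict=False)  # host bits masked off
    i = bisect_left(table, new)
    # In a sorted, non-overlapping list only the predecessor can cover `new`:
    # anything sorted between a covering entry and `new` would overlap it.
    if i and new.subnet_of(table[i - 1]):
        return table
    # Entries inside `new` are contiguous from i; drop them.
    j = i
    while j < len(table) and table[j].subnet_of(new):
        j += 1
    del table[i:j]
    # Merge upwards while the buddy half is present as a whole entry.
    while new.prefixlen > 0:
        buddy = _buddy(new)
        k = bisect_left(table, buddy)
        if k < len(table) and table[k] == buddy:
            del table[k]
            new = new.supernet()
        else:
            break
    table.insert(bisect_left(table, new), new)
    return table


def aggregate(prefixes):
    """Smallest CIDR representation of `prefixes`, as a sorted list."""
    table = []
    for p in prefixes:
        insert_prefix(table, p)
    return table


def as_strings(table):
    return [str(n) for n in table]
```

The reason a table cannot always be collapsed this way behind the user's back is semantic, not computational: pf tables can carry per-address counters (`table <t> counters`, shown by `pfctl -t t -T show -v`) and negated entries (`!10.1.0.0/16` inside a table), and merging entries changes what both of those mean. Aggregating a plain block list before loading it, as pf-badhost does, has no such problem.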



Re: size of size_t (diff angle)

2020-02-25 Thread Anders Andersson
On Tue, Feb 25, 2020 at 12:14 PM  wrote:
>
> Haai,
>
> The definition of size_t keeps biting me.
>
> Some background: in nnx, me's been using the equiv of caddr_t for
> counts. This works well; yet, while writing against existing code that
> uses size_t, an issue has surfaced.
>
> First of all, let us reflect upon the definition of size_t in C99.
>
> > size_t
> > which is the unsigned integer type of the result of the sizeof
> > operator;
>
> That's not very specific. It kind-of implies that SIZE_MAX (defined
> later in the standard) is the largest possible offset, but not
> necessarily the largest possible address. This reeks of i86 real mode
> semantics, obsolete (for general-purpose machines) already when the
> PDP-11 was new.

I think it's pretty clear, size_t is for the size of objects, not for
offsets or pointers. The C standard frowns upon mixing up pointers and
integers, to much grief from low-level developers.



> Is SIZE_MAX guaranteed to *not* be greater than the highest address?

I'm almost certain that C99 offers no such guarantees, since a pointer
to a float does not have to be the same size as a pointer to int, for
example. Maybe if you're being a little more specific. There are some
exceptions for void * and char *.

In fact, the standard only *recommends* that implementations keep
SIZE_MAX as small as possible but not smaller. Since it is only a
recommendation, it can be inferred that the standard acknowledges that
an implementation with SIZE_MAX > highest address is valid.

"The types used for size_t and ptrdiff_t should not have an integer
conversion rank greater than that of signed long int unless the
implementation supports objects large enough to make this necessary."

Or my interpretation: "Just because there is now a new and fancy
64-bit long long in C99 doesn't mean that you should make size_t a
long long just because you can, because it's pointless if your
compiler/target only has a 32-bit address space."



OpenBSD FAQ - Using S/Key - hash algorithm selection

2020-01-11 Thread Anders Andersson
While perusing the OpenBSD FAQ I came across the S/Key login system
and noticed that there are three possible hashing algorithms to choose
from: MD5, SHA1, and RIPEMD-160.

Instinctively I wouldn't want to use any of these. RIPEMD-160 seems
like the only one that hasn't been broken, but that's probably because
no one really cares as much as they do with MD5 and SHA1.

But of course, it depends on how they are used. Is this a case of when
it's fine to use them, or is it simply that nobody uses S/Key anymore
so there's no real incentive to change them?

Just being curious, I didn't even know S/Key existed until a few minutes ago.
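To make concrete what the hash is asked to do here, an added example that is not the FAQ's or OpenBSD skey(1)'s code, of the RFC 2289 chain S/Key is built on: the server stores only the last accepted one-time password and checks that one more hash step on a candidate reproduces it, so the property in play is preimage resistance, and a collision attack on the hash gives an attacker nothing by itself. The MD5 fold is the one RFC 2289 specifies; folding SHA1 output the same way is a simplification assumed here, not the RFC's exact encoding, and skey(1)'s six-word rendering of the 64 bits is left out.

```python
"""The one-time-password chain S/Key is built on (RFC 2289), added to show
which property of the hash the scheme actually relies on. This is an
example, not OpenBSD's skey(1) code: the MD5 fold is the one RFC 2289
specifies; folding SHA1 output the same way is a simplification assumed
here, not the RFC's exact word ordering. RIPEMD-160 works only where the
underlying OpenSSL still provides it."""
import hashlib
import hmac


def fold64(digest):
    """XOR consecutive 8-byte chunks of a digest into 8 bytes. For MD5 this
    is exactly RFC 2289's fold (XOR of the two halves)."""
    out = bytearray(8)
    for i, byte in enumerate(digest):
        out[i % 8] ^= byte
    return bytes(out)


def step(x, alg):
    """One link of the chain: hash, then fold to 64 bits."""
    return fold64(hashlib.new(alg, x).digest())


def otp(passphrase, seed, n, alg="md5"):
    """One-time password number n: the initial step hashes seed||passphrase,
    then the chain is applied n more times. Only the client, which knows the
    passphrase, can compute it."""
    x = step((seed + passphrase).encode(), alg)
    for _ in range(n):
        x = step(x, alg)
    return x


class SkeyVerifier:
    """What the server keeps: algorithm, seed, sequence number and the last
    password it accepted. The passphrase is never stored."""

    def __init__(self, alg, seed, n, last):
        self.alg, self.seed, self.n, self.last = alg, seed, n, last

    @classmethod
    def enroll(cls, passphrase, seed, n, alg="md5"):
        return cls(alg, seed, n, otp(passphrase, seed, n, alg))

    def challenge(self):
        """The RFC 2289 challenge line; the client answers with
        otp(passphrase, seed, n - 1)."""
        return f"otp-{self.alg} {self.n - 1} {self.seed}"

    def verify(self, candidate):
        """Accept iff one more hash step on the candidate gives the stored
        value, then move the stored value down the chain. A sniffed or
        leaked password is therefore useless for replay, and turning the
        stored value back into the next password needs a preimage of the
        hash; a collision for the hash is of no use here by itself."""
        if self.n <= 0:
            return False  # chain exhausted: re-enroll with a fresh seed
        if not hmac.compare_digest(step(candidate, self.alg), self.last):
            return False
        self.last = candidate
        self.n -= 1
        return True
```

What this does not protect against is worth keeping in mind when choosing a hash: a short or guessable passphrase can be brute-forced offline from a single captured password together with the seed and sequence number from the challenge, whichever of the three hashes is in use.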



Re: But there is Fossil...

2020-01-06 Thread Anders Andersson
On Mon, Jan 6, 2020 at 8:03 PM Stefan Sperling  wrote:
>
> On Mon, Jan 06, 2020 at 06:28:48PM +, go...@disroot.org wrote:
> > done reading that entire document, however, this is a topic about
> > OpenBSD choosing Git over Fossil, but the actual problem is
> > reimplementing Git (Game of Trees is a Git implementation just
> > like OpenGit) and that's ridiculous, however, having read
> > that PDF document I question: which of those problems are
> > present in Fossil, not Git? in presence of those problems,
> > why not wait for fix in Fossil instead of rushing to
> > reimplement Git? I always see the point in two things:
> > 1. using something existing
> > 2. innovating something new
> >
> > Game of Trees and OpenGit are not innovations, they are
> > implementations of existing innovation, if you've seen my
> > first message, I suggested option 1
>
> Look, if you don't like something why don't you just ignore it?
> Instead of wasting time by writing pointless messages which the
> many people on this list now have to delete from their inbox?
>
> The gameoftrees FAQ says:
> ""
> We don't need to hear your opinion that our project is pointless because
> Git is superior. Thank you!
> ""
> The same applies to Fossil or whatever else anyone thinks is superior.
>
> Why should I care about your opinion on what I should be working
> on in my spare time? It looks like you're just trying to annoy me.

One good thing with this trainwreck of a discussion is that it pointed
me to GoT. I've been looking for an alternative to CVS on my Amiga,
but git is too convoluted to even start trying to build on a
mostly-C89-semi-POSIX system. GoT seems like a much nicer starting
point.



dhcpd and unbound on a small LAN

2020-01-06 Thread Anders Andersson
I'm in the process of replacing an aging OpenWRT device on my home LAN
with an apu4d4 running OpenBSD as my personal router.

I would like to use unbound as a caching DNS server for my local
hosts, but I'm trying to figure out how to handle local hostnames. It
seems like a common scenario but I can't find a solution that feels
like the "right" way. I have two problems, one is trivial compared to
the other.


My first and very minor issue is that I would like to register my
static hosts in a more convenient way than what's currently offered by
unbound. From what I understand you would configure your local hosts
something like this:

local-zone: "home.lan." static
local-data: "laptop.home.lan. IN A 10.0.0.2"
local-data-ptr: "10.0.0.2  laptop.home.lan"

Every time information has to be entered twice there is room for error
and inconsistencies, so preferably this list should be automatically
generated from a simpler file, maybe /etc/hosts. I can of course
easily write such a script, but I'm wondering if there might be a
standard, go-to way of doing this.



My second and more difficult issue is that I can't seem to find a way
to feed information from the DHCP server into unbound, so that locally
assigned hosts can be queried by their hostnames. To clarify with an
example:

1. I install a new system and in the installation procedure I name it "alice".
2. "alice" asks for and receives an IP number from my DHCP server.
3. Every other machine can now connect to "alice" by name, assuming
that "alice" informed the DHCP server of its name when asking for an
address.

Currently this works because OpenWRT is using dnsmasq which is both a
caching DNS server and a DHCP server, so the left hand knows what the
right hand is doing. How can I solve this in OpenBSD base without
jumping through hoops?

Right now I'm considering something that monitors dhcpd.leases for
changes and updates a running unbound using unbound-control(8) but I
don't feel confident enough writing such a tool that does not miss a
lot of corner cases and handle startup/shutdown gracefully. I'm also
thinking that it can't be such an unusual use case, so someone surely
must have written such a tool already. I just haven't found any in my
search.

Or am I doing this the wrong way? I've now read about things like mDNS
and Zeroconf and Avahi and I'm just getting more and more confused.
Ideas are welcome!
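Both parts of the question, as an added example that is not OpenBSD base or unbound code: it turns /etc/hosts into unbound.conf local-data lines, reads dhcpd.leases(5) blocks (a constructed sample is embedded) into a name map, and emits the unbound-control(8) `local_data` / `local_data_remove` commands that take a running unbound from the previous map to the current one. The zone name home.lan and the lease syntax are assumptions. A client-supplied hostname is validated before it becomes a DNS record, and static names always win over a lease claiming the same name.

```python
"""Glue for both parts of the question above: unbound local data generated
from /etc/hosts, and dhcpd lease names pushed into a running unbound. Added
example, not code from OpenBSD base or unbound. Assumed: zone "home.lan",
lease blocks in OpenBSD dhcpd.leases(5) syntax (constructed sample below),
and unbound-control(8)'s local_data / local_data_remove commands."""
import calendar
import ipaddress
import re
import time

ZONE = "home.lan"
# A DHCP client chooses its own name: check it is an RFC 1123 label before
# it becomes a DNS record.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)

# Constructed sample inputs, and the "now" the sample is evaluated against.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
10.0.0.2  laptop.home.lan laptop   # static, wired
10.0.0.3  printer
"""
SAMPLE_LEASES = """\
lease 10.0.0.50 {
  ends 1 2020/01/06 22:00:00 UTC;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "alice";
}
lease 10.0.0.51 {
  ends 1 2020/01/06 22:05:00 UTC;
  client-hostname "Bob's Laptop";
}
lease 10.0.0.52 {
  ends 1 2020/01/05 22:00:00 UTC;
  client-hostname "carol";
}
lease 10.0.0.50 {
  ends 1 2020/01/06 23:00:00 UTC;
  client-hostname "alice";
}
"""
SAMPLE_NOW = calendar.timegm((2020, 1, 6, 12, 0, 0, 0, 0, 0))  # 2020-01-06 12:00 UTC

def short_name(name, zone=ZONE):
    """Lower-cased first label, trailing '.zone' removed; None if not a label."""
    name = name.strip().lower().rstrip(".")
    if name.endswith("." + zone):
        name = name[:-len(zone) - 1]
    name = name.split(".")[0]
    return name if LABEL_RE.match(name) else None

def parse_hosts(text, zone=ZONE):
    """[(ip, [short names])] for non-loopback lines; first name is canonical."""
    out = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        try:
            addr = ipaddress.ip_address(fields[0]) if len(fields) > 1 else None
        except ValueError:
            addr = None
        if addr is None or addr.is_loopback:
            continue
        names = list(dict.fromkeys(s for s in (short_name(n, zone) for n in fields[1:]) if s))
        if names:
            out.append((str(addr), names))
    return out

def hosts_to_unbound_conf(text, zone=ZONE):
    """unbound.conf lines: an A record per name, one PTR for the canonical name."""
    lines = []
    for ip, names in parse_hosts(text, zone):
        lines += [f'local-data: "{n}.{zone}. IN A {ip}"' for n in names]
        lines.append(f'local-data-ptr: "{ip} {names[0]}.{zone}"')
    return lines

def parse_leases(text, now=None, zone=ZONE):
    """{ip: name} for live leases with a usable client-hostname. dhcpd appends
    to the file, so a later block for the same IP overrides an earlier one."""
    now = time.time() if now is None else now
    live = {}
    for ip, body in LEASE_RE.findall(text):
        live.pop(ip, None)
        ends = re.search(r"ends\s+\d\s+(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)", body)
        if re.search(r"\babandoned;", body) or (ends and calendar.timegm(
                time.strptime(ends.group(1), "%Y/%m/%d %H:%M:%S")) < now):
            continue
        host = re.search(r'client-hostname\s+"([^"]*)";', body)
        name = short_name(host.group(1), zone) if host else None
        if name:
            live[ip] = name
    return live

def rr_pair(ip, name, zone=ZONE):
    """A and PTR records for one host, in the form unbound-control takes."""
    fqdn = f"{name}.{zone}."
    return (f"{fqdn} IN A {ip}",
            f"{ipaddress.ip_address(ip).reverse_pointer}. IN PTR {fqdn}")

def sync_commands(previous, current, reserved=frozenset(), zone=ZONE):
    """unbound-control commands turning mapping `previous` into `current`.
    Names in `reserved` (the static hosts) are never given to a lease, so a
    client calling itself "printer" cannot take over the real printer's name."""
    current = {ip: n for ip, n in current.items() if n not in reserved}
    cmds = []
    for ip in sorted(previous, key=ipaddress.ip_address):
        if current.get(ip) != previous[ip]:
            cmds += ["local_data_remove " + rr.split()[0]
                     for rr in rr_pair(ip, previous[ip], zone)]
    for ip in sorted(current, key=ipaddress.ip_address):
        if previous.get(ip) != current[ip]:
            cmds += ["local_data " + rr for rr in rr_pair(ip, current[ip], zone)]
    return cmds
```

Wiring it up: write the hosts-derived lines into an `include:` file for unbound.conf (with `local-zone: "home.lan." static` in front of them), and run the lease part from cron or from a loop that watches /var/db/dhcpd.leases, keeping the previous map in a small state file and passing each returned string to `unbound-control` as its arguments, e.g. `unbound-control local_data alice.home.lan. IN A 10.0.0.50`. Pass the set of names from parse_hosts as `reserved` so a DHCP client cannot shadow a static host.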



Re: sysupgrade fails

2020-01-05 Thread Anders Andersson
On Sun, Jan 5, 2020 at 1:05 PM Christer Solskogen
 wrote:
>
> Sorry, I forgot to tell you that I run current. I was upgrading a snapshot
> from 1st of january to the latest one. But this has happened before (It
> looks like the last time sysupgrade did successfully work was 4th of
> December)
>
> On Sun, Jan 5, 2020 at 12:58 PM Christer Solskogen <
> christer.solsko...@gmail.com> wrote:
>
> > Hi!
> >
> > On one(out of two!) of my APUs sysupgrade fails, and I'm having trouble
> > understanding why.
> > This is what happens:
> >
> > Available disks are: sd0.
> > Which disk is the root disk? ('?' for details) [sd0] sd0
> > Checking root filesystem (fsck -fp /dev/sd0a)... OK.
> > Mounting root filesystem (mount -o ro /dev/sd0a /mnt)... OK.
> > Force checking of clean non-root filesystems? [no] no
> > umount: /mnt: Device busy
> > Can't umount sd0a!
> >
> > This does not happen if I run the upgrade manually by downloading a newer
> > bsd.rd and boot that.
> > This is a APU2c4 - My APU1 does not have this problem.
> >


Not sure if it's in any way related when it comes to doing a
sysupgrade compared to a clean install, but did you see this thread
and the corresponding BIOS upgrade?
http://openbsd-archive.7691.n7.nabble.com/APU2-fails-to-boot-on-OpenBSD-6-6-current-521-td379219.html

https://github.com/pcengines/coreboot/issues/356



Re: APU2 fails to boot on OpenBSD 6.6-current #521

2020-01-04 Thread Anders Andersson
On Sat, Jan 4, 2020 at 1:34 PM Mischa  wrote:
>
> On 20 Dec at 06:16, William Ahern  wrote:
> > On Fri, Dec 13, 2019 at 10:52:03PM +0100, Alexander Pluhar wrote:
> > >
> > > > Just upgraded my APU2 to the latest -current and it seems to hang on 
> > > > the disk.
> > > > It was fine running on -current #512.
> > >
> > > I encountered this problem on 6.6 stable with the latest syspatches 
> > > installed after
> > > updating the APU firmware[1] to 4.11.0.1.
> > >
> > > It worked again after downgrading to 4.10.0.3.
> > >
> > > [1] https://pcengines.github.io
> >
> > Here's the github ticket: https://github.com/pcengines/coreboot/issues/356
> > Looks like the culprit has been found and a fix submitted upstream.
> >
>
> 4.11.0.2 is released: https://pcengines.github.io/#mr-30

I can confirm that this solves the problem. Talk about bleeding edge.
I received my apu4c4 yesterday, tried to install OpenBSD on it today.
First time using an APU, and *of course* I was hit by this bug.
Fortunately I found the solution thanks to this email. After the
upgrade to 4.11.0.2 I could continue installing OpenBSD 6.6.

My apu4c4 was shipped from the store the same day as this patch came
out. Had I waited one more day I would have been blissfully unaware.
:)



Re: Suggestion: Replace Perl with Lua in the OpenBSD Base System

2020-01-01 Thread Anders Andersson
On Wed, Jan 1, 2020 at 4:51 AM Stuart Longland
 wrote:

> Perl 6 will be a major change though, more disruptive than the Python2→3
> mess was.  So we may be in for some "fun" in the near future.

Gotta stop this before it derails: perl 6 is not the next version of
perl 5. It's not compatible, it's not an upgrade, it's a completely
new language and no longer even shares the same name (renamed to
raku). There is no "perl 6" that will replace perl 5.



Re: perl popularity inside openbsd community? (Re: Suggestion: Replace Perl ...)

2019-12-31 Thread Anders Andersson
On Tue, Dec 31, 2019 at 4:30 PM Marc Chantreux
 wrote:
>
> On Tue, Dec 31, 2019 at 06:57:02AM -0600, Daniel Boyd wrote:
> > As one of the few remaining people out there who considers perl to be
> > their favorite language—starting to wonder if it’s just me and Larry
> > Wall at this point—I’d like to say that perl should stay in base on
> > its merits, all the perl-based system tools notwithstanding.
>
> one of the few remaining people ? is it so ? i really wonder ...
>
> Perl bashing is around the IT crowd for 20 decades and yet, when i
> compare with other dynamic languages:
>
> * perl is the only one who gives me the conciseness and spirit of unix
>   tools combined to the power of a dynamic language (the only close one
>   is ruby, the next level is raku, the others look like jokes to me).
>   so as openbsd people seem to be comfortable with this unix culture,
>   i'm inclined to think that perl is popular here.
> * CPAN is the best ecosystem to share code (metacpan is just awesome
>   compared to the other package sites, tooling is very good as well)
> * the popularity of perl around me doesn't reflect the "perl is dead" motto
>   we've heard for so many years (yes: there is a decline but it's in
>   favor of compiled languages. the only one who switched to python
>   made this choice for money reasons)
>
> both perl and openbsd popularities are underestimated just because
> they still prefer mailing lists over stackoverflow (or other web
> services who try to buzz with some charts) and don't care that much
> about marketing. but still: i will be curious to know the perl
> popularity in the openbsd community.

Don't know if anyone cares because I'm not an OpenBSD dev (maybe some
day I'll find something useful to hack on), but perl is definitely my
go-to language. I agree with the "conciseness and spirit of unix
tools", it is something that I have thought about but have never been
able to formulate.

Of course its age is showing in some areas but in my experience, those
things are actually still worked on, and have been fixed without major
incompatibilities (python3 anyone?).

I remember a few years ago when I was briefly researching a
replacement for perl for my personal projects and I tried out python3
and ruby in parallel and ruby was definitely the winner there. I have
absolutely no idea why python even gained the popularity it has, it
felt like a random hack, especially compared to ruby. The only thing I
really miss from python is "yield".



Re: I want to use I2Pd on OpenBSD.

2019-05-16 Thread Anders Andersson
On Thu, May 16, 2019 at 1:36 AM  wrote:
>
> I2P (Invisible Internet Protocol) is a universal anonymous network layer.
> Of course I2P (Java) already exists in packages.
>
> But I2P is a Java application and so big.
>
> Java I2P and i2pd are both clients for the I2P network.
>
> i2pd has some big differences and advantages:
> i2pd is just a router which you can use with other software through the I2CP
> interface.
> i2pd does not require Java. It's written in C++.
> i2pd consumes less memory and CPU.
> i2pd can be compiled everywhere gcc or clang is present (including
> Raspberry and routers).
> i2pd has some major optimizations for faster cryptography which lead to
> less consumption of processor time and energy.

Ok, so why don't you use it if it already works everywhere? I don't
think I understand your problem, or is this mostly an ad for I2Pd?



Re: Code of Conduct location

2019-04-28 Thread Anders Andersson
On Sun, Apr 28, 2019 at 10:04 AM Martijn van Duren
 wrote:
>
> You mean something like this the following?
> https://www.openbsd.org/mail.html
>
> martijn@

This one sadly seems to be lacking from every code of conduct:
"Respect differences in opinion and philosophy".



Re: hacked for the second time

2019-04-03 Thread Anders Andersson
On Wed, Apr 3, 2019 at 8:58 PM Cord  wrote:
>
> Hi,
> I have a heavy suspicion that my openbsd box has been hacked for the second
> time in a few weeks. The first time was some weeks ago, I got some
> suspicions and after a few checks I found that someone had connected to
> my vps via ssh on a non-standard port using my ssh key. The connection came
> from a tor exit node. There were 2 connections, up for 5 days. Now
> I have some other new suspicions because some private email seems known to
> others. Also I have found other open sessions on the web gui of my email
> provider, but I am absolutely sure I have always done the logout.
> I am using just chrome+unveil and I haven't used any other script or opened
> pdf (maybe I have opened 1 or 2 pdf from inside of chrome). I have used
> epiphany *only* to open the webmail because chrome crashes. My email provider
> supports html (obviously) but generally photos are not loaded. Of course I have
> pf enabled and few services.
> I also use a vpn and I visit very few web sites with chrome.. maybe 20 or 25
> websites just to read news. Sometimes I search things about openbsd.
> Could anyone help me?
> Cord.


Sounds to me like you're letting someone else mess with your hardware
since you mention a VPS. I don't see how you could trust that in the
first place. They have complete access to every machine.



Re: Virtual interfaces with own MACs

2018-09-26 Thread Anders Andersson
On Wed, Sep 26, 2018 at 1:54 PM, Per-Olov Sjöholm  wrote:
> Hi
>
> I want to receive 2 IPs that are mine from the ISP (I have to supply 2 MACs)
> over DHCP. They have a problem letting me add them permanently without dhcp as
> their snooping blocks my connection if not using dhcp.
>
> I want to use just one physical interface as I do not have more 10Gbit
> interfaces to spare. Also I want to use fake virtual MACs so I can switch
> hardware without contacting the ISP.
>
> Is it possible in OpenBSD to create sub interfaces with different MACs on 
> them and use dhcp for both? How?
>
> In linux I think it can be done as:
> ip link add link eth0 address 00:11:11:11:11:11 eth0.1 type macvlan
> ifconfig eth0.1 up
> dhclient -v eth0.1
> ip link add link eth0 address 00:11:11:11:11:12 eth0.2 type macvlan
> ifconfig eth0.2 up
> dhclient -v eth0.2
>
>
>
> Is it possible to do something similar to
>
> /etc/hostname.ix3
> up
>
> /etc/hostname.ix3:1
> !ifconfig SUBINT VIRTUAL_NEW_MAC SUBDEV $if Public IP  1”
> !dhclient ix3:1
>
>
> /etc/hostname.ix3:2
> !ifconfig SUBINT VIRTUAL_NEW_MAC SUBDEV $if Public IP  2”
> !dhclient ix3:2
>
>
> If so… What should they look like. Note that I want to provide the ISP the 
> virtual MACs and not the cards physical MAC…

Here is an old post of mine explaining what sounds like your exact
setup for the same reason:
http://openbsd-archive.7691.n7.nabble.com/Bridged-vether-interfaces-can-t-talk-to-each-other-multiple-routing-tables-td316937.html

I did get most of it working, but it was a long time ago and I never
used the router in "real life". I had issues communicating between the
domains. I'm not sure if those examples are good or bad but it could
be a starting point.



Re: Hellos from the Lands of Norway.

2017-12-09 Thread Anders Andersson
On Sat, Dec 9, 2017 at 5:21 AM, gwes  wrote:
> On 12/07/17 07:31, Ywe Cærlyn wrote:
>>
>> I saw AMDs "semi-custom" CPU email form and told them that I wanted a CPU,
>> that is clockspeed oriented, not cores (might as well be single core with high
>> HZ), that could be using several instruction macros (combining two or
>> three), for max virtual clockspeed, and an optimizing compiler for this. And
>> wondered if an additional poweroff mode could be added to the binary stream
>> of 1 0, so that bitwise i/o and cpu scheduling could be done.
>>
>> If one could get the virtual clockspeed up to 12ghz, I think no regular
>> user would ever use more than a single core. And it'd be a megahit.
>> [...]
>>
> CPU clock speed != performance.
> [...]
>

You must be new to this thread and/or user. Ywe/Üwe is the biggest
troll this year. Either that, a bot, a mental patient with internet
connection, or an art project. Trying to decode his ramblings will
surely make you insane.



Re: openbsd code coverage

2017-12-09 Thread Anders Andersson
On Sat, Dec 9, 2017 at 12:46 PM, Rupert Gallagher  wrote:
> Code Coverage?

Type that into google instead, maybe you will get a better answer.



Re: OpenBSD and you

2017-05-09 Thread Anders Andersson
On Tue, May 9, 2017 at 10:22 PM, Peter N. M. Hansteen  wrote:
> And I was just reminded off-list that the remark markdown variant
> (https://github.com/gnab/remark) used for this presentation requires
> javascript enabled in your browser.
>
> Sorry about that.
>
> I'll be looking into workarounds, hopefully some can be found.

Thank you for caring!



Re: DHCP in vmm guest

2017-05-04 Thread Anders Andersson
On Thu, May 4, 2017 at 4:13 PM, Jiri B  wrote:
> On Thu, May 04, 2017 at 03:49:27PM +0200, Reyk Floeter wrote:
>> So you have the VM interface and the host interface on a bridge:
>> dhclient on the host "steals" all DHCP packets via BPF.
>>
>> Try to pkill dhclient on the host and the VM should be able to get DHCP.
>>
>> There is currently no solution for that, it is the way our dhclient works,
>> you can try to run the VM on a NAT'ed bridge or use "-L" local interfaces.
>
> What about using vether with bridge and having host's dhclient using
> vether?

That is my solution to the same problem. Essentially I've had to make
my "primary" interface into a vether. Without this bug, I could have
used em2 (in this case) directly. Now I use vether and em2 in a
bridge.



Re: Etnernal & infernal browser woes

2017-04-28 Thread Anders Andersson
On Fri, Apr 28, 2017 at 4:09 PM, Jyri Hovila [iki.fi]
 wrote:
>
>> Have you properly configured your user?
>
> As far as I know, raising the ulimit and being in the staff class can
> not possibly be the solution. Ulimit has to be raised unless one wants
> the browser(s) to constantly crash due to memory exhaustion, and that
> I have done. But really: adding a normal user to staff class just to be
> able to run a browser properly is not in line with the secure by default
> approach, and should not (in my opinion) affect the performance in any
> way.

From what I read, it seems as if the problems are mostly from when you
try websites which are heavy on javascript. Let me butt in as a grumpy
not-so-old man and point out that there's nothing even remotely
"secure by default" by even allowing javascript, considering its
horrible track record.

Perhaps this is one of the reasons for the disinterest with browser performance?



Re: Bridged vether interfaces can't talk to each other (multiple routing tables)

2017-04-27 Thread Anders Andersson
In case someone finds this thread in the future, I would like to add
that I have now received a possible solution to the problem
out-of-band. The solution is to use pair(4):

The following setup works for me, although it is a bit too convoluted:

# cat /etc/hostname.pair0
up

# cat /etc/hostname.pair1
rdomain 1 up patch pair0

# cat /etc/hostname.bridge0
add em2 add vether0 add pair0
!dhclient vether0
!dhclient pair1


In this setup, both vether0 and pair1 get a separate IP address on
the same network but in different routing domains, but they can still
talk to each other over the patched pair+bridge.

This leads to the following mess, only possible to decipher with a
monospace font:

 .-----------------------------------.
 | bridge0          .---------.      |  10.0.0.1           .-,(  ),-.
 |                  |   em2   |------+--> dhcp server   .-(        )-.
 |                  | (no ip) |      |     gateway   --->(  internet  )
 |                  '---------'      |                   '-(        ).-'
 | .-----------.  .-----------.      |                     '-.( ).-'
 | |  vether0  |  |   pair0   |      |
 | | rdomain 0 |  | rdomain 0 |      |
 | |   dhcp    |  |  (no ip)  |      |
 | | 10.0.0.2  |  '-----^-----'      |
 | '-----------'        |            |
 '----------------------+------------'
                        |         .-----------.
                        '--patch--|   pair1   |
                                  | rdomain 1 |
                                  |   dhcp    |
                                  | 10.0.0.3  |
                                  '-----------'

Still not sure if this is a good idea, but it is the solution to my
literal problem so I consider that one solved.








Re: Bridged vether interfaces can't talk to each other (multiple routing tables)

2017-04-25 Thread Anders Andersson
On 22 April 2017 at 04:22, Edgar Pettijohn <ed...@pettijohn-web.com> wrote:
> On 04/21/17 20:49, Anders Andersson wrote:
>>
>> Now to my problem: I have no connection between vether0<->vether1.
>>
>>  # traceroute -nvq1 10.0.0.3
>>  traceroute to 10.0.0.3 (10.0.0.3), 64 hops max, 40 byte...
>>   1  *
>>   2  *
>>  ^C
>>
>> If I listen with tcpdump on the bridge, I see lots of unanswered arp
>> who-has:
>>
>>  # tcpdump -nti bridge0
>>  tcpdump: listening on bridge0, link-type EN10MB
>>  arp who-has 10.0.0.3 tell 10.0.0.2
>>  arp who-has 10.0.0.3 tell 10.0.0.2
>>  ^C
>
>
> Never done this, but maybe you need an arp proxy.  Not sure which $iface to
> put it on, but something like:
> # arp -s 10.0.0.2 00:00:00:00:00:02 pub
>
> may or may not help depending on if my understanding of what I read in the
> manual actually does what I think it will.

Thank you for the reply! I tried this, and it *does* help with the ARP
problem. However, it only moves the problem to the next stage.

# ping 10.0.0.3
PING 10.0.0.3 (10.0.0.3): 56 data bytes
^C

# tcpdump -nti vether1
tcpdump: listening on vether1, link-type EN10MB
10.0.0.2 > 10.0.0.3: icmp: echo request
10.0.0.2 > 10.0.0.3: icmp: echo request
10.0.0.2 > 10.0.0.3: icmp: echo request
^C

Now the pings are transmitted, and according to tcpdump, they are
received on the virtual interface, it's just that there's no reply.
Pinging the same interface from outside the box works great, the
packets are transported through the physical interface, through the
bridge, and ending up at the virtual interface which replies. Running
httpd on the interface in routing domain 1 also works from the
outside.

I probably have to trim this down to an even smaller example in order
to get any help, I realize that the initial mail was a bit much to
digest. I don't really *have* to connect between the interfaces, but I
expect that I will find a lot of problems with this setup in the
future unless I understand all the issues involved.

// Anders



Bridged vether interfaces can't talk to each other (multiple routing tables)

2017-04-21 Thread Anders Andersson
=== BACKGROUND ===

I'm trying to set up an OpenBSD 6.1 server having two externally visible
IP numbers through one physical network port, each IP mapping to a
unique MAC address[1]. I have it mostly working, but my interfaces can't
talk to each other.

All traffic should use the primary IP, and most services should listen
on that. The secondary IP should only be used on-demand for one or two
services.

Thinking that separate routing tables can solve this, I have configured
my network like this[2][3]:

# cat hostname.em2
up

# cat hostname.vether0
lladdr 00:00:00:00:00:02

# cat hostname.vether1
lladdr 00:00:00:00:00:03 rdomain 1

# cat hostname.bridge0
add em2 add vether0 add vether1 up
!dhclient vether0
!dhclient vether1

# cat sysctl.conf
net.inet.ip.forwarding=1

Leading to something like this[4]:
(full post in monospace: http://paste.debian.net/928811 )

 .---------------------------------.
 | bridge0        .---------.      |  10.0.0.1           .-,(  ),-.
 |                |   em2   |------+--> dhcp server   .-(        )-.
 |                | (no ip) |      |     gateway   --->(  internet  )
 |                '---------'      |                   '-(        ).-'
 | .-----------.  .-----------.    |                     '-.( ).-'
 | |  vether0  |  |  vether1  |    |
 | | rdomain 0 |  | rdomain 1 |    |
 | |   dhcp    |  |   dhcp    |    |
 | | 10.0.0.2  |  | 10.0.0.3  |    |
 | '-----------'  '-----------'    |
 '---------------------------------'

Everything else should be the default, this is on a clean 6.1 install.

This configuration works great, vether0 and vether1 both get an IP
number from my DHCP server, all traffic goes out on vether0 by default,
but I can select vether1 manually:

# traceroute -nvq1 10.0.0.1
traceroute to 10.0.0.1 (10.0.0.1), 64 hops max, 40 byte packets
 1  10.0.0.1 48 bytes to 10.0.0.2  0.994 ms

# route -T1 exec traceroute -nvq1 10.0.0.1
traceroute to 10.0.0.1 (10.0.0.1), 64 hops max, 40 byte packets
 1  10.0.0.1 48 bytes to 10.0.0.3  0.984 ms

I can also reach each IP from outside the box. They are going in on em2,
through the bridge, and into vether0 or vether1 respectively.




=== PROBLEM ===

Now to my problem: I have no connection between vether0<->vether1.

# traceroute -nvq1 10.0.0.3
traceroute to 10.0.0.3 (10.0.0.3), 64 hops max, 40 byte...
 1  *
 2  *
^C

If I listen with tcpdump on the bridge, I see lots of unanswered arp
who-has:

# tcpdump -nti bridge0
tcpdump: listening on bridge0, link-type EN10MB
arp who-has 10.0.0.3 tell 10.0.0.2
arp who-has 10.0.0.3 tell 10.0.0.2
^C

These packets even go out on em2 to my LAN, but no one ever answers. The
same thing happens in reverse.

I have experimented with these bridge settings:
'blocknonip' - adding or removing on members makes no difference
'discover' - should be the default, adding makes no difference
'learn' - should be the default, adding makes no difference



=== EXPECTATIONS ===

I expected that someone should answer those arp who-is requests, either
vether1 directly, or the bridge0 who should know which interfaces it
has. Is there something I must configure to make this work, or is my
plan flawed from the start?





=== INFORMATION ===

Various information that could help answer my question (trimmed
whitespace and boilerplate):

# route -n show -inet
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            10.0.0.1           UGS        0        0     -     8 vether0
224/4              127.0.0.1          URS        0        0 32768     8 lo0
10.0.0/24          10.0.0.2           UCn        1        0     -     4 vether0
10.0.0.1           link#6             UHLch      1        1     -     3 vether0
10.0.0.2           00:00:00:00:00:02  UHLl       0        0     -     1 vether0
10.0.0.255         10.0.0.2           UHb        0        0     -     1 vether0
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
127.0.0.1          127.0.0.1          UHhl       1        2 32768     1 lo0

# route -T1 -n show -inet
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            10.0.0.1           UGS        0       32     -     8 vether1
10.0.0/24          10.0.0.3           UCn        1        4     -     4 vether1
10.0.0.1           00:00:00:00:00:01  UHLch      1        3     -     3 vether1
10.0.0.3           00:00:00:00:00:03  UHLl       0        0     -     1 vether1
10.0.0.255         10.0.0.3           UHb        0        0     -     1 vether1

# for if in bridge0 em2 vether{0,1}; do ifconfig $if; done
bridge0: flags=41<UP,RUNNING>
   description: Bridge for external virtual NICs
   index 9 llprio 3
   groups: bridge
   priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
   designated: id 00:00:00:00:00:00 priority 0
   em2 flags=3<LEARNING,DISCOVER>
   port 3 ifpriority 0 ifcost 0
   vether0 flags=3<LEARNING,DISCOVER>
   port 6 ifpriority 0 ifcost 0
   vether1 flags=3<LEARNING,DISCOVER>
   port 7 ifpriority 0 ifcost 0
   Addresses (max cache: 100, timeout: 240):
   00:00:00:00:00:01 em2 1 flags=0<>
em2: