Re: SSH Controlmaster holding devices

2024-02-05 Thread Andy Bradford
Thus said Courtney on Mon, 05 Feb 2024 12:55:20 -0800:

> I wasn't aware that it would still be impacted when leaving the cwd.

Your shell "left the  cwd" but the SSH process did  not. In other words,
don't start processes from  a mount point that you expect  to be able to
unmount later (or kill them first).

Andy



Re: Proper way to set PATH environment with SSH non-interactive command

2024-02-05 Thread Andy Bradford
Thus said "Andy Bradford" on 04 Feb 2024 08:39:27 -0700:

> But is there a file that I can modify that will cause the shell proper
> to load some kind of environment setup also for non-interactive shells
> started with -c?

[For the archives]

As it turns out,  given that the shell does not  itself read any profile
configuration  files  for  non-interactive  shells, I  can  just  update
/etc/login.conf using ~/bin in the path:

default:\
	:path=~/bin /usr/bin /bin /usr/sbin /sbin /usr/X11R6/bin /usr/local/bin /usr/local/sbin:\

Before:

$ ssh localhost env | grep PATH
amb@localhost's password: 
PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin

After:

$ ssh localhost env | grep PATH
amb@localhost's password: 
PATH=/home/amb/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin

Arguably, this could  be done for a class that  is assigned to different
users for which  this should apply so not everyone  has this. Also, this
does  not impact  interactive shells  because, well,  interactive shells
read ~/.profile and consequently ENV applies.

Andy
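A check worth running before adopting the login.conf trick above. It is an added example, not code from the thread or from OpenBSD: sshd runs a non-interactive command through the user's shell with -c, so a bare command name is resolved along the PATH that login.conf hands out, and with ~/bin first every name a remote client invokes (rsync, scp -t, git-upload-pack, helloworld) is looked up in a user-writable directory before any system directory. The two functions below reproduce that lookup against an explicit PATH string and report which names would be taken over by a file dropped into a writable entry. The directory names used in the demo are the ones from the "After:" output above; the helper names and the test fixtures are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: resolve a bare command name against an
# explicit PATH string the way "ssh host cmd" does on the remote side
# (sshd runs $SHELL -c 'cmd', and the shell walks PATH), then report which
# names resolve into a directory the caller can write. With ~/bin first in
# login.conf, every remote command name that is not an absolute path is
# looked up in a user-writable directory before any system directory.

# first_match PATH CMD: print the first executable CMD on the colon-separated
# PATH and return 0; print nothing and return 1 if none is found.
first_match() {
    printf '%s\n' "$1" | tr ':' '\n' | {
        while IFS= read -r dir; do
            # An empty PATH component means the current directory (execvp(3)).
            [ -z "$dir" ] && dir=.
            if [ -f "$dir/$2" ] && [ -x "$dir/$2" ]; then
                printf '%s\n' "$dir/$2"
                exit 0          # leaves only the pipeline subshell
            fi
        done
        exit 1
    }
}

# hijackable PATH CMD...: for each CMD that resolves into a directory writable
# by the caller, print "CMD<TAB>resolved path". Silence means every name
# resolves somewhere the caller cannot modify (or does not resolve at all).
hijackable() {
    p=$1
    shift
    for cmd in "$@"; do
        if r=$(first_match "$p" "$cmd"); then
            dir=${r%/*}
            [ -w "$dir" ] && printf '%s\t%s\n' "$cmd" "$r"
        fi
    done
    return 0
}

# Demo against the PATH shown in the "After:" output above, with helpers that
# remote clients invoke by bare name; run as: sh pathaudit.sh demo
case "${1-}" in
demo)
    hijackable "$HOME/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin" \
        rsync scp git-upload-pack helloworld
    ;;
esac
```

If the demo prints anything, that name is served from a directory the account can write, which is exactly the property an attacker with a foothold as that user (or with scp access to the home directory) needs to turn every later "ssh host rsync" into code execution. Invoking remote commands by absolute path, as suggested later in the thread, sidesteps the lookup entirely.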



Re: Proper way to set PATH environment with SSH non-interactive command

2024-02-04 Thread Andy Bradford
Thus said "Allan Streib" on Sun, 04 Feb 2024 20:54:26 -0500:

> Just send the full path to your  script in the ssh command, and set up
> the rest of the environment within the script.

Yes, this  too is an option.  It may actually  be the best option  in my
opinion. If the user knows that  their binary is found in a non-standard
path, then the simplest thing is to  specify the full path to the binary
and leave the environment alone.

Thanks,

Andy



Re: Proper way to set PATH environment with SSH non-interactive command

2024-02-04 Thread Andy Bradford
Thus said Kastus Shchuka on Sun, 04 Feb 2024 13:40:58 -0800:

>  SetEnv  Directly specify one or more environment variables and their
>  contents to be sent to the server.

Thank you this option looks like it could also work, except it's not one
of which a user with no  permissions can take advantage as the AcceptEnv
option is  disabled by default  on most servers  I imagine. So,  while a
normal user  can set  the environment for  interactive shells,  it seems
that for non-interactive shells, the  only viable solution is to prepend
each command  with the environment  to be set  (I see nothing  in ksh(1)
that suggests that  the environment of non-interactive  shells are under
the control of the user).

Also, I don't  seem to be successful in making  SetEnv (or SendEnv) work.
I've reconfigured (and restarted) sshd_config to have:

AcceptEnv PATH

Then I configured ~/.ssh/config with:

Host localhost
  SetEnv PATH=/home/amb/bin:/bin:/usr/bin:/usr/local/bin


When I run "ssh -v localhost env"  I can see that the client sends the path:

debug1: channel 1: setting env PATH = "/home/amb/bin:/bin:/usr/bin:/usr/local/bin"
debug1: Sending command: env


But env reports the following PATH:

PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin

I also tried  using SendEnv but while the client  sends the environment,
the server seems to ignore it, even if I set the AcceptEnv pattern to *.

# sshd -T -C user=amb,host=localhost | grep acceptenv
acceptenv PATH

When I run "sshd -d -d" I see the following in the output:

debug2: Setting env 0: PATH=/home/amb/bin:/bin:/usr/bin:/usr/local/bin

So it  certainly looks like the  server is accepting the  path, however,
env still reports a different path. Is  this perhaps a bug? Maybe step 5
in LOGIN PROCESS  is overwriting the PATH that was  sent and received by
the server?

This is on OpenBSD 7.4.

Thanks,

Andy



Proper way to set PATH environment with SSH non-interactive command

2024-02-04 Thread Andy Bradford
Hello,

When using SSH to invoke a remote command via the syntax:

ssh remotehost remotecommand

The $HOME/.profile  is not used and  there appears to be  a very minimal
environment setup.  The PATH does  not include any components  that have
been added in .profile.

This is probably what step 5 in the LOGIN PROCESS is all about:

http://man.openbsd.org/sshd#LOGIN_PROCESS

According to the man page for sshd(8):

 After this, the client either requests an interactive shell or execution
 of a non-interactive command, which sshd will execute via the user's
 shell using its -c option.

So in the  case where an interactive  shell is chosen, the  PATH will be
set  according to  .profile, but  in  the case  where a  non-interactive
command is  chosen, a shell is  invoked with -c.  So I have a  script in
$HOME/bin (which  is defined in PATH  normally in .profile) which  I can
run when logged in interactively:

$ helloworld
HELLO WORLD

But when I try to run it as a non-interactive command, it fails:

$ ssh localhost helloworld
amb@localhost's password: 
ksh: helloworld: not found

Obviously, one way to do this is by calling the command like:

$ ssh localhost PATH=\$HOME/bin:\$PATH helloworld
amb@localhost's password: 
HELLO WORLD

This works and can be seen in ssh -v output as:

debug1: Sending command: PATH=$HOME/bin:$PATH helloworld

But is there a  file that I can modify that will  cause the shell proper
to load some  kind of environment setup also  for non-interactive shells
started with -c?

sshd does have  PermitUserEnvironment and that works,  however, it's not
enabled by default and  it's not a function of the  SHELL proper. From a
user  perspective, it  seems  that  the user  only  has  control of  the
environment when using interactive shells and there is no way to control
the environment for  non-interactive shells (from the  remote side). Are
these the only  2 options (PermitUserEnvironment or  prepend the command
with the environment) or is there something I'm missing from ksh(1)?

Thanks,

Andy



Re: qcad does not segfault when qtscript is compiled with -O0.

2023-12-26 Thread Andy Bradford
Thus said Stuart Henderson on Tue, 26 Dec 2023 23:25:42 +:

> This was already diagnosed and fixed in -current, see
> https://marc.info/?l=openbsd-ports=170160684730438=2

Indeed it was. While I do follow  ports@ I must not have noticed because
I only recently discovered the association with qtscript and -O0 today.

Thanks for the response.

Andy



qcad does not segfault when qtscript is compiled with -O0.

2023-12-26 Thread Andy Bradford
:1320
1320while (context) {
(gdb) print context
$11 = (QScriptContext *) 0x1

When I run it compiled with -O0 the value of that context pointer is 0x0
at  this same  moment  in  execution. Is  0x1  something  unique to  the
compiler that is trying to protect against bad code?

Is there other useful information that I can try to obtain to figure out
why it's crashing  or what it's doing wrong? Is  this perhaps a question
for the QCad community?

Thanks,

Andy

[1] https://marc.info/?l=openbsd-misc=166019212130315=2



Re: Default rdomain for CLI commands

2023-10-29 Thread Andy Lemin
A lot of interesting responses here!

And the correct answer goes to Claudio! ;)

Claudio correctly noted that if I am logging into the firewall via an SSH 
daemon running in a non-zero rdomain, then all commands I run in that SSH VTY 
will also be run under that rdomain :)

And I will do some more testing with my cronjobs to figure out why I had to add 
route -T0 exec to my crons, maybe I broke something in login.conf.

As always, thanks for your time and comments everyone! Always appreciated
Andy


> On 24 Oct 2023, at 18:51, Claudio Jeker  wrote:
> 
> On Tue, Oct 24, 2023 at 08:39:33AM -, Stuart Henderson wrote:
>>> On 2023-10-24, Andy Lemin  wrote:
>>> Hi all,
>>> 
>>> Just a quick question.
>>> 
>>> I have multiple rdomains. My outside rdomain (rdomain 0) has a single 
>>> default route to my ISP. And my internal rdomain 9 has multiple default 
>>> routes pointing to various pairX interfaces for some funky routing stuff.
>>> 
>>> Everything works beautifully, however, every command I type on the box 
>>> locally or over SSH which needs internet for example, is being executed 
>>> under the internal rdomain, not the edge rdomain.
>>> 
>>> So I have to run;
>>> ‘route -T0 exec syspatch’ for example.
>>> 
>>> How do I set/override the default rdomain for system level CLI commands?
>> 
>> The basic answer to your question is "set rtable in login.conf for the
>> relevant class". But that doesn't explain why your machine is not already
>> using rtable 0..
>> 
> 
> Because I think login.conf(5) is wrong. The default rtable is not 0. If
> rtable is not set the current rtable is not modified by login_cap(3).
> 
> --
> :wq Claudio
> 
> Index: login.conf.5
> ===
> RCS file: /cvs/src/share/man/man5/login.conf.5,v
> retrieving revision 1.70
> diff -u -p -r1.70 login.conf.5
> --- login.conf.531 Mar 2022 17:27:23 -1.70
> +++ login.conf.524 Oct 2023 08:41:21 -
> @@ -284,7 +284,7 @@ Initial priority (nice) level.
> Require home directory to login.
> .\"
> .Pp
> -.It rtable Ta number Ta Dv 0 Ta
> +.It rtable Ta number Ta "" Ta
> Rtable to be set for the class.
> .\"
> .Pp
> 
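Review bot: the replacement line `+.It rtable Ta number Ta "" Ta` leaves the default column blank, which tells the reader nothing about what actually happens when rtable is absent, and that omission is exactly what confused this thread (an SSH session started in rdomain 9 keeps rdomain 9 for every command it runs). Keep the empty default cell, but extend the description that follows it, currently just "Rtable to be set for the class.", with a sentence stating the inherited behaviour that the message body already spells out, along the lines of "If unset, the rtable of the invoking process is left unchanged."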



Re: Default rdomain for CLI commands

2023-10-24 Thread Andy Lemin
Hi Lyndon,
That is a good trick, I will try that.

But it is more of an unexpected nuisance as I’m expecting the default to be 
rdomain 0.

It seems to switch to use the rdomain with the most default routes which breaks 
things unexpectedly - for example many crontab commands break after adding 
routes, so now have to _always_ prefix with route -T0 exec (to support 
automated route changes etc).

This must be unexpected behaviour to change dynamically like this?

Thanks for your help, Andy.


> On 24 Oct 2023, at 14:09, Lyndon Nerenberg (VE7TFX/VE6BBM) wrote:
> 
> Andy Lemin writes:
> 
>> So I have to run;
>> ‘route -T0 exec syspatch’ for example.
>> 
>> How do I set/override the default rdomain for system level CLI commands?
> 
> If you're talking about running a bunch of interactive shell commands
> in rdomain 0, just 'route -T0 exec sh' to drop into a sub-shell in
> rdomain 0.
> 
> --lyndon



Default rdomain for CLI commands

2023-10-23 Thread Andy Lemin
Hi all,

Just a quick question.

I have multiple rdomains. My outside rdomain (rdomain 0) has a single default 
route to my ISP. And my internal rdomain 9 has multiple default routes pointing 
to various pairX interfaces for some funky routing stuff.

Everything works beautifully, however, every command I type on the box locally 
or over SSH which needs internet for example, is being executed under the 
internal rdomain, not the edge rdomain.

So I have to run;
‘route -T0 exec syspatch’ for example.

How do I set/override the default rdomain for system level CLI commands?

Thanks for your thoughts,
Andy.




Re: Delay in starting xterm via ssh after upgrade from 7.3 to 7.4

2023-10-23 Thread Andy Bradford
Thus said Roger Marsh on Thu, 19 Oct 2023 17:23:47 -:

> fixes the delay  problem, but was the delay  a predictable consequence
> of some change? Or perhaps the  entry should never have been expressed
> in the way that led to the delay?

Most likely the cause is an unexpected side effect of some other change.
There  have been  some interesting  changes  to SSH  with this  release,
perhaps try disabling:

http://man.openbsd.org/OpenBSD-7.4/ssh_config#ObscureKeystrokeTiming

I would be surprised  if this is actually the cause, but  it is a change
that was introduced and something that is easily tested.

You could also look through:

http://www.openbsd.org/plus74.html

See if any of the changes stand out as relevant and try to test them.

Andy



Re: OpenBSD Wireguard implementation not copying ToS from inner to outer WG header

2023-09-28 Thread Andy Lemin



> On 29 Sep 2023, at 00:09, Sonic  wrote:
> 
> 
> Hopefully not as dumb of a question as I suspect it might be.
> Does the generic...
> =
> match out on $ext_if inet proto tcp from ($ext_if) set prio (3, 7)
> match in  on $ext_if inet proto tcp to ($ext_if) set prio (3, 7)
> =
> ...take advantage of this patch when using wireguard or does the match need 
> to be applied to the wgx interface?

Hi.
I have a generic ‘match’ which does not specify interfaces or direction, and 
which sets prio, tos, and queue on all the important things. 
So yes, like your example but without direction or interface.

And of course use specific interface dependent rules to pass or drop things as 
needed.

Then as packets enter the inside Interface, the prio will be set. And when the 
packet gets to the wg interface, the prio is copied (with this patch), and 
finally the encrypted packet gets pulled out of the outside interface’s queue 
in prio order (there is more going on here, but you can assume prio order).

You will not currently be able to get the encrypted packet into any queue other 
than the ‘default’ queue as the packet tos flags and queue state labels are 
lost during encryption. But now that the prio is copied with this patch, at 
least your ACKs etc will be pulled from the one default queue first.

As this will be facing your internet connection (smaller than your LAN), you 
should still see a benefit even though TOS is not yet copied. The longer the 
pipe / greater the BDP, the more noticeable it will be.

Hope this helps, Andy.




Re: OpenBSD Wireguard implementation not copying ToS from inner to outer WG header

2023-09-19 Thread Andy Lemin
> On 19 Sep 2023, at 20:07, Janne Johansson wrote:
>> On Sun 17 Sep 2023 at 09:19, Andrew Lemin wrote:
>> Hi,
>>
>> I have been testing the Wireguard implementation on OpenBSD and noticed
>> that the ToS field is not being copied from the inner unencrypted header to
>> the outer Wireguard header, resulting in ALL packets going into the same PF
>> Prio / Queue.
>
> I think the original wireguard implementation defines it as a feature:
> You can see the lines at
> https://github.com/WireGuard/wireguard-linux/blob/stable/drivers/net/wireguard/send.c#L373
> they skip bringing it along to not leak that information to the outside.

Hi,
Yes totally agree that copying to the outer IP header should be configurable, so users have the choice to hide priority packets if required.

For my use case I _would_ like to have it in the IP header as well, as I am not trying to achieve extreme privacy, but a high performance tunnel between sites over the internet.

Allowing OpenBSD to prioritise internally makes sense to always be on however, as the ISP link is nearly always a lower speed.

> --
> May the most significant bit of your life be positive.


Re: PF queue bandwidth limited to 32bit value

2023-09-17 Thread Andy Lemin



> On 15 Sep 2023, at 18:54, Stuart Henderson  wrote:
> 
> On 2023/09/15 13:40, Andy Lemin wrote:
>> Hi Stuart,
>> 
>> Seeing as it seems like everyone is too busy, and my workaround
>> (not queue some flows on interfaces with queue defined) seems of no
>> interest,
> 
> well, it might be, but I'm not sure if it will fit with how
> queues work..

Well I can only hope some more developers sees this :)

> 
>> and my current hack to use queuing on Vlan interfaces is
>> a very incomplete and restrictive workaround; Would you please be
>> so kind as to provide me with a starting point in the source code
>> and variable names to concentrate on, where I can start tracing from
>> beginning to end for changing the scale from bits to bytes?
> 
> maybe try hfsc.c, but overall there are quite a few files involved
> in queue definition and use from start to finish. or going from the
> other side start with how pfctl defines queues and follow through
> from there.
> 

Thank you, I will try (best effort as time permits), and see how far I get.. 
(probably not far ;)




Re: PF queue bandwidth limited to 32bit value

2023-09-14 Thread Andy Lemin
Hi Stuart,

Seeing as it seems like everyone is too busy, and my workaround (not queue some flows on interfaces with queue defined) seems of no interest, and my current hack to use queuing on Vlan interfaces is a very incomplete and restrictive workaround; would you please be so kind as to provide me with a starting point in the source code and variable names to concentrate on, where I can start tracing from beginning to end for changing the scale from bits to bytes?

Thanks :)
Andy

> On 14 Sep 2023, at 19:34, Andrew Lemin wrote:
> On Thu, Sep 14, 2023 at 7:23 PM Andrew Lemin wrote:
>> On Wed, Sep 13, 2023 at 8:35 PM Stuart Henderson wrote:
>>> On 2023-09-13, Andrew Lemin wrote:
>>>> I have noticed another issue while trying to implement a 'prio'-only
>>>> workaround (using only prio ordering for inter-VLAN traffic, and HSFC
>>>> queuing for internet traffic);
>>>> It is not possible to have internal inter-vlan traffic be solely priority
>>>> ordered with 'set prio', as the existence of 'queue' definitions on the
>>>> same internal vlan interfaces (required for internet flows), demands one
>>>> leaf queue be set as 'default'. Thus forcing all inter-vlan traffic into
>>>> the 'default' queue despite queuing not being wanted, and so
>>>> unintentionally clamping all internal traffic to 4294M just because full
>>>> queuing is needed for internet traffic.
>>>
>>> If you enable queueing on an interface all traffic sent via that
>>> interface goes via one queue or another.
>>
>> Yes, that is indeed the very problem. Queueing is enabled on the inside interfaces, with bandwidth values set slightly below the ISP capacities (multiple ISP links as well), so that all things work well for all internal users.
>>
>> However this means that inter-vlan traffic from client networks to server networks are restricted to 4294Mbps for no reason. It would make a huge difference to be able to allow local traffic to flow without being queued/restricted.
>>
>>> (also, AIUI the correct place for queues is on the physical interface
>>> not the vlan, since that's where the bottleneck is... you can assign
>>> traffic to a queue name as it comes in on the vlan but I believe the
>>> actual queue definition should be on the physical iface).
>>
>> Hehe yes I know. Thanks for sharing though.
>>
>> I actually have very specific reasons for doing this (queues on the VLAN ifaces rather than phy) as there are multiple ISP connections for multiple VLANs, so the VLAN queues are set to restrict for the relevant ISP link etc.
>>
>> Also separate to the multiple ISPs (I won't bore you with why as it is not relevant here), the other reason for queueing on the VLANs is because it allows you to get closer to the 10Gbps figure.
>>
>> Ie, If you have queues on the 10Gbps PHY, you can only egress 4294Mbps to _all_ VLANs. But if you have queues per-VLAN iface, you can egress multiple times 4294Mbps on aggregate.
>>
>> Eg, vlans 10,11,12,13 on single mcx0 trunk. 10->11 can do 4294Mbps and 12->13 can do 4294Mbps, giving over 8Gbps egress in total on the PHY. It is dirty, but like I said, desperate for workarounds... :(
>>
>>> "required for internet flows" - depends on your network layout.. the
>>> upstream feed doesn't have to go via the same interface as inter-vlan
>>> traffic.
>>
>> I'm not sure what you mean. All the internal networks/vlans are connected to local switches, and the switches have trunk to the firewall which hosts the default gateway for the VLANs and does inter-vlan routing.
>>
>> So all the clients go through the same VLANs/trunk/gateway for inter-vlan as they do for internet. Strict L3/4 filtering is required on inter-vlan traffic.
>>
>> I am honestly looking for support to recognise that this is a correct, valid and common setup, and so there is a genuine need to allow flows to not be queued on interfaces that have queues (which has many potential applications for many use cases, not just mine - so should be of interest to the developers?).
>>
>> Do you know why there has to be a default queue? Yes I know that traffic excluded from queues would take from the same interface the queueing is trying to manage, and potentially causes congestion. However with 10Gbps networking which is beyond common now, this does not matter when the queues are stuck at 4294Mbps.
>>
>> Desperately trying to find workarounds that appeal.. Surely the need is a no brainer, and it is just a case of trying to encourage interest from a developer?
>>
>> Thanks :)



Re: SCRIPT_FILENAME not set to index file.

2023-08-19 Thread Andy Bradford
Thus said "Andy Bradford" on 19 Aug 2023 08:44:23 -0600:

> location "/books/*" {
> fastcgi socket "/run/tcl.sock"
> directory { index "index.tcl" }
> }

Responding to self for the archives  in case someone runs into a similar
challenge.

I think I've  figured out the problem. I was  combining too many options
into a single "location" rule. This works as expected:

location "/books/index.tcl" { fastcgi socket "/run/tcl.sock" }
location "/books/" { directory { index "index.tcl" } }
location "/books/*.tcl" { block }

Sorry for the noise.

Andy



SCRIPT_FILENAME not set to index file.

2023-08-19 Thread Andy Bradford
Hello,

I have the following configuration in httpd.conf:

location "/books/*" {
fastcgi socket "/run/tcl.sock"
directory { index "index.tcl" }
}

When I put the URL into  my browser https://localhost/books/ I get a 500
Internal Server Error. Looking at the  slowcgi logs, I see the following
being set:

2023-08-19 08:35:18.157737500 slowcgi: env[2], 
SCRIPT_FILENAME=/vhosts/ssl/books/
...
2023-08-19 08:35:18.157950500 slowcgi: fork: /vhosts/ssl/books/
2023-08-19 08:35:18.158928500 slowcgi: wait: /vhosts/ssl/books/

And in the httpd log I find:

slowcgi: execve /vhosts/ssl/books/: Permission denied

I   notice  that   if   I  put   the   full  URL   in   my  browser   as
https://localhost/books/index.html  it works  fine as  can be  seen from
this log entry:

2023-08-19 08:38:58.806406500 slowcgi: env[2], 
SCRIPT_FILENAME=/vhosts/ssl/books/index.tcl

Is  there some  confirmation I'm  missing  to make  httpd construct  the
SCRIPT_FILENAME properly when using a directory index?

Also, I notice that if  I put the URL https://localhost/books/bogus.html
I don't get a  404 or 403 but instead get a  500 and the SCRIPT_FILENAME
is again set  to /vhosts/ssl/books. I suspect  there's something missing
in my reading of the man page.

Thanks,

Andy




Re: IPsec "road warrior" VPN not getting set up properly.

2023-07-08 Thread Andy Bradford
Thus said Anthony Coulter on Thu, 06 Jul 2023 21:52:54 -0400:

> I would also suggest comparing the  "hackiness" of NDP proxying to the
> hackiness of NAT, which is how we solve this same problem in IPv4.

I realize  I'm coming in late  to this discussion, and  may not actually
have anything of value to add, but...

I'm not sure how NDP proxying and NAT  are related at all. I seems to me
that NDP proxying is more akin to proxy ARP than NAT:

http://man.openbsd.org/arp#s

Andy



qcad segfault on 7.1 amd64

2022-08-10 Thread Andy Bradford
uot; rev 0x11: apic 0 int 17
usb3 at ehci1: USB revision 2.0
uhub3 at usb3 configuration 1 interface 0 "AMD EHCI root hub" rev 2.00/1.00 
addr 1
piixpm0 at pci0 dev 20 function 0 "AMD Hudson-2 SMBus" rev 0x16: SMI
iic0 at piixpm0
spdmem0 at iic0 addr 0x52: 8GB DDR3 SDRAM PC3-12800
spdmem1 at iic0 addr 0x53: 8GB DDR3 SDRAM PC3-12800
azalia1 at pci0 dev 20 function 2 "AMD Hudson-2 HD Audio" rev 0x01: apic 0 int 
16
azalia1: codecs: Realtek ALC662
audio0 at azalia1
pcib0 at pci0 dev 20 function 3 "AMD Hudson-2 LPC" rev 0x11
ppb1 at pci0 dev 20 function 4 "AMD Hudson-2 PCI" rev 0x40
pci2 at ppb1 bus 2
ohci2 at pci0 dev 20 function 5 "AMD Hudson-2 USB" rev 0x11: apic 0 int 18, 
version 1.0, legacy support
pchb4 at pci0 dev 24 function 0 "AMD 15h Link Cfg" rev 0x00
pchb5 at pci0 dev 24 function 1 "AMD 15h Address Map" rev 0x00
pchb6 at pci0 dev 24 function 2 "AMD 15h DRAM Cfg" rev 0x00
pchb7 at pci0 dev 24 function 3 "AMD 15h Misc Cfg" rev 0x00
pchb8 at pci0 dev 24 function 4 "AMD 15h CPU Power" rev 0x00
pchb9 at pci0 dev 24 function 5 "AMD 15h Misc Cfg" rev 0x00
usb4 at ohci0: USB revision 1.0
uhub4 at usb4 configuration 1 interface 0 "AMD OHCI root hub" rev 1.00/1.00 
addr 1
usb5 at ohci1: USB revision 1.0
uhub5 at usb5 configuration 1 interface 0 "AMD OHCI root hub" rev 1.00/1.00 
addr 1
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
usb6 at ohci2: USB revision 1.0
uhub6 at usb6 configuration 1 interface 0 "AMD OHCI root hub" rev 1.00/1.00 
addr 1
uhidev0 at uhub0 port 3 configuration 1 interface 0 "Holtek USB-HID Keyboard" 
rev 2.00/1.06 addr 2
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 variable keys, 6 key codes
wskbd0 at ukbd0: console keyboard
uhidev1 at uhub0 port 3 configuration 1 interface 1 "Holtek USB-HID Keyboard" 
rev 2.00/1.06 addr 2
uhidev1: iclass 3/0
uhid0 at uhidev1: input=64, output=64, feature=0
uhidev2 at uhub0 port 3 configuration 1 interface 2 "Holtek USB-HID Keyboard" 
rev 2.00/1.06 addr 2
uhidev2: iclass 3/0, 4 report ids
uhid1 at uhidev2 reportid 1: input=1, output=0, feature=0
ucc0 at uhidev2 reportid 2: 18 usages, 13 keys, enum
wskbd1 at ucc0 mux 1
ums0 at uhidev2 reportid 3: 8 buttons, Z and W dir
wsmouse0 at ums0 mux 0
ukbd1 at uhidev2 reportid 4: no usable key codes array
uhidev3 at uhub0 port 4 configuration 1 interface 0 "Acrox AmazonBasics gaming 
mouse" rev 2.00/2.15 addr 3
uhidev3: iclass 3/1
ums1 at uhidev3: 5 buttons, Z and W dir
wsmouse1 at ums1 mux 0
uhidev4 at uhub0 port 4 configuration 1 interface 1 "Acrox AmazonBasics gaming 
mouse" rev 2.00/2.15 addr 3
uhidev4: iclass 3/1, 32 report ids
ukbd2 at uhidev4 reportid 1: 8 variable keys, 6 key codes
wskbd2 at ukbd2 mux 1
ucc1 at uhidev4 reportid 2: 897 usages, 18 keys, array
wskbd3 at ucc1 mux 1
uhid2 at uhidev4 reportid 4: input=63, output=63, feature=0
uhid3 at uhidev4 reportid 32: input=0, output=0, feature=50
ugen0 at uhub2 port 1 "Amazon Kindle" rev 2.00/2.16 addr 2
umass0 at uhub2 port 3 configuration 1 interface 0 "Generic USB2.0-CRW" rev 
2.00/57.13 addr 3
umass0: using SCSI over Bulk-Only
scsibus2 at umass0: 2 targets, initiator 0
sd2 at scsibus2 targ 1 lun 0:  removable 
serial.0bda015392657120
vscsi0 at root
scsibus3 at vscsi0: 256 targets
softraid0 at root
scsibus4 at softraid0: 256 targets
root on sd0a (2efaa3fa93ca6a53.a) swap on sd0b dump on sd0b
radeondrm0: KAVERI
### AML PARSE ERROR (0xf98): Undefined name: \\_SB_.ALIB
error evaluating: \\_SB_.PCI0.VGA_.ATCS
radeondrm0: 1920x1200, 32bpp
wsdisplay0 at radeondrm0 mux 1: console (std, vt100 emulation), using wskbd0
wskbd1: connecting to wsdisplay0
wskbd2: connecting to wsdisplay0
wskbd3: connecting to wsdisplay0
wsdisplay0: screen 1-5 added (std, vt100 emulation)

Thanks,

Andy



secure.io domain

2021-06-18 Thread Andy Booth
Would you consider selling this domain?

-- 
Andy Booth

Telephone: (+350) 5600-2587
Email: a...@booth.com
Address: Booth.com, Ltd., Suite 4, 4 Giro's Passage, Gibraltar, GX11 1AA

"Knowledge speaks, but wisdom listens." - Jimi Hendrix


problems with outbound load-balancing (PF sticky-address for destination IPs)

2021-04-02 Thread Andy Lemin
Hi smart people :)

The current implementation of ‘sticky-address‘ relates only to a sticky source 
IP.
https://www.openbsd.org/faq/pf/pools.html

This is used for inbound server load balancing, by ensuring that all socket 
connections from the same client/user/IP on the internet goes to the same 
server on your local server pool.

This works great for ensuring simplified memory management of session artefacts 
on the application being hosted (the servers do not have to synchronise the 
users session data as extra sockets from that user will always connect to the 
same local server)

However sticky-address does not have an equivalent for sticky destination IPs. 
For example when doing outbound load balancing over multiple ISP links, every 
single socket is load balanced randomly. This causes many websites to break 
(especially cookie login and single-sign-on style enterprise services), as the 
first outbound socket will originate randomly from one of the local ISP IPs, 
and the users login session/SSO (on the server side) will belong to that first 
random IP.

When the user then browses to or uses another part of that same website which 
requires additional sockets, the additional sockets will pass the SSO 
credentials from the first socket, but the extra socket connection will again 
be randomly load-balanced, and so the remote server will reject the connection 
as it is originating from the wrong source IP etc.

Therefore can I please propose a “sticky-address for destination IPs” as an 
analogue to the existing sticky-address for source IPs?

This is now such a problem that we have to use sticky-address even on outbound 
load-balancing connections, which causes internal user1 to always use the same 
ISP for _everything_ etc. While this does stop the breakage, it does not result 
in evenly distributed balancing of traffic, as users are locked to one single 
transit, for all their web browsing for the rest of the day after being 
randomly balanced once first-thing in the morning, rather than all users 
balancing over all transits throughout the day.

Another pain; using the current source-ip sticky-address for outbound 
balancing, makes it hard to drain transits for maintenance. For example without 
source sticky-address balancing, you can just remove the transit from the Pf 
rule, and after some time, all traffic will eventually move over to the other 
transits, allowing the first to be shut down for whatever needs. But with the 
current source-ip sticky-address, that first transit will take months to drain 
in real-world situations..

lastly just as a nice-to-have, how feasible would a deterministic load 
balancing algorithm be? So that balancing selection is done based on the “least 
utilised” path?

Thanks for your time and consideration,
Kindest regards Andy



Sent from a teeny tiny keyboard, so please excuse typos.
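A small model of the two keying policies discussed in the post above. It is added here and is not PF code or anything from the proposal: it hashes a key to one of N links (the CRC from cksum, modulo N, stands in for PF's hash) and then measures the property the post cares about, namely how many links one client ends up on across its servers. Keying on the source alone reproduces what sticky-address gives when applied to outbound balancing (one ISP for that client's entire day); keying on the (source, destination) pair keeps every socket between one client and one server on the same ISP while the client's other servers still spread across all links. Addresses and link counts are constructed inputs.

```shell
#!/bin/sh
# Added model, not PF code: pick an egress link for a new outbound connection
# under two keying policies and measure the stickiness each gives. Links are
# plain indices 0..N-1 and the addresses in the demo are constructed inputs.

# hash_pick KEY NLINKS: deterministic link index for KEY (cksum CRC mod N).
hash_pick() {
    crc=$(printf '%s' "$1" | cksum | cut -d' ' -f1)
    echo $(( crc % $2 ))
}

# pick POLICY SRC DST NLINKS
#   source  key on the client address only: what sticky-address gives when
#           used for outbound balancing (one ISP per client, for everything)
#   srcdst  key on client and server address: the requested sticky
#           destination (every socket from one client to one server leaves
#           via the same ISP, while that client's other servers still spread)
pick() {
    case "$1" in
    source) hash_pick "$2" "$4" ;;
    srcdst) hash_pick "$2>$3" "$4" ;;
    *) echo "unknown policy: $1" >&2; return 1 ;;
    esac
}

# distinct_links POLICY SRC NLINKS DST...: number of different links one
# client uses across connections to the listed servers.
distinct_links() {
    policy=$1 src=$2 n=$3
    shift 3
    for dst in "$@"; do
        pick "$policy" "$src" "$dst" "$n"
    done | sort -u | wc -l | tr -d ' '
}

# Demo: run as  sh sticky.sh demo
case "${1-}" in
demo)
    servers="198.51.100.1 198.51.100.2 203.0.113.7 203.0.113.8 192.0.2.9"
    for pol in source srcdst; do
        printf '%s: client 10.0.0.5 uses %s of 3 links\n' "$pol" \
            "$(distinct_links "$pol" 10.0.0.5 3 $servers)"
    done
    ;;
esac
```

The per-pair invariant is what fixes the SSO breakage the post describes: the second socket to the same server hashes to the same link as the first, so the server sees one source address. Draining a link is still a separate problem; a pure hash moves every pair keyed to the removed link at once rather than letting traffic age out.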


Re: clock not set on boot

2020-12-05 Thread Andy Goblins
> From: "Theo de Raadt" 
>
> ntpd is run by default, and magically will correct the time almost 
> immediately.
>
> Some significant effort went into this a few years ago.
>
> However, the kernel message will always be there.  You can ignore it.
>
> Run ntpctl -s all, and you'll see the time has been corrected before
> significant daemons start.

ntpd is running, but the clock isn't getting corrected before significant 
daemons start. In fact, it's causing other daemons, like unbound, to fail.
$ ntpctl -s all
5/5 peers valid, constraint offset 5355740s, clock unsynced, clock offset is 
5355739014.329ms
...

/var/messages:
Oct  4 21:20:24 hostname ntpd[61157]: ntp engine ready
Oct  4 21:20:25 hostname ntpd[61157]: constraint reply from 9.9.9.9: offset 
5355740.057722
Oct  4 21:20:26 hostname unbound: [98456:0] notice: init module 0: validator
Oct  4 21:20:26 hostname unbound: [98456:0] notice: init module 1: iterator
Oct  4 21:20:26 hostname unbound: [98456:0] info: start of service (unbound 
1.11.0).
Oct  4 21:20:27 hostname ntpd[61157]: cancel settime because dns probe failed
Oct  4 21:20:27 hostname unbound: [25295:1] info: failed to prime trust anchor 
-- DNSKEY rrset is not secure . DNSKEY IN
...

Does ntpd need DNS to set the time? Because my resolv.conf points to 127.0.0.1 
and unbound needs the time before it will work properly.



Re: No xenocara for ATI Radeon HD 2400 XT

2020-08-11 Thread Andy Bradford
Thus said Jonathan Gray on Mon, 10 Aug 2020 23:54:54 +1000:

> For now we could just skip reading a disabled bios on RV610.

Thanks, that tweak seems to have gotten  past the problem and now X will
start:

initializing kernel modesetting (RV610 0x1002:0x94C1 0x1028:0x0D02 0x00).
radeondrm0: 1680x1050, 32bpp
wsdisplay0 at radeondrm0 mux 1: console (std, vt100 emulation), using wskbd0
wskbd1: connecting to wsdisplay0
wsdisplay0: screen 1-5 added (std, vt100 emulation)

I wonder what the difference is between i386 and amd64...

Thanks,

Andy



Re: No xenocara for ATI Radeon HD 2400 XT

2020-08-09 Thread Andy Bradford
Thus said Jonathan Gray on Sun, 09 Aug 2020 12:39:36 +1000:

> When this  came up previously running  i386 resulted in being  able to
> read the atombios. Can you confirm that is the case here?

Yes, this is the case. I installed OpenBSD 6.7 i386 to the same hardware
and  there is  no  error in  dmesg  and X  starts  up without  requiring
machdep.allowaperture to be set.

> The drm code in -current/snapshots has  been replaced by a new port of
> the linux 5.7 code so behaviour there may change.

I tried  the amd64 current/snapshot  from August 8  and it has  the same
problem.

I guess for now I can reinstall with i386 unless there is something else
that I should try for debugging. I can provide whatever is needed.

Thanks,

Andy



No xenocara for ATI Radeon HD 2400 XT

2020-08-08 Thread Andy Bradford
 X2, ATI Mobility Radeon HD 3870,
ATI Mobility Radeon HD 3870 X2, ATI Radeon HD3870 X2,
ATI FireGL V7700, ATI Radeon HD3690, AMD Firestream 9170,
ATI Radeon HD 4550, ATI Radeon RV710, ATI Radeon HD 4350,
ATI Mobility Radeon 4300 Series, ATI Mobility Radeon 4500 Series,
ATI FirePro RG220, ATI Mobility Radeon 4330, ATI RV630,
ATI Mobility Radeon HD 2600, ATI Mobility Radeon HD 2600 XT,
ATI Radeon HD 2600 XT AGP, ATI Radeon HD 2600 Pro AGP,
ATI Radeon HD 2600 XT, ATI Radeon HD 2600 Pro, ATI Gemini RV630,
ATI Gemini Mobility Radeon HD 2600 XT, ATI FireGL V5600,
ATI FireGL V3600, ATI Radeon HD 2600 LE,
ATI Mobility FireGL Graphics Processor, ATI Radeon HD 3470,
ATI Mobility Radeon HD 3430, ATI Mobility Radeon HD 3400 Series,
ATI Radeon HD 3450, ATI Radeon HD 3430, ATI FirePro V3700,
ATI FireMV 2450, ATI Radeon HD 3600 Series, ATI Radeon HD 3650 AGP,
ATI Radeon HD 3600 PRO, ATI Radeon HD 3600 XT,
ATI Mobility Radeon HD 3650, ATI Mobility Radeon HD 3670,
ATI Mobility FireGL V5700, ATI Mobility FireGL V5725,
ATI Radeon HD 3200 Graphics, ATI Radeon 3100 Graphics,
ATI Radeon HD 3300 Graphics, ATI Radeon 3000 Graphics, SUMO, SUMO2,
ATI Radeon HD 4200, ATI Radeon 4100, ATI Mobility Radeon HD 4200,
ATI Mobility Radeon 4100, ATI Radeon HD 4290, ATI Radeon HD 4250,
AMD Radeon HD 6310 Graphics, AMD Radeon HD 6250 Graphics,
AMD Radeon HD 6300 Series Graphics,
AMD Radeon HD 6200 Series Graphics, PALM, CYPRESS,
ATI FirePro (FireGL) Graphics Adapter, AMD Firestream 9370,
AMD Firestream 9350, ATI Radeon HD 5800 Series,
ATI Radeon HD 5900 Series, ATI Mobility Radeon HD 5800 Series,
ATI Radeon HD 5700 Series, ATI Radeon HD 6700 Series,
ATI Mobility Radeon HD 5000 Series, ATI Mobility Radeon HD 5570,
ATI Radeon HD 5670, ATI Radeon HD 5570, ATI Radeon HD 5500 Series,
REDWOOD, ATI Mobility Radeon Graphics, CEDAR, ATI FirePro 2270,
ATI Radeon HD 5450, CAYMAN, AMD Radeon HD 6900 Series,
AMD Radeon HD 6900M Series, Mobility Radeon HD 6000 Series, BARTS,
AMD Radeon HD 6800 Series, AMD Radeon HD 6700 Series, TURKS, CAICOS,
ARUBA, TAHITI, PITCAIRN, VERDE, OLAND, HAINAN, BONAIRE, KABINI,
MULLINS, KAVERI, HAWAII
[34.366] (II) VESA: driver for VESA chipsets: vesa
[34.368] (II) [KMS] drm report modesetting isn't supported.
[34.390] (EE) Screen 0 deleted because of no matching config section.
[34.390] (II) UnloadModule: "radeon"
[34.391] (II) Loading sub module "vbe"
[34.391] (II) LoadModule: "vbe"
[34.457] (II) Loading /usr/X11R6/lib/modules/libvbe.so
[34.508] (II) Module vbe: vendor="X.Org Foundation"
[34.509]compiled for 1.20.8, module version = 1.1.0
[34.509]ABI class: X.Org Video Driver, version 24.1
[34.509] (II) Loading sub module "int10"
[34.509] (II) LoadModule: "int10"
[34.511] (II) Loading /usr/X11R6/lib/modules/libint10.so
[34.700] (II) Module int10: vendor="X.Org Foundation"
[34.700]compiled for 1.20.8, module version = 1.0.0
[34.700]ABI class: X.Org Video Driver, version 24.1
[34.700] (II) VESA(0): initializing int10
[34.742] (EE) VESA(0): Cannot read int vect
[34.742] (II) UnloadModule: "vesa"
[34.742] (II) UnloadSubModule: "int10"
[34.742] (II) Unloading int10
[34.742] (II) UnloadSubModule: "vbe"
[34.742] (II) Unloading vbe
[34.743] (EE) Screen(s) found, but none have a usable configuration.
[34.743] (EE) 
Fatal server error:
[34.743] (EE) no screens found(EE) 
[34.743] (EE) 
Please consult the The X.Org Foundation support 
 at http://wiki.x.org
 for help. 
[34.743] (EE) Please also check the log file at "/var/log/Xorg.0.log" for 
additional information.
[34.743] (EE) 
[34.774] (EE) Server terminated with error (1). Closing log file.


Thanks,

Andy
-- 

When the whole  world is running towards  a cliff, he who  is running in
the opposite direction appears to have lost his mind. --- C. S. Lewis

TAI64 timestamp: 40005f2ed196




Re: Disable ftp in pkg_add syspatch sysupgrade

2019-11-03 Thread Andy Lemin
For completeness, I discovered I was having issues with downloading the sources 
for the sysupgrade command on my edge firewall also! So it was not limited to 
internet servers as first thought.

Since upgrading to 6.6 (had to run sysupgrade 4 times to get it to complete 
the downloads), the issues seem to have been resolved and now all packages are 
installing first time, every time.

So I am not sure if this is just me or a 6.5 issue. Most likely the former ;)

Kind regards, Andy.



Sent from a teeny tiny keyboard, so please excuse typos

> On 31 Oct 2019, at 01:47, Stuart Henderson  wrote:
> 
>> On 2019-10-30, Andrew Lemin  wrote:
>> - But throws errors when I try and use flavours which is critical for
>> installing python for example (NB; This is a different error to before,
>> where I was getting 'timeout' instead of 'Invalid argument');
>> [HOME]root@testbsd1:/local#pkg_add python%2 py-pip python%3 py3-pip
>> py3-setuptools
>> quirks-3.124 signed on 2019-10-16T20:27:45Z
>> http://mirror.bytemark.co.uk/pub/OpenBSD/6.5/packages/amd64/py3-setuptools-40.0.0v0.tgz:
>> ftp: Receiving HTTP reply: Invalid argument
>> signify: gzheader truncated
>> Couldn't install py3-setuptools-40.0.0v0
> 
> Odd. Can you try replicating on 6.6?
> 
> Does "pkg_add py-pip py3-pip py3-setuptools" (i.e. allow pkg_add to
> find the dependencies by itself) work?
> 
> 



Re: Disable ftp in pkg_add syspatch sysupgrade

2019-11-03 Thread Andy Lemin
Hahaha
Thanks Theo, that made me smile.

But you have answered my question perfectly, albeit in a roundabout way.

Indeed it doesn’t matter what it is called, and would be clearer with a generic 
name, as we got caught out by a program calling another program with a colliding 
name.

For example, Having ‘pkg_add’ call a program named ‘ftp’ to perform http and 
https downloads. But where errors in the ftp subprocess are printed by the 
pkg_add process, making it seem like pkg_add was failing on an ftp protocol 
request, rather than the ‘ftp’ client process failing (while doing an http 
call)..

So I think it was pretty fair for us to end up scratching our heads ;)

Thanks, Andy.


Sent from a teeny tiny keyboard, so please excuse typos

> On 30 Oct 2019, at 15:54, Theo de Raadt  wrote:
> 
> Andrew Lemin  wrote:
> 
>> To me this seems unusual (was expecting 'curl' or 'wget' etc to avoid code
>> duplication) and confusing? What do you think?
> 
> curl is not in openbsd
> 
> wget is not in openbsd
> 
> Maybe we should rename our downloading software to lemin, which is
> obviously a randomly chosen name with some obscure acronym we'll invent
> to back the name, being a name noone recognizes we can probably avoid
> assumptions as to what it does, whether it does ftp, or http, or https,
> or who knows what.  Of course such a strange name would also lead people
> to not discovering it, and make them install some monster software
> package off the internet with another strange name.
> 
> In summary I think it's turning into a shitty world with selection by
> meme.
> 
> 



Disable ftp in pkg_add syspatch sysupgrade

2019-10-28 Thread Andy Lemin
Hi guys,

Does anyone know if it is possible to completely disable ftp in the package 
management utilities; pkg_add, syspatch, sysupgrade etc?

My PKG_PATH references http:// urls, as does /etc/install. But I cannot stop 
these tools trying to use ftp which does not work! :(

Every time I try and install a bunch of packages, some work fine via http, and 
then some will fall back to ftp, which of course fails. 

However, when I test the URL for the package that it reports it could not download 
(due to the ftp connect timeout), the download works fine via http etc. So it is 
very frustrating.

We cannot use ftpproxy as we use rdomains, and running the ftpproxy daemon 
within the rdomain that has the default route to the internet doesn’t seem to 
work. And generally speaking no one in my last two companies has ever asked me 
to make ftp work.

As ftp is very much dead in most cases, could we please stop using it for 
package management tools? :( I cannot update any of my OpenBSD servers which 
reside inside the firewall. Only the firewall itself gets updates because of 
the ftp dependence :(

Thanks for your time.
Andy.


Sent from a teeny tiny keyboard, so please excuse typos



Re: Building Unbound with Python module support

2019-08-07 Thread Andy Lemin
Hi Claudio,

I did actually try putting my python plugin and unboundmodule.py into the 
chroot, but I completely forgot that I would also need to install the rest of 
python into the chroot! Haha

Serves me right for working on it until 1am when I should have been 
asleep and trying with fresh eyes the next day ;)

All working now. You guys are heroes.

Thank you for the gentle nudges in the right direction.

Kindest regards.
Andy Lemin


Sent from a teeny tiny keyboard, so please excuse typos

> On 7 Aug 2019, at 09:01, Claudio Jeker  wrote:
> 
>> On Wed, Aug 07, 2019 at 08:44:07AM +0100, Andy Lemin wrote:
>> Morning Stuart,
>> 
>> So I’ve tested with the base build options properly, the initial errors I 
>> saw before have gone which is good. But I have a more fundamental issue with 
>> Unbound now sadly.
>> 
>> Swig successfully built “/usr/src/unbound/pythonmod/unboundmodule.py” and 
>> installed it to “/usr/local/lib/python2.7/site-packages/unboundmodule.py”.
>> 
>> However unbound is unable to find it, and the following errors are seen;
>> [HOME]root@bsd1:/var/unbound#/usr/local/sbin/unbound -c 
>> /var/unbound/etc/unbound.conf -dv
>> 
>> [1565135861] unbound[90497:0] notice: Start of unbound 1.9.3.
>> 
>> [1565135861] unbound[90497:0] debug: increased limit(open files) from 128 to 
>> 16478
>> 
>> [1565135861] unbound[90497:0] debug: creating udp4 socket 127.0.0.1 53
>> 
>> [1565135861] unbound[90497:0] debug: creating udp4 socket 10.10.1.5 53
>> 
>> [1565135861] unbound[90497:0] debug: creating unix socket 
>> /var/run/unbound.sock
>> 
>> [1565135861] unbound[90497:0] debug: switching log to syslog
>> 
>> Could not find platform independent libraries 
>> 
>> Could not find platform dependent libraries 
>> 
>> Consider setting $PYTHONHOME to [:]
>> 
>> Traceback (most recent call last):
>> 
>>  File "", line 1, in 
>> 
>> ImportError: No module named distutils.sysconfig
>> 
>> Traceback (most recent call last):
>> 
>>  File "", line 1, in 
>> 
>> NameError: name 'distutils' is not defined
>> 
>> Traceback (most recent call last):
>> 
>>  File "", line 1, in 
>> 
>> ImportError: No module named unboundmodule
>> 
>> 
>> 
>> I have tried all manner of values for PYTHONHOME and I have also tried 
>> 
>> --with-pythonmodule=/usr/local/lib/python2.7/site-packages
>> 
>> 
>> Searching around shows others have found the exact same issue;
>> https://nlnetlabs.nl/pipermail/unbound-users/2011-July/007371.html
>> 
>> What do you think about this in context of OpenBSD?
>> 
> 
> unbound does a chroot(2) by default to /var/unbound and so anything in
> /usr/local is unreachable. Either install the python code into the chroot
> or try running unbound with chroot: "" (which disables chroot). See also
> unbound.conf(5) for more info about chroot.
> 
> 
>> Sent from a teeny tiny keyboard, so please excuse typos
>> 
>>> On 7 Aug 2019, at 00:03, Andy Lemin  wrote:
>>> 
>>> Hi Stuart,
>>> 
>>> Thanks for your reply.
>>> 
>>> So I put in some leg work to set myself up so I could build a new release 
>>> base system, and went digging.
>>> 
>>> And I found “/usr/src/usr.src/unbound/Makefile.bsd-wrapper” so I think I 
>>> have found the correct build options to match with the base builds 
>>> CONFIGURE_OPTS_UNBOUND
>>> 
>>> I will try again with these options tomorrow, and see if I have the same 
>>> errors.
>>> 
>>> “The default install can't include Python support, because the default 
>>> install of Unbound is in the base OS, and Python isn't.”
>>> 
>>> Facepalm.. Of course!
>>> 
>>> Is there a C plugin library? I would like to make this project 
>>> native/portable so other users can use this project without having to 
>>> rebuild Unbound?
>>> 
>>> Thanks Andy.
>>> 
>>> 
>>> Sent from a teeny tiny keyboard, so please excuse typos
>>> 
>>>>> On 6 Aug 2019, at 19:36, Stuart Henderson  wrote:
>>>>> 
>>>>> On 2019-08-06, Andy Lemin  wrote:
>>>>> Hi guys,
>>>>> 
>>>>> I’m just after some general advice as I feel like I’m doing something 
>>>>> wrong, and having to hack around too much for what I believe should be 
>>>>> simple.
>>>>> 
>>>>> I am de
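
A minimal module of the kind being built in this thread, added here as an
example; it is not code from the thread and not one of Unbound's shipped
examples. It refuses queries for names under a small block list and passes
everything else to the next module. The hook names (`init`, `deinit`,
`inform_super`, `operate`), the `MODULE_*` and `RCODE_*` constants,
`qstate.qinfo.qname_str`, `qstate.ext_state` and `log_info`/`log_err` are
Unbound's pythonmod API; the block list, `normalize` and `is_blocked` are this
example's own. Following Claudio's point above, everything the module needs at
run time (this script, `unboundmodule.py` and the Python installation it
imports) has to be reachable inside the chroot, `/var/unbound` by default,
unless `chroot: ""` is set in unbound.conf.

```python
"""Block-list module for Unbound's Python module interface (added example)."""
try:
    # Unbound's pythonmod makes these names available to loaded scripts; the
    # explicit import keeps the file importable outside unbound (for tests).
    from unboundmodule import *  # noqa: F401,F403
except ImportError:
    pass

# Constructed block list. In production read it from a file that lives inside
# the chroot (under /var/unbound), not from /usr/local or /etc, or it will not
# be found once unbound has chroot(2)ed.
BLOCKED_SUFFIXES = ("ads.example.", "tracker.example.")


def normalize(qname):
    """Lower-case and add the trailing dot, the form qstate.qinfo.qname_str uses."""
    name = qname.strip().lower()
    return name if name.endswith(".") else name + "."


def is_blocked(qname, suffixes=BLOCKED_SUFFIXES):
    """True when qname is a listed name or any subdomain of one.
    'notads.example.' must not match 'ads.example.', hence the leading-dot check."""
    name = normalize(qname)
    for suffix in suffixes:
        suffix = normalize(suffix)
        if name == suffix or name.endswith("." + suffix):
            return True
    return False


def init(id, cfg):
    log_info("blocklist: %d suffixes loaded" % len(BLOCKED_SUFFIXES))
    return True


def deinit(id):
    return True


def inform_super(id, qstate, superqstate, qdata):
    return True


def operate(id, event, qstate, qdata):
    if event in (MODULE_EVENT_NEW, MODULE_EVENT_PASS):
        if is_blocked(qstate.qinfo.qname_str):
            # Answer REFUSED ourselves and end the module chain for this query.
            log_info("blocklist: refusing %s" % qstate.qinfo.qname_str)
            qstate.return_rcode = RCODE_REFUSED
            qstate.ext_state[id] = MODULE_FINISHED
            return True
        # Not ours: hand the query on to the following modules (validator, iterator).
        qstate.ext_state[id] = MODULE_WAIT_MODULE
        return True
    if event == MODULE_EVENT_MODDONE:
        # The modules after us have answered; nothing to rewrite here.
        qstate.ext_state[id] = MODULE_FINISHED
        return True
    log_err("blocklist: unexpected event %s" % event)
    qstate.ext_state[id] = MODULE_ERROR
    return True
```

To load it, put `module-config: "python validator iterator"` in the `server:`
section of unbound.conf and point `python-script:` in the `python:` section at
the script's location inside the chroot; the module must come first in
module-config so it sees the query before the validator does.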

Re: Building Unbound with Python module support

2019-08-07 Thread Andy Lemin
Morning Stuart,

So I’ve tested with the base build options properly, the initial errors I saw 
before have gone which is good. But I have a more fundamental issue with 
Unbound now sadly.

Swig successfully built “/usr/src/unbound/pythonmod/unboundmodule.py” and 
installed it to “/usr/local/lib/python2.7/site-packages/unboundmodule.py”.

However unbound is unable to find it, and the following errors are seen;
[HOME]root@bsd1:/var/unbound#/usr/local/sbin/unbound -c 
/var/unbound/etc/unbound.conf -dv

[1565135861] unbound[90497:0] notice: Start of unbound 1.9.3.

[1565135861] unbound[90497:0] debug: increased limit(open files) from 128 to 
16478

[1565135861] unbound[90497:0] debug: creating udp4 socket 127.0.0.1 53

[1565135861] unbound[90497:0] debug: creating udp4 socket 10.10.1.5 53

[1565135861] unbound[90497:0] debug: creating unix socket /var/run/unbound.sock

[1565135861] unbound[90497:0] debug: switching log to syslog

Could not find platform independent libraries 

Could not find platform dependent libraries 

Consider setting $PYTHONHOME to [:]

Traceback (most recent call last):

  File "", line 1, in 

ImportError: No module named distutils.sysconfig

Traceback (most recent call last):

  File "", line 1, in 

NameError: name 'distutils' is not defined

Traceback (most recent call last):

  File "", line 1, in 

ImportError: No module named unboundmodule



I have tried all manner of values for PYTHONHOME and I have also tried 

--with-pythonmodule=/usr/local/lib/python2.7/site-packages


Searching around shows others have found the exact same issue;
https://nlnetlabs.nl/pipermail/unbound-users/2011-July/007371.html

What do you think about this in context of OpenBSD?

Thanks again for your time.

Kind regards, Andy.



Sent from a teeny tiny keyboard, so please excuse typos

> On 7 Aug 2019, at 00:03, Andy Lemin  wrote:
> 
> Hi Stuart,
> 
> Thanks for your reply.
> 
> So I put in some leg work to set myself up so I could build a new release 
> base system, and went digging.
> 
> And I found “/usr/src/usr.src/unbound/Makefile.bsd-wrapper” so I think I have 
> found the correct build options to match with the base builds 
> CONFIGURE_OPTS_UNBOUND
> 
> I will try again with these options tomorrow, and see if I have the same 
> errors.
> 
> “The default install can't include Python support, because the default 
> install of Unbound is in the base OS, and Python isn't.”
> 
> Facepalm.. Of course!
> 
> Is there a C plugin library? I would like to make this project 
> native/portable so other users can use this project without having to rebuild 
> Unbound?
> 
> Thanks Andy.
> 
> 
> Sent from a teeny tiny keyboard, so please excuse typos
> 
>>> On 6 Aug 2019, at 19:36, Stuart Henderson  wrote:
>>> 
>>> On 2019-08-06, Andy Lemin  wrote:
>>> Hi guys,
>>> 
>>> I’m just after some general advice as I feel like I’m doing something 
>>> wrong, and having to hack around too much for what I believe should be 
>>> simple.
>>> 
>>> I am developing a simple Python plugin for Unbound, and the default Unbound 
>>> install on OpenBSD sadly wasn’t built with “--with-pythonmodule”.
>>> 
>>> So I grabbed the Unbound source code with a git clone from GitHub, 
>>> installed dependencies, and did “./configure --with-pythonmodule”, make, 
>>> make install etc..
>>> 
>>> So nothing special here. It installed to /usr/local/ rather than just /usr 
>>> etc, and so fiddled around with /etc/rc.d/unbound to make the rc scripts 
>>> start the custom one.
>>> 
>>> But I’m getting errors which requires some extra config settings to squash 
>>> when loading the same config as with the built in Unbound. ok maybe newer 
>>> unbound code..
>>> 
>>> But I am then also getting errors when trying to load the stock example 
>>> python plugin as per the source built sphinx docs.
>>> 
>>> I’m not at my computer at the moment so can’t share the exact errors, but 
>>> thought I’d ask as it feels like I’m missing something obvious!
>>> 
>>> Maybe I need some extra build options or static library references to make 
>>> it as smooth as the built in Unbound? Or maybe I should be using a 
>>> different source?
>>> 
>>> Any initial thoughts? I’ll post exact errors as soon as I can.
>> 
>> Initial thoughts are "did you use the same configure flags as much as 
>> possible
>> as the build in base". Really need to see the errors to be able to make any
>> more detailed suggestions.
>> 
>> The default install can't include Python support, because the default install
>> of Unbound is in the base OS, and Python isn't.
>> 
>> 


Re: Building Unbound with Python module support

2019-08-06 Thread Andy Lemin
Hi Stuart,

Thanks for your reply.

So I put in some leg work to set myself up so I could build a new release base 
system, and went digging.

And I found “/usr/src/usr.src/unbound/Makefile.bsd-wrapper” so I think I have 
found the correct build options to match with the base builds 
CONFIGURE_OPTS_UNBOUND

I will try again with these options tomorrow, and see if I have the same errors.

“The default install can't include Python support, because the default install 
of Unbound is in the base OS, and Python isn't.”

Facepalm.. Of course!

Is there a C plugin library? I would like to make this project native/portable 
so other users can use this project without having to rebuild Unbound?

Thanks Andy.


Sent from a teeny tiny keyboard, so please excuse typos

> On 6 Aug 2019, at 19:36, Stuart Henderson  wrote:
> 
>> On 2019-08-06, Andy Lemin  wrote:
>> Hi guys,
>> 
>> I’m just after some general advice as I feel like I’m doing something wrong, 
>> and having to hack around too much for what I believe should be simple.
>> 
>> I am developing a simple Python plugin for Unbound, and the default Unbound 
>> install on OpenBSD sadly wasn’t built with “--with-pythonmodule”.
>> 
>> So I grabbed the Unbound source code with a git clone from GitHub, installed 
>> dependencies, and did “./configure --with-pythonmodule”, make, make install 
>> etc..
>> 
>> So nothing special here. It installed to /usr/local/ rather than just /usr 
>> etc, and so fiddled around with /etc/rc.d/unbound to make the rc scripts 
>> start the custom one.
>> 
>> But I’m getting errors which requires some extra config settings to squash 
>> when loading the same config as with the built in Unbound. ok maybe newer 
>> unbound code..
>> 
>> But I am then also getting errors when trying to load the stock example 
>> python plugin as per the source built sphinx docs.
>> 
>> I’m not at my computer at the moment so can’t share the exact errors, but 
>> thought I’d ask as it feels like I’m missing something obvious!
>> 
>> Maybe I need some extra build options or static library references to make 
>> it as smooth as the built in Unbound? Or maybe I should be using a different 
>> source?
>> 
>> Any initial thoughts? I’ll post exact errors as soon as I can.
> 
> Initial thoughts are "did you use the same configure flags as much as possible
> as the build in base". Really need to see the errors to be able to make any
> more detailed suggestions.
> 
> The default install can't include Python support, because the default install
> of Unbound is in the base OS, and Python isn't.
> 
> 



Re: Best 1Gbe NIC

2019-08-06 Thread Andy Lemin
Thanks for your comments guys.

I’ve ordered some Intel NICs :)

I just wanted to make sure I was getting the best offload capability, but I 
agree with you Claudio ;)

Cheers, Andy.



Sent from a teeny tiny keyboard, so please excuse typos

> On 2 Aug 2019, at 19:09, Brian Brombacher  wrote:
> 
> I find cheap PCI-Express and PCI-X em(4) cards suffice for my needs.  990-992 
> Mbps with tcpbench.
> 
> 
>>> On Aug 2, 2019, at 11:26 AM, Claudio Jeker  wrote:
>>> 
>>> On Fri, Aug 02, 2019 at 12:28:58PM +0100, Andy Lemin wrote:
>>> Ahhh, thank you!
>>> 
>>> I didn’t realise this had changed and now the drivers are written with
>>> full knowledge of the interface.
>> 
>> That is an overstatement but we know for sure a lot more about these cards
>> then many other less open ones.
>> 
>>> So that would make Intel Server NICs (i350 for example) some of the best
>>> 1Gbe cards nowadays then?
>> 
>> They are well supported by OpenBSD as are many other server nics like bge
>> and bnx. I would not call them best, when it comes to network cards it
>> seems to be a race to the bottom. All chips have stuff in them that is
>> just not great. em(4) for example needs a major workaround because the
>> buffersize is specified by a bitfield. 
>> 
>> My view is more pessimistic, all network cards are shit there are just
>> some that are less shitty. Also I prefer to use em(4) over most other
>> gigabit cards.
>> 
>> -- 
>> :wq Claudio
>> 
>>> 
>>> Sent from a teeny tiny keyboard, so please excuse typos
>>> 
>>>>> On 2 Aug 2019, at 09:52, Jonathan Gray  wrote:
>>>>> 
>>>>> On Fri, Aug 02, 2019 at 09:19:09AM +0100, Andy Lemin wrote:
>>>>> Hi list,
>>>>> 
>>>>> I know this is a rather classic question, but I have searched a lot on 
>>>>> this again recently, and I just cannot find any conclusive up to date 
>>>>> information?
>>>>> 
>>>>> I am looking to buy the best 1Gbe NIC possible for OpenBSD and the only 
>>>>> official comments I can find relate to 3COM for ISA, or community 
>>>>> consensus towards Chelsio for 10Gbe.
>>>>> 
>>>>> I know Intel works ok and I’ve used the i350’s before, but my 
>>>>> understanding is that Intel still doesn’t provide the documentation for 
>>>>> their NICs and so the emX driver is reverse engineered.
>>>> 
>>>> This is incorrect.  Intel provides datasheets for Ethernet parts.
>>>> em(4) is derived from Intel authored code for FreeBSD supplied under a
>>>> permissive license.
>>>> 
>>>>> 
>>>>> And if I remember correctly some offload features were also disabled in 
>>>>> the emX driver a while back as some functions were found to be insecure 
>>>>> on die and so it was deemed safer to bring the logic back on CPU.
>>>>> 
>>>>> So I’m looking for the best 1Gbe NIC that supports the most 
>>>>> offloading/best driver support/performance etc.
>>>>> 
>>>>> Thanks, Andy.
>>>>> 
>>>>> PS; could we update the official supported hardware lists? ;)
>>>>> All the best.
>>>>> 
>>>>> 
>>>>> Sent from a teeny tiny keyboard, so please excuse typos
>>>>> 
>>> 
>> 
> 



Building Unbound with Python module support

2019-08-06 Thread Andy Lemin
Hi guys,

I’m just after some general advice as I feel like I’m doing something wrong, 
and having to hack around too much for what I believe should be simple.

I am developing a simple Python plugin for Unbound, and the default Unbound 
install on OpenBSD sadly wasn’t built with “--with-pythonmodule”.

So I grabbed the Unbound source code with a git clone from GitHub, installed 
dependencies, and did “./configure --with-pythonmodule”, make, make install etc..

So nothing special here. It installed to /usr/local/ rather than just /usr etc, 
and so fiddled around with /etc/rc.d/unbound to make the rc scripts start the 
custom one.

But I’m getting errors which requires some extra config settings to squash when 
loading the same config as with the built in Unbound. ok maybe newer unbound 
code..

But I am then also getting errors when trying to load the stock example python 
plugin as per the source built sphinx docs.

I’m not at my computer at the moment so can’t share the exact errors, but 
thought I’d ask as it feels like I’m missing something obvious!

Maybe I need some extra build options or static library references to make it 
as smooth as the built in Unbound? Or maybe I should be using a different 
source?

Any initial thoughts? I’ll post exact errors as soon as I can.

Thanks :)
Andy.





Sent from a teeny tiny keyboard, so please excuse typos



Re: Best 1Gbe NIC

2019-08-02 Thread Andy Lemin
Ahhh, thank you!

I didn’t realise this had changed and now the drivers are written with full 
knowledge of the interface.

So that would make Intel Server NICs (i350 for example) some of the best 1Gbe 
cards nowadays then?

Thanks :)
Andy


Sent from a teeny tiny keyboard, so please excuse typos

> On 2 Aug 2019, at 09:52, Jonathan Gray  wrote:
> 
>> On Fri, Aug 02, 2019 at 09:19:09AM +0100, Andy Lemin wrote:
>> Hi list,
>> 
>> I know this is a rather classic question, but I have searched a lot on this 
>> again recently, and I just cannot find any conclusive up to date information?
>> 
>> I am looking to buy the best 1Gbe NIC possible for OpenBSD and the only 
>> official comments I can find relate to 3COM for ISA, or community consensus 
>> towards Chelsio for 10Gbe.
>> 
>> I know Intel works ok and I’ve used the i350’s before, but my 
>> understanding is that Intel still doesn’t provide the documentation for 
>> their NICs and so the emX driver is reverse engineered.
> 
> This is incorrect.  Intel provides datasheets for Ethernet parts.
> em(4) is derived from Intel authored code for FreeBSD supplied under a
> permissive license.
> 
>> 
>> And if I remember correctly some offload features were also disabled in the 
>> emX driver a while back as some functions were found to be insecure on die 
>> and so it was deemed safer to bring the logic back on CPU.
>> 
>> So I’m looking for the best 1Gbe NIC that supports the most 
>> offloading/best driver support/performance etc.
>> 
>> Thanks, Andy.
>> 
>> PS; could we update the official supported hardware lists? ;)
>> All the best.
>> 
>> 
>> Sent from a teeny tiny keyboard, so please excuse typos
>> 



Best 1Gbe NIC

2019-08-02 Thread Andy Lemin
Hi list,

I know this is a rather classic question, but I have searched a lot on this 
again recently, and I just cannot find any conclusive up to date information?

I am looking to buy the best 1Gbe NIC possible for OpenBSD and the only 
official comments I can find relate to 3COM for ISA, or community consensus 
towards Chelsio for 10Gbe.

I know Intel works ok and I’ve used the i350’s before, but my understanding is 
that Intel still doesn’t provide the documentation for their NICs and so the 
emX driver is reverse engineered.

And if I remember correctly some offload features were also disabled in the emX 
driver a while back as some functions were found to be insecure on die and so 
it was deemed safer to bring the logic back on CPU.

So I’m looking for the best 1Gbe NIC that supports the most offloading/best 
driver support/performance etc.

Thanks, Andy.

PS; could we update the official supported hardware lists? ;)
All the best.


Sent from a teeny tiny keyboard, so please excuse typos



Re: DNS Race Condition on Boot

2019-07-04 Thread Andy Lemin
Hey guys.

Thanks for the ideas. Sadly I cannot use static IPs as we don’t control the 
domains.

I think I’ll use Otto’s suggestion as I am already doing that to provide a 
black hole table for the spamhaus drop list. So I’ll just enhance that script 
to manage some more tables 

After all, the current fqdns in pf.conf can still go out of date (pf only 
resolves dns -> IP once during rule apply). So this solves that too.

Cheers, Andy.



Sent from a teeny tiny keyboard, so please excuse typos

> On 4 Jul 2019, at 09:18, Otto Moerbeek  wrote:
> 
>> On Thu, Jul 04, 2019 at 09:14:19AM +0100, Andy Lemin wrote:
>> 
>> Hi guys,
>> 
>> Is anyone else aware of the Unbound and PF race condition that exists when 
>> FQDNs are used in pf.conf with a local Unbound server?
> 
> Yes, it's an obvious one isn't it?
> 
>> 
>> The issue occurs when pf starts before unbound, but where pf fails to start 
>> as it cannot resolve some DNS names.. and so unbound also fails to work when 
>> it is started later in the boot because pf failed to start..
>> 
>> The only solution I’ve found so far is to add some commands to /etc/rc.local 
>> (run end of boot) to temporarily disable (the failed) pf, restart unbound, 
>> and restart pf again now unbound is working.
>> 
>> Just wondering if anyone knows of a cleaner workaround? PS; Using an 
>> external DNS server in resolv.conf is not an option in this scenario.
> 
> Do not use DNS names in pf.conf. Use a IP addresses or a table filled
> from a file. Run some script to update the file periodically. If it
> changed kick pf.
> 
>-Otto
> 
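
The updater script Otto suggests, written out as an added example rather than
code from the thread: it resolves a list of names, writes a pf table file, and
kicks pf only when the file changed. A name that fails to resolve keeps its
previous addresses instead of emptying the table, which is the boot-time
failure mode described above. `pfctl -t TABLE -T replace -f FILE` is pfctl's
real interface; the file layout (a `# name` line followed by that name's
addresses), the `build_table`/`update_table` helpers and the resolver
injection are this example's own assumptions. The matching pf.conf line,
`table <allowed> persist file "/etc/pf-tables/allowed.txt"`, lets pf load the
last known addresses at boot without asking DNS, and the script then refreshes
them from cron(8) once unbound is up.

```python
"""Keep a pf table of resolved FQDNs current without DNS in pf.conf (added example)."""
import ipaddress
import os
import socket
import subprocess


def system_resolver(fqdn):
    """Default resolver: every A/AAAA address getaddrinfo returns for fqdn."""
    return [info[4][0] for info in socket.getaddrinfo(fqdn, None)
            if info[0] in (socket.AF_INET, socket.AF_INET6)]


def resolve(fqdn, resolver=system_resolver):
    """Set of canonical address strings for fqdn; empty set when resolution fails."""
    try:
        return {str(ipaddress.ip_address(a)) for a in resolver(fqdn)}
    except (OSError, ValueError):  # socket.gaierror is an OSError subclass
        return set()


def parse_table_file(text):
    """Parse this example's file layout: '# name' lines followed by addresses."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            current = line[1:].strip() or None
            if current:
                entries.setdefault(current, set())
            continue
        if current:
            entries[current].add(line)
    return entries


def build_table(fqdns, previous, resolver=system_resolver):
    """Return (file text, {name: addresses}). A name that fails to resolve keeps
    the addresses from `previous`, so a resolver outage at boot cannot empty the
    table and block hosts that were allowed a minute earlier."""
    entries = {}
    for fqdn in fqdns:
        addrs = resolve(fqdn, resolver) or previous.get(fqdn, set())
        entries[fqdn] = set(addrs)
    lines = []
    for fqdn in fqdns:
        lines.append("# " + fqdn)
        lines.extend(sorted(entries[fqdn]))
    return "\n".join(lines) + "\n", entries


def update_table(table, path, fqdns, resolver=system_resolver, pfctl="pfctl"):
    """Rewrite `path` atomically and reload the pf table only if it changed.
    Returns True when pfctl was invoked."""
    try:
        with open(path) as fh:
            old_text = fh.read()
    except FileNotFoundError:
        old_text = ""
    new_text, _ = build_table(fqdns, parse_table_file(old_text), resolver)
    if new_text == old_text:
        return False
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(new_text)
    os.replace(tmp, path)
    subprocess.run([pfctl, "-t", table, "-T", "replace", "-f", path], check=True)
    return True


if __name__ == "__main__":
    import sys
    # usage: pf_dns_table.py TABLE FILE FQDN...   (run periodically from cron(8))
    table, path, names = sys.argv[1], sys.argv[2], sys.argv[3:]
    print("updated" if update_table(table, path, names) else "unchanged")
```

Because the file is rewritten only when its contents change, pf is not kicked
on every cron run, and `-T replace` swaps the table in one step rather than
flushing it first.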



DNS Race Condition on Boot

2019-07-04 Thread Andy Lemin
Hi guys,

Is anyone else aware of the Unbound and PF race condition that exists when 
FQDNs are used in pf.conf with a local Unbound server?

The issue occurs when pf starts before unbound, but where pf fails to start as 
it cannot resolve some DNS names.. and so unbound also fails to work when it is 
started later in the boot because pf failed to start..

The only solution I’ve found so far is to add some commands to /etc/rc.local 
(run end of boot) to temporarily disable (the failed) pf, restart unbound, and 
restart pf again now unbound is working.

Just wondering if anyone knows of a cleaner workaround? PS; Using an external 
DNS server in resolv.conf is not an option in this scenario.

Cheers, Andy.



Sent from a teeny tiny keyboard, so please excuse typos



ANN: pledge(1) security utility

2019-05-13 Thread Andy Seniuk
**SPLASH**  I've been made to walk the plank!
*hastily assembles flotilla of blowfish*

https://fremissant.net/pledge
https://marc.info/?l=openbsd-tech=155762556220352=2

Your captain (master?) has spoken, and you are not
allowed to know under which promises the processes on your
system are running (though you can try to grep for this
information in the sources if you have source).

Not even if you are root; and not even yourself (pid 0).

Or, you can run my patch and have all this and more, safely.
It is compliant with the pledge mandate that promises can
never be increased, and indeed with all the intricacies of
pledge(2) semantics.  [If it isn't, please send an email.]

I don't much care who runs it besides me, though I do sense
this is a pivotal project:  either everything I ever did will
get released after this, or silence.  This gesture in particular
was made to increase the security of my own system, learn some
systems programming, and above all as an expression of my
appreciation for UNIX generally.  If it helps others to any
of those things, so much the better.

I'll keep the project pages (link at top) up to date, and decide
the pledge(1) licence soon.  I've uploaded a patched amd64
kernel image (built from mid-April OpenBSD -current sources),
as well as compatible pledge(1) executable, in case you want to
play in a VM.  I've not installed 6.5 locally yet, but when I do
I'll update the available images.

If this work interests you, by all means feel free to contact
me privately, you probably won't find me on the lists.

Cheerio,
Andy.



Re: radeondrm failure on amd64 but not on i386?

2018-12-19 Thread Andy Bradford
root hub" rev 2.00/1.00 
addr 1
ppb4 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xe1
pci5 at ppb4 bus 5
"AT/Lucent FW322 1394" rev 0x61 at pci5 dev 5 function 0 not configured
pcib0 at pci0 dev 31 function 0 "Intel 82801GH LPC" rev 0x01
pciide0 at pci0 dev 31 function 1 "Intel 82801GB IDE" rev 0x01: DMA, channel 0 
configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0:  ATAPI 5/cdrom 
removable
atapiscsi1 at pciide0 channel 0 drive 1
scsibus2 at atapiscsi1: 2 targets
cd1 at scsibus2 targ 0 lun 0:  ATAPI 5/cdrom 
removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
cd1(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ahci0 at pci0 dev 31 function 2 "Intel 82801GR AHCI" rev 0x01: msi, AHCI 1.1
ahci0: port 0: 3.0Gb/s
ahci0: PHY offline on port 1
ahci0: PHY offline on port 2
ahci0: PHY offline on port 3
scsibus3 at ahci0: 32 targets
sd0 at scsibus3 targ 0 lun 0:  SCSI3 0/direct fixed 
t10.ATA_ST3250824AS_5ND4HD0K
sd0: 238418MB, 512 bytes/sector, 488281250 sectors
ichiic0 at pci0 dev 31 function 3 "Intel 82801GB SMBus" rev 0x01: apic 8 int 17
iic0 at ichiic0
spdmem0 at iic0 addr 0x50: 1GB DDR2 SDRAM non-parity PC2-5300CL5
spdmem1 at iic0 addr 0x51: 1GB DDR2 SDRAM non-parity PC2-5300CL5
spdmem2 at iic0 addr 0x52: 1GB DDR2 SDRAM non-parity PC2-5300CL5
spdmem3 at iic0 addr 0x53: 1GB DDR2 SDRAM non-parity PC2-5300CL5
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 
addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 
addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 
addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 
addr 1
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
umass0 at uhub0 port 3 configuration 1 interface 0 "TEAC CA-200" rev 2.00/4.00 
addr 2
umass0: using SCSI over Bulk-Only
scsibus4 at umass0: 2 targets, initiator 0
sd1 at scsibus4 targ 1 lun 0:  SCSI0 0/direct 
removable
sd2 at scsibus4 targ 1 lun 1:  SCSI0 0/direct 
removable
sd3 at scsibus4 targ 1 lun 2:  SCSI0 0/direct 
removable
sd4 at scsibus4 targ 1 lun 3:  SCSI0 0/direct 
removable
umass1 at uhub0 port 7 configuration 1 interface 0 "SanDisk Cruzer Dial" rev 
2.10/1.00 addr 3
umass1: using SCSI over Bulk-Only
scsibus5 at umass1: 2 targets, initiator 0
sd5 at scsibus5 targ 1 lun 0:  SCSI4 0/direct 
removable serial.07815599450609104375
sd5: 14944MB, 512 bytes/sector, 30605312 sectors
uhidev0 at uhub2 port 2 configuration 1 interface 0 "Dell Dell KB216 Wired 
Keyboard" rev 2.00/33.08 addr 2
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 variable keys, 6 key codes
wskbd1 at ukbd0 mux 1
uhidev1 at uhub2 port 2 configuration 1 interface 1 "Dell Dell KB216 Wired 
Keyboard" rev 2.00/33.08 addr 2
uhidev1: iclass 3/0, 5 report ids
uhid0 at uhidev1 reportid 1: input=1, output=0, feature=0
uhid1 at uhidev1 reportid 2: input=2, output=0, feature=0
uhid2 at uhidev1 reportid 5: input=0, output=0, feature=5
uhidev2 at uhub3 port 1 configuration 1 interface 0 "PixArt Lenovo USB Optical 
Mouse" rev 2.00/1.00 addr 2
uhidev2: iclass 3/1
ums0 at uhidev2: 3 buttons, Z dir
wsmouse0 at ums0 mux 0
vscsi0 at root
scsibus6 at vscsi0: 256 targets
softraid0 at root
scsibus7 at softraid0: 256 targets
root on sd5a (f2d5da28e9d59e44.a) swap on sd5b dump on sd5b
initializing kernel modesetting (RV610 0x1002:0x94C1 0x1028:0x0D02).
drm:pid0:r600_init *ERROR* Expecting atombios for R600 GPU
drm:pid0:radeondrm_attachhook *ERROR* Fatal error during GPU init
[TTM] Memory type 2 has not been initialized
drm0 detached
radeondrm0 detached
vga1 at pci1 dev 0 function 0 "ATI Radeon HD 2400 XT" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation), using wskbd0
wskbd1: connecting to wsdisplay0
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
wsmouse0 detached
ums0 detached
uhidev2 detached

Thanks,

Andy
-- 
TAI64 timestamp: 40005c1a6251




Re: radeondrm failure on amd64 but not on i386?

2018-12-14 Thread Andy Bradford
Thus said Allan Streib on Wed, 12 Dec 2018 14:09:06 -0500:

> Still having this issue on -current as of Dec 10.
> machdep.allowaperture=2 does get me past this, but am seeing
> weird behavior, some regions of screens/terminals not painting or
> refreshing.

As far as I'm  aware no progress has been made. It seems  to be having a
problem reading  the ATOM BIOS  and I haven't yet  figured out a  way to
dump out what it is reading to disk so it can be analyzed. Maybe some of
the commands  from the  other thread  on bugs@  will lead  to additional
information.

Another alternative,  if you  can, is  to use i386  instead of  amd64. I
found that on i386 it does correctly detect the ATOM BIOS.

Andy
-- 
TAI64 timestamp: 40005c1431b9




Re: PF Outbound traffic Load Balancing over multiple tun/openvpn interfaces/tunnels

2018-11-28 Thread Andy Lemin
he connected peer
>>>> ping -V 1 8.8.8.8
>>>> ping -V 2 8.8.8.8
>>>> 
>>>> Shows both VPN tunnels are definitely working independently with the
>>>> overlapping addressing :)
>>>> 
>>>> # Reverse routing - I have read in various places that PF's 'route-to' can
>>>> be used for jumping rdomains's in the forward path of the session, but the
>>>> reply packets need any matching route in the remote rdomain for the reply
>>>> destination (the matching route is to ensure in the reply packet is passed
>>>> through the routing table and gets into the PF processing, where PF can
>>>> manage the return back to the default rdomain etc.
>>>> 
>>>> But as I am using outbound NATing on the tunX interfaces, there is always a
>>>> matching route for the reply traffic. And so a route for the internal
>>>> subnet is not needed within rdomain 1 and 2.
>>>> 
>>>> 
>>>> # Finally ensure '/etc/pf.conf' contains something like;
>>>> if_ext = "em0"
>>>> if_int = "em1"
>>>> 
>>>> #CDR = 80 Down/20 Up
>>>> queue out_ext on $if_ext flows 1024 bandwidth 18M max 19M qlimit 1024
>>>> default
>>>> queue out_tun1 on tun1 flows 1024 bandwidth 17M max 18M qlimit 1024 default
>>>> queue out_tun2 on tun2 flows 1024 bandwidth 17M max 18M qlimit 1024 default
>>>> queue out_int on $if_srx flows 1024 bandwidth 74M max 78M qlimit 1024
>>>> default
>>>> 
>>>> #MTU = 1500
>>>> match proto tcp all scrub (no-df max-mss 1460) set prio (2,5)
>>>> match proto udp all scrub (no-df max-mss 1472) set prio (2,5)
>>>> match proto icmp all scrub (no-df max-mss 1472) set prio 7
>>>> 
>>>> #NAT all outbound traffic
>>>> match out on $if_ext from any to any nat-to ($if_ext)
>>>> match out on tun1 from any to any nat-to (tun1) rtable 1
>>>> match out on tun2 from any to any nat-to (tun2) rtable 2
>>>> 
>>>> #Allow outbound traffic on egress for vpn tunnel setup etc
>>>> pass out quick on { $if_ext } from self to any set prio (3,6)
>>>> 
>>>> #Load balance outbound traffic from internal network across tun1 and tun2 -
>>>> THIS IS NOT WORKING - IT ONLY USES FIRST TUNNEL
>>>> pass in quick on { $if_int } to any route-to { (tun1 10.8.8.1), (tun2
>>>> 10.8.8.1) } round-robin set prio (3,6)
>>>> 
>>>> #Allow outbound traffic over vpn tunnels
>>>> pass out quick on tun1 to any set prio (3,6)
>>>> pass out quick on tun2 to any set prio (3,6)
>>>> 
>>>> 
>>>> # Verify which tunnels are being used
>>>> systat ifstat
>>>> 
>>>> *This command shows that all the traffic is only flowing over the first
>>>> tun1 interface, and the second tun2 is never ever used.*
>>>> 
>>>> 
>>>> # NB; I have tried with and without 'set state-policy if-bound'.
>>>> 
>>>> I have tried all the load balancing policies; round-robin, random,
>>>> least-states and source-hash
>>>> 
>>>> If I change the 'route-to' pool to "{ (tun2 10.8.8.1), (tun1 10.8.8.1) }",
>>>> then only tun2 is used instead.. :(
>>>> 
>>>> So 'route-to' seems to only use the first tunnel in the pool.
>>>> 
>>>> Any advice on what is going wrong here. I am wondering if I am falling
>>>> victim to some processing-order issue with PF, or if this is a real bug?
>>>> 
>>>> Thanks, Andy.
> 



Re: radeondrm failure on amd64 but not on i386?

2018-11-28 Thread Andy Bradford
Thus said Allan Streib on Tue, 27 Nov 2018 15:51:57 -0500:

> The issue was also reported here, with no follow-ups but more debug info:
> 
> https://marc.info/?l=openbsd-bugs=153398230416756=2

That seems  to be an identical  problem, but definitely with  more debug
info.

In my system, the card is also in a PCIe slot.

By the way, it  is possible to workaround the problem  to some extent by
just adding to sysctl.conf:

machdep.allowaperture=2

X will then start up, but it won't be using the firmware.

Andy
-- 
TAI64 timestamp: 40005bfeb246




Re: radeondrm failure on amd64 but not on i386?

2018-11-25 Thread Andy Bradford
Thus said Allan Streib on Sun, 25 Nov 2018 21:54:45 -0500:

> Same issue, also on a Dell machine with ATI Radeon HD 2400 XT.

After  Jonathan  suggested  adding   some  printf  debug  statements,  I
continued to do so and was able to see that the rdev->bios variable that
is being inspected  at lines 834--840 in radeon_bios.c  has neither ATOM
nor MOTA in the string at that address for amd64, but has ATOM for i386:

tmp = rdev->bios_header_start + 4;
if (!memcmp(rdev->bios + tmp, "ATOM", 4) ||
    !memcmp(rdev->bios + tmp, "MOTA", 4)) {
	rdev->is_atom_bios = true;
} else {
	rdev->is_atom_bios = false;
}

I suppose additional debug might  involve writing the entire contents of
rdev->bios to a file and then hexdump it?

Andy
-- 
TAI64 timestamp: 40005bfb8e86
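The kernel fragment quoted above trusts both the header pointer and the length of the buffer it indexes. Here, as an added example that is my own code and not the radeon driver's or Andy's, the same ATOM/MOTA classification is run on a stand-alone ROM image with the bounds checks a buffer of unknown origin needs, plus a hex+ASCII dump of the header region (the "write rdev->bios to a file and hexdump it" idea). The location of the header pointer (a 16-bit little-endian value at ROM offset 0x48, after the 0x55 0xAA option-ROM signature) is taken from my reading of the driver and is an assumption here, not something the message states; the sample images are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Assumption (from my reading of the radeon driver, not stated on the page):
 * the BIOS header pointer is a 16-bit little-endian value at ROM offset 0x48,
 * and a valid image starts with the 0x55 0xAA option-ROM signature.
 */
#define ROM_SIG0		0x55
#define ROM_SIG1		0xAA
#define ROM_HEADER_PTR_OFF	0x48

/* Read the little-endian header pointer; the caller has checked the length. */
static size_t
header_start(const uint8_t *bios)
{
	return (size_t)bios[ROM_HEADER_PTR_OFF] |
	    ((size_t)bios[ROM_HEADER_PTR_OFF + 1] << 8);
}

/*
 * Same classification as the kernel fragment, with bounds checks.  Returns 1
 * for an ATOM BIOS ("ATOM" or "MOTA" four bytes past the header), 0 for a
 * legacy BIOS, and -1 when the image is too short or malformed to decide.
 */
int
classify_vbios(const uint8_t *bios, size_t len)
{
	size_t hdr, sig;

	if (bios == NULL || len < ROM_HEADER_PTR_OFF + 2)
		return -1;
	if (bios[0] != ROM_SIG0 || bios[1] != ROM_SIG1)
		return -1;		/* not an option ROM at all */
	hdr = header_start(bios);
	if (hdr == 0)
		return -1;		/* a zero pointer means no header to inspect */
	sig = hdr + 4;
	if (sig + 4 > len)
		return -1;		/* signature would lie past the end of the image */
	if (memcmp(bios + sig, "ATOM", 4) == 0 ||
	    memcmp(bios + sig, "MOTA", 4) == 0)
		return 1;
	return 0;
}

/* Hex+ASCII dump of the 16 bytes from the header start, hexdump(1) style. */
void
dump_header(const uint8_t *bios, size_t len, FILE *out)
{
	size_t i, start;

	if (len < ROM_HEADER_PTR_OFF + 2)
		return;
	start = header_start(bios);
	fprintf(out, "%08zx:", start);
	for (i = start; i < start + 16 && i < len; i++)
		fprintf(out, " %02x", bios[i]);
	fputs("  |", out);
	for (i = start; i < start + 16 && i < len; i++)
		fputc(bios[i] >= 0x20 && bios[i] < 0x7f ? bios[i] : '.', out);
	fputs("|\n", out);
}

/* Build a constructed 256-byte image with `tag` four bytes past the header. */
static void
make_sample_rom(uint8_t *buf, size_t cap, const char *tag)
{
	const size_t hdr = 0x80;

	memset(buf, 0, cap);
	buf[0] = ROM_SIG0;
	buf[1] = ROM_SIG1;
	buf[ROM_HEADER_PTR_OFF] = (uint8_t)(hdr & 0xff);
	buf[ROM_HEADER_PTR_OFF + 1] = (uint8_t)((hdr >> 8) & 0xff);
	memcpy(buf + hdr + 4, tag, 4);
}

/* Constructed cases: two ATOM spellings, a legacy image, a cut-off image, junk. */
int demo_atom(void)      { uint8_t b[256]; make_sample_rom(b, sizeof b, "ATOM"); return classify_vbios(b, sizeof b); }
int demo_mota(void)      { uint8_t b[256]; make_sample_rom(b, sizeof b, "MOTA"); return classify_vbios(b, sizeof b); }
int demo_legacy(void)    { uint8_t b[256]; make_sample_rom(b, sizeof b, "LGCY"); return classify_vbios(b, sizeof b); }
int demo_truncated(void) { uint8_t b[256]; make_sample_rom(b, sizeof b, "ATOM"); return classify_vbios(b, 0x86); }
int demo_not_rom(void)   { uint8_t b[256]; make_sample_rom(b, sizeof b, "ATOM"); b[0] = 0; return classify_vbios(b, sizeof b); }

int
main(void)
{
	uint8_t b[256];

	make_sample_rom(b, sizeof b, "ATOM");
	dump_header(b, sizeof b, stdout);
	printf("atom=%d mota=%d legacy=%d truncated=%d not_rom=%d\n",
	    demo_atom(), demo_mota(), demo_legacy(), demo_truncated(), demo_not_rom());
	return 0;
}
```

The truncated case is the one worth noticing: the kernel code indexes `rdev->bios + tmp` without comparing `tmp + 4` against the size of what was actually read, so a short or garbage read shows up as a wrong answer rather than as an error, which is consistent with the "neither ATOM nor MOTA" symptom described above.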




Re: radeondrm failure on amd64 but not on i386?

2018-11-19 Thread Andy Bradford
Thus said Jonathan Gray on Mon, 19 Nov 2018 20:42:46 +1100:

> > Thanks for the suggestion. Here's the additional output provided by your
> > patch:
> > 
> > radeon_atrm_get_bios false
> > radeon_acpi_vfct_bios false
> > igp_read_bios_from_vram false
> > radeon_read_bios false
> > radeon_read_disabled_bios true
> > drm:pid0:r600_init *ERROR* Expecting atombios for R600 GPU
> > drm:pid0:radeondrm_attachhook *ERROR* Fatal error during GPU init
> > [TTM] Memory type 2 has not been initialized
> > drm0 detached
> > radeondrm0 detached
> 
> Thanks, could you also show the i386 output with the patch?

The output on i386 looks pretty much the same except for the failure:

initializing kernel modesetting (RV610 0x1002:0x94C1 0x1028:0x0D02).
radeon_atrm_get_bios false
radeon_acpi_vfct_bios false
igp_read_bios_from_vram false
radeon_read_bios false
radeon_read_disabled_bios true
radeondrm0: 1680x1050, 32bpp
wsdisplay0 at radeondrm0 mux 1: console (std, vt100 emulation), using wskbd0

Thanks,

Andy
-- 
TAI64 timestamp: 40005bf2d8c2




Re: radeondrm failure on amd64 but not on i386?

2018-11-18 Thread Andy Bradford
Thus said Jonathan Gray on Sat, 17 Nov 2018 14:08:53 +1100:

> There are many  ways of getting an  atom bios; it would  be helpful to
> know which method is having trouble.

Thanks for the suggestion. Here's the additional output provided by your
patch:

radeon_atrm_get_bios false
radeon_acpi_vfct_bios false
igp_read_bios_from_vram false
radeon_read_bios false
radeon_read_disabled_bios true
drm:pid0:r600_init *ERROR* Expecting atombios for R600 GPU
drm:pid0:radeondrm_attachhook *ERROR* Fatal error during GPU init
[TTM] Memory type 2 has not been initialized
drm0 detached
radeondrm0 detached

Thanks,

Andy
-- 
TAI64 timestamp: 40005bf24e83




radeondrm failure on amd64 but not on i386?

2018-11-16 Thread Andy Bradford
inbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82945G Host" rev 0x00
ppb0 at pci0 dev 1 function 0 "Intel 82945G PCIE" rev 0x00: apic 8 int 16
pci1 at ppb0 bus 1
radeondrm0 at pci1 dev 0 function 0 "ATI Radeon HD 2400 XT" rev 0x00
drm0 at radeondrm0
radeondrm0: msi
azalia0 at pci0 dev 27 function 0 "Intel 82801GB HD Audio" rev 0x01: msi
azalia0: codecs: Sigmatel STAC9220/1
audio0 at azalia0
ppb1 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x01: apic 8 int 16
pci2 at ppb1 bus 2
ppb2 at pci0 dev 28 function 4 "Intel 82801G PCIE" rev 0x01: apic 8 int 16
pci3 at ppb2 bus 3
ppb3 at pci0 dev 28 function 5 "Intel 82801G PCIE" rev 0x01: apic 8 int 17
pci4 at ppb3 bus 4
em0 at pci4 dev 0 function 0 "Intel 82573L" rev 0x01: msi, address 
00:13:72:1a:ed:5c
uhci0 at pci0 dev 29 function 0 "Intel 82801GB USB" rev 0x01: apic 8 int 21
uhci1 at pci0 dev 29 function 1 "Intel 82801GB USB" rev 0x01: apic 8 int 22
uhci2 at pci0 dev 29 function 2 "Intel 82801GB USB" rev 0x01: apic 8 int 18
uhci3 at pci0 dev 29 function 3 "Intel 82801GB USB" rev 0x01: apic 8 int 23
ehci0 at pci0 dev 29 function 7 "Intel 82801GB USB" rev 0x01: apic 8 int 21
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 
addr 1
ppb4 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xe1
pci5 at ppb4 bus 5
"AT/Lucent FW322 1394" rev 0x61 at pci5 dev 5 function 0 not configured
ichpcib0 at pci0 dev 31 function 0 "Intel 82801GH LPC" rev 0x01: PM disabled
pciide0 at pci0 dev 31 function 1 "Intel 82801GB IDE" rev 0x01: DMA, channel 0 
configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0:  ATAPI 5/cdrom 
removable
atapiscsi1 at pciide0 channel 0 drive 1
scsibus2 at atapiscsi1: 2 targets
cd1 at scsibus2 targ 0 lun 0:  ATAPI 5/cdrom 
removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
cd1(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ahci0 at pci0 dev 31 function 2 "Intel 82801GR AHCI" rev 0x01: msi, AHCI 1.1
ahci0: port 0: 3.0Gb/s
ahci0: PHY offline on port 1
ahci0: PHY offline on port 2
ahci0: PHY offline on port 3
scsibus3 at ahci0: 32 targets
sd0 at scsibus3 targ 0 lun 0:  SCSI3 0/direct fixed 
t10.ATA_ST3250824AS_5ND4HD0K
sd0: 238418MB, 512 bytes/sector, 488281250 sectors
ichiic0 at pci0 dev 31 function 3 "Intel 82801GB SMBus" rev 0x01: apic 8 int 17
iic0 at ichiic0
spdmem0 at iic0 addr 0x50: 1GB DDR2 SDRAM non-parity PC2-5300CL5
spdmem1 at iic0 addr 0x51: 1GB DDR2 SDRAM non-parity PC2-5300CL5
spdmem2 at iic0 addr 0x52: 1GB DDR2 SDRAM non-parity PC2-5300CL5
spdmem3 at iic0 addr 0x53: 1GB DDR2 SDRAM non-parity PC2-5300CL5
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 
addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 
addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 
addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 
addr 1
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
umass0 at uhub0 port 3 configuration 1 interface 0 "TEAC CA-200" rev 2.00/4.00 
addr 2
umass0: using SCSI over Bulk-Only
scsibus4 at umass0: 2 targets, initiator 0
sd1 at scsibus4 targ 1 lun 0:  SCSI0 0/direct 
removable
sd2 at scsibus4 targ 1 lun 1:  SCSI0 0/direct 
removable
sd3 at scsibus4 targ 1 lun 2:  SCSI0 0/direct 
removable
sd4 at scsibus4 targ 1 lun 3:  SCSI0 0/direct 
removable
umass1 at uhub0 port 7 configuration 1 interface 0 "SanDisk Cruzer Dial" rev 
2.10/1.00 addr 3
umass1: using SCSI over Bulk-Only
scsibus5 at umass1: 2 targets, initiator 0
sd5 at scsibus5 targ 1 lun 0:  SCSI4 0/direct 
removable serial.07815599450609104375
sd5: 14944MB, 512 bytes/sector, 30605312 sectors
uhidev0 at uhub2 port 2 configuration 1 interface 0 "Dell Dell KB216 Wired 
Keyboard" rev 2.00/33.08 addr 2
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 variable keys, 6 key codes
wskbd1 at ukbd0 mux 1
uhidev1 at uhub2 port 2 configuration 1 interface 1 "Dell Dell KB216 Wired 
Keyboard" rev 2.00/33.08 addr 2
uhidev1: iclass 3/0, 5 report ids
uhid0 at uhidev1 reportid 1: input=1, output=0, feature=0
uhid1 at uhidev1 reportid 2: input=2, output=0, feature=0
uhid2 at uhidev1 reportid 5: input=0, output=0, feature=5
uhidev2 a

Re: PF Outbound traffic Load Balancing over multiple tun/openvpn interfaces/tunnels

2018-09-12 Thread Andy Lemin
Hi Andreas,

Thanks for your reply. Sorry I should have been more clear.

I know that rdomains are the correct method with overlapping addressing.

The challenge is that I cannot figure out how to get openvpn to initialise its 
resulting tunX interface directly into the correct rdomain?

You normally move interfaces to an rdomain with; ‘ifconfig em1 rdomain 1’

However is there a way I can get openvpn to do this at the time of setting up 
the interface?

The problem is that you cannot just create the tunnel, and then move it over to 
an rdomain afterwards if there is already another conflicting tunnel in the 
default rdomain (as the tunnel just won’t come up due to the address conflict).

I realise I could redesign it so that there is never a tunX in the default 
rdomain, so that tunnels can be setup in the default and then moved over. But 
this feels rather flawed/restricting and not the proper way of doing things?

I would like to script the management of these tunnels, and so if there was a 
way of setting up the tunnel in its own rdomain directly that would be a lot 
more robust :)

Thanks for your time. Andy.



Sent from a teeny tiny keyboard, so please excuse typos.

> On 11 Sep 2018, at 21:59, Andreas Krüger  wrote:
> 
> Maybe rdomains?
> 
>> Den 11. sep. 2018 kl. 15.59 skrev Andrew Lemin :
>> 
>> Hi list,
>> 
>> I use an OpenVPN based internet access service (like NordVPN, AirVPN etc).
>> 
>> The issue with these public VPN services, is the VPN servers are always 
>> congested. The most I’ll get is maybe 10Mbits through one server.
>> 
>> Local connection is a few hundred mbps..
>> 
>> So I had the idea of running multiple openvpn tunnels to different servers, 
>> and load balancing outbound traffic across the tunnels.
>> 
>> Sounds simple enough..
>> 
>> However every vpn tunnel uses the same subnet and nexthop gw. This of course 
>> won’t work with normal routing.
>> 
>> So my question:
>> How can I use rdomains or rtables with openvpn clients, so that each VPN is 
>> started in its own logical VRF?
>> 
>> And is it then a case of just using PF to push the outbound packets into the 
>> various rdomains/rtables randomly (of course maintaining state)? LAN 
>> interface would be in the default rdomain/rtable..
>> 
>> My confusion is that an interface needs to be bound to the logical VRF, but 
>> the tunX interfaces are created dynamically by openvpn.
>> 
>> So I am not sure how to configure this within hostname.tunX etc, or if I’m 
>> even approaching this correctly?
>> 
>> Thanks, Andy.
>> 
> 



Re: Viewport for man.openbsd.org -- readability on phones

2018-05-19 Thread Andy Kosela
On Saturday, May 19, 2018, Mihai Popescu <mih...@gmail.com> wrote:

> > I don't understand what you are trying to say.
>
> I took and iPhone with iOS and Safari ( i think!) on it and pointed
> the browser to the current link of man pages [1]. All i can say is the
> layout is displayed on full display, not stretched.
> Text is fine, paragraphs are scaled ok, not even a simple problem. Font is
> fine.
>
> [1] https://man.openbsd.org/
>
>
I can second that.  It looks perfect on iPhone using Safari.

--Andy


Re: NFS keeps crashing

2018-04-21 Thread Andy Kosela
MB <iam...@gmail.com> wrote:

> Invest in a NetApp filer and do it the right way.  Plenty of options
> spectrascale glfs/cnfs lustre with DNE/IME why struggle with this hobby OS,
> seriously?
>
> On Sat, Apr 21, 2018, 1:31 AM MB <iam...@gmail.com> wrote:
>
> >
> > Why are you using OpenBSD for anything but a firewall.  Even then it's
> > lagging way behind unless you're deploying in a dentist office. OpenBSD sucks
> > at pretty much everything else.  Sorry I come from corporate real world
> > experience not Soho stuff.  Use Linux.
> >

A couple of points:

  (1) Stop top-posting.
  (2) NetApp is using BSD nfs code.
  (3) I have run OpenBSD in a "corporate world" on a global scale and it
  usually outperforms everything else, including Linux, and
  definitely is much more stable and secure.
  (4) If OpenBSD "sucks" and you are on a mailing list that "sucks", your
  life must be truly miserable.

To the original author of this thread -- nfs is a UNIX technology,
originally made for Unix to Unix communication on a network.  Windows
client support came later and it is still not stellar.  Samba/CIFS is
what is a usual scenario here.  

But if you are serious about this and want to attract developers'
attention then please become familiar with sendbug(1).

  http://www.openbsd.org/report.html



--Andy



Re: van Sprundel

2018-01-28 Thread Andy Lemin
Hi.

That’s ok. This list is a place for open and honest conversation :)

My reaction was towards the article trying to say that BSD’s are dying, rather 
than against van Sprundel or his research.

I’ve read through his slides before and I skim through the erratas each 
upgrade, but this article tries to bloat the truth in my eyes. 

So I’m asking the question as to where the reality lies as it stands today?

Linux is such a moving target with so much unnecessary complexity with SystemD, 
that in the bigger picture we can place far more more trust in the BSD’s.

It’s also a pretty serious allegation to cite so many vulnerabilities as still 
being unfixed today? Is this true?

Thanks for your reply :)

A



Sent from a teeny tiny keyboard, so please excuse typos

> On 28 Jan 2018, at 14:11, Hiltjo Posthuma <hil...@codemadness.org> wrote:
> 
>> On Sun, Jan 28, 2018 at 12:56:26PM +, Andy Lemin wrote:
>> Really, did he actually post any real vulnerabilities to OpenBSD!
>> 
>> This article has to be govt propaganda..
>> 
>> https://www.csoonline.com/article/3250653/open-source-tools/is-the-bsd-os-dying-some-security-researchers-think-so.amp.html
>> 
>> I was laughing with tears when I read this..
>> 
>> OpenBSD is the only OS I place any real trust in <3
>> 
>> Is probably the only OS they can’t hack.
>> 
>> And SystemD makes me want to both cry and scream at the same time.
>> 
>> A
>> 
>> 
>> Sent from a teeny tiny keyboard, so please excuse typos
> 
> Hey,
> 
> Maybe I shouldn't reply, but I feel this is insulting to the amazing work of
> Van Sprundel. I've also seen better nuanced articles about the same
> presentation talk.
> 
> Sources:
> - https://www.openbsd.org/errata60.html (the batch of patches on August 3 
> 2017).
> - http://undeadly.org/cgi?action=article=20170804053102
> - Slides: 
> https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Ilja-van-Sprundel-BSD-Kern-Vulns.pdf
> - https://www.openbsd.org/errata56.html (earlier work).
> 
> Please do more research before you post.
> 
> -- 
> Kind regards,
> Hiltjo



van Sprundel

2018-01-28 Thread Andy Lemin
Really, did he actually post any real vulnerabilities to OpenBSD!

This article has to be govt propaganda..

https://www.csoonline.com/article/3250653/open-source-tools/is-the-bsd-os-dying-some-security-researchers-think-so.amp.html

I was laughing with tears when I read this..

OpenBSD is the only OS I place any real trust in <3

Is probably the only OS they can’t hack.

And SystemD makes me want to both cry and scream at the same time.

A


Sent from a teeny tiny keyboard, so please excuse typos

Re: protonmail.com broken on OpenBSD 6.2-Stable with Firefox

2017-11-02 Thread Andy Lowton
> From: r...@protonmail.com
>
> Try this...
>
> javascript.options.asmjs: true
>
> Sent from ProtonMail Mobile

Changing the value from true to false resolved the issue for me.

Thank you for that.

Re: protonmail.com broken on OpenBSD 6.2-Stable with Firefox

2017-11-01 Thread Andy Lowton
>  Original Message 
> Subject: Re: protonmail.com broken on OpenBSD 6.2-Stable with Firefox
> Local Time: November 1, 2017 7:12 PM
> UTC Time: November 1, 2017 7:12 PM
> From: astr...@indiana.edu
> To: techay\@protonmail.com <tec...@protonmail.com>, vincent.de...@gmail.com
> misc@openbsd.org
>
> "tec...@protonmail.com" <tec...@protonmail.com> writes:
>
>> Do you happen to know what the issue with Firefox is with this website
>> on OpenBSD? I mean my guess is that it has to do with JavaScript in
> > some way but why now? It wasn't like this on 6.1, so what changed?
>
> Firefox version went from 52 -> 56 in 6.1 -> 6.2.
>
> You might peruse the release notes for those firefox releases.
>
> Allan

I disagree about it working in 6.1. protonmail hasn't worked for me using 
Firefox since 5.8 or 5.9. At one point the ESR worked but not the main version.

Cheers

Andy

Re: Libressl issue verifying self-signed certs with tls-auth and Openvpn

2017-07-07 Thread Andy Lemin
Hi Stuart and Joel,

Just to confirm for others reading, you are very correct.

And patch 014_libcrypto has fixed this :) So just run syspatch (or openup) and 
you'll be working again.

Thanks for the commits ;)

PS; good to hear from you again Stuart! Long time.. I'm on this email now 
rather than andy@brandwatch, it's been a while since I've been around the 
lists. I knew I could rely on you amazing peeps.

Take care, happy summer. Andy


Sent from a teeny tiny keyboard, so please excuse typos

> On 3 Jul 2017, at 16:51, Joel Sing <j...@sing.id.au> wrote:
> 
>> On Tuesday 20 June 2017 23:26:10 Andrew Lemin wrote:
>> Hi,
>> 
>> Sadly in my testing it seems that CVE-2017-8301 (
>> http://seclists.org/oss-sec/2017/q2/145) is still broken with the
>> latest LibreSSL
>> (2.5.4) and OpenVPN 2.4.2.
>> 
>> Here is someone else reporting the same issue;
>> https://discourse.trueos.org/t/libre-openssl-tls-error-when-using-openvpn/13
>> 58/4
>> 
>> Of course I may have gotten this wrong somewhere, but for now it seems not
>> possible to use OpenVPN as a client with TLS static certificate based
>> server on OpenBSD.
>> 
>> Hope this helps clarify for anyone else finding the same issue until some
>> clever person does a fix.
>> 
>> 
>> Error same with latest;
>> 
>> Tue Jun 20 22:51:15 2017 OpenVPN 2.4.2 x86_64-unknown-openbsd6.1 [SSL
>> (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 20 2017
>> 
>> Tue Jun 20 22:51:15 2017 library versions: LibreSSL 2.5.4, LZO 2.10
>> 
>> Tue Jun 20 22:52:08 2017 VERIFY ERROR: depth=0, error=self signed
>> certificate: < Cert Info >
>> 
>> Tue Jun 20 22:52:08 2017 OpenSSL: error:14007086:SSL
>> routines:CONNECT_CR_CERT:certificate verify failed
>> 
>> Tue Jun 20 22:52:08 2017 TLS_ERROR: BIO read tls_read_plaintext error
>> 
>> Tue Jun 20 22:52:08 2017 TLS Error: TLS object -> incoming plaintext read
>> error
>> 
>> Tue Jun 20 22:52:08 2017 TLS Error: TLS handshake failed
>> 
>> Tue Jun 20 22:52:08 2017 SIGUSR1[soft,tls-error] received, process
>> restarting
> 
> This should be fixed on -current (via r1.30 of libcrypto/x509v3/v3_purp.c) - 
> you should also be able to workaround the issue by using different CNs for the 
> CA and server certificates (they're likely identical in this case).



Re: Libressl issue verifying self-signed certs with tls-auth and Openvpn

2017-06-20 Thread Andy Lemin
I've just found this hint on GitHub for the Openvpn compile options for 
Libressl;
https://gist.github.com/gsora/2b3e9eb31c15a356c7662b0f960e2995

So will try a build later tonight and share back here if that CVE is fixed.

Would prefer to rebuild with the same options as the packaged binary, and it 
occurred to me that I don't know how to find that on OpenBSD?

Thanks again :)


Sent from a teeny tiny keyboard, so please excuse typos

> On 20 Jun 2017, at 20:23, Andrew Lemin <andrew.le...@gmail.com> wrote:
> 
> Hi Misc,
> 
> Has anyone else come across any issues recently with Openvpn, Libressl and 
> TLS on OpenBSD 6.1?
> 
> I am using an .ovpn file with TLS auth static key and cert inline within the 
> file, to connect to VPN service. Running openvpn binary from command line 
> without any special params, just .ovpn file.
> 
> I have tested this is working fine on a Linux server with same config (using 
> Openssl), so the server side, CA and cert are fine etc.
> 
> I noticed on the Linux server the line; "Control Channel Authentication: 
> tls-auth using INLINE static key file", but I do not see this debug on the 
> OpenBSD version. Wondered if Libressl is not negotiating tls properly.
> 
> 
> I have since found CVE-2017-8301 which I believe is related. And confirmed 
> that OpenBSD 6.1 seems to be running LibreSSL version 2.5.2
> 
> The CVE shows issue known between 2.5.1 and 2.5.3, and looking at the OpenBSD 
> trees I can see 2.5.4 was cut around 1st of May..
> 
> I used MTier to grab all major patches etc, but LibreSSL not in patch list 
> yet. openvpn did have a minor.
> 
> So downloaded Libressl 2.5.4 source, compiled and installed as per INSTALL 
> etc.. However notice that openvpn is still linking to 2.5.2.
> 
> It would be great if someone would be kind enough to confirm if this CVE is 
> indeed the same issue, and if 2.5.4 includes the relevant fixes for it?
> 
> And if yes, a gentle nudge as to how to get openvpn to link to the 2.5.4 
> install?
> 
> Thanks for your time.
> Kind regards, Andy Lemin
> 
> 
> 
> Sent from a teeny tiny keyboard, so please excuse typos


Watch out for bad options in /var/run/rc.d/$daemon

2017-01-03 Thread Andy Bradford
Hello,

Since I couldn't find any reference  to this anywhere, I thought I would
put out a description of the problem in the event that someone else runs
into it with other daemons.

At one  point in time,  identd -l had a  different meaning than  it does
now. After upgrading,  I noticed that identd was not  running, thanks to
the following section in the daily output email:

Services that should be running but aren't:
identd

So I began investigating why it wasn't running and found the following 
in /var/log/messages:

Jan  3 22:46:56 obsd identd[80696]: h/auth: no address associated with name
Jan  3 22:46:56 obsd identd[84721]: child has gone

Looking at the output, it seemed  clear that something had changed, so I
looked at the man page for identd, and sure enough, -l is now different.
Previously, in /etc/rc.conf.local, I had:

identd_flags="-elh"

Which coincided  with the error message.  Clearly -lh meant that  it was
trying to look  up a host named h, which  doesn't exist, whereas before,
-l meant to log  to syslog. So, I removed the  -l from identd_flags, and
tried to  restart the daemon. Much  to my dismay, it  failed to restart,
even though I had corrected the problem in rc.conf.local.

As  it turns  out, after  further investigation,  I discovered  that the
flags get cached in /var/run/rc.d/identd:

$ cat /var/run/rc.d/identd 
daemon_class=daemon
daemon_flags=-elh
daemon_rtable=0
daemon_timeout=30
daemon_user=root
pexp=identd: (listen|resolver)

There's the offending -l that I thought I had removed!

I can see why now:

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/etc/rc.d/rc.subr?annotate=1.116

On line 109, the options that are cached in the _RC_RUNFILE override any
that were provided before rc_cmd() was called.

Not sure  if this is  a bug.  How often does  a command line  option get
repurposed for something else?

At any rate, I wanted to give a heads up to anyone else who might end up
with a daemon which refuses to restart, even after the options have been
corrected.

Andy
-- 
TAI64 timestamp: 4000586c8fd2
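The mismatch described above (flags corrected in rc.conf.local, but the old ones still cached in the run file and winning in rc_cmd()) is easy to check for mechanically. Here, as an added example that is my own code and not part of rc.subr or of this message, is a small checker that compares `daemon_flags` from `/var/run/rc.d/<daemon>` against `<daemon>_flags` from `/etc/rc.conf.local`. Both files are passed in as text so the check runs anywhere; the two sample texts are constructed from the message (the run file with `-elh`, and an rc.conf.local where `-l` has been removed) and are not real files from a running system.

```c
#include <stdio.h>
#include <string.h>

/*
 * Find the last line of `text` that starts with `key=` (leading blanks
 * allowed), copy its value into `out` with one surrounding pair of double
 * quotes stripped, and return 1.  Return 0 if no such line exists.  This is
 * enough for the key=value shape of both the run file and rc.conf.local.
 */
int
get_value(const char *text, const char *key, char *out, size_t outlen)
{
	size_t klen = strlen(key), linelen, vlen;
	const char *p, *eol = NULL, *q, *v;
	int found = 0;

	for (p = text; p != NULL && *p != '\0'; p = eol ? eol + 1 : NULL) {
		eol = strchr(p, '\n');
		linelen = eol ? (size_t)(eol - p) : strlen(p);
		for (q = p; q < p + linelen && (*q == ' ' || *q == '\t'); q++)
			;
		if ((size_t)(p + linelen - q) <= klen ||
		    strncmp(q, key, klen) != 0 || q[klen] != '=')
			continue;
		v = q + klen + 1;
		vlen = (size_t)(p + linelen - v);
		if (vlen >= 2 && v[0] == '"' && v[vlen - 1] == '"') {
			v++;
			vlen -= 2;
		}
		if (vlen >= outlen)
			vlen = outlen - 1;
		memcpy(out, v, vlen);
		out[vlen] = '\0';
		found = 1;		/* keep scanning: the last assignment wins */
	}
	return found;
}

/*
 * Returns 1 if the cached flags differ from the configured ones (the daemon
 * will keep coming up with the stale value), 0 if they agree, and -1 if
 * either side is missing so nothing can be concluded.
 */
int
cached_flags_stale(const char *runfile, const char *rcconf, const char *daemon)
{
	char cached[256], configured[256], key[64];

	if (!get_value(runfile, "daemon_flags", cached, sizeof cached))
		return -1;
	snprintf(key, sizeof key, "%s_flags", daemon);
	if (!get_value(rcconf, key, configured, sizeof configured))
		return -1;
	return strcmp(cached, configured) != 0;
}

/* Constructed from the message: the run file still carries -l. */
static const char RUNFILE_IDENTD[] =
	"daemon_class=daemon\n"
	"daemon_flags=-elh\n"
	"daemon_rtable=0\n"
	"daemon_timeout=30\n"
	"daemon_user=root\n"
	"pexp=identd: (listen|resolver)\n";

/* Constructed rc.conf.local after -l was removed, and one where it was not. */
static const char RCCONF_FIXED[] =
	"# local overrides\n"
	"identd_flags=\"-eh\"\n"
	"sshd_flags=\"\"\n";
static const char RCCONF_STILL_OLD[] = "identd_flags=\"-elh\"\n";

int demo_stale(void)      { return cached_flags_stale(RUNFILE_IDENTD, RCCONF_FIXED, "identd"); }
int demo_consistent(void) { return cached_flags_stale(RUNFILE_IDENTD, RCCONF_STILL_OLD, "identd"); }
int demo_unknown(void)    { return cached_flags_stale(RUNFILE_IDENTD, RCCONF_FIXED, "ntpd"); }
int demo_pexp(void)
{
	char v[128];
	return get_value(RUNFILE_IDENTD, "pexp", v, sizeof v) &&
	    strcmp(v, "identd: (listen|resolver)") == 0;
}

int
main(void)
{
	char cached[256], configured[256];

	get_value(RUNFILE_IDENTD, "daemon_flags", cached, sizeof cached);
	get_value(RCCONF_FIXED, "identd_flags", configured, sizeof configured);
	printf("identd: run file has \"%s\", rc.conf.local has \"%s\": %s\n",
	    cached, configured, demo_stale() == 1 ? "STALE" : "consistent");
	return 0;
}
```

Run against real files, the two texts would be read from `/var/run/rc.d/identd` and `/etc/rc.conf.local`; a result of 1 is exactly the situation in the message, where the daemon keeps restarting with options that no longer appear in rc.conf.local.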



Re: Making sense of ktrace

2016-11-23 Thread Andy Bradford
Thus said Jeff Ross on Wed, 23 Nov 2016 15:42:08 -0700:

> The  stack may  indeed  be too  damaged--I get  the  following but  it
> doesn't look very helpful:

More likely the symbols were stripped.

Assuming this was installed from sources,  edit conf-cc and add -g, then
edit conf-ld and remove the -s:

$ head -1 conf-cc
cc -O2 -g
$ head -1 conf-ld
cc
$ 

Then recompile  and try  again (e.g.  get a  new core  file and  run gdb
again).

Andy
-- 
TAI64 timestamp: 4000583654c6



Re: Fan Speed - Supermicro

2016-11-21 Thread Andy Lemin
Just to share for others here.

This worked a treat! I never knew that on BMC based systems, the fan
control was taken away from the OS by IPMI like this.

Simply set it to "Optimal", and now the fan speed is controlled
automatically based on the different temperatures. Surprised this is the
default, but it is a server...

Cheers, Andy.



On Mon, Nov 21, 2016 at 2:10 PM, Delan Azabani <de...@azabani.com> wrote:

> At 19:11, Andy Lemin <a...@brandwatch.com> wrote:
> > but we cannot figure out how to control the fan speed at all.
>
> Every board in the X9DRW series should have a BMC with IPMI, and this
> is what controls your fans and other sensors. Plug in the management
> port (but not to a public or hostile network!) and if these settings
> haven’t been changed, you can go to >
> and log in with “ADMIN” and “ADMIN” (case sensitive, no quotes).
>
> From there, go to “Configuration” > “Fan Speed Mode” and change “Full
> Speed Mode” to “Standard Mode” or “Optimal Mode”.
>
> You can do this over IPMI. Install sysutils/ipmitool. I don’t think
> the tool works with ipmi(4), so you’ll need to do this from one of
> your real interfaces to the management interface. Try this:
>
> # ipmitool -I lanplus -H  -U  -P  \
> raw 0x30 0x45 0
>
> If it works, you’ll see one of the following values:
>
> > 0 = Standard
> > 1 = Full
> > 2 = Optimal?
> > 3 = Minimal?
> > 4 = HeavyIO?
>
> Change the mode with this:
>
> # ipmitool [...] -P  raw 0x30 0x45 1 
>
> I have a Supermicro board, but it doesn’t run OpenBSD and I haven’t
> touched IPMI for some months now, so this guide might not be perfect.
>
> More reading:
>
> • http://supermicro.com/manuals/other/SMT_IPMI_Manual.pdf
> • https://www.supermicro.com/support/faqs/faq.cfm?faq=18025
> • https://siliconmechanics.zendesk.com/hc/en-us/articles/
> 201122989-Changing-fan-speeds-for-X9-X10-series-boards
> • https://forums.servethehome.com/index.php?resources/
> supermicro-x9-x10-x11-fan-speed-control.20/
> • https://asgardahost.org/useful-raw-commands-for-supermicro-ipmi-modules/



Fan Speed - Supermicro

2016-11-21 Thread Andy Lemin
Hi,

I know this is probably a simple question, but we have searched, found very
little, and tried various things to no effect.

We have a Supermicro server running OpenBSD which is _screaming_ loud due
to fan noise.

BIOS is latest and power mode is "Balanced" (during POST it is nice and
quiet, how it should be).
As soon as the OpenBSD kernel kicks in the fans go to max.

We are running;
apmd -A
apm -A

And the performance is currently;

root@bsd1:~# sysctl | grep perf

hw.setperf=0

hw.perfpolicy=auto
But the fans are still at max.

I think the problem is that we don't have any sensors;

root@bsd1:~# sysctl | grep sensor

hw.sensors.cpu0.temp0=22.00 degC


Do we have to load something? Or enable a kernel module to get the controls?

Would be happy to run sensorsd and manually control the fan speed that way,
but we cannot figure out how to control the fan speed at all. So we cannot
even force it to slow down at the moment.

Thanks, Andy.


DMESG;

root@bsd1:~# dmesg
OpenBSD 6.0 (GENERIC.MP) #2: Mon Oct 17 10:22:47 CEST 2016
r...@stable-60-amd64.mtier.org:
/binpatchng/work-binpatch60-amd64/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 34307653632 (32718MB)
avail mem = 33263423488 (31722MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xec640 (146 entries)
bios0: vendor American Megatrends Inc. version "3.0c" date 03/24/2014
bios0: transtec_AG X9DRW
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC FPDT HPET PRAD SPMI SSDT EINJ ERST HEST BERT
DMAR MCFG
acpi0: wakeup devices PS2K(S1) PS2M(S1) P0P9(S1) EUSB(S4) USBE(S4) PEX0(S4)
PEX7(S4) NPE1(S4) NPE4(S4) NPE5(S4) NPE6(S4) NPE8(S4) NPEA(S4) NPE3(S4)
NPE7(S4) NPE9(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 2 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E5-2637 v2 @ 3.50GHz, 3500.49 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,PERF,ITSC,FSGSBASE,SMEP,ERMS,SENSOR,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 1, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 100MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.1, IBE

Re: SNMPD Source Address Issues

2016-09-23 Thread andy
Sent from a teeny tiny keyboard, so please excuse typos

> On 23 Sep 2016, at 20:24, Jeremie Courreges-Anglas <j...@wxcvbn.org> wrote:
>
> Andy Lemin <a...@brandwatch.com> writes:
>
>> Hi,
>>
>> TLDR; Is there a way of fixing the "source address" that SNMPD should use?
>>
>>
>> We are having issues with reply snmpd packets sourcing from the egress
>> interface and not the loopback interface which the poll request was sent
>> to :(
>>
>> We have many GRE tunnels and various routes which traffic can take to and
>> from our OpenBSD boxes. As such we poll the loopback interfaces instead of
>> a specific interface, however the snmpwalk replies reply with the source IP
>> of the egress interface and not the IP which was connected to.
>>
>> We tried setting "listen on $IP_Lo1" etc, and this seemed to work, but it
>> is unstable. That is, occasionally packets start being sourced from the
>> egress interface again when something changes until snmpd is restarted.
>
> I don't understand why binding on a loopback doesn't work.  What is
> "when something changes" here?

I haven't been able to figure that out yet. We have about 20 OpenBSD boxes,
and at some point or another, seemingly randomly, our monitoring system loses
connection to snmpd as it starts responding with the egress IP again and not
its loopback.

It's happened on about 4 or 5 out of the 20 so far. Restarting snmpd fixes it
each time.

And we still have the trap source IP problem as the monitoring system
(Observium) recognises the device by its loopback.

>
>> Also traps are always sourced from the Egress interface regardless of
>> "listen on", however our monitoring system only knows about the loopback
>> interface and so the traps are dropped.
>>
>> Cheers, Andy.
>
> --
> jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE



Re: Output Errors on VLAN interfaces

2016-09-22 Thread Andy Lemin
Hi Chris,

Sorry for the slow reply. Day job takes up most of my time.

Anyway, I finally added some logging into /usr/src/sys/net/if_vlan.c etc;

            if (m == NULL) {
                    /* first place if_oerrors increments: vlan_inject() failed */
                    ifp->if_oerrors++;
                    printf("Output Error due to NULL mbuf\n");
                    continue;
            }
        }       /* end of the branch that called vlan_inject() */

        if (if_enqueue(ifp0, m)) {
                /* second place: the parent interface's queue refused the packet */
                ifp->if_oerrors++;
                printf("Output Error from if_enqueue\n");
                continue;
        }

        ifp->if_opackets++;


Recompiled the kernel and rebooted onto it, and pushed traffic through it
(~50Mbps).

And sure enough every single instance of the VLAN Output drops is due
to "if_enqueue(ifp0, m)" being TRUE. I edited if.c and again confirmed
that IFQ_ENQUEUE does return the error.

Traced it further back to ifq.c:ifq_enqueue_try(), and rv (from
"rv = ifq->ifq_ops->ifqop_enq(ifq, m);") is 55 for every one of the VLAN
output drops.


Needed some help from a colleague to figure out what
"ifq->ifq_ops->ifqop_enq(ifq, m)" calls.

We believe it should be calling ifq.c:priq_enq(). Still don't understand
that glue part yet :( But after adding some logging on "if (ifq_len(ifq) >=
ifq->ifq_maxlen)" it doesn't seem to be that? So I have either made a
mistake or gone as far as my knowledge can go? Any _pointers_ guys? ;)


We do use HFSC (and have done since 5.0 without issues), but only on the
physical interface, not on the VLANs.

The reason for this is so that we can _share_ the whole of the 10Gig
interface root bandwidth across all of the VLANs on the same physical .1q
trunk. This has worked great for years without VLAN output errors. I think
this started after 5.8 or 5.9.

I increased the qlimits from the default but that made no difference.


queue trunk_root on $if_trunk bandwidth 4294M
queue qlocal on $if_trunk parent trunk_root bandwidth 4.1G
queue local_kern on $if_trunk parent qlocal bandwidth 8M min 8M burst 8M for 1000ms
queue local_pri on $if_trunk parent qlocal bandwidth 150M min 150M burst 200M for 2500ms qlimit 500
queue local_data on $if_trunk parent qlocal bandwidth 4G min 1G qlimit 1000
queue qwan on $if_trunk parent trunk_root bandwidth 190M
queue wan_rt on $if_trunk parent qwan bandwidth 30M min 19M burst 38M for 5000ms
queue wan_int on $if_trunk parent qwan bandwidth 19M min 9M
queue wan_pri on $if_trunk parent qwan bandwidth 19M min 10M burst 25M for 2000ms
queue wan_vpn on $if_trunk parent qwan bandwidth 50M min 25M
queue wan_web on $if_trunk parent qwan bandwidth 29M min 10M burst 19M for 3000ms
queue wan_dflt on $if_trunk parent qwan bandwidth 19M min 10M burst 19M for 5000ms
queue wan_bulk on $if_trunk parent qwan bandwidth 20M max 100M default

...

match out on INSIDE all received-on INSIDE queue (local_data,local_pri) set prio (2,4)


So all traffic flowing from one VLAN to another (on the same trunk) is in
queues local_data and local_pri, however looking at the queue statistics
with systat queues 1, shows these large internal queues never drop a single
packet. Yet if_oerrors for the VLANs is still incrementing quite a lot for
most of our VLANs.


Hi Henning, whilst I have the code open, I am also going to have another go
at trying to find the missing 64bit counter/range check etc for the HFSC
queue size tomorrow (if I don't get dragged onto anything else).


Thanks for your time and help guys,

Kind regards, Andy Lemin



On Tue, Aug 9, 2016 at 2:48 AM, Chris Cappuccio <ch...@nmedia.net> wrote:

> Andy Lemin [a...@brandwatch.com] wrote:
> > The underlying trunk does not report any Rx or Tx errors at all.
> >
> > And the VLAN interfaces do not report any receive errors, only low rate
> > transmit errors.
> >
> > Also as a thought exercise, could anyone kindly explain/discuss how an
> > output error might even occur or be valid?
> >
>
> Look at /usr/src/sys/net/if_vlan.c, you'll find exactly two places where
> if_oerrors increments. Logically, both are in the vlan_start() routine.
> The first happens after vlan_inject fails. If vlan_inject returns a null
> mbuf, that appears to be a failure within m_prepend(), probably from
> failure to allocate memory for the new mbuf. Where's your dmesg? Are you
> using a card that does hw tagging? (If so, this isn't the codepath you're
> looking for.)
>
> If the failure is the new if_enqueue, it seems like ifq_enqueue would be
> calling priq_enq which would be returning a failure if the queue is full.
> Are you using hfsc?
>
> Chris
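As an added check (not code from the thread), the script below parses pf.conf queue definitions like the $if_trunk set Andy posted above into a per-interface HFSC tree and flags three things: rates that do not fit the 32-bit bits/s field pf stores queue bandwidth in (the reason the root is capped at 4294M), children whose link-share bandwidth sums to more than their parent's, and leaf min (realtime) guarantees that together exceed the root link. K/M/G suffixes are treated as 1000-based, as pfctl does; the sample input is the posted trunk queue set.

```python
# Added example, not code from the thread: sanity-check pf.conf HFSC queue
# definitions like the $if_trunk set posted above.  Rates use pfctl's 1000-based
# K/M/G suffixes and must fit the 32-bit bits/s field pf keeps them in (4294M cap).
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Optional, Tuple

U32_MAX = 2**32 - 1
UNITS = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
RATE_KEYS = {"bandwidth": "bandwidth", "min": "minimum", "max": "maximum", "burst": "burst"}
Key = Tuple[str, str]  # (interface, queue name): the same name may recur per interface

def parse_rate(token: str) -> int:
    """'4.1G' -> 4100000000 bits/s (Decimal keeps 4.1G exact; float would not)."""
    mult = 1
    if token and token[-1].upper() in UNITS:
        mult, token = UNITS[token[-1].upper()], token[:-1]
    return int(Decimal(token) * mult)

@dataclass
class Queue:
    name: str
    iface: str
    parent: Optional[str] = None
    bandwidth: int = 0  # link-sharing service curve
    minimum: int = 0    # realtime service curve ("min")
    maximum: int = 0    # upper limit ("max")
    burst: int = 0      # short-term realtime curve ("burst R for T")
    qlimit: Optional[int] = None
    default: bool = False

def parse_queues(text: str) -> Dict[Key, Queue]:
    """Parse 'queue NAME on IFACE [parent P] bandwidth R [min R] ...' lines."""
    queues: Dict[Key, Queue] = {}
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) < 4 or tok[0] != "queue" or tok[2] != "on":
            continue
        q, i = Queue(name=tok[1], iface=tok[3]), 4
        while i < len(tok):
            key = tok[i]
            if key == "default":  # the one option that takes no argument
                q.default, i = True, i + 1
                continue
            arg = tok[i + 1]
            if key == "parent":
                q.parent = arg
            elif key in RATE_KEYS:
                setattr(q, RATE_KEYS[key], parse_rate(arg))
            elif key == "qlimit":
                q.qlimit = int(arg)
            i += 2  # "for 1000ms" and other unmodelled keywords skip with their value
        queues[(q.iface, q.name)] = q
    return queues

def root_of(q: Queue, queues: Dict[Key, Queue]) -> Queue:
    while q.parent is not None and (q.iface, q.parent) in queues:
        q = queues[(q.iface, q.parent)]
    return q

def check_queues(queues: Dict[Key, Queue]) -> List[str]:
    problems: List[str] = []
    children: Dict[Key, List[Queue]] = {k: [] for k in queues}
    for q in queues.values():
        for label, attr in RATE_KEYS.items():
            if getattr(q, attr) > U32_MAX:
                problems.append(f"{q.iface}/{q.name}: {label} exceeds the 32-bit limit")
        if q.parent is None:
            continue
        if (q.iface, q.parent) in queues:
            children[(q.iface, q.parent)].append(q)
        else:
            problems.append(f"{q.iface}/{q.name}: parent {q.parent} not defined on {q.iface}")
    for key, kids in children.items():  # link sharing: children may not exceed the parent
        total = sum(c.bandwidth for c in kids)
        if total > queues[key].bandwidth:
            problems.append(f"{key[0]}/{key[1]}: children claim {total} b/s of {queues[key].bandwidth}")
    for root in [q for q in queues.values() if q.parent is None]:  # realtime: leaf mins share the link
        rt = sum(q.minimum for q in queues.values()
                 if not children[(q.iface, q.name)] and root_of(q, queues) is root)
        if rt > root.bandwidth:
            problems.append(f"{root.iface}/{root.name}: leaf min total {rt} exceeds the link")
    return problems

# The trunk queue set from the message above, used here as the sample input.
SAMPLE = """queue trunk_root on $if_trunk bandwidth 4294M
queue qlocal on $if_trunk parent trunk_root bandwidth 4.1G
queue local_kern on $if_trunk parent qlocal bandwidth 8M min 8M burst 8M for 1000ms
queue local_pri on $if_trunk parent qlocal bandwidth 150M min 150M burst 200M for 2500ms qlimit 500
queue local_data on $if_trunk parent qlocal bandwidth 4G min 1G qlimit 1000
queue qwan on $if_trunk parent trunk_root bandwidth 190M
queue wan_rt on $if_trunk parent qwan bandwidth 30M min 19M burst 38M for 5000ms
queue wan_int on $if_trunk parent qwan bandwidth 19M min 9M
queue wan_pri on $if_trunk parent qwan bandwidth 19M min 10M burst 25M for 2000ms
queue wan_vpn on $if_trunk parent qwan bandwidth 50M min 25M
queue wan_web on $if_trunk parent qwan bandwidth 29M min 10M burst 19M for 3000ms
queue wan_dflt on $if_trunk parent qwan bandwidth 19M min 10M burst 19M for 5000ms
queue wan_bulk on $if_trunk parent qwan bandwidth 20M max 100M default"""
```

Running check_queues(parse_queues(SAMPLE)) reports one inconsistency in the posted set: qlocal's children (8M + 150M + 4G) claim more than its 4.1G.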



SNMPD Source Address Issues

2016-09-21 Thread Andy Lemin
Hi,

TLDR; Is there a way of fixing the "source address" that SNMPD should use?


We are having issues with reply snmpd packets sourcing from the egress
interface and not the loopback interface which the poll request was sent to
:(

We have many GRE tunnels and various routes which traffic can take to and
from our OpenBSD boxes. As such we poll the loopback interfaces instead of
a specific interface, however the snmpwalk replies reply with the source IP
of the egress interface and not the IP which was connected to.

We tried setting "listen on $IP_Lo1" etc, and this seemed to work, but it
is unstable. That is, occasionally packets start being sourced from the
egress interface again when something changes until snmpd is restarted.

Also traps are always sourced from the Egress interface regardless of
"listen on", however our monitoring system only knows about the loopback
interface and so the traps are dropped.

Cheers, Andy.



Re: OSPFD, setting point-to-point

2016-08-08 Thread Andy Lemin
Josh Grosse kindly sent me a message off list to confirm the question. So
let me just add a little more clarity so as to not waste anyone's time.


This is purely an OSPFD thing and not a general networking question about
point-to-point links ;)

I am simply trying to tell OSPFD that only one other device is on this
interface, and so OSPFD can skip the DR/BDR election process and jump
straight to sharing LSAs etc.

This way the devices can converge their control planes _much_ quicker..

GRE interfaces do this automatically, and thus converge faster (even over
the internet) than the local ethernet p2p link. This causes local traffic
to briefly traverse another remote router via the GREs for a moment,
whilst waiting for the local adjacency via the ethernet cable to finish
their election etc.


Thanks, Andy.



On Mon, Aug 8, 2016 at 5:12 PM, Andy Lemin <a...@brandwatch.com> wrote:

> Hi,
>
> Does anyone know if it is possible to set an ethernet crossover cable
> between two OpenBSD firewalls running OpenOSPFD as point-to-point?
>
> OpenOSPFD recognises GREs as point-to-point so the logic is there for
> handling a point-to-point adjacency, but cannot see how to set this on the
> ethernet port?
>
> Thanks, Andy.



OSPFD, setting point-to-point

2016-08-08 Thread Andy Lemin
Hi,

Does anyone know if it is possible to set an ethernet crossover cable
between two OpenBSD firewalls running OpenOSPFD as point-to-point?

OpenOSPFD recognises GREs as point-to-point so the logic is there for
handling a point-to-point adjacency, but cannot see how to set this on the
ethernet port?

Thanks, Andy.



Output Errors on VLAN interfaces

2016-08-05 Thread Andy Lemin
Hi guys,

Has anyone else seen issues with "output errors" occurring on only VLAN
interfaces since upgrading to 5.9? (and after using openup to get latest
kernel).

It does not happen on all VLAN interfaces, only ones under load.

The underlying trunk does not report any Rx or Tx errors at all.

And the VLAN interfaces do not report any receive errors, only low rate
transmit errors.


Also as a thought exercise, could anyone kindly explain/discuss how an
output error might even occur or be valid?

You would think that if the packet has been through the whole OpenBSD stack
that it should not have an error on output (input errors, yes, definitely
possible).

But if the packet was/is in error, why is it transmitting it at all, or not
being dropped before the output stage?

Thanks, Andy.



Re: How to handle different sections with new man.conf?

2016-07-06 Thread Andy Bradford
Thus said Ingo Schwarze on Fri, 01 Jul 2016 22:59:16 +0200:

> >>> manpath /usr/local/lib/tcl/tcl8.5/man
> >>> manpath /usr/local/lib/tcl/tcl8.6/man
> 
> That's not  necessarily a good idea;  it adds both directories  to the
> default search path,  so you may end up seeing  Tcl documentation when
> looking for something completely different.

I see. I was just blindly copying the old directories that I had defined
in man.conf  prior to the  upgrade without realizing that  they wouldn't
have the same effect.

The goal was  to have both sets  of man pages available but  allow me to
choose which version of the man pages to read from.

> Then again, nothing wrong with that if you do indeed want to have both
> Tcl dirs searched by default...

If  I understand  it, however,  I don't  really think  it will  have the
intended  effect, and  while they  would  both be  searched by  default,
matches would  always come from  tcl8.5 and  the only time  tcl8.6 would
match is when there  is a difference that exists in  tcl8.6 only but not
in tcl8.5.

> But i also said:
>
>   "So far, there is no noticeable demand -> KISS."

True enough. My  attempts at retaining prior behavior  are certainly not
``noticeable demand.'' :-)

I'll toy around with shell aliases and see where that goes.

Thanks for looking at it.

Andy
-- 
TAI64 timestamp: 4000577dd304



How to handle different sections with new man.conf?

2016-06-25 Thread Andy Bradford
Hello,

Using OpenBSD 5.8-stable.

I used to have the following in /etc/man.conf:

tcl85   /usr/local/lib/tcl/tcl8.5/man/
tcl86   /usr/local/lib/tcl/tcl8.6/man/

Which  made it  easy to  view  one or  the  other by  using the  section
argument:

man tcl85 Tcl
man tcl86 Tcl

man(1) still appears to be documented to have this functionality:

 man [-acfhklw] [-C file] [-I os=name] [-K encoding] [-M path] [-m path]
 [-O option=value] [-S subsection] [-s section] [-T output] [-W level]
 [section] name ...
 ^

But I see no  way of expressing it in the new  man.conf or addressing it
in the  command line.  Here is what  I have added  according to  the new
man.conf(5):

manpath /usr/local/lib/tcl/tcl8.5/man
manpath /usr/local/lib/tcl/tcl8.6/man

But I don't see how to  use [section] anymore. man(1) does mention using
[-s section] with n  as the section, but that only  seems to display the
first match of tcl8.5 and does  not allow further granularity (as far as
I can tell).

Have I missed something in the man pages, or what am I doing wrong?

Thanks,

Andy
-- 
TAI64 timestamp: 4000576f0095



Re: is 'set prio' in pf unidirectional or bidirectional?

2016-06-15 Thread Andy Lemin
Ohh, Forgot to mention.. PF by default sets good ToS values on its CARP
heartbeats, but we use HP Procurve switches with DiffServ enabled.

By default with HP, HP maps the ToS value that PF uses for CARP by default,
into a low priority CoS queue! Yes really ;) Don't you just love HP. And on
many HP switches, you cannot modify this DiffServ <-> CoS mapping.

So the suggestion at the bottom is just to set a ToS that HP switches will
prioritise..

Have fun, all the best.

Andy Lemin


On Wed, Jun 15, 2016 at 8:18 PM, Andy Lemin <a...@brandwatch.com> wrote:

> Peter is quite right, to add some examples to his suggestion;
>
> tcpdump -nettti pflog0 <- Shows only dropped packets
> tcpdump -nettti em0 <- Shows all packets on the interface, including ToS
> values and VLAN ID etc.
> tcpdump -nettti vlanX <- Shows only packets on the VLAN without the extra
> info.
>
> Sure you can figure out the rest..
>
> There are also a few caveats to writing good PF QoS rules that some are
> not aware off. For example the PRIO value is copied into the VLAN header as
> the CoS value, but if it is an untagged VLAN the frame wont have a value as
> their is no VLAN header to store it in. I.e. PRIO is only transitive for
> connected VLAN subnets, beyond the nexthop you cannot control layer 2 CoS,
> only layer 3 QoS is transitive.
>
> Also PRIO is strictly speaking internal to the firewall, and it works for
> both ingress and egress, whereas queuing/shaping is egress only. Best to
> think of it as a priority picker or scheduler. I.e. packets get selected
> from the buffers for processing based on their priority whether they are
> input or output buffers (I am only 90% sure of this, so please correct me
> if I am wrong).
>
> Also common good practice assumes that you would normally want to use two
> prio values; E.g.
>
> pass quick on { $if_ext, $if_DMZ } proto { tcp, udp } from any to {
> $int_ip_dns0 } port { 53 } queue (wan_web,wan_pri) set prio (2,4)
> The first prio (2) is used for the payload packets in the session (ToS not
> set), and the second prio (4) is used for the control packets (ACKs etc
> because they have the ToS set). This again also sets the VLAN CoS correctly
> for each packet type in the same session.
>
> Another thing to be careful of is setting ToS yourself and using PRIO (and
> if using queues too). For example;
>
> match in proto tcp all scrub (no-df max-mss 1460)
>
> match in proto { udp, icmp } all scrub (no-df max-mss 1472)
>
> match out on { $if_ext } proto { tcp, udp } from any to {
>  } scrub (no-df max-mss 1420) set (tos ef, prio 7)
>
> The first two lines are just housekeeping. But the third line will set the
> ToS value EF on every single packet in the session (payload and ACKs) for
> the VoIP traffic. This means that the later pass rules will place all
> voip traffic into 'second' "queue" and second "priority".
>
> And if you didn't spot the clue in the first example, yes, I believe state
> does match returning traffic and does apply the prio to return traffic
> also. But you wont see it with tcpdump unless you are using VLANs to
> inspect the CoS field.
>
>
> In my first example you will also notice I have only one rule that matches
> traffic on both the inside and outside interfaces, so you need to make sure
> you are using the same queue names on both the inside and outside
> interfaces. This is done by adding the "on $if_ext" directive to your
> queues. E.g.
>
> queue ext_root on $if_ext bandwidth 800M
>
> queue qlocal on $if_ext parent ext_root bandwidth 600M
>
> queue local_kern on $if_ext parent qlocal bandwidth 6M min 6M
> burst 10M for 1000ms
>
> queue local_pri on $if_ext parent qlocal bandwidth 60M min 60M
>
> queue local_data on $if_ext parent qlocal bandwidth 510M min 100M
>
> queue qwan on $if_ext  parent ext_root bandwidth 190M
>
> queue wan_rt on $if_ext  parent qwan bandwidth 38M min 19M burst
> 38M for 5000ms
>
> queue wan_int on $if_ext parent qwan bandwidth 19M min 9M
>
> queue wan_pri on $if_ext parent qwan bandwidth 19M min 10M burst
> 25M for 2000ms
>
> queue wan_vpn on $if_ext parent qwan bandwidth 50M min 25M
>
> queue wan_web on $if_ext parent qwan bandwidth 19M min 10M burst
> 19M for 3000ms
>
> queue wan_dflt on $if_ext parent qwan bandwidth 19M min 10M burst
> 19M for 5000ms
>
> queue wan_bulk on $if_ext parent qwan bandwidth 20M max 50M
> default
>
>
> queue trunk_root on $if_trunk bandwidth 4294M
>
> queue qlocal on $if_trunk parent trunk_root bandwidth 4.1G
>
> queue local_kern on $if_trunk parent qlocal bandwidth 8M min 8M

Re: is 'set prio' in pf unidirectional or bidirectional?

2016-06-15 Thread Andy Lemin
 the trunk interface,
and not each VLAN.

This way you can share your total download transit bandwidth across all
internal VLANs instead of having to divide it out across the VLANs. Hope
that makes sense.


Just for some extra reading I have attached a paper that explains HFSC (the
underlying queuing algorithm).

PF Queue "bandwidth" = Link Sharing Service Curve

PF Queue "min" = Realtime Service Curve

PF Queue "burst" = Short-term realtime service curve for delay target

PF queue "for" = time 't' for burst (delay target to be achieved within
this initial period).

And I have also attached a PF Packet Flow diagram I made (it's not 100%
accurate, I need to update it but it should help).


And lastly just for fun if you are using CARP with busy layer 2 networks
where you are having problems with heartbeat delay, this solves that, again
not perfect, just ideas for you;

pass out quick proto carp keep state (no-sync) queue local_kern set (prio 7,
tos ef)

pass in quick proto carp keep state (no-sync) set (prio 7, tos ef)

pass out quick inet6 proto carp from { fe80::/10 } to { ff00::/8 } keep
state (no-sync) queue local_kern set (prio 7, tos ef)

pass in quick inet6 proto carp from { fe80::/10 } to { ff00::/8 } keep
state (no-sync) set (prio 7, tos ef)

pass quick on { $if_pfsync_dev } proto pfsync keep state (no-sync) set
(prio 7, tos ef)


Kind regards, Andy.




On Wed, Jun 15, 2016 at 11:02 AM, Peter N. M. Hansteen <pe...@bsdly.net>
wrote:

>
> This is one of the cases where the best possible answer is, "tcpdump
> is your friend".
>
> You have outlined a number of test cases. It would be really useful if
> you try each one of them, and use tcpdump to record and identify the
> effects of each one. It's worth noting that tcpdump with the right
> options is able to display information such as the packets's ToS and
> which rule in the loaded PF rule set the packet matched.
>
> If you run those tests properly and report your findings, I'm sure it
> will be appreciated.
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
>
>

-- 
*Download our latest free guide here 
<https://www.brandwatch.com/competitive-intelligence-guide/>*

[demime 1.01d removed an attachment of type application/pdf which had a name of 
A Hierarchical Fair Service Curve Algorithm.pdf]

[demime 1.01d removed an attachment of type application/pdf which had a name of 
OpenBSDPFPacketFlow-Jan2016.pdf]



Re: pf changes port on udp nat-to and rdr-to reply packets (RTP stream)

2016-06-10 Thread Andy Lemin
Because of this "Remember that static-port means you can't have two
machines behind the same NAT using the same source port and destination.",
you should instead probably use "binat-to" as a good practice.

This will help force you to not be able to accidentally reuse the same
public IP for another internal server.
SIP uses a lot of ports, and so it really does need its own public IP with
a one to one mapping to the private IP.

If you have remote SIP phone clients that need to run over the gateway too
(not just a SIP trunk), the following helped us keep client
registrations alive;

set timeout { udp.first 1200, udp.single 600, udp.multiple 1800 }

Cheers, Andy.




On Thu, Jun 9, 2016 at 11:40 PM, Stuart Henderson <s...@spacehopper.org>
wrote:

> On 2016-06-09, Markus Wernig <liste...@wernig.net> wrote:
> > On 06/09/2016 08:03 PM, Bryan Vyhmeister wrote:
> >> On Thu, Jun 9, 2016, at 10:48 AM, Markus Wernig wrote:
> >>> Short question:
> >>> How do I prevent pf from changing the source port of outgoing natted
> udp
> >>> packets?
> >>
> >> Did you look at static-port in pf.conf(5)?
> >
> > Argh! I had overlooked that. Shame. Works now.
>
> Remember that static-port means you can't have two machines behind
> the same NAT using the same source port and destination.
>
> If it's OK to change the source port as long as it ends up within
> a certain port range, you can do something like 'nat-to $address port
> 8000:9000'.
>
>




5.9 is the best release yet, very excited for 6.0 - but worried some things will be missing that will ruin the fanfare

2016-05-27 Thread Andy Lemin
Not to say previous releases haven't been as great (they all are), but I
must say that 5.9 really does feel like a huge step towards a massive
milestone (well done), and 6.0 will hopefully be the release that kills the
GIANT lock for OpenBSD as a firewall. So really thank you..


For ourselves, the biggest anticlimax for OpenBSD 6.0 would be, still no
64bit support for the Queue size.. :(
OpenBSD can shift traffic at well above 4.2Gbps now, so it's such a shame
to be superficially limited to 4Gbps still :(


And a small, but "nice to have" would be; Bandwidth defined as percentages
of the parent queue.


Just wishing, nothing else ;)

Humbly yours, Andy.



Possible SNMPD Bug - IF-MIB::ifInDiscards (and maybe ifOutDiscards) report the same value for every single interface :(

2016-05-27 Thread Andy Lemin
Hi list :)

We have noticed our monitoring systems are reporting and alerting the wrong
data for OpenBSD Interface Discards since adding all the OpenBSD firewalls
to our new Monitoring system.

And we have proven that it is SNMPD which is returning the same value for
every single interface with;

root@intermap:/opt/observium# snmpwalk -v2c -c  10.10.4.3
IF-MIB::ifInDiscards
IF-MIB::ifInDiscards.1 = Counter32: 10837445
IF-MIB::ifInDiscards.2 = Counter32: 10837445
IF-MIB::ifInDiscards.3 = Counter32: 10837445
IF-MIB::ifInDiscards.4 = Counter32: 10837468
IF-MIB::ifInDiscards.5 = Counter32: 10837468
IF-MIB::ifInDiscards.6 = Counter32: 10837468
IF-MIB::ifInDiscards.7 = Counter32: 10837468
IF-MIB::ifInDiscards.8 = Counter32: 10837468
IF-MIB::ifInDiscards.9 = Counter32: 10837468
IF-MIB::ifInDiscards.10 = Counter32: 10837468
IF-MIB::ifInDiscards.11 = Counter32: 10837468
IF-MIB::ifInDiscards.12 = Counter32: 10837468
IF-MIB::ifInDiscards.13 = Counter32: 10837468
IF-MIB::ifInDiscards.14 = Counter32: 10837468
IF-MIB::ifInDiscards.15 = Counter32: 10837468
IF-MIB::ifInDiscards.16 = Counter32: 10837468
IF-MIB::ifInDiscards.17 = Counter32: 10837468
IF-MIB::ifInDiscards.18 = Counter32: 10837468
IF-MIB::ifInDiscards.19 = Counter32: 10837468

So it seems impossible to track down which interface is discarding packets?


We have a few firewalls which experience a _lot_ of Discards. This in
itself is not terrible, but we would really like to know on which interface
they are occurring, and ideally why so many, and resolve if possible. Other
firewalls are low figures and so just normal network traffic.

"netstat -s" is great, but that is system wide and only shows a single
discard counter. Is there a command that will show me a summary (like
netstat -s) of the individual reasons for Discarded packets etc, even
globally? (Buffer full, Queue Drops, Unknown VLAN etc..).


Example from our monitoring;

As always, Humbly thank you for your time and great efforts :)
Cheers, Andy.

[demime 1.01d removed an attachment of type image/png which had a name of 
OpenBSD Packet Discards.png]



Re: hostname.carp - CARP Bootup Woes Correct layout / format for >=5.9 - man page for hostname.carp

2016-05-20 Thread Andy Lemin
Just if it helps anyone else having similar problems with CARP (was hoping
someone would make a comment about the man page for hostname.carp if it is
going to be so fussy about the order of parameters).

- Anyway for a hostname.carpX file, the mandatory "carpdev" must always be
the first parameter, and if you are using "carppeer", it must come after
the IP addresses;

hostname.carp1;
carpdev ix0 advbase 2 advskew 10 pass carppass vhid 1
inet 10.2.1.254 255.255.255.0 10.2.1.255
carppeer 10.2.1.253

- If your CARP interface's "carpdev" is a VLAN, the vlandev must also always
be the first parameter. And if you are using IPv6 you seem to also need the
"eui64" to stop all v6 errors even though the link-local is created just by
defining an inet6;

hostname.carp11;
carpdev vlan11 advbase 2 advskew 10 pass carppass vhid 11
inet 10.2.11.254 255.255.255.0 10.2.11.255
inet6 2a12:12e0:2:11::254 64
inet6 eui64
carppeer 10.2.11.253

hostname.vlan11;
vlandev ix0 vlan 11
inet 10.2.11.252 255.255.255.0 10.2.11.255
inet6 2a12:12e0:2:11::252 64
inet6 eui64
group INSIDE

The above examples work perfectly. At boot up, the CARP interfaces
gracefully start INIT->Backup (without a Master flap), and no errors are
seen in dmesg.

This is not obvious after working with the ifconfig commands, and there is
no man page, so I hope this helps some people :)

Cheers, All the best, Andy.





On Wed, May 18, 2016 at 11:24 AM, Andy Lemin <a...@brandwatch.com> wrote:

> Hi Martin,
>
> Thanks for your suggestion.
>
> Indeed it does clear the SIOCAIFADDR errors, however there are new errors
> and the config is more unstable :(
>
> - New boot errors are; "carp0: master_down event in INIT state"
>
> - Instability after the firewall has booted; CARP statuses initialise as
> Backup (and don't go Master temporarily) as they should do. Great..
> But, if we now run "sh /etc/netstart" to make any change, the CARP
> interfaces fall into "status: invalid" and cannot be made functional
> again until another reboot.
>
>
> The previous config with the SIOCAIFADDR errors is more stable, because
> at least we can run "sh /etc/netstart" and make changes to the firewall
> without needing a reboot each time?
>
> What do you think is going on?
> And just to play devil's advocate, why is there not a man page for
> hostname.carp?
>
> New hostname.carp0
> carpdev ix0 advbase 2 advskew 10 carppeer 10.255.12.3 pass testpass vhid
> 212
> inet 10.255.12.1 255.255.255.0 10.255.12.255
> inet6 2a00:77e0:255:12::1 64
> inet6 eui64
> description "4D_CDC_VPLS"
>
> Cheers, Andy.
>
>
> On Tue, May 17, 2016 at 5:37 PM, Martin Pieuchot <m...@openbsd.org> wrote:
>
>> On 17/05/16(Tue) 16:37, Andy Lemin wrote:
>> > Hi Misc,
>> >
>> > Since 5.9 (maybe earlier), we noticed that our CARP interfaces no longer
>> > behave as before, don't initialise properly on boot up, and throw
>> errors at
>> > boot.
>> >
>> > I know there has been lots of changes, especially IPv6. So hopefully
>> this
>> > is a simple question and I'm just being stupid, and unable to find a man
>> > page that explains the correct format for hostname.carp ?
>> >
>> >
>> > Otherwise if there really is no man page for hostname.carp, then could
>> > someone please point us in the right direction.
>> >
>> > - Using the following examples;
>> > hostname.ix0
>> > inet 10.255.12.2 255.255.255.0 10.255.12.255
>> > inet6 2a00:77e0:255:12::2 64
>> > inet6 eui64
>> > description "BACKHAUL"
>> > !route add -net 10.1.0.0/16 10.255.12.254
>> >
>> > hostname.carp0
>> > inet 10.255.12.1 255.255.255.0 10.255.12.255
>> > inet6 2a00:77e0:255:12::1 64
>> > advbase 2 advskew 10 carpdev ix0 carppeer 10.255.12.3 pass testpass
>> vhid 212
>> > inet6 eui64
>> > description "BACKHAUL"
>> >
>> > - The following errors at boot are seen multiple times;
>> > ifconfig: SIOCAIFADDR: Invalid argument
>>
>> That's because you're trying to add addresses *before* configuring
>> a "carpdev" (parent) interface.
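A small lint for hostname.carpN files, added here as an example rather than taken from the thread. It encodes the ordering Andy reports (carpdev first, carppeer after the address lines; Martin's reply confirms the carpdev-before-addresses part) and adds the check a practitioner would want next to it: a hostname.carp file carries the CARP `pass` secret, and OpenBSD installs /etc/hostname.* as mode 0640 root:wheel for that reason, so the script also flags any such file that is readable by others. The two demo files are constructed from the configs posted above; the ordering rule is the poster's observation, not a documented guarantee.

```shell
#!/bin/sh
# Added example (not from the thread): lint a hostname.carpN file against the
# layout Andy reports working on 5.9, and check the file mode, since a CARP
# "pass" secret in a world-readable file is readable by every local user.
#   1. the first configuration line must start with "carpdev"
#   2. a "carppeer" keyword, if present, must come after the inet/inet6 lines
#   3. a file containing "pass" must not be readable by others
#      (OpenBSD installs /etc/hostname.* as mode 0640, owner root:wheel)

# check_carp_file FILE: prints one line per finding; returns 0 if clean, 1 otherwise
check_carp_file() {
    f=$1
    rc=0
    # configuration lines only: blank lines and comments dropped, order kept
    body=$(grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$')

    first=$(printf '%s\n' "$body" | sed -n 1p)
    case $first in
        carpdev*) ;;
        *) echo "$f: first line should start with carpdev, got: $first"; rc=1 ;;
    esac

    # positions (within body) of the last address line and of the carppeer keyword
    last_addr=$(printf '%s\n' "$body" | grep -n '^inet' | tail -n 1 | cut -d: -f1)
    peer=$(printf '%s\n' "$body" | grep -nw carppeer | head -n 1 | cut -d: -f1)
    if [ -n "$peer" ] && [ -n "$last_addr" ] && [ "$peer" -lt "$last_addr" ]; then
        echo "$f: carppeer (line $peer) should follow the address lines (last one: line $last_addr)"
        rc=1
    fi

    # "pass" carries the CARP secret; ls columns 8-10 are the "other" permission bits
    if printf '%s\n' "$body" | grep -qw pass; then
        others=$(ls -ld "$f" | cut -c8-10)
        if [ "$others" != "---" ]; then
            echo "$f: holds a CARP pass secret but is readable by others (mode ...$others)"
            rc=1
        fi
    fi
    return $rc
}

# Demo on two constructed files mirroring the working and the flaky layouts
# from the thread (vhid and addresses copied from the posted configs).
demo=$(mktemp -d)
cat > "$demo/hostname.carp1" <<'EOF'
carpdev ix0 advbase 2 advskew 10 pass carppass vhid 1
inet 10.2.1.254 255.255.255.0 10.2.1.255
carppeer 10.2.1.253
EOF
cat > "$demo/hostname.carp0" <<'EOF'
carpdev ix0 advbase 2 advskew 10 carppeer 10.255.12.3 pass testpass vhid 212
inet 10.255.12.1 255.255.255.0 10.255.12.255
EOF
chmod 640 "$demo/hostname.carp1"
chmod 644 "$demo/hostname.carp0"
check_carp_file "$demo/hostname.carp1" && echo "$demo/hostname.carp1: ok"
check_carp_file "$demo/hostname.carp0" || echo "$demo/hostname.carp0: needs fixing"
rm -r "$demo"
```

Run it as `for f in /etc/hostname.carp*; do check_carp_file "$f"; done` before a reboot; the second demo file reproduces the "carppeer on the carpdev line" layout that Andy found unstable, and its 0644 mode is the permission finding.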



Re: hostname.carp - CARP Bootup Woes Correct layout / format for >=5.9 - man page for hostname.carp

2016-05-18 Thread Andy Lemin
Hi Martin,

Thanks for your suggestion.

Indeed it does clear the SIOCAIFADDR errors, however there are new errors
and the config is more unstable :(

- New boot errors are; "carp0: master_down event in INIT state"

- Instability after the firewall has booted; CARP statuses initialise as
Backup (and don't go Master temporarily) as they should do. Great..
But, if we now run "sh /etc/netstart" to make any change, the CARP
interfaces fall into "status: invalid" and cannot be made functional again
until another reboot.


The previous config with the SIOCAIFADDR errors is more stable, because at
least we can run "sh /etc/netstart" and make changes to the firewall
without needing a reboot each time?

What do you think is going on?
And just to play devil's advocate, why is there not a man page for
hostname.carp?

New hostname.carp0
carpdev ix0 advbase 2 advskew 10 carppeer 10.255.12.3 pass testpass vhid 212
inet 10.255.12.1 255.255.255.0 10.255.12.255
inet6 2a00:77e0:255:12::1 64
inet6 eui64
description "4D_CDC_VPLS"

Cheers, Andy.


On Tue, May 17, 2016 at 5:37 PM, Martin Pieuchot <m...@openbsd.org> wrote:

> On 17/05/16(Tue) 16:37, Andy Lemin wrote:
> > Hi Misc,
> >
> > Since 5.9 (maybe earlier), we noticed that our CARP interfaces no longer
> > behave as before, don't initialise properly on boot up, and throw errors
> at
> > boot.
> >
> > I know there has been lots of changes, especially IPv6. So hopefully this
> > is a simple question and I'm just being stupid, and unable to find a man
> > page that explains the correct format for hostname.carp ?
> >
> >
> > Otherwise if there really is no man page for hostname.carp, then could
> > someone please point us in the right direction.
> >
> > - Using the following examples;
> > hostname.ix0
> > inet 10.255.12.2 255.255.255.0 10.255.12.255
> > inet6 2a00:77e0:255:12::2 64
> > inet6 eui64
> > description "BACKHAUL"
> > !route add -net 10.1.0.0/16 10.255.12.254
> >
> > hostname.carp0
> > inet 10.255.12.1 255.255.255.0 10.255.12.255
> > inet6 2a00:77e0:255:12::1 64
> > advbase 2 advskew 10 carpdev ix0 carppeer 10.255.12.3 pass testpass vhid
> 212
> > inet6 eui64
> > description "BACKHAUL"
> >
> > - The following errors at boot are seen multiple times;
> > ifconfig: SIOCAIFADDR: Invalid argument
>
> That's because you're trying to add addresses *before* configuring
> a "carpdev" (parent) interface.



hostname.carp - CARP Bootup Woes Correct layout / format for >=5.9 - man page for hostname.carp

2016-05-17 Thread Andy Lemin
Hi Misc,

Since 5.9 (maybe earlier), we noticed that our CARP interfaces no longer
behave as before, don't initialise properly on boot up, and throw errors at
boot.

I know there has been lots of changes, especially IPv6. So hopefully this
is a simple question and I'm just being stupid, and unable to find a man
page that explains the correct format for hostname.carp ?


Otherwise if there really is no man page for hostname.carp, then could
someone please point us in the right direction.

- Using the following examples;
hostname.ix0
inet 10.255.12.2 255.255.255.0 10.255.12.255
inet6 2a00:77e0:255:12::2 64
inet6 eui64
description "BACKHAUL"
!route add -net 10.1.0.0/16 10.255.12.254

hostname.carp0
inet 10.255.12.1 255.255.255.0 10.255.12.255
inet6 2a00:77e0:255:12::1 64
advbase 2 advskew 10 carpdev ix0 carppeer 10.255.12.3 pass testpass vhid 212
inet6 eui64
description "BACKHAUL"

- The following errors at boot are seen multiple times;
ifconfig: SIOCAIFADDR: Invalid argument

- The firewall boots up immediately as CARP Master, causing multi-Master :(

- Running "pfctl -sr -vv" shows it's running the default ruleset, even
though rc.conf (pf=YES) is default and "/etc/rc" shows it should load the
PF rules..

We believe this to be the cause of the multi-master as running "pfctl -f
/etc/pf.conf" and "sh /etc/netstart" resolves it and CARP goes Backup.

I have added the following lines to "/etc/rc.local" so that the firewall
can at least be rebooted (but only after carp goes INIT -> MASTER ->
BACKUP);
pfctl -f /etc/pf.conf
sh /etc/netstart

- Lastly Errors and Discards are now also being occasionally seen on the
CARP interfaces - Is there a change to the SNMPD and do we have to update
our MIBs?
Or if it is legit, what circumstances would a CARP interface see errors or
discards?


Thank you kindly in advance for your time and thoughts.
Cheers, Andy.


NB; We have been running CARP without problems since OpenBSD 4.9.
We have read; http://www.openbsd.org/faq/upgrade59.html, upgrade58,
upgrade57 and upgrade56
We know about "man hostname.if" but this does not include any carp
examples, syntax, or general implementation (how ifconfig maps in etc) for
hostname.carp.



Re: OT: Looking for email host with qmail like minus-addressing for custom domain

2016-03-03 Thread Andy Bradford
Thus said Gilles Chehade on Thu, 03 Mar 2016 22:48:57 +0100:

> > I don't see this as necessarily an argument for or against - vs +
> > 
> 
> too bad, it means my friend jean-pierre  will not be able to be hosted
> by you if you already host my other friend jean ;-)

This is true, obviously. If one user has jean and jean-* then clearly
jean-pierre@ is already taken. That doesn't mean I cannot host your
friend jean-pierre, it just means he cannot have jean-pierre@; maybe he
will settle for jean_pierre@ or jean+pierre@, or any other combination
that suits him and is allowed by the hosting software/MTA.

Given the predominance of @gmail.com email addresses, clearly this is
not a problem for  the majority of people in the  email world. There can
only  ever be  one  jean-pie...@gmail.com, right?  Which  means if  your
friend jean-pierre has jean-pie...@gmail.com, then necessarily my friend
jean-pierre cannot also have jean-pie...@gmail.com. Bummer.

Andy
-- 
TAI64 timestamp: 400056d916f3



Re: OT: Looking for email host with qmail like minus-addressing for custom domain

2016-03-03 Thread Andy Bradford
Thus said "Constantine A. Murenin" on Thu, 03 Mar 2016 15:09:46 -0600:

> > The MTA will decide who will get foo-bar@.
>
> How? A /dev/mind RPC? :-)

Because the MTA is configured to handle it? :-)

> And what happens if a "conflicting" user gets created after a mail was
> sent, but before it was delivered? "This behaviour is undefined"?

I'm not exactly sure what you mean by conflicting...

The MTA,  again, will already be  configured to deal with  addresses and
mapping them  to users. And the  behavior is not undefined.  If an email
address exists  and the MTA  knows about the  email address it  will get
delivered if  the username configured to  receive it exists. If  the MTA
knows about it, but the OS doesn't  know about it, the MTA will queue it
up until the local user who is supposed to receive it is created. If the
username exists  and the MTA doesn't  have an email address  for it, the
email will bounce.

My MTA  can handle both +  and - for  email addresses and can  map email
addresses to local users in any fashion that the OS supports.

For example,  let's assume  I have  a local  user named  foo and  I have
assigned an email address foo@ and  I have configured that email address
to accept  wildcard extensions (e.g.  foo-*@ gets delivered  to username
test). Then, I create a local  user named foo-bar. Clearly now, I cannot
give the  local username foo-bar  an email address of  foo-bar@ because,
well, that is already superseded by test's wildcard claim on the
address. Assuming that I had to  give the user that username, what email
address could I give him? Anything I want,  as long as it is not part of
foo-*@

I have the following mapping which permits username foo to receive email
for foo@, foo-*@, and foo+*@, and another mapping which permits username
foo-bar to receive email for foo_bar@ and foo_bar-*@:

=foo:foo:1004:1004:/home/foo:-::
+foo-:foo:1004:1004:/home/foo:-::
+foo+:foo:1004:1004:/home/foo:-::
=foo_bar:foo-bar:1003:1003:/home/foo-bar:-::
+foo_bar:foo-bar:1003:1003:/home/foo-bar:-::

Is this  sensible to  do? Who knows,  but the point  is, just  because -
exists in usernames  doesn't necessarily mean that it  shouldn't be used
in email  extensions. Must there  be a one-to-one mapping  between email
addresses and  local usernames? In  many systems  it is typical  for the
email address to not even remotely resemble a local username.

Thanks,

Andy
-- 
TAI64 timestamp: 400056d912b2
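To make the mapping above concrete, here is an added example (not from the thread, and not qmail's own lookup code) that resolves an address local part against a users/assign-style table. The lookup rule is an assumption chosen to illustrate Andy's point: an "=" entry wins on an exact match, otherwise the longest matching "+" prefix claims the address, and anything else is unclaimed. The table is the five lines posted above, embedded as constructed input.

```shell
#!/bin/sh
# Added example (not from the thread): resolve an address local part against
# a qmail-style users/assign table like the one Andy posted. The lookup rule
# below is an assumption for illustration, not qmail's actual code: an "="
# entry wins on exact match, otherwise the longest "+" prefix that matches
# wins, and anything else is unclaimed (it would bounce).

# Constructed table: the five assign lines from the message above.
ASSIGN='=foo:foo:1004:1004:/home/foo:-::
+foo-:foo:1004:1004:/home/foo:-::
+foo+:foo:1004:1004:/home/foo:-::
=foo_bar:foo-bar:1003:1003:/home/foo-bar:-::
+foo_bar:foo-bar:1003:1003:/home/foo-bar:-::'

# resolve_local LOCALPART: prints "username homedir"; returns 1 if unclaimed
resolve_local() {
    printf '%s\n' "$ASSIGN" | awk -F: -v lp="$1" '
        # exact entry: print and stop
        /^=/ { if (substr($1, 2) == lp) { print $2, $5; found = 1; exit } }
        # wildcard entry: remember the longest prefix that matches
        /^\+/ { key = substr($1, 2)
                if (index(lp, key) == 1 && length(key) > bestlen) {
                    bestlen = length(key); best = $2 " " $5 } }
        END { if (found) exit 0
              if (bestlen) { print best; exit 0 }
              exit 1 }'
}

# Demo: who receives mail for each of these local parts?
for lp in foo foo-bar foo+pierre foo_bar foo_bar-list foobar jean; do
    if owner=$(resolve_local "$lp"); then
        echo "$lp@ -> $owner"
    else
        echo "$lp@ -> unclaimed"
    fi
done
```

Note how foo-bar@ lands on user foo through the "+foo-" wildcard even though a local user named foo-bar exists, which is exactly why that user had to be given foo_bar@ instead, and how foobar@ stays unclaimed because no entry covers it.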



Re: OT: Looking for email host with qmail like minus-addressing for custom domain

2016-03-03 Thread Andy Bradford
Thus said Gilles Chehade on Thu, 03 Mar 2016 10:14:48 +0100:

> Who should get mail for foo-bar@ ?

The MTA will decide who will get foo-bar@.

> This just doesn't happen with + because:

It also doesn't happen with an MTA that can figure these things out.

I don't see this as necessarily an argument for or against - vs +

Andy
-- 
TAI64 timestamp: 400056d8a13e



Re: Industrial use of line printers, does/would your company/organization use them with our lpd?

2016-02-18 Thread Andy Bradford
Thus said Chris Cappuccio on Thu, 18 Feb 2016 17:09:38 -0800:

> aren't there  plenty of simple  pre-processor scripts that  people are
> using  with lp  to  turn whatever  into some  output  for simple  dumb
> printers? CUPS is so annoying and stupid, it's not even funny

Perhaps apsfilter?

Andy
--
TAI64 timestamp: 400056c676d2



Re: Industrial use of line printers, does/would your company/organization use them with our lpd?

2016-02-17 Thread Andy Bradford
Thus said Tobias Ulmer on Wed, 17 Feb 2016 19:51:28 +0100:

> No really, it is outdated beyond rescue.

But  it does  work  (at  least in  some  configurations).  To enable  my
PostScript  printers,  all  I  have  to  do is  add  a  single  line  to
/etc/printcap... well, maybe 2 lines.

printer:\
:lp=:rm=printer:rp=lp:sd=/var/spool/output/printer:\
:lf=/var/log/lpd-errs:sh:

That's it. Can  it be more simple?  CUPs is a nightmare,  however it too
works if one wants to spend the time with it.

For non-PostScript  printers, it would  be nice to  be able to  just use
:if:  in  the  printcap  (which  I  do  use  successfully  with  another
non-PostScript printer):

:if=/var/spool/output/printer/filter

Of course,  this would require the  ability to figure out  what kinds of
things need to go  into the filter. I suppose this is  one of the things
that CUPs tries to solve but without the simplicity of :if:

Anyway,  just  some  musings.  Is  there anyone  else  out  there  using
lpr/lpd/lprm from base? Maybe I'm the only one?

Thanks,

Andy
-- 
TAI64 timestamp: 400056c556b3



Re: 64 Queue Size, ARC routing, MP Networking, OpenBSD 5.9

2016-02-15 Thread Andy Lemin
Thanks guys :)

As always I will report back on testing results. I have a lot of DR traffic
(multiple TBs daily) I can push through this to see how it fares..

Thanks Andy.

On Tue, Feb 9, 2016 at 4:33 PM, Stuart Henderson <s...@spacehopper.org>
wrote:

> On 2016/02/09 08:22, Chris Cappuccio wrote:
> > Andy Lemin [a...@brandwatch.com] wrote:
> > >
> > > >ART not ARC. It's not enabled by default, you'll need to build
> > > a new kernel to use it.
> > >
> > > Any clues how to enable "ART" when building? ;)
> > >
> >
> > Put "option ART" in your kernel config, that's it. It seems to work in
> various
> > corner cases but won't be enabled by default until after 5.9 because
> "seems"
> > isn't good enough at this stage.
>
> Last time I tried it, minidlna broke (upnp multicast). I'll have to
> try it again sometime..



Re: 64 Queue Size, ARC routing, MP Networking, OpenBSD 5.9

2016-02-08 Thread Andy Lemin
Hi Stuart,

Good to hear from you! Hope you are well.

>> 1) Will 5.9 have a 64bit integer for the queue sizes, or are we still
>> limited to ~4294M?

> There haven't been any changes in that area.

Hi Henning, with the current MP works in progress this limit is about to
become a very superficial bottleneck for a lot of people?

I know it hasn't been an issue in the past as no one could get close to
4.3Gbps anyway.. Do you think you will find time to change this to 64bit
on -current soon?


>> 2) When 5.9 comes out, will the new ARC routing table be enabled by
>> default? If not can we turn it on without building from source?

>ART not ARC. It's not enabled by default, you'll need to build
a new kernel to use it.

Any clues how to enable "ART" when building? ;)


>> 3) Does anyone know which parts of the Network stack will have MP support
>> in 5.9?
>> MP NIC Interrupts, yes/no?
>> MP Network Stack, yes/no?
>> MP Queueing, yes/no?
>> MP PF, yes/no?
>> HW Offloading and other general MP NIC driver stuff (em(), ix()) yes/no?
>> Any other important parts needing MP?

Knowing these would be helpful to gauge performance expectations in
testing..

Hahaha, yes. Managing Commercial Firewalls = Shoot me now!


PS; I have also updated the OpenBSD Packet Flow diagram some more;
https://www.lucidchart.com/publicSegments/view/06b87350-b11c-4732-a72c-5842126d9058

Please fire over any corrections.

I haven't had an answer to this query though, can anyone help?

"

I would suggest adding a box for "Address & Port Translation
(nat-to, rdr-to, binat-to, af-to)" right after "State Generate"
in both ingress and egress, and have the "state exists" path merge
into that step.

I'll bow to your knowledge if you tell me this is correct, but isn't the
state created *after* the nat-to/rdr-to etc is applied as the state stores
both the inside IP and the outside IP etc? Or does this second box also
append this extra info to the state that was created at the previous step
(Packet Filtering)?

Thanks everyone,
Andy.


On Sun, Feb 7, 2016 at 9:06 PM, Stuart Henderson <s...@spacehopper.org>
wrote:

> On 2016-02-07, Andy Lemin <a...@brandwatch.com> wrote:
> > Hi everyone,
> >
> > Just a couple very quick 5.9 questions;
> >
> >
> > 1) Will 5.9 have a 64bit integer for the queue sizes, or are we still
> > limited to ~4294M?
>
> There haven't been any changes in that area.
>
> > 2) When 5.9 comes out, will the new ARC routing table be enabled by
> > default? If not can we turn it on without building from source?
>
> ART not ARC. It's not enabled by default, you'll need to build
> a new kernel to use it.
>
> > 3) Does anyone know which parts of the Network stack will have MP support
> > in 5.9?
> > MP NIC Interrupts, yes/no?
> > MP Network Stack, yes/no?
> > MP Queueing, yes/no?
> > MP PF, yes/no?
> > HW Offloading and other general MP NIC driver stuff (em(), ix()) yes/no?
> > Any other important parts needing MP?
> >
> >
> > It is difficult to understand where we are currently. I know we are
> > excitingly close with the MP work (and thank you again for such amazing
> > work!), but we need to know for business decision reasons because simply
> we
> > are growing faster than OpenBSD's performance is, and we also have a new
> > VP.
> >
> > So I'm deeply saddened to realise that if the MP networking commits do
> not
> > make it in to get us above 4Gbps in 5.9 we will have to say goodbye to
> > OpenBSD for good (I really seriously don't want too because OpenBSD is
> > better than *any* firewalls out there, but we are still a business and
> need
> > to make money, and we need more than 2-4Gbps).
> >
> > NB; 4Gbps is all we've managed on our current hardware class and 2Gbps
> with
> > PF enabled.
> >
> > Hardware:
> > Supermicro X9DRW-iF
> > 4x 1866 DDR3 DIMMS
> > Cpu0/1: Intel(R) Xeon(R) CPU E5-2637 v2 @ 3.50GHz, Turbo+ enabled =
> 3600.01
> > MHz (Virtualisation, Hyperthreading and extra Cores disabled)
> > Intel 82599 10Gbps NICs
> >
> >
> > We need to be getting closer to 8Gbps with PF enabled by this summer, or
> > I've been told to replace OpenBSD with something faster.. FreeBSD can max
> > the 10G ports, but FBSD is not good enough for us in many other ways, so
> > would mean a move to commercial firewalls (Hurghh).
> >
> > I REALLY don't want to have to walk away from OpenBSD in my current job
> :_(
> >
> > Cheers, Andy.
> >
> > Thanks everyone, and good luck on these big changes..
> >
> >
>
> Good luck with the commercial firewalls!

[demime 1.01d removed an attachment of type application/pdf which had a name of 
OpenBSDPFPacketFlow-Jan2016.pdf]



64 Queue Size, ARC routing, MP Networking, OpenBSD 5.9

2016-02-07 Thread Andy Lemin
Hi everyone,

Just a couple very quick 5.9 questions;


1) Will 5.9 have a 64bit integer for the queue sizes, or are we still
limited to ~4294M?

2) When 5.9 comes out, will the new ARC routing table be enabled by
default? If not can we turn it on without building from source?

3) Does anyone know which parts of the Network stack will have MP support
in 5.9?
MP NIC Interrupts, yes/no?
MP Network Stack, yes/no?
MP Queueing, yes/no?
MP PF, yes/no?
HW Offloading and other general MP NIC driver stuff (em(), ix()) yes/no?
Any other important parts needing MP?


It is difficult to understand where we are currently. I know we are
excitingly close with the MP work (and thank you again for such amazing
work!), but we need to know for business decision reasons because simply we
are growing faster than OpenBSD's performance is, and we also have a new
VP.

So I'm deeply saddened to realise that if the MP networking commits do not
make it in to get us above 4Gbps in 5.9 we will have to say goodbye to
OpenBSD for good (I really seriously don't want to because OpenBSD is
better than *any* firewalls out there, but we are still a business and need
to make money, and we need more than 2-4Gbps).

NB; 4Gbps is all we've managed on our current hardware class and 2Gbps with
PF enabled.

Hardware:
Supermicro X9DRW-iF
4x 1866 DDR3 DIMMS
Cpu0/1: Intel(R) Xeon(R) CPU E5-2637 v2 @ 3.50GHz, Turbo+ enabled = 3600.01
MHz (Virtualisation, Hyperthreading and extra Cores disabled)
Intel 82599 10Gbps NICs


We need to be getting closer to 8Gbps with PF enabled by this summer, or
I've been told to replace OpenBSD with something faster.. FreeBSD can max
the 10G ports, but FBSD is not good enough for us in many other ways, so
would mean a move to commercial firewalls (Hurghh).

I REALLY don't want to have to walk away from OpenBSD in my current job :_(

Cheers, Andy.

Thanks everyone, and good luck on these big changes..



Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-12 Thread Andy Bradford
Thus said Tati Chevron on Fri, 11 Dec 2015 13:16:23 +:

> On the other hand, if somebody  actually received a fake OpenBSD CD in
> the mail, and it was discovered, it  would be a huge news story within
> the IT industry. A bad download, much less so.

My OpenBSD  5.7 CD arrived  with a green  label affixed to  the shipping
packaging  that claimed  it had  been inspected  by some  U.S.A. customs
department. It had actually been opened and resealed and the green label
placed on it to inform me of said tampering.

Did anything change? Is this a fake  CD? Who knows. I do know that there
was an extra CD in the shipment by The OpenBSD Store, apparently because
there were problems with first stamping of the CD.

Hopefully signify will protect in this case.

Andy
-- 
TAI64 timestamp: 4000566c62a4



Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-10 Thread Andy Bradford
Thus said Jason Barbier on Tue, 08 Dec 2015 10:14:37 -0800:

> It is a  read only site, the  privacy you seek is breached  as soon as
> you make a DNS call to openbsd.org

Not  to mention  the Subject  on the  SSL certificate  will most  likely
be  www.openbsd.org, and  perhaps  there's  also SNI,  all  of which  is
transmitted in the plain.

If one wants privacy on a website then more is required than just HTTPS.

Andy
-- 
TAI64 timestamp: 4000566a5669



Re: random.seed question

2015-11-26 Thread Andy Bradford
Thus said Paul de Weerd on Thu, 26 Nov 2015 15:54:11 +0100:

> I'd recommend trying  to keep such changes to a  minimum: this will be
> overwritten when you upgrade and it becomes a maintenance burden.

Do files  in /etc  no longer  undergo a round  of sysmerge  before being
written?

Thanks,

Andy
-- 
TAI64 timestamp: 400056575beb



Re: LPR/LPD does not run filters

2015-10-25 Thread Andy Bradford
Thus said Jona Joachim on Sun, 25 Oct 2015 15:11:01 +0100:

> I was  tired of CUPS so  I decided keep  it simple and stupid  and use
> lpd/lpr. Strangely, things  don't work out as expected.  It seems that
> lpd never executes input filters.

I have a system  running standard lpd on OpenBSD 5.3  which works with a
filter. I have:

lp|parallel:\
:lp=/dev/lpa0:\
:br#57600:\
:rm=:\
:rp=:\
:mx#0:\
:sd=/var/spool/output/parallel:\
:lf=/var/log/lpd-errs:\
:sh:\
:if=/var/spool/output/parallel/filter

So at least as of OpenBSD 5.3 filters worked just fine with the standard
lpd. I cannot say  for newer versions as I have not  yet upgraded, but I
don't know why it should cease to work.

Andy
-- 
TAI64 timestamp: 4000562d5f56



64 Queue Sizes in OpenBSD 5.8

2015-08-13 Thread Andy Lemin
Hi,

Is there any news whether we'll have 64bit PF queue sizes soon?

Our link between our Primary and DR DCs needs more than 4.2Gbps, but we
cannot shape traffic above this due to the 32bit queues.

Simply we need to impose shaping to ensure the CDR is not breached. We
really need to upgrade the CDR to 6Gbps, but the penalties for taking our
95% percentile above the CDR are very expensive.

Cheers, Andy.



Re: Maybe OT: OpenSSH connection failure unless verbose

2015-08-01 Thread Andy Bradford
Thus said Quartz on Sat, 01 Aug 2015 19:00:56 -0400:

> good day:
> ssh user@server = works just like it should

What about ssh -v user@server on a good day? And more specifically, if
you run ssh -v on both a good  day and a bad day, what does diff between
the two outputs show?

Andy
-- 
TAI64 timestamp: 400055bd5813



Re: Audio Boost for Sndio

2015-07-11 Thread Andy Bradford
Thus said tekk on Sat, 11 Jul 2015 08:30:00 -0700:

>> So e.g. mixerctl -v inputs.dac-0:1=255 sets it to 174,174?
>
> Exactly. inputs.dac-{0:1,2:3}=$value_above_174 simply sets it to 174.

It would be more helpful if, instead of describing the problem, you
would just copy/paste the result of running the command and report that
in an email.

For example:

$ mixerctl -v record.adc-0:1=255
record.adc-0:1: 120,120 - 248,248

Thanks,

Andy
-- 
TAI64 timestamp: 400055a14376



Re: PF Packet Flow Diagram

2015-07-07 Thread Andy Lemin
Hi Ryan,

> On 28 Jun 2015, at 04:04, Ryan McBride mcbr...@openbsd.org wrote:
>
> This is nice, I hope you'll share the editable source file as well.

Currently just scribbling it together on Lucidchart. It's nothing clever like
LaTeX source ;)

However I can only add a couple of editors? I would be more than happy to give
edit rights to anyone who is better informed about this stuff so we can get a
good and up-to-date flow diagram which can be publicly shared?


> A few comments:
>
> rdr & nat happen as part of packet filtering now, not as separate
> ruleset evaluations.

Awesome, thanks. I have changed this can you check it looks right?

http://postimg.org/image/l172i1vmx/
or
http://s12.postimg.org/40o69dilp/Open_BSD_Packet_Flow.png

It's scruffy but it's getting there :)

> They can both occur on ingress as well as
> egress packet paths; (binat in pf.conf gets expanded to a pair of
> nat & rdr rules).
>
> pf now does af translation (NAT64) as well, see af-to in pf.conf(4)

Amazing, thank you.


> I would suggest adding a box for "Address & Port Translation
> (nat-to, rdr-to, binat-to, af-to)" right after "State Generate"
> in both ingress and egress, and have the "state exists" path merge
> into that step.

I'll bow to your knowledge if you tell me this is correct, but isn't the state
created after the nat-to and rdr-to is applied, as the state stores both the
inside IP and the outside IP etc.?
Or does this second box also append this extra info to the state that was
created at the previous step (Packet Filtering)?

I haven't added this yet..



> On Thu, Jun 25, 2015 at 10:15:08AM +0100, Andy Lemin wrote:
>> Surprised I've not had any replies for this?
>> http://s12.postimg.org/i4pggq465/Open_BSDPFPacket_Flow.jpg

Thanks you so much for your time, I'm all ears for more ?? :)



Re: pf nat and routing question

2015-06-25 Thread Andy Lemin
Hi,

We do exactly the same thing for our wifi network. Users on wifi can *only*
use public IP addresses.

The solution is easy, you just have to consider where you do your nat'ing;

You can't do binat-to, so you will need nat-to and rdr-to rules to make it
work.

E.g. the following line translates the public IP to the internal IP regardless
of whether the connection ingresses the firewall from the outside web, or
from your internal wifi network:
match in proto tcp from any to { $ext_ip_rc5 } port { https } rdr-to $int_ip_lard

But the nat-to is only needed on the outside interface:
match out on { $if_ext } from { $int_ip_lard } to any nat-to $ext_ip_rc5

And so you will need three rules..

Ingress pass rule on the external interface, another ingress pass rule on the
wifi interface, and an egress pass rule on the DMZ interface where the server
is.

If the internal server is on the same LAN as the internal clients that *have
to* use the public IP address, then an extra nat-to rule is needed.

Keep the same ingress rdr-to rule to translate the public to the private, but
you will also need an extra nat-to rule as the packet egresses the firewall to
make all connection look like they have come from the firewall.
This ensures that when the server replies, it replies back to the firewall, which
then replies back to the internal client.

Without this rule the internal server would just reply to the internal client
directly, meaning the firewall only sees the forward traffic and won't be able
to update its states properly and things won't work.

PS; Make sure to be careful about what internal firewall IP you NAT to, and you
need to remember that this limits the number of connections to the internal
server, as everyone (from internal) will appear to come from the firewall
which has a limited number of source ports...

EG; This ensures that if a firewall failover happens (with CARP) all still
works :)
pass out on $if_lan from ($if_lan:network) to $server nat-to (carp1)

Hope this helps. A


 On 24 Jun 2015, at 12:16, Marko Cupać marko.cu...@mimar.rs wrote:

 Hi,

 my setup is actually more complicated, but for purpose of this mail I
 am going to try and keep it simple.

 My firewall redirects requests to some service from the Internet to
 server on private network:

 pass in on $ext_if inet proto tcp from any to $srv-pub port $service rdr-to
$srv-priv

 Internet hosts can access service without problem via its public IP
 address.

 Clients on internal network can access service without problem via its
 private IP address.

 Now, I have some clients on internal network who are forbidden
 communication with private address space, so they need to access
 service via its public IP address. Unfortunately this does not work.

 Hopefully someone already had this problem and will be able to point me
 in the right direction.

 Regards,
 --
 Marko Cupać
 https://www.mimar.rs/
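The three-rule layout Andy describes, plus the extra nat-to for the case where the server and the clients share a LAN, written out as an added pf.conf example (not code from the thread; interface names and addresses are constructed, with 203.0.113.0/24 standing in for a real public range):

```conf
# Added example, not from the thread. Interface names and addresses are
# constructed; 203.0.113.0/24 is documentation space standing in for a
# real public range.
ext_if   = "em0"           # Internet-facing
wifi_if  = "em1"           # clients that may only talk to public addresses
lan_if   = "em2"           # LAN shared by the server and ordinary clients
srv_pub  = "203.0.113.10"  # public address of the service
srv_priv = "192.168.1.10"  # server's real address on $lan_if
service  = "443"

# 1. Ingress on the external interface: Internet -> server.
#    rdr-to rewrites the destination before routing, so the packet is
#    then forwarded out $lan_if towards $srv_priv.
pass in on $ext_if inet proto tcp from any to $srv_pub port $service \
    rdr-to $srv_priv

# 2. Ingress on the wifi interface: the same translation for internal
#    clients that must use the public address. The server sits on a
#    different segment, so its replies already come back through the
#    firewall and no nat-to is needed for these clients.
pass in on $wifi_if inet proto tcp from $wifi_if:network to $srv_pub \
    port $service rdr-to $srv_priv

# 3. Egress towards the server's segment. Everything translated above
#    leaves here, so match the already-rewritten destination.
pass out on $lan_if inet proto tcp from any to $srv_priv port $service

# Extra rules for clients on the *same* LAN as the server. Without the
# nat-to, the server answers the client directly, the firewall never sees
# the reply and its state never completes. nat-to makes the connection
# appear to come from the firewall, so the reply is routed back through it.
# received-on limits the source NAT to packets that actually arrived on
# $lan_if, so Internet and wifi clients keep their real source address.
# pf is last-match, so this rule overrides rule 3 only for LAN-sourced hits.
pass in on $lan_if inet proto tcp from $lan_if:network to $srv_pub \
    port $service rdr-to $srv_priv
pass out on $lan_if inet proto tcp from $lan_if:network to $srv_priv \
    port $service received-on $lan_if nat-to ($lan_if)

# The parentheses in ($lan_if) make pf re-resolve the address at run time,
# so with a CARP address on that segment (nat-to (carp1), as in the thread)
# the translation follows whichever firewall is master after a failover.
# Caveat from the thread: every hairpinned client now shares one source
# address, so that address's source-port range caps concurrent connections.
```

Check the rule set with `pfctl -nf /etc/pf.conf` before loading it; a typo in a nat-to rule fails the whole file rather than one rule.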



Re: PF Packet Flow Diagram

2015-06-25 Thread Andy Lemin
Hi,

 On 25 Jun 2015, at 10:31, Jiri B ji...@devio.us wrote:

 On Thu, Jun 25, 2015 at 10:15:08AM +0100, Andy Lemin wrote:
 Surprised I've not had any replies for this?
 http://s12.postimg.org/i4pggq465/Open_BSDPFPacket_Flow.jpg

 I copied this from a diagram I found some years ago which has been
 photocopied a few times and is now intelligible, so thought I'd quickly re-do it.

 I can't believe nothing has changed in 5 years (I think that's when the
 original I saw was dated).

 Anyway, I'll try and message Henning directly and get his thoughts, and I'll
 post back here once it's got his approval.

 Cheers, Andy.

 IIRC pf packet flow is also influenced by routing which is done
 before pf. That's why local sourced traffic for remote destination
 cannot be redirected back to local host.

Could you help me understand this a little better? How do you mean traffic
locally originated by the firewall cannot be redirected?

I understand FIB routing is only done after ingress processing (if no
route-to is found on a matching inbound direction route).


 If you would get more info and incorporate routing factor into diagram
 it would be great ;)

I know! :) It would be great if this was as complete as possible as it would
be really helpful to both those just starting out and the more experienced
alike.

I would also like to understand the processing for virtual interfaces. I.e.
should there be a separate Egress Processing chain for enc0?

Also is policy based routing (created by IPSec encX tunnels) processed before
and/or independently from rdomain routing?

I also don't know how packet Labels and Tags are processed?

I've done a little more to it;
http://s27.postimg.org/4ul9nayvn/Open_BSDPFPacket_Flow.jpg

 j.



Re: pf nat and routing question

2015-06-25 Thread Andy Lemin
 On 25 Jun 2015, at 15:46, Marko Cupać marko.cu...@mimar.rs wrote:
 
 On Wed, 24 Jun 2015 08:17:15 -0400
 Michel Blais mic...@targointernet.com wrote:
 
 The solution seem his explain on this link
 
 ‎http://www.openbsd.org/faq/pf/rdr.html#reflect
 
 On Thu, 25 Jun 2015 14:50:42 +0100
 Andy Lemin a...@brandwatch.com wrote:
 
 Hi,
 
 We do exactly the same thing for our wifi network. Users on wifi can
 *only* use public IP addresses.
 
 The solution is easy, you just have to consider where you do your
 nat'ing;
 
 Michel, Andy,
 
 thank you for your suggestions.
 
 I went for http://www.openbsd.org/faq/pf/rdr.html#tcpproxy
 
 I'm satisfied with result.

Cool, but you are using a big hammer (not a sledge ;) for a nut.. And your CPU
knows the difference. If load is v.small, then irrelevant.

 
 Regards,
 -- 
 Marko Cupać
 https://www.mimar.rs/



Re: PF Packet Flow Diagram

2015-06-25 Thread Andy Lemin
Surprised I've not had any replies for this?
http://s12.postimg.org/i4pggq465/Open_BSDPFPacket_Flow.jpg

I copied this from a diagram I found some years ago which has been photocopied
a few times and is now intelligible, so thought I'd quickly re-do it.

I can't believe nothing has changed in 5 years (I think that's when the
original I saw was dated).

Anyway, I'll try and message Henning directly and get his thoughts, and I'll post
back here once it's got his approval.

Cheers, Andy.


 On 23 Jun 2015, at 14:27, Andy Lemin a...@brandwatch.com wrote:

 Haha, Oops! thanks Doug..

 Here it is instead..

 http://s12.postimg.org/i4pggq465/Open_BSDPFPacket_Flow.jpg

 Cheers, Andy.


 On 23 Jun 2015, at 14:13, Doug Hogan d...@acyclic.org wrote:

 On Tue, Jun 23, 2015 at 11:56:17AM +0100, Andy Lemin wrote:
 I was updating an old copy of the PF flow diagram I had lying around and
 thought I'd post here quickly for comments / additions / corrections?

 Would be nice to update this and make it comprehensive as possible.

 [demime 1.01d removed an attachment of type application/pdf which had a
name of OpenBSDPFPacketFlow.pdf]
 [demime 1.01d removed an attachment of type image/jpeg which had a name of
OpenBSDPFPacketFlow.jpeg]

 The attachments were stripped when sent to the list.



Re: PF Packet Flow Diagram

2015-06-23 Thread Andy Lemin
Haha, Oops! thanks Doug..

Here it is instead..

http://s12.postimg.org/i4pggq465/Open_BSDPFPacket_Flow.jpg

Cheers, Andy.


 On 23 Jun 2015, at 14:13, Doug Hogan d...@acyclic.org wrote:

 On Tue, Jun 23, 2015 at 11:56:17AM +0100, Andy Lemin wrote:
 I was updating an old copy of the PF flow diagram I had lying around and
 thought I'd post here quickly for comments / additions / corrections?

 Would be nice to update this and make it comprehensive as possible.

 [demime 1.01d removed an attachment of type application/pdf which had a
name of OpenBSDPFPacketFlow.pdf]
 [demime 1.01d removed an attachment of type image/jpeg which had a name of
OpenBSDPFPacketFlow.jpeg]

 The attachments were stripped when sent to the list.



Re: HA / load balancing / fail-over using CARP

2015-06-23 Thread Andy Lemin
Hi, You can already do active-active CARP with OpenBSD. I believe it hashes by
the MAC address (the MAC hash dictates which firewall responds to an ARP for
the gateway IP).

However you may have issues with states and state synchronisation depending on
the pps and firewall hardware performance, meaning you might be forced to
enable sloppy states, or at the very least enable defer on pfsync. But
allowing sloppy states is bad as it throws away a significant proportion of
OpenBSD's awesome TCP security.

In short, it is *much* better to buy hardware where each firewall on its own
is able to handle the full load, and run in active-backup mode.
Generally speaking, I've always found the layer 2 high availability provided
by CARP to be rock solid, and if you want to do full stateful firewalling,
this is your only sensible choice.

If you have no need for full stateful firewalling then you can do
active-active at layer 3 using OSPF etc for the HA, and enable defer and
sloppy and you're all done.
It depends on what network feeds you are connected to and what your
requirements are.

http://www.openbsd.org/papers/pfsync_v5.pdf

NB; We run Transtec servers which are just custom built Supermicro servers with
a 3.5GHz E5-2609v2 CPU (with only two cores enabled and Turbo Plus enabled
giving us two 3.7GHz cores).
The highest I have seen these do with 10gig NICs is almost 1Mpps with PF
enabled.

So there is little excuse for people to complain about OpenBSD PF performance
unless you are talking about higher than 10gig networking.

But with all the work the devs are doing at the moment freeing up parts of the
kernel from the BIG LOCK
(http://quigon.bsws.de/papers/2015/asiabsdcon-openbsdupdate/), it won't be
much longer before the Network stack goes MP too (it is happening but it's not
trivial). After which discussions on throughput and performance really do
become a moot point, and instead we'll start seeing big enterprises start
using OpenBSD and pushing for things like an Openflow agent ;)

So in short, stay active-backup, and sleep better :)

Hope this helps.
Cheers, Andy.

Just for fun; https://events.yandex.com/events/ruBSD/2013/talks/104/



 On 22 Jun 2015, at 09:08, Romain FABBRI romain.fab...@alienconsulting.net
wrote:

 Not sure you really want to do that but you could achieve some IP or MAC
Load Balancing using this kind of setup :
http://www.kernel-panic.it/openbsd/carp/carp4.html

 -Original Message-
 From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of
Aviolat Romain
 Sent: Monday 22 June 2015 09:40
 To: 'misc@openbsd.org' (misc@openbsd.org)
 Subject: HA / load balancing / fail-over using CARP

 Dear OpenBSD community,

 I'll deploy a new redundant firewalls setup in few weeks (waiting for the
hardware...). It'll be composed of two 1U supermicro servers and few
additional 10GbE nics.

 The idea was to use CARP + pfsync as the fail-over mechanism.

 I already deployed that few time in the past, and we're pretty happy with
this setup; maintenance is easy and the setup is rock solid.

 The only disadvantage IMHO is that there is no way to achieve load balancing
between the members of the CARP cluster, one machine is always working while
the other is idle. I could define some VLANs on top of CARP interfaces to be
MASTER on routerA and some on routerB but still it's not real load balancing.

 So before making the same setup again I wanted to have your input about
that, maybe I'm not aware of other ways to achieve HA/load-balancing using
OpenBSD ?

 Thanks for your help !

 Romain Aviolat
 Senior System Administrator - RD and ops Infrastructure Kudelski Security -
Kudelski Group rte de Genève 22-24, 1033 Cheseaux, SWITZERLAND
 +41 21 732 03 79



Re: HA / load balancing / fail-over using CARP

2015-06-23 Thread Andy Lemin
Hi,

 On 23 Jun 2015, at 10:50, Aviolat Romain romain.avio...@nagra.com wrote:

 Hi Andy,

 Thanks for your detailed answer.

 Yes we are doing statefull firewalling and we want to keep it like that, we
of course plan to have servers that are able to take the full load in case of
failure of the other.

 We don’t have yet requirements to go higher than the actual 1Mpps limit
(around 500Mbit/s for standard web traffic), but we would be pleased to have
MP supported on the Network stack !

There is no hardcoded limit, it is purely down to the single core CPU
performance and packet size that dictates the achievable throughput.
We would have enabled only one core if it weren't for the fact that we're
running so many daemons too. OpenBSD is pretty sensible when it comes to
scheduling user land stuff and so daemons rarely get in the way of your PF
busy core.


 I’ll follow your advice and stay in active-backup mode for now.

Doesn't mean you shouldn't try active-active out (in a lab)..
But if you're only talking 500mbps, stick with steady and stable ;)


 Romain

 From: Andy Lemin [mailto:a...@brandwatch.com]
 Sent: Tuesday 23 June 2015 11:25
 To: Romain FABBRI
 Cc: Aviolat Romain; 'misc@openbsd.org' (misc@openbsd.org)
 Subject: Re: HA / load balancing / fail-over using CARP

 Hi, You can already do active-active CARP with OpenBSD. I believe it hashes
by the MAC address (the MAC hash dictates which firewall responds to an ARP
for the gateway IP).

 However you may have issues with states and state synchronisation depending
on the pps and firewall hardware performance, meaning you might be forced to
enable sloppy states, or at the very least enable defer on pfsync. But
allowing sloppy states is bad as it throws away a significant proportion of
OpenBSD's awesome TCP security.

 In short, it is *much* better to buy hardware where each firewall on its own
is able to handle the full load, and run in active-backup mode.
 Generally speaking, I've always found the layer 2 high availability provided
by CARP to be rock solid, and if you want to do full stateful firewalling,
this is your only sensible choice.

 If you have no need for full stateful firewalling then you can do
active-active at layer 3 using OSPF etc for the HA, and enable defer and
sloppy and you're all done.
 It depends on what network feeds you are connected to and what your
requirements are.

 http://www.openbsd.org/papers/pfsync_v5.pdf

 NB; We run Transtec servers which are just custom built Supermicro servers
with a 3.5GHz E5-2609v2 CPU (with only two cores enabled and Turbo Plus
enabled giving us two 3.7GHz cores).
 The highest I have seen these do with 10gig NICs is almost 1Mpps with PF
enabled.

 So there is little excuse for people to complain about OpenBSD PF
performance unless you are talking about higher than 10gig networking.

 But with all the work the devs are doing at the moment freeing up parts of
the kernel from the BIG LOCK
(http://quigon.bsws.de/papers/2015/asiabsdcon-openbsdupdate/), it won't be
much longer before the Network stack goes MP too (it is happening but it's not
trivial). After which discussions on throughput and performance really do
become a moot point, and instead we'll start seeing big enterprises start
using OpenBSD and pushing for things like an Openflow agent ;)

 So in short, stay active-backup, and sleep better :)

 Hope this helps.
 Cheers, Andy.

 Just for fun; https://events.yandex.com/events/ruBSD/2013/talks/104/



 On 22 Jun 2015, at 09:08, Romain FABBRI romain.fab...@alienconsulting.net
wrote:

 Not sure you really want to do that but you could achieve some IP or MAC
Load Balancing using this kind of setup :
http://www.kernel-panic.it/openbsd/carp/carp4.html

 -Original Message-
 From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of
Aviolat Romain
 Sent: Monday 22 June 2015 09:40
 To: 'misc@openbsd.org' (misc@openbsd.org)
 Subject: HA / load balancing / fail-over using CARP

 Dear OpenBSD community,

 I'll deploy a new redundant firewalls setup in few weeks (waiting for the
hardware...). It'll be composed of two 1U supermicro servers and few
additional 10GbE nics.

 The idea was to use CARP + pfsync as the fail-over mechanism.

 I already deployed that few time in the past, and we're pretty happy with
this setup; maintenance is easy and the setup is rock solid.

 The only disadvantage IMHO is that there is no way to achieve load balancing
between the members of the CARP cluster, one machine is always working while
the other is idle. I could define some VLANs on top of CARP interfaces to be
MASTER on routerA and some on routerB

PF Packet Flow Diagram

2015-06-23 Thread Andy Lemin
Hi,

I was updating an old copy of the PF flow diagram I had lying around and
thought I'd post here quickly for comments / additions / corrections?

Would be nice to update this and make it comprehensive as possible.

[demime 1.01d removed an attachment of type application/pdf which had a name of 
OpenBSDPFPacketFlow.pdf]

[demime 1.01d removed an attachment of type image/jpeg which had a name of 
OpenBSDPFPacketFlow.jpeg]



Re: missing snmp OID's

2015-04-24 Thread Andy Lemin
Hi Stuart,

Thanks for this. However I think I'm still missing something.. Sorry ;)

On 24 Apr 2015, at 00:37, Stuart Henderson s...@spacehopper.org wrote:

 On 2015-04-23, andy a...@brandwatch.com wrote:
 Hi,

 This should be a simple one ;)

 I have configured and started snmpd, and then used snmpwalk (snmpwalk
 -v2c -c public 127.0.0.1:161 .) to walk the oid tree, and the only branch
 I see is OPENBSD-PF-MIB. Tested on 5.6.

 I don't seem to see any output for OPENBSD-BASE-MIB.txt,
 OPENBSD-CARP-MIB.txt, OPENBSD-MEM-MIB.txt, OPENBSD-RELAYD-MIB (pending
 5.7), and OPENBSD-SENSORS-MIB.txt.

 What do we need to do to enable these? Or is snmpwalk just missing them?
 I'm being dumb?

 Cheers, Andy.


 You need to start the walk from a suitable location. If no OID argument
 is present, snmpwalk will search the subtree rooted at SNMPv2-SMI::mib-2
 (including any MIB object values from other MIB modules, that are
 defined as lying within this subtree).

 The following examples assume that you have the OpenBSD MIBs loaded (these
 are setup by default in the net-snmp package, but you'll need to add them
 yourself if querying from another OS).

 $ snmpwalk -v2c -c public localhost SNMPv2-MIB::sysORID
 SNMPv2-MIB::sysORID.1 = OID: SNMPv2-SMI::mib-2
 SNMPv2-MIB::sysORID.2 = OID: IP-MIB::ip
 SNMPv2-MIB::sysORID.3 = OID: IP-FORWARD-MIB::ipForward
 SNMPv2-MIB::sysORID.4 = OID: SNMPv2-MIB::snmp
 SNMPv2-MIB::sysORID.5 = OID: BRIDGE-MIB::dot1dBridge
 SNMPv2-MIB::sysORID.6 = OID: HOST-RESOURCES-MIB::host
 SNMPv2-MIB::sysORID.7 = OID: IF-MIB::ifMIB
 SNMPv2-MIB::sysORID.8 = OID: SNMPv2-SMI::enterprises.2021.13.15
 SNMPv2-MIB::sysORID.9 = OID: OPENBSD-BASE-MIB::pfMIBObjects
 SNMPv2-MIB::sysORID.10 = OID: OPENBSD-BASE-MIB::sensorsMIBObjects
 SNMPv2-MIB::sysORID.11 = OID: OPENBSD-BASE-MIB::memMIBObjects
 SNMPv2-MIB::sysORID.12 = OID: OPENBSD-BASE-MIB::carpMIBObjects
 SNMPv2-MIB::sysORID.13 = OID: SNMPv2-SMI::snmpModules.10.2.1
 SNMPv2-MIB::sysORID.14 = OID: SNMPv2-SMI::snmpModules.15.1.1

So SNMPv2-MIB::sysORID shows me all of the OID roots the system offers :)

[LIVE]root@ar1301:/usr/local/share/snmp/mibs# snmpwalk -v2c -c public
127.0.0.1:161 SNMPv2-MIB::sysORID
SNMPv2-MIB::sysORID.1 = OID: SNMPv2-SMI::mib-2
SNMPv2-MIB::sysORID.2 = OID: IP-MIB::ip
SNMPv2-MIB::sysORID.3 = OID: IP-FORWARD-MIB::ipForward
SNMPv2-MIB::sysORID.4 = OID: SNMPv2-MIB::snmp
SNMPv2-MIB::sysORID.5 = OID: BRIDGE-MIB::dot1dBridge
SNMPv2-MIB::sysORID.6 = OID: HOST-RESOURCES-MIB::host
SNMPv2-MIB::sysORID.7 = OID: IF-MIB::ifMIB
SNMPv2-MIB::sysORID.8 = OID: SNMPv2-SMI::enterprises.2021.13.15
SNMPv2-MIB::sysORID.9 = OID: OPENBSD-BASE-MIB::pfMIBObjects
SNMPv2-MIB::sysORID.10 = OID: OPENBSD-BASE-MIB::sensorsMIBObjects
SNMPv2-MIB::sysORID.11 = OID: OPENBSD-BASE-MIB::memMIBObjects
SNMPv2-MIB::sysORID.12 = OID: OPENBSD-BASE-MIB::carpMIBObjects
SNMPv2-MIB::sysORID.13 = OID: SNMPv2-SMI::snmpModules.10.2.1
SNMPv2-MIB::sysORID.14 = OID: SNMPv2-SMI::snmpModules.15.1.1

 $ snmpwalk -v2c -c public localhost OPENBSD-BASE-MIB::carpMIBObjects
 OPENBSD-CARP-MIB::carpAllow.0 = INTEGER: true(1)
 OPENBSD-CARP-MIB::carpPreempt.0 = INTEGER: 0
 OPENBSD-CARP-MIB::carpLog.0 = INTEGER: false(2)
 OPENBSD-CARP-MIB::carpIfNumber.0 = INTEGER: 0
 OPENBSD-CARP-MIB::carpIpPktsRecv.0 = Counter64: 0
 OPENBSD-CARP-MIB::carpIp6PktsRecv.0 = Counter64: 0
 OPENBSD-CARP-MIB::carpPktDiscardsForBadInterface.0 = Counter64: 0
 OPENBSD-CARP-MIB::carpPktDiscardsForWrongTtl.0 = Counter64: 0
 OPENBSD-CARP-MIB::carpPktShorterThanHeader.0 = Counter64: 0
 OPENBSD-CARP-MIB::carpPktDiscardsForBadChecksum.0 = Counter64: 0
 OPENBSD-CARP-MIB::carpPktDiscardsForBadVersion.0 = Counter64: 0
 OPENBSD-CARP-MIB::carpPktDiscardsForTooShort.0 = Counter64: 0
 OPENBSD-CARP-MIB::carpPktDiscardsForBadAuth.0 = Counter64: 0
 OPENBSD-CARP-MIB::carpPktDiscardsForBadVhid.0 = Counter64: 0
 OPENBSD-CARP-MIB::carpPktDiscardsForBadAddressList.0 = Counter64: 0
 OPENBSD-CARP-MIB::carpIpPktsSent.0 = Counter64: 0
 OPENBSD-CARP-MIB::carpIp6PktsSent.0 = Counter64: 0
 OPENBSD-CARP-MIB::carpNoMemory.0 = Counter64: 0
 OPENBSD-CARP-MIB::carpTransitionsToMaster.0 = Counter64: 0

 You can use iso.org.dod.internet.private.enterprises.openBSD to show all of
 the vendor OIDs. And you can use snmpctl rather than Net-SNMP; e.g.

I tried this, but I don't see all of the OIDs, I only see OPENBSD-PF-MIB at
iso.org.dod.internet.private.enterprises.openBSD;

[LIVE]root@ar1301:/usr/local/share/snmp/mibs# snmpctl walk 127.0.0.1 oid
iso.org.dod.internet.private.enterprises.openBSD | wc -l
1289
[LIVE]root@ar1301:/usr/local/share/snmp/mibs# snmpwalk -v2c -c public
127.0.0.1:161 OPENBSD-PF-MIB::pfMIBObjects | wc -l
1290
[LIVE]root@ar1301:/usr/local/share/snmp/mibs# snmpwalk -v2c -c public
127.0.0.1:161 .1.3.6.1.4.1.30155 | wc -l
1290

The output from these 3 commands is the same (i.e. only the PF-MIB).

Is there a single command that will show/walk every single OID and value snmpd
provides?


 $ snmpctl walk sym oid
