Re: PC Engines APU platform EOL

2023-05-08 Thread infoomatic

Is anyone aware of such a nice little device with low power consumption
and ECC memory? The alternatives mentioned so far just offer normal RAM
options...



Re: BSD and kubernetes

2023-03-04 Thread infoomatic

Kubernetes' philosophy quite contradicts OpenBSD's. Also, Kubernetes
builds upon Linux technologies. Porting that stuff alone to OpenBSD
would mean a great deal of work, and again does not really fit the OpenBSD
developers' ideas. The resources of OpenBSD are just a tiny fraction of
those of Kubernetes alone, so in my opinion, and probably in theirs also,
they should keep doing what they have done for a long time and what they
are good at: focus on OpenBSD's development (and of course their other
projects!). The good part: anyone interested in that could just grab the
source and start hacking together Kubernetes for OpenBSD, though that
work is probably overwhelming.

Being a heavy Kubernetes user myself, I would not choose OpenBSD in order
to run Kubernetes, because I choose OpenBSD for different
reasons/requirements. What's the sense of simply putting tremendous
effort into copying a solution that is already out there? No one wants
OpenBSD to become a Linux clone; it would be wasted energy. A metaphor:
while both systems are a kind of mobile housing, I do not want my
lightweight trekking tent to become a Mongolian yurt overnight.


On 03.03.23 19:33, Ken Young wrote:

Hello,

I am a BSD user and also a user of kubernetes.
It seems the BSD community has not much interest in docker/k8s integration.
Is it true? and why?

Thanks.




Re: IKEV2 two devices can connect but only one can make traffic

2022-04-13 Thread infoomatic

On 12.04.22 15:26, Łukasz Moskała wrote:

I remember talking with a network engineer at one company I used to work at.
We used Fortigate firewalls, and I asked why we were using SSLVPN instead of 
an ipsec-based VPN, as both were supported.

He said something along the lines of "ipsec does not work when there are two devices 
connecting from the same IP so this would be issue for us when two admins were on the 
same public wifi, or lived together"



I could not resolve this issue myself at around the release of OpenBSD
6.0; I had to use one public external IPv4 address per client connecting
to an IPsec endpoint, and when our pool of addresses was depleted we
unfortunately were forced to use #commercialfirewall.




Re: OpenBSD benchmarks

2022-04-04 Thread infoomatic

imho benchmarking only makes sense for your scenario, so I recommend
benchmarking the ruleset you intend to use on that device.

Also: what are you benchmarking against, and what is your setup (nat,
bridge etc.)?


On 04.04.22 21:50, Nicolas Goy wrote:

Hello,

I'd like to make some 10gbit/s benchmarks for an OpenBSD based router.

I was wondering if there was some "standard" pf ruleset I could use to
have a meaningful metric.

Also, I'm curious if anybody is aware of such existing benchmarks.

Regards





Re: Question about cryptography software compatibility on OpenBSD

2021-10-15 Thread infoomatic

I agree with Janne. Almost always it is more of a compliance topic than
a technical topic.

I did work for  where we provided crypto/digital signature
stuff to government and institutions I won't name, and e.g. the
constraint for choosing an operating system for a platform was almost
always certification, e.g. at least EAL4 ... certified hardware to
certified software, everything in a chain. So if you are ready to take a
bunch of cash, approach a hardware manufacturer and a certification
authority and get your whole platform certified, then you can sell it to
big corps and govs - that's sad, but it's the way you have to go.

Good luck!


On 15.10.21 11:14, Janne Johansson wrote:

On Fri, 15 Oct 2021 at 11:01, soko.tica wrote:

Hello list,
I have a question about cryptography software compatibility on OpenBSD.
I have a wild guess about the answer, but I need it to be more reliable.
The target audience are lawyers, since I want to launch a legal battle in

Then you need lawyer-speak, not answers from technical people.
Those two overlap very little.


My wild guess is as follows:
1) OpenBSD includes cryptography capabilities/software in its kernel.

yes, some.


2) Most other operating systems had not included cryptography
capabilities/software in its kernel.

Depends on when "had" is in time. Nowadays, they probably all do.


3) Providers of public digital signatures offer software (a
one-size-fits-all Java “blob”) that should add cryptography capabilities to
the operating system.

No, they don't add it to the OS, they expose crypto functionality to
other programs. Big difference.

I know of no OS that would reach out to java in order to get crypto
inside the kernel, and if it's not in the kernel, then any other
random program would not necessarily pick up that there is a bad/evil
blob installed somewhere that gives you poor crypto unless it actively
looks for it, so just by adding java-crypto-something in a folder it
might not be used by anything else that doesn't specifically ask for
exactly this.


4) OpenBSD doesn’t allow such technically inferior software to meddle with
its superior cryptography capabilities included in kernel.

Value added statement, and mostly irrelevant to court cases I guess.


5) The proper technical solution would be that providers of public digital
signatures offer digital signatures adjusted to OpenBSD technical
solutions, including offering software not being under the minimal
cryptography standards of OpenBSD. (A side note, hash function of all
offered public digital signatures in Serbia are SHA-1.)
Am I somewhere wrong in my wild guess?

Yes, you are assuming too much in the last part.

It is not impossible for other OSes to have
better, faster, more-formally-verified, more-legal-where-I-am-located
crypto routines in their OSes which might be a preferred solution
somewhere.
While openbsd has the crypto it requires for its needs, those needs
are not guaranteed to (always) overlap with all the other requirements
that are set in different places around the world. One example could
be russian computers wanting certain algorithms like GOST in various
forms, or US computers needing FIPS-140 validation even if that in
certain cases lowers the overall security (hard to get fixes and
patches into such a setup).





Re: Large Filesystem

2020-11-28 Thread infoomatic
On 28.11.20 05:51, Nick Holland wrote:
> I've heard that from a lot of people.
> And yet, those same people, when pressed, will tell you that a ZFS-equipped
> system will crash much more often than simpler file systems.  That's one
> heck of a real penalty to pay for a theoretical advantage.
>
> I've setup some cool stuff using ZFS (dynamically sized partitions,
> snapshots, zfs sends of snapshots to other machines, etc), but man, I
> spent a comical amount of time babysitting and fixing file system
> problems.  The 1980s are over, file systems should Just Work now.
> If you are babysitting them constantly, something ain't right.  If
> someone wants to add a ZFS-like "scrubbing" feature to ffs, I'd be all
> for it. But not for the penalties that come with ZFS.

No idea what you did, but I have never had problems on ZFS (in ~10
years, 250 servers, a few PB of storage) with Solaris and FreeBSD; Linux, yes.

Other than that I can just highly recommend reconsidering ZFS; my
experience was: bit rot on modern high-density disks _is_ a problem.
Sorry for the off-topic.



Re: How many IPs can I block before taking a performance hit?

2020-08-12 Thread infoomatic
We have ~30,000 entries in our table blocking networks and
single IP addresses; all in all, at the moment exactly 169,471,974 hosts
are being blocked. No idea what your criterion is for "performance impact",
but we have no issues.


On 12.08.20 14:11, Alan McKay wrote:
> Hey folks,
>
> This is one that is difficult to test in a test environment.
>
> I've got OpenBSD 6.5 on a relatively new pair of servers each with 8G RAM.
>
> With some scripting I'm looking at feeding block IPs to the firewalls
> to block bad-guys in near real time, but in theory if we got attacked
> by a bot net or something like that, it could result in a few thousand
> IPs being blocked.  Possibly even 10s of thousands.
>
> Are there any real-world data out there on how big of a block list we
> can handle without impacting performance?
>
> We're doing the standard /etc/blacklist to load a table and then have
> a block on the table right at the top of the ruleset.
>
> thanks,
> -Alan
>
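
The blocklist setup both posters describe, written out as an added example
rather than anything taken from the thread: a persistent table loaded from
a file, a block rule ahead of everything else, and the pfctl commands for
changing the table at run time without reloading the rule set. The table
name, the file path and the addresses (203.0.113.0/24 is reserved
documentation space) are assumptions.

```pf
# Added example, not from the original posts. Table name, file path and the
# addresses are assumptions; 203.0.113.0/24 is reserved documentation space.

# One entry per line in /etc/blacklist, host or CIDR, "#" comments allowed.
# "persist" keeps the table alive even while no rule references it, so it
# can be emptied and refilled without a rule set reload.
table <blocklist> persist file "/etc/blacklist"

# First rule, "quick": a packet from a listed source is dropped here and no
# later rule is evaluated. Only inbound packets are matched, so connections
# initiated from inside towards a listed address still work (replies are
# matched against the state table before any rule is consulted). Add a
# second rule with "to <blocklist>" if those should be blocked as well.
block drop in log quick from <blocklist> to any

# ... the rest of the rule set follows ...
block log all
pass out quick inet keep state

# Run-time management; the rule set is not reloaded, so existing states are
# untouched. A table lookup is a radix-tree match, so a 30,000-entry table
# costs about the same per packet as a 300-entry one:
#   pfctl -t blocklist -T add 203.0.113.0/24          # add a network
#   pfctl -t blocklist -T delete 203.0.113.7          # remove a host
#   pfctl -t blocklist -T replace -f /etc/blacklist   # swap in the whole file in one transaction
#   pfctl -t blocklist -T test 203.0.113.7            # is this host covered by an entry?
#   pfctl -t blocklist -T show | wc -l                # entries currently loaded
# A freshly added address does not affect states that already exist; kill
# them explicitly when blocking an attacker that is mid-connection:
#   pfctl -k 203.0.113.7
```

The check a practitioner wants before relying on this is `pfctl -T test`
against a few addresses that are supposed to be covered by a network entry,
plus `pfctl -vsr` to confirm the block rule's counters increase when a listed
host is probed.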



Re: A concerning commit which breaks compatibility

2020-07-23 Thread infoomatic
This is probably due to the recent social discussion about the Black
Lives Matter movement. Engineers around the world show their support for
this movement against racism by various measures, e.g. adjusting their
code of conduct/rules etc. In many cases, "blacklist" should not relate
to something negative/weak/bad because this could lead to conscious or
unconscious negative behaviour against people of different skin tones.


On 23.07.20 23:54, goldeneagle96 wrote:
> Hello OpenBSD devs. It has come to my attention that a mysterious commit
> , unlogged by CVS, has appeared. This commit changes language, breaking
> compatibility on header and source files.
> Thankfully, it was logged by the Github mirror.
> The commit's author is the Github username "djmdjm", and the one who
> okayed it was "markus@".
> Please, I ask of you and specially of Theo to look at this strange
> commit, and decide what to do about it.
> Its link is 
> https://github.com/openbsd/src/commit/5bde2954c180034a27b079acaff46073dc75139b
> cc @misc @tech



Re: HD OpenBSD Artwork

2020-07-16 Thread infoomatic
That's awesome! Thanks!


On 16.07.20 15:43, Ben Jahmine wrote:
>> Is there somewhere to get higher resolution OpenBSD artwork?
>>
>> I see the stuff on the website,  and it's great,  but on my 8k screen it's
>> kind of like a postage stamp in the middle.
>>
>> Do higher Res copies exist somewhere?  Can they be made available?
> Scale to your needs.
>
> Cheers
>
> Ben



Re: how to mount phone?

2020-07-14 Thread infoomatic
Also: you can use the app termux if you want some nice terminal programs
... I rsync all my files from my phone to my computer.


On 14.07.20 13:11, Abel Abraham Camarillo Ojeda wrote:
> On Tue, Jul 14, 2020 at 5:07 AM Jan Stary  wrote:
>
>> On Jul 13 14:39:35, justinkm...@gmail.com wrote:
>>> Just wishing to mount my phone to access photos.
>>> Here's the output from dmesg:
>>> ugen0 at uhub0 port 3 "Alcatel U50? Alcatel U50?" rev 2.00/3.10 addr 2
>>> Any ideas on how this might be mounted??
>> I believe phone OSes go out of their way to _not_ expose
>> the storage as an umass. You need a dedicated app to do
>> things as fundamental as copying a file.
>>
>>
> I think you can use adb (in packages) to copy more "easily"
> (without installing third-party apps on phone):
>
> https://developer.android.com/studio/command-line/adb#copyfiles



Re: How do I set up a Wi-Fi access point (using APU2)?

2020-06-05 Thread infoomatic
It seems you skipped the firewall part of the document you were
referring to; you need NAT for those connections.


On 05.06.20 18:50, Richard Ulmer wrote:
> Hi,
> I got myself an APU2E2 and am trying to set it up as a router. To learn
> how to do this I'm mostly following the "Building a Router" FAQ [1]. For
> simplicity's sake I'm only using em0 and athn0. This is my setup:
>
>                                         .-----------.
>   .----------.      .------------.      |   APU2    | ))) client1
>   | Internet | <--> | ISP-Router | <--> | em0 athn0 | ))) client2
>   `----------'      `------------'      `-----------'
>
> I want the clients, that are connected to athn0 to be able to access the
> internet, but it doesn't work. What works is this:
>
> 1. I can connect my laptop to athn0, ping the IP of athn0 and even the
>    IP of em0. Pinging the ISP-Router doesn't work.
> 2. If I connect my laptop to the ISP-Router, I can ping em0.
> 3. When I am on the router (via ssh or COM-Port) I can ping em0, athn0,
>    the ISP-Router, openbsd.org, ...
>
> So what I can't figure out is why I can't ping the ISP-Router and
> servers on the internet, when I'm connected to athn0. My APU2 setup is:
>
> $ sysctl net.inet.ip.forwarding
> net.inet.ip.forwarding=1
> $ cat /etc/mygate
> # This is the ISP-Router:
> 192.168.178.1
> $ cat /etc/hostname.em0
> inet 192.168.178.2 255.255.255.0 192.168.178.255
> up
> $ cat /etc/hostname.athn0
> media autoselect mode 11n mediaopt hostap chan 36
> nwid  wpakey 
> inet 192.168.3.1 255.255.255.0
> $ cat /etc/pf.conf
> pass in log (all)
> $ cat /etc/rc.conf.local
> dhcpd_flags=athn0
> $ cat /etc/dhcpd.conf
> subnet 192.168.3.0 netmask 255.255.255.0 {
> option routers 192.168.3.1;
> option domain-name-servers 192.168.178.1;
> range 192.168.3.20 192.168.3.100;
> }
>
> I'm an absolute noob when it comes to network configuration, so the
> problem is probably something really stupid, but I can't figure it out.
> I'll appreciate any hint!
>
> Greetings,
> Richard Ulmer
>
> [1] https://www.openbsd.org/faq/pf/example1.html
>
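
The NAT rule the reply above says is missing, as an added example (not the
FAQ's text and not from either poster): a minimal pf.conf for the setup
quoted above. em0, athn0 and the 192.168.3.0/24 network are taken from the
post; everything else (the default-deny policy, the ssh rule) is an
assumption about a sensible starting point.

```pf
# Added example, not from the FAQ or the original post. Interface names and
# the WLAN network come from the quoted setup; the rest is an assumption.
ext_if  = "em0"     # towards the ISP router, 192.168.178.2
wlan_if = "athn0"   # hostap side, 192.168.3.1/24

set skip on lo

# This is the part that was missing: translate traffic leaving em0 from the
# WLAN to em0's own address. Without it the ISP router receives packets from
# 192.168.3.x, has no route back to that network, and the replies never
# return. That is consistent with the symptoms in the post: clients reach
# em0 (directly connected) but not the ISP router, while the APU itself,
# which sends from 192.168.178.2, reaches everything.
match out on $ext_if inet from $wlan_if:network to any nat-to ($ext_if:0)

# Default deny, logged, so anything unexpected shows up on pflog0.
block log all

# The router, and anything forwarded through it, may go out.
pass out quick inet

# WLAN clients may talk to the router (DHCP, ICMP) and through it.
pass in on $wlan_if inet

# Management only from the wired side; the post's "pass in log (all)" also
# accepted ssh logins from the WLAN.
pass in on $ext_if inet proto tcp from $ext_if:network to ($ext_if) port ssh
```

Load it with `pfctl -nf /etc/pf.conf` first (syntax check only), then
`pfctl -f /etc/pf.conf`; `pfctl -ss` should then show states for WLAN clients
with em0's address as the translated source while a client browses.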



Re: Article OpenBSD: Not Free Not Fuctional and Definetly Not Secure and BSD, the truth blog

2020-05-28 Thread infoomatic
I just don't get it why some people put so much energy into bashing a
free product instead of just ignoring it if they really hate it. The
time would have been better spent on supporting/improving OpenBSD or
another project.


On 28.05.20 13:20, Ian Darwin wrote:
> On Thu, May 28, 2020 at 02:21:49PM +1000, Aaron Mason wrote:
>> On Thu, May 28, 2020 at 2:20 PM Quantum Robin  
>> wrote:
>>> While surfing on the Google to learn more about OpenBSD, I encountered this
>>> one: "OpenBSD: Not Free Not Fuctional and Definetly Not Secure (
>>> https://aboutthebsds.wordpress.com/2013/01/25/20/)
>>>
>>> Is the author telling the truth? Or just yet another anti-BSD thing?
>> If it has to tell you it's "the truth" in its title, it probably isn't.
> If it can't spell "Functional", it probably isn't.
>



Re: upgrade 6.6 -> 6.7

2020-05-20 Thread infoomatic
Hi,

Yes, of course! All systems are running amd64 with 768MB or 1GB RAM; I
used sysupgrade to upgrade.

The tool works, however, a short notice before rebooting would be nice.
The last thing I saw was upgrading the firmware, then the ssh-connection
stalled (system rebooted). After the upgrade I just thought: wow, that
was fast!

Linux/KVM was straightforward, "like on real hardware".

FreeBSD/bhyve virtualization technology basically uses 2 components: the
bootloader and the hypervisor.

It needs some manual steps (using bhyve-grub as bootloader):

*) sysupgrade -n, then shutdown

*) vm.conf usually has a line like 'grub_run0="kopenbsd -h com0 -r sd0a
/bsd"' - use /bsd.upgrade instead of /bsd - this can also be configured
in grub boot menu

*) Upgrade finishes and reboots again automatically, so in grub use /bsd
again. Using the vm.conf method you need to force the shutdown because
the system is trying to boot /bsd.upgrade again which of course
vanished. (so use /bsd in vm.conf again and start the vm)


So for manual upgrade editing the boot config in grub menu is simple, if
you do automated upgrades going via the vm.conf stuff might be preferable.


Regards,

infoomatic


On 19.05.20 21:25, Ottavio Caruso wrote:
> You might want to share how you did it. bsd.rd, sysupgrade, manual
> upgrade?



upgrade 6.6 -> 6.7

2020-05-19 Thread infoomatic
Hi,

just for info: Upgrading from 6.6 to 6.7 worked without flaws on my
OpenBSD VMs on Linux/KVM and FreeBSD/bhyve hypervisors! 6.7 feels faster
and snappier! Thanks to you all for your hard work!

Regards,

infoomatic



wireguard on i386

2020-05-06 Thread infoomatic
Hi,

I realized wireguard is not available as a binary package for i386. Since
this is my only 32-bit machine I would set up a 32-bit VM to build the
package. Is it possible to compile it from ports for 32-bit? (Or is the
missing package a sign that it's not available for 32-bit architectures?)

thanks,

infoomatic



Re: multihomed routing issue

2020-04-27 Thread infoomatic
what exactly are you trying to achieve, or: why not use azure firewall?


On 26.04.20 17:27, 4642 wrote:
> Hi, I have created an OpenBSD 6.6 VM in the Azure cloud that I plan to use as 
> a firewall. I had planned on using carp but I can't get it working in Azure, 
> so I think I can use an internal load balancer to achieve my aim of having 
> two redundant OBSD firewalls in Azure. The problem I have is that the Azure 
> Internal Load Balancer requires a health probe to work. So I create a load 
> balancer health probe and set it to the SSH service on my FW host and set it 
> to every 5 seconds. I can see the traffic on my FW but the health probe 
> doesn't work and I think it's because the traffic from the Azure discovery IP 
> "168.63.129.16" that is doing the probe is coming from within the Azure 
> network, hitting my internal NIC and then onto the ssh service? and then 
> finally leaving but on the external interface.
>
> tcpdump -n -e -ttt -i pflog0  -v
> tcpdump: WARNING: snaplen raised from 116 to 160
> tcpdump: listening on pflog0, link-type PFLOG
> Apr 26 15:59:30.082436 rule 1/(match) [uid 0, pid 44293] block out on hvn0: 
> [orig src 10.x.x.36:22, dst 168.63.129.16:54762] 10.x.x.4.65324 > 
> 168.63.129.16.54762: S [bad tcp cksum 9d0b! -> 9e14] 252441079:252441079(0) 
> ack 3958895254 win 16384  (DF) (ttl 64, 
> id 2960, len 52, bad ip cksum 0! -> 52f0)
>
> Rule 1 = block log all
> 168.63.129.16 = Azure Discovery Address
> 10.x.x.4  = My External IP on hvn0
> 10.x.x.36 = My Internal IP on hvn1
>
> I tried changing the state rules to allow the traffic out on the external 
> interface and I thought I had it working earlier today by changing 
> state-policy from if-bound to floating but I can't reproduce that again for 
> some reason...  anyway it didn't seem to work.
> I think I really just need to force the traffic back out the Internal 
> interface but I just don't know how to do that ?
>
> If anyone could help me it would be really appreciated.
> Thanks
>
> Keith



Re: Reduce attack surface - Tomcat and guacamole...

2020-04-14 Thread infoomatic
some questions do arise:

1.) is the device which you intend to use under your control?

2.) how would you like to access systems in your home network


As for me, I have a VPN service on my server so I can access all my
systems from a device I own when I am on the road. This saves me from
installing Java and the like ... even a plain ssh reverse tunnel can
solve lots of those issues.


On 14.04.20 22:40, Steve Williams wrote:
> Hi,
>
> For an R project, I am trying to get guacamole working to be able to
> access systems on my home network remotely.
>
> Guacamole (I believe) needs to run under something like tomcat to
> serve up the java war file & application.
>
> I really don't want to have Tomcat exposed to the Internet without
> some kind of authentication in front of it.
>
> I was thinking of running Tomcat bound to localhost and using pf to
> redirect to it, but that doesn't add any security.
>
> So, I was thinking of using some form of authpf to open up pf rules
> when I needed to access systems remotely.
>
> But, I don't want to open up Tomcat to the world when I'm using
> guacamole, so is it possible to have authpf tweak pf rules so that the
> originating IP address of the ssh session would be the only one that
> could access Tomcat?
>
> Is there something better that could be done?
>
> I was thinking even httpd in front of tomcat with httpd
> authentication, but that doesn't seem to make sense to me at a high
> level.
>
> I was looking at relayd but it doesn't seen to have any authentication
> mechanism built in.
>
> Does anyone have some inspiration on how to provide a level of
> security before packets even hit Tomcat?
>
> Thanks,
> Steve Williams
>
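
Steve asks whether authpf can make the ssh session's source address the only
one allowed to reach Tomcat; the reply above prefers a VPN or an ssh tunnel,
but here is the authpf(8) variant as an added example (not from either
poster). The port numbers and the redirect to Tomcat bound on 127.0.0.1 are
assumptions; the $user_ip macro and the <authpf_users> table are what authpf
itself provides.

```pf
# Added example, not from the original posts. Ports are assumptions.
# Prerequisites outside pf: the user's login shell is /usr/sbin/authpf,
# /etc/authpf/authpf.conf exists (it may be empty), and Tomcat listens on
# 127.0.0.1:8080 only, so nothing reaches it except through the redirect.

# ---- /etc/pf.conf ----
set skip on lo
table <authpf_users> persist    # authpf adds the client IP on login, removes it on logout
block log all
pass out quick inet keep state

# Only the ssh login itself is reachable from anywhere.
pass in on egress inet proto tcp to (egress) port ssh

# Rules authpf loads for each live session appear in this anchor. While
# nobody is logged in the anchor is empty, so Tomcat is unreachable.
anchor "authpf/*"

# ---- /etc/authpf/authpf.rules ----
# Loaded by authpf into the user's own anchor for the lifetime of the ssh
# session; $user_ip is replaced with the address the session came from.
# Port 8443 is what the outside sees; it is redirected to Tomcat on
# localhost. Caveat: $user_ip is the address sshd saw, so if the admin sits
# behind a NAT, every host behind that NAT gets the same access.
pass in quick on egress inet proto tcp from $user_ip to (egress) port 8443 \
    rdr-to 127.0.0.1 port 8080
```

While a session is open, `pfctl -a 'authpf/*' -sr` shows the loaded rule and
`pfctl -t authpf_users -T show` the address it was loaded for; both should be
empty again after the ssh session ends.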



Re: openbsd.org down?

2020-04-13 Thread infoomatic
not reachable for days now in Austria, Germany, Czech Republic


On 13.04.20 11:01, SP2L Tom wrote:
> Greetings.
>
>
> It was and it is still up
> At least, I can reach OpenBSD site.
>
>
> Best regards.
> Tom
>
> On 13 April 2020 at 10:23:18, Sebastien Marie wrote:
>
>> On Mon, Apr 13, 2020 at 10:14:00AM +0300, Ilya Mitrukov wrote:
>>> Hi,
>>> flushing the caches doesn't help and it's still unavailable.
>>>
>>> Does anybody know where to report the issue?
>>> (I'd look at openbsd.org but ... )
>>
>> I suppose there is one or two openbsd developers which follow this
>> list. So they
>> might already know.
>>
>> Thanks.
>> --
>> Sebastien Marie
>
>
>



Re: Does Intel driver supports Intel g31?

2020-04-11 Thread infoomatic
I suggest you read the documentation instead of throwing one-line
questions at the mailing list.

The documentation is excellent, just look for the information you need.

https://man.openbsd.org/

https://openports.se/


On 11.04.20 15:58, Nikita Stepanov wrote:
> Does Intel driver supports Intel g31?



Re: Can openbsd run Linux binaries?

2020-04-11 Thread infoomatic
No. But a lot of the software you might know from Linux is available via
ports and packages.


On 11.04.20 11:57, Nikita Stepanov wrote:
> Can openbsd run Linux binaries?



Re: secure MTA (was: news from ...)

2020-04-09 Thread infoomatic


On 09.04.20 11:55, Rudolf Leitgeb wrote:
> As soon as your server does anything useful, it will
> present an attack vector to the outside world, and one needs to
> be aware of it.
>
Just to add to your argument: your server does not even have to do
anything ... the interface driver or just the tcp ip stack can also be
vulnerable. e.g. I hit the nasty bug in OpenBSD 6.0 where ipv6 router
advertisements did crash my freshly installed boxes remotely ... this
was one of those "WTF" moments when you stand in front of your racks and
see 4 kernel panics at the same time. And where there is such a bug,
there might be a possibility to inject a payload and execute stuff.



Re: Hosting a CDN question

2020-03-17 Thread infoomatic

varnish does not bring down the network latency if users are sitting on
the other end of the world...


On 17.03.20 08:48, Wayne Oliver wrote:

On 2020/03/16 12:26, Flipchan wrote:

Hey all,

My company needs to put up a CDN for fast hosting of javascript,
images and css for websites, and then I would need something faster
than httpd.


Does anyone here run a cdn for static website content?

If so, what software did you use to set it up?

have a good one
Sincerely
Filip



What about sticking a caching server/s in front of your httpd instance/s.
e.g. https://varnish-cache.org/





Re: do i need to configure mkinitcpio.conf for my md array ?

2020-01-16 Thread infoomatic

what do you want to achieve?

If you want to access the array from OpenBSD then I see no possibility
with this configuration.

If you want a dual-boot system I suggest you configure the 4-disk raid
in OpenBSD and in arch linux you could use a VM and use hardware
passthrough to access the data.


On 16.01.20 13:10, Shadrock Uhuru wrote:

I have just configured my 4-disk RAID 10 array with mdadm,
the filesystem is ext4, unencrypted,
and Arch is installed on a separate disk.
Do I need to reconfigure mkinitcpio.conf for my md array so that the
array is assembled and started at boot?
All the examples I've seen have Arch installed on the RAID array,
including the example in the wiki
https://wiki.archlinux.org/index.php/RAID
I have not rebooted with the new array yet, so I would like to make sure
everything necessary is configured before I do that.

shadrock





Re: OpenBSD's extremely poor network/disk performance?

2020-01-09 Thread infoomatic

just out of curiosity: did you do the FreeBSD test on ZFS with
compression enabled?


On 09.01.20 15:22, Hamd wrote:

Joe, are you a joke? Please stop insulting me, this is not
my/your_personal_fancy_forum.

This will be my last post here in misc.

Default setups, no config. changes.
Just patches installed.
Same hardware.

FreeBSD:
freebsd@test:~ # time sh -c "dd if=/dev/zero of=test.tmp bs=4k count=50000 && sync"
50000+0 records in
50000+0 records out
204800000 bytes transferred in 0.239590 secs (854792500 bytes/sec)
0.000u 0.195s 0:00.25 76.0% 22+198k 0+1568io 0pf+0w

Result: *854.79 MB/s disk speed*

freebsd@test:~ # uname -a
FreeBSD test.local 12.1-RELEASE-p1 FreeBSD 12.1-RELEASE-p1 GENERIC  amd64

OpenBSD:
test$ time sh -c "dd if=/dev/zero of=test.tmp bs=4k count=50000 && sync"
50000+0 records in
50000+0 records out
204800000 bytes transferred in 12.303 secs (16645247 bytes/sec)
    0m12.32s real     0m00.13s user     0m01.28s system

Result: *16.64 MB/s disk speed*

test$ uname -a
OpenBSD test.local 6.6 GENERIC#3 amd64

You all guys, please don't get me wrong in any way, I truly adore the
cleanness, stability and security of OpenBSD; the huge efforts of all the dev
team are really much appreciated!

I agree that when it comes to OpenBSD, of course, security comes FIRST. But in
2020, a speed of 16 megabytes per second... hurts the users. A lot.

I really wish I could contribute code somehow... *sighs*

Regards.




On Wed, 8 Jan 2020 at 18:29, Joe Greco wrote:


On Wed, Jan 08, 2020 at 05:57:37PM +0300, Hamd wrote:

Under less than 24 hours after my post, misc has received 2 or 3 brand
new questions/posts regarding slow*.

Well, in the case of my issue, I am reasonably certain that this isn't
an issue with LibreSSL.  I raised it as an issue of simply not knowing
how to get it to do what I need at the speeds it is clearly capable
of, on i386.  It works fine and at approximately OpenSSL speeds on
amd64.


The problem is, well, obviously not me, personally.

I beg to differ.

Your repurposing my question for your own ends in an attempt to
categorize it as an general OpenBSD performance issue is, in my
opinion, full of **it.

This is not helpful to those of us who are asking legitimate
questions of those who are more familiar with these projects.
I know I've made a dumb mistake of some sort and I was hoping
someone would point it out.

If you do not like the product, don't use it.  Or submit a patch
to fix it.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"The strain of anti-intellectualism has been a constant thread winding its way
through our political and cultural life, nurtured by the false notion that
democracy means that 'my ignorance is just as good as your
knowledge.'" - Asimov





Re: OpenBSD's extremely poor network/disk performance?

2020-01-07 Thread infoomatic

1.) OpenBSD never stated that ultimate performance is their goal, but
clean maintainable code is, and thus in case of a compromise the
developers will choose clean code over performance.

2.) to quote Brendan Gregg: "All benchmarks are wrong until proven
otherwise"

3.) It's 2020 and you quote a benchmark from 2018?

4.) The code is right there, you are invited to improve the situation.


On 07.01.20 15:35, Hamd wrote:


It's 2020 and it's -still- sad to see OpenBSD -still- has the
lowest/poorest (general/overall) performance ever:
https://www.phoronix.com/scan.php?page=article=8-linux-bsd=1

My reference is not -only- that url, of course. My reference is my OpenBSD,
giving ~8 MB/s file transfer/network/disk speed.

A Linux distro, on the same computer (dual boot), providing 89 MB/s speed.

(Longest) sad story of the year: When it comes to OpenBSD; security -
great! Performance - horrible! I truly wish it was much better..

No, I'm not a fan of Calomel.




Re: Traffic prioritization inside VPN

2020-01-02 Thread infoomatic

I can recommend using queues in pf ... very simple and effective.


https://man.openbsd.org/pf.conf#QUEUEING


On 02.01.20 15:12, radek wrote:

Hello,

I have the following scenario:
[box_rac][fw_rac] <--iked site-to-site--> [fw_krz]--[box_krz]

[box_rac] pulls (rsync) "big data" from [box_krz] through VPN.
I need to put this traffic to the total background, making way for any other 
packets going through VPN, NICs, from/to any other boxes on both sides.

I tried to do it by "catching" this traffic on [fw_rac]/[fw_krz] by specific 
rules [1] and setting the lowest priority for it.
Unfortunately it doesn't seem to work as expected. Bandwidth seems to be shared 
roughly equally with other traffic (tested with pushing data (netcat) through 
VPN in the same time).

I would appreciate your advice or any clues on what I have done wrong. Thank 
you.

[fw_rac] and [fw_krz] have analogous rulesets [2].

[1]
[fw_rac]:
pass out quick on enc0 from $box_rac to $box_krz set prio (0, 0) keep state

[fw_krz]:
pass out quick on enc0 from $box_krz to $box_rac set prio (0, 0) keep state

[2] pf.conf [fw_rac]:
ext_if  = "vr0"
lan_rac_if  = "vr2" #
lan_rac_local   = $lan_rac_if:network # 10.0.15.0/24
backup_if   = "vr3" #
backup_local= $backup_if:network # 10.0.115/24

box_rac = "10.0.115.151"
box_krz = "10.0.100.151"

set fingerprints "/dev/null"
set skip on { lo, enc0 }
set block-policy drop
set optimization normal
set ruleset-optimization basic
antispoof quick for {lo0, $lan_rac_if, $backup_if }
match out log on $ext_if inet proto { tcp, udp, icmp } from { $lan_rac_local, 
$backup_local } nat-to $ext_if set prio (3, 7)
block all
match out all scrub (no-df random-id)
pass out on egress keep state

pass out quick on enc0 from $box_rac to $box_krz set prio (0, 0) keep state
pass out quick on $ext_if from $box_rac to $box_krz set prio (0, 0) keep state

pass from { 10.0.201.0/24, $lan_rac_local, $backup_local } to any set prio (3, 
7) keep state

ssh_port= "1071"
table  const { $bud, $rdk_wy, $rdk_mon, $krz_wan, 10.0.2.0/24, 
10.0.15.0/24, 10.0.100.0/24 }
table  persist counters
block from 
pass in log quick inet proto tcp from  to $ext_if port $ssh_port 
flags S/SA \
 set prio (7, 7) keep state \
 (max-src-conn 15, max-src-conn-rate 2/10, overload  flush 
global)

icmp_types  = "{ echoreq, unreach }"
pass inet proto icmp all icmp-type $icmp_types \
 set prio (7, 7) keep state

table  const { $krz_wan }
pass out quick on egress proto esp from (egress:0) to
   set prio (6, 7) keep state
pass out quick on egress proto udp from (egress:0) to  port {500, 
4500} set prio (6, 7) keep state
pass  in quick on egress proto esp from  to (egress:0)   
   set prio (6, 7) keep state
pass  in quick on egress proto udp from  to (egress:0) port {500, 
4500} set prio (6, 7) keep state

pass in on egress proto udp from any to (egress:0) port {isakmp,ipsec-nat-t} 
set prio (6,7) keep state
pass in on egress proto {ah,esp} set prio (6,7) keep state
block return in on ! lo0 proto tcp to port 6000:6010
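
Queues as the reply recommends, written out as an added example (not radek's
rule set, and not from anyone else in the thread). "set prio" only changes
the order of packets that are already waiting on an interface; it neither
reserves nor caps bandwidth, so two busy flows keep sharing the link roughly
equally, which is what radek observed. A queue with a bandwidth limit is what
actually holds the rsync back. Link speed and queue sizes are assumptions;
vr0 and the two host macros are taken from the quoted pf.conf.

```pf
# Added example, not from the quoted rule set. Link speed and queue sizes
# are assumptions; vr0 and the two hosts are taken from radek's pf.conf.
ext_if  = "vr0"
box_rac = "10.0.115.151"
box_krz = "10.0.100.151"

# Root queue a little below the real uplink rate, so that pf, and not the
# ISP's device, is where packets wait; pf can only reorder what it holds.
queue uplink on $ext_if bandwidth 95M max 95M
    # Everything not assigned elsewhere. Exactly one child per interface
    # must be "default".
    queue std  parent uplink bandwidth 85M default
    # The rsync job: guaranteed 10M when the link is busy, never more than
    # 20M even when the link is idle. Use "max 10M" for a hard ceiling.
    queue bulk parent uplink bandwidth 10M max 20M

# The rule that assigns the flow. The quoted rule set has "set skip on enc0",
# which means no rule on enc0 is ever evaluated, so enc0 has to be removed
# from "set skip" before this rule can match anything. The queue itself is
# attached to vr0, where the encapsulated ESP packet leaves the box.
pass out on enc0 from $box_rac to $box_krz set queue bulk
```

Verify with `pfctl -vvsq` (or `systat queues`) while the rsync runs: the
bulk queue's packet and byte counters must increase. If they stay at zero,
the assignment made on the inner packet is not reaching vr0 and the flow
has to be matched at a different point, for instance on $ext_if by the ESP
peer address, which then shapes all tunnel traffic together.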






Re: off-topic

2019-12-30 Thread infoomatic

here is another version:

https://github.com/notqmail/notqmail

I switched to postfix long time ago, never looked back.


On 30.12.19 14:09, Gustavo Rios wrote:

Is qmail dead ?

Does anyone here use openbsd with qmail+ldap ?





Re: crash of OpenBSD 6.3 -stable (amd64 MP kernel) - unswapping kills connections

2018-05-02 Thread Infoomatic
That's good news, thanks Philip for the info! In the meantime I disabled
swap (as well as ntopng) on my firewalls - this is of course not needed
on a firewall and was just a left-over from the initial default install.

regards,
infoomatic

Sent: Friday, 27 April 2018 at 13:50
From: "Philip Guenther" <guent...@gmail.com>
To: Infoomatic <infooma...@gmx.at>
Cc: "OpenBSD Misc" <misc@openbsd.org>
Subject: Re: crash of OpenBSD 6.3 -stable (amd64 MP kernel) - unswapping
kills connections

On Thu, Apr 26, 2018 at 11:21 PM, Infoomatic <infooma...@gmx.at>
wrote:

  thanks for your input! Actually, I was never really satisfied with
  the stability of ntopng, so this problem of the memory leak does not
  really surprise me. However, when killing the process, which also
  means freeing swap space, I think it is not an expected behaviour
  that the system does not handle any tcp/ip or icmp connections any
  more until the swap space is fully freed (which, in my case when
  ntopng used 3 out of 4GB swap, lasted for nearly 20 minutes). IMHO,
  unswapping a process should not influence network connectivity that
  much.

You're correct that we don't want the clean up of an exiting process to
affect network processing.  The issue is that our UVM is still under the
kernel lock; work into using more fine-grained locking there has begun
but nothing has really hit the tree yet. Philip Guenther


Re: crash of OpenBSD 6.3 -stable (amd64 MP kernel) - unswapping kills connections

2018-04-26 Thread Infoomatic
Hi Stuart,

thanks for your input! Actually, I was never really satisfied with the 
stability of ntopng, so this problem of the memory leak does not really 
surprise me. However, when killing the process, which also means freeing swap 
space, I think it is not an expected behaviour that the system does not handle 
any tcp/ip or icmp connections any more until the swap space is fully freed 
(which, in my case when ntopng used 3 out of 4GB swap, lasted for nearly 20 
minutes). IMHO, unswapping a process should not influence network connectivity 
that much.

Regards,
infoomatic


> Sent: Thursday, 26 April 2018 at 16:10
> From: "Stuart Henderson" <s...@spacehopper.org>
> To: misc@openbsd.org
> Subject: Re: crash of OpenBSD 6.3 -stable (amd64 MP kernel) - unswapping 
> kills connections
>
> On 2018-04-26, Infoomatic <infooma...@gmx.at> wrote:
> > Hi,
> >
> > Today I discovered some interesting details: I guess ntopng has a memory 
> > leak, thus eating all my 4GB RAM and some 3GB swap - this appeared in the 
> > morning, so after all the backups and heavy traffic occurred.
> > When I fired up a rcctl stop ntopng the ssh connection stalled. The 
> > firewall could not handle further connections, and established connections 
> > dropped. The system could not answer to ping packets etc.
> > This now also happened on a 2nd machine. After 20 minutes (when I was in a 
> > taxi to the datacenter) I could login again and realized that ntopng was 
> > stopped and swap was freed.
> >
> > I have now disabled ntopng. I kindly ask the devs to take a look at this! 
> > If you need a testsetup for this or if I can do anything, just contact me.
> 
> First off, it's not a big surprise to have a hanging machine if you
> run it out of memory.
> 
> ntopng is not really stable. There is a newer version upstream but it
> crashes very often with certain packet types suggesting bugs in the packet
> parsers.
> 
> If you run ntopng at all, I would recommend you only run it while you
> need to investigate traffic, not leave it running unattended permanently.
> 
> It might also be a good idea to set login.conf limits for it, if you
> start it via the rc.d script you can add an "ntopng" class with say
> datasize=2500M.
> 
> 
> 
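The login.conf class Stuart suggests above, worked through as an added example (this is not code from the thread): the stanza for a class that caps the data segment, a check that reads the cap back out of a login.conf(5) file, and the commands that attach the class to the rc.d(8) service so the daemon inherits the limit. The service name `ntopng`, the run user `_ntopng` and the file paths are assumptions; the 2500M figure is the one from the reply.

```sh
#!/bin/sh
# Added example: cap a third-party daemon's memory with a login.conf class.
# Assumptions: service "ntopng", run user "_ntopng", class inherits from "daemon".

CLASS=${CLASS:-ntopng}
LIMIT=${LIMIT:-2500M}
LOGIN_CONF=${LOGIN_CONF:-/etc/login.conf}

# Emit the login.conf stanza for class $1 with datasize $2. The trailing
# backslashes and leading tabs are part of the file format; everything not
# set here is inherited from "daemon" through tc=.
login_class_stanza() {
	printf '%s:\\\n\t:datasize=%s:\\\n\t:tc=daemon:\n' "$1" "$2"
}

# Does file $1 already define a class named $2? Records start in column 0.
has_login_class() {
	grep -q "^$2:" "$1"
}

# Print the datasize of class $2 from file $1 (nothing if the class has none).
# A record continues while lines end in a backslash.
login_class_datasize() {
	awk -v c="$2" '
		$0 ~ ("^" c ":") { inrec = 1 }
		inrec && match($0, /datasize=[^:]*/) {
			print substr($0, RSTART + 9, RLENGTH - 9); exit
		}
		inrec && !/\\$/ { inrec = 0 }
	' "$1"
}

# Apply on the firewall itself (root). Not run unless invoked with "apply".
apply_login_class() {
	if ! has_login_class "$LOGIN_CONF" "$CLASS"; then
		login_class_stanza "$CLASS" "$LIMIT" >> "$LOGIN_CONF"
	fi
	# Only systems using the hashed database need cap_mkdb; keep it in sync.
	[ -f "$LOGIN_CONF.db" ] && cap_mkdb "$LOGIN_CONF"
	# rc.d starts the daemon via su(1) -c $class, so the class limits apply.
	rcctl set ntopng class "$CLASS"
	rcctl restart ntopng
	# Verify: a shell started under the class must report the capped limit.
	su -c "$CLASS" -s /bin/sh _ntopng -c 'ulimit -d'
}

if [ "${1:-}" = apply ]; then
	apply_login_class
fi
```

Run as `sh cap-ntopng.sh apply` on the box; the final `ulimit -d` should print the cap in kilobytes. With the cap in place an allocation beyond it fails inside ntopng instead of pushing the machine into swap, which is the failure mode described in this thread.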



Re: crash of OpenBSD 6.3 -stable (amd64 MP kernel) - unswapping kills connections

2018-04-26 Thread Infoomatic
Hi,

Today I discovered some interesting details: I guess ntopng has a memory leak, 
thus eating all my 4GB RAM and some 3GB swap - this appeared in the morning, so 
after all the backups and heavy traffic occurred.
When I fired up a rcctl stop ntopng the ssh connection stalled. The firewall 
could not handle further connections, and established connections dropped. The 
system could not answer to ping packets etc.
This now also happened on a 2nd machine. After 20 minutes (when I was in a taxi 
to the datacenter) I could login again and realized that ntopng was stopped and 
swap was freed.

I have now disabled ntopng. I kindly ask the devs to take a look at this! If 
you need a testsetup for this or if I can do anything, just contact me.

Regards,
infoomatic



> Sent: Wednesday, 25 April 2018 at 15:25
> From: Infoomatic <infooma...@gmx.at>
> To: misc@openbsd.org, b...@openbsd.org
> Subject: crash of OpenBSD 6.3 -stable (amd64 MP kernel)
>
> Hi folks,
> 
> Unfortunately this is not a complete bugreport since I could not retrieve 
> relevant information, however [1] is the dmesg.
> I upgraded to the new OpenBSD 6.3 version on monday, however, today it 
> crashed - better: it hung completely. I could not reach it any more via ssh, 
> a ping needed 15 seconds instead of 19ms, and only some packets arrived at 
> the host - but the network was normal.
> The machine runs the standard services from the default install plus httpd 
> and relayd, and also third party software: OpenVPN, scanlogd and ntopng.
> 
> In the sysctl.conf I have set ddb.panic=0.
> 
> When I was physically standing in front of the machine I was expecting to see 
> some messages on the screen, or even ddb, so to get some info for the devs, 
> but this was not the case.
> I plugged in a PS/2 keyboard with a USB adapter and promptly got on my 
> screen (without the "date hostname" - took this from the log):
> Apr 25 13:28:21 dorie /bsd: uhub0: device problem, disabling port 1
> 
> I tried another USB port and got:
> Apr 25 13:29:34 dorie /bsd: uhub0: device problem, disabling port 10
> 
> The keyboard was not working on the machine, so I grabbed another one. I 
> plugged it in and suddenly the monitor was filled up with messages which kept 
> flooding and did not stop:
> scsi_xfer pool exhausted!
> 
> I then had to reset the machine. 
> 
> I also found suspicious messages in the log at about the time when the 
> machine became unresponsive:
> Apr 25 11:23:00 dorie relayd[31883]: rsae_send_imsg: poll timeout
> Apr 25 11:23:00 dorie relayd[96425]: rsae_send_imsg: poll timeout
> Apr 25 11:23:11 dorie relayd[39081]: rsae_send_imsg: poll timeout
> Apr 25 11:23:16 dorie relayd[96425]: rsae_send_imsg: poll timeout
> Apr 25 11:23:28 dorie relayd[96425]: relay: proc_dispatch: relay 1 got 
> invalid imsg 59 peerid -1 from ca 1
> Apr 25 11:23:34 dorie relayd[31883]: rsae_send_imsg: poll timeout
> Apr 25 11:23:42 dorie relayd[31883]: relay: pipe closed
> Apr 25 11:23:43 dorie relayd[39081]: rsae_send_imsg: imsg_flush: Broken pipe
> Apr 25 11:23:44 dorie relayd[39081]: relay: pipe closed
> 
> Maybe some devs have an idea where to look for a bug. Any tips how to deal 
> with this matter in the future?
> 
> TIA and regards,
> infoomatic
> 
> 
> [1] 
> OpenBSD 6.3 (GENERIC.MP) #107: Sat Mar 24 14:21:59 MDT 2018
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 4238319616 (4041MB)
> avail mem = 4102795264 (3912MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xebb80 (74 entries)
> bios0: vendor American Megatrends Inc. version "0801" date 08/20/2014
> bios0: Thomas-Krenn.AG P9D-MV(X) Series
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S3 S4 S5
> acpi0: tables DSDT FACP APIC FPDT SSDT SSDT SSDT SSDT MCFG HPET SSDT SSDT 
> BERT DMAR EINJ ERST HEST
> acpi0: wakeup devices PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) 
> PXSX(S4) PXSX(S4) PXSX(S4) PXSX(S4) PXSX(S4) GLAN(S4) EHC1(S4) EHC2(S4) 
> XHC_(S4) HDEF(S4) [...]
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Xeon(R) CPU E3-1230L v3 @ 1.80GHz, 2594.38 MHz
> cpu0: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,SENSOR,ARAT,MELTDOWN
> cpu0: 256KB 64b/line 8-way L2 cache
> acpitimer0: recalibrated TSC frequency 

crash of OpenBSD 6.3 -stable (amd64 MP kernel)

2018-04-25 Thread Infoomatic
Hi folks,

Unfortunately this is not a complete bugreport since I could not retrieve 
relevant information, however [1] is the dmesg.
I upgraded to the new OpenBSD 6.3 version on monday, however, today it crashed 
- better: it hung completely. I could not reach it any more via ssh, a ping 
needed 15 seconds instead of 19ms, and only some packets arrived at the host - 
but the network was normal.
The machine runs the standard services from the default install plus httpd and 
relayd, and also third party software: OpenVPN, scanlogd and ntopng.

In the sysctl.conf I have set ddb.panic=0.

When I was physically standing in front of the machine I was expecting to see 
some messages on the screen, or even ddb, so to get some info for the devs, but 
this was not the case.
I plugged in a PS/2 keyboard with a USB adapter and promptly got on my screen 
(without the "date hostname" - took this from the log):
Apr 25 13:28:21 dorie /bsd: uhub0: device problem, disabling port 1

I tried another USB port and got:
Apr 25 13:29:34 dorie /bsd: uhub0: device problem, disabling port 10

The keyboard was not working on the machine, so I grabbed another one. I 
plugged it in and suddenly the monitor was filled up with messages which kept 
flooding and did not stop:
scsi_xfer pool exhausted!

I then had to reset the machine. 

I also found suspicious messages in the log at about the time when the machine 
became unresponsive:
Apr 25 11:23:00 dorie relayd[31883]: rsae_send_imsg: poll timeout
Apr 25 11:23:00 dorie relayd[96425]: rsae_send_imsg: poll timeout
Apr 25 11:23:11 dorie relayd[39081]: rsae_send_imsg: poll timeout
Apr 25 11:23:16 dorie relayd[96425]: rsae_send_imsg: poll timeout
Apr 25 11:23:28 dorie relayd[96425]: relay: proc_dispatch: relay 1 got invalid 
imsg 59 peerid -1 from ca 1
Apr 25 11:23:34 dorie relayd[31883]: rsae_send_imsg: poll timeout
Apr 25 11:23:42 dorie relayd[31883]: relay: pipe closed
Apr 25 11:23:43 dorie relayd[39081]: rsae_send_imsg: imsg_flush: Broken pipe
Apr 25 11:23:44 dorie relayd[39081]: relay: pipe closed

Maybe some devs have an idea where to look for a bug. Any tips how to deal 
with this matter in the future?

TIA and regards,
infoomatic


[1] 
OpenBSD 6.3 (GENERIC.MP) #107: Sat Mar 24 14:21:59 MDT 2018
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4238319616 (4041MB)
avail mem = 4102795264 (3912MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xebb80 (74 entries)
bios0: vendor American Megatrends Inc. version "0801" date 08/20/2014
bios0: Thomas-Krenn.AG P9D-MV(X) Series
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT SSDT SSDT SSDT SSDT MCFG HPET SSDT SSDT BERT 
DMAR EINJ ERST HEST
acpi0: wakeup devices PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) 
PXSX(S4) PXSX(S4) PXSX(S4) PXSX(S4) PXSX(S4) GLAN(S4) EHC1(S4) EHC2(S4) 
XHC_(S4) HDEF(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E3-1230L v3 @ 1.80GHz, 2594.38 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,SENSOR,ARAT,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
acpitimer0: recalibrated TSC frequency 1795841682 Hz
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Xeon(R) CPU E3-1230L v3 @ 1.80GHz, 2594.00 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,SENSOR,ARAT,MELTDOWN
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Xeon(R) CPU E3-1230L v3 @ 1.80GHz, 2594.00 MHz
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,SENSOR,ARAT,MELTDOWN
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0:

Re: Performance issues as KVM guest?

2018-01-15 Thread Infoomatic
Hi Stefan,

Thanks a lot, that solved the problem! 
However, I still wonder why the difference in cputime consumption between a 
FreeBSD KVM and a OpenBSD KVM (both just a basic install) is so huge ... now I 
see 643min on OpenBSD vs 46min on FreeBSD.

Regards,
Robert

> Sent: Friday, 12 January 2018 at 12:48
> From: "Stefan Fritsch" <s...@sfritsch.de>
> To: Infoomatic <infooma...@gmx.at>
> Cc: misc@openbsd.org
> Subject: Re: Performance issues as KVM guest?
>
> Hi,
>
> I don't see this issue on my Debian system, but please try two things:
>
> * disable kvm_intel.preemption_timer on the host (see
>   /sys/module/kvm_intel/parameters/preemption_timer ). This seems to be
>   buggy in linux 4.10 and newer
>
> * enable hpet in the vm config: Make sure there is no in your libvirt xml
>   (or don't pass -no-hpet to qemu). Unfortunately, newer libvirt versions
>   seem to disable hpet by default.
>
> Different issue: If you remove the USB controllers, the CPU load on the
> host will reduce by a few percent (~ 3%). Add and remove all other usb
> controller sections. Just removing the usb controller sections without
> adding the 'none' makes libvirt add them back (this is stupid).
>
> Cheers,
> Stefan
>
> On Fri, 12 Jan 2018, Infoomatic wrote:
>
> > Same problem here.
> > While we did have significant differences in cpu usage between FreeBSD and
> > OpenBSD (basic OS without configuration: FreeBSD ~ 33min CPU time, OpenBSD ~
> > 474min CPU time - both started at the same time), with the latest kernel
> > patches for Ubuntu 17.04 (our test environments all run Ubuntu 17.04 for KVM
> > VMs), OpenBSD now becomes practically unusable: as soon as I su or login on the
> > console with su, cpu usage is at 100% - the system freezes. :-/ guess we need
> > some dedicated BSD machines to host some test-VMs ;-)
> >
> > Regards,
> > Robert
> >
> > > Sent: Thursday, 11 January 2018 at 20:32
> > > From: "Kirill Miazine"
> > > To: misc@openbsd.org
> > > Subject: Re: Performance issues as KVM guest?
> > >
> > > * Kent Watsen [2018-01-11 17:38]:
> > > [...]
> > > > > > Since my hosting provider https://www.bytemark.co.uk/cloud-hosting/
> > > > > > patched for Meltdown last weekend I'm seeing significant performance
> > > > > > issues with an OpenBSD virtual instance there. It seems okay after a
> > > > > > fresh reboot but then progressively returns to being very slow: for
> > > > > > example "sleep 1" may take four seconds, then five, six, seven, then
> > > > > > rather more. Curiously it does tend to be an integral multiplier.
> > > > > >
> > > > > > I wondered, is anybody else seeing significant performance problems with
> > > > > > OpenBSD (or other BSDs) virtual instances since Meltdown patching? Is
> > > > > > there anything to tweak at my end or am I reliant on the provider?
> > > > > >
> > > > > > -- Mark
> > > > > >
> > > > > There are a ton of threads talking about this issue, and it's not meltdown
> > > > > specific. Please search the archives.
> > > > >
> > > > > -ml
> > > > >
> > > [...]
> > > > Also, Mark, could you say some more about the issue.  For instance, how long
> > > > after a reboot does it take until you start to notice the issue, and how
> > > > quickly does it get worse?
> > >
> > > I'm another customer of Bytemark experiencing the same issue. I'm taking
> > > care of one VM there and I'm primarily noticing it in two situations:
> > > sleep() takes a long time (e.g. sleep(1) might take up to 40 seconds)
> > > and the clock slows down.
> > >
> > > Right now, 9 hours after reboot, the clock on VM is 3 hours behind real
> > > clock. And sleep(1) takes 13 secs:
> > >
> > > km@buildfarm ~ $ time sleep 1
> > > 0m13.85s real 0m00.00s user 0m00.01s system
> > >
> > > This all started after the host was patched and VM rebooted.
> > >
> > > Bytemark guys are looking at the issue and doing their own debugging.
> > > Here're findings so far:
> > >
> > > I spun a few OpenBSD VMs up and left them overnight - looks like the
> > > clock isn't drifting but there's still the 'time sleep 1' issue.
> > > My testing results seemed to concur with User_4574's, virtio was slowing
> > > down only a few minutes after a fresh install whereas compatibility
> > > would stick at 1s, jump to 2s, etc.
> > >
> > > > Thanks,
> > > > Kent
> > >
> > > --
> > > -- Kirill Miazine
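The two knobs Stefan names (the kvm_intel preemption timer and the hpet timer in the libvirt domain XML) and the symptom reported in the thread, turned into a small diagnostic. This is an added example, not code from Stefan or from the thread: the guest-side function measures how much wall-clock time `sleep 1` really takes, the host-side functions read the module parameter and inspect a dumped domain XML. The sysfs path is the one quoted above; the modprobe.d file name, the domain XML file and the `<timer name='hpet' .../>` element shape are assumptions about a stock libvirt setup.

```sh
#!/bin/sh
# Added example: quantify the "sleep 1 takes 13 s" symptom in the guest and
# check the two host-side settings from the thread. Assumptions: Linux/KVM host
# with libvirt, domain XML obtained with "virsh dumpxml <dom> > dom.xml".

# Guest side: run sleep(1) $1 times and print elapsed wall-clock time as a
# percentage of the requested time. ~100 is healthy; the thread reports
# 400, 1300 and 4000. Whole seconds only, so use a few iterations.
sleep_ratio() {
	n=${1:-5}
	start=$(date +%s)
	i=0
	while [ "$i" -lt "$n" ]; do
		sleep 1
		i=$((i + 1))
	done
	end=$(date +%s)
	echo $(( (end - start) * 100 / n ))
}

# Host side: current state of the preemption timer ("Y"/"N" from sysfs).
preemption_timer_state() {
	p=/sys/module/kvm_intel/parameters/preemption_timer
	if [ -r "$p" ]; then cat "$p"; else echo "kvm_intel not loaded"; fi
}

# Host side: persist preemption_timer=0 and reload the module. All VMs must be
# stopped first, otherwise modprobe -r fails. File name is an assumption.
disable_preemption_timer() {
	echo 'options kvm_intel preemption_timer=0' > /etc/modprobe.d/kvm-intel.conf
	modprobe -r kvm_intel && modprobe kvm_intel
}

# Host side: classify the hpet timer in a domain XML file $1. Three outcomes,
# because (per the reply) a missing element means "libvirt default", which in
# newer versions is off; the fix is <timer name='hpet' present='yes'/> inside
# <clock>. Attribute order is not fixed, so match on the element, then look
# for present='no' anywhere inside it.
hpet_state() {
	t=$(grep -Eo "<timer[^>]*name=['\"]hpet['\"][^>]*>" "$1" | head -n 1)
	case "$t" in
	"")                                  echo "hpet unspecified" ;;
	*"present='no'"*|*'present="no"'*)   echo "hpet disabled" ;;
	*)                                   echo "hpet enabled" ;;
	esac
}

if [ "${1:-}" = host ]; then
	printf 'preemption_timer: %s\n' "$(preemption_timer_state)"
	[ -n "${2:-}" ] && hpet_state "$2"
elif [ "${1:-}" = guest ]; then
	printf 'sleep ratio: %s%%\n' "$(sleep_ratio 5)"
fi
```

On the host, `sh kvm-check.sh host dom.xml` prints the timer state and the hpet classification; inside the OpenBSD guest, `sh kvm-check.sh guest` prints the ratio, which you can compare before and after changing the host settings. The ratio is integer arithmetic on `date +%s`, so a single run can be off by up to one second in either direction; the multi-second stretch described in the thread is well outside that noise.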



Re: Performance issues as KVM guest?

2018-01-12 Thread Infoomatic
Same problem here.
While we did have significant differences in cpu usage between FreeBSD and 
OpenBSD (basic OS without configuration: FreeBSD ~ 33min CPU time, OpenBSD ~ 
474min CPU time - both started at the same time), with the latest kernel 
patches for Ubuntu 17.04 (our test environments all run Ubuntu 17.04 for KVM 
VMs), OpenBSD now becomes practically unusable: as soon as I su or login on the 
console with su, cpu usage is at 100% - the system freezes. :-/ guess we need 
some dedicated BSD machines to host some test-VMs ;-)

Regards,
Robert


> Sent: Thursday, 11 January 2018 at 20:32
> From: "Kirill Miazine" 
> To: misc@openbsd.org
> Subject: Re: Performance issues as KVM guest?
>
> * Kent Watsen [2018-01-11 17:38]:
> [...]
> > > > Since my hosting provider https://www.bytemark.co.uk/cloud-hosting/
> > > > patched for Meltdown last weekend I'm seeing significant performance
> > > > issues with an OpenBSD virtual instance there. It seems okay after a
> > > > fresh reboot but then progressively returns to being very slow: for
> > > > example "sleep 1" may take four seconds, then five, six, seven, then
> > > > rather more. Curiously it does tend to be an integral multiplier.
> > > > 
> > > > I wondered, is anybody else seeing significant performance problems with
> > > > OpenBSD (or other BSDs) virtual instances since Meltdown patching? Is
> > > > there anything to tweak at my end or am I reliant on the provider?
> > > > 
> > > > -- Mark
> > > > 
> > > There are a ton of threads talking about this issue, and it's not meltdown
> > > specific. Please search the archives.
> > > 
> > > -ml
> > > 
> [...]
> > Also, Mark, could you say some more about the issue.  For instance, how long
> > after a reboot does it take until you start to notice the issue, and how
> > quickly does it get worse?
> 
> I'm another customer of Bytemark experiencing the same issue. I'm taking
> care of one VM there and I'm primarily noticing it in two situations:
> sleep() takes a long time (e.g. sleep(1) might take up to 40 seconds)
> and the clock slows down.
> 
> Right now, 9 hours after reboot, the clock on VM is 3 hours behind real
> clock. And sleep(1) takes 13 secs:
> 
> km@buildfarm ~ $ time sleep 1
> 0m13.85s real 0m00.00s user 0m00.01s system
> 
> This all started after the host was patched and VM rebooted.
> 
> Bytemark guys are looking at the issue and doing their own debugging.
> Here're findings so far:
> 
> I spun a few OpenBSD VMs up and left them overnight - looks like the
> clock isn't drifting but there's still the 'time sleep 1' issue.
> My testing results seemed to concur with User_4574's, virtio was slowing
> down only a few minutes after a fresh install whereas compatibility
> would stick at 1s, jump to 2s, etc.   
>  
> > 
> > Thanks,
> > Kent
> > 
> 
> -- 
> -- Kirill Miazine 
> 
>



Microsoft VPN - multiple users behind OpenBSD Firewall

2017-10-25 Thread Infoomatic
Hello,

First: thanks for OpenBSD 6.2, another great release ... and oooh, boy, 
upgrading is such a joy! It's awesome because it's painless and is done faster 
than even booting most full blown operating systems.

Second, my problem:
We have 2 roadwarriors doing projects for another company, and they should 
connect to their Microsoft based VPN Service.
However, we are experiencing a weird problem that only one of them can connect 
at the same time.
It's no problem with their service, using mobile phone tethering both can 
connect simultaneously.

I have tried both with net.inet.gre.allow and net.inet.gre.wccp enabled and 
disabled, but it does not work.
The rule is basically:

pass out quick on $if_int proto {tcp udp gre} from any to $customer_ip nat-to 
$ext_ip

which of course also allows port 1723.

I have no idea about the configuration on their server, and found various 
discussions e.g. "multiple pptp pass-through on pf" from 2007 and others about 
10 years back.
What's the current state of this? Do I really need a proxy like poptop?

thanks in advance,
infoomatic



Re: OpenBSD 6.1/i386 hangs on reboot

2017-09-29 Thread Infoomatic

I have tried the latest snapshot and ... thanks for fixing this! reboot and 
shutdown are now working again on my 16 year old notebook!


> Sent: Friday, 12 May 2017 at 22:06
> From: Infoomatic <infooma...@gmx.at>
> To: "OpenBSD Misc" <misc@openbsd.org>
> Subject: OpenBSD 6.1/i386 hangs on reboot
>
> I wanted to try to resolve the issue I just posted and tried to reboot, 
> however the machine hangs and shows:
> 
> syncing disks... done
> ehci0: reset timeout
> rebooting...
> 
> even pushing the power button long does not switch off the machine, I have to 
> unplug the powersupply and remove the battery. Anyone with the same errors?
> 
> 



OpenBSD fuzzy testing

2017-08-23 Thread Infoomatic
Hi,
As nowadays I read quite a lot of projects being fuzz tested or 
vulnerabilities detected by fuzz testing, I am quite curious: what is the 
status of OpenBSD kernel/base system concerning fuzz testing?
Is there a plan on using the Google fuzzer? thanks

regards,
infoomatic



Re: bridge/vether0 not working - BUG?

2017-08-18 Thread Infoomatic
Hello,

Last week I did an update of this 6.1 machine. Somehow, the machine ignores 
/etc/mygate (one line with ipv4 gateway, one line with ipv6 gateway).
After the reboot I could not connect to the box. Luckily I could ssh into one 
of the bridged hosts "behind" the OpenBSD 6.1 machine, and from there I could 
log into the OpenBSD 6.1 machine via its external IP-Address.

So, in addition to the machine ignoring IP aliases in /etc/hostname.vether0 
(well, it shows the IP aliases via ifconfig, but the pf rules are only working 
after an explicit "ifconfig vether0 inet alias ...") , it now ignores also 
/etc/mygate.
Adding "ifconfig vether0 inet alias XXX netmask XXX" and "route add default 
XXX" to /etc/rc.local was the workaround, however, I think this is not expected 
behaviour.

regards, 
infoomatic


> Sent: Tuesday, 9 May 2017 at 18:37
> From: Infoomatic <infooma...@gmx.at>
> To: "OpenBSD Misc" <misc@openbsd.org>
> Subject: Re: bridge/vether0 not working - BUG?
>
> > > > does it work when you put - inet alias X.X.X.Y 255.255.255.255 ?
> > > 
> > > unfortunately not. It's the same effect as with 255.255.255.224: working 
> > > locally on the subnet, but not when routing is involved.
> > > Thanks anyway for this idea!
> > 
> > Guess I was too fast! After a few minutes it was working (did not do 
> > anything in the meantime!).
> > The fun fact: I did a reboot with the .224 netmask in the file enabled 
> > again and it also worked. This is weird, maybe someone could explain this 
> > (why the .255 netmask?) to me, I have no clue why this now works and what 
> > causes this behaviour.
> > 
> 
> This is weird. I was too fast again. Something is really strange here. It is 
> working on incoming stuff, e.g. also in pf on rules like 
> "pass in quick inet proto tcp from any to X.X.X.Y port 4422 rdr-to 
> 192.168.1.3 port 22"
> 
> However, outgoing is not working.
> "pass out quick from 192.168.1.3 to any nat-to X.X.X.Y" is NOT WORKING, but 
> when I use the main ip-address X.X.X.X it is working.
> 
> Now the weird part:
> As soon as I remove any alias in the /etc/hostname.vether0 and fire up 
> "ifconfig vether0 inet alias X.X.X.Y netmask 255.255.255.224", the pf-rules 
> work as expected supporting nat-to with any of the firewalls external 
> ip-addresses. Could this be a bug?
> 
> Any further enlightenment would be highly appreciated, thanks!
> 
>



Re: OpenBSD 6.1/i386 iwi0 problems

2017-05-12 Thread Infoomatic
> iwi(4) was entirely broken since the WPA security patch for 6.0.
> I made it work again for 6.1 but also saw these firmware errors occasionally.
> But I thought these errors were already present in 6.0 and before. It looks
> like that's not the case, and there is even more left to fix...

OK, thanks for the info. Now I am not sure it did work in 6.0, maybe I haven't 
used wifi in 6.0, but it worked in 5.9.

@G: "media autoselect mode 11g" did not resolve the problems but thanks for the 
suggestion



OpenBSD 6.1/i386 hangs on reboot

2017-05-12 Thread Infoomatic
I wanted to try to resolve the issue I just posted and tried to reboot, however 
the machine hangs and shows:

syncing disks... done
ehci0: reset timeout
rebooting...

even pushing the power button long does not switch off the machine, I have to 
unplug the powersupply and remove the battery. Anyone with the same errors?



OpenBSD 6.1/i386 iwi0 problems

2017-05-12 Thread Infoomatic
hi,
I upgraded my old notebook to 6.1. However, I am experiencing hiccups with wifi 
(no problems with 6.0)
some lines in dmesg:

iwi0 at pci1 dev 13 function 0 "Intel PRO/Wireless 2200BG" rev 0x05: irq 11, 
address 00:
.
iwi0: fatal firmware error
iwi0: timeout waiting for master
iwi0: fatal firmware error
iwi0: timeout waiting for master
iwi0: fatal firmware error
iwi0: fatal firmware error
iwi0: fatal firmware error
iwi0: timeout waiting for master
iwi0: unknown authentication state 1

Any advice?



Re: bridge/vether0 not working - BUG?

2017-05-09 Thread Infoomatic
> > > does it work when you put - inet alias X.X.X.Y 255.255.255.255 ?
> > 
> > unfortunately not. It's the same effect as with 255.255.255.224: working 
> > locally on the subnet, but not when routing is involved.
> > Thanks anyway for this idea!
> 
> Guess I was too fast! After a few minutes it was working (did not do anything 
> in the meantime!).
> The fun fact: I did a reboot with the .224 netmask in the file enabled again 
> and it also worked. This is weird, maybe someone could explain this (why the 
> .255 netmask?) to me, I have no clue why this now works and what causes this 
> behaviour.
> 

This is weird. I was too fast again. Something is really strange here. It is 
working on incoming stuff, e.g. also in pf on rules like 
"pass in quick inet proto tcp from any to X.X.X.Y port 4422 rdr-to 192.168.1.3 
port 22"

However, outgoing is not working.
"pass out quick from 192.168.1.3 to any nat-to X.X.X.Y" is NOT WORKING, but 
when I use the main ip-address X.X.X.X it is working.

Now the weird part:
As soon as I remove any alias in the /etc/hostname.vether0 and fire up 
"ifconfig vether0 inet alias X.X.X.Y netmask 255.255.255.224", the pf-rules 
work as expected supporting nat-to with any of the firewalls external 
ip-addresses. Could this be a bug?

Any further enlightenment would be highly appreciated, thanks!



Re: bridge/vether0 not working

2017-05-09 Thread Infoomatic
> > does it work when you put - inet alias X.X.X.Y 255.255.255.255 ?
> 
> unfortunately not. It's the same effect as with 255.255.255.224: working 
> locally on the subnet, but not when routing is involved.
> Thanks anyway for this idea!

Guess I was too fast! After a few minutes it was working (did not do anything in 
the meantime!).
The fun fact: I did a reboot with the .224 netmask in the file enabled again 
and it also worked. This is weird, maybe someone could explain this (why the 
.255 netmask?) to me, I have no clue why this now works and what causes this 
behaviour.



Re: bridge/vether0 not working

2017-05-09 Thread Infoomatic
> Von: "Hrvoje Popovski" 
> > /etc/hostname.vether0: 
> > up media autoselect
> > inet X.X.X.X 255.255.255.224 NONE
> > inet alias X.X.X.Y 255.255.255.224
> 
> 
> does it work when you put - inet alias X.X.X.Y 255.255.255.255 ?

unfortunately not. It's the same effect as with 255.255.255.224: working 
locally on the subnet, but not when routing is involved.
Thanks anyway for this idea!



bridge/vether0 not working

2017-05-09 Thread Infoomatic
Hi,

In my setup I use 4 ethernet ports for my firewall: 1 for the external, 1 
bridged for bridged hosts in the same external subnet, 2 as trunk to the 
internal network. I want to slowly migrate some (it's not possible for all) of 
the hosts with external ip-addresses to the internal net. Thus, the firewall 
gets the external ip-address and uses pf (rdr-to, nat-to) to map this to the 
internal host.

I have a similar setup working like this (other ip-addresses, and no trunk for 
internal hosts, the rest is the same), but this beast is just not working. The 
primary external interface of the firewall works, but all other ip-address on 
vether0 are just working locally on the subnet, they seem to ignore the route. 
I am using OpenBSD 6.1 on amd64 with the latest patches applied via syspatch 
(thanks for that tool ;-)

netstat -nr shows:
X.X.X.0/27   X.X.X.X  UCPn   221427 - 4 vether0
X.X.X.0/27   X.X.X.Y  UCPn   00 - 4 vether0

/etc/hostname.bridge0:
add em0
add em1
add vether0
blocknonip em0
blocknonip em1
blocknonip vether0
up

/etc/hostname.vether0: 
up media autoselect
inet X.X.X.X 255.255.255.224 NONE
inet alias X.X.X.Y 255.255.255.224

If I fire up a "ifconfig vether0 inet alias X.X.X.Y netmask 255.255.255.224" I 
get a dmesg of "arpresolve: X.X.X.1: route contains no arp information". (what 
exactly means this message?)
However, if I delete the last line in /etc/hostname.vether0 (containing the 
alias statement), and then manually do a "ifconfig vether0 inet alias X.X.X.Y 
netmask 255.255.255.224" everything is fine and works as expected.

I am curious in this matter, and would really appreciate someone sharing 
his/her knowledge to enlighten a newcomer, thanks!

Kind regards,
infoomatic




Re: I can't connect to openbsd.org in most cases.

2017-04-04 Thread Infoomatic
I can confirm this for the https site

> Sent: Tuesday, 4 April 2017 at 11:04
> From: "Luke Small" 
> To: openbsd-misc 
> Subject: I can't connect to openbsd.org in most cases.
>
> I have an openbsd vm on a windows 7 host, windows 7 asus, iPhone, and
> Android phone. Only the iPhone 7+ seems to be able to connect to openbsd.org
> correctly without getting a https validation error. they are all going
> through the same wifi router.
> 
> I am running firefox on everything. Safari also worked on iPhone.



Re: Running OpenBSD on Hypervisor

2017-03-08 Thread Infoomatic
Hi,

I have not experienced any problems virtualizing OpenBSD with KVM, Xen,
HyperV, VMware.
I have done various performance tests over the years and found KVM to be the
best performing, most stable platform for our environment.
Those non-scientific tests simulated some of our typical workloads - web
platforms (php,js,python), databases, filesystem, running various
stuff in a single VM up to 8 different VMs... they were performed on entry
level server hardware though: maximum 2 CPU sockets, max 128GB
RAM with max 8 SSD/SAS disks.

Haven't tested bhyve yet, but I don't expect it to be faster or more stable
than KVM (if you ignore frequent kernel updates ;-)

regards



> Sent: Wednesday, 8 March 2017 at 16:07
> From: "Markus Rosjat" 
> To: "misc@openbsd.org" 
> Subject: Running OpenBSD on Hypervisor
>
> Hi there,
>
> just like to get opinions or examples of OpenBSD as guest on a
> hypervisor. I had it running on a VMware Host but since the free version
> is missing quite a lot of features I was wondering where to look at. I also
> tried Hyper-V from MS and this looks quite ok. So if the "virtual" guys
> like to share their experience it would be nice. I'm open to everything,
> so KVM or bhyve are points I've looked at but haven't tried for now.
>
> thanks for the input
>
> regards
> --



Re: increased load average

2017-03-03 Thread Infoomatic
> Gesendet: Freitag, 03. März 2017 um 15:53 Uhr
> This is known behaviour from current.
>

OK, thanks for the info. I have no problem with the load so far, just did not
have an idea where it did come from since vmstat did not show anything unusual
compared to running -stable.



increased load average

2017-03-03 Thread Infoomatic
Hi,
I have got "QOTOM Mini PC" with a 4-core "Intel(R) Celeron(R) CPU J1900 @ 
1.99GHz, 2000.45 MHz" CPU and 8GB RAM acting as firewall for a 12MBit 
synchronous connection and routing all traffic to our datacenter via OpenVPN.
Since the upgrade yesterday from -stable to -current, the load average jumped 
from about 0.2 to 1.7. There haven't been changes in our userbase (<10 users) or 
anything else, is this a known problem? I use the MP kernel.

regards,
infoomatic



Re: kernel panic in OpenBSD 6.0-stable

2017-03-01 Thread Infoomatic
> At least two bugs leading to this panic have been fixed post 6.0.  I'd
> suggest you upgrade to -current where it should work as expected.  If
> not, please send a new bug report to bugs@.

Thanks a lot! This is awesome, you manage to fix bugs faster than I can report 
them ;-)
I guess I won't have problems with -current, otherwise I will report!



kernel panic in OpenBSD 6.0-stable

2017-02-27 Thread Infoomatic
Hi,

I have "managed" to get a kernel panic in OpenBSD 6.0 -stable (from 
GENERIC.MP). Unfortunately I cannot provide you with lots of information, but 
here is what I have:

The panic occurred twice on an IBM X3550 server (CPU: Intel(R) Xeon(R) CPU 
E5-2603 0 @ 1.80GHz, with 4GB RAM and Intel I350 Gigabit Network chips onboard) 
and once in a VM which was
hosted inside Linux KVM with the e1000 as network interface.
The IBM server was configured to act as bridged and routed firewall, so we had 
a hostname.bridge0 (with blocknonip) with em0 and em1 interfaces and vether0 
(having the main external ip-address of the firewall and some alias addresses 
that are routed through into the internal network) and vether1 (having the 
primary internal ip-address) - some hosts on the network are not of my 
responsibility so they stayed with an external ip address (and thus we need 
bridging).
We carefully planned the migration from Linux/iptables to OpenBSD/PF (which is 
really a joy to use, kudos to you devs for making me happy and enjoying the 
time spent with PF and the rest of the system), but after we switched, the 
hardware got a panic at night (and so did I). I could not even type via 
USB-keyboard in ddb. And since it was already in production I did not have time 
to fiddle around and get it working, a restart was needed. See picture [1]

The second crash occurred when I did a "ifconfig vether0 alias EX.TE.RN.IP 
netmask 255.255.255.240", this time I have switched on ddb.panic=0, but the 
server did not restart and was hung - no USB keyboard again. See pic [2]

The third crash was in a VM, where I was playing around. Here, I did not have a 
bridge configuration, but a "ifconfig em1 alias XX.XX.XX.XX netmask 
255.255.255.0" resulted in picture [3], this time again without being able to 
type in the VM. We had to switch back to the old Linux based firewall, but in 
the VM I have not managed to reproduce this.

I would appreciate any tips, comments or info in this matter, I am willing to 
help if more information is needed or if I can do anything to support a dev to 
fix this problem.

regards,
infoomatic

[1] https://postimg.org/image/5ogvhmc45/
[2] https://postimg.org/image/mmx6f1nxv/
[3] https://postimg.org/image/687wqsh8j/



openiked troubles during conn

2017-02-16 Thread Infoomatic
Hello,

I hope someone could point me in the right direction with my problem I am 
facing with openiked on a 64bit OpenBSD 6.0-stable. I want to connect two 
bridged firewalls, however, it seems the connection cannot be fully 
established. I tried with pf disabled but that did not change anything. 2 
physical interfaces are configured in the bridge with 2 vether interfaces (one 
being the external IP and one being the internal IP, e.g. 192.168.201.1).
In the logs I only get:

Feb 15 23:34:02 stage03 iked[3379]: ikev2_recv: IKE_SA_INIT request from 
initiator 11.11.11.11:500 to 33.33.33.33:500 policy 'testing' id 0, 518 bytes
Feb 15 23:34:02 stage03 iked[3379]: ikev2_msg_send: IKE_SA_INIT response from 
33.33.33.33:500 to 11.11.11.11:500 msgid 0, 446 bytes

UDP Ports 500 and 4500 can be reached on both ends, but the connection does not 
get across this point.

The configuration /etc/iked.conf is very simple:
ikev2 "testing" active esp \
from 192.168.101.0/24 to 192.168.201.0/24 \
local 11.11.11.11 peer 33.33.33.33 \
psk thisisjustatestpassword

with "passive" and the IP-addresses switched on the other end, 11.11.11.11 and 
33.33.33.33 obviously changed for posting here.

On the passive host, with "iked -d -vv -f /etc/iked.conf" I do get the output 
in [1], on the active host, I get [2].

Maybe I just cannot see the obvious problem, however, any advice is highly 
appreciated. 

Thanks,
robert


[1]
ca_privkey_serialize: type RSA_KEY length 1191
ca_pubkey_serialize: type RSA_KEY length 270
ikev2 "testing" passive esp inet from 192.168.201.0/24 to 192.168.101.0/24 
local 33.33.33.33 peer 11.11.11.11 ikesa enc aes-256,aes-192,aes-128,3des prf 
hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group 
modp2048-256,modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 
auth hmac-sha2-256,hmac-sha1 lifetime 10800 bytes 536870912 psk 
0x7468697369736a757374617465737470617373776f7264
/etc/iked.conf: loaded 1 configuration rules
ca_reload: local cert type RSA_KEY
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type RSA_KEY length 0
config_getpolicy: received policy
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
ikev2_recv: IKE_SA_INIT request from initiator 11.11.11.11:500 to 
33.33.33.33:500 policy 'testing' id 0, 518 bytes
ikev2_recv: ispi 0x175fc9692a413ed6 rspi 0x
ikev2_policy2id: srcid FQDN/stage03.testing length 18
ikev2_pld_parse: header ispi 0x175fc9692a413ed6 rspi 0x 
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 518 
response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 120
ikev2_pld_sa: more 0 reserved 0 length 116 proposal #1 protoid IKE spisize 0 
xforms 12 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048_256 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x175fc9692a413ed6 0x 
11.11.11.11:500
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x175fc9692a413ed6 0x 
33.33.33.33:500
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_pld_notify: signature hash SHA2_256 (2)
ikev2_pld_notify: signature hash SHA2_384 (3)
ikev2_pld_notify: signature hash SHA2_512 (4)
sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x, require 0x 
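
As an added example (not from the post and not OpenBSD's own iked code), a small Python checker over iked syslog lines of the kind quoted above: it groups the ikev2_recv / ikev2_msg_send messages by remote peer and reports the furthest exchange each peer reached, so a peer that stops after IKE_SA_INIT, as 11.11.11.11 does here, stands out. The log lines are constructed after the two quoted in the post; the second peer 22.22.22.22 and the IKE_AUTH lines are invented to show what a completed exchange looks like.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the two iked lines quoted in the post; peer
# 22.22.22.22 and the IKE_AUTH lines are invented to show a completed exchange.
SAMPLE_LOG = """\
Feb 15 23:34:02 stage03 iked[3379]: ikev2_recv: IKE_SA_INIT request from initiator 11.11.11.11:500 to 33.33.33.33:500 policy 'testing' id 0, 518 bytes
Feb 15 23:34:02 stage03 iked[3379]: ikev2_msg_send: IKE_SA_INIT response from 33.33.33.33:500 to 11.11.11.11:500 msgid 0, 446 bytes
Feb 15 23:35:10 stage03 iked[3379]: ikev2_recv: IKE_SA_INIT request from initiator 22.22.22.22:500 to 33.33.33.33:500 policy 'testing' id 0, 518 bytes
Feb 15 23:35:10 stage03 iked[3379]: ikev2_msg_send: IKE_SA_INIT response from 33.33.33.33:500 to 22.22.22.22:500 msgid 0, 446 bytes
Feb 15 23:35:10 stage03 iked[3379]: ikev2_recv: IKE_AUTH request from initiator 22.22.22.22:4500 to 33.33.33.33:4500 policy 'testing' id 1, 364 bytes
Feb 15 23:35:10 stage03 iked[3379]: ikev2_msg_send: IKE_AUTH response from 33.33.33.33:4500 to 22.22.22.22:4500 msgid 1, 220 bytes
"""

# One exchange line as iked logs it: direction, exchange, request/response, endpoints.
LINE_RE = re.compile(
    r"ikev2_(?P<dir>recv|msg_send): (?P<exch>[A-Z_]+) (?P<kind>request|response) "
    r"from (?:initiator )?(?P<src>\S+):\d+ to (?P<dst>\S+):\d+"
)

# Handshake milestones in order; the furthest one seen says where a peer stopped.
STAGES = [
    (("IKE_SA_INIT", "request"), "IKE_SA_INIT received, no response sent"),
    (("IKE_SA_INIT", "response"), "stalled after IKE_SA_INIT"),
    (("IKE_AUTH", "request"), "IKE_AUTH received, no response sent"),
    (("IKE_AUTH", "response"), "IKE_AUTH answered"),
]

def exchanges_per_peer(log_text):
    """Map each remote peer to the set of (exchange, request|response) seen."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            # Received messages come from the peer; sent ones go to it.
            peer = m["src"] if m["dir"] == "recv" else m["dst"]
            seen[peer].add((m["exch"], m["kind"]))
    return dict(seen)

def handshake_report(log_text):
    """Return {peer: furthest stage reached}, so stuck peers stand out."""
    report = {}
    for peer, seen in exchanges_per_peer(log_text).items():
        reached = [label for key, label in STAGES if key in seen]
        report[peer] = reached[-1] if reached else "no IKEv2 exchange parsed"
    return report

if __name__ == "__main__":
    for peer, stage in sorted(handshake_report(SAMPLE_LOG).items()):
        print(f"{peer:16} {stage}")
```

A peer reported as stalled after IKE_SA_INIT means the responder answered but no IKE_AUTH ever arrived, which is the point at which a tcpdump on udp 500 and 4500 at both ends shows whether the response or the follow-up request is being lost.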

Re: openiked + rc.conf.local

2016-09-26 Thread Infoomatic
> Do you get any more output if you do "rcctl -f -d start iked"?
the output is:
doing _rc_parse_conf
doing _rc_quirks
iked_flags empty, using default ><
doing _rc_parse_conf /var/run/rc.d/iked
doing _rc_quirks
doing rc_check
iked
doing rc_pre
configuration OK

and then the terminal is blocked again

> What happens if you press ^T to get status (assuming common
> shell setup)? Or if you don't get anything useful there, what
> is shown in the WAIT column in top for iked? ("top -g iked" if
> you have lots running and need to cut it down)
^T does not do anything (standard installation without further config),
top lists 4 processes, one running as root (parent) with "wait" and the other 
three processes (control, ca, ikev2) with "kqread" in the wait-column.

> It might be useful to include your config file (obviously masking
> anything sensitive, but try to avoid hiding anything that might be
> important..).
the exact configuration (does not matter if active or passive):
ikev2 "test" active esp \
from 10.85.0.0/24 to 10.86.0.0/24 \
local 10.85.0.2 peer 10.86.0.2 \
psk thisisjustatestpassword

sysctl is not touched except:
net.inet.ip.forwarding=1

Thanks in advance!



Re: openiked + rc.conf.local

2016-09-26 Thread Infoomatic
> On Mon, Sep 26, 2016 at 02:17:35PM +0200, Infoomatic wrote:
> > also, the already running endpoint did not receive any packets.
> 
> Nobody on this list can run ifconfig, route, and tcpdump on *your* box
> to figure out where you're losing packets...

this is not a connectivity issue.
To clarify: when I start the daemon manually as mentioned in my first mail, 
everything is fine.

However, when I try to start it automatically via rc.conf.local it just 
interrupts the boot sequence and further daemons like ssh are not started, I 
cannot even login on terminal locally. 
The same happens when I try to do a "rcctl -f start iked" (I need -f since I 
cannot use it with rc.conf.local because this leaves me with an unusable 
system) - it hangs and "ctrl+c" / SIGNAL 15 does not give me my terminal back, I 
have to kill -9 the iked to use the terminal again where I tried to start iked 
via rcctl. 
When using iked_flags="-v", and doing "rcctl start iked" the same happens, but 
opposite to my expectation I did not get _any_ logs to /var/log/daemon.

There really seems something wrong here ... this should not happen in any way.



Re: openiked + rc.conf.local

2016-09-26 Thread Infoomatic
> On Mon, Sep 26, 2016 at 01:56:20PM +0200, Infoomatic wrote:
> > ipsec=YES in rc.conf.local does not change anything, and appending
> > "ikelifetime 60" to iked.conf neither.
> 
> ipsec=YES and /etc/ipsec.conf are for use with isakmpd.
> 
> iked does not use ipsec.conf. 

that's what I thought, but wasn't quite sure so I just tried the
ipsec=YES in rc.conf.local

> It seems you came to this list before gathering actual evidence of
> what's going on. So I'd suggest you run tcpdump on your interfaces
> to figure out what's going on with the IKE session when it's in that
> non-working state, based on packets being passed around.
> You could also enable verbose mode at the other end and check the
> logs there to obtain more information.

I also tried with "-v" flags which did not write anything to
/var/log/daemon, also, the already running endpoint did not receive any
packets.



openiked + rc.conf.local

2016-09-26 Thread Infoomatic
Hi,
I am trying to get a site-to-site ipsec tunnel to work with openiked.
The configuration seems quite easy, testing also works.
The iked.conf is:
ikev2 "test" esp \
from 192.168.1.1 to 192.168.3.1 \
from 192.168.1.0/24 to 192.168.3.0/24 \
local 192.168.1.1 peer 192.168.3.1 \
psk thisisjustatest

The other endpoint is the passive one. 
/sbin/iked -f /etc/iked.conf -dvv
just works and shows the connection established.

However, rc.conf.local containing
iked_flags=
just keeps the box hanging:
"starting early daemons: syslogd pflogd ntpd iked"

and there is no timeout, the box cannot be reached via ssh any more.
iked_flags="-v" does not give me any information, iked_flags=YES delivers
the same behavior. Do I need some additional configuration in ipsec.conf?
"rcctl get iked" shows an "iked_timeout=30", I guess that should be the
timeout on startup, but I did not find any exact info on that.

ipsec=YES in rc.conf.local does not change anything, and appending
"ikelifetime 60" to iked.conf neither.

PF is configured to pass everything, nothing else is configured. The network
is configured with a bridge0 containing 2 interfaces of which the
external one has the (simulated) external ip address and the internal
interface has an internal ip address, both only ipv4.
The system is OpenBSD 6.0 -stable including the patches until (and
including) 006.

I am quite sure this is just a minor detail I have overlooked, however,
I would really appreciate your help! Thanks!

infoomatic