Re: Trying to access /dev/ttyUSB0 device from VM

2024-03-17 Thread Rob Schmersel
On Sun, 17 Mar 2024 10:25:17 -0400
Stephen Wiley  wrote:

> Since it's just UART it probably wouldn't be too hard to use openpty
> to pass it through over the network. I wouldn't be surprised if
> someone else already did this.
> 
> On Sun, Mar 17, 2024 at 02:09:11PM +, Chris Narkiewicz wrote:
> > Hardware passthrough is not supported by vmd.
> > 
> > Best regards,
> > Chris Narkiewicz
> > 
> 

There is socat in ports (https://openports.pl/path/net/socat)



Re: Trying to access /dev/ttyUSB0 device from VM

2024-03-17 Thread Rob Schmersel
On Sun, 17 Mar 2024 19:42:13 +0800
Sadeep Madurange  wrote:

> Hello,
> 
> I set up a Linux VM on OpenBSD hoping to flash ESP32 programs from the
> Linux VM. However when I plug the MCU in, I can't see it in the /dev
> directory.
> 
> Is what I'm trying to do even possible (accessing UART-over-USB
> devices from a VM), and if so, is there anything special I need to
> do, e.g., when I start the VM?
> 

This is not supported at the moment as mentioned in the FAQ:
https://www.openbsd.org/faq/faq16.html



Re: mailman on OpenBSD - linking problem

2024-03-12 Thread Rob Schmersel
On Mon, 11 Mar 2024 21:16:05 +0300
Mark  wrote:

> On Mon, Mar 11, 2024 at 11:16 AM Michael Hekeler 
> wrote:
> 
> > I don't know this mailman script but...
> > Why did you strip first component from the request?
> > Are these cgi's in /usr/local/lib/mailman/cgi-bin/admin or in
> > /var/www/usr/local/lib/mailman/cgi-bin/admin?
> > What is your chroot setting in httpd.conf?
> > And IF you changed httpd chroot how do you start slowcgi(8)?
> > What/where is socket? Where is path?
> >
> >  
> Hi Michael,
> 
> What does "request strip 1" actually do in that case?
> The cgi files are in /usr/local/lib/mailman/cgi-bin/
> chroot setting in httpd.conf: chroot "/"
> Slowcgi starts with: slowcgi_flags="-p /" and its socket path is:
> /var/www/run/slowcgi.sock
> 
> Slowcgi and httpd works fine. However two things I'd like to know;
> 
> As I asked, what does "request strip 1" do and if I really need that?
> 
> Secondly; how to combine two locations into one? So that;
> "/admin" and "/admin/" would get captured both.

you would have 2 locations like this
location match "/admin" {
	request rewrite "/admin/"
}
location "/admin/" {
	...
}

you should be able to generalize the 1st match to add a / to every
request not having a / at the end when it is not pointing to a file
(*.html/png/...) with something like this (note I've not tested this,
so use at own risk :) )

location match "([^.]+)[^/]$" {
	request rewrite "%1/"
}




Re: Using wayland on OpenBSD

2023-11-25 Thread Rob Schmersel
On Sat, 25 Nov 2023 17:15:21 +0100
quen...@schibler.fr  wrote:

> I would like to develop a wayland app on OpenBSD, and I was wondering
> if it was already possible to use wayland on a snapshot version. The
> only requirement I have is to be able to run firefox, I obviously
> don't expect anything to be stable and I will be happy to help by
> providing feedback/bug report.
> 
> - Quentin Schibler
> 
Have a look here:
https://www.openbsd.org/papers/eurobsdcon2023-matthieu-wayland-openbsd.pdf



Re: How Do I Get The OpenBSD Install Procedure To Stop Trashing My Bootloader?

2023-07-14 Thread Rob Schmersel
On Thu, 13 Jul 2023 13:53:24 -0500 (EDT)
"Jay F. Shachter"  wrote:

> Esteemed Colleagues:
> 
> Every time I install OpenBSD (the latest version, 7.3), it trashes
> GRUB, and renders my computer unbootable.  I am guessing, and please
> correct me if I am wrong, that this is because OpenBSD puts its
> subpartition table in disk storage that has not been given to it.
> 
> The internal hard drive is an MBR-partitioned disk belonging to a
> computer that is configured to do Legacy boot.  Microsoft Windows,
> Linux, and Haiku are already installed.  Microsoft Windows uses all
> three primary partitions for itself, because that is what Windows
> does, and every other operating system has to find a place for itself
> within the extended partition.
> 
> The bootloader is GRUB2, and has been, since I installed the Linux
> system.  The Linux system resides on two logical volumes (root and
> swap) carved out of an LVM volume group that resides on the first
> logical slice of the extended partition (which Linux calls /dev/sda5).
> GRUB2 boots it by means of:
> 
>  insmod lvm
>  set root=(lvm/m5-springdale)
>  linux /boot/vmlinuz root=/dev/m5/springdale
>  initrd /boot/initramfs.img
> 
> Haiku resides on the third logical slice of the extended partition,
> which in Linux is called /dev/sda7, and is booted by means of:
> 
>  set root=(hd0,7)
>  chainloader +1
> 
> OpenBSD was installed -- repeatedly -- in the second logical slice of
> the extended partition, which in Linux is called /dev/sda6 (and I
> intend to install NetBSD in /dev/sda9, I have a very subtle sense of
> humor), and there is already a stanza in my GRUB menu that has been
> made ready for it:
> 
>  set root=(hd0,6)
>  chainloader +1
> 
> although I am also ready to boot it by means of kopenbsd, if
> necessary.
> 
> I never got to execute that stanza in the GRUB menu, however, because
> the OpenBSD installation has always rendered my system unbootable.  It
> just didn't boot, not even into the GRUB menu.  I had to repair my
> system by booting from a recovery CD, mounting /dev/m5/springdale on,
> e.g., /mnt, furnishing /mnt with appropriate proc, sys and dev
> filesystems, doing a chroot to /mnt, and then doing a "grub2-install
> /dev/sda".  Which failed, complaining, inter alia, about a disk with
> multiple partition tables.  But if I did
> 
>   dd if=/dev/zero of=/dev/sda bs=512 skip=1 count=2
> 
> then grub2-install ceased complaining about a disk with multiple
> partition tables, and it succeeded, and I could then reboot into the
> GRUB menu.  But now OpenBSD was unbootable.
> 
> All of this has led me reasonably to theorize that OpenBSD puts its
> subpartition table outside of the area that belongs to it, which is
> the second logical slice of the extended partition, which is where I
> tell it to install itself -- in particular, that it puts its
> subpartition table near the MBR table, which is an area of disk that
> does not belong to it, but, rather, to GRUB, which is, consequently,
> trashed.
> 
> If this is what is happening, then it is totally bogus.
> 
> I have nothing against subpartitioning.  Linux doesn't do it, but many
> respectable operating systems do, like FreeBSD, NetBSD, and Solaris,
> although Solaris, practically speaking, is usually installed so as to
> use ZFS rather than UFS, so the entire concept of subpartitioning is
> obsolete.
> 
> (Parenthetically, when is OpenBSD going to support ZFS, and join the
> category of operating systems in which I can do serious work, i.e.,
> Solaris, Linux, FreeBSD, and NetBSD?  NetBSD didn't use to be in that
> category, because its implementation of ZFS was brain-damaged, but
> now it has a good implementation of ZFS, and now it is a member in
> good standing of the category of operating systems in which I can do
> serious work.  OpenBSD is not, and in that regard it resembles Haiku,
> or SkyOS, or Icaros, and that is regrettable, because OpenBSD has
> other good features that would otherwise make me want to use it for
> serious work.  But I digress.)
> 
> But my FreeBSD systems manage to do subpartitioning without trashing
> GRUB and rendering my computers unbootable.  I assume that is because
> FreeBSD doesn't overwrite disk storage that doesn't belong to it, but
> that, rather, it keeps its subpartition table in the area of disk
> where it has been told to install itself.
> 
> Now, I do not know for certain that OpenBSD overwrites parts of GRUB
> with its subpartition table.  I am only theorizing, based on strong
> circumstantial evidence.  What I do know is that every time I install
> OpenBSD, it renders my computer unbootable.  How do I get it to stop
> doing that?
> 
> Thank you in advance for any and all replies.
> 
> Jay F. Shachter
> 6424 North Whipple Street
> Chicago IL  60645-4111
> (1-773)7613784   landline
> 

Re: OT: Running SOFTRAID on PCEngine APU2 via mPCIe to M.2 convertor board for NVME 2230 or 2242

2023-05-21 Thread Rob Schmersel
On Sun, 21 May 2023 07:28:25 -0400
Daniel Ouellet  wrote:

> Hi,
> 
> Anyone ever was able to find a mPCIe to M.2 convertor board on Amazon 
> that works for using M.2 NVME 2230 or 2242 drives or even M.2 SATA 
> (NGFF) in the APU2 like this:
> 
> https://github.com/TobleMiner/M.2-NVMe-SSD-to-miniPCIe-adapter
> 
> Scroll to the end and see the picture of the drives inside the APU2.
> 
> The mSATA goes in the J12 slot as explained below (URL), but the J13
> and J14 are mPCIe slot, so it should be possible with the proper
> adapter to also have an M.2 drives in this small box.
> 
> https://github.com/pcengines/apu2-documentation/blob/master/docs/APU_mPCIe_capabilities.md
> 
> Then may be I can run softraid on my OpenBSD APU2.
> 
> I would very much appreciate it if anyone happens to know the model that 
> they use or know that is working.
> 
> Amazon have a very long list, but the description isn't too useful and 
> describe for use with USB, or wireless card and there is so many 
> different keys type, etc.
> 
> Many thanks for your time.
> 
> Daniel
> 

It is not amazon, but here you can find one on ali express:
https://www.aliexpress.com/item/1005004641053693.html



Re: URNDIS Phone Tethering

2023-04-29 Thread Rob Turner
I was reluctant to send this direct to the b...@openbsd.org distro - but would 
that be a better destination than this distro?

On Thu, Apr 27, 2023 at 12:39:11AM +0800, Rob Turner wrote:
> Good evening,
> 
> I'm new to OpenBSD and would like some help debugging this issue if possible. 
> On OpenBSD and Android 13 there is an issue with the URNDIS connection 
> dropping packets as soon as you try to do anything beyond basic pinging.  
> I've attached an email I found to b...@openbsd.org.  The issue does not occur 
> with the same phone and laptop running Alpine, or using a different phone 
> running Android 11, so it appears isolated to this specific combination.  
> Happy to provide any debug information requested as I'm keen to get mobile 
> data service.  It's a new laptop (Thinkpad Z13) whose soldered Wifi is 
> unsupported - and the only wifi dongle I could get working is only running at 
> ~8 Mbs.
> 
> Thanks in advance,
> 
> Rob 

> From openbsd-bugs  Sun Jun 06 15:37:33 2021
> From: Janne Johansson 
> Date: Sun, 06 Jun 2021 15:37:33 +
> To: openbsd-bugs
> Subject: Re: URNDIS phone tethering doesn't work AMD64 and I386 6.9 OpenBSD
> Message-Id:  gmail ! com>
> X-MARC-Message: https://marc.info/?l=openbsd-bugs=162299390130161
> 
> Sounds a lot like MTU issues.
> 
> On Sat, 5 June 2021 at 12:27, Zen Floater2 wrote:
> >
> > I can ping and do DNS lookups but can't get any TCP through this interface
> > anymore.
> > lynx, fw_update, pkg_add,,, nothing works through urndis cell
> > phone tethering anymore.
> >
> > Charlie
> 
> 
> 
> -- 
> May the most significant bit of your life be positive.



URNDIS Phone Tethering

2023-04-26 Thread Rob Turner
Good evening,

I'm new to OpenBSD and would like some help debugging this issue if possible. 
On OpenBSD and Android 13 there is an issue with the URNDIS connection dropping 
packets as soon as you try to do anything beyond basic pinging.  I've attached 
an email I found to b...@openbsd.org.  The issue does not occur with the same 
phone and laptop running Alpine, or using a different phone running Android 11, 
so it appears isolated to this specific combination.  Happy to provide any 
debug information requested as I'm keen to get mobile data service.  It's a new 
laptop (Thinkpad Z13) whose soldered Wifi is unsupported - and the only wifi 
dongle I could get working is only running at ~8 Mbs.

Thanks in advance,

Rob 
>From openbsd-bugs  Sun Jun 06 15:37:33 2021
From: Janne Johansson 
Date: Sun, 06 Jun 2021 15:37:33 +
To: openbsd-bugs
Subject: Re: URNDIS phone tethering doesn't work AMD64 and I386 6.9 OpenBSD
Message-Id: 
X-MARC-Message: https://marc.info/?l=openbsd-bugs=162299390130161

Sounds a lot like MTU issues.

On Sat, 5 June 2021 at 12:27, Zen Floater2 wrote:
>
> I can ping and do DNS lookups but can't get any TCP through this interface
> anymore.
> lynx, fw_update, pkg_add,,, nothing works through urndis cell
> phone tethering anymore.
>
> Charlie



-- 
May the most significant bit of your life be positive.


Re: Change (spoof) MAC address

2023-01-03 Thread Rob Schmersel
On Tue, 03 Jan 2023 07:40:21 +0100
"Bodie"  wrote:

> On Mon Jan 2, 2023 at 8:53 PM CET, Rob Schmersel wrote:
> > On Mon, 2 Jan 2023 13:44:30 +0100
> > Tomaž Kokolj  wrote:
> >  
> > > Hi everyone,
> > > 
> > > I've requested a static IP from my ISP a long time ago and I
> > > figured out that my ISP binds my IP based on a MAC address which
> > > is connected to my WAN port.
> > > 
> > > I was thinking about switching from Debian Linux to OpenBSD on my
> > > router, but I can't figure out how to change my MAC address.
> > > 
> > > I've tried the following configurations for my
> > > /etc/hostname.em0 (I'm testing this in VirtualBox):
> > > #
> > > inet autoconf lladdr 00:11:22:33:44:55
> > > #
> > > 
> > > #
> > > lladdr 00:11:22:33:44:55
> > > inet autoconf
> > > #
> > > 
> > > #
> > > inet autoconf
> > > lladdr 00:11:22:33:44:55
> > > #
> > > In all of those configurations, my lladdr gets changed to
> > > 00:11:22:33:44:55 but the inet line is missing from ifconfig which
> > > means that my network isn't working.
> > > 
> > > I have found this old (2012) blog post:
> > > https://andrewmemory.wordpress.com/2012/12/06/changing-mac-address-on-openbsd/
> > > 
> > > Which suggested:
> > > "Linux has /etc/network/interfaces, and OpenBSD has
> > > /etc/hostname.if. I just changed my /etc/hostname.vr1 to:
> > > 
> > > dhcp lladdr 00:11:22:33:44:55
> > > 
> > > and I was requesting an IP address using my new MAC address"
> > > 
> > > If I do that my inet line is present and my network/internet is
> > > working, but my lladdr line isn't changed.
> > > 
> > > Any suggestions?
> > > 
> > > Best regards,
> > > Tomaz  
> >
> > My ISPs (one at the house, one at my son's apartment) have the same
> > setup and I'm using this in /etc/hostname.em0  
> > > lladdr 00:11:22:33:44:55
> > > inet autoconf  
> >
> > This will give the correct IP address in both cases.
> >
> > Good luck  
> 
> Which is interesting that it works as man page talks about this
> format:
> 
> IPv4 dynamic addressing via DHCP is requested using "inet autoconf"
> inet autoconf [ifconfig_options]
> 

The ISP has not really set a static ip, but uses dhcp server to set a
fixed IP address based on your MAC address. You can configure such in
dhcpd.conf with something like the following:

subnet 192.168.1.0 netmask 255.255.255.0 {
	option routers 192.168.1.1;
	range 192.168.1.24 192.168.1.200;
	# Network
	# example host ("examplehost" is a placeholder name)
	host examplehost {
		fixed-address 192.168.1.250;
		hardware ethernet 00:11:22:33:44:55;
	}
}


 



Re: Change (spoof) MAC address

2023-01-02 Thread Rob Schmersel
On Mon, 2 Jan 2023 13:44:30 +0100
Tomaž Kokolj  wrote:

> Hi everyone,
> 
> I've requested a static IP from my ISP a long time ago and I figured
> out that my ISP binds my IP based on a MAC address which is connected
> to my WAN port.
> 
> I was thinking about switching from Debian Linux to OpenBSD on my
> router, but I can't figure out how to change my MAC address.
> 
> I've tried the following configurations for my /etc/hostname.em0
> (I'm testing this in VirtualBox):
> #
> inet autoconf lladdr 00:11:22:33:44:55
> #
> 
> #
> lladdr 00:11:22:33:44:55
> inet autoconf
> #
> 
> #
> inet autoconf
> lladdr 00:11:22:33:44:55
> #
> In all of those configurations, my lladdr gets changed to
> 00:11:22:33:44:55 but the inet line is missing from ifconfig which
> means that my network isn't working.
> 
> I have found this old (2012) blog post:
> https://andrewmemory.wordpress.com/2012/12/06/changing-mac-address-on-openbsd/
> 
> Which suggested:
> "Linux has /etc/network/interfaces, and OpenBSD has /etc/hostname.if.
> I just changed my /etc/hostname.vr1 to:
> 
> dhcp lladdr 00:11:22:33:44:55
> 
> and I was requesting an IP address using my new MAC address"
> 
> If I do that my inet line is present and my network/internet is
> working, but my lladdr line isn't changed.
> 
> Any suggestions?
> 
> Best regards,
> Tomaz

My ISPs (one at the house, one at my son's apartment) have the same
setup and I'm using this in /etc/hostname.em0
> lladdr 00:11:22:33:44:55
> inet autoconf

This will give the correct IP address in both cases.

Good luck



Possible typo in fw_update

2022-12-11 Thread Rob Whitlock
On line 408, fw_update has the expression ${LOCALSRC:#file:}. The parameter
substitution ${name:#word} is not documented in the manual page for ksh yet
its behavior seems to be equivalent to ${LOCALSRC#file:}. Assuming this is
a typo, a patch is provided to remove the colon. If it is not a typo, could
someone explain what this syntax does?

If this was a typo, however, and this parameter substitution is not
officially supported, why did ksh not complain?

Rob

diff --git usr.sbin/fw_update/fw_update.sh usr.sbin/fw_update/fw_update.sh
index 4b77d4c7bd7..dbc80257228 100644
--- usr.sbin/fw_update/fw_update.sh
+++ usr.sbin/fw_update/fw_update.sh
@@ -405,7 +405,7 @@ if [ "$LOCALSRC" ]; then
FWURL="${LOCALSRC}"
LOCALSRC=
else
-   LOCALSRC="${LOCALSRC:#file:}"
+   LOCALSRC="${LOCALSRC#file:}"
! [ -d "$LOCALSRC" ] &&
echo "The path must be a URL or an existing directory"
>&2 &&
exit 1
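
Review bot: the context around the changed line is whitespace-damaged, so this hunk will not apply as posted: the `echo "The path must be a URL or an existing directory"` line is split with `>&2 &&` on a line of its own, and the context lines carry no leading indentation. Resend the diff unwrapped or as an attachment. On the change itself, `${LOCALSRC#file:}` is the documented prefix-removal form, so the commit message should say that only the undocumented `:#` spelling is being dropped and that the result for a `file:` prefix is expected to stay the same.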


xset doesn't work in Xsetup_0

2022-08-25 Thread Rob Whitlock
At xenodm's login screen pressing the Fn key makes a beep. I put the lines

${exec_prefix}/bin/xset b off > /xset.stdout 2> /xset.stderr
echo "Error code: $?" > xset.ret

at the end of /etc/X11/xenodm/Xsetup_0 yet the Fn key still makes a beep.
There is no output from either stdin or stdout and it returns 0. How can I
disable the beep? xset works correctly in ~/.xsession.

Thanks

Robert


Re: White noise with audio over headphones

2022-06-16 Thread Rob Whitlock
On Wed, Jun 15, 2022 at 11:27 PM Alexandre Ratchov  wrote:

> On Wed, Jun 15, 2022 at 02:59:40PM -0500, Rob Whitlock wrote:
> > I have a Lenovo T450 that plays audio over the speakers and headphones
> but
> > when the headphones are used there is some white noise playing all the
> time
> > as well as the audio. This white noise is not there with Windows 10 or
> > Linux. OpenBSD recognizes the audio codec as a Realtek ALC292 but Linux
> and
> > the spec sheet for my laptop say it's a Realtek ALC3232. I suspect this
> > might be causing the error but I'm not sure how to fix it. There was no
> > mention of an ALC3232 in /usr/src/sys/dev/pci/azalia_codec.c while there
> > was for ALC292.
> >
>
> Hi,
>
> Could you try:
>
> mixerctl inputs.mix2_source=dac-0:1
>
> and check if noise level changes?
>

That did the trick. Thanks! What made you think of this suggestion?


White noise with audio over headphones

2022-06-15 Thread Rob Whitlock
I have a Lenovo T450 that plays audio over the speakers and headphones but
when the headphones are used there is some white noise playing all the time
as well as the audio. This white noise is not there with Windows 10 or
Linux. OpenBSD recognizes the audio codec as a Realtek ALC292 but Linux and
the spec sheet for my laptop say it's a Realtek ALC3232. I suspect this
might be causing the error but I'm not sure how to fix it. There was no
mention of an ALC3232 in /usr/src/sys/dev/pci/azalia_codec.c while there
was for ALC292.

I am running a snapshot that is a few days old.

Here is the output of mixerctl -av when the headphones are plugged in:

inputs.dac-0:1=126,126
inputs.dac-2:3=126,126
record.adc-2:3_mute=off  [ off on ]
record.adc-2:3=124,124
record.adc-0:1_mute=off  [ off on ]
record.adc-0:1=124,124
inputs.mix_source=spkr3,mic2,beep  { spkr3 mic2 beep }
inputs.mix_spkr3=120,120
inputs.mix_mic2=120,120
inputs.mix_beep=120,120
inputs.mix2_source=dac-0:1,mix  { dac-0:1 mix }
inputs.mix3_source=dac-2:3,mix  { dac-2:3 mix }
inputs.mix4_source=dac-0:1,dac-2:3  { dac-0:1 dac-2:3 }
inputs.mic=85,85
outputs.spkr_source=mix3  [ mix2 mix3 ]
outputs.spkr_mute=on  [ off on ]
outputs.spkr_eapd=on  [ off on ]
outputs.hp_source=mix2  [ mix2 mix3 ]
outputs.hp_mute=off  [ off on ]
outputs.hp_boost=off  [ off on ]
outputs.hp_eapd=on  [ off on ]
outputs.spkr2_source=mix2  [ mix2 mix3 ]
outputs.spkr2_mute=off  [ off on ]
outputs.spkr2_boost=off  [ off on ]
outputs.spkr2_eapd=on  [ off on ]
inputs.spkr3=85,85
inputs.mic2=85,85
outputs.mic2_dir=input-vr80  [ none input input-vr0 input-vr50 input-vr80
input-vr100 ]
record.adc-0:1_source=mic  [ spkr3 mic2 beep mix mic ]
record.adc-2:3_source=spkr3  [ spkr3 mic2 beep mix ]
outputs.hp_sense=plugged  [ unplugged plugged ]
outputs.mic2_sense=plugged  [ unplugged plugged ]
outputs.spkr_muters=hp  { hp }
outputs.master=126,126
outputs.master.mute=off  [ off on ]
outputs.master.slaves=dac-0:1,dac-2:3,spkr,hp,spkr2  { dac-0:1 dac-2:3 spkr
hp spkr2 }
record.volume=124,124
record.volume.mute=off  [ off on ]
record.volume.slaves=adc-2:3,adc-0:1  { adc-2:3 adc-0:1 mic spkr3 mic2 }
record.enable=sysctl  [ off on sysctl ]

Here is the dmesg:


Re: documentation

2022-05-24 Thread Rob Schmersel
On Tue, 24 May 2022 12:36:50 -0300
Gustavo Rios  wrote:

> Hi folks,
> 
> I would like to download a pdf version of the faq and pf guide for
> openbsd 7.1. May some one here point me where i could fetch the pdf
> documentation from ?
> 
> Thanks a lot.
> 

You might try wkhtmltopdf



Re: Can't attach gdb to cwm

2022-03-10 Thread Rob Whitlock
On Thu, Mar 10, 2022 at 1:01 PM Rob Whitlock  wrote:

> On Wed, Mar 9, 2022 at 11:20 PM Philip Guenther 
> wrote:
>
>> On Wed, Mar 9, 2022 at 8:28 AM Rob Whitlock 
>> wrote:
>>
>>> I'm trying to attach gdb to an already running cwm but I get the
>>> following
>>> error:
>>>
>>> ptrace: Invalid argument.
>>>
>>> Why am I getting this error? Also, I have already set
>>> kern.global_ptrace=1,
>>> and both cwm and gdb are being run by the same user. This problem occurs
>>> both with the gdb in base and the gdb/egdb in ports.
>>>
>>
>> Let me guess: the cwm process is an ancestor of the shell where you're
>> invoking gdb.  We don't permit that as the reparenting done by ptrace()
>> would create a loop in the process tree, which breaks assumptions by both
>> kernel and userspace programs.  If that's the case, run gdb from an ssh
>> session or something like that.
>>
>> Hmm, I guess I never updated the ptrace(2) manpage to mention that...
>>
>> Philip Guenther
>>
>
> Thanks, that fixed the problem. I decided to go about breaking the loop in
> the process tree in a slightly different (maybe some would say quick and
> dirty) way, which I'll describe here in case someone else has this problem.
> If you start an xterm from your ~/.xsession (or whatever startup script
> you're using) and do *not* exec your window manager, then that xterm will
> not be a child of your window manager. If you then try to attach gdb to
> your window manager, you won't get the error. In order to not have to
> restart your X session in case you close that special xterm, you can put
> the command to run xterm in a loop.
>
> while true; do xterm; done &
> cwm # not "exec cwm"
>
> Robert
>

It seems this was more "quick and dirty" than I realized, as the
backgrounded loop doesn't exit when X does, so it's probably better to just
ignore this way of doing it and use ssh like Philip Guenther said.

Robert
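
The ancestor condition Philip Guenther describes in the quoted reply can be checked before attaching. The script below is an added example, not part of the original thread: it walks the parent chain of the current shell and reports whether a target PID is one of its ancestors. The function names ppid_of, is_ancestor and attach_advice are made up for this example.

```shell
#!/bin/sh
# Added example: detect the "target is an ancestor of the debugger's shell"
# situation that the thread says makes ptrace attach fail with EINVAL.

# Print the parent PID of process $1 (prints nothing if it does not exist).
ppid_of() {
    if [ -r "/proc/$1/status" ]; then
        # Linux exposes the parent PID in /proc; OpenBSD has no /proc.
        sed -n 's/^PPid:[[:space:]]*//p' "/proc/$1/status"
    else
        # OpenBSD and other systems: ask ps(1) for the ppid column only.
        ps -o ppid= -p "$1" 2>/dev/null | tr -d ' '
    fi
}

# is_ancestor TARGET [START]
# Succeeds if TARGET appears in the parent chain of START.
# START defaults to this shell, i.e. the shell gdb would be run from.
is_ancestor() {
    target=$1
    pid=${2:-$$}
    hops=0
    # Stop at PID 1 (or 0), on a vanished process, or after 64 hops.
    while [ -n "$pid" ] && [ "$pid" -gt 1 ] && [ "$hops" -lt 64 ]; do
        pid=$(ppid_of "$pid")
        if [ "$pid" = "$target" ]; then
            return 0
        fi
        hops=$((hops + 1))
    done
    return 1
}

# attach_advice TARGET
# Prints "ancestor" when attaching from this shell would hit the rule
# described in the thread, "not-ancestor" otherwise.
attach_advice() {
    if is_ancestor "$1"; then
        echo "ancestor"
    else
        echo "not-ancestor"
    fi
}

# Stand-alone use: sh thisfile.sh PID
if [ "$#" -gt 0 ]; then
    attach_advice "$1"
fi
```

Run from an xterm started by cwm, `attach_advice "$(pgrep -x cwm)"` would print "ancestor"; from an ssh session it would print "not-ancestor".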


Re: Can't attach gdb to cwm

2022-03-10 Thread Rob Whitlock
On Wed, Mar 9, 2022 at 11:20 PM Philip Guenther  wrote:

> On Wed, Mar 9, 2022 at 8:28 AM Rob Whitlock  wrote:
>
>> I'm trying to attach gdb to an already running cwm but I get the following
>> error:
>>
>> ptrace: Invalid argument.
>>
>> Why am I getting this error? Also, I have already set
>> kern.global_ptrace=1,
>> and both cwm and gdb are being run by the same user. This problem occurs
>> both with the gdb in base and the gdb/egdb in ports.
>>
>
> Let me guess: the cwm process is an ancestor of the shell where you're
> invoking gdb.  We don't permit that as the reparenting done by ptrace()
> would create a loop in the process tree, which breaks assumptions by both
> kernel and userspace programs.  If that's the case, run gdb from an ssh
> session or something like that.
>
> Hmm, I guess I never updated the ptrace(2) manpage to mention that...
>
> Philip Guenther
>

Thanks, that fixed the problem. I decided to go about breaking the loop in
the process tree in a slightly different (maybe some would say quick and
dirty) way, which I'll describe here in case someone else has this problem.
If you start an xterm from your ~/.xsession (or whatever startup script
you're using) and do *not* exec your window manager, then that xterm will
not be a child of your window manager. If you then try to attach gdb to
your window manager, you won't get the error. In order to not have to
restart your X session in case you close that special xterm, you can put
the command to run xterm in a loop.

while true; do xterm; done &
cwm # not "exec cwm"

Robert


Can't attach gdb to cwm

2022-03-09 Thread Rob Whitlock
I'm trying to attach gdb to an already running cwm but I get the following
error:

ptrace: Invalid argument.

Why am I getting this error? Also, I have already set kern.global_ptrace=1,
and both cwm and gdb are being run by the same user. This problem occurs
both with the gdb in base and the gdb/egdb in ports.


Error on xenocara.tar.gz extraction

2022-01-13 Thread Rob Whitlock
Attempting to extract xenocara.tar.gz while avoiding root privileges as
described here https://www.openbsd.org/faq/faq5.html#wsrc, I ran into an
error, shown below:

0 thinkpad$ pwd
/usr/xenocara
0 thinkpad$ ls -a
.  ..
0 thinkpad$ tar xzf /home/rob/openbsd_files/7.0/xenocara.tar.gz
tar: Access/modification time set failed on: .: Operation not permitted
1 thinkpad$ ls -a
.           3RDPARTY    Makefile    data        doc         font        share
..          CVS         README      dist        driver      lib         util
.gitignore  MODULES     app         distrib     etc         proto       xserver
0 thinkpad$ cd ..
0 thinkpad$ ls -ld xenocara
drwxrwxr-x  16 root  wsrc  512 Jan 12 21:43 xenocara
0 thinkpad$ id
uid=1001(rob) gid=1001 groups=1001, 0(wheel), 9(wsrc)
0 thinkpad$

Running ktrace on tar shows that tar is trying to set the mtime of ., which
corresponds to /usr/xenocara, with the function futimens, which fails.
According to the man page for futimens, if the times argument is non-NULL,
which is the case here, then the caller must be the owner of the file or
the superuser. For an unprivileged user, this is not the case, as, although
/usr/xenocara has group wsrc, it has owner root.

Running tar tzf xenocara.tar.gz shows an entry for . which seems to be
causing this problem. If you instead run tar xzf xenocara.tar.gz -s
'/^\.$//' to omit only the . entry when extracting, there is no more error.
There is a side effect to adding this -s option, which is that
/usr/xenocara's mtime gets updated to the time the tarball extraction took
place, as opposed to the time that was recorded for . in the tarball. I
don't know whether updating /usr/xenocara to the mtime that was recorded in
the tarball was intentional behavior or not.

If updating the mtime of /usr/xenocara was not intentional behavior, it
would seem to me that the fix for this problem would be to not include the
. directory when making the tarball xenocara.tar.gz. I was unable to locate
any code that was responsible for creating xenocara.tar.gz so I have not
included a diff. If anybody could tell me where that code is then that
would be appreciated.

As another issue, extracting ports.tar.gz as a non-privileged user in /usr,
as described in the document whose address is given above, results in
failure due to lack of permission, as a normal user does not have access to
create the /usr/ports directory.

I am running a snapshot of OpenBSD 7.0 that is only a few days old.


Re: What password manager do you recommend?

2022-01-09 Thread Rob Schmersel
On Fri, 7 Jan 2022 14:53:33 -0500
fo...@dnmx.org wrote:

> Hello. I hope these types of questions are okay for a mailing
> list.. I completely understand if they are not..
> 
> There's password-store, but it does need some shitty dependencies..
> Then there's opm, but since it doesn't seem to be popular
> fuck-knows-who if it's secure(ish)..
> 
> If I were to use password-store, I'd have dmenu pipe in the query,
> then just pipe the password to `xclip -i -selection clipboard` which
> is a decent setup I guess..
> 

I use bitwarden, plays nice with all devices used in my family (bought
the premium service for backup, but you can run that yourself)



Re: Disk partition not recognized

2021-12-27 Thread Rob Whitlock
On Mon, Dec 27, 2021 at 7:28 PM Rob Whitlock  wrote:

> Thanks for the work tracking down the problems. I reformatted the hard
> drive to see if that would do anything and then I installed OpenBSD 7.0
> like you suggested and it started working. I used Disk Utility in MacOS
> 10.15.7 Catalina, and when I reformatted it I got some errors from Disk
> Utility. My guess is that Disk Utility is doing something incorrectly.
>

Correction: I reformatted it with diskutil, but I have since reformatted it
with Disk Utility and it shows up in OpenBSD 7.0 as well.


Re: Disk partition not recognized

2021-12-27 Thread Rob Whitlock
On Sat, Dec 25, 2021 at 8:46 AM Crystal Kolipe 
wrote:

> OK, the issue lies with the four byte checksum at offset 0x58 in sector 1.
>
> Testing on OpenBSD 7.0 release and using your GPT:
>
> The kernel enters spoofgptlabel and reads sector 1.
>
> When we call gpt_chk_parts, the calculated checksum comes to 0x0BE89E52,
> whereas the on-disk checksum is 0x3F7A886C, as you can see in the hexdumps.
>
> Note that the on-disk checksum is stored in little-endian format.
>
> As a result, gpt_chk_parts returns EINVAL.  When control returns to
> spoofgptlabel, it doesn't read the partitions contained within, and goes on
> to try to read the second GPT at sector dsize-1, which in your case is
> sector 9767541167.
>
> That's the reason why you don't see the non-OpenBSD partitions in your,
> (spoofed), disklabel, the on-disk checksum of the partition entries does
> not match the calculated checksum, so the kernel considers the GPT to be
> invalid.
>
> If you want to test removing the call to gpt_chk_parts, thereby forcing
> the kernel to parse whatever it finds and ignoring any checksum errors, the
> attached diffs should allow you to do that.  As you said that you were
> still running OpenBSD 6.9, I've produced a diff against that too, including
> the change in line 609 that I mentioned earlier, but it's untested.  There
> were other changes to this code between 6.9 and 7.0 that I have not really
> looked at.
>
> On OpenBSD 7.0, with the diff applied, I am able to parse the GPT that you
> supplied.
>
> I doubt that a kernel option to disable the checksum verification would be
> appropriate or welcome, but I don't know how common the problem is.
>

Thanks for the work tracking down the problems. I reformatted the hard
drive to see if that would do anything and then I installed OpenBSD 7.0
like you suggested and it started working. I used Disk Utility in MacOS
10.15.7 Catalina, and when I reformatted it I got some errors from Disk
Utility. My guess is that Disk Utility is doing something incorrectly.
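
The checksum comparison described in the quoted analysis above, as an added example that is not part of the original thread and is not OpenBSD's code: it verifies the two CRC32 fields of a GPT header as laid out in the UEFI specification (header CRC at offset 0x10, partition entry array CRC at offset 0x58, both little-endian) against a constructed in-memory image. The function names, the sample GUID bytes and the LBAs are assumptions made for the illustration.

```python
import struct
import zlib

SECTOR = 512
# UEFI GPT header: 92 bytes, every integer stored little-endian.
HDR_FMT = "<8sIIIIQQQQ16sQIII"
HDR_SIZE = struct.calcsize(HDR_FMT)   # 92 == 0x5c
HDR_CRC_OFF = 0x10                    # CRC32 of the header itself
PART_CRC_OFF = 0x58                   # CRC32 of the partition entry array


def le32(raw):
    """Decode four on-disk bytes as a little-endian 32-bit value."""
    return struct.unpack("<I", raw)[0]


def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def check_gpt(header_sector, entry_bytes):
    """Return a list of problems; an empty list means both checksums match."""
    if len(header_sector) < HDR_SIZE:
        return ["short header sector"]
    f = struct.unpack_from(HDR_FMT, header_sector, 0)
    signature, header_size, stored_hdr_crc = f[0], f[2], f[3]
    num_entries, entry_size, stored_part_crc = f[11], f[12], f[13]
    if signature != b"EFI PART":
        return ["bad signature"]
    # Sizes come from the disk, so bound them before slicing with them.
    if not HDR_SIZE <= header_size <= len(header_sector):
        return ["implausible header size %d" % header_size]
    problems = []
    # The header CRC covers header_size bytes with its own field zeroed.
    raw = bytearray(header_sector[:header_size])
    raw[HDR_CRC_OFF:HDR_CRC_OFF + 4] = b"\0\0\0\0"
    calc = crc32(bytes(raw))
    if calc != stored_hdr_crc:
        problems.append("header CRC: on-disk 0x%08X, calculated 0x%08X"
                        % (stored_hdr_crc, calc))
    need = num_entries * entry_size
    if need > len(entry_bytes):
        problems.append("partition entry array truncated")
        return problems
    # This is the comparison the thread describes failing for the entries.
    calc = crc32(entry_bytes[:need])
    if calc != stored_part_crc:
        problems.append("partition entries CRC: on-disk 0x%08X, calculated 0x%08X"
                        % (stored_part_crc, calc))
    return problems


def build_constructed_gpt():
    """Build a constructed header sector and a 128 x 128-byte entry array."""
    entries = bytearray(128 * 128)
    # One constructed entry: type GUID, unique GUID, first/last LBA, attrs, name.
    struct.pack_into("<16s16sQQQ72s", entries, 0,
                     bytes(range(16)), bytes(range(16, 32)),
                     40, 409639, 0,
                     "EFI System Partition".encode("utf-16-le"))
    hdr = bytearray(SECTOR)
    struct.pack_into(HDR_FMT, hdr, 0,
                     b"EFI PART", 0x00010000, HDR_SIZE, 0, 0,
                     1, 9999, 34, 9966, bytes(16),
                     2, 128, 128, crc32(bytes(entries)))
    # Header CRC is computed last, over the header with the field still zero.
    struct.pack_into("<I", hdr, HDR_CRC_OFF, crc32(bytes(hdr[:HDR_SIZE])))
    return bytes(hdr), bytes(entries)


def demo():
    """Check a consistent image, then one whose entries changed afterwards."""
    hdr, entries = build_constructed_gpt()
    clean = check_gpt(hdr, entries)
    # Constructed damage: an entry byte rewritten without updating the header.
    damaged = bytearray(entries)
    damaged[32] ^= 0xFF
    stale = check_gpt(hdr, bytes(damaged))
    return clean, stale


if __name__ == "__main__":
    clean, stale = demo()
    print("consistent image:", clean or "ok")
    print("modified entries:", stale)
    # The four bytes at 0x58 in the dump posted in this thread.
    print("0x%08X" % le32(bytes.fromhex("6c887a3f")))
```

Run against real sectors by passing LBA 1 as `header_sector` and the bytes starting at the header's partition entry LBA as `entry_bytes`; nothing is written to the disk.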


Re: Disk partition not recognized

2021-12-23 Thread Rob Whitlock
On Thu, Dec 23, 2021 at 3:24 PM Crystal Kolipe 
wrote:

> Again, there is nothing there that would stop it working.
>
> You have an MBR partition of type EE starting on sector 1, which is what is
> checked for in gpt_chk_mbr, so unless I'm overlooking something it's
> probably choking in gpt_chk_hdr due to something unexpected in the GPT
> header, (LBA block 1).
>

Here is LBA block 1:

0200: 4546 4920 5041 5254  0100 5c00   EFI PART\...
0210: 34b3 c118   0100     4...
0220: aed9 3046 0200  2200     ..0F"...
0230: 8dd9 3046 0200  69b0 0a57 6918 ed44  ..0Fi..Wi..D
0240: 911b a568 af12 75ff 0200     ...h..u.
0250: 8000  8000  6c88 7a3f    l.z?


Re: Disk partition not recognized

2021-12-23 Thread Rob Whitlock
On Thu, Dec 23, 2021 at 2:14 PM Crystal Kolipe 
wrote:

> On Thu, Dec 23, 2021 at 01:15:52PM -0500, Rob Whitlock wrote:
> > On Thu, Dec 23, 2021 at 12:22 PM Crystal Kolipe
> > <kolip...@exoticsilicon.com> wrote:
> >
> > > If the spoofed label does not include your non-OpenBSD partitions,
> > > then for some reason the kernel is not parsing the data from the GPT,
> > > and we will presumably need a hexdump of the GPT to see why.
> > >
> >
> > Here is the GPT (the third sector on the disk):
>
> There is nothing unusual about these GPT entries.  Every field apart from
> the partition serial numbers is identical to what would be written by
> creating the layout you described in your first email using OpenBSD fdisk.
>
> When I create this exact layout, the spoofed disklabel includes the
> non-OpenBSD partitions.
>
> I suspect that your MBR is trashed.  Can you send a dump of the first
> sector, LBA 0?
>
>

Sure, here it is.

01b0:        00fe  
01c0:  eefe  0100  feff    
01d0:          
01e0:          
01f0:        55aa  ..U.


Re: Disk partition not recognized

2021-12-23 Thread Rob Whitlock
On Thu, Dec 23, 2021 at 12:22 PM Crystal Kolipe 
wrote:

> If the spoofed label does not include your non-OpenBSD partitions, then for
> some reason the kernel is not parsing the data from the GPT, and we will
> presumably need a hexdump of the GPT to see why.
>

Here is the GPT (the third sector on the disk):

0400: 2873 2ac1 1ff8 d211 ba4b 00a0 c93e c93b  (s*..K...>.;
0410: 864c bda4 7d17 024e a9f9 afc5 1ade 8d87  .L..}..N
0420: 2800    2740 0600    (...'@..
0430:     4500 4600 4900 2000  E.F.I. .
0440: 5300 7900 7300 7400 6500 6d00 2000 5000  S.y.s.t.e.m. .P.
0450: 6100 7200 7400 6900 7400 6900 6f00 6e00  a.r.t.i.t.i.o.n.
0460:          
0470:          
0480: a2a0 d0eb e5b9 3344 87c0 68b6 b726 99c7  ..3D..h..&..
0490: e5c7 5771 8f97 434a 96af fa66 4871 0488  ..Wq..CJ...fHq..
04a0: 0048 0600   ffd7 3046 0200   .H0F


Re: Disk partition not recognized

2021-12-23 Thread Rob Whitlock
On Thu, Dec 23, 2021 at 1:15 AM Theo de Raadt  wrote:
>
> Crystal Kolipe  wrote:
>
> > On Tue, Dec 21, 2021 at 06:04:28PM -0500, Rob Whitlock wrote:
> > > A problem seems to be that there is no disklabel entry for the ExFAT
> > > partition.
> >
> > You probably wrote a BSD disklabel to the disk before creating the
> > ExFAT partition.
> >
> > If there is no on-disk disklabel, the kernel will create one in memory
> > based on information from other partitioning schemes, (MBR, GPT).  So in
> > this case, as you change those MBR or GPT partitions, those changes will be
> > reflected in the disklabel that the kernel sees.
> >
> > Once you actually write a disklabel to the disk, that on-disk disklabel
> > is then used in place of calculating one each time the disk is attached,
> > and the automatic parsing of MBR and GPT partition information stops.
> >
> > To solve your problem, you need to add the details of the ExFAT
> > partition to the BSD disklabel.  You can either do that manually with the
> > disklabel command, or since you do not have any OpenBSD partitions on the
> > disk, you could overwrite the on-disk disklabel, allow the kernel to
> > generate one automatically with the correct information, then optionally
> > force it to be written to the disk by running disklabel and entering 'w' at
> > the interactive prompt.
>
> This can be investigated with
>
>  disklabel -d
>
> (BTW, when the disklabel is constructed from other information on the
> disk, we call it a "spoofed label")

I would like to avoid modifying the data on the disk. Is there a way to use
disklabel to update the in-core copy of the disklabel with a spoofed label,
without also writing it to disk? I see in the disklabel(5) manual page that
the DIOCSDINFO ioctl updates the in-core copy, so it seems it should be
technically possible, but I don't see how to do it with the disklabel(8)
program. My understanding of disklabel -d is that it gives you a default
disklabel to start with, but does not affect how or where the disklabel is
written.


Re: Disk partition not recognized

2021-12-22 Thread Rob Whitlock
On Wed, Dec 22, 2021 at 5:23 AM Crystal Kolipe 
wrote:

> On Tue, Dec 21, 2021 at 06:04:28PM -0500, Rob Whitlock wrote:
> > A problem seems to be that there is no disklabel entry for the ExFAT
> > partition.
>
> You probably wrote a BSD disklabel to the disk before creating the ExFAT
> partition.
>

I formatted the disk on a MacOS system, so I'm pretty sure there is no
disklabel on the disk.


> If there is no on-disk disklabel, the kernel will create one in memory
> based on information from other partitioning schemes, (MBR, GPT).  So in
> this case, as you change those MBR or GPT partitions, those changes will be
> reflected in the disklabel that the kernel sees.
>
> Once you actually write a disklabel to the disk, that on-disk disklabel is
> then used in place of calculating one each time the disk is attached, and
> the automatic parsing of MBR and GPT partition information stops.
>
> To solve your problem, you need to add the details of the ExFAT partition
> to the BSD disklabel.  You can either do that manually with the disklabel
> command, or since you do not have any OpenBSD partitions on the disk, you
> could overwrite the on-disk disklabel, allow the kernel to generate one
> automatically with the correct information, then optionally force it to be
> written to the disk by running disklabel and entering 'w' at the
> interactive prompt.
>

I would like to not modify the on-disk contents. Is there a way to get
OpenBSD to recognize the partition without writing things to the disk?


Disk partition not recognized

2021-12-21 Thread Rob Whitlock
I have two disks, one an MBR partitioned 1TB external SSD, and the other a
GPT partitioned 5TB external HDD. Both have a single ExFAT partition on
them and both have the same contents. Both show up as sd1 under "sysctl
hw.disknames" (when plugged in one at a time, that is). I am able to mount
the MBR partitioned SSD with the command

mount.exfat-fuse /dev/sd1i /mnt

however when I try the same command with the GPT partitioned HDD I get the
error

FUSE exfat 1.2.8
ERROR: failed to open '/dev/sd1i': Device not configured.

I checked that the /dev/sd1i block device exists. I am running OpenBSD 6.9.
Here's the output of disklabel sd1

# /dev/rsd1c:
type: SCSI
disk: SCSI disk
label: Expansion Desk
duid: 
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 608001
total sectors: 9767541167
boundstart: 0
boundend: 9767541167
drivedata: 0

16 partitions:
#                size           offset  fstype [fsize bsize   cpg]
  c:       9767541167                0  unused


Here's the output of fdisk -v sd1
Primary GPT:
Disk: sd1   Usable LBA: 34 to 9767541133 [9767541167 Sectors]
GUID: 570ab069-1869-44ed-911b-a568af1275ff
   #: type [   start: size ]
  guid name

   0: EFI Sys  [  40:   409600 ]
  a4bd4c86-177d-4e02-a9f9-afc51ade8d87 EFI System Partition

   1: FAT12[  411648:   9767129088 ]
  7157c7e5-978f-4a43-96af-fa6648710488


Secondary GPT:
Disk: sd1   Usable LBA: 34 to 9767541133 [9767541167 Sectors]
GUID: 570ab069-1869-44ed-911b-a568af1275ff
   #: type [   start: size ]
  guid name

   0: EFI Sys  [  40:   409600 ]
  a4bd4c86-177d-4e02-a9f9-afc51ade8d87 EFI System Partition

   1: FAT12[  411648:   9767129088 ]
  7157c7e5-978f-4a43-96af-fa6648710488


MBR:
Disk: sd1 geometry: 267349/255/63 [4294961685 Sectors]
Offset: 0 Signature: 0xAA55
Starting Ending LBA Info:
 #: id  C   H   S -  C   H   S [   start:size ]
---
 0: EE  0   0   2 - 267349  89   3 [   1:  4294967294 ] EFI GPT

 1: 00  0   0   0 -  0   0   0 [   0:   0 ] unused

 2: 00  0   0   0 -  0   0   0 [   0:   0 ] unused

 3: 00  0   0   0 -  0   0   0 [   0:   0 ] unused


A problem seems to be that there is no disklabel entry for the ExFAT
partition. Additionally, xxd successfully reads the first few sectors of
/dev/sd1c so I don't think the hardware is the issue.

How can I mount the HDD ExFAT partition?

Thanks!

Rob


Re: miniroot.img boot-looping on rpi-4b

2021-05-09 Thread Rob Whitlock
Nothing is connected to the Pi except the USB-C for power, the SD
card, and the 3 serial wires.

On 5/9/21, Justin Yang  wrote:
> Do you have any USB disks connected to your pi? If so, try to remove that
> and boot again to see if it works.
>
> On Sunday, May 9, 2021, Rob Whitlock  wrote:
>
>> Hello,
>>
>> I am trying to install OpenBSD 6.9 on a Raspberry Pi 4B. I copied
>> miniroot69.img to the SD card with this command:
>>
>> dd if=miniroot69.img of=/dev/rdisk2 bs=1m
>>
>> I put it in the Pi and upon boot it fails with this error message
>> printed out through serial:
>>
>> U-Boot 2021.01 (Apr 16 2021 - 15:39:01 +1000)
>>
>> DRAM:  1.9 GiB
>> RPI 4 Model B (0xb03114)
>> MMC:   mmcnr@7e30: 1, emmc2@7e34: 0
>> Loading Environment from FAT... ** No partition table - mmc 0 **
>> In:serial
>> Out:   serial
>> Err:   serial
>> Net:   eth0: ethernet@7d58
>> PCIe BRCM: link up, 5.0 Gbps x1 (SSC)
>> starting USB...
>> Bus xhci_pci: probe failed, error -110
>> No working controllers found
>> Hit any key to stop autoboot:  0
>> switch to partitions #0, OK
>> mmc0 is current device
>> ** Bad device specification :1 bootfstype **
>> "Synchronous Abort" handler, esr 0x9604
>> elr: 0009197c lr : 000930c8 (reloc)
>> elr: 3b36d97c lr : 3b36f0c8
>> x0 : 6d63625f646e7320 x1 : 5f656c62
>> x2 : 3b3d30a0 x3 : 0001
>> x4 : 3afe9fe0 x5 : 
>> x6 : 3b3d30a0 x7 : 3b3d30b0
>> x8 : 3afea070 x9 : 0008
>> x10: 3b3d07f2 x11: 3af64780
>> x12:  x13: 0004
>> x14: 3af4be58 x15: 
>> x16: 4110 x17: 2285e5950900a046
>> x18: 3af57da0 x19: 3afe9940
>> x20: 0811 x21: 0811
>> x22:  x23: 
>> x24:  x25: 
>> x26: 0028 x27: 0003
>> x28:  x29: 3af4bac0
>>
>> Code: 2a1b03e1 97e5 2a0003f8 140d (f8777800)
>> Resetting CPU ...
>>
>> resetting ...
>>
>> Any help would be appreciated.
>>
>> Rob
>>
>>
>
> --
> Justin Yang
>



miniroot.img boot-looping on rpi-4b

2021-05-08 Thread Rob Whitlock
Hello,

I am trying to install OpenBSD 6.9 on a Raspberry Pi 4B. I copied
miniroot69.img to the SD card with this command:

dd if=miniroot69.img of=/dev/rdisk2 bs=1m

I put it in the Pi and upon boot it fails with this error message
printed out through serial:

U-Boot 2021.01 (Apr 16 2021 - 15:39:01 +1000)

DRAM:  1.9 GiB
RPI 4 Model B (0xb03114)
MMC:   mmcnr@7e30: 1, emmc2@7e34: 0
Loading Environment from FAT... ** No partition table - mmc 0 **
In:serial
Out:   serial
Err:   serial
Net:   eth0: ethernet@7d58
PCIe BRCM: link up, 5.0 Gbps x1 (SSC)
starting USB...
Bus xhci_pci: probe failed, error -110
No working controllers found
Hit any key to stop autoboot:  0
switch to partitions #0, OK
mmc0 is current device
** Bad device specification :1 bootfstype **
"Synchronous Abort" handler, esr 0x9604
elr: 0009197c lr : 000930c8 (reloc)
elr: 3b36d97c lr : 3b36f0c8
x0 : 6d63625f646e7320 x1 : 5f656c62
x2 : 3b3d30a0 x3 : 0001
x4 : 3afe9fe0 x5 : 
x6 : 3b3d30a0 x7 : 3b3d30b0
x8 : 3afea070 x9 : 0008
x10: 3b3d07f2 x11: 3af64780
x12:  x13: 0004
x14: 3af4be58 x15: 
x16: 4110 x17: 2285e5950900a046
x18: 3af57da0 x19: 3afe9940
x20: 0811 x21: 0811
x22:  x23: 
x24:  x25: 
x26: 0028 x27: 0003
x28:  x29: 3af4bac0

Code: 2a1b03e1 97e5 2a0003f8 140d (f8777800)
Resetting CPU ...

resetting ...

Any help would be appreciated.

Rob



Re: bwfm NVRAM file

2020-03-13 Thread Rob Schmersel
On Fri, 13 Mar 2020 16:41:41 +0100
Patrick Wildt  wrote:

> On Fri, Mar 13, 2020 at 12:12:18PM +0100, Rob Schmersel wrote:
> > Hello,
> > 
> > In order to use a SDIO based bwfm device a "NVRAM" configuration
> > file will be needed besides the firmware file. This configuration
> > file is expected to be in the /etc/firmware directory, in the form
> > of brcmfmac{chip}-sdio.txt OR brcmfmac{chip}-sdio.nvram
> > 
> > The need for this configuration file is not described in the man
> > page. However the device will not be usable without one and an
> > error message will be shown in the dmesg:
> >   "failed loadfirmware of file: brcmfmac{chip}-sdio.txt"
> > 
> > Can I suggest the patch attached below.
> > 
> > I'm a bit unsure on how to indicate where the configuration file
> > comes from: Under Linux it is recommended that you read the NVRAM
> > contents from EFI, which I don't think is possible to do under
> > OpenBSD
> > 
> > Hunting down the configuration file through your favorite search
> > engine can be a frustrating excercise, although you can find them
> > occasionally included in a windows driver or a linux distro.
> > 
> > Question: Are there plans to include the NVRAM files in
> > bwfm_firmware package?  
> 
> It all depends!  The NVRAM file is board-design-specific.  So, let's
> assume OpenBSD and NetBSD would each build their own machine, using
> the same chip and firmware.  The NVRAM file contains a configuration
> for the chip, so that it e.g. can limit TX/antenna gain or whatever.
> This is important for stuff like CE certification.  There are quite a
> few settings, so it's very likely that the one board's chip needs a
> different configuration than the other one's chip.
> 
> So where do we get this file?  If it's an x86-based machine, it's
> likely they stored it as EFI variable.  In OpenBSD, so far only the
> ARM ports support calling into the Runtime Services using efi(4).
> Since we don't have support for efi(4) on x86, OpenBSD cannot read
> the EFI variables.  For that you'll have to boot Linux, or some
> other OS that has that feature.  On some other x86 machines, the
> vendor might provide the file as part of a Windows firmware package.
> 
> Is it different on ARMs?  Well, yes, but not sure if worse or even
> better.  The NVRAM file can usually be found on the vendor's Github.
> 
> linux-firmware.git has started collecting and distributing some of
> the files.  So that will be a helpful source for us.  Otherwise we
> will have to collect them ourselves.
> 
> For ARM there's still one commit left so that we can supply per-
> board NVRAM files more easily.  In essence: We're working on it!
> 
> Patrick
> 

Aah I did not find linux-firmware.git during my search, most likely as
I was looking for bcm43341 nvram. That is not there :)

For reference, attached is the file I got through the windows driver for
this specific mini pc from china

BR/Rob


#AP6234_NVRAM_V1.2_20140820_WIN8.1
manfid=0x2d0
prodid=0x0653
vendid=0x14e4
devid=0x4386
boardtype=0x0653
boardrev=0x1203
boardnum=22
macaddr=00:90:4c:c5:12:38
sromrev=3
#boardflags: 
# bit 19 3tswitch:   2.4GHz FEM: SP3T switch share with BT
# bit 16 nopa:   no external pa
#keep original 0x200
boardflags=0x0090201
xtalfreq=37400
nocrc=1
ag0=255
aa2g=1
ccode=CN
pa0itssit=0x20
#PA parameters for 2.4GHz
#pa0b0=6957 default
pa0b0=6727 
pa0b1=-858
pa0b2=-178
tssifloor2g=69
# rssi params for 2.4GHz
rssismf2g=0xf
rssismc2g=0x8
rssisav2g=0x1
cckPwrOffset=3

# rssi params for 5GHz
rssismf5g=0xf
rssismc5g=0x7
#rssisav5g=0x1
rssisav5g=0x3

#PA parameters for lower a-band
#pa1lob0=5659 default
pa1lob0=5859
#pa1lob0=5659
pa1lob1=-693
pa1lob2=-178
tssifloor5gl=77

#PA parameters for midband
pa1b0=5372 
#pa1b0=5172
pa1b1=-671
pa1b2=-212
tssifloor5gm=77

#PA paramasdeters for high band
#pa1hib0=5320 default
pa1hib0=5620
#pa1hib1=-963
pa1hib1=-663
pa1hib2=-179
tssifloor5gh=74

rxpo5g=0
maxp2ga0=72
#  19.5dBm max; 18dBm target
#Per rate power back-offs for g band, in .5 dB steps. Set it once you have the right numbers.
cck2gpo=0x
ofdm2gpo=0x
# R54 16dBm; R48 17dBm; others 18dBm
mcs2gpo0=0x
# M0~ M4 17dBm
mcs2gpo1=0x
# M5M6 15dBm; M7 14.5dBm
#max power for 5G
maxp5ga0=68
# 16dBm target; 17.5dBm Max 
maxp5gla0=68
maxp5gha0=68
#Per rate power back-offs for a band, in .5 dB steps. Set it once you have the right numbers.
ofdm5gpo=0x
# R54 13.5dBm
ofdm5glpo=0x
ofdm5ghpo=0x
mcs5gpo0=0x
# M0~M4 16dBm (1dB higher than ofdm)
mcs5gpo1=0x
# M5M6 13.5dBm; M7 12dBm
mcs5glpo0=0x
mcs5glpo1=0x
mcs5ghpo0=0x
mcs5ghpo1=0x
# Parameters for DAC2x mode and ALPF bypass
# RF SW Truth Table: ctrl0 for BT_TX; ctrl1 or 5G Tx; ctrl2 for 5G Rx;
Ctrl3

Re: bwfm NVRAM file

2020-03-13 Thread Rob Schmersel
On Fri, 13 Mar 2020 13:41:48 +0100
Stefan Sperling  wrote:

> On Fri, Mar 13, 2020 at 12:12:18PM +0100, Rob Schmersel wrote:
> > Question: Are there plans to include the NVRAM files in
> > bwfm_firmware package?  
> 
> Yes, this is being worked on. See these recent commits by Patrick:
> https://marc.info/?l=openbsd-cvs=158357502421524=2
> https://marc.info/?l=openbsd-cvs=158348413626641=2
> https://marc.info/?l=openbsd-cvs=158348535827039=2
> 
> I am not involved but it sounds like this issue could be resolved
> in time for the next release. But please have patience.

perfect :)



bwfm NVRAM file

2020-03-13 Thread Rob Schmersel
Hello,

In order to use a SDIO based bwfm device a "NVRAM" configuration file
will be needed besides the firmware file. This configuration file is
expected to be in the /etc/firmware directory, in the form of
 brcmfmac{chip}-sdio.txt OR brcmfmac{chip}-sdio.nvram

The need for this configuration file is not described in the man page.
However the device will not be usable without one and an error message
will be shown in the dmesg:
  "failed loadfirmware of file: brcmfmac{chip}-sdio.txt"

Can I suggest the patch attached below.

I'm a bit unsure on how to indicate where the configuration file comes from:
Under Linux it is recommended that you read the NVRAM contents from
EFI, which I don't think is possible to do under OpenBSD

Hunting down the configuration file through your favorite search engine
can be a frustrating exercise, although you can find them
occasionally included in a windows driver or a linux distro.

Question: Are there plans to include the NVRAM files in bwfm_firmware
package?

Index: share/man/man4/bwfm.4
===
RCS file: /cvs/src/share/man/man4/bwfm.4,v
retrieving revision 1.10
diff -u -p -u -r1.10 bwfm.4
--- share/man/man4/bwfm.4   10 Nov 2019 14:10:41 -  1.10
+++ share/man/man4/bwfm.4   11 Mar 2020 15:41:49 -
@@ -77,10 +77,18 @@ driver can be configured at runtime with
 or on boot with
 .Xr hostname.if 5 .
 .Sh FILES
-The driver needs a firmware file which is loaded when the driver
-attaches.
+The 
+.Nm
+driver needs a firmware file which is loaded when the 
+.Nm
+driver attaches.
 A prepackaged version of the firmware can be installed using
 .Xr fw_update 1 .
+.Pp
+sdmmc connected devices need in addition a NVRAM configuration file,
+which is also loaded when the 
+.Nm
+driver attaches.
 .Sh EXAMPLES
 The following example scans for available networks:
 .Pp
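
Review bot: the paragraph added after `.Xr fw_update 1 .` says sdmmc devices need an NVRAM configuration file but never names the file or its location, so a reader who hits "failed loadfirmware of file" still has to guess. State the /etc/firmware directory and the brcmfmac{chip}-sdio.txt and brcmfmac{chip}-sdio.nvram forms given in the message, reword "need in addition a NVRAM" to "additionally need an NVRAM", and drop the trailing whitespace on the "+The" and "loaded when the" lines.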





add HISTORY to ldap.1

2018-07-03 Thread Rob Pierce
Ok?

Index: ldap.1
===
RCS file: /cvs/src/usr.bin/ldap/ldap.1,v
retrieving revision 1.7
diff -u -p -r1.7 ldap.1
--- ldap.1  3 Jul 2018 10:10:09 -   1.7
+++ ldap.1  3 Jul 2018 19:19:21 -
@@ -233,6 +233,11 @@ Match Group ldapusers
 .%R RFC 4516
 .%T Lightweight Directory Access Protocol (LDAP): Uniform Resource Locator
 .Re
+.Sh HISTORY
+The
+.Nm
+program first appeared in
+.Ox 6.4 .
 .Sh AUTHORS
 .An -nosplit
 The



ber.3 diff from last ber source commit

2018-06-29 Thread Rob Pierce
I mistakenly committed modifications to the ber.3 man page (in snmpd).

This man page is currently not linked into the build.

I am sending this diff post-commit for visibility only.

A work in progress. Comments welcome.

Regards,

Index: ber.3
===
RCS file: /cvs/src/usr.sbin/snmpd/ber.3,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -p -r1.13 -r1.14
--- ber.3   1 Oct 2013 12:48:27 -   1.13
+++ ber.3   29 Jun 2018 15:18:03 -  1.14
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ber.3,v 1.13 2013/10/01 12:48:27 reyk Exp $
+.\" $OpenBSD: ber.3,v 1.14 2018/06/29 15:18:03 rob Exp $
 .\"
 .\" Copyright (c) 2007, 2012 Reyk Floeter 
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 1 2013 $
+.Dd $Mdocdate: June 29 2018 $
 .Dt BER 3
 .Os
 .Sh NAME
@@ -25,8 +25,10 @@
 .Nm ber_replace_elements ,
 .Nm ber_add_sequence ,
 .Nm ber_add_set ,
+.Nm ber_add_enumerated ,
 .Nm ber_add_integer ,
 .Nm ber_get_integer ,
+.Nm ber_get_enumerated ,
 .Nm ber_add_boolean ,
 .Nm ber_get_boolean ,
 .Nm ber_add_string ,
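
Review bot: in this NAME hunk `.Nm ber_add_enumerated ,` is inserted ahead of `.Nm ber_add_integer ,` while `.Nm ber_get_enumerated ,` follows `.Nm ber_get_integer ,`; the SYNOPSIS and DESCRIPTION hunks put both enumerated functions after the integer pair. Move the add line below `.Nm ber_get_integer ,` so the three lists use the same order.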
@@ -40,10 +42,12 @@
 .Nm ber_add_eoc ,
 .Nm ber_get_eoc ,
 .Nm ber_add_oid ,
+.Nm ber_add_noid ,
 .Nm ber_add_oidstring ,
 .Nm ber_get_oid ,
 .Nm ber_oid2ber ,
 .Nm ber_string2oid ,
+.Nm ber_oid_cmp ,
 .Nm ber_printf_elements ,
 .Nm ber_scanf_elements ,
 .Nm ber_get_writebuf ,
@@ -54,7 +58,7 @@
 .Nm ber_free_elements ,
 .Nm ber_calc_len ,
 .Nm ber_set_application ,
-.Nm ber_set_writecallback
+.Nm ber_set_writecallback ,
 .Nm ber_free
 .Nd parse ASN.1 with Basic Encoding Rules
 .Sh SYNOPSIS
@@ -78,6 +82,10 @@
 .Ft "int"
 .Fn "ber_get_integer" "struct ber_element *root" "long long *val"
 .Ft "struct ber_element *"
+.Fn "ber_add_enumerated" "struct ber_element *prev" "long long val"
+.Ft "int"
+.Fn "ber_get_enumerated" "struct ber_element *root" "long long *val"
+.Ft "struct ber_element *"
 .Fn "ber_add_boolean" "struct ber_element *prev" "int bool"
 .Ft "int"
 .Fn "ber_get_boolean" "struct ber_element *root" "int *bool"
@@ -104,6 +112,8 @@
 .Ft "struct ber_element *"
 .Fn "ber_add_oid" "struct ber_element *prev" "struct ber_oid *oid"
 .Ft "struct ber_element *"
+.Fn "ber_add_noid" "struct ber_element *prev" "struct ber_oid *oid, int n"
+.Ft "struct ber_element *"
 .Fn "ber_add_oidstring" "struct ber_element *prev" "const char *string"
 .Ft "int"
 .Fn "ber_get_oid" "struct ber_element *root" "struct ber_oid *oid"
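
Review bot: the added `.Fn "ber_add_noid"` line passes `"struct ber_oid *oid, int n"` as one quoted argument, so two parameters are handed to .Fn as a single one, unlike the other prototypes visible in this SYNOPSIS, which quote each parameter separately. Split it into `"struct ber_oid *oid" "int n"`.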
@@ -111,6 +121,8 @@
 .Fn "ber_oid2ber" "struct ber_oid *oid" "u_int8_t *buf" "size_t size"
 .Ft "int"
 .Fn "ber_string2oid" "const char *string" "struct ber_oid *oid"
+.Ft "int"
+.Fn "ber_oid_cmp" "struct ber_oid *oid" "struct ber_oid *oid"
 .Ft "struct ber_element *"
 .Fn "ber_printf_elements" "struct ber_element *prev" "char *format" "..."
 .Ft "int"
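
Review bot: the added `.Fn "ber_oid_cmp"` prototype names both parameters `oid`, which leaves the text no way to say which operand is which and is not a usable C declaration. Give them distinct names, for example `"struct ber_oid *a" "struct ber_oid *b"`, and say what the int result means, since none of the hunks in this diff add ber_oid_cmp to RETURN VALUES.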
@@ -153,6 +165,8 @@ using the
 .Fn ber_add_set ,
 .Fn ber_add_integer ,
 .Fn ber_get_integer ,
+.Fn ber_add_enumerated ,
+.Fn ber_get_enumerated ,
 .Fn ber_add_boolean ,
 .Fn ber_get_boolean ,
 .Fn ber_add_string ,
@@ -182,11 +196,12 @@ struct ber_oid {
 .Ed
 .Pp
 .Fn ber_add_oid ,
+.Fn ber_add_noid ,
 .Fn ber_add_oidstring ,
 .Fn ber_get_oid ,
 .Fn ber_oid2ber ,
-.Fn ber_oid_cmp ,
 .Fn ber_string2oid
+.Fn ber_oid_cmp ,
 .Sh FORMAT STRINGS
 .Fn ber_printf_elements ,
 .Fn ber_scanf_elements
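
Review bot: after the reorder in this hunk `.Fn ber_string2oid` is left without its separating comma and the new last item `.Fn ber_oid_cmp ,` ends with one, so the list renders as "ber_string2oid ber_oid_cmp,". Put the comma on `.Fn ber_string2oid ,` and leave `.Fn ber_oid_cmp` bare as the final entry.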
@@ -203,6 +218,7 @@ struct ber_oid {
 .Sh RETURN VALUES
 Upon successful completion
 .Fn ber_get_integer ,
+.Fn ber_get_enumerated ,
 .Fn ber_get_boolean ,
 .Fn ber_get_string ,
 .Fn ber_get_nstring ,
@@ -225,6 +241,9 @@ The
 .Nm ber
 manpage first appeared in
 .Ox 4.3 .
+.Sh STANDARDS
+ITU-T Recommendation X.690, also known as ISO/IEC 8825-1:
+Information technology - ASN.1 encoding rules.
 .Sh AUTHORS
 .An -nosplit
 The
@@ -234,5 +253,13 @@ library was written by
 .An Marc Balmer Aq Mt m...@openbsd.org
 and
 .An Reyk Floeter Aq Mt r...@openbsd.org .
+.Sh CAVEATS
+Only the subset of
+.Nm ber
+data types specified above are supported.
+.Pp
+Indefinite length
+.Nm ber
+encoding is not supported.
 .Sh BUGS
 This manpage is a stub.



Re: dhclient release a lease?

2018-05-14 Thread Rob Schmersel
On Mon, 14 May 2018 19:36:12 -0400
Quartz  wrote:

> > Currently there is no facility in dhclient(8) to issue RELEASE
> > messages. I had no recollection of adding such a thing, and a
> > quick  
> 
> > confirmed there is no DHCPRELEASE related code.  
> 
> Ergh. OK thanks, that's super annoying that it's not there.
> 
> >Which
> > signal(s) are used elsewhere to trigger RELEASE? Goggle is not
> > coughing up an obvious answer. :-)  
> 
> It varies, IIRC on at least one other linux or bsd distro sending HUP 
> took a more literal approach ("hang up and leave") and sent a DHCP 
> release before nuking its lease cache, and I'm pretty sure somewhere 
> else you could send "SIGUSR2" or something.
> 

On Red Hat/Debian  (and derivatives) they use dhclient which has a -r
switch to release the lease. From the man page:

-r Release  the  current  lease and stop the running DHCP client as
previously recorded in the PID file. When shutdown via this method
dhclient-script will be executed with the specific  reason  for
calling the  script set.  The client normally doesn't release the
current lease as this is not required by the DHCP protocol but some
cable ISPs require their clients to notify the server if they wish  to
release an assigned IP address.



Re: event.3: libevent no longer prints to stderr

2017-08-04 Thread Rob Pierce
On Fri, Aug 04, 2017 at 07:53:19PM +0200, Ingo Schwarze wrote:
> Hi Rob,
> 
> thanks for looking at libevent documentation.  It is in dire need
> of improvements in multiple respects.
> 
> Rob Pierce wrote on Fri, Aug 04, 2017 at 10:21:16AM -0400:
> 
> > As of the last commit to src/lib/libevent/log.c the library
> > no longer prints to stderr.  Update man page accordingly.
> > 
> > Ok?
> 
> But honestly, i'm not convinced that this patch is right.
> 
> Look at event.c.  EVENT_SHOW_METHOD is still inspected (line 154),
> and if it is set, the library does issue a message.
> 
> But looking at the code and at the documentation, i instantly
> see lots and lots of issues that need fixing.  Unsorted:
> 
>  * EVENT_SHOW_METHOD ought to be documented in the ENVIRONMENT
>    section.  The section name "ADDITIONAL NOTES" is bogus.
> 
>  * If you document an ENVIRONMENT variable, you should also say
>    which value(s) it is supposed to have (in this case, the value
>    is ignored, and even an empty value counts as "set", which is
>    not at all obvious).
> 
>  * The information is missing that the variable is ignored
>    in setuid and setgid programs as defined by issetugid(2).
> 
>  * Talking about "displaying" something is useless in library
>    documentation.  You also have to explain where the message
>    will appear.  Certainly not on stdout, right?
> 
>  * In this case, the message won't appear anywhere at all by default,
>    not even in the system logs.
> 
>  * To make *any* messages from libevent appear anywhere at all,
>    the application program has to supply a logging callback
>    function using the public interface function
>    event_set_log_callback(3).  Unfortunately, man -k tells me
>    that function isn't documented anywhere at all.
>    A classic case of user-level RTFS...  :-(

... and there it is! Thanks Ingo. I didn't go deep enough.

>  * Don't you dare add yet more functions to event(3).
>    It is already of excessive size and conflating documentation for
>    classes of functions almost unrelated to each other - like,
>    what's the point of having signal_set(3) and bufferevent_read(3)
>    in the same manual page?
> 
> I dimly remember that somebody tried and started to clean this mess
> up some years ago, but wasn't persistent enough to go anywhere with
> it.  If you want to look at that and don't find it instantly, i can
> dig it up for you.  Or you can simply start from scratch, the old
> discussion didn't go so far that much would be lost starting over.
> 
> If you want to tackle this, expect several days of work,
> involving much reading of code.

I will put it on my list!

Regards,

Rob

> Yours,
>   Ingo
> 
> 
> > Index: event.3
> > ===
> > RCS file: /cvs/src/lib/libevent/event.3,v
> > retrieving revision 1.53
> > diff -u -p -r1.53 event.3
> > --- event.3 29 Jun 2017 01:25:59 -  1.53
> > +++ event.3 4 Aug 2017 14:08:44 -
> > @@ -517,10 +517,6 @@ by setting the environment variable
> >  or
> >  .Va EVENT_NOSELECT ,
> >  respectively.
> > -By setting the environment variable
> > -.Va EVENT_SHOW_METHOD ,
> > -.Nm libevent
> > -displays the kernel notification method that it uses.
> >  .Sh RETURN VALUES
> >  Upon successful completion
> >  .Fn event_add



event.3: libevent no longer prints to stderr

2017-08-04 Thread Rob Pierce
As of the last commit to src/lib/libevent/log.c the library no longer prints to
stderr. Update man page accordingly.

Ok?

Index: event.3
===
RCS file: /cvs/src/lib/libevent/event.3,v
retrieving revision 1.53
diff -u -p -r1.53 event.3
--- event.3 29 Jun 2017 01:25:59 -  1.53
+++ event.3 4 Aug 2017 14:08:44 -
@@ -517,10 +517,6 @@ by setting the environment variable
 or
 .Va EVENT_NOSELECT ,
 respectively.
-By setting the environment variable
-.Va EVENT_SHOW_METHOD ,
-.Nm libevent
-displays the kernel notification method that it uses.
 .Sh RETURN VALUES
 Upon successful completion
 .Fn event_add
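
Review bot: deleting the EVENT_SHOW_METHOD sentence outright leaves the variable undocumented if the library still reads it; the message only says that libevent no longer prints to stderr. If the variable is still honoured, reword the sentence to say where the message now goes (a logging callback supplied by the application, as the reply in this thread points out) instead of removing it. If the variable is dead, say so in the message.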



getifaddrs.3 xref to if_nameindex

2017-07-23 Thread Rob Pierce
if_nameindex(3) references getifaddrs(3). A getifaddrs(3) xref back to
if_nameindex might be helpful. I found it the hard way.

Rob

Index: getifaddrs.3
===
RCS file: /cvs/src/lib/libc/net/getifaddrs.3,v
retrieving revision 1.21
diff -u -p -r1.21 getifaddrs.3
--- getifaddrs.321 Nov 2015 07:48:10 -  1.21
+++ getifaddrs.323 Jul 2017 16:54:33 -
@@ -133,6 +133,7 @@ or
 .Sh SEE ALSO
 .Xr ioctl 2 ,
 .Xr socket 2 ,
+.Xr if_nameindex 3 ,
 .Xr sysctl 3 ,
 .Xr netintro 4 ,
 .Xr ifconfig 8



ifstated.conf.5 diff

2017-07-07 Thread Rob Pierce
I am not sure that it makes sense to mention implementation details in the man
page in this regard (i.e. libevent). If people want to know the details, they
can read the source code.

In any event, true and false are not reserved words.

Regards,

Rob

Index: ifstated.conf.5
===
RCS file: /cvs/src/usr.sbin/ifstated/ifstated.conf.5,v
retrieving revision 1.9
diff -u -p -r1.9 ifstated.conf.5
--- ifstated.conf.5 24 Apr 2012 14:56:09 -  1.9
+++ ifstated.conf.5 7 Jul 2017 13:36:22 -
@@ -101,10 +101,7 @@ net = '( "ping -q -c 1 -w 1 192.168.0.1 
 .Sh TESTS AND EVENTS
 .Xr ifstated 8
 delegates the process of testing to libevent which associates a value with
-every test, in this case
-.Em true
-or
-.Em false .
+every test, in this case true or false .
 Whenever the value of a test associated with the current state changes,
 an event is triggered and the state's body is processed.
 .Sh STATE DEFINITIONS
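
Review bot: the added line "every test, in this case true or false ." keeps the space before the full stop that the old ".Em false ." macro line needed; on a plain text line it renders as "false .", so write "true or false." instead. The message also questions naming libevent in the page, yet the unchanged context line still says testing is delegated to libevent; either change that line too or drop the point from the rationale.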



missing punctuation in hifn.4 and hardclock.9

2016-09-26 Thread Rob Pierce
Stumbled across these in my travels.

Rob

Index: man4/hifn.4
===
RCS file: /cvs/src/share/man/man4/hifn.4,v
retrieving revision 1.50
diff -u -p -r1.50 hifn.4
--- man4/hifn.4 10 Dec 2015 21:00:51 -  1.50
+++ man4/hifn.4 27 Sep 2016 04:27:25 -
@@ -36,7 +36,7 @@
 The
 .Nm
 driver supports various cards containing the Hifn 7751, Hifn 7811, Hifn 7951,
-Hifn 7955, Hifn 7956, or Hifn 9751 chipsets, such as
+Hifn 7955, Hifn 7956, or Hifn 9751 chipsets, such as:
 .Bl -tag -width namenamenamena -offset indent
 .It Invertex AEON
 Comes as 128KB SRAM model, or 2MB DRAM model.

Index: man9/hardclock.9
===
RCS file: /cvs/src/share/man/man9/hardclock.9,v
retrieving revision 1.11
diff -u -p -r1.11 hardclock.9
--- man9/hardclock.93 Apr 2016 06:43:59 -   1.11
+++ man9/hardclock.927 Sep 2016 04:27:39 -
@@ -47,7 +47,7 @@ is an opaque, machine dependent structur
 previous machine state.
 .Pp
 .Fn hardclock
-performs a variety of time related housekeeping tasks, such as
+performs a variety of time related housekeeping tasks, such as:
 .Bl -bullet -offset indent
 .It
 If the current process has virtual or profiling interval



Re: minor updates to radiusd.8

2016-09-18 Thread Rob Pierce
New diff excluding the history section.

Rob

Index: radiusd.8
===
RCS file: /cvs/src/usr.sbin/radiusd/radiusd.8,v
retrieving revision 1.6
diff -u -p -r1.6 radiusd.8
--- radiusd.8   25 Aug 2015 01:12:59 -  1.6
+++ radiusd.8   18 Sep 2016 16:32:01 -
@@ -29,6 +29,12 @@ The
 .Nm
 daemon implements the RADIUS protocol.
 .Pp
+.Nm
+can be enabled during system boot by setting the following in
+.Pa /etc/rc.conf.local :
+.Pp
+.Dl radiusd_flags=\&"\&"
+.Pp
 The options are as follows:
 .Bl -tag -width Ds
 .It Fl d
@@ -49,7 +55,10 @@ Only check the configuration file for va
 Default configuration file.
 .El
 .Sh SEE ALSO
-.Xr radiusd.conf 5
+.Xr radiusd.conf 5 ,
+.Xr radiusctl 8 ,
+.Xr rc.conf 8
+.Sh STANDARDS
 .Rs
 .%R RFC 2865
 .%T "Remote Authentication Dial In User Service (RADIUS)"



minor updates to radiusd.8

2016-09-18 Thread Rob Pierce
Index: radiusd.8
===
RCS file: /cvs/src/usr.sbin/radiusd/radiusd.8,v
retrieving revision 1.6
diff -u -p -r1.6 radiusd.8
--- radiusd.8   25 Aug 2015 01:12:59 -  1.6
+++ radiusd.8   18 Sep 2016 15:10:26 -
@@ -29,6 +29,12 @@ The
 .Nm
 daemon implements the RADIUS protocol.
 .Pp
+.Nm
+can be enabled during system boot by setting the following in
+.Pa /etc/rc.conf.local :
+.Pp
+.Dl radiusd_flags=\&"\&"
+.Pp
 The options are as follows:
 .Bl -tag -width Ds
 .It Fl d
@@ -49,9 +55,17 @@ Only check the configuration file for va
 Default configuration file.
 .El
 .Sh SEE ALSO
-.Xr radiusd.conf 5
+.Xr radiusd.conf 5 ,
+.Xr radiusctl 8 ,
+.Xr rc.conf 8
+.Sh STANDARDS
 .Rs
 .%R RFC 2865
 .%T "Remote Authentication Dial In User Service (RADIUS)"
 .%D June 2000
 .Re
+.Sh HISTORY
+The
+.Nm
+program first appeared in
+.Ox 5.8 .
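
Review bot: the HISTORY section added at the end of this hunk states that radiusd first appeared in OpenBSD 5.8, but nothing in the diff or the message backs the release number. Confirm it before committing, or send it separately so that the SEE ALSO and STANDARDS changes are not held up by it.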



some more single user mode in /etc/rc

2016-09-05 Thread Rob Pierce
I wasn't actually looking for this, but stumbled across it while reviewing
/etc/rc.

Rob

Index: rc
===
RCS file: /cvs/src/etc/rc,v
retrieving revision 1.486
diff -u -p -r1.486 rc
--- rc  10 Jul 2016 09:08:18 -  1.486
+++ rc  5 Sep 2016 14:54:47 -
@@ -262,7 +262,7 @@ do_fsck() {
 stty status '^T'
 
 # Set shell to ignore SIGINT (2), but not children; shell catches SIGQUIT (3)
-# and returns to single user after fsck.
+# and returns to single-user mode after fsck.
 trap : 2
 trap : 3   # Shouldn't be needed.
 
@@ -289,9 +289,9 @@ if [[ $1 == shutdown ]]; then
echo warning: cannot write random seed to disk
fi
 
-   # If we are in secure level 0, assume single user mode.
+   # If we are in secure level 0, assume single-user mode.
if (($(sysctl -n kern.securelevel) == 0)); then
-   echo 'single user: not running shutdown scripts'
+   echo 'single-user mode: not running shutdown scripts'
else
pkg_scripts=${pkg_scripts%%*( )}
if [[ -n $pkg_scripts ]]; then
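
Review bot: the last change in this hunk is not a comment fix: it alters the string the shutdown path echoes, from 'single user: not running shutdown scripts' to 'single-user mode: not running shutdown scripts'. Anything that matches console output on the old text will stop matching, so split it from the comment-only edits or call it out in the message. The comment above it still says the script only assumes single-user mode from kern.securelevel being 0; keep that wording as an assumption.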



fix inconsistent man page use of "single user mode"

2016-09-05 Thread Rob Pierce
init.8 currently has six instances of "single-user mode" and three instances
of "single-user shell", so fix the two "single user mode" outliers.

Also, correct the only other two instances of man pages with "single user
mode" in afterboot.8 and netstart.8.


Index: init.8
===
RCS file: /cvs/src/sbin/init/init.8,v
retrieving revision 1.47
diff -u -p -r1.47 init.8
--- init.8  4 Sep 2011 18:20:48 -   1.47
+++ init.8  5 Sep 2016 12:24:32 -
@@ -68,7 +68,7 @@ file as explained in the
 .Xr rc 8
 manual.
 .It Fl s
-Boot directly into single user mode.
+Boot directly into single-user mode.
 .El
 .Pp
 Single-user mode is also entered if the boot scripts fail.
@@ -265,7 +265,7 @@ When starting a window system or
 the login class
 .Dq default
 is used.
-No resource changes are made when entering single user mode.
+No resource changes are made when entering single-user mode.
 .Sh FILES
 .Bl -tag -width /etc/rc.securelevel -compact
 .It Pa /dev/console

Index: afterboot.8
===
RCS file: /cvs/src/share/man/man8/afterboot.8,v
retrieving revision 1.156
diff -u -p -r1.156 afterboot.8
--- afterboot.8 2 Sep 2016 12:17:33 -   1.156
+++ afterboot.8 5 Sep 2016 12:29:10 -
@@ -386,7 +386,7 @@ For example:
 .Ss System command scripts
 The
 .Pa /etc/rc.*\&
-scripts are invoked at boot time, after single user mode has exited,
+scripts are invoked at boot time, after single-user mode has exited,
 and at shutdown.
 The whole process is controlled, more or less, by the master script
 .Pa /etc/rc .

Index: netstart.8
===
RCS file: /cvs/src/share/man/man8/netstart.8,v
retrieving revision 1.20
diff -u -p -r1.20 netstart.8
--- netstart.8  5 Dec 2015 18:43:12 -   1.20
+++ netstart.8  5 Sep 2016 12:29:10 -
@@ -38,7 +38,7 @@
 .Nm
 is the command script that is invoked by
 .Xr rc 8
-during an automatic reboot and after single user mode is exited;
+during an automatic reboot and after single-user mode is exited;
 it performs network initialization.
 .Pp
 The



Consistent case and full stop in rc.8

2016-09-05 Thread Rob Pierce
Index: rc.8
===
RCS file: /cvs/src/share/man/man8/rc.8,v
retrieving revision 1.42
diff -u -p -r1.42 rc.8
--- rc.821 Nov 2015 19:43:50 -  1.42
+++ rc.85 Sep 2016 11:34:57 -
@@ -194,11 +194,11 @@ not to run
 .Xr fsck 8
 during the next boot.
 .It Pa /var/run/dmesg.boot
-copy of
+Copy of
 .Xr dmesg 8
 saved by
 .Nm rc
-at boot time
+at boot time.
 .El
 .Sh SEE ALSO
 .Xr sysctl.conf 5 ,



s/separate/separated/ in pledge.2

2016-09-05 Thread Rob Pierce
Index: pledge.2
===
RCS file: /cvs/src/lib/libc/sys/pledge.2,v
retrieving revision 1.34
diff -u -p -r1.34 pledge.2
--- pledge.21 Sep 2016 10:06:30 -   1.34
+++ pledge.25 Sep 2016 11:08:34 -
@@ -126,7 +126,7 @@ once.
 .Pp
 The
 .Ar promises
-is specified as a string, with space separate keywords:
+is specified as a string, with space separated keywords:
 .Bl -tag -width "tmppath" -offset indent
 .It Va "stdio"
 The following system calls are permitted to allow most basic functions
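
Review bot: "space separated keywords" on the added line is a compound modifier and should be hyphenated as "space-separated keywords", in line with the "single-user" clean-up sent the same day.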



use router instead of forwarding gateway in faq6.html

2016-09-04 Thread Rob Pierce
The Background sections in both the Networking and PF - Building a Router FAQ
use the term "router" as opposed to "forwarding gateway".

As such, be consistent with the corresponding title in faq6.html.

This may also be less confusing if relayd(8) is mentioned as providing
application layer gateway functionality as suggested in my last diff sent to
tech@.

Alternatively, if "forwarding gateway" remains, consider referencing IP and/or
network layer / layer 3 in the title.

Regards,

Rob

Index: faq6.html
===
RCS file: /cvs/www/faq/faq6.html,v
retrieving revision 1.383
diff -u -p -r1.383 faq6.html
--- faq6.html   15 Aug 2016 02:22:13 -  1.383
+++ faq6.html   4 Sep 2016 13:37:14 -
@@ -400,8 +400,7 @@ localhostLOCALHOST  UH
 BASE-ADDRESS.MCA LOCALHOST  U
 
 
-Setting up your OpenBSD box as a forwarding
-gateway
+Setting up your OpenBSD box as a router
 
 
 This is covered in more detail here.



Re: remove password advice in afterboot.8 and passwd.1

2016-04-18 Thread Rob Pierce
> From: "Jason McIntyre" <j...@kerhand.co.uk>
> To: "misc" <misc@openbsd.org>
> Sent: Monday, April 18, 2016 2:03:26 AM
> Subject: Re: remove password advice in afterboot.8 and passwd.1

> On Sun, Apr 17, 2016 at 11:23:14PM -0400, Rob Pierce wrote:
> > Stop giving password advice. Instead, make a general statement about 
> > password
> > strength in passwd.1.

> > Rob


> i don't see why we should not try to give advice.

After reading https://marc.info/?t=14173169791=1=2 (and other articles)
I thought maybe the advice provided was no longer as relevant as it once was,
and that this advice would require maintenance in two separate documents.

However, after continued reading on the topic, maybe it is still strong advice
that will stand the test of time, good information for new users, and consistent
enough across both manual pages.

Not sure.

Rob



remove password advice in afterboot.8 and passwd.1

2016-04-17 Thread Rob Pierce
Stop giving password advice. Instead, make a general statement about password
strength in passwd.1.

Rob

Index: afterboot.8
===
RCS file: /cvs/src/share/man/man8/afterboot.8,v
retrieving revision 1.153
diff -u -p -r1.153 afterboot.8
--- afterboot.8 8 Dec 2015 13:36:05 -   1.153
+++ afterboot.8 18 Apr 2016 03:18:04 -
@@ -103,10 +103,6 @@ Change the password for the root user.
 (Note that throughout the documentation, the term
 .Dq superuser
 is a synonym for the root user.)
-Choose a password that has digits and special characters
-as well as from the upper and lower case alphabet.
-Do not choose any word in any language.
-It is common for an intruder to use dictionary attacks.
 Type the following command to change it:
 .Pp
 .Dl $ doas passwd root
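
Review bot: with the four advice lines removed, the step that sets the root password gives no guidance at the point where the reader types the command; the pointer to passwd(1) is only added to SEE ALSO in the next hunk. Add an inline reference next to ".Dl $ doas passwd root", for example a sentence saying that password selection is discussed in passwd(1).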
@@ -594,6 +590,7 @@ is contained within
 .Xr doas 1 ,
 .Xr ksh 1 ,
 .Xr man 1 ,
+.Xr passwd 1 ,
 .Xr pkg_add 1 ,
 .Xr ps 1 ,
 .Xr vi 1 ,

Index: passwd.1
===
RCS file: /cvs/src/usr.bin/passwd/passwd.1,v
retrieving revision 1.44
diff -u -p -r1.44 passwd.1
--- passwd.126 Nov 2015 19:01:47 -  1.44
+++ passwd.118 Apr 2016 03:18:42 -
@@ -49,13 +49,10 @@ First, the user is prompted for their cu
 If the current password is correctly typed, a new password is requested.
 The new password must be entered twice to avoid typing errors.
 .Pp
-The new password should be at least six characters long and not
-purely alphabetic.
-Its total length must be less than
+Password strength is a function of length and complexity.
+The total password length must be less than
 .Dv _PASSWORD_LEN
 (currently 128 characters).
-A mixture of both lower and uppercase letters, numbers, and
-meta-characters is encouraged.
 .Pp
 The quality of the password can be enforced by specifying an external
 checking program via the
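
Review bot: the replacement line "Password strength is a function of length and complexity." drops the two concrete recommendations (at least six characters, a mixture of character classes) and gives the reader nothing to act on. Either keep a minimum the user can check, or point to the external checking program described in the context lines that follow as the place where password quality is enforced.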



Re: man pages diff

2016-04-17 Thread Rob Pierce
> From: "Alexander Hall" <alexan...@beard.se>
> To: "Jason McIntyre" <j...@kerhand.co.uk>, "misc" <misc@openbsd.org>
> Cc: "Ingo Schwarze" <schwa...@usta.de>
> Sent: Saturday, April 9, 2016 4:15:10 AM
> Subject: Re: man pages diff

> On April 7, 2016 10:40:24 PM GMT+02:00, Jason McIntyre <j...@kerhand.co.uk>
> wrote:
> >On Thu, Apr 07, 2016 at 10:13:02PM +0200, Ingo Schwarze wrote:
> >> Hi,

> >> Jason McIntyre wrote on Thu, Apr 07, 2016 at 08:35:52PM +0100:
> >> > On Thu, Apr 07, 2016 at 03:15:01PM -0400, Rob Pierce wrote:

> >> >> Change "super user" to "superuser".

> >> > hmm. you have the weight of the man pages behind you, since they
> >> > overwhelmingly use "superuser".

> >> In that case, ...

> >> > the trouble is, i don't think "super
> >> > user" is wrong, and i'm reluctant to do this...

I just noticed this in afterboot.1 under the "Root password" section:

"Note that throughout the documentation, the term "superuser" is a synonym for
the root user."

Rob



Re: diff for help.1

2016-04-16 Thread Rob Pierce
> From: "Pavan Maddamsetti" <pavan.maddamse...@gmail.com> 
> To: "misc" <misc@openbsd.org> 
> Sent: Friday, April 15, 2016 10:55:28 PM 
> Subject: Re: diff for help.1 
> 
> Why not ed? 

vi(1) mentions ex(1) which is maybe good enough for a new user. 

Both the "Welcome to OpenBSD" email message as well as help.1 reference man
and highlight the -k option, so maybe that is enough. Running man -k editor
lists them all. 

When I reviewed help.1, given the other commands presented (e.g. cd, ls,
cat) I would have expected some mention of a text editor to help a new
user/admin (though afterboot.1 does reference vi(1) under SEE ALSO).

Rob



Re: diff for help.1

2016-04-15 Thread Rob Pierce
On Fri, Apr 15, 2016 at 04:16:59PM -0400, Rob Pierce wrote:
> Recent FAQ cleanup lost a reference to mg(1) (section 2.2).
> 
> Text editors seem fundamental enough to include in help.1.
> 
> While here, make consistent use of references to command arguments (Ar).
> 
> Rob

Sorry - clean diff with stray comments removed.

Rob

Index: help.1
===
RCS file: /cvs/src/share/man/man1/help.1,v
retrieving revision 1.1
diff -u -p -r1.1 help.1
--- help.1  27 Mar 2015 01:59:26 -  1.1
+++ help.1  15 Apr 2016 23:40:33 -
@@ -88,7 +88,7 @@ in the system password file
 .It Cm man
 Interface to the system manual pages.
 For any of the commands listed below, type
-.Ic man 
+.Ic man Ar command
 for detailed information on what it does and how to use it.
 .It Cm pwd
 Print working directory.
@@ -109,12 +109,18 @@ Type
 for a detailed listing.
 .It Cm cat
 Although it has many more uses,
-.Ic cat filename
+.Ic cat Ar filename
 will print the contents of a plain-text file to the screen.
+.It Cm vi
+Edit text files.
+For example,
+.Ic vi Ar filename .
+See also
+.Xr mg 1 .
 .It Cm mkdir
 Make a directory.
 For example,
-.Ic mkdir foobar .
+.Ic mkdir Ar dirname .
 .It Cm rmdir
 Remove a directory.
 .It Cm rm
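
Review bot: in the mkdir entry, replacing ".Ic mkdir foobar ." with ".Ic mkdir Ar dirname ." turns the line after "For example," into a syntax template, not an example, and the new vi entry has the same mismatch. Either keep a literal name in the example or change the lead-in so that it introduces a usage line.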



diff for help.1

2016-04-15 Thread Rob Pierce
Recent FAQ cleanup lost a reference to mg(1) (section 2.2).

Text editors seem fundamental enough to include in help.1.

While here, make consistent use of references to command arguments (Ar).

Rob

Index: help.1
===
RCS file: /cvs/src/share/man/man1/help.1,v
retrieving revision 1.1
diff -u -p -r1.1 help.1
--- help.1  27 Mar 2015 01:59:26 -  1.1
+++ help.1  15 Apr 2016 20:14:16 -
@@ -88,7 +88,7 @@ in the system password file
 .It Cm man
 Interface to the system manual pages.
 For any of the commands listed below, type
-.Ic man 
+.Ic man Ar command
 for detailed information on what it does and how to use it.
 .It Cm pwd
 Print working directory.
@@ -109,12 +109,20 @@ Type
 for a detailed listing.
 .It Cm cat
 Although it has many more uses,
-.Ic cat filename
+.Ic cat Ar filename
 will print the contents of a plain-text file to the screen.
+.It Cm vi
+Edit text files.
+.\" For example,
+.\" .Ic vi Ar filename .
+For example,
+.Ic vi Ar filename .
+See also
+.Xr mg 1 .
 .It Cm mkdir
 Make a directory.
 For example,
-.Ic mkdir foobar .
+.Ic mkdir Ar dirname .
 .It Cm rmdir
 Remove a directory.
 .It Cm rm
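
Review bot: the new vi entry carries two commented-out lines, '.\" For example,' and '.\" .Ic vi Ar filename .', directly above the live copies of the same text. Drop them before commit.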



add "route" promise to pledge.2

2016-04-07 Thread Rob Pierce
I wasn't sure of where to put it in the list.

How is this?

Rob

Index: pledge.2
===
RCS file: /cvs/src/lib/libc/sys/pledge.2,v
retrieving revision 1.27
diff -u -p -r1.27 pledge.2
--- pledge.211 Mar 2016 06:36:51 -  1.27
+++ pledge.27 Apr 2016 20:00:19 -
@@ -80,7 +80,8 @@ Only the
 and
 .Dv FIONBIO
 operations are allowed by default.
-Use of the "tty" and "ioctl" promises receive more ioctl requests.
+Use of the "tty", "ioctl", "route", "pf" and "audio" promises receive more 
ioctl
+requests.
 .Pp
 .It Xr chmod 2
 .It Xr fchmod 2
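
Review bot: the first added line has been wrapped by the mailer, leaving a bare "ioctl" line with no "+" prefix between the two added lines, so the hunk no longer matches its "+80,8" header and will not apply; resend with wrapping disabled. The sentence also needs its verb fixed while it is being touched: "Use of the ... promises receive more ioctl requests" has no subject that can receive anything, so say that the promises permit more ioctl requests.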
@@ -493,6 +494,21 @@ process:
 .Xr setrlimit 2 ,
 .Xr getpriority 2 ,
 .Xr setpriority 2 .
+.It Va "route"
+Allows a subset of
+.Xr ioctl 2
+operations on network interfaces:
+.Pp
+.Dv SIOCGIFADDR ,
+.Dv SIOCGIFFLAGS ,
+.Dv SIOCGIFMETRIC ,
+.Dv SIOCGIFGMEMB ,
+.Dv SIOCGIFRDOMAIN ,
+.Dv SIOCGIFDSTADDR_IN6 ,
+.Dv SIOCGIFNETMASK_IN6 ,
+.Dv SIOCGNBRINFO_IN6 ,
+.Dv SIOCGIFINFO_IN6 ,
+.Dv SIOCGIFMEDIA .
 .It Va "pf"
 Allows a subset of
 .Xr ioctl 2
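
Review bot: every request in the new "route" list is a SIOCG* (get) request, but the lead sentence only says "a subset of ioctl(2) operations on network interfaces". If read-only access is the intent of the promise, say so in that sentence so that readers do not have to infer it from the request names. The list mirrors what the kernel enforces, so the message should state which kernel source it was taken from.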



man pages diff

2016-04-07 Thread Rob Pierce
Change "super user" to "superuser".

Rob

Index: src/share/man/man4/pty.4
===
RCS file: /cvs/src/share/man/man4/pty.4,v
retrieving revision 1.21
diff -u -p -r1.21 pty.4
--- src/share/man/man4/pty.421 Nov 2015 08:04:20 -  1.21
+++ src/share/man/man4/pty.47 Apr 2016 19:12:07 -
@@ -298,7 +298,7 @@ device nodes following the naming conven
 .Ox .
 Since
 .Pa ptm
-impersonates the super user for some operations it needs to perform
+impersonates the superuser for some operations it needs to perform
 to complete the allocation of a pseudo terminal, the
 .Pa /dev
-directory must also be writeable by the super user.
+directory must also be writeable by the superuser.

Index: src/share/man/man5/login.conf.5
===
RCS file: /cvs/src/share/man/man5/login.conf.5,v
retrieving revision 1.62
diff -u -p -r1.62 login.conf.5
--- src/share/man/man5/login.conf.5 30 Mar 2016 06:58:06 -  1.62
+++ src/share/man/man5/login.conf.5 7 Apr 2016 19:12:07 -
@@ -683,7 +683,7 @@ to indicate if the user is in group whee
 Some authentication types require the user to be in group wheel when using
 the
 .Xr su 1
-program to become super user.
+program to become superuser.
 .El
 .Pp
 When the authentication program is executed,

Index: src/usr.sbin/cron/crontab.1
===
RCS file: /cvs/src/usr.sbin/cron/crontab.1,v
retrieving revision 1.33
diff -u -p -r1.33 crontab.1
--- src/usr.sbin/cron/crontab.1 26 Oct 2015 15:50:06 -  1.33
+++ src/usr.sbin/cron/crontab.1 7 Apr 2016 19:12:07 -
@@ -65,7 +65,7 @@ be listed in the
 .Pa /var/cron/cron.deny
 file in order to use
 .Nm .
-If neither of these files exists then only the super user
+If neither of these files exists then only the superuser
 will be allowed to use
 .Nm .
 .Em NOTE :



faq4.html

2016-04-02 Thread Rob Pierce
It looks like the cdrkit web site has been down for a while.

Point to the debian package instead, or maybe delete altogether?

Rob

Index: faq4.html
===
RCS file: /cvs/www/faq/faq4.html,v
retrieving revision 1.439
diff -u -p -r1.439 faq4.html
--- faq4.html   1 Apr 2016 15:25:47 -   1.439
+++ faq4.html   2 Apr 2016 14:15:51 -
@@ -266,7 +266,7 @@ In OpenBSD, you can create a CD from an 
 
 Modern Windows and Macintosh systems can directly create CDs from ISO images.
 On Linux or other Unix-like systems, use applications such as
-http://www.cdrkit.org/;>cdrkit.
+https://packages.debian.org/source/sid/cdrkit;>cdrkit.
 
 4.3.3 - Floppies



Re: faq12.html

2016-03-30 Thread Rob Pierce
> From: "Nick Holland" 
> To: "misc" 
> Sent: Wednesday, March 30, 2016 12:14:23 PM
> Subject: Re: faq12.html

> On 03/30/16 08:49, Theo Buehler wrote:
> >> -The Zaurus has very little current available on its USB port, so many
> >> +The Zaurus has very little currently available on its USB port, so many

> > electrical current?

> both what is there and "electrical current" are/would be precisely
> correct, but "power" might be a more understood word.

> Nick.
I must admit that was a bit of helicopter editing on my part, so it caught me 
off guard. 

Changing "little" to "low" would solve any ambiguity. 

I am embarrassed to say that I studied electrical circuits way back when... 



Re: faq12.html

2016-03-30 Thread Rob Pierce
> From: "Theo Buehler" 
> To: "misc" 
> Sent: Wednesday, March 30, 2016 8:50:20 AM
> Subject: Re: faq12.html

> > -The Zaurus has very little current available on its USB port, so many
> > +The Zaurus has very little currently available on its USB port, so many

> electrical current?

> > USB devices will not work if they are directly attached to it.
> > You will need to use a powered USB hub to run these devices.
Yes, my mistake. Sorry for the noise. 



faq12.html

2016-03-30 Thread Rob Pierce
For your consideration.

Index: faq12.html
===
RCS file: /cvs/www/faq/faq12.html,v
retrieving revision 1.125
diff -u -p -r1.125 faq12.html
--- faq12.html  29 Mar 2016 01:27:39 -  1.125
+++ faq12.html  30 Mar 2016 12:30:48 -
@@ -662,7 +662,7 @@ on SIMH page.
 
 12.7.1 - USB devices aren't working properly
 
-The Zaurus has very little current available on its USB port, so many
+The Zaurus has very little currently available on its USB port, so many
 USB devices will not work if they are directly attached to it.
 You will need to use a powered USB hub to run these devices.
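
Review bot: the changed line replaces the noun "current" with the adverb "currently", which leaves "very little" with nothing to quantify; the sentence is about electrical current on the USB port, as the context lines about a powered USB hub show. Drop the change, or use "power" if the aim is to avoid the ambiguity.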



reference ipsec.conf in ipsec.4 under SEE ALSO?

2016-03-20 Thread Rob Pierce
I think it makes sense for ipsec.4 to reference its own configuration file 
under SEE ALSO.

Index: ipsec.4
===
RCS file: /cvs/src/share/man/man4/ipsec.4,v
retrieving revision 1.83
diff -u -p -r1.83 ipsec.4
--- ipsec.4 16 Feb 2015 16:38:54 -  1.83
+++ ipsec.4 18 Mar 2016 20:51:05 -
@@ -378,6 +378,7 @@ allocations).
 .\".Xr ipcomp 4 ,
 .Xr options 4 ,
 .Xr iked 8 ,
+.Xr ipsec.conf 5 ,
 .Xr ipsecctl 8 ,
 .Xr isakmpd 8 ,
 .Xr sysctl 8
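
Review bot: the new ".Xr ipsec.conf 5 ," line is placed after ".Xr iked 8 ,", so a section 5 page sits between section 8 entries. SEE ALSO is sorted by section first; move the line to directly after ".Xr options 4 ,".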



minor corrections diff for 59.html

2016-03-18 Thread Rob Pierce
Some punctuation, case and grammar corrections along with a few hrefs.

For your consideration.

Index: 59.html
===
RCS file: /cvs/www/59.html,v
retrieving revision 1.72
diff -u -p -r1.72 59.html
--- 59.html 16 Mar 2016 19:10:52 -  1.72
+++ 59.html 18 Mar 2016 19:48:20 -
@@ -120,7 +120,7 @@ to 5.9.
 driver now supports sector mode for eMMC devices, such as those found 
on
 some BeagleBone Black boards.
 The http://www.openbsd.org/cgi-bin/man.cgi?query=cnmac;>cnmac(4)
-driver now supports checksum offloading
+driver now supports checksum offloading.
 The http://www.openbsd.org/cgi-bin/man.cgi?query=ipmi;>ipmi(4)
 driver now supports OpenIPMI compatible character device.
 ...
@@ -171,7 +171,7 @@ to 5.9.
 
 Userland programs were audited so that they could be properly annotated
 with pledge(2).
-This resulted in design changes such as
+This resulted in design changes such as:
 
 
 addition of
@@ -206,17 +206,17 @@ to 5.9.
 
 SMP network stack improvements:
 
-The task processing incoming packets can now runs mostly in parallel
+The task processing incoming packets can now run mostly in parallel
 of the rest of the kernel, this include:
 
 http://www.openbsd.org/cgi-bin/man.cgi?query=carp;>carp(4),
 http://www.openbsd.org/cgi-bin/man.cgi?query=trunk;>trunk(4),
 http://www.openbsd.org/cgi-bin/man.cgi?query=vlan;>vlan(4)
 and other pseudo-driver with the exception of
-http://www.openbsd.org/cgi-bin/man.cgi?query=bridge;>bridge(4)
-Ethernet decapsulation, ARP processing and MPLS forwarding path
+http://www.openbsd.org/cgi-bin/man.cgi?query=bridge;>bridge(4).
+Ethernet decapsulation, ARP processing and MPLS forwarding path.
 http://www.openbsd.org/cgi-bin/man.cgi?query=bpf;>bpf(4)
-filter matching
+filter matching.
 
 The Rx and Tx rings of the
 http://www.openbsd.org/cgi-bin/man.cgi?query=ix;>ix(4),
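
Review bot: the hunk corrects "can now runs" but leaves "this include:" on the very next context line, and "in parallel of" stays in both places. Since the sentence is being touched anyway, fix the verb to "this includes:" in the same diff.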
@@ -228,10 +228,10 @@ to 5.9.
 http://www.openbsd.org/cgi-bin/man.cgi?query=gem;>gem(4),
 http://www.openbsd.org/cgi-bin/man.cgi?query=re;>re(4) and
 http://www.openbsd.org/cgi-bin/man.cgi?query=cas;>cas(4)
-drivers can now be processed in parallel of the rest of the kernel
+drivers can now be processed in parallel of the rest of the kernel.
 The Rx ring of the
 http://www.openbsd.org/cgi-bin/man.cgi?query=cnmac;>cnmac(4)
-driver can now be processed in parallel of the rest of the kernel
+driver can now be processed in parallel of the rest of the kernel.
 
 
 
@@ -401,13 +401,20 @@ to 5.9.
 and reduce dynamic linking overhead.
 Handle intra-thread kills via new
 http://www.openbsd.org/cgi-bin/man.cgi?query=thrkill;>thrkill(2)
-system call to tighten pledge(2) restrictions and improve 
pthread_kill(3)
-and pthread_cancel(3) compliance.
+system call to tighten
+http://www.openbsd.org/cgi-bin/man.cgi?query=pledge;>pledge(2).
+restrictions and improve
+http://www.openbsd.org/cgi-bin/man.cgi?query=pthread_kill;>pthread_kill(3)
+and
+http://www.openbsd.org/cgi-bin/man.cgi?query=pthread_cancel;>pthread_cancel(3)
+compliance.
 Added http://www.openbsd.org/cgi-bin/man.cgi?query=getpwnam_shadow;>
 getpwnam_shadow(3)
 and http://www.openbsd.org/cgi-bin/man.cgi?query=getpwuid_shadow;>
 getpwuid_shadow(3)
-to permit tighter pledge(2) restrictions.
+to permit tighter
+http://www.openbsd.org/cgi-bin/man.cgi?query=pledge;>pledge(2).
+restrictions.
 Added support to
 http://www.openbsd.org/cgi-bin/man.cgi?query=ktrace;>ktrace(1)
 the arguments to
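
Review bot: both new pledge(2) links end in a full stop ("...query=pledge;>pledge(2)."), but the sentence continues on the next added line ("restrictions and improve" in the first case, "restrictions." in the second), so the text will read "pledge(2). restrictions". Remove the full stop after the link in both places.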
@@ -525,7 +532,7 @@ to 5.9.
 based on draft-rsa-dsa-sha2-256-03.txt and
 draft-ssh-ext-info-04.txt.
   http://www.openbsd.org/cgi-bin/man.cgi?query=ssh;>ssh(1):
-Add an AddKeysToAgent client option which can be set to
+add an AddKeysToAgent client option which can be set to
 yes, no, ask, or confirm, and
 defaults to no.  When enabled, a private key that is used
 during authentication will be added to
@@ -578,7 +585,7 @@ to 5.9.
 http://www.openbsd.org/cgi-bin/man.cgi?query=sshd;>sshd(8):
 refine compatibility workarounds for WinSCP.
   Fix a number of memory faults (double-free, free of uninitialised
-memory, etc) in
+memory, etc.) in
 http://www.openbsd.org/cgi-bin/man.cgi?query=ssh;>ssh(1)
 and
 http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen;>ssh-keygen(1).
@@ -676,7 +683,7 @@ to 5.9.
 http://www.openbsd.org/cgi-bin/man.cgi?query=sshd;>sshd(8):
 fix some option parsing memory 

Re: reference ipsec.conf in ipsec.4 under SEE ALSO?

2016-03-18 Thread Rob Pierce
> From: "Jason McIntyre" <j...@kerhand.co.uk>
> To: "misc" <misc@openbsd.org>
> Sent: Friday, March 18, 2016 5:40:07 PM
> Subject: Re: reference ipsec.conf in ipsec.4 under SEE ALSO?

> On Fri, Mar 18, 2016 at 04:59:29PM -0400, Rob Pierce wrote:
> > I think it makes sense for ipsec.4 to reference its own configuration file
> > under SEE ALSO.


> fixed, thanks. but note SEE ALSO is sorted by section first, so it should
> be after the options Xr.

> jmc
I totally missed that, thanks! 

Rob 



Re: httpd syscall 72

2015-10-07 Thread Rob Pierce
From Stuart in response to a previous inquiry:

Rob

> >> If you need a working version, the diffs aren't committed yet, so you can
> >> rebuild httpd from source and it should work fine.
> >> 
> > Thanks for the info Ted. I'm currently rebuilding the src, following the 
> > "5 - Building the System from Source" page. I just want to ask another 
> > question, can I just rebuild only the httpd from source? Thanks again.
> 
> Yes,
> 
> $ cd /usr/src/usr.sbin/httpd
> $ cvs up -PdA
> $ make obj && make depend && make
> $ su root -c 'make install'
> 

Thank you very much Stuart!



Re: iked ikev2 x509 authentication problem - no valid local certificate found

2015-10-04 Thread Rob
Sorry about the delay in replying.

I’ve finally managed to get things to work.  The patch, or rather upgrading to 
the latest iked in head helped.  Removing the 
‘ServerCertificateIssuerCommonName’ option from the Apple profile was the key 
bit that was causing problems.  According to the official docs [1], adding 
ServerCertificateIssuerCommonName should cause the VPN client to send a 
certificate request to the server based on the CA, but was actually stopping 
the ‘cert’ part of the server side validation from completing.

As a side point it seems that IOS 9.0.2 works as expected, but El Capitan 
10.11.1 (beta2) has a segmentation fault after connecting that causes the 
connection, after successful validation, to drop.  

So, for the record, using certs on IOS 9.0.2 work correctly without having to 
do any password validation. However, the latest El Capitan 10.11.1 beta fails 
due to an Apple side issue.

Thanks for all of your help.

Rob


[1] 
https://developer.apple.com/library/ios/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html



> On 1 Oct 2015, at 20:37, m...@alumni.chalmers.se wrote:
> 
> http://marc.info/?l=openbsd-tech=144362542514318=2
> <http://marc.info/?l=openbsd-tech=144362542514318=2>
> 
>> On 1 okt. 2015, at 21:25, Rob <lists-openbsd@somerandom.net> wrote:
>> 
>> Hi,
>> 
>> I’m a little stuck getting two different clients connected to my OpenBSD
>> 5.7 (i386) VPN ikev2 server.  I suspect the clients are at fault as I can
>> get past the error when connecting one OpenBSDs iked to another iked.
>> 
>> FWIW the clients are both Apple, one IOS 9.1 device and one OSX 10.11.1
>> laptop, so I’m a little stuck with the VPN client I can use.
>> 
>> I have the following configuration:
>> 
>> ikev2 "road_warrior" passive esp \
>>   from 192.168.20.0/24 to 192.168.40.0/24 \
>>   local 192.168.20.4 peer any \
>>   ikesa enc aes-128 prf hmac-sha2-256 \
>>   auth hmac-sha2-256 group modp2048 \
>>   childsa enc aes-128 auth hmac-sha2-256 \
>>   srcid "local.example.net" \
>>   dstid "peer.example.net" \
>>   config address 192.168.40.10/29 \
>>   config netmask 255.255.255.0 \
>>   config name-server 192.168.20.53 \
>>   config protected-subnet 192.168.40.0/24
>> 
>> (IPs and names have been changed to protect the innocent)
>> 
>> I have keys installed as follows:
>> 
>> /etc/iked/ca/example.net.crt
>> /etc/iked/certs/local.example.net.crt
>> /etc/iked/private/local.key
>> /etc/iked/pubkeys/fqdn/peer.example.net
>> /etc/iked/local.pub
>> 
>> 
>> I believe the client isn’t sending the certificate request, but I
>> could be completely wrong, the error appears to be:
>> 
>> ikev2_sa_negotiate: score 4
>> sa_stateflags: 0x18 -> 0x18 authvalid,sa (required 0x1f cert,certvalid,auth,authvalid,sa)
>> sa_stateok: VALID flags 0x18, require 0x1f cert,certvalid,auth,authvalid,sa
>> sa_state: cannot switch: AUTH_SUCCESS -> VALID
>> config_free_proposals: free 0x77286c80
>> ca_getreq: no valid local certificate found
>> 
>> The client is sending peer.example.net.crt to the server, which gets
>> validated correctly:
>> 
>> ca_validate_cert: /C=UK/L=London/O=Example Net/CN=peer.example.net ok
>> ikev2_dispatch_cert: peer certificate is valid
>> sa_stateflags: 0x1c -> 0x1e certvalid,auth,authvalid,sa (required 0x1f cert,certvalid,auth,authvalid,sa)
>> 
>> I’ve been at this for a number of days and am completely stuck, so if
>> anyone has any ideas/advice/clue-sticks I’d be very grateful.  If you
>> need any further log information please let me know.
>> 
>> 
>> thanks
>> 
>> Rob



Re: OS X 10.11 'El Capitan' IKEv2

2015-10-03 Thread Rob
Search for a utility on the App Store, by Apple called: Apple Configurator.  
This lets you generate a profile that allows you to set more of the VPN 
configuration than is available via the Network preference utility.  It says 
IKEv2 is only for IOS, but it successfully installs on OSX.  I’ve been using 
the profiles on El Capitan 10.11.x and IOS 9.x.  Unfortunately, it gets a lot 
further, but fails to complete due to ’no valid local certificate’ - I’ve yet 
to find the fix for this, despite some links being posted to a patch in this 
list.

FWIW the profiles worked correctly with OpenSWAN on FreeBSD.

> On 3 Oct 2015, at 05:40, matthew j weaver  wrote:
> 
>> On Aug 17, 2015, at 5:39 AM, Reyk Floeter  wrote:
>> 
>> On Sun, Aug 16, 2015 at 11:28:24PM +0300, Or Elimelech wrote:
>>> Hello misc,
>>> 
>>> Has anyone connected successfully between the new OS X ikev2 impl.
>>> To an OpenBSD box?
>>> 
>> 
>> No, we don't have the beta.
>> 
>> Reyk
> 
>  I’ve put some hours into it. Doesn’t work out of the box (no surprises).
> 
>  Right now, as far as I can tell, OS X sends a real dubious proposal. That 
> results in iked (rightly) not sending an auth response.
> 
> 
> ikev2_pld_sa: more 0 reserved 0 length 36 proposal #1 protoid ESP spisize 4 xforms 3 spi 0x00c7832b
> ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
> ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
> [...]
> ikev2_match_proposals: xform 1 <-> 2 (4): INTEGR HMAC_SHA1_96 (keylength 0 <-> 0)
> ikev2_match_proposals: xform 1 <-> 2 (2): ESN NONE (keylength 0 <-> 0)
> ikev2_sa_negotiate: score 0
> ikev2_ike_auth_recv: no proposal chosen
> ikev2_resp_recv: failed to send auth response
> 
> 
>  I’ve not yet surfaced where the ikev2 proposal/policy configs hide in OS X.
> 
>  cheers
>  weaver



Re: OS X 10.11 'El Capitan' IKEv2

2015-10-03 Thread Rob
Not unless Apple have released the App Store for OpenBSD ;-).

Try the following links: 
https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile & 
https://developer.apple.com/library/ios/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html.
That should be enough for you to set up a correct profile.


> On 3 Oct 2015, at 11:49, Ted Unangst <t...@tedunangst.com> wrote:
> 
> Rob wrote:
>> Search for a utility on the App Store, by Apple called: Apple Configurator.
> 
> does it run on openbsd..?



Re: OpenBSD sendfile

2015-10-02 Thread Rob
On Fri, 2 Oct 2015 07:38:28 + (UTC)
Stuart Henderson  wrote:

> On 2015-09-30, Bogdan Andu  wrote:
> > If one needs this linux-like crap, sendfile, and cannot disable it,
> > how is he supposed to handle it?
> 
> Run it on linux?
> 
> I'm surprised Yaws needs it though, from what it says on their website
> it looks optional.
> 

Sendfile support IS optional, from the include.mk:

ifeq ($(HAVE_SENDFILE),true)
  ERLC_GENERIC_FLAGS += -DHAVE_SENDFILE
endif

ifeq ($(HAVE_ERLANG_SENDFILE),true)
  ERLC_GENERIC_FLAGS += -DHAVE_ERLANG_SENDFILE
endif

So check what is happening and send a report to YAWS if sendfile seems
to be mandatory on OpenBSD, as then there is a bug in the makefile
generation.



iked ikev2 x509 authentication problem - no valid local certificate found

2015-10-01 Thread Rob
Hi,

I’m a little stuck getting two different clients connected to my OpenBSD
5.7 (i386) VPN ikev2 server.  I suspect the clients are at fault as I can
get past the error when connecting one OpenBSDs iked to another iked.

FWIW the clients are both Apple, one IOS 9.1 device and one OSX 10.11.1
laptop, so I’m a little stuck with the VPN client I can use.

I have the following configuration:

ikev2 "road_warrior" passive esp \
from 192.168.20.0/24 to 192.168.40.0/24 \
local 192.168.20.4 peer any \
ikesa enc aes-128 prf hmac-sha2-256 \
auth hmac-sha2-256 group modp2048 \
childsa enc aes-128 auth hmac-sha2-256 \
srcid "local.example.net" \
dstid "peer.example.net" \
config address 192.168.40.10/29 \
config netmask 255.255.255.0 \
config name-server 192.168.20.53 \
config protected-subnet 192.168.40.0/24

(IPs and names have been changed to protect the innocent)

I have keys installed as follows:

/etc/iked/ca/example.net.crt
/etc/iked/certs/local.example.net.crt
/etc/iked/private/local.key
/etc/iked/pubkeys/fqdn/peer.example.net
/etc/iked/local.pub


I believe the client isn’t sending the certificate request, but I
could be completely wrong, the error appears to be:

ikev2_sa_negotiate: score 4
sa_stateflags: 0x18 -> 0x18 authvalid,sa (required 0x1f cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x18, require 0x1f cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
config_free_proposals: free 0x77286c80
ca_getreq: no valid local certificate found

The client is sending peer.example.net.crt to the server, which gets
validated correctly:

ca_validate_cert: /C=UK/L=London/O=Example Net/CN=peer.example.net ok
ikev2_dispatch_cert: peer certificate is valid
sa_stateflags: 0x1c -> 0x1e certvalid,auth,authvalid,sa (required 0x1f cert,certvalid,auth,authvalid,sa)

I’ve been at this for a number of days and am completely stuck, so if
anyone has any ideas/advice/clue-sticks I’d be very grateful.  If you
need any further log information please let me know.


thanks

Rob
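
Added example (not part of the original post and not iked's own code): a small decoder for the `sa_stateflags` records quoted in the message above, reporting which required flags are still unset at each step and re-joining records that a mail client has wrapped. The bit values are an assumption inferred from the names printed beside each hex value in the post's log; the function names are hypothetical.

```python
import re

# Bit values inferred from the names printed beside each hex value in the
# post's log (an assumption, not copied from iked's source): the names are
# listed lowest bit first, 0x18 = authvalid,sa and 0x1f = all five flags.
FLAGS = [(0x01, "cert"), (0x02, "certvalid"), (0x04, "auth"),
         (0x08, "authvalid"), (0x10, "sa")]

STATEFLAGS_RE = re.compile(
    r"sa_stateflags: (0x[0-9a-f]+) -> (0x[0-9a-f]+) (\S+) "
    r"\(required (0x[0-9a-f]+) (\S+)\)")
RECORD_START_RE = re.compile(r"[a-z0-9_]+: ")

# Log lines taken from the post, including two records wrapped in transit.
SAMPLE_LOG = """\
ikev2_sa_negotiate: score 4
sa_stateflags: 0x18 -> 0x18 authvalid,sa (required 0x1f
cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x18, require 0x1f cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
ca_getreq: no valid local certificate found
ca_validate_cert: /C=UK/L=London/O=Example Net/CN=peer.example.net ok
ikev2_dispatch_cert: peer certificate is valid
sa_stateflags: 0x1c -> 0x1e certvalid,auth,authvalid,sa (required 0x1f
cert,certvalid,auth,authvalid,sa)
"""


def decode(value):
    """Return the flag names set in value, lowest bit first."""
    return [name for bit, name in FLAGS if value & bit]


def unwrap(text):
    """Re-join log records that were wrapped onto a continuation line."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # A record starts with "function_name: "; anything else is the tail
        # of the previous record.
        if RECORD_START_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def analyse(text):
    """Decode every sa_stateflags record and list the flags still missing."""
    results = []
    for record in unwrap(text):
        match = STATEFLAGS_RE.search(record)
        if not match:
            continue
        old, new, required = (int(match.group(i), 16) for i in (1, 2, 4))
        # Cross-check the assumed bit table against the names in the log.
        if (decode(new) != match.group(3).split(",")
                or decode(required) != match.group(5).split(",")):
            raise ValueError("flag table does not match record: " + record)
        results.append({"old": old, "new": new, "required": required,
                        "missing": decode(required & ~new)})
    return results


def summarise(text):
    """Final missing flags plus whether the local-certificate error appears."""
    steps = analyse(text)
    return {
        "final_missing": steps[-1]["missing"] if steps else [],
        "local_cert_error": any(
            r.startswith("ca_getreq: no valid local certificate found")
            for r in unwrap(text)),
    }


if __name__ == "__main__":
    for step in analyse(SAMPLE_LOG):
        print("0x%02x -> 0x%02x, still missing: %s"
              % (step["old"], step["new"], ",".join(step["missing"])))
    print(summarise(SAMPLE_LOG))
```

On the sample, the last record leaves only `cert` unset, in the same trace as the `ca_getreq` message, while the peer certificate itself validates.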



Re: update/upgrade

2015-09-20 Thread Rob Pierce
On Sun, Sep 20, 2015 at 10:36:12PM -0400, Quartz wrote:
> >Does your embedded storage run NOR/NAND or something like SDHC Memory
> >Cards?
> >
> >If your systems are running SDHC you can easily create clones with a
> >laptop & the DD utility.
> 
> A couple of them do, but it doesn't matter in this case. The main issue with
> compiling is that it can effectively knock the system offline for hours
> which isn't acceptable. Any process that involves shutting the machine off
> or booting into a separate OS image has the same problem.
> 
> It's just a question of minimizing downtime.

If availability is critical you might consider redundancy with CARP/pfsync.



Re: anoncvs.html.head

2015-09-13 Thread Rob Pierce
> Thanks Stuart. I am preparing a new diff which I will send shortly.

I am holding off on sending the next diff until I figure out how to ensure
that my diff does not get mangled by my email client. In particular, a
hash (#) in an HTML anchor tag seems to get hosed by my zimbra web client.

Playing with fetchmail, sendmail and mutt on my new OpenBSD desktop.

Almost there...

Rob



anoncvs.html.head

2015-09-13 Thread Rob Pierce
Simplified diff for consideration.

I kept the change from "file sets" to "source files" as "file sets" has
special meaning in the OpenBSD installation process.

Also, only href the first instances of cvs(1).

Regards,

Index: anoncvs.html.head
===
RCS file: /cvs/www/build/mirrors/anoncvs.html.head,v
retrieving revision 1.42
diff -u -p -r1.42 anoncvs.html.head
--- anoncvs.html.head   2 Sep 2015 13:11:30 -   1.42
+++ anoncvs.html.head   14 Sep 2015 01:01:28 -
@@ -39,7 +39,7 @@ source repositories:
 
   src - Houses all source code for the OpenBSD Operating System.
   ports - Houses the OpenBSD 
Ports.
-  www - Houses all OpenBSD web pages. (Including this one).
+  www - Houses all OpenBSD web pages (including this one).
   xenocara - Houses OpenBSD's active X.org v7 source tree.
   X11 and XF4 - Houses OpenBSD's adaptation of the
   http://www.XFree86.org/;>XFree86-3 and XFree86-4
@@ -135,17 +135,18 @@ Assuming the downloaded files, src.t
 
 
 
-Not all people will wish to unpack all the file sets, but as the system
+Not all people will wish to unpack all the source files, but as the system
 must be kept in sync, you will generally need to set up all trees.
 
 
-You can also just use cvs(1) to "checkout" the source repository
+You can also just use
+http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/cvs.1?query=cvs
+to "checkout" the source repository
 for you. This is discussed in the next section.
 
 
 After this, /usr/src will be a nice checkout area where all
-http://www.openbsd.org/cgi-bin/man.cgi?query=cvssektion=1format=html;>
-cvs(1) commands will work properly.
+cvs(1) commands will work properly.
 
 Using CVS to Get and Update your 
 Source Tree
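Review bot: The link added on the "You can also just use" line uses a different URL form (man.cgi/OpenBSD-current/man1/cvs.1?query=cvs) from the one removed further down in this hunk (man.cgi?query=cvs...), while the description only says that the first instance of cvs(1) keeps its href. If the page has other man.cgi links in the old form, either convert them in the same commit or say in the message why only this one changes, so the page does not end up with two link styles.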
@@ -166,10 +167,10 @@ CVS server you are going to use.  A list
 
 
 Once you have chosen which Anonymous CVS Server you will
-use, you can start using cvs. For those of you
+use, you can start using cvs(1). For those of you
 who have CDs you can start with the CVS checkout that is on the CD by using
 the method above to get the sources onto your system.
-If you don't have a CD handy, use the method below to checkout the sources.
+If you don't have a CD handy, use the method below to checkout the sources:
 
 
 First, start out by `get'-ing an initial tree:
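Review bot: On the last changed line, "checkout" is used as a verb ("use the method below to checkout the sources:"). Since the line is being touched for the colon anyway, "check out" would be the better form there, leaving "checkout" for the noun as in "the CVS checkout that is on the CD" two lines up.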
@@ -210,9 +211,11 @@ Confirm this, and the fingerprint will t
...
 
 
+
 Note that the above format with SHA256 fingerprints was added after the
 release of OpenBSD 5.6; older versions only use MD5 fingerprints.
 
+
  Anytime afterwards, to `update' this tree:
  (If you are following current):
 
@@ -234,7 +237,7 @@ to merge changes in.
  NOTE:
 If you are updating a source tree that you initially fetched
 from a different server, or from a CD, you must
-add the -d [cvsroot] option to cvs.
+add the -d [cvsroot] option to cvs:
 
# cd /usr/src
# cvs -d anon...@anoncvs.ca.openbsd.org:/cvs -q up -Pd
@@ -299,7 +302,7 @@ operation and get thoroughly involved in
 before getting "commit" access -- as a result of showing useful
 skills and high quality results they will naturally later be given
 developer access.
-As well, people providing patches can create their "diff"s relative
+As well, people providing patches can create their diffs relative
 to the CVS tree, which will ease integration.
 
 Example usages for cvs(1)



Re: Question about quotation rules

2015-09-13 Thread Rob Pierce
Hey Anthony,

- Original Message -
> From: "Anthony J. Bentley" <anth...@anjbe.name>
> To: "Rob Pierce" <r...@2keys.ca>
> Cc: "misc" <misc@openbsd.org>
> Sent: Saturday, September 12, 2015 12:26:04 AM
> Subject: Re: Question about quotation rules

> Hi Rob,
> 
> Rob Pierce writes:
>> Good evening,
>> 
>> Is there a written/unwritten rule for using quotation marks? Do man pages and
>>  web pages follow the same rules?
>> 
>> When would I use 'this', "this", `this', ``this'', “this“, etc.?
> 
> Generally:
> 
> In manuals, use .Dq and .Sq for double and single quotes.
> 
> In www, use " and '.
> 
> 
> There are some other macros in mdoc(7) that generate quote marks (.Qq
> and friends), when you specifically need straight quotes (e.g., code
> listings) and can't just type " directly (e.g., on a macro line).
> 
> For personal webpages I use UTF-8 quotes (U+2019/A, U+201C/D) directly.
> But for pages with many authors, like www.openbsd.org, it's best to go
> with what's simple and works: " and '. Keep the burden on authors light.
> The text is what's important.
> 
> `` '' is an artifact. The only place they look balanced is on the console
> and in troff's PDF output. Everywhere else (such as the xterm and firefox
> defaults) has displayed this unbalanced for years. " looks better and is
> easier to type.
> 
> --
> Anthony J. Bentley

Great - that is the guidance I was looking for. Thanks!



Re: Question about quotation rules

2015-09-13 Thread Rob Pierce
- Original Message -
> From: "Random832" <random...@fastmail.com>
> To: "misc" <misc@openbsd.org>
> Sent: Friday, September 11, 2015 8:09:10 PM
> Subject: Re: Question about quotation rules

> Rob Pierce <r...@2keys.ca> writes:
> 
>> Good evening,
>>
>> Is there a written/unwritten rule for using quotation marks? Do man
>> pages and web pages follow the same rules?
>>
>> When would I use 'this', "this", `this', ``this'', “this“, etc.?
>>
>> I guess this can be both a source problem as well as a display problem.
>>
>> Any suggestions regarding reasonable expectations for web page/man
>> page consistency?
> 
> There are macros for quotes in manpages in mdoc(7). The rendering is
> device-dependent - on terminals, it will be unicode quotation marks in
> unicode locales, and ``this'' in non-unicode locales.

Ok - thanks for your response. I have been looking at mdoc...



security.html

2015-09-13 Thread Rob Pierce
Simplified diff. Full stop and standard unidirectional quotation marks.

Rob

Index: security.html
===
RCS file: /cvs/www/security.html,v
retrieving revision 1.422
diff -u -p -r1.422 security.html
--- security.html   2 Jul 2015 05:49:04 -   1.422
+++ security.html   14 Sep 2015 03:25:38 -
@@ -112,7 +112,7 @@ skills.
 Some members of our security auditing team worked for Secure Networks,
 the company that made the industry's premier network security scanning
 software package Ballista (Secure Networks got purchased by Network
-Associates, Ballista got renamed to Cybercop Scanner, and well...)
+Associates, Ballista got renamed to Cybercop Scanner, and well...).
 That company did a lot of security research, and thus fit in well
 with the OpenBSD stance.  OpenBSD passed Ballista's tests with flying
 colours since day 1.
@@ -126,8 +126,8 @@ have fixed many simple and obvious carel
 and only months later discovered that the problems were in fact
 exploitable.  (Or, more likely someone on
 http://online.securityfocus.com/archive/1;>BUGTRAQ
-would report that other operating systems were vulnerable to a `newly
-discovered problem', and then it would be discovered that OpenBSD had
+would report that other operating systems were vulnerable to a "newly
+discovered problem", and then it would be discovered that OpenBSD had
 been fixed in a previous release).  In other cases we have been saved
 from full exploitability of complex step-by-step attacks because we
 had fixed one of the intermediate steps.  An example of where we
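Review bot: The parenthetical that opens at "(Or, more likely someone on" is a complete sentence of its own, yet the context line still closes it as "release)." with the full stop outside the bracket. As this diff is about full stops and quotation marks, "release.)" would be consistent here, and a comma after "more likely" would help the sentence read.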
@@ -165,7 +165,7 @@ written somewhere, but perhaps not taken
 The Reward
 
 Our proactive auditing process has really paid off.  Statements like
-``This problem was fixed in OpenBSD about 6 months ago'' have become
+"This problem was fixed in OpenBSD about 6 months ago" have become
 commonplace in security forums like
 http://online.securityfocus.com/archive/1;>BUGTRAQ.



Re: anoncvs.html.head

2015-09-12 Thread Rob Pierce
- Original Message -
> From: "Stuart Henderson" <s...@spacehopper.org>
> To: "misc" <misc@openbsd.org>
> Sent: Saturday, September 12, 2015 11:58:29 AM
> Subject: Re: anoncvs.html.head

> On 2015-09-11, Rob Pierce <r...@2keys.ca> wrote:
>>src - Houses all source code for the OpenBSD Operating System.
>>ports - Houses the OpenBSD 
>> Ports.
>> -  www - Houses all OpenBSD web pages. (Including this one).
>> +  www - Houses all OpenBSD web pages (including this one).
> 
> I like that
> 
>>xenocara - Houses OpenBSD's active X.org v7 source tree.
>>X11 and XF4 - Houses OpenBSD's adaptation of the
>>http://www.XFree86.org/;>XFree86-3 and XFree86-4
>> @@ -122,7 +122,7 @@ with only one part of the tree.  The two
>>  which contains the files used to create the kernel, and src.tar.gz
>>  which contains all the other "userland" utilities.
>>  In general, however, you will usually want both of them installed.
>> -Assuming the downloaded files, src.tar.gz,
>> +Assuming the downloaded files src.tar.gz,
>> sys.tar.gz and xenocara.tar.gz are in /usr:
> 
> I think this was OK as it was
> 
>> 
>> -Not all people will wish to unpack all the file sets, but as the system
>> +Not all people will wish to unpack all the source file, but as the system
>>  must be kept in sync, you will generally need to set up all trees.
> 
> and this (and the new sentence doesn't quite make sense)
> 
>> 
>> -You can also just use cvs(1) to "checkout" the source repository
>> +You can also just use
>> +> href="http://www.openbsd.org/cgi-bin/man.cgi?query=cvssektion=1format=html;>cvs(1)
>> +to "checkout" the source repository
>>  for you. This is discussed in the next section.
> 
> OK I guess, though I don't think we need to hyperlink every instance of
> a program name
> 
>> @@ -160,16 +162,12 @@ from the errata>  For more information on these "flavors" of OpenBSD, see
>> here.
>>  
>> -Once you have decided which tree to follow, you must choose which 
>> Anonymous
>> -CVS server you are going to use.  A list of these servers is
>> -below.
>> -
>> 
>> -Once you have chosen which Anonymous CVS Server you 
>> will
>> -use, you can start using cvs. For those of you
>> +Once you have decided which tree to follow, and which > href="#CVSROOT">Anonymous CVS Server you will
> 
> Please try and keep <80 columns in the source file where sensible
> 
>> +use, you can start using > href="http://www.openbsd.org/cgi-bin/man.cgi?query=cvssektion=1format=html;>cvs(1).
>> For those of you
>>  who have CDs you can start with the CVS checkout that is on the CD by using
>>  the method above to get the sources onto your 
>> system.
>> -If you don't have a CD handy, use the method below to checkout the sources.
>> +If you don't have a CD handy, use the method below to checkout the sources:
>>  
>> 
>> First, start out by `get'-ing an initial tree:
>> @@ -210,9 +208,11 @@ Confirm this, and the fingerprint will t
>>  ...
>> 
>>  
>> +
>>  Note that the above format with SHA256 fingerprints was added after the
>>  release of OpenBSD 5.6; older versions only use MD5 fingerprints.
>>  
>> +
>>  Anytime afterwards, to `update' this tree:
>>  (If you are following current):
>> 
>> @@ -234,7 +234,7 @@ to merge changes in.
>>  NOTE:
>>  If you are updating a source tree that you initially fetched
>>  from a different server, or from a CD, you must
>> -add the -d [cvsroot] option to cvs.
>> +add the -d [cvsroot] option to cvs:
>> 
>>  # cd /usr/src
>>  # cvs -d anon...@anoncvs.ca.openbsd.org:/cvs -q up -Pd
>> @@ -295,11 +295,11 @@ directory, and a subsequent update will
>>  
>> 
>>  The anoncvs service gives fledgling developers a chance to learn CVS
>> -operation and get thoroughly involved in the development process
>> +operations and get thoroughly involved in the development process
> 
> "operation" already seems ok
> 
>>  before getting "commit" access -- as a result of showing useful
>>  skills and high quality results they will naturally later be given
>>  developer access.
>> -As well, people providing patches can create their "diff"s relative
>> +As well, people providing patches can create their diffs relative
>>  to the CVS tree, which will ease integration.
>>  
> > Example usages for cvs(1)

Thanks Stuart. I am preparing a new diff which I will send shortly.



Re: anoncvs.html.head

2015-09-12 Thread Rob Pierce
Thanks Benny. I will review again and resubmit.

Some responses in-line below.

- Original Message -
> From: "Benny Lofgren" <bl-li...@lofgren.biz>
> To: "misc" <misc@openbsd.org>
> Sent: Saturday, September 12, 2015 8:01:58 AM
> Subject: Re: anoncvs.html.head

> Hi Rob,
> 
> On 2015-09-12 01:15, Rob Pierce wrote:
>> This diff is a resend against the correct file:
>>  - some punctuation, line spacing and minor grammar fixes
>>  - "file sets" has a special meaning, so don't refer to src.tar.gz,
>>  xenocara.tar.gz, ports.tar.gz as "file sets"
>>  - cvs(1) hrefs
>>  - "diffs" is already used earlier on the page, so don't quote it
>> Index: anoncvs.html.head
>> ===
>> RCS file: /cvs/www/build/mirrors/anoncvs.html.head,v
>> retrieving revision 1.42
>> diff -u -p -r1.42 anoncvs.html.head
>> --- anoncvs.html.head2 Sep 2015 13:11:30 -   1.42
>> +++ anoncvs.html.head11 Sep 2015 22:10:15 -
> 
> Just a few comments inline below. I think you posted this or a similar
> diff to tech@ the other day, so maybe this is in the wrong place, but
> I'll leave the comment as well in misc@ to avoid confusion.
> 
> 
> ...
>> @@ -135,11 +135,13 @@ Assuming the downloaded files, src.t
>>  
>>  
>>  
>> -Not all people will wish to unpack all the file sets, but as the system
>> +Not all people will wish to unpack all the source file, but as the system
> 
> I think "source files" (plural), alternatively "all of the source file"
> depending on your intention?

Yes, I missed that - thanks.

> 
>>  must be kept in sync, you will generally need to set up all trees.
>>  
>>  
>> -You can also just use cvs(1) to "checkout" the source repository
>> +You can also just use
>> +> href="http://www.openbsd.org/cgi-bin/man.cgi?query=cvssektion=1format=html;>cvs(1)
>> +to "checkout" the source repository
> 
> Is that the correct URL? The use of "sektion" (which is a Swedish,
> Danish or German spelling :-) ) instead of "sec" caught my eye.
> 
> When I do the same search directly from www.openbsd.org I get this:
> 
> http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/cvs.1?query=cvs=1
> 
> (I realize that the link you used is the same one already used elsewhere
> in this page. But even if I copy and paste that link into my browser,
> the web server redirects it to the one I pasted here. Maybe there is
> some legacy stuff going on here, perhaps a server side change not yet
> reflected in all of the html pages?)

I will look into that. I must admit that I tend to grab existing text to
complete an href, but in the future I will do the lookup and grab the
actual URL. I was wondering where sektion came from!

>>  for you. This is discussed in the next section.
>>  
>>  
>> @@ -160,16 +162,12 @@ from the errata>  For more information on these "flavors" of OpenBSD, see
>>  here.
>>  
>> -Once you have decided which tree to follow, you must choose which 
>> Anonymous
>> -CVS server you are going to use.  A list of these servers is
>> -below.
>> -
>>  
>> -Once you have chosen which Anonymous CVS Server you 
>> will
>> -use, you can start using cvs. For those of you
>> +Once you have decided which tree to follow, and which > href="#CVSROOT">Anonymous CVS Server you will
>> +use, you can start using > href="http://www.openbsd.org/cgi-bin/man.cgi?query=cvssektion=1format=html;>cvs(1).
>> For those of you
> 
> I don't know about you or the developers, but personally I kind of
> prefer the original wording and paragraph division, except I would
> change the second paragraph's repetitious use of "Once you have..." to
> something like "When you have..." instead.

Ok. I should stay away from "style" changes, and stick to obvious corrections
and/or functional text changes. This just seemed a bit awkward to me.

> 
> 
> And maybe remove the second href to the cvs server list. I don't know
> about official policy here, but having several identical links so close
> to each other in a text always confuses me and makes me click on all of
> them, only to be annoyed I end up in the same place. :-)
> 
> One objection to this would be that people who only read the second
> paragraph in this example would miss the link altogether. I would then
> contend that if you don't have the habit and patience of reading ALL the
> relevant parts of a given piece of documentation

Re: ftp.html

2015-09-11 Thread Rob Pierce
Thanks Stuart - I totally missed that! I will also correct my anoncvs.html diff 
and resend against the correct file(s). Appreciate the response.

How about this?

Index: ftp.html.head
===
RCS file: /cvs/www/build/mirrors/ftp.html.head,v
retrieving revision 1.21
diff -u -p -r1.21 ftp.html.head
--- ftp.html.head   25 Jul 2015 19:16:47 -  1.21
+++ ftp.html.head   11 Sep 2015 21:09:36 -
@@ -61,7 +61,7 @@ upgrade your system very quickly.
 Download via
   HTTP/FTP
 
-OpenBSD can be also easily installed via HTTP or FTP.
+OpenBSD can also be obtained via HTTP or FTP.
 Typically you need a single small piece of boot media (e.g., a boot floppy)
 and then the rest of the files can be installed from a number of locations,
 including directly off the Internet.



Re: anoncvs.html.head

2015-09-11 Thread Rob Pierce
See attached.

- Original Message -
From: "Rob Pierce" <r...@2keys.ca>
To: "misc" <misc@openbsd.org>
Sent: Friday, September 11, 2015 6:30:33 PM
Subject: anoncvs.html.head

This diff is a resend against the correct file:

 - some punctuation, line spacing and minor grammar fixes
 - "file sets" has a special meaning, so don't refer to src.tar.gz, 
xenocara.tar.gz, ports.tar.gz as "file sets"
 - cvs(1) hrefs
 - "diffs" is already used earlier on the page, so don't quote it

Rob
Index: anoncvs.html.head
===
RCS file: /cvs/www/build/mirrors/anoncvs.html.head,v
retrieving revision 1.42
diff -u -p -r1.42 anoncvs.html.head
--- anoncvs.html.head   2 Sep 2015 13:11:30 -   1.42
+++ anoncvs.html.head   11 Sep 2015 22:10:15 -
@@ -39,7 +39,7 @@ source repositories:
 
   src - Houses all source code for the OpenBSD Operating System.
   ports - Houses the OpenBSD 
Ports.
-  www - Houses all OpenBSD web pages. (Including this one).
+  www - Houses all OpenBSD web pages (including this one).
   xenocara - Houses OpenBSD's active X.org v7 source tree.
   X11 and XF4 - Houses OpenBSD's adaptation of the
   http://www.XFree86.org/;>XFree86-3 and XFree86-4
@@ -122,7 +122,7 @@ with only one part of the tree.  The two
 which contains the files used to create the kernel, and src.tar.gz
 which contains all the other "userland" utilities.
 In general, however, you will usually want both of them installed.
-Assuming the downloaded files, src.tar.gz,
+Assuming the downloaded files src.tar.gz,
 sys.tar.gz and xenocara.tar.gz are in /usr:
 
 
@@ -135,11 +135,13 @@ Assuming the downloaded files, src.t
 
 
 
-Not all people will wish to unpack all the file sets, but as the system
+Not all people will wish to unpack all the source file, but as the system
 must be kept in sync, you will generally need to set up all trees.
 
 
-You can also just use cvs(1) to "checkout" the source repository
+You can also just use
+http://www.openbsd.org/cgi-bin/man.cgi?query=cvssektion=1format=html;>cvs(1)
+to "checkout" the source repository
 for you. This is discussed in the next section.
 
 
@@ -160,16 +162,12 @@ from the erratahere.
 
-Once you have decided which tree to follow, you must choose which Anonymous
-CVS server you are going to use.  A list of these servers is
-below.
-
 
-Once you have chosen which Anonymous CVS Server you will
-use, you can start using cvs. For those of you
+Once you have decided which tree to follow, and which Anonymous CVS Server you will
+use, you can start using http://www.openbsd.org/cgi-bin/man.cgi?query=cvssektion=1format=html;>cvs(1).
 For those of you
 who have CDs you can start with the CVS checkout that is on the CD by using
 the method above to get the sources onto your system.
-If you don't have a CD handy, use the method below to checkout the sources.
+If you don't have a CD handy, use the method below to checkout the sources:
 
 
 First, start out by `get'-ing an initial tree:
@@ -210,9 +208,11 @@ Confirm this, and the fingerprint will t
...
 
 
+
 Note that the above format with SHA256 fingerprints was added after the
 release of OpenBSD 5.6; older versions only use MD5 fingerprints.
 
+
  Anytime afterwards, to `update' this tree:
  (If you are following current):
 
@@ -234,7 +234,7 @@ to merge changes in.
  NOTE:
 If you are updating a source tree that you initially fetched
 from a different server, or from a CD, you must
-add the -d [cvsroot] option to cvs.
+add the -d [cvsroot] option to cvs:
 
# cd /usr/src
# cvs -d anon...@anoncvs.ca.openbsd.org:/cvs -q up -Pd
@@ -295,11 +295,11 @@ directory, and a subsequent update will 
 
 
 The anoncvs service gives fledgling developers a chance to learn CVS
-operation and get thoroughly involved in the development process
+operations and get thoroughly involved in the development process
 before getting "commit" access -- as a result of showing useful
 skills and high quality results they will naturally later be given
 developer access.
-As well, people providing patches can create their "diff"s relative
+As well, people providing patches can create their diffs relative
 to the CVS tree, which will ease integration.
 
 Example usages for cvs(1)



anoncvs.html.head

2015-09-11 Thread Rob Pierce
This diff is a resend against the correct file:

 - some punctuation, line spacing and minor grammar fixes
 - "file sets" has a special meaning, so don't refer to src.tar.gz, 
xenocara.tar.gz, ports.tar.gz as "file sets"
 - cvs(1) hrefs
 - "diffs" is already used earlier on the page, so don't quote it

Rob


Index: anoncvs.html.head
===
RCS file: /cvs/www/build/mirrors/anoncvs.html.head,v
retrieving revision 1.42
diff -u -p -r1.42 anoncvs.html.head
--- anoncvs.html.head   2 Sep 2015 13:11:30 -   1.42
+++ anoncvs.html.head   11 Sep 2015 22:10:15 -
@@ -39,7 +39,7 @@ source repositories:
 
   src - Houses all source code for the OpenBSD Operating System.
   ports - Houses the OpenBSD 
Ports.
-  www - Houses all OpenBSD web pages. (Including this one).
+  www - Houses all OpenBSD web pages (including this one).
   xenocara - Houses OpenBSD's active X.org v7 source tree.
   X11 and XF4 - Houses OpenBSD's adaptation of the
   http://www.XFree86.org/;>XFree86-3 and XFree86-4
@@ -122,7 +122,7 @@ with only one part of the tree.  The two
 which contains the files used to create the kernel, and src.tar.gz
 which contains all the other "userland" utilities.
 In general, however, you will usually want both of them installed.
-Assuming the downloaded files, src.tar.gz,
+Assuming the downloaded files src.tar.gz,
 sys.tar.gz and xenocara.tar.gz are in /usr:
 
 
@@ -135,11 +135,13 @@ Assuming the downloaded files, src.t
 
 
 
-Not all people will wish to unpack all the file sets, but as the system
+Not all people will wish to unpack all the source file, but as the system
 must be kept in sync, you will generally need to set up all trees.
 
 
-You can also just use cvs(1) to "checkout" the source repository
+You can also just use
+http://www.openbsd.org/cgi-bin/man.cgi?query=cvssektion=1format=html;>cvs(1)
+to "checkout" the source repository
 for you. This is discussed in the next section.
 
 
@@ -160,16 +162,12 @@ from the erratahere.
 
-Once you have decided which tree to follow, you must choose which Anonymous
-CVS server you are going to use.  A list of these servers is
-below.
-
 
-Once you have chosen which Anonymous CVS Server you will
-use, you can start using cvs. For those of you
+Once you have decided which tree to follow, and which Anonymous CVS Server you will
+use, you can start using http://www.openbsd.org/cgi-bin/man.cgi?query=cvssektion=1format=html;>cvs(1).
 For those of you
 who have CDs you can start with the CVS checkout that is on the CD by using
 the method above to get the sources onto your system.
-If you don't have a CD handy, use the method below to checkout the sources.
+If you don't have a CD handy, use the method below to checkout the sources:
 
 
 First, start out by `get'-ing an initial tree:
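Review bot: The merged paragraph drops "A list of these servers is below." from the removed lines, so the explicit pointer to the server list is lost. The first added line ("Once you have decided which tree to follow, and which Anonymous CVS Server you will") also runs past 80 columns; please re-wrap it, and consider keeping the two short paragraphs, which were easier to scan.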
@@ -210,9 +208,11 @@ Confirm this, and the fingerprint will t
...
 
 
+
 Note that the above format with SHA256 fingerprints was added after the
 release of OpenBSD 5.6; older versions only use MD5 fingerprints.
 
+
  Anytime afterwards, to `update' this tree:
  (If you are following current):
 
@@ -234,7 +234,7 @@ to merge changes in.
  NOTE:
 If you are updating a source tree that you initially fetched
 from a different server, or from a CD, you must
-add the -d [cvsroot] option to cvs.
+add the -d [cvsroot] option to cvs:
 
# cd /usr/src
# cvs -d anon...@anoncvs.ca.openbsd.org:/cvs -q up -Pd
@@ -295,11 +295,11 @@ directory, and a subsequent update will 
 
 
 The anoncvs service gives fledgling developers a chance to learn CVS
-operation and get thoroughly involved in the development process
+operations and get thoroughly involved in the development process
 before getting "commit" access -- as a result of showing useful
 skills and high quality results they will naturally later be given
 developer access.
-As well, people providing patches can create their "diff"s relative
+As well, people providing patches can create their diffs relative
 to the CVS tree, which will ease integration.
 
 Example usages for cvs(1)
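Review bot: quoting is now inconsistent inside this one paragraph: the "+As well, people providing patches can create their diffs relative" line loses its quotes, while the unchanged line just above still has "commit" in quotes. Pick one convention for both terms.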

[demime 1.01d removed an attachment of type text/x-patch which had a name of 
cvs.diff.anoncvs.html.head]



Question about quotation rules

2015-09-11 Thread Rob Pierce
Good evening,

Is there a written/unwritten rule for using quotation marks? Do man pages and 
web pages follow the same rules?

When would I use 'this', "this", `this', ``this'', “this“, etc.?

I guess this can be both a source problem as well as a display problem.

Any suggestions regarding reasonable expectations for web page/man page 
consistency?

U+0022  QUOTATION MARK               "
U+0027  APOSTROPHE                   '
U+0060  GRAVE ACCENT                 `
U+00B4  ACUTE ACCENT                 ´
U+2018  LEFT SINGLE QUOTATION MARK   ‘
U+2019  RIGHT SINGLE QUOTATION MARK  ’
U+201C  LEFT DOUBLE QUOTATION MARK   “
U+201D  RIGHT DOUBLE QUOTATION MARK  ”

Many thanks.

Rob



Re: ftp.html

2015-09-11 Thread Rob Pierce
Agreed about the word order. How about this?

Index: ftp.html
===
RCS file: /cvs/www/ftp.html,v
retrieving revision 1.673
diff -u -p -r1.673 ftp.html
--- ftp.html25 Jul 2015 19:24:18 -  1.673
+++ ftp.html11 Sep 2015 12:30:18 -
@@ -61,7 +61,7 @@ upgrade your system very quickly.
 Download via
   HTTP/FTP
 
-OpenBSD can be also easily installed via HTTP or FTP.
+OpenBSD can also be easily obtained via HTTP or FTP.
 Typically you need a single small piece of boot media (e.g., a boot floppy)
 and then the rest of the files can be installed from a number of locations,
 including directly off the Internet.
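Review bot: the context right after the changed line still says the rest of the files "can be installed from a number of locations, including directly off the Internet", which keeps the install wording that the "+OpenBSD can also be easily obtained via HTTP or FTP." line moves away from. If the point is that FTP is only a way to fetch files, that following sentence and the "HTTP/FTP" heading need the same treatment.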



ftp.html

2015-09-11 Thread Rob Pierce
Reword since FTP is no longer used for installation (although the files can 
still be obtained via FTP).

Index: ftp.html
===
RCS file: /cvs/www/ftp.html,v
retrieving revision 1.673
diff -u -p -r1.673 ftp.html
--- ftp.html25 Jul 2015 19:24:18 -  1.673
+++ ftp.html11 Sep 2015 12:30:18 -
@@ -61,7 +61,7 @@ upgrade your system very quickly.
 Download via
   HTTP/FTP
 
-OpenBSD can be also easily installed via HTTP or FTP.
+OpenBSD can be also easily obtained via HTTP or FTP.
 Typically you need a single small piece of boot media (e.g., a boot floppy)
 and then the rest of the files can be installed from a number of locations,
 including directly off the Internet.
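Review bot: the "+OpenBSD can be also easily obtained via HTTP or FTP." line carries over the "can be also" word order from the old text; "can also be easily obtained" is the usual order and would be worth fixing in the same change.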



faq2.html

2015-09-10 Thread Rob Pierce
A few full stops and some line spacing.

Rob

Index: faq2.html
===
RCS file: /cvs/www/faq/faq2.html,v
retrieving revision 1.127
diff -u -p -r1.127 faq2.html
--- faq2.html   2 Jul 2015 05:49:04 -   1.127
+++ faq2.html   10 Sep 2015 14:47:30 -
@@ -117,7 +117,7 @@ a message body of "help".
 
 Your subscription to the OpenBSD mail lists can also be maintained through
 the web interface at
-http://lists.openbsd.org;>http://lists.openbsd.org
+http://lists.openbsd.org;>http://lists.openbsd.org.
 
 
 Some of the more popular OpenBSD mailing lists
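Review bot: on the "+" line the new full stop directly follows the URL text. Make sure it sits outside the link element, so that it is not rendered or copied as part of the address.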
@@ -345,7 +345,7 @@ characters?
 
 
 This is helpful to get the man page straight, with no non-printable
-characters.
+characters.
 Example:
 
 
@@ -641,7 +641,7 @@ ddb> show panic
 ddb> 
 
 
-In this case, the panic string was "Kernel: page fault trap, code=0"
+In this case, the panic string was "Kernel: page fault trap, code=0".
 
 
 Special note for SMP systems:
@@ -709,7 +709,7 @@ ddb 
 
 This tells us what function calls lead to the crash.
 
-To find out the particular line of C code that caused the crash, you can do 
the following:
+To find out the particular line of C code that caused the crash, you can do 
the following:
 Find the source file where the crashing function is defined in.
 In this example, that would be pf_route() in sys/net/pf.c.
 Recompile that source file with debug information:
@@ -732,7 +732,7 @@ In the output, grep for the function nam
 
 
 Take this first hex number and add the offset from the 'Stopped at' line:
-0x7d88 + 0x263 == 0x7feb.
+0x7d88 + 0x263 == 0x7feb.
 Scroll down to that line
 (the assembler instruction should match the one quoted in the 'Stopped at' 
line),
 then up to the nearest C line number:



href in faq3.html

2015-09-10 Thread Rob Pierce
Regards,

Index: faq3.html
===
RCS file: /cvs/www/faq/faq3.html,v
retrieving revision 1.93
diff -u -p -r1.93 faq3.html
--- faq3.html   2 Jul 2015 05:49:04 -   1.93
+++ faq3.html   11 Sep 2015 01:15:20 -
@@ -139,7 +139,7 @@ CD is always closer than any mirror. Acc
 In the same directory as the installation sets, each mirror includes a file
 named SHA256 which contains checksums of the various installation files.  You
 can confirm that none of the downloaded files were mangled in transit using
-the sha256(1) command:
+the http://www.openbsd.org/cgi-bin/man.cgi?query=sha256sektion=1;>sha256(1)
 command:
 
 
 $ sha256 -c SHA256
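Review bot: since this paragraph is being touched anyway, its security claim deserves a second look: the SHA256 file is described as living "in the same directory as the installation sets" on each mirror, so "sha256 -c SHA256" detects files mangled in transit, as the text says, but says nothing about whether the mirror's copy is authentic. A short sentence stating that limit would be a useful addition next to the new sha256(1) link.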



PkgCheck.pm can't locate new

2014-02-10 Thread Rob Fabry
I'm trying to install OpenBSD on a new machine so I can learn how to setup a
router, but running into a strange problem.

A Supermicro 5015A-H with Intel Atom 330 at 1.6 GHz

When I tried to install the unbound package, it can't find it
(even though it's in the directory, and the shell autocompletes the name)

# pkg_add unbound_1.4.20.tgz
Can't find package unbound_1.4.20.tgz
(adding multiple -v doesn't elaborate on the problem)

since the pkg_add didn't work, I thought I'd try some other pkg commands

# pkg_info unbound_1.4.20.tgz
(works fine)

# pkg_check
Packing-list sanity: ok
Direct dependencies: ok
Reverse dependencies: ok
Files from packages: ok
Can't locate object method new via package OpenBSD::PkgSpec at
 /usr/libdata/perl5/OpenBSD/PkgCheck.pm line 713

I get the same error when I try:
A. OpenBSD 5.4 amd64 install54.iso
B. OpenBSD 5.4 amd64 separate sets54.tgz
C. OpenBSD 5.3 amd64 install54.iso
D. OpenBSD 5.4 i386 install54.iso

Any thoughts on what is this problem with finding method new?



Re: A tricky pf + ecmp routing + squid question [Disregard - SOLVED]

2013-06-03 Thread Rob Sheldon

On 2013-06-03 4:07, Stuart Henderson wrote:


I've updated the README. In future please could you make sure that any
suggestions relating to ports are sent (or at least CC'd) to the MAINTAINER?
It's easy to miss things in the mailing lists (and a lot of developers don't
read misc regularly). Thanks.


Sure thing! Thanks for taking care of that.

- R.

--
[__ Robert Sheldon
[__ No Problem
[__ Information technology support and services
[__ (530) 575-0278



A tricky pf + ecmp routing + squid question

2013-06-02 Thread Rob Sheldon

I don't seem to be smart enough to figure this one out.

I have a firewall with six physical interfaces: three local network 
(wifi, lan, and dmz), and three external interfaces that have been set 
up with multipath routing and nat and all that good stuff.


I've been trying to get Squid up and running on this thing as a 
transparent www proxy, to no avail so far. After working with Amos 
Jeffries a bit, I found that Squid does a security check that compares 
the IP destination of the request to the hostname in the http request 
when in interception mode; since rdr-to rewrites a packet's destination 
address, Squid ends up trying to connect to itself and gives up with a 
forwarding loop error. (This is contrary to every single piece of 
documentation I've found so far on setting up Squid on OpenBSD ...)


The solution seems to be to use divert-to. But, I can't divert-to on 
outbound traffic on the external interfaces, I can't trap inbound 
traffic on the external interfaces coming from the internal network 
without breaking ecmp (I think?), and none of the internal interfaces 
wants to accept traffic with a destination IP outside their subnet, 
naturally.


So ... what do I do? Is there a way to set up a virtual interface and 
do something tricky and cool that won't make a mess of nat or outbound 
ecmp? Do I have to give up and put Squid on its own machine in the DMZ? 
(I'd rather not, that seems lame.) Is there something more 
straightforward that I'm missing?


I'd really appreciate any help. I've been working on this for several 
solid days now.


Thanks,

- R.

--
[__ Robert Sheldon
[__ No Problem
[__ Information technology support and services
[__ (530) 575-0278



Re: A tricky pf + ecmp routing + squid question [Disregard - SOLVED]

2013-06-02 Thread Rob Sheldon

Sorry for the noise.

OpenBSD 5.3 introduced Squid 3.2, which now checks the destination IP 
of inbound packets against the Host: header in interception mode. This 
breaks rdr-to, which makes nearly every howto online incorrect (joy). 
There was a minor error in the Squid docs which confused me (http_port 
must have IP-of-interface-to-listen on:port, e.g., http_port 
127.0.0.1:3129 intercept, instead of just http_port 3129 intercept as 
in the current docs), which caused the connection refused errors, which 
I stupidly misinterpreted.


FWIW, the Squid docs link to 
http://www.openbsd.org/cgi-bin/cvsweb/ports/www/squid/pkg/README-main?rev=1.1;content-type=text%2Fplain, 
which have http_port 127.0.0.1:3129 transparent as the example, but 
as of Squid 3.1, transparent was deprecated in favor of intercept: 
http://www.squid-cache.org/Doc/config/http_port/


- R.

--
[__ Robert Sheldon
[__ No Problem
[__ Information technology support and services
[__ (530) 575-0278



Re: A tricky pf + ecmp routing + squid question [Disregard - SOLVED]

2013-06-02 Thread Rob Sheldon

On 2013-06-02 2:35, Loïc BLOT wrote:

Hello rob,
i'm using squid since 3.1 on OpenBSD 5.2 with compiled sources (squid
3.2.5-9 and 3.3.4 at this time). I don't use an IP but the http_port
3129 as my configuration suggests:

http_port 3128
http_port 3129 intercept

And i have those rule in my PF

pass in quick proto tcp to { 10.X.1.1 10.X.1.2, 10.X.1.3 } port
{ $squid_port $squid_intercept_port http }
pass in quick inet proto tcp from { personnel captiveportal_auth }
to any port { 80 8080 } rdr-to 10.X.1.1 port $squid_intercept_port

And all works perfect :). I haven't tested on 5.3 because the BCM5720
which are disabled on 5.2 are enabled and cause problem on my second
squid server... but i don't think this cause a problem.


As a forward proxy or a reverse proxy? There's no way a Squid 3.2+ 
installation should work with rdr-to, unless:


- the sources were modified to disable the security check described by 
Amos in 
http://www.squid-cache.org/mail-archive/squid-users/201208/0374.html;


- or the destination IP of the requests matches the IP of the requested 
web server (reverse proxy, internal web server, or something).


Amos spelled out the code change in 3.2+ in the mail post above. rdr-to 
rewrites the destination IP in the request. If Squid receives a request 
for a host (e.g. a get request for / on www.google.com), and the DNS 
lookup for the requested host does not match the destination IP of the 
request (e.g. the request was rdr-to'd 10.5.1.1), then Squid will refuse 
to forward the request to www.google.com.


I can accept that maybe there's something going on that I still don't 
understand that's causing my particular configuration to require the 
listening IP in the http_port setting -- although I doubt it, I'm very 
very close to the configuration in the official Squid documentation at 
this point -- but I understand the rdr-to problem well enough now to 
assert that it won't work as intended except in a few specific cases.


- R.

--
[__ Robert Sheldon
[__ No Problem
[__ Information technology support and services
[__ (530) 575-0278
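
The destination-versus-Host comparison discussed in this thread, modelled as an added example (this is not Squid's code and not code from any poster). It shows why a connection redirected with rdr-to fails the check while one delivered with divert-to passes, and the reverse-proxy case where rdr-to still works. The host names, DNS table and client address are constructed; 10.5.1.1 and port 3129 are the values used in the thread.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address

# Constructed stand-in for DNS. 203.0.113.0/24 is a documentation range;
# 10.5.1.1 is the redirect target used as an example in the thread.
DNS = {
    "www.example.com": {"203.0.113.10", "203.0.113.11"},
    "intranet.example": {"10.5.1.1"},
}
PROXY = ("10.5.1.1", 3129)


@dataclass(frozen=True)
class Intercepted:
    """What the proxy learns about one intercepted HTTP request."""
    client: str
    dst_ip: str    # local address of the accepted socket
    dst_port: int
    host: str      # value of the Host: header


def rdr_to(conn, target=PROXY):
    """pf rdr-to: destination address and port are rewritten to the proxy's."""
    return replace(conn, dst_ip=target[0], dst_port=target[1])


def divert_to(conn):
    """pf divert-to: the packet reaches the local listener unmodified, so the
    socket still reports the destination the client dialled."""
    return conn


def host_name(header):
    """Lower-case the Host: value and drop an optional :port."""
    header = header.strip().lower()
    if header.startswith("["):               # bracketed IPv6 literal
        return header[1:].partition("]")[0]
    return header.rsplit(":", 1)[0] if ":" in header else header


def check(conn, dns=DNS):
    """Return (verdict, reason) for the destination-versus-Host comparison."""
    name = host_name(conn.host)
    try:
        candidates = {ip_address(name)}      # Host: was an IP literal
    except ValueError:
        candidates = {ip_address(a) for a in dns.get(name, ())}
    if not candidates:
        return ("reject", "host does not resolve")
    if ip_address(conn.dst_ip) in candidates:
        return ("forward", "destination matches host")
    return ("reject",
            "destination %s is not an address of %s" % (conn.dst_ip, name))


def demo():
    """Run the cases discussed in the thread and return their verdicts."""
    web = Intercepted("192.168.0.20", "203.0.113.10", 80, "www.example.com")
    lan = Intercepted("192.168.0.20", "10.5.1.1", 80, "intranet.example")
    odd = Intercepted("192.168.0.20", "203.0.113.99", 80, "www.example.com:80")
    return {
        "forward proxy, rdr-to": check(rdr_to(web)),
        "forward proxy, divert-to": check(divert_to(web)),
        "host resolves to the proxy itself, rdr-to": check(rdr_to(lan)),
        "destination not listed for host, divert-to": check(divert_to(odd)),
    }


if __name__ == "__main__":
    for case, (verdict, reason) in demo().items():
        print("%-45s %-8s %s" % (case, verdict, reason))
```
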



pf.conf: sticky-address causes page fault in this config

2013-03-25 Thread Rob Sheldon
I sent this in via sendbug() but am also posting it here in case I'm 
doing something obviously wrong.


I've got a fresh from-scratch plain-vanilla 5.2-generic i386 install 
with a mildly complex pf.conf file. Adding sticky-address to a single 
rule reliably causes a page fault whenever the file is loaded (either 
via pfctl or system boot). There's nothing else too wonky on this system 
(I haven't had time to mess it up yet).


The output from the page fault is:

uvm_fault(0xd0a11920, 0xd6c7b000, 0, 1) - e
kernel: page fault trap, code=0
Stopped at pf_test_rule+0xdbc:   mov1  
0xff70(%ebp),%eax

ddb

...I couldn't run trace because it hard-locked at that point. I just 
found the instructions for setting ddb.console, so if someone needs the 
trace output I can trigger it again, but I'd like to avoid it if 
reasonable.


I've appended the pf.conf file, with only minor changes to the external 
IP addresses (NNN.NNN.NNN.NNN), warts and all.


A quick search of the openbsd-misc archives didn't turn anything up 
either. Is this a known thing, maybe fixed in 5.3 or elsewhere, ...?


Thanks.

- R.

--

#   $OpenBSD: pf.conf,v 1.37 2008/05/09 06:04:08 reyk Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

# Useful macros for this network
if_srv   = rl0
if_dsl   = rl1
if_sbb   = re0
if_lan   = fxp0
if_wifi  = dc0
if_ext   = { $if_dsl $if_sbb }
if_int   = { $if_lan $if_srv $if_wifi }
ip_dsl   = NNN.NNN.NNN.NNN
ip_sbb   = NNN.NNN.NNN.NNN
ip_ext   = { $ip_dsl $ip_sbb }
gw_dsl   = NNN.NNN.NNN.NNN
gw_sbb   = NNN.NNN.NNN.NNN
net_lan  = 192.168.0.0/24
net_wifi = 192.168.1.0/24
net_srv  = 192.168.10.0/24
net_int  = { 192.168.0.0/24 192.168.1.0/24 192.168.10.0/24 }
ip_mail  = 192.168.10.164
ip_lan   = 192.168.0.1

# Default runtime options
set block-policy drop

# Block everything by default
block

# Redirect mail and webmail connections from external interfaces to the mail server.
# Connections from the internal network need to bypass the rest of the rules in this
# file to avoid getting mangled by routing later on.
pass in on $if_ext proto tcp from any to $ip_ext port { 25 80 110 143 220 587 993 } rdr-to $ip_mail
pass in quick on { $if_lan $if_wifi } proto tcp from { $net_lan $net_wifi } to $ip_ext port { 25 80 110 143 220 587 993 } rdr-to $ip_mail

# Allow ssh connections to the firewall from the lan only.
pass in on $if_lan proto tcp from $net_lan to $if_lan port ssh

# Allow ssh connections to the srv interface from the firewall and local networks.
pass on $if_srv proto tcp from $net_lan to $net_srv port ssh

# Allow web connections to the srv interface from local and wifi networks.
pass on $if_srv proto tcp from $net_int to $net_srv port 80

# Allow traffic to go out over the external interface.
pass out on $if_ext

# Allow traffic in from the LAN to anything else.
pass in on $if_lan from $net_lan to ! $net_lan

# Allow traffic in from wifi to anything not on the local network.
pass in on $if_wifi from $net_wifi to ! 192.168.0.0/16

# Allow traffic from anywhere to the mail server on specific ports.
pass on $if_srv proto tcp from any to any port { 25 80 110 143 220 587 993 }

# Load balancing.
pass in on $if_int from $net_int to { ! 192.168.0.0/16 } route-to { ($if_sbb $gw_sbb), ($if_dsl $gw_dsl) } round-robin
#pass in on $if_int from $net_int to { ! 192.168.0.0/16 } route-to { $if_sbb $if_dsl } round-robin

# To cause pf_test_rule to crash, comment the above round-robin rule and uncomment the following:
#pass in on $if_int from $net_int to { ! 192.168.0.0/16 } route-to { ($if_sbb $gw_sbb), ($if_dsl $gw_dsl) } round-robin sticky-address

# Send FTP and https connections out over only one of the interfaces; otherwise they may have trouble.
pass in on $if_int proto tcp from $net_int to { ! 192.168.0.0/16 } port { ftp ftp-data https } route-to ($if_sbb $gw_sbb)

# Re-route load-balanced packets to their correct external interfaces.
pass out on $if_sbb from $if_dsl route-to ($if_dsl $gw_dsl)
pass out on $if_dsl from $if_sbb route-to ($if_sbb $gw_sbb)

# Block BitTorrent traffic. Sorry guys. :-/ (Do it from home.)
block proto { tcp udp } from any to any port {6881:6999, 6969}

# Exception for __.
pass proto { tcp udp } from any to ! 192.168.0.0/16 port 6996

# Dropbox
block to { 208.43.202.0/24, 199.47.216.0/22 }

# Facebook. Added 10-25-2012. Sorry guys.
block to { 31.13.64.0/18, 69.171.224.0/19, 66.220.144.0/20, 69.63.176.0/20, 204.15.20.0/22, 65.201.208.24/29, 65.204.104.128/28, 66.92.180.48/28, 66.93.78.176/29, 66.199.37.136/29 }
block to { 67.200.105.48/30, 74.119.76.0/22, 173.252.64.0/18, 69.171.224.53, 69.171.228.74, 69.171.224.37, 69.171.237.32, 66.220.149.88, 69.171.237.16, 69.171.234.37, 69.171.229.11 }

block to { 69.171.242.11, 66.220.149.11, 

faq6.html correction

2012-10-13 Thread Rob Pierce
For your consideration.

Rob

Index: faq6.html
===
RCS file: /cvs/www/faq/faq6.html,v
retrieving revision 1.300
diff -u -p -r1.300 faq6.html
--- faq6.html   16 Aug 2012 02:40:18 -  1.300
+++ faq6.html   1 Sep 2012 15:06:57 -
@@ -1882,7 +1882,7 @@ itself synchronized to, the
 a collection of publicly available time servers.
 Once your clock is accurately set, ntpd will hold it at a high
 degree of accuracy, however, if your clock is more than a few minutes
-off, it is ihighly/i recommended that you bring it to close to
+off, it is ihighly/i recommended that you bring it close to
 accurate initially, as it may take days or weeks to bring a very-off
 clock to sync.
 You can do this using the tt-s/tt option of ntpd(8) or any other



/etc/changelist update to comments

2012-10-13 Thread Rob Pierce
For your consideration.

Rob

Index: changelist
===
RCS file: /cvs/src/etc/changelist,v
retrieving revision 1.76
diff -u -p -r1.76 changelist
--- changelist  20 Sep 2012 12:51:43 -  1.76
+++ changelist  13 Oct 2012 23:32:41 -
@@ -3,7 +3,7 @@
 # List of files which the security script backs up and checks
 # for modifications.
 #
-# Files prefixed with a '+' will have their md5 checksums stored,
+# Files prefixed with a '+' will have their checksums stored,
 # not the actual files.
 #
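Review bot: dropping "md5" on the "+# Files prefixed with a '+' will have their checksums stored," line leaves the comment silent about which checksum is stored. If the algorithm is no longer MD5, consider naming the current one or pointing to the man page that defines it, so that someone comparing a stored value by hand knows which tool to run.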



Re: ss20's wanted for ports builds

2012-07-29 Thread Rob Payne
On 7/19/12 11:15 AM, Theo de Raadt wrote:
 On Mon, Jul 16, 2012 at 08:45:30PM +0200, [BG-Consulting] Elmar Bschorer 
 wrote:
 What do you mean with ss20?
 Actually a good question. At least for those old enough to remember the
 Soviet era SS-20 intermediate-range ballistic nuclear missiles.
 I'd like one of those too.


OK, admission of nerdiness:  All SS-20's were eliminated under the
Intermediate and Shorter-range Nuclear Forces Treaty (INF), beginning in
the late 80's and winding up during the early 90's, with final close-out
inspections of all inspectable sites during the mid 90's, approximately
at the same time as the START I Treaty kicked off.

I have a decorative serving tray made from the metal of an eliminated ss-20.

Off...topic?

-Rob Payne



Re: OpenBSD forked

2012-06-17 Thread Rob Pierce
11 1010101

- Original Message -
From: Peter J. Philipp p...@centroid.eu
To: Theo de Raadt dera...@cvs.openbsd.org
Cc: open...@laufenberg.ch, t...@tedunangst.com, misc@openbsd.org
Sent: Sunday, June 17, 2012 3:31:36 PM
Subject: Re: OpenBSD forked



Repost: Failed HP 360 Install from USB attached CD

2012-04-11 Thread Rob Pierce
Good afternoon,

My apologies - the previous post was a little mangled.

I have just attempted an install of the latest snapshot cd51.iso - dated 
07/04/2012 5:55:00 PM on some new HP 360 servers.

I am able to boot off the CD, but the boot hangs immediately after the following 
line is displayed:

   brgphy3 at bnx3 phy1: BCM5709 10/100/100baseT PHY, rev. 8

(see full dmesg below)

This is also the case when trying to install by booting off the OpenBSD 5.0 CD 
disk 1 (and cd50.iso).

I was able to install on the HP 360 servers by moving drives over from an HP 
120 (which didn't have the same problem) with BSD already installed, booting 
off bsd.rd from disk, and reinstalling over the network, and subsequent 
installations booting to bsd.rd on disk to sd1 and swapping drives, etc.

As such, I have OpenBSD 5.0 running on our HP 360 servers, but have never been 
able to boot and install from a USB attached CD (or USB memory stick).

I should mention that when installing I also have a USB attached keyboard in 
addition to the USB attached CD Drive (see dmesg output below).

This is an inconvenience more than anything, but it might point to some 
underlying issues?

Has anyone seen similar problems?

Many thanks.

Rob

= = = = = USB Keyboard attach, detach, and reattach = = = = =

uhidev2 at uhub4 port 1 configuration 1 interface 0 GASIA GASIA USB KB Pro 
rev 1.10/2.10 addr 2
uhidev2: iclass 3/1
ukbd1 at uhidev2: 8 modifier keys, 6 key codes
wskbd2 at ukbd1 mux 1
wskbd2: connecting to wsdisplay0
uhidev3 at uhub4 port 1 configuration 1 interface 1 GASIA GASIA USB KB Pro 
rev 1.10/2.10 addr 2
uhidev3: iclass 3/0, 2 report ids
uhid0 at uhidev3 reportid 1: input=2, output=0, feature=0
uhid1 at uhidev3 reportid 2: input=1, output=0, feature=0
wskbd2: disconnecting from wsdisplay0
wskbd2 detached
ukbd1 detached
uhidev2 detached
uhid0 detached
uhid1 detached
uhidev3 detached
uhidev2 at uhub4 port 1 configuration 1 interface 0 GASIA GASIA USB KB Pro 
rev 1.10/2.10 addr 2
uhidev2: iclass 3/1
ukbd1 at uhidev2: 8 modifier keys, 6 key codes
wskbd2 at ukbd1 mux 1
wskbd2: connecting to wsdisplay0
uhidev3 at uhub4 port 1 configuration 1 interface 1 GASIA GASIA USB KB Pro 
rev 1.10/2.10 addr 2
uhidev3: iclass 3/0, 2 report ids
uhid0 at uhidev3 reportid 1: input=2, output=0, feature=0
uhid1 at uhidev3 reportid 2: input=1, output=0, feature=0

= = = = = USB attached CD Drive = = = = =

wskbd2: disconnecting from wsdisplay0
wskbd2 detached
ukbd1 detached
uhidev2 detached
uhid0 detached
uhid1 detached
uhidev3 detached
uhidev2 at uhub4 port 1 configuration 1 interface 0 GASIA GASIA USB KB Pro 
rev 1.10/2.10 addr 2
uhidev2: iclass 3/1
ukbd1 at uhidev2: 8 modifier keys, 6 key codes
wskbd2 at ukbd1 mux 1
wskbd2: connecting to wsdisplay0
uhidev3 at uhub4 port 1 configuration 1 interface 1 GASIA GASIA USB KB Pro 
rev 1.10/2.10 addr 2
uhidev3: iclass 3/0, 2 report ids
uhid0 at uhidev3 reportid 1: input=2, output=0, feature=0
uhid1 at uhidev3 reportid 2: input=1, output=0, feature=0
umass0 at uhub1 port 7 configuration 1 interface 0 MediaTek Inc MT1836 rev 
2.00/0.00 addr 2
umass0: using SCSI over Bulk-Only
scsibus3 at umass0: 2 targets, initiator 0
cd0 at scsibus3 targ 1 lun 0: HL-DT-ST, DVDRAM GP10NW20, 1.03 SCSI0 5/cdrom 
removable serial.0e8d1836B3H5824_
cd0 detached
scsibus3 detached
umass0 detached

= = = = = dmesg (USB devices were not present at reboot) = = = = =

OpenBSD 5.0 (GENERIC.MP) #59: Wed Aug 17 10:19:44 MDT 2011
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz (GenuineIntel 686-class) 2.41 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,POPCNT,AES
real mem  = 3747340288 (3573MB)
avail mem = 3675979776 (3505MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf, SMBIOS rev. 2.7 @ 0xdf7fe000 (127 entries)
bios0: vendor HP version P68 date 05/05/2011
bios0: HP ProLiant DL360 G7
acpi0 at bios0: rev 2
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP SPCR MCFG HPET  SPMI ERST APIC SRAT  BERT HEST DMAR SSDT SSDT SSDT SSDT SSDT SSDT
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimcfg0 at acpi0 addr 0xe000, bus 0-63
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 133MHz
cpu1 at mainbus0: apid 20 (application processor)
cpu1: Intel(R) Xeon

Re: Where to buy Lemote FuLoong MIPS boxes?

2011-12-16 Thread Rob Schmersel

On 12/17/2011 05:14 AM, Miod Vallat wrote:

Lemote, manufacturer of FuLoong and Yeloong, does have a store on
www.taobao.com (http://loogson.taobao.com/), it's the official place to buy
FuLoong/YeeLoong here in China.

And they seem to sell Loongson 3A-based systems, unlike the dutch
reseller. But my nonexistent knowledge of the chinese language does not
help.

I would like to get a 3A-based system in order to extend the
OpenBSD/loongson port to these systems. (I also would like to get a 2G
system, but I am quite confident the existing codebase will run
unmodified on a 2G system, so that's not a priority).

If anyone, fluent in chinese, could tell me if I can indeed order a 3A
system from this site and have it shipped to western Europe, and
wouldn't mind assisting me to place an order, this would be greatly
appreciated.

TIA,
Miod (OpenBSD/loongson portmaster, in case you didn't notice)


They indicate that there are systems available, but you never know until you 
really try :). Anyway you can not get it shipped to Western Europe via the 
shop, they only allow China internal shipping. There are however some services 
available on separate sites that allow you to order in China and get it shipped 
anywhere in the world. A quick search will get you some links (typical: you 
read about it, but since you don't need it you do not bookmark it).

I would offer to be a courier as I'm flying home for Xmas, but I'm 
flying tomorrow morning and it is unfortunately too short to order and 
still get it here on time.


Regards
/Rob



Re: Where to buy Lemote FuLoong MIPS boxes?

2011-12-13 Thread Rob Schmersel

On 12/14/2011 03:44 AM, Nomen Nescio wrote:

The prices at the official European shop in the Netherlands are sky high.
I thought this was supposed to be a 150 dollar PC. Does anybody have a good
cheap source for these or other MIPS boxes? Thanks.


Even here in China it is difficult to find. Just did a search on 
www.taobao.com (chinese eBay) and only 2 vendors showed up:

http://s.taobao.com/search?q=2f6004rt=1323835584378

The fulong is selling for 1800 RMB, which is the same price as 
tekmote.nl is charging.


/Rob



Re: CDDL vs GPL and maybe some implications for BSD?

2011-08-26 Thread Rob Payne
Chris, feel free to get out of the US.  We do not need any apologists
here.  The free world would not be so without us.  Theo can adopt any
policy he wishes in his British Commonwealth.  No one gives a rat's
ass.  If his product is useful, I'll buy it.  OpenBSD continues in spite
of Theo's 'leadership.' 

Rob Payne

On 8/26/11 9:01 AM, Chris Bennett wrote:
 I have to support Theo on this. I am also an American.
 Have you noticed OpenBSD's policy on crypto work?
 No Americans due to fucked up US laws, not even if they live outside of US.

 Have you noticed a while back that Theo was looking for Hackathon sites and 
 said no US sites?

 Have you noticed world wide rioting and overthrowing of evil governments?
 Americans have become sheep, willing to put up with no jobs and no job making 
 policies.

 My family already has an apartment in Guatemala.
 We are leaving as soon I recover from my shoulder surgery and my Dad gets his 
 pensioner visa.

 I do not care to be strip searched by flying in the US.
 We only travel by bus and train.

 Things are seriously screwed up here!

 Chris Bennett



nat-to and route-to specified in a single rule

2011-06-01 Thread Rob Sessink
Hello,

In a multi-homed setup I am trying to route out packets over the
secondary interface on which also NAT is done.
The environment consists of an OpenBSD 4.9 Firewall with 3 em interfaces,
connected to 2 DSL providers

em0: internal interface
em1: first DSL
em2: second DSL

I did some testing with the understanding ruleset, where I have
specified a nat-to and route-to statement in a single rule
### rules ###
pass in  log on em0 from 192.168.1.118 nat-to (e2gress:0) route-to (em2 80.100.x.x)
pass out log on em2

### states ###
all icmp 74.125.77.104:8 - 80.100.x.x:54000 (192.168.1.118:9035)   0:0
all icmp 80.100.x.x:54000 - 74.125.77.104:8   0:0

This setup somewhat works. When pinging an upstream host, the packets
get sent out over the secondary interface, but the first packet is
always dropped!
According to the pf.conf man page this rule specification is possible.
My question: is this kind of rule specification allowed and intended to
be working in PF?

When splitting the nat-to / route-to statement in the ruleset everything
works fine.
### rules ###
pass in  log on em0 from 192.168.1.118 route-to (em2 80.100.x.x)
pass out log on em2 from 192.168.1.118 nat-to (em2:0)

### states ###
all icmp 74.125.77.104:8 - 192.168.1.118:8779   0:0
all icmp 80.100.x.x:9676 (192.168.1.118:8779) - 74.125.77.104:8   0:0

Regards Rob


