Re: unbound signature expired

2024-03-18 Thread Stuart Henderson
On 2024-03-18, Evan Sherwood  wrote:
>> Wild guess, your time is off.
>
> Huh, I think you're right. `date` shows me 7 hours ahead of my timezone. 
>
> I restarted ntpd and I see no errors in /var/log/daemon, but the time is
> still off. I should be 1200 PDT but it's showing me as 1900 PDT (not
> UTC).
>
> What do I do to fix this? Pretty sure I had set my timezone to
> America/Los_Angeles when I installed OpenBSD.

ntpd will take ages to correct that much offset (it can set the clock
_forwards_ more quickly to the time of a trusted server at startup, but
not backwards). You can use rdate to jump the clock instead.

-- 
Please keep replies on the mailing list.



Re: UKC> disable "smth"

2024-03-16 Thread Stuart Henderson
On 2024-03-16, Nick Holland  wrote:
> IF you want to make changes to disk, use "config -ef" from
> the booted system, then write your changes to disk.  Then
> you can either use config -ef to re-enable a device, or just
> copy over an unmodified kernel.
>
> Be aware that altering the kernel binary will "break" the
> Kernel Address Re-Linking (KARL).  There are fixes for this,
> HOWEVER, I'm not sure what your goals are here in tweaking
> your kernel like this, but I'm guessing breaking KARL isn't
> your biggest problem you are about to create for yourself.

in the few cases where this does make sense: add to bsd.re-config(5)
and run /usr/libexec/reorder_kernel by hand

> This probably isn't something you want to be doing.

yep.


-- 
Please keep replies on the mailing list.



Re: mailman on OpenBSD - linking problem

2024-03-16 Thread Stuart Henderson
On 2024-03-16, Odhiambo Washington  wrote:
>
> On Sat, Mar 16, 2024 at 3:57 PM Mark wrote:
>
>> On Wed, Mar 13, 2024 at 5:44 PM Odhiambo Washington
>> wrote:
>>
>>>
>>> This is why I suggested he should run Mailman3 from the word go.
>>>
>>>
>>>
>> It looks almost impossible to setup Mailman3 on OpenBSD.
>>
>> No, this is not working at all;
>> https://xn--gckvb8fzb.com/mailman3-on-openbsd-71/
>>
>> Any other tutorial I could try?
>>
>> Thank you.
>>
>
> What exactly isn't working for you?

Yes, this is a key thing when asking questions. Saying "No, this is not
working at all" followed by a URL is not much help. Copy text from
a terminal, showing _what commands you ran_ and _what you saw_.

> The setup is actually pretty easy.

mailman itself should be fairly easy to get installed in a venv, but
mailman-web pulls in cryptography and that can be problematic sometimes.
Trying to build that via pip isn't working at the moment in -current:

  error: failed to run custom build command for `openssl-sys v0.9.99`
...
This crate is only compatible with OpenSSL (version 1.0.1
through 1.1.1, or 3), or LibreSSL 2.5 through 3.8.1, but a
different version of OpenSSL was found. The build is now
aborting due to this version mismatch.

- so you'll probably have better luck by installing py3-cryptography
from packages (when built in ports, openssl-sys is automatically
patched to fix this problem), and when you create the venv, use
--system-site-packages to allow the system package to be used.

*However*, if you're doing this on a system which already has various
python packages installed, using this may result in some conflicts with
other software, so if you run into problems from that and can't
uninstall the relevant package, you may need to use a fairly clean
machine.

(The ideal thing would be to get mailman updated to 3.x in ports,
but looking at 'pip list' after installing mailman and mailman-web
in a venv, there are 84 modules installed, getting on for 40 not
in ports yet, and some of the others probably need updating -
possibly with a ripple effect on other ports - so it's a lot of
work; running in a venv with most things installed via pip is
a saner option).


-- 
Please keep replies on the mailing list.



Re: Unable to get ip6 address

2024-03-16 Thread Stuart Henderson
On 2024-03-15, Hari  wrote:
> I have uses mtw wifi firmware.
>
> I don't know what do you mean by multicast. It works perfectly fine with
> linux.

If you don't want to provide enough information that might give clues to
people who are trying to help (https://www.openbsd.org/report.html)
then I suggest you run Linux on it.


-- 
Please keep replies on the mailing list.



Re: Saving UKC> list output

2024-03-15 Thread Stuart Henderson
On 2024-03-15, Nick Holland  wrote:
> um...  your formatting is giving me Commodore VIC20(1)
> flashbacks...

There are way more than 22 chars in some of those lines :-)




Re: pf nat64 rule not matching

2024-03-15 Thread Stuart Henderson
On 2024-03-15, Evan Sherwood  wrote:
>
> Is there a way to configure this without hard-coding my IPv4 address?
> I do not think my IPv4 address from my ISP is static, thus my original
> interest in the ($wan:0) form.

I don't think there is at present. There are no "only use v4" or "only
use v6" addresses modifiers, and pf isn't figuring out for itself that
it only makes sense to use addresses from the relevant family for af-to
translation addresses (although it _does_ do this for nat-to).

>> Regarding the other rules and tests, the ::1 rule is wrong, packets
>> outgoing on the network won't have a ::1 address, try "!received-on
>> any", and packets sourced from the router itself won't hit the af-to
>> rule so tests need to be from another machine (and probably best use
>> different DNS servers not doing dns64 on the router).
>
> Thanks for this follow-up. You're right that I was trying to only target
> traffic that originated from the router itself with this rule. I had
> figured out that the tests needed to be from another machine, though
> that did take me a while.
>
> What are the reasons for doing dns64 on a different machine?

Ah I meant that the router should not use the local unbound dns64
resolver for its own traffic - otherwise it won't be able to reach v4
hosts because there won't be anything to handle the translation.
Either point it off-machine (ISP or public resolver) or run another
local resolver for its own traffic.

-- 
Please keep replies on the mailing list.



Re: Unable to get ip6 address

2024-03-15 Thread Stuart Henderson
On 2024-03-15, Hari  wrote:
>
> Well I read and tried to this as stated in faq. But it doesn't work, well
> ip6 does work if I try ethernet but not with wifi.

At least send a dmesg so readers have some idea of the hardware involved.

One possible problem: IPv6 requires multicast for address resolution
which might not be working properly.




Re: pf nat64 rule not matching

2024-03-15 Thread Stuart Henderson via misc
On 2024-03-15, Tobias Fiebig via misc  wrote:
>
> Moin,
>>     # perform nat64 (NOT WORKING)
>>     pass in to 64:ff9b::/96 af-to inet from ($wan:0)
>
> Can you try if the same happens with a more specific rule (for
> testing)?
>
> i.e.:
>
> pass in on igc3 inet6 from "put actual v6 prefix here" to 64:ff9b::/96
> af-to inet from "actual IP on igc0"/32

"actual IP on igc0" is a good idea. If I try a similar rule without ()
using an interface with v4+v6 addresses, pfctl rejects it due to af
mismatch.

> I am suspecting that the missing inet6 may lead to some confusion.
> Alternatively, remove the block rules; URPF may be an issue here, if
> you lack a route for the /96.

"match log(matches)" and "tcpdump -neipflog0" is your friend for
figuring out which rules are used. I suspect the urpf too.

Regarding the other rules and tests, the ::1 rule is wrong, packets
outgoing on the network won't have a ::1 address, try "!received-on
any", and packets sourced from the router itself won't hit the af-to
rule so tests need to be from another machine (and probably best use
different DNS servers not doing dns64 on the router).




Re: 'xset' not authorized

2024-03-13 Thread Stuart Henderson
On 2024-03-13, ofthecentury  wrote:
> After poking around, it turns out you just need to
> add an environmental variable XAUTHORITY in XFCE terminal.
> 'export XAUTHORITY=$HOME/.Xauthority'
> Add it to $HOME/.xsession to make it permanent.

That's the default and you shouldn't need to set it explicitly unless
you've set $HOME to something strange.




Re: How to use randon outgoing network aliases?

2024-03-12 Thread Stuart Henderson
On 2024-03-12, Joel Carnat  wrote:
> Hi,
>
> I have a server with a single NIC but several IPs configured:
> # cat /etc/hostname.vio0
> inet 192.0.2.10 255.255.255.0
> inet alias 192.0.2.11 255.255.255.0
> inet alias 192.0.2.12 255.255.255.0
>
> The default gateway is set to 192.0.2.1 in /etc/mygate.
>
> I would like outgoing network traffic to randomly appear coming from
> any of those IPs.

Can be done with PF nat-to: either one rule with an address pool, or
multiple rules with probabilities (e.g. for three: 33%, 50%, plus one
with no probability to catch the rest).
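
The probability cascade mentioned in the reply above, generalised to any number of aliases, as an added example that is not part of the original post. The function name nat_cascade is hypothetical; the interface and addresses are the ones from the question, and the emitted rules use the probability and nat-to options from pf.conf(5).

```shell
#!/bin/sh
# Added example: emit a first-match ("quick") pf.conf cascade that spreads
# outgoing connections across N source addresses in roughly equal shares.
#
# With "quick", each rule only sees the connections that every earlier rule
# declined, so rule k of N needs the conditional probability 1/(N-k):
#   3 addresses -> 33%, 50%, then a final rule with no probability
#   4 addresses -> 25%, 33%, 50%, then a final rule with no probability
# Percentages are integer-rounded, so the shares are approximately equal.
# pf evaluates the ruleset when a state is created, so the address is chosen
# once per connection, not per packet.
#
# usage: nat_cascade <interface> <addr> [<addr> ...]   (hypothetical helper)
nat_cascade() {
	iface=$1
	shift
	remaining=$#
	if [ "$remaining" -lt 1 ]; then
		echo "usage: nat_cascade interface addr [addr ...]" >&2
		return 1
	fi
	for addr in "$@"; do
		if [ "$remaining" -gt 1 ]; then
			# Share of the not-yet-claimed connections this rule takes.
			pct=$((100 / remaining))
			echo "pass out quick on $iface inet probability ${pct}% nat-to $addr"
		else
			# Last rule: no probability, catches everything left over.
			echo "pass out quick on $iface inet nat-to $addr"
		fi
		remaining=$((remaining - 1))
	done
}

# Constructed sample input: the interface and aliases from the question.
nat_cascade vio0 192.0.2.10 192.0.2.11 192.0.2.12
```

Write the output to a scratch file and parse it with pfctl -nf before merging it into pf.conf.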




Re: files are going missing

2024-03-11 Thread Stuart Henderson
On 2024-03-11, beecdadd...@danwin1210.de  wrote:
>> Did you perhaps download these files to somewhere under /tmp or /var/tmp
>> or somewhere else volatile like a memory file system and then reboot
>> before trying to access those downloads?
>
> didn't reboot, and I didn't mention but other files both from yt-dlp and
> the folder structure of torrenting are there, and yt-dlp said that video
> and other files are downloaded

Is it in /tmp though?

As well as most files being cleared at boot, old files are cleared daily.




Re: 'xset' not authorized

2024-03-09 Thread Stuart Henderson
On 2024-03-09, ofthecentury  wrote:
> For the droves who have/will have the same question:
> You can disable DPMS by tweaking the Xorg config
> out. First, get the monitor identifier from your
> /var/log/Xorg.0.log. Then, add a dpms.conf file to
> /usr/X11R6/share/X11/xorg.conf.d/ with this:
> Section "Monitor"
> Identifier "LVDS0"  [insert your monitor identifier]
> Option "DPMS" "false"
> EndSection
> Kill xenodm and launch xenodm again.
> Confirm by running 'xset q' that DPMS is disabled.
> Laptop screen will not shut off on you again.

"xset -dpms" and "xset s off" work fine for me..




Re: dmesg hangs 7.4

2024-03-09 Thread Stuart Henderson
Can you get dmesg out by another means (most likely, write to a usb stick)?

Any difference if you install a snapshot?

Anything special with the network setup?

Anything odd in dmesg on the box you're ssh'ing *from*?

On 2024-03-09, Laura Smith  wrote:
> Hi
>
> I've got a fresh install of 7.4 on a new box and am seeing a very weird 
> problem.
>
> If I enter "dmesg" I get a few lines of output and then it hangs and my ssh 
> connection gets dropped.  I ran syspatch, rebooted and the problem persists.  
>
> Example:
>
> # dmesg
> MX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,RDSEED,ADX,SMAP,CLFLUSHOPT,CLWB,PT,SHA,UMIP,PKU,WAITPKG,PKS,MD_CLEAR,IBT,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,IBRS_ALL,SKIP_L1DFL,MDS_NO,IF_PSCHANGE,TAA_NO,MISC_PKG_CT,ENERGY_FILT,DOITM,SBDR_SSDP_N,FBSDP_NO,PSDP_NO,RRSBA,OVERCLOCK,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
> cpu19: 32KB 64b/line 8-way D-cache, 64KB 64b/line 8-way I-cache, 2MB 64b/line 
> 16-way L2 cache, 30MB 64b/line 12-way L3 cache
> cpu19: smt 0, core 35, package 0
> cpu20 at mainbus0: apid 72 (application processor)
> cpu20: 12th Gen Intel(R) Core(TM) i9-12900TE, 3392.18 MHz, 06-97-02, patch 
> 0025
> Timeout, server 10.1.2.3 not responding.
>
>


-- 
Please keep replies on the mailing list.



Re: Cannot add gd

2024-03-09 Thread Stuart Henderson
On 2024-03-09, Sebastien Marie  wrote:
> Amarendra Godbole  writes:
>
>> I ran into this error today, while adding package gd on amd64 7.4 release...
>>
>> # pkg_add gd
>> quirks-6.160 signed on 2024-03-06T19:04:54Z
>> Can't install gd-2.3.3 because of libraries
>> |library fontconfig.13.1 not found
>> | not found anywhere
>> |library freetype.30.3 not found
>> | not found anywhere
>> Direct dependencies for gd-2.3.3 resolve to tiff-4.5.1 png-1.6.39
>> libwebp-1.3.1pl0 jpeg-2.1.5.1v0 libiconv-1.17
>> Full dependency tree is tiff-4.5.1 xz-5.4.4 png-1.6.39 libiconv-1.17
>> jpeg-2.1.5.1v0 zstd-1.5.5 giflib-5.2.1 libwebp-1.3.1pl0 lz4-1.9.4
>> Couldn't install gd-2.3.3
>> #
>>
>> This worked a week ago when installing on a similar setup, though I am
>> not sure what has changed. The fontconfig and freetype requirement
>> seems not listed in the subsequent direct and full dependency tree. Am
>> I missing something obvious?
>
> did you install xbase74 set ?

I bet this is the problem.

See https://www.openbsd.org/faq/faq15.html#PkgInstall:
"Sometimes you may encounter an error like the one in the following
example" ... #1 under "There are several things to check"




Re: browser titlebar doesn't support emoji

2024-03-08 Thread Stuart Henderson
On 2024-03-08, Dan  wrote:
> Tested in 7.4 Xfce, Firefox and Badwolf titlebar don't support emojicon
> (tested: flags) like from the picture attached.

Please don't send image attachments to this mailing list.

Most of the emoji fonts use PNG encoding which is not supported by OpenBSD's
build of freetype (needs to be built with libpng, which is in ports - whereas
libfreetype is in the xenocara tree, which cannot depend on things from ports).




Re: USB ethernet ure0 not working

2024-03-08 Thread Stuart Henderson
On 2024-03-08, ofthecentury  wrote:
> I made a little progress. I made routing table show now by
> setting re0 interface to down. It seems like everything is
> set up now to work, but I'm getting no internet connectivity.
> Here's the pastebin of dmesg/ifconfig/routes:
> https://pastebin.com/imXdfPqC

When people ask for a dmesg, they mean a complete dmesg.
And pastebin is more for things like IRC - better to include
the actual things directly in email, it's less annoying for readers.

> When I unplug the USB dongle, plug ethernet cable into
> re0 and set re0 to up, internet connectivity is there. So,
> why is the ure0 not working?

You have the same address range on re0 and ure0, and a default
route pointing out of re0.

> A separate question: why is ure0 interface not added to the
> egress group when the USB dongle is plugged in? I had to
> manually add it to egress because my pf firewall is configured
> to filter egress. Maybe there's an issue there somehow?

Interfaces automatically have the 'egress' group applied if there's
a default route pointing out of them. There's no default route
pointing out of ure0 so that's why.


-- 
Please keep replies on the mailing list.



Re: "FollowSymLinks" equivalent in httpd?

2024-03-08 Thread Stuart Henderson
On 2024-03-08, James Cook  wrote:
> On Fri, Mar 08, 2024 at 04:28:52PM +0300, Mark wrote:
>> Greetings.
>> 
>> Trying to figure out the mailman configuration on OpenBSD.
>> 
>> What is the equivalent of the following server block in httpd?
>> 
>> "
>> Options FollowSymLinks
>> AllowOverride None
>> "
>> 
>> Does the httpd even support following symlinks?

base httpd doesn't support _not_ following symlinks. 

> httpd follows symlinks for me. I just tried making a text file a.txt
> in /var/www/htdocs, and making a symlink with ln -s b.txt a.txt,
> and http://localhost/b.txt gets the content of a.txt.
>
> Keep in mind httpd by default runs chrooted to /var/www, so if you
> want to use absolute paths you will need to leave out /var/www. For
> example if you want c.txt to be a a symlink pointing to
> /var/www/htdocs/a.txt you could run
>
>   ln -s /htdocs/a.txt symlink_file_name.txt

And, importantly (given the config snippet), /var/lib/mailman won't be
accessible.


-- 
Please keep replies on the mailing list.



Re: Found bug, prepared patch, sent to bugs and tech, no response.

2024-03-07 Thread Stuart Henderson
You haven't done anything wrong, and the messages do show up.
I think there are just not many people who know this area, and
not many people running sasyncd to test your diff.


On 2024-03-07, Rafał Ramocki  wrote:
> Hello, 
>
> I've found bug on line between sasyncd and the kernel. I've investigated it,
> found root cause and created a patch. I've posted bug report to
> b...@openbsd.org with patch with my fix proposal.
> Waited some time but not get any response. I've sent reminder - still
> blackhole. Waited some time and sent similar information on
> t...@openbsd.org. I'm waiting but still got no
> response. Does anyone know is there something wrong with my correspondence
> that make my messages invisible or maybe openbsd project does not have anyone
> who could review my proposal and accept my patch or maybe there is some other
> reason that I do not know at the moment?
>
> My report to bugs: https://marc.info/?l=openbsd-bugs=170834352721352=2
> My report to tech: https://marc.info/?l=openbsd-tech=17089534351=2
>
>
> Best regards 
> Rafal Ramocki 
>
>


-- 
Please keep replies on the mailing list.



Re: Stopped at smu7_powergate_uvd+0x23 Question

2024-03-06 Thread Stuart Henderson
On 2024-03-06, Avon Robertson  wrote:
> 6.  Serial Console Info, and OpenBSD 7.4 dmesg.boot
>
> Output has been captured via a serial console from the problem machine
> from each of the installed snapshots on a subsequent cold boot.  Each
> set of captured information has shown that the machine has stopped at:
>
> smu7_powergate_uvd+0x23:  movb    %dh,0xdb9(%rax)
>
> Other captured information from each of the snapshots is almost
> identical.

Including boot messages from a problematic kernel + diff between that
and the last working one + information about the crashes (at least:
panic message or other messages when it stopped, trace, ps) would be
helpful.

> The following set of captured information is from the last snapshot
> installed on the machine.  It is followed by dmesg.boot from a
> previously installed working 7.4 snapshot.
>
> The captured information plus the 7.4 snapshot are deliberately not
> included in this post as this email would be > 83k bytes.

An 83k email which includes the information necessary to tell what's going on 
is more useful than a shorter one which doesn't.

> My question is: should I send everything to b...@openbsd.org?

That's probably the best place to send it.



Re: Fwd: Disk encryption cipher

2024-03-06 Thread Stuart Henderson
On 2024-03-06, ofthecentury  wrote:
> Who's this psycho Jan Stary telling people new to OpenBSD not to use
> an appropriate public mailing list for legitimate questions?

Sadly some list members are a bit intolerant of things which are
perfectly valid topics for the list.

> Stop polluting the list with your bullshit.
>
> On Mar 06 12:16:26, ofthecent...@gmail.com wrote:
>> https://github.com/openbsd/src/blob/master/sys/dev/softraid.c
>> Judging by the source code it's aes-512-xts now.

So yes that's perfectly ok content for the list.

>> Such hard. Very cipher. Hacking can't. NSA oh no.

He does have a point here though.




Re: can't find PID

2024-03-05 Thread Stuart Henderson
On 2024-03-05, Raul Miller  wrote:
> If you want to track which executable was running which pid at a
> specific time, you need to put that information in a log, so you can
> associate pid and time with the executable path.

see accton(8), lastcomm(1)


-- 
Please keep replies on the mailing list.



Re: crawling network with ix driver when routing trafic

2024-03-04 Thread Stuart Henderson
On 2024-03-04, Pierre Peyronnel  wrote:
> On Mon, 4 Mar 2024 at 11:24, Claudio Jeker  wrote:
>
>>
>> Try to disable LRO on the ix(4) card:
>> ifconfig ix0 -tcplro
>>
>> Also could you try -current (with and without tcplro).
>>
>
> One sysupgrade -s later (see below), I can confirm that I have the same
> behaviour
> - slow with LRO
> - fast without LRO
>
> Now I need a way back to -stable
> Maybe when 7.5 is released ?

You can edit /usr/sbin/sysupgrade -

    if $RELEASE && [[ ${_KERNV[1]} == '-beta' ]]; then
        NEXT_VERSION=${_KERNV[0]}
    else
        NEXT_VERSION=$(echo ${_KERNV[0]} + 0.1 | bc)
    fi

add NEXT_VERSION=7.5 after this, then you can run sysupgrade -r after release.

Alternatively run bsd.rd from release (when available) by hand.

(Maybe sysupgrade -f should work on versions which are detected as "release"
instead though...)



Re: disklabel and df -h don't show same size

2024-03-03 Thread Stuart Henderson
On 2024/03/03 13:06, beecdadd...@danwin1210.de wrote:
> is there no way to know how many rounds a drive needs to be decrypted? if

Easiest way is probably to modify the bootloader to print
it (in libsa). You could also check a hexdump of the softraid
header block but you'll need to figure out the layout.

> so, then that's good security but want to know how many rounds my computer
> would do, after the crypto has been created?
> I find -v gives you rounds and probably default rounds if you don't do -r,
> but I am too late to find out that now

You can't tell for sure from running bioctl afterwards, if the cpu was
throttled at the time the autodetect could have picked a lower number of
rounds. Adjust it with bioctl -P with an explicit setting for -r if you
want to be sure (this works on an existing softraid volume too).



Re: disklabel and df -h don't show same size

2024-03-03 Thread Stuart Henderson
On 2024-03-03, beecdadd...@danwin1210.de  wrote:
> On Sun, March 3, 2024 12:07 pm, Otto Moerbeek wrote:
>> On Sun, Mar 03, 2024 at 12:01:12PM -, beecdadd...@danwin1210.de
>> wrote:
>>
>>
>>> oh okay reserved for root? I ran those commands as root, or you mean
>>> something else? I didn't know overhead was that big.. so this is okay,
>>> then? thanks for very fast reply
>>
>> 3.5G meta data overhead is less than 1.5% of your partition. Not that
>> high, I'd say.
>
> 235-223 is 8G, not 3.5G?

238.5-235 = 3.5G (overhead)
235-223   = 12G  ~= 5% (reserved for root)

>> You can change that 5% by using tunefs, or when doing newfs from the
>> start).
>
> newfs from the start? I did newfs from the start?
> https://www.openbsd.org/faq/faq14.html#softraidcrypto
> is this not what you mean by newfs from the start?

You can change the 5% by using the -m flag when you newfs, or by running
tunefs on an existing filesystem (but it will need to be unmounted first).

 A filesystem has meta data overhead. That space is not available for
  user files. Also, by default 5% of available space is reserved for
 root only. That fraction is represented in available space. See
 newfs(8).

-- 
Please keep replies on the mailing list.



Re: Need advice on “tcp proxy”

2024-03-02 Thread Stuart Henderson
On 2024-03-02, Kasak  wrote:
> Hello misc! There is a good manual on OpenBSD faq about redirection and 
> reflection, here it is: https://www.openbsd.org/faq/pf/rdr.html#tcpproxy
>
> I’m using nginx as tcp and udp proxy, but maybe there is another software, 
> more suitable for this task? 
> I need to redirect and reflect near 15 tcp ports and couple of udp. 
> I know I can do this with only pf, but I switched to nginx intentionally, 
> because this amount of ports made my pf config hard readable. 

As far as TCP goes, haproxy is possibly a bit better suited. It
doesn't do UDP though (and unlikely to in a generic way, see
https://github.com/haproxy/haproxy/issues/62).

Depending on which UDP protocols are used there might be better
alternatives though - for example if it's DNS then look at dnsdist.
UDP proxying in most cases needs to be protocol-aware.




Re: mirror.bytemark.co.uk appears to have removed all OpenBSD content?

2024-02-28 Thread Stuart Henderson
On 2024-02-28, Pontus Stenetorp  wrote:
> On Wed 28 Feb 2024, Stuart Henderson wrote:
>> On 2024-02-28, Pontus Stenetorp  wrote:
>> > On Tue 27 Feb 2024, Stuart Henderson wrote:
>> >> On 2024-02-27, Stuart Henderson  wrote:
>> >> > On 2024-02-27, Peter Kay  wrote:
>> >> >>
>> >> >> Just been to upgrade a rather old system I keep OpenBSD on for fun all
>> >> >> the way up from 6.9, and found bytemark no longer seem to be hosting
>> >> >> any OpenBSD content.
>> >> >
>> >> > That's why they have been removed from the mirrors list since 2022.
>> >> 
>> >> Oh hmm, seems I readded them as they had started working again, I'll drop 
>> >> them again.
>> >
>> > Since it has crossed my mind that scripting together some sort of "mirror 
>> > health" tool would be a fairly easy (yet probably valuable) contribution 
>> > to the community, is there currently anything akin to that in use by you 
>> > or others when maintaining the mirrors list? A few searches of mine turned 
>> > up empty, but it could equally well be that my search skills were lacking.
>> 
>> No need for another tool, we have mirmon and mirrorcheck.sh. The problem
>> is finding time to review results of checks, and making decisions
>> about what to include in ftp.html (for parts of the world with low
>> connectivity, a mirror which is slightly behind on snapshots can still
>> be very useful).
>
> Firstly, thank you of course for all your efforts maintaining the list. 
> Agreed about usefulness being very much circumstantial and thank you for 
> pointing me in the directions of two tools I have overlooked. mirmon is of 
> course net/mirmon in ports, but I have failed to locate mirrorcheck.sh in 
> both ports and src (even with a grep -ir), as well as with a web search. 
> Where does it live?

It's in the www tree.




Re: mirror.bytemark.co.uk appears to have removed all OpenBSD content?

2024-02-28 Thread Stuart Henderson
On 2024-02-28, Pontus Stenetorp  wrote:
> On Tue 27 Feb 2024, Stuart Henderson wrote:
>> On 2024-02-27, Stuart Henderson  wrote:
>> > On 2024-02-27, Peter Kay  wrote:
>> >>
>> >> Just been to upgrade a rather old system I keep OpenBSD on for fun all
>> >> the way up from 6.9, and found bytemark no longer seem to be hosting
>> >> any OpenBSD content.
>> >
>> > That's why they have been removed from the mirrors list since 2022.
>> 
>> Oh hmm, seems I readded them as they had started working again, I'll drop 
>> them again.
>
> Since it has crossed my mind that scripting together some sort of "mirror 
> health" tool would be a fairly easy (yet probably valuable) contribution to 
> the community, is there currently anything akin to that in use by you or 
> others when maintaining the mirrors list? A few searches of mine turned up 
> empty, but it could equally well be that my search skills were lacking.

No need for another tool, we have mirmon and mirrorcheck.sh. The problem
is finding time to review results of checks, and making decisions
about what to include in ftp.html (for parts of the world with low
connectivity, a mirror which is slightly behind on snapshots can still
be very useful).

-- 
Please keep replies on the mailing list.



Re: mirror.bytemark.co.uk appears to have removed all OpenBSD content?

2024-02-27 Thread Stuart Henderson
On 2024-02-27, Kirill A  Korinsky  wrote:
> On Tue, 27 Feb 2024 14:59:32 +0100,
> Kenneth Gober wrote:
>> 
>> Slightly off topic, but does anyone know of any archives that have
>> packages for 3.0, 3.1, 3.2, and/or 3.3?  Especially 3.0 -- the only
>> site I've ever found with 3.0 packages may have been incomplete.
>>
>
> https://mirror.leaseweb.com/pub/OpenBSD
>
> which also has rsync mirror BTW

That depends where you are, it is a geo distributed DNS and they use
different upstreams in different places, some fetch from ftp.eu (which has
many old versions, though not 3.0-3.3), others from ftp3.usa (which doesn't).




Re: mirror.bytemark.co.uk appears to have removed all OpenBSD content?

2024-02-27 Thread Stuart Henderson
On 2024-02-27, Stuart Henderson  wrote:
> On 2024-02-27, Peter Kay  wrote:
>> Just been to upgrade a rather old system I keep OpenBSD on for fun all
>> the way up from 6.9, and found bytemark no longer seem to be hosting
>> any OpenBSD content.
>
> That's why they have been removed from the mirrors list since 2022.

Oh hmm, seems I readded them as they had started working again, I'll drop them 
again.



Re: mirror.bytemark.co.uk appears to have removed all OpenBSD content?

2024-02-27 Thread Stuart Henderson
On 2024-02-27, Peter Kay  wrote:
> Just been to upgrade a rather old system I keep OpenBSD on for fun all
> the way up from 6.9, and found bytemark no longer seem to be hosting
> any OpenBSD content.

That's why they have been removed from the mirrors list since 2022.




Re: snmpd and route changes

2024-02-23 Thread Stuart Henderson
Not 100% sure but there's a chance that this will work how you expect in 
-current.

https://github.com/openbsd/src/commit/029c661593e4bba8652393dbb912eaf3b5031eec


On 2024-02-23, Marko Cupać  wrote:
> Hi,
>
> my OpenBSD firewall has static default route to the Internet over
> external interface, and gets routes to internal subnets by means of
> OSPF with Juniper switch over internal interface.
>
> Host on one of internal subnets queries snmpd listening on internal
> interface of OpenBSD firewall. When OSPF on OpenBSD firewall is
> up, requests arrive on internal interface, replies depart on internal
> interface - expected working situation.
>
> When OSPF on OpenBSD firewall goes down (rcctl stop ospfd), requests
> still arrive on internal interface (switch has static default route
> over OpenBSD firewall), but as firewall has no longer route to internal
> subnet from which queries originate, it correctly tries to send replies
> over default route (external interface), which intentionally get
> blocked by pf.
>
> The problem is the fact that after OSPF on OpenBSD firewall comes up
> (rcctl start ospfd), snmpd continues to send replies over default
> route, not over more specific route learned over OSPF. Restarting snmpd
> results in picking up new route correctly.
>
> I am not 100% sure, but I think the same happens with pflow exports to
> the same host on internal subnet. It takes destroying pflow0 interface
> and netstart-ing it for picking up new route correctly.
>
> Anyone else encountered this? Could this be a bug? Or should I
> reconfigure something?
>
> PS: My setup is actually a bit more complicated (CARP pair, OSPF
> depends on carp interface, aggregated interfaces etc. but that should
> not affect the situation where snmpd sends traffic over default route
> and external interface even though routing table has more specific
> route over internal interface. I will gladly provide more details if
> needed.
>
> snmpd.conf (redacted):
>
> listen on udp 10.66.66.253 read snmpv3
> seclevel auth
> system contact "John Doe (john@example.org"
> system description "OpenBSD"
> system location "Somwhere"
> system name "fw2.example.org"
> user "example" authkey "thisisnotakey" auth hmac-sha1
>
> hostname.pflow0 (redacted):
>  
> flowsrc 10.66.66.253 flowdst 10.66.65.169:9996
> pflowproto 10
>
> route to host's subnet when OSPF is up (redacted):
>
> netstat -rn | grep 10.66.65.0
>
> 10.66.65.0/24 10.30.66.249   UG 0  957 -32 aggr0
>
> route -n get 10.66.65.0/24
>
>    route to: 10.66.65.0
> destination: 10.66.65.0
>        mask: 255.255.255.0
>     gateway: 10.66.66.249
>   interface: aggr0
>  if address: 10.66.66.253
>    priority: 32 (ospf)
>       flags: 
>      use       mtu    expire
>     7126         0         0
>
> ospfctl sh rib | grep 10.66.65.0
>
> 10.66.65.0/24 10.66.66.249   Intra-Area   Network   65536   20:32:27
>
> ospfctl sh fib | grep 10.66.65.0
>
> *O   32 10.66.65.0/24  10.66.66.249
>
> dmesg:
>

Re: Automatic OS updates

2024-02-21 Thread Stuart Henderson
Kernels with just "OpenBSD 7.5" will appear for some time before 
pub/OpenBSD/7.5/*/packages are available.


--
 Sent from a phone, apologies for poor formatting.

On 21 February 2024 20:36:39 Kirill A. Korinsky  wrote:


On Wed, 21 Feb 2024 21:11:05 +0100,
Stuart Henderson wrote:


If you're using sysupgrade -s, you also want -Dsnap in pkg_add.



After double check in man it seems not necessary, let me quote:

%c  Expands to the string "snapshots" when running a -current or -beta
kernel, or if the command line option -D snap | -D snapshot is
specified.  Otherwise, %c expands to %v, which selects a release
version.

--
wbr, Kirill




Re: Automatic OS updates

2024-02-21 Thread Stuart Henderson
On 2024-02-21, b...@fea.st  wrote:
> FWIW if you guys want to yell at me for spreading bad ideas,
> I've posted how to do automatic updates here:
>
> https://openbsd.pages.dev/auto-updates/

If you're using sysupgrade -s, you also want -Dsnap in pkg_add.




Re: certbot in cron - best way?

2024-02-21 Thread Stuart Henderson
On 2024-02-20, Odhiambo Washington  wrote:
> This should work:
>
> 0 0,12 * * * /bin/sleep 1552 &&  rcctl stop httpd  && certbot renew &&
> rcctl start httpd

You might like to investigate ~ in crontab(5), e.g. "~ 0,12" and lose
the "sleep".

Wouldn't it be better to have certbot write files into a directory
served by httpd so you don't need the "rcctl stop" though?



Re: Automatic OS updates

2024-02-21 Thread Stuart Henderson
On 2024-02-20, obs...@loopw.com  wrote:
>
>
>> On Feb 20, 2024, at 2:31 AM, Thomas Schmidt  
>> wrote:
>> 
>> OP did indeed mean `sysupgrade`,
>
> which makes little sense _unless_ on -current, which will guarantee to break 
> this every six months when -current shifts about.
>
>> but fwiw, `syspatch && reboot` reboots
>> your system if a patch was applied. I got it in all of my servers'
>> cronjobs.
>
> Most of the patches don’t require a reboot.

Correct. Looking at the 7.4 patches, only 3 affect the kernel and
definitely need a reboot to get applied:

002_msplit - requires reboot
008_vmm - requires reboot
009_pf - requires reboot

Two where you don't really need to do anything other than apply
the patch:

003_patch
004_ospfd (because, if you're affected by it, then things
would be broken already)

The rest don't actually need a reboot, but do need *some* things
restarting if you're using them:

001_xserver
005_tmux
006_httpd
007_perl
010_xserver
011_ssh
012_xserver
013_unbound

(Also: had there been fixes to libraries - libc, libssl, etc - they
would be in this category too - you could figure out which long-running
processes would need to be restarted and do that).

However, considering the "*some* things need restarting" case, given
what is available from syspatch, rebooting is the only reasonable way
to automate making sure that anything needing a restart really is
restarted.

> This idea sounds horrible for uptime.  Sorry.  I’m not rebooting something 
> because a font was patched…

There is a fairly high bar for a fix to get turned into a syspatch.
Now, you might not be affected by every patched bug, and if you're
updating manually then you can make that decision. But this thread is
about automating, and the majority of syspatches do require processes
to be restarted in order to take effect.




Re: Ignore some USB devices

2024-02-19 Thread Stuart Henderson
On 2024-02-19, Kirill A  Korinsky  wrote:
> On Mon, 19 Feb 2024 23:09:35 +0100,
> Stuart Henderson wrote:
>> 
>> > I read that as it is impossible to blacklist a device, right?
>> 
>> Only by running a kernel where the driver's attach routine has been
>> modified to skip attaching the device e.g. if it matches certain
>> vendor/device id. OpenBSD doesn't have any other way to detach a USB
>> driver from a device.
>> 
>
> As an alternative solution, is it possible to enforce ugen to specific
> device by vendor and product IDs?
>
> I've tried:
>
>   $ doas config -e -o /bsd.new /bsd
>   ukc> find ugen
>   309 ugen* at uhub*|uhub* port -1 configuration -1 interface -1 vendor -1 
> product -1 release -1 flags 0x0
>   ukc> find uaudio
>   303 uaudio* at uhub*|uhub* port -1 configuration -1 interface -1 vendor -1 
> product -1 release -1 flags 0x0
>   ukc> add ugen
>   Device not complete number or * is missing
>   ukc> add ugen*
>   Clone Device (DevNo, 'q' or '?') ? 309
>   Insert before Device (DevNo, 'q' or '?') ? 303
>   303 ugen* at uhub*|uhub* port -1 configuration -1 interface -1 vendor -1 
> product -1 release -1 flags 0x0
>   ukc> change 303
>   303 ugen* at uhub*|uhub* port -1 configuration -1 interface -1 vendor -1 
> product -1 release -1 flags 0x0
>   change [n] y
>   port [-1] ?
>   configuration [-1] ?
>   interface [-1] ?
>   vendor [-1] ? 0x041e
>   product [-1] ? 0x3130
>   release [-1] ?
>   flags [0] ?
>   303 ugen* changed
>   303 ugen* at uhub*|uhub* port -1 configuration -1 interface -1 vendor 0x41e 
> product 0x3130 release -1 flags 0x0
>   ukc> find ugen*
>   303 ugen* at uhub*|uhub* disable port -1 configuration -1 interface -1 
> vendor 0x41e product 0x3130 release -1 flags 0x0
>   310 ugen* at uhub*|uhub* port -1 configuration -1 interface -1 vendor -1 
> product -1 release -1 flags 0x0
>   ukc> quit
>   Saving modified kernel.
>
> with no luck.
>

No - ugen acts as a fallback. If a USB device is claimed by another driver,
ugen won't get a chance to attach to it.

There is a common mechanism to recognise devices by vid/pid for special
handling - sometimes to prevent attaching - sometimes for other adaptations
which are needed. If you're interested, see sys/dev/usb/usb_quirks.c and look
at how UQ_BAD_HID is used to knock out devices which would normally be
claimed by uhid(4); you could use something similar to prevent e.g. uaudio
from attaching to a certain device. However, it would require compiling
the kernel to configure it.




Re: Ignore some USB devices

2024-02-19 Thread Stuart Henderson
On 2024-02-19, Kirill A  Korinsky  wrote:
> On Mon, 19 Feb 2024 22:32:18 +0100,
> Jan Stary wrote:
>> 
>> So get some normal headphones that plug into the laptop
>> (without creating a new device)
>> and simply connect the display when you want,
>> or don't connect it when you don't.
>> 
>
> I read that as it is impossible to blacklist a device, right?

Only by running a kernel where the driver's attach routine has been
modified to skip attaching the device e.g. if it matches certain
vendor/device id. OpenBSD doesn't have any other way to detach a USB
driver from a device.




Re: sysupgrade fails firmware fetch

2024-02-18 Thread Stuart Henderson
On 2024-02-18, Theo de Raadt  wrote:
> Kirill A. Korinsky  wrote:
>
>> On Sat, 17 Feb 2024 22:27:52 +0100,
>> Sonic wrote:
>> > 
>> > Seems it's looking for a 7.5 directory (-current apparently just moved
>> > to 7.5-beta) instead of the snapshot directory.
>> > 
>> 
>> And using snapshot directory fails because wrong signature:
>> 
>>   ~ $ doas fw_update -p http://firmware.openbsd.org/firmware/snapshots 
>>   fw_update: failed.
>>   signify: verification failed: checked against wrong key
>>   Signature check of SHA256.sig failed
>>   ~ $ 
>
> The heuristic in fw_update is weak.  Every 6 months there is a chance
> for someone to dig in and see if there is a better heuristic.

It's not too bad as long as the person building firmware tgz gets a
heads-up before the version number is updated.




Re: Out of memory error when build OpenBSD Base/LLVM

2024-02-18 Thread Stuart Henderson
On 2024-02-17, Shivam Gupta  wrote:
> Hi All,
>
> I recently installed OpenBSD OS on my ASUS laptop quad core pentium with 4
> GB RAM and 1 TB HDD.
>
> I was following the guide to build the system from source. But in `make
> build` step it gets a memory error when building LLVM. I tried other ways
> like make -j1 changing some build configuration in llvm's CMakelists.txt
> but nothing works.

The CMakelists.txt files are not used in the OpenBSD src tree.

> So I am seeking help if anything could be done here to complete the make
> build on this ASUS laptop.
>
> I do have another better ASUS TUF F15 laptop but there is some issue in the
> installation, kernel panic after I login in fresh install. So I am trying
> on this old laptop.

You may need to bump datasize values in login.conf for the class used by your
login user.

-- 
Please keep replies on the mailing list.



Re: Automatic OS updates

2024-02-16 Thread Stuart Henderson
On 2024-02-15, b...@fea.st  wrote:
> So I was curious, am I the only one using automatic OS updates
> in cron to keep the fish fresh and the bits dust free?
>
> I think I read somewhere that it's not recommended but I'm not
> running a server so it seems like a good idea to me.
>
> /etc/crontab: 
>
> # Example of job definition:
> # . minute (0 - 59)
> # |  .- hour (0 - 23)
> # |  |  .-- day of month (1 - 31)
> # |  |  |  .--- month (1 - 12) OR jan,feb,mar,apr ...
> # |  |  |  |  . day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
> # |  |  |  |  |
> # *  *  *  *  * user-name command to be executed
>   0  3  *  *  * root  sysupgrade 

You should read upgrade notes (faq/current.html for -current,
faq/upgradeXX.html for releases) *before* upgrading.

For -current you should really be aware of commits (read src-changes)
so you can identify times which would be bad to update (often best to
hold off for a few days after a major library bump or major perl version
update in order that new packages are available).



-- 
Please keep replies on the mailing list.



Re: DNS resolution when 1st nameserver does not know

2024-02-15 Thread Stuart Henderson
On 2024-02-15, Rudolf Sykora  wrote:
> Josh Grosse  wrote:
>> On Thu, Feb 15, 2024 at 02:15:07PM +0100, rsyk...@disroot.org wrote:
>> > my computer is connected to a LAN, from which it obtains its
>> > IP and also local-DNS-server IP via DHCP. The latter is then
>> > inserted into /etc/resolv.conf by, I believe, resolvd. The
>> > computer is furthermore connected via wireguard VPN to
>> > another network with its own DNS server, serving the local
>> > IPs there. The DNS server in my LAN, of course, does not
>> > know the (non-public) IPs in the remote network. However, as
>> > it comes 1st in /etc/resolv.conf, the nameserver that comes
>> > next (I manually added it to the file) --- and which would
>> > know the answer --- is never asked. I can stop resolvd and
>> > use the DNS server within the VPN for all the traffic. But
>> > I'd still prefer to have most of the work done by the local
>> > DNS server, and only if it doesn't know I would ask the
>> > server in the VPN. Is there anything simple I can do?
>> 
>> Take a look at unwind(8) and unwind.conf(5).
>
>
> Ok. Creating /etc/unwind.conf with 
>
> forwarder {X.X.X.X} 
>
> where X.X.X.X is the IP address of the DNS server within the VPN,
> and turning on unwind with
>
> ;rcctl enable unwind
> ;rcctl start unwind
>
> does do something, in the sense that I get all the symbolic
> names resolved. But can I tell what DNS server was asked for
> the translation? --- so that I can check that it is the
> local nameserver (as obtained from the local DHCP server)
> that gets queried first and only when it does not know the
> answer, unwind asks VPN DNS server (X.X.X.X above) for the
> answer?

you can't do "fallback if domain doesn't exist in the first resolver",
but you can tell it to always use the forwarder for certain domains.
as well as configuring the forwarder, use something like "preference
autoconf" and "force forwarder {some.domain other.domain}".

-- 
Please keep replies on the mailing list.



Re: Improve support of Go

2024-02-15 Thread Stuart Henderson
On 2024-02-15, Kirill A  Korinsky  wrote:
> Here my point: it is deprecated, but still in use for some large applications
> like Docker

That is using syscall from golang.org/x/sys/unix, not from go itself.
The vendored copy of x/sys/unix in docker-cli in the current ports tree
defines EBADMSG for some arch but not others. The newer vendored copy
in 25.0.3 defines it for all openbsd archs.




Re: CARP and VRRP compliance

2024-02-14 Thread Stuart Henderson
On 2024-02-13, Samuel Jayden  wrote:
> From the information provided in the link, it appears that CARP and VRRP
> protocols aren't inherently interoperable.

They are different protocols - they *had* to be different because VRRP
was subject to patents. And if carp was changed now, it wouldn't be
interoperable with existing carp installations.

> While Cisco may have attempted to address this by introducing a command
> like "disable-loop-detection carp" in its Nexus 1000V virtual router
> product, this solution unfortunately doesn't extend to standard router
> hardware, rendering it ineffective in many scenarios.

That's not about interop between carp and vrrp speakers, it's about
using carp (or vrrp or hsrp or similar) on a port attached to the
'virtual switch'. See 'Information About Redundant Routing Protocols' on
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus1000/sw/4_2_1_s_v_1_5_1/layer_2_switching/configuration/guide/n1000v_l2/n1000v_l2_7redundantroutingprot.html

> Is it feasible to achieve CARP and VRRP interoperability through a
> user-space application?

No. They are different protocols. For what you want to do, running VRRP
on the OpenBSD box might make some sense though. There are various
existing userland implementations of VRRP that might be able to run
on OpenBSD, probably with some work to port them - e.g. freevrrpd,
frr-vrrpd, vrrpd. Nothing already in the ports tree (if someone wanted
to try I'd suggest starting by looking at freevrrpd).

-- 
Please keep replies on the mailing list.



Re: ntpd: "DNS lookup tempfail" when running on an IPv6-only node

2024-02-14 Thread Stuart Henderson
On 2024-02-14, Willy Manga  wrote:
> I'm running ntp-4.2.8pl10p6 on openbsd7.4 .. I saw messages like this one

That's mostly not recommended, openntpd (in base) is generally a better
idea for OpenBSD systems...

> "ntpd[26862]: DNS lookup tempfail"

...though that looks like an openntpd message so you are probably running
it anyway and just have an unused package installed.

> This node is running with IPv6-only.
>
> Since I did not have IPv4, I initially only commented the constraint 
> with IPv4 . But it was not enough.
>
>
> Then I realised that pool.ntp.org doesn't include a AAAA record.

That is ntppool's decision.

> I ended up by commenting the servers line and added several servers close 
> enough .
>
> I posted my question on github [1] and someone advised me to rely on 
> "2.openbsd.pool.ntp.org"
>
> Is it possible the default ntpd.conf file use something like
>
> "servers openbsd.pool.ntp.org" and of course have openbsd.pool.ntp.org 
> looking for IPv6 nodes?

openbsd.pool.ntp.org won't help, that doesn't have AAAA records either.
That DNS zone is nothing to do with OpenBSD - as with pool.ntp.org itself
it is ntppool's decision whether they want to include AAAA.

You need to use one of the "2." pool addresses, e.g.

global:

2.pool.ntp.org

regional:

2.africa.pool.ntp.org
2.asia.pool.ntp.org
2.europe.pool.ntp.org
2.north-america.pool.ntp.org
2.oceania.pool.ntp.org
2.south-america.pool.ntp.org

"vendor":
2.openbsd.pool.ntp.org

Also e.g. time.cloudflare.com lists both A and AAAA records.

-- 
Please keep replies on the mailing list.



Re: Improve support of Go

2024-02-13 Thread Stuart Henderson
On 2024/02/13 07:36, Theo de Raadt wrote:
> Stuart Henderson  wrote:
> 
> > On 2024-02-13, Kirill A  Korinsky  wrote:
> > > Good day,
> > >
> > > I'm updating go's syscall table to modern OpenBSD (7.4).
> > 
> > Save your time. Post-7.4 you cannot call syscall() any more.
> 
> The result seems to have nothing to do with syscalls.
> 
> It is the same as the build process for kdump: It is finding cpp definitions
> most of which are argument flags, but also a few structs in /usr/include, and
> making them available at some level inside the go ecosystem. So if in go you
> call a system call via the regular stub API, you may need those flags.  you may
> also need them for some other higher-level function call?  go doesn't pull
> from /usr/include otherwise, does it?
> 
> 

Oh, yes those are still needed then, I'd forgotten they were part of the
same thing from last time I tried to get them updated ...



Re: Improve support of Go

2024-02-13 Thread Stuart Henderson
On 2024-02-13, Kirill A  Korinsky  wrote:
> Good day,
>
> I'm updating go's syscall table to modern OpenBSD (7.4).

Save your time. Post-7.4 you cannot call syscall() any more.

-- 
Please keep replies on the mailing list.



Re: Log files, OpenBSD and Zero click exploits

2024-02-13 Thread Stuart Henderson
On 2024-02-13, Peter N. M. Hansteen  wrote:
> On Tue, Feb 13, 2024 at 08:29:59AM +, jonathon575 wrote:
>> Kindly find below log entries generated from tcpdump of the pflog. This is a 
>> fresh install & updated openbsd 7.4, with bare-minimum installation 
>> configured for a firewall. There are no x* programs installed.
>> 
>> Feb 11 18:09:41.682345 rule 14/(match) block in on re0: 69.166.225.73.51820 
>> > wan-ip.60360: [wg] initiation from 0xdd6a56bc
>> Feb 11 18:09:46.754493 rule 14/(match) block in on re0: 69.166.225.73.51820 
>> > wan-ip.60360: [wg] initiation from 0x963acc89
>> Feb 11 18:09:51.778525 rule 14/(match) block in on re0: 69.166.225.73.51820 
>> > wan-ip.60360: [wg] initiation from 0x93d9508d
>> Feb 11 18:09:56.835383 rule 14/(match) block in on re0: 69.166.225.73.51820 
>> > wan-ip.60360: [wg] initiation from 0x112cf65b
>> Feb 11 18:29:33.657009 rule 14/(match) block in on re0: 69.166.225.73.51820 
>> > wan-ip.60360: [wg] initiation from 0x639ed21a
>> Feb 11 18:29:33.657454 rule 14/(match) block in on re0: 69.166.225.73.51820 
>> > wan-ip.60360: [wg] initiation from 0xb2fcd9b8
>> Feb 11 18:29:33.658140 rule 14/(match) block in on re0: 69.166.225.73.51820 
>> > wan-ip.60360: [wg] initiation from 0x8ae84cca
>> Feb 11 18:29:33.658808 rule 14/(match) block in on re0: 69.166.225.73.51820 
>> > wan-ip.60360: [wg] initiation from 0xcbb881b7
>> Feb 11 18:29:33.659165 rule 14/(match) block in on re0: 69.166.225.73.51820 
>> > wan-ip.60360: [wg] initiation from 0x612a28f8
>> Feb 11 18:29:33.659416 rule 14/(match) block in on re0: 69.166.225.73.51820 
>> > wan-ip.60360: [wg] initiation from 0x49f595ec
>> 
>> wan-ip is my wan static ip address.
>> 
>> What does [wg] mean? What does "initiation from 0xdd6a56bc"...etc. mean? 
>
> These log entries mean that your system blocked attempts from 69.166.225.73 
> access to whatever wan-ip is. 
>
> Your system recognized the traffic as attempts to initiate a WireGuard (a 
> sort of vpn, see https://man.openbsd.org/wg 
> and links therein). The attempts were blocked.

Sending wireguard packets at you doesn't seem very likely to be
malicious, more likely wan-ip was previously used by someone for their
wireguard connections and it was reassigned to you.

> Some of the things you mention may require specialized tools, but please 
> invest some time in learning to
> properly interpret the output of the basic tools first.

accton(8) and the manpages referenced in accton's "SEE ALSO" might be
one place to start reading to log what's been run on a system.

aide (in packages) might be useful for detecting changed files.


-- 
Please keep replies on the mailing list.
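
Added example, not part of the thread: a Python parser for `tcpdump` pflog lines of the kind quoted above. It groups blocked `[wg] initiation` packets by source and counts how many arrive about 5 seconds apart (WireGuard's handshake retransmission interval) versus in tight bursts, and it rejoins records that a mail client wrapped. The sample lines are constructed with documentation addresses; the function names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# WireGuard re-sends an unanswered handshake initiation after 5 seconds.
REKEY_TIMEOUT = 5.0

# A record starts with a timestamp; any other line is the tail of a wrapped record.
RECORD_START = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\.\d+\s")
WG_INIT = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"rule\s+(?P<rule>\d+)/\(match\)\s+(?P<action>\w+)\s+(?P<dir>in|out)\s+"
    r"on\s+(?P<ifname>\S+):\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"\[wg\]\s+initiation\s+from\s+(?P<sender>0x[0-9a-fA-F]+)"
)

# Constructed sample (not real traffic). The first record is wrapped the way
# the mail client wrapped the lines in the thread; the last one is not WireGuard.
SAMPLE = """\
Feb 11 18:09:41.682345 rule 14/(match) block in on re0: 203.0.113.7.51820
> 198.51.100.10.60360: [wg] initiation from 0x0a0b0c01
Feb 11 18:09:46.754493 rule 14/(match) block in on re0: 203.0.113.7.51820 > 198.51.100.10.60360: [wg] initiation from 0x0a0b0c02
Feb 11 18:09:51.778525 rule 14/(match) block in on re0: 203.0.113.7.51820 > 198.51.100.10.60360: [wg] initiation from 0x0a0b0c03
Feb 11 18:29:33.657009 rule 14/(match) block in on re0: 203.0.113.7.51820 > 198.51.100.10.60360: [wg] initiation from 0x0a0b0c04
Feb 11 18:29:33.657454 rule 14/(match) block in on re0: 203.0.113.7.51820 > 198.51.100.10.60360: [wg] initiation from 0x0a0b0c05
Feb 11 18:30:02.100000 rule 3/(match) pass in on re0: 192.0.2.44.40000 > 198.51.100.10.22: S 1:1(0) win 16384
"""


def unwrap(text):
    """Rejoin wrapped records. Quote markers must already be removed, because
    a continuation line legitimately starts with tcpdump's own '>'."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse(text, year=2024):
    """Return one dict per '[wg] initiation' record; other records are skipped.
    The log carries no year, so the caller supplies one (an assumption)."""
    events = []
    for record in unwrap(text):
        m = WG_INIT.match(record)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
        events.append({**m.groupdict(), "when": when})
    return events


def summarise(events, tolerance=0.5, burst=0.1):
    """Group blocked inbound initiations by (source, source port, local port)
    and classify the gaps between consecutive packets."""
    by_peer = defaultdict(list)
    for e in events:
        if e["action"] == "block" and e["dir"] == "in":
            by_peer[(e["src"], e["sport"], e["dport"])].append(e)
    report = {}
    for key, evs in by_peer.items():
        evs.sort(key=lambda e: e["when"])
        gaps = [(b["when"] - a["when"]).total_seconds()
                for a, b in zip(evs, evs[1:])]
        report[key] = {
            "packets": len(evs),
            "distinct_senders": len({e["sender"] for e in evs}),
            # Gaps close to the retransmission interval: a peer retrying.
            "retry_gaps": sum(abs(g - REKEY_TIMEOUT) <= tolerance for g in gaps),
            # Near-simultaneous arrivals, e.g. queued packets delivered at once.
            "burst_gaps": sum(g <= burst for g in gaps),
            "rules": sorted({int(e["rule"]) for e in evs}),
        }
    return report


if __name__ == "__main__":
    for peer, stats in summarise(parse(SAMPLE)).items():
        print(peer, stats)
```

A single source port, a fixed local port and gaps clustered around 5 seconds are what a configured peer retrying its handshake looks like, which fits the reassigned-address explanation given in the reply.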



Re: Installing shellinabox on OpenBSD

2024-02-13 Thread Stuart Henderson
On 2024-02-12, Daniel Ouellet  wrote:
> Anyway in 2024 still not have a decent native ssh client on Window

Except it does, a port of openssh.



Re: Second Redis instance?

2024-02-06 Thread Stuart Henderson
On 2024-02-06, Louis Brauer  wrote:
>> Giving opportunity to use /usr/local/etc/redis-FOO.conf
>> /usr/local/etc/redis-BAR.conf respectively, as separate instances.
>>
>> How can I do the same under OpenBSD 7.4?
>
> You could just copy the /etc/rc.d/redis file to /etc/rc.d/redis2 and modify 
> the daemon_flags settings in it to use a separate config file.
>
> Then 
> - rcctl enable redis2 
> - rcctl start redis2
>
> I just tried that and it seems to work.

Not properly. See my reply.

-- 
Please keep replies on the mailing list.



Re: Entry in the list of UNIX and OpenBSD providers

2024-02-06 Thread Stuart Henderson
On 2024-02-06, Theobald, Gerd  wrote:
> we would be delighted to be included in your list of providers 
> https://www.openbsd.org/support.html#Germany as a professional training 
> provider for UNIX and OpenBSD, among others. Here follows the information in 
> the desired format.

> U https://www.it-schulungen.com

The OpenBSD course that I see when searching on the website
(https://www.it-schulungen.com/seminare/serversysteme/unix/openbsd/openbsd-kompaktkurs.html)
will need an update, systrace was removed in 2016.




Re: Second Redis instance?

2024-02-06 Thread Stuart Henderson
On 2024-02-06, Mark  wrote:
> Hi.
>
> I've redis-6.2.13 installed and running.
>
> I need to run a second Redis instance with a different .conf file.
>
> For instance, under FreeBSD, this is as easy as adding in rc.conf file;
>
> redis_profiles="foo bar"
>
> Giving opportunity to use /usr/local/etc/redis-FOO.conf
> /usr/local/etc/redis-BAR.conf respectively, as separate instances.
>
> How can I do the same under OpenBSD 7.4?
>
> Any help, ideas, tips & tricks would be appreciated,
> Kindest regards.

Unfortunately redis sets the process name in a way that doesn't allow
distinguishing multiple instances by matching the name with the command
line flags, and that's the only way that the rc.d framework allows
matching daemon processes to the script, so running multiple copies via
the rc.d framework won't work in a generic way.

(in the case of many other daemons, one can simply symlink the rc.d
script under a different name, and set flags separately for each name,
but that won't work here)..

You could copy /etc/rc.d/redis under a different name and modify it
so that pexp matches the process title when run with the alternative
config file, or otherwise run it outside of rc.d (e.g. from rc.local).

-- 
Please keep replies on the mailing list.



Re: Astertisk missing library

2024-02-06 Thread Stuart Henderson
On 2024-02-06, deich...@placebonol.com  wrote:
> are the libraries in the search path?

they're not normal library deps for the main binary, all dlopen()'d from
the relevant path.

> On February 5, 2024 10:54:38 AM MST, Peter Fraser  wrote:
>>I should also add the libraries are on my system, and nm says they contain the 
>>symbols
>>I don't know why they are not loading.

maybe you'll get some clues by running with LD_DEBUG set in the
environment - there will be a *lot* of output so run under script(1).

or, try comparing /etc/asterisk with one of your working machines and
see what's different.

>>From: owner-m...@openbsd.org  On Behalf Of Stuart 
>>Henderson
>>Sent: Monday, February 5, 2024 7:15 AM
>>To: misc@openbsd.org
>>Subject: Re: Astertisk missing library
>>
>>On 2024-02-04, Peter Fraser  wrote:
>>> Asterisk 20.5.2 works for me two different amd64 computers that I upgraded 
>>> from 7.3  amd64  to 7.4.
>>...
>>> [Feb  4 10:33:11] NOTICE[107524]: loader.c:2405 load_modules: 280 modules 
>>> will be loaded.
>>> asterisk:/usr/local/lib/asterisk/modules/app_audiosocket.so: undefined 
>>> symbol 'ast_audiosocket_connect'
>>> asterisk:/usr/local/lib/asterisk/modules/app_audiosocket.so: undefined 
>>> symbol 'ast_audiosocket_init'
>>> asterisk:/usr/local/lib/asterisk/modules/app_audiosocket.so: undefined 
>>> symbol 'ast_audiosocket_send_frame'
>>> asterisk:/usr/local/lib/asterisk/modules/app_audiosocket.so: undefined 
>>> symbol 'ast_audiosocket_receive_frame'
>>
>>those are in res_audiosocket.so
>>
>>> asterisk:/usr/local/lib/asterisk/modules/app_speech_utils.so: undefined 
>>> symbol 'ast_speech_new'
>>> asterisk:/usr/local/lib/asterisk/modules/app_speech_utils.so: undefined 
>>> symbol 'ast_speech_destroy'
>>> asterisk:/usr/local/lib/asterisk/modules/app_speech_utils.so: undefined 
>>> symbol 'ast_speech_grammar_load'
>>> asterisk:/usr/local/lib/asterisk/modules/app_speech_utils.so: undefined 
>>> symbol 'ast_speech_grammar_unload'
>>> asterisk:/usr/local/lib/asterisk/modules/app_speech_utils.so: undefined 
>>> symbol 'ast_speech_grammar_activate'
>>
>>and those in res_speech.so
>>
>>> asterisk:/usr/local/lib/asterisk/modules/app_stasis.so: undefined symbol 
>>> 'stasis_app_exec'
>>
>>res_stasis
>>
>>> asterisk:/usr/local/lib/asterisk/modules/chan_pjsip.so: undefined symbol 
>>> 'ast_sip_cli_traverse_objects'
>>> asterisk:/usr/local/lib/asterisk/modules/chan_pjsip.so: undefined symbol 
>>> 'ast_sip_cli_traverse_objects'
>>> asterisk:/usr/local/lib/asterisk/modules/chan_pjsip.so: undefined symbol 
>>> 'ast_sip_cli_traverse_objects'
>>> asterisk:/usr/local/lib/asterisk/modules/chan_pjsip.so: undefined symbol 
>>> 'ast_sip_cli_traverse_objects'
>>> asterisk:/usr/local/lib/asterisk/modules/chan_pjsip.so: undefined symbol 
>>> 'ast_sip_push_task_wait_servant'
>>
>>res_pjsip
>>
>>etc. I think you may be missing something in modules.conf. I'd probably start 
>>with a copy of /usr/local/share/examples/asterisk/default/modules.conf
>>and see if that works, then tweak from there.
>>
>>--
>>Please keep replies on the mailing list.
>>
>


-- 
Please keep replies on the mailing list.



Re: Astertisk missing library

2024-02-05 Thread Stuart Henderson
On 2024-02-04, Peter Fraser  wrote:
> Asterisk 20.5.2 works for me two different amd64 computers that I upgraded 
> from 7.3  amd64  to 7.4.
...
> [Feb  4 10:33:11] NOTICE[107524]: loader.c:2405 load_modules: 280 modules 
> will be loaded.
> asterisk:/usr/local/lib/asterisk/modules/app_audiosocket.so: undefined symbol 
> 'ast_audiosocket_connect'
> asterisk:/usr/local/lib/asterisk/modules/app_audiosocket.so: undefined symbol 
> 'ast_audiosocket_init'
> asterisk:/usr/local/lib/asterisk/modules/app_audiosocket.so: undefined symbol 
> 'ast_audiosocket_send_frame'
> asterisk:/usr/local/lib/asterisk/modules/app_audiosocket.so: undefined symbol 
> 'ast_audiosocket_receive_frame'

those are in res_audiosocket.so

> asterisk:/usr/local/lib/asterisk/modules/app_speech_utils.so: undefined 
> symbol 'ast_speech_new'
> asterisk:/usr/local/lib/asterisk/modules/app_speech_utils.so: undefined 
> symbol 'ast_speech_destroy'
> asterisk:/usr/local/lib/asterisk/modules/app_speech_utils.so: undefined 
> symbol 'ast_speech_grammar_load'
> asterisk:/usr/local/lib/asterisk/modules/app_speech_utils.so: undefined 
> symbol 'ast_speech_grammar_unload'
> asterisk:/usr/local/lib/asterisk/modules/app_speech_utils.so: undefined 
> symbol 'ast_speech_grammar_activate'

and those in res_speech.so

> asterisk:/usr/local/lib/asterisk/modules/app_stasis.so: undefined symbol 
> 'stasis_app_exec'

res_stasis

> asterisk:/usr/local/lib/asterisk/modules/chan_pjsip.so: undefined symbol 
> 'ast_sip_cli_traverse_objects'
> asterisk:/usr/local/lib/asterisk/modules/chan_pjsip.so: undefined symbol 
> 'ast_sip_cli_traverse_objects'
> asterisk:/usr/local/lib/asterisk/modules/chan_pjsip.so: undefined symbol 
> 'ast_sip_cli_traverse_objects'
> asterisk:/usr/local/lib/asterisk/modules/chan_pjsip.so: undefined symbol 
> 'ast_sip_cli_traverse_objects'
> asterisk:/usr/local/lib/asterisk/modules/chan_pjsip.so: undefined symbol 
> 'ast_sip_push_task_wait_servant'

res_pjsip

etc. I think you may be missing something in modules.conf. I'd probably
start with a copy of /usr/local/share/examples/asterisk/default/modules.conf
and see if that works, then tweak from there.

-- 
Please keep replies on the mailing list.



Re: GNUstep back and base in OpenBSD 7.4 ARM

2024-02-04 Thread Stuart Henderson
On 2024-02-04, Tito Mari Francis Escaño  wrote:
> Hi misc,
> I was hoping to install GNUstep packages in ARM but it seems gnustep-back
> and gnustep-base are not yet available in ARM.
> I was under the impression that these are needed to start basic GNUstep
> development.

gnustep's libobjc2 failed to build on arm (32-bit), and afaik all the other
gnustep ports directly or indirectly depend on that.

http://build-failures.rhaalovely.net/arm/2023-11-23/x11/gnustep/libobjc2.log

armv7 is not a great development environment on OpenBSD, package builds
are pretty slow (over a month for a bulk build) so there's a slow turnaround
of finding out whether any changes result in breaking things on the arch,
and not many people have machines, so not many people are able to test fixes.

> Please advise what options are available to move forward.

You could try fixing the libobjc2 port, there's a chance that adding -fPIC
to CFLAGS might help.

-- 
Please keep replies on the mailing list.



Re: Astertisk missing library

2024-02-04 Thread Stuart Henderson
On 2024-02-03, Peter Fraser  wrote:
> Yes
>
> From pkg_info
>
> asterisk-20.5.2 open source multi-protocol PBX and telephony toolkit
...
>>The asterisk on a new system is missing a large number of symbols of the form:
>>
>>ast_sip_* ast_stir_* statis_app*
>>
>>I can't find what is missing, I assume some what a library dependency was 
>>missed, so my other Asterisk on other OpenBSD system are using the old 
>>version

Please show some actual error messages/logs. modules.conf might
be interesting too. Which machine arch are you using? Release or
snapshots?

20.5.2 works for me on a 7.4 amd64 system.

-- 
Please keep replies on the mailing list.



Re: New postfix-3.8.20221007p12 broken TLS for Gmail servers?

2024-02-03 Thread Stuart Henderson
On 2024-02-03, Mike Fischer  wrote:
>
>> Am 03.02.2024 um 03:44 schrieb Brian Conway :
>> 
>>> Why do you run such an outdated postfix snapshot?
>> 
>> That is the latest version that is supported/available in packages-stable:
>> 
>> https://cdn.openbsd.org/pub/OpenBSD/7.4/packages-stable/amd64/
>
> While we have not encountered the TLS issue with Gmail (see below) we are in 
> the same boat otherwise. postfix-3.8.20221007 seemed like the newest version 
> a while back and so we are running that version. Going back to 3.7.9 seems 
> like it may be a partial step backwards.

3.7.9 is a newer version than 3.8.20221007.

-- 
Please keep replies on the mailing list.



Re: New postfix-3.8.20221007p12 broken TLS for Gmail servers?

2024-02-03 Thread Stuart Henderson
On 2024-02-03, Mark  wrote:
> Hi again,
>
> I completely removed Postfix and installed the official stable package
> "postfix-3.7.9p0-sasl2-mysql", but the problem persists.

There is possibly still some conflict between openssl (required by
newer versions of postfix) and libressl (used by pretty much all of the
rest of the ports tree). I would suggest using a 3.5 version if you're
using one of the non-default flavoured versions of postfix and having
TLS-related problems and see if that helps (from 3.6 they started
requiring features from newer versions of openssl that haven't made it
into libressl yet).

>> https://github.com/openbsd/ports/blob/master/mail/postfix/snapshot/Makefile

the snapshot version of Postfix that is currently in the ports tree is
seriously outdated, I think it should probably be removed.



-- 
Please keep replies on the mailing list.



Re: Problem sound

2024-02-02 Thread Stuart Henderson
On 2024-02-02, Manfred Koch  wrote:
> Hi all,
>
> I'm a newbie in openbsd. I use the xfce Desktop but without sound. I 
> have enabled sndiod_enable=YES
> in /etc/rc.conf.local. Further I tried pulseaudio without success. 
> What's about dbus-daemon?
>
> Perhaps you can help me, to find a solution?

If you're trying to use audio over HDMI, AFAIK that won't work, you'll
need to use line out or headphone.

Otherwise: send a dmesg, it might give more clues. (Just paste the
complete dmesg straight into an email).

> Are you knowing a mailinglist for newbies in openbsd?

misc@ is just fine for this.


-- 
Please keep replies on the mailing list.



Re: tmux: mouse works in st but not in xterm

2024-02-01 Thread Stuart Henderson
On 2024-02-01, Omar Polo  wrote:
> On 2024/02/01 12:06:13 +0100, rsyk...@disroot.org wrote:
>> Dear list,
>> 
>> 
>> when I run tmux in xterm, the mouse support does not work.
>
> by default mouse support is disabled on xterm on OpenBSD.  No clue why,
> as I think it's useful.  The knob to enable it is
>
>   XTerm*allowMouseOps: true
>
> which is documented in xterm.

-
PatchSet 127
Date: 2021/10/31 18:38:43
Author: matthieu
Branch: HEAD
Tag: (none)
Log:
Disable mouse tracking by default.

This causes extra control sequences to be sent to the shell when an
application that has it enabled crashes. Discussed with deraadt@

Members:
Makefile:1.36->1.37
xterm.man:1.55->1.56

-




Re: Communication between hosts on different network interfaces

2024-01-30 Thread Stuart Henderson
On 2024-01-07, All  wrote:
> This is very much doable with DHCP one liner:
> add the following to your dhcpd.conf ((!) inside the block of your 
> 192.168.2.0/24 network)
> option classless-static-routes 192.168.3.0/24 192.168.2.1;
>
> This will install static route into all machines in 192.168.2.0/24 network.

On clients that follow the spec properly, that will *override* the
default routes so they will have a route to 192.168.3.0/24 but no
default route.

You need to include the default route too, for example (assuming that
should go via 192.168.2.254),

option classless-static-routes 192.168.3.0/24 192.168.2.1, 0.0.0.0/0 192.168.2.254;
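
What the override means on the wire, as an added example that is not part of the original post: it parses the two `classless-static-routes` statements from this thread, encodes them as the RFC 3442 option 121 payload, and models a client that ignores the Router option whenever option 121 is present. The function names and sample strings are constructed for illustration, and the parser only handles the statement form shown above.

```python
import ipaddress
import re

# Constructed samples: the two dhcpd.conf statements discussed in the thread.
ROUTE_ONLY = "option classless-static-routes 192.168.3.0/24 192.168.2.1;"
WITH_DEFAULT = ("option classless-static-routes 192.168.3.0/24 192.168.2.1, "
                "0.0.0.0/0 192.168.2.254;")

STATEMENT = re.compile(r"option\s+classless-static-routes\s+(?P<routes>[^;]+);")


def parse_statement(text):
    """Return [(IPv4Network, IPv4Address), ...] from one option statement."""
    match = STATEMENT.search(text)
    if match is None:
        raise ValueError("no classless-static-routes statement found")
    routes = []
    for pair in match.group("routes").split(","):
        fields = pair.split()
        if len(fields) != 2:
            raise ValueError(f"expected 'destination/len router', got {pair!r}")
        # strict=True rejects destinations with host bits set (e.g. 192.168.3.1/24)
        dest = ipaddress.IPv4Network(fields[0], strict=True)
        routes.append((dest, ipaddress.IPv4Address(fields[1])))
    return routes


def encode_option_121(routes):
    """Encode routes as the RFC 3442 payload (option code and length byte excluded)."""
    out = bytearray()
    for dest, router in routes:
        significant = (dest.prefixlen + 7) // 8  # only the octets the mask covers
        out.append(dest.prefixlen)
        out += dest.network_address.packed[:significant]
        out += router.packed
    if len(out) > 255:
        raise ValueError("payload does not fit in a single DHCP option")
    return bytes(out)


def decode_option_121(payload):
    """Inverse of encode_option_121; raises ValueError on malformed input."""
    routes = []
    i = 0
    while i < len(payload):
        prefixlen = payload[i]
        if prefixlen > 32:
            raise ValueError(f"invalid prefix length {prefixlen}")
        significant = (prefixlen + 7) // 8
        end = i + 1 + significant + 4
        if end > len(payload):
            raise ValueError("truncated route entry")
        # Pad the significant octets back out to a full 4-byte address.
        dest_bytes = payload[i + 1:i + 1 + significant] + bytes(4 - significant)
        dest = ipaddress.IPv4Network((int.from_bytes(dest_bytes, "big"), prefixlen))
        router = ipaddress.IPv4Address(payload[end - 4:end])
        routes.append((dest, router))
        i = end
    return routes


def effective_routes(classless, router_option=None):
    """Routes installed by a client that follows RFC 3442.

    When option 121 is present the Router option (3) is ignored, so the
    default route survives only if option 121 itself carries 0.0.0.0/0.
    """
    if classless:
        return list(classless)
    if router_option is not None:
        return [(ipaddress.IPv4Network("0.0.0.0/0"),
                 ipaddress.IPv4Address(router_option))]
    return []


def has_default(routes):
    return any(dest.prefixlen == 0 for dest, _ in routes)


if __name__ == "__main__":
    for label, stmt in (("route only", ROUTE_ONLY), ("with default", WITH_DEFAULT)):
        routes = parse_statement(stmt)
        installed = effective_routes(routes, router_option="192.168.2.254")
        print(label, encode_option_121(routes).hex(),
              "default route kept" if has_default(installed) else "NO default route")
```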




Re: -current firefox segfault: pledge "", syscall 289

2024-01-29 Thread Stuart Henderson
On 2024-01-26, Kirill Miazine  wrote:
> here's how I can reproduce it here -- just by opening 
> https://domene.shop/login page and waiting some seconds:
>
> $ firefox https://domene.shop/login
> Exiting due to channel error.
> Exiting due to channel error.
> Exiting due to channel error.
> Exiting due to channel error.
> Crash Annotation GraphicsCriticalError: |[C0][GFX1-]: 
> CompositorBridgeChild receives IPC close with reason=AbnormalShutdown 
> (t=5.06002) [GFX1-]: CompositorBridgeChild receives IPC close with 
> reason=AbnormalShutdown
> Exiting due to channel error.
> Abort trap (core dumped)
>
> should mention that this is inside Xvnc, and vnc logs has additional 
> error line:
>
> PCRE2 library was built without JIT support
>
> maybe Xvnc -- or PCRE -- are somehow contributing here

The firefox port uses pledge, which is incompatible with some things done
by the swrast DRI driver (any use of pledge disables the shm syscalls,
and it's unlikely that they will be added).

https://marc.info/?t=15510231321=1=2

You can either disable pledge in firefox (see the pkg-readme - no need to
recompile anything), or build a patched version of Mesa (the patch
in that thread will no longer work, but removing -DHAVE_SYS_SHM_H in
config.mk may do the trick - and if you go down that route, you'll
need to recompile it yourself after updates).


-- 
Please keep replies on the mailing list.



Re: plasmashell crashes when typing in the applications menu search bar

2024-01-25 Thread Stuart Henderson
On 2024/01/25 14:17, bi...@iscarioth.org wrote:
> Stuart Henderson  write :
> > That is ludicrous
> 
> 
> Ah, did I do something wrong because he only needs to setup staff groups 
> /etc/login.conf and then no need to use `sysctl kern.maxfiles` ?

Why on earth would it need to have over a hundred thousand files open
at the same time when typing in a search bar?



Re: plasmashell crashes when typing in the applications menu search bar

2024-01-25 Thread Stuart Henderson
On 2024-01-24, bi...@iscarioth.org  wrote:
> Hello Sylvain !
>
> If my assumption is correct (KDE open a huge number of files during
> the query), 
>
> So you had to increase the number of files open with
>
> > sysctl kern.maxfiles=102400

That is ludicrous




Re: socket core

2024-01-16 Thread Stuart Henderson
On 2024-01-16, Otto Moerbeek  wrote:
> On Tue, Jan 16, 2024 at 08:16:38AM +0100, Janne Johansson wrote:
>
>> Den tis 16 jan. 2024 kl 01:16 skrev Gustavo Rios :
>> > Hi folks.
>> > I have a simple question :  How many cores does OBSD support ?
>> 
>> amd64 says
>> 
>> #define MAXCPUS 64 /* bitmask */
>> 
>> but different arches have different limits.
>
> But do note that OpenBSD is not great in using many cores, expect it
> to not scale in a linear way. It's best to make decisions on actual
> measurements.

It can vary a lot depending on what you're actually doing on the
machine; pure computation will scale better than file access, for
example. Keep an eye on "spin" in top(1) while testing. If you're seeing
significant numbers for this, adding cores is not all that likely to
help.




Re: as cannot do endbr64 instructions (too old)

2024-01-10 Thread Stuart Henderson
Please send it to tech@

On 2024/01/10 13:18, Lorenz (xha) wrote:
> On Wed, Jan 03, 2024 at 08:50:43AM +0100, Lorenz (xha) wrote:
> > On Tue, Jan 02, 2024 at 08:32:00PM -0000, Stuart Henderson wrote:
> > > I can't say. Though I doubt there would be much objection if it's clean and
> > > not a copy of a GPLv3-licensed upstream commit.
> > 
> > what about this?
> > 
> > i am not sure about the situation on arm64. it looks like newer gnu
> > assemblers don't like bti instructions unless explicitly enabled.
> > llvm seems to be using hint #34 for compatibility.
> > 
> > is /usr/bin/as the GNU assembler on arm64 as well?
> > 
> > Index: include/opcode/i386.h
> > ===
> > RCS file: /cvs/src/gnu/usr.bin/binutils-2.17/include/opcode/i386.h,v
> > retrieving revision 1.11
> > diff -C5 -r1.11 i386.h
> > *** include/opcode/i386.h   9 Sep 2018 21:59:43 -   1.11
> > --- include/opcode/i386.h   3 Jan 2024 07:35:49 -
> > ***
> > *** 1532,1541 
> > --- 1532,1545 
> >   
> >   /* Intel PCID extension */
> >   {"invpcid", 2, 0x660f3882, X, CpuNEW|CpuNo64, 
> > Modrm|IgnoreSize|No_bSuf|No_wSuf|No_sSuf|No_qSuf|No_xSuf|NoRex64, { 
> > BaseIndex|Disp8|Disp16|Disp32|Disp32S, Reg32 } },
> >   {"invpcid", 2, 0x660f3882, X, CpuNEW|Cpu64, 
> > Modrm|IgnoreSize|No_bSuf|No_wSuf|No_sSuf|No_qSuf|No_xSuf|NoRex64, { 
> > BaseIndex|Disp8|Disp16|Disp32|Disp32S, Reg64 } },
> >   
> > + /* Intel Indirect Branch Tracking extensions */
> > + {"endbr64", 0, 0xF30F1E, 0xFA, Cpu64, NoSuf|ImmExt, { 0, 0, 0 } },
> > + {"endbr32", 0, 0xF30F1E, 0xFB, CpuNo64, NoSuf|ImmExt, { 0, 0, 0 } },
> > + 
> >   /* sentinel */
> >   {NULL, 0, 0, 0, 0, 0, { 0, 0, 0} }
> >   };
> >   #undef X
> >   #undef NoSuf
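Review bot: the two added i386_optab entries carry only Cpu64 and CpuNo64 in the cpu-flags column, while the invpcid entries directly above them in this hunk use CpuNEW|Cpu64 and CpuNEW|CpuNo64. If CpuNEW is how this table marks instructions newer than the assembler's baseline, endbr64 and endbr32 should probably carry it too; if it was left out on purpose, a short comment saying why would help. This is also a context diff (diff -C5) with a path relative to the binutils-2.17 directory, so a unified diff taken from the top of the source tree would be easier to apply.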
> > 
> 
> can someone take a look at this and maybe commit if it is OK? i
> removed the endbr32 instruction from the patch because i don't think
> it will ever be needed on openbsd.
> 
> Index: gnu/usr.bin/binutils-2.17/include/opcode/i386.h
> ===
> RCS file: /cvs/src/gnu/usr.bin/binutils-2.17/include/opcode/i386.h,v
> retrieving revision 1.11
> diff -u -p -r1.11 i386.h
> --- gnu/usr.bin/binutils-2.17/include/opcode/i386.h   9 Sep 2018 21:59:43 
> -   1.11
> +++ gnu/usr.bin/binutils-2.17/include/opcode/i386.h   10 Jan 2024 12:15:36 
> -
> @@ -1534,6 +1534,9 @@ static const template i386_optab[] =
>  {"invpcid", 2, 0x660f3882, X, CpuNEW|CpuNo64, 
> Modrm|IgnoreSize|No_bSuf|No_wSuf|No_sSuf|No_qSuf|No_xSuf|NoRex64, { 
> BaseIndex|Disp8|Disp16|Disp32|Disp32S, Reg32 } },
>  {"invpcid", 2, 0x660f3882, X, CpuNEW|Cpu64, 
> Modrm|IgnoreSize|No_bSuf|No_wSuf|No_sSuf|No_qSuf|No_xSuf|NoRex64, { 
> BaseIndex|Disp8|Disp16|Disp32|Disp32S, Reg64 } },
>  
> +/* Intel Indirect Branch Tracking extensions */
> +{"endbr64", 0, 0xF30F1E, 0xFA, Cpu64, NoSuf|ImmExt, { 0, 0, 0 } },
> +
>  /* sentinel */
>  {NULL, 0, 0, 0, 0, 0, { 0, 0, 0} }
>  };
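Review bot: the comment above the new entry still reads "Intel Indirect Branch Tracking extensions" although this version adds only endbr64, so it should be reworded and should say that endbr32 is left out on purpose. The entry splits the encoding into base opcode 0xF30F1E plus extension opcode 0xFA with ImmExt; please include the disassembly of a one-instruction test file with the submission to show that the emitted bytes are f3 0f 1e fa.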



Re: File corruption on SSD disk

2024-01-10 Thread Stuart Henderson
On 2024-01-10, Randall Gellens  wrote:
> I'm running OpenBSD on a Protectli box as a router/firewall. The disk is 
> an SSD. Every now and then I reboot it ("sudo shutdown -r now") just to 
> make sure it comes back up. Several times it hung on disk errors that 
> the auto 'fsck' can't fix. I was able to manually run 'fsck' and answer 
> its prompts to clean up the problems, which sometimes were unreferenced 
> inodes or similar things. It deleted some files in /var. The system runs 
> OK, so perhaps the files aren't used in my minimal setup.
>
> I have two questions:
>
> (1) In "/etc/rc" I changed [fsck -p "$@"] to [fsck -f "$@"] in an 
> attempt to get it to force fix problems, so the system could recover 
> without someone manually doing it. That didn't work (it still stopped 
> startup with the disk errors), so I tried making it [do_fsck -f -y] but 
> that didn't work either. How does one make the system recover (e.g., how 
> would an unstaffed/dark computer  operations center do it)?

fsck -y is all you can do there.

> (2) Why would the system develop disk problems? Might the SSD be 
> failing? Should I proactively replace it? If I do replace it, should I 
> start fresh with a clean install versus cloning the current disk?

possibly. SSDs aren't exactly permanent storage either, even if not
failing (read about "bit rot") - magnetic HDDs too, though they're usually
considered to have a bit more longevity than SSDs in that respect. 

are temperatures in a safe range?

are your cables good and properly connected?

if replacing, you don't want to start from a clone of a suspicious drive.
you don't know if the data you're reading is good or not. I'd go for a
clean install, move config across, and review those config files.

> By the way, the SSD is a Samsung SSD 870 EVO 500GB (only using a tiny 
> bit of it). Micromat's Lifespan says it has 100% life left, and their 
> Tech Tools Pro found no bad blocks.

that will most likely be based on erase/write cycles and ignore other
possible effects.


-- 
Please keep replies on the mailing list.



Re: bioctl -v -P

2024-01-05 Thread Stuart Henderson
On 2024-01-05, Roderick  wrote:
> I get
>
> # bioctl -v -P wd0e
> bioctl: BIOCDISCIPLINE: inapeopriate ioctl for device
>
> Is it not possible to change the pass?
>
> What was supposed that I do under
>
> https://www.openbsd.org/faq/upgrade74.html#ConfigChanges
>
> ???

wd0e is not a softraid volume. Use the softraid volume,
e.g. sd1 or sd0 or similar.

-- 
Please keep replies on the mailing list.



Re: Script doesn't stop opensearch

2024-01-04 Thread Stuart Henderson
On 2024-01-03, Mik J  wrote:
> Hello,
>
> I don't understand how the startup/stop script works

It uses the string from pexp (as it was when the daemon was _started_;
changes to the rc script after startup are ignored) with pgrep(1) -xf to
identify the running process (and pkill -xf to actually signal it).

> I can confirm that the pid I see in /var/run/opensearch/opensearch.pid is the 
> same I see in ps ax | grep opensearch
>
> However when I want to stop the process
> # /etc/rc.d/opensearch stop
> Nothing happens

Show the contents of /var/run/rc.d/opensearch and the output of some
pgrep command that identifies the process (e.g. pgrep -lf opensearch).

> And I don't understand how this stop command would do something like that
> # kill -15 `cat /var/run/opensearch/opensearch.pid`

rc.d doesn't use pid files. If the daemon exited without cleaning the
file (e.g. in a crash) the pid may have been re-used by another process.

-- 
Please keep replies on the mailing list.



Re: Script doesn't stop opensearch

2024-01-04 Thread Stuart Henderson
On 2024-01-04, Mike Fischer  wrote:
>
>> Am 04.01.2024 um 00:06 schrieb Mik J :
>> 
>> However when I want to stop the process
>> # /etc/rc.d/opensearch stop
>> Nothing happens
>
> try:
> # rcctl stop opensearch
>
> You are not supposed to ever call the /etc/rc.d/* scripts directly.

no, that's fine too.

-- 
Please keep replies on the mailing list.



Re: ignore dns dhcpleased

2024-01-03 Thread Stuart Henderson
On 2024-01-03, Peter Wens  wrote:
> Hi Otto,
>
> I checked it, and yes it's slaacd
>
> ...
> rdns_proposal_state_transition[vio0] PROPOSAL_NOT_CONFIGURED -> 
> PROPOSAL_CONFIGURED, timo: 3588
> gen_rdns_proposal: iface 1: fe80::f...
> ...
>
> Don't know how to disable this (e.g. vultr), so for now i disable resolvd.

If you want to force a specific server, that's often the right answer anyway.

An alternative is to use unwind with its config file.




Re: ProtectLi w/ OpenBSD

2024-01-03 Thread Stuart Henderson
On 2024-01-03, Kenneth Hendrickson  wrote:
> Is there any newer information than this:
> https://OpenBsdMailBox.blogspot.com/2023/05/protectli-vp2420-with-dasharo.html

That is exactly how a boot looks if you are on a device with serial console
and don't tell the boot loader to use the serial console.

stty com0 
set tty com0
boot


-- 
Please keep replies on the mailing list.



Re: How to access Xauthority for VNC Server

2024-01-02 Thread Stuart Henderson
On 2024-01-02, Adam Retter  wrote:
>
> XAUTHORITY=/etc/X11/xenodm/authdir/authfiles/A:0-r4dlnM x0vncserver
> -display :0 -PasswordFile ~/.vnc/passwd
>
> It is not clear to me how I can set this up so that x0vncserver can
> access the correctly named auth file each time the machine restarts,
> and also under which account it would be considered best practice to
> run x0vncserver... Should I run it under my user account, the `_x11`
> account, or an account created just for that purpose?
> Ideally the VNC Server would start during system startup also.

It won't help for system startup, but you can add the x0vncserver
command (backgrounded with &) from .xsession to run after login.
This would run as your uid and with X environment variables intact so
no faffing with XAUTHORITY needed.

(I would recommend listening to localhost only and connecting via ssh
port-forwarding; for unix VNC clients "-via $hostname localhost" runs
the ssh command for you).



-- 
Please keep replies on the mailing list.



Re: as cannot do endbr64 instructions (too old)

2024-01-02 Thread Stuart Henderson
On 2024-01-02, Lorenz (xha)  wrote:
> what is the reason to only include GPLv2 and not GPLv3?

The new license terms are not wanted for the base OS.

As with GCC, a newer GPLv3 version is available in ports.

> that "as" doesn't support modern instructions is starting to cause
> all sorts of nasty problems. the compiler backend of hare, QBE,
> recently had a patch accepted which adds IBT/BTI support and i
> prepared the stdlib to be able to deal with IBT/BTI.
>
> however, the patch was reverted yesterday with the reason that the
> standard openbsd toolchain doesn't support it. i would need to patch
> QBE to accept a cfi flag (i don't even know if it'd get accepted),
> which, again, would introduce new workarounds in hare for openbsd.

You could perhaps encode the bytes instead, like openssl does
specifically so it will work on other OS with old binutils too..
0xf3,0x0f,0x1e,0xfa

> if updating "as" is really not an option, would a patch adding support
> for endbr64 and the BTI equivalent be accepted?

I can't say. Though I doubt there would be much objection if it's clean and
not a copy of a GPLv3-licensed upstream commit.

-- 
Please keep replies on the mailing list.



Re: Weird network performance with iwn(4)

2024-01-02 Thread Stuart Henderson
On 2024-01-02, Murat D. Kadyrov  wrote:
> On Thu, Dec 21, 2023 at 09:23:42AM +0100, Stefan Sperling wrote:
>> On Wed, Dec 20, 2023 at 07:54:47PM +, Lévai, Dániel wrote:
>> > Danel Levai wrote:
>> > > Stuart Henderson wrote:
>> > > > I checked for openwrt support but your AP has a relatively uncommon
>> > > > Realtek SoC and it seems fairly unlikely to happen so you're probably
>> > > > stuck with the vendor firmware.
>> > > >
>> > > > Maybe try forcing "mode 11n" or "mode 11g" with ifconfig and see if
>> > > > that's any better.
>> > >
>> > > Interestingly enough, "mode 11g" won't join the AP. 11n works and it's a 
>> > > steady
>> > > 300KByte/sec, it doesn't go up and down like with 11ac.
>> > >
>> > > Anyway, I'll see if I can find myself another AP to deploy here, maybe 
>> > > it's just some
>> > > fringe compatibility issue.
>> > >
>> > > Daniel
>> > 
>> > Just for the record, I totally missed trying the 2.4GHz SSID of this AP 
>> > (it has a different name). I was only trying 5GHz with all modes - no 
>> > wonder .11g wouldn't join (brain freeze)...
>> > So .11n actually works on 2.4GHz with this AP and iwm(4), and has a 
>> > download speed of around 1,5-2,0MByte.
>> > 
>> > Daniel
>> > 
>> > 
>> 
>> This means the performance issue is specific to 11ac mode, correct?
>
> 11ac mode supported by OpenBSD?

Yes, for quite a while now, on bwfm iwm iwx.


-- 
Please keep replies on the mailing list.



Re: Firefox, Chrome, Libreoffice bogus syscall on -current

2024-01-02 Thread Stuart Henderson
On 2024-01-01, Ax0n  wrote:
> On Fri, Dec 29, 2023 at 7:33 PM Stuart Henderson 
> wrote:
>
>> Pity, without the deletes a transcript of a run of pkg_add -u -v
>> might have shown why the packages didn't get updated. They should have,
>> and in most cases they do.
>>
>
> Here's the pkg_add -uiv output that I saved while removing stuff. There's a
> bit of detail there, maybe enough to unwind the problem?
>
> https://gist.github.com/n0xa/934776b75ef520738c0fca16aa8b1071
>

pkg_add needs at least -vvv to debug update issues. (There will be too
much output for nearly any scrollback buffer so will need running under
script(1) or alternative).

-- 
Please keep replies on the mailing list.



Re: Cannot PXE Boot PC Engines APU.1D4

2024-01-01 Thread Stuart Henderson
On 2024-01-01, Kenneth Hendrickson  wrote:
>  --- On Monday, January 1, 2024 at 06:10:57 AM EST, Stefan Sperling 
>  wrote:
>
>> Booting 7.4 or -current kernels with an old pxeboot binary won't work.
>> Make sure that both the kernel image and pxeboot originate from the
>> 7.4 release or -current.
>
>
> I was using pxeboot and bsd.rd from 7.4.

Did you create etc/boot.conf in the tftp server dir with the commands to
switch to serial console? (stty com0 , set tty com)

If that's not it, show what's displayed in the boot process.

-- 
Please keep replies on the mailing list.



Re: Firefox, Chrome, Libreoffice bogus syscall on -current

2023-12-29 Thread Stuart Henderson
On 2023-12-29, Ax0n  wrote:
> On Fri, Dec 29, 2023, 11:21 Theo de Raadt  wrote:
>
>> Then your machine is not -current, not by a long shot.
>>
>> We moved to libc.so.98.0 on Dec 12.
>>
>> At least two rounds of new packages have shown up since then.
>>
>> I do believe there are circumstances where pkg_add fails to update
>> library packages.
>
>
> It turns out there was a list of 100 some packages that couldn't be
> upgraded with pkg_add -u and I just wasn't reading it, as the heart of the
> message scrolled way off the screen.
>
> I programmatically pkg_delete'd those and those which relied upon them, and
> re-installed only what I really needed and all is well in the world once
> again.

Pity, without the deletes a transcript of a run of pkg_add -u -v
might have shown why the packages didn't get updated. They should have,
and in most cases they do.



Re: certbot with cloudflare dns-01 challenge

2023-12-28 Thread Stuart Henderson
On 2023-12-27, hammer2_zfs  wrote:
> Why "OpenBSD packages" did not have a py3-certbot-dns-cloudflare.

Because nobody was interested enough in it to write a port and get it
committed.



Re: Firefox, Chrome, Libreoffice bogus syscall on -current

2023-12-28 Thread Stuart Henderson
On 2023-12-27, Ax0n  wrote:
> I had been running #1471 since December 5th without issue, and this week
> upgraded to the latest snapshot (#1567) after which some apps such as
> Firefox won't run. They display "msyscall  a8000 error" followed by a
> core dump. dmesg(1) shows a bogus syscall. I did ensure that I had properly
> sysmerged and updated packages. I waited until the next snapshot hit
> mirrors, and verified that this issue persists with build #1572 and fresh
> packages as well. Lenovo X1 Carbon Gen 8. dmesg in body. I can put core
> dumps somewhere if it helps.

Not sure how much core dumps will help, but if you can try running
the binaries with problems with LD_DEBUG set in the environment (to
anything) and capture output (e.g. using script(1) as it will likely be
copious) that might give clues.

How are you updating packages / which mirror? Do you have anything left
in /usr/local/{bin,sbin,lib} etc which still reference any libc.so.97?

Are you doing anything unusual with LD_PRELOAD (e.g. using a socks
wrapper)?




Re: qcad does not segfault when qtscript is compiled with -O0.

2023-12-26 Thread Stuart Henderson
This was already diagnosed and fixed in -current, see
https://marc.info/?l=openbsd-ports=170160684730438=2
https://github.com/openbsd/ports/blob/e10f7e1a39f85873183c232462850449f777e16f/x11/qt5/qtscript/patches/patch-src_3rdparty_javascriptcore_JavaScriptCore_interpreter_CallFrame_h

On 2023-12-26, Andy Bradford  wrote:
> Hello,
>
> A  little  over a  year  ago  I  reported[1]  that qcad  started  having
> segfaults in 7.0  (or 7.1). I thought  I would try to debug  it today in
> 7.4 and  so enabled DEBUG_PACKAGES  and DEBUG variables in  the cad/qcad
> Makefile  and also  the x11/qt5/qtscript  Makefile hoping  to debug  the
> segfault. In the Makefile for both I set:
>
> DEBUG_PACKAGES=   ${BUILD_PACKAGES}
> DEBUG=-O0 -g
>
> Then I built  the packages, installed them and their  debug packages and
> hoped to capture  a segfault, but it doesn't  crash. Apparently enabling
> -O0 in qtscript's Makefile makes it  not crash. To test that hypothesis,
> I commented out the DEBUG line completely and rebuilt qtscript with just
> the  defaults  that  DEBUG_PACKAGES  inherits  and  sure  enough,  after
> installing that qtscript package built with -O2 qcad again crashes.
>
> (gdb) bt
> #0  0x03eae2f9a990 in QScriptEnginePrivate::mark (this=0x3eb4af54a80, 
> markStack=...) at 
> /usr/ports/pobj/qtscript-5.15.10/qtscript-everywhere-src-5.15.10/src/script/api/qscriptengine.cpp:1320
> #1  0x03eae2f14d6c in QTJSC::Heap::markRoots (this=0x3ea8c2129e8) at 
> /usr/ports/pobj/qtscript-5.15.10/qtscript-everywhere-src-5.15.10/src/3rdparty/javascriptcore/JavaScriptCore/runtime/Collector.cpp:1167
> #2  0x03eae2f13ac5 in QTJSC::Heap::reset (this=0x3ea8c2129e8) at 
> /usr/ports/pobj/qtscript-5.15.10/qtscript-everywhere-src-5.15.10/src/3rdparty/javascriptcore/JavaScriptCore/runtime/Collector.cpp:1269
> #3  QTJSC::Heap::allocate (this=0x3ea8c2129e8, s=) at 
> /usr/ports/pobj/qtscript-5.15.10/qtscript-everywhere-src-5.15.10/src/3rdparty/javascriptcore/JavaScriptCore/runtime/Collector.cpp:405
> #4  0x03eae2fa3ac2 in QTJSC::JSCell::operator new (size=56, 
> exec=) at 
> /usr/ports/pobj/qtscript-5.15.10/qtscript-everywhere-src-5.15.10/src/3rdparty/javascriptcore/JavaScriptCore/runtime/JSCell.h:167
> #5  QScriptEnginePrivate::newVariant (this=0x3eb4af54a80, value=...) at 
> /usr/ports/pobj/qtscript-5.15.10/qtscript-everywhere-src-5.15.10/src/script/api/qscriptengine.cpp:1797
> #6  0x03eae2fa51b5 in QScriptEngine::newVariant (this=, 
> value=...) at 
> /usr/ports/pobj/qtscript-5.15.10/qtscript-everywhere-src-5.15.10/src/script/api/qscriptengine.cpp:2233
> #7  0x03eade54f63f in qtscript_create_Qt_Axis_class 
> (engine=0x3eaf5f91770, clazz=...) at 
> ../../generated_cpp/com_trolltech_qt_core/qtscript_Qt.cpp:4157
> #8  0x03eade5445ee in qtscript_create_Qt_class (engine=0x3eaf5f91770) at 
> ../../generated_cpp/com_trolltech_qt_core/qtscript_Qt.cpp:8386
> #9  0x03eade62a327 in qtscript_initialize_com_trolltech_qt_core_bindings 
> (extensionObject=...) at 
> ../../generated_cpp/com_trolltech_qt_core/com_trolltech_qt_core_init.cpp:312
> #10 0x03eade3a1d9e in com_trolltech_qt_core_ScriptPlugin::initialize 
> (this=0x3eabb1f6100, key=..., engine=0x3eaf5f91770) at plugin.cpp:21
> #11 0x03eae2fabdf9 in QScriptEngine::importExtension (this=0x3eaf5f91770, 
> extension=...) at 
> /usr/ports/pobj/qtscript-5.15.10/qtscript-everywhere-src-5.15.10/src/script/api/qscriptengine.cpp:3769
> #12 0x03ea8abc35ab in RScriptHandlerEcma::RScriptHandlerEcma 
> (this=0x3eabb1e94e0) at RScriptHandlerEcma.cpp:434
> #13 0x03ea8abd4919 in RScriptHandlerEcma::factory () at 
> RScriptHandlerEcma.cpp:1074
> #14 0x03ead8eb2c3e in RScriptHandlerRegistry::createScriptHandler 
> (extension=...) at RScriptHandlerRegistry.cpp:67
> #15 0x03ead8eb2caf in RScriptHandlerRegistry::getGlobalScriptHandler 
> (extension=...) at RScriptHandlerRegistry.cpp:76
> #16 0x03e87ec05021 in main (argc=1, argv=0x7b524ae78618) at main.cpp:389
> (gdb) list
> 1315}
> 1316
> 1317if (q) {
> 1318QScriptContext *context = q->currentContext();
> 1319
> 1320while (context) {
> 1321JSC::ScopeChainNode *node = 
> frameForContext(context)->scopeChain();
> 1322JSC::ScopeChainIterator it(node);
> 1323for (it = node->begin(); it != node->end(); ++it) {
> 1324JSC::JSObject *object = *it;
>
> Stepping through with -O2, it seems to go through one or two iterations of a 
> while loop and then crashes:
>
> (gdb) print context
> $8 = (QScriptContext *) 0xf0800cd3288
> (gdb) print *context
> $9 = {d_ptr = 0x1}
> (gdb) next
> 1323for (it = node->begin(); it != node->end(); ++it) {
> (gdb) 
> 1324JSC::JSObject *object = *it;
> (gdb) 
> 1325if (object)
> (gdb) 
> 1326markStack.append(object);
> (gdb) 
> 1323  

Re: Freetype FT_CONFIG_OPTION_USE_PNG

2023-12-22 Thread Stuart Henderson
On 2023/12/22 07:11, Robert Palm wrote:
> Stuart, thank you.
> 
> Is it possible to builtin / bundle freetype with sdl2 / sdl2-ttf and enable 
> this option?
> 
> I think op@ did something similar with godot...
> 
> Am 21. Dez. 2023, um 22:29, Stuart Henderson  
> schrieb:
> 
> On 2023-12-21, Robert Palm  wrote:
> 
>  I wanted to ask if in xenocaras freetype the FT_CONFIG_OPTION_USE_PNG
>  is enabled.
> 
> It's not, afaik it can't be done unless libpng would be moved from ports 
> to xenocara.
> 

From a quick look it seems that sdl2-ttf already uses a bundled copy of
freetype.



Re: Freetype FT_CONFIG_OPTION_USE_PNG

2023-12-21 Thread Stuart Henderson
On 2023-12-21, Robert Palm  wrote:
>
> I wanted to ask if in xenocaras freetype the FT_CONFIG_OPTION_USE_PNG  
> is enabled.

It's not, afaik it can't be done unless libpng would be moved from ports
to xenocara.

-- 
Please keep replies on the mailing list.



Re: Post (snap) update emails: fsck errors and (in)security output

2023-12-21 Thread Stuart Henderson
On 2023-12-20, Why 42? The lists account.  wrote:
>
> Just tried the mount of /tmp manually from the command line and got:
> mount_mfs: mmap: Cannot allocate memory
>
> When I halved the size (memory) allocated (-s=2097152) it mounts
> successfully:
> mjoelnir:robb 20.12 19:50:02 # df -h /tmp
> Filesystem     Size    Used   Avail Capacity  Mounted on
> mfs:75507      1.9G    1.0K    1.8G     1%    /tmp
>
> Strange that it used to work. One day (!) I'll re-partition and allocate
> a partition/slice of "real" storage to /tmp instead of using mfs.

login.conf used to allow unlimited datasize for the 'daemon' class. That was
changed to cap at 4G (IIRC that was a prerequisite before we were allowed to
bump MAXDSIZ but I don't remember all the details now). This affects things
started from rc - the things particularly likely to run into memory limits
here are fsck, mounting mfs filesystems, maybe also running dump or
restore from single user mode - also ports daemons, though in most cases
we now provide a separate /etc/login.conf.d/daemonname file which raises
limits where needed.

If you have plenty of RAM you may want to bump that value.




Re: XFCE Thunar filemanager core dumps ...

2023-12-21 Thread Stuart Henderson
On 2023-12-20, Why 42? The lists account.  wrote:
>
> On Wed, Dec 20, 2023 at 03:23:52PM -, Stuart Henderson wrote:
>> > ...
>> > When I started gdb (no expert) I noticed this "Dwarf error":
>> > mjoelnir:/tmp 20.12 12:04:38 % gdb -e /usr/local/bin/Thunar -c thunar.core
>> > GNU gdb 6.3
>> 
>> https://www.openbsd.org/faq/ports/ports.html#Backtrace
>
> Thanks. What I understood from there then was to install the debug
> package and run egdb + "bt". Hopefully that's what you had in mind.

Also install debug packages for relevant libraries - here, debug-glib2 and
debug-gtk+3 may be useful.

> Here's the resulting stack trace, the "optimized out" sounds a bit
> worrying :-):

That doesn't indicate a problem.

Probably best to move this to ports@ btw.

> (gdb) bt
> #0  0x084822eb0565 in g_node_traverse_pre_order () from 
> /usr/local/lib/libglib-2.0.so.4201.11
> #1  0x084822eb0577 in g_node_traverse_pre_order () from 
> /usr/local/lib/libglib-2.0.so.4201.11
> #2  0x084822eb0577 in g_node_traverse_pre_order () from 
> /usr/local/lib/libglib-2.0.so.4201.11
> #3  0x084570b35046 in thunar_tree_view_set_show_hidden 
> (view=0x848252483c0, show_hidden=) at thunar-tree-view.c:1990
> #4  thunar_tree_view_set_property (object=0x848252483c0, prop_id= out>, value=, pspec=) at thunar-tree-view.c:509
> #5  0x084827e3c82a in object_set_property () from 
> /usr/local/lib/libgobject-2.0.so.4200.18
> #6  0x084827e3c5a8 in g_object_setv () from 
> /usr/local/lib/libgobject-2.0.so.4200.18
> #7  0x084827e3d94b in g_object_set_property () from 
> /usr/local/lib/libgobject-2.0.so.4200.18
> #8  0x084827e2cf19 in on_source_notify () from 
> /usr/local/lib/libgobject-2.0.so.4200.18
> #9  0x084827e3442b in g_closure_invoke () from 
> /usr/local/lib/libgobject-2.0.so.4200.18
> #10 0x084827e50f4c in signal_emit_unlocked_R.123 () from 
> /usr/local/lib/libgobject-2.0.so.4200.18
> #11 0x084827e4ebab in signal_emit_valist_unlocked () from 
> /usr/local/lib/libgobject-2.0.so.4200.18
> #12 0x084827e4f39f in g_signal_emit () from 
> /usr/local/lib/libgobject-2.0.so.4200.18
> #13 0x084827e40a53 in g_object_dispatch_properties_changed () from 
> /usr/local/lib/libgobject-2.0.so.4200.18
> #14 0x084827e3ae1c in g_object_notify_by_spec_internal () from 
> /usr/local/lib/libgobject-2.0.so.4200.18
> #15 0x084570b43c07 in thunar_window_action_show_hidden 
> (window=0x848393b6760) at thunar-window.c:4727
> #16 0x0847e652dc4e in _gtk_marshal_BOOLEAN__OBJECT_UINT_FLAGS () from 
> /usr/local/lib/libgtk-3.so.2201.0
> #17 0x084827e3442b in g_closure_invoke () from 
> /usr/local/lib/libgobject-2.0.so.4200.18
> #18 0x084827e4ff6d in signal_emit_unlocked_R () from 
> /usr/local/lib/libgobject-2.0.so.4200.18
> #19 0x084827e4ec0f in signal_emit_valist_unlocked () from 
> /usr/local/lib/libgobject-2.0.so.4200.18
> #20 0x084827e4f39f in g_signal_emit () from 
> /usr/local/lib/libgobject-2.0.so.4200.18
> #21 0x0847e65498d2 in gtk_accel_group_activate () from 
> /usr/local/lib/libgtk-3.so.2201.0
> #22 0x0847e6549a24 in gtk_accel_groups_activate () from 
> /usr/local/lib/libgtk-3.so.2201.0
> #23 0x0847e686e048 in gtk_window_activate_key () from 
> /usr/local/lib/libgtk-3.so.2201.0
> #24 0x0847e6874325 in gtk_window_key_press_event () from 
> /usr/local/lib/libgtk-3.so.2201.0
> #25 0x0847e652ceb0 in _gtk_marshal_BOOLEAN__BOXED () from 
> /usr/local/lib/libgtk-3.so.2201.0
> #26 0x084827e3442b in g_closure_invoke () from 
> /usr/local/lib/libgobject-2.0.so.4200.18
> #27 0x084827e50100 in signal_emit_unlocked_R () from 
> /usr/local/lib/libgobject-2.0.so.4200.18
> #28 0x084827e4ec0f in signal_emit_valist_unlocked () from 
> /usr/local/lib/libgobject-2.0.so.4200.18
> #29 0x084827e4f39f in g_signal_emit () from 
> /usr/local/lib/libgobject-2.0.so.4200.18
> #30 0x0847e684e22a in gtk_widget_event_internal () from 
> /usr/local/lib/libgtk-3.so.2201.0
> #31 0x0847e66ce1cf in gtk_propagate_event () from 
> /usr/local/lib/libgtk-3.so.2201.0
> #32 0x0847e66cdbe1 in gtk_main_do_event () from 
> /usr/local/lib/libgtk-3.so.2201.0
> #33 0x08477220a65b in _gdk_event_emit () from 
> /usr/local/lib/libgdk-3.so.2201.1
> #34 0x084772263c88 in gdk_event_source_dispatch () from 
> /usr/local/lib/libgdk-3.so.2201.1
> #35 0x084822ea320d in g_main_context_dispatch_unlocked () from 
> /usr/local/lib/libglib-2.0.so.4201.11
> #36 0x084822ea35ec in g_main_context_iterate_unlocked () from 
> /usr/local/lib/libglib-2.0.so.4201.11
> #37 0x084822ea369b in g_main_context_iteration () from 
> /usr/local/lib/libglib-2.0.so.4

Re: XFCE Thunar filemanager core dumps ...

2023-12-20 Thread Stuart Henderson
On 2023-12-20, Why 42? The lists account.  wrote:
>
> Hi All,
>
> I'm running XFCE on OpenBSD 7.4 GENERIC.MP#1535 amd64
>
> I pressed Control+h in thunar thinking that it would toggle the display
> of hidden files ( .dot files), but instead thunar core dumps:
> -rw---   1 robb  robb   20656304 Dec 19 21:02 thunar.core
>
> Would this be an OpenBSD (porting) issue, or something upstream?
>
> I don't see this behaviour on an adjacent Linux system (different
> versions of XFCE though). I have these versions:
> xfce-4.18.1 Xfce desktop meta-package (base installation)
> thunar-4.18.8   Xfce4 file manager
>
> When I started gdb (no expert) I noticed this "Dwarf error":
> mjoelnir:/tmp 20.12 12:04:38 % gdb -e /usr/local/bin/Thunar -c thunar.core
> GNU gdb 6.3

https://www.openbsd.org/faq/ports/ports.html#Backtrace



Re: Bridging firewall and ntpd

2023-12-19 Thread Stuart Henderson
On 2023-12-19, Karel Lucas  wrote:
>
> Hi all,
>
> I am creating a bridging firewall, and am wondering if it is possible to 
> use the ntp daemon to ensure that all log files are timed correctly. Is 
> there a way to achieve that despite the fact that the network 
> connections do not have an IP address?

Yes, e.g. with a gps unit and nmea(4)

If you want to fetch time over the network, however, the machine will
need to have network access.


-- 
Please keep replies on the mailing list.



Re: OpenBSD on Dell Wyse 3040 N10D - Successful installation and possible problem with ACPI

2023-12-19 Thread Stuart Henderson
On 2023-12-18, Luca Di Gregorio  wrote:
> The system booted, but I saw that it stopped unexpectedly after
> some time (hours or minutes) without any apparent reason.
>
> dmesg said 'acpicpu0 ... bad value ...'
> (Unfortunately I don't have a copy of this dmesg).

Use sendbug as root to create a bug report including acpi tables.
(you may want to sendbug -P > somefile and copy that elsewhere if the
machine isn't setup for email). Preferably with an unmodified kernel
so that the dmesg is complete.

Try to get a copy of the full error message too.

> So, I added these lines in /etc/bsd.re-config, to disable ACPI drivers at
> boot:
> disable acpi
> disable acpitz
> disable acpitz*
> disable acpicpu
> disable acpicpu*
> disable acpibat
> disable acpibat*
> disable acpipwrres
> disable acpipwrres*
> disable acpiprt*

why all these, when you only had an issue with acpicpu?

(since acpi is involved in so much of running the system, often
including thermal controls, that's best avoided).

> I'm not skilled enough to go further in the investigation, hopefully
> someone more skilled than me will go on deeper and discover
> the exact issue causing the unexpected stops.

I don't think there's enough information yet for somebody who doesn't
have the hardware to do anything to help.




Re: load balancing with rdomains

2023-12-17 Thread Stuart Henderson
On 2023-12-16, Petr Ročkai  wrote:
> Hi,
>
> On Sat, Dec 16, 2023 at 06:37:54PM +0100, Marko Cupać wrote:
>> pass in on em0 from (em0:network) to   probability 50% rtable 1
>> pass in on em0 from (em0:network) to   probability 50% rtable 2
>
> IIUIC these two only add up to 75% probability – you presumably want
> probability 50% on the second of the two (the first one then being a
> match for everything that the later rule doesn't take up).

exactly.

-- 
Please keep replies on the mailing list.
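
[Added example, not part of the original thread or of pf itself: the arithmetic behind the "75%" remark above, generalised to any number of routing tables. It assumes the rules are evaluated in order with last-match-wins (no "quick") and that each rule's probability is rolled independently on every ruleset evaluation; the function names are made up for this illustration.]

```python
from fractions import Fraction


def last_match_split(probs):
    """Share of traffic whose *final* matching rule is rule i.

    probs[i] is the probability attached to rule i, in ruleset order.
    Assumption: last matching rule wins and every rule rolls independently.
    Returns (shares, unmatched); unmatched is the traffic that none of
    these rules picked up and that falls through to whatever matched before.
    """
    shares = []
    for i, p in enumerate(probs):
        later_all_miss = Fraction(1)
        for q in probs[i + 1:]:
            later_all_miss *= 1 - q      # every later rule must fail to match
        shares.append(p * later_all_miss)
    unmatched = Fraction(1)
    for p in probs:
        unmatched *= 1 - p               # all rules failed to match
    return shares, unmatched


def equal_split_probs(n):
    """Probabilities giving an even 1/n split over n last-match rules.

    The i-th rule (1-based) gets probability 1/i: the first rule catches
    everything, each later rule takes its 1/i share away from the earlier ones.
    """
    return [Fraction(1, i) for i in range(1, n + 1)]


def as_percent(frac):
    """Format a Fraction as a percentage string with two decimals."""
    return f"{float(frac) * 100:.2f}%"


if __name__ == "__main__":
    half = Fraction(1, 2)
    # The ruleset as posted: both rules carry "probability 50%".
    shares, unmatched = last_match_split([half, half])
    print("posted   :", [as_percent(s) for s in shares],
          "unmatched", as_percent(unmatched))
    # The correction: no probability on the first rule, 50% on the second.
    shares, unmatched = last_match_split([Fraction(1), half])
    print("corrected:", [as_percent(s) for s in shares],
          "unmatched", as_percent(unmatched))
    # Going beyond the thread: three uplinks / rtables.
    probs = equal_split_probs(3)
    shares, unmatched = last_match_split(probs)
    print("3-way    :", [as_percent(p) for p in probs], "->",
          [as_percent(s) for s in shares])
```

[With both rules at 50%, a quarter of new connections match neither rule and are handled by whatever earlier rule or default applied, which is where the 75% comes from.]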



Re: load balancing with rdomains

2023-12-16 Thread Stuart Henderson
On 2023-12-15, Marko Cupać  wrote:
> Hi,
>
> I have a router whose LAN interface is in default rdomain 0, ISP1 in
> rdomain 1 and ISP2 in rdomain 2. Reason for this is a bit complicated,
> involves wireguard tunneling, I will give more details if needed.
>
> LAN hosts can access Internet over ISP1 by means of:
>
> pass in on $if_lan from ($if_lan:network) to  rtable 1
>
> Also over ISP2 if I change above line to:
>
> pass in on $if_lan from ($if_lan:network) to  rtable 2
>
> Is it possible to load-balance over both ISPs / rdomains?

See "probability" in pf.conf(5).

-- 
Please keep replies on the mailing list.



Re: OBS-Studio 26.1.0 and later

2023-12-12 Thread Stuart Henderson
On 2023-12-12, hammer2_zfs  wrote:
> I am scripts' kitty ;-)
> I was using OBS-Studio 26.1.0 for Streaming by OpenBSD 7.1.
> since 7.1 to now...
>
> recently, My USB device was gone...
> then, I tried install by pkg_add obs-stuido on OpenBSD 7.4...
> but, I couldn't get the OBS-Studio...
>
> I want to use the OBS-Studio...
> Why, close the support for OBS-Studio...

OBS-Studio has never been in the ports tree. You must have been using a
third party build or self-built binaries.

-- 
Please keep replies on the mailing list.



Re: VMs not rebooting

2023-12-12 Thread Stuart Henderson
On 2023-12-12, Steve Litt  wrote:
> I've been told by some that OpenBSD has no hardware-assisted VMs, and

That has been wrong since around 2012 when ldomd was added (on sparc64).
On amd64, vmm(4) was added in ~2015.

(_qemu_ on OpenBSD does not have hw virtualisation support, but that is
not the only way to do VMs).

> others that it does. Without hardware assisted VMs, a very slow
> software emulator is required making the guest seem like it's on a 14.4
> modem.
>
> So my question is, does vmm have hardware assist?

vmm(4) provides kernel support for hardware virtualisation on x86.
That is used (and required) by vmd(8).

-- 
Please keep replies on the mailing list.



Re: pkg_add - error while reading header / read short file / gzheader truncated

2023-12-09 Thread Stuart Henderson
On 2023/12/08 15:40, David Rinehart wrote:
> On Fri, 2023-12-08 at 08:37 +0000, Stuart Henderson wrote:
> > On 2023-12-07, David Rinehart  wrote:
> > > 
> > > I see the same with multiple installs - Started with 7.4.  No
> > > modification to default installurl.
> > 
> > The contents of the 'default' installurl depend on which mirror you
> > selected to install from.
> > 
> 
> I select "disk" for file sets and do not recall selecting a mirror.  I
> believe this puts https://cdn.openbsd.org/pub/OpenBSD in the file.
> 
> The issue may have started before 7.4, but was not seen at 7.3 release
> timeframe.
> 
> After giving it more thought, I believe I started seeing errors on
> package installation before 7.4 release.  I figured it was a web site
> issue because I'm running -stable and no patches seemed related (so
> more likely an external issue).  Then, the errors were familiar when I
> did reinstalls with 7.4.  The errors are temporary and the package
> installations will complete if run again, or maybe a couple times.
> 
> Thanks, for the reply and any help!

I suggest trying a mirror instead then, and see if there's any
difference. Pick one from www.openbsd.org/ftp.html.



Re: Weird network performance with iwn(4)

2023-12-08 Thread Stuart Henderson
I checked for openwrt support but your AP has a relatively uncommon
Realtek SoC and it seems fairly unlikely to happen so you're probably
stuck with the vendor firmware.

Maybe try forcing "mode 11n" or "mode 11g" with ifconfig and see if
that's any better.


On 2023-12-08, Lévai  Dániel  wrote:
> On Thursday, December 7th, 2023 at 17:10, Stefan Sperling  
> wrote:
>> 
>> 
>> On Thu, Dec 07, 2023 at 03:39:33PM +, Lévai, Dániel wrote:
>> 
>> > Hi all!
>> > 
>> > Recently my trusty T410 died (had iwn(4) in it) and had to switch to an 
>> > E450 - but this has iwm(4).
>> > Never had any issues with iwn(4) and iwm(4) seems to operate perfectly 
>> > fine in some scenarios, e.g. speedtest.net indicates 100/100Mbit down/up 
>> > speed.
>> 
>> > But downloading a base74.tgz set takes little more than 30 minutes - in 
>> > firefox and in console with ftp(1).
>> 
>> 
>> So you are getting 100/100 Mbit on iwm(4) in a speed test, and only 
>> downloading
>> base74.tgz is slow?
>
> Well, not quite - speedtest.net (whatever it does) seems to report good 
> results, browsing however is generally slow, but I can't really set precise 
> expectations for let's say "opening youtube.com". It's just slow compared to 
> other machines on the same network.
> The most concrete thing I could think of was to download the base set which 
> was surprisingly slow during the first upgrade after installation. That's why 
> I started to investigate; this I can measure and report.
>
> So generally speaking, everything is slow on iwm0 *except* what speedtest.net 
> seems to report.
>
>> The speed test being successful would imply that the wifi
>> layer is working just fine. If so then something else must be messing with
>> your base74.tgz download attempts.
>> 
>> What happens when you download base74.tgz over ethernet?
>
> No issue, perfect 100Mbit.
>
>> Or with iwm(4) via a different AP?
>> Or with iwm(4) via a different ISP?
>
> Thanks for the tips!
> I went ahead and tried my cell phone's mobile hotspot.
> Even though speedtest.net only reported 30/15Mbit down/up, the general 
> browsing experience was much better and managed to squeeze out 2-3MByte/sec 
> while downloading the base set from various mirrors.
>
> Switching back to my home AP seems to be the issue.
> It's a Zyxel NBG6615 (end of service by now, no newer firmware).
> Is there any debug sysctl's I can set on the laptop that could prove useful 
> in troubleshooting this? Maybe different settings for iwm(4) or the AP?
>
> Daniel
>
>


-- 
Please keep replies on the mailing list.



Re: Getting stuck on trying a fresh install to 7.4

2023-12-08 Thread Stuart Henderson
On 2023-12-07, Daniel Ouellet  wrote:
> On 12/7/23 7:37 AM, Stuart Henderson wrote:
>> On 2023-12-06, Daniel Ouellet  wrote:
>>>>> Any suggestion would be greatly appreciated.
>>>>
>>>> Old boot loaders cannot boot 7.4 kernels.
>>>> Upgrade your 6.7 system to 7.3 first (the usual advice to avoid
>>>> skipping releases during upgrades applies). Then upgrade to 7.4.
>> 
>> Specifically the interface used for communicating system
>> console information between the boot loader and the kernel was changed.
>> There was backwards compat but sadly it was removed after one single
>> release.
>> 
>> I think this brings the total number of people I know who have been
>> affected by this up to 6 now.
>> 
>>> I didn't care what's on it now. All fresh install will do.
>>> I have 22 to do. :(
>> 
>> You can copy a new bootloader to the old machines and run installboot.
>
> Hi Stuart,
>
> Just to be clear and to help others here.
>
> You are talking about these two files only right?
>
> /usr/mdec/boot
> /usr/sbin/installboot
>
> or should this one below be included too? I don't think it's needed, but 
> just want to be sure and make the info complete.
>
> /usr/mdec/biosboot

Assuming standard partition table not GPT: /usr/mdec/boot and
/usr/mdec/biosboot. *Not* /usr/sbin/installboot, the new binary
is unlikely to run on new OS.



Re: pkg_add - error while reading header / read short file / gzheader truncated

2023-12-08 Thread Stuart Henderson
On 2023-12-07, David Rinehart  wrote:
>
> I see the same with multiple installs - Started with 7.4.  No
> modification to default installurl.

The contents of the 'default' installurl depend on which mirror you
selected to install from.



Re: Raspberry Pi Installation media gives blank screen on boot

2023-12-08 Thread Stuart Henderson
On 2023-12-07, Vilyaem  wrote:
> Hello,
> I am in the process of turning a Void Linux 
> Raspberry Pi 3 B server to one that runs
> OpenBSD 7.4. 
>
> However, when attempting to
> begin the installation process,
> after the install media boots, the screen
> goes blank, nothing else happens afterwards,
> the keyboard lights still strangely react
> to caps lock and such. The HDMI monitor doesn't
> outright lose signal, the screen just remains
> black.
>
> I did the following steps.
>
> 1. Download miniroot74.img and install74.img from
> openbsd.org arm64
> 2. Write miniroot74.img to an SD card using dd
> doas dd if=miniroot74.img of=/dev/sdb
> 3. Write install74.img to a USB using dd
> doas dd if=install74.img of=/dev/sdb
> 4. Put in the SD card and USB
> 5. Start the Raspberry Pi

See "Install on Raspberry Pi" on
https://ftp.openbsd.org/pub/OpenBSD/7.4/arm64/INSTALL.arm64



Re: Getting stuck on trying a fresh install to 7.4

2023-12-07 Thread Stuart Henderson
On 2023-12-06, Daniel Ouellet  wrote:
>>> Any suggestion would be greatly appreciated.
>> 
>> Old boot loaders cannot boot 7.4 kernels.
>> Upgrade your 6.7 system to 7.3 first (the usual advice to avoid
>> skipping releases during upgrades applies). Then upgrade to 7.4.

Specifically the interface used for communicating system
console information between the boot loader and the kernel was changed.
There was backwards compat but sadly it was removed after one single
release.

I think this brings the total number of people I know who have been
affected by this up to 6 now.

> I didn't care what's on it now. All fresh install will do.
> I have 22 to do. :(

You can copy a new bootloader to the old machines and run installboot.

-- 
Please keep replies on the mailing list.



Re: pkg_add - error while reading header / read short file / gzheader truncated

2023-12-07 Thread Stuart Henderson
On 2023-12-07, Joe B  wrote:
> Hello Misc,
>
> I am configuring a couple of laptops for my kids, I had installed 70 with
> i3 and gcompris in them, it's been a while since the last update so I
> decided to make a fresh install.
>
> So I installed 74 in both of them, used the autoinstall so the process was
> straightforward as always, rebooted, hw_update, syspatch, everything as
> expected.
>
> The problem comes when trying to install a package, I am trying just two of
> them: feh and gcompris, in both laptops, and I get the following errors,
> they are several since I do a few tries and then the problem goes and comes
> at different packages
>
> pkg_add: Ustar [package name, it is different every try, meaning
> lcms2-2.15.tgz, gstreamer, libass-] [?]: Error while reading header
> https://cdn.openbsd.org/pub/OpenBSD/7.4/packages/amd64/lame-3.100p1.tgz:
> Read short file
>
> My configuration are:
> 1 laptop, re0, trying pkg_add feh
> 1 laptop, iwn0, trying pkg_add gcompris
>
> both with the same results, maybe I should try in another LAN, but could it
> be a problem with the CDN server?

pkg_add/ftp aren't good at retrying when network connections fail.
I'd think it's more likely a problem with your network connection
than the cdn server, but you could try one of the other mirrors
listed in www.openbsd.org/ftp.html (either set in /etc/installurl
or set in the PKG_PATH environment variable; you can just use the
hostname in the latter)


> Thank you for your time,
>
> --  Manuel Solis
>
>>>
>
> Hello,
>
> I'm new to OpenBSD about 3 days old. and I ran into the same issue as
> you. I would
>
> pkg_add something and I kept getting the header message. someone on
> IRC helped me
>
> Simple. change the cdn to another mirror
>
> look at https://www.openbsd.org/faq/faq15.html#Mirror
>
> Basically You find a mirror probably ftp like I did go to vim or nano
> /etc/installurl
>
> delete the cdn add another mirror and re-run the pkg_add you might
> need to pkg_delete
>
> the partial and then re-run. pkg_add After all that you might need
> pkg_add -u to see if the new mirror
>
> fixes all the other partials
>
>
> Hope this helps
>
>
> ~ Joe B
>


-- 
Please keep replies on the mailing list.



Re: 7.4 pfsync possible state update loop?

2023-12-04 Thread Stuart Henderson
On 2023-12-01, Christian Gut  wrote:
> Hi List,
>
> I just updated two carp/pfsync firewalls from 7.3 to 7.4. After updating the 
> second box I see a massive increase in traffic on the sync interface. I now 
> reproduced this with another pair of firewalls - same thing.
>
> Both firewall have three physical interfaces: external, internal and sync. 
> Sync interface is connected via ethernet cable directly. Syncinterface has an 
> ip address.
>
> Configuration of hostname.pfsync0:
> syncdev em2
> up
>
> The way I updated these boxes, lets call them primary and secondary:
>
> 1. update secondary to 7.4, including the change in hostname.pfsync0
> 2. change hostname.carp0 to promote to master - reboot
> 3. secondary is now master
> 4. update primary to 7.4
>=> traffic on syncif increases
>
> I tried so far - without any improvements:
> - reboot both machines after another
> - promote primary again
> - ifconfig pfsync0 down; pfctl -F states; ifconfig pfsync0 up

When you tried down/flush/up did you do it on both firewalls at the same
time? (i.e. down pfsync on both, then flush on both, then up pfsync)?

> I think they might see some kind of loop updating the states between each 
> other. Could someone point me to how I could diagnose further?

pfsync was largely rewritten between 7.3 and 7.4, we found one problem
like this but it was fixed before release.

Best way to proceed is probably to capture traffic on the pfsync
interface with tcpdump and see if it relates to any particular state/s
and if there's anything special about them or the rules that generate
them.

bugs@ might be a better place than misc@ to continue this.




Re: Thinkpad x260 not connecting to network

2023-12-02 Thread Stuart Henderson
On 2023-12-02, Mike Evron  wrote:
>
> Thanks for taking the time to look into this.  If there is any more info
> needed or if this should be formatted differently, please let me know.

Run "ifconfig iwm0 debug", try to connect, and send the full dmesg.


-- 
Please keep replies on the mailing list.


