Re: Machine age and OpenBSD - Thinkpad R51e

2021-06-19 Thread Stuart Henderson
On 2021-06-17, Jan Stary  wrote:
>
> Yes; but some Thinkpads' BIOSes contain a whitelist of sanctioned wifi
> cards, and will not boot with other cards. So sometimes you are kinda
> stuck with the original one, unless you find the exact compatibility
> list and get a supported card. Typically, I end up replacing a Broadcom
> wifi/bt card with one whitelisted iwn(4) or another.

You just pick one that was supplied as an option on the machine (or
use a patched bios). There are loads available on the second-hand market.



Re: Prometheus on OpenBSD - does it work?

2021-06-17 Thread Stuart Henderson
On 2021-06-15, Claudio Jeker  wrote:
> On Tue, Jun 15, 2021 at 04:24:08PM +0200, Julien Pivotto wrote:
>> Hello,
>> 
>> I am a Prometheus maintainer and we have received a bug regarding
>> Prometheus - prometheus would no longer work on OpenBSD since we
>> introduced MMAP:
>> 
>> https://github.com/prometheus/prometheus/issues/8877
>> https://github.com/prometheus/prometheus/issues/8799
>> 
>> I would like to know if the facts here are accurate and, on the
>> opposite, if there are happy openbsd users of Prometheus 2.19+.
>> 
>> I see that Prometheus 2.24 is packaged upstream, so I guess there are
>> users. Can you please interact with us so we can better understand the
>> situation at play.
>> 
>
> Unlike other OSes, OpenBSD does not automatically sync between mmap-ed memory
> of a file and any write() to the same file (OpenBSD has no unified
> cache). It requires use of msync(2) to make sure that mappings are
> properly updated.

The other option is to ensure that i/o is all done through mmap and not
use file access at all. For openldap/lmdb we deal with this by enforcing
setting MDB_WRITEMAP (based on a suggestion from Howard Chu); there are
trade-offs:

"This is faster and uses fewer mallocs, but loses protection from
application bugs like wild pointer writes and other bad updates
into the database. Incompatible with nested transactions. Do not
mix processes with and without MDB_WRITEMAP on the same environment.
This can defeat durability (mdb_env_sync etc)."

Some other software (dovecot, sqlite) wants to use mmap but has
alternative code; where we have noticed this we disable use of mmap.
Cyrus imapd had problems with this too; I'm not sure where they
ended up, that was handled 10+ years ago.

> While prometheus works, it also does not.

It is quite likely this is the case for some other software in ports.

Adding syncs feels a bit problematic to me. It's what is needed when
mixing file/mmap on OpenBSD, but is very difficult to ensure every case
is handled, especially in the face of changing code, and the problems
from missing them simply don't show up on most other OSes. But there is
not an alternative without coherent mmap/file access (not *necessarily*
UBC, though that's a common way to do it).
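The msync(2) requirement described in this thread, shown as an added C example (this is not code from the thread, from Prometheus or from LMDB): a file is updated both through a MAP_SHARED mapping and through pwrite(), and each side is resynchronised with msync(2) before the other side reads it. MS_SYNC pushes mapping changes to the file before a pread(); MS_INVALIDATE refreshes the mapping after a pwrite(). On an OS with a unified cache both checks pass even if the two msync calls are deleted, which is exactly why a missing sync stays invisible there and only surfaces on OpenBSD. The scratch file under /tmp and the function name are assumptions for the example.

```c
/* Added example: file/mmap coherence with msync(2). Not code from the
 * thread, Prometheus or LMDB. Assumes a writable /tmp. */
#define _XOPEN_SOURCE 700      /* pread/pwrite/mkstemp/ftruncate declarations */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define REGION_LEN 4096        /* one page; msync needs a page-aligned start */

/*
 * Update a file through a shared mapping and through pwrite(), syncing
 * with msync(2) before each cross-over read. Returns 0 when both
 * directions are coherent, a bitmask of the failed steps otherwise,
 * or a negative value if the scratch file could not be set up.
 */
int mmap_write_coherence_check(void)
{
    char path[] = "/tmp/mmapcheck.XXXXXX";   /* constructed scratch file */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                            /* keep it reachable via fd only */
    if (ftruncate(fd, REGION_LEN) < 0) {
        close(fd);
        return -2;
    }

    char *map = mmap(NULL, REGION_LEN, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (map == MAP_FAILED) {
        close(fd);
        return -3;
    }

    int rc = 0;
    char buf[16];

    /* Direction 1: mapping -> file. MS_SYNC flushes the dirty mapped page
     * so a following pread() on the descriptor sees the new bytes. */
    memcpy(map, "via-mmap", 9);
    if (msync(map, REGION_LEN, MS_SYNC) < 0)
        rc |= 1;
    if (pread(fd, buf, 9, 0) != 9 || memcmp(buf, "via-mmap", 9) != 0)
        rc |= 2;

    /* Direction 2: file -> mapping. MS_INVALIDATE drops the mapping's stale
     * copy so the next access through the pointer reads the pwrite() data. */
    if (pwrite(fd, "via-write", 10, 0) != 10)
        rc |= 4;
    if (msync(map, REGION_LEN, MS_INVALIDATE) < 0)
        rc |= 8;
    if (memcmp(map, "via-write", 10) != 0)
        rc |= 16;

    munmap(map, REGION_LEN);
    close(fd);
    return rc;
}

int main(void)
{
    int rc = mmap_write_coherence_check();
    printf("mmap/write coherence check: %s (rc=%d)\n",
           rc == 0 ? "ok" : "FAILED", rc);
    return rc == 0 ? 0 : 1;
}
```

The bitmask tells you which direction broke: bit 2 means the mapping's update never reached read(), bit 16 means the mapping kept serving stale data after a write(). That is the check to keep in a regression suite for any code base that mixes the two access paths, since the thread's point is that the omission is silent on most other platforms.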




Re: Color emojis

2021-06-17 Thread Stuart Henderson
On 2021-06-17, Francisco Fuentes  wrote:
> I have a little issue with my system (OpenBSD 6.9 amd64 with XFCE) and 
> that is that emojis aren't showing. I read fonts-conf(5) and created 
> with some help one for my own configuration but I haven't had luck so 
> far. I installed Noto Emoji font and the powerline ones from packages 
> but it didn't cause any effect.
>
> I need to be able to see emojis across the system, some people tend to 
> think that I wanna see them only on Firefox and they suggest stuff to do 
> in a specific system but I need to i.e. see color emojis in the terminal.
>
> What else do I need to check or is there some kind of incompatibility?
>
> Thanks
>
>

You will need a terminal that can use fallback fonts, and you'll need
to configure it to use the fonts you want in the priority order you
want.  XTerm doesn't allow this.

You can try at least rxvt-unicode, st, kitty, the various VTE-based
terminals (including gnome-terminal and many others). Some are
configured directly, some use fontconfig for it. I haven't tried using
them for emoji but have had success with fallback for various unicode
symbols and scripts that aren't supported by my usual font.




Re: Machine age and OpenBSD - Thinkpad R51e

2021-06-16 Thread Stuart Henderson
On 2021-06-16, Thomas Vetere  wrote:
> Hello everyone,
>
> I was looking to get a laptop to run OpenBSD. The one I am looking at in
> particular is the Thinkpad R51e (2005). I like this particular model
> because it does not come with any extra hardware that OpenBSD does not
> support in the first place (bluetooth, camera, etc.) My main concern is the
> longevity that this model would have going forward. I already have a '94
> Thinkpad that cannot run the latest OpenBSD well because hardware support
> was gradually dropped during code cleanups, etc (i.e. newer versions of X11
> removed support for my ancient graphics chip because it just wasn't worth
> the time to maintain the code). Does anyone know, given the age of that
> model, how many years I might get out of it with OpenBSD and its packaged
> software before hardware support starts to drop? What is a good rule of
> thumb for selecting a machine to run OpenBSD with respect to its age?
>
> Thank you for your help!
>

If you want to run some common packages like chromium or firefox on a
current version of OpenBSD: 0 years. (To be honest i386 hasn't really
been a great choice for running packages for probably 5+ years now).

You *really* want hardware with a CPU that can use an amd64 kernel.
Check the cpu model and look it up on intel's spec pages, check for
64-bit support. On some laptop ranges there are both 32-bit-only
and 64-bit-capable CPUs in the same range, but none of the CPUs
used on R51e are 64-bit.

I wouldn't suggest anything older than the X220/T420/T520 generation,
and those would be a bit of a push now. By this point they're old
enough you might need to do some hardware maintenance; maybe replace
things like fans, heatsink compound, etc.

By the way, the cameras do usually work, though if you particularly
want to avoid a camera there are some models that don't include them.
Probably getting hard to find now though, I think "no camera" was
usually a configure-to-order option rather than a standard spec.
Although OpenBSD doesn't support bluetooth, it doesn't get in the
way of anything. On X220 and maybe others if you particularly don't
want to have the hardware, you could just remove the daughtercard
that runs it (some people do this anyway to gain an additional USB
interface); maybe swap the wifi interface too, as some of them are
combined wifi+BT.




Re: Who is responsible for ports.su? (admittedly a non-canon resource)

2021-06-15 Thread Stuart Henderson
On 2021-06-15, Marc Espie  wrote:
> I think that his approach is doomed to fail.
>
> There are a lot of tricky parts to flavors and multipackages and 
> normalization.  If you don't use the actual ports/packages framework code,
> you have to figure it out all over again by yourself.
>
> and there are lots of gremlins.
>
> The official code is based off sqlports.
>
> See how many commits there were to that code... especially the tree-walker
> part and normalization part... that will give you an idea of everything
> that must be gotten precisely right to yield good results.
>
> (and btw, I initially wrote bogus code. I had a large debugging session
> with Robert Nagy until I got the normalization part correct!)
>
>

ports.su is based off sqlports too, but old.




Re: umb0 broke in 6.9

2021-06-14 Thread Stuart Henderson
On 2021/06/14 16:15, Paul B. Henson wrote:
> On Mon, Jun 14, 2021 at 08:07:15AM -0000, Stuart Henderson wrote:
> 
> > just add "#define UMB_DEBUG" to if_umb.c and send the full dmesg output.
> 
> Hmm, that didn't work, I also needed to update umb_debug = 1 in the
> code? After that, I got a little output, full dmesg included below but
> the umb part looks like:

ah yes, thanks.

> umb0 at uhub0 port 3 configuration 1 interface 12 "Sierra Wireless,
> Incorporated Sierra Wireless MC7455 Qualcomm\M-. Snapdragon? X7 LTE-A"
> rev 2.10/0.06 addr 2
> umb0: NCM align=4 div=4 rem=0
> umb0: Only NTB16 format supported.
> umb0: -> snd MBIM_OPEN_MSG (tid 1)
> umb0: vers 1.0
> umb0: stop: reached state DOWN
> umb0: init: opening ...
> umb0: -> snd MBIM_OPEN_MSG (tid 2)
> umb0: init: opening ...
> umb0: -> snd MBIM_OPEN_MSG (tid 3)
> umb0: stop: reached state DOWN
> 
> This seems kind of like the original problem I had with the card when it
> was attached to the internal USB2 minipci slot rather than to the
> external USB3 one:
> 
> http://openbsd-archive.7691.n7.nabble.com/umb-device-SIM-has-no-PIN-td331358.html

ah, I was wondering if I'd broken something with the fcc auth change when
it moved to a combined quirks table (which is why I wanted that debug),
but reading that mail reminded me that EM7455 wasn't quite the same as
MC7455.. there were a few other changes in umb but looking at the
debug messages I don't think your device is using those.

> Maybe a change in the USB code broke it?

it's possible, there were changes to other parts of USB that did cause
problems for some umb devices, though the ones that were reported at the
time were fixed.

at this point if I had the device I'd probably try bisecting to try and
find when the problem started .. with 6.9 userland you can probably get
away with just booting the relevant older kernel for a test for probably
most/maybe all of the way back to 6.8. ftp.hostserver.de/archive has
daily amd64 snaps going back 3 months, which takes you before the umb
changes, but probably after some of the other usb stack changes. if it's
still failing with the earliest of those let me know and I can dig out
some older ones, or do a date-based checkout ("cvs up -D 2021/01/01"
etc) and try some builds yourself.


> 
> OpenBSD 6.9-stable (GENERIC.MP) #12: Mon Jun 14 15:54:43 PDT 2021
> r...@obsd-bld.pbhware.com:/sys/arch/amd64/compile/GENERIC.MP
> real mem = 4261011456 (4063MB)
> avail mem = 4116484096 (3925MB)
> User Kernel Config
> UKC> disable Humsm
> 361 umsm* disabled
> UKC> quit
> Continuing...
> random: good seed from bootblocks
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xcff9f020 (7 entries)
> bios0: vendor coreboot version "v4.6.3" date 20171030
> bios0: PC Engines PC Engines apu3
> acpi0 at bios0: ACPI 4.0
> acpi0: sleep states S0 S1 S2 S4 S5
> acpi0: tables DSDT FACP SSDT TCPA APIC HEST SSDT SSDT HPET
> acpi0: wakeup devices PWRB(S4) PBR4(S4) PBR5(S4) PBR6(S4) PBR7(S4) PBR8(S4) 
> UOH1(S3) UOH2(S3) UOH3(S3) UOH4(S3) UOH5(S3) UOH6(S3) XHC0(S4)
> acpitimer0 at acpi0: 3579545 Hz, 32 bits
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: AMD GX-412TC SOC, 998.40 MHz, 16-30-01
> cpu0: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,DBKP,PERFTSC,PCTRL3,ITSC,BMI1,XSAVEOPT
> cpu0: 32KB 64b/line 2-way I-cache, 32KB 64b/line 8-way D-cache, 2MB 64b/line 
> 16-way L2 cache
> cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
> cpu0: DTLB 40 4KB entries fully associative, 8 4MB entries fully associative
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
> cpu0: apic clock running at 99MHz
> cpu0: mwait min=64, max=64, IBE
> cpu1 at mainbus0: apid 1 (application processor)
> cpu1: AMD GX-412TC SOC, 998.13 MHz, 16-30-01
> cpu1: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,IBS,SKINIT,TOPEXT,DBKP,PERFTSC,PCTRL3,ITSC,BMI1,XSAVEOPT
> cpu1: 32KB 64b/line 2-way I-cache, 32KB 64b/line 8-way D-cache, 2MB 64b/line 
> 16-way L2 cache
> cpu1: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
> cpu1: DTLB 40 4KB entries fully associative, 8 4MB entries fully a

Re: umb0 broke in 6.9

2021-06-14 Thread Stuart Henderson
On 2021-06-13, Paul B. Henson  wrote:
> I just upgraded a box that has a cell data card in it and it no longer
> seems to work :(. The card is:
>
> umb0 at uhub0 port 3 configuration 1 interface 12 "Sierra Wireless,
> Incorporated Sierra Wireless MC7455 Qualcomm\M-. Snapdragon? X7 LTE-A"
> rev 2.10/0.06 addr 2
>
> The contents of /etc/hostname.umb0 are just:
>
>   apn r.ispsn
>
> The interface shows:
>
> umb0: flags=8811 mtu 1500
> index 6 priority 6 llprio 3
> roaming disabled registration unknown
> state down cell-class none
> SIM not initialized PIN required
> APN r.ispsn
> status: down
>
> There is no PIN on the SIM. It was working fine right before the upgrade.
> The only umb change I see in the changelog is:
>
> Added vid/pid table to umb(4) allowing matching to alternate configurations.
>
> I'm not sure what that means or if my config needs something changed to
> work again? Any suggestions appreciated. The card is in an external
> minipci adapter connected via USB3. The server is a PC Engines apu3 which
> actually has an internal minipci connector, but I couldn't get that to
> work as internally it was connected via USB2 and there were issues with
> that chipset. I vaguely recall it was actually failing something like
> this 8-/.
>
> Thanks...
>
>

Please build a kernel with UMB_DEBUG defined (easiest way is probably
to just add "#define UMB_DEBUG" to if_umb.c) and send the full dmesg output.
I don't think the changes made should affect your card but that would
let us check.




Re: autofs

2021-06-14 Thread Stuart Henderson

amd.

--
 Sent from a phone, apologies for poor formatting.
On 13 June 2021 23:23:34 Gustavo Rios  wrote:

> avoid autofs ? or amd ?
> Which should i avoid ?
>
> On Sun, 13 Jun 2021 at 18:48, Stuart Henderson
>  wrote:
>
>> On 2021-06-12, James Cook  wrote:
>>
>>> On Fri, Jun 11, 2021 at 11:04:15PM -0300, Gustavo Rios wrote:
>>>
>>>> Hi folks!
>>>>
>>>> I have a question regarding OpenBSD. Does it support autofs?
>>>> Any reference regarding how to implement it?
>>>>
>>>> Thanks in advance.
>>>>
>>>> --
>>>> The lion and the tiger may be more powerful, but the wolves do not perform
>>>> in the circus
>>>
>>> See amd(8). I have not used it or Linux's autofs, but I think they have the
>>> same purpose.
>>
>> They do, but they work quite differently; amd(8) uses a localhost NFSv2
>> mount. There are some issues with this, including a 2GB maximum file size.
>> You might do better to avoid it if possible.
>
> --
> The lion and the tiger may be more powerful, but the wolves do not perform
> in the circus




Re: Who is responsible for ports.su? (admittedly a non-canon resource)

2021-06-13 Thread Stuart Henderson
On 2021-06-13, ropers  wrote:
> Sorry to disturb, but does anyone know how to contact whoever is
> responsible for ports.su?
> An email address would be great, though I'm not sure if it's okay to
> post that on-list.  Perhaps it's okay to send that off-list?
>
> Thank you,
> Ian
>
>

It's Constantine Murenin, I'm not sure of working contact methods.

The only one of these 'ports browser' websites which is expected to
actually handle the ports tree correctly is https://openports.pl/
which runs a copy of ports-readmes-dancer (which is also in ports
if you'd like to run your own copy locally). Others are either
just completely outdated themselves (ports.su) or we've seen them
not parse things properly from the ports tree (openports.se).




Re: autofs

2021-06-13 Thread Stuart Henderson
On 2021-06-12, James Cook  wrote:
> On Fri, Jun 11, 2021 at 11:04:15PM -0300, Gustavo Rios wrote:
>> Hi folks!
>> 
>> I have a question regarding OpenBSD. Does it support autofs?
>> Any reference regarding how to implement it?
>> 
>> Thanks in advance.
>> 
>> -- 
>> The lion and the tiger may be more powerful, but the wolves do not perform
>> in the circus
>
> See amd(8). I have not used it or Linux's autofs, but I think they have the
> same purpose.
>

They do, but they work quite differently; amd(8) uses a localhost NFSv2
mount. There are some issues with this, including a 2GB maximum file size.
You might do better to avoid it if possible.



Re: openbgpd "depend on"

2021-06-11 Thread Stuart Henderson
On 2021-06-11, open...@kene.nu  wrote:
> Hello Stuart,
>
> I do set the carp address as nexthop. This works in a "traditional" L2
> environment as expected. However, to make a long story short, in a vxlan
> environment L2 redundancy protocols like carp that rely on gARP do not work
> as expected.
>
> So I need to have the backup firewall tell the router in some other way
> (bgp wise) that the path via it is worse compared with the master. The
> suggestion offered by Claudio would be spot on for my use case. I would
> argue others would benefit from this too as I am running a fairly standard
> symmetric vxlan routing clos setup.

I'm not quite sure I get what you're trying to do then - so instead of
using something which needs carp to work, you want to use something else
which also needs carp to work?




Re: Unconsistent two-level write speed bouncing on softraid RAID1 SSD's

2021-06-10 Thread Stuart Henderson
On 2021-06-10, Kent Watsen  wrote:
> The Crucial BX500 SSD uses SMR technology, which is best used for 
> infrequent-write applications.  
> For general-purpose, and especially NAS, applications, CMR technology should 
> be used. 

hmm, does SMR stand for something other than "shingled magnetic recording"
related to storage? that only relates to HD not SSD.

>> On Jun 10, 2021, at 6:20 AM, Xavier Sanchez  wrote:
>> 
>> Written from my laptop directly to the device and 
>> - good and constant read speed
>> - bouncing 7MB/s to high write speed

Bouncing between speeds is not impossible, SSDs often have faster cache
and do flash erase/programming in the background, until the cache is full.
But 7MB/s seems a bit too slow even then.




Re: openbgpd "depend on"

2021-06-10 Thread Stuart Henderson
On 2021-06-10, open...@kene.nu  wrote:
> Looks like the syntax is not valid and I cannot find any reference in the
> man pages either. Maybe I am missing the intent of your reply. Is it intended
> as pseudo code that would pose as my intent or is it actually already
> possible to achieve this?

It's not yet implemented.

I didn't quite work out from your description what you'd like openbgpd
to do, but are you aware that you don't have to distribute a route which
points at "this router's IP address"? Some situations involving carp
routes can be dealt with by setting the nexthop as the carp address,
e.g. "network 192.0.2.0/29 set nexthop 10.100.2.1". Not sure if this
helps you but maybe.




Re: reposync:host key verification failed

2021-06-10 Thread Stuart Henderson
On 2021-06-09, Avon Robertson  wrote:
> On Tue, Jun 08, 2021 at 11:11:15AM +1200, Avon Robertson wrote:
>> On Mon, Jun 07, 2021 at 08:21:24PM -0000, Stuart Henderson wrote:
>> > On 2021-06-07, Avon Robertson  wrote:
>> > > $ make obj
>> > >===> ssh
>> > > /usr/src/usr.bin/ssh/ssh/obj -> /usr/obj/usr.bin/ssh/ssh
>> > > mkdir: /usr/obj/usr.bin: Permission denied
>> > > *** Error 1 in ssh (:61 'obj': @cd /usr/src/usr.bin/ssh/ssh;
>> > > umask 007;  here=`/bin/pwd`; bsdsrcdir=`cd /usr/src; /bin/pwd`;  s...)
>> > > *** Error 2 in /usr/src/usr.bin/ssh (:48 'obj': @for
>> > > entry in ssh sshd ssh-add ssh-keygen ssh-agent scp sftp-server
>> > > ssh-keys...)
>> > >
>> > > Mmmm. So looked first at permission in and below /usr/src. Found
>> > > permissions to be 700 with owner and group being aer:wsrc. As root,
>> > > # chmod -R 775 /usr/src
>> > > and tried 'make obj' again. The same error as above was output.
>> > 
>> > The "permission denied" is on /usr/obj.
>> > 
>> > > I do not rule out the possibility that my local /cvs repository has
>> > > been inadvertently corrupted by me.
>> > 
>> > unlikely.
>> > 
>> > > Theo, I am willing to install (not update) a later snapshot and try to
>> > > build a test kernel for you tomorrow; if you believe it likely my /cvs
>> > > repo is ok. If you think it likely that my repo is corrupt, I will
>> > > remove it and reinstall a local repo from scratch before trying to
>> > > build a test kernel for you.
>> > 
>> > I think at this point the best thing to do is simply update to a newer
>> > snapshot and try reposync again. (Update is fine, no need to reinstall).
>> > No need to build a kernel.
>> > 
>> > If there is still a failure then adjust permissions or group membership
>> > so you can write to /usr/obj (there are various methods that will work),
>> > and confirm that it works with a build of ssh fresh from cvs. But if I got
>> > my testing right then I think this is now working.
>> > 
>> > 
>> Many thanks Stuart.
>> Will do as you have suggested.
>> 
>> Regards Avon
>> -- 
>> 
>
> Hello Stuart and misc@,
> Installed new snapshot:
> $ uname -prsv
> OpenBSD 6.9 GENERIC.MP#58 amd64
>
> My script failed again with error:
> reposync: host key verification failed - see
> /var/db/reposync/known_hosts
>
> After executing
> $ cd /usr/src/usr.bin/ssh
> $ cvs up
> $ make obj
> $ make
> $ doas make install
> my script is working again without error.
>
> Thank you all for your help.
>
> Regards Avon
>
>

It should work OK with snapshots dated after 2021/06/08.

btw for future reference, the GENERIC.MP#58 isn't very useful for
identification; it's better to use "sysctl kern.version".




Re: web server security

2021-06-10 Thread Stuart Henderson
On 2021-06-10, Gustavo Rios  wrote:
> Hi folks!
>
> I am planning a web server using OpenBSD as the OS and using PHP. My
> question is: how do I prevent any given user from implementing a PHP script
> that will read someone else's file, since everything will run as the web
> server user and group?
>
> thanks a lot.
>

The PHP scripts don't need to run as the same user and group. Use different
application pools in php-fpm.conf listening on different sockets, and have
the web server use the relevant socket for the website. You can even chroot
them separately if you think that will help.

e.g.

---
[global]
error_log = syslog
syslog.facility = daemon
log_level = notice

[user1]
user = user1
group = user1
listen = /var/www/run/php-fpm.user1.sock
pm = ondemand
pm.max_children = 20
pm.process_idle_timeout = 30s
chroot = /var/www

[user2]
user = user2
group = user2
listen = /var/www/run/php-fpm.user2.sock
pm = ondemand
pm.max_children = 20
pm.process_idle_timeout = 30s
chroot = /var/www
---

Quick warning to head off a possible problem you might run into in the
future though; you will need to make sure that the web server (not the
PHP interpreter) has read access to those files which _it_ needs (e.g.
static content). One way to do that is to add the www user to the
group for each user account (e.g. user1:*:1001:www, user2:*:1002:www,
in /etc/group). That works nicely for small setups but you will run
into a wall after a while because on OpenBSD a user account can only
be a member of up to 16 supplemental groups. (There are other ways
to handle this e.g. running multiple web server processes, but with
a bunch more complication).




Re: Howto measure pps at forwarding plane

2021-06-10 Thread Stuart Henderson
On 2021-06-10, Valdrin MUJA  wrote:
> Hello,
>
> I'm trying to figure out how much packets are being forwarded on my OpenBSD 
> firewall.
> Here a small script i wrote.
>
>
> #!/bin/sh
>
>
> VAL1=`netstat -s | grep 'packets forwarded' | head -1 | awk -F ' ' '{print $1}'`
>
> sleep 1
>
> VAL2=`netstat -s | grep 'packets forwarded' | head -1 | awk -F ' ' '{print $1}'`
>
>
> echo "$(($VAL2-$VAL1))"
>
>
> But I can not be sure if I am doing the right thing.
> Can anyone check it please?
> Thanks.
>

If you are only interested in IPv4 then yes that'll do it.
This would save some cpu cycles though:

VAL1=`netstat -s | awk '/packets forwarded/ { print $1; exit }'`




Re: bind dhcpd to IP address

2021-06-10 Thread Stuart Henderson
On 2021-06-10, Ralf Horstmann  wrote:
> Hi Valdrin,
>
> that setup works fine. You would use "ip helper-address" on the Ciscos to
> forward the DHCP requests to your OpenBSD box. The forwarded requests use the
> specified helper address as unicast destination. No need to have the VLANs
> present on your OpenBSD box.
>
> I'm running dhcpd without -u for that. dhcpd will pickup all packets with
> destination port 67 on the specified interface via bpf. No need to bind to a
> specific IP.

dhcpd will need to be listening on the interface containing the helper-address
though; if you don't want it to actually serve clients on that network, the
subnet declaration can be empty e.g. subnet 192.0.2.0 netmask 255.255.255.0 { }


> I understand your last question as: Can dhcpd provide leases for subnets when
> the dhcpd box has no IP addresses within the range? The answer is yes. You will
> need subnet declarations for all pools in dhcpd.conf though.

The relay includes its own address on the client-facing interface in the
relayed DHCP request; dhcpd uses that to determine which subnet to use.




Re: FireFox crashing on credential submission

2021-06-07 Thread Stuart Henderson
On 2021-06-07, Ed Ahlsen-Girard  wrote:
> Has anyone else seen Firefox crashing when submitting web site
> credentials? This has been happening for about a week in snapshots.
>
> I'd submit a bug on Bugzilla, but that's one of the sites that
> generates a crash.
>
>
>

Start firefox from a terminal and show any messages printed before
it crashes.

Is there a coredump or any entry in dmesg at the time?

Send to po...@openbsd.org.



Re: Best practices mirroring large file-system hierarchies?

2021-06-07 Thread Stuart Henderson
On 2021-06-07, Michael Lowery Wilson  wrote:
> Greetings,
>
> My attempts at creating a local mirror of Project Gutenberg's ebooks under 
> OpenBSD 6.9 using openrsync following official instructions: 
> https://www.gutenberg.org/help/mirroring.html have been unsuccessful.
>
> Specifically I am using:
>
> openrsync -av --del aleph.gutenberg.org::gutenberg-epub /disk5/gutenberg/
>
> to sync 927606 files (approximately 440 GB), which then fails with the errors:
>
> openrsync: error: 39488: mkdirat: Too many links
> openrsync: error: rsync_uploader
> openrsync: error: rsync_receiver

I think this is because there are too many subdirectories in a single directory.
Each subdirectory's ".." link is a hardlink with the parent directory and
you run into LINK_MAX (32767).

$ rsync aleph.gutenberg.org::gutenberg-epub|wc -l 
   65559

By the way, openrsync is a poor choice when dealing with many
files/directories. It does not support the incremental file listing
method that rsync added in 3.0.0 so will use more memory at your
side and perhaps more importantly on the server you're fetching from
as it has to build and transfer the entire file list in one go.
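The LINK_MAX explanation above (each subdirectory's ".." is a hard link to its parent, so a directory's link count is 2 plus its subdirectory count and the mirror fails once that reaches 32767) as an added C example for checking headroom before a sync fails rather than after; this is not code from the thread or from openrsync. count_subdirs() counts immediate subdirectories without following symlinks, since a symlink to a directory adds no ".." link; subdir_headroom() reports how many more can be created under the ffs limit; run_sample_tree() builds a small constructed tree under /tmp to exercise both and removes it again. The FFS_LINK_MAX constant (taken from the 32767 figure in the thread) and the /tmp path are assumptions for the example.

```c
/* Added example: predict the "Too many links" failure by counting the
 * subdirectories a parent must hold ".." links for. Not code from the
 * thread or from openrsync. Assumes a writable /tmp. */
#define _XOPEN_SOURCE 700      /* mkdtemp/symlink/lstat declarations */
#include <dirent.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Link count limit quoted in the thread for OpenBSD ffs (assumed here). */
#define FFS_LINK_MAX 32767L

/*
 * Count the immediate subdirectories of `path`. Symlinks are not followed:
 * a symlink to a directory does not add a ".." link to the parent.
 * Returns -1 if the directory cannot be opened.
 */
long count_subdirs(const char *path)
{
    DIR *d = opendir(path);
    if (d == NULL)
        return -1;
    long n = 0;
    struct dirent *e;
    struct stat st;
    char child[PATH_MAX];
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        snprintf(child, sizeof child, "%s/%s", path, e->d_name);
        if (lstat(child, &st) == 0 && S_ISDIR(st.st_mode))
            n++;
    }
    closedir(d);
    return n;
}

/*
 * Subdirectories that can still be created under `path` before its link
 * count ("." plus its own entry in the parent, plus one ".." per
 * subdirectory) reaches `link_max`. Returns LONG_MIN if `path` cannot
 * be read; a negative result means the limit is already exceeded.
 */
long subdir_headroom(const char *path, long link_max)
{
    long n = count_subdirs(path);
    if (n < 0)
        return LONG_MIN;
    return link_max - (n + 2);
}

/*
 * Build a constructed tree under /tmp with `ndirs` subdirectories, one
 * regular file and one symlink, run both checks on it, then remove it.
 * Returns 0 on success and fills *subdirs and *headroom.
 */
int run_sample_tree(int ndirs, long *subdirs, long *headroom)
{
    char parent[] = "/tmp/linkmax.XXXXXX";
    char p[PATH_MAX];
    FILE *f;
    int rc = -1, made = 0;

    if (mkdtemp(parent) == NULL)
        return -1;
    for (int i = 0; i < ndirs; i++) {
        snprintf(p, sizeof p, "%s/d%d", parent, i);
        if (mkdir(p, 0700) < 0)
            goto cleanup;
        made++;
    }
    /* Neither a regular file nor a symlink adds a link to the parent. */
    snprintf(p, sizeof p, "%s/file", parent);
    if ((f = fopen(p, "w")) == NULL)
        goto cleanup;
    fclose(f);
    snprintf(p, sizeof p, "%s/link", parent);
    if (symlink("d0", p) < 0)
        goto cleanup;

    *subdirs = count_subdirs(parent);
    *headroom = subdir_headroom(parent, FFS_LINK_MAX);
    rc = (*subdirs < 0) ? -1 : 0;

cleanup:
    snprintf(p, sizeof p, "%s/link", parent);
    unlink(p);
    snprintf(p, sizeof p, "%s/file", parent);
    unlink(p);
    for (int i = 0; i < made; i++) {
        snprintf(p, sizeof p, "%s/d%d", parent, i);
        rmdir(p);
    }
    rmdir(parent);
    return rc;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : ".";
    long n = count_subdirs(dir);
    if (n < 0) {
        perror(dir);
        return 1;
    }
    printf("%s: %ld subdirectories, headroom %ld before LINK_MAX %ld\n",
           dir, n, subdir_headroom(dir, FFS_LINK_MAX), FFS_LINK_MAX);
    return 0;
}
```

Run it against the destination directory (or, on a host with access to the source tree, against the largest directory there) before starting a large mirror: a headroom near zero is the condition that produced the mkdirat "Too many links" error above, and it cannot be fixed by openrsync options, only by a layout that splits the entries across more parent directories.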




Re: reposync:host key verification failed

2021-06-07 Thread Stuart Henderson
On 2021-06-07, Avon Robertson  wrote:
> $ make obj
>===> ssh
> /usr/src/usr.bin/ssh/ssh/obj -> /usr/obj/usr.bin/ssh/ssh
> mkdir: /usr/obj/usr.bin: Permission denied
> *** Error 1 in ssh (:61 'obj': @cd /usr/src/usr.bin/ssh/ssh;
> umask 007;  here=`/bin/pwd`; bsdsrcdir=`cd /usr/src; /bin/pwd`;  s...)
> *** Error 2 in /usr/src/usr.bin/ssh (:48 'obj': @for
> entry in ssh sshd ssh-add ssh-keygen ssh-agent scp sftp-server
> ssh-keys...)
>
> Mmmm. So looked first at permission in and below /usr/src. Found
> permissions to be 700 with owner and group being aer:wsrc. As root,
> # chmod -R 775 /usr/src
> and tried 'make obj' again. The same error as above was output.

The "permission denied" is on /usr/obj.

> I do not rule out the possibility that my local /cvs repository has
> been inadvertently corrupted by me.

unlikely.

> Theo, I am willing to install (not update) a later snapshot and try to
> build a test kernel for you tomorrow; if you believe it likely my /cvs
> repo is ok. If you think it likely that my repo is corrupt, I will
> remove it and reinstall a local repo from scratch before trying to
> build a test kernel for you.

I think at this point the best thing to do is simply update to a newer
snapshot and try reposync again. (Update is fine, no need to reinstall).
No need to build a kernel.

If there is still a failure then adjust permissions or group membership
so you can write to /usr/obj (there are various methods that will work),
and confirm that it works with a build of ssh fresh from cvs. But if I got
my testing right then I think this is now working.




Re: reposync:host key verification failed

2021-06-06 Thread Stuart Henderson
There are some diffs in ssh in snapshots, please try building ssh from
source rather than snapshot and see if it fixes things,

$ cd /usr/src/usr.bin/ssh
$ cvs up
$ make obj
$ make
$ doas make install


On 2021-06-06, Avon Robertson  wrote:
> Hello misc@,
> I have used a shell script containing the following statements since the
> 20th January 2021. It has executed without error until recently. The
> last error free execution was on the 30th May.
>
> #!/bin/ksh
> logfile="$HOME/var/log/updcvs"
> printf "\n$(date)\n" >> $logfile
> printf "Call reposync to update local /cvs repository\nOutput is logged to $logfile\n"
> doas -u cvs /usr/local/bin/reposync rsync://anoncvs.au.openbsd.org/cvs /cvs 2>&1 | /usr/bin/tee -a $logfile
> exit $?
>
> Using a previous snapshot, reposync began to report failures as shown in
> my log, on:
> Mon May 31 20:07:02 NZST 2021
> reposync: host key verification failed - see
> /var/db/reposync/known_hosts
>
> The same error was then recorded in my log on the 3rd, 4th, 5th, and
> 6th of June. The above known_hosts file does not exist on this machine.
> The FILES section of reposync(1) I have interpreted as meaning that the
> above known_hosts file, is not needed when the official keys exist in
> file /usr/local/share/reposync/ssh_known_hosts which they do on this
> machine.
>
> Hints as to where the problem is would be very appreciated. I have
> included a dmesg output on the off chance it will contain useful
> information.
>
> Regards Avon.
>
> OpenBSD 6.9-current (GENERIC.MP) #54: Sat Jun  5 09:41:12 MDT 2021
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 68647477248 (65467MB)
> avail mem = 66551521280 (63468MB)
> random: good seed from bootblocks
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xe8980 (59 entries)
> bios0: vendor American Megatrends Inc. version "F2" date 03/14/2018
> bios0: Gigabyte Technology Co., Ltd. X470 AORUS ULTRA GAMING
> acpi0 at bios0: ACPI 6.0
> acpi0: sleep states S0 S3 S4 S5
> acpi0: tables DSDT FACP APIC FPDT FIDT SSDT SSDT CRAT CDIT SSDT MCFG HPET 
> SSDT UEFI BGRT IVRS SSDT SSDT WSMT
> acpi0: wakeup devices GPP0(S4) GPP1(S4) GPP3(S4) GPP4(S4) GPP5(S4) GPP6(S4) 
> GPP7(S4) GPP8(S4) GPP9(S4) GPPA(S4) GPPB(S4) GPPC(S4) GPPD(S4) GPPE(S4) 
> GPPF(S4) GP17(S4) [...]
> acpitimer0 at acpi0: 3579545 Hz, 32 bits
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: AMD Ryzen 7 2700X Eight-Core Processor, 3700.63 MHz, 17-08-02
> cpu0: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,SKINIT,TCE,TOPEXT,CPCTR,DBKP,PCTRL3,MWAITX,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,RDSEED,ADX,SMAP,CLFLUSHOPT,SHA,IBPB,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
> cpu0: 64KB 64b/line 4-way I-cache, 32KB 64b/line 8-way D-cache, 512KB 
> 64b/line 8-way L2 cache
> cpu0: ITLB 64 4KB entries fully associative, 64 4MB entries fully associative
> cpu0: DTLB 64 4KB entries fully associative, 64 4MB entries fully associative
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
> cpu0: apic clock running at 100MHz
> cpu0: mwait min=64, max=64, IBE
> cpu1 at mainbus0: apid 1 (application processor)
> cpu1: AMD Ryzen 7 2700X Eight-Core Processor, 3700.01 MHz, 17-08-02
> cpu1: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,SKINIT,TCE,TOPEXT,CPCTR,DBKP,PCTRL3,MWAITX,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,RDSEED,ADX,SMAP,CLFLUSHOPT,SHA,IBPB,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
> cpu1: 64KB 64b/line 4-way I-cache, 32KB 64b/line 8-way D-cache, 512KB 
> 64b/line 8-way L2 cache
> cpu1: ITLB 64 4KB entries fully associative, 64 4MB entries fully associative
> cpu1: DTLB 64 4KB entries fully associative, 64 4MB entries fully associative
> cpu1: smt 0, core 1, package 0
> cpu2 at mainbus0: apid 2 (application processor)
> cpu2: AMD Ryzen 7 2700X Eight-Core Processor, 3700.02 MHz, 17-08-02
> cpu2: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,MWAIT,SSSE3,FMA3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,NXE,MMXX,FFXSR,PAGE1GB,RDTSCP,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,OSVW,SKINIT,TCE,TOPEXT,CPCTR,DBKP,PCTRL3,MWAITX,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,RDSEED,ADX,SMAP,CLFLUSHOPT,SHA,IBPB,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
> cpu2: 64KB 64b/line 4-way I-cache, 32KB 64b/line 8-way D-cache, 512KB 
> 64b/line 8-way L2 cache
> cpu2: ITLB 64 4KB entries fully associative, 64 4MB 

Re: pflow on PE router

2021-06-06 Thread Stuart Henderson
On 2021-06-06, Patrick Dohman  wrote:
> Perhaps it has something to do with Citrix being a dinosaur.
> God forbid the powers that be choose on premise unix.
> Regards
> Patrick

Your message doesn't appear to relate in any way to the message to which you're 
replying.


>> On Jun 4, 2021, at 6:43 AM, Stuart Henderson  wrote:
>> 
>> On 2021/06/03 15:04, Chris Cappuccio wrote:
>>> Stuart Henderson [s...@spacehopper.org] wrote:
>>>> 
>>>> Oh watch out with sloppy. Keep an eye on your state table size.
>>> 
>>> Really? Wouldn't sloppy keep the state table smaller if anything since it's 
>>> tracking less specifically?
>>> 
>>> Anyways I use sloppy across four boxes that run in parallel with pfsync. 
>>> There could easily be 10,000 devices behind it at any given time. I keep my 
>>> state table limit at 1,000,000. It's around 300,000 during this lighter 
>>> traffic period today. I had to do sloppy after moving to several boxes in 
>>> parallel, I didn't notice sloppy making any significant difference?
>>> 
>>> Chris
>> 
>> The problem I had was in conjunction with synfloods. I didn't get
>> captures for everything to figure it out (it was in 2018 and my
>> network was in flames, with the full state table bgp sessions were
>> getting dropped / not reestablishing) but I think what happened was
>> this,
>> 
>> spoofed SYN to real server behind PF
>> SYN+ACK from server
>> 
>> and the state entry ended up as ESTABLISHED:ESTABLISHED where it
>> remained until the tcp.established timer expired (24h default
>> or 5h with "set optimization aggressive").
>> 
>> My "fix" was to move as much as possible to "pass XX flags any no state"
>> but that's clearly not going to help with what Denis would like to do.
>> (fwiw - I'm not doing flow monitoring regularly, but when I do it's
>> usually via sflow on switches instead, which solves some problems,
>> though it's only possible in some situations).
>> 
>
>



Re: pflow on PE router

2021-06-04 Thread Stuart Henderson
On 2021/06/03 15:04, Chris Cappuccio wrote:
> Stuart Henderson [s...@spacehopper.org] wrote:
> > 
> > Oh watch out with sloppy. Keep an eye on your state table size.
> 
> Really? Wouldn't sloppy keep the state table smaller if anything since it's 
> tracking less specifically?
> 
> Anyways I use sloppy across four boxes that run in parallel with pfsync. 
> There could easily be 10,000 devices behind it at any given time. I keep my 
> state table limit at 1,000,000. It's around 300,000 during this lighter 
> traffic period today. I had to do sloppy after moving to several boxes in 
> parallel, I didn't notice sloppy making any significant difference?
> 
> Chris

The problem I had was in conjunction with synfloods. I didn't get
captures for everything to figure it out (it was in 2018 and my
network was in flames, with the full state table bgp sessions were
getting dropped / not reestablishing) but I think what happened was
this,

 spoofed SYN to real server behind PF
 SYN+ACK from server

and the state entry ended up as ESTABLISHED:ESTABLISHED where it
remained until the tcp.established timer expired (24h default
or 5h with "set optimization aggressive").

My "fix" was to move as much as possible to "pass XX flags any no state"
but that's clearly not going to help with what Denis would like to do.
(fwiw - I'm not doing flow monitoring regularly, but when I do it's
usually via sflow on switches instead, which solves some problems,
though it's only possible in some situations).
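To make the trade-off above concrete, here is an added pf.conf fragment (an example written for this page, not configuration from the thread). It assumes em0 is the external interface, 203.0.113.10 is a web server behind the firewall and a pflow(4) interface is already configured; all three are assumptions. It puts the three approaches discussed in the thread side by side, and bounds how long a state that got stuck in ESTABLISHED:ESTABLISHED can survive.

```pf
# Added example, not from the original thread. Assumed layout:
#   em0 = Internet-facing interface, web server 203.0.113.10 behind it,
#   pflow0 already configured for export.
ext_if = "em0"
web    = "203.0.113.10"

# Limit what a synflood can do to the state table. A sloppy state that
# ended up ESTABLISHED:ESTABLISHED otherwise sits there for tcp.established
# (24h by default, 5h with "set optimization aggressive"); cap it lower.
set limit states 1000000
set optimization aggressive
set timeout tcp.established 3600

# The global form from the thread would be "set state-defaults pflow, sloppy";
# the per-rule form below makes it explicit where each choice applies.

# (a) Strict tracking plus pflow export: pf checks sequence numbers, so a
#     spoofed SYN followed by the server's SYN+ACK does not complete a
#     state. Only works where both directions pass the same box.
pass in on $ext_if proto tcp to $web port 80 keep state (pflow)

# (b) Sloppy tracking plus pflow: survives asymmetric paths across boxes
#     running pfsync, but a spoofed SYN plus the server's SYN+ACK is now
#     enough to create an established state with nobody behind it.
pass in on $ext_if proto tcp to $web port 8080 keep state (sloppy, pflow)

# (c) The workaround from the thread for the most exposed service: no
#     state at all, so nothing can pile up, but also no pflow record.
#     "flags any" is required, otherwise only SYN packets would match.
pass in  quick on $ext_if proto tcp to   $web port 443 flags any no state
pass out quick on $ext_if proto tcp from $web port 443 flags any no state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and watch `pfctl -si` (the "current entries" counter) during a flood to see which of the three is actually holding the state table.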



Re: Mute, FnLock keyboard LEDs don't work

2021-06-04 Thread Stuart Henderson
On 2021-06-03, Subhaditya Nath  wrote:
> Hi
>
> I have noticed that the Speaker Mute LED and the FnLock LED doesn't work on my
> Thinkpad E495.
>
>
> Behaviour of Speaker mute button -
> ---
> When pressed, it toggles the output.mute parameter in sndioctl.
> The sound is muted/unmuted.
> The LED doesn't light up in either case.
>
>
> Behaviour of FnLock button -
> -
> (I am not aware of any command to toggle FnLock from the command line)
> When pressed, it toggles the state of FnLock. (ie. the button is working)
> The LED doesn't normally light up. But, if the laptop resumes from sleep with
> FnLock enabled, then the FnLock LED lights up. But, it doesn't turn off until
> the next sleep-resume cycle.
>
> ie. effectively, the FnLock LED does work, but it is not getting refreshed. It
> only gets refreshed when the laptop is sleep and then resume.
> (Sorry for my bad english)
>
> The "refresh" issue of FnLock LED was also persistent in the Linux kernel 
> till a
> few months ago. It was resolved only recently. See this -
>   https://bugzilla.kernel.org/show_bug.cgi?id=207841
>
>
>
> How can these issues be fixed?
>
>

I believe this is a firmware bug.

Untested (I don't have hardware) but from the comments in the kernel.org
bug ticket and other related discussion something like this might do the
trick for fnlock. Seems like it should be safe for older thinkpads too.

I wonder if running GMKS may possibly also update the speaker mute led
too, if so it could be called from the relevant code for that too.

Index: sys/dev/acpi/acpithinkpad.c
===
RCS file: /cvs/src/sys/dev/acpi/acpithinkpad.c,v
retrieving revision 1.68
diff -u -p -r1.68 acpithinkpad.c
--- sys/dev/acpi/acpithinkpad.c 31 Dec 2019 01:38:33 -  1.68
+++ sys/dev/acpi/acpithinkpad.c 4 Jun 2021 10:06:38 -
@@ -166,6 +166,7 @@ int thinkpad_brightness_up(struct acpith
 intthinkpad_brightness_down(struct acpithinkpad_softc *);
 intthinkpad_adaptive_change(struct acpithinkpad_softc *);
 intthinkpad_activate(struct device *, int);
+intthinkpad_get_mediakey_status(struct acpithinkpad_softc *);
 
 /* wscons hook functions */
 void   thinkpad_get_thinklight(struct acpithinkpad_softc *);
@@ -465,6 +466,10 @@ thinkpad_hotkey(struct aml_node *node, i
sc->sc_sens[THINKPAD_SENSOR_PORTREPL].status = 
SENSOR_S_OK;
break;
+   case THINKPAD_BUTTON_FN_TOGGLE:
+   /* force status led to update */
+   thinkpad_get_mediakey_status(sc);
+   break;
default:
/* unknown or boring event */
DPRINTF(("%s: unhandled event 0x%03llx\n", DEVNAME(sc),
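Review bot: the return value of thinkpad_get_mediakey_status() is discarded in the new THINKPAD_BUTTON_FN_TOGGLE case, so on a ThinkPad whose DSDT has no GMKS method the evaluation fails silently and the "safe for older thinkpads" assumption stated above can never be confirmed from a running system. Since the driver already uses DPRINTF for unhandled events two lines below, consider something like `if (thinkpad_get_mediakey_status(sc)) DPRINTF(("%s: GMKS failed\n", DEVNAME(sc)));` so a tester with hardware can tell whether the method was found.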
@@ -642,6 +647,18 @@ thinkpad_activate(struct device *self, i
break;
}
return (0);
+}
+
+int
+thinkpad_get_mediakey_status(struct acpithinkpad_softc *sc)
+{
+   int ret;
+   int64_t res;
+
+   ret = aml_evalinteger(sc->sc_acpi, sc->sc_devnode, "GMKS", 0, NULL,
+   );
+
+   return ret;
 }
 
 void
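Review bot: in thinkpad_get_mediakey_status() the local `res` is declared and filled by aml_evalinteger() but never read, and `ret` is only passed through, so the function neither reports nor uses the status its name promises; either return aml_evalinteger()'s result directly and drop `res`, or log `res` under DPRINTF so the LED state can be compared with what the firmware reports. Also note that in the hunk as shown the call ends with `NULL,` on one line and `);` on the next, so the final output-pointer argument (the one that would fill `res`) appears to have been lost in transit; make sure the diff applies cleanly before testing.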




Re: gaming extensions to the kernel

2021-06-04 Thread Stuart Henderson
On 2021-06-04, Alessandro Pistocchi  wrote:
> I have managed to create some exciting, gaming-specific extensions to
> the OpenBSD kernel, specifically for an arm64 raspberry pi 4.
>
> I would like to turn this into a product that people enjoy if possible
> and I would be happy to make something that benefits the OpenBSD
> community as well somehow. I am enjoying working on OpenBSD and am
> genuinely happy to give something back if I can.
>
> I started a discussion on other channels about this and got quite a
> bit of resistance, mainly because I wasn't planning to send diffs for
> what I am doing.
>
> My reasoning for not sending them is that the changes I made could
> create security issues for ordinary users, and I think that it would
> be a nightmare to maintain only to be able to play smoother games on a
> single platform, which in the grand scheme of things is quite small.
>
> To give you an idea, I am giving exclusive access to 3 out of 4 cpu
> cores to a game and I give the game quite a few pages of contiguous
> memory for the framebuffer. I give all that back to openbsd when the
> game ends. OpenBSD cannot interrupt the game on those 3 cores, it can
> only kill the game if needed. That's not stuff that should go into the
> official kernel, right?

Seems unlikely.

> What I was thinking was more like "I go on and try to make and sell my
> product and when I make money I donate a percentage of the profits to
> the OpenBSD Foundation".
>
> Is that acceptable? Or alternatively, what is the "right" way of doing
> something like that?

I don't think there's any issue with that. The license on the code is
deliberately non-restrictive. No requirement to make a donation but that
certainly would be a nice thing to do.




Re: pf, relayd, TCP keep alive and NAT, oh my!

2021-06-02 Thread Stuart Henderson
On 2021-06-02, Cameron Simpson  wrote:
> On 01Jun2021 20:43, Stuart Henderson  wrote:
>>On 2021-06-01, Cameron Simpson  wrote:
>>> If I had TCP keep alive turned on, both ends might tidy themselves up.
>>> I can't enable that on the clients (various mail readers) or,
>>> apparently, on the server configuration. I can't do it in PF because PF
>>> just copies packets. I can't seem to do it in relayd either, though that
>>> seems the obvious way to intercept the connection for this purpose.
>>
>>It looks like courier-imap does enable SO_KEEPALIVE if available.
>
> Hmm. Ok. I wonder how recent that is? I have 5.0.6 IIRC, and current is 
> 5.1.something.

A long time - it was there in the initial git commit when the files were
imported from svn, certainly before 5.0.6. 

https://github.com/svarshavchik/courier-libs/blame/142f42378608e593eb36ceb33895db99948427aa/tcpd/tcpd.c#L1238

>>$ grep . /proc/sys/net/ipv4/tcp_keepalive_*
>>/proc/sys/net/ipv4/tcp_keepalive_intvl:75
>>/proc/sys/net/ipv4/tcp_keepalive_probes:9
>>/proc/sys/net/ipv4/tcp_keepalive_time:7200
>>
>>7200s (2h) initially, then every 75 seconds. (OpenBSD default times are
>>long too; 14400 "slowhz" intervals = also 2h).
>
> Ah. A long time indeed. Yes, winding these down will help - the above 
> times are in the same magnitude as the time required to hit the 
> connection limits.

Yes - set in the days before stateful firewalls and NAT devices with limited
memory were more common, so the only thing they really needed to
protect against was connections building up from clients that had
crashed/powered off or with some broken network paths.




Re: pf questions

2021-06-01 Thread Stuart Henderson
On 2021-05-30, Dave Anderson  wrote:
> I’m setting up on 6.9-release a (for now) IPv4-only firewall with multiple 
> public addresses and multiple subnets behind it, and have a couple of 
> questions related to connections originating from the firewall itself to 
> which I haven’t found definitive answers.
>
> When not overridden (for example, by ‘ftp-proxy -a ’) which of the 
> public addresses will be chosen as the source address for connections to the 
> Internet originating on the firewall? It would make sense to me for the one 
> address not declared as an alias to always be chosen, but I haven’t found 
> anything that states this to be true. I want to (for example) keep traffic 
> from systems I control separate from that from the WiFi subnet (which I’ll 
> NAT to a different public address).

The interface address associated with the route used to reach the
destination. See "if address" in "route -n get $IP".

> I plan to use tags to control policy, initially tagging each new connection 
> based mostly (but not entirely) on which interface it arrives through. But, 
> unless I’m missing something, connections originating on the firewall can’t 
> be tagged this way since they don’t arrive through any interface. Which also 
> seems to mean that all policy decisions must be made outbound, since that’s 
> the only time that connections originating on the firewall will pass through 
> an interface. And I haven’t found any way of filtering on untagged 
> connections (something like ‘! tagged any’ would be nice). I’m sure that my 
> setup isn’t unique, so there must be a good way of dealing with this, but 
> I’ve no idea what it might be. Suggestions, please!

You might find "!received-on any" useful to allow a rule to match only
locally originated connections. I guess you could do something like
"match !received-on any tag local" if you want to attach a tag to those.
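The tagging approach described above, as an added pf.conf example that is not part of the original thread. It assumes em0 is the external interface carrying two public addresses (198.51.100.10 as the primary address, 198.51.100.11 as an alias used only for the WiFi NAT), em1 is the LAN with controlled hosts and em2 is the WiFi subnet; all of these names and addresses are assumptions. Tags are attached on the inbound interface, locally originated connections get their own tag via "! received-on any", and every policy decision is then made outbound, where each flow passes exactly once.

```pf
# Added example, not from the original thread. Assumed layout:
#   em0 = external, primary address 198.51.100.10, alias 198.51.100.11
#   em1 = LAN with hosts you control, em2 = WiFi subnet
ext_if   = "em0"
lan_if   = "em1"
wifi_if  = "em2"
lan_pub  = "198.51.100.10"   # primary (non-alias) address on em0
wifi_pub = "198.51.100.11"   # alias on em0, used only for WiFi NAT

set skip on lo

# Tag at the point of entry: the interface a new connection arrives on.
match in on $lan_if  tag LAN
match in on $wifi_if tag WIFI

# Connections the firewall itself opens never arrive on an interface,
# so "! received-on any" is the way to single them out and tag them.
match ! received-on any tag LOCAL

# Policy and NAT decided outbound. Without nat-to, a locally originated
# connection leaves with the address of the route's interface, i.e. the
# primary address here (compare "route -n get $IP").
match out on $ext_if tagged WIFI nat-to $wifi_pub
match out on $ext_if tagged LAN  nat-to $lan_pub

block log all
pass out on $ext_if tagged LOCAL
pass out on $ext_if tagged LAN
pass out on $ext_if tagged WIFI proto { tcp udp } to any port { 53 80 443 }
pass in  on $lan_if  from $lan_if:network
pass in  on $wifi_if from $wifi_if:network
```

`pfctl -nf /etc/pf.conf` checks the syntax, and `pfctl -vvsr` shows the loaded rules with their tags so you can confirm which rule a flow from the firewall itself ends up matching.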




Re: pflow on PE router

2021-06-01 Thread Stuart Henderson
On 2021-05-30, Denis Fondras  wrote:
> Le Fri, May 28, 2021 at 03:30:58PM -0700, Chris Cappuccio a écrit :
>> You might try "set state-defaults pflow, sloppy", also in some scenarios you 
>> might need "set state-policy floating"
>> 
>> If "sloppy" fixes it, there may be some bugs to hunt.
>>
>
> "sloppy" seems to fix the issue. I will do more tests this week before 
> declaring
> victory :)
>
> Thank you Chris.
>
>

Oh watch out with sloppy. Keep an eye on your state table size.



Re: pf, relayd, TCP keep alive and NAT, oh my!

2021-06-01 Thread Stuart Henderson
On 2021-06-01, Cameron Simpson  wrote:
> If I had TCP keep alive turned on, both ends might tidy themselves up.  
> I can't enable that on the clients (various mail readers) or, 
> apparently, on the server configuration. I can't do it in PF because PF 
> just copies packets. I can't seem to do it in relayd either, though that 
> seems the obvious way to intercept the connection for this purpose.

It looks like courier-imap does enable SO_KEEPALIVE if available.
By default, keepalive timers are long; on a random Linux I had handy:

$ grep . /proc/sys/net/ipv4/tcp_keepalive_*
/proc/sys/net/ipv4/tcp_keepalive_intvl:75
/proc/sys/net/ipv4/tcp_keepalive_probes:9
/proc/sys/net/ipv4/tcp_keepalive_time:7200

7200s (2h) initially, then every 75 seconds. (OpenBSD default times are
long too; 14400 "slowhz" intervals = also 2h). 

> Plan B is to build the latest courier-imap from source if I find the 
> time, but there may be no build option for this. I guess a single 
> setsockopt() call in the source would be enough, _if_ that can be done 
> on the accept end, which I haven't checked.

https://tldp.org/HOWTO/TCP-Keepalive-HOWTO/addsupport.html but I don't think
you'll need it.

So you probably just need to lower tcp_keepalive_time, and perhaps adjust
tcp_keepalive_intvl. Note there is a tradeoff especially with mobile
clients; they will need to wake and transmit more often, so faster
keepalives will result in more battery/data use. 

> Plan B0 might be to disable IMAP IDLE support. Hmm.

Depends on timings whether that will help; think it's a last ditch effort
though, I think it will make things noticeably worse for clients.




Re: nc(1) fails the tls handshake when destination ends with a full stop

2021-05-30 Thread Stuart Henderson
On 2021-05-30, Theo Buehler  wrote:
> On Sat, May 29, 2021 at 10:37:18PM -0400, Daniel Jakots wrote:
>> Hi,
>> 
>> $ nc -zvc openbsd.org 443 # works as expected
>> Connection to openbsd.org (129.128.5.194) 443 port [tcp/https] succeeded!
>> TLS handshake negotiated TLSv1.3/AEAD-AES256-GCM-SHA384 with host openbsd.org
>> [...]
>> 
>> $ nc -zvc openbsd.org. 443 # fails
>> Connection to openbsd.org. (129.128.5.194) 443 port [tcp/https] succeeded!
>> nc: tls handshake failed (handshake failed: error:1404B42E:SSL 
>> routines:ST_CONNECT:tlsv1 alert protocol version)
>
> $ nc -cvz -e openbsd.org openbsd.org. 443 # works
>
> Unless -e is given, nc uses 'destination' in its server name indication
> (SNI) extension.  By its specification, (RFC 6066, section 3) the SNI
> does not contain the trailing dot.

Should something (libtls perhaps; ftp(1) is affected too) strip the dot?
curl does handle this.




Re: pf: antispoof with dynamic IP address?

2021-05-23 Thread Stuart Henderson
On 2021-05-22, Mogens Jensen  wrote:
> On Friday, May 21, 2021 8:22 AM, Peter N. M. Hansteen  wrote:
>> quoting pf.conf(5):
>>
>> " The antispoof directive expands to a set of filter rules which will block
>> all traffic with a source IP from the network(s) directly connected to
>> the specified interface(s) from entering the system through any other
>> interface."
>>
>> This means essentially that the sample rules would fail to be effective
>> only if the interface you antispoof for has switched networks. I think
>> that is a relatively rare event for running firewalls and not doing a ruleset
>> reload.
>
> I'm still struggling with understanding why it works, please bear with
> me.
>
> Let's say I'm assigned dynamic IP address 192.0.2.5/24 from my ISP on
> external interface em0.
>
>   antispoof em0 inet
>
> Expands to:
>
>   block drop in on ! em0 inet from 192.0.2.0/24 to any
>   block drop in inet from 192.0.2.5 to any
>
> At some point when the IP lease is renewed, the ISP has assigned an
> address from another block e.g. 203.0.113.21/24. I would now think that
> the block rules created by antispoof are obsolete as they are not
> updated with the new address, but why should it still work without
> interface name in parentheses?
>
> Thanks.
>
> Mogens Jensen
>
>

"egress" is not really useful with antispoof anyway.

antispoof generates a set of rules to block packets with local network
addresses coming in on an unexpected interface (either the wrong
internal interface, or an external interface).

It does not generate rules to stop someone on an internal network
sending packets from another invalid address. For example even
listing all network interfaces in antispoof rules, someone on an
internal network can still send traffic with a source address
of (e.g.) 8.8.8.8.

To prevent that you'll need "block by default / allow specific source"
rules like "pass in on em0 from em0:network" (etc, for each interface),
or "block in from urpf-failed" (which does a dynamic route lookup;
simpler config but slightly higher per-connection overhead).
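To show the difference described above in rule form, here is an added pf.conf fragment (an example written for this page, not from the thread). It assumes em0 is the dynamically addressed external interface and em1 is an internal LAN on 192.0.2.0/24; the interface names and the address block are assumptions. The comments trace what happens to a packet an internal host sends with source 8.8.8.8: antispoof lets it through, either of the two source-validation rules drops it.

```pf
# Added example, not from the original thread. Assumed layout:
#   em0 = external (ISP, dynamic address), em1 = internal LAN 192.0.2.0/24
ext_if = "em0"
int_if = "em1"

# antispoof rules also match packets sent to local addresses over lo,
# so pass lo explicitly (caveat from pf.conf(5)).
set skip on lo

# Expands to roughly:
#   block drop in on ! em1 inet from 192.0.2.0/24 to any
#   block drop in inet from 192.0.2.1 to any
# i.e. it only stops em1's own network showing up on another interface.
# A packet from 8.8.8.8 arriving on em1 is NOT touched by this.
antispoof quick for $int_if inet

block all

# Option 1: reverse-path check. The 8.8.8.8 packet arriving on em1 is
# dropped because the route back to 8.8.8.8 does not point at em1.
# Costs one route lookup per new connection; no per-interface config.
block in quick from urpf-failed label "urpf"

# Option 2: static allow-list per interface, one rule per interface.
# em1:network is expanded at load time, which is fine for a static LAN;
# for the dynamic external interface use the parenthesised form.
pass in  on $int_if inet from $int_if:network to any
pass out on $ext_if inet from ($ext_if)      to any
pass out on $int_if inet from any            to $int_if:network
```

`pfctl -nf /etc/pf.conf` validates the file, and `pfctl -sr` shows the rules the antispoof line expanded to so you can see exactly which networks it covers.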




Re: Relayd TLS inspection and SNI

2021-05-21 Thread Stuart Henderson
On 2021-05-21, Martin  wrote:
> Hi,
>
> MITM is an ancient attack technique and it is not a good idea because it 
> breaks original cert chain. So client (application) will see that cert is 
> different on its end. Most people and apps reject connection to a resource 
> with fake cert which you're going to send to them.

This is about providing monitored/filtered internet access to systems
that are particularly configured to use it. The way this works is that
you install the MITM-signing certificate on the machines accessing the
web via that proxy. Typically in that case browsers automatically
disable certificate pinning if the cert is signed by a locally
administered CA.

> But you can use Squid for MITM as Stuart recommended, from my side
> HaProxy/Nginx can help you too to do this. For SNI Snort/Suricata can be
> useful but for TLS up to v1.2 only.
>
> Sniffing the traffic that way is a bad idea, most of services uses
> TLSv1.3 with encrypted SNI. So your work will disappear in months.

There aren't many services which require TLSv1.3 with encrypted SNI
yet, so the interception proxy can restrict to TLS 1.2 to bypass this.




Re: Relayd TLS inspection and SNI

2021-05-21 Thread Stuart Henderson
On 2021-05-18, BS Daemon  wrote:
>I like using the base OpenBSD utilities, and was
> wondering if I'm doing something wrong, if relayd could be made to
> support SNI for man-in-the-middle, or if there is an alternative
> tool for doing this which would work.

I can't help with relayd, but this does work with squid (and you can
filter on user-agent in ACLs).




Re: Kernel debugging without serial port?

2021-05-19 Thread Stuart Henderson
On 2021-05-19, Brennan Vincent  wrote:
> Hello,
>
> I have an x86_64 PC with no serial port - is it possible to run ddb 
> remotely via a PCI-express or USB serial port adapter? Or does it only 
> work on an actual motherboard serial port connection?

It is sometimes possible via PCIE but you will need to set the io base
address of the serial port manually with the "machine comaddr" boot
loader command. And I think there are some cases where this doesn't
work.

> If not, how do most kernel developers do their development work? In VMs, 
> or on older hardware that actually does have a real serial port?:

Various methods but machines with 'real' serial ports are definitely
commonly used and sought after. Servers with serial-over-lan are
sometimes used, as are standard consoles (ideally with important
information transcribed when passing to others; screenshots maybe as
a backup or for more detailed information).




Re: OpenBSD 6.9 and PHP version

2021-05-18 Thread Stuart Henderson
On 2021-05-18, Steve Williams  wrote:
> Hi,
>
> When I upgraded to OpenBSD 6.9 then did the pkg_add -u, I got 
> php-php-7.4.18 installed.
>
> How do I know if it's "safe" to delete the old php-7.3.28 and all the 
> associated modules?
>
> I know I'll have to migrate my ".ini" file changes to the new version 
> for both php and php_fpm, but other than that, how do I figure out if 
> anything is still calling 7.3?
>
> I have a simple build, roundcubemail, piwigo, nextcloud and a few others.
>
> Thanks,
> Steve W.
>
>

Roundcube and nextcloud are ok with 7.4. No idea about piwigo.



Re: Packages/libraries in disarray after sysupgrade

2021-05-14 Thread Stuart Henderson
On 2021-05-14, Marc Espie  wrote:
> On Thu, May 13, 2021 at 10:47:11PM +, tetrahe...@danwin1210.me wrote:
>> After upgrading 6.8->6.9 (stable, not current) using sysupgrade, I am
>> finding it not possible to install packages via pkg_add
>> 
>> When I try to install something, I get a series of errors like "> dependency library name>: bad major" or ": minor is too
>> small"
>> 
>> I am assuming I need to be installing new packages with `pkg_add -U` to
>> update the dependencies as needed. However, the manpage suggests this is not
>> desirable.
>
> Sometimes, base snapshots and package snapshots are slightly out of synch.
> This is what happened (rapid bumps to the crypto parts in base).

Not in -stable though..




Re: Editing boot.conf to set tty to fb0 in miniroot69.img

2021-05-11 Thread Stuart Henderson
On 2021-05-11, Paul W. Rankin  wrote:
> Hello,
>
> I am trying to install OpenBSD on a Raspberry Pi 4B without the 
> assistance of the serial console. The Pi firmware is set to boot from 
> USB. I have arm64 miniroot69 on a USB and the system boots; I see the 
> "BOOT>" prompt, but my USB keyboard does not appear to be recognised at 
> this point in boot, so I cannot interrupt and set tty to fb0. The boot 
> then proceeds to the serial console (i.e. blank screen).
>
> The thought occurred that it may be possible to change boot.conf in the 
> miniroot69 image to set tty to fb0 but so far my attempts have been 
> unsuccessful. I have tried...
>
> ...on my macOS system, I tried many variations of the following without 
> success:
>
> # qemu-system-aarch64 -machine raspi3 -hda /dev/disk2
> # qemu-system-aarch64 -machine virt -hda /dev/disk2
> # qemu-system-aarch64 -machine raspi3 -drive 
> file=miniroot69.img,format=raw
> # qemu-system-aarch64 -machine virt -drive file=/dev/disk2,format=raw
>
> The qemu system just presents a blank screen. Nothing on serial or 
> parallel screens.
>
> ...on my OpenBSD server, I tried mounting the miniroot69.img and 
> altering boot.conf directly:
>
> # vnconfig vnd0 miniroot69.img
> # mount /dev/vnd0a /mnt
>
> But this just presents:
>
> # ls -1
> bsd
> bsd.rd
>
> Does anyone have any suggestion of how I might achieve editing boot.conf 
> on the miniroot69 image or otherwise how to boot the Raspberry Pi 4B 
> into fb0?

That would go on the booted disk, not inside the ramdisk kernel, so

cd /mnt
mkdir etc
echo set tty fb0 > etc/boot.conf

Pretty sure I tested that scenario and it worked without boot.conf
though I'm not sure if it was with the pftf firmware or U-Boot.




Re: 'python3.8 setup.py install' gets 'ZIP does not support timestamps before 1980' at OpenBSD 6.9

2021-05-11 Thread Stuart Henderson
On 2021-05-10, Roger Marsh  wrote:
> After upgrading to OpenBSD 6.9 'ValueError: ZIP does not support timestamps 
> before 1980' exceptions started occuring when installing python packages by:
>
> 'python3.8 setup.py install --user' where the package was built by:
>
> 'python3.8 setup.py sdist --formats gztar' and extracted from the archive on 
> OpenBSD 6.9 by:
>
> 'tar xzf *.tar.gz'.

Python-created tars started storing timestamps in nanoseconds via pax
extension headers which tar in base doesn't handle. You'll need to use
another program to extract them for now; gtar works.



Re: Not possible to sysupgrade via snapshots right now?

2021-05-11 Thread Stuart Henderson
On 2021-05-09, Scott Vanderbilt  wrote:
> On 5/9/2021 4:04 AM, Stuart Henderson wrote:
>> On 2021-05-08, Scott Vanderbilt  wrote:
>>> Apologies if this is a question to which there is an obvious answer, but
>>> I could not find one in the sysupgrade man page, in the FAQ, or by Googling.
>>>
>>> Is it not possible to do a sysupgrade from 6.9-current to latest using
>>> snapshots at the moment? When I try, I get the following response from
>>> sysupgrade:
>> 
>> This can only have happened if you were running a "6.9" kernel and
>> not "6.9-current". You might still have the boot messages to confirm;
>> zgrep OpenBSD /var/log/messages*
>> 
>
> I can assure you with absolute certainty that this machine in question 
> was running 6.9-current prior to the attempt to run sysupgrade.

Can you have a look at the shell script which is /usr/sbin/sysupgrade and
see if you can figure out how? It doesn't seem possible to me (unless you're
doing something you didn't mention, like using sysupgrade -r).

> Is it possibly relevant that the upgrade files were "cached" to a host 
> on my LAN before the sysupgrade? I typically download all the upgrade 
> files to a local machine and sysupgrade that machine first. Then for two 
> other machines on my network, I sysupgrade with /etc/installurl pointing 
> to my local server. I do this to prevent multiple downloads from the 
> OpenBSD servers.

That's not a problem as long as the normal directory structure is used.

> Might having SHA256.sig come from one location while the other upgrade 
> files come from a second location possibly confuse sysupgrade?

If SHA256.sig doesn't match the signature of the other files in the
directory then it won't run the update, same as if a snapshot is only
partially updated on a mirror server (which happens sometimes).




Re: Not possible to sysupgrade via snapshots right now?

2021-05-09 Thread Stuart Henderson
On 2021-05-08, Scott Vanderbilt  wrote:
> Apologies if this is a question to which there is an obvious answer, but 
> I could not find one in the sysupgrade man page, in the FAQ, or by Googling.
>
> Is it not possible to do a sysupgrade from 6.9-current to latest using 
> snapshots at the moment? When I try, I get the following response from 
> sysupgrade:

This can only have happened if you were running a "6.9" kernel and
not "6.9-current". You might still have the boot messages to confirm;
zgrep OpenBSD /var/log/messages* 




Re: openssl cms -encrypt does not work with EC key/cert

2021-05-08 Thread Stuart Henderson
On 2021-05-08, Theodore Wynnychenko  wrote:
>
> Hello again:
>
> I am re-posting this message with additional information..
> While I have no expectation that there will be any reply, I am hopeful there
> may be.

Confirmed, and it also fails with OpenSSL 1.0.2u, but succeeds with
1.1.1k. I think perhaps this is just something that has been added
to newer OpenSSL but not added to LibreSSL yet.




Re: pf ipv6 source-routing 6.9

2021-05-08 Thread Stuart Henderson
On 2021-05-08, Bastien Durel  wrote:
> Le 08/05/2021 à 10:58, Stuart Henderson a écrit :
>> On 2021-05-08, Bastien Durel  wrote:
>>> Le 07/05/2021 à 22:50, Stuart Henderson a écrit :
>>>> On 2021-05-07, Bastien Durel  wrote:
>>>>> Hello,
>>>>>
>>>>> I have multiple ISPs plugged on my OpenBSD box, each one providing its
>>>>> IPv6 address space.
>>>>>
>>>>> I used to route outgoing streams with :
>>>>>
>>>>> net2_if = pppoe0
>>>>> ovh_v6_router = "(" $net2_if fe80::230:88ff:fe04:63c9 ")"
>>>>> ovh_v6_prefix = "2001:41d0:fe4b:ec00::0/56"
>>>>> table  const { $ovh_v6_prefix, $free_v6_prefix, 
>>>>> $ripe_v6_prefix }
>>>>> pass out on $net_if from $ovh_v6_prefix to ! route-to 
>>>>> $ovh_v6_router
>>>>> pass out on $tun_ifs from $ovh_v6_prefix to ! route-to 
>>>>> $ovh_v6_router
>>>>
>>>> This is no longer valid syntax for route-to. Check the 6.9 upgrade notes.
>>>>
>>>>
>>> I read the upgrade note, but there is nothing about IPv6 LL addresses
>>>
>>> As said in my previous e-mail :
>>>> I replaced ovh_v6_router by fe80::230:88ff:fe04:63c9%pppoe0
>> 
>> Does it work if you use the syntax suggested in the upgrade notes
>> for the example with "pass in on pppoe1 reply-to ..."?
>> 
>> 
> For incoming connections, I tried
>
> pass in on pppoe0 inet6 reply-to fe80::520f:80ff:fe65:8800%pppoe0 keep state
> pass in on pppoe0 inet6 reply-to fe80::520f:80ff:fe65:8800 keep state

Those aren't exactly expected to work (I don't think pf really
handles link locals)...

> pass in on pppoe0 inet6 reply-to (pppoe0:peer) keep state

...but I was hoping that this would (and it might possibly be a bug
that it doesn't).

>
> none of these worked
>



Re: pf ipv6 source-routing 6.9

2021-05-08 Thread Stuart Henderson
On 2021-05-08, Bastien Durel  wrote:
> Le 07/05/2021 à 22:50, Stuart Henderson a écrit :
>> On 2021-05-07, Bastien Durel  wrote:
>>> Hello,
>>>
>>> I have multiple ISPs plugged on my OpenBSD box, each one providing its
>>> IPv6 address space.
>>>
>>> I used to route outgoing streams with :
>>>
>>> net2_if = pppoe0
>>> ovh_v6_router = "(" $net2_if fe80::230:88ff:fe04:63c9 ")"
>>> ovh_v6_prefix = "2001:41d0:fe4b:ec00::0/56"
>>> table  const { $ovh_v6_prefix, $free_v6_prefix, $ripe_v6_prefix }
>>> pass out on $net_if from $ovh_v6_prefix to ! route-to 
>>> $ovh_v6_router
>>> pass out on $tun_ifs from $ovh_v6_prefix to ! route-to 
>>> $ovh_v6_router
>> 
>> This is no longer valid syntax for route-to. Check the 6.9 upgrade notes.
>> 
>> 
> I read the upgrade note, but there is nothing about IPv6 LL addresses
>
> As said in my previous e-mail :
> > I replaced ovh_v6_router by fe80::230:88ff:fe04:63c9%pppoe0

Does it work if you use the syntax suggested in the upgrade notes
for the example with "pass in on pppoe1 reply-to ..."?




Re: Openbsd 6.9 Default gateway

2021-05-08 Thread Stuart Henderson
On 2021-05-07, Irshad Sulaiman  wrote:
> Hi 
> How to set only one default gateway if I have multiple interface , one is 
> in DHCP and other in Static ip 
> I have set /etc/mygate 192.168.100.1 and hostname.em0 (DHCP) and 
> hostname.iwn0 (static 192.168.100.163 255.255.255.0)

Sounds like you want to request an address by DHCP, but ignore the gateway
handed out by the DHCP server; "ignore routers;" in dhclient.conf should
do the trick.




Re: pf ipv6 source-routing 6.9

2021-05-07 Thread Stuart Henderson
On 2021-05-07, Bastien Durel  wrote:
> Hello,
>
> I have multiple ISPs plugged on my OpenBSD box, each one providing its
> IPv6 address space.
>
> I used to route outgoing streams with :
>
> net2_if = pppoe0 
> ovh_v6_router = "(" $net2_if fe80::230:88ff:fe04:63c9 ")"
> ovh_v6_prefix = "2001:41d0:fe4b:ec00::0/56"
> table  const { $ovh_v6_prefix, $free_v6_prefix, $ripe_v6_prefix }
> pass out on $net_if from $ovh_v6_prefix to ! route-to 
> $ovh_v6_router
> pass out on $tun_ifs from $ovh_v6_prefix to ! route-to 
> $ovh_v6_router

This is no longer valid syntax for route-to. Check the 6.9 upgrade notes.




Re: bitcoind out of memory

2021-05-07 Thread Stuart Henderson
On 2021-05-07, yancy ribbens  wrote:
> I'm running 6.8 and trying to run bitcoind (C++), however, I continue to
> receive a core dump while running the application (out of memory).  The
> dmesg file is below.

Always surprises me when people are willing to run things like that as root..

> The application is running as root and I've set datasize-max and
> datasize-cur to infinity in the login.conf daemon section as I suspect the
> core dump is happening because of an upper memory bound enforced by the OS.

Did you logout and back in between updating login.conf and retrying?
(Needs to be a full logout; if you use an ssh persistent connection that
will need to be closed; if you use X that needs to be restarted).
Check what ulimit -a says.

> running the application \time -l twice shows the resident set size each
> time to be:
> 662128
> 650388
>
> I've also observed "top" while running and there is more than 1GB free and
> SWAP is not being used at the time it core dumps (out of memory).

If it requests an allocation which fails, that memory won't be "used" to
show up in top / time -l.

> Is this a problem with a login.conf parameter or something else?
>
> OpenBSD 6.8 (GENERIC.MP) #440: Sun Oct  4 18:33:20 MDT 2020
> dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
...
> cpu0:
> FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,NXE,LONG,LAHF,PERF,SENSOR,MELTDOWN

LONG in the cpu capabilities line means that the hardware can usually run
amd64. That would give you a few hundred MB more physical memory, and much
more available memory address space (and a lot of software is only really
tested on 64-bit archs these days anyway..) So you might possibly like
to try that.
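The point about a failed allocation never showing up in top / time -l can be demonstrated directly. The program below is an added example, not code from the thread or from bitcoind: it lowers the soft RLIMIT_DATA (the limit that login.conf's datasize-cur/datasize-max set on OpenBSD, and which Linux 4.7+ also applies to private anonymous mappings), attempts an allocation larger than that limit, and records the process's maximum resident set size before and after. The 64 MiB cap and 256 MiB request are assumed values chosen for the demo.

```c
/* Added example: an allocation refused by the data-size limit never becomes
 * resident memory, so tools that report RSS show no growth even though the
 * program "ran out of memory". Sizes used here are arbitrary demo values. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/time.h>

struct alloc_probe {
    int  failed;        /* 1 if malloc() returned NULL */
    int  err;           /* errno after the failed call (ENOMEM expected) */
    long rss_before_kb; /* ru_maxrss before the attempt */
    long rss_after_kb;  /* ru_maxrss after the attempt */
};

static long max_rss_kb(void) {
    struct rusage ru;
    getrusage(RUSAGE_SELF, &ru);
    return ru.ru_maxrss;  /* kilobytes on both OpenBSD and Linux */
}

/* Lower the soft data limit to limit_bytes, try to allocate and touch
 * request_bytes, then restore the previous soft limit. */
struct alloc_probe probe_allocation(size_t limit_bytes, size_t request_bytes) {
    struct alloc_probe p = {0};
    struct rlimit saved, tmp;

    getrlimit(RLIMIT_DATA, &saved);
    tmp = saved;
    if (limit_bytes < tmp.rlim_cur)      /* only ever lower the soft limit */
        tmp.rlim_cur = limit_bytes;
    setrlimit(RLIMIT_DATA, &tmp);

    p.rss_before_kb = max_rss_kb();
    errno = 0;
    char *block = malloc(request_bytes);
    if (block == NULL) {
        p.failed = 1;
        p.err = errno;
    } else {
        memset(block, 0xA5, request_bytes);  /* touch the pages so they count toward RSS */
        free(block);
    }
    p.rss_after_kb = max_rss_kb();

    setrlimit(RLIMIT_DATA, &saved);  /* raising the soft limit back up to the hard limit is allowed */
    return p;
}

int main(void) {
    const size_t limit = 64u << 20, request = 256u << 20;  /* 64 MiB cap, 256 MiB request */
    struct alloc_probe p = probe_allocation(limit, request);
    printf("malloc(%zu) %s (errno=%d %s); maxrss %ld KB -> %ld KB\n",
           request, p.failed ? "failed" : "succeeded", p.err, strerror(p.err),
           p.rss_before_kb, p.rss_after_kb);
    return 0;
}
```

Run as an unprivileged user; the failed 256 MiB request leaves maxrss essentially unchanged, whereas a request that fits under the same cap succeeds and is counted once its pages are touched. A long-running daemon that merely retries the failing allocation looks, from top, as if it has plenty of room.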




Re: fighting amplification attack --was: Re: pf: block drop not working

2021-05-07 Thread Stuart Henderson
No this is not possible. UDP is trivially spoofed (which is probably why 
you see the problem in the first place; the source IPs you see on the 
packets are the *victims* not the attacker). Doing this for UDP opens an 
easy DoS of your legitimate clients.


--
 Sent from a phone, apologies for poor formatting.
On 7 May 2021 09:54:58 Axel Rau  wrote:

On 05.05.2021 at 16:20 Stuart Henderson wrote:

This is usually best dealt with in your DNS server software e.g. by using
the rrl-* configuration in NSD, see nsd.conf(5), or "rate-limit" config
section in BIND.

Yes, I have this in place now, but I'm trying to let the fw drop them.
This doesn't seem to work:
udp_inbound_dns_options = 'keep state (max-src-conn-rate 120/60, overload 
 flush global )'

…
pass in quick on $red_if proto udp from any to { $ns4, $ns5 } \
port { domain } tag RED_DMZ $udp_inbound_dns_options label "dns inbound"
Is this not possible with udp?

Axel

---
PGP-Key: CDE74120  ☀  computing @ chaos claudius




Re: Trying to understand/debug caldav vs. httpd issue

2021-05-07 Thread Stuart Henderson
On 2021-05-05, T. Ribbrock  wrote:
> Hi all,
>
> this may be a long shot, but I'm looking for someone who can give me a
> few pointers (if this is better posted to another list, please let me
> know as well).
>
> TL;DR: I am running into issues with a webdav/caldav client
> connecting to a Nextcloud instance running on OpenBSD httpd, so someone
> with a more intimate knowledge of httpd would probably already be a
> great help.

This is not a bad place to ask. Your description is good but anyone
looking into what's up will want to test, so if you could include
the test tools and a description of setup needed to reproduce that
would help. Including the tcpdump traces would help too. Don't worry
about the mail being long.

> Using tcpdump on the test server, I was able to determine some
> differences between the two test clients:
>
> The Perl-client seems to send both http-headers and the XML-body for the
> PROPFIND in one go, gets a 401 response and then re-issues the request
> with authorisation (which then succeeds).
>
> The Qt-client sends the http-headers first in one TCP-segment (I'm not
> too good on terminology...). Once that has happened, httpd already sends
> back the 401 - and *then* the Qt-client sends the XML-body in a second
> TCP-segment, causing the "400 Bad Request" response (I presume because
> httpd is expecting new headers at this point, not a content body).

It makes no difference to the HTTP protocol whether headers and body are
in separate TCP segments, but some software may handle things wrongly.
httpd uses libevent and it wouldn't be the first time libevent-based
software has problems with data in separate TCP segments (I have a
feeling we might have had a problem with ftp-proxy related to this
but can't find any details, perhaps it was never fixed).

> What I am now trying to figure out (and I neither know the relevant
> standards nor httpd well enough to do so) is whether this is something
> weird on the Qt side - or on the OpenBSD/httpd side so I can eventually
> provide input to the right people to hopefully get this fixed at some
> point.

Pretty sure it will be on the httpd side.
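To make the failure mode concrete, here is an added example (not httpd's code, nor anything from the thread) with two minimal HTTP request readers fed the same PROPFIND request. One buffers until both the header block and the Content-Length body have arrived, however many TCP segments that takes; the other answers as soon as the headers end and forgets that a body was announced, so the body arriving in a second segment is parsed as a malformed new request, which matches the 401-then-400 sequence described above. The request itself, its path and host name are constructed for the demo.

```c
/* Added example: incremental HTTP/1.1 request reading, correct vs. eager.
 * Not httpd's implementation; the request below is constructed sample data. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define BUF_MAX 4096

struct reader {
    char   buf[BUF_MAX];
    size_t len;
    int    complete;   /* requests handed up with headers and full body */
    int    errors;     /* chunks rejected as malformed ("400 Bad Request") */
};

static void append(struct reader *r, const char *data, size_t n) {
    if (r->len + n > BUF_MAX) n = BUF_MAX - r->len;   /* demo only: truncate */
    memcpy(r->buf + r->len, data, n);
    r->len += n;
}

/* Offset just past the CRLFCRLF ending the header block, or 0 if incomplete. */
static size_t header_end(const char *buf, size_t len) {
    for (size_t i = 0; i + 3 < len; i++)
        if (memcmp(buf + i, "\r\n\r\n", 4) == 0) return i + 4;
    return 0;
}

/* Content-Length declared in the header block, 0 if absent. */
static size_t content_length(const char *hdr, size_t hlen) {
    const char *p = hdr, *end = hdr + hlen;
    while (p < end) {
        if ((size_t)(end - p) >= 15 && strncasecmp(p, "Content-Length:", 15) == 0)
            return (size_t)strtoul(p + 15, NULL, 10);
        const char *eol = memchr(p, '\n', (size_t)(end - p));
        if (eol == NULL) break;
        p = eol + 1;
    }
    return 0;
}

static int looks_like_request_line(const char *buf, size_t len) {
    size_t i = 0;
    while (i < len && isupper((unsigned char)buf[i])) i++;  /* METHOD token */
    return i > 0 && i < len && buf[i] == ' ';
}

/* Correct behaviour: keep buffering until headers AND the declared body have
 * arrived, then consume exactly that much and look for the next request. */
void buffered_feed(struct reader *r, const char *data, size_t n) {
    append(r, data, n);
    for (;;) {
        size_t hlen = header_end(r->buf, r->len);
        if (hlen == 0) return;                          /* headers incomplete */
        size_t total = hlen + content_length(r->buf, hlen);
        if (r->len < total) return;                     /* body still in flight */
        r->complete++;
        memmove(r->buf, r->buf + total, r->len - total);
        r->len -= total;
    }
}

/* Faulty behaviour: answer as soon as the header block ends and forget that a
 * body was announced, so a body arriving later is parsed as a new request. */
void eager_feed(struct reader *r, const char *data, size_t n) {
    append(r, data, n);
    if (!looks_like_request_line(r->buf, r->len)) {    /* "400 Bad Request" */
        r->errors++;
        r->len = 0;
        return;
    }
    if (header_end(r->buf, r->len) == 0) return;
    r->complete++;
    r->len = 0;
}

struct outcome { int complete; int errors; };

/* Constructed PROPFIND request, delivered in two segments when split != 0. */
struct outcome deliver(void (*feed)(struct reader *, const char *, size_t), int split) {
    static const char body[] =
        "<?xml version=\"1.0\"?><D:propfind xmlns:D=\"DAV:\"><D:allprop/></D:propfind>";
    char hdr[256];
    int hlen = snprintf(hdr, sizeof hdr,
        "PROPFIND /remote.php/dav/ HTTP/1.1\r\nHost: cloud.example.invalid\r\n"
        "Content-Type: application/xml\r\nContent-Length: %zu\r\n\r\n", strlen(body));
    struct reader r = { .len = 0 };
    if (split) {
        feed(&r, hdr, (size_t)hlen);                    /* segment 1: headers only */
        feed(&r, body, strlen(body));                   /* segment 2: the XML body */
    } else {
        char whole[512];
        snprintf(whole, sizeof whole, "%s%s", hdr, body);
        feed(&r, whole, strlen(whole));                 /* everything in one segment */
    }
    return (struct outcome){ r.complete, r.errors };
}

int main(void) {
    struct outcome a = deliver(buffered_feed, 1), b = deliver(eager_feed, 1);
    printf("buffered reader, split request: %d complete, %d errors\n", a.complete, a.errors);
    printf("eager reader, split request:    %d complete, %d errors\n", b.complete, b.errors);
    return 0;
}
```

With the request in one segment both readers behave the same, which is why a client like the Perl one above never triggers the bug; only the split delivery separates them.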




Re: I can’t get veb/vport to work with vmd.

2021-05-07 Thread Stuart Henderson
On 2021-05-06, Luke Small  wrote:
> I got it working. I have a pretty hefty amount of vether0 and
> vether0:network in my pf.conf that I changed to vport0 and vport0:network.
>
> That fixed every single thing!
>
> I somehow completely forgot about all the vether0 pf rules which isolate
> the various local systems so VMs are isolated from being able to do
> anything malicious to any local systems.
>
> I silently redirect the VMs' dns and ntp calls to my OpenBSD services to
> harden them a bit too.
>
> -Luke
>

Make sure you remember you've done this when you try to debug a DNS
problem on the VMs. Recursive and authoritative DNS lookups aren't
interchangeable...

If you want to force a specific DNS server I recommend blocking others,
not silently redirecting.




Re: DHCPd - option capwap (code 138)

2021-05-07 Thread Stuart Henderson
On 2021-05-06, Radek  wrote:
> Hello,
> I want to use dhcpd server to push Wireless Controller's IP address to the 
> APs.
>
> According to this:
> http://systemnetworksecurity.blogspot.com/2013/02/adding-custom-options-in-isc-dhcpds.html
> https://www.secuvera.de/blog/capwap-dhcp-option-138-auf-isc-dhcpd-server-einrichten/
> I need to add *option capwap* to /etc/dhcpd.conf
>
> option capwap code 138 = ip-address; #Custom Option capwap
> option capwap 192.168.1.110; #WLAN-Controller-IP
>
> I can't find the capwap option in dhcp-options(5) in OpenBSD.
> How can I do what I need using other options/configuration? 
> Thanks!

It's a proper RFC protocol so we could add it to dhcpd. Possible
diff below, maybe it should be moved to the named part of
dhcp_option_default_priority too but there are other named options
which aren't listed so I've left that out for now.

CAPWAP is RFC5415, the DHCP option is defined in RFC5417.

Index: dhcp-options.5
===
RCS file: /cvs/src/usr.sbin/dhcpd/dhcp-options.5,v
retrieving revision 1.31
diff -u -p -r1.31 dhcp-options.5
--- dhcp-options.5  8 May 2019 22:00:55 -   1.31
+++ dhcp-options.5  7 May 2021 08:38:48 -
@@ -169,6 +169,13 @@ Some DHCP clients will support it, and o
 This option specifies the broadcast address in use on the client's subnet.
 Legal values for broadcast addresses are specified in section 3.2.1.3 of
 RFC 1122.
+.It Ic option capwap-ac Ar ip-address Oo , Ar ip-address ... Oc ;
+The
+.Ic capwap-ac
+option specifies a list of IP addresses of Wireless Access Controllers.
+These are used by Wireless Termination Points using the Control And
+Provisioning of Wireless Access Points (CAPWAP) protocol, RFC 5415.
+Addresses should be listed in order of preference.
 .It Ic option classless-static-routes Ar cidr ip-address Oo , Ar cidr 
ip-address ... Oc ;
 This option specifies a list of destination networks and the
 associated gateways.
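Review bot: the new capwap-ac entry cites RFC 5415 for CAPWAP itself but not RFC 5417, which is the document that defines DHCP option 138 as carried here; the accompanying message names both, so cite RFC 5417 in this entry as well (for example "Provisioning of Wireless Access Points (CAPWAP) protocol, RFC 5415; the option is defined in RFC 5417.") so readers can find the option's wire format from the man page alone.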
Index: dhcp.h
===
RCS file: /cvs/src/usr.sbin/dhcpd/dhcp.h,v
retrieving revision 1.11
diff -u -p -r1.11 dhcp.h
--- dhcp.h  8 May 2019 22:00:55 -   1.11
+++ dhcp.h  7 May 2021 08:38:48 -
@@ -173,6 +173,7 @@ struct dhcp_packet {
 #define DHO_NDS_CONTEXT87
 #define DHO_DOMAIN_SEARCH  119
 #define DHO_CLASSLESS_STATIC_ROUTES121
+#define DHO_CAPWAP_AC  138
 #define DHO_TFTP_CONFIG_FILE   144
 #define DHO_VOIP_CONFIGURATION_SERVER  150
 #define DHO_CLASSLESS_MS_STATIC_ROUTES 249
Index: tables.c
===
RCS file: /cvs/src/usr.sbin/dhcpd/tables.c,v
retrieving revision 1.14
diff -u -p -r1.14 tables.c
--- tables.c8 May 2019 22:00:55 -   1.14
+++ tables.c7 May 2021 08:38:48 -
@@ -214,7 +214,7 @@ struct option dhcp_options[256] = {
{ "option-135", "X",_universe, 135 },
{ "option-136", "X",_universe, 136 },
{ "option-137", "X",_universe, 137 },
-   { "option-138", "X",_universe, 138 },
+   { "capwap-ac", "lA",_universe, 138 },
{ "option-139", "X",_universe, 139 },
{ "option-140", "X",_universe, 140 },
{ "option-141", "X",_universe, 141 },
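Review bot: replacing the generic `option-138` entry with `capwap-ac` and changing its format from `X` (raw data) to `lA` (list of IP addresses) removes the `option-138` name, so any existing dhcpd.conf that refers to option 138 by that generic name will stop parsing after this change; worth a line in the commit message or upgrade notes. The man page hunk could also show the resulting configuration syntax, `option capwap-ac 192.168.1.110;`, since that is the line the reporter is after.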
@@ -404,6 +404,8 @@ unsigned char dhcp_option_default_priori
DHO_NETBIOS_SCOPE,
DHO_FONT_SERVERS,
DHO_X_DISPLAY_MANAGER,
+   DHO_CAPWAP_AC,
+   DHO_VOIP_CONFIGURATION_SERVER,
DHO_DHCP_PARAMETER_REQUEST_LIST,
DHO_DHCP_USER_CLASS_ID,
DHO_RELAY_AGENT_INFORMATION,/* Should be the last option. */
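Review bot: DHO_VOIP_CONFIGURATION_SERVER is added here alongside DHO_CAPWAP_AC but is unrelated to CAPWAP and is not mentioned in the message above, which in fact says the move into the named part of dhcp_option_default_priority was left out; either split that change into its own diff or describe it, and say in the commit message that both codes (138 and 150) are dropped from the numeric list in the next hunk so that each option still appears exactly once in the array.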
@@ -417,9 +419,9 @@ unsigned char dhcp_option_default_priori
100, 101, 102, 103, 104, 105, 106, 107, 108, 109,
110, 111, 112, 113, 114, 115, 116, 117, 118,
120,  122, 123, 124, 125, 126, 127, 128, 129,
-   130, 131, 132, 133, 134, 135, 136, 137, 138, 139,
+   130, 131, 132, 133, 134, 135, 136, 137,  139,
140, 141, 142, 143, 144, 145, 146, 147, 148, 149,
-   150, 151, 152, 153, 154, 155, 156, 157, 158, 159,
+151, 152, 153, 154, 155, 156, 157, 158, 159,
160, 161, 162, 163, 164, 165, 166, 167, 168, 169,
170, 171, 172, 173, 174, 175, 176, 177, 178, 179,
180, 181, 182, 183, 184, 185, 186, 187, 188, 189,
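Review bot: the two edited lines of the numeric list lose their formatting: `137,  139,` keeps a double space where 138 was removed and `+151, 152, ...` no longer carries the leading indentation of the neighbouring lines; reflow both so they read `130, 131, 132, 133, 134, 135, 136, 137, 139,` and `151, 152, 153, ...` with the usual indent. The removals themselves are consistent with the DHO_CAPWAP_AC and DHO_VOIP_CONFIGURATION_SERVER entries added to the named section in the previous hunk.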



Re: Errors extracting ports and xenocara tarballs

2021-05-06 Thread Stuart Henderson
On 2021-05-06, Chris Zakelj  wrote:
> I'm getting an odd error trying to extract these two tarballs from 
> 6.9-RELEASE on a clean install.  I'm probably missing something obvious 
> but don't know what.  Starting with 
> https://www.openbsd.org/faq/faq5.html, I log in on the console, edit my 
> non-root user, and create the directory structure:
>
> # user mod -G wsrc czakelj
> # cd /usr
> # mkdir -p xenocara ports
> # chgrp wsrc xenocara ports
> # chmod 775 xenocara ports
>
> So far, so good. Next I go to https://www.openbsd.org/anoncvs.html, log 
> in non-root via SSH, and begin extracting:
>
> arcbuild$ cd /usr/src
> arcbuild$ tar xzf /home/czakelj/src.tar.gz
> arcbuild$ tar xzf /home/czakelj/sys.tar.gz
> arcbuild$ cd /usr
> arcbuild$ tar xzf /home/czakelj/ports.tar.gz
> tar: Access/modification time set failed on: ports: Operation not permitted
>
> I also get that same error attempting to extract xenocara.tar.gz. 
> Ideas/clues (other than "cheating" and using syspatch since I'm trying 
> to learn stuff after all)?  Thanks!
>
>

Your uid doesn't have access to write in /usr but does have access to
/usr/ports. Ignore it, the extraction should have worked ok. (I would not
bother with the tar though, and just use cvs to fetch the tree).



Re: fighting amplification attack --was: Re: pf: block drop not working

2021-05-05 Thread Stuart Henderson
On 2021-05-05, Axel Rau  wrote:
>> 
>> check the table name …
>
> But even with the correct table name I had to flush states to get it working.

That is expected. A state lookup is done before parsing the ruleset.
You can try clearing states with pfctl -k but there are some issues, it
doesn't always work.

> Does anyone have a script handy to update the table to black hole dns clients 
> which repeat the same query with high frequency?

This is usually best dealt with in your DNS server software e.g. by using
the rrl-* configuration in NSD, see nsd.conf(5), or "rate-limit" config
section in BIND.
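This reply and the 2021-05-07 one above ("UDP is trivially spoofed ... the source IPs you see on the packets are the victims") make one combined point: limiting by source address on a reflection flood punishes the victim, while response rate limiting in the name server does not. The following toy model is an added example, not NSD's or BIND's code and not from the thread; it runs both strategies over a constructed query stream (a spoofed burst of identical "ANY" queries carrying the victim's address, then one genuine query from that host). Model A limits per source, as pf's max-src-conn-rate/overload would if applied to UDP; model B keys on (client, answer) and "slips" every second suppressed reply as a truncated response, the slip value both NSD's rrl-slip and BIND's rate-limit default to, so a real client falls back to TCP. Addresses, names and limits are made up.

```c
/* Added example: per-source limiting vs. DNS response rate limiting (RRL),
 * as a toy model over constructed input. Not NSD or BIND code. */
#include <stdio.h>
#include <string.h>

#define MAX_BUCKETS 64

enum verdict { ANSWERED = 0, TRUNCATED = 1, DROPPED = 2 };

struct query  { const char *src; const char *qname; };
struct bucket { char key[96]; int count; int suppressed; };
struct table  { struct bucket b[MAX_BUCKETS]; int n; };

static struct bucket *lookup(struct table *t, const char *key) {
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->b[i].key, key) == 0) return &t->b[i];
    if (t->n == MAX_BUCKETS) return NULL;           /* table full: fail open */
    struct bucket *nb = &t->b[t->n++];
    snprintf(nb->key, sizeof nb->key, "%s", key);
    nb->count = nb->suppressed = 0;
    return nb;
}

/* Model A: per-source limit. The source address of a spoofed packet is the
 * reflection victim, so once the flood trips the limit every genuine query
 * from that host is dropped as well. */
enum verdict per_source_limit(struct table *t, const struct query *q, int limit) {
    struct bucket *b = lookup(t, q->src);
    if (b == NULL) return ANSWERED;
    return ++b->count > limit ? DROPPED : ANSWERED;
}

/* Model B: RRL. Key on (client, answer); over the limit, drop, but let every
 * slip-th suppressed response out as a truncated (TC=1) reply so a genuine
 * client retries over TCP, which cannot be spoofed the same way. */
enum verdict response_rate_limit(struct table *t, const struct query *q, int limit, int slip) {
    char key[96];
    snprintf(key, sizeof key, "%s|%s", q->src, q->qname);
    struct bucket *b = lookup(t, key);
    if (b == NULL) return ANSWERED;
    if (++b->count <= limit) return ANSWERED;
    b->suppressed++;
    return (slip > 0 && b->suppressed % slip == 0) ? TRUNCATED : DROPPED;
}

struct outcome { int flood_answered; int flood_truncated; enum verdict legit; };

#define FLOOD 20
static const char *VICTIM = "198.51.100.7";   /* RFC 5737 documentation address */

/* Constructed stream: FLOOD spoofed "ANY" queries carrying the victim's
 * address, then one real query from the victim host for a different name. */
static struct outcome run(int use_rrl, int limit, int slip) {
    struct table t = { .n = 0 };
    struct outcome o = { 0, 0, ANSWERED };
    struct query flood = { VICTIM, "ANY example.com" };
    struct query legit = { VICTIM, "A www.example.com" };
    for (int i = 0; i < FLOOD; i++) {
        enum verdict v = use_rrl ? response_rate_limit(&t, &flood, limit, slip)
                                 : per_source_limit(&t, &flood, limit);
        if (v == ANSWERED)  o.flood_answered++;
        if (v == TRUNCATED) o.flood_truncated++;
    }
    o.legit = use_rrl ? response_rate_limit(&t, &legit, limit, slip)
                      : per_source_limit(&t, &legit, limit);
    return o;
}

struct outcome simulate_per_source(void) { return run(0, 5, 0); }
struct outcome simulate_rrl(void)        { return run(1, 5, 2); }

int main(void) {
    struct outcome a = simulate_per_source(), b = simulate_rrl();
    printf("per-source: flood answered %d, victim's real query %s\n",
           a.flood_answered, a.legit == DROPPED ? "DROPPED" : "answered");
    printf("RRL: flood answered %d, truncated %d, victim's real query %s\n",
           b.flood_answered, b.flood_truncated,
           b.legit == ANSWERED ? "ANSWERED" : "not answered");
    return 0;
}
```

Both models let the same number of amplified answers through before the limit bites; the difference is what happens to the victim afterwards, which is exactly why the rate limiting belongs in the name server, where it can see the answer being repeated, rather than in a per-source rule at the firewall.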




Re: isakmpd ignoring authentication metod

2021-05-05 Thread Stuart Henderson
On 2021-05-04, Giacomo Marconi  wrote:
> Hi all
>
> I have some openbsd boxes as vpn endpoint to a Palo Alto Pa-820.
>
> In my last VPN config (using 6.8) I see in the logs that isakmpd is 
> expecting RSA_SIG as authentication method, while in ipsec.conf I set the psk 
> value.

This usually means that the packets seen from the other side didn't
match your configuration (possibly a wrong IP or something) and
instead were matched by the implicit default phase 1 configuration
(which is 3DES-SHA-RSA_SIG).

If that doesn't give any clues, bump up logging in isakmpd. This
set of debug levels (worked out by studying source code) enables
most logs that are possible to do without being so noisy that
they're useless.

isakmpd_flags="-Kv -D0=29 -D1=49 -D2=10 -D3=30 -D5=20 -D6=30 -D8=30 -D9=30 -D10=20"

Sometimes looking at captured packets is useful too. For phase 1
negotiation, just watching the network interface is usually good:

tcpdump -vvs1500 -i $interface port 500 or 4500

(For problems with phase 2 nego you often need to enable isakmpd's
cleartext IKE packet capture via the isakmpd.fifo control socket
but you aren't that far).




Re: Q: dmesg: dt: 443 probes

2021-05-04 Thread Stuart Henderson
On 2021-05-04, Why 42? The lists account.  wrote:
>
> On Mon, May 03, 2021 at 12:59:27AM +0200, Patrick Wildt wrote:
>> > ...
>> > But when I do (as root): "sysctl kern.allowdt=1" it returns this error:
>> > sysctl: kern.allowdt: Operation not permitted
>> 
>> Similarly to kern.allowkmem, you can only set it when the securelevel is
>> still 'low'.  That's for security.  You need to add kern.allowdt=1 to
>> sysctl.conf, and then reboot.  Then it'll be enabled after reboot.
>
> Thanks Patrick! After the reboot I was able to experiment with btrace.
>
> Do you use it, do you have any examples that might help to get started?

Here's one example:
https://marc.info/?l=openbsd-bugs&m=158583371404603&w=2




Re: chroot x11 via Xephyr

2021-05-04 Thread Stuart Henderson
On 2021-05-03, u/Rogu3_AI  wrote:
> Hi, I have successfully populated a chroot with 69 filesets. You can
> refer to https://www.reddit.com/r/openbsd/comments/n2k475/chroot_help/
> to know what I'm talking about. My question is after successfully
> entering my chroot environment how can I forward x11 apps to the
> host's Xephyr window. I have successfully opened up a Xephyr window on
> the host 'Xephyr -ac :1 &'. Whenever I run 'DISPLAY=:1 xlock' inside the
> chroot it fails to open the display > ' Error: Can't open display: :1'.
> Kindly please correct if I'm wrong or refer to a source of information
> please.

What are you hoping to gain from doing this?

chroot can be useful if it restricts what the application running inside it
has access to, but outside of some special cases (ports development/builds
occasionally being one) populating it with enough files to run "full fat"
software negates most of the benefits..




Re: Can I do 4-26 snapshot to 6.9-stable safely?

2021-05-02 Thread Stuart Henderson
On 2021-05-02, jpeg bild  wrote:
> worked fine for me, it's basically just reinstalling but with the same 
> configuration as your last install

"not supported" does not mean "_won't_ work", it means "if you try this
and break things, we aren't going to try and change anything to accommodate
you, and really don't expect help"

(there is of course no warranty anyway, but for things which are _supposed_
to work we'll usually try to look into them).

> On Sat May 1, 2021 at 6:42 PM CST, Ashton Fagg wrote:
>>
>> > On May 1, 2021, at 18:38, jpeg bild  wrote:
>> > 
>> > If you want to move back to stable, you would have to boot bsd.rd and
>> > select "Upgrade" in the prompt, then install from http with the correct
>> > path for 6.9-stable
>>
>> …except that’s not supported.
>>
>> Again, per the very first sentence:
>>
>> https://www.openbsd.org/faq/upgrade69.html
>
>

Golden rule with running snapshots around release time: if you want to move
to the standard release version / -stable afterwards, never upgrade to a
snapshot that has "-current" in the version string. You can easily check
after downloading by using what(1) on the kernel.

Care is needed with sysupgrade because after the kernel says "6.9" all you
can do is "sysupgrade -s" to upgrade to a snapshot. It's trivial to tweak
the shell script though.




Re: Can I do 4-26 snapshot to 6.9-stable safely?

2021-05-02 Thread Stuart Henderson
On 2021-05-02, Luke Small  wrote:
> I have a simple network setup of google fiber with a modem/router at
> 196.168.1.1 which the default pf.conf should work instead of my pretty
> complicated (for a home network) pf.conf . I have no clue why the bsd.rd
> doesn’t work anymore…unless the dhclient.conf which I’ve told to listen to
> localhost for unbound and dnscrypt-proxy is gumming things up.

That is not a simple network setup. If you point your machine at a
resolver on the local machine, what do you expect to happen when you're
in the install kernel and that resolver isn't running?




Re: BGP circular routing

2021-04-29 Thread Stuart Henderson
On 2021-04-29, Marko Cupać  wrote:
> I guess this is not related to bgpd, but I hope there are skilled
> network admins here who can give me advice.
>
> I have a problem with circular routing on a site which talks BGP with
> two upstream providers, with traffic to site which has static default
> route over third ISP:
>
>         --> ISP1 --> ISP3 -->
> SITEA                         SITEB
>         <-- ISP2 <-- ISP3 <--

Asymmetric routing (circular suggests that it's looping so you have
no working connectivity, which I think is not what you're describing).

> I tried to prepend self / neighbor to ISP2 - no change (ISP1 has best
> routes for 99% of the prefixes, including to SITEB). I contacted ISP2,
> they said the problem is with ISP3. I contacted ISP3, they said ISP2
> announces my prefix (they're my LIR) so the best route is over them. I
> contacted ISP2 again, they said they prepended my prefix to ISP3, but
> situation is the same.
>
> Is it OK for ISP2 (my LIR) to announce and prepend my prefix? I thought
> I should be in control of that.
>
> Is there anything I can do about the situation?

You can't do much to control incoming traffic though you can sometimes
influence it. But you do control which routes you accept/prefer. If you
want to avoid the asymmetric path, you need to prefer ISP2's announcements
for SITEB, for example you could match and give it a higher localpref.

Is it causing a problem though? This is completely normal and expected
on the internet.

> Thank you in advance,
>



Re: .profile not being loaded (ksh) when opening shell in X

2021-04-27 Thread Stuart Henderson
On 2021-04-26, tetrahe...@danwin1210.me  wrote:
> I have some custom additions to my $PATH. They're defined in ~/.profile 
> and they are correctly loaded when I log in from a text console.
>
> When I log in to X (cwm) and open a terminal window, $PATH does not 
> contain the entries.
>
> I tried `chmod +x` on my .profile but that didn't help.
>
> Both the text console and the X terminal window are using ksh.
>
> When I call `/bin/ksh -l` then the resulting shell contains the correct 
> additions to $PATH.
>
> It looks like the custom $PATH is not being passed from the login shell 
> on downwards, since ~/.profile is only read by a login shell.

Seems that your terminal in X is not configured to run a login shell.
By default that is done for xterm via .Xdefaults in a new user's profile
directory (copied from /etc/skel) but if you use a different terminal
or have modified these files, that won't be used.

> ~/.kshrc is (according to ksh(1)) read by every spawning shell, but I 
> don't see any documentation or examples on the Internet where someone 
> defined their $PATH in ~/.kshrc ...

That is only if ENV is set.

> What's the correct way to set $PATH and have it stick no matter where 
> and when the shell is spawned?

If it's just PATH or some other environment variable, setting it for
the relevant class in /etc/login.conf is one option. But probably
simpler to configure your X terminal to run login shells.




Re: PPPoE mtu overwrites/ignores

2021-04-26 Thread Stuart Henderson
On 2021-04-25, Valdrin MUJA  wrote:
> As a grumpy person, I didn't believe them and quickly installed npppd into 
> another computer and used it as pppoe-server but nothing changed. (I've set 
> mru as 1550 at npppd.conf)

npppd isn't a valid test as it does not support RFC 4638.




Re: w o w

2021-04-24 Thread Stuart Henderson
On 2021-04-24, ben  wrote:
> I apologize for my language, I shouldn't have stooped to Olive's level and
> sent that to the mailing list.
>
> However I believe that if Olive thinks they have the right to berate this
> mailing list on how selfish we are then we have a right to tell them off for
> it in a similar tone and demeanor.

If you must, but do it off list if you're going to. Otherwise please
just delete and move on, same for other content-free list posts, it's
easy enough to filter out/ignore the original mails but harder to filter
replies.




Re: mistype on https://www.openbsd.org/events.html

2021-04-23 Thread Stuart Henderson
On 2021-04-23, Olive Power  wrote:
> what is the "openbse" on events.html https://www.openbsd.org/events.html

https://www.openbsd.org/tshirts.html#5




Re: is the april 19 iso on planetunix official

2021-04-23 Thread Stuart Henderson
On 2021-04-23, Olive Power  wrote:
> obviously this cdn is on https://www.openbsd.org/ftp.html
> https://mirror.planetunix.net/pub/OpenBSD/6.9/
> i install it and find it signed and built by draat@ not the release@ build 
> machine
> interesting to see a current version go into a release cdn without a notice
>

Release date as shown on https://www.openbsd.org/69.html is 1 May,
anything you see this far in advance is not guaranteed to be final.

Signature is OK, it's a legitimate build of either 6.9 or something
very close to it, but it is possible that any files fetched early might
still change before release day.

You can treat it as a "near release snapshot", same as you might fetch
from the snapshots directory at this time, and it might be identical
but might not. If you install it then it's up to you to check that
things haven't changed on release day.

There is no such thing as a "release@ build machine".



Re: Release schedule/general product engineering

2021-04-23 Thread Stuart Henderson
On 2021-04-22, Andrew Grillet  wrote:
> I also can no longer find architecture-specific change logs (to see if
> work has been done that might affect Sparc64 installs, and make things
> different from when I installed 6.8 on this hardware last time).

These are often separated out per-arch in the release page.
6.9's is still a work in progress but you can check the current version
https://www.openbsd.org/69.html




Re: default Offset to 1MB boundaries for improved SSD (and Raid Virtual Disk) partition alignment

2021-04-21 Thread Stuart Henderson
On 2021-04-21, Kent Watsen  wrote:
>   - When ZFS is told to use the SSD, it starts the partition
>  on sector 256 (not the default sector 34) to ensure good
>  SSD NAND alignment.

The OS doesn't get all that close to the NAND layer with typical
computer component SSD drives, there is a layer in between doing
translation/wear levelling (and in some cases compression).
Black box proprietary code with presumably a fair bit of deep
magic involved. (Some OSes do have more direct access to certain
types of flash devices that need OS control of wear-levelling;
OpenBSD doesn't and FFS is probably not the right filesystem for
this anyway).

There are different block sizes involved too; one is the size in
which writes can be done; the other is for erases which is typically
much larger.

If someone wants this badly enough then the starting point is to
show some figures for a situation which it improves. Benchmarks for
speed improvements. Maybe there's something in SSD SMART stats that
will give clues to whether it reduces write amplification.
(Then it needs repeating on different hardware; even different
firmware versions in an SSD could change how it behaves, let alone
differences between the various controller manufacturers).

I've written disklabel/fdisk diffs for this before, but I couldn't
figure out whether they actually helped anything.




Re: sndio: way to play and record from different devices?

2021-04-19 Thread Stuart Henderson
On 2021-04-19, Ax0n  wrote:
> I have a nice microphone attached to a USB sound device, but I'd like to
> rely on my computer's built-in line out for speakers from the same program
> (e.g. Audacity, Firefox). It feels like sndio might have some way to let
> programs use snd/0.play and snd/1.rec, or a way to make snd/1 the default
> device for record and snd/0 the default for play, or maybe even a virtual
> sound device, but I haven't been able to sort out how to make it work.
>
> Ideas?
>

see sndio(7) :-

ENVIRONMENT
     AUDIODEVICE      Audio device descriptor to use when no descriptor is
                      explicitly specified to a program.
     AUDIOPLAYDEVICE  Audio device descriptor to use for play-only mode when no
                      descriptor is explicitly specified to a program.  Overrides
                      AUDIODEVICE.
     AUDIORECDEVICE   Audio device descriptor to use for record-only mode when no
                      descriptor is explicitly specified to a program.  Overrides
                      AUDIODEVICE.




Re: WireGuard, keepalive time doubled?

2021-04-15 Thread Stuart Henderson
On 2021-04-14, Jan Johansson  wrote:
> Hello!
>
> I was experimenting with wireguard keepalive and noticed that
> keepalive packets seems to be sent on double the time that I have
> set which I find a bit unintuitive.

FWIW I'm using wgpka 75 with one peer in one place, and wgpka 50 with several
peers in another place, all work as expected here (fairly recent -current).
Not sure what might be different with your setup.




Re: Technical Documentation - CARP

2021-04-13 Thread Stuart Henderson
On 2021-04-13, Janne Johansson  wrote:
> Den tis 13 apr. 2021 kl 10:29 skrev jannick Weiss :
>> Hello, my name is Jannick Weiss and I am currently in the process of taking
>> my education as a data technician. As part of my education I have to do a
>> presentation on a self-elected subject and I have chosen to talk about CARP.
>>
>> It is my understanding that it is you (OpenBSD) that have developed CARP.
>> I am having trouble finding information about CARP, such as the different
>> states the protocol goes through or how the election of the master node
>> works specifically.
>> If you can provide any documentation on CARP it would be greatly
>> appreciated.
>
> https://www.openbsd.org/events.html lists a few talks some 15 years
> ago which focused on PF and Carp, those might help.

https://github.com/jedisct1/UCarp has some useful information.
There's no formal documentation for the protocol afaik.

> Googling "openbsd carp design" turned this PDF up,
> https://core.ac.uk/download/pdf/17210042.pdf from 2006 which perhaps
> dives a bit deeper.

It's a bit wrong though, I noticed it says "encrypted" - it's authenticated
but not encrypted. Doesn't go much into the protocol details either.




Re: Upgrade to 6.8 issues

2021-04-12 Thread Stuart Henderson
On 2021-04-11, Jeff Ross  wrote:
> Hi all,
>
> Just upgraded to 6.8 from 6.3 (yes, I know...) and now find a few of the 
> websites I'm hosting are no longer connecting to postgres because pear 
> DB is apparently no longer in ports.  Fortunately so far they all appear 
> to be *my* websites so no harm, no foul.
>
> The sites that I'm hosting through something like drupal7 or wordpress 
> are all fine--it's only the sites that I created a gazillion years ago 
> using pear DB that are really failing.
>
> Are there alternatives that I'm missing?
>
> Please, I really don't feel the need to move off apache2 just yet.
>
> Thanks,
>
> Jeff
>
>

I don't recall pear DB being in ports, could you have installed it separately
and just need to update it to work with current php?

Generally pear things don't get added to ports unless needed for some
particular application that is wanted in ports, but that is not so common these
days as php applications normally bundle their own 'vendored' dependencies.
To install them yourself you can use "pear install" (systemwide) or just for
a particular project via a dependency manager e.g. "composer".

(note pear DB is still available but no longer getting normal updates, see
https://pear.php.net/package/DB/, see https://pear.php.net/package/MDB2 for
similar current equivalent).
 



Re: Small/Mini 10Gbe Router Recommendation

2021-04-08 Thread Stuart Henderson
On 2021-04-07, Daniel Melameth  wrote:
> Looking to finally part with my legacy OpenBSD router and upgrade to
> something that can push more than 2Gbps out of a single port.  Since
> my switching equipment is still only 1Gbe, I also want something that
> has, at least, two Gbe ports.
>
> Any recommendations that work well with OpenBSD?  I am currently
> thinking 
> https://www.supermicro.com/en/products/system/Mini-ITX/SYS-E300-8D.cfm,
> but would like other opinions.

I have several routers using that same motherboard (been using them for
3-4 years), they work nicely and have a useful selection of NICs. dmesg below -
the onboard SFP+ are ix0/1, the ixl(4) in there are a PCIE card. DOM works ok
on the fibre ports ("ifconfig ix0 sff" etc).

Mine aren't in a good place on the network to test the speed of packet
forwarding (and those will vary quite a bit depending on configuration)
but should be good for what you're asking.

Note that the BMC defaults to sharing em0 if it doesn't have link on the
separate management port, you may want to change that to dedicated, it
can be done in config (or IIRC you can also change that setting by
poking at it with ipmitool/freeipmi if you enable ipmi in kernel config;
that also gets you additional sensors in hw.sensors rather than just
the cpu temperature).

(FWIW that one is in a nice 1U chassis with front-facing ports and dual
PSU - https://www.supermicro.com/en/products/chassis/1U/515/SC515-R407 -
not quite so mini but some of these are an 8h round trip away and sometimes
need to get remote hands to plug things in so these are good features for
my use).

Might not be an issue for your use but be aware the 40x28mm fans in
CSE-E300 are pretty whiny. You can change the power management profile
in bios config which helps, and the noctua 40x20 fans can be made to
work if that's not enough (though it's a bit of a faff and you will
need to find screws that work, noctua's usual rubber mounts won't
fit and their screw holes are weird sizes) but even with those changes
it's not the best chassis for a noise-sensitive location. The 1Ux19"
chassis aren't really quieter but the noise profile is more pleasant.

OpenBSD 6.8-current (GENERIC.MP) #284: Wed Jan 20 02:40:03 MST 2021
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8464850944 (8072MB)
avail mem = 8192978944 (7813MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xed9b0 (46 entries)
bios0: vendor American Megatrends Inc. version "1.0c" date 10/31/2017
bios0: Supermicro X10SDV-TP8F
acpi0 at bios0: ACPI 5.0
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP APIC FPDT FIDT SPMI MCFG UEFI DBG2 HPET WDDT SSDT SSDT 
SSDT PRAD DMAR HEST BERT ERST EINJ
acpi0: wakeup devices IP2P(S4) EHC1(S4) EHC2(S4) RP07(S4) RP08(S4) BR1A(S4) 
BR1B(S4) BR2A(S4) BR2B(S4) BR2C(S4) BR2D(S4) BR3A(S4) BR3B(S4) BR3C(S4) 
BR3D(S4) RP01(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU D-1518 @ 2.20GHz, 2200.26 MHz, 06-56-03
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,PQM,RDSEED,ADX,SMAP,PT,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 100MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Xeon(R) CPU D-1518 @ 2.20GHz, 2200.02 MHz, 06-56-03
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,PQM,RDSEED,ADX,SMAP,PT,MD_CLEAR,IBRS,IBPB,STIBP,L1DF,SSBD,SENSOR,ARAT,XSAVEOPT,MELTDOWN
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Xeon(R) CPU D-1518 @ 2.20GHz, 2200.02 MHz, 06-56-03
cpu2: 

Re: ifconfig problem with >10 wireguard peers

2021-04-07 Thread Stuart Henderson
On 2021-04-07, Harald Dunkel  wrote:
> Hi folks,
>
> apparently ifconfig (openbsd 6.8) shows only 10 wireguard peers
> for wg0, even if hostname.wg0 defines 12 peers. This is pretty
> painful.
>
> Do you think it would be possible to increase this limitation to
> (lets say) 253?

I don't see that here:

# for i in `jot 500`; do ifconfig wg1 wgpeer `openssl rand -base64 32`; done 
# ifconfig wg1 | grep -c wgpeer
500

That is with -current, though I don't see anything which looks like it
would have changed since 6.8.



Re: relayd and EC tls - key size 832 is not supported

2021-04-06 Thread Stuart Henderson
On 2021-04-06, Chris Narkiewicz  wrote:
> TLS certificate has been generated using easyrsa, and it uses EC algo
> with secp384r1 curve.
>
> When I start relayd, it complains about unsupported key size:
>
> ca_engine_init: using RSA privsep engine
> ...
> ssl_ctx_fake_private_key: key size 832 not support

Since there is an "RSA privsep engine" and no "ECDSA privsep engine" I guess
this is not supported.

You can do this easily with nginx or I think also haproxy.




Re: acme-client, error 21 at 0 depth lookup:unable to verify the first certificate

2021-04-03 Thread Stuart Henderson
On 2021-04-03, open...@crw.name  wrote:
> Yeah, like that but Google was no help.
>
> Am 03.04.2021 19:10, schrieb Florian Obser:
>> https://xkcd.com/979/
>> 
>
>

But if you follow-up with information about what the problem was
and how you fixed it, then it might be helpful for someone who comes
along in the future.




Re: Iked windows client using certificates?

2021-04-02 Thread Stuart Henderson
On 2021-04-01, Justin Mayes  wrote:
> Hello everyone
>
> Just wanted to check my sanity after so many days. I have ikev2 setup working 
> for windows machine for a long time using the following. So, to repeat this 
> works, it connects fine.
>
> ikev2 passive esp \
> from 0.0.0.0/0 to 10.0.5.0/24 \

10.0.5.0/24 should be "to 0.0.0.0" in <=6.8, or "to dynamic" in -current/6.9

> peer any local 50.247.187.177 \
> srcid 50.247.187.177 \
> config address 10.0.5.0/24
>
> now I have a second windows client with a different certificate that I also 
> want to connect at the same time but client B will disconnect client A. I 
> need to add a dstid to this config to make specific entries for each machine 
> I believe using ASN1_DN such as this? Or is there better way for clients with 
> no fixed IP or FQDN?

It has been said that you should be able to match by dstid with iked,
but I have been unable to make that work.




Re: Gigenet Mirror x*69.tgz Failing to Verify Sets

2021-03-31 Thread Stuart Henderson
On 2021-03-30, Charlie Burnett  wrote:
> Hi,
> Currently the gigenet mirror is failing to verify for all four X packages
> on snapshot. They verify fine when I point it towards cdn.openbsd.org, but
> this is the case for both when trying to install from both bsd.rd and an
> install iso. This is in a VM but I wouldn't see how that'd affect it. Oddly
> enough, I just upgraded my personal machine earlier today without any
> issues. Not sure what would need to be done about it, but I figured someone
> oughta be told!
>
> Best Regards,
> Charlie Burnett
>

It happens with snapshots from time to time. Try another mirror or wait a while.



Re: [Ver3.6/3.9] Old version need help

2021-03-30 Thread Stuart Henderson
On 2021-03-30, cclai  wrote:
> Hello,
>
> I'm Hachi,
> Our company’s server uses the 3.6 and 3.9 version of the system, 
> Used for more than ten years,
> and there is a need to reinstall at present. 
>
> I have tried the file installation on FTP and failed. 
>> Russia (Moscow) ftp://mirror.yandex.ru/pub/OpenBSD/
>> cd39.iso
>
> So I hope that your organization can provide 
> an installation package "3.6 and 3.9 version" to solve the problem.
>
> It would be of great help to us.
> Thank you very much.
>
> Hachi
>

These releases are about 15 years past end-of-life and include security
vulnerabilities. See these errata pages; also, many of the problems fixed
in subsequent releases will also apply to the versions you mention:

https://www.openbsd.org/errata36.html
https://www.openbsd.org/errata39.html

These systems really ought to be rebuilt using something newer
(additionally, such old releases are unlikely to run correctly on
current hardware/VMs).




Re: The case of the phantom reboot

2021-03-28 Thread Stuart Henderson
On 2021-03-28, David Newman  wrote:
> On 3/28/21 4:58 AM, Kristjan Komloši wrote:
>
>> On 3/27/21 10:27 PM, David Newman wrote:
>>> OpenBSD 6.8 GENERIC#5 i386
>>>
>>> One of my systems rebooted at 03:01 local time today. I've seen kernel
>>> panics and bad hardware but I've never seen OpenBSD "just reboot" by
>>> itself, ever.
>>>
>>> There's no cron job that would do this. last(1) is no help; it shows the
>>> reboot command but not the shutdown that preceded it:
>>>
>>> root@ns ~ 4# last -f /var/log/wtmp.0
>>> reboot    ~ Sat Mar 27 03:01
>>> root  ttyp0    192.168.0.132    Wed Mar 24 11:23 - 11:23
>>> (00:00)
>>>
>>> wtmp.0 begins Wed Mar 24 11:23 2021
>>> root@ns ~ 5# last -f /var/log/wtmp.1
>>> root  ttyp0    192.168.0.132    Tue Mar 16 21:30 - 21:30
>>> (00:00)
>>> root  ttyp0    75.82.86.131 Tue Mar 16 13:14 - 21:30
>>> (08:15)
>>> root  ttyp0    75.82.86.131 Sun Mar 14 21:20 - 21:29
>>> (00:08)
>>> root  ttyp0    75.82.86.131 Sat Mar 13 17:42 - 21:13
>>> (03:31)
>>>
>>> The date gaps seem odd. I've ssh'd into this system multiple times
>>> between March 16-27. I don't see other signs of trouble in /var/log.
>>>
>>> I could use some help in looking for evidence of foul play, or "just" a
>>> hardware or software problem.
>>>
>>> Thanks in advance for further troubleshooting clues.
>>>
>>> dn
>>>
>> What kind of a machine is it running on? I remember having reboot
>> problems on certain HP and Supermicro servers with hardware watchdogs.
>
> This is a 10+-year-old Dell 1U server with a 2-GHz Celeron 440, part of
> a pair running CARP. Aside from having to replace spinning disks with
> SSDs a couple of years ago, they've been rock solid.
>
> I too have seen issues with Supermicros but that's with other OSs. I've
> never had a spontaneous reboot, on this system, and am concerned from
> the wtmp stuff above that this *may* have been triggered externally. I
> could use some clues in other things to check. Thanks.
>
> dn
>
>

The "reboot" wtmp entry is written by init(8).

It is something that could possibly be caused by bad hardware or a
glitch in the power feed amongst other options (the latter may affect
some machines differently than others).

Perhaps it's worth enabling accounting in rc.conf.local to see if
you can figure out if any commands are executed around that time if
it happens again.
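One quick check for the "was this an orderly reboot?" question, as an added example that is not code from the thread: reboot(8) and halt(8) write a "shutdown" record to wtmp before going down, and init(8) writes "reboot" when the system comes back up, so a "reboot" line in last(1) output that is not immediately followed (last prints newest first) by a "shutdown" line means the machine came back without a clean shutdown. The script below parses last(1) output on stdin and reports those boots. The sample wtmp listing is constructed; the timestamps and addresses in it are made up.

```shell
#!/bin/sh
# Added example, not from the thread: flag "reboot" records in last(1)
# output that are not directly preceded by a "shutdown" record.
# reboot(8)/halt(8) log "shutdown" on an orderly shutdown; init(8) logs
# "reboot" on the way back up. A boot with no "shutdown" just before it
# came after a crash, watchdog, power glitch or reset, not a reboot command.

# Reads `last` output on stdin (newest record first) and prints the time
# of every boot that was not preceded by an orderly shutdown.
unclean_reboots() {
	awk '
	# End of the records: the trailing blank line or the "wtmp.N begins"
	# footer. A pending reboot here has its shutdown record, if any, in an
	# older rotated wtmp file, so report it as unknown rather than clean.
	NF == 0 || $2 == "begins" {
		if (pending) print stamp " (older wtmp file needed)"
		pending = 0
		next
	}
	# The record after a reboot line is the event just before that boot.
	pending {
		if ($1 != "shutdown") print stamp
		pending = 0
	}
	$1 == "reboot" {
		pending = 1
		stamp = $3 " " $4 " " $5 " " $6
	}
	END { if (pending) print stamp " (older wtmp file needed)" }
	'
}

# Constructed sample in last(1) format (times and addresses made up): the
# boot on Mar 27 has no shutdown record before it, the one on Mar 14 does.
SAMPLE_LAST='reboot    ~                          Sat Mar 27 03:01
root      ttyp0    192.168.0.132    Wed Mar 24 11:23 - 11:23  (00:00)
reboot    ~                          Sun Mar 14 09:12
shutdown  ~                          Sun Mar 14 09:10
root      ttyp0    192.168.0.132    Sat Mar 13 17:42 - 21:13  (03:31)

wtmp.0 begins Sat Mar 13 17:42 2021'

# Stand-alone run: check the sample, then the live wtmp if it is readable.
printf '%s\n' "$SAMPLE_LAST" | unclean_reboots
if [ -r /var/log/wtmp ] && command -v last >/dev/null 2>&1; then
	last -f /var/log/wtmp | unclean_reboots
fi
```

For the sample this prints only "Sat Mar 27 03:01". A hit tells you the box did not go down through reboot(8), but not why; that is where the accounting suggestion above comes in: with accounting=YES in rc.conf.local, lastcomm(1) lists every process that ran in the minutes before the timestamp, which is the quickest way to tell a cron job or an interactive session from a hardware reset.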




Re: cgit about-filter in chroot (httpd + slowcgi)

2021-03-28 Thread Stuart Henderson
On 2021-03-28, Kristaps Dzonsons  wrote:
 $ cat <<EOF > my-cgit-filter.c
 #include <unistd.h>
 int
 main(void)
 {
 	execl("/bin/lowdown", "lowdown", NULL);
 	return 1;
 }
 EOF

So essentially all this is doing is stripping off the command line
arguments.

 $ cc my-cgit-filter.c -o my-cgit-filter.c -static

output file overwrites the input file here ^^

> Instead of downloading, recompiling, and installing lowdown; then 
> building and installing a program that execs the downloaded lowdown; why 
> don't you cut out the first step and call through to the C API installed 
> with the lowdown port?  There's a full example in the EXAMPLES section 
> of lowdown_file(3).

Alternatively you can copy the lowdown binary from the package, along
with libc/libm/ld.so, into the chroot (which can be done from /etc/rc.local).
Then there's no need to recompile things for future lowdown updates.
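The "copy the package binary plus libc/libm/ld.so into the chroot from rc.local" approach, as an added example that is not code from the thread, cgit or lowdown: the script asks ldd(1) which shared objects the binary maps and copies each one to the same path under the chroot, so ld.so finds them where it expects. It assumes OpenBSD's ldd(1) output format (type in column 3, path in column 7), httpd's default chroot /var/www, and /usr/local/bin/lowdown as the binary; the sample ldd listing is constructed, with made-up addresses and library versions.

```shell
#!/bin/sh
# Added example (not code from the thread or from cgit/lowdown): copy a
# packaged binary and the shared objects it needs into the httpd/slowcgi
# chroot, as a step for /etc/rc.local. Paths are assumptions.

CHROOT=/var/www            # httpd(8)'s default chroot; assumed

# Print the path of every shared object in OpenBSD ldd(1) output.
# ldd prints one row per mapped object; column 3 is the type (exe, rlib,
# ld.so) and column 7 the path. The exe row is the binary itself.
ldd_deps() {
	awk '$3 == "rlib" || $3 == "ld.so" { print $7 }'
}

# Copy one binary and its dependencies into the chroot at $1, keeping
# their paths so ld.so inside the chroot resolves them unchanged.
populate_chroot() {
	root=$1
	bin=$2
	for f in "$bin" $(ldd "$bin" | ldd_deps); do
		mkdir -p "$root$(dirname "$f")"
		cp -p "$f" "$root$f"
	done
}

# Constructed ldd(1) output in OpenBSD's format, used to exercise the
# parser without a real binary; addresses and library versions are made up.
SAMPLE_LDD='/usr/local/bin/lowdown:
        Start            End              Type  Open Ref GrpRef Name
        000000fd45c00000 000000fd45c2a000 exe   1    0   0      /usr/local/bin/lowdown
        000000fdb3e82000 000000fdb3f7d000 rlib  0    1   0      /usr/lib/libc.so.96.0
        000000fd4f1c0000 000000fd4f1fb000 rlib  0    1   0      /usr/lib/libm.so.10.1
        000000fd9d2f4000 000000fd9d2f4000 ld.so 0    1   0      /usr/libexec/ld.so'

# Stand-alone run: show what the sample would copy, then populate the
# chroot for real if the binary exists on this host.
printf '%s\n' "$SAMPLE_LDD" | ldd_deps
if [ -x /usr/local/bin/lowdown ]; then
	populate_chroot "$CHROOT" /usr/local/bin/lowdown
fi
```

Because rc.local runs at boot, the copies are refreshed on every reboot but not when pkg_add -u replaces lowdown or a libc update lands; re-run the script (or reboot) after such updates, or the chroot keeps executing the old code. Keep the copied files owned by root and not writable by the www user, as with everything else in the chroot.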




Re: Layer2 Tunneling Over pppoe(4)

2021-03-27 Thread Stuart Henderson
On 2021-03-27, Valdrin Muja  wrote:
> Can we set up egre(4), etherip(4) or vxlan(4) tunnel over pppoe ?

Yes, but watch out for MTU problems especially if you have pppoe on
one endpoint and ethernet at the other. See pppoe(4) about RFC 4638,
if your provider supports this it may be useful. If not then you
may need to lower the MTU on the ethernet interface on the ethernet-
connected endpoint to match pppoe's MTU.




Re: Go programs only using one CPU core

2021-03-26 Thread Stuart Henderson
Hm, the boot messages have been pushed out by USB reattachments, but 
ncpuonline suggests it should work. Please try top -H rather than htop.


  PID      TID PRI NICE  SIZE   RES STATE     WAIT      TIME    CPU COMMAND
24659   276986  64    0  103M 2988K onproc/2  -         1:06 96.00% /tmp/go-build2844787704/b001/exe/main
24659   292856  64    0  103M 2988K onproc/3  -         1:06 95.80% /tmp/go-build2844787704/b001/exe/main


Re: Go programs only using one CPU core

2021-03-26 Thread Stuart Henderson
On 2021-03-26, Richard Ulmer  wrote:
> Hi,
> it seems to me like Go (from the lang/go port) does not utilize more
> than one CPU core on OpenBSD. Let's take this program, which may be run
> with `go run main.go`:
>
>   package main
>
>   func main() {
>       go work()
>       work()
>   }
>
>   func work() {
>       for i := 1; ; {
>           i *= 1
>       }
>   }
>
> The `go` directive starts a new goroutine, which I would expect to be
> put into it's own process here. However, using htop(1) I can see, that
> only one of my two cores gets load. Running the same program on Linux,
> two cores are utilized.
>
> Can someone explain to me why this is happening? Is there any way to
> make the program use both cores of my CPU?
>
> Best Regards,
> Richard Ulmer
>
>

It works for me (checked using top and pressing H to show threads).

Is your system actually dual-core or is it single core with hyperthreading?
(it's always worth including dmesg when asking a question, that would have
shown this)




Re: Adding accessibility for blind and low vision individuals to OpenBSD?

2021-03-25 Thread Stuart Henderson
For the installer, honestly I think the only sane way is to drive it
from another OS with an existing screen reader via serial console.

If Fenrir uses a terminal emulator library itself then it may be possible
to get it to work with tmux, at least in a single window. It has a
"pipe-pane" command that sends the terminal output, including escape
sequences, to a process. It's normally used for logging but maybe
Fenrir could read input that way and using its terminal emulator
build up its own idea of what should be, so to say, on screen.

See Theo's comment about the RFC 1692 TMux protocol, that is unrelated.

On 2021/03/25 17:23, Ethin Probst wrote:
> If the tmux server uses the TMux protocol as described in RFC 1692, it
> (theoretically) shouldn't be too difficult to build a screen driver
> that can interact with it. The pty module uses the pyte terminal
> emulator library, so we might even be able to subclass the `Screen`
> class it exposes to make it easier. I'm not sure though.
> I'm a blind user myself, but this might not be easy in general. My
> original idea was to take the installer and make calls to espeak-ng
> for speech synthesis. It wouldn't provide full keyboard handling and
> all that, but it would at least speak the prompts. The problem is that
> I have no idea how well that'd work.
> 
> On 3/25/21, Stuart Henderson  wrote:
> > On 2021-03-23, Ethin Probst  wrote:
> >> Apologies if this is unnecessary sending of this, but I sent this to
> >> the tech OpenBSD mailing list (which might've not been the right list)
> >> so I'm re-sending it to this one just in case. (It might've gotten
> >> lost too.) The original email is below:
> >
> > It did go through but I think the problem is that nobody has a good answer.
> >
> >> So I've really wanted to try OpenBSD in a non-server configuration
> >> where I'm not installing over the internet on a remote server but on
> >> the local machine, but to my knowledge the OpenBSD installation media
> >> has no accessibility functionality whatsoever. (I'm not even sure if
> >> the installed system or any of the packages therein, such as in the
> >> ports collection, contains accessibility software.)
> >>
> >> Therefore, I'm wondering what it would take to add accessibility to
> >> the console portion of OpenBSD to begin with, as that as the simplest
> >> interface at the moment. The Orca screen reader may work on the
> >> desktop. There's a screen reader for the Linux console called
> >> Fenrir[1], but it may require functionality that is not available in
> >> OpenBSD, such as libevent. I've yet to try loading Fenrir on an
> >> installed OpenBSD system.
> >>
> >> Thoughts as to how this all could be achieved? I'm looking in particular
> >> at screen readers; braille displays can be accomplished through
> >> something like brltty.
> >
> > libevent is not a problem, dozens of programs in the OpenBSD base
> > system use it already. The problem for Fenrir is that it can't read
> > the contents of the system console display, the OpenBSD kernel
> > doesn't have a way to do this.
> >
> > It might not be difficult to add a simple implementation of this,
> > but the challenge is doing it safely, especially around permissions and
> > access controls. Obviously a lot of care would be needed if it was to
> > become part of OpenBSD itself, screen contents are often sensitive.
> >
> > BRLTTY sidesteps this by not working with the system console on OpenBSD.
> > It relies on a patched old version of GNU Screen that makes the
> > contents of the buffer available over shared memory.
> > Obviously this isn't ideal but it's all we have for now.
> >
> > BRLTTY isn't just for Braille terminals, it does have some
> > text-to-speech features too, though I have no idea how well that
> > works in practice, I guess it will be primitive compared to
> > dedicated screen reader software, but maybe still useful.
> > I am not certain that the text-to-speech actually works in the
> > OpenBSD port though. At least basic functionality worked about
> > 2 years ago (I tested it with the X 'test' driver when working
> > on the screen-shm port).
> >
> > So, thinking about what else could be done. It might be possible to
> > modify Fenrir to interface with screen-shm like BRLTTY does. It wouldn't
> > give full system console access but still better than nothing.
> >
> > A more modern way would be to find a way to interface with tmux instead.
> > Still no direct system console access, but at least it's in the base
> > OS, it already deals with sharing access between login sessions,
> > and would be portable to many OS. And the basic tmux design with
> > separate client/server processes that communicate with each other
> > is a much better fit for doing this than GNU Screen which is a
> > single program.
> >
> >
> >
> 
> 
> -- 
> Signed,
> Ethin D. Probst



Re: blacklistd analogue

2021-03-25 Thread Stuart Henderson
On 2021-03-25, Kapetanakis Giannis  wrote:
> How about a distributed setup?

Not on OpenBSD yet but there is "crowdsec"




Re: Adding accessibility for blind and low vision individuals to OpenBSD?

2021-03-25 Thread Stuart Henderson
On 2021-03-23, Ethin Probst  wrote:
> Apologies if this is unnecessary sending of this, but I sent this to
> the tech OpenBSD mailing list (which might've not been the right list)
> so I'm re-sending it to this one just in case. (It might've gotten
> lost too.) The original email is below:

It did go through but I think the problem is that nobody has a good answer.

> So I've really wanted to try OpenBSD in a non-server configuration
> where I'm not installing over the internet on a remote server but on
> the local machine, but to my knowledge the OpenBSD installation media
> has no accessibility functionality whatsoever. (I'm not even sure if
> the installed system or any of the packages therein, such as in the
> ports collection, contains accessibility software.)
>
> Therefore, I'm wondering what it would take to add accessibility to
> the console portion of OpenBSD to begin with, as that as the simplest
> interface at the moment. The Orca screen reader may work on the
> desktop. There's a screen reader for the Linx console called
> Fenrir[1], but it may require functionality that is not available in
> OpenBSD, such as libevent. I've yet to try loading Fenrir on an
> installed OpenBSD system.
>
> Thoughts as to how this all could be achieved? I'm looking in particular
> at screen readers; braille displays can be accomplished through
> something like brltty.

libevent is not a problem, dozens of programs in the OpenBSD base
system use it already. The problem for Fenrir is that it can't read
the contents of the system console display, the OpenBSD kernel
doesn't have a way to do this.

It might not be difficult to add a simple implementation of this,
but the challenge is doing it safely, especially around permissions and
access controls. Obviously a lot of care would be needed if it was to
become part of OpenBSD itself, screen contents are often sensitive.

BRLTTY sidesteps this by not working with the system console on OpenBSD.
It relies on a patched old version of GNU Screen that makes the
contents of the buffer available over shared memory.
Obviously this isn't ideal but it's all we have for now.

BRLTTY isn't just for Braille terminals, it does have some
text-to-speech features too, though I have no idea how well that
works in practice, I guess it will be primitive compared to
dedicated screen reader software, but maybe still useful.
I am not certain that the text-to-speech actually works in the
OpenBSD port though. At least basic functionality worked about
2 years ago (I tested it with the X 'test' driver when working
on the screen-shm port).

So, thinking about what else could be done. It might be possible to
modify Fenrir to interface with screen-shm like BRLTTY does. It wouldn't
give full system console access but still better than nothing.

A more modern way would be to find a way to interface with tmux instead.
Still no direct system console access, but at least it's in the base
OS, it already deals with sharing access between login sessions,
and would be portable to many OS. And the basic tmux design with
separate client/server processes that communicate with each other
is a much better fit for doing this than GNU Screen which is a
single program.




Re: blacklistd analogue

2021-03-24 Thread Stuart Henderson
On 2021-03-24, jeanpierre  wrote:
> Does there exist an OpenBSD analogue for FreeBSD's blacklistd daemon?
>
> For the sake of completeness: blacklistd is a daemon that, using pf
> anchors, blocks connections from abusive hosts to particular services
> (e.g. sshd) until they start behaving themselves again.
>
> I find it very useful for trimming down log files.
>
> Regards,
> Jean-Pierre
>
>

sshguard (in ports) should do something like this.

sometimes PF's built-in source-tracking (max-src-conn-rate)
is good enough.

another way is to block all connections, except from specific
wanted IPs, or connections over VPN.




Re: aggr+vlan lost packets

2021-03-23 Thread Stuart Henderson
On 2021-03-22, Szél Gábor  wrote:
> Dear List!
>
> We made some tests; I think this is an Intel em driver (82571EB) bug!
>
>   * if I move aggr0 from em devices to bnx devices, everything will be fine!
> (only change trunkport from em to bnx)
>   * if I change the Intel network card to another Intel network card with
> the 82571EB chipset, not working.
>   * if I copy the network interfaces config to another server (clean OpenBSD
> 6.8 install) with 6x Intel I210 network cards, everything will be fine!
>   * if I move the SSD from the working Intel configuration server (I210) to
> PE210 (82571EB), not working.
>   * I tested with oBSD 6.7, the problem exists, but before reinstalling
> this server, on oBSD 6.1, LACP + 82571EB was working correctly.
>
> we have many-many OpenBSD (router, firewall) installations, but we have
> not yet experienced this problem. If possible, we use Intel network cards.
>

First off, it would be helpful to provide ifconfig output (preferably
in full) and lacp status from the switch. This might give some clues
immediately.

One big difference between trunk and aggr is that trunk always uses
promiscuous mode, aggr doesn't (unless other software forces it).
This means that it relies on filters on the NIC (e.g. received 
address filters / multicast filters) getting programmed correctly.
If this is caused by a NIC driver bug (or hardware bug not worked-
around properly by the driver) it's most likely in that area.

The NIC is normally (when not in promisc mode) programmed to
receive just packets sent to certain addresses. There's a small
table (receive address register RAR, 15 entries on this nic) where you
put a list of full destination MAC addresses to receive. If there are
a bunch of multicast addresses in use that exceeds this there's
another filter table used for these. Or it can be set to
"multicast promiscuous" where it uses the filter for normal traffic
but allows all multicast.

I'm not really a driver hacker but have an idea for one thing you
can try if nobody has a better idea. In if_em.c find this

1438 	reg_rctl = E1000_READ_REG(&sc->hw, RCTL);
1439 	reg_rctl &= ~(E1000_RCTL_MPE | E1000_RCTL_UPE);
1440 	ifp->if_flags &= ~IFF_ALLMULTI;
1441 
1442 	if (ifp->if_flags & IFF_PROMISC || ac->ac_multirangecnt > 0 ||
1443 	    ac->ac_multicnt > MAX_NUM_MULTICAST_ADDRESSES) {
1444 		ifp->if_flags |= IFF_ALLMULTI;
1445 		reg_rctl |= E1000_RCTL_MPE;
1446 		if (ifp->if_flags & IFF_PROMISC)
1447 			reg_rctl |= E1000_RCTL_UPE;
1448 	} else {

change 1442 to this

1442 	if ( 1 || ifp->if_flags & IFF_PROMISC || ac->ac_multirangecnt > 0 ||

and build/install a new kernel. This will stop it using the multicast
filter and instead accept all multicast packets. If this fixes things
then the problem is likely to be with the multicast filter programming,
it varies a bit between models and might have missed some special case.
If not then, well, at least it rules that out.

Another big difference is that trunk uses the MAC address from a member
interface, aggr creates a random address by default (you can force it to
a particular address with "lladdr aa:bb:cc:dd:ee:ff"). There's clearly
some problem in this area with 82571 em worked around in if_em_hw.c
(around line 7547). (locally administered address = where the MAC has
been reset). Perhaps it's not handled completely.

Of course if you need it working there is also the option to use
trunk instead of aggr, or to run something (e.g. tcpdump) to force
the nic into promiscuous mode, but it would be nice to get this
figured out.




Re: HP microsever gen 10 AMD x3216

2021-03-20 Thread Stuart Henderson
On 2021-03-20, Kihaguru Gathura  wrote:
> Hello,
>
> OpenBSD 6.8 amd64 iso installation hangs @
>
> _
> _
> _
> isa0 at mainbus0
> pckbc0 at isa0 port 0x60/5 irq 1 irq 12
> _
>
>
> Any lead on this?
>
> Thanks,
>
> Kihaguru
>

Does it help to "boot -c" and "disable pckbc"?




Re: Q: pkg_add fails with: TLS handshake failure: ocsp verify failed: Undefined error ...

2021-03-19 Thread Stuart Henderson
In gmane.os.openbsd.misc, li...@y42.org wrote:
>
> Hi All,
>
> What would cause pkg_add -u to report this error?
>> https://ftp.fau.de/pub/OpenBSD/snapshots/packages/amd64/: TLS handshake 
>> failure: ocsp verify failed: Undefined error: 0
>> https://ftp.fau.de/pub/OpenBSD/snapshots/packages/amd64/: empty
>> Couldn't find updates for ... a long list of (all?) installed packages ...
>
> Error 0?

There is some problem doing OCSP validation. It validates OK with openssl
1.0.2u and 1.1.1j but not with libressl. DFN run their own PKI and OCSP
responder so it might hit some edge case that isn't seen with other
responders.

> That directory, on fau.de, is not empty.
>
> I have just rebooted after running sysupgrade to arrive at:
>> OpenBSD mjoelnir.fritz.box 6.9 GENERIC.MP#416 amd64
>
> And as my next step I wanted to then upgrade my installed packages.
>
> Did I miss something?

pkg_add doesn't get a directory index from ftp(1), it's limited in what
it can do at that point.

Workarounds are,

use http (packages are signed anyway)
use a different mirror
set FETCH_CMD="ftp -S noverifytime" in the environment which disables OCSP

I've included certs below if someone wants to reproduce to debug it.

$ openssl ocsp -sha1 -issuer fau-ca.crt -cert fau-cert.crt -url http://ocsp.pca.dfn.de/OCSP-Server/OCSP -text -CAfile fau-ca.crt -no_nonce
[...]
Response Verify Failure
3535329314880:error:27FFF065:OCSP routines:CRYPTO_internal:certificate verify error:/usr/src/lib/libcrypto/ocsp/ocsp_vfy.c:141:Verify error:error number 1
fau-cert.crt: good
This Update: Mar 19 12:22:25 2021 GMT
Next Update: Mar 26 12:22:25 2021 GMT

$ eopenssl ocsp -sha1 -issuer fau-ca.crt -cert fau-cert.crt -header host ocsp.pca.dfn.de -url http://ocsp.pca.dfn.de/OCSP-Server/OCSP -text -CAfile fau-ca.crt -no_nonce
Response verify OK
fau-cert.crt: good
This Update: Mar 19 12:22:25 2021 GMT
Next Update: Mar 26 12:22:25 2021 GMT

$ eopenssl11 ocsp -sha1 -issuer fau-ca.crt -cert fau-cert.crt -header host=ocsp.pca.dfn.de -url http://ocsp.pca.dfn.de/OCSP-Server/OCSP -text -CAfile fau-ca.crt -no_nonce
Response verify OK
fau-cert.crt: good
This Update: Mar 19 12:22:25 2021 GMT
Next Update: Mar 26 12:22:25 2021 GMT


cat > fau-cert.crt << EOF
-----BEGIN CERTIFICATE-----
MIIKjTCCCXWgAwIBAgIMIKr6htHOf3G7wcorMA0GCSqGSIb3DQEBCwUAMIGNMQsw
CQYDVQQGEwJERTFFMEMGA1UECgw8VmVyZWluIHp1ciBGb2VyZGVydW5nIGVpbmVz
IERldXRzY2hlbiBGb3JzY2h1bmdzbmV0emVzIGUuIFYuMRAwDgYDVQQLDAdERk4t
UEtJMSUwIwYDVQQDDBxERk4tVmVyZWluIEdsb2JhbCBJc3N1aW5nIENBMB4XDTE5
MDMxNTEwMjI1MVoXDTIxMDYxNjEwMjI1MVowgZMxCzAJBgNVBAYTAkRFMQ8wDQYD
VQQIDAZCYXllcm4xETAPBgNVBAcMCEVybGFuZ2VuMTwwOgYDVQQKDDNGcmllZHJp
Y2gtQWxleGFuZGVyLVVuaXZlcnNpdGFldCBFcmxhbmdlbi1OdWVybmJlcmcxDTAL
BgNVBAsMBFJSWkUxEzARBgNVBAMMCmZ0cC5mYXUuZGUwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQDw/LdY8/DG14NOIDqtJOsi14DwF6O7DHw11fqYuJZ6
3OBGOdHBRkTtUe2thjUny0LanvFLmuHqPzpYpDRuayTd156Rdr6dD5BpokVK6O/P
TzQSREYHX0VdGsqN5kLYSsXzVuYxjlWKLJxxWXDmKHQdYJpIePzIyrTM2Y9nQQKv
tq4y7EKaj7vFkRtRrX0opnJat33kip/KaWiAFhbJCIIy7Tjuh2sPJXYy9jigQ9OP
YLrzPNADkoUkOUaYp0LyUOcvIi4lY2/IdQZZfW59Lu9o8PcNSF262OFvTi55IoWP
sbuY6/h88XvycB8eqZTvToXIf9siAa/Hbf7xmTLnllOcegE9v5K6B9FSiuBEgcNe
bXFq0OTYHSjrqOzeohUa8b5n2M7kQyXi1bGjH/JwcnpAbjwkMK7rq3dWs7rnCBlN
fvoW/aSqjKgg5SCphl6YuxD49LqC5NIKqdqH/TbCbiVsXd/guM0HrEkGiAeNmqr+
HKvkRsr3fL7vwKEkitpC4jIG6XoDpqQskeS5bhsl49Sl9VsMfGTbr73Iv+A57Z5e
zQPjG0hBReC5bNP9DOoKYkGNzWMG7Z98sj6XmYO39Jpwo+GmXOX7dr2zQJ8lcTR6
J4uvNFZYDku2UC5Acm2+sbeibOApJCeZgwRUo9bGZx0DYZeHPKfoDwwiI6pqj20W
NQIDAQABo4IF4zCCBd8wWQYDVR0gBFIwUDAIBgZngQwBAgIwDQYLKwYBBAGBrSGC
LB4wDwYNKwYBBAGBrSGCLAEBBDARBg8rBgEEAYGtIYIsAQEEAwkwEQYPKwYBBAGB
rSGCLAIBBAMJMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoG
CCsGAQUFBwMBMB0GA1UdDgQWBBRIst54HQp2KRkBTizEsSfkuCsuZDAfBgNVHSME
GDAWgBRrOpiL+fJTidrgrbIyHgkf6Ko7dDBEBgNVHREEPTA7ggpmdHAuZmF1LmRl
ghhmdHAucnJ6ZS51bmktZXJsYW5nZW4uZGWCE2Z0cC51bmktZXJsYW5nZW4uZGUw
gY0GA1UdHwSBhTCBgjA/oD2gO4Y5aHR0cDovL2NkcDEucGNhLmRmbi5kZS9kZm4t
Y2EtZ2xvYmFsLWcyL3B1Yi9jcmwvY2FjcmwuY3JsMD+gPaA7hjlodHRwOi8vY2Rw
Mi5wY2EuZGZuLmRlL2Rmbi1jYS1nbG9iYWwtZzIvcHViL2NybC9jYWNybC5jcmww
gdsGCCsGAQUFBwEBBIHOMIHLMDMGCCsGAQUFBzABhidodHRwOi8vb2NzcC5wY2Eu
ZGZuLmRlL09DU1AtU2VydmVyL09DU1AwSQYIKwYBBQUHMAKGPWh0dHA6Ly9jZHAx
LnBjYS5kZm4uZGUvZGZuLWNhLWdsb2JhbC1nMi9wdWIvY2FjZXJ0L2NhY2VydC5j
cnQwSQYIKwYBBQUHMAKGPWh0dHA6Ly9jZHAyLnBjYS5kZm4uZGUvZGZuLWNhLWds
b2JhbC1nMi9wdWIvY2FjZXJ0L2NhY2VydC5jcnQwggNcBgorBgEEAdZ5AgQCBIID
TASCA0gDRgB1AG9Tdqwx8DEZ2JkApFEV/3cVHBHZAsEAKQaNsgiaN9kTAAABaYDg
Q5QDAEYwRAIgOHt1Qj3kWYPCYkOE+Yktck4NtASSAmwmyGJiAgUU0IECIE/f
4U8U/djAkLHekTpgIb/+2X/pvv2sZ7a8zr2PJd2zAHYAqucLfzy41WbIbC8Wl5yf
RF9pqw60U1WJsvd6AwEE880AAAFpgOBD1AAABAMARzBFAiANnF5N+jUtfc3NXPwO
4f1hTuQR3k1uPXQClzVqDfPkvwIhAM1NePQ2Ba71eYhQcnm059HMCGHRP8wElbsV
aAyCCOg2AHUAVYHUwhaQNgFK6gubVzxT8MDkOHhwJQgXL6OqHQcT0wwAAAFpgOBE
lQAABAMARjBEAiB/jZNuQ4ctEzWi0evXQR4e0gwWbV/g+Sinqe9xvC16HgIgUgfx
PU7FeIV8s4fnjkHEz2vFFwaoTGhSl9U0LbXhagcAdgC72d+8H4pxtZOUI5eqkntH

Re: Subadressing sieve

2021-03-13 Thread Stuart Henderson
On 2021-03-13, Petr Ročkai  wrote:
> Dear Pascal,
>
> On Fri, Mar 12, 2021 at 10:52:15PM +0100, Pascal Huisman wrote:
>> I have sieve filtering setup threw lmtp to dovecot. Dovecot does the
>> filtering. It works. But for the subaddressing it doesn't.
>
> I think you might need to set 'rcpt-to' in smtpd.conf on the lmtpd line,
> otherwise the 'envelope' RCPT TO is your unix username, instead of the
> mail's envelope recipient. That said, you'll likely run into problems
> with extensions: many services reject + in the username part of a mail
> address.

You're usually better with - or . as the separator, as long as it doesn't
conflict with your actual in-use addresses.




Re: gold linker on OpenBSD

2021-03-12 Thread Stuart Henderson
On 2021-03-12, Riccardo Mottola  wrote:
> is the gold linker available for OpenBSD i386?

No.




Re: pf firewall bridge0 vether0 blocks DHCP for bridge interfaces connected to Windows

2021-03-11 Thread Stuart Henderson
On 2021-03-11, da...@hajes.org  wrote:
> Thanks for info Claudio.
>
> Unfortunately, I have read only "Networking FAQ" 
> https://www.openbsd.org/faq/faq6.html and there is no info about it.
>
> It would be great to update this page for dummies because just very few 
> read reference manuals line by line ;-) Most follow guides. I personally 
> write everything on my web like for children.

If you're not prepared to read manpages then OpenBSD is the wrong OS for you.

> My logic behind filtering was simple...bridge/vether handles all and 
> physical interfaces are in promiscuous mode. I have filtering for 
> vether0 but didn't imagine DHCP is still at physical interface level.
>
> pf.conf updated:
>
> set skip on em1-3

This logic does not match how PF+bridge(4) works.

> Only thing that still puzzles me where to filter...bridge0 or vether0. 
> 
> If I understand correctly, vether0 should be the interface for filtering 
> because it has got IP address assigned. Physical interfaces and bridge 
> should be treated as loopback...in other words, not filtered at all.

From bridge(4):

NOTES
   Bridged packets pass through pf(4) filters once as input on the receiving
   interface and once as output on all interfaces on which they are forwarded.
   In order to pass through the bridge packets must pass any in rules on the
   input and any out rules on the output interface.  Packets may be blocked
   either entering or leaving the bridge.





Re: 6.8 with gnome boots to xterm after upgrade

2021-03-10 Thread Stuart Henderson
On 2021-03-10, Sivan !  wrote:
> Thank you. Please see inline:
>
> On Tue, 9 Mar 2021 at 13:03, Stuart Henderson  wrote:
>>
>> On 2021-03-08, Sivan !  wrote:
>> > Thank you.  One unresolved issue. While running fetch, there was an
>> > error pop up that said /usr directory is out of space, though an
>> > entire 250 GB nvme is for OpenBSD, almost with no user files, except
>> > for the ports tree that was being downloaded by the fetch command.
>> > When installing OpenBSD in a 250 GB nvme, I chose GPT and let the
>> > installer decide on partitions. But something went wrong.
>>
>> The disk is split into partitions. Run df -h to see what's free.
>
> This is what I see:
>
> bash-5.0$ df -h
> Filesystem     Size    Used   Avail Capacity  Mounted on
> /dev/sd2a      986M    128M    809M    14%    /
> /dev/sd2l      168G    5.2G    155G     3%    /home
> /dev/sd2d      3.9G    324M    3.4G     9%    /tmp
> /dev/sd2f      5.8G    5.1G    432M    92%    /usr
> /dev/sd2g      986M    239M    697M    26%    /usr/X11R6
> /dev/sd2h     19.4G    4.9G   13.5G    26%    /usr/local
> /dev/sd2k      5.8G    116M    5.4G     2%    /usr/obj
> /dev/sd2j      1.9G    2.0K    1.8G     0%    /usr/src
> /dev/sd2e     15.3G   36.5M   14.5G     0%    /var
>
>
>>
>> To convert "marketing capacity" for a drive (given in "decimal GB") into
>> usable capacity in binary GB (some people call this GiB), use this
>> calculation:
>>
>> (97696368+(1953504*(capacity-50)))/2048
>>
>> (The formula is from IDEMA LBA1-03 plus a conversion from 512-byte LBA
>> blocks to GB)
>>
>> So for 250GB
>>
>> (97696368+(1953504*(250-50)))/2048 = 238475.1796875
>
> Thank you. The issue is that in the bios I see two entries, the entry
> that is listed as
> "Samsung SSD 970 EVO Plus 250 GB (238476 MB)" is sometimes
> automatically selected to boot, the boot process halts with a one line
> "No active partition" error. Then I have to get into bios to choose the line
> that says "line No 1:  UEFI OS (samsung SSD EVO 970 Plus 250 GB)". This
> is why I raised the 30 blocks / GB-MB issue.
>
>>
>> Then there's a little extra used for filesystem structures.
>>
>>
>> > It started with the warning:  Not all of the space available to
>> > /dev/nvme0n1 appears to be used, you can fix the GPT to use all the
>> > space (an extra 30 blocks) or
>> > continue with the current setting?
>>
>> 30 blocks is nothing. Leave this alone.
>
> Yes, I will leave the 30 blocks alone.
>>
>> > Does this imply that the 232.89 GiB is OpenBSD area, but somehow with
>> > "no active partition" which is perhaps the reason why there was an
>> > error message during fetch that said /usr directory is low on disk
>> > space ?
>>
>> You filled the partition holding /usr when you ran "make" in
>> /usr/ports/x11/gnome. Remove the build files with "rm -r /usr/ports/pobj"
>> (or remove /usr/ports completely if you don't need it).
>
> Before removing I looked for "pobj" under /usr/ports but did not find it:
>
> bash-5.0$ cd /usr/ports/
> bash-5.0$ ls
> CVS          cad          games           math         print
> Makefile     chinese      geo             meta         productivity
> README       comms        graphics        misc         security
> archivers    converters   infrastructure  multimedia   shells
> astro        databases    inputmethods    net          sysutils
> audio        devel        japanese        news         telephony
> benchmarks   editors      java            plan9        tests
> biology      education    korean          plist        textproc
> books        emulators    lang            ports.pub    www
> bulk         fonts        mail            ports.sec    x11

Not sure what's in ports.pub and ports.sec but those aren't part of the
normal ports tree.. I think you just need to rm -r /usr/ports then,
or move it to another partition (e.g. you could move it to /home/ports
and set PORTSDIR=/home/ports in /etc/mk.conf; do not use a symlink).

> Is there a way of expanding the space in the /usr directory?

If you want that, I can only really suggest reinstalling with different
partition sizes and restore from backups.

It's *possible* to do some rearranging of partitions but it's delicate
and I think you would need to be familiar enough with OpenBSD to do
that without breaking things.

>> The default auto-partitioning sizes do not give enough space to place
>> ports under /usr and build anything other than the smallest ports.

Normally I create an extra partition for /usr/ports when installing,
probably wants to be at least 10G, or more if you expect to build large
things from ports. But I only do that on machines where I do ports
development, otherwise I just use packages.



Re: sometimes graphics is slow, with high Xorg CPU usage

2021-03-09 Thread Stuart Henderson
On 2021-03-09, Aaron Miller  wrote:
> For some time now, my -CURRENT system will occasionally get into a
> state where graphics is slow to refresh and Xorg uses ~50% of
> CPU. I notice this in Firefox or GVim when repeatedly pressing
> PgDn on a long site/file, and in Evolution (emails are slow to
> load, and text input is laggy when composing a message).
>
> OpenBSD 6.9-beta (GENERIC.MP) #366: Sun Feb 28 07:15:39 MST 2021

Update your snapshot and see how it goes.



Re: Flatbed scanner stopped working - permissions problem?

2021-03-08 Thread Stuart Henderson
On 2021-03-08, Duncan Patton a Campbell  wrote:
>
>
> this is what I use
>
> doas -u root scanimage --mode gray -x215 -y297 --resolution 300dpi -B > fdsa.pnm
>
> which works with the perms as is.  xsane only worked as root for me
> (across multiple platforms/revs) so it's always been something that
> needed a lot of setup/takedown to use.

So you could open up access in a targeted way to the relevant device,
which could just be done for a short period while scanning if you want
(just write a little wrapper script to make it easier), but instead you
prefer to avoid touching permissions and run code from sane-backends
plus these libraries as root:

WANTLIB += ${COMPILER_LIBCXX} c execinfo iconv jpeg lzma m png
WANTLIB += tiff usb-1.0 v4l1 v4l2 v4lconvert xml2 z zstd

(or a bunch more, for xsane).

I'm not really surprised (I thought this was exactly what would happen
when the default permissions on usb devices were tightened) but it
doesn't seem the best way..




Re: 6.8 with gnome boots to xterm after upgrade

2021-03-08 Thread Stuart Henderson
On 2021-03-08, Sivan !  wrote:
> Thank you.  One unresolved issue. While running fetch, there was an
> error pop up that said /usr directory is out of space, though an
> entire 250 GB nvme is for OpenBSD, almost with no user files, except
> for the ports tree that was being downloaded by the fetch command.
> When installing OpenBSD in a 250 GB nvme, I chose GPT and let the
> installer decide on partitions. But something went wrong.

The disk is split into partitions. Run df -h to see what's free.

To convert "marketing capacity" for a drive (given in "decimal GB") into
usable capacity in binary GB (some people call this GiB), use this
calculation:

(97696368+(1953504*(capacity-50)))/2048

(The formula is from IDEMA LBA1-03 plus a conversion from 512-byte LBA
blocks to GB)

So for 250GB

(97696368+(1953504*(250-50)))/2048 = 238475.1796875

Then there's a little extra used for filesystem structures.


> It started with the warning:  Not all of the space available to
> /dev/nvme0n1 appears to be used, you can fix the GPT to use all the
> space (an extra 30 blocks) or
> continue with the current setting?

30 blocks is nothing. Leave this alone.

> Does this imply that the 232.89 GiB is OpenBSD area, but somehow with
> "no active partition" which is perhaps the reason why there was an
> error message during fetch that said /usr directory is low on disk
> space ?

You filled the partition holding /usr when you ran "make" in
/usr/ports/x11/gnome. Remove the build files with "rm -r /usr/ports/pobj"
(or remove /usr/ports completely if you don't need it).

The default auto-partitioning sizes do not give enough space to place
ports under /usr and build anything other than the smallest ports.
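The IDEMA LBA1-03 conversion quoted above (in this post and in the follow-up earlier on the page), worked through as an added example rather than anything from the thread. It generalises the formula to any marketed size of 50 GB or more and reproduces the figures that appear in the thread: the 238475.1796875 MiB result, the "238476 MB" the firmware rounds it up to, and the 232.89 GiB the installer showed. It assumes only a POSIX shell and awk(1).

```shell
#!/bin/sh
# Added example, not from the mailing-list post: the IDEMA LBA1-03 conversion
# from a drive's marketed (decimal GB) capacity to what the OS reports,
# generalised to any nominal size of 50 GB or more. The 250 GB figures are the
# ones quoted in the thread; other sizes are computed the same way.
#
#   LBA count = 97696368 + 1953504 * (GB - 50)      (512-byte sectors)
#   MiB       = LBA / 2048
#   GiB       = MiB / 1024

idema_lba() {
    # $1: marketed capacity in decimal GB; prints the LBA (sector) count
    awk -v gb="$1" 'BEGIN { printf "%.0f\n", 97696368 + 1953504 * (gb - 50) }'
}

idema_bytes() {
    # exact byte count; 250 -> 250059350016, i.e. just over 250 decimal GB,
    # which is why the "marketing" number is honest in decimal units
    awk -v gb="$1" 'BEGIN { printf "%.0f\n", (97696368 + 1953504 * (gb - 50)) * 512 }'
}

idema_mib() {
    # binary megabytes, the unit firmware setup screens tend to print
    # (the BIOS in the thread rounds 238475.1796875 up to "238476 MB")
    awk -v gb="$1" 'BEGIN { printf "%.7f\n", (97696368 + 1953504 * (gb - 50)) / 2048 }'
}

idema_gib() {
    # binary gigabytes; 250 -> 232.89, the figure the poster saw in the installer
    awk -v gb="$1" 'BEGIN { printf "%.2f\n", (97696368 + 1953504 * (gb - 50)) / 2048 / 1024 }'
}

capacity_table() {
    # one row per marketed size given on the command line
    printf '%-8s %-12s %-16s %-16s %s\n' "GB" "LBAs" "bytes" "MiB" "GiB"
    for gb in "$@"; do
        printf '%-8s %-12s %-16s %-16s %s\n' "$gb" \
            "$(idema_lba "$gb")" "$(idema_bytes "$gb")" \
            "$(idema_mib "$gb")" "$(idema_gib "$gb")"
    done
}

capacity_table 250 500 1000 2000
```

The remaining gap between the GiB figure and what df(1) adds up to is the filesystem metadata the post mentions, plus whatever the installer left unallocated.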




Re: ikectl ca and subjectAltName for IKEv2 VPNs

2021-03-08 Thread Stuart Henderson
On 2021-03-04, David Newman  wrote:
> On 3/4/21 12:29 AM, Stuart Henderson wrote:
>
>> On 2021-03-04, David Newman  wrote:
>>> Apparently Apple iOS and iPadOS VPN clients now require a subjectAltName
>>> in the client cert, not just the CN, to set up IKEv2 VPN tunnels.* The
>>> subjectAltName can be the same as the CN; it just has to be present.
>> 
>> Most IKE software has always needed this. (Web browsers also recently-ish
>> started needing it too).
>> 
>>> Questions about this:
>>>
>>> 1. Does the 'ikectl ca  certificate  create' command
>>> support creation of X.509 certs with a subjectAltName defined in
>>> addition to the CN?
>>>
>>> If so, what's the syntax?
>> 
>> It does this by default.
>
> Thanks, I hadn't realized that, and should have grep'd the cert for
> 'DNS:' before asking.
>
> And yet, an iOS client initiator still fails with an authentication
> error on the iOS side. 'ipsecctl -sa' on the OpenBSD responder looks
> fine, with a tunnel established.
>
> The server and client certs generated by 'ikectl sa' have alt names but
> the CA cert does not.
>
> Does it need one? I suspect an error in iOS VPN configuration, but just
> checking.

The CA cert doesn't need a subjectAlternativeName, only server certs
(and client certs, if used).

> One other thing about the client cert: The CN is for something like
> 'iphone.networktest.com', which is an FQDN for which I have not created
> a DNS record.
>
> Again, does it need one? This is for a road-warrior configuration that
> will come in from different IP addresses, so I'm unclear what
> name/address pair I'd use in the DNS.

It's just an identifier and doesn't need an actual DNS record.

It might be simpler to start with EAP-MSCHAPv2 then you can at least verify
that the server/CA certs are working as expected, and proceed to client
certs afterwards..




Re: IPv6 NDP Confusion with PF enabled

2021-03-08 Thread Stuart Henderson
On 2021-03-08, Antonino Sidoti  wrote:
> I am confused about how Neighbor Discovery is not working when the firewall 
> is on.

Check your blocked packets. You already have "log" on most block rules,
so look at either /var/log/pflog or live with tcpdump -e on the pflog0
interface.



Re: Flatbed scanner stopped working - permissions problem?

2021-03-07 Thread Stuart Henderson
On 2021-03-07, Anthony Campbell  wrote:
>
> Hello misc@:
>
>
> My Epson Perfection 1650 has worked on -current for many months but in
> the last 3 days attempts to scan with xsane say: "Failed to start
> scanner: operation not supported".
>
> Scanimage -L shows the scanner is detected correctly.
>
> I have already made the permissions changes for usb as instructed in the
> sane-backend pkg-readme.
>
> I have added my user to the operator group without effect.
>
> This problem isn't only in -current. In two laptops running the i386
> -release version of OpenBSD things are even worse - scanimage will only
> detect the scanner as root in this case.
>
>
> I think this may be a permissions problem but I can't run xsane as root
> because this gives "cannot open display: 0:"
>
>
> Not having a working scanner is a major problem for me. Any suggestions
> gratefully received.

As things stand it will need to access /dev/ugen* and possibly /dev/usb*
(chown/chmod); running MAKEDEV will reset permissions so you might want
to add that to rc.local. Alternatively someone will need to write a
kernel driver for it and modify scanning software to work with that.
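The "little wrapper script" suggested in the other scanner reply on this page, written out as an added example (not code from either post): it opens up the one device node for the duration of a single scanimage(1) run and hands it back afterwards, so sane-backends and its libraries never run as root. The device node /dev/ugen0.00, the use of doas(1) for the two chown calls, and the restore-on-exit behaviour are assumptions of this example; check dmesg or usbdevs(8) for the real node, and note that the reply above says some backends may also want /dev/usb*.

```shell
#!/bin/sh
# Added example, not from the thread: lend the scanning user one USB device
# node only while scanimage(1) runs, instead of running the scanner stack as
# root. Assumptions (constructed, not from the post): the scanner's node is
# /dev/ugen0.00 and the invoking user has a doas.conf rule that permits
# exactly the two chown commands below, e.g.
#   permit nopass alice cmd chown args alice /dev/ugen0.00
#   permit nopass alice cmd chown args root /dev/ugen0.00

DEV=${DEV:-/dev/ugen0.00}   # placeholder device node

# run_with_grant GRANT REVOKE CMD [ARGS...]
# GRANT and REVOKE are shell functions. REVOKE always runs after CMD, whether
# CMD succeeds, fails or is interrupted, and CMD's exit status is returned.
run_with_grant() {
    _grant=$1; _revoke=$2; shift 2
    "$_grant" || return 1
    # make sure a killed scan does not leave the node handed out
    trap '"$_revoke"' EXIT HUP INT TERM
    "$@"
    _rc=$?
    "$_revoke"
    trap - EXIT HUP INT TERM
    return "$_rc"
}

grant_dev()  { doas chown "$(id -un)" "$DEV"; }   # owner becomes the scanning user
revoke_dev() { doas chown root "$DEV"; }          # back to root; mode stays 0600

scan_to() {
    # $1: output file; same scanimage arguments as in the thread
    run_with_grant grant_dev revoke_dev \
        scanimage --mode gray -x215 -y297 --resolution 300dpi -B > "$1"
}

# Usage: ./scan.sh out.pnm  (without arguments the functions are only defined)
if [ $# -eq 1 ]; then
    scan_to "$1"
fi
```

Because the mode is never widened, only the owner changes, nobody else on the machine gains access during the scan, and a doas rule with fixed `args` means the user cannot chown anything other than that one node.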



Re: 6.8 with gnome boots to xterm after upgrade

2021-03-04 Thread Stuart Henderson
On 2021-03-03, Sivan !  wrote:
> After sysupgrade -s,  during which there were two or more automatic
> reboots, freebsd, upgraded to 6.9 booted after asking password for ssh key,
> and started with xvterm console. Startx attempted to switch to gui, but
> returned errors.
>
> Please advise.
>
> Thank you
>

Make sure you have run sysmerge.

If that doesn't help then we need more than just "returned errors" - *what* 
errors?



Re: ikectl ca and subjectAltName for IKEv2 VPNs

2021-03-04 Thread Stuart Henderson
On 2021-03-04, David Newman  wrote:
> Apparently Apple iOS and iPadOS VPN clients now require a subjectAltName
> in the client cert, not just the CN, to set up IKEv2 VPN tunnels.* The
> subjectAltName can be the same as the CN; it just has to be present.

Most IKE software has always needed this. (Web browsers also recently-ish
started needing it too).

> Questions about this:
>
> 1. Does the 'ikectl ca  certificate  create' command
> support creation of X.509 certs with a subjectAltName defined in
> addition to the CN?
>
> If so, what's the syntax?

It does this by default.

> 2. Can a separate standalone CA just create the certs with the necessary
> SAN fields?

Yes.

> Is it as easy as just dropping the root cert, the client
> certs, and keys in these respective directories?
>
> /etc/iked/ca
> /etc/iked/certs
> /etc/iked/private
>
> If not, what else is needed? Thanks!

You don't need anything from the client (certificates or keys) on the server,
just the CA certificate, the server certificate, and the server private key.

This is fine if the certificates are signed directly by the CA (as would
often be the case if using your own standalone CA) but I haven't been able
to get this working for certs signed by an intermediate 'sub CA' as is
done for most commercial CAs.
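A check for the point raised in both ikectl threads on this page, that the host certificates must carry a subjectAltName while the CA certificate need not, as an added example that is not part of either post. It parses only standard openssl(1) output; the directory /etc/iked/certs is the one named in the question, the DNS: matching mirrors the "grep the cert for DNS:" remark, and treating a missing SAN as a failing exit status is this example's choice.

```shell
#!/bin/sh
# Added example, not from the thread: confirm that the certificates iked(8)
# will present actually carry a subjectAltName, which IKE peers (and current
# web browsers) require. Only openssl(1) x509 output is parsed. The CA
# certificate in /etc/iked/ca does not need a SAN, so it is not checked here.

cert_san() {
    # $1: PEM certificate. Prints the SAN value(s), e.g. "DNS:vpn.example.com",
    # or nothing when the extension is absent.
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/X509v3 Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

has_san() {
    # exit status 0 when $1 has a non-empty subjectAltName, 1 otherwise
    [ -n "$(cert_san "$1")" ]
}

san_matches_cn() {
    # exit status 0 when the CN also appears as a DNS: SAN entry; the thread's
    # point is that the SAN may equal the CN but must be present
    cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
         sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ -n "$cn" ] && cert_san "$1" | tr ',' '\n' | sed 's/^ *//' | grep -qxF "DNS:$cn"
}

check_host_certs() {
    # Report each certificate in a directory (default /etc/iked/certs) that
    # lacks a SAN; returns 1 if any is found so a deploy script can stop.
    dir=${1:-/etc/iked/certs}
    rc=0
    for c in "$dir"/*; do
        [ -f "$c" ] || continue
        if has_san "$c"; then
            printf '%s: SAN %s\n' "$c" "$(cert_san "$c")"
        else
            printf '%s: no subjectAltName; IKE peers will reject it\n' "$c"
            rc=1
        fi
    done
    return $rc
}

check_host_certs "$@"
```

Run it as `sh check-san.sh` on the responder, or point it at another directory; a non-zero exit means at least one host certificate would fail the client's identity check before the question of the iOS configuration even arises.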



