Re: pledge for sockets

2017-04-26 Thread Janne Johansson
2017-04-26 13:19 GMT+02:00 Luke Small :

> I'm not saying to alter pledge necessarily, maybe make new system call
> like pledge. There aren't any per-process pf rules that are applied.


If your daemon has a specific user, you can make such rules in PF.
The goal you stated can be reached already, why keep on suggesting new
syscalls?


-- 
May the most significant bit of your life be positive.


Re: pledge for sockets

2017-04-26 Thread Janne Johansson
I guess that representing something like
"block out user daemon_id" and
"pass out quick from any to specific_host port specific_port user daemon_id"
in terms of pledge() parameters would make it rather unwieldy, if you want
your fooDB to only be able to make outward connections to the designated
fooDB tcp port on a specific destination ip.

But it's rather simple in PF already. And very flexible if you want to have
very advanced exceptions later on.


2017-04-26 13:38 GMT+02:00 Luke Small :

> Pledge will presumably have per process (including fork()ed process)
> **path limitations on rpath and wpath calls, why not limitations on
> inet and unix?
>
> On Wed, Apr 26, 2017 at 6:26 AM Janne Johansson 
> wrote:
>
>> 2017-04-26 13:19 GMT+02:00 Luke Small :
>>
>>> I'm not saying to alter pledge necessarily, maybe make new system call
>>> like pledge. There aren't any per-process pf rules that are applied.
>>
>>
>> If your daemon has a specific user, you can make such rules in PF.
>> The goal you stated can be reached already, why keep on suggesting new
>> syscalls?
>>
>>
>> --
>> May the most significant bit of your life be positive.
>>
>


-- 
May the most significant bit of your life be positive.


Re: Pf with secondary DNS resolution

2017-05-03 Thread Janne Johansson
I would make those rules have a table, and a cronjob to feed the table with
the current ips that these hostnames resolve to.
But of course, that implies you trust the replies you get all the time from
that cronjob.


2017-05-03 22:16 GMT+02:00 Luke Small :

> Is it worthwhile to set up a hook for pf to load rules that have URLs after
> the network services that can resolve them come into effect?
>



-- 
May the most significant bit of your life be positive.
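The table-plus-cronjob approach from the reply above, written out as an added example (not code from the thread, and not an OpenBSD tool): resolve the names, keep only well-formed IPv4 answers, and never replace the table with an empty set. The hosts file path, the table name and the use of host(1) for the lookups are assumptions of this example; constructed answers stand in for the resolver when it is tested offline.

```shell
#!/bin/sh
# pf-table-feed.sh: added example, not code from the thread. Resolve a list of
# hostnames and load the addresses into a pf table, so rules can say <table>
# instead of naming hosts that may not resolve at boot. Assumes host(1) and a
# table declared in pf.conf as:   table <allowed_hosts> persist
# Hostnames are read one per line from $HOSTS_FILE ("#" starts a comment).

HOSTS_FILE=${HOSTS_FILE:-/etc/pf.hosts}   # assumed path, not an OpenBSD default
TABLE=${TABLE:-allowed_hosts}             # assumed table name

# A records for one name, one address per line (assumes host(1) output format).
resolve_a() {
    host -t a "$1" 2>/dev/null | awk '$2 == "has" && $3 == "address" { print $4 }'
}

# Accept only a well-formed dotted quad. The resolver's answers are not trusted
# blindly (the point raised above), so anything else is dropped, not loaded.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# build_table_file <hosts file> <output file>: resolved, validated, sorted, unique.
build_table_file() {
    while read -r name; do
        case $name in ''|"#"*) continue ;; esac
        resolve_a "$name" | while read -r addr; do
            if valid_ipv4 "$addr"; then
                echo "$addr"
            else
                echo "ignoring bogus answer '$addr' for $name" >&2
            fi
        done
    done < "$1" | sort -u > "$2"
}

# Replace the table contents, but never with an empty set: a resolver outage
# should leave the last known good addresses in place instead of silently
# changing what the rules match.
load_table() {
    if [ ! -s "$1" ]; then
        echo "no addresses resolved, keeping current table <$TABLE>" >&2
        return 1
    fi
    pfctl -t "$TABLE" -T replace -f "$1"
}

main() {
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    build_table_file "$HOSTS_FILE" "$tmp" && load_table "$tmp"
}

# Runs only when invoked by this name, e.g. from cron every 15 minutes:
# */15 * * * * /usr/local/sbin/pf-table-feed.sh
case ${0##*/} in pf-table-feed.sh) main ;; esac
```

The validation only filters malformed or out-of-range answers; a well-formed but spoofed reply still gets in, which is exactly the trust problem the reply points out, so the resolver the cronjob uses deserves the same care as the ruleset itself.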


Re: Pf with secondary DNS resolution

2017-05-04 Thread Janne Johansson
2017-05-04 1:56 GMT+02:00 Luke Small :

> Four words Peter..."dynamic IP address". I'm sure that there are folks that
> ssh into machines that are on a dynamic IP address that don't have a modem
> on a power backup, or even possibly on an ISP that may go down, possibly when
> they are out of town. I don't know if it is possible or already done, but
> you could have a computer check into a target machine that often changes
> the ip address or system while the firewall is locked down to only send
> messages to that remote machine and if it is compromised, can't send it
> anywhere else. Or you ssh into the machine and it only accepts incoming
> port 22 requests from a machine that has a dynamic url and is listed in your
> pf.conf. Maybe you could even signify in the pf.conf that the url will
> often have a different ip address and it could request that ip address
> every time it gets a hit on that rule or a maximum upper bound.
>

Also, if the problem really is "I need to log in from a remote machine on
an unknown ip and strict rules on not letting others in" then you have more
or less described a roadwarrior ipsec setup, so get some kind of VPN going
there with certs and secrets and you can travel around the world and know
that only your machine with the correct magic can connect to the stationary
resource(s).
That problem was solved a long time ago.

-- 
May the most significant bit of your life be positive.


Re: /etc/mygate equivalent for IPv6?

2017-06-06 Thread Janne Johansson
Just add the ipv6 gw ip to /etc/mygate.


2017-06-06 21:45 GMT+02:00 mabi :

> Hi,
>
> What is the "standard" approach for adding an IPv6 default gateway to an
> OpenBSD 6.1 machine analog to the /etc/mygate file for an IPv4 default
> route?
>
> There is no /etc/mygate6 file and as such for now I manually run:
>
> route -n add -inet6 default 
>
> Regards,
> Mabi




-- 
May the most significant bit of your life be positive.


Re: inquiring about setting wxallowed on /home mountpoint

2017-06-12 Thread Janne Johansson
2017-06-13 7:29 GMT+02:00 Josh Stephens :

> >> So my question is, will there be any security implications that I
> >> should be concerned about with setting wxallowed in /etc/fstab to the
> >> home mountpoint?
> >
> > Yes there is a security implication. From mount(8),
> > Turn it off and accept the consequences, and potential risks if you
> > like.  W|X memory isn't the only risk out there...
>
> Thank you Theo. After reading through your reply I would rather not
> deal with a potential risk. I decided to go down the path of adding a
> venv directory in /usr/local and giving my account as owner and wheel
> as group. This should allow the python binaries to stay in /usr/local
>

Now that you have a /usr/local/venv dir, why not add a small partition and
mount it over the venv/ dir and have wxallowed on it? Smallest possible WX
surface.

-- 
May the most significant bit of your life be positive.


Re: bug tracking system for OpenBSD

2017-06-19 Thread Janne Johansson
2017-06-19 19:01 GMT+02:00 Philipp Buehler <
e1c1bac6253dc54a1e89ddc046585...@posteo.net>:

> On 19.06.2017 18:51, Harald Dunkel wrote:
>
>> some reliable response time
>>
>
> I've to decide between popcorn and other stuff with flames.
>
>
Entitlement is a strong feeling, it seems.


-- 
May the most significant bit of your life be positive.


Re: amd64 snapshot 6 July

2017-07-09 Thread Janne Johansson
2017-07-09 10:50 GMT+02:00 Mihai Popescu :

> Hello,
> Just installed amd64 snapshot, dated 6 July and there are a few
> problems at the start:
> starting early daemons: syslogd(failed) pflogdpflogd[3376]: [priv] msg
> PRIV_OPEN_LOG received ntpd(failed)
> ld.so: ftp: can't load library 'libtls.so.15.7'
> I will wait for another snapshot.
>
>
>
Same for i386 snap from same time period, will do the same there.



-- 
May the most significant bit of your life be positive.


Re: permission denied local nfs mount

2017-07-29 Thread Janne Johansson
Make sure pf isn't stopping any packets also.

2017-07-29 1:36 GMT+02:00 Allan Streib :

> 6.1 amd64 release
>
> My goal is to serve files from a directory in my home dir via httpd. As
> I understand it the way to do this is a local NFS mount in the httpd
> chroot.
>
> Basically following the FAQ for NFS I set up this:
>
> $ cat /etc/exports
> /home/astreib/work/new-site.org -ro -network=127.0.0.1
>
> $ showmount -e
> Exports list on localhost:
> /home/astreib/work/new-site.org  127.0.0.1
>
> $ doas mount -t nfs 127.0.0.1:/home/astreib/work/new-site.org
> /var/www/htdocs/new-site
> mount_nfs: can't access /home/astreib/work/new-site.org: Permission denied
>
> Everything works if I remove the "-network=" from /etc/exports, i.e.:
>
> /home/astreib/work/new-site.org -ro 127.0.0.1
>
> I don't really understand why?
>
> Allan
>
>


-- 
May the most significant bit of your life be positive.


Re: expr / (( )) different behavior

2017-08-11 Thread Janne Johansson
0 is parsed as octal in places, so 09 would be bogus if octal.


2017-08-11 12:56 GMT+02:00 Alessandro DE LAURENZIS :

> Dear misc@ readers,
>
> I was doing a little exercise with integer arithmetics and noticed the
> following:
>
> [snip]
> $ echo $(expr -09 % 3)
> 0
> [snip]
>
> [snip]
> $ echo $((-09 % 3))
> sh: -09 % 3: bad number `09'
> [snip]
>
> bash seems to behave same way; just wondering if this inconsistency is
> expected...
>
> --
> Alessandro DE LAURENZIS
> [mailto:jus...@atlantide.t28.net]
> LinkedIn: http://it.linkedin.com/in/delaurenzis
>
>


-- 
May the most significant bit of your life be positive.


Re: expr / (( )) different behavior

2017-08-11 Thread Janne Johansson
2017-08-11 13:14 GMT+02:00 Alessandro DE LAURENZIS :

> Hi Janne,
> On Fri 11/08/2017 13:07, Janne Johansson wrote:
>
>> 0 is parsed as octal in places, so 09 would be bogus if octal.
>>
> [...]
>
> Thanks for the clarification; does that mean expr(1) can treat 10-base
> numbers only? No info in man page on this matter...
>

Well, I think the default would be for simple math stuff to only use base
10.
Then stuff like $(()) should perhaps say it accepts hex, octal or whatever
outside of that.
$ echo $(( 09 + 1))
ksh:  09 + 1: bad number `09'
$ echo $(( 08 + 1))
ksh:  08 + 1: bad number `08'
$ echo $(( 07 + 1))
8

I have used the "skip leading zeros" at times with expr in order to handle
possibly empty environment vars with stuff like:
sleep $(expr 0$MIGHT_HAVE_VALUE + 1)
so that an unset env-var will not make expr treat it like $(expr + 1), which
would be an error.

-- 
May the most significant bit of your life be positive.
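An added example (not from the thread) of the same idea as the 0$MIGHT_HAVE_VALUE trick, written so it also survives the zero-padded values like 09 that $(( )) rejects, and refuses non-numeric input instead of handing it to the arithmetic; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: normalise a value that may come from an
# unset or zero-padded environment variable before doing arithmetic on it.
# $(( 09 + 1 )) fails with "bad number `09'" in ksh/bash because a leading 0
# means octal there, and $(expr $EMPTY + 1) fails because an operand is missing.

# Succeed only for a non-empty string of decimal digits.
is_digits() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# Print $1 without leading zeros; "000" and "" become "0" rather than nothing.
strip_leading_zeros() {
    zeros=${1%%[!0]*}        # the run of zeros at the front (all of $1 if no other digit)
    n=${1#"$zeros"}
    printf '%s\n' "${n:-0}"
}

# Add one to a value that may be unset, empty, zero-padded or garbage;
# refuses anything that is not a non-negative decimal integer.
add_one() {
    v=${1:-0}
    if ! is_digits "$v"; then
        echo "add_one: '$1' is not a non-negative integer" >&2
        return 1
    fi
    v=$(strip_leading_zeros "$v")
    echo $((v + 1))
}

# Typical use, the safe version of:  sleep $(expr 0$MIGHT_HAVE_VALUE + 1)
# where MIGHT_HAVE_VALUE may be unset, "09", "0" or something a user typed:
#   sleep "$(add_one "${MIGHT_HAVE_VALUE:-}")" || exit 1
```

The all-zeros case is the one that bites: stripping the leading zeros of "000" naively leaves an empty string, which puts you back at the missing-operand error the expr trick was meant to avoid.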


Re: ftp.eu.openbsd.org no longer accepts anonymous ftp?

2017-08-20 Thread Janne Johansson
Will fix, have to handle strange 1:1 NAT after move to a new ftp.eu.


2017-08-19 12:16 GMT+02:00 Peter N. M. Hansteen :

> On 08/19/17 11:44, Andreas Thulin wrote:
> > Also, yesterday's
> >
> > # pkg_add -u
> >
> > failed for me, apparently for that same reason.
>
> Yes, that would happen. Then again, changing ftp:// to https:// in
> /etc/installurl would make pkg_add -u work.
>
> - P
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
>
>


-- 
May the most significant bit of your life be positive.


Re: ftp.eu.openbsd.org no longer accepts anonymous ftp?

2017-08-21 Thread Janne Johansson
Fixed, now ftp works again, sorry for the glitch.


2017-08-20 19:33 GMT+02:00 Janne Johansson :

> Will fix, have to handle strange 1:1 NAT after move to a new ftp.eu.
>
>
> 2017-08-19 12:16 GMT+02:00 Peter N. M. Hansteen :
>
>> On 08/19/17 11:44, Andreas Thulin wrote:
>> > Also, yesterday's
>> >
>> > # pkg_add -u
>> >
>> > failed for me, apparently for that same reason.
>>
>> Yes, that would happen. Then again, changing ftp:// to https:// in
>> /etc/installurl would make pkg_add -u work.
>>
>> - P
>> --
>> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
>> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
>> "Remember to set the evil bit on all malicious network traffic"
>> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
>>
>>
>
>
> --
> May the most significant bit of your life be positive.
>



-- 
May the most significant bit of your life be positive.


Re: 6.1 fails to boot on a 486

2017-09-01 Thread Janne Johansson
A few quick tests on 6.1-i386 in a VM showed that 20M seems to be minimum
now, at 17-19M disk setup would segfault late in the installation and at
16M em0 couldn't get TX stuff allocated, so that failed even earlier.


2017-09-01 9:43 GMT+02:00 Mike Larkin :

> On Thu, Aug 31, 2017 at 11:57:40PM -0700, Mike Larkin wrote:
> > On Fri, Sep 01, 2017 at 01:04:40AM -0500, Andrew Daugherity wrote:
> > > I recently dug out of the closet my old IBM PS/2E, which had served as
> > > my firewall box from 2000ish-06, and was in fact the very first
> > > machine I ever installed OpenBSD on, to see if it still worked
> > > properly.  It did (after changing the CMOS battery), but booted into
> > > OpenBSD 4.1... yeah, just a *bit* out of date there.  The machine may
> > > not be of great use nowadays (I'd retired it when it couldn't keep up
> > > with my internet connection), but even as a retro-computing
> > > playground, running a 10-year-old/20-releases-ago version of OpenBSD
> > > is of no benefit.  Let's rectify that!
> > >
> > > 
> > > >> OpenBSD/i386 BOOT 3.31
> > > boot> hd0a:/bsd61.rd
> > > cannot open hd0a:/etc/random.seed: No such file or directory
> > > booting hd0a:/bsd61.rd: 3208120+1332224+3342348+0+446464
> > > [72+288736+277711]=0x87e694
> > > entry point at 0x2000d4
> > >
> > > Copyright (c) 1982, 1986, 1989, 1991, 1993
> > > The Regents of the University of California.  All rights
> reserved.
> > > Copyright (c) 1995-2017 OpenBSD. All rights reserved.
> https://www.OpenBSD.org
> > >
> > > OpenBSD 6.1 (RAMDISK_CD) #289: Sat Apr  1 13:58:25 MDT 2017
> > > dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/RAMDISK_CD
> > > fatal privileged instruction fault (0) in supervisor mode
> > > trap type 0 code 0 eip d03b1f7c cs d09f0008 eflags 10046 cr2 0 cpl 0
> > > panic: trap type 0, code=0, pc=d03b1f7c
> > >
> > > The operating system has halted.
> > > Please press any key to reboot.
> > > 
> > >
> > > Well, that's not good -- I didn't expect 6.1 to run particularly well
> > > on this, but I figured it would at least boot... how about 6.0?
> > >
> > >
> > > 
> > > booting hd0a:/bsd60.rd: 3211188+1318224+2061312+0+442368
> > > [72+298576+282894]=0x744144
> > > entry point at 0x2000d4
> > >
> > > Copyright (c) 1982, 1986, 1989, 1991, 1993
> > > The Regents of the University of California.  All rights
> reserved.
> > > Copyright (c) 1995-2016 OpenBSD. All rights reserved.
> http://www.OpenBSD.org
> > >
> > > OpenBSD 6.0 (RAMDISK_CD) #1864: Tue Jul 26 12:57:09 MDT 2016
> > > dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/RAMDISK_CD
> > > cpu0: Intel 486DX (486-class)
> > > real mem  = 16183296 (15MB)
> > > avail mem = 8122368 (7MB)
> > > mainbus0 at root
> > > bios0 at mainbus0: date 03/31/93
> > > pcibios at bios0 function 0x1a not configured
> > > bios0: ROM list: 0xc8000/0x1000 0xc9000/0x1000 0xca000/0x2000
> > > cpu0 at mainbus0: (uniprocessor)
> > > isa0 at mainbus0
> > > isadma0 at isa0
> > > fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
> > > fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
> > > com0 at isa0 port 0x3f8/8 irq 4: ns16450, no fifo
> > > com0: console
> > > pckbc0 at isa0 port 0x60/5 irq 1 irq 12
> > > pckbd0 at pckbc0 (kbd slot)
> > > wskbd0 at pckbd0: console keyboard
> > > vga0 at isa0 port 0x3b0/48 iomem 0xa/131072
> > > wsdisplay0 at vga0 mux 1: console (80x25, vt100 emulation), using
> wskbd0
> > > wdc0 at isa0 port 0x1f0/8 irq 14
> > > wd0 at wdc0 channel 0 drive 0: 
> > > wd0: 16-sector PIO, LBA, 5729MB, 11733120 sectors
> > > wd0(wdc0:0:0): using BIOS timings
> > > npx0 at isa0 port 0xf0/16 irq 13
> > > pcic0 at isa0 port 0x3e0/2 iomem 0xd/16384
> > > pcic0 controller 0:  has sockets A and B
> > > pcic0 controller 1:  has sockets A and B
> > > pcmcia0 at pcic0 controller 0 socket 0
> > > pcmcia1 at pcic0 controller 0 socket 1
> > > pcmcia2 at pcic0 controller 1 socket 0
> > > ep1 at pcmcia2 function 0 "3Com, 3C574-TX Fast EtherLink PC Card, A"
> > > port 0x340/32, irq 3: address 00:10:4b:5f:20:c0
> > > tqphy0 at ep1 phy 0: 78Q2120 10/100 PHY, rev. 3
> > > pcmcia3 at pcic0 controller 1 socket 1
> > > ep2 at pcmcia3 function 0 "3Com, 3C574-TX Fast EtherLink PC Card, A"
> > > port 0x300/32, irq 9: address 00:60:08:93:80:48
> > > tqphy1 at ep2 phy 0: 78Q2120 10/100 PHY, rev. 3
> > > pcic0: irq 5, polling enabled
> > > softraid0 at root
> > > scsibus0 at softraid0: 256 targets
> > > root on rd0a swap on rd0b dump on rd0b
> > > erase ^?, werase ^W, kill ^U, intr ^C, status ^T
> > >
> > > Welcome to the OpenBSD/i386 6.0 installation program.
> > > (I)nstall, (U)pgrade, (A)utoinstall or (S)hell?
> > > 
> > >
> > > Seems fairly normal.  Did I miss something about 6.1 dropping 486
> > > support?  [/me checks i386.html... still says 486 or better!]
> > >
> > > Turns out that GENERIC can give us a little more useful information
> > > than RAMDISK_CD, as it drops into ddb:
> > >
> > >
> > > 
> > > boot> hd0a:/bsd.61
> > > cannot open hd0a

Re: TCP Window Scaling

2017-09-14 Thread Janne Johansson
Since 6.1 I think the max is 2M, and not 256k. Many programs will also
allow you to bump limits using setsockopt.


2017-09-14 11:15 GMT+02:00 Andreas Krüger :

> Hi All,
>
> I am wondering why there is no option to set the max tcp window
> scaling sizes for send and receive since version 4.9.
> I saw in the change log, that it was converted to auto scaling, but
> the max values are now hardcoded and removed from sysctl, for some
> reason?
>
> The problem is, I have two OpenBSD machines connected on WAN on 1
> gigabit, with a 17 ms delay between them, which means I need to have a
> bigger tcp scaling window than 256 KB to use the full 1 gigabit.
>
> How would i change these values? On FreeBSD you still have the option for
>
> net.inet.tcp.recvspace=262144
> net.inet.tcp.sendspace=262144
>
> Etc.
>
> Regards,
> Andreas
>
>


-- 
May the most significant bit of your life be positive.


Re: TCP Window Scaling

2017-09-14 Thread Janne Johansson
2017-09-14 13:08 GMT+02:00 Janne Johansson :

> Since 6.1 I think the max is 2M, and not 256k. Many programs will also
> allow you to bump limits using setsockopt.
>
>
>
httpd.conf:
server "secret.site" {
        tcp {
                socket buffer 2097152
        }
}

rsyncd.conf:
 ...
socket options = SO_SNDBUF=2097152


-- 
May the most significant bit of your life be positive.


Re: TCP Window Scaling

2017-09-14 Thread Janne Johansson
2017-09-14 13:24 GMT+02:00 Andreas Krüger :

> How would i set i for ipsec tunnels or iperf etc. then?


IPSec isn't using tcp so you wouldn't be able to.
For iperf, you can read the manpage, like I have done for httpd/rsync.

  -w, --window n[KM]
  TCP window size (socket buffer size)


-- 
May the most significant bit of your life be positive.


Re: cron and desktop-computers

2017-09-15 Thread Janne Johansson
2017-09-15 14:48 GMT+02:00 Niels Kobschaetzki :

> Hi,
>
> today I wondered if I need anacron on my laptop. cron(8) states in the man
> page in the section "Daylight Saving Time and other time changes":
> "If time has moved forward, those jobs that would have run in the interval
> that has been skipped will be run immediately."
>
> Does that mean anacron is not needed and for example @daily-jobs will be
> executed on boot if the machine was off or in standby. Or other jobs that
> are scheduled while the machine is in standby/turned off?
>
>
I think "moved forward" wasn't meant to cover "I turned my machine off",
but rather "the admin or ntpd bumped the clock by such an amount that
seconds would have been skipped".


-- 
May the most significant bit of your life be positive.


Re: Crypto softraid is supported on GPT/UEFI boot and not just on BIOS/MBR boot, right?

2017-09-28 Thread Janne Johansson
2017-09-29 3:31 GMT+02:00 Nick Holland :

>
> By that logic, we should have quit using cheap disks when they went over
> 32MB.  Or 120MB.  Or 504MB.  Or 128GB.  Or ...
> I have MBRs on 4TB SoftRaid volumes, works fine.
>
> fdisk, make the "entire" disk (well, the first 2TB) OpenBSD.
> disklabel, change the boundaries of the OpenBSD part to be the entire
> disk.  Done.
>
>
I seem to recall that "trick" on the 2G boundary, or if it was the 8G IDE
limit, or the 33G.
disklabel being "better" than fdisk at accepting larger-than-some-artificial-limit
seems to be a tradition. ;)


-- 
May the most significant bit of your life be positive.


Re: size of size_t

2017-10-12 Thread Janne Johansson
2017-10-12 20:04 GMT+02:00 :

> Hi,
>
> >> I just discovered, to my dismay, that size_t is only 32 bits, even on
> >> 64-bit processors.
> Okay, I don't have a 64-bit machine running OpenBSD to check -- but is
> 'long' 64-bits on those?


How did you manage to come to the first conclusion, given the second part
later?


-- 
May the most significant bit of your life be positive.


Re: macppc netboot

2017-10-17 Thread Janne Johansson
2017-10-18 0:47 GMT+02:00 Daniel Boyd :

> I'm attempting to install onto a G4 Cube with a busted CD-ROM drive.
> I've never done network booting before, so I'm sure I'm just missing
> something.
>

Make sure to read and follow ALL the steps in "man diskless" that have
anything to do with PPC boots, don't cut corners, don't skip stuff that you
think won't be needed and it will probably work for you. I had a bunch of odd
platforms netbooting a long time ago, and the manpage worked every time for
me, and the netbootings failed every time I did not read and follow it to the
letter.

Also, having a tcpdump going might help, to see what actually gets asked for
in the tftp requests and so on.

-- 
May the most significant bit of your life be positive.


Re: dhclient expects IPv4 address in dhclient.conf

2018-05-02 Thread Janne Johansson
2018-05-02 16:06 GMT+02:00 Marc Peters :

> Hi misc,
> dhclient hates me. I would like to prepend an IPv6 nameserver in the
> dhclient configuration on my router when connecting to my ISP, but
> dhclient gives me following error:
>
> em1: /etc/dhclient.conf line 17: expecting IPv4 address.
> em1: prepend domain-name-servers "::1"
> em1: ^
> dhclient.conf is plain simple:
> ~ $ grep -v "#" /etc/dhclient.conf
>
> supersede host-name "router";
>
> prepend domain-name-servers 127.0.0.1;
>
> prepend domain-name-servers "::1";
>
> Is this intended?
>
>
Seems common on other dhcpd's too:
https://lists.isc.org/pipermail/dhcp-users/2012-May/015511.html


-- 
May the most significant bit of your life be positive.


Re: dhclient expects IPv4 address in dhclient.conf

2018-05-03 Thread Janne Johansson
2018-05-02 18:07 GMT+02:00 Marc Peters :

> On Wed, May 02, 2018 at 04:24:50PM +0200, Janne Johansson wrote:
> > Seems common on other dhcpd's too:
> > https://lists.isc.org/pipermail/dhcp-users/2012-May/015511.html
> >
>
> ah, the option has a different name for IPv6 nameservers. Does the base
> dhclient recognize these different options, or do i have to give
> isc-dhcp-client a try for this?
>

Since the manpage doesn't mention v6 namespace at all, I'd wager you would
have to run something else to pick up v6 resolvers.

-- 
May the most significant bit of your life be positive.


Re: OpenBSD logo on my private hompage. It is allowed?

2018-06-08 Thread Janne Johansson
On Fri 8 June 2018 at 04:41, Eric Furman wrote:

> You can make and sell any product you want using OBSD.
> No fee or questions asked. Even Baby-Mulching Machines.
>

..and for that we are ever so thankful.

-- 
May the most significant bit of your life be positive.


Re: 20% package loss on CARP after upgrade to 6.3

2018-06-21 Thread Janne Johansson
On Wed 20 June 2018 at 19:59, Henrik Dige Semark wrote:

> Hey everybody,
>
> # Server 1
> My /etc/hostname.* for CARP's and pfsync + host adaptor:
> https://pastebin.com/vrtuPqnQ
> My /etc/pf.conf: https://pastebin.com/yhVkG4x4
>
> # Server 2
> My /etc/hostname.* for CARP's and pfsync + host adaptor:
> https://pastebin.com/a7fuM923
> My /etc/pf.conf: https://pastebin.com/xNr1TtZ7
>
> Any help or pointers would be fantastic.
> I have struggled with this for a week now and I'm running out of ideas -
> the only solution I have right now is turning off the backup server.
>

You should have different advskew on expected master and slave carps, no?

Also, we used to have something like 20 for master and 80 on slave so one
can place slaves before master, or master after slave if you want to signal
"I am still running but would like to hand over to the other if we can".


-- 
May the most significant bit of your life be positive.


Re: FTP login delay

2018-06-21 Thread Janne Johansson
On Wed 20 June 2018 at 23:28, Maximilian Pichler <maxim.pich...@gmail.com> wrote:

> I've enabled ftpd and am experiencing very long delays (consistently
> 75 seconds) when logging in from localhost.
>
> Running nc reveals that the connection is accepted immediately, but
> the server waits before spitting out the 'ready' line:
>
> $ nc -4v localhost 21
> Connection to localhost 21 port [tcp/ftp] succeeded!
> <<...75 seconds go by...>>
> 220 zen-thought.my.domain FTP server ready.
>
> This smelled a lot like https://www.openbsd.org/faq/faq8.html#RevDNS,
> but of course localhost is in /etc/hosts (and /etc/resolv.conf has
> 'lookup file bind').
>

Try running the ftpd under a ktrace and then use kdump to see what it does
just before those 75 seconds?
RevDNS was a good guess though. ;)


-- 
May the most significant bit of your life be positive.


Re: 20% package loss on CARP after upgrade to 6.3

2018-06-21 Thread Janne Johansson
On Thu 21 June 2018 at 10:31, Stefan Sperling wrote:

> On Thu, Jun 21, 2018 at 10:07:06AM +0200, Janne Johansson wrote:
> > On Wed 20 June 2018 at 19:59, Henrik Dige Semark wrote:
> >
> > > Hey everybody,
> > >
> > > # Server 1
> > > My /etc/hostname.* for CARP's and pfsync + host adaptor:
> > > https://pastebin.com/vrtuPqnQ
> > > My /etc/pf.conf: https://pastebin.com/yhVkG4x4
> > >
> > > # Server 2
> > > My /etc/hostname.* for CARP's and pfsync + host adaptor:
> > > https://pastebin.com/a7fuM923
> > > My /etc/pf.conf: https://pastebin.com/xNr1TtZ7
> > >
> > > Any help or pointers would be fantastic.
> > > I have struggled with this for a week now and I'm running out of
> ideas -
> > > the only solution I have right now is turning off the backup server.
> > >
> >
> > You should have different advskew on expected master and slave carps,
> no?
>
> Looks to me like that is already the case (Server 1 has advskew 0,
> Server 2 has advskew 100).
>

Oh damned, I might have looked at the same url twice. My bad.

-- 
May the most significant bit of your life be positive.


Re: clearing the disk cache

2018-07-03 Thread Janne Johansson
On Tue 3 July 2018 at 10:59, Maximilian Pichler <maxim.pich...@gmail.com> wrote:

>
> > The buffer cache is implemented as two 2-queue and therefore a simple cat
> > bigfile will not fill the cache.
>
> What sort of data structure or algorithm is this? Any reference would
> be much appreciated.
>
>
>
2Q

https://www.tedunangst.com/flak/post/2Q-buffer-cache-algorithm


-- 
May the most significant bit of your life be positive.


Re: arm64 recommendation Pine64 or Rock64

2018-07-08 Thread Janne Johansson
On Sun 8 July 2018 at 07:04, Predrag Punosevac wrote:

> I am particularly keen on building an
> embedded computer which will use Arduino UNO a microcontroller
> motherboard(s) to poll DHT22 AM2302 Digital Temperature And Humidity
> Measurement Sensor as well as HC-SR501 Human Sensor Module Pyroelectric
> Infrared. I see arduino-1.0.2p6v0.tgz among aarch64 packages so I am
> guessing somebody has already tried this. Any feedback on developing
> Arduino sketches from arm64 board?
>
>
I haven't tried it, but it should be doable.

Still, nothing prevents one from compiling the arduino hexes on another
machine and using avrdude on the arm64 to upload and later talk to the
Arduino if need be.
As for using openbsd (in my case on amd64) in general to develop arduino
stuff, it works great if you skip the IDE and use Makefiles to compile and
upload the code.

-- 
May the most significant bit of your life be positive.


Re: Julia on OpenBSD?

2018-07-13 Thread Janne Johansson
On Fri 13 July 2018 at 10:46, Rudolf Sykora wrote:

> Hello,
>
> has anyone any experience with running Julia (language)
> on OpenBSD? How difficult was it to set it up? (It isn't
> in the Ports.)
>
>
http://daemonforums.org/showthread.php?p=63134
the internet seems to point to bcallah@


-- 
May the most significant bit of your life be positive.


Re: autri(4) disabled by default

2018-07-31 Thread Janne Johansson
On Tue 31 July 2018 at 12:47, Peter Kay wrote:

> I see autri(4) is disabled by default in an amd64 kernel, probably
> others too, and has been for a very long time.
>
> I can't see any notice of why this is so, anyone know?
>
>
>
Seems like it came over with the initial amd64 port from i386, and no one
tested it on amd64, so it never got enabled but remained commented out.

-- 
May the most significant bit of your life be positive.


Re: Can't open /dev/bio on arm

2018-08-05 Thread Janne Johansson
Are there MAKEDEV things to add also?

On Sun 5 Aug 2018 at 09:15, Jonathan Gray wrote:

> On Sat, Aug 04, 2018 at 06:38:20PM +1000, Jonathan Gray wrote:
> > On Sat, Aug 04, 2018 at 05:37:11PM +1000, Jonathan Gray wrote:
> > > On Sat, Aug 04, 2018 at 09:33:45AM +0300, Kihaguru Gathura wrote:
> > > > Hi,
> > > >
> > > > I am getting message:  bioctl: Can't open /dev/bio: Device not
> configured
> > > >
> > > > No clue whatsoever on how to go about this. Please assist.
> > > >
> > > > Instructions
> > > > --
> > > > almandine# fdisk -iy sd0
> > > > Writing MBR at offset 0.
> > > > almandine# fdisk -iy sd1
> > > > Writing MBR at offset 0.
> > > > almandine# disklabel -E sd0
> > > > Label editor (enter '?' for help at any prompt)
> > > > > a
> > > > partition: [a]
> > > > offset: [64]
> > > > size: [15727571] *
> > > > FS type: [4.2BSD] RAID
> > > > > w
> > > > > q
> > > > No label changes.
> > > > almandine# disklabel sd0 > layout
> > > > almandine# disklabel -R sd1 layout
> > > > almandine# rm layout
> > > > almandine# bioctl -c 1 -l sd0a,sd1a softraid0
> > > > bioctl: Can't open /dev/bio: Device not configured
> > > > --
> > >
> > > softraid is not currently built as part of the ramdisk kernel on arm*
> > > also the case for landisk, loongson, luna88k, octeon, sgi, socppc
> >
> > bio as well
>
> And then someone needs to add support to armv7/arm64 efiboot to be able
> to boot from it like amd64, i386 and sparc64 can.
>
>


Re: IPv6 router advertisement rdns not working?

2018-09-14 Thread Janne Johansson
On Thu 13 Sep 2018 at 18:49, Mike Coddington wrote:

> On Thu, Sep 13, 2018 at 06:15:28AM +0200, Sebastien Marie wrote:
> > On Wed, Sep 12, 2018 at 10:26:40PM -0500, Mike Coddington wrote:
> > >  However, if I decide to go with just IPv6 by
> > > simplifying my /etc/hostname.if file and using "inet6 autoconf" by
> > > itself, I cannot do any DNS lookups.
> > >
> > rad(8) has support for sending rdns information, but currently nothing
> > in base has support to get resolv.conf configured with such information.
>
> Good to know. I'll stop spinning my wheels. That might be a nice project
> for me to start tinkering with. Thank you!
>

Do mind that it is somewhat non-trivial to figure out a method of having
0, 1, 2 or more sources of resolver information that all want to update
/etc/resolv.conf when adding or removing resolvers as your interfaces go up
and down, without stomping on each other's toes. But having code that gets the
info from rad(8) would still be a part of that, so it would be interesting to
have anyhow.

-- 
May the most significant bit of your life be positive.
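One way to structure the several-sources problem described in the reply above, as an added example (not code from the thread and not an OpenBSD tool): every source of resolver information owns a fragment file named source.interface, and resolv.conf is regenerated from all fragments, so a source that goes away removes its own fragment and never has to edit lines another source wrote. The fragment directory and naming are this example's assumptions; the cap of three nameserver lines follows the libc resolver's MAXNS.

```shell
#!/bin/sh
# resolv-merge.sh: added example, not from the thread or from OpenBSD. Several
# sources (static config, dhclient on em0, something reading rad(8) on em1, ...)
# each drop a fragment in $RESOLV_DIR; resolv.conf is rebuilt from all of them.

RESOLV_DIR=${RESOLV_DIR:-/var/db/resolv}   # assumed path; must hold fragments only
RESOLV_CONF=${RESOLV_CONF:-/etc/resolv.conf}

# set_source <source> <ifname> <addr>...: record what one source currently offers.
# The fragment is written to a temp file and renamed, so a reader of the
# directory never sees a half-written fragment.
set_source() {
    src=$1; ifn=$2; shift 2
    mkdir -p "$RESOLV_DIR"
    tmp=$(mktemp "$RESOLV_DIR/.tmp.XXXXXX") || return 1
    for addr in "$@"; do
        printf 'nameserver %s\n' "$addr"
    done > "$tmp"
    mv "$tmp" "$RESOLV_DIR/$src.$ifn"
}

# clear_source <source> <ifname>: forget a source, e.g. when its interface goes
# down or its lease expires. Nothing else needs to know what it had contributed.
clear_source() {
    rm -f "$RESOLV_DIR/$1.$2"
}

# Merge all fragments: the static one (if any) first, then the rest, duplicates
# dropped, and only the first three nameserver lines kept since the libc
# resolver ignores servers beyond MAXNS (3).
render() {
    {
        echo "# generated from $RESOLV_DIR; edit the fragments, not this file"
        [ -f "$RESOLV_DIR/static.any" ] && cat "$RESOLV_DIR/static.any"
        for f in "$RESOLV_DIR"/*.*; do
            [ -f "$f" ] || continue
            case ${f##*/} in static.any|.tmp.*) continue ;; esac
            cat "$f"
        done
    } | awk '
        seen[$0]++ { next }                   # drop duplicate lines
        /^nameserver / && ++ns > 3 { next }   # resolver reads at most MAXNS servers
        { print }'
}

# Write the merged file atomically so readers never see a half-written resolv.conf.
install_resolv_conf() {
    tmp=$(mktemp "$RESOLV_CONF.XXXXXX") || return 1
    render > "$tmp" && mv "$tmp" "$RESOLV_CONF"
}

# Runs only when invoked by this name, e.g. from whatever hook learns of new
# resolvers after it has called set_source or clear_source.
case ${0##*/} in resolv-merge.sh) install_resolv_conf ;; esac
```

The ordering rule (static first, then the rest) is the policy knob: with three sources alive and only three slots, whichever source sorts last is the one whose servers get cut, so the fragment names effectively encode priority.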


Re: Routing stops after ipsec/gre tunnel activates

2018-10-01 Thread Janne Johansson
On Mon 1 Oct 2018 at 16:56, Kaya Saman wrote:

> Hi,
> I've got an issue where something strange is happening with the routing
> table after establishing an ipsec connection. It's quite hard to
> describe, but what happens is that the tunnel establishes, then routing
> goes down completely. The netstat -r command when run on the router just
> hangs and doesn't complete (show any routes).
>

Perhaps you can't reach your resolver, try running "netstat -rn" to prevent
netstat from trying to resolve all ips and networks it lists.

-- 
May the most significant bit of your life be positive.


Re: 6.4 available but sources incorrect

2018-10-18 Thread Janne Johansson
On Thu 18 Oct 2018 at 15:37, Peter J. Philipp wrote:
>
> Hi,
>
> I know the announcement hasn't made it out yet afaik.  But I want to give
> notice that on ftp.eu as well as cdn mirrors the sources don't check out.
> For one the key is the old 6.3 key and then it fails to signify.
>
> pub -x SHA256.sig-tgz ports.tar.gz
> <
> Signature Verified
> ports.tar.gz: FAIL
> upsilon$ rm *gz
> upsilon$ ls
> SHA256.sig  install64.iso
>
> I'm holding off on installing until this is fixed.  Thanks!  The amd64 
> binaries
> at least in the .iso from ftp.eu checked out fine on the 64 key.

New SHA256.sig out on the ftp.eu mirror now.

-- 
May the most significant bit of your life be positive.



Re: _writes_to_HOME directories in /

2018-10-18 Thread Janne Johansson
On Thu 18 Oct 2018 at 19:55, schwack wrote:
>
> Was prepping for 6.4 upgrade and noticed a bunch of *_writes_to_HOME 
> directories in my root file system. (as shown below)
> All created on Sept 16th. Not sure what I might have been doing on the system 
> that day.

"building ports" most likely.

> Any thoughts on what these directories are, how they got there, and if safe 
> to delete?
>

yes.

Googling for openbsd writes_to_home points to bsd.port.mk, and the env
PORTHOME, for which the manpage of bsd.port.mk says:
PORTHOME
 Setting of env variable HOME for most shell invocations.  Default
 will trip ports that try to write into $HOME while building.

-- 
May the most significant bit of your life be positive.



Re: iked(8) bad-ip-version 7 (encap) error after 6.4 upgrade

2018-10-19 Thread Janne Johansson
On 19 Oct 2018 at 00:44, Jason Tubnor wrote:

> 09:14:42.281631 (authentic,confidential): SPI 0x03096f78: bad-ip-version 7
> (encap)

IPv7? I thought me using v6 was hipster enough, but the cool kids have
surpassed me by far.

(sorry for not helping with your actual issue though)
-- 
May the most significant bit of your life be positive.



Re: set owner/group: operation not permitted

2018-10-25 Thread Janne Johansson
On Wed 24 Oct 2018 at 20:48, Carlos Aguilar wrote:
> Then, when I execute the following command as unprivileged user sg:
> sg:/home/sg$mv /var/www/cgi-bin/my-site/posts/messages/*.txt /tmp
> I got the following error message:
>
> mv:  /tmp/OneFile.txt:  set owner/group: Operation not permitted
>
> However, it does actually move the file and change the permissions
> accordingly:
>
> Under /tmp
>
> -rw-r--r--  1 sgwheel  6163795 Oct XX XX:XX OneFile.txt

What is your idea of "accordingly" ?
If you only ask it to move, it would not change user/group, but since
you are not allowed to make files owned by someone else than you there,
it gets your id, and complains it can't make it www:www.

Since you are probably moving across filesystems, the mv becomes a "cp + rm",
and the cp part is redoing the file from scratch there.

-- 
May the most significant bit of your life be positive.



Re: OpenBSD site

2018-10-27 Thread Janne Johansson
Manual edits, no hurry to jump on this week's fashionable web
framework; testing with lynx goes a long way to keep it simple and
readable.

On Sat 27 Oct 2018 at 11:14, misc nick wrote:
>
> I was wondering how you maintain and update such high quality content in 
> OpenBSD's site.
> Do you manually edit html files, use a cms, or something else? I am asking to 
> shamelessly
> copy your best practices. ;-)
>
> Thanks,
> Nick
>


-- 
May the most significant bit of your life be positive.



Re: vmm(4) direct device resources access from guests

2018-11-01 Thread Janne Johansson
On Thu 1 Nov 2018 at 08:53, Denis wrote:
>
> Is it possible to have full I/O access to PCI-express devices from guest
> OSes like Penguin?
>

https://www.openbsd.org/faq/faq16.html

-- 
May the most significant bit of your life be positive.



Re: CURRENT userland does not compile due to games/glorkz

2018-11-12 Thread Janne Johansson
On Mon 12 Nov 2018 at 09:00, Jyri Hovila [Turvamies.fi] wrote:
> Theo: > Upgrade to from a snap.
> Thanks, but: NO! XD
> Seriously: As crazy as it may sound, I'm very stubborn about following the 
> CURRENT without taking shortcuts.

It's not a shortcut, it is how it's done. It is not cheating, or
dodging or anything; the docs are very clear on that: for any
non-trivial situation where you want to go to -current, you start with
upgrading to as recent a snapshot as possible, then build from there.
Period. It's fine if you want to waste your own time, but this is the
one single method of getting out of many holes, like yours.

-- 
May the most significant bit of your life be positive.



Re: Using /32 resp. /128 netmask for carp ips

2018-11-23 Thread Janne Johansson
On Fri 23 Nov 2018 at 18:50, Joerg Streckfuss wrote:
>
> Dear list,
>
> I want to know why it is good practice to use /32 netmask for ipv4
> respectively /128 netmask for ipv6 addresses on carp interfaces, while using 
> the
> "real" netmask for example /24 for a dedicated address on an interface.

So that the real interface gets used for outgoing traffic generated on
the boxes, like ntp, syslog, mails and so forth, even if the carp
currently is not up (i.e. not master).

-- 
May the most significant bit of your life be positive.



Re: Compiler warning in ctype.h

2020-03-09 Thread Janne Johansson
On Fri 6 Mar 2020 at 12:29, Thomas de Grivel wrote:

> Hello,
>
> I was using base gcc but switching to base clang fixes the warnings on
> -current at least.
> Is base gcc not supported anymore ?
>

I think you are supposed to use whatever gets used when you call "cc" on
the OpenBSD platform you are on, and if need be, get gcc from ports for an
up-to-date version of it.
Since arches are moving from gcc into clang (at various speeds), it's not
unthinkable for some of them to have both over the transition, but the
"supported" one is always the binary that gets run if you use "cc" for
compiler and nothing else.

-- 
May the most significant bit of your life be positive.


Re: S3 Virge support on IBM T23 for 6.6

2020-04-15 Thread Janne Johansson
On Wed 15 Apr 2020 at 23:29, Paolo Aglialoro wrote:

> Is this a hint that soon i386 architecture will be deprecated?
> Considering that supported hw (at least graphics) is going more and more to
> overlap with amd64, at the very end i386 would remain only for some
> routerboards.
>

i386 has seen a fair share of deprecations, from the actual 386 CPUs and
486s without FPU, to machines with 8,16,32,64M ram for which reordering libs
and kernel isn't really doable with recent OpenBSD releases.

-- 
May the most significant bit of your life be positive.


Re: S3 Virge support on IBM T23 for 6.6

2020-04-17 Thread Janne Johansson
On Thu 16 Apr 2020 at 18:24, Paolo Aglialoro wrote:

> Thanks Janne for the tech insight.
> So, but for routerboards/CLI boxen, considering that this recent move
> hinders GUI for most P3s, the really viable ones remain P3s/K7s with
> different graphics boards (mostly desktop/tower) and early P4s without
> em64t.


If there was a huge userbase with tons of GUI i386s needing life support,
then perhaps they can form a group and do the heavy lifting, since many
hands make work light.
If there is one box in a corner with an S3 virge, then it can just stop
updating and have a $25 box firewall it off the internet so you can get
away with having it unpatched where it runs with its GUI.

-- 
May the most significant bit of your life be positive.


Re: Regarding randomized times in crontab

2020-04-17 Thread Janne Johansson
On Thu 16 Apr 2020 at 20:22, Andreas Kusalananda Kähäri <
andreas.kah...@abc.se> wrote:

> On Thu, Apr 16, 2020 at 11:14:59AM -0600, Theo de Raadt wrote:
> > That is a lot of words to cover a simple concept:
> >
> > The specific random values are selected when cron(5) loads
> > the crontab file. New numbers are chosen when crontab -e is used.
> > If you understand that, the conclusions are obvious.
>
> Ah. Good. Then I know the restrictions.  The random times are random,
> but fixed for the lifetime of the cron daemon (or until the crontab is
> reloaded due to being edited).
>

It would be very weird otherwise: if the 24h random example was used, then
it chose 00:01, ran your "bin/true" command and then re-randomized, it would
most certainly end up wanting to run again, perhaps twice or more. So if it
re-randomized after each execution it would have to keep a 24h timer going
(in your example, a per-week and a per-month timer also) to make sure the
newly randomized 11:12 time is actually tomorrow's 11:12 and not the
upcoming one in this day. Also, re-randomization would mean it could start
your one hour backup at 23:59 and once more at 00:01 the next day, which
would cause lots of unexpected chaos for anyone expecting a daily one-hour
job to not collide with itself.

-- 
May the most significant bit of your life be positive.
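To make the point of the reply above concrete, here is an added Python simulation (it is not cron's code and not from anyone in this thread). It contrasts the two policies discussed: drawing the random field once when the crontab is loaded, versus re-drawing after every execution without a 24h timer. The minute-of-day draw for a random range spanning a whole day, the number of simulated days and the one-hour job duration are assumptions made for the simulation.

```python
import random

MINUTES_PER_DAY = 24 * 60


def pick_random_minute(rng):
    """Draw a minute of the day, the way a randomized crontab field covering
    the whole day would be resolved within its range."""
    return rng.randrange(MINUTES_PER_DAY)


def simulate_fixed_at_load(days, seed=0):
    """cron(8) behaviour as described in the thread: the random value is
    drawn once, when the crontab is loaded, and reused every day until the
    crontab is edited and reloaded. Returns absolute start minutes
    (day * 1440 + minute)."""
    rng = random.Random(seed)
    fire_at = pick_random_minute(rng)
    return [day * MINUTES_PER_DAY + fire_at for day in range(days)]


def simulate_rerandomize_after_run(days, seed=0):
    """Hypothetical alternative: draw a fresh value after every execution,
    with no 24h timer remembering that the new value belongs to tomorrow.
    If the new minute is still ahead of us today, the job fires again today."""
    rng = random.Random(seed)
    fire_at = pick_random_minute(rng)
    starts = []
    for day in range(days):
        for minute in range(MINUTES_PER_DAY):
            if minute == fire_at:
                starts.append(day * MINUTES_PER_DAY + minute)
                fire_at = pick_random_minute(rng)  # may land later today
    return starts


def runs_per_day(starts, days):
    """Count executions per simulated day from a list of absolute minutes."""
    counts = [0] * days
    for start in starts:
        counts[start // MINUTES_PER_DAY] += 1
    return counts


def count_self_collisions(starts, duration):
    """Number of runs that begin while the previous run (lasting `duration`
    minutes) is still going: the 23:59 / 00:01 backup case."""
    return sum(1 for a, b in zip(starts, starts[1:]) if b - a < duration)


if __name__ == "__main__":
    days = 365
    fixed = simulate_fixed_at_load(days, seed=7)
    rerand = simulate_rerandomize_after_run(days, seed=7)
    print("fixed at load   : max runs/day", max(runs_per_day(fixed, days)),
          "collisions", count_self_collisions(fixed, 60))
    print("re-randomized   : max runs/day", max(runs_per_day(rerand, days)),
          "collisions", count_self_collisions(rerand, 60))
```

With the value fixed at load, every day gets exactly one run and a one-hour job can never overlap itself; with re-randomization after each run, some days get two or more runs and the job occasionally starts while its previous instance is still running.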


Re: List a package's dependencies

2020-04-20 Thread Janne Johansson
On Mon 20 Apr 2020 at 15:08, Marc Espie wrote:

> On Sun, Apr 19, 2020 at 04:36:48PM +0200, Ingo Schwarze wrote:
> > Part of that is due to the unavoidable complexity
> > of the system.  Other parts may be influenced by the fact that
> > espie@ is not tedu@.
>
> I don't think tedu would do much better... or we would have a ports tree
> with only the 100 ports he's using, and nothing more.
>

My guess is he's stuck running 6.3 on his SH machine:
https://ftp.eu.openbsd.org/pub/OpenBSD/6.3/packages/sh/

-- 
May the most significant bit of your life be positive.


Re: socket I/O on openbsd

2020-04-21 Thread Janne Johansson
You're still not telling what it is, where it came from, what it does.
No one here can read your mind. We will not admit we can see what is on your
monitor, so .. step up to the challenge and show your work.

https://i.imgur.com/ArfmbAf.gif


On Wed 22 Apr 2020 at 08:09, Gustavo Rios wrote:

> apx_connect is a wrapper for connect.
> apx_shutdown is a wrapper for shutdown
>
> On Wed, 22 Apr 2020 at 02:09, Stuart Longland
>  wrote:
> >
> > On 22/4/20 11:48 am, Gustavo Rios wrote:
> > > Dear gentleman,
> > >
> > > i have the an ANSI C code that do the following:
> > >
> > > 0. open a socket
> > > 1. write data to the socket
> > > 2. close the writing end of the socket
> > > 3. read data from the socket
> > > 4. close the read end of the socket
> > >
> > > The the step number 4 returns an error, why ?
> > >
> > > Here it is (Only the relevant part of the code )
> > >
> > > if (!r) r = apx_connect(s, &sa);
> > > if (!r) r = pmp_set(&ap, 1ul, &bp);
> > > if (!r) r = pmpsend(s, &ap);
> > > if (!r) r = apx_shutdown(s, shut_wr);
> > > if (!r) r = pmprecv(&ap, s, &l);
> > > if (!r) r = apx_shutdown(s, shut_rd);
> > >
> >
> > Dumb question this way…
> >
> > > vk4msl-gap$ man apx_connect
> > > man: No entry for apx_connect in the manual.
> > > vk4msl-gap$ man apx_shutdown
> > > man: No entry for apx_shutdown in the manual.
> >
> > what's `apx_connect` and `apx_shutdown`?  There's some library here you
> > are not telling us about.
> > --
> > Stuart Longland (aka Redhatter, VK4MSL)
> >
> > I haven't lost my mind...
> >   ...it's backed up on a tape somewhere.
>
>

-- 
May the most significant bit of your life be positive.


Re: fw_update verify firmware?

2020-05-14 Thread Janne Johansson
On Thu 14 May 2020 at 06:27, Mogens Jensen <
mogens-jen...@protonmail.com> wrote:

> Normally I would just assume that fetched files are verified, but maybe
> in the case with fw_update, the rationale is that firmware files are
> binary blobs so we can't know if they are malicious anyway, therefore
> no reason to bother with verification.
>

It would be sad to mix up the fact that something is signed with a sort of
guarantee that it is without faults or without malice.
The signature proves it didn't change in transport since it was published,
nothing more.

-- 
May the most significant bit of your life be positive.


Re: OpenBSD 6.7 and ffs2 FAQs

2020-05-27 Thread Janne Johansson
On Thu 28 May 2020 at 07:51, Matthias wrote:

> On a fresh 6.7 installation, mount(8) shows 'type ffs'. Is there any way
> to figure out the version number?
>
>
https://undeadly.org/cgi?action=article;sid=20200326083657

-- 
May the most significant bit of your life be positive.


Re: Filling a 4TB Disk with Random Data

2020-06-01 Thread Janne Johansson
On Mon 1 Jun 2020 at 16:01, Justin Noor wrote:

> Hi Misc,
> Has anyone ever filled a 4TB disk with random data and/or zeros with
> OpenBSD?
> How long did it take? What did you use (dd, openssl)? Can you share the
> command that you used?
>

My /dev/random on decent x86_64 gives out more or less the same amount of
data (around 200MB/s) as spinning drives will accept, so you might as well
just dd random to the raw device for it. At this speed, you are looking at
~5 hours of fun.

https://www.wolframalpha.com/input/?i=4+terabyte+at+200MB%2Fs

-- 
May the most significant bit of your life be positive.


Re: Filling a 4TB Disk with Random Data

2020-06-05 Thread Janne Johansson
On Fri 5 Jun 2020 at 09:23, Roderick wrote:

> Is not there a SCSI command "sanitize" for that?
> Can be issued with OpenBSD?
> Perhaps his disc supports it.
>

Then again, if you count how many hours it will take to securely erase a
disk, one might doubt the option of "just run this command and it will do
the same in 10 seconds". Might work, might not work. Both will result in a
drive that is hard to read out old data from, but which option gives
confidence?

-- 
May the most significant bit of your life be positive.


Re: New tool to (quickly) check for available package upgrades

2020-06-17 Thread Janne Johansson
On Wed 17 Jun 2020 at 17:04, Marc Espie wrote:

>
> > > > > The concept you need to understand is snapshot shearing.
> > > > > A full package snapshot is large enough that it's hard to
> guarantee that
> > > > > you will have a full snapshot on a mirror at any point in time.
> > > > > In fact, you will sometimes encounter a mix of two snapshots (not
> that often,
> > > > > recently, but still)
> > > > > Hence, the decision to not have a central index for all packages,
> but to
> > > > > keep (and trust) the actual meta-info within the packages proper.
> > > >
> > > > Sorry, I guess I should've responded to this as well. Isn't snapshot
> shearing going to be a problem regardless of the existence of a single
> central-index? For instance, pkg_add notices a chromium update, which
> requires a newer version of a dependency that hasn't been propagated to the
> mirror yet.
>
> > Even with snapshot shearing though, having this index file could provide
> a substantial speed upgrade. Instead of having to check *all* installed
> package's header for updates, you could use the index to know the subset of
> packages that you expect to have actually changed, and only download
> *those* packages' headers. If the expected "combined" sha of a given
> package doesn't match the index's version, then the mirror is clearly out
> of sync and we could abort an update as usual.
>
>
Do think of what you call "the index file" in terms of "I check/replace
some 100+G of snapshots and packages every 24h": at which point do you
replace that single file, before, during or after none, most or all
packages for your arch are replaced? Will it be synced when the copying
passes "i" for "index.txt" in that packages folder?

What happens if a sync gets cut off, restarted and/or if two syncs suddenly
run into each other and replace files as they go?

What if a new batch of amd64/i386 files appears while one of the ongoing
syncs run, do you restart over and hope yet another new one doesn't appear
while that one is running?

This is the reality of snapshot packages today:

du -sh snapshots/packages/*
34.5G snapshots/packages/aarch64
52.4G snapshots/packages/amd64
18.4G snapshots/packages/arm
44.1G snapshots/packages/i386
24.1G snapshots/packages/mips64
10.2G snapshots/packages/mips64el
26.7G snapshots/packages/powerpc
25.4G snapshots/packages/sparc64

Whatever limitations Marc's design has, it makes it possible for us
mirror admins to sync with some kind of best-effort while still giving most
openbsd users the ability to have pkg_add -u leave you with a working
package eco-system on a daily basis. If the cost is that it takes 40
minutes at night from crontab, then I would not trade a greppable file for
losing some or a lot of the above-mentioned gotchas that the current system
somehow actually handles.

Now if someone invents a decent piece of code to use http connection
pooling, quic/http3/rsync or whatever to speed up getting the required
info, I'm sure we mirror admins would be happy to add/edit our server
programs to serve it.

-- 
May the most significant bit of your life be positive.


Re: dhcpd synchronization: leases recovery after downtime

2020-07-19 Thread Janne Johansson
On Sat 18 Jul 2020 at 23:28, Guy Godfroy wrote:

> Hello,
>
> I am using two routers on OpenBSD (called mulder and scully), and I wish
> to make dhcpd listen on a carp interface between both of them. I am
> using the synchronization mechanism:
>

I noticed the same issue a long time ago, but settled for just running two
unconnected dhcpds and made sure that
1) all fixed replies exist on both (and clients don't mind getting two
answers, they pick the first and stop listening for any extra replies)
and
2) dhcpd checks that IPs don't reply to ping (or exist in arp?) before
handing out an IP from a dynamic range

and this seems to cover most of my concerns: no client would get a
different offer from both dhcpds and ack both, and putting as many fixed
entries as possible on important hosts makes sure they would work in any
case.

-- 
May the most significant bit of your life be positive.
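Point 1) above only holds as long as the two dhcpd.conf files really carry the same fixed entries, which is easy to break when one router is edited and the other is not. The following is an added Python check (not part of the post and not from the dhcpd(8) project) that extracts the host blocks with a hardware ethernet and a fixed-address line from two configs, keys them by MAC address (the identity a client is actually answered by), and reports entries missing on either side or resolving to different addresses. The two configurations, host names and MACs below are constructed samples.

```python
import re

# A 'host NAME { ... }' block; body matched non-greedily up to its closing brace.
HOST_RE = re.compile(r"host\s+([^\s{]+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware\s+ethernet\s+([0-9a-fA-F:]+)\s*;")
IP_RE = re.compile(r"fixed-address\s+([0-9.]+)\s*;")


def fixed_hosts(conf):
    """Return {mac: (host name, fixed address)} for every host block that
    carries both a hardware ethernet and a fixed-address statement.
    MACs are lower-cased so differing case on the two routers is not a diff."""
    hosts = {}
    for name, body in HOST_RE.findall(conf):
        mac = MAC_RE.search(body)
        ip = IP_RE.search(body)
        if mac and ip:
            hosts[mac.group(1).lower()] = (name, ip.group(1))
    return hosts


def compare_fixed_entries(conf_a, conf_b):
    """Diff the fixed entries of two dhcpd.conf texts. Any non-empty list
    means a client could get different (or only one) fixed reply."""
    a, b = fixed_hosts(conf_a), fixed_hosts(conf_b)
    shared = set(a) & set(b)
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "mismatched": sorted(m for m in shared if a[m][1] != b[m][1]),
    }


# Constructed sample configs for two routers (mulder and scully).
MULDER_CONF = """
subnet 192.168.10.0 netmask 255.255.255.0 {
    option routers 192.168.10.1;
    range 192.168.10.100 192.168.10.199;
}

host printer {
    hardware ethernet 00:11:22:33:44:aa;
    fixed-address 192.168.10.20;
}
host nas {
    hardware ethernet 00:11:22:33:44:66;
    fixed-address 192.168.10.21;
}
host ap {
    hardware ethernet 00:11:22:33:44:77;
    fixed-address 192.168.10.22;
}
"""

SCULLY_CONF = """
subnet 192.168.10.0 netmask 255.255.255.0 {
    option routers 192.168.10.1;
    range 192.168.10.100 192.168.10.199;
}

host printer {
    hardware ethernet 00:11:22:33:44:AA;
    fixed-address 192.168.10.20;
}
host nas {
    hardware ethernet 00:11:22:33:44:66;
    fixed-address 192.168.10.31;
}
"""

if __name__ == "__main__":
    for key, macs in compare_fixed_entries(MULDER_CONF, SCULLY_CONF).items():
        print(key, macs)
```

Run it against the real files (for example fetched from both routers with scp) from cron and alert on any non-empty list; the same drift check is worth running after every edit of either configuration.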


Re: static IPv6 setup is not working stable

2020-08-06 Thread Janne Johansson
I have a setup where the virtualization (KVM) combined with the networking
does present an IPv6 def-gw as both an fe80:: and
the more normal 2001:a:b:c:d::1/64, and where the 2001-v6 ip works far
better on virtual machines due to redundancy mac sync things on the network
side, and since the ndp list showed the fe80::1 had a VRRP/CARP-lookalike
mac, it could be the same.

In my case both bsd and linux IPv6-using VMs suffer from ndp "drops" where
it can take seconds for the discovery to figure the mac address out again
after a drop.

So if you can divine what the "real" v6 ip is of the default-gw, try
setting this hard in the conf or /etc/mygate and retry v6.


On Thu 6 Aug 2020 at 14:46, Matthias Schmidt wrote:

> Hi,
>
> * kug1977 wrote:
> >
> > Is this something wrong configured on OpenBSD server or is this something
> > the provider has to check on the gateway side?
>
> I also have a VM at the exact same provider (netcup) and face
> the same problem.  Since all of my VMs at different providers are
> identical (base install + conf via ansible) and I don't see the issue at
> other providers (IONOS, Hetzner) I suspect it has nothing to do with
> OpenBSD...
>

-- 
May the most significant bit of your life be positive.


Re: static IPv6 setup is not working stable

2020-08-06 Thread Janne Johansson
No, I think in my case it is Juniper multichassis LAG (link aggregation
groups) getting confused by identical fe80::x for multiple local v6
networks, or something to that effect.

How do the traceroute6 outputs look when it "works"? If you get a "real" v6
there you might (ab)use that as the gw ip?


On Thu 6 Aug 2020 at 16:04, kug1977 wrote:

> Unfortunately, the Provider netcup doesn’t give out IPv6 gw address
> configuration other than fe80::1, so I cannot check these. But all
> virtualization there is based on KVM, too. So I guess the issue is with KVM?
>
>
> > On 06 Aug 2020, at 15:51, Janne Johansson  wrote:
> >
> > I have a setup where the virtualization (KVM) combined with the
> networking does present a IPv6 def-gw as both an fe80:: here> and the more normal 2001:a:b:c:d::1/64 and where the 2001-v6 ip works
> far better on virtual machines due to redundancy mac sync things on the
> network side, and since the ndp list showed the fe80::1 had a
> VRRP/CARP-lookalike mac, it could be the same.
> >
> > In my case both bsd and linux IPv6-using VMs suffer from ndp "drops"
> where it can take seconds for the discovery to figure the mac address out
> again after a drop.
> >
> > So if you can divine what the "real" v6 ip is of the default-gw, try
> setting this hard in the conf or /etc/mygate and retry v6.
> >
> >
> > On Thu 6 Aug 2020 at 14:46, Matthias Schmidt wrote:
> > Hi,
> >
> > * kug1977 wrote:
> > >
> > > Is this something wrong configured on OpenBSD server or is this
> something
> > > the provider has to check on the gateway side?
> >
> > I also have a VM at the exact same provider (netcup) and face
> > the same problem.  Since all of my VMs at different providers are
> > identical (base install + conf via ansible) and I don't see the issue at
> > other providers (IONOS, Hetzner) I suspect it has nothing to do with
> > OpenBSD...
> >
> > --
> > May the most significant bit of your life be positive.
>
>

-- 
May the most significant bit of your life be positive.


Re: Should/will OpenBSD support ODROID-C4 board? (ARM A55)

2020-08-06 Thread Janne Johansson
On Thu 6 Aug 2020 at 18:40, wrote:

> Hardkernel, a Korean company, make an alternative to the Raspberry Pi, the
> latest being the 'Odroid C4', CPU manufactured by Amlogic (American).
> I owned an ODROID board in the past and was impressed with the hardware.
> However, the software support for Linux is majorly lacking, and so quite
> buggy
> (basic things like USB, ethernet) unless using their self-released
> old-patched-up kernels.
>
> But perhaps this is an opportunity for OpenBSD? I don't know how much work
> it is
> to port OpenBSD to an ARM board, or if Hardkernel do a good job of making
> this
> task easy. I noticed the ODROID-N2 is supported by OpenBSD, which would
> give
> an indication (but the N2 has an A73 and so Spectre bugs).
>

Well, it is somewhat sad if they can't even get decent code in mainline for
linux, which I assume was their intended target OS; the chances of getting
support (or code, ha!) for OpenBSD seem very slim, or getting decent docs
(which if they existed would have allowed linux to run fine on them too?)
for the stuff around the cpu.

So it might get to work, but I would probably not have my hopes up too much
if it already did not make it on linux.

-- 
May the most significant bit of your life be positive.


Re: Adding more syspatch platform.

2020-08-13 Thread Janne Johansson
On Wed 12 Aug 2020 at 00:50, Predrag Punosevac wrote:

> Theo de Raadt  wrote:
> > No, it is a question of which additional platform, you avoided that
> > didn't you
>
> octeon is the only one I can think of.
>

I would volunteer doing the work and dedicating two octeons of mine for
building syspatches for the supported releases, I have enough of them for
it.

-- 
May the most significant bit of your life be positive.


Re: Microsoft's war on plain text email in open source

2020-08-27 Thread Janne Johansson
On Wed 26 Aug 2020 at 21:17, Mike Hammett wrote:

> Text-only was great in 1985.
> Mike Hammett
> Intelligent Computing Solutions
> Midwest Internet Exchange
> The Brothers WISP
>

Being able to publish and/or send a really small file from computer A to
computer B unchanged in this day and age is still a required feat if you
want to appear as an internet professional.
It doesn't matter if it was "change spaces to tabs", "html made carriage
returns where a space was found" or if it was "make two - - chars into one
single utf-8 -- token" or "spell check/correction edited fnd_trgl_dsk() to
find_triangle_disk()" in your C function. You did not ship what you had
produced in that diff.

If you can't send data 100% with the tools of your choice, the blame is on
you, not on the recipient who did the checking FOR YOU and notified you
about mangled transmissions.

So when your file integrity check or vpn software says "we dropped the
incoming data due to broken checksums", the correct answer is not for the
receiving end to disable checksums. Really.
To even have to tell this to people...

-- 
May the most significant bit of your life be positive.


Re: Routing and forwarding: directly connected computers

2020-09-03 Thread Janne Johansson
On Thu 3 Sep 2020 at 11:39, Ernest Stewart <
erneststewar...@hotmail.com> wrote:

> I have a local network with 5 computers:
>
> computer1)
> /etc/hostname.re0: 192.168.1.10 0xff00
>

Different netmask here?


> /etc/hostname.re1: 192.168.2.11 0x
> /etc/hostname.re2: 192.168.2.12 0x
> /etc/hostname.re3: 192.168.2.13 0x
> /etc/mygate:
> 192.168.1.1
>
>
> computer2)
> /etc/hostname.re0: 192.168.1.11 0x
>

..compared to here.


> /etc/hostname.re1: 192.168.2.14 0x
> /etc/mygate:
> 192.168.2.11
>
> computer3)
> /etc/hostname.re0: 192.168.1.12 0x
> /etc/mygate:
> 192.168.2.12
>
> computer4)
> /etc/hostname.re0: 192.168.1.13 0x
> /etc/mygate:
> 192.168.2.13
>
>
> computer5)
> /etc/hostname.re0: 192.168.1.14 0x
> /etc/mygate:
> 192.168.2.14
>
>
> Computer1's physical connections are like this:
> re0->ISP router(192.168.1.1)
>

Seems like you chose overlapping networks for your "internal" things and
the ISP router network. Don't do that.


> re1->Computer2 re0
> re2->Computer3 re0
> re3->Computer4 re0
>
> Computer2's re1 is connected to Computer5's re0.
>
>
-- 
May the most significant bit of your life be positive.


Re: Routing and forwarding: directly connected computers

2020-09-03 Thread Janne Johansson
On Thu 3 Sep 2020 at 14:55, Ernest Stewart <
erneststewar...@hotmail.com> wrote:

> I was actually wondering about using netmask 0x for the external
> interface. As you noted, they are different networks, I just wanted to be
> able to use any 192.168/16 ip address in the internal network and use
> nat-to and rdr-to in Computer1 so every packet going to or from the ISP
> router comes from or goes to 192.168.1.10 (and block everything else).
>
> But still, that (external connections) is the last thing I am going to
> test. At the moment not even a ping from two directly connected computers
> that are actually sending and receiving the packets (according to tcpdump
> in both computers) seems to work...
>

The setup for computer01 is still weird, it thinks it has 4 interfaces on
the same identical network, because all the nets overlap,  except it
doesn't overlap physically because they are on separate cards. Just grab
any "how to build networks guide" and start using separate network
numbering for separate networks and things will work out better. The fifth
network card which points to your ISP device is smaller, but still inside
those 4 others, which also is a bad choice.

The way comp01 is set up on your first mail makes it equally valid for it
to send out a packet on any of the 5 network cards to try to reach
192.168.1.254 for instance. This is of course not how you set up a box with
5 networks (even if "the network" is just a cable from comp1-re1 to
comp2-re0)

-- 
May the most significant bit of your life be positive.
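The overlap problem called out in these two replies is mechanical enough to check before a box is ever booted. Below is an added Python script (not from the thread and not an OpenBSD tool) that parses the address line of hostname.if(5)-style files, accepts both dotted and 0x-hex netmasks, and lists every pair of interfaces whose networks overlap, which is exactly the condition that makes several cards equally valid routes for one destination. The interface contents are constructed samples: the first set mirrors the shape of the original setup (one /24 inside three identical /16s, with netmask values assumed, since the thread's own values did not survive), the second set gives each point-to-point link its own /30.

```python
import ipaddress
from itertools import combinations


def parse_netmask(mask):
    """hostname.if(5) accepts dotted-quad or 0x-hex netmasks; normalise to
    dotted-quad so ipaddress can consume it."""
    if mask.lower().startswith("0x"):
        return str(ipaddress.IPv4Address(int(mask, 16)))
    return mask


def parse_hostname_if(text):
    """Return the IPv4Interface from the first 'inet addr mask' line
    (the leading 'inet' keyword is optional, as in the thread's files)."""
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[0] == "inet":
            tokens = tokens[1:]
        if len(tokens) >= 2:
            return ipaddress.IPv4Interface(f"{tokens[0]}/{parse_netmask(tokens[1])}")
    raise ValueError("no IPv4 address line found")


def find_overlaps(ifaces):
    """ifaces: {interface name: hostname.if text}. Returns sorted pairs of
    interface names whose configured networks overlap."""
    nets = {name: parse_hostname_if(text).network for name, text in ifaces.items()}
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))


# Constructed sample: every "internal" link shares one /16 that also swallows
# the ISP-facing /24, so all four interfaces overlap each other.
OVERLAPPING = {
    "re0": "192.168.1.10 0xffffff00\n",
    "re1": "192.168.2.11 0xffff0000\n",
    "re2": "192.168.2.12 0xffff0000\n",
    "re3": "192.168.2.13 0xffff0000\n",
}

# Constructed sample: each point-to-point cable gets its own /30.
SEPARATE = {
    "re0": "inet 192.168.1.10 255.255.255.0\n",
    "re1": "# link to computer2\ninet 192.168.2.1 255.255.255.252\n",
    "re2": "inet 192.168.2.5 255.255.255.252\n",
    "re3": "inet 192.168.2.9 255.255.255.252\n",
}

if __name__ == "__main__":
    print("overlapping pairs:", find_overlaps(OVERLAPPING))
    print("separate pairs   :", find_overlaps(SEPARATE))
```

On a real router, build the dictionary by reading /etc/hostname.* files; any pair reported means the kernel has two equally plausible egress interfaces for the addresses in the intersection, so fix the numbering before debugging ping.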


Re: Routing and forwarding: directly connected computers

2020-09-03 Thread Janne Johansson
On Thu 3 Sep 2020 at 17:01, Ernest Stewart <
erneststewar...@hotmail.com> wrote:

> I forgot to say, in every computer I have /etc/sysctl.conf with
> "net.inet.ip.forwarding=1".
>
> And I insist, what shocks me the most is that tcpdump shows in both
> computers the right icmp packets but ping says 100% packets lost.
>

This part has far too little detail to be relevant. Sorry.
We can not divine from remote which of the interfaces you listened to, and
what you saw.

-- 
May the most significant bit of your life be positive.


Re: SCM

2019-07-23 Thread Janne Johansson
On Mon 22 Jul 2019 at 17:05, Австин Ким wrote:

> Hi,
>
> As someone completely new to OpenBSD the one immediate first impression
> that most peculiarly sticks out like a sore thumb to me is the Project’s
> use of CVS for source code management.   I am curious why the Project
> continues to use CVS and/or if developers have in the past considered
> migrating the codebase to a distributed SCM system like Mercurial which
> IMHO might make branching and merging easier on developers, especially more
> recent developers coming out of universities.  Is it because the Project
> prefers using a centralized versus distributed SCM system?  Or is it just
> because that’s just the way it has always been done and why change that?
> And would migration to something like hg be a possibility in the future
> that might possibly lower the psychological barrier of entry for newer
> developers?  (And btw this is meant as a sincere question with no intention
> to start a contentious debate; really just asking out of curiosity because
> seeing CVS diffs in the mailing lists was what visually jumped out most
> prominently to me for the first time; I’m sure after spending more time
> with OpenBSD it could be something I could just get used to.)
> Thanks for all the wonderful responses to my previous post which really
> helped me gain a better understanding of the Project!
>


As Nick Holland wrote here on the same topic:
https://marc.info/?l=openbsd-misc&m=136724343006024&w=2
the last quote is kind of telling it all:
---
Want to sell OpenBSD on an alternative?  Find a product that was really
crappy, switched development tools, and suddenly started rivaling
OpenBSD for quality for no reason other than the switch of development
tools.
---

-- 
May the most significant bit of your life be positive.


Re: SAD ( pkg_add does linux like stuff ie: not working, no explanation )

2019-08-28 Thread Janne Johansson
On Wed 28 Aug 2019 at 16:06, sven falempin wrote:

> Maybe obvious ? if so why no message from the software ?
> # pkg_add php_curl
> [URLHERE] php-curl-7.2.17.tgz
>
> 
> LIKE WHY PLEASE ?
>

Given that the difference probably is - versus _ and that last sentence in
all caps, I'd say your problem is that the keyboard gives you shift or
CAPSLOCK at the wrong moments.

-- 
May the most significant bit of your life be positive.


Re: How can I remove sets installed by sysupgrade?

2019-09-16 Thread Janne Johansson
>
>  My reasoning behind NOT installing the X, Comp and Game sets have
> little
> to do with saving space, although I am using an 8GB SSD. I learned in my
> research that one of the most fundamental ways to improve network/system
> security is to minimize the attack surface by not installing unneeded
> software. If it isn't installed, any potential vulnerabilities, known or
> not, are irrelevant.
>

What is not irrelevant is the person/program that somehow has a shell on
your box can paste the required 500 bytes of hex data into "openssl base64
-d" to get a binary on your system, so removing the Comp set is one of
those "it would be super hard for me to imagine what I need to run a local
privilege escalation so it must require all these tools" whereas the
hackers that do own other boxes will already have the short_ASM_sequence*
tested locally and only need to get those over the same path the exploit
took in order to get a better foothold on your machine.

So removing comp sets just means you can't patch locally when a scary
advisory comes out, it also means you need to special-case your sysupgrades
and those two choices will probably mean you will stay vulnerable for a
longer time just because you hoped leaving cc(1),as(1) and battlestar(6)
out of the box will "save" you.

Yes, I can imagine some few scenarios where it might, but as the other
reply you already got says, when you make your own box a surprise to
administer and reason about, you are making it worse already so the
comparisons about what choice is safer doesn't even start from the same
level.

*) SEE ALSO: https://en.wikipedia.org/wiki/SQL_Slammer

-- 
May the most significant bit of your life be positive.


Re: build error on octeon, 6.6

2019-11-07 Thread Janne Johansson
On Wed 6 Nov 2019 at 23:36, Christian Groessler wrote:

> Hi,
> I've installed OpenBSD 6.6 on an EdgeRouter Lite. I wanted to rebuild
> the system.
>
> Maybe the machine has too little memory?
>
> routie$ swapctl -lk
> Device  1K-blocks UsedAvail Capacity  Priority
> /dev/sd0b  22077035824   18494616%0
> routie$
> routie$ sysctl -a | grep physmem
> hw.physmem=536870912
>

A while back when I needed/wanted to build ports-llvm on ERL, I added some
8G of swap over NFS (to an ssd-x86_64 server) which helps with large builds.
Takes ages, but works.

-- 
May the most significant bit of your life be positive.


Re: build error on octeon, 6.6

2019-11-08 Thread Janne Johansson
I wonder if this part is relevant:
c++: error: unable to execute command

Are there any permissions on /net that prevent execution?

It seems it wants to run stuff from here:

...
*** Error 254 in
/net/sirius/temp/routie-build/6.6/src/gnu/usr.bin/clang/libLLVM
(:67 'AMDGPUTargetMachine.o': @c++ -O2 -pipe -...)
*** Error 1 in /net/sirius/temp/routie-build/6.6/src/gnu/usr.bin/clang


> I've noticed that my /tmp partition might be too small (64M). I'm going
> to reinstall with bigger /tmp (1GB) and try again...
>


-- 
May the most significant bit of your life be positive.


Re: Home NAS

2019-11-17 Thread Janne Johansson
Den lör 16 nov. 2019 kl 22:49 skrev Karel Gardas :

> > I tried a home NAS with ZFS, then BTRFS. Those filesystems need tons of
> RAM (~1 GB of RAM by TB of disk), preferably ECC.
>
> For NAS you prefer ECC anyway and 1 GB RAM consumption per 1 TB of drive
> is urban legend probably passed by folks using deduplication.


Or people who do not want to swap while doing extensive fsck of huge
partitions with lots of small files in them.
Most recommendations are based on all corner cases and not just the
happy-case when you stash a single movie on a nas over the home network.

Yes, dedup uses ram most of the time if it can, but other things do too.
Also, "excess" ram in these cases turns into read caches, so it's not lost on
you either.

-- 
May the most significant bit of your life be positive.


Re: SIGBUS on octeon for my program

2019-11-27 Thread Janne Johansson
There was a fix recently for the stack getting unaligned committed just
recently, do you have that?
If not, test on current.


Den ons 27 nov. 2019 kl 14:48 skrev Peter J. Philipp :

> Hi,
>
> My DNS program gets a SIGBUS when I execute it.  I have ktraced it, upped
> limits and searched in the mips64 source for answers, could this be a
> compiler
> problem?
>
> ktrace->
>  41651 dddctl   CALL  connect(6,0xfcacb0,16)
>  41651 dddctl   STRU  struct sockaddr { AF_INET, 192.168.177.2:10053 }
>  41651 dddctl   RET   connect 0
>  41651 dddctl   CALL  kbind(0xfc9b48,24,0x801d30cbade359aa)
>  41651 dddctl   RET   kbind 0
>  41651 dddctl   PSIG  SIGBUS SIG_DFL code BUS_ADRALN<1> addr=0xfca17d
> trapno=0
>  82637 dddctl   RET   wait4 41651/0xa2b3
> <---
>
> The SIGBUS code ADRALN I have found in /sys/arch/mips64/mips64/trap.c
> around
> line 463 on OpenBSD 6.6:
>
> >
> case T_ADDR_ERR_LD+T_USER:  /* misaligned or kseg access */
> case T_ADDR_ERR_ST+T_USER:  /* misaligned or kseg access */
> ucode = 0;  /* XXX should be PROT_something */
> signal = SIGBUS;
> sicode = BUS_ADRALN;
> break;
> <---
>
> I have also set the stack ulimit to 32K but no relief.  I'm stuck,
> wondering
> if you guys can help with interpreting this.
>
> My program can be downloaded with
>
> ftp https://delphinusdns.org/download/snapshot/delphinusdnsd-snapshot.tgz
>
> Where it's remade at midnight CET every day.
>
> As far as I know it should work on macppc although this particular function
> wasn't tested on macppc.  And it works on amd64 as I run this delphinusdnsd
> in production on my personal nameservers.  Getting this working on octeon
> would broaden my test network.
>
> Best Regards,
> -peter
>
>

-- 
May the most significant bit of your life be positive.


Re: Following patch or stable branch on Octeon

2019-12-22 Thread Janne Johansson
>
>  I was under impression that original octeon
> (mips64) packages were built on SGI hardware which is no longer
> supported so I was curious about new build machines. I am fully aware
> that mips64 packages are available for 6.6 even though I try to stick
> for most part with tools from the base.
>

Mips64 is the cpu arch, octeon is just one of the implementations of a
mips64 machine, so a package from any mips64 box would work (except
little-endian mips64le ones from loongson).
As for the original question, I do collect a bunch of octeons and go with
-current/snaps on them. The very far-apart breaks I experience are less a
problem than the joy of getting improvements quickly.
Almost all crashes get fixes (or reverts) in a day or so. Also, the more
often you upgrade your snaps, the easier it gets to back a few days' worth
of kernel, as opposed to only updating once per year and then finding some
issue (like the sppp stack frame bug in 6.6 for octeons).

-- 
May the most significant bit of your life be positive.


Re: Awaiting a diff [was: Re: File systems...]

2020-01-09 Thread Janne Johansson
Den tors 9 jan. 2020 kl 02:11 skrev Ingo Schwarze :

>
> Are you aware that even Bob Beck@ is seriously scared of some
> parts of our file system code, and of touching some parts of it?
> Yes, this Bob Beck, who isn't really all that easily scared:
>
>   https://www.youtube.com/watch?v=GnBbhXBDmwU
>
> One of our most senior developers, regularly and continuously
> contributing since 1997, and among those who understand our
> file system code best.
>

And here I thought you would post thib@'s talk literally named
"Things that makes Bob scream" from the f2k9/Slackathon conf:

https://www.youtube.com/watch?v=HTD9Gow1wTU

-- 
May the most significant bit of your life be positive.


Re: Awaiting a diff [was: Re: File systems...]

2020-01-10 Thread Janne Johansson
Den fre 10 jan. 2020 kl 10:55 skrev Consus :

> On 20:06 Thu 09 Jan, Marc Espie wrote:
> > It's been that way for ages. But no-one volunteered
> > to work on this.
>
> Anyone even knows about this? Aside from OpenBSD developers (who have
> their plates full already) how an average person can find out that there
> is rusty piece of code that should be taken care of?
>

By using the parts that OpenBSD is made up of, and not automatically moving
to other OSes as soon as you leave the comfort zone.
Guess that is how many ports get added. $prg exists for $other_os but not
OpenBSD, someone does the work to make it run on OpenBSD and there you go.

-- 
May the most significant bit of your life be positive.


Re: FreeBSD daemon(8)-like command for OpenBSD

2020-01-31 Thread Janne Johansson
Den tors 30 jan. 2020 kl 21:08 skrev Patrick Kristiansen <
patr...@tamstrup.dk>:

> > Properly starting up a daemon process requires several steps, often
> > involving unveil(2), pledge(2), chroot(2), privilege dropping,
> > sometimes fork+exec for privilege separation, and so on
>
> The process I need to run is written in Clojure and thus runs on the
> Java Virtual Machine. Do you have any suggestions on how to best go
> about making it "daemon-like"? I am not sure that I can call unveil(2),
> pledge(2) and chroot(2) from Clojure without some strange sorcery.


So not related to only Clojure but rather to runtimes that are large and
unwieldy, this seems to be exactly why pledge() and unveil() came into being
in the first place, after seeing things that need to do certain privileged
operations at some early point, but because of design/runtime/hard-to-pledge
or whatever have to run with the sum of all privileges, all capabilities at
all times and at the same time being exposed to potentially hostile data.

I can fully see why Ingo would say "I would not run things like that
exposed", partly because I figure he actually has a choice to not do it,
but regardless of what electric fences you like (SELinux, capsicum,
pledge/unveil, chroots) if you create a huge monolith running in an
environment which actively prevents you from activating any kinds of
protections, then I can see how you would see some friction.

-- 
May the most significant bit of your life be positive.


Re: FreeBSD daemon(8)-like command for OpenBSD

2020-01-31 Thread Janne Johansson
Den fre 31 jan. 2020 kl 11:48 skrev Andrew Easton :

> On Fri, Jan 31, 2020 at 10:47:17AM +0100, Patrick Kristiansen wrote:
> > On Fri, Jan 31, 2020, at 09:29, Janne Johansson wrote:
> > > Den tors 30 jan. 2020 kl 21:08 skrev Patrick Kristiansen <
> patr...@tamstrup.dk>:
> > > >  > Properly starting up a daemon process requires several steps,
> > > >  > often involving unveil(2), pledge(2), chroot(2), privilege
> > > >  > dropping, sometimes fork+exec for privilege separation, and so on
> > > >
> > > >  The process I need to run is written in Clojure and thus runs on the
> > > >  Java Virtual Machine. Do you have any suggestions on how to best go
> > > >  about making it "daemon-like"? I am not sure that I can call
> unveil(2),
> > > >  pledge(2) and chroot(2) from Clojure without some strange sorcery.
>
>
> For the record, I am also interested in information on how pledge(2) and
> unveil(2) would interact with a "higher level language".


man OpenBSD::Pledge will show how you call pledge from perl (if you accept
that as a higher level language in this case), and it works mostly because
perl will not silently have tons of secret underlying operations, so that
when you ask perl to concatenate two strings, it will not open sockets and
pipe them to itself in order to do that, or write them to $TEMPDIR or some
other possible construct in order to make a simple operation suddenly
require file system access or socket binding capacity. The more weird (or
generic) your runtime is, the less chance you will get to be able to say
"from now on, I will not open any more files, sockets or call reboot()"
because the runtime may just do one of those, when garbage collecting or
something.



> I would also
> be happy to learn more about how they interact with assembly.
>

I'm sure they interact equally well as with C, given that the C program that
calls pledge/unveil at that time is assembler.


> Concretely:
> Just to start off easy, how can I find conceptual documentation on
> what an operating system "process" is in OpenBSD and how deeply a libc
> is tied into that by design? As far as I am aware a process has the
>

libc isn't all that tied to a process, it's just that libc contains some
very neat and useful functions (like wrapping calloc() over malloc()/mmap()
so the kernel only exposes one single way for a process to allocate memory,
but libc can still implement realloc(), calloc() and so on for you, using
normal code and the give-me-some-pages-of-RAM syscall).


> "current working directory" associated with it, in order to be able to
> resolve relative paths and is also where "environment variables" are
> stored.


Well, you can still reach the environment without libc, but libc makes it
easier for you, just like with the something*alloc() routines.


>
> (I am also still fuzzy on how intertwined an operating system and a CPU
> are. From my superficial understanding, e.g.  the operating system has
> to be aware of the MMU.


I think that is a completely separate dimension, but yes, given that the OS
controls and commands the MMU to do various things, it most certainly
is "aware" of it.

-- 
May the most significant bit of your life be positive.


Re: How to hide my server's IP?

2020-02-03 Thread Janne Johansson
Den mån 3 feb. 2020 kl 07:18 skrev Frank Beuth :

> Otherwise it would be possible for an attacker to, for example, hack
> your webapp to have it phone home to some external server controlled by
> the attacker.


...and in the request logs see where the request comes from, so this
information is available here, combined with the ip used for the actual
hack. But the existence of "ifconfig" means nothing to this scenario, you
can blindly send an icmp, udp or tcp packet to packet-collectors-R-us.com
and see the ip there. There is exactly zero need to first figure out the
local ip and only then send out blind packets to your collector.


> The attacker would thereby be able to find your IP
> address.
>

By the time your opponent is running code on your server, this piece of
information is probably the least interesting part of the whole puzzle.

-- 
May the most significant bit of your life be positive.


Re: How to hide my server's IP?

2020-02-03 Thread Janne Johansson
>
> Not sure I understand the whole hierarchy and flatness analogy, I'm very
> new to all of this, but what do I tell those who claim that this leaking of
> the IP poses a security risk and that they therefore should go with FreeBSD
> jails instead?
>

Use a VM if you need to win over "checkboxing security"

And refine the risk strategies, since the above conversation seems to be
centered around the concept of a hacker that

1. Someone successfully attacks your site over the internet, using your
outward facing IP A.A.A.A
2. Manages to run code on your webserver
3. May or may not divinate your internal IP B.B.B.B from that code.
4. Then communicates information back to a server of their choice, perhaps
using a third (external) ip C.C.C.C or not

If you think #3 is the only important part, in a scenario where points 1, 2
and 4 allow for full communication using the circuit created using
A.A.A.A and C.C.C.C and full code execution inside your environment,
then you are not doing a very good job at risk assessment.

-- 
May the most significant bit of your life be positive.


Re: VLAN or aliases or? best way to isolate untrustable hosts in a small network

2020-02-05 Thread Janne Johansson
Den ons 5 feb. 2020 kl 13:07 skrev Denis :

> I've made two VLANs to automatically assign random IPs from a pool by
> dhcpd:
>

[...]


> # /etc/hostname.vlan101
> description 'WLAN attached untrusted hosts'
> inet 192.168.156.0/24 255.255.255.0 vlandev run0
>

VLANs and wifi sounds like a non-starter.

-- 
May the most significant bit of your life be positive.


Re: bad ip cksum 0! -> in enc interface

2020-02-05 Thread Janne Johansson
Den ons 5 feb. 2020 kl 21:01 skrev Riccardo Giuntoli :

> If i sniff traffic over enc0 interface I found a strange error about ip
> chksum:
>
>  (DF) (ttl 63, id 43164, len 52) (DF) (ttl 64, id 18753, len 72, bad ip
> cksum 0! -> c48a)
> This is the error as you can review.
>
> I cannot find a solution on the Internet and the real thing is that in many
> other posts people copy and paste packets and this error is visible but no
> one thinks that it is in effect an error, or does not speak about it.
>

You often see 0 in packet checksum fields if the packet is heading out on a
device which claims to do ipv4 checksum offloading in hardware. In such
cases, the OS will not spend time doing software checksums, but the hardware
will do it just before the packet leaves for the network, so that is why the
software sniffer will see 0 there, but the remote end (you do look for errors
from both ends, right?) will see something else there.

-- 
May the most significant bit of your life be positive.
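To make the offload explanation above concrete, here is an added Python illustration (my own, not code from the thread or from OpenBSD): it builds a constructed IPv4 header, shows the zero checksum a sniffer captures before an offloading NIC fills the field in, and verifies the value that actually goes on the wire. The addresses and the classify_capture() helper are assumptions; the id/len/ttl are taken from the tcpdump line quoted in the thread.

```python
import socket
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's complement sum
    of the 16-bit words. Over a header whose checksum field is already
    correct the result is 0, which is how a receiver verifies it."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src, dst, total_len, ident, ttl=64, proto=50,
                      df=True, fill_checksum=True):
    """Build a 20-byte IPv4 header. With fill_checksum=False the field stays
    0: that is what a software sniffer sees on a packet queued to a NIC that
    does IPv4 checksum offload, because the hardware fills it in later."""
    flags_frag = 0x4000 if df else 0
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident,
                                flags_frag, ttl, proto, 0,
                                socket.inet_aton(src), socket.inet_aton(dst)))
    if fill_checksum:
        struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def header_checksum_field(header: bytes) -> int:
    return struct.unpack("!H", header[10:12])[0]


def classify_capture(header: bytes) -> str:
    """Tell a genuinely corrupt header apart from one captured before the NIC
    filled in the checksum: 'ok', 'offload-pending' or 'bad'."""
    if ipv4_checksum(header) == 0:
        return "ok"
    if header_checksum_field(header) == 0:
        return "offload-pending"              # look at the remote end's capture
    return "bad"


# Constructed sample: id 18753, len 72 and ttl 64 match the tcpdump line in
# the thread; the addresses are made up (proto 50 = ESP).
SNIFFER_VIEW = build_ipv4_header("10.0.0.1", "10.0.0.2", total_len=72,
                                 ident=18753, ttl=64, proto=50,
                                 fill_checksum=False)
WIRE_VIEW = build_ipv4_header("10.0.0.1", "10.0.0.2", total_len=72,
                              ident=18753, ttl=64, proto=50)

if __name__ == "__main__":
    for name, hdr in (("sniffer", SNIFFER_VIEW), ("wire", WIRE_VIEW)):
        print("%s: cksum field 0x%04x -> %s"
              % (name, header_checksum_field(hdr), classify_capture(hdr)))
```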


Re: bad ip cksum 0! -> in enc interface

2020-02-06 Thread Janne Johansson
Den ons 5 feb. 2020 kl 21:01 skrev Riccardo Giuntoli :

> I'm setting up a roadwarrior type ikev2 secure connection from .es to .uk.
> root@ganesha:/etc# cat hostname.enc0
>
> root@smigol:/etc# cat hostname.enc0
> inet 172.16.44.2/32
> up
>

Why are you setting up hostname.enc0?
What guide is recommending you to do that?


> I cannot find a solution on the Internet and the real thing is that in many
> other posts people copy and paste packets and this error is visible but no
> one thinks that it is in effect an error, or does not speak about it.
>

Please set a vpn up like the openbsd faq on IPSec VPNs shows, and take it
from there.
It never mentions adding ip to enc0 (and that is not the purpose of enc0)
so I don't see why you should.

enc(4) is a debug and filtering tool not a config part of vpns.

-- 
May the most significant bit of your life be positive.


Re: Process Isolation

2020-02-06 Thread Janne Johansson
Den tors 6 feb. 2020 kl 10:22 skrev Charlie Burnett :

> Sorry if this has been answered before but I couldn't find a satisfactory
> answer searching for it, and this is more of an academic question. So
> security focused Linux distros like Qubes go to extremes to
> compartmentalize/isolate any and all programs it can. FreeBSD has its jail
> program which is seemingly the gold standard for process isolation when you
> can't be bothered to go to the extent Qubes does. I've been trying to read
> as much OpenBSD source as I can as I find some of the security tricks
> y'all've come up with damn interesting. I know that once upon a time we had
> sysjail, but nowadays we just have chroot which most systems do. What
> is OpenBSD's solution to this? I'm sure I've read through it I just didn't
> realize the purpose.
>
> I apologize if this was a question I've somehow missed the answer to!
>

Almost looks like you missed the question while posting the answer.
You list some-linux does X, fbsd does Y, obsd does Z (which you find damn
interesting!) and then ask "what is OpenBSD's solution to this?".

As of now, Z is the list of mitigations openbsd does, and that is... the
solution to "this".

-- 
May the most significant bit of your life be positive.


Re: strange dmesg

2020-02-10 Thread Janne Johansson
Den lör 8 feb. 2020 kl 11:31 skrev :

> Hi,
> I have some strange output from dmesg, what could it be?
> At the following link I've posted some screenshots:
> https://postimg.cc/gallery/1o4wsaw74/
>

dmesg is contained in a memory buffer with (hopefully) room for more than
one dmesg, so you can get previous versions listed when you run it. If the
memory gets slightly corrupted during reboots, I guess the "other" dmesgs
can come out as garbage, based on how memory gets reused or reallocated in
the time between reboot and next boot when the OS isn't in control of the
RAM.

-- 
May the most significant bit of your life be positive.


Re: IPsec and MTU / fragmentation

2020-02-10 Thread Janne Johansson
Den mån 10 feb. 2020 kl 11:58 skrev Simen Stavdal :

> Hi Lucas,
> Have you tried to manipulate the mss during conversation setup?
> This is done with the max-mss directive in pf.conf.
> Basically, it takes the three way handshake, and overrides the MSS value in
> the handshake to something lower than the default.
>

This might fix the http/ssh issues one might see, because both of those run
over TCP, but MSS fixups will not correct large UDP or icmp packets, or any
other non-TCP protocol one might run over that ipsec, so making sure the
traffic is below the MTU should be the end goal, not fixing 90% with pf.

-- 
May the most significant bit of your life be positive.


Re: IPsec and MTU / fragmentation

2020-02-10 Thread Janne Johansson
Den mån 10 feb. 2020 kl 12:15 skrev Simen Stavdal :

> True, but issue was related to downloading over http, which is over tcp.
> So, if http is your only concern I would go for this option.
>

To me, it sounds just a bit like "let this person notice the other errors
later".


> Most clients are configured with an MTU of their physical NIC
> capabilities, and sometimes even with jumbo support.
> MTU is a property of the OS in both ends, while MSS is a property of the
> packets that can be adjusted in-flight.
>
>
MTU is strictly a property of each and every interface in all the hops
between you and your endpoint and equally strictly is mss a property of
_tcp_ packets that can be adjusted. If you run another ipsec inside this
first ipsec tunnel-with-mss-fixed that second one would break, since ESP/AH
is not tcp and will not do the 3way handshake where PF can fix mss for it.
Or mosh, wireguard, or http/3 since they run over UDP.

Not trying to nitpick everything, but internet wasn't built on 1500 MTU
ethernet everywhere, in the old bad days you might go over PPP (576) or
SLIP (296) links at times and it still worked, so if your setups today
break if someone in your path limits you to 1476 or so, then we have
regressed quite a bit since the crap internet days.


> So, if you want to fix the MTU, you will have to configure that on the
> conversation partners and not in pf.
> So, while we agree on the principles, how do you suggest MTU is changed?
>

PMTU discovery would be one method, yes. Middle boxes that will not drop
icmp is part of this of course.


> Statically configured on each host? DHCP option?
>

This depends a bit on where you place your ipsec gw of course, but if you
can't set it on the tunnel (since ipsec on obsd isn't like openvpn or
gif/gre) you might need to set it on the interface where you take in the
traffic, if you can't set it on all clients going via the gw, which is a
believable scenario.


>> This might fix the http/ssh issues one might see, because both of those
>> run over TCP, but MSS fixups will not correct large UDP or icmp packets, or
>> any other non-TCP protocol one might run over that ipsec, so making sure
>> the traffic is below the MTU should be the end goal, not fixing 90% with
>> pf.
>>
>

-- 
May the most significant bit of your life be positive.


Re: IPsec and MTU / fragmentation

2020-02-10 Thread Janne Johansson
Den mån 10 feb. 2020 kl 16:27 skrev Simen Stavdal :

> This is more a discussion about scalability and practical implementation.
> We both know that PMTU will work partly at best, your entire path back
> must support this, and also, the "offending" client must allow inbound
> control messages on their host firewall for this to work.
> And even if the packets are received by the client, will it support and
> adjust MSS? I have seen a lot of clients not adhering to standards.
>
> Modifying thousands of clients (via dhcp options for instance) to use a
> fixed MTU will affect other applications too (if you choose to go that
> route), not just the ones that need to traverse a tight ipsec tunnel.
> Would you adjust all your clients just because you had a single path using
> SLIP in your network?
>

I would want for no one to ever have to know the complete path, slip or no
slip.


> Point is, there is no perfect solution to this issue, there are just
> different ways of solving bits and bobs on the way.
> Adjust mss will work just fine for all tcp protocols, and no, not for UDP
> because it does not use a three way handshake (no MSS to adjust).
> In my opinion, max-mss works very well in most cases, especially when you
> have full control of the tunnel you are using (as is the case of Lucas'
> original question).
> We use it extensively in many of our applications in my workplace, and as
> of yet has not represented any big issues, so it is a practically good way
> to solve this issue.
>

I think the more complete solution is to run some gif/gre inside ipsec and
set low-enough MTU on that one, so it can correctly fragment incoming
packets, and optionally rebuild the packets at the remote end, while also
giving you an idea of "state" on the link so you optionally can run things
like routing daemons or something that cares about and acts on tunnel
state. This would cause even lower MTU, but still allow all kinds of
traffic and not just the "popular" one.

I am somewhat trying to care for the ones that make a site-2-site ipsec
which may work for the initial setup, and later find out that more than one
non-tcp kind of traffic doesn't work without understanding why ssh,http
works but not list-of-things-like
mosh,wireguard,quic,yet-another-layer-of-ipsec,hosting-udp-game doesn't.

> As for UDP, there are options here too in pf.conf (like no-df), but
> personally I have not tested this, but it would be fun to try. It says it
> supports IPv4 (which would include TCP, UDP and ICMP).
> Would be interesting to find if UDP enforces DF in most cases.
>

no-df in PF more or less controls if it will silently drop fragments that
arrive which have DF set. Linux used/uses to send such udp, for much
enjoyment. "no one else should fragment, but I just did and you as the
packet checker can't know who did"

-- 
May the most significant bit of your life be positive.


Re: IPsec and MTU / fragmentation

2020-02-10 Thread Janne Johansson
Den mån 10 feb. 2020 kl 18:18 skrev Peter Müller :

> Hello Lucas,
> as far as I understood, setting MTU on encN interfaces is not supported
> since it is not mentioned by enc(4) and setting it manually fails:
>
> > machine# ifconfig enc0 mtu 1500
> > ifconfig: SIOCSIFMTU: Inappropriate ioctl for device
>

enc(4) interfaces are not to ipsec what tun(4) is to OpenVPN.
It is not a config device per tunnel.

-- 
May the most significant bit of your life be positive.


Re: IPsec and MTU / fragmentation

2020-02-10 Thread Janne Johansson
Den mån 10 feb. 2020 kl 20:53 skrev Simen Stavdal :

> I think the more complete solution is to run some gif/gre inside ipsec and
>> set low-enough MTU on that one, so it can correctly fragment incoming
>> packets, and optionally rebuild the packets at the remote end, while also
>> giving you an idea of "state" on the link so you optionally can run things
>> like routing daemons or something that cares about and acts on tunnel
>> state. This would cause even lower MTU, but still allow all kinds of
>> traffic and not just the "popular" one.
>>
>
> So, how will your client/server know about this lower mtu? And df bit is
> set more often than not, so fragmentation is now allowed in a lot of cases.
> This is exactly the problem that started this thread...
>
>>
>>
If the inner gif/gre tunnel has a lower mtu, then it being a layer-3 tunnel
will be able to fragment all incoming ip before sending it into the ipsec,
which will not fragment for you.
The clients will not have to change, nor any other protocol that sends ip
via the double-tunnel.

-- 
May the most significant bit of your life be positive.


Re: IPsec and MTU / fragmentation

2020-02-11 Thread Janne Johansson
Den tis 11 feb. 2020 kl 10:25 skrev Simen Stavdal :

>  tunnel will be able to fragment all incoming ip before sending it into the
> ipsec, which will not fragment for you.
> The clients will not have to change, nor any other protocol that sends ip
> via the double-tunnel.
>
> If a client and a server set up a new conversation over tcp.
> They both have an MTU of 1500 and DF=1
> How will you fragment this, even being a L3 tunnel?
>

You don't fragment DF=1 packets, you send "Fragmentation Needed and Don't
Fragment was Set" back if they don't fit, like any L3 box would do
regardless and they adapt or fail.
That is what you should get for setting DF=1

-- 
May the most significant bit of your life be positive.
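The fragmentation argument made across this thread (an inner gif/gre tunnel with a lower MTU fragments DF=0 traffic of any IP protocol, answers DF=1 traffic with "fragmentation needed", while pf's max-mss only ever helps TCP), as an added Python model that is my own and not code from the thread or from OpenBSD's gif(4)/gre(4). The 1400-byte TUNNEL_MTU, the RFC 5737 sample addresses and the function names are assumptions.

```python
import socket
import struct

TUNNEL_MTU = 1400   # constructed: a gif/gre MTU chosen below the IPsec path MTU


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's complement header checksum; 0 over a correct header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_datagram(src, dst, payload, ident, proto=17, df=False):
    """Constructed IPv4 datagram: 20-byte header, ttl 64, correct checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                                ident, 0x4000 if df else 0, 64, proto, 0,
                                socket.inet_aton(src), socket.inet_aton(dst)))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload


def _fields(pkt):
    """(header length, total length, DF, MF, fragment offset in 8-byte units)."""
    hlen = (pkt[0] & 0x0F) * 4
    total_len, _, ff = struct.unpack("!HHH", pkt[2:8])
    return hlen, total_len, bool(ff & 0x4000), bool(ff & 0x2000), ff & 0x1FFF


def tunnel_input(pkt: bytes, mtu: int = TUNNEL_MTU):
    """What the inner L3 tunnel does before handing a packet to IPsec (which
    will not fragment for you): ("forward", [pieces]) when it fits or DF is
    clear, ("frag-needed", mtu) when DF is set and it does not fit, which is
    what ICMP type 3 code 4 carries back to the sender. Only the IP header is
    inspected, so UDP, ESP, GRE, ... all work, unlike an MSS clamp."""
    hlen, total_len, df, mf, off = _fields(pkt)
    if total_len <= mtu:
        return "forward", [pkt]
    if df:
        return "frag-needed", mtu
    step = (mtu - hlen) // 8 * 8          # every piece but the last: multiple of 8
    payload = pkt[hlen:total_len]
    pieces = []
    for i in range(0, len(payload), step):
        piece = payload[i:i + step]
        last = i + step >= len(payload)
        hdr = bytearray(pkt[:hlen])
        struct.pack_into("!H", hdr, 2, hlen + len(piece))
        struct.pack_into("!H", hdr, 6,
                         (0 if last and not mf else 0x2000) | (off + i // 8))
        struct.pack_into("!H", hdr, 10, 0)
        struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
        pieces.append(bytes(hdr) + piece)
    return "forward", pieces


def reassemble(pieces: list) -> bytes:
    """Remote-end reassembly: any order, no holes, last piece with MF clear."""
    pieces = sorted(pieces, key=lambda p: _fields(p)[4])
    hlen = _fields(pieces[0])[0]
    payload = b""
    for p in pieces:
        _, total_len, _, _, off = _fields(p)
        if off * 8 != len(payload):
            raise ValueError("hole in fragment train at byte %d" % len(payload))
        payload += p[hlen:total_len]
    if _fields(pieces[-1])[3]:
        raise ValueError("last fragment still has MF set")
    hdr = bytearray(pieces[0][:hlen])
    struct.pack_into("!H", hdr, 2, hlen + len(payload))
    struct.pack_into("!H", hdr, 6, 0)                 # MF and offset cleared
    struct.pack_into("!H", hdr, 10, 0)
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload


def max_mss(mtu: int) -> int:
    """pf's max-mss analogue: largest TCP MSS whose full segment (20 bytes IP
    + 20 bytes TCP) fits the tunnel. It only ever applies to TCP SYNs."""
    return mtu - 40


# Constructed sample traffic: a 1500-byte UDP datagram as a client with a
# 1500 MTU would send it, once with DF clear and once with DF set.
_ADDRS = ("192.0.2.10", "198.51.100.20")
_DATA = bytes(range(256)) * 5 + bytes(range(200))          # 1480 bytes
UDP_DF0 = ipv4_datagram(*_ADDRS, _DATA, ident=0x1234)
UDP_DF1 = ipv4_datagram(*_ADDRS, _DATA, ident=0x1235, df=True)

if __name__ == "__main__":
    verdict, pieces = tunnel_input(UDP_DF0)
    print("DF=0:", verdict, [len(p) for p in pieces],
          "reassembles ok" if reassemble(pieces) == UDP_DF0 else "MISMATCH")
    print("DF=1:", tunnel_input(UDP_DF1))
    print("max-mss for %d:" % TUNNEL_MTU, max_mss(TUNNEL_MTU))
```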


Re: OpenBSD <> Commercial VPNs

2015-10-10 Thread Janne Johansson
Try ipsec, I hear some of the commercial offerings almost manage that too.


2015-10-10 19:21 GMT+02:00 Jack J. Woehr :

> Googled and not found much on connecting OpenBSD to proprietary VPN
> offerings.
>
> I looked at OpenVPN which conceptually resembles Fortinet but doesn't seem
> to have any way to connect to Fortinet SSL VPN.
>
> Any pointers or tips?
>
>
> --
> Jack J. Woehr # Science is more than a body of knowledge. It's a way of
> www.well.com/~jax # thinking, a way of skeptically interrogating the
> universe
> www.softwoehr.com # with a fine understanding of human fallibility. -
> Carl Sagan
>
>


-- 
May the most significant bit of your life be positive.



Re: Help with diff for Samsung 950 Pro NVMe (unable to map registers)

2015-11-16 Thread Janne Johansson
There is some preliminary work in the obsd tree also from dlg@:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/dev/pci/nvme_pci.c


2015-11-17 3:00 GMT+01:00 Josh :

> Thanks Ted for the reply and the hint.
> After a bit of research, it seems the 950 Pro use a PCIe NVMe
> interface as opposed to the SM951 (already in the CVS tree) using PCIe
> AHCI interface.
> I did not find any mention of backwards compatibility with AHCI so far
> for the 950 Pro and might correlate with your assumption.
>
> A bit more research brought me to the nvme [1] driver found in
> FreeBSD. Was there any attempts into porting that?
> I am not a developer, but would be happy to help in testing patch/source
> code.
>
> Cheers,
>
> [1] https://www.freebsd.org/cgi/man.cgi?query=nvme&sektion=4
>
>
> On Mon, Nov 16, 2015 at 11:32 PM, Ted Unangst  wrote:
> > Josh wrote:
> >> Hi,
> >>
> >> Trying to get it recognized and initialized (Model Code MZ-V5P512BW)
> >> Using 16th November snapshot:
> >> ...snip... (full dmesg below)
> >> ppb2 at pci0 dev 28 function 4 "Intel 9 Series PCIE" rev 0xe3: msi
> >> pci3 at ppb2 bus 3
> >> vendor "Samsung", unknown product 0xa802 (class mass storage unknown
> >> subclass 0x08, rev 0x01) at pci3 dev 0 function 0 not configured
> >> ehci0 at pci0 dev 29 function 0 "Intel 9 Series USB" rev 0x03: apic 2
> int 23
> >> ...
> >>
> >> Applied the following diff:
> >>
> >> *** ahci_pci.c.orig Sat Mar 14 11:38:48 2015
> >> --- ahci_pci.c  Mon Nov 16 20:21:36 2015
> >> ***
> >> *** 152,157 
> >> --- 152,159 
> >> NULL,   ahci_samsung_attach },
> >> { PCI_VENDOR_SAMSUNG2,  PCI_PRODUCT_SAMSUNG2_SM951,
> >> NULL,   ahci_samsung_attach },
> >> +   { PCI_VENDOR_SAMSUNG2,  PCI_PRODUCT_SAMSUNG2_950PRO,
> >> +   NULL,   ahci_samsung_attach },
> >>
> >> { PCI_VENDOR_VIATECH,   PCI_PRODUCT_VIATECH_VT8251_SATA,
> >>   ahci_no_match,ahci_vt8251_attach }
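Review bot: the added table entry binds PCI_PRODUCT_SAMSUNG2_950PRO to ahci_samsung_attach, but the dmesg quoted above reports the device as mass storage subclass 0x08 (NVM controller), not the SATA subclass 0x06 that AHCI devices carry, and the poster's own research says the 950 Pro uses the NVMe interface rather than the AHCI one of the SM951; matching it in the ahci_pci table therefore cannot yield a working attach, and the nvme_pci.c work linked in the reply is the right place for it. Separately, PCI_PRODUCT_SAMSUNG2_950PRO is not defined anywhere in the posted diff, so unless a pcidevs addition exists in a part not shown, this file will not compile as posted.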
> >
> > Does the 950 pro nvme support sata mode? The quirk for the interrupts
> isn't
> > anything like native nvme support. I imagine at some point newer drives
> are
> > going to stop pretending to have sata interfaces.
>
>


-- 
May the most significant bit of your life be positive.



Re: cdboot manpage

2015-12-03 Thread Janne Johansson
You do realize that what you are claiming differs from the part you quoted?


2015-12-03 10:08 GMT+01:00 Tati Chevron :

> The manual page for cdboot says:
>
> If no commands are given for a short time, cdboot will then attempt to
> load an OpenBSD kernel from the CD.  It first looks for the install
> kernel bsd.rd in the standard amd64 release directory (e.g.
> /3.6/amd64/bsd.rd), then for /bsd.
>
> This doesn't seem to match the observed behaviour - if /bsd.rd is not
> found, it drops to a boot prompt...
>
> --
> Tati Chevron
> Perl and FORTRAN specialist.
> SWABSIT development and migration department.
> http://www.swabsit.com
>
>


-- 
May the most significant bit of your life be positive.



Re: "# systrace -c1000:1000 kate" for privilege escalated editing?

2015-12-03 Thread Janne Johansson
2015-12-04 0:10 GMT+01:00 Luke Small :

> There must be some sort of kernel lock, because if you su - twice into the
> 1000 user, it won't open a x window either! I'm sure there is a
> conservative security policy at play,


X and switching users requires you to read up on xauth, always has.


-- 
May the most significant bit of your life be positive.



Re: [OT] 1st search engine for Internet-connected devices

2015-12-04 Thread Janne Johansson
Yeah, everyone know they are small:
http://www.rspb.org.uk/discoverandenjoynature/discoverandlearn/birdguide/families/tits.aspx


2015-12-04 17:32 GMT+01:00 Jan Stary :

> https://www.shodan.io/search?query=big+tits
> Exactly ONE hit. This can't be real.
>
>
> On Dec 03 23:35:32, skin...@britvault.co.uk wrote:
> > His ISP wrote:
> >
> > "Dude you have several hundred abuse emails,
> > what the fuck are you doing?"
> >
> > Wired wrote:
> >
> > "Shodan's big lesson is that the internet is more diverse than we think.
> > Think webserver, and you'll probably think of Apache or Microsoft, or
> > maybe Nginx, but Shodan's database of nearly 144 million webservers
> > shows that they're not the only ones out there - not by a long shot.
> > According to Shodan, Microsoft's Internet Information Server, or IIS,
> > runs about 8.5 million web servers, but that's dwarfed by one most
> > people have never heard of: Allegro Software Development's RomPager,
> > which runs on more than 22 million machines. IIS may run big websites
> > such as MSN.com, but RomPager runs on millions of routers, switches, and
> > printers."
> >
> > CNN wrote:
> >
> > "He found a car wash that could be turned on and off and a hockey rink
> > in Denmark that could be defrosted with a click of a button. A city's
> > entire traffic control system was connected to the Internet and could be
> > put into "test mode" with a single command entry. And he also found a
> > control system for a hydroelectric plant in France with two turbines
> > generating 3 megawatts each."
> >
> > The BBC wrote:
> >
> > "The US government has told thousands of companies to beef up protection
> > of computers which oversee power plants and other utilities.
> > The action comes after a survey revealed that thousands of these systems
> > can be found online.
> > The survey was carried out via a publicly available search engine that
> > pinpointed computers controlling critical infrastructure.
> > In total, the survey uncovered more than 500,000 potential targets."
> >
> > See: http://www.shodan.io
>
>


-- 
May the most significant bit of your life be positive.



Re: bsd.rd on Octeon ubnt_e200 doesn't fully boot

2015-12-05 Thread Janne Johansson
My ERL would not run SMP if coremask was 0x1 (ie, use only one cpu) so I
setenv:ed the bootmask to add coremask=0x3 so that the bsd.mp would find
both cores, otherwise it bombed while probing for the second.


2015-12-05 14:21 GMT+01:00 Daniel Ouellet :

> Not the end of the world, I was trying to see if I could boot OpenBSD on
> this version of the EdgeRouter Pro from Ubiquiti. I tried the latest
> Octeon available just in case.
>
> I am still trying, but I am starting to run out of ideas and I do need to get
> some sleep now.
>
> Does anyone have a possible idea as to what I may try to load this, maybe?
>
> It looks like the processor may not be configured here, or maybe I don't
> read it right:
>
> Anyway, this is all from the start at boot, and then when it crashes, it
> retries to boot and then keeps cycling.
>
> I just wanted to give this a try as the box is nice and has 8 Gb
> ports, of which 2 can also be SFP, in a very small 1U maybe 7 inches deep.
>
> Anyway, here it is.
>
> ==
>
>
> Octeon ubnt_e200# resetJumping to start of image at address 0xbfca
>
>
> U-Boot 2012.04.01 (UBNT Build ID: 4670715-g7c4b1d0) (Build time: May 27
> 2014 - 11:19:05)
>
> Skipping PCIe port 0 BIST, in EP mode, can't tell if clocked.
> Skipping PCIe port 1 BIST, reset not done. (port not configured)
> BIST check passed.
> UBNT_E200 r1:0, r2:15, serial #: 44D9E7410ECB
> MPR 13-00317-15
> Core clock: 1000 MHz, IO clock: 600 MHz, DDR clock: 533 MHz (1066 Mhz DDR)
> Base DRAM address used by u-boot: 0x8f80, size: 0x80
> DRAM: 2 GiB
> Clearing DRAM.. done
> Flash: 8 MiB
> Net:   octeth0, octeth1, octeth2, octeth3, octeth4, octeth5, octeth6,
> octeth7
> MMC:   Octeon MMC/SD0: 0
> USB:   USB EHCI 1.00
> scanning bus for devices... 2 USB Device(s) found
> Type the command 'usb start' to scan for USB storage devices.
>
> Hit any key to stop autoboot:  0
> (Re)start USB...
> USB:   USB EHCI 1.00
> scanning bus for devices... 2 USB Device(s) found
>scanning bus for storage devices... 1 Storage Device(s) found
> reading bsd.rd
>
> 7568951 bytes read
> Allocating memory for ELF segment: addr: 0x8100 (adjusted
> to: 0x100), size 0x768c20
> ## Loading big-endian Linux kernel with entry point: 0x8100 ...
> Bootloader: Done loading app on coremask: 0x1
> Starting cores 0x1
> Total DRAM Size 0x8000
> Bank 0 = 0x0176C000   ->  0x0FFF
> Bank 1 = 0x00041000   ->  0x00041FFF
> Bank 2 = 0x2000   ->  0x7FFFC001
> mem_layout[0] page 0x05DB -> 0x3FFF
> mem_layout[1] page 0x8000 -> 0x0001
> mem_layout[2] page 0x00104000 -> 0x00107FFF
> boot_desc->argv[1] = rootdev=/dev/sd0
> Initial setup done, switching console.
> boot_desc->desc_ver:7
> boot_desc->desc_size:400
> boot_desc->stack_top:0
> boot_desc->heap_start:0
> boot_desc->heap_end:0
> boot_desc->argc:2
> boot_desc->flags:0x5
> boot_desc->core_mask:0x1
> boot_desc->dram_size:2048
> boot_desc->phy_mem_desc_addr:0
> boot_desc->debugger_flag_addr:0xc84
> boot_desc->eclock:10
> boot_desc->boot_info_addr:0x1001f0
> boot_info->ver_major:1
> boot_info->ver_minor:3
> boot_info->stack_top:0
> boot_info->heap_start:0
> boot_info->heap_end:0
> boot_info->boot_desc_addr:0
> boot_info->exception_base_addr:0x1000
> boot_info->stack_size:0
> boot_info->flags:0x5
> boot_info->core_mask:0x1
> boot_info->dram_size:2048
> boot_info->phys_mem_desc_addr:0x48108
> boot_info->debugger_flags_addr:0
> boot_info->eclock:10
> boot_info->dclock:53300
> boot_info->board_type:20003
> boot_info->board_rev_major:0
> boot_info->board_rev_minor:15
> boot_info->mac_addr_count:8
> boot_info->cf_common_addr:0
> boot_info->cf_attr_addr:0
> boot_info->led_display_addr:0
> boot_info->dfaclock:0
> boot_info->config_flags:0x8
> Copyright (c) 1982, 1986, 1989, 1991, 1993
> The Regents of the University of California.  All rights reserved.
> Copyright (c) 1995-2015 OpenBSD. All rights reserved.
> http://www.OpenBSD.org
>
> OpenBSD 5.8-current (RAMDISK) #1: Thu Nov 26 17:33:10 CET 2015
> jas...@erl-2.jasper.la:/usr/src/sys/arch/octeon/compile/RAMDISK
> real mem = 2122907648 (2024MB)
> avail mem = 2106032128 (2008MB)
> mainbus0 at root
> cpu0 at mainbus0: Cavium OCTEON II CPU rev 0.1 1000 MHz, Software FP
> emulation
> cpu0: cache L1-I 512KB D 8KB 64 way, L2 1024KB 8 way
> clock0 at mainbus0: int 5
> iobus0 at mainbus0
> dwctwo0 at iobus0 base 0x118006800 irq 56cn30xxgmx0 at iobus0 base
> 0x118000800 irq 48
> unsupported octeon model: 0xd9301
> uar: ns16550, no working fifo
> com0: console
> com1 at uartbus0 base 0x118000c00 irq 35: ns16550, no working fifo
> root on rd0a swap on rd0b dump on rd0b
> WARNING: No TOD clock, believing file system.
> WARNING: CHECK AND RESET THE DATE!
> panic: pool_do_get: filepl free list modified: page 0x98041e984000;
> item addr 0x98041e984000; offset 0x0=0x0 != 0xc45e62c

Re: bsd.rd on Octeon ubnt_e200 doesn't fully boot

2015-12-05 Thread Janne Johansson
bootmask == bootcmd, typo.


2015-12-05 20:56 GMT+01:00 Janne Johansson :

> My ERL would not run SMP if coremask was 0x1 (ie, use only one cpu) so I
> setenv:ed the bootmask to add coremask=0x3
>


-- 
May the most significant bit of your life be positive.



Re: Empty MFS on root

2015-12-09 Thread Janne Johansson
2015-12-08 21:18 GMT+01:00 Alexander Hall :

> On December 8, 2015 4:21:16 PM GMT+01:00, Otto Moerbeek 
> wrote:
> >On Tue, Dec 08, 2015 at 03:03:14PM +, Tati Chevron wrote:
> >
> >> Currently, it's possible, (as root), to do something like:
> >> # mount_mfs -s 1g swap /
> >>
> >> which succeeds, and mounts the empty filesystem as the root
> >filesystem.
> >> This makes the machine inoperable and requires a physical reset,
> >without a clean shutdown, as no system binaries are available.
> >>
> >> Shouldn't we make mount_mfs error out in this case?
> >Why? Unix does not prevent you from doing stupid things in general.
> >Besides, a small variation (using -P) could be a proper and sane use
> >of mount_mfs on /
>
> FWIW, I don't think so, as the mfs is populated after being mounted.
>
>
>
Yeah, mount_mfs will need /bin/pax, and if you give -P a block device, it
will use /mnt in order to mount the wanted device on so pax can read the files
out of it, so / and /mnt can't be mfs-mounted upon with -P.


-- 
May the most significant bit of your life be positive.



Re: FAQ 3.3 - suggested copyright clarification diff

2015-12-21 Thread Janne Johansson
2015-12-20 19:11 GMT+01:00 Tati Chevron :

> On Sun, Dec 20, 2015 at 06:24:26PM +0100, ropers wrote:
>
>> But if I want to make my own bootable Blu-ray disc, for a single
>> architecture,
>>
> using the files on the discs I purchased, is it necessary, for example,
> to master it with the distribution files in a different location other than
> /5.8/amd64 , in order to make 'the CD layout' different?  Or is the fact
> that it's on a different type of optical media sufficient?
>
> Where is the line drawn?
>

You can pay a court room of legal professionals to figure that out. 8-/
Same goes for code, if you change a bit here and there, when is it your
code and not the original one? No simple answer there.

-- 
May the most significant bit of your life be positive.



Re: text-mode gui

2015-12-23 Thread Janne Johansson
2015-12-22 22:10 GMT+01:00 :



> deviation from line oriented interfaces
> for the installer is not the way it can be handled by other systems,
> meaning it's not the least common denominator that lends itself to
> machine processing and there is point in improving this but going in
> the reverse direction counter complexity and contrary to the topic
> statement, and towards simplification of the interface like controlled
> keyword subsets (don't confuse this with a domain specific language,
> think partitioning templates), though it does not mean it can not have
> more than one front end, yet modifying the installation process to
> accommodate use of multiple different types of installers is not
> efficient so far in terms of lack of resources.
>
>
People who write sentences like this one above should not be allowed to use
words and terms like "simplification" and "don't confuse".
You have no idea what they mean.

Or, as the memes would have it:



--
May the most significant bit of your life be positive.




Re: if I were to make a pkg-add diff

2016-01-04 Thread Janne Johansson
2016-01-04 4:22 GMT+01:00 Luke Small :

> What I meant is, if a program sends a handful of pings to each mirror,
> would it think it is being spammed and shutdown any further connections.
>
>
What you meant was thousands of users sending a handful of pings across
the world to a lot of the mirrors each time they (re)start pkg_add?


-- 
May the most significant bit of your life be positive.



Re: syscall 5 "cpath" continues with octeon

2016-01-04 Thread Janne Johansson
2016-01-05 4:45 GMT+01:00 Fung :

> ---
> (OpenBSD 5.8-current (GENERIC) #1: Thu Nov 26 15:01:01 CET 2015)
> Octeon ubnt_e100# version
> U-Boot 1.1.1 (UBNT Build ID: 4670715-gbd7e2d7) (Build time: May 27 2014 -
> 11:16:22)
>
>
>
> 6. via http://www.tedunangst.com/flak/post/OpenBSD-on-ERL
> There’s no onboard clock, so you’ll need ntpd to keep the time straight.
> OpenBSD support is limited to 256MB RAM and a single CPU at this time.
>
>
I think you only need to set the coremask in the boot environment to 0x3
(instead of 0x1 which mine defaulted to) and point it to a bsd.mp
to get both CPUs. Worked for me at least on my ERL.

--
May the most significant bit of your life be positive.



Re: 5.9-beta upgrade stalled at base59.tgz 98% fetched, 51072 KB on first try, retry succeeds

2016-01-21 Thread Janne Johansson
2016-01-18 18:39 GMT+01:00 Peter N. M. Hansteen :

> For about the last week, I've been seeing this oddity with the amd64
> installer when doing snap to snap upgrades on my laptop.
>
> My routine for quite a while has been to fetch snapshots off the local
> mirror whenever I notice there's a new one, recently about once a day,
> then installing by booting the new bsd.rd and pointing at the local
> directory for sets. This is a procedure that has just worked(TM) for years.
>
> But as I mentioned earlier, for about the last week the installer has
> consistently stalled at base59.tgz 98%, 51072 KB fetched, and stayed
> that way for long enough that I'd Ctrl-C out to the bsd.rd shell and
> restart by typing 'upgrade' at the prompt. The upgrade then proceeds
> with no issues on the second attempt. That is, on the previous attempts
> over the last few days I've usually opted for the http (most local
> mirror) as the source for sets.
>

I've seen it also, but in a VirtualBox amd64 vm, which I more or less blamed
VB for.

But very much like your situation, it stalls at base(58).tgz and restarting the
upgrade script allows it to run through.

In my case, I always got the sets from ftp.eu.openbsd.org.

-- 
May the most significant bit of your life be positive.


