Re: Install UEFI with softraid: How do I create the UEFI boot partition in the installer? And sth quirky in /install .
> The standard way to install crypto is to go with the "(S)hell" option at boot.
>
> In the MBR days it would be "fdisk -i sd0", now should be with the GPT option
> on so "fdisk -ig sd0".
>
> Doing this, importantly, no "EFI Sys" partition is created.

# dd if=/dev/zero of=/dev/sd0c bs=1m count=10
# fdisk -igy -b 960 sd0

Does that change anything?
Re: lsof alternative for listing open files?
Hello,

> I am aware of fuser and fstat but these seem to only give me inodes.

You can use

# find /foo -inum 123

to search for the corresponding file.
Re: netstat - process names
Hi,

> I'm looking for a way to see which processes are listening
> on incoming tcp/udp connections.

fstat | grep internet

> Second, how can I verify what process is listening on ports
> 5022,8806 and 21164?

fstat | grep -e ":5022" -e ":8806" -e "21164"
Re: Resize keydisk (softraid) partition...
Hi,

> Now i would like to shrink it somehow, what’s the best and safest way to do
> it… ?

Like the FAQ says, make a backup of the key with

# dd bs=8192 skip=1 if=/dev/rsd1a of=backup-keydisk.img

Verify that backup-keydisk.img starts with the string "marcCRAM".

Reformat sd1 or whatever to your liking (with size 960 for example).

Restore the key with

# dd bs=8192 seek=1 if=backup-keydisk.img of=/dev/rsd1a
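The backup, check and restore steps from the message above as one script; this is an added example, not part of the original post. The function names are made up for illustration, and the `umask 077` on the image, the read-back comparison after the restore and `conv=notrunc` (which only matters when the target is a regular file) are additions to the two dd commands shown.

```shell
#!/bin/sh
# Added example, not from the post. Function names are illustrative.
KEYDISK_MAGIC="marcCRAM"   # string the backup has to start with (from the post)
KEYDISK_BS=8192            # block size and one-block offset of the post's dd commands

# keydisk_magic_ok IMAGE
# Succeeds only if IMAGE is non-empty and begins with the magic string.
keydisk_magic_ok() {
    [ -s "$1" ] || return 1
    # NUL bytes are dropped so a blank image compares as an empty string
    first=$(dd if="$1" bs=8 count=1 2>/dev/null | tr -d '\000')
    [ "$first" = "$KEYDISK_MAGIC" ]
}

# keydisk_backup DEVICE IMAGE
# Same read as in the post (skip the first 8192-byte block). Exit status 2
# means the image lacks the magic string: do not reformat the keydisk.
keydisk_backup() {
    # the image holds key material, so create it readable by the owner only
    ( umask 077; dd bs="$KEYDISK_BS" skip=1 if="$1" of="$2" 2>/dev/null ) || return 1
    if ! keydisk_magic_ok "$2"; then
        echo "$2 does not start with $KEYDISK_MAGIC, keep the old keydisk" >&2
        return 2
    fi
}

# keydisk_restore IMAGE DEVICE
# Same write as in the post (seek past the first block), then read the data
# back from DEVICE and compare it byte for byte with IMAGE.
keydisk_restore() {
    keydisk_magic_ok "$1" || return 2
    dd bs="$KEYDISK_BS" seek=1 conv=notrunc if="$1" of="$2" 2>/dev/null || return 1
    size=$(( $(wc -c < "$1") ))
    dd bs="$KEYDISK_BS" skip=1 if="$2" 2>/dev/null | head -c "$size" | cmp -s - "$1"
}
```

On a real keydisk this would be called as `keydisk_backup /dev/rsd1a backup-keydisk.img` before reformatting and `keydisk_restore backup-keydisk.img /dev/rsd1a` afterwards.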
Re: Running your own mail server
> But the second (far more important) point I want to make is please *THINK
> TWICE* if "running your own mail server" is something you are planning to do
> on your home internet connection.

For all intents and purposes, sending emails from a private internet connection directly to the receiving MX stopped working 15 years ago. (People started blocking everything with "dial" or "dyn" in the reverse DNS or HELO not being followed with the matching reverse DNS of the connected IP.) It should be in all books and tutorials by now.

Word on the street has it that the IP networks of the cloud providers are slowly getting burned too.

To live hassle-free you want your MX to have a static IP from a good "commercial neighbourhood", with a reverse DNS that matches the SPF entry and with your server's HELO greeting.

Check whether your IP is listed on a DNSBL
https://mxtoolbox.com/blacklists.aspx
Demand a different one from your provider if it is *before* you associate your domain with it! (Or let the IP idle for a year or two.)

Plus: Thanks to Let's Encrypt and the super easy acme-client in base there are no more excuses not to have a valid certificate.

Of course that is only true for your MX. You can host your mailboxes at home as long as you relay through said MX.

OpenSMTPD + Dovecot (Sieve, IMAP, dsync) + Nextcloud (Calendar, Contacts) works for me for months without looking. (Be on the announce mailing lists for security information.)

PS, don't sneak through your kids' thoughts. Not even by "only" scanning for "troubling words".
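The checks this message lists for a sending MX (no "dial" or "dyn" in the reverse DNS, HELO equal to the reverse DNS name, no DNSBL listing) as a script; this is an added example, not part of the original post. The function names, the forward-confirmation step and the DNSBL zone argument are assumptions, and the lookups go through dig(1).

```shell
#!/bin/sh
# Added example, not from the post. Function names are illustrative; the
# DNSBL zone is an argument, pass the zone of whichever list you consult.

# dns_lookup TYPE NAME
# One DNS question, answers one per line, lower case, no trailing dot.
dns_lookup() {
    dig +short "$2" "$1" 2>/dev/null | sed 's/\.$//' | tr 'A-Z' 'a-z'
}

# reverse_ipv4 IP
# 192.0.2.25 -> 25.2.0.192, the label order of in-addr.arpa and of DNSBLs.
reverse_ipv4() {
    echo "$1" | awk -F. 'NF == 4 && $0 ~ /^[0-9.]+$/ { print $4 "." $3 "." $2 "." $1 }'
}

# check_mx_identity IP HELO DNSBL_ZONE
# Prints one line per finding; returns 0 only when there is no finding.
check_mx_identity() {
    ip=$1
    helo=$(echo "$2" | tr 'A-Z' 'a-z')
    zone=$3
    problems=0

    rev=$(reverse_ipv4 "$ip")
    [ -n "$rev" ] || { echo "not an IPv4 address: $ip"; return 2; }

    ptr=$(dns_lookup PTR "$rev.in-addr.arpa" | head -n 1)
    if [ -z "$ptr" ]; then
        echo "no reverse DNS for $ip"
        problems=$((problems + 1))
    else
        # the crude name filter the post describes
        case $ptr in
        *dial*|*dyn*)
            echo "reverse DNS $ptr contains dial/dyn"
            problems=$((problems + 1)) ;;
        esac
        # the HELO name has to be the name the PTR record gives
        if [ "$ptr" != "$helo" ]; then
            echo "HELO $helo does not match reverse DNS $ptr"
            problems=$((problems + 1))
        fi
        # forward confirmation: the PTR name must resolve back to the IP
        if ! dns_lookup A "$ptr" | grep -qxF "$ip"; then
            echo "$ptr does not resolve back to $ip"
            problems=$((problems + 1))
        fi
    fi

    # a DNSBL lists an address by answering for <reversed-ip>.<zone>
    listed=$(dns_lookup A "$rev.$zone" | head -n 1)
    if [ -n "$listed" ]; then
        echo "$ip is listed in $zone ($listed)"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}
```

Run it against the address *before* pointing a domain at it, for example `check_mx_identity 192.0.2.25 mail.example.com <dnsbl-zone>`.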
Re: Running your own mail server
On 09.09.2018 at 15:36, flipchan wrote:
> Randomly jumping into this thread , does anyone have a quick and easy way to
> do auto matical responses to certain aliases in opensmtpd?
>

Not with OpenSMTPD, but with Dovecot's Sieve
https://wiki2.dovecot.org/Pigeonhole/Sieve/Examples#Vacation_auto-reply
Uptime in seconds
Hello,

for a shell script I needed the uptime in seconds. I came up with the following. I'm just wondering, is there a one-liner that does the same thing?

# Inspired by https://unix.stackexchange.com/a/270454
# Elapsed time of PID 1, formatted as [[dd-]hh:]mm:ss
uptime=`ps -o etime= -p 1`
# Day count, empty when the machine has been up for less than a day
uptd=`echo $uptime | grep '-' | awk -F "-" '{print $1}'`
if [ "$uptd" == "" ]
then
    upth=`echo $uptime | awk -F ":" '{print $1}'`
    uptm=`echo $uptime | awk -F ":" '{print $2}'`
    upts=`echo $uptime | awk -F ":" '{print $3}'`
    # Only mm:ss present: shift the fields and set hours to 0
    if [ "$upts" == "" ]
    then
        upts=$uptm
        uptm=$upth
        upth=0
    fi
    # 10# forces base 10 so that "08" and "09" are not read as octal
    uptimeseconds=$((10#$upts + 10#$uptm * 60 + 10#$upth * 3600))
else
    upth=`echo $uptime | awk -F "-" '{print $2}' | awk -F ":" '{print $1}'`
    uptm=`echo $uptime | awk -F "-" '{print $2}' | awk -F ":" '{print $2}'`
    upts=`echo $uptime | awk -F "-" '{print $2}' | awk -F ":" '{print $3}'`
    uptimeseconds=$((10#$upts + 10#$uptm * 60 + 10#$upth * 3600 + $uptd * 86400))
fi
echo $uptimeseconds
Re: Uptime in seconds
$ echo $(( $(date +%s) - $(sysctl -n kern.boottime) ))
221493

Cool! Thank you
Re: OpenBSD smtpd to GoDaddy
On 26.04.2020 at 19:15, Philip Munts wrote:

I'm trying to send email from OpenBSD 6.6 via GoDaddy's smtp.secureserver.net. Unfortunately my GoDaddy SMTP username is "p...@munts.net" which doesn't seem to be a legal username for OpenBSD's smtpd. I've tried every escaping mechanism for the @ character I can think of, but nothing has worked.

action "relay2GoDaddy" relay \
    host smtps://f...@smtp.secureserver.net \
    auth { foo = p...@munts.net:password }

HTH
Re: Openbsdstore.com - offline or powered off?
On 27.06.2020 at 13:32, Ruslanas Gžibovskis wrote:

ok, cause I found it on openbsd.org/tshirt or shth like that. is there a way, how to get openbsd tshirts, or just get it on aliexpress with images of openbsd?

I don't know why https://www.openbsdstore.com/ is offline at the moment, but it is a redirect to https://teespring.com/stores/openbsd which is up and running. If you buy here profits will go to the artists.
Re: IPv6 problems
Hello,

My hostname.vio0 looks like this:

dhcp
inet6 alias 64

You most likely need to add a route. Add something like this to your hostname file:

!route add -inet6 default fe80::1%vio0

Just in case you have the same problem. For whatever reason, after a reboot, I have to do this in order to get IPv6 traffic flowing:

ping6 -c 10 fe80::1%vio0
Re: OpenBSD -stable binary packages
https://marc.info/?l=openbsd-announce&m=156577865917831&w=2

> We are pleased to announce that we now also provide selected binary
> packages for the most recent release. These are built from the -stable
> ports tree which receives security and a few other important fixes:

Thank you! That is really cool.
Re: IPv6 problems
I have taken a look at the website of my hosting provider. My IPv6 gateway would be fe80::1. When trying to add the route manually i get "network unreachable".

https://marc.info/?l=openbsd-misc&m=156572276103920&w=2

SCNR
Re: Package -stable updates
In this thread I didn't understand what you update. You said you run STABLE? So you update ports? ...or using m:tier?? ...? Can somebody please tell me what are those "-stable updates for packages"?

http://cdn.openbsd.org/pub/OpenBSD/6.5/packages-stable/amd64/

updated binary packages (with security fixes) for stable, as described here
https://marc.info/?l=openbsd-announce&m=156577865917831&w=2
Modifying installXX.iso via script
Hello list,

I created an autoinstall bsd.rd (containing auto_install.conf and disklabel.conf) and a siteXX.tgz.

For example with the tool isomaster I can manually edit the install66.iso and add bsd.rd and site66.tgz to the directory 6.6/amd64. This modified ISO can be booted from real and virtual hardware. The unattended installation works and is really cool!

Now I want to go the extra step and automate the modification of the installXX.iso.

I tried the tool xorriso:

$ ls -l 6.6/amd64/
total 28544
-rwxr-xr-x 1 null null 10299545 Nov 17 18:00 bsd.rd
-rw-r--r-- 1 null null 4680444 Nov 17 05:03 site66.tgz

$ xorriso -indev install66.iso -outdev install66a.iso -boot_image "any" "keep" -add 6.6/amd64/ [1]

This leads to this message when trying to boot:

CD-ROM: E0
Can't find /cdboot

I then moved cdboot from 6.6/amd64 to the root of the CD:

$ xorriso -indev install66.iso -outdev install66a.iso -boot_image "any" "keep" -move 6.6/amd64/cdboot cdboot -add 6.6/amd64/

This leads to this message when trying to boot:

CD-ROM: E0
Loading /CDBOOT
probing: pc0 mem[639KB 2046M a20=on]
disk: hd0+ cd0
>> OpenBSD/amd64 CDBOOT 3.44
boot>
cannot open cd0a:/etc/random.seed: No such file or directory
booting cd0a:/6.6/amd64/bsd.rd: open cd0a:/6.6/amd64/bsd.rd: No such file or directory
 failed(2). will try /6.6/amd64/bsd.rd
boot>

When I move bsd.rd to the root of the CD too, I can at least start the installation by typing

boot> bsd.rd

But it would be nice if that wouldn't be necessary.

When looking at the ISO files with isomaster, the only difference I can find is that on the modified ISO the publisher information is in all caps.

I'm obviously doing something wrong. Any ideas or alternatives?

[1] In case the full output is necessary:

$ xorriso -indev install66.iso -outdev install66a.iso -boot_image "any" "keep" -add 6.6/amd64/
xorriso 1.4.8 : RockRidge filesystem manipulator, libburnia project.

xorriso : NOTE : Loading ISO image tree from LBA 0
xorriso : UPDATE : 24 nodes read in 1 seconds
xorriso : NOTE : Detected El-Torito boot information which currently is set to be discarded
Drive current: -indev 'install66.iso'
Media current: stdio file, overwriteable
Media status : is written , is appendable
Boot record : El Torito
Media summary: 1 session, 226537 data blocks, 442m data, 62.8g free
Volume id : 'OpenBSD/amd64 6.6 Install CD'
Drive current: -outdev 'install66a.iso'
Media current: stdio file, overwriteable
Media status : is blank
Media summary: 0 sessions, 0 data blocks, 0 data, 62.8g free
Added to ISO image: directory '/6.6/amd64'='/home/null/OpenBSD66/6.6/amd64'
xorriso : UPDATE : 2 files added in 1 seconds
xorriso : NOTE : Keeping boot image unchanged
xorriso : UPDATE : Writing: 2000s 0.9% fifo 43% buf 50%
xorriso : UPDATE : Writing: 23513s 10.3% fifo 84% buf 50% 32.1xD
xorriso : UPDATE : Writing: 45822s 20.0% fifo 98% buf 50% 33.3xD
xorriso : UPDATE : Writing: 68243s 29.8% fifo 99% buf 50% 33.5xD
xorriso : UPDATE : Writing: 93008s 40.6% fifo 100% buf 50% 33.3xD
xorriso : UPDATE : Writing: 114511s 50.0% fifo 99% buf 50% 32.1xD
xorriso : UPDATE : Writing: 133184s 58.2% fifo 99% buf 50% 27.9xD
xorriso : UPDATE : Writing: 154835s 67.6% fifo 100% buf 50% 32.3xD
xorriso : UPDATE : Writing: 176528s 77.1% fifo 99% buf 50% 32.4xD
xorriso : UPDATE : Writing: 197248s 86.1% fifo 99% buf 50% 30.9xD
xorriso : UPDATE : Writing: 218688s 95.5% fifo 100% buf 50% 32.0xD
ISO image produced: 228822 sectors
Written to medium : 228992 sectors at LBA 32
Writing to 'install66a.iso' completed successfully.
Re: Modifying installXX.iso via script
On 17.11.2019 at 19:51, cho...@jtan.com wrote:

Thomas Bohl writes:

Now I want to go the extra step and automate the modification of the installXX.iso.

I have put an insane amount of work into exactly this, also with an eye to portably directing the process to other operating systems and hosting environments.

Thank you for your quick response. It works now. Even better that the tools in base are enough.

I'd be very interested to hear more about what you're working on but

Nothing special. Only private stuff. I want to move from to-do lists to scripts. I believe the buzzword is "infrastructure as code" :-)

meanwhile I think the command you're looking for is some variant on this:

mkiso() {

Thanks. For completeness what I did for now:

# vnconfig vnd0 install66.iso
# mount -t cd9660 /dev/vnd0c cd/
# cp -r cd cd2
# mkhybrid -a -R -T -L -l -d -D -N -o install66a.iso -vv \
    -A "Unofficial OpenBSD 6.6 amd64 autoinstall CD" \
    -P "Copyright (c) 2019 Theo de Raadt, The OpenBSD project" \
    -p "Thomas Bohl " \
    -V "Unofficial OpenBSD/amd64 6.6 CD" \
    -b 6.6/amd64/cdbr -c 6.6/amd64/boot.catalog cd2
Re: Modifying installXX.iso via script
Thanks. For completeness what I did for now:

# vnconfig vnd0 install66.iso
# mount -t cd9660 /dev/vnd0c cd/
# cp -r cd cd2
# cp bsd-mod.rd cd2/6.6/amd64/bsd.rd
# cp site66.tgz cd2/6.6/amd64/
# mkhybrid -a -R -T -L -l -d -D -N -o install66a.iso -vv \
    -A "Unofficial OpenBSD 6.6 amd64 autoinstall CD" \
    -P "Copyright (c) 2019 Theo de Raadt, The OpenBSD project" \
    -p "Thomas Bohl " \
    -V "Unofficial OpenBSD/amd64 6.6 CD" \
    -b 6.6/amd64/cdbr -c 6.6/amd64/boot.catalog cd2
Re: FreeBSD daemon(8)-like command for OpenBSD
But another use for daemon(8) is for its ability to detach the child process from the controlling terminal

If it is about a rc.d script, you can add

rc_bg=YES

to it.
Re: rdomain 0 and dafault route
On 12.10.2015 at 09:33, Holger Glaess wrote:
> some trouble due the setup i have was to setup the default gw
> by mygate. ( for reboot )
>
> this is not possible depend on the cable setup with the dhcp client.

You don't really need mygate.

> netstart don't care about rdomain in the case .
> you have to setup the default gw by rc.local.

You should be able to set it up with hostname.if. See the "!command" section in the man page. Just add

!route add default 192.168.0.254
!route -T 2 add default 192.168.2.254

or whatever you are up to.
Panic when copying files
Hello,

when copying files from one harddisk to another, which are both connected via the same SATA3 ASMedia ASM1061 controller, there eventually will be a kernel panic on my setup. It's reproducible, but the timing is different on each run of cp -R.

Copying files to a harddisk on the Intel controller works without a problem. (Already tried two different hard disks. Could still be a hardware issue, though.)

I was able to take pictures of ddb.

# uname -a
OpenBSD sw2.cve.local 5.9 GENERIC.MP#1778 amd64

# dmesg
OpenBSD 5.9-beta (GENERIC.MP) #1778: Wed Dec 23 18:23:06 MST 2015
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 17014210560 (16226MB)
avail mem = 16494436352 (15730MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xecec0 (18 entries)
bios0: vendor American Megatrends Inc. version "C1.60" date 12/15/2015
bios0: ASRock N3700-ITX
acpi0 at bios0: rev 2
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP APIC FPDT FIDT AAFT MCFG HPET SSDT SSDT SSDT UEFI LPIT CSRT SSDT
acpi0: wakeup devices PS2K(S4) PS2M(S4) UAR1(S4) UR11(S1) UR12(S1) UR13(S1) UR14(S1) XHC1(S4) HDEF(S4) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) [...]
Softraid Keydisk reboot loop
Hello,

I updated from 5.8-stable to current today. (First just an update, then because of the problem a fresh installation.) On 5.8-stable I had a working softraid boot setup with a USB-Stick as keydisk.

Now, if the keydisk is plugged in, the machine resets over and over again. Unfortunately there is nothing shown on screen to present here. When the bootloader should show up there is just a beep sound (like when the machine is powered on) and then the BIOS comes again.

When the keydisk is unplugged the bootloader shows up and asks for a password. (As intended.)

Does anyone else have that problem too?

# dmesg
OpenBSD 5.9-beta (GENERIC.MP) #1778: Wed Dec 23 18:23:06 MST 2015
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 17014210560 (16226MB)
avail mem = 16494436352 (15730MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xecec0 (18 entries)
bios0: vendor American Megatrends Inc. version "C1.60" date 12/15/2015
bios0: ASRock N3700-ITX
acpi0 at bios0: rev 2
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP APIC FPDT FIDT AAFT MCFG HPET SSDT SSDT SSDT UEFI LPIT CSRT SSDT
acpi0: wakeup devices PS2K(S4) PS2M(S4) UAR1(S4) UR11(S1) UR12(S1) UR13(S1) UR14(S1) XHC1(S4) HDEF(S4) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) [...]
heap full Re: Softraid Keydisk reboot loop
On 26.12.2015 at 23:18, Alexander Hall wrote:
> On Sat, Dec 26, 2015 at 10:41:34PM +0100, Thomas Bohl wrote:
>> Hello,
>>
>> I updated from 5.8-stable to current today. (First just an update, then
>> because of the problem a fresh installation.) On 5.8-stable I had a
>> working softraid boot setup with a USB-Stick as keydisk.
>>
>> Now, if the keydisk is plugged in, the machine resets over and over
>> again. Unfortunately there is nothing shown on screen to present here.
>> When the bootloader should show up there is just a beep sound (like when
>> the machine is powered on) and then the BIOS comes again.
>
> I'd say it seems your system is trying to boot off the keydisk. Make sure
> fdisk shows no flagged partition, or remove the flag by
>
> fdisk:*1> flag 3
> Partition 3 marked active.
> fdisk:*1> flag 3 0
> Partition 3 flag value set to 0x0.
>
> By then, 'p' should show no partition with an asterisk before it.
>
> /Alexander

Thanks. Unfortunately that didn't do the trick.

I was able to get more information by reducing the number of harddisks and taking video :-).

One disk:
System boots normally

Two disks:
booting sr0a:/bsd: 6823756heap full (0x9fba0+16384)
Screenshot http://s30.postimg.org/894owvh41/image.jpg
System resets

Three disks:
booting sr0a:/bsd: 6823756heap full (0x9fd98+16384)
Screenshot http://s14.postimg.org/3ty4m62lt/image.jpg
System resets

Four disks:
Black screen after BIOS
System resets
Re: Panic when copying files
I tried EFI for a change. Same panic there:

# time cp -R /mnt/BackupDisk/Tag.0/a/b/c/* /home/c
panic: kernel diagnostic assertin "(cmd & AHCI_PREG_CMD_CR) == 0" failed: files "../../../../dev/ic/ahci.c", line 2513
wsdisplay_switch2: not switching
Stopped at Debugger+0x9: leave
TID PID UID PRFLAGS PFLAGS CPU COMMAND
Debugger() at Debugger+0x9
panic() at panic+0xfe
__assert() at __assert+0x25
ahci_port_read_ncp_error() at ahci_port_read_ncp_error+0x251
ahci_port_intr() at ahci_port_intr+0x73c
ahci_intr() at ahci_intr+0x5b
intr_handler() at intr_handler+0x67
Xintr_ioapic_edge23() at Xintr_ioapic_ewdsgdei2s3p+10axyc_9s h-i-n-g tc h-i-n-g interrupt ---tc tacchp2i:c pnuo_ti dslwei(t)c haitn ga dw 2 :c pnuo_ti dslwei_tccyhcilneg( cle+0x10 y
end trace frame: 0x0, count: 5

ddb{0}> trace
Debugger() at Debugger+0x9
panic() at panic+0xfe
__assert() at __assert+0x25
ahci_port_read_ncp_error() at ahci_port_read_ncp_error+0x251
ahci_port_intr() at ahci_port_intr+0x73c
ahci_intr() at ahci_intr+0x5b
intr_handler() at intr_handler+0x67
Xintr_ioapic_edge23() at Xintr_ioapic_edge23+0xc9
--- interrupt ---
acpicpu_idle() at acpicpu_idle+0x22d
cpu_idle_cycle() at cpu_idle_cycle+0x10
end trace frame: 0x0, count: -10

ddb{0}> mach ddbcpu 1
Stopped at Debugger+0x9: leave
Debugger() at Debugger+0x9
x86_ipi_handler() at x86_ipi_handler+0x76
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x1c
--- interrupt ---
acpicpu_idle() at acpicpu_idle+0x22d
cpu_idle_cycle() at cpu_idle_cycle+0x10
end trace frame: 0x0, count: 10

ddb{1}> trace
Debugger() at Debugger+0x9
x86_ipi_handler() at x86_ipi_handler+0x76
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x1c
--- interrupt ---
acpicpu_idle() at acpicpu_idle+0x22d
cpu_idle_cycle() at cpu_idle_cycle+0x10
end trace frame: 0x0, count: -5

ddb{1}> mach ddbcpu 2
Stopped at Debugger+0x9: leave
Debugger() at Debugger+0x9
x86_ipi_handler() at x86_ipi_handler+0x76
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x1c
--- interrupt ---
acpicpu_idle() at acpicpu_idle+0x22d
cpu_idle_cycle() at cpu_idle_cycle+0x10
end trace frame: 0x0, count: 10

ddb{2}> trace
Debugger() at Debugger+0x9
x86_ipi_handler() at x86_ipi_handler+0x76
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x1c
--- interrupt ---
acpicpu_idle() at acpicpu_idle+0x22d
cpu_idle_cycle() at cpu_idle_cycle+0x10
end trace frame: 0x0, count: -5

ddb{2}> mach ddbcpu 3
Stopped at Debugger+0x9: leave
Debugger() at Debugger+0x9
x86_ipi_handler() at x86_ipi_handler+0x76
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x1c
--- interrupt ---
acpicpu_idle() at acpicpu_idle+0x22d
cpu_idle_cycle() at cpu_idle_cycle+0x10
end trace frame: 0x0, count: 10

ddb{3}> trace
Debugger() at Debugger+0x9
x86_ipi_handler() at x86_ipi_handler+0x76
Xresume_lapic_ipi() at Xresume_lapic_ipi+0x1c
--- interrupt ---
acpicpu_idle() at acpicpu_idle+0x22d
cpu_idle_cycle() at cpu_idle_cycle+0x10
end trace frame: 0x0, count: -5

ddb{3}> ps
  TID  PPID  PGRP  UID  S     FLAGS  WAIT    COMMAND
 8960 15339  8960    0  3       0x3  bioait  cp
16465 18320 16465    0  3      0x83  poll    systat
26860     0     0    0  3   0x14200  bored   srdis
22457     1 22457    0  3  0x100083  ttyin   getty
10940     1 10940    0  3  0x100083  ttyin   getty
30641     1 30641    0  3  0x100083  ttyin   getty
18320     1 18320    0  3  0x10008b  pause   ksh
15339     1 15339    0  3  0x10008b  pause   ksh
 2381     1  2381    0  3  0x100098  pool    cron
14885     1 14885   99  3  0x100090  pool    sndiod
25921     1 25921  110  3  0x100090  pool    sndiod
19894 26249 26249   95  3  0x100090  kqread  smtpd
19281 26249 26249   95  3  0x100090  kqread  smtpd
10089 26249 26249   95  3  0x100090  kqread  smtpd
25084 26249 26249   95  3  0x100090  kqread  smtpd
24862 26249 26249   95  3  0x100090  kqread  smtpd
15496 26249 26249  103  3  0x100090  kqread  smtpd
26249     1 26249    0  3  0x100090  kqread  smtpd
16966     1 16966    0  3      0x80  select  sshd
22068 28619 22385   83  3  0x100090  poll    ntpd
28619 22385 22385   83  3  0x100090  poll    ntpd
22385     1 22385    0  3  0x100080  poll    ntpd
 9328 28932 28932   74  3  0x100090  bpf     pflogd
28932     1 28932    0  3      0x80  netio   pflogd
 5510  9277  9277   73  3  0x100090  kqread  syslogd
 9277     1  9277    0  3  0x100080  netio   syslogd
12989     1 12989   77  3  0x100090  poll    dhclient
28690     1 28690    0  3      0x80  poll    dhclient
23316     0     0    0  3   0x14200  pgzero  zerothread
 2296     0     0    0  3   0x14200  a
Re: Panic when copying files
For the archive:

I changed the cabling.
RW disk on SATA3_A1
RO disk on SATA3_A2
(Instead of the other way around.)

Now no more kernel panic.
Re: Options for dealing with DES crypt password file
> Are there any workarounds for me using the old DES password hashes, or do we
> need to 'passwd ' for hundreds of users?
>

You could give John the Ripper a try.
Re: WireGuard, Windows mobile laptop and pf.conf?
Hi,

wgport 53

Unbound is configured to only listen on the loopback interface, so that shouldn't be interfering...

But it does
https://www.mail-archive.com/misc@openbsd.org/msg175837.html
Re: Difficulty booting UEFI from DVD
Hey guys. I'm trying to install OpenBSD on a laptop, but the UEFI boot manager doesn't see the DVD.

Have you tried it with Secure Boot disabled?
Re: sysupgrade failure logs
Hello,

Does sysupgrade leave any kind of logging behind which could help me to pinpoint why it is failing on one system while working on another apparently identical system?

You should get emails:

Subject: hostname upgrade response file
Subject: hostname upgrade log
Subject: hostname rc.sysmerge output
Subject: hostname rc.firsttime output

If you don't get them, my best guess would be that the system didn't boot the upgrade kernel. In that case check the /etc/boot.conf first.

For example

$ cat /etc/boot.conf
boot

prevents the upgrade kernel from being used.

(Because of that I have a simple "mv /etc/boot.conf /etc/boot.conf-Temp-sysupgrade", "mv /etc/boot.conf-Temp-sysupgrade /etc/boot.conf" in my Ansible upgrade script.)
Re: Global IPv4 with ARP and wireguard peers
Has anyone tried to get something like this to work?

A few years ago I did basically the same thing with the VPN function of ssh using the tun(4) network pseudo-device. Let me check my notes...

It starts the same way:

1. Commenting out the public address in /etc/hostname.vio0

2. Create a /etc/hostname.tun0 with the public address. (And no route)

$ cat /etc/hostname.tun0
10.255.255.7 1.2.Public.IP netmask 255.255.255.255

3. But then it differs and goes to pf:

# $EDITOR /etc/pf.conf
...
ext_if = "vio0"
ext_ip = "1.2.Public.IP"
rdr_if = "tun0"
rdr_ip = "1.2.Public.IP"
rdr_ports = "{1234, 16882, 44666, 32872 }"
tcpudp = "{ tcp, udp }"
pass in on $ext_if proto $tcpudp from any to $ext_ip port $rdr_ports rdr-to $rdr_ip

# pfctl -f /etc/pf.conf

# sysctl net.inet.ip.forwarding=1
# $EDITOR /etc/sysctl.conf
...
net.inet.ip.forwarding=1

And on the client side:

# $EDITOR /etc/hostname.tun0
1.2.Public.IP 10.255.255.7 netmask 255.255.255.255
!route add default 10.255.255.7

# $EDITOR /etc/hostname.re0
Remove the IPv4 default route. The tunnel runs over IPv6.

Change the numbers and device a little bit.

HTH
Re: email dkim signing failing with 6.8
On 23.05.2021 at 12:32, flipchan wrote:

Yeah, it was all working until I upgraded to 6.8, can someone else that is running opensmtpd with dkim send me their smtpd.conf? I assume I have written some rule wrong, not sure where doe

The config is all over the place. There is the rspamd filter and there is DKIM tagging with a match rules order that can't reach the tagging. It's like Martijn van Duren said, you are clearly using rspamd and not dkimproxy_out, which means your debugging is way off.

But things got easier anyway. Please install filter-dkimsign.

# pkg_add opensmtpd-filter-dkimsign

Remove everything dkim and rspamd from your current smtpd.conf.

Add

filter "dkimsg" proc-exec "filter-dkimsign -d example.com -s default \
    -k /var/dkimproxy/default.private -c relaxed/relaxed" \
    user _dkimsign group _dkimsign

and edit the line

listen on vio0 port 587 hostname example.com tls-require pki mail.example.com auth filter "rspamd"

to

listen on vio0 port 587 hostname example.com tls-require pki mail.example.com auth filter "dkimsg"

Or

# cat /etc/mail/smtpd.conf
table aliases file:/etc/mail/aliases

pki mail.example.com cert "/etc/ssl/mail.example.com.crt"
pki mail.example.com key "/etc/ssl/private/mail.example.com.key"

filter "dkimsg" proc-exec "filter-dkimsign -d example.com -s default \
    -k /var/dkimproxy/default.private -c relaxed/relaxed" \
    user _dkimsign group _dkimsign

listen on vio0 port 587 hostname example.com tls-require pki mail.example.com auth filter "dkimsg"
listen on vio0 port 25 hostname example.com tls pki mail.example.com

action "mbox" mbox alias
action "relay" relay

match from any for domain example.com action "mbox"
match for local action "mbox"
match auth from any for any action "relay"

If you really need rspamd for spam filtering add it back in and add the filter only to "listen on vio0 port 25". Otherwise uninstall it, since even in "standby" it produces lots of DNS traffic.

HTH
Re: iked server/client OBSD/OBSD
> what is wrong?
>
> client side iked.conf:
>
> ikev2 'roadwarrior' active esp \
>     from dynamic to any \
>     peer 45.77.223.7 \
>     srcid roadwarrior \
>     dstid server1.domain \
>     request address any \
>     iface lo1
>
> # iked -dv
> /etc/iked.conf: 43: invalid iface

lo1 must exist:

# ifconfig lo1 create

To create it at a reboot:

# touch /etc/hostname.lo1
Re: iked server/client OBSD/OBSD
> Questions about cert for roadwarrior and more?
> Why 192.168.1.79? i was expecting 10.0.5.x please.

Why did you expect that?

> spi=0xc166e8f236679cc9: recv IKE_SA_INIT res 0 peer 45.77.223.7:500 local 192.168.1.79:500, 255 bytes, policy 'roadwarrior'

192.168.1.79 is your local IP, which is on the interface with a link to the default gateway.

$ route -n show -inet

If you have multiple IPs and you want to force iked to use a specific one, you have to use "local":

    local 10.0.5.x peer 45.77.223.7 \

> spi=0xaf891eb37dd8f4cc: ca_getreq: no valid local certificate found for FQDN/roadwarrior
> spi=0xaf891eb37dd8f4cc: ca_getreq: using local public key of type RSA_KEY
> spi=0xaf891eb37dd8f4cc: send IKE_AUTH req 1 peer 45.77.223.7:4500 local 192.168.1.79:4500, 947 bytes, NAT-T
> spi=0xaf891eb37dd8f4cc: recv IKE_AUTH res 1 peer 45.77.223.7:4500 local 192.168.1.79:4500, 65 bytes, policy 'roadwarrior'
> spi=0xaf891eb37dd8f4cc: sa_free: authentication failed notification from peer

Just a guess, since I have never worked with trusted public keys, but maybe you have to copy the client's local.pub into /etc/iked/pubkeys/fqdn/roadwarrior (not /etc/iked/pubkeys/fqdn/roadwarrior/local.pub) or /etc/iked/pubkeys/ipv4/A.B.C.D on the server.
iked RoadWarrior IPv6
Hello,

I want to integrate a remote OpenBSD 7.2 machine into my local network. So it will be reachable via a local IPv4 address like 192.168.0.206. My local router and IPSec server is a LANCOM 1781EW+. The setup works already, but only if iked uses IPv4 and not IPv6. (I have a working IPv6 setup with strongSwan on Android though.)

# cat /etc/iked.conf
ikev2 "rathaus" active esp \
    from 192.168.0.0/24 to any \
    from dynamic to 192.168.0.0/24 \
    peer vpn.example.com \
    srcid o2@rathaus \
    psk "will-change-to-certs-if-testing-is-finished" \
    request address any \
    iface lo1

This config works if the peer entry is an IPv4 address or if vpn.example.com has only an A record. If vpn.example.com has an AAAA record or peer is an IPv6 address it will not work.

Working:

# iked -d
ikev2_init_ike_sa: initiating "rathaus"
spi=0x6fa20e5d5cc463ce: send IKE_SA_INIT req 0 peer 91.65.56.196:500 local 0.0.0.0:500, 518 bytes
spi=0x6fa20e5d5cc463ce: recv IKE_SA_INIT res 0 peer 91.65.56.196:500 local 192.168.1.210:500, 38 bytes, policy 'rathaus'
spi=0x6fa20e5d5cc463ce: sa_free: reinitiating with new DH group
ikev2_init_ike_sa: initiating "rathaus"
spi=0x22213067a8f10273: send IKE_SA_INIT req 0 peer 91.65.56.196:500 local 0.0.0.0:500, 742 bytes
spi=0x22213067a8f10273: recv IKE_SA_INIT res 0 peer 91.65.56.196:500 local 192.168.1.210:500, 487 bytes, policy 'rathaus'
spi=0x22213067a8f10273: send IKE_AUTH req 1 peer 91.65.56.196:4500 local 192.168.1.210:4500, 327 bytes, NAT-T
spi=0x22213067a8f10273: recv IKE_AUTH res 1 peer 91.65.56.196:4500 local 192.168.1.210:4500, 239 bytes, policy 'rathaus'
spi=0x22213067a8f10273: ikev2_ike_auth_recv: obtained lease: 192.168.0.206
spi=0x22213067a8f10273: ikev2_ike_auth_recv: obtained DNS: 192.168.1.254
spi=0x22213067a8f10273: ikev2_childsa_enable: loaded SPIs: 0xcffacc66, 0xe1e53f59 (enc aes-256-gcm)
spi=0x22213067a8f10273: ikev2_childsa_enable: loaded flows: ESP-192.168.0.0/24=0.0.0.0/0(0)
spi=0x22213067a8f10273: established peer 91.65.56.196:4500[UFQDN/o2@rathaus] local 192.168.1.210:4500[UFQDN/o2@rathaus] policy 'rathaus' as initiator (enc aes-256-gcm group modp2048 prf hmac-sha2-256)

Not working:

# iked -vd
ikev2 "rathaus" active tunnel esp inet6 from 192.168.0.0/24 to 0.0.0.0/0 from 0.0.0.0 to 192.168.0.0/24 local any peer 2a02:810d:0:bf:c816:fbf3:8a40:7821 ikesa enc aes-128-gcm enc aes-256-gcm prf hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512 prf hmac-sha1 group curve25519 group ecp521 group ecp384 group ecp256 group modp4096 group modp3072 group modp2048 group modp1536 group modp1024 ikesa enc aes-256 enc aes-192 enc aes-128 enc 3des prf hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512 prf hmac-sha1 auth hmac-sha2-256 auth hmac-sha2-384 auth hmac-sha2-512 auth hmac-sha1 group curve25519 group ecp521 group ecp384 group ecp256 group modp4096 group modp3072 group modp2048 group modp1536 group modp1024 childsa enc aes-128-gcm enc aes-256-gcm group none esn noesn childsa enc aes-256 enc aes-192 enc aes-128 auth hmac-sha2-256 auth hmac-sha2-384 auth hmac-sha2-512 auth hmac-sha1 group none esn noesn srcid o2@rathaus lifetime 10800 bytes 4294967296 psk 0xfoobar config address any iface lo1
ikev2_init_ike_sa: initiating "rathaus"
spi=0x12efeecdd9b0e8b6: send IKE_SA_INIT req 0 peer 2a02:810d:0:bf:c816:fbf3:8a40:7821:500 local :::500, 518 bytes
spi=0x12efeecdd9b0e8b6: recv IKE_SA_INIT res 0 peer 2a02:810d:0:bf:c816:fbf3:8a40:7821:500 local 2003:c8:2721:cc00:f773:7319:68a6:8ed8:500, 38 bytes, policy 'rathaus'
spi=0x12efeecdd9b0e8b6: sa_free: reinitiating with new DH group
ikev2_init_ike_sa: initiating "rathaus"
spi=0x4657d2d35de226ed: send IKE_SA_INIT req 0 peer 2a02:810d:0:bf:c816:fbf3:8a40:7821:500 local :::500, 742 bytes
spi=0x4657d2d35de226ed: recv IKE_SA_INIT res 0 peer 2a02:810d:0:bf:c816:fbf3:8a40:7821:500 local 2003:c8:2721:cc00:f773:7319:68a6:8ed8:500, 487 bytes, policy 'rathaus'
(Around this point the router reports: "IKEV2C_O2 connected")
spi=0x4657d2d35de226ed: send IKE_AUTH req 1 peer 2a02:810d:0:bf:c816:fbf3:8a40:7821:500 local 2003:c8:2721:cc00:f773:7319:68a6:8ed8:500, 359 bytes
spi=0x4657d2d35de226ed: retransmit 1 IKE_AUTH req 1 peer 2a02:810d:0:bf:c816:fbf3:8a40:7821:500 local 2003:c8:2721:cc00:f773:7319:68a6:8ed8:500
spi=0x4657d2d35de226ed: retransmit 2 IKE_AUTH req 1 peer 2a02:810d:0:bf:c816:fbf3:8a40:7821:500 local 2003:c8:2721:cc00:f773:7319:68a6:8ed8:500
spi=0x4657d2d35de226ed: retransmit 3 IKE_AUTH req 1 peer 2a02:810d:0:bf:c816:fbf3:8a40:7821:500 local 2003:c8:2721:cc00:f773:7319:68a6:8ed8:500
spi=0x4657d2d35de226ed: retransmit 4 IKE_AUTH req 1 peer 2a02:810d:0:bf:c816:fbf3:8a40:7821:500 local 2003:c8:2721:cc00:f773:7319:68a6:8ed8:500
spi=0x4657d2d35de226ed: retransmit 5 IKE_AUTH req 1 peer 2a02:810d:0:bf:c816:fbf3:8a40:7821:500 local 2003:c8:2721:cc00:f773:7319:68a6:8ed8:500
spi=0x4657d2d35de226ed: recv IKE_AUTH res 1 peer 2a02:810d:0:bf:c816:fbf3:8a40:7821:500 local 2003:c8:2721:cc00:f
Re: Disable amdgpu driver without a working keyboard in UKC?
Hello,

> I wanted to try that out by running the same `disable amdgpu` command in UKC, but neither the built-in keyboard nor my external keyboard work in UKC mode. Is there an alternative way of disabling amdgpu when my keyboards don't work? Perhaps I can echo to some config file during the `boot>` prompt?

You could SSH into the machine or use the install kernel to drop into a shell. From there you could create a bsd.re-config file.

man bsd.re-config
Re: iked RoadWarrior IPv6
> # cat /etc/iked.conf
> ikev2 "rathaus" active esp \
>     from 192.168.0.0/24 to any \
>     from dynamic to 192.168.0.0/24 \
>     peer vpn.example.com \
>     srcid o2@rathaus \
>     psk "will-change-to-certs-if-testing-is-finished" \
>     request address any \
>     iface lo1

I discovered that

    peer vpn.example.com local 2003:c8:2721:cc00:f773:7319:68a6:8ed8

works. (Even though the logs show that this address is already used you have to explicitly mention it via "local" again.)

Since "local" accepts a hostname, my workaround/solution is:

    peer vpn.example.com local dyndns-client.example.com
Re: opensmtpd-filter-dkimsign-0.5
> Now dkimsign is failing and i have not been able to repair it, could somebody please help?
>
> # smtpd -d
> info: OpenSMTPD 7.0.0 starting
> dkimsign: Can't open key file (/etc/mail/dkim/agroena.org.private.key): Permission denied
> warn: lost processor: dkimsign exited abnormally
> Exiting
>
> # doas -u _dkimsign openssl genrsa -out /etc/mail/dkim/private.rsa.key 2048
> /etc/mail/dkim/private.rsa.key: Permission denied
> 5824620405456:error:02FFF00D:system library:func(4095):Permission denied:/usr/src/lib/libcrypto/bio/bss_file.c:257:fopen('/etc/mail/dkim/private.rsa.key', 'w')
> 5824620405456:error:20FFF002:BIO routines:CRYPTO_internal:system lib:/usr/src/lib/libcrypto/bio/bss_file.c:259:

Please share

cat /etc/mail/smtpd.conf
ls -la /etc/mail/dkim/
Re: [SPAM] Re: opensmtpd-filter-dkimsign-0.5
# openssl genrsa -out /etc/mail/dkim/agroena.org.private.key 2048

and

# chown _dkimsign:_dkimsign /etc/mail/dkim/agroena.org.private.key
# chmod 440 /etc/mail/dkim/agroena.org.private.key
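The "Permission denied" in this thread comes down to the owner/group/other mode bits as seen by the filter's user. The following is an added example, not part of the thread and not code from OpenSMTPD or filter-dkimsign: it reports why a given uid cannot read a key file and whether other users can. The function names and the stop_at parameter are assumptions of this example; ACLs and root's override are ignored.

```python
import os
import stat
import sys

READ, WRITE, SEARCH = 4, 2, 1


def allowed(st, uid, gids, want):
    """Evaluate the classic Unix mode bits of one stat result for one identity:
    owner bits if uid owns it, else group bits, else the bits for others."""
    if st.st_uid == uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return bool(bits & want)


def audit_key(path, uid, gids, stop_at="/"):
    """Return a list of findings for a private key that `uid` must read.

    Checks search permission on every directory from stop_at down to the
    key's parent, read permission on the key itself, and exposure of the
    key to other users. An empty list means nothing was found.
    """
    findings = []
    path = os.path.realpath(path)
    stop_at = os.path.realpath(stop_at)

    # Collect the key's ancestors, innermost first, up to stop_at (or /).
    dirs = []
    cur = os.path.dirname(path)
    while True:
        dirs.append(cur)
        if cur == stop_at or cur == os.path.dirname(cur):
            break
        cur = os.path.dirname(cur)

    for d in reversed(dirs):
        if not allowed(os.stat(d), uid, gids, SEARCH):
            findings.append(f"uid {uid} has no search permission on {d}")

    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        findings.append(f"{path} is not a regular file")
    if not allowed(st, uid, gids, READ):
        findings.append(f"uid {uid} cannot read {path}")
    if st.st_mode & 0o007:
        findings.append(f"{path} is accessible to other users "
                        f"(mode {stat.S_IMODE(st.st_mode):04o})")
    return findings


if __name__ == "__main__":
    # Usage: script.py /etc/mail/dkim/agroena.org.private.key _dkimsign
    import pwd
    key_path, user = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(user)
    groups = set(os.getgrouplist(user, pw.pw_gid))
    for finding in audit_key(key_path, pw.pw_uid, groups) or ["ok"]:
        print(finding)
```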
Re: OpenIKE2 question
> Hello everyone.
>
> I'm planning to use OpenIKEv2 not just for VPN tunnel, but also to give client Internet access through that tunnel (none other for that client). Is it possible? Do I need additional config options or will default gateway become available on the system once connected to VPN?

Yes, and it also sets the DNS server to what the VPN server tells it to.
Re: Locking network card configuration
Hello,

I suppose there is some argument that we should support hostname.MAC files

Maybe a function in netstart right before vifscreate could be enough to achieve this?

I created this diff, against stable for now though, as a test.

Create a /etc/hostname.MAC file like you would create a /etc/hostname.if file. (MAC = lladdr as shown with ifconfig. Like /etc/hostname.08:00:27:14:26:0d)

/etc/netstart then creates a symbolic link to the corresponding hostname.if. If there is a hostname.if file it is not overwritten. The rest works the same.

--- netstartTue Sep 27 19:39:43 2022 +++ netstartTue Nov 22 03:39:49 2022 @@ -104,6 +104,21 @@ ifcreate() { fi } +# Symlink hostname.MAC to hostname.if. +# Existing hostname.if-file (no symlink) wins. +link_MAC_to_if() { + local _hn _mac _if + + for _hn in /etc/hostname.??:??:??:??:??:??; do + _mac=`echo $_hn | cut -c 15-31` + _if=`ifconfig | grep -B 1 $_mac | head -n 1 | awk -F ": " '{print $1}'` + # Only create a symlink if /etc/hostname.$_if is not a normal file. + if [[ -h /etc/hostname.$_if ]] || [[ ! -e /etc/hostname.$_if ]]; then + ln -fs /etc/hostname.$_mac /etc/hostname.$_if + fi + done +} + # Create interfaces for network pseudo-devices referred to by hostname.if files. # Optionally, limit creation to given interfaces only. # Usage: vifscreate [if ...] @@ -356,6 +371,9 @@ if ifconfig lo0 inet6 >/dev/null 2>&1; then else ip6kernel=NO fi + +# Symlink hostname.MAC to hostname.if. +link_MAC_to_if # Create all the pseudo interfaces up front. vifscreate
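Review bot: In link_MAC_to_if (first hunk) the result of the ifconfig lookup is used without checking that it found anything. If no interface currently carries that lladdr, or the glob /etc/hostname.??:??:??:??:??:?? matches nothing and the loop runs once on the literal pattern, _if is empty and the ln call creates a link named "/etc/hostname." pointing at the MAC file. Skip the iteration unless $_hn exists and $_if is non-empty. The unquoted $_mac is also handed to grep as a pattern matched anywhere in the ifconfig output, and head -n 1 silently takes the first hit when more than one interface shows the same address, so matching only the lladdr line and handling multiple hits explicitly would be safer.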
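Review bot: The unconditional call placed before vifscreate (second hunk) modifies /etc on every netstart run, and the function it calls only ever adds or repoints links. Nothing removes a hostname.if symlink created on an earlier boot once the card behind it is gone or shows up under another name, so that stale link is still present when vifscreate reads the hostname.if files. Consider clearing symlinks that point at a hostname.MAC file before relinking, and say in the comment that files under /etc are changed at boot.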
Re: Locking network card configuration
> mac2dev() {
>     # This got long
>     ifconfig | while IFS= read _line; do
>         if [[ "$_line" = [a-z]!(\ *):* ]]; then
>             _dev=${_line%%:*}
>         elif [[ "$_line" = *lladdr*$1* && $_dev != vlan* ]]; then
>             echo $_dev
>         fi
>     done
> }
> _if=$(mac2dev "$_mac")
> # or just
> _if=$(mac2dev ${_hn#*.})

My solution would have been:

_if=`ifconfig | while read _line; do
    [[ $_line == "lladdr "$_mac ]] && \
        echo ${_lineabove%:*} && break
    _lineabove=$_line
done`

I didn't know about vlan though.

> Note that the vlan devices need to be excluded. Are there other circumstances which could confuse this in ifconfig's output?

svlan
ikev2_resp_create_child_sa: no proposal chosen
Hello,

I have several OpenBSD 7.2 connected to a commercial VPN-Router (LANCOM 1781EW+) using iked. It works, except every time the Child SA negotiation starts, iked answers NO_PROPOSAL_CHOSEN to the router. Which leads to closed connections and a new IKE SA negotiation. I don't understand this because the proposal looks supported to me.

# cat /etc/iked.conf
set dpd_check_interval 30
ikev2 "rathaus" active \
    from 192.168.0.0/24 to any \
    from dynamic to 192.168.0.0/24 \
    from dynamic to 192.168.11.55/32 \
    local 192.168.1.210 peer 88.14.XXX.YYY \
    srcid "/C=DE/ST=.../CN=o2.example.com" \
    dstid "/C=DE/ST=.../CN=vpn.example.com" \
    request address any \
    iface lo1

# iked -d
ikev2_init_ike_sa: initiating "rathaus"
spi=0xd2135463734ddcce: send IKE_SA_INIT req 0 peer 88.14.XXX.YYY:500 local 192.168.1.210:500, 518 bytes
spi=0xd2135463734ddcce: recv IKE_SA_INIT res 0 peer 88.14.XXX.YYY:500 local 192.168.1.210:500, 38 bytes, policy 'rathaus'
spi=0xd2135463734ddcce: sa_free: reinitiating with new DH group
ikev2_init_ike_sa: initiating "rathaus"
spi=0x0a131729beeb819a: send IKE_SA_INIT req 0 peer 88.14.XXX.YYY:500 local 192.168.1.210:500, 742 bytes
spi=0x0a131729beeb819a: recv IKE_SA_INIT res 0 peer 88.14.XXX.YYY:500 local 192.168.1.210:500, 487 bytes, policy 'rathaus'
spi=0x0a131729beeb819a: send IKE_AUTH req 1 peer 88.14.XXX.YYY:4500 local 192.168.1.210:4500, 3144 bytes, NAT-T
spi=0x0a131729beeb819a: recv IKE_AUTH res 1 peer 88.14.XXX.YYY:4500 local 192.168.1.210:4500, 2885 bytes, policy 'rathaus'
spi=0x0a131729beeb819a: ikev2_ike_auth_recv: obtained lease: 192.168.0.206
spi=0x0a131729beeb819a: ikev2_ike_auth_recv: obtained DNS: 192.168.1.254
spi=0x0a131729beeb819a: ikev2_childsa_enable: loaded SPIs: 0xc9b95a8c, 0xd6296d4a (enc aes-256-gcm)
spi=0x0a131729beeb819a: ikev2_childsa_enable: loaded flows: ESP-192.168.0.0/24=0.0.0.0/0(0), ESP-192.168.0.206/32=192.168.0.0/24(0), ESP-192.168.0.206/32=192.168.11.55/32(0)
spi=0x0a131729beeb819a: established peer 88.14.XXX.YYY:4500[ASN1_DN//C=DE/ST=.../CN=vpn.example.com] local 192.168.1.210:4500[ASN1_DN//C=DE/ST=.../CN=o2.example.com] policy 'rathaus' as initiator (enc aes-256-gcm group modp2048 prf hmac-sha2-256)

The VPN-Router eventually does this:

[VPN-Status] 2023/02/23 21:12:41,019 Devicetime: 2023/02/23 21:12:45,358
Soft lifetime event occurred for 'IPSEC-0-O2-PR0-L0-R0' (responder 70/28800 sec flags 0x0001)
CHILD_SA ESP IPSEC_ESP Outbound-SPI 0x31B16169 Inbound-SPI 0x8F1A3175
Establishing CREATE_CHILD_SA exchange for IPSEC-0-O2-PR0-L0-R0 (O2)
CHILD_SA ('', '' ) entered to SADB
Peer O2: Constructing an CREATE_CHILD_SA-REQUEST for send
Soft-Event occurred for peer IPSEC-0-O2-PR0-L0-R0 (Responder, flags 0x2001)
Starting a CHILD_SA rekeying for CHILD_SA:
Rekeyed SA: ESP outgoing [0x31B16169], incoming [0x8F1A3175]
+CHILD-SA:
  ESP-Proposal-1 My-SPI: 0xE9D1F2BD (5 transforms)
    ENCR : AES-GCM-16-256 AES-CBC-256
    INTEG: HMAC-SHA-256 HMAC-SHA1
    ESN : NONE
+Rekeying TSi 0: ( 0, 0-65535, 0.0.0.0-255.255.255.255)
+Rekeying TSr 0: ( 0, 0-65535, 192.168.0.206-192.168.0.206 )
Message scheduled for retransmission (1) in 8.773356 seconds
Sending an CREATE_CHILD_SA-REQUEST of 217 bytes (responder encrypted)
Gateways: 88.14.XXX.YYY:4500-->84.17.XXX.ZZZ:4500, tag 0 (UDP)
SPIs: 0x6ECF7D9294CBC2A7FE91F645321E6EEE, Message-ID 0

Which iked responds to with:

spi=0x0a131729beeb819a: recv CREATE_CHILD_SA req 0 peer 88.14.XXX.YYY:4500 local 192.168.1.210:4500, 217 bytes, policy 'rathaus'
ikev2_resp_create_child_sa: no proposal chosen
spi=0x0a131729beeb819a: ikev2_log_proposal: ESP #1 ENCR=AES_GCM_16-256
spi=0x0a131729beeb819a: ikev2_log_proposal: ESP #1 ENCR=AES_CBC-256
spi=0x0a131729beeb819a: ikev2_log_proposal: ESP #1 INTEGR=HMAC_SHA2_256_128
spi=0x0a131729beeb819a: ikev2_log_proposal: ESP #1 INTEGR=HMAC_SHA1_96
spi=0x0a131729beeb819a: ikev2_log_proposal: ESP #1 ESN=NONE
spi=0x0a131729beeb819a: ikev2_add_error: NO_PROPOSAL_CHOSEN
spi=0x0a131729beeb819a: send CREATE_CHILD_SA res 0 peer 88.14.XXX.YYY:4500 local 192.168.1.210:4500, 65 bytes, NAT-T
spi=0x0a131729beeb819a: recv INFORMATIONAL req 1 peer 88.14.XXX.YYY:4500 local 192.168.1.210:4500, 77 bytes, policy 'rathaus'
spi=0x0a131729beeb819a: ikev2_ikesa_recv_delete: received delete
spi=0x0a131729beeb819a: send INFORMATIONAL res 1 peer 88.14.XXX.YYY:4500 local 192.168.1.210:4500, 57 bytes, NAT-T
spi=0x0a131729beeb819a: sa_free: received delete

I got desperate and tried adding this to iked.conf, which didn't help:

    childsa group modp2048 \
    childsa group modp2048 noesn\
    childsa enc aes-256-gcm group modp2048 \
    childsa enc aes-256-gcm group modp2048 noesn \
    childsa enc aes-256 group modp2048 \
    childsa enc aes-256 group modp2048 noesn \
    childsa enc aes-256-gcm group modp2048 prf hmac-sha2-256 \
    childsa enc aes-256-gcm group modp2048 prf hmac-sha2-256 noesn \
    childsa enc aes-256 group modp2048
Re: ikev2_resp_create_child_sa: no proposal chosen
Thanks for your responses.

> > Try adding some non-modp2048 options. Maybe look at the SA installed from the initial negotiation (ipsecctl -vvsa) for ideas.
>
> I think this is the right answer. The log tells you what the other side sent:
>
> spi=0x0a131729beeb819a: ikev2_log_proposal: ESP #1 ENCR=AES_CBC-256
> spi=0x0a131729beeb819a: ikev2_log_proposal: ESP #1 INTEGR=HMAC_SHA2_256_128
> spi=0x0a131729beeb819a: ikev2_log_proposal: ESP #1 INTEGR=HMAC_SHA1_96
> spi=0x0a131729beeb819a: ikev2_log_proposal: ESP #1 ESN=NONE
>
> There isn't any DH group for PFS here, so drop the modp2048 or add it on the other side.

I tried countless different childsa lines, without success. Modp2048 didn't show up because I deactivated PFS. I didn't know this was correlated. Now it shows up:

ikev2_log_proposal: ESP #1 DH=MODP_2048

I then removed SHA1 and AES-CBC-256 from the IKE-/Child-SA hash/cipher list on the VPN-router. Having now only:

DH group: DH14 (MODP-2048)
PFS: Yes
IKE-/Child-SA: Cipher: AES-GCM-256, Hash: SHA-256

(Available settings are described here https://www.lancom-systems.com/docs/LCOS/Refmanual/EN/#topics/lanconfig_vpn_ikev2-ipsec_encryption.html )

And this line in iked.conf:

    childsa enc aes-256-gcm group modp2048 \

At first it looks ok. iked reports:

spi=0xf3e9aaf0b7009e4e: recv CREATE_CHILD_SA req 0 peer 88.14.XXX.YYY:4500 local 192.168.1.210:4500, 461 bytes, policy 'rathaus'
spi=0xf3e9aaf0b7009e4e: send CREATE_CHILD_SA res 0 peer 88.14.XXX.YYY:4500 local 192.168.1.210:4500, 497 bytes, NAT-T
spi=0xf3e9aaf0b7009e4e: ikev2_childsa_enable: loaded SPIs: 0x2f843f59, 0x18f271c6 (enc aes-256-gcm group modp2048)

But the VPN-Router has an IKE-I-General-failure 0x21ff. All of a sudden it's a problem that I only want to route specific networks?! IPSec is so exhausting.

For those who are interested, this is what the VPN-router reports:

...
[VPN-Status] 2023/02/25 02:01:49,268 Devicetime: 2023/02/25 02:01:49,040
Peer O2 [responder]: Received an CREATE_CHILD_SA-RESPONSE of 497 bytes (encrypted)
Gateways: 88.14.XXX.YYY:4500<--84.17.XXX.ZZZ:4500
SPIs: 0xF3E9AAF0B7009E4E6A017F990A97DF8F, Message-ID 0
Determining best intersection for TSi
  Expected TS :( 0, 0-65535, 0.0.0.0-255.255.255.255)
  Received TS :( 0, 0-65535, 0.0.0.0-255.255.255.255)
  Intersection:( 0, 0-65535, 0.0.0.0-255.255.255.255)
Determining best intersection for TSi
  Expected TS :( 0, 0-65535, 0.0.0.0-255.255.255.255)
  Received TS :( 0, 0-65535, 192.168.0.0-192.168.0.255 )
  Intersection:( 0, 0-65535, 192.168.0.0-192.168.0.255 )
Determining best intersection for TSi
  Expected TS :( 0, 0-65535, 0.0.0.0-255.255.255.255)
  Received TS :( 0, 0-65535, 192.168.11.55-192.168.11.55 )
  Intersection:( 0, 0-65535, 192.168.11.55-192.168.11.55 )
  Best:( 0, 0-65535, 0.0.0.0-255.255.255.255)
Determining best intersection for TSr
  Expected TS :( 0, 0-65535, 192.168.0.206-192.168.0.206 )
  Received TS :( 0, 0-65535, 192.168.0.0-192.168.0.255 )
  Intersection:( 0, 0-65535, 192.168.0.206-192.168.0.206 )
Determining best intersection for TSr
  Expected TS :( 0, 0-65535, 192.168.0.206-192.168.0.206 )
  Received TS :( 0, 0-65535, 0.0.0.0-0.0.0.0)
  -No intersection
  Best:( 0, 0-65535, 192.168.0.206-192.168.0.206 )
-Received Traffic selectors are super set of proposed traffic selectors -> abort
Proposed TSi: ( 0, 0-65535, 0.0.0.0-255.255.255.255)
Proposed TSr: ( 0, 0-65535, 192.168.0.206-192.168.0.206 )

[VPN-Status] 2023/02/25 02:01:49,268 Devicetime: 2023/02/25 02:01:49,041
Hard lifetime event occurred for '' (initiator flags 0x4008)
CHILD_SA ESP
No IKE_SA found for

[VPN-Status] 2023/02/25 02:01:49,268 Devicetime: 2023/02/25 02:01:49,041
VPN: policy manager error indication: O2 (84.17.XXX.ZZZ), cause: 8703

[VPN-Status] 2023/02/25 02:01:49,268 Devicetime: 2023/02/25 02:01:49,048
VPN: Error: IKE-I-General-failure (0x21ff) for O2 (84.17.XXX.ZZZ) IKEv2
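The DH-group mismatch discussed above can be read straight out of the ikev2_log_proposal lines. The following is an added example, not part of the thread and not iked's own selection code: a simplified responder-side model in the spirit of RFC 7296, where every transform type the local policy lists must be present in the peer's proposal. The policy dictionaries, the function names and the second sample offer are assumptions constructed for this example.

```python
import re

# Constructed sample input: the ikev2_log_proposal lines quoted in the thread
# (the router's CREATE_CHILD_SA offer while PFS was switched off).
OFFER_NO_PFS = """\
spi=0x0a131729beeb819a: ikev2_log_proposal: ESP #1 ENCR=AES_GCM_16-256
spi=0x0a131729beeb819a: ikev2_log_proposal: ESP #1 ENCR=AES_CBC-256
spi=0x0a131729beeb819a: ikev2_log_proposal: ESP #1 INTEGR=HMAC_SHA2_256_128
spi=0x0a131729beeb819a: ikev2_log_proposal: ESP #1 INTEGR=HMAC_SHA1_96
spi=0x0a131729beeb819a: ikev2_log_proposal: ESP #1 ESN=NONE
"""

# Constructed sample: an offer as it would look with the router limited to
# AES-GCM-256 and DH14 with PFS enabled (placeholder spi).
OFFER_WITH_PFS = """\
spi=0x0000000000000000: ikev2_log_proposal: ESP #1 ENCR=AES_GCM_16-256
spi=0x0000000000000000: ikev2_log_proposal: ESP #1 DH=MODP_2048
spi=0x0000000000000000: ikev2_log_proposal: ESP #1 ESN=NONE
"""

# Assumed local policies, written with the names iked uses in its log.
# "childsa enc aes-256-gcm group modp2048" versus the same line without a group.
LOCAL_WITH_GROUP = {"ENCR": ["AES_GCM_16-256"], "DH": ["MODP_2048"], "ESN": ["NONE"]}
LOCAL_NO_GROUP = {"ENCR": ["AES_GCM_16-256"], "ESN": ["NONE"]}

PROPOSAL_RE = re.compile(r"ikev2_log_proposal: (\w+) #(\d+) (\w+)=(\S+)")


def parse_offers(log_text):
    """Group logged transforms as {(protocol, proposal number): {type: [values]}}."""
    offers = {}
    for line in log_text.splitlines():
        m = PROPOSAL_RE.search(line)
        if m:
            proto, num, ttype, value = m.groups()
            offers.setdefault((proto, int(num)), {}).setdefault(ttype, []).append(value)
    return offers


def is_aead(encr):
    """AES-GCM provides integrity itself, so no INTEGR transform is needed."""
    return encr.startswith("AES_GCM")


def select(offer, local):
    """Return (chosen transforms, None) or (None, reason the proposal fails)."""
    chosen = {}
    for ttype, accepted in local.items():
        offered = offer.get(ttype, [])
        if not offered:
            return None, (f"peer offered no {ttype} transform but local policy "
                          f"requires one of {accepted}")
        common = [v for v in accepted if v in offered]
        if not common:
            return None, f"no common {ttype} transform (offered {offered})"
        chosen[ttype] = common[0]
    for ttype in offer:
        if ttype in chosen:
            continue
        if ttype == "INTEGR" and is_aead(chosen.get("ENCR", "")):
            continue
        return None, f"peer offered {ttype} transforms but local policy lists none"
    return chosen, None


def explain(log_text, local):
    """Try each logged proposal in order; return (chosen, list of rejections)."""
    reasons = []
    for (proto, num), offer in sorted(parse_offers(log_text).items()):
        chosen, reason = select(offer, local)
        if chosen is not None:
            return chosen, reasons
        reasons.append(f"{proto} #{num}: {reason}")
    return None, reasons


if __name__ == "__main__":
    print(explain(OFFER_NO_PFS, LOCAL_WITH_GROUP))
    print(explain(OFFER_WITH_PFS, LOCAL_WITH_GROUP))
```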
Re: ikev2_resp_create_child_sa: no proposal chosen
> But the VPN-Router has an IKE-I-General-failure 0x21ff. All of a sudden it's a problem that I only want to route specific networks?! IPSec is so exhausting.

I got it working.

The trick is to have iked send the CREATE_CHILD_SA request / initiate the rekeying first. Either by having lower ikelifetime and lifetime values than on the VPN-router, or by setting higher values on the VPN-router than the iked standards.

I configured iked with halved values my LANCOM router uses. This is stable over time as well as over bytes transferred.

# cat /etc/iked.conf
set dpd_check_interval 30
ikev2 "rathaus" active \
    from 192.168.0.0/24 to any \
    from dynamic to 192.168.0.0/24 \
    from dynamic to 192.168.11.55/32 \
    local 192.168.1.210 peer IPv4.example.com \
    childsa enc aes-256-gcm group modp2048 \
    srcid "/C=DE/ST=.../CN=o2.example.local" \
    dstid "/C=DE/ST=.../CN=vpn.example.com" \
    ikelifetime 54000 \
    lifetime 14400 bytes 1G \
    request address any \
    iface lo1
Re: Cannot connect to iked, authenticate fails
Hello,

> ikev2 "vpn" passive esp \
>     from dynamic to 185.21.22.23/32 \
>     local egress peer any \
>     ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group modp2048 \
>     childsa enc aes-256 auth hmac-sha2-256 group modp2048 \
>     srcid 185.21.22.23 \
>     dstid p7.local \
>     config address 172.24.24.0/24 \
>     config name-server 172.24.24.1 \
>
> Any ideas / working config for a dynamic client hosting an iked on a VPS?

When using certificates I always use ASN1_DN for srcid and dstid. It should look something like this:

    srcid "/C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=185.21.22.23/emailAddress=r...@openbsd.org " \
    dstid "/C=DE/ST=Lower Saxony/L=Hanover/O=OpenBSD/OU=iked/CN=p7.local/emailAddress=r...@openbsd.org" \

(I have never used "ikectl ca", so I'm not sure what the files are called. But with something like this you should be able to get the srcid/dstid-lines:

    openssl x509 -subject -noout -in 185.21.22.23.crt
    openssl x509 -subject -noout -in p7.local.crt)
Re: File system is full after using dd
On 15.04.2023 at 16:14, Lorenzo Torres wrote:
> Hello, I've run the dd command to wipe the data of an SD card:
>
> dd if=/dev/zero of=/dev/rsdb1c bs=1M
>
> After quite some time it crashed saying that the / filesystem is full and even after a reboot the same happens. Now I can't even run xorg because the fs is full. Any idea on why this happened?

You most likely wrote into a file and not onto the SD card. Just delete the file.
Re: Encrypted softraid - Operational question
Hi

> In a server with an encrypted root - server boots with key in USB stick, not passphrase. Can I remove the USB stick with the key, after the server is up and running?

Yes

> Will I have any problems doing that?

No. Though not at the moment, I used such a setup for years. Only inserting the stick for reboots.
Re: ffs and utf8
On 29.11.2014 at 13:20, frantisek holop wrote:
> i think i should clarify this a bit: they show perfect in midnight commander, not in shell.
>
> $ touch »´ÁÉǑÄ«
> $ ls
> ??

# ls | cat

Will display the characters right. Not entirely sure why though.
Re: problems with run wirless driver
Is your SSID hidden? I had the same problem on 5.6-stable when the SSID was hidden. Thankfully I could change the AP behaviour. No more problems since.

hth

On 05.01.2015 at 11:30, Clemens Goessnitzer wrote:
> Hello everyone,
>
> I am running -current as of end-Decemberish. I am using a Ralink chip powered wireless adapter (chip: Ralink RT3052), which should be supported by the run driver. However, I get
>
> # sh /etc/netstart run0
> run0: no link ... sleeping
>
> when I try to start the network (also at boot time, configured via hostname.run0)
> Although the network said it got no link at boot time, networking after login works fine.
IPv6 gateway fe80::1 needs a ping to work
Hello List,

my vServer hosting provider states the IPv6 default gateway as fe80::1. To get IPv6 traffic flowing it's necessary to ping fe80::1 first. For now I help myself with the following line in crontab

@reboot sleep 10 && ping6 -c 10 fe80::1\%vio0 > /dev/null

It doesn't feel right though. Is there a better way? ndp -s doesn't work because I'm unable to set the R flag.

Apologies for the following information overload:

Freshly booted system:

# cat /etc/hostname.vio0
inet 5.45.103.6 255.255.252.0
!route add default 5.45.100.1
inet6 2a03:4000:6:f0::47/64
inet6 alias 2a03:4000:6:f0::47:e/64
!route add -inet6 default fe80::1%vio0

# ifconfig
lo0: flags=8049 mtu 32768
        priority: 0
        groups: lo
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff00
vio0: flags=8843 mtu 1500
        lladdr 52:54:cf:85:a9:c9
        priority: 0
        groups: egress
        media: Ethernet autoselect
        status: active
        inet 5.45.103.6 netmask 0xfc00 broadcast 5.45.103.255
        inet6 fe80::5054:cfff:fe85:a9c9%vio0 prefixlen 64 scopeid 0x1
        inet6 2a03:4000:6:f0::47 prefixlen 64
        inet6 2a03:4000:6:f0::47:e prefixlen 64
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active
pflog0: flags=141 mtu 33144
        priority: 0
        groups: pflog

# ndp -na
Neighbor  Linklayer Address  Netif  Expire  S Flags
2a03:4000:6:f0::47  52:54:cf:85:a9:c9  vio0  permanent  R l
2a03:4000:6:f0::47:e  52:54:cf:85:a9:c9  vio0  permanent  R l
fe80::1%vio0  (incomplete)  vio0  expired  N
fe80::5054:cfff:fe85:a9c9%vio0  52:54:cf:85:a9:c9  vio0  permanent  R l

# route -n show -inet6
Routing tables

Internet6:
Destination  Gateway  Flags  Refs Use  Mtu  Prio  Iface
::/104  ::1  UGRS  00  32768  8  lo0
::/96  ::1  UGRS  00  32768  8  lo0
default  fe80::1%vio0  UGS  00  -  8  vio0
::1  ::1  UHl  140  32768  1  lo0
::1  ::1  UH  00  32768  4  lo0
::127.0.0.0/104  ::1  UGRS  00  32768  8  lo0
::224.0.0.0/100  ::1  UGRS  00  32768  8  lo0
::255.0.0.0/104  ::1  UGRS  00  32768  8  lo0
:::0.0.0.0/96  ::1  UGRS  00  32768  8  lo0
2002::/24  ::1  UGRS  00  32768  8  lo0
2002:7f00::/24  ::1  UGRS  00  32768  8  lo0
2002:e000::/20  ::1  UGRS  00  32768  8  lo0
2002:ff00::/24  ::1  UGRS  00  32768  8  lo0
2a03:4000:6:f0::/64  link#1  UC  00  -  4  vio0
2a03:4000:6:f0::47  52:54:cf:85:a9:c9  UHLl  00  -  1  lo0
2a03:4000:6:f0::47:e  52:54:cf:85:a9:c9  UHLl  00  -  1  lo0
fe80::/10  ::1  UGRS  00  32768  8  lo0
fe80::%vio0/64  link#1  UC  10  -  4  vio0
fe80::1%vio0  link#1  UHLc  10  -  4  vio0
fe80::5054:cfff:fe85:a9c9%vio0  52:54:cf:85:a9:c9  UHLl  00  -  1  lo0
fe80::%lo0/64  fe80::1%lo0  U  00  32768  4  lo0
fe80::1%lo0  fe80::1%lo0  UHl  00  32768  1  lo0
fec0::/10  ::1  UGRS  00  32768  8  lo0
ff01::/16  ::1  UGRS  00  32768  8  lo0
ff01::%vio0/32  link#1  UC  00  -  4  vio0
ff01::%lo0/32  ::1  UC  00  32768  4  lo0
ff02::/16  ::1  UGRS  00  32768  8  lo0
ff02::%vio0/32  link#1  UC  00  -  4  vio0
ff02::%lo0/32  ::1  UC  00  32768  4  lo0

# ping6 -vc 4 heise.de
PING6(56=40+8+8 bytes) 2a03:4000:6:f0::47:e --> 2a02:2e0:3fe:1001:302::
32 bytes from 2a03:4000:6::1: Neighbor Advertisement
32 bytes from 2a03:4000:6::1: Neighbor Advertisement
32 bytes from 2a03:4000:6::1: Neighbor Advertisement
64 bytes from 2a03:4000:6:f0::47:e: Destination Host Unreachable
Vr TC Flow Plen Nxt Hlim
6 00 0 0010 3a 40
2a03:4000:6:f0::47:e->2a02:2e0:3fe:1001:302::
ICMP6: type = 128, code = 0
32 bytes from 2a03:4000:6::1: Neighbor Advertisement
32 bytes from 2a03:4000:6::1: Neighbor Advertisement
32 bytes from 2a03:4000:6::1: Neighbor Advertisement
64 bytes from 2a03:4000:6:f0::47:e: Destination Host Unreachable
Vr TC Flow Plen
Re: IPv6 gateway fe80::1 needs a ping to work
On 29.01.2015 at 11:44, Martin Pieuchot wrote:
> > # ping6 -vc 4 heise.de
> > PING6(56=40+8+8 bytes) 2a03:4000:6:f0::47:e --> 2a02:2e0:3fe:1001:302::
> > 32 bytes from 2a03:4000:6::1: Neighbor Advertisement
>
> Could you tcpdump ICMP6 packets on vio0 at this moment? I wonder if a wrong target address can be used to craft NS messages for your gateway.

ping and tcpdump worked in parallel of course:

# ping6 -vc 4 heise.de
PING6(56=40+8+8 bytes) 2a03:4000:6:f0::47:e --> 2a02:2e0:3fe:1001:302::
32 bytes from 2a03:4000:6::1: Neighbor Advertisement
32 bytes from 2a03:4000:6::1: Neighbor Advertisement
32 bytes from 2a03:4000:6::1: Neighbor Advertisement
64 bytes from 2a03:4000:6:f0::47:e: Destination Host Unreachable
Vr TC Flow Plen Nxt Hlim
6 00 0 0010 3a 40
2a03:4000:6:f0::47:e->2a02:2e0:3fe:1001:302::
ICMP6: type = 128, code = 0
32 bytes from 2a03:4000:6::1: Neighbor Advertisement
32 bytes from 2a03:4000:6::1: Neighbor Advertisement
32 bytes from 2a03:4000:6::1: Neighbor Advertisement
64 bytes from 2a03:4000:6:f0::47:e: Destination Host Unreachable
Vr TC Flow Plen Nxt Hlim
6 00 0 0010 3a 40
2a03:4000:6:f0::47:e->2a02:2e0:3fe:1001:302::
ICMP6: type = 128, code = 0

--- heise.de ping6 statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss

# tcpdump -ni vio0 icmp6
tcpdump: listening on vio0, link-type EN10MB
23:37:43.456378 fe80::b881:f46a:7c6a:f7eb > ff02::1:ff2f:5f: icmp6: neighbor sol: who has fe80::5054:e2ff:fe2f:5f
23:37:43.477928 2a03:4000:6:f0::47:e > ff02::1:ff00:1: icmp6: neighbor sol: who has fe80::1
23:37:43.479515 2a03:4000:6::1 > 2a03:4000:6:f0::47:e: icmp6: neighbor adv: tgt is fe80::1 [class 0xc0]
23:37:43.676146 fe80::b881:f46a:7c6a:f7eb > ff02::1:ff00:ae7b: icmp6: neighbor sol: who has fe80::2ae:7bff:fe00:ae7b
23:37:44.456499 fe80::b881:f46a:7c6a:f7eb > ff02::1:ff00:ae7b: icmp6: neighbor sol: who has fe80::2ae:7bff:fe00:ae7b
23:37:44.473219 2a03:4000:6:f0::47:e > ff02::1:ff00:1: icmp6: neighbor sol: who has fe80::1
23:37:44.474543 2a03:4000:6::1 > 2a03:4000:6:f0::47:e: icmp6: neighbor adv: tgt is fe80::1 [class 0xc0]
23:37:45.456340 fe80::b881:f46a:7c6a:f7eb > ff02::1:ff00:ae7b: icmp6: neighbor sol: who has fe80::2ae:7bff:fe00:ae7b
23:37:45.473148 2a03:4000:6:f0::47:e > ff02::1:ff00:1: icmp6: neighbor sol: who has fe80::1
23:37:45.474440 2a03:4000:6::1 > 2a03:4000:6:f0::47:e: icmp6: neighbor adv: tgt is fe80::1 [class 0xc0]
23:37:45.675803 fe80::5054:9ff:fecd:f337 > ff02::1:ff00:ae7b: icmp6: neighbor sol: who has fe80::2ae:7bff:fe00:ae7b
23:37:46.483229 2a03:4000:6:f0::47:e > ff02::1:ff00:1: icmp6: neighbor sol: who has fe80::1
23:37:46.484412 2a03:4000:6::1 > 2a03:4000:6:f0::47:e: icmp6: neighbor adv: tgt is fe80::1 [class 0xc0]
23:37:46.675358 fe80::5054:9ff:fecd:f337 > ff02::1:ff00:ae7b: icmp6: neighbor sol: who has fe80::2ae:7bff:fe00:ae7b
23:37:46.941973 fe80::b881:f46a:7c6a:f7eb > ff02::1:ff2f:5f: icmp6: neighbor sol: who has fe80::5054:e2ff:fe2f:5f
23:37:47.456517 fe80::b881:f46a:7c6a:f7eb > ff02::1:ff2f:5f: icmp6: neighbor sol: who has fe80::5054:e2ff:fe2f:5f
23:37:47.483163 2a03:4000:6:f0::47:e > ff02::1:ff00:1: icmp6: neighbor sol: who has fe80::1
23:37:47.484248 2a03:4000:6::1 > 2a03:4000:6:f0::47:e: icmp6: neighbor adv: tgt is fe80::1 [class 0xc0]
23:37:47.566706 fe80::b881:f46a:7c6a:f7eb > ff02::1:ff00:ae7b: icmp6: neighbor sol: who has fe80::2ae:7bff:fe00:ae7b
23:37:47.675297 fe80::5054:9ff:fecd:f337 > ff02::1:ff00:ae7b: icmp6: neighbor sol: who has fe80::2ae:7bff:fe00:ae7b
23:37:47.972090 fe80::5e5e:ab00:6603:66c0 > ff02::1:ff00:1: icmp6: neighbor sol: who has 2a03:4000:6:28::1 [class 0xc0]
23:37:48.457538 fe80::b881:f46a:7c6a:f7eb > ff02::1:ff2f:5f: icmp6: neighbor sol: who has fe80::5054:e2ff:fe2f:5f
23:37:48.457560 fe80::b881:f46a:7c6a:f7eb > ff02::1:ff00:ae7b: icmp6: neighbor sol: who has fe80::2ae:7bff:fe00:ae7b
23:37:48.483112 2a03:4000:6:f0::47:e > ff02::1:ff00:1: icmp6: neighbor sol: who has fe80::1
23:37:48.512246 2a03:4000:6::1 > 2a03:4000:6:f0::47:e: icmp6: neighbor adv: tgt is fe80::1 [class 0xc0]
23:37:48.974181 fe80::5e5e:ab00:6603:66c0 > ff02::1:ff00:1: icmp6: neighbor sol: who has 2a03:4000:6:28::1 [class 0xc0]
23:37:49.456515 fe80::b881:f46a:7c6a:f7eb > ff02::1:ff00:ae7b: icmp6: neighbor sol: who has fe80::2ae:7bff:fe00:ae7b
23:37:49.975695 fe80::5e5e:ab00:6603:66c0 > ff02::1:ff00:1: icmp6: neighbor sol: who has 2a03:4000:6:28::1 [class 0xc0]
23:37:50.456432 fe80::b881:f46a:7c6a:f7eb > ff02::1:ff00:ae7b: icmp6: neighbor sol: who has fe80::2ae:7bff:fe00:ae7b
23:37:50.879005 fe80::5054:9ff:fecd:f337 > ff02::1:ff00:ae7b: icmp6: neighbor sol: who has fe80::2ae:7bff:fe00:ae7b
23:37:51.504199 fe80::b881:f46a:7c6a:f7eb > ff02::1:ff00:ae7b: icmp6: neighbor sol: who has fe80::2ae:7bff:fe00:ae7b
23:37:51.875435 fe80::5054:9ff:fecd:f337 > ff02::1:ff00:ae7b: icmp6: neighbor sol: who has fe80::2ae:7bff:fe00:ae7b
23:37:52.144556 fe80::b881:f46a:7c6a:f7eb > ff02::1:ff2f:5f: icmp6: neighbor sol: who has fe80::5054
Re: IPv6 gateway fe80::1 needs a ping to work
... # ping6 -vc 4 heise.de PING6(56=40+8+8 bytes) 2a03:4000:6:f0::47:e --> 2a02:2e0:3fe:1001:302:: 32 bytes from fe80::5e5e:ab00:6603:66c0%vio0: Neighbor Solicitation 16 bytes from 2a02:2e0:3fe:1001:302::, icmp_seq=0 hlim=60 dst=2a03:4000:6:f0::47:e%1 time=369.406 ms 16 bytes from 2a02:2e0:3fe:1001:302::, icmp_seq=1 hlim=60 dst=2a03:4000:6:f0::47:e%1 time=4.321 ms 16 bytes from 2a02:2e0:3fe:1001:302::, icmp_seq=2 hlim=60 dst=2a03:4000:6:f0::47:e%1 time=4.455 ms 16 bytes from 2a02:2e0:3fe:1001:302::, icmp_seq=3 hlim=60 dst=2a03:4000:6:f0::47:e%1 time=4.319 ms --- heise.de ping6 statistics --- 4 packets transmitted, 4 packets received, 0.0% packet loss round-trip min/avg/max/std-dev = 4.319/95.625/369.406/158.067 ms # tcpdump -ni vio0 icmp6 tcpdump: listening on vio0, link-type EN10MB 00:00:36.694713 fe80::5e5e:ab00:6603:66c0 > ff02::1:ff1d:dfba: icmp6: neighbor sol: who has 2a03:4000:6:5:5054:beff:fe1d:dfba [class 0xc0] 00:00:36.694734 fe80::5e5e:ab00:6603:66c0 > ff02::1:ff00:1: icmp6: neighbor sol: who has 2a03:4000:6:28::1 [class 0xc0] 00:00:36.799447 fe80::5054:9ff:fecd:f337 > ff02::1:ff00:ae7b: icmp6: neighbor sol: who has fe80::2ae:7bff:fe00:ae7b 00:00:36.899742 2a03:4000:6:5:5054:68ff:feb6:4061 > ff02::1:ff2f:5f: icmp6: neighbor sol: who has fe80::5054:e2ff:fe2f:5f 00:00:37.067329 fe80::b881:f46a:7c6a:f7eb > ff02::1:ff00:ae7b: icmp6: neighbor sol: who has fe80::2ae:7bff:fe00:ae7b 00:00:37.067806 fe80::b881:f46a:7c6a:f7eb > ff02::1:ff2f:5f: icmp6: neighbor sol: who has fe80::5054:e2ff:fe2f:5f 00:00:37.333587 2a03:4000:6:f0::47:e > 2a02:2e0:3fe:1001:302::: icmp6: echo request 00:00:37.694905 fe80::5e5e:ab00:6603:66c0 > ff02::1:ff00:1: icmp6: neighbor sol: who has 2a03:4000:6:28::1 [class 0xc0] 00:00:37.695671 fe80::5e5e:ab00:6603:66c0 > ff02::1:ff47:e: icmp6: neighbor sol: who has 2a03:4000:6:f0::47:e [class 0xc0] 00:00:37.695745 fe80::5054:cfff:fe85:a9c9 > fe80::5e5e:ab00:6603:66c0: icmp6: neighbor adv: tgt is 2a03:4000:6:f0::47:e 00:00:37.702868 
2a02:2e0:3fe:1001:302:: > 2a03:4000:6:f0::47:e: icmp6: echo reply 00:00:37.800302 fe80::5054:9ff:fecd:f337 > ff02::1:ff00:ae7b: icmp6: neighbor sol: who has fe80::2ae:7bff:fe00:ae7b 00:00:37.956826 fe80::b881:f46a:7c6a:f7eb > ff02::1:ff00:ae7b: icmp6: neighbor sol: who has fe80::2ae:7bff:fe00:ae7b 00:00:37.957192 fe80::b881:f46a:7c6a:f7eb > ff02::1:ff2f:5f: icmp6: neighbor sol: who has fe80::5054:e2ff:fe2f:5f 00:00:38.342186 2a03:4000:6:f0::47:e > 2a02:2e0:3fe:1001:302::: icmp6: echo request 00:00:38.346271 2a02:2e0:3fe:1001:302:: > 2a03:4000:6:f0::47:e: icmp6: echo reply 00:00:38.956633 fe80::b881:f46a:7c6a:f7eb > ff02::1:ff00:ae7b: icmp6: neighbor sol: who has fe80::2ae:7bff:fe00:ae7b 00:00:38.957097 fe80::b881:f46a:7c6a:f7eb > ff02::1:ff2f:5f: icmp6: neighbor sol: who has fe80::5054:e2ff:fe2f:5f 00:00:39.331944 2a03:4000:6:f0::47:e > 2a02:2e0:3fe:1001:302::: icmp6: echo request 00:00:39.336217 2a02:2e0:3fe:1001:302:: > 2a03:4000:6:f0::47:e: icmp6: echo reply 00:00:40.331943 2a03:4000:6:f0::47:e > 2a02:2e0:3fe:1001:302::: icmp6: echo request 00:00:40.332243 fe80::b881:f46a:7c6a:f7eb > ff02::1:ff00:ae7b: icmp6: neighbor sol: who has fe80::2ae:7bff:fe00:ae7b 00:00:40.336105 2a02:2e0:3fe:1001:302:: > 2a03:4000:6:f0::47:e: icmp6: echo reply 00:00:40.956649 fe80::b881:f46a:7c6a:f7eb > ff02::1:ff00:ae7b: icmp6: neighbor sol: who has fe80::2ae:7bff:fe00:ae7b 00:00:40.973093 fe80::5054:9ff:fecd:f337 > ff02::1:ff00:ae7b: icmp6: neighbor sol: who has fe80::2ae:7bff:fe00:ae7b ^C 120 packets received by filter 0 packets dropped by kernel
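One way to read a capture like the one above mechanically: pair each echo request with its reply and report any neighbor solicitation for the pinging host's own address that fell in between (in the capture above, the 369 ms first reply has such a solicitation and advertisement just before it). This is an added example, not part of the original post; the sample lines are constructed in the same tcpdump format with the 2001:db8::/32 documentation prefix, the function names are assumptions, and the capture is assumed to be taken with -n and not to cross midnight.

```python
import ipaddress
import re
from collections import defaultdict, deque

# One record of "tcpdump -n ... icmp6" output in the format shown above:
# HH:MM:SS.usec SRC > DST: icmp6: MESSAGE
LINE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) (\S+) > (\S+): icmp6: (.+)$")
ND = re.compile(r"neighbor (sol: who has|adv: tgt is) (\S+)")

# Constructed sample (not from the post), documentation prefix 2001:db8::/32.
SAMPLE = """\
tcpdump: listening on vio0, link-type EN10MB
10:00:00.100000 fe80::aa > ff02::1:ff00:99: icmp6: neighbor sol: who has fe80::99
10:00:00.333000 2001:db8:6:f0::47:e > 2001:db8:ffff::1: icmp6: echo request
10:00:00.695000 fe80::5e5e > ff02::1:ff47:e: icmp6: neighbor sol: who has 2001:db8:6:f0::47:e [class 0xc0]
10:00:00.695100 fe80::5054:1 > fe80::5e5e: icmp6: neighbor adv: tgt is 2001:db8:6:f0::47:e
10:00:00.702000 2001:db8:ffff::1 > 2001:db8:6:f0::47:e: icmp6: echo reply
10:00:01.342000 2001:db8:6:f0::47:e > 2001:db8:ffff::1: icmp6: echo request
10:00:01.346000 2001:db8:ffff::1 > 2001:db8:6:f0::47:e: icmp6: echo reply
10:00:02.340000 2001:db8:6:f0::47:e > 2001:db8:ffff::1: icmp6: echo request
^C
9 packets received by filter
"""


def parse(text):
    """Return one dict per icmp6 record; banner, ^C and counter lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        hh, mm, ss, usec, src, dst, msg = m.groups()
        try:
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue  # names instead of addresses: capture was not taken with -n
        # Integer microseconds avoid float rounding in the RTT arithmetic.
        ts = ((int(hh) * 60 + int(mm)) * 60 + int(ss)) * 1_000_000 + int(usec)
        ev = {"ts": ts, "src": src, "dst": dst, "kind": "other", "target": None}
        nd = ND.search(msg)
        if msg.startswith("echo request"):
            ev["kind"] = "request"
        elif msg.startswith("echo reply"):
            ev["kind"] = "reply"
        elif nd:
            ev["kind"] = "sol" if nd.group(1).startswith("sol") else "adv"
            ev["target"] = ipaddress.ip_address(nd.group(2))
        events.append(ev)
    return events


def analyse(text):
    """Pair requests with replies and attach neighbor discovery seen in between."""
    events = parse(text)
    pending = defaultdict(deque)  # (requester, responder) -> unanswered requests
    pairs = []
    for ev in events:
        if ev["kind"] == "request":
            pending[(ev["src"], ev["dst"])].append(ev)
        elif ev["kind"] == "reply":
            # This tcpdump output carries no sequence numbers, so pair in order.
            queue = pending[(ev["dst"], ev["src"])]
            if queue:
                pairs.append((queue.popleft(), ev))
    report = []
    for req, rep in pairs:
        nd = []
        for sol in events:
            if (sol["kind"] == "sol" and sol["target"] == req["src"]
                    and req["ts"] <= sol["ts"] <= rep["ts"]):
                # Answered if an advertisement for the same target went back
                # to the solicitor before the echo reply arrived.
                answered = any(
                    adv["kind"] == "adv" and adv["target"] == sol["target"]
                    and adv["dst"] == sol["src"]
                    and sol["ts"] <= adv["ts"] <= rep["ts"]
                    for adv in events)
                nd.append((str(sol["src"]), answered))
        report.append({"requester": str(req["src"]),
                       "rtt_ms": (rep["ts"] - req["ts"]) / 1000,
                       "nd_for_requester": nd})
    unanswered = sum(len(q) for q in pending.values())
    return {"pairs": report, "unanswered": unanswered}


if __name__ == "__main__":
    result = analyse(SAMPLE)
    for pair in result["pairs"]:
        print(pair)
    print("unanswered echo requests:", result["unanswered"])
```

A request that stays unanswered with no solicitation for the requester's address at all points at the path beyond the local link rather than at neighbor discovery on the host.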
Re: uxterm is showing UTF-8 chars with errors?
On 03.03.2015 at 17:58, Ted Unangst wrote:
As a shortcut, filtering out just esc will prevent most terminal damage? I'm not sure what other characters can do, though... I vaguely recall that the intersection of utf-8 and xterm controls is unknowable.
poc diff:
Index: util.c === RCS file: /cvs/src/bin/ls/util.c,v retrieving revision 1.16 diff -u -p -r1.16 util.c --- util.c 21 Nov 2013 15:54:45 - 1.16 +++ util.c 3 Mar 2015 16:56:15 - @@ -51,7 +51,7 @@ putname(char *name) int len; for (len = 0; *name; len++, name++) - putchar((!isprint((unsigned char)*name) && f_nonprint) ? '?' : *name); + putchar((*name == 0x1b && f_nonprint) ? '?' : *name); return len; }
Thank you very much! Colorls still showed me ?? for the majority of characters. This patch works as expected.
If the filtering is done for security reasons I just want to humbly add that in many circumstances pressing the tab-key instead of enter will deliver an unsanitized file listing anyway. (By the shell I would assume.)
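Review bot: in putname(), the new test `*name == 0x1b` replaces the `!isprint()` check outright, so with f_nonprint set every non-printable byte other than ESC is now written to the terminal unchanged, including the remaining C0 controls (backspace, carriage return, BEL) and DEL. Dropping the per-byte isprint() call is what lets multi-byte UTF-8 names through, but a narrower change would keep rejecting control bytes, for example `(iscntrl((unsigned char)*name) && f_nonprint) ? '?' : *name`, or decode the name with mbtowc() and test each character with iswprint(). The removed line also cast to unsigned char before classifying; the cast is not needed for a comparison with 0x1b, but it has to come back as soon as a ctype function or any value of 0x80 and above is involved.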
Re: sftp script put help
Hello,
On 16.05.2015 at 01:07, jungle Boogie wrote:
I want to upload a file automatically with a cron job so I'm using the -b flag.
% sftp jungle@host
Connected to host.
sftp> cd home/jungle
sftp> put file_*.csv
Uploading file_foo2015-05-15.csv to /usr/home/jungle/file_foo2015-05-15.csv
file_foo2015-05-15.csv
You can do it in a one-liner:
32 1 * * * printf "\%s\n\%s\n" "cd /home/jungle" "put /path/*.csv" | sftp jungle@host
regards
Re: IPv6 is not working at Hetzner
Hello,
On 22.05.2015 at 20:33, Heiko Zimmermann wrote:
I have a server at Hetzner, but IPv6 is not working. IPv4 is all fine.
A dedicated or a virtual server? One needs fe80::1%re0 the other 2a01:4f8:160:::1%re0 as the default gateway.
http://wiki.hetzner.de/index.php/Zusaetzliche_IP-Adressen/en#Gateway
$ ping6 ipv6.google.com
PING6(72=40+8+24 bytes) 2a01:4f8:160:::25 --> 2a00:1450:4001:80c::1002
^C
--> not working
Please post the results of
# ping6 -vc 5 google.com
# route -n show -inet6
# ndp -an
Re: IPv6 is not working at Hetzner
On 22.05.2015 at 21:54, Heiko Zimmermann wrote:
> Hello Thomas,
>
> On 22.05.2015 at 21:38, Thomas Bohl wrote:
>> A dedicated or a virtual server? One needs fe80::1%re0 the other
>> 2a01:4f8:160:::1%re0 as the default gateway.
>> http://wiki.hetzner.de/index.php/Zusaetzliche_IP-Adressen/en#Gateway
>
> Dedicated.
> So my fe80::1 is correct?
Yes, but it's not in your routing table though.
>> # route -n show -inet6
>
> Internet6:
> Destination  Gateway               Flags  Refs  Use  Mtu  Prio  Iface
> default      2a01:4f8:160:4346::1  UGS    0     5    -    8     re0
Please try
# route delete -inet6 default
# route add -inet6 default fe80::1%re0
Re: IPv6 is not working at Hetzner
On 22.05.2015 at 23:55, Heiko Zimmermann wrote:
# route delete -inet6 default
# route add -inet6 default fe80::1%re0
It worked one time until reboot.
That is a problem I have too:
http://marc.info/?l=openbsd-misc&m=142249632125559&w=2
You first need to ping fe80::1%re0 in order to get it into the address mapping table. I tried static entries without luck. Try to add
@reboot sleep 10 && ping6 -c 10 fe80::1\%re0 > /dev/null
into your crontab. Works for me.
Could you advise me hostname.re0 and mygate?
I don't use mygate. Just
!route add -inet6 default fe80::1%re0
in hostname.re0
Re: simple maiserver fail (postfix dovecot)
Hello,
On 23.05.2015 at 04:49, Tuyosi Takesima wrote:
# telnet a.mydns.jp 143
Trying 192.168.100.101...
Connected to a.mydns.jp.
Escape character is '^]'.
Connection closed by foreign host.
~
What is the output of
# tail -f /var/log/maillog
when you try to connect?
/etc/dovecot/dovecot.conf
-
protocols = imap
listen = *
mail_location = maildir:~/Maildir
Is that the full output of your dovecot.conf?
/etc/dnsmasq.conf <- is dns not necessary?
It is not necessary to run your own DNS.
i wonder 2 points.
1) in /usr/local/share/doc/dovecot/wiki/PasswordDatabase.PAM.txt but no example about OpenBSD.
2) in /etc/dovecot/conf.d/auth-system.conf.ext
# PAM authentication. Preferred nowadays by most systems.
# PAM is typically used with either userdb passwd or userdb static.
# REMEMBER: You'll need /etc/pam.d/dovecot file created for PAM
# authentication to actually work.
i do not know how to make /etc/pam.d/dovecot
You don't need /etc/pam.d/dovecot on OpenBSD. The correct settings should already be in the /etc/dovecot/conf.d/auth-system.conf.ext file:
... # PAM-like authentication for OpenBSD. # passdb { driver = bsdauth ... # System users (NSS, /etc/passwd, or similiar). ... userdb { # driver = passwd ...
Re: simple maiserver fail (postfix dovecot)
On 24.05.2015 at 08:29, Tuyosi Takesima wrote:
2) telnet a.mydns.jp 143
Trying 192.168.100.101...
Connected to a.mydns.jp.
Escape character is '^]'.
--->no error
The "* OK ... Dovecot ready." message is still missing.
(BUT after this what should i do?)
http://en.wikipedia.org/wiki/Internet_Message_Access_Protocol#Dialog_example
Or you just use a mail client.
May 24 15:03:54 a dovecot: master: Error: service(imap-urlauth-worker): pipe() failed: Too many open files
May 24 15:03:54 a dovecot: master: Error: service(imap-urlauth): pipe() failed: Too many open files
May 24 15:03:54 a dovecot: master: Error: open(/var/dovecot/login-master-notify4da6a88940c548de) failed: Too many open files
See the mail from Edgar Pettijohn III.
/etc/dovecot/dovecot.conf<
protocols = imap pop3 lmtp
listen = *
this is the full output of my dovecot.conf.
The line
!include conf.d/*.conf
is missing.
Schenker S405 experience
TL;DR: dmesg at the bottom. The machine works great. Thank you developers.
Hello,
I thought sharing a few data of my new laptop "Schenker S405" could interest someone.
OpenBSD 5.8 (GENERIC.MP) #1235: Mon Aug 10 06:54:34 MDT 2015 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
BIOS: UEFI can be and was disabled by default. Bought the system without OS though. PXE boot works. Used it for the installation.
ACPI: Closing the lid sets the system to sleep. Opening the lid will wake the system up. The monitor will not come back on at first. You have to switch terminals. But that works reliably.
Touchpad: Must be touched when the bootloader comes up. Otherwise it will not be recognized and will send arbitrary characters upon touching or clicking.
Sound: In and out just works.
SD-Card reader: Just works.
Ethernet: Just works.
WLAN: Pre install options were Intel Wireless-AC 3160 or 7260. So I ordered without WLAN and bought a Ralink RT3090 (SilverStone ECW01) separately. Works perfectly.
Fn-Keys:
What works out of the box:
  Sound controls
  Touchpad on/off
  Monitor off
  Webcam on/off
  Suspend
  Play/Pause
What doesn't:
  Monitor brightness
  (pictogram of a plane) WLAN on/off
  Switch monitor
USB 3.0 Ports: I only have USB 2.0 devices. They all work except for a Samsung SE-506 portable Blu-ray writer. When plugged in directly:
uhub0: device problem, disabling port 1
It works when plugged in over a self-powered hub:
umass1 at uhub3 port 1 configuration 1 interface 0 "MediaTek Inc MT1956" rev 2.00/0.00 addr 11
umass1: using ATAPI over Bulk-Only
scsibus5 at umass1: 2 targets, initiator 0
cd0 at scsibus5 targ 1 lun 0: ATAPI 5/cdrom removable
So I assume a power issue.
Video playback: Not accelerated at the moment but ok to watch in short bursts. Nothing for a whole movie. Can't really describe what I see. It looks smooth and flickering at the same time. (Like not all parts of a picture are updated at the same time.)
Only on videos with 3840x2160 you need to add -framedrop to mplayer or the video will start to lag behind the audio.
Webcam: 'mplayer tv://' only returns a green screen:
MPlayer SVN-r37396 (C) 2000-2015 MPlayer Team
Playing tv://.
TV file format detected.
Selected driver: v4l2
name: Video 4 Linux 2 input
author: Martin Olschewski
comment: first try, more to come ;-)
v4l2: your device driver does not support VIDIOC_G_STD ioctl, VIDIOC_G_PARM was used instead.
Selected device: Generic USB video class device
Capabilities: video capture read/write streaming
supported norms:
inputs: 0 = Camera Terminal;
Current input: 0
Current format: YUYV
v4l2: ioctl set format failed: Invalid argument
v4l2: ioctl set format failed: Invalid argument
v4l2: ioctl set format failed: Invalid argument
tv.c: norm_from_string(pal): Bogus norm parameter, setting default.
v4l2: ioctl enum norm failed: Inappropriate ioctl for device
Error: Cannot set norm!
Selected input hasn't got a tuner!
v4l2: ioctl set mute failed: Invalid argument
v4l2: ioctl streamon failed: Invalid argument
[VO_XV] It seems there is no Xvideo support for your video card available.
[VO_XV] Run 'xvinfo' to verify its Xv support and read
[VO_XV] DOCS/HTML/en/video.html#xv!
[VO_XV] See 'mplayer -vo help' for other (non-xv) video out drivers.
[VO_XV] Try -vo x11.
==
Opening video decoder: [raw] RAW Uncompressed Video
Could not find matching colorspace - retrying with -vf scale...
Opening video filter: [scale]
Movie-Aspect is undefined - no prescaling applied.
[swscaler @ 0x10208b8b4000] bicubic scaler, from yuyv422 to bgra using MMXEXT
VO: [x11] 640x480 => 640x480 BGRA
Selected video codec: [rawyuy2] vfm: raw (RAW YUY2)
==
Audio: no sound
Starting playback...
V: 0.0 2/ 2 ??% ??% ??,?% 0 0
v4l2: ioctl set mute failed: Invalid argument
v4l2: 0 frames successfully processed, 0 frames dropped.
# sysctl hw hw.machine=amd64 hw.model=Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz hw.ncpu=4 hw.byteorder=1234 hw.pagesize=4096 hw.disknames=sd0:3da24752d515020e hw.diskcount=1 hw.sensors.cpu0.temp0=46.00 degC hw.sensors.acpitz0.temp0=12.00 degC (zone temperature) hw.sensors.acpitz1.temp0=27.80 degC (zone temperature) hw.sensors.acpitz2.temp0=29.80 degC (zone temperature) hw.sensors.acpibtn2.indicator0=On (lid open) hw.sensors.acpiac0.indicator0=On (power supply) hw.sensors.acpibat0.volt0=15.12 VDC (voltage) hw.sensors.acpibat0.volt1=17.09 VDC (current voltage) hw.sensors.acpibat0.current0=0.00 A (rate) hw.sensors.acpibat0.amphour0=2.95 Ah (last full capacity) hw.sensors.acpibat0.amphour1=0.29 Ah (warning capacity) hw.sensors.acpibat0.amphour2=0.00 Ah (low capacity) hw.sensors.acpibat0.amphour3=2.95 Ah (remaining capacity), OK hw.sensors.acpibat0.amphour4=2.95 Ah (design capacity) hw.sensors.acpibat0.raw0=0 (battery full), OK hw.cpuspeed=500 hw.setperf=0 hw.vendor
Re: wtfs write error when running newfs
Hi,
> root@poseidon:[~]> newfs sd1a
> newfs: wtfs: write error on block 160086527: No such file or directory
Does it work when you make the partition smaller than 160086527?
No hw.setperf on Intel Atom CPU D2550 64bit system
Hello List,
I installed 5.5-current, both with i386 and amd64, on an ASRock AD2550-ITX mainboard [1] which has an Intel Dual-Core Atom D2550 CPU on board.
On the i386 version sysctl shows the MIB name hw.setperf and therefore it's possible to throttle the CPU down. The amd64 version on the other hand doesn't show hw.setperf and it's not possible to manipulate the CPU speed through that value.
I have played around with the BIOS settings and haven't found something that makes a difference. It looks as if this problem isn't new. [2]
Apart from sticking to i386 of course, is there anything I could try to manipulate the CPU speed?
amd64:
# dmesg
OpenBSD 5.5-current (GENERIC.MP) #85: Sun Apr 27 09:24:33 MDT 2014
t...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4264722432 (4067MB)
avail mem = 4142473216 (3950MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xeb110 (17 entries)
bios0: vendor American Megatrends Inc. version "P1.30" date 10/22/2013
bios0: ASRock AD2550-ITX
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S3 S4 S5
acpi0: tables DSDT FACP APIC MCFG AAFT HPET SSDT
acpi0: wakeup devices P0P8(S4) PS2K(S4) PS2M(S4) UAR1(S4) CIR_(S4) USB0(S4) USB1(S4) USB2(S4) USB3(S4) USB7(S4) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: Intel(R) Atom(TM) CPU D2550 @ 1.86GHz, 1867.07 MHz cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,ITSC cpu0: 512KB 64b/line 8-way L2 cache cpu0: smt 0, core 0, package 0 mtrr: Pentium Pro MTRR support, 7 var ranges, 88 fixed ranges cpu0: apic clock running at 133MHz cpu0: mwait min=64, max=64, C-substates=0.1.0.0.0, IBE cpu1 at mainbus0: apid 1 (application processor) cpu1: Intel(R) Atom(TM) CPU D2550 @ 1.86GHz, 1866.73 MHz cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,ITSC cpu1: 512KB 64b/line 8-way L2 cache cpu1: smt 1, core 0, package 0 cpu2 at mainbus0: apid 2 (application processor) cpu2: Intel(R) Atom(TM) CPU D2550 @ 1.86GHz, 1866.73 MHz cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,ITSC cpu2: 512KB 64b/line 8-way L2 cache cpu2: smt 0, core 1, package 0 cpu3 at mainbus0: apid 3 (application processor) cpu3: Intel(R) Atom(TM) CPU D2550 @ 1.86GHz, 1866.73 MHz cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,ITSC cpu3: 512KB 64b/line 8-way L2 cache cpu3: smt 1, core 1, package 0 ioapic0 at mainbus0: apid 4 pa 0xfec0, version 20, 24 pins acpimcfg0 at acpi0 addr 0xe000, bus 0-255 acpihpet0 at acpi0: 14318179 Hz acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus 3 (P0P8) acpiprt2 at acpi0: bus 1 (RP01) acpiprt3 at acpi0: bus 2 
(RP02) acpiprt4 at acpi0: bus -1 (RP03) acpiprt5 at acpi0: bus -1 (RP04) acpicpu0 at acpi0 acpicpu1 at acpi0 acpicpu2 at acpi0 acpicpu3 at acpi0 acpibtn0 at acpi0: PWRB acpibtn1 at acpi0: SLPB acpivideo0 at acpi0: GFX0 acpivout0 at acpivideo0: DD02 pci0 at mainbus0 bus 0 pchb0 at pci0 dev 0 function 0 vendor "Intel", unknown product 0x0bf3 rev 0x04 vga1 at pci0 dev 2 function 0 vendor "Intel", unknown product 0x0be2 rev 0x0b intagp at vga1 not configured wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) ppb0 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x02: msi pci1 at ppb0 bus 1 re0 at pci1 dev 0 function 0 "Realtek 8168" rev 0x06: RTL8168E/8111E-VL (0x2c80), msi, address bc:5f:f4:ea:a2:28 rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 5 ppb1 at pci0 dev 28 function 1 "Intel 82801GB PCIE" rev 0x02: msi pci2 at ppb1 bus 2 "ASMedia ASM1042 xHCI" rev 0x00 at pci2 dev 0 function 0 not configured uhci0 at pci0 dev 29 function 0 "Intel 82801GB USB" rev 0x02: apic 4 int 23 uhci1 at pci0 dev 29 function 1 "Intel 82801GB USB" rev 0x02: apic 4 int 19 uhci2 at pci0 dev 29 function 2 "Intel 82801GB USB" rev 0x02: apic 4 int 18 uhci3 at pci0 dev 29 function 3 "Intel 82801GB USB" rev 0x02: apic 4 int 16 ehci0 at pci0 dev 29 function 7 "Intel 82801GB USB" rev 0x02: apic 4 int 23 usb0 at ehci0: USB revision 2.0 uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1 ppb2 at pci0 dev 30 function 0 "Intel 82801BAM Hub-to-PCI" rev 0xe2 pci3 at ppb2 bus 3 pcib0 at pci0 dev 31 function 0 "Intel NM10 LPC" rev 0x02 ahci0 at pci0 dev 31 function 2 "In
Re: No hw.setperf on Intel Atom CPU D2550 64bit system
On 30.04.2014 05:23, Jonathan Gray wrote:
On Tue, Apr 29, 2014 at 10:22:29PM +0200, Thomas Bohl wrote:
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Atom(TM) CPU D2550 @ 1.86GHz, 1867.07 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,NXE,LONG,LAHF,PERF,ITSC
We only do speedstep if the processor advertises that speedstep is supported in cpuid (ie there should be an 'EST' flag above).
According to http://ark.intel.com/products/65470/Intel-Atom-Processor-D2550-(1M-Cache-1_86-GHz) it doesn't do speedstep as well.
i386 fakes a table with high/low values for older processors that still have a fsb, which was mostly used before the code to fetch tables from acpi was added.
Thank you for your explanation. i386 it is then.
Re: No hw.setperf on Intel Atom CPU D2550 64bit system
On 01.05.2014 03:56, Jonathan Gray wrote:
It wouldn't hurt to check with md5 -tt and/or a power meter to see if there is actually a difference between hw.setperf=0 and hw.setperf=100.
hw.setperf=100
16.5 Watt
# md5 -tt
MD5 time trial. Processing 10 1-byte blocks...
Digest = 766a2bb5d24bddae466c572bcabca3ee
Time = 39.389348 seconds
Speed = 25387574.325932 bytes/second
hw.setperf=0
16.9 Watt
# md5 -tt
MD5 time trial. Processing 10 1-byte blocks...
Digest = 766a2bb5d24bddae466c572bcabca3ee
Time = 4.672665 seconds
Speed = 214010634.188413 bytes/second
So the CPU actually gets slowed down quite heavily (apm shows 224 MHz). But the system has a greater power consumption while doing so.
(Now that happens if you buy stuff in a hurry. I was aiming for a 10 Watt system. My bad!)
Re: No hw.setperf on Intel Atom CPU D2550 64bit system
On 01.05.2014 05:51, Thomas Bohl wrote:
On 01.05.2014 03:56, Jonathan Gray wrote:
It wouldn't hurt to check with md5 -tt and/or a power meter to see if there is actually a difference between hw.setperf=0 and hw.setperf=100.
hw.setperf=100
16.5 Watt
# md5 -tt
MD5 time trial. Processing 10 1-byte blocks...
Digest = 766a2bb5d24bddae466c572bcabca3ee
Time = 39.389348 seconds
Speed = 25387574.325932 bytes/second
hw.setperf=0
16.9 Watt
# md5 -tt
MD5 time trial. Processing 10 1-byte blocks...
Digest = 766a2bb5d24bddae466c572bcabca3ee
Time = 4.672665 seconds
Speed = 214010634.188413 bytes/second
So the CPU actually gets slowed down quite heavily (apm shows 224 MHz). But the system has a greater power consumption while doing so.
(Now that happens if you buy stuff in a hurry. I was aiming for a 10 Watt system. My bad!)
Sorry, I mixed up the md5 results.
hw.setperf=100
16.5 Watt
# md5 -tt
MD5 time trial. Processing 10 1-byte blocks...
Digest = 766a2bb5d24bddae466c572bcabca3ee
Time = 4.672665 seconds
Speed = 214010634.188413 bytes/second
hw.setperf=0
16.9 Watt
# md5 -tt
MD5 time trial. Processing 10 1-byte blocks...
Digest = 766a2bb5d24bddae466c572bcabca3ee
Time = 39.389348 seconds
Speed = 25387574.325932 bytes/second
IPv6 ULA routing stops working after 20 hours or so
Hello, I'm using ULAs for my local IPv6 networks. The hosts have internet access via the router doing NPTv6. After around 20 to 24 hours of uptime the OpenBSD hosts (three in total) are no longer able to reach the IPv6 internet. A restart of the affected hosts usually helps. In rare cases a double restart is required. Linux and Windows don't show this problem. Any ideas? What information should I provide in order to debug this further? # uname -a OpenBSD mail1 7.5 GENERIC#79 amd64 # cat /etc/hostname.vio0 # BEGIN ANSIBLE MANAGED BLOCK IPv6 inet6 -soii inet6 autoconf # END ANSIBLE MANAGED BLOCK IPv6 # BEGIN ANSIBLE MANAGED BLOCK IPv4 inet 172.17.17.2 255.255.255.252 !route add default 172.17.17.1 # END ANSIBLE MANAGED BLOCK IPv4 When things are working: # uptime 5:11PM up 9 mins, 1 user, load averages: 0.00, 0.01, 0.00 # ifconfig vio0 vio0: flags=648843 mtu 1500 lladdr bc:24:11:10:52:72 index 1 priority 0 llprio 3 groups: egress media: Ethernet autoselect status: active inet6 fe80::be24:11ff:fe10:5272%vio0 prefixlen 64 scopeid 0x1 inet 172.17.17.2 netmask 0xfffc broadcast 172.17.17.3 inet6 fd00:172:17:170:be24:11ff:fe10:5272 prefixlen 64 autoconf pltime 604644 vltime 2591844 inet6 fd00:172:17:170:1fa3:a3db:db4a:707d prefixlen 64 autoconf temporary pltime 74422 vltime 172248 # ping6 -vn -c 3 google.com PING google.com (fd00:172:17:170:1fa3:a3db:db4a:707d --> 2a00:1450:4005:801::200e): 56 data bytes 64 bytes from 2a00:1450:4005:801::200e: icmp_seq=0 hlim=114 time=27.533 ms 64 bytes from 2a00:1450:4005:801::200e: icmp_seq=1 hlim=114 time=30.263 ms 64 bytes from 2a00:1450:4005:801::200e: icmp_seq=2 hlim=114 time=30.143 ms --- google.com ping statistics --- 3 packets transmitted, 3 packets received, 0.0% packet loss round-trip min/avg/max/std-dev = 27.533/29.313/30.263/1.260 ms # traceroute6 -vn google.com traceroute6 to google.com (2a00:1450:4005:801::200e), 64 hops max, 60 byte packets 1 fd00:172:17:170:2a0:57ff:fe3a:ac77 68 bytes to fd00:172:17:170:1fa3:a3db:db4a:707d 
0.227 ms 0.159 ms 0.136 ms 2 2a02:810d:1:bf::3 68 bytes to fd00:172:17:170:1fa3:a3db:db4a:707d 13.606 ms 2a02:810d:1:bf::2 68 bytes to fd00:172:17:170:1fa3:a3db:db4a:707d 15.823 ms 2a02:810d:1:bf::3 68 bytes to fd00:172:17:170:1fa3:a3db:db4a:707d 14.467 ms 3 * * * 4 * * * 5 * * * 6 2001:4860:1:1::2a4 68 bytes to fd00:172:17:170:1fa3:a3db:db4a:707d 16.263 ms 12.806 ms 14.327 ms 7 * 2001:4860:0:1::839f 68 bytes to fd00:172:17:170:1fa3:a3db:db4a:707d 15.828 ms * 8 * * * 9 2001:4860::c:4003:4958 152 bytes to fd00:172:17:170:1fa3:a3db:db4a:707d 27.715 ms 29.765 ms 30.264 ms 10 2001:4860::c:4002:f990 152 bytes to fd00:172:17:170:1fa3:a3db:db4a:707d 31.119 ms 2001:4860::c:4002:f991 152 bytes to fd00:172:17:170:1fa3:a3db:db4a:707d 29.906 ms 2001:4860::c:4002:f990 152 bytes to fd00:172:17:170:1fa3:a3db:db4a:707d 36.316 ms 11 2001:4860::c:4001:ebf 152 bytes to fd00:172:17:170:1fa3:a3db:db4a:707d 29.679 ms 2001:4860::c:4002:7869 152 bytes to fd00:172:17:170:1fa3:a3db:db4a:707d 33.901 ms 31.045 ms 12 2001:4860::9:4001:ecb 68 bytes to fd00:172:17:170:1fa3:a3db:db4a:707d 29.68 ms 2001:4860::9:4001:ec0 68 bytes to fd00:172:17:170:1fa3:a3db:db4a:707d 29.575 ms 2001:4860::9:4001:ecb 68 bytes to fd00:172:17:170:1fa3:a3db:db4a:707d 36.681 ms 13 2001:4860:0:1::6b65 68 bytes to fd00:172:17:170:1fa3:a3db:db4a:707d 29.283 ms * * 14 2001:4860:0:1::6b65 68 bytes to fd00:172:17:170:1fa3:a3db:db4a:707d 30.595 ms 2a00:1450:4005:801::200e 68 bytes to fd00:172:17:170:1fa3:a3db:db4a:707d 40.122 ms 2001:4860:0:1::6b65 68 bytes to fd00:172:17:170:1fa3:a3db:db4a:707d 30.369 ms # route -n show -inet6 Routing tables Internet6: Destination Gateway Flags Refs Use Mtu Prio Iface default fe80::2a0:57ff:fe3a:ac77%vio0 UGS 0 8 - 8 vio0 ::/96 ::1 UGRS 0 0 32768 8 lo0 ::1 ::1 UHhl 10 20 32768 1 lo0 :::0.0.0.0/96 ::1 UGRS 0 0 32768 8 lo0 2002::/24 ::1 UGRS 0 0 32768 8 lo0 2002:7f00::/24 ::1 UGRS 0 0 32768 8 lo0 2002:e000::/20 ::1 UGRS 0 0 32768 8 lo0 2002:ff00::/24 ::1 UGRS 0 0 32768 8 lo0 
fd00:172:17:170::/64 fd00:172:17:170:be24:11ff:fe10:5272 UCPn 0 1 - 4 vio0 fd00:172:17:170::/64 fd00:172:17:170:1fa3:a3db:db4a:707d UCPn 0 0 - 4 vio0 fd00:172:17:170:1fa3:a3db:db4a:707d bc:24:11:10:52:72 UHLl 0 193 - 1 vio0 fd00:172:17:170:be24:11ff:fe10:5272 bc:24:11:10:52:72 UH
Re: IPv6 ULA routing stops working after 20 hours or so
Sorry for top post. Are you doing any filtering of ICMP6 with PF?
I don't think so, it is the standard rule set:
# pfctl -s rules
block return all
pass all flags S/SA
block return in on ! lo0 proto tcp from any to any port 6000:6010
block return out log proto tcp all user = 55
block return out log proto udp all user = 55
I assume your router is also doing rad to hand out slaac to clients?
The router is doing router advertisements and slaacd handles it on the OpenBSD side.
# rcctl stop slaacd
# slaacd -vd
IMSG_OPEN_ICMP6SOCK open_icmp6sock: 0 iface_state_transition[vio0] IF_DOWN -> IF_INIT, timo: 4 send_solicitation(1) send_solicitation(1) ICMPv6 type(134), code(0) from fe80::2a0:57ff:fe3a:ac77%vio0 of length 112 configure_dfr: 1 dfr_proposal_state_transition[vio0] PROPOSAL_NOT_CONFIGURED -> PROPOSAL_CONFIGURED, timo: 1788 gen_dfr_proposal: iface 1: fe80::2a0:57ff:fe3a:ac77%vio0 configure_address: 1 iface_state_transition[vio0] IF_INIT -> IF_BOUND, timo: -1 addr_proposal_state_transition[vio0] PROPOSAL_NOT_CONFIGURED -> PROPOSAL_CONFIGURED, timo: 604788 gen_address_proposal: iface 1: fd00:172:17:170:be24:11ff:fe10:5272 configure_address: 1 iface_state_transition[vio0] IF_BOUND -> IF_BOUND, timo: -1 addr_proposal_state_transition[vio0] PROPOSAL_NOT_CONFIGURED -> PROPOSAL_CONFIGURED, timo: 61448 gen_address_proposal: iface 1: fd00:172:17:170:5689:59a3:3153:d825 rdns_proposal_state_transition[vio0] PROPOSAL_NOT_CONFIGURED -> PROPOSAL_CONFIGURED, timo: 1788 gen_rdns_proposal: iface 1: fe80::2a0:57ff:fe3a:ac77%vio0 failed to send route message: File exists configure_interface: vio0 Setting MTU to 1500 configure_interface: vio0 RTM_NEWADDR: vio0[1] RTM_CHGADDRATTR: fd00:172:17:170:5689:59a3:3153:d825 - autoconf temporary
Maybe I should let slaacd run in the foreground till IPv6 stops working and see if that give out clues.
Jason.
Sent from my iPhone
On 23 Jun 2024, at 2:27 AM, Thomas Bohl wrote:
Hello, I'm using ULAs for my local IPv6 networks.
The hosts have internet access via the router doing NPTv6. After around 20 to 24 hours of uptime the OpenBSD hosts (three in total) are no longer able to reach the IPv6 internet. A restart of the affected hosts usually helps. In rare cases a double restart is required. Linux and Windows don't show this problem. Any ideas? What information should I provide in order to debug this further? # uname -a OpenBSD mail1 7.5 GENERIC#79 amd64 # cat /etc/hostname.vio0 # BEGIN ANSIBLE MANAGED BLOCK IPv6 inet6 -soii inet6 autoconf # END ANSIBLE MANAGED BLOCK IPv6 # BEGIN ANSIBLE MANAGED BLOCK IPv4 inet 172.17.17.2 255.255.255.252 !route add default 172.17.17.1 # END ANSIBLE MANAGED BLOCK IPv4 When things are working: # uptime 5:11PM up 9 mins, 1 user, load averages: 0.00, 0.01, 0.00 # ifconfig vio0 vio0: flags=648843 mtu 1500 lladdr bc:24:11:10:52:72 index 1 priority 0 llprio 3 groups: egress media: Ethernet autoselect status: active inet6 fe80::be24:11ff:fe10:5272%vio0 prefixlen 64 scopeid 0x1 inet 172.17.17.2 netmask 0xfffc broadcast 172.17.17.3 inet6 fd00:172:17:170:be24:11ff:fe10:5272 prefixlen 64 autoconf pltime 604644 vltime 2591844 inet6 fd00:172:17:170:1fa3:a3db:db4a:707d prefixlen 64 autoconf temporary pltime 74422 vltime 172248 # ping6 -vn -c 3 google.com PING google.com (fd00:172:17:170:1fa3:a3db:db4a:707d --> 2a00:1450:4005:801::200e): 56 data bytes 64 bytes from 2a00:1450:4005:801::200e: icmp_seq=0 hlim=114 time=27.533 ms 64 bytes from 2a00:1450:4005:801::200e: icmp_seq=1 hlim=114 time=30.263 ms 64 bytes from 2a00:1450:4005:801::200e: icmp_seq=2 hlim=114 time=30.143 ms --- google.com ping statistics --- 3 packets transmitted, 3 packets received, 0.0% packet loss round-trip min/avg/max/std-dev = 27.533/29.313/30.263/1.260 ms # traceroute6 -vn google.com traceroute6 to google.com (2a00:1450:4005:801::200e), 64 hops max, 60 byte packets 1 fd00:172:17:170:2a0:57ff:fe3a:ac77 68 bytes to fd00:172:17:170:1fa3:a3db:db4a:707d 0.227 ms 0.159 ms 0.136 ms 2 2a02:810d:1:bf::3 68 
bytes to fd00:172:17:170:1fa3:a3db:db4a:707d 13.606 ms 2a02:810d:1:bf::2 68 bytes to fd00:172:17:170:1fa3:a3db:db4a:707d 15.823 ms 2a02:810d:1:bf::3 68 bytes to fd00:172:17:170:1fa3:a3db:db4a:707d 14.467 ms 3 * * * 4 * * * 5 * * * 6 2001:4860:1:1::2a4 68 bytes to fd00:172:17:170:1fa3:a3db:db4a:707d 16.263 ms 12.806 ms 14.327 ms 7 * 2001:4860:0:1::839f 68 bytes to fd00:172:17:170:1fa3:a3db:db4a:707d 15.828 ms * 8 * * * 9 2001:4860::c:4003:4958 152 bytes to fd00:172:17:170:1fa3:a3db:db4a:707d 27.715 ms 29.765 ms 30.264 ms 10 2001:4860::c:4002:f990 152 bytes to fd00:172:17:170:1fa3:a3db:db4a:707d 31.119 ms 2001:4860::c:4002:f991 152 bytes to fd00:172:17:170:1fa3:a3db:db4a:707d 29.906 ms 2001:4860::c:4002:f990 152 bytes to fd00:172:17:170:1fa3:a3db:db4a:707d 36.316 ms 11 2001:48
Re: IPv6 ULA routing stops working after 20 hours or so
Maybe I should let slaacd run in the foreground till IPv6 stops working and see if that gives out clues.

The output of slaacd looks completely normal. Like this over and over again:

ICMPv6 type(134), code(0) from fe80::2a0:57ff:fe3a:ac77%vio0 of length 112
update_iface_ra_dfr, dfr state: PROPOSAL_CONFIGURED, rl: 1800
dfr_proposal_state_transition[vio0] PROPOSAL_CONFIGURED -> PROPOSAL_CONFIGURED, timo: 1788
update_iface_ra_prefix, addr state: PROPOSAL_CONFIGURED
updating address
configure_address: 1
iface_state_transition[vio0] IF_BOUND -> IF_BOUND, timo: -1
addr_proposal_state_transition[vio0] PROPOSAL_CONFIGURED -> PROPOSAL_CONFIGURED, timo: 60477
update_iface_ra_prefix, addr state: PROPOSAL_CONFIGURED
updating address
configure_address: 1
iface_state_transition[vio0] IF_BOUND -> IF_BOUND, timo: -1
addr_proposal_state_transition[vio0] PROPOSAL_CONFIGURED -> PROPOSAL_CONFIGURED, timo: 604788
update_iface_ra_rdns, rdns state: PROPOSAL_CONFIGURED, rl: 1800
rdns_proposal_state_transition[vio0] PROPOSAL_CONFIGURED -> PROPOSAL_CONFIGURED, timo: 1788
configure_interface: vio0
configure_interface: vio0

I also dug into the debug output of my router. Echo request goes out, reply comes back and is routed/forwarded to the OpenBSD host.

[IPv6-Router] 2024/06/23 18:03:27,197 Devicetime: 2024/06/23 18:03:27,639 [INTERNET (14)] IP packet, scope global, routing tag 0: IPv6: 2a00:1450:4005:801::200e -> 2a02:810d:5fc0:f2a:bb4d:6e1a:d2f:c576, Payload-Len: 64 ICMP: Echo (ping) reply (129), ID: 18553, Seq: 0 --> Firewall: accepted, forwarded unicast via HOST_MAIL1 (6)

(The log-output is indistinguishable from when it is working.)

Yet I don't see them arriving with tcpdump:

# tcpdump -n -i vio0 ip6
tcpdump: listening on vio0, link-type EN10MB
18:29:38.703181 fe80::be24:11ff:fe10:5272.46404 > fe80::2a0:57ff:fe3a:ac77.53: 29603+ ? google.com.(28) [flowlabel 0xe0681]
18:29:38.731683 fe80::2a0:57ff:fe3a:ac77.53 > fe80::be24:11ff:fe10:5272.46404: 29603 1/0/0 [|domain]
18:29:38.731839 fd00:172:17:170:c57c:a20c:2d74:124 > 2a00:1450:4005:801::200e: icmp6: echo request
18:29:39.740141 fd00:172:17:170:c57c:a20c:2d74:124 > 2a00:1450:4005:801::200e: icmp6: echo request
18:29:40.740110 fd00:172:17:170:c57c:a20c:2d74:124 > 2a00:1450:4005:801::200e: icmp6: echo request
18:29:42.980121 fe80::be24:11ff:fe10:5272 > fe80::2a0:57ff:fe3a:ac77: icmp6: neighbor sol: who has fe80::2a0:57ff:fe3a:ac77
18:29:42.980551 fe80::2a0:57ff:fe3a:ac77 > fe80::be24:11ff:fe10:5272: icmp6: neighbor adv: tgt is fe80::2a0:57ff:fe3a:ac77
18:29:43.731733 fe80::2a0:57ff:fe3a:ac77 > fe80::be24:11ff:fe10:5272: icmp6: neighbor sol: who has fe80::be24:11ff:fe10:5272
18:29:43.731774 fe80::be24:11ff:fe10:5272 > fe80::2a0:57ff:fe3a:ac77: icmp6: neighbor adv: tgt is fe80::be24:11ff:fe10:5272
^C
47 packets received by filter
0 packets dropped by kernel

Again if I restart the host it works (for about a day):

# tcpdump -n -i vio0 ip6
tcpdump: listening on vio0, link-type EN10MB
18:36:23.536231 fe80::be24:11ff:fe10:5272.40542 > fe80::2a0:57ff:fe3a:ac77.53: 31164+ ? google.com.(28) [flowlabel 0xb2311]
18:36:23.578447 fe80::2a0:57ff:fe3a:ac77.53 > fe80::be24:11ff:fe10:5272.40542: 31164 1/0/0 [|domain]
18:36:23.579030 fd00:172:17:170:202c:9944:920d:70dd > 2a00:1450:4005:801::200e: icmp6: echo request
18:36:23.612097 fe80::2a0:57ff:fe3a:ac77 > ff02::1:ff0d:70dd: icmp6: neighbor sol: who has fd00:172:17:170:202c:9944:920d:70dd
18:36:23.612132 fe80::be24:11ff:fe10:5272 > fe80::2a0:57ff:fe3a:ac77: icmp6: neighbor adv: tgt is fd00:172:17:170:202c:9944:920d:70dd
18:36:23.612433 2a00:1450:4005:801::200e > fd00:172:17:170:202c:9944:920d:70dd: icmp6: echo reply
18:36:24.580102 fd00:172:17:170:202c:9944:920d:70dd > 2a00:1450:4005:801::200e: icmp6: echo request
18:36:24.612662 2a00:1450:4005:801::200e > fd00:172:17:170:202c:9944:920d:70dd: icmp6: echo reply
18:36:25.580090 fd00:172:17:170:202c:9944:920d:70dd > 2a00:1450:4005:801::200e: icmp6: echo request
18:36:25.611510 2a00:1450:4005:801::200e > fd00:172:17:170:202c:9944:920d:70dd: icmp6: echo reply
^C
79 packets received by filter
0 packets dropped by kernel

Strange

On 23 Jun 2024, at 2:27 AM, Thomas Bohl wrote:

Hello,

I'm using ULAs for my local IPv6 networks. The hosts have internet access via the router doing NPTv6. After around 20 to 24 hours of uptime the OpenBSD hosts (three in total) are no longer able to reach the IPv6 internet. A restart of the affected hosts usually helps. In rare cases a double restart is required. Linux and Windows don't show this problem.

Any ideas? What information should I provide in order to debug this further?

# uname -a
OpenBSD mail1 7.5 GENERIC#79 amd64

# cat /etc/hostname.vio0
# BEGIN ANSIBLE MANAGED BLOCK IPv6
inet6 -soii
inet6 autoconf
# END ANSIBLE MANAGED BLOCK IPv6
# BEGIN ANSIBLE MANAGED BLOCK IPv4
inet 17
Re: IPv6 ULA routing stops working after 20 hours or so
On 23.06.2024 at 19:05, Crystal Kolipe wrote:

On Sun, Jun 23, 2024 at 06:42:10PM +0200, Thomas Bohl wrote:

(The log-output is indistinguishable from when it is working.)

Yet I don't see them arriving with tcpdump:

# tcpdump -n -i vio0 ip6
tcpdump: listening on vio0, link-type EN10MB
18:29:38.703181 fe80::be24:11ff:fe10:5272.46404 > fe80::2a0:57ff:fe3a:ac77.53: 29603+ ? google.com.(28) [flowlabel 0xe0681]
18:29:38.731683 fe80::2a0:57ff:fe3a:ac77.53 > fe80::be24:11ff:fe10:5272.46404: 29603 1/0/0 [|domain]
18:29:38.731839 fd00:172:17:170:c57c:a20c:2d74:124 > 2a00:1450:4005:801::200e: icmp6: echo request

Are you sure that the router had a valid NDP entry for fd00:172:17:170:c57c:a20c:2d74:124 at this point?

The router doesn't have a valid NDP entry. It has an NDP entry for an address ifconfig says is deprecated. If I force the use of this deprecated address with "ping -I" the responses are received.

I have to verify if it always stops if pltime reaches zero.
Re: IPv6 ULA routing stops working after 20 hours or so
On 23.06.2024 at 19:50, Thomas Bohl wrote:

The router doesn't have a valid NDP entry. It has an NDP entry for an address ifconfig says is deprecated. If I force the use of this deprecated address with "ping -I" the responses are received.

I have to verify if it always stops if pltime reaches zero.

It doesn't always stop immediately if pltime reaches zero and a new temporary address is generated. Only sometimes. But in the long run it eventually will fail and never recover.

It has to be an NDP problem. I'm not sure who is at fault. My guess would be the router, because its traces will start outputting a xx:xx:xx:xx:xx:xx MAC address (that is not me anonymizing it):

(fd00:172:17:174:d468:28ab:498e:5d0e is the new autoconf temporary address on the OpenBSD host.)

[ND-CACHE] 2024/06/24 23:06:17,088 Devicetime: 2024/06/24 23:06:17,077[info] : ND state on interface HOST_O4 changed fe80::91:51ff:fe40:c93f iface HOST_O4 lladdr 02:91:51:40:c9:3f (BUNDLE-1,3) host DELAY src fe80::2a0:57ff:fe3a:ac77
[ND-CACHE] 2024/06/24 23:06:17,127 Devicetime: 2024/06/24 23:06:17,105[info] : outgoing packet on HOST_O4 target: fd00:172:17:174:d468:28ab:498e:5d0e, source: fe80::2a0:57ff:fe3a:ac77 fd00:172:17:174:d468:28ab:498e:5d0e iface HOST_O4 lladdr xx:xx:xx:xx:xx:xx host INIT src fe80::2a0:57ff:fe3a:ac77
[ND-CACHE] 2024/06/24 23:06:17,127 Devicetime: 2024/06/24 23:06:17,105[info] : ND state on interface HOST_O4 changed fd00:172:17:174:d468:28ab:498e:5d0e iface HOST_O4 lladdr xx:xx:xx:xx:xx:xx host INCOMPLETE src fe80::2a0:57ff:fe3a:ac77
[ND-CACHE] 2024/06/24 23:06:20,109 Devicetime: 2024/06/24 23:06:20,105[info] : ND state on interface HOST_O4 changed fd00:172:17:174:d468:28ab:498e:5d0e iface HOST_O4 lladdr xx:xx:xx:xx:xx:xx host UNREACHABLE src fe80::2a0:57ff:fe3a:ac77

I just don't get why Linux and Windows don't have the same problem. I'll try to collect more tcpdump and log-data.
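Added example (not part of the original post): a filter for router traces in the [ND-CACHE] format quoted above that lists every neighbor whose last recorded state is INCOMPLETE or UNREACHABLE, and whether a real link-layer address was ever learned for it. The function name `nd_unresolved` is hypothetical; the sample lines are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post.
# Sample input: the [ND-CACHE] trace lines quoted in the message above.
SAMPLE_ND_LOG='[ND-CACHE] 2024/06/24 23:06:17,088 Devicetime: 2024/06/24 23:06:17,077[info] : ND state on interface HOST_O4 changed fe80::91:51ff:fe40:c93f iface HOST_O4 lladdr 02:91:51:40:c9:3f (BUNDLE-1,3) host DELAY src fe80::2a0:57ff:fe3a:ac77
[ND-CACHE] 2024/06/24 23:06:17,127 Devicetime: 2024/06/24 23:06:17,105[info] : ND state on interface HOST_O4 changed fd00:172:17:174:d468:28ab:498e:5d0e iface HOST_O4 lladdr xx:xx:xx:xx:xx:xx host INCOMPLETE src fe80::2a0:57ff:fe3a:ac77
[ND-CACHE] 2024/06/24 23:06:20,109 Devicetime: 2024/06/24 23:06:20,105[info] : ND state on interface HOST_O4 changed fd00:172:17:174:d468:28ab:498e:5d0e iface HOST_O4 lladdr xx:xx:xx:xx:xx:xx host UNREACHABLE src fe80::2a0:57ff:fe3a:ac77'

# Reads trace lines on stdin. Prints "<address> <last state> <lladdr|no-lladdr>"
# for each neighbor that ended up INCOMPLETE or UNREACHABLE, in first-seen order.
nd_unresolved() {
	awk '
	/ND state on interface/ {
		addr = lladdr = state = ""
		for (i = 1; i < NF; i++) {
			if ($i == "changed") addr = $(i + 1)
			if ($i == "lladdr") lladdr = $(i + 1)
			if ($i == "host") state = $(i + 1)
		}
		if (addr == "") next
		last[addr] = state
		# Only a hex MAC counts as resolved; the xx:xx:... placeholder does not.
		if (lladdr ~ /^[0-9a-fA-F][0-9a-fA-F](:[0-9a-fA-F][0-9a-fA-F])+$/)
			mac[addr] = lladdr
		if (!(addr in seen)) { seen[addr] = 1; list[++n] = addr }
	}
	END {
		for (i = 1; i <= n; i++) {
			a = list[i]
			if (last[a] == "INCOMPLETE" || last[a] == "UNREACHABLE")
				printf "%s %s %s\n", a, last[a], ((a in mac) ? mac[a] : "no-lladdr")
		}
	}'
}

printf '%s\n' "$SAMPLE_ND_LOG" | nd_unresolved
```

An address reported with `no-lladdr` never answered the router's neighbor solicitation, which is the symptom described for the new temporary address.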
Re: IPv6 static host address inside dynamic network
On 02.09.2024 at 22:21, Chris Ross wrote:

I’m trying to move from a static IPv6 network to a dynamic allocation from an ISP. The hard part is that some of my hosts have secondary addresses for specific services to use. I need to find a way to listen to router adverts but then manually add an alias with a static lower 64 bits. Looking for suggestions.

I used https://aloof.de/f/IPv6Aliases-en.sh for many years.

HTH
Re: IPv6 static host address inside dynamic network
On 14.10.2024 at 17:47, Chris Ross wrote:

On 2024-09-10 19:20:13, Thomas Bohl wrote:

I used https://aloof.de/f/IPv6Aliases-en.sh for many years. HTH

Apologies that I missed this earlier, Thomas. I took a look at this now, and it does do very much what I want. I have been trying to find something event-based, rather than polling, but this is a good tool if I go that route. Thank you.

But, I do notice something looking at it and my openbsd system; the command-set that produces “publicIPv6Net” seems wrong. Specifically, it runs “sort -u” on the networks and then “tail -n 1”, purportedly because newer networks are listed at the bottom. First, sort loses ordering.

You are right. I see that my first version from 2018 didn't have it. I can't remember why I added it.

Second, on my system the last address output by “route -n show -inet6 | grep ::/64” is not the current one. Actually, that list seems also to be sorted lexicographically even before running sort. I think “route show” lists them in address-order, not time-order.

Again you seem to be right and I don't remember if it ever was different. The comment for tail at least implies it.

What a bummer. I used this script for 5 years on 6 machines and never had a problem. But now that I no longer use it myself I maybe should delete it or at least no longer promote it.
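Added example (not part of IPv6Aliases-en.sh or of the posts above): one way to pick the current /64 without relying on the order of “route show” output, by taking the non-deprecated autoconf address with the highest pltime from ifconfig. It assumes the ifconfig flag words `autoconf`, `deprecated` and `pltime`, and that the most recently advertised prefix carries the highest preferred lifetime; `current_prefix64`, `alias_for` and the sample addresses are hypothetical.

```shell
#!/bin/sh
# Added example; not part of IPv6Aliases-en.sh.
# Constructed `ifconfig vio0` inet6 lines (documentation prefix 2001:db8::/32).
# The deprecated prefix sorts last lexicographically, so "sort | tail -n 1"
# over the networks would select it.
SAMPLE_IFCONFIG='	inet6 fe80::be24:11ff:fe10:5272%vio0 prefixlen 64 scopeid 0x1
	inet6 2001:db8:ffff:9:202c:9944:920d:70dd prefixlen 64 deprecated autoconf pltime 0 vltime 86000
	inet6 2001:db8:a:1:202c:9944:920d:70dd prefixlen 64 autoconf pltime 604788 vltime 2591988
	inet6 2001:db8:a:1:d468:28ab:498e:5d0e prefixlen 64 autoconf temporary pltime 80000 vltime 170000'

# Reads ifconfig output on stdin and prints the first four hextets of the
# autoconf address with the highest pltime. Exits 1 if there is none.
current_prefix64() {
	awk '
	BEGIN { best = 0 }
	$1 == "inet6" && /autoconf/ && !/deprecated/ && $2 !~ /^fe80/ {
		pl = -1
		for (i = 3; i < NF; i++) if ($i == "pltime") pl = $(i + 1) + 0
		if (pl > best) { best = pl; addr = $2 }
	}
	END {
		if (addr == "") exit 1
		sub(/%.*/, "", addr)
		# Expand "::" so the first four groups are always explicit.
		k = index(addr, "::")
		if (k) {
			left = substr(addr, 1, k - 1); right = substr(addr, k + 2)
			nl = split(left, L, ":"); nr = split(right, R, ":")
			full = left
			for (i = 0; i < 8 - nl - nr; i++) full = full (full == "" ? "" : ":") "0"
			if (right != "") full = full ":" right
			addr = full
		}
		split(addr, g, ":")
		printf "%s:%s:%s:%s\n", g[1], g[2], g[3], g[4]
	}'
}

# $1 = static lower 64 bits as four hextets, e.g. 0:0:0:25
alias_for() {
	p=$(current_prefix64) || return 1
	printf '%s:%s\n' "$p" "$1"
}

printf '%s\n' "$SAMPLE_IFCONFIG" | alias_for 0:0:0:25
```

On a live host the input would come from `ifconfig vio0` instead of the sample, and the resulting address would be added as an alias in the same way the script already does.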