Re: CVS confusion
On Sat, Oct 11, 2014 at 02:08:12AM +, Steven Surdock wrote:

> I'm trying to follow -stable ports, but CVSWEB appears inconsistent.
> If I look at ports/lang/php/5.4 for OPENBSD_5_5
> (http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/lang/php/5.4/?only_with_tag=OPENBSD_5_5)
> it shows the following:
>
>   Makefile 1.16.2.1 4 months jasper security update to php-5.4.28 ok sthen@
>
> If I look at the Makefile
> (http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/lang/php/5.4/Makefile?only_with_tag=OPENBSD_5_5)
> it shows a Revision of 1.16.2.3 and the last note says (security update to 5.4.30; ok jasper@).
> If I look at Rev. 1.16.2.1 (from the first page above), it shows version 5.4.28.
> If I grab a copy via CVS, I get 5.4.32.
>
> $ cvs -qd anon...@anoncvs.ca.openbsd.org:/cvs get -rOPENBSD_5_5 -P ports/lang/php/5.4
>
> Which is the correct php 5.4 for OpenBSD 5.5-stable?
>
> -Steve S.

Looks like a bug in cvsweb. Makefile 1.16.2.3 is the newest revision in the OPENBSD_5_5 branch. You can see that if you click Makefile in the page displayed by your first url.

	-Otto
Re: Trying to get suspend to RAM working on an X31
* Mike Larkin mlar...@azathoth.net [141010 11:18]:
> On Fri, Oct 10, 2014 at 10:01:18AM -0700, John Magolske wrote:
> > Upon issuing the `zzz` command, the screen turns off, the machine spins down and the little crescent-moon sleep indicator lights up. But when woken, the screen comes up frozen with lots of vertical stripes. Blind-typing commands into the console has no effect (e.g. `zzz` from a root console then `halt -p` after the awakening attempt).
>
> boot -c, disable radeondrm (and also disable auto xdm start). See if you can zzz/resume from the console without radeondrm running. That will at least give us a place to start.
>
> Another thing you can try is seeing if the machine is in ddb on resume for some reason. Try a few (3 or 4) "bo re" commands (enter after each). See if the machine reboots, and if so you might have clues in dmesg after reboot.

Thanks, that made a difference. Appears to be suspending to RAM -- hard drive spins down, crescent-moon indicator lights up, screen goes black...but then the backlight comes back on while remaining in sleep mode. Closing and opening the lid brings it back to life promptly with no stripes on the screen, everything is working fine. I just repeated this reliably about 10 times in a row. Now if I could figure out how to keep the backlight from coming back on immediately after the suspend. Also wondering how much I'd be giving up by forgoing DRM in my case with this mobility radeon 7000.

Rebooted, then suspended to the frozen screen with vertical stripes, tried the suggested `bo re` ... but no, that screen is frozen solid.

Regards,

John

-- 
John Magolske
http://B79.net/contact
Re: Connection drop (i.e. IRC) caused by pf/pfsync/carp/...?
On 10/10/14 23:34, Stuart Henderson wrote:
> oops, missed your sysctl -a output (I wasn't expecting to see it, well done ;-)
>
> net.inet.ip.ifq.drops=140720
>
> You would probably benefit from increasing net.inet.ip.ifq.maxlen, maybe double it once or twice and see if net.inet.ip.ifq.drops stops increasing.

Our users, too, experience some disconnects. We have a firewall with a large PF config (a lot of rules and queues) and a 500 Mbps Internet connection. Here is some info:

# uptime
10:16AM up 47 days, 18:52, 1 user, load averages: 0.90, 0.82, 0.77
# sysctl net.inet.ip.ifq
net.inet.ip.ifq.len=0
net.inet.ip.ifq.maxlen=1536
net.inet.ip.ifq.drops=3158576
# sysctl kern.netlivelocks
kern.netlivelocks=12031149

In pf we set limit states 100 and states always remain below 20 (we graph them). Complete dmesg, sysctl, and netstat -i follow. Kernel is GENERIC (no MP); the only change is HZ=1000 (for queue accuracy). Any idea of what could be the problem and how to solve it?

Thanks.

# dmesg
OpenBSD 5.5-stable (NMFW) #1: Fri Aug 22 11:11:29 CEST 2014
    giann...@legolas.neomedia.it:/usr/src/sys/arch/amd64/compile/NMFW
real mem = 8530317312 (8135MB)
avail mem = 8294674432 (7910MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xec0f0 (76 entries)
bios0: vendor American Megatrends Inc. version 2.0 date 04/24/2014
bios0: Supermicro X10SLL-F
acpi0 at bios0: rev 2
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP APIC FPDT SSDT SSDT SSDT SSDT SSDT MCFG HPET SSDT SSDT SPMI DMAR EINJ ERST HEST BERT
acpi0: wakeup devices PEGP(S4) PEG0(S4) PEGP(S4) PEG1(S4) PEGP(S4) PEG2(S4) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP05(S4) GLAN(S4) EHC1(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E3-1271 v3 @ 3.60GHz, 3600.16 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 100MHz
cpu at mainbus0: not configured
cpu at mainbus0: not configured
cpu at mainbus0: not configured
ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 24 pins
acpimcfg0 at acpi0 addr 0xf800, bus 0-63
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (PEG0)
acpiprt2 at acpi0: bus -1 (PEG1)
acpiprt3 at acpi0: bus -1 (PEG2)
acpiprt4 at acpi0: bus 2 (RP01)
acpiprt5 at acpi0: bus 4 (RP02)
acpiec0 at acpi0: Failed to read resource settings
acpicpu0 at acpi0: C1, PSS
acpipwrres0 at acpi0: PG00, resource for PEG0
acpipwrres1 at acpi0: PG01, resource for PEG1
acpipwrres2 at acpi0: PG02, resource for PEG2
acpipwrres3 at acpi0: FN00, resource for FAN0
acpipwrres4 at acpi0: FN01, resource for FAN1
acpipwrres5 at acpi0: FN02, resource for FAN2
acpipwrres6 at acpi0: FN03, resource for FAN3
acpipwrres7 at acpi0: FN04, resource for FAN4
acpitz0 at acpi0: critical temperature is 105 degC
acpitz1 at acpi0: critical temperature is 105 degC
acpibat0 at acpi0: BAT0 not present
acpibat1 at acpi0: BAT1 not present
acpibat2 at acpi0: BAT2 not present
acpibtn0 at acpi0: SLPB
acpibtn1 at acpi0: PWRB
acpibtn2 at acpi0: LID0
acpivideo0 at acpi0: GFX0
acpivout0 at acpivideo0: DD1F
ipmi at mainbus0 not configured
cpu0: Enhanced SpeedStep 3600 MHz: speeds: 3601, 3600, 3400, 3200, 3000, 2800, 2600, 2400, 2200, 2000, 1800, 1600, 1400, 1200, 1000, 800 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 Intel Xeon E3-1200 v3 Host rev 0x06
ppb0 at pci0 dev 1 function 0 Intel Core 4G PCIE rev 0x06: msi
pci1 at ppb0 bus 1
em0 at pci1 dev 0 function 0 Intel 82571EB rev 0x06: apic 8 int 16, address 00:26:55:d0:32:42
em1 at pci1 dev 0 function 1 Intel 82571EB rev 0x06: apic 8 int 17, address 00:26:55:d0:32:43
Intel 8 Series xHCI rev 0x05 at pci0 dev 20 function 0 not configured
em2 at pci0 dev 25 function 0 Intel I217-LM rev 0x05: msi, address 00:25:90:46:61:b5
ehci0 at pci0 dev 26 function 0 Intel 8 Series USB rev 0x05: apic 8 int 16
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb1 at pci0 dev 28 function 0 Intel 8 Series PCIE rev 0xd5: msi
pci2 at ppb1 bus 2
ppb2 at pci2 dev 0 function 0 ASPEED Technology AST1150 PCI rev 0x03
pci3 at ppb2 bus 3
vga1 at pci3 dev 0 function 0 ASPEED Technology AST2000 rev 0x30
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb3 at pci0 dev 28 function 1 Intel 8 Series PCIE rev 0xd5: msi
pci4 at ppb3 bus 4
em3 at pci4 dev 0 function 0 Intel I210 rev 0x03: msi, address
Re: Shadow TCP stacks
moved to misc@; it's still not on-topic, but this message may be somewhat interesting

On Fri, Oct 10, 2014 at 07:31:50PM -0400, Ian Grant wrote:
> I want to try to implement some form of concealed port knocking in OpenBSD, along the lines of Martin Kirsch: https://gnunet.org/sites/default/files/ma_kirsch_2014_0.pdf

Looking through the abstract and introduction, that's just port knocking. As the paper points out, "Port knocking is a well-known technique to hide TCP servers from port scanners." (The thesis does aim at security against a global eavesdropper, which is not traditionally a goal of port knocking; and the implementation does try hard to work with existing software, which is nice. I don't think port knocking is actually useful - see below - but this does look like a competent execution of its concept.)

> The application is electronic democracy. I want to demonstrate how it is possible to do secure comms. over untrusted networks and hardware.

But it *isn't* possible to do secure comms from/to compromised hardware; that is what "compromised" means. Note that the thesis above merely aims at cryptographic port knocking; a global adversary can still just read the unencrypted traffic. The thesis also requires a pre-shared key; if you have a PSK, why not use real crypto (e.g. a VPN) instead? Also, note that securely pre-sharing keys is a pain even in a small group of friends; there is no way you can scale that to every human in the world.

> I hope to be able to do this by carrying out a global referendum. See http://livelogic.blogspot.com/2014/10/the-foundation-parts-iii-iii.html

A very quick read shows that you want to do, roughly, electronic voting. A number of proposals exist to achieve secure (or verifiable) electronic voting; I believe you should be able to find fairly accessible introductions to the cryptographic scheme proposed by Ron Rivest (of RSA fame). No proposal that I'm aware of even contemplates using compromised hardware, though, and all proposals assume a functioning census.

> My plan is to use a virtual interface which magically shows behind the physical interface when connections are made with the right ISN key in the SYN packet. If the ISN is not one of the 'knocks' then the connection sees the ordinary physical interface. Then I want to make a connection between applications and the TCP stack so that the knocks can be determined only by data from within the VPN. Then the knocks will vary non-deterministically.
>
> To bootstrap into the VPN a machine will need a direct trusted connection to another machine which is already in the VPN, and which can send it the initial knock key sequence which will allow it to handshake into the VPN, and thereafter have a connection. The VPN will be tunneled over TCP and/or IP datagram connections. Within the VPN the routing and representation of data within real TCP network packets will also vary non-deterministically according to data passed over the VPN. The VPN will be used for trusted core protocols for authentication, key-exchange and verification. So it need not carry such high volumes of traffic. The bulk of data will be carried over the exposed network.
>
> If anyone here has a better idea, or any other useful advice (even if it's "this has already been done!" or "It won't work, but please explain exactly why.") or pointers: I am new to this game: I have never seriously looked at network protocol driver code in OpenBSD or any other OS.

This is way too large; start with something *much* smaller. Very smart people have been working on the kind of things you're thinking about for decades; you're not going to solve this in a weekend, or in just a hundred lifetimes.

Some things that you may find interesting:

- http://curvecp.org/: djb's "encrypt the whole internet" scheme. One useful first contribution might be to get the efficiency measurements that http://curvecp.org/efficiency.html promises; this is not easy.
- Tor is the most realistic choice for internet anonymity at the moment; there are plenty of issues with it, but it's something. Consider setting up a tor node; do not set up an exit node without consulting an appropriate legal professional.
- the global poor are getting more and more access to mobile (dumb-)phones; consider things like http://en.wikipedia.org/wiki/M-Pesa. It has been very hard for the open source world to do much of anything in this area, since (a) it's desperately uncool and (b) telecom companies are hesitant to allow any arbitrary code on their devices. Nonetheless, some (extremely ambitious) projects might be worthwhile:
  + try turning Karsten Nohl's research into something like Cydia, a platform for rooting SIM cards and installing custom applications on them. Again, consult a legal professional; this is definitely not legal everywhere.
  + create an e-voting application and bring it to market with the telecom operators'
Re: Connection drop (i.e. IRC) caused by pf/pfsync/carp/...?
On Fri, 10 Oct 2014 21:28:25 + (UTC) Stuart Henderson s...@spacehopper.org wrote:

Hi Stuart

Many thanks for the input, I do have access to the servers too.

> I was going to suggest that you might have asymmetric routing causing split states i.e. one firewall seeing inbound packets, one seeing outbound, in which case "ifconfig pfsync0 defer" might help, but (assuming you weren't just seeing issues from connections which had been setup before disabling one firewall) the above test would seem to rule that out ..

I think we had fewer connection drops with only one firewall, but they didn't disappear. Pfsync is configured to use unicast, the defer option is present:

# cat /etc/hostname.pfsync0
up syncif vlan123 defer syncpeer xx.xx.xx.xx

You are correct, the routing can be asymmetric in our case.

> What does the output of "sysctl kern.netlivelocks net.inet.ip.ifq" look like?

net.inet.ip.ifq.maxlen was set to 256; I've changed it to 768. I'll look if the values in net.inet.ip.ifq.drops change.

Kind regards,
Daniel
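Both replies in this thread (the one with the dmesg above and Daniel's here) are following Stuart's advice to raise net.inet.ip.ifq.maxlen and watch whether net.inet.ip.ifq.drops keeps growing. The script below is an added example, not code from any of the posters: it takes two snapshots of plain sysctl(8) key=value output, reports how much the drop and livelock counters moved between them, and returns the next maxlen to try (double the current one while drops still grow, unchanged otherwise). The snapshot values are constructed, modelled on the numbers posted; the function names sysctl_value, counter_delta and ifq_suggest are my own.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether net.inet.ip.ifq.maxlen
# should be raised, following the "double it and watch drops" advice above.
# Input is plain sysctl(8) key=value output; function names are assumptions.

# sysctl_value KEY SNAPSHOT -> value of KEY in SNAPSHOT, empty if absent
sysctl_value() {
    printf '%s\n' "$2" | awk -F= -v k="$1" '$1 == k { print $2 }'
}

# counter_delta KEY BEFORE AFTER -> AFTER minus BEFORE for a monotonic counter
counter_delta() {
    b=$(sysctl_value "$1" "$2")
    a=$(sysctl_value "$1" "$3")
    echo $(( ${a:-0} - ${b:-0} ))
}

# ifq_suggest BEFORE AFTER -> maxlen to try next: double the current value
# while drops still grow between the two snapshots, otherwise keep it as is
ifq_suggest() {
    cur=$(sysctl_value net.inet.ip.ifq.maxlen "$2")
    if [ "$(counter_delta net.inet.ip.ifq.drops "$1" "$2")" -gt 0 ]; then
        echo $(( cur * 2 ))
    else
        echo "$cur"
    fi
}

# Constructed snapshots, modelled on the numbers posted in the thread, as if
# taken a minute apart with: sysctl net.inet.ip.ifq kern.netlivelocks
SNAP1='net.inet.ip.ifq.len=0
net.inet.ip.ifq.maxlen=1536
net.inet.ip.ifq.drops=3158576
kern.netlivelocks=12031149'
SNAP2='net.inet.ip.ifq.len=3
net.inet.ip.ifq.maxlen=1536
net.inet.ip.ifq.drops=3158900
kern.netlivelocks=12031200'

echo "ifq drops in interval: $(counter_delta net.inet.ip.ifq.drops "$SNAP1" "$SNAP2")"
echo "livelocks in interval: $(counter_delta kern.netlivelocks "$SNAP1" "$SNAP2")"
echo "maxlen to try next:    $(ifq_suggest "$SNAP1" "$SNAP2")"
# On a live firewall, as root, the same decision would be applied with:
#   sysctl net.inet.ip.ifq.maxlen=$(ifq_suggest "$s1" "$s2")
```

The livelock delta is reported alongside the drops because a queue that still overflows after one or two doublings, while kern.netlivelocks keeps climbing, points at the kernel not keeping up with interrupt load rather than at the queue length, which is the distinction Stuart's "see if drops stop increasing" test is meant to draw.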
Re: edge router lite promt-less boot
Hi,

On Fri, Sep 26, 2014 at 08:49:36PM -0700, Rusty wrote:
> Good morning misc/
>
> I purchased a couple of Ubiquiti's EdgeRouter Lite boxes. And while the Ubiquiti OS is ok (better than most small home routers anyhow) I quickly started missing my obsd, this is why I bought them after all. I am fine netbooting for the time being. However, are there any hints to skip the prompt for the root device? You know, the one asking for "root device:"

This is configured in sys/kern/subr_disk.c. You can hardcode some of your ethernet ports (e.g., cnmac0) there. However, take care if you use the same source tree to compile for other archs than octeon, because this file is used in all archs. Be sure to put your changes inside #ifdef CPU_OCTEON. I have this in my tree, but take it at your own risk, and to be clear: it is a nasty workaround. The only use case for my EdgeMax is for hacking. I would not use them in production until USB support is concluded, but it is up to you.

Regards,
Rafael Neves

Index: sys/kern/subr_disk.c === RCS file: /cvs/src/sys/kern/subr_disk.c,v retrieving revision 1.170 diff -u -p -r1.170 subr_disk.c --- sys/kern/subr_disk.c14 Sep 2014 14:17:25 - 1.170 +++ sys/kern/subr_disk.c11 Oct 2014 14:28:23 - 
@@ -1462,11 +1462,18 @@ setroot(struct device *bootdv, int part, printf()); } printf(: ); +#ifdef CPU_OCTEON + char *dsklbuf = cnmac0; + printf(%s\n, dsklbuf); + strlcpy(buf, dsklbuf, sizeof buf); + len = strlen(buf); +#else s = splhigh(); cnpollc(TRUE); len = getsn(buf, sizeof(buf)); cnpollc(FALSE); splx(s); +#endif /* CPU_OCTEON */ if (strcmp(buf, exit) == 0) reboot(exitflags); if (len == 0 bootdv != NULL) {

> I would also welcome any hints on updating a diskless set. My current method is based roughly on the install script.
> detar sets preserving permissions (excepting etc??.tgz)
> reboot into arches bsd.rd to rebuild device nodes
> reboot and run sysmerge to merge etc??.tgz
>
> full serial boot log:
>
> Looking for valid bootloader image
> Jumping to start of image at address 0xbfc8
> U-Boot 1.1.1 (UBNT Build ID: 4493936-g009d77b) (Build time: Sep 20 2012 - 15:48:51)
> BIST check passed.
> UBNT_E100 r1:2, r2:14, serial #: DC9FDB803A4D
> Core clock: 500 MHz, DDR clock: 266 MHz (532 Mhz data rate)
> DRAM: 512 MB
> Clearing DRAM... done
> Flash: 4 MB
> Net: octeth0, octeth1, octeth2
> USB: (port 0) scanning bus for devices... 1 USB Devices found
> scanning bus for storage devices... Device 0: Vendor: Prod.: USB DISK 2.0 Rev: PMAP
> Type: Removable Hard Disk
> Capacity: 3700.6 MB = 3.6 GB (7579008 x 512)
> 0 Interface 0 has 3 ports (RGMII)
> Using octeth0 device
> TFTP from server 192.168.16.5; our IP address is 192.168.16.16
> Filename 'bsd.sp.octeon'.
> Load address: 0x9f0
> Loading: octeth0: Up 1000 Mbps Full duplex (port 0)
> ### [76/276] done
> Bytes transferred = 3734226 (38fad2 hex), 9855 Kbytes/sec
> ELF file is 64 bit
> Allocating memory for ELF segment: addr: 0x8100 (adjusted to: 0x100), size 0x3bfc70
> Allocated memory for ELF segment: addr: 0x8100, size 0x3bfc70
> Processing PHDR 0
> Loading 334bf8 bytes at 8100
> Clearing 8b078 bytes at 81334bf8
> ## Loading Linux kernel with entry point: 0x8100 ...
> Bootloader: Done loading app on coremask: 0x1
> Total DRAM Size 0x2000
> Bank 0 = 0x013C - 0x0FFF
> mem_layout[0] page 0x04F0 - 0x3FFF
> boot_desc->argv[1] = root=/dev/cnmac0
> Initial setup done, switching console.
> boot_desc->desc_ver:7
> boot_desc->desc_size:400
> boot_desc->stack_top:0
> boot_desc->heap_start:0
> boot_desc->heap_end:0
> boot_desc->argc:2
> boot_desc->flags:0x5
> boot_desc->core_mask:0x1
> boot_desc->dram_size:512
> boot_desc->phy_mem_desc_addr:0
> boot_desc->debugger_flag_addr:0xa44
> boot_desc->eclock:5
> boot_desc->boot_info_addr:0x1001f0
> boot_info->ver_major:1
> boot_info->ver_minor:2
> boot_info->stack_top:0
> boot_info->heap_start:0
> boot_info->heap_end:0
> boot_info->boot_desc_addr:0
> boot_info->exception_base_addr:0x1000
> boot_info->stack_size:0
> boot_info->flags:0x5
> boot_info->core_mask:0x1
> boot_info->dram_size:512
> boot_info->phys_mem_desc_addr:0x24108
> boot_info->debugger_flags_addr:0
> boot_info->eclock:5
> boot_info->dclock:26600
> boot_info->board_type:20002
> boot_info->board_rev_major:2
> boot_info->board_rev_minor:14
> boot_info->mac_addr_count:3
> boot_info->cf_common_addr:0
> boot_info->cf_attr_addr:0
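Review bot: in the `+#ifdef CPU_OCTEON` block the declaration `char *dsklbuf = cnmac0;` comes after the `printf(: );` statement, which breaks style(9)'s rule of declaring variables at the start of a block; hoist it, or drop the variable and pass the literal straight to strlcpy(). More importantly, because this branch never calls getsn(), the `if (strcmp(buf, exit) == 0) reboot(exitflags);` check right below it can no longer be reached on octeon and the operator loses any way to name a different root device from the console. The boot log further down shows that U-Boot already hands the kernel `boot_desc->argv[1] = root=/dev/cnmac0`, so the cleaner fix is for the octeon machine-dependent code to parse that argument and set bootdv before setroot() runs, leaving the generic prompt in subr_disk.c untouched.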
Re: CVS confusion
On Sat, Oct 11, 2014 at 08:55, Otto Moerbeek wrote:
> On Sat, Oct 11, 2014 at 02:08:12AM +, Steven Surdock wrote:
> > I'm trying to follow -stable ports, but CVSWEB appears inconsistent.
> > If I look at ports/lang/php/5.4 for OPENBSD_5_5
> > (http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/lang/php/5.4/?only_with_tag=OPENBSD_5_5)
> > it shows the following:
> >
> >   Makefile 1.16.2.1 4 months jasper security update to php-5.4.28 ok sthen@
> >
> > If I look at the Makefile
> > (http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/lang/php/5.4/Makefile?only_with_tag=OPENBSD_5_5)
> > it shows a Revision of 1.16.2.3 and the last note says (security update to 5.4.30; ok jasper@).
> > If I look at Rev. 1.16.2.1 (from the first page above), it shows version 5.4.28.
> > If I grab a copy via CVS, I get 5.4.32.
> >
> > $ cvs -qd anon...@anoncvs.ca.openbsd.org:/cvs get -rOPENBSD_5_5 -P ports/lang/php/5.4
> >
> > Which is the correct php 5.4 for OpenBSD 5.5-stable?
> >
> > -Steve S.
>
> Looks like a bug in cvsweb. Makefile 1.16.2.3 is the newest revision in the OPENBSD_5_5 branch. You can see that if you click Makefile in the page displayed by your first url.

There's also a typo in the last commit message, which adds to the fun. It says 5.4.30 but should say 5.4.32.
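To make the revision-numbering point behind Otto's answer concrete, here is an added example (mine, not from any poster in the thread) that applies the CVS rules it relies on: a branch forked from trunk revision X.Y carries revisions X.Y.B.N, rlog shows the branch tag itself as the "magic branch number" X.Y.0.B, and the head of the branch is the revision with the largest N, whatever order a listing shows them in. The revision list is constructed from the numbers mentioned in the thread; the function names and the magic number 1.16.0.2 used for the OPENBSD_5_5 tag are assumptions, since no rlog output appears in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): find the head revision of a CVS
# branch from a list of revision numbers, using CVS numbering rules.
# A branch off trunk revision X.Y has revisions X.Y.B.N; the newest one is
# the largest N. Function names and the sample data are constructed.

# branch_prefix MAGIC -> revision prefix of the branch whose tag rlog
# shows as a "magic branch number" X.Y.0.B, i.e. X.Y.B
branch_prefix() {
    printf '%s\n' "$1" | sed 's/\.0\.\([0-9][0-9]*\)$/.\1/'
}

# branch_head PREFIX "REV REV ..." -> highest revision PREFIX.N in the list,
# compared numerically (so .10 beats .9); prints nothing if none match
branch_head() {
    printf '%s\n' $2 | awk -F. -v p="$1" '
        BEGIN { max = -1 }
        { rev = $0; sub(/\.[0-9]+$/, "", rev) }
        rev == p && $NF + 0 > max { max = $NF + 0; best = $0 }
        END { if (max >= 0) print best }'
}

# Constructed revision list: trunk 1.16 and 1.17 plus the three branch
# revisions discussed for ports/lang/php/5.4/Makefile, deliberately out of
# order to mirror the cvsweb listing that caused the confusion.
REVS="1.16 1.16.2.1 1.16.2.3 1.16.2.2 1.17"

echo "head of branch 1.16.2:  $(branch_head 1.16.2 "$REVS")"
echo "via magic number 1.16.0.2: $(branch_head "$(branch_prefix 1.16.0.2)" "$REVS")"
# Live use: feed the "revision" lines of `cvs rlog -rOPENBSD_5_5 Makefile`
# to branch_head with the prefix derived from the tag's magic number.
```

The numeric comparison on the last component matters: a plain string sort would rank 1.16.2.9 above 1.16.2.10, which is exactly the kind of mistake that makes a listing show an older branch revision as if it were the newest.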
Xenocara Intel Crestline Graphics
I have the opportunity to purchase a Dell laptop with Intel Crestline Graphics hardware. Crestline appears to be marketing speak for: Intel GM965/GMA X3100

Can someone advise me as to the likelihood of using the h/w, or will I be limited to the framebuffer?

Mr. Google has failed me.

Ray
Re: Xenocara Intel Crestline Graphics
Raymond Lillard [r...@prosysmeg.com] wrote:
> I have the opportunity to purchase a Dell laptop with Intel Crestline Graphics hardware. Crestline appears to be marketing speak for: Intel GM965/GMA X3100
>
> Can someone advise me as to the likelihood of using the h/w, or will I be limited to the framebuffer?

You should have full accelerated support with inteldrm.