Re: if I were to make a pkg-add diff

2016-01-03 Thread Mihai Popescu
I'll say we should go for the spaceship project ... with lasers.



Re: if I were to make a pkg-add diff

2016-01-03 Thread Theo de Raadt
>I'll say we should go for the spaceship project ... with lasers.

Index: pkg_add.1
===
RCS file: /cvs/src/usr.sbin/pkg_add/pkg_add.1,v
retrieving revision 1.134
diff -u -p -u -r1.134 pkg_add.1
--- pkg_add.1   4 Nov 2015 16:59:58 -   1.134
+++ pkg_add.1   4 Jan 2016 01:36:44 -
@@ -20,7 +20,7 @@
 .Os
 .Sh NAME
 .Nm pkg_add
-.Nd install software package distributions
+.Nd install software package distributions with lasers
 .Sh SYNOPSIS
 .Nm pkg_add
 .Bk -words
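
Review bot: the changed .Nd line now ends in "with lasers", but the diff adds no option under .Sh SYNOPSIS and no other text to pkg_add.1 that documents it. .Nd is the one-line summary that whatis(1) and apropos(1) display, so it should describe only what the manual goes on to explain; either drop the suffix or add the matching documentation in the same diff.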

pkg_add is easy.  The spaceship is harder.



Re: if I were to make a pkg-add diff

2016-01-03 Thread Luke Small
I just got consistent internet for my laptop and got the ftp and sed call
pipes and stuff to work. What I want to know is if I make multiple fork()
to execl() ping calls, should I limit the number of a standard
argument-free call to my pkg_ping to 8 or so threads which pings each of
the mirrors 9 or so times (and calculate the median latency) at 1 ping per
second, or will the mirrors have ping firewall rules that relegate such a
machine to a spam anchor in the pf rules? I was thinking about having ftp
download a small package to determine download speeds, but I wonder whether
if I did that on a specific file, whether the results may be skewed by
inconsistent squid or similar program caching often downloaded files on
mirrors.
On Dec 27, 2015 18:17, "Luke Small"  wrote:

> Even though I don't have an internet connection for my laptop I
> started the C program that pipes an execl call from ftp, to sed, (like
> the suggestions
> offered earlier in the thread, and back to the parent and it will use
> kqueue to test the pipe buffer capacities to a local buffer (I love
> kqueue) It could probably use the existing ftp() and maybe ping()
> to deal with all the network protocols, interfaces and ports. I don't
> want to sound like I'm bragging. I just really appreciate the help.
>
> -Luke



Re: Errors in compiling the /usr/src

2016-01-03 Thread Theo de Raadt
You are building using the wrong procedures.

You didn't do your homework, and it blew up in your face.  Then you
wrote a few paragraphs.  Then I replied.  That is the whole sad story.

Hundreds of people succeed daily.

>Because there seemed to be more patches than normal in 5.8, and I am lazy and
>there was lots of time over the holidays.
>I thought I would compile all the source rather than do the patches
>piecemeal.
>
>I have never tried to compile all the source, I ran into some errors.
>
>First: Several makefiles have .sh files which must be executed. Those
>files don't have X permission on them.
> I took the simple approach to fix them just chmod all the .sh
>files to 755.
>
>Second: usr.sbin/rpc.statd needs  a sm_inter.h  which it cannot find the one
>at seems to be correct ./lib/librpcsvc/sm_inter.h
>
>Third: gnu/lib/libiberty needs a config.h which it cannot find.
>
>At this point, I decided to just update the modules given in the patches.



Re: apache 2.4 - Missing mod_cgid.so?

2016-01-03 Thread Stuart Henderson
On 2016-01-03, Lawrence Wieser  wrote:
> Claudio Jeker  diehard.n-r-g.com> writes:
>
>> You may try to build your own version with adding --enable-cgi in the
>> Makefile configure flags. It seems that even configure tells that
>> --enable-cgi is the default it seems it is not. Go figure...
>> 
>> Also mod_cgid.so should be built but seems to be missing. mod_cgid.so is
>> the module that should be used with the worker or event MPM.
>> 
>> So maybe try something like this diff.
>
> Claudio,
>
> Is there a corrected package available? Or is the diff to the port the best 
> option? I've always  relied on packages and never actually built from ports.

Snapshot packages have this, but if you're on 5.8, the diff to the port is
the best option.



Re: apache 2.4 - Missing mod_cgid.so?

2016-01-03 Thread Lawrence Wieser
Stuart Henderson  spacehopper.org> writes:

> 
> On 2016-01-03, Lawrence Wieser  gmail.com> wrote:
> > Claudio Jeker  diehard.n-r-g.com> writes:
> >
> >> You may try to build your own version with adding --enable-cgi in the
> >> Makefile configure flags. It seems that even configure tells that
> >> --enable-cgi is the default it seems it is not. Go figure...
> >> 
> >> Also mod_cgid.so should be built but seems to be missing. mod_cgid.so is
> >> the module that should be used with the worker or event MPM.
> >> 
> >> So maybe try something like this diff.
> >
> > Claudio,
> >
> > Is there a corrected package available? Or is the diff to the port the best 
> > option? I've always  relied on packages and never actually built from ports.
> 
> Snapshot packages have this, but if you're on 5.8, the diff to the port is
> the best option.
> 
> 

Thanks Stuart. I am on the 5.8 release. Just pulled down the ports tree 
from -stable and did a `make update` in `ports/www/apache2-httpd`. 
(The diff seems to have been applied in -stable.) Apache is now running 
fine with mod_cgid. 

I appreciate the quick help.



Errors in compiling the /usr/src

2016-01-03 Thread Peter Fraser
Because there seemed to be more patches than normal in 5.8, and I am lazy and
there was lots of time over the holidays.
I thought I would compile all the source rather than do the patches
piecemeal.

I have never tried to compile all the source, I ran into some errors.

First: Several makefiles have .sh files which must be executed. Those
files don't have X permission on them.
 I took the simple approach to fix them just chmod all the .sh
files to 755.

Second: usr.sbin/rpc.statd needs  a sm_inter.h  which it cannot find the one
at seems to be correct ./lib/librpcsvc/sm_inter.h

Third: gnu/lib/libiberty needs a config.h which it cannot find.

At this point, I decided to just update the modules given in the patches.



Re: apache 2.4 - Missing mod_cgid.so?

2016-01-03 Thread Lawrence Wieser
Claudio Jeker  diehard.n-r-g.com> writes:

> You may try to build your own version with adding --enable-cgi in the
> Makefile configure flags. It seems that even configure tells that
> --enable-cgi is the default it seems it is not. Go figure...
> 
> Also mod_cgid.so should be built but seems to be missing. mod_cgid.so is
> the module that should be used with the worker or event MPM.
> 
> So maybe try something like this diff.

Claudio,

Is there a corrected package available? Or is the diff to the port the best 
option? I've always  relied on packages and never actually built from ports.

Thanks,
   Lawrence



Re: 5.8: Cannot communicate with iDrac6 once OpenBSD boots (Broadcom BCM5709 via bnx)

2016-01-03 Thread Matt Adams
Thank you for the explanation (Stuart) and helpful patch (Ted). I will 
try something like that until I have the opportunity to upgrade to 
iDrac6 Enterprise (dedicated NIC).


Cheers,

Matt



Re: if I were to make a pkg-add diff

2016-01-03 Thread Luke Small
What I meant is, if a program sends a handful of pings to each mirror,
would it think it is being spammed and shut down any further connections. I
didn't mean to say that I want to connect the pkg_ping program to a pf
anchor. I tried an initial localhost pinging, pkg_ping program in
virtualbox using 32 MB RAM and it worked; while it froze trying to open
pico in the console. It wouldn't need to use much resources and would use
kqueue, which isn't available in any other language other than C, in the
base as far as I'm aware. I use kqueue to easily store a custom struct with
the pipe() values, list pointers and such in *udata. It intermittently
reads from pipes from all the spawned ping threads to conserve memory,
reads the individual latency output and stores the ping time value in a
single linked list to be transferred to an array to be sorted by qsort so
that the median value is determined by its position in the sorted array. It
actually doesn't directly call any sockets or anything that hasn't been
audited in the base it just reads individual characters from pipes until
EOF so far.



Re: High interrupt load using 5.8 Release GENERIC i386 on Acer Aspire 3630 laptop

2016-01-03 Thread Mike Larkin
On Sun, Dec 27, 2015 at 01:55:30PM +, peter.foster.li...@gmail.com wrote:
> Hi,
> 
> I have installed 5.8 Release GENERIC i386 on an Acer Aspire 3630
> laptop. Even when the system is almost completely idle, `top'
> consistently reports an interrupt load in the range 75%--80%.
> Admittedly this hardware is more than 8 years old, nevertheless I
> believe the load is unusually high, based on limited experience with
> installing the same version of OpenBSD on a lower-spec i586 machine.
> Is it possible that CPU cycles are being wasted due to the system
> being mis-configured? If so, does anyone have any suggestions on how
> to reduce the observed load?

Can you build a kernel with ACPI_DEBUG enabled and try that?

We've seen stuck GPEs in the past, and judging that you have only seen
a single (eg, 1) ACPI interrupt, that's a bit suspect.

-ml

> 
> dmesg:
> 
> OpenBSD 5.8 (GENERIC) #0: Sat Dec 26 21:32:37 GMT 2015
> pe...@rebelene.home:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: Intel(R) Celeron(R) M processor 1.60GHz ("GenuineIntel"
> 686-class) 1.61 GHz
> cpu0: 
> FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,TM,PBE,NXE,PERF
> real mem  = 467091456 (445MB)
> avail mem = 445419520 (424MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: date 03/20/06, BIOS32 rev. 0 @ 0xfd600, SMBIOS rev.
> 2.31 @ 0x1bdfb000 (35 entries)
> bios0: vendor Acer version "3A22" date 03/20/06
> bios0: Acer, inc. Aspire 3630
> acpi0 at bios0: rev 0
> acpi0: sleep states S0 S3 S4 S5
> acpi0: tables DSDT FACP APIC SSDT
> acpi0: wakeup devices PCI0(S5) LAN_(S5) MODM(S3) KBC_(S4) USB0(S3)
> USB1(S3) USB2(S3) USB3(S3)
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
> cpu0: apic clock running at 99MHz
> ioapic0 at mainbus0: apid 1 pa 0xfec0, version 11, 24 pins
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpiec0 at acpi0
> acpicpu0 at acpi0: !C3(@900 io@0x8015), !C2(@90 io@0x8014), C1(@1 halt!)
> acpitz0 at acpi0: critical temperature is 97 degC
> acpiac0 at acpi0: AC unit online
> acpibat0 at acpi0: BAT1 not present
> acpibtn0 at acpi0: LID_
> acpibtn1 at acpi0: PWRB
> acpibtn2 at acpi0: SLPB
> bios0: ROM list: 0xc/0xc000 0xcc000/0xa000! 0xdc000/0x8000!
> pci0 at mainbus0 bus 0: configuration mode 1 (bios)
> pchb0 at pci0 dev 0 function 0 "SiS 661 PCI" rev 0x11
> sisagp0 at pchb0
> agp0 at sisagp0: aperture at 0xe000, size 0x200
> ppb0 at pci0 dev 1 function 0 "SiS 648FX AGP" rev 0x00
> pci1 at ppb0 bus 1
> vga1 at pci1 dev 0 function 0 "SiS 6330 VGA" rev 0x00
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> pcib0 at pci0 dev 2 function 0 "SiS 85C503 System" rev 0x25
> pciide0 at pci0 dev 2 function 5 "SiS 5513 EIDE" rev 0x00: 661: DMA,
> channel 0 configured to compatibility, channel 1 configured to
> compatibility
> wd0 at pciide0 channel 0 drive 0: 
> wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
> wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
> atapiscsi0 at pciide0 channel 1 drive 0
> scsibus1 at atapiscsi0: 2 targets
> cd0 at scsibus1 targ 0 lun 0:  ATAPI
> 5/cdrom removable
> cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
> "SiS 7013 Modem" rev 0xa0 at pci0 dev 2 function 6 not configured
> auich0 at pci0 dev 2 function 7 "SiS 7012 AC97" rev 0xa0: apic 1 int
> 18, SiS7012 AC97
> ac97: codec id 0x414c4770 (Avance Logic ALC203 rev 0)
> ac97: codec features headphone, 20 bit DAC, 18 bit ADC, No 3D Stereo
> audio0 at auich0
> ohci0 at pci0 dev 3 function 0 "SiS 5597/5598 USB" rev 0x0f: apic 1
> int 20, version 1.0, legacy support
> ohci1 at pci0 dev 3 function 1 "SiS 5597/5598 USB" rev 0x0f: apic 1
> int 21, version 1.0, legacy support
> ehci0 at pci0 dev 3 function 3 "SiS 7002 USB" rev 0x00: apic 1 int 23
> usb0 at ehci0: USB revision 2.0
> uhub0 at usb0 "SiS EHCI root hub" rev 2.00/1.00 addr 1
> sis0 at pci0 dev 4 function 0 "SiS 900 10/100BaseTX" rev 0x91: apic 1
> int 19, address 00:16:36:58:b8:c3
> rlphy0 at sis0 phy 13: RTL8201L 10/100 PHY, rev. 1
> cbb0 at pci0 dev 6 function 0 "ENE CB-1410 CardBus" rev 0x01: apic 1 int 19
> bwi0 at pci0 dev 11 function 0 "Broadcom BCM4318" rev 0x02: apic 1 int
> 17, address 00:16:ce:59:63:f8
> isa0 at pcib0
> isadma0 at isa0
> pckbc0 at isa0 port 0x60/5 irq 1 irq 12
> pckbd0 at pckbc0 (kbd slot)
> wskbd0 at pckbd0: console keyboard, using wsdisplay0
> pms0 at pckbc0 (aux slot)
> wsmouse0 at pms0 mux 0
> pms0: Synaptics touchpad, firmware 6.2
> pcppi0 at isa0 port 0x61
> spkr0 at pcppi0
> npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
> usb1 at ohci0: USB revision 1.0
> uhub1 at usb1 "SiS OHCI root hub" rev 1.00/1.00 addr 1
> usb2 at ohci1: USB revision 1.0
> uhub2 at usb2 "SiS OHCI root 

5.8: uvideo has support for Logitech QuickCam Pro 5000 but ugen0 attaches instead

2016-01-03 Thread Matt Adams

Hi,

I noted that uvideo has support for the Logitech QuickCam Pro 5000 - a 
piece of hardware that I have. However, ugen appears to attach to this 
device instead of allowing the special firmware (installed via "# 
fw_install uvideo") to configure /dev/video0 or /dev/video1, even though 
those two device files are present in the system.


For example:

-bash-4.3$ luvcview
luvcview version 2.0
Video driver: x11
A window manager is available
video /dev/video0
ERROR opening V4L interface
: Device not configured

Is there something that I am missing here or is my webcam not actually 
supported?


-bash-4.3$ ls -l /dev/video*
lrwxr-xr-x  1 root  wheel 6 Dec 24 00:09 /dev/video -> video0
crw-rw-rw-  1 root  wheel   44,   0 Dec 24 00:09 /dev/video0
crw-rw-rw-  1 root  wheel   44,   1 Dec 24 00:09 /dev/video1

Thanks,

Matt

-- usbdevs -v below

Controller /dev/usb0:
addr 1: high speed, self powered, config 1, EHCI root hub(0x), 
Intel(0x8086), rev 1.00

 port 1 powered
 port 2 powered
 port 3 addr 2: high speed, self powered, config 1, product 
0x2514(0x2514), Standard Microsystems(0x0424), rev 0.00

  port 1 powered
  port 2 powered
 port 4 powered
Controller /dev/usb1:
addr 1: high speed, self powered, config 1, EHCI root hub(0x), 
Intel(0x8086), rev 1.00

 port 1 powered
 port 2 powered
 port 3 powered
 port 4 powered
 port 5 addr 2: high speed, power 500 mA, config 1, QuickCam Pro 
5000(0x08c5), Logitech(0x046d), rev 0.05, iSerialNumber 87C33093

 port 6 powered
 port 7 powered
 port 8 powered
Controller /dev/usb2:
addr 1: full speed, self powered, config 1, UHCI root hub(0x), 
Intel(0x8086), rev 1.00

 port 1 powered
 port 2 addr 2: full speed, self powered, config 1, product 
0x7000(0x7000), ATEN International(0x0557), rev 1.00
  port 1 addr 3: low speed, power 100 mA, config 1, Type 6 
Keyboard(0x0005), Fujitsu Component(0x0430), rev 1.02

  port 2 powered
  port 3 powered
  port 4 powered
Controller /dev/usb3:
addr 1: full speed, self powered, config 1, UHCI root hub(0x), 
Intel(0x8086), rev 1.00

 port 1 powered
 port 2 powered
Controller /dev/usb4:
addr 1: full speed, self powered, config 1, UHCI root hub(0x), 
Intel(0x8086), rev 1.00

 port 1 powered
 port 2 powered
Controller /dev/usb5:
addr 1: full speed, self powered, config 1, UHCI root hub(0x), 
Intel(0x8086), rev 1.00

 port 1 powered
 port 2 powered
Controller /dev/usb6:
addr 1: full speed, self powered, config 1, UHCI root hub(0x), 
Intel(0x8086), rev 1.00

 port 1 powered
 port 2 addr 2: low speed, self powered, config 1, Back-UPS RS 1300 LCD 
FW:838.H5 .D USB FW:H5(0x0002), American Power Conversion(0x051d), rev 
1.01, iSerialNumber JB0721002454

Controller /dev/usb7:
addr 1: full speed, self powered, config 1, UHCI root hub(0x), 
Intel(0x8086), rev 1.00

 port 1 powered
 port 2 powered


-- dmesg below

OpenBSD 5.8 (GENERIC.MP) #1236: Sun Aug 16 02:31:04 MDT 2015
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 25739890688 (24547MB)
avail mem = 24955904000 (23799MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xcf49c000 (85 entries)
bios0: vendor Dell Inc. version "6.4.0" date 07/23/2013
bios0: Dell Inc. PowerEdge T710
acpi0 at bios0: rev 2
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP APIC SPCR HPET DMAR MCFG WD__ SLIC ERST HEST 
BERT EINJ SRAT TCPA SSDT

acpi0: wakeup devices PCI0(S5) PCI1(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU X5680 @ 3.33GHz, 3458.46 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,POPCNT,AES,NXE,PAGE1GB,LONG,LAHF,PERF,ITSC,SENSOR,ARAT

cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 132MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.1, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Xeon(R) CPU X5680 @ 3.33GHz, 3458.00 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,POPCNT,AES,NXE,PAGE1GB,LONG,LAHF,PERF,ITSC,SENSOR,ARAT

cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Xeon(R) CPU X5680 @ 3.33GHz, 3458.00 MHz
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,POPCNT,AES,NXE,PAGE1GB,LONG,LAHF,PERF,ITSC,SENSOR,ARAT

cpu2: 256KB 64b/line 8-way L2 cache

Error in package courier-imap-4.16.2 current Jan 1 amd64

2016-01-03 Thread Theodore Wynnychenko
Hello
I am not sure if this is the correct list, but...

I recently installed courier from packages.
After installing courier-imap; I tried to start it with "rcctl start
courier_imap", and it seemed to hang.
So, I tried running /usr/local/libexec/imapd.rc directly, and saw an endless
loop of "-".
Eventually, found in /usr/local/bin/makedat, near the end, it had:

get_access | docidr | yes - "$tmpfile" "$dstfile" || exit 1

I was confused by the "yes"; looked up the man page, and saw it was the
offending command.
It seems, the line should be:

get_access | docidr | /usr/local/libexec/makedatprog - "$tmpfile" "$dstfile" || exit 1

or something like that.

I don't really know exactly "how" to submit a diff (I was barely able to
discover the problem); but I wanted to point this out.

Thanks
Ted



Re: Question about urndis_decap invalid buffer len 1 < minimum header 44

2016-01-03 Thread Christoph R. Murauer
> On 01/02/16 18:03, Christoph R. Murauer wrote:
>> Hello !
>>
>> Could someone tell me please, where I could find more informations
>> about the following message in /var/log/messages ?
>>
>> Jan  3 00:48:38 thinkpad-w541 /bsd: urndis0: urndis_decap invalid
>> buffer len 1 < minimum header 44
>
> I think its due to an ethernet header not being of the correct size.

Thanks for your answer.
I think the message came because this device doesn't work with the
urndis driver. It is no complaint against the driver or OpenBSD - I
simply like to know what causes the message (an Android tablet before
doesn't show the message). Because all other things work in around 99%
and the device itself provides no options to change.

>> Jan  3 00:49:13 thinkpad-w541 last message repeated 8 times
>>
>> The ThinkPad is connected over USB with a TP-Link M7350 LTE modem.
>> Internet is configured using /etc/hostname.urndis0 which contains
>> only
>> the line dhcp. /etc/pf.conf is unmodified and, kept as after
>> installing 5.8 -release.

I tried to add to pf.conf the line

match in all scrub (no-df max-mss 1440)

from The book of pf without a result (maybe it was the wrong idea).

At the end, I added one TP-Link USB micro Wi-Fi adapter and the
message wasn't shown again. It is not perfect but it works (it is
simply the wrong hardware).



Re: Intel S5000PSL with recent OpenBSD

2016-01-03 Thread Denis Fondras
> Is it possible to disable extra cores in the BIOS ?
> There was a thread on tech@ where someone had a boot issue with a Xeon CPU :
> http://marc.info/?l=openbsd-tech&m=145150510526745&w=2
> 

Thank you for the thread, I saw it and tried but without luck.
Anyway I have resolved the problem. It was the second CPU that was causing the
problem. With only one CPU, it works like a charm with all the cores enabled.



Re: Connect to OpenVPN from OpenBSD

2016-01-03 Thread Mik J
Priviet,
I would advise you to use the openvpn from the ports. I imported the
configuration from my windows clients a few days ago and I have been able to make
it work in a few minutes. One of the first questions is, what does the remote
end support.

On Saturday, 2 January 2016 at 18:09, Jiri B wrote:



 On Sat, Jan 02, 2016 at 08:55:35PM +0500, ? ??? wrote:
> Is it possible to connect to OpenVPN (riseup.net) from OpenBSD without
> installing openvpn client to OpenBSD?

No, you need OpenVPN package as it uses its own homemade SSL-VPN
protocol.

> I don't understand all this vpn-technologies very well, but know that
> OpenBSD has built-in vpn-services/clients, so I don't want to install
> openvpn-client if it possible to use software distributed/developed
> with/by OpenBSD.

OpenBSD supports IPSec etc...

j.



Re: filter-spamassassin

2016-01-03 Thread Joerg Jung
On Sat, Jan 02, 2016 at 07:21:13PM -0600, Edgar Pettijohn wrote:
> I finally got around to trying out filter-spamassassin.  It appears to work
> correctly.  However, I was trying to change the default action from accept
> to reject. I've tried everything I can think of but continue to get syntax
> errors.  I assumed something like this would work:
> 
> filter spam spamassassin -s reject

You need to quote the args: filter spam spamassassin "-s reject" 
 
> listen on egress filter spam
> 
> But it didn't.
> 
> Any help is appreciated.
> 
> Edgar Pettijohn



Re: IPsec IKEv1 accepts non-matching phase 2 parameters

2016-01-03 Thread Stuart Henderson
On 2016-01-03, Julian Hsiao  wrote:
> On 2016-01-02 13:18:15 +, Stuart Henderson said:
>
>> See isakmpd.policy(5). It's an utter pain but it's necessary in order to
>> secure things with isakmpd.
>
> Right, I eventually figured that out by having isakmpd dump out the 
> isakmpd.conf(5) equivalent config.  Turns out "ike passive [...]" is 
> transformed into "Passive-connections", and in isakmpd.conf(5):
>
> Passive-connections
> A list of IPsec "connection" names we recognize and accept initiations 
> for. [...] Currently only the Local-ID and Remote-ID tags are looked at 
> in those sections, as they are matched against the IDs given by the 
> initiator.
>
> Meaning that the Configuration parameter, which links to the remaining 
> phase 2 options, are totally ignored!
>
> FWIW, I worked out that the following policy will (mostly) enforce the 
> phase 2 parameters I wanted:
>
> Authorizer: "POLICY"
> Conditions: app_domain == "IPsec policy" &&
> esp_auth_alg == "hmac-sha2-256" &&
> esp_enc_alg == "aes" &&
> esp_group_desc == "18" &&
> pfs == "yes" -> "true";
>
> This is a pretty serious gotcha with using ipsecctl(8) / ipsec.conf(5) 
> IMO, especially since the latter suggests you run isakmpd with -K 
> option.

Yes, it's a big and nasty gotcha.

>> The other "fun" thing a client can do if it's
>> not restricted by keynote policy is to set "their" side of the tunnel to
>> something which diverts the wrong traffic - 0.0.0.0/0 is an obvious
>> example but rather unsubtle.
>
> I'm not sure I completely follow.  Do you mean that the client has 
> "from any to $SERVER_IP" instead of "from $CLIENT_IP to $SERVER_IP", 
> resulting the client routing all its traffic to the server?

Exactly. The traffic can be controlled with PF (allowing to prevent a
malicious client from actually seeing it), but once it has been 'abstracted'
by the IPsec flow it can't be sent back to the proper destination.

> Incidentally, do you know if iked(8) (IKEv2) suffers from similar gotchas?

Unsure, I can't use iked(8) in the normal places I use IPsec, iked sends
UDP packets without binding, often resulting in it using the wrong source
IP address on a multihomed host - and in other places I need IKEv1+L2TP
for some connections so I am stuck with only being able to use isakmpd.

I suspect iked is better than isakmpd at requiring a specific mode without
complex config, but I don't see how to configure it to restrict subnets
unless you know the IP address of the peer at all, whereas with isakmpd
it is there (though needs arcane knowledge to use it).

I'm not a fan of keynote but one way or another there needs to be some
way to feed in information about the connection and (certificate|psk)
into some configurable logic that allows a decision to be made whether
to allow it to succeed. As mentioned above, PF isn't enough for this
as IPsec is flow-based on OpenBSD, and even if it was route-based,
really the connection should be rejected rather than just blocking
packets - and keynote does provide a way to do this.

A lesser but still important issue with ipsec.conf(5), and I think
it's the same for iked.conf(5), is that you can't do things like "allow
either AES or 3DES" - this is supported by isakmpd.conf and is useful
if you have various clients on dynamic IPs, some of which support AES
which you'd like them to use if possible, and others which only
support 3DES.
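
The gotcha discussed in this thread, a peer that is not restricted by policy negotiating a remote selector such as 0.0.0.0/0, can also be checked for after negotiation. The following is an added example, not code from the thread or from OpenBSD: it audits flow lines against a per-peer allowlist. The sample lines are constructed in the style of `ipsecctl -s flow` output (exact format assumed), and the peer addresses, networks and the names `ALLOWED_REMOTE` and `audit_flows` are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the style of `ipsecctl -s flow` output (format assumed).
SAMPLE_FLOWS = """\
flow esp in from 10.20.0.0/24 to 10.10.0.0/24 peer 198.51.100.7 srcid gw.example.net dstid rw1 type use
flow esp out from 10.10.0.0/24 to 10.20.0.0/24 peer 198.51.100.7 srcid gw.example.net dstid rw1 type require
flow esp in from 0.0.0.0/0 to 10.10.0.0/24 peer 203.0.113.9 srcid gw.example.net dstid rw2 type use
flow esp out from 10.10.0.0/24 to 0.0.0.0/0 peer 203.0.113.9 srcid gw.example.net dstid rw2 type require
flow esp in from 10.30.0.5/32 to 10.10.0.0/24 peer 192.0.2.44 srcid gw.example.net dstid rw3 type use
"""

# Hypothetical allowlist: the networks each peer may claim as "its" side.
ALLOWED_REMOTE = {
    "198.51.100.7": [ipaddress.ip_network("10.20.0.0/24")],
    "203.0.113.9": [ipaddress.ip_network("10.21.0.0/24")],
}

FLOW_RE = re.compile(r"^flow \S+ (in|out) from (\S+) to (\S+) peer (\S+)")


def audit_flows(text, allowed):
    """Return (peer, direction, remote_selector, reason) for each suspect flow."""
    findings = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        direction, src, dst, peer = m.groups()
        # The peer's side is the source of an inbound flow and the
        # destination of an outbound one.
        remote = src if direction == "in" else dst
        try:
            net = ipaddress.ip_network(remote, strict=False)
        except ValueError:
            findings.append((peer, direction, remote, "unparsable selector"))
            continue
        permitted = allowed.get(peer)
        if permitted is None:
            findings.append((peer, direction, remote, "peer not in allowlist"))
        elif not any(
            net.version == p.version and net.subnet_of(p) for p in permitted
        ):
            # Covers 0.0.0.0/0 and any other selector outside the expected range.
            findings.append(
                (peer, direction, remote, "remote selector wider than allowed")
            )
    return findings


if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS, ALLOWED_REMOTE):
        print(*finding, sep="\t")
```

A check like this only reports what was already accepted; rejecting the negotiation itself still needs the policy file the thread describes.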