L2TP/IPSec via npppd won't work with Android 6.0.1
Hello,

I don't mean to bring up an old thread, but I was wondering if anyone else was experiencing issues with OpenBSD 5.8 and Android 6.0.1 (preferably the version on the Nexus line of devices) connecting to ipsec/l2tp.

I had this working late last year some time and hadn't used it in a few months. When I went to use it again a few days ago it didn't work at all. After rebooting my phone and even trying it on my tablet that coincidentally runs the exact same version of stock Android 6.0.1, it too didn't work there.

I have confirmed some interesting behavior. First if I tweak the ipsec.conf stanza to something like:

> ike passive esp transport \
> proto udp from X.X.X.X to any port 1701 \
> main auth "hmac-sha2-256" enc "aes-256" group "modp1024" \
> quick auth "hmac-sha2-s256" enc "aes-256" group "modp1024" \
> psk "redacted"

It creates an IPSEC SA and flow as shown by ipsecctl -s all, but npppd never sees a connection attempt and tcpdumping enc0 shows no traffic and ultimately the connection fails.

If I modify it to hmac-md5, aes, modp2048 I can get my Chromebook with latest updates to connect successfully.

If I modify it to hmac-sha2-256, aes-256, modp2048 I can get an iPhone with iOS 9.3 to connect successfully.

If I modify it to hmac-sha, aes, modp2048 I can get a Windows 10 box to connect successfully.

If I restore it to hmac-sha1, aes, modp1024 I can get an older Android tablet (one of my kid's) to connect successfully.

What else can I do to troubleshoot this? Because I signed up to a free 1 day trial of some Internet based VPN provider and successfully was able to connect to their IPSEC/L2TP VPN using my Android phone so I know it works. It must just be a recent change in Android (or during the OpenBSD 5.7->5.8) update that is causing this incompatibility that makes it almost work.

Any help would be greatly appreciated.

Sly
Re: Supermicro X11SSL-F freezes probing USB 3
On Mon, Mar 28, 2016 at 03:06:39PM -0400, Sonic wrote:

> If I wait long enough the install will finally finish booting but the
> keyboard (no ps2 ports) doesn't work.

Could I trouble you to be more specific as to the duration of "long enough" :)? I think my patience ran out after about 15-20 minutes. So it eventually boots without disabling xhci, but the USB doesn't work in the end anyway?

I'm installing via an IPMI virtual serial port so the lack of keyboard isn't really an issue for me, I can live without USB but as the box won't be going live for a few weeks I thought I'd see if any devs wanted me to try anything on it before I just moved forward without USB support. I've got -current set up to ready to patch and compile to test stuff on it if I can. It would be nice to get it working for situations like yours where it's needed.

I booted a FreeBSD 10.2 livecd on it, and that initialized the xhci chipset fine and usb devices seem to work ok. I tried to compare the drivers, they share a bit in common but they're also quite different and it doesn't help that I'm not really a low level driver guy 8-/. I'm sure the new Skylake stuff just needs some minor tweak to make it happy.

Thanks...
forwarding sound as well as video
I sometimes remote to my snapshot desktop from a Windows laptop and it would be interesting if sound could come along (I use PuTTY). Does anybody do this?

--
Edward Ahlsen-Girard
Ft Walton Beach, FL
Re: WAPBL?
Walter Neto wrote:

> Hi,
>
> I'm not working on it for a while. Sadly I am with no time, but trying
> to escape to return. :(
>

This is most regrettable. I was following your work on porting WAPBL and the correspondence on tech@openbsd with great interest. Do you think that a help from OpenBSD foundation could enable you to resume the work on porting WAPBL?

Predrag

> 2016-03-26 16:27 GMT-03:00 Martijn Rijkeboer :
> > Hi,
> >
> > Just out of curiosity, what has happened with WAPBL? There were some patches
> > floating around on tech@ in the last months of 2015, but then it became
> > quiet. I'm not complaining just curious.
> >
> > Kind regards,
> >
> >
> > Martijn Rijkeboer
Re: Ipsec from OpeBSD to StrongSwan/Linux
Adam Smith wrote:

> >> I'm trying to set up a VPN connection between two machines, one running
> >> StrongSwan on Linux, and the other OpenBSD 5.8. OpenBSD is set to start
> >> the vpn connection.
> >>
> >> Am I doing something wrong? Or is there any thing I missed?
> >> Any help would be really appreciated.
> >
> >For questions about OpenVPN setups, imho, the best place to ask for help
> >is the openvpn-users' mailing list. Subscribe to it and you can ask your
> >questions there. The main URL is:
> >
> >https://sourceforge.net/p/openvpn/mailman/
> >
> >Regards.
> >
> >Adam

English is not my native tongue so maybe I am missing something in your message Adam but OP seems to be interested in IPSec connection from an OpenBSD box to StrongSwan/Linux implementation of IPSec. Why are you pointing him to OpenVPN mailing list? OpenVPN is unrelated VPN technology based on OpenSSL.

Predrag
Re: Ipsec from OpeBSD to StrongSwan/Linux
Hi Adam!

I'm using ipsec, not openvpn my friend.

On Mar 28, 2016 8:40 PM, "Adam Smith" wrote:
> >--- victor.med...@cloudvoice.io wrote:
> >
> >From: Victor E Medina M
> >To: misc@openbsd.org
> >Subject: Ipsec from OpeBSD to StrongSwan/Linux
> >Date: Mon, 28 Mar 2016 17:35:02 -0430
> >
> >
> >First of all thanks for such a nice OS!
> >It's my first post, I'm from Venezuela.
>
> Welcome to our mailing list.
>
> Yes, OpenBSD has been recommended by the EU as one of the FOSS to use.
>
> >I'm trying to set up a VPN connection between two machines, one running
> >StrongSwan on Linux, and the other OpenBSD 5.8. OpenBSD is set to start
> >the vpn connection.
> >
> >Am I doing something wrong? Or is there any thing I missed?
> >Any help would be really appreciated.
>
> For questions about OpenVPN setups, imho, the best place to ask for help
> is the openvpn-users' mailing list. Subscribe to it and you can ask your
> questions there. The main URL is:
>
> https://sourceforge.net/p/openvpn/mailman/
>
> Regards.
>
> Adam
> http://www.DCpages.com
Re: Octeon - Rhino Labs SDNA
Chris Jones [cjo...@autonomic.ca] wrote:
> Good evening,
>
> Just wondering if any of the OpenBSD devs on the list could provide any
> feedback about these network appliances based on the Octeon III 7xxx
> processors. Are these devices something that may be supported with the
> current Octeon port?
>
> http://www.rhinolabsinc.com/category/network-appliances/
>

I don't think Octeon II systems are fully supported yet, ethernet isn't finished yet. It's likely that Octeon III will leave similar issues.
Re: OS is leaking DNS
>--- chr...@openbsd.org wrote:
>
>From: Christopher Zimmermann
>To: "Adam Smith"
>Subject: Re: OS is leaking DNS
>Date: Mon, 28 Mar 2016 21:58:09 +0200
>
>Hi Adam,

Good day, Christoph

>I am Christopher from Tübingen, Germany.

Tübingen? Wow... it used to be the place where most avant-garde theologians of the (Christian) Bible hail from and whose views the Vatican and ultra-conservative Protestants have consistently labeled as heresies. I wonder if the Tübingen of the 21st century still produces eminent theologians?

>What you need to fix the "DNS
>leakage" to your ISP is a line like this in dhclient.conf:
>
>supersede domain-name-servers 8.8.4.4, 85.214.20.141, 213.73.91.35;

Thank you very much for your help.

>But note that DNS traffic is usually not encrypted; so if you mistrust
>your ISP, you'll need a proxy. Since you list openvpn, you are probably
>using it to connect to a proxy?

I don't know the differences between a proxy and a VPN gateway/server. Some use the two terms interchangeably. I bought a subscription from a commercial VPN vendor.

A comparative chart of the various VPN vendors can be found at https://docs.google.com/spreadsheets/d/1FJTvWT5RHFSYuEoFVpAeQjuQPU4BVzbOigT0xebxTOw/htmlview?pref=2&pli=1&sle=true#gid=0

The contributor's username on Reddit is ThatOnePrivacyGuy

Regards,

Adam
http://www.DCpages.com
Re: Ipsec from OpeBSD to StrongSwan/Linux
>--- victor.med...@cloudvoice.io wrote:
>
>From: Victor E Medina M
>To: misc@openbsd.org
>Subject: Ipsec from OpeBSD to StrongSwan/Linux
>Date: Mon, 28 Mar 2016 17:35:02 -0430
>
>
>First of all thanks for such a nice OS!
>It's my first post, I'm from Venezuela.

Welcome to our mailing list.

Yes, OpenBSD has been recommended by the EU as one of the FOSS to use.

>I'm trying to set up a VPN connection between two machines, one running
>StrongSwan on Linux, and the other OpenBSD 5.8. OpenBSD is set to start
>the vpn connection.
>
>Am I doing something wrong? Or is there any thing I missed?
>Any help would be really appreciated.

For questions about OpenVPN setups, imho, the best place to ask for help is the openvpn-users' mailing list. Subscribe to it and you can ask your questions there. The main URL is:

https://sourceforge.net/p/openvpn/mailman/

Regards.

Adam
http://www.DCpages.com
ThinkPad X260 or other Skylake Laptop
I am considering purchasing a ThinkPad X260 for OpenBSD use. I am aware that inteldrm(4) does not yet support Skylake chips (Broadwell support is not perfect yet either). I presume wsfb(4) should work decently at least but I am wondering if anyone currently has an X260 and is using it for OpenBSD. Is there a way screen brightness can still be adjusted in some form even with wsfb(4)? I know my X230 has hardware methods for adjusting brightness but lots has changed with the X240, X250, and X260. I am also aware that the Intel 8260 wireless chipset does not yet work (perhaps support could be added to iwm(4) or maybe I can replace the 8260 with a 7260) but I am more concerned about the reports of problems with xhci(4) with Skylake systems. Has anyone had any experience with a Skylake laptop and OpenBSD? Thank you. Bryan
Ipsec from OpeBSD to StrongSwan/Linux
Hi guys!

First of all thanks for such a nice OS!
It's my first post, I'm from Venezuela.

I'm trying to set up a VPN connection between two machines, one running StrongSwan on Linux, and the other OpenBSD 5.8. OpenBSD is set to start the vpn connection.

This is the setup:

OpenBSD|--->| LINUX/StrongSwan 5
10.0.1.240 || 10.0.1.220 NET/INTER:192.168.100.0/29

I'm seeing the connection established but I can't ping to a machine behind Linux network.

My ipsec.conf

ike esp from 10.0.1.240/32 to 192.168.100.0/29 peer 10.0.1.220 \
main auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc 3des group modp1024 \
psk "zRmzouKsYEBMYrKMX16bkwazXV21cV8zFIA6LHzt"

My pf.conf

set skip on lo

block return    # block stateless traffic
pass            # establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

pass on enc0

Output from "ipsecctl -s all"

FLOWS:
flow esp in from 192.168.100.0/29 to 10.0.1.240 peer 10.0.1.220 srcid 10.0.1.240/32 dstid 10.0.1.220/32 type use
flow esp out from 10.0.1.240 to 192.168.100.0/29 peer 10.0.1.220 srcid 10.0.1.240/32 dstid 10.0.1.220/32 type require

SAD:
esp tunnel from 10.0.1.220 to 10.0.1.240 spi 0x99442db4 auth hmac-sha1 enc 3des-cbc
esp tunnel from 10.0.1.240 to 10.0.1.220 spi 0xc15117e3 auth hmac-sha1 enc 3des-cbc

My ipsec.conf (linux side just in case)

conn openbsd-test
    left=10.0.1.220
    leftsubnet=192.168.100.0/29
    leftid=10.0.1.220
    leftfirewall=yes
    right=10.0.1.240
    rightid=10.0.1.240
    ike=3des-sha-modp1024!
    esp=3des-sha-modp1024!
    auto=add

Am I doing something wrong? Or is there any thing I missed?
Any help would be really appreciated.

Victor Medina.
Re: Supermicro X11SSL-F freezes probing USB 3
On Mon, Mar 28, 2016 at 2:36 PM, Sonic wrote:
> Exact same problem here with a Dell PowerEdge R230 and snapshot
> downloaded today.

If I wait long enough the install will finally finish booting but the keyboard (no ps2 ports) doesn't work. Disabling xhci via UKC on boot also kills the keyboard.

Chris
Re: Supermicro X11SSL-F freezes probing USB 3
On Mon, Mar 7, 2016 at 12:48 AM, Paul B. Henson wrote:
> xhci probe won
> xhci0 at pci0 dev 20 function 0 "Intel 100 Series xHCI" rev 0x31: msi
> probing for usb*
> usb probe returned 1
> usb probe won
> usb0 at xhci0: USB revision 3.0
> probing for uhub*
> uhub probe returned 10
> uhub probe won
> uhub0 at usb0 "Intel xHCI root hub" rev 3.00/1.00 addr 1
> [system freezes here]

Exact same problem here with a Dell PowerEdge R230 and snapshot downloaded today.

Chris
Re: OS is leaking DNS
>From:
> Sebastien Marie
>To:Adam Smith
>Cc:misc@openbsd.org
>Received-On: Today 09:17
>Subject: Re: OS is leaking DNS
>More...
>

Hi Sebastien,

>without seeing any configuration files it is a bit complex to be sure...

Did you mean the configuration file of *.ovpn? Well, the contents of my *.ovpn file are as follows:

start of config file--
remote 50.149.115.121 1194 tcp-client
client
tls-client
dev tun
auth-user-pass auth.txt
resolv-retry infinite
mute-replay-warnings
nobind
persist-key
persist-tun
ns-cert-type server
verb 1
remote-cert-tls server
setenv CLIENT_CERT 0
-BEGIN CERTIFICATE-
{{{suppressed on request by VPN vendor}}}
-END CERTIFICATE-
end of config file--

>with my magic hat, my interpretation is:
> - you don't configure specific options in dhclient.conf, so when your
> ISP send to you the DNS list, dhclient(8) adds it to /etc/resolv.conf

Thanks for telling me that. I know it now.

> - you added your preferred public DNS servers in resolv.conf.tail, so
> these addresses will be *at bottom*

I see

> - your /etc/resolv.conf should look like:
>
>nameserver ISP-DNS-address
>nameserver preferred-public-DNS-address

According to your above example, my ISP will handle DNS resolutions and if it is unable to do it, then my preferred DNS resolvers will take over the job, is that correct?

>I think what you want is to override the DNS addresses provided by your
>ISP. It could be done using dhclient.conf, with the following line for
>example:
>
> supersede domain-name-servers 8.8.8.8;

My question: if I override/supersede my ISP's DNS servers, how will I be able to surf or ping websites the very first time I try to connect to the internet? You know, as in, for example, like after booting up OpenBSD, I launch Firefox browser and try to surf to www.unhcr.org

>Take a look at dhclient.conf(5) man page for more information.
>
> supersede option option-value;
> Use option-value for the given option, regardless of the value
> supplied by the server.

I did read that man page at least three times and am still clueless. I wish to let you know that I don't have formal training in IT and English is not my native language.

Regards.

Adam
http://www.DCpages.com
Re: OS is leaking DNS
Thanks for your explanation, Michael.

Regards.

Adam

--- mm...@mykolab.com wrote:

From: Michael McConville
To: Adam Smith
Cc: misc@openbsd.org
Subject: Re: OS is leaking DNS
Date: Mon, 28 Mar 2016 03:02:12 -0400

Adam Smith wrote:
> Relevant info:
>
> 1. OpenBSD-amd64 snapshot (install59.iso) with sha256sum of
>    5e8020ce150e0fba17b1eef7acc8c27d10845288b9d8c82315bd6826dc94669d and
>    dated March 27, 2016
>    (installed OpenBSD as desktop OS)
> 2. openvpn-2.3.10
> 3. firefox
> 4. enabled DHCP during installation of OS
> 5. edit /etc/resolv.conf.tail to include my preferred public DNS servers
> 6. computer connects directly to cable modem supplied by ISP, meaning
>    my machine receives dynamic IP addresses from my ISP
> 7. computer is standalone, not part of network
>
> After my computer is connected to VPN tunnel, I start Firefox and surf
> to https://www.dns-oarc.net/oarc/services/dnsentropy where I click on
> the button that says "Test My DNS".
>
> The IP address of my ISP appears in the results. It means that OpenBSD
> operating system leaks DNS.
>
> How to fix the problem, please?

See resolv.conf.tail(5). Its contents are *appended* to /etc/resolv.conf, so if your DHCP lease suggests a DNS server, your system will try that one before those listed in /etc/resolv.conf.tail.

http://www.DCpages.com
Re: OS is leaking DNS
>From:
> Adam Thompson
>To:ken...@dcemail.com
>Received-On: Today 08:43
>Subject: Re: OS is leaking DNS
>More...
>
>dhclient(8) is writing the ISP-supplied nameservers into resolv.conf
>*before* your local options in resolv.conf.tail.

Thanks for your explanation. I did consult the man page on dhclient.conf and owing to my lack of IT knowledge and English not being my native language, I have difficulty in understanding what it states.

>You can override this behaviour in dhclient.conf(5). See the example in
>the manpage for a way to prepend or override "domain-name-servers"
>instead of using resolv.conf.tail.

I read the man page on dhclient.conf (URL: http://man.openbsd.org/OpenBSD-current/man5/dhclient.conf.5) and I am still clueless. Based on the example given on that webpage, I adapted it into two samples which are the following:

Sample #1

backoff-cutoff 2;
initial-interval 1;
link-timeout 10;
reboot 0;
retry 10;
select-timeout 0;
timeout 30;

interface "em0" {
        prepend domain-name-servers 127.0.0.1;
        request subnet-mask, broadcast-address, routers,
            domain-name, domain-name-servers, host-name;
        require routers, subnet-mask, domain-name-servers;
}

Sample #2

backoff-cutoff 2;
initial-interval 1;
link-timeout 10;
reboot 0;
retry 10;
select-timeout 0;
timeout 30;

interface "em0" {
        prepend domain-name-servers 50.116.40.226, 107.170.95.180;
        request subnet-mask, broadcast-address, routers,
            domain-name, domain-name-servers, host-name;
        require routers, subnet-mask, domain-name-servers;
}

My questions:

(A) Sample #1 is essentially the same as resolving DNS requests via DHCP, isn't it? For a standalone computer, 127.0.0.1 resolves via the DNS resolver of my ISP, yes?

(B) In Sample #2, how is my computer able to connect to 50.116.40.226 without first going through my ISP's DNS resolver?

I am sorry if my question is somewhat noobish. I have very limited knowledge of networking and DNS resolution.

>I don't know what the OpenVPN client does to resolv.conf, but likely
>something similar.

The source code for OpenVPN client (Community Edition) is available for inspection. The URL to download it is https://swupdate.openvpn.org/community/releases/openvpn-2.3.10.zip

>But I know its config files let you override DNS
>server settings, too, because I've had to do so myself.

Please show me how you do it. Thanks in advance.

>Override instead of appending to get the
>desired behaviour. (Netflix, I assume? )

Wrong assumption. From time to time my job requires me to work for a few weeks in an authoritarian regime where even a cursory visit to a website can get me in trouble with their laws, the penalty for which is jail time or deportation.

>Any two machines
>connected to each other (e.g. your PC and your cable modem) constitute
>"a network".

See what I mean? You yourself have shown that I am null where IT knowledge is concerned.

>Given the complexities you are causing yourself, I would suggest running
>something like dnsmasq (in ports, IIRC) as your local recursing
>nameserver, then having all three of the above components merely point
>to 127.0.0.1. Then configure dnsmasq correctly. If you have dbus (also
>in ports, *sigh*) installed and dnsmasq built with dbus control option,
>you can dynamically change its behaviour on the fly (e.g. what upstream
>nameserver to forward queries to). Or you could just restart it manually
>each time.

Terms like "local recursing nameserver" are technical jargon to me. Even if I understood what it meant, I wouldn't know how to configure the three components to point to 127.0.0.1

By the way, which three components were you referring to? I saw only two: dhclient, nameservers

Would you be so kind as to show me how to do the stuff you described above, viz.:

- run dnsmasq as my local recursing nameserver
- three components point to 127.0.0.1
- configure dnsmasq correctly
- how to tell if my dnsmasq is built with dbus control option
- how to dynamically change its behaviour on the fly

Thanks in advance.

Adam
http://www.DCpages.com
Re: WAPBL?
Hi,

I'm not working on it for a while. Sadly I am with no time, but trying to escape to return. :(

2016-03-26 16:27 GMT-03:00 Martijn Rijkeboer :
> Hi,
>
> Just out of curiosity, what has happened with WAPBL? There were some patches
> floating around on tech@ in the last months of 2015, but then it became
> quiet. I'm not complaining just curious.
>
> Kind regards,
>
>
> Martijn Rijkeboer
Re: patch: fix usage of mkstemp() in rdistd
On Mon, 28 Mar 2016 10:19:12 +0200, Paul Kelly wrote: > On 03/28/16 04:05, Todd C. Miller wrote: > > I think it's best to just check the parent directories first and > > then create the temp name. > > > > - todd > > This works for me and avoids my hacking around with new. I added a few > extra destination directories and it seems to hold up OK. Thanks! Another option is to just open the file directly after creating the intermediate directories. This is effectively what used to happen before mkstemp(3) was changed to return an error when no Xs are found in the format. That way you still save a stat call when there directories already exist (the common case). - todd Index: server.c === RCS file: /cvs/src/usr.bin/rdistd/server.c,v retrieving revision 1.40 diff -u -p -u -r1.40 server.c --- server.c22 Dec 2015 08:48:39 - 1.40 +++ server.c28 Mar 2016 12:35:53 - @@ -752,7 +752,7 @@ recvfile(char *new, opt_t opts, int mode */ if ((f = mkstemp(new)) < 0) { if (errno != ENOENT || chkparent(new, opts) < 0 || - (f = mkstemp(new)) < 0) { + (f = open(new, O_CREAT|O_EXCL|O_RDWR, S_IRUSR|S_IWUSR)) < 0) { error("%s: create failed: %s", new, SYSERR); return; } @@ -1163,7 +1163,7 @@ recvlink(char *new, opt_t opts, int mode */ if (mktemp(new) == NULL || symlink(dbuf, new) < 0) { if (errno != ENOENT || chkparent(new, opts) < 0 || - mktemp(new) == NULL || symlink(dbuf, new) < 0) { + symlink(dbuf, new) < 0) { error("%s -> %s: symlink failed: %s", new, dbuf, SYSERR); return;
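Review bot: In the recvfile() hunk the fallback open(new, O_CREAT|O_EXCL|O_RDWR, S_IRUSR|S_IWUSR) is only correct because the failed mkstemp(new) has already replaced the Xs in `new`, and nothing in the code says so. A short comment above the open() stating that `new` now holds the generated name, and that O_EXCL makes this a single attempt with no retry on EEXIST, would keep a later reader from turning it back into a second mkstemp() call.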
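Review bot: In the recvlink() hunk the retry is now a bare symlink(dbuf, new), so it depends on the first mktemp(new) having succeeded, yet the errno != ENOENT test that follows cannot tell whether mktemp() or symlink() was the call that failed. Consider splitting the first condition so that a mktemp() failure is reported on its own and only the symlink() ENOENT case goes through chkparent() and the retry.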
Re: Tcpdump on pflow0 failed, understanding (or not) the pflow0 pseudo device
On Saturday 26 March 2016 18:54:25 Kapetanakis Giannis wrote:
> On 26/03/16 17:02, Eike Lantzsch wrote:
> > Hi:
> >
> > For learning purposes I want to set up collecting NetFlow data from my
> > small office router (5.8 release on a PC-Engines Alix 2D13 device).
> > I'm trying to follow
> > http://bsdly.blogspot.ca/2014/02/yes-you-too-can-be-evil-network.html
> > and I have Peter N. M. Hansteen's fine Book of PF (3) at hand - chapter 9
> > "Collecting NetFlow Data with pflow(4)".
> > However I seem to have a hard time to understand some details.
> >
> > I set up
> > /etc/pf.conf
> > # options:
> > set state-defaults pflow
> >
> > and
> > /etc/hostname.pflow0
> >
> > and get this:
> >
> > # ifconfig pflow0
> > pflow0: flags=41 mtu 1448
> >
> > priority: 0
> > pflow: sender: 192.168.12.1 receiver: 192.168.12.31:9995 version:
> > 10
> > groups: pflow
> >
> > 192.168.12 is my internal small network. I plan to set up a collector on
> > 192.168.12.31, which is an OpenBSD-vm on my work station.
> > (Did I get this right? Or should I use the address which I get from my ISP
> > as a souce address?)
> >
> > However
> > # tcpdump -nettti pflow0
> > tcpdump: Failed to open bpf device for pflow0: Device not configured
> >
> > In /dev/ I got bpf0 up to bpf9
> >
> > I did not set up a collector right now - just wanted to see if I get any
> > NetFlow data.
> >
> > What did I miss setting up the pflow pseudo-device?
>
> Try
> tcpdump -i vr0 host 192.168.12.31 and port 9995
> if vr0 is the interface to 192.168.1.31
>
> G

Thank you Giannis!
That interface would be vether0, vr0 is facing my ISP.
No, there are no UDP packets for 192.168.12.31:9995.
Does pflow have a problem with virtual ethernet interfaces?
I bridged vr1, athn0 and vether0
I will try to use vr2 for pflow, using another network just for that purpose.
There is another NIC available in the computer with the VM with the collector so that I will be able to catch the data later on - if I ever get the sensor to work ...

Eike
Re: libc issues on last snapshot
Solved for me on build 1459134312. Thanks.
Re: patch: fix usage of mkstemp() in rdistd
On 03/28/16 04:05, Todd C. Miller wrote: > I think it's best to just check the parent directories first and > then create the temp name. > > - todd This works for me and avoids my hacking around with new. I added a few extra destination directories and it seems to hold up OK. Thanks! paul@tiger:~/workspace/push/cm: /usr/bin/rdist -L syslog=all -d HOST=aspireone aspireone: updating host aspireone aspireone: ./scripts: installing aspireone: scripts: mkdir aspireone: ./scripts/util: installing aspireone: ./scripts/install: installing aspireone: ./scripts/files: installing aspireone: ./hosts/aspireone/etc/doas.conf: installing aspireone: staging: mkdir aspireone: staging/etc: mkdir aspireone: staging/etc/one: mkdir aspireone: staging/etc/one/two: mkdir aspireone: staging/etc/one/two/three: mkdir aspireone: ./hosts/aspireone/etc/rc.conf.local: installing aspireone: cmdspecial "./scripts/install" > Index: server.c > === > RCS file: /cvs/src/usr.bin/rdistd/server.c,v > retrieving revision 1.40 > diff -u -p -u -r1.40 server.c > --- server.c 22 Dec 2015 08:48:39 - 1.40 > +++ server.c 28 Mar 2016 02:01:32 - > @@ -750,12 +750,9 @@ recvfile(char *new, opt_t opts, int mode >/* > * Create temporary file > */ > - if ((f = mkstemp(new)) < 0) { > - if (errno != ENOENT || chkparent(new, opts) < 0 || > - (f = mkstemp(new)) < 0) { > - error("%s: create failed: %s", new, SYSERR); > - return; > - } > + if (chkparent(new, opts) < 0 || (f = mkstemp(new)) < 0) { > + error("%s: create failed: %s", new, SYSERR); > + return; >} > >/* 
> @@ -1161,13 +1158,10 @@ recvlink(char *new, opt_t opts, int mode >/* > * Make new symlink using a temporary name > */ > - if (mktemp(new) == NULL || symlink(dbuf, new) < 0) { > - if (errno != ENOENT || chkparent(new, opts) < 0 || > - mktemp(new) == NULL || symlink(dbuf, new) < 0) { > - error("%s -> %s: symlink failed: %s", new, dbuf, > - SYSERR); > - return; > - } > + if (chkparent(new, opts) < 0 || mktemp(new) == NULL || > + symlink(dbuf, new) < 0) { > + error("%s -> %s: symlink failed: %s", new, dbuf, SYSERR); > + return; >} > >/*
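Review bot: In the recvfile() hunk chkparent(new, opts) now runs before every mkstemp(new), including the common case where the directories already exist, and a chkparent() failure is logged as "create failed". Keeping mkstemp() first and falling back only on ENOENT avoids the extra work on every file; if the unconditional check stays, give the chkparent() failure its own error message.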
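Review bot: In the recvlink() hunk chkparent(), mktemp() and symlink() share one error path, so a parent-directory or mktemp() failure is logged as "%s -> %s: symlink failed" with whatever errno the failing call left behind. Split the condition, or at least report the chkparent() failure separately, so the log names the step that actually failed.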
Re: patch: fix usage of mkstemp() in rdistd
I had a request for more information about how to replicate this. Here's a stripped back example that demonstrates the problem.

paul@tiger:~/workspace/push/cm: cat ./distfile
./hosts/aspireone/etc/doas.conf -> ${HOST}
install staging/etc ;

paul@tiger:~/workspace/push/cm: cat ./hosts/aspireone/etc/doas.conf
# This is a dummy file.

First attempt fails to create a file if two new directories have been created:

paul@tiger:~/workspace/push/cm: /usr/bin/rdist -L syslog=all -d HOST=aspireone
aspireone: updating host aspireone
aspireone: ./hosts/aspireone/etc/doas.conf: installing
aspireone: staging: mkdir
aspireone: staging/etc: mkdir
aspireone: REMOTE ERROR: staging/etc/rdist9lu2tvqg: create failed: Invalid argument
aspireone: updating of aspireone finished

Second pass succeeds:

paul@tiger:~/workspace/push/cm: /usr/bin/rdist -L syslog=all -d HOST=aspireone
aspireone: updating host aspireone
aspireone: ./hosts/aspireone/etc/doas.conf: installing
aspireone: updating of aspireone finished

dmesg from the remote machine:

OpenBSD 5.8-stable (GENERIC.MP) #1: Thu Nov 12 09:27:53 CET 2015 paul@buildbox:/usr/src/sys/arch/i386/compile/GENERIC.MP RTC BIOS diagnostic error 80 cpu0: Intel(R) Atom(TM) CPU N270 @ 1.60GHz ("GenuineIntel" 686-class) 1.60 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,EST,TM2,SSSE3,xTPR,PDCM,MO VBE,LAHF,PERF,SENSOR real mem = 1596956672 (1522MB) avail mem = 1552547840 (1480MB) mpath0 at root scsibus0 at mpath0: 256 targets mainbus0 at root bios0 at mainbus0: date 10/06/08, SMBIOS rev. 2.4 @ 0xe9180 (32 entries) bios0: vendor Acer version "v0.3309" date 10/06/2008 bios0: Acer AOA150 acpi0 at bios0: rev 2 acpi0: sleep states S0 S3 S4 S5 acpi0: tables DSDT FACP SSDT HPET APIC MCFG ASF!
SLIC BOOT acpi0: wakeup devices P32_(S4) UHC1(S3) UHC2(S3) UHC3(S3) UHC4(S3) ECHI(S3) EXP1(S4) EXP2(S4) EXP3(S4) EXP4(S4) AZAL(S0) MODM(S0) acpitimer0 at acpi0: 3579545 Hz, 24 bits acpihpet0 at acpi0: 14318179 Hz acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges cpu0: apic clock running at 132MHz cpu0: mwait min=64, max=64, C-substates=0.2.2.0.2, IBE cpu1 at mainbus0: apid 1 (application processor) cpu1: Intel(R) Atom(TM) CPU N270 @ 1.60GHz ("GenuineIntel" 686-class) 1.60 GHz cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,EST,TM2,SSSE3,xTPR,PDCM,MO VBE,LAHF,PERF,SENSOR ioapic0 at mainbus0: apid 4 pa 0xfec0, version 20, 24 pins ioapic0: misconfigured as apic 0, remapped to apid 4 acpimcfg0 at acpi0 addr 0xe000, bus 0-255 acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus 5 (P32_) acpiprt2 at acpi0: bus 1 (EXP1) acpiprt3 at acpi0: bus 2 (EXP2) acpiprt4 at acpi0: bus 3 (EXP3) acpiprt5 at acpi0: bus 4 (EXP4) acpiec0 at acpi0 acpicpu0 at acpi0: !C3(100@57 io@0x416), !C2(500@1 io@0x414), C1(1000@1 halt), PSS acpicpu1 at acpi0: !C3(100@57 io@0x416), !C2(500@1 io@0x414), C1(1000@1 halt), PSS acpibtn0 at acpi0: PWRB acpibtn1 at acpi0: LID0 acpibtn2 at acpi0: SLPB acpibat0 at acpi0: BAT1 not present acpiac0 at acpi0: AC unit online acpivideo0 at acpi0: OVGA bios0: ROM list: 0xc/0xec00! 
cpu0: Enhanced SpeedStep 1596 MHz: speeds: 1600, 1333, 1066, 800 MHz pci0 at mainbus0 bus 0: configuration mode 1 (bios) pchb0 at pci0 dev 0 function 0 "Intel 82945GME Host" rev 0x03 vga1 at pci0 dev 2 function 0 "Intel 82945GME Video" rev 0x03 intagp0 at vga1 agp0 at intagp0: aperture at 0x6000, size 0x1000 inteldrm0 at vga1 drm0 at inteldrm0 inteldrm0: 1024x600 wsdisplay0 at vga1 mux 1: console (std, vt100 emulation) wsdisplay0: screen 1-5 added (std, vt100 emulation) "Intel 82945GM Video" rev 0x03 at pci0 dev 2 function 1 not configured azalia0 at pci0 dev 27 function 0 "Intel 82801GB HD Audio" rev 0x02: msi azalia0: codecs: Realtek ALC268 audio0 at azalia0 ppb0 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x02: apic 4 int 16 pci1 at ppb0 bus 1 ppb1 at pci0 dev 28 function 1 "Intel 82801GB PCIE" rev 0x02: apic 4 int 17 pci2 at ppb1 bus 2 2:0:0: mem address conflict 0xfffe/0x2 re0 at pci2 dev 0 function 0 "Realtek 8101E" rev 0x02: RTL8102EL (0x2480), msi, address 00:1e:68:cc:c0:06 rlphy0 at re0 phy 7: RTL8201L 10/100 PHY, rev. 1 ppb2 at pci0 dev 28 function 2 "Intel 82801GB PCIE" rev 0x02: apic 4 int 18 pci3 at ppb2 bus 3 wpi0 at pci3 dev 0 function 0 "Intel PRO/Wireless 3945ABG" rev 0x02: msi, MoW1, address 00:1c:bf:a9:21:f8 ppb3 at pci0 dev 28 function 3 "Intel 82801GB PCIE" rev 0x02: apic 4 int 19 pci4 at ppb3 bus 4 uhci0 at pci0 dev 29 function 0 "Intel 82801GB USB" rev 0x02: apic 4 int 16 uhci1 at pci0 dev 29 function 1 "Intel 82801GB USB" rev 0x02: apic 4 int 17 uhci2 at pci0 dev 29 function 2 "Intel 82801GB USB" rev 0x02: apic 4 int 18 uhci3 at pci0 dev 29
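The failure reproduced in this message (a second mkstemp() on a buffer whose Xs were already consumed, reported as "Invalid argument"), as an added example that is not rdistd's code and not from any poster: it puts the same-buffer retry beside a variant that keeps a pristine copy of the template. make_parents() is a hypothetical stand-in for chkparent(), and the /tmp scratch paths are constructed.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* expose mkstemp()/mkdtemp() under strict -std= */
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define TMPL_MAX 1024

/* Create each missing directory above the final path component.
 * Hypothetical stand-in for rdistd's chkparent(); not the project's code. */
static int make_parents(const char *path)
{
    char buf[TMPL_MAX];
    size_t len = strlen(path);

    if (len >= sizeof(buf)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(buf, path, len + 1);
    for (char *p = buf; *p != '\0'; p++) {
        if (*p != '/' || p == buf)
            continue;               /* skip non-separators and a leading '/' */
        *p = '\0';
        if (mkdir(buf, 0700) < 0 && errno != EEXIST)
            return -1;
        *p = '/';
    }
    return 0;
}

/* The pattern discussed in the thread: retry mkstemp() on the same buffer.
 * After the first call the Xs may already be replaced, so the retry can
 * fail with EINVAL (this depends on the libc). Kept for comparison only. */
static int mkstemp_retry_same_buffer(char *tmpl)
{
    int fd = mkstemp(tmpl);

    if (fd >= 0 || errno != ENOENT)
        return fd;
    if (make_parents(tmpl) < 0)
        return -1;
    return mkstemp(tmpl);
}

/* Variant that saves the template first and restores it for the retry,
 * so the second mkstemp() always sees a valid XXXXXX suffix. */
static int mkstemp_with_parents(char *tmpl)
{
    char saved[TMPL_MAX];
    size_t len = strlen(tmpl);
    int fd;

    if (len >= sizeof(saved)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(saved, tmpl, len + 1);

    fd = mkstemp(tmpl);
    if (fd >= 0 || errno != ENOENT)
        return fd;                  /* success, or an error parents won't fix */
    if (make_parents(saved) < 0)
        return -1;
    memcpy(tmpl, saved, len + 1);   /* put the XXXXXX suffix back */
    return mkstemp(tmpl);
}

int main(void)
{
    char base[] = "/tmp/rdist-demo-XXXXXX";   /* constructed scratch directory */
    char a[TMPL_MAX], b[TMPL_MAX];
    int fd;

    if (mkdtemp(base) == NULL) {
        perror("mkdtemp");
        return 1;
    }
    snprintf(a, sizeof(a), "%s/one/etc/rdistXXXXXX", base);
    snprintf(b, sizeof(b), "%s/two/etc/rdistXXXXXX", base);

    fd = mkstemp_retry_same_buffer(a);
    printf("same-buffer retry:    %s (%s)\n", a, fd < 0 ? strerror(errno) : "ok");
    if (fd >= 0)
        close(fd);

    fd = mkstemp_with_parents(b);
    printf("saved-template retry: %s (%s)\n", b, fd < 0 ? strerror(errno) : "ok");
    if (fd >= 0)
        close(fd);
    return 0;
}
```

Whether the same-buffer retry fails depends on what the libc leaves in the buffer after a failed mkstemp(); the saved-template variant does not rely on that.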
About STABLE ports
hello,

I would submit to you the problem I encounter when compiling firefox-ESR. I'm running OpenBSD 5.8-stable (GENERIC.MP) #1, and my port tree is sync with STABLE. I would add that before compiling firefox-esr, all other software were installed in binary form (pkg_add). I tried 2 times to compile unsuccessfully with the same error message.

Here is an extract of my log file :

Do I have first to reinstall all my software from ports ??

Thanks for your help !!

Building package for cmake-3.2.3p1
Create /usr/ports/packages/amd64/all/cmake-3.2.3p1.tgz
Error: Libraries in packing-lists in the ports tree and libraries from installed packages don't match
Error 1 in /usr/ports/devel/cmake (/usr/ports/infrastructure/mk/bsd.port.mk:3244 'wantlib-args')
*** Error 1 in /usr/ports/devel/cmake (/usr/ports/infrastructure/mk/bsd.port.mk:1956 '/usr/ports/packages/amd64/all/cmake-3.2.3p1.tgz')
*** Error 1 in /usr/ports/devel/cmake (/usr/ports/infrastructure/mk/bsd.port.mk:2508 '_internal-package')
*** Error 1 in /usr/ports/devel/cmake (/usr/ports/infrastructure/mk/bsd.port.mk:2488 'package')
*** Error 1 in /usr/ports/devel/cmake (/usr/ports/infrastructure/mk/bsd.port.mk:1969 '/var/db/pkg/cmake-3.2.3p1/+CONTENTS')
*** Error 1 in /usr/ports/devel/cmake (/usr/ports/infrastructure/mk/bsd.port.mk:2488 'install')
*** Error 1 in /usr/ports/devel/llvm (/usr/ports/infrastructure/mk/bsd.port.mk:2112 '/usr/ports/pobj/llvm-3.5.20140228/.dep-STEM-ge-3.2.3p1-devel-cmake')
*** Error 1 in /usr/ports/devel/llvm (/usr/ports/infrastructure/mk/bsd.port.mk:2575 '/usr/ports/pobj/llvm-3.5.20140228/.extract_done')
*** Error 1 in /usr/ports/devel/llvm (/usr/ports/infrastructure/mk/bsd.port.mk:1952 '/usr/ports/packages/amd64/all/llvm-3.5.20140228p34.tgz')
*** Error 1 in /usr/ports/devel/llvm (/usr/ports/infrastructure/mk/bsd.port.mk:2508 '_internal-package')
*** Error 1 in /usr/ports/devel/llvm (/usr/ports/infrastructure/mk/bsd.port.mk:2488 'package')
*** Error 1 in /usr/ports/devel/llvm (/usr/ports/infrastructure/mk/bsd.port.mk:1969 '/var/db/pkg/llvm-3.5.20140228p34/+CONTENTS')
*** Error 1 in /usr/ports/devel/llvm (/usr/ports/infrastructure/mk/bsd.port.mk:2488 'install')
*** Error 1 in . (/usr/ports/infrastructure/mk/bsd.port.mk:2112 '/usr/ports/pobj/firefox-esr-38.7.1/.dep-STEM-ge-3.5.20140228p27-devel-llvm')
*** Error 1 in /usr/ports/www/firefox-esr (/usr/ports/infrastructure/mk/bsd.port.mk:2488 'all')
Re: OS is leaking DNS
On Sun, Mar 27, 2016 at 11:12:38PM -0700, Adam Smith wrote:
> Hi,
>
> Relevant info:
>
> 1. OpenBSD-amd64 snapshot (install59.iso) with sha256sum of
> 5e8020ce150e0fba17b1eef7acc8c27d10845288b9d8c82315bd6826dc94669d and dated
> March 27, 2016
> (installed OpenBSD as desktop OS)
> 2. openvpn-2.3.10
> 3. firefox
> 4. enabled DHCP during installation of OS
> 5. edit /etc/resolv.conf.tail to include my preferred public DNS servers
> 6. computer connects directly to cable modem supplied by ISP, meaning my
> machine receives dynamic IP addresses from my ISP
> 7. computer is standalone, not part of network
>
> After my computer is connected to VPN tunnel, I start Firefox and surf to
> https://www.dns-oarc.net/oarc/services/dnsentropy where I click on the button
> that says "Test My DNS".
>
> The IP address of my ISP appears in the results. It means that OpenBSD
> operating system leaks DNS.

I tend to say that OpenBSD does what you ask for :)

> How to fix the problem, please?

Without seeing any configuration files it is a bit complex to be sure...

With my magic hat, my interpretation is:

- you don't configure specific options in dhclient.conf, so when your ISP sends you the DNS list, dhclient(8) adds it to /etc/resolv.conf

- you added your preferred public DNS servers in resolv.conf.tail, so these addresses will be *at the bottom*

- your /etc/resolv.conf should look like:

    nameserver ISP-DNS-address
    nameserver preferred-public-DNS-address

- so when a program asks for resolving an address, libc works as documented in resolv.conf: "If there are multiple servers, the resolver library queries them in the order listed". As resolv.conf.tail is at the bottom, these DNS addresses are used when the first (ISP DNS) addresses fail.

I think what you want is to override the DNS addresses provided by your ISP. It could be done using dhclient.conf, with the following line for example:

    supersede domain-name-servers 8.8.8.8;

Take a look at the dhclient.conf(5) man page for more information.

    supersede option option-value;
        Use option-value for the given option, regardless of the
        value supplied by the server.

I hope it helps.
--
Sebastien Marie
Re: OS is leaking DNS
Adam Smith wrote:
> Relevant info:
>
> 1. OpenBSD-amd64 snapshot (install59.iso) with sha256sum of
> 5e8020ce150e0fba17b1eef7acc8c27d10845288b9d8c82315bd6826dc94669d and
> dated March 27, 2016
> (installed OpenBSD as desktop OS)
> 2. openvpn-2.3.10
> 3. firefox
> 4. enabled DHCP during installation of OS
> 5. edit /etc/resolv.conf.tail to include my preferred public DNS servers
> 6. computer connects directly to cable modem supplied by ISP, meaning
> my machine receives dynamic IP addresses from my ISP
> 7. computer is standalone, not part of network
>
> After my computer is connected to VPN tunnel, I start Firefox and surf
> to https://www.dns-oarc.net/oarc/services/dnsentropy where I click on
> the button that says "Test My DNS".
>
> The IP address of my ISP appears in the results. It means that OpenBSD
> operating system leaks DNS.
>
> How to fix the problem, please?

See resolv.conf.tail(5). Its contents are *appended* to /etc/resolv.conf, so if your DHCP lease suggests a DNS server, your system will try that one before those listed in /etc/resolv.conf.tail.
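
Both replies above come down to the order of the nameserver lines in /etc/resolv.conf. As an added example (not code from the thread or from OpenBSD), this POSIX sh script audits that order in a given file; the function names and the 192.0.2.53 stand-in for the ISP resolver are assumptions, and 8.8.8.8 is the address from the supersede line quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: audit the nameserver order in a
# resolv.conf-style file. The resolver queries servers in listed order.

# Print the nameserver addresses in FILE, one per line, in file order.
list_nameservers() {
    awk '$1 == "nameserver" && $2 != "" { print $2 }' "$1"
}

# check_dns_order FILE PREFERRED_ADDR...
#   "ok"                  every listed server is a preferred one
#   "leak-first ADDR"     a non-preferred server is queried first
#   "leak-fallback ADDR"  a non-preferred server is used on failure
#   "empty"               the file has no nameserver lines
# Returns 0 only for "ok".
check_dns_order() {
    file=$1; shift
    preferred=" $* "
    pos=0
    for ns in $(list_nameservers "$file"); do
        pos=$((pos + 1))
        case "$preferred" in
            *" $ns "*) continue ;;      # preferred server, keep going
        esac
        if [ "$pos" -eq 1 ]; then
            echo "leak-first $ns"
        else
            echo "leak-fallback $ns"
        fi
        return 1
    done
    if [ "$pos" -eq 0 ]; then echo "empty"; return 1; fi
    echo "ok"
}

# Constructed sample: a DHCP-supplied server followed by the contents of
# resolv.conf.tail. 192.0.2.53 is a placeholder for the ISP's resolver.
write_sample() {
    printf '%s\n' '# constructed sample' \
        'nameserver 192.0.2.53' \
        'nameserver 8.8.8.8' \
        'lookup file bind' > "$1"
}

sample=$(mktemp)
write_sample "$sample"
check_dns_order "$sample" 8.8.8.8 || echo "DHCP-supplied DNS is still in use"
rm -f "$sample"
```

Run it against the live file with `check_dns_order /etc/resolv.conf 8.8.8.8` after renewing the lease to confirm that a dhclient.conf change took effect.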