Re: OpenBSD/octeon and "OpenBSD/patches/6.0/common/002_perl.patch.sig"
>In patch "OpenBSD/patches/6.0/common/002_perl.patch.sig" I've found
>references to two paths that appear to not exist in OpenBSD/octeon:
>
>* /usr/libdata/perl5/octeon-openbsd/5.20.3/IO
>* /usr/libdata/perl5/octeon-openbsd/5.20.3/IO/Socket
>
>Instead, there are:
>
>* /usr/libdata/perl5/mips64-openbsd/5.20.3/IO
>* /usr/libdata/perl5/mips64-openbsd/5.20.3/IO/Socket
>
>The following change seems to resolve this issue, at least on octeon and
>i386:
>
>-/usr/libdata/perl5/`machine`-openbsd/5.20.3/IO
>+/usr/libdata/perl5/`arch -s`-openbsd/5.20.3/IO
>
>-/usr/libdata/perl5/`machine`-openbsd/5.20.3/IO/Socket
>+/usr/libdata/perl5/`arch -s`-openbsd/5.20.3/IO/Socket

Strange no one else noticed this for so many months.

Anyways, it is not that important.  I won't reroll a 6.0 errata for
something so minor.  We'll keep an eye out for next time.
OpenBSD/octeon and "OpenBSD/patches/6.0/common/002_perl.patch.sig"
Hello,

In patch "OpenBSD/patches/6.0/common/002_perl.patch.sig" I've found
references to two paths that appear to not exist in OpenBSD/octeon:

* /usr/libdata/perl5/octeon-openbsd/5.20.3/IO
* /usr/libdata/perl5/octeon-openbsd/5.20.3/IO/Socket

Instead, there are:

* /usr/libdata/perl5/mips64-openbsd/5.20.3/IO
* /usr/libdata/perl5/mips64-openbsd/5.20.3/IO/Socket

The following change seems to resolve this issue, at least on octeon and
i386:

-/usr/libdata/perl5/`machine`-openbsd/5.20.3/IO
+/usr/libdata/perl5/`arch -s`-openbsd/5.20.3/IO

-/usr/libdata/perl5/`machine`-openbsd/5.20.3/IO/Socket
+/usr/libdata/perl5/`arch -s`-openbsd/5.20.3/IO/Socket

-- 
Cheers,
Pawel Waga
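Review bot: The `machine` to `arch -s` substitution in both `-`/`+` pairs is right, for a reason the i386 test cannot show: on OpenBSD machine(1) prints the platform name (octeon) while `arch -s` prints the normalized processor architecture (mips64), and the perl archname directory under /usr/libdata/perl5 is built from the latter; on i386 both commands print i386, so that test does not distinguish the two. A way to sidestep the naming question entirely is to ask perl for the directory, `perl -MConfig -e 'print $Config{archlibexp}'`, which yields /usr/libdata/perl5/<arch>-openbsd/5.20.3 on every platform. Note also that the file carries a signify signature (.patch.sig), so the change cannot be applied in place: a corrected script has to be re-signed and re-published, which is the reroll the reply declines.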
iked, AES-GCM and certificates
Hi Guys,

While I personally haven't used OpenBSD for almost 20 years, I'm glad it's
still around and strong when I need it most. Thank you.

Ok, so I have about 45 students and teachers that I would like to create a
VPN for. I've looked at the alternatives and iked it is. Our environment is
mainly macOS/iOS. I'm not by any means an expert in VPNs or crypto for that
matter, but I'm a software engineer so I think I can figure this out.

With that in mind, I've created an etc/iked.conf file that looks like this:

ikev2 "school" passive esp from 0.0.0.0/0 to 192.168.1.0/24 \
    local 7.7.7.7 peer any \
    ikesa enc aes-128-gcm auth hmac-sha2-256 group ecp256 \
    childsa enc aes-128-gcm auth hmac-sha2-256 group ecp256 \
    ecdsa256 config address 192.168.1.0/24 \
    config name-server 192.168.1.1 config access-server 192.168.1.1

Here are my questions:

Strongswan has the concept of virtualips to deal with "road warriors." Would
the range as I have set it up in my iked.conf deal with road warriors using
say iPhones with IPs that I can't possibly hardcode? In other words, will an
IP from that range be assigned to the devices connecting?
My second question is dealing with certificates and ikectl:

In the ikectl man pages there's an example:

To create the certificate authority:

    # ikectl ca vpn create

To create the certificates for the peers:

    # ikectl ca vpn certificate 10.1.2.3 create
    # ikectl ca vpn certificate 10.1.2.4 create
    # ikectl ca vpn certificate 10.1.2.5 create

Add the host as a VPN peer:

    # ikectl ca vpn install
    # ikectl ca vpn certificate 10.1.2.3 install

Export the certificate and CAs for the peers:

    # ikectl ca vpn certificate 10.2.3.4 export
    # ikectl ca vpn certificate 10.3.4.5 export

Create the tarballs and extract them to /etc/iked/

    10.2.3.4# tar -C /etc/iked -xzpf 10.2.3.4.tgz
    10.3.4.5# tar -C /etc/iked -xzpf 10.3.4.5.tgz

Questions:

When I create a certificate as in:

    # ikectl ca vpn certificate 10.1.2.4 create

Is 10.1.2.4 hypothetically one of the IPs in the range that was used in
iked.conf?

Last but not least, if I were to change the name of the certificate(s) from
say 10.1.2.4.pem to one more descriptive, say... janesmith.pem, will it
still match the IKEV2 identity when the device tries to connect?

Thanks in advance guys,

Jose
Re: syspatch dhcpd
2017-05-03 17:52 GMT+03:00 Christer Solskogen:
> On May 3, 2017 15:34, "Renaud Allard" wrote:
>
> Hello,
>
> Since I installed all the new patches with syspatch I get this in the logs:
> May 3 15:30:22 isildur dhcpd[79314]: pf pipe closed
> May 3 15:30:22 isildur dhcpd[79314]: pf pipe error: Broken pipe
> May 3 15:30:22 isildur dhcpd[11508]: pf pipe error: Broken pipe
> May 3 15:30:22 isildur dhcpd[79314]: pf pipe error: Broken pipe
> May 3 15:30:22 isildur last message repeated 2 times
>
> This happens many times per second and of course fills the logs partition.
> I don't see anything obvious in the patch code which would cause this
> though.
>
> I got the same problem here.

2GB of /var/log/ was filled in a few seconds.

from /src/usr.sbin/dhcpd/pfutils.c

	for (;;) {
		pfd[0].fd = pfpipe[0];
		pfd[0].events = POLLIN;
		if ((nfds = poll(pfd, 1, -1)) == -1)
			if (errno != EINTR)
				log_warn("poll");

		/* Maybe we should break from infinite loop??? */
		if (nfds > 0 && (pfd[0].revents & POLLHUP))
			log_warnx("pf pipe closed");

		if (nfds > 0 && (pfd[0].revents & POLLIN)) {
			memset(&cmd, 0, l);
			r = atomicio(read, pfpipe[0], &cmd, l);
			if (r != l)
				log_warn("pf pipe error");

-- 
/unk
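The loop quoted above has the shape that spins: once the other end of pfpipe is gone, poll(2) reports POLLHUP (and a read returns nothing) on every call without ever blocking again, so the body runs as fast as the CPU allows and each pass logs a line, which is how /var/log fills in seconds. The following is an added example and not dhcpd's code: a Python model of that loop built on os.pipe and select.poll, running the posted behaviour (hang-up only counted, as dhcpd only logs it) next to a variant that leaves the loop once the writer has gone away. The 8-byte records and the MAX_ITERS cap are this example's own constructions; the cap exists only so that the spinning variant terminates.

```python
"""Model of the dhcpd pf-pipe poll loop: why it spins after a hang-up.

Added example, not dhcpd's code. Records are fixed-size, standing in for
struct pf_cmd; MAX_ITERS is an artificial cap so the spinning variant stops.
"""
import os
import select

MAX_ITERS = 1000
RECLEN = 8      # stands in for sizeof(struct pf_cmd)


def pump_pipe(fd, stop_on_hup):
    """Read RECLEN-byte records from fd until the writer goes away.

    stop_on_hup=False mirrors the quoted loop: a POLLHUP or an empty read is
    only counted (dhcpd logs "pf pipe closed" / "pf pipe error" there) and
    the loop goes round again, but poll() now returns at once every time.
    stop_on_hup=True leaves the loop on POLLHUP or on a zero-length read.
    Returns the iteration, record and hang-up counts.
    """
    poller = select.poll()
    poller.register(fd, select.POLLIN)
    iters = records = hups = 0
    while iters < MAX_ITERS:
        iters += 1
        events = poller.poll()          # no timeout: block until something happens
        revents = events[0][1] if events else 0
        if revents & select.POLLIN:
            data = os.read(fd, RECLEN)  # stand-in for atomicio(read, ...)
            if len(data) == RECLEN:
                records += 1
                continue
            if data == b"":             # EOF: the writer closed its end
                hups += 1
                if stop_on_hup:
                    break
                continue
            break                       # short read: treat as a real error
        if revents & (select.POLLHUP | select.POLLERR):
            hups += 1                   # "pf pipe closed"
            if stop_on_hup:
                break
    return {"iters": iters, "records": records, "hups": hups}


def run_demo(stop_on_hup):
    """Write two constructed records into a pipe, close the writer, pump the reader."""
    rfd, wfd = os.pipe()
    try:
        os.write(wfd, b"RECORD01RECORD02")
        os.close(wfd)
        return pump_pipe(rfd, stop_on_hup)
    finally:
        os.close(rfd)


if __name__ == "__main__":
    print("posted loop:     ", run_demo(False))
    print("break on hang-up:", run_demo(True))
```

With the writer closed, the posted variant reads its two records and then runs to the cap with one hang-up per pass and no blocking in between; the variant that breaks on hang-up returns after the third pass. In the daemon the equivalent of the break is to leave the handler (or re-open the pipe) instead of logging and polling again.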
Re: DHCP in vmm guest
> On 04.05.2017, at 16:13, Jiri B wrote:
>
> On Thu, May 04, 2017 at 03:49:27PM +0200, Reyk Floeter wrote:
>> So you have the VM interface and the host interface on a bridge:
>> dhclient on the host "steals" all DHCP packets via BPF.
>>
>> Try to pkill dhclient on the host and the VM should be able to get DHCP.
>>
>> There is currently no solution for that, it is the way our dhclient works,
>> you can try to run the VM on a NAT'ed bridge or use "-L" local interfaces.
>>
>> Reyk
>
> What about using vether with bridge and having host's dhclient using
> vether?
>
> What about having dhcrelay and relaying VM's dhcp to upstream dhcp server?
>
> j.

You should also try "local interface" or "-L" with -current.  It doesn't
need bridge or vether or dhcpd, just forwarding and pf on the host.

Reyk
Re: DHCP in vmm guest
This is why I love misc@.

And Francois: If I had known a few days ago what Reyk just said, I would
have noted it. I should probably go back and edit my blog post. I spent 4
or 5 hours myself trying unsuccessfully to bridge it. I had it working once
in -CURRENT in October, but never could figure it out once I upgraded to
6.1. I must've manually assigned an address back then, whereas I was using
dhclient on bge0 last week.

On Thu, May 4, 2017 at 8:49 AM, Reyk Floeter wrote:
> dhclient on the host "steals" all DHCP packets via BPF.
>
>
Re: DHCP in vmm guest
On Thu, May 4, 2017 at 4:13 PM, Jiri B wrote:
> On Thu, May 04, 2017 at 03:49:27PM +0200, Reyk Floeter wrote:
>> So you have the VM interface and the host interface on a bridge:
>> dhclient on the host "steals" all DHCP packets via BPF.
>>
>> Try to pkill dhclient on the host and the VM should be able to get DHCP.
>>
>> There is currently no solution for that, it is the way our dhclient works,
>> you can try to run the VM on a NAT'ed bridge or use "-L" local interfaces.
>
> What about using vether with bridge and having host's dhclient using
> vether?

That is my solution to the same problem. Essentially I've had to make my
"primary" interface into a vether. Without this bug, I could have used em2
(in this case) directly. Now I use vether and em2 in a bridge.
Re: DHCP in vmm guest
On Thu, May 04, 2017 at 03:49:27PM +0200, Reyk Floeter wrote:
> So you have the VM interface and the host interface on a bridge:
> dhclient on the host "steals" all DHCP packets via BPF.
>
> Try to pkill dhclient on the host and the VM should be able to get DHCP.
>
> There is currently no solution for that, it is the way our dhclient works,
> you can try to run the VM on a NAT'ed bridge or use "-L" local interfaces.
>
> Reyk

What about using vether with bridge and having host's dhclient using
vether?

What about having dhcrelay and relaying VM's dhcp to upstream dhcp server?

j.
Re: DHCP in vmm guest
So you have the VM interface and the host interface on a bridge:
dhclient on the host "steals" all DHCP packets via BPF.

Try to pkill dhclient on the host and the VM should be able to get DHCP.

There is currently no solution for that, it is the way our dhclient works,
you can try to run the VM on a NAT'ed bridge or use "-L" local interfaces.

Reyk

> On 04.05.2017, at 14:51, Francois Stephany wrote:
>
> Hi,
>
> I'm new to OpenBSD and I'm trying a simple setup where a VMM guest has
> access to the network via tap and bridge. The host uses a wired connection
> and gets its network address with DHCP.
>
> Here's my /etc/vm.conf:
>
> switch "vms_switch" {
>    interface bridge0
>    add bge0
> }
>
> vm "vm.test" {
>    memory 1G
>    boot /home/fstephany/bsd.rd
>    disk /var/vms/fstephany/vmtest-disk.img
>    owner fstephany
>    interface tap {
>        switch "vms_switch"
>    }
>    disable
> }
>
>
> I've stopped vmd with #rcctl stop vmd
> and started it manually:
>
> # vmd -dvv
> startup
> /etc/vm.conf:4: switch "vms_switch" registered
> /etc/vm.conf:15: vm "vm.test" registered (disabled)
> vm_priv_brconfig: interface bridge0 description switch1-vms_switch
> vm_priv_brconfig: interface bridge0 add bge0
> vmd_configure: not creating vm vm.test (disabled)
> vm_opentty: vm vm.test tty /dev/ttyp1 uid 0 gid 4 mode 620
> vm_priv_ifconfig: interface tap0 description vm1-if0-vm.test
> vm_priv_ifconfig: interface bridge0 add tap0
> vm.test: started vm 1 successfully, tty /dev/ttyp1
> loadfile_elf: loaded ELF kernel
> run_vm: initializing hardware for vm vm.test
> virtio_init: vm "vm.test" vio0 lladdr fe:e1:bb:d1:6d:23
> run_vm: starting vcpu threads for vm vm.test
> vcpu_reset: resetting vcpu 0 for vm 5
> run_vm: waiting on events for VM vm.test
> i8259_write_datareg: master pic, reset IRQ vector to 0x20
> i8259_write_datareg: slave pic, reset IRQ vector to 0x28
> vcpu_exit_i8253: channel 0 reset, mode=7, start=11932
> virtio_blk_io: device reset
> virtio_net_io: device reset
> vionet queue notify - no space, dropping packet
> vionet queue notify - no space, dropping packet
> vionet queue notify - no space, dropping packet
> vionet queue notify - no space, dropping packet
> vionet queue notify - no space, dropping packet
> virtio_net_io: device reset
>
>
> Here's what happens when the installer tries to get a network address:
>
> # vmctl status
>    ID   PID VCPUS  MAXMEM  CURMEM     TTY        OWNER NAME
>     1     -     1    1.0G       -       -    fstephany vm.test
> # vmctl start vm.test -c
> Connected to /dev/ttyp1 (speed 9600)
>
> Copyright (c) 1982, 1986, 1989, 1991, 1993
>    The Regents of the University of California. All rights reserved.
> Copyright (c) 1995-2017 OpenBSD. All rights reserved. https://www.OpenBSD.org
>
> OpenBSD 6.1-current (RAMDISK_CD) #41: Tue May 2 21:13:30 MDT 2017
>    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
> real mem = 1056964608 (1008MB)
> avail mem = 1021235200 (973MB)
> mainbus0 at root
> bios0 at mainbus0
> acpi at bios0 not configured
> cpu0 at mainbus0: (uniprocessor)
> cpu0: Intel(R) Celeron(R) CPU G1610T @ 2.30GHz, 2295.33 MHz
> cpu0: FPU,VME,DE,PSE,MSR,PAE,MCE,CX8,SEP,PGE,MCA,CMOV,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,PCLMUL,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,XSAVE,HV,NXE,LONG,LAHF,FSGSBASE,SMEP,ERMS
> cpu0: 256KB 64b/line 8-way L2 cache
> pvbus0 at mainbus0: OpenBSD
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 "OpenBSD VMM Host" rev 0x00
> virtio0 at pci0 dev 1 function 0 "Qumranet Virtio RNG" rev 0x00
> viornd0 at virtio0
> virtio0: irq 3
> virtio1 at pci0 dev 2 function 0 "Qumranet Virtio Storage" rev 0x00
> vioblk0 at virtio1
> scsibus0 at vioblk0: 2 targets
> sd0 at scsibus0 targ 0 lun 0: SCSI3 0/direct fixed
> sd0: 4096MB, 512 bytes/sector, 8388608 sectors
> virtio1: irq 5
> virtio2 at pci0 dev 3 function 0 "Qumranet Virtio Network" rev 0x00
> vio0 at virtio2: address fe:e1:bb:d1:6d:23
> virtio2: irq 7
> virtio3 at pci0 dev 4 function 0 "OpenBSD VMM Control" rev 0x00
> virtio3: no matching child driver; not configured
> isa0 at mainbus0
> com0 at isa0 port 0x3f8/8 irq 4: ns8250, no fifo
> com0: console
> softraid0 at root
> scsibus1 at softraid0: 256 targets
> root on rd0a swap on rd0b dump on rd0b
>
> erase ^?, werase ^W, kill ^U, intr ^C, status ^T
>
> Welcome to the OpenBSD/amd64 6.1 installation program.
> (I)nstall, (U)pgrade, (A)utoinstall or (S)hell? I
> At any prompt except password prompts you can escape to a shell by
> typing '!'. Default answers are shown in []'s and are selected by
> pressing RETURN. You can exit this program at any time by pressing
> Control-C, but this can leave your system in an inconsistent state.
>
> Terminal type? [vt220]
> System hostname? (short form, e.g. 'foo') vmtest
>
> Available network interfaces are: vio0 vlan0.
> Which network interface do you wish to configure? (or
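What Reyk describes can be confirmed on the wire with tcpdump on the bridge members, as Jiri suggested: the guest's DHCPDISCOVER leaves tap0, and the question is whether an OFFER for that transaction ever shows up on the interface you capture on. The block below is an added example, not code from the thread, from vmd or from dhclient: a small parser for DHCP datagrams (the BOOTP fixed header plus the option field, RFC 2131/2132) and a pairing step that lists the clients whose DISCOVER got no matching OFFER. The capture it runs over is constructed; the guest MAC fe:e1:bb:d1:6d:23 and the 192.168.0.x addresses come from the thread, while the host MAC 00:11:22:33:44:55 and the transaction IDs are made up. In practice the payloads would be the UDP bodies pulled out of a tcpdump capture; pcap decoding is left out here.

```python
"""Parse DHCP datagrams and report DISCOVERs that never received an OFFER.

Added example: not code from the thread, vmd or dhclient. CAPTURE below is
constructed; the guest MAC and 192.168.0.x addresses are the thread's, the
host MAC and transaction IDs are invented.
"""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2131 magic cookie before the options
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255


def _ip(b):
    return ".".join(str(x) for x in b)


def _ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def parse_dhcp(payload):
    """Decode the BOOTP fixed header and the DHCP options of one UDP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    msg = {
        "op": op,                                  # 1 = BOOTREQUEST, 2 = BOOTREPLY
        "xid": xid,
        "broadcast": bool(flags & 0x8000),
        "yiaddr": _ip(payload[16:20]),             # address the server hands out
        "chaddr": ":".join(f"{b:02x}" for b in payload[28:28 + hlen]),
        "options": {},
    }
    i = 240
    while i < len(payload):                        # TLV options, pad = 1 byte, end = 255
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = payload[i + 1]
        msg["options"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    mtype = msg["options"].get(OPT_MSG_TYPE)
    msg["type"] = MSG_TYPES.get(mtype[0], "UNKNOWN") if mtype else "UNKNOWN"
    sid = msg["options"].get(OPT_SERVER_ID)
    msg["server_id"] = _ip(sid) if sid else None
    return msg


def build_dhcp(msg_type, xid, chaddr, yiaddr="0.0.0.0", server_id=None):
    """Build a minimal DHCP message; used here only to construct sample traffic."""
    hw = bytes.fromhex(chaddr.replace(":", ""))
    is_reply = msg_type in (2, 5, 6)
    header = struct.pack("!BBBBIHH", 2 if is_reply else 1, 1, len(hw), 0, xid, 0,
                         0 if is_reply else 0x8000)
    header += bytes(4) + _ip_bytes(yiaddr) + bytes(8)   # ciaddr, yiaddr, siaddr, giaddr
    header += hw.ljust(16, b"\0") + bytes(192)          # chaddr, sname, file
    options = bytes([OPT_MSG_TYPE, 1, msg_type])
    if server_id:
        options += bytes([OPT_SERVER_ID, 4]) + _ip_bytes(server_id)
    return header + DHCP_MAGIC + options + bytes([OPT_END])


def unanswered_clients(payloads):
    """MACs whose DISCOVER (keyed by xid and chaddr) has no OFFER in the capture."""
    discovers, offers = {}, set()
    for p in payloads:
        m = parse_dhcp(p)
        key = (m["xid"], m["chaddr"])
        if m["type"] == "DISCOVER":
            discovers[key] = m["chaddr"]
        elif m["type"] == "OFFER":
            offers.add(key)
    return sorted({mac for key, mac in discovers.items() if key not in offers})


HOST_MAC = "00:11:22:33:44:55"             # made up for the example
GUEST_MAC = "fe:e1:bb:d1:6d:23"            # vio0 address from the thread
CAPTURE = [                                # constructed capture, not real traffic
    build_dhcp(1, 0x1111, HOST_MAC),
    build_dhcp(2, 0x1111, HOST_MAC, yiaddr="192.168.0.9", server_id="192.168.0.1"),
    build_dhcp(1, 0x2222, GUEST_MAC),
    # no OFFER for xid 0x2222: the guest's DISCOVER went out, nothing reached tap0
]

if __name__ == "__main__":
    for p in CAPTURE:
        m = parse_dhcp(p)
        print(f"{m['type']:8} xid={m['xid']:#x} chaddr={m['chaddr']} yiaddr={m['yiaddr']}")
    print("unanswered:", unanswered_clients(CAPTURE))
```

Pairing on xid and chaddr together rather than xid alone matters when the host and the guest both run a client on the same segment, which is exactly the situation in the thread.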
Re: DHCP in vmm guest
That was it. Thanks!

I've set a fixed IP address to bge0 in the host:

# ifconfig bge0 192.168.0.9 255.255.255.0

Now the guest can DHCP:

# vmctl start vm.test -c
Connected to /dev/ttyp1 (speed 9600)

Copyright (c) 1982, 1986, 1989, 1991, 1993
    The Regents of the University of California. All rights reserved.
Copyright (c) 1995-2017 OpenBSD. All rights reserved. https://www.OpenBSD.org

OpenBSD 6.1-current (RAMDISK_CD) #41: Tue May 2 21:13:30 MDT 2017
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
real mem = 1056964608 (1008MB)
avail mem = 1021235200 (973MB)
mainbus0 at root
bios0 at mainbus0
acpi at bios0 not configured
cpu0 at mainbus0: (uniprocessor)
cpu0: Intel(R) Celeron(R) CPU G1610T @ 2.30GHz, 2295.37 MHz
cpu0: FPU,VME,DE,PSE,MSR,PAE,MCE,CX8,SEP,PGE,MCA,CMOV,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,PCLMUL,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,XSAVE,HV,NXE,LONG,LAHF,FSGSBASE,SMEP,ERMS
cpu0: 256KB 64b/line 8-way L2 cache
pvbus0 at mainbus0: OpenBSD
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "OpenBSD VMM Host" rev 0x00
virtio0 at pci0 dev 1 function 0 "Qumranet Virtio RNG" rev 0x00
viornd0 at virtio0
virtio0: irq 3
virtio1 at pci0 dev 2 function 0 "Qumranet Virtio Storage" rev 0x00
vioblk0 at virtio1
scsibus0 at vioblk0: 2 targets
sd0 at scsibus0 targ 0 lun 0: SCSI3 0/direct fixed
sd0: 4096MB, 512 bytes/sector, 8388608 sectors
virtio1: irq 5
virtio2 at pci0 dev 3 function 0 "Qumranet Virtio Network" rev 0x00
vio0 at virtio2: address fe:e1:bb:d1:44:af
virtio2: irq 7
virtio3 at pci0 dev 4 function 0 "OpenBSD VMM Control" rev 0x00
virtio3: no matching child driver; not configured
isa0 at mainbus0
com0 at isa0 port 0x3f8/8 irq 4: ns8250, no fifo
com0: console
softraid0 at root
scsibus1 at softraid0: 256 targets
root on rd0a swap on rd0b dump on rd0b

erase ^?, werase ^W, kill ^U, intr ^C, status ^T

Welcome to the OpenBSD/amd64 6.1 installation program.
(I)nstall, (U)pgrade, (A)utoinstall or (S)hell? I
At any prompt except password prompts you can escape to a shell by
typing '!'. Default answers are shown in []'s and are selected by
pressing RETURN. You can exit this program at any time by pressing
Control-C, but this can leave your system in an inconsistent state.

Terminal type? [vt220]
System hostname? (short form, e.g. 'foo') vmtest

Available network interfaces are: vio0 vlan0.
Which network interface do you wish to configure? (or 'done') [vio0]
IPv4 address for vio0? (or 'dhcp' or 'none') [dhcp]
DHCPDISCOVER on vio0 - interval 1
DHCPOFFER from 192.168.0.1 (6c:b0:ce:3f:2e:b7)
DHCPREQUEST on vio0 to 255.255.255.255
DHCPACK from 192.168.0.1 (6c:b0:ce:3f:2e:b7)
bound to 192.168.0.13 -- renewal in 1800 seconds.
IPv6 address for vio0? (or 'autoconf' or 'none') [none]

Do you have any idea how to avoid this issue?

On Thu, May 4, 2017 at 3:27 PM, trondd wrote:
> On Thu, May 4, 2017 8:51 am, Francois Stephany wrote:
> > Hi,
> >
> > I'm new to OpenBSD and I'm trying a simple setup where a VMM guest has
> > access to the network via tap and bridge. The host uses a wired
> > connection and gets its network address with DHCP.
> >
> > Here's my /etc/vm.conf:
> >
> > switch "vms_switch" {
> >     interface bridge0
> >     add bge0
> > }
> >
> > vm "vm.test" {
> >     memory 1G
> >     boot /home/fstephany/bsd.rd
> >     disk /var/vms/fstephany/vmtest-disk.img
> >     owner fstephany
> >     interface tap {
> >         switch "vms_switch"
> >     }
> >     disable
> > }
> >
> >
> > I've stopped vmd with #rcctl stop vmd
> > and started it manually:
> >
> > # vmd -dvv
> > startup
> > /etc/vm.conf:4: switch "vms_switch" registered
> > /etc/vm.conf:15: vm "vm.test" registered (disabled)
> > vm_priv_brconfig: interface bridge0 description switch1-vms_switch
> > vm_priv_brconfig: interface bridge0 add bge0
> > vmd_configure: not creating vm vm.test (disabled)
> > vm_opentty: vm vm.test tty /dev/ttyp1 uid 0 gid 4 mode 620
> > vm_priv_ifconfig: interface tap0 description vm1-if0-vm.test
> > vm_priv_ifconfig: interface bridge0 add tap0
> > vm.test: started vm 1 successfully, tty /dev/ttyp1
> > loadfile_elf: loaded ELF kernel
> > run_vm: initializing hardware for vm vm.test
> > virtio_init: vm "vm.test" vio0 lladdr fe:e1:bb:d1:6d:23
> > run_vm: starting vcpu threads for vm vm.test
> > vcpu_reset: resetting vcpu 0 for vm 5
> > run_vm: waiting on events for VM vm.test
> > i8259_write_datareg: master pic, reset IRQ vector to 0x20
> > i8259_write_datareg: slave pic, reset IRQ vector to 0x28
> > vcpu_exit_i8253: channel 0 reset, mode=7, start=11932
> > virtio_blk_io: device reset
> > virtio_net_io: device reset
> > vionet queue notify - no space, dropping packet
> > vionet queue notify - no space, dropping packet
> > vionet queue notify - no space, dropping packet
> > vionet queue notify - no space, dropping packet
> > vionet queue notify - no space, dropping packet
> > virtio_net_io: device reset
Incorrect file destination when logging with syslogd
Hi all,

I have an internal LAN syslogd server (recently upgraded to 6.1) since a
couple of years. It was successfully logging an old 2611XM cisco router,
now logs a dell switch and the new 2851 cisco router which swapped the old
one.

PROBLEM: while the dell switch correctly logs in the designated file, the
new cisco router logs on /var/log/messages instead of writing in its
designated file.

Relevant config on C2851:

logging trap debugging
logging facility local1
logging 10.0.0.234

Relevant config in /etc/rc.conf.local:

# rcctl get syslogd
syslogd_class=daemon
syslogd_flags=-u -a /var/spool/postfix/dev/log
syslogd_rtable=0
syslogd_timeout=30
syslogd_user=root

Relevant config in /etc/syslog.conf

#local0.debug	/var/log/c2611xm.log
local1.debug	/var/log/c2851.log
local2.debug	/var/log/switch.log

Output of /etc/pf.conf:

set skip on lo
pass in quick inet proto udp from {10.0.0.100, 10.0.0.101} to any port 514 # syslog
pass in quick inet from any to any port 123
pass
block return in on ! lo0 proto tcp to port 6000:6010

What could the problem with local1.debug be?

Thanks
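The first thing to establish in a case like this is which facility and severity the router actually puts in the PRI field of its datagrams, since syslogd files a message by that number and not by the sending host: PRI is facility * 8 + severity, local0 through local7 are facilities 16 through 23, and a `facility.level` selector takes that facility at that level or anything more urgent, with `none` switching a facility off again and later parts of a selector overriding earlier ones. The block below is an added example, not part of the post and not OpenBSD's syslogd: it decodes the `<PRI>` prefix of RFC 3164 lines and evaluates syslog.conf selectors by those rules, so a line seen in tcpdump can be mapped to the file it will land in. The sample lines are constructed; the /var/log/messages selector is modelled on the stock OpenBSD one and is an assumption about this server's file, not taken from the post. One of the samples shows a router left on the Cisco default facility local7, which that selector files under /var/log/messages at notice or above and drops entirely below it.

```python
"""Decode syslog PRI values and evaluate syslog.conf selectors.

Added example: not OpenBSD's syslogd and not from the post. CONF and the
sample lines are constructed for illustration.
"""
import re

FACILITY_NAMES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "cron2",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility, severity) from the <PRI> prefix; PRI = facility * 8 + severity."""
    m = _PRI_RE.match(line)
    if m is None:
        raise ValueError("line has no <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:                       # 23 * 8 + 7 is the largest legal value
        raise ValueError("PRI out of range")
    return pri >> 3, pri & 7


def selector_matches(selector, facility, severity):
    """Evaluate one syslog.conf selector field, e.g. '*.notice;mail.none;local1.debug'.

    Each 'facilities.level' part sets the accepted level for the facilities
    it names ('*' for all, 'none' to switch them off); later parts override
    earlier ones. A message matches when its severity is numerically at or
    below the accepted level for its facility (lower number = more urgent).
    """
    table = {}
    for part in selector.split(";"):
        facs, _, level = part.strip().rpartition(".")
        accept = None if level == "none" else SEVERITY_NAMES.index(level)
        for fac in (f.strip() for f in facs.split(",")):
            ids = range(len(FACILITY_NAMES)) if fac == "*" else [FACILITY_NAMES.index(fac)]
            for fid in ids:
                table[fid] = accept
    accept = table.get(facility)
    return accept is not None and severity <= accept


def route(conf, line):
    """Return the targets (in conf order) that a line would be written to."""
    fac, sev = decode_pri(line)
    return [target for selector, target in conf if selector_matches(selector, fac, sev)]


def explain(conf, line):
    fac, sev = decode_pri(line)
    return f"{FACILITY_NAMES[fac]}.{SEVERITY_NAMES[sev]} -> {route(conf, line) or '(dropped)'}"


# Constructed config: a messages line modelled on the stock OpenBSD one (an
# assumption about this server) plus the two active selectors from the post.
CONF = [
    ("*.notice;auth,authpriv.debug;cron,ftp,kern,lpr,mail,user.none", "/var/log/messages"),
    ("local1.debug", "/var/log/c2851.log"),
    ("local2.debug", "/var/log/switch.log"),
]

# Constructed sample datagrams; the PRI values are the point, not the text.
SAMPLE_LINES = [
    "<142>42: *May  4 10:00:01.000: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.234 started",  # local1.info
    "<189>43: *May  4 10:00:02.000: %SYS-5-CONFIG_I: Configured from console by vty0",                # local7.notice
    "<149>May  4 10:00:03 dell-switch %LINK-5-UPDOWN: Interface gi1 changed state to up",             # local2.notice
    "<191>44: *May  4 10:00:04.000: %SYS-7-USERLOG_DEBUG: Message from tty0",                         # local7.debug
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(explain(CONF, line))
```

Reading the PRI straight off a capture (`tcpdump -ni em0 -X udp port 514` shows the `<nnn>` as the first bytes of the payload) removes the guesswork about what the router sends before any selector is changed.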
Re: DHCP in vmm guest
The dhcp is running on the modem/router provided by my ISP. That makes me
think that I've setup a rule in its web interface so the OpenBSD host always
gets the same IP address.

On Thu, May 4, 2017 at 3:27 PM, Jiri B wrote:
> > I'm new to OpenBSD and I'm trying a simple setup where a VMM guest has
> > access to the network via tap and bridge. The host uses a wired
> > connection and gets its network address with DHCP.
>
> where is dhcpd running? on the host? have you tried tcpdump to see if dhcp
> discover traffic is visible there?
>
> j.
>
Re: DHCP in vmm guest
> I'm new to OpenBSD and I'm trying a simple setup where a VMM guest has
> access to the network via tap and bridge. The host uses a wired connection
> and gets its network address with DHCP.

where is dhcpd running? on the host? have you tried tcpdump to see if dhcp
discover traffic is visible there?

j.
Re: DHCP in vmm guest
On Thu, May 4, 2017 8:51 am, Francois Stephany wrote:
> Hi,
>
> I'm new to OpenBSD and I'm trying a simple setup where a VMM guest has
> access to the network via tap and bridge. The host uses a wired connection
> and gets its network address with DHCP.
>
> Here's my /etc/vm.conf:
>
> switch "vms_switch" {
>     interface bridge0
>     add bge0
> }
>
> vm "vm.test" {
>     memory 1G
>     boot /home/fstephany/bsd.rd
>     disk /var/vms/fstephany/vmtest-disk.img
>     owner fstephany
>     interface tap {
>         switch "vms_switch"
>     }
>     disable
> }
>
>
> I've stopped vmd with #rcctl stop vmd
> and started it manually:
>
> # vmd -dvv
> startup
> /etc/vm.conf:4: switch "vms_switch" registered
> /etc/vm.conf:15: vm "vm.test" registered (disabled)
> vm_priv_brconfig: interface bridge0 description switch1-vms_switch
> vm_priv_brconfig: interface bridge0 add bge0
> vmd_configure: not creating vm vm.test (disabled)
> vm_opentty: vm vm.test tty /dev/ttyp1 uid 0 gid 4 mode 620
> vm_priv_ifconfig: interface tap0 description vm1-if0-vm.test
> vm_priv_ifconfig: interface bridge0 add tap0
> vm.test: started vm 1 successfully, tty /dev/ttyp1
> loadfile_elf: loaded ELF kernel
> run_vm: initializing hardware for vm vm.test
> virtio_init: vm "vm.test" vio0 lladdr fe:e1:bb:d1:6d:23
> run_vm: starting vcpu threads for vm vm.test
> vcpu_reset: resetting vcpu 0 for vm 5
> run_vm: waiting on events for VM vm.test
> i8259_write_datareg: master pic, reset IRQ vector to 0x20
> i8259_write_datareg: slave pic, reset IRQ vector to 0x28
> vcpu_exit_i8253: channel 0 reset, mode=7, start=11932
> virtio_blk_io: device reset
> virtio_net_io: device reset
> vionet queue notify - no space, dropping packet
> vionet queue notify - no space, dropping packet
> vionet queue notify - no space, dropping packet
> vionet queue notify - no space, dropping packet
> vionet queue notify - no space, dropping packet
> virtio_net_io: device reset
>
>
> Here's what happens when the installer tries to get a network address:
>
> # vmctl status
>    ID   PID VCPUS  MAXMEM  CURMEM     TTY        OWNER NAME
>     1     -     1    1.0G       -       -    fstephany vm.test
> # vmctl start vm.test -c
> Connected to /dev/ttyp1 (speed 9600)
>
> Copyright (c) 1982, 1986, 1989, 1991, 1993
>     The Regents of the University of California. All rights reserved.
> Copyright (c) 1995-2017 OpenBSD. All rights reserved. https://www.OpenBSD.org
>
> OpenBSD 6.1-current (RAMDISK_CD) #41: Tue May 2 21:13:30 MDT 2017
>     dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
> real mem = 1056964608 (1008MB)
> avail mem = 1021235200 (973MB)
> mainbus0 at root
> bios0 at mainbus0
> acpi at bios0 not configured
> cpu0 at mainbus0: (uniprocessor)
> cpu0: Intel(R) Celeron(R) CPU G1610T @ 2.30GHz, 2295.33 MHz
> cpu0: FPU,VME,DE,PSE,MSR,PAE,MCE,CX8,SEP,PGE,MCA,CMOV,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,PCLMUL,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,XSAVE,HV,NXE,LONG,LAHF,FSGSBASE,SMEP,ERMS
> cpu0: 256KB 64b/line 8-way L2 cache
> pvbus0 at mainbus0: OpenBSD
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 "OpenBSD VMM Host" rev 0x00
> virtio0 at pci0 dev 1 function 0 "Qumranet Virtio RNG" rev 0x00
> viornd0 at virtio0
> virtio0: irq 3
> virtio1 at pci0 dev 2 function 0 "Qumranet Virtio Storage" rev 0x00
> vioblk0 at virtio1
> scsibus0 at vioblk0: 2 targets
> sd0 at scsibus0 targ 0 lun 0: SCSI3 0/direct fixed
> sd0: 4096MB, 512 bytes/sector, 8388608 sectors
> virtio1: irq 5
> virtio2 at pci0 dev 3 function 0 "Qumranet Virtio Network" rev 0x00
> vio0 at virtio2: address fe:e1:bb:d1:6d:23
> virtio2: irq 7
> virtio3 at pci0 dev 4 function 0 "OpenBSD VMM Control" rev 0x00
> virtio3: no matching child driver; not configured
> isa0 at mainbus0
> com0 at isa0 port 0x3f8/8 irq 4: ns8250, no fifo
> com0: console
> softraid0 at root
> scsibus1 at softraid0: 256 targets
> root on rd0a swap on rd0b dump on rd0b
>
> erase ^?, werase ^W, kill ^U, intr ^C, status ^T
>
> Welcome to the OpenBSD/amd64 6.1 installation program.
> (I)nstall, (U)pgrade, (A)utoinstall or (S)hell? I
> At any prompt except password prompts you can escape to a shell by
> typing '!'. Default answers are shown in []'s and are selected by
> pressing RETURN. You can exit this program at any time by pressing
> Control-C, but this can leave your system in an inconsistent state.
>
> Terminal type? [vt220]
> System hostname? (short form, e.g. 'foo') vmtest
>
> Available network interfaces are: vio0 vlan0.
> Which network interface do you wish to configure? (or 'done') [vio0]
> IPv4 address for vio0? (or 'dhcp' or 'none') [dhcp]
> DHCPDISCOVER on vio0 - interval 1
> DHCPDISCOVER on vio0 - interval 2
> DHCPDISCOVER on vio0 - interval 2
> DHCPDISCOVER on vio0 - interval 2
> DHCPDISCOVER on vio0 - interval 2
> DHCPDISCOVER on vio0 - interval 2
> No acceptable DHCPOFFERS received.
> No working leases in persistent database - sleeping.
>
problem with external disk on 6.1
Hello!

There is a problem with my WD external disk on 6.1. on 6.0 there are no
problems.

dmesg:

nightlord@work:[~]% dmesg
OpenBSD 6.1 (GENERIC.MP) #5: Thu Apr 13 11:26:43 MSK 2017
    r...@work.nightbbs.ru:/usr/obj/sys/arch/amd64/compile/GENERIC.MP
real mem = 2056990720 (1961MB)
avail mem = 1990025216 (1897MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xe9f80 (85 entries)
bios0: vendor Hewlett-Packard version "786G1 v01.08" date 08/25/2008
bios0: Hewlett-Packard HP Compaq dc7900 Small Form Factor
acpi0 at bios0: rev 0
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC ASF! MCFG TCPA SLIC HPET DMAR
acpi0: wakeup devices COM1(S4) PCI0(S4) PEG1(S4) PEG2(S4) IGBE(S4) PCX1(S4) PCX2(S4) PCX5(S4) PCX6(S4) HUB_(S4) USB1(S3) USB2(S3) USB3(S3) USB4(S3) USB5(S3) USB6(S3) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM)2 Duo CPU E8500 @ 3.16GHz, 3159.08 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE,NXE,LONG,LAHF,PERF,SENSOR
cpu0: 6MB 64b/line 16-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 332MHz
cpu0: mwait min=64, max=64, C-substates=0.2.2.2.2, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM)2 Duo CPU E8500 @ 3.16GHz, 3158.73 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE,NXE,LONG,LAHF,PERF,SENSOR
cpu1: 6MB 64b/line 16-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins
acpimcfg0 at acpi0 addr 0xf400, bus 0-63
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (PEG1)
acpiprt2 at acpi0: bus -1 (PEG2)
acpiprt3 at acpi0: bus 32 (PCX1)
acpiprt4 at acpi0: bus -1 (PCX2)
acpiprt5 at acpi0: bus 48 (PCX5)
acpiprt6 at acpi0: bus -1 (PCX6)
acpiprt7 at acpi0: bus 7 (HUB_)
acpicpu0 at acpi0: !C2(500@17 mwait.3@0x10), C1(1000@1 mwait.1)
acpicpu1 at acpi0: !C2(500@17 mwait.3@0x10), C1(1000@1 mwait.1)
"PNP0F13" at acpi0 not configured
"PNP0303" at acpi0 not configured
"PNP0501" at acpi0 not configured
"PNP0700" at acpi0 not configured
"PNP0003" at acpi0 not configured
acpibtn0 at acpi0: PBTN
"PNP0C14" at acpi0 not configured
cpu0: unknown Enhanced SpeedStep CPU, msr 0x0616492206004922
cpu0: using only highest and lowest power states
cpu0: Enhanced SpeedStep 3159 MHz: speeds: 24333, 2000 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Q45 Host" rev 0x03
inteldrm0 at pci0 dev 2 function 0 "Intel Q45 Video" rev 0x03
drm0 at inteldrm0
intagp0 at inteldrm0
agp0 at intagp0: aperture at 0xe000, size 0x1000
inteldrm0: msi
inteldrm0: 1280x1024, 32bpp
wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation)
wsdisplay0: screen 1-5 added (std, vt100 emulation)
"Intel Q45 Video" rev 0x03 at pci0 dev 2 function 1 not configured
"Intel Q45 HECI" rev 0x03 at pci0 dev 3 function 0 not configured
pciide0 at pci0 dev 3 function 2 "Intel Q45 PT IDER" rev 0x03: DMA (unsupported), channel 0 wired to native-PCI, channel 1 wired to native-PCI
pciide0: using apic 1 int 18 for native-PCI interrupt
pciide0: channel 0 ignored (not responding; disabled or no drives?)
pciide0: channel 1 ignored (not responding; disabled or no drives?)
puc0 at pci0 dev 3 function 3 "Intel Q45 KT" rev 0x03: ports: 1 com
com4 at puc0 port 0 apic 1 int 17: ns16550a, 16 byte fifo
com4: probed fifo depth: 15 bytes
em0 at pci0 dev 25 function 0 "Intel ICH10 D BM LM" rev 0x02: msi, address 00:23:7d:4e:a2:5c
uhci0 at pci0 dev 26 function 0 "Intel 82801JD USB" rev 0x02: apic 1 int 20
uhci1 at pci0 dev 26 function 1 "Intel 82801JD USB" rev 0x02: apic 1 int 21
uhci2 at pci0 dev 26 function 2 "Intel 82801JD USB" rev 0x02: apic 1 int 22
ehci0 at pci0 dev 26 function 7 "Intel 82801JD USB" rev 0x02: apic 1 int 22
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
azalia0 at pci0 dev 27 function 0 "Intel 82801JD HD Audio" rev 0x02: msi
azalia0: codecs: Analog Devices AD1884A
audio0 at azalia0
ppb0 at pci0 dev 28 function 0 "Intel 82801JD PCIE" rev 0x02: msi
pci1 at ppb0 bus 32
ppb1 at pci0 dev 28 function 4 "Intel 82801JD PCIE" rev 0x02: msi
pci2 at ppb1 bus 48
uhci3 at pci0 dev 29 function 0 "Intel 82801JD USB" rev 0x02: apic 1 int 20
uhci4 at pci0 dev 29 function 1 "Intel 82801JD USB" rev 0x02: apic 1 int 21
uhci5 at pci0 dev 29 function 2 "Intel 82801JD USB" rev 0x02: apic 1 int 22
ehci1 at pci0 dev 29 function 7 "Intel 82801JD USB" rev 0x02: apic 1 int 20
usb1 at ehci1: USB revision 2.0
uhub1 at
Re: syspatch on diskless fails (stat -qf %Sd / issue)
On Wed, May 03, 2017 at 07:37:11PM +0200, Andreas Kusalananda Kähäri wrote:
> On Wed, May 03, 2017 at 11:54:13AM +0200, Antoine Jacoutot wrote:
> > On Wed, May 03, 2017 at 11:39:48AM +0200, Andreas Kusalananda Kähäri wrote:
> > > Hi,
> > >
> > > syspatch seems to work fine for keeping my ordinary server and router on
> > > -stable, thanks!
> > >
> > > However, on my diskless workstation it doesn't work so well:
> > >
> > > Get/Verify syspatch61-001_dhcpd.tgz 100% |*| 71733 00:00
> > > Installing patch 001_dhcpd
> > > /usr/sbin/syspatch: ??=1147776: not found
> >
> > The error message could be improved but syspatch does the right thing here.
> > It properly aborts because it's not designed to work on a diskless system.
> >
> [cut]
> > > How may I apply the binary patch on the diskless system, alternatively,
> > > how do I apply it to the diskless system's files on its file server?
>
> Ok, so that is fine.
>
> I then tried to run syspatch in a chroot on the diskless client's
> fileserver, which is a complete 6.1-release installation.
>
> This resulted in syspatch exiting without an error, but also without
> doing anything.
>
> After a bit of investigation, I found that it was because the unpriv
> shell function generated an error upon invoking su:
>
> su: approval failure: Undefined error: 0

It turned out this was because of not properly re-mounting the partition
with the "suid" mount option.

Kudos to Antoine Jacoutot for spending time to reproduce this and getting
back to me. Sorry for my confusion about this, I should have spotted my
mistake.

All sorted now.

Regards,
Kusalananda
DHCP in vmm guest
Hi,

I'm new to OpenBSD and I'm trying a simple setup where a VMM guest has access
to the network via tap and bridge. The host uses a wired connection and gets
its network address with DHCP.

Here's my /etc/vm.conf:

switch "vms_switch" {
	interface bridge0
	add bge0
}

vm "vm.test" {
	memory 1G
	boot /home/fstephany/bsd.rd
	disk /var/vms/fstephany/vmtest-disk.img
	owner fstephany
	interface tap {
		switch "vms_switch"
	}
	disable
}

I've stopped vmd with "# rcctl stop vmd" and started it manually:

# vmd -dvv
startup
/etc/vm.conf:4: switch "vms_switch" registered
/etc/vm.conf:15: vm "vm.test" registered (disabled)
vm_priv_brconfig: interface bridge0 description switch1-vms_switch
vm_priv_brconfig: interface bridge0 add bge0
vmd_configure: not creating vm vm.test (disabled)
vm_opentty: vm vm.test tty /dev/ttyp1 uid 0 gid 4 mode 620
vm_priv_ifconfig: interface tap0 description vm1-if0-vm.test
vm_priv_ifconfig: interface bridge0 add tap0
vm.test: started vm 1 successfully, tty /dev/ttyp1
loadfile_elf: loaded ELF kernel
run_vm: initializing hardware for vm vm.test
virtio_init: vm "vm.test" vio0 lladdr fe:e1:bb:d1:6d:23
run_vm: starting vcpu threads for vm vm.test
vcpu_reset: resetting vcpu 0 for vm 5
run_vm: waiting on events for VM vm.test
i8259_write_datareg: master pic, reset IRQ vector to 0x20
i8259_write_datareg: slave pic, reset IRQ vector to 0x28
vcpu_exit_i8253: channel 0 reset, mode=7, start=11932
virtio_blk_io: device reset
virtio_net_io: device reset
vionet queue notify - no space, dropping packet
vionet queue notify - no space, dropping packet
vionet queue notify - no space, dropping packet
vionet queue notify - no space, dropping packet
vionet queue notify - no space, dropping packet
virtio_net_io: device reset

Here's what happens when the installer tries to get a network address:

# vmctl status
   ID   PID VCPUS  MAXMEM  CURMEM     TTY OWNER     NAME
    1     -     1    1.0G       -       - fstephany vm.test
# vmctl start vm.test -c
Connected to /dev/ttyp1 (speed 9600)

Copyright (c) 1982, 1986, 1989, 1991, 1993
	The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2017 OpenBSD. All rights reserved.  https://www.OpenBSD.org

OpenBSD 6.1-current (RAMDISK_CD) #41: Tue May 2 21:13:30 MDT 2017
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
real mem = 1056964608 (1008MB)
avail mem = 1021235200 (973MB)
mainbus0 at root
bios0 at mainbus0
acpi at bios0 not configured
cpu0 at mainbus0: (uniprocessor)
cpu0: Intel(R) Celeron(R) CPU G1610T @ 2.30GHz, 2295.33 MHz
cpu0: FPU,VME,DE,PSE,MSR,PAE,MCE,CX8,SEP,PGE,MCA,CMOV,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,PCLMUL,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,XSAVE,HV,NXE,LONG,LAHF,FSGSBASE,SMEP,ERMS
cpu0: 256KB 64b/line 8-way L2 cache
pvbus0 at mainbus0: OpenBSD
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "OpenBSD VMM Host" rev 0x00
virtio0 at pci0 dev 1 function 0 "Qumranet Virtio RNG" rev 0x00
viornd0 at virtio0
virtio0: irq 3
virtio1 at pci0 dev 2 function 0 "Qumranet Virtio Storage" rev 0x00
vioblk0 at virtio1
scsibus0 at vioblk0: 2 targets
sd0 at scsibus0 targ 0 lun 0:SCSI3 0/direct fixed
sd0: 4096MB, 512 bytes/sector, 8388608 sectors
virtio1: irq 5
virtio2 at pci0 dev 3 function 0 "Qumranet Virtio Network" rev 0x00
vio0 at virtio2: address fe:e1:bb:d1:6d:23
virtio2: irq 7
virtio3 at pci0 dev 4 function 0 "OpenBSD VMM Control" rev 0x00
virtio3: no matching child driver; not configured
isa0 at mainbus0
com0 at isa0 port 0x3f8/8 irq 4: ns8250, no fifo
com0: console
softraid0 at root
scsibus1 at softraid0: 256 targets
root on rd0a swap on rd0b dump on rd0b
erase ^?, werase ^W, kill ^U, intr ^C, status ^T

Welcome to the OpenBSD/amd64 6.1 installation program.
(I)nstall, (U)pgrade, (A)utoinstall or (S)hell? I
At any prompt except password prompts you can escape to a shell by
typing '!'. Default answers are shown in []'s and are selected by
pressing RETURN. You can exit this program at any time by pressing
Control-C, but this can leave your system in an inconsistent state.
Terminal type? [vt220]
System hostname? (short form, e.g. 'foo') vmtest
Available network interfaces are: vio0 vlan0.
Which network interface do you wish to configure? (or 'done') [vio0]
IPv4 address for vio0? (or 'dhcp' or 'none') [dhcp]
DHCPDISCOVER on vio0 - interval 1
DHCPDISCOVER on vio0 - interval 2
DHCPDISCOVER on vio0 - interval 2
DHCPDISCOVER on vio0 - interval 2
DHCPDISCOVER on vio0 - interval 2
DHCPDISCOVER on vio0 - interval 2
No acceptable DHCPOFFERS received.
No working leases in persistent database - sleeping.
IPv6 address for vio0? (or 'autoconf' or 'none') [none]

Here's ifconfig when the VM is running. The bridge is there with bge0 and tap0:

# ifconfig
lo0: flags=8049 mtu 32768
	index 4 priority 0 llprio 3
	groups: lo
	inet6 ::1 prefixlen 128
Re: After applying patches, kernel version is slower?
On Thu, May 04, 2017 at 07:49:04AM +, Stuart Henderson wrote:
> On 2017-05-04, C. L. Martinez wrote:
> > Hi all,
> >
> > I have applied the recent patches for OpenBSD 6.1 in two hosts and I see a
> > strange behavior. In a non-patched OpenBSD 6.1 host, uname -a returns:
> >
> > OpenBSD tnobsd02.mydom.org 6.1 GENERIC#19 amd64
> >
> > .. and in an OpenBSD 6.1 host with patches applied:
> >
> > OpenBSD extobsd01.mydom.org 6.1 GENERIC#4 amd64
> >
> > Any idea why??
> >
>
> They're built on a different machine. (The number after GENERIC# shows
> how many builds were done in that directory since it was cleaned.)
>
> Check the date in "sysctl kern.version".
>

Ahh ... Ok, many thanks for the info Stuart.

--
Greetings,
C. L. Martinez
Relayd: session timeout
Hey list,

I have the following relay configured on a two-node setup. Each node acts as
MASTER for one IP and BACKUP for another, and the opposite on the second node.

tcp protocol tcp_proto {
	tcp { nodelay, sack, socket buffer 65536, backlog 128 }
}

relay rabbitmq {
	listen on $VIP1 port 5672
	listen on $VIP2 port 5672
	protocol tcp_proto
	# session timeout 10800
	forward to port 5672 mode roundrobin check tcp
	forward to port 5672 mode roundrobin check tcp
}

Default timeout is 600s (10 min).

In my test I have a client requesting data from a machine (web1) sitting behind
this relay (node1). web1 has its def gw pointed to node1, e.g. NAT:ed.
node1, obviously, has EXT and INT interfaces, VIP1 and VIP2 being the external
ones.

What I see in tcpdump running on both EXT and INT interfaces is a tcp stream
between client and web1 via node1 - PUSH ACK. At some point (600s) node1 cuts
the connection (FIN seen in tcpdump).

Question is: is this expected behavior? As states in PF are updated due to the
continuous tcp stream, the session shouldn't be cut, right?

Any clues?

node1 runs 6.0-stable

Br
mxb
Re: After applying patches, kernel version is slower?
On 2017-05-04, C. L. Martinez wrote:
> Hi all,
>
> I have applied the recent patches for OpenBSD 6.1 in two hosts and I see a
> strange behavior. In a non-patched OpenBSD 6.1 host, uname -a returns:
>
> OpenBSD tnobsd02.mydom.org 6.1 GENERIC#19 amd64
>
> .. and in an OpenBSD 6.1 host with patches applied:
>
> OpenBSD extobsd01.mydom.org 6.1 GENERIC#4 amd64
>
> Any idea why??
>

They're built on a different machine. (The number after GENERIC# shows how
many builds were done in that directory since it was cleaned.)

Check the date in "sysctl kern.version".
Re: Pf with secondary DNS resolution
2017-05-04 1:56 GMT+02:00 Luke Small:

> Four words Peter..."dynamic IP address". I'm sure that there are folks that
> ssh into machines that are on a dynamic IP address that don't have a modem
> on a power backup, or even possibly on an ISP that may go down, possibly when
> they are out of town. I don't know if it is possible or already done, but
> you could have a computer check into a target machine that often changes
> the ip address or system while the firewall is locked down to only send
> messages to that remote machine and if it is compromised, can't send it
> anywhere else. Or you ssh into the machine and it only accepts incoming
> port 22 requests from a machine that has a dynamic url and listed in your
> pf.conf. maybe you could even signify in the pf.conf that the url will
> often have a different ip address and it could request that ip address
> every time it gets a hit on that rule or a maximum upperbound.
>

Also, if the problem really is "I need to log in from a remote machine on an
unknown ip and strict rules on not letting others in" then you have more or
less described a roadwarrior ipsec setup, so get some kind of VPN going there
with certs and secrets and you can travel around the world and know that only
your machine with the correct magic can connect to the stationary resource(s).
That problem was solved a long time ago.

--
May the most significant bit of your life be positive.
Re: Pf with secondary DNS resolution
The main problem you need to solve or work around is the situation where the
name you want to resolve doesn't resolve at *ruleset load* and you end up with
an invalid ruleset. In sane setups, the system would then run with either the
default rules (check /etc/rc) or the previous version of your ruleset.

The easiest way to compensate for IP addresses that may change and avoid
reloading the rules is to stick the possibly-changing addresses into tables
that your rules reference, and run a script that resolves the names you're
interested in and updates (replaces) table contents with the result of that
script at whatever intervals you need (this is what cron was made for). That
script could even put the results into files that you can then use as source
for the initial values for table contents.

Basically I think your scenario is easily solved with a reasonably structured
set of PF rules and some fairly straightforward scripting involving host and
pfctl commands.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
After applying patches, kernel version is slower?
Hi all,

I have applied the recent patches for OpenBSD 6.1 in two hosts and I see a
strange behavior. In a non-patched OpenBSD 6.1 host, uname -a returns:

OpenBSD tnobsd02.mydom.org 6.1 GENERIC#19 amd64

.. and in an OpenBSD 6.1 host with patches applied:

OpenBSD extobsd01.mydom.org 6.1 GENERIC#4 amd64

Any idea why??

--
Greetings,
C. L. Martinez
Re: Pf with secondary DNS resolution
On 4 May 2017 08:39:51 MESZ, Janne Johansson wrote:
>I would make those rules have a table, and a cronjob to feed the table
>with
>the current ips that these hostnames resolve to.

Same here.

>But of course, that implies you trust the replies you get all the time
>from
>that cronjob.
>

Is there no DNSsec enabled dynamic DNS service? ;)

When you can't trust your (upstream) DNS server a whole new world of ugly
hacks will open up. How about sharing signed files via SyncThing? ^^

Regards,
Florian

>
>2017-05-03 22:16 GMT+02:00 Luke Small :
>
>> Is it worthwhile to set up a hook for pf to load rules that have URLs
>after
>> the network services that can resolve them come into effect?
>>
Re: Pf with secondary DNS resolution
I would make those rules have a table, and a cronjob to feed the table with
the current ips that these hostnames resolve to. But of course, that implies
you trust the replies you get all the time from that cronjob.

2017-05-03 22:16 GMT+02:00 Luke Small:

> Is it worthwhile to set up a hook for pf to load rules that have URLs after
> the network services that can resolve them come into effect?
>

--
May the most significant bit of your life be positive.