IPv6 over PPPoE with Plusnet/QSC, IP6CP message gets rejected?

2020-06-22 Thread Folkert Saathoff
hello list,

i'm hoping somebody can tell me how to correctly configure PPPoE IPv6 address 
negotiation, or can at least point me towards the relevant literature. it's 
rather unclear to me what configuration options there are for inet6 over pppoe.


my german ISP (Plusnet, used to be QSC) has assigned to my contract a /64 WAN 
prefix. the inet6 address of my pppoe0 interface needs to be negotiated during 
the PPPoE handshake. this however does not happen, my pppoe0 interface shows
only the link-local inet6 address after running /etc/netstart.sh pppoe0



the ISP engineers have provided me with a pcap file of a working handshake, 
presumably from a non-BSD client. they show the pppoe client sending an IP6CP 
Conf-Request message to the server, and the server responding with an IP6CP 
Conf-Request message of its own. after that, NDP RA and DHCPv6 messages handle 
the actual WAN and LAN prefix negotiation.


when i capture the PPPoE handshake on my OpenBSD machine, i can also see an 
IP6CP Conf-Request message from my client to the server, however in response the 
server sends a Prot-Reject LCP message, apparently confused by the client's 
message.


comparing the initial Conf-Request messages between the working and failing
scenario, i notice that the working message has a length of 46 bytes, while the
message that was rejected has a length of only 22 bytes. i also note that a
subsequent IP6CP Term-Request sent by my client was likewise rejected by the
server.


so it seems that my OpenBSD 6.5 pppoe client is not speaking the exact dialect
of IP6CP that the pppoe server expects. 



* is the Conf-Request message sent by OpenBSD pppoe(8) a well-formed IP6CP 
message?

* are there any configuration options available to tweak the IP6CP behaviour of 
pppoe(8)? 

* does anybody happen to have a working configuration for Plusnet GmbH / QSC? :)



many thanks!
/f
WORKING SCENARIO:
client > server, ethertype PPPoE S (0x8864), length 60: PPPoE  [ses 0x26f1] 
IP6CP (0x8057), length 16: IP6CP, Conf-Request (0x01), id 1, length 16
encoded length 14 (=Option(s) length 10)
  Interface-ID Option (0x01), length 10: 32e4:dbff:fe34:4000
0x:  1100 26f1 0010 8057 0101 000e 010a 32e4  ..&W..2.
0x0010:  dbff fe34 4000 3108 0045 6000 36ba c500  ...4@.1..E`.6...
0x0020:  00fe 11c7 2a5c c582 3b36     *\..;6
server > client, ethertype PPPoE S (0x8864), length 64: PPPoE  [ses 0x26f1] 
IP6CP (0x8057), length 16: IP6CP, Conf-Request (0x01), id 1, length 16
encoded length 14 (=Option(s) length 10)
  Interface-ID Option (0x01), length 10: 0212:efff:fe71:3afa
0x:  1100 26f1 0010 8057 0101 000e 010a 0212  ..&W
0x0010:  efff fe71 3afa       ...q:...
0x0020:           
0x0030:   ..
FAILING SCENARIO:
client > server, ethertype PPPoE S (0x8864), length 36: PPPoE  [ses 0x3175] 
IP6CP (0x8057), length 16: IP6CP, Conf-Request (0x01), id 6, length 16
encoded length 14 (=Option(s) length 10)
  Interface-ID Option (0x01), length 10: d235:2d95:d846:ef19
0x:  1100 3175 0010 8057 0106 000e 010a d235  ..1u...W...5
0x0010:  2d95 d846 ef19   -..F..
server > client, ethertype PPPoE S (0x8864), length 60: PPPoE  [ses 0x3175] LCP 
(0xc021), length 22: LCP, Prot-Reject (0x08), id 30, length 22
encoded length 20 (=Option(s) length 16)
  Rejected IP6CP Protocol (0x8057)
  Rejected Packet
0x:  0106 000e 010a d235 2d95 d846 ef19 
0x0010:  
0x:  1100 3175 0016 c021 081e 0014 8057 0106  ..1u...!.W..
0x0010:  000e 010a d235 2d95 d846 ef19    .5-..F..
0x0020:           ..
client > server, ethertype PPPoE S (0x8864), length 26: PPPoE  [ses 0x3175] 
IP6CP (0x8057), length 6: IP6CP, Term-Request (0x05), id 8, length 6
0x:  1100 3175 0006 8057 0508 0004..1u...W
server > client, ethertype PPPoE S (0x8864), length 60: PPPoE  [ses 0x3175] LCP 
(0xc021), length 12: LCP, Prot-Reject (0x08), id 31, length 12
encoded length 10 (=Option(s) length 6)
  Rejected IP6CP Protocol (0x8057)
  Rejected Packet
0x:  0508 0004  
0x:  1100 3175 000c c021 081f 000a 8057 0508  ..1u...!.W..
0x0010:  0004         
0x0020:       dc18 2eef   ..
uname -a:
OpenBSD feedface.com 6.5 GENERIC.MP#5 amd64


cat /etc/hostname.pppoe0:
inet 0.0.0.0 255.255.255.255 NONE \
  pppoedev em2 \
  authproto pap \
  authname 'cpe...@qsc-wia-vdsl.de' \
  authkey 'XXX' \
  up
dest 0.0.0.1
#inet6 eui64
inet6 -autoconfprivacy
inet6 autoconf
!/sbin/route add  
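To check the first question in the post (whether the rejected Conf-Request is well-formed) against the captures themselves, here is a small decoder for the PPPoE session frames quoted above. It is an added example, not code from the original post or from pppoe(8): the three hex strings are copied from the tcpdump output in the post (tcpdump's -x output starts at the PPPoE header, so no Ethernet header is present), while the function names and the result fields are my own. The decoder honours the PPPoE length field rather than trusting the frame size, validates every control-protocol and option length before indexing, and unpacks the nested packet inside the LCP Prot-Reject. Run on the two client Conf-Requests it shows the same 14-byte IP6CP body with one 8-byte Interface-ID option in both; only the working frame carries trailing bytes after the 16-byte PPPoE payload.

```python
"""Decode PPPoE-session frames carrying PPP control protocols (IP6CP, LCP).

Added example; the hex dumps below are copied from the tcpdump -x output
quoted in the post (PPPoE header onward, Ethernet header not shown).
"""
import struct

# Constructed from the dumps on the page: whitespace-separated hex words.
WORKING_CLIENT_REQ = (
    "1100 26f1 0010 8057 0101 000e 010a 32e4 "
    "dbff fe34 4000 3108 0045 6000 36ba c500 "
    "00fe 11c7 2a5c c582 3b36"
)
FAILING_CLIENT_REQ = (
    "1100 3175 0010 8057 0106 000e 010a d235 "
    "2d95 d846 ef19"
)
FAILING_SERVER_PROTREJ = (
    "1100 3175 0016 c021 081e 0014 8057 0106 "
    "000e 010a d235 2d95 d846 ef19"
)

PPP_IP6CP = 0x8057
PPP_LCP = 0xC021
CP_CODES = {1: "Conf-Request", 2: "Conf-Ack", 3: "Conf-Nak", 4: "Conf-Reject",
            5: "Term-Request", 6: "Term-Ack", 7: "Code-Reject", 8: "Prot-Reject"}
IP6CP_OPT_IFID = 1  # Interface-Identifier option, RFC 5072


def parse_pppoe_session(hexdump):
    """Return the PPP protocol and decoded control packet of one session frame."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    if len(raw) < 8:
        raise ValueError("frame shorter than PPPoE header + PPP protocol")
    vertype, code, session, length = struct.unpack("!BBHH", raw[:6])
    if vertype != 0x11 or code != 0x00:
        raise ValueError("not a PPPoE session frame")
    payload = raw[6:6 + length]          # trust the length field, not the frame size
    if len(payload) < length or length < 2:
        raise ValueError("truncated PPPoE payload")
    proto = struct.unpack("!H", payload[:2])[0]
    return {
        "session": session,
        "proto": proto,
        "cp": parse_cp(payload[2:]),
        "padding": len(raw) - 6 - length,  # bytes after the declared payload
    }


def parse_cp(data):
    """Decode a PPP control-protocol packet: code, id, length, then body."""
    if len(data) < 4:
        raise ValueError("control packet shorter than its header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 4 or length > len(data):
        raise ValueError("bad control-protocol length")
    body = data[4:length]
    packet = {"code": CP_CODES.get(code, code), "id": ident, "length": length}
    if code == 8:  # Prot-Reject carries the rejected protocol and the rejected packet
        if len(body) < 2:
            raise ValueError("Prot-Reject without protocol field")
        packet["rejected_proto"] = struct.unpack("!H", body[:2])[0]
        packet["rejected_packet"] = parse_cp(body[2:])
    elif code in (1, 2, 3, 4):
        packet["options"] = parse_options(body)
    else:
        packet["data"] = body
    return packet


def parse_options(body):
    """Decode type/length/value options, rendering Interface-ID as hex groups."""
    options = []
    while body:
        if len(body) < 2:
            raise ValueError("short option header")
        opt_type, opt_len = body[0], body[1]
        if opt_len < 2 or opt_len > len(body):
            raise ValueError("bad option length")
        value = body[2:opt_len]
        if opt_type == IP6CP_OPT_IFID:
            if len(value) != 8:
                raise ValueError("Interface-ID must be 8 bytes")
            value = ":".join(value.hex()[i:i + 4] for i in range(0, 16, 4))
        options.append((opt_type, value))
        body = body[opt_len:]
    return options


def same_shape(a, b):
    """True when two Conf-Requests differ only in id and option values."""
    return (a["code"] == b["code"] and a["length"] == b["length"]
            and [t for t, _ in a["options"]] == [t for t, _ in b["options"]])


if __name__ == "__main__":
    for name, dump in (("working", WORKING_CLIENT_REQ),
                       ("failing", FAILING_CLIENT_REQ),
                       ("prot-reject", FAILING_SERVER_PROTREJ)):
        print(name, parse_pppoe_session(dump))
```

Both client requests decode to code 1, length 14, one Interface-ID option, and the server's Prot-Reject echoes the failing request byte for byte, so the rejection is not caused by a malformed IP6CP packet as far as the captured bytes show; whatever differs lies outside these frames.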



OpenBGPd announce fulltables +default

2020-06-22 Thread Tom Smyth
Hello,
I notice that in the current manual there is an option to export
none|default-route, with the explanation below in the manual:

export (none|default-route)
    If set to none, no UPDATE messages will be sent to the neighbor. If
    set to default-route, only the default route will be announced to the
    neighbor. When export is modified the neighbor session needs to be
    reset to become active.

I was wondering whether there is an easy way to announce the default + full
tables for BGP customers who want to choose to migrate from default
routing to full table without contacting me ...

something inside me says it would be wrong to add 0.0.0.0/0 network
(although if memory serves me correctly previous versions of OpenBGPd
would politely decline to do that :) and filter the crap out of that
for upstream Transit and Peers (non Customers ) ...

-- 
Kindest regards,
Tom Smyth.



Re: OpenBSD Hangs On

2020-06-22 Thread Tom Smyth
Hi Jinn
We came across this issue a few years ago;
it affects certain versions of KVM / Proxmox...
if you disable the Intel preemption timer in the hypervisor Linux kernel
it may relieve your situation..
if you search the misc lists for KVM, freeze and OpenBSD
you will see lots of discussions and the exact settings to put in the KVM
hypervisor.


Thanks
Tom Smyth

On Mon, 22 Jun 2020 at 14:30, jin 
wrote:

> Hello
>
> I have a virtual appliance on KVM and it hangs approximately every 3
> days. The problem has been there since its installation, which was in
> March. When it happens, I can only do a hard shutdown/reboot to recover
> my system from this issue because the system doesn't respond to me.
> I'm using version 6.6 of OpenBSD and I already applied all the syspatches.
> I'm not certain, but it looks like the problem could be related to the
> syslog daemon. Maybe it is too early to make an assumption, but log
> messages (/var/log/messages) show that the syslog daemon keeps restarting
> itself at 4-hour intervals.
>
> Could someone please point me to how to increase the verbosity of the logs?
> I'd like to dig myself as much as possible.
>
> Fatih
> Sincerely
>
> dmesg output
>
> OpenBSD 6.6 (GENERIC) #7: Thu Mar 12 10:32:29 MDT 2020
> r...@syspatch-66-amd64.openbsd.org:
> /usr/src/sys/arch/amd64/compile/GENERIC
> real mem = 1056817152 (1007MB)
> avail mem = 1012228096 (965MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xf5940 (9 entries)
> bios0: vendor SeaBIOS version "
> rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org"
> date 04/01/2014
> bios0: QEMU Standard PC (i440FX + PIIX, 1996)
> acpi0 at bios0: ACPI 1.0
> acpi0: sleep states S3 S4 S5
> acpi0: tables DSDT FACP APIC HPET
> acpi0: wakeup devices
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Westmere E56xx/L56xx/X56xx (Nehalem-C), 2295.15 MHz, 06-2c-01
> cpu0:
>
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,PCLMUL,SSSE3,CX16,SSE4.1,SSE4.2,x2APIC,POPCNT,AES,HV,NXE,LONG,LAHF,ARAT,MELTDOWN
> cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB
> 64b/line 16-way L2 cache
> cpu0: ITLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
> cpu0: DTLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
> cpu0: apic clock running at 1000MHz
> ioapic0 at mainbus0: apid 0 pa 0xfec0, version 11, 24 pins
> acpihpet0 at acpi0: 1 Hz
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpicpu0 at acpi0: C1(@1 halt!)
> "ACPI0006" at acpi0 not configured
> acpipci0 at acpi0 PCI0: _OSC failed
> acpicmos0 at acpi0
> "PNP0A06" at acpi0 not configured
> "PNP0A06" at acpi0 not configured
> "PNP0A06" at acpi0 not configured
> "QEMU0002" at acpi0 not configured
> "ACPI0010" at acpi0 not configured
> cpu0: using IvyBridge MDS workaround
> pvbus0 at mainbus0: KVM
> pvclock0 at pvbus0
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
> pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
> pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel
> 0 wired to compatibility, channel 1 wired to compatibility
> pciide0: channel 0 disabled (no drives)
> pciide0: channel 1 disabled (no drives)
> uhci0 at pci0 dev 1 function 2 "Intel 82371SB USB" rev 0x01: apic 0 int 11
> piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: apic 0 int
> 9
> iic0 at piixpm0
> vga1 at pci0 dev 2 function 0 "Bochs VGA" rev 0x02
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> virtio0 at pci0 dev 3 function 0 "Qumranet Virtio Network" rev 0x00
> vio0 at virtio0: address 52:54:00:a5:1f:57
> virtio0: msix shared
> eap0 at pci0 dev 4 function 0 "Ensoniq AudioPCI" rev 0x00: apic 0 int 11
> audio0 at eap0
> midi0 at eap0: 
> virtio1 at pci0 dev 5 function 0 "Qumranet Virtio Storage" rev 0x00
> vioblk0 at virtio1
> scsibus1 at vioblk0: 2 targets
> sd0 at scsibus1 targ 0 lun 0: 
> sd0: 51200MB, 512 bytes/sector, 104857600 sectors
> virtio1: msix shared
> virtio2 at pci0 dev 6 function 0 "Qumranet Virtio Memory Balloon" rev 0x00
> viomb0 at virtio2
> virtio2: apic 0 int 10
> isa0 at pcib0
> isadma0 at isa0
> fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
> pckbc0 at isa0 port 0x60/5 irq 1 irq 12
> pckbd0 at pckbc0 (kbd slot)
> wskbd0 at pckbd0: console keyboard, using wsdisplay0
> pms0 at pckbc0 (aux slot)
> wsmouse0 at pms0 mux 0
> pcppi0 at isa0 port 0x61
> spkr0 at pcppi0
> usb0 at uhci0: USB revision 1.0
> uhub0 at usb0 configuration 1 interface 0 "Intel UHCI root hub" rev
> 1.00/1.00 addr 1
> uhidev0 at uhub0 port 1 configuration 1 interface 0 "QEMU QEMU USB Tablet"
> rev 2.00/0.00 addr 2
> uhidev0: iclass 3/0
> ums0 at 

Re: [patch] calendar.music: Neil Peart 1952-2020

2020-06-22 Thread Theo de Raadt
Anders Andersson  wrote:

> On Mon, Jun 22, 2020 at 3:44 PM Jason McIntyre  wrote:
> >
> > On Mon, Jun 22, 2020 at 08:31:34AM -0500, Carson Chittom wrote:
> > >
> > > Matthew J. C. Clarke  writes:
> > >
> > > >  01/08  Elvis Presley born in East Tupelo, Mississippi,
> > > >  1935
> > >
> > > This caught my eye, being from Mississippi myself.
> > >
> > > As far as I know or can tell from searching online, there's no
> > > such place as "East Tupelo".  This should be just "Tupelo" (my
> > > preference) or "east Tupelo" (the Elvis Presley Birthplace Museum
> > > does appear to be on the eastern side of Tupelo).
> > >
> >
> > hi. i changed it to just "Tupelo".
> > thanks,
> >
> > jmc
> 
> On a more serious note, why even bother with these files anymore? I'm
> sure having your computer know the birth date of Elvis was useful and
> novel 30 years ago, but today such a trivia list is just a bitrotting
> museum piece that will get more and more out of date. IMO.
> 
> Instead of adding every musician, let's just nuke all the files except
> calendar.openbsd and calendar.computer. They still seem relevant to an
> operating system and to make sure there's always some examples to play
> with.
> 
> ...again, IM (not so humble) O.

stop wasting our time



Re: [patch] calendar.music: Neil Peart 1952-2020

2020-06-22 Thread Anders Andersson
On Mon, Jun 22, 2020 at 3:44 PM Jason McIntyre  wrote:
>
> On Mon, Jun 22, 2020 at 08:31:34AM -0500, Carson Chittom wrote:
> >
> > Matthew J. C. Clarke  writes:
> >
> > >  01/08  Elvis Presley born in East Tupelo, Mississippi,
> > >  1935
> >
> > This caught my eye, being from Mississippi myself.
> >
> > As far as I know or can tell from searching online, there's no
> > such place as "East Tupelo".  This should be just "Tupelo" (my
> > preference) or "east Tupelo" (the Elvis Presley Birthplace Museum
> > does appear to be on the eastern side of Tupelo).
> >
>
> hi. i changed it to just "Tupelo".
> thanks,
>
> jmc

On a more serious note, why even bother with these files anymore? I'm
sure having your computer know the birth date of Elvis was useful and
novel 30 years ago, but today such a trivia list is just a bitrotting
museum piece that will get more and more out of date. IMO.

Instead of adding every musician, let's just nuke all the files except
calendar.openbsd and calendar.computer. They still seem relevant to an
operating system and to make sure there's always some examples to play
with.

...again, IM (not so humble) O.



Re: [patch] calendar.music: Neil Peart 1952-2020

2020-06-22 Thread Jason McIntyre
On Mon, Jun 22, 2020 at 08:31:34AM -0500, Carson Chittom wrote:
>  
> Matthew J. C. Clarke  writes: 
>  
> >  01/08  Elvis Presley born in East Tupelo, Mississippi, 
> >  1935 
> 
> This caught my eye, being from Mississippi myself.
> 
> As far as I know or can tell from searching online, there's no 
> such place as "East Tupelo".  This should be just "Tupelo" (my 
> preference) or "east Tupelo" (the Elvis Presley Birthplace Museum 
> does appear to be on the eastern side of Tupelo).
> 

hi. i changed it to just "Tupelo".
thanks,

jmc



Re: [patch] calendar.music: Neil Peart 1952-2020

2020-06-22 Thread Carson Chittom


Matthew J. C. Clarke  writes: 

 01/08	Elvis Presley born in East Tupelo, Mississippi, 
 1935 


This caught my eye, being from Mississippi myself.

As far as I know or can tell from searching online, there's no 
such place as "East Tupelo".  This should be just "Tupelo" (my 
preference) or "east Tupelo" (the Elvis Presley Birthplace Museum 
does appear to be on the eastern side of Tupelo).




OpenBSD Hangs On

2020-06-22 Thread jin
Hello

I have a virtual appliance on KVM and it hangs approximately every 3
days. The problem has been there since its installation, which was in
March. When it happens, I can only do a hard shutdown/reboot to recover
my system from this issue because the system doesn't respond to me.
I'm using version 6.6 of OpenBSD and I already applied all the syspatches.
I'm not certain, but it looks like the problem could be related to the
syslog daemon. Maybe it is too early to make an assumption, but log
messages (/var/log/messages) show that the syslog daemon keeps restarting
itself at 4-hour intervals.

Could someone please point me to how to increase the verbosity of the logs?
I'd like to dig myself as much as possible.

Fatih
Sincerely

dmesg output

OpenBSD 6.6 (GENERIC) #7: Thu Mar 12 10:32:29 MDT 2020
r...@syspatch-66-amd64.openbsd.org:
/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 1056817152 (1007MB)
avail mem = 1012228096 (965MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xf5940 (9 entries)
bios0: vendor SeaBIOS version "rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org"
date 04/01/2014
bios0: QEMU Standard PC (i440FX + PIIX, 1996)
acpi0 at bios0: ACPI 1.0
acpi0: sleep states S3 S4 S5
acpi0: tables DSDT FACP APIC HPET
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Westmere E56xx/L56xx/X56xx (Nehalem-C), 2295.15 MHz, 06-2c-01
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,PCLMUL,SSSE3,CX16,SSE4.1,SSE4.2,x2APIC,POPCNT,AES,HV,NXE,LONG,LAHF,ARAT,MELTDOWN
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB
64b/line 16-way L2 cache
cpu0: ITLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: DTLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 1000MHz
ioapic0 at mainbus0: apid 0 pa 0xfec0, version 11, 24 pins
acpihpet0 at acpi0: 1 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: C1(@1 halt!)
"ACPI0006" at acpi0 not configured
acpipci0 at acpi0 PCI0: _OSC failed
acpicmos0 at acpi0
"PNP0A06" at acpi0 not configured
"PNP0A06" at acpi0 not configured
"PNP0A06" at acpi0 not configured
"QEMU0002" at acpi0 not configured
"ACPI0010" at acpi0 not configured
cpu0: using IvyBridge MDS workaround
pvbus0 at mainbus0: KVM
pvclock0 at pvbus0
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel
0 wired to compatibility, channel 1 wired to compatibility
pciide0: channel 0 disabled (no drives)
pciide0: channel 1 disabled (no drives)
uhci0 at pci0 dev 1 function 2 "Intel 82371SB USB" rev 0x01: apic 0 int 11
piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: apic 0 int
9
iic0 at piixpm0
vga1 at pci0 dev 2 function 0 "Bochs VGA" rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
virtio0 at pci0 dev 3 function 0 "Qumranet Virtio Network" rev 0x00
vio0 at virtio0: address 52:54:00:a5:1f:57
virtio0: msix shared
eap0 at pci0 dev 4 function 0 "Ensoniq AudioPCI" rev 0x00: apic 0 int 11
audio0 at eap0
midi0 at eap0: 
virtio1 at pci0 dev 5 function 0 "Qumranet Virtio Storage" rev 0x00
vioblk0 at virtio1
scsibus1 at vioblk0: 2 targets
sd0 at scsibus1 targ 0 lun 0: 
sd0: 51200MB, 512 bytes/sector, 104857600 sectors
virtio1: msix shared
virtio2 at pci0 dev 6 function 0 "Qumranet Virtio Memory Balloon" rev 0x00
viomb0 at virtio2
virtio2: apic 0 int 10
isa0 at pcib0
isadma0 at isa0
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
usb0 at uhci0: USB revision 1.0
uhub0 at usb0 configuration 1 interface 0 "Intel UHCI root hub" rev
1.00/1.00 addr 1
uhidev0 at uhub0 port 1 configuration 1 interface 0 "QEMU QEMU USB Tablet"
rev 2.00/0.00 addr 2
uhidev0: iclass 3/0
ums0 at uhidev0: 3 buttons, Z dir
wsmouse1 at ums0 mux 0
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on sd0a (496659ef9c4468e2.a) swap on sd0b dump on sd0b
WARNING: / was not properly unmounted
fd0 at fdc0 drive 1: density unknown
syncing disks... done
rebooting...
OpenBSD 6.6 (GENERIC) #0: Thu Jun  4 15:26:25 MDT 2020
t...@syspatch-66-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 1056817152 (1007MB)
avail mem = 1012228096 (965MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xf5940 (9 entries)
bios0: 

OpenSMTPd can't send mail behind IKEv2 NAT

2020-06-22 Thread Martin
I have a working SMTP server on OBSD 6.6 which did its job successfully using 
the server's egress IP before the IPsec iked tunnel was implemented.

/etc/mail/smtpd.conf
...
# smtpd bound on server's egress interface (early setup with clearnet IP config without IPsec)
table sources {1.2.3.4}
table helonames {1.2.3.4 = smtp.domain.tld}
...

Now all the server's traffic goes through the IKEv2 gateway with NAT, and smtpd 
runs on the same server, but now behind IPsec NAT.

The goal is that smtpd should send/receive mail through the IPsec tunnel. smtpd 
receives mail successfully but can't send mail through the IPsec tunnel.

Once mail is sent by the mail agent, mailq reports "No valid route to destination". 
I tried to bind smtpd to localhost and to the IPsec server's local NAT interface in 
smtpd.conf, but unsuccessfully:
...
table sources {127.0.0.1}
table helonames {4.3.2.1 = smtp.another-domain.tld}
...

I suppose smtpd uses the system default routing table for delivering mail, instead 
of using the IPsec gateway, and binding smtpd to localhost or the IPsec NAT 
interface can't solve the problem.

Any suggestions on what might be missing or misconfigured?

Martin


Re: OpenBSD Readonly File System

2020-06-22 Thread Mogens Jensen
Tuesday, June 9, 2020 7:59 AM, Vertigo Altair  wrote:

> Hi Misc,
> I have a firewall device and I'm using OpenBSD on it.

Last year I had to configure an OpenBSD 6.5 firewall for use in a
remote location, and was concerned about power loss corrupting the
filesystem and making the system unbootable without manual
intervention. As I did not want to modify OpenBSD in unsupported ways,
I decided to test what kind of damage power loss could do, by
randomly removing and applying power to the firewall, many many times.

What I found was that 99% of the time, the system would just repair the
filesystem and boot without problems, but if by chance the power was
removed at a short time window during kernel relinking, the kernel
would become corrupt and leave the system completely unbootable and
not easy to repair. It was suggested to me that I try mounting the root
partition with the sync option, so I arranged the partition layout in a
way that would make it feasible and added the option to fstab.

The only other problem I found was that a few times, after removing power
while writing a large file, the system would require me to run fsck -y
manually. This is by design, but I decided it was more important to me
that the system could boot unattended, with a minuscule risk of
completely ruining the filesystem, so I wrote a small unsupported patch
for the rc script (sorry if the formatting gets messed up by posting):

The patch has only been tested on OpenBSD 6.5.

---
Index: src/etc/rc
===
RCS file: /cvs/src/etc/rc,v
retrieving revision 1.536
diff -u -p -u -p -r1.536 rc
--- src/etc/rc  1 Apr 2019 11:39:46 -   1.536
+++ src/etc/rc  20 Aug 2019 22:47:49 -
@@ -1,5 +1,8 @@
 #  $OpenBSD: rc,v 1.536 2019/04/01 11:39:46 tedu Exp $

+# NOTE: The do_fsck() function has been patched to run 'fsck -y' if an
+#  automatic file system check fails with exit code 8.
+
 # System startup script run by init on autoboot or after single-user.
 # Output and error are redirected to console by init, and the console is the
 # controlling terminal.
@@ -271,8 +274,14 @@ do_fsck() {
echo "Reboot failed; help!"
exit 1
;;
-   8)  echo "Automatic file system check failed; help!"
-   exit 1
+   8)  echo "Automatic file system check failed; trying fsck -y"
+   fsck -y
+   case $? in
+   0)  ;;
+   *)  echo "Could not repair file system unattended; help!"
+   exit 1
+   ;;
+   esac
;;
12) echo "Boot interrupted."
exit 1
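Review bot: the new `8)` arm treats every non-zero status from `fsck -y` as unrecoverable, but fsck(8) exits 4 when it has modified the root file system and a reboot is needed, which the existing `-p` path handles in the reboot arm whose tail (`echo "Reboot failed; help!"` / `exit 1`) is the context at the top of this hunk; suggest adding a `4)` arm that reboots the same way before the catch-all `*)`, otherwise a successful repair of root ends at the "help!" prompt and the unattended boot the patch is meant to guarantee still stalls. Also, the leading tabs of the rc case arms have been flattened to spaces in the posted hunk, so it needs re-indenting before patch(1) will apply it to /etc/rc.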
---

After mounting root filesystem with sync option and applying the patch,
I was no longer able to make the system unbootable by power loss in my
test setup. It may be possible, but the risk is now so small that it is
not a concern for me and the risk of something else breaking is
probably bigger. During operation in remote location, the system has
always been able to completely boot after a power loss so far.

So while it was not possible for me to avoid unsupported modifications
entirely, I think it is a very small change compared to having read-only
filesystems. Anyone who knows OpenBSD will be able to manage the firewall
without special instructions.


Regards,
Mogens Jensen