Re: i386, parallel port permission error?

2020-08-16 Thread Theo de Raadt 
Stuart Henderson  wrote:

> On 2020-08-17, Doug Moss  wrote:
> >
> > Is it possible with OpenBSD i386 to use the parallel port for lcdproc?
> >
> > More specifically:
> > Did something change at OpenBSD i386 between 5.9 and 6.0
> > related to parallel port / lpt hardware permissions?
> >
> > Up to OpenBSD i386 5.9,
> > I used to be able to have a working case-LCD-screen
> > with lcdproc-0.5.7, driver=hd44780, winamp wiring, with 'allowaperture'.
> > At OpenBSD i386 6.0 and after, it fails.
> 
> I think this is due to kernel memory access restrictions that were added.
> Setting sysctl kern.allowkmem=1 before securelevel is raised bypasses them
> but of course weakens protections.

Oh good god, it's not lpt access, but direct hardware access?

I think we should not be encouraging people to use kern.allowkmem for
anything like this.

Re: Protectli FW1 with Intel 82583V - Interfaces errors and latency spike issue

2020-08-16 Thread Stuart Henderson 
On 2020-08-17, Gabri Tofano  wrote:
 FRW-FW1# netstat -i
 NameMtu   Network Address  Ipkts   IfailOpkts 
 Ofail Colls
 em0 1500xx:xx:xx:xx:xx:xx1317600  2351   466114 
 0 0
 em0 1500  74.215.235/ xxx.xxx.xxx.xxx  1317600  2351   466114 
 0 0
 em1 1500xx:xx:xx:xx:xx:xx39278218   1199871 
 1 0
 em1 1500  172.16.200. 172.16.200.1 39278218   1199871 
 1 0

"fail" isn't the same thing as interface errors, you can break it out into
"dropped" (-d) and "errors" (-e).

 Looking at the Cisco 3560G where the ports are connected there are no 
 errors at all.

Not surprising as the (errors/drops) are at input on the OpenBSD system.

 Here the dmesg output:

These may give clues:

systat mbuf | cat
pfctl -si
netstat -m
vmstat -m

 
 OpenBSD 6.7 (GENERIC.MP) #2: Thu Jun  4 09:55:08 MDT 2020
   
 r...@syspatch-67-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
 real mem = 4163854336 (3970MB)
 avail mem = 4025044992 (3838MB)
 mpath0 at root
 scsibus0 at mpath0: 256 targets
 mainbus0 at root
 bios0 at mainbus0: SMBIOS rev. 3.0 @ 0xecea0 (51 entries)
 bios0: vendor American Megatrends Inc. version "5.6.5" date 
 10/24/2018
 bios0: Protectli FW1
 acpi0 at bios0: ACPI 5.0
 acpi0: sleep states S0 S3 S4 S5
 acpi0: tables DSDT FACP APIC FPDT FIDT MCFG LPIT HPET SSDT SSDT SSDT 
 UEFI
 acpi0: wakeup devices PS2K(S3) PS2M(S3) XHC1(S4) RP01(S4) PXSX(S4) 
 RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) PXSX(S4) BRCM(S0)
 acpitimer0 at acpi0: 3579545 Hz, 24 bits
 acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
 cpu0 at mainbus0: apid 0 (boot processor)
 cpu0: Intel(R) Celeron(R) CPU J1900 @ 1.99GHz, 2000.47 MHz, 06-37-09
 cpu0: 
 FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,TSC_ADJUST,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
 cpu0: 1MB 64b/line 16-way L2 cache
 cpu0: smt 0, core 0, package 0
 mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
 cpu0: apic clock running at 83MHz
 cpu0: mwait min=64, max=64, C-substates=0.2.0.0.0.0.3.3, IBE
 cpu1 at mainbus0: apid 2 (application processor)
 cpu1: Intel(R) Celeron(R) CPU J1900 @ 1.99GHz, 2000.01 MHz, 06-37-09
 cpu1: 
 FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,TSC_ADJUST,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
 cpu1: 1MB 64b/line 16-way L2 cache
 cpu1: smt 0, core 1, package 0
 cpu2 at mainbus0: apid 4 (application processor)
 cpu2: Intel(R) Celeron(R) CPU J1900 @ 1.99GHz, 2000.03 MHz, 06-37-09
 cpu2: 
 FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,TSC_ADJUST,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
 cpu2: 1MB 64b/line 16-way L2 cache
 cpu2: smt 0, core 2, package 0
 cpu3 at mainbus0: apid 6 (application processor)
 cpu3: Intel(R) Celeron(R) CPU J1900 @ 1.99GHz, 2000.01 MHz, 06-37-09
 cpu3: 
 FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,TSC_ADJUST,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
 cpu3: 1MB 64b/line 16-way L2 cache
 cpu3: smt 0, core 3, package 0
 ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 87 pins
 acpimcfg0 at acpi0
 acpimcfg0: addr 0xe000, bus 0-255
 acpihpet0 at acpi0: 14318179 Hz
 acpiprt0 at acpi0: bus 0 (PCI0)
 acpiprt1 at acpi0: bus 1 (RP01)
 acpiprt2 at acpi0: bus 2 (RP02)
 acpiprt3 at acpi0: bus 3 (RP03)
 acpiprt4 at acpi0: bus 4 (RP04)
 acpiec0 at acpi0: not present
 acpicpu0 at acpi0: C3(10@1500 mwait.1@0x52), C2(10@500 mwait.1@0x51), 
 C1(1000@1 mwait.1), PSS
 acpicpu1 at acpi0: C3(10@1500 mwait.1@0x52), C2(10@500 mwait.1@0x51), 
 C1(1000@1 mwait.1), PSS
 acpicpu2 at acpi0: C3(10@1500 mwait.1@0x52), C2(10@500 mwait.1@0x51), 
 C1(1000@1 mwait.1), PSS
 acpicpu3 at acpi0: C3(10@1500 mwait.1@0x52), C2(10@500 mwait.1@0x51), 
 C1(1000@1 mwait.1), PSS
 acpipwrres0 at acpi0: PLPE

i386, parallel port permission error?

2020-08-16 Thread Doug Moss 


Is it possible with OpenBSD i386 to use the parallel port for lcdproc?

More specifically:
Did something change at OpenBSD i386 between 5.9 and 6.0
related to parallel port / lpt hardware permissions?

Up to OpenBSD i386 5.9,
I used to be able to have a working case-LCD-screen
with lcdproc-0.5.7, driver=hd44780, winamp wiring, with 'allowaperture'.
At OpenBSD i386 6.0 and after, it fails.



I have a computer case with a builtin LCD screen.
(Actually a VFD - vacuum fluorescent display)
Silverstone LC03V, has a Samsung 16T202DA1E, which uses the HD44780 protocol
with a cable from the 14 pins on the 16T202DA1E connected to a parallel
port DB25 in the 'winamp' pin wiring style.
The motherboard is an Intel D2700MUD with a parallel port on back panel.


Stripped to the essentials:
- install OpenBSD i386
- lcdproc-0.5.7.tar.gz from sourceforge
compile from source, because package does not include proper hd44780,
and I only needed the LCDd server and the hd44780.so driver
./configure --sysconfdir=/etc/ --enable-drivers=hd44780
cd shared; make
cd server; make
only need:
 LCDd (to /usr/local/sbin )
 hd44780.so (/usr/local/lib/lcdproc )
 created a simple /etc/LCDd.conf, including importantly
 Driver=hd44780, ConnectionType=winamp


For OpenBSD i386 (5.8 and 5.9), there seemed to be a permissions issue on the 
0x378.
So the tweak that I had to use in the past was to 'allowaperture'
/etc/sysctl.conf
machdep.allowaperture=1


by OS release:
5.9/i386   fail: hd44780: cannot get IO-permission for 0x378: Operation not 
permitted
5.9/i386  w/sysctl.conf machdep.allowaperture=1  :  ***works***

(for the following these are with machdep.allowaperture=1)
6.0/i386   fail: hd44780: cannot get IO-permission for 0x378: No such file or 
directory
6.1/i386   fail: hd44780: cannot get IO-permission for 0x378: No such file or 
directory
6.3/i386   fail: hd44780: cannot get IO-permission for 0x378: No such file or 
directory
6.7/i386   fail: hd44780: cannot get IO-permission for 0x378: No such file or 
directory

I noted that previously (5.8 and 5.9), without allowaperture,
there was a warning "Operation not permitted" that was fixed with 
'allowaperture'.
After 6.0, the warning says "No such file or directory"


Also I saw some web pages suggesting 'securelevel' may be a problem
for low level device interfacing, so I tried
6.0/i386 with /etc/rc.securelevel
/usr/local/sbin/LCDd -u root -r 5

This still fails.

Could tell me if they know about this parallel port issue and if there is a fix?

Thanks very much




/var/log/messages has:
LCDd: LCDd version 0.5.7 starting
LCDd: Built on Aug  2 2020, protocol version 0.3, API version 0.5
LCDd: Using Configuration File: /etc/LCDd.conf
LCDd: Set report level to 5, output to syslog
LCDd: Server forking to background
LCDd: Listening for queries on 127.0.0.1:13666
LCDd: HD44780: using ConnectionType: winamp
LCDd: hd44780: Using hd44780_default charmap
LCDd: hd44780: cannot get IO-permission for 0x378: No such file or directory
LCDd: Driver [hd44780] init failed, return code -1
LCDd: Module /usr/local/lib/lcdproc/hd44780.so could not be loaded
LCDd: Could not load driver hd44780
LCDd: There is no output driver
LCDd: Critical error while initializing, abort



dmesg for OpenBSD 5.9 i386:
OpenBSD 5.9 (GENERIC.MP) #1616: Fri Feb 26 01:28:13 MST 2016
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
RTC BIOS diagnostic error 80
cpu0: Intel(R) Atom(TM) CPU D2700 @ 2.13GHz ("GenuineIntel" 686-class) 2.13 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,LONG,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,LAHF,PERF,ITSC,SENSOR,ARAT
real mem  = 3206651904 (3058MB)
avail mem = 3132657664 (2987MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 12/27/11, SMBIOS rev. 2.7 @ 0xbf298000 (28 entries)
bios0: vendor Intel Corp. version "MUCDT10N.86A.0067.2011.1227.1232" date 
12/27/2011
bios0: Intel Corporation D2700MUD
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SSDT APIC MCFG HPET
acpi0: wakeup devices SLT1(S4) PS2M(S4) PS2K(S4) UAR1(S3) UAR2(S3) USB0(S3) 
USB1(S3) USB2(S3) USB3(S3) USB7(S3) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) 
PXSX(S4) RP03(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
mtrr: Pentium Pro MTRR support, 7 var ranges, 88 fixed ranges
cpu0: apic clock running at 132MHz
cpu0: mwait min=64, max=64, C-substates=0.1, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Atom(TM) CPU D2700 @ 2.13GHz ("GenuineIntel" 686-class) 2.13 GHz
cpu1: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,LONG,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,LAHF,PERF,ITSC,SENSOR,ARAT
ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 24 pin

Re: Firefox Security 2020

2020-08-16 Thread Stuart Henderson 
On 2020-08-14, Kevin Chadwick  wrote:
> With the recent news. I decided to take a look again at Firefox and after a 
> days
> use on multiple systems, it even seems to be faster than Chrome.
>
> I notice significant work on pledge support. Does anyone know if it's 
> comparable
> to Chrome on that front now or still held back by not being designed with
> isolation in mind?

Run "ps -O pledge" with both running and see what you think. (Shorter
pledge list = more restricted).

Re: CPU usage of httpd+slowcgi

2020-08-16 Thread Stuart Henderson 
On 2020-08-16, Kihaguru Gathura  wrote:
> Hi,
>
> It depends on the workload. I'd have thought for most things the max
>> really usable at the moment is probably somewhere in the region of 4-8
>> cpu cores before kernel locking gets in the way too much.
>>
>> FWIW sparc64 ports builds are now done on T4 and they're really fast.
>> I think (but am not 100% sure) that this is carved into ldoms so the
>> number of cores visible to each OpenBSD instance is limited (so
>> contention between cores in the kernel is also limited).
>>
>>
> Up to how many cores will it be guaranteed that kernel locking 'will not
> get too much in the way' for hardware running a single instance of OpenBSD
> under heavy workload?
>
> Kind Regards,
>
> Kihaguru.
>

There are no guarantees.

Re: i386, parallel port permission error?

2020-08-16 Thread Stuart Henderson 
On 2020-08-17, Doug Moss  wrote:
>
> Is it possible with OpenBSD i386 to use the parallel port for lcdproc?
>
> More specifically:
> Did something change at OpenBSD i386 between 5.9 and 6.0
> related to parallel port / lpt hardware permissions?
>
> Up to OpenBSD i386 5.9,
> I used to be able to have a working case-LCD-screen
> with lcdproc-0.5.7, driver=hd44780, winamp wiring, with 'allowaperture'.
> At OpenBSD i386 6.0 and after, it fails.

I think this is due to kernel memory access restrictions that were added.
Setting sysctl kern.allowkmem=1 before securelevel is raised bypasses them
but of course weakens protections.

Re: Tunefs(8)

2020-08-16 Thread Aaron Mason 
On Tue, Aug 11, 2020 at 2:07 AM Rupert Gallagher  wrote:
>
> Omit the last line of the manual, because there is no need for it.
>

Well of course there's no need for it, but why on Earth should that
mean that it shouldn't be there?

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse

Re: i386, parallel port permission error?

2020-08-16 Thread Theo de Raadt 
You'll need to chown/chmod it narrowly to the uid who wants to use it.
You want to constrain use of the device driver as much as you can.

>Is it possible with OpenBSD i386 to use the parallel port for lcdproc?
>
>More specifically:
>Did something change at OpenBSD i386 between 5.9 and 6.0
>related to parallel port / lpt hardware permissions?
>
>Up to OpenBSD i386 5.9,
>I used to be able to have a working case-LCD-screen
>with lcdproc-0.5.7, driver=hd44780, winamp wiring, with 'allowaperture'.
>At OpenBSD i386 6.0 and after, it fails.
>
>
>
>I have a computer case with a builtin LCD screen.
>(Actually a VFD - vacuum fluorescent display)
>Silverstone LC03V, has a Samsung 16T202DA1E, which uses the HD44780 protocol
>with a cable from the 14 pins on the 16T202DA1E connected to a parallel
>port DB25 in the 'winamp' pin wiring style.
>The motherboard is an Intel D2700MUD with a parallel port on back panel.
>
>
>Stripped to the essentials:
>- install OpenBSD i386
>- lcdproc-0.5.7.tar.gz from sourceforge
>compile from source, because package does not include proper hd44780,
>and I only needed the LCDd server and the hd44780.so driver
>./configure --sysconfdir=/etc/ --enable-drivers=hd44780
>cd shared; make
>cd server; make
>only need:
> LCDd (to /usr/local/sbin )
> hd44780.so (/usr/local/lib/lcdproc )
> created a simple /etc/LCDd.conf, including importantly
> Driver=hd44780, ConnectionType=winamp
>
>
>For OpenBSD i386 (5.8 and 5.9), there seemed to be a permissions issue on the 
>0x378.
>So the tweak that I had to use in the past was to 'allowaperture'
>/etc/sysctl.conf
>machdep.allowaperture=1
>
>
>by OS release:
>5.9/i386   fail: hd44780: cannot get IO-permission for 0x378: Operation not 
>permitted
>5.9/i386  w/sysctl.conf machdep.allowaperture=1  :  ***works***
>
>(for the following these are with machdep.allowaperture=1)
>6.0/i386   fail: hd44780: cannot get IO-permission for 0x378: No such file 
>or directory
>6.1/i386   fail: hd44780: cannot get IO-permission for 0x378: No such file 
>or directory
>6.3/i386   fail: hd44780: cannot get IO-permission for 0x378: No such file 
>or directory
>6.7/i386   fail: hd44780: cannot get IO-permission for 0x378: No such file 
>or directory
>
>I noted that previously (5.8 and 5.9), without allowaperture,
>there was a warning "Operation not permitted" that was fixed with 
>'allowaperture'.
>After 6.0, the warning says "No such file or directory"
>
>
>Also I saw some web pages suggesting 'securelevel' may be a problem
>for low level device interfacing, so I tried
>6.0/i386 with /etc/rc.securelevel
>/usr/local/sbin/LCDd -u root -r 5
>
>This still fails.
>
>Could tell me if they know about this parallel port issue and if there is a 
>fix?
>
>Thanks very much
>
>
>
>
>/var/log/messages has:
>LCDd: LCDd version 0.5.7 starting
>LCDd: Built on Aug  2 2020, protocol version 0.3, API version 0.5
>LCDd: Using Configuration File: /etc/LCDd.conf
>LCDd: Set report level to 5, output to syslog
>LCDd: Server forking to background
>LCDd: Listening for queries on 127.0.0.1:13666
>LCDd: HD44780: using ConnectionType: winamp
>LCDd: hd44780: Using hd44780_default charmap
>LCDd: hd44780: cannot get IO-permission for 0x378: No such file or directory
>LCDd: Driver [hd44780] init failed, return code -1
>LCDd: Module /usr/local/lib/lcdproc/hd44780.so could not be loaded
>LCDd: Could not load driver hd44780
>LCDd: There is no output driver
>LCDd: Critical error while initializing, abort
>
>
>
>dmesg for OpenBSD 5.9 i386:
>OpenBSD 5.9 (GENERIC.MP) #1616: Fri Feb 26 01:28:13 MST 2016
>    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
>RTC BIOS diagnostic error 80
>cpu0: Intel(R) Atom(TM) CPU D2700 @ 2.13GHz ("GenuineIntel" 686-class) 2.13 GHz
>cpu0: 
>FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,LONG,SSE3,DTES64,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDCM,MOVBE,LAHF,PERF,ITSC,SENSOR,ARAT
>real mem  = 3206651904 (3058MB)
>avail mem = 3132657664 (2987MB)
>mpath0 at root
>scsibus0 at mpath0: 256 targets
>mainbus0 at root
>bios0 at mainbus0: date 12/27/11, SMBIOS rev. 2.7 @ 0xbf298000 (28 entries)
>bios0: vendor Intel Corp. version "MUCDT10N.86A.0067.2011.1227.1232" date 
>12/27/2011
>bios0: Intel Corporation D2700MUD
>acpi0 at bios0: rev 2
>acpi0: sleep states S0 S3 S4 S5
>acpi0: tables DSDT FACP SSDT APIC MCFG HPET
>acpi0: wakeup devices SLT1(S4) PS2M(S4) PS2K(S4) UAR1(S3) UAR2(S3) USB0(S3) 
>USB1(S3) USB2(S3) USB3(S3) USB7(S3) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) 
>PXSX(S4) RP03(S4) [...]
>acpitimer0 at acpi0: 3579545 Hz, 24 bits
>acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
>cpu0 at mainbus0: apid 0 (boot processor)
>mtrr: Pentium Pro MTRR support, 7 var ranges, 88 fixed ranges
>cpu0: apic clock running at 132MHz
>cpu0: mwait min=64, max=64, C-substates=0.1, IBE
>cpu1 at mainbus0: apid 2 (application processor)
>cpu1: Intel(R) Atom(TM) CPU D2700 @ 2.13GHz ("GenuineIntel" 686-class) 2

Re: Protectli FW1 with Intel 82583V - Interfaces errors and latency spike issue

2020-08-16 Thread Steve Woodward 
Were you able to resolve this issue?

> On Jun 10, 2020, at 15:59, obs...@loopw.com wrote:
> 
> I have a small fleet of protectli firewalls, all of them with em nics.  Only 
> the units i’ve upgraded to 6.7 are showing interface errors, where 6.6 is 
> definitely not.
> 
> 
>> On Jun 8, 2020, at 5:30 PM, Gabri Tofano  wrote:
>> 
>> Hi all,
>> 
>> I'm sending this e-mail since I have found other users in this mailing-list 
>> using the same device without issues.
>> 
>> I'm using a "Protectli FW1" with FreeBSD 12.1 amd64 as a firewall which is 
>> serving me with great performances and no issues at all. The appliance has 4 
>> Intel Gigabit 82583V Ethernet NIC ports which are working very well under 
>> FreeBSD 12.1. I have used PFsense as well prior to FreeBSD and it worked 
>> without issues too.
>> 
>> I took the decision to move to OpenBSD 6.7 amd64 in order to benefit of the 
>> latest pf (and other) features but unfortunately the OS is giving me an 
>> issue which I guess is related to the NIC drivers; When I was connected via 
>> ssh I felt some glitches meanwhile I was typing/moving around with the 
>> editor, so I started to ping the inside interface from my wired connected pc 
>> and found out that time to time the appliance is responding with a 100+/200+ 
>> ms response (I have cut some 1ms reply to make it shorter):
>> 
>> Reply from 172.16.200.1: bytes=32 time=1ms TTL=254
>> Reply from 172.16.200.1: bytes=32 time=1ms TTL=254
>> Reply from 172.16.200.1: bytes=32 time=163ms TTL=254
>> Reply from 172.16.200.1: bytes=32 time=1ms TTL=254
>> Reply from 172.16.200.1: bytes=32 time=1ms TTL=254
>> Reply from 172.16.200.1: bytes=32 time=1ms TTL=254
>> Reply from 172.16.200.1: bytes=32 time=1ms TTL=254
>> Reply from 172.16.200.1: bytes=32 time<1ms TTL=254
>> Reply from 172.16.200.1: bytes=32 time=2ms TTL=254
>> Reply from 172.16.200.1: bytes=32 time=1ms TTL=254
>> Reply from 172.16.200.1: bytes=32 time<1ms TTL=254
>> Reply from 172.16.200.1: bytes=32 time=1ms TTL=254
>> Reply from 172.16.200.1: bytes=32 time<1ms TTL=254
>> Reply from 172.16.200.1: bytes=32 time=3ms TTL=254
>> Reply from 172.16.200.1: bytes=32 time=1ms TTL=254
>> Reply from 172.16.200.1: bytes=32 time<1ms TTL=254
>> Reply from 172.16.200.1: bytes=32 time=1ms TTL=254
>> Reply from 172.16.200.1: bytes=32 time=1ms TTL=254
>> Reply from 172.16.200.1: bytes=32 time=1ms TTL=254
>> Reply from 172.16.200.1: bytes=32 time=1ms TTL=254
>> Reply from 172.16.200.1: bytes=32 time=1ms TTL=254
>> Reply from 172.16.200.1: bytes=32 time=43ms TTL=254
>> Reply from 172.16.200.1: bytes=32 time=1ms TTL=254
>> Reply from 172.16.200.1: bytes=32 time=1ms TTL=254
>> Reply from 172.16.200.1: bytes=32 time<1ms TTL=254
>> Reply from 172.16.200.1: bytes=32 time=1ms TTL=254
>> Reply from 172.16.200.1: bytes=32 time<1ms TTL=254
>> Reply from 172.16.200.1: bytes=32 time<1ms TTL=254
>> Reply from 172.16.200.1: bytes=32 time<1ms TTL=254
>> Reply from 172.16.200.1: bytes=32 time=4ms TTL=254
>> Reply from 172.16.200.1: bytes=32 time=1ms TTL=254
>> Reply from 172.16.200.1: bytes=32 time=257ms TTL=254
>> 
>> With FreeBSD 12.1 is steady at <1/1ms all the time and even under load.
>> 
>> As an online gamer as well, I felt the glitches meanwhile playing few online 
>> FPS games using OpenBSD 6.7 on the appliance. Looking at the interface 
>> statistics on OpenBSD I found out that inbound/outbound errors are present 
>> (this has been taken after few minutes of a reinstall to test it again):
>> 
>> FRW-FW1# netstat -i
>> NameMtu   Network Address  Ipkts   IfailOpkts Ofail 
>> Colls
>> em0 1500xx:xx:xx:xx:xx:xx1317600  2351   466114 0  
>>0
>> em0 1500  74.215.235/ xxx.xxx.xxx.xxx  1317600  2351   466114 0  
>>0
>> em1 1500xx:xx:xx:xx:xx:xx39278218   1199871 1  
>>0
>> em1 1500  172.16.200. 172.16.200.1 39278218   1199871 1  
>>0
>> em2 1500xx:xx:xx:xx:xx:xx156055 1  
>>0
>> em2 1500  172.16.103/ 172.16.103.254   156055 1  
>>0
>> em3*1500xx:xx:xx:xx:xx:xx 0 0 0 0  
>>0
>> enc0*   0 0 0 0 0  
>>0
>> pflog0  33136 0 0 0 0  
>>0
>> 
>> Looking at the Cisco 3560G where the ports are connected there are no errors 
>> at all. I have also doublechecked the drivers and the firmware installed by 
>> fw_update are the following:
>> 
>> vmm-firmware-1.11.0p2
>> inteldrm-firmware-20181218
>> intel-firmware-20200508v0
>> 
>> I have done multiple reinstall with different OS to make sure that this is 
>> related to OpenBSD 6.7 itself and found the following:
>> 
>> PFsense 2.4.5: no issues at all
>> FreeBSD 12.1: no issues at all
>> OPNsense: interface errors
>> OpenBSD: interface errors and interface latency spikes
>> 
>> I have also swapped the ethernet cables and

Re: npppd failed enable pipex: Invalid argument

2020-08-16 Thread Vitaliy Makkoveev 



> On 10 Aug 2020, at 14:00, Marko Cupać  wrote:
> 
>>> On 4 Aug 2020, at 17:04, Marko Cupać  wrote:
>>> 
>>> Hi,
>>> 
>>> I have recently upgraded (actually installed from scratch and copied
>>> config files) one of my firewalls from 6.6 to 6.7, and (sys)patched
>>> it to 017_dix. Everything works great except my npppd setup. It
>>> starts fine, but upon connecting over pptp I get the following
>>> records in log:
>>> (...)
>>> Aug  4 15:48:48 nat2 npppd[66557]: ppp id=0 layer=base failed
>>> enable pipex: Invalid argument
>> 
>> On Tue, 4 Aug 2020 18:31:44 +0300
>> Vitaliy Makkoveev  wrote:
>> 
>> In kernel timeout was disabled for pppx(4). Remove please
>> "idle-timeout”.
> 
> Sorry for late reply, I haven't had the chance to test until now. That
> was it, after removing idle-timeout, npppd accepts pptp connections.
> 
> Once again you saved me with npppd, thank you!

Hello Marko.

Can I propose you to try upcoming 6.8? We moved pppac(4) and pppx(4)
output processing out of kernel lock. pppx(4) output is still serialised
by netlock, but I hope we'll made it per-cpu before 6.8 release.

Also, for curiosity reasons, what is your pppx(4) clients count?

Re: CPU usage of httpd+slowcgi

2020-08-16 Thread Kihaguru Gathura 
Hi,

It depends on the workload. I'd have thought for most things the max
> really usable at the moment is probably somewhere in the region of 4-8
> cpu cores before kernel locking gets in the way too much.
>
> FWIW sparc64 ports builds are now done on T4 and they're really fast.
> I think (but am not 100% sure) that this is carved into ldoms so the
> number of cores visible to each OpenBSD instance is limited (so
> contention between cores in the kernel is also limited).
>
>
Up to how many cores will it be guaranteed that kernel locking 'will not
get too much in the way' for hardware running a single instance of OpenBSD
under heavy workload?

Kind Regards,

Kihaguru.

Re: httpd - bypass tls misconfig different ciphers, ecdhe

2020-08-16 Thread hisacro 
On Sun, Aug 16, 2020 at 02:34:27PM -0400, trondd wrote:
 
> Oh, I see what you're doing.  BOTH listen lines are active in the second
> server block.  When you connect to port 443 with that config, which TLS
> settings does it use?  I want to guess that because you're lisening on
> port 8000 without tls first, the listen with tls is skipped along with the
> tls block below it.

No, listen TLS isn't skipped for sub.domain.tld 

>> This indeed listen on same address ($ext_ip) and same port (443)
>> and works as intended with different cipher and ecdhe.

Re: httpd - bypass tls misconfig different ciphers, ecdhe

2020-08-16 Thread trondd 
On Sun, August 16, 2020 1:23 pm, hisacro wrote:
> Aug 16, 2020, 11:44 AM by tro...@kagu-tsuchi.com:
>
>> Because it's not the same IP and port anymore. You can only have one
>> thing listening on an ip+port
>
> I got a working httpd config with same IP and same Port
>
> server "domain.tld" {
>   listen on $ext_ip tls port 443
> tls {
> certificate "/etc/ssl/domain.tld.fullchain.pem"
> key "/etc/ssl/private/domain.tld.key"
> ciphers "HIGH:!AES128:!kRSA:!aNULL"
> ecdhe "P-384,P-256,X25519"
> }
> }
> server "sub.domain.tld" {
>   listen on 0.0.0.0 port 8000 # confusion?
>   listen on $ext_ip tls port 443
> tls {
>   certificate "/etc/ssl/domain.tld.fullchain.pem"
> key "/etc/ssl/private/domain.tld.key
>  }
> }
>
> This indeed listen on same address ($ext_ip) and same port (443)
> and works as intended with different cipher and ecdhe.
> Note: only when I add listen on 0.0.0.0 port 8000
>
>>Httpd allows you to configure multiple
>>"servers" for subdomains but in reality there is one actual server
>>listening and it has to know what parameters to use
>
> Sorry, I don't understand your reasoning because
> shouldn't httpd work the same way with or without extra listen on 0.0.0.0
>

Oh, I see what you're doing.  BOTH listen lines are active in the second
server block.  When you connect to port 443 with that config, which TLS
settings does it use?  I want to guess that because you're lisening on
port 8000 without tls first, the listen with tls is skipped along with the
tls block below it.

Re: httpd - bypass tls misconfig different ciphers, ecdhe

2020-08-16 Thread hisacro 
Aug 16, 2020, 11:44 AM by tro...@kagu-tsuchi.com:

> Because it's not the same IP and port anymore. You can only have one
> thing listening on an ip+port

I got a working httpd config with same IP and same Port

server "domain.tld" {
listen on $ext_ip tls port 443
tls {
certificate "/etc/ssl/domain.tld.fullchain.pem"
key "/etc/ssl/private/domain.tld.key"
ciphers "HIGH:!AES128:!kRSA:!aNULL"
ecdhe "P-384,P-256,X25519"
}
}
server "sub.domain.tld" {
listen on 0.0.0.0 port 8000 # confusion?
listen on $ext_ip tls port 443
tls {
certificate "/etc/ssl/domain.tld.fullchain.pem"
key "/etc/ssl/private/domain.tld.key
 }
}

This indeed listen on same address ($ext_ip) and same port (443)
and works as intended with different cipher and ecdhe.
Note: only when I add listen on 0.0.0.0 port 8000

>Httpd allows you to configure multiple
>"servers" for subdomains but in reality there is one actual server
>listening and it has to know what parameters to use
 
Sorry, I don't understand your reasoning because 
shouldn't httpd work the same way with or without extra listen on 0.0.0.0

Re: httpd - bypass tls misconfig different ciphers, ecdhe

2020-08-16 Thread hisacro 
Aug 16, 2020, 7:50 AM by tro...@kagu-tsuchi.com:

>>On Sat, Aug 15, 2020 at 04:13:51PM -0700, hisacro wrote:
> 
>> $ doas httpd -nv
>> server "sub.domain.tld": tls configuration mismatch on same address/port
>> 
>> instead of defining same cipher and ecdhe, uncommenting
>> "listen on 0.0.0.0 port 8080"
>> bypasses this error
>> 
>> I'm unsure what causes this, can someone shed some light?
>
>It's what the error says. You're listening twice on the same ip and port
>but with different tls blocks.

Though I have emphasized enough (even on title), re-stating 

Why does having a listen statement on  port 
bypasses tls misconfiguration.