Re: make: don't know how to make /usr/lib/crt0.o (prerequisite of: httpd)

2021-10-31 Thread Kent Watsen


> Does /usr/lib/crt0.o exist? If it doesn't did tar complete successfully?

I’ve since scrubbed that install, but I did check before for the file and noted 
that it was not present.  Interestingly, the file is in the TGZ, so something 
happened…

$ tar -tzvf comp70.tgz | grep /usr/lib/crt0.o 
-r--r--r--  0 root   bin  2544 Sep 30 16:00 ./usr/lib/crt0.o


> Maybe try:
> 
> # tar -C / -xzphf comp70.tgz || echo "somethings broken"
> 
> You may have run out of disk space or something similar and just didn't 
> notice. That's my best guess.

It was a 4GB partition, so unlikely an out of disk issue.  That said, there’s a 
chance that the extraction terminated prematurely for other reasons, which your 
suggestion would help catch - thanks for the suggestion!



Kent



Re: make: don't know how to make /usr/lib/crt0.o (prerequisite of: httpd)

2021-10-31 Thread Kent Watsen


> As you're the one in possession of the system with the nonstandard
> configuration you're the best person to figure out what's different
> between that and a normally installed system.

My bad, I thought it was supported to install filesets this way, but I don’t 
see this approach discussed on openbsd.org now.


> It does seem an unusual requirement to have a system which cannot have
> comp sets, but that is still ok to fetch a file from the internet and
> untar it as root without verifying the signify(1) signature and hash.

Point.  I already have SHA256 in the directory, so easy to add.


> Had you considered building the binary on a non production system
> instead?

I did, but since it worked with 6.9 before, figured I’d try that route first.


Thanks,
Kent



Re: make: don't know how to make /usr/lib/crt0.o (prerequisite of: httpd)

2021-10-31 Thread Edgar Pettijohn



On 10/31/21 2:23 PM, Kent Watsen wrote:

> The “httpd-plus” [1] patch installs just fine when a fresh 7.0 install selects packages "base", 
> "bsd", "bsd.rd", "bsd.mp", “comp”, and “man”.
> 
> However, when a fresh 7.0 install selects all the same packages except “comp”, 
> and then subsequently adds the “comp” package via the command:
> 
> (cd /root && curl -s -O https://cdn.openbsd.org/pub/OpenBSD/7.0/amd64/comp70.tgz 
> && cd / && tar xzvphf /root/comp70.tgz)
> 
> The installation of the "httpd-plus" patch fails with the following snippet:
> 
> Building and installing httpd-plus binary and manpage ...
> /usr/src/usr.sbin/httpd/obj -> /usr/obj/usr.sbin/httpd
> make: don't know how to make /usr/lib/crt0.o (prerequisite of: httpd)

Does /usr/lib/crt0.o exist? If it doesn't did tar complete successfully? 
Maybe try:

# tar -C / -xzphf comp70.tgz || echo "somethings broken"

You may have run out of disk space or something similar and just didn't 
notice. That's my best guess.

Edgar

> Stop in /usr/src/usr.sbin/httpd
> Restoring original sources ... Done.
> Installing httpd-plus failed (exitcode: 2).
> 
> This logic worked on 6.9, what’s the difference?  Why can’t /usr/lib/crt0.o be 
> found or made?  How to get past this error without needing to install the 
> “comp” package during installation?
> 
> PS: I don’t want “comp” on the production system. After installing “httpd-plus”, I run the 
> following command to remove it: (cd /root && for i in `tar -tzvf /root/comp70.tgz | awk 
> '{print $NF}'`; do rm -rf $i; done) && rm /root/comp70.tgz
> 
> [1] https://github.com/mpfr/httpd-plus/tree/7.0-stable
> 
> Thanks,
> Kent






syspatch on raspberry pi 3. new kernel?

2021-10-31 Thread Joe Barnett
I just ran syspatch on my Raspberry Pi 3 running OpenBSD 7.0 and the 
patches initially appeared to have been applied successfully, including 
creating a new kernel and printing the message to reboot to use the new 
kernel.


Upon reboot, motd, dmesg, and "sysctl kern.version" still report what I 
believe to be the original kernel:


OpenBSD 7.0 (GENERIC) #1280: Thu Sep 30 16:31:07 MDT 2021
dera...@arm64.openbsd.org:/usr/src/sys/arch/arm64/compile/GENERIC

That said, the new /bsd (and /bsd.booted) are dated today, as would be 
expected following syspatch.  The result of "sha256 /bsd" matches the 
data in /var/db/kernel.SHA256 (file also dated today as would be 
expected).  What else?  I have also run "syspatch -R" to remove the 
updates, rebooted, then ran syspatch again with the same results.  And 
it seems that /etc/motd is not being updated on boot on this system as I 
think usually happens.  /var/run/dmesg.boot does appear to be updated 
with each boot.  /usr/share/relink/kernel/GENERIC.MP/relink.log appears 
normal:


(SHA256) /bsd: OK
LD="ld" sh makegap.sh 0xd4d4d4d4 gapdummy.o
ld -T ld.script -X --warn-common -nopie -o newbsd ${SYSTEM_HEAD} vers.o ${OBJS}

    text    data     bss      dec     hex
10566181  611208  829392 12006781  b7357d
mv newbsd newbsd.gdb
ctfstrip -S -o newbsd newbsd.gdb
rm -f bsd.gdb
mv -f newbsd bsd
install -F -m 700 bsd /bsd && sha256 -h /var/db/kernel.SHA256 /bsd

Kernel has been relinked and is active on next reboot.

SHA256 (/bsd) = 1e457ddd75e56de0b8cc01607a5d0be6903be07ee0c2baeb440e823a253e68a0


Running syspatch on two other systems (an old Alix/i386 and a vm at 
vultr.com) resulted in expected results:


OpenBSD 7.0 (GENERIC) #1: Fri Oct 29 12:02:30 MDT 2021

r...@syspatch-70-i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC


OpenBSD 7.0 (GENERIC) #1: Fri Oct 29 12:02:41 MDT 2021

r...@syspatch-70-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC


Any ideas will be greatly appreciated.  Am I missing any steps here?

Thanks,

Joe

Following is the latest dmesg from this rpi3:

OpenBSD 7.0 (GENERIC) #1280: Thu Sep 30 16:31:07 MDT 2021
dera...@arm64.openbsd.org:/usr/src/sys/arch/arm64/compile/GENERIC
real mem  = 956735488 (912MB)
avail mem = 894844928 (853MB)
random: boothowto does not indicate good seed
mainbus0 at root: Raspberry Pi 3 Model B Rev 1.2
cpu0 at mainbus0 mpidr 0: ARM Cortex-A53 r0p4
cpu0: 32KB 64b/line 2-way L1 VIPT I-cache, 32KB 64b/line 4-way L1 D-cache
cpu0: 512KB 64b/line 16-way L2 cache
cpu0: CRC32,ASID16
apm0 at mainbus0
efi0 at mainbus0: UEFI 2.8
efi0: Das U-Boot rev 0x20210100
simplefb0 at mainbus0: 656x416, 32bpp
wsdisplay0 at simplefb0 mux 1
wsdisplay0: screen 0-5 added (std, vt100 emulation)
"system" at mainbus0 not configured
"axi" at mainbus0 not configured
simplebus0 at mainbus0: "soc"
bcmclock0 at simplebus0
bcmmbox0 at simplebus0
bcmgpio0 at simplebus0
bcmaux0 at simplebus0
bcmdmac0 at simplebus0: DMA0 DMA2 DMA4 DMA5 DMA8 DMA9 DMA10
bcmintc0 at simplebus0
bcmrng0 at simplebus0
pluart0 at simplebus0: console
bcmsdhost0 at simplebus0: 250 MHz base clock
sdmmc0 at bcmsdhost0: 4-bit, sd high-speed, mmc high-speed, dma
dwctwo0 at simplebus0
bcmdog0 at simplebus0
bcmtemp0 at simplebus0
"local_intc" at simplebus0 not configured
sdhc0 at simplebus0
sdhc0: SDHC 3.0, 200 MHz base clock
sdmmc1 at sdhc0: 4-bit, sd high-speed, mmc high-speed
simplebus1 at simplebus0: "firmware"
"clocks" at simplebus1 not configured
"expgpio" at simplebus1 not configured
"power" at simplebus0 not configured
"mailbox" at simplebus0 not configured
"gpiomem" at simplebus0 not configured
"fb" at simplebus0 not configured
"vcsm" at simplebus0 not configured
"virtgpio" at simplebus0 not configured
"clocks" at mainbus0 not configured
"phy" at mainbus0 not configured
"arm-pmu" at mainbus0 not configured
agtimer0 at mainbus0: 19200 kHz
"leds" at mainbus0 not configured
"fixedregulator_3v3" at mainbus0 not configured
"fixedregulator_5v0" at mainbus0 not configured
"bootloader" at mainbus0 not configured
dt: 445 probes
usb0 at dwctwo0: USB revision 2.0
sdmmc0: can't enable card
uhub0 at usb0 configuration 1 interface 0 "Broadcom DWC2 root hub" rev 2.00/1.00 addr 1
uhub1 at uhub0 port 1 configuration 1 interface 0 "Standard Microsystems product 0x9514" rev 2.00/2.00 addr 2
bwfm0 at sdmmc1 function 1
manufacturer 0x02d0, product 0xa9a6 at sdmmc1 function 2 not configured
smsc0 at uhub1 port 1 configuration 1 interface 0 "Standard Microsystems SMSC9512/14" rev 2.00/2.00 addr 3
smsc0: address b8:27:eb:8b:a1:c7
ukphy0 at smsc0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x0001f0, model 0x000c
umass0 at uhub1 port 5 configuration 1 interface 0 "SanDisk Cruzer Fit" rev 2.10/1.00 addr 4
umass0: using SCSI over Bulk-Only
scsibus0 at umass0: 2 targets, initiator 0
sd0 at scsibus0 targ 1 lun 0:  removable serial.07815571750216101493
sd0: 7632MB, 512 bytes/sector, 15630336 sectors
vscsi0 at root
scsibus1 at vscsi0: 256 targets

Re: make: don't know how to make /usr/lib/crt0.o (prerequisite of: httpd)

2021-10-31 Thread Stuart Henderson
On 2021-10-31, Kent Watsen  wrote:
> Thanks Theo. 
>
> No debate about needing comp, only how it's installed…or maybe I 
> misunderstand what you mean by “the script”?

As you're the one in possession of the system with the nonstandard
configuration you're the best person to figure out what's different
between that and a normally installed system.

>>> However, when a fresh 7.0 install selects all the same packages except 
>>> “comp”, and then subsequently adds the “comp” package via the command:
>>> 
>>>(cd /root && curl -s -O 
>>> https://cdn.openbsd.org/pub/OpenBSD/7.0/amd64/comp70.tgz && cd / && tar 
>>> xzvphf /root/comp70.tgz)

>>> PS: I don’t want “comp” on the production system. After installing 
>>> “httpd-plus”, I run the following command to remove it: (cd /root && for i 
>>> in `tar -tzvf /root/comp70.tgz | awk '{print $NF}'`; do rm -rf $i; done) && 
>>> rm /root/comp70.tgz

It does seem an unusual requirement to have a system which cannot have
comp sets, but that is still ok to fetch a file from the internet and
untar it as root without verifying the signify(1) signature and hash.

Had you considered building the binary on a non production system
instead?


-- 
Please keep replies on the mailing list.
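Stuart's objection is the security-relevant point of this thread: the set is fetched over the network and unpacked as root, and only the signify(1) signature over the SHA256 list ties the bytes on disk to the release. The following is an added example, not code from the thread or from the httpd-plus project, of doing that check before the tar step. It assumes comp70.tgz, SHA256 and SHA256.sig sit in the same directory (as on the mirror), and that the release key is at /etc/signify/openbsd-70-base.pub; the standalone checksum helper reads the same "SHA256 (file) = hex" line format that the mirror's SHA256 file uses.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread): verify an OpenBSD file
# set before extracting it as root.
#
#   verify_and_extract  uses signify -C, which checks the signature on the
#                       SHA256 list with the release public key and then
#                       compares the named set against that signed list.
#   verify_checksum     compares a file against its entry in a SHA256 list
#                       (same "SHA256 (name) = hex" format). On its own this
#                       is an integrity check only; the list has to come
#                       from signify -C (or a trusted copy) to mean anything.
set -u

# Print a hex SHA256 digest with whichever tool the system has
# (sha256(1) on OpenBSD, sha256sum on most other systems).
sha256_hex() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# verify_checksum FILE LISTFILE
# Returns 0 only if LISTFILE has an entry for FILE's basename and the digest
# matches; a missing entry is treated as a failure, not as "nothing to check".
verify_checksum() {
    file=$1
    list=$2
    name=$(basename "$file")
    expected=$(awk -v n="($name)" '$1 == "SHA256" && $2 == n { print $4 }' "$list")
    if [ -z "$expected" ]; then
        echo "verify_checksum: no SHA256 entry for $name" >&2
        return 1
    fi
    actual=$(sha256_hex "$file")
    if [ "$actual" != "$expected" ]; then
        echo "verify_checksum: SHA256 mismatch for $name" >&2
        return 1
    fi
    return 0
}

# verify_and_extract SET DESTDIR [PUBKEY]
# Authenticates SET via signify -C before extracting it into DESTDIR.
# Refuses (exit 2) rather than falling back when signify is not available:
# an unsigned checksum list downloaded alongside the set proves nothing.
verify_and_extract() {
    set_file=$1
    dest=$2
    pubkey=${3:-/etc/signify/openbsd-70-base.pub}   # assumed key path
    dir=$(dirname "$set_file")
    name=$(basename "$set_file")
    if ! command -v signify >/dev/null 2>&1; then
        echo "verify_and_extract: signify(1) not found, refusing to extract" >&2
        return 2
    fi
    # -C: verify SHA256.sig with PUBKEY, then check only the named file
    (cd "$dir" && signify -C -p "$pubkey" -x SHA256.sig "$name") || return 1
    tar -C "$dest" -xzphf "$set_file"
}

# Typical use on the target host, after fetching comp70.tgz, SHA256 and
# SHA256.sig into /root:
#   verify_and_extract /root/comp70.tgz /
```

The helper deliberately has no "signify missing, continue anyway" branch; if the key or tool is absent the right answer is to stop, which is also why the fallback integrity check is kept as a separate function rather than wired into the extraction path.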



Re: make: don't know how to make /usr/lib/crt0.o (prerequisite of: httpd)

2021-10-31 Thread Kent Watsen
Thanks Theo. 

No debate about needing comp, only how it's installed…or maybe I misunderstand 
what you mean by “the script”?

Cheers,
Kent


> On Oct 31, 2021, at 3:38 PM, Theo de Raadt  wrote:
> 
> From the script
> 
> make obj && make && make install
> 
> Which uses the whole toolchain.
> 
> You need comp.  You don't have a choice.
> 
> Kent Watsen  wrote:
> 
>> The “httpd-plus” [1] patch installs just fine when a fresh 7.0 install 
>> selects packages "base", "bsd", "bsd.rd", "bsd.mp", “comp”, and “man”.
>> 
>> However, when a fresh 7.0 install selects all the same packages except 
>> “comp”, and then subsequently adds the “comp” package via the command:
>> 
>>(cd /root && curl -s -O 
>> https://cdn.openbsd.org/pub/OpenBSD/7.0/amd64/comp70.tgz && cd / && tar 
>> xzvphf /root/comp70.tgz)
>> 
>> The installation of the "httpd-plus" patch fails with the following snippet:
>> 
>>   
>>Building and installing httpd-plus binary and manpage ...
>>/usr/src/usr.sbin/httpd/obj -> /usr/obj/usr.sbin/httpd
>>make: don't know how to make /usr/lib/crt0.o (prerequisite of: httpd)
>>Stop in /usr/src/usr.sbin/httpd
>>Restoring original sources ... Done.
>>Installing httpd-plus failed (exitcode: 2).
>> 
>> This logic worked on 6.9, what’s the difference?  Why can’t /usr/lib/crt0.o 
>> be found or made?  How to get past this error without needing to install the 
>> “comp” package during installation?
>> 
>> PS: I don’t want “comp” on the production system. After installing 
>> “httpd-plus”, I run the following command to remove it: (cd /root && for i 
>> in `tar -tzvf /root/comp70.tgz | awk '{print $NF}'`; do rm -rf $i; done) && 
>> rm /root/comp70.tgz
>> 
>> [1] https://github.com/mpfr/httpd-plus/tree/7.0-stable
>> 
>> Thanks,
>> Kent
>> 
>> 



Re: openrsync --exclude only works locally

2021-10-31 Thread Jan Stary
On Oct 31 21:39:20, nathan...@dalliard.ch wrote:
> Jan Stary  wrote:
> > On Oct 31 21:25:00, nathan...@dalliard.ch wrote:
> > > Jan Stary  wrote:
> > > > On Oct 31 19:10:52, nathan...@dalliard.ch wrote:
> > > > > $ openrsync --rsync-path=openrsync -r --exclude text1.txt s1:test .
> > > > 
> > > > That syncs the remote s1:test to the local ./test
> > > > 
> > > > > $ ssh s1 ls test
> > > > > text1.txt
> > > > > text2.txt
> > > > 
> > > > Of course text1.txt is still at the _source_.
> > > 
> > > and in the local ./test folder:
> > > 
> > > $ ls test/
> > > text1.txt  text2.txt
> > > 
> > > it is excluded when done from local to local
> > > it is excluded when done from local to remote
> > > 
> > > it is not excluded when done from remote to local
> > 
> > Are you sure it is not there from a previous sync?
> > If you manually remove the local ./test/text1.txt,
> > will the next sync still put it there?
> > 
> > remote$ mkdir /tmp/dir
> > remote$ touch /tmp/dir/{foo,bar}
> > 
> > local$ openrsync -av remote:/tmp/dir/ /tmp/ dir/
> > Transfer starting: 3 files
> > dir/
> > dir/bar (0 B, 100.0% downloaded)
> > dir/foo (0 B, 100.0% downloaded)
> > Transfer complete: 180 B sent, 52 B read, 0 B file size
> > 
> > local$ rm /tmp/dir/foo
> > local$ openrsync -av --exclude foo remote:/tmp/dir/ /tmp/dir/ 
> > Transfer starting: 2 files
> > Transfer complete: 78 B sent, 21 B read, 0 B file size
> > 
> > local$ ll /tmp/dir/ 
> > total 0
> > -rw-r--r--  1 hans  wheel  0 Oct 31 21:30 bar
> 
> you are using rsync:
> --rsync-path=program
> Run program on the remote host instead of the default rsync.

Ah, right. I see the same now.



Re: openrsync --exclude only works locally

2021-10-31 Thread Jan Stary
On Oct 31 21:25:00, nathan...@dalliard.ch wrote:
> Jan Stary  wrote:
> > On Oct 31 19:10:52, nathan...@dalliard.ch wrote:
> > > $ openrsync --rsync-path=openrsync -r --exclude text1.txt s1:test .
> > 
> > That syncs the remote s1:test to the local ./test
> > 
> > > $ ssh s1 ls test
> > > text1.txt
> > > text2.txt
> > 
> > Of course text1.txt is still at the _source_.
> 
> and in the local ./test folder:
> 
> $ ls test/
> text1.txt  text2.txt
> 
> it is excluded when done from local to local
> it is excluded when done from local to remote
> 
> it is not excluded when done from remote to local

Are you sure it is not there from a previous sync?
If you manually remove the local ./test/text1.txt,
will the next sync still put it there?

remote$ mkdir /tmp/dir
remote$ touch /tmp/dir/{foo,bar}

local$ openrsync -av remote:/tmp/dir/ /tmp/ dir/
Transfer starting: 3 files
dir/
dir/bar (0 B, 100.0% downloaded)
dir/foo (0 B, 100.0% downloaded)
Transfer complete: 180 B sent, 52 B read, 0 B file size

local$ rm /tmp/dir/foo
local$ openrsync -av --exclude foo remote:/tmp/dir/ /tmp/dir/ 
Transfer starting: 2 files
Transfer complete: 78 B sent, 21 B read, 0 B file size

local$ ll /tmp/dir/ 
total 0
-rw-r--r--  1 hans  wheel  0 Oct 31 21:30 bar



Re: openrsync --exclude only works locally

2021-10-31 Thread Jan Stary
On Oct 31 19:10:52, nathan...@dalliard.ch wrote:
> Jan Stary  wrote:
> > > from local to remote this works, but not from remote to local
> > 
> > So what is your exact command line and what is the pattern?
> > 
> > Jan
> 
> $ openrsync --rsync-path=openrsync -r --exclude text1.txt s1:test .

That syncs the remote s1:test to the local ./test

> $ ssh s1 ls test
> text1.txt
> text2.txt

Of course text1.txt is still at the _source_.

Jan



Re: make: don't know how to make /usr/lib/crt0.o (prerequisite of: httpd)

2021-10-31 Thread Theo de Raadt
From the script

 make obj && make && make install

Which uses the whole toolchain.

You need comp.  You don't have a choice.

Kent Watsen  wrote:

> The “httpd-plus” [1] patch installs just fine when a fresh 7.0 install 
> selects packages "base", "bsd", "bsd.rd", "bsd.mp", “comp”, and “man”.
> 
> However, when a fresh 7.0 install selects all the same packages except 
> “comp”, and then subsequently adds the “comp” package via the command:
> 
>   (cd /root && curl -s -O 
> https://cdn.openbsd.org/pub/OpenBSD/7.0/amd64/comp70.tgz && cd / && tar 
> xzvphf /root/comp70.tgz)
> 
> The installation of the "httpd-plus" patch fails with the following snippet:
> 
>
>   Building and installing httpd-plus binary and manpage ...
>   /usr/src/usr.sbin/httpd/obj -> /usr/obj/usr.sbin/httpd
>   make: don't know how to make /usr/lib/crt0.o (prerequisite of: httpd)
>   Stop in /usr/src/usr.sbin/httpd
>   Restoring original sources ... Done.
>   Installing httpd-plus failed (exitcode: 2).
> 
> This logic worked on 6.9, what’s the difference?  Why can’t /usr/lib/crt0.o 
> be found or made?  How to get past this error without needing to install the 
> “comp” package during installation?
> 
> PS: I don’t want “comp” on the production system. After installing 
> “httpd-plus”, I run the following command to remove it: (cd /root && for i in 
> `tar -tzvf /root/comp70.tgz | awk '{print $NF}'`; do rm -rf $i; done) && rm 
> /root/comp70.tgz
> 
> [1] https://github.com/mpfr/httpd-plus/tree/7.0-stable
> 
> Thanks,
> Kent
> 
> 



make: don't know how to make /usr/lib/crt0.o (prerequisite of: httpd)

2021-10-31 Thread Kent Watsen
The “httpd-plus” [1] patch installs just fine when a fresh 7.0 install selects 
packages "base", "bsd", "bsd.rd", "bsd.mp", “comp”, and “man”.

However, when a fresh 7.0 install selects all the same packages except “comp”, 
and then subsequently adds the “comp” package via the command:

(cd /root && curl -s -O 
https://cdn.openbsd.org/pub/OpenBSD/7.0/amd64/comp70.tgz && cd / && tar xzvphf 
/root/comp70.tgz)

The installation of the "httpd-plus" patch fails with the following snippet:

Building and installing httpd-plus binary and manpage ...
/usr/src/usr.sbin/httpd/obj -> /usr/obj/usr.sbin/httpd
make: don't know how to make /usr/lib/crt0.o (prerequisite of: httpd)
Stop in /usr/src/usr.sbin/httpd
Restoring original sources ... Done.
Installing httpd-plus failed (exitcode: 2).

This logic worked on 6.9, what’s the difference?  Why can’t /usr/lib/crt0.o be 
found or made?  How to get past this error without needing to install the 
“comp” package during installation?

PS: I don’t want “comp” on the production system. After installing 
“httpd-plus”, I run the following command to remove it: (cd /root && for i in 
`tar -tzvf /root/comp70.tgz | awk '{print $NF}'`; do rm -rf $i; done) && rm 
/root/comp70.tgz

[1] https://github.com/mpfr/httpd-plus/tree/7.0-stable

Thanks,
Kent




Re: openrsync --exclude only works locally

2021-10-31 Thread Jan Stary
On Oct 31 17:26:40, nathan...@dalliard.ch wrote:
> hello jan
> 
> Jan Stary  wrote:
> > /usr/bin/openrsync -av --del --exclude '*.media.*' /backup/ remote:/backup/
> from local to remote this works, but not from remote to local

So what is your exact command line and what is the pattern?

Jan



Re: pf and tap interfaces

2021-10-31 Thread tech-lists

On Sun, Oct 31, 2021 at 10:13:06AM -0600, Theo de Raadt wrote:

> you are asking a freebsd question on an openbsd mailing list.
> 
> come on

You may have missed my response to Sebastian:

> In-Reply-To: 
> On Sun, Oct 31, 2021 at 03:59:40PM +, tech-lists wrote:
> 
> [...]
> 
> All I'm really asking at this stage is "is this possible". I'm asking
> that because I've looked in the pf section of the manual and have not
> found an example (yet) close enough to my enquiry.
> 
> I think here it'd be better to ask firstly in an entirely OpenBSD 7.0
> context. Like, OpenBSD has vmm now, its equivalent to bhyve. If you
> wanted to allow port 22 to the host *only* but allow all traffic to the
> guest, on another IP, can it be done in OpenBSD 7.0 pf on the host?


--
J.


signature.asc
Description: PGP signature


Re: pf and tap interfaces

2021-10-31 Thread Theo de Raadt
tech-lists  wrote:

> On Sun, Oct 31, 2021 at 09:33:54AM -0600, Theo de Raadt wrote:
> >tech-lists  wrote:
> >
> >> I'm asking this here because I'm trying to do this with FreeBSD but
> >> their pf has diverged a lot from OpenBSD's
> >
> >that is incorrect history.
> >
> >It is hard to see how 'absolutely minimal maintainance' can result in
> >divergence.
> 
> yep. I should have said 'OpenBSD's pf has significantly evolved since ...'
> 
> >At some point, pf's state table data structures were rewritten completely.
> >
> >You are better off adjusting your expectations.  You can be foiled by
> >differences at any point.
> 
> Yes. At this stage it's more of an "is it even possible y/n"

you are asking a freebsd question on an openbsd mailing list.

come on



Re: pf and tap interfaces

2021-10-31 Thread tech-lists

On Sun, Oct 31, 2021 at 09:33:54AM -0600, Theo de Raadt wrote:

> tech-lists  wrote:
> 
>> I'm asking this here because I'm trying to do this with FreeBSD but
>> their pf has diverged a lot from OpenBSD's
> 
> that is incorrect history.
> 
> It is hard to see how 'absolutely minimal maintainance' can result in
> divergence.

yep. I should have said 'OpenBSD's pf has significantly evolved since ...'

> At some point, pf's state table data structures were rewritten completely.
> 
> You are better off adjusting your expectations.  You can be foiled by
> differences at any point.

Yes. At this stage it's more of an "is it even possible y/n"
--
J.


signature.asc
Description: PGP signature


Re: pf and tap interfaces

2021-10-31 Thread tech-lists

Hi,

On Sun, Oct 31, 2021 at 04:23:58PM +0100, Sebastian Benoit wrote:

> Maybe you could describe a bit more what you are trying to do.

I'm trying to protect, with pf, a freebsd host running bhyve guests. The
guests use tap interfaces. They are in the same network as the host (but
with different IPs) and the IPs are routable. 
They're all web servers, accessible from the internet.

So for example I'd like to block all on the host and just allow port 22. 
I don't want pf to process the tap interfaces at all, as all of the
guests run their own firewalls.

So far on freebsd with their pf, I've been unable to do this. 
I was wondering if the pf on openbsd can, as it has evolved
significantly from when it was incorporated into FreeBSD. 

A way around my problem may be to have openbsd as a guest in a 
bhyve instance, as pci passthru is now available in that circumstance.

But first I need to find whether it is possible to allow traffic on say
tap0 but block all traffic apart from ssh on igb0 (for example).

I understand that bridge and tap are "special" interfaces, in that they 
are not simply clones. And yet they are like clones, in that rules 
affecting the hardware interface also seem to affect the tap interface,
from what I've so far seen.

All I'm really asking at this stage is "is this possible". I'm asking
that because I've looked in the pf section of the manual and have not
found an example (yet) close enough to my enquiry. 

I think here it'd be better to ask firstly in an entirely OpenBSD 7.0 
context. Like, OpenBSD has vmm now, its equivalent to bhyve. If you
wanted to allow port 22 to the host *only* but allow all traffic to the
guest, on another IP, can it be done in OpenBSD 7.0 pf on the host?

--
J.


signature.asc
Description: PGP signature


Re: pf and tap interfaces

2021-10-31 Thread Theo de Raadt
tech-lists  wrote:

> I'm asking this here because I'm trying to do this with FreeBSD but
> their pf has diverged a lot from OpenBSD's

that is incorrect history.

It is hard to see how 'absolutely minimal maintainance' can result in
divergence.

At some point, pf's state table data structures were rewritten completely.

You are better off adjusting your expectations.  You can be foiled by
differences at any point.




Re: pf and tap interfaces

2021-10-31 Thread Sebastian Benoit
tech-lists(tech-li...@zyxst.net) on 2021.10.31 15:10:57 +:
> Hello misc@
> 
> Generically, can OpenBSD [7.0] apply rules to *just* the ethernet
> interface, ignoring the bridge and tap interfaces? Can it do this
> natively or is a VLAN required as well? Or something else?
> 
> I'm asking this here because I'm trying to do this with FreeBSD 
> but their pf has diverged a lot from OpenBSD's, and what I thought 
> would work does not. skip on $tap_ifs has unexpected results in that
> traffic still gets blocked on the guest.
> 
> If OpenBSD's pf does work for my use case, then a way to solving my
> issue may be to have an OpenBSD guest in the FreeBSD host managing the
> pf for the host as bhyve has pci passthru. The other way would be to put
> a firewall box in front of the freebsd host.

Maybe you could describe a bit more what you are trying to do.



pf and tap interfaces

2021-10-31 Thread tech-lists

Hello misc@

Generically, can OpenBSD [7.0] apply rules to *just* the ethernet
interface, ignoring the bridge and tap interfaces? Can it do this
natively or is a VLAN required as well? Or something else?

I'm asking this here because I'm trying to do this with FreeBSD 
but their pf has diverged a lot from OpenBSD's, and what I thought 
would work does not. skip on $tap_ifs has unexpected results in that
traffic still gets blocked on the guest.

If OpenBSD's pf does work for my use case, then a way to solving my
issue may be to have an OpenBSD guest in the FreeBSD host managing the
pf for the host as bhyve has pci passthru. The other way would be to put
a firewall box in front of the freebsd host.

thanks,
--
J.


signature.asc
Description: PGP signature


Re: OpenBSD as wireless access point

2021-10-31 Thread beebeetles

I believe he meant (11g), or (11a with channel >= 36).

On 10/31/21 10:18, rahul deshmukh wrote:

> Hi Stefan,
> 
> I was able to connect even though on 11g and channel 36 give me invalid
> argument at boot time.
> 
> On Sun, 31 Oct, 2021, 7:35 pm rahul deshmukh, 
> wrote:
> 
>> If I change mode I am getting as invalid argument for channel and mode
>> 
>> ifconfig : SOICS80211CHANNEL: invalid argument
>> 
>> On Sun, 31 Oct, 2021, 7:10 pm Stefan Sperling,  wrote:
>> 
>>> On Sun, Oct 31, 2021 at 11:36:21PM +0530, rahul deshmukh wrote:
>>>> Hi Team,
>>>> I have configured OpenBSD as wireless access point but somehow i am
>>>> unable
>>>> to connect to access point from mobile or other clients. below is my
>>>> config.
>>>> 
>>>> myhost$ cat /etc/hostname.ral0
>>>> 
>>>> 
>>>> media autoselect mode 11b mediaopt hostap chan 11
>>> 
>>> Why mode 11b?  Try 11g, or 11a with a channel >= 36.




Re: OpenBSD as wireless access point

2021-10-31 Thread rahul deshmukh
Hi Stefan,

I was able to connect even though on 11g and channel 36 give me invalid
argument at boot time.

On Sun, 31 Oct, 2021, 7:35 pm rahul deshmukh, 
wrote:

> If I change mode I am getting as invalid argument for channel and mode
>
> ifconfig : SOICS80211CHANNEL: invalid argument
>
> On Sun, 31 Oct, 2021, 7:10 pm Stefan Sperling,  wrote:
>
>> On Sun, Oct 31, 2021 at 11:36:21PM +0530, rahul deshmukh wrote:
>> > Hi Team,
>> > I have configured OpenBSD as wireless access point but somehow i am
>> unable
>> > to connect to access point from mobile or other clients. below is my
>> config.
>> >
>> > myhost$ cat /etc/hostname.ral0
>> >
>> >
>> > media autoselect mode 11b mediaopt hostap chan 11
>>
>> Why mode 11b?  Try 11g, or 11a with a channel >= 36.
>>
>


Re: OpenBSD as wireless access point

2021-10-31 Thread Stefan Sperling
On Sun, Oct 31, 2021 at 11:36:21PM +0530, rahul deshmukh wrote:
> Hi Team,
> I have configured OpenBSD as wireless access point but somehow i am unable
> to connect to access point from mobile or other clients. below is my config.
> 
> myhost$ cat /etc/hostname.ral0
> 
> 
> media autoselect mode 11b mediaopt hostap chan 11

Why mode 11b?  Try 11g, or 11a with a channel >= 36.



OpenBSD as wireless access point

2021-10-31 Thread rahul deshmukh
Hi Team,
I have configured OpenBSD as wireless access point but somehow i am unable
to connect to access point from mobile or other clients. below is my config.

myhost$ cat /etc/hostname.ral0


media autoselect mode 11b mediaopt hostap chan 11
nwid "someid" wpakey "somepassword"
inet 192.168.2.1 255.255.255.0

myhost# cat /etc/dhcpd.conf


subnet 192.168.2.0 netmask 255.255.255.0 {
option routers 192.168.2.1;
option domain-name-servers 192.168.2.1;
range 192.168.2.2 192.168.2.254;
}

my ifconfig output
---
ral0: flags=8843 mtu 1500
lladdr 0c:84:dc:a0:a8:73
index 4 priority 4 llprio 3
groups: wlan
media: IEEE802.11 autoselect mode 11b hostap
status: active
ieee80211: nwid rdxnet chan 11 bssid 0c:84:dc:a0:a8:73 -65dBm wpakey
wpaprotos wpa2 wpaakms psk wpaciphers ccmp wpagroupcipher ccmp
inet 192.168.2.1 netmask 0xff00 broadcast 192.168.2.255

my PF output
Home01# cat /etc/pf.conf


# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

#set skip on lo

block return # block stateless traffic
pass # establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild
#wifi = "ral0"
#table  { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16
172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 192.168.0.0/16
198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 }
#set block-policy drop
#set loginterface egress
#set skip on lo0
#match in all scrub (no-df random-id max-mss 1440)
#match out on egress inet from !(egress:network) to any nat-to (egress:0)
#antispoof quick for { egress $wifi }
#block in quick on egress from  to any
#block return out quick on egress from any to 
#block all
#pass out quick inet
#pass in on { $wifi } inet

could you please help me is there anything i am missing for authentication?
-- 
Thank you
-
Rahul Deshmukh


Re: Sony UWA-BR100 patch to recognize AR9280+AR7010 Atheros based USB card

2021-10-31 Thread Stefan Sperling
On Sun, Oct 24, 2021 at 03:01:29PM +, Martin wrote:
> Patch has been updated to use correct files and tested on a live system. 
> Please add it to tree.
> 
> Thanks.

Committed now. Thank you!  Sorry it took so long.



Re: openrsync --exclude only works locally

2021-10-31 Thread Jan Stary
On Oct 29 07:52:05, nathan...@dalliard.ch wrote:
> hello everyone
> 
> wasn't sure this is intended behaviour of openrsync or "good enough"
> for a bugreport to b...@openbsd.org, thats why i first wanted to
> mention it here
> 
> i am running -current and 'openrsync -r --exclude file' seems to
> work for me running it locally. but as soon as i try it over ssh
> it doesn't exclude anything and syncs the whole directory. i tried
> the same command with rsync and it works without a problem over ssh

Quoting directly from my daily.local,
this syncs everything in /backup except the *.media.* files:

/usr/bin/openrsync -av --del --exclude '*.media.*' /backup/ remote:/backup/

Can you please post the output of that, including the -v ?
What exactly is your excluded pattern? (Surely not 'file'.)

Jan

> (using '--exclude-from=file' doesn't change the behaviour)
> 
> on another note related to openrsync: the manpage doesn't mention
> how 'pattern' should look like in '--exclude pattern' or '--include
> pattern'. wouldn't that be something that should be in the manpage?
> 
> regards
> nathanael
> 
> 



Re: proper way to grow softraid partition

2021-10-31 Thread kasak



29.10.2021 15:33, Nick Holland wrote:

> On 10/27/21 1:11 PM, kasak wrote:
>> Hello misc!
>> 
>> I want to replace my two 2TB hdd, joined in raid1.
>> 
>> I have two 4TB drives, and I want to replace smaller drives with them.
>> 
>> it wouldn't be a problem, if i had some spare sata ports, but in my pc i
>> have only one left.
>> 
>> So, I can attach only one of this 4 tb drives at the same time.
>> 
>> I think, maybe I can attach new 4 tb drive to old raid as a third
>> volume, wait for it "repair",
> 
> Unfortunately, unless something changed when I wasn't looking, you can't
> change the number of drives in a softraid RAID1 after creation.  I really
> wish you could.
> 
>> and then remove 2 tb drives, add one more 4 tb and "repair" raid again.
>> 
>> I don't know, will this operation actually grow my partition, or it is a
>> bad idea from the beginning?
> 
> nope, you would end up with a 2T RAID partition on a 4G drive. Which is
> fine, except you didn't achieve your goal.
> 
>> Alternate, can i create raid 1 volume from just one drive, rsync files
>> between raids and after add another disk?
> 
> Again, you can't change the number of drives in a softraid RAID1 set after
> creation.  And you can't change the size of a softraid partition.
> 
> What I would (and have) done is this, assuming this is your only computer
> available:
> * extract both your 2T drives.
> * insert both 4T drives, build a RAID1 set.
> * Insert ONE of the old 2T drives and ONE of the 4T drives into your system.
> On boot, you end up with two degraded arrays...but that will work for your
> purposes!
> * Copy the data from the old disks to the new disks
> * Change fstab
> * Remove the old 2T disk, and replace with the 4T disk left over, rebuild
> the degraded array onto the 4T disk.
> * DONE!
> 
> Now...since you have ONE spare port still, I'd actually cheat and remove
> one 2T disk, and put both new disks in place, build the array, and copy
> over. Fix fstab, remove the old 2T disk, done.

Thank you very much for detailed explanation!
I will go this way!

> HOWEVER, something else to consider -- from later messages, sounds like you
> have a non-RAID boot drive and RAID data drives.  I SUSPECT you could build
> out your new 4T array as a bootable softraid and move your boot drive data
> AND the 2T of old data all to the one 4T array and still have a lot of new
> space (a basic OpenBSD install is barely noticeable in a 4T disk!).  Now
> you have redundancy in both boot and data, and one less disk, which will be
> a small power reduction, and one less point of failure.
> 
> Nick.






Re: nested virtualization with vmm on hyper-v

2021-10-31 Thread Peter J. Philipp
On Sat, Oct 30, 2021 at 08:56:53PM -0700, Mike Larkin wrote:
[cut]
> I told Microsoft years ago that their implementation of legacy event injection
> was broken. This is how we inject interrupts in vmm(4). They either didn't
> understand, or didn't care. Since hyper-v doesn't deliver our injected event,
> no interrupts are delivered to the VM and as soon as interrupts are enabled
> in autoconf, you hang.
> 
> Note: KVM and VMware do it correctly.
> 
> -ml
> 

Hi Mike,

Thanks for the explanation.  I guess I can pack up the configs, for this host.
I have a laptop that can do vmm on native OpenBSD, but it's not always on.

Best Regards,
-peter