Re: Default rdomain for CLI commands

2023-10-23 Thread Philipp Buehler

On 24.10.2023 03:08, Andy Lemin wrote:

> So I have to run;
> ‘route -T0 exec syspatch’ for example.

but 0 is the "default"!?

> How do I set/override the default rdomain for system level CLI
> commands?


route -T9 exec /bin/ksh

everything in that shell will be in rdomain 9


HTH,
PS: or tmux ..
--
pb



USB serial local getty terminal re-prompts for login on any input

2023-10-23 Thread Morgan Aldridge
(Not subscribed to misc@, so please CC me in all replies.)

I've got an odd situation that I'm having trouble getting to the bottom of,
but I'll first admit that I haven't been able to yet rule out a hardware
issue and I also may currently be too close to the problem (despite
sleeping on it several times):

I have an external VT100 terminal connected to my 2015 13in MacBook Air
running OpenBSD amd64/7.4-release/stable via a Keyspan/Tripp-Lite USA-19HS
USB to DB-9 serial adapter. The USA-19HS uses ukspan(4) which was added in
6.6. I've added a ttys(5) line, HUPed INIT, have run ttyflags(8) (more
specifics below), have the terminal configured for 9600 8N1 with no flow
control, and the terminal does display the login prompt generated by
getty(8). Unfortunately, regardless of what input is provided on the
terminal, getty(8) just sends a new login prompt.

I only have the one USA-19HS, one specific original serial cable, and the
terminal, all the exact set that were used approximately 10 years ago.
Though, at that time I was connecting it to an Intel MacBook Pro running
some version of Mac OS X with the Keyspan drivers installed and similarly
using getty. I have performed hardware repairs on the terminal, so -- again
-- I can't yet rule out hardware issues and certainly not driver issues.

dmesg (trimmed; full at the end, including `usbdevs -v` output):

```
ukspan0 at uhub3 port 3 "Keyspan, a division of InnoSys Inc. Keyspan
USA-19H" rev 1.10/1.00 addr 20
ucom1 at ukspan0: usb0.1.00334.
```

/etc/ttys

```
console "/usr/libexec/getty std.9600"   vt220   off secure
ttyU1   "/usr/libexec/getty std.9600"   vt100   on local
```

Per ttys(5), whenever I modify /etc/ttys, I do the following:

```
doas kill -HUP 1
doas ttyflags -va
doas ttyflags -p ttyU1
pgrep -fl ttyU1
top -g ttyU1
```

I've found it more reliable -- when making changes -- to specifically set
my ttys(5) line to 'off', perform the aforementioned steps, then change the
line to 'on' and repeat.

I have experimented with the following with no change in the underlying
issue of the terminal showing the login prompt, but each character input
causing the login prompt to be resent:

- ttys(5) 'secure' option (shouldn't be necessary, since I don't intend to
authenticate as root)
- ttys(5) 'local' option
- ttys(5) 'softcar' option (shouldn't be necessary, since I am getting a
connection; see [0])
- either "no flow control" or "software flow control" enabled on the
terminal
- ttys(5) 'rtscts' option with "hardware flow control" enabled on the
terminal
- ttys(5) 'mdmbug' option with "hardware flow control" enabled on the
terminal
- ttys(5) 'rtscts' and 'mdmbug' options with "hardware flow control"
enabled on the terminal

I also tried specifying 'cuaU1' device instead of 'ttyU1' for all of the
above (see [1]) with no change, other than `ttyflags -a` saying the device
is busy and not setting any flags.

I have tried different speeds, writing custom gettytab(5) lines to change
various XON/XOFF settings and "software flow control" enabled on the
terminal.

My next steps, when I have time and in no particular order, are to:

- Retry various experiments with getty(8) off and using cu(1) to connect
directly to the terminal, sending characters back and forth from each end
- Try on a couple other pieces of amd64 & i386 hardware running OpenBSD
which have built-in serial (they need upgrades to 7.4 and I don't recall
the state of serial hardware support)
- Order a USB to DB-9 serial adapter with genuine FTDI chips (that may rule
out driver issues, but would also likely let me test under macOS on my M1
Mac mini)
- Test and map the pinouts on the original serial cable

I'm really only looking for confirmation that the source[2] I used to
refresh my memory on software (XON/XOFF) vs hardware (RTS/CTS and/or
DTR/DCD) flow control is reasonably accurate and if my description of this
issue jumps out to you as any likely cause.

Thanks in advance for any thoughts or suggestions,

Morgan

[0] 
[1] 
[2] 


Default rdomain for CLI commands

2023-10-23 Thread Andy Lemin
Hi all,

Just a quick question.

I have multiple rdomains. My outside rdomain (rdomain 0) has a single default 
route to my ISP. And my internal rdomain 9 has multiple default routes pointing 
to various pairX interfaces for some funky routing stuff.

Everything works beautifully, however, every command I type on the box locally 
or over SSH which needs internet for example, is being executed under the 
internal rdomain, not the edge rdomain.

So I have to run;
‘route -T0 exec syspatch’ for example.

How do I set/override the default rdomain for system level CLI commands?

Thanks for your thoughts,
Andy.




subscribe misc@openbsd.org

2023-10-23 Thread Komodo
 

Re: squid replacement

2023-10-23 Thread Lyndon Nerenberg (VE7TFX/VE6BBM)
Sean Kamath writes:

> Just which hosts and ports?  No caching?

Sorry, I should have given a better description ...

We proxy http, https, and rsync.  squid functions as a simple L7
relay for those protocols.  The purpose of the proxy is to restrict
1) which internal hosts can establish outbound connections in the
first place, and 2) which hosts they can connect to.  E.g., our
admin hosts that handle billing can only connect to our payment
processor's services.  The server that front-ends the internal help
desk can only connect to hubscout.  Etc.  Pretty simple, we just
don't want to make it easy for people to exfiltrate data if they
do manage to get a foothold inside.

There's also the issue of most of our internal infrastructure servers
running in 1918 address space.  We don't NAT at the border, so the
proxy is their only way out (again, by design).

> Kinda sounds like a pf.conf solution. . .  Maybe with relay to relay everythi
> ng through a firewall?

That's how we used to do it.  The problem is upstream services
change their IP addresses on a surprisingly frequent basis, and
they don't always let people know this is happening.  By using the
proxy, I no longer have to hardwire and keep track of IP addresses.
The squid ACLs serve as the L7 "firewall", and we have a single
rule on the border firewall that allows the proxy host unfettered
access to ports 80, 443, and 873.

--lyndon



Feature request for pf: allow embedding IPv4 into source address of af-to IPv6 packets (like SIIT/EAMT/NAT46)

2023-10-23 Thread Jason Healy
Congratulations on a successful 7.4 release!

I'm writing with a gentle feature request for pf; I asked about this 
functionality a long time ago and have seen a few other related questions on 
the list since then.  Now that I've played with another NAT64 implementation 
(Jool), I think I can articulate myself a little better.

Summary: request to modify pf to support the following syntax to embed IPv4 
address in IPv6 source addresses after af-to translation:

  pass in inet af-to inet6 from /96 to 

This would require modifying the "from" portion of the af-to to look for a mask 
of /96 (or smaller) on the from address and take the actions below.  In the 
line above, everything you see is currently supported except for the "/96" on 
the "from" address.  If the mask is greater or omitted (e.g. /128) then the 
current behavior is used, making it backwards-compatible when omitted.

If a /96 on the "from" is detected, the packet is translated between families 
as currently, with one modification: the packet source address will have the 
IPv4 source address embedded in the lower 32 bits of the IPv6 source address.

Example:

In practice, this syntax would also typically include a matching portion for 
the original IPv4 destination address so traffic destined for a particular IPv4 
destination can be forwarded to a specific IPv6 node.  Thus, a typical 
invocation would be like:

  pass in inet to 192.0.2.10 af-to inet6 from 64:ff9b::/96 to 2001:db8:b::10

The line above would result in a packet with IPv4 source 203.0.113.42 and 
destined for 192.0.2.10 being translated to have IPv6 source 64:ff9b::cb00:712a 
and destination 2001:db8:b::10.

Discussion:

This would allow PF to support SIIT EAMT / SIIT-DC behavior (sometimes called 
"NAT46").  The use case here would be a dual-stack pf box at the network edge, 
and servers behind it with IPv6-only connectivity.  IPv4 requests from the 
internet would hit the pf box, be translated and forwarded over IPv6 to the 
servers.  Because the IPv6 address contains the embedded IPv4 source address, 
logging and analysis on the server would have access to the full source 
address, rather than all traffic being "squashed" to a single IPv6 source.

It would be the responsibility of the network operator to ensure return traffic 
(to 64:ff9b::/96 in the above example) is routed back to the pf box.

I feel pf is the best place to add this functionality (rather than relayd or 
other code) because it is already capable of performing the family translation, 
and only needs to have the address-embedding functionality added for source 
addresses (it already exists for destination addresses).  Thus, the necessary 
concepts are already in place elsewhere in the code; they need to be replicated 
for source addresses.

Specifically, pf can already map an IPv4 *destination* address into the lower 
32 bits of an IPv6 address using af-to:

  pass in inet af-to inet6 from 2001:db8::1 to 2001:db8::/96

This supports CLAT-type functionality where IPv4 traffic needs to be sent to a 
PLAT (typically network edge).

Additionally, pf can currently translate IPv4 traffic from any host to a 
specific destination:

  pass in inet to 192.0.2.10 af-to inet6 from 2001:db8:a::1 to 2001:db8:b::10

However, this relies on pf's state table much like traditional NAT44: all 
traffic is arbitrarily mapped to a new source address and the destination 
server sees only the pf box's address as the source of the traffic.

This request is to enable IPv4 /96 embedding on the *source* address; nodes 
that come after the translation will be able to see the full IPv4 source 
address embedded in the IPv6 address.  Because the entire IPv4 address space 
can be embedded in a single IPv6 /96 prefix, no information is lost and so the 
translation does not require state (the return traffic can be turned back into 
IPv4 by simply un-embedding the IPv4 address).  However, I recognize that pf 
may only operate in a stateful manner due to the way af-to is implemented, and 
state may be desirable for other pf functionality.  However, even without truly 
being "stateless", the address embedding would support the same functionality 
as true SIIT implementation.

Syntax changes would be minimal; pfctl would need to recognize a /96 on the 
source "from" for the af-to and activate the embedding behavior.  As embedding 
is already implemented for destinations of /96, I'm hoping there is some 
opportunity for reuse.  If a /96 is not seen on the "from" specification, then 
pf's current behavior can be used.

A small backwards compatibility issue exists in that the current af-to source 
specification allows addresses with a mask other than /128.  However, so far as 
I can tell, any mask is ignored and only the specified address is used at the 
present time, so anyone specifying that in their config is using an unsupported 
mask option.

Unfortunately, I am no C hacker, so I am unable to formulate a patch that would 
add this behavior.  
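
The source embedding this request describes, and the stateless reversal it allows, worked through with the post's own prefix and addresses. This is an added example, not part of the original post and not pf code; the function names and the log lines are constructed for illustration, and the log format (source address as the first field) is an assumption.

```python
"""Added example: /96 IPv4-in-IPv6 source embedding and its stateless reversal."""
import ipaddress

# Prefix taken from the example rule in the post.
TRANSLATION_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def embed_ipv4(prefix, v4):
    """Place the 32-bit IPv4 address in the low 32 bits of a /96 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 prefixes")
    v4 = ipaddress.IPv4Address(v4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract_ipv4(prefix, v6):
    """Reverse embed_ipv4(); return None when v6 lies outside the prefix."""
    v6 = ipaddress.IPv6Address(v6)
    if prefix.prefixlen != 96 or v6 not in prefix:
        return None
    # No state lookup is needed: the low 32 bits are the original address.
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


# Constructed access-log lines, as an IPv6-only server behind the translator
# might record them. The first field is the source address (assumed format).
SAMPLE_LOG = """\
64:ff9b::cb00:712a - - [23/Oct/2023:10:00:01 +0000] "GET / HTTP/1.1" 200 512
2001:db8:c::7 - - [23/Oct/2023:10:00:02 +0000] "GET /status HTTP/1.1" 200 64
64:ff9b::c633:6405 - - [23/Oct/2023:10:00:03 +0000] "POST /login HTTP/1.1" 401 0
not-an-address - - [23/Oct/2023:10:00:04 +0000] "GET / HTTP/1.1" 400 0
"""


def recover_clients(log_text, prefix=TRANSLATION_PREFIX):
    """Map each log line's source to the original IPv4 client where possible.

    Returns (logged_source, ipv4_or_None) tuples. Native IPv6 clients and
    unparsable sources yield None rather than a guessed address.
    """
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        source = line.split(maxsplit=1)[0]
        try:
            v4 = extract_ipv4(prefix, source)
        except ValueError:  # AddressValueError is a ValueError subclass
            v4 = None
        results.append((source, str(v4) if v4 is not None else None))
    return results


if __name__ == "__main__":
    # The translation from the post: 203.0.113.42 -> 64:ff9b::cb00:712a
    print(embed_ipv4(TRANSLATION_PREFIX, "203.0.113.42"))
    for logged, client in recover_clients(SAMPLE_LOG):
        print(f"{logged:24} -> {client or 'not a translated IPv4 client'}")
```
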

Re: Fwd: install74.iso

2023-10-23 Thread Robert Palm
Thank you.

On 23 Oct 2023, 21:36, at 21:36, Theo de Raadt wrote:
>In the next few snapshots, an ISO file will start to show up.
>
>I won't be testing it.  You will.  Privately let me know how it goes
>and
>I'll make more tweaks to it.
>
>There may be problems with bootblocks, etc.  At this time I don't know
>what
>it will take to get it right.
>
>Robert Palm  wrote:
>
>> Thanks!
>>
>> Indeed, Dan has a point here as e.g. with hetzner you can easily ask
>for an .iso to add for your machine and use that for installation.
>>
>> With the .img format you need to use the rescue console, dd the .img
>yourself and restart which is effort.
>>
>> So, I would welcome an .iso, too if possible and align with other
>archs?
>>
>> On 23 Oct 2023, 21:08, at 21:08, Ampie Niemand wrote:
>> >On Mon, Oct 23, 2023 at 07:27:18PM +0200, Robert Palm wrote:
>> >> As this list is not very active I forward your mail to misc@
>> >>
>> >> On 21 Oct 2023, 16:59, at 16:59, Dan wrote:
>> >> >Hi folks,
>> >> >
>> >> >Is there a technical reason why the project is not providing
>> >> >installation ISOs for the arm64 architecture?
>> >
>> >I'm pretty sure install74.img and miniroot74.img is provided
>instead.
>> >The idea is that you 'burn' that to a USB stick / thumb drive and
>boot
>> >with
>> >that. I think that this category initially had mostly Pi's so there
>was
>> >no
>> >need for CDROMs.
>> >
>> >> >
>> >> >The easiest way to install OpenBSD on a new cloud virtual machine
>> >for
>> >> >me would be to mount cd74.iso and boot.
>> >> >
>> >> >Could someone give me some pointers for turning the arm bsd.rd
>> >> >installation ramdisk kernel into a minimal CD-ROM image?
>> >> >
>> >> >
>> >> >Thank you,
>> >> >Dan
>> >>
>> >
>> >-Ampie
>>



Re: Fwd: install74.iso

2023-10-23 Thread Theo de Raadt
In the next few snapshots, an ISO file will start to show up.

I won't be testing it.  You will.  Privately let me know how it goes and
I'll make more tweaks to it.

There may be problems with bootblocks, etc.  At this time I don't know what
it will take to get it right.

Robert Palm  wrote:

> Thanks!
> 
> Indeed, Dan has a point here as e.g. with hetzner you can easily ask for an 
> .iso to add for your machine and use that for installation.
> 
> With the .img format you need to use the rescue console, dd the .img yourself 
> and restart which is effort.
> 
> So, I would welcome an .iso, too if possible and align with other archs?
> 
> On 23 Oct 2023, 21:08, at 21:08, Ampie Niemand wrote:
> >On Mon, Oct 23, 2023 at 07:27:18PM +0200, Robert Palm wrote:
> >> As this list is not very active I forward your mail to misc@
> >>
> >> On 21 Oct 2023, 16:59, at 16:59, Dan wrote:
> >> >Hi folks,
> >> >
> >> >Is there a technical reason why the project is not providing
> >> >installation ISOs for the arm64 architecture?
> >
> >I'm pretty sure install74.img and miniroot74.img is provided instead.
> >The idea is that you 'burn' that to a USB stick / thumb drive and boot
> >with
> >that. I think that this category initially had mostly Pi's so there was
> >no
> >need for CDROMs.
> >
> >> >
> >> >The easiest way to install OpenBSD on a new cloud virtual machine
> >for
> >> >me would be to mount cd74.iso and boot.
> >> >
> >> >Could someone give me some pointers for turning the arm bsd.rd
> >> >installation ramdisk kernel into a minimal CD-ROM image?
> >> >
> >> >
> >> >Thank you,
> >> >Dan
> >>
> >
> >-Ampie
> 



Re: Fwd: install74.iso

2023-10-23 Thread Robert Palm
Thanks!

Indeed, Dan has a point here as e.g. with hetzner you can easily ask for an 
.iso to add for your machine and use that for installation.

With the .img format you need to use the rescue console, dd the .img yourself 
and restart which is effort.

So, I would welcome an .iso, too if possible and align with other archs?

On 23 Oct 2023, 21:08, at 21:08, Ampie Niemand wrote:
>On Mon, Oct 23, 2023 at 07:27:18PM +0200, Robert Palm wrote:
>> As this list is not very active I forward your mail to misc@
>>
>> On 21 Oct 2023, 16:59, at 16:59, Dan wrote:
>> >Hi folks,
>> >
>> >Is there a technical reason why the project is not providing
>> >installation ISOs for the arm64 architecture?
>
>I'm pretty sure install74.img and miniroot74.img is provided instead.
>The idea is that you 'burn' that to a USB stick / thumb drive and boot
>with
>that. I think that this category initially had mostly Pi's so there was
>no
>need for CDROMs.
>
>> >
>> >The easiest way to install OpenBSD on a new cloud virtual machine
>for
>> >me would be to mount cd74.iso and boot.
>> >
>> >Could someone give me some pointers for turning the arm bsd.rd
>> >installation ramdisk kernel into a minimal CD-ROM image?
>> >
>> >
>> >Thank you,
>> >Dan
>>
>
>-Ampie



Re: a2ps error; printing utf8 to a postscript printer

2023-10-23 Thread Jan Stary
On Oct 23 17:22:37, rsyk...@disroot.org wrote:
> after upgrading to OpenBSD 7.4 (as far as I can tell),
> a2ps program stopped working:

Do you mean specifically the upgrade of the base system,
or the upgraded a2ps package? I doubt the _system_ upgrade
itself broke a2ps ...

> ;a2ps /home/ruda/mnt/tarkil/SIMUL/acceptance/accept1detE0.ijs  

What is an ijs file and how does a2ps know it's a plain text file?
Is that the default?

> [/home/ruda/mnt/tarkil/SIMUL/acceptance/accept1detE0.ijs (plain): 2 pages on 
> 1 sheet]
> Usage: a2ps-lpr-wrapper [-d printer] FILE...
> a2ps: received SIGPIPE

Who is the caller of a2ps-lpr-wrapper?
Does a2ps itself call it? Or some script you have?
What is your /etc/printcap?

> It seems to me that a2ps-lpr-wrapper expects a FILE argument,
> while a2ps (which invokes the wrapper?) does not supply one...
> 
> Has anybody else had this issue?
> Thanks for comments.
> 
> Loosely related: What program do you use to print utf8
> encoded text file to a postscript printer? (Neither a2ps, nor
> enscript does it.

u2ps is in ports.

> At this moment I either remove any
> diacritics with 'recode -f utf8..flat ...',

Or you can iconv -t to some encoding that a2ps supports.

Jan



Re: Fwd: install74.iso

2023-10-23 Thread Ampie Niemand
On Mon, Oct 23, 2023 at 07:27:18PM +0200, Robert Palm wrote:
> As this list is not very active I forward your mail to misc@
> 
> On 21 Oct 2023, 16:59, at 16:59, Dan wrote:
> >Hi folks,
> >
> >Is there a technical reason why the project is not providing
> >installation ISOs for the arm64 architecture?

I'm pretty sure install74.img and miniroot74.img is provided instead. 
The idea is that you 'burn' that to a USB stick / thumb drive and boot with 
that. I think that this category initially had mostly Pi's so there was no
need for CDROMs.

> >
> >The easiest way to install OpenBSD on a new cloud virtual machine for
> >me would be to mount cd74.iso and boot.
> >
> >Could someone give me some pointers for turning the arm bsd.rd
> >installation ramdisk kernel into a minimal CD-ROM image?
> >
> >
> >Thank you,
> >Dan
> 

-Ampie



Fwd: install74.iso

2023-10-23 Thread Robert Palm
As this list is not very active I forward your mail to misc@

On 21 Oct 2023, 16:59, at 16:59, Dan wrote:
>Hi folks,
>
>Is there a technical reason why the project is not providing
>installation ISOs for the arm64 architecture?
>
>The easiest way to install OpenBSD on a new cloud virtual machine for
>me would be to mount cd74.iso and boot.
>
>Could someone give me some pointers for turning the arm bsd.rd
>installation ramdisk kernel into a minimal CD-ROM image?
>
>
>Thank you,
>Dan



Re: AAAA entry for openbsd.org

2023-10-23 Thread Mikhail
On Mon, Oct 23, 2023 at 07:58:08AM +0200, Armin Jenewein wrote:
> No idea what you perceive here as a "rant", my apologies if that seemed
> like one to you, that's not my intention.
> 
> FWIW both ftplist1.openbsd.org and ftplist2.openbsd.org have no AAAA
> entry, either.
> 
> I don't see what I need to prove here. That's 3 hosts already that don't
> have an AAAA DNS record, so if you're on an IPv6-only link, you can't
> access these. I didn't check ALL the mirrors that the installer has in
> the list, but the one popping up in my list as ftp.spline.de doesn't
> have one, either, so that's just number four.
> 
> With prices for IPv4 addresses starting to increase, it surprises me
> that this is still such a heated topic. Nobody asks about removing
> IPv4-connectivity here. Nobody wants to break functionality for v4-only
> users.
> 
> I did try installing OpenBSD in v6-only networks, yes. On an IPv6-only
> host it doesn't even suggest a mirror to download from.
> 
> My initial mail was about  this one here, nevertheless:
> 
> $ ping6 openbsd.org
> ping6: no address associated with name
> $
> 
> The fact that all the other hosts I mentioned are v4-only doesn't change
> that situation in any way.

I think ipv6 just expands the attack surface for the services for very little
benefit; if you're really interested in fixing the installation case, maybe
a patch for the installer will be the right direction.



Question about rdomains/rtables

2023-10-23 Thread tetrosalame

Hello misc,

I'm playing with rdomain/rtable on OpenBSD 7.4 and I'm a bit confused 
about the relation between rdomains and rtables.


If I got rdomain(4) right, the two facilities are designed so that a 
rdomain can hold 0-255 rtables. Even rdomain 0 -no rdomain configured- 
can hold several rtables. IP addresses can overlap if configured in 
different rdomains.


In my mind the design is somehow "hierarchical"

rdomain 0
|--> rtable 0
|--> rtable 1
|...
|--> rtable 255

rdomain 1
|--> rtable 0
|--> rtable 1
|...
|--> rtable 255

but in practice, since there's no utility to add more rtables beyond the 
default one per rdomain, in the current implementation OS tools (pf, 
route, ifconfig, daemons etc...) take advantage of these facilities in a 
"flat" way:


rdomain 0
|--> rtable 0

rdomain 1
|--> rtable 0

and so on, where rtables are numbered after their containing rdomain. 
Documentation refers to rdomains when it's appropriate to think about a 
logical segment of the routing space, while it refers to rtables when 
the concept is "do something with routing table number XXX".


So while in theory one should think about rdomains first and then about 
the rtables that belong to each of them, in current usage they're the 
same thing: $tool -T $number and don't bother.


But...I read the slides presented by Peter Hessler (thank you) at 
EuroBSD 2012 and everything was clear...well, until I came to slide 16 
and pf ruleset "pass in on rdomain 2 rtable 4" (1). I'm puzzled: how can 
I "create" rtable 4 inside rdomain 2?


Thanks and I apologize for my lack of brevity.

f.

1: 
https://www.openbsd.org/papers/eurobsd2012/phessler-rdomains/mgp00016.html




Re: Delay in starting xterm via ssh after upgrade from 7.3 to 7.4

2023-10-23 Thread Andy Bradford
Thus said Roger Marsh on Thu, 19 Oct 2023 17:23:47 -:

> fixes the delay  problem, but was the delay  a predictable consequence
> of some change? Or perhaps the  entry should never have been expressed
> in the way that led to the delay?

Most likely the cause is an unexpected side effect of some other change.
There  have been  some interesting  changes  to SSH  with this  release,
perhaps try disabling:

http://man.openbsd.org/OpenBSD-7.4/ssh_config#ObscureKeystrokeTiming

I would be surprised  if this is actually the cause, but  it is a change
that was introduced and something that is easily tested.

You could also look through:

http://www.openbsd.org/plus74.html

See if any of the changes stand out as relevant and try to test them.

Andy



Re: Crash on TOSHIBA PORTEGE Z30-A laptop

2023-10-23 Thread wesley
> If there isn't a newer BIOS that resolves this, I would tend to return the 
> box as not suitable.



This is the case, there’s no BIOS update.

Thank you very much, anyway.

Cheers,


/Wesley

 

From: Philip Guenther
Sent: Monday, 23 October 2023 00:39
To: wes...@technicien.io
Cc: b...@openbsd.org; misc@openbsd.org
Subject: Re: Crash on TOSHIBA PORTEGE Z30-A laptop

On Sat, Oct 21, 2023 at 2:27 AM <wes...@technicien.io> wrote:

Hi Philip,

Thank you very much for your answer.

I tried to disable all options (+devices) possible. Same issue.
And what about disabling acpi in the kernel using the bsd.re-config?

 

As Mike and Theo noted, this will certainly cause problems.

 

 

Do you think if I replace the wireless card by something else, it could resolve
this issue?

 

Very unlikely.  The problem is the stack depth of the ACPI processing.  The 
crash you saw had the wifi interrupt occur during the ACPI processing but it 
could just as well happen with some other device interrupting the ACPI 
processing.

 

If there isn't a newer BIOS that resolves this, I would tend to return the box 
as not suitable.

 

 

Philip Guenther



a2ps error; printing utf8 to a postscript printer

2023-10-23 Thread rsykora
Dear list,


after upgrading to OpenBSD 7.4 (as far as I can tell),
a2ps program stopped working:

;a2ps /home/ruda/mnt/tarkil/SIMUL/acceptance/accept1detE0.ijs  
[/home/ruda/mnt/tarkil/SIMUL/acceptance/accept1detE0.ijs (plain): 2 pages on 1 
sheet]
Usage: a2ps-lpr-wrapper [-d printer] FILE...
a2ps: received SIGPIPE

It seems to me that a2ps-lpr-wrapper expects a FILE argument,
while a2ps (which invokes the wrapper?) does not supply one...

Has anybody else had this issue?
Thanks for comments.

Loosely related: What program do you use to print utf8
encoded text file to a postscript printer? (Neither a2ps, nor
enscript does it. At this moment I either remove any
diacritics with 'recode -f utf8..flat ...', or open the
file in gedit and print from there. I heard there is
'paps' and 'cedilla' programs, but neither is in ports
and I failed to compile the former as cloned from github.)


Ruda



Re: AAAA entry for openbsd.org

2023-10-23 Thread Theo de Raadt
Martin Schröder  wrote:

> On Mon, 23 Oct 2023 at 17:14, Theo de Raadt wrote:
> > Martin Schröder wrote:
> >
> > > On Mon, 23 Oct 2023 at 16:54, Theo de Raadt wrote:
> > > > So many, many words demanding that I configure my networks for ipv6.
> > >
> > > "is there any reason openbsd.org still has no AAAA entry at the end of
> > > 2023?"
> > >
> > > So the reason is "Theo doesn't want to configure his networks for v6"?
> >
> > Martin, what is the reason for your response?
> 
> I'm using OpenBSD, I've configured my network for v6 and I think the
> question is valid
> and hasn't received an answer. And I would accept a simple "yes" as an
> answer from you.


Are you my boss?  If you are not, what is your role here that allows you
to speak to me like that?








Re: AAAA entry for openbsd.org

2023-10-23 Thread Martin Schröder
On Mon, 23 Oct 2023 at 17:14, Theo de Raadt wrote:
> Martin Schröder wrote:
>
> > On Mon, 23 Oct 2023 at 16:54, Theo de Raadt wrote:
> > > So many, many words demanding that I configure my networks for ipv6.
> >
> > "is there any reason openbsd.org still has no AAAA entry at the end of
> > 2023?"
> >
> > So the reason is "Theo doesn't want to configure his networks for v6"?
>
> Martin, what is the reason for your response?

I'm using OpenBSD, I've configured my network for v6 and I think the
question is valid
and hasn't received an answer. And I would accept a simple "yes" as an
answer from you.

Best
Martin



Re: AAAA entry for openbsd.org

2023-10-23 Thread Theo de Raadt
Martin Schröder  wrote:

> On Mon, 23 Oct 2023 at 16:54, Theo de Raadt wrote:
> > So many, many words demanding that I configure my networks for ipv6.
> 
> "is there any reason openbsd.org still has no AAAA entry at the end of 2023?"
> 
> So the reason is "Theo doesn't want to configure his networks for v6"?

Martin, what is the reason for your response?



Re: AAAA entry for openbsd.org

2023-10-23 Thread Raul Miller
OpenBSD is a volunteer organization.

If you want to volunteer to host an ipv6 mirror, I think the licensing
already allows that.

Please correct me if I'm wrong.

Thanks,

-- 
Raul

On Mon, Oct 23, 2023 at 2:00 AM Armin Jenewein  wrote:
>
> No idea what you perceive here as a "rant", my apologies if that seemed
> like one to you, that's not my intention.
>
> FWIW both ftplist1.openbsd.org and ftplist2.openbsd.org have no AAAA
> entry, either.
>
> I don't see what I need to prove here. That's 3 hosts already that don't
> have an AAAA DNS record, so if you're on an IPv6-only link, you can't
> access these. I didn't check ALL the mirrors that the installer has in
> the list, but the one popping up in my list as ftp.spline.de doesn't
> have one, either, so that's just number four.
>
> With prices for IPv4 addresses starting to increase, it surprises me
> that this is still such a heated topic. Nobody asks about removing
> IPv4-connectivity here. Nobody wants to break functionality for v4-only
> users.
>
> I did try installing OpenBSD in v6-only networks, yes. On an IPv6-only
> host it doesn't even suggest a mirror to download from.
>
> My initial mail was about  this one here, nevertheless:
>
> $ ping6 openbsd.org
> ping6: no address associated with name
> $
>
> The fact that all the other hosts I mentioned are v4-only doesn't change
> that situation in any way.
>
> ~ Armin
>
>
>
>
> On 23-10-22 19:29:28, Philip Guenther wrote:
> > On Sun, Oct 22, 2023 at 6:53 PM Armin Jenewein  wrote:
> >
> > > Hi.
> > >
> > > On 23-10-22 15:47:45, Kastus Shchuka wrote:
> > > > On Sun, Oct 22, 2023 at 10:29:08PM +0200, Armin Jenewein wrote:
> > > > > Hi,
> > > > >
> > > > > as I'm almost 100% sure adding IPv6 connectivity to the openbsd.org
> > > > > host
> > > > > wouldn't introduce side-effects for IPv4 users: is there any reason
> > > > > > openbsd.org still has no AAAA entry at the end of 2023?
> > > >
> > > > Why do you need it?
> > >
> > > > Because it's extremely inconvenient to have to manually type in the name of
> > > > a mirror that I know has an AAAA entry. The installer won't even be able
> > > to download the mirror list because of the reason I mentioned. It tries
> > > to talk to openbsd.org which obviously fails.
> >
> >
> > See, this is why being clear about What Fine Problem You're Trying To Solve
> > is important: AFAICT the installer tries to fetch the mirror list from
> > ftplist1.openbsd.org and not from openbsd.org.
> >
> > Can you confirm that your _actual_ request is to have the installer be able
> > to get the mirror list when on an IPv6-only host?
> >
> > (Please don't rant at people who try to help, particularly when doing
> > exactly what you requested would NOT HAVE HELPED, unless you *want* people
> > to drop you in their kill-file as "not worth trying to help".)
> >
> >
> > Philip Guenther
>
> --
>
>   ,_^_.
> \- -/
>  \_/ \ Armin Jenewein
>  |O o |
>  |_  <   )  3 )
>  / \ /
> /-__,__-\
>
>
>
>
>



Re: AAAA entry for openbsd.org

2023-10-23 Thread Martin Schröder
On Mon, 23 Oct 2023 at 16:54, Theo de Raadt wrote:
> So many, many words demanding that I configure my networks for ipv6.

"is there any reason openbsd.org still has no AAAA entry at the end of 2023?"

So the reason is "Theo doesn't want to configure his networks for v6"?

Best
 Martin



Re: AAAA entry for openbsd.org

2023-10-23 Thread Theo de Raadt
So many, many words demanding that I configure my networks for ipv6.

Armin Jenewein  wrote:

> No idea what you perceive here as a "rant", my apologies if that seemed
> like one to you, that's not my intention.
> 
> FWIW both ftplist1.openbsd.org and ftplist2.openbsd.org have no AAAA
> entry, either.
> 
> I don't see what I need to prove here. That's 3 hosts already that don't
> have an AAAA DNS record, so if you're on an IPv6-only link, you can't
> access these. I didn't check ALL the mirrors that the installer has in
> the list, but the one popping up in my list as ftp.spline.de doesn't
> have one, either, so that's just number four.
> 
> With prices for IPv4 addresses starting to increase, it surprises me
> that this is still such a heated topic. Nobody asks about removing
> IPv4-connectivity here. Nobody wants to break functionality for v4-only
> users.
> 
> I did try installing OpenBSD in v6-only networks, yes. On an IPv6-only
> host it doesn't even suggest a mirror to download from.
> 
> My initial mail was about  this one here, nevertheless:
> 
> $ ping6 openbsd.org
> ping6: no address associated with name
> $
> 
> The fact that all the other hosts I mentioned are v4-only doesn't change
> that situation in any way.
> 
> ~ Armin
> 
> 
> 
> 
> On 23-10-22 19:29:28, Philip Guenther wrote:
> > On Sun, Oct 22, 2023 at 6:53 PM Armin Jenewein  wrote:
> > 
> > > Hi.
> > >
> > > On 23-10-22 15:47:45, Kastus Shchuka wrote:
> > > > On Sun, Oct 22, 2023 at 10:29:08PM +0200, Armin Jenewein wrote:
> > > > > Hi,
> > > > >
> > > > > as I'm almost 100% sure adding IPv6 connectivity to the openbsd.org
> > > > > host
> > > > > wouldn't introduce side-effects for IPv4 users: is there any reason
> > > > > > openbsd.org still has no AAAA entry at the end of 2023?
> > > >
> > > > Why do you need it?
> > >
> > > > Because it's extremely inconvenient to have to manually type in the name of
> > > > a mirror that I know has an AAAA entry. The installer won't even be able
> > > to download the mirror list because of the reason I mentioned. It tries
> > > to talk to openbsd.org which obviously fails.
> > 
> > 
> > See, this is why being clear about What Fine Problem You're Trying To Solve
> > is important: AFAICT the installer tries to fetch the mirror list from
> > ftplist1.openbsd.org and not from openbsd.org.
> > 
> > Can you confirm that your _actual_ request is to have the installer be able
> > to get the mirror list when on an IPv6-only host?
> > 
> > (Please don't rant at people who try to help, particularly when doing
> > exactly what you requested would NOT HAVE HELPED, unless you *want* people
> > to drop you in their kill-file as "not worth trying to help".)
> > 
> > 
> > Philip Guenther
> 
> -- 
> 
>   ,_^_.
> \- -/
>  \_/ \ Armin Jenewein
>  |O o |
>  |_  <   )  3 )
>  / \ /
> /-__,__-\
> 
> 
> 
> 
> 
 



Re: 7.3 -> 7.4 WireGuard AllowedIPs stopped working

2023-10-23 Thread Pierre Peyronnel
@Stefan
> Maybe this 'wg' tool just doesn't display the config correctly?

Good catch, especially after I read the other reply.

@obs...@loopw.com
> are you certain that you upgraded your userland packages after upgrading?

Good catch, I forgot to go through the "After the upgrade" section
which is where I was supposed to run the pkg_add -u
Duh myself.

And thank you both for the advice, I'll move it all to hostname.wg0,
one less dependency in the chain.

Conclusion:
bsd# ifconfig wg0 wgkey 'xxx' wgpeer 'xxx' wgpsk 'xxx' wgaip '10.x.x.10/32'
bsd#
bsd# ifconfig wg0
wg0: flags=80c3 mtu 1420
index 5 priority 0 llprio 3
wgport 51820
wgpubkey xxx
wgpeer xxx
wgpsk (present)
tx: 0, rx: 0
wgaip 10.x.x.10/32
groups: wg
inet 10.x.x.x netmask 0xff00 broadcast 10.x.x.255
bsd#



Re: Delay in starting xterm via ssh after upgrade from 7.3 to 7.4

2023-10-23 Thread Roger Marsh
Philip,

Thanks for reply,

On Sun, 22 Oct 2023 14:39:37 -0700
Philip Guenther  wrote:

> If this had been observed _during_ 7.4 development then it would have been
> simpler to isolate what set of changes caused it.  Since that didn't happen
> you'll have to debug this yourself on the affected systems.  For starters,
> I would suggest turning up ssh logging with the -v option and capturing
> that to a file and comparing the output on working and not working
> systems.  Or ktrace the stuttering processes and see when kdump -T output
> shows as the operations where the delays occurred.
> 
I am planning to binary chop my way through the 7.4 development part of the CVS 
repository, assuming there is a revision before which the problem never occurs 
and after which the problem always occurs, but as yet do not know how long each 
build and test step will take.

Plenty of time, starting now, to see where your suggestions lead.

> 
> As for your "should I have never been doing these this way?" question,
> that's unanswerable without knowing _why_ you had written them that way.
> Using -Y instead of -X to disable XSecurity enforcement?  Why tunnel X
> instead of have the remote client connect directly to the X server?  You
> wrote those to solve some problem, changing that means going back and
> reopening that question, which is probably a distraction from the "why did
> the latency change" question.
> 
Distraction: yes.  But at least you did not say writing the things that way is 
wrong because ..., which I thought was a possibility.

I did get to connecting directly to the X server a couple years ago, I think, 
following private message suggestions on another problem.  However it turned 
out that moving the Xclient role disks to the older hardware on which they now 
sit proved simpler and effective but not perfect.
> 
>

Roger

 
> On Sun, Oct 22, 2023 at 7:22 AM Roger Marsh  wrote:
> 
> > On Thu, 19 Oct 2023 17:23:47 +
> > Roger Marsh  wrote:
> >  
> > > Hi,
> > >
> > > After upgrade from 7.3 to 7.4 (on both boxes) the xterm session for this  
> > entry in .fvwmrc (on monitor):  
> > >
> > > 'Exec exec ssh -Y opendev xterm -title roger@opendev'
> > >
> > > takes several seconds to deliver the xterm window, while I did not  
> > notice any delay before upgrade.  
> > >
> > > For other usernames on opendev the .fvwmrc entry is like (without the  
> > '-X' for most usernames other than grading):  
> > >
> > > 'Exec exec xterm -title grading@opendev -e ssh -X grading@opendev'
> > >
> > > and I do not notice any delay after upgrade compared with before upgrade.
> > >
> > > Expressing the 'roger@opendev' entry as:
> > >
> > > 'Exec exec xterm -title roger@opendev -e ssh -Y roger@opendev'
> > >
> > > fixes the delay problem, but was the delay a predictable consequence of  
> > some change?  Or perhaps the entry should never have been expressed in the
> > way that led to the delay?  
> > >
> > > Below are dmesg and pkg_info for both boxes involved.
> > >
> > > Roger  
> >
> > ...
> > dmesg and pkg_info for monitor and opendev snipped.
> > ...
> >
> > Hi,
> >
> > Later I saw opening files with Python's Idle editor suffers the same
> > pattern of slow response, in terms of serving up the file edit window, as
> > seen with xterm.  Scrolling through an editor window is slower too, and
> > stutters, compared with what was seen when both boxes were at 7.3 (PgUp and
> > PgDn buttons are what I used).
> >
> > One box (gash) had not been upgraded to 7.4 (because I thought it did not
> > have OpenBSD disks).  It was modified, in particular adding Python Idle and
> > Chromium, to see what happens when 7.3 has the Xserver role and 7.4 the
> > Xclient role; and the other way round.
> >
> >                        Idle
> > Xserver   Xclient   Display file window   Scrolling
> >   7.4       7.3     slow                  stutter
> >   7.3       7.4     quick                 smooth
> >   7.4       7.4     slow                  stutter
> >   7.3       7.3     quick                 smooth (from memory: confirmed on reverting)
> >   Same 7.4 box      quick                 smooth
> >
> > Idle is started by 'Exec exec ssh -Y  idle3.10' in .fvwmrc file.
> > Chromium is started by 'Exec exec ssh -X @ chrome' in
> > .fvwmrc file.
> >
> > This behaviour with Python persuades me to revert the OpenBSD 7.4 box
> > (monitor) in the Xserver role to 7.3 until 7.4 or later provides more
> > acceptable response times.
> >
> > Chromium seemed unaffected except for slow response when typing in the URL
> > bar on the separate 7.4 Xserver box.  I thought I could mostly avoid this
> > by starting to use bookmarks, but the effect on Python matters more.
> >
> > Apologies for going off-topic by discussing Python and Chromium rather
> > than xterm: but the Python stuff changes my attitude to the problem from
> > minor annoyance to something which needs an immediate workaround.
> >
> > Below are 
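
Added example, not part of the thread: one way to act on the ktrace/kdump -T suggestion quoted above is to rank the pauses between consecutive trace records. The trace file name, the `top_gaps` helper and the sample records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: rank the longest pauses in `kdump -T` output, per process.
# Real use (trace file name is an assumption):
#   ktrace -i -f ssh.ktrace ssh -Y opendev xterm -title roger@opendev
#   kdump -T -f ssh.ktrace | top_gaps 10

# Constructed sample shaped like kdump -T records:
# pid, command, absolute timestamp, record type, details.
sample_trace() {
cat <<'EOF'
 41234 ssh      1698012345.100200 CALL  connect(3,0x7f7ffffd3a10,16)
 41234 ssh      1698012345.100900 RET   connect 0
 41234 ssh      1698012345.101500 CALL  poll(0x7f7ffffd2c00,1,-1)
 41234 ssh      1698012347.401500 RET   poll 1
 41234 ssh      1698012347.401900 CALL  read(3,0x7f7ffffd1000,0x2000)
 41234 ssh      1698012347.402100 RET   read 96/0x60
EOF
}

# top_gaps N: read kdump -T text on stdin and print the N largest gaps
# between consecutive records of the same pid, as
# "<milliseconds> <record that ended the pause>".
top_gaps() {
    awk '
    {
        ts = ""
        # The timestamp is the first field of the form seconds.fraction.
        for (i = 2; i <= NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]+$/) { ts = $i; break }
        if (ts == "") next            # not a timestamped record
        if ($1 in last)
            printf "%.0f %s\n", (ts - last[$1]) * 1000, $0
        last[$1] = ts
    }' | sort -rn | head -n "${1:-5}"
}

# Demonstration on the constructed sample: the poll return tops the list.
sample_trace | top_gaps 3
```

Long gaps ending in a `RET` from poll or read mark where the process sat waiting; running the same ranking on traces of the fast and the slow .fvwmrc entries shows which waits are new.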

support new

2023-10-23 Thread Solène Rapenne

0
C France
P Bretagne
T Rennes
Z 35000
O Consultant
I Solène Rapenne
M sol...@lambda-solene.eu
U https://www.lambda-solene.eu/
N OpenBSD/FreeBSD/Linux consulting, support, training and system 
administration. Software packaging.



smtpd and honeypot (rspamd)

2023-10-23 Thread kasak

Hello misc!
I'm trying to make a honeypot with smtpd and rspamd

here is some cut from my smtpd.conf:

table honeypot file:/etc/mail/traps
action "trap" mda "/usr/local/bin/rspamc -f 1 -w 10 fuzzy_add"
match !from src  for rcpt-to  action "trap"

the table contains some spoiled addresses from my domain,

and in my action I try to feed mails directly to rspamc, but it looks 
like there is a problem here :(


Oct 23 06:38:06 gater smtpd[71376]: 09ca23ebba479031 smtp failed-command 
command="RCPT TO: " result="550 Invalid recipient: 
"


some experiments showed me, that "normal" delivery methods (for example 
maildir) work fine, and problem is probably in my "action" rule.


Maybe someone has ideas about it?



Re: AAAA entry for openbsd.org

2023-10-23 Thread Kapetanakis Giannis
If you're looking for a mirror to install/update

ftp.cc.uoc.gr runs on both IPv4/IPv6 and is listed in official mirrors.

http://ftp.cc.uoc.gr/mirrors/OpenBSD/

G

On 23/10/2023 08:58, Armin Jenewein wrote:
> No idea what you perceive here as a "rant", my apologies if that seemed
> like one to you, that's not my intention.
>
> FWIW both ftplist1.openbsd.org and ftplist2.openbsd.org have no AAAA
> entry, either.
>
> I don't see what I need to prove here. That's 3 hosts already that don't
> have an AAAA DNS record, so if you're on an IPv6-only link, you can't
> access these. I didn't check ALL the mirrors that the installer has in
> the list, but the one popping up in my list as ftp.spline.de doesn't
> have one, either, so that's just number four.
>
> With prices for IPv4 addresses starting to increase, it surprises me
> that this is still such a heated topic. Nobody asks about removing
> IPv4-connectivity here. Nobody wants to break functionality for v4-only
> users.
>
> I did try installing OpenBSD in v6-only networks, yes. On an IPv6-only
> host it doesn't even suggest a mirror to download from.
>
> My initial mail was about  this one here, nevertheless:
>
> $ ping6 openbsd.org
> ping6: no address associated with name
> $
>
> The fact that all the other hosts I mentioned are v4-only doesn't change
> that situation in any way.
>
> ~ Armin
>
>
>
>
> On 23-10-22 19:29:28, Philip Guenther wrote:
>> On Sun, Oct 22, 2023 at 6:53 PM Armin Jenewein  wrote:
>>
>>> Hi.
>>>
>>> On 23-10-22 15:47:45, Kastus Shchuka wrote:
>>>> On Sun, Oct 22, 2023 at 10:29:08PM +0200, Armin Jenewein wrote:
>>>>> Hi,
>>>>>
>>>>> as I'm almost 100% sure adding IPv6 connectivity to the openbsd.org
>>>>> host
>>>>> wouldn't introduce side-effects for IPv4 users: is there any reason
>>>>> openbsd.org still has no AAAA entry at the end of 2023?
>>>> Why do you need it?
>>> Because it's extremely inconvenient to have to manually type in the name of
>>> a mirror that I know has an AAAA entry. The installer won't even be able
>>> to download the mirror list because of the reason I mentioned. It tries
>>> to talk to openbsd.org which obviously fails.
>>
>> See, this is why being clear about What Fine Problem You're Trying To Solve
>> is important: AFAICT the installer tries to fetch the mirror list from
>> ftplist1.openbsd.org and not from openbsd.org.
>>
>> Can you confirm that your _actual_ request is to have the installer be able
>> to get the mirror list when on an IPv6-only host?
>>
>> (Please don't rant at people who try to help, particularly when doing
>> exactly what you requested would NOT HAVE HELPED, unless you *want* people
>> to drop you in their kill-file as "not worth trying to help".)
>>
>>
>> Philip Guenther