Re: my first patch

2023-10-24 Thread Maria Morisot


> that you're using correct lengths though, it is possible to get things
> wrong and break programs.

I was careful to look at the buffer lengths being written and to match them in 
strlcpy and snprintf. I peeked at the source for instances of strcpy and found 
a lot in xenocara; less in the main source tree.

I'm willing to change these but I need to know how to submit the altered files 
and since it's my first time contributing, I'd love if someone could double 
check a bit of my work.



Re: my first patch

2023-10-24 Thread Maria Morisot
Basically I just changed all instances of strcpy and sprintf to use strlcpy and 
snprintf, because the compiler said to.
> 
> This sort of change should go upstream rather than in ports. Be careful
> that you're using correct lengths though, it is possible to get things
> wrong and break programs.

What does upstream mean, in the main source tree? I would have guessed that 
such changes were already implemented in the main system.

I just want to be a productive member and my programming experience is limited. 
If someone can point me to work that makes a difference doing menial tasks, I'd 
be more than happy to be a code janitor.



OpenBSD xen and AWS

2023-10-24 Thread All
Hi,

There was a time when we could run OpenBSD on AWS.
Antoine Jacoutot did great work to make that possible.
These days, the xnf0 interface is not being initialized. Xen is being
identified as Xen 4.11 (12?) but no xnf interfaces are showing up
after boot. NetBSD has xennet0 being initiated and FreeBSD (I guess) xnb.

Did anyone else face a similar problem?



Re: Iked between OpenBSD and Linux (raspberry pi)

2023-10-24 Thread readme
On Tue, Oct 24, 2023 at 10:56:40PM +0200, Tobias Heider wrote:
>> > > ikev2 "LINUX-CLIENT_INET4_LAN" passive esp \
>> > >   from 10.88.0.0/22 to 10.88.12.0/24 \
>> > >   from 203.0.113.92 to 10.88.12.0/24 \
>> > >   peer any local 203.0.113.92 \
>> > >   ikesa enc aes-256-gcm-12 prf hmac-sha2-512 group ecp521 \
>> > >   childsa enc aes-256-gcm prf hmac-sha2-512 group ecp521 \
>> > >   srcid openbsd-server.example.com dstid linux-client.example.com \
>> > >   lifetime 3600 bytes 1G \
>> > >   psk "123123123" \
>> > >   tag "$name-$id"
>> > > 
>> > > Updated client configuration
>> > > 
>> > > ikev2 "OPENBSD-SERVER_INET4_NETS" active esp \
>> > >   from 10.88.12.0/24 to 10.88.0.0/22 \
>> > >   from 10.88.12.0/24 to 203.0.113.92 \
>> > >   peer openbsd-server.example.com \
>> > >   ikesa enc aes-256-gcm-12 prf hmac-sha2-512 group ecp521 \
>> > >   childsa enc aes-256-gcm prf hmac-sha2-512 group ecp521 \
>> > >   srcid linux-client.example.com dstid openbsd-server.example.com \
>> > >   lifetime 3600 bytes 1G \
>> > >   psk "123123123" \
>> > >   tag "$name-$id"
>> 
>> Does it work if you remove the second "from ... to" line? It looks like the
>> SA payload is malformed, so the flows are the most likely cause.
>
>No that is probably not it.
>
>> > > ikev2_next_payload: length 72 nextpayload SA
>> > > ikev2_add_proposals: length 0
>
>This suggests that it might be the "childsa" option. What happens if you
>use the default for that on both machines?
>

Hi Tobias,

It looks like that fixed the issue; here are flows and logs from both
sides of the connection. Thanks!

SERVER FLOWS

# ipsecctl -sa

FLOWS:
flow esp in from 10.88.12.0/24 to 10.88.0.0/22 peer 192.0.51.56 srcid 
FQDN/openbsd-server.example.com dstid FQDN/linux-client.example.com type require
flow esp in from 10.88.12.0/24 to 203.0.113.92 peer 192.0.51.56 srcid 
FQDN/openbsd-server.example.com dstid FQDN/linux-client.example.com type require
flow esp out from 10.88.0.0/22 to 10.88.12.0/24 peer 192.0.51.56 srcid 
FQDN/openbsd-server.example.com dstid FQDN/linux-client.example.com type require
flow esp out from 203.0.113.92 to 10.88.12.0/24 peer 192.0.51.56 srcid 
FQDN/openbsd-server.example.com dstid FQDN/linux-client.example.com type require

SAD:
esp tunnel from 203.0.113.92 to 192.0.51.56 spi 0xbafd01bf auth hmac-sha2-384 
enc aes-256
esp tunnel from 192.0.51.56 to 203.0.113.92 spi 0xe1da3202 auth hmac-sha2-384 
enc aes-256

CLIENT FLOWS

# ikectl show sa
iked_sas: 0x8ca860 rspi 0xe78e9293b9763424 ispi 0x0836db2645d57812 
172.20.10.7:4500->203.0.113.92:4500[] 
ESTABLISHED i natt udpecap nexti (nil) pol 0x8cbf48
  sa_childsas: 0x8f3650 ESP 0xe1da3202 out 172.20.10.7:4500 -> 
203.0.113.92:4500 (L) B=(nil) P=0x8f36c0 @0x8ca860
  sa_childsas: 0x8f36c0 ESP 0xbafd01bf in 203.0.113.92:4500 -> 172.20.10.7:4500 
(LA) B=(nil) P=0x8f3650 @0x8ca860
  sa_flows: 0x8f2e90 ESP out 10.88.0.0/22 -> 10.88.12.0/24 [0]@-1 (L) @0x8ca860
  sa_flows: 0x8f2ab0 ESP out 10.88.12.0/24 -> 10.88.0.0/22 [0]@-1 (L) @0x8ca860
  sa_flows: 0x8f2ca0 ESP in 10.88.0.0/22 -> 10.88.12.0/24 [0]@-1 (L) @0x8ca860
  sa_flows: 0x8f3460 ESP out 203.0.113.92/32 -> 10.88.12.0/24 [0]@-1 (L) 
@0x8ca860
  sa_flows: 0x8f3080 ESP out 10.88.12.0/24 -> 203.0.113.92/32 [0]@-1 (L) 
@0x8ca860
  sa_flows: 0x8f3270 ESP in 203.0.113.92/32 -> 10.88.12.0/24 [0]@-1 (L) 
@0x8ca860
iked_activesas: 0x8f36c0 ESP 0xbafd01bf in 203.0.113.92:4500 -> 
172.20.10.7:4500 (LA) B=(nil) P=0x8f3650 @0x8ca860
iked_activesas: 0x8f3650 ESP 0xe1da3202 out 172.20.10.7:4500 -> 
203.0.113.92:4500 (L) B=(nil) P=0x8f36c0 @0x8ca860
iked_flows: 0x8f2ca0 ESP in 10.88.0.0/22 -> 10.88.12.0/24 [0]@-1 (L) @0x8ca860
iked_flows: 0x8f3270 ESP in 203.0.113.92/32 -> 10.88.12.0/24 [0]@-1 (L) 
@0x8ca860
iked_flows: 0x8f2ab0 ESP out 10.88.12.0/24 -> 10.88.0.0/22 [0]@-1 (L) @0x8ca860
iked_flows: 0x8f3080 ESP out 10.88.12.0/24 -> 203.0.113.92/32 [0]@-1 (L) 
@0x8ca860
iked_flows: 0x8f2e90 ESP out 10.88.0.0/22 -> 10.88.12.0/24 [0]@-1 (L) @0x8ca860
iked_flows: 0x8f3460 ESP out 203.0.113.92/32 -> 10.88.12.0/24 [0]@-1 (L) 
@0x8ca860
iked_dstid_sas: 0x8ca860 rspi 0xe78e9293b9763424 ispi 0x0836db2645d57812 
172.20.10.7:4500->203.0.113.92:4500[] 
ESTABLISHED i natt udpecap nexti (nil) pol 0x8cbf48



SERVER iked log

# iked -dvv
create_ike: using unknown for peer linux-client.example.com
ikev2 "LINUX-CLIENT_INET4_LAN" passive tunnel esp inet from 10.88.0.0/22 to 
10.88.12.0/24 from 203.0.113.92 to 10.88.12.0/24 local 203.0.113.92 peer any 
ikesa enc aes-256-gcm-12 prf hmac-sha2-512 group ecp521 childsa enc aes-128-gcm 
enc aes-256-gcm group none esn noesn childsa enc aes-256 enc aes-192 enc 
aes-128 auth hmac-sha2-256 auth hmac-sha2-384 auth hmac-sha2-512 auth hmac-sha1 
group none esn noesn srcid openbsd-server.example.com dstid 
linux-client.example.com lifetime 3600 bytes 1073741824 psk 
0x313233313233313233 tag "$name-$id"
/etc/iked.conf: loaded 1 configuration rules
ca_privkey_serialize: type RSA_KEY length 1191
ca_pubkey_serialize: type RSA_KEY 

Re: Iked between OpenBSD and Linux (raspberry pi)

2023-10-24 Thread Tobias Heider
> > > ikev2 "LINUX-CLIENT_INET4_LAN" passive esp \
> > >   from 10.88.0.0/22 to 10.88.12.0/24 \
> > >   from 203.0.113.92 to 10.88.12.0/24 \
> > >   peer any local 203.0.113.92 \
> > >   ikesa enc aes-256-gcm-12 prf hmac-sha2-512 group ecp521 \
> > >   childsa enc aes-256-gcm prf hmac-sha2-512 group ecp521 \
> > >   srcid openbsd-server.example.com dstid linux-client.example.com \
> > >   lifetime 3600 bytes 1G \
> > >   psk "123123123" \
> > >   tag "$name-$id"
> > > 
> > > Updated client configuration
> > > 
> > > ikev2 "OPENBSD-SERVER_INET4_NETS" active esp \
> > >   from 10.88.12.0/24 to 10.88.0.0/22 \
> > >   from 10.88.12.0/24 to 203.0.113.92 \
> > >   peer openbsd-server.example.com \
> > >   ikesa enc aes-256-gcm-12 prf hmac-sha2-512 group ecp521 \
> > >   childsa enc aes-256-gcm prf hmac-sha2-512 group ecp521 \
> > >   srcid linux-client.example.com dstid openbsd-server.example.com \
> > >   lifetime 3600 bytes 1G \
> > >   psk "123123123" \
> > >   tag "$name-$id"
> 
> Does it work if you remove the second "from ... to" line? It looks like the SA
> payload is malformed, so the flows are the most likely cause.

No that is probably not it.

> > > ikev2_next_payload: length 72 nextpayload SA
> > > ikev2_add_proposals: length 0

This suggests that it might be the "childsa" option. What happens if you
use the default for that on both machines?



Re: Iked between OpenBSD and Linux (raspberry pi)

2023-10-24 Thread Tobias Heider
On Tue, Oct 24, 2023 at 10:42:11PM +0200, Tobias Heider wrote:
> On Tue, Oct 24, 2023 at 03:35:57PM -0500, rea...@catastrophe.net wrote:
> > On Tue, Oct 24, 2023 at 03:06:41PM -0500, rea...@catastrophe.net wrote:
> > [..]
> > >$ uname -a
> > >OpenBSD openbsd-server 7.4 GENERIC#1336 amd64
> > >
> > >ikev2 "LINUX-CLIENT_INET4_LAN" passive esp \
> > >  from 10.88.0.0/22 to 10.88.12.0/24 \
> > >  from 203.0.113.92 to 10.88.12.0/24 \
> > >  peer any local openbsd-server.example.com \
> > >  ikesa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group ecp521 \
> > >   childsa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group ecp521 \
> > >  srcid openbsd-server.example.com dstid linux-client.example.com \
> > >  ikelifetime 4h \
> > >  psk "123123123" \
> > >  tag "$name-$id"
> > >
> > >Client configuration
> > >
> > ># uname -a
> > >Linux linux-client 6.1.14-v7+ #1633 SMP Thu Mar  2 11:02:03 GMT 2023 
> > >armv7l GNU/Linux
> > >
> > >ikev2 "OPENBSD-SERVER_INET4_NETS" active esp \
> > >  from 10.88.12.0/24 to 10.88.0.0/22 \
> > >  from 10.88.12.0/24 to 203.0.113.92 \
> > >  peer 203.0.113.92 \
> > >  ikesa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group ecp521 \
> > >   childsa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group ecp521 \
> > >  srcid openbsd-server.example.com dstid linux-client.example.com \
> > >  ikelifetime 4h \
> > >  psk "123123123" \
> > >  tag "$name-$id"
> 
> One thing that is clearly wrong is the IDs. The client should probably use:
> 
>srcid linux-client.example.com dstid openbsd-server.example.com \

urgh just saw that you already fixed that.

> 
> > 
> > 
> > So some of these were a bit backwards. I fixed the configurations but am 
> > now seeing the following on the server side:
> > 
> > Oct 24 15:22:10 openbsd-server iked[12052]: spi=0x84023eb6ab6a9d33: 
> > ikev2_resp_recv: failed to parse message
> > 
> > Updated server configuration
> > 
> > ikev2 "LINUX-CLIENT_INET4_LAN" passive esp \
> >   from 10.88.0.0/22 to 10.88.12.0/24 \
> >   from 203.0.113.92 to 10.88.12.0/24 \
> >   peer any local 203.0.113.92 \
> >   ikesa enc aes-256-gcm-12 prf hmac-sha2-512 group ecp521 \
> >   childsa enc aes-256-gcm prf hmac-sha2-512 group ecp521 \
> >   srcid openbsd-server.example.com dstid linux-client.example.com \
> >   lifetime 3600 bytes 1G \
> >   psk "123123123" \
> >   tag "$name-$id"
> > 
> > Updated client configuration
> > 
> > ikev2 "OPENBSD-SERVER_INET4_NETS" active esp \
> >   from 10.88.12.0/24 to 10.88.0.0/22 \
> >   from 10.88.12.0/24 to 203.0.113.92 \
> >   peer openbsd-server.example.com \
> >   ikesa enc aes-256-gcm-12 prf hmac-sha2-512 group ecp521 \
> >   childsa enc aes-256-gcm prf hmac-sha2-512 group ecp521 \
> >   srcid linux-client.example.com dstid openbsd-server.example.com \
> >   lifetime 3600 bytes 1G \
> >   psk "123123123" \
> >   tag "$name-$id"

Does it work if you remove the second "from ... to" line? It looks like the SA
payload is malformed, so the flows are the most likely cause.

> > 
> > 
> > Full logs are below
> > 
> > Server Logs
> > 
> > # iked -dvv
> > policy_lookup: setting policy 'LINUX-CLIENT_INET4_LAN'
> > spi=0xb825bd62181aa707: recv IKE_SA_INIT req 0 peer 192.0.51.245:23804
> > local 203.0.113.92:500, 330 bytes, policy 'LINUX-CLIENT_INET4_LAN'
> > ikev2_recv: ispi 0xb825bd62181aa707 rspi 0x
> > ikev2_policy2id: srcid FQDN/openbsd-server.example.com length 23
> > ikev2_pld_parse: header ispi 0xb825bd62181aa707 rspi 0x
> > nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length
> > 330 response 0
> > ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 40
> > ikev2_pld_sa: more 0 reserved 0 length 36 proposal #1 protoid IKE spisize 0
> > xforms 3 spi 0
> > ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
> > ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> > ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
> > ikev2_pld_xform: more 0 reserved 0 length 8 type PRF id HMAC_SHA2_512
> > ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 140
> > ikev2_pld_ke: dh group ECP_521 reserved 0
> > ikev2_pld_payloads: payload NONCE nextpayload VENDOR critical 0x00 length 36
> > ikev2_pld_payloads: payload VENDOR nextpayload NOTIFY critical 0x00 length
> > 16
> > ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
> > 28
> > ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> > ikev2_nat_detection: peer source 0xb825bd62181aa707 0x
> > 192.0.51.245:23804
> > ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT
> > ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
> > 28
> > ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> > ikev2_nat_detection: peer destination 0xb825bd62181aa707 0x
> > 203.0.113.92:500
> > ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 

Re: Iked between OpenBSD and Linux (raspberry pi)

2023-10-24 Thread Tobias Heider
On Tue, Oct 24, 2023 at 03:35:57PM -0500, rea...@catastrophe.net wrote:
> On Tue, Oct 24, 2023 at 03:06:41PM -0500, rea...@catastrophe.net wrote:
> [..]
> >$ uname -a
> >OpenBSD openbsd-server 7.4 GENERIC#1336 amd64
> >
> >ikev2 "LINUX-CLIENT_INET4_LAN" passive esp \
> >  from 10.88.0.0/22 to 10.88.12.0/24 \
> >  from 203.0.113.92 to 10.88.12.0/24 \
> >  peer any local openbsd-server.example.com \
> >  ikesa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group ecp521 \
> >   childsa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group ecp521 \
> >  srcid openbsd-server.example.com dstid linux-client.example.com \
> >  ikelifetime 4h \
> >  psk "123123123" \
> >  tag "$name-$id"
> >
> >Client configuration
> >
> ># uname -a
> >Linux linux-client 6.1.14-v7+ #1633 SMP Thu Mar  2 11:02:03 GMT 2023 armv7l 
> >GNU/Linux
> >
> >ikev2 "OPENBSD-SERVER_INET4_NETS" active esp \
> >  from 10.88.12.0/24 to 10.88.0.0/22 \
> >  from 10.88.12.0/24 to 203.0.113.92 \
> >  peer 203.0.113.92 \
> >  ikesa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group ecp521 \
> >   childsa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group ecp521 \
> >  srcid openbsd-server.example.com dstid linux-client.example.com \
> >  ikelifetime 4h \
> >  psk "123123123" \
> >  tag "$name-$id"

One thing that is clearly wrong is the IDs. The client should probably use:

   srcid linux-client.example.com dstid openbsd-server.example.com \

> 
> 
> So some of these were a bit backwards. I fixed the configurations but am 
> now seeing the following on the server side:
> 
> Oct 24 15:22:10 openbsd-server iked[12052]: spi=0x84023eb6ab6a9d33: 
> ikev2_resp_recv: failed to parse message
> 
> Updated server configuration
> 
> ikev2 "LINUX-CLIENT_INET4_LAN" passive esp \
>   from 10.88.0.0/22 to 10.88.12.0/24 \
>   from 203.0.113.92 to 10.88.12.0/24 \
>   peer any local 203.0.113.92 \
>   ikesa enc aes-256-gcm-12 prf hmac-sha2-512 group ecp521 \
>   childsa enc aes-256-gcm prf hmac-sha2-512 group ecp521 \
>   srcid openbsd-server.example.com dstid linux-client.example.com \
>   lifetime 3600 bytes 1G \
>   psk "123123123" \
>   tag "$name-$id"
> 
> Updated client configuration
> 
> ikev2 "OPENBSD-SERVER_INET4_NETS" active esp \
>   from 10.88.12.0/24 to 10.88.0.0/22 \
>   from 10.88.12.0/24 to 203.0.113.92 \
>   peer openbsd-server.example.com \
>   ikesa enc aes-256-gcm-12 prf hmac-sha2-512 group ecp521 \
>   childsa enc aes-256-gcm prf hmac-sha2-512 group ecp521 \
>   srcid linux-client.example.com dstid openbsd-server.example.com \
>   lifetime 3600 bytes 1G \
>   psk "123123123" \
>   tag "$name-$id"
> 
> 
> Full logs are below
> 
> Server Logs
> 
> # iked -dvv
> policy_lookup: setting policy 'LINUX-CLIENT_INET4_LAN'
> spi=0xb825bd62181aa707: recv IKE_SA_INIT req 0 peer 192.0.51.245:23804
> local 203.0.113.92:500, 330 bytes, policy 'LINUX-CLIENT_INET4_LAN'
> ikev2_recv: ispi 0xb825bd62181aa707 rspi 0x
> ikev2_policy2id: srcid FQDN/openbsd-server.example.com length 23
> ikev2_pld_parse: header ispi 0xb825bd62181aa707 rspi 0x
> nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length
> 330 response 0
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 40
> ikev2_pld_sa: more 0 reserved 0 length 36 proposal #1 protoid IKE spisize 0
> xforms 3 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
> ikev2_pld_xform: more 0 reserved 0 length 8 type PRF id HMAC_SHA2_512
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 140
> ikev2_pld_ke: dh group ECP_521 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload VENDOR critical 0x00 length 36
> ikev2_pld_payloads: payload VENDOR nextpayload NOTIFY critical 0x00 length
> 16
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
> 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_nat_detection: peer source 0xb825bd62181aa707 0x
> 192.0.51.245:23804
> ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
> 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> ikev2_nat_detection: peer destination 0xb825bd62181aa707 0x
> 203.0.113.92:500
> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
> ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
> ikev2_pld_notify: signature hash SHA2_256 (2)
> ikev2_pld_notify: signature hash SHA2_384 (3)
> ikev2_pld_notify: signature hash SHA2_512 (4)
> proposals_negotiate: score 3
> proposals_negotiate: score 0
> proposals_negotiate: score 0
> proposals_negotiate: score 0
> proposals_negotiate: score 0
> proposals_negotiate: score 0
> proposals_negotiate: score 0
> proposals_negotiate: score 3
> 

Re: my first patch

2023-10-24 Thread Jan Stary
On Oct 24 22:09:02, a...@caoua.org wrote:
> faad -w file.m4a | cat >file.wav
> results in a file with a zero-size data chunk (because faad couldn't
> seek to the beginning of the file to fix up the header). aucat,
> audacious, audacity and sox can't play it; mpv and ffplay can.

SoX's play --ignore-length can play it.



Re: Iked between OpenBSD and Linux (raspberry pi)

2023-10-24 Thread readme
On Tue, Oct 24, 2023 at 03:06:41PM -0500, rea...@catastrophe.net wrote:
[..]
>$ uname -a
>OpenBSD openbsd-server 7.4 GENERIC#1336 amd64
>
>ikev2 "LINUX-CLIENT_INET4_LAN" passive esp \
>  from 10.88.0.0/22 to 10.88.12.0/24 \
>  from 203.0.113.92 to 10.88.12.0/24 \
>  peer any local openbsd-server.example.com \
>  ikesa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group ecp521 \
>   childsa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group ecp521 \
>  srcid openbsd-server.example.com dstid linux-client.example.com \
>  ikelifetime 4h \
>  psk "123123123" \
>  tag "$name-$id"
>
>Client configuration
>
># uname -a
>Linux linux-client 6.1.14-v7+ #1633 SMP Thu Mar  2 11:02:03 GMT 2023 armv7l 
>GNU/Linux
>
>ikev2 "OPENBSD-SERVER_INET4_NETS" active esp \
>  from 10.88.12.0/24 to 10.88.0.0/22 \
>  from 10.88.12.0/24 to 203.0.113.92 \
>  peer 203.0.113.92 \
>  ikesa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group ecp521 \
>   childsa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group ecp521 \
>  srcid openbsd-server.example.com dstid linux-client.example.com \
>  ikelifetime 4h \
>  psk "123123123" \
>  tag "$name-$id"


So some of these were a bit backwards. I fixed the configurations but am 
now seeing the following on the server side:

Oct 24 15:22:10 openbsd-server iked[12052]: spi=0x84023eb6ab6a9d33: 
ikev2_resp_recv: failed to parse message

Updated server configuration

ikev2 "LINUX-CLIENT_INET4_LAN" passive esp \
  from 10.88.0.0/22 to 10.88.12.0/24 \
  from 203.0.113.92 to 10.88.12.0/24 \
  peer any local 203.0.113.92 \
  ikesa enc aes-256-gcm-12 prf hmac-sha2-512 group ecp521 \
   childsa enc aes-256-gcm prf hmac-sha2-512 group ecp521 \
  srcid openbsd-server.example.com dstid linux-client.example.com \
  lifetime 3600 bytes 1G \
  psk "123123123" \
  tag "$name-$id"

Updated client configuration

ikev2 "OPENBSD-SERVER_INET4_NETS" active esp \
  from 10.88.12.0/24 to 10.88.0.0/22 \
  from 10.88.12.0/24 to 203.0.113.92 \
  peer openbsd-server.example.com \
  ikesa enc aes-256-gcm-12 prf hmac-sha2-512 group ecp521 \
   childsa enc aes-256-gcm prf hmac-sha2-512 group ecp521 \
  srcid linux-client.example.com dstid openbsd-server.example.com \
  lifetime 3600 bytes 1G \
  psk "123123123" \
  tag "$name-$id"


Full logs are below

Server Logs

# iked -dvv
policy_lookup: setting policy 'LINUX-CLIENT_INET4_LAN'
spi=0xb825bd62181aa707: recv IKE_SA_INIT req 0 peer 192.0.51.245:23804
local 203.0.113.92:500, 330 bytes, policy 'LINUX-CLIENT_INET4_LAN'
ikev2_recv: ispi 0xb825bd62181aa707 rspi 0x
ikev2_policy2id: srcid FQDN/openbsd-server.example.com length 23
ikev2_pld_parse: header ispi 0xb825bd62181aa707 rspi 0x
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length
330 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 40
ikev2_pld_sa: more 0 reserved 0 length 36 proposal #1 protoid IKE spisize 0
xforms 3 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
ikev2_pld_xform: more 0 reserved 0 length 8 type PRF id HMAC_SHA2_512
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 140
ikev2_pld_ke: dh group ECP_521 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload VENDOR critical 0x00 length 36
ikev2_pld_payloads: payload VENDOR nextpayload NOTIFY critical 0x00 length
16
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0xb825bd62181aa707 0x
192.0.51.245:23804
ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length
28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0xb825bd62181aa707 0x
203.0.113.92:500
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_pld_notify: signature hash SHA2_256 (2)
ikev2_pld_notify: signature hash SHA2_384 (3)
ikev2_pld_notify: signature hash SHA2_512 (4)
proposals_negotiate: score 3
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 0
proposals_negotiate: score 3
policy_lookup: setting policy 'LINUX-CLIENT_INET4_LAN'
spi=0xb825bd62181aa707: sa_state: INIT -> SA_INIT
proposals_negotiate: score 3
sa_stateok: SA_INIT flags 0x, require 0x 
sa_stateflags: 0x -> 0x0020 sa (required 0x )
spi=0xb825bd62181aa707: ikev2_sa_keys: DHSECRET with 66 bytes
ikev2_sa_keys: SKEYSEED with 64 bytes
spi=0xb825bd62181aa707: ikev2_sa_keys: S with 80 bytes
ikev2_prfplus: T1 with 64 bytes
ikev2_prfplus: T2 with 64 

Re: ImageMagick fails on OpenBSD 7.4 fresh install

2023-10-24 Thread Stuart Henderson
On 2023-10-22, Mark wrote:
> pkg_add ImageMagick-6.9.12.88p0 gives me;
>
> (after fetching few libraries)
>
> "Can't install ImageMagick-6.9.12.88p0: can't resolve
> djvulibre-3.5.28p1,libheif-1.16.2p0"
>
> and then;
> "Couldn't install ImageMagick-6.9.12.88p0 djvulibre-3.5.28p1
> libheif-1.16.2p0."
>
> This is a fresh OpenBSD 7.4 amd64 release. My installurl is pointed to
> cdn.openbsd.org/pub/OpenBSD.
>
> Any other php packages were installed fine. But both pecl80-imagick-3.7.0p1
> and ImageMagick fail.
>
> Some idea would be much appreciated!

There was an issue with the gtk-update-icon-cache update between 7.3 and
7.4 (switching from gtk+3 to gtk+4) which causes this.

Try simply rerunning pkg_add -u, it has fixed things for me.

-- 
Please keep replies on the mailing list.



Re: Iked between OpenBSD and Linux (raspberry pi)

2023-10-24 Thread Tobias Heider
Hi,

On Tue, Oct 24, 2023 at 03:06:41PM -0500, rea...@catastrophe.net wrote:
> I have a small raspberry pi device that I'd like to connect to a 7.4
> machine with iked(8) and PSK auth, to start. The rpi device is going 
> to be on a mobile network and behind a small NAT device. 
> 
> I haven't had any problem with the following configurations between 
> two OpenBSD devices, but the rpi fails to connect with a similar config.
> 
> Has anyone gotten a rpi connected to a 7.4 (or whatever other version 
> running iked(8)) with the available OpenIKED package?
> 
> Thanks for any help in advance.

Can you add verbose server logs too? I don't see any obvious incompatibility.

- Tobias

> 
> 
> Server configuration
> 
> $ uname -a
> OpenBSD openbsd-server 7.4 GENERIC#1336 amd64
> 
> ikev2 "LINUX-CLIENT_INET4_LAN" passive esp \
>   from 10.88.0.0/22 to 10.88.12.0/24 \
>   from 203.0.113.92 to 10.88.12.0/24 \
>   peer any local openbsd-server.example.com \
>   ikesa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group ecp521 \
>   childsa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group ecp521 \
>   srcid openbsd-server.example.com dstid linux-client.example.com \
>   ikelifetime 4h \
>   psk "123123123" \
>   tag "$name-$id"
> 
> Client configuration
> 
> # uname -a
> Linux linux-client 6.1.14-v7+ #1633 SMP Thu Mar  2 11:02:03 GMT 2023 armv7l 
> GNU/Linux
> 
> ikev2 "OPENBSD-SERVER_INET4_NETS" active esp \
>   from 10.88.12.0/24 to 10.88.0.0/22 \
>   from 10.88.12.0/24 to 203.0.113.92 \
>   peer 203.0.113.92 \
>   ikesa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group ecp521 \
>   childsa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group ecp521 \
>   srcid openbsd-server.example.com dstid linux-client.example.com \
>   ikelifetime 4h \
>   psk "123123123" \
>   tag "$name-$id"
> 
> 
> Server logs
> 
> openbsd-server# tail /var/log/daemon
> Oct 24 14:46:14 obsd-server iked[6925]: spi=0x55dc1e4f08b3ac60: recv 
> IKE_SA_INIT req 0 peer 192.0.51.213:59458 local 203.0.113.92:500, 338 bytes, 
> policy 'LINUX-CLIENT_INET4_LAN'
> Oct 24 14:46:14 obsd-server iked[6925]: spi=0x55dc1e4f08b3ac60: send 
> IKE_SA_INIT res 0 peer 192.0.51.213:59458 local 203.0.113.92:500, 338 bytes
> Oct 24 14:46:14 obsd-server iked[6925]: spi=0x55dc1e4f08b3ac60: recv IKE_AUTH 
> req 1 peer 192.0.51.213:54016 local 203.0.113.92:4500, 320 bytes, policy 
> 'LINUX-CLIENT_INET4_LAN'
> Oct 24 14:46:14 obsd-server iked[6925]: spi=0x55dc1e4f08b3ac60: 
> ikev2_ike_auth_recv: no compatible policy found
> Oct 24 14:46:14 obsd-server iked[6925]: spi=0x55dc1e4f08b3ac60: 
> ikev2_send_auth_failed: authentication failed for
> Oct 24 14:46:14 obsd-server iked[6925]: spi=0x55dc1e4f08b3ac60: send IKE_AUTH 
> res 1 peer 192.0.51.213:54016 local 203.0.113.92:4500, 96 bytes, NAT-T
> Oct 24 14:46:14 obsd-server iked[6925]: spi=0x55dc1e4f08b3ac60: sa_free: 
> authentication failed
> 
> Client logs
> 
> linux-client# iked -ddvv
> create_ike: using unknown for peer linux-client.example.com
> ikev2 "OPENBSD-SERVER_INET4_NETS" active tunnel esp inet from 10.88.12.0/24 
> to 10.88.0.0/22 from 10.88.12.0/24 to 203.0.113.92 local any peer 
> 203.0.113.92 ikesa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group 
> ecp521 childsa enc aes-256 auth hmac-sha2-512 group ecp521 noesn srcid 
> openbsd-server.example.com dstid linux-client.example.com ikelifetime 14400 
> lifetime 10800 bytes 4294967296 psk 
> 0x746869732d69732d612d6c6f6e672d746573742d70772d39 tag "$name-$id"
> /etc/iked.conf: loaded 1 configuration rules
> ca_privkey_serialize: type ECDSA length 121
> ca_pubkey_serialize: type ECDSA length 91
> config_getpolicy: received policy
> config_getpfkey: received pfkey fd 3
> ca_privkey_to_method: type ECDSA method ECDSA_256
> ca_getkey: received private key type ECDSA length 121
> ca_getkey: received public key type ECDSA length 91
> ca_dispatch_parent: config reset
> ca_reload: local cert type ECDSA
> config_getocsp: ocsp_url none tolerate 0 maxage -1
> ikev2_dispatch_cert: updated local CERTREQ type ECDSA length 0
> config_getcompile: compilation done
> config_getsocket: received socket fd 4
> config_getsocket: received socket fd 5
> config_getsocket: received socket fd 6
> config_getsocket: received socket fd 7
> config_getstatic: dpd_check_interval 60
> config_getstatic: no enforcesingleikesa
> config_getstatic: no fragmentation
> config_getstatic: mobike
> config_getstatic: nattport 4500
> config_getstatic: no stickyaddress
> ikev2_init_ike_sa: initiating "OPENBSD-SERVER_INET4_NETS"
> ikev2_policy2id: srcid FQDN/openbsd-server.example.com length 23
> ikev2_add_proposals: length 44
> ikev2_next_payload: length 48 nextpayload KE
> ikev2_next_payload: length 140 nextpayload NONCE
> ikev2_next_payload: length 36 nextpayload VENDOR
> ikev2_next_payload: length 16 nextpayload NOTIFY
> ikev2_nat_detection: local source 0x55dc1e4f08b3ac60 0x 
> 0.0.0.0:500
> ikev2_next_payload: length 28 nextpayload NOTIFY
> ikev2_nat_detection: local 

Re: my first patch

2023-10-24 Thread Stuart Henderson
On 2023-10-24, Lucretia wrote:
> I made my first patch!
>
> To devel/dwz, I'm not sure how to submit it, or if it's even useful to anyone.
>
> Basically I just changed all instances of strcpy and sprintf to use strlcpy 
> and snprintf, because the compiler said to.

This sort of change should go upstream rather than in ports. Be careful
that you're using correct lengths though, it is possible to get things
wrong and break programs.
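Added illustration of the "correct lengths" caveat above; this is example code, not anything from the thread or from devel/dwz. It puts a bounded copy that gets the real destination size next to the classic mechanical-conversion mistake (sizeof() applied to a pointer parameter) and a path builder that refuses to return a silently truncated result. snprintf() stands in for strlcpy() because every libc has it; strlcpy() signals truncation the same way, by returning the length it wanted to copy.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added illustration, not from the thread. snprintf() stands in for strlcpy():
 * both return the length they wanted to write, so a result >= dstsize means
 * the copy was truncated.
 */

/* Right: the caller passes the true size of dst. Returns 0, or -1 when src did
 * not fit (dst is still NUL-terminated, just cut short). */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    int n = snprintf(dst, dstsize, "%s", src);
    return (n >= 0 && (size_t)n < dstsize) ? 0 : -1;
}

/* Wrong: a mechanical strcpy(dst, src) -> snprintf(dst, sizeof(dst), ...) edit
 * inside a function whose dst is a pointer parameter. sizeof(dst) is then
 * sizeof(char *), so anything longer than 7 (or 3) bytes is silently cut.
 * Returns the size that was actually used, so the mistake can be observed. */
size_t copy_sizeof_pointer(char *dst, const char *src)
{
    size_t wrong = sizeof(dst);     /* BUG: size of the pointer, not the array */
    snprintf(dst, wrong, "%s", src);
    return wrong;
}

/* How a silent truncation "breaks programs": "<dir>/<name>" cut short names a
 * different file. Refuse to hand back a truncated path at all. */
int join_path(char *out, size_t outsize, const char *dir, const char *name)
{
    int n = snprintf(out, outsize, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= outsize) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[8], path[16];
    printf("copy_bounded -> %d, buf=\"%s\"\n",
        copy_bounded(buf, sizeof(buf), "this is too long"), buf);
    printf("copy_sizeof_pointer used %zu bytes, buf=\"%s\"\n",
        copy_sizeof_pointer(buf, "abcdefghijkl"), buf);
    printf("join_path -> %d, path=\"%s\"\n",
        join_path(path, sizeof(path), "/var/db/pkg", "very-long-name"), path);
    return 0;
}
```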




Re: my first patch

2023-10-24 Thread Alexandre Ratchov
On Wed, Oct 25, 2023 at 12:06:05AM +0600, Maria Morisot wrote:
> 
> I don't have a test machine and I'm trying to keep my installation
> as simple as possible, but if anyone wants to try piping a wav file
> into mplayer or ffplay, I'd be interested in the results. Does it
> work?

faad -o file.wav file.m4a

results in a file.wav that aucat and most players can play.

faad -w file.m4a | cat >file.wav

results in a file with a zero-size data chunk (because faad couldn't
seek to the beginning of the file to fix up the header). aucat,
audacious, audacity and sox can't play it; mpv and ffplay can.

Here's a diff for aucat to cope with such files:

  - if the header indicates zero-size data chunk, try to play the data
until the end of the file is reached

  - if there are small sections to skip (padding for alignment or
meta info), then read it instead of using lseek(2)

  - short reads are allowed for pipes, so when reading the headers,
retry if needed.

please test

Index: afile.c
===
RCS file: /cvs/src/usr.bin/aucat/afile.c,v
diff -u -p -r1.12 afile.c
--- afile.c 27 Mar 2023 15:36:18 -  1.12
+++ afile.c 24 Oct 2023 20:05:30 -
@@ -217,14 +217,60 @@ be32_set(be32_t *p, unsigned int v)
 }
 
 static int
+afile_readseg(struct afile *f, void *addr, size_t size)
+{
+   ssize_t n;
+
+   /*
+* retry as pipes may return fewer bytes than requested
+*/
+   while (size > 0) {
+   n = read(f->fd, addr, size);
+   if (n == 0 || n == -1)
+   return 0;
+   addr = (char *)addr + n;
+   size -= n;
+   f->curpos += n;
+   }
+   return 1;
+}
+
+static int
+afile_setpos(struct afile *f, off_t pos)
+{
+   static char unused[512];
+   off_t off = pos - f->curpos;
+
+   /*
+* seek only if needed (to avoid errors with pipes)
+*/
+   if (off != 0) {
+   /*
+* to skip few bytes only (padding, meta-info), simply read
+* them instead of using lseek(2)
+*/
+   if (off > 0 && off <= sizeof(unused)) {
+   log_puts("reading\n");
+   return afile_readseg(f, unused, off);
+   }
+
+   log_puts("seeking\n");
+   if (lseek(f->fd, pos, SEEK_SET) == -1)
+   return 0;
+   f->curpos = pos;
+   }
+   return 1;
+}
+
+static int
 afile_readhdr(struct afile *f, void *addr, size_t size)
 {
-   if (lseek(f->fd, 0, SEEK_SET) == -1) {
+   if (!afile_setpos(f, 0)) {
log_puts(f->path);
log_puts(": failed to seek to beginning of file\n");
return 0;
}
-   if (read(f->fd, addr, size) != size) {
+   if (!afile_readseg(f, addr, size)) {
log_puts(f->path);
log_puts(": failed to read header\n");
return 0;
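Review bot: afile_setpos still falls back to lseek(2) for any forward skip larger than sizeof(unused) (512 bytes), and that is exactly the call that fails on a pipe; since every forward move can be done by reading, loop over the scratch buffer instead of giving up, e.g. `while (off > 0) { n = off < sizeof(unused) ? off : sizeof(unused); if (!afile_readseg(f, unused, n)) return 0; off -= n; }`, and keep lseek(2) only for backward moves (off < 0), which genuinely cannot work on a pipe. A LIST/INFO or other metadata chunk placed before the data chunk can easily exceed 512 bytes, so the fallback would be hit on real streams. The unconditional `log_puts("reading\n")` and `log_puts("seeking\n")` look like leftover debug output: they print on every chunk, at any log level, without f->path; gate them on log_level or drop them before committing. Minor: `off <= sizeof(unused)` compares a signed off_t with a size_t; the preceding `off > 0` makes it safe, but a cast silences the sign-compare warning.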
@@ -301,7 +347,7 @@ afile_wav_readfmt(struct afile *f, unsig
}
if (csize > WAV_FMT_EXT_SIZE)
csize = WAV_FMT_EXT_SIZE;
-   if (read(f->fd, , csize) != csize) {
+   if (!afile_readseg(f, , csize)) {
log_puts(f->path);
log_puts(": failed to read format chunk\n");
return 0;
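Review bot: afile_readseg returns 0 both at EOF (n == 0) and on a read(2) error (n == -1), so this "failed to read format chunk" message, and the same message in the other callers, can no longer tell a stream that simply ended from an I/O error, and errno is not reported. Either log strerror(errno) inside afile_readseg when n == -1, or return a distinct value for EOF so callers can word the message accordingly; for someone piping from faad, the difference between a truncated stream and a broken pipe is the useful diagnostic.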
@@ -377,7 +423,7 @@ afile_wav_readhdr(struct afile *f)
log_puts(": missing data chunk\n");
return 0;
}
-   if (read(f->fd, , sizeof(chunk)) != sizeof(chunk)) {
+   if (!afile_readseg(f, , sizeof(chunk))) {
log_puts(f->path);
log_puts(": failed to read chunk header\n");
return 0;
@@ -389,7 +435,15 @@ afile_wav_readhdr(struct afile *f)
fmt_done = 1;
} else if (memcmp(chunk.id, wav_id_data, 4) == 0) {
f->startpos = pos + sizeof(riff) + sizeof(chunk);
-   f->endpos = f->startpos + csize;
+   if (csize > 0)
+   f->endpos = f->startpos + csize;
+   else {
+   if (log_level >= 2) {
+   log_puts(f->path);
+   log_puts(": reading to end-fo-file\n");
+   }
+   f->endpos = -1; /* read until EOF */
+   }
break;
} else {
 #ifdef DEBUG
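Review bot: the message in the new else branch reads "reading to end-fo-file"; that should be "end-of-file". More importantly, `f->endpos = -1` introduces a sentinel that every later user of endpos must know about: any `curpos < endpos` comparison or `endpos - curpos` remaining-bytes computation will now see a negative value (or, if endpos is unsigned, a huge one), so afile_read() and any other consumer need a matching `endpos == -1` case before this goes in. Two smaller points: a data chunk whose csize is genuinely 0 and is followed by further chunks (a trailing LIST, for instance) will now have those chunks played as samples, and writers that cannot seek back commonly use 0xFFFFFFFF rather than 0 to mark an unknown size, so treating both values as "read until EOF" would cover more piped input.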
@@ -404,7 +458,7 @@ afile_wav_readhdr(struct afile *f)
 * next chunk
 */
pos += sizeof(struct wav_chunk) + csize;
-   if (lseek(f->fd, sizeof(riff) + pos, SEEK_SET) == -1) {
+   if (!afile_setpos(f, sizeof(riff) + pos)) {
log_puts(f->path);
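Review bot: the context line `pos += sizeof(struct wav_chunk) + csize;` ignores RIFF's word alignment: a chunk with an odd csize is followed by one pad byte, so the next chunk header is read one byte early and the walk derails on such files. Now that small forward moves are done by reading rather than seeking, adding `(csize & 1)` to the advance costs nothing and makes the skip land on the real next chunk.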

Iked between OpenBSD and Linux (raspberry pi)

2023-10-24 Thread readme
I have a small raspberry pi device that I'd like to connect to a 7.4
machine with iked(8) and PSK auth, to start. The rpi device is going 
to be on a mobile network and behind a small NAT device. 

I haven't had any problem with the following configurations between 
two OpenBSD devices, but the rpi fails to connect with a similar config.

Has anyone gotten a rpi connected to a 7.4 (or whatever other version 
running iked(8)) with the available OpenIKED package?

Thanks for any help in advance.


Server configuration

$ uname -a
OpenBSD openbsd-server 7.4 GENERIC#1336 amd64

ikev2 "LINUX-CLIENT_INET4_LAN" passive esp \
  from 10.88.0.0/22 to 10.88.12.0/24 \
  from 203.0.113.92 to 10.88.12.0/24 \
  peer any local openbsd-server.example.com \
  ikesa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group ecp521 \
   childsa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group ecp521 \
  srcid openbsd-server.example.com dstid linux-client.example.com \
  ikelifetime 4h \
  psk "123123123" \
  tag "$name-$id"

Client configuration

# uname -a
Linux linux-client 6.1.14-v7+ #1633 SMP Thu Mar  2 11:02:03 GMT 2023 armv7l GNU/Linux

ikev2 "OPENBSD-SERVER_INET4_NETS" active esp \
  from 10.88.12.0/24 to 10.88.0.0/22 \
  from 10.88.12.0/24 to 203.0.113.92 \
  peer 203.0.113.92 \
  ikesa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group ecp521 \
   childsa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group ecp521 \
  srcid openbsd-server.example.com dstid linux-client.example.com \
  ikelifetime 4h \
  psk "123123123" \
  tag "$name-$id"


Server logs

openbsd-server# tail /var/log/daemon
Oct 24 14:46:14 obsd-server iked[6925]: spi=0x55dc1e4f08b3ac60: recv 
IKE_SA_INIT req 0 peer 192.0.51.213:59458 local 203.0.113.92:500, 338 bytes, 
policy 'LINUX-CLIENT_INET4_LAN'
Oct 24 14:46:14 obsd-server iked[6925]: spi=0x55dc1e4f08b3ac60: send 
IKE_SA_INIT res 0 peer 192.0.51.213:59458 local 203.0.113.92:500, 338 bytes
Oct 24 14:46:14 obsd-server iked[6925]: spi=0x55dc1e4f08b3ac60: recv IKE_AUTH 
req 1 peer 192.0.51.213:54016 local 203.0.113.92:4500, 320 bytes, policy 
'LINUX-CLIENT_INET4_LAN'
Oct 24 14:46:14 obsd-server iked[6925]: spi=0x55dc1e4f08b3ac60: 
ikev2_ike_auth_recv: no compatible policy found
Oct 24 14:46:14 obsd-server iked[6925]: spi=0x55dc1e4f08b3ac60: 
ikev2_send_auth_failed: authentication failed for
Oct 24 14:46:14 obsd-server iked[6925]: spi=0x55dc1e4f08b3ac60: send IKE_AUTH 
res 1 peer 192.0.51.213:54016 local 203.0.113.92:4500, 96 bytes, NAT-T
Oct 24 14:46:14 obsd-server iked[6925]: spi=0x55dc1e4f08b3ac60: sa_free: 
authentication failed

Client logs

linux-client# iked -ddvv
create_ike: using unknown for peer linux-client.example.com
ikev2 "OPENBSD-SERVER_INET4_NETS" active tunnel esp inet from 10.88.12.0/24 to 
10.88.0.0/22 from 10.88.12.0/24 to 203.0.113.92 local any peer 203.0.113.92 
ikesa enc aes-256 prf hmac-sha2-512 auth hmac-sha2-512 group ecp521 childsa enc 
aes-256 auth hmac-sha2-512 group ecp521 noesn srcid openbsd-server.example.com 
dstid linux-client.example.com ikelifetime 14400 lifetime 10800 bytes 
4294967296 psk 0x746869732d69732d612d6c6f6e672d746573742d70772d39 tag 
"$name-$id"
/etc/iked.conf: loaded 1 configuration rules
ca_privkey_serialize: type ECDSA length 121
ca_pubkey_serialize: type ECDSA length 91
config_getpolicy: received policy
config_getpfkey: received pfkey fd 3
ca_privkey_to_method: type ECDSA method ECDSA_256
ca_getkey: received private key type ECDSA length 121
ca_getkey: received public key type ECDSA length 91
ca_dispatch_parent: config reset
ca_reload: local cert type ECDSA
config_getocsp: ocsp_url none tolerate 0 maxage -1
ikev2_dispatch_cert: updated local CERTREQ type ECDSA length 0
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getstatic: dpd_check_interval 60
config_getstatic: no enforcesingleikesa
config_getstatic: no fragmentation
config_getstatic: mobike
config_getstatic: nattport 4500
config_getstatic: no stickyaddress
ikev2_init_ike_sa: initiating "OPENBSD-SERVER_INET4_NETS"
ikev2_policy2id: srcid FQDN/openbsd-server.example.com length 23
ikev2_add_proposals: length 44
ikev2_next_payload: length 48 nextpayload KE
ikev2_next_payload: length 140 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload VENDOR
ikev2_next_payload: length 16 nextpayload NOTIFY
ikev2_nat_detection: local source 0x55dc1e4f08b3ac60 0x 
0.0.0.0:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x55dc1e4f08b3ac60 0x 
203.0.113.92:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_next_payload: length 14 nextpayload NONE
ikev2_pld_parse: header ispi 0x55dc1e4f08b3ac60 rspi 0x 
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 338 
response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 
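
Both policies above declare `srcid openbsd-server.example.com dstid linux-client.example.com`, on the server and on the client alike. Whether or not that is the cause in this case, it is the first thing worth checking when a responder logs `no compatible policy found` at IKE_AUTH, because iked selects the responder's policy by matching the initiator's IDi (the initiator's srcid) against the responder's dstid, and the initiator in turn checks IDr against its own dstid. The script below is an added example, not iked's code and not part of the thread: it parses constructed copies of the two policies (cipher, lifetime and PSK lines left out), reports identity mismatches, and produces the mirrored client form. Its parser understands only the keywords it needs and is an assumption of this example, not an iked.conf(5) implementation.

```python
import re

# Constructed copies of the two policies in the thread, identities unchanged;
# the cipher suite, lifetime and PSK lines are left out.
SERVER_POLICY = '''ikev2 "LINUX-CLIENT_INET4_LAN" passive esp \\
  from 10.88.0.0/22 to 10.88.12.0/24 \\
  peer any local openbsd-server.example.com \\
  srcid openbsd-server.example.com dstid linux-client.example.com'''

CLIENT_POLICY = '''ikev2 "OPENBSD-SERVER_INET4_NETS" active esp \\
  from 10.88.12.0/24 to 10.88.0.0/22 \\
  peer 203.0.113.92 \\
  srcid openbsd-server.example.com dstid linux-client.example.com'''


def parse_policy(text):
    """Join iked.conf backslash continuations; pull out name, mode, srcid, dstid."""
    flat = re.sub(r"\\\n\s*", " ", text)
    m = re.match(r'\s*ikev2\s+"([^"]+)"\s+(active|passive)\b', flat)
    if not m:
        raise ValueError("not a recognised ikev2 policy")
    pol = {"name": m.group(1), "mode": m.group(2)}
    for key in ("srcid", "dstid"):
        km = re.search(r"\b%s\s+(\S+)" % key, flat)
        pol[key] = km.group(1) if km else None
    return pol


def check_identities(initiator, responder):
    """List the ways an (active, passive) pair disagree on identities.

    The responder picks its policy by matching the initiator's IDi (the
    initiator's srcid) against its own dstid; the initiator checks IDr (the
    responder's srcid) against its dstid.  So the two declarations must
    mirror each other.  A side that declares no dstid is skipped here.
    """
    a, p = parse_policy(initiator), parse_policy(responder)
    problems = []
    if (a["mode"], p["mode"]) != ("active", "passive"):
        problems.append("expected an active initiator and a passive responder")
    if p["dstid"] and a["srcid"] != p["dstid"]:
        problems.append("initiator srcid %s does not match responder dstid %s"
                        % (a["srcid"], p["dstid"]))
    if a["dstid"] and p["srcid"] != a["dstid"]:
        problems.append("initiator dstid %s does not match responder srcid %s"
                        % (a["dstid"], p["srcid"]))
    return problems


def mirror_identities(policy, peer):
    """Return `policy` with srcid/dstid rewritten to mirror `peer`'s declarations."""
    ids = parse_policy(peer)
    if not (ids["srcid"] and ids["dstid"]):
        raise ValueError("peer policy must declare both srcid and dstid")
    out = re.sub(r"\bsrcid\s+\S+", "srcid " + ids["dstid"], policy)
    return re.sub(r"\bdstid\s+\S+", "dstid " + ids["srcid"], out)


def demo():
    """Check the pair as posted, then again after mirroring the client's IDs."""
    before = check_identities(CLIENT_POLICY, SERVER_POLICY)
    fixed = mirror_identities(CLIENT_POLICY, SERVER_POLICY)
    after = check_identities(fixed, SERVER_POLICY)
    return before, after, fixed
```

Calling `demo()` reports two mismatches for the pair as posted and none once the client declares `srcid linux-client.example.com dstid openbsd-server.example.com`; the `tag "$name-$id"` and PSK lines are unaffected by the swap.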

Re: my first patch

2023-10-24 Thread Maria Morisot
I don't have a test machine and I'm trying to keep my installation as simple as 
possible, but if anyone wants to try piping a wav file into mplayer or ffplay, 
I'd be interested in the results. Does it work?



Re: relayd and large POST requests

2023-10-24 Thread Michael Hekeler
> Hi,
> 
> I'm running a setup on OpenBSD 7.3 (amd64, 16GB RAM) with relayd,
> varnish, httpd and php-fpm. When uploading a large >2GB file through
> ...
> 
> 
> /etc/relayd.conf:
> 
> table  { 127.0.0.1 }
> 
> log connection
> 
> http protocol "https" {
> tls keypair "server"
> return error
> pass
> }
> 
> relay "mysite4" {
> listen on xxx port 443 tls
> protocol "https"
> forward to  port 8443 check tcp
> }
> 

before going any deeper in investigating the behaviour I would suggest
to configure this setup with using redirection.
I think you are better with just forwarding on layer 3.

Or did I miss something? Why did you choose relay here? 



Re: my first patch

2023-10-24 Thread Maria Morisot


> You're right. The .wav headers require lseek(2) within the file,
> which doesn't work on pipes. It could work on certain files whose
> headers are placed in a way that lseek(2) doesn't need to move the file
> pointer.

> You could try to modify aucat to skip the lseek(2) calls if it
> wouldn't change the file pointer.  Possibly call read(2) and discard
> a few bytes when the file pointer moves forward by a few bytes only (iirc
> .wav needs data to be aligned).

Forgive me if I'm dense, but I'm a better artist than I am a programmer. I'm 
trying to follow you though. I understand why you cannot seek in a pipe, but I 
do not understand why that affects playback of a MS Wav file through a pipe. 
Aren't the headers kept in the front, and my understanding is maybe you can 
grab enough bytes to check if a header is present. I thought wav is just a raw 
sample with a small header. I'd think a quick check for header wouldn't upset 
playback for raw samples without one.



Re: Question about rdomains/rtables

2023-10-24 Thread tetrosalame

On 24/10/2023 11:55, Marcus MERIGHI wrote:


I'm playing with rdomain/rtable on OpenBSD 7.4 and I'm a bit confused about
the relation between rdomains and rtables.


you do not mention reading rtable(4)/rdomain(4), online here:

 https://man.openbsd.org/rtable


[...]

I'm sorry, I should have been more clear: I read the relevant manpage 
but, as Claudio Jeker kindly pointed out, I got it upside down.

Thank you,

f



Re: Question about rdomains/rtables

2023-10-24 Thread tetrosalame

On 24/10/2023 12:22, Claudio Jeker wrote:

On Mon, Oct 23, 2023 at 06:08:37PM +0200, tetrosalame wrote:

Hello misc,

I'm playing with rdomain/rtable on OpenBSD 7.4 and I'm a bit confused about
the relation between rdomains and rtables.

If I got rdomain(4) right, the two facilities are designed so that a rdomain
can hold 0-255 rtables. Even rdomain 0 -no rdomain configured- can hold
several rtables. IP addresses can overlap if configured in different
rdomains.


No, this is not right. rtables are part of rdomains. So rdomain 0 has
rtable 0. rdomain 1 uses rtable 1. rdomain 2 uses rtable 2 and so on.


[...]



This is a wrong view. The system has 255 rtables. You can make an rtable
an rdomain when the rtable is using itself to lookup link local addresses.

So the visualisation is the other way around:

rtable 0 => rdomain 0
rtable 1 => rdomain 1
rtable 2 => rdomain 2
...
rtable 42 => rdomain 0
...

In this case the tables 0, 1, 2 are rdomains while table 42 is just an
alternate routing table for rdomain 0.


Thank you for your explanation, much appreciated. Time to trash my fine 
handwritten diagrams and start over drawing I guess...I couldn't be more 
wrong.


--
f



Re: my first patch

2023-10-24 Thread Alexandre Ratchov
On Tue, Oct 24, 2023 at 09:15:57PM +0600, Maria Morisot wrote:
> It is my understanding that wav files contain the headers necessary for a 
> program to adjust the audio settings for play, or to do the software process 
> necessary to reformat the input to the audio device.
> 
> It doesn't make sense to have the wav headers if they aren't going to be 
> used. Tell me if I'm wrong.
> 
> I'm not very good at C but I'm willing to try to fix aucat to adjust wav 
> output in response to the headers if that's something that seems like it's 
> broken.
> 

You're right. The .wav headers require lseek(2) within the file,
which doesn't work on pipes. It could work on certain files whose
headers are placed in a way that lseek(2) doesn't need to move the file
pointer.

You could try to modify aucat to skip the lseek(2) calls if it
wouldn't change the file pointer.  Possibly call read(2) and discard
a few bytes when the file pointer moves forward by a few bytes only (iirc
.wav needs data to be aligned).

HTH
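
Alexandre's suggestion above (skip lseek(2) when it would not move the file pointer, and read and discard small forward gaps) and the three-point aucat diff earlier in this digest describe the same approach. What follows is an added example, not aucat's code and not part of the thread: a Python reader that walks the RIFF chunks of a WAV stream strictly forward, so it works on a pipe, honours the pad byte RIFF places after odd-sized chunks, bounds the fmt chunk length before trusting it, and treats a data size of 0 or 0xFFFFFFFF (what a writer that cannot seek back to fix the header leaves behind) as "read until EOF". The PipeLike wrapper and both WAV blobs are constructed here to simulate a pipe that returns short reads; they are not real files.

```python
import io
import struct

UNKNOWN_SIZES = {0, 0xFFFFFFFF}   # "size unknown" markers left by writers that cannot seek
MAX_FMT_SIZE = 4096               # sanity bound before trusting a fmt chunk length


class PipeLike:
    """Simulates a pipe: no seek(), and read(n) may return fewer than n bytes."""

    def __init__(self, data, max_read=3):
        self._buf = io.BytesIO(data)
        self._max = max_read

    def read(self, n=-1):
        return self._buf.read() if n < 0 else self._buf.read(min(n, self._max))


def _read_exact(stream, n):
    """Loop until n bytes arrive (pipes give short reads); None on EOF."""
    buf = bytearray()
    while len(buf) < n:
        got = stream.read(n - len(buf))
        if not got:
            return None
        buf += got
    return bytes(buf)


def _skip(stream, n, bufsize=512):
    """Advance by reading and discarding, never by seeking."""
    while n > 0:
        got = stream.read(min(n, bufsize))
        if not got:
            raise ValueError("stream ended inside a chunk")
        n -= len(got)


def parse_wav_stream(stream):
    """Walk RIFF chunks strictly forward; return (fmt dict, pcm bytes)."""
    riff = _read_exact(stream, 12)
    if riff is None or riff[:4] != b"RIFF" or riff[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE stream")
    fmt = None
    while True:
        hdr = _read_exact(stream, 8)
        if hdr is None:
            raise ValueError("missing data chunk")
        cid, csize = struct.unpack("<4sI", hdr)
        padded = csize + (csize & 1)           # RIFF pads odd-sized chunks
        if cid == b"fmt ":
            if csize < 16 or csize > MAX_FMT_SIZE:
                raise ValueError("bad fmt chunk size %d" % csize)
            body = _read_exact(stream, padded)
            if body is None:
                raise ValueError("truncated fmt chunk")
            tag, ch, rate, _, _, bits = struct.unpack("<HHIIHH", body[:16])
            if ch == 0 or rate == 0 or bits not in (8, 16, 24, 32):
                raise ValueError("unsupported fmt: tag=%d ch=%d rate=%d bits=%d"
                                 % (tag, ch, rate, bits))
            fmt = {"tag": tag, "channels": ch, "rate": rate, "bits": bits}
        elif cid == b"data":
            if fmt is None:
                raise ValueError("data chunk before fmt chunk")
            if csize in UNKNOWN_SIZES:
                pcm = stream.read()            # header never fixed up: read to EOF
            else:
                pcm = _read_exact(stream, csize)
                if pcm is None:
                    raise ValueError("truncated data chunk")
            return fmt, pcm
        else:
            _skip(stream, padded)              # LIST/INFO, padding, anything else


def _chunk(cid, body):
    return cid + struct.pack("<I", len(body)) + body + (b"\0" if len(body) & 1 else b"")


def build_wav(pcm, rate=44100, channels=1, bits=16, data_size=None, extra=()):
    """Constructed test input; data_size overrides the real size, as a pipe writer would."""
    fmt = struct.pack("<HHIIHH", 1, channels, rate,
                      rate * channels * bits // 8, channels * bits // 8, bits)
    body = b"WAVE" + _chunk(b"fmt ", fmt)
    for cid, cbody in extra:
        body += _chunk(cid, cbody)
    size = len(pcm) if data_size is None else data_size
    body += b"data" + struct.pack("<I", size) + pcm
    riff_size = len(body) if data_size is None else 0xFFFFFFFF
    return b"RIFF" + struct.pack("<I", riff_size) + body


# Constructed sample: eight 16-bit samples, once as a normal file and once with
# a zero-size data chunk (what the thread reports for "faad -w ... | cat")
# preceded by an odd-sized LIST chunk, so the pad byte handling is exercised.
PCM = struct.pack("<8h", 0, 1000, 2000, 1000, 0, -1000, -2000, -1000)
FILE_WAV = build_wav(PCM)
PIPE_WAV = build_wav(PCM, data_size=0,
                     extra=[(b"LIST", b"INFOISFT\x05\x00\x00\x00faad\x00")])


def demo():
    """Parse both blobs through the short-read wrapper; per-input summaries."""
    out = {}
    for name, blob in (("file", FILE_WAV), ("pipe", PIPE_WAV)):
        fmt, pcm = parse_wav_stream(PipeLike(blob))
        out[name] = (fmt["rate"], fmt["channels"], fmt["bits"], len(pcm))
    return out
```

`demo()` returns the same rate, channel count and sample width for both inputs, and for the piped variant the 16 bytes of samples are recovered from EOF rather than from the header. Bounding the fmt length and refusing a data chunk that precedes fmt are the two checks that keep a hostile or simply broken header from driving a huge allocation or an uninitialised format into the playback path.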



Re: my first patch

2023-10-24 Thread Maria Morisot
It is my understanding that wav files contain the headers necessary for a 
program to adjust the audio settings for play, or to do the software process 
necessary to reformat the input to the audio device.

It doesn't make sense to have the wav headers if they aren't going to be used. 
Tell me if I'm wrong.

I'm not very good at C but I'm willing to try to fix aucat to adjust wav output 
in response to the headers if that's something that seems like it's broken.

But I did find an alternate solution. I just "-o /dev/audio0" in faad, and use 
"-f 2" (raw pcm); this works and seems to play at 44100 because it sounds good 
to me. Not sure how to check default playrate or change it via command line, so 
this works out of the box:

gethsemane$ faad -f 2 -o /dev/audio Tori_Amos/The_Beekeeper/03*.m4a
--
Code is poetry.

> On Oct 24, 2023, at 21:03, Alexandre Ratchov  wrote:
> 
> On Tue, Oct 24, 2023 at 05:10:53PM +0600, Lucretia wrote:
>> 
>> a bit off-topic, but:
>> gethsemane$ faad -w Tori_Amos/The_Beekeeper/03* | aucat -i - -h wav
>> makes Tori sound like Minnie Mouse. How can I fix this?
>> 
> 
> you have to make faad and aucat use the same data format, e.g.:
> 
> faad -d -f2 -w foobar.m4a | aucat -e s16 -i -
> 
> possibly use the -r option if the rate is not 48kHz (which is aucat
> default). Alternatively, output in a temporary .wav file and play it
> after it's decoded



Re: my first patch

2023-10-24 Thread Alexandre Ratchov
On Tue, Oct 24, 2023 at 05:10:53PM +0600, Lucretia wrote:
> 
> a bit off-topic, but:
> gethsemane$ faad -w Tori_Amos/The_Beekeeper/03* | aucat -i - -h wav
> makes Tori sound like Minnie Mouse. How can I fix this?
> 

you have to make faad and aucat use the same data format, e.g.:

faad -d -f2 -w foobar.m4a | aucat -e s16 -i -

possibly use the -r option if the rate is not 48kHz (which is aucat
default). Alternatively, output in a temporary .wav file and play it
after it's decoded



Re: Parallel PF

2023-10-24 Thread Samuel Jayden
I shared a naive user experience. I didn't mean to be rude. Anyway, thank
you for reading and responding.

On Tue, Oct 24, 2023 at 5:46 PM Irreverent Monk  wrote:

> The standard response is - show your code.  If you sit down and think
> about it, isn't it rude to go to a project to tell them that they must
> prioritize what they are doing for what you want...?
>
> On Tue, Oct 24, 2023 at 6:40 AM Samuel Jayden 
> wrote:
>
>> Hello dear OpenBSD team,
>>
>> I'm sure that something like parallel IP forwarding and increasing the
>> number of softnet kernel tasks to 4 is definitely being considered on the
>> PF side too, but I would like to express my concern about timing. Do you
>> have any schedule for this?
>>
>> I think one of the common prayers of all OpenBSD users is that PF will
>> speed up. Thank you for reading and my best regards.
>>
>> --
>> Sam
>>
>


Re: Parallel PF

2023-10-24 Thread Irreverent Monk
The standard response is - show your code.  If you sit down and think about
it, isn't it rude to go to a project to tell them that they must prioritize
what they are doing for what you want...?

On Tue, Oct 24, 2023 at 6:40 AM Samuel Jayden 
wrote:

> Hello dear OpenBSD team,
>
> I'm sure that something like parallel IP forwarding and increasing the
> number of softnet kernel tasks to 4 is definitely being considered on the
> PF side too, but I would like to express my concern about timing. Do you
> have any schedule for this?
>
> I think one of the common prayers of all OpenBSD users is that PF will
> speed up. Thank you for reading and my best regards.
>
> --
> Sam
>


my first patch

2023-10-24 Thread Lucretia
I made my first patch!

To devel/dwz, I'm not sure how to submit it, or if it's even useful to anyone.

Basically I just changed all instances of strcpy and sprintf to use strlcpy and 
snprintf, because the compiler said to.

This is like crack cocaine to me.

a bit off-topic, but:
gethsemane$ faad -w Tori_Amos/The_Beekeeper/03* | aucat -i - -h wav
makes Tori sound like Minnie Mouse. How can I fix this?

--
Google doesn't need to
know every time I fart.



Re: AAAA entry for openbsd.org

2023-10-24 Thread Tobias Fiebig
Hi,

On Mon, 2023-10-23 at 20:52 +0300, Mikhail wrote:
> I think ipv6 just expand attack surface for the services for very
> little benefit, ...

Well,... there is a ton of reasons one may not want to deploy v6; I
disagree, but well, my boxes are dual-stack through-and-through; My
network, my rules, your network your rules, and the rest comes to
opinions*.

But could we please stop with the "IPv6 is a security risk"-thing?

Yes, it is if you do not conf your systems properly (e.g., only v4
firewalling and binding $backend globally). Then again, so is OpenSSH
if you think allowing root logins with a password and setting the root
password to "root" is a good thing to do.

But honestly, then you have a whole bunch of different issues.

OpenBSD has an awesome v6 stack; I have several prod boxes on v6 only,
and it just works (granted, installed via an in-AS mirror, so never hit
the mirror list thing).

With best regards,
Tobias

*And on opinions: What should motivate _everyone_ to get on v6 ASAP is
that it would end the business model of some rather annoying IPv4
address traders (I acknowledge there are also not-annoying ones who
would be affected, but that is a sacrifice i am willing to make. ;-)).



Re: support new

2023-10-24 Thread Wesley MOUEDINE ASSABY
Hello Ingo,

Perfect, thank you very much.

Regards,

Wesley

-Original Message-
From: Ingo Schwarze  
Sent: Tuesday, 24 October 2023 15:35
To: Wesley MOUEDINE ASSABY 
Cc: misc@openbsd.org
Subject: Re: support new

Hi Wesley,

Wesley MOUEDINE ASSABY wrote on Tue, Oct 24, 2023 at 02:06:47PM +0400:

> 0
> C France
> P REUNION
> T Sainte Clotilde
> Z 97490
> O Consultant
> I Wesley Mouedine Assaby
> M wes...@mouedine.net
> U https://www.mouedine.net
> N OpenBSD consulting, services like mailserver, web hosting, firewall and
> vpn.

Committed with s/vpn/VPN/, the spelling familiar from OpenBSD manual pages.
I removed all information from your old entry that you no longer included in
your new entry.

The new entry is now online here, please check:

  https://www.openbsd.org/support.html#France

Yours,
  Ingo



Re: support new

2023-10-24 Thread Ingo Schwarze
Hi Wesley,

Wesley MOUEDINE ASSABY wrote on Tue, Oct 24, 2023 at 02:06:47PM +0400:

> 0
> C France
> P REUNION
> T Sainte Clotilde
> Z 97490
> O Consultant
> I Wesley Mouedine Assaby
> M wes...@mouedine.net  
> U https://www.mouedine.net
> N OpenBSD consulting, services like mailserver, web hosting, firewall and
> vpn.

Committed with s/vpn/VPN/, the spelling familiar from OpenBSD manual
pages.  I removed all information from your old entry that you no longer
included in your new entry.

The new entry is now online here, please check:

  https://www.openbsd.org/support.html#France

Yours,
  Ingo



Re: Fwd: install74.iso

2023-10-24 Thread Dan
On Mon, 23 Oct 2023, at 22:33, Theo de Raadt wrote:
> In the next few snapshots, an ISO file will start to show up.

Thank you. 

May I ask that the team also start building the bootstrapping cd74.iso, not 
just the full install74.iso? 


Regards,
Dan 


>> >> Am 21. Okt. 2023, 16:59, um 16:59, Dan 
>> >schrieb:
>> >> >Hi folks,
>> >> >
>> >> >Is there a technical reason why the project is not providing
>> >> >installation ISOs for the arm64 architecture?
>> >> >The easiest way to install OpenBSD on a new cloud virtual machine
>> >for
>> >> >me would be to mount cd74.iso and boot.
>> >> >
>> >> >Could someone give me some pointers for turning the arm bsd.rd
>> >> >installation ramdisk kernel into a minimal CD-ROM image?



Re: Question about rdomains/rtables

2023-10-24 Thread Claudio Jeker
On Mon, Oct 23, 2023 at 06:08:37PM +0200, tetrosalame wrote:
> Hello misc,
> 
> I'm playing with rdomain/rtable on OpenBSD 7.4 and I'm a bit confused about
> the relation between rdomains and rtables.
> 
> If I got rdomain(4) right, the two facilities are designed so that a rdomain
> can hold 0-255 rtables. Even rdomain 0 -no rdomain configured- can hold
> several rtables. IP addresses can overlap if configured in different
> rdomains.

No, this is not right. rtables are part of rdomains. So rdomain 0 has
rtable 0. rdomain 1 uses rtable 1. rdomain 2 uses rtable 2 and so on.

Now it is possible to assign an extra rtable to an rdomain but as you
found out there is no tool right now to allow this for any rdomain != 0.

Doing this properly would probably require some new route(4) messages so
that userland daemons can act on this as well. I never really needed this
flexibility so I never implemented it.
 
> In my mind the design is somehow "hierarchical"
> 
> rdomain 0
> |--> rtable 0
> |--> rtable 1
> |...
> |--> rtable 255
> 
> rdomain 1
> |--> rtable 0
> |--> rtable 1
> |...
> |--> rtable 255
> 
> but in practice, since there's no utility to add more rtables beyond the
> default one per rdomain, in the current implementation OS tools (pf, route,
> ifconfig, daemons etc...) take advantage of these facilities in a "flat"
> way:
> 
> rdomain 0
> |--> rtable 0
> 
> rdomain 1
> |--> rtable 0

This is a wrong view. The system has 255 rtables. You can make an rtable
an rdomain when the rtable is using itself to lookup link local addresses.

So the visualisation is the other way around:

rtable 0 => rdomain 0
rtable 1 => rdomain 1
rtable 2 => rdomain 2
...
rtable 42 => rdomain 0
...

In this case the tables 0, 1, 2 are rdomains while table 42 is just an
alternate routing table for rdomain 0.

> 
> and so on, where rtables are numbered after their containing rdomain.
> Documentation refers to rdomains when it's appropriate to think about a
> logical segment of the routing space, while it refers to rtables when the
> concept is "do something with routing table number XXX".
> 
> So while in theory one should think about rdomains first and then about the
> rtables that belong to each of them, in current usage they're the same
> thing: $tool -T $number and don't bother.
> 
> But...I read the slides presented by Peter Hessler (thank you) at EuroBSD
> 2012 and everything was clear...well, until I came to slide 16 and pf
> ruleset "pass in on rdomain 2 rtable 4" (1). I'm puzzled: how can I "create"
> rtable 4 inside rdomain 2?

That rule matches packets on rdomain 2 and uses rtable 4 (which can be an
rdomain) to forward the packets.
 
> Thanks and I apologize for my lack of brevity.
> 
> f.
> 
> 1:
> https://www.openbsd.org/papers/eurobsd2012/phessler-rdomains/mgp00016.html
> 

-- 
:wq Claudio



Parallel PF

2023-10-24 Thread Samuel Jayden
Hello dear OpenBSD team,

I'm sure that something like parallel IP forwarding and increasing the
number of softnet kernel tasks to 4 is definitely being considered on the
PF side too, but I would like to express my concern about timing. Do you
have any schedule for this?

I think one of the common prayers of all OpenBSD users is that PF will
speed up. Thank you for reading and my best regards.

--
Sam


support update

2023-10-24 Thread Wesley MOUEDINE ASSABY
Please, can you remove my old entry < AISE-INFORMATIQUE > in < France >
area.

Thanks!

 



support new

2023-10-24 Thread Wesley MOUEDINE ASSABY
0

C France

P REUNION

T Sainte Clotilde

Z 97490

O Consultant

I Wesley Mouedine Assaby

M wes...@mouedine.net  

U https://www.mouedine.net

N OpenBSD consulting, services like mailserver, web hosting, firewall and
vpn.

 

 

 



Re: Question about rdomains/rtables

2023-10-24 Thread Marcus MERIGHI
Hello f., 

t...@seiruote.it (tetrosalame), 2023.10.23 (Mon) 18:08 (CEST):
> I'm playing with rdomain/rtable on OpenBSD 7.4 and I'm a bit confused about
> the relation between rdomains and rtables.

you do not mention reading rtable(4)/rdomain(4), online here:

https://man.openbsd.org/rtable

It has a section on "Routing tables" and one on "Routing domains" and
the confirmation of your finding that "No tool is available to assign
more than one rtable to an rdomain other than to the default one (0)."

Marcus

> If I got rdomain(4) right, the two facilities are designed so that a rdomain
> can hold 0-255 rtables. Even rdomain 0 -no rdomain configured- can hold
> several rtables. IP addresses can overlap if configured in different
> rdomains.
> 
> In my mind the design is somehow "hierarchical"
> 
> rdomain 0
> |--> rtable 0
> |--> rtable 1
> |...
> |--> rtable 255
> 
> rdomain 1
> |--> rtable 0
> |--> rtable 1
> |...
> |--> rtable 255
> 
> but in practice, since there's no utility to add more rtables beyond the
> default one per rdomain, in the current implementation OS tools (pf, route,
> ifconfig, daemons etc...) take advantage of these facilities in a "flat"
> way:
> 
> rdomain 0
> |--> rtable 0
> 
> rdomain 1
> |--> rtable 0
> 
> and so on, where rtables are numbered after their containing rdomain.
> Documentation refers to rdomains when it's appropriate to think about a
> logical segment of the routing space, while it refers to rtables when the
> concept is "do something with routing table number XXX".
> 
> So while in theory one should think about rdomains first and then about the
> rtables that belong to each of them, in current usage they're the same
> thing: $tool -T $number and don't bother.
> 
> But...I read the slides presented by Peter Hessler (thank you) at EuroBSD
> 2012 and everything was clear...well, until I came to slide 16 and pf
> ruleset "pass in on rdomain 2 rtable 4" (1). I'm puzzled: how can I "create"
> rtable 4 inside rdomain 2?
> 
> Thanks and I apologize for my lack of brevity.
> 
> f.
> 
> 1:
> https://www.openbsd.org/papers/eurobsd2012/phessler-rdomains/mgp00016.html



Re: X session doesn't survive zzz

2023-10-24 Thread Ampie Niemand
On Wed, Oct 18, 2023 at 11:11:54AM +0200, Jan Stary wrote:
> This is current/amd64 on a PC (dmesg below).
> After a resume from zzz inside a running X session,
> I am greeted with the xenodm login screen
> into which I cannot login: the keyboard does nothing
> (is it the USB keyboard not reattaching properly?).
> 
> Loging in on the console, I see that the X session
> and the X applications (firefox, xterms) are dead.
> On the other hand, the mplayer that has been zzz'ed
> inside a tmux session starts playing again.
> 
> After restarting xenodm with rcctl restart xenodm,
> I can log in and everything seems to work again.
> 
> See the dmesg below, including the zzz and resume,
> and the full X log up to here. How can I debug this?
> 
>   Jan
> 
> 
> OpenBSD 7.4-current (GENERIC.MP) #1406: Sun Oct 15 10:34:05 MDT 2023
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 8285454336 (7901MB)
> avail mem = 8014598144 (7643MB)
> random: good seed from bootblocks
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xf0100 (36 entries)
> bios0: vendor Award Software International, Inc. version "F3" date 03/31/2011
> bios0: Gigabyte Technology Co., Ltd. H67MA-USB3-B3

You are a little behind with your BIOS version. It looks like up to version F8
is available on the support website:

https://www.gigabyte.com/Motherboard/GA-H67MA-USB3-B3-rev-10/support#support-dl-bios

I would start with that.
-Ampie

> acpi0 at bios0: ACPI 1.0
> acpi0: sleep states S0 S3 S4 S5
> acpi0: tables DSDT FACP HPET MCFG ASPT SSPT EUDS MATS TAMG APIC SSDT
> acpi0: wakeup devices PCI0(S5) PEX0(S5) PEX1(S5) PEX2(S5) PEX3(S5) PEX4(S5) 
> PEX5(S5) PEX6(S5) PEX7(S5) HUB0(S5) UAR1(S3) USBE(S3) USE2(S3) AZAL(S5)
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpihpet0 at acpi0: 14318179 Hz
> acpimcfg0 at acpi0
> acpimcfg0: addr 0xf400, bus 0-63
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat



Re: USB serial local getty terminal re-prompts for login on any input

2023-10-24 Thread Crystal Kolipe
On Mon, Oct 23, 2023 at 11:37:10PM -0400, Morgan Aldridge wrote:
> I have experimented with the following with no change in the underlying
> issue of the terminal showing the login prompt, but each character input
> causing the login prompt to be resent:

If you short the tx/rx lines at the DE-9 end and then access the serial
device using /usr/bin/cu on the OpenBSD machine, does your input
reliably echo back to you?  Or are some characters lost or garbled?

(Obviously remove or disable the ttys line for this test.)

You might need to short rts/cts and dtr/dsr as well depending on your
hardware handshaking setup.



Re: Default rdomain for CLI commands

2023-10-24 Thread Pierre Emeriaud
On Tue, 24 Oct 2023 at 03:24, Andy Lemin  wrote:

> How do I set/override the default rdomain for system level CLI commands?
>

You can do that at ssh level. From sshd_config(5):

 RDomain
 Specifies an explicit routing domain that is applied after
 authentication has completed.  The user session, as well as any
 forwarded or listening IP sockets, will be bound to this
 rdomain(4).  If the routing domain is set to %D, then the
domain
 in which the incoming connection was received will be applied.

I like having this prompt to know where I am:
(rtable 2) [me@mymachine]:~$ echo $PS1
(rtable $(id -R)) [\u@\h]:\w\$


Re: Default rdomain for CLI commands

2023-10-24 Thread Claudio Jeker
On Tue, Oct 24, 2023 at 08:39:33AM -, Stuart Henderson wrote:
> On 2023-10-24, Andy Lemin  wrote:
> > Hi all,
> >
> > Just a quick question.
> >
> > I have multiple rdomains. My outside rdomain (rdomain 0) has a single 
> > default route to my ISP. And my internal rdomain 9 has multiple default 
> > routes pointing to various pairX interfaces for some funky routing stuff.
> >
> > Everything works beautifully, however, every command I type on the box 
> > locally or over SSH which needs internet for example, is being executed 
> > under the internal rdomain, not the edge rdomain.
> >
> > So I have to run;
> > ‘route -T0 exec syspatch’ for example.
> >
> > How do I set/override the default rdomain for system level CLI commands?
> 
> The basic answer to your question is "set rtable in login.conf for the
> relevant class". But that doesn't explain why your machine is not already
> using rtable 0..
> 

Because I think login.conf(5) is wrong. The default rtable is not 0. If
rtable is not set the current rtable is not modified by login_cap(3).

-- 
:wq Claudio

Index: login.conf.5
===
RCS file: /cvs/src/share/man/man5/login.conf.5,v
retrieving revision 1.70
diff -u -p -r1.70 login.conf.5
--- login.conf.531 Mar 2022 17:27:23 -  1.70
+++ login.conf.524 Oct 2023 08:41:21 -
@@ -284,7 +284,7 @@ Initial priority (nice) level.
 Require home directory to login.
 .\"
 .Pp
-.It rtable Ta number Ta Dv 0 Ta
+.It rtable Ta number Ta "" Ta
 Rtable to be set for the class.
 .\"
 .Pp
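Review bot: dropping the `0` from the default column is correct, but the description "Rtable to be set for the class." still leaves the reader to guess what happens when the capability is absent, which is the very point of this thread. Add a sentence stating that when rtable is unset the session keeps the routing table inherited from the process that performed the login (sshd, getty, cron), e.g. keep `.It rtable Ta number Ta "" Ta` and follow it with "Rtable to be set for the class. If unset, the rtable is inherited from the parent process."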



Re: Default rdomain for CLI commands

2023-10-24 Thread Claudio Jeker
On Tue, Oct 24, 2023 at 06:56:33PM +1100, Andy Lemin wrote:
> Hi Lyndon,
> That is a good trick, I will try that.
> 
> But it is more of an unexpected nuisance as I’m expecting the default to
> be rdomain 0.

No, rdomains are inherited. Once a process runs in rdomain X all children
will also be in rdomain X. With this logging in via sshd will inherit the
rdomain of the sshd process.

Now you could look into login.conf(5) and try forcing rtable to 0 for your
login class. If the login respects the settings you will get rdomain 0 all
the time.
 
> It seems to switch to use the rdomain with the most default routes which
> breaks things unexpectedly - for example many crontab commands break
> after adding routes, so now have to _always_ prefix with route -T0 exec
> (to support automated route changes etc).

No it does not.
 
> This must be unexpected behaviour to change dynamically like this?

There is no dynamic change. As said the rdomain is inherited over fork.
It is set probably by the rc.d script and from there on it sticks to that.
 
> Thanks for your help, Andy.
> 
> 
> > On 24 Oct 2023, at 14:09, Lyndon Nerenberg (VE7TFX/VE6BBM) 
> >  wrote:
> > 
> > Andy Lemin writes:
> > 
> >> So I have to run;
> >> ‘route -T0 exec syspatch’ for example.
> >> 
> >> How do I set/override the default rdomain for system level CLI commands?
> > 
> > If you're talking about running a bunch of interactive shell commands
> > in rdomain 0, just 'route -T0 exec sh' to drop into a sub-shell in
> > rdomain 0.
> > 
> > --lyndon
> 

-- 
:wq Claudio



Re: Default rdomain for CLI commands

2023-10-24 Thread Stuart Henderson
On 2023-10-24, Andy Lemin  wrote:
> Hi all,
>
> Just a quick question.
>
> I have multiple rdomains. My outside rdomain (rdomain 0) has a single default 
> route to my ISP. And my internal rdomain 9 has multiple default routes 
> pointing to various pairX interfaces for some funky routing stuff.
>
> Everything works beautifully, however, every command I type on the box 
> locally or over SSH which needs internet for example, is being executed under 
> the internal rdomain, not the edge rdomain.
>
> So I have to run;
> ‘route -T0 exec syspatch’ for example.
>
> How do I set/override the default rdomain for system level CLI commands?

The basic answer to your question is "set rtable in login.conf for the
relevant class". But that doesn't explain why your machine is not already
using rtable 0..

-- 
Please keep replies on the mailing list.
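Both replies above point at the same fix: give the login class an explicit rtable instead of relying on inheritance. The fragment below is an added example, not from the thread or from OpenBSD's stock /etc/login.conf; the class name `edge` and the user name `andy` are placeholders. It assumes the login path honours the rtable capability, which is exactly the point Claudio leaves to be verified.

```conf
# Added example: a login class that pins every login, and so every command
# started from that shell (syspatch, ftp, cron jobs run under the class),
# to rtable 0 instead of inheriting the rtable sshd or getty was started in.
# "edge" is a placeholder class name; "tc=default" pulls in the stock class.
edge:\
	:rtable=0:\
	:tc=default:
```

Assign the class with `usermod -L edge andy`, regenerate the database with `cap_mkdb /etc/login.conf` if /etc/login.conf.db exists, then log in again and confirm with `ps -o pid,rtable,command -p $$` that the new shell reports rtable 0. If it does not, the login path in use did not apply the capability and `route -T0 exec` remains the fallback.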



Re: a2ps error; printing utf8 to a postscript printer

2023-10-24 Thread rsykora
Jan Stary  wrote:
> On Oct 23 17:22:37, rsyk...@disroot.org wrote:
> > 
> > Loosely related: What program do you use to print utf8
> > encoded text file to a postscript printer? (Neither a2ps, nor
> > enscript does it.
> 
> u2ps is in ports.

Great. It seems to work for me.

Thanks.

Ruda



Re: AAAA entry for openbsd.org

2023-10-24 Thread Stuart Henderson
On 2023-10-23, Philip Guenther  wrote:
> See, this is why being clear about What Fine Problem You're Trying To Solve
> is important: AFAICT the installer tries to fetch the mirror list from
> ftplist1.openbsd.org and not from openbsd.org.

The installer writes out its own /etc/hosts file with the known address
of ftplist1 so simply adding an AAAA to the DNS zone won't help.

But then, to make it work somewhat nicely for the uncommon case of v6
only without v4 or NAT64, the installer would really need to probe for
working v4, working v6, and show an appropriate subset of the mirror
list.

But what is "working v6" anyway? Even though it's 14 years since the
famous HE/Cogent cake, you still can't reach chunks of the internet
(including c.root-servers.net) from HE, and other chunks over Cogent. So
the definition and testing to detect that is not trivial.



umb(4): no removal of IP addr after provider based IP renewal

2023-10-24 Thread Stefan Kapfhammer
Hello OpenBSD team & developers,

first of all, thank you for release 7.4.

I am using the umb(4) interface for a temporary ad-hoc router
with a SIM card from Mobile Vikings in Belgium.

It works well with pppd(8) / chat(8) and every 24 hours, after
the mobile provider changes the IP addr, it gets a new IPv4 addr.

(BIG thank you for making it happen that the umb(4) devices are
also accessible with umsm(4)/ucom(4).)

umb0: flags=808851 mtu 1500
index 10 priority 6 llprio 3
roaming enabled registration home network
state up cell-class LTE rssi -101dBm speed 572Mbps up 572Mbps down
SIM initialized PIN valid (3 attempts left)
subscriber-id 2060100 ICC-id 89323000
device EM12-G IMEI 8697100 firmware EM12GPAR01A21M4G
APN INTERNET.PROXIMUS.BE provider Mobile Vikings provider-id 20601
dns 80.201.237.238 80.201.237.239
groups: egress
status: active
inet 100.92.87.146 --> 100.92.87.145 netmask 0xfffc
inet 100.85.225.238 --> 100.85.225.237 netmask 0xfffc


To the problem:

Once the provider changes the IP addr every night at around 0:00h,
I get a second IP addr on umb0, what confuses routing.

The workaround here is only
ifconfig umb0 down
sh -x /etc/netstart umb0
rcctl restart unbound

The system is a fresh installed OpenBSD 7.4 with recent firmware.

How can this be solved?

Best regards,
Stefan Kapfhammer
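The workaround above is manual; the script below is an added example (not from the thread, not part of OpenBSD or the umb(4) driver) that detects the duplicate-address state from the ifconfig output format shown in the post and applies the same three commands only when a second inet address has appeared. It assumes OpenBSD's ifconfig(8) output layout and that running it periodically from root's crontab is acceptable; the file name umbcheck.sh and the log tag are placeholders.

```shell
#!/bin/sh
# Added example: reset umb0 only when it carries more than one inet address,
# which is the symptom described in the post after the provider's renewal.
# Not part of OpenBSD; assumes ifconfig(8) prints "inet A --> B netmask ...".

IFACE=${IFACE:-umb0}

# Print the point-to-point inet addresses found in ifconfig output on stdin.
inet_addrs() {
	awk '$1 == "inet" && $3 == "-->" { print $2 }'
}

# Number of such addresses in ifconfig output on stdin.
inet_count() {
	inet_addrs | awk 'END { print NR }'
}

# Exit 0 when the interface has picked up a second address.
needs_reset() {
	[ "$(inet_count)" -gt 1 ]
}

# The workaround from the post, unchanged.
reset_iface() {
	ifconfig "$IFACE" down
	sh /etc/netstart "$IFACE"
	rcctl restart unbound
}

# Entry point: act only when the duplicate state is present.
# Usage (root crontab, placeholder path): */5 * * * * sh /root/umbcheck.sh --run
main() {
	if ifconfig "$IFACE" | needs_reset; then
		logger -t umbcheck "$IFACE has several inet addresses, resetting"
		reset_iface
	fi
}

case ${1:-} in
	--run) main ;;
esac
```

Checking the address count rather than the time of day keeps the reset from firing on nights when the provider hands back the same address, and the `--run` guard lets the functions be sourced and tested against captured ifconfig output before the script is trusted with the interface.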



Re: a2ps error; printing utf8 to a postscript printer

2023-10-24 Thread rsykora
Antoine Jacoutot  wrote:
> On Mon, Oct 23, 2023 at 05:22:37PM +0200, rsyk...@disroot.org wrote:
> > Dear list,
> > 
> > 
> > after upgrading to OpenBSD 7.4 (as far as I can tell),
> > a2ps program stopped working:
> > 
> > ;a2ps /home/ruda/mnt/tarkil/SIMUL/acceptance/accept1detE0.ijs  
> > [/home/ruda/mnt/tarkil/SIMUL/acceptance/accept1detE0.ijs (plain): 2 pages on 1 sheet]
> > Usage: a2ps-lpr-wrapper [-d printer] FILE...
> > a2ps: received SIGPIPE
> > 
> > It seems to me that a2ps-lpr-wrapper expects a FILE argument,
> > while a2ps (which invokes the wrapper?) does not supply one...
> > 
> > Has anybody else had this issue?
> > Thanks for comments.
> > 
> > Loosely related: What program do you use to print utf8
> > encoded text file to a postscript printer? (Neither a2ps, nor
> > enscript does it. At this moment I either remove any
> > diacritics with 'recode -f utf8..flat ...', or open the
> > file in gedit and print from there. I heard there is
> > 'paps' and 'cedilla' programs, but neither is in ports
> > and I failed to compile the former as cloned from github.)
> 
> See https://savannah.gnu.org/bugs/?64047
> I will cook up a patch.

Yes, that's it. Thanks!
I confirm that applying the patch there worked for me.
(It's essentially a removal of one line in a2ps-lpr-wrapper.)

Ruda




Re: Default rdomain for CLI commands

2023-10-24 Thread Andy Lemin
Hi Lyndon,
That is a good trick, I will try that.

But it is more of an unexpected nuisance as I’m expecting the default to be 
rdomain 0.

It seems to switch to use the rdomain with the most default routes which breaks 
things unexpectedly - for example many crontab commands break after adding 
routes, so now have to _always_ prefix with route -T0 exec (to support 
automated route changes etc).

This must be unexpected behaviour to change dynamically like this?

Thanks for your help, Andy.


> On 24 Oct 2023, at 14:09, Lyndon Nerenberg (VE7TFX/VE6BBM) 
>  wrote:
> 
> Andy Lemin writes:
> 
>> So I have to run;
>> ‘route -T0 exec syspatch’ for example.
>> 
>> How do I set/override the default rdomain for system level CLI commands?
> 
> If you're talking about running a bunch of interactive shell commands
> in rdomain 0, just 'route -T0 exec sh' to drop into a sub-shell in
> rdomain 0.
> 
> --lyndon



Re: a2ps error; printing utf8 to a postscript printer

2023-10-24 Thread Antoine Jacoutot
On Mon, Oct 23, 2023 at 05:22:37PM +0200, rsyk...@disroot.org wrote:
> Dear list,
> 
> 
> after upgrading to OpenBSD 7.4 (as far as I can tell),
> a2ps program stopped working:
> 
> ;a2ps /home/ruda/mnt/tarkil/SIMUL/acceptance/accept1detE0.ijs  
> [/home/ruda/mnt/tarkil/SIMUL/acceptance/accept1detE0.ijs (plain): 2 pages on 1 sheet]
> Usage: a2ps-lpr-wrapper [-d printer] FILE...
> a2ps: received SIGPIPE
> 
> It seems to me that a2ps-lpr-wrapper expects a FILE argument,
> while a2ps (which invokes the wrapper?) does not supply one...
> 
> Has anybody else had this issue?
> Thanks for comments.
> 
> Loosely related: What program do you use to print utf8
> encoded text file to a postscript printer? (Neither a2ps, nor
> enscript does it. At this moment I either remove any
> diacritics with 'recode -f utf8..flat ...', or open the
> file in gedit and print from there. I heard there is
> 'paps' and 'cedilla' programs, but neither is in ports
> and I failed to compile the former as cloned from github.)

See https://savannah.gnu.org/bugs/?64047
I will cook up a patch.

-- 
Antoine



Re: X session doesn't survive zzz

2023-10-24 Thread Jan Stary
On Oct 22 17:02:50, guent...@gmail.com wrote:
> I would start by removing X from the picture and verify that suspend and
> resume are working (or not) when X is not running.  Are USB devices failing
> to reattach or coming back in some weird mode which isn't working?  Can you
> ssh in?

Without X running, everything seems to resume fine. For completeness,
this is what /var/log/messages says about the suspend and resume.

Oct 23 16:37:59 box apmd: system suspending
Oct 23 16:37:59 box apmd: battery status: absent. external power status: not known. estimated battery life 0%
Oct 23 16:38:23 box /bsd: ukbd0: was console keyboard
Oct 23 16:38:23 box /bsd: wskbd0 detached
Oct 23 16:38:23 box /bsd: ukbd0 detached
Oct 23 16:38:23 box /bsd: uhidev0 detached
Oct 23 16:38:23 box /bsd: wskbd1: disconnecting from wsdisplay0
Oct 23 16:38:23 box /bsd: wskbd1 detached
Oct 23 16:38:23 box /bsd: ucc0 detached
Oct 23 16:38:23 box /bsd: uhid0 detached
Oct 23 16:38:23 box /bsd: wskbd2: disconnecting from wsdisplay0
Oct 23 16:38:23 box /bsd: wskbd2 detached
Oct 23 16:38:23 box /bsd: ucc1 detached
Oct 23 16:38:23 box /bsd: uhidev1 detached
Oct 23 16:38:23 box /bsd: wsmouse0 detached
Oct 23 16:38:23 box /bsd: ums0 detached
Oct 23 16:38:23 box /bsd: uhidev2 detached
Oct 23 16:38:23 box /bsd: uhub3 detached
Oct 23 16:38:23 box /bsd: uhub0 detached
Oct 23 16:38:23 box /bsd: uhub1 detached
Oct 23 16:38:23 box /bsd: uhub4 detached
Oct 23 16:38:23 box /bsd: uhub2 detached
Oct 23 16:38:23 box /bsd: uhub0 at usb0 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
Oct 23 16:38:23 box /bsd: uhub1 at usb1 configuration 1 interface 0 "Etron xHCI root hub" rev 3.00/1.00 addr 1
Oct 23 16:38:23 box /bsd: uhub2 at usb2 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
Oct 23 16:38:23 box apmd: system resumed from sleep
Oct 23 16:38:23 box apmd: battery status: absent. external power status: not known. estimated battery life 0%
Oct 23 16:38:24 box /bsd: uhub3 at uhub0 port 1 configuration 1 interface 0 "Intel Rate Matching Hub" rev 2.00/0.00 addr 2
Oct 23 16:38:25 box /bsd: uhidev0 at uhub3 port 5 configuration 1 interface 0 "Logitech USB Keyboard" rev 1.10/64.00 addr 3
Oct 23 16:38:25 box /bsd: uhidev0: iclass 3/1
Oct 23 16:38:25 box /bsd: ukbd0 at uhidev0: 8 variable keys, 6 key codes
Oct 23 16:38:25 box /bsd: wskbd0 at ukbd0: console keyboard, using wsdisplay0
Oct 23 16:38:25 box /bsd: uhidev1 at uhub3 port 5 configuration 1 interface 1 "Logitech USB Keyboard" rev 1.10/64.00 addr 3
Oct 23 16:38:25 box /bsd: uhidev1: iclass 3/0, 3 report ids
Oct 23 16:38:25 box /bsd: ucc0 at uhidev1 reportid 1: 2 usages, 3 keys, enum
Oct 23 16:38:25 box /bsd: wskbd1 at ucc0 mux 1
Oct 23 16:38:25 box /bsd: wskbd1: connecting to wsdisplay0
Oct 23 16:38:25 box /bsd: uhid0 at uhidev1 reportid 2: input=1, output=0, feature=0
Oct 23 16:38:25 box /bsd: ucc1 at uhidev1 reportid 3: 21 usages, 14 keys, enum
Oct 23 16:38:25 box /bsd: wskbd2 at ucc1 mux 1
Oct 23 16:38:25 box /bsd: wskbd2: connecting to wsdisplay0
Oct 23 16:38:26 box /bsd: uhidev2 at uhub3 port 6 configuration 1 interface 0 "Genius Optical Mouse" rev 1.10/1.00 addr 4
Oct 23 16:38:26 box /bsd: uhidev2: iclass 3/1
Oct 23 16:38:26 box /bsd: ums0 at uhidev2: 3 buttons, Z dir
Oct 23 16:38:26 box /bsd: wsmouse0 at ums0 mux 0
Oct 23 16:38:26 box /bsd: uhub4 at uhub2 port 1 configuration 1 interface 0 "Intel Rate Matching Hub" rev 2.00/0.00 addr 2

(I have tried three times, the messages are identical.)

> If that's working fine, then bring X back into the picture but capture
> /var/log/Xorg.0.log both before suspending and then after resuming (ssh in
> if necessary) and see what X is falling over on.

See below for the X logs of a working and nonworking resume.

Reproducibly, X resumes fine if I suspend from a console:
ctrl-alt-f1 and zzz from there, ctrl-alt-f5 after resume;
firefox and all the xterms are still running.

Reproducibly, X fails to resume when I zzz from an xterm,
i.e. suspend from within the running X. The diff in X log
suggests it's the kbd encoding that fails (-good +bad):

-(II) config/wscons: checking input device /dev/wskbd
-(II) wskbd: using layout us
-(II) LoadModule: "kbd"
-(II) Loading /usr/X11R6/lib/modules/input/kbd_drv.so
-(II) Module kbd: vendor="X.Org Foundation"
-   compiled for 1.21.1.8, module version = 2.0.0
-   Module class: X.Org XInput Driver
-   ABI class: X.Org XInput driver, version 24.4
-(II) Using input driver 'kbd' for '/dev/wskbd'
-(**) /dev/wskbd: always reports core events
-(**) /dev/wskbd: always reports core events
-(**) Option "Protocol" "standard"
-(**) Option "XkbRules" "base"
-(**) Option "XkbModel" "pc105"
-(**) Option "XkbLayout" "us"
-(II) XINPUT: Adding extended input device "/dev/wskbd" (type: KEYBOARD, id 6)
+(WW) wskbd: ioctl(WSKBDIO_GETENCODING) failed: Inappropriate ioctl for device

Once I rcctl restart xenodm, everything works again,
except the previously running X clients are dead.



Re: AAAA entry for openbsd.org

2023-10-24 Thread Parodper

> If you want to volunteer to host an ipv6 mirror, I think the
> licensing already allows that.

There are already IPv6-enabled mirrors. The issue is that
{ftplist1.,ftplist2.,''}openbsd.org doesn't have IPv6, so it can't fetch
a list of them.