7.5: wireguard problem after running "ifconfig wg0 -wgpeer xxxx..."

2024-07-16 Thread Harald Dunkel

Hi folks,

I've got >20 wgpeer entries in hostname.wg0 on my VPN gateway (OpenBSD
7.5), each for a road-warrior laptop running Linux, MacOS or Windows.
After removing 3 peers on the command line last Thursday (using

ifconfig wg0 -wgpeer 9AQR8zfadzA+fF5UsRCLNHd6Ljs=

for each) some of the remaining connections became unusable. Some
road-warriors could initiate their connections, but ping didn't work.
"wg show" showed the connection on the gateway. After 2 mins the
laptop disconnected and tried again.

After rebooting the VPN gateway the problem is gone and all laptops
can connect again (AFAICT).

I understand that this is hard to reproduce, so this is more some
kind of FYI.


Regards

Harri



Re: fw_update

2024-05-03 Thread Harald Dunkel

On 2024-05-02 21:25:00, Stuart Henderson wrote:


You have an old fw_update(1) manual lying around which should be
removed. It moved to fw_update(8).



"Moved"?

And yet another BTW: https://man.openbsd.org/OpenBSD-7.5/ seems to
be forgotten.


Regards

Harri



Re: fw_update

2024-05-02 Thread Harald Dunkel

On 2024-04-30 13:25:39, Страхиња Радић wrote:

On 24/04/30 01:12PM, Kirill A. Korinsky wrote:

You may download it by hand and install as fw_update /path/to/firmware.tgz


BTW, this is in fw_update(8).

man 8 fw_update
/SYNOPSIS



Another BTW:

# fw_update -i
fw_update: unknown option -- -i
usage: fw_update [-adFnv] [-p path] [driver | file ...]

The man page says

SYNOPSIS
 fw_update [-adinv] [-p path] [driver ...]

What is -F supposed to do? What happened to the -i?



Re: USB keyboard quirks may not be properly catered to in bsd.rd kernels

2024-04-26 Thread Harald Dunkel

The keyboard is a Newmen GM610 Gaming Keyboard I shot on amazon.

Regards
Harri



Re: bad first impression [ ...] Fwd: [HUNSN RJ43: USB keyboard lost at boot time]

2024-04-26 Thread Harald Dunkel

On 2024-04-26 10:31:17, Stuart Henderson wrote:


So another keyboard works with this machine, and this keyboard works
with other machines.



Not exactly. In the meantime I tried the keyboard on another host (some
ancient O-series Zotac box) with the same result: At the boot prompt
the keyboard still works, but once the kernel is booted the keyboard
is dead and has to be connected to another USB port.

The Zotac host is 10 years old, the RJ43 was released just a few months
ago. Both are Intel hosts with Intel chipsets, though. If necessary I can
provide dmesg output of this host as well, as soon as I have access to
the hardware again.


Regards
Harri



Re: bad first impression of OpenBSD at install time

2024-04-26 Thread Harald Dunkel

On 2024-04-25 17:51:59, Claudio Jeker wrote:


Without providing at least a dmesg of that system there is no way we can
help you.  It is not even clear what kind of system or arch it is?



See my post from 2024-04-20.

Regards
Harri



Re: what became of "apmd -C"?

2024-04-26 Thread Harald Dunkel

On 2024-04-24 09:30:29, Stuart Henderson wrote:


To get similar to previous behaviour, you can either install obsdfreqd
from packages (userland monitoring, similar to old old apmd -C), or
some people run with a kernel patch like this:

Index: kern/sched_bsd.c
===
RCS file: /cvs/src/sys/kern/sched_bsd.c,v
diff -u -p -r1.91 sched_bsd.c
--- kern/sched_bsd.c30 Mar 2024 13:33:20 -  1.91
+++ kern/sched_bsd.c24 Apr 2024 07:18:01 -
@@ -603,7 +603,7 @@ setperf_auto(void *v)
if (cpu_setperf == NULL)
return;
  
-	if (hw_power) {

+   if (0 && hw_power) {
speedup = 1;
goto faster;
}
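
Review bot: the `0 &&` in `+   if (0 && hw_power) {` turns the hw_power branch into dead code instead of something an administrator can switch, so the patch has to be carried and re-applied on every kernel update; since the thread wants the old `apmd -C` behaviour back, gate the branch on a variable that a sysctl can set rather than the literal 0, so the `speedup = 1; goto faster;` path is skipped only when that knob is clear. Two mechanical points before this applies with patch(1): the blank line between the `-` and `+` lines has to go, and the added line is indented with spaces while the removed one uses a tab, which does not match the surrounding KNF indentation.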



It's too bad that saving power by default (without battery mode)
cannot be configured via sysctl anymore. I have installed obsdfreqd,
of course.


Thank you for the reply
Harri



bad first impression of OpenBSD at install time

2024-04-25 Thread Harald Dunkel

Hi folks,

I posted this before, without any response from the community:

At the boot> prompt of the installer image my USB keyboard still works,
but at the install prompt the keyboard is ignored. I cannot press "i"
to actually install OpenBSD.

Fortunately I have been with BSD since Ultrix and SunOS 4.0.3. I've seen
worse. But if this had been my first impression of OpenBSD I would
have given it the boot and used Linux instead.


Regards
Harri



what became of "apmd -C"?

2024-04-24 Thread Harald Dunkel

Hi folks,

https://www.openbsd.org/faq/upgrade57.html doesn't mention it, so
I wonder what became of "apmd -C"? The man page for OpenBSD 5.7
silently dropped this option, but even apmd of 7.5 still accepts
it.

?

Regards
Harri



HUNSN RJ43: USB keyboard lost at boot time

2024-04-20 Thread Harald Dunkel

Hi folks,

This morning I got a HUNSN RJ43 network appliance with N100 and
4 2.5Gbit network interfaces. Problem: The keyboard is lost at boot
time. It still worked at the boot> prompt, but in OpenBSD's installer
menu or at the login prompt it is ignored. I have to pull it out and
plug it into another socket to make OpenBSD 7.5 recognize it, but
even this workaround fails sometimes.

*If* it works, then usbdevs shows (before and after):

pablo# usbdevs -vv
Controller /dev/usb0:
addr 01: 8086:0000 Intel, xHCI root hub
 super speed, self powered, config 1, rev 1.00
 driver: uhub0
 port 01: 0000.02a0 power Rx.detect
 port 02: 0000.02a0 power Rx.detect
 port 03: 0000.0503 connect enabled recovery
 port 04: 0000.02a0 power Rx.detect
 port 05: 0011.02a0 power Rx.detect
 port 06: 0000.02a0 power Rx.detect
 port 07: 0000.02a0 power Rx.detect
 port 08: 0000.02a0 power Rx.detect
 port 09: 0000.02a0 power Rx.detect
 port 10: 0000.02a0 power Rx.detect
 port 11: 0000.02a0 power Rx.detect
 port 12: 0000.02a0 power Rx.detect
 port 13: 0000.02a0 power Rx.detect
 port 14: 0000.02a0 power Rx.detect
 port 15: 0000.02a0 power Rx.detect
 port 16: 0000.02a0 power Rx.detect
addr 02: 05e3:0748 Generic, USB Storage
 high speed, power 500 mA, config 1, rev 12.09, iSerial 1209
 driver: umass0

# plug it in

pablo# usbdevs -vv
Controller /dev/usb0:
addr 01: 8086:0000 Intel, xHCI root hub
 super speed, self powered, config 1, rev 1.00
 driver: uhub0
 port 01: 0000.02a0 power Rx.detect
 port 02: 0000.02a0 power Rx.detect
 port 03: 0000.0503 connect enabled recovery
 port 04: 0000.02a0 power Rx.detect
 port 05: 0011.02a0 power Rx.detect
 port 06: 0000.0103 connect enabled recovery
 port 07: 0000.02a0 power Rx.detect
 port 08: 0000.02a0 power Rx.detect
 port 09: 0000.02a0 power Rx.detect
 port 10: 0000.02a0 power Rx.detect
 port 11: 0000.02a0 power Rx.detect
 port 12: 0000.02a0 power Rx.detect
 port 13: 0000.02a0 power Rx.detect
 port 14: 0000.02a0 power Rx.detect
 port 15: 0000.02a0 power Rx.detect
 port 16: 0000.02a0 power Rx.detect
addr 02: 05e3:0748 Generic, USB Storage
 high speed, power 500 mA, config 1, rev 12.09, iSerial 1209
 driver: umass0
addr 03: 12c9:6001 SINO WEALTH, Newmen Bluetooth Keyboard
 full speed, power 500 mA, config 1, rev 30.04
 driver: uhidev0
 driver: uhidev1


(I know it says Bluetooth, but it's connected via cable. No
BT dongle involved.)

dmesg shows on detecting the keyboard:

uhidev0 at uhub0 port 6 configuration 1 interface 0 "SINO WEALTH Newmen Bluetooth Keyboard" rev 1.10/30.04 addr 3
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 variable keys, 6 key codes
wskbd0 at ukbd0: console keyboard, using wsdisplay0
uhidev1 at uhub0 port 6 configuration 1 interface 1 "SINO WEALTH Newmen Bluetooth Keyboard" rev 1.10/30.04 addr 3
uhidev1: iclass 3/0, 13 report ids
uhid0 at uhidev1 reportid 1: input=1, output=0, feature=0
ucc0 at uhidev1 reportid 2: 573 usages, 20 keys, array
wskbd1 at ucc0 mux 1
wskbd1: connecting to wsdisplay0
uhid1 at uhidev1 reportid 5: input=0, output=0, feature=5
ukbd1 at uhidev1 reportid 6: 120 variable keys, 0 key codes
wskbd2 at ukbd1 mux 1
wskbd2: connecting to wsdisplay0
uhid2 at uhidev1 reportid 9: input=0, output=0, feature=255
uhid3 at uhidev1 reportid 10: input=0, output=0, feature=41
uhid4 at uhidev1 reportid 11: input=0, output=0, feature=255
uhid5 at uhidev1 reportid 12: input=0, output=0, feature=255
ums0 at uhidev1 reportid 13: 5 buttons, Z and W dir
wsmouse0 at ums0 mux 0


Another 15+ years old USB keyboard works out of the box, so maybe the
keyboard is to blame here. It worked fine on other hosts running
OpenBSD 7.4 or 7.5, though.

BIOS had been reset to the defaults. dmesg output is attached, of
course. Every helpful idea is highly appreciated. I would be glad
to help to track down this problem.


Harri

OpenBSD 7.5 (RAMDISK_CD) #76: Wed Mar 20 15:53:54 MDT 2024
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
real mem = 34069209088 (32490MB)
avail mem = 33032028160 (31501MB)
random: good seed from bootblocks
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.5 @ 0x73ba9000 (117 entries)
bios0: vendor American Megatrends International, LLC. version "5.27" date 03/07/2024
bios0: Default string Default string
acpi0 at bios0: ACPI 6.4Undefined scope: \\_SB_.PC00.TXHC.RHUB.SS01
Undefined scope: \\_SB_.PC00.TXHC.RHUB.SS02

acpi0: tables DSDT FACP FIDT SSDT SSDT SSDT SSDT HPET APIC MCFG SSDT UEFI NHLT LPIT SSDT SSDT DBGP DBG2 SSDT DMAR FPDT SSDT SSDT SSDT SSDT TPM2 BGRT PHAT WSMT
acpihpet0 at acpi0: 1920 Hz
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)

Re: smtpd[68513]: warn: lost processor: spamassassin exited abnormally

2023-11-13 Thread Harald Dunkel

Hi Omar,

On 2023-11-09 18:22:41, Omar Polo wrote:

I've committed the update and backported to -STABLE so the fixed package
should appear in the next days.

Thanks for the report and sorry for the breakage



I highly appreciate your fast response and the fix you have
provided.


Regards
Harri



Re: smtpd[68513]: warn: lost processor: spamassassin exited abnormally

2023-11-07 Thread Harald Dunkel

Hi Omar,

sorry for the delay, but I have good news: The patch seems to
work. Of course I will continue to watch it.

Thank you very much

Harri



Re: smtpd[68513]: warn: lost processor: spamassassin exited abnormally

2023-11-06 Thread Harald Dunkel

On 2023-11-05 10:21:10, Omar Polo wrote:


Can you try the following diff to see if it helps?



I will try this evening after work, stay tuned. It's been a while
since I used CVS.

Regards

Harri



smtpd[68513]: warn: lost processor: spamassassin exited abnormally

2023-11-05 Thread Harald Dunkel

Hi folks,

since OpenBSD 7.4 the spamassassin filter seems to be broken. On
the first EMail opensmtpd dies with a message in maillog saying

Nov  5 08:59:23 mhost smtpd[60460]: bcc4f33a095bb28e smtp connected address=xx.xx.xx.xx host=mail.example.com
Nov  5 08:59:23 mhost filter-spamassassin[7782]: bcc4f33a095bb28e protocol report 0.7
Nov  5 08:59:23 mhost filter-spamassassin[7782]: exit
Nov  5 08:59:23 mhost smtpd[68513]: warn: lost processor: spamassassin exited abnormally
Nov  5 08:59:23 mhost smtpd[68513]: Exiting


smtpd is configured according to /usr/local/share/doc/pkg-readmes/\
opensmtpd-filter-spamassassin (except for the tls option):

xname = "mailhost.example.de"
pki $xname cert "/etc/ssl/example.de/fullchain.pem"
pki $xname key  "/etc/ssl/example.de/privkey.pem"
pki $xname dhe  auto

filter "spamassassin" proc-exec "filter-spamassassin"

listen on all tls pki $xname filter "spamassassin"
listen on socket filter "spamassassin"
:
:

If I kick out the tls stuff, it is still broken.

Can anybody reproduce this? Every helpful hint is highly
appreciated.


Harri



Re: 7.4 and hostname.pfsync7

2023-10-16 Thread Harald Dunkel

On 2023-10-16 07:59:06, Peter Hessler wrote:

On 2023 Oct 16 (Mon) at 07:53:37 +0200 (+0200), Harald Dunkel wrote:
:/etc/hostname.vlan111:
:vnetid 111
:parent re0

You need to add "up" here.



The "up" in hostname.vlan111 makes no difference for the
configuration of the pfsync0 interface, I have tried, see
attachments.

BTW, the error message on the console in the "bad" case is

:
starting network
ifconfig: pfsync0: SIOCSIFFLAGS: Device not configured
reordering: ld.so libc libcrypto sshd.
ifconfig: pfsync0: SIOCSIFFLAGS: Device not configured
:

Regards

Harri
/etc/hostname.vlan111:
vnetid 111
parent re0 
up

/etc/hostname.pfsync0:
syncdev vlan111 up

vlan111: flags=8843 mtu 1500
lladdr 00:01:2e:55:c7:10
index 6 priority 0 llprio 3
encap: vnetid 111 parent re0 txprio packet rxprio outer
groups: vlan
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active

pfsync0: flags=41 mtu 1500
index 5 priority 0 llprio 3
encap: parent vlan111
pfsync: syncdev: vlan111 maxupd: 128 defer: off
groups: carp pfsync
/etc/hostname.vlan111:
vnetid 111
parent re0 
up

/etc/hostname.pfsync0:
syncdev vlan111
up

vlan111: flags=8843 mtu 1500
lladdr 00:01:2e:55:c7:10
index 6 priority 0 llprio 3
encap: vnetid 111 parent re0 txprio packet rxprio outer
groups: vlan
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active

pfsync0: flags=41 mtu 1500
index 5 priority 0 llprio 3
encap: parent vlan111
pfsync: syncdev: vlan111 maxupd: 128 defer: off
groups: carp pfsync
/etc/hostname.vlan111:
vnetid 111
parent re0 
up

/etc/hostname.pfsync0:
up
syncdev vlan111

vlan111: flags=8843 mtu 1500
lladdr 00:01:2e:55:c7:10
index 6 priority 0 llprio 3
encap: vnetid 111 parent re0 txprio packet rxprio outer
groups: vlan
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active

pfsync0: flags=41 mtu 1500
index 5 priority 0 llprio 3
encap: parent vlan111
pfsync: syncdev: vlan111 maxupd: 128 defer: off
groups: carp pfsync
/etc/hostname.vlan111:
vnetid 111
parent re0 
up

/etc/hostname.pfsync0:
up syncdev vlan111

vlan111: flags=8843 mtu 1500
lladdr 00:01:2e:55:c7:10
index 6 priority 0 llprio 3
encap: vnetid 111 parent re0 txprio packet rxprio outer
groups: vlan
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active

pfsync0: flags=0<> mtu 1500
index 5 priority 0 llprio 3
encap: parent none
groups: carp pfsync


Re: 7.4 and hostname.pfsync7

2023-10-15 Thread Harald Dunkel

Hi folks,

sorry, I had hoped somebody knew the answer and that the man page
could be fixed.

I have just limited test equipment for verification, so I have setup
a vlan interface for pfsync and tried some combinations. Result:
Apparently there is no difference between

up
syncdev vlan111
and
syncdev vlan111
up
and
syncdev vlan111 up

in this setup, but

up syncdev vlan111

seems weird, according to the output of ifconfig. Detailed results are
attached.


Hope this helps. Regards

Harri
/etc/hostname.vlan111:
vnetid 111
parent re0 

/etc/hostname.pfsync0:
syncdev vlan111 up

vlan111: flags=8002 mtu 1500
lladdr 00:01:2e:55:c7:10
index 6 priority 0 llprio 3
encap: vnetid 111 parent re0 txprio packet rxprio outer
groups: vlan
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active

pfsync0: flags=41 mtu 1500
index 5 priority 0 llprio 3
encap: parent vlan111
pfsync: syncdev: vlan111 maxupd: 128 defer: off
groups: carp pfsync
/etc/hostname.vlan111:
vnetid 111
parent re0 

/etc/hostname.pfsync0:
syncdev vlan111
up

vlan111: flags=8002 mtu 1500
lladdr 00:01:2e:55:c7:10
index 6 priority 0 llprio 3
encap: vnetid 111 parent re0 txprio packet rxprio outer
groups: vlan
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active

pfsync0: flags=41 mtu 1500
index 5 priority 0 llprio 3
encap: parent vlan111
pfsync: syncdev: vlan111 maxupd: 128 defer: off
groups: carp pfsync
/etc/hostname.vlan111:
vnetid 111
parent re0 

/etc/hostname.pfsync0:
up
syncdev vlan111

vlan111: flags=8002 mtu 1500
lladdr 00:01:2e:55:c7:10
index 6 priority 0 llprio 3
encap: vnetid 111 parent re0 txprio packet rxprio outer
groups: vlan
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active

pfsync0: flags=41 mtu 1500
index 5 priority 0 llprio 3
encap: parent vlan111
pfsync: syncdev: vlan111 maxupd: 128 defer: off
groups: carp pfsync
/etc/hostname.vlan111:
vnetid 111
parent re0 

/etc/hostname.pfsync0:
up syncdev vlan111

vlan111: flags=8002 mtu 1500
lladdr 00:01:2e:55:c7:10
index 6 priority 0 llprio 3
encap: vnetid 111 parent re0 txprio packet rxprio outer
groups: vlan
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active

pfsync0: flags=0<> mtu 1500
index 5 priority 0 llprio 3
encap: parent none
groups: carp pfsync


7.4 and hostname.pfsync7

2023-10-14 Thread Harald Dunkel

Hi folks,

I learned that pfsync has been rewritten for 7.4 and that

up
syncdev em7

doesn't work anymore. What about

up syncdev em7

(one line), as suggested in the current pfsync(4)?


Regards
Harri



mg wishlist: vertical split

2023-09-26 Thread Harald Dunkel

Hi folks,

would it be possible to introduce a vertical split window (Ctrl-X 3)
in mg, similar to horizontal split? I am really missing this feature.
Vertical split allows me to work with similar files (shown side-by-side)
much more efficiently.


Regards

Harri



improve wireguard logging, please?

2023-08-05 Thread Harald Dunkel

Hi folks,

would it be possible to improve wireguard logging in OpenBSD?
A message like

Receiving handshake initiation from peer 17

in /var/log/messages of 2 weeks ago isn't really helpful. Who
the heck was peer 17?

For forensic measures in case of an incident I need the peer's
public key at that time. The first 16 or 10 chars should do. The
current contents of /etc/hostname.wg0 or some internal numbering
in the kernel is insufficient.


Regards
Harri
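
Added example (not OpenBSD's or the poster's code) for this request and for the `ifconfig wg0 -wgpeer` report at the top of the page: a small Python tool that parses `ifconfig wg0` output, confirms which peers are gone after a live removal, and writes timestamped JSON records of the peer table so that an investigation two weeks later can tie a connection to a public key rather than to an internal peer number. It assumes the per-peer field names as printed by OpenBSD's ifconfig (wgpeer, wgendpoint, wgaip, tx:/rx:, last handshake:); the sample output and the keys in it are constructed, not taken from the poster's gateway.

```python
"""Treat the ifconfig(8) wg peer table as evidence: confirm a live
`ifconfig wg0 -wgpeer <key>` removal and keep timestamped records of who
was a peer when.  Added example, not OpenBSD code.  Assumed field names
(wgpeer, wgendpoint, wgaip, tx:/rx:, last handshake:) follow ifconfig's
wg output; the sample text and the keys in it are constructed."""
import json
import re
from datetime import datetime, timezone

# Constructed keys, shaped like 44-char base64 WireGuard public keys.
K1 = "Peer1LaptopLinuxAAAAAAAAAAAAAAAAAAAAAAAAAAA="
K2 = "Peer2LaptopMacOSBBBBBBBBBBBBBBBBBBBBBBBBBBB="
K3 = "Peer3LaptopWindowsCCCCCCCCCCCCCCCCCCCCCCCCC="

HEAD = ("wg0: flags=80c3<UP,BROADCAST,RUNNING,NOARP,MULTICAST> mtu 1420\n"
        "\tindex 6 priority 0 llprio 3\n\twgport 51820\n"
        "\twgpubkey GatewayPubKeyDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD=\n")
PEER1 = (f"\twgpeer {K1}\n\t\twgpka 25 (sec)\n"
         "\t\twgendpoint 203.0.113.10 41641\n\t\ttx: 10240, rx: 20480\n"
         "\t\tlast handshake: 12 seconds ago\n\t\twgaip 10.8.0.2/32\n")
PEER2 = (f"\twgpeer {K2}\n\t\twgendpoint 198.51.100.7 51820\n"
         "\t\ttx: 512, rx: 0\n\t\tlast handshake: 5 minutes ago\n"
         "\t\twgaip 10.8.0.3/32\n\t\twgaip 10.8.0.4/32\n")
# Configured but never connected: no endpoint and no handshake line.
PEER3 = f"\twgpeer {K3}\n\t\ttx: 0, rx: 0\n\t\twgaip 10.8.0.5/32\n"
TAIL = "\tgroups: wg\n\tinet 10.8.0.1 netmask 0xffffff00 broadcast 10.8.0.255\n"

SAMPLE_BEFORE = HEAD + PEER1 + PEER2 + PEER3 + TAIL
SAMPLE_AFTER = HEAD + PEER1 + PEER2 + TAIL  # state after `ifconfig wg0 -wgpeer K3`

PEER_RE = re.compile(r"^\twgpeer (\S+)$")


def parse_peers(text):
    """Map pubkey -> {endpoint, aips, tx, rx, handshake}.  Double-tab lines
    belong to the most recent wgpeer; a single-tab line (groups:, inet)
    ends the peer section."""
    peers, cur = {}, None
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            cur = {"endpoint": None, "aips": [], "tx": 0, "rx": 0, "handshake": None}
            peers[m.group(1)] = cur
            continue
        if cur is None or not line.startswith("\t\t"):
            cur = None
            continue
        s = line.strip()
        if s.startswith("wgendpoint "):
            host, _, port = s[len("wgendpoint "):].rpartition(" ")
            cur["endpoint"] = f"{host}:{port}"
        elif s.startswith("wgaip "):
            cur["aips"].append(s.split()[1])
        elif s.startswith("tx: "):
            cur["tx"], cur["rx"] = (int(n) for n in re.findall(r"\d+", s))
        elif s.startswith("last handshake: "):
            cur["handshake"] = s[len("last handshake: "):]
    return peers


def removed_and_remaining(before, after):
    """Peers present before the -wgpeer but gone after it, and those still there."""
    b, a = parse_peers(before), parse_peers(after)
    return sorted(set(b) - set(a)), sorted(a)


def active_peers(text):
    """Peers that have actually handshaken (endpoint learned, handshake seen)."""
    return sorted(k for k, p in parse_peers(text).items()
                  if p["endpoint"] is not None and p["handshake"] is not None)


def snapshot_records(text, ts, ifname="wg0"):
    """One JSON line per peer stamped with ts (ISO-8601 UTC).  Appended to a log
    from cron every few minutes, this gives the key-to-time mapping that the
    kernel's 'peer 17' messages and today's hostname.wg0 do not preserve."""
    return [json.dumps({"ts": ts, "if": ifname, "pubkey": k, **p}, sort_keys=True)
            for k, p in parse_peers(text).items()]


if __name__ == "__main__":
    gone, left = removed_and_remaining(SAMPLE_BEFORE, SAMPLE_AFTER)
    print("removed:", gone, "\nremaining:", left)
    print("active before removal:", active_peers(SAMPLE_BEFORE))
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    for rec in snapshot_records(SAMPLE_AFTER, now):
        print(rec)
```

On a real gateway the text would come from `ifconfig wg0` run by cron; diffing two snapshots right after a `-wgpeer` shows whether only the intended key disappeared, and the appended JSON lines are what you grep when a log entry from weeks ago only says "peer 17".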



Re: 7.3 on Zotac O1520 makes it unbootable

2023-07-17 Thread Harald Dunkel

On 2023-06-18 09:03:02, Harald Dunkel wrote:

Hi folks,

if I install 7.3 on a Zotac O1520 on its internal SATA disk (MBR or UEFI),
then the system gets stuck during BIOS self test on the following reboots.
Without removing the disk I cannot even enter BIOS or select a boot media.

Surely OpenBSD is not to blame here. But it's a pity. I'd have loved to use it as
a cool desktop PC running a cool OS.

I haven't had a chance to get the usual dmesg output yet, but I wonder if
somebody has an idea by looking at the technical data on

https://www.zotac.com/product/mini_pcs/oi520

?

BTW, there are no BIOS updates.



This seems to be related to fdisk. If I partition the disk
on Linux to create sd0{a..d}, then OpenBSD boots fine. Surely
a BIOS problem.

Regards
Harri



7.3 on Zotac O1520 makes it unbootable

2023-06-18 Thread Harald Dunkel

Hi folks,

if I install 7.3 on a Zotac O1520 on its internal SATA disk (MBR or UEFI),
then the system gets stuck during BIOS self test on the following reboots.
Without removing the disk I cannot even enter BIOS or select a boot media.

Surely OpenBSD is not to blame here. But it's a pity. I'd have loved to use it as
a cool desktop PC running a cool OS.

I haven't had a chance to get the usual dmesg output yet, but I wonder if
somebody has an idea by looking at the technical data on

https://www.zotac.com/product/mini_pcs/oi520

?

BTW, there are no BIOS updates.


Regards
Harri



Re: 7.3: high network latency every couple of seconds. Carp?

2023-04-28 Thread Harald Dunkel

Please ignore this duplicate post and reply to the other thread on
this mailing list. I had used my private EMail account by accident.


Regards
Harri



7.3: high network latency every couple of seconds. Carp?

2023-04-28 Thread Harald Dunkel

Hi folks,

Using 7.3 on a HA gateway ("redgatea" and "redgateb", one external
network, 2 internal networks, carp on all interfaces) I see a high
network latency for incoming network traffic every couple of seconds.
Trying to ping redgatea from redgateb over the pfsync interface, for
example:

redgateb # ping 192.168.23.2
PING 192.168.23.2 (192.168.23.2): 56 data bytes
64 bytes from 192.168.23.2: icmp_seq=0 ttl=255 time=0.585 ms
64 bytes from 192.168.23.2: icmp_seq=1 ttl=255 time=48.559 ms
64 bytes from 192.168.23.2: icmp_seq=2 ttl=255 time=153.323 ms
64 bytes from 192.168.23.2: icmp_seq=3 ttl=255 time=0.233 ms
64 bytes from 192.168.23.2: icmp_seq=4 ttl=255 time=0.230 ms
64 bytes from 192.168.23.2: icmp_seq=5 ttl=255 time=0.227 ms
64 bytes from 192.168.23.2: icmp_seq=6 ttl=255 time=1.001 ms
64 bytes from 192.168.23.2: icmp_seq=7 ttl=255 time=1.253 ms
64 bytes from 192.168.23.2: icmp_seq=8 ttl=255 time=0.224 ms
64 bytes from 192.168.23.2: icmp_seq=9 ttl=255 time=0.229 ms
64 bytes from 192.168.23.2: icmp_seq=10 ttl=255 time=0.231 ms
64 bytes from 192.168.23.2: icmp_seq=11 ttl=255 time=0.228 ms
64 bytes from 192.168.23.2: icmp_seq=12 ttl=255 time=0.267 ms
64 bytes from 192.168.23.2: icmp_seq=13 ttl=255 time=259.893 ms
64 bytes from 192.168.23.2: icmp_seq=14 ttl=255 time=364.299 ms
64 bytes from 192.168.23.2: icmp_seq=15 ttl=255 time=0.228 ms
64 bytes from 192.168.23.2: icmp_seq=16 ttl=255 time=0.230 ms
64 bytes from 192.168.23.2: icmp_seq=17 ttl=255 time=0.231 ms
64 bytes from 192.168.23.2: icmp_seq=18 ttl=255 time=1.349 ms
64 bytes from 192.168.23.2: icmp_seq=19 ttl=255 time=1.113 ms
64 bytes from 192.168.23.2: icmp_seq=20 ttl=255 time=0.232 ms
64 bytes from 192.168.23.2: icmp_seq=21 ttl=255 time=0.232 ms
64 bytes from 192.168.23.2: icmp_seq=22 ttl=255 time=0.225 ms
64 bytes from 192.168.23.2: icmp_seq=23 ttl=255 time=0.223 ms
64 bytes from 192.168.23.2: icmp_seq=24 ttl=255 time=0.224 ms
64 bytes from 192.168.23.2: icmp_seq=25 ttl=255 time=469.175 ms
64 bytes from 192.168.23.2: icmp_seq=26 ttl=255 time=571.747 ms
64 bytes from 192.168.23.2: icmp_seq=27 ttl=255 time=0.253 ms
64 bytes from 192.168.23.2: icmp_seq=28 ttl=255 time=0.225 ms
64 bytes from 192.168.23.2: icmp_seq=29 ttl=255 time=0.229 ms
64 bytes from 192.168.23.2: icmp_seq=30 ttl=255 time=0.227 ms
64 bytes from 192.168.23.2: icmp_seq=31 ttl=255 time=1.222 ms
64 bytes from 192.168.23.2: icmp_seq=32 ttl=255 time=0.995 ms
64 bytes from 192.168.23.2: icmp_seq=33 ttl=255 time=0.238 ms
64 bytes from 192.168.23.2: icmp_seq=34 ttl=255 time=0.238 ms
64 bytes from 192.168.23.2: icmp_seq=35 ttl=255 time=0.230 ms
64 bytes from 192.168.23.2: icmp_seq=36 ttl=255 time=0.230 ms
64 bytes from 192.168.23.2: icmp_seq=37 ttl=255 time=679.469 ms
64 bytes from 192.168.23.2: icmp_seq=38 ttl=255 time=781.050 ms
64 bytes from 192.168.23.2: icmp_seq=39 ttl=255 time=0.221 ms
64 bytes from 192.168.23.2: icmp_seq=40 ttl=255 time=0.240 ms
^C
--- 192.168.23.2 ping statistics ---
41 packets transmitted, 41 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.221/81.489/781.050/195.848 ms

There is no switch involved in this pfsync connection, just a
single cable from NIC to NIC.

I see the same performance problem for incoming traffic on all
other network interfaces of redgatea and redgateb, MASTER and
BACKUP, even on the external connection. For outgoing traffic
(eg if I try to ping a 3rd host *from* redgateb) there is a
performance impact, too, but it is much lower:

redgateb# ping 10.100.100.101
PING 10.100.100.101 (10.100.100.101): 56 data bytes
64 bytes from 10.100.100.101: icmp_seq=0 ttl=64 time=0.291 ms
64 bytes from 10.100.100.101: icmp_seq=1 ttl=64 time=0.241 ms
64 bytes from 10.100.100.101: icmp_seq=2 ttl=64 time=0.235 ms
64 bytes from 10.100.100.101: icmp_seq=3 ttl=64 time=0.246 ms
64 bytes from 10.100.100.101: icmp_seq=4 ttl=64 time=1.176 ms
64 bytes from 10.100.100.101: icmp_seq=5 ttl=64 time=1.479 ms
64 bytes from 10.100.100.101: icmp_seq=6 ttl=64 time=0.220 ms
64 bytes from 10.100.100.101: icmp_seq=7 ttl=64 time=0.231 ms
64 bytes from 10.100.100.101: icmp_seq=8 ttl=64 time=0.228 ms
64 bytes from 10.100.100.101: icmp_seq=9 ttl=64 time=0.229 ms
64 bytes from 10.100.100.101: icmp_seq=10 ttl=64 time=0.242 ms
64 bytes from 10.100.100.101: icmp_seq=11 ttl=64 time=0.230 ms
64 bytes from 10.100.100.101: icmp_seq=12 ttl=64 time=0.244 ms
64 bytes from 10.100.100.101: icmp_seq=13 ttl=64 time=0.236 ms
64 bytes from 10.100.100.101: icmp_seq=14 ttl=64 time=0.236 ms
64 bytes from 10.100.100.101: icmp_seq=15 ttl=64 time=0.231 ms
64 bytes from 10.100.100.101: icmp_seq=16 ttl=64 time=1.465 ms
64 bytes from 10.100.100.101: icmp_seq=17 ttl=64 time=1.089 ms
64 bytes from 10.100.100.101: icmp_seq=18 ttl=64 time=0.220 ms
64 bytes from 10.100.100.101: icmp_seq=19 ttl=64 time=0.220 ms
64 bytes from 10.100.100.101: icmp_seq=20 ttl=64 time=0.233 ms
64 bytes from 10.100.100.101: icmp_seq=21 ttl=64 time=0.222 ms
^C
--- 10.100.100.101 ping statistics ---
22 packets transmitted, 

openbsd on nanopi R5C?

2023-04-03 Thread Harald Dunkel

Hi folks,

has anybody succeeded in running OpenBSD on the Nanopi R5C?
https://wiki.friendlyelec.com/wiki/index.php/NanoPi_R5C

I haven't bought the hardware yet. The R5S is in OpenBSD's
supported hardware list on ARM.


Regards
Harri



mg: problem with large directory names and open new file

2023-01-25 Thread Harald Dunkel

Hi folks,

If I have opened a file in a subdirectory with a very long path
(larger than the terminal width) and if I try to open a new file
using ^x^f, then mg seems to be confused.

The long path is cut off in the Find File dialog. Only the
first chars are shown. The filename I enter is not shown while
typing. I have to use ^a^e in the dialog buffer to refresh it.

Do you think the input string in the Find File dialog could
be scrolled horizontally instead?

Terminal is an xterm 80x24. No UTF-8 or other peculiarities are
involved. Sample session:

mkdir -p /tmp/axaxaxaxaxaxax
ls -1a >/tmp/axaxaxaxaxaxax/x1.txt
find . -print >/tmp/axaxaxaxaxaxax/x2.txt
mg /tmp/axaxaxaxaxaxax/x1.txt
# try to open x2.txt using ^x^f


Regards

Harri



mailx in pipeline mode: add fields to the EMail header?

2023-01-03 Thread Harald Dunkel

Hi folks,

is there some way for OpenBSD's mailx (reading an EMail to send from
stdin) to add fields to the EMail header, e.g.

Auto-Submitted: auto-generated

for generated EMails, according to the recommendation in RFC 3834?
Or maybe

Precedence: bulk

Maybe some custom fields like

X-monitoring-severity: disaster
?

This could help to avoid a lot of unnecessary vacation responses,
support automatic filtering, etc.

The mailx command line could be

echo hello | \
mailx -s hello -a "Auto-Submitted: auto-generated" j...@example.com

I thought about making "Auto-Submitted: auto-generated" the default
for reading an EMail from stdin (if it's not a tty), but this might
break existing code.


Regards

Harri



Re: Ctrl key doesn't interrupt boot

2022-11-14 Thread Harald Dunkel

On 2022-11-14 13:54:18, Nick Holland wrote:


Wild guess, but I suspect that your BIOS isn't setting the marker
that /boot uses to see the pressing of the CTRL key on your system
with a USB keyboard.  /boot is pretty much dependent upon your
system BIOS doing The Right Thing, as the OS hasn't loaded yet.
So other than looking at Other Things, I'm not sure there's an
OpenBSD fix for this.


Do you think it would be possible to introduce a 3sec timeout to press
the fabulous "any" key on pc0 to avoid that boot switches over to com0?
Apparently boot can read the USB keyboard if the boot prompt is not
redirected to com0.



Does your machine accept a PS/2 keyboard?  If so, does CTRL work
as expected there?



No PS/2 socket. It's an Axiomtek network appliance.


Regards

Harri



Ctrl key doesn't interrupt boot

2022-11-14 Thread Harald Dunkel

Hi folks,

according to boot(8) holding the Ctrl key is supposed to interrupt
boot before /etc/boot.conf is read. But it doesn't. I see boot's
message on VGA that it switches over to serial (as mentioned in
boot.conf), and then it doesn't boot for a reason I would like to
investigate. The screen stays black.

I am sure that console redirection is turned off in the BIOS.
OpenBSD is version 7.2. USB Keyboard.

Every helpful hint is highly appreciated.


Harri



Re: sysmerge: what is [leave it for later] good for, actually?

2022-10-24 Thread Harald Dunkel

Hi Amit,

On 2022-10-22 18:29:35, Amit Kulkarni wrote:

You chose later, so now do a "doas sysmerge", and merge it now?



Ah, sorry, my bad. Apparently I wasn't root.

Thank you for the hint
Harri



using netstat without terminal

2022-10-22 Thread Harald Dunkel

Hi folks,

would it be possible to fix netstat for 7.3 wrt the assumed screen size,
even if there is no terminal involved? Something like

netstat -f inet6 -ln 

sysmerge: what is [leave it for later] good for, actually?

2022-10-22 Thread Harald Dunkel

Hi folks,

sysmerge noted that I had modified my /etc/newsyslog.conf. Since I
didn't have time for this while other important services were not
merged yet I chose the default [leave it for later].

Problem is, when I came back later (after a reboot), sysmerge didn't
show me that newsyslog.conf still had to be merged. Wouldn't you agree
that this is error-prone? Being "too late" is quite unexpected.


Regards
Harri



"fast" reboot without BIOS involved?

2022-05-30 Thread Harald Dunkel

Hi folks,

would it be possible to add some kind of "fast reboot" to OpenBSD?

* shutdown all userspace
* run boot, using the old kernel to load a new one
* start init again

The "traditional" reboot gives me a downtime of 2 to 3 minutes on
some hosts, before the boot prompt is shown. I would like to avoid
that, esp. after a syspatch.


Regards

Harri



Re: Howto do "a detailed cleanup with the aid of the sysclean package"?

2022-05-03 Thread Harald Dunkel

Hi folks,

I think the main problem is pretty easy to describe: OpenBSD loses track
of what it had installed and cannot clean up its own files on a system
upgrade.


Regards
Harri



Re: Howto do "a detailed cleanup with the aid of the sysclean package"?

2022-04-24 Thread Harald Dunkel

On 2022-04-20 21:25:49, Ryan Kavanagh wrote:

On Wed, Apr 20, 2022 at 08:39:09PM +0200, Harald Dunkel wrote:

sysclean lists 4180 files and directories on my home server

Could you please elaborate how sysclean is going to help me to keep my
openbsd hosts clean? How is the usage model of this tool?


Here's what I do:

1) List all of the directories or files I want sysclean to ignore in
/etc/sysclean.ignore (format is documented in sysclean(8)).



Got that.


2) Run "sysclean" to list all files that are obsolete.



Check.


3) Manually review the output. If it contains files that are not
obsolete, goto 1.



Too many files to be a practical approach. If I knew each
and every file to keep or to throw away, then I wouldn't need sysclean.
Not to mention that an important file or directory for the current
release might become obsolete in a future release. Maintaining
sysclean.ignore is unsustainable. You have to start from scratch
with each release for each host running OpenBSD. That's a lot of
error-prone work.


4) Delete the files / directories listed in sysclean's output.



Won't do.


Regards

Harri



Howto do "a detailed cleanup with the aid of the sysclean package"?

2022-04-20 Thread Harald Dunkel

Hi folks,

the upgrade guide claims

A detailed cleanup can be done with the aid of the sysclean package.

sysclean lists 4180 files and directories on my home server, including mail
directories, config files of various external packages, generated files, .git
directories, etc. A lot of stuff I wouldn't like to lose. Apparently it also
lists a lot of old crap, but since it lists *so many* important files I don't
trust it at all.

Could you please elaborate how sysclean is going to help me to keep my openbsd
hosts clean? How is the usage model of this tool?


Thank you very much in advance
Harri



RC version internal available only?

2022-04-08 Thread Harald Dunkel

Hi folks,

I would like to upgrade to OpenBSD beta on a Zotac O-series PC. I found
the snapshots directory, but the upgrade71 document appears to be missing.
Do you think it could be included into the snapshots directory, next to
the INSTALL.amd64 file, for example? It could encourage more people to try
out the beta.

Just a suggestion, of course.


Regards

Harri



Re: who is writing to a deleted file?

2022-03-21 Thread Harald Dunkel

On 2022-03-18 16:36:18, Janne Johansson wrote:

On Fri 18 Mar 2022 at 16:29, Harald Dunkel wrote:


How can I find out which process is eating up disk space, without
killing it, of course?


fstat(8) can help,

# fstat | sort -n -k 9
to get the largest open file at the bottom, third column is the PID.




Confirmed, thank you very much

Harri



who is writing to a deleted file?

2022-03-18 Thread Harald Dunkel

Hi folks,

something on my gateway (7.0) is hiding disk space, AFAICS:

# du -hs /
3.4G    /
# df -h /
Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd0a     31.5G    5.6G   24.3G    19%    /

How can I find out which process is eating up disk space, without
killing it, of course?


Regards
Harri



Re: pkg_add -u fails with "failed to open CA file '/etc/ssl/cert.pem': Permission denied"

2022-01-24 Thread Harald Dunkel

I highly appreciate the carefulness, but the error message doesn't
indicate a user "_pkgfetch", nor is it mentioned on pkg_add(1).
Please reconsider my suggestion made on 2022-01-14:

> In general, if there is a permission problem due to file system
> access bits, then it would be wise to include euid and egid in
> the error message.

Thank you very much

Harri



Re: pkg_add -u fails with "failed to open CA file '/etc/ssl/cert.pem': Permission denied"

2022-01-18 Thread Harald Dunkel

On 2022-01-17 18:02:25, Marc Espie wrote:


Lol.

cert.pem only contains public certificates. Insisting on only root being
able to read it means you are going to run code as root which doesn't require
it. That seems way more unreasonable than your original assumption.



I am not arguing about the access permissions (which I screwed
up), but I wonder why pkg_add run by root failed with EPERM?
Actually root was the only one *permitted* to access this file.
That's not an error.

If there was another user account involved, then show me.



pkg_add -u fails with "failed to open CA file '/etc/ssl/cert.pem': Permission denied"

2022-01-14 Thread Harald Dunkel



Hi folks,

trying to upgrade the installed packages I get

# pkg_add -u
https://cdn.openbsd.org/pub/OpenBSD/7.0/packages-stable/amd64/: TLS connect failure: failed to open CA file '/etc/ssl/cert.pem': Permission denied
https://cdn.openbsd.org/pub/OpenBSD/7.0/packages/amd64/: TLS connect failure: failed to open CA file '/etc/ssl/cert.pem': Permission denied
https://cdn.openbsd.org/pub/OpenBSD/7.0/packages/amd64/: empty
Couldn't find updates for bash-5.1.8 bzip2-1.0.8p0 ...


How come? I am root. And openssl x509 -in /etc/ssl/cert.pem shows
that I can read the certificate.

This happens on 2 OpenBSD hosts. On 5 others there is no such problem.
All use 7.0. http/tcp and https/tcp are not blocked by some forgotten
pf rules.


Every helpful hint is highly appreciated.

Harri



Re: pkg_add -u fails with "failed to open CA file '/etc/ssl/cert.pem': Permission denied"

2022-01-14 Thread Harald Dunkel

On 2022-01-14 10:42:56, Harald Dunkel wrote:


Hi folks,

trying to upgrade the installed packages I get

# pkg_add -u
https://cdn.openbsd.org/pub/OpenBSD/7.0/packages-stable/amd64/: TLS connect failure: failed to open CA file '/etc/ssl/cert.pem': Permission denied
https://cdn.openbsd.org/pub/OpenBSD/7.0/packages/amd64/: TLS connect failure: failed to open CA file '/etc/ssl/cert.pem': Permission denied
https://cdn.openbsd.org/pub/OpenBSD/7.0/packages/amd64/: empty
Couldn't find updates for bash-5.1.8 bzip2-1.0.8p0 ...


chmod a+rx /etc/ssl

did the trick, but this doesn't look reasonable.

In general, if there is a permission problem due to file system
access bits, then it would be wise to include euid and egid in
the error message.


Harri



Re: did 70-006_x509 break ikectl ca ?

2021-12-15 Thread Harald Dunkel

Hi Tobias,

I kicked out the whole PKI including keys and self-signed certificate
and tried again. The new keys and certificates work, but looking at the
signatures, expiration dates, access rights and all the other usual suspects
the old chain should have worked, too.

It's still unresolved and it might come back.


Regards

Harri

On 2021-12-13 20:28:11, Tobias Heider wrote:

On Sun, Dec 12, 2021 at 10:01:20PM +0100, Harald Dunkel wrote:

Hi folks,

since syspatch 70-006_x509 and a reboot IKEv2 between 2 OpenBSD clusters
(2 hosts on each end, carp interface, passive by default, managed via
sasyncd) appears to be broken. /var/log/messages says

Dec 12 21:40:28 gate5a iked[57676]: spi=0x5a7c2732b4b355e6: ikev2_dispatch_cert: peer certificate is invalid

certificates have been generated using ikectl ca.

How come? I haven't changed the ca or the ike configuration since
6.8.

Unfortunately rolling back the syspatch or issuing new certificates
did not help. I am stuck and desperate.


Every helpful comment is highly appreciated.

Harri


Hi Harald,

I haven't heard of any problems with the syspatch you mention and I didn't
manage to reproduce your problem on my 7.0 machine.  From your description
I'm assuming all four machines are running syspatched 7.0.

Some ideas:
- to verify that this is a libcrypto problem, try
   'openssl verify -CAfile /path/to/ca /path/to/cert' and see if it still fails.
- You are saying newly generated certs don't work. Did you modify
   '/etc/ssl/ikeca.cnf'?  If yes, see if it works with the original config.
- This is just a guess, but there were several changes in recent libcrypto
   versions that made the certificate parsing stricter. Does your cert maybe
   have multiple extensions of the same type (e.g. multiple subjectAltNames)?

This is all I can say without seeing the actual certificates and/or iked log.

- Tobias




--
Dipl.-Ing. Harald Dunkel |
Muehlenbachstr. 3|  keep it simple
52134 Herzogenrath, Germany  |
+49 2407 565 105 |
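Tobias' third suggestion, a certificate carrying the same X509v3 extension more than once, is easy to check mechanically. The function below is an added example, not code from the thread or from LibreSSL: it reads the text form that 'openssl x509 -noout -text' prints and lists every extension name that occurs more than once, relying on the 12-space indentation that openssl uses for extension headers. The names duplicate_extensions and check_cert_extensions are my own.

```shell
#!/bin/sh
# Added example, not from the thread: flag X509v3 extensions that appear more
# than once in the text dump of a certificate. Stricter libcrypto parsers
# reject such certificates, so this is a quick first check before digging
# into iked logs. Reads 'openssl x509 -noout -text' output on stdin.
# Exit status: 0 no duplicates, 1 at least one duplicate (printed).
duplicate_extensions() {
    awk '
        /^ *X509v3 extensions:/   { inext = 1; next }
        /^ *Signature Algorithm:/ { inext = 0 }
        inext {
            # Extension names are indented exactly 12 spaces; their values
            # sit deeper, so measure the leading run of spaces.
            match($0, /^ */)
            if (RLENGTH != 12) next
            name = $0
            sub(/^ +/, "", name)
            sub(/:.*$/, "", name)     # drop the trailing ":" or ": critical"
            count[name]++
        }
        END {
            rc = 0
            for (n in count)
                if (count[n] > 1) {
                    printf "%s (%d times)\n", n, count[n]
                    rc = 1
                }
            exit rc
        }'
}

# Convenience wrapper for a PEM file on disk; needs openssl(1) in PATH.
check_cert_extensions() {
    openssl x509 -in "$1" -noout -text | duplicate_extensions
}
```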



did 70-006_x509 break ikectl ca ?

2021-12-12 Thread Harald Dunkel

Hi folks,

since syspatch 70-006_x509 and a reboot IKEv2 between 2 OpenBSD clusters
(2 hosts on each end, carp interface, passive by default, managed via
sasyncd) appears to be broken. /var/log/messages says

Dec 12 21:40:28 gate5a iked[57676]: spi=0x5a7c2732b4b355e6: ikev2_dispatch_cert: peer certificate is invalid

certificates have been generated using ikectl ca.

How come? I haven't changed the ca or the ike configuration since
6.8.

Unfortunately rolling back the syspatch or issuing new certificates
did not help. I am stuck and desperate.


Every helpful comment is highly appreciated.

Harri



Re: use pfctl to reread /etc/mail/spamd-white table

2021-10-29 Thread Harald Dunkel

On 2021-10-28 12:06:24, Zé Loff wrote:


 From the man page:

 For the add, delete, replace, and test commands, the list of
 addresses can be specified either directly on the command
 line and/or in an unformatted text file, using the -f flag.

So:

 pfctl -t spamd-white -T add -f /etc/mail/spamd-white

should do it.




I am deeply sorry; I was too blind to see. Thank you very much
for the pointer.

Regards
Harri



use pfctl to reread /etc/mail/spamd-white table

2021-10-28 Thread Harald Dunkel

Hi folks,

my pf.conf contains

table <spamd-white> persist file "/etc/mail/spamd-white"

I understand that I can add and delete hosts from the table manually
later, but on very large tables this is pretty painful. There is a high
risk that the table has just been flushed and is not up-to-date yet,
while the next EMail comes in.

Would it be possible to add some magic to pfctl -T to reread the whole
table from file and hand it off to pf in an atomic operation?


Regards
Harri



improving wireguard debug & monitor capabilities?

2021-10-20 Thread Harald Dunkel

Hi folks,

if I turn on debugging for wg0, then I get a lot of lines
in /var/log/messages like

:
Oct 20 10:23:50 wggate /bsd: wg0: Handshake for peer 5 did not complete after 5 seconds, retrying (try 11)
Oct 20 10:23:51 wggate /bsd: wg0: Receiving keepalive packet from peer 8
Oct 20 10:23:55 wggate /bsd: wg0: Handshake for peer 5 did not complete after 5 seconds, retrying (try 12)
Oct 20 10:23:55 wggate /bsd: wg0: Sending handshake initiation to peer 5
Oct 20 10:24:00 wggate /bsd: wg0: Handshake for peer 5 did not complete after 5 seconds, retrying (try 13)
Oct 20 10:24:05 wggate /bsd: wg0: Handshake for peer 5 did not complete after 5 seconds, retrying (try 14)
Oct 20 10:24:05 wggate /bsd: wg0: Sending handshake initiation to peer 5
Oct 20 10:24:06 wggate /bsd: wg0: Receiving handshake initiation from peer 8
Oct 20 10:24:06 wggate /bsd: wg0: Sending handshake response to peer 8
Oct 20 10:24:06 wggate /bsd: wg0: Receiving keepalive packet from peer 8
Oct 20 10:24:06 wggate /bsd: wg0: Sending keepalive packet to peer 8
Oct 20 10:24:10 wggate /bsd: wg0: Handshake for peer 5 did not complete after 5 seconds, retrying (try 15)
Oct 20 10:24:10 wggate /bsd: wg0: Sending handshake initiation to peer 5
Oct 20 10:24:16 wggate /bsd: wg0: Handshake for peer 5 did not complete after 5 seconds, retrying (try 16)
Oct 20 10:24:16 wggate /bsd: wg0: Sending keepalive packet to peer 8
Oct 20 10:24:18 wggate /bsd: wg0: Receiving handshake initiation from peer 1
Oct 20 10:24:18 wggate /bsd: wg0: Sending handshake response to peer 1
Oct 20 10:24:21 wggate /bsd: wg0: Handshake for peer 5 did not complete after 5 seconds, retrying (try 17)
Oct 20 10:24:21 wggate /bsd: wg0: Sending handshake initiation to peer 5
Oct 20 10:24:22 wggate /bsd: wg0: Receiving handshake initiation from peer 1
Oct 20 10:24:22 wggate /bsd: wg0: Sending handshake response to peer 1
Oct 20 10:24:22 wggate /bsd: wg0: Receiving keepalive packet from peer 1
Oct 20 10:24:22 wggate /bsd: wg0: Sending keepalive packet to peer 1
Oct 20 10:24:26 wggate /bsd: wg0: Handshake for peer 5 did not complete after 5 seconds, retrying (try 18)
Oct 20 10:24:26 wggate /bsd: wg0: Sending handshake initiation to peer 5
Oct 20 10:24:31 wggate /bsd: wg0: Handshake for peer 5 did not complete after 5 seconds, retrying (try 19)
Oct 20 10:24:31 wggate /bsd: wg0: Sending handshake initiation to peer 5
Oct 20 10:24:36 wggate /bsd: wg0: Handshake for peer 5 did not complete after 5 seconds, retrying (try 20)
Oct 20 10:24:36 wggate /bsd: wg0: Sending handshake initiation to
Oct 20 10:24:41 wggate /bsd: wg0: Receiving keepalive packet from peer 5
Oct 20 10:24:41 wggate /bsd: wg0: Receiving handshake initiation from peer 5
Oct 20 10:24:41 wggate /bsd: wg0: Sending handshake response to peer 5
Oct 20 10:24:41 wggate /bsd: wg0: Receiving keepalive packet from peer 5
Oct 20 10:24:41 wggate /bsd: wg0: Sending keepalive packet to peer 5
Oct 20 10:24:41 wggate /bsd: wg0: Sending keepalive packet to peer 8
Oct 20 10:24:58 wggate /bsd: wg0: Receiving keepalive packet from peer 8
Oct 20 10:24:59 wggate /bsd: wg0: Receiving keepalive packet from peer 1
Oct 20 10:25:12 wggate /bsd: wg0: Receiving keepalive packet from peer 8
Oct 20 10:25:22 wggate /bsd: wg0: Receiving handshake initiation from peer 14
Oct 20 10:25:22 wggate /bsd: wg0: Sending handshake response to peer 14
Oct 20 10:25:22 wggate /bsd: wg0: Receiving keepalive packet from peer 14
Oct 20 10:25:22 wggate /bsd: wg0: Sending keepalive packet to peer 14
Oct 20 10:25:37 wggate /bsd: wg0: Receiving keepalive packet from peer 8
Oct 20 10:25:54 wggate /bsd: wg0: Receiving keepalive packet from peer 8
Oct 20 10:25:57 wggate /bsd: wg0: Receiving keepalive packet from peer 1
:

Sorry to say, but this is pretty much useless, esp on a wireguard VPN
gateway. wireguard itself appears to be rock-solid. If there is something
to debug, then it's either the key pair, or the network connection to the
road-warrior, but without remote IP address/port number this is really
challenging.

Would it be possible to replace

Oct 20 10:24:59 wggate /bsd: wg0: Receiving keepalive packet from peer 1
by
Oct 20 10:24:59 wggate /bsd: wg0: [:] Receiving keepalive 
packet from peer 1

in the DPRINTF macro (if_wg.c)?

My favorite would be some extended monitoring for wireguard, showing a
short hash of the peer's public key next to the ip address/port number
with some information like "connection established", "disconnected",
"no keepalive", "reconnecting from a different IP", etc. Something that
could help to support and monitor a VPN gateway for (lets say) >100 road-
warriors.


Thank you very much in advance

Harri
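Until the kernel log carries the remote address, the per-peer state the post asks for can at least be reconstructed from the existing debug lines. The function below is an added example, not code from the thread or from if_wg.c: it reads /var/log/messages-style lines on stdin and prints one line per peer with its handshake state, retry count, highest "try" number, keepalive count and last timestamp. It skips non-wg lines and the truncated "Sending handshake initiation to" line without a peer number that appears in the log above. The name wg_peer_summary is my own.

```shell
#!/bin/sh
# Added example, not from the thread: summarise wg(4) debug lines per peer.
# Output, one line per peer, sorted by peer number:
#   peer <n> <state> retries=<k> maxtry=<t> keepalives=<c> last=<hh:mm:ss>
# state is "failing" (handshake retries not yet answered), "pending"
# (initiation seen, no response yet) or "up" (response or keepalive seen).
wg_peer_summary() {
    awk '
        # Keep only kernel lines for a wg interface: "... /bsd: wg0: <msg>".
        $5 != "/bsd:" || $6 !~ /^wg[0-9]+:$/ { next }
        {
            msg = $0
            sub(/^.*wg[0-9]+: /, "", msg)
            # Lines without a peer number (e.g. a truncated one) carry
            # nothing we can attribute, so skip them.
            if (!match(msg, /peer [0-9]+/)) next
            p = substr(msg, RSTART + 5, RLENGTH - 5)
            last[p] = $3
            if (!(p in state)) {
                state[p] = "pending"
                retries[p] = 0; maxtry[p] = 0; keep[p] = 0
            }
        }
        msg ~ /did not complete .* retrying/ {
            retries[p]++
            if (match(msg, /\(try [0-9]+\)/)) {
                t = substr(msg, RSTART + 5, RLENGTH - 6) + 0
                if (t > maxtry[p]) maxtry[p] = t
            }
            state[p] = "failing"
        }
        # A response we sent, or a keepalive in either direction, means the
        # session keys are in place.
        msg ~ /^Sending handshake response/ { state[p] = "up" }
        msg ~ /keepalive packet/ { keep[p]++; state[p] = "up" }
        END {
            for (p in state)
                printf "peer %s %s retries=%d maxtry=%d keepalives=%d last=%s\n",
                    p, state[p], retries[p], maxtry[p], keep[p], last[p]
        }' | sort -k2,2n
}
```

A peer still reported as "failing" at the end of the window is the one whose key pair or network path deserves a look; "up" peers with a large retries count show how long that took.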



Re: Can't figure out what's taking up space on /

2021-08-09 Thread Harald Dunkel

On 8/5/21 11:13 AM, Bastien Durel wrote:


Since then, I put the mount points directories immutable (before mount)

fremen# mkdir /tmp/foo
fremen# chflags schg /tmp/foo
fremen# touch /tmp/foo/bar
touch: /tmp/foo/bar: Operation not permitted
fremen# ls -loa /tmp/foo
total 8
drwxr-xr-x   2 root  wheel  schg 512 Aug  5 11:01 .
drwxrwxrwt  14 root  wheel  -512 Aug  5 11:01 ..
fremen# mount /dev/vnd0a /tmp/foo/
fremen# touch /tmp/foo/bar
fremen# ls -lao /tmp/foo/
total 8
drwxr-xr-x   2 root  wheel  - 512 Aug  5 11:10 .
drwxrwxrwt  14 root  wheel  - 512 Aug  5 11:10 ..
-rw-r--r--   1 root  wheel  -   0 Aug  5 11:10 bar

Regards,



Cool idea

Harri



pf question: IPv6 prefix changed, how to tell pf?

2021-07-23 Thread Harald Dunkel

Hi folks,

Deutsche Telekom gives me a new /56 prefix for my internal net and
a new /64 prefix for the external connection on every reboot of my
modem. The old internal prefix is not routed anymore. Question is,
how can I tell pf to use the new prefix? 

There are a few constants in my pf.conf file, e.g.

myhost = "{ 2001:db8:1f21:1c03:123:4567:89ab:cdef ... }"

Currently they have to be edited on every prefix change. Workaround
is to regenerate pf.conf from a template or to use pfctl to modify
some tables on the fly, but actually I would like to write something
like
p1 = (re1:prefix)
myhost = "{ $p1::123:4567:89ab:cdef ... }"

in my pf.conf.

The man page mentions "prefix" only for address family translation
(please excuse if I am too blind to see), so I wonder what is best
practice here?


Regards
Harri



Re: 6.9 regression: opensmtpd complains "smtp cert-check result=\"no certificate presented\""

2021-06-22 Thread Harald Dunkel

On 6/21/21 5:42 PM, naib+li...@xn--bimann-cta.de wrote:

You wrote:

since the upgrade to 6.9 at the weekend opensmtpd complains
smtp cert-check result="no certificate presented"
for incoming EMails.

Again, this is just a notification from the server, that no client
certificates were sent in case of client tls authentication.


Wouldn't you agree that this message is misleading? The current
message doesn't tell whose certificate is missing. Instead, I
would suggest to write something like

peer did not authenticate via client certificate

into the log file.


This
has nothing to do with your second issue:

Diagnostic-Code: X-Postfix; TLS is required, but was not offered by host
mail.example.de

I'd say that you can safely ignore the previous message.

Instead, I'd suggest trying to debug OpenSMTPD with -dT all (or -dT
transfer) and look at the output. If there is something wrong with
your certs or config, it'll be shown there.



OK, I will check. Thanks very much for your help


Regards
Harri



Re: 6.9 regression: opensmtpd complains "smtp cert-check result=\"no certificate presented\""

2021-06-21 Thread Harald Dunkel

PS: The peer is very picky wrt TLS, that's why this is an
important problem. The peer log file shows

:
Diagnostic-Code: X-Postfix; TLS is required, but was not offered by host
mail.example.de[10.145.142.10]
Return-Path: 
Received: from mout01.posteo.de (unknown [10.0.0.65])
by mout01.posteo.de (Postfix) with ESMTPS id CDAFB1A014F
for ; Mon, 21 Jun 2021 10:31:44 +0200 
(CEST)
:

So how come my MTA suddenly does not offer TLS, even though the
listen lines say

xname = "mail.example.de"

pki $xname cert "/etc/ssl/public/mail.example.de.chain.pem"
pki $xname key "/etc/ssl/private/smtpd.key.pem"
pki $xname dhe auto

listen on lo0   tls pki $xname
listen on internal  tls pki $xname
listen on external  tls pki $xname


Regards
Harri



Re: 6.9 regression: opensmtpd complains "smtp cert-check result=\"no certificate presented\""

2021-06-21 Thread Harald Dunkel

On 6/21/21 12:52 PM, n...@xn--bimann-cta.de wrote:

since the upgrade to 6.9 at the weekend opensmtpd complains
smtp cert-check result="no certificate presented"
for incoming EMails. opensmtpd.conf and the certificate chain


Hello.
This is because clients are not providing a tls client certificate
for authentication. See:
https://www.mail-archive.com/misc@opensmtpd.org/msg05280.html



Looking at my certificate I see

X509v3 extensions:
X509v3 Authority Key Identifier:

keyid:0F:80:61:1C:82:31:61:D5:2F:28:E7:8D:46:38:B4:2C:E1:C6:D9:E2

X509v3 Subject Key Identifier:
F7:5D:C6:13:97:9B:F8:D4:49:9E:EC:36:E1:B3:26:C2:12:BD:D2:8C

X509v3 Subject Alternative Name:
DNS:*.example.de, DNS:example.de, DNS:mail.example.de
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
:

Looks fine to me. Not to mention that it did work for OpenBSD 6.8, using
the same certificate chain and looking at the same 2 MTAs. OpenBSD 6.8:

:
Jun 13 07:28:31 gate5a smtpd[28825]: 5b12b1c3d9362d18 smtp connected address=199.185.178.25 host=mail.openbsd.org
Jun 13 07:28:32 gate5a smtpd[28825]: 5b12b1c3d9362d18 smtp tls ciphers=TLSv1.3:AEAD-AES256-GCM-SHA384:256
Jun 13 07:28:33 gate5a smtpd[28825]: 5b12b1c3d9362d18 smtp message msgid=b493cde6 size=5248 nrcpt=1 proto=ESMTP
Jun 13 07:28:33 gate5a smtpd[28825]: 5b12b1c3d9362d18 smtp envelope evpid=b493cde6b4306880 from= to=
Jun 13 07:28:43 gate5a smtpd[28825]: 5b12b1c3d9362d18 smtp disconnected reason=quit
:

OpenBSD 6.9:
:
Jun 21 15:08:29 gate5a smtpd[5083]: dd4992e9e4b2a33d smtp connected address=199.185.178.25 host=mail.openbsd.org
Jun 21 15:08:30 gate5a smtpd[5083]: dd4992e9e4b2a33d smtp tls ciphers=TLSv1.3:AEAD-AES256-GCM-SHA384:256
Jun 21 15:08:30 gate5a smtpd[5083]: dd4992e9e4b2a33d smtp cert-check result="no certificate presented"
Jun 21 15:08:31 gate5a smtpd[5083]: dd4992e9e4b2a33d smtp message msgid=acf4c26b size=2087 nrcpt=1 proto=ESMTP
Jun 21 15:08:31 gate5a smtpd[5083]: dd4992e9e4b2a33d smtp envelope evpid=acf4c26b733f72fa from= to=
Jun 21 15:08:41 gate5a smtpd[5083]: dd4992e9e4b2a33d smtp disconnected reason=quit
:


?


Every helpful comment is highly appreciated

Harri



6.9 regression: opensmtpd complains "smtp cert-check result=\"no certificate presented\""

2021-06-21 Thread Harald Dunkel

Hi folks,

since the upgrade to 6.9 at the weekend opensmtpd complains

smtp cert-check result="no certificate presented"

for incoming EMails. opensmtpd.conf and the certificate chain
hasn't changed. There is only a single MX defined in DNS (for
both "example.com" and "example.de"), matching the certificate.

The FAQs for the openbsd upgrade state for opensmtpd

Configurations that use only a single certificate do not need updating.


Did I miss something here? Every helpful comment is highly appreciated.

Harri

# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

# https://man.openbsd.org/OpenBSD-6.9/smtpd.conf.5

xname = "mail.example.de"

pki $xname cert "/etc/ssl/public/mail.example.de.chain.pem"
pki $xname key "/etc/ssl/private/smtpd.key.pem"
pki $xname dhe auto
#
# ca can be used to introduce another root CA authority. Intermediate
# certs should be appended to the client certificate, instead.
#
# ca $xname cert "/etc/ssl/public/DigiCertCA.crt"

listen on lo0   tls pki $xname
listen on internal  tls pki $xname
listen on external  tls pki $xname

smtp max-message-size 128M

table aliases db:/etc/mail/aliases.db

#
# permitted hosts: srvvm01, gate4a/b
table trusted_mta {192.168.96.11 192.168.96.22 192.168.98.246 192.168.98.248 }

table at_example{"@example.de", "@example.com"}
table example   {"example.de", "example.com"}
table spf_protection_outlook_com
file:/etc/mail/spf_protection_outlook_com
table external_mta  file:/etc/mail/external_mta

action "local"  mbox alias 
action "relay_example"  relay host smtp://mailhost.ac.example.de helo 
"mail.example.de"
action "relay_external" relay src { 10.145.142.10 
2001:db8:13b0:::60 } helo "mail.example.de"

#
# first match wins, default is to reject.
#
# "from local" and "for local" are the defaults, but it is good practice to not
# omit these statements.
#
match from localfor local   
action "local"
match from localfor domain 
action "relay_example"
match from localfor any 
action "relay_external"

match from src for domain 
action "relay_example"
match from src  for domain 
action "relay_example"
match from srcfor domain 
action "relay_example"
match from src for any 
action "relay_external"

match from any mail-fromfor any 
reject
match from any  for domain 
action "relay_example"

# the rest is rejected by default
match from any for any reject


Re: 6.9 + 001: uvm_fault

2021-05-26 Thread Harald Dunkel

On 5/17/21 12:27 AM, Antonino Sidoti wrote:

Hi,

I also have this issue on a fresh install of 6.9 amd64. I reported it as a bug 
last week to “bugs” mail list with all appropriate information. I can confirm 
that plugging in a monitor will allow my system to boot. I did not have the 001 
patch installed.



I have sent a "me too" on this list, but there was no response.

If OpenBSD becomes unreliable on such basic tasks as a reboot
after installing the most recent security patches, this won't
make OpenBSD more popular.


Regards
Harri



6.9 + 001: uvm_fault

2021-05-16 Thread Harald Dunkel

Hi folks,

after installing syspatch 001 the reboot showed:

:
scsibus3 at softraid0: 256 targets
root on sd0a (614daaae133f0ac5.a) swap on sd0b dump on sd0b
uvm_fault(0x82186300, 0xb8, 0, 1) -> e
kernel: page fault trap, code=0
Stopped at  i915_ggtt_pin+0x29: movq0xb8(%rdi),%r12
ddb{0}>
ddb{0}> show panic
kernel page fault
uvm_fault(0x82186300, 0xb8, 0, 1) -> e
i915_ggtt_pin(0,1,20) at i915_ggtt_pin+0x29
end trace frame: 0x8252dbf0, count: 0
ddb{0}> trace
i915_ggtt_pin(0,1,20) at i915_ggtt_pin+0x29
gen6_ppgtt_pin(8061fc00) at gen6_ppgtt_pin+0x7c
__intel_context_do_pin(fd827bfc3c00) at __intel_context_do_pin+0xca
intel_engines_init(8010bc38) at intel_engines_init+0x4b5
intel_gt_init(8010bc38) at intel_gt_init+0x130
i915_gem_init(80107000) at i915_gem_init+0xa3
i915_driver_probe(80107000,81fe0e40) at i915_driver_probe+0x7ed

inteldrm_attachhook(80107000) at inteldrm_attachhook+0x43
config_process_deferred_mountroot() at config_process_deferred_mountroot+0x6b
main(0) at main+0x733
end trace frame: 0x0, count: -10
ddb{0}> show registers
rdi0
rsi  0x1__ALIGN_SIZE+0xf000
rbp   0x8252dbb0end+0x12dbb0
rbx   0x80645340
rdx 0x20
rcx   0x82185964proc0+0x4
rax0
r8  0x11
r90x82046210rw_ops+0x10
r10   0x
r11   0x1b5e3813e69555ca
r12   0xfffc
r13   0xfffc
r14   0x8061fc00
r15 0x20
rip   0x8166db89i915_ggtt_pin+0x29
cs   0x8
rflags   0x10286__ALIGN_SIZE+0xf286
rsp   0x8252db50end+0x12db50
ss  0x10
i915_ggtt_pin+0x29: movq0xb8(%rdi),%r12



The next reboot got stuck before entering the debugger:

ddb{0}> boot reboot
rebooting...
boot>
NOTE: random seed is being reused.
booting hd0a:/bsd: 14415144+3220488+34+0+1171456 
[1008375+128+1145856+866050]=0x1526a80
entry point at 0x81001000
[ using 3021440 bytes of bsd ELF symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2021 OpenBSD. All rights reserved.  https://www.OpenBSD.org

OpenBSD 6.9 (GENERIC.MP) #473: Mon Apr 19 10:40:28 MDT 2021
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8478871552 (8086MB)
avail mem = 8206532608 (7826MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.0 @ 0xecef0 (51 entries)
bios0: vendor American Megatrends Inc. version "5.11" date 04/08/2016
bios0: Default string Default string
acpi0 at bios0: ACPI 5.0
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP APIC FPDT FIDT MCFG SSDT SSDT SSDT UEFI LPIT CSRT
acpi0: wakeup devices BRC1(S0) XHC1(S4) HDEF(S4) RP01(S4) PXSX(S4) RP02(S4) 
PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) PXSX(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) CPU N3160 @ 1.60GHz, 1600.37 MHz, 06-4c-04
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,TSC_ADJUST,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
cpu0: 1MB 64b/line 16-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 80MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.0.0.0.3.3, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Celeron(R) CPU N3160 @ 1.60GHz, 1599.95 MHz, 06-4c-04
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,TSC_ADJUST,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
cpu1: 1MB 64b/line 16-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Celeron(R) CPU N3160 @ 1.60GHz, 1599.97 MHz, 06-4c-04
cpu2: 

Re: 6.9 + 001: uvm_fault

2021-05-16 Thread Harald Dunkel

And another attempt, see attachment.

Seems I have to power cycle to make it boot.


Regards
Harri

OpenBSD/amd64 (redgatea.red.aixigo.de) (tty00)

login: root
Password:
Last login: Sun May 16 11:45:27 on ttyp0 from 2a00:fe0:30:60::7a
OpenBSD 6.8 (GENERIC.MP) #5: Mon Feb 22 04:36:10 MST 2021

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

You have mail.
redgatea# sysupgrade
Fetching from https://cdn.openbsd.org/pub/OpenBSD/6.9/amd64/
SHA256.sig   100% |*|  2144   00:00
Signature Verified
INSTALL.amd64 100% || 43523   00:00
base69.tgz   100% |*|   291 MB00:16
bsd  100% |*| 20423 KB00:02
bsd.mp   100% |*| 20515 KB00:02
bsd.rd   100% |*|  4107 KB00:01
comp69.tgz   100% |*| 85958 KB00:06
game69.tgz   100% |*|  2741 KB00:00
man69.tgz100% |*|  7560 KB00:01
xbase69.tgz  100% |*| 29789 KB00:03
xfont69.tgz  100% |*| 39342 KB00:04
xserv69.tgz  100% |*| 18351 KB00:02
xshare69.tgz 100% |*|  4502 KB00:01
Verifying sets.
Fetching updated firmware.
Upgrading.
stopping package daemons: dnsmasq zabbix_agentd.
syncing disks... done
carp: carp0 demoted group carp by 1 to 1 (carpdev)
carp: carp0 demoted group external by 1 to 1 (carpdev)
carp: carp0 demoted group externalcarp by 1 to 1 (carpdev)
carp: carp0 demoted group egress by 1 to 1 (carpdev)
carp: carp1 demoted group carp by 1 to 2 (carpdev)
carp: carp1 demoted group internal by 1 to 1 (carpdev)
carp: carp2 demoted group carp by 1 to 3 (carpdev)
carp: carp2 demoted group yellow by 1 to 1 (carpdev)
rebooting...
>> OpenBSD/amd64 BOOT 3.52
boot> 
booting hd0a:/bsd.upgrade: 3818189+1590272+3878376+0+704512 
[109+288+28]=0x989530
entry point at 0x81001000
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2021 OpenBSD. All rights reserved.  https://www.OpenBSD.org

OpenBSD 6.9 (RAMDISK_CD) #456: Mon Apr 19 10:47:37 MDT 2021
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
real mem = 8478871552 (8086MB)
avail mem = 8217878528 (7837MB)
random: good seed from bootblocks
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.0 @ 0xecef0 (51 entries)
bios0: vendor American Megatrends Inc. version "5.11" date 04/08/2016
bios0: Default string Default string
acpi0 at bios0: ACPI 5.0
acpi0: tables DSDT FACP APIC FPDT FIDT MCFG SSDT SSDT SSDT UEFI LPIT CSRT
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) CPU N3160 @ 1.60GHz, 1680.44 MHz, 06-4c-04
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,TSC_ADJUST,SMEP,ERMS,SENSOR,ARAT,MELTDOWN
cpu0: 1MB 64b/line 16-way L2 cache
cpu0: apic clock running at 79MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.0.0.0.3.3, IBE
cpu at mainbus0: not configured
cpu at mainbus0: not configured
cpu at mainbus0: not configured
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 115 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (RP01)
acpiprt2 at acpi0: bus 2 (RP02)
acpiprt3 at acpi0: bus 3 (RP03)
acpiprt4 at acpi0: bus 4 (RP04)
acpiec0 at acpi0: not present
acpicmos0 at acpi0
acpipci0 at acpi0 PCI0: 0x0004 0x0011 0x0001
"INTCF1C" at acpi0 not configured
"PNP0C0E" at acpi0 not configured
"PNP0C0B" at acpi0 not configured
acpicpu at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpitz at acpi0 not configured
cpu0: using Silvermont MDS workaround
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Braswell Host" rev 0x35

Re: 6.9 + 001: uvm_fault

2021-05-16 Thread Harald Dunkel

PS: The next power cycle went fine, see attachment.

Regards
Harri

boot> 
NOTE: random seed is being reused.
booting hd0a:/bsd: 14415144+3220488+34+0+1171456 
[1008375+128+1145856+866050]=0x1526a80
entry point at 0x81001000
[ using 3021440 bytes of bsd ELF symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2021 OpenBSD. All rights reserved.  https://www.OpenBSD.org

OpenBSD 6.9 (GENERIC.MP) #473: Mon Apr 19 10:40:28 MDT 2021
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8478871552 (8086MB)
avail mem = 8206532608 (7826MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.0 @ 0xecef0 (51 entries)
bios0: vendor American Megatrends Inc. version "5.11" date 04/08/2016
bios0: Default string Default string
acpi0 at bios0: ACPI 5.0
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP APIC FPDT FIDT MCFG SSDT SSDT SSDT UEFI LPIT CSRT
acpi0: wakeup devices BRC1(S0) XHC1(S4) HDEF(S4) RP01(S4) PXSX(S4) RP02(S4) 
PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) PXSX(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) CPU N3160 @ 1.60GHz, 1680.41 MHz, 06-4c-04
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,TSC_ADJUST,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
cpu0: 1MB 64b/line 16-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 80MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.0.0.0.3.3, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Celeron(R) CPU N3160 @ 1.60GHz, 1679.95 MHz, 06-4c-04
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,TSC_ADJUST,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
cpu1: 1MB 64b/line 16-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Celeron(R) CPU N3160 @ 1.60GHz, 1599.97 MHz, 06-4c-04
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,TSC_ADJUST,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
cpu2: 1MB 64b/line 16-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Celeron(R) CPU N3160 @ 1.60GHz, 1599.96 MHz, 06-4c-04
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,TSC_ADJUST,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
cpu3: 1MB 64b/line 16-way L2 cache
cpu3: smt 0, core 3, package 0
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 115 pins
acpimcfg0 at acpi0
acpimcfg0: addr 0xe000, bus 0-255
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (RP01)
acpiprt2 at acpi0: bus 2 (RP02)
acpiprt3 at acpi0: bus 3 (RP03)
acpiprt4 at acpi0: bus 4 (RP04)
acpiec0 at acpi0: not present
acpicmos0 at acpi0
acpipci0 at acpi0 PCI0: 0x0004 0x0011 0x0001
"INTCF1C" at acpi0 not configured
acpibtn0 at acpi0: SLPB
"PNP0C0B" at acpi0 not configured
acpicpu0 at acpi0: C1(@1 halt!), PSS
acpicpu1 at acpi0: C1(@1 halt!), PSS
acpicpu2 at acpi0: C1(@1 halt!), PSS
acpicpu3 at acpi0: C1(@1 halt!), PSS
acpipwrres0 at acpi0: ID3C, resource for ISP3
acpipwrres1 at acpi0: CLK0, resource for CAMD
acpipwrres2 at acpi0: CLK0, resource for CAM1
acpipwrres3 at acpi0: CLK1, resource for CAM2, CAM3
acpipwrres4 at acpi0: USBC, resource for XHC1
acpipwrres5 at acpi0: FN00, resource for FAN0
acpitz0 at acpi0: critical temperature is 95 degC
acpivideo0 at acpi0: GFX0
acpivout0 at acpivideo0: DD1F
cpu0: using VERW MDS workaround
cpu0: Enhanced SpeedStep 1680 MHz: speeds: 1601, 1600, 1520, 1440, 1360, 1280, 
1200, 1120, 1040, 960, 880, 800, 720, 640, 560, 480 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Braswell Host" rev 0x35
inteldrm0 at pci0 dev 2 function 0 "Intel HD Graphics" rev 0x35
drm0 at inteldrm0
inteldrm0: msi, CHERRYVIEW, gen 8
ahci0 at pci0 dev 19 function 0 "Intel Braswell AHCI" rev 0x35: msi, AHCI 

Re: 6.9 + 001: uvm_fault

2021-05-16 Thread Harald Dunkel

PPS: I got a similar panic on another host after installing syspatch
001, see attachment.

Regards
Harri
Last login: Sat May 15 21:46:44 on ttyp0 from 2a00:fe0:30:60::7a
OpenBSD 6.8 (GENERIC.MP) #5: Mon Feb 22 04:36:10 MST 2021

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

You have mail.
redgatea# syspatch  
redgatea# sysupgrade
Fetching from https://cdn.openbsd.org/pub/OpenBSD/6.9/amd64/
SHA256.sig   100% |*|  2144   00:00
Signature Verified
INSTALL.amd64 100% || 43523   00:00
base69.tgz   100% |*|   291 MB00:15
bsd  100% |*| 20423 KB00:02
bsd.mp   100% |*| 20515 KB00:03
bsd.rd   100% |*|  4107 KB00:00
comp69.tgz   100% |*| 85958 KB00:06
game69.tgz   100% |*|  2741 KB00:00
man69.tgz100% |*|  7560 KB00:01
xbase69.tgz  100% |*| 29789 KB00:03
xfont69.tgz  100% |*| 39342 KB00:04
xserv69.tgz  100% |*| 18351 KB00:02
xshare69.tgz 100% |*|  4502 KB00:00
Verifying sets.
Fetching updated firmware.
vmm-firmware-1.11.0p2->1.11.0p3: ok
intel-firmware-20200508v0->20200616v0: ok
inteldrm-firmware-20181218->20200421: ok
Read shared items: ok
Upgrading.
stopping package daemons: dnsmasq zabbix_agentd.
syncing disks... done
carp: carp0 demoted group carp by 1 to 1 (carpdev)
carp: carp0 demoted group external by 1 to 1 (carpdev)
carp: carp0 demoted group externalcarp by 1 to 1 (carpdev)
carp: carp0 demoted group egress by 1 to 1 (carpdev)
carp: carp1 demoted group carp by 1 to 2 (carpdev)
carp: carp1 demoted group internal by 1 to 1 (carpdev)
carp: carp2 demoted group carp by 1 to 3 (carpdev)
carp: carp2 demoted group yellow by 1 to 1 (carpdev)
rebooting...
>> OpenBSD/amd64 BOOT 3.52
boot> 
booting hd0a:/bsd.upgrade: 3818189+1590272+3878376+0+704512 
[109+288+28]=0x989530
entry point at 0x81001000
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2021 OpenBSD. All rights reserved.  https://www.OpenBSD.org

OpenBSD 6.9 (RAMDISK_CD) #456: Mon Apr 19 10:47:37 MDT 2021
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/RAMDISK_CD
real mem = 8478871552 (8086MB)
avail mem = 8217878528 (7837MB)
random: good seed from bootblocks
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.0 @ 0xecef0 (51 entries)
bios0: vendor American Megatrends Inc. version "5.11" date 04/08/2016
bios0: Default string Default string
acpi0 at bios0: ACPI 5.0
acpi0: tables DSDT FACP APIC FPDT FIDT MCFG SSDT SSDT SSDT UEFI LPIT CSRT
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) CPU N3160 @ 1.60GHz, 1600.33 MHz, 06-4c-04
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,TSC_ADJUST,SMEP,ERMS,SENSOR,ARAT,MELTDOWN
cpu0: 1MB 64b/line 16-way L2 cache
cpu0: apic clock running at 79MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.0.0.0.3.3, IBE
cpu at mainbus0: not configured
cpu at mainbus0: not configured
cpu at mainbus0: not configured
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 115 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (RP01)
acpiprt2 at acpi0: bus 2 (RP02)
acpiprt3 at acpi0: bus 3 (RP03)
acpiprt4 at acpi0: bus 4 (RP04)
acpiec0 at acpi0: not present
acpicmos0 at acpi0
acpipci0 at acpi0 PCI0: 0x0004 0x0011 0x0001
"INTCF1C" at acpi0 not configured
"PNP0C0E" at acpi0 not configured
"PNP0C0B" at acpi0 not configured
acpicpu at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpitz at acpi0 not configured
cpu0: using Silvermont MDS workaround
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Braswell Host" rev 0x35
vga1 at pci0 dev 2 

Re: ifconfig problem with >10 wireguard peers

2021-04-08 Thread Harald Dunkel

On 4/7/21 7:44 PM, Stuart Henderson wrote:

On 2021-04-07, Harald Dunkel  wrote:


Do you think it would be possible to increase this limitation to
(let's say) 253?


I don't see that here:



Sorry, my bad. Some lines in my hostname.wg0 were commented out. I
didn't notice.

We are evaluating wireguard on an OpenBSD gateway in a road-warrior
setup for almost 3 months by now. It works very well.


Regards
Harri



ifconfig problem with >10 wireguard peers

2021-04-07 Thread Harald Dunkel

Hi folks,

apparently ifconfig (openbsd 6.8) shows only 10 wireguard peers
for wg0, even if hostname.wg0 defines 12 peers. This is pretty
painful.

Do you think it would be possible to increase this limitation to
(let's say) 253?


Thank you very much in advance
Harri



Re: pflogd write /var/run/mypflogdinstance.pid?

2020-12-13 Thread Harald Dunkel

On 12/13/20 8:32 PM, Theo de Raadt wrote:


If a pflogd dies because of a bug, the pid listed in the file may be
reused, and then your kill `cat pidfile` will kill the incorrect process.



I understand your concern, but as written before, I am not asking to drop
pkill support.

How about adding a static -uuid option to the pflogd command line
(instead of "-p /var/run/pflogd.pid"), to be shown in the process list as
well? Of course pflogd should ignore this uuid option. Its only purpose is
to support pkill/pgrep.

This would be a much more reliable and easy to use search pattern for pkill/
pgrep than the executable name or the interface name.


Regards
Harri



Re: pflogd write /var/run/mypflogdinstance.pid?

2020-12-13 Thread Harald Dunkel

On 12/13/20 7:10 PM, Theo de Raadt wrote:


And I'm suggesting the arguments should look like this:

 pflogd: [priv] -s 160 -i pflog0 -f /var/log/pflog (pflogd)
 pflogd: [running] -s 160 -i pflog0 -f /var/log/pflog (pflogd)

That might allow more accurate pkill targeting.



Wouldn't you admit that this appears to be very fragile? If I add
some flags to the pflogd command line then I have to verify the
pkill commands in newsyslog.conf again. Newsyslog doesn't tell if
pkill doesn't find anything to send a HUP to. Not to mention that the
"-s 160" is not set with "rcctl set flags". Apparently there is some
magic code somewhere else. If this code is changed, then this might
break the newsyslog configuration as well. Sorry to say, but it's
obscure and error-prone.

My point is that a pid file on a volatile file system is much more
reliable than pkill/pgrep. I am not asking you to drop pkill/pgrep,
but I am missing the old -p option to pflogd.

At least OpenBSD is not alone with this problem. On Debian there
is a tool "/bin/pidof", trying to guess the pid of a daemon to kill
by looking at the process list as well. It's part of the sysv init
environment. For years I wondered how come daemons in my
containers silently got killed. They were visible in the parent's
process list and were found by pidof.


Regards
Harri



Re: pflogd write /var/run/mypflogdinstance.pid?

2020-12-13 Thread Harald Dunkel

On 12/7/20 7:19 PM, Theo de Raadt wrote:

Yep.

It is possible we need a better strategy --- like placing *all* original
argv in the [priv] title.



If you change the pflogd command line in the process list, what is
supposed to happen to the existing code using pkill or pgrep, expecting
the *old* line?



Re: pflogd write /var/run/mypflogdinstance.pid?

2020-12-07 Thread Harald Dunkel

On 12/7/20 7:43 AM, Theo de Raadt wrote:


We've put some work into making programs not damage their argv.  If you
provide a strong set of arguments to the programs you start, you may be
able to pkill with a more fullsize pattern, increasing the accuracy.



AFAICS pflogd rewrites the command line. This is what I saw this morning
for using symlinks:

{root@gate6a:etc 510} ps auxww | grep pflogd
root      8647  0.0  0.0   716   576 ??  IU     27Nov20  0:00.00 pflogd0: [priv] (pflogd)
_pflogd  44379  0.0  0.0   772   652 ??  Sp     27Nov20  0:19.26 pflogd0: [running] -s 160 -i pflog0 -f /var/log/pflog0 (pflogd)
root     23720  0.0  0.0   732   596 ??  IU     27Nov20  0:00.00 pflogd1: [priv] (pflogd)
_pflogd  22050  0.0  0.0   772   660 ??  Sp     27Nov20  0:22.99 pflogd1: [running] -s 160 -i pflog1 -f /var/log/pflog1 (pflogd)
root     52274  0.0  0.0   724   588 ??  IU     27Nov20  0:00.00 pflogd2: [priv] (pflogd)
_pflogd  26070  0.0  0.0   772   564 ??  Sp     27Nov20  0:15.02 pflogd2: [running] -s 160 -i pflog2 -f /var/log/pflog2 (pflogd)
root     10820  0.0  0.0   732   576 ??  IU     27Nov20  0:00.00 pflogd3: [priv] (pflogd)
_pflogd  75291  0.0  0.0   772   564 ??  Sp     27Nov20  0:14.70 pflogd3: [running] -s 160 -i pflog3 -f /var/log/pflog3 (pflogd)
root     87921  0.0  0.0   108   280 p0  R+/3    6:03AM  0:00.00 grep pflogd


newsyslog has to kill -HUP the processes owned by root. See that there
is just "pflogd" possible as a search pattern for pkill? Using "pflogd3"
as a search pattern didn't work, so I had to replace the symlinks by
hard links to make "pflogd3" show up in the process table.

Surely I am not asking to drop pkill or pgrep. But an optional
argument -p in pflogd shouldn't hurt. Nobody is forced to use it.

(Not to mention that "pkill pflogd" would kill a process "pflogdsample"
as well, so there is still a risk for killing the wrong process.)

About the PIDs: Maybe a sysctl like

kernel.pid_max = 4194303

known from other OSes could help to reduce the risk for PID conflicts.
If you store the PID files on a volatile file system, so you can be sure
they are gone on the next reboot, anyway.

Just a suggestion, of course. Please keep on your good work


Regards
Harri



pflogd write /var/run/mypflogdinstance.pid?

2020-12-06 Thread Harald Dunkel

Hi folks,

I have to run several pflogd in parallel. To make pkill (i.e.
newsyslog) work it seems to be necessary to create hard links
pflogd1, pflogd2 etc., pointing to /sbin/pflogd. Soft links
don't work, because they don't show up in the process table.
This introduces new problems on the next upgrade of pflogd.
It's unreliable and error-prone. (I lost 2 weeks of logfiles
due to this.)

Would it be possible for pflogd to support a command line
option -p /var/run/mypflogdinstance.pid, as common for other
daemons? Without "-p" no pid file has to be written, as it is
now.

I know this flag was present in ancient OpenBSD versions,
but I never understood why such a reliable feature had
been dropped in advance of the undependable pkill.


Thanx in advance
Harri



Re: pflogd: Corrupted log file, move it away

2020-11-29 Thread Harald Dunkel

Hi folks,

On 11/28/20 5:13 PM, Stuart Henderson wrote:


It is easy enough to add the filename, but adding that to the log
might suggest to users that things are setup to handle multiple pflogd
processes and that is not the case.

Various parts of the system would need changing in order to handle this.
Currently there is no way to distinguish between multiple "priv" processes
as the process title doesn't show the command-line flags. In order to
support multiple pflogd processes this would need adding, then the rc.d
scripts and default newsyslog.conf entry would need updating to use them.



I have to admit that this was my fault. There were 2 pflogd writing to
/var/log/pflog, AFAICS. The other 2 were not even started.

To support 4 pflog interfaces I had to create 4 symlinks in /sbin

ln -s pflogd /sbin/pflogd0
ln -s pflogd /sbin/pflogd1
ln -s pflogd /sbin/pflogd2
ln -s pflogd /sbin/pflogd3

and to create 4 rc scripts in /etc/rc.d, e.g. /etc/rc.d/pflogd2:

#!/bin/ksh

daemon="/sbin/pflogd2"

. /etc/rc.d/rc.subr

pexp="pflogd2: \[priv\]"

rc_pre() {
	if pfctl -si | grep -q Enabled; then
		ifconfig pflog2 create
		if ifconfig pflog2; then
			ifconfig pflog2 up
		else
			return 1
		fi
	else
		return 1
	fi
}

rc_cmd $1

Each pflogd had to be configured accordingly using rcctl, e.g.

rcctl enable pflogd2
rcctl set pflogd2 flags "-i pflog2 -f /var/log/pflog2"
rcctl start pflogd2

(Be careful, if you disable and enable the service, then you have to
set the flags again.)

Finally I had to add the new log files to newsyslog.conf:

/var/log/pflog0 600 7   65536   24  ZB "pkill -HUP -u root -U root -t - -x pflogd0"
/var/log/pflog1 600 7   65536   24  ZB "pkill -HUP -u root -U root -t - -x pflogd1"
/var/log/pflog2 600 7   65536   24  ZB "pkill -HUP -u root -U root -t - -x pflogd2"
/var/log/pflog3 600 7   65536   24  ZB "pkill -HUP -u root -U root -t - -x pflogd3"


Hope this is helpful to anybody.


Regards
Harri



pflogd: Corrupted log file, move it away

2020-11-27 Thread Harald Dunkel

Hi folks,

I got a bazillion of error messages in /var/log/daemon

:
Nov 27 08:33:25 gate6a pflogd[26893]: Corrupted log file.
Nov 27 08:33:25 gate6a pflogd[26893]: Invalid/incompatible log file, move it 
away
Nov 27 08:33:25 gate6a pflogd[26893]: Logging suspended: open error
Nov 27 08:33:32 gate6a pflogd[2985]: Corrupted log file.
Nov 27 08:33:32 gate6a pflogd[2985]: Invalid/incompatible log file, move it away
Nov 27 08:33:32 gate6a pflogd[2985]: Logging suspended: open error
:

Problem is, pflogd doesn't tell which one. I am logging to
/var/log/pflog{0..3}. Nothing else but pflogd is writing these files. They are
rotated every hour, using the default

/var/log/pflog   600  3 250  * ZB "pkill -HUP -u root -U root -t - -x pflogd"

in /etc/newsyslog.conf. crontab entry:

0 * * * * /usr/bin/newsyslog


I can't remember having seen this problem for 6.7.

(Not to mention that syslog should try to avoid printing the same
message again and again.)


I am legally bound to provide log files, so this is a huge problem.
Every insightful comment is highly appreciated.
Harri



address lists in iked.conf?

2020-11-15 Thread Harald Dunkel

Hi folks,

would it be possible to support address lists in iked.conf(5),
similar to ipsec.conf(5)?


Regards
Harri



Re: packet filter question

2020-11-13 Thread Harald Dunkel

On 11/13/20 2:06 PM, Harald Dunkel wrote:

Hi folks,

is it allowed to ask a question about packet filter here?



Found it, please ignore.

Harri



packet filter question

2020-11-13 Thread Harald Dunkel

Hi folks,

Is it allowed to ask a question about packet filter here?

Please take a look at the attached pf.conf file. Problem is
that incoming traffic from a host in (internal:network) to an
external host port is passed in rule 86 (that's one of the
debproxy lines)

pass $log0 quick proto tcp from (internal:network) to $debproxy port 
$debproxy_port

but then it's blocked for outgoing in the default rule 0.

# tcpdump -envi pflog0 host 172.19.96.126
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
13:19:46.286235 rule 86/(match) [uid 0, pid 10501] pass in on em1: 10.150.1.32.37024 > 172.19.96.126.3142: S [tcp sum ok] 1742174933:1742174933(0) win 64240  (DF) (ttl 64, id 58124, len 60)
13:19:46.286263 rule 0/(match) [uid 0, pid 10501] block out on em0: 10.150.1.32.37024 > 172.19.96.126.3142: S [tcp sum ok] 1742174933:1742174933(0) win 64240  (DF) (ttl 63, id 47021, len 60, bad ip cksum 3f68! -> 6bc7)
^C
294 packets received by filter
0 packets dropped by kernel


Rule 86 explicitly says "pass quick", not "pass in quick". The
tcpdump line shows that the outgoing packet is still filtered
using the IP address bound to (internal:network) as for the
incoming packet. How come this rule 86 is not applied for
the outgoing packet?

The workaround is to add a tag in rule 86 and to add a line

pass out quick tagged ALLOWED

But that's ugly.


Every insightful comment is highly appreciated

Harri
#
# gate6a/b firewall configuration
#
#   to watch pf at work use 'tcpdump -nettt -i pflog0' 
#   to check the rule numbers use 'pfctl -gsr | grep ^@'
#   to check built in tables use something like
#
#   pfctl -a _pf -s Tables
#   pfctl -a _pf -t self -T show
#   pfctl -a _pf -t internal:network -T show
#
# The groups are assigned in /etc/hostname.$ifname. There are also a 
# few predefined groups, depending on the interface type, see ifconfig(8). 
# Here is a list, as used in this pf config file
#
#   egress: the interface with the default gateway
#   external:   the interface to access the internet
#   public: public IP address range to access the containers
#   internal:   local IP address range to access the nodes
#   switches:   local IP address range to access the switches and idracs
#   dblan:  local IP address range to access the databases
#
# external, public, internal, switches and dblan are mutually exclusive
#
# special groups:
#
#   carpdev:interface running carp protocol
#   pfsyncdev:  interface running pfsync protocol
#   carp:   interface *is* a carp interface
#
# Please keep this list up to date.


# ==
# macros for logging
# ==
# we surely need some policy for logging. How about this:
log0= "log (to pflog0)" # "regular" traffic (passed or blocked)"
log1= "log (to pflog1)" # traffic to or from public network
log2= "log (to pflog2)" # unused
log3= "log (to pflog3)" # exclusively for spamlogd (unused)
logd= "log (to pflog0)" # verbose
# logd  = ""


# ==
# runtime options
# ==
set block-policy return # default: drop
set fingerprints "/etc/pf.os"   # /etc/pf.os

set limit states 10 # default: 10
set limit tables 1000   # default: 1000
set limit table-entries 20  # default: 20
set limit frags 65536   # default: platform dependent
set limit src-nodes 1   # default: unknown

set loginterface egress # default: none
set optimization normal # default: normal
set reassemble yes  # default: yes
set ruleset-optimization basic  # default: basic
set skip on { lo }
# set state-defaults ...
# set state-policy if-bound # default: floating
set syncookies never# default: never

set timeout udp.first 240   # default: 60
set timeout udp.single 120  # default: 30
set timeout udp.multiple 240# default: 60


# ==
# IP addresses and ports
# ==
ssh_port= "{ ssh 1023 }"
http_port   = "{ http https }"
smtp_host   = "{ 10.150.1.1 }"
smtp_port   = "{ smtp }"
debproxy= "{ 172.19.96.126 10.150.1.32 }"
debproxy_port   = 3142
dns_host= "any"
ntp_host= "any"
oracle_port = "{ 1521 }"
zabbix_agent= 10050 # Zabbix Agent port
zabbix_trapper  = 10051 # Zabbix Server port


# 

Re: question about hostname.carp

2020-11-09 Thread Harald Dunkel

On 11/5/20 9:25 AM, Stuart Henderson wrote:


but I prefer this multi-line

vhid 41 pass secret advbase 1 advskew 0 carpdev em1
inet 10.0.1.1/24



That's much better. I was using this "one line for all" thing following
some ancient examples.

Thanx very much
Harri



iked vs IPsec failover (carp & sasyncd)

2020-11-08 Thread Harald Dunkel

Hi folks,

wrt IPsec failover via sasyncd and carp: sasyncd(8) and iked(8) don't
seem to tell, but I would guess that all hosts on the carp interface
have to share the private key to support renegotiation.

How can I tell iked which private key to use, instead of local.key?
Is there a similar naming scheme as for the foreign public keys?

Every insightful comment is highly appreciated
Harri



question about hostname.carp

2020-11-04 Thread Harald Dunkel

Hi folks

short question about hostname.carp1: Is it

inet 10.0.1.1 0xff00 NONE vhid 41 pass secret carpdev em1 advbase 1 
advskew 0
or
inet 10.0.1.1 0xff00 vhid 41 pass secret carpdev em1 advbase 1 
advskew 0

?

Using ifconfig I get

% ifconfig carp1 -inet
% ifconfig carp1 inet 10.0.1.1 0xff00 NONE vhid 41 pass secret 
carpdev em1 advbase 1 advskew 0
ifconfig: NONE: bad value

but if I omit the NONE in hostname.carp1, then it's not accepted at boot
time, either ("status: invalid"). And worst of all, for carp2 it is the
other way.


Maybe I am too blind to see, but every insightful comment is highly
appreciated.

Harri



6.8: page fault

2020-11-03 Thread Harald Dunkel

Hi folks,

after applying the recent 4 syspatches for 6.8 one (of 5) OpenBSD
host ran into the kernel debugger. I missed the error message, but
on a reboot there was a page fault. On another reboot there was no
problem any more. log is attached.

I would be glad to help, but I need some advice how to proceed
if the page fault happens again. Every helpful comment is highly
appreciated.

Harri
{hdunkel@dpcl082:~ 07:14:57 (local) 501} ssh -x -p 3011 
ad...@ts02.peppercon.aixigo.de

ddb{2}> 
ddb{2}> boot reboot
rebooting...
>> OpenBSD/amd64 BOOT 3.52
boot> 
NOTE: random seed is being reused.
booting hd0a:/bsd: 14415144+3195912+344096+0+880640 
[1004551+128+1138200+861220]=0x14d6ac8
entry point at 0x81001000
[ using 3005128 bytes of bsd ELF symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2020 OpenBSD. All rights reserved.  https://www.OpenBSD.org

OpenBSD 6.8 (GENERIC.MP) #1: Tue Nov  3 09:06:04 MST 2020

r...@syspatch-68-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8478871552 (8086MB)
avail mem = 8206848000 (7826MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.0 @ 0xecef0 (51 entries)
bios0: vendor American Megatrends Inc. version "5.11" date 04/08/2016
bios0: Default string Default string
acpi0 at bios0: ACPI 5.0
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP APIC FPDT FIDT MCFG SSDT SSDT SSDT UEFI LPIT CSRT
acpi0: wakeup devices BRC1(S0) XHC1(S4) HDEF(S4) RP01(S4) PXSX(S4) RP02(S4) 
PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) PXSX(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) CPU N3160 @ 1.60GHz, 1680.39 MHz, 06-4c-04
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,TSC_ADJUST,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
cpu0: 1MB 64b/line 16-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 79MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.0.0.0.3.3, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Celeron(R) CPU N3160 @ 1.60GHz, 1679.95 MHz, 06-4c-04
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,TSC_ADJUST,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
cpu1: 1MB 64b/line 16-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Celeron(R) CPU N3160 @ 1.60GHz, 1599.97 MHz, 06-4c-04
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,TSC_ADJUST,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
cpu2: 1MB 64b/line 16-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Celeron(R) CPU N3160 @ 1.60GHz, 1599.96 MHz, 06-4c-04
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,TSC_ADJUST,SMEP,ERMS,MD_CLEAR,IBRS,IBPB,STIBP,SENSOR,ARAT,MELTDOWN
cpu3: 1MB 64b/line 16-way L2 cache
cpu3: smt 0, core 3, package 0
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 115 pins
acpimcfg0 at acpi0
acpimcfg0: addr 0xe000, bus 0-255
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (RP01)
acpiprt2 at acpi0: bus 2 (RP02)
acpiprt3 at acpi0: bus 3 (RP03)
acpiprt4 at acpi0: bus 4 (RP04)
acpiec0 at acpi0: not present
acpicmos0 at acpi0
acpipci0 at acpi0 PCI0: 0x0004 0x0011 0x0001
"INTCF1C" at acpi0 not configured
acpibtn0 at acpi0: SLPB
"PNP0C0B" at acpi0 not configured
acpicpu0 at acpi0: C1(@1 halt!), PSS
acpicpu1 at acpi0: C1(@1 halt!), PSS
acpicpu2 at acpi0: C1(@1 halt!), PSS
acpicpu3 at acpi0: C1(@1 halt!), PSS
acpipwrres0 at acpi0: ID3C, resource for ISP3
acpipwrres1 at acpi0: CLK0, resource for CAMD
acpipwrres2 at acpi0: CLK0, resource for CAM1
acpipwrres3 at acpi0: CLK1, resource for 

Re: suggestion for the installer

2020-10-30 Thread Harald Dunkel

On 10/29/20 3:38 PM, Nick Holland wrote:

On 2020-10-29 08:00, Harald Dunkel wrote:

Hi folks,

do you think it would be possible for the installer to show
an eye-catching warning, if "ifconfig" reports "no carrier"
for the network port to configure?

Just a suggestion, of course
Harri


Why?


Because accidents happen. You plug a cable into the left
socket and em0 turns out to be the right one. Imagine a
network appliance with ports labeled eth{1..8} instead
of eth{0..7}.

Sorry for asking

Harri



suggestion for the installer

2020-10-29 Thread Harald Dunkel

Hi folks,

do you think it would be possible for the installer to show
an eye-catching warning, if "ifconfig" reports "no carrier"
for the network port to configure?

Just a suggestion, of course
Harri



Re: sysupgrade --download ?

2020-10-23 Thread Harald Dunkel

Hi Theo,

sorry, I missed that. I have associated "-n" with dry-run mode.


Thanx for the hint
Harri



sysupgrade --download ?

2020-10-23 Thread Harald Dunkel

Hi folks,

I stumbled over a bad mirror for sysupgrade.

Would it be possible to add an option "-d" to sysupgrade, to just
download and verify the required files? A subsequent call without
"-d" should verify the signatures in the download directory again
and proceed.

I would like to make sure download works at usual business hours,
and to do the "real upgrade" with minimal effort at night time
when nobody gets disturbed by restarting the gateway.

Just a suggestion, of course. Keep on your good work.

Harri



Re: Inphi CS4223 for 4x 10GbE SFP+

2020-10-23 Thread Harald Dunkel

Hi folks,

below you can find the summary of "openssl speed" on the network
appliance. Speed is not amazing, but AFAIU "openssl speed" is
single-threaded. The CPU has 8 cores (no hyperthreading).

Assuming IPsec encryption/decryption is running in kernel space, I
wonder if the OpenBSD kernel can make use of the 8 cores for running
several IPsec connections in parallel? Does it use AES?


Regards
Harri
Intel(R) Atom(TM) CPU C3758 @ 2.20GHz, 2195.40 MHz, 06-5f-01
8 cores

LibreSSL 3.2.2
built on: date not available
options:bn(64,64) rc4(16x,int) des(idx,cisc,16,int) aes(partial) idea(int) blowfish(idx)
compiler: information not available
The 'numbers' are in 1000s of bytes per second processed.
type              16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
md2                  0.00         0.00         0.00         0.00         0.00
md4              13724.16k    45836.82k   115244.57k   185000.74k   224988.79k
md5              12057.24k    44613.25k   136613.93k   278648.09k   399437.57k
hmac(md5)        12879.60k    47239.51k   141646.50k   283716.38k   400684.06k
sha1             14261.27k    48934.66k   126469.61k   210988.57k   261128.85k
rmd160            7478.71k    19132.30k    36135.97k    46448.78k    50673.37k
rc4             221676.80k   361020.98k   420244.07k   435180.27k   439858.69k
des cbc          24940.07k    25926.00k    26213.89k    26296.73k    26323.26k
des ede3          9125.12k     9257.70k     9296.80k     9306.83k     9310.58k
idea cbc         19172.98k    19989.11k    20185.22k    20235.06k    20251.39k
seed cbc             0.00         0.00         0.00         0.00         0.00
rc2 cbc           6654.11k     6724.98k     6744.20k     6749.21k     6752.28k
rc5-32/12 cbc        0.00         0.00         0.00         0.00         0.00
blowfish cbc     28152.30k    29404.87k    29758.43k    29873.58k    29907.60k
cast cbc         32971.96k    34915.95k    35399.95k    35561.38k    35606.62k
aes-128 cbc      42748.35k    47506.54k    49266.14k   123527.74k   124700.75k
aes-192 cbc      36277.25k    39905.49k    41139.80k   103818.63k   105167.86k
aes-256 cbc      31742.60k    34425.15k    35314.65k    90007.22k    90667.21k
camellia-128 cbc 45902.96k    76808.12k    92168.33k    97341.92k    98943.57k
camellia-192 cbc 40179.04k    62497.28k    72516.04k    75711.36k    76659.16k
camellia-256 cbc 40040.61k    62499.19k    72515.95k    75711.36k    76678.21k
sha256           17433.04k    41804.06k    73496.15k    90807.03k    97541.95k
sha512           14251.64k    57007.97k    93895.44k   133096.53k   152066.38k
whirlpool        13191.30k    28503.96k    47912.31k    57710.39k    61385.57k
aes-128 ige      42754.84k    44870.36k    45810.90k    45989.51k    46038.50k
aes-192 ige      36277.18k    38005.20k    38754.83k    38883.08k    38926.97k
aes-256 ige      31741.82k    33237.39k    33254.74k    33254.83k    33255.17k
ghash           325142.67k   836113.05k  1256164.95k  1443524.30k  1517196.50k
aes-128 gcm      42352.61k   149903.52k   379077.66k   617644.48k   751160.13k
aes-256 gcm      40132.77k   141596.79k   342723.27k   538803.63k   641956.15k
chacha20 poly1305 12735.36k   48161.34k    91694.86k   119161.28k   130459.64k
                  sign    verify    sign/s verify/s
rsa  512 bits 0.000215s 0.23s       4643.0  44006.6
rsa 1024 bits 0.000546s 0.53s       1830.9  18834.8
rsa 2048 bits 0.003018s 0.000164s    331.4   6113.8
rsa 4096 bits 0.028494s 0.000586s     35.1   1705.6
                  sign    verify    sign/s verify/s
dsa  512 bits 0.000324s 0.000219s   3083.5   4561.2
dsa 1024 bits 0.000518s 0.000409s   1929.2   2447.1
dsa 2048 bits 0.001207s 0.001104s    828.6    905.7
                              sign    verify    sign/s   verify/s
 160 bit ecdsa (secp160r1)   0.0015s   0.0011s    671.4    870.5
 192 bit ecdsa (nistp192)   0.0018s   0.0014s    562.5    724.7
 224 bit ecdsa (nistp224)   0.0023s   0.0018s    433.5    569.6
 256 bit ecdsa (nistp256)   0.0026s   0.0020s    379.7    503.0
 384 bit ecdsa (nistp384)   0.0051s   0.0035s    196.5    284.0
 521 bit ecdsa (nistp521)   0.0102s   0.0066s     97.8    151.6
 163 bit ecdsa (nistk163)   0.0085s   0.0058s    118.3    171.9
 233 bit ecdsa (nistk233)   0.0208s   0.0142s     48.0     70.4
 283 bit ecdsa (nistk283)   0.0355s   0.0237s     28.1     42.2
 409 bit ecdsa (nistk409)   0.0970s   0.0646s     10.3     15.5
 571 bit ecdsa (nistk571)   0.2271s   0.1517s      4.4      6.6
 163 bit ecdsa (nistb163)   0.0084s   0.0056s    118.6    177.1
 233 bit ecdsa (nistb233)   0.0208s   0.0140s     48.2     71.3
 283 bit ecdsa (nistb283)   0.0355s   0.0242s     28.1     41.3
 409 bit ecdsa (nistb409)   0.0972s   0.0646s     10.3     15.5
 571 bit ecdsa (nistb571)   0.2267s   0.1518s      4.4      6.6
                              op      op/s
 160 bit ecdh (secp160r1)   0.0013s    774.4
 192 bit ecdh (nistp192)   0.0015s    648.7
 224 bit ecdh (nistp224)   0.0020s    492.4
 256 bit ecdh 

Re: Inphi CS4223 for 4x 10GbE SFP+

2020-10-21 Thread Harald Dunkel

On 10/19/20 4:40 PM, Stuart Henderson wrote:

On 2020-10-19, Harald Dunkel  wrote:

Hi folks,

I am about to order 2 network appliances, providing an
"Inphi CS4223 for 4x 10GbE SFP+".



dmesg would be of interest :)




See attachment. Product web site:

https://www.ibase.com.tw/english/ProductDetail/NetworkAppliance/FWA8506

OpenBSD 6.8 booted from USB cdrom and installed fine. I didn't try
the USB installer image.

The host was preconfigured with serial console enabled. 115200 8N1.
There was no VGA adapter included. There is no bezel for a VGA socket,
either. There is however a bezel for a PCI card included.

Hope this helps


Regards
Harri
OpenBSD 6.8 (GENERIC.MP) #98: Sun Oct  4 18:13:26 MDT 2020
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 17132859392 (16339MB)
avail mem = 16598568960 (15829MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.0 @ 0x7f2f4000 (52 entries)
bios0: vendor American Megatrends Inc. version "5.13" date 03/06/2018
bios0: Default string Default string
acpi0 at bios0: ACPI 6.1
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP FPDT FIDT MCFG WDAT ECDT APIC BDAT HPET UEFI SSDT DMAR 
SPCR HEST BERT ERST EINJ WSMT
acpi0: wakeup devices PEX2(S4) XHC1(S4) LAN0(S4) LAN1(S4) LAN2(S4) LAN3(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimcfg0 at acpi0
acpimcfg0: addr 0xe000, bus 0-255
acpiec0 at acpi0
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Atom(TM) CPU C3758 @ 2.20GHz, 2195.39 MHz, 06-5f-01
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,MPX,RDSEED,SMAP,CLFLUSHOPT,PT,SHA,IBRS,IBPB,STIBP,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu0: 2MB 64b/line 16-way L2 cache
cpu0: cannot disable silicon debug
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 25MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.2, IBE
cpu1 at mainbus0: apid 4 (application processor)
cpu1: Intel(R) Atom(TM) CPU C3758 @ 2.20GHz, 2195.00 MHz, 06-5f-01
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,MPX,RDSEED,SMAP,CLFLUSHOPT,PT,SHA,IBRS,IBPB,STIBP,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu1: 2MB 64b/line 16-way L2 cache
cpu1: cannot disable silicon debug
cpu1: smt 0, core 2, package 0
cpu2 at mainbus0: apid 8 (application processor)
cpu2: Intel(R) Atom(TM) CPU C3758 @ 2.20GHz, 2195.00 MHz, 06-5f-01
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,MPX,RDSEED,SMAP,CLFLUSHOPT,PT,SHA,IBRS,IBPB,STIBP,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu2: 2MB 64b/line 16-way L2 cache
cpu2: cannot disable silicon debug
cpu2: smt 0, core 4, package 0
cpu3 at mainbus0: apid 12 (application processor)
cpu3: Intel(R) Atom(TM) CPU C3758 @ 2.20GHz, 2195.00 MHz, 06-5f-01
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,MPX,RDSEED,SMAP,CLFLUSHOPT,PT,SHA,IBRS,IBPB,STIBP,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu3: 2MB 64b/line 16-way L2 cache
cpu3: cannot disable silicon debug
cpu3: smt 0, core 6, package 0
cpu4 at mainbus0: apid 16 (application processor)
cpu4: Intel(R) Atom(TM) CPU C3758 @ 2.20GHz, 2195.00 MHz, 06-5f-01
cpu4: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,MPX,RDSEED,SMAP,CLFLUSHOPT,PT,SHA,IBRS,IBPB,STIBP,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu4: 2MB 64b/line 16-way L2 cache
cpu4: cannot disable silicon debug
cpu4: smt 0, core 8, package 0
cpu5 at mainbus0: apid 20 (application processor)
cpu5: Intel(R) Atom(TM) CPU C3758 @ 2.20GHz, 2195.0

Re: Inphi CS4223 for 4x 10GbE SFP+

2020-10-20 Thread Harald Dunkel

On 10/19/20 9:46 PM, Stuart Henderson wrote:

On 2020-10-19, Harald Dunkel  wrote:


What would these bypass problems look like? Hopefully the bypass feature
can be turned off/ignored.


If there are problems then possibly 2 of the ports either won't work
or will be connected directly to 2 of the other ports until a magic
command is sent somehow (either gpio or via some memory mapped io
port I guess, I don't know the hardware).



You mean the bypass might be active, even though it's not configured and
power is on? That sounds like a fatal problem to me. Is this restricted
to OpenBSD or are other operating systems affected as well?


Regards
Harri



Re: Inphi CS4223 for 4x 10GbE SFP+

2020-10-19 Thread Harald Dunkel

On 10/19/20 4:36 PM, Stuart Henderson wrote:

On 2020-10-19, Tom Smyth  wrote:

Hi Harald, check the Atom processor and make sure that it is not one
of those ones that fail after a while (some electrical issue) ...


It isn't.



Anyway, some more precise information about the affected models would be
highly appreciated.

Regards
Harri



Re: Inphi CS4223 for 4x 10GbE SFP+

2020-10-19 Thread Harald Dunkel

On 10/19/20 4:40 PM, Stuart Henderson wrote:


I can't say for sure but I think there's a high chance that the 10G
will work, and at least some of the 1G will work, but you might run into
problems with the 1G "bypass" ports.

dmesg would be of interest :)




Of course. The hosts are already on the way. I will post the dmesg output
asap.

What would these bypass problems look like? Hopefully the bypass feature
can be turned off/ignored.

Anything else I should look for?


Regards
Harri



Inphi CS4223 for 4x 10GbE SFP+

2020-10-19 Thread Harald Dunkel

Hi folks,

I am about to order 2 network appliances, providing an
"Inphi CS4223 for 4x 10GbE SFP+".

Does this ring a bell? Is this already supported by 6.8? Other
technical specs can be found on

https://www.ibase.com.tw/english/ProductDetail/NetworkAppliance/FWA8506

BTW, congratulations to the new release


Regards
Harri



Re: Router advertisements for dynamic IPv6 prefix

2020-10-15 Thread Harald Dunkel

On 10/14/20 10:18 AM, Stuart Henderson wrote:

On 2020-10-11, Henrik Friedrichsen  wrote:

Hey,

my ISP provides connectivity via PPPoE. An IPv6 prefix is handed out via
DHCPv6 PD, which my OpenBSD gateway passes on to clients with the help
of router advertisements using rad.

This works fine until the ISP disconnects me after 24h (force disconnect
on ISP side). The gateway receives a new prefix via prefix delegation
and rad advertises it in the local network. So far so good. However, as


The IPv6 protocol does not have the necessary features to reliably cope
with this setup. (Neither does IPv4 for that matter).



I am affected by the same problem, even though my provider (Deutsche Telekom)
resets the IPv6 prefix only once in a while.

Wasn't there some RFC saying that the ISP has to (or should?) route both
prefixes until the old prefix expires and that the forcible disconnect is
allowed only for hardware failures or something similar? Resetting the
prefix every 24h doesn't sound like that.

Maybe there are better ISPs available at your site?

Another option might be to NAT your internal net. Unlike NAT for IPv4 you
could introduce a one-to-one mapping between internal and external IPv6
addresses and port numbers.


Regards
Harri



sasyncd questions about shared secret

2020-10-14 Thread Harald Dunkel

Hi folks,

question about sasyncd, because the man page doesn't tell:
(Please excuse if I am too blind to see.)

Do all sasync daemons on all peers have to share the same
secret, or is it just the sasync daemons on the same carp
interface?

Where would I have to look for error messages indicating
an invalid shared secret?


Every enlightening comment is highly appreciated.

Harri



spamd vs IPv6

2020-07-01 Thread Harald Dunkel

Hi folks,

spamd(8) still mentions 127.0.0.1, but no indication of IPv6 support.
Looking on Google for "openbsd spamd ipv6" gives me some entries of
2015 and 2016, but no up-to-date information. Please excuse if I am
too blind to see.

I am a big fan of spamd, but I wonder whether spamd is at a dead end wrt IP
address families? Would you recommend "IPv4 only" for EMail?


Regards
Harri



net.inet.ip6.forwarding=1 ?

2020-05-19 Thread Harald Dunkel

Hi folks,

congrats to the new release.

Question about https://www.openbsd.org/faq/upgrade67.html:
Shouldn't it be

  net.inet.ip.forwarding=1
  net.inet6.ip6.forwarding=1

That's what I found in my sysctl.conf (before upgrade).


Regards
Harri



Re: sysupgrade (Was: Re: Kernel crash in OpenBSD 6.5)

2019-08-01 Thread Harald Dunkel

On 8/1/19 2:33 PM, Maurice McCarthy wrote:

In the past it was not uncommon for non-X programs in base to have
dependencies in Xenocara. Are you certain that this is no longer so?



Yup



sysupgrade (Was: Re: Kernel crash in OpenBSD 6.5)

2019-08-01 Thread Harald Dunkel

Hi folks,

On 7/30/19 3:08 PM, Hrvoje Popovski wrote:


try to update both boxes to latest snapshot at least because in snapshot
you have excellent tool called sysupgrade ... you will love it :)

with this tool you can upgrade os to latest snapshot without any problem
over ssh :)


This is cool.

Due to space and speed restrictions (compact flash card) and to reduce
downtime I would like to avoid the games and the Xwindow "ballast" on my
gateways. Does sysupgrade recognize the tarballs that are already
installed, or does it become a "sysinstall" in this case?

Sorry for asking, but the man page https://man.openbsd.org/sysupgrade
doesn't tell.


Thanx in advance
Harri



6.5: rc.firsttime failed, how to restart?

2019-05-18 Thread Harald Dunkel
Hi folks,

after the upgrade to 6.5 rc.firsttime was lucky to send me an EMail:

Path to firmware: http://firmware.openbsd.org/firmware/6.5/
Installing: inteldrm-firmware intel-firmware vmm-firmware rtwn-firmware
http://firmware.openbsd.org/firmware/6.5/: ftp: firmware.openbsd.org: no 
address associated with name
http://firmware.openbsd.org/firmware/6.5/: empty
Can't find inteldrm-firmware
Can't find intel-firmware
Can't find vmm-firmware
Can't find rtwn-firmware
Checking for available binary patches...
ftp: ftp.halifax.rwth-aachen.de: no address associated with name

Apparently it is a bad idea to remove it if it didn't succeed.
My assumption is that the network connection to my DSL provider
is not ready yet when rc.firsttime is run.

This could be improved for 6.6. Maybe you should set a marker in
the filesystem instead, indicating that rc.firsttime was already run.
The upgrade procedure could remove the marker.


Harri



Re: 6.5 on EdgeRouter Lite: 1 CPU offline?

2019-04-25 Thread Harald Dunkel
Hi Tobias,

On 4/25/19 7:45 PM, Tobias Ulmer wrote:
> On Thu, Apr 25, 2019 at 06:14:04PM +0200, Harald Dunkel wrote:
>>
>> Next it seems that one CPU is offline somehow. ???
>>
>>  chester# sysctl -a | grep -i cpu
>>  kern.ccpu=1948
>>  hw.ncpu=1
>>  hw.cpuspeed=500
>>  hw.ncpufound=2
>>  hw.ncpuonline=1
> 
> https://ftp.openbsd.org/pub/OpenBSD/6.5/octeon/INSTALL.octeon
> 
> search for numcores
> 

Thanx for the hint. It's the first time I've tried OpenBSD on Octeon (using
https://codeghar.com/blog/openbsd-network-gateway-on-edgerouter-lite.html
instead of the official documentation; shame on me).

I just wonder why numcores is 1 by default, even for bsd.mp? The printenv
on the boot prompt showed numcores=2. You have to admit that this is
quite unexpected.


Every insightful comment is highly appreciated.

Harri



6.5 on EdgeRouter Lite: 1 CPU offline?

2019-04-25 Thread Harald Dunkel
There is a suspicious message

dev/ksyms: Symbol table not valid.

Next it seems that one CPU is offline somehow. ???

chester# sysctl -a | grep -i cpu
kern.ccpu=1948
hw.ncpu=1
hw.cpuspeed=500
hw.ncpufound=2
hw.ncpuonline=1


Regards
Harri
-
Looking for valid bootloader image
Jumping to start of image at address 0xbfc8


U-Boot 1.1.1 (UBNT Build ID: 4670715-gbd7e2d7) (Build time: May 27 2014 - 
11:16:22)

BIST check passed.
UBNT_E100 r1:2, r2:18, f:4/71, serial #: 788A207F2E7E
MPR 13-00318-18
Core clock: 500 MHz, DDR clock: 266 MHz (532 Mhz data rate)
DRAM:  512 MB
Clearing DRAM... done
Flash:  4 MB
Net:   octeth0, octeth1, octeth2

USB:   (port 0) scanning bus for devices... 1 USB Devices found
   scanning bus for storage devices...
  Device 0: Vendor: JetFlash Prod.: Transcend 32GB   Rev: 1100
Type: Removable Hard Disk
Capacity: 30128.0 MB = 29.4 GB (61702144 x 512)
 0
reading bsd
..

6025929 bytes read
ELF file is 64 bit
Allocating memory for ELF segment: addr: 0x8100 (adjusted to: 
0x100), size 0x5b3bd0
Allocated memory for ELF segment: addr: 0x8100, size 0x5b3bd0
Processing PHDR 0
  Loading 51ffd8 bytes at 8100
  Clearing 93bf8 bytes at 8151ffd8
## Loading Linux kernel with entry point: 0x8100 ...
Bootloader: Done loading app on coremask: 0x1
bootmem desc 0x24108 version 3.0
avail phys mem 0x00100290 - 0x00fffce0
avail phys mem 0x015b3bd0 - 0x0810
avail phys mem 0x08100010 - 0x0fffdc00
avail phys mem 0x00041000 - 0x00041ff0
Total DRAM Size 0x2000
mem_layout[0] page 0x0041 -> 0x03FF
mem_layout[1] page 0x056D -> 0x2040
mem_layout[2] page 0x2041 -> 0x3FFFInitial setup done, 
switching console.
boot_desc->desc_ver:7
boot_desc->desc_size:400
boot_desc->stack_top:0
boot_desc->heap_start:0
boot_desc->heap_end:0
boot_desc->argc:2
boot_desc->flags:0x5
boot_desc->core_mask:0x1
boot_desc->dram_size:512
boot_desc->phy_mem_desc_addr:0
boot_desc->debugger_flag_addr:0xa44
boot_desc->eclock:5
boot_desc->boot_info_addr:0x1001f0
boot_info->ver_major:1
boot_info->ver_minor:2
boot_info->stack_top:0
boot_info->heap_start:0
boot_info->heap_end:0
boot_info->boot_desc_addr:0
boot_info->exception_base_addr:0x1000
boot_info->stack_size:0
boot_info->flags:0x5
boot_info->core_mask:0x1
boot_info->dram_size:512
boot_info->phys_mem_desc_addr:0x24108
boot_info->debugger_flags_addr:0
boot_info->eclock:5
boot_info->dclock:26600
boot_info->board_type:20002
boot_info->board_rev_major:2
boot_info->board_rev_minor:18
boot_info->mac_addr_count:3
boot_info->cf_common_addr:0
boot_info->cf_attr_addr:0
boot_info->led_display_addr:0
boot_info->dfaclock:0
boot_info->config_flags:0x8
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2019 OpenBSD. All rights reserved.  https://www.OpenBSD.org

OpenBSD 6.5 (GENERIC.MP) #0: Mon Apr 15 07:34:41 UTC 2019
visa@octeon:/usr/src/sys/arch/octeon/compile/GENERIC.MP
real mem = 536870912 (512MB)
avail mem = 523730944 (499MB)
mainbus0 at root: board 20002 rev 2.18
cpu0 at mainbus0: CN50xx CPU rev 0.1 500 MHz, Software FP emulation
cpu0: cache L1-I 32KB 4 way D 16KB 64 way, L2 128KB 8 way
clock0 at mainbus0: int 5
octcrypto0 at mainbus0
iobus0 at mainbus0
simplebus0 at iobus0: "soc"
octciu0 at simplebus0
cn30xxsmi0 at simplebus0
com0 at simplebus0: ns16550a, 64 byte fifo
com0: console
dwctwo0 at iobus0 base 0x118006800 irq 56
usb0 at dwctwo0: USB revision 2.0
uhub0 at usb0 configuration 1 interface 0 "Octeon DWC2 root hub" rev 2.00/1.00 
addr 1
octrng0 at iobus0 base 0x14000 irq 0
cn30xxgmx0 at iobus0 base 0x118000800
cnmac0 at cn30xxgmx0: RGMII, address 78:8a:20:7f:2e:7e
atphy0 at cnmac0 phy 7: AR8035 10/100/1000 PHY, rev. 2
cnmac1 at cn30xxgmx0: RGMII, address 78:8a:20:7f:2e:7f
atphy1 at cnmac1 phy 6: AR8035 10/100/1000 PHY, rev. 2
cnmac2 at cn30xxgmx0: RGMII, address 78:8a:20:7f:2e:80
atphy2 at cnmac2 phy 5: AR8035 10/100/1000 PHY, rev. 2
/dev/ksyms: Symbol table not valid.
umass0 at uhub0 port 1 configuration 1 interface 0 "JetFlash Mass Storage 
Device" rev 2.10/11.00 addr 2
umass0: using SCSI over Bulk-Only
scsibus0 at umass0: 2 targets, initiator 0
sd0 at scsibus0 targ 1 lun 0:  SCSI4 0/direct 
removable serial.85641000DC26LWBM6WGN
sd0: 30128MB, 512 bytes/sector, 61702144 sectors
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
scsibus2 at softraid0: 256 targets
boot device: sd0
root on sd0a (5b378c9023bdff5d.a) swap on sd0b dump on sd0b
WARNING: No TOD clock, believing file system.
WARNING: CHECK AND RESET THE DATE!
Automatic boot in progress: 

OpenBSD on Macbook 12" 2017?

2019-03-15 Thread Harald Dunkel

Hi folks,

does it work, OpenBSD on a 12" Macbook 2017? I tried Linux once,
but keyboard and trackpad were not working, so I kept MacOS.

Looking on Google I found just Macbook Airs and Pros. Hopefully
I wasn't too blind to see.


Every helpful comment is highly appreciated
Harri



Re: is pfsync losing data on reboot?

2019-02-05 Thread Harald Dunkel

Hi folks,

On 2/1/19 1:00 PM, Sebastian Benoit wrote:

Janne Johansson(icepic...@gmail.com) on 2019.02.01 12:49:53 +0100:


Yes, it will get a full dump since it has zero pre-existing knowledge of

the current situation regarding states.

I think carp will delay itself until the sync is done, so it will not try
to take over even if it has lower advskew than the other, until the sync is
complete.


depending on the setting of sysctl net.inet.carp.log,
carp(4) will log what it (and pfsync) does.



I highly appreciate your response.

Regards
Harri



is pfsync losing data on reboot?

2019-01-31 Thread Harald Dunkel
Hi folks,

I have a question about pfsync protocol in a master-backup firewall
configuration (OpenBSD 6.3 and 6.4):

If I reboot (let's say) the backup host, will it receive the whole
set of state information again, when it gets back online?

Hopefully I am not too blind to see, but pfsync(4) doesn't tell.


Every helpful comment is highly appreciated.
Harri



Re: 6.3 just died (not for the first time)

2018-05-22 Thread Harald Dunkel

Hi Peter,

please check the threads on the b...@openbsd.org mailing list. The patch
posted by Martin Pieuchot seems to help. It's running on my hosts for
5 days without any hiccup.


Hope this helps
Harri



6.3 just died (not for the first time)

2018-05-15 Thread Harald Dunkel

Hi folks,

6.3 just died. Last words:

login: kernel: protection fault trap, code=0
Stopped at  export_sa+0x5c: movl0(%rcx),%ecx
ddb{0}> show panic
the kernel did not panic
ddb{0}> trace
export_sa(10,800033445e70) at export_sa+0x5c
pfkeyv2_expire(813d4c00,813d4c00) at pfkeyv2_expire+0x14e
tdb_timeout(800033446020) at tdb_timeout+0x39
softclock_thread(0) at softclock_thread+0xc6
end trace frame: 0x0, count: -4
ddb{0}> show registers
rdi   0x800033445e98
rsi   0x813d4c00
rbp   0x800033445e70
rbx   0x800033445e98
rdx   0x81abdff0cpu_info_full_primary+0x1ff0
rcx   0xdeadbeefdeadbeef
rax   0x81387510
r8 0x120
r90x81aa58d8netlock
r10   0x
r11   0x800033445ea0
r12   0x81387500
r13  0x3
r14   0x813d4c00
r15 0x90
rip   0x8121fefcexport_sa+0x5c
cs   0x8
rflags   0x10282__ALIGN_SIZE+0xf282
rsp   0x800033445e70
ss  0x10
export_sa+0x5c: movl0(%rcx),%ecx
ddb{0}> ps
   PID TID   PPIDUID  S   FLAGS  WAIT  COMMAND
 74371   82200  1  0  30x82  ttyopngetty
 64133  371566  1  0  30x100083  ttyin getty
 73177  400616  1  0  30x100083  ttyin getty
  2198  160363  1  0  30x100083  ttyin getty
 66943   62449  1  0  30x100083  ttyin getty
 77195  409193  1  0  30x100083  ttyin getty
 30152   89639  1  0  30x100083  ttyin getty
 54326   20290  1  0  30x100098  poll  cron
 813086330  1  0  30x80  kqreadapmd
 21604  251912  61088 74  30x100092  bpf   pflogd
 61088  386173  1  0  30x80  netio pflogd
 38994  395332  22137623  30x90  nanosleep zabbix_agentd
 92334  256603  22137623  30x90  selectzabbix_agentd
  5776  303931  22137623  30x90  netconzabbix_agentd
 71818  109922  22137623  30x90  selectzabbix_agentd
 28432  430198  22137623  30x90  nanosleep zabbix_agentd
 55014  131036  54187 74  30x100092  bpf   pflogd
 54187  404660  1  0  30x80  netio pflogd
 32954  132161  74424 74  30x100092  bpf   pflogd
 74424   72323  1  0  30x80  netio pflogd
 22137  193504  1623  30x90  wait  zabbix_agentd
 230166037  1  0  30x80  poll  openvpn
 27849  148250  1  0  30x80  poll  openvpn
 78572  192037  1  0  30x80  poll  openvpn
 83974  209100  1  0  30x80  poll  openvpn
  1297  379204  1 99  30x100090  poll  sndiod
 72635   52767  1110  30x100090  poll  sndiod
 59204  423537  1 62  30x100090  bpf   spamlogd
 51694  290283  46867 62  30x100090  piperdspamd
 76899  369277  46867 62  30x100090  poll  spamd
 46867   52758  1 62  30x100090  nanosleep spamd
 51631   64028  1109  30x90  kqreadftp-proxy
 74489  238300  13002 95  30x100092  kqreadsmtpd
 69227  383337  13002103  30x100092  kqreadsmtpd
 95912  255952  13002 95  30x100092  kqreadsmtpd
 52092  398675  13002 95  30x100092  kqreadsmtpd
 15268  264170  13002 95  30x100092  kqreadsmtpd
 23823   51587  13002 95  30x100092  kqreadsmtpd
 13002  289905  1  0  30x100080  kqreadsmtpd
 39875  399764  1  0  30x80  selectsshd
 84492   73143  16575 68  70x90sasyncd
 16575  267935  1  0  30x80  selectsasyncd
  5600  244082  24905 68  70x10isakmpd
 24905  484997  1  0  30x80  netio isakmpd
 15412  155977  1  0  30x100080  poll  ntpd
 71665   62722  35888 83  30x100092  poll  ntpd
 35888  382324  1 83  30x100092  poll  ntpd
 79699  454922  42559 74  30x100092  bpf   pflogd
 42559  472293  1  0  30x80  netio pflogd
 90864  469513  67456 73  30x100090  kqreadsyslogd
 67456  146341  1  0  30x100082  netio syslogd
 54377  194590  79772115  30x100092  kqreadslaacd
 81742  432607  79772115  30x100092  kqreadslaacd
 79772  398085  1  0  30x80  kqread

netstat: IPv6 addresses are cut off

2018-05-14 Thread Harald Dunkel

Hi folks,

netstat cuts off the IPv6 addresses. Sample:

# netstat -f inet6 -ln | cat
Active Internet connections (only servers)
Proto   Recv-Q Send-Q  Local Address  Foreign Address(state)
tcp6 0  0  2001:db8:30:7e::.25*.*LISTEN
tcp6 0  0  2001:db8:13b0:ff.25*.*LISTEN
tcp6 0  0  fe80::fd10:ed0b:.25*.*LISTEN
tcp6 0  0  2001:db8:13b0:ff.25*.*LISTEN
tcp6 0  0  fe80::6b40:ec1:6.25*.*LISTEN
tcp6 0  0  2001:db8:30:7a::.25*.*LISTEN
tcp6 0  0  fe80::b6dc:f912:.25*.*LISTEN
tcp6 0  0  2001:db8:30:7d::.25*.*LISTEN
tcp6 0  0  fe80::26a:cab5:9.25*.*LISTEN
tcp6 0  0  fe80::bce1:3eb3:.25*.*LISTEN
tcp6 0  0  2001:db8:30:60::.25*.*LISTEN
tcp6 0  0  fe80::3d13:32fb:.25*.*LISTEN
tcp6 0  0  2001:db8:30:7a::.25*.*LISTEN
tcp6 0  0  fe80::f5c5:bc1e:.25*.*LISTEN
tcp6 0  0  2001:db8:30:7d::.25*.*LISTEN
tcp6 0  0  2001:db8:30:7e::.25*.*LISTEN
tcp6 0  0  2001:db8:30:60::.25*.*LISTEN
tcp6 0  0  fe80::8e60:fc3b:.25*.*LISTEN
tcp6 0  0  fe80::1%lo0.25 *.*LISTEN
tcp6 0  0  ::1.25 *.*LISTEN
tcp6 0  0  *.1023 *.*LISTEN
Active Internet connections (only servers)
Proto   Recv-Q Send-Q  Local Address  Foreign Address(state)
udp6 0  0  2001:db8:13b0:ff.1194  *.*
udp6 0  0  *.**.*
udp6 0  0  *.**.*
udp6 0  0  2001:db8:13b0:ff.443   *.*
Active Internet connections (only servers)
Proto   Recv-Q Send-Q  Local Address  Foreign Address(state)
ip6  0  0  *.**.*58


You can imagine that remote addresses are cut off in a similar way,
making the tool pretty useless for IPv6.

Of course I get the same problem if stdout is bound to a 300 column
terminal.

Do you think this could be improved? Linux' netstat supports an
option "--wide", for example. A custom output format might be
helpful, too.


Regards
Harri



packet filter: table of tables ?

2018-05-13 Thread Harald Dunkel
Hi folks,

how can I combine tables into large tables, instead of using inefficient
variables? AFAIU I can modify tables using the pfctl command line, but
something like this in pf.conf would be nice

table const persist { 172.12.127.0/24 172.12.124.0/24 
172.12.120.0/24 2001:db8:2::/64 }
table{ internal:network  }

Every helpful comment is highly appreciated
Harri
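pf.conf has no syntax for referencing one table from another, which is what the post above is asking for; the usual workaround is to keep each address list in its own file, merge the files, and load the result into a single table with `pfctl -t <name> -T replace -f <file>` (the `-t`, `-T replace` and `-f` options are documented in pfctl(8)). The script below is an added example, not code from the post or from OpenBSD: it merges several table files, de-duplicates them, and validates every entry with Python's ipaddress module so that a typo, a network with host bits set, or an unexpected hostname is reported for review before anything reaches the firewall. The file labels and address lists are constructed for the example (the 172.12.x.x and 2001:db8:2::/64 networks are the ones from the post); the loading command is only shown in the docstring and is not run.

```python
"""Merge pf(4) address-list files into one table file, validating entries.

Added example, not from the mailing-list post or from OpenBSD. Intended use
after merging (command from pfctl(8), not executed here):

    pfctl -t combined -T replace -f /etc/pf/combined
"""
import ipaddress
import sys
from typing import Dict, Iterable, Iterator, List, Tuple

Problem = Tuple[str, str, str]  # (source label, offending entry, reason)


def parse_table_lines(lines: Iterable[str]) -> Iterator[str]:
    """Yield raw entries from pf table-file syntax.

    Table files allow '#' comments, blank lines, several entries per line
    and a leading '!' marking a negated entry.
    """
    for raw in lines:
        text = raw.split("#", 1)[0]
        for token in text.split():
            yield token


def merge_tables(sources: Dict[str, str]) -> Tuple[List[str], List[Problem]]:
    """Return (sorted, de-duplicated entries, problems found).

    `sources` maps a label (e.g. a file name) to the file's text. Entries are
    normalised to canonical CIDR form ("192.0.2.5" becomes "192.0.2.5/32").
    strict=True rejects prefixes with host bits set, e.g. "10.0.0.1/24", since
    it is ambiguous whether the host or the network was meant. Hostnames are
    rejected too: pf resolves them only at load time, so the addresses they
    stand for can change silently; they should be reviewed, not merged.
    """
    good: Dict[str, None] = {}
    problems: List[Problem] = []
    for label, content in sources.items():
        for token in parse_table_lines(content.splitlines()):
            negate = token.startswith("!")
            addr = token[1:] if negate else token
            try:
                net = ipaddress.ip_network(addr, strict=True)
            except ValueError as err:
                problems.append((label, token, str(err)))
                continue
            good[("!" if negate else "") + net.with_prefixlen] = None
    return sorted(good), problems


def render_table(entries: Iterable[str]) -> str:
    """Render entries one per line, with a header comment, for pfctl -f."""
    body = "\n".join(entries)
    return "# generated by merge_tables; do not edit by hand\n" + body + "\n"


# Constructed sample input (labels and addresses are made up for the example).
CONSTRUCTED_SOURCES = {
    "corp_nets": (
        "# corporate networks\n"
        "172.12.127.0/24 172.12.124.0/24\n"
        "172.12.120.0/24\n"
        "2001:db8:2::/64\n"
    ),
    "partner_nets": (
        "172.12.124.0/24   # duplicate of a corp net, merged away\n"
        "!172.12.124.99    # negated host entry\n"
        "10.0.0.1/24       # host bits set: flagged\n"
        "vpn.example.test  # hostname: flagged\n"
    ),
}


if __name__ == "__main__":
    entries, found = merge_tables(CONSTRUCTED_SOURCES)
    for label, entry, reason in found:
        print(f"{label}: rejected {entry!r}: {reason}", file=sys.stderr)
    sys.stdout.write(render_table(entries))
    # A non-zero exit lets a cron job or rc script refuse to load the table
    # when any source file contained an entry that needs a human look.
    sys.exit(1 if found else 0)
```

Run it with the constructed input and it prints a loadable table of five entries on stdout and two rejections on stderr, exiting non-zero; in practice the source dictionary would be filled from files under /etc/pf and the output written to the path given to `pfctl -T replace -f`.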


