gmane.os.openbsd.misc

Re: Policy Based Routing/pfctl help

Stuart Henderson — 2013-05-21T22:31:46

For states created by outgoing traffic, you're looking for "route-to".
You may also need "reply-to" if you have incoming traffic to that address
where replies should also be forced via that path.

e.g.

pass in from <network-X> route-to 10.1.1.1< at >vlan9

OpenBSD doesn't have the "pfctl -m" syntax you mention, but looking at
Apple's manpage I don't think it does what you expect. It looks like it
is meant for merging "set" options, but it doesn't say what effect
it has on the ruleset; for all I can tell it might well replace the
whole ruleset with the single rule you're piping to it. Probably
better to write the ruleset in a pf.conf file and load that.
Unlike ipfw, PF normally treats the whole ruleset as a unit and
switches to a new ruleset atomically, if you want something other
than this (e.g. on-the-fly replacing of certain rules under script
control) you would normally use an "anchor" so that other rules can
be left alone.

Re: ospfd loopback advertisment failure (adjacency fail?)

Claudio Jeker — 2013-05-21T21:23:55

I found some issues with the diff but I hope to be able to sit down
somewhen and fix those problems I identified. The cisco I tested against
seems to behave not like a rfc point-to-point interface (some messages I
expected to be sent to the multicast address where unicast, etc.)

I would be interested in some tcpdumps of extreme doing ospf to see if
they behave the same.

Re: ospfd loopback advertisment failure (adjacency fail?)

Hrvoje Popovski — 2013-05-21T21:00:03

Hi,

sorry for delay, we are in the middle of the network migration from
cisco to extreme and i thought when everything calms down to test it
with cisco and extreme equipment. I'm planning to test it next week.

Re: a sftp user can enter into a directory which he does not have rights

Jiri B — 2013-05-21T20:23:00

Ah... this was forgotten for mpd, anyway this is not the case, see
with 700 mode. Is sftp just pretending to enter that directory?

sftp> cd /
sftp> ls -l
drwxr-xr-x    2 0        0             512 May 21 18:43 dev
drwx------   12 1000     1000          512 May 21 18:32 jirib
drwxr-xr-x   10 1000     1000          512 May 21 18:32 pub
sftp> cd jirib
sftp> ls -al
remote readdir("/jirib"): Permission denied

vs

$ id
uid=1000(jirib) gid=1000(jirib) groups=1000(jirib), 0(wheel), 5(operator), 9(wsrc)
$ cd /home/toruser
ksh: cd: /home/toruser - Permission denied
$ ls -ld /home/toruser
drwx------  18 toruser  toruser  1024 May 21 20:00 /home/toruser/

j.

Re: a sftp user can enter into a directory which he does not have rights

Eugene Yunak — 2013-05-21T20:09:42

You should (re)read your unix manuals. Execution permission on a directory
means it can be traversed. What you observe is the correct behaviour for
any system with POSIX file permissions.

Re: a sftp user can enter into a directory which he does not have rights

Philip Guenther — 2013-05-21T19:59:55

Reeeeeally.

$ ls -l
total 8
drwx-----x  2 2000      2000   512 May 21 12:57 foo
$ id
uid=1000(guenther) gid=1000(guenther) groups=1000(guenther), 0(wheel)
$ cd foo
$ ls -l
ls: .: Permission denied
$


Executable by processes that have neither uid 1000 or gid 1000.
What's the problem?


Philip Guenther

a sftp user can enter into a directory which he does not have rights

Jiri B — 2013-05-21T19:52:49

I'm very surprised to see something like this. Comparing with
normal unix filesystem, 'sftpuser' would not even enter such
directory. Is this OK?

* sftpuser has only group 'sftpuser'

$ sftp sftpuser< at >localhost 
Connected to localhost.
sftp> cd /
sftp> ls -l
drwxr-xr-x    2 0        0             512 May 21 18:43 dev
drwx-----x   12 1000     1000          512 May 21 18:32 jirib
drwxr-xr-x   10 1000     1000          512 May 21 18:32 pub
sftp> cd jirib
sftp> pwd
Remote working directory: /jirib
sftp> ls -al
remote readdir("/jirib"): Permission denied

j.

Re: HD4000 problems

Jean Lucas — 2013-05-21T18:08:26

Well sending an archive to misc is just silly... http://filebin.ca/htF9pCQ6fHD/yoga.tgz

Jean Lucas <horsefish< at >lavabit.com> wrote:

Policy Based Routing/pfctl help

Aaron Dewell — 2013-05-21T17:58:14

Hey all,

I know this is slightly off-topic on this list, I'm hoping the OpenBSD answer will be "close enough" to the MacOS X (10.8) answer that I'll get what I need done.  I have gotten zero replies from the Apple communities, so I'm asking here.  That said, here's what I'm trying to accomplish.

This server has 5 VLAN tagged interfaces (already set up and reachable).
First one holds the default route (used for administration).
Ostinato (traffic generator) is installed.
The other 4 VLAN interfaces are to be used for traffic generation/receiving.

What I want is for traffic sourced (via Ostinato) from a particular IP address to be sent via it's own VLAN interface to it's own router.  I have accomplished this on Linux (the far end of this test) using:

ip route add default via <gateway-X> dev ethX table X
ip rule add from <network-X> table X priority X

Research online suggests that this used to work before ipfw was deprecated:

ipfw add X fwd <gateway-X> ip from <IP-address-X> to any

(I did try this, and nothing actually happened.)

Further searching led me to this as the possible OpenBSD answer:

route -T X add 0.0.0.0/0 -iface <gateway-X>
echo pass in from <network-X> to 0.0.0.0/0 rtable X | pfctl -mf -

However, this particular version of the OS does not support the -T option to route, so I presume that multiple tables are not supported.  However, that step may be not needed.

Reading the pfctl man page made my brain hurt.  :-)  It seems a very functional utility and able to do many, many things, but it's so far away from things I have used in the past (mostly Linux) that the learning curve seems steep.

I'm thinking maybe the extra routing table is not strictly necessary in this application, and that pfctl (which in this case is directly from OpenBSD) might be able to do exactly what I want it to do by itself.  To that end, I'm hoping someone could give me some hints on the syntax I need to feed it to make this work.

Thanks in advance!  I appreciate any and all suggestions.

Aaron

Re: how long should CD orders take?

Salim Shaw — 2013-05-21T17:55:00

The OpenBSD project is severely under staffed in terms of shipping 
merchandise. You're not the only one waiting on purchased items. I 
humbly suggest being patient as the group is trying to address large 
quantities of orders and not enough help. The is the case at least with 
the Calgary, Canada location.

I'm waiting on an order to be filled also, from almost a month ago. So 
we have to be a little more patient than normal.


On 05/21/2013 01:34 PM, Peter J. Philipp wrote:

Re: how long should CD orders take?

mxb — 2013-05-21T17:52:01

Try openbsdeurope.com next time. I already got mine. Last week.

//mxb

On 21 maj 2013, at 19:26, Peter J. Philipp <pjp< at >centroid.eu> wrote:

HD4000 problems

Jean Lucas — 2013-05-21T17:47:33

I've an (Intel) HD4000 and from the point that inteldrm was added to current, X freezes on launch, and have to SSH in to reboot nicely. Read a post with a similar problem; reducing video memory to <128 MB was the trick to have X start on current.

I'm running yesterdays (20th May) -current, on a Lenovo Yoga 13, and there is no option for video memory in the BIOS. For 5.3 release however, X starts when I disable DPTF ( Intel dynamic platform & thermal framework). 5.2 release worked fine with this enabled.

Question: is there a kernel option to reduce video memory used by the OS to see if the workaround is valid?

Back to the point, X -configure returns a Segmentation fault 0x28, and when just running startx, Xorg.0.log reveals Output LVDS1 has no monitor section. (Note: 5.2 & 5.3 release returned same segfault, though X worked flawlessly with startx)

A few snapshots back, X would start after booting single-user and rebooting, though failure-success rate was around 4:1. When it would start, running xbacklight would freeze X again. Also idling too long would cause X to freeze.

Files attached: X -configure and startx logs, and pcidump

Best,
Jean

[demime 1.01d removed an attachment of type application/x-gtar which had a name of yoga.tgz]

Re: how long should CD orders take?

Peter J. Philipp — 2013-05-21T17:34:28

I just mailed them before this.  Since it's 7:30PM I think they won't 
reply until tomorrow morning.

-peter

Re: how long should CD orders take?

noah pugsley — 2013-05-21T17:31:55

What does the bookstore say the problem is?

how long should CD orders take?

Peter J. Philipp — 2013-05-21T17:26:11

I ordered my CD through a german bookstore that is listed at 
www.openbsd.org/orders.html.  Only it's now the 21st of May and my 
computers have all been upgraded via FTP around the 1st of May.  And I 
still have no CD (and no stickers).

Last year they were slow as well, which leads me to believe that the 
store is sloppy in its orders.  Can someone confirm that the CD's have 
all been sent out from Calgary?  It's really a shame that I must use 
resources of OpenBSD when not needed, my order went in around the end of 
March 2013 and there was lots of time to deliver this as a pre-order.

-peter

Re: smtpd setup

Scott — 2013-05-21T16:20:46

Thanks for chiming in Gilles.

It's ironic that because of trying to minimize noise to the list, I create
more. The rest of the conf is at the beginning of the thread, but I'll be
sure to include entire outputs in the future; sorry.

Anyway, it wasn't my conf. Your comment about my MX question got me
searching, and I found that my secrets file wanted google's
application-specific password (your choice of wording is what triggered the
thought).

Thanks for the help.

-Scott

On May 21, 2013 12:30 AM, "Gilles Chehade" <gilles< at >poolp.org> wrote:
could be
I've
manpage

Re: openospfd vs bird vs quagga etc on OpenBSD for OSPF interoperating with IOS XE (v4 & v6)

Gregory Edigarov — 2013-05-21T09:42:11

I've used it some time ago for ospf, because of interface wildcarding.

OT: trying to install vortex-idx in OpenBSD 5.3

C. L. Martinez — 2013-05-21T07:53:33

Hi all,

 I am trying to compile vortex-ids
(http://sourceforge.net/projects/vortex-ids/?source=directory) under
OpenBSD 5.3, but this error is returned:

vortex.c: In function 'errors_thread':
vortex.c:686: error: '__NR_gettid' undeclared (first use in this function)
vortex.c:686: error: (Each undeclared identifier is reported only once
vortex.c:686: error: for each function it appears in.)
vortex.c:693: error: 'cpu_set_t' undeclared (first use in this function)
vortex.c:693: error: expected ';' before 'csmask'
vortex.c:694: error: 'csmask' undeclared (first use in this function)
vortex.c: In function 'stats_thread':
vortex.c:768: error: '__NR_gettid' undeclared (first use in this function)
vortex.c:776: error: 'cpu_set_t' undeclared (first use in this function)
vortex.c:776: error: expected ';' before 'csmask'
vortex.c:777: error: 'csmask' undeclared (first use in this function)
vortex.c: In function 'conn_writer':
vortex.c:950: error: '__NR_gettid' undeclared (first use in this function)
vortex.c:958: error: 'cpu_set_t' undeclared (first use in this function)
vortex.c:958: error: expected ';' before 'csmask'
vortex.c:959: error: 'csmask' undeclared (first use in this function)
vortex.c: In function 'main':
vortex.c:1917: error: '__NR_gettid' undeclared (first use in this function)
vortex.c:1925: error: 'cpu_set_t' undeclared (first use in this function)
vortex.c:1925: error: expected ';' before 'csmask'
vortex.c:1926: error: 'csmask' undeclared (first use in this function)

I have installed libnet-1.1.2.1p0, glib2-2.34.3 and libnids-1.24 packages.

Compile options are:

gcc -I/usr/local/include -I/data/soft/libpcap/include -L/usr/local/lib
-L/data/soft/libpcap/lib -O3 vortex.c -o vortex -lnids -lnet
-lgthread-2.0 -lpcap

I have tried with this modified version also:

https://github.com/ckane/vortex-dev

 ... but without luck.

Any idea??

Re: smtpd setup

Gilles Chehade — 2013-05-21T07:30:16

Hi,

On Mon, May 20, 2013 at 03:49:20PM -0700, Scott wrote:

You really need to show more than just one line of configuration.
OpenSMTPD uses a first-match approach, if any rule better describes the
envelope before the rule you're showing, then we will not be able to
understand the issue.

Also, "No MX could be reached" means that no MX willing to accept the
envelope could be reached. That can mean you have invalid credentials
and that none of the MX you contacted have accepted to establish a
session with you.

Re: smtpd setup

Scott — 2013-05-20T22:49:20

To relay to gmail, I added the following to smtpd.conf:
table secrets db:/etc/mail/secrets.db
accept for any relay via tls+auth://gmail1<at>smtp.gmail.com:587 \
  auth <secrets>

And created secrets and ran makemap. secrets contains:
gmail1 userid<at>gmail.com:mypassword

These settings are grammatically identical to what's in man smtpd.conf.

test email to userid<at>gmail.com gets hung in the queue. mailq results:

c7940bdbb495c038|local|mta|auth|scott<at>foo.bar.org|userid<at>gmail.com
|userid<at>gmail.com|1368880609|1369226209|0|22|pending|7232|No MX could be
reached

Google's MX record? That would indicate I goofed the URL I think; but I've
checked it a million times (I get a bit neurotic when these simplistic
things don't work and replace strings with identical strings from a manpage
or search result just to make sure I'm not being dyslexic).

What's wrong with my configs?

-Scott

Re: Porting RTL8723AU

Stuart Henderson — 2013-05-20T21:57:04

you clearly haven't read realtek's typical driver code ;)