edward wandasiewicz | 9 Oct 22:14 2015

Boot on a device with only one video mode 1280 x 850 x 16

Is it possible to boot OpenBSD on a device which only has one video
mode available through the BIOS?

At present, we boot in text mode via vga(4) and wscons(4).

If we have a machine compatible with inteldrm(4), it attaches, and the
dmesg output is then set to the highest resolution.

Is it possible to boot with no dmesg output during the VGA text mode,
but then once we attach to inteldrm(4), as if by magic, we get the
dmesg output and can log in?

At present, with only one video mode on an inteldrm(4) compatible
machine, the kernel boots, and then hangs / freezes.
Basically, no dmesg output. Just sits there...

Is it possible to say, okay, we have a resolution that's not
compatible for VGA console text mode, but if we can attach to
inteldrm(4) successfully, we can continue with booting?

Or is it a case of a bad BIOS design in the first place, and it would
be a case of making bad coding practice following someone else's bad
coding practice, which is a mess.

The machine in question is a Google Chromebook Pixel 2, which only has
one video resolution available of 1280 x 850 x 16 in the BIOS. It has
a Broadwell i7 processor.

vbeinfo command in Grub2 lists just one value of 1280 x 850 x 16.


Martín Ferco | 9 Oct 17:04 2015

Private cloud hosting recommendations

Hi misc,

I'm looking for alternatives to host our OpenBSD web frontends off-site. Up
until now we've been using AWS for contingency, but as you may well know,
they only support Linux and Windows instances. We already have a couple of
OpenBSD frontends on-site, and getting all our frontends to be OpenBSD
would be ideal (instead of using Linux as contingency in AWS).

So I'm trying to find similar solutions to AWS, but with OpenBSD
capabilities. So far the only I've found is rootbsd. I've looked at
arpnetworks but they don't seem to offer private cloud hosting from what
I've seen.

Another important thing for us is to have a private network that we can
connect to our main site and AWS using a VPN. rootbsd does seem to offer
this as well.

Ideally, I'd like something that runs an ESXi Hypervisor, which is what
we've been using on-site with good results. rootbsd seems to offer a mix of
Xen and KVM, but I don't have experience with those. KVM seems to work fine
with OpenBSD from what I've read though.

Do you know or can recommend other private cloud providers? rootbsd does
seem to offer everything we need, but I'm a bit concerned about them
being, probably, a small sized company. I know they won't be AWS, but it
would be reassuring if someone commented on them, especially if they have
experience running a private cloud with them. I started to look at VMware
vcloud air, but haven't heard from him yet, and was starting to take a look
at virtustream -- they seem to offer ESXi hypervisors as well as VMware
vcloud air.

Kapetanakis Giannis | 9 Oct 13:41 2015

pf table counters


Is there a problem with table counters and NAT? I don't have any 
counters at all.

I have a table <nat_users> which has counters enabled
# pfctl -sT -v|grep nat_users
--a-r-C nat_users

I also have pf rules that reference this table.

@100 pass out quick on vlan123 inet proto tcp from <nat_users:4> port > 
1023 to ! <nat_exclude:5> port > 1023 flags S/SA nat-to xx.xx.xx.xx/29 
source-hash 0xkey

I also have states created from this rule

#pfctl -ss -vv|grep "rule 100"
    age 04:00:49, expires in 23:59:43, 1150:1431 pkts, 163312:103039 
bytes, rule 100
    age 04:00:35, expires in 23:53:03, 60:35 pkts, 3266:1980 bytes, rule 100
    age 00:06:10, expires in 00:10:00, 15:1 pkts, 4544:60 bytes, rule 100

However I don't have counters on the table's entries.

# pfctl -t nat_users -vTshow
         Cleared:     Thu Sep 24 14:13:08 2015

Holger Glaess | 9 Oct 06:22 2015

kernel panic


What more information do you need?


Stopped at      0:ehci0: unrecoverable error, controller halted
panic: kernel diagnostic assertion "ci->ci_fpcurproc == p" failed: file 
"../../../../arch/i386/isa/npx.c", line 881
       Stopped at      Debugger+0x7:   leave
Debugger(d09fe02c,f51cfdd4,d09d8f30,f51cfdd4,d709bfc8) at Debugger+0x7
panic(d09d8f30,d0957746,d0b0522f,d0b0532c,371) at panic+0x71
__assert(d0957746,d0b0532c,371,d0b0522f,d0bbb160) at __assert+0x2e
npxsave_proc(d7216744,0,f51cfe58,d03b9029,40) at npxsave_proc+0x5a
cpu_exit(d7216744,d7215000,d709b00c,0,1) at cpu_exit+0x2a
exit1(d7216744,4,1,d03b3844,40,4,1,0) at exit1+0x22c
sigexit(d7216744,4,0,0,21fc000) at sigexit+0x76
postsig(4,0,808f05d0,63,21de800) at postsig+0x28a
userret(d7216744) at userret+0x49
alltraps(ffffffff,ffffffff,ffffffff,ffffffff,ffffffff) at alltraps+0x2e
uvm_fault(0xd0bbb0a0, 0xd000, 0, 1) -> e
kernel: page fault trap, code=0
Stopped at      trap+0x18:      movl    0x2c(%esi),%edi
trap() at trap+0x18
--- trap (number 32) ---
http://www.openbsd.org/ddb.html describes the minimum info required in bug
reports.  Insufficient info makes it difficult to find and fix bugs.

Markus Rosjat | 8 Oct 11:06 2015

verification spamd and traffic

Hi there,

I have a spamd running in greylisting mode and maintain my own blacklist 
that I update manually. So far so good. Yesterday I just did a quite 
radical adding to my blacklist :) and I noticed my outgoing traffic 
jumped from around 500mb per day to 3,2gb per day. I checked the traffic 
with tcpdump and there was no strange traffic going on, just my mail ports 
and the 25 for the spamd. So my question is, could the radical adding of 
IPs cause this (and yeah, it's a lot because I added some ranges)?  As far 
as I understand it, when some IP is on a blacklist it gets redirected to 
spamd right away by pf and then I get some traffic going on. If an IP is 
not on the blacklist and not known, greylisting jumps in and sends the 
server away to come back later to decide if it goes through or on the 
blacklist. So by adding a lot of possible spammers to a blacklist in the 
first place I generate traffic with them.

Could someone confirm this ?



Markus Rosjat    fon: +49 351 8107223    mail: rosjat <at> ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

fon: +49 351 8107220   fax: +49 351 8107227


Christer Solskogen | 8 Oct 10:36 2015

match rules and priorities


I'm having a bit of trouble understanding match rules and priorities. I
have a lot of traffic on other ports than http and https, but I want
to have top priority on them instead of the others.

So I have these rules:
match proto tcp to port { ftp, http, https, 3129 } set prio 7
match proto tcp from port { ftp, http, https, 3129 } set prio 7

Do I need them both? And where in pf.conf should they be? I've tried
having them on top, and on bottom, but still I get very low speeds for
downloads on http.

OpenBSD 5.8-current (GENERIC.MP) #1419: Sun Oct  4 12:28:54 MDT 2015



Hrvoje Popovski | 8 Oct 01:20 2015

unlocking em - unable to fill any rx descriptors

Hi all,

i have a fairly simple setup with receiver connected to em2 and sender
connected to em3. Both em are Intel I350. Setup is without pf with these


with if_em.c revisions 1.307 and 1.306 i can trigger
em2: unable to fill any rx descriptors
when doing ifconfig em2 down/up (receiver side) while generating
traffic. i can't trigger this with ifconfig em3 down/up (sender side) or
destroying bridge and enabling it. this is reproducible.

with bridged setup when doing ifconfig em2 down/up i'm getting rx
descriptors log and bridge stops bridging traffic until doing this:
stop generating traffic
ifconfig em2 down
ifconfig em3 down
ifconfig bridge0 destroy
ifconfig em2 up
ifconfig em3 up
sh netstart bridge0
start generating traffic

with routed setup when doing ifconfig em2 down/up traffic is not
forwarded until

Scott Vanderbilt | 7 Oct 21:18 2015

httpd syscall 72

Running latest snapshot (amd64), I get a 'syscall 72' message when 
attempting to start httpd, e.g.:

     httpd(10043): syscall 72

I'm pretty sure this started with snapshots after Sept. 27.

Might anyone have an idea where I can start to look for the problem?


# /etc/rc.d/httpd start
# tail /var/log/daemon | grep httpd
Oct  7 12:07:45 aeneas httpd[12798]: startup
Oct  7 12:07:45 aeneas httpd[17646]: server exiting, pid 17646
Oct  7 12:07:45 aeneas httpd[12212]: server exiting, pid 12212
Oct  7 12:07:45 aeneas httpd[10633]: server exiting, pid 10633
Oct  7 12:07:45 aeneas httpd[12798]: parent terminating, pid 12798
# httpd -nvd
configuration OK
# cat /etc/httpd.conf
server "default" {
listen on $ext_ip port 80
#listen on $ext_ip tls port 443

Adam Wolk | 7 Oct 18:53 2015

bgpd not starting since Oct 5 snapshot (tame related?)

Hi misc@,

I noticed that my bgpd is down after the reboot with the following new
messages in dmesg:

bgpd(13184): sysctl 6: 4 17 0 0 3 0
bgpd(13184): syscall 202

The message appears on boot:

starting network daemons: sshd bgpd ssmtpdbgpd(13184): sysctl 6: 4 17 0
0 3 0
bgpd(13184) syscall 202
 httpd sndiod.
starting package daemons: .....

No more appearances after the bootup sequence.

kern.version=OpenBSD 5.8-current (GENERIC) #1332: Mon Oct  5 01:01:28
MDT 2015
deraadt@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC

Previous snapshot I used was from September 24th and I didn't notice
that message. Though I might have missed it since I disabled spamd a
while ago which was the only reason bgpd is running on this host
(synchronizing white-listed hosts).

Though rc.conf.local still contains:


M Wheeler | 7 Oct 16:51 2015

CD's arrived

CD's arrived today UK. Thanks again.

Denis Fondras | 7 Oct 16:16 2015

Bulkget & snmpd


I'm using snmpd from base on 5.8 and while playing with snmpbulkget (from
net-snmp), I noticed a weirdness.

* 'snmpbulkget -v2c -c public iso.' is ok
* 'snmpbulkget -v2c -c public iso.' is ok

By "ok", I mean it returns the correct MIB results. However,

* 'snmpbulkget -v2c -c public iso.
 iso.' is not ok :
 iso. = STRING: "em0"
 iso. = STRING: "OpenBSD test.my.domain 5.8 GENERIC#3 i386"
 iso. = OID: iso.
 iso. = Timeticks: (217) 0:00:02.17
 iso. = STRING: "root@test.my.domain"
 iso. = STRING: "test.my.domain"
 iso. = ""
 iso. = INTEGER: 74
 iso. = Timeticks: (0) 0:00:00.00
 iso. = INTEGER: 1
 iso. = INTEGER: 2

As you can see, only the first sub-OID of iso. is returned.
It seems that the loop surrounding mps_getbulkreq() in snmpe.c is breaking
the return of multiple OIDs but I can't find where exactly lies the bug.
