Saturday, September 21, 2024

Re: Error deleting directory /usr/local/include/qgpgme: Directory not empty

On Sat Sep 21, 2024 at 11:37:38AM GMT, Stuart Henderson wrote:
> Surely those headers should be in the qt subpackage not -main?
>

Yes, it makes sense. New diff:

diff --git a/security/gpgme/Makefile b/security/gpgme/Makefile
index fdb25f89307..cba7d07eb8c 100644
--- a/security/gpgme/Makefile
+++ b/security/gpgme/Makefile
@@ -5,7 +5,7 @@ VERSION = 1.23.2
DISTNAME = gpgme-${VERSION}
PKGNAME-main = gpgme-${VERSION}
PKGNAME-qt = gpgme-qt-${VERSION}
-REVISION = 0
+REVISION = 1

CATEGORIES = security devel

diff --git a/security/gpgme/pkg/PLIST-main b/security/gpgme/pkg/PLIST-main
index 3efc0f5fd05..4398d6f5b0f 100644
--- a/security/gpgme/pkg/PLIST-main
+++ b/security/gpgme/pkg/PLIST-main
@@ -2,9 +2,7 @@
bin/gpgme-config
@bin bin/gpgme-json
@bin bin/gpgme-tool
-include/QGpgME/WKDRefreshJob
include/gpgme.h
-include/qgpgme/wkdrefreshjob.h
@info info/gpgme.info
@static-lib lib/libgpgme.a
lib/libgpgme.la
diff --git a/security/gpgme/pkg/PLIST-qt b/security/gpgme/pkg/PLIST-qt
index 7d638c750ed..d4a8a90793b 100644
--- a/security/gpgme/pkg/PLIST-qt
+++ b/security/gpgme/pkg/PLIST-qt
@@ -1,3 +1,4 @@
+@conflict gpgme-<1.23.2p1
include/QGpgME/
include/QGpgME/AbstractImportJob
include/QGpgME/AddExistingSubkeyJob
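Review bot: the bound in `@conflict gpgme-<1.23.2p1` on the first added line is tied to the `REVISION = 1` bump in the Makefile hunk, so both have to land in the same commit. If the revision is different at commit time, the bound must follow it. Otherwise an installed -main that still ships `include/QGpgME/WKDRefreshJob` and `include/qgpgme/wkdrefreshjob.h` will collide with gpgme-qt on those two paths during an update.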
@@ -47,6 +48,7 @@ include/QGpgME/VerifyDetachedJob
include/QGpgME/VerifyOpaqueJob
include/QGpgME/WKDLookupJob
include/QGpgME/WKDLookupResult
+include/QGpgME/WKDRefreshJob
include/QGpgME/WKSPublishJob
include/gpgme++/
include/gpgme++/configuration.h
@@ -143,6 +145,7 @@ include/qgpgme/verifydetachedjob.h
include/qgpgme/verifyopaquejob.h
include/qgpgme/wkdlookupjob.h
include/qgpgme/wkdlookupresult.h
+include/qgpgme/wkdrefreshjob.h
include/qgpgme/wkspublishjob.h
lib/cmake/Gpgmepp/
lib/cmake/Gpgmepp/GpgmeppConfig.cmake

Re: Error deleting directory /usr/local/include/qgpgme: Directory not empty

(will need @conflicts)

-- 
  Sent from a phone, apologies for poor formatting.


On 21 September 2024 11:37:38 Stuart Henderson <stu@spacehopper.org> wrote:

Surely those headers should be in the qt subpackage not -main?

-- 
  Sent from a phone, apologies for poor formatting.


On 21 September 2024 09:38:56 Rafael Sadowski <rafael@sizeofvoid.org> wrote:

I came across the following message when removing qt6-qtbase
(BTW typing 100 times "y" sucks. Why we have no " -y, --yes"?)

Error deleting directory /usr/local/include/qgpgme: Directory not empty
Error deleting directory /usr/local/include/QGpgME: Directory not empty

I think we need to add the directories into -main or should we remove
them in -qt?

diff --git a/security/gpgme/Makefile b/security/gpgme/Makefile
index fdb25f89307..cba7d07eb8c 100644
--- a/security/gpgme/Makefile
+++ b/security/gpgme/Makefile
@@ -5,7 +5,7 @@ VERSION = 1.23.2
 DISTNAME = gpgme-${VERSION}
 PKGNAME-main = gpgme-${VERSION}
 PKGNAME-qt = gpgme-qt-${VERSION}
-REVISION = 0
+REVISION = 1
 
 CATEGORIES = security devel
 
diff --git a/security/gpgme/pkg/PLIST-main b/security/gpgme/pkg/PLIST-main
index 3efc0f5fd05..ed7bcd69580 100644
--- a/security/gpgme/pkg/PLIST-main
+++ b/security/gpgme/pkg/PLIST-main
@@ -2,8 +2,10 @@
 bin/gpgme-config
 @bin bin/gpgme-json
 @bin bin/gpgme-tool
+include/QGpgME/
 include/QGpgME/WKDRefreshJob
 include/gpgme.h
+include/qgpgme/
 include/qgpgme/wkdrefreshjob.h
 @info info/gpgme.info
 @static-lib lib/libgpgme.a


Re: Error deleting directory /usr/local/include/qgpgme: Directory not empty

Surely those headers should be in the qt subpackage not -main?

-- 
  Sent from a phone, apologies for poor formatting.


On 21 September 2024 09:38:56 Rafael Sadowski <rafael@sizeofvoid.org> wrote:

I came across the following message when removing qt6-qtbase
(BTW typing 100 times "y" sucks. Why we have no " -y, --yes"?)

Error deleting directory /usr/local/include/qgpgme: Directory not empty
Error deleting directory /usr/local/include/QGpgME: Directory not empty

I think we need to add the directories into -main or should we remove
them in -qt?

diff --git a/security/gpgme/Makefile b/security/gpgme/Makefile
index fdb25f89307..cba7d07eb8c 100644
--- a/security/gpgme/Makefile
+++ b/security/gpgme/Makefile
@@ -5,7 +5,7 @@ VERSION = 1.23.2
 DISTNAME = gpgme-${VERSION}
 PKGNAME-main = gpgme-${VERSION}
 PKGNAME-qt = gpgme-qt-${VERSION}
-REVISION = 0
+REVISION = 1
 
 CATEGORIES = security devel
 
diff --git a/security/gpgme/pkg/PLIST-main b/security/gpgme/pkg/PLIST-main
index 3efc0f5fd05..ed7bcd69580 100644
--- a/security/gpgme/pkg/PLIST-main
+++ b/security/gpgme/pkg/PLIST-main
@@ -2,8 +2,10 @@
 bin/gpgme-config
 @bin bin/gpgme-json
 @bin bin/gpgme-tool
+include/QGpgME/
 include/QGpgME/WKDRefreshJob
 include/gpgme.h
+include/qgpgme/
 include/qgpgme/wkdrefreshjob.h
 @info info/gpgme.info
 @static-lib lib/libgpgme.a

Re: Error deleting directory /usr/local/include/qgpgme: Directory not empty

On Sat, 21 Sep 2024 10:38:19 +0200,
Rafael Sadowski <rafael@sizeofvoid.org> wrote:
>
> I came across the following message when removing qt6-qtbase
> (BTW typing 100 times "y" sucks. Why we have no " -y, --yes"?)
>

Why does not

yes | ...

work here?

--
wbr, Kirill

Re: roadmap for more privsep in pkgland

Marc Espie writes:
> Here's the basic pkg_add change, very lightly tested for now.
> Not that many lines, considering :)

The manpage changes make sense to me.

Typo:

> + my $o = $class->new_owned_objet($args);

"pkg_add docbook" (with its @tag libxml2/rebuild) has problems:

Running tags|*************************************************************|100%
Can't exec "CODE(0xb87b7be2958)": No such file or directory at /usr/libdata/perl5/OpenBSD/Log.pm line 107.
system(CODE(0xb87b7be2958), /bin/sh, -c, /usr/local/share/libxml2/rebuild) was not run: No such file or directory exit(0)
Running tags: ok

Error deleting directory /usr/local/include/qgpgme: Directory not empty

I came across the following message when removing qt6-qtbase
(BTW typing 100 times "y" sucks. Why we have no " -y, --yes"?)

Error deleting directory /usr/local/include/qgpgme: Directory not empty
Error deleting directory /usr/local/include/QGpgME: Directory not empty

I think we need to add the directories into -main or should we remove
them in -qt?

diff --git a/security/gpgme/Makefile b/security/gpgme/Makefile
index fdb25f89307..cba7d07eb8c 100644
--- a/security/gpgme/Makefile
+++ b/security/gpgme/Makefile
@@ -5,7 +5,7 @@ VERSION = 1.23.2
DISTNAME = gpgme-${VERSION}
PKGNAME-main = gpgme-${VERSION}
PKGNAME-qt = gpgme-qt-${VERSION}
-REVISION = 0
+REVISION = 1

CATEGORIES = security devel

diff --git a/security/gpgme/pkg/PLIST-main b/security/gpgme/pkg/PLIST-main
index 3efc0f5fd05..ed7bcd69580 100644
--- a/security/gpgme/pkg/PLIST-main
+++ b/security/gpgme/pkg/PLIST-main
@@ -2,8 +2,10 @@
bin/gpgme-config
@bin bin/gpgme-json
@bin bin/gpgme-tool
+include/QGpgME/
include/QGpgME/WKDRefreshJob
include/gpgme.h
+include/qgpgme/
include/qgpgme/wkdrefreshjob.h
@info info/gpgme.info
@static-lib lib/libgpgme.a
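Review bot: the added `include/QGpgME/` and `include/qgpgme/` entries make -main register two directories whose only contents in this hunk are `include/QGpgME/WKDRefreshJob` and `include/qgpgme/wkdrefreshjob.h`, both named after the Qt binding. Rather than giving -main the directories, consider moving those two files into PLIST-qt; since they would then change package, PLIST-qt would need an `@conflict` line against the older -main.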

Re: vxlan(4) Between Three Sites


ah, sorry, i didnt realise you were running VMs and wanted them on the
same network. youll definitely need veb and vport in this situation.

Well, I can't figure out any other use case where vxlan(4) is useful,
other than connecting VMs to the same subnet (e.g. 192.168.3.0/24)
but hosted on different sites (PublicIP1, PublicIP2, ...).

Actually, I use vxlan for another scenario.
I implemented some point-to-point tunnels with vxlan where the
2 endpoints are NATed by the 2 domestic routers. In my case, routers
support NAT only for UDP and TCP, not GRE or any other tunneling
protocol. The normal way in this scenario would be with IKEv2 or wireguard,
but I do it with vxlan only because I don't need encryption on the
p2p tunnels, that should be considered as an exception, not the best practice.
 
> I see that OpenBSD set the same port as the Destination Port,
> that is, 4789 for every outcoming packets.
>
> Do you think it's possible to optimize in this way?

yes, but there are more useful optimisations that are a higher priority
for me to do first. ecmp for vxlan in our stack isnt going to give you a
speed increase today.
 
Ok, I see


Friday, September 20, 2024

Re: pkgconfig errors

On 24/09/20 11:43PM, Jesse Lawton wrote:
> Its *huge*, like 57 mb
> too big haha

pkg-config --debug --cflags fontconfig >pkgconfig.debug.full 2>&1
{ head -n 30 pkgconfig.debug.full
printf "----8< snip >8----\n"
tail -n 30 pkgconfig.debug.full; } >pkgconfig.debug.short

Then attach pkgconfig.debug.short (it should be around 4KB).

Using ffmpeg to record x11 screen & audio

Hi folks,

Attempting to do a screen capture (x11) including audio; say chrome is
playing a video clip and I want to capture a portion of the screen
along with the audio.

Quick search shows following example:

ffmpeg -f x11grab -probesize 32M -thread_queue_size 32 -i :0 \
-f sndio -thread_queue_size 32 -i snd/0 \
-codec:v libx264rgb -crf 0 -preset ultrafast \
-codec:a pcm_s16le \
raw.mkv

Unfortunately, play back of raw.mkv file using ffplay, there is no
audible audio.

Also, this command captures the entire screen. I am only interested in
capturing a portion of the screen, so my modified command is:

ffmpeg -f x11grab -s:0 640x480 -framerate 25 -i :0.0+100+50 -f sndio \
-i snd/0 -crf 0 -preset ultrafast out.mp4

With this, the capture is at offset 100+50 and a size of 640x480.
Still no audio (unsurprisingly).

Can someone give me a hint as to how to get audio to record as well?

Cheers,
--patrick



ffmpeg details while playing raw.mkv
Input #0, matroska,webm, from '/tmp/raw.mkv': 0KB sq= 0B f=0/0
Metadata:
ENCODER : Lavf58.76.100
Duration: 00:00:49.33, start: 0.000000, bitrate: 10079 kb/s
Stream #0:0: Video: h264 (High 4:4:4 Predictive), gbrp(tv, gbr/unknown/unknown
, progressive), 1366x768, 29.25 fps, 29.25 tbr, 1k tbn, 58.50 tbc
(default) Metadata:
ENCODER : Lavc58.134.100 libx264rgb
DURATION : 00:00:49.333000000
Stream #0:1: Audio: pcm_s16le, 48000 Hz, 2 channels, s16, 1536 kb/s (default)
Metadata:
ENCODER : Lavc58.134.100 pcm_s16le
DURATION : 00:00:48.981000000
29.27 A-V: -0.122 fd= 11 aq= 763KB vq= 5676KB sq= 0B f=0/0

Re: vxlan(4) Between Three Sites

On Fri, Sep 20, 2024 at 09:27:03AM +0200, Luca Di Gregorio wrote:
> It seems it's not working for me.
>
> I got rid of veb3 and vport3
> I added the ip address to vxlan3
>
> # ifconfig vxlan3
> vxlan3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1450
> lladdr fe:e1:ba:d1:2b:00
> index 6 llprio 3
> encap: vnetid 13133 parent gif0 txprio 0 rxprio outer
> groups: vxlan
> tunnel: inet PublicIP:4789 --> 239.13.13.3 ttl 255 nodf
> Addresses (max cache: 100, timeout: 240):
> inet 192.168.3.11 netmask 0xffffff00 broadcast 192.168.3.255
>
> I modified /etc/vm.conf in this way, setting vxlan3 as "my_switch":
> # cat /etc/vm.conf
>
> switch "my_switch" {
> # interface veb3
> interface vxlan3
> }
>
> vm "vm11_1" {
> memory 1024M
> disable
> disk /home/vms/vm11_1.qcow2
> interface { switch "my_switch" }
> boot device disk
> }
>
> I see:
> # vmd -n
> vmd: /etc/vm.conf:5: invalid switch interface: vxlan3
ah, sorry, i didnt realise you were running VMs and wanted them on the
same network. youll definitely need veb and vport in this situation.

>
>
> You mentioned that you modified VXLAN interface.
> I think that it could be optimized even better.
> RFC7348 says (Linux does this way):
> - Source Port: It is recommended that the UDP source port number
> be calculated using a hash of fields from the inner packet --
> one example being a hash of the inner Ethernet frame's headers.
> This is to enable a level of entropy for the ECMP/load-
> balancing of the VM-to-VM traffic across the VXLAN overlay.
> When calculating the UDP source port number in this manner, it
> is RECOMMENDED that the value be in the dynamic/private port
> range 49152-65535 [RFC6335].
>
> I see that OpenBSD set the same port as the Destination Port,
> that is, 4789 for every outcoming packets.
>
> Do you think it's possible to optimize in this way?

yes, but there are more useful optimisations that are a higher priority
for me to do first. ecmp for vxlan in our stack isnt going to give you a
speed increase today.

>
>
> On Fri 20 Sep 2024 at 03:32, David Gwynne <david@gwynne.id.au>
> wrote:
>
> > On Thu, Sep 19, 2024 at 10:05:37PM +0200, Luca Di Gregorio wrote:
> > > PublicIP1
> > > -----------
> > > # cat /etc/hostname.vxlan3
> > > tunnel PublicIP1:4789 239.13.13.3
> > > parent gif0
> > > vnetid 13133
> > > tunnelttl 255
> > > mtu 1450
> > > up
> > >
> > > # cat /etc/hostname.gif0
> > > mtu 1480
> > > 10.13.11.2 10.13.11.1 netmask 255.255.255.252
> > > tunnel PublicIP1 PublicIP3
> > > up
> > >
> > > # cat /etc/hostname.vport3
> > > mtu 1450
> > > inet 192.168.3.11 0xffffff00
> > > up
> > >
> > > # cat /etc/hostname.veb3
> > > add vxlan3
> > > add vport3
> > > up
> > >
> > >
> > >
> > > PublicIP2
> > > ------------
> > > # cat /etc/hostname.vxlan3
> > > tunnel PublicIP2:4789 239.13.13.3
> > > parent gif1
> > > vnetid 13133
> > > tunnelttl 255
> > > mtu 1450
> > > up
> > >
> > > # cat /etc/hostname.gif1
> > > mtu 1480
> > > 10.13.12.2 10.13.12.1 netmask 0xfffffffc
> > > tunnel PublicIP2 PublicIP3
> > > up
> > >
> > > # cat /etc/hostname.vport3
> > > mtu 1450
> > > inet 192.168.3.12 0xffffff00
> > > up
> > >
> > > # cat /etc/hostname.veb3
> > > add vxlan3
> > > add vport3
> > > up
> >
> > a veb with a single port (vxlan in this case) and a single vport
> > is unnecessary. you can move the IP config to the vxlan interface and get
> > the same functionality without the overhead of having to switch the
> > packets through the veb to the vport.
> >
> > historically a vxlan had to be part of a bridge to support dynamic
> > endpoint learning, but i rewrote vxlan to be able to do that itself.
> >
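
The RFC 7348 source-port recommendation quoted in the message above, worked through as an added example (not part of the thread and not OpenBSD's vxlan(4) code). The function name `vxlan_src_port`, the FNV-1a hash and the sample frames are assumptions made for illustration; the RFC only asks for some hash of inner-frame fields mapped into 49152-65535.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETHER_HDR_LEN   14      /* dst MAC (6) + src MAC (6) + EtherType (2) */
#define PORT_DYN_MIN    49152u  /* start of the dynamic/private range (RFC 6335) */
#define PORT_DYN_COUNT  16384u  /* number of ports in 49152..65535 */

/* 32-bit FNV-1a. Illustrative choice: RFC 7348 does not name a hash. */
static uint32_t
fnv1a32(const uint8_t *p, size_t len)
{
	uint32_t h = 2166136261u;
	size_t i;

	for (i = 0; i < len; i++) {
		h ^= p[i];
		h *= 16777619u;
	}
	return h;
}

/*
 * Hypothetical helper: pick the outer UDP source port for one inner
 * Ethernet frame. Only the inner Ethernet header is hashed, so every
 * frame of a given src/dst/EtherType flow keeps the same port (no
 * reordering inside a flow), while different flows spread over the
 * range and give ECMP something to balance on.
 * Returns 0 when the frame is too short to contain an Ethernet header.
 */
uint16_t
vxlan_src_port(const uint8_t *frame, size_t len)
{
	uint32_t h;

	if (frame == NULL || len < ETHER_HDR_LEN)
		return 0;
	h = fnv1a32(frame, ETHER_HDR_LEN);
	return (uint16_t)(PORT_DYN_MIN + (h % PORT_DYN_COUNT));
}

/* Constructed sample frames (header plus a few payload bytes). */
static const uint8_t flow_a[] = {
	0xfe, 0xe1, 0xba, 0xd1, 0x2b, 0x00,	/* inner dst MAC */
	0xfe, 0xe1, 0xba, 0xd1, 0x2c, 0x01,	/* inner src MAC */
	0x08, 0x00,				/* EtherType IPv4 */
	0x45, 0x00, 0x00, 0x54			/* payload, not hashed */
};
/* Same flow as flow_a, different payload. */
static const uint8_t flow_a_next[] = {
	0xfe, 0xe1, 0xba, 0xd1, 0x2b, 0x00,
	0xfe, 0xe1, 0xba, 0xd1, 0x2c, 0x01,
	0x08, 0x00,
	0x45, 0x00, 0x05, 0xdc
};
/* Different sender: the last byte of the src MAC changes. */
static const uint8_t flow_b[] = {
	0xfe, 0xe1, 0xba, 0xd1, 0x2b, 0x00,
	0xfe, 0xe1, 0xba, 0xd1, 0x2c, 0x02,
	0x08, 0x00,
	0x45, 0x00, 0x00, 0x54
};

int
main(void)
{
	printf("flow A, frame 1: %u\n",
	    (unsigned)vxlan_src_port(flow_a, sizeof(flow_a)));
	printf("flow A, frame 2: %u\n",
	    (unsigned)vxlan_src_port(flow_a_next, sizeof(flow_a_next)));
	printf("flow B:          %u\n",
	    (unsigned)vxlan_src_port(flow_b, sizeof(flow_b)));
	return 0;
}
```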

Re: Emails sent from ISP this server rented from (supposedly bare metal) are not shown in maillog. How can this be?

I made a mistake, sorry for the noise.
My distrust of this company has to do with them having a cloned copy of
a still bootable but failing hard drive with sensitive information
during service. May or may not be relevant.


--
Sorry,
Chris Bennett

Re: Emails sent from ISP this server rented from (supposedly bare metal) are not shown in maillog. How can this be?

On Fri, Sep 20, 2024, Chris Bennett wrote:

> I am receiving emails fine and logged, except for the ones the isp is
> sending to me at this server. Those are just showing up not logged.

Have you looked at the Received: headers of those messages?
They should give you a hint how the mails got to you.

BTW: "showing up" means they are in the local mail store?

--
Address is valid for this mailing list only, please do not reply
to it directly, but to the list.

Re: Emails sent from ISP this server rented from (supposedly bare metal) are not shown in maillog. How can this be?

Sorry, I wrote the subject a little bit unclear.

I am receiving emails fine and logged, except for the ones the isp is
sending to me at this server. Those are just showing up not logged.


--
Regards,
Chris Bennett

Emails sent from ISP this server rented from (supposedly bare metal) are not shown in maillog. How can this be?

I had a break in on both servers from this company that resulted in a
mountain of outgoing spam. I powered off the other one in LA. I did a
fresh install on this one and I have tail -f /var/log/maillog running in
tmux watching it carefully and constantly since then.

Now these emails are the only ones arriving and not seen in the maillog.

I am very concerned about this.
What should I make of this?

Discussing the break in is a topic well worth discussing at a later
date, but I need to know what to make of what is happening right now.

Any help is appreciated and if I need to I will move elsewhere.

--
Regards,
Chris Bennett

Re: vxlan(4) Between Three Sites

On Fri, Sep 20, 2024 at 11:24:47AM +1000, David Gwynne wrote:
> On Thu, Sep 19, 2024 at 09:48:15AM -0700, Bryan Vyhmeister wrote:
> > On Wed, Sep 18, 2024 at 11:17:45AM +1000, David Gwynne wrote:
<snip>
> > Once I realized wg(4) wouldn't work, my solution was to use a gif(4)
> > tunnel or etherip(4) bridged with veb(4) to a vport(4) but I think the
> > gif(4) solution is simpler. Either solution worked fine for ospfd and
> > ospf6d as well as BGP over IPv4 and IPv6. Is there a performance benefit
> > with etherip(4) and vport(4) rather than gif(4)?
>
> gif over dedicated ethernet links seems unnecessary because you should
> already have working IP connectivity. how does it help your situation?

This is actually something completely different. I am running BGP over
several internet links that would not support BGP from the provider so
running a tunnel back to a datacenter for multihoming. You're right,
that would be a waste.

<snip>
> > I'm still not clear on exactly what protected accomplishes with veb(4).
> > You mentioned that prevents loops but I don't understand how.
> >
> > Essentially, at this point, I think I can have etherip(4) links between
> > each site maybe in a close to fully meshed layout particularly back to
> > site A and, as long as I put the etherip(4) interfaces into the veb(4)
> > as protected, I will not have loops? Is that a correct understanding of
> > what you said?
>
> it's about what happens when you have broadcast/multicast/unknown
> unicast traffic in a full mesh topology.
>
> if a broadcast packet enters the veb at site A, it will flood the packet
> to the etherip links to both site B and site C. site B will then flood
> the broadcast packets to its physical port and the link to site C. site
> C will then flood that broadcast packet to its physical port and the
> link to site A. site A will then flood the packet to its physical port
> and the link to site B, and so on.
>
> putting the etherip links at each site in the same protected domain
> prevents it flooding traffic from etherip links to other etherip links,
> which should be unnecessary because the site that got the original
> broadcast traffic should have already flooded it to all sites anyway.

Thank you for the explanation. I will test it out and see if I can get
it to work the way I want.

Bryan
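
The flooding behaviour David describes above, as a small added simulation (not from the thread and not veb(4) code): three sites in a full mesh, one broadcast frame entering at site A, with the site-to-site links either unprotected or all in one protected domain. The function `flood_full_mesh` and the transmission budget that stops the unprotected run are assumptions of this model.

```c
#include <stdio.h>

#define NSITES     3     /* site A = 0, B = 1, C = 2, fully meshed */
#define FROM_PHYS  (-1)  /* frame arrived on the site's physical port */
#define QLEN       8     /* at most 2 frames are ever in flight here */

struct flood_result {
	int tunnel_tx;	/* frames sent over site-to-site links */
	int phys_tx;	/* frames flooded out of a physical port */
	int storm;	/* 1 if frames were still circulating at the budget */
};

struct frame {
	int site;	/* site whose bridge is handling the frame */
	int from;	/* peer site it came from, or FROM_PHYS */
};

/*
 * Flood one broadcast frame that enters site A on its physical port.
 * A bridge never sends a frame back out of its ingress port. With
 * protected_links set, all tunnel ports sit in one protected domain,
 * so a frame received on a tunnel is not forwarded to other tunnels.
 * The run stops after `budget` tunnel transmissions.
 */
struct flood_result
flood_full_mesh(int protected_links, int budget)
{
	struct frame q[QLEN];
	struct flood_result r = { 0, 0, 0 };
	int head = 0, tail = 0, n = 0, peer;

	q[tail] = (struct frame){ 0, FROM_PHYS };
	tail = (tail + 1) % QLEN;
	n++;

	while (n > 0 && r.tunnel_tx < budget) {
		struct frame f = q[head];
		int from_tunnel = (f.from != FROM_PHYS);

		head = (head + 1) % QLEN;
		n--;

		/* a frame from a tunnel is flooded to the local physical port */
		if (from_tunnel)
			r.phys_tx++;

		/* protected ports never forward to each other */
		if (from_tunnel && protected_links)
			continue;

		for (peer = 0; peer < NSITES; peer++) {
			if (peer == f.site || peer == f.from)
				continue;
			r.tunnel_tx++;
			q[tail] = (struct frame){ peer, f.site };
			tail = (tail + 1) % QLEN;
			n++;
		}
	}
	r.storm = (n > 0);
	return r;
}

int
main(void)
{
	struct flood_result u = flood_full_mesh(0, 1000);
	struct flood_result p = flood_full_mesh(1, 1000);

	printf("unprotected: tunnel_tx=%d phys_tx=%d storm=%d\n",
	    u.tunnel_tx, u.phys_tx, u.storm);
	printf("protected:   tunnel_tx=%d phys_tx=%d storm=%d\n",
	    p.tunnel_tx, p.phys_tx, p.storm);
	return 0;
}
```

In the protected run the frame crosses each of site A's two links once and reaches both remote physical ports; in the unprotected run it keeps circulating until the budget cuts it off.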

Remove telegram-purple

Telegram-purple, as well as every libtgl-based application, does not
work anymore (i tested).

Port's page[1] says it is abandoned since 2021 and may or may not work
(it did for some time, but now does not). It points to a new project
for a libpurple plugin based on the last newest Telegram API:
tdlib-purple[2], which is supposed to work until Telegram decides to
change it all again.

I wrote a port for net/tdlib-purple and updated the net/tdlib port in
order for it to compile. I am going to send those on other emails.

[1]: https://github.com/majn/telegram-purple
[2]: https://github.com/BenWiederhake/tdlib-purple

--
Lucas de Sena

Re: OpenBSD support for Mac Mini M2 ?

On Thu, Sep 19, 2024 at 06:18:25PM -0400, J Doe wrote:
> Hi list,
>
> I see in the FAQ that the Apple Mac Mini M2 is a supported platform[0]
> and that the WiFi is supported via: bwfmv(4). I had two questions about
> WiFi support:
>
> 1. Is Host AP mode supported on the Mac Mini M2? The man pages appear
> to imply that this is supported, but I wanted to double-check.

I am running OpenBSD on a Mac mini M2 Pro. It serves as my OpenBSD
desktop and arm64 test system. The WiFi chip on mine is not supported at
all although some work was done in the past but has run into some
issues. The bwfm(4) man page lists many other revisions but the BCM4387
is the last one of the list. The M2 Pro Mac mini has the BCM4388. I
asked about this support myself here:

https://marc.info/?l=openbsd-tech&m=172107926804965&w=2

I am not positive that the regular M2 uses the same WiFi chipset as the
M2 Pro but I suspect it does.

As Stuart also responded, I would use an external AP rather than trying
to do hostap. There are a fair amount of good options out there these
days that will be faster and more reliable for you. If you are trying to
avoid some vendor firmware, you could potentially run OpenWRT on an
older UniFi AP or something like that which works pretty well and is
something I have tested also.

> 2. Does: bwfmv(4) also support the 10 Gigabit mode that is available as
> an option for the Mac Mini M2 ?[1] I am aware that OpenBSD may not
> support full bandwidth at 10 Gbps, but would it support a bandwidth
> higher than 1 Gbps if the 10Gbps option is selected when purchasing a Mini ?

As for the aq(4) 10Gbps ethernet port, it should work but there might be
some quirks. There was a long thread about Mac Studio support a while
back where some of these things were worked out but I can't locate it at
the moment.

Here is a Mac mini M2 report though without aq(4) on the Mac mini M2.

https://marc.info/?l=openbsd-arm&m=171760575012201&w=2

I have a Mac mini M1 with aq(4) 10Gbps ethernet but have not had a
chance to test OpenBSD on it since it is in use for video production. I
will see if I can get to that at some point.

The apldrm(4) support works pretty well but is kind of slow with
dragging windows around and so forth. The screen redraw is slow during
that operation although I'm testing on a 5120x2160 monitor at 30 Hz
which might make it worse. It is not like having a nice inteldrm(4)
supported graphics card but the Apple Silicon platforms work remarkably
well considering how difficult modern Apple hardware can be.

Bryan

Re: VLC; 7.6-beta AMD64 Sept. 17th

> On 2024/09/18 13:33, Byron Campbell - WA4GEG wrote:
>>
>> Turns out that VLC had "hardware acceleration" set to automatic. I assume
>> that it is shipped that way, since I generally have no need to alter the
>> default settings. And the problem is indeed due to the VA-API stuff as
>> Stuart suspected.
>>
>> I got it to work by going into VLC's settings > Tools, Prefs., Input/Codecs
>> tab, and set the "hardware acceleration" to disable. Then VLC stopped
>> seg-faulting and plays both MP4 files and one test DVD okay.
>>
>> Interestingly, VLC with hardware acceleration set to automatic, works just
>> fine in my OpenBSD 7.5 box.
>
> OpenBSD didn't support hardware acceleration VA-API until after 7.5.
> AFAIK it's currently enabled in FFmpeg, mpv and vlc and disabled in
> other ports where it was noticed that they might pick it up.
>
> I think we could probably do with some kind of mention in the 7.6
> upgrade notes, both to help people track down problems like this,
> and to help them get it used on Intel systems (where it seems to work
> pretty well).
>

A few more quick checks to test the selection of VLC's Input/Codecs,
see below.

Both audio and video play fine when VLC's Tools, Prefs., Input Codecs
are set to either "disable" or to the "VA-API video decoder via DRM".

dmesg indicates:

radeondrm0: CEDAR
radeon_audio_component_init: stub
radeondrm0: 1920x1080, 32bpp
wsdisplay0 at radeondrm0 mux 1: console (std, vt100 emulation), using wskbd0
wskbd1: connecting to wsdisplay0
wskbd2: connecting to wsdisplay0
wsdisplay0: screen 1-5 added (std, vt100 emulation)

Yet when VLC's "automatic" Input/Codecs chooses the "Mesa Gallium driver
23.3.6 for AMD CEDAR" it doesn't play the video portion of MP4 files.

Let me know if there is anything else I can do to be of help.

-Byron


====================================================================
VLC: Tools, Prefs., Input Codecs: VA-API video decoder via DRM

Audio and Video portions plays normally:

$ vlc
VLC media player 3.0.20 Vetinari (revision 3.0.20-0-g6f0d0ab126b)
[00000b586f6d7680] main libvlc: Running vlc with the default interface.
Use 'cvlc' to use vlc without interface.
[00000b58d44ffe60] main playlist: playlist is empty
libva info: VA-API version 1.22.0
libva info: Trying to open /usr/X11R6/lib/modules/dri/r600_drv_video.so
libva info: Found init function __vaDriverInit_1_22
libva info: va_openDriver() returns 0
====================================================================

VLC: Tools, Prefs., Input Codecs: VA-API video decoder

Audio plays but not the video:

$ vlc
VLC media player 3.0.20 Vetinari (revision 3.0.20-0-g6f0d0ab126b)
[000001e10ba725a0] main libvlc: Running vlc with the default interface.
Use 'cvlc' to use vlc without interface.
[000001e106f24ca0] main playlist: playlist is empty
libva info: VA-API version 1.22.0
libva info: Trying to open /usr/X11R6/lib/modules/dri/r600_drv_video.so
libva info: Found init function __vaDriverInit_1_22
libva info: va_openDriver() returns 0
[000001e146e47060] avcodec decoder: Using Mesa Gallium driver 23.3.6 for
AMD CEDAR (DRM 2.50.0 / 7.6, LLVM 16.0.6) for hardware decoding
=====================================================================

Re: VLC; 7.6-beta AMD64 Sept. 17th

On 2024/09/18 09:38, Byron Campbell - WA4GEG wrote:
>
> Okay, launched VLC from terminal. Here's the output when attempting to play
> an MP4, and audio plays but not the video portion:
>
> $ vlc
> VLC media player 3.0.20 Vetinari (revision 3.0.20-0-g6f0d0ab126b)
> [00000d0660d53220] main libvlc: Running vlc with the default interface. Use
> 'cvlc' to use vlc without interface.
> [00000d0660d64ca0] main playlist: playlist is empty
> libva info: VA-API version 1.22.0
> libva info: Trying to open /usr/X11R6/lib/modules/dri/r600_drv_video.so
> libva info: Found init function __vaDriverInit_1_22
> libva info: va_openDriver() returns 0
> [00000d06e842d060] avcodec decoder: Using Mesa Gallium driver 23.3.6 for AMD
> CEDAR (DRM 2.50.0 / 7.6, LLVM 16.0.6) for hardware decoding
...
> radeondrm0 at pci3 dev 0 function 0 "ATI Radeon HD 5450" rev 0x00
> drm0 at radeondrm0
> radeondrm0: msi

I only have machines with Intel graphics handy - in that case things
are working fine for me with or without hardware decoding (to actually
use it there requires the intel-media-driver package to be installed).

I'm not familiar with how it works with AMD and wasn't keeping a close
eye when VA-API was brought in but based on your debug messages it seems
that it's included directly in the driver in xenocara so that programs
supporting it will try to use it automatically without installing any
extra packages.


On 2024/09/18 13:33, Byron Campbell - WA4GEG wrote:
>
> Turns out that VLC had "hardware acceleration" set to automatic. I assume
> that it is shipped that way, since I generally have no need to alter the
> default settings. And the problem is indeed due to the VA-API stuff as
> Stuart suspected.
>
> I got it to work by going into VLC's settings > Tools, Prefs., Input/Codecs
> tab, and set the "hardware acceleration" to disable. Then VLC stopped
> seg-faulting and plays both MP4 files and one test DVD okay.
>
> Interestingly, VLC with hardware acceleration set to automatic, works just
> fine in my OpenBSD 7.5 box.

OpenBSD didn't support hardware acceleration VA-API until after 7.5.
AFAIK it's currently enabled in FFmpeg, mpv and vlc and disabled in
other ports where it was noticed that they might pick it up.

I think we could probably do with some kind of mention in the 7.6
upgrade notes, both to help people track down problems like this,
and to help them get it used on Intel systems (where it seems to work
pretty well).

Re: x11/tk/8.6: Missing headers in package?

On 2024/09/20 14:10, Stuart Cassoff wrote:
> With Tcl, it's always been possible to do that; Tcl is not Python or whatever.
> This sort of backwards compatibility exists with/is a feature of Tcl.

except togl is seemingly touching Tk internals rather than public
interfaces so that is perhaps not reliable.

> Extensions built against 8.5 should be able to be loaded into 8.6 without problem.
> Certainly worth trying, imo.

togl uses TkWindow structs which are one of the things which changed
between 8.5 and 8.6 in tkInt.h. Though I guess it might get lucky as the
added members in this struct were at the end (and it doesn't seem to use
one of the structs where there were bigger changes like TkDisplay) ...

> Stu
>
>
> On Friday, September 20, 2024 at 09:29:54 a.m. EDT, Stuart Henderson <stu@spacehopper.org>
> wrote:
>
>
> On 2024/09/20 12:43, Stuart Cassoff wrote:
>
> > Private files aren't meant to be installed. They're in the 8.5 package mostly for historical
> > reasons or older ports.
> > Instead of using MODULES you could try setting BUILD_DEPENDS for 8.5 and WANTLIB and
> > RUN_DEPENDS for 8.6.
> > Something like that, maybe other vars as well.
>
>
> That (building against private headers for an old Tk version which isn't
> the version running the extension) seems like a worse idea than building
> against current version private headers (whether they come from a :patch
> target or from the package).
>
>

Re: x11/tk/8.6: Missing headers in package?

With Tcl, it's always been possible to do that; Tcl is not Python or whatever.
This sort of backwards compatibility exists with/is a feature of Tcl.
Extensions built against 8.5 should be able to be loaded into 8.6 without problem.
Certainly worth trying, imo.

Stu


On Friday, September 20, 2024 at 09:29:54 a.m. EDT, Stuart Henderson <stu@spacehopper.org> wrote:


On 2024/09/20 12:43, Stuart Cassoff wrote:

> Private files aren't meant to be installed. They're in the 8.5 package mostly for historical
> reasons or older ports.
> Instead of using MODULES you could try setting BUILD_DEPENDS for 8.5 and WANTLIB and
> RUN_DEPENDS for 8.6.
> Something like that, maybe other vars as well.


That (building against private headers for an old Tk version which isn't
the version running the extension) seems like a worse idea than building
against current version private headers (whether they come from a :patch
target or from the package).


Re: x11/tk/8.6: Missing headers in package?

On 2024/09/20 12:43, Stuart Cassoff wrote:
> Private files aren't meant to be installed. They're in the 8.5 package mostly for historical
> reasons or older ports.
> Instead of using MODULES you could try setting BUILD_DEPENDS for 8.5 and WANTLIB and
> RUN_DEPENDS for 8.6.
> Something like that, maybe other vars as well.

That (building against private headers for an old Tk version which isn't
the version running the extension) seems like a worse idea than building
against current version private headers (whether they come from a :patch
target or from the package).

Re: pkgconfig errors

On 24/09/19 10:55PM, Jesse Lawton wrote:
> Check attachment.
>
> Thanks
> Jesse Lawton

The attachment pkgconfig-debug.txt that was attached to the message you
sent offlist is 0 bytes in size. If you want to redirect stderr to a
file, you'd need to do something like

pkg-config --debug --cflags fontconfig >pkgconfig-debug.txt 2>&1

and then attach pkgconfig-debug.txt.

Re: x11/tk/8.6: Missing headers in package?

Private files aren't meant to be installed. They're in the 8.5 package mostly for historical reasons or older ports.
Instead of using MODULES you could try setting BUILD_DEPENDS for 8.5 and WANTLIB and RUN_DEPENDS for 8.6.
Something like that, maybe other vars as well.

Stu

On Friday, September 20, 2024 at 04:41:12 a.m. EDT, Stuart Henderson <stu@spacehopper.org> wrote:


On 2024/09/19 17:12, Stuart Cassoff wrote:

> Depending on the software it may be possible to build against 8.5 and load into/run with 8.6.


Is there a difference between 8.5 and 8.6 regarding whether it's ok to
include private headers in the package?


Re: unbound(8) + host(1) + AAAA-only issue

From what I understand, the newer versions of unbound(8) in -current (to be shipped in OpenBSD 7.6) will mask the perceived problem with host(1)?

And the way host(1) now behaves, aborting at the first SERVFAIL, might be intentional due to misbehaving DNS forwarders encountered in the past?

I'm not sure that I would agree to this logic, but I can live with it.


Thanks for everyone's help in clarifying what is going on.

Mike


> On 20.09.2024 at 14:26, Mike Fischer <fischer+obsd@lavielle.com> wrote:
>
>
>> On 20.09.2024 at 13:56, Stuart Henderson <stu.lists@spacehopper.org> wrote:
>>
>> On 2024-09-20, Mike Fischer <fischer+obsd@lavielle.com> wrote:
>>>
>>>> On 20.09.2024 at 12:13, Stuart Henderson <stu.lists@spacehopper.org> wrote:
>>>>
>>>> From what you've shown I can only assume the auth servers are broken
>>>> and probably refusing to respond for A (rather than an empty NOERROR
>>>> response).
>>>
>>> I agree, that is probably the root cause.
>>>
>>> So that would cause host(1) to abort looking for other RRsets? Is that not a bug in host(1)?
>>>
>>> Note: I tried looking at the source code of host(1) but I can't figure out how it works.
>>
>> I think it's generally been fairly common to regard a fqdn (or a fqdn
>> + server combination) as failing if any RRset for that fqdn fails with
>> certain errors.
>>
>> Certainly there have been problems in the past where a client has made
>> an AAAA request, the recursive NS has received no response (usually in
>> this case because the site was using one of the common load-balancing
>> auth servers that were broken in this way) and negatively cached this
>> against the fqdn, then a followup A request has failed.
>
> So you are saying, this behaviour of host(1) is intentional?
>
>
> [snip]
>
>>
>>>> If you show the real hostname, maybe someone can figure it out in
>>>> more detail.
>>>
>>> This is an example hostname I created at dynv6.com for the purpose of figuring out this issue:
>>> test.fwml42.v6.rocks
>>>
>>> $ dig +short test.fwml42.v6.rocks aaaa
>>> 2001:db8::dead:beaf
>>> $ host test.fwml42.v6.rocks
>>> Host test.fwml42.v6.rocks not found: 2(SERVFAIL)
>>
>> Well that's interesting.
>>
>> Querying any of the auth servers directly with host or dig, I do get
>> what looks like a sensible response to A queries
>>
>> $ host test.fwml42.v6.rocks. ns1.dynv6.com.
>> Using domain server:
>> Name: ns1.dynv6.com.
>> Address: 95.216.144.82#53
>> Aliases:
>>
>> test.fwml42.v6.rocks has IPv6 address 2001:db8::dead:beaf
>> $ host -t a test.fwml42.v6.rocks. ns1.dynv6.com.
>> Using domain server:
>> Name: ns1.dynv6.com.
>> Address: 95.216.144.82#53
>> Aliases:
>>
>> test.fwml42.v6.rocks has no A record
>>
>> Testing with unbound 1.20.0 or 1.21.0 and there's no problem.
>> From unbound (1.18.0) I get various of these,
>>
>> unbound: [93237:0] error: SERVFAIL <test.fwml42.v6.rocks. NS IN>: exceeded the maximum nameserver nxdomains
>> unbound: [93237:0] error: SERVFAIL <test.fwml42.v6.rocks. A IN>: all servers for this domain failed, at zone v6.rocks. from 2a01:4f9:c010:95b:: nodata answer
>> unbound: [71830:1] error: SERVFAIL <test.fwml42.v6.rocks. NS IN>: all servers for this domain failed, at zone v6.rocks. from 95.216.144.82 nodata answer
>>
>> I see this in changelog for 1.19.0 -
>>
>> Fix #946: Forwarder returns servfail on upstream response noerror no data.
>>
>> - the problem this fixes was introduced in 1.18.0 - this doesn't
>> look from the description like it should be directly relevant (as no
>> forwarder is involved), but it seems quite a similar situation.
>> #946 is https://github.com/NLnetLabs/unbound/issues/946
>
> So the dynv6.com NS and unbound(8) in 7.5 stable (Version 1.18.0) may be involved in triggering this?
>
> That leaves the question of how clients such as host(1) should deal with this situation. But that is already being discussed above.
>
>
> Mike

Re: unbound(8) + host(1) + AAAA-only issue

> On 20.09.2024 at 14:03, Stuart Henderson <stu.lists@spacehopper.org> wrote:
>
> On 2024-09-20, Stuart Henderson <stu.lists@spacehopper.org> wrote:
>> On 2024-09-20, Mike Fischer <fischer+obsd@lavielle.com> wrote:
>>>

[snip]


>> Well that's interesting.
>>
>> Querying any of the auth servers directly with host or dig, I do get
>> what looks like a sensible response to A queries
>
> Same with base and package versions of host(1), FWIW.

Which is what I am using. OpenBSD 7.5 stable, unbound 1.18.0.

[snip]


> Hmm, and also going up a level to this which has both A and AAAA:
>
> $ host fwml42.v6.rocks.
> fwml42.v6.rocks has address 79.226.210.86
> fwml42.v6.rocks has IPv6 address 2003:e4:f33:1d00:30ab:221d:6b6d:7d96
> Host fwml42.v6.rocks not found: 2(SERVFAIL)
>
> with this logged:
>
> unbound: [93237:0] error: SERVFAIL <fwml42.v6.rocks. MX IN>: all servers for this domain failed, at zone v6.rocks. from 2a01:4f8:1c1c:4c96:: nodata answer

Basically the same situation just that the order of queries is A, AAAA, MX and since MX is last the IPs are shown.


Mike

Re: unbound(8) + host(1) + AAAA-only issue

> On 20.09.2024 at 13:56, Stuart Henderson <stu.lists@spacehopper.org> wrote:
>
> On 2024-09-20, Mike Fischer <fischer+obsd@lavielle.com> wrote:
>>
>>> On 20.09.2024 at 12:13, Stuart Henderson <stu.lists@spacehopper.org> wrote:
>>>
>>> From what you've shown I can only assume the auth servers are broken
>>> and probably refusing to respond for A (rather than an empty NOERROR
>>> response).
>>
>> I agree, that is probably the root cause.
>>
>> So that would cause host(1) to abort looking for other RRsets? Is that not a bug in host(1)?
>>
>> Note: I tried looking at the source code of host(1) but I can't figure out how it works.
>
> I think it's generally been fairly common to regard a fqdn (or a fqdn
> + server combination) as failing if any RRset for that fqdn fails with
> certain errors.
>
> Certainly there have been problems in the past where a client has made
> an AAAA request, the recursive NS has received no response (usually in
> this case because the site was using one of the common load-balancing
> auth servers that were broken in this way) and negatively cached this
> against the fqdn, then a followup A request has failed.

So you are saying, this behaviour of host(1) is intentional?


[snip]

>
>>> If you show the real hostname, maybe someone can figure it out in
>>> more detail.
>>
>> This is an example hostname I created at dynv6.com for the purpose of figuring out this issue:
>> test.fwml42.v6.rocks
>>
>> $ dig +short test.fwml42.v6.rocks aaaa
>> 2001:db8::dead:beaf
>> $ host test.fwml42.v6.rocks
>> Host test.fwml42.v6.rocks not found: 2(SERVFAIL)
>
> Well that's interesting.
>
> Querying any of the auth servers directly with host or dig, I do get
> what looks like a sensible response to A queries
>
> $ host test.fwml42.v6.rocks. ns1.dynv6.com.
> Using domain server:
> Name: ns1.dynv6.com.
> Address: 95.216.144.82#53
> Aliases:
>
> test.fwml42.v6.rocks has IPv6 address 2001:db8::dead:beaf
> $ host -t a test.fwml42.v6.rocks. ns1.dynv6.com.
> Using domain server:
> Name: ns1.dynv6.com.
> Address: 95.216.144.82#53
> Aliases:
>
> test.fwml42.v6.rocks has no A record
>
> Testing with unbound 1.20.0 or 1.21.0 and there's no problem.
> From unbound (1.18.0) I get various of these,
>
> unbound: [93237:0] error: SERVFAIL <test.fwml42.v6.rocks. NS IN>: exceeded the maximum nameserver nxdomains
> unbound: [93237:0] error: SERVFAIL <test.fwml42.v6.rocks. A IN>: all servers for this domain failed, at zone v6.rocks. from 2a01:4f9:c010:95b:: nodata answer
> unbound: [71830:1] error: SERVFAIL <test.fwml42.v6.rocks. NS IN>: all servers for this domain failed, at zone v6.rocks. from 95.216.144.82 nodata answer
>
> I see this in changelog for 1.19.0 -
>
> Fix #946: Forwarder returns servfail on upstream response noerror no data.
>
> - the problem this fixes was introduced in 1.18.0 - this doesn't
> look from the description like it should be directly relevant (as no
> forwarder is involved), but it seems quite a similar situation.
> #946 is https://github.com/NLnetLabs/unbound/issues/946

So the dynv6.com NS and unbound(8) in 7.5 stable (Version 1.18.0) may be involved in triggering this?

That leaves the question of how clients such as host(1) should deal with this situation. But that is already being discussed above.


Mike

Re: unbound(8) + host(1) + AAAA-only issue

> On 20.09.2024 at 13:13, Peter Hessler <phessler@theapt.org> wrote:
>
> On 2024 Sep 20 (Fri) at 12:45:08 +0200 (+0200), Mike Fischer wrote:
> :
> :> On 20.09.2024 at 12:13, Stuart Henderson <stu.lists@spacehopper.org> wrote:
> :>
> :> From what you've shown I can only assume the auth servers are broken
> :> and probably refusing to respond for A (rather than an empty NOERROR
> :> response).
> :
> :I agree, that is probably the root cause.
> :
> :So that would cause host(1) to abort looking for other RRsets? Is that not a bug in host(1)?
> :
> :Note: I tried looking at the source code of host(1) but I can't figure out how it works.
> :
> :
> :> AAAA-only is a somewhat rare case and IPv6 has only been supported in
> :> DNS since 2008 or so, it takes time to get the bugs worked out
> :> especially in custom DNS software like is probably used for a dynamic
> :> dns zone.
> :
> :Yes, a mere 18 years is rather new ;-)
> :
> :
> :> If you show the real hostname, maybe someone can figure it out in
> :> more detail.
> :
> :This is an example hostname I created at dynv6.com for the purpose of figuring out this issue:
> :test.fwml42.v6.rocks
> :
> :$ dig +short test.fwml42.v6.rocks aaaa
> :2001:db8::dead:beaf
> :$ host test.fwml42.v6.rocks
> :Host test.fwml42.v6.rocks not found: 2(SERVFAIL)
> :$
> :
>
> I also have a real hostname that only has IPv6 but it works fine for me
> with host and dig. v6.bsd.network, and jane.theapt.org. Feel free to
> look at how the servers reply for comparison.
>
> I run one of the auth nameservers with nsd, and the other two are run by
> some friends also using open source auth servers.

Unfortunately I have no way to influence the dynv6.com service or even know what software they are using.

As I mentioned, another v6-only hostname with completely different domain and nameservers works fine. So the issue is likely triggered by the response of the dynv6.com NS to a request for a non-existing A record.

However my point is that the SERVFAIL response should not cause host(1) to give up on requesting other (AAAA) RRsets.


Mike

Re: unbound(8) + host(1) + AAAA-only issue

> On 20.09.2024 at 13:08, Otto Moerbeek <otto@drijf.net> wrote:
>
> On Fri, Sep 20, 2024 at 12:45:08PM +0200, Mike Fischer wrote:
>
>>
>>> On 20.09.2024 at 12:13, Stuart Henderson <stu.lists@spacehopper.org> wrote:
>>>
>>> From what you've shown I can only assume the auth servers are broken
>>> and probably refusing to respond for A (rather than an empty NOERROR
>>> response).
>>
>> I agree, that is probably the root cause.
>>
>> So that would cause host(1) to abort looking for other RRsets? Is that not a bug in host(1)?
>>
>> Note: I tried looking at the source code of host(1) but I can't figure out how it works.
>>
>>
>>> AAAA-only is a somewhat rare case and IPv6 has only been supported in
>>> DNS since 2008 or so, it takes time to get the bugs worked out
>>> especially in custom DNS software like is probably used for a dynamic
>>> dns zone.
>>
>> Yes, a mere 18 years is rather new ;-)
>>
>>
>>> If you show the real hostname, maybe someone can figure it out in
>>> more detail.
>>
>> This is an example hostname I created at dynv6.com for the purpose of figuring out this issue:
>> test.fwml42.v6.rocks
>>
>> $ dig +short test.fwml42.v6.rocks aaaa
>> 2001:db8::dead:beaf
>> $ host test.fwml42.v6.rocks
>> Host test.fwml42.v6.rocks not found: 2(SERVFAIL)
>> $
>
> Here host just succeeds with that name (not using unbound as resolver
> but PowerDNS recursor)
>
> $ host test.fwml42.v6.rocks
> test.fwml42.v6.rocks has IPv6 address 2001:db8::dead:beaf
>
> A tip to investigate further: use -v with host (it shows more
> details), don't use +short with dig (it hides useful information).
>
> -Otto

Alright:

$ dig test.fwml42.v6.rocks aaaa
; <<>> dig 9.10.8-P1 <<>> test.fwml42.v6.rocks aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12016
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;test.fwml42.v6.rocks. IN AAAA

;; ANSWER SECTION:
test.fwml42.v6.rocks. 60 IN AAAA 2001:db8::dead:beaf

;; Query time: 49 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Sep 20 14:00:25 CEST 2024
;; MSG SIZE rcvd: 77

$ host -v test.fwml42.v6.rocks
Trying "test.fwml42.v6.rocks"
Host test.fwml42.v6.rocks not found: 2(SERVFAIL)
Received 38 bytes from 127.0.0.1#53 in 467 ms

$


And for completeness:
$ dig test.fwml42.v6.rocks a

; <<>> dig 9.10.8-P1 <<>> test.fwml42.v6.rocks a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15149
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;test.fwml42.v6.rocks. IN A

;; Query time: 287 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Sep 20 14:02:14 CEST 2024
;; MSG SIZE rcvd: 49

$


Mike

Re: unbound(8) + host(1) + AAAA-only issue

On 2024-09-20, Stuart Henderson <stu.lists@spacehopper.org> wrote:
> On 2024-09-20, Mike Fischer <fischer+obsd@lavielle.com> wrote:
>>
>>> On 20.09.2024 at 12:13, Stuart Henderson <stu.lists@spacehopper.org> wrote:
>>>
>>> From what you've shown I can only assume the auth servers are broken
>>> and probably refusing to respond for A (rather than an empty NOERROR
>>> response).
>>
>> I agree, that is probably the root cause.
>>
>> So that would cause host(1) to abort looking for other RRsets? Is that not a bug in host(1)?
>>
>> Note: I tried looking at the source code of host(1) but I can't figure out how it works.
>
> I think it's generally been fairly common to regard a fqdn (or a fqdn
> + server combination) as failing if any RRset for that fqdn fails with
> certain errors.
>
> Certainly there have been problems in the past where a client has made
> an AAAA request, the recursive NS has received no response (usually in
> this case because the site was using one of the common load-balancing
> auth servers that were broken in this way) and negatively cached this
> against the fqdn, then a followup A request has failed.
>
>>> AAAA-only is a somewhat rare case and IPv6 has only been supported in
>>> DNS since 2008 or so, it takes time to get the bugs worked out
>>> especially in custom DNS software like is probably used for a dynamic
>>> dns zone.
>>
>> Yes, a mere 18 years is rather new ;-)
>
> ;)
>
>>> If you show the real hostname, maybe someone can figure it out in
>>> more detail.
>>
>> This is an example hostname I created at dynv6.com for the purpose of figuring out this issue:
>> test.fwml42.v6.rocks
>>
>> $ dig +short test.fwml42.v6.rocks aaaa
>> 2001:db8::dead:beaf
>> $ host test.fwml42.v6.rocks
>> Host test.fwml42.v6.rocks not found: 2(SERVFAIL)
>
> Well that's interesting.
>
> Querying any of the auth servers directly with host or dig, I do get
> what looks like a sensible response to A queries

Same with base and package versions of host(1), FWIW.

> $ host test.fwml42.v6.rocks. ns1.dynv6.com.
> Using domain server:
> Name: ns1.dynv6.com.
> Address: 95.216.144.82#53
> Aliases:
>
> test.fwml42.v6.rocks has IPv6 address 2001:db8::dead:beaf
> $ host -t a test.fwml42.v6.rocks. ns1.dynv6.com.
> Using domain server:
> Name: ns1.dynv6.com.
> Address: 95.216.144.82#53
> Aliases:
>
> test.fwml42.v6.rocks has no A record
>
> Testing with unbound 1.20.0 or 1.21.0 and there's no problem.
> From unbound (1.18.0) I get various of these,
>
> unbound: [93237:0] error: SERVFAIL <test.fwml42.v6.rocks. NS IN>: exceeded the maximum nameserver nxdomains
> unbound: [93237:0] error: SERVFAIL <test.fwml42.v6.rocks. A IN>: all servers for this domain failed, at zone v6.rocks. from 2a01:4f9:c010:95b:: nodata answer
> unbound: [71830:1] error: SERVFAIL <test.fwml42.v6.rocks. NS IN>: all servers for this domain failed, at zone v6.rocks. from 95.216.144.82 nodata answer
>
> I see this in changelog for 1.19.0 -
>
> Fix #946: Forwarder returns servfail on upstream response noerror no data.
>
> - the problem this fixes was introduced in 1.18.0 - this doesn't
> look from the description like it should be directly relevant (as no
> forwarder is involved), but it seems quite a similar situation.
> #946 is https://github.com/NLnetLabs/unbound/issues/946

Hmm, and also going up a level to this which has both A and AAAA:

$ host fwml42.v6.rocks.
fwml42.v6.rocks has address 79.226.210.86
fwml42.v6.rocks has IPv6 address 2003:e4:f33:1d00:30ab:221d:6b6d:7d96
Host fwml42.v6.rocks not found: 2(SERVFAIL)

with this logged:

unbound: [93237:0] error: SERVFAIL <fwml42.v6.rocks. MX IN>: all servers for this domain failed, at zone v6.rocks. from 2a01:4f8:1c1c:4c96:: nodata answer

--
Please keep replies on the mailing list.

Re: unbound(8) + host(1) + AAAA-only issue

On 2024-09-20, Mike Fischer <fischer+obsd@lavielle.com> wrote:
>
>> On 20.09.2024 at 12:13, Stuart Henderson <stu.lists@spacehopper.org> wrote:
>>
>> From what you've shown I can only assume the auth servers are broken
>> and probably refusing to respond for A (rather than an empty NOERROR
>> response).
>
> I agree, that is probably the root cause.
>
> So that would cause host(1) to abort looking for other RRsets? Is that not a bug in host(1)?
>
> Note: I tried looking at the source code of host(1) but I can't figure out how it works.

I think it's generally been fairly common to regard a fqdn (or a fqdn
+ server combination) as failing if any RRset for that fqdn fails with
certain errors.

Certainly there have been problems in the past where a client has made
an AAAA request, the recursive NS has received no response (usually in
this case because the site was using one of the common load-balancing
auth servers that were broken in this way) and negatively cached this
against the fqdn, then a followup A request has failed.

>> AAAA-only is a somewhat rare case and IPv6 has only been supported in
>> DNS since 2008 or so, it takes time to get the bugs worked out
>> especially in custom DNS software like is probably used for a dynamic
>> dns zone.
>
> Yes, a mere 18 years is rather new ;-)

;)

>> If you show the real hostname, maybe someone can figure it out in
>> more detail.
>
> This is an example hostname I created at dynv6.com for the purpose of figuring out this issue:
> test.fwml42.v6.rocks
>
> $ dig +short test.fwml42.v6.rocks aaaa
> 2001:db8::dead:beaf
> $ host test.fwml42.v6.rocks
> Host test.fwml42.v6.rocks not found: 2(SERVFAIL)

Well that's interesting.

Querying any of the auth servers directly with host or dig, I do get
what looks like a sensible response to A queries

$ host test.fwml42.v6.rocks. ns1.dynv6.com.
Using domain server:
Name: ns1.dynv6.com.
Address: 95.216.144.82#53
Aliases:

test.fwml42.v6.rocks has IPv6 address 2001:db8::dead:beaf
$ host -t a test.fwml42.v6.rocks. ns1.dynv6.com.
Using domain server:
Name: ns1.dynv6.com.
Address: 95.216.144.82#53
Aliases:

test.fwml42.v6.rocks has no A record

Testing with unbound 1.20.0 or 1.21.0 and there's no problem.
From unbound (1.18.0) I get various of these,

unbound: [93237:0] error: SERVFAIL <test.fwml42.v6.rocks. NS IN>: exceeded the maximum nameserver nxdomains
unbound: [93237:0] error: SERVFAIL <test.fwml42.v6.rocks. A IN>: all servers for this domain failed, at zone v6.rocks. from 2a01:4f9:c010:95b:: nodata answer
unbound: [71830:1] error: SERVFAIL <test.fwml42.v6.rocks. NS IN>: all servers for this domain failed, at zone v6.rocks. from 95.216.144.82 nodata answer

I see this in changelog for 1.19.0 -

Fix #946: Forwarder returns servfail on upstream response noerror no data.

- the problem this fixes was introduced in 1.18.0 - this doesn't
look from the description like it should be directly relevant (as no
forwarder is involved), but it seems quite a similar situation.
#946 is https://github.com/NLnetLabs/unbound/issues/946



--
Please keep replies on the mailing list.
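
One way to triage the `log-servfail` lines quoted in this thread, as an added example (not code from the thread or from unbound): it groups SERVFAIL entries by name and type and flags those logged with "nodata answer" as the last upstream result. The regexes are fitted only to the lines shown here, and reading "nodata answer" as an empty NOERROR reply from the upstream is an assumption.

```python
import re

# Lines 1-4 are log-servfail entries quoted in the thread (with and without
# the syslog prefix); line 5 is a constructed non-SERVFAIL line.
SAMPLE_LOG = """\
Sep 20 10:23:03 xxx unbound: [70725:0] error: SERVFAIL <test.example.dynv6.net. A IN>: all servers for this domain failed, at zone dynv6.net. from 95.216.144.82 nodata answer
Sep 20 10:24:10 xxx unbound: [70725:0] error: SERVFAIL <test.example.dynv6.net. A IN>: all servers for this domain failed, at zone dynv6.net. from 2a01:4f8:1c1c:4c96:: nodata answer
unbound: [93237:0] error: SERVFAIL <test.fwml42.v6.rocks. NS IN>: exceeded the maximum nameserver nxdomains
unbound: [93237:0] error: SERVFAIL <fwml42.v6.rocks. MX IN>: all servers for this domain failed, at zone v6.rocks. from 2a01:4f8:1c1c:4c96:: nodata answer
Sep 20 10:25:00 xxx unbound: [70725:0] info: service stopped
"""

# "unbound: [pid:thread] error: SERVFAIL <qname qtype qclass>: reason"
LINE_RE = re.compile(
    r"unbound: \[(?P<pid>\d+):(?P<thread>\d+)\] error: SERVFAIL "
    r"<(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>: (?P<reason>.*)$"
)
# Optional tail of the reason: "at zone Z from ADDR <last upstream result>"
DETAIL_RE = re.compile(
    r"at zone (?P<zone>\S+) from (?P<upstream>\S+) (?P<last>.+)$"
)


def parse_servfail(text):
    """Return one dict per SERVFAIL line; all other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue
        rec = m.groupdict()
        # Not every reason names a zone/upstream (e.g. the nxdomains limit).
        rec.update(zone=None, upstream=None, last=None)
        d = DETAIL_RE.search(rec["reason"])
        if d:
            rec.update(d.groupdict())
        records.append(rec)
    return records


def summarize(records):
    """Group by (qname, qtype): hit count, upstreams seen, and whether any
    hit was logged with "nodata answer" as the last upstream result."""
    summary = {}
    for rec in records:
        entry = summary.setdefault(
            (rec["qname"], rec["qtype"]),
            {"count": 0, "upstreams": set(), "nodata_as_servfail": False},
        )
        entry["count"] += 1
        if rec["upstream"]:
            entry["upstreams"].add(rec["upstream"])
        if rec["last"] == "nodata answer":
            entry["nodata_as_servfail"] = True
    return summary


def suspicious_names(summary):
    """Names with at least one SERVFAIL logged after a nodata upstream reply."""
    return sorted(
        {qname for (qname, _qtype), e in summary.items() if e["nodata_as_servfail"]}
    )


if __name__ == "__main__":
    result = summarize(parse_servfail(SAMPLE_LOG))
    for (qname, qtype), e in sorted(result.items()):
        flag = "nodata->SERVFAIL" if e["nodata_as_servfail"] else "-"
        print(f"{qname:28} {qtype:5} x{e['count']} {flag} {sorted(e['upstreams'])}")
```

Names it flags are worth re-querying per record type with `dig` (without `+short`), as suggested elsewhere in the thread.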

Re: unbound(8) + host(1) + AAAA-only issue

On 2024 Sep 20 (Fri) at 12:45:08 +0200 (+0200), Mike Fischer wrote:
:
:> On 20.09.2024 at 12:13, Stuart Henderson <stu.lists@spacehopper.org> wrote:
:>
:> From what you've shown I can only assume the auth servers are broken
:> and probably refusing to respond for A (rather than an empty NOERROR
:> response).
:
:I agree, that is probably the root cause.
:
:So that would cause host(1) to abort looking for other RRsets? Is that not a bug in host(1)?
:
:Note: I tried looking at the source code of host(1) but I can't figure out how it works.
:
:
:> AAAA-only is a somewhat rare case and IPv6 has only been supported in
:> DNS since 2008 or so, it takes time to get the bugs worked out
:> especially in custom DNS software like is probably used for a dynamic
:> dns zone.
:
:Yes, a mere 18 years is rather new ;-)
:
:
:> If you show the real hostname, maybe someone can figure it out in
:> more detail.
:
:This is an example hostname I created at dynv6.com for the purpose of figuring out this issue:
:test.fwml42.v6.rocks
:
:$ dig +short test.fwml42.v6.rocks aaaa
:2001:db8::dead:beaf
:$ host test.fwml42.v6.rocks
:Host test.fwml42.v6.rocks not found: 2(SERVFAIL)
:$
:

I also have a real hostname that only has IPv6 but it works fine for me
with host and dig. v6.bsd.network, and jane.theapt.org. Feel free to
look at how the servers reply for comparison.

I run one of the auth nameservers with nsd, and the other two are run by
some friends also using open source auth servers.


:
:Thanks!
:Mike
:
:>
:>
:> On 2024-09-20, Mike Fischer <fischer+obsd@lavielle.com> wrote:
:>> I am seeing a weird result on some OpenBSD 7.5 stable amd64 systems:
:>>
:>> The servers are running a local unbound(8) and /etc/resolv.conf is configured to use 127.0.0.1.
:>> $ cat /etc/resolv.conf
:>> nameserver 127.0.0.1
:>> lookup file bind
:>> $
:>>
:>> /var/unbound/etc/unbound.conf is almost default. Only the listening addresses and access limitations have been modified. Name resolution generally works fine on the hosts.
:>>
:>> I have a DNS hostname, call it test.example.dynv6.net, for which only an AAAA record exists. The authoritative name servers don't use DNSSEC.
:>>
:>> Results:
:>> $ host test.example.dynv6.net
:>> Host test.example.dynv6.net not found: 2(SERVFAIL)
:>> $
:>>
:>> $ dig +short test.example.dynv6.net aaaa
:>> 2001:db8::dead:beaf
:>> $
:>>
:>> But for a different hostname (on a different domain, different nameservers, again with only an AAAA record, no A record, no DNSSEC), host(1) returns the IPv6 address as expected.
:>>
:>> Both host(1) and dig(1) should be using the local unbound(8).
:>>
:>> So why isn't host(1) showing the IPv6 address for test.example.dynv6.net? Is this a bug in host(1) or am I doing something wrong?
:>>
:>> How can I debug this to find the root cause?
:>>
:>>
:>> I have added »log-servfail: yes« to /var/unbound/etc/unbound.conf and /var/log/daemon shows entries such as these, when the problem happens:
:>> Sep 20 10:23:03 xxx unbound: [70725:0] error: SERVFAIL <test.example.dynv6.net. A IN>: all servers for this domain failed, at zone dynv6.net. from 95.216.144.82 nodata answer
:>> Sep 20 10:24:10 xxx unbound: [70725:0] error: SERVFAIL <test.example.dynv6.net. A IN>: all servers for this domain failed, at zone dynv6.net. from 2a01:4f8:1c1c:4c96:: nodata answer
:>>
:>> So the problem seems to happen when host(1) tries to resolve the IPv4 address. Apparently once it fails it does not try to resolve the IPv6 address?
:>>
:>>
:>> Thanks!
:>> Mike
:>>
:>
:>
:> --
:> Please keep replies on the mailing list.
:>
:
:

--
It has just been discovered that research causes cancer in rats.

Re: unbound(8) + host(1) + AAAA-only issue

On Fri, Sep 20, 2024 at 12:45:08PM +0200, Mike Fischer wrote:

>
> > On 20.09.2024 at 12:13, Stuart Henderson <stu.lists@spacehopper.org> wrote:
> >
> > From what you've shown I can only assume the auth servers are broken
> > and probably refusing to respond for A (rather than an empty NOERROR
> > response).
>
> I agree, that is probably the root cause.
>
> So that would cause host(1) to abort looking for other RRsets? Is that not a bug in host(1)?
>
> Note: I tried looking at the source code of host(1) but I can't figure out how it works.
>
>
> > AAAA-only is a somewhat rare case and IPv6 has only been supported in
> > DNS since 2008 or so, it takes time to get the bugs worked out
> > especially in custom DNS software like is probably used for a dynamic
> > dns zone.
>
> Yes, a mere 18 years is rather new ;-)
>
>
> > If you show the real hostname, maybe someone can figure it out in
> > more detail.
>
> This is an example hostname I created at dynv6.com for the purpose of figuring out this issue:
> test.fwml42.v6.rocks
>
> $ dig +short test.fwml42.v6.rocks aaaa
> 2001:db8::dead:beaf
> $ host test.fwml42.v6.rocks
> Host test.fwml42.v6.rocks not found: 2(SERVFAIL)
> $

Here host just succeeds with that name (not using unbound as resolver
but PowerDNS recursor)

$ host test.fwml42.v6.rocks
test.fwml42.v6.rocks has IPv6 address 2001:db8::dead:beaf

A tip to investigate further: use -v with host (it shows more
details), don't use +short with dig (it hides useful information).

-Otto

Re: unbound(8) + host(1) + AAAA-only issue

> On 20.09.2024 at 12:13, Stuart Henderson <stu.lists@spacehopper.org> wrote:
>
> From what you've shown I can only assume the auth servers are broken
> and probably refusing to respond for A (rather than an empty NOERROR
> response).

I agree, that is probably the root cause.

So that would cause host(1) to abort looking for other RRsets? Is that not a bug in host(1)?

Note: I tried looking at the source code of host(1) but I can't figure out how it works.


> AAAA-only is a somewhat rare case and IPv6 has only been supported in
> DNS since 2008 or so, it takes time to get the bugs worked out
> especially in custom DNS software like is probably used for a dynamic
> dns zone.

Yes, a mere 18 years is rather new ;-)


> If you show the real hostname, maybe someone can figure it out in
> more detail.

This is an example hostname I created at dynv6.com for the purpose of figuring out this issue:
test.fwml42.v6.rocks

$ dig +short test.fwml42.v6.rocks aaaa
2001:db8::dead:beaf
$ host test.fwml42.v6.rocks
Host test.fwml42.v6.rocks not found: 2(SERVFAIL)
$


Thanks!
Mike

>
>
> On 2024-09-20, Mike Fischer <fischer+obsd@lavielle.com> wrote:
>> I am seeing a weird result on some OpenBSD 7.5 stable amd64 systems:
>>
>> The servers are running a local unbound(8) and /etc/resolv.conf is configured to use 127.0.0.1.
>> $ cat /etc/resolv.conf
>> nameserver 127.0.0.1
>> lookup file bind
>> $
>>
>> /var/unbound/etc/unbound.conf is almost default. Only the listening addresses and access limitations have been modified. Name resolution generally works fine on the hosts.
>>
>> I have a DNS hostname, call it test.example.dynv6.net, for which only an AAAA record exists. The authoritative name servers don't use DNSSEC.
>>
>> Results:
>> $ host test.example.dynv6.net
>> Host test.example.dynv6.net not found: 2(SERVFAIL)
>> $
>>
>> $ dig +short test.example.dynv6.net aaaa
>> 2001:db8::dead:beaf
>> $
>>
>> But for a different hostname (on a different domain, different nameservers, again with only an AAAA record, no A record, no DNSSEC), host(1) returns the IPv6 address as expected.
>>
>> Both host(1) and dig(1) should be using the local unbound(8).
>>
>> So why isn't host(1) showing the IPv6 address for test.example.dynv6.net? Is this a bug in host(1) or am I doing something wrong?
>>
>> How can I debug this to find the root cause?
>>
>>
>> I have added »log-servfail: yes« to /var/unbound/etc/unbound.conf and /var/log/daemon shows entries such as these, when the problem happens:
>> Sep 20 10:23:03 xxx unbound: [70725:0] error: SERVFAIL <test.example.dynv6.net. A IN>: all servers for this domain failed, at zone dynv6.net. from 95.216.144.82 nodata answer
>> Sep 20 10:24:10 xxx unbound: [70725:0] error: SERVFAIL <test.example.dynv6.net. A IN>: all servers for this domain failed, at zone dynv6.net. from 2a01:4f8:1c1c:4c96:: nodata answer
>>
>> So the problem seems to happen when host(1) tries to resolve the IPv4 address. Apparently once it fails it does not try to resolve the IPv6 address?
>>
>>
>> Thanks!
>> Mike
>>
>
>
> --
> Please keep replies on the mailing list.
>

Re: unbound(8) + host(1) + AAAA-only issue

From what you've shown I can only assume the auth servers are broken
and probably refusing to respond for A (rather than an empty NOERROR
response).

AAAA-only is a somewhat rare case and IPv6 has only been supported in
DNS since 2008 or so, it takes time to get the bugs worked out
especially in custom DNS software like is probably used for a dynamic
dns zone.

If you show the real hostname, maybe someone can figure it out in
more detail.


On 2024-09-20, Mike Fischer <fischer+obsd@lavielle.com> wrote:
> I am seeing a weird result on some OpenBSD 7.5 stable amd64 systems:
>
> The servers are running a local unbound(8) and /etc/resolv.conf is configured to use 127.0.0.1.
> $ cat /etc/resolv.conf
> nameserver 127.0.0.1
> lookup file bind
> $
>
> /var/unbound/etc/unbound.conf is almost default. Only the listening addresses and access limitations have been modified. Name resolution generally works fine on the hosts.
>
> I have a DNS hostname, call it test.example.dynv6.net, for which only an AAAA record exists. The authoritative name servers don't use DNSSEC.
>
> Results:
> $ host test.example.dynv6.net
> Host test.example.dynv6.net not found: 2(SERVFAIL)
> $
>
> $ dig +short test.example.dynv6.net aaaa
> 2001:db8::dead:beaf
> $
>
> But for a different hostname (on a different domain, different nameservers, again with only an AAAA record, no A record, no DNSSEC), host(1) returns the IPv6 address as expected.
>
> Both host(1) and dig(1) should be using the local unbound(8).
>
> So why isn't host(1) showing the IPv6 address for test.example.dynv6.net? Is this a bug in host(1) or am I doing something wrong?
>
> How can I debug this to find the root cause?
>
>
> I have added »log-servfail: yes« to /var/unbound/etc/unbound.conf and /var/log/daemon shows entries such as these, when the problem happens:
> Sep 20 10:23:03 xxx unbound: [70725:0] error: SERVFAIL <test.example.dynv6.net. A IN>: all servers for this domain failed, at zone dynv6.net. from 95.216.144.82 nodata answer
> Sep 20 10:24:10 xxx unbound: [70725:0] error: SERVFAIL <test.example.dynv6.net. A IN>: all servers for this domain failed, at zone dynv6.net. from 2a01:4f8:1c1c:4c96:: nodata answer
>
> So the problem seems to happen when host(1) tries to resolve the IPv4 address. Apparently once it fails it does not try to resolve the IPv6 address?
>
>
> Thanks!
> Mike
>


--
Please keep replies on the mailing list.

unbound(8) + host(1) + AAAA-only issue

I am seeing a weird result on some OpenBSD 7.5 stable amd64 systems:

The servers are running a local unbound(8) and /etc/resolv.conf is configured to use 127.0.0.1.
$ cat /etc/resolv.conf
nameserver 127.0.0.1
lookup file bind
$

/var/unbound/etc/unbound.conf is almost default. Only the listening addresses and access limitations have been modified. Name resolution generally works fine on the hosts.

I have a DNS hostname, call it test.example.dynv6.net, for which only an AAAA record exists. The authoritative name servers don't use DNSSEC.

Results:
$ host test.example.dynv6.net
Host test.example.dynv6.net not found: 2(SERVFAIL)
$

$ dig +short test.example.dynv6.net aaaa
2001:db8::dead:beaf
$

But for a different hostname (on a different domain, different nameservers, again with only an AAAA record, no A record, no DNSSEC), host(1) returns the IPv6 address as expected.

Both host(1) and dig(1) should be using the local unbound(8).

So why isn't host(1) showing the IPv6 address for test.example.dynv6.net? Is this a bug in host(1) or am I doing something wrong?

How can I debug this to find the root cause?


I have added »log-servfail: yes« to /var/unbound/etc/unbound.conf and /var/log/daemon shows entries such as these, when the problem happens:
Sep 20 10:23:03 xxx unbound: [70725:0] error: SERVFAIL <test.example.dynv6.net. A IN>: all servers for this domain failed, at zone dynv6.net. from 95.216.144.82 nodata answer
Sep 20 10:24:10 xxx unbound: [70725:0] error: SERVFAIL <test.example.dynv6.net. A IN>: all servers for this domain failed, at zone dynv6.net. from 2a01:4f8:1c1c:4c96:: nodata answer

So the problem seems to happen when host(1) tries to resolve the IPv4 address. Apparently once it fails it does not try to resolve the IPv6 address?


Thanks!
Mike

Re: OpenBSD support for Mac Mini M2 ?

On 2024-09-19, J Doe <general@nativemethods.com> wrote:
> Hi list,
>
> I see in the FAQ that the Apple Mac Mini M2 is a supported platform[0]
> and that the WiFi is supported via: bwfmv(4). I had two questions about
> WiFi support:
>
> 1. Is Host AP mode supported on the Mac Mini M2? The man pages appear
> to imply that this is supported, but I wanted to double-check.

I have a feeling the wifi may not work particularly reliably on the
M2 machines at all in the first place. On the M2 macbook pro it's not
supported at all yet. No idea about hostap on these.

My usual advice for wifi: if you want an AP, buy an AP.

> 2. Does: bwfmv(4) also support the 10 Gigabit mode that is available as
> an option for the Mac Mini M2 ?[1] I am aware that OpenBSD may not
> support full bandwidth at 10 Gbps, but would it support a bandwidth
> higher than 1 Gbps if the 10Gbps option is selected when purchasing a Mini ?

The 10Gb nic is aq(4) and AFAIK it should work.


--
Please keep replies on the mailing list.

Re: x11/tk/8.6: Missing headers in package?

On 2024/09/19 17:12, Stuart Cassoff wrote:
> Depending on the software it may be possible to build against 8.5 and load into/run with 8.6.

Is there a difference between 8.5 and 8.6 regarding whether it's ok to
include private headers in the package?

Re: vxlan(4) Between Three Sites

It seems it's not working for me.

I got rid of veb3 and vport3
I added the ip address to vxlan3

# ifconfig vxlan3
vxlan3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1450
        lladdr fe:e1:ba:d1:2b:00
        index 6 llprio 3
        encap: vnetid 13133 parent gif0 txprio 0 rxprio outer
        groups: vxlan
        tunnel: inet PublicIP:4789 --> 239.13.13.3 ttl 255 nodf
        Addresses (max cache: 100, timeout: 240):
        inet 192.168.3.11 netmask 0xffffff00 broadcast 192.168.3.255

I modified /etc/vm.conf in this way, setting vxlan3 as "my_switch":
# cat /etc/vm.conf

switch "my_switch" {
        # interface veb3
        interface vxlan3
}

vm "vm11_1" {
        memory 1024M
        disable
        disk /home/vms/vm11_1.qcow2
        interface { switch "my_switch" }
        boot device disk
}

I see:
# vmd -n
vmd: /etc/vm.conf:5: invalid switch interface: vxlan3


You mentioned that you modified VXLAN interface.
I think that it could be optimized even better.
RFC7348 says (Linux does it this way):
-  Source Port:  It is recommended that the UDP source port number
         be calculated using a hash of fields from the inner packet --
         one example being a hash of the inner Ethernet frame's headers.
         This is to enable a level of entropy for the ECMP/load-
         balancing of the VM-to-VM traffic across the VXLAN overlay.
         When calculating the UDP source port number in this manner, it
         is RECOMMENDED that the value be in the dynamic/private port
         range 49152-65535 [RFC6335].

I see that OpenBSD sets the same port as the Destination Port,
that is, 4789 for every outgoing packet.

Do you think it's possible to optimize in this way?


On Fri, Sep 20, 2024 at 03:32, David Gwynne <david@gwynne.id.au> wrote:
On Thu, Sep 19, 2024 at 10:05:37PM +0200, Luca Di Gregorio wrote:
> PublicIP1
> -----------
> # cat /etc/hostname.vxlan3
> tunnel PublicIP1:4789 239.13.13.3
> parent gif0
> vnetid 13133
> tunnelttl 255
> mtu 1450
> up
>
> # cat /etc/hostname.gif0
> mtu 1480
> 10.13.11.2 10.13.11.1 netmask 255.255.255.252
> tunnel PublicIP1 PublicIP3
> up
>
> # cat /etc/hostname.vport3
> mtu 1450
> inet 192.168.3.11 0xffffff00
> up
>
> # cat /etc/hostname.veb3
> add vxlan3
> add vport3
> up
>
>
>
> PublicIP2
> ------------
> # cat /etc/hostname.vxlan3
> tunnel PublicIP2:4789 239.13.13.3
> parent gif1
> vnetid 13133
> tunnelttl 255
> mtu 1450
> up
>
> # cat /etc/hostname.gif1
> mtu 1480
> 10.13.12.2 10.13.12.1 netmask 0xfffffffc
> tunnel PublicIP2 PublicIP3
> up
>
> # cat /etc/hostname.vport3
> mtu 1450
> inet 192.168.3.12 0xffffff00
> up
>
> # cat /etc/hostname.veb3
> add vxlan3
> add vport3
> up

a veb with a single port (vxlan in this case) and a single vport
is unnecessary. you can move the IP config to the vxlan interface and get
the same functionality without the overhead of having to switch the
packets through the veb to the vport.

historically a vxlan had to be part of a bridge to support dynamic
endpoint learning, but i rewrote vxlan to be able to do that itself.
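
The RFC 7348 source-port recommendation quoted in the message above, worked through as an added example; it is not part of the thread and is not OpenBSD or Linux code. The function name vxlan_src_port, the choice of FNV-1a as the hash (the RFC names none) and the frame bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ETHER_HDR_LEN   14      /* dst MAC + src MAC + ethertype */
#define PORT_MIN        49152   /* dynamic/private range, RFC 6335 */
#define PORT_BITS       14      /* 65535 - 49152 + 1 == 1 << 14 */

/* FNV-1a, 32-bit: an assumed hash choice; RFC 7348 does not name one. */
static uint32_t
fnv1a32(const uint8_t *p, size_t len)
{
	uint32_t h = 2166136261u;

	while (len-- > 0) {
		h ^= *p++;
		h *= 16777619u;
	}
	return h;
}

/*
 * Hypothetical helper: derive the outer UDP source port from the inner
 * Ethernet header. Returns 0 if the frame is too short to hash.
 */
uint16_t
vxlan_src_port(const uint8_t *frame, size_t len)
{
	uint32_t h;

	if (frame == NULL || len < ETHER_HDR_LEN)
		return 0;
	h = fnv1a32(frame, ETHER_HDR_LEN);
	h ^= h >> PORT_BITS;		/* fold high bits into the low 14 */
	return (uint16_t)(PORT_MIN + (h & ((1u << PORT_BITS) - 1)));
}

int
main(void)
{
	/* Constructed inner header: dst MAC, src MAC, ethertype 0x0800. */
	uint8_t frame[ETHER_HDR_LEN] = {
		0xfe, 0xe1, 0xba, 0xd0, 0x00, 0x01,
		0xfe, 0xe1, 0xba, 0xd0, 0x00, 0x02, 0x08, 0x00 };

	for (int i = 0; i < 4; i++) {
		frame[11] = (uint8_t)(2 + i);	/* a different inner sender */
		printf("src %02x -> port %u\n", frame[11],
		    (unsigned)vxlan_src_port(frame, sizeof(frame)));
	}
	return 0;
}
```

Because the port depends only on the inner header, all frames of one inner MAC pair keep the same outer 5-tuple and stay in order on one ECMP path, while different pairs spread across paths.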

Thursday, September 19, 2024

Re: OpenBSD support for Mac Mini M2 ?


On Sep 20, 2024, at 02:19, J Doe <general@nativemethods.com> wrote:


On Sep 19, 2024, at 18:46, J Doe <general@nativemethods.com> wrote:

Hi list,

I see in the FAQ that the Apple Mac Mini M2 is a supported platform[0]
and that the WiFi is supported via: bwfmv(4).  I had two questions about
WiFi support:

1. Is Host AP mode supported on the Mac Mini M2?  The man pages appear
to imply that this is supported, but I wanted to double-check.

2. Does: bwfmv(4) also support the 10 Gigabit mode that is available as
an option for the Mac Mini M2 ?[1]  I am aware that OpenBSD may not
support full bandwidth at 10 Gbps, but would it support a bandwidth
higher than 1 Gbps if the 10Gbps option is selected when purchasing a Mini ?

Thanks,

- J


Links

[0]:    https://www.openbsd.org/arm64.html
[1]:    https://www.apple.com/shop/buy-mac/mac-mini

A small correction .. wifi is via bwfm(4) and not bwfmv(4) (not sure where I picked up that extra v).

- J

Wow, I just noticed another error in my original message:

The 10 GB option is for wired Ethernet.  So my second question should be is 10 Gbps supported by OpenBSD via the wired Ethernet adaptor ?

Thanks again,

- J

Re: OpenBSD support for Mac Mini M2 ?



On Sep 19, 2024, at 18:46, J Doe <general@nativemethods.com> wrote:

Hi list,

I see in the FAQ that the Apple Mac Mini M2 is a supported platform[0]
and that the WiFi is supported via: bwfmv(4).  I had two questions about
WiFi support:

1. Is Host AP mode supported on the Mac Mini M2?  The man pages appear
to imply that this is supported, but I wanted to double-check.

2. Does: bwfmv(4) also support the 10 Gigabit mode that is available as
an option for the Mac Mini M2 ?[1]  I am aware that OpenBSD may not
support full bandwidth at 10 Gbps, but would it support a bandwidth
higher than 1 Gbps if the 10Gbps option is selected when purchasing a Mini ?

Thanks,

- J


Links

[0]:    https://www.openbsd.org/arm64.html
[1]:    https://www.apple.com/shop/buy-mac/mac-mini

A small correction .. wifi is via bwfm(4) and not bwfmv(4) (not sure where I picked up that extra v).

- J

Re: enc0 without MULTICAST flag

I managed to implement the site-to-site vpn via sec0.
ospfd works on sec0.

A couple of comments:
when sec0 is created, the default mtu is 1280.
I changed this value to 1500 and tested with
ping -D -s .... 
I see that the max mtu is 1446, when the underlay network has mtu 1500.
So, a scrub ( max-mss 1406 ) should be configured in PF for outgoing connections.
sec0 is quite better than enc0 in this: enc0 has max mtu 1444.

Anyway, AFAIK, sec(4) is a quite new interface, so, I'm wondering if a fragment
reassembly could be possible, to reach max mtu 1500 on sec0.
Other interfaces, such as vxlan(4), do fragment reassembly.

Here you can find my configurations for testing.

Host1
------
# cat /etc/iked.conf
ikev2 "server1_rsa" passive \
        from 192.168.4.0/30 to 192.168.4.0/30 \
        local 192.168.3.111 peer 192.168.3.121 \
        srcid server1.domain \
        iface sec0

# cat /etc/hostname.sec0
mtu 1446
192.168.4.1 192.168.4.2 netmask 0xfffffffc
up

Host2
------
# cat /etc/iked.conf
ikev2 'server2_rsa' active \
        from 192.168.4.0/30 to 192.168.4.0/30 \
        peer 192.168.3.111 \
        srcid server2.domain \
        iface sec0

# cat /etc/hostname.sec0
mtu 1446
192.168.4.2 192.168.4.1 netmask 0xfffffffc
up



On Fri, Sep 20, 2024 at 03:16, David Gwynne <david@gwynne.id.au> wrote:
On Thu, Sep 19, 2024 at 10:57:42PM +0200, Luca Di Gregorio wrote:
> I'm running 7.5, I see this alert:
>
> # ifconfig sec0 create
> # ifconfig sec0 tunnel 169.254.229.42/30 169.254.229.41

sorry, this should read:

# ifconfig sec0 inet 169.254.229.42/30 169.254.229.41

i just committed a fix to the manpage.

> ifconfig: error in parsing address string: non-recoverable failure in name
> resolution
>
> I can't configure sec0
>
> On Thu, Sep 19, 2024 at 21:32, Luca Di Gregorio <lucdig@gmail.com>
> wrote:
>
> > Thanks a lot,
> >
> > I'll try it tomorrow. Unfortunately I won't attend EuroBSDCon,
> > anyway, thanks a lot for the invite.
> >
> > On Thu, Sep 19, 2024 at 21:23, Jason Tubnor <jason@tubnor.net>
> > wrote:
> >
> >> Use sec(4) for this. Don't use enc for anything except inspection. If you
> >> are at EuroBSDCon this weekend, come to my talk as I'll be diving into this
> >> exact subject.
> >>
> >> Cheers,
> >>
> >> Jason.
> >>
> >> Sent from my iPhone
> >>
> >> On 19 Sep 2024, at 7:16 PM, Luca Di Gregorio <lucdig@gmail.com> wrote:
> >>
> >> I configured a site-to-site vpn with ike2,
> >> it works for unicast traffic.
> >>
> >> I need to enable ospf on the 2 hosts via enc0, but
> >> ifconfig enc0 shows:
> >>
> >> enc0: flags=41<UP,RUNNING>
> >>         index 2 priority 0 llprio 3
> >>         groups: enc
> >>         status: active
> >>         inet .......
> >>
> >> So, ospfd shows, in /var/log/daemon:
> >>
> >>   ospfd[53563]: if_join_group: error IP_ADD_MEMBERSHIP, interface enc0
> >> address 224.0.0.5: Can't assign requested address
> >>
> >> How can I set the flag MULTICAST on enc0?
> >> man ifconfig doesn't say how to do it.
> >>
> >>