Tag Archives: patches

OpenVPN 2.3.17 on OpenBSD 6.0

On Jun 21, the OpenVPN team released an update for the 2.3.x and 2.4.x branches that resolved some newly discovered security vulnerabilities. The OpenVPN team recommends that users “upgrade to OpenVPN 2.4.3 or 2.3.17 as soon as possible”.

OpenBSD 6.0 (released Sep 1 2016 and still receiving security updates to the base system as per OpenBSD’s policy) shipped with a package for OpenVPN 2.3.11. Below you will find a patch and instructions for using the ports system to upgrade to version 2.3.17. Note that if you’re running OpenBSD 6.1, the ports tree has already been updated to 2.4.3, so all you need to do is “cvs up” and “make install”.

Instructions:

  1. Follow the OpenBSD FAQ for instructions on how to download, verify, and extract the ports tree on your machine.
  2. Then:

     % cd ports/net/openvpn
     % patch < ~/openvpn-2.3.17p0.diff
     % make install

RANCID and the Octothorpe

RANCID (Really Awesome New Cisco confIg Differ) is a tool for automating the collection of hardware and configuration data from network devices. I recently upgraded an installation from version 2.3.1 to 2.3.8. And naturally, because I didn’t have a ton of time to devote to this, stuff broke. It stopped pulling data from some switches. Not all switches, mind, that would be too easy to troubleshoot. Only some.


Net-SNMP 5.6.1 Missing hrSystemProcesses OID

I just upgraded a couple of machines to OpenBSD 4.9 and noticed the hrSystemProcesses OID was not being returned by Net-SNMP 5.6.1 (from the 4.9 ports/packages collection).

jwk@theta:~% snmpwalk -v2c -c public theta .1.3.6.1.2.1.25.1.6.0
SNMPv2-SMI::mib-2.25.1.6.0 = No Such Instance currently exists at this OID

I know for sure this worked on OpenBSD 4.8/Net-SNMP 5.4.2.1.

Turns out there is a bug in Net-SNMP 5.6.1 (bug 3166568) that’s causing this. It’s been fixed in their SVN tree. If you download this patch, place it into your ports/net/net-snmp/patches/ directory and recompile the port, you’ll be good to go.

NetPacket PERL Module Enhancements

NetPacket provides a base class for a cluster of modules related to decoding and encoding of network protocol packets. Each NetPacket descendant module knows how to encode and decode packets for the network protocol it implements. Protocols that NetPacket can encode/decode include IPv4, TCP, UDP, ICMP, Ethernet, and ARP.

I’ve written three additional modules for NetPacket that allow the encoding/decoding of IPv6, ICMPv6, and OpenBSD’s Packet Filter binary log files. I’ve also made numerous changes to existing modules, including fixing spelling mistakes, bug fixes, and documentation enhancements.

If you’re using OpenBSD, you can install the p5-NetPacket port/package which already contains the patches outlined below.

IPv6 Modules

The IPv6 modules allow for the encoding/decoding of IPv6 and ICMPv6 packets. These modules, like the modules that make up the NetPacket distribution, can be used to analyze tcpdump or Wireshark packet captures that contain IPv6/ICMPv6 packets.

Some example code might look like this:

#!/usr/bin/perl -w

use strict;
use Net::PcapUtils;
use NetPacket::Ethernet qw(:strip);   # exports eth_strip()
use NetPacket::IPv6;

# Callback invoked by Net::PcapUtils::loop for every captured packet.
sub process_pkt {
  my ($user, $hdr, $pkt) = @_;

  # Strip the Ethernet header, then decode the IPv6 header that follows.
  my $ip6_obj = NetPacket::IPv6->decode(eth_strip($pkt));
  print("$ip6_obj->{src_ip} -> $ip6_obj->{dest_ip} ");
  print("$ip6_obj->{nxt}\n");   # "next header" value, e.g. 58 for ICMPv6
}

# Capture only IPv6 traffic (BPF filter 'ip6').
Net::PcapUtils::loop(\&process_pkt, FILTER => 'ip6');

This code snippet starts a packet capture and looks for IPv6 packets (the FILTER keyword). Each packet seen is passed to the process_pkt function where the source IP, destination IP, and the “next header” value are output. The output would look similar to this:

2001:618:4cfa:a00:0:0:1:a00 -> 2001:b40d:44:62:0:0:0:276 58

The perlpod documentation that comes with the modules explains all of the data fields that get decoded as well as the object methods. Use the perldoc NetPacket::IPv6 and perldoc NetPacket::ICMPv6 commands to view the documentation.

OpenBSD Packet Filter Module

OpenBSD’s Packet Filter firewall software stores its log files as a libpcap packet dump. This is a binary file format and cannot be read by humans. Additional software is needed to parse and format the log files for analysis and viewing. The PFLog NetPacket module that I’ve written allows for decoding of this binary data.

Some example code might look like this:

#!/usr/bin/perl

use strict;
use Net::Pcap;
use NetPacket;
use NetPacket::IP;
use NetPacket::PFLog;

# Callback invoked by Net::Pcap::loop for every record in the log.
sub analyze_dump {
  my ($user_data, $header, $packet) = @_;
  # Decode the pflog header, then the IP packet it encapsulates.
  my $pflog = NetPacket::PFLog->decode($packet);
  my $ip = NetPacket::IP->decode($pflog->{data});
  print "$pflog->{action} $pflog->{dir} on $pflog->{ifname}";
  print " $ip->{src_ip} -> $ip->{dest_ip}\n";
}

my ($pcap_t, $pcaperr);
$pcap_t = Net::Pcap::open_offline("/var/log/pflog", \$pcaperr);
# open_offline returns undef on failure; $pcaperr holds the reason.
die "pcap_open_offline: $pcaperr\n" unless defined $pcap_t;
Net::Pcap::loop($pcap_t, -1, \&analyze_dump, "");
Net::Pcap::close($pcap_t);

This code snippet opens the PF log file /var/log/pflog, iterates through each packet in the log, and prints the action taken on the packet (pass or block), the packet direction (in or out), the interface name, and the source and destination IP addresses. The output would look similar to this:

pass in on rl0 172.16.0.2 -> 172.16.0.3

The perlpod documentation that comes with the module explains all of the data fields that get decoded as well as the PFLog object methods. Use the “perldoc NetPacket::PFLog” command to view the documentation.
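Building on the snippet above, here is an added example (not from the original post or the NetPacket distribution) that turns a PF log into a short report: a count of records per action/direction, and the source addresses with the most blocked inbound packets. It uses only the PFLog and IP fields shown above plus NetPacket::IP’s ver field; the default log path and the top-N limit are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::Pcap;
use NetPacket::IP;
use NetPacket::PFLog;

my $logfile = shift // "/var/log/pflog";   # assumed default path
my $top_n   = 10;                           # assumed report size

my (%total, %blocked_by_src);

# Callback for every pflog record: tally action/direction, and for
# blocked inbound IPv4 packets remember the source and the interface.
sub tally {
  my ($user_data, $header, $packet) = @_;
  my $pflog = NetPacket::PFLog->decode($packet);
  $total{"$pflog->{action} $pflog->{dir}"}++;

  return unless $pflog->{action} eq 'block' && $pflog->{dir} eq 'in';

  my $ip = NetPacket::IP->decode($pflog->{data});
  return unless $ip->{ver} == 4;   # skip non-IPv4 payloads (e.g. IPv6)
  $blocked_by_src{ $ip->{src_ip} }{count}++;
  $blocked_by_src{ $ip->{src_ip} }{ifaces}{ $pflog->{ifname} } = 1;
}

my $err;
my $pcap = Net::Pcap::open_offline($logfile, \$err)
  or die "pcap_open_offline($logfile): $err\n";
Net::Pcap::loop($pcap, -1, \&tally, "");
Net::Pcap::close($pcap);

# Overall breakdown, e.g. "block in   42" / "pass out   9001".
printf "%-10s %d\n", $_, $total{$_} for sort keys %total;

# Sources ranked by number of blocked inbound packets, most first.
my @ranked = sort { $blocked_by_src{$b}{count} <=> $blocked_by_src{$a}{count} }
             keys %blocked_by_src;
splice @ranked, $top_n if @ranked > $top_n;

print "\nTop sources of blocked inbound packets:\n";
for my $src (@ranked) {
  printf "%6d  %-15s on %s\n", $blocked_by_src{$src}{count}, $src,
         join(",", sort keys %{ $blocked_by_src{$src}{ifaces} });
}
```

Run it as `./pfreport.pl /var/log/pflog` (or on a rotated copy such as pflog.0); a source that dominates the ranking is usually worth a second look in the corresponding PF rule.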

Download

The code is distributed as a patch to the NetPacket distribution.

Apply the patch:

% patch < netpacket-1.4.4.diff

Build NetPacket as per the INSTALL file.

If you’re an OpenBSD user, then you can simply install the net/p5-NetPacket port and be done. The patches are installed automatically (although the port may not always have the most up-to-date version of the patch).