sole instance of a process

2014-11-20 Thread Pete Vickers
Hi,

I suspect this may be the wrong list for this question. However, although 
strictly it's a Bourne shell script query, it only seems to act up under OpenBSD 
(for me).

Essentially I have a job which needs to be run periodically. So I have a shell 
script to do the necessary commands, and this is scheduled via (root's) crontab.
It is however very important that multiple instances of the job are not run 
concurrently (e.g. if a previous invocation hung), and so the script should 
detect this upon invocation before proceeding.

I don't want a single long running job (which could e.g. sleep between loops) 
for various reasons. And I also don't like PID files and other fragile locking 
hacks.


So down to business, below is the gist of my script. Most of the time it 
appears to run fine. However occasionally (once every couple of days?) it 
reports via email that a duplicate process is detected, but the included ps 
listing shows no other instance. I don't believe that this is just due to an 
old instance exiting in the small time window between the pgrep, and the ps 
invocations. So basically I guess there is an error in my script or its 
logic, or something else I'm not seeing.

Any hit with the clue bat gratefully received.



#!/bin/sh
#
#
SHOUT="/usr/bin/logger -i -t MYPERIODICJOB"
#
#
# Ensure another instance of this is not running
#
MYNAME=`basename $0`
MYPID=$$
#
# pgrep -f matches the full command line of every root-owned process;
# our own PID is dropped from the list (note: grep -v matches the PID as
# a substring, not as a whole line) and anything left is treated as a
# duplicate.
/usr/bin/pgrep -fu root $MYNAME | /usr/bin/grep -v $MYPID && {
    $SHOUT HELP - duplicate process detected $?
    ps -axjwww | mail -s "HELP MYPERIODICJOB $MYPID $MYNAME $PPID" \
        m...@example.com
    exit 1
}

#
#
# starting doing useful stuff here..
#


Disclaimer: I know my scripting is far from optimal...


/Pete
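A single-instance guard built on an atomic symlink, added here as an example rather than taken from the post above: it avoids both the pgrep -f search and a separately written PID file, because the lock is created and its owner recorded in one symlink(2) call. LOCKDIR, the pid_alive/acquire_lock/release_lock/run_guarded names and the MYPERIODICJOB tag (borrowed from the script) are this example's own choices, not anything from the thread.

```shell
#!/bin/sh
# Added example, not code from the original post.  A single-instance guard
# for a cron job that needs neither pgrep -f nor a separately written PID
# file: the lock is a symlink whose *target* is the holder's PID, so
# creating it with ln -s records the owner in one atomic step (symlink(2)
# fails with EEXIST if the lock already exists).  The lock path is a
# placeholder chosen for this example.
LOCKDIR=${LOCKDIR:-/var/run/myperiodicjob.lock}

# pid_alive PID: succeed if a process with that PID exists.  kill -0 sends
# no signal; run from root's crontab it cannot fail with EPERM, so a
# failure means the process is gone.  Anything not all digits is "dead".
pid_alive() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    kill -0 "$1" 2>/dev/null
}

# acquire_lock LOCK: 0 when this process now holds the lock, 1 when a live
# process (for instance a hung previous run) still holds it.
acquire_lock() {
    lock=$1
    if ln -s "$$" "$lock" 2>/dev/null; then
        return 0
    fi
    owner=$(readlink "$lock" 2>/dev/null || true)
    if pid_alive "$owner"; then
        return 1                        # genuine duplicate
    fi
    # Stale lock: its owner no longer exists.  Rename it aside rather than
    # deleting in place; rename(2) is atomic, so if two invocations find the
    # same stale lock only one of them moves it, and a lock a competitor
    # re-created in the meantime is never removed from under it.
    stale="$lock.stale.$$"
    if mv "$lock" "$stale" 2>/dev/null; then
        rm -f "$stale"
    fi
    # One retry; whoever creates the symlink first wins, the other reports
    # a duplicate, which is the safe failure mode for this job.
    ln -s "$$" "$lock" 2>/dev/null
}

# release_lock LOCK: remove the lock, but only if this process owns it.
release_lock() {
    if [ "$(readlink "$1" 2>/dev/null || true)" = "$$" ]; then
        rm -f "$1"
    fi
}

# Entry point for the wrapper; the real cron script would end with
# `run_guarded` and put its work where the placeholder comment is.
run_guarded() {
    if ! acquire_lock "$LOCKDIR"; then
        logger -i -t MYPERIODICJOB "duplicate instance detected, lock held by pid $(readlink "$LOCKDIR" 2>/dev/null || echo unknown)"
        exit 1
    fi
    trap 'release_lock "$LOCKDIR"' EXIT INT TERM
    : # ... useful work goes here, with the lock held ...
}
```

Because the owner is looked up with kill -0, a previous invocation that is merely hung still counts as running and the new one exits, which is the behaviour the post asks for.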



Re: 'newer' Qlogic HBA support on amd64

2014-05-16 Thread Pete Vickers
Hi,

Sorry for the delay. I finally upgraded the box (very quick and easy process, 
nice) and the HBA is now attached by the qle driver. However, whilst it 'sees' 
the SAN disk behind it, it remains unable to talk to it.
 

# uname -mrv 
5.5 GENERIC.MP#315 amd64


# dmesg | egrep -i "qle|scsibus1"
qle0 at pci8 dev 0 function 0 QLogic ISP2432 rev 0x02: msi
qle0: bad startup mboxes: 0 0
qle0: firmware rev 4.0.20, attrs 0x2
scsibus1 at qle0: 2048 targets, WWPN 50060b66644e, WWNN 50060b66644f
sd1 at scsibus1 targ 130 lun 0: DGC, RAID 5, 0223 SCSI2 0/direct fixed 
naa.600601601b662700d837603da8efe011
sd2 at scsibus1 targ 131 lun 0: DGC, RAID 5, 0223 SCSI2 0/direct fixed 
naa.600601601b662700d837603da8efe011


sd1 & sd2: Are these duplicates due to redundant paths in the SAN fabric?


# fdisk sd1 
fdisk: DIOCGPDINFO: Input/output error
fdisk: Can't get disk geometry, please use [-chs] to specify.



# pcidump  -v 19:0:0
 19:0:0: QLogic ISP2432
0x: Vendor ID: 1077 Product ID: 2432
0x0004: Command: 0147 Status: 0010
0x0008: Class: 0c Subclass: 04 Interface: 00 Revision: 02
0x000c: BIST: 00 Header Type: 00 Latency Timer: 00 Cache Line Size: 10
0x0010: BAR io addr: 0x5000/0x0100
0x0014: BAR mem 64bit addr: 0xfdff/0x4000
0x001c: BAR empty ()
0x0020: BAR empty ()
0x0024: BAR empty ()
0x0028: Cardbus CIS: 
0x002c: Subsystem Vendor ID: 103c Product ID: 7040
0x0030: Expansion ROM Base Address: 
0x0038: 
0x003c: Interrupt Pin: 01 Line: 07 Min Gnt: 00 Max Lat: 00
0x0044: Capability 0x01: Power Management
0x004c: Capability 0x10: PCI Express
Link Speed: 2.5 / 2.5 GT/s Link Width: x4 / x4
0x0064: Capability 0x05: Message Signaled Interrupts (MSI)
0x0074: Capability 0x03: Vital Product Data (VPD)
0x007c: Capability 0x11: Extended Message Signaled Interrupts (MSI-X)

e.g. http://filedownloads.qlogic.com/files/datasheets/32359/83432-580-00D.pdf



(let me know if you want list spam with full dmesg).


/Pete


On 13. mars 2014, at 18:48, Ted Unangst t...@tedunangst.com wrote:

 On Thu, Mar 13, 2014 at 18:44, Pete Vickers wrote:
 Hi,
 I have an amd64 server (HP DL360 G5), with a Qlogic FC HBA in it. It
 appears to be based on the ISP2400 series, and the isp man page says the
 driver only supports up to the ISP2300 series. However the driver appears
 to try to attach the device irrespective (and fail). Does anyone know how
 different the 2400 series are, or if there is work in progress to support
 them?
 
 In 5.5 and later, that's supported by the qle driver. The isp driver
 is being broken into parts (qlw, qla, qle) depending on generation.
 I'd try a snapshot. It should work better. And if it doesn't work,
 we'd like to know.



'newer' Qlogic HBA support on amd64

2014-03-13 Thread Pete Vickers
Hi,
I have an amd64 server (HP DL360 G5), with a Qlogic FC HBA in it. It appears 
to be based on the ISP2400 series, and the isp man page says the driver only 
supports up to the ISP2300 series. However the driver appears to try to attach 
the device irrespective (and fail). Does anyone know how different the 2400 
series are, or if there is work in progress to support them?

thanks

/Pete

Some relevant info below:


$ dmesg | grep isp0
isp0 at pci8 dev 0 function 0 QLogic ISP2432 rev 0x02: apic 8 int 17
isp0: Polled Mailbox Command (0x8) Timeout (10us)
isp0: Polled Mailbox Command (0x8) Timeout (10us)
isp0: Mailbox Command 'ABOUT FIRMWARE' failed (TIMEOUT)


# pcidump -v 19:0:0
 19:0:0: QLogic ISP2432
0x: Vendor ID: 1077 Product ID: 2432
0x0004: Command: 0147 Status ID: 0010
0x0008: Class: 0c Subclass: 04 Interface: 00 Revision: 02
0x000c: BIST: 00 Header Type: 00 Latency Timer: 00 Cache Line Size: 10
0x0010: BAR io addr: 0x5000/0x0100
0x0014: BAR mem 64bit addr: 0xfdff/0x4000
0x001c: BAR empty ()
0x0020: BAR empty ()
0x0024: BAR empty ()
0x0028: Cardbus CIS: 
0x002c: Subsystem Vendor ID: 103c Product ID: 7040
0x0030: Expansion ROM Base Address: 
0x0038: 
0x003c: Interrupt Pin: 01 Line: 07 Min Gnt: 00 Max Lat: 00
0x0044: Capability 0x01: Power Management
0x004c: Capability 0x10: PCI Express
Link Speed: 2.5 / 2.5 GT/s Link Width: x4 / x4
0x0064: Capability 0x05: Message Signaled Interrupts (MSI)
0x0074: Capability 0x03: Vital Product Data (VPD)
0x007c: Capability 0x11: Extended Message Signaled Interrupts (MSI-X)


$ dmesg | head  


OpenBSD 5.3 (GENERIC.MP) #62: Tue Mar 12 18:21:20 MDT 2013
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP


# sysctl hw  
hw.machine=amd64
hw.model=Intel(R) Xeon(R) CPU E5420 @ 2.50GHz
hw.ncpu=4
hw.byteorder=1234
hw.pagesize=4096
hw.disknames=sd0:20008a7ae6c37c52,cd0:
hw.diskcount=2
hw.sensors.cpu0.temp0=37.00 degC
hw.sensors.cpu1.temp0=37.00 degC
hw.sensors.cpu2.temp0=37.00 degC
hw.sensors.cpu3.temp0=37.00 degC
hw.sensors.acpitz0.temp0=8.30 degC (zone temperature)
hw.sensors.ciss0.drive0=online (sd0), OK
hw.cpuspeed=2500
hw.setperf=100
hw.vendor=HP
hw.product=ProLiant DL360 G5
hw.physmem=4292161536
hw.usermem=4292136960
hw.ncpufound=4
hw.allowpowerdown=1



Re: OpenBSD 5.0-current (GENERIC) #65: Thu Nov 3 00:58:36 MDT 2011

2012-01-20 Thread Pete Vickers
On 20. jan. 2012, at 01.50, Martin Pelikan wrote:

 ... better alternative:

 echo 'export PKG_PATH=ftp://ftp.XX.openbsd.org/pub/OpenBSD/`uname -r`/packages/`uname -m`/' >> ~/.profile

 for -release and -stable, or

 echo 'export PKG_PATH=ftp://ftp.XX.openbsd.org/pub/OpenBSD/snapshots/packages/`uname -m`/' >> ~/.profile



Instead, why not solve the general case rather than specific cases? Since the
install script now guesses the location of the nearest mirror for the install
source (& TZ etc), I don't see why it couldn't set up a sane default PKG_PATH in
/etc/profile (easily overridden in ~/.profile if desired) at install time. This
should of course use the correct arch & version (if it's a snapshot then set
the PKG_PATH as such) and be derived from the install source.

- I know this breaks for mirror sites which carry only install images, not
packages; this can be combated thus: 'pkg_add -v' should maybe announce which
site it's using, to aid debugging (and be referenced in SASQ).

- people that install snapshots, and then don't keep up with -current, will
possibly (probably) get broken packages. That applies with or without this
change. Again 'pkg_add -v' could grep for /snapshot/ in the PKG_PATH, and if
present, proceed, but with a one line warning (or alternatively stop unless a
new -D keyword to force snapshot packages was supplied).



/Pete



Re: Add Route at Boot Time

2012-01-20 Thread Pete Vickers
add a line like !/sbin/route what via where to your /etc/hostname.vr1 file



On 20. jan. 2012, at 15.29, Hendrickson, Kenneth wrote:

 +--+
 |   Firewall   |
 |  | .33.34.35.97
 | vr0dhcpd |  |  |  |  |  Wired Network
 | 172.24.10.21 |--+--+--+--+- 172.24.10/24
 |  |
 |  |   +-+
 | vr1  |   | Wireless Router |
 | 172.24.20.1  |---| 172.24.20.2 |Wireless Network
 |  |   | 192.168.2.1 |--- 192.168.2/24
 |  |   |   dhcpd |
 |  |   +-+
 | vr2  |
 | 172.24.30.1  |- Future Use
 |  |
 |  |   +-+
 | vr3 dhclient |---|   Cable Modem   |--- Internet Cloud
 +--+   +-+
 
 Problem.  I need to manually do:
route add -inet 192.168.2.0/24 172.24.20.2
 
 How do I get this done automagically at boot time?
 What man pages do I need to (re-)read?
 
 Thanks,
 Ken



Re: OpenBSDd functionality equal to neighbor allowas-in?

2012-01-07 Thread Pete Vickers
SOO can be used for loop detection, but only if your BGP peerings don't strip
extended communities.

Another dirty hack would be to get the peer to aggregate your 'remote'
prefixes towards you (without as-set) to conceal the ASN. Beware that eBGP
routes are preferred over iBGP by default though: this is a gun, and your
feet look tempting.

/Pete


On 6. jan. 2012, at 22:01, Stuart Henderson s...@spacehopper.org wrote:

 On 2012-01-06, Donald Reichert silvershadow...@gmx.de wrote:
 Hi list,

 I'd like to replace some Ciscos by OpenBSD machines.

 On the routers I have configured the possibility to span networks from our
own AS over peerings, Cisco speak: neighbor x.x.x.x allowas-in

 This is needed for disjunct networks.

 I didn't find a clue how to do this with OpenBGPd - any hints?

 Thanks,

 Donald

 Not currently possible, it will need code changes. Normally this check
 is done to prevent route loops. It shouldn't be too hard to naively hack
 this type of option into place, but I'm not sure what else might need
 to be done to avoid loops.



BFD (a la. RFC5880/5881)

2012-01-06 Thread Pete Vickers
Hi,

Just a quick question to see if anyone's working on implementing the above on
OpenBSD, and in particular its integration with OpenBGPD/OpenOSPFD? Note that
this is not a 'please can I have this feature for free' or suchlike, merely a
tentative status query. (BFD is appearing more & more frequently in the
multi-vendor environments some of my OpenBSD boxen reside in.)

thanks,

/Pete



Re: problem running named in non 0 rdomain

2012-01-03 Thread Pete Vickers
On 1. jan. 2012, at 23.40, Stuart Henderson wrote:

 On 2012-01-01, Pete Vickers p...@systemnet.no wrote:
 snippet from /etc/named-gn.conf :
 controls {
   inet 10.20.30.2 port 954 allow {10.20.30.2;} keys {rndc-key;};
 };

 then it also fails and complains thus:

 Jan  1 09:01:49 ns0 named[8504]: [child]: disallowed port 954
 Jan  1 09:01:49 ns0 named[8504]: /etc/named-gn.conf:19: couldn't add
command
 channel 10.20.30.2#954: permission denied
 Jan  1 09:01:49 ns0 named[8504]: running

 So I guess that named's (unprivileged?) child does not honour (inherit?) the
 parent's rdomain, and thus cannot bind to either rdomain '0' or '1'
 successfully?

 The child process only allows binding to ports 53/953/921, see
 usr.sbin/bind/lib/isc/unix/privsep.c line 190.

 I'm pretty sure the child will be inheriting the rdomain from the process
 which forked it.


Ahh. Indeed. Once I used an approved port, it appears happy even in the
non-default table:

root@ns0 ~ # route -T 1 exec rndc -s 10.20.30.2 status
number of zones: 3
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running


thanks for the clue.

/Pete



problem running named in non 0 rdomain

2012-01-01 Thread Pete Vickers
Hi,

I am having difficulty running named in a non-default rdomain, on the
following platform:

root@ns0 ~ # uname -a
OpenBSD ns0.whatever 5.0 GENERIC#36 sparc64


I have an interface in rdomain '1':


root@ns0 ~ # ifconfig bge1 | head -1
bge1: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> rdomain 1 mtu 1500

and happy:

root@ns0 ~ # ping -c 1 -V 1 10.20.30.2
PING 10.20.30.2 (10.20.30.2): 56 data bytes
64 bytes from 10.20.30.2: icmp_seq=0 ttl=255 time=0.215 ms



However, when I try to start the named daemon in that rdomain with the
following command:


# route -T 1 exec /usr/sbin/named -4 -i /var/run/named-gn.pid -c
/etc/named-gn.conf


the daemon starts successfully, but cannot open a control port on the loopback
interface, and complains thus:

Jan  1 09:12:19 ns0 named[23519]: [child]: disallowed port 954
Jan  1 09:12:19 ns0 named[23519]: /etc/named-gn.conf:21: couldn't add command
channel 127.0.0.1#954: address not available


This is fair enough I guess, since the loopback interface is in the default
rdomain and is thus unavailable to the named process.


However if I instead explicitly configure the control port to be on the
correct interface (IP address), thus:


snippet from /etc/named-gn.conf :
controls {
   inet 10.20.30.2 port 954 allow {10.20.30.2;} keys {rndc-key;};
};


then it also fails and complains thus:

Jan  1 09:01:49 ns0 named[8504]: [child]: disallowed port 954
Jan  1 09:01:49 ns0 named[8504]: /etc/named-gn.conf:19: couldn't add command
channel 10.20.30.2#954: permission denied
Jan  1 09:01:49 ns0 named[8504]: running


So I guess that named's (unprivileged?) child does not honour (inherit?) the
parent's rdomain, and thus cannot bind to either rdomain '0' or '1'
successfully?

To make matters worse, since I can't now use rndc to reload zones on the fly,
I tried to HUP the named process, but this also fails miserably (since it
appears to re-read the default config file instead)

Is this a bug, or am I doing something silly? (Suggestions regarding using
other DNS daemons are not really helpful unless they are 1. in base, 2. can
host both recursive & master services on the same IP/port.)

thanks & happy new year!


/Pete



Re: Performance problems with OpenBSD 4.9 under ESXi 5

2011-11-01 Thread Pete Vickers
On 1. nov. 2011, at 00.15, carlopmart wrote:

 On 10/31/2011 10:01 PM, Tyler Morgan wrote:
 Hi, I setup four 4.9-RELEASE installs under ESXi 5.0.0:

 amd64 as Other
 amd64 as FreeBSD
 i386 as Other
 i386 as FreeBSD

 All 4 got 512megs of RAM, unlimited use of the 8 available CPU cores,
 and totally default installs other than stress from ports.

 After installing I ran stress --cpu 8 --io 4 --vm 2 --vm-bytes 128M
 --hdd 4 --hdd-bytes 128M --timeout 60s in an infinite loop for a few
 hours. Then I let them sit for a couple days. Then I the stress loops
 again for a few hours with 3 days of uptime. I verified the stress was
 pegging 95%+ of all CPU, doing about 75% of what the RAID array is
 capable of in disk read/write, and as much RAM as I'd let it have -- all
 verified using ESXi's standard host monitoring.

 At the end of testing, I have no unusual messages in dmesg, a normal
 0.5ish load when idle, and no noticed performance issues on all four
 virtual machines.

 The ESXi host is a 3.5 year old SuperMicro server from Penguin Linux
 with 2xXeon X5365s, 32Gigs of ECC DDR3, and an Adaptec RAID controller.
 I can get a real dmesg out of the ESXi host if anyone wants it, and
 someone already provided a dmesg of 4.9-RELEASE under VMWare, but I can
 also provide those if desired.


 ESXi 3.5?? Can you test with ESXi 4 U2??


I have some OpenBSD AMD64 (as 'other-64bit') VMs running fine for months under
ESX 4.1.0 e.g:


# sysctl hw
hw.machine=amd64
hw.model=Intel(R) Xeon(R) CPU X5650 @ 2.67GHz
hw.ncpu=2
hw.byteorder=1234
hw.pagesize=4096
hw.disknames=cd0:,sd0:c71fe08ce57dfde4,sd1:4af057f745d341a4
hw.diskcount=3
hw.sensors.acpiac0.indicator0=On (power supply)
hw.sensors.vmt0.timedelta0=-0.001828 secs, OK, Tue Nov  1 11:45:20.995
hw.cpuspeed=2659
hw.vendor=VMware, Inc.
hw.product=VMware Virtual Platform
hw.version=None
hw.serialno=VMware-xx
hw.uuid=xx
hw.physmem=3220111360
hw.usermem=3220094976
hw.ncpufound=2



Re: [OpenBGPd] - removing private AS from AS path

2011-08-29 Thread Pete Vickers
On 29. aug. 2011, at 12.22, Laurent CARON wrote:

 Hi,

 I wonder if it is possible to remove a private AS from the AS path while
 using OpenBGPd.

 IOS black magic for this would be:
 # neighbor $NEIGH remove-private-AS


slightly OT, but IIRC that IOS command only strips a _pure_ private AS path.
If the AS_PATH is a mixture of private and public ASNs, then it is not
modified. (Cisco regard such AS_PATHs as a config error, to be corrected not
hidden).

/Pete



Sun Ultra45 4.9R crashes loading kernel...

2011-05-02 Thread Pete Vickers
Hi,

trying to boot my Sun Ultra45 workstation from install49.iso results in this:



ok reset-all


Sun Ultra 45 Workstation, No Keyboard
Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
OpenBoot 4.22.19, 8192 MB memory installed, Serial #69377208.
Ethernet address 0:14:4f:22:9c:b8, Host ID: 84229cb8.




ok boot cdrom
Boot device: /pci@1e,60/pci@0/pci@1/pci@0/ide@1f/cdrom@0,0:f  File and
args:
OpenBSD IEEE 1275 Bootblock 1.3
.. OpenBSD BOOT 1.4
Trying bsd...
Booting /pci@1e,60/pci@0/pci@1/pci@0/ide@1f/cdrom@0,0:f/bsd
3785400@0x100+7496@0x139c2b8+3255032@0x180+939272@0x1b1aaf8
symbols @ 0xfefbc240 65 start=0x100
console is /ebus@1f,464000/serial@2,80
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2011 OpenBSD. All rights reserved.  http://www.OpenBSD.org

OpenBSD 4.9 (RAMDISK) #517: Wed Mar  2 07:49:10 MST 2011
dera...@sparc64.openbsd.org:/usr/src/sys/arch/sparc64/compile/RAMDISK
real mem = 8589934592 (8192MB)
avail mem = 8447508480 (8056MB)
mainbus0 at root: Sun Ultra 45 Workstation
cpu0 at mainbus0: SUNW,UltraSPARC-IIIi (rev 3.4) @ 1600 MHz
cpu0: physical 32K instruction (32 b/l), 64K data (32 b/l), 1024K external (64
b/l)
memory-controller at mainbus0 not configured
pyro0 at mainbus0: Fire, rev 3, ign 780, bus A 2 to 12
pyro0: dvma map c000-
pci0 at pyro0
ppb0 at pci0 dev 0 function 0 PLX PEX 8532 rev 0xaa
pci1 at ppb0 bus 3
ppb1 at pci1 dev 1 function 0 PLX PEX 8532 rev 0xaa
pci2 at ppb1 bus 4
ppb2 at pci2 dev 0 function 0 Acer Labs M5249 PCI-PCI rev 0x00
pci3 at ppb2 bus 5
ohci0 at pci3 dev 28 function 0 Acer Labs M5237 USB rev 0x03: ivec 0x780,
version 1.0, legacy support
ohci1 at pci3 dev 28 function 1 Acer Labs M5237 USB rev 0x03: ivec 0x780,
version 1.0, legacy support
ohci2 at pci3 dev 28 function 2 Acer Labs M5237 USB rev 0x03: ivec 0x780,
version 1.0, legacy support
ehci0 at pci3 dev 28 function 3 Acer Labs M5239 USB2 rev 0x01: ivec 0x781
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Acer Labs EHCI root hub rev 2.00/1.00 addr 1
Acer Labs M5455 Audio rev 0x21 at pci3 dev 29 function 0 not configured
Acer Labs M7101 Power rev 0x00 at pci3 dev 30 function 1 not configured
pciide0 at pci3 dev 31 function 0 Acer Labs M5229 UDMA IDE rev 0xc8: DMA,
channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide0: using ivec 0x784 for native-PCI interrupt
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: MATSHITA, DVD-RAM UJ-845S, D100 ATAPI 5/cdrom
removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 Acer Labs OHCI root hub rev 1.00/1.00 addr 1
usb2 at ohci1: USB revision 1.0
uhub2 at usb2 Acer Labs OHCI root hub rev 1.00/1.00 addr 1
usb3 at ohci2: USB revision 1.0
uhub3 at usb3 Acer Labs OHCI root hub rev 1.00/1.00 addr 1
ppb3 at pci1 dev 2 function 0 PLX PEX 8532 rev 0xaa
pci4 at ppb3 bus 6
ppb4 at pci4 dev 0 function 0 ServerWorks PCIE-PCIX rev 0xb3
pci5 at ppb4 bus 7
bge0 at pci5 dev 4 function 0 Broadcom BCM5715 rev 0xa2, BCM5715 A1
(0x9001): ivec 0x796, address 00:14:4f:22:9c:b8
brgphy0 at bge0 phy 1: BCM5714 10/100/1000baseT/SX PHY, rev. 0
bge1 at pci5 dev 4 function 1 Broadcom BCM5715 rev 0xa2, BCM5715 A1
(0x9001): ivec 0x797, address 00:14:4f:22:9c:b9
brgphy1 at bge1 phy 1: BCM5714 10/100/1000baseT/SX PHY, rev. 0
ppb5 at pci1 dev 3 function 0 PLX PEX 8532 rev 0xaa: ivec 0x796
pci6 at ppb5 bus 8
ppb6 at pci1 dev 8 function 0 PLX PEX 8532 rev 0xaa: ivec 0x794
pci7 at ppb6 bus 9
ppb7 at pci1 dev 9 function 0 PLX PEX 8532 rev 0xaa
pci8 at ppb7 bus 10
ppb8 at pci8 dev 0 function 0 Intel 41210 PCIE-PCIX rev 0x09
pci9 at ppb8 bus 11
mpi0 at pci9 dev 1 function 0 Symbios Logic SAS1064 rev 0x02: ivec 0x78f
scsibus1 at mpi0: 63 targets
sd0 at scsibus1 targ 0 lun 0: SEAGATE, ST914602SSUN146G, 0603 SCSI3 0/direct
fixed
sd0: 140009MB, 512 bytes/sec, 286739329 sec total
ppb9 at pci8 dev 0 function 2 Intel 41210 PCIE-PCIX rev 0x09
pci10 at ppb9 bus 12
radeonfb0 at pci10 dev 2 function 0 ATI Radeon VE rev 0x00
radeonfb0: SUNW,375-3290, 1152x900
wsdisplay0 at radeonfb0
wsdisplay0: screen 0 added (std, sun emulation)
pyro1 at mainbus0: Fire, rev 3, ign 7c0, bus B 2 to 255
pyro1: dvma map c000-
pci11 at pyro1
ebus0 at mainbus0: ign 7c0
flashprom at ebus0 addr 0-1f not configured
rtc0 at ebus0 addr 10-1f: bq4802
com0 at ebus0 addr 80-87 ivec 0x8: st16650, no working fifo
com0: console
com1 at ebus0 addr 0-7 ivec 0x8: st16650, no working fifo
env-monitor at ebus0 addr 0-41 not configured
i2c at ebus0 addr 80-81 ivec 0x1 not configured
power at ebus0 addr e0-e1 ivec 0x3 not configured
i2c at mainbus0 not configured
i2c at mainbus0 not configured
i2c at mainbus0 not configured
ppm at mainbus0 not configured
data error type 32 sfsr=80800c sfva=4004fba0001 afsr=1008000500
afva=7f8100012c0 

Re: relayd.conf and multiple webservers on the inside

2011-04-14 Thread Pete Vickers
Depending on your DNS name flexibility, another possible alternative is to use
site names like bob.example.com and alice.example.com; then you can run both
via a single wildcard SSL cert *.example.com on the single IP address.


/Pete


On 14. apr. 2011, at 20:45, Matthew Dempsky matt...@dempsky.org wrote:

 On Thu, Apr 14, 2011 at 11:36 AM, Matthew Dempsky matt...@dempsky.org
wrote:
 On Thu, Apr 14, 2011 at 11:09 AM, Kevin Chadwick ma1l1i...@yahoo.co.uk
wrote:
 Are you sure you want to do this. Do you want any ssl on these sites,
 because you'll need ugly :port on your ssl urls if you do.

 Using Subject Alternative Names, you can get a single SSL certificate
 that covers multiple hostnames.

 Alternatively, if someone adds SNI support to relayd, then you could
 still use multiple distinct SSL certificates as well.  The version of
 OpenSSL in base already supports SNI.

 Also, both of these solutions assume relayd is the SSL termination
 point for both web sites.  If instead you want the backends to be
 responsible for handling SSL, then yeah, you need to use separate IP
 addresses or ports.



Re: Support for Intel X520-T2 10GbaseT cards

2011-03-16 Thread Pete Vickers
.

 It is based on the 82599 chipset, so why wouldn't it? My mistake, is
 seems..

 I get an unknown product 0x151c error in dmesg (see below).

 So now we have a pair of these cards and the obvious question is of
course,
 will they be supported?

 I realize that I should have checked this before I bought it,
 but as Intel claims in the specs
 (http://www.intel.com/Assets/PDF/prodbrief/318349-004.pdf)
 it is supported by FreeBSD and I believe that's from where the driver was
 ported.

 I'm very grateful for any input.

 This is a diff against -current not 4.8 but perhaps it applies there as
well:

 you'll have to apply this from /usr/src/sys/dev/pci and then
 run 'make' in the directory to regenerate the pcidevs headers

 Index: pcidevs
 ===
 RCS file: /cvs/src/sys/dev/pci/pcidevs,v
 retrieving revision 1.1590
 diff -u -p -r1.1590 pcidevs
 --- pcidevs   26 Jan 2011 07:09:09 -  1.1590
 +++ pcidevs   15 Mar 2011 17:31:38 -
 @@ -2492,6 +2492,7 @@ product INTEL 82580_SGMII   0x1511  82580 S
 product INTEL 82580_COPPER_DUAL   0x1516  I340-T2 (82580)
 product INTEL 82599_KX4_MEZZ  0x1514  10GbE KX4 (82599)
 product INTEL 82576_NS_SERDES 0x1518  82576NS SerDes
 +product INTEL 82599_T3_LOM   0x151c  82599 T3
 product INTEL 82576_QUAD_CU_ET2   0x1526  PRO/1000 QP (82576)
 product INTEL 80960RP_ATU 0x1960  80960RP ATU
 product INTEL 82840_HB0x1a21  82840 Host
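Review bot: the description column for the new 0x151c entry reads just "82599 T3", while the neighbouring entries name the product and put the chip in parentheses ("I340-T2 (82580)", "10GbE KX4 (82599)"); since the cover text says this is for the X520-T2, something like "X520-T2 (82599)" would match the file's style, and the _LOM suffix (LAN on motherboard) is worth double-checking for an add-in card.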
 Index: if_ix.c
 ===
 RCS file: /cvs/src/sys/dev/pci/if_ix.c,v
 retrieving revision 1.46
 diff -u -p -r1.46 if_ix.c
 --- if_ix.c   10 Nov 2010 15:23:25 -  1.46
 +++ if_ix.c   15 Mar 2011 17:31:39 -
 @@ -68,7 +68,8 @@ const struct pci_matchid ixgbe_devices[]
   { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_82599_COMBO_BACKPLANE },
   { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_82599_CX4 },
   { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_82599_SFP },
 - { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_82599_SFP_EM }
 + { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_82599_SFP_EM },
 + { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_82599_T3_LOM }
 };

 /*
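Review bot: PCI_PRODUCT_INTEL_82599_T3_LOM in the new matchid entry only exists once the pcidevs headers are regenerated, which the cover text describes as a separate manual 'make' step in /usr/src/sys/dev/pci; the commit should carry the regenerated pcidevs.h and pcidevs_data.h (or the message should say they are regenerated) so that if_ix.c does not fail to build when applied on its own.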
 @@ -1251,6 +1252,10 @@ ixgbe_identify_hardware(struct ix_softc
   case PCI_PRODUCT_INTEL_82598EB_XF_LR:
   sc-hw.mac.type = ixgbe_mac_82598EB;
   sc-optics = IFM_10G_LR;
 + break;
 + case PCI_PRODUCT_INTEL_82599_T3_LOM:
 + sc-hw.mac.type = ixgbe_mac_82599EB;
 + sc-optics = IFM_10G_T;
   break;
   case PCI_PRODUCT_INTEL_82598AT_DUAL:
   case PCI_PRODUCT_INTEL_82598AT:
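Review bot: the new case for PCI_PRODUCT_INTEL_82599_T3_LOM is inserted between the 82598EB entries (PCI_PRODUCT_INTEL_82598EB_XF_LR above, PCI_PRODUCT_INTEL_82598AT_DUAL below) even though it assigns ixgbe_mac_82599EB; placing it next to the other 82599 cases in ixgbe_identify_hardware would keep the mac-type groups together and make the assignment easier to audit, and a one-line comment that IFM_10G_T is chosen because the X520-T2 is a 10GBASE-T copper part would help the next reader.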


Pete Vickers

p...@systemnet.no |  +47 48 17 91 00

SystemNet AS



/etc/hosts comments update

2011-02-22 Thread Pete Vickers
Now that the IPv4 address space is fully allocated, perhaps it's time to
update the comments in /etc/hosts? Here is my attempt at a reasonably concise
update:



# Assignments from RFC5735 (supersedes RFC1918)
#
# Allocated for use as the Internet host loopback address:
#   127.0.0.0/8
#
# Allocated for communication between hosts on a single link. Hosts obtain
# these addresses by auto-configuration (in the absence of DHCP):
#   169.254.0.0/16
#
# Addresses within these blocks do not legitimately appear on the public Internet
# and can be used without any coordination with IANA or an Internet registry:
#   10.0.0.0/8  private networks
#   172.16.0.0/12   private networks
#   192.168.0.0/16  private networks
#   192.0.2.0/24documentation/examples
#   198.51.100.0/24 documentation/examples
#   203.0.113.0/24  documentation/examples
#   198.18.0.0/15   benchmark interconnect testing
#
# Full assignments details are available here:
# http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.txt
#



More contentiously, this is an IPv6 counterpart:



# Allocated for use as the Internet host loopback address:
#   ::1/128
#
# Allocated special purpose address blocks:
#   fe80::/10  Link local addresses (auto-configured)
#   fc00::/7   Unique local address (private networks)
#   2001:db8::/32  documentation/examples
#   2001:2::/48benchmark interconnect testing
#
# Full assignments details are available here:
# http://www.iana.org/assignments/ipv6-unicast-address-assignments/ipv6-unicast-address-assignments.txt



Note that I interpret the aim of these comments as an aide-memoire, rather
than a tutorial on IP addressing schemes, so it's intentionally brief.


/Pete



Re: /etc/hosts comments update

2011-02-22 Thread Pete Vickers
On 22. feb. 2011, at 16.22, Joachim Schipper wrote:

 On Tue, Feb 22, 2011 at 03:04:25PM +0100, Pete Vickers wrote:
 Now that the IPv4 address space is fully allocated, perhaps it's time to
 update the comments in /etc/hosts? Here is my attempt at a reasonably
 concise update:

 # Assignments from RFC5735 (supersedes RFC1918)
 #
 # Allocated for use as the Internet host loopback address:
 #   127.0.0.0/8
 #
 # Allocated for communication between hosts on a single link. Hosts obtain
 # these addresses by auto-configuration (in the absence of DHCP):
 #   169.254.0.0/16
 #
 # Addresses within these blocks do not legitimately appear on the public Internet
 # and can be used without any coordination with IANA or an Internet registry:
 #   10.0.0.0/8  private networks
 #   172.16.0.0/12   private networks
 #   192.168.0.0/16  private networks
 #   192.0.2.0/24documentation/examples
 #   198.51.100.0/24 documentation/examples
 #   203.0.113.0/24  documentation/examples
 #   198.18.0.0/15   benchmark interconnect testing
 #
 # Full assignments details are available here:
 # http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.txt
 #



 More contentiously, this is an IPv6 counterpart:

 Note that I interpret the aim of these comments as an aide-memoire, rather
 than a tutorial on IP addressing schemes, so it's intentionally brief.

 I think your IPv4 text unwisely suggests that using e.g. 192.0.2.0/24
 for your own stuff is okay. That's true only until you put a device with
 an appropriate list of unroutable IPs on your network, etc.

All those prefixes are 'unroutable' on the public Internet, and 'routable' on
private internetworks at the admin's discretion. 192.0.2.0/24 is no different
to the other addresses: RFC5735 says "... do not legitimately appear on the
public Internet and can be used without any coordination with IANA or an
Internet registry".



 Also, if you're going to be exhaustive, you missed at least multicast.

hence my comment about being intentionally brief.


 Why do you feel this is useful?


It appears to me that the existing 'listing' is half complete, so I proposed a
more thorough version; obviously another alternative would be to remove these
bits altogether:

# RFC 1918 specifies that these networks are internal.
# 10.0.0.0  10.255.255.255
# 172.16.0.0172.31.255.255
# 192.168.0.0   192.168.255.255


   Joachim




/Pete



Re: nat static-port option

2011-02-04 Thread Pete Vickers
On 3. feb. 2011, at 17.37, Bret S. Lambert wrote:

 On Thu, Feb 03, 2011 at 07:31:01AM -0800, Johan Beisser wrote:
 On Feb 3, 2011, at 5:17, Martin Schröder mar...@oneiros.de wrote:
 
 2011/2/3 Bret Lambert bret.lamb...@gmail.com:
 Counting my toaster?
 
 Your toaster has an IP?
 
 
 Yours doesn't?
 
 
 He's got IPv6! His *cockroaches' toasters* have IPs!
 


He doesn't appear to 'have' IPv6...

http://www.ris.ripe.net/dashboard/24640


/Pete



Options iCON401 USB 'modem' needs umass-umsm tickle ?

2011-01-27 Thread Pete Vickers
Hi,

My Option iCON401 (aka GI401) [1] appears to require tickling to re-appear as
a umsm instead of the initial umass. Can someone point me at the file/list to
add the IDs to, to invoke this?

thanks

/Pete


$ usbdevs -dv -f /dev/usb0

Controller /dev/usb0:
addr 1: high speed, self powered, config 1, EHCI root hub(0x),
Intel(0x8086), rev 1.00
  uhub0
 port 1 addr 2: high speed, power 500 mA, config 1, Globetrotter HSUPA
Modem(0x7401), Option N.V.(0x0af0), rev 0.00, iSerialNumber Serial Number
   umass0



Under Mac OS.X it creates 4 serial lines:

mbp:~ pete$ ls -l /dev/tty.GI*
crw-rw-rw-  1 root  wheel   11,   8 Jan 26 22:35 /dev/tty.GI401 App
crw-rw-rw-  1 root  wheel   11,  10 Jan 26 22:35 /dev/tty.GI401 Control
crw-rw-rw-  1 root  wheel   11,   6 Jan 26 22:35 /dev/tty.GI401 Diag
crw-rw-rw-  1 root  wheel   11,  12 Jan 26 22:35 /dev/tty.GI401 Modem


[1] http://www.option.com/en/products/products/usb-modems/icon401



Re: secure popa3d

2011-01-21 Thread Pete Vickers
No problem with inbuilt pop3d. Some hints for you:


$ grep pop3 /etc/inetd.conf
127.0.0.1:pop3  stream  tcp  nowait  root  /usr/sbin/popa3d  popa3d

$ pkg_info | grep stunnel
stunnel-4.20SSL encryption wrapper for standard network daemons

$ grep -A 3 pop3s  /etc/stunnel/stunnel.conf
[pop3s]
accept  = 995
connect = 127.0.0.1:110


/Pete



On 21. jan. 2011, at 12.49, OpenBSD Geek wrote:

 Hi,

 I'm trying to build a mailserver with OpenBSD, Sendmail, cyrus-sasl, and
 popa3d. All works good. And thank you for all replies (for sendmail
 question).

 Is there a way to secure popa3d, except using TCPWrappers (tcpd) ?

 Thank you for your help.

 Wesley M.



NAT64 via pf/OpenBSD

2010-12-10 Thread Pete Vickers
Hi,

We're currently deploying some IPv6 connectivity (no flame wars please), and
need to provide a suitable transition solution for IPv6 only clients to access
IPv4 services. At a bare minimum generic TCP/UDP/ICMP services should be
supported for large pools of users. I'm aware of Reyk's work here:
http://marc.info/?l=openbsd-cvs&m=121676868023535&w=2 but AFAICT this doesn't
address several of our requirements.

The most appropriate solution appears to be stateful NAT64 (with DNS64 to
support it), as described in these RFC drafts:

http://tools.ietf.org/html/draft-ietf-behave-v6v4-xlate-stateful-12
http://tools.ietf.org/html/draft-ietf-behave-dns64-11


Some time ago a NAT64 implementation employing pf & an OpenBSD kernel patch
was released by Viagenie, (together with DNS64 patches for bind/unbound) :

http://ecdysis.viagenie.ca/download.html

However major changes to pf have occurred since 4.6 and thus it has suffered
from bit rot. Note however that it is released under a BSD license.

So given all of this background are any of the devs interested in bringing
these patches up to date, and ideally incorporating them into the tree ? If
financial motivation is required, then drop me a note off-list please.


Finally I'd just like to say that I (like most other network engineers)
dislike IPv6, but am increasingly required to work with it. Therefore I
believe that this functionality would be a valuable addition to the swiss army
knife of IP networking that OpenBSD has become.


thanks,


/Pete



Re: IVI support ?

2010-10-12 Thread Pete Vickers
For v6 clients to access v4 services, see this RFC:

http://tools.ietf.org/html/draft-ietf-behave-v6v4-xlate-stateful-12


Implemented on OpenBSD via pf & BIND patches:

http://ecdysis.viagenie.ca/


/Pete




On 12. okt. 2010, at 13.01, Xavier Beaudouin wrote:

 Hello,

 About IPv6 and IPv4 access, my company want to kill dual stack stuff or
limit
 them to minimum possible if possible and avoid subnetting that loses
 unfortunately ips every time.

 Our idea is to have all our system to be IPv6 only native and when an IPv4
 wants to access to an IPv6 service, IVI can do the translation (this is not
 magic, but the idea is to provide specific IPv6 hosts to be visible
outside
 the IPv6 internet). So I get on IVI : IPv4 - IPv6 mapping :
 http://www.ivi2.org/

 There is draft about that :
 http://tools.ietf.org/html/draft-xli-behave-ivi-07

 Does OpenBSD has somewhat support about this draft ? or can we do that
using
 OpenBSD standard tools (eg pf or relayd ?).

 I really don't want to us to rely on Linux, so  That's why I'm asking
 question about that... Since OpenBSD is really network toolbox
 (OpenOSPF/BGP. etc).

 This can help to get a internet with v6 ready ?

 Regards,
 xavier


Pete Vickers

p...@systemnet.no |  +47 48 17 91 00

SystemNet AS

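The NAT64/DNS64 pairing that both the "NAT64 via pf/OpenBSD" post and the IVI reply above point at (the behave drafts, later published as RFC 6146 and RFC 6147, with the address format from RFC 6052) comes down to two operations: the resolver fabricates an AAAA record by embedding the IPv4 address in a /96 translation prefix, and the gateway later pulls that IPv4 address back out of the destination. The Python below is an added example, not code from the thread or from the Ecdysis patches. It uses the RFC 6052 well-known prefix 64:ff9b::/96, a constructed record set in place of real upstream DNS answers, and a hand-written list of the non-global IPv4 ranges that must not be embedded under the well-known prefix (documentation addresses such as 192.0.2.0/24 are deliberately left allowed so the sample data works).

```python
# Added example (not from the thread or the Ecdysis project): DNS64 AAAA
# synthesis and NAT64 address decoding with an RFC 6052 /96 prefix.
import ipaddress

# RFC 6052 well-known prefix; operators may use a network-specific /96 instead.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Ranges RFC 6052 says must never be embedded under the well-known prefix
# (RFC 1918 blocks, loopback, link-local). Constructed list; documentation
# ranges like 192.0.2.0/24 used in the sample data below are left allowed.
NON_GLOBAL_V4 = [ipaddress.IPv4Network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def is_embeddable_under_wkp(ipv4):
    """True unless the address falls in one of the excluded ranges."""
    v4 = ipaddress.IPv4Address(ipv4)
    return not any(v4 in net for net in NON_GLOBAL_V4)


def synthesize_aaaa(ipv4, prefix=WELL_KNOWN_PREFIX):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix, the way
    a DNS64 resolver builds an AAAA answer for a name that only has A records."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 prefixes are handled in this example")
    v4 = ipaddress.IPv4Address(ipv4)
    if prefix == WELL_KNOWN_PREFIX and not is_embeddable_under_wkp(v4):
        raise ValueError(f"{v4} is non-global; use a network-specific prefix")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract_ipv4(ipv6, prefix=WELL_KNOWN_PREFIX):
    """Inverse step done by the NAT64 gateway: recover the IPv4 destination,
    or None when the packet is not addressed into the translation prefix."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


# Constructed record set standing in for what the resolver fetched upstream.
SAMPLE_ZONE = {
    "v4only.example.": [("A", "192.0.2.10")],
    "dual.example.":   [("A", "192.0.2.20"), ("AAAA", "2001:db8::20")],
    "none.example.":   [],
}


def dns64_answer(name, zone=SAMPLE_ZONE, prefix=WELL_KNOWN_PREFIX):
    """DNS64 rule: real AAAA records are returned untouched; synthetic ones
    are generated only when the name has A records but no AAAA records."""
    rrs = zone.get(name, [])
    real = [r for t, r in rrs if t == "AAAA"]
    if real:
        return real
    return [str(synthesize_aaaa(r, prefix)) for t, r in rrs if t == "A"]


if __name__ == "__main__":
    for name in SAMPLE_ZONE:
        print(name, dns64_answer(name))
    print(extract_ipv4("64:ff9b::c000:201"))   # 192.0.2.1
```

The dual-stack case is the one worth noticing: a DNS64 resolver must not synthesize when a genuine AAAA exists, otherwise dual-stack hosts would be dragged through the translator for no reason. The well-known-prefix check matters in deployments like the one described in the post, where the IPv4 side of the translator may itself sit on RFC 1918 space and a network-specific prefix is required.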


OpenSSHd

2010-09-13 Thread Pete Vickers
Hi,

I'm trying to set up a box such that normal users are chroot'd to their home
directories, and can only use sftp. I have added this to the config file &
restarted sshd:


r...@container ~ tail /etc/ssh/sshd_config
#
#
#
# all non-wheel users should be chrooted to their home and sftp only
#
Match Group !wheel
ForceCommand internal-sftp
ChrootDirectory %h
AllowTcpForwarding no
X11Forwarding no


However normal users are still not chrooted, and can still ssh into the box.
Any clues what I'm doing wrong ? Google seems to hint that the chroot
directory might have to be owned by root, but that seems strange, since users
couldn't then write files in their own home ?


/Pete



Re: OpenSSHd

2010-09-13 Thread Pete Vickers
On 13. sep. 2010, at 13.17, Joachim Schipper wrote:

 On Mon, Sep 13, 2010 at 10:59:56AM +0200, Pete Vickers wrote:
 I'm trying to set up a box such that normal users are chroot'd to their
home
 directories, and can only use sftp.

 Any clues what I'm doing wrong ? Google seems to hint that the chroot
 directory might have to be owned by root, but that seems strange,
 since users couldn't then write files in their own home ?

 A chroot jail where the new root isn't owned by the root user is
 effectively impossible to secure. Set the home directories to
 /home/user/files and chroot to /home/user, or somesuch.




Hmm. Messy. But even if I set like this:

r...@container ~ tail /etc/ssh/sshd_config
# all non-wheel users should be chrooted to home and sftp only
#
Match Group !wheel
ForceCommand internal-sftp
ChrootDirectory /home
AllowTcpForwarding no
X11Forwarding no


r...@container ~ ls -la /home
total 28
drwxr-xr-x   7 rootwheel   512 Sep 10 12:46 .
drwxr-xr-x  14 rootwheel   512 Jul 25 13:43 ..
drwxr-xr-x   3 fredfred512 Sep 10 12:05 fred
...


normal users can still ssh in, and are not chroot'd. What am I doing wrong ?


/Pete



Re: OpenSSHd

2010-09-13 Thread Pete Vickers
ahh. that works perfectly, thanks !

/Pete



On 13. sep. 2010, at 18.25, Andy Bradford wrote:

 Thus said Pete Vickers on Mon, 13 Sep 2010 16:32:08 +0200:
 
 Match Group !wheel
 
 Forget my last suggestion. :-)  Just make a pattern-list and use:
 
 Match Group *,!wheel
 
 Andy

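Two things in this OpenSSHd thread can be checked mechanically: why `Match Group !wheel` never applied (an OpenSSH pattern list needs at least one positive pattern to match, which is what Andy's `*,!wheel` supplies, while the `!wheel` entry then excludes wheel members), and Joachim's point that sshd only accepts a ChrootDirectory whose every path component is root-owned and not group/world writable (the "bad ownership or modes for chroot directory" refusal). The Python below is an added example, not code from the thread or from OpenSSH; it approximates sshd's pattern-list evaluation with fnmatch and reproduces the ownership rule with an injectable stat function. The sample tree and the uid 1000 for fred are constructed.

```python
# Added example (not code from the thread or from OpenSSH): Match Group
# pattern-list semantics and the ChrootDirectory ownership/mode rule.
import collections
import fnmatch
import os
import stat as st


def match_pattern_list(name, pattern_list):
    """Approximate OpenSSH's match_pattern_list(): 1 on a positive match,
    -1 if a negated pattern matched (this vetoes the whole list), and 0 if
    nothing positive matched."""
    got_positive = 0
    for pattern in pattern_list.split(","):
        negated = pattern.startswith("!")
        if negated:
            pattern = pattern[1:]
        if fnmatch.fnmatchcase(name, pattern):
            if negated:
                return -1
            got_positive = 1
    return got_positive


def group_matches(groups, pattern_list):
    """Approximate sshd's Match Group test over all of the user's groups:
    any negated hit excludes the user; otherwise some group must match
    positively. A list made only of negations therefore matches nobody."""
    found = False
    for g in groups:
        r = match_pattern_list(g, pattern_list)
        if r == -1:
            return False
        if r == 1:
            found = True
    return found


def chroot_dir_problems(path, stat_fn=os.stat):
    """Reasons sshd would refuse PATH as a ChrootDirectory: every component
    from / downwards must be a directory owned by root that is not writable
    by group or others. stat_fn is injectable so the rule can be exercised
    on constructed data without root privileges."""
    problems = []
    parts = path.rstrip("/").split("/")        # "/home/fred" -> ["", "home", "fred"]
    for i in range(1, len(parts) + 1):
        component = "/".join(parts[:i]) or "/"
        info = stat_fn(component)
        if not st.S_ISDIR(info.st_mode):
            problems.append(f"{component}: not a directory")
        if info.st_uid != 0:
            problems.append(f"{component}: not owned by root (uid {info.st_uid})")
        if info.st_mode & (st.S_IWGRP | st.S_IWOTH):
            problems.append(f"{component}: group/world writable ({oct(info.st_mode & 0o777)})")
    return problems


FakeStat = collections.namedtuple("FakeStat", "st_mode st_uid")

# Constructed tree mirroring the `ls -la /home` listing in the thread: root
# owns / and /home (0755); fred (uid 1000, assumed) owns /home/fred.
SAMPLE_TREE = {
    "/":          FakeStat(st.S_IFDIR | 0o755, 0),
    "/home":      FakeStat(st.S_IFDIR | 0o755, 0),
    "/home/fred": FakeStat(st.S_IFDIR | 0o755, 1000),
}


def sample_stat(path):
    return SAMPLE_TREE[path]


if __name__ == "__main__":
    for pat in ("!wheel", "*,!wheel"):
        print(pat, "fred:", group_matches(["fred"], pat),
              "wheel:", group_matches(["wheel"], pat))
    for d in ("/home/fred", "/home"):
        print(d, chroot_dir_problems(d, stat_fn=sample_stat) or "ok")
```

Run against a real box, `chroot_dir_problems("/home")` with the default `os.stat` gives the same verdict sshd would reach, which is handy when a `ChrootDirectory %h` setup silently fails for one user whose home directory has the wrong owner or a group-writable parent.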


Re: cardbus on sparc64

2010-08-26 Thread Pete Vickers
: Capability 0x01: Power Management
0x: 04751180 02100047 06070080 00024000
0x0010: 03002000 02dc 2200 f000
0x0020:  f000  fffc
0x0030:  fffc  07c00100
0x0040: 010114ef 0001  
0x0050:    
0x0060:    
0x0070:    
0x0080: 0001  04630463 
0x0090:    
0x00a0:    
0x00b0:    
0x00c0: 010114ef   
0x00d0:    fe0a0001
0x00e0: 24c04000   
0x00f0:    
#

 inserted card here



# data error type 32 sfsr=0 sfva=4fdcc010 afsr=8800 afva=1fe0102 tf=0x4000f9c9800
panic: data fault: pc=1408748 addr=4fdcc010 sfsr=0

kdb breakpoint at 1442b20
Stopped at  Debugger+0x4:   nop
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!


ddb trace
data_access_error(4000f9c9800, 400, 1fe0102, 8800, 4fdcc010, 0) at data_access_error+0xd8
trapbase_sun4v(0, 2, 0, 1531180, 1, e0018040) at trapbase_sun4v+0x87a8
pci_conf_read(, 0, 0, 0, 1800, 1800) at pci_conf_read+0x28
cardbus_attach_card(0, 40009776000, 0, 1515000, 0, 4e195a0) at cardbus_attach_card+0xc0
cardslot_event(1400, 4e3fc80, 18bba00, 1886f88, 0, 0) at cardslot_event+0x200
workq_thread(180ff28, 400097be6c0, 1515b20, 1513fb8, 1, e0018040) at workq_thread+0x28
proc_trampoline(0, 0, 0, 0, 0, 0) at proc_trampoline+0x4


ddb ps
   PID   PPID   PGRP    UID  S       FLAGS  WAIT       COMMAND
 26645      1  26645      0  3      0x4082  ttyin      sh
    13      0      0      0  3    0x100200  bored      crypto
    12      0      0      0  3    0x100200  aiodoned   aiodoned
    11      0      0      0  3    0x100200  syncer     update
    10      0      0      0  3    0x100200  cleaner    cleaner
     9      0      0      0  3    0x100200  reaper     reaper
     8      0      0      0  3    0x100200  pgdaemon   pagedaemon
     7      0      0      0  3    0x100200  pftm       pfpurge
     6      0      0      0  3    0x100200  usbtsk     usbtask
     5      0      0      0  3    0x100200  usbevt     usb0
    *4      0      0      0  7    0x100200             syswq
     3      0      0      0  3  0x40100200             idle0
     2      0      0      0  3    0x100200  kmalloc    kmthread
     1      0      1      0  3      0x4080  wait       init
     0     -1      0      0  3     0x80200  scheduler  swapper
ddb




/Pete





On 25. aug. 2010, at 20.22, Bret S. Lambert wrote:

 On Wed, Aug 25, 2010 at 08:12:34PM +0200, Pete Vickers wrote:
 I have a SunBlade100 running 4.7RELEASE which I stuck a PCI/Cardbus
adapter
 in; and it appears to be recognised in dmesg:

 . . .
 cbb0 at pci1 dev 2 function 0 Ricoh 5C475 CardBus rev 0x80: ivec 0x7d5
 cardslot0 at cbb0 slot 0 flags 0
 cardbus0 at cardslot0: bus 2 device 0 cacheline 0x0, lattimer 0x20
 pcmcia0 at cardslot0
 . . .

 (full dmesg at foot)


 However whenever I insert a card into the adapter the machine panics. The same
 happens if I insert the card before boot, whereupon it panics midway through
 booting. I have tried various WLAN and GPRS cards.

 Before I go collecting ddb trace/ps is this the expected behaviour ( e.g. a
 known endian issue or suchlike) ?

 I'm gonna say not.

 Trace/ps would give me something to do while I ignore packing my apartment.


 BTW, I notice that PR3871 addressed the adapter itself (at least in i386).



 /Pete



 full dmesg:

 console is keyboard/display
 Copyright (c) 1982, 1986, 1989, 1991, 1993
  The Regents of the University of California.  All rights reserved.
 Copyright (c) 1995-2010 OpenBSD. All rights reserved.
http://www.OpenBSD.org

 OpenBSD 4.7 (GENERIC) #258: Wed Mar 17 23:40:34 MDT 2010
   dera...@sparc64.openbsd.org:/usr/src/sys/arch/sparc64/compile/GENERIC
 real mem = 805306368 (768MB)
 avail mem = 767369216 (731MB)
 mainbus0 at root: Sun Blade 100 (UltraSPARC-IIe)
 cpu0 at mainbus0: SUNW,UltraSPARC-IIe (rev 1.4) @ 502 MHz
 cpu0: physical 16K instruction (32 b/l), 16K data (32 b/l), 256K external
(64
 b/l)
 psycho0 at mainbus0: pci108e,a001, impl 0, version 0, ign 7c0
 psycho0: bus range 0-1, PCI bus 0
 psycho0: dvma map c000-dfff
 pci0 at psycho0
 ebus0 at pci0 dev 12 function 0 Sun RIO EBus rev 0x01
 flashprom at ebus0 addr 0-f not configured
 clock1 at ebus0 addr 0-1fff: mk48t59
 ebus1 at pci0 dev 7 function 0 Acer Labs M1533 ISA rev 0x00
 dma at ebus1 addr 0- ivec 0x2a not configured
 power0 at ebus1 addr 800-82f ivec 0x20
 com0 at ebus1 addr 3f8-3ff ivec 0x2b

Re: Checking Routes/Gateways For Good Connection

2010-08-26 Thread Pete Vickers
On 26. aug. 2010, at 00.18, Don Tek wrote:

 I've recently implemented a firewall with two internet connections using
multipath routing and round-robin outbound load balancing.

 I am looking for a solution from the shell to detect failure of these two
internet gateways so I can force routing and pf changes from a script.

 I need something more robust than simply checking to see if the interface is
up or down.

 I have managed a solution using traceroute that allows me to accomplish half
of my goal.  I can detect a failure and down that route, however, once I
delete the default route from the routing table for the failed connection, I
can no longer test it with traceroute.  This is because it doesn't appear to
me that OpenBSD's traceroute allows forcing an interface to work on.

 I am looking for better solutions from some of you more experienced users.
Any suggestions are welcome.

 don..



Taking a look at the bigger picture, the 'correct' way to do this is to have
redundancy at the firewall level as well at ISP link level. This gives higher
availability, and makes your problem much easier. If you have a single ISP
link per firewall then link testing is simple. Redundancy/LB is then managed
by CARP between the two firewalls' _inside_ interfaces.

/Pete



cardbus on sparc64

2010-08-25 Thread Pete Vickers
I have a SunBlade100 running 4.7RELEASE which I stuck a PCI/Cardbus adapter
in; and it appears to be recognised in dmesg:

. . .
cbb0 at pci1 dev 2 function 0 Ricoh 5C475 CardBus rev 0x80: ivec 0x7d5
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 2 device 0 cacheline 0x0, lattimer 0x20
pcmcia0 at cardslot0
. . .

(full dmesg at foot)


However whenever I insert a card into the adapter the machine panics. The same
happens if I insert the card before boot, whereupon it panics midway through
booting. I have tried various WLAN and GPRS cards.

Before I go collecting ddb trace/ps is this the expected behaviour ( e.g. a
known endian issue or suchlike) ?

BTW, I notice that PR3871 addressed the adapter itself (at least in i386).



/Pete



full dmesg:

console is keyboard/display
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2010 OpenBSD. All rights reserved.  http://www.OpenBSD.org

OpenBSD 4.7 (GENERIC) #258: Wed Mar 17 23:40:34 MDT 2010
   dera...@sparc64.openbsd.org:/usr/src/sys/arch/sparc64/compile/GENERIC
real mem = 805306368 (768MB)
avail mem = 767369216 (731MB)
mainbus0 at root: Sun Blade 100 (UltraSPARC-IIe)
cpu0 at mainbus0: SUNW,UltraSPARC-IIe (rev 1.4) @ 502 MHz
cpu0: physical 16K instruction (32 b/l), 16K data (32 b/l), 256K external (64
b/l)
psycho0 at mainbus0: pci108e,a001, impl 0, version 0, ign 7c0
psycho0: bus range 0-1, PCI bus 0
psycho0: dvma map c000-dfff
pci0 at psycho0
ebus0 at pci0 dev 12 function 0 Sun RIO EBus rev 0x01
flashprom at ebus0 addr 0-f not configured
clock1 at ebus0 addr 0-1fff: mk48t59
ebus1 at pci0 dev 7 function 0 Acer Labs M1533 ISA rev 0x00
dma at ebus1 addr 0- ivec 0x2a not configured
power0 at ebus1 addr 800-82f ivec 0x20
com0 at ebus1 addr 3f8-3ff ivec 0x2b: ns16550a, 16 byte fifo
com1 at ebus1 addr 2e8-2ef ivec 0x2b: ns16550a, 16 byte fifo
gem0 at pci0 dev 12 function 1 Sun ERI Ether rev 0x01: ivec 0x7c6, address
00:03:ba:08:46:e8
ukphy0 at gem0 phy 1: Generic IEEE 802.3u media interface, rev. 1: OUI
0x0010dd, model 0x0002
Sun FireWire rev 0x01 at pci0 dev 12 function 2 not configured
ohci0 at pci0 dev 12 function 3 Sun USB rev 0x01: ivec 0x7e4, version 1.0,
legacy support
alipm0 at pci0 dev 3 function 0 Acer Labs M7101 Power rev 0x00: 223KHz
clock
iic0 at alipm0
max1617 at alipm0 addr 0x18 skipped due to alipm0 bugs
scm001 at alipm0 addr 0x20 skipped due to alipm0 bugs
spdmem0 at iic0 addr 0x50: 256MB SDRAM ECC PC133CL2
spdmem1 at iic0 addr 0x51: 256MB SDRAM ECC PC133CL2
spdmem2 at iic0 addr 0x52: 256MB SDRAM ECC PC133CL2
autri0 at pci0 dev 8 function 0 Acer Labs M5451 Audio rev 0x01: ivec 0x7e3
ac97: codec id 0x41445348 (Analog Devices AD1881A)
ac97: codec features headphone, Analog Devices Phat Stereo
audio0 at autri0
midi0 at autri0: 4DWAVE MIDI UART
pciide0 at pci0 dev 13 function 0 Acer Labs M5229 UDMA IDE rev 0xc3: DMA,
channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide0: using ivec 0x7cc for native-PCI interrupt
wd0 at pciide0 channel 0 drive 0: WDC WD200BB-60DGA0
wd0: 16-sector PIO, LBA, 9541MB, 19541088 sectors
atapiscsi0 at pciide0 channel 0 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: ATAPI, DVD A DH20A4H, QP59 ATAPI 5/cdrom
removable
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
cd0(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 4
pciide0: channel 1 disabled (no drives)
ppb0 at pci0 dev 5 function 0 DEC 21152 PCI-PCI rev 0x03
pci1 at ppb0 bus 1
ral0 at pci1 dev 1 function 0 Ralink RT2560 rev 0x01: ivec 0x7ca, address
00:11:50:a8:c8:a2
ral0: MAC/BBP RT2560 (rev 0x04), RF RT2525
cbb0 at pci1 dev 2 function 0 Ricoh 5C475 CardBus rev 0x80: ivec 0x7d5
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 2 device 0 cacheline 0x0, lattimer 0x20
pcmcia0 at cardslot0
machfb0 at pci0 dev 19 function 0 ATI Rage XL rev 0x27
machfb0: ATY,RageXL, 1280x1024
wsdisplay0 at machfb0 mux 1: console (std, sun emulation)
usb0 at ohci0: USB revision 1.0
uhub0 at usb0 Sun OHCI root hub rev 1.00/1.00 addr 1
uhidev0 at uhub0 port 2 configuration 1 interface 0 Sun Microsystems Type 6
Keyboard rev 1.00/1.01 addr 2
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 modifier keys, 6 key codes, country code 19
wskbd0 at ukbd0: console keyboard, using wsdisplay0
uhidev1 at uhub0 port 4 configuration 1 interface 0 Sun Microsystems Type 6
Mouse rev 1.00/1.02 addr 3
uhidev1: iclass 3/1
ums0 at uhidev1: 3 buttons
wsmouse0 at ums0 mux 0
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
bootpath: /p...@1f,0/i...@d,0/d...@0,0
root on wd0a swap on wd0b dump on wd0b



Re: X default screen resolution on sparc64

2010-07-28 Thread Pete Vickers
On 27. juli 2010, at 15.09, Pete Vickers wrote:

 Hi,

 From dmesg, the graphics card in my Sun blade100 is:

 machfb0 at pci0 dev 19 function 0 ATI Rage XL rev 0x27
 machfb0: ATY,RageXL, 1280x1024

 which is connected via DVI cable to a Sun monitor #365-1429. This monitor
 supports 1280x1024@60Hz. However starting X without a config file only runs it
 at 800x600. These lines appear relevant in the Xorg log file:


 (II) MACH64(0): default monitor: Using default hsync range of 31.50-37.90
 kHz
 (II) MACH64(0): default monitor: Using default vrefresh range of
50.00-70.00
 Hz
 ...
 (II) MACH64(0): Not using default mode 1280x1024 (hsync out of range)


 I thought that one of the big advantages of DVI was that the card could query
 the monitor to discover the supported modes automatically ? Is there any
 commands I can use to enable such probing ? or do I have to create an entire
 cfg file to manually enable a higher resolution ? Is there any way to
 automatically generate a basic config file to subsequently edit ?



To answer my own question for the sake of the archive, you can of course just
write a partial /etc/X11/xorg.conf, and let the defaults provide the rest.
This was all that was necessary for me:


Section "Device"
 Identifier  "ATI Rage XL"
 Driver  "ati"
 BusID   "PCI:0:19:0"
 Option  "composite_sync" "True"
 Option  "reference_clock" "29.5MHz"
EndSection

Section "Monitor"
 Identifier "Sun L9ZF"
 # 31.5 kHz to 81.1 kHz Horizontal
 # 56.0 Hz to 76.0 Hz Vertical
 HorizSync 32-81
 VertRefresh 56-76
EndSection

Section "Screen"
 Identifier "Default Screen"
 Device "ATI Rage XL"
 Monitor "Sun L9ZF"
 DefaultDepth 16
  SubSection "Display"
  Depth 16
  Modes "1280x1024"
  EndSubSection
EndSection
===



X default screen resolution on sparc64

2010-07-27 Thread Pete Vickers
Hi,

From dmesg, the graphics card in my Sun blade100 is:

machfb0 at pci0 dev 19 function 0 ATI Rage XL rev 0x27
machfb0: ATY,RageXL, 1280x1024

which is connected via DVI cable to a Sun monitor #365-1429. This monitor
supports 1280x1024@60Hz. However starting X without a config file only runs it
at 800x600. These lines appear relevant in the Xorg log file:


(II) MACH64(0): default monitor: Using default hsync range of 31.50-37.90
kHz
(II) MACH64(0): default monitor: Using default vrefresh range of 50.00-70.00
Hz
...
(II) MACH64(0): Not using default mode 1280x1024 (hsync out of range)


I thought that one of the big advantages of DVI was that the card could query
the monitor to discover the supported modes automatically ? Is there any
commands I can use to enable such probing ? or do I have to create an entire
cfg file to manually enable a higher resolution ? Is there any way to
automatically generate a basic config file to subsequently edit ?


thanks,



/Pete



Xorg.log & dmesg follow:



r...@blade100 ~ cat /var/log/Xorg.0.log
(--) Using wscons driver

X.Org X Server 1.6.5
Release Date: 2009-10-11
X Protocol Version 11, Revision 0
Build Operating System: OpenBSD 4.7 sparc64
Current Operating System: OpenBSD blade100.my.domain 4.7 GENERIC#258 sparc64
Build Date: 15 March 2010  06:22:14PM

Before reporting problems, check http://wiki.x.org
to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
(++) from command line, (!!) notice, (II) informational,
(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(==) Log file: /var/log/Xorg.0.log, Time: Tue Jul 27 14:37:09 2010
(II) Loader magic: 0x1b20
(II) Module ABI versions:
X.Org ANSI C Emulation: 0.4
X.Org Video Driver: 5.0
X.Org XInput driver : 4.0
X.Org Server Extension : 2.0
(II) Loader running on openbsd
(--) PCI: (0:0:3:0) 10b9:7101:: Acer Labs M7101 Power rev 0
(--) PCI:*(0:0:19:0) 1002:4752:: ATI Rage XL rev 39, Mem @
0x0400/16777216, 0x00426000/4096, I/O @ 0x0b00/256, BIOS @
0x/131072
(==) Using default built-in configuration (12 lines)
(==) --- Start of built-in configuration ---
Section Device
Identifier  Builtin Default ati Device 0
Driver  ati
EndSection
Section Screen
Identifier  Builtin Default ati Screen 0
Device  Builtin Default ati Device 0
EndSection
Section ServerLayout
Identifier  Builtin Default Layout
Screen  Builtin Default ati Screen 0
EndSection
(==) --- End of built-in configuration ---
(==) ServerLayout Builtin Default Layout
(**) |--Screen Builtin Default ati Screen 0 (0)
(**) |   |--Monitor default monitor
(**) |   |--Device Builtin Default ati Device 0
(==) No monitor specified for screen Builtin Default ati Screen 0.
Using a default monitor configuration.
(==) Not automatically adding devices
(==) Not automatically enabling devices
(==) FontPath set to:
/usr/X11R6/lib/X11/fonts/misc/,
/usr/X11R6/lib/X11/fonts/TTF/,
/usr/X11R6/lib/X11/fonts/OTF,
/usr/X11R6/lib/X11/fonts/Type1/,
/usr/X11R6/lib/X11/fonts/100dpi/,
/usr/X11R6/lib/X11/fonts/75dpi/
(==) ModulePath set to /usr/X11R6/lib/modules
(==) |--Input Device default pointer
(==) |--Input Device default keyboard
(==) The core pointer device wasn't specified explicitly in the layout.
Using the default mouse configuration.
(==) The core keyboard device wasn't specified explicitly in the layout.
Using the default keyboard configuration.
(II) System resource ranges:
(II) LoadModule: extmod
(II) Loading /usr/X11R6/lib/modules/extensions//libextmod.so
(II) Module extmod: vendor=X.Org Foundation
compiled for 1.6.5, module version = 1.0.0
Module class: X.Org Server Extension
ABI class: X.Org Server Extension, version 2.0
(II) Loading extension MIT-SCREEN-SAVER
(II) Loading extension XFree86-VidModeExtension
(II) Loading extension XFree86-DGA
(II) Loading extension DPMS
(II) Loading extension XVideo
(II) Loading extension XVideo-MotionCompensation
(II) Loading extension X-Resource
(II) LoadModule: dbe
(II) Loading /usr/X11R6/lib/modules/extensions//libdbe.so
(II) Module dbe: vendor=X.Org Foundation
compiled for 1.6.5, module version = 1.0.0
Module class: X.Org Server Extension
ABI class: X.Org Server Extension, version 2.0
(II) Loading extension DOUBLE-BUFFER
(II) LoadModule: glx
(II) Loading /usr/X11R6/lib/modules/extensions//libglx.so
(II) Module glx: vendor=X.Org Foundation
compiled for 1.6.5, module version = 1.0.0
ABI class: X.Org Server Extension, version 2.0
(==) AIGLX enabled
(II) Loading extension GLX
(II) LoadModule: dri
(II) Loading /usr/X11R6/lib/modules/extensions//libdri.so
(II) Module dri: vendor=X.Org Foundation

Re: Multiple VLANs in the same subnet on different Routing Domains

2010-07-26 Thread Pete Vickers
It only affects traffic via that next hop, but yes. Without a more complete
description from the OP it's tricky to say whether that's acceptable or not.


However attacking the problem from a different angle, if all that is needed is
a measure of connectivity to the example remote host, then maybe he could use
traceroute instead to gather the statistics from. The advantage here is that
he could employ traceroute's '-g' option to specify which gateway to use for
that probe.


/Pete



On 24. juli 2010, at 23.14, Philip Guenther wrote:

 On Sat, Jul 24, 2010 at 5:30 AM, Pete Vickers peter.vick...@gmail.com
wrote:
 if your testing host is in the same subnet as the 3 gateways' inside
interfaces, then your probe script can just overwrite the ARP entry for the
next hop to each of the gateways in turn. no need to do any layer 3 changes at
all.

 So you're suggesting that he do it so that each change affects all the
 processes on the system and all network connections instead of
 limiting it to the pings that need the change?  Umm, kay...


 Philip Guenther



h/w accelerated packet forwarding/filtering

2010-07-26 Thread Pete Vickers
Hi,

I seem to recall that there was some discussion (in a Claudio presentation
IIRC) about OBSD potentially supporting h/w based forwarding at some time in
the distant future.

At a first glance, this (NetFPGA) project appears to be the kind of thing
that's needed to kick start such an activity:

http://netfpga.org/foswiki/bin/view/NetFPGA/OneGig/LearnMore


And the license appears to be appropriate (BSD style) at least for the
existing code, not sure about the h/w docs.

http://netfpga.org/foswiki/bin/view/NetFPGA/OneGig/License


So, my question is, if there is currently any interest by any of the devs,
such that it would be worth my while to try to organise a donation pot ( ~1k USD)
and  ordering/transporting a couple to them ?


http://www.digilentinc.com/Products/Detail.cfm?Prod=NETFPGA&Nav1=Products&Nav2=Programmable


(Alternatively this email can rot in the misc@ archive, so that next time
someone wonders, the answer will be ready google'able)



/Pete



Re: Multiple VLANs in the same subnet on different Routing Domains

2010-07-24 Thread Pete Vickers
if your testing host is in the same subnet as the 3 gateways' inside
interfaces, then your probe script can just overwrite the ARP entry for the
next hop to each of the gateways in turn. no need to do any layer 3 changes at
all.


/Pete


Den 24. juli 2010 kl. 12:56 skrev Philip Guenther guent...@gmail.com:

 On Thu, Jul 22, 2010 at 9:15 AM,  sslay...@iom.com wrote:
 ...
 Ok so my problem is this. We have a single monitoring host that needs to
send
 outbound traffic (ICMP) via the 4 different Firewalls to the _SAME_ remote
 address. e.g. Send ICMP to www.apple.com via FW1 then send ICMP via FW2 to
 www.apple.com, FW3 etc.

 The idea is to check the Firewalls and their upstream connectivity not the
end
 host per se.

 To achieve this I've tried the following:

 Create 4 VLAN interfaces all on the same VLAN as the shared subnet using
 alternate IP's but on different routing domains.

 Hmm.  I don't think you need different routing domain, but rather only
 different routing tables.  You only need to override the outbound
 routing and not create a separation behind interfaces.


 i.e. Vlan no. 10 :

 hostname.vlan101 - inet 10.11.12.1 255.255.255.0 NONE vlan 10 vlandev bge0
 rdomain 1
 hostname.vlan102 - inet 10.11.12.2 255.255.255.0 NONE vlan 10 vlandev bge0
 rdomain 2

 Umm, what?  Put yourself in the kernel's position.  A packet with vlan
 tag of 10 is received on the bge0 physical interface: what interface
 and routing domain should it show up in?  That's a layer 2 decision
 that the kernel has to make _without_ considering the src or dest IP
 addresses.  Given that, do you see why your interface definitions
 there are in conflict?


 ...
 If I create the 1st VLAN/rdomain everything works perfectly however as soon
as I
 add the 2nd vlan interface traffic on both vlans stops. Destroying the 2nd
vlan
 instance restores traffic.

 Yeah, that meets my expectations.


 The host is running OpenBSD i386 Generic 4.7 (release). Sorry no DMESG as
yet
 but I can get this and anything else if need be tomorrow.

 Is what I'm trying to do possible? Any help is much appreciated.

 Let me make sure I understand the problem.  You have a system where
 you sometimes want to route packets out an interface according to
 rules other than the normal rules, but you don't need to do any
 separation of interfaces as far as forwarding or binding of addresses
 goes?  If so, then I believe you only need to create distinct routing
 tables and not actual routing domains.  To do that, you need
 1) *one* interface bound to the correct physical device and vlan,
   *in the default routing domain*,
 2) the 'route -T' commands from your message (to create the
   alternative routing tables), and
 3) the 'ping -V' commands from your original message (to use
   those alternatives).

 I also strongly advise you to upgrade to -current.  No, really.
 Claudio spent a chunk of time at c2k10 helping Peter and I understand
 the distinction between rtables and rdomains...and in the process of
 explaining and then fixing the naming in the source tree, he found
 some issues in the implementation.  (If you really want to understand
 something, explain it to someone else)  Here's the action shot of
 that explanation from jcr's article at undeadly.org:
http://www.designtools.org/OpenBSD/c2k10/debate3-l.jpg

 You're using with something that's being actively updated by the
 developer; staying current is staying sane.


 Philip Guenther



Re: Sierra Wireless MC5720 Modem

2010-06-16 Thread Pete Vickers
the full AT command sets are available somewhere here:

http://www.google.com/search?q=at.commands+site:3gpp.org


Note that a large number of the 'modems' these days, expose two serial
interfaces, and only one will listen for AT commands, until correct
initialisation is done...


/Pete



On 16. juni 2010, at 07.25, Dunceor wrote:

 On Wed, Jun 16, 2010 at 5:56 AM, J.C. Roberts list-...@designtools.org
 wrote:
 On Mon, 14 Jun 2010 20:17:44 -0500 Marco Peereboom sl...@peereboom.us
 wrote:

 Anyone got:
 umsm0 at uhub7 port 2 configuration 1 interface 0 Sierra Wireless
 Sierra Wireless MC5720 Modem rev 1.10/0.01 addr 2 ucom0 at umsm0
 To work on OpenBSD?

 I get basically no output from the modem using this in /etc/remote:
 mobile:\
         :at=hayes:dv=/dev/cuaU0:dv=/dev/ttya:tc=direct:tc=unixhost:

 # sudo tip remote
 connected

 And then I can type AT all day long and get no response. B The modem
 isn't activated but I don't want to go spend money on activating it
 unless I know if that is what is causing it to not respond.

 Something else weird is that if I fart enough with tip and stuff to
 get to the modem and reboot with it on it hangs the IO subsystem.  Not
 sure why a serial port is sitting on IPL_BIO but that is a different
 story.


 As mentioned off list, a vast number of the early data card designs
 actually have *multiple* serial ports, but only one of them is usable as
 a typical AT-Command modem. The other serial ports on the device(s) can
 only speak proprietary protocols and are used for BS Management and
 Monitoring functions (e.g. constantly checking/reporting signal
 strength). The umsm man page clearly mentions these other unusable
 ports since there's no definitive way to tell which port is usable as a
 modem.

 If a serial port on the device does not respond to AT commands, you have
 the wrong port. If it's the only available port on the device, then you
 need to tweak the umsm sources to make it look for multiple ports on
 your device. If after finding all the available ports on a device, you
 cannot find a port that talks AT commands, then either the device is
 broken or you need some secret sauce to make the device go back to
 speaking normal AT commands (rather being in proprietary mode).

 Additionally, many modems support profiles which is a fancy way to say
 the firmware in the device remembers the settings you previously gave
 it. Clearing the various types of profiles/settings is often
 vendor/device specific. Some of the more common AT commands for
 resetting a device are:

         ATZ
         ATF
         AT+CFUN=1

 Since you will need access to a MS-windows system to do the required
 activation nonsense before the device will work with a given providers
 network, you should look at the device to see what *.inf file is being
 used to define how the device is controlled.

 For example, the Pantech (ZTC) UMW190 I have here uses the
 C:\windows\inf\oem33.inf file as its definition (seeable through device
 properties or Modem/PPP logging if enabled). Look in said file for the
 Reset entry to figure out the proper AT command..

 By comparison, Sierra Wireless is one of the most open source friendly
 of all the data card vendors so digging around for their docs or
 looking how the specific device shows up (number/type of ports) in linux
 might be real helpful. Dan Williams has done a lot of work on the
 various data card devices in linux, including some degree of reverse
 engineering of the proprietary protocols which the unusable ports
 typically speak.

 http://blogs.gnome.org/dcbw/


 Ya, ya, I know... (insert linux rant), but they do have some good info
 and it may be helpful.

         jcr

 --
 The OpenBSD Journal - http://www.undeadly.org



 All Ericsson based modems can be reseted with AT+CFUN=1 (or if you
 want you can AT+CFUN=0 to turn it off and then AT+CFUN=4 to turn it on
 in UMTS mode).
 A lot of other cards support this also.

 BR
 Dunceor



Re: OpenBSD 4.7 as VPN Gateway for Road Warriors, Preferred Configuration

2010-06-01 Thread Pete Vickers
Hi,

Transport mode IPSec has many legit uses. The first one which springs to mind
is gateway-gateway encryption, over which you can use your favourite tunneling
protocol e.g.  L2TP or GRE. Especially useful if you're transporting multicast
traffic over the VPN.

Also one of the most popular remote access VPN solutions (works 'out of the
box' on Windows, OS.X & Cisco routers) is L2TP over IPSec. This provides
both static & dynamically addressed clients with an IPSec tunnel back to the
VPN server, over which L2TP is tunneled, providing DHCP for tunnel IP
addressing, and multi-protocol (IPX or IPv6 anyone ?) support.


It's also ideal for ubiquitous IP level any to any encryption if you spend the
effort on key management issues.


/Pete


On 31. May 2010, at 18.56, Toni Mueller wrote:


 I'd say that transport mode is a design error in IPSEC and should be
 avoided at all costs. It also complicates network setup quite a bit,
 imho.


 Kind regards,
 --Toni++



Re:

2010-05-25 Thread Pete Vickers
This works for me with kernel ppp:

http://archive.psg.com/gprs-vickers.txt


/Pete


On 23. May 2010, at 02.52, J.C. Roberts wrote:

 On Sat, 22 May 2010 22:08:57 +0200 patrick kristensen
 kristensenpatri...@gmail.com wrote:
 Thanks for taking the time to answer and your fast replies.


 Actually, ppp and TDMA/CDMA are nice break from the other headaches I've
 been trying to solve. ;)

 First of all, you either haven't mentioned the name of your service
 provider, or I forgot what it was. Either way, it matters.

 From what I can tell, you're in Spain, and I'm not familiar with the
 providers there.

 Ted Roby recently posted his config for Virgin Mobile:
 http://marc.info/?l=openbsd-techm=127285929411780w=2

 The above may not help, but it's nice to see working examples.

 In absence of cdce (using ue0 as ethernet interface (and minicom) to
 connect to isp) I have tried several ppp and pppd configurations to
 get a working internet connection on -release with no success.

 The following is my ppp (# ppp -auto movistar) and pppd (# pppd call
 movistar) attempts.

 Since pppd(8) is in the kernel, it can be faster, but since ppp(8) is
 in userland, it can be much easier to work with when figuring things
 out. Once you figure out how to make things work with ppp(8), you can
 easily write a new config for pppd(8).



 /etc/ppp/ppp.conf  (appended to ppp.conf.sample)

 movistar:
  set device /dev/cuaU0
  set speed 460800
  set timeout 0
  set dial ABORT BUSY TIMEOUT 5 \
  \\ \
  AT OK-AT-OK \
  AT+CFUN=1 OK-AT-OK \
  AT+CPIN? +CPIN:\\sREADY-AT+CPIN\\\\\\-OK \

 The above looks wrong. Not all wireless service providers and not
 all cellular wireless devices require using the Personal Identification
 Number (PIN) when making a connection. And worse, the responses you
 can get vary from device to device. (see below)

 Also, it is unwise to post your PIN to a public mailing list. It's not
 too dangerous without the IMEI and MEID device, but it's still not a
 good idea.

  AT+CGDCONT=1,\\\IP\\\,\\\movistar.es\\\ OK \

 The above is most likely wrong. The AT+CGDCONT= command sets the primary
 CONText of the device and the network it is attaching to. The first
 value argument states whether or not the device can be reconfigured (1),
 or cannot be reconfigured (3). The second argument is a string which
 defines the protocol used on the network. The third argument is also
 a string and it defines the Packet Data Network (PDN) name or Access
 Point Name (APN).

 As far as I know movistar.es is not the proper name of any Packet Data
 Network (PDN) or Access Point Name (APN). For example Virgin Mobile uses
 VDATA as the APN/PDN name, while AirTel uses airtelgprs.com as the name
 and of course, what your provider uses is unknown.

 You need to be careful with this setting since many providers have multiple
 data networks. With Verizon here in the silicon valley, I can choose from
 three different data networks (actually four if you count EVDO Rel. 0 as a
 different network than EVDO Rev. A).

  ATDT*99***1#


 The above is wrong because it has no timeout or 'CONNECT'. Also, you should
 have noticed the leading double quote (") which is prematurely ending
 your chat script *BEFORE* the required number is dialed. The above should
 be:

   \\dATDT*99***1# TIMEOUT 30 CONNECT

 The leading \\d gives a two second delay before calling. It may or may
 not be necessary with your hardware/provider.


  set mtu maximum 750

 The above is most likely wrong.

  resolv rewrite

 The above is often unnecessary to get things working, but rewriting
 /etc/resolv.conf is mostly a matter of personal choice/needs. The
 command you have below, namely `enable dns` should suffice.

  set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0.
  add default HISADDR
  enable dns

 #./.



 /var/log/ppp.log

 May 22 17:57:51 x200s ppp[8742]: Phase: Using interface: tun0
 May 22 17:57:51 x200s ppp[8742]: Phase: deflink: Created in closed
 state May 22 17:57:51 x200s ppp[8742]: tun0: Command: default: set
 device /dev/cuaU0 May 22 17:57:51 x200s ppp[8742]: tun0: Command:
 default: set speed 460800 May 22 17:57:51 x200s ppp[8742]: tun0:
 Command: default: set dial ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 
 AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT
 May 22 17:57:51 x200s ppp[8742]: tun0: Command: movistar: set
 device /dev/cuaU0 May 22 17:57:51 x200s ppp[8742]: tun0: Command:
 movistar: set speed 460800 May 22 17:57:51 x200s ppp[8742]: tun0:
 Command: movistar: set timeout 0 May 22 17:57:51 x200s ppp[8742]:
 tun0: Command: movistar: set dial ABORT BUSY TIMEOUT 5
AT OK-AT-OK AT
 +CFUN=1 OK-AT-OK AT+CPIN? +CPIN:\\sREADY-AT+CPIN\\7291\\-OK AT
 +CGDCONT=1,\\IP\\,\\movistar.es\\ OK ATDT*99***1# May 22 17:57:51
 x200s ppp[8742]: tun0: Command: movistar: set mtu maximum 750 May 22
 17:57:51 x200s 

Re: nested vlans: safe to use?

2010-05-12 Thread Pete Vickers
something like this:

http://www.openbsd.org/papers/asiabsdcon2010_vether/index.html

especially page 6/7...


/Pete



On 11. May 2010, at 13.45, Toni Mueller wrote:

 Hi,
 
 I've been trying to figure out whether I can use OpenBSD in a nested
 vlan scenario. I'm looking at a data centre where I want to get two
 wires, each carrying several vlans, and funneling them home across a
 WAN link. Various switch vendors claim to be able to do it, but I
 couldn't really figure out what the current state of affairs wrt.
 OpenBSD is. On the other side of the wires or fibres, I'll be talking
 to Junipers, Ciscos (6509), and/or Foundy switches and/or routers on
 the other side(s).
 
 The desired setup looks like this:
 
  data centre LAN --- switch --- WAN --- home (OpenBSD)
 
 I want to run at least three vlans across the WAN link, and need to
 keep the vlans strictly separated. I also need to do traffic shaping on
 a per-vlan basis. :/
 
 
 TIA!
 
 
 
 Kind regards,
 --Toni++



Re: Source Overview

2010-04-22 Thread Pete Vickers
In keeping with your 'let's get something up on there to point the whiners at',
how about adding this:

* Add support for RFC5837 to OpenBSD's IP stack.

This could be a suitable task since it presumably has 'cool factor' & is an
easily definable task, and is not trivial to write.


/Pete




On 22. Apr. 2010, at 01.51, Daniel Ouellet wrote:

 I simply requested the account on that person's system because I offered to
 help maintain the task list.  I've not been contacted so I assume they're
 not interested.

 You are not the only one with limited time. Sorry for the late reply, but
also I wanted to provide details as to why.

 Your text was:

 If you provide me an account and if everyone is OK sending me minimally
 formatted TODO lists I will gladly be the point of contact and maintain
that
 list.

 What qualifies as minimally formatted?

 1) Each item on a separate line prepended with a *.
 2) (OPTIONAL) If you want, order them by importance.

 I will attempt to clean-up grammar and spelling.
 

 The short of it is that, if you look at it, it adds more work to the
developers by asking them to send in stuff. They already have it done for
some. So, why duplicate the list? It will just get out of sync and obsolete
very soon. Plus they have a list, so I think the most logical and efficient
way to do it would be just like this:

 1. Name

 2. Very short blurb for the area the todo covers

 3. URL to the developers list.

 And that's it.

 Nothing more is needed. Frankly if a developer spends time making a todo list
and publishing it, then it must be somewhat maintained whenever they have time.
Asking to add more management to track it and maintain yet an additional list
is wrong in my book. Plus I am still not convinced it's helpful, but
nevertheless I would sure be welcome to be proven wrong.

 The only thing that this gives me as an idea that may have some merit is
that a list of user groups might be good to have and I can add that to the
site. But again, that should be as minimal as possible.

 City, state or province, country, language and URL to the site for the
group. If no URL, then some details could be added and that may actually get
some usage maybe.

 But keeping the time needed to maintain anything like this to a minimum, and
not requiring any more from the developers, has to be the goal. But again, I am
not sure it's even good, but like I said, I am not opposed to it. Like everyone
else I have very little time and I didn't reply before, nor this morning to your
email at 5:32AM when I saw it at 7:30 AM EST, as I just finished another project
and I do need to get some sleep sometime, as little as it might be, and I have
some kind of a life too and kids to take care of as well.

 So, sorry for the delay.

 Like I said, I am not doing a perfect job and I will admit that, but I try.
Better than most anyway who asked and do nothing.

 I will continue off list for the rest as there is no point in doing it
here.

 I already saved the email from Alexandre Ratchov for his list that he sent
to m...@. Just didn't have time to post it yet, but I will.

 Now I need to go feed the kids, so more delay on my part.

 Best,

 Daniel



Re: PF: antispoof vs URPF

2010-04-04 Thread Pete Vickers
On 31. March 2010, at 20.01, Claudio Jeker wrote:

 On Wed, Mar 31, 2010 at 08:08:01PM +0300, Eugene Yunak wrote:
 On 31 March 2010 19:27, N. Arley Dealey arley.dea...@gmail.com wrote:
 It would appear to me that antispoof and URPF achieve similar results. Is
 there a reason to prefer one over the other?

 Not at all. antispoof blocks ip packets that came in from the wrong
 interface, while URPF blocks packets from aliens (no entry in
 routing table for the source address). Just look at the output of
 pfctl -sr


 Not at all. URPF does not only check if a route exists it also checks that
 the route is pointing to the interface the packet came in.

 Antispoof is only for the LAN while URPF is actually capable of tracking
 stuff further down. This is at the same time the problem of URPF: if you
 have asymmetric routing URPF fails. Antispoof works in this case since it
 is hard to get asymmetric routing on the LAN.

 --
 :wq Claudio



uRPF (at least recent incarnations of it) can be /configured/ to drop packets
based on the presence of /either/:

- a matching FIB prefix outbound on the same interface the packet arrived on
  (strict mode)
- a matching FIB prefix outbound on any interface (loose mode)

You can also mask the uRPF effect to only a subset of packets/prefixes with an
ACL.


pretty extensive explanation here:

http://www.cisco.com/web/about/security/intelligence/urpf.pdf


/Pete
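As an added illustration of the strict/loose distinction discussed in this thread (example code written for this page, not from the thread and not any OpenBSD or Cisco implementation): a small Python model of a FIB with antispoof, strict uRPF and loose uRPF evaluated side by side. The prefixes, interface names and the simplified antispoof rule are constructed assumptions.

```python
import ipaddress

# Constructed FIB for the demonstration: (prefix, outbound interface).
# Not taken from the thread; em0 faces the upstream, em1/em2 are LANs.
FIB = [
    ("0.0.0.0/0", "em0"),        # default route toward the upstream
    ("192.0.2.0/24", "em1"),     # directly connected LAN on em1
    ("198.51.100.0/24", "em2"),  # directly connected LAN on em2
    ("203.0.113.0/24", "em1"),   # remote prefix routed via a router on em1
]

# Directly connected networks, the only thing the antispoof model looks at.
CONNECTED = {"em1": "192.0.2.0/24", "em2": "198.51.100.0/24"}


def fib_lookup(fib, src):
    """Longest-prefix match of a source address; (network, iface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_accept(fib, src, in_iface, mode="strict"):
    """True if a packet from `src` arriving on `in_iface` passes uRPF.

    loose:  accept when any FIB entry covers the source address.
    strict: additionally require that the entry's outbound interface is the
            one the packet arrived on (so it fails under asymmetric routing).
    Caveat: a default route covers every source, so with one installed loose
    mode accepts everything and strict mode accepts anything arriving on em0;
    real implementations make default-route handling a separate knob.
    """
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    hit = fib_lookup(fib, src)
    if hit is None:
        return False
    if mode == "loose":
        return True
    return hit[1] == in_iface


def antispoof_accept(connected, src, in_iface):
    """Simplified antispoof: drop a packet whose source lies in a directly
    connected network but arrived on a different interface. Prefixes that
    are merely routed (203.0.113.0/24 above) are never checked."""
    addr = ipaddress.ip_address(src)
    for iface, prefix in connected.items():
        if addr in ipaddress.ip_network(prefix) and iface != in_iface:
            return False
    return True


def compare(fib, connected, src, in_iface):
    """Verdicts of the three mechanisms for one packet, side by side."""
    return {
        "antispoof": antispoof_accept(connected, src, in_iface),
        "urpf_strict": urpf_accept(fib, src, in_iface, "strict"),
        "urpf_loose": urpf_accept(fib, src, in_iface, "loose"),
    }


if __name__ == "__main__":
    cases = [
        ("192.0.2.10", "em1"),   # LAN host on its own interface: all accept
        ("192.0.2.10", "em2"),   # LAN source on wrong iface: loose still accepts
        ("203.0.113.5", "em2"),  # routed prefix on wrong iface: only strict drops
        ("203.0.113.5", "em0"),  # asymmetric return path: strict drops legit traffic
    ]
    for src, iface in cases:
        print(src, iface, compare(FIB, CONNECTED, src, iface))
```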



Re: A small research paper - Thoughts about Cisco.

2010-03-11 Thread Pete Vickers
On 11. March 2010, at 12.13, TS Lura wrote:

 Dear OpenBSD community,

 I'm doing a small research paper on Cisco and trying to find out if they are
 evil or not in relation to open/free source/standards, and business
 practice. E.g. locking people to their product line aka the MS way.

 I'm sending this mail to you guys because I think many of you know a lot
 about networking, and the networking industry. I'm hoping that someone would
 be kind and share some of their impressions of Cisco with me.

 My hypothesis is that Cisco is following the best business practice in
 relation to proprietary and open/free source.
 To answer this hypothesis I'm trying to find out if Cisco is using their
 proprietary solution when there is a better open/free alternative.

 My preliminary thoughts are taken from what I have perceived, that Cisco
 makes a proprietary solution to give them an edge and uniqueness in the
 market which they can harvest capital from. And when that solution has
 become commonplace they switch over to non-proprietary solutions to become
 more interoperable and thus stay competitive.

 First, is this a reasonable observation?
 Second, are there any deviations from this trend? If so, why?


 I'm very grateful for any reply I get.


 Kind regards,

 TSLura.


Hi,

Lots of flame-bait in there, which at least I am happily ignoring. Couple of
interesting points though:

1. Time to market, it's normally 'do it yourself' in private first, then open
source later. E.g. Cisco did ISL first until 802.1Q was later established as
the standard, and adopted by them.

2. Thoroughbred solutions, e.g. some (most?) products are a mix and match of
proprietary & open source, e.g. see this link for open source software
incorporated into a particular Cisco product:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/license/fwsmoslic.html


/Pete



Re: any known working configuration of OpenBGPd and CARP ?

2010-03-09 Thread Pete Vickers
On 7. March 2010, at 00.07, Claudio Jeker wrote:

 On Sat, Mar 06, 2010 at 06:52:24PM +0100, Rogier Krieger wrote:
 On Sat, Mar 6, 2010 at 17:26, Илья Шипицин chipits...@gmail.com wrote:
 no, I want routes exactly to carp.

 That sounds odd. Routes are something different from which particular
 host responds to frames directed to a specific hardware address.

 If I understand the rest of your description correctly, you want only
 the master bgpd to have sessions and to somehow distribute its routes
 to the backup(s), with the backups starting with that 'state' and
 initiate connections to your BGP peers whenever a master goes down. I
 doubt that'll work.

 In your scenario, if your master goes down, there are no longer any
 BGP sessions up with any of your peers. If I'm not mistaken, that will
 cause them to withdraw the prefixes you previously advertised from
 their tables and no longer forward traffic to you.


 Right, as soon as the master dies the routes will be withdrawn (there may
 be some overlap since it is possible that carp switches before bgpd
 realizes the loss). At the moment it is not possible to have a real backup
 router running. I have some ideas and partial diffs that will allow backup
 CARP nodes to preload tables. Main problem is that we need graceful
 restart for this but most peers (as in cizzzcoee) are not able to assist
 graceful restart.

 Btw. I'm looking for a device that is capable of doing graceful restarts
 (as for example some foundry) to test my diff against. Would be great if I
 could get access to a lab router to play with.

 When your new master is promoted, it will set up a new session with
 your peers. This is probably not the sort of failover you want to see
 happening in production.


 That's why you have multiple bgpd routers with redundant paths.

 --
 :wq Claudio



Not 100% sure what you mean by "...are not able to assist...", but IOS
supports BGP graceful restart as per RFC4724. e.g.:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftbgpnsf.html#wp1049642


/Pete



Re: kern.maxclusters: 6144 - ?

2010-03-01 Thread Pete Vickers
On 26. Feb. 2010, at 11.58, Claudio Jeker wrote:

 On Fri, Feb 26, 2010 at 11:30:30AM +0100, Pete Vickers wrote:
 On 26. Feb. 2010, at 03.01, Aaron Mason wrote:

 On Thu, Feb 25, 2010 at 10:04 AM, Pete Vickers p...@systemnet.no wrote:
 Hi,

 A proxy (squid) server running i368/4.6RELEASE with around 800 users, what
 would be a reasonable value to increase kern.maxclusters to, to cure this:


 r...@proxy-s ~ grep mcl   /var/log/messages
 Dec 10 10:13:43 proxy-s /bsd: WARNING: mclpools limit reached; increase
 kern.maxclusters
 Dec 10 11:06:07 proxy-s /bsd: WARNING: mclpools limit reached; increase
 kern.maxclusters
 Dec 15 13:41:48 proxy-s /bsd: WARNING: mclpools limit reached; increase
 kern.maxclusters


 r...@proxy-s ~ sysctl kern.maxclusters
 kern.maxclusters=6144


 r...@proxy-s ~ netstat -m
 4098 mbufs in use:
   1131 mbufs allocated to data
   2962 mbufs allocated to packet headers
   5 mbufs allocated to socket names and addresses
 1084/6152/6144 mbuf 2048 byte clusters in use (current/peak/max)
 0/8/6144 mbuf 4096 byte clusters in use (current/peak/max)
 0/8/6144 mbuf 8192 byte clusters in use (current/peak/max)
 0/8/6144 mbuf 9216 byte clusters in use (current/peak/max)
 0/8/6144 mbuf 12288 byte clusters in use (current/peak/max)
 0/8/6144 mbuf 16384 byte clusters in use (current/peak/max)
 0/8/6144 mbuf 65536 byte clusters in use (current/peak/max)
 14176 Kbytes allocated to network (22% in use)
 0 requests for memory denied
 0 requests for memory delayed
 0 calls to protocol drain routines


 something like kern.maxclusters=1 or ?



 /Pete



 Only you can answer that, Pete.

 Try increasing it gradually until the errors go away.  And if the
 error returns, increase it again.  If it makes your system unstable,
 lower it until it returns to stability.  Increments (and decrements,
 if necessary) of 256 would probably be wise.

 Getting the right balance with any system is all about trial and error
 - trying different things until things are running smoothly - or
 acceptably so in some situations.  It's also about the balance between
 workability and stability.  Sometimes you just can't have your cake
 and eat it too - stability must be the priority.

 My $0.02 there.

 --
 Aaron Mason - Programmer, open source addict
 I've taken my software vows - for beta or for worse


 Hi,


 Indeed, the only problem is that if it's too low, then the system hangs.

 I guess only the network hangs. Since there are no clusters available to be
 used by drivers or other sockets. Normally the system should not hang up
 itself because of that.

 Presumably if it's too high, then the 'system instability' manifests itself
 as hanging too, so it's tricky to tell which way to go, once you deviate from
 the norm ...


 Yes, if set too high you can run the kernel out of memory (physical or
 virtual) which normally causes a panic or freeze.

 Anyway for the archives I'm trying 8192 currently, hopefully that will reduce
 the crashes...


 6016 mbufs in use:
2151 mbufs allocated to data
3860 mbufs allocated to packet headers
5 mbufs allocated to socket names and addresses
 1979/5664/8192 mbuf 2048 byte clusters in use (current/peak/max)
 0/8/8192 mbuf 4096 byte clusters in use (current/peak/max)
 0/8/8192 mbuf 8192 byte clusters in use (current/peak/max)
 0/8/8192 mbuf 9216 byte clusters in use (current/peak/max)
 0/8/8192 mbuf 12288 byte clusters in use (current/peak/max)
 0/8/8192 mbuf 16384 byte clusters in use (current/peak/max)
 0/8/8192 mbuf 65536 byte clusters in use (current/peak/max)
 14048 Kbytes allocated to network (38% in use)


 You're allocating a max of 8192 2k buffers or 4096 4k pages or 16MB of
 memory. On a modern system with > 1GB of memory everything below 64MB or
 128k clusters should work if you don't fiddle with other knobs that rob
 all memory from the kernel.

 --
 :wq Claudio



okay, sounds reasonable. I've also 'fiddled with other knobs' too, so I hope
my kern.maxclusters at 8192 should not cause exhaustion in conjunction with:


net.inet.ip.ifq.maxlen=512
net.inet.tcp.recvspace=262144
net.inet.tcp.sendspace=262144
kern.maxfiles=8192
kern.maxclusters=8192


BTW, when the system runs out of (these?) resources, it sometimes prevents SSH
access or squid use, but still keeps a CARP peering alive, preventing failover
to its backup partner, which is somewhat frustrating (I know I could script
around this).  On other occasions, it drops into ddb, which at least allows
the CARP backup to take over duties. (I know I should file a bug report for
this)



/Pete
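An added example for this kern.maxclusters thread (written for this page, not code from the thread or from OpenBSD): it parses the `netstat -m` output quoted above, flags cluster pools whose peak reached the configured maximum, and reproduces the 2k-cluster memory arithmetic given by Claudio. The sample text is the thread's own output; the 90% "near limit" threshold is an assumption.

```python
import re

# Constructed sample: the netstat -m output quoted in this thread, captured
# while kern.maxclusters was 6144 and the "mclpools limit reached" warning
# had already been logged.
SAMPLE_NETSTAT_M = """\
4098 mbufs in use:
    1131 mbufs allocated to data
    2962 mbufs allocated to packet headers
    5 mbufs allocated to socket names and addresses
1084/6152/6144 mbuf 2048 byte clusters in use (current/peak/max)
0/8/6144 mbuf 4096 byte clusters in use (current/peak/max)
0/8/6144 mbuf 8192 byte clusters in use (current/peak/max)
0/8/6144 mbuf 9216 byte clusters in use (current/peak/max)
0/8/6144 mbuf 12288 byte clusters in use (current/peak/max)
0/8/6144 mbuf 16384 byte clusters in use (current/peak/max)
0/8/6144 mbuf 65536 byte clusters in use (current/peak/max)
14176 Kbytes allocated to network (22% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines
"""

CLUSTER_RE = re.compile(
    r"^\s*(\d+)/(\d+)/(\d+) mbuf (\d+) byte clusters in use", re.MULTILINE)
DENIED_RE = re.compile(r"^\s*(\d+) requests for memory denied", re.MULTILINE)


def parse_cluster_pools(text):
    """Per cluster size: current/peak/max counts from `netstat -m`."""
    pools = {}
    for current, peak, maximum, size in CLUSTER_RE.findall(text):
        pools[int(size)] = {
            "current": int(current), "peak": int(peak), "max": int(maximum)}
    return pools


def saturated_pools(text):
    """Cluster sizes whose peak usage reached the configured maximum.

    In the sample the 2048-byte pool peaked at 6152 against a max of 6144,
    which is the condition the kernel warning coincided with, even though
    the 'requests for memory denied' counter was still 0.
    """
    return sorted(size for size, pool in parse_cluster_pools(text).items()
                  if pool["peak"] >= pool["max"])


def denied_requests(text):
    """The 'requests for memory denied' counter, or None if absent."""
    match = DENIED_RE.search(text)
    return int(match.group(1)) if match else None


def pool_footprint_mib(max_clusters, cluster_bytes=2048):
    """Memory the 2k cluster pool can pin at max_clusters, in MiB; the 16MB
    figure for 8192 clusters given in the thread is this calculation."""
    return max_clusters * cluster_bytes / (1024 * 1024)


def check(text, warn_ratio=0.9):
    """Monitoring-style verdict: pools that hit their limit, pools within
    warn_ratio of it (assumed threshold), and the denied counter, so the
    limit can be raised before the next exhaustion."""
    pools = parse_cluster_pools(text)
    return {
        "saturated": saturated_pools(text),
        "near_limit": sorted(size for size, p in pools.items()
                             if p["max"] > p["peak"] >= warn_ratio * p["max"]),
        "denied": denied_requests(text),
    }
```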



Sun Fire 880 phantom disks

2010-03-01 Thread Pete Vickers
Hi,


Upon booting either 4.6-RELEASE or 4.7-BETA on my SunFire 880, the kernel
'sees' twice the correct number of physical disks. Further, if I install the
o/s using bsd.rd on to sd0, then upon reboot the kernel can't find the root
disk. However if I install on sd12 then booting etc is fine.

The machine has physically 12 disks (36GB FC-AL), which appear to be
duplicated as sd0-sd11 and sd12-23.


r...@sf880 ~sysctl hw.disknames
hw.disknames=cd0,sd0,sd1,sd2,sd3,sd4,sd5,sd6,sd7,sd8,sd9,sd10,sd11,sd12,sd13,
sd14,sd15,sd16,sd17,sd18,sd19,sd20,sd21,sd22,sd23



compare disk serial numbers :

r...@sf880 ~bioctl  sd0
sd0: SEAGATE, ST336605FSUN36G, 0438, serial 3FP0N1K67214DE8J
r...@sf880 ~bioctl  sd1
sd1: SEAGATE, ST336605FSUN36G, 0438, serial 3FP0JHHX7214DDNK

r...@sf880 ~bioctl  sd12
sd12: SEAGATE, ST336605FSUN36G, 0438, serial 3FP0N1K67214DE8J
r...@sf880 ~bioctl  sd13
sd13: SEAGATE, ST336605FSUN36G, 0438, serial 3FP0JHHX7214DDNK





full dmesg:


console is /p...@9,70/e...@1/ser...@1,40:a
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2009 OpenBSD. All rights reserved.  http://www.OpenBSD.org

OpenBSD 4.6 (GENERIC.MP) #53: Thu Jul  9 21:50:16 MDT 2009
dera...@sparc64.openbsd.org:/usr/src/sys/arch/sparc64/compile/GENERIC.MP
real mem = 4294967296 (4096MB)
avail mem = 4140875776 (3949MB)
mainbus0 at root: Sun Fire 880
cpu0 at mainbus0: SUNW,UltraSPARC-III (rev 5.4) @ 750 MHz
cpu0: physical 32K instruction (32 b/l), 64K data (32 b/l), 8192K external
(512 b/l)
cpu1 at mainbus0: SUNW,UltraSPARC-III (rev 5.4) @ 750 MHz
cpu1: physical 32K instruction (32 b/l), 64K data (32 b/l), 8192K external
(512 b/l)
memory-controller at mainbus0 not configured
memory-controller at mainbus0 not configured
schizo0 at mainbus0: Schizo, version 4, ign 200, bus B 0 to 1
schizo0: dvma map c000-
pci0 at schizo0
siop0 at pci0 dev 1 function 0 Symbios Logic 53c875 rev 0x04: ivec 0x21c,
using 4K of on-board RAM
scsibus0 at siop0: 16 targets, initiator 7
cd0 at scsibus0 targ 6 lun 0: TOSHIBA, DVD-ROM SD-M1401, 1009 SCSI2 5/cdrom
removable
ppb0 at pci0 dev 5 function 0 DEC 21154 PCI-PCI rev 0x05
pci1 at ppb0 bus 1
isp0 at pci1 dev 4 function 0 QLogic ISP2200 rev 0x05: ivec 0x218
isp0: Board Type 2200, Chip Revision 0x5, loaded F/W Revision 2.2.6
scsibus1 at isp0: 512 targets
sd0 at scsibus1 targ 0 lun 0: SEAGATE, ST336605FSUN36G, 0438 SCSI3 0/direct
fixed
sd0: 34732MB, 512 bytes/sec, 71132959 sec total
sd1 at scsibus1 targ 1 lun 0: SEAGATE, ST336605FSUN36G, 0438 SCSI3 0/direct
fixed
sd1: 34732MB, 512 bytes/sec, 71132959 sec total
sd2 at scsibus1 targ 2 lun 0: SEAGATE, ST336605FSUN36G, 0438 SCSI3 0/direct
fixed
sd2: 34732MB, 512 bytes/sec, 71132959 sec total
sd3 at scsibus1 targ 3 lun 0: SEAGATE, ST336605FSUN36G, 0438 SCSI3 0/direct
fixed
sd3: 34732MB, 512 bytes/sec, 71132959 sec total
sd4 at scsibus1 targ 4 lun 0: SEAGATE, ST336605FSUN36G, 0438 SCSI3 0/direct
fixed
sd4: 34732MB, 512 bytes/sec, 71132959 sec total
sd5 at scsibus1 targ 5 lun 0: SEAGATE, ST336605FSUN36G, 0438 SCSI3 0/direct
fixed
sd5: 34732MB, 512 bytes/sec, 71132959 sec total
ses0 at scsibus1 targ 6 lun 0: SUNW, SUNWGS INT FCBPL, 9222 SCSI3
13/enclosure services fixed
sd6 at scsibus1 targ 7 lun 0: SEAGATE, ST336605FSUN36G, 0438 SCSI3 0/direct
fixed
sd6: 34732MB, 512 bytes/sec, 71132959 sec total
sd7 at scsibus1 targ 8 lun 0: SEAGATE, ST336605FSUN36G, 0438 SCSI3 0/direct
fixed
sd7: 34732MB, 512 bytes/sec, 71132959 sec total
sd8 at scsibus1 targ 9 lun 0: SEAGATE, ST336605FSUN36G, 0438 SCSI3 0/direct
fixed
sd8: 34732MB, 512 bytes/sec, 71132959 sec total
sd9 at scsibus1 targ 10 lun 0: SEAGATE, ST336605FSUN36G, 0438 SCSI3 0/direct
fixed
sd9: 34732MB, 512 bytes/sec, 71132959 sec total
sd10 at scsibus1 targ 11 lun 0: SEAGATE, ST336605FSUN36G, 0438 SCSI3
0/direct fixed
sd10: 34732MB, 512 bytes/sec, 71132959 sec total
sd11 at scsibus1 targ 12 lun 0: SEAGATE, ST336605FSUN36G, 0438 SCSI3
0/direct fixed
sd11: 34732MB, 512 bytes/sec, 71132959 sec total
isp1 at pci1 dev 5 function 0 QLogic ISP2200 rev 0x05: ivec 0x219
isp1: Board Type 2200, Chip Revision 0x5, loaded F/W Revision 2.2.6
scsibus2 at isp1: 512 targets
schizo1 at mainbus0: Schizo, version 4, ign 200, bus A 0 to 0
schizo1: dvma map c000-
pci2 at schizo1
gem0 at pci2 dev 1 function 0 Sun GEM rev 0x01: ivec 0x200, address
00:03:ba:08:de:01
gentbi0 at gem0 phy 0: Generic ten-bit interface, rev. 0
isp2 at pci2 dev 2 function 0 QLogic ISP2200 rev 0x05: ivec 0x204
isp2: Board Type 2200, Chip Revision 0x5, loaded F/W Revision 2.2.6
scsibus3 at isp2: 512 targets
sd12 at scsibus3 targ 0 lun 0: SEAGATE, ST336605FSUN36G, 0438 SCSI3 0/direct
fixed
sd12: 34732MB, 512 bytes/sec, 71132959 sec total
sd13 at scsibus3 targ 1 lun 0: SEAGATE, ST336605FSUN36G, 0438 SCSI3 0/direct
fixed
sd13: 34732MB, 512 bytes/sec, 71132959 sec total
sd14 at scsibus3 targ 2 lun 0: SEAGATE, ST336605FSUN36G, 0438 

Re: Sun Fire 880 phantom disks

2010-03-01 Thread Pete Vickers
Hi,

The 880 is stock from Sun. I've done no hardware plumbing on it.

According to http://docs.sun.com/app/docs/doc/806-7338-10/6jg7hm79b?a=view

You can use multipathing software to switch I/O operations from one I/O
controller to another to prepare for DR operations. With a combination of DR
and multipathing software, you can remove, replace, or deactivate a PCI
controller card with no interruption to system operation. Note that this
requires redundant hardware; that is, the system must contain an alternate I/O
controller that is connected to the same device(s) as the card being removed
or replaced

So the disk bus is connected to two controllers for redundancy, and Solaris
obviously deals with this accordingly. I guess I should config a controller
away to stop OpenBSD seeing it ? In the longer term perhaps OpenBSD scsi layer
could examine disk serial numbers, and avoid assigning device IDs to
subsequent disks with the same serial number ?


{2} ok devalias
cdrom/p...@8,70/s...@1/d...@6,0:f
tape /p...@8,70/s...@1/t...@4,0
scsix/p...@8,70/s...@1
disk /p...@8,60/SUNW,q...@2/f...@0,0/d...@0,0
disk0/p...@8,60/SUNW,q...@2/f...@0,0/d...@0,0
disk1/p...@8,60/SUNW,q...@2/f...@0,0/d...@1,0
disk2/p...@8,60/SUNW,q...@2/f...@0,0/d...@2,0
disk3/p...@8,60/SUNW,q...@2/f...@0,0/d...@3,0
disk4/p...@8,60/SUNW,q...@2/f...@0,0/d...@4,0
disk5/p...@8,60/SUNW,q...@2/f...@0,0/d...@5,0
disk6/p...@8,60/SUNW,q...@2/f...@0,0/d...@8,0
disk7/p...@8,60/SUNW,q...@2/f...@0,0/d...@9,0
disk8/p...@8,60/SUNW,q...@2/f...@0,0/d...@a,0
disk9/p...@8,60/SUNW,q...@2/f...@0,0/d...@b,0
disk10   /p...@8,60/SUNW,q...@2/f...@0,0/d...@c,0
disk11   /p...@8,60/SUNW,q...@2/f...@0,0/d...@d,0
scsi /p...@8,60/SUNW,q...@2
net  /p...@9,70/netw...@1,1
gem  /p...@8,60/netw...@1
flash/p...@9,70/e...@1/flashp...@0,0
idprom   /p...@9,70/e...@1/i...@1,500030/idp...@0,a0
nvram/p...@9,70/e...@1/i...@1,500030/nv...@0,a0
i2c3 /p...@9,70/e...@1/i...@1,500030
i2c2 /p...@9,70/e...@1/i...@1,50002e
bbc1 /p...@9,70/e...@1/b...@1,50
i2c1 /p...@9,70/e...@1/i...@1,30
i2c0 /p...@9,70/e...@1/i...@1,2e
bbc0 /p...@9,70/e...@1/b...@1,0
rsc-console  /p...@9,70/e...@1/rsc-cons...@1,3083f8
rsc-control  /p...@9,70/e...@1/rsc-cont...@1,3062f8
ttyb /p...@9,70/e...@1/ser...@1,40:b
ttya /p...@9,70/e...@1/ser...@1,40:a
pci9b/p...@9,70
pci9a/p...@9,60
pci8b/p...@8,70
pci8a/p...@8,60
ebus /p...@9,70/e...@1
name aliases




/Pete




On 1. March 2010, at 19.40, Kenneth R Westerback wrote:

 On Mon, Mar 01, 2010 at 03:56:22PM +0100, Pete Vickers wrote:
 Hi,


 Upon booting either 4.6-RELEASE or 4.7-BETA on my SunFire 880, the kernel
 'sees' twice the correct number of physical disks. Further, if I install the
 o/s using bsd.rd on to sd0, then upon reboot the kernel can't find the root
 disk. However if I install on sd12 then booting etc is fine.

 The machine has physically 12 disks (36GB FC-AL), which appear to be
 duplicated as sd0-sd11 and sd12-23.

 Do you have the disk in a loop that includes both ports on the 2200? That
 could explain why the disks are seen twice. And I believe only one WWN
 is saved from the boot so if it sees the same disk on the other port
 it may be lost.

  Ken



 r...@sf880 ~sysctl hw.disknames

hw.disknames=cd0,sd0,sd1,sd2,sd3,sd4,sd5,sd6,sd7,sd8,sd9,sd10,sd11,sd12,sd13,
 sd14,sd15,sd16,sd17,sd18,sd19,sd20,sd21,sd22,sd23



 compare disk serial numbers :

 r...@sf880 ~bioctl  sd0
 sd0: SEAGATE, ST336605FSUN36G, 0438, serial 3FP0N1K67214DE8J
 r...@sf880 ~bioctl  sd1
 sd1: SEAGATE, ST336605FSUN36G, 0438, serial 3FP0JHHX7214DDNK

 r...@sf880 ~bioctl  sd12
 sd12: SEAGATE, ST336605FSUN36G, 0438, serial 3FP0N1K67214DE8J
 r...@sf880 ~bioctl  sd13
 sd13: SEAGATE, ST336605FSUN36G, 0438, serial 3FP0JHHX7214DDNK





 full dmesg:


 console is /p...@9,70/e...@1/ser...@1,40:a
 Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
 Copyright (c) 1995-2009 OpenBSD. All rights reserved.
http://www.OpenBSD.org

 OpenBSD 4.6 (GENERIC.MP) #53: Thu Jul  9 21:50:16 MDT 2009

dera...@sparc64.openbsd.org:/usr
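As an added example of the serial-number check suggested above (written for this page; not OpenBSD code and not from the thread): grouping bioctl output by serial number to find device names that are two paths to the same physical disk. The sample lines are the thread's own bioctl output plus one constructed entry with a serial that occurs only once.

```python
import re

# Constructed sample: the four bioctl lines quoted in this thread plus one
# invented disk (sd2, serial CONSTRUCTED0002) that is seen only once.
SAMPLE_BIOCTL = """\
sd0: SEAGATE, ST336605FSUN36G, 0438, serial 3FP0N1K67214DE8J
sd1: SEAGATE, ST336605FSUN36G, 0438, serial 3FP0JHHX7214DDNK
sd2: SEAGATE, ST336605FSUN36G, 0438, serial CONSTRUCTED0002
sd12: SEAGATE, ST336605FSUN36G, 0438, serial 3FP0N1K67214DE8J
sd13: SEAGATE, ST336605FSUN36G, 0438, serial 3FP0JHHX7214DDNK
"""

# One bioctl(8) line per device: "<dev>: <vendor, product, rev>, serial <sn>"
BIOCTL_RE = re.compile(r"^(sd\d+): (.*), serial (\S+)$", re.MULTILINE)


def parse_bioctl(text):
    """Map device name -> serial number, preserving the order of the lines
    (which is the attach order when the output was collected per unit)."""
    return {dev: serial for dev, _desc, serial in BIOCTL_RE.findall(text)}


def paths_by_serial(text):
    """Group device names by serial; a serial with two names is one physical
    disk reachable over two controllers, as on the Sun Fire 880 here."""
    groups = {}
    for dev, serial in parse_bioctl(text).items():
        groups.setdefault(serial, []).append(dev)
    return groups


def phantom_disks(text):
    """Devices that repeat the serial of an earlier-attached disk, i.e. the
    ones a serial-number-aware attach would skip; the first-seen device is
    kept as the canonical path."""
    seen = set()
    phantoms = []
    for dev, serial in parse_bioctl(text).items():
        if serial in seen:
            phantoms.append(dev)
        seen.add(serial)
    return phantoms


def single_path_disks(text):
    """Serials seen exactly once: disks without a redundant path."""
    return sorted(s for s, devs in paths_by_serial(text).items() if len(devs) == 1)
```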

Re: Sun Fire 880 phantom disks

2010-03-01 Thread Pete Vickers
Hi,

Just FYI:


{2} ok  setenv boot-device disk0 disk1
boot-device =   disk0 disk1


this boots disk0 or fails over to disk1.


/Pete



On 1. March 2010, at 20.14, philippe aubry wrote:

 In the openfirmware env you can save only one device to boot if I remember
 correctly. 



Re: kern.maxclusters: 6144 - ?

2010-02-26 Thread Pete Vickers
On 26. Feb. 2010, at 03.01, Aaron Mason wrote:

 On Thu, Feb 25, 2010 at 10:04 AM, Pete Vickers p...@systemnet.no wrote:
 Hi,

 A proxy (squid) server running i368/4.6RELEASE with around 800 users, what
 would be a reasonable value to increase kern.maxclusters to, to cure this:


 r...@proxy-s ~ grep mcl   /var/log/messages
 Dec 10 10:13:43 proxy-s /bsd: WARNING: mclpools limit reached; increase
 kern.maxclusters
 Dec 10 11:06:07 proxy-s /bsd: WARNING: mclpools limit reached; increase
 kern.maxclusters
 Dec 15 13:41:48 proxy-s /bsd: WARNING: mclpools limit reached; increase
 kern.maxclusters


 r...@proxy-s ~ sysctl kern.maxclusters
 kern.maxclusters=6144


 r...@proxy-s ~ netstat -m
 4098 mbufs in use:
1131 mbufs allocated to data
2962 mbufs allocated to packet headers
5 mbufs allocated to socket names and addresses
 1084/6152/6144 mbuf 2048 byte clusters in use (current/peak/max)
 0/8/6144 mbuf 4096 byte clusters in use (current/peak/max)
 0/8/6144 mbuf 8192 byte clusters in use (current/peak/max)
 0/8/6144 mbuf 9216 byte clusters in use (current/peak/max)
 0/8/6144 mbuf 12288 byte clusters in use (current/peak/max)
 0/8/6144 mbuf 16384 byte clusters in use (current/peak/max)
 0/8/6144 mbuf 65536 byte clusters in use (current/peak/max)
 14176 Kbytes allocated to network (22% in use)
 0 requests for memory denied
 0 requests for memory delayed
 0 calls to protocol drain routines


 something like kern.maxclusters=1 or ?



 /Pete



 Only you can answer that, Pete.

 Try increasing it gradually until the errors go away.  And if the
 error returns, increase it again.  If it makes your system unstable,
 lower it until it returns to stability.  Increments (and decrements,
 if necessary) of 256 would probably be wise.

 Getting the right balance with any system is all about trial and error
 - trying different things until things are running smoothly - or
 acceptably so in some situations.  It's also about the balance between
 workability and stability.  Sometimes you just can't have your cake
 and eat it too - stability must be the priority.

 My $0.02 there.

 --
 Aaron Mason - Programmer, open source addict
 I've taken my software vows - for beta or for worse


Hi,


Indeed, the only problem is that if it's too low, then the system hangs.
Presumably if it's too high, then the 'system instability' manifests itself
as hanging too, so it's tricky to tell which way to go, once you deviate from
the norm ...

Anyway for the archives I'm trying 8192 currently, hopefully that will reduce
the crashes...


6016 mbufs in use:
2151 mbufs allocated to data
3860 mbufs allocated to packet headers
5 mbufs allocated to socket names and addresses
1979/5664/8192 mbuf 2048 byte clusters in use (current/peak/max)
0/8/8192 mbuf 4096 byte clusters in use (current/peak/max)
0/8/8192 mbuf 8192 byte clusters in use (current/peak/max)
0/8/8192 mbuf 9216 byte clusters in use (current/peak/max)
0/8/8192 mbuf 12288 byte clusters in use (current/peak/max)
0/8/8192 mbuf 16384 byte clusters in use (current/peak/max)
0/8/8192 mbuf 65536 byte clusters in use (current/peak/max)
14048 Kbytes allocated to network (38% in use)


/Pete
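The tuning loop described above (raise kern.maxclusters in steps of 256 until the warnings stop) can be driven from the two signals the thread relies on: a pool whose peak reached its max in `netstat -m`, and the kernel's "mclpools limit reached" warning. The script below is an added example, not code from any message in the thread; the function names are hypothetical, and the sample `netstat -m` and syslog text is constructed from the figures in the post. On a live host you would feed it `sysctl -n kern.maxclusters`, `netstat -m` and /var/log/messages instead.

```sh
#!/bin/sh
# Added example (not from the thread): decide whether kern.maxclusters needs
# raising, using the two signals the thread relies on: a cluster pool whose
# peak reached its max in `netstat -m`, and "mclpools limit reached" warnings
# from the kernel. The step of 256 follows Aaron's suggestion. Function names
# and the sample data below are constructed for this example.

# Constructed sample: the figures from the original post (peak 6152 > max 6144).
SAMPLE_NETSTAT_M='4098 mbufs in use:
        1131 mbufs allocated to data
        2962 mbufs allocated to packet headers
        5 mbufs allocated to socket names and addresses
1084/6152/6144 mbuf 2048 byte clusters in use (current/peak/max)
0/8/6144 mbuf 4096 byte clusters in use (current/peak/max)
0/8/6144 mbuf 8192 byte clusters in use (current/peak/max)
14176 Kbytes allocated to network (22% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines'

# Constructed sample syslog lines, same shape as the post's grep output.
SAMPLE_MESSAGES='Dec 10 10:13:43 proxy-s /bsd: WARNING: mclpools limit reached; increase kern.maxclusters
Dec 10 11:06:07 proxy-s /bsd: WARNING: mclpools limit reached; increase kern.maxclusters
Dec 15 13:41:48 proxy-s /bsd: WARNING: mclpools limit reached; increase kern.maxclusters'

# exhausted_cluster_pools NETSTAT_TEXT
# Prints "size peak max" for every cluster pool whose peak usage reached its
# limit. The first field of each pool line is current/peak/max.
exhausted_cluster_pools() {
    printf '%s\n' "$1" | awk '/mbuf .* byte clusters in use/ {
        split($1, f, "/")
        if (f[2] + 0 >= f[3] + 0) print $3, f[2], f[3]
    }'
}

# count_mclpool_warnings SYSLOG_TEXT
# Number of kernel "mclpools limit reached" warnings in the given log text.
count_mclpool_warnings() {
    printf '%s\n' "$1" | grep -c 'mclpools limit reached' || true
}

# next_maxclusters CURRENT NETSTAT_TEXT SYSLOG_TEXT [STEP]
# Prints the kern.maxclusters value to try next: CURRENT + STEP when either
# signal shows exhaustion, otherwise CURRENT unchanged. Small steps keep the
# extra kernel memory commitment bounded; the thread's caveat that too high a
# value can destabilise the box still applies.
next_maxclusters() {
    cur=$1
    step=${4:-256}
    if [ -n "$(exhausted_cluster_pools "$2")" ] ||
       [ "$(count_mclpool_warnings "$3")" -gt 0 ]; then
        echo $((cur + step))
    else
        echo "$cur"
    fi
}

# Stand-alone demonstration on the constructed samples. To make a chosen value
# persist across reboots, put kern.maxclusters=VALUE in /etc/sysctl.conf.
next_maxclusters 6144 "$SAMPLE_NETSTAT_M" "$SAMPLE_MESSAGES"
```

Run it from cron after each adjustment and keep the output: a value that stops growing tells you the errors have gone away, and the log of steps is what you fall back to if the higher setting turns out to be the unstable one.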



kern.maxclusters: 6144 - ?

2010-02-24 Thread Pete Vickers
Hi,

A proxy (squid) server running i386/4.6RELEASE with around 800 users; what
would be a reasonable value to increase kern.maxclusters to, to cure this:


r...@proxy-s ~ grep mcl   /var/log/messages
Dec 10 10:13:43 proxy-s /bsd: WARNING: mclpools limit reached; increase
kern.maxclusters
Dec 10 11:06:07 proxy-s /bsd: WARNING: mclpools limit reached; increase
kern.maxclusters
Dec 15 13:41:48 proxy-s /bsd: WARNING: mclpools limit reached; increase
kern.maxclusters


r...@proxy-s ~ sysctl kern.maxclusters
kern.maxclusters=6144


r...@proxy-s ~ netstat -m
4098 mbufs in use:
1131 mbufs allocated to data
2962 mbufs allocated to packet headers
5 mbufs allocated to socket names and addresses
1084/6152/6144 mbuf 2048 byte clusters in use (current/peak/max)
0/8/6144 mbuf 4096 byte clusters in use (current/peak/max)
0/8/6144 mbuf 8192 byte clusters in use (current/peak/max)
0/8/6144 mbuf 9216 byte clusters in use (current/peak/max)
0/8/6144 mbuf 12288 byte clusters in use (current/peak/max)
0/8/6144 mbuf 16384 byte clusters in use (current/peak/max)
0/8/6144 mbuf 65536 byte clusters in use (current/peak/max)
14176 Kbytes allocated to network (22% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines


something like kern.maxclusters=1 or ?



/Pete



Re: network performance problems

2010-02-21 Thread Pete Vickers
Hi,

I think you misunderstand me, I was not trying to argue that Cisco's firewall
offerings are any better or worse than OpenBSD based solutions.  I was merely
pointing out that:

-  A _correctly_configured_ Cisco 6500/7600 SUP is not vulnerable to a few
Mbps of multicast traffic as alleged by claudio (unless someone has a new
non-disclosed attack).

- 6500/7600 can do HW stateful FWing, e.g. FWSM (which is not a line card),
but which is obviously a different budget than a PC running OpenBSD.




/Pete



On 18. feb. 2010, at 05.18, David Gwynne wrote:

 a lot of the features you list below are only useful or usable at the
 switching layer, and therefore not really fair when compared to what openbsd
 can do. eg, the dhcp snooping is done on the switches at the client access
 layer to prevent rogue dhcp servers on an l2 network. unless you put openbsd
 bridges between each of your client machines and the switch then you can't do
 that on openbsd.

 the feature you do list that is worth comparing is the acl stuff. it is true
 that on cisco gear you can filter packets (emphasis on packets) in hardware,
 which is extremely fast, however, you can only filter on attributes of each
 individual packet. if you want to do stateful filtering though (ie, filter
 streams/flows of packets), then it's a completely different story.

 personally the decision between openbsd and cisco for stateful filtering comes
 down to three factors: speed, cost, and the quality/usability of the
 implementation.

 i find it far easier to manage openbsd boxes, and i really love the features
 available to me in pf. i guess i'm biased since i have some code in there now.
 i haven't had the opportunity to do a speed test between a cisco and my current
 openbsd firewalls, but i would be extremely surprised if the performance of
 the cisco scaled at the same rate as the price when compared to the openbsd
 boxes. so to me openbsd wins based on cost vs performance, and on usability
 and features. i can do 200 or 300k pps on openbsd systems we bought 2 or 3
 years ago for about 5 grand. i'm not sure cisco sell a stateful firewall module
 for 5 grand.

 dlg

 On 18/02/2010, at 12:05 AM, Tomas Bodzar wrote:

 I'm not an expert in this area, but it looks like OpenBSD can do some
 parts too and for a much lower price.

 DHCP snooping

 From info on Cisco page it looks like simple combination of
 lists/macros for blocking/allowing certain ports. Tables are possible
 with OpenBSD too and you can limit flow rate of packets too

 Dynamic ARP Inspection

 If I'm not wrong then pf(4) doesn't operate on this layer, but then
 good, secure and simple design comes into the game

 IP Source Guard

 sounds like antispoof quick for

 Unicast Reverse Path Forwarding (URPF)

 sounds like block in quick from urpf-failed to any   # use with care

 Access Control Lists

 something like SELinux and similar? It's the first thing which every good
 sysadmin turns off because of unneeded complexity and often bugs too.
 If I read this :

 More generally, security ACLs can be used to protect against source
 address spoofing or to restrict network access to only legitimate
 sources, networks, and applications. For example, ACLs should be used
 to deny private address space at the ingress of the Internet and
 perform some filtering in the campus such that packets can only
 originate from customer-assigned addresses. ACLs should also be used
 to deny unused multicast addresses, to prevent multicast DoS attacks.
 Another interesting example is that of MAC ACLs which could be used to
 deny packets with invalid IP versions.

 then I can say that all of this is possible with pf(4) without the need for
 ACLs


 Quality of Service

 don't know much about this in OpenBSD, but sounds like at least
 something similar is possible with this
 http://www.openbsd.org/faq/pf/queueing.html

 Port security

 buy HW which is capable of avoiding CAM overflow

 CONTROL PLANE AND MANAGEMENT PLANE PROTECTION

 some parts look possible with pf(4), some not, but as I said this
 must be confirmed by someone who knows much more

 Built-In Special-Case CPU Rate Limiters

 read users' stories and try pf(4); you will see that it can handle DoS very
 well



 It's quite long reading, but for me it looks like it's not needed to
 spend so much money in most cases.

 On Wed, Feb 17, 2010 at 2:21 PM, Pete Vickers p...@systemnet.no wrote:
 On 17. feb. 2010, at 08.47, Claudio Jeker wrote:

 On Wed, Feb 17, 2010 at 03:35:24AM +0200, Kapetanakis Giannis wrote:
 On 17/02/10 03:16, FRLinux wrote:

 Mmmh, you piqued my interest here. You mentioned your cisco 6500 but I
 guess you are going to use only gigabit NICs, so you have no need on
 the 10gb range? Just asking, not trying to start a war :)

 Cheers,
 Steph


 ps. the cisco crawled when I enabled IOS firewall features (stateful).
 Firewall interface == $35K come on now... Too much money!


 The 6500 and 7600 cisco systems are not able to do stateful firewalling
 in HW
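The pf(4) equivalents Tomas lists above (antispoof, urpf-failed, tables for bogon filtering, connection-rate limiting) fit together in one ruleset. The fragment below is an added example for this page and is not from any message in the thread; the interface names em0/em1, the 192.0.2.10 web server (documentation range) and the table names are assumptions, and the martians table assumes a statically addressed external interface (a DHCP-configured one would need 0.0.0.0/8 and 255.255.255.255 allowed).

```pf
# Added example pf.conf fragment (OpenBSD 4.x syntax); interface names and
# addresses are placeholders, not from the thread.
ext_if = "em0"
int_if = "em1"
web_srv = "192.0.2.10"

# Private and reserved space that must never arrive from the Internet: the
# "deny private address space at the ingress" ACL use case, plus multicast and
# class E so stray multicast cannot reach the box's stack from outside.
table <martians> const { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, \
                         172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, \
                         240.0.0.0/4 }

# Sources that trip the connection-rate limit below (pf's stand-in for a
# per-source rate limiter). Expire entries from cron with
# `pfctl -t abusers -T expire 3600`.
table <abusers> persist

set skip on lo

# Source-address checks. antispoof generates block rules for packets that
# claim an address from one of our own networks but arrive on the wrong
# interface; urpf-failed drops packets whose source address would not be
# routed back out the interface they arrived on (strict unicast RPF).
antispoof quick for { $ext_if $int_if }
block in quick from urpf-failed to any

# Bogon filtering on the Internet-facing interface, both directions.
block in quick on $ext_if from <martians> to any
block out quick on $ext_if from any to <martians>

# Known abusers are dropped before any pass rule is considered.
block in quick from <abusers> to any

# Default deny, then stateful passes: return traffic matches the state entry,
# which is the difference from a per-packet ACL.
block all
pass out keep state

# Per-source connection-rate limit on the web service: more than 100 new
# connections in 10 seconds adds the source to <abusers> and flushes all of
# its existing states on this box.
pass in on $ext_if proto tcp from any to $web_srv port 80 flags S/SA \
    keep state (max-src-conn-rate 100/10, overload <abusers> flush global)
```

Check a candidate ruleset with `pfctl -nf /etc/pf.conf` before loading it; the urpf-failed rule in particular should be tested on multi-homed hosts, since asymmetric routing makes legitimate traffic fail the reverse-path check.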

Re: network performance problems

2010-02-17 Thread Pete Vickers
On 17. feb. 2010, at 08.47, Claudio Jeker wrote:

 On Wed, Feb 17, 2010 at 03:35:24AM +0200, Kapetanakis Giannis wrote:
 On 17/02/10 03:16, FRLinux wrote:

 Mmmh, you piqued my interest here. You mentioned your cisco 6500 but I
 guess you are going to use only gigabit NICs, so you have no need on
 the 10gb range? Just asking, not trying to start a war :)

 Cheers,
 Steph


 ps. the cisco crawled when I enabled IOS firewall features (stateful).
 Firewall interface == $35K come on now... Too much money!


 The 6500 and 7600 cisco systems are not able to do stateful firewalling
 in HW and have also issues with stuff like netflow exports. Unless you buy
 the super expensive line cards. Even the big SUP boards come with a tiny
 CPU running at the speed of a loongson -- those can be killed with a few
 Mbps of multicast traffic.

 --
 :wq Claudio


Just to balance the anti-cisco viewpoint:

If you want to do deep packet stuff in HW, then Cisco offer the FWSM & ACE &
NAM modules for 6500/7600.

The SUPs (meant for switching/routing, not FWing) support CoPP (control-plane
policing) in HW, which should be configured to prevent abusive traffic hitting
the CPU; this (amongst a large list of others) includes high PPS multicast.
For example see:

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd802ca5d6.html


/Pete



Re: is the Lemote Yeeloong available in the US?

2010-02-05 Thread Pete Vickers
presumably this is no worse than any other firmware, just that since it's open
source you can actually see it?

is it just me or does the Fuloong
(http://www.lemote.com/english/fuloong.html) look like a perfect car-puter,
since it has 12V power requirements, S-video & audio output, and IR receiver?

/Pete



On 5. feb. 2010, at 00.49, Aaron Mason wrote:

 On Fri, Feb 5, 2010 at 3:42 AM, Miod Vallat m...@online.fr wrote:
 ..
 You do not want to tinker with the firmware. The stock PMON2000 does not
 support these machines, so you'll need to start with the pmon code
 provided by Lemote, and saying that it is in a dire need of cleaning is
 an understatement.




Re: MacBook Air SSD not found

2010-02-04 Thread Pete Vickers
Hi,

Thanks for the patch - good idea. However:

Since the firmware on the MacBook Air in question does not recognise non-OSX
(HFS+) USB memory sticks, I could only test this patch by applying it on
another machine's tree, then 'make release' and burning the created cd47.iso
to a CDROM. Upon booting from the CDROM on the 'Air, it just hangs at the SSD
disk detection line in dmesg. Further, if I 'boot -c' to try to enable verbose
booting in UKC, then it just sits at the UKC prompt, due to the fact that
neither the internal nor a USB keyboard works at that point.

any ideas?



/Pete






On 29. jan. 2010, at 20.15, Brynet wrote:

 Hi,

 Perhaps it's unrelated to your problem, but you could try forcing your
 SATA controller into AHCI mode.. maybe you'll see your drive then.

 -Bryan.

 Index: dev/pci/ahci.c
 ===
 RCS file: /cvs/src/sys/dev/pci/ahci.c,v
 retrieving revision 1.158
 diff -N -u dev/pci/ahci.c
 --- dev/pci/ahci.c21 Jan 2010 10:16:44 -  1.158
 +++ dev/pci/ahci.c29 Jan 2010 19:11:12 -
 @@ -442,6 +442,8 @@

   { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_82801H_RAID,
   NULL,   NULL },
 + { PCI_VENDOR_INTEL, PCI_PRODUCT_INTEL_82801HBM_SATA,
 + NULL,   NULL },

   { PCI_VENDOR_NVIDIA,PCI_PRODUCT_NVIDIA_MCP65_AHCI_2,
   NULL,   ahci_nvidia_mcp_attach },
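Review bot: the added `PCI_PRODUCT_INTEL_82801HBM_SATA` entry carries `NULL, NULL` for its match and attach callbacks, copying the neighbouring `82801H_RAID` entry, which means ahci will claim this PCI ID on sight without checking that the controller is actually presenting an AHCI register set. Unlike the RAID ID, this is the ID the same controller presents in plain IDE mode, which is how the dmesg earlier in this page shows it attaching (`pciide1 at pci0 dev 31 function 2 Intel 82801HBM SATA ... native-PCI`), and the tester's report that the patched kernel hangs at the SSD detection line is consistent with ahci attaching to a controller whose AHCI mode was never enabled. Suggest supplying a match callback that accepts the device only when the programming interface (or the ABAR) indicates AHCI, rather than `NULL`, and documenting in the commit message that the entry is a forced-AHCI quirk for this machine rather than a generic ID addition.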



MacBook Air SSD not found

2010-01-29 Thread Pete Vickers
Hi,

neither 4.6 nor a 4.7 snapshot finds the SSD HDD in my macbook air. These dmesg
entries are about as far as it gets:

pciide0 at pci0 dev 31 function 1 Intel 82801HBM IDE rev 0x03: DMA, channel
0 configured to native-PCI, channel 1 configured to native-PCI
pciide0: channel 0 disabled (no drives)
pciide0: channel 1 disabled (no drives)
pciide1 at pci0 dev 31 function 2 Intel 82801HBM SATA rev 0x03: DMA, channel
0 configured to native-PCI, channel 1 configured to native-PCI
pciide1: using apic 1 int 18 (irq 5) for native-PCI interrupt


anyone any ideas ?


full dmesg below


/Pete


OpenBSD 4.7-beta (RAMDISK_CD) #314: Wed Jan 27 19:36:45 MST 2010
t...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/RAMDISK_CD
cpu0: Intel(R) Core(TM)2 Duo CPU P7700 @ 1.80GHz (GenuineIntel 686-class)
1.80 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,
xTPR
real mem  = 2104373248 (2006MB)
avail mem = 2032103424 (1937MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 07/29/05, SMBIOS rev. 2.4 @ 0xe (39
entries)
bios0: vendor Apple Inc. version MBA11.88Z.00BB.B03.0803171226 date
03/17/08
bios0: Apple Inc. MacBookAir1,1
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP HPET APIC MCFG ASF! SBST ECDT SSDT SSDT SSDT SSDT
SSDT
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 199MHz
cpu at mainbus0: not configured
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 1
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 2 (RP05)
acpiprt2 at acpi0: bus 3 (PCIB)
bios0: ROM list: 0xc/0xee00!
memory map conflict 0xf00f8000/0x1000
memory map conflict 0xfed1c000/0x4000
memory map conflict 0xfffa/0x3
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel GM965 Host rev 0x03
vga1 at pci0 dev 2 function 0 Intel GM965 Video rev 0x03
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
Intel GM965 Video rev 0x03 at pci0 dev 2 function 1 not configured
uhci0 at pci0 dev 26 function 0 Intel 82801H USB rev 0x03: apic 1 int 20
(irq 10)
uhci1 at pci0 dev 26 function 1 Intel 82801H USB rev 0x03: apic 1 int 16
(irq 11)
ehci0 at pci0 dev 26 function 7 Intel 82801H USB rev 0x03: apic 1 int 21
(irq 9)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
Intel 82801H HD Audio rev 0x03 at pci0 dev 27 function 0 not configured
ppb0 at pci0 dev 28 function 0 Intel 82801H PCIE rev 0x03: apic 1 int 16
(irq 255)
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 4 Intel 82801H PCIE rev 0x03: apic 1 int 16
(irq 255)
pci2 at ppb1 bus 2
Broadcom BCM4321 rev 0x05 at pci2 dev 0 function 0 not configured
uhci2 at pci0 dev 29 function 0 Intel 82801H USB rev 0x03: apic 1 int 16
(irq 11)
uhci3 at pci0 dev 29 function 1 Intel 82801H USB rev 0x03: apic 1 int 18
(irq 5)
uhci4 at pci0 dev 29 function 2 Intel 82801H USB rev 0x03: apic 1 int 21
(irq 9)
ehci1 at pci0 dev 29 function 7 Intel 82801H USB rev 0x03: apic 1 int 20
(irq 10)
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb2 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0xf3
pci3 at ppb2 bus 3
ichpcib0 at pci0 dev 31 function 0 Intel 82801HBM LPC rev 0x03: PM disabled
pciide0 at pci0 dev 31 function 1 Intel 82801HBM IDE rev 0x03: DMA, channel
0 configured to native-PCI, channel 1 configured to native-PCI
pciide0: channel 0 disabled (no drives)
pciide0: channel 1 disabled (no drives)
pciide1 at pci0 dev 31 function 2 Intel 82801HBM SATA rev 0x03: DMA, channel
0 configured to native-PCI, channel 1 configured to native-PCI
pciide1: using apic 1 int 18 (irq 5) for native-PCI interrupt
Intel 82801H SMBus rev 0x03 at pci0 dev 31 function 3 not configured
usb2 at uhci0: USB revision 1.0
uhub2 at usb2 Intel UHCI root hub rev 1.00/1.00 addr 1
usb3 at uhci1: USB revision 1.0
uhub3 at usb3 Intel UHCI root hub rev 1.00/1.00 addr 1
usb4 at uhci2: USB revision 1.0
uhub4 at usb4 Intel UHCI root hub rev 1.00/1.00 addr 1
usb5 at uhci3: USB revision 1.0
uhub5 at usb5 Intel UHCI root hub rev 1.00/1.00 addr 1
usb6 at uhci4: USB revision 1.0
uhub6 at usb6 Intel UHCI root hub rev 1.00/1.00 addr 1
isa0 at ichpcib0
isadma0 at isa0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
rd0: fixed, 3800 blocks
umass0 at uhub1 port 1 configuration 1 interface 0 Apple Inc. MacBook Air
SuperDrive rev 2.00/12.21 addr 2
umass0: using SCSI over Bulk-Only
scsibus0 at umass0: 2 targets, initiator 0
cd0 at scsibus0 targ 1 lun 0: OPTIARC, DVD RW AD-5630A, 1CHQ SCSI0 5/cdrom
removable
Apple Inc. Built-in iSight rev 2.00/1.89 addr 3 at uhub1 port 4 not
configured
uhub7 at uhub4 port 2 Apple Inc. BRCM2046 Hub rev 2.00/1.00 addr 2
uhidev0 at uhub6 port 1 configuration 1 interface 0 Apple Computer, Inc. IR
Receiver rev 2.00/0.16 addr 2
uhidev0: iclass 3/0, 

Re: Which laptops do the developers use?

2010-01-18 Thread Pete Vickers
My MacBookPro with a recent snapshot works pretty well:


# sysctl hw.product
hw.product=MacBookPro2,2

# ifconfig athn0
athn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:19:e3:d9:96:9b
priority: 4
groups: wlan egress
media: IEEE802.11 autoselect (OFDM54 mode 11g)
status: active
ieee80211: nwid  chan 10 bssid 00:23:04:c9:7f:60 41dB wpapsk
0x wpaprotos wpa1,wpa2 wpaakms psk wpaciphers tkip,ccmp wpagroupcipher
tkip
inet6 fe80::219:e3ff:fed9:969b%athn0 prefixlen 64 scopeid 0x2
inet 192.0.2.160 netmask 0xff00 broadcast 192.0.2.255

(sometimes takes a couple of ifconfig up/down to wake up)


startx works perfectly at full resolution:

# grep -i xres  /var/log/Xorg.0.log
XRes: 1440, YRes: 900, DotClock: 96310


/Pete






# cat /var/run/dmesg.boot
OpenBSD 4.6-current (GENERIC.MP) #391: Fri Jan 15 14:55:45 MST 2010
t...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Core(TM)2 CPU T7600 @ 2.33GHz (GenuineIntel 686-class) 2.33
GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,
xTPR
real mem  = 2131234816 (2032MB)
avail mem = 2056310784 (1961MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 07/29/05, SMBIOS rev. 2.4 @ 0xe (40
entries)
bios0: vendor Apple Inc. version MBP22.88Z.00A5.B07.0708131242 date
08/13/07
bios0: Apple Computer, Inc. MacBookPro2,2
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP HPET APIC MCFG ASF! SBST ECDT SSDT SSDT SSDT
acpi0: wakeup devices ADP1(S3) LID0(S3) PXS1(S4) PXS2(S4) USB1(S3) USB2(S3)
USB3(S3) USB4(S3) USB7(S3) EC__(S3)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 166MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM)2 CPU T7600 @ 2.33GHz (GenuineIntel 686-class) 2.33
GHz
cpu1:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,
xTPR
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 1
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (PEGP)
acpiprt2 at acpi0: bus 2 (RP01)
acpiprt3 at acpi0: bus 3 (RP02)
acpiprt4 at acpi0: bus 4 (RP03)
acpiprt5 at acpi0: bus 12 (PCIB)
acpiec0 at acpi0
acpicpu0 at acpi0: C3, C2, C1, PSS
acpicpu1 at acpi0: C3, C2, C1, PSS
acpiac0 at acpi0: AC unit online
acpibtn0 at acpi0: LID0
acpibtn1 at acpi0: PWRB
acpibtn2 at acpi0: SLPB
acpibat0 at acpi0: BAT0 model 14127832176087873 type 14127832377542988 oem
14127833101004627
acpivideo0 at acpi0: GFX0
acpivout0 at acpivideo0: DD01
acpivout1 at acpivideo0: DD02
acpivout2 at acpivideo0: DD03
acpivout3 at acpivideo0: DD04
acpivout4 at acpivideo0: DD05
bios0: ROM list: 0xc/0xfa00
cpu0: Enhanced SpeedStep 2328 MHz: speeds: 2333, 2167, 2000, 1833, 1667, 1500,
1333, 1000 MHz
memory map conflict 0x7ff0/0x10
memory map conflict 0xf00f8000/0x1000
memory map conflict 0xfed1c000/0x4000
memory map conflict 0xfffb/0x3
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 82945GM Host rev 0x03
ppb0 at pci0 dev 1 function 0 Intel 82945GM PCIE rev 0x03: apic 1 int 16
(irq 11)
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 ATI Radeon Mobility X1600 rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
radeondrm0 at vga1: apic 1 int 16 (irq 11)
drm0 at radeondrm0
vendor Intel, unknown product 0x27a3 (class DASP subclass Time and
Frequency, rev 0x03) at pci0 dev 7 function 0 not configured
azalia0 at pci0 dev 27 function 0 Intel 82801GB HD Audio rev 0x02: apic 1
int 22 (irq 10)
azalia0: codecs: Sigmatel STAC9220/1
audio0 at azalia0
ppb1 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x02: apic 1 int 17
(irq 11)
pci2 at ppb1 bus 2
mskc0 at pci2 dev 0 function 0 Marvell Yukon 88E8053 rev 0x22, Yukon-2 EC
rev. A3 (0x2): apic 1 int 16 (irq 11)
msk0 at mskc0 port A: address 00:17:f2:d8:f0:8d
eephy0 at msk0 phy 0: 88E Gigabit PHY, rev. 2
ppb2 at pci0 dev 28 function 1 Intel 82801GB PCIE rev 0x02: apic 1 int 16
(irq 11)
pci3 at ppb2 bus 3
athn0 at pci3 dev 0 function 0 Atheros AR5418 rev 0x01: apic 1 int 17 (irq
10), address 00:19:e3:d9:96:9b
athn0: MAC AR5418 rev 2, RF AR5133 (2T3R), ROM rev 4
ppb3 at pci0 dev 28 function 2 Intel 82801GB PCIE rev 0x02: apic 1 int 18
(irq 11)
pci4 at ppb3 bus 4
uhci0 at pci0 dev 29 function 0 Intel 82801GB USB rev 0x02: apic 1 int 23
(irq 11)
uhci1 at pci0 dev 29 function 1 Intel 82801GB USB rev 0x02: apic 1 int 19
(irq 11)
uhci2 at pci0 dev 29 function 2 Intel 82801GB USB rev 0x02: apic 1 int 18
(irq 11)
uhci3 at pci0 dev 29 function 3 Intel 82801GB USB rev 0x02: apic 1 int 16
(irq 

mute CARP with i368/4.6 on HP ProLiant DL380 G5

2010-01-12 Thread Pete Vickers
Hi,

Whilst setting up an H/A service on a pair of RELEASE4.6/i386 (+ bind/ssl
patches) machines, I observe that both become carp master concurrently.
Debugging shows that the carp master does not appear to transmit carp
announcements:


r...@gins0 ~tcpdump -i bnx0 -n proto carp
tcpdump: listening on bnx0, link-type EN10MB
^C [after 30 seconds]
16 packets received by filter
0 packets dropped by kernel
r...@gins0 ~


anyone any ideas ? (all other comms work fine over the link e.g. SSH, DNS,
ping etc.)



relevant config & dmesg follows:

s/123.456/my.correct.prefix/

r...@gins0 ~cat /etc/hostname.bnx0
inet 123.456.250.16 255.255.255.128

r...@gins0 ~cat /etc/hostname.carp0
inet 123.456.250.18 255.255.255.128
vhid 1 advskew 100 carpdev bnx0
description *** Gi NS H/A ***

r...@gins0 ~ifconfig bnx0
bnx0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu
1500
lladdr 00:1e:0b:bd:fa:12
priority: 0
groups: egress
media: Ethernet autoselect (1000baseT full-duplex)
status: active
inet 123.456.250.16 netmask 0xff80 broadcast 123.456.250.127
inet6 fe80::21e:bff:febd:fa12%bnx0 prefixlen 64 scopeid 0x3

r...@gins0 ~ifconfig carp0
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:5e:00:01:01
description: *** Gi NS H/A ***
priority: 0
carp: MASTER carpdev bnx0 vhid 1 advbase 1 advskew 100
groups: carp
inet 123.456.250.18 netmask 0xff80 broadcast 123.456.250.127
inet6 fe80::200:5eff:fe00:101%carp0 prefixlen 64 scopeid 0x5



dmesg:



r...@gins0 ~cat /var/run/dmesg.boot
OpenBSD 4.6 (GENERIC) #0: Thu Jan 24 03:03:58 CET 2008
r...@gins0:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(R) CPU E5440 @ 2.83GHz (GenuineIntel 686-class) 2.84
GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,
xTPR
real mem  = 3487485952 (3325MB)
avail mem = 3382898688 (3226MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf,
SMBIOS rev. 2.4 @ 0xee000 (71 entries)
bios0: vendor HP version P56 date 01/24/2008
bios0: HP ProLiant DL380 G5
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP SPCR MCFG HPET SPMI ERST APIC  BERT HEST
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 333MHz
cpu at mainbus0: not configured
cpu at mainbus0: not configured
cpu at mainbus0: not configured
ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 24 pins
acpimadt0: unknown apic structure type ff
acpiprt0 at acpi0: bus 1 (IP2P)
acpiprt1 at acpi0: bus 2 (IPTA)
acpiprt2 at acpi0: bus 4 (IPTB)
acpiprt3 at acpi0: bus 11 (IPE1)
acpiprt4 at acpi0: bus 14 (IPE2)
acpiprt5 at acpi0: bus 17 (IPE3)
acpiprt6 at acpi0: bus 10 (IPE4)
acpiprt7 at acpi0: bus 9 (PT02)
acpiprt8 at acpi0: bus 6 (PT03)
acpiprt9 at acpi0: bus 19 (PT04)
acpiprt10 at acpi0: bus 23 (PT06)
acpiprt11 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0
acpitz0 at acpi0: critical temperature 31 degC
bios0: ROM list: 0xc/0xb000 0xcc400/0x4000! 0xd0400/0x1800
0xe6000/0x2000!
ipmi at mainbus0 not configured
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 5000P Host rev 0xb1
ppb0 at pci0 dev 2 function 0 Intel 5000 PCIE rev 0xb1
pci1 at ppb0 bus 9
ppb1 at pci1 dev 0 function 0 Intel 6321ESB PCIE rev 0x01
pci2 at ppb1 bus 10
ppb2 at pci2 dev 0 function 0 Intel 6321ESB PCIE rev 0x01
pci3 at ppb2 bus 11
ppb3 at pci2 dev 1 function 0 Intel 6321ESB PCIE rev 0x01
pci4 at ppb3 bus 14
ppb4 at pci2 dev 2 function 0 Intel 6321ESB PCIE rev 0x01
pci5 at ppb4 bus 17
ppb5 at pci1 dev 0 function 3 Intel 6321ESB PCIE-PCIX rev 0x01
pci6 at ppb5 bus 18
ppb6 at pci0 dev 3 function 0 Intel 5000 PCIE rev 0xb1
pci7 at ppb6 bus 6
ciss0 at pci7 dev 0 function 0 Hewlett-Packard Smart Array rev 0x03: apic 8
int 18 (irq 10)
ciss0: 1 LD, HW rev 3, FW 4.12/4.12, 64bit fifo
scsibus0 at ciss0: 1 targets
sd0 at scsibus0 targ 0 lun 0: HP, LOGICAL VOLUME, 4.12 SCSI3 0/direct fixed
sd0: 139979MB, 512 bytes/sec, 286677120 sec total
ppb7 at pci0 dev 4 function 0 Intel 5000 PCIE x8 rev 0xb1
pci8 at ppb7 bus 19
ppb8 at pci0 dev 5 function 0 Intel 5000 PCIE rev 0xb1
pci9 at ppb8 bus 22
ppb9 at pci0 dev 6 function 0 Intel 5000 PCIE x8 rev 0xb1
pci10 at ppb9 bus 23
ppb10 at pci0 dev 7 function 0 Intel 5000 PCIE rev 0xb1
pci11 at ppb10 bus 26
pchb1 at pci0 dev 16 function 0 Intel 5000 Error Reporting rev 0xb1
pchb2 at pci0 dev 16 function 1 Intel 5000 Error Reporting rev 0xb1
pchb3 at pci0 dev 16 function 2 Intel 5000 Error Reporting rev 0xb1
pchb4 at pci0 dev 17 function 0 Intel 5000 Reserved rev 0xb1
pchb5 at pci0 dev 19 function 0 Intel 5000 Reserved rev 0xb1
pchb6 at pci0 dev 21 function 0 Intel 5000 FBD rev 0xb1
pchb7 at pci0 

Re: mute CARP with i368/4.6 on HP ProLiant DL380 G5

2010-01-12 Thread Pete Vickers
Hi,

r...@gins0 ~grep pf /etc/rc.conf.local
pf=NO   # Packet filter / NAT


switches are fine, and couldn't affect outgoing packets anyway.

/Pete


On 12. jan. 2010, at 12.55, Rogier Krieger wrote:

 On Tue, Jan 12, 2010 at 12:14, Pete Vickers p...@systemnet.no wrote:
 Debugging shows that the carp master does not appear to transmit carp
 announcements:

 Neither does it seem to receive any announcements. A silly question,
 are you blocking CARP advertisements on the interfaces? Since a
 pf.conf output appears to be missing, that may be the issue.

 Another cause may be present in switches; on some of our older Cisco
 equipment a configuration with port security (if memory serves) caused
 us trouble. Try if a direct cable or dumb switch/hub lets packets flow
 if PF is not the source of the problem.

 All that is assuming that the basics were set up properly.

 Hope that helps,

 Rogier

 --
 If you don't know where you're going, any road will get you there.



Re: mute CARP with i368/4.6 on HP ProLiant DL380 G5

2010-01-12 Thread Pete Vickers
This is with the other machine powered off, so its config is irrelevant.






Den 12. jan. 2010 kl. 17.08 skrev Ben Calvert b...@flyingwalrus.net:


pete -

pls send /etc/hostname.carp0 from the other machine.

On Jan 12, 2010, at 3:14 AM, Pete Vickers wrote:


Hi,

Whilst setting up an H/A service on a pair of RELEASE4.6/i386 (+ bind/ssl
patches) machines, I observe that both become carp master concurrently.

Debugging shows that the carp master does not appear to transmit carp
announcements:


r...@gins0 ~tcpdump -i bnx0 -n proto carp
tcpdump: listening on bnx0, link-type EN10MB
^C [after 30 seconds]
16 packets received by filter
0 packets dropped by kernel
r...@gins0 ~


anyone any ideas ? (all other comms work fine over the link e.g. SSH, DNS,
ping etc.)



relevant config & dmesg follows:

s/123.456/my.correct.prefix/

r...@gins0 ~cat /etc/hostname.bnx0
inet 123.456.250.16 255.255.255.128

r...@gins0 ~cat /etc/hostname.carp0
inet 123.456.250.18 255.255.255.128
vhid 1 advskew 100 carpdev bnx0
description *** Gi NS H/A ***

r...@gins0 ~ifconfig bnx0
bnx0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu
1500
  lladdr 00:1e:0b:bd:fa:12
  priority: 0
  groups: egress
  media: Ethernet autoselect (1000baseT full-duplex)
  status: active
  inet 123.456.250.16 netmask 0xff80 broadcast 123.456.250.127
  inet6 fe80::21e:bff:febd:fa12%bnx0 prefixlen 64 scopeid 0x3

r...@gins0 ~ifconfig carp0
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
  lladdr 00:00:5e:00:01:01
  description: *** Gi NS H/A ***
  priority: 0
  carp: MASTER carpdev bnx0 vhid 1 advbase 1 advskew 100
  groups: carp
  inet 123.456.250.18 netmask 0xff80 broadcast 123.456.250.127
  inet6 fe80::200:5eff:fe00:101%carp0 prefixlen 64 scopeid 0x5



dmesg:



r...@gins0 ~cat /var/run/dmesg.boot
OpenBSD 4.6 (GENERIC) #0: Thu Jan 24 03:03:58 CET 2008
  r...@gins0:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(R) CPU E5440 @ 2.83GHz (GenuineIntel 686-class) 2.84
GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,EST,TM2,CX16,
xTPR
real mem  = 3487485952 (3325MB)
avail mem = 3382898688 (3226MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/31/99, BIOS32 rev. 0 @ 0xf,
SMBIOS rev. 2.4 @ 0xee000 (71 entries)
bios0: vendor HP version P56 date 01/24/2008
bios0: HP ProLiant DL380 G5
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP SPCR MCFG HPET SPMI ERST APIC  BERT HEST
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 333MHz
cpu at mainbus0: not configured
cpu at mainbus0: not configured
cpu at mainbus0: not configured
ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 24 pins
acpimadt0: unknown apic structure type ff
acpiprt0 at acpi0: bus 1 (IP2P)
acpiprt1 at acpi0: bus 2 (IPTA)
acpiprt2 at acpi0: bus 4 (IPTB)
acpiprt3 at acpi0: bus 11 (IPE1)
acpiprt4 at acpi0: bus 14 (IPE2)
acpiprt5 at acpi0: bus 17 (IPE3)
acpiprt6 at acpi0: bus 10 (IPE4)
acpiprt7 at acpi0: bus 9 (PT02)
acpiprt8 at acpi0: bus 6 (PT03)
acpiprt9 at acpi0: bus 19 (PT04)
acpiprt10 at acpi0: bus 23 (PT06)
acpiprt11 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0
acpitz0 at acpi0: critical temperature 31 degC
bios0: ROM list: 0xc/0xb000 0xcc400/0x4000! 0xd0400/0x1800
0xe6000/0x2000!
ipmi at mainbus0 not configured
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 5000P Host rev 0xb1
ppb0 at pci0 dev 2 function 0 Intel 5000 PCIE rev 0xb1
pci1 at ppb0 bus 9
ppb1 at pci1 dev 0 function 0 Intel 6321ESB PCIE rev 0x01
pci2 at ppb1 bus 10
ppb2 at pci2 dev 0 function 0 Intel 6321ESB PCIE rev 0x01
pci3 at ppb2 bus 11
ppb3 at pci2 dev 1 function 0 Intel 6321ESB PCIE rev 0x01
pci4 at ppb3 bus 14
ppb4 at pci2 dev 2 function 0 Intel 6321ESB PCIE rev 0x01
pci5 at ppb4 bus 17
ppb5 at pci1 dev 0 function 3 Intel 6321ESB PCIE-PCIX rev 0x01
pci6 at ppb5 bus 18
ppb6 at pci0 dev 3 function 0 Intel 5000 PCIE rev 0xb1
pci7 at ppb6 bus 6
ciss0 at pci7 dev 0 function 0 Hewlett-Packard Smart Array rev 0x03: apic 8
int 18 (irq 10)
ciss0: 1 LD, HW rev 3, FW 4.12/4.12, 64bit fifo
scsibus0 at ciss0: 1 targets
sd0 at scsibus0 targ 0 lun 0: HP, LOGICAL VOLUME, 4.12 SCSI3 0/direct fixed
ppb7 at pci0 dev 4 function 0 Intel 5000 PCIE x8 rev 0xb1
pci8 at ppb7 bus 19
ppb8 at pci0 dev 5 function 0 Intel 5000 PCIE rev 0xb1
pci9 at ppb8 bus 22
ppb9 at pci0 dev 6 function 0 Intel 5000 PCIE x8 rev 0xb1
pci10 at ppb9 bus 23
ppb10 at pci0 dev 7 function 0 Intel 5000 PCIE rev 0xb1
pci11 at ppb10 bus 26
pchb1 at pci0 dev 16 function 0 Intel 5000 Error Reporting rev 0xb1
pchb2 at pci0 dev 16 function 1 Intel 5000 Error

Re: how to fresh raidframe install on an already raidframe system?

2010-01-04 Thread Pete Vickers
you don't really need to soft raid the boot partition, since you can just put
it on both physical disks, and set the system to boot from either, with
something like this:


ok setenv boot-device disk0 disk1


/pete



On 3. jan. 2010, at 18.03, Kent Watsen wrote:

 Hi,

 I have a Netra T1 (sparc64) running 3.9 with raidframe on root.  Being such
an old system, I decided to do a fresh install, so I boot the 4.6 cdrom and
install the system on the first disk (sd0).  Rebooting again brings the 4.6 up
fine so I compile and install a new raidframe-enabled kernel.  Rebooting again
produces many core dumps - `uname -a` says 4.6, but the filesystem is from the
old 3.9 raid - the new raidframe kernel must have found the raid set on the
2nd disk.  Physically ejecting the second disk (sd1) and rebooting gives a
clean boot, but now, of course, I don't have the second disk to install the
raid set on...

 What do other people do?  - rewrite the disklabel on the second disk so
raidframe won't try to use the 2nd disk? - put a new/temporary /etc/raid0.conf
file to configure raidframe to ignore the 2nd disk?  Is it even possible to
compile/install 4.6 on top of a raidframe set avoiding the need to reconfigure
it at all?

PS: I looked into softraid for a while, as it's recommended in FAQ 14, before
realizing that it didn't support raid on the root disk.  This was especially
confusing as its man page lists softraid0 at root while not specifically
saying that it doesn't support raiding the /root disk.  Maybe the FAQ and man
page could be more clear on these points?


 Thanks,
 Kent



HP IPMI

2009-12-17 Thread Pete Vickers

Hi,

I have an HP (Compaq) ProLiant DL380 G5 which, according to dmesg, incorporates IPMI.


# grep IPMI /var/run/dmesg.boot
Hewlett-Packard IPMI rev 0x00 at pci16 dev 4 function 6 not configured

# pcidump -v 1:4:6
Domain /dev/pci:
 1:4:6: Hewlett-Packard IPMI
0x: Vendor ID: 103c Product ID: 3302
0x0004: Command: 0002 Status ID: 0290
0x0008: Class: 0c Subclass: 07 Interface: 01 Revision: 00
0x000c: BIST: 00 Header Type: 80 Latency Timer: 00 Cache Line Size: 00

0x0010: BAR mem 32bit addr: 0xf7ef
0x0014: BAR empty ()
0x0018: BAR empty ()
0x001c: BAR empty ()
0x0020: BAR empty ()
0x0024: BAR empty ()
0x0028: Cardbus CIS: 
0x002c: Subsystem Vendor ID: 103c Product ID: 3305
0x0030: Expansion ROM Base Address: 
0x0038: 
0x003c: Interrupt Pin: 01 Line: 05 Min Gnt: 00 Max Lat: 00
0x00f0: Capability 0x01: Power Management


Is the IPMI abstraction (mentioned in ipmi(4)) such that support for additional devices is little more than adding the PCI vendor/product id to the attach code? Or is it a proprietary interface?


/Pete


# sysctl hw
hw.machine=i386
hw.model=Intel(R) Xeon(R) CPU E5440 @ 2.83GHz (GenuineIntel 686-class)
hw.ncpu=1
hw.byteorder=1234
hw.pagesize=4096
hw.disknames=sd0,cd0
hw.diskcount=2
hw.sensors.acpitz0.temp0=8.30 degC (zone temperature)
hw.sensors.cpu0.temp0=38.00 degC
hw.sensors.ciss0.drive0=online (sd0), OK
hw.cpuspeed=2834
hw.vendor=HP
hw.product=ProLiant DL380 G5
hw.serialno=CZC8100BSS
hw.uuid=34353835-3633-435a-4338-313030425353
hw.physmem=3487485952
hw.usermem=3487473664

(entire dmesg already forwarded to dmesg@ )



Re: bgpd help!!

2009-12-16 Thread Pete Vickers
How about aggregation? That's a nice knob to have (I use it quite often). The atomic-aggregate option could be used legitimately (see RFC4271) to hide an (RFC1918) AS in some circumstances.



/Pete




On 16. des.. 2009, at 10.29, Claudio Jeker wrote:


On Wed, Dec 16, 2009 at 09:55:40AM +0100, Henning Brauer wrote:

* Stuart Henderson s...@spacehopper.org [2009-12-16 02:31]:

On 2009-12-16, Doran Mori dhm...@gmail.com wrote:

Have you tried looking at the filter rules in bgpd.conf(5)?

Off the top of my head something like:
 deny to isp ip { AS 65xxx }


the OP is probably looking for something that strips private AS out
of the path, but still advertises them, which isn't supported.


we really gotta fix that.



I'm not a big fan of molesting AS paths. This cries for doom in a way
only Bob may find the right words for. Blocking sure, reannouncing with a
new path maybe, but just removing AS from paths is evil and the routing
loop fairy will come to you and sprinkle your network with its magic
powder.

Do we need to add every stupid button a cizzcoee has?
--
:wq Claudio




Re: bgpd help!!

2009-12-16 Thread Pete Vickers

On 16. des.. 2009, at 22.36, Martin Hein wrote:


On Wed, 16 Dec 2009 11:19:33 -0700
Andy Nguyen andy.ngu...@cityofthornton.net wrote:

If I configure community as Martin
suggested this will also take out the path to my network.  Thanks.


If your real AS is transit only for your prefix it won't work.

Your real AS should announce your prefix. The private AS should announce
subnets of the prefix.

I do it all the time.

/Martin




doing that may black hole traffic upon public AS -- private AS connectivity issues.  I prefer conditional advertisement achieved by aggregation.


/Pete



X default setting

2009-11-19 Thread Pete Vickers

Hi,

Having just installed 4.6 on my sunblade100 I'm truly very impressed by the recent advances in OpenBSD's X implementation - after a very rapid run through the improved install script, X started flawlessly with a usable (and accelerated) session. The automatic correct keyboard layout is just the icing on the cake :-)


There is just one thing I did to sanitise the config, however. I realise everyone has their own preferences, and don't want to start a religious X war, but how about adding the following:


in /etc/X11/xdm/Xsetup_0 a line "xsetroot -solid gray" above the xconsole entry ?


( or is there a better place or way to prevent the eye ache of the default X background ? )




/Pete



Re: X default setting

2009-11-19 Thread Pete Vickers
someone else also just pointed out the diagnostic properties of eye ache pattern off-list too.

So I guess it's  ~/.xinitrc in site.tgz for me then.

/Pete



On 19. nov.. 2009, at 21.24, J.C. Roberts wrote:



As long as you promise not to hate me for taking the other side of
things, the default background in X is actually important. It's called
the root weave and there are a few similar important backgrounds which
are at least equally displeasing, if not more so. The reason why they
are important is because they make it extremely easy for you to
visually detect problems in your screen output. --It might be ugly, but
regularly appreciating ugly has many benefits.

Let's say you fumble-finger an xrandr(1) command and change your display
settings to something that might damage your display. Having the root
weave visible might just save you the expense of replacing your monitor.


If you do insist on changing it, use the ~/.xinitrc for your user rather
than making a system-wide change.

--
J.C. Roberts




Re: help please, my real memory is disappearing

2009-11-17 Thread Pete Vickers
alternatively you could run/spawn ftpd from inetd, which will presumably mean that all the resources will be 'returned' as soon as the connection closes. However, there's a significant performance hit on a busy ftp server.


/Pete



On 17. nov.. 2009, at 10.25, Artur Grabowski wrote:


MK pub...@kubikcz.net writes:


1. Is it normal that memory is not freed after I kill ftpd daemon?


yes. because the ftp daemon didn't allocate it.

2. Is it normal ftpd can take about 800MB of real memory while serving
GET requests? (only 1 client is able to consume that portion of
memory)


If you serve 800MB of file data through ftpd then yes.


3. Is it normal that this memory seems to be lost from the system?


yes. The keyword here is seems.

The memory is used for caching the file contents in case you decide to
read those files again. It's reused for more useful things when it's
needed.

//art



Pete Vickers

p...@systemnet.no |  +47 48 17 91 00

SystemNet AS



Re: help please, my real memory is disappearing

2009-11-17 Thread Pete Vickers
You're right, I should have read the email more carefully / drank more coffee.


/Pete





On 17. nov.. 2009, at 13.11, Artur Grabowski wrote:


No. It will not solve any problem (ignoring that there was no problem
in the first place).

//art

Pete Vickers p...@systemnet.no writes:


alternatively you could run/spawn ftpd from inetd, which will
presumably mean that all the resources will be 'returned' as soon as
the connection closes. However significant performance hit on a busy
ftp server.

/Pete



On 17. nov.. 2009, at 10.25, Artur Grabowski wrote:


MK pub...@kubikcz.net writes:


1. Is it normal that memory is not freed after I kill ftpd daemon?


yes. because the ftp daemon didn't allocate it.


2. Is it normal ftpd can take about 800MB of real memory while serving
GET requests? (only 1 client is able to consume that portion of
memory)


If you serve 800MB of file data through ftpd then yes.


3. Is it normal that this memory seems to be lost from the system?


yes. The keyword here is seems.

The memory is used for caching the file contents in case you decide to
read those files again. It's reused for more useful things when it's
needed.

//art



Pete Vickers

p...@systemnet.no |  +47 48 17 91 00

SystemNet AS




perf problems with 4.6/i386 bsd.sp squid-2.7.STABLE6 from packages

2009-11-12 Thread Pete Vickers

Hi,

I have performance problems on the above platform. After some time the proxy runs very slowly, and the console becomes slow to respond.  No observable difference between bsd.sp or bsd.mp.
See tweaks applied below. Since I've tried without them first, but e.g. squid exhausted filedescriptors, replies with 'don't do that' are not as useful as 'try this instead' or 'debugging suggestions...' ;-)
Appears to be neither disk I/O nor CPU bound, and buffer utilisation appears normal too.



H/W: HP DL360 G4p with a single fibre NIC (em) in use.
S/W OpenBSD 4.6/i386 bsd.sp from CD,  squid-2.7.STABLE6 from packages.


r...@proxy-s ~tail /etc/sysctl.conf
...
net.inet.tcp.ecn=1
net.inet.ip.ifq.maxlen=512
net.inet.tcp.ackonpush=1
net.inet.tcp.recvspace=262144
net.inet.tcp.sendspace=262144
net.inet.udp.recvspace=262144
net.inet.udp.sendspace=262144
kern.maxfiles=8192



r...@proxy-s ~more /etc/login.conf
...
daemon:\
:ignorenologin:\
:datasize=infinity:\
:maxproc=infinity:\
:openfiles=2448:\
:stacksize=8M:\
:localcipher=blowfish,8:\
:tc=default:
...



r...@proxy-s ~head /etc/squid/squid.conf
...
max_filedescriptors 2048
cache_mem 384 MB
cache_dir ufs /var/squid/cache 12048 16 256
...




r...@proxy-s ~netstat -m
4172 mbufs in use:
1201 mbufs allocated to data
2966 mbufs allocated to packet headers
5 mbufs allocated to socket names and addresses
915/2266/6144 mbuf 2048 byte clusters in use (current/peak/max)
0/8/6144 mbuf 4096 byte clusters in use (current/peak/max)
0/8/6144 mbuf 8192 byte clusters in use (current/peak/max)
0/8/6144 mbuf 9216 byte clusters in use (current/peak/max)
0/8/6144 mbuf 12288 byte clusters in use (current/peak/max)
0/8/6144 mbuf 16384 byte clusters in use (current/peak/max)
0/8/6144 mbuf 65536 byte clusters in use (current/peak/max)
6208 Kbytes allocated to network (46% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines





r...@proxy-s ~top | head
load averages:  1.10,  1.55,  1.66    10:58:24
38 processes:  37 idle, 1 on processor
CPU states:  1.0% user,  0.0% nice,  1.3% system,  1.1% interrupt, 96.6% idle

Memory: Real: 960M/1214M act/tot  Free: 794M  Swap: 0K/2052M used/tot

  PID USERNAME PRI NICE  SIZE   RES STATE WAIT     TIME    CPU COMMAND
20479 _squid-50  950M  949M sleep biowait  20:11  6.30% squid
 5193 _squid-60  228K  540K sleep piperd    0:12  0.00% unlinkd
11123 _snmpd 20  548K 1008K sleep kqread    0:00  0.00% snmpd
  276 root   20  984K 1728K sleep select    0:00  0.00% sendmail





r...@proxy-s ~systat vmstat


   1 usersLoad 1.50 1.88 1.78  Thu Nov 12  
10:55:40 2009


memory totals (in KB)PAGING   SWAPPING  
Interrupts
   real   virtual free   in  out   in  out  
2013 total
Active   982620982620   809216   ops 
100 clock
All 1247164   1247164  2910412   pages  
1856 em0
  
57 ciss0

Proc:r  d  s  wCsw   Trp   Sys   Int   Sof  Flt   forks
1 18  1025 5  8876  1913   102   36   fkppw
  fksvm
   3.4%Int   4.0%Sys   3.0%Usr   0.0%Nic  89.6%Idle   pwait
|||||||||||   relck
||== rlkok
  noram
Namei Sys-cacheProc-cacheNo-cache   1 ndcpy
Calls hits%hits %miss   % fltcp
  399  341   8556  14   2 zfod
  cow
Disks   sd0   cd0   fd0 17136 fmin
seeks   22848 ftarg
xfers57   itarg
speed  579K 1 wired
  sec   0.3   pdfre
  pdscn
  pzidle
  112 kmapent





r...@proxy-s ~netstat -iI em0 | egrep Name|Link
Name  Mtu   Network Address            Ipkts    Ierrs Opkts    Oerrs Colls
em0   1500  Link    00:11:0a:57:0f:4c  33078650 0     40412499 0     0



###
Squid stats (after 8 hours of traffic) :

Squid Object Cache: Version 2.7.STABLE6
Start Time: Wed, 11 Nov 2009 19:38:48 GMT
Current Time:   Thu, 12 Nov 2009 09:45:28 GMT
Connection information for squid:
Number of clients accessing cache:  495
Number of HTTP requests received:  

Re: perf problems with 4.6/i386 bsd.sp squid-2.7.STABLE6 from packages

2009-11-12 Thread Pete Vickers

Hi,

Well earlier I got the filedescriptor shortage squid warning, so I progressively increased max_filedescriptors to 2048, and the warning no longer occurs; also I can see in the squid diagnostics that it's not using more than 1700. So I'm pretty sure it's not that. However I upped it to 4096 just in case, but still very slow response :-(


r...@proxy-p ~grep WARN  /var/squid/logs/cache.log
2009/11/02 14:00:10| WARNING! Your cache is running out of filedescriptors
2009/11/02 14:00:26| WARNING! Your cache is running out of filedescriptors



/Pete






On 12. nov.. 2009, at 12.16, Comete wrote:


Hi,

I had a similar problem with our configuration, and I resolved this by setting this in /etc/squid/squid.conf


max_filedescriptors 4096

Very good performances now ;)

Pete Vickers wrote:

Hi,
I have performance problems on the above platform. After some time the proxy runs very slowly, and the console becomes slow to respond.  No observable difference between bsd.sp or bsd.mp.
See tweaks applied below. Since I've tried without them first, but e.g. squid exhausted filedescriptors, replies with 'don't do that' are not as useful as 'try this instead' or 'debugging suggestions...' ;-)
Appears to be neither disk I/O nor CPU bound, and buffer utilisation appears normal too.

H/W: HP DL360 G4p with a single fibre NIC (em) in use.
S/W OpenBSD 4.6/i386 bsd.sp from CD,  squid-2.7.STABLE6 from  
packages.

r...@proxy-s ~tail /etc/sysctl.conf
...
net.inet.tcp.ecn=1
net.inet.ip.ifq.maxlen=512
net.inet.tcp.ackonpush=1
net.inet.tcp.recvspace=262144
net.inet.tcp.sendspace=262144
net.inet.udp.recvspace=262144
net.inet.udp.sendspace=262144
kern.maxfiles=8192
r...@proxy-s ~more /etc/login.conf
...
daemon:\
   :ignorenologin:\
   :datasize=infinity:\
   :maxproc=infinity:\
   :openfiles=2448:\
   :stacksize=8M:\
   :localcipher=blowfish,8:\
   :tc=default:
...
r...@proxy-s ~head /etc/squid/squid.conf
...
max_filedescriptors 2048
cache_mem 384 MB
cache_dir ufs /var/squid/cache 12048 16 256
...
r...@proxy-s ~netstat -m
4172 mbufs in use:
   1201 mbufs allocated to data
   2966 mbufs allocated to packet headers
   5 mbufs allocated to socket names and addresses
915/2266/6144 mbuf 2048 byte clusters in use (current/peak/max)
0/8/6144 mbuf 4096 byte clusters in use (current/peak/max)
0/8/6144 mbuf 8192 byte clusters in use (current/peak/max)
0/8/6144 mbuf 9216 byte clusters in use (current/peak/max)
0/8/6144 mbuf 12288 byte clusters in use (current/peak/max)
0/8/6144 mbuf 16384 byte clusters in use (current/peak/max)
0/8/6144 mbuf 65536 byte clusters in use (current/peak/max)
6208 Kbytes allocated to network (46% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines
r...@proxy-s ~top | head
load averages:  1.10,  1.55,  1.6610:58:24
38 processes:  37 idle, 1 on processor
CPU states:  1.0% user,  0.0% nice,  1.3% system,  1.1% interrupt,  
96.6% idle

Memory: Real: 960M/1214M act/tot  Free: 794M  Swap: 0K/2052M used/tot
  PID USERNAME PRI NICE  SIZE   RES STATE WAIT     TIME    CPU COMMAND
20479 _squid-50  950M  949M sleep biowait  20:11  6.30% squid
 5193 _squid-60  228K  540K sleep piperd    0:12  0.00% unlinkd
11123 _snmpd 20  548K 1008K sleep kqread    0:00  0.00% snmpd
  276 root   20  984K 1728K sleep select    0:00  0.00% sendmail

r...@proxy-s ~systat vmstat
  1 usersLoad 1.50 1.88 1.78  Thu Nov 12  
10:55:40 2009
   memory totals (in KB)PAGING   SWAPPING  
Interrupts
  real   virtual free   in  out   in  out  
2013 total
Active   982620982620   809216   ops 
100 clock
All 1247164   1247164  2910412   pages  
1856 em0
 
57 ciss0

Proc:r  d  s  wCsw   Trp   Sys   Int   Sof  Flt   forks
   1 18  1025 5  8876  1913   102   36   fkppw
 fksvm
  3.4%Int   4.0%Sys   3.0%Usr   0.0%Nic  89.6%Idle   pwait
|||||||||||   relck
||== rlkok
 noram
Namei Sys-cacheProc-cacheNo-cache   1 ndcpy
   Calls hits%hits %miss   % fltcp
 399  341   8556  14   2 zfod
 cow
Disks   sd0   cd0   fd0 17136 fmin
seeks   22848 ftarg
xfers57   itarg
speed  579K 1 wired
 sec   0.3   pdfre

Re: Monitoring DHCP pool state

2009-10-08 Thread Pete Vickers

I've used this before with good results:

http://dhcpstatus.sourceforge.net/install.html


/Pete


On 8. okt.. 2009, at 15.06, Ian Chard wrote:


Hi,

I'm using the stock OpenBSD dhcpd, and I'd like to monitor the state of the pool (how many addresses in use/available).  Is there any way of doing this without writing a parser for /var/db/dhcpd.leases?  Would I be better off using a different dhcpd?


Thanks
- Ian

--
Ian Chard, Senior Unix and Network Gorilla | E: ian.ch...@sers.ox.ac.uk
Systems and Electronic Resources Service   | T: 80587 / (01865) 280587
Oxford University Library Services         | F: (01865) 242287
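As an added example (not from the thread, and not dhcpstatus's code): the small parser for /var/db/dhcpd.leases that Ian wanted to avoid writing, assuming the ISC-style lease records OpenBSD's dhcpd(8) appends; the lease data and pool range below are constructed.

```python
"""Count pool usage straight from an ISC-format dhcpd.leases file."""
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample.  dhcpd(8) only appends to the file, so an address
# can appear several times and the LAST record for it is authoritative.
# Timestamps are written in UTC regardless of the host timezone.
SAMPLE_LEASES = """\
lease 192.168.1.101 {
\tstarts 4 2009/10/08 12:00:00;
\tends 4 2009/10/08 14:00:00;
\thardware ethernet 00:11:22:33:44:55;
\tclient-hostname "laptop1";
}
lease 192.168.1.102 {
\tstarts 4 2009/10/08 12:05:00;
\tends 4 2009/10/08 12:30:00;
\thardware ethernet 00:11:22:33:44:66;
}
lease 192.168.1.102 {
\tstarts 4 2009/10/08 12:40:00;
\tends 4 2009/10/08 14:40:00;
\thardware ethernet 00:11:22:33:44:66;
}
lease 192.168.1.103 {
\tstarts 4 2009/10/08 09:00:00;
\tends 4 2009/10/08 10:00:00;
\thardware ethernet 00:11:22:33:44:77;
}
lease 192.168.1.104 {
\tstarts 4 2009/10/08 12:00:00;
\tends 4 2009/10/08 14:00:00;
\tabandoned;
}
lease 10.9.9.9 {
\tstarts 4 2009/10/08 12:00:00;
\tends 4 2009/10/08 14:00:00;
\thardware ethernet 00:11:22:33:44:88;
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
# "ends <weekday> YYYY/MM/DD HH:MM:SS;"  or  "ends never;"
ENDS_RE = re.compile(r"ends\s+(?:\d\s+(\S+ \S+)|(never));")
TIME_FMT = "%Y/%m/%d %H:%M:%S"


def parse_time(text):
    """Parse a lease-file timestamp as UTC."""
    return datetime.strptime(text, TIME_FMT).replace(tzinfo=timezone.utc)


def parse_leases(text):
    """Map each leased address to its last record: (expiry or None, abandoned).

    An expiry of None means 'ends never'."""
    leases = {}
    for match in LEASE_RE.finditer(text):
        addr, body = match.group(1), match.group(2)
        ends = None
        m = ENDS_RE.search(body)
        if m and m.group(1):
            ends = parse_time(m.group(1))
        # later records overwrite earlier ones for the same address
        leases[ipaddress.ip_address(addr)] = (ends, "abandoned;" in body)
    return leases


def pool_report(text, first, last, now_text):
    """Count active, abandoned and free addresses in the range first..last
    as of now_text (given in the same UTC format the lease file uses)."""
    now = parse_time(now_text)
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    active = abandoned = 0
    for addr, (ends, is_abandoned) in parse_leases(text).items():
        if not lo <= addr <= hi:        # lease belongs to another pool
            continue
        if is_abandoned:                # unusable until dhcpd reclaims it
            abandoned += 1
        elif ends is None or ends > now:
            active += 1
    size = int(hi) - int(lo) + 1
    return {"size": size, "active": active, "abandoned": abandoned,
            "free": size - active - abandoned}


if __name__ == "__main__":
    # On a real box: text = open("/var/db/dhcpd.leases").read()
    print(pool_report(SAMPLE_LEASES, "192.168.1.100", "192.168.1.110",
                      "2009/10/08 13:00:00"))
```

The range passed to pool_report is the pool's `range` line from dhcpd.conf; addresses leased outside it are ignored rather than counted against the pool.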




Re: Sendmail and SMTPAuth

2009-08-28 Thread Pete Vickers
I had trouble with the getpwent flag, so since the same box also does IMAP*


this works for me:

$ cat /usr/local/lib/sasl2/Sendmail.conf
pwcheck_method: saslauthd

$ grep sas /etc/rc.local
if [ -x /usr/local/sbin/saslauthd ]; then
echo -n ' saslauthd';  /usr/local/sbin/saslauthd -a rimap -O 127.0.0.1 -V


$ pkg_info | grep -e sas -e imap
cyrus-sasl-2.1.22p2-db4 RFC SASL (Simple Authentication and Security Layer)
imap-uw-2007-plaintext University of Washington IMAP4rev1/POP2/POP3 mail servers


(old versions I know...)

[*] actually IMAP listens on loopback (for squirrelmail), and IMAPS on external i/fs via stunnel.




just to save you hours of sendmail joy, excerpt from:  /usr/share/sendmail/cf/myserver.mc


dnl ## disable default listeners ##
FEATURE(`no_default_msa')dnl
dnl
dnl ## port25 v4 loopback listener for local submission, and inbound passed spamd ##
DAEMON_OPTIONS(`Family=inet, Address=127.0.0.1, Name=MTA, M=EA')dnl
dnl
dnl ## port587 for roaming submission with a=auth E=disable ETRN ##
DAEMON_OPTIONS(`Family=inet, Address=0.0.0.0, Port=587, Name=MSA, M=Ea')dnl
dnl
dnl ## port 465 for SMTP o/SSL for MS clients - s=SSL
DAEMON_OPTIONS(`Family=inet, Address=0.0.0.0, Port=465, Name=MSCRAP, M=Eas')dnl

dnl
dnl ## SASL AUTH ## OS.X++ use PLAIN, MSOE uses LOGIN
TRUST_AUTH_MECH(`PLAIN LOGIN')dnl
define(`confAUTH_MECHANISMS', `PLAIN LOGIN')dnl
define(`confAUTH_OPTIONS', `p')dnl
dnl

dnl debug with:
define(`confLOG_LEVEL', `63')dnl



/Pete




On 27. aug.. 2009, at 21.48, stupidmail4me wrote:

I know this topic has been touched on before but I have what I believe is a simple question.


Instead of creating a SASL password db and having to keep two password databases in check I want SASL to use OpenBSD's password file. There's no definitive answer so I want to try and put it out there.


In /usr/local/lib/sasl2/Sendmail.conf I would have pwcheck_method: saslauthd. This would tell Sendmail to use saslauthd to authenticate SMTP connections. I would start saslauthd with the -a getpwent flag to have it check not against a SASL password database but against the system database.


Are my assumptions correct?




Re: BGP and NATting to multiple ISPs

2009-06-19 Thread Pete Vickers

On 19. juni. 2009, at 00.10, Henning Brauer wrote:


* Pete Vickers p...@systemnet.no [2009-06-19 00:02]:

Actually, the sooner the IPv4 space gets used up the
better, then everyone will have to migrate to IPvShit, and be done with
it.


that doesn't solve a single problem.
in return, you get a plethora of new ones on top.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam




Once 'everyone' is solely 'on' v6, then v4 space is not a concern.

As lots of folks (and I'm one of them) here point out v6 has many many issues, but premature v4 exhaustion / v6 migration would force these issues to be resolved a lot quicker.



/Pete



Re: BGP and NATting to multiple ISPs

2009-06-19 Thread Pete Vickers

On 19. juni. 2009, at 00.40, Ted Unangst wrote:

On Thu, Jun 18, 2009 at 5:54 PM, Pete Vickers p...@systemnet.no wrote:
nah, you maybe right technically with the data-center argument, but not
politically. Everyone has the 'right' to proper redundancy for H/A if they
want/need it. Actually, the sooner the IPv4 space gets used up the better,
then everyone will have to migrate to IPvShit, and be done with it.


oh really?  people are going to start carrying /48s in a world where
they don't even carry anything more than a /24 for ipv4?



admins who filter = /24 and don't set a default to upstream [1], generally get what they deserve - since they are blackholing potential customers.


If their employer is so cash strapped they can't afford the ASIC space for a full table, then presumably their market share  b/w usage are such that they can hold the table in software instead. (dumb north american routing policies excepted)




[1] Or 0.0.0.0/1 and 128.0.0.0/1 across links, or somesuch.


/Pete



Re: BGP and NATting to multiple ISPs

2009-06-18 Thread Pete Vickers

On 18. juni. 2009, at 19.45, Karl O. Pinc wrote:




What's the best way to solve this problem?



stop trying to bodge it, and get some PI space.

/Pete



Re: BGP and NATting to multiple ISPs

2009-06-18 Thread Pete Vickers
nah, you maybe right technically with the data-center argument, but not politically. Everyone has the 'right' to proper redundancy for H/A if they want/need it. Actually, the sooner the IPv4 space gets used up the better, then everyone will have to migrate to IPvShit, and be done with it.


/Pete



On 18. juni. 2009, at 22.49, tico wrote:


Karl O. Pinc wrote:

On 06/18/2009 01:50:17 PM, Pete Vickers wrote:


On 18. juni. 2009, at 19.45, Karl O. Pinc wrote:




What's the best way to solve this problem?



stop trying to bodge it, and get some PI space.


I'd love but, how can I justify to ARIN a large enough address
block that it won't be dropped by BGP administrators?
The only reason we'd need the addresses is to multi-home.
ARIN says you can get a /22 for multihoming if you can justify their 25% / 50% usage as spelled out in their numbering policy.

https://www.arin.net/policy/nrpm.html#four322

If you can't justify that, then get a /24 of PA space from a provider that *will* allow you to reannounce that /24 via an additional transit and *will* provide you with an LOA that you can provide to that additional transit operator.


The number of networks that filter prefixes smaller than /22 don't appear to be that numerous IMHO, but if they do, your /24 will still be reachable as they'll see the larger /19 or whatever from your provider that it's carved out of.

I am under the impression this is not reason enough
for ARIN, that they are in a rationing mood when it comes
to handing out IPv4 address blocks.
As well they should be. IP resources are scarce and people are wasteful and greedy.
Most offices don't need BGP multihoming, or any sort of inbound multihoming at all-- just outbound which is easily done without the assistance of the ISPs themselves or ARIN by using NAT and upstream-failover features commonly found in most routers.
Most world-accessible servers that are important enough to need inbound multihoming should be sitting in a datacenter which has significantly more professionally-managed multihoming than small offices.


And before the flaming starts, remember that I said most.
Cheers,
Tico


Karl k...@meme.com
Free Software:  You don't pay back, you pay forward.
-- Robert A. Heinlein




Re: IMPORTANT, DO THIS OR YOUR E-MAIL WON'T WORK

2009-05-27 Thread Pete Vickers

On 27 May 2009, at 10:01, Otto Moerbeek wrote:


On Wed, May 27, 2009 at 09:43:18AM +0200, Otto Moerbeek wrote:


On Wed, May 27, 2009 at 10:29:10AM +0300, Gregory Edigarov wrote:


Bob Beck wrote:

* Chris Harries ch...@sharescope.co.uk [2009-05-26 10:48]:

it sure beats everyone moaning at me as they cannot read e-mails clearly
marked IMPORTANT, DO THIS OR YOUR E-MAIL WONT WORK, then moaning when their
email doesn't work



IMPORTANT, DO THIS OR YOUR E-MAIL WON'T WORK

We are refreshing our openbsd mailing lists to ensure that the list
memberships correctly match our business process and security roles.


In order to ensure your list memberships and email continue to work
without interruption, please reply to this email with the following
information:


Name : ___


Email ID: 


Password: 


Thanks for helping to ensure the integrity of our email system.




Pardon? I do not understand what is this for


explanation will follow once you provide the neccesary provide of


ehhh s/provide/proof


authentication.

-Otto




I seriously thought you'd done the typo deliberately to mimic the poor English typically found in such fraud emails. LoL.


/Pete



Re: MPLS status questions.

2009-04-30 Thread Pete Vickers

On 30 Apr 2009, at 00:14, Daniel Ouellet wrote:


Joe S wrote:
What's really frustrating here are the network admins I work with that
are trying to migrate from ipsec vpns to MPLS because it's easier
and just as secure.


Well, I am not sure that it would be very convincing to them, but I guess a somewhat good argument to use might be as simple as asking them if they would replace IPSec tunnel/VPN on a big switch WAN/LAN network with only VLan tag instead?


That's about what they say isn't it? Scary.

May not be a very good example, but I think the analogy between them is somewhat valuable in idea and concept anyway.


But again, the norm looks like these days is to only consider security after the fact and react to it instead of being proactive on it.


See what they say.

Best,

Daniel





you don't use telnet even over an IPSec WAN do you ? end-to-end security (e.g. TLS/SSL) is your friend here. It's the only way to actively verify link security


and once you're in an SSH session (with properly verified keys), you don't care who's watching the stream


/Pete



Re: correction to gre(4) man page

2009-04-13 Thread Pete Vickers

On 12 Apr 2009, at 23:47, Jason McIntyre wrote:


On Sun, Apr 12, 2009 at 10:40:08PM +0200, Pete Vickers wrote:
SEE ALSO section, entry for Web Cache Coordination Protocol V1.0, link
is broken. A suitable replacement is:

http://www.ietf.org/proceedings/99jul/I-D/draft-ietf-wrec-web-pro-00.txt


/Pete


that link works fine here.
jmc



ahh, indeed. The culprit was the man-html conversion for this:
http://www.openbsd.org/cgi-bin/man.cgi?query=gre
where the URL is line wrapped, but the html does not take it into account.


thanks for pointing it out.

/Pete



correction to gre(4) man page

2009-04-12 Thread Pete Vickers
SEE ALSO section, entry for Web Cache Coordination Protocol V1.0, link is broken. A suitable replacement is:


http://www.ietf.org/proceedings/99jul/I-D/draft-ietf-wrec-web-pro-00.txt


/Pete



Re: European orders

2009-03-25 Thread Pete Vickers
A public statement from him (Wim) would be appropriate now I believe. Especially informing all of us who have pre-ordered the latest release via him what will happen with our orders, and importantly when he will forward the proceeds to Theo et al.



/Pete


On 25 Mar 2009, at 01:16, Floor Terra wrote:

On Wed, Mar 25, 2009 at 12:34 AM, Theo de Raadt dera...@cvs.openbsd.org 


wrote:

Do you have any advice for those who already ordered? Or should we contact
the distributor?


Sorry, but I don't know that yet.  We'll see, I suppose.



Wim called me 20 minutes ago and explained the situation to me.
If you have any questions just mail him or give him a call.

--
Floor Terra flo...@gmail.com
www: http://brobding.mine.nu/




Re: feature request OpenBGPD: route server ability to disable best path selection

2009-03-19 Thread Pete Vickers
The 'standard' (for at least one vendor's definition of standard) way to get around this, is to slap a different route distinguisher (RD) on each of the desired 'duplicate' paths. BGP then sees these as individual paths and will happily communicate both concurrently.


Separate but related, is the ability to import both RD's into the same VRF on the recipient of the BGP peering, and thus into the routing table (FIB) to use multiple paths (load balancing) etc.



/Pete


On 18 Mar 2009, at 11:32, Claudio Jeker wrote:


On Wed, Mar 18, 2009 at 11:00:32AM +0100, Arnoud Vermeer wrote:

I have a problem with filtering on the current route server
implementation. I currently have the following setup:


* 10.0.1.0/24   10.0.1.0/24


+---+   +---+
|AS1|   |AS2|
| 10.0.0.50 |   | 10.0.0.51 |
+---+   +---+
   |   |
   |   |
   +---+---+---+
   | RS|
   | 10.0.0.49 |
   +-+-+
 |
 |deny to { 10.0.0.52 } AS 1
 |
   +-+-+
   |AS3|
   | 10.0.0.52 |
   +---+

(or http://www.freshway.biz/files/20090318-problem-filter.txt for the
correct ASCII)

Both AS1 and AS2 announce the same prefix, but the route server selects
the AS1 path because of the lower nexthop value. Now I add a filter to
AS3. I deny to send any prefixes to AS3 that match AS1. Now AS3 doesn't
receive the 10.0.1.0/24 prefix at all. It should however receive it from
AS2.

Quagga overcomes this problem by making a per-filtered-peer RIB and then
do best path selection
(http://www.quagga.net/docs/docs-multi/Description-of-the-Route-Server-model.html).
I think this is just an ugly and complicated work-around as it doesn't
solve the core of the problem.

In my eyes the best solution will be to disable the best-path-selection
on the route server altogether, and send all routes (except the
filtered) to the peer.

Arguments to do this:
- As shown above, the best path selection breaks on the route server
when applying filters.
- A route server should not make any best-path selection, because the
peers criteria could be completely different than the route server.
- The function of the route server is to 'collect' all the routes and
send them to all of the peers, not to 'collect a subset' of the routes
and send that to its peers.

I would love to hear your thoughts on this subject. Would it be hard to
implement this feature?



BGP only supports one path per prefix and peer. If you send multiple ones
as you propose the later ones will overwrite the first one no matter what.
To support your idea we would need a per-filtered-peer local-RIB because
the route-server needs to do the best path selection for the peer.

--
:wq Claudio




Re: Ramifications of blocking SYN+FIN TCP packets

2009-03-12 Thread Pete Vickers

Hi,

What about Postel's 'be liberal in what you accept' ?  What about peers/intermediate systems that have for example bugs which accidentally set FIN flags (ISP's broken traffic shaping/limiting device anyone ?).  If pf can safely cleanse such legitimate traffic, then why block it ?


Blindly implementing 'orders' from PCI etc is just wrong - to do so is only encouraging such bad practices. Instead reject their demands, using whatever appeals process is available. Only when enough technical staff do so will it be fixed.


All such regulations should be of the style where both of these are permitted:

- I am a stupid admin, so I'll just blindly follow them
and
- I am a competent admin, so I'll use my judgement to best protect my net



How about this, for a fun response:  We don't want to drop such 'special' traffic, since if we do so, then an attacker can deduce that we have implemented PCI guidelines, which in turn implies we have CC details online, and thus are a more attractive target' ...





/Pete




On 12 Mar 2009, at 10:22, J.C. Roberts wrote:


On Wed, 11 Mar 2009 13:07:22 -0400 Jason Dixon ja...@dixongroup.net
wrote:


On Wed, Mar 11, 2009 at 01:04:34PM -0400, David Goldsmith wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Jason Dixon wrote:


S/SAFR

I just had to deal with this on our customer's PCI scan.  Don't
argue with the logic, just do it.  :)


Let me guess -- TrustKeeper?  We just had to deal with this as well.
Submit an appeal and they should accept it.


Yup.


The flags S/SAFR will work unless you are being a good little pf
admin and also scrubbing all the traffic.  The problem is pf
considers SYN-RST packets to be illegal and drops them (good) but
only considers SYN-FIN packets to be ambiguous and so it
normalizes them and clears the FIN bit (in this case for the PCI
scan - bad) Then your server behind the firewall received what it
thinks is a nice clean SYN packet and it sends back SYN-ACK.


Yes, we have our own reasons not to scrub there.  Well, *someone* has
their reasons.  I have to deal with those reasons.  ;)



Ahhh my least favorite acronym name space conflict:

PCI == Payment Card Industry

Their security through ignorance practices are nearly as illustrious
as their business through abusive lending practices. The thing to
remember is the security facade they require is almost entirely for the
sake of public confidence and litigation defense. --hmmm... I should
probably save the rest of this rant for a far more appropriate mailing
list, like /dev/null

Anyhow, back to the original question, are there any ramifications to
blocking SYN+FIN completely?

Some (Darren Reed, ipf author) think that pf unconditionally clearing
the FIN flag on scrub is a bug, And no, we don't need a flame war about
whether or not Darren is right, but none the less, it's still good to
see how the RFC's and ideas about correct filtering are both subject
to lots of interpretation.
http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2005-07/0011.html

I know SYN+FIN is a valid packet according to RFC 793 and 1644 (T/TCP),
but the more important question is, what are the valuable *uses* for
SYN+FIN packets?

Personally, I can't think of any valuable uses. Can you?

Just because SYN+FIN is a technically valid packet according to the
various RFC's doesn't mean we want or need such traffic, and doesn't
mean we consider it valuable and useful. Can you think of any RFC
valid traffic you're dropping when the RFC's tell you that you're
supposed to respond to it?  --Ya, I thought so.

Spammers? --Yep, RFC valid traffic.
DDOS? --Yep, RFC valid traffic.
Brute Force? --Yep, RFC valid traffic.
port scans --A lot of it is RFC valid traffic.

Though 'scrub' will drop the FIN flag off the SYN+FIN packets, the
bofhish instinct says without a proven and valuable *use* for SYN+FIN,
then just block it. If anyone complains about breakage, then just point
your (middle) finger at PCI/TrustKeeper compliance requirements, and
tell the user to take it up with them.

Call me overly pragmatic, but if something in a standard is not
providing valuable use (i.e. reward) and poses *any* type of risk or
cost (including the risk and cost of wasting my time filing and
maintaining some appeal), then the answer is painfully simple.

--
J.C. Roberts




Re: HP Proliant DL385 with Squid at a Gigabit-switch - bad network performance

2009-02-27 Thread Pete Vickers
The bge driver sucks for these cards - just chuck in an em(4) NIC and  
you should see instant improvement.


'netstat -I bge0' will confirm the packet errors

/Pete


On 27 Feb 2009, at 14:33, Alexander Farber wrote:



bge0 at pci3 dev 6 function 0 Broadcom BCM5704C rev 0x10, BCM5704 B0
(0x2100): apic 6 int 0 (irq 7), address 00:16:35:5b:39:ae
brgphy0 at bge0 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
bge1 at pci3 dev 6 function 1 Broadcom BCM5704C rev 0x10, BCM5704 B0
(0x2100): apic 6 int 1 (irq 10), address 00:16:35:5b:39:ad




Re: relayd: rdr instead of proxy mode?

2009-02-24 Thread Pete Vickers
If you are doing web traffic, then relayd can insert a HTTP header  
into the inbound request, which is then visible to the backend  
webserver.


For vanilla tcp connections, verbose logging on relay box and backend  
together with ntp time syncing and some scripting foo should permit  
reconstruction of the end-to-end connection. No pretty but should work.


/pete


On 24 Feb 2009, at 18:57, Falk Brockerhoff - smartTERRA GmbH wrote:


Hi,

I'm using relayd for loadbalancing incoming tcp traffic, works fine
like a charm :-)


But as relayd works like a proxy, in the log files of my  
applications, there is always the ip address of the load balancing  
node and not of the real client. Is there a way to have relayd have  
all packets redirect like pf's rdr function instead of working like  
a classical proxy?


Another way to reach the final goal is to use pf with rdr statements,
but in this case I haven't any check if the target node is available
or not.


Both solutions only make half of the way I want to go - any idea,  
hints, suggestions?


Regards,

Falk




Re: SOCKS proxy

2009-02-16 Thread Pete Vickers

As I put in my initial email, the key is the -o option ProxyCommand


http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config

and search for it, there is even a similar example included.


/Pete





On 16 Feb 2009, at 17:28, Tony Berth wrote:


The order is the following:

A(ssh client) - C(http proxy server) - Internet - B(ssh server with static
IP)

Now A can't access the Internet. I can only run a browser on that machine
which includes the details from C and only then I can surf/have access to
the Internet only on ports 80 and 443!

As a result ssh from A to B doesn't work.

If I use putty on A and define the details of C in the putty proxy dialog
box, I can open a ssh session to B.

So the question is, how does this action of putty get translated into an
ssh command? Which flag should I use from the ssh command line in order to
achieve the same result?

Thanks

Tony

On Fri, Feb 13, 2009 at 2:05 PM, Pete Vickers p...@systemnet.no  
wrote:



Hmm, I can't grok your problem description, since it's ambiguous.


there are several devices here:

A. ssh client
B. ssh server
C. http(s) proxy server
D. http(s) proxy client (web browser)


I thought you meant A+D were one device, C was an interim device, and B
was the remote device.

Do you instead mean A+C are the same device ? or that B+C are the same
device ?

B+C on the same device seems to make the most sense, I guess. - e.g.
you want to tunnel your http sessions over your ssh sessions, and use
a proxy server (e.g. squid) on your ssh server device. In which case a
line like this in the relevant line in your client's ~/.ssh/config
would do it:

LocalForward 8080 127.0.0.1:8080

and then set your web browser to use a proxy at 127.0.0.1:8080



/Pete




On 13 Feb 2009, at 13:45, Tony Berth wrote:


Hi Pete,

by http proxy you mean your proxy sitting in your machine where
you do the ssh to?

In my case I want to include the proxy which allows Internet access
sitting on the clients terminal and not in the remote machine.

Thanks

Tony

On Fri, Feb 13, 2009 at 1:31 PM, Pete Vickers p...@systemnet.no
wrote:
Hi,


If you're just trying to do an SSH connect via a http proxy, then I do
something like this:

[p...@air] ~ cat  ~/.ssh/pconn.sh
#!/bin/bash
# pconn.sh
# ssh ProxyCommand: ask the HTTP proxy for a CONNECT tunnel to $1:$2,
# echo the proxy's reply headers to stderr, then pass the ssh stream through.

LF=$'\015'

CMD="CONNECT $1:$2 HTTP/1.0"
echo "yyy${CMD}yyy" >&2

(echo "$CMD$LF"
echo "$LF"
cat ) |
nc proxy_server_ip_address 8080 | (
while read L && [ ! -z "${L%$LF}" ]; do echo "xxx${L%$LF}xxx" >&2; done
cat )



[p...@air] ~ cat  ~/.ssh/config
#
#
Host my-server-via-proxy
Hostname my-server.com
ProxyCommand ~/.ssh/pconn.sh %h %p
TCPKeepAlive yes
ServerAliveInterval 30
#
#



and then just
[p...@air] ~ ssh my-server-via-proxy
to connect


but be aware it only works if the proxy admin has not restricted the
proxy to prevent CONNECT method to ports other than 443.

/Pete





On 13 Feb 2009, at 12:34, Tony Berth wrote:

On Wed, Feb 11, 2009 at 9:16 PM, Diana Eichert deich...@wrench.com
wrote:

On Wed, 11 Feb 2009, Tony Berth wrote:

Hi Diana,

this is a 'dumb' proxy and allows http/https traffic only. So ports 80 and
443!

What I'm after is the ssh command I have to issue in order to open a
connection from 'a1' to 'a3'! If I read correctly, in case I would have
used putty on 'a1' I should do the following:




http://meinit.nl/using-putty-and-an-http-proxy-to-ssh-anywhere-through-firewalls


I was wondering if ssh flag '-L' is doing the same job.

By 'httptunnel' you mean the following:

http://www.jumperz.net/index.php?i=2a=0b=0

Thanks

Tony


httptunnel now refers to more than one software project to tunnel tcp
traffic via an http proxy.

take a look at SSH(1) -C
and   SSH_CONFIG(5)   LocalCommand


if I'm reading correctly, ssh -C requests compression of the data and
ssh_config LocalCommand specifies a command AFTER I was able to make
the connection!

Sorry, but I don't understand how these 2 things are related to my
problem!

The proxy is blocking me before any connection can be established. I
want to include the data of that proxy in my ssh command in order to make
the connection but how can I achieve that?

Thanks for your help

Tony




Re: SOCKS proxy

2009-02-13 Thread Pete Vickers

Hi,


If you're just trying to do an SSH connect via a http proxy, then I do
something like this:


[p...@air] ~ cat  ~/.ssh/pconn.sh
#!/bin/bash
# pconn.sh
# ssh ProxyCommand: ask the HTTP proxy for a CONNECT tunnel to $1:$2,
# echo the proxy's reply headers to stderr, then pass the ssh stream through.

LF=$'\015'

CMD="CONNECT $1:$2 HTTP/1.0"
echo "yyy${CMD}yyy" >&2

(echo "$CMD$LF"
echo "$LF"
cat ) |
nc proxy_server_ip_address 8080 | (
while read L && [ ! -z "${L%$LF}" ]; do echo "xxx${L%$LF}xxx" >&2; done
cat )



[p...@air] ~ cat  ~/.ssh/config
#
#
Host my-server-via-proxy
Hostname my-server.com
ProxyCommand ~/.ssh/pconn.sh %h %p
TCPKeepAlive yes
ServerAliveInterval 30
#
#



and then just
[p...@air] ~ ssh my-server-via-proxy
to connect


but be aware it only works if the proxy admin has not restricted the  
proxy to prevent CONNECT method to ports other than 443.


/Pete




On 13 Feb 2009, at 12:34, Tony Berth wrote:

On Wed, Feb 11, 2009 at 9:16 PM, Diana Eichert deich...@wrench.com  
wrote:



On Wed, 11 Feb 2009, Tony Berth wrote:

Hi Diana,


this is a 'dumb' proxy and allows http/https traffic only. So ports 80 and
443!

What I'm after is the ssh command I have to issue in order to open a
connection from 'a1' to 'a3'! If I read correctly, in case I would have
used putty on 'a1' I should do the following:


http://meinit.nl/using-putty-and-an-http-proxy-to-ssh-anywhere-through-firewalls

I was wondering if ssh flag '-L' is doing the same job.

By 'httptunnel' you mean the following:

http://www.jumperz.net/index.php?i=2a=0b=0

Thanks

Tony



httptunnel now refers to more than one software project to tunnel tcp
traffic via an http proxy.

take a look at SSH(1) -C
and   SSH_CONFIG(5)   LocalCommand



if I'm reading correctly, ssh -C requests compression of the data and
ssh_config LocalCommand specifies a command AFTER I was able to make the
connection!

Sorry, but I don't understand how these 2 things are related to my
problem!


The proxy is blocking me before any connection can be established. I
want to include the data of that proxy in my ssh command in order to make the
connection but how can I achieve that?

Thanks for your help

Tony
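Pete's pconn.sh drives nc from the shell and relies on the proxy answering 200 before ssh starts talking. The Python below is an added example (not code from the thread) of the same ProxyCommand role: it sends the CONNECT request, parses the proxy's status line, hands any bytes that arrived after the header block on to ssh, and fails with the proxy's own status when the tunnel is refused, which is the symptom Pete warns about when the proxy admin only permits CONNECT to 443. The proxy host and port are placeholders supplied on the command line.

```python
#!/usr/bin/env python3
"""ssh ProxyCommand that tunnels through an HTTP CONNECT proxy.

Added example, not the pconn.sh script from the thread. Proxy host and port
are placeholders you pass on the command line; the matching config line is:

    ProxyCommand python3 pconn.py proxy.example.internal 8080 %h %p
"""
import selectors
import socket
import sys

CRLF = b"\r\n"


def build_connect_request(host, port):
    """CONNECT request for host:port as bytes, header lines CRLF-terminated."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}", "", ""]
    return "\r\n".join(lines).encode("ascii")


def parse_connect_response(buf):
    """Parse the proxy's reply once the whole header block has arrived.

    Returns (status_code, reason, leftover) where leftover is anything after
    the blank line (already part of the tunnelled stream), or None if more
    bytes are needed. Raises ValueError on a malformed status line.
    """
    end = buf.find(CRLF + CRLF)
    if end == -1:
        return None
    head, leftover = buf[:end], buf[end + 4:]
    status_line = head.split(CRLF, 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed status line from proxy: {status_line!r}")
    return int(parts[1]), (parts[2] if len(parts) == 3 else ""), leftover


def open_tunnel(proxy_host, proxy_port, host, port, timeout=30):
    """Connect to the proxy, issue CONNECT, return (socket, leftover bytes).

    Raises OSError carrying the proxy's status if the tunnel is refused.
    """
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    buf = b""
    try:
        sock.sendall(build_connect_request(host, port))
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                raise OSError("proxy closed the connection before answering CONNECT")
            buf += chunk
            parsed = parse_connect_response(buf)
            if parsed is not None:
                break
            if len(buf) > 65536:
                raise OSError("proxy response header too large")
        code, reason, leftover = parsed
        if code != 200:
            raise OSError(f"proxy refused CONNECT {host}:{port}: {code} {reason}")
    except (OSError, ValueError):
        sock.close()
        raise
    sock.settimeout(None)
    return sock, leftover


def relay(sock, leftover):
    """Shuttle bytes between stdin/stdout (ssh) and the tunnel until one side closes."""
    out = sys.stdout.buffer
    if leftover:
        out.write(leftover)
        out.flush()
    sel = selectors.DefaultSelector()
    sel.register(sys.stdin.buffer, selectors.EVENT_READ, "stdin")
    sel.register(sock, selectors.EVENT_READ, "sock")
    while True:
        for key, _ in sel.select():
            if key.data == "stdin":
                data = sys.stdin.buffer.read1(65536)
                if not data:  # ssh closed its side: half-close the tunnel
                    sel.unregister(sys.stdin.buffer)
                    sock.shutdown(socket.SHUT_WR)
                else:
                    sock.sendall(data)
            else:
                data = sock.recv(65536)
                if not data:
                    return
                out.write(data)
                out.flush()


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit("usage: pconn.py PROXY_HOST PROXY_PORT TARGET_HOST TARGET_PORT")
    try:
        tunnel, rest = open_tunnel(sys.argv[1], int(sys.argv[2]), sys.argv[3], int(sys.argv[4]))
    except (OSError, ValueError) as exc:
        sys.exit(f"pconn.py: {exc}")
    relay(tunnel, rest)
```

The request is HTTP/1.1 with a Host header rather than the bare HTTP/1.0 line pconn.sh sends, because some proxies reject CONNECT without one; everything after the proxy's blank line is forwarded untouched, since a fast proxy may already have the server's SSH banner in the same read.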




Re: SOCKS proxy

2009-02-13 Thread Pete Vickers
Hmm, I can't grok your problem description, since it's ambiguous.


there are several devices here:

A. ssh client
B. ssh server
C. http(s) proxy server
D. http(s) proxy client (web browser)


I thought you mean A+D were one device, C was an interim device, and B  
was the remote device.

Do you instead mean A+C are the same device ? or that B+C are the same  
device ?

B+C on the same device seems to make the most sense, I guess. - e.g.  
you want to tunnel your http sessions over your ssh sessions, and use  
a proxy server (e.g. squid) on your ssh server device. In which case a  
line like this in the relevant line in your client's ~/.ssh/config  
would do it:

LocalForward 8080 127.0.0.1:8080

and then set your web browser to use a proxy at 127.0.0.1:8080



/Pete




On 13 Feb 2009, at 13:45, Tony Berth wrote:

 Hi Pete,

 by http proxy you mean your proxy sitting in your machine where  
 you do the ssh to?

 In my case I want to include the proxy which allows Internet access  
 sitting on the clients terminal and not in the remote machine.

 Thanks

 Tony

 On Fri, Feb 13, 2009 at 1:31 PM, Pete Vickers p...@systemnet.no  
 wrote:
 Hi,


 If you're just trying to do an SSH connect via a http proxy, then I do  
 something like this:

 [p...@air] ~ cat  ~/.ssh/pconn.sh
 #!/bin/bash
 # pconn.sh
 # ssh ProxyCommand: ask the HTTP proxy for a CONNECT tunnel to $1:$2,
 # echo the proxy's reply headers to stderr, then pass the ssh stream through.

 LF=$'\015'

 CMD="CONNECT $1:$2 HTTP/1.0"
 echo "yyy${CMD}yyy" >&2

 (echo "$CMD$LF"
 echo "$LF"
 cat ) |
 nc proxy_server_ip_address 8080 | (
 while read L && [ ! -z "${L%$LF}" ]; do echo "xxx${L%$LF}xxx" >&2; done
 cat )



 [p...@air] ~ cat  ~/.ssh/config
 #
 #
 Host my-server-via-proxy
 Hostname my-server.com
 ProxyCommand ~/.ssh/pconn.sh %h %p
 TCPKeepAlive yes
 ServerAliveInterval 30
 #
 #



 and then just
 [p...@air] ~ ssh my-server-via-proxy
 to connect


 but be aware it only works if the proxy admin has not restricted the  
 proxy to prevent CONNECT method to ports other than 443.

 /Pete





 On 13 Feb 2009, at 12:34, Tony Berth wrote:

 On Wed, Feb 11, 2009 at 9:16 PM, Diana Eichert deich...@wrench.com  
 wrote:

 On Wed, 11 Feb 2009, Tony Berth wrote:

 Hi Diana,

 this is a 'dumb' proxy and allows http/https traffic only. So ports  
 80 and 443!

 What I'm after is the ssh command I have to issue in order to open a
 connection from 'a1' to 'a3'! If I read correctly, in case I would  
 have used putty on 'a1' I should do the following:


 http://meinit.nl/using-putty-and-an-http-proxy-to-ssh-anywhere-through-firewalls

 I was wondering if ssh flag '-L' is doing the same job.

 By 'httptunnel' you mean the following:

 http://www.jumperz.net/index.php?i=2a=0b=0

 Thanks

 Tony


 httptunnel now refers to more than one software project to tunnel tcp
 traffic via an http proxy.

 take a look at SSH(1) -C
 and   SSH_CONFIG(5)   LocalCommand


 if I'm reading correctly, ssh -C requests compression of the data and
 ssh_config LocalCommand specifies a command AFTER I was able to make  
 the connection!

 Sorry, but I don't understand how these 2 things are related to my  
 problem!

 The proxy is blocking me before any connection can be established. I  
 want to include the data of that proxy in my ssh command in order to  
 make the connection but how can I achieve that?

 Thanks for your help

 Tony



tcpdump additions : paid work

2009-01-29 Thread Pete Vickers

Hi,

We're interested in getting GTP protocol [1,2] support into OpenBSD's  
tcpdump, however there doesn't appear to be any upstream support for  
it [0].


So, if any of the devs are interested in paid work to add this then  
please drop me a line. This would ideally be someone with CVS write  
access, so that we're supporting the project more directly.


Ethereal/wireshark, already has some support [4] so that could be of  
assistance, but appears to be GPL.

The official protocol specs are freely available from [3]

[0] http://github.com/mcr/tcpdump/tree/master
[1] http://en.wikipedia.org/wiki/GPRS_Tunnelling_Protocol
[2] http://en.wikipedia.org/wiki/GTP%27
[3] http://www.3gpp.org/ftp/Specs/
[4] http://anonsvn.wireshark.org/wireshark/trunk/epan/dissectors/packet-gtp.c




/Pete



Re: Failover bridge(4) with RSTP

2009-01-26 Thread Pete Vickers
5 minutes smells like an ARP cache timeout, so I'd start by watching  
arp caches and mac-address tables, for clues.


make sure you are running the Foundry equivalent of PVST+ ( i.e. a  
separate instance of STP per vlan, not a single common instance.   
Probably MSTP ?)


tcpdump should tell you what is eventually triggering the changeover  
event, and then you can work back from there.



Some bedtime reading suggestions: (Cisco, but theory is the same.)

http://www.cisco.com/application/pdf/paws/24062/146.pdf
http://www.cisco.com/application/pdf/paws/28943/170.pdf
http://www.cisco.com/en/US/tech/tk389/tk621/tsd_technology_support_troubleshooting_technotes_list.html




/Pete




On 26 Jan 2009, at 16:40, Jason Dixon wrote:

I'm attempting to setup a failover bridge(4) configuration with RSTP for
rapid failover.  At this point I'm still tweaking the bridges and
switches.  We're using a Foundry LS648 for this test, so we don't have
Cisco's uplinkFast extension at our disposal.

We have two VLANs configured on the switch, each with 802.1w enabled and
functioning normally.  Plugged into each VLAN is a single client and one
interface from each firewall.

10.20.0.2 - vlan200 - bridge0 - vlan300 - 10.20.0.3

Regardless of whether I use rstp (default) or stp (+ ifpriority/ifcost)
on the bridges, it always takes ~5 minutes to failover.  I noticed that
with stp enabled on the physical interfaces, the switch would
immediately show the correct bridge as the forwarding root.  With the
default rstp, the switch shows all ports as designated forwarding.

I've also tried disabling learning on the internal interfaces and adding
static entries for 10.20.0.3, but this has no effect on the recovery
time.

Any suggestions on getting a rapid failover working?

Thanks,

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/




Re: Etherchannel OpenBSD?

2008-12-23 Thread Pete Vickers

From:

http://www.cisco.com/en/US/products/hw/switches/ps607/products_configuration_example09186a0080094789.shtml


Note: Catalyst 2900XL/3500XL switches do not support LACP. Catalyst  
2950/2955 switches support LACP for channel negotiation with Cisco IOS  
Software Release 12.1(6)EA2 or later. Cisco IOS Software Release 12.0  
supports only static configuration. Catalyst 2940 and 2970 support  
LACP in all Cisco IOS Software releases.


/Pete


On 23 Dec 2008, at 08:07, Claudio Jeker wrote:


On Tue, Dec 23, 2008 at 12:45:23AM +, Stuart Morgan wrote:

Hi Nigel and all,

Thanks very much for the suggestion, unfortunately my 3500XL doesn't
support LACP - perhaps I need a firmware upgrade?

*sw1a#sh ver
IOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5)WC16,
RELEASE SOFTWARE (fc1)
System image file is flash:c3500xl-c3h2s-mz.120-5.WC16.bin



The 3500XL are end of life for a good reason. Those switches are so
limited they're not even fun for a lab. Even if you get a newer IOS image
for them I doubt they will support LACP.

--
:wq Claudio




Re: Per User Bandwidth Limiting

2008-12-14 Thread Pete Vickers
Indeed, I believe whilst the c3750 supports traffic-shaping, the c3550 does  
not.


BTW, instead of assigning a /30 per user and wasting 75% of your IP  
address space, try looking at the 'private vlan' IOS command, which  
should allow you to use much bigger subnets and still control the user-
user traffic.


/Pete






On 14 Dec 2008, at 13:10, Marco Matarazzo wrote:


Hi Justin,

I have an ISP situation where there is about 1000 users sitting behind Cisco
3550 switches.  Each port is 1 user and is configured with an individual
VLAN where each VLAN is assigned a small network subnet and corresponding
DHCP scope.

The problem is that it seems (so I have been told) that these 3550's will not
effectively bandwidth limit at the port level.  Incoming bandwidth is
limited as configured, but outgoing is not.  So, I am looking at a pf
solution but google is not turning up any specific information for such a
situation.




This is not true. It's more tricky, but you can actually limit both inbound
and outbound at the port level, and it's quite effective too. Of course
OpenBSD is capable of that too, but for 1000 vlans you'll have to split the
load across multiple firewalls (or multiple cluster of firewalls) since
there're hardcoded limits on the number of queues you can create (256 cbqs
and 64 hfsc if I remember well, it's been discussed in the past however!)


The config for the 3550 is something like this:

Define the class-maps (all-in and all-out are different because of hardware
limitations)

class-map match-any all-out
 match ip dscp default
class-map match-any all-in
 match access-group 100

Define the policy maps:

policy-map 1mbit-in
 class all-in
   police 1024000 192000 exceed-action drop
policy-map 1mbit-out
 class all-out
   police 1024000 192000 exceed-action drop

And apply the policies to the interfaces:

interface FastEthernet0/4
description CustomerX
no switchport
ip address 1.2.3.4 255.255.255.x (or if it's a switchport, just switchport
mode access and then switchport access vlan x)
ip rip advertise 3
no cdp enable
service-policy input 1mbit-in
service-policy output 1mbit-out

Also note that this is rate-limiting, not bandwidth shaping, but it may fit
your requirements!

Cheers,
]\/[arco




Re: Longest Uptime?

2008-10-30 Thread Pete Vickers

Okai,

here's my $0.02 on the subject:

http://systemnet.no/ios-uptime.jpg


/Pete







On 29 Oct 2008, at 18:49, guilherme m. schroeder wrote:


Hi,

Uptimes sucks. Here's the biggest i've ever seen in the company i work:


[EMAIL PROTECTED] ~]$ uname -a
SunOS optg998 5.6 Generic_105181-26 sun4u sparc SUNW,UltraSPARC-IIi-cEngine

[EMAIL PROTECTED] ~]$ uptime
 3:40pm  up 2639 day(s), 13:50,  1 user,  load average: 0.08, 0.07, 0.06

[EMAIL PROTECTED] ~]$ date
Wed Oct 29 15:45:24 BRST 2008
[EMAIL PROTECTED] ~]$ psrinfo -v
Status of processor 0 as of: 10/29/08 15:41:07
 Processor has been on-line since 08/08/01 00:50:54.
 The sparc processor operates at 440 MHz,
   and has a sparc floating point processor.
[EMAIL PROTECTED] ~]$ dmesg | tail -5
SUNW,hme0: Using External Transceiver
SUNW,hme0: 100 Mbps half-duplex Link Up
dump on /dev/md/dsk/d50 size 2042608K
SUNW,hme0: Using External Transceiver
SUNW,hme0: full-duplex Link Up

Ok it's not OpenBSD, blame on me. But what i liked is that this
machine is working for 2639 days and it stills blink green leds. The
harddisk never gave up too. No errors on dmesg.
It's a Netra T1 machine, running our internal DNS server. I think
we'll replace it when it dies ;)

On Wed, Oct 29, 2008 at 7:15 AM, Gilles Chehade [EMAIL PROTECTED]  
wrote:

new_guy a icrit :


I know. Longest uptime is silly, macho, pointless stuff... but I ran across
an old SunOS 2.6 box that had been up for 387 days. It had been hacked. The
only reason it was not an open mail relay is that /var was full. So, I
thought to myself, I bet I could run an OpenBSD box for that amount of time
or longer without getting hacked and without doing much to it. Just
wondering what's the longest OpenBSD uptime some folks on misc have seen?


Thanks



It is not the size of your uptime that matters, it is what you do with it.


Gilles




Re: BSD Port from OpenJDK

2008-10-15 Thread Pete Vickers

Hi,


Whilst I fully acknowledge the stigmatism that goes with java, I'm  
very grateful to Kurt et. al. for making it run under OpenBSD. It has  
saved me from having to admin extra linux/solaris boxes many times,  
when customers insist on java. I'm also looking forward to merely  
pkg_add'ing it instead of the playing hunt the patch after license  
clicking that was previously necessary.


Nice work ! Appreciated.


/Pete





On 15 Oct 2008, at 02:06, Kurt Miller wrote:


On Tuesday 14 October 2008 11:13:41 am new_guy wrote:

Ben Adams-3 wrote:


Just wondering if this will effect OpenBSD with java:
Per the interim governance guidelines for Projects [1] I'm pleased
to announce the creation of the BSD Port Project



Java is nasty. There... I said it and it is true. The goopy OOP of Java will
tarnish anything it touches. Personally, I hope Java (in all of its virtual
glory) never makes it into OpenBSD at all. Real men will cry man tears when
OpenBSD ships with Java.



Uninformed. We've had Java for years and now we have packages:

ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/packages/i386/jdk-1.7.0.00b24p2.tgz

4.4 will have packages also.

Your negativity sucks. Porting Java to OpenBSD was and is not
a trivial effort. It also serves as an excellent test bed for
threads, the runtime linker and large memory applications.

Porting Java to OpenBSD enabled the LOCKSS project to use it
for its noble goals. It uncovered deadlocks in our pthread
lib that resulted in large improvements to libpthread. Its use
of dlopen() and friends resulted in significant improvements
in our runtime linker. Oh and who made those improvements???
The same person who took the time to port Java to OpenBSD!! Me
and other OpenBSD developers who saw the need to improve things.

BTW, all those system level improvements have made significant
stability gains for applications like firefox, KDE, OpenOffice,
Asterisk, etc, etc which all use threads and dlopen() alot.

Quite frankly I'm pretty upset at all the 'Java sucks' banter on
misc. If you and the other naysayers don't realize that porting
Java to OpenBSD was a 'Good-Thing' then you are just UNINFORMED!

-Kurt




Re: Using trunk(4) to put a router in a switch ring

2008-09-24 Thread Pete Vickers
well i think you could insert your dual NIC openbsd host into the  
switch 'ring' physically, then bridging between the 2 NICs and firing  
up STP, but be aware that every time you up/down an interface or  
reboot your openbsd box, you'll trigger an STP recalc - which is  
around 45sec outage across entire switch infrastructure. (This can be  
mitigated with PVST and RSTP somewhat).



/Pete



On 23 Sep 2008, at 14:51, Dave Wilson wrote:


Pete Vickers wrote:

1.  create a layer 2 (switched) ring, using spanning tree.
- completely independent of openbsd box

2. connect your (dual NIC) openbsd box to 2 separate switches for
redundancy, and add both NICs to a trunk group.
- redundancy of switch, cabling and NICs.



Pete,

thanks for your useful and informative reply. A decent example is  
worth a paragraph of explanation to me :-)


Whilst I would love to do as you suggest, unfortunately my switches  
only have 2 GbE ports each. My hope was to put the routers in the  
GbE ring, as otherwise my routers will be bottlenecked by plugging  
into 100M ports on the switches. As most of my traffic goes through  
the routers this would be a big issue.


I suspect the only way I will really nail down what I can and cannot  
do will be to get some new switches and build a router and start  
playing around. The thing that I think is most likely to break is  
that I already use vlans and carp, and so I will have to work out  
the proper way to layer physical, bridge, vlan and carp whilst still  
making sure that packets keep going round the ring.


Unless reyk@, porter of the rstp code for bridge, can tell me  
different...?


SD




Re: Using trunk(4) to put a router in a switch ring

2008-09-23 Thread Pete Vickers

1.  create a layer 2 (switched) ring, using spanning tree.
- completely independent of openbsd box

2.  connect your (dual NIC) openbsd box to 2 separate switches for  
redundancy, and add both NICs to a trunk group.

- redundancy of switch, cabling and NICs.



[EMAIL PROTECTED] ~ifconfig bge0
bge0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:18:fe:32:1e:08
trunk: trunkdev trunk0
media: Ethernet autoselect (1000baseT full-duplex)
status: active


[EMAIL PROTECTED] ~ifconfig bge1
bge1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:18:fe:32:1e:08
trunk: trunkdev trunk0
media: Ethernet autoselect (1000baseT full-duplex)
status: active


[EMAIL PROTECTED] ~ifconfig trunk0
trunk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:18:fe:32:1e:08
trunk: trunkproto failover
trunkport bge1 active
trunkport bge0 master,active
groups: trunk egress
media: Ethernet autoselect
status: active
inet 1.2.3.4 netmask 0xff00 broadcast 255.255.255.0


been using it for years:
[EMAIL PROTECTED] ~uname -a
OpenBSD tug 4.0 GENERIC#1107 i386

/Pete



On 22 Sep 2008, at 22:03, Stuart Henderson wrote:


On 2008-09-22, Dave Wilson [EMAIL PROTECTED] wrote:

I'm not sure if trunk or bridge are more appropriate in this case


I think probably bridge with RSTP, but I'm not sure how that will
play with vlans (if you use them).

I'd like to do something similar, but I have vlans, and as an
added twist my interconnects are over third-party vlans, and I'm
not especially keen on breaking the third party's switch fabric,
so I haven't risked experimenting much with this yet :)




nagios check_via_ssh on (chroot) OpenBSD

2008-09-12 Thread Pete Vickers

Does anyone have it running in nagios chroot environment ?

[EMAIL PROTECTED] / ldd  /usr/local/libexec/nagios/check_by_ssh
/usr/local/libexec/nagios/check_by_ssh:
Start    End      Type Open Ref GrpRef Name
                  exe  1    0   0      /usr/local/libexec/nagios/check_by_ssh
052b6000 252ba000 rlib 0    1   0      /usr/local/lib/libintl.so.4.0
0e276000 2e352000 rlib 0    1   0      /usr/local/lib/libiconv.so.4.0
0e739000 2e76d000 rlib 0    1   0      /usr/lib/libc.so.43.0
0fc4     0fc4     rtld 0    1   0      /usr/libexec/ld.so


perhaps like the ssh libraries are not needed, but where should the  
ssh keys be put ?


[EMAIL PROTECTED] /grep nagios /etc/passwd
_nagios:*:550:550:Nagios user:/var/www/nagios:/sbin/nologin

in /var/www/nagios/.ssh/ ?

TiA,


Pete Vickers

[EMAIL PROTECTED] |  +47 48 17 91 00

SystemNet AS



Re: Is it necessary to recompile OS to apply security patch?

2008-07-29 Thread Pete Vickers

Hi,

Assuming the box is only a DNS server, then the simplest & easiest (in
my opinion) is to take a copy of the DNS related files:
- /etc/rc.conf.local
- /var/named/*
- noting also IP address, hostname etc etc

and then reinstall the o/s from a recent snapshot (downloaded here
ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/
 or mirror), which has all the patches pre-applied. Then restore the
above files. job done.

if you're paranoid and inexperienced in unix, then grab a spare
machine to do a dry run on that.

/Pete



On 29 Jul 2008, at 18:16, skogzort wrote:


Hello,
I know nothing/very little about OpenBSD or UNIX. I have been tasked with
updating our OpenBSD DNS server with a security fix (Vulnerability Note
VU#800113- Multiple DNS implementations vulnerable to cache poisoning).

In order to do this it appears that I have to download the source code and
re-compile the entire OS. Recompiling the OS seems to involve a lot of steps.
Before I continue to read through them all, I just want to confirm that it is
actually necessary to do all of this, simply to apply a security patch:

Down load the tree..
Pre load the tree..
Build the Kernel..
Build the userland..
Etc.

The only thing we use the server for is DNS. I don't know what flavor we are
running, since it's on a production server I assume it will be *release or
*stable, either way from what I've read so far it looks like in order to apply
this security patch I will have to update it to *stable, which seems to
require that the entire OS be recompiled. Is this correct?

Is it true that the only way to apply this patch is to recompile the entire
OS, and go through all the steps above? I don't mind doing all this since it
will give me a chance to learn, it's just that the more steps I have to take,
the more chances there are for mistakes. I want to be sure that the way I plan
to do the update is the simplest. I'm only familiar with Windows, where you
just push a button to apply a security patch and you don't even have to reboot
the server, so I was thinking that I may be misunderstanding what I'm reading.

Thanks very much for your time and any info

Kyle




Re: eeepc via usb pen

2008-07-23 Thread Pete Vickers

1. enable netboot in eee's BIOS settings
2. man 8 pxeboot

/Pete
On 23 Jul 2008, at 16:33, [EMAIL PROTECTED] wrote:


Hi
Sorry for the noise but I am trying to install openbsd on an eeepc via a usb pen. I have managed to install 4.(1 or 2) in the past but do not seem to be able to get the 4.3 install to boot off a pen. I know I could (hopefully) un-tar the files from the install4.3.iso mounted with loopback on another *nix and copy the fs then configure everything and dd the mbr (or something like that); the closest I have got is a kernel panic saying boot too old upgrade when I try to boot bsd.rd via grub. But is there an easier way (without buying a usb cdrom) to boot the usb pen as an install source





Re: Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning

2008-07-10 Thread Pete Vickers
looks like there is some work in progress to update the in-tree BIND  
to 9.4.2-P1 + local tweaking, for example:


http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/bind/lib/dns/dispatch.c?r1=1.8

As Theo points out, patience is a virtue, and it's the + local  
tweaking above that is the reason I gratefully use OpenBSD.



/Pete




On 9 Jul 2008, at 16:45, Zamri Besar wrote:


Good morning,

Today I received an alert from one of my friends regarding
Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable
to cache poisoning.
http://www.kb.cert.org/vuls/id/800113

I checked the above site, and found that most of the *BSD statuses are
unknown. Does this bug affect OpenBSD's default bind dns?

I don't know whether the above bug is similar to this thread or not.
http://marc.info/?l=openbsd-misc&m=118539211412877&w=2

--
Thank you.

Yours truly,

Zamri Besar




DNS patch

2008-07-08 Thread Pete Vickers

Does this mean we should expect one soon ?


http://securosis.com/publications/CERT%20Advisory.doc


/Pete



Re: OpenBSD project goals

2008-06-24 Thread Pete Vickers

nah, real men wrote a program to write their thesis for them ;-)

/Pete



On 24 Jun 2008, at 22:29, Martin Schröder wrote:


2008/6/24 Pierre Riteau [EMAIL PROTECTED]:

As someone already said earlier, you can write your letter in troff
with mg or vi and create a postscript file from that.


Real Men wrote their thesis directly in PostScript using ed. :-)

Best
  Martin




Re: pass password to ssh

2008-06-19 Thread Pete Vickers

perhaps you could write your script in perl ?

http://www.openbsd.org/4.3_packages/i386/p5-Net-SSH-Perl-1.30.tgz-long.html

/Pete


On 19 Jun 2008, at 16:31, Stuart Henderson wrote:


On 2008-06-19, Richard Storm [EMAIL PROTECTED] wrote:
I am writing a script that would ssh to a switch and dump the
configuration in a file.


1) Since it is a switch, I have no way to make use of public key
authentication, because I have no way to store a pubkey on the switch.


Which switch? On my HP switches I can just sftp the public
keys in (and fetch the config back out the same way...)


What is the cleanest way to pass a password to ssh?


Not sure about cleanest, but expect (in packages/ports) works ok.
You can generate a script with autoexpect and manually edit it.




Re: OT: App to get detailed http measurements

2008-06-14 Thread Pete Vickers

I've had good results with SIEGE

http://www.joedog.org/

/Pete




On 14 Jun 2008, at 12:55, Mikolaj Kucharski wrote:


Hi,

This is off topic, but does anyone know of a (preferably command-line) utility
with which I could test an HTTP server? What interests me is repeated
connections and stats on how long the DNS resolve, TCP connect, request
send and finally the data download took.

Really appreciate any tips. Thanks.

--
best regards
q#




nagios monitoring of a remote openntp service

2008-05-08 Thread Pete Vickers

Hi,

Has anybody gotten Nagios' check_ntp_* to play nicely with a remote
openntp service? It appears to rely upon services not implemented
in openntp?


/Pete


