Re: serious watchdog timeout issues with em driver

2015-12-09 Thread Kapetanakis Giannis

On 08/12/15 21:47, Kapetanakis Giannis wrote:


> The event happened only once and its network recovered after a few
> seconds. No reboot.
>
> G


Well that didn't last long.
Today I found the server hanged at ddb after a new watchdog timeout on em0.
Keyboard was not working so I could not get all the info.

I wrote on paper:
uvm_fault(0xd0ba3660, 0xefffe000, 0, 1) -> d
kernel: page fault trap, code=0
Stopped at bpf_m_xhalt+0x6f: movzwl 0(%esi),%eax

G



Re: Empty MFS on root

2015-12-09 Thread Janne Johansson
2015-12-08 21:18 GMT+01:00 Alexander Hall :

> On December 8, 2015 4:21:16 PM GMT+01:00, Otto Moerbeek 
> wrote:
> >On Tue, Dec 08, 2015 at 03:03:14PM +, Tati Chevron wrote:
> >
> >> Currently, it's possible, (as root), to do something like:
> >> # mount_mfs -s 1g swap /
> >>
> >> which succeeds, and mounts the empty filesystem as the root
> >filesystem.
> >> This makes the machine inoperable and requires a physical reset,
> >without a clean shutdown, as no system binaries are available.
> >>
> >> Shouldn't we make mount_mfs error out in this case?
> >Why? Unix does not prevent you from doing stupid things in general.
> >Besides, a small variation (using -P) could be a proper and sane use
> >of mount_mfs on /
>
> FWIW, I don't think so, as the mfs is populated after being mounted.
>
>
>
Yeah, mount_mfs will need /bin/pax, and if you give -P a block device, it will
use /mnt in order to mount the wanted device on so pax can read the files out
of it, so / and /mnt can't be mfs-mounted upon with -P.


-- 
May the most significant bit of your life be positive.



Re: Octeon snapshots

2015-12-09 Thread Paul Irofti
> [1]: https://www.mail-archive.com/tech%40openbsd.org/msg26048.html

You have to use the octeon native objcopy by building the cross
compiler:

  # cd /usr/src
  # make -f Makefile.cross TARGET=octeon cross-gcc

And then use the objcopy from

  /usr/cross/octeon/usr/mips64-unknown-openbsd5.8/bin/objcopy



Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-09 Thread Craig Skinner
On 2015-12-08 Tue 12:06 PM |, szs wrote:
> So with letsencrypt here, how about making the main site
> default to https? Is this a good idea or is this a great idea?
> 

Copy & Paste from 2013: "OpenBSD site SSL"
http://marc.info/?t=13815459562=1=2

Please don't.

That would slow it down & eliminate cachability - increasing network
load & costs.

Encryption soaks up CPU time & electricity costs,
leaving less money for hackathons, etc, etc...

There's no personal data & no point.

Anyway, THIS email is being sent in clear text from Scotland to Canada.
It will also be archived and published on several public websites.

-- 
Miksch's Law:
If a string has one end, then it has another end.



Re: Octeon snapshots

2015-12-09 Thread Alexis de BRUYN

Hi Everybody,

Has anyone successfully installed on a D-Link DSR-500N (HW A1)?

I have tried again with the last snapshot, and I am still stuck [1].

Thanks,

[1]: https://www.mail-archive.com/tech%40openbsd.org/msg26048.html

On 12/06/15 05:54, Daniel Ouellet wrote:

On 12/5/15 8:01 PM, jungle Boogie wrote:

On 5 December 2015 at 01:36, Daniel Ouellet  wrote:

I very much appreciate it.



I appreciate this too, but I can't complete the install. I tried an
update and now an install.

Like the first time, I'm following the network boot instructions here:
ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/octeon/INSTALL.octeon

I can get the bsd.rd file fine from my server and boot into the installer.

This is the problem:
Available disks are: sd0.
Which disk is the root disk? ('?' for details) [sd0]
Disk: sd0   geometry: 1946/255/63 [31266816 Sectors]
Offset: 0   Signature: 0xAA55
 Starting Ending LBA Info:
  #: id  C   H   S -  C   H   S [   start:size ]
---
*0: 0C  0   1   2 -  2  11   9 [  64:   32768 ] Win95 FAT32L
  1: 00  0   0   0 -  0   0   0 [   0:   0 ] unused
  2: 00  0   0   0 -  0   0   0 [   0:   0 ] unused
  3: A6  2  11  10 -   1946  68  42 [   32832:31233984 ] OpenBSD
Use (W)hole disk, use the (O)penBSD area or (E)dit the MBR? [OpenBSD]
The auto-allocated layout for sd0 is:
#          size    offset  fstype [fsize bsize  cpg]
  a:     464.9M     32832  4.2BSD   2048 16384    1 # /
  b:     465.1M    984896    swap
  c:   15267.0M         0  unused
  d:     735.8M   1937472  4.2BSD   2048 16384    1 # /tmp
  e:    1080.7M       316  4.2BSD   2048 16384    1 # /var
  f:    1284.9M   5657696  4.2BSD   2048 16384    1 # /usr
  g:     742.9M   8289120  4.2BSD   2048 16384    1 # /usr/X11R6
  h:    2817.8M   9810624  4.2BSD   2048 16384    1 # /usr/local
  i:      16.0M        64   MSDOS
  j:    1178.0M  15581408  4.2BSD   2048 16384    1 # /usr/src
  k:    1607.9M  17993856  4.2BSD   2048 16384    1 # /usr/obj
  l:    4872.9M  21286848  4.2BSD   2048 16384    1 # /home
Use (A)uto layout, (E)dit auto layout, or create (C)ustom layout? [a]
disklabel(27018): syscall 5 "cpath"
Abort trap


What's syscall 5 cpath and why does it cause an abort trap?

I've tried with two different thumb drives with the same abort trap message.

Thanks!


Well I can't say what you did or didn't do.

Below there is WAY more information than needed.

But I just did it again all the way and here are all the steps by steps
I did and here is what my layout is before I started:

# fdisk sd0
Disk: sd0   geometry: 1946/255/63 [31266816 Sectors]
Offset: 0   Signature: 0xAA55
 Starting Ending LBA Info:
  #: id  C   H   S -  C   H   S [   start:size ]
---
*0: 0C  0   1   2 -  2  11   9 [  64:   32768 ] Win95 FAT32L
  1: 00  0   0   0 -  0   0   0 [   0:   0 ] unused
  2: 00  0   0   0 -  0   0   0 [   0:   0 ] unused
  3: A6  2  11  10 -   1946  68  42 [   32832:31233984 ] OpenBSD

# disklabel sd0
# /dev/rsd0c:
type: SCSI
disk: SCSI disk
label: Cruzer Fit
duid: 55072c2137c3a4e7
flags:
bytes/sector: 512
sectors/track: 63
tracks/cylinder: 255
sectors/cylinder: 16065
cylinders: 1946
total sectors: 31266816
boundstart: 32832
boundend: 31266816
drivedata: 0

16 partitions:
#          size    offset  fstype [fsize bsize  cpg]
  a:    1059584     32832  4.2BSD   2048 16384    1 # /
  b:    1044229   1092416    swap                   # none
  c:   31266816         0  unused
  d:    2104480   2136672  4.2BSD   2048 16384    1 # /tmp
  e:   10474368   4241152  4.2BSD   2048 16384    1 # /var
  f:    2088448  14715520  4.2BSD   2048 16384    1 # /var/log
  g:   10474400  16803968  4.2BSD   2048 16384    1 # /usr
  h:    3988448  27278368  4.2BSD   2048 16384    1 # /home
  i:      32768        64   MSDOS

And here are the step by step:

# mount_msdos /dev/sd0i /mnt
# cd /mnt
# ls -al
total 22664
drwxr-xr-x   1 root  wheel16384 Dec 31  1979 .
drwxr-xr-x  13 root  wheel  512 Dec  5 00:11 ..
-rwxr-xr-x   1 root  wheel  4020931 Nov 14 17:29 bsd
-rwxr-xr-x   1 root  wheel  7562057 Nov 14 17:29 bsd.rd

# ftp ftp://ftp.openbsd.org/pub/OpenBSD/snapshots/octeon/bsd.rd
Connected to openbsd.sunsite.ualberta.ca.
220 openbsd.srv.ualberta.ca FTP server ready.
...
Retrieving 

kerberos

2015-12-09 Thread Friedrich Locke
What is/are the alternative(ies) for kerberos on openbsd ? (Since it was
removed from the distribution).

Thanks.



Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-09 Thread Anthony J. Bentley
Kevin Chadwick writes:
> The cvs page fingerprint page could be https enabled, however you can
> use Google's cache over https, also buy a CD to help the project greatly
> would do far more for world security than TLS everywhere and even look
> at mailing list archives over https as a web of trust.
> 
> ISPs snooping is a compelling reason but not enough for me to adopt
> HSTS, a VPN makes more sense. I changed my ISP instead though ;).

There are valid complaints about HTTPS (generally involving the CA
system, sthen brought some of them up), but some of these responses are
just ridiculous. I mean, really? "ISPs snooping is a compelling reason
but not enough for me to adopt SSH instead of telnet, a VPN makes more
sense."

And you would trust signify keys from Google Cache? Come on.



Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-09 Thread Giancarlo Razzolini
On 08-12-2015 23:23, Stuart Henderson wrote:
> I wasn't aware that
> it lets you disregard the CAs though

Once the client has the two certs pinned (the primary and the backup),
if a malicious CA tries to impersonate the server using a forged (although
perfectly valid) certificate, the client shouldn't connect to it,
because it already has the fingerprint pinned. It is the same rationale
as ssh host keys, trust on first use.

But, by the way this thread evolved, we're beating a dead horse here now.

Cheers,
Giancarlo Razzolini
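
The decision described in the message above, as an added example that is not part of the original post: a hypothetical `PinStore` that records a primary and a backup fingerprint on first use and afterwards refuses any other certificate, even one whose chain validates. The class, the host name and the certificate bytes are constructed for illustration.

```python
import hashlib

# Constructed stand-ins for DER-encoded certificates; real code would hash the
# bytes presented in the TLS handshake.
PRIMARY = b"constructed: server certificate in use"
BACKUP = b"constructed: offline backup certificate"
FORGED = b"constructed: certificate for the same name from another CA"


def fingerprint(cert_der):
    """SHA-256 fingerprint of the certificate bytes, as a hex string."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """Hypothetical client-side store: host name -> set of pinned fingerprints."""

    def __init__(self):
        self._pins = {}

    def check(self, host, cert_der, chain_valid, announced=()):
        """Decide whether to connect; returns 'pinned', 'ok' or 'reject: <reason>'."""
        if not chain_valid:
            return "reject: chain does not validate"
        fp = fingerprint(cert_der)
        known = self._pins.get(host)
        if known is None:
            # First use: nothing to compare against yet, so the pins announced on
            # this connection are stored as-is (the ssh host key model).
            pins = set(announced)
            if fp not in pins or len(pins) < 2:
                return "reject: pins must cover the served cert and a backup"
            self._pins[host] = pins
            return "pinned"
        # Later connections: a chain that validates is necessary but no longer
        # sufficient; the fingerprint has to be one of the stored pins.
        return "ok" if fp in known else "reject: fingerprint not pinned"


def demo():
    """Walk one host through first contact, reuse, a forged cert and rotation."""
    store = PinStore()
    pins = (fingerprint(PRIMARY), fingerprint(BACKUP))
    return [
        store.check("www.example.org", PRIMARY, True, pins),  # first contact
        store.check("www.example.org", PRIMARY, True),        # same cert again
        store.check("www.example.org", FORGED, True),         # valid chain, unknown cert
        store.check("www.example.org", BACKUP, True),         # rotation to the backup
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```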



Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/

2015-12-09 Thread Kevin Chadwick
> In the case of www.openbsd.org, using HTTPS isn't so much about
> privacy as it is about integrity. Yes, signify(1) is a thing, but
> using HTTPS in addition to it would make release and package
> downloads more difficult to tamper with.

Well packages usually come from mirrors which I know from before
signify most don't offer https.

All you would achieve now is to make it more likely that people
couldn't patch security holes in their systems due to mirrors going
down.

> Another attack currently possible against www.openbsd.org is changing
> the https://openbsdstore.com links to http://openbsdstore.com, and
> running sslstrip on that. Or the PayPal links...

So use HSTS, nope because now users don't bother checking as they
have a false sense of security and when they find a site that doesn't
use HSTS they miss the downgrade. Also users still need to check the
domain is correct so checking if the bar is bright green like with the
xombrero browser that does things properly mutes any point.

> (For the record, I highly approve of many https efforts, but think
> that https everywhere would be an utter disaster.)

Hear, hear

The cvs page fingerprint page could be https enabled, however you can
use Google's cache over https, also buy a CD to help the project greatly
would do far more for world security than TLS everywhere and even look
at mailing list archives over https as a web of trust.

ISPs snooping is a compelling reason but not enough for me to adopt
HSTS, a VPN makes more sense. I changed my ISP instead though ;).

-- 

KISSIS - Keep It Simple So It's Securable



Re: kerberos

2015-12-09 Thread Kapetanakis Giannis

On 09/12/15 15:13, Friedrich Locke wrote:

What is/are the alternative(ies) for kerberos on openbsd ? (Since it was
removed from the distribution).

Thanks.


Don't know if you can compile it, but the commit-remove msg is all time 
classic :)


http://marc.info/?l=openbsd-cvs=139816103911227=2

G



Re: kerberos

2015-12-09 Thread Jiri B
On Wed, Dec 09, 2015 at 11:13:40AM -0200, Friedrich Locke wrote:
> What is/are the alternative(ies) for kerberos on openbsd ? (Since it was
> removed from the distribution).

I use kerberos from ports every day with FF. Unfortunately
other apps from ports don't have krb flavor so you either
have to recompile it yourself or just live without krb support.

j.



Re: kerberos

2015-12-09 Thread Antoine Jacoutot
On Wed, Dec 09, 2015 at 11:13:40AM -0200, Friedrich Locke wrote:
> What is/are the alternative(ies) for kerberos on openbsd ? (Since it was
> removed from the distribution).

It depends on your exact needs, but there's:
ports/security/heimdal
ports/sysutils/login_krb5

-- 
Antoine



Re: Empty MFS on root

2015-12-09 Thread Ted Unangst
Alexander Hall wrote:
> 
> I've been thinking about having mount_mfs mounting the new mfs in some
> temporary place prior to /bin/pax the lot into it, and then unmount it
> and mount it into its final destination. I guess I just have not had
> any use for that yet. :-)

This would be beneficial for a number of reasons. The current race condition
isn't very nice.



Re: Empty MFS on root

2015-12-09 Thread Alexander Hall
On Wed, Dec 09, 2015 at 09:02:25AM +0100, Janne Johansson wrote:
> 2015-12-08 21:18 GMT+01:00 Alexander Hall :
> 
> > On December 8, 2015 4:21:16 PM GMT+01:00, Otto Moerbeek 
> > wrote:
> > >On Tue, Dec 08, 2015 at 03:03:14PM +, Tati Chevron wrote:
> > >
> > >> Currently, it's possible, (as root), to do something like:
> > >> # mount_mfs -s 1g swap /
> > >>
> > >> which succeeds, and mounts the empty filesystem as the root
> > >filesystem.
> > >> This makes the machine inoperable and requires a physical reset,
> > >without a clean shutdown, as no system binaries are available.
> > >>
> > >> Shouldn't we make mount_mfs error out in this case?
> > >Why? Unix does not prevent you from doing stupid things in general.
> > >Besides, a small variation (using -P) could be a proper and sane use
> > >of mount_mfs on /
> >
> > FWIW, I don't think so, as the mfs is populated after being mounted.
> >
> >
> >
> Yeah, mount_mfs will need /bin/pax, and if you give -P a block device, it will
> use /mnt in order to mount the wanted device on so pax can read the files out
> of it, so / and /mnt can't be mfs-mounted upon with -P.

I've been thinking about having mount_mfs mounting the new mfs in some
temporary place prior to /bin/pax the lot into it, and then unmount it
and mount it into its final destination. I guess I just have not had
any use for that yet. :-)

/Alexander

> 
> 
> -- 
> May the most significant bit of your life be positive.



Re: Octeon snapshots

2015-12-09 Thread Alexis de BRUYN

On 12/09/15 12:58, Paul Irofti wrote:

[1]: https://www.mail-archive.com/tech%40openbsd.org/msg26048.html


You have to use the octeon native objcopy by building the cross
compiler:

   # cd /usr/src
   # make -f Makefile.cross TARGET=octeon cross-gcc

And then use the objcopy from

   /usr/cross/octeon/usr/mips64-unknown-openbsd5.8/bin/objcopy



Thank you Paul. bsd.rd is now booting.

--
Alexis de BRUYN



kerberos

2015-12-09 Thread Friedrich Locke
I am a little outdated, but was heimdal removed from the bsd world or it
was just moved from the base system to the ports collection ?

Thanks.



authentication infra structure

2015-12-09 Thread Friedrich Locke
If you had about 10k users and 5k machine how would you manage
authenticating issues? Keep in mind that this is a very heterogenous
environment with ldap, ftp, smtp, pop3, traditional unix boxes etc 



Re: kerberos

2015-12-09 Thread Nigel Taylor
On 12/09/15 17:45, Friedrich Locke wrote:
> I am a little outdated, but was heimdal removed from the bsd world or it
> was just moved from the base system to the ports collection ?
> 
> Thanks.
> 
> 
Ports

/usr/ports/security/heimdal



Re: cyrus-sasl2

2015-12-09 Thread Kurt Mosiejczuk
On Wed, Dec 09, 2015 at 04:15:07PM -0200, Friedrich Locke wrote:
> Does security/cyrus-sasl2 include support for GSSAPI (I am in need of
> kerberos) ?

Not currently.  They removed that support when they kicked Heimdal out
of base.

One of my spare time projects is looking how to put that back in as a 
flavor for the port.

--Kurt



cyrus-sasl2

2015-12-09 Thread Friedrich Locke
Does security/cyrus-sasl2 include support for GSSAPI (I am in need of
kerberos) ?

Thanks in advance.



Re: cyrus-sasl2

2015-12-09 Thread Kurt Mosiejczuk
On Wed, Dec 09, 2015 at 10:31:01PM +0100, Antoine Jacoutot wrote:
> On Wed, Dec 09, 2015 at 01:32:31PM -0500, Kurt Mosiejczuk wrote:
> > On Wed, Dec 09, 2015 at 04:15:07PM -0200, Friedrich Locke wrote:
> > > Does security/cyrus-sasl2 include support for GSSAPI (I am in need of
> > > kerberos) ?

> > Not currently.  They removed that support when they kicked Heimdal out
> > of base.

> > One of my spare time projects is looking how to put that back in as a 
> > flavor for the port.

> I can take care of that.

That would be fantastic, thank you very much!

--Kurt



Disabling dedicated GPU on Macbook Pro

2015-12-09 Thread Joris Vanhecke
I have tried to get an OpenBSD desktop running on my MacBookPro10,1 (the
first Retina model).
But I only get VESA working on a terrible res while the machine is
running extremely hot.
This is the case for most (all?) MacBook's with 2 GPUs.

On linux (and osx recovery mode?) one can use this script to disable the
dedicated gpu and only use the integrated, intel gpu:
https://github.com/0xbb/gpu-switch

Could something like this help start the intel driver on OpenBSD?

Thanks!



Re: authentication infra structure

2015-12-09 Thread Devin Reade
--On Wednesday, December 09, 2015 05:25:14 PM -0200 Friedrich Locke
 wrote:

> If you had about 10k users and 5k machine how would you manage
> authenticating issues? Keep in mind that this is a very heterogenous
> environment with ldap, ftp, smtp, pop3, traditional unix boxes etc 

You've already got the key to that solution (LDAP).  Do you mean
things like provisioning and credential management?  I've not used it,
but you might want to look at FreeIPA.  Although it uses KDC at the
core, IIRC you can have LDAP-only clients authenticate to it.

Once you have the core, then you need to look at the service-specific
docs (your ftp server, MDA, etc) as to how to wire them into LDAP.

Of course, with that many machines I hope you're already using some
kind of automated provisioning for at least configuration (puppet,
cfengine, etc).

Devin



Re: cyrus-sasl2

2015-12-09 Thread Antoine Jacoutot
On Wed, Dec 09, 2015 at 01:32:31PM -0500, Kurt Mosiejczuk wrote:
> On Wed, Dec 09, 2015 at 04:15:07PM -0200, Friedrich Locke wrote:
> > Does security/cyrus-sasl2 include support for GSSAPI (I am in need of
> > kerberos) ?
> 
> Not currently.  They removed that support when they kicked Heimdal out
> of base.
> 
> One of my spare time projects is looking how to put that back in as a 
> flavor for the port.

I can take care of that.

-- 
Antoine



Re: authentication infra structure

2015-12-09 Thread Jiri B
On Wed, Dec 09, 2015 at 01:21:19PM -0700, Devin Reade wrote:
> --On Wednesday, December 09, 2015 05:25:14 PM -0200 Friedrich Locke
>  wrote:
> 
> > If you had about 10k users and 5k machine how would you manage
> > authenticating issues? Keep in mind that this is a very heterogenous
> > environment with ldap, ftp, smtp, pop3, traditional unix boxes etc 
> 
> You've already got the key to that solution (LDAP).  Do you mean
> things like provisioning and credential management?  I've not used it,
> but you might want to look at FreeIPA.  Although it uses KDC at the
> core, IIRC you can have LDAP-only clients authenticate to it.

IIUC FreeIPA does require sssd and pam, thus out of luck on
OpenBSD.

j.



Interaction seen between dhcp renewal and iked session forcing it to try to switch to NAT-T and die from then on.

2015-12-09 Thread Daniel Ouellet
Sorry for the long details here.

It may be relevant or related to some comment I have seen in regards to
DHCP client killing traffic in the last few days on tech@ I have seen
and that may be it might be useful.

If not just ignore as I am still digging why iked sessions are unstable
long term.

But what is sure and seen in the logs is that somehow a perfectly stable
iked session will somehow, after running well, try for no reason to switch
to NAT-T when at the same time I see DHCP renewal or request on the
originating side of the iked session.

The only thing I can think of is that somehow because of the timing of
the dhcp renewal, one side of the iked didn't receive a confirmation
back and then initiated a NAT-T instead, then it was received after the
DHCP renewal process was completed and then somehow the iked session
never recovers from it because it tries to do NAT from this point and
there isn't any NAT in the path.

Logs appear to show this is the common element I have seen a few times
so far and it appears to always be the common factor on an otherwise
perfectly stable and running iked session.

So, I think I may have found why my IKEDv2 doesn't stay up long term,
but I am not sure how to go around it yet.

Somehow the remote IKED node, even if programmed for passive mode, down the
road it will send a request for NAT-T to the originating side of the
session on a perfectly stable session.

I can't figure out why it would even do that, but I see it in the logs.

Then from that point on, the session will never recover at all until I
actually simply restart the session on the active side of the session.

Log from remote session. Look at the last two lines from the extract here.


Dec  9 14:28:24 tunnel iked[15183]: ikev2_recv: IKE_SA_INIT request from initiator 108.56.142.37:500 to 66.63.5.250:500 policy 'Ouellet' id 0, 534 bytes
Dec  9 14:28:24 tunnel iked[15183]: ikev2_msg_send: IKE_SA_INIT response from 66.63.5.250:500 to 108.56.142.37:500 msgid 0, 437 bytes
Dec  9 14:28:24 tunnel iked[15183]: ikev2_recv: IKE_AUTH request from initiator 108.56.142.37:500 to 66.63.5.250:500 policy 'Ouellet' id 1, 800 bytes
Dec  9 14:28:24 tunnel iked[15183]: ikev2_msg_send: IKE_AUTH response from 66.63.5.250:500 to 108.56.142.37:500 msgid 1, 768 bytes
Dec  9 14:28:24 tunnel iked[15183]: sa_state: VALID -> ESTABLISHED from 108.56.142.37:500 to 66.63.5.250:500 policy 'Ouellet'
Dec  9 15:21:05 tunnel iked[15183]: ikev2_recv: CREATE_CHILD_SA request from initiator 108.56.142.37:500 to 66.63.5.250:500 policy 'Ouellet' id 2, 288 bytes
Dec  9 15:21:05 tunnel iked[15183]: ikev2_msg_send: CREATE_CHILD_SA response from 66.63.5.250:500 to 108.56.142.37:500 msgid 2, 240 bytes
Dec  9 15:21:05 tunnel iked[15183]: ikev2_recv: INFORMATIONAL request from initiator 108.56.142.37:500 to 66.63.5.250:500 policy 'Ouellet' id 3, 80 bytes
Dec  9 15:21:05 tunnel iked[15183]: ikev2_pld_delete: deleted 1 spis
Dec  9 15:21:05 tunnel iked[15183]: ikev2_msg_send: INFORMATIONAL response from 66.63.5.250:500 to 108.56.142.37:500 msgid 3, 80 bytes
Dec  9 16:16:25 tunnel iked[15183]: ikev2_msg_send: INFORMATIONAL request from 66.63.5.250:500 to 108.56.142.37:500 msgid 0, 80 bytes
Dec  9 16:16:25 tunnel iked[15183]: ikev2_recv: INFORMATIONAL response from initiator 108.56.142.37:500 to 66.63.5.250:500 policy 'Ouellet' id 0, 80 bytes
Dec  9 16:20:25 tunnel iked[15183]: ikev2_msg_send: INFORMATIONAL request from 66.63.5.250:4500 to 108.56.142.37:4500 msgid 1, 80 bytes, NAT-T
Dec  9 16:20:25 tunnel iked[15183]: ikev2_recv: INFORMATIONAL response from initiator 108.56.142.37:4500 to 66.63.5.250:4500 policy 'Ouellet' id 1, 80 bytes
Dec  9 16:31:25 tunnel iked[15183]: ikev2_msg_send: INFORMATIONAL request from 66.63.5.250:4500 to 108.56.142.37:4500 msgid 2, 80 bytes, NAT-T


And then from that point on, it will ONLY try to use NAT-T and never go
back to the normal setup, not even try it as the original side somehow
sees it as good. And if you do ipsecctl -sa, you see that it appears to be
up. But from that point on, no matter what, traffic is not flowing
anymore and stops exactly from that point forward and never recovers until
done manually.

Now this may be a coincidence, but it appears to happen when there is a
DHCP renewal on the source side, even if that's NOT on the interface
where the session is on.

Looks like a message was received but maybe not replied to, then a
NAT-T message arrived after that point and then all went dead until
manually reset.

Strange thing is why a DHCP renewal on a different interface affects
traffic on another interface that also operates with DHCP, BUT is not in
the process of renewal at that point?

Is it possible that all interfaces that are configured with DHCP are
affected when one of them is in a renewal cycle?

I saw a few DHCP commits in the last few days and one comment from Bob@
regarding DHCP session dying etc.
This may not have anything to do with it, but I thought that maybe it
may have, or because of the events I see and the cvs
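
The pattern in the log excerpt above can be picked out mechanically. The following is an added example, not part of the original post and not iked's own code: a Python sketch that re-joins mail-wrapped syslog entries, tracks each peer's IKE port, and flags a peer whose traffic moves from port 500 to 4500 as well as requests that never receive a response. The sample lines are constructed from the excerpt in the message, and the function names are assumptions.

```python
import re
from collections import namedtuple

# Constructed sample: entries copied from the excerpt in the message above,
# wrapped the way a mail client wraps long syslog lines. Names are this example's own.
SAMPLE_LOG = """\
Dec  9 16:16:25 tunnel iked[15183]: ikev2_msg_send: INFORMATIONAL
request from 66.63.5.250:500 to 108.56.142.37:500 msgid 0, 80 bytes
Dec  9 16:16:25 tunnel iked[15183]: ikev2_recv: INFORMATIONAL response
from initiator 108.56.142.37:500 to 66.63.5.250:500 policy 'Ouellet' id
0, 80 bytes
Dec  9 16:20:25 tunnel iked[15183]: ikev2_msg_send: INFORMATIONAL
request from 66.63.5.250:4500 to 108.56.142.37:4500 msgid 1, 80 bytes, NAT-T
Dec  9 16:20:25 tunnel iked[15183]: ikev2_recv: INFORMATIONAL response
from initiator 108.56.142.37:4500 to 66.63.5.250:4500 policy 'Ouellet'
id 1, 80 bytes
Dec  9 16:31:25 tunnel iked[15183]: ikev2_msg_send: INFORMATIONAL
request from 66.63.5.250:4500 to 108.56.142.37:4500 msgid 2, 80 bytes, NAT-T
"""

STAMP = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2}\s\d\d:\d\d:\d\d\s")
ENTRY = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\siked\[\d+\]:\s"
    r"(?P<func>ikev2_msg_send|ikev2_recv):\s\w+\s(?P<kind>request|response)\s"
    r"from\s(?:initiator\s|responder\s)?(?P<src>[\d.]+):(?P<sport>\d+)\s"
    r"to\s(?P<dst>[\d.]+):(?P<dport>\d+)\s.*?\b(?:msgid|id)\s(?P<msgid>\d+),"
)
Finding = namedtuple("Finding", "kind ts peer detail")


def unwrap(lines):
    """Re-join wrapped entries: a line without a timestamp continues the previous one."""
    entry = None
    for line in lines:
        line = line.rstrip()
        if STAMP.match(line):
            if entry is not None:
                yield entry
            entry = line
        elif entry is not None and line:
            entry += " " + line
    if entry is not None:
        yield entry


def analyze(lines):
    """Flag peers that move from port 500 to 4500 and requests left without a response."""
    findings, last_port, pending = [], {}, {}
    for entry in unwrap(lines):
        m = ENTRY.match(entry)
        if not m:
            continue
        ts = " ".join(m["ts"].split())
        sent = m["func"] == "ikev2_msg_send"
        peer = m["dst"] if sent else m["src"]
        port = int(m["dport"] if sent else m["sport"])
        # The peer was last seen on the plain IKE port and is now on the NAT-T port.
        if last_port.get(peer) == 500 and port == 4500:
            findings.append(Finding("port-switch", ts, peer, "500 -> 4500"))
        last_port[peer] = port
        key = (peer, int(m["msgid"]))
        if sent and m["kind"] == "request":
            pending[key] = ts
        elif not sent and m["kind"] == "response":
            pending.pop(key, None)
    for (peer, msgid), ts in pending.items():
        findings.append(Finding("unanswered", ts, peer, "msgid %d" % msgid))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f.kind, f.ts, f.peer, f.detail)
```

An `unanswered` finding at the very end of an excerpt can simply mean the log was cut before the reply arrived, so read it together with the port switch.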

Re: Chelsio T4 10g adapters support ?

2015-12-09 Thread David Gwynne
> On 10 Dec 2015, at 12:28, Brendan Horan  wrote:
>
> Hi,
>
> I am looking at building a system running OpenBSD to deal with 10g
networks.
>
> It would seem there is good support for Intel cards via the "ix" driver.
> However I was looking at Chelsio cards.
> It seems the "che" driver only supports T3 series and the PE9000 cards.
>
> However the T3 series is PCIe 1.1,
> not exactly useful on a dual port 10gbe card.
> Thus I was looking at the T4 series cards.
>
> Would there be much needed to get one of them working on OpenBSD ?
> If the answer to that is "no clue",
> would the card make a good donation to someone at OpenBSD?
> FreeBSD has support for T4 cards if that helps.
>
> I am still unsure if I want this card or an Intel card at this point.
>
> Thanks for your time

you want an ix(4) for now.

there's a few 10g chips we dont have support for yet, but developer time is
more of a constraint than lack of hardware at the moment.

dlg



Chelsio T4 10g adapters support ?

2015-12-09 Thread Brendan Horan
Hi,

I am looking at building a system running OpenBSD to deal with 10g networks.

It would seem there is good support for Intel cards via the "ix" driver.
However I was looking at Chelsio cards.
It seems the "che" driver only supports T3 series and the PE9000 cards.

However the T3 series is PCIe 1.1, 
not exactly useful on a dual port 10gbe card.
Thus I was looking at the T4 series cards.

Would there be much needed to get one of them working on OpenBSD ?
If the answer to that is "no clue", 
would the card make a good donation to someone at OpenBSD?
FreeBSD has support for T4 cards if that helps.

I am still unsure if I want this card or an Intel card at this point.

Thanks for your time