Re: bgpd.conf rules changed?

2022-12-27 Thread Toni Mueller


Hi Claudio,

On Mon, Dec 19, 2022 at 01:10:15PM +0100, Claudio Jeker wrote:
> You update from a very old version of OpenBGPD.

true. Your tips worked a treat, though, and adjusting the config wasn't
too difficult.


Thanks a lot,
Toni



bgpd.conf rules changed?

2022-12-19 Thread Toni Mueller


Hi,

I am trying to upgrade an OpenBSD based BGP router from an old version
to 7.2. But on OpenBSD 7.2, the config file results in several errors,
despite the man page not indicating anything "obvious".

Eg. I get syntax errors on

  softreconfig in yes
  softreconfig out yes
  announce self
  announce all
  announce default-route


I also get errors on

  tcp md5sig password somesecrethere

if the secret contains special characters.


I have tried to comment the softreconfig lines, but can't do away with
the 'announce' statements.


Is there some overview about what changed over the course of time, and
possibly, some better error messages to help diagnose the errors?


Thanks a lot,
Toni
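
The upgrade problem in this post, as an added example that is not part of the thread or of OpenBGPD itself: a POSIX sh pre-flight check that scans an old bgpd.conf for the constructs the post says no longer parse on 7.2, namely `softreconfig`, the neighbor-level `announce self|all|default-route` policy keywords (newer OpenBGPD expresses that policy with `allow`/`deny` filter rules instead), and an unquoted `tcp md5sig password` containing special characters, which the parser only accepts inside double quotes. The sample config it scans is constructed here, not the poster's file; `announce none` is assumed to be the fourth value of the same removed option. The script only reports, it does not pick replacement filter rules for you.

```shell
#!/bin/sh
# Added example, not part of the thread: a pre-flight scan of an old bgpd.conf
# before it is moved to OpenBSD 7.2.  It only reports the constructs the post
# above says no longer parse; choosing the replacement filter rules is left to
# the operator.

# Print one finding per line ("line N: reason") for the bgpd.conf given in $1.
bgpd_conf_preflight() {
    conf=$1
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        stripped=${line%%#*}        # ignore trailing comments
        case "$stripped" in
        *softreconfig*)
            echo "line $lineno: 'softreconfig' is no longer accepted; delete the line"
            ;;
        *"announce self"*|*"announce all"*|*"announce none"*|*"announce default-route"*)
            echo "line $lineno: neighbor 'announce' policy keyword removed; express it as allow/deny filter rules"
            ;;
        esac
        case "$stripped" in
        *"md5sig password"*)
            # Everything after the keyword is the secret; trim surrounding blanks.
            secret=${stripped#*"md5sig password"}
            secret=$(printf '%s' "$secret" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
            case "$secret" in
            \"*\") ;;                                # already double-quoted
            *[!A-Za-z0-9_.-]*)
                echo "line $lineno: md5sig password has special characters; put it in double quotes"
                ;;
            esac
            ;;
        esac
    done < "$conf"
}

# Write a constructed pre-7.2 style config (not the poster's file) to $1.
bgpd_conf_sample() {
    cat > "$1" <<'EOF'
AS 65001
router-id 192.0.2.1
neighbor 192.0.2.2 {
    remote-as 65002
    softreconfig in yes
    softreconfig out yes
    announce self
    announce IPv4 unicast       # still valid: address family, not a policy
    tcp md5sig password s3cr$t!pa/ss
}
EOF
}

sample=$(mktemp)
bgpd_conf_sample "$sample"
bgpd_conf_preflight "$sample"
rm -f "$sample"
# Once the reported lines are fixed, let the 7.2 parser have the final say
# without starting the daemon:
#   bgpd -n -f /etc/bgpd.conf
```

On the sample it reports lines 5, 6, 7 and 9 and leaves the `announce IPv4 unicast` line alone, since that address-family form is still valid. The last word belongs to `bgpd -n -f`, which parses the file on the 7.2 host and exits.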



Re: carp + 5.1/5.2 woes [PARTIALLY SOLVED]

2013-01-03 Thread Toni Mueller
Hi,

thanks for the insight.

On Thu, Jan 03, 2013 at 01:37:38AM +0000, Stuart Henderson wrote:
> On 2013-01-02, Toni Mueller openbsd-m...@oeko.net wrote:
>> /bsd: in6_ifloop_request: ADD operation failed for 3ffe:3ffe::0001
>> (errno=17)
>
> 17 is EEXIST - see errno(2) for a list of these - there's probably
> a loopback route hanging around after destroying the interface,
> check in netstat -rnfinet6, you could try deleting it..

this happens exactly at the moment when the carp interface that has an
IPv4 address assigned to it goes into BACKUP state.

>> /bsd: nd6_na_input: duplicate IP6 address fe80:0008::0200:5eff:fe00:0102
> Yes, that happens ;)

Can I ignore these, and/or can I safely remove the link-local
addresses that seem to be lifted from the physical CARP device?

>> /bsd: arpresolve: 10.0.0.1: route without link local address
>
> I've seen this before, I think it was on a router with a (non-/32)
> address on both the parent interface and the carp interface, though
> I have a few routers doing exactly that which don't see it..
> (Normally it's recommended to use /32 on the carp interface, but
> that's not going to work if you are announcing it into ospf).

Ok. I do not use OSPF (only BGP), so I set all interfaces to

IP address/ netmask of the connected network (eg. 32 for
the IPv6 network).

> Someone tracked down another situation where this can happen,
> http://marc.info/?l=openbsd-misc&m=121455393316796&w=2

I therefore would expect the problem to show up for the IPv6-only
CARP interface (ie, carp2) after that went down and refused to
come up again, until the next reboot. But the error message specified
the IPv4 address for a carp interface that is actually there, up, and
*should* be working.

Is this a known problem, or is it just me, that CARP interfaces
come up only once?


Kind regards,
--Toni++



carp + 5.1/5.2 woes

2013-01-02 Thread Toni Mueller
Hi,

I have a setup with three machines, all i386, and all plugged into
one switch:

 A: 5.1 (IPv4: master)
 B: 5.0 (IPv4: backup)
 C: 5.2 (IPv4: master, IPv6: backup)

Each host has two IPv4 carp interfaces, all on one interface (carp0 and
carp1), and host C has an additional carp2 with only an IPv6 address (no
IPv4).

Now, A + B work nicely with two carp interfaces (IPv4), but A+C do not.

While the carp interface for IPv6 goes into MASTER mode, as expected, if
I change the advskew on A, the IPv4 interfaces don't go into MASTER
mode, but stay in BACKUP mode instead, no matter what:

Eg. from C:

# cat /etc/hostname.carp*

# carp0:
inet 10.0.0.1 255.255.248.0 10.0.7.255 vhid 1 advskew 100 pass pass1 carpdev em0

# carp1:
inet 10.1.1.1 255.255.255.0 10.1.1.255 vhid 2 advskew 100 pass pass2 carpdev em0

# carp2:
inet6 3ffe:3ffe::1 32 vhid 3 advskew 100 pass pass3 carpdev em0


With this setup, carp1 will stay in BACKUP mode when I say ifconfig
carp1 advskew 120 on A, while on B, it would go into MASTER
immediately.


I also have trouble taking carp2 down and up again, like in ifconfig
carp2 down; ifconfig carp2 up. The result is that carp2 no longer
responds to any packets sent to 3ffe:3ffe::1. Sending to the IPv6 address
bound to em0 continues to work like a charm, though. Saying ifconfig
carp2 destroy; sh /etc/netstart carp2 - which I thought would re-create
the carp2 pseudo-device from scratch - also does not work, but elicits
the following error message from the kernel:

/bsd: in6_ifloop_request: ADD operation failed for 3ffe:3ffe::0001 (errno=17)


There are error messages related to duplicate IPv6 addresses, mentioning
the link-local auto-generated IPv6 address, which is the same for all
carp interfaces, eg:

/bsd: nd6_na_input: duplicate IP6 address fe80:0008::0200:5eff:fe00:0102

Touring the logs, I also find related error messages that I could not
yet make sense of:

/bsd: arpresolve: 10.0.0.1: route without link local address

The mentioned address is being advertised by A as the master, and
intended to be switched around by the CARP mechanism (works with A+B).

On C, I have pf disabled. On all three systems, I have bgpd enabled. On
A, I have pf enabled with these rules:

# pfctl -s r

block drop in quick on egress proto tcp from sshguard to any ...
pass quick on em0 proto carp all keep state (no-sync)
pass quick on em1 proto carp all keep state (no-sync)


When I reboot the machine, the states of the CARP interface(s) are being
set correctly, but I don't know how to change them thereafter, as
described above.

The desired target state is to have A + C as a pair of CARP'ed routers
for both IPv4 and IPv6.


What am I doing wrong?


TIA!



Kind regards,
--Toni++



Re: carp + 5.1/5.2 woes

2013-01-02 Thread Toni Mueller
Hi,

On Wed, Jan 02, 2013 at 04:53:02PM +0100, Patrick Lamaiziere wrote:
> Le Wed, 2 Jan 2013 13:39:25 +0100, Toni Mueller openbsd-m...@oeko.net a
> écrit :
>> With this setup, carp1 will stay in BACKUP mode when I say ifconfig
>> carp1 advskew 120 on A, while on B, it would go into MASTER
>> immediately.
>
> Hmm, did you check the value of the carp demote counter?
>
> # ifconfig -g carp

I just checked. The result is the same on all three machines:

# ifconfig -g carp
carp: carp demote count 0


Kind regards,
--Toni++



Re: carp + 5.1/5.2 woes

2013-01-02 Thread Toni Mueller
Hi,

On Wed, Jan 02, 2013 at 05:47:23PM +0000, Stuart Henderson wrote:
> On 2013-01-02, Toni Mueller openbsd-m...@oeko.net wrote:
>>  A: 5.1 (IPv4: master)
>>  B: 5.0 (IPv4: backup)
>>  C: 5.2 (IPv4: master, IPv6: backup)
>
> Is this 5.0 release or is it something close to 5.0?

the (working!) 5.0 machine runs

# uname -m -r -s -v
OpenBSD 5.0 GENERIC#43 i386


The other machines were installed/upgraded from the official CDs.



Kind regards,
--Toni++



Re: carp + 5.1/5.2 woes [PARTIALLY SOLVED]

2013-01-02 Thread Toni Mueller
Hi,


I have just discovered that I made a configuration error that had
resulted in the undesired, but correct, carp behaviour for IPv4. Ie,
OpenBSD operates as desired for this case.

That leaves these questions open:

On Wed, Jan 02, 2013 at 01:39:25PM +0100, Toni Mueller wrote:
> I also have trouble taking carp2 down and up again, like in ifconfig
> carp2 down; ifconfig carp2 up. The result is that carp2 no longer
> responds to any packets sent to 3ffe:3ffe::1. Sending to the IPv6 address
> bound to em0 continues to work like a charm, though. Saying ifconfig
> carp2 destroy; sh /etc/netstart carp2 - which I thought would re-create
> the carp2 pseudo-device from scratch - also does not work, but elicits
> the following error message from the kernel:
>
> /bsd: in6_ifloop_request: ADD operation failed for 3ffe:3ffe::0001 (errno=17)
>
>
> There are error messages related to duplicate IPv6 addresses, mentioning
> the link-local auto-generated IPv6 address, which is the same for all
> carp interfaces, eg:
>
> /bsd: nd6_na_input: duplicate IP6 address fe80:0008::0200:5eff:fe00:0102
>
> Touring the logs, I also find related error messages that I could not
> yet make sense of:
>
> /bsd: arpresolve: 10.0.0.1: route without link local address

I would still be glad to find that I simply configured junk, instead of
running into real bugs...


Kind regards,
--Toni++



ISAKMPD question: ID-type ASN1_...?

2012-01-04 Thread Toni Mueller
Hi,

I've run into an interoperability problem with an Astaro, which does not
like our certificate. The certificate basically looks like

...
  Subject: C=DE, L=..., CN=IP-number
...
  Subject Alternative Name: IPv4 Address: IP-number
...


Now the Astaro is said to require an ID type of ASN1-DN, when used in
conjunction with X.509 certificates, but it also appears that OpenBSD
can't send that to the remote side. Or am I wrong?

TIA!


Kind regards,
--Toni++



Re: ISAKMPD question: certificates shipped?

2011-12-21 Thread Toni Mueller
Hi Stu,

On Sun, Dec 04, 2011 at 11:24:24AM +0000, Stuart Henderson wrote:
> I don't see any code changes that would result in a different presentation
> order of certificates between 4.8 and 5.0..
>
> tcpdump traces of the negotiation from 4.8 and 5.0 might be useful, as might
> logs from the 3rd party and maybe isakmpd, though I'll be the first to admit
> isakmpd logging is pretty impenetrable; I find setting this on the command
> line gives a fairly good balance of information:

thank you for your statement.

Currently, the problem looks as follows:

If isakmpd is configured to use

[X509-Certificates]
Private-key-directory=  /etc/isakmpd/private


the documentation suggests that it will select one out of a set of keys
to use, depending on the actual configuration of the connections.

This does not seem to work with road warrior connections (=
Passive-Connections). In that case, the road warrior seems to get no
certificate, then decides that it's unsafe to connect to the gateway.
The desired behaviour is to ship the certificate which is appropriate
for this connection (it's configured as the local-id for those
connections, so...).

Specifying Private-key = somefile.key fixes this problem, but removes
the option to use several keys, which is bad.

There's another unresolved issue in this area, which I don't yet have
enough data to fathom.


Kind regards,
--Toni++



ISAKMPD question: certificates shipped?

2011-11-30 Thread Toni Mueller
Hi,

I'm running into a problem with OpenBSD 5.0 and isakmpd. A config that
works on 4.8, doesn't work on 5.0: the client is denied access,
allegedly due to OpenBSD shipping the wrong (X.509) certificate, or
certificates in the wrong order. The (3rd party) claim is that it might
ship the CA certificate, followed by the server certificate.

It would be very nice if someone could shed some light to this.

TIA!


Kind regards,
--Toni++



Re: query bug reports?

2011-10-14 Thread Toni Mueller
Hi,

On Thu, Oct 13, 2011 at 09:40:42AM +0200, Toni Mueller wrote:
> My vote would go for Redmine (use together with thin), which has a

if the project wants to use/try it, I can offer my help with this one.

Please contact me off-list.


Kind regards,
--Toni++



query bug reports?

2011-10-13 Thread Toni Mueller
Hi,

today I wanted to research open bug reports for OpenBSD, using this link
in lieu of anything linked from the homepage:

http://www.openbsd.org/query-pr.html

But when I submit the form, I only get an error message that the CGI was
not found.

Where should I be looking instead, please?


Kind regards,
--Toni++



4.9/amd64: kernel crash with temperhum

2011-10-13 Thread Toni Mueller
Hi,

today I experienced a kernel crash on a machine with the temperhum
device. The crash message indicates that the driver uthum was
responsible, but since the machine is physically inaccessible to me, I
only have a screenshot. Is it still worth reporting, scribbling from a
handset screenshot, despite not having the 'ps' and 'trace' outputs?


Kind regards,
--Toni++



Re: query bug reports?

2011-10-13 Thread Toni Mueller
Hi Daniel,

On Thu, Oct 13, 2011 at 09:10:22AM +0200, LEVAI Daniel wrote:
> On Thu, Oct 13, 2011 at 09:01:51 +0200, Toni Mueller wrote:
>> today I wanted to research open bug reports for OpenBSD, using this link
>> in lieu of anything linked from the homepage:
> http://marc.info/?l=openbsd-misc&m=131109305204483&w=2

thank you very much!

Ok... what's a bug tracker that doesn't suck, then?

I'm not aware of anything that looks like usable specs. After reading
the thread, I would like to chime in, though:

Roundup: Semi-dead, and, imho, very limited and cumbersome functionality
and extendability. I'm a user of it myself.

My vote would go for Redmine (use together with thin), which has a
vastly superior architecture, a lively community, and a plethora of
plugins (esp. a working plugin architecture). I use that, too.



Kind regards,
--Toni++



ipsec: failure after upgrade

2011-09-28 Thread Toni Mueller
Hi,

I have

  lan1 -- gw1 --- internet --- gw2 -- lan2


The setup has been working for years. Now I upgraded one side to 4.9,
while the other - so far - is still at 4.6 (I know... :( ).

After that, no connection gets established anymore:


1.2.3.4: OpenBSD 4.6
4.3.2.1: OpenBSD 4.9


13:18:25.029033 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: 767f6d9ce0fa3890-0000000000000000 msgid: 00000000 len: 184
payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
payload: TRANSFORM len: 36
transform: 0 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = AES_CBC
attribute HASH_ALGORITHM = SHA
attribute AUTHENTICATION_METHOD = RSA_SIG
attribute GROUP_DESCRIPTION = MODP_1024
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 3600
attribute KEY_LENGTH = 128
payload: VENDOR len: 20 (supports OpenBSD-4.0)
payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
payload: VENDOR len: 20 (supports DPD v1.0) (ttl 63, id 42430, len 212)
13:18:25.035893 4.3.2.1.isakmp > 1.2.3.4.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: 767f6d9ce0fa3890-7779887f9d620aeb msgid: 00000000 len: 184
payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 44 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
payload: TRANSFORM len: 36
transform: 0 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = AES_CBC
attribute HASH_ALGORITHM = SHA
attribute AUTHENTICATION_METHOD = RSA_SIG
attribute GROUP_DESCRIPTION = MODP_1024
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 3600
attribute KEY_LENGTH = 128
payload: VENDOR len: 20 (supports OpenBSD-4.0)
payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
payload: VENDOR len: 20 (supports DPD v1.0) (ttl 64, id 42377, len 212)
13:15:45.230823 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: 8d07fcf0a2492be7-915168361b6b77c1 msgid: 00000000 len: 228
payload: KEY_EXCH len: 132
payload: NONCE len: 20
payload: NAT-D len: 24
payload: NAT-D len: 24 (ttl 63, id 43396, len 256)
13:15:45.246177 4.3.2.1.isakmp > 1.2.3.4.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: 8d07fcf0a2492be7-915168361b6b77c1 msgid: 00000000 len: 228
payload: KEY_EXCH len: 132
payload: NONCE len: 20
payload: NAT-D len: 24
payload: NAT-D len: 24 (ttl 64, id 4863, len 256)
13:15:45.457272 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted
cookie: 8d07fcf0a2492be7-915168361b6b77c1 msgid: 00000000 len: 1292 (ttl 63, id 44981, len 1320)
13:15:52.479525 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted
cookie: 8d07fcf0a2492be7-915168361b6b77c1 msgid: 00000000 len: 1292 (ttl 63, id 43438, len 1320)
13:16:01.501279 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted
cookie: 8d07fcf0a2492be7-915168361b6b77c1 msgid: 00000000 len: 1292 (ttl 63, id 54363, len 1320)
13:16:12.516937 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted
cookie: 8d07fcf0a2492be7-915168361b6b77c1 msgid: 00000000 len: 1292 (ttl 63, id 19766, len 1320)
13:16:25.537550 1.2.3.4.isakmp > 4.3.2.1.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT encrypted
cookie: 8d07fcf0a2492be7-915168361b6b77c1 msgid: 00000000 len: 1292 (ttl 63, id 36623, len 1320)



As you can see, there is no SHA2 problem present (see 47.html).

Switching the phase2 hash to ripemd didn't help.


Any ideas about what to do?


The reason for not yet upgrading everything is that road warriors (NCP)
are stopped dead in much the same way as shown above, when running
against 4.9 (but not if they work against lower versions of OpenBSD,
including 4.8). If I could verify that they'll work, I'd upgrade rather
sooner than later.



Kind regards,
--Toni++



Re: ipsec: failure after upgrade [SOLVED]

2011-09-28 Thread Toni Mueller
Hi,

I solved the site-site part of it. It turned out to be a typo somewhere.

  :(

But the mobile issue is still open.



Kind regards,
--Toni++



Re: Custom bsd.rd contents

2011-03-09 Thread Toni Mueller
Hi,

On Sun, 27.02.2011 at 18:52:28 -0500, Adam Van Ymeren adam.v...@gmail.com 
wrote:
> I'm trying to modify the contents of the ram disk in a bsd.rd kernel.
> Is there any documentation on this process?  Or can anyone point me in
> a good direction to start looking?

you might find this example interesting:

http://nbender.com/install.netboot/install.html


Kind regards,
--Toni++



CARP and routing

2010-11-25 Thread Toni Mueller
Hi,

I discover that CARP and routing don't always mix well:

  Internet --- host1   host2

If host1 and host2 have a CARP interface with the same IP, then packets
destined for that IP don't ever reach host2, even if the interface on
host1 is in BACKUP state.



Kind regards,
--Toni++



Re: CARP and routing

2010-11-25 Thread Toni Mueller
On Thu, 25.11.2010 at 13:15:06 +, Michal mic...@sharescope.co.uk wrote:
> On 25/11/10 12:22, Toni Mueller wrote:
>> I discover that CARP and routing don't always mix well:
>>
>>   Internet --- host1   host2
> Wait, do you mean;
>
>
>  Host1
> Internet --- |
>  Host 2

No, I mean Internet --- host1 --- host2.

I'm just digging the code to find the place where the kernel decides
that a given IP is his, and would appreciate pointers.


Kind regards,
--Toni++



Re: CARP and routing

2010-11-25 Thread Toni Mueller
On Thu, 25.11.2010 at 14:29:39 +, Michal mic...@sharescope.co.uk wrote:
> Because your setup should rather look like this?
>
>  Internet --- switch --- host1 --- switch --- LAN
> + --- host2 +
> This is what I was trying to get at...the way you draw your diagram,
> I can't understand what you're trying to do with carp if you have
>
>  internet -- host1 -- host2

I have a low-resources application running on host2 which I'd like to
be available at all times, but would prefer to not have it on host1 in
general.


I also have

 Internet --- switch --- host1 --- switch --- LAN
   + --- host3 +

but this is not very relevant in this context. Ok, a better picture
would be


Internet --- switch --- host1 --- switch --- host2
  + --- host3 +



Kind regards,
--Toni++



Re: Unattended OpenBSD Installation

2010-11-24 Thread Toni Mueller
Hi Nick,

On Sun, 14.11.2010 at 11:31:52 -0700, Nick Bender nben...@gmail.com wrote:
> I am currently working on the next version which is much better - it meets
> all your requirements. I'm calling it redux and I'm including the readme
> below.

this is great news! Any chance to get this into the mainline, someday?

 What's left to do is additional testing, documentation, and updating for any
 changes in 4.8 (it is working now against 4.7).

I have a use case, so if you want me to test something... ;)


Kind regards,
--Toni++



[OT] Re: relayd port to linux

2010-11-24 Thread Toni Mueller
On Fri, 05.11.2010 at 16:54:00 +0100, Aleksandar Lazic al-open...@none.at 
wrote:
> due to the fact that openssh and some other parts of openbsd are ported
> to linux maybe you can tell me if you plan to make a openrelayd which is
> able to compile on linux.
>
> I'm willing to try it by myself, maybe you can help me to miss the
> most common pitfalls ;-).

Look at HA-Proxy.



Re: Linux or OpenBSD

2010-11-24 Thread Toni Mueller
On Wed, 24.11.2010 at 21:30:05 +0100, ropers rop...@gmail.com wrote:
> On 23 November 2010 13:52, Toni Mueller openbsd-m...@oeko.net wrote:
>> I usually have a use case that can be satisfied
>> with one XOR the other system
>
> So, not with both?
> You have weird use cases.

I don't think so. See eg. these simple examples:


I prefer Linux if I need

1. Web hosting supporting eg. the de_DE.utf8 locale: Impossible with
   OpenBSD, no-brainer with Linux (This may have changed in 4.8, didn't
   have time to look into this, yet).

2. ISDN support - OpenBSD has none (for me, a requirement for eg. a
   PBX) :/


I prefer OpenBSD if I need

3. Firewall/VPNs... I find that OpenBSD really shines in this area,
   compared to Linux, and appears to be much more secure, too.

4. Routers... :)


You are welcome to comment on ways to replace Linux with OpenBSD or
vice versa in these use cases.



Kind regards,
--Toni++



Re: Linux or OpenBSD

2010-11-23 Thread Toni Mueller
Hi,

On Sun, 24.10.2010 at 08:20:35 +0530, Siju George sgeorge...@gmail.com wrote:
> On Sat, Oct 23, 2010 at 7:18 PM, Toni Mueller openbsd-m...@oeko.net wrote:
>> Also, Linux is better supported by hardware vendors, and/or much less
>> picky about hardware than OpenBSD is.
> Not always is it ?

of course, my statement reflects only my experience. Which is about
what you read.

> I have had to switch from Linux to OpenBSD twice just because of
> hardware support.

For me, it's just the other way round.

But leaving that aside, I usually have a use case that can be satisfied
with one XOR the other system, and so I try to adapt the hardware to
the requirements wherever possible.

-- 
Kind regards,
--Toni++



Re: Linux or OpenBSD

2010-11-23 Thread Toni Mueller
Hi,

On Sat, 23.10.2010 at 10:36:54 -0500, Marco Peereboom sl...@peereboom.us 
wrote:
> On Oct 23, 2010, at 8:48, Toni Mueller openbsd-m...@oeko.net wrote:
>> Also, Linux is better supported by hardware vendors, and/or much less
>> picky about hardware than OpenBSD is.
> If you consider the garbage these vendors call drivers then sure.
>
> The only debate really comes down to smp and flash.

nope. I regularly see hardware which is supposed to be good, and which
gives no problems under Linux, which causes a lot of problems under
OpenBSD. I'm just about to throw away a bunch of recent machines that
worked fine with older OpenBSDs, but horribly crash with later
releases, up to the point that they even refuse to boot.


-- 
Kind regards,
--Toni++



Re: em(4) detailed errors

2010-11-23 Thread Toni Mueller
Hi,

On Thu, 18.11.2010 at 16:38:55 +0100, Manuel Guesdon 
ml+openbsd.m...@oxymium.net wrote:
> Is there a way to get detailed em(4) device errors without having to
> recompile kernel with EM_DEBUG ?
> I try to find in-errors reason(s) but netstat only gives errors as a sum of
> dropped_pkts + stats.rxerrc + stats.crcerrs + sc->stats.algnerrc +... as far
> as I can see :-(

I'm having a similar problem. On one 4x em(4) machine, I get a lot of
input errors and, much more serious, intermittent packet loss, but only
on one interface out of two with similar traffic levels (~1-4kpps per
direction).

After reading the latest em(4) threads, I also found this very strange
thing, which must have been automatically configured:

# ifconfig em3
em3: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:30:48:94:0b:21
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex,master)
                                                          ^
        status: active


I'm unsure about how to remove this feature from this (physical)
interface, and the machine uses none of carp, pfsync or sasync.
The hardware for this interface is

em3 at pci5 dev 0 function 0 Intel PRO/1000MT (82573L) rev 0x00: apic 2 int 
17 (irq 11), address 00:30:48:94:0b:21

as detected by OpenBSD 4.8-stable (i386).

The ability to selectively enable or disable debugging for individual
devices at runtime would be a great feature, from a sysadmin's
perspective.


-- 
Kind regards,
--Toni++



Re: em(4) detailed errors

2010-11-23 Thread Toni Mueller
Hi,

On Tue, 23.11.2010 at 11:07:40 -0500, Ted Unangst ted.unan...@gmail.com wrote:
> On Tue, Nov 23, 2010 at 10:02 AM, Otto Moerbeek o...@drijf.net wrote:
>> On Tue, Nov 23, 2010 at 03:16:57PM +0100, Toni Mueller wrote:
>>> # ifconfig em3
>>> em3: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
>>>         lladdr 00:30:48:94:0b:21
>>>         priority: 0
>>>         media: Ethernet autoselect (1000baseT full-duplex,master)
>>>                                                           ^
>>>         status: active
>>
>> I would rather investigate why the PROMISC and ALLMULTI flags are set
>> on this interface.
>
> trunked?

thanks for your input. No, the interface is configured in a very
straightforward way without any bells and whistles. It has four IPv4
addresses, plus one auto-generated IPv6 address (link layer local).
I don't use bridging and didn't enable multicast in /etc/sysctl.conf,
either.

There are also no processes specifically using this interface (ie, no
tcpdump or similar). This is the whole process list:


$ ps ax
  PID TT  STAT   TIME COMMAND
1 ??  Is  0:00.01 /sbin/init
 2399 ??  Is  0:00.00 ntpd: [priv] (ntpd)
19341 ??  I   0:00.09 ntpd: ntp engine (ntpd)
12690 ??  I   0:00.01 ntpd: dns engine (ntpd)
11247 ??  Is  0:00.02 /usr/sbin/sshd -u0
 2024 ??  Is  0:00.31 cron
32158 ??  Ss  0:01.19 sendmail: accepting connections (sendmail)
24559 ??  Ss  0:17.55 bgpd: parent (bgpd)
12368 ??  S   0:15.77 bgpd: session engine (bgpd)
18994 ??  S   1:05.98 bgpd: route decision engine (bgpd)
 8611 ??  Ss  0:02.39 ifstated -v
11105 ??  S   0:05.28 syslogd -n -a /var/www/dev/log -a /var/empty/dev/log
27237 ??  Is  0:00.03 syslogd: [priv] (syslogd)
27968 ??  S   0:00.51 pflogd: [running] -s 256 -i pflog0 -f /var/log/pflog 
(pflogd)
13936 ??  Is  0:00.05 pflogd: [priv] (pflogd)
31560 ??  Ss  0:00.39 sshd: u...@ttyp0 (sshd)
29917 ??  Ss  0:00.44 sshd: u...@ttyp1 (sshd)
29148 p0  Ss+ 0:00.03 bash
16540 p1  Ss  0:00.04 bash
28953 p1  R+/10:00.00 ps -ax
17757 C0- S   0:00.53 runsvdir -P /var/service log: 
...
 9629 C0  Is+ 0:00.00 /usr/libexec/getty std.9600 ttyC0
  397 C1  Is+ 0:00.00 /usr/libexec/getty std.9600 ttyC1
25085 C2  Is+ 0:00.00 /usr/libexec/getty std.9600 ttyC2
32349 C3  Is+ 0:00.00 /usr/libexec/getty std.9600 ttyC3
12522 C5  Is+ 0:00.00 /usr/libexec/getty std.9600 ttyC5
$


None of these suggests to me that ALLMULTI or PROMISC should be on,
and ifconfig's man page doesn't suggest that I can easily turn
them off.

If you have any suggestions about how to debug this, I'm all ears.


TIA!



Kind regards,
--Toni++



Re: Linux or OpenBSD

2010-11-23 Thread Toni Mueller
Hi,

On Tue, 23.11.2010 at 17:45:16 +0100, Alexander Schrijver 
alexander.schrij...@gmail.com wrote:
> Why don't you run linux on them? You aren't being very environmentally aware
> are you?

I don't understand what you mean with this remark.

The application that I use these machines for requires OpenBSD, so
there is very little point in running Linux on them.

Also, "throw out" doesn't mean that I put these machines into the
dustbin, it only means that I have to remove them from this task.


Kind regards,
--Toni++



Re: Linux or OpenBSD

2010-11-23 Thread Toni Mueller
Hi,

On Tue, 23.11.2010 at 10:55:30 -0500, and...@msu.edu and...@msu.edu wrote:
> Toni, have you published a list of the hardware thats been causing you
> problems?

sorry, no I didn't think of it, yet. But I have posted to this list
about some of them, most prominently the small PCs with C7 chips.

> My experience has been different.  Sure, newer hardware can have things
> like an ethernet chip that isn't yet supported, but that gets fixed over time
> in the vast majority of cases.  Overall though, i386 stuff just works for me.

I'm usually aware of things that are work in progress, and don't
complain. But my experience has been just rather mixed.

> Apologies if you've already done this.  Knowing what things out there
> that don't (yet) work would benefit everyone, I think.

Agreed. The machines which I remember right now have been EOL'ed a few
months ago. My dealer also only found out when I asked for a BIOS
upgrade (go figure). A dmesg is included below. What's really scary for
me is that one particular machine works, while the next refuses to
boot, and the next after that crashes somewhere along the way. They're
all supposed to be the same and have been purchased in one batch, too,
but in fact they are very individual items (except for the machine
below, this one came separately). And then, one works with OpenBSD 4.4,
the next also works with OpenBSD 4.5, but crashes on OpenBSD 4.6, and
so on. That's really hellish for me (but I blame the HW manufacturer)!
Linux, also recent Linux, works fine on all of these, as far as I've
tested them.

My impression is that Linux generally copes better with this kind of
stuff, just because of much wider exposure and much bigger manpower,
but that's nothing to blame OpenBSD for.


Kind regards,
--Toni++


OpenBSD 4.7 (GENERIC) #1: Sun May 30 16:44:59 CEST 2010
r...@w3.oeko.net:/usr/S/src.47/sys/arch/i386/compile/GENERIC
cpu0: VIA Eden Processor 1200MHz (CentaurHauls 686-class) 1.20 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,CMOV,PAT,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,TM,SBF,SSE3,EST,TM2,xTPR
real mem  = 1005940736 (959MB)
avail mem = 965959680 (921MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 10/15/08, BIOS32 rev. 0 @ 0xf0010, SMBIOS 
rev. 2.5 @ 0xfc0c0 (47 entries)
bios0: vendor American Megatrends Inc. version 080014 date 10/15/2008
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP APIC MCFG OEMB HPET SSDT
acpi0: wakeup devices PS2K(S3) PS2M(S3) USB1(S3) USB2(S3) USB3(S3) LAN1(S4) 
PCI1(S4) PCI2(S4) PCI3(S4) SLPB(S4) PWRB(S3)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: RNG AES AES-CTR SHA1 SHA256 RSA
cpu0: apic clock running at 99MHz
ioapic0 at mainbus0: apid 1 pa 0xfec00000, version 3, 24 pins
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (P0P1)
acpiprt2 at acpi0: bus 2 (P0P2)
acpicpu0 at acpi0: PSS
acpibtn0 at acpi0: SLPB
acpibtn1 at acpi0: PWRB
bios0: ROM list: 0xc0000/0xe600 0xce800/0x1000 0xcf800/0x1000 0xd0800/0x1000 
0xe7000/0x800!
cpu0: Enhanced SpeedStep 1198 MHz: speeds: 1200, 400 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 VIA CX700 Host rev 0x10
viaagp0 at pchb0: v3
agp0 at viaagp0: aperture at 0xf000, size 0x1000
pchb1 at pci0 dev 0 function 1 VIA CX700 Host rev 0x00
pchb2 at pci0 dev 0 function 2 VIA CX700 Host rev 0x00
pchb3 at pci0 dev 0 function 3 VIA CX700 Host rev 0x00
pchb4 at pci0 dev 0 function 4 VIA CX700 Host rev 0x00
pchb5 at pci0 dev 0 function 7 VIA CX700 Host rev 0x00
ppb0 at pci0 dev 1 function 0 VIA VT8377 AGP rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 VIA S3 UniChrome Pro II IGP rev 0x03
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
rl0 at pci0 dev 8 function 0 Realtek 8139 rev 0x10: apic 1 int 16 (irq 10), 
address 44:4d:50:03:0e:d6
rlphy0 at rl0 phy 0: RTL internal PHY
rl1 at pci0 dev 11 function 0 Realtek 8139 rev 0x10: apic 1 int 19 (irq 11), 
address 44:4d:50:32:08:19
rlphy1 at rl1 phy 0: RTL internal PHY
pciide0 at pci0 dev 15 function 0 VIA CX700 IDE rev 0x00: ATA133, channel 0 
configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 disabled (no drives)
wd0 at pciide0 channel 1 drive 0: WDC WD800BEVE-00A0HT0
wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
wd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 5
uhci0 at pci0 dev 16 function 0 VIA VT83C572 USB rev 0x90: apic 1 int 20 (irq 
10)
ehci0 at pci0 dev 16 function 4 VIA VT6202 USB rev 0x90: apic 1 int 23 (irq 
11)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 VIA EHCI root hub rev 2.00/1.00 addr 1
viapm0 at pci0 dev 17 function 0 VIA CX700 ISA rev 0x00
iic0 at viapm0
pchb6 at pci0 dev 17 function 7 VIA VX700 Host rev 0x00
ppb1 at pci0 dev 19 function 0 VIA CX700 Host rev 0x00
pci2 at ppb1 bus 2
azalia0 at pci2 dev 1 function 0 VIA HD Audio rev 0x10: 

Re: Linux or OpenBSD

2010-11-23 Thread Toni Mueller
Hi,

On Tue, 23.11.2010 at 14:09:48 -0500, daniel holtzman 
d...@redmountainfarm.net wrote:
 Perhaps one or more developers would be curious about the crashes? Why not
 donate the machines instead of throw them out?

ok. I'm not the owner, only the janitor, for these machines. Unless I
figure out a way to put them back to life, in which case the owner may
decide to keep them, I'll try to ship the surplus to interested
developers (please talk to me offline if you're interested).


Kind regards,
--Toni++




Re: Can't reach www.openbsd.org

2010-11-02 Thread Toni Mueller
Hi,

On Tue, 02.11.2010 at 13:40:44 +0100, Guillaume Dualé g.du...@otasc.org 
wrote:
 try it : http://openbsd.org

it's (probably) not the same, and (worse!) it doesn't help with all the
configurations that contain www.openbsd.org.


Kind regards,
--Toni++



Re: Linux or OpenBSD

2010-10-23 Thread Toni Mueller
On Wed, 22.09.2010 at 15:47:02 -0400, Brad Tilley b...@16systems.com wrote:
 Either will work fine so long as you purchase good NICs and avoid
 cutting-edge (untested) hardware. The only things Linux does noticeably
 better is:
   
   * Dealing with SMP
   * Dealing with lots and lots of RAM
   * Dealing with huge file-systems

Also, Linux is better supported by hardware vendors, and/or much less
picky about hardware than OpenBSD is.


If you are indifferent between the hackishness of iptables and the
elegance of pf, then go with Linux because of the better hardware, and
keep your fingers crossed that none of the security problems hit you
(you're going to build a firewall, after all, right?).


Kind regards,
--Toni++



Re: which monitoring do you use (on OpenBSD)

2010-10-14 Thread Toni Mueller
Hi,

On Sat, 14.08.2010 at 23:49:49 -0700, Bryan Irvine sparcta...@gmail.com wrote:
 understand.  Also, the OP wanted something that he can run on OpenBSD
 and Zenoss runs on Linux.

hmmm from my perspective, Zenoss looks like an ordinary Zope
application, and should therefore run on OpenBSD as well.


Kind regards,
--Toni++



Re: iked(8) and ikectl(8)

2010-10-14 Thread Toni Mueller
Hi,

On Thu, 03.06.2010 at 23:06:58 +0200, Reyk Floeter r...@openbsd.org wrote:
 IPsec.  In difference to isakmpd(8), which supports the ISAKMP/Oakley
 a.k.a. IKEv1 protocol, iked(8) only supports the IKEv2 protocol at
 present.  The IKEv2 protocol in RFC 4306 has been simplified and
 provides many benefits over ISAKMP/IKEv1.

this means...

(1) that only either iked OR isakmpd can run on one box?
(2) on one IP, but share the same box?

(3) or that iked has a dispatch mechanism to forward IKEv1 connections
to a bystanding isakmpd, and cooperate with it to allow for using both
types of connections on one IP?


My guess is that it's (1), but my preference would be (3), of course.


-- 
Kind regards,
--Toni++



Re: Activating ip6.forwarding and accept_rtadv at the same time

2010-09-06 Thread Toni Mueller
Hi,

On Mon, 06.09.2010 at 11:18:57 +1000, Olivier Mehani sht...@ssji.net wrote:
 On Sun, Sep 05, 2010 at 03:49:43PM -0400, Simon Comeau Martel wrote:
   You received a /64 for your router interface ?  Or are you in a /64
   subnet with other customers ?  The setup sounds weird to me.  To what
   address is your ISP forwarding that /56 ?
  Yeah, it's a bit strange. But it's their IPv6 beta; very few customers are
  in it right now. I guess they won't give so much address space in the long
  run.
 
 Well, supposedly, end-users should receive /48s from their ISPs [0].

the rules seem to have changed in the meantime, at least in Europe:

http://www.ripe.net/ripe/docs/ipv6-policy.html#assignment_size


Kind regards,
--Toni++



Re: OBSD 4.7 and Via C7 motherboards problem

2010-08-16 Thread Toni Mueller
Hi,

thanks for the answer!

On Sat, 14.08.2010 at 09:45:30 +, Stuart Henderson s...@spacehopper.org 
wrote:
 If they are indeed different bios versions (you can probably tell
 from the dmesg lines that you do see, as the BIOS version is printed
 quite early), and you can get something that can run flashrom booted
 on them, you can extract bios from a working one and flash it to a
 non-working one... (double-check they are the same motherboard though).

I have no way to check for the same motherboard, except by disassembling
the device and trusting any printed information that might or might not
be there. But it's worth a try. My supplier is already looking into
this issue of possible BIOS upgrades.

 On 2010-08-13, Toni Mueller openbsd-m...@oeko.net wrote:
  Having said that, what is the current common wisdom for reliable small
  CPE boxes that are reliable enough to be safely upgraded remotely, and
  will be safe to upgrade for several upcoming releases?
 
 Alix? X7SLA? Depends totally what you're looking for...

I'm looking for a low-power box that can handle up to some 15-20 MBit/s
of IPSEC traffic with ease, has two or more nics, and not much else.
I'd prefer to have 1 gig of RAM, though.

Low power means that I really want to stay below 30 watts, but
preferably come close to 10 watts. The current machines with C7, 1 gig
of RAM and notebook drive suck some 22 watts.


Kind regards,
--Toni++



Re: which monitoring do you use (on OpenBSD)

2010-08-14 Thread Toni Mueller
On Fri, 13.08.2010 at 14:36:21 +0100, Kevin Chadwick ma1l1i...@yahoo.co.uk 
wrote:
 What do people think of monit.

Ok, I'll chime in: What do people think of Zenoss and splunk?

I'm so far leaning towards trying Zenoss, but it surely has a high
barrier-of-entry, and I'm only interested in splunk for comparison.


Kind regards,
--Toni++



Re: OBSD 4.7 and Via C7 motherboards problem

2010-08-13 Thread Toni Mueller
Hi Stuart,

thanks for the idea.

On Thu, 12.08.2010 at 12:09:02 +, Stuart Henderson s...@spacehopper.org 
wrote:
 Guessing based on very little information, but they probably have
 different BIOSes.

Unfortunately, as I just hear, the manufacturer dropped support for
these machines. My supplier also only learnt it when he asked the
manufacturer for a new BIOS version.

Having said that, what is the current common wisdom for reliable small
CPE boxes that are reliable enough to be safely upgraded remotely, and
will be safe to upgrade for several upcoming releases?


Kind regards,
--Toni++



Re: OBSD 4.7 and Via C7 motherboards problem

2010-08-12 Thread Toni Mueller
Hi,

On Sun, 01.08.2010 at 13:49:07 -0700, Peter Merritt pwmerr...@weirdwater.org 
wrote:
 I have a firewall that has been running several versions of OpenBSD
 successfully, the last being 4.6. After installing 4.7, I could not get
 the firewall to pass any traffic from the lan side.

I'm experiencing a very similar problem. My machines have trouble
running 4.7. No matter what I tried, I arrive at

memory address conflict 0xfb 0x100 or similar - it
scrolls by too fast before the screen goes blank, and I can only make
the machine responsive again by hitting the power button.

The miracle is: On some machines, there is absolutely no problem, but
on others, everything breaks. The machines themselves should be all of
exactly the same make, although different batches of it. On the
machines where the problem occurs, it even occurs with the bsd.rd
kernel. :/

Below you find a dmesg of one of the working machines (naturally, since
I couldn't get one out of the broken ones).


Kind regards,
--Toni++


OpenBSD 4.7 (GENERIC) #1: Sun May 30 16:44:59 CEST 2010
r...@w3.oeko.net:/usr/S/src.47/sys/arch/i386/compile/GENERIC
cpu0: VIA Eden Processor 1200MHz (CentaurHauls 686-class) 1.20 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,CMOV,PAT,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,TM,SBF,SSE3,EST,TM2,xTPR
real mem  = 1005940736 (959MB)
avail mem = 965959680 (921MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 10/15/08, BIOS32 rev. 0 @ 0xf0010, SMBIOS 
rev. 2.5 @ 0xfc0c0 (47 entries)
bios0: vendor American Megatrends Inc. version 080014 date 10/15/2008
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP APIC MCFG OEMB HPET SSDT
acpi0: wakeup devices PS2K(S3) PS2M(S3) USB1(S3) USB2(S3) USB3(S3) LAN1(S4) 
PCI1(S4) PCI2(S4) PCI3(S4) SLPB(S4) PWRB(S3)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: RNG AES AES-CTR SHA1 SHA256 RSA
cpu0: apic clock running at 99MHz
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 3, 24 pins
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (P0P1)
acpiprt2 at acpi0: bus 2 (P0P2)
acpicpu0 at acpi0: PSS
acpibtn0 at acpi0: SLPB
acpibtn1 at acpi0: PWRB
bios0: ROM list: 0xc/0xe600 0xce800/0x1000 0xcf800/0x1000 0xd0800/0x1000 
0xe7000/0x800!
cpu0: Enhanced SpeedStep 1198 MHz: speeds: 1200, 400 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 VIA CX700 Host rev 0x10
viaagp0 at pchb0: v3
agp0 at viaagp0: aperture at 0xf000, size 0x1000
pchb1 at pci0 dev 0 function 1 VIA CX700 Host rev 0x00
pchb2 at pci0 dev 0 function 2 VIA CX700 Host rev 0x00
pchb3 at pci0 dev 0 function 3 VIA CX700 Host rev 0x00
pchb4 at pci0 dev 0 function 4 VIA CX700 Host rev 0x00
pchb5 at pci0 dev 0 function 7 VIA CX700 Host rev 0x00
ppb0 at pci0 dev 1 function 0 VIA VT8377 AGP rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 VIA S3 UniChrome Pro II IGP rev 0x03
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
rl0 at pci0 dev 8 function 0 Realtek 8139 rev 0x10: apic 1 int 16 (irq 10), 
address 44:4d:50:03:0e:d6
rlphy0 at rl0 phy 0: RTL internal PHY
rl1 at pci0 dev 11 function 0 Realtek 8139 rev 0x10: apic 1 int 19 (irq 11), 
address 44:4d:50:32:08:19
rlphy1 at rl1 phy 0: RTL internal PHY
pciide0 at pci0 dev 15 function 0 VIA CX700 IDE rev 0x00: ATA133, channel 0 
configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 disabled (no drives)
wd0 at pciide0 channel 1 drive 0: WDC WD800BEVE-00A0HT0
wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
wd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 5
uhci0 at pci0 dev 16 function 0 VIA VT83C572 USB rev 0x90: apic 1 int 20 (irq 
10)
ehci0 at pci0 dev 16 function 4 VIA VT6202 USB rev 0x90: apic 1 int 23 (irq 
11)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 VIA EHCI root hub rev 2.00/1.00 addr 1
viapm0 at pci0 dev 17 function 0 VIA CX700 ISA rev 0x00
iic0 at viapm0
pchb6 at pci0 dev 17 function 7 VIA VX700 Host rev 0x00
ppb1 at pci0 dev 19 function 0 VIA CX700 Host rev 0x00
pci2 at ppb1 bus 2
azalia0 at pci2 dev 1 function 0 VIA HD Audio rev 0x10: apic 1 int 17 (irq 5)
azalia0: codecs: VIA/0x1708
audio0 at azalia0
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 VIA UHCI root hub rev 1.00/1.00 addr 1
isa0 at mainbus0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
wbsio0 at isa0 port 0x4e/2: W83697HF rev 0x12
wbsio0 port 0xa60/2 not configured
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
mtrr: Pentium Pro MTRR support
vscsi0 at root
scsibus0 at vscsi0: 256 targets
softraid0 at root
root on wd0a swap on wd0b dump on wd0b



4.7: my error, or system error?

2010-07-20 Thread Toni Mueller
Hi,

I've recompiled my system(s) several times in order to follow -stable,
but (now?) see this problem:

# savecore -v /var/crash/   
dumpoff = 4838922240 (9451020 * 512)
savecore: /bsd: kvm_dump_mkheader: invalid magic in cpu_hdr
savecore: no core dump


# savecore -v /var/crash/ 
dumpoff = 16386560 (32005 * 512)
savecore: /bsd: kvm_dump_mkheader: invalid magic in cpu_hdr
savecore: no core dump


I see it on both i386 and amd64 systems.

Since this appears to be very close to bug #1461, which was declared
fixed years ago, I'm wondering whether I did something stupid while
compiling the system(s), or if the bug has re-appeared.

I'd also like to know whether the OpenBSD developers prefer to have
such vague messages in Gnats, or whether they prefer them here on the
list.


TIA!



Kind regards,
--Toni++



Re: OpenBSD 4.7 as VPN Gateway for Road Warriors, Preferred Configuration

2010-05-31 Thread Toni Mueller
Hi,

On Sun, 23.05.2010 at 11:41:27 +0200, Martin Pelikán 
martin.peli...@gmail.com wrote:
 It really depends on what you need - most road warriors are okay with
 transport mode (where obviously DHCP doesn't make any sense). If

I'd say that transport mode is a design error in IPSEC and should be
avoided at all costs. It also complicates network setup quite a bit,
imho.


Kind regards,
--Toni++



4.7/pf: table changes ignored until reloading the rule set?

2010-05-31 Thread Toni Mueller
Hi,

I have a problem with tables in pf in that I can add addresses and/or
network blocks to tables and don't get them recognized until I reload
the filter rules. Example:


# pfctl  -T a  -t extra-oekonet-dst 172.16.19.0/24
1/1 addresses added.
# pfctl  -T s  -t extra-oekonet-dst
   172.16.19.0/24
   ...
# /sbin/pfctl  -s s |grep 172.16.19
# /usr/sbin/tcpdump -ni pflog0
tcpdump: listening on pflog0, link-type PFLOG
18:51:10.097656 192.168.1.6  172.16.19.129: icmp: echo request (DF)
18:51:11.097422 192.168.1.6  172.16.19.129: icmp: echo request (DF)
18:51:12.097379 192.168.1.6  172.16.19.129: icmp: echo request (DF)
^C
45 packets received by filter
0 packets dropped by kernel
# /sbin/pfctl -f pf.conf
pfctl: warning: namespace collisions with 44 global tables.
# 


After the last command, traffic starts to move between 192.168.1.6 and
172.16.19.129.

I thought that pf should pick up changes in the tables at once and
not require reloading the rule set. The machine where I took this
example from, runs 4.7-stable/i386, but I saw this problem on 4.6
hosts, too.


Any ideas about what might cause this problem?



Kind regards,
--Toni++



Re: nested vlans: safe to use?

2010-05-12 Thread Toni Mueller
Hi,

On Wed, 12.05.2010 at 01:09:55 +, Stuart Henderson s...@spacehopper.org 
wrote:
 First talk to your wan provider, they might either be able to allocate
 you a couple of vlans that they'll carry for you, or do QinQ (i.e. you
 feed the provider plain vlans, and they appear directly at the other
 side).

I would very much prefer to abstain from reshuffling vlans in the
remote data centre. If possible, I'll try to arrange for
non-overlapping vlan ids, which would solve the immediate problem, but
could allow for unauthorized use of vlans (eg. what if someone
reconfigures their vlan stuff, and suddenly their packets enter the
wrong vlan?). I need to prevent this scenario. Using QinQ directly
would be much better.

The carrier said that they will transport all packets up to 64k per
frame fully transparently, w/o any alteration. I need to re-hash the
frametype issue, though.

 In-tree, there is the option of 'ifconfig vlanXXX vlandev vlanYYY which
 might get you somewhere. This uses the same ethertype on inner and
 outer vlans and doesn't interoperate with other vendors vlan stacking,
 but you might be able to do something with it (or maybe you'll just
 confuse your providers switches).

So I can't change the frame types on a per-vlan basis, eg. to match
their respective switches' expectations... hmmm.

 There's also a diff at 
 http://www.mail-archive.com/misc@openbsd.org/msg65694.html
 that switches ethertype so you can interoperate with other vendors QinQ (it
 will need updating for -current).

Thanks for pointing this out! I'll have a close look.

 But usually you just feed plain vlans to the wan provider and they handle
 translation or stacking..

?!?

 I also need to do traffic shaping on
  a per-vlan basis.
 
 This does seem to work but I'm under the impression that queueing
 should be done on the physical interface (vlandev).

I don't know how useful this really is. I need to limit and/or reserve
bandwidth of individual vlans on the (one) wan pipe.



Kind regards,
--Toni++
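
The tag-stacking detail Stuart raises above (same ethertype on inner and outer tag versus 0x88a8 on the provider's S-TAG) and the VLAN isolation worry in the reply can both be made concrete with a small parser. This is an added example, not code from the thread or from OpenBSD; the frames are constructed inline, and `check_stack` and its finding codes are hypothetical names chosen here.

```python
import struct

# Tag protocol identifiers (TPIDs) discussed in the thread: plain 802.1Q tags
# use 0x8100 on every level, while standards-based QinQ (802.1ad) marks the
# provider's outer S-TAG with 0x88a8 and keeps 0x8100 for the customer C-TAG.
TPID_8021Q = 0x8100
TPID_8021AD = 0x88A8
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst_mac, src_mac, tags, payload_type, payload):
    """Assemble a constructed Ethernet frame with a stack of VLAN tags.

    tags is a list of (tpid, vid) pairs, outermost tag first.
    """
    frame = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    for tpid, vid in tags:
        # TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits); only the VID is set.
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)
    return frame + struct.pack("!H", payload_type) + payload


def parse_vlan_stack(frame):
    """Walk the tag stack and return (tags, ethertype, payload_offset).

    tags is a list of (tpid, vid) pairs, outermost first. Parsing stops at
    the first ethertype that is not a known TPID.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    tags = []
    off = 12  # skip destination and source MAC
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated tag stack")
        tpid = struct.unpack_from("!H", frame, off)[0]
        if tpid not in (TPID_8021Q, TPID_8021AD):
            return tags, tpid, off + 2
        if off + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append((tpid, tci & 0x0FFF))
        off += 4


def check_stack(frame, allowed_outer_vids=None):
    """Return a list of finding codes (hypothetical names) for a frame.

    "outer-tpid-8100": a stacked frame whose outer tag carries 0x8100; a
        provider expecting 802.1ad S-TAGs will not treat it as a service
        tag (the interop problem described in the thread).
    "inner-tpid-88a8": an inner tag carries 0x88a8 instead of 0x8100.
    "outer-vid-not-allowed": the outer VID is not one assigned to this
        customer, so forwarding the frame would put it into someone
        else's VLAN (the isolation concern in the reply).
    """
    tags, _, _ = parse_vlan_stack(frame)
    findings = []
    if len(tags) >= 2:
        if tags[0][0] == TPID_8021Q:
            findings.append("outer-tpid-8100")
        if any(tpid == TPID_8021AD for tpid, _ in tags[1:]):
            findings.append("inner-tpid-88a8")
    if allowed_outer_vids is not None and tags:
        if tags[0][1] not in allowed_outer_vids:
            findings.append("outer-vid-not-allowed")
    return findings
```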



Re: nested vlans: safe to use?

2010-05-12 Thread Toni Mueller
Hi,

On Wed, 12.05.2010 at 14:23:18 +0200, Pete Vickers p...@systemnet.no wrote:
 http://www.openbsd.org/papers/asiabsdcon2010_vether/index.html
 
 especially page 6/7...

thanks, but... I may have mis-stated the problem.

I have no bandwidth or fragmentation problem, but rather a
configuration problem in a Metro-LAN-like setting.

Oh... and I forgot to add CARP into the mix - I want to automatically
fail over the whole stack of vlans to a second router of mine when one
interface fails.


Kind regards,
--Toni++



Re: nested vlans: safe to use?

2010-05-12 Thread Toni Mueller
On Wed, 12.05.2010 at 19:48:47 +0100, Stuart Henderson s...@spacehopper.org 
wrote:
   But usually you just feed plain vlans to the wan provider and they handle
   translation or stacking..
  
  ?!?
 
 If they're doing nested vlans (tag stacking), usually you feed them
 frames, they add their own tag to get the frames across their network,
 and decapsulate when they handover to you.

Erm, this sounds backwards to me. I am the guy who needs to stack some
- possibly already stacked - vlans at the remote end, in the data
centre, and then feed this into the pipe (easy), and decapsulate
multiple times at home, and encapsulate everything at home before
sending it out through the wan pipe again, to be decapsulated in the
data centre and distributed to various other people there.


-- 
Kind regards,
--Toni++



nested vlans: safe to use?

2010-05-11 Thread Toni Mueller
Hi,

I've been trying to figure out whether I can use OpenBSD in a nested
vlan scenario. I'm looking at a data centre where I want to get two
wires, each carrying several vlans, and funneling them home across a
WAN link. Various switch vendors claim to be able to do it, but I
couldn't really figure out what the current state of affairs wrt.
OpenBSD is. On the other side of the wires or fibres, I'll be talking
to Junipers, Ciscos (6509), and/or Foundy switches and/or routers on
the other side(s).

The desired setup looks like this:

  data centre LAN --- switch --- WAN --- home (OpenBSD)

I want to run at least three vlans across the WAN link, and need to
keep the vlans strictly separated. I also need to do traffic shaping on
a per-vlan basis. :/


TIA!



Kind regards,
--Toni++



Re: OT - UML, can someone state that it works ?

2010-05-05 Thread Toni Mueller
On Wed, 05.05.2010 at 14:31:32 -0500, Walter Goulet wgou...@gmail.com wrote:
 I think the UML the OP is referring to is Unified Modeling Language
 and Rational Unified Process.

I think this solves it:

 On Wed, May 5, 2010 at 2:25 PM, Lars Nooden lars.cura...@gmail.com wrote:
  :P

 ;)


Kind regards,
--Toni++



Re: OT - UML, can someone state that it works ?

2010-05-05 Thread Toni Mueller
Hi,

I'm not an OpenBSD developer, but would like to chime in anyway:

On Wed, 05.05.2010 at 16:08:47 -0300, Christiano F. Haesbaert 
haesba...@haesbaert.org wrote:
 I'm really sick of hearing about UML/RUP and all this bullshit about
 software engineering in my university.

Many of those things are not really bullshit, but they aim at
vastly different environments and goals than most free software does.

 My feeling is that someone wrote it, never implemented it, and for
 some stupid reason, the industry/academia bought it.

For RUP, the people who wrote it, had a company running for some years
before being bought out by IBM, where they now produce subsequent
versions of their software, and hone their theories. I'm too lazy to
pull out facts to make similar statements about UML, but these tools
imho address different prob

 So as I regard the openbsd folks as highly skilled developers,

No doubt about that, but

 Is my impression completely wrong ?
 
 Do any of you believe in it ?

what kind of confidence do you want for, say, your pacemaker? Or for
a satellite system? Or a worldwide money transfer system? Or your car's
ABS brake? Want to trust millions or billions of dollars and/or human
lives, including your own, to the genius of a handful of people?  And
if so, how do you want to scale? Or how do you want to pass
governmental requirements before being allowed to let the software run?
Would people like OpenBSD developers probably are, be equally
successful in such regulated environments, even if they wanted to be in
there in the first place?


Kind regards,
--Toni++



Re: addendum: 4.7 causes different problem Re: spurious need to frag messages

2010-05-03 Thread Toni Mueller
Hi,

On Wed, 17.03.2010 at 17:48:21 +0100, Toni Mueller openbsd-m...@oeko.net 
wrote:
 On Mon, 15.03.2010 at 19:10:12 +0100, Toni Mueller openbsd-m...@oeko.net 
 wrote:
  # pfctl -s a |grep mss
  # ifconfig|grep mtu|grep -v 1500
  lo0: flags=8049UP,LOOPBACK,RUNNING,MULTICAST mtu 33152
  enc0: flags=41UP,RUNNING mtu 1536
  pflog0: flags=141UP,RUNNING,PROMISC mtu 33152
  #
  
  And that's it...
 
  Sample message from tcpdump:
  
  19:03:59.805030 1.2.3.4  5.6.7.8: icmp: 1.2.3.20 unreachable - need to 
  frag (mtu 1420) for 5.6.7.8.80  1.2.3.20.59495: 2079874237 [|tcp] (DF) 
  (ttl 243, id 22121, len 1500) (ttl 255, id 23060, len 56)
 
 
 I've rebooted the machine, and the problem went away. I don't know for
 how long, though.

after doing this now for some time, I go out on a limb and say that
this is a memory management problem somewhere in the realm of 'pf', as
the problem apparently correlates to the amount of traffic pushed.

If someone is willing to help me debug this, please contact me
off-list. Thank you!


-- 
Kind regards,
--Toni++



-current i386 (#501): massive performance drop from #448

2010-04-11 Thread Toni Mueller
Hi,

going from #448 (March 16th) to #501 (April 8th), I noticed a sharp
drop in performance. The problem manifests itself in the machine
frequently becoming very sluggish wrt. network performance. In numbers,
this means that the packet loss rate jumps to more than a felt 90% for
more than a minute. I didn't find anything in the logs.  The machine
ran mostly fine using #448 for about two weeks immediately before,
using the exact same configuration.

The machine is supposed to move around 10-20 megabits per second across
four interfaces, plus handle some 10-20 lightly loaded VPN tunnels, and
usually has a CPU utilization roughly between 10 and 50%, maybe 35% on
average.

For amd64, I have much better experience with #148 from March 30th,
although the much more powerful hardware may simply be hiding the
problem.

I have no good console access to this machine (it's remote), and
playing is not well supported, either.

Below you find the dmesg for the problematic machine, but with the ok
kernel.


-- 
Kind regards,
--Toni++


OpenBSD 4.7 (GENERIC.MP) #448: Wed Mar 10 12:15:21 MST 2010
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
cpu0: Intel(R) Pentium(R) 4 CPU 1.80GHz (GenuineIntel 686-class) 1.80 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM
real mem  = 268005376 (255MB)
avail mem = 250957824 (239MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 04/02/02, BIOS32 rev. 0 @ 0xfb330, SMBIOS 
rev. 2.3 @ 0xf0800 (37 entries)
bios0: vendor Award Software International, Inc. version 6.00 PG date 
04/02/2002
bios0: Supermicro P4SBR/P4SBE
acpi at bios0 function 0x0 not configured
pcibios0 at bios0: rev 2.1 @ 0xf/0xdf84
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfde90/240 (13 entries)
pcibios0: PCI Exclusive IRQs: 5 9 10 11
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82371SB ISA rev 0x00)
pcibios0: PCI bus #3 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x5600 0xce000/0x1000 0xcf000/0x1000
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 82845 Host rev 0x04
intelagp0 at pchb0
agp0 at intelagp0: aperture at 0xe400, size 0x40
ppb0 at pci0 dev 1 function 0 Intel 82845 AGP rev 0x04
pci1 at ppb0 bus 1
ppb1 at pci0 dev 30 function 0 Intel 82801BA Hub-to-PCI rev 0x05
pci2 at ppb1 bus 2
ppb2 at pci2 dev 1 function 0 Intel S21152BB PCI-PCI rev 0x00
pci3 at ppb2 bus 3
ste0 at pci3 dev 4 function 0 D-Link Systems 550TX rev 0x15: irq 11, address 
00:0d:88:53:23:3c
ukphy0 at ste0 phy 1: Generic IEEE 802.3u media interface, rev. 0: OUI 
0x0090c3, model 0x0004
ste1 at pci3 dev 5 function 0 D-Link Systems 550TX rev 0x15: irq 11, address 
00:0d:88:53:23:3d
ukphy1 at ste1 phy 1: Generic IEEE 802.3u media interface, rev. 0: OUI 
0x0090c3, model 0x0004
ste2 at pci3 dev 6 function 0 D-Link Systems 550TX rev 0x15: irq 10, address 
00:0d:88:53:23:3e
ukphy2 at ste2 phy 1: Generic IEEE 802.3u media interface, rev. 0: OUI 
0x0090c3, model 0x0004
ste3 at pci3 dev 7 function 0 D-Link Systems 550TX rev 0x15: irq 11, address 
00:0d:88:53:23:3f
ukphy3 at ste3 phy 1: Generic IEEE 802.3u media interface, rev. 0: OUI 
0x0090c3, model 0x0004
ahc0 at pci2 dev 5 function 0 Adaptec AIC-7899 U160 rev 0x01: irq 10
scsibus0 at ahc0: 16 targets, initiator 7
sd0 at scsibus0 targ 0 lun 0: FUJITSU, MAN3184MC, 0109 SCSI3 0/direct fixed
sd0: 17522MB, 512 bytes/sec, 35885448 sec total
ahc1 at pci2 dev 5 function 1 Adaptec AIC-7899 U160 rev 0x01: irq 11
scsibus1 at ahc1: 16 targets, initiator 7
fxp0 at pci2 dev 6 function 0 Intel 8255x rev 0x08, i82559: irq 9, address 
00:30:48:51:58:54
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
fxp1 at pci2 dev 7 function 0 Intel 8255x rev 0x08, i82559: irq 5, address 
00:30:48:51:58:55
inphy1 at fxp1 phy 1: i82555 10/100 PHY, rev. 4
vga1 at pci2 dev 8 function 0 ATI Rage XL rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ichpcib0 at pci0 dev 31 function 0 Intel 82801BA LPC rev 0x05: 24-bit timer 
at 3579545Hz
pciide0 at pci0 dev 31 function 1 Intel 82801BA IDE rev 0x05: DMA, channel 0 
wired to compatibility, channel 1 wired to compatibility
pciide0: channel 0 disabled (no drives)
atapiscsi0 at pciide0 channel 1 drive 0
scsibus2 at atapiscsi0: 2 targets
cd0 at scsibus2 targ 0 lun 0: MATSHITA, CD-ROM CR-177, 7T0D ATAPI 5/cdrom 
removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 31 function 2 Intel 82801BA USB rev 0x05: irq 10
ichiic0 at pci0 dev 31 function 3 Intel 82801BA SMBus rev 0x05: irq 11
iic0 at ichiic0
spdmem0 at iic0 addr 0x50: 256MB SDRAM non-parity PC133CL2
uhci1 at pci0 dev 31 function 4 Intel 82801BA USB rev 0x05: irq 11
isa0 at ichpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at 

Re: Howto Create a Auto-Extract Package with Shell Script tar ?

2010-04-10 Thread Toni Mueller
Hello,

On Sat, 10.04.2010 at 09:17:53 +0800, Aaron Lewis aaron.lewis1...@gmail.com 
wrote:
   Firstly i need to compress my fonts to a Font_Name.tar.bz2 , if i want
 to put the extract script and Font_Name.tar.bz2 together  , a single
 bundle , howto archive it ?
 
   Right now , i tried to append the Archive to the script file , Then try
 to read through the `setup file' except for the first 5 lines.

maybe you can use or tweak 'shar' to do what you want.

$ man shar


Kind regards,
--Toni++



Re: -current (#448): starts dropping packets after a while

2010-04-08 Thread Toni Mueller
Hi,

this should have gone into the thread 'spurious need to frag
messages'. Sorry for opening a new thread.

On Wed, 31.03.2010 at 13:36:48 +0200, Toni Mueller openbsd-m...@oeko.net 
wrote:
 recently, a problem with OpenBSD has popped up over here that manifests
 itself in random connection failures after some time. Network
 diagram:
 
  workstation (1) --- (3b) firewall (3a) --- Internet --- www.example.com (2)
 
 You surf from your workstation to www.example.com. On the firewall, you
 can see packets flowing, on the exterior interface.
 
  (1) - (2)
  (2) - (1)
  (1) - (2)
  (2) - (1)
  (1) - (2)
  (2) - (1)
  (1) - (2)
  (2) - (1)
  (1) - (2)
  (2) - (1)
  (1) - (2)
  (2) - (1)
  (1) - (2)
  (2) - (1)
  (1) - (2)
 
 and so on. Everything works just fine. Now, with nothing changed except
 for the firewall being up some days (currently: 13 days), and having
 pushed some traffic already, connections start to fail:
 
 On (3a), you see almost the same packet sequence like shown above,
 shortened for brevity:
 
  (1) - (2)
  (2) - (1)
  (1) - (2)
  (2) - (1)
  (1) - (2)
  (2) - (1)
  (1) - (2)
  (2) - (1)
  (1) - (2)
  (2) - (1)
  (1) - (2)
  (2) - (1)- point where the connection fails
  (2) - (1)
  (2) - (1)
  (2) - (1)
  (2) - (1)
 
 but on (3b), you see:
 
  (1) - (2)
  (2) - (1)
  (1) - (2)
  (2) - (1)
  (1) - (2)
  (2) - (1)
  (1) - (2)
  (2) - (1)
  (1) - (2)
  (2) - (1)
  (1) - (2)
 
 and then nothing more, like if the web server on the other side had
 stopped sending packets. I can't see the packets on pflog0, either, and
 using slightly different networking to bypass the firewall,
 everything works still fine, but fixing the problem involves powering
 down the firewall.  Simply rebooting it w/o powering it down, does not
 fix the problem.

investigating further, the firewall starts to send ICMP packets on (3a)
to the other sides (2), claiming that

1.2.3.4  92.122.217.187: icmp: 1.2.3.24 unreachable - need to frag (mtu 1420)

Which is wrong. I've verified that the complete path supports an MTU of
1500 bytes. FWIW, the machines 1.2.3.4 and 1.2.3.24 are connected via a
100MBit/s Ethernet (machine - switch - machine,  10 m of cabling).
I've also verified the pf configuration, and there's nothing in there
that lowers the MTU:

# grep -v '^#' pf* |grep -F 1420
pf.os:4096:64:0:44:M1420:   NewtonOS:2.1::NewtonOS 2.1
#

 This problem first occurred for us with 4.6-stable on both i386 and
 amd64, and now also occurred on -current with kernel 448 on i386. I'm
 underway trying to get yet-more-recent stuff installed to see whether
 the problem is fixed.

Experimenting with several variations of OpenBSD, like 4.6-stable and
some snapshots yields that with ever more recent versions of -current,
the problem seems to deteriorate, going down from almost two weeks with
kernel #448 on i386 to less than one week with kernel #148 on amd64,
with about no change in configuration except adding a few more packet
filter rules, currently around 500-600 after replacing many macros with
tables. The machine has moved some 300-400 mio packets since booting
about six days ago.

I'm probably going to try yesterday's snapshot, too.

Since I also swapped in a brand new, bigger machine to do the job, I am
confident that there is no hardware problem involved. The remaining
idea from my side is to suspect some kind of kernel memory corruption.

Unfortunately, I can so far only detect the problem on the outside of
the network by observing the packets emitted by the machine(s) in
question, but I failed to find a way to diagnose the problem from
within the machine(s) itself (except for using tcpdump, which is a bit
besides the point).


-- 
Kind regards,
--Toni++
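
The "need to frag (mtu 1420)" messages described in this post and in the 2010-05-03 post can be checked on the wire with a small parser. This is an added example, not code from the thread or from OpenBSD: the sample message is constructed from the values in the quoted tcpdump line, and `is_spurious` is a hypothetical check that compares the advertised next-hop MTU against a path MTU the operator is assumed to have verified independently.

```python
import struct

ICMP_DEST_UNREACH = 3   # ICMP type: destination unreachable
ICMP_FRAG_NEEDED = 4    # code: fragmentation needed and DF set (RFC 792)


def inet_checksum(data):
    """Standard one's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frag_needed(next_hop_mtu, original_ip_hdr_plus_8):
    """Construct a 'need to frag' ICMP message (RFC 1191 layout).

    type(1) code(1) checksum(2) unused(2) next-hop MTU(2), followed by the
    IP header and first 8 payload bytes of the packet that was dropped.
    """
    hdr = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
                      0, 0, next_hop_mtu)
    body = hdr + original_ip_hdr_plus_8
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_frag_needed(msg):
    """Return (next_hop_mtu, inner_src, inner_dst, inner_len, df_set) or None.

    None means the bytes are not a well-formed frag-needed message: too
    short, bad checksum, wrong type/code, or a truncated inner IP header.
    """
    if len(msg) < 8 + 20 or inet_checksum(msg) != 0:
        return None
    typ, code, _csum, _unused, mtu = struct.unpack_from("!BBHHH", msg, 0)
    if typ != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return None
    inner = msg[8:]
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or len(inner) < ihl:
        return None
    total_len, _ident, flags_frag = struct.unpack_from("!HHH", inner, 2)
    src = ".".join(str(b) for b in inner[12:16])
    dst = ".".join(str(b) for b in inner[16:20])
    return mtu, src, dst, total_len, bool(flags_frag & 0x4000)


def is_spurious(msg, known_path_mtu):
    """True when the advertised next-hop MTU is below what the path is known
    to carry. Such messages shrink the peers' path MTU for no reason (the
    symptom in the thread) and are worth alerting on at the firewall."""
    parsed = parse_frag_needed(msg)
    if parsed is None:
        return False
    return parsed[0] < known_path_mtu


def sample_message():
    """Constructed message mirroring the tcpdump line quoted in the thread:
    original packet 5.6.7.8.80 > 1.2.3.20.59495, ttl 243, id 22121,
    len 1500, DF set, and an advertised MTU of 1420. The inner IP header
    checksum is left at zero because only the ICMP checksum matters here."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 1500, 22121, 0x4000, 243, 6, 0,
                         bytes([5, 6, 7, 8]), bytes([1, 2, 3, 20]))
    tcp_first8 = struct.pack("!HHI", 80, 59495, 2079874237)
    return build_frag_needed(1420, ip_hdr + tcp_first8)
```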



-current amd64 (#178): NO PROPOSAL CHOSEN

2010-04-08 Thread Toni Mueller
Hi,

while playing around with the latest code as of today, off of CVS's
HEAD, I find that it sometimes takes considerable time to establish a
connection to a static peer, and while negotiating, the two isakmpds
sometimes send NO_PROPOSAL_CHOSEN to each other. After a while, it
suddenly works. Normally, the connection should come up immediately
after one proposal packet from each isakmpd.

Both sides are OpenBSD -current amd64, but one side is about a week
older.

I don't recall this behaviour from earlier versions of OpenBSD.


-- 
Kind regards,
--Toni++



feature request: fallback boot image

2010-04-02 Thread Toni Mueller
Hi,

it would be great to be able to specify a fallback kernel in case
booting a new kernel fails - esp. if one needs to work on a remote
site w/o hands-on support.

TIA!


Kind regards,
--Toni++



Re: feature request: fallback boot image

2010-04-02 Thread Toni Mueller
Hi,

On Fri, 02.04.2010 at 06:50:00 -0500, Chris Bennett 
ch...@bennettconstruction.biz wrote:
 If you are talking about an upgrade then
 cp bsd bsd.backup before install should do it.
 Then use boot> boot /bsd.backup after a failed upgrade.

I thought about the case where the new kernel won't boot and I don't
have a console and power switch to reboot the machine and/or select a
different kernel. It would be nice if I could say something like (in
grub) fallback /bsd.backup.

As I said, this is only relevant if I'm working remotely.


Kind regards,
--Toni++



Re: feature request: fallback boot image

2010-04-02 Thread Toni Mueller
On Fri, 02.04.2010 at 08:44:56 -0500, Chris Bennett 
ch...@bennettconstruction.biz wrote:
 If you don't have access to a console remotely, then exactly how
 would you type fallback /bsd.backup?

I would like to see a configuration option in /etc/boot.conf that I
could use to specify a fallback kernel before I reboot to a new kernel.
As said, eg. Grub supports such a mechanism, although I don't know for
sure how powerful it really is.

 I haven't used GRUB myself. Does it support remote access?

Afaik, yes, but that's not the point. According to the documentation,
grub detects if a kernel does not boot correctly, and then proceeds to
automatically boot up to two different kernels after resetting the
machine (ie, finally fails after three unsuccessful attempts).

 Perhaps you should get an ISP with technicians or remote IP-KVM access.

Remote does not have to mean ISP or Hosting, it could also mean
some remote site where you do something which requires a computer, but
has nothing to do with Internet. Eg. I once saw a company that produces
remote sensing and data acquisition equipment and collects data over
the Internet. These machines need to be serviced remotely, too, and in
that case, often no personnel whatsoever was within reach of at least a
day of travelling of the affected sites.


Kind regards,
--Toni++



Re: feature request: fallback boot image

2010-04-02 Thread Toni Mueller
Hi,

On Fri, 02.04.2010 at 15:50:36 +0200, Paul de Weerd we...@weirdnet.nl wrote:
 What do you mean the new kernel won't boot ?

I mean that, for whatever reason, the kernel does not reach full
multi-user capabilities within some timeout (say, 5 minutes).

 there, the bootloader will automagically try /bsd. So if you have 'set
 image mybsd' in your /etc/boot.conf (which is frowned upon, mind you;
 certain things assume that your kernel is always /bsd) and /mybsd is

A _bad_ assumption, imho, but see below. I'll probably try to figure
out why this is deemed to be a good idea. No need to repeat last year's
discussion about it, which I didn't follow close enough to fully
understand the issue.

 May seem like a nice idea at first, but it doesn't sound very portable
 to me.

Ok... then I should probably try to figure out how to boot OpenBSD by
non-BSD-supplied boot loaders (eg. grub).

 The boot.conf stuff is platform specific - a workaround for
 broken bioses. sparc64 machines, for example, just read the kernel
 image name from their boot configuration and load that, no boot.conf
 needed at all.

Understood. Thanks for the summary.



Kind regards,
--Toni++



Re: feature request: fallback boot image

2010-04-02 Thread Toni Mueller
On Fri, 02.04.2010 at 22:20:46 +0200, Henning Brauer lists-open...@bsws.de 
wrote:
 * Toni Mueller openbsd-m...@oeko.net [2010-04-02 12:25]:
  it would be great to be able to specify a fallback kernel in case
  booting a new kernel fails
 how exactly does the bootloader notice your new kernel sitting in ddb?

Good question. I'm not familiar with the boot process, but would assume
that the boot loader could set up a timer that triggers an interrupt if
not cleared after some time. The interrupt handler, installed by the
boot loader, would do something that the boot loader recognizes to
select a different kernel at the next reboot. In PCs, there's afaik a
mandatory BIOS routine that can be used to issue a warm boot that would
preserve some parts of memory.

The kernel would clear the timer or diverting the interrupt handler
after booting successfully, or if the user asked for entering ddb.


-- 
Kind regards,
--Toni++



Re: question wrt. -current

2010-04-01 Thread Toni Mueller
Hi,

On Wed, 31.03.2010 at 17:12:30 -0700, Philip Guenther guent...@gmail.com 
wrote:
 The i386 build has been around a lot longer than amd64, so comparing
 absolutes doesn't reveal the relative rate.

that doesn't sound compelling to me, as, afair, the serial numbers
are reset on every release. Eg. I can see this on one machine:

$ what /bsd.old 
/bsd.old
OpenBSD 4.3 (GENERIC) #698: Wed Mar 12 11:07:05 MDT 2008

Now, with -current, serial numbers for i386 are in the range of 4xx,
which is much lower than 698.

 You don't say _why_ it would matter to you, so I can't answer
 _whether_ it would matter to you.  What problem are you trying to
 solve?

I am interested in how these things work internally in your project,
and I also wondered whether I'd done something wrong (eg. inadvertently
fetched stale code), as, at first, I assumed that all these builds
should occur in sync. Now, when I was reporting problems, the large
difference in serial number struck me as odd, and curiosity set in.


Kind regards,
--Toni++



Re: httpd segmentation fault

2010-04-01 Thread Toni Mueller
Hi,

On Wed, 31.03.2010 at 22:10:08 +0300, Ozgur Kazancci 
ozgur.kazan...@info.uvt.ro wrote:
 - Toni Mueller openbsd-m...@oeko.net wrote:
  On Wed, 31.03.2010 at 14:03:06 -0400, Devin Ceartas nacred...@gmail.com 
  wrote:
   I suppose it should be 5.2.11 or later my machine running 4.6
   stable has 5.2.12 installed from ports
  
  looking into CVS, it turns out that 5.2.10 is in 4.6-release, while
  5.2.12 is in 4.6-stable.
 
 5.2.12 in 4.6-stable? Weird. I've fetched the stable ports few minutes ago;
 cd /usr
 cvs -d$CVSROOT checkout -r OPENBSD_4_6 -P ports
 
 but;
 
 # make search name=php5-core
 Port:   php5-core-5.2.10
 
 Still 5.2.10.. Might be an outdated cvs server, maybe?
 It is; anon...@obsd.cec.mtu.edu:/cvs.

I took the info from here:

http://www.openbsd.org/cgi-bin/cvsweb/ports/www/php5/Makefile.inc

Please look at revision 1.26.2.2, which should be near the top of the
page:


Revision 1.26.2.2: download - view: text, markup, annotated - select for diffs
Wed Dec 23 01:07:26 2009 UTC (3 months, 1 week ago) by william
Branches: OPENBSD_4_6
^
Diff to: previous 1.26.2.1: preferred, coloured; branchpoint 1.26: preferred, 
coloured; next MAIN 1.27: preferred, coloured
Changes since revision 1.26.2.1: +4 -4 lines

MFC:

SECURITY FIX

php5-5.2.12

ok robert@



Kind regards,
--Toni++



-current (GENERIC.MP#148 amd64): cannot load anchor from file

2010-04-01 Thread Toni Mueller
Hi,

I'm trying to run my pf setup on the latest -current/amd64 like this:

# pfctl -n -f pf.conf (gives no error or warning)
# pfctl -f pf.conf
pfctl: pfctl_rules
pfctl: load anchors
pfctl: DIOCXROLLBACK: Invalid argument


The only anchor statments I have are these:

# grep anchor pf.conf
anchor ipsecrules
load anchor ipsecrules from /etc/pf.conf.ipsec
#

And since I thought I could isolate the problem by emptying the to-be
loaded file and then put the rules back one-by-one until I hit the
error, I started out with this, but still got the error message above:

# ls -l pf.conf.ipsec
-rw---  1 root  wheel  0 Apr  1 11:19 pf.conf.ipsec

IOW, the error is produced by the load anchor statement shown above,
which is not uncovered by running a syntax check on the file, also not
using -v.




Kind regards,
--Toni++



feature request: ifconfig emX clear

2010-04-01 Thread Toni Mueller
Hi,

I'd like to be able to clear the counters of interfaces, similar to
clear counters in Cisco lingo.

TIA!


Kind regards,
--Toni++



Re: -current (GENERIC.MP#148 amd64): cannot load anchor from file

2010-04-01 Thread Toni Mueller
Hi,

thanks for answering!

On Thu, 01.04.2010 at 10:28:16 -0700, Philip Guenther guent...@gmail.com 
wrote:
 This is generally caused by mismatched kernel and userland.  How
 confident are you that yours were built from the same/matching
 sources?

I installed these files from my installation server, to which I
downloaded a snapshot:

$ sha256sum bsd.mp /tmp/sbin/pfctl 
d033f27afacc2c7b226a55ed5e8641510921723880d6adbd0d1365ae1e25ad98 bsd.mp
41823dcad3b42f7a89a7b5c44c0b0798a317e2bb2663dcb53f2358dd7a9930c7 /tmp/sbin/pfctl

This version of pfctl is contained in this base set:

$ sha256sum base47.tgz 
94e7322961eb9c23a1ea52aa17580aff14127e82afcc251ac9c0543d973ebba1 base47.tgz


On the installed system, I find these files:

$ cksum -a sha256 /bsd /sbin/pfctl
SHA256 (/bsd) = d033f27afacc2c7b226a55ed5e8641510921723880d6adbd0d1365ae1e25ad98
SHA256 (/sbin/pfctl) = 41823dcad3b42f7a89a7b5c44c0b0798a317e2bb2663dcb53f2358dd7a9930c7


IOW, the checksums match, and they also match with the values specified
in the SHA256 file that I downloaded from the same source, so I'm
confident that the programs should have been built from the same
sources.


Kind regards,
--Toni++



-current (#448): starts dropping packets after a while

2010-03-31 Thread Toni Mueller
Hi,

recently, a problem with OpenBSD has popped up over here that manifests
itself in random connection failures after some time. Network
diagram:

 workstation (1) --- (3b) firewall (3a) --- Internet --- www.example.com (2)

You surf from your workstation to www.example.com. On the firewall, you
can see packets flowing, on the exterior interface.

 (1) -> (2)
 (2) -> (1)
 (1) -> (2)
 (2) -> (1)
 (1) -> (2)
 (2) -> (1)
 (1) -> (2)
 (2) -> (1)
 (1) -> (2)
 (2) -> (1)
 (1) -> (2)
 (2) -> (1)
 (1) -> (2)
 (2) -> (1)
 (1) -> (2)

and so on. Everything works just fine. Now, with nothing changed except
for the firewall being up some days (currently: 13 days), and having
pushed some traffic already, connections start to fail:

On (3a), you see almost the same packet sequence like shown above,
shortened for brevity:

 (1) -> (2)
 (2) -> (1)
 (1) -> (2)
 (2) -> (1)
 (1) -> (2)
 (2) -> (1)
 (1) -> (2)
 (2) -> (1)
 (1) -> (2)
 (2) -> (1)
 (1) -> (2)
 (2) -> (1)   <- point where the connection fails
 (2) -> (1)
 (2) -> (1)
 (2) -> (1)
 (2) -> (1)

but on (3b), you see:

 (1) -> (2)
 (2) -> (1)
 (1) -> (2)
 (2) -> (1)
 (1) -> (2)
 (2) -> (1)
 (1) -> (2)
 (2) -> (1)
 (1) -> (2)
 (2) -> (1)
 (1) -> (2)

and then nothing more, like if the web server on the other side had
stopped sending packets. I can't see the packets on pflog0, either, and
using slightly different networking to bypass the firewall,
everything works still fine, but fixing the problem involves powering
down the firewall.  Simply rebooting it w/o powering it down, does not
fix the problem.

It doesn't really matter which site www.example.com is (it starts for
several sites at once, anyway), and, over time, the problem affects
ever more sites until the firewall is hardly usable at all. But
s1.wp.com is usually amongst the first sites to fail.

This problem first occurred for us with 4.6-stable on both i386 and
amd64, and now also occurred on -current with kernel 448 on i386. I'm
underway trying to get yet-more-recent stuff installed to see whether
the problem is fixed.

The experience of the problem being fixed by a thorough power-cycle
suggests that there may be some underlying memory corruption problem.


I'd very much appreciate hints for how to go about debugging this,
and/or can probably be remote controlled to do some testing.

TIA!


Kind regards,
--Toni++



question wrt. -current

2010-03-31 Thread Toni Mueller
Hi,

comparing the build dates and serial numbers of kernels, I get the
impression that amd64 kernels are only built once in a while, so to
say, compared to i386 kernels, because the #148 kernel for amd64 is much
more recent than the #448 one for i386.

Right? Wrong? Does it matter, and if so, how/why?


Kind regards,
--Toni++



Re: httpd segmentation fault

2010-03-31 Thread Toni Mueller
Hi,

On Wed, 31.03.2010 at 14:03:06 -0400, Devin Ceartas nacred...@gmail.com wrote:
 I suppose it should be 5.2.11 or later my machine running 4.6
 stable has 5.2.12 installed from ports

looking into CVS, it turns out that 5.2.10 is in 4.6-release, while
5.2.12 is in 4.6-stable.


-- 
Kind regards,
--Toni++



Re: 4.7: doesn't route IPSEC traffic very well

2010-03-25 Thread Toni Mueller
Hi,

On Wed, 17.03.2010 at 16:26:39 -0500, Todd T. Fries t...@fries.net wrote:
 Try s/hmac-sha2-256/hmac-sha1/ until you have updated all your firewalls.
 
 Also try seeing http://www.openbsd.org/faq/current.html#20100110 ..

thanks to all who helped out to solve this particular case of PEBCAK.


Kind regards,
--Toni++



addendum: 4.7 causes different problem Re: spurious need to frag messages

2010-03-17 Thread Toni Mueller
Hi,

On Mon, 15.03.2010 at 19:10:12 +0100, Toni Mueller openbsd-m...@oeko.net 
wrote:
 # pfctl -s a |grep mss
 # ifconfig|grep mtu|grep -v 1500
 lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33152
 enc0: flags=41<UP,RUNNING> mtu 1536
 pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33152
 #
 
 And that's it...

 Sample message from tcpdump:
 
 19:03:59.805030 1.2.3.4 > 5.6.7.8: icmp: 1.2.3.20 unreachable - need to frag (mtu 1420) for 5.6.7.8.80 > 1.2.3.20.59495: 2079874237 [|tcp] (DF) (ttl 243, id 22121, len 1500) (ttl 255, id 23060, len 56)


I've rebooted the machine, and the problem went away. I don't know for
how long, though.


-- 
Kind regards,
--Toni++



4.7: doesn't route IPSEC traffic very well

2010-03-17 Thread Toni Mueller
Hi,

I've installed the latest snapshot, with kernel bsd.mp#488, on a
machine that has several IPSEC connections to handle, some fixed
(branch offices), some for road warriors. The setup per se runs well
for several years, but after this upgrade, traffic to the branch
offices stopped. I checked one of the branch office's firewalls, which
runs a slightly older version of OpenBSD, that the encrypted packets
arrive on the WAN interface. So I conclude that the gateway, running
the snapshot, pushes the packets out ok (I can observe these packets on
the gateway's enc0 interface, too, so confidence is high). In the
branch office's gateway, using 'netstat -rnf encap', I see all the
entries that there used to be, but I see _NO_ packets on its enc0
interface.

Ideas about how to debug these, are most welcome!


Kind regards,
--Toni++



Re: pfctl(8): unclear docs

2010-03-17 Thread Toni Mueller
Hi,

On Wed, 17.03.2010 at 16:24:42 +0100, Henning Brauer lists-open...@bsws.de 
wrote:
 -A, -O, -R are bullshit and I'll happily remove them. soon.

that's ok with me. I thought that changing the docs was the
less-intrusive thing to do, and I have no experience with ipf, so that
certainly wasn't on my mind.

TIA!

-- 
Kind regards,
--Toni++



Re: 4.7: doesn't route IPSEC traffic very well

2010-03-17 Thread Toni Mueller
Darn, I should write better messages. So here goes an important
addendum:

On Wed, 17.03.2010 at 17:55:34 +0100, Toni Mueller openbsd-m...@oeko.net 
wrote:
 I've installed the latest snapshot, with kernel bsd.mp#488, on a
 machine that has several IPSEC connections to handle, some fixed
 (branch offices), some for road warriors. The setup per se runs well
 for several years, but after this upgrade, traffic to the branch
 offices stopped. I checked one of the branch office's firewalls, which
 runs a slightly older version of OpenBSD, that the encrypted packets
 arrive on the WAN interface. So I conclude that the gateway, running
 the snapshot, pushes the packets out ok (I can observe these packets on
 the gateway's enc0 interface, too, so confidence is high). In the
 branch office's gateway, using 'netstat -rnf encap', I see all the
 entries that there used to be, but I see _NO_ packets on its enc0
 interface.

This was binary-upgrading an existing machine from 4.6-stable to
-current, including 'sysmerge', and it is i386 (again).

Traffic from and to road warriors is unaffected by the problem, only
traffic to networks (with a netmask < 32 - I can only test /16 so far).

If you want me to test something, that can probably be arranged.


-- 
Kind regards,
--Toni++



Re: pfctl(8): unclear docs

2010-03-16 Thread Toni Mueller
Hi,

On Tue, 16.03.2010 at 07:37:42 +0001, Jason McIntyre j...@kerhand.co.uk wrote:
 On Mon, Mar 15, 2010 at 10:35:23PM +0100, Toni Mueller wrote:
  An optimizer (or any other such device) which is on by default and
  claims to not change semantics, should imho be transparent to the user,
  but this one isn't. If you have other uses of disabling the optimizer
  except for debugging pf, I'd really like to hear.
 
 sorry, you've lost me with the optimiser stuff ;) why are you discussing
 that?

ok, I'll try again:

matteo pointed me to an article which says that the problem can be
bypassed by using an option to pfctl that disables the optimiser, which
is enabled by default. I think that any device that automatically works
on the user's input should not alter the documented semantics of what
the user input, and on which the user relies. On the contrary, such
devices should imho be transparent to the user, but obviously, this
optimiser isn't because its use is not orthogonal to the other options
of 'pfctl'.

Also (I didn't mention this before), since the use of tables is
advocated in about any docs (counting statements on this list in for
this purpose) that I've read so far, with the optimiser being on by
default, using '-R' alone should presently be impossible in the
majority of real-world use cases.

Therefore I advocate changing the documentation or the implementation
to highlight this case of non-orthogonality.



Better now?


-- 
Kind regards,
--Toni++



pfctl(8): unclear docs

2010-03-15 Thread Toni Mueller
Hi,

I've just run into the following problem on a 4.6 box:

/etc/pf.conf (excerpt):


table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
block out on $extif from <rfc1918>


# /sbin/pfctl -F rules -R -f pf.conf
rules cleared
pfctl: Must enable table loading for optimizations
# /sbin/pfctl  -s r
#


Imho, this interaction should be documented in the man page. One needs
to specify '-Tl', or else no rules will be loaded.


TIA!


Kind regards,
--Toni++



Re: pfctl(8): unclear docs

2010-03-15 Thread Toni Mueller
Hi,

On Mon, 15.03.2010 at 12:22:35 +0100, matteo filippetto 
matteo.filippe...@gmail.com wrote:
 for me it works good ... just don't use -R option
 
 http://kerneltrap.org/mailarchive/openbsd-misc/2007/4/6/147502

thanks for this link.

Not using -R is not too good, either, as on this particular box,
reloading everything results in a severance of all existing
connections. A clarification in the docs is imho the way to go. My
'nroff' is almost nonexistent, but here's a diff:


--- pfctl.8.origWed Jun 11 09:23:36 2008
+++ pfctl.8 Mon Mar 15 12:53:04 2010
@@ -354,7 +354,9 @@
 Only print errors and warnings.
 .It Fl R
 Load only the filter rules present in the rule file.
-Other rules and options are ignored.
+Other rules and options are ignored. If you are using
+tables, you need to also specify one of -T load or
+-o none.
 .It Fl r
 Perform reverse DNS lookups on states when displaying them.
 .It Fl s Ar modifier


Kind regards,
--Toni++



spurious need to frag messages

2010-03-15 Thread Toni Mueller
Hi,

one of my OpenBSD 4.6 boxen starts sending out need to fragment
messages to other hosts, w/o me seeing the reason.

# pfctl -s a |grep mss
# ifconfig|grep mtu|grep -v 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33152
enc0: flags=41<UP,RUNNING> mtu 1536
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33152
#

And that's it...

IOW: There are only physical interfaces with an MTU of 1500 bytes
present, and there are no mss-meddling packet filter rules present.
Nevertheless, the machine started to send out random fragmentation
messages to ever more hosts around the internet, resulting in more and
more websites becoming inaccessible.

Sample message from tcpdump:

19:03:59.805030 1.2.3.4 > 5.6.7.8: icmp: 1.2.3.20 unreachable - need to frag (mtu 1420) for 5.6.7.8.80 > 1.2.3.20.59495: 2079874237 [|tcp] (DF) (ttl 243, id 22121, len 1500) (ttl 255, id 23060, len 56)


The machine in question serves as a firewall, and it can (did) happen
that eg. one machine in the DMZ can access a certain foreign host,
while some other can't access the same foreign host. The only
consistency to be observed is that connectivity gradually deteriorates,
so that eventually, no machine in the DMZ can access a certain host,
while the number of inaccessible foreign hosts steadily increases.

The machine runs OpenBSD 4.6-stable/amd64.

What gives?


Kind regards,
--Toni++
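
The message above turns on what an ICMP "need to frag" actually claims. The following is an added example, not part of the original thread and not OpenBSD code: it builds a type 3 / code 4 message the way a router would, parses it the way a host's PMTU discovery does (checksums included), and then asks whether the advertised MTU can be explained by any link the sending router has. The packets are constructed to mirror the tcpdump line quoted above (router 1.2.3.4 telling 5.6.7.8 that its 1500-byte segment to 1.2.3.20 needs MTU 1420); the list of link MTUs is an assumption for illustration.

```python
"""ICMPv4 'fragmentation needed' (type 3, code 4): build, parse, sanity-check.

Added example, not from the thread or from OpenBSD. Packets below are
constructed; the link MTU list passed to classify() is an assumption."""
import struct

ICMP_UNREACH = 3
ICMP_UNREACH_NEEDFRAG = 4
IPPROTO_ICMP, IPPROTO_TCP = 1, 6


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; over a header carrying its own
    correct checksum the result is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _addr(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _pack_addr(a: str) -> bytes:
    return bytes(int(x) for x in a.split("."))


def ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0, df=False) -> bytes:
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      0x4000 if df else 0, ttl, proto, 0,
                      _pack_addr(src), _pack_addr(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_needfrag(router, dst, mtu, offending: bytes) -> bytes:
    """Type 3 code 4 carrying the next-hop MTU (RFC 1191) and quoting the
    offending datagram's IP header plus its first 8 bytes."""
    icmp = struct.pack("!BBHHH", ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, 0, 0, mtu)
    icmp += offending[:28]
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(router, dst, IPPROTO_ICMP, len(icmp), ttl=255) + icmp


def parse_needfrag(pkt: bytes):
    """Decode a need-to-frag message; None if it is not one or either
    checksum fails, which is what a receiving host silently drops."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_ICMP or inet_checksum(pkt[:ihl]) != 0:
        return None
    icmp = pkt[ihl:]
    if len(icmp) < 8 + 20 or inet_checksum(icmp) != 0:
        return None
    typ, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if typ != ICMP_UNREACH or code != ICMP_UNREACH_NEEDFRAG:
        return None
    inner = icmp[8:]
    return {"router": _addr(pkt[12:16]), "dst": _addr(pkt[16:20]), "mtu": mtu,
            "inner_src": _addr(inner[12:16]), "inner_dst": _addr(inner[16:20]),
            "inner_proto": inner[9],
            "inner_len": struct.unpack("!H", inner[2:4])[0]}


def classify(msg: dict, link_mtus) -> str:
    """'nonsense' if the quoted datagram already fits the advertised MTU,
    'spurious' if the MTU is below every link the router has (nothing it
    forwards over can have required it), otherwise 'plausible'."""
    if msg["inner_len"] <= msg["mtu"]:
        return "nonsense"
    if msg["mtu"] < min(link_mtus):
        return "spurious"
    return "plausible"


def demo():
    # Constructed: the 1500-byte HTTP segment from the capture above and
    # the need-to-frag the firewall sent back about it.
    tcp8 = struct.pack("!HHI", 80, 59495, 2079874237)
    segment = ipv4_header("5.6.7.8", "1.2.3.20", IPPROTO_TCP, 1480,
                          ttl=243, ident=22121, df=True) + tcp8 + b"\x00" * 1472
    msg = parse_needfrag(build_needfrag("1.2.3.4", "5.6.7.8", 1420, segment))
    return msg, classify(msg, link_mtus=[1500, 1500, 1500])
```

With every interface at 1500 and no mss clamping, a 1420 in a message the firewall itself originates is exactly the "spurious" case; the same message from a router that really has a 1400-byte link comes back "plausible".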



Re: pfctl(8): unclear docs

2010-03-15 Thread Toni Mueller
Hi,

On Mon, 15.03.2010 at 13:04:04 +, Jason McIntyre j...@kerhand.co.uk wrote:
 doesn;t Other rules and options are ignored. already cover this?

may be. But then, you are possibly only too deeply entrenched in this
stuff to see the problem.

 furthermore, since -T has a load command, should we really expect -R to
 load tables?

Should it really need to? My guess was that tables would usually have
been loaded already when one goes to selectively reloads the rules, and
either of spelling out that they need to be loaded explicitly, stating
that, by default, the already-loaded tables are being used, or that
they are being ignored, or that the whole command fails would imho be a
good thing.

Ok. I go out on a limb and say that explicit is better than implicit,
in a lot of cases, and would welcome the short explanation OR the
modification of the command to also load tables (which would require
amending the man page, too).

I admit that I was unaware of the rule optimizer until it bit me into
my bottom half. I mean, I usually don't care, from a user perspective,
whether there is something optimizing my stuff, and consider this
kind of breakage as a (an almost) hidden gotcha.

An optimizer (or any other such device) which is on by default and
claims to not change semantics, should imho be transparent to the user,
but this one isn't. If you have other uses of disabling the optimizer
except for debugging pf, I'd really like to hear.


-- 
Kind regards,
--Toni++



ipsecctl(8): delete by SPI index?

2010-03-13 Thread Toni Mueller
Hi,

I dimly remember that it was possible to delete flows by specifying
their SPI index in the SADB, but when I say

# ipsecctl -d 0x12345678

with 0x12345678 being a number obtained by running

# ipsecctl -v -ss

I only get back an error message. If I say ipsecctl -sf
and feed one of these lines to 'ipsecctl -d', like in

# ipsecctl -d 'flow esp in from 10.1.10.10 to 10.2.0.22 peer 1.2.3.4 srcid 
5.6.7.8/32 dstid 1.2.3.4/32 type use'

it bails out, too. Now I'm confused. :(

I'd prefer to delete flows by SPI index, if possible...

Help is greatly appreciated!


Kind regards,
--Toni++



Re: Easy money with OpenBSD OpenBGPd?

2010-03-13 Thread Toni Mueller
Hi,

technical issues aside,

On Sat, 13.03.2010 at 15:24:30 +, Sevan / Venture37 ventur...@gmail.com 
wrote:
 I was reading the arstechnica article on the internet filtering
 that's now in place in New Zealand  they mentioned that the
 appliance they're using called a Whitebox which uses a BSD-Unix
 Anyone know more about the OS used in this system??

what do you want to know?

How to make money bypassing government villains?
Or how to make money being a thug?


Kind regards,
--Toni++



Re: sysctl(3)

2010-03-12 Thread Toni Mueller
Hi,

On Fri, 12.03.2010 at 13:21:45 +0001, Jason McIntyre j...@kerhand.co.uk wrote:
 On Thu, Mar 11, 2010 at 12:23:22AM +0100, Toni Mueller wrote:
   what exactly is missing from sysctl(3)?
  the sections I read seem to exhaustively list the settings that can
  be used with the 'mib' parameter, but not for PF_KEY.
 ok, PF_KEY is now documented.

thank you!

-- 
Kind regards,
--Toni++



Re: sysctl(3)

2010-03-11 Thread Toni Mueller
Hi Otto,

On Thu, 11.03.2010 at 07:08:24 +0100, Otto Moerbeek o...@drijf.net wrote:
 On Thu, Mar 11, 2010 at 12:23:22AM +0100, Toni Mueller wrote:
  Btw, in the snapshot of today, the sysctl(3) man page is absent:
  
  $ find . -name 'sysctl*'
  ./cat8/sysctl.0
  ./cat5/sysctl.conf.0
  $
 
 Did you install the comp set? It's in there:
 $ tar ztf comp47.tgz | grep syscl
 ./usr/include/sys/sysctl.h
 ./usr/share/man/cat3/sysctl.0

thanks for the heads-up! No, I only installed the 'man' package on a
different machine than the one I am working on (not OpenBSD, either).
But I'll now grab 'comp' too and see if that helps.


-- 
Kind regards,
--Toni++



Re: sysctl(3)

2010-03-11 Thread Toni Mueller
On Thu, 11.03.2010 at 14:31:46 +0100, Toni Mueller openbsd-m...@oeko.net 
wrote:
 But I'll now grab 'comp' too and see if that helps.

I've now looked at the man page in -current, and it does not cover the
leaves below PF_KEY.

-- 
Kind regards,
--Toni++



sysctl(3)

2010-03-10 Thread Toni Mueller
Hi,

while digging into my problem with bogus SADB entries, I noticed that
sysctl(3) is incomplete, and the online man page doesn't show up (I only
get sysctl(8) to see when accessing this link:
http://www.openbsd.org/cgi-bin/man.cgi?query=sysctl&apropos=0&sektion=3&manpath=OpenBSD+Current&arch=i386&format=html
). If someone with appropriate knowledge and powers
could fix these problems, eg. before 4.7, that would be great.

TIA!


Kind regards,
--Toni++



Re: sysctl(3)

2010-03-10 Thread Toni Mueller
Hi,

On Wed, 10.03.2010 at 21:48:38 +0001, Jason McIntyre j...@kerhand.co.uk wrote:
 what exactly is missing from sysctl(3)?

the sections I read seem to exhaustively list the settings that can
be used with the 'mib' parameter, but not for PF_KEY.

Btw, in the snapshot of today, the sysctl(3) man page is absent:

$ find . -name 'sysctl*'
./cat8/sysctl.0
./cat5/sysctl.conf.0
$

 as to why the cgi thing returns the section page, i'll let someone else
 explain (i.e. i don't know).

Thanks.

-- 
Kind regards,
--Toni++



IPSEC: trying to understand ipsec.conf(5)

2010-01-24 Thread Toni Mueller
Hi,

I'm running an IPSEC setup using isakmpd.conf + isakmpd.policy, and
would like to move to using ipsec.conf instead.

First off, I noticed that, if isakmpd is running w/o the '-K' switch,
running 'ipsecctl -f somefile' results in a problem accessing
/var/run/isakmpd.fifo, with a file does not exist error.

I have cobbled together a very simple configuration, derived from the
classic East-West style config files that I already use (and which work
great). In /etc/isakmpd/certs I have the public part of an X.509
certificate for all affected parties, esp. the IPSEC peers, named like
this:

1.2.3.4.crt for a peer with id type IPV4_ADDR and an IP number of
1.2.3.4. For mobile users, I have certificates in the same directory
named u...@example.com.crt for an UFQDN id of u...@example.com.
In /etc/isakmpd/private I have the machine's own private key file,
corresponding to their id (eg. 1.2.3.4.key for a VPN gateway).

The tunnels are all set up mostly the same way, using main mode, X.509
certificates for authentication, PFS, tunnel mode, and IKE
configuration in case of mobile users.

To test my new ipsec.conf file, I temporarily moved the
isakmpd.{conf,policy} files out of the way, restarted isakmpd with -K,
and ran ipsecctl -f my-ipsec.conf file, which reads like this,
following the example closely:

ike esp from 172.17.16.0/24 to 172.17.0/20 peer 1.2.3.4 \
srcid 1.2.3.5 dstid 1.2.3.4

ike esp from 1.2.3.5 to 1.2.3.4 \
srcid 1.2.3.5 dstid 1.2.3.4


The tunnel doesn't come up, and the log files (-DA=90) shows:

Default ike_phase_1_recv_ID: received remote ID other than expected 1.2.3.4

Collecting some packets I can see:

17:33:56.358776 1.2.3.4.500 > 1.2.3.5.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: 10e2114ec84c8a9d-2cd65760e925dc55 msgid:  len: 1292
payload: ID len: 12 type: IPV4_ADDR = 1.2.3.4
payload: CERT len: 992
payload: SIG len: 260 [ttl 0] (id 1, len 1320)


The ID is both in the CN and the subjectAltName attribute of the
certificate involved.

I've also tried without the 'srcid' and 'dstid' specifiers, as the man
page says that, in this case, the IP number(s) are taken as IDs, but
still no luck.

What gives?



Kind regards,
--Toni++
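
The "received remote ID other than expected" line above is the result of a comparison on the ISAKMP Identification payload shown in the capture. The following is an added example, not part of the original message and not isakmpd's code: it serialises and decodes that payload (generic payload header from RFC 2408, IPsec DOI body from RFC 2407 section 4.6.2) and compares it with an expected identity on both type and value, since an FQDN whose text is "1.2.3.4" and an IPV4_ADDR 1.2.3.4 print the same but are different identities on the wire. The payload bytes are constructed to mirror the capture (IPV4_ADDR = 1.2.3.4, len 12); the USER_FQDN and subnet values are made-up stand-ins for the kinds of ID the setup uses.

```python
"""ISAKMP Identification payload: encode, decode, compare.

Added example, not isakmpd's code. Values in the demo are constructed."""
import struct
import ipaddress

ID_TYPES = {1: "IPV4_ADDR", 2: "FQDN", 3: "USER_FQDN", 4: "IPV4_ADDR_SUBNET",
            5: "IPV6_ADDR", 6: "IPV6_ADDR_SUBNET", 9: "DER_ASN1_DN", 11: "KEY_ID"}
TYPE_BY_NAME = {v: k for k, v in ID_TYPES.items()}


def encode_id(id_type: str, value: str) -> bytes:
    """Text form as written in ipsec.conf srcid/dstid -> identification data."""
    if id_type in ("IPV4_ADDR", "IPV6_ADDR"):
        return ipaddress.ip_address(value).packed
    if id_type in ("IPV4_ADDR_SUBNET", "IPV6_ADDR_SUBNET"):
        net = ipaddress.ip_network(value, strict=False)
        return net.network_address.packed + net.netmask.packed
    if id_type in ("FQDN", "USER_FQDN"):
        return value.encode("ascii")
    return bytes.fromhex(value)  # DER DN / KEY_ID carried as hex here


def build_id_payload(id_type: str, data: bytes, next_payload=0, proto=0, port=0) -> bytes:
    """Generic header (next payload, reserved, length) + ID type, protocol
    ID, port, identification data."""
    return struct.pack("!BBHBBH", next_payload, 0, 8 + len(data),
                       TYPE_BY_NAME[id_type], proto, port) + data


def parse_id_payload(raw: bytes) -> dict:
    """Decode one ID payload; ValueError on anything malformed."""
    if len(raw) < 8:
        raise ValueError("ID payload shorter than its fixed 8 bytes")
    nxt, reserved, length, id_type, proto, port = struct.unpack("!BBHBBH", raw[:8])
    if reserved != 0 or length < 8 or length > len(raw):
        raise ValueError("bad ISAKMP payload header")
    data = raw[8:length]
    name = ID_TYPES.get(id_type, "UNKNOWN(%d)" % id_type)
    if name in ("IPV4_ADDR", "IPV6_ADDR"):
        value = str(ipaddress.ip_address(data))
    elif name in ("IPV4_ADDR_SUBNET", "IPV6_ADDR_SUBNET"):
        half = len(data) // 2
        value = str(ipaddress.ip_network("%s/%s" % (
            ipaddress.ip_address(data[:half]), ipaddress.ip_address(data[half:])),
            strict=False))
    elif name in ("FQDN", "USER_FQDN"):
        value = data.decode("ascii")
    else:
        value = data.hex()
    return {"type": name, "value": value, "proto": proto, "port": port,
            "next": nxt, "len": length}


def is_well_formed(raw: bytes) -> bool:
    try:
        parse_id_payload(raw)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def id_matches(received: dict, expected_type: str, expected_value: str) -> bool:
    """Both the ID type and the encoded data must agree."""
    if received["type"] != expected_type:
        return False
    return encode_id(expected_type, expected_value) == \
        encode_id(received["type"], received["value"])


def demo():
    # Constructed to mirror the capture: IPV4_ADDR = 1.2.3.4, len 12.
    wire = build_id_payload("IPV4_ADDR", encode_id("IPV4_ADDR", "1.2.3.4"))
    got = parse_id_payload(wire)
    return got, id_matches(got, "IPV4_ADDR", "1.2.3.4"), id_matches(got, "FQDN", "1.2.3.4")
```

When the log complains about an ID that tcpdump shows as the right address, compare the decoded type, not just the printed value, with what the local side was configured to expect.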



Re: IPSEC: trying to understand ipsec.conf(5)

2010-01-24 Thread Toni Mueller
Hi,

On Sun, 24.01.2010 at 17:47:22 +0100, Toni Mueller openbsd-m...@oeko.net 
wrote:
 First off, I noticed that, if isakmpd is running w/o the '-K' switch,
 running 'ipsecctl -f somefile' results in a problem accessing
 /var/run/isakmpd.fifo, with a file does not exist error.

scratch that - this is bogus, and only a side effect of isakmpd not
finding the file when running w/o -K.

Sorry I forgot to delete it before sending the original message.


-- 
Kind regards,
--Toni++



Re: IPSEC: bad checksum

2010-01-22 Thread Toni Mueller
Hi,

On Thu, 21.01.2010 at 21:48:01 +, Christian Weisgerber na...@mips.inka.de 
wrote:
 Toni Mueller openbsd-m...@oeko.net wrote:
  today I see tons of these on a 4.6-stable/amd64 machine (sample):
  17:21:00.848135 esp 1.1.1.1 > 2.2.2.2 spi 0x54d46678 seq 132642 len 84 (DF) (ttl 64, id 49897, len 104, bad cksum 0! differs by 8b3c)
 
 This looks like outgoing packets on an interface that does IPv4
 header checksumming in hardware.  tcpdump sees the packets before
 the checksum is actually filled in.  This has nothing to do with
 IPsec.

thanks for the explanation. I didn't think of it, but it's a bge(4)
interface.


Kind regards,
--Toni++



IPSEC: bad checksum

2010-01-21 Thread Toni Mueller
Hi,

today I see tons of these on a 4.6-stable/amd64 machine (sample):

17:21:00.848135 esp 1.1.1.1 > 2.2.2.2 spi 0x54d46678 seq 132642 len 84 (DF) (ttl 64, id 49897, len 104, bad cksum 0! differs by 8b3c)
17:21:00.859630 esp 2.2.2.2 > 1.1.1.1 spi 0x87b9932c seq 89638 len 324 (ttl 46, id 63366, len 344)
17:21:00.860346 esp 1.1.1.1 > 2.2.2.2 spi 0x54d46678 seq 132643 len 324 [tos 0xb8] (ttl 64, id 40719, len 344, bad cksum 0! differs by ed6e)
17:21:00.866788 esp 2.2.2.2 > 1.1.1.1 spi 0x87b9932c seq 89639 len 1028 (ttl 46, id 22841, len 1048)
17:21:00.867366 esp 1.1.1.1 > 2.2.2.2 spi 0x54d46678 seq 132644 len 84 (DF) (ttl 64, id 58626, len 104, bad cksum 0! differs by 6923)
17:21:00.874786 esp 2.2.2.2 > 1.1.1.1 spi 0x87b9932c seq 89640 len 756 (ttl 46, id 57720, len 776)
17:21:00.888078 esp 2.2.2.2 > 1.1.1.1 spi 0x87b9932c seq 89641 len 324 (ttl 46, id 50367, len 344)
17:21:00.890475 esp 1.1.1.1 > 2.2.2.2 spi 0x54d46678 seq 132645 len 324 [tos 0xb8] (ttl 64, id 11430, len 344, bad cksum 0! differs by 5fd8)
17:21:00.912343 esp 1.1.1.1 > 2.2.2.2 spi 0x54d46678 seq 132646 len 84 (DF) (ttl 64, id 28840, len 104, bad cksum 0! differs by dd7d)
17:21:00.918568 esp 2.2.2.2 > 1.1.1.1 spi 0x87b9932c seq 89642 len 324 (ttl 46, id 19061, len 344)
17:21:00.920435 esp 1.1.1.1 > 2.2.2.2 spi 0x54d46678 seq 132647 len 324 [tos 0xb8] (ttl 64, id 33521, len 344, bad cksum 0! differs by 98d)
17:21:00.949296 esp 2.2.2.2 > 1.1.1.1 spi 0x87b9932c seq 89643 len 324 (ttl 46, id 24659, len 344)
17:21:00.950417 esp 1.1.1.1 > 2.2.2.2 spi 0x54d46678 seq 132648 len 324 [tos 0xb8] (ttl 64, id 56867, len 344, bad cksum 0! differs by ae5a)
17:21:00.959740 esp 2.2.2.2 > 1.1.1.1 spi 0x87b9932c seq 89644 len 84 (ttl 46, id 12621, len 104)
17:21:00.977666 esp 2.2.2.2 > 1.1.1.1 spi 0x87b9932c seq 89645 len 324 (ttl 46, id 30599, len 344)

The 2.2.2.2 machine runs an older version of OpenBSD, but is now slated to be
upgraded RSN now.



Kind regards,
--Toni++
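
The "bad cksum 0! differs by ..." lines above, and the explanation in the reply further up that the capture sees outbound packets before a checksum-offloading NIC fills the field in, can be checked rather than taken on faith. The following is an added example, not from the thread and not tcpdump's code: it builds an IPv4 header the way bpf sees it on such an interface (checksum field still 0), reports the field and the residual sum, and separates the harmless offload case from a genuinely corrupt header. The header mirrors the first capture line (ESP, 1.1.1.1 to 2.2.2.2, ttl 64, id 49897, len 104, DF); the set of the host's own addresses is an assumption.

```python
"""Hardware checksum offload versus real IPv4 header corruption.

Added example, not from the thread or from tcpdump. The header and the
local address list are constructed for illustration."""
import struct

IPPROTO_ESP = 50


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; 0 when the field is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_header(src, dst, proto, total_len, ttl=64, ident=0, df=False, cksum=0) -> bytes:
    """20-byte header with the checksum field written verbatim; 0 is what
    offload leaves for bpf to see before the chip fills it in."""
    pack = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident,
                       0x4000 if df else 0, ttl, proto, cksum, pack(src), pack(dst))


def fill_checksum(hdr: bytes) -> bytes:
    """What the NIC does on the wire: sum the header with the field zeroed
    and write the complement in."""
    zeroed = hdr[:10] + b"\x00\x00" + hdr[12:]
    return zeroed[:10] + struct.pack("!H", inet_checksum(zeroed)) + zeroed[12:]


def inspect_header(hdr: bytes, local_addrs=()) -> dict:
    """Report the field, the residual sum (the quantity a 'differs by'
    style message carries) and a verdict:
      ok      - checksum verifies
      offload - field is 0 and the packet was sourced by this host:
                expected on NICs with IPv4 header checksum offload
      corrupt - any other mismatch, worth chasing"""
    ihl = (hdr[0] & 0x0F) * 4
    field = struct.unpack("!H", hdr[10:12])[0]
    residual = inet_checksum(hdr[:ihl])
    src = ".".join(str(b) for b in hdr[12:16])
    if residual == 0:
        verdict = "ok"
    elif field == 0 and src in local_addrs:
        verdict = "offload"
    else:
        verdict = "corrupt"
    return {"src": src, "field": field, "differs_by": residual, "verdict": verdict}


def demo():
    # Constructed to mirror the first capture line; 1.1.1.1 is this host.
    raw = build_header("1.1.1.1", "2.2.2.2", IPPROTO_ESP, 104,
                       ttl=64, ident=49897, df=True)
    return inspect_header(raw, local_addrs=("1.1.1.1",))
```

With the field at 0 the residual is exactly the value the NIC will write, so a zero field plus a nonzero residual on a locally sourced packet is the offload signature; the same zero field on a packet that arrived from elsewhere is not.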



SOLVED: Re: Feature request: pf + set-tos, Re: IPSEC ECN: no-go?

2010-01-20 Thread Toni Mueller
Hi,

On Sat, 09.01.2010 at 13:09:29 -0500, Ted Unangst ted.unan...@gmail.com wrote:
> On Sat, Jan 9, 2010 at 11:40 AM, Toni Mueller openbsd-m...@oeko.net wrote:
> > # /sbin/pfctl -n -f pf.conf.test
> > pf.conf.test:23: illegal tos value (null)

> Best guess: sbin/pfctl/parse.y

thanks, Ted, this worked quite nicely. For the record, in

http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/pfctl/parse.y.diff?r1=1.561;r2=1.562

there are two places where a condition was changed to allow zero as a
value, around line 3300 and line 3320, like this:


| NUMBER{
$$ = $1;
-   if (!$$ || $$  255) {
+   if ($$  255) {
yyerror(illegal tos value %s, $1);
YYERROR;
}
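Review bot: the error path in this hunk passes $1, the value of the NUMBER token, to a %s conversion in `yyerror(illegal tos value %s, $1)`; %s expects a string pointer, so this is a format mismatch, and it would explain the "(null)" in the pfctl error quoted earlier in this thread (a zero passed where a pointer is expected prints as "(null)"). Use an integer conversion matching the token's type instead; the yyerror line is unchanged between the old and new version, so that fix is independent of the relaxed range check. Also note that the archive has dropped the comparison operator from both `if` lines; given the 255 upper bound and the stated intent of allowing zero, they read `if (!$$ || $$ > 255)` before and `if ($$ > 255)` after.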


If one changes this condition and recompiles pfctl, the value '0x0' (at
least) can be used in a rule. I didn't have success using this global
rule:

match in all tos 3 scrub (set-tos 0x0)

That was ineffective for me, but I don't know why.

Instead, I had to augment a regular pass rule to make this work:

pass quick on { $ext_if0, $ext_if1, $ext_if2, $int_if } all flags any no state tos 3 scrub (set-tos 0x0)


The complete ruleset on this router looks like this:

# pfctl -s r
match in all tos 0x03 scrub (set-tos 0x00)
match in all scrub (no-df)
pass quick on bge1 all tos 0x03 no state scrub (set-tos 0x00)
pass quick on art0 all tos 0x03 no state scrub (set-tos 0x00)
pass quick on art1 all tos 0x03 no state scrub (set-tos 0x00)
pass quick on fxp0 all tos 0x03 no state scrub (set-tos 0x00)
pass in on bge0 all flags S/SA keep state
block drop out on bge0 all



HTH,
--Toni++



Re: Recommend T1 Card for 4.6

2010-01-09 Thread Toni Mueller
Hi,

On Wed, 06.01.2010 at 22:19:55 +0100, David Coppa dco...@gmail.com wrote:
> man 4 art

these cards are almost great, but I don't know where to purchase any.
Otherwise, I'd get two or three more myself.

My only current problem with these cards is that they don't support
in-depth line diagnostics as do Cisco's Serial interfaces.

-- 
Kind regards,
--Toni++



Re: ldconfig: default path?

2010-01-09 Thread Toni Mueller
Hi,

On Wed, 30.12.2009 at 18:17:24 +0100, Marc Espie es...@nerim.net wrote:
> I don't know about a long list of directories. These days, there are at
> most 5 ports that do this kind of annoying shit.
>
> Toni, this looks like hyperbolic speech to me. 4 or 5 doesn't amount to
> long list.

I'll re-check, but I think I had many more than five directories on that
list, and, as Antti already noted, php5 build directories amongst them.


-- 
Kind regards,
--Toni++



Re: IPSEC bringing down networking 1.1

2010-01-09 Thread Toni Mueller
Hi,

On Tue, 05.01.2010 at 12:44:49 -0800, Jeff Simmons jsimm...@goblin.punk.net wrote:
> fw:$ netstat -nr

tip: netstat -rnf encap

> <results elided>
> Encap:
> Source Port Destination  Port  Proto SA(Address/Proto/Type/Direction)
> <expected encap routes elided>
> 0/00 0/00 0   gatewayIP/50/use/in
> 0/00 0/00 0   gatewayIP/50/require/out

I've seen this routing entry, too, only _immediately_ after connect,
and am *very* interested in talking to qualified people to solve this
issue. Imho, this issue has nothing to do with Sonicwall or Cisco.

 Now, if that means what I think it means,

You think correctly.


-- 
Kind regards,
--Toni++



Re: Feature request: pf + set-tos, Re: IPSEC ECN: no-go?

2010-01-09 Thread Toni Mueller
Hi,

[ will cross-post this to tech@ ]

On Mon, 05.10.2009 at 18:47:10 +0200, Toni Mueller openbsd-m...@oeko.net wrote:
> On Thu, 01.10.2009 at 12:21:19 +0200, Toni Mueller openbsd-m...@oeko.net wrote:
> > Searching around, I found that this question was already raised by
> > Martin Hedenfalk well over a year ago
> > (http://marc.info/?l=openbsd-miscm=121127258816047w=2), but he got no
> > answer.
>
> scrub in all tos 3 set-tos 0

with 4.6, this would be:

match in all tos 3 scrub (set-tos 0) or
match in all tos 3 scrub (set-tos 0x0)

The first alternative yields:

# /sbin/pfctl -n -f pf.conf.test 
pf.conf.test:23: illegal tos value (null)


And the second alternative yields:

# /sbin/pfctl -n -f pf.conf.test 
pf.conf.test:23: illegal tos value 0x0


Where, in the source code, should I go to attempt to fix this?


TIA!


-- 
Kind regards,
--Toni++



Re: Recommend T1 Card for 4.6

2010-01-09 Thread Toni Mueller
Hi,

On Wed, 06.01.2010 at 14:45:42 -0800, Noah Pugsley noa...@bendtel.com wrote:
> A little off topic but why trying to get rid of the Cisco? Other
> than the power/size/noise or to simplify your setup, less links in
> the chain, etc..
>
> I use OpenBSD for everything I can, and some things I shouldn't but
> an ebay 2600 + WIC is dirt cheap

getting a Cisco that can run a few full tables is always *expensive* -
a 2600 doesn't cut it there, and getting something better is really not
justified at T1 (or E1) speed.

Plus, you can't get spare parts readily, have to rely on Cisco getting
patches out, etc.pp., and a Soekris + art(4) card as a CPE device is
still smaller and much less power-consuming than a Cisco.


-- 
Kind regards,
--Toni++



Re: ldconfig: default path?

2009-12-30 Thread Toni Mueller
Hi Dale, hi Theo,

On Tue, 29.12.2009 at 11:55:55 -0600, Dale Rahn dr...@dalerahn.com wrote:
> On Tue, Dec 29, 2009 at 06:03:48PM +0100, Toni Mueller wrote:
> > I've just seen a program fail to work, saying that it can't load a
> > shared library (but a different one on each invocation - this is an SMP
> > machine). Then I found out that /usr/local/lib was not part of the
> > scanned directories. Looking into

I have now discovered that I overlooked the setting of /usr/local/lib
in /etc/rc. But it seems to mean that I have to re-run ldconfig
every time I install a new shared library, or programs depending on it
won't find it.

Why the program reported a different library name missing on every
invocation (out of the set of libs it wants, that is), I still don't
know. Will use the debugging technique you mention below.

> > http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ld.so/ldconfig/library.c?rev=1.2;content-type=text%2Fplain
> >
> > I see this:
> >
> > #define DEFAULT_PATH "/usr/lib:/usr/X11R6/lib:/usr/local/qte/lib"
>
> shlib.c:#define STANDARD_SEARCH_DIRS "/usr/lib"
>
> is the define you are really looking for.

Ok.

> The DEFAULT_PATH is part of the never really used 'prebind' system,
> much like prelink on linux.

I guess that I need to do some background reading to make sense of
this.

> The system normally adds additional search paths that can be displayed
> using:
> ldconfig -r | head -2

Thanks for the idea. It turns out that my systems emit long lists of
directories that include directories within my ports tree, from ports I
built. I'm not so sure that this is what I want (what if I run 'make
clean' there?). I also don't see how these directories got in the
search path in the first place.

> The tool only uses /usr/lib to be as conservative as possible, it allows the
> user (or startup environment) to control the addition of other directories.

I didn't fiddle with ldconfig's startup environment and expected the
search path to be as the system had set them.

> However this does not explain the original problem you were having, I
> would suggest running the application with 'LD_DEBUG' environment set
> eg: LD_DEBUG='' a.out [args]

I'll try to reproduce the problem shortly.


-- 
Kind regards,
--Toni++



ldconfig: default path?

2009-12-29 Thread Toni Mueller
Hi,

I've just seen a program fail to work, saying that it can't load a
shared library (but a different one on each invocation - this is an SMP
machine). Then I found out that /usr/local/lib was not part of the
scanned directories. Looking into

http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ld.so/ldconfig/library.c?rev=1.2;content-type=text%2Fplain

I see this:

#define DEFAULT_PATH "/usr/lib:/usr/X11R6/lib:/usr/local/qte/lib"

(the man page didn't tell me what the default paths were)

It would be nice if someone could enlighten me about why there's a
provision for Qt, and why /usr/local/lib is not part of the default
path.


TIA!


Kind regards,
--Toni++



Re: shutdown and reboot sometimes ignored?

2009-11-23 Thread Toni Mueller
Hi,

On Sun, 22.11.2009 at 23:03:10 +0100, Joachim Schipper joac...@joachimschipper.nl wrote:
> On Sun, Nov 22, 2009 at 10:00:05PM +0100, Peter J. Philipp wrote:
> > On Sun, Nov 22, 2009 at 09:20:46PM +0100, Toni Mueller wrote:
> > > for several releases of OpenBSD, I now have encountered the problem
> > > that I can say shutdown -r now, or halt, or reboot, and nothing
> > > appears to happen, except for some messages on the associated
> > > terminals.
> > >
> > > Sometimes, it works after saying it multiple times, and literally after
> > > minutes, and on otherwise idle boxen.
> >
> > I had something like this on vmware when switching from workstation 6 to
> > workstation 7.  Basically what happened was that vic1 (second ethernet) was
> > left in no carrier state on a vmnet that didn't exist.  When I finally
> > noticed it and made a proper vmnet for it, the reboot or halt problem went
> > away.
> >
> > Perhaps you have an interface in no carrier state?
>
> That alone isn't enough - I frequently halt my laptop with no network
> cable attached (to re0), and never noticed any particularly long waits.

I forgot to say that I was only talking about real hardware machines,
not virtual machines. On the machine I saw it last, there are two
bge(4) and two em(4) interfaces, and they are all active (HP G380 or
so). I also forgot to specify what "long" means. It means that there
can easily be 5-15 minutes before the actual shutdown appears to
finally trigger, but since I have my shell back in the meantime, and
thus tried to issue the command several times in a row (usually,
issuing the shutdown command immediately renders the shell
unresponsive), I can't say which invocation actually did the trick.

This is especially discomforting when already running on UPS battery
and/or working with remote systems...

TIA!


-- 
Kind regards,
--Toni++



Re: shutdown and reboot sometimes ignored?

2009-11-23 Thread Toni Mueller
Hi,

On Mon, 23.11.2009 at 10:04:20 -0600, Chris Bennett ch...@bennettconstruction.biz wrote:
> If you are running PostgreSQL, and aren't running as root, you will need
> to use sudo shutdown -r now or /etc/rc.shutdown will hang

??

you mean, if I am not running PostgreSQL as root?

I usually log in as a regular user, then su to root, then do stuff
(really old-fashioned). In the most recent example, PostgreSQL was not
involved. I even turned off several things, so the only big service
running should have been squid.

Anyway, squid is configured to shut down after 30 seconds, so there's
still a gap of several minutes between first issuing the command and
actually shutting down. As I said, this happens irregularly, or at
least, I didn't detect a pattern yet. Most of the time, I can shutdown
or reboot the affected machines without any problems, but sometimes,
they just hang.


Kind regards,
--Toni++



shutdown and reboot sometimes ignored?

2009-11-22 Thread Toni Mueller
Hi,

for several releases of OpenBSD, I now have encountered the problem
that I can say shutdown -r now, or halt, or reboot, and nothing
appears to happen, except for some messages on the associated
terminals.

Sometimes, it works after saying it multiple times, and literally after
minutes, and on otherwise idle boxen.

Ideas about what I can do to pinpoint the problem, are most welcome!


-- 
Kind regards,
--Toni++



art(4): seeking new and used cards

2009-11-16 Thread Toni Mueller
Hi,

if someone has to sell known-good Accom cards, I'm very much interested
in purchasing some.

Please contact me off-list.

TIA!

-- 
Kind regards,
--Toni++



make release w/o make build?

2009-11-10 Thread Toni Mueller
Hi,

I'm wondering about the options when I want to make a release, and
would like some insight into the build process.


Background: During a release's lifetime, I want to create a set of new
installation tarballs for -stable, to be able to (re-) install machines
with all relevant patches already included right from the start.


In the following, I assume a build machine, which is already mostly, or
completely, up to date and/or not directly connected to the Internet.


In FAQ#5, I read this (abbreviated):

1. cvs update
2. create and boot a new kernel
3. clean out cruft
4. make obj
5. make distrib-dirs
6. make build
7. divert DESTDIR and make release


What I wonder is whether some of these steps can be skipped within a
release, which would result in big savings in compile time. For one, I
expect (but don't know) that the kernel api does not change during a
release, and thus generally to be able to skip step 2.

Secondly, step 5+6 should also be roughly NOPs within a release, except
for the cases where the toolchain is affected.

I'm particularly interested in the relationship between steps 6 and 7,
though, which take up by far the most amount of time. If you also want
to explain why make needs step 3, which is also very slow on my
machine(s), instead of properly updating the object files, I'm all
ears, too.

Thirdly, I'm interested in whether steps 4-6 can be collapsed into one
step.


TIA!


Kind regards,
--Toni++


