Re: CEF / MLS (WAS: Re: em(4) - IFCAP_VLAN_MTU IFCAP_VLAN_HWTAGGING ?)
On Sun, Oct 21, 2007 at 09:23:39PM -0400, Brian A Seklecki (Mobile) wrote: On Mon, 2007-10-22 at 00:12 +0100, Tony Sarendal wrote: On 10/21/07, Henning Brauer [EMAIL PROTECTED] wrote:

I'll throw this out there since it's been something on my mind for a while: Hardware VLAN tagging, TOE offload, IP/UDP/TCP Checksum offload, interface polling are all ways to accelerate packet forwarding. How about a standards-based hardware-software API equivalent to Cisco's CEF or MLS?

We have hardware VLAN tagging support on many interfaces. TOE helps not a single bit on routers and I don't trust TOE, just think about it. TOE is a TCP/IP stack in HW. With every network card generation we get new features. DMA, IP checksumming, TCP checksumming, and each and every one of these much simpler functions were cursed with tons of bugs. I think there are probably 2 network cards that do the checksumming right, all others have some more or less noticeable bugs in them. So do you think that the HW designers will create a correct TOE engine?

How about a standards-based hardware-software API equivalent to Cisco's CEF or MLS?

standards-based? with cisco? Cisco is not even able to follow standards for easy stuff like VLAN etc. CEF is a pure software gimmick. MLS needs a Layer-3 capable switch chip which does all the work with its CAM. If you get me a PCI card with a L3 switching chip on it including a 500k entries CAM plus docu I will write a driver for it.

The basics:
- layer 3 or layer 4 state (flow) is identified and established using software IP-forwarding.
- the software dynamically programs the switching hardware backplane ASIC to accelerate forwarding the flow w/o software further inspection (Including Fragment Reassembly, etc.)

Fragment Reassembly does not happen in the forwarding plane, it happens on the end system. By doing flow based forwarding on the router you're no longer able to do all the additional checks that pf(4) is doing in its stateful forwarding path.

There is probably a huge market out there for a commodity standards based hardware (if it could be done)

I doubt it, the necessary HW is just too expensive and complex.

-- :wq Claudio
Re: MAXDSIZ 1GB memory limit for process
On 10/21/07, Richard Storm [EMAIL PROTECTED] wrote: Is it possible to bypass this limit somehow? depends, but if it's easy to bypass a limit, it's not much of a limit. Do you plan to increase this limit? i don't think so.
Re: Can't read authpf rules with pfctl
2007/10/22, Jeff Simmons [EMAIL PROTECTED]:

[...]
firewall:~#pfctl -a '*' -sr
anchor * all {
pfctl: DIOCGETRULES: Invalid argument
}

Am I misreading the man page in assuming that both of these commands should return the block line that the authme login set up, or is something else going on?

Use pfctl -vsA, it will return you the anchors nested in authpf/* like:

authpf
authpf/user(pid)
authpf/anotheruser(pid)

Then use pfctl -a 'authpf/user(pid)' -sr to display user's rules.

f.
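The two-step procedure from the reply above, as an added example that is not part of the original thread: it filters an anchor listing down to the per-session authpf anchors and builds the quoted pfctl -a command for each one. The sample listing is constructed (user names and PIDs are made up), and the function names are hypothetical helpers, not pfctl features.

```shell
#!/bin/sh
# Added example: enumerate authpf per-user anchors and show each one's rules.

# Constructed sample in the shape shown in the reply ("authpf", then
# "authpf/user(pid)"); the user names and PIDs are invented for the demo.
SAMPLE_ANCHORS='  authpf
  authpf/jeff(12345)
  authpf/anotheruser(23456)
  ftp-proxy'

# list_authpf_anchors (hypothetical helper): read an anchor listing on
# stdin and print only the per-session authpf anchors, one per line,
# as "anchor user pid". The bare "authpf" parent and unrelated anchors
# are skipped.
list_authpf_anchors() {
    sed -n 's|^[[:space:]]*\(authpf/\([^()/[:space:]]\{1,\}\)(\([0-9]\{1,\}\))\)[[:space:]]*$|\1 \2 \3|p'
}

# authpf_rule_commands (hypothetical helper): turn the listing into the
# second command from the reply. The anchor name contains parentheses,
# so it is single-quoted to keep the shell from interpreting them.
authpf_rule_commands() {
    list_authpf_anchors | while read -r anchor _user _pid; do
        printf "pfctl -a '%s' -sr\n" "$anchor"
    done
}

# show_authpf_rules (hypothetical helper): the live version, for a host
# that actually runs pf; needs the privileges pfctl itself needs.
show_authpf_rules() {
    pfctl -vsA | list_authpf_anchors | while read -r anchor user pid; do
        printf '== rules loaded for %s (authpf pid %s) ==\n' "$user" "$pid"
        pfctl -a "$anchor" -sr
    done
}

# Offline demonstration on the constructed listing.
printf '%s\n' "$SAMPLE_ANCHORS" | authpf_rule_commands
```

On a firewall running authpf, call show_authpf_rules instead of feeding in the sample.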
Odd FFS behavior
Hi there, I have an odd one for you here. I'm trying to copy music from a hard disk (FFS) mounted on /mnt/media. I can play the music with mplayer just fine, but cp seems to refuse to believe that the files exist. What's going on?

---8---
# fsck /mnt/media
** /dev/rwd1a (NO WRITE)
** Last Mounted on /mnt/media
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
50647 files, 14741198 used, 24829133 free (1229 frags, 3103488 blocks, 0.0% fragmentation)
# pwd
/mnt/media/OGG/devil_sold_his_soul
# find a_fragile_hope/
a_fragile_hope/
a_fragile_hope/at_the_end_of_the_tunnel.ogg
a_fragile_hope/as_the_storm_unfolds.ogg
a_fragile_hope/dawn_of_the_first_day.ogg
a_fragile_hope/awaiting_the_flood.ogg
a_fragile_hope/between_two_words.ogg
a_fragile_hope/sirens_chant.ogg
a_fragile_hope/hope.ogg
a_fragile_hope/in_the_absence_of_light.ogg
a_fragile_hope/in_absense_of_light.ogg
a_fragile_hope/the_starting.ogg
a_fragile_hope/the_coroner.ogg
# cp -r a_fragile_hope /mnt/usb
cp: /mnt/usb/a_fragile_hope/the_coroner.ogg: No such file or directory
cp: /mnt/usb/a_fragile_hope/as_the_storm_unfolds.ogg: No such file or directory
cp: /mnt/usb/a_fragile_hope/dawn_of_the_first_day.ogg: No such file or directory
cp: /mnt/usb/a_fragile_hope/awaiting_the_flood.ogg: No such file or directory
cp: /mnt/usb/a_fragile_hope/between_two_words.ogg: No such file or directory
cp: /mnt/usb/a_fragile_hope/sirens_chant.ogg: No such file or directory
cp: /mnt/usb/a_fragile_hope/hope.ogg: No such file or directory
cp: /mnt/usb/a_fragile_hope/in_the_absence_of_light.ogg: No such file or directory
cp: /mnt/usb/a_fragile_hope/in_absense_of_light.ogg: No such file or directory
cp: /mnt/usb/a_fragile_hope/the_starting.ogg: No such file or directory
cp: /mnt/usb/a_fragile_hope/at_the_end_of_the_tunnel.ogg: No such file or directory

-- Best Regards Edd --- http://students.dec.bournemouth.ac.uk/ebarrett
About Xen: maybe a reiterative question but ..
Hi all, I know that from time to time somebody asks the same question, but I need to know: is it planned at some point to release a paravirtualized xen kernel for OpenBSD 4.3 or 4.4??? In March'08 I need to virtualize two openbsd servers under xen (host doesn't support HVM guests). But if it is not possible, I will migrate to NetBSD ... Many thanks. -- CL Martinez carlopmart {at} gmail {d0t} com
Re: Odd FFS behavior
On Mon, 22 Oct 2007, Edd Barrett wrote:

Hi there, I have an odd one for you here. I'm trying to copy music from a hard disk (FFS) mounted on /mnt/media. I can play the music with mplayer just fine, but cp seems to refuse to believe that the files exist. What's going on?

Does your target dir /mnt/usb exist?

-Otto

---8---
# fsck /mnt/media
** /dev/rwd1a (NO WRITE)
** Last Mounted on /mnt/media
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
50647 files, 14741198 used, 24829133 free (1229 frags, 3103488 blocks, 0.0% fragmentation)
# pwd
/mnt/media/OGG/devil_sold_his_soul
# find a_fragile_hope/
a_fragile_hope/
a_fragile_hope/at_the_end_of_the_tunnel.ogg
a_fragile_hope/as_the_storm_unfolds.ogg
a_fragile_hope/dawn_of_the_first_day.ogg
a_fragile_hope/awaiting_the_flood.ogg
a_fragile_hope/between_two_words.ogg
a_fragile_hope/sirens_chant.ogg
a_fragile_hope/hope.ogg
a_fragile_hope/in_the_absence_of_light.ogg
a_fragile_hope/in_absense_of_light.ogg
a_fragile_hope/the_starting.ogg
a_fragile_hope/the_coroner.ogg
# cp -r a_fragile_hope /mnt/usb
cp: /mnt/usb/a_fragile_hope/the_coroner.ogg: No such file or directory
cp: /mnt/usb/a_fragile_hope/as_the_storm_unfolds.ogg: No such file or directory
cp: /mnt/usb/a_fragile_hope/dawn_of_the_first_day.ogg: No such file or directory
cp: /mnt/usb/a_fragile_hope/awaiting_the_flood.ogg: No such file or directory
cp: /mnt/usb/a_fragile_hope/between_two_words.ogg: No such file or directory
cp: /mnt/usb/a_fragile_hope/sirens_chant.ogg: No such file or directory
cp: /mnt/usb/a_fragile_hope/hope.ogg: No such file or directory
cp: /mnt/usb/a_fragile_hope/in_the_absence_of_light.ogg: No such file or directory
cp: /mnt/usb/a_fragile_hope/in_absense_of_light.ogg: No such file or directory
cp: /mnt/usb/a_fragile_hope/the_starting.ogg: No such file or directory
cp: /mnt/usb/a_fragile_hope/at_the_end_of_the_tunnel.ogg: No such file or directory

-- Best Regards Edd --- http://students.dec.bournemouth.ac.uk/ebarrett
Re: MAXDSIZ 1GB memory limit for process
On 10/22/07, Ted Unangst [EMAIL PROTECTED] wrote: On 10/21/07, Richard Storm [EMAIL PROTECTED] wrote:

Is it possible to bypass this limit somehow?

depends, but if it's easy to bypass a limit, it's not much of a limit.

Are there possible workarounds for my program to allocate more memory than 1GB?

Do you plan to increase this limit?

i don't think so.

Don't you think that now, when we have 64bit platforms and RAM gets very cheap, it would be really needed to increase this limit?
Re: Odd FFS behavior
On 22/10/2007, Otto Moerbeek [EMAIL PROTECTED] wrote: Does your target dir /mnt/usb exist? It does. I copied another album onto an SD mounted there and listened to it on the way to work today. -- Best Regards Edd --- http://students.dec.bournemouth.ac.uk/ebarrett
Re: Odd FFS behavior
On Mon, 22 Oct 2007, Edd Barrett wrote: On 22/10/2007, Otto Moerbeek [EMAIL PROTECTED] wrote: Does your target dir /mnt/usb exist? It does. I copied another album onto an SD mounted there and listened to it on the way to work today. Show a ls -la of the source dir and a stat(1) of the dir and at least one of the problem files. -Otto
Re: CEF / MLS (WAS: Re: em(4) - IFCAP_VLAN_MTU IFCAP_VLAN_HWTAGGING ?)
* Brian A Seklecki (Mobile) [EMAIL PROTECTED] [2007-10-22 03:26]: On Mon, 2007-10-22 at 00:12 +0100, Tony Sarendal wrote: On 10/21/07, Henning Brauer [EMAIL PROTECTED] wrote: I'll throw this out there since its been something on my mind for a while: Hardware VLAN tagging, TOE offload, IP/UDP/TCP Checksum offload, interface polling are all ways to accelerate packet forwarding. How about a standards-based hardware-software API equivalent to Cisco's CEF or MLS? The basics: - layer 3 or layer 4 state (flow) is identified and established using software IP-forwarding. - the software dynamically programs the switching hardware backplane ASIC to accelerate forwarding the flow w/o software further inspection (Including Fragment Reassembly, etc.) There is probably a huge market out there for a commodity standards based hardware (if it could be done) not exactly a new idea. have a diff? :) it is incredibly hard. we're slowly moving into a direction where this becomes easier. slowly. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: em(4) - IFCAP_VLAN_MTU IFCAP_VLAN_HWTAGGING ?
* Tony Sarendal [EMAIL PROTECTED] [2007-10-22 01:19]: On 10/21/07, Henning Brauer [EMAIL PROTECTED] wrote:

well, you can go stateful up to a certain point and handle stuff above stateless (better than dropping), like

pass out on X from $foo
pass in on X to $foo
pass out on X from $foo keep state(max 1)

To design a reliable IP network I would need the devices to be able to handle the desired pps rate even when that state limit is exceeded.

so? where is the contradiction here?

Many routing devices have over the years achieved good performance by different flow caching methods, we have over the years also learnt that this is a bad thing in uncontrolled environments like the Internet.

no, that is entirely bullshit, sorry. if flow caching allows your device to work more efficiently in the usual case, hey, excellent, you would be dumb to not use it. this does NOT save you from either leaving enough headroom that you can handle the packet rate when exceeding your state limit or at least know about and live with the limitation.

A reliable IP router is wirespeed and stateless. There is no getting around that.

oh really. I say it is bullshit. there is no single wirespeed in all circumstances router on the market, not even for fast ethernet. that is a marketing gag. a 10 MBit/s stream of correctly and purposefully crafted packets brings each and every router you can buy to its knees. if it works like an OpenBSD machine with stateful filters which prefers established states in the overload case, it doesn't suffer as badly as the stateless ones.

-- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: CEF / MLS (WAS: Re: em(4) - IFCAP_VLAN_MTU IFCAP_VLAN_HWTAGGING ?)
* Claudio Jeker [EMAIL PROTECTED] [2007-10-22 08:17]:

Fragment Reassembly does not happen in the forwarding plane, it happens on the end system. By doing flow based forwarding on the router you're no longer able to do all the additional checks that pf(4) is doing in its stateful forwarding path.

and we don't actually need these on a non-edge router. I'd go so far to say they hurt in that case.

There is probably a huge market out there for a commodity standards based hardware (if it could be done)

I doubt it, the necessary HW is just too expensive and complex.

I totally agree with the statement that there is a huge market for that - but getting supported, fully working hardware at reasonable prices for it is indeed a gigantic challenge.

-- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: Odd FFS behavior
On Mon, 22 Oct 2007, Otto Moerbeek wrote: On Mon, 22 Oct 2007, Edd Barrett wrote: On 22/10/2007, Otto Moerbeek [EMAIL PROTECTED] wrote: Does your target dir /mnt/usb exist? It does. I copied another album onto an SD mounted there and listened to it on the way to work today. Show a ls -la of the source dir and a stat(1) of the dir and at least one of the problem files. Hello, perhaps output of the following will be more useful: mount |grep /mnt/usb df /mnt/usb df -i /mnt/usb ls -la /mnt/usb fsck /mnt/usb The cp program complains about the target files, not the source. Regards, David
Re: Routing iTunes sharing across subnets using OpenBSD
On 22/10/2007, at 12:41 AM, Arnaud Bergeron wrote: 2007/10/21, Damon Schultz [EMAIL PROTECTED]:

Greetings, How would one go about routing multicast DNS packets (e.g. used for iTunes sharing neighbourhood discovery) between two different subnets sharing an OpenBSD router and secured by ipsec(4)? So far from multicast(4) I have determined I need to /sbin/sysctl net.inet.ip.mforwarding=1 and I will most likely need to NAT the packets to alter their source address using pf(4) to fool the mDNS client into believing the peers are on the same subnet - but it's what comes in between about which I'm not certain. Do I need to employ mrouted(8)? This is my first foray into the bizarre world of IP multicasting... All the HOWTOs I've seen so far describing how to share iTunes libraries across different subnets (e.g. http://wiki.mt-daapd.org/wiki/SSH_Tunnel ) employ an ssh tunnel and a client-side mDNS proxy but I can't help but feel that with a network under my control and OpenBSD routing everything there must be a more elegant solution? Any assistance or advice will be appreciated.

For iTunes sharing you will need a protocol forwarder listening on both networks and passing the traffic. You don't need this in the general case of multicast IP traffic, but iTunes has special provision to not share across networks. For the software to do that, I know Network Beacon but it only works on OS X. You may also be able to use howl (which is in ports) to advertise the iTunes shares of one network on the other.

Thanks for your response. I'm aware that iTunes filters traffic outside of its subnet, I'm thinking a pf.conf(5) rule something like

nat on enc0 inet proto udp from $subnet_A to 224/4 port = 5353 -> $subnet_B_gateway static-port

might successfully fool iTunes into not filtering the traffic. This wouldn't successfully route the packet, however, as my routing table shows

224/4 127.0.0.1

which I guess means that multicasted traffic needs the assistance of mrouted(8) or the like to find its destination. Or could I use the route-to option in pf.conf(5) to do this without the complication of running a multicast routing daemon, something like

pass in on enc0 route-to ( enc0 $subnet_B ) inet from $subnet_A to 224/4

I'll experiment with that a bit, but any assistance in the mean time would be appreciated.

Regards, Damon
Re: Odd FFS behavior
David Vasek [EMAIL PROTECTED] writes: On Mon, 22 Oct 2007, Otto Moerbeek wrote: On Mon, 22 Oct 2007, Edd Barrett wrote: On 22/10/2007, Otto Moerbeek [EMAIL PROTECTED] wrote: Does your target dir /mnt/usb exist? It does. I copied another album onto an SD mounted there and listened to it on the way to work today. Show a ls -la of the source dir and a stat(1) of the dir and at least one of the problem files. Hello, perhaps output of the following will be more useful: mount |grep /mnt/usb df /mnt/usb df -i /mnt/usb ls -la /mnt/usb fsck /mnt/usb The cp program complains about the target files, not the source. better use `cp -R' rather than `cp -r'. The man page of cp(1) says so. Regards, David -- And God spake unto Moses, and said unto him, I am the LORD: -- Exodus 6:2
Re: BIND
[redirecting to [EMAIL PROTECTED]

On Mon, Oct 22, 2007 at 07:10:11PM +0800, Regie H. Saberon wrote:

| Hi to all, I just want to ask if BIND is already chrooted on OBSD 4.1?

from named(8) :

When invoked without arguments, named will fork into two processes for privilege separation, chroot() to /var/named, read the default configuration file /var/named/etc/named.conf, read any initial data, and listen for queries. The privileged process will communicate with the child and bind to privileged ports on its behalf. See CAVEATS section below.

| Can someone give me a good wiki about OpenBSD as Domain Name Server.

Again, try named(8). What is it that you want, exactly ?

Cheers, Paul 'WEiRD' de Weerd -- [++-]+++.+++[---].+++[+ +++-].++[-]+.--.[-] http://www.weirdnet.nl/ [demime 1.01d removed an attachment of type application/pgp-signature]
Re: BIND
Thanks for quick response, I want to set-up a Primary Domain Name Server, so that I host my own domain. Is there any good wiki that I can follow?

-Original Message- From: Paul de Weerd [mailto:[EMAIL PROTECTED] Sent: Monday, October 22, 2007 7:13 PM To: Regie H. Saberon Cc: misc@openbsd.org Subject: Re: BIND

[redirecting to [EMAIL PROTECTED]

On Mon, Oct 22, 2007 at 07:10:11PM +0800, Regie H. Saberon wrote:

| Hi to all, I just want to ask if BIND is already chrooted on OBSD 4.1?

from named(8) :

When invoked without arguments, named will fork into two processes for privilege separation, chroot() to /var/named, read the default configuration file /var/named/etc/named.conf, read any initial data, and listen for queries. The privileged process will communicate with the child and bind to privileged ports on its behalf. See CAVEATS section below.

| Can someone give me a good wiki about OpenBSD as Domain Name Server.

Again, try named(8). What is it that you want, exactly ?

Cheers, Paul 'WEiRD' de Weerd -- [++-]+++.+++[---].+++[+ +++-].++[-]+.--.[-] http://www.weirdnet.nl/
Re: BIND
the named(8) man page is quite excellent, if it doesn't cover what you need, try googling for some bind stuff, most of the hits you get will be for Linux, but the named.conf examples are in all likelihood still relevant. Thanks, Josh

On 10/22/07, Regie H. Saberon [EMAIL PROTECTED] wrote:

Thanks for quick response, I want to set-up a Primary Domain Name Server, so that I host my own domain. Is there any good wiki that I can follow?

-Original Message- From: Paul de Weerd [mailto:[EMAIL PROTECTED] Sent: Monday, October 22, 2007 7:13 PM To: Regie H. Saberon Cc: misc@openbsd.org Subject: Re: BIND

[redirecting to [EMAIL PROTECTED]

On Mon, Oct 22, 2007 at 07:10:11PM +0800, Regie H. Saberon wrote:

| Hi to all, I just want to ask if BIND is already chrooted on OBSD 4.1?

from named(8) :

When invoked without arguments, named will fork into two processes for privilege separation, chroot() to /var/named, read the default configuration file /var/named/etc/named.conf, read any initial data, and listen for queries. The privileged process will communicate with the child and bind to privileged ports on its behalf. See CAVEATS section below.

| Can someone give me a good wiki about OpenBSD as Domain Name Server.

Again, try named(8). What is it that you want, exactly ?

Cheers, Paul 'WEiRD' de Weerd -- [++-]+++.+++[---].+++[+ +++-].++[-]+.--.[-] http://www.weirdnet.nl/
Re: em(4) - IFCAP_VLAN_MTU IFCAP_VLAN_HWTAGGING ?
On 10/22/07, Henning Brauer [EMAIL PROTECTED] wrote: * Tony Sarendal [EMAIL PROTECTED] [2007-10-22 01:19]: On 10/21/07, Henning Brauer [EMAIL PROTECTED] wrote:

well, you can go stateful up to a certain point and handle stuff above stateless (better than dropping), like

pass out on X from $foo
pass in on X to $foo
pass out on X from $foo keep state(max 1)

To design a reliable IP network I would need the devices to be able to handle the desired pps rate even when that state limit is exceeded.

so? where is the contradiction here?

No contradiction. If the requirement is to be wirespeed the forwarding performance under ideal conditions is not relevant.

Many routing devices have over the years achieved good performance by different flow caching methods, we have over the years also learnt that this is a bad thing in uncontrolled environments like the Internet.

no, that is entirely bullshit, sorry. if flow caching allows your device to work more efficiently in the usual case, hey, excellent, you would be dumb to not use it. this does NOT save you from either leaving enough headroom that you can handle the packet rate when exceeding your state limit or at least know about and live with the limitation.

A Cisco6509 SUPA1/MSFC2 could do around 10Mpps under normal conditions, but not even 500kpps when flow count exceeded what it could handle in hardware. Good boxes for the internal network, horrible for the datacenter or internet core/edge. Are the 10Mpps they can do relevant if the policy states all devices should be wirespeed ? If we were to use them would we enable the mls switching anyway? Probably.

A reliable IP router is wirespeed and stateless. There is no getting around that.

oh really. I say it is bullshit.

Are you officially stating that the added complexity of stateful forwarding does not increase the likelihood of unpredictable behaviour ?

there is no single wirespeed in all circumstances router on the market, not even for fast ethernet. that is a marketing gag. a 10 MBit/s stream of correctly and purposefully crafted packets brings each and every router you can buy to its knees. if it works like an OpenBSD machine with stateful filters which prefers established states in the overload case, it doesn't suffer as badly as the stateless ones.

Something as simple as being able to forward packets independently of the source/destination pattern and protocol hardly qualifies as the specific/unknown case where you can make a 80Mpps per line card CRS-1's not even forward 10Mbps. OpenBSD once shipped with a remote root compromise, this was addressed. When we find new scenarios that can prevent the routers from performing as expected we try to address that. There will always be unknown corner cases showing up, and that we need to handle. We do not give up and go out and buy Ford Pinto's just because there is a possibility of a new Mercedes blowing up from a slight nudge from behind. No need to get aggressive, Henning. I don't agree with you. I say that a stateless device in general is more reliable than a stateful one.

Regards Tony
Re: MAXDSIZ 1GB memory limit for process
Do you plan to increase this limit? i don't think so. Could somebody explain the reason for the 1 GB maximum datasize per process in OpenBSD? Is this a limit on the heap size of a process, or is it stack size + heap size? I can imagine how this limit might arise on a 32-bit system, since a maximum of 4 GB of memory can be addressed by 32-bits. Perhaps (and this is pure speculation on my part), OpenBSD reserves one bit of every address for some security-related purpose, leaving only 2 GB of addressable memory? And since memory needs to be used for more than just the data of a single userland process, the 1 GB per process limit would make some sense. Am I even close in this hypothesis? How does the maximum datasize work on 64-bit systems?
Help with LiveCD/LIveDVD
Hello all, Please CC to me directly as I am offlist... I am building a LiveCD/LiveDVD based on OpenBSD 4.1 snapshot. I know this is an unofficial page, but I followed the instructions here: http://openbsd-wiki.org/index.php?title=LiveCD I'm using 4.1 because of the libraries required on the LiveDVD. This LiveDVD is used for in-house hardware diagnostics with customized programs written for BSD. I thought it would be easier to boot from CD rather than installing OpenBSD on every machine we need to use as a hardware testbed. The only changes I made to the above instructions were to copy the backup/{} directories instead of tar'ing them and unzipping them. Everything works fine until the hang on boot with the message: Loading CBDR.. The disc then fails to boot. Relevant info: --- I'm burning a re-writable DVD using the above instructions The mkisofs command to burn the image is as follows: /usr/local/bin/mkisofs -no-iso-translate -R -T -allow-leading-dots -l -d -D -N -v -b cdbr -no-emul-boot -c boot.catalog -o /tmp/livecd.iso /livecd Any help would be greatly appreciated. I'm pushing against a deadline, so any tips / pointers / suggestions are also appreciated. Ted Goodridge
Re: machine which freeze with openbsd 4.2
On Sun, Oct 21, 2007 at 09:32:36PM +0200, Matthieu Herrb wrote: On 10/21/07, Firas Kraiem [EMAIL PROTECTED] wrote: Nicolas Letellier wrote: Firas Kraiem wrote: Salut ;) I have the very same problem on my laptop (running 4.2) and I've discovered that the freezings stop if I'm not using the built-in NIC (Realtek Gigabit 8169) but use an USB wifi adapter instead. If you also have a Realtek, maybe it could be due to a bug in the re driver ? Firas Are you sure about what you are saying ? I have already a laptop with this NIC and I have this problem; It means that there is a bug with gigabit realtek 8169 ? Nicolas That's what I saw on mine, anyway. Try to boot it without using the NIC (i.e. delete /etc/hostname.re0) and see if the freezes stop. Firas I see the re(4) hanging my machine problem too. There are at least three open bug reports related to re hanging when used at gigabit speeds. You might try forcing it to 100baseTX. -- Mark
Re: Help with LiveCD/LIveDVD
On 10/22/07, Ted M. Goodridge, Jr. [EMAIL PROTECTED] wrote: Hello all, Please CC to me directly as I am offlist... Relevant info: --- I'm burning a re-writable DVD using the above instructions The mkisofs command to burn the image is as follows: /usr/local/bin/mkisofs -no-iso-translate -R -T -allow-leading-dots -l -d -D -N -v -b cdbr -no-emul-boot -c boot.catalog -o /tmp/livecd.iso /livecd Any help would be greatly appreciated. I'm pushing against a deadline, so any tips / pointers / suggestions are also appreciated Have you tested the .iso in QEMU? Have you tried it on different hardware? Maybe it's because it's a DVD (DVDs might need more drivers than the boot loader has? Maybe try cdboot instead of cdbr? -Nick
Re: BIND
On 10/22/07, Regie H. Saberon [EMAIL PROTECTED] wrote:

Thanks for quick response, I want to set-up a Primary Domain Name Server, so that I hosts my own domain. Is there any good wiki that I can follow?

You have a few options.
- http://www.isc.org/index.pl?/sw/bind/index.php - look at the Administrator Reference Manual.
- Have a look at the default configuration under /var/named/etc/ and /var/named/master/; the configuration is essentially already in place (all you need to do is add your zone data) and you've got a functioning DNS server which is authoritative for your zone(s).
- Pick up the book DNS and BIND (http://www.amazon.com/DNS-BIND-5th-Cricket-Liu/dp/0596100574) which is a nearly necessary reference for BIND administrators.
- Follow relevant advice from http://www.cymru.com/Documents/secure-bind-template.html if you want additional hardening instructions / best practice for your server.

DS
Performance problem with CF card on AMD CS5536 IDE
Hi list, I have got an interesting problem here. When I use a CF card on Geode LX-800 board, the performance is extremely low (about 1MB/s for reading). I suppose it is not a hardware problem: Under windows, the performance of read/writes on the CF is fine. This is what I get in dmesg:

pciide0 at pci0 dev 15 function 2 AMD CS5536 IDE rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: Turbo Industrial CF Card
wd0: 1-sector PIO, LBA, 1983MB, 4062240 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)

(Using a more or less standard 4.1 - kernel) so I guess the kernel is recognizing the controller OK. If I use a standard harddisk under OpenBSD, the performance is fine, too. (I do not have the according dmesg for this, but I can get one if that helps) The same behaviour occurs with other boards (for example the new ALIX board from pcengines). Any ideas?
Re: Help with LiveCD/LIveDVD
qemu doesn't work for some reason. Anytime I try and use qemu I get the error Cannot initialize SDL library... Yes, I have tried it in different hardware. What exactly do cdbr and cdboot do? I get the screen that says OpenBSD boot loader (with the hardware fd1 etc listed), with the Loading /CDBOOT above it and it just hangs. cdbr is listed in the installation instructions as the cdboot loader. cdboot is the second stage boot loader IIRC. Don't hesitate to correct me if I'm wrong here. The help is appreciated. I'm not trying to make install media (that would actually be easy), just boot this liveCD. Has anyone else gotten a LiveDVD to work? Ted

On Mon, 22 Oct 2007 09:21:06 -0500, Nick Guenther [EMAIL PROTECTED] wrote: On 10/22/07, Ted M. Goodridge, Jr. [EMAIL PROTECTED] wrote:

Hello all, Please CC to me directly as I am offlist... Relevant info: --- I'm burning a re-writable DVD using the above instructions The mkisofs command to burn the image is as follows:

/usr/local/bin/mkisofs -no-iso-translate -R -T -allow-leading-dots -l -d -D -N -v -b cdbr -no-emul-boot -c boot.catalog -o /tmp/livecd.iso /livecd

Any help would be greatly appreciated. I'm pushing against a deadline, so any tips / pointers / suggestions are also appreciated

Have you tested the .iso in QEMU? Have you tried it on different hardware? Maybe it's because it's a DVD (DVDs might need more drivers than the boot loader has? Maybe try cdboot instead of cdbr? -Nick

-- Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
Re: Performance problem with CF card on AMD CS5536 IDE
On Oct 22 16:28:49, Stefan Klein wrote:

I have got an interesting problem here. When I use a CF card on Geode LX-800 board, the performance is extremely low (about 1MB/s for reading). I suppose it is not a hardware problem: Under windows, the performance of read/writes on the CF is fine. This is what I get in dmesg:

pciide0 at pci0 dev 15 function 2 AMD CS5536 IDE rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: Turbo Industrial CF Card
wd0: 1-sector PIO, LBA, 1983MB, 4062240 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)

(Using a more or less standard 4.1 - kernel) so I guess the kernel is recognizing the controller OK. If I use a standard harddisk under OpenBSD, the performance is fine, too. (I do not have the according dmesg for this, but I can get one if that helps) The same behaviour occurs with other boards (for example the new ALIX board from pcengines). Any ideas?

I am running an ALIX/4.1 with 2G CF card as its sole storage, and mounting with noatime and softupdates helped the speed a lot.

Jan
Re: Help with LiveCD/LIveDVD
Just an update...it hangs on the message Loading /CDBOOT not cdbr as previously posted. Sorry about that. CC me directly as I am offlist. Ted Goodridge -- Hello all, Please CC to me directly as I am offlist... I am building a LiveCD/LiveDVD based on OpenBSD 4.1 snapshot. I know this is an unofficial page, but I followed the instructions here: http://openbsd-wiki.org/index.php?title=LiveCD I'm using 4.1 because of the libraries required on the LiveDVD. This LiveDVD is used for in-house hardware diagnostics with customized programs written for BSD. I thought it would be easier to boot from CD rather than installing OpenBSD on every machine we need to use as a hardware testbed. The only changes I made to the above instructions were to copy the backup/{} directories instead of tar'ing them and unzipping them. Everything works fine until the hang on boot with the message: Loading CBDR.. The disc then fails to boot. Relevant info: --- I'm burning a re-writable DVD using the above instructions The mkisofs command to burn the image is as follows: /usr/local/bin/mkisofs -no-iso-translate -R -T -allow-leading-dots -l -d -D -N -v -b cdbr -no-emul-boot -c boot.catalog -o /tmp/livecd.iso /livecd Any help would be greatly appreciated. I'm pushing against a deadline, so any tips / pointers / suggestions are also appreciated. Ted Goodridge -- Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
Re: Help with LiveCD/LIveDVD
cdbr is listed in the installation instructions as the cdboot loader. cdboot is the second stage boot loader IIRC. Don't hesitate to correct me if I'm wrong here. Oh, no, that sounds about right, I guess. The help is appreciated. I'm not trying to make install media (that would actually be easy), just boot this liveCD. Has anyone else gotten a LiveDVD to work? Ted If you make a LiveCD (not DVD) does it work? The How-to says you can use this to build a LiveDVD. I thought that the bios booted the same if it was a dvd or a cd...? I really need the space a DVD offers. Does the CD boot loader have trouble with DVDs? Ted
Re: Help with LiveCD/LIveDVD
On 10/22/07, Ted M. Goodridge, Jr. [EMAIL PROTECTED] wrote: On Mon, 22 Oct 2007 09:21:06 -0500, Nick Guenther [EMAIL PROTECTED] wrote: On 10/22/07, Ted M. Goodridge, Jr. [EMAIL PROTECTED] wrote: Hello all, Please CC to me directly as I am offlist... Relevant info: --- I'm burning a re-writable DVD using the above instructions The mkisofs command to burn the image is as follows: /usr/local/bin/mkisofs -no-iso-translate -R -T -allow-leading-dots -l -d -D -N -v -b cdbr -no-emul-boot -c boot.catalog -o /tmp/livecd.iso /livecd Any help would be greatly appreciated. I'm pushing against a deadline, so any tips / pointers / suggestions are also appreciated Have you tested the .iso in QEMU? Have you tried it on different hardware? Maybe it's because it's a DVD (DVDs might need more drivers than the boot loader has? Maybe try cdboot instead of cdbr? -Nick qemu doesn't work for some reason. Anytime I try and use qemu I get the error Cannot initialize SDL library... Is SDL installed right? Wait.. are you running in X or console? Qemu needs graphics. Yes, I have tried it in different hardware. What exactly do cdbr and cdboot do? I get the screen that says OpenBSD boot loader (with the hardware fd1 etc listed), with the Loading /CDBOOT above it and it just hangs. cdbr is listed in the installation instructions as the cdboot loader. cdboot is the second stage boot loader IIRC. Don't hesitate to correct me if I'm wrong here. Oh, no, that sounds about right, I guess. The help is appreciated. I'm not trying to make install media (that would actually be easy), just boot this liveCD. Has anyone else gotten a LiveDVD to work? Ted If you make a LiveCD (not DVD) does it work? -Nick
Re: machine which freeze with openbsd 4.2
On 21/10/2007, Matthieu Herrb [EMAIL PROTECTED] wrote: On 10/21/07, Firas Kraiem [EMAIL PROTECTED] wrote: Nicolas Letellier wrote: Firas Kraiem wrote: Hi ;) I have the very same problem on my laptop (running 4.2) and I've discovered that the freezings stop if I'm not using the built-in NIC (Realtek Gigabit 8169) but use an USB wifi adapter instead. If you also have a Realtek, maybe it could be due to a bug in the re driver? Firas Are you sure about what you are saying? I have already a laptop with this NIC and I have this problem; It means that there is a bug with gigabit realtek 8169? Nicolas That's what I saw on mine, anyway. Try to boot it without using the NIC (i.e. delete /etc/hostname.re0) and see if the freezes stop. Firas I see the re(4) hanging my machine problem too. One more data point: cnst@ found out that having lots of multicast traffic on your local net (Mac OS X machines, IPv6,...) greatly increases the probability of such hangs happening. Actually, that's what you told me. :) I simply noticed that the machine reliably freezes every time I power up my iBook with OS X. kernel/5504: re(4) on ASUS V3-P5G965 Core 2 Duo ... http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yesnumbers=5504 FWIW, I've also noticed that sftp'ing the machine from a Windows box on the same local network can reliably freeze it, too. (Although non-sftp ssh sessions never caused the machine to freeze.) One other interesting point is that it appears that only one processor would freeze (e.g. sometimes it is still possible to login from the console and do a few things until the box is totally frozen). FreeBSD 7.0 re(4) does not appear to be affected by this bug (insofar as the machine doesn't freeze). Cheers, Constantine.
Re: machine which freeze with openbsd 4.2
Hello everybody, thanks to all for your responses! I have a laptop and a desktop. They have an 8169 NIC realtek... And these 2 machines freeze. When I disable these NICs, I have no problems. In this page http://www.openbsd.org/i386.html, the chipset 8169 is not written. I think it doesn't work 'well'. So, in my laptop, I use wifi, and in the desktop, I bought another NIC :-) Thanks to everybody who helped me! Nicolas Mark Zimmerman wrote: On Sun, Oct 21, 2007 at 09:32:36PM +0200, Matthieu Herrb wrote: On 10/21/07, Firas Kraiem [EMAIL PROTECTED] wrote: Nicolas Letellier wrote: Firas Kraiem wrote: Hi ;) I have the very same problem on my laptop (running 4.2) and I've discovered that the freezings stop if I'm not using the built-in NIC (Realtek Gigabit 8169) but use an USB wifi adapter instead. If you also have a Realtek, maybe it could be due to a bug in the re driver? Firas Are you sure about what you are saying? I have already a laptop with this NIC and I have this problem; It means that there is a bug with gigabit realtek 8169? Nicolas That's what I saw on mine, anyway. Try to boot it without using the NIC (i.e. delete /etc/hostname.re0) and see if the freezes stop. Firas I see the re(4) hanging my machine problem too. There are at least three open bug reports related to re hanging when used at gigabit speeds. You might try forcing it to 100baseTX. -- Mark -- Nicolas Letellier, system administrator Personal site: http://nicoelro.net Curriculum vitae: http://nletellier.info OpenBSD - free, functional and secure
Re: Performance problem with CF card on AMD CS5536 IDE
pciide0 at pci0 dev 15 function 2 AMD CS5536 IDE rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: Turbo Industrial CF Card
wd0: 1-sector PIO, LBA, 1983MB, 4062240 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
This looks normal. I've yet to find a CF-IDE Adapter combination that makes it into full Ultra-DMA mode 4. CF Media is generally slower than modern high perf. disks, depending a lot on the manufacturer quality. For my bsd-appliance project, I use CF media strictly for booting a MD/RD kernel image. If you're doing a full-install on the CF card, you've got the wrong approach. You're going to nuke your CF media with all of that atime update and IO cache flush overhead. There's no progress(1) in OpenBSD yea, so I'm not sure about the exact speed, but I'm able to un-pax(1) a 20-60 meg kernel image into MFS /usr in about 10 seconds. ARInfotek AMD-Geode 800 SBC (500MHz) ~BAS
Re: em(4) - IFCAP_VLAN_MTU IFCAP_VLAN_HWTAGGING ?
* Tony Sarendal [EMAIL PROTECTED] [2007-10-22 14:59]: On 10/22/07, Henning Brauer [EMAIL PROTECTED] wrote: * Tony Sarendal [EMAIL PROTECTED] [2007-10-22 01:19]: On 10/21/07, Henning Brauer [EMAIL PROTECTED] wrote: well, you can go stateful up to a certain point and handle stuff above stateless (better than dropping), like pass out on X from $foo pass in on X to $foo pass out on X from $foo keep state(max 1) To design a reliable IP network I would need the devices to be able to handle the desired pps rate even when that state limit is exceeded. so? where is the contradiction here? No contradiction. If the requirement is to be wirespeed the forwarding performance under ideal conditions is not relevant. with the amount of states you can handle, I don't think it is a limit very relevant in practice. Or, in other words, if you need to handle so many more flows than we can handle statefully, you are at a point where you cannot realisticly use a commodity hardware router any more. Many routing devices have over the years achieved good performance by different flow caching methods, we have over the years also learnt that this is a bad thing in uncontrolled environments like the Internet. no, that is entirely bullshit, sorry. if flow cahcing allows your device to work more efficient in the usual case, hey, excellent, you would be dumb to not use it. this does NOT save you from either leaving enough headroom that you can heandle the packet rate when exceeding your state limit or at least know about and live with the limitation. A Cisco6509 SUPA1/MSFC2 could do around 10Mpps under normal conditions, but not even 500kpps when flow count exceeded what it could handle in hardware. Good boxes for the internal network, horrible for the datacenter or internet core/edge. and I bet I can make up a 10 or maybe 100 Kpps stream that makes it fall over. A reliable IP router is wirespeed and stateless. There is no getting around that. oh really. 
I say it is bullshit Are you officially stating that the added complexity of stateful forwarding does not increase the likelihood of unpredictable behaviour? yes. the state tracking is not THAT difficult and very very very mature. there is no single wirespeed in all circumstances router on the market, not even for fast ethernet. that is a marketing gag. a 10 MBit/s stream of correctly and purposefully crafted packets brings each and every router you can buy to its knees. if it works like an OpenBSD machine with stateful filters which prefers established states in the overload case, it doesn't suffer as badly as the stateless ones. Something as simple as being able to forward packets independently of the source/destination pattern and protocol hardly qualifies as the specific/unknown case where you can make a 80Mpps per line card CRS-1's not even forward 10Mbps. i can't parse what you wanna say here. OpenBSD once shipped with a remote root compromise, this was addressed. When we find new scenarios that can prevent the routers from performing as expected we try to address that. There will always be unknown corner cases showing up, and that we need to handle. which is totally independent from specific implementations. this is true for each and every piece of hard software available. No need to get aggressive, Henning. I'm not aggressive :) I don't agree with you. I say that a stateless device in general is more reliable than a stateful one. and I say that is totally poop. It is a marketing lie. -- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
Re: RAIDFrame woes with -current. Seeking debug advice
Josh, I experienced this same problem during a recent migration to RAIDframe Auto-configuration. I had a RAID 1 root auto-configured RAID set, and a RAID 0 auto-configured set. The source tree I was using dates back to August 5th so it is obviously outside of your 12-hour window. However, I pinpointed my hang due to a CD-ROM being connected to the IDE port on the motherboard. Without the CD-ROM drive, the RAIDframe Auto-configure would proceed as expected. I don't know if this will help, considering I do not have a dmesg on hand. The server is already deployed and I cannot experiment with CD-ROM drive insertion/removal. I can tell you that the offending CD-ROM drive is a LITE-ON CD-ROM Drive model LTN-483S if that is of any consequence. And yes, RAID_AUTOCONFIG is set in the kernel config. Without it, the RAIDframe would proceed as expected with or without the CD-ROM drive. -Brian Josh Grosse wrote: [snip] The symptom: hang after normal kernel message: Kernelized RAIDframe Activated [snip] atapiscsi0 at pciide0 channel 1 drive 0 scsibus0 at atapiscsi0: 2 targets cd0 at scsibus0 targ 0 lun 0: LITE-ON, DVDRW SHW-160P6S, PS01 SCSI0 5/cdrom removable [snip]
Re: Help with LiveCD/LIveDVD
On 10/22/07, Ted M. Goodridge, Jr. [EMAIL PROTECTED] wrote: cdbr is listed in the installation instructions as the cdboot loader. cdboot is the second stage boot loader IIRC. Don't hesitate to correct me if I'm wrong here. Oh, no, that sounds about right, I guess. The help is appreciated. I'm not trying to make install media (that would actually be easy), just boot this liveCD. Has anyone else gotten a LiveDVD to work? Ted If you make a LiveCD (not DVD) does it work? The How-to says you can use this to build a LiveDVD. I thought that the bios booted the same if it was a dvd or a cd...? I really need the space a DVD offers. Yeah you'd think that. But don't trust it. Does the CD boot loader have trouble with DVDs? It might. Who knows? CDs are a much more standard technology. Try it first with CDs and make sure that works. Always work from a known good, right? You could always netboot (PXE) these computers, you know. -Nick
Update features on PF(OpenBSD4.2)
hi folks, I saw this performance issue with pf on a AMD64 firewall: below is the link http://www.nabble.com/firewall-is-very-slow%2C-something%27s-wrong-t4572653i20.html it states that pf on 4.2 performs much better than in 4.1. having said this, is it possible to be able to just update pf's feature instead of going through the entire OS upgrade? since I'm really going after the features of pf, and happy with how 4.1 is. any comments are awesomely appreciated. thanks, -beavis
Re: Performance problem with CF card on AMD CS5536 IDE
On 10/22/07, Brian A. Seklecki [EMAIL PROTECTED] wrote: For my bsd-appliance project, I use CF media strictly for booting a MD/RD kernel image. If you're doing a full-install on the CF card, you've got the wrong approach. You're going to nuke your CF media with all of that atime update and IO cache flush overhead.
In a word: bullshit
In more words: I've been running production devices for 5yrs with CF mounted rw. I use async and noatime so it feels faster, not to prolong the longevity of the card. A couple of months ago I took an older (ca. 2004) 256M sandisk card, and ran iogen on it for a month; I put several terabytes through it and the card is just fine. I'm sure it'll fail catastrophically when all the spare sectors give out, but how is that different from a spinning magnetic disk? Try it sometime. CF may still be slow, but it's not unreliable.
There's no progress(1) in OpenBSD yea, so I'm not sure about the exact speed, but I'm able to un-pax(1) a 20-60 meg kernel image into MFS /usr in about 10 seconds. ARInfotek AMD-Geode 800 SBC (500MHz) ~BAS
ftp -Vm -o - file:///path/to/i386/base42.tgz | tar -C /mnt/cfdisk -zxpf -
CK -- GDB has a 'break' feature; why doesn't it have 'fix' too?
Re: em(4) - IFCAP_VLAN_MTU IFCAP_VLAN_HWTAGGING ?
On 10/22/07, Henning Brauer [EMAIL PROTECTED] wrote: * Tony Sarendal [EMAIL PROTECTED] [2007-10-22 14:59]: On 10/22/07, Henning Brauer [EMAIL PROTECTED] wrote: * Tony Sarendal [EMAIL PROTECTED] [2007-10-22 01:19]: On 10/21/07, Henning Brauer [EMAIL PROTECTED] wrote: well, you can go stateful up to a certain point and handle stuff above stateless (better than dropping), like pass out on X from $foo pass in on X to $foo pass out on X from $foo keep state(max 1) To design a reliable IP network I would need the devices to be able to handle the desired pps rate even when that state limit is exceeded. so? where is the contradiction here? No contradiction. If the requirement is to be wirespeed the forwarding performance under ideal conditions is not relevant. with the amount of states you can handle, I don't think it is a limit very relevant in practice. Or, in other words, if you need to handle so many more flows than we can handle statefully, you are at a point where you cannot realisticly use a commodity hardware router any more. Many routing devices have over the years achieved good performance by different flow caching methods, we have over the years also learnt that this is a bad thing in uncontrolled environments like the Internet. no, that is entirely bullshit, sorry. if flow cahcing allows your device to work more efficient in the usual case, hey, excellent, you would be dumb to not use it. this does NOT save you from either leaving enough headroom that you can heandle the packet rate when exceeding your state limit or at least know about and live with the limitation. A Cisco6509 SUPA1/MSFC2 could do around 10Mpps under normal conditions, but not even 500kpps when flow count exceeded what it could handle in hardware. Good boxes for the internal network, horrible for the datacenter or internet core/edge. and I bet I can make up a 10 or maybe 100 Kpps stream that makes it fall over. A reliable IP router is wirespeed and stateless. There is no getting around that. 
oh really. I say it is bullshit Are you officially stating that the added complexity of stateful forwarding does not increase the likelihood of unpredictable behaviour? yes. the state tracking is not THAT difficult and very very very mature. there is no single wirespeed in all circumstances router on the market, not even for fast ethernet. that is a marketing gag. a 10 MBit/s stream of correctly and purposefully crafted packets brings each and every router you can buy to its knees. if it works like an OpenBSD machine with stateful filters which prefers established states in the overload case, it doesn't suffer as badly as the stateless ones. Something as simple as being able to forward packets independently of the source/destination pattern and protocol hardly qualifies as the specific/unknown case where you can make a 80Mpps per line card CRS-1's not even forward 10Mbps. i can't parse what you wanna say here. OpenBSD once shipped with a remote root compromise, this was addressed. When we find new scenarios that can prevent the routers from performing as expected we try to address that. There will always be unknown corner cases showing up, and that we need to handle. which is totally independent from specific implementations. this is true for each and every piece of hard software available. No need to get aggressive, Henning. I'm not aggressive :) I don't agree with you. I say that a stateless device in general is more reliable than a stateful one. and I say that is totally poop. It is a marketing lie. I didn't get that opinion from marketing. No matter, we disagree, let's leave it at that. /Tony
Re: Update features on PF(OpenBSD4.2)
On Mon, Oct 22, 2007 at 10:20:41AM -0600, Beavis wrote:
| hi folks,
|
| I saw this performance issue with pf on a AMD64firewall: below is the link
|
| http://www.nabble.com/firewall-is-very-slow%2C-something%27s-wrong-t4572653i20.html
|
| it states that pf on 4.2 performs much better than in 4.1. having said
| this, is it possible to be able to just update pf's feature instead of
| going through the entire OS upgrade? since im really going after the
| features of pf, and happy with how 4.1 is.
Some of the improvements are outside of pf (some drivers have had drastic improvements), so only updating pf may not even get you all the new performance improvements that were made between 4.1 and 4.2.
However, since pf is part of the kernel, the short answer to your question is no. You must upgrade the kernel to be able to use the new pf. The new kernel requires new userland, so that too must be upgraded.
If you really want, and are a highly qualified coder, you could try to backport the improvements to 4.1. You'll find that upgrading is way (and I do mean *WAY*) easier than doing this work. If you are such a skilled programmer, your time is probably better spent doing other useful stuff (maybe improve pf even more).
The upgrade will take you a couple of minutes to an hour, depending on your exact situation. The backport will take you probably about six months and a team of dedicated OpenBSD developers. You will at the end be left with something that is not OpenBSD 4.1 anymore. How (and when) are you going to upgrade that?
Unless you consider this backport-thing a fun exercise, I would recommend against doing it.
Cheers, Paul 'WEiRD' de Weerd -- [++-]+++.+++[---].+++[+ +++-].++[-]+.--.[-] http://www.weirdnet.nl/
Re: Update features on PF(OpenBSD4.2)
On 10/22/07, Beavis [EMAIL PROTECTED] wrote: hi folks, I saw this performance issue with pf on a AMD64 firewall: below is the link http://www.nabble.com/firewall-is-very-slow%2C-something%27s-wrong-t4572653i20.html it states that pf on 4.2 performs much better than in 4.1. having said this, is it possible to be able to just update pf's feature instead of going through the entire OS upgrade? since I'm really going after the features of pf, and happy with how 4.1 is. I am not certain I understand the negative impact of a full 4.2 upgrade. Sam Fourman Jr.
Re: Odd FFS behavior
I have experienced similar behaviour, except that, with me, after I do an archive extraction, or a file concatenation of many files, while the file system only shows one set of files, additional files which were deleted after the extraction, continue to be listed as existing when I try to do operations on the directory as a whole.
$ cp -R dir new/
Failure! Cannot copy some non-existent file.
$ cp -R dir/*.x new/
Works.
It is very strange.
-- ((name Aaron Hsu) (email/xmpp [EMAIL PROTECTED]) (phone 703-597-7656) (site http://www.aaronhsu.com))
Re: Update features on PF(OpenBSD4.2)
thanks for the reply guys, I currently run CARP and pfsync on both boxes (upgrade can be done with less downtime) though I haven't tried to stress test my setup, I guess this upgrade is do-able. instead of coding (I'm not a coder). regards, -beavis On 10/22/07, Paul de Weerd [EMAIL PROTECTED] wrote: On Mon, Oct 22, 2007 at 10:20:41AM -0600, Beavis wrote: | hi folks, | |I saw this performance issue with pf on a AMD64firewall: below is the link | | http://www.nabble.com/firewall-is-very-slow%2C-something%27s-wrong-t4572653i20.html | | it states that pf on 4.2 performs much better than in 4.1. having said | this, is it possible to be able to just update pf's feature instead of | going through the entire OS upgrade? since im really going after the | features of pf, and happy with how 4.1 is. Some of the improvements are outside of pf (some drivers have had drastic improvements), so only updating pf may not even get you all the new performance improvements that were made between 4.1 and 4.2. However, since pf is part of the kernel, the short answer to your question is no. You must upgrade the kernel to be able to use the new pf. The new kernel requires new userland, so that too must be upgraded. If you really want, and are a highly qualified coder, you could try to backport the improvements to 4.1. You'll find that upgrading is way (and I do mean *WAY*) easier than doing this work. If you are such a skilled programmer, your time is probably better spent doing other useful stuff (maybe improve pf even more). The upgrade will take you a couple of minutes to an hour, depending on your exact situation. The backport will take you probably about six months and a team of dedicated OpenBSD developers. You will at the end be left with something that is not OpenBSD 4.1 anymore. How (and when) are you going to upgrade that? Unless you consider this backport-thing a fun exercise, I would recommend against doing it.
Cheers, Paul 'WEiRD' de Weerd -- [++-]+++.+++[---].+++[+ +++-].++[-]+.--.[-] http://www.weirdnet.nl/
Re: MAXDSIZ 1GB memory limit for process
Richard Storm wrote: On 10/22/07, Ted Unangst [EMAIL PROTECTED] wrote: On 10/21/07, Richard Storm [EMAIL PROTECTED] wrote: Is it possible to bypass this limit somehow? depends, but if it's easy to bypass a limit, it's not much of a limit. Is there possible workarounds for my program to allocate more memory than 1GB? http://monkey.org/openbsd/archive/misc/0412/msg01039.html So mmap seems to be the way. Greetings Markus
Re: MAXDSIZ 1GB memory limit for process
On Mon, Oct 22, 2007 at 07:17:02PM +0200, Markus Hennecke wrote: Richard Storm schrieb: On 10/22/07, Ted Unangst [EMAIL PROTECTED] wrote: On 10/21/07, Richard Storm [EMAIL PROTECTED] wrote: Is it possible to bypass this limit somehow? depends, but if it's easy to bypass a limit, it's not much of a limit. Is there possible workarounds for my program to allocate more memory than 1GB? http://monkey.org/openbsd/archive/misc/0412/msg01039.html So mmap seems to be the way. it's outdated. mmap is counted into dsiz limit now. cu -- paranoic mickey (my employers have changed but, the name has remained)
Re: USB Disk problems
On 18/10/07 10:28 Edwards, David (JTS) wrote: Hi, I'm trying to use USB disks as backup devices and I'm finding that I have problems when I plug in more than two USB drives. I'm using 250G laptop disks powered from the USB cable. Is anyone else seeing this sort of problem? Would an upgrade to 4.2 help? FWIW, I have one USB disc where the external power feed goes nowhere. If I try to run it on an external feed, a light will come up but the drive still feeds on the USB. Also the power brick you are using could be broken/miswired. Can you verify power consumption on the external feed for the drives/HUB? Maybe by using a laboratory power supply or an ammeter? regards tilo
Re: Help with LiveCD/LIveDVD
Hi, I hope you succeed. I'd be very interested in a live cd/dvd for obsd. As you say, it's ideal to test hardware, but I don't have the time to do it myself. Btw, why obsd 4.1? Do you plan to upload the iso to some site? There were some projects, like quetzal and olivebsd, but they died, I think. good luck, Pau 2007/10/22, Ted M. Goodridge, Jr. [EMAIL PROTECTED]: Hello all, Please CC to me directly as I am offlist... I am building a LiveCD/LiveDVD based on OpenBSD 4.1 snapshot. I know this is an unofficial page, but I followed the instructions here: http://openbsd-wiki.org/index.php?title=LiveCD I'm using 4.1 because of the libraries required on the LiveDVD. This LiveDVD is used for in-house hardware diagnostics with customized programs written for BSD. I thought it would be easier to boot from CD rather than installing OpenBSD on every machine we need to use as a hardware testbed. The only changes I made to the above instructions were to copy the backup/{} directories instead of tar'ing them and unzipping them. Everything works fine until the hang on boot with the message: Loading CBDR.. The disc then fails to boot. Relevant info: --- I'm burning a re-writable DVD using the above instructions The mkisofs command to burn the image is as follows: /usr/local/bin/mkisofs -no-iso-translate -R -T -allow-leading-dots -l -d -D -N -v -b cdbr -no-emul-boot -c boot.catalog -o /tmp/livecd.iso /livecd Any help would be greatly appreciated. I'm pushing against a deadline, so any tips / pointers / suggestions are also appreciated. Ted Goodridge
Re: MAXDSIZ 1GB memory limit for process
On 10/22/07, Richard Storm [EMAIL PROTECTED] wrote: Is there possible workarounds for my program to allocate more memory than 1GB? you can mmap a large file with PROT_SHARED. this doesn't count as data, since you are in essence providing your own swap file for it. Don't you think, that now when we have 64bit platform and RAM gets very cheap, it would be really needed to increase this limit? i think the problem is more about what MAXDSIZ is used for than its value. it's not as simple as just bumping a number. and changing the meaning of a number is no easy change either. for the most part, the limit doesn't affect many people.
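The file-backed mapping suggested in the message above, as an added C example that is not part of the original thread; in mmap(2) the sharing flag is spelled MAP_SHARED. The struct and function names, the /tmp template and the sizes are assumptions made for this sketch, and whether such a mapping is charged against the data-size limit depends on the kernel version, a point the thread itself disputes.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700        /* mkstemp, pread, ftruncate */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical handle for one file-backed scratch region. */
struct scratch {
    int    fd;
    void  *base;
    size_t len;
};

/* Soft RLIMIT_DATA of this process, or 0 if it cannot be read. */
unsigned long long data_limit_soft(void)
{
    struct rlimit rl;

    if (getrlimit(RLIMIT_DATA, &rl) != 0)
        return 0;
    return (unsigned long long)rl.rlim_cur;
}

/* Create an unnamed temporary file of len bytes and map it shared. */
int scratch_open(struct scratch *s, size_t len)
{
    char path[] = "/tmp/scratch.XXXXXX";   /* assumed location */

    if (len == 0)
        return -1;
    s->fd = mkstemp(path);                 /* created with mode 0600 */
    if (s->fd < 0)
        return -1;
    /* Drop the name at once: no other user can open the file, and
     * the blocks are released when the descriptor is closed. The
     * contents still reach the disk, so do not keep secrets here. */
    unlink(path);
    if (ftruncate(s->fd, (off_t)len) != 0) {   /* sparse file */
        close(s->fd);
        return -1;
    }
    s->base = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED,
        s->fd, 0);
    if (s->base == MAP_FAILED) {
        close(s->fd);
        return -1;
    }
    s->len = len;
    return 0;
}

/* Unmap and close; returns 0 only if both steps succeed. */
int scratch_close(struct scratch *s)
{
    int rc = munmap(s->base, s->len);

    if (close(s->fd) != 0)
        rc = -1;
    return rc;
}

/* Store through the mapping, read back through the descriptor.
 * Returns 1 when the file holds the bytes that were stored. */
int scratch_roundtrip(size_t len)
{
    struct scratch s;
    unsigned char *p, first = 0, last = 0;
    int ok;

    if (len < 2 || scratch_open(&s, len) != 0)
        return 0;
    p = s.base;
    p[0] = 0xA5;                    /* touches only the first page */
    p[len - 1] = 0x5A;              /* and the last page */
    ok = msync(s.base, s.len, MS_SYNC) == 0
        && pread(s.fd, &first, 1, 0) == 1
        && pread(s.fd, &last, 1, (off_t)(len - 1)) == 1
        && first == 0xA5 && last == 0x5A;
    if (scratch_close(&s) != 0)
        ok = 0;
    return ok;
}

int main(void)
{
    printf("soft data limit: %llu bytes\n", data_limit_soft());
    printf("16 MiB shared file mapping: %s\n",
        scratch_roundtrip((size_t)16 << 20) ? "ok" : "failed");
    return 0;
}
```

Pages of such a mapping are written back to the file rather than to swap, so the region needs as much free space under /tmp as the program actually touches.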
Re: Help! I'm having Linux foisted on me! (PF queuing woes)
Joshua Smith wrote: Out of curiosity what are these two extremely rare cases? [snip] One example off the top of my head (and ipsec.conf(5)) is the enc0 interface. You wouldn't set your state-policy to this, but each individual rule would use if-bound to prevent traffic from going out your egress when an IPsec SA is removed/expires before the state is removed/expires (think isakmpd and the various reasons an SA can disappear). Of course, if I am wrong and if-bound shouldn't be used in this case, ipsec.conf(5) should be updated appropriately. -Brian
Re: cp(1) bug ?
On 22 Oct 2007 01:30:57 +0200, Artur Grabowski [EMAIL PROTECTED] wrote: Tom Van Looy [EMAIL PROTECTED] writes: on unix everything is a file? s/unix/Plan 9/g http://en.wikipedia.org/wiki/Plan_9_from_Bell_Labs no, it's not. It's the dumbed down truth so that you can explain to random people what the hell Unix is, or rather to make them have a dumb look on their face and nod. A process is not a file, a memory region is not a file, the sysctl tree is not a file, there's plenty of stuff that is as far from files as you can get. Many directory operations are explicitly not done on file descriptors because it would be too complicated. //art -- www.ropersonline.com
Re: About Xen: maybe a reiterative question but ..
On 22/10/2007, carlopmart [EMAIL PROTECTED] wrote: Hi all, I know that time to time somebody do the same question, but I need to know it: is it planned at some point to release a paravirtualized xen kernel for OpenBSD 4.3 or 4.4??? It already exists. You can run OpenBSD DomUs (ie. run OpenBSD as a Xen guest**), but AFAIK you still can't run OpenBSD Dom0s (ie. run OpenBSD as a Xen host**). See http://www.ropersonline.com/openbsd/xen/ ** This is a flawed metaphor, because Xen is a _hypervisor_, NOT an emulator. The Domain U installs are not really running as guest OSes, and the Domain zero installations are not really running as host OSes. But you need at least one Dom0 (which when I last looked into this still could not be OpenBSD) and you can install OpenBSD as a DomU. I know very little, apart from having been curious once. If you want to know more, you probably really should talk to Christoph Egger, who did the actual porting work. Thanks and regards, --ropers
Re: About Xen: maybe a reiterative question but ..
On 10/22/07, ropers [EMAIL PROTECTED] wrote: On 22/10/2007, carlopmart [EMAIL PROTECTED] wrote: Hi all, I know that time to time somebody do the same question, but I need to know it: is it planned at some point to release a paravirtualized xen kernel for OpenBSD 4.3 or 4.4??? It already exists. You can run OpenBSD DomUs (ie. run OpenBSD as a Xen guest**), but AFAIK you still can't run OpenBSD Dom0s (ie. run OpenBSD as a Xen host**). See http://www.ropersonline.com/openbsd/xen/ ** This is a flawed metaphor, because Xen is a _hypervisor_, NOT an emulator. The Domain U installs are not really running as guest OSes, and the Domain zero installations are not really running as host OSes. But you need at least one Dom0 (which when I last looked into this still could not be OpenBSD) and you can install OpenBSD as a DomU. So that means that OpenBSD has code in it right now that detects if it's running under Xen and paravirtualizes itself? -Nick
Re: BIND
Hello everybody, May I suggest: http://www.zytrax.com/books/dns/ DNS for Rocket Scientists This Open Source Guide is about DNS and (mostly) BIND 9.x on Linux (Fedora Core), BSD's (FreeBSD, OpenBSD and NetBSD) and Windows (Win 2K, XP, Server 2003). It is meant for newbies, Rocket Scientist wannabees and anyone in between. With regards, Jean-philippe. Regie H. Saberon wrote: Thanks for quick response, I want to set-up a Primary Domain Name Server, so that I hosts my own domain. Is there any good wiki that I can follow?
Biometrics
I've been looking for some time now for biometric software for OpenBSD, to work in XDM or KDM. I need it to support Keytronic F-SCAN-K001US; if nothing exists, I guess it's back to a regular keyboard. I don't think I can run Bio-Logon 3.0 through wine as a system process like that, so I'm just looking for some kind of biometric software, suite, or project that supports my keyboard/scanner. Thanks, Cyrus
Re: MAXDSIZ 1GB memory limit for process
On 10/22/07, Ted Unangst [EMAIL PROTECTED] wrote: On 10/22/07, Richard Storm [EMAIL PROTECTED] wrote: Is there possible workarounds for my program to allocate more memory than 1GB? you can mmap a large file with PROT_SHARED. this doesn't count as data, since you are in essence providing your own swap file for it. Does implementing PROT_SHARED workaround will work just like RAM or the disk will be hit even if swaping will not happen? Don't you think, that now when we have 64bit platform and RAM gets very cheap, it would be really needed to increase this limit? i think the problem is more about what MAXDSIZ is used for than its value. it's not as simple as just bumping a number. and changing the meaning of a number is no easy change either. for the most part, the limit doesn't affect many people. Thank you for explanation, however it is hard to understand is it possible to increase it or not use for memory allocation, or is it hardware limit(!?)
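The workaround Ted Unangst describes in this thread, sketched as an added example (not code from the thread or from OpenBSD): a region backed by a file mapping created with the mmap(2) flag MAP_SHARED, obtained while the soft RLIMIT_DATA is lowered to 8 MB. The scratch path under /tmp, the sizes and the function names are assumptions, and whether a given kernel counts such a mapping against the data limit is platform-specific.

```c
#define _XOPEN_SOURCE 700
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

/* Map len bytes backed by an unlinked temporary file; NULL on failure. */
static void *file_backed_alloc(size_t len)
{
    char path[] = "/tmp/bigmem.XXXXXX";   /* assumed scratch location */
    int fd = mkstemp(path);
    if (fd == -1)
        return NULL;
    unlink(path);                         /* file vanishes with the mapping */
    if (ftruncate(fd, (off_t)len) == -1) {
        close(fd);
        return NULL;
    }
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    close(fd);                            /* the mapping keeps the file open */
    return p == MAP_FAILED ? NULL : p;
}

/* Lower soft RLIMIT_DATA to limit, map and touch len bytes; 0 if data holds. */
int alloc_past_data_limit(size_t limit, size_t len)
{
    struct rlimit old, low;
    if (getrlimit(RLIMIT_DATA, &old) == -1)
        return -1;
    low = old;
    low.rlim_cur = (rlim_t)limit < old.rlim_max ? (rlim_t)limit : old.rlim_max;
    if (setrlimit(RLIMIT_DATA, &low) == -1)
        return -1;
    int rc = -1;
    unsigned char *p = file_backed_alloc(len);
    if (p != NULL) {
        size_t pg = (size_t)sysconf(_SC_PAGESIZE);
        rc = 0;
        for (size_t off = 0; off < len; off += pg)   /* write one byte per page */
            p[off] = (unsigned char)(off / pg);
        for (size_t off = 0; off < len; off += pg)   /* read each byte back */
            if (p[off] != (unsigned char)(off / pg))
                rc = -1;
        munmap(p, len);
    }
    setrlimit(RLIMIT_DATA, &old);         /* restore the original limit */
    return rc;
}
int main(void) { return alloc_past_data_limit(8u << 20, 32u << 20) ? 1 : 0; }
```

Dirty pages of such a mapping are written back to the backing file rather than to swap, so the region behaves like RAM while it fits in memory and touches the disk once the kernel needs to evict or flush pages.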
Re: About Xen: maybe a reiterative question but ..
On 22/10/2007, Nick Guenther [EMAIL PROTECTED] wrote: On 10/22/07, ropers [EMAIL PROTECTED] wrote: On 22/10/2007, carlopmart [EMAIL PROTECTED] wrote: Hi all, I know that time to time somebody do the same question, but I need to know it: is it planned at some point to release a paravirtualized xen kernel for OpenBSD 4.3 or 4.4??? It already exists. You can run OpenBSD DomUs (ie. run OpenBSD as a Xen guest**), but AFAIK you still can't run OpenBSD Dom0s (ie. run OpenBSD as a Xen host**). See http://www.ropersonline.com/openbsd/xen/ ** This is a flawed metaphor, because Xen is a _hypervisor_, NOT an emulator. The Domain U installs are not really running as guest OSes, and the Domain zero installations are not really running as host OSes. But you need at least one Dom0 (which when I last looked into this still could not be OpenBSD) and you can install OpenBSD as a DomU. So that means that OpenBSD has code in it right now that detects if it's running under Xen and paravirtualizes itself? -Nick Not as far as I know, but I know very little. AFAIK, it's still necessary to clone the Mercurial ( http://en.wikipedia.org/wiki/Mercurial_%28software%29 ) VCS ( http://en.wikipedia.org/wiki/Version_control_system ) as described here: http://www.ropersonline.com/openbsd/xen/openbsd-xen-howto As far as I gathered, Christoph's effort has not been widely publicised and may not even be known to even some hard core OpenBSD people. I also seemed to gather that at some point there might have been some concerns regarding running OpenBSD as a DomU or similar, because it removes some of the security benefits, so there might be a trade-off there. A DomU is not the same as a true standalone server, though I personally would welcome the incorporation of Christoph's code into OpenBSD, if only because I hope to save hosting costs and still run OpenBSD. But I could be very wrong in all of the above, and I don't want to start rumours. 
If you want to get proper, authoritative answers, you should probably ask Theo and Christoph (though it might benefit the archives to cc the misc list). Thanks and regards, --ropers
Re: About Xen: maybe a reiterative question but ..
On 22/10/2007, ropers [EMAIL PROTECTED] wrote: On 22/10/2007, Nick Guenther [EMAIL PROTECTED] wrote: On 10/22/07, ropers [EMAIL PROTECTED] wrote: On 22/10/2007, carlopmart [EMAIL PROTECTED] wrote: Hi all, I know that time to time somebody do the same question, but I need to know it: is it planned at some point to release a paravirtualized xen kernel for OpenBSD 4.3 or 4.4??? It already exists. You can run OpenBSD DomUs (ie. run OpenBSD as a Xen guest**), but AFAIK you still can't run OpenBSD Dom0s (ie. run OpenBSD as a Xen host**). See http://www.ropersonline.com/openbsd/xen/ ** This is a flawed metaphor, because Xen is a _hypervisor_, NOT an emulator. The Domain U installs are not really running as guest OSes, and the Domain zero installations are not really running as host OSes. But you need at least one Dom0 (which when I last looked into this still could not be OpenBSD) and you can install OpenBSD as a DomU. For what it's worth, I plan on setting up a Xen box with an Ubuntu Dom0 and an OpenBSD DomU Real Soon Now, as soon as I get my trashpile computer fixed. (It's currently running Ubuntu with faulty RAM, because I got ripped off by some US-Americans* via ebay, and I can't afford to throw more money at it to fix it, because I'm now long term ill AND on welfare**... yadda, yadda, whine, whine ;-P ) Anyway, I plan on telling the misc list if and when I manage to set this up. Of course, dmesgs will be included. --ropers * and if you don't mind me saying it: fucking scam artist Septics. No honor or integrity. ** The Gods be praised for EU welfare states. The Seppos don't know what they're missing. :D
OpenBSD aio(2) support
Hi misc@, Just wondering, is there still no support for the aio(2) programming interface in OpenBSD? (Running 4.1 and I cannot find it) In January 2003 it was being worked on, but what is the status now? http://marc.info/?l=openbsd-misc&m=104213994204389&w=2 -- Daniel
Re: About Xen: maybe a reiterative question but ..
On 10/22/07, Nick Guenther [EMAIL PROTECTED] wrote: On 10/22/07, ropers [EMAIL PROTECTED] wrote: On 22/10/2007, carlopmart [EMAIL PROTECTED] wrote: Hi all, I know that time to time somebody do the same question, but I need to know it: is it planned at some point to release a paravirtualized xen kernel for OpenBSD 4.3 or 4.4??? yum It already exists. You can run OpenBSD DomUs (ie. run OpenBSD as a Xen guest**), but AFAIK you still can't run OpenBSD Dom0s (ie. run OpenBSD as a Xen host**). See http://www.ropersonline.com/openbsd/xen/ true But you need at least one Dom0 (which when I last looked into this still could not be OpenBSD) and you can install OpenBSD as a DomU. Only recently using HVM, not paravirtualization So that means that OpenBSD has code in it right now that detects if it's running under Xen and paravirtualizes itself? no I would like to vouch for openbsd working great as a guest, but my guest has crashed a dozen times. However I think this is due to the debian linux dom0 having broken sata code for the controller in use. dom0's dmesg is filled with debug statements from sata related places in the kernel that should never be printed. We're in a messy de-centralized linux development world trying to get a stable dom0 patched together. It sucks. The paravirtualization port appears dead to me. I've tried to keep up on it, but the guy's blog no longer mentions it, his repository is often down, and when it is up the commits do not appear to be very frequent. Also his blog hasn't mentioned it in a year or more. http://hg.recoil.org/openbsd-xen-sys.hg http://anil.recoil.org/blog/
Re: RAIDFrame woes with -current. Seeking debug advice
On Mon, Oct 22, 2007 at 11:29:16AM -0400, Brian wrote: Josh, I experienced this same problem during a recent migration to RAIDframe Auto-configuration. I had a RAID 1 root auto-configured RAID set, and a RAID 0 auto-configured set. The source tree I was using dates back to August 5th so it is obviously outside of your 12-hour window. However, I pinpointed my hang due to a CD-ROM being connected to the IDE port on the motherboard. Without the CD-ROM drive, the RAIDframe Auto-configure would proceed as expected. I don't know if this will help, considering I do not have a dmesg on hand. The server is already deployed and I cannot experiment with CD-ROM drive insertion/removal. I can tell you that the offending CD-ROM drive is a LITE-ON CD-ROM Drive model LTN-483S if that is of any consequence. And yes, RAID_AUTOCONFIG is set in the kernel config. Without it, the RAIDframe would proceed as expected with or without the CD-ROM drive. I received patches to rf_openbsdkintf.c which were designed to stop the CD probe, from several people. They were not effective circumventions, so that's not this particular problem. I have narrowed it down to a one hour range of patches. Ken Westerback is pursuing the issue for me.
Re: About Xen: maybe a reiterative question but ..
On 23/10/2007, Jeff Quast [EMAIL PROTECTED] wrote: The paravirtualization port appears dead to me. I've tried to keep up on it, but the guy's blog no longer mentions it, his repository is often down, and when it is up the commits do not appear to be very frequent. Also his blog hasn't mentioned it in a year or more. http://hg.recoil.org/openbsd-xen-sys.hg http://anil.recoil.org/blog/ Anil Madhavapeddy was Christoph's Google Summer of Code 2006 _mentor_. Christoph Egger did all or most of the work. Cf. here: http://code.google.com/soc/2006/xensource/about.html If people don't have Christoph's email address and want it, email me off-list. I'm not sure if it's polite to make Christoph's email address hit the archives where a thousand address harvesting bots can pick it up. OTOH, Christoph's address can be found via Google. Also, I think it's more or less useless to speculate on the state of the port -- much better to simply ask Christoph what the story is. Who knows, if there turns out to be real interest here, maybe the code can still be put to use in a way similar to what Nick suggested. --ropers
Re: About Xen: maybe a reiterative question but ..
On 23/10/2007, Jeff Quast [EMAIL PROTECTED] wrote: I would like to vouch for openbsd working great as a guest, but my guest has crashed a dozen times. However I think this is due to the debian linux dom0 having broken sata code for the controller in use. dom0's dmesg is filled with debug statements from sata related places in the kernel that should never be printed. We're in a messy de-centralized linux development world trying to get a stable dom0 patched together. It sucks. This is what I meant to hint at earlier: Running an OpenBSD DomU in connection with, say, a Linux Xen Dom0 possibly makes that OpenBSD installation subject to bugs in the hypervisor/Dom0, and that may be unavoidable. The question is, is that a worthwhile trade-off? Is this a reason not to support Xen? Or should the user be given that option regardless of the inherent limitations and consequences? --ropers
Re: USB Disk problems
-Original Message- From: Tilo Stritzky [mailto:[EMAIL PROTECTED] Sent: Tuesday, 23 October 2007 3:07 AM To: Edwards, David (JTS) Cc: misc@openbsd.org Subject: Re: USB Disk problems On 18/10/07 10:28 Edwards, David (JTS) wrote: Hi, I'm trying to use USB disks as backup devices and I'm finding that I have problems when I plug in more than two USB drives. I'm using 250G laptop disks powered from the USB cable. Is anyone else seeing this sort of problem? Would an upgrade to 4.2 help? FWIW, I have one USB disc where the external power feed goes nowhere. If I try to run it on an external feed, a light will come up but the drive still feeds on the USB. Also the power brick you are using could be broken/miswired. Well this seems to have given me the hint that I needed! I haven't been using external power to the USB disks so far. The reason is that I originally purchased external 250G external laptop drives so that the admin dude wouldn't have to worry about plugging in a power cable as well as the USB cable. This seemed like a good idea at the time. The disks came with an external power cable but it's a second USB cable with a power plug on the end instead of a mini USB. During testing, I tried using these power supply cables on the disks but it didn't seem to have any effect. After reading your mail, I tried again but this time plugging the external USB power cable _into_a_different_server_ and it seems to have worked! I can now plug in 3 disks reliably. So it seems that on a HP ProLiant DL360 (G5) using USB powered external drives, you can only reliably plug in two drives before you start having power supply problems to the USB disks. The fix is to provide external power to the third drive (at least). <gob smack> It seems that the whole USB bus including front panel ports, rear panel ports and all external hubs (even if separately powered) are electrically one single unit which can only provide enough power to run two external disks. </gob smack> ciao dave --- Dave Edwards