Re: benchmarks
On Apr 17 22:07:13, Rodrigo Mosconi wrote:
> Hi all,
> I'm interested on some benchmarks, specially with network/PF.
> For example: What's the maximum bandwidth that a soekris (or alix) can handle safely as a firewall? (with and without ipsec, how long the rule set are)
> Peter Hallin exposed a configuration that can handle near a 1Gbps on bridge mode. Peter, how much traffic your new firewall handle?
> On the branded servers (Dell, HP, IBM, etc), how best traffic one firewall can handle?
> These are some questions. Some of these information can help me to advocate OpenBSD based solution at work, starting with firewall.
> Just as comment, some linuxes (argh) fw can't handle as much as 100Mbps on Dells (R200 or R400).

I always save my money in the bank with the fastest safeboxes.
DNS reverse lookup from ip to CNAME
Hi list. I'm making a program that maps some ip address to a specified dns. My problem is relative to CNAME record. Supposing we have google ip, generated from a program, and we don't know that this ip is pointing to www.google.it. This program tries to get the hostname and reports that the specified ip points to: fra07s07-in-f103.1e100.net. This name is obtained from gethostbyaddr(). Is there a method to know that fra07s07-in-f103.1e100.net is pointed to from www.google.it? Trying a simple dns query for www.google.it, I get:

; <<>> DiG 9.7.3 <<>> www.google.it
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58155
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;www.google.it. IN A

;; ANSWER SECTION:
www.google.it. 327389 IN CNAME www.google.com.
www.google.com. 586589 IN CNAME www.l.google.com.
www.l.google.com. 165 IN A 209.85.148.104
www.l.google.com. 165 IN A 209.85.148.105
www.l.google.com. 165 IN A 209.85.148.106
www.l.google.com. 165 IN A 209.85.148.147
www.l.google.com. 165 IN A 209.85.148.99
www.l.google.com. 165 IN A 209.85.148.103

;; AUTHORITY SECTION:
google.com. 282625 IN NS ns2.google.com.
google.com. 282625 IN NS ns3.google.com.
google.com. 282625 IN NS ns1.google.com.
google.com. 282625 IN NS ns4.google.com.

;; ADDITIONAL SECTION:
ns3.google.com. 240988 IN A 216.239.36.10
ns4.google.com. 240988 IN A 216.239.38.10
ns1.google.com. 240988 IN A 216.239.32.10
ns2.google.com. 240988 IN A 216.239.34.10

;; Query time: 0 msec
;; SERVER: 10.1.1.5#53(10.1.1.5)
;; WHEN: Mon Apr 18 11:54:33 2011
;; MSG SIZE rcvd: 311

It said that www.google.it is a cname that points to www.google.com, that points to www.l.google.com, and that www.l.google.com. points to some addresses. Supposing that I have the 209.85.148.104 ip, is it possible (only knowing the ip) to go back to the CNAME record www.google.it?

I've tried this: dig -x 209.85.148.104:

; <<>> DiG 9.7.3 <<>> -x 209.85.148.104
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64966
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;104.148.85.209.in-addr.arpa. IN PTR

;; ANSWER SECTION:
104.148.85.209.in-addr.arpa. 69495 IN PTR fra07s07-in-f104.1e100.net.

;; AUTHORITY SECTION:
148.85.209.in-addr.arpa. 70180 IN NS ns4.google.com.
148.85.209.in-addr.arpa. 70180 IN NS ns3.google.com.
148.85.209.in-addr.arpa. 70180 IN NS ns1.google.com.
148.85.209.in-addr.arpa. 70180 IN NS ns2.google.com.

;; ADDITIONAL SECTION:
ns4.google.com. 240552 IN A 216.239.38.10
ns1.google.com. 240552 IN A 216.239.32.10
ns2.google.com. 240552 IN A 216.239.34.10
ns3.google.com. 240552 IN A 216.239.36.10

;; Query time: 0 msec
;; SERVER: 10.1.1.5#53(10.1.1.5)
;; WHEN: Mon Apr 18 12:01:49 2011
;; MSG SIZE rcvd: 231

and then, query the google dns: dig @ns1.google.com -x 209.85.148.104

; <<>> DiG 9.7.3 <<>> @ns1.google.com -x 209.85.148.104
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62862
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;104.148.85.209.in-addr.arpa. IN PTR

;; ANSWER SECTION:
104.148.85.209.in-addr.arpa. 86400 IN PTR fra07s07-in-f104.1e100.net.

;; Query time: 46 msec
;; SERVER: 216.239.32.10#53(216.239.32.10)
;; WHEN: Mon Apr 18 12:02:15 2011
;; MSG SIZE rcvd: 85

and this is the max level that I can obtain. I've also tried with another domain (www.cnr.it) and using this method, I can get from the ip address that it points to www.cnr.it. The only difference is that in the cnr dns, www.cnr.it is not a cname record but an IN record. Could someone point me in the right direction? Thanks in advance
Re: not boot panic: trap type 6, code=2, pc=d032a644c
This diff fixed the problem. Thanks! Maybe this is a silly question, but is this diff applied on the latest snapshot iso?
IPSec between 4.8 and 4.9
I have IPSec with manual flow between two 4.8 boxes, and all works great. I can't set up two 4.9 boxes at the same moment, and I want to ask: can I change one side of the IPSec to 4.9?
Re: benchmarks
2011/4/18 Richard Toohey richardtoo...@paradise.net.nz:
> On 18/04/2011, at 1:07 PM, Rodrigo Mosconi wrote:
>> Hi all, I'm interested on some benchmarks, specially with network/PF.
> On the general performance: http://www.openbsd.org/faq/pf/perf.html
>> For example: What's the maximum bandwidth that a soekris (or alix) can handle safely as a firewall? (with and without ipsec, how long the rule set are)
> Why limit yourself to (low-end) machines? Budget constraints? Space constraints? Or it might be cool to play with these devices? (I thought so too, but in the end easier to whack in an old Dell Optiplex - as is often recommended on this list.)

Space and noise constraints. Also can be cool to play with one ^^.

>> Peter Hallin exposed a configuration that can handle near a 1Gbps on bridge mode. Peter, how much traffic your new firewall handle? On the branded servers (Dell, HP, IBM, etc), how best traffic one firewall can handle?
> Which goes fastest? Ford or Holden? What NICs are in those machines?

At work (an IDC), we use Dell Rxx series. But it's stuck, I think the problems are the broadcom NICs. Also some customers have 200MBps or more bandwidth hired. And next, a new one (contract already signed), will use more than 1 GBps

>> These are some questions.
> What does traffic mean? Is your traffic the same as mine?

I will avoid to use this word...

>> Some of these information can help me to advocate OpenBSD based solution at work, starting with firewall. Just as comment, some linuxes (argh) fw can't handle as much as 100Mbps on Dells (R200 or R400).
> pf is fast enough for me at my work. It might not be fast enough for you at your work.

I agree

> What are your requirements?

The biggest goal: A gigabit+ capable firewall

>> Thanks for any comments,
> Probably not what you were after, but that's the repeated advice I see around here - only YOU can answer this question.

I know, I just want some comments and advices and opinions.

> And don't forget to read this (and buy the book) http://home.nuug.no/~peter/pf/en/

I already bought the book, I liked
Mosconi
Re: Intel 10GbE SFP+ (82599) and vlan
On 15.4.2011 12:49, Reyk Floeter wrote: On Thu, Apr 14, 2011 at 04:37:31PM +, Stuart Henderson wrote: 01:20:38.556705 802.1Q vid 0 pri 0 802.1Q vid 123 pri 0 arp who-has 10.3.3.2 tell 10.3.3.1 your config is OK, something is broken there. I guess this will make it function but it's not a correct fix. well, it works fine on the 82598 (heavily tested and used in production here) but seems to be broken on the 82599. it is either a hardware bug on the 82599 or related to the fact that it uses slighlty different advanced descriptors. this should be a more accurate workaround for now (until we're able to fix it on the 82599): #if NVLAN 0 if (hw-mac.type == ixgbe_mac_82598EB) ifp-if_capabilities |= IFCAP_VLAN_HWTAGGING; #endif Index: if_ix.c === RCS file: /cvs/src/sys/dev/pci/if_ix.c,v retrieving revision 1.50 diff -u -p -r1.50 if_ix.c --- if_ix.c 13 Apr 2011 00:14:18 - 1.50 +++ if_ix.c 14 Apr 2011 16:36:58 - 
@@ -1453,7 +1453,7 @@ ixgbe_setup_interface(struct ix_softc *s ifp-if_capabilities = IFCAP_VLAN_MTU; #if NVLAN 0 - ifp-if_capabilities |= IFCAP_VLAN_HWTAGGING; +// ifp-if_capabilities |= IFCAP_VLAN_HWTAGGING; #endif #ifdef IX_CSUM_OFFLOAD hello, i have found this datasheet: http://download.intel.com/design/network/datashts/82599_datasheet.pdf maybe it's worth something maybe not ... 7.4.3.1 Adding 802.1q Tags on Transmits Software might instruct the 82599 to insert an 802.1q VLAN tag on a per-packet basis. If the VLE bit in the transmit descriptor is set to 1b, then the 82599 inserts a VLAN tag into the packet that it transmits over the wire. The Tag Protocol Identifier b TPID (VLAN Ether Type) field of the 802.1q tag comes from the DMATXCTL.VT, and the Tag Control Information (TCI) of the 802.1q tag comes from the VLAN field of the legacy transmit descriptor or the VLAN Tag field of the advanced data transmit descriptor. 7.4.3.2 Stripping 802.1q Tags on Receives Software might instruct the 82599 to strip 802.1q VLAN tags from received packets. The policy whether to strip the VLAN tag is configurable per queue. If the RXDCTL.VME bit for a given queue is set to 1b, and the incoming packet is an 802.1q VLAN packet (that is, its Ethernet Type field matched the VLNCTRL.VET), then the 82599 strips the 4-byte VLAN tag from the packet, and stores the TCI in the VLAN Tag field of the receive descriptor. The 82599 also sets the VP bit in the receive descriptor to indicate that the packet had a VLAN tag that was stripped. If the RXDCTL.VME bit is not set, the 802.1q packets can still be received if they pass the receive filter, but the VLAN tag is not stripped and the VP bit is not set. -- /hrvoje
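Review bot: In the if_ix.c hunk at ixgbe_setup_interface(), the IFCAP_VLAN_HWTAGGING assignment is disabled by commenting it out with "//", which turns hardware VLAN tagging off for every chip the driver attaches to, including the 82598 that is reported in this thread as working, and leaves dead code inside an "#if NVLAN" block that is now empty. Suggest keeping the assignment and guarding it on the MAC type as in the snippet quoted above the diff (the ixgbe_mac_82598EB check), with a comment naming the 82599 tagging problem so the condition can be dropped once that is fixed.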
pf: Load Balancing Outgoing traffic over multiple WAN-connections with something like sticky address
Hello list, is it possible to make outgoing traffic load-balance in a way that connections from the same internal IP to the same external IP always use the same WAN-connection (at least until the

The example under http://www.openbsd.org/faq/pf/pools.html#outexample circumvents it by using only one connection. It would be nice if I could use something like:

pass in on $int_if from $lan_net \
    route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
    round-robin \
    target-hash

using round-robin sticky-address or source-hash obviously does not work, since there is not a single redirection address but *two*. Is there any other workaround than hardwiring only one connection?

Marcus
Re: not boot panic: trap type 6, code=2, pc=d032a644c
On Mon, Apr 18, 2011 at 07:57:20AM -0600, Orestes LeaL R. wrote:
> This diff fixed the problem. Thanks! Maybe this is a silly question, but is this diff applied on the latest snapshot iso?

Any committed code will be present in any snapshot dated after the commit. Allowing for any timezone oddities.

Ken
Re: DNS reverse lookup from ip to CNAME
On Mon, Apr 18, 2011 at 12:10:31PM +0200, Alessandro Baggi wrote:
> Hi list. I'm making a program that maps some ip address to a specified dns. My problem is relative to CNAME record.
> :
> Supposing that I have 209.85.148.104 ip, is possible (only knowing the ip) go back to the CNAME record www.google.it?
> :
> Could someone point me in the right direction?

It is as far as I know impossible. A PTR record points to the canonical name. One host can have several IP addresses but every IP address can hence only have one canonical name. A CNAME record is supposed to resolve to a canonical name, but often enough there is one or more extra indirections before you reach it. There can be CNAME records in any domain so you can not find all resolving to a given canonical name unless searching the _whole_ DNS.

> Thanks in advance

-- / Raimo Niskanen, Erlang/OTP, Ericsson AB
Re: Citrix ICAclient hangs whole PC with latest i386 PC
Try this, let me know what happens. Index: linux_exec.c === RCS file: /cvs/src/sys/compat/linux/linux_exec.c,v retrieving revision 1.33 diff -u -p -r1.33 linux_exec.c --- linux_exec.c5 Apr 2011 15:44:40 - 1.33 +++ linux_exec.c18 Apr 2011 13:50:37 - @@ -197,14 +197,17 @@ linux_e_proc_exit(struct proc *p) void linux_e_proc_fork(struct proc *p, struct proc *parent) { - struct linux_emuldata *emul = p-p_emuldata; - struct linux_emuldata *p_emul = parent-p_emuldata; + struct linux_emuldata *emul; + struct linux_emuldata *p_emul; /* Allocate new emuldata for the new process. */ p-p_emuldata = NULL; /* fork, use parent's vmspace (our vmspace may not be setup yet) */ linux_e_proc_init(p, parent-p_vmspace); + + emul = p-p_emuldata; + p_emul = parent-p_emuldata; emul-my_set_tid = p_emul-child_set_tid; emul-my_clear_tid = p_emul-child_clear_tid;
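Review bot: After the move, emul and p_emul are loaded from p_emuldata following linux_e_proc_init() and dereferenced on the very next lines (the my_set_tid and my_clear_tid assignments) with no check that the init call actually installed emuldata for p or that the parent has any. If linux_e_proc_init() can leave p_emuldata NULL, that is a kernel NULL dereference in the fork path; a KASSERT or an early return on NULL before the two tid assignments would make the assumption explicit. The existing comment "Allocate new emuldata for the new process" could also say that the pointers must not be cached before that call, since the removed initialisers read p_emuldata before it was reset.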
Re: Citrix ICAclient hangs whole PC with latest i386 PC
Hi, can do that tomorrow. On Mon, Apr 18, 2011 at 4:57 PM, Paul Irofti p...@irofti.net wrote: Try this, let me know what happens. Index: linux_exec.c === RCS file: /cvs/src/sys/compat/linux/linux_exec.c,v retrieving revision 1.33 diff -u -p -r1.33 linux_exec.c --- linux_exec.c B B B B 5 Apr 2011 15:44:40 - B B B 1.33 +++ linux_exec.c B B B B 18 Apr 2011 13:50:37 - @@ -197,14 +197,17 @@ linux_e_proc_exit(struct proc *p) B void B linux_e_proc_fork(struct proc *p, struct proc *parent) B { - B B B struct linux_emuldata *emul = p-p_emuldata; - B B B struct linux_emuldata *p_emul = parent-p_emuldata; + B B B struct linux_emuldata *emul; + B B B struct linux_emuldata *p_emul; B B B B /* Allocate new emuldata for the new process. */ B B B B p-p_emuldata = NULL; B B B B /* fork, use parent's vmspace (our vmspace may not be setup yet) */ B B B B linux_e_proc_init(p, parent-p_vmspace); + + B B B emul = p-p_emuldata; + B B B p_emul = parent-p_emuldata; B B B B emul-my_set_tid = p_emul-child_set_tid; B B B B emul-my_clear_tid = p_emul-child_clear_tid;
OpenBSD-Wiki.org
Due to circumstances beyond my control, I'm no longer able to host / maintain / work with OpenBSD-Wiki.org. I was in the process of updating it when some personal issues came up. I'm interested in passing this off to someone else who may be interested. I'll help migrate it, get things back up and going -- if help is needed / wanted. I'm not subscribed to the list, so send an email to this email. -- Kennith (Kenny) Mann
Re: [OT] DNS reverse lookup from ip to CNAME
On Mon, Apr 18, 2011 at 04:26:12PM +0200, Raimo Niskanen wrote:
> On Mon, Apr 18, 2011 at 12:10:31PM +0200, Alessandro Baggi wrote:
>> Hi list. I'm making a program that maps some ip address to a specified dns. My problem is relative to CNAME record.
>> :
>> Supposing that I have 209.85.148.104 ip, is possible (only knowing the ip) go back to the CNAME record www.google.it?
> It is as far as I know impossible. A PTR record points to the canonical name. One host can have several IP addresses but every IP address can hence only have one canonical name. A CNAME record is supposed to resolve to a canonical name, but often enough there is one or more extra indirections before you reach it. There can be CNAME records in any domain so you can not find all resolving to a given canonical name unless searching the _whole_ DNS.

Yes, DNS doesn't (need or) support this. I'm pretty sure that there are some databases of IP - name mappings, though, presumably compiled by finding valid hostnames and looking up their IPs.

Joachim
-- PotD: net/transmission,-qt - lightweight BitTorrent client with Qt interface http://www.joachimschipper.nl/
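An added example, not written by anyone in this thread: it runs over a constructed in-memory zone built from the dig output quoted earlier plus one made-up alias (alias.example.org), and shows why the PTR answer never leads back to www.google.it and how the IP-to-name database mentioned in the reply above can only be built by resolving known hostnames forward. The function names and the candidate list are assumptions of this example.

```python
import ipaddress
from collections import defaultdict

# Records taken from the dig output quoted in the thread, plus one
# constructed alias to show that a CNAME to the same target can live in
# any unrelated zone, where a reverse lookup has no way of finding it.
ZONE = [
    ("www.google.it.", "CNAME", "www.google.com."),
    ("www.google.com.", "CNAME", "www.l.google.com."),
    ("www.l.google.com.", "A", "209.85.148.104"),
    ("www.l.google.com.", "A", "209.85.148.105"),
    ("104.148.85.209.in-addr.arpa.", "PTR", "fra07s07-in-f104.1e100.net."),
    ("alias.example.org.", "CNAME", "www.l.google.com."),  # constructed
]

MAX_CNAME_HOPS = 8  # resolvers bound chain length; the value is an assumption


def lookup(name, rtype, zone=ZONE):
    """Return all record values of type rtype owned by name."""
    name = name.lower()
    return [value for owner, rt, value in zone if owner == name and rt == rtype]


def resolve(name, zone=ZONE):
    """Forward lookup: follow CNAMEs, return (names visited, A addresses)."""
    chain = [name.lower()]
    for _ in range(MAX_CNAME_HOPS):
        target = lookup(chain[-1], "CNAME", zone)
        if not target:
            return chain, lookup(chain[-1], "A", zone)
        if target[0] in chain:
            raise ValueError("CNAME loop at " + target[0])
        chain.append(target[0])
    raise ValueError("CNAME chain too long for " + name)


def reverse_ptr(ip, zone=ZONE):
    """Reverse lookup: the only name DNS itself stores for an address."""
    qname = ipaddress.ip_address(ip).reverse_pointer + "."
    answers = lookup(qname, "PTR", zone)
    return answers[0] if answers else None


def build_reverse_index(candidates, zone=ZONE):
    """Map each address to the candidate names that resolve to it.

    This is the database approach: it only knows about names somebody
    already collected, so it is never complete.
    """
    index = defaultdict(set)
    for name in candidates:
        try:
            chain, addrs = resolve(name, zone)
        except ValueError:
            continue  # broken chain: skip the name, keep building
        for ip in addrs:
            index[ip].add(chain[0])
    return dict(index)


if __name__ == "__main__":
    ip = "209.85.148.104"
    print("PTR for", ip, "->", reverse_ptr(ip))
    known = ["www.google.it.", "www.google.com.", "alias.example.org.",
             "nonexistent.example."]
    for name in sorted(build_reverse_index(known).get(ip, ())):
        print("forward-resolved alias:", name)
```

The PTR answer is a single name chosen by whoever runs the reverse zone; every alias in the index came from a forward query for a name that was already known.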
Like OpenBSD? Like to see new stuff happening? You really need to order a CD today :)
Hi all,

A number of you may have noticed the recent flurry of activity, leading to stuff like bigmem being turned on.. Some more good stuff is coming soon (my amd64 at my house is using 7 gigabytes of memory for buffer cache, and I'm doing builds without touching disks..). Some really cool stuff is being worked on and is coming to a source tree near you soon.

However, I'd like to take the opportunity to remind you all, that the project does depend on CD and shirt sales to keep it alive. Yes you may not use a CD all the time, but the latest one is pretty cool.

So, short answer? go buy a CD. pre-orders are a little slow this release, and we need to see some more activity in that area. Then maybe I'll stop worrying about it and commit that thing that will make your amd64 use even more buttloads of memory too!

So - yes we like donations, but we also like CD sales.. now is the time to help out.

Thanks
-Bob
vnconfig wd1 disklabel dissapearing
I've done the following and at first I didn't mail in case it was a weird vmware bug but it does exactly the same thing on real hardware. Someone mentioned fairly recently in 'equivalent of Linux mount -o bind' which should interest a recent poster a little, that you could use /dev/wd* directly with vnconfig which seemed faster and easier, it is not in the man page so maybe there is something lucky or hit and miss when it works and so hopefully someone will know straight away and make me look stupid as to why I'm at a loss with what I've found. I've used wd1c as an immovable object in disklabel which is working but figured I should at least report the following in case it isn't expected. Should I use an image file on wd1a instead of /dev/wd1c?

Drives zeroed
/sbin/vnconfig -ck svnd0 /dev/wd1c
/sbin/disklabel -E svnd0
/sbin/newfs /dev/rsvnd0a
/sbin/newfs /dev/rsvnd0d
/sbin/vnconfig -ck svnd1 /dev/wd0l
/sbin/disklabel -E svnd1
/sbin/newfs /dev/rsvnd1a
reboot, I guess disklabel -c would do the same

wd0l and svnd1 work fine (disklabels visible and work fine). I have to recreate the disklabel for wd1 and svnd0 after which it works fine until the next reboot (data accessed).

p.s. I am using bioctl for some things but here they are small and currently non performance critical, so I went for blowfish.
Re: vnconfig wd1 disklabel dissapearing
Oops forgot, it occurred on vmware and a physical box but was 4.8 stable on both. Shall I grab a snapshot, as I say I've worked it a different way and maybe this was the wrong way of using vnconfig anyway.
Re: Like OpenBSD? Like to see new stuff happening? You really need to order a CD today :)
On Mon, 18 Apr 2011 13:39:19 -0600, Bob Beck b...@obtuse.com wrote:
> Hi all,
> So, short answer? go buy a CD. pre-orders are a little slow this release, and we need to see some more activity in that area. Then maybe I'll stop worrying about it and commit that thing that will make your amd64 use even more buttloads of memory too!

I've just ordered my CD set and a hoodie. Sorry for not doing it sooner - you guys certainly deserve it. If I meet you in person, remind me to buy you a drink or three :-)

Patsy
vnconfig wd1 disklabel dissapearing
Date was wrong resent for those that sort by date and not receipt order, sorry for duplicates.

I've done the following and at first I didn't mail in case it was a weird vmware bug but it does exactly the same thing on real hardware. Someone mentioned fairly recently in 'equivalent of Linux mount -o bind' which should interest a recent poster a little, that you could use /dev/wd* directly with vnconfig which seemed faster and easier, it is not in the man page so maybe there is something lucky or hit and miss when it works and so hopefully someone will know straight away and make me look stupid as to why I'm at a loss with what I've found. I've used wd1c as an immovable object in disklabel which is working but figured I should at least report the following in case it isn't expected. Should I use an image file on wd1a instead of /dev/wd1c?

Drives zeroed
/sbin/vnconfig -ck svnd0 /dev/wd1c
/sbin/disklabel -E svnd0
/sbin/newfs /dev/rsvnd0a
/sbin/newfs /dev/rsvnd0d
/sbin/vnconfig -ck svnd1 /dev/wd0l
/sbin/disklabel -E svnd1
/sbin/newfs /dev/rsvnd1a
reboot, I guess disklabel -c would do the same

wd0l and svnd1 work fine (disklabels visible and work fine). I have to recreate the disklabel for wd1 and svnd0 after which it works fine until the next reboot (data accessed).

p.s. I am using bioctl for some things but here they are small and currently non performance critical, so I went for blowfish.
Re: benchmarks
Rodrigo Mosconi [open...@mosconi.mat.br] wrote:
> Hi all, I'm interested on some benchmarks, specially with network/PF.

How about this...With GENERIC -current amd64 kernel, I'm getting almost 800Mbps on a single FTP transfer between two 1Gbit-connected boxes with em controllers and mfi RAID backed with 6xSATA on each box. This is with boxes that are already busy with day-to-day activity. The limitation has gone from the networking code to the mfi controller and associated disk activity, nice to see I think. Removing NIC driver interrupt loops and IPL_BIO in ppb was a big win.

Transfers are a lot slower with my mpi two disk RAID 1 boxes, but using less hard disks is a lot slower than 1Gbps ethernet. Need to try with mfs next.

It pays to do it right, MCLGETI without loops in x_intr is proving to be a much better idea than what FreeBSD did with the polling hacks.

I wonder what kind of packet per second limitations people see now with bge, em, bnx, ix, vr, the common drivers, with and without pf enabled. PF enabled should be faster now that it doesn't recalculate IP checksums mid-stream !

-- the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Re: Like OpenBSD? Like to see new stuff happening? You really need to order a CD today :)
On Mon, 18 Apr 2011, Bob Beck wrote:
> Hi all, A number of you may have noticed the recent flurry of activity, leading to stuff like bigmem being turned on.. Some more good stuff is coming soon (my amd64 at my house is using 7 gigabytes of memory for buffer cache, and I'm doing builds without touching disks..). Some really cool stuff is being worked on and is coming to a source tree near you soon.
> However, I'd like to take the opportunity to remind you all, that the project does depend on CD and shirt sales to keep it alive. Yes you may not use a CD all the time, but the latest one is pretty cool.
> So, short answer? go buy a CD. pre-orders are a little slow this release, and we need to see some more activity in that area.

This may tie in to something I've noticed -- it's less than two weeks to the official release date of 4.9 but there's no sign that the CDs are shipping yet. While there's no obligation for them to arrive before that date, usually we hear earlier than this that they're shipping. Is there some delay?

> Then maybe I'll stop worrying about it and commit that thing that will make your amd64 use even more buttloads of memory too!
> So - yes we like donations, but we also like CD sales.. now is the time to help out.

My set was ordered as soon as the order page went up, but (since, for the first time in far too long, I've got some spare cash) I'll see about also making a donation.

Not that I have any particular standing, but FWIW, y'all please order a CD set if you haven't already done so. OpenBSD has served me well for quite a few years, and I'd really like to see it continue -- and continue to improve.

Dave
-- Dave Anderson d...@daveanderson.com
Packages security updates
Hi, the FAQ says:

When serious bugs or security flaws are discovered in third party software, they are fixed in the *-stable* branch of the ports tree. Remember that the lifecycle is 1 release: only the current and last release are updated

Does it mean:
1) 4.8-stable and -current have security updates for packages.
or
2) 4.7-stable and 4.8-stable have security updates for packages.
?

Thanks.
Re: Packages security updates
On Mon, 18 Apr 2011 23:45:10 +0200 enclair wifiencl...@gmail.com wrote:
> Hi, the FAQ says:
> When serious bugs or security flaws are discovered in third party software, they are fixed in the *-stable* branch of the ports tree. Remember that the lifecycle is 1 release: only the current and last release are updated
> Does it mean:
> 1) 4.8-stable and -current have security updates for packages.
> or
> 2) 4.7-stable and 4.8-stable have security updates for packages.
> ?
> Thanks.

none of those two options. no packages (, yet). if someone gets around to it, the updated port will be in the -stable ports tree, still have to build it yourself. and if you are not running the latest -release or -current, in most cases you are doing it wrong. :)
Re: benchmarks
Chris, don't forget to mention that they are simplifying the buffer cache (and bigmem!) so that when the attempted switch to rthreads comes, there will be far less hassles compared to FreeBSD or NetBSD, which literally took 2-5 years to perfect.

Read Matt Dillon's interview linked from wikipedia. Read the section on buffer cache http://kerneltrap.org/node/8

Linux and the other BSD's with so much commercial support (not Dfly!) just recently getting rid of Big Giant Lock, so OpenBSD is not that far behind. Stick with OpenBSD and see how 'fast' it continues to run. Good luck.

On Mon, 18 Apr 2011, Chris Cappuccio wrote:
> Rodrigo Mosconi [open...@mosconi.mat.br] wrote:
>> Hi all, I'm interested on some benchmarks, specially with network/PF.
> How about this...With GENERIC -current amd64 kernel, I'm getting almost 800Mbps on a single FTP transfer between two 1Gbit-connected boxes with em controllers and mfi RAID backed with 6xSATA on each box. This is with boxes that are already busy with day-to-day activity. The limitation has gone from the networking code to the mfi controller and associated disk activity, nice to see I think. Removing NIC driver interrupt loops and IPL_BIO in ppb was a big win.
> Transfers are a lot slower with my mpi two disk RAID 1 boxes, but using less hard disks is a lot slower than 1Gbps ethernet. Need to try with mfs next.
> It pays to do it right, MCLGETI without loops in x_intr is proving to be a much better idea than what FreeBSD did with the polling hacks.
> I wonder what kind of packet per second limitations people see now with bge, em, bnx, ix, vr, the common drivers, with and without pf enabled. PF enabled should be faster now that it doesn't recalculate IP checksums mid-stream !
> -- the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Re: benchmarks
Amit Kulkarni [amitk...@gmail.com] wrote:
> Chris, don't forget to mention that they are simplifying the buffer cache (and bigmem!) so that when the attempted switch to rthreads comes, there will be far less hassles compared to FreeBSD or NetBSD, which literally took 2-5 years to perfect.
> Read Matt Dillon's interview linked from wikipedia. Read the section on buffer cache http://kerneltrap.org/node/8
> Linux and the other BSD's with so much commercial support (not Dfly!) just recently getting rid of Big Giant Lock, so OpenBSD is not that far behind. Stick with OpenBSD and see how 'fast' it continues to run.

rthreads isn't going to help with kernel locking... i didn't think that much effort was going towards splitting the kernel across CPUs, is there something i'm missing here?
Re: Sun blade 1500 experiences ?
Sunblade1000 for a desktop. I run OpenBSD on it at times. Mach64 card 1024x768. if you have a better card then the graphics should be better. You can do a lot more with it than just run emacs.

--- On Fri, 4/15/11, Christiano F. Haesbaert haesba...@haesbaert.org wrote:
> From: Christiano F. Haesbaert haesba...@haesbaert.org
> Subject: Sun blade 1500 experiences ?
> To: OpenBSD Questions misc@openbsd.org
> Date: Friday, April 15, 2011, 7:24 PM
>
> Hi there, I'm consider buying a sun blade 1500, mainly cause I found a great deal on our local ebay. I was thinking in replacing my aging ultra 5 as my local server, but it turns out it seems like a nice desktop system.
> Is anyone using a similar machine for desktop ? How is performance in general (Considering X and such) ? Anyone tried 1680 x 1050 ?
> I'm a heavy emacs user, other than that, I don't run any other significant program (cpu/mem/io) (only mutt, irssi e cia...).
> Here are the specs: http://www.sun.com/desktop/workstation/sunblade1500/specs.xml
> Well, I'm getting it anyway, if not for desktop for my server replacement (2x 64bit pci :-))
> Does anyone has a dmesg for that ?
> Thanks
Re: vnconfig wd1 disklabel dissapearing
On Mon, Apr 18, 2011 at 09:56:45AM +, Kevin Chadwick wrote:
> I've done the following and at first I didn't mail in case it was a weird vmware bug but it does exactly the same thing on real hardware. Someone mentioned fairly recently in 'equivalent of Linux mount -o bind' which should interest a recent poster a little, that you could use /dev/wd* directly with vnconfig which seemed faster and easier, it is not in the man page so maybe there is something lucky or hit and miss when it works and so hopefully someone will know straight away and make me look stupid as to why I'm at a loss with what I've found. I've used wd1c as an immovable object in disklabel which is working but figured I should at least report the following in case it isn't expected. Should I use an image file on wd1a instead of /dev/wd1c?

Yes. Never use 'c' for anything permanent. It is the kernel's and not yours.

Ken

> Drives zeroed
> /sbin/vnconfig -ck svnd0 /dev/wd1c
> /sbin/disklabel -E svnd0
> /sbin/newfs /dev/rsvnd0a
> /sbin/newfs /dev/rsvnd0d
> /sbin/vnconfig -ck svnd1 /dev/wd0l
> /sbin/disklabel -E svnd1
> /sbin/newfs /dev/rsvnd1a
> reboot, I guess disklabel -c would do the same
> wd0l and svnd1 work fine (disklabels visible and work fine). I have to recreate the disklabel for wd1 and svnd0 after which it works fine until the next reboot (data accessed).
> p.s. I am using bioctl for some things but here they are small and currently non performance critical, so I went for blowfish.
Re: a GOOD idea to harden OpenSSH!
On Wed, Mar 30, 2011 at 03:22, Alexander Schrijver alexander.schrij...@gmail.com wrote:
It's a great way to keep someone out of their own system.
Huh? Wouldn't securely backing up the RSA keys prevent this? If you are mindful enough to use keys in the first place and don't back up such critical data, wouldn't you deserve to be locked out until someone can cart over an IP KVM?
-William
Re: Like OpenBSD? Like to see new stuff happening? You really need to order a CD today :)
A number of you may have noticed the recent flurry of activity, leading to stuff like bigmem being turned on.. Some more good stuff is coming soon (my amd64 at my house is using 7 gigabytes of memory for buffer cache, and I'm doing builds without touching disks..). Some really cool stuff is being worked on and is coming to a source tree near you soon.
However, I'd like to take the opportunity to remind you all, that the project does depend on CD and shirt sales to keep it alive. Yes you may not use a CD all the time, but the latest one is pretty cool. So, short answer? Go buy a CD. Pre-orders are a little slow this release, and we need to see some more activity in that area.
This may tie in to something I've noticed -- it's less than two weeks to the official release date of 4.9 but there's no sign that the CDs are shipping yet. While there's no obligation for them to arrive before that date, usually we hear earlier than this that they're shipping. Is there some delay?
Wow -- watch out, or you will kill the message. I note you are inside North America. Packages inside North America can make it to their destination in 3 days, 4 days tops. It is April 18. What are you talking about? Your CD order will arrive around the release time. Probably before, as is usual, though no one ever promised that! As well, I know that other distributors (including Liam in England) will soon have CDs ready so that there can be a 'coordinated release'. People on the other continents need to get a chance to be the first at bragging.
Let's backtrack. Bob is bringing up an important point (he mentioned it publicly after I mentioned it privately to him earlier, so I know where this comes from). Year on year, when it comes to money that keeps the project going, nothing much has changed in this project. I think people should contrast our track record of 'good product' to our 'inability to sell out'.
Unlike everyone else in the open source industry, we continue to operate on donations and CD sales (money). We have kept donations and money separated. Donations fund the things they can easily fund, and money funds the things they can fund easily; we all know there are business/taxation rules to be followed.
The donations primarily fund the hackathons (5-6 a year these days) and travel assistance for the less fortunate developers to those hackathons. Great things come from those donations, from those hackathons we are all running code that came out of them. None of us can contest that.
But without CD and tshirt sales, other parts of the project are in trouble -- the things that are more difficult to fund out of donations. And there is a further relationship: If not enough CDs are sold in a release, there may be no further CDs made after that. If there are no CDs made or sold, I don't know what will happen. I doubt donations could help us ever again bootstrap a CD release process again. I don't know where various aspects of the project would go.
Of course everyone knows that part of the CD sales become my salary (keeping me away from working for companies writing non-free software perhaps, though I doubt I am employable). But that is only fair. All of you eat, too. I spend more time in front of a keyboard than most of you... If things went bad financially, I don't know how I would cope with such a big change. I doubt the user community has a plan for that, either.
If you are receiving this mail you are using OpenBSD or the other things that our developer community have made, so please be considerate and help us continue. The donations are one thing, and thank you -- but please remember that the sales component has to be there too. I am only a part of the CD sales money. CD sales money keeps the electrons flowing through cvs.openbsd.org. Trust me, it is critical.
Not that I have any particular standing, but FWIW, y'all please order a CD set if you haven't already done so. OpenBSD has served me well for quite a few years, and I'd really like to see it continue -- and continue to improve.
Exactly -- let us continue doing this.
Re: vnconfig wd1 disklabel disappearing
On Mon, Apr 18, 2011 at 09:56:45AM +, Kevin Chadwick wrote:
I've done the following and at first I didn't mail in case it was a weird vmware bug but it does exactly the same thing on real hardware. Someone mentioned fairly recently in 'equivalent of Linux mount -o bind' which should interest a recent poster a little, that you could use /dev/wd* directly with vnconfig which seemed faster and easier, it is not in the man page so maybe there is something lucky or hit and miss when it works and so hopefully someone will know straight away and make me look stupid as to why I'm at a loss with what I've found. I've used wd1c as an immovable object in disklabel which is working but figured I should at least report the following in case it isn't expected. Should I use an image file on wd1a instead of /dev/wd1c?
Yes. Never use 'c' for anything permanent. It is the kernel's and not yours.
Ken is right. 'c' is the special partition that is the whole disk no matter what the disklabel says.
Re: Like OpenBSD? Like to see new stuff happening? You really need to order a CD today :)
On Mon, 18 Apr 2011, Theo de Raadt wrote:
A number of you may have noticed the recent flurry of activity, leading to stuff like bigmem being turned on.. Some more good stuff is coming soon (my amd64 at my house is using 7 gigabytes of memory for buffer cache, and I'm doing builds without touching disks..). Some really cool stuff is being worked on and is coming to a source tree near you soon.
However, I'd like to take the opportunity to remind you all, that the project does depend on CD and shirt sales to keep it alive. Yes you may not use a CD all the time, but the latest one is pretty cool. So, short answer? Go buy a CD. Pre-orders are a little slow this release, and we need to see some more activity in that area.
This may tie in to something I've noticed -- it's less than two weeks to the official release date of 4.9 but there's no sign that the CDs are shipping yet. While there's no obligation for them to arrive before that date, usually we hear earlier than this that they're shipping. Is there some delay?
Wow -- watch out, or you will kill the message.
My apologies if my reply had any such effect; it certainly wasn't intended to do that.
I note you are inside North America. Packages inside North America can make it to their destination in 3 days, 4 days tops. It is April 18. What are you talking about? Your CD order will arrive around the release time. Probably before, as is usual, though no one ever promised that!
As I said, I believe that OpenBSD's only obligation is to get the pre-order CD sets to us by the release date (and even that isn't absolute, given that shit happens). I was just interested in / curious about why the pre-order process seemed to be working a bit differently from the way it usually has.
As well, I know that other distributors (including Liam in England) will soon have CDs ready so that there can be a 'coordinated release'. People on the other continents need to get a chance to be the first at bragging.
Thanks for the explanation.
Dave
Let's backtrack. Bob is bringing up an important point (he mentioned it publicly after I mentioned it privately to him earlier, so I know where this comes from). Year on year, when it comes to money that keeps the project going, nothing much has changed in this project. I think people should contrast our track record of 'good product' to our 'inability to sell out'. Unlike everyone else in the open source industry, we continue to operate on donations and CD sales (money). We have kept donations and money separated. Donations fund the things they can easily fund, and money funds the things they can fund easily; we all know there are business/taxation rules to be followed.
The donations primarily fund the hackathons (5-6 a year these days) and travel assistance for the less fortunate developers to those hackathons. Great things come from those donations, from those hackathons we are all running code that came out of them. None of us can contest that.
But without CD and tshirt sales, other parts of the project are in trouble -- the things that are more difficult to fund out of donations. And there is a further relationship: If not enough CDs are sold in a release, there may be no further CDs made after that. If there are no CDs made or sold, I don't know what will happen. I doubt donations could help us ever again bootstrap a CD release process again. I don't know where various aspects of the project would go.
Of course everyone knows that part of the CD sales become my salary (keeping me away from working for companies writing non-free software perhaps, though I doubt I am employable). But that is only fair. All of you eat, too. I spend more time in front of a keyboard than most of you... If things went bad financially, I don't know how I would cope with such a big change. I doubt the user community has a plan for that, either.
If you are receiving this mail you are using OpenBSD or the other things that our developer community have made, so please be considerate and help us continue. The donations are one thing, and thank you -- but please remember that the sales component has to be there too. I am only a part of the CD sales money. CD sales money keeps the electrons flowing through cvs.openbsd.org. Trust me, it is critical.
Not that I have any particular standing, but FWIW, y'all please order a CD set if you haven't already done so. OpenBSD has served me well for quite a few years, and I'd really like to see it continue -- and continue to improve.
Exactly -- let us continue doing this.
-- Dave Anderson d...@daveanderson.com