Re: benchmarks

2011-04-18 Thread Jan Stary
On Apr 17 22:07:13, Rodrigo Mosconi wrote:
 Hi all,
 
 I'm interested in some benchmarks, especially with network/PF.
 
 For example:
 
 What's the maximum bandwidth that a soekris (or alix) can handle safely as a
 firewall? (with and without ipsec, how long the rule set are)
 
 Peter Hallin exposed a configuration that can handle near a 1Gbps on bridge
 mode.  Peter, how much traffic your new firewall handle?
 
 On the branded servers (Dell, HP, IBM, etc), how best traffic one firewall
 can handle?
 
 These are some questions.
 
 Some of this information can help me to advocate an OpenBSD based solution at
 work, starting with the firewall.  Just as a comment, some linuxes (argh) fw can't
 handle as much as 100Mbps on Dells (R200 or R400).

I always save my money in the bank with the fastest safeboxes.



DNS reverse lookup from ip to CNAME

2011-04-18 Thread Alessandro Baggi
Hi list. I'm making a program that maps some IP addresses to a specified
DNS. My problem relates to CNAME records.
Supposing we have a Google IP, generated by a program, and we don't know
that this IP is pointing to www.google.it. The program tries to get the
hostname and reports that the specified IP points to:


 fra07s07-in-f103.1e100.net.


This name is obtained from gethostbyaddr();

Is there a method to know that fra07s07-in-f103.1e100.net is pointed
to from www.google.it?


Trying a simple DNS query for www.google.it, I get

; <<>> DiG 9.7.3 <<>> www.google.it
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58155
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;www.google.it. IN  A

;; ANSWER SECTION:
www.google.it.  327389  IN  CNAME   www.google.com.
www.google.com. 586589  IN  CNAME   www.l.google.com.
www.l.google.com.   165 IN  A   209.85.148.104
www.l.google.com.   165 IN  A   209.85.148.105
www.l.google.com.   165 IN  A   209.85.148.106
www.l.google.com.   165 IN  A   209.85.148.147
www.l.google.com.   165 IN  A   209.85.148.99
www.l.google.com.   165 IN  A   209.85.148.103

;; AUTHORITY SECTION:
google.com. 282625  IN  NS  ns2.google.com.
google.com. 282625  IN  NS  ns3.google.com.
google.com. 282625  IN  NS  ns1.google.com.
google.com. 282625  IN  NS  ns4.google.com.

;; ADDITIONAL SECTION:
ns3.google.com. 240988  IN  A   216.239.36.10
ns4.google.com. 240988  IN  A   216.239.38.10
ns1.google.com. 240988  IN  A   216.239.32.10
ns2.google.com. 240988  IN  A   216.239.34.10

;; Query time: 0 msec
;; SERVER: 10.1.1.5#53(10.1.1.5)
;; WHEN: Mon Apr 18 11:54:33 2011
;; MSG SIZE  rcvd: 311

It says that www.google.it is a CNAME that points to www.google.com, which
points to www.l.google.com, and that www.l.google.com. points to some
addresses.
Supposing that I have the IP 209.85.148.104, is it possible (knowing only
the IP) to go back to the CNAME record www.google.it?


I've tried this:

dig -x 209.85.148.104:

; <<>> DiG 9.7.3 <<>> -x 209.85.148.104
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64966
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;104.148.85.209.in-addr.arpa.   IN  PTR

;; ANSWER SECTION:
104.148.85.209.in-addr.arpa. 69495 IN   PTR fra07s07-in-f104.1e100.net.

;; AUTHORITY SECTION:
148.85.209.in-addr.arpa. 70180  IN  NS  ns4.google.com.
148.85.209.in-addr.arpa. 70180  IN  NS  ns3.google.com.
148.85.209.in-addr.arpa. 70180  IN  NS  ns1.google.com.
148.85.209.in-addr.arpa. 70180  IN  NS  ns2.google.com.

;; ADDITIONAL SECTION:
ns4.google.com. 240552  IN  A   216.239.38.10
ns1.google.com. 240552  IN  A   216.239.32.10
ns2.google.com. 240552  IN  A   216.239.34.10
ns3.google.com. 240552  IN  A   216.239.36.10

;; Query time: 0 msec
;; SERVER: 10.1.1.5#53(10.1.1.5)
;; WHEN: Mon Apr 18 12:01:49 2011
;; MSG SIZE  rcvd: 231

and then, query the google dns:

 dig @ns1.google.com -x 209.85.148.104

; <<>> DiG 9.7.3 <<>> @ns1.google.com -x 209.85.148.104
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62862
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;104.148.85.209.in-addr.arpa.   IN  PTR

;; ANSWER SECTION:
104.148.85.209.in-addr.arpa. 86400 IN   PTR fra07s07-in-f104.1e100.net.

;; Query time: 46 msec
;; SERVER: 216.239.32.10#53(216.239.32.10)
;; WHEN: Mon Apr 18 12:02:15 2011
;; MSG SIZE  rcvd: 85

and this is the max level that I can obtain.
I've also tried with another domain (www.cnr.it), and using this method
I can get from the IP address that it points to www.cnr.it. The only
difference is that in the cnr DNS, www.cnr.it is not a CNAME record but an IN
record.


Could someone point me in the right direction?

Thanks in advance



Re: not boot panic: trap type 6, code=2, pc=d032a644c

2011-04-18 Thread Orestes LeaL R.

This diff fixed the problem. Thanks!



Maybe this is a silly question but is this diff applied on the latest
snapshot iso?




IPSec between 4.8 and 4.9

2011-04-18 Thread lilit-aibolit

I have IPSec with manual flow between two 4.8 boxes, and all works great.
I can't set up two 4.9 boxes at the same moment, and I want to ask: can I
change one side of the IPSec to 4.9?



Re: benchmarks

2011-04-18 Thread Rodrigo Mosconi
2011/4/18 Richard Toohey richardtoo...@paradise.net.nz:
 On 18/04/2011, at 1:07 PM, Rodrigo Mosconi wrote:

 Hi all,

 I'm interested in some benchmarks, especially with network/PF.


 On the general performance:

 http://www.openbsd.org/faq/pf/perf.html

 For example:

 What's the maximum bandwidth that a soekris (or alix) can handle safely as a
 firewall? (with and without ipsec, how long the rule set are)

 Why limit yourself to (low-end) machines?  Budget constraints?  Space
 constraints?  Or it might be cool to play with these devices?  (I thought so
 too, but in the end easier to whack in an old Dell Optiplex - as is often
 recommended on this list.)
Space and noise constraints.  Also can be cool to play with one ^^.



 Peter Hallin exposed a configuration that can handle near a 1Gbps on bridge
 mode.  Peter, how much traffic your new firewall handle?

 On the branded servers (Dell, HP, IBM, etc), how best traffic one firewall
 can handle?

 Which goes fastest?  Ford or Holden?

 What NICs are in those machines?

At work (an IDC), we use Dell Rxx series.  But it's stuck, I think the
problems are the broadcom NICs

Also some customers have 200MBps or more bandwidth hired.  And next, a
new one (contract already signed), will use more than 1 GBps

 These are some questions.

 What does traffic mean?  Is your traffic the same as mine?
I will avoid using this word...

 Some of this information can help me to advocate an OpenBSD based solution at
 work, starting with the firewall.  Just as a comment, some linuxes (argh) fw can't
 handle as much as 100Mbps on Dells (R200 or R400).


 pf is fast enough for me at my work.

 It might not be fast enough for you at your work.
I agree

 What are your requirements?
The biggest goal: A gigabit+ capable firewall


 Thanks for any comments,


 Probably not what you were after, but that's the repeated advice I see
 around here - only YOU can answer this question.
I know, I just want some comments, advice and opinions.


 And don't forget to read this (and buy the book)

 http://home.nuug.no/~peter/pf/en/
I already bought the book, I liked it


 Mosconi



Re: Intel 10GbE SFP+ (82599) and vlan

2011-04-18 Thread Hrvoje Popovski

On 15.4.2011 12:49, Reyk Floeter wrote:

On Thu, Apr 14, 2011 at 04:37:31PM +, Stuart Henderson wrote:

01:20:38.556705 802.1Q vid 0 pri 0 802.1Q vid 123 pri 0 arp who-has
10.3.3.2 tell 10.3.3.1


your config is OK, something is broken there. I guess this will make
it function but it's not a correct fix.



well, it works fine on the 82598 (heavily tested and used in
production here) but seems to be broken on the 82599.  it is either a
hardware bug on the 82599 or related to the fact that it uses slightly
different advanced descriptors.  this should be a more accurate
workaround for now (until we're able to fix it on the 82599):

#if NVLAN > 0
	/* advertise hardware VLAN tagging only on the 82598 */
	if (hw->mac.type == ixgbe_mac_82598EB)
		ifp->if_capabilities |= IFCAP_VLAN_HWTAGGING;
#endif


Index: if_ix.c
===
RCS file: /cvs/src/sys/dev/pci/if_ix.c,v
retrieving revision 1.50
diff -u -p -r1.50 if_ix.c
--- if_ix.c 13 Apr 2011 00:14:18 -  1.50
+++ if_ix.c 14 Apr 2011 16:36:58 -
@@ -1453,7 +1453,7 @@ ixgbe_setup_interface(struct ix_softc *s
ifp-if_capabilities = IFCAP_VLAN_MTU;

  #if NVLAN  0
-   ifp-if_capabilities |= IFCAP_VLAN_HWTAGGING;
+// ifp-if_capabilities |= IFCAP_VLAN_HWTAGGING;
  #endif

  #ifdef IX_CSUM_OFFLOAD
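
Review bot: Commenting the assignment out with `//` inside `#if NVLAN > 0` removes IFCAP_VLAN_HWTAGGING for every adapter that goes through ixgbe_setup_interface(), not only the one that misbehaves, and leaves a dead statement in an otherwise empty conditional block. If this is meant as a workaround, gate the assignment on the MAC type, as the `hw->mac.type == ixgbe_mac_82598EB` check quoted above does, and replace the commented-out line with a short /* XXX */ comment stating why hardware tagging stays off for the other chips.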




hello,

i have found this datasheet:

http://download.intel.com/design/network/datashts/82599_datasheet.pdf

maybe it's worth something maybe not ...



7.4.3.1 Adding 802.1q Tags on Transmits

Software might instruct the 82599 to insert an 802.1q VLAN tag on a 
per-packet basis. If the VLE bit in the transmit descriptor is set to 
1b, then the 82599 inserts a VLAN tag into the packet that it transmits
over the wire. The Tag Protocol Identifier - TPID (VLAN Ether Type)
field of the 802.1q tag comes from the DMATXCTL.VT, and the Tag Control 
Information (TCI) of the 802.1q tag comes from the VLAN field of the 
legacy transmit descriptor or the VLAN Tag field of the advanced data 
transmit descriptor.




7.4.3.2 Stripping 802.1q Tags on Receives

Software might instruct the 82599 to strip 802.1q VLAN tags from 
received packets. The policy whether to strip the VLAN tag is 
configurable per queue. If the RXDCTL.VME bit for a given queue is set 
to 1b, and the incoming packet is an 802.1q VLAN
packet (that is, its Ethernet Type field matched the VLNCTRL.VET), then 
the 82599 strips the 4-byte VLAN tag from the packet, and stores the TCI 
in the VLAN Tag field of the receive descriptor. The 82599 also sets the 
VP bit in the receive descriptor to indicate that the packet had a VLAN 
tag that was stripped. If the RXDCTL.VME bit is not set, the 802.1q 
packets can still be received if they pass the receive filter, but the 
VLAN tag is not stripped and the VP bit is not set.



--
/hrvoje
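
A software model of the two datasheet paragraphs quoted above, as an added example (not driver code and not from any poster in this thread). It inserts and strips 802.1Q tags the way sections 7.4.3.1 and 7.4.3.2 describe and decodes a frame shaped like the tcpdump line in the thread (outer vid 0, inner vid 123). The function names, the 0x8100 value assumed for VET/VT and the sample MAC address are assumptions made for the example.

```python
import struct

VET_8021Q = 0x8100  # assumed value of VLNCTRL.VET / DMATXCTL.VT (standard 802.1Q)


def _ethertype(frame, offset=12):
    """Read the 16-bit EtherType/TPID found at the given byte offset."""
    if len(frame) < offset + 2:
        raise ValueError("frame too short for an EtherType at offset %d" % offset)
    return struct.unpack_from("!H", frame, offset)[0]


def tx_insert(frame, vle, tci, tpid=VET_8021Q):
    """Model of 7.4.3.1: with VLE set, insert TPID + TCI after the MAC addresses."""
    if not vle:
        return frame
    return frame[:12] + struct.pack("!HH", tpid, tci & 0xFFFF) + frame[12:]


def rx_strip(frame, vme, vet=VET_8021Q):
    """Model of 7.4.3.2: returns (frame, tci, vp).

    With VME set and the EtherType matching VET, the 4-byte tag is removed,
    the TCI is reported separately and VP is True. Otherwise the frame is
    passed through untouched and VP stays False.
    """
    if not vme or _ethertype(frame) != vet or len(frame) < 16:
        return frame, None, False
    tci = struct.unpack_from("!H", frame, 14)[0]
    return frame[:12] + frame[16:], tci, True


def decode_tags(frame, vet=VET_8021Q):
    """List every stacked tag as (vid, pri), plus the inner EtherType."""
    tags, offset = [], 12
    while _ethertype(frame, offset) == vet:
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        tags.append((tci & 0x0FFF, tci >> 13))  # VID is the low 12 bits, PCP the top 3
        offset += 4
    return tags, _ethertype(frame, offset)


def sample_arp_frame():
    """Constructed ARP 'who-has 10.3.3.2 tell 10.3.3.1' (MAC address is made up)."""
    src = bytes.fromhex("020000000001")
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                      src, bytes([10, 3, 3, 1]), bytes(6), bytes([10, 3, 3, 2]))
    return b"\xff" * 6 + src + struct.pack("!H", 0x0806) + arp


def sample_double_tagged():
    """Constructed frame shaped like the tcpdump line: outer vid 0, inner vid 123."""
    inner = tx_insert(sample_arp_frame(), vle=True, tci=123)
    return tx_insert(inner, vle=True, tci=0)


if __name__ == "__main__":
    frame = sample_double_tagged()
    print("on the wire:", decode_tags(frame))
    stripped, tci, vp = rx_strip(frame, vme=True)
    print("after one strip: tci=%d vp=%s remaining=%s" % (tci, vp, decode_tags(stripped)))
```

Stripping once removes only the outer tag, so a receiver that expects an untagged frame after the strip still sees the vid 123 tag in the packet data.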



pf: Load Balancing Outgoing traffic over multiple WAN-connections with something like sticky address

2011-04-18 Thread Marcus Mülbüsch

Hello list,

   is it possible to make outgoing traffic load-balance in a way that 
connections from the same internal IP to the same external IP always use 
the same WAN-connection (at least until the


   The example under
 http://www.openbsd.org/faq/pf/pools.html#outexample
circumvents it by using only one connection. It would be nice if I could 
use something like:


pass in on $int_if from $lan_net \
route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
round-robin \
target-hash

using round-robin sticky-address or source-hash obviously does not 
work, since there is not a single redirection address but *two*.


Is there any other workaround than hardwiring only one connection?

Marcus



Re: not boot panic: trap type 6, code=2, pc=d032a644c

2011-04-18 Thread Kenneth R Westerback
On Mon, Apr 18, 2011 at 07:57:20AM -0600, Orestes LeaL R. wrote:
 This diff fixed the problem. Thanks!
 
 
 Maybe this is a silly question but is this diff applied on the
 latest snapshot iso?
 

Any committed code will be present in any snapshot dated after the
commit. Allowing for any timezone oddities.

 Ken



Re: DNS reverse lookup from ip to CNAME

2011-04-18 Thread Raimo Niskanen
On Mon, Apr 18, 2011 at 12:10:31PM +0200, Alessandro Baggi wrote:
 Hi list. I'm making a program that maps some ip address to a specified 
 dns. My problem is relative to CNAME record.
:
 Supposing that I have 209.85.148.104 ip, is possible (only knowing the 
 ip) go back to the CNAME record www.google.it?
 
:
 
 Could someone point me in the right direction?

It is as far as I know impossible.

A PTR record points to the canonical name.

One host can have several IP addresses but every IP address
can hence only have one canonical name.

A CNAME record is supposed to resolve to a canonical name,
but often enough there is one or more extra indirections
before you reach it.

There can be CNAME records in any domain so you can not find all
resolving to a given canonical name unless searching the _whole_ DNS.

 
 Thanks in advance

-- 

/ Raimo Niskanen, Erlang/OTP, Ericsson AB



Re: Citrix ICAclient hangs whole PC with latest i386 PC

2011-04-18 Thread Paul Irofti
Try this, let me know what happens.

Index: linux_exec.c
===
RCS file: /cvs/src/sys/compat/linux/linux_exec.c,v
retrieving revision 1.33
diff -u -p -r1.33 linux_exec.c
--- linux_exec.c5 Apr 2011 15:44:40 -   1.33
+++ linux_exec.c18 Apr 2011 13:50:37 -
@@ -197,14 +197,17 @@ linux_e_proc_exit(struct proc *p)
 void
 linux_e_proc_fork(struct proc *p, struct proc *parent)
 {
-   struct linux_emuldata *emul = p-p_emuldata;
-   struct linux_emuldata *p_emul = parent-p_emuldata;
+   struct linux_emuldata *emul;
+   struct linux_emuldata *p_emul;
 
/* Allocate new emuldata for the new process. */
p-p_emuldata = NULL;
 
/* fork, use parent's vmspace (our vmspace may not be setup yet) */
linux_e_proc_init(p, parent-p_vmspace);
+
+   emul = p-p_emuldata;
+   p_emul = parent-p_emuldata;
 
emul-my_set_tid = p_emul-child_set_tid;
emul-my_clear_tid = p_emul-child_clear_tid;
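
Review bot: The added `emul = p->p_emuldata;` is dereferenced on the very next lines without a check, although `p->p_emuldata` was set to NULL a few lines earlier and is only expected to be filled in by linux_e_proc_init(). If that call can return without allocating, this becomes a NULL dereference in the fork path; add a KASSERT (or an explicit check) on `emul` before the `my_set_tid` assignment, or note in the comment above the call that init cannot fail here.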



Re: Citrix ICAclient hangs whole PC with latest i386 PC

2011-04-18 Thread Tomas Bodzar
Hi,

can do that tomorrow.

On Mon, Apr 18, 2011 at 4:57 PM, Paul Irofti p...@irofti.net wrote:
 Try this, let me know what happens.

 Index: linux_exec.c
 ===
 RCS file: /cvs/src/sys/compat/linux/linux_exec.c,v
 retrieving revision 1.33
 diff -u -p -r1.33 linux_exec.c
 --- linux_exec.c B  B  B  B 5 Apr 2011 15:44:40 - B  B  B  1.33
 +++ linux_exec.c B  B  B  B 18 Apr 2011 13:50:37 -
 @@ -197,14 +197,17 @@ linux_e_proc_exit(struct proc *p)
 B void
 B linux_e_proc_fork(struct proc *p, struct proc *parent)
 B {
 - B  B  B  struct linux_emuldata *emul = p-p_emuldata;
 - B  B  B  struct linux_emuldata *p_emul = parent-p_emuldata;
 + B  B  B  struct linux_emuldata *emul;
 + B  B  B  struct linux_emuldata *p_emul;

 B  B  B  B /* Allocate new emuldata for the new process. */
 B  B  B  B p-p_emuldata = NULL;

 B  B  B  B /* fork, use parent's vmspace (our vmspace may not be setup yet)
*/
 B  B  B  B linux_e_proc_init(p, parent-p_vmspace);
 +
 + B  B  B  emul = p-p_emuldata;
 + B  B  B  p_emul = parent-p_emuldata;

 B  B  B  B emul-my_set_tid = p_emul-child_set_tid;
 B  B  B  B emul-my_clear_tid = p_emul-child_clear_tid;
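
Review bot: Nothing in the function records why the two pointer loads now have to sit after linux_e_proc_init(), so the ordering is easy to undo in a later cleanup; a one-line comment above `emul = p->p_emuldata;` saying that the emuldata is reallocated by the init call would protect it. The `p_emul` load reads the parent's pointer, which no visible line in this hunk modifies, so it could stay as an initializer at its declaration and only `emul` needs to move.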



OpenBSD-Wiki.org

2011-04-18 Thread Kenny
Due to circumstances beyond my control, I'm no longer able to host
/ maintain / work with OpenBSD-Wiki.org. I was in the process of
updating it when some personal issues came up.
I'm interested in passing this off to someone else who may be
interested. I'll help migrate it, get things back up and going -- if
help is needed / wanted.
I'm not subscribed to the list, so send an email to this email.

-- Kennith (Kenny) Mann



Re: [OT] DNS reverse lookup from ip to CNAME

2011-04-18 Thread Joachim Schipper
On Mon, Apr 18, 2011 at 04:26:12PM +0200, Raimo Niskanen wrote:
 On Mon, Apr 18, 2011 at 12:10:31PM +0200, Alessandro Baggi wrote:
  Hi list. I'm making a program that maps some ip address to a specified 
  dns. My problem is relative to CNAME record.
 :
  Supposing that I have 209.85.148.104 ip, is possible (only knowing the 
  ip) go back to the CNAME record www.google.it?
 
 It is as far as I know impossible.
 
 A PTR record points to the canonical name.
 
 One host can have several IP addresses but every IP address
 can hence only have one canonical name.
 
 A CNAME record is supposed to resolve to a canonical name,
 but often enough there is one or more extra indirections
 before you reach it.
 
 There can be CNAME records in any domain so you can not find all
 resolving to a given canonical name unless searching the _whole_ DNS.

Yes, DNS doesn't (need or) support this. I'm pretty sure that there are
some databases of IP - name mappings, though, presumably compiled by
finding valid hostnames and looking up their IPs.

Joachim

-- 
PotD: net/transmission,-qt - lightweight BitTorrent client with Qt interface
http://www.joachimschipper.nl/
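
The limitation discussed in this thread, and the forward-lookup style of database mentioned in the last reply, as an added example (not code from any poster). It parses answer lines copied from the dig output quoted in the thread, shows what a PTR lookup can return, and builds an IP-to-names index by resolving candidate names forward and inverting the result. The function names and the `shop.example.net` record are assumptions constructed for the example.

```python
from collections import defaultdict

# Answer-section lines copied from the dig output quoted earlier in the thread.
FORWARD_ANSWERS = """
www.google.it.  327389  IN  CNAME   www.google.com.
www.google.com. 586589  IN  CNAME   www.l.google.com.
www.l.google.com.   165 IN  A   209.85.148.104
www.l.google.com.   165 IN  A   209.85.148.105
www.l.google.com.   165 IN  A   209.85.148.106
www.l.google.com.   165 IN  A   209.85.148.147
www.l.google.com.   165 IN  A   209.85.148.99
www.l.google.com.   165 IN  A   209.85.148.103
"""
# Constructed record (not from the thread): an alias living in an unrelated zone.
CONSTRUCTED_ANSWERS = """
shop.example.net.   300 IN  CNAME   www.l.google.com.
"""
# PTR answer copied from the "dig -x" output quoted in the thread.
PTR_ANSWERS = """
104.148.85.209.in-addr.arpa. 69495 IN   PTR fra07s07-in-f104.1e100.net.
"""


def parse_records(text):
    """Parse dig-style 'owner ttl IN type rdata' lines into (owner, type, rdata)."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or line.lstrip().startswith(";") or fields[2] != "IN":
            continue
        owner, _ttl, _cls, rtype, rdata = fields
        records.append((owner.rstrip(".").lower(), rtype.upper(),
                        rdata.rstrip(".").lower()))
    return records


def follow_cnames(name, records, max_hops=8):
    """Return the alias chain from name down to the name that owns the A records."""
    cname = {owner: rdata for owner, rtype, rdata in records if rtype == "CNAME"}
    chain = [name.rstrip(".").lower()]
    while chain[-1] in cname:
        target = cname[chain[-1]]
        if target in chain or len(chain) > max_hops:
            raise ValueError("CNAME loop or chain too long at " + target)
        chain.append(target)
    return chain


def build_reverse_index(candidates, records):
    """Resolve each candidate name forward and invert the result: ip -> names."""
    addresses = defaultdict(set)
    for owner, rtype, rdata in records:
        if rtype == "A":
            addresses[owner].add(rdata)
    index = defaultdict(set)
    for name in candidates:
        chain = follow_cnames(name, records)
        for ip in addresses.get(chain[-1], ()):
            index[ip].update(chain)
    return dict(index)


def ptr_lookup(ip, records):
    """What a reverse lookup can give: the PTR target for the IP, or None."""
    owner = ".".join(reversed(ip.split("."))) + ".in-addr.arpa"
    for rec_owner, rtype, rdata in records:
        if rtype == "PTR" and rec_owner == owner:
            return rdata
    return None


if __name__ == "__main__":
    zone = parse_records(FORWARD_ANSWERS + CONSTRUCTED_ANSWERS)
    print("PTR:", ptr_lookup("209.85.148.104", parse_records(PTR_ANSWERS)))
    index = build_reverse_index(["www.google.it"], zone)
    print("index:", sorted(index["209.85.148.104"]))
```

The index only contains aliases whose names were supplied as candidates; the constructed `shop.example.net` alias stays invisible until someone happens to look that name up.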



Like OpenBSD? Like to see new stuff happening? You really need to order a CD today :)

2011-04-18 Thread Bob Beck
 Hi all,

   A number of you may have noticed the recent flurry of activity,
leading to stuff like bigmem being turned on.. Some more good stuff is
coming soon (my amd64 at my house is using 7 gigabytes of memory for
buffer cache, and I'm doing builds without touching disks..).  Some
really cool stuff is being worked on and is coming to a source tree
near you soon.

   However, I'd like to take the opportunity to remind you all, that
the project does depend on CD and shirt sales to keep it alive.  Yes
you may not use a CD all the time, but the latest one is pretty cool.

  So, short answer? go buy a CD.  pre-orders are a little slow this
release, and we need to see some more activity in that area.

  Then maybe I'll stop worrying about it and commit that thing that
will make your amd64 use even more buttloads of memory too!

   So - yes we like donations, but we also like CD sales.. now is the
time to help out.

Thanks

-Bob



vnconfig wd1 disklabel dissapearing

2011-04-18 Thread Kevin Chadwick
I've done the following and at first I didn't mail in case it was a
weird vmware bug but it does exactly the same thing on real hardware.

Someone mentioned fairly recently in 'equivalent of Linux mount -o
bind' which should interest a recent poster a little, that you could
use /dev/wd* directly with vnconfig which seemed faster and easier, it
is not in the man page so maybe there is something lucky or hit and
miss when it works and so hopefully someone will know straight away and
make me look stupid as to why I'm at a loss with what I've found.

I've used wd1c as an immovable object in disklabel which is working but
figured I should at least report the following in case it isn't
expected. Should I use an image file on wd1a instead of /dev/wd1c?



Drives zeroed

/sbin/vnconfig -ck svnd0 /dev/wd1c
/sbin/disklabel -E svnd0
/sbin/newfs /dev/rsvnd0a
/sbin/newfs /dev/rsvnd0d

/sbin/vnconfig -ck svnd1 /dev/wd0l
/sbin/disklabel -E svnd1
/sbin/newfs /dev/rsvnd1a

reboot, I guess disklabel -c would do the same

wd0l and svnd1 work fine (disklabels visible and work fine)

I have to recreate the disklabel for wd1 and svnd0 after which it works
fine until the next reboot (data accessed).



p.s. I am using bioctl for some things but here they are small and
currently non performance critical, so I went for blowfish. 



Re: vnconfig wd1 disklabel dissapearing

2011-04-18 Thread Kevin Chadwick
Oops forgot, it occurred on vmware and a physical box but was 4.8 stable
on both. Shall I grab a snapshot, as I say I've worked it a different
way and maybe this was the wrong way of using vnconfig anyway.



Re: Like OpenBSD? Like to see new stuff happening? You really need to order a CD today :)

2011-04-18 Thread Patsy

On Mon, 18 Apr 2011 13:39:19 -0600, Bob Beck b...@obtuse.com wrote:

Hi all,
  So, short answer? go buy a CD.  pre-orders are a little slow this
release, and we need
to see some more activity in that area.

  Then maybe I'll stop worrying about it and commit that thing that
will make your
amd64 use even  more buttloads of memory too!



I've just ordered my CD set and a hoodie. Sorry for not doing it
sooner - you guys certainly deserve it. If I meet you in person,
remind me to buy you a drink or three :-)

Patsy



vnconfig wd1 disklabel dissapearing

2011-04-18 Thread Kevin Chadwick
Date was wrong resent for those that sort by date and not receipt order,
sorry for duplicates.




Re: benchmarks

2011-04-18 Thread Chris Cappuccio
Rodrigo Mosconi [open...@mosconi.mat.br] wrote:
 Hi all,
 
 I'm interested in some benchmarks, especially with network/PF.
 

How about this...With GENERIC -current amd64 kernel, I'm getting almost 800Mbps 
on a single FTP transfer between two 1Gbit-connected boxes with em controllers 
and mfi RAID backed with 6xSATA on each box.  This is with boxes that are 
already busy with day-to-day activity.  The limitation has gone from the 
networking code to the mfi controller and associated disk activity, nice to see 
I think.

Removing NIC driver interrupt loops and IPL_BIO in ppb was a big win.

Transfers are a lot slower with my mpi two disk RAID 1 boxes, but using less 
hard disks is a lot slower than 1Gbps ethernet.  Need to try with mfs next.

It pays to do it right, MCLGETI without loops in x_intr is proving to be a 
much better idea than what FreeBSD did with the polling hacks.

I wonder what kind of packet per second limitations people see now with bge, 
em, bnx, ix, vr, the common drivers, with and without pf enabled.  PF enabled 
should be faster now that it doesn't recalculate IP checksums mid-stream !

-- 
the preceding comment is my own and in no way reflects the opinion of the Joint 
Chiefs of Staff



Re: Like OpenBSD? Like to see new stuff happening? You really need to order a CD today :)

2011-04-18 Thread Dave Anderson
On Mon, 18 Apr 2011, Bob Beck wrote:

 Hi all,

   A number of you may have noticed the recent flurry of activity,
leading to stuff like bigmem being turned on.. Some more good stuff is
coming soon (my amd64 at my house is using 7 gigabytes of memory for
buffer cache, and I'm doing builds without touching disks..).  Some
really cool stuff is being worked on and is coming to a source tree
near you soon.

   However, I'd like to take the opportunity to remind you all, that
the project does depend on CD and shirt sales to keep it alive.  Yes
you may not use a CD all the time, but the latest one is pretty cool.

  So, short answer? go buy a CD.  pre-orders are a little slow this
release, and we need to see some more activity in that area.

This may tie in to something I've noticed -- it's less than two weeks to
the official release date of 4.9 but there's no sign that the CDs are
shipping yet.  While there's no obligation for them to arrive before
that date, usually we hear earlier than this that they're shipping.  Is
there some delay?

  Then maybe I'll stop worrying about it and commit that thing that
will make your amd64 use even more buttloads of memory too!

   So - yes we like donations, but we also like CD sales.. now is the
time to help out.

My set was ordered as soon as the order page went up, but (since, for
the first time in far too long, I've got some spare cash) I'll see about
also making a donation.

Not that I have any particular standing, but FWIW, y'all please order a
CD set if you haven't already done so.  OpenBSD has served me well for
quite a few years, and I'd really like to see it continue -- and
continue to improve.

Dave

-- 
Dave Anderson
d...@daveanderson.com



Packages security updates

2011-04-18 Thread enclair
Hi,

the FAQ says:

When serious bugs or security flaws are discovered in third party software,
they are fixed in the *-stable* branch of the ports tree. Remember that the
lifecycle is 1 release: only the current and last release are updated

Does it mean:

1) 4.8-stable and -current have security updates for packages.

or

2) 4.7-stable and 4.8-stable have security updates for packages.

?

Thanks.



Re: Packages security updates

2011-04-18 Thread roberth
On Mon, 18 Apr 2011 23:45:10 +0200
enclair wifiencl...@gmail.com wrote:

 Hi,
 
 the FAQ says:
 
 When serious bugs or security flaws are discovered in third party
 software, they are fixed in the *-stable* branch of the ports tree.
 Remember that the lifecycle is 1 release: only the current and last
 release are updated
 
 Does it mean:
 
 1) 4.8-stable and -current have security updates for packages.
 
 or
 
 2) 4.7-stable and 4.8-stable have security updates for packages.
 
 ?
 
 Thanks.
 

none of those two options.
no packages (, yet).
if someone gets around to it, the updated port will be in the -stable
ports tree, still have to build it yourself.
and if you are not running the latest -release or -current, in most
cases you are doing it wrong. :)



Re: benchmarks

2011-04-18 Thread Amit Kulkarni
Chris, don't forget to mention that they are simplifying the buffer cache (and 
bigmem!) so that when the attempted switch to rthreads comes, there will be far 
less hassles 
compared to FreeBSD or NetBSD, which literally took 2-5 years to perfect. Read 
Matt Dillon's interview linked from wikipedia. Read the section on buffer cache

http://kerneltrap.org/node/8

Linux and the other BSD's with so much commercial support (not Dfly!) just 
recently getting rid of Big Giant Lock, so OpenBSD is not that far behind. 
Stick with OpenBSD and see how 'fast' it continues to run.

Good luck.

On Mon, 18 Apr 2011, Chris Cappuccio wrote:

 Rodrigo Mosconi [open...@mosconi.mat.br] wrote:
  Hi all,
  
  I'm interested in some benchmarks, especially with network/PF.
  
 
 How about this...With GENERIC -current amd64 kernel, I'm getting almost 
 800Mbps on a single FTP transfer between two 1Gbit-connected boxes with em 
 controllers and mfi RAID backed with 6xSATA on each box.  This is with boxes 
 that are already busy with day-to-day activity.  The limitation has gone from 
 the networking code to the mfi controller and associated disk activity, nice 
 to see I think.
 
 Removing NIC driver interrupt loops and IPL_BIO in ppb was a big win.
 
 Transfers are a lot slower with my mpi two disk RAID 1 boxes, but using less 
 hard disks is a lot slower than 1Gbps ethernet.  Need to try with mfs next.
 
 It pays to do it right, MCLGETI without loops in x_intr is proving to be a 
 much better idea than what FreeBSD did with the polling hacks.
 
 I wonder what kind of packet per second limitations people see now with bge, 
 em, bnx, ix, vr, the common drivers, with and without pf enabled.  PF enabled 
 should be faster now that it doesn't recalculate IP checksums mid-stream !
 
 -- 
 the preceding comment is my own and in no way reflects the opinion of the 
 Joint Chiefs of Staff



Re: benchmarks

2011-04-18 Thread Chris Cappuccio
Amit Kulkarni [amitk...@gmail.com] wrote:
 Chris, don't forget to mention that they are simplifying the buffer cache 
 (and bigmem!) so that when the attempted switch to rthreads comes, there will 
 be far less hassles 
 compared to FreeBSD or NetBSD, which literally took 2-5 years to perfect. 
 Read Matt Dillon's interview linked from wikipedia. Read the section on 
 buffer cache
 
 http://kerneltrap.org/node/8
 
 Linux and the other BSD's with so much commercial support (not Dfly!) just 
 recently getting rid of Big Giant Lock, so OpenBSD is not that far behind. 
 Stick with OpenBSD and see how 'fast' it continues to run.
 

rthreads isn't going to help with kernel locking...

i didn't think that much effort was going towards splitting the kernel across 
CPUs, is there something i'm missing here?



Re: Sun blade 1500 experiences ?

2011-04-18 Thread Super Biscuit
Sunblade1000 for a desktop. I run OpenBSD on it at times. Mach64 card
1024x768. if you have a better card then  the graphics should be better.
You can do a lot more with it than just run emacs.


--- On Fri, 4/15/11, Christiano F. Haesbaert haesba...@haesbaert.org wrote:

From: Christiano F. Haesbaert haesba...@haesbaert.org
Subject: Sun blade 1500 experiences ?
To: OpenBSD Questions misc@openbsd.org
Date: Friday, April 15, 2011, 7:24 PM

Hi there,

I'm considering buying a sun blade 1500, mainly cause I found a great
deal on our local ebay.
I was thinking of replacing my aging ultra 5 as my local server, but
it turns out it seems like a nice desktop system.
Is anyone using a similar machine for desktop ?
How is performance in general (Considering X and such) ? Anyone tried
1680 x 1050 ?
I'm a heavy emacs user, other than that, I don't run any other
significant program (cpu/mem/io) (only mutt, irssi e cia...).
Here are the specs:
http://www.sun.com/desktop/workstation/sunblade1500/specs.xml
Well, I'm getting it anyway, if not for desktop for my server
replacement (2x 64bit pci :-))
Does anyone have a dmesg for that ?

Thanks



Re: vnconfig wd1 disklabel disappearing

2011-04-18 Thread Kenneth R Westerback
On Mon, Apr 18, 2011 at 09:56:45AM +, Kevin Chadwick wrote:
 I've done the following and at first I didn't mail in case it was a
 weird vmware bug but it does exactly the same thing on real hardware.
 
 Someone mentioned fairly recently in 'equivalent of Linux mount -o
 bind' which should interest a recent poster a little, that you could
 use /dev/wd* directly with vnconfig which seemed faster and easier, it
 is not in the man page so maybe there is something lucky or hit and
 miss when it works and so hopefully someone will know straight away and
 make me look stupid as to why I'm at a loss with what I've found.
 
 I've used wd1c as an immovable object in disklabel which is working but
 figured I should at least report the following in case it isn't
 expected. Should I use an image file on wd1a instead of /dev/wd1c?

Yes. Never use 'c' for anything permanent. It is the kernel's and not
yours.

 Ken

 
 
 
 Drives zeroed
 
 /sbin/vnconfig -ck svnd0 /dev/wd1c
 /sbin/disklabel -E svnd0
 /sbin/newfs /dev/rsvnd0a
 /sbin/newfs /dev/rsvnd0d
 
 /sbin/vnconfig -ck svnd1 /dev/wd0l
 /sbin/disklabel -E svnd1
 /sbin/newfs /dev/rsvnd1a
 
 reboot, I guess disklabel -c would do the same
 
 wd0l and svnd1 work fine (disklabels visible and work fine)
 
 I have to recreate the disklabel for wd1 and svnd0 after which it works
 fine until the next reboot (data accessed).
 
 
 
 p.s. I am using bioctl for some things but here they are small and
 currently non performance critical, so I went for blowfish. 



Re: a GOOD idea to harden OpenSSH!

2011-04-18 Thread swilly
On Wed, Mar 30, 2011 at 03:22, Alexander Schrijver
alexander.schrij...@gmail.com wrote:
 It's a great way to keep someone out of their own system.

Huh? Wouldn't securely backing up the RSA keys prevent this? If you
are mindful enough to use keys in the first place and don't back up
such critical data, wouldn't you deserve to be locked out until
someone can cart over an IP KVM?

-William



Re: Like OpenBSD? Like to see new stuff happening? You really need to order a CD today :)

2011-04-18 Thread Theo de Raadt
A number of you may have noticed the recent flurry of activity,
 leading to stuff like bigmem being turned on.. Some more good stuff is
 coming soon (my amd64 at my house is using 7 gigabytes of memory for
 buffer cache, and I'm doing builds without touching disks..).  Some
 really cool stuff is being worked on and is coming to a source tree
 near you soon.
 
However, I'd like to take the opportunity to remind you all, that
 the project does depend on CD and shirt sales to keep it alive.  Yes
 you may not use a CD all the time, but the latest one is pretty cool.
 
   So, short answer? go buy a CD.  pre-orders are a little slow this
 release, and we need to see some more activity in that area.
 
 This may tie in to something I've noticed -- it's less than two weeks to
 the official release date of 4.9 but there's no sign that the CDs are
 shipping yet.  While there's no obligation for them to arrive before
 that date, usually we hear earlier than this that they're shipping.  Is
 there some delay?

Wow -- watch out, or you will kill the message.  I note you are inside
North America.  Packages inside North America can make it to their
destination in 3 days, 4 days tops.  It is April 18.  What are you
talking about?  Your CD order will arrive around the release time.
Probably before, as is usual, though no one ever promised that!

As well, I know that other distributors (including Liam in England)
will soon have CDs ready so that there can be a 'coordinated release'.
People on the other continents need to get a chance to be the first at
bragging.

Let's backtrack.  Bob is bringing up an important point (he mentioned
it publicly after I mentioned it privately to him earlier, so I know
where this comes from).

Year on year, when it comes to money that keeps the project going,
nothing much has changed in this project.  I think people should
contrast our track record of 'good product' to our 'inability to sell
out'.  Unlike everyone else in the open source industry, we continue
to operate on donations and CD sales (money).

We have kept donations and money separated.  Donations fund the
things they can easily fund, and money funds the things they can
fund easily; we all know there are business/taxation rules to be
followed.  The donations primarily fund the hackathons (5-6 a year
these days) and travel assistance for the less fortunate developers to
those hackathons.  Great things come from those donations, from those
hackathons we are all running code that came out of them.  None of us
can contest that.

But without CD and tshirt sales, other parts of the project are in
trouble -- the things that are more difficult to fund out of
donations.  And there is a further relationship: If not enough CDs
are sold in a release, there may be no further CDs made after that.
If there are no CDs made or sold, I don't know what will happen.  I
doubt donations could help us ever again bootstrap a CD release
process again.  I don't know where various aspects of the project
would go.  Of course everyone knows that part of the CD sales become
my salary (keeping me away from working for companies writing non-free
software perhaps, though I doubt I am employable).  But that is only
fair.  All of you eat, too.  I spend more time in front of a keyboard
than most of you...

If things went bad financially, I don't know how I would cope with
such a big change.  I doubt the user community has a plan for that,
either.  If you are receiving this mail you are using OpenBSD or the
other things that our developer community have made, so please be
considerate and help us continue.  The donations are one thing, and
thank you -- but please remember that the sales component has to be
there too.

I am only a part of the CD sales money.  CD sales money keeps the
electrons flowing through cvs.openbsd.org.  Trust me, it is critical.

 Not that I have any particular standing, but FWIW, y'all please order a
 CD set if you haven't already done so.  OpenBSD has served me well for
 quite a few years, and I'd really like to see it continue -- and
 continue to improve.

Exactly -- let us continue doing this.



Re: vnconfig wd1 disklabel disappearing

2011-04-18 Thread Theo de Raadt
 On Mon, Apr 18, 2011 at 09:56:45AM +, Kevin Chadwick wrote:
  I've done the following and at first I didn't mail in case it was a
  weird vmware bug but it does exactly the same thing on real hardware.
  
  Someone mentioned fairly recently in 'equivalent of Linux mount -o
  bind' which should interest a recent poster a little, that you could
  use /dev/wd* directly with vnconfig which seemed faster and easier, it
  is not in the man page so maybe there is something lucky or hit and
  miss when it works and so hopefully someone will know straight away and
  make me look stupid as to why I'm at a loss with what I've found.
  
  I've used wd1c as an immovable object in disklabel which is working but
  figured I should at least report the following in case it isn't
  expected. Should I use an image file on wd1a instead of /dev/wd1c?
 
 Yes. Never use 'c' for anything permanent. It is the kernel's and not
 yours.

Ken is right.  'c' is the special partition that is the whole disk no
matter what the disklabel says.



Re: Like OpenBSD? Like to see new stuff happening? You really need to order a CD today :)

2011-04-18 Thread Dave Anderson
On Mon, 18 Apr 2011, Theo de Raadt wrote:

A number of you may have noticed the recent flurry of activity,
 leading to stuff like bigmem being turned on.. Some more good stuff is
 coming soon (my amd64 at my house is using 7 gigabytes of memory for
 buffer cache, and I'm doing builds without touching disks..).  Some
 really cool stuff is being worked on and is coming to a source tree
 near you soon.
 
However, I'd like to take the opportunity to remind you all, that
 the project does depend on CD and shirt sales to keep it alive.  Yes
 you may not use a CD all the time, but the latest one is pretty cool.
 
   So, short answer? go buy a CD.  pre-orders are a little slow this
 release, and we need to see some more activity in that area.

 This may tie in to something I've noticed -- it's less than two weeks to
 the official release date of 4.9 but there's no sign that the CDs are
 shipping yet.  While there's no obligation for them to arrive before
 that date, usually we hear earlier than this that they're shipping.  Is
 there some delay?

Wow -- watch out, or you will kill the message.

My apologies if my reply had any such effect; it certainly wasn't
intended to do that.

 I note you are inside
North America.  Packages inside North America can make it to their
destination in 3 days, 4 days tops.  It is April 18.  What are you
talking about?  Your CD order will arrive around the release time.
Probably before, as is usual, though no one ever promised that!

As I said, I believe that OpenBSD's only obligation is to get the
pre-order CD sets to us by the release date (and even that isn't
absolute, given that shit happens).  I was just interested in / curious
about why the pre-order process seemed to be working a bit differently
from the way it usually has.

As well, I know that other distributors (including Liam in England)
will soon have CDs ready so that there can be a 'coordinated release'.
People on the other continents need to get a chance to be the first at
bragging.

Thanks for the explanation.

Dave

Let's backtrack.  Bob is bringing up an important point (he mentioned
it publicly after I mentioned it privately to him earlier, so I know
where this comes from).

Year on year, when it comes to money that keeps the project going,
nothing much has changed in this project.  I think people should
contrast our track record of 'good product' to our 'inability to sell
out'.  Unlike everyone else in the open source industry, we continue
to operate on donations and CD sales (money).

We have kept donations and money separated.  Donations fund the
things they can easily fund, and money funds the things they can
fund easily; we all know there are business/taxation rules to be
followed.  The donations primarily fund the hackathons (5-6 a year
these days) and travel assistance for the less fortunate developers to
those hackathons.  Great things come from those donations, from those
hackathons we are all running code that came out of them.  None of us
can contest that.

But without CD and tshirt sales, other parts of the project are in
trouble -- the things that are more difficult to fund out of
donations.  And there is a further relationship: If not enough CDs
are sold in a release, there may be no further CDs made after that.
If there are no CDs made or sold, I don't know what will happen.  I
doubt donations could help us ever again bootstrap a CD release
process again.  I don't know where various aspects of the project
would go.  Of course everyone knows that part of the CD sales become
my salary (keeping me away from working for companies writing non-free
software perhaps, though I doubt I am employable).  But that is only
fair.  All of you eat, too.  I spend more time in front of a keyboard
than most of you...

If things went bad financially, I don't know how I would cope with
such a big change.  I doubt the user community has a plan for that,
either.  If you are receiving this mail you are using OpenBSD or the
other things that our developer community have made, so please be
considerate and help us continue.  The donations are one thing, and
thank you -- but please remember that the sales component has to be
there too.

I am only a part of the CD sales money.  CD sales money keeps the
electrons flowing through cvs.openbsd.org.  Trust me, it is critical.

 Not that I have any particular standing, but FWIW, y'all please order a
 CD set if you haven't already done so.  OpenBSD has served me well for
 quite a few years, and I'd really like to see it continue -- and
 continue to improve.

Exactly -- let us continue doing this.


-- 
Dave Anderson
d...@daveanderson.com