Re: Narcicism?

2011-11-30 Thread Tony Abernethy
Something about gladly making fools suffer as opposed to gladly suffering
fools.
Actually they are a lot kinder and gentler than I would be.

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of John
Tate
Sent: Thursday, December 01, 2011 1:28 AM
To: misc
Subject: Narcicism?

I think I've found a bug in the OpenBSD crowd. They bug the hell out of me
and my little mistakes.

I am not talking about people who actually have a solution, but I can't
seem to ask anything on this list without parrots coming along picking on
me. I think some people just hang out here because it's the most anal bunch
of hackers ever, in recorded history. What are your experiences?

Is it true that occasionally we attract people who either love bullying or
are just lazy and pretending to be one of the clever?

It just figures some of these people sit on the list, and email you poorly
researched crap with no answers contain.

If you hate a question, it truly doesn't belong, bug me.

But if you just can't answer a question, ignore it.

John Tate.

Note: Yes, it's not my list.

--
www.johntate.org



Re: Narcicism?

2011-11-30 Thread Andres Perera
http://johntate.org/fact/johntate

"I now have 7 years of experience in FreeBSD/OpenBSD"

On Thu, Dec 1, 2011 at 2:58 AM, John Tate  wrote:
> I think I've found a bug in the OpenBSD crowd. They bug the hell out of me
> and my little mistakes.
>
> I am not talking about people who actually have a solution, but I can't
> seem to ask anything on this list without parrots coming along picking on
> me. I think some people just hang out here because it's the most anal bunch
> of hackers ever, in recorded history. What are your experiences?
>
> Is it true that occasionally we attract people who either love bullying or
> are just lazy and pretending to be one of the clever?
>
> It just figures some of these people sit on the list, and email you poorly
> researched crap with no answers contain.
>
> If you hate a question, it truly doesn't belong, bug me.
>
> But if you just can't answer a question, ignore it.
>
> John Tate.
>
> Note: Yes, it's not my list.
>
> --
> www.johntate.org



Narcicism?

2011-11-30 Thread John Tate
I think I've found a bug in the OpenBSD crowd. They bug the hell out of me
and my little mistakes.

I am not talking about people who actually have a solution, but I can't
seem to ask anything on this list without parrots coming along picking on
me. I think some people just hang out here because it's the most anal bunch
of hackers ever, in recorded history. What are your experiences?

Is it true that occasionally we attract people who either love bullying or
are just lazy and pretending to be one of the clever?

It just figures some of these people sit on the list, and email you poorly
researched crap with no answers contain.

If you hate a question, it truly doesn't belong, bug me.

But if you just can't answer a question, ignore it.

John Tate.

Note: Yes, it's not my list.

-- 
www.johntate.org



Re: Packet filter log tools

2011-11-30 Thread John Tate
On Thu, Dec 1, 2011 at 5:32 PM, Jan Stary  wrote:

> On Dec 01 12:23:30, John Tate wrote:
> > If no such thing exists, perhaps I should make one,
>
> Absolutely. Let us know when it is done.
>
> > I am looking for a project.
>
> Ah, so sysutils/cdrtools is already up to the latest release?
>
Here I'll write a patch: rm -rf /usr/ports/sysutils/cdrutils

Nobody needs that tool, I'm putting this back on the list hoping you are
removed, troll.




-- 
www.johntate.org



mplayer problems

2011-11-30 Thread Luis Useche
Hi Guys,

Is anyone having problems lately with mplayer? After my last update of
packages mplayer alternates between these two errors:

(0)$ mplayer
mplayer: can't load library 'liborc-0.4.so.4.0'
(0)$ mplayer
mplayer: can't load library 'libenca.so.0.0'

I also tried to compile from ports without success:

Missing library for orc-0.4>=0.0

Any advice?

Thanks,
Luis.



Re: bad link for bind's named server patch for Openbsd 5.0 -stable

2011-11-30 Thread Daniel Ouellet

What patch you want.

http://ftp.openbsd.org/pub/OpenBSD/patches/5.0/common/

There isn't one yet, no bug yet.

Hmmm.

Or if you look here:

http://openbsd.org/errata50.html

You will see clearly that it said:

None yet!

Hmmm...



On 11/30/11 8:30 PM, Ralph W Siegler wrote:

So 5.0 has its very first patch to -stable, but the link
http://ftp.openbsd.org/pub/OpenBSD/patches/5.0/common/001_bind.patch   goes
nowhere.  Could someone please fix that?  Thanks!




Re: bad link for bind's named server patch for Openbsd 5.0 -stable

2011-11-30 Thread Daniel Ouellet

What you are looking at here:

http://www.openbsd.org/errata50.html

May not have replicated everywhere yet.

Give it a day or two.

Daniel


On 11/30/11 8:30 PM, Ralph W Siegler wrote:

So 5.0 has its very first patch to -stable, but the link
http://ftp.openbsd.org/pub/OpenBSD/patches/5.0/common/001_bind.patch   goes
nowhere.  Could someone please fix that?  Thanks!




bad link for bind's named server patch for Openbsd 5.0 -stable

2011-11-30 Thread Ralph W Siegler
So 5.0 has its very first patch to -stable, but the link
http://ftp.openbsd.org/pub/OpenBSD/patches/5.0/common/001_bind.patch   goes
nowhere.  Could someone please fix that?  Thanks!



Packet filter log tools

2011-11-30 Thread John Tate
OpenBSD Misc,

What tools can you guys recommend for browsing through a pf log? GUI not
needed, ideally, something a bit like webalizer that spits out HTML. If no
such thing exists, perhaps I should make one, I am looking for a project.

John Tate

-- 
www.johntate.org



Re: [Soekris] Fwd: mSATA failure on 6501 w/ OpenBSD 5.0

2011-11-30 Thread Jonathan Gray
Do you have a way to reproduce this?  I have a 6501 with 2GB msata
and haven't seen the problem here.

On Mon, Nov 28, 2011 at 02:45:41PM -0800, Christopher LILJENSTOLPE wrote:
> Greetings,
>
>   Any thoughts as to how to get around this - it's only been up for a few
> days. Rebooting my home router every 24 hours is not spouse endearing
> behavior :)
>
>   Chris
>
> On 28Nov2011, at 14.30, Chris Cappuccio wrote:
>
> > here is the key error message. it means your whole ahci disk has
> > disappeared (and anything you can still run is happening from cache.)
> >
> > --
> > ahci0: stopping the port, softreset slot 31 was still active.
> > ahci0: failed to reset port during timeout handling, disabling it
> > --
> >
> > likely a reboot will fix it. this is a known problem with ahci driver and
> > intel ahci controllers.
> >
> > the "failed to reset port" and "softreset slot was still active" problems
> > become really obvious once you start maxing out disks on an ahci controller
> > with a softraid array. they rarely present problems in normal use! but, the
> > SSD sata drive may evoke different behavior for some reason. i think
> > continuous runs of iogen over a RAID1 array might bring out similar issues
> > all by itself, even with regular hard disks
> >
> > dragonflybsd's port of openbsd's ahci driver has incorporated several of
> > workarounds for problems directly related to this. (reset this when that
> > happens, etc..) that might be a good place to start looking, if you can
> > easily reproduce the problem then you would know quickly when a ported fix
> > from their driver has helped.
>
> --
> ff/g?
> Check my PGP key here: https://www.asgaard.org/~cdl/cdl.asc
> Current vCard here: https://www.asgaard.org/~cdl/cdl.vcf



Re: mSATA failure on 6501 w/ OpenBSD 5.0

2011-11-30 Thread Christopher LILJENSTOLPE
Greetings guys,

I'm the original reporter, comments in line...

One other comment, when I got back to the console and rebooted, the entire
drive was scrodded.  I haven't seen an fsck like that in quite some time.
Unable to really come up as an operational system.  Basically re-pxe'd boot.rd
and re-installed.  I scribbled over the drive before the install without any
issues.  The drive checked.

On 29Nov2011, at 04.10, Remco wrote:

> Chris Cappuccio wrote:
>
>> here is the key error message. it means your whole ahci disk has
>> disappeared (and anything you can still run is happening from cache.)
>>
>> --
>> ahci0: stopping the port, softreset slot 31 was still active.
>> ahci0: failed to reset port during timeout handling, disabling it
>> --
>>
>> likely a reboot will fix it. this is a known problem with ahci driver and
>> intel ahci controllers.
>
> I am not so sure this is a driver problem.
>
> I think I accidentally "emulated" this problem the other day on my desktop
> system (not a 6501):
> Nov 28 16:38:44 ws0001 /bsd: ahci1: stopping the port, softreset slot 31 was still active.
> Nov 28 16:38:44 ws0001 /bsd: ahci1: failed to reset port during timeout handling, disabling it
>
> I have this external drive bay connected through e-SATA. After unmounting
> the drive I switched off the external drive's power. Running disklabel on
> the drive resulted in the above failures, which I guess makes sense, after
> all, I made the drive "disappear".

The drive is a transcend 16 GB mSATA that's installed on the motherboard - not
really some way for it to "go away"

>
>>
>> the "failed to reset port" and "softreset slot was still active" problems
>> become really obvious once you start maxing out disks on an ahci
>> controller with a softraid array. they rarely present problems in normal
>> use! but, the SSD sata drive may evoke different behavior for some reason.
>> i think continuous runs of iogen over a RAID1 array might bring out
>> similar issues all by itself, even with regular hard disks
>>
>
> Maxing out disks sounds like having more activity on the disks, possibly
> making them draw more power. Could these errors relate to bad power cabling
> or insufficient power supply ?
>
> If multiple disks with an insufficiently powered system are the problem, one
> solution might be a power supply that can deliver more power, another
> possible solution might be using external drive bays, each having their own
> power supply.
>
> For stuff purely SSD related, a motherboard BIOS update and/or SSD firmware
> update may help as well.

The power supply is running about 40% of max rated - and the drive is a
small SSD, so I don't think that it could be the power supply.

Current BIOS on the 6501 (an update is coming, but current for right now).
SSD is brand new, and has the latest transcend firmware (as far as I can
tell).


Chris

>

--
ff/g?
Check my PGP key here: https://www.asgaard.org/~cdl/cdl.asc
Current vCard here: https://www.asgaard.org/~cdl/cdl.vcf



ISAKMPD question: certificates shipped?

2011-11-30 Thread Toni Mueller
Hi,

I'm running into a problem with OpenBSD 5.0 and isakmpd. A config that
works on 4.8, doesn't work on 5.0: the client is denied access,
allegedly due to OpenBSD shipping the wrong (X.509) certificate, or
certificates in the wrong order. The (3rd party) claim is that it might
ship the CA certificate, followed by the server certificate.

It would be very nice if someone could shed some light to this.

TIA!


Kind regards,
--Toni++



Re: how to find dependencies when building a new kernel

2011-11-30 Thread Jan Stary
On Nov 30 10:26:46, T. Valent wrote:
> sure will solve what you have understood to be my problem. But what
> really annoys me here is that I'm not taken seriously when I say "this
> isn't an option". Why don't you just believe my words instead of
> permanently speaking about things that I explicitly said are impossible?

Because if someone simply says "this is impossible", it is only
natural to ask "why is that impossible?". How does that annoy you?

(Solving your problem is impossible. Really.
Don't waste your time asking why.)

> Did you read my mail in which I said that the hardware cannot be
> changed? A new flashcard would be a change in hardware.

So the 32MB storage is a CF card? Don't be surprised that
people ask, because it begs the question (no really, it does):
why can't you put a bigger CF card in there that would
just hold GENERIC? No, really: why? Answering this question
will take a few minutes of our time.

> I think you know
> that. You just don't take my words seriously and keep talking about
> things that I already said are not possible in this project. Why discuss
> this? From my point of view it's not me wasting your time, but it's you
> wasting your time, because you don't really care about what I said.
> 
> The overall project is about updating multiple systems

How many multiple systems?

> that are in
> production. By _just_ using just a software update. Changes in hardware
> are not an option.

Putting, say, a bigger CF card in them is a change in hardware, granted.
Would that change eliminate the need for the whole process of
maintaining custom kernels and custom stripped down systems?
If not, why?

> dmesg output of any of these devices would be possible, but like I said
> it's a very stripped down environment. dmesg is not part of it. I'd have
> to setup an old system with dmsg on it,

So, at some point, you had a system on it that had dmesg(1).
How long does it take to put that system on it again and run
dmesg(1)? (That's not a rhetorical question that wants to be
sarcastic - that's an honest question). Generally, how long
does it take to put a new system in, once it is built?

> then export the output, just to
> convince you of what I've done in the past. Then, after I've proven my
> point with this dmesg output, we'd be no step further,

Yes we would: we would know your hardware from OpenBSD's point of view.

> because like I
> said often enough now, I'm not interested in a hint like "add this line
> to your config", but I want to learn about what steps to do, next time I
> run into the same problem (which I probably will with the next OpenBSD
> release that I want to migrate the systems to).
> If you can help me by explaining where to look and what to read to learn
> how to build the smallest custom kernels possible, I'd be happy.

You have been told several times already: strip GENERIC down to what
will fit on your system. Start with things you definitely do not need
(sound? wifi?), then continue with the rest. If things break, put
the last thing that you removed back there. It is a way to arrive
at the smallest possible kernel that works for you. Isn't it?



Re: Something similar to Soekris boards, for server applications

2011-11-30 Thread David Riley
On Nov 30, 2011, at 2:18 PM, Mehma Sarja wrote:

> I'm putting a Supermicro Atom D510 in the field as a SSD-based firewall and
> boot server for 158 users. And a Supermicro D525 as a file server with a 1 TB
> drive. Where they are going, they have power issues and low-power systems,
> with a UPS, might just survive. Each is maxed out with 4GB RAM. And I am also
> keeping one application per machine for simple maintenance and 'safeguard'
> performance.

I should also note that if you're considering an Atom N550, it has a limit of
2GB RAM (which is odd, considering it's 64-bit running DDR3 and its
predecessor, the N525, maxes out at 4GB of DDR2).  Crucial seems to think
that's not the case, and I can't convince them otherwise.

- Dave



Re: how to find dependencies when building a new kernel

2011-11-30 Thread Jan Stary
On Nov 30 18:15:30, Torsten Valentin wrote:
> > dmesg is the lazy way to get this info, the same info is written to
> > /var/log/messages during boot.  Are you saying your system is so
> > stripped down you don't even log anything?
> 
> Yep. And because the only persistent memory is Flash (32MB, which
> quickly dies if you permanently write to it), the whole system runs
> inside a RAMDISK only.
> And there is no terminal or ssh. Modifying the
> system means setting up a new system with modified /sbin/init each time.

So: your machine has 32MB of Flash storage that holds the entire
system. On boot, it all gets loaded as a RAMDISK. Right?

Question: how do you actually put a new system onto that
Flash storage? What kind of Flash storage is it? (I suppose
it's not a CF card or an USB flash drive that you would
plug out, put an image on it, and plug in.)

> Hard to believe, I know, but what people do with OpenBSD is sometimes
> quite different from what you know from "usual systems".

It certainly sounds interesting. Out of curiosity: what do these
systems do? Are they routers? Rocket launchers?

> I can provide a dmesg from a virtual machine that we use for testing
> purposes, but obviously that's not the same as the system that the
> kernel is going to be running on later in production environment. But,
> hey, yet, I haven't been able to compile the kernel on this testing
> machine, either. I explain this so elaborately because I know I'd
> otherwise get replies like: "What did you tell us about having little
> memory and such, this is a usual virtual machine and therefore you've got
> no need to use a custom kernel..." ;-) You know what I mean... My goal
> is to have kernel config files that will do on both, the virtual machine
> for testing and the production environment. Being able to compile a
> custom kernel on this VM would be a good first step. From there on I
> could add the drivers I need on the production machine and that way get
> closer to a final solution...
> 
> I'm very curious how dmesg will help...

A dmesg from the actual machine would; really, it would.



Re: pf and includes

2011-11-30 Thread Adriaan
On Wed, Nov 30, 2011 at 9:22 AM, Peter Hallin  wrote:
> Hello,
>
> I have some issues with pf.conf and includes that perhaps someone could
> shed some light on.
>
> Where I work, we use bridging firewalls with multiple tagged vlans
> passing the bridges, and filtering is done on the vlan interfaces.
> Normally we have around 10-20 vlans on each machine, and we have a LOT
> of rules in pf.conf. To make configuration a little easier I'm beginning
> to look at how to separate the vlans into multiple configs, one for each
> vlan, and then include them all from pf.conf.
>
> I would want to have all macros, options and rules for each vlan in a
> separate file, but also i would like to use macros from one config in
> rules in another file. To clarify what I'm getting at, here's an
> example:
>
> ##
>
> /etc/vlan500.conf:
>
> DB="192.168.0.10/32"
>
> block log on vlan500
> pass in quick on vlan500 from $Webserver to $DB port 3306
> pass out on vlan500
>
> ##
>
> /etc/vlan1000.conf:
>
> Webserver="192.168.1.20/32"
>
> block log on vlan1000
> pass in quick on vlan1000 from any to $Webserver port 80
> pass out on vlan1000
>
> ##
>
> /etc/pf.conf
>
> include "/etc/vlan500.conf"
> include "/etc/vlan1000.conf"
>
> ##
>
> The above example would not work, as pfctl will look at the rules in
> vlan500.conf before looking at the macros in vlan1000.conf and it will
> throw an error that the $Webserver macro is not defined.
>
> If I change the order of the includes in pf.conf, it will work, but of
> course if I try to use macros from vlan1000.conf for rules in
> vlan500.conf, the problem will arise again.
>
> One way to solve it would be to put all the macros in, say,
> /etc/vlan500-macros.conf and /etc/vlan1000-macros.conf and make sure
> they are included before the rules in pf.conf, but that seems
> inconvenient to me.
>
> What is the common practice for using includes? Is there a way to get
> pfctl to read ALL macros from ALL files before looking at the rules?
>
> I would be happy to hear some suggestions.
>
> Thanks, Peter
>

You could use a Makefile to concatenate a pf.conf from separate files.
This can give more flexibility than provided by "include" :
-

$ cat vlan500

#macroes
DB="192.168.0.10/32"
Webserver="192.168.1.20/32"
#macroes_end

# --- vlan500
block log on vlan500
pass in quick on vlan500 inet proto tcp from $Webserver to $DB port 3306
pass out on vlan500

$ cat vlan1000

#macroes
DB="192.168.0.10/32"
#macroes_end

# --- vlan1000
block log on vlan1000
pass in quick on vlan1000 inet proto tcp from any to $Webserver port 80
pass out on vlan1000

$ cat Makefile

pf.conf: macroes_unique vlan500.conf vlan1000.conf
	cat ${.ALLSRC} > ${.TARGET}

vlan1000.conf:  vlan1000
	sed -e '/#macroes/,/#macroes_end/d' ${.ALLSRC}  > ${.TARGET}

vlan1000.mac: vlan1000
	sed -ne '/#macroes/,/#macroes_end/p' ${.ALLSRC} > ${.TARGET}

vlan500.conf:  vlan500
	sed -e '/#macroes/,/#macroes_end/d' ${.ALLSRC}  > ${.TARGET}

vlan500.mac: vlan500
	sed -ne '/#macroes/,/#macroes_end/p' ${.ALLSRC} > ${.TARGET}

macroes_unique: vlan500.mac vlan1000.mac
	echo "# Macro definitions" >${.TARGET}
	sort -u ${.ALLSRC} | sed -e '/#macroes/d' >> ${.TARGET}

clean:
	rm -f *.conf *.mac macroes_unique


$ make clean
rm -f *.conf *.mac macroes_unique

$ make
sed -ne '/#macroes/,/#macroes_end/p' vlan500 > vlan500.mac
sed -ne '/#macroes/,/#macroes_end/p' vlan1000 > vlan1000.mac
echo "# Macro definitions" >macroes_unique
sort -u vlan500.mac vlan1000.mac | sed -e '/#macroes/d' >> macroes_unique
sed -e '/#macroes/,/#macroes_end/d' vlan500  > vlan500.conf
sed -e '/#macroes/,/#macroes_end/d' vlan1000  > vlan1000.conf
cat macroes_unique vlan500.conf vlan1000.conf > pf.conf

$ cat pf.conf

# Macro definitions
DB="192.168.0.10/32"
Webserver="192.168.1.20/32"

# --- vlan500
block log on vlan500
pass in quick on vlan500 inet proto tcp from $Webserver to $DB port 3306
pass out on vlan500

# --- vlan1000
block log on vlan1000
pass in quick on vlan1000 inet proto tcp from any to $Webserver port 80
pass out on vlan1000

---
So the Makefile collects macroes defined in the vlan500 and vlan1000
files  and after eliminating any duplicates, stuffs them into the
"macroes_unique" file.

The "vlan500" and "vlan1000", after stripping the macroes, become
"vlan500.conf" and "vlan1000.conf".
The  "pf.conf" Makefile target then concatenates the "macroes_unique"
and the vlan*.conf files to the final pf.conf.

BTW http://www.freebsd.org/doc/en_US.ISO8859-1/books/pmake/index.html
has a nice HTML version of the BSD make documentation.

Adriaan
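
An added example, not part of Adriaan's post or of any OpenBSD tool: the same macro-hoisting idea as a POSIX shell script that takes any number of fragment files and refuses to build when a macro is defined with two different values (`sort -u` only drops identical lines, so both definitions would land in pf.conf) or when a rule references a macro that no fragment defines. The function names and the sample fragments are constructed for illustration; the `#macroes` markers and the addresses are the ones used in the thread.

```shell
#!/bin/sh
# Added example: build pf.conf from per-VLAN fragments that keep their macros
# between "#macroes" and "#macroes_end" markers (marker names from the thread).
# All function names and the sample data below are hypothetical/constructed.

# collect_macros FILE...
# Print each macro definition once, in first-seen order. Exit 1 when one
# name is defined with different values in two places.
collect_macros() {
    awk '
        /^#macroes_end/ { inblk = 0; next }   # test the end marker first:
        /^#macroes/     { inblk = 1; next }   # "#macroes" is a prefix of it
        inblk && /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {
            name = $0; sub(/[ \t]*=.*/, "", name)
            if (name in val) {
                if (val[name] != $0) {
                    printf "conflict: %s in %s and %s\n", name, src[name], FILENAME > "/dev/stderr"
                    bad = 1
                }
                next
            }
            val[name] = $0; src[name] = FILENAME; order[++n] = name
        }
        END { if (bad) exit 1; for (i = 1; i <= n; i++) print val[order[i]] }
    ' "$@"
}

# strip_macros FILE: print the fragment without its macro block.
strip_macros() {
    sed -e '/^#macroes/,/^#macroes_end/d' "$1"
}

# undefined_macros MACROFILE RULEFILE...
# Print every $name used in the rules that MACROFILE does not define.
undefined_macros() {
    macros=$1; shift
    awk -v mf="$macros" '
        BEGIN { while ((getline line < mf) > 0) { sub(/[ \t]*=.*/, "", line); def[line] = 1 } }
        /^[ \t]*#/ { next }                   # skip comment lines
        {
            s = $0
            while (match(s, /\$[A-Za-z_][A-Za-z0-9_]*/)) {
                name = substr(s, RSTART + 1, RLENGTH - 1)
                if (!(name in def) && !(name in seen)) { seen[name] = 1; print name }
                s = substr(s, RSTART + RLENGTH)
            }
        }
    ' "$@"
}

# build_pf_conf OUT FILE...
# Returns 0 on success, 1 on conflicting macros, 2 on undefined macros.
# OUT is only written when both checks pass.
build_pf_conf() {
    out=$1; shift
    tmp=$(mktemp -d) || return 1
    if ! collect_macros "$@" > "$tmp/macros"; then rm -rf "$tmp"; return 1; fi
    for f in "$@"; do strip_macros "$f"; done > "$tmp/rules"
    missing=$(undefined_macros "$tmp/macros" "$tmp/rules")
    if [ -n "$missing" ]; then
        echo "undefined macro(s):" $missing >&2
        rm -rf "$tmp"; return 2
    fi
    { echo "# Macro definitions"; cat "$tmp/macros" "$tmp/rules"; } > "$out"
    rm -rf "$tmp"
}

# write_sample_fragments DIR: constructed input using the thread's values,
# with each macro defined only in the file that owns the host.
write_sample_fragments() {
    cat > "$1/vlan500" <<'EOF'
#macroes
DB="192.168.0.10/32"
#macroes_end
block log on vlan500
pass in quick on vlan500 inet proto tcp from $Webserver to $DB port 3306
pass out on vlan500
EOF
    cat > "$1/vlan1000" <<'EOF'
#macroes
Webserver="192.168.1.20/32"
#macroes_end
block log on vlan1000
pass in quick on vlan1000 inet proto tcp from any to $Webserver port 80
pass out on vlan1000
EOF
}
```

On the firewall itself, `pfctl -nf pf.conf` parses the assembled file without loading it, which makes a reasonable last check before `pfctl -f pf.conf`.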



Re: Something similar to Soekris boards, for server applications

2011-11-30 Thread Mehma Sarja
I'm putting a Supermicro Atom D510 in the field as a SSD-based firewall 
and boot server for 158 users. And a Supermicro D525 as a file server 
with a 1 TB drive. Where they are going, they have power issues and 
low-power systems, with a UPS, might just survive. Each is maxed out 
with 4GB RAM. And I am also keeping one application per machine for 
simple maintenance and 'safeguard' performance.


Mehma
===

On 11/30/11 10:12 AM, Bentley, Dain wrote:

I second that. I run an atom 330 with two gigs of RAM and two 500gig drives in
a raid for development server at home is a 1u case. It performs great and its
low power




Re: Something similar to Soekris boards, for server applications

2011-11-30 Thread David Riley
On Nov 30, 2011, at 1:12 PM, Bentley, Dain wrote:

> I second that. I run an atom 330 with two gigs of RAM and two 500gig drives
> in a raid for development server at home is a 1u case. It performs great and
> its low power

My router runs an Atom Mini-ITX board.  Nothing heavy duty, but it's a
dual-core Atom (N550, dual-core 64-bit with Hyperthreading, so OpenBSD sees it
as 4 cores).  Jetway also has a really neat "daughterboard" system which is
basically a small 66 MHz PCI riser card; my router runs on the 3 Intel NIC
daughtercard they have (leaving an extra 2 Realtek ports).

It also has a Mini-PCIe slot, which I fitted with a wireless card (currently
the Centrino Advanced-N 6230, which doesn't work with OpenBSD and I don't have
time to work on the driver ATM).  If you're running a server, you could fit
whatever you wanted in there that goes in a Mini-PCIe slot (crypto card,
etc).

My particular board is the NC9C-550, which I've been happy with (though the
BIOS is really badly done; you have to turn off the energy saving feature in
the BIOS to make it turn on at AC power restoration, which is just stupid).
I've been otherwise quite happy with it.

- Dave



Re: Something similar to Soekris boards, for server applications

2011-11-30 Thread Bentley, Dain
I second that. I run an atom 330 with two gigs of RAM and two 500gig drives in
a raid for development server at home is a 1u case. It performs great and its
low power

Regards,
Dain Bentley

-Original Message-
From: Jason Crawford [ja...@purebsd.net]
Received: Wednesday, 30 Nov 2011, 12:33pm
To: misc@openbsd.org [misc@openbsd.org]
Subject: Re: Something similar to Soekris boards, for server applications

On 11/30/11 11:27, Sime Ramov wrote:
> Hello, I am looking for something in the spirit of Soekris boards, but
> more suited for server applications, e.g. for hosting Django apps.
>
> Current net6501 is maxed out at 2 GB of RAM and 1.6 Ghz *single-core*
> (two threads) atom.
>
> The reason I am considering Soekris is because dedicated servers are
> often underused and idling. Few GB of memory, anemic processor and SSD
> gets one a surprisingly long way, especially with properly chosen stack
> and caching.
>
> So the general idea is: one Django app = one Soekris board. This is much
> better than virtualization (bare metal forever) or putting more apps on
> a big server.
>
> Some apps would run great on this, but a more powerful CPU and more
> memory would be needed for more demanding workloads.
>
> Any recommendations for similar, but a bit more powerful and versatile
> hardware (think one app = one hardware device)? Thanks.
>

Maybe look at this:

http://www.newegg.com/Product/Product.aspx?Item=N82E16816101364

It's cheaper, has twice the RAM, 6 SATA ports, 1.8GHz Atom dual core.
Oh, and rackmount case.

--
Jason



Re: Something similar to Soekris boards, for server applications

2011-11-30 Thread Sime Ramov
Hi,

* Jason Crawford  [2011-11-30 12:27-0500]:
> Maybe look at this:
> http://www.newegg.com/Product/Product.aspx?Item=N82E16816101364

I know about that one, it's not bad but I would like to fit two boards
in 1U. Which is exactly what kerberos.si is doing for Soekris with
their housings.

Supermicro is also having interesting Pentium based offerings.

I am hoping there is something more akin to this[1], but a bit more
powerful than net6501.

[1]: http://kerberos.si/ENG/Soekris19.htm




Re: Something similar to Soekris boards, for server applications

2011-11-30 Thread Sime Ramov
* Christiano F. Haesbaert  [2011-11-30 14:39-0200]:
> You may consider the new AMD E-350, the "fusion" ones, they're very
> low-power and might suit you. They're very, very cheap, I've never
> used them, but sounds a better alternative than the atom.

Fusion stuff is consumer tech. Other than AMD embedded stuff (which
isn't so bad) I am not sure is there a good fit currently for what
I'm after.



Re: how to find dependencies when building a new kernel

2011-11-30 Thread Torsten Valentin
> Would you be able to use TFTP to try booting test kernels off a
> remote machine? 

Nope. I try every attempt with a hardware flash drive which I generate
for that test machine. But I've got to get the kernel basically running
on my test VM, then another not that damn small hardware. Once this is
working, I just need to add one more network driver or so and that
should be it. At least it worked for me in the past.



Re: Something similar to Soekris boards, for server applications

2011-11-30 Thread Jason Crawford
On 11/30/11 11:27, Sime Ramov wrote:
> Hello, I am looking for something in the spirit of Soekris boards, but
> more suited for server applications, e.g. for hosting Django apps.
> 
> Current net6501 is maxed out at 2 GB of RAM and 1.6 Ghz *single-core*
> (two threads) atom.
> 
> The reason I am considering Soekris is because dedicated servers are
> often underused and idling. Few GB of memory, anemic processor and SSD
> gets one a surprisingly long way, especially with properly chosen stack
> and caching.
> 
> So the general idea is: one Django app = one Soekris board. This is much
> better than virtualization (bare metal forever) or putting more apps on
> a big server.
> 
> Some apps would run great on this, but a more powerful CPU and more
> memory would be needed for more demanding workloads.
> 
> Any recommendations for similar, but a bit more powerful and versatile
> hardware (think one app = one hardware device)? Thanks.
> 

Maybe look at this:

http://www.newegg.com/Product/Product.aspx?Item=N82E16816101364

It's cheaper, has twice the RAM, 6 SATA ports, 1.8GHz Atom dual core.
Oh, and rackmount case.

--
Jason



Re: how to find dependencies when building a new kernel

2011-11-30 Thread David Riley
On Nov 30, 2011, at 12:15 PM, Torsten Valentin wrote:

>> dmesg is the lazy way to get this info, the same info is written to
>> /var/log/messages during boot.  Are you saying your system is so
>> stripped down you don't even log anything?
>
> Yep. And because the only persistent memory is Flash (32MB, which
> quickly dies if you permanently write to it), the whole system runs
> inside a RAMDISK only. And there is no terminal or ssh. Modifying the
> system means setting up a new system with modified /sbin/init each time.

Would you be able to use TFTP to try booting test kernels off a remote
machine?  That's how I tend to do it when I'm trying not to write to flash on
my routers while I'm building test kernels.  You only have to change flags in
the bootloader (of course, I have no idea how feasible that is for you,
either; when you say there's no terminal, I assume you probably can't do that
except through /etc/boot.conf).


- Dave



Re: how to find dependencies when building a new kernel

2011-11-30 Thread Torsten Valentin
> dmesg is the lazy way to get this info, the same info is written to
> /var/log/messages during boot.  Are you saying your system is so
> stripped down you don't even log anything?

Yep. And because the only persistent memory is Flash (32MB, which
quickly dies if you permanently write to it), the whole system runs
inside a RAMDISK only. And there is no terminal or ssh. Modifying the
system means setting up a new system with modified /sbin/init each time.

Hard to believe, I know, but what people do with OpenBSD is sometimes
quite different from what you know from "usual systems". I said it's
embedded stuff. I said hardware cannot be changed. I said I cannot
easily provide this info. There certainly is a way, but it's not worth
the effort.

I can provide a dmesg from a virtual machine that we use for testing
purposes, but obviously that's not the same as the system that the
kernel is going to be running on later in production environment. But,
hey, yet, I haven't been able to compile the kernel on this testing
machine, either. I explain this so elaborately because I know I'd
otherwise get replies like: "What did you tell us about having little
memory and such, this is a usual virtual machine and therefore you've got
no need to use a custom kernel..." ;-) You know what I mean... My goal
is to have kernel config files that will do on both, the virtual machine
for testing and the production environment. Being able to compile a
custom kernel on this VM would be a good first step. From there on I
could add the drivers I need on the production machine and that way get
closer to a final solution...

I'm very curious how dmesg will help...

OpenBSD 5.0 (GENERIC) #43: Wed Aug 17 10:10:52 MDT 2011
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz ("GenuineIntel"
686-class) 3 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,SSE3,SSSE3,CX16,SSE4.1
real mem  = 267907072 (255MB)
avail mem = 253472768 (241MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 09/22/09, BIOS32 rev. 0 @ 0xfd780,
SMBIOS rev. 2.4 @ 0xe0010 (98 entries)
bios0: vendor Phoenix Technologies LTD version "6.00" date 09/22/2009
bios0: VMware, Inc. VMware Virtual Platform
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP BOOT APIC MCFG SRAT
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: ap

Re: softraid(4): how to reassemble a volume

2011-11-30 Thread Mattieu Baptiste
On Wed, Nov 30, 2011 at 5:16 PM, Joel Sing  wrote:
> On Wednesday 30 November 2011, Mattieu Baptiste wrote:
>> Hi all,
>>
>> I'm trying to reassemble a softraid(4) volume, created with the 'force'
>> flag. When I'm trying:
>> # bioctl -C force -c C -l /dev/sd1a softraid0
>> softraid0: chunk sd1a already in use
>> bioctl: ioctl: Invalid argument
>>
>> According to the manpage, '-c' flag only seems to create the volume,
>> and not simply assemble it. I don't see anything else to reassemble a
>> volume. What's the correct way, if any ? Is it supported ?
>
> The -c flag creates a volume - if these chunks have no metadata then it
> will create new metadata, otherwise it will reassemble the volume from the
> existing metadata.

Thanks for the explanation Joel.
My crypto volume was created with 'noauto' (not 'force'). I was trying
to reassemble with 'force' which effectively reinitialises metadata.
Now everything is ok.


-- 
Mattieu Baptiste
"/earth is 102% full ... please delete anyone you can."



Re: Natural Link Building Experts..

2011-11-30 Thread Sonia Mehra
Hi, 

Hope you are doing well.

I haven't heard back from you, just wondering if you are interested in any
of our services.

We do theme based link building which has a direct impact not only on the
page rank of your client but on the rankings as well.

Also, we have a unique quality control protocol implemented wherein all the
links are quality checked thrice before sending it to the client.

If you are interested, then let me know; I would be happy to send you price
etc.

We can also offer you Flexible Payment Option.

Kind Regards,

Sonia Mehra

From: Sonia Mehra [mailto:soniamehra...@gmail.com]
Sent: Tuesday, November 29, 2011 10:00 PM
To: 'misc@openbsd.org'
Subject: Natural Link Building Experts..

Dear Site Owner,

Link Building is done for:

1. Improving Page Rank.
2. Improving the Rankings in search engines.
3. To increase targeted Traffic to the Site.

However All these benefits lead to one goal: ''Increase in Sale''

Link Building is one of the most significant aspects of the off page
optimization process and is a major determinant of the popularity of your
site.

For search engines, back links or links pointing to your website indicate
that you are 'hot' in the online marketplace.

Why choose us: Because all our links would be -

1. Theme based relevant links
2. Manually built
3. Only from quality sites
4. Permanent links
5. Search Engine friendly
6. Full report of the exact placement for verification

We have a track record of building more than 1, 80,000 links in the year
2010-2011 and have successfully completed more than 300 campaigns all one
way.

Contact us today to know more about our natural link building services with
more detail.

Kind regards

Sonia Mehra

Online Marketing Consultant

Note:  This email is not spam, it was manually sent by us, our sole purpose
being to introduce ourselves to you with no obligation on your part. Your
email address was found to be publicly available on your website and it has
not been added to any list. We consider this to be a polite way to contact
you and apologize sincerely if you have been inconvenienced in any way. We
are obliged to offer you an 'OPT-OUT' from future mailings from us; should
you wish to exercise this right, please reply with "OPT-OUT" in the subject
field.



Re: Something similar to Soekris boards, for server applications

2011-11-30 Thread Christiano F. Haesbaert
On 30 November 2011 14:27, Sime Ramov  wrote:
> Hello, I am looking for something in the spirit of Soekris boards, but
> more suited for server applications, e.g. for hosting Django apps.
>
> Current net6501 is maxed out at 2 GB of RAM and 1.6 Ghz *single-core*
> (two threads) atom.
>
> The reason I am considering Soekris is because dedicated servers are
> often underused and idling. Few GB of memory, anemic processor and SSD
> gets one a surprisingly long way, especially with properly chosen stack
> and caching.
>
> So the general idea is: one Django app = one Soekris board. This is much
> better than virtualization (bare metal forever) or putting more apps on
> a big server.
>
> Some apps would run great on this, but a more powerful CPU and more
> memory would be needed for more demanding workloads.
>
> Any recommendations for similar, but a bit more powerful and versatile
> hardware (think one app = one hardware device)? Thanks.
>
>

You may consider the new AMD E-350, the "fusion" ones, they're very
low-power and might suit you.
They're very, very cheap, I've never used them, but sounds a better
alternative than the atom.



Something similar to Soekris boards, for server applications

2011-11-30 Thread Sime Ramov
Hello, I am looking for something in the spirit of Soekris boards, but
more suited for server applications, e.g. for hosting Django apps.

Current net6501 is maxed out at 2 GB of RAM and 1.6 Ghz *single-core*
(two threads) atom.

The reason I am considering Soekris is because dedicated servers are
often underused and idling. Few GB of memory, anemic processor and SSD
gets one a surprisingly long way, especially with properly chosen stack
and caching.

So the general idea is: one Django app = one Soekris board. This is much
better than virtualization (bare metal forever) or putting more apps on
a big server.

Some apps would run great on this, but a more powerful CPU and more
memory would be needed for more demanding workloads.

Any recommendations for similar, but a bit more powerful and versatile
hardware (think one app = one hardware device)? Thanks.



Re: softraid(4): how to reassemble a volume

2011-11-30 Thread Joel Sing
On Wednesday 30 November 2011, Mattieu Baptiste wrote:
> Hi all,
>
> I'm trying to reassemble a softraid(4) volume, created with the 'force'
> flag. When I'm trying:
> # bioctl -C force -c C -l /dev/sd1a softraid0
> softraid0: chunk sd1a already in use
> bioctl: ioctl: Invalid argument
>
> According to the manpage, '-c' flag only seems to create the volume,
> and not simply assemble it. I don't see anything else to reassemble a
> volume. What's the correct way, if any ? Is it supported ?

The -c flag creates a volume - if these chunks have no metadata then it
will create new metadata, otherwise it will reassemble the volume from the 
existing metadata.

DO NOT use -C force unless you want to completely reinitialise the metadata 
for the volume - in the case of a crypto volume you will generate new 
metadata with new disk keys, rendering your existing data unreadable.

The error message you are getting is telling you that sd1a is already in use - 
bioctl softraid0 will probably tell you where it is being used (your volume 
is either already assembled, or it is part of another volume).
-- 

"Reason is not automatic. Those who deny it cannot be conquered by it.
 Do not count on them. Leave them alone." -- Ayn Rand



Re: usb device causes system crash (ucomstart: null oxfer)

2011-11-30 Thread Amit Kulkarni
> panic message:
>
> uvm_fault(0xd0a2c8c0, 0x1000, 0, 1) -> e
> kernel: page fault trap, code=0
> Stopped at  usb_allocmem+0x14f: cmpl%ebx,0(%eax)

I also have a similar panic message. My solution is to disable ehci
from my GENERIC. stupid but it works on this NVIDIA USB controller.
jakemsr@ knows about this problem.


> On Tuesday, November 29, 2011 7:14 PM, "Byron Klippert"
>  wrote:
>> I managed to capture trace and ps output from ddb>
>>
>> Is this a worthy cause to investigate further or should I take the
>> advice of others and move on to real(tm) hardware. It would be a shame
>> given the distasteful argument "well it works fine under "
>>
>> ddb> trace
>> usb_allocmem(d800,2,0,d101c740,d101c700) at usb_allocmem+0x14f
>> ehci_allocm(d800,d101c740,2,d079d66e,101c754) at ehci_allocm+0x27
>> usbd_transfer(d101c700,d1109900,0,1388,d75b3d74) at usbd_transfer+0xbb
>> usbd_do_request_flags_pipe(d1109900,d1109880,d75b3d74,d75b3dce,4) at
>> usbd_do_request_flags_pipe+0xbb
>> usbd_do_request_flags(d1109900,d75b3d74,d75b3dce,4,d75b3d7c) at
>> usbd_do_request_flags+0x3c
>> usbd_get_string_desc(d1109900,1,1,d75b3dce,d75b3ecc) at
>> usbd_get_string_desc+0x5e
>> usbd_get_string(d1109900,1,d3487487,7f,d0ae9220) at usbd_get_string+0x74
>> usbd_devinfo_vp(d1109900,d3487487,7f,d3487408,7f) at
>> usbd_devinfo_vp+0x165
>> usbd_fill_deviceinfo(d1109900,d3487400,1,1,0) at
>> usbd_fill_deviceinfo+0x53
>> usbd_fill_di_task(d3487400,20,d098f0af,0,d54f362c) at
>> usbd_fill_di_task+0x43
>> usb_task_thread(d54f362c) at usb_task_thread+0xb1
>> Bad frame pointer: 0xd0ba0e48
>>
>> ddb> ps
>>PID   PPID   PGRPUID  S   FLAGS  WAIT  COMMAND
>>  11732   5036  11732  0  3  0x4000  endtask   usbdevs
>>  18220  17676  18220   1000  3  0x4080  kqreadtmux
>>  17676  13203  17676   1000  3  0x4080  pause ksh
>>  13203  24243  24243   1000  3   0x180  selectsshd
>>  24243   7551  24243  0  3  0x4180  netio sshd
>>  30142  13825  18365   1000  3  0x4080  ttyin more
>>  13825  18365  18365   1000  3  0x4080  pause sh
>>  18365  28650  18365   1000  3  0x4080  wait  man
>>  28650  29160  28650   1000  3  0x4080  pause ksh
>>  24368  29160  24368   1000  3  0x4080  ttyin ksh
>>  11053  19990  11053  0  3  0x4080  ttyin vi
>>  19990  29160  19990   1000  3  0x4080  pause ksh
>>  16050  14405  14405 67  3   0x180  netconhttpd
>>  21227  29160  21227   1000  3  0x4080  ttyin ksh
>>   5036  29160   5036   1000  3  0x4080  pause ksh
>>  29160  1  29160   1000  2   0tmux
>>  30544  14405  14405 67  3   0x180  netconhttpd
>>   1510  14405  14405 67  3   0x180  netconhttpd
>>  16181  14405  14405 67  3   0x180  netconhttpd
>>  15339  1  15339  0  3  0x4080  ttyin getty
>>   8516  14405  14405 67  3   0x180  netconhttpd
>>276  14405  14405 67  3   0x180  netconhttpd
>>   9801  14405  14405 67  3   0x180  netconhttpd
>>  22942  1  22942  0  30x80  selectcron
>>  29745  1  29745  0  3   0x180  selectinetd
>>  14405  1  14405  0  30x80  selecthttpd
>>761  1761  0  3 0x40180  selectsendmail
>>   7551  1   7551  0  30x80  selectsshd
>>   6224  1   6224  0  30x80  poll  ntpd
>>  15671  25737  15671 83  3   0x180  poll  ntpd
>>  25737  1  25737 83  3   0x180  poll  ntpd
>>   1898  14567  14567 74  3   0x180  bpf   pflogd
>>  14567  1  14567  0  30x80  netio pflogd
>>  24868500500 73  2   0x180syslogd
>>500  1500  0  30x88  netio syslogd
>>  31551  1  31551 77  3   0x180  poll  dhclient
>>  13676  1  25110  0  30x80  poll  dhclient
>>  13732  1  13732  0  30x80  mfsidlmount_mfs
>>   5311  1   5311  0  30x80  mfsidlmount_mfs
>>  16196  1  16196  0  30x80  mfsidlmount_mfs
>> 13  0  0  0  30x100200  aiodoned  aiodoned
>> 12  0  0  0  30x100200  syncerupdate
>> 11  0  0  0  30x100200  cleaner   cleaner
>> 10  0  0  0  30x100200  reaperreaper
>>  9  0  0  0  30x100200  pgdaemon  pagedaemon
>>  8  0  0  0  30x100200  bored crypto
>>  7  0  0  0  30x100200  pftm  pfpurge
>> *6  0  0  0  70x100200usbtask
>>  5  0  0  0  30x100200  usbatsk   usbatsk
>>  4 

Re: pf and includes

2011-11-30 Thread Guido Tschakert
On 30.11.2011 09:22, Peter Hallin wrote:
> Hello,
> 
> I have some issues with pf.conf and includes that perhaps someone could
> shed some light on.
> 
> Where I work, we use bridging firewalls with multiple tagged vlans 
> passing the bridges, and filtering is done on the vlan interfaces. 
> Normally we have around 10-20 vlans on each machine, and we have a LOT 
> of rules in pf.conf. To make configuration a little easier I'm beginning
> to look at how to separate the vlans into multiple configs, one for each
> vlan, and then include them all from pf.conf.
> 
> I would want to have all macros, options and rules for each vlan in a
> separate file, but also I would like to use macros from one config in
> rules in another file. To clarify what I'm getting at, here's an
> example:
> 
> ##
> 
> /etc/vlan500.conf:
> 
> DB="192.168.0.10/32"
> 
> block log on vlan500
> pass in quick on vlan500 from $Webserver to $DB port 3306
> pass out on vlan500
> 
> ##
> 
> /etc/vlan1000.conf:
> 
> Webserver="192.168.1.20/32"
> 
> block log on vlan1000
> pass in quick on vlan1000 from any to $Webserver port 80
> pass out on vlan1000
> 
> ##
> 
> /etc/pf.conf
> 
> include "/etc/vlan500.conf"
> include "/etc/vlan1000.conf"
> 
> ##
> 
> The above example would not work, as pfctl will look at the rules in
> vlan500.conf before looking at the macros in vlan1000.conf and it will 
> throw an error that the $Webserver macro is not defined.
> 
> If I change the order of the includes in pf.conf, it will work, but of 
> course if I try to use macros from vlan1000.conf for rules in
> vlan500.conf, the problem will arise again.
> 
> One way to solve it would be to put all the macros in, say,
> /etc/vlan500-macros.conf and /etc/vlan1000-macros.conf and make sure
> they are included before the rules in pf.conf, but that seems
> inconvenient to me.
> 
> What is the common practice for using includes? Is there a way to get 
> pfctl to read ALL macros from ALL files before looking at the rules?
> 
> I would be happy to hear some suggestions.
> 
> Thanks, Peter
> 

How about a definition.conf with all your (Name,IP-Address)-Pairs which
is included first in your pf.conf, so your vlan.confs only include
the rules but no definitions.

guido
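
The ordering problem Peter describes and the layout Guido suggests can be checked before a ruleset is loaded. The following Python sketch is an added example, not code from the thread: it walks the files in include order, as the in-order parsing described in the post implies, and reports every macro used before its definition. The function name, the path /etc/definition.conf and the file contents (constructed from the example in the post) are assumptions.

```python
import re

# pf.conf(5): macros are not expanded inside quotes, so quoted strings are
# blanked before looking for $name uses.
INCLUDE_RE = re.compile(r'^\s*include\s+"([^"]+)"')
QUOTED_RE = re.compile(r'"[^"]*"')
MACRO_DEF_RE = re.compile(r'^\s*([A-Za-z0-9_]+)\s*=')
MACRO_USE_RE = re.compile(r'\$([A-Za-z0-9_]+)')


def undefined_uses(files, entry="/etc/pf.conf"):
    """Return (file, line, macro) for each macro used before it is defined.

    `files` maps path -> contents; includes are followed at the point where
    they appear. Backslash line continuations are not handled (limitation).
    """
    defined = set()
    problems = []

    def walk(path, stack):
        if path in stack:
            raise ValueError("include loop: " + " -> ".join(stack + (path,)))
        if path not in files:
            raise ValueError("included file not found: " + path)
        for lineno, line in enumerate(files[path].splitlines(), 1):
            inc = INCLUDE_RE.match(line)
            if inc:
                walk(inc.group(1), stack + (path,))
                continue
            # Blank quoted strings, then drop the trailing comment.
            code = QUOTED_RE.sub('""', line).split("#", 1)[0]
            # Uses are checked first, so `a = $a` is reported as well.
            for name in MACRO_USE_RE.findall(code):
                if name not in defined:
                    problems.append((path, lineno, name))
            definition = MACRO_DEF_RE.match(code)
            if definition:
                defined.add(definition.group(1))

    walk(entry, ())
    return problems


# Constructed sample input, based on the files quoted in the post.
VLAN500_RULES = (
    "block log on vlan500\n"
    "pass in quick on vlan500 from $Webserver to $DB port 3306\n"
    "pass out on vlan500\n"
)
VLAN1000_RULES = (
    "block log on vlan1000\n"
    "pass in quick on vlan1000 from any to $Webserver port 80\n"
    "pass out on vlan1000\n"
)

# Layout as posted: each vlan file carries its own macros.
AS_POSTED = {
    "/etc/pf.conf": 'include "/etc/vlan500.conf"\n'
                    'include "/etc/vlan1000.conf"\n',
    "/etc/vlan500.conf": 'DB="192.168.0.10/32"\n' + VLAN500_RULES,
    "/etc/vlan1000.conf": 'Webserver="192.168.1.20/32"\n' + VLAN1000_RULES,
}

# Layout from the reply: all definitions in one file that is included first.
DEFINITIONS_FIRST = {
    "/etc/pf.conf": 'include "/etc/definition.conf"\n'
                    'include "/etc/vlan500.conf"\n'
                    'include "/etc/vlan1000.conf"\n',
    "/etc/definition.conf": 'DB="192.168.0.10/32"\n'
                            'Webserver="192.168.1.20/32"\n',
    "/etc/vlan500.conf": VLAN500_RULES,
    "/etc/vlan1000.conf": VLAN1000_RULES,
}

if __name__ == "__main__":
    for label, layout in (("as posted", AS_POSTED),
                          ("definitions first", DEFINITIONS_FIRST)):
        print(label, undefined_uses(layout))
```
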



Re: problem making IPv6 address from rtadvd prefix

2011-11-30 Thread Christian Weisgerber
Douglas Maus  wrote:

> Also, is having the rtsold daemon running all the time required?

No.

> If you have hostname.if with rtsol to set the route at boot,
> do you have to run rtsold?

No.

IPv6 routers regularly broadcast advertisements.  If you have
net.inet6.ip6.accept_rtadv set to 1, these advertisements will be
automatically processed by the kernel.  You only need to run rtsol
to request a router advertisement right now, so you won't have to
wait ten minutes.  In other words, running rtsol once at startup
(from hostname.if) is enough.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: how to find dependencies when building a new kernel

2011-11-30 Thread Diana Eichert

On Wed, 30 Nov 2011, T. Valent wrote:

SNIP

dmesg output of any of these devices would be possible, but like I said
it's a very stripped down environment. dmesg is not part of it. I'd have
to set up an old system with dmesg on it, then export the output, just to



dmesg is the lazy way to get this info, the same info is written to
/var/log/messages during boot.  Are you saying your system is so
stripped down you don't even log anything?

diana

Past hissy-fits are not a predictor of future hissy-fits.
Nick Holland(06 Dec 2005)



Re: [5.0] pkg_add too many FTP connections

2011-11-30 Thread Brett
On Wed, 30 Nov 2011 11:37:18 +0100
Patrick Lamaiziere  wrote:

> Hello,
> 
> I'm trying to update packages with pkg_add via ftp :
> 
> # pkg_add -ui  
> Error from
> ftp://ftp.irisa.fr/pub/OpenBSD/5.0/packages/amd64/gperf-3.0.4.tgz 421
> There are too many connections from your internet address. ftp: Can't
> connect or login to host `ftp.irisa.fr'
> Error from
> ftp://ftp.irisa.fr/pub/OpenBSD/5.0/packages/amd64/gtar-1.26p0.tgz 421
> There are too many connections from your internet address. ftp: Can't
> connect or login to host `ftp.irisa.fr'
> ...
> 
> Is there a way to limit the number of FTP connections for pkg_add?
> 
> Thanks, regards.
> 

Maybe try a different mirror. I get messages like that when I download
from ftp://mirror.internode.on.net/pub/OpenBSD/ , but not when I switch
to the other ftp sites.



protecting NFS on IPsec gateway

2011-11-30 Thread Christopher Zimmermann
Hi!

I want to secure my wlan using IPsec. The simplified setup looks like this:

172.26.153.0/24 .1 public ip
  (wlan clients) --- athn0[OpenBSD gateway]pppoe0 -- ((internet))
IPsec

This works fine so far. But now I want to secure my OpenBSD gateway
which also runs NFS. How can I block NFS packets on the encrypted link
while still allowing ssh, ftp and the like on the encrypted link?
On enc0 I can see only ipencap packets which cannot be filtered by pf.


Christopher



Re: [5.0] pkg_add too many FTP connections

2011-11-30 Thread Patrick Lamaiziere
On Wed, 30 Nov 2011 12:35:40 +0100,
Marc Espie wrote:

> Fix your proxy/connection. pkg_add keeps one ftp connection alive,
> not more, but it does interrupt connections brutally as soon as it
> has the information it wants.
> 
> All such problems come from stale ftp connections, there's something
> flaky in your network setup that means ftp.irisa.fr does not see the
> severed connections.

Thanks Marc, 

Could it be that this ftp server (irisa) is near from here (1Gbit) and
doesn't have the time to see that the connection was dropped?

I don't have any problem with other mirror (ex ftp://fr.openbsd.org)

Thanks, regards.



Re: [5.0] pkg_add too many FTP connections

2011-11-30 Thread Marc Espie
On Wed, Nov 30, 2011 at 06:18:54AM -0600, Chris Bennett wrote:
> I found two different problems that seemed to be cured in two different ways.
> Your network may be the problem. I have access to two different wifi sources.
> They are both different connections completely and at the same location.
> Changing to the other one cures the problem.
> 
> I also found that changing from ftp sources to http sources seems to help a 
> lot.
> 

Of course it does, http is a much simpler protocol than ftp, proxy-wise.
- one simple connection
- no funky behavior based on telnet urgent stuff to interrupt connections.

Those two details are very often handled WRONG by various servers, client
and proxy.



Re: [5.0] pkg_add too many FTP connections

2011-11-30 Thread Chris Bennett
I found two different problems that seemed to be cured in two different ways.
Your network may be the problem. I have access to two different wifi sources.
They are both different connections completely and at the same location.
Changing to the other one cures the problem.

I also found that changing from ftp sources to http sources seems to help a lot.



On Wed, Nov 30, 2011 at 11:37:18AM +0100, Patrick Lamaiziere wrote:
> Hello,
> 
> I'm trying to update packages with pkg_add via ftp :
> 
> # pkg_add -ui  
> Error from
> ftp://ftp.irisa.fr/pub/OpenBSD/5.0/packages/amd64/gperf-3.0.4.tgz 421
> There are too many connections from your internet address. ftp: Can't
> connect or login to host `ftp.irisa.fr'
> Error from
> ftp://ftp.irisa.fr/pub/OpenBSD/5.0/packages/amd64/gtar-1.26p0.tgz 421
> There are too many connections from your internet address. ftp: Can't
> connect or login to host `ftp.irisa.fr'
> ...
> 
> Is there a way to limit the number of FTP connections for pkg_add?
> 
> Thanks, regards.



ssh vpn

2011-11-30 Thread Manuel Giraud
Hi,

I've set up an openssh based vpn as described in ssh(1). Now, I want to
send all my traffic through this pipe. So I've put the following nat
rules on both ends of the pipe:
match out on em0 from tun0:network nat-to (em0)

and modified the client route table like this:
route add  
route change default 10.1.1.1 # <--- IP on tun0

It works as needed but now I need to access a service (e.g. a www
server) on  and the www port is filtered by . How
can I do this? (I've tried some rdr-to and route-to rules on specific
port without success).
-- 
Manuel Giraud



Re: [5.0] pkg_add too many FTP connections

2011-11-30 Thread Marc Espie
On Wed, Nov 30, 2011 at 11:37:18AM +0100, Patrick Lamaiziere wrote:
> Hello,
> 
> I'm trying to update packages with pkg_add via ftp :
> 
> # pkg_add -ui  
> Error from
> ftp://ftp.irisa.fr/pub/OpenBSD/5.0/packages/amd64/gperf-3.0.4.tgz 421
> There are too many connections from your internet address. ftp: Can't
> connect or login to host `ftp.irisa.fr'
> Error from
> ftp://ftp.irisa.fr/pub/OpenBSD/5.0/packages/amd64/gtar-1.26p0.tgz 421
> There are too many connections from your internet address. ftp: Can't
> connect or login to host `ftp.irisa.fr'
> ...
> 
> Is there a way to limit the number of FTP connections for pkg_add?

Fix your proxy/connection. pkg_add keeps one ftp connection alive, not more,
but it does interrupt connections brutally as soon as it has the information
it wants.

All such problems come from stale ftp connections, there's something flaky
in your network setup that means ftp.irisa.fr does not see the severed
connections.



Re: [5.0] pkg_add too many FTP connections

2011-11-30 Thread Marc Espie
On Wed, Nov 30, 2011 at 12:04:10PM +0100, Dmitrij Czarkoff wrote:
> On Wed, Nov 30, 2011 at 11:37 AM, Patrick Lamaiziere
>  wrote:
> > Is there a way to limit the number of FTP connections for pkg_add?
> 
> The number of FTP connections corresponds to the number of packages.
> Your mirror just doesn't allow enough connections to update all of
> them, or You've tried too many times.

Nope, probably all wrong.



Re: how to find dependencies when building a new kernel

2011-11-30 Thread T. Valent
Thanks to everybody. I'll dig deeper into the config files soon. For now
I think we've got it discussed as much as is possible in a ML.



Re: problem making IPv6 address from rtadvd prefix

2011-11-30 Thread Raimo Niskanen
On Tue, Nov 29, 2011 at 07:59:41PM -0500, Douglas Maus wrote:
> Followup:
> (sorry for unconventional thread posting and the delay -
> learning OpenBSD is my very late night hobby
> so I'm not subscribed to the misc list)
> 
> 3 persons posted with suggestions (mherrb, stu, and raimo)
> 
> mherrb wrote:
> >A few stuff to check:
> >
> >- you say you modified sysctl.conf, but did you execute the sysctl
> >command or rebooted to have those changes taken into account ?
> 
> 
> I rebooted, then checked by running 'sysctl net.inet6' to confirm changes
> so, not that.
> 
> 
> 
> 
> >- what does the 'rtsol -d' command report when executed ? (it will
> >manually trigger a router solicitation)
> 
> and raimo also suggested:
> >Try (see rtsold(8)):
> ># pkill -USR1 rtsold
> ># cat /var/run/rtsold.dump
> \
> >  Interface re0
> >probe interval: infinity
> >no probe timer
> >interface status: active
> >other config: off
> >rtsold status: IDLE
> >carrier detection: available
> >probes: 0, dadcount = 0
> >no timer
> >number of valid RAs: 11940
> 
> 
> here's my rtsol
> $ sudo rtsol -d re0
> checking if re0 is ready...
> re0 is ready
> send RS on re0, whose state is 2
> received RA from fe80::00a1:b1ff:fea1:b1e1 on re0, state is 2
> stop timer for re0
> there is no timer
> 
> and here is my rtsold.dump
> Interface re0
>   probe interval: infinity
>   no probe timer
>   interface status: active
>   other config: on
>   rtsold status: IDLE
>   carrier detection: available
>   probes: 0, dadcount = 0
>   no timer
>   number of valid RAs: 2
> 
> It seems to see the RA
> however, this doesn't say anything about processing the prefix.
> Is there any toggle/flag to get it to output debug info about the prefix?
> 
> And what is this 'other config'? I've googled it, and can't find enough
> to educate myself.

I do not know what is causing your symptoms, but have not run out of
hints completely yet (but almost).

rtsold takes -f and -D flags that might be useful.

Maybe a ktrace of rtsold could give more info.

'other config' is actually mentioned in the man page for rtsold.

Just a guess, if your Apple router perhaps uses this
"Other Configuration" flag and you have not supplied an
-O switch to rtsold maybe it gets confused and does not
complete its tasks (setting the IPv6 address).

Note that your routing table in a previous mail had got
your expected prefix to the right link, probably the work
of rtsold...


> 
> Also, is having the rtsold daemon running all the time required?
> If you have hostname.if with rtsol to set the route at boot,
> do you have to run rtsold?
> I guess that would be useful on large dynamic networks, but
> simple home networks, would the absence of rtsold be a problem?
> I was not aware of that from reading the man pages for hostname.if
> and rtsol(d).

Again, guessing, but... the fact that router advertisements have a lifetime
timeout value suggests it might have to be re-run (or preferably
run in the background) during the host's uptime.

> 
> 
> 
> 
> 
> mherrb further suggested:
> >But you may have a crappy ethernet switch or hub in the path that
> >blocks or damages multicast frames. I've had such a device in the
> >past. Replacing it by a little more expensive switch fixed my v6 SLAAC
> >issues.
> 
> A) The switch is an HP Procurve 1410-16G (not inexpensive)
> B) The MacOSX machines in my network are not having a problem
> configuring with the proper prefix, so I don't think it is the switch
> 
> 
> 
> 
> stu wrote:
> >no dmesg.
> 
> okay - sorry - I've put it at the bottom of this post
> (always seems to me like a waste of electrons)
> 
> 
> >I suspect some re(4) don't do multicast correctly. does it start
> >working if you leave tcpdump running on the interface?
> 
> When I let tcpdump run for a couple minutes before to snag the route
> solicitation and advertisement - no help.
> How long of a time are you suggesting?
> 
> 
> >for your obfuscated MAC addresses, did you just change them in the
> >email or did you set them on the nic with ifconfig lladdr?
> 
> no, I did not set them with ifconfig
> I just fudged them in the email to hide my MAC
> (don't most people do that - make up DEAD:BEEF:CAFE:BABE etc?)
> 
> 
> 
> 
> So, still no luck.
> I also tried setting IPv4 to do dhcp in hostname.re0 instead of the
> fixed address like in my original email, and rebooted several times,
> but still no help.
> 
> Other thoughts?
> 
> thank you for your offers of help and advice
> 
> 
> 
> 
> 
> dmesg:
> OpenBSD 5.0 (GENERIC.MP) #59: Wed Aug 17 10:19:44 MDT 2011
> dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
> cpu0: Intel(R) Atom(TM) CPU 330 @ 1.60GHz ("GenuineIntel" 686-class) 1.61 GHz
> cpu0:
> FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,A
> CPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,TM2,SSSE3,CX16,xTPR,PDC
> M,MOVBE
> real mem  = 2138238976 (2039MB)
> avail mem = 2093182976 (1996MB)
> mainbus0 at root
> bios0 a

Re: [5.0] pkg_add too many FTP connections

2011-11-30 Thread Dmitrij Czarkoff
On Wed, Nov 30, 2011 at 11:37 AM, Patrick Lamaiziere
 wrote:
> Is there a way to limit the number of FTP connections for pkg_add?

The number of FTP connections corresponds to the number of packages.
Your mirror just doesn't allow enough connections to update all of
them, or You've tried too many times.

-- 
Dmitrij D. Czarkoff



[5.0] pkg_add too many FTP connections

2011-11-30 Thread Patrick Lamaiziere
Hello,

I'm trying to update packages with pkg_add via ftp :

# pkg_add -ui  
Error from
ftp://ftp.irisa.fr/pub/OpenBSD/5.0/packages/amd64/gperf-3.0.4.tgz 421
There are too many connections from your internet address. ftp: Can't
connect or login to host `ftp.irisa.fr'
Error from
ftp://ftp.irisa.fr/pub/OpenBSD/5.0/packages/amd64/gtar-1.26p0.tgz 421
There are too many connections from your internet address. ftp: Can't
connect or login to host `ftp.irisa.fr'
...

Is there a way to limit the number of FTP connections for pkg_add?

Thanks, regards.



Re: how to find dependencies when building a new kernel

2011-11-30 Thread T. Valent
Stuart,

I really don't want to be misunderstood: I really appreciate the help
that's being offered from various users of this ML.

However, the following is somewhat off topic as it does not contribute
to the thread itself.


>> Because of the permanent repeating of "USE THE GENERIC KERNEL"
> not worth wasting other people's time
> on solving if you aren't prepared to do it yourself.

I'm not with you here. I'm really doing my best to try and learn how to
solve my problems myself. I'm just asking for help and explanations to
things that I don't understand. As far as I understand, that's what MLs
are about.


> Alternatively: here's a nickel, get a flashcard from sometime later
> than 2005...

I really understand that a lot of people are asking stupid questions in
MLs and I'm pretty sure I've done so myself quite often. I take this as
an explanation why you keep telling me things of which you probably are
sure will solve what you have understood to be my problem. But what
really annoys me here is that I'm not taken seriously when I say "this
isn't an option". Why don't you just believe my words instead of
permanently speaking about things that I explicitly said are impossible?
Did you read my mail in which I said that the hardware cannot be
changed? A new flashcard would be a change in hardware. I think you know
that. You just don't take my words seriously and keep talking about
things that I already said are not possible in this project. Why discuss
this? From my point of view it's not me wasting your time, but it's you
wasting your time, because you don't really care about what I said.

The overall project is about updating multiple systems that are in
production. By _just_ using just a software update. Changes in hardware
are not an option.

dmesg output of any of these devices would be possible, but like I said
it's a very stripped down environment. dmesg is not part of it. I'd have
to set up an old system with dmesg on it, then export the output, just to
convince you of what I've done in the past. Then, after I've proven my
point with this dmesg output, we'd be no step further, because like I
said often enough now, I'm not interested in a hint like "add this line
to your config", but I want to learn about what steps to do, next time I
run into the same problem (which I probably will with the next OpenBSD
release that I want to migrate the systems to).

If you can help me by explaining where to look and what to read to learn
how to build the smallest custom kernels possible, I'd be happy. If not,
well, without any sarcasm: please don't waste your valuable time with
this thread.

T.



softraid(4): how to reassemble a volume

2011-11-30 Thread Mattieu Baptiste
Hi all,

I'm trying to reassemble a softraid(4) volume, created with the 'force' flag.
When I'm trying:
# bioctl -C force -c C -l /dev/sd1a softraid0
softraid0: chunk sd1a already in use
bioctl: ioctl: Invalid argument

According to the manpage, '-c' flag only seems to create the volume,
and not simply assemble it. I don't see anything else to reassemble a
volume. What's the correct way, if any? Is it supported?

-- 
Mattieu Baptiste
"/earth is 102% full ... please delete anyone you can."



Re: pf and includes

2011-11-30 Thread quartz
> One way to solve it would be to put all the macros in, say,
> /etc/vlan500-macros.conf and /etc/vlan1000-macros.conf and make sure
> they are included before the rules in pf.conf, but that seems
> inconvenient to me.

that might be your best option. you can use something like pfctl to parse
rules without loading them, but I don't think the reverse is possible.

you're probably not this lucky, but assuming all your macros are just
name/ip pairs like in the example, you might be able to get away with
storing them all in /etc/hosts or setting up a dns forwarder.



Re: usb device causes system crash (ucomstart: null oxfer)

2011-11-30 Thread Daniel Gracia
At the very least you're seeing some errors. In my case, the USB/serial 
adapters -uticom, uftdi and uplcom- would fail without notice. Ports 
would open, but with no TX/RX. Detaching/reattaching won't bring them 
back to life; only rebooting.


If your project has a deadline, search for a PCI/ePCI serial board and enjoy!

I have around some of those untrustful interfaces and would like to take 
a look at that usb code in a near future.


On 30/11/2011 4:14, Byron Klippert wrote:

I managed to capture trace and ps output from ddb>

Is this a worthy cause to investigate further or should I take the
advice of others and move on to real(tm) hardware. It would be a shame
given the distasteful argument "well it works fine under "

ddb>  trace
usb_allocmem(d800,2,0,d101c740,d101c700) at usb_allocmem+0x14f
ehci_allocm(d800,d101c740,2,d079d66e,101c754) at ehci_allocm+0x27
usbd_transfer(d101c700,d1109900,0,1388,d75b3d74) at usbd_transfer+0xbb
usbd_do_request_flags_pipe(d1109900,d1109880,d75b3d74,d75b3dce,4) at
usbd_do_request_flags_pipe+0xbb
usbd_do_request_flags(d1109900,d75b3d74,d75b3dce,4,d75b3d7c) at
usbd_do_request_flags+0x3c
usbd_get_string_desc(d1109900,1,1,d75b3dce,d75b3ecc) at
usbd_get_string_desc+0x5e
usbd_get_string(d1109900,1,d3487487,7f,d0ae9220) at usbd_get_string+0x74
usbd_devinfo_vp(d1109900,d3487487,7f,d3487408,7f) at
usbd_devinfo_vp+0x165
usbd_fill_deviceinfo(d1109900,d3487400,1,1,0) at
usbd_fill_deviceinfo+0x53
usbd_fill_di_task(d3487400,20,d098f0af,0,d54f362c) at
usbd_fill_di_task+0x43
usb_task_thread(d54f362c) at usb_task_thread+0xb1
Bad frame pointer: 0xd0ba0e48

ddb>  ps
   PID   PPID   PGRP    UID  S     FLAGS  WAIT      COMMAND
 11732   5036  11732      0  3    0x4000  endtask   usbdevs
 18220  17676  18220   1000  3    0x4080  kqread    tmux
 17676  13203  17676   1000  3    0x4080  pause     ksh
 13203  24243  24243   1000  3     0x180  select    sshd
 24243   7551  24243      0  3    0x4180  netio     sshd
 30142  13825  18365   1000  3    0x4080  ttyin     more
 13825  18365  18365   1000  3    0x4080  pause     sh
 18365  28650  18365   1000  3    0x4080  wait      man
 28650  29160  28650   1000  3    0x4080  pause     ksh
 24368  29160  24368   1000  3    0x4080  ttyin     ksh
 11053  19990  11053      0  3    0x4080  ttyin     vi
 19990  29160  19990   1000  3    0x4080  pause     ksh
 16050  14405  14405     67  3     0x180  netcon    httpd
 21227  29160  21227   1000  3    0x4080  ttyin     ksh
  5036  29160   5036   1000  3    0x4080  pause     ksh
 29160      1  29160   1000  2         0            tmux
 30544  14405  14405     67  3     0x180  netcon    httpd
  1510  14405  14405     67  3     0x180  netcon    httpd
 16181  14405  14405     67  3     0x180  netcon    httpd
 15339      1  15339      0  3    0x4080  ttyin     getty
  8516  14405  14405     67  3     0x180  netcon    httpd
   276  14405  14405     67  3     0x180  netcon    httpd
  9801  14405  14405     67  3     0x180  netcon    httpd
 22942      1  22942      0  3      0x80  select    cron
 29745      1  29745      0  3     0x180  select    inetd
 14405      1  14405      0  3      0x80  select    httpd
   761      1    761      0  3   0x40180  select    sendmail
  7551      1   7551      0  3      0x80  select    sshd
  6224      1   6224      0  3      0x80  poll      ntpd
 15671  25737  15671     83  3     0x180  poll      ntpd
 25737      1  25737     83  3     0x180  poll      ntpd
  1898  14567  14567     74  3     0x180  bpf       pflogd
 14567      1  14567      0  3      0x80  netio     pflogd
 24868    500    500     73  2     0x180            syslogd
   500      1    500      0  3      0x88  netio     syslogd
 31551      1  31551     77  3     0x180  poll      dhclient
 13676      1  25110      0  3      0x80  poll      dhclient
 13732      1  13732      0  3      0x80  mfsidl    mount_mfs
  5311      1   5311      0  3      0x80  mfsidl    mount_mfs
 16196      1  16196      0  3      0x80  mfsidl    mount_mfs
    13      0      0      0  3  0x100200  aiodoned  aiodoned
    12      0      0      0  3  0x100200  syncer    update
    11      0      0      0  3  0x100200  cleaner   cleaner
    10      0      0      0  3  0x100200  reaper    reaper
     9      0      0      0  3  0x100200  pgdaemon  pagedaemon
     8      0      0      0  3  0x100200  bored     crypto
     7      0      0      0  3  0x100200  pftm      pfpurge
    *6      0      0      0  7  0x100200            usbtask
     5      0      0      0  3  0x100200  usbatsk   usbatsk
     4      0      0      0  3  0x100200  bored     syswq
     3      0      0      0  3   0x40100

pf and includes

2011-11-30 Thread Peter Hallin
Hello,

I have some issues with pf.conf and includes that perhaps someone could
shed some light on.

Where I work, we use bridging firewalls with multiple tagged vlans 
passing the bridges, and filtering is done on the vlan interfaces. 
Normally we have around 10-20 vlans on each machine, and we have a LOT 
of rules in pf.conf. To make configuration a little easier I'm beginning
to look at how to separate the vlans into multiple configs, one for each
vlan, and then include them all from pf.conf.

I would want to have all macros, options and rules for each vlan in a
separate file, but also I would like to use macros from one config in
rules in another file. To clarify what I'm getting at, here's an
example:

##

/etc/vlan500.conf:

DB="192.168.0.10/32"

block log on vlan500
pass in quick on vlan500 from $Webserver to $DB port 3306
pass out on vlan500

##

/etc/vlan1000.conf:

Webserver="192.168.1.20/32"

block log on vlan1000
pass in quick on vlan1000 from any to $Webserver port 80
pass out on vlan1000

##

/etc/pf.conf

include "/etc/vlan500.conf"
include "/etc/vlan1000.conf"

##

The above example would not work, as pfctl will look at the rules in
vlan500.conf before looking at the macros in vlan1000.conf and it will 
throw an error that the $Webserver macro is not defined.

If I change the order of the includes in pf.conf, it will work, but of
course if I try to use macros from vlan1000.conf for rules in
vlan500.conf, the problem will arise again.

One way to solve it would be to put all the macros in, say,
/etc/vlan500-macros.conf and /etc/vlan1000-macros.conf and make sure
they are included before the rules in pf.conf, but that seems
inconvenient to me.

What is the common practice for using includes? Is there a way to get 
pfctl to read ALL macros from ALL files before looking at the rules?

I would be happy to hear some suggestions.

Thanks, Peter
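
The ordering problem described in the message above, as an added example that is not part of the original post or of pf itself: a small checker that reads pf.conf top to bottom, follows each include where it appears, and reports every macro used before it is defined. The file contents are constructed copies of the post's example; the single-pass behaviour is assumed from the post, and the parsing is a simplification of the real pf.conf grammar.

```python
import re

# Constructed copies of the three files shown in the post, keyed by path.
FILES = {
    "/etc/pf.conf": 'include "/etc/vlan500.conf"\ninclude "/etc/vlan1000.conf"\n',
    "/etc/vlan500.conf": (
        'DB="192.168.0.10/32"\n'
        "block log on vlan500\n"
        "pass in quick on vlan500 from $Webserver to $DB port 3306\n"
        "pass out on vlan500\n"
    ),
    "/etc/vlan1000.conf": (
        'Webserver="192.168.1.20/32"\n'
        "block log on vlan1000\n"
        "pass in quick on vlan1000 from any to $Webserver port 80\n"
        "pass out on vlan1000\n"
    ),
}

INCLUDE = re.compile(r'^\s*include\s+"([^"]+)"')
DEFINE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=")
USE = re.compile(r"\$([A-Za-z0-9_]+)")
QUOTED = re.compile(r'"[^"]*"')


def walk(path, files, defined, problems, depth=0):
    """Assumed model: one top-to-bottom pass, includes read where they appear."""
    if depth > 16:
        raise RecursionError("include nesting too deep: " + path)
    for lineno, raw in enumerate(files[path].splitlines(), 1):
        line = raw.split("#", 1)[0]  # drop comments (simplified)
        inc = INCLUDE.match(line)
        if inc:
            walk(inc.group(1), files, defined, problems, depth + 1)
            continue
        # Macros are not expanded inside quotes, so ignore quoted text.
        for name in USE.findall(QUOTED.sub('""', line)):
            if name not in defined:
                problems.append((path, lineno, name))
        d = DEFINE.match(line)
        if d:
            defined.add(d.group(1))


def undefined_uses(files, root="/etc/pf.conf"):
    """Return (file, line, macro) for each macro used before it is defined."""
    problems = []
    walk(root, files, set(), problems)
    return problems
```

Run against the include order in the post it reports $Webserver at line 3 of /etc/vlan500.conf; with the two includes swapped it reports nothing.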



Re : how to find dependencies when building a new kernel

2011-11-30 Thread Mik J
Hello,

> From: Kevin Chadwick
> Split your config in half, choose the half you think is most likely to
> cause the problem and diff that half back to defaults and compile.

Just to ack what Kevin says. You're trying to add and remove too many
different things at once.
First take the Generic kernel and add the driver that you wanted, compile.
Then remove unnecessary drivers from one type of hardware (for example
soundcards), compile, repeat the process with other drivers (joysticks,
scanners...). Make sure that you back up all working config files and
restart from the last config that worked.
The other way is to do like you did, add and remove options from the
Generic kernel (keep a copy of it) but it requires the ability to
understand the output when the compilation fails.
Also if you understood what Vitali wrote, it should be quite
straightforward to remove options in the kernel and then be able to
compile it smoothly.

I used to run a Custom kernel and removed as many options as I could but
when something went wrong (in most cases I wanted to install a new
software) I always wondered if that was due to my kernel, so each time I
had to reboot on Generic and restarted to troubleshoot from there. Now I
just find it more convenient to run Generic since I don't have specific
requirements.

However, I think that it's not a reason to say "don't compile a Custom
kernel" (this is not a troll). It's part of a "general OpenBSD knowledge"
to be able to build a Custom kernel. And this is different from "I've
built a Custom kernel, it compiled fine, but the system acts funny/wrong
sometimes".

Have a nice day