Re: xfsdump INTERRUPT
Hi, mkdir /mnt/fap mkdir /mnt/hr20 mount -t xfs -o rtdev=/dev/sda3 /dev/sda2 /mnt/fap mount -t xfs -o rtdev=/dev/sdb3 /dev/sdb2 /mnt/fap You mount both devices to the same destination /mnt/fap Regards, Erwin
suspend on Thinkpad T40
This is current/i386 on a Thinkpad T40 (dmesg below). It's an APM machine; no acpi. I am running apmd -A, and have scripts in /etc/apm/ that just go logger -f /var/log/messages $0 apm -S indeed puts the machine to standby, but comes right back up itself. Is that intended? Nov 20 09:11:49 ibm root: /etc/apm/standby Nov 20 09:12:02 ibm root: /etc/apm/resume Nov 20 09:12:02 ibm apmd: system resumed from APM sleep Suspend mostly works, trigerred either by an explicit apm -s, or Fn+F4, or closing the lid. Nov 20 09:25:41 ibm root: /etc/apm/suspend Nov 20 09:26:16 ibm root: /etc/apm/resume Nov 20 09:26:16 ibm apmd: system resumed from APM sleep After a successfull resume, everything seems to be in order, including X and open connections (haven't tested wifi though). Mostly means that it _usually_ resumes back up, by either pressing the power button or pressing Fn. But sometimes it doesn't. The only pattern I have spotted is that it fails to resume back if it has been suspended for longer: after two minutes of suspend, it always comes back; after ten minutes of suspend, it never comes back. What could be causing that? The exact method of suspending (lid, button, Fn+F4) seems to be irrelevant to this; the method of waking up too: when it happens, there is no reaction to nothing. The only way to get back up then is to remove the power and battery and have a rough awakening. Being on AC or not, or plugging AC in or out during the sleep doesn't seem to make a difference either. Also, I have machdep.lidsuspend=0, but the machine still suspends when I close the lid - is that intended? Are there other settings that regulate when a suspend happens, possibly something that overrides machdep.lidsuspend? Hibernate (apm -Z or Fn+F12) never happens. Fn+F12 however makes the low beep that Fn+F4 makes, so perhaps it is attempting something; there is nothing in the logs though. The console/xterm says System will enter hibernate mode momentarily. but nothing happens after that. I understand that the suspend/hibernate subsystem is currently being heavily worked on, particularly on i386, and I want to thank the people improving that. Is there something specific I should test or report? Thank you for your time Jan OpenBSD 5.2-current (GENERIC) #87: Sat Nov 17 13:27:31 MST 2012 dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel(R) Pentium(R) M processor 1500MHz (GenuineIntel 686-class) 1.50 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,TM,PBE,EST,TM2,PERF real mem = 267317248 (254MB) avail mem = 251985920 (240MB) mainbus0 at root bios0 at mainbus0: AT/286+ BIOS, date 06/18/07, BIOS32 rev. 0 @ 0xfd750, SMBIOS rev. 2.33 @ 0xe0010 (61 entries) bios0: vendor IBM version 1RETDRWW (3.23 ) date 06/18/2007 bios0: IBM 237382G apm0 at bios0: Power Management spec V1.2 acpi at bios0 function 0x0 not configured pcibios0 at bios0: rev 2.1 @ 0xfd6e0/0x920 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdea0/272 (15 entries) pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82371FB ISA rev 0x00) pcibios0: PCI bus #6 is the last bus bios0: ROM list: 0xc/0x1 0xd/0x1000 0xd1000/0x1000 0xdc000/0x4000! 0xe/0x1 cpu0 at mainbus0: (uniprocessor) cpu0: Enhanced SpeedStep 1496 MHz: speeds: 1500, 1400, 1200, 1000, 800, 600 MHz pci0 at mainbus0 bus 0: configuration mode 1 (bios) 0:31:1: io address conflict 0x5800/0x8 0:31:1: io address conflict 0x5808/0x4 0:31:1: io address conflict 0x5810/0x8 0:31:1: io address conflict 0x580c/0x4 pchb0 at pci0 dev 0 function 0 Intel 82855PM Host rev 0x03 intelagp0 at pchb0 agp0 at intelagp0: aperture at 0xd000, size 0x1000 ppb0 at pci0 dev 1 function 0 Intel 82855PM AGP rev 0x03 pci1 at ppb0 bus 1 vga1 at pci1 dev 0 function 0 ATI Radeon Mobility M7 rev 0x00 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) radeondrm0 at vga1: irq 11 drm0 at radeondrm0 uhci0 at pci0 dev 29 function 0 Intel 82801DB USB rev 0x01: irq 11 uhci1 at pci0 dev 29 function 1 Intel 82801DB USB rev 0x01: irq 11 uhci2 at pci0 dev 29 function 2 Intel 82801DB USB rev 0x01: irq 11 ehci0 at pci0 dev 29 function 7 Intel 82801DB USB rev 0x01: irq 11 usb0 at ehci0: USB revision 2.0 uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1 ppb1 at pci0 dev 30 function 0 Intel 82801BAM Hub-to-PCI rev 0x81 pci2 at ppb1 bus 2 2:0:0: mem address conflict 0xb000/0x1000 2:0:1: mem address conflict 0xb100/0x1000 cbb0 at pci2 dev 0 function 0 TI PCI1520 CardBus rev 0x01: irq 11 cbb1 at pci2 dev 0 function 1 TI PCI1520 CardBus rev 0x01: irq 11 em0 at pci2 dev 1 function 0 Intel PRO/1000MT (82540EP) rev 0x03: irq 11, address 00:0d:60:7f:83:fa ipw0 at pci2 dev 2 function 0 Intel PRO/Wireless 2100 rev 0x04: irq 11, address 00:0c:f1:16:9b:b8 cardslot0 at cbb0 slot 0 flags 0 cardbus0 at
Re: ftp(1) errors on an HTTPS url
On 2012-11-18, Rodolfo Gouveia rgouv...@cosmico.net wrote: On Fri, Nov 16, 2012 at 08:23:40PM +, Rodolfo Gouveia wrote: Hello, It seems that https://www.prelude-ids.org doesn't play well with the ftp(1). I normally get an 'improper response': $ ftp -v -d https://www.prelude-ids.org/attachments/download/241/libprelude-1.0.1.tar.gz host www.prelude-ids.org, port (null), path attachments/download/241/libprelude-1.0.1.tar.gz, save as libprelude-1.0.1.tar.gz. Trying 88.190.33.136... Requesting https://www.prelude-ids.org/attachments/download/241/libprelude-1.0.1.tar.gz received 'f' ftp: Improper response from www.prelude-ids.org Tried this with wget and got: $ wget https://www.prelude-ids.org/attachments/download/241/libprelude-1.0.1.tar.gz --2012-11-18 19:34:08-- https://www.prelude-ids.org/attachments/download/241/libprelude-1.0.1.tar.gz Resolving www.prelude-ids.org (www.prelude-ids.org)... 88.190.33.136 Connecting to www.prelude-ids.org (www.prelude-ids.org)|88.190.33.136|:443... connected. ERROR: cannot verify www.prelude-ids.org's certificate, issued by `/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=EssentialSSL CA': Unable to locally verify the issuer's authority. To connect to www.prelude-ids.org insecurely, use `--no-check-certificate'. So maybe the problem is the certificate? No this is just because /etc/ssl/cert.pem is hopelessly out of date. You can use the one from http://curl.haxx.se/docs/caextract.html :- # ftp -o/etc/ssl/cert.pem http://curl.haxx.se/ca/cacert.pem (this is a repackaged version of the Mozilla certificate store). This particular URL is from a port that I'm working on so I'll be using wget for FETCH_CMD. FETCH_CMD may not be used in a port Makefile, it's a user setting only, this file would need to be mirrored for now (if the license permits). One thing I noticed is that if I connect with openssl s_client and make a GET or HEAD request using the HOST header, this server does a renegotiation. Not sure why (doesn't seem to be SNI). But in any event ftp(1) doesn't seem to handle it very well.. ... HEAD / HTTP/1.0 HOST: www.prelude-ids.org depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = PositiveSSL CA 2 verify error:num=20:unable to get local issuer certificate verify return:0 read R BLOCK HTTP/1.1 200 OK Date: Tue, 20 Nov 2012 12:29:19 GMT Server: Apache ...
Re: suspend on Thinkpad T40
On Tue, Nov 20, 2012 at 2:55 AM, Jan Stary h...@stare.cz wrote: This is current/i386 on a Thinkpad T40 (dmesg below). It's an APM machine; no acpi. I am running apmd -A, and have scripts in /etc/apm/ that just go ... Suspend mostly works, trigerred either by an explicit apm -s, or Fn+F4, or closing the lid. ... After a successfull resume, everything seems to be in order, including X and open connections (haven't tested wifi though). Mostly means that it _usually_ resumes back up, by either pressing the power button or pressing Fn. But sometimes it doesn't. The only pattern I have spotted is that it fails to resume back if it has been suspended for longer: after two minutes of suspend, it always comes back; after ten minutes of suspend, it never comes back. ... Also, I have machdep.lidsuspend=0, but the machine still suspends when I close the lid - is that intended? Are there other settings that regulate when a suspend happens, possibly something that overrides machdep.lidsuspend? Perhaps the BIOS is controlling this. Hibernate (apm -Z or Fn+F12) never happens. Fn+F12 however makes the low beep that Fn+F4 makes, so perhaps it is attempting something; there is nothing in the logs though. The console/xterm says System will enter hibernate mode momentarily. but nothing happens after that. I understand that the suspend/hibernate subsystem is currently being heavily worked on, particularly on i386, and I want to thank the people improving that. Is there something specific I should test or report? While hibernation is being worked on, a fair amount of that work focuses on ACPI hibernate--APM hibernate is not the focus (and this is handled by the BIOS on my ThinkPad). That said, my T42p suspends and hibernates mostly without incident--including Wi-Fi--but there were some things I needed to do for the BIOS-based hibernate to work and they revolved around the tphdisk package.
Re: ftp(1) errors on an HTTPS url
On Tue, Nov 20, 2012 at 12:43:38PM +, Stuart Henderson wrote: So maybe the problem is the certificate? No this is just because /etc/ssl/cert.pem is hopelessly out of date. You can use the one from http://curl.haxx.se/docs/caextract.html :- # ftp -o/etc/ssl/cert.pem http://curl.haxx.se/ca/cacert.pem (this is a repackaged version of the Mozilla certificate store). Cool. I thought that could be the problem (outdated certificate store) but look further. This particular URL is from a port that I'm working on so I'll be using wget for FETCH_CMD. FETCH_CMD may not be used in a port Makefile, it's a user setting only, this file would need to be mirrored for now (if the license permits). I'll check that. Thanks!
Four no
Just look at this beautiful name for command-line parameter: -Wno-non-virtual-dtor Again, step by step: Warnings No Non Virtual De- structor No, Non, Virtual and De-. Four times no. Excellent example of brilliant software (all of the lang, compiler and piece of shit being built) design, isn't it? :) -- WBR, Vadim Zhukov
Re: OpenBSD hangs when i unplug USB disk
Marcos Ariel Laufer wrote: On 11/18/2012 12:35 PM, Paul de Weerd wrote: On Thu, Nov 15, 2012 at 01:04:02PM -0300, Marcos Laufer wrote: | I did this quite often a couple of weeks ago. Haven't tried for a | while (no need) and have upgraded to newer snaps a bunch of times | since. Tonight I'll confirm I can unplug safely on the latest snap. | | Thank you Paul, i look forward for the results of your testing tonight. Apologies for the late response; my Thursday plans got changed at the last minute. However, I've verified that unplugging works fine with the latest snapshot. So no regressions from my POV. Paul 'WEiRD' de Weerd Damn, why mine isn't working fine then? Do you have i386 or AMD? I'll try latest 5.1 and 5.2 tomorrow and see what happens. Ok , i've just tried it on a OpenBSD 5.1 and unplugging the USB works just fine, no crash, no freeze. The weird thing and i don't understand why, is that you guys had good results with old OpenBSD versions and i didn't. Regards, Marcos
Re: OpenBSD hangs when i unplug USB disk
On Mon, Nov 19, 2012 at 06:14:49PM -0300, Marcos Ariel Laufer wrote: | However, I've verified that unplugging works fine with the latest | snapshot. So no regressions from my POV. | | Damn, why mine isn't working fine then? Do you have i386 or AMD? | I'll try latest 5.1 and 5.2 tomorrow and see what happens. I've tested all currently connected disks on my machine: sd0 at scsibus1 targ 1 lun 0: WD, My Passport 0740, 1003 SCSI4 0/direct fixed sd1 at scsibus2 targ 1 lun 0: WD, My Passport 0748, 1010 SCSI4 0/direct fixed sd2 at scsibus3 targ 1 lun 0: WD, My Passport 0730, 1015 SCSI4 0/direct fixed sd3 at scsibus4 targ 1 lun 0: WD, My Passport 070A, 1032 SCSI2 0/direct fixed sd4 at scsibus5 targ 1 lun 0: WD, My Passport 0748, 1010 SCSI4 0/direct fixed sd5 at scsibus6 targ 1 lun 0: WD, My Passport 0748, 1010 SCSI4 0/direct fixed which is running: kern.version=OpenBSD 5.2-current (GENERIC.MP) #112: Tue Nov 13 12:57:16 MST 2012 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP and I've not been able to reproduce the issue (dmesg with detach and re-attach cycle for all disks included below). In the past, I ran i386 on another machine which also used a My Password disk (1008) and did not have this issue there either, so I don't think it's an i386-only problem... Cheers, Paul 'WEiRD' de Weerd OpenBSD 5.2-current (GENERIC.MP) #112: Tue Nov 13 12:57:16 MST 2012 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP real mem = 2144333824 (2044MB) avail mem = 2064830464 (1969MB) mainbus0 at root bios0 at mainbus0: SMBIOS rev. 2.3 @ 0xf0450 (76 entries) bios0: vendor Dell Inc. version 2.1.0 date 12/04/2006 bios0: Dell Inc. OptiPlex 745 acpi0 at bios0: rev 2 acpi0: sleep states S0 S3 S4 S5 acpi0: tables DSDT FACP SSDT APIC BOOT ASF! MCFG HPET SLIC SSDT SSDT SSDT acpi0: wakeup devices VBTN(S4) PCI0(S5) PCI4(S5) PCI2(S5) PCI3(S5) PCI1(S5) PCI5(S5) PCI6(S5) MOU_(S3) USB0(S3) USB1(S3) USB2(S3) USB3(S3) USB4(S3) acpitimer0 at acpi0: 3579545 Hz, 24 bits acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: Intel(R) Core(TM)2 CPU 6700 @ 2.66GHz, 2658.43 MHz cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,NXE,LONG,LAHF,PERF cpu0: 4MB 64b/line 16-way L2 cache cpu0: apic clock running at 265MHz cpu1 at mainbus0: apid 1 (application processor) cpu1: Intel(R) Core(TM)2 CPU 6700 @ 2.66GHz, 2658.07 MHz cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,NXE,LONG,LAHF,PERF cpu1: 4MB 64b/line 16-way L2 cache ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 24 pins ioapic0: misconfigured as apic 0, remapped to apid 8 acpimcfg0 at acpi0 addr 0xe000, bus 0-255 acpihpet0 at acpi0: 14318179 Hz acpiprt0 at acpi0: bus 4 (PCI4) acpiprt1 at acpi0: bus 2 (PCI2) acpiprt2 at acpi0: bus -1 (PCI3) acpiprt3 at acpi0: bus 1 (PCI1) acpiprt4 at acpi0: bus 3 (PCI5) acpiprt5 at acpi0: bus -1 (PCI6) acpiprt6 at acpi0: bus 0 (PCI0) acpicpu0 at acpi0: PSS acpicpu1 at acpi0: PSS acpibtn0 at acpi0: VBTN cpu0: Enhanced SpeedStep 2658 MHz: speeds: 2667, 2400, 2133, 1867, 1600 MHz memory map conflict 0x7fe03c00/0x1fc400 pci0 at mainbus0 bus 0 pchb0 at pci0 dev 0 function 0 Intel 82Q965 Host rev 0x02 ppb0 at pci0 dev 1 function 0 Intel 82Q965 PCIE rev 0x02: msi pci1 at ppb0 bus 1 vga1 at pci1 dev 0 function 0 ATI Radeon X1300 Pro rev 0x00 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) radeondrm0 at vga1: apic 8 int 16 drm0 at radeondrm0 ATI Radeon X1300 Pro Sec rev 0x00 at pci1 dev 0 function 1 not configured uhci0 at pci0 dev 26 function 0 Intel 82801H USB rev 0x02: apic 8 int 16 uhci1 at pci0 dev 26 function 1 Intel 82801H USB rev 0x02: apic 8 int 17 ehci0 at pci0 dev 26 function 7 Intel 82801H USB rev 0x02: apic 8 int 22 usb0 at ehci0: USB revision 2.0 uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1 azalia0 at pci0 dev 27 function 0 Intel 82801H HD Audio rev 0x02: msi azalia0: codecs: Analog Devices AD1983 audio0 at azalia0 ppb1 at pci0 dev 28 function 0 Intel 82801H PCIE rev 0x02: msi pci2 at ppb1 bus 2 ppb2 at pci0 dev 28 function 4 Intel 82801H PCIE rev 0x02: msi pci3 at ppb2 bus 3 bge0 at pci3 dev 0 function 0 Broadcom BCM5754 rev 0x02, BCM5754/5787 A2 (0xb002): apic 8 int 16, address 00:18:8b:6a:6d:87 brgphy0 at bge0 phy 1: BCM5787 10/100/1000baseT PHY, rev. 0 uhci2 at pci0 dev 29 function 0 Intel 82801H USB rev 0x02: apic 8 int 23 uhci3 at pci0 dev 29 function 1 Intel 82801H USB rev 0x02: apic 8 int 17 uhci4 at pci0 dev 29 function 2 Intel 82801H USB rev 0x02: apic 8 int 18 ehci1 at pci0 dev 29 function 7 Intel 82801H USB rev 0x02: apic 8 int 23 usb1 at ehci1: USB revision 2.0 uhub1 at usb1 Intel EHCI root hub rev
Re: xfsdump INTERRUPT
That was just a mistake in the posting, sorry. I retried it just in case, and had the same result with the line corrected. mount -t xfs -o rtdev=/dev/sdb3 /dev/sdb2 /mnt/hr20 Best, J. On Nov 20, 2012, at 3:38 AM, Erwin Schliske-3 [via OpenBSD] ml-node+s7691n219236...@n7.nabble.com wrote: Hi, mkdir /mnt/fap mkdir /mnt/hr20 mount -t xfs -o rtdev=/dev/sda3 /dev/sda2 /mnt/fap mount -t xfs -o rtdev=/dev/sdb3 /dev/sdb2 /mnt/fap You mount both devices to the same destination /mnt/fap Regards, Erwin If you reply to this email, your message will be added to the discussion below: http://openbsd.7691.n7.nabble.com/xfsdump-INTERRUPT-tp219224p219236.html To unsubscribe from xfsdump INTERRUPT, click here. NAML -- View this message in context: http://openbsd.7691.n7.nabble.com/xfsdump-INTERRUPT-tp219224p219258.html Sent from the openbsd user - misc mailing list archive at Nabble.com.
Re: OpenBSD hangs when i unplug USB disk
On 2012 Nov 20 (Tue) at 12:45:09 -0300 (-0300), Marcos Laufer wrote: :Ok , i've just tried it on a OpenBSD 5.1 and unplugging the USB works :just fine, no crash, no freeze. : :The weird thing and i don't understand why, is that you guys had good :results with old OpenBSD versions and i didn't. : No, nobody bothered with older versions. We run -current, or 5.1 at the latest. -- Did you know that Spiro Agnew is an anagram of Grow a Penis?
Re: OpenBSD hangs when i unplug USB disk
Peter Hessler wrote: On 2012 Nov 20 (Tue) at 12:45:09 -0300 (-0300), Marcos Laufer wrote: :Ok , i've just tried it on a OpenBSD 5.1 and unplugging the USB works :just fine, no crash, no freeze. : :The weird thing and i don't understand why, is that you guys had good :results with old OpenBSD versions and i didn't. : No, nobody bothered with older versions. We run -current, or 5.1 at the latest. I'm sorry, but some people bothered, even asked me to send info because this worked with old versions of the OS to them and not to me. So i guess it has something to do with the firmware on the disk, i don't really know. But if it works on 5.1 then that's enough for me.
Re: Replacing Apache with nginx
On Mon, Nov 19, 2012 at 04:42:57PM -0300, Martín Ferco wrote: I can see that some files have been updated by the OpenBSD team, reading README.OpenBSD in the source directory. One of those changes seems to have been the inclusion of the -u flag to chroot nginx (I'm not entirely sure about this, but I can't find that switch in a 1.2.5 release for CentOS). Good caught! Has it gone through an audit process of some sort by the OpenBSD team? I think that was performed for the Apache code, and patches were applied because of that. Human resources are limited. Last, but not least, is there a recommended way to compile/add modules to nginx? I had to modify the Makefile.bsd-wrapper to do that, as it looke like the only way to add 3rd party modules to it. Is there a suggested way to do that? /usr/ports/www/nginx jirib
Re: xfsdump INTERRUPT
On Mon, Nov 19, 2012 at 02:10:09PM -0800, rlinsurf wrote: I'm trying to use xfsdump to copy all the files from my home DVR to a bigger hard drive. You sent probably to bad list, this is linux stuff. jirib
Re: xfsdump INTERRUPT
Can you tell me which list it belongs in? Best, J. On Nov 20, 2012, at 3:59 PM, Jiri B-2 [via OpenBSD] ml-node+s7691n219270...@n7.nabble.com wrote: On Mon, Nov 19, 2012 at 02:10:09PM -0800, rlinsurf wrote: I'm trying to use xfsdump to copy all the files from my home DVR to a bigger hard drive. You sent probably to bad list, this is linux stuff. jirib If you reply to this email, your message will be added to the discussion below: http://openbsd.7691.n7.nabble.com/xfsdump-INTERRUPT-tp219224p219270.html To unsubscribe from xfsdump INTERRUPT, click here. NAML -- View this message in context: http://openbsd.7691.n7.nabble.com/xfsdump-INTERRUPT-tp219224p219271.html Sent from the openbsd user - misc mailing list archive at Nabble.com.
Re: relayd and header directives
I'm seeing this exact same issue after upgrading a firewall this
afternoon; any use of the header(); function in PHP with SSL is causing
a big 500 Internal Server Error page to be displayed by relayd, while
the other firewall (which I'm now holding out on upgrading) is having no
issues at all when it's the CARP master:
Nov 20 13:06:23 fw02 relayd[4423]: relay wwwssl, session 134 (2 active), 0,
***.***.127.152 - 192.168.21.218:443, invalid (500 Internal Server Error)
Nov 20 13:06:26 fw02 relayd[32703]: relay wwwssl, session 166 (1 active), 0,
***.***.114.27 - 192.168.21.207:443, invalid (500 Internal Server Error)
Nov 20 13:06:27 fw02 relayd[5856]: relay wwwssl, session 207 (2 active), 0,
***.***.192.47 - 192.168.21.218:443, invalid (500 Internal Server Error)
Nov 20 13:06:30 fw02 relayd[32703]: relay wwwssl, session 167 (1 active), 0,
***.***.130.66 - 192.168.21.213:443, invalid (500 Internal Server Error)
Nov 20 13:06:34 fw02 relayd[20956]: relay wwwssl, session 191 (1 active), 0,
***.***.127.152 - 192.168.21.218:443, invalid (500 Internal Server Error)
Any suggestions?
Thanks,
Andrew Klettke
Systems Admin
Optic Fusion
On 11/15/2012 04:04 AM, Bogdan Andu wrote:
Hello,
I looked briefly in relay.c file and it seems that in the function
void relay_read_http/2 - which is called only in ssl context - the following
piece of code produces the error:
} else if ((cre-method ==
HTTP_METHOD_DELETE ||
cre-method == HTTP_METHOD_GET ||
cre-method == HTTP_METHOD_HEAD ||
cre-method == HTTP_METHOD_OPTIONS ||
cre-method ==
HTTP_METHOD_POST ||
cre-method == HTTP_METHOD_PUT ||
cre-method == HTTP_METHOD_RESPONSE)
strcasecmp(Content-Length, pk.key) == 0) {
/*
* Need to read data from
the client after the
* HTTP header.
* XXX What about non-standard clients not using
* the carriage return? And some browsers seem to
* include the line length in the content-length.
*/
cre-toread =
strtonum(pk.value, 0, ULLONG_MAX, errstr);
if
(errstr) {
relay_close_http(con, 500, errstr,
0);
goto abort;
}
pk.value contains a value that cannot be converted to a number, hence the
function strtonum sets the error invalid in errstr, which appears in this
log message:
relayd www_ssl, session 1 (1 active), 0, 10.10.11.66 -
127.0.0.1:8080, invalid
I think the problem is that the variable pk.value
contains whatever follows after the header Content-Length.
For example, curl
sends this header to the server:
$ curl -XPOST -k
-vhttps://server/cgi-bin/query -d'param1=val1param2=val2'
** SSL
handshake***
POST /cgi-bin/query HTTP/1.1
User-Agent: curl/7.27.0
Host:
server
Accept: */*
Content-Length: 23
Content-Type:
application/x-www-form-urlencoded
The code stops reading further key:value
header entries when encounters Content-Length, and any entry, like
Content-Type: application/x-www-form-urlencoded, that follows is accumulated
in pk.value, and cannot be converted to number becasue contains alfanumeric
characters
yielding the error invalid, in conversion, while pk.key remains
with value Content-Length.
What is curious enough is that a plain http
request does not even calls this function, and that is why is working.
Bogdan
From: Bogdan Andu bo...@yahoo.com
To:
Sebastian Benoit be...@openbsd.org; misc@openbsd.org misc@openbsd.org
Cc: r...@openbsd.org r...@openbsd.org
Sent: Thursday, November 15, 2012
9:36 AM
Subject: Re: relayd and header directives
Hello,
In the meanwhile I
have discovered the following issues:
[WITH SSL]:
1) No headers directives
are allowed - the session is reported as invalid
2)
If the POST arguments are
sent as usual, like this:
$ curl -XPOST -k -v
https://server/cgi-bin/query
-d'param1=val1param2=val2'
relayd reports the
session invalid:
relayd
www_ssl, session 1 (1 active), 0, 10.10.11.66 -
127.0.0.1:8080, invalid
and
the local web server is not accessed
3) If the
POST argumenst are converted
into GET like this:
$ curl -XPOST -k -v
https://server/cgi-bin/query?param1=val1¶m2=val2'
everything work ok.
Although there are sessions reported as invalid, the dialog with local web
server
works, and the respons returns to the client
[WITHOUT SSL]
Everything
work as expected with and without header directives
So, if the
relayd does
not makes ssl offloading seems that everything work ok. I suspect
there must
be something with ssl processing.
The machine is in trunk0 setup
with link
failover in dual stack. So the relayd listens on both IPv4 and IPv6.
With or
without SSL offloading I cannot change
Re: Replacing Apache with nginx
On Mon, Nov 19, 2012 at 04:42:57PM -0300, Martín Ferco wrote: I can see that some files have been updated by the OpenBSD team, reading README.OpenBSD in the source directory. One of those changes seems to have been the inclusion of the -u flag to chroot nginx (I'm not entirely sure about this, but I can't find that switch in a 1.2.5 release for CentOS). No, the -u flag DISABLES the default chroot. From the manpage: -u By default nginx will chroot(2) to the home directory of the user running the daemon, typically ``www'', or to the home directory of user in nginx.conf. The -u option disables this behaviour, and returns nginx to the original unsecure behaviour. This is the same approach as in OpenBSD's Apache. Don't use the -u flag unless you know what you're doing and have an excellent reason. Nicolai
PF altq and limiting traffic among multiple interfaces
Hi, Searched for this for a while. Found below old post, without answer. Is this actually possible to setup that way? From http://marc.info/?l=openbsd-pfm=112015092309886w=2 List: openbsd-pf Subject:Altq - limiting traffic among multiple interfaces From: Jonathan Camenisch alaythia () gmail ! com Date: 2005-06-30 14:15:55 Message-ID: fd5fdde005063007153fc4c2c2 () mail ! gmail ! com In our organization, I'd like to use Altq to keep any one process (download or whatever) from hogging bandwidth and degrading performance for others. It's more complicated than I expected, though, and I haven't been able to find an example that's much like my environment (I'd be glad to publish mine if I could get it working well). Here's the layout: Office (internal) subnet DMZ | / [fxp0] [fxp1] Internet ---[fxp4]OpenBSD/pf firewall [fxp2] [fxp3] | \ Guest class 1 subnet Guest class 2 subnet We have sort of a conference center, so we're providing access for guests as well as offices. Hence all the subnets. We also host some of our own web sites on the DMZ. Now to make it more complicated, our fractional T1 provides 512Kb of *total* bandwidth. That is, the total of upload *and* download bandwidth can never exceed 512Kb. Ideally, I would like to set up a single 512k queue and divy it up (with cbq) among all traffic that passes in or out of fxp4, regardless of which interface it exits. (I'd really like to allow borrowing among all directions.) But as far as I know, there's no way to do exactly that. What I'm hoping someone could suggest is, what's the best I can do? That is, how can I get the best utilization out of my limited connection while preventing anything from hogging it? Forgive me if I'm overlooking information that's already available. I'm afraid my brain's gotten a little scrambled trying to adapt the altq model to this scenario. Thank you for your time! Jonathan -- best regards q#
Re: relayd and header directives
A little more info; turns out this is happening on any POST when you
have the option ``header change Connection to close`` in your http
protocol stanza, and not necessarily when the header(); function is
called, as I previously thought. Here's the simple script I was using to
test:
?php
echo form method=POST action=\index.php\;
echo input type=\hidden\ name=\hidden\ value=\1\;
echo input type=\submit\ name=\submit\ value=\submit\;
echo /form;
?
Clicking the submit button instantly gets me a 500 error from relayd
in 5.2 when my http protocol is defined like so:
http protocol httpssl {
header append $REMOTE_ADDR to X-Forwarded-For
header append $SERVER_ADDR:$SERVER_PORT to X-Forwarded-By
header change Keep-Alive to $TIMEOUT
header change Connection to close
tcp { nodelay, sack, socket buffer 65536, backlog 128 }
return error
ssl { sslv3, tlsv1, no sslv2, ciphers
HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM }
}
Commenting out the ``header change Connection to close`` option makes
everything work just fine, as far as I can tell.
Thanks,
Andrew Klettke
Systems Admin
Optic Fusion
253-830-2943
On 11/20/2012 02:31 PM, Andrew Klettke wrote:
I'm seeing this exact same issue after upgrading a firewall this
afternoon; any use of the header(); function in PHP with SSL is
causing a big 500 Internal Server Error page to be displayed by
relayd, while the other firewall (which I'm now holding out on
upgrading) is having no issues at all when it's the CARP master:
Nov 20 13:06:23 fw02 relayd[4423]: relay wwwssl, session 134 (2
active), 0, ***.***.127.152 - 192.168.21.218:443, invalid (500
Internal Server Error)
Nov 20 13:06:26 fw02 relayd[32703]: relay wwwssl, session 166 (1
active), 0, ***.***.114.27 - 192.168.21.207:443, invalid (500
Internal Server Error)
Nov 20 13:06:27 fw02 relayd[5856]: relay wwwssl, session 207 (2
active), 0, ***.***.192.47 - 192.168.21.218:443, invalid (500
Internal Server Error)
Nov 20 13:06:30 fw02 relayd[32703]: relay wwwssl, session 167 (1
active), 0, ***.***.130.66 - 192.168.21.213:443, invalid (500
Internal Server Error)
Nov 20 13:06:34 fw02 relayd[20956]: relay wwwssl, session 191 (1
active), 0, ***.***.127.152 - 192.168.21.218:443, invalid (500
Internal Server Error)
Any suggestions?
Thanks,
Andrew Klettke
Systems Admin
Optic Fusion
On 11/15/2012 04:04 AM, Bogdan Andu wrote:
Hello,
I looked briefly in relay.c file and it seems that in the function
void relay_read_http/2 - which is called only in ssl context - the
following
piece of code produces the error:
} else if ((cre-method ==
HTTP_METHOD_DELETE ||
cre-method == HTTP_METHOD_GET ||
cre-method == HTTP_METHOD_HEAD ||
cre-method == HTTP_METHOD_OPTIONS ||
cre-method ==
HTTP_METHOD_POST ||
cre-method == HTTP_METHOD_PUT ||
cre-method == HTTP_METHOD_RESPONSE)
strcasecmp(Content-Length, pk.key) == 0) {
/*
* Need to read data from
the client after the
* HTTP header.
* XXX What about non-standard clients not
using
* the carriage return? And some browsers
seem to
* include the line length in the
content-length.
*/
cre-toread =
strtonum(pk.value, 0, ULLONG_MAX, errstr);
if
(errstr) {
relay_close_http(con, 500, errstr,
0);
goto abort;
}
pk.value contains a value that cannot be converted to a number, hence
the
function strtonum sets the error invalid in errstr, which appears
in this
log message:
relayd www_ssl, session 1 (1 active), 0, 10.10.11.66 -
127.0.0.1:8080, invalid
I think the problem is that the variable pk.value
contains whatever follows after the header Content-Length.
For example, curl
sends this header to the server:
$ curl -XPOST -k
-vhttps://server/cgi-bin/query -d'param1=val1param2=val2'
** SSL
handshake***
POST /cgi-bin/query HTTP/1.1
User-Agent: curl/7.27.0
Host:
server
Accept: */*
Content-Length: 23
Content-Type:
application/x-www-form-urlencoded
The code stops reading further key:value
header entries when encounters Content-Length, and any entry, like
Content-Type: application/x-www-form-urlencoded, that follows is
accumulated
in pk.value, and cannot be converted to number becasue contains
alfanumeric
characters
yielding the error invalid, in conversion, while pk.key remains
with value Content-Length.
What is curious enough is that a plain http
request does not even calls this function, and that is why is working.
Bogdan
From: Bogdan Andu bo...@yahoo.com
To:
Sebastian Benoit be...@openbsd.org; misc@openbsd.org
Re: PF altq and limiting traffic among multiple interfaces
I'm no pro (and I've never seen a connection that had a transfer cap
applied to upstream+downstream), but if I was limited to 512 kb/s up+down,
I'd want to:
1) Prioritize ACKs to limit getting hammered with retransmits
2) Throttle guests tightly but allow them to borrow from other queues; not
too much, as if we allow 256k upstream we're probably getting back a lot
more bottlenecked up on the downstream. PF can't control how much data hits
the downstream except by limiting the upstream.
3) Have an upstream router that supports ECN/RED :P
4) Use the fancy HFSC scheduler! (huzzah)
For example:
altq on $ext_if bandwidth 128Kb hfsc queue { ack, dns, hipri, def, guest1,
guest2 }
queue ack bandwidth 60% priority 6 qlimit 200 hfsc (realtime 30% ecn)
queue dns bandwidth 10% priority 5 qlimit 200 hfsc (realtime 20% ecn)
queue hipri bandwidth 10% priority 4 qlimit 150 hfsc (realtime 20% ecn)
queue def bandwidth 10% priority 2 qlimit 100 hfsc (realtime 20% ecn
default)
queue guest1 bandwidth 5% priority 0 qlimit 50 hfsc (upperlimit 15% red)
queue guest2 bandwidth 5% priority 0 qlimit 50 hfsc (upperlimit 15% red)
block in all
block out on $ext_if
block out log on $int_if
block out log on $guest1_if
block out log on $guest2_if
block out log on $dmz_if
# Now to allow some traffic. For example, let's allow DNS traffic out unto
the internets at priority 5, and its TCP ACKs at priority 6:
pass out on $ext_if proto {tcp udp} from any to any port 53 queue (dns, ack)
Haven't tried it, but I imagine that that ruleset beats the hell out of
plain old filtering from the end users' perspective. You'll obviously need
to add all the packet filtering rules for it to work, but that would be my
first shot at the queueing.
Note that all the queues except guest1 and guest2 are allowed to borrow
bandwidth up to 100% of the 256kb queue, but guest1 and guest2 are
restricted to a max of 15% of that (so the 2 guest nets can do a max of 30%
of total outbound).
Note also that we're limiting outbound traffic to 128kb because outbound +
inbound are rate limited to 512k. Might actually have to reduce that a
little to speed things up once it gets congested; play with it and see!
Also, there's a high probability that something about this is wrong/stupid,
as it's untested, but I'm sure someone will correct me. ;)
On Tue, Nov 20, 2012 at 5:45 PM, Mikolaj Kucharski
miko...@kucharski.namewrote:
Hi,
Searched for this for a while. Found below old post, without answer. Is
this actually possible to setup that way?
From http://marc.info/?l=openbsd-pfm=112015092309886w=2
List: openbsd-pf
Subject:Altq - limiting traffic among multiple interfaces
From: Jonathan Camenisch alaythia () gmail ! com
Date: 2005-06-30 14:15:55
Message-ID: fd5fdde005063007153fc4c2c2 () mail ! gmail ! com
In our organization, I'd like to use Altq to keep any one process
(download or whatever) from hogging bandwidth and degrading
performance for others. It's more complicated than I expected, though,
and I haven't been able to find an example that's much like my
environment (I'd be glad to publish mine if I could get it working
well). Here's the layout:
Office (internal) subnet DMZ
| /
[fxp0] [fxp1]
Internet ---[fxp4]OpenBSD/pf firewall
[fxp2] [fxp3]
| \
Guest class 1 subnet Guest class 2 subnet
We have sort of a conference center, so we're providing access for
guests as well as offices. Hence all the subnets. We also host some of
our own web sites on the DMZ.
Now to make it more complicated, our fractional T1 provides 512Kb of
*total* bandwidth. That is, the total of upload *and* download
bandwidth can never exceed 512Kb.
Ideally, I would like to set up a single 512k queue and divy it up
(with cbq) among all traffic that passes in or out of fxp4, regardless
of which interface it exits. (I'd really like to allow borrowing among
all directions.)
But as far as I know, there's no way to do exactly that. What I'm
hoping someone could suggest is, what's the best I can do? That is,
how can I get the best utilization out of my limited connection while
preventing anything from hogging it?
Forgive me if I'm overlooking information that's already available.
I'm afraid my brain's gotten a little scrambled trying to adapt the
altq model to this scenario. Thank you for your time!
Jonathan
--
best regards
q#
Re: PF altq and limiting traffic among multiple interfaces
Mikolaj,
Before I get into this, do you really have a connection where your total
bandwidth in both directions is pooled? If so you will need to modify my
approach somewhat, as I've not been in that situation myself.
For reference, my full rule set for my home network appears at the end of this
message.
PF only queues on outbound traffic, so to shape your traffic in both directions
you must be operating PF in a router or bridge configuration. People sometimes
make the mistake of thinking that this means that PF cannot queue download
traffic. As I said earlier, PF cannot queue inbound traffic on an interface.
There is a difference between queuing inbound traffic and queuing download,
because inbound traffic relates to an interface while download is applied as a
perspective dependent concept. With the correct configuration, you can
configure your external interface to queue packets for upload and your
internal interface to queue packets for download. I use quotes to indicate
that these terms are relative to the perspective of a machine behind your
router on your internal network.
In short, the problem with keeping state across interfaces (PF's default) is
that it makes it impractical, if not impossible, to have packets in different
queues on both your internal and external network interfaces. To fix this, you
need to configure PF to keep state on a per interface basis. This is done with
a declaration in PF of set state-policy if-bound.
Once that is done, a little extra work needs to be done with your pass rules.
1. You will have to determine a way to identify the priority of new packets
that you wish to pass in from your internal network, such as by IP, IP range,
VLAN, or real interface. On each of those pass in rules you will assign the
packet to the corresponding queue on the external interface and tag the packet
with an identifier for the type of queuing it needs.
2. On your external interface you will need pass out rules that sort the
traffic according to how they were tagged by the internal interface pass in
rule. The pass out rule will assign the packet to the corresponding queue on
the internal interface.
3. The mechanism of keeping state will take care of the rest.
4. If you plan to have any open ports on your external interface (ssh, http,
bittorrent), you will need to repeat the above using the external interface in
step 1, and the internal interface in step 2.
5. You will also need at least one rule to allow packets to pass out from each
interface on the router/bridge machine itself. You can queue these specifically
or let them go to the default queue. The examples of this in my rule set below
should be evident if you take the time to understand it.
You might also want to read a question I asked a few days ago on this list. It
will help you to understand a strange limitation I've encountered with this
type of configuration. See
http://marc.info/?l=openbsd-miscm=135325644931124w=2 if you are interested.
No one has responded to that message, so I am not sure if the defect exists in
my rule set or in PF itself. My intuition tells me that PF is the problem, but
my experience tells me that my intuition cannot be trusted in these matters. :)
I hope this is what you were looking for.
Breen Ouellette
---
# PF optimized for home router.
# UPDATED: 2012-Nov-17
###
# Preamble:
# REMEMBER: Enable the following line in /etc/sysctl.conf:
# net.inet.ip.forwarding=1
# Blocked1Hr table requires matching crontab entry to expire blocked IPs:
# * * * * * pfctl -t Blocked1Hr -T expire 3600
/dev/null 21
# Filtering of ssh abusers also requires that sshd_config is updated to listen
on ports 10 and 16.
ExtIf = em1
ExtIP = (em1)
IntIf = em0
VLAN1If = vlan1
VLAN1Net = vlan1:network
VLAN2If = vlan2
VLAN2Net = vlan2:network
AthenaIP = 172.16.0.1
ScreenerIP = 172.16.0.2
LGO2XIP = 192.168.0.100
SkypeIP = 192.168.0.50
table authpf_users persist
table Blocked1Hr persist
table SSHBlockedOnce persist
table SSHBlockedTwice persist
table SSHBlockedPerm persist
table CdnNets const persist file /etc/cdn_nets.pftable
table MartianNets const persist file /etc/martian_nets.pftable
table SSHAllowedIPs const persist file /etc/ssh_ips.pftable
# Internal network queuing.
altq on $IntIf cbq bandwidth 5250Kb queue \
{ LGO2X_DL, PC_DL, Skype_DL, TV_DL, WiFi_DL }
queue LGO2X_DL bandwidth 650Kb priority 2 cbq(borrow ecn)
queue PC_DL bandwidth 1500Kb priority 1 cbq(borrow ecn default)
queue Skype_DL bandwidth 100Kb priority 2 cbq(ecn)
queue TV_DL bandwidth 2000Kb priority 1 cbq(borrow ecn)
queue WiFi_DL bandwidth 1000Kb priority 1 cbq(borrow ecn)
# ISP network queuing.
altq on $ExtIf cbq bandwidth 550Kb queue \
{ ACK_UL, LGO2X_UL, PC_UL, Skype_UL, TV_UL, WiFi_UL }
# 27400bps ACK_UL is required for each 1Mbps of total download bandwitdh,
# assuming a 40bit ACK packet size. Real world results may vary and
Re: xfsdump INTERRUPT
http://lmgtfy.com/?q=xfs+mailing+list On Tue, Nov 20, 2012 at 01:08:03PM -0800, rlinsurf wrote: Can you tell me which list it belongs in? Best, J. On Nov 20, 2012, at 3:59 PM, Jiri B-2 [via OpenBSD] ml-node+s7691n219270...@n7.nabble.com wrote: On Mon, Nov 19, 2012 at 02:10:09PM -0800, rlinsurf wrote: I'm trying to use xfsdump to copy all the files from my home DVR to a bigger hard drive. You sent probably to bad list, this is linux stuff. jirib If you reply to this email, your message will be added to the discussion below: http://openbsd.7691.n7.nabble.com/xfsdump-INTERRUPT-tp219224p219270.html To unsubscribe from xfsdump INTERRUPT, click here. NAML -- View this message in context: http://openbsd.7691.n7.nabble.com/xfsdump-INTERRUPT-tp219224p219271.html Sent from the openbsd user - misc mailing list archive at Nabble.com.
