Re: Connection drop (i.e. IRC) caused by pf/pfsync/carp/...?

2014-10-10 Thread Nicolas Christener
Hi

First, thank you Paul and Andy for your input! I'm very thankful for
your effort!

On Thu, 2014-10-09 at 16:08 +0100, Andy wrote:
> I have seen this when the allowed number of states is too low and PF 
> clears the idle states too early..
> 
> See http://www.openbsd.org/faq/pf/options.html;
> set optimization/option/

We already had "optimization" set to "conservative" and we also followed
[1] to be sure that we don't hit the state table limit.
The state table limit is set to 300k and we're seeing around 110k states
on average and no massive peaks.

But what we do see is the following quite high number - could this be a
problem (pfctl -s info)?:
# pfctl -s info 
state-mismatch   90777051.4/s
congestion  22280.0/s

Some settings from our pf.conf which could be related:
set block-policy return
set debug urgent
set fingerprints "/etc/pf.os"
set limit states 30
set limit src-nodes 5
set loginterface none
set optimization conservative
set reassemble no
set ruleset-optimization basic
set state-policy floating
set timeout frag 30
set timeout interval 10

So according to Paul the problem lies somewhere in pf itself, should we
file a bug in that case? Or can we do something more to make sure that
the problem isn't on our side?

Thanks again for your help and have a nice day!

Kind regards,
Nicolas

[1]
http://www.packetmischief.ca/2011/02/17/hitting-the-pf-state-table-limit/



PF monitoring

2014-10-10 Thread BARDOU Pierre
Hello,

I'm looking for performance indicators to be warned if my PF firewall is about
to be overwhelmed.
I heard about congestion in pfctl -si, net.inet.ip.ifq.drops and
kern.netlivelocks.

I searched the man pages pfctl(8) and sysctl(3), but I didn't find a clear
explanation of what these numbers mean.
Could someone around here clarify that please?

Many thanks

--
Kind regards,

Pierre BARDOU
Network engineer - P2I Infrastructure
05 67 69 71 84
MiPih
12, rue Michel Labrousse - BP93668
31036 TOULOUSE Cedex 1
www.mipih.fr
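
The indicators named in the two posts above (state table usage against the configured limit, and the congestion and state-mismatch counters from `pfctl -s info`) are best tracked by diffing two snapshots, because the Rate column pfctl prints is an average over the whole time PF has been enabled. This is an added example, not part of the original thread: the snapshot text is constructed, the function names are hypothetical, and the 80% threshold is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Constructed `pfctl -s info` snapshot: $1 = current entries,
# $2 = congestion total, $3 = state-mismatch total.
sample() {
    cat <<EOF
Status: Enabled for 12 days 03:14:07             Debug: err

State Table                          Total             Rate
  current entries                   $1
  searches                      5120000000         4880.1/s
  inserts                         61000000           58.1/s
  removals                        60890200           58.0/s
Counters
  match                           64000000           61.0/s
  congestion                          $2            0.0/s
  state-mismatch                     $3            0.0/s
EOF
}

# Print the Total column of one row. $1 = row name, $2 = snapshot text.
# Rows are "name total rate/s" or, for "current entries", "name total".
pf_total() {
    printf '%s\n' "$2" | awk -v want="$1" '
        {
            n = NF
            if (n >= 2 && $n ~ /\/s$/) n--        # drop the rate column
            if (n < 2 || $n !~ /^[0-9]+$/) next   # header or status line
            name = $1
            for (i = 2; i < n; i++) name = name " " $i
            if (name == want) { print $n; found = 1; exit }
        }
        END { if (!found) exit 1 }
    '
}

# Growth of one counter between two snapshots.
# $1 = counter, $2 = earlier snapshot, $3 = later snapshot.
pf_delta() {
    _a=$(pf_total "$1" "$2") || return 1
    _b=$(pf_total "$1" "$3") || return 1
    echo $(( _b - _a ))
}

# State table usage as a percentage of the configured limit.
# $1 = snapshot, $2 = value of "set limit states" in pf.conf.
pf_state_pct() {
    _cur=$(pf_total "current entries" "$1") || return 1
    echo $(( _cur * 100 / $2 ))
}

# Report on two snapshots taken $3 seconds apart.
# $1 = earlier, $2 = later, $4 = state limit, $5 = warn percentage
# (default 80, an assumed threshold). Returns 0 when the state table is
# below the threshold and congestion did not move, 1 otherwise, 2 when
# a row could not be parsed. state-mismatch is printed for trending only.
pf_check() {
    _pct=$(pf_state_pct "$2" "$4") || return 2
    _cong=$(pf_delta congestion "$1" "$2") || return 2
    _mism=$(pf_delta state-mismatch "$1" "$2") || return 2
    echo "state table ${_pct}% of limit $4"
    echo "congestion +${_cong} in ${3}s"
    echo "state-mismatch +${_mism} in ${3}s"
    [ "$_pct" -lt "${5:-80}" ] && [ "$_cong" -eq 0 ]
}

# Demo on constructed data. On a firewall, capture `pfctl -s info` twice,
# a known interval apart, and pass the two captures instead.
pf_check "$(sample 109800 1500 40000)" "$(sample 110234 1620 40084)" \
    60 300000 || true
```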




Alix, pppoe(VDSL), extremely low upload speed

2014-10-10 Thread Mark Patruck
I'm running 5.6-current on an Alix 2c3. The box is connected
via pppoe(4) and VDSL 50Mbit down/10Mbit up - max-mss is set
to 1440.

Running a few speed tests, i get almost always > 50.000kbit/s
down, but not more than 400-600kbit/s up.

Just for testing purposes, i started httpd(8) and tried to
download a 1MB test file over the internet from another machine.

$ ftp http://1.2.3.4/test1MB
Trying 1.2.3.4...
Requesting http://1.2.3.4/test1MB

After about 8 seconds it shows 128KB, then...few seconds later...
--stalled--few seconds later 256KB--stalled--

65 seconds later, the download has finished.

The same configuration (freshly installed OpenBSD 5.6-current) on
another Alix 2c3 shows exactly the same issues...download fine,
upload < 600kbit/s.

Just to make sure there is nothing wrong with cabling, VDSL modem,
i tried the same configuration on an older Celeron laptop with
ale(4) nic...no issues at all. I get around 8.000kbit/s.

Any clues? (vr(4) issues?) 


-- 
Mark Patruck ( mark at wrapped.cx )
GPG key 0xF2865E51 / 187F F6D3 EE04 1DCE 1C74  F644 0D3C F66F F286 5E51

http://www.wrapped.cx



Re: Alix, pppoe(VDSL), extremely low upload speed

2014-10-10 Thread Stefan Sperling
On Fri, Oct 10, 2014 at 12:23:36PM +0200, Mark Patruck wrote:
> I'm running 5.6-current on an Alix 2c3. The box is connected
> via pppoe(4) and VDSL 50Mbit down/10Mbit up - max-mss is set
> to 1440.
> 
> Running a few speed tests, i get almost always > 50.000kbit/s
> down, but not more than 400-600kbit/s up.
> 
> Just for testing purposes, i started httpd(8) and tried to
> download a 1MB test file over the internet from another machine.
> 
> $ ftp http://1.2.3.4/test1MB
> Trying 1.2.3.4...
> Requesting http://1.2.3.4/test1MB
> 
> After about 8 seconds it shows 128KB, then...few seconds later...
> --stalled--few seconds later 256KB--stalled--
> 
> 65 seconds later, the download has finished.
> 
> The same configuration (freshly installed OpenBSD 5.6-current) on
> another Alix 2c3 shows exactly the same issues...download fine,
> upload < 600kbit/s.
> 
> Just to make sure there is nothing wrong with cabling, VDSL modem,
> i tried the same configuration on an older Celeron laptop with
> ale(4) nic...no issues at all. I get around 8.000kbit/s.
> 
> Any clues? (vr(4) issues?) 

I don't think vr(4) is your problem.
From a net5501 soekris (similar hardware) I can download 6 megabytes
per second of a file on the soekris' hard disk via a LAN-facing vr(4)
interface, served over HTTP with nginx (on 5.6-stable).

You could run measurements with tcpbench(1) to rule out problems
at the network/driver layer. In my testing an Alix.2d2 lx800 (running
5.6-stable too) is slightly faster with tcpbench (Avg Mbps: 92.490)
than the net5501 (Avg Mbps: 86.949), both using vr(4) interfaces
connected to a gigabit switch.

Perhaps it's worth mentioning that the vr(4) interfaces are part
of a bridge(4). I'm not sure if that affects throughput but if
it does plain vr(4) interfaces could be faster.



Re: Alix, pppoe(VDSL), extremely low upload speed

2014-10-10 Thread Mark Patruck
I also get around 6MB/s when using the Alix 2c3 as a simple
router. Problem seems to be the combination... 

vr2 -> vlan7 (vlandev vr2) -> pppoe0 (dev vlan7)

I also don't think the Alix is too slow. As i said...50.000kbit/s
down via pppoe0 works w/o issues.

On Fri, Oct 10, 2014 at 01:10:39PM +0200, Stefan Sperling wrote:
> On Fri, Oct 10, 2014 at 12:23:36PM +0200, Mark Patruck wrote:
> > I'm running 5.6-current on an Alix 2c3. The box is connected
> > via pppoe(4) and VDSL 50Mbit down/10Mbit up - max-mss is set
> > to 1440.
> > 
> > Running a few speed tests, i get almost always > 50.000kbit/s
> > down, but not more than 400-600kbit/s up.
> > 
> > Just for testing purposes, i started httpd(8) and tried to
> > download a 1MB test file over the internet from another machine.
> > 
> > $ ftp http://1.2.3.4/test1MB
> > Trying 1.2.3.4...
> > Requesting http://1.2.3.4/test1MB
> > 
> > After about 8 seconds it shows 128KB, then...few seconds later...
> > --stalled--few seconds later 256KB--stalled--
> > 
> > 65 seconds later, the download has finished.
> > 
> > The same configuration (freshly installed OpenBSD 5.6-current) on
> > another Alix 2c3 shows exactly the same issues...download fine,
> > upload < 600kbit/s.
> > 
> > Just to make sure there is nothing wrong with cabling, VDSL modem,
> > i tried the same configuration on an older Celeron laptop with
> > ale(4) nic...no issues at all. I get around 8.000kbit/s.
> > 
> > Any clues? (vr(4) issues?) 
> 
> I don't think vr(4) is your problem.
> From a net5501 soekris (similar hardware) I can download 6 megabytes
> per second of a file on the soekris' hard disk via a LAN-facing vr(4)
> interface, served over HTTP with nginx (on 5.6-stable).
> 
> You could run measurements with tcpbench(1) to rule out problems
> at the network/driver layer. In my testing an Alix.2d2 lx800 (running
> 5.6-stable too) is slightly faster with tcpbench (Avg Mbps: 92.490)
> than the net5501 (Avg Mbps: 86.949), both using vr(4) interfaces
> connected to a gigabit switch.
> 
> Perhaps it's worth mentioning that the vr(4) interfaces are part
> of a bridge(4). I'm not sure if that affects throughput but if
> it does plain vr(4) interfaces could be faster.
> 

-- 
Mark Patruck ( mark at wrapped.cx )
GPG key 0xF2865E51 / 187F F6D3 EE04 1DCE 1C74  F644 0D3C F66F F286 5E51

http://www.wrapped.cx



Re: packet filter: question about parentheses around "self"

2014-10-10 Thread Harald Dunkel

On 10/08/14 21:44, Henning Brauer wrote:
> * Harald Dunkel  [2014-10-07 13:46]:
>> A related question: I wonder how well "(self)" and "(group)" perform, 
>> compared to tables listing IP addresses? Is (self) evaluated every time for 
>> each rule using it, once per connection, in certain intervals, or only if 
>> one of the network interfaces are actually changed?
> 
> the latter, they are tables internally that get updated on changes.
> 

One last question: Wouldn't it be reasonable to make "(...)" the
default for pf?


Thanx very much anyway. Keep on your good work
Harri



Re: Alix, pppoe(VDSL), extremely low upload speed

2014-10-10 Thread Christopher Zimmermann
On Fri, 10 Oct 2014 13:19:00 +0200 Mark Patruck  wrote:

> I also get around 6MB/s when using the Alix 2c3 as a simple
> router. Problem seems to be the combination...
>
> vr2 -> vlan7 (vlandev vr2) -> pppoe0 (dev vlan7)

vr + vlan makes me think of this:

http://marc.info/?l=openbsd-tech&m=136042402201839&w=2

> I also don't think the Alix is too slow. As i said...50.000kbit/s
> down via pppoe0 works w/o issues.
>
> On Fri, Oct 10, 2014 at 01:10:39PM +0200, Stefan Sperling wrote:
> > On Fri, Oct 10, 2014 at 12:23:36PM +0200, Mark Patruck wrote:
> > > I'm running 5.6-current on an Alix 2c3. The box is connected
> > > via pppoe(4) and VDSL 50Mbit down/10Mbit up - max-mss is set
> > > to 1440.
> > >
> > > Running a few speed tests, i get almost always > 50.000kbit/s
> > > down, but not more than 400-600kbit/s up.
> > >
> > > Just for testing purposes, i started httpd(8) and tried to
> > > download a 1MB test file over the internet from another machine.
> > >
> > > $ ftp http://1.2.3.4/test1MB
> > > Trying 1.2.3.4...
> > > Requesting http://1.2.3.4/test1MB
> > >
> > > After about 8 seconds it shows 128KB, then...few seconds later...
> > > --stalled--few seconds later 256KB--stalled--
> > >
> > > 65 seconds later, the download has finished.
> > >
> > > The same configuration (freshly installed OpenBSD 5.6-current) on
> > > another Alix 2c3 shows exactly the same issues...download fine,
> > > upload < 600kbit/s.
> > >
> > > Just to make sure there is nothing wrong with cabling, VDSL modem,
> > > i tried the same configuration on an older Celeron laptop with
> > > ale(4) nic...no issues at all. I get around 8.000kbit/s.
> > >
> > > Any clues? (vr(4) issues?)
> >
> > I don't think vr(4) is your problem.
> > From a net5501 soekris (similar hardware) I can download 6 megabytes
> > per second of a file on the soekris' hard disk via a LAN-facing
> > vr(4) interface, served over HTTP with nginx (on 5.6-stable).
> >
> > You could run measurements with tcpbench(1) to rule out problems
> > at the network/driver layer. In my testing an Alix.2d2 lx800
> > (running 5.6-stable too) is slightly faster with tcpbench (Avg
> > Mbps: 92.490) than the net5501 (Avg Mbps: 86.949), both using vr(4)
> > interfaces connected to a gigabit switch.
> >
> > Perhaps it's worth mentioning that the vr(4) interfaces are part
> > of a bridge(4). I'm not sure if that affects throughput but if
> > it does plain vr(4) interfaces could be faster.
> >
>
> --
> Mark Patruck ( mark at wrapped.cx )
> GPG key 0xF2865E51 / 187F F6D3 EE04 1DCE 1C74  F644 0D3C F66F F286
> 5E51
>
> http://www.wrapped.cx
>


--
http://gmerlin.de
OpenPGP: http://gmerlin.de/christopher.pub
F190 D013 8F01 AA53 E080  3F3C F17F B0A1 D44E 4FEE




Where is the 'tar' source code?

2014-10-10 Thread Alan McKay
Hey folks,

I'm experiencing some really bizarre behavior with tar when trying to
pass it a list of files with the -I option, and I want to look at the
source code but alas it is not in the tree that I can find.

Yet the machine having the issue was built on this very same build machine.

I'd expect it to be here :

root@openbsd-build32
/usr/src # which tar
/bin/tar

root@openbsd-build32
/usr/src/bin # ls
CVS           chio        date        echo        kill
md5           pax         rm          stty
Makefile      chmod       dd          ed          ksh
mkdir         ps          rmail       sync
Makefile.inc  cp          df          expr        ln
mt            pwd         rmdir       systrace
cat           csh         domainname  hostname    ls
mv            rcp         sleep       test

root@openbsd-build32
/usr/src # find . -name tar

thanks,
-Alan

-- 
"Don't eat anything you've ever seen advertised on TV"
 - Michael Pollan, author of "In Defense of Food"



OpenBSD -current AHCI on HP Probook 450 G0

2014-10-10 Thread Atanas Vladimirov

Hi,
This is the first time I try to install OpenBSD on such hardware.
I used bsd.rd to install it on a usb flash drive. After reboot I choose 
to boot from the usb drive.

Bootloader can't load bsd kernel and the laptop restarts without error.
If I change SATA mode in BIOS from AHCI to IDE I can boot from the usb 
drive.


# dmesg with SATA in IDE mode


Re: Where is the 'tar' source code?

2014-10-10 Thread Ingo Schwarze
/usr/src/bin/pax/



Re: Where is the 'tar' source code?

2014-10-10 Thread David Coppa
On Fri, Oct 10, 2014 at 2:29 PM, Alan McKay  wrote:
> Hey folks,
>
> I'm experiencing some really bizarre behavior with tar when trying to
> pass it a list of files with the -I option, and I want to look at the
> source code but alas it is not in the tree that I can find.
>
> Yet the machine having the issue was built on this very same build machine.
>
> I'd expect it to be here :
>
> root@openbsd-build32
> /usr/src # which tar
> /bin/tar
>
> root@openbsd-build32
> /usr/src/bin # ls
> CVS           chio        date        echo        kill
> md5           pax         rm          stty
> Makefile      chmod       dd          ed          ksh
> mkdir         ps          rmail       sync
> Makefile.inc  cp          df          expr        ln
> mt            pwd         rmdir       systrace
> cat           csh         domainname  hostname    ls
> mv            rcp         sleep       test
>
> root@openbsd-build32
> /usr/src # find . -name tar
>
> thanks,
> -Alan

It's src/bin/pax

Ciao,
David
-- 
"If you try a few times and give up, you'll never get there. But if
you keep at it... There's a lot of problems in the world which can
really be solved by applying two or three times the persistence that
other people will."
-- Stewart Nelson



Re: Where is the 'tar' source code?

2014-10-10 Thread Daniel Cegiełka
ln /bin/pax /bin/tar?



Re: Where is the 'tar' source code?

2014-10-10 Thread Alan McKay
Aha, should have figured to look for a link!

Anyway, I solved my problem without looking at source code.
There was a blank line in the file I was using with -I, and that
caused tar/pax to barf.



Gathering useful information before replacing a Debian box with OpenBSD

2014-10-10 Thread Adam Wolk
Hi,

I have an old MSI Wind U100 netbook that currently runs Debian and I
want to replace it with an OpenBSD installation. Debian currently
handles nicely all the devices that I need in order to use the netbook.
I am OK with any of it (even the crucial ones) being unsupported on
OpenBSD. This is not a critical machine and I am pretty much devoted to
start working on the code base if anything happens to be missing.

In order to prepare for such circumstances I wanted to grab as much
information as possible that could help me diagnose and work on any
missing device support. My ideas so far are grabbing:
- lspci -vvv
- lsmod
- lsusb
- dmesg -k
- /proc/cpuinfo
- dpkg -l

Is there anything else that could be useful when encountering a device
that worked on Debian if it happened not to work on OpenBSD that would
help me attempt of adding it myself (ie. porting a driver)

It's of course possible that everything will work out of the box but
nonetheless I think such a list could be useful :)

Regards,
-- 
  Adam Wolk
  adam.w...@koparo.com



Re: Gathering useful information before replacing a Debian box with OpenBSD

2014-10-10 Thread Josh Grosse

On 2014-10-10 10:17, Adam Wolk wrote:
> ...In order to prepare for such circumstances I wanted to grab as much
> information as possible that could help me diagnose and work on any
> missing device support. My ideas so far are grabbing:
> - lspci -vvv
> - lsmod
> - lsusb
> - dmesg -k
> - /proc/cpuinfo
> - dpkg -l...
> ...It's of course possible that everything will work out of the box but
> nonetheless I think such a list could be useful :)

Far easier would be to just install onto external, bootable media, such as
a USB stick.  Guidance can be found in the FAQ at:

http://www.openbsd.org/faq/faq14.html#flashmemLive

Any recognized devices that do not have drivers will be noted as "not
configured" in OpenBSD's dmesg output.

If you don't want to install or don't have bootable external mass storage, the
installation system can be booted from any valid media and used without running
the install script.  However, the installation system uses the RAMDISK kernel
which does not contain the full complement of drivers found in the GENERIC kernels.




Re: Gathering useful information before replacing a Debian box with OpenBSD

2014-10-10 Thread David Coppa
On Fri, Oct 10, 2014 at 4:17 PM, Adam Wolk  wrote:
> Hi,
>
> I have an old MSI Wind U100 netbook that currently runs Debian and I
> want to replace it with an OpenBSD installation.

This is one of the best supported machines I own.
Seriously.

Ciao,
David
-- 
"If you try a few times and give up, you'll never get there. But if
you keep at it... There's a lot of problems in the world which can
really be solved by applying two or three times the persistence that
other people will."
-- Stewart Nelson



Re: rrdtool troubles after 5.4->5.5 upgrade

2014-10-10 Thread Steven Surdock
Cacti magically started showing the recent data, even though 'rrdtool dump' 
shows dates that are quite wrong.  I'm wondering nfsen breaking is related...

-Steve S.

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of 
Steven Surdock
Sent: Thursday, October 9, 2014 2:41 PM
To: misc@openbsd.org
Subject: rrdtool troubles after 5.4->5.5 upgrade

As required for the upgrade I exported all my rrd's and they appear correct, 
but when I performed a 'restore' on the upgraded 5.5 system the dates appeared 
to become advanced by 136 years.

These are for Cacti and interestingly, cacti shows graphs for the old data, but 
not for data collected after the upgrade.  The rrd's are being updated, but 
with a recent date.



-Steve S.



nfsen on 5.5

2014-10-10 Thread Steven Surdock
Anybody successfully using nfsen?

It was working on 5.4 (except for the portTracker plugin) and now under 5.5
the rrd's are not being updated.  I uninstalled and re-initialized and still
no luck.

-Steve S.



Trying to get suspend to RAM working on an X31

2014-10-10 Thread John Magolske
Hi,

I have an X31 ThinkPad on which I've installed OpenBSD. Everything
seems to be working fine, with the exception of suspend to RAM.

cat /etc/rc.conf.local
apmd_flags="-C"

Upon issuing the `zzz` command, the screen turns off, the machine
spins down and the little crescent-moon "sleep" indicator lights up.
But when woken, the screen comes up frozen with lots of vertical
stripes. Blind-typing commands into the console has no effect (e.g.
`zzz` from a root console then `halt -p` after the awakening attempt).

I've tried `zzz` from X as well as from the console, tried
`disable acpithinkpad` & `disable acpi` (independently from each
other) after "boot> -c", fiddled various settings in the BIOS...but
in all cases there is the same frozen screen with vertical stripes.

Because I've also had no luck getting suspend to work under Debian
(Stable & Testing), I'm thinking the issue might be an old graphics
card that's no longer supported. I realize this machine is over 10
years old and at some point dev effort must focus on more recent
hardware... but I just wanted to check & see if there's something else
to try that might get suspend working here.

Though a pretty meager machine performance-wise by today's standards,
from a physicality standpoint the X31 is IMO one of the nicest compact
laptops out there. Very nice keyboard (better key action than the
X201s I type this) and I like the "tall-screen" format (the low-res is
fine for me with the right bitmap font). And it has enough power for
my basic needs (running a shell, tmux, mutt, vim, elinks, ncmpcpp etc).

Anyhow, just trying to squeeze some more life out of this ThinkPad.
If I can't get suspend to work, maybe I'll look into swapping out the
mobo with something lightweight like a Pandaboard...

BTW -- this is my first experience with OpenBSD, and I have to say the
installation was incredibly straightforward and easy to understand.
Really liking what I see so far!

Thanks for any suggestions,

John



dmesg:


Re: Trying to get suspend to RAM working on an X31

2014-10-10 Thread Mike Larkin
On Fri, Oct 10, 2014 at 10:01:18AM -0700, John Magolske wrote:
> Hi,
> 
> I have an X31 ThinkPad on which I've installed OpenBSD. Everything
> seems to be working fine, with the exception of suspend to RAM.
> 
> cat /etc/rc.conf.local
> apmd_flags="-C"
> 
> Upon issuing the `zzz` command, the screen turns off, the machine
> spins down and the little crescent-moon "sleep" indicator lights up.
> But when woken, the screen comes up frozen with lots of vertical
> stripes. Blind-typing commands into the console has no effect (e.g.
> `zzz` from a root console then `halt -p` after the awakening attempt).
> 
> I've tried `zzz` from X as well as from the console, tried
> `disable acpithinkpad` & `disable acpi` (independently from each
> other) after "boot> -c", fiddled various settings in the BIOS...but
> in all cases there is the same frozen screen with vertical stripes.
> 
> Because I've also had no luck getting suspend to work under Debian
> (Stable & Testing), I'm thinking the issue might be an old graphics
> card that's no longer supported. I realize this machine is over 10
> years old and at some point dev effort must focus on more recent
> hardware... but I just wanted to check & see if there's something else
> to try that might get suspend working here.
> 
> Though a pretty meager machine performance-wise by today's standards,
> from a physicality standpoint the X31 is IMO one of the nicest compact
> laptops out there. Very nice keyboard (better key action than the
> X201s I type this) and I like the "tall-screen" format (the low-res is
> fine for me with the right bitmap font). And it has enough power for
> my basic needs (running a shell, tmux, mutt, vim, elinks, ncmpcpp etc).
> 
> Anyhow, just trying to squeeze some more life out of this ThinkPad.
> If I can't get suspend to work, maybe I'll look into swapping out the
> mobo with something lightweight like a Pandaboard...
> 
> BTW -- this is my first experience with OpenBSD, and I have to say the
> installation was incredibly straightforward and easy to understand.
> Really liking what I see so far!
> 
> Thanks for any suggestions,
> 
> John
> 
> 

boot -c , disable radeondrm (and also disable auto xdm start).

See if you can zzz/resume from the console without radeondrm running.

That will at least give us a place to start.

Another thing you can try is seeing if the machine is in ddb on resume
for some reason. Try a few (3 or 4) "bo re"  commands (enter after each). See
if the machine reboots, and if so you might have clues in dmesg after 
reboot.

-ml



Re: nfsen on 5.5

2014-10-10 Thread Josh Grosse
On Fri, Oct 10, 2014 at 04:52:18PM +, Steven Surdock wrote:
> Anybody successfully using nfsen?
> 
> It was working on 5.4 (except for the portTracker plugin) and now under 5.5
> the rrd's are not being updated.  I uninstalled and re-initialized and still
> no luck.
> 
> -Steve S.
> 
I've been using it since before 5.5, and it works fine for me.  Two 
considerations:

If your webserver is chrooted, rrdtool must be included in the chroot, per
/usr/local/share/doc/pkg-readmes/rrdtool-*. The rrdtool-chroot script
makes this easy.

Your pflow(4) device must use a version of netflow protocol compatible with 
nfcapd, which are versions 1,5,7, and 9.  The pflow driver supports protocol
versions 5 and 10.  Use 5, which is the default.



Re: nfsen on 5.5

2014-10-10 Thread Josh Grosse
On Fri, Oct 10, 2014 at 01:16:17PM -0400, I wrote:
> Your pflow(4) device must use a version of netflow protocol compatible with 
> nfcapd, which are versions 1,5,7, and 9.  The pflow driver supports protocol
> versions 5 and 10.  Use 5, which is the default.

For clarity, protocol version 9 is still available in 5.5, but was removed
for 5.6, expected to be released November 1.  



Re: nfsen on 5.5

2014-10-10 Thread Steven Surdock
> -Original Message-
> From: Josh Grosse [mailto:j...@jggimi.homeip.net]
> Sent: Friday, October 10, 2014 1:16 PM
> To: Steven Surdock
> Cc: misc@openbsd.org
> Subject: Re: nfsen on 5.5
> 
> On Fri, Oct 10, 2014 at 04:52:18PM +, Steven Surdock wrote:
> > Anybody successfully using nfsen?
> >
> > It was working on 5.4 (except for the portTracker plugin) and now
> > under 5.5 the rrd's are not being updated.  I uninstalled and
> > re-initialized and still no luck.
> >
> > -Steve S.
> >
> I've been using it since before 5.5, and it works fine for me.  Two
> considerations:
> 
> If your webserver is chrooted, rrdtool must be included in the chroot, per
> /usr/local/share/doc/pkg-readmes/rrdtool-*. The rrdtool-chroot script
> makes this easy.
> 
> Your pflow(4) device must use a version of netflow protocol compatible
> with nfcapd, which are versions 1,5,7, and 9.  The pflow driver supports
> protocol versions 5 and 10.  Use 5, which is the default.

Not chrooted.  Flow records are being updated and stored correctly. The RRD and 
associated PNGs aren't being updated.  I can still use the rrd generated images 
to look at flows.  I've never gotten PortTracker working as it says it segfault 
in the log.



Re: nfsen on 5.5

2014-10-10 Thread Josh Grosse
On Fri, Oct 10, 2014 at 05:46:40PM +, Steven Surdock wrote:

> Not chrooted.  Flow records are being updated and stored correctly. The 
> RRD and associated PNGs aren't being updated.  I can still use the rrd 
> generated images to look at flows.  I've never gotten PortTracker working 
> as it says it segfault in the log.
 
I've never used PortTracker, as I do not have sufficient capacity on the 
nfsen collector.  It is described as experimental, also.

I am running a very simple configuration, collecting flows from two
firewalls.  The webserver is chrooted nginx, so my database is
inside /var/www with a symbolic link in /var/db, as directed by the nfsen 
pkg-readme. 

Here's my nfsen.conf, with comments removed


$BASEDIR = "/usr/local";
$BINDIR="${BASEDIR}/bin";
$LIBEXECDIR="${BASEDIR}/libdata/perl5/site_perl/NfSen";
$CONFDIR="/etc";
$HTMLDIR= "/var/www/htdocs/nfsen";
$DOCDIR="${BASEDIR}/share/doc/nfsen";
$VARDIR="/var/db/nfsen";
$PROFILESTATDIR="${VARDIR}/profiles-stat";
$PROFILEDATADIR="${VARDIR}/profiles-data";
$BACKEND_PLUGINDIR="${BASEDIR}/lib/nfsen/plugins";
$FRONTEND_PLUGINDIR="${HTMLDIR}/plugins";
$PREFIX  = '/usr/local/bin';
$USER= "_nfcapd";
$WWWUSER  = "www";
$WWWGROUP = "www";
$BUFFLEN = 20;
$SUBDIRLAYOUT = 1;
$ZIPcollected= 1;
$ZIPprofiles = 1;
$PROFILERS = 2;
$DISKLIMIT = 98;
$PROFILERS = 6;
%sources = (

);
$low_water = 90;
$syslog_facility = 'local3';
@plugins = (
);
%PluginConf = (
demoplugin => {
param2 => 42,
param1 => { 'key' => 'value' },
},
otherplugin => [ 
'mary had a little lamb' 
],
);
$MAIL_FROM   = 'nf...@jggimi.homeip.net';
$SMTP_SERVER = 'localhost';
$MAIL_BODY   = q{ 
Alert '@alert@' triggered at timeslot @timeslot@
};
1;



Re: nfsen on 5.5

2014-10-10 Thread Stan Gammons
On Oct 10, 2014 12:48 PM, "Steven Surdock" 
wrote:
>
> > -Original Message-
> > From: Josh Grosse [mailto:j...@jggimi.homeip.net]
> > Sent: Friday, October 10, 2014 1:16 PM
> > To: Steven Surdock
> > Cc: misc@openbsd.org
> > Subject: Re: nfsen on 5.5
> >
> > On Fri, Oct 10, 2014 at 04:52:18PM +, Steven Surdock wrote:
> > > Anybody successfully using nfsen?
> > >
> > > It was working on 5.4 (except for the portTracker plugin) and now
> > > under 5.5 the rrd's are not being updated.  I uninstalled and
> > > re-initialized and still no luck.
> > >
> > > -Steve S.
> > >
> > I've been using it since before 5.5, and it works fine for me.  Two
> > considerations:
> >
> > If your webserver is chrooted, rrdtool must be included in the chroot,
> > per /usr/local/share/doc/pkg-readmes/rrdtool-*. The rrdtool-chroot script
> > makes this easy.
> >
> > Your pflow(4) device must use a version of netflow protocol compatible
> > with nfcapd, which are versions 1,5,7, and 9.  The pflow driver supports
> > protocol versions 5 and 10.  Use 5, which is the default.
>
> Not chrooted.  Flow records are being updated and stored correctly. The
> RRD and associated PNGs aren't being updated.  I can still use the rrd
> generated images to look at flows.  I've never gotten PortTracker working
> as it says it segfault in the log.
>

Does syslog have a message saying "unable to create graph: no such file or
directory"?  That's what is happening for me on the Oct 3 snapshot of
OpenBSD 5.6.  I figured it was operator malfunction :)

Stan



Re: nfsen on 5.5

2014-10-10 Thread Steven Surdock
> -Original Message-
> From: Stan Gammons [mailto:sg063...@gmail.com]
> 
> On Oct 10, 2014 12:48 PM, "Steven Surdock" 
> wrote:
> >
> > > -Original Message-
> > > From: Josh Grosse [mailto:j...@jggimi.homeip.net]
> > >
> > > On Fri, Oct 10, 2014 at 04:52:18PM +, Steven Surdock wrote:
> > > > Anybody successfully using nfsen?
> > > >
> > > > It was working on 5.4 (except for the portTracker plugin) and now
> > > > under 5.5 the rrd's are not being updated.  I uninstalled and
> > > > re-initialized and still no luck.
> > > >
> > > > -Steve S.
> > > >
> > > I've been using it since before 5.5, and it works fine for me.  Two
> > > considerations:
> > >
> > > If your webserver is chrooted, rrdtool must be included in the chroot,
> > > per /usr/local/share/doc/pkg-readmes/rrdtool-*. The rrdtool-chroot
> > > script makes this easy.
> > >
> > > Your pflow(4) device must use a version of netflow protocol compatible
> > > with nfcapd, which are versions 1,5,7, and 9.  The pflow driver
> > > supports protocol versions 5 and 10.  Use 5, which is the default.
> >
> > Not chrooted.  Flow records are being updated and stored correctly. The
> > RRD and associated PNGs aren't being updated.  I can still use the rrd
> > generated images to look at flows.  I've never gotten PortTracker working
> > as it says it segfault in the log.
> >
> Does syslog have a message saying "unable to create graph: no such file or
> directory?  That's what is happening for me on the Oct 3 snapshot of
> OpenBSD 5.6  I figured it was operator malfunction :)

I have only one source (OBSD 5.5).  'messages' shows only information shortly 
after starting nfsen.  I can't gracefully stop nfsen as it just hangs when I 
try to do so.

/var/log/daemon:
Oct 10 15:00:12 builder02 nfcapd[27716]: Ident: 'wall' Flows: 1966, Packets: 14157, Bytes: 8823380, Sequence Errors: 0, Bad Packets: 0
Oct 10 15:00:12 builder02 nfcapd[27716]: Total ignored packets: 0
Oct 10 15:05:11 builder02 nfcapd[27716]: Ident: 'wall' Flows: 2540, Packets: 6518, Bytes: 1422175, Sequence Errors: 0, Bad Packets: 0
Oct 10 15:05:11 builder02 nfcapd[27716]: Total ignored packets: 0

/var/log/messages:
Oct 10 11:19:57 builder02 nfsen[20794]: Behind schedule
Oct 10 11:19:57 builder02 nfsen[20794]: expected exit of child Comm Server[1931]. Process died.
Oct 10 11:20:10 builder02 nfsen[8882]: Error reading channel stat information. Missing key 'first'



Re: [BULK] Re: nfsen on 5.5

2014-10-10 Thread Steven Surdock
> -Original Message-
> From: Josh Grosse [mailto:j...@jggimi.homeip.net]
> 
> On Fri, Oct 10, 2014 at 05:46:40PM +, Steven Surdock wrote:
> 
> > Not chrooted.  Flow records are being updated and stored correctly.
> > The RRD and associated PNGs aren't being updated.  I can still use the
> > rrd generated images to look at flows.  I've never gotten PortTracker
> > working as it says it segfault in the log.
> 
> I've never used PortTracker, as I do not have sufficient capacity on the
> nfsen collector.  It is described as experimental, also.
> 
> I am running a very simple configuration, collecting flows from two
> firewalls.  The webserver is chrooted nginx, so my database is inside
> /var/www with a symbolic link in /var/db, as directed by the nfsen pkg-
> readme.
> 
> Here's my nfsen.conf, with comments removed
> 
> 
> $BASEDIR = "/usr/local";
> $BINDIR="${BASEDIR}/bin";
> $LIBEXECDIR="${BASEDIR}/libdata/perl5/site_perl/NfSen";
> $CONFDIR="/etc";
> $HTMLDIR= "/var/www/htdocs/nfsen";
> $DOCDIR="${BASEDIR}/share/doc/nfsen";
> $VARDIR="/var/db/nfsen";
> $PROFILESTATDIR="${VARDIR}/profiles-stat";
> $PROFILEDATADIR="${VARDIR}/profiles-data";
> $BACKEND_PLUGINDIR="${BASEDIR}/lib/nfsen/plugins";
> $FRONTEND_PLUGINDIR="${HTMLDIR}/plugins";
> $PREFIX  = '/usr/local/bin';
> $USER= "_nfcapd";
> $WWWUSER  = "www";
> $WWWGROUP = "www";
> $BUFFLEN = 20;
> $SUBDIRLAYOUT = 1;
> $ZIPcollected  = 1;
> $ZIPprofiles   = 1;
> $PROFILERS = 2;
> $DISKLIMIT = 98;
> $PROFILERS = 6;
> %sources = (
> 
> );
> $low_water = 90;
> $syslog_facility = 'local3';
> @plugins = (
> );
> %PluginConf = (
>   demoplugin => {
>   param2 => 42,
>   param1 => { 'key' => 'value' },
>   },
>   otherplugin => [
>   'mary had a little lamb'
>   ],
> );
> $MAIL_FROM   = 'nf...@jggimi.homeip.net';
> $SMTP_SERVER = 'localhost';
> $MAIL_BODY = q{
> Alert '@alert@' triggered at timeslot @timeslot@ }; 1;

Mine is nearly identical...

$BASEDIR = "/usr/local";
$BINDIR="${BASEDIR}/bin";
$LIBEXECDIR="${BASEDIR}/libdata/perl5/site_perl/NfSen";
$CONFDIR="/etc";
$HTMLDIR= "/var/www/htdocs/nfsen";
$DOCDIR="${BASEDIR}/share/doc/nfsen";
$VARDIR="/var/db/nfsen";
$PROFILESTATDIR="${VARDIR}/profiles-stat";
$PROFILEDATADIR="${VARDIR}/profiles-data";
$BACKEND_PLUGINDIR="${BASEDIR}/lib/nfsen/plugins";
$FRONTEND_PLUGINDIR="${HTMLDIR}/plugins";
$PREFIX  = '/usr/local/bin';
$USER= "_nfcapd";
$WWWUSER  = "www";
$WWWGROUP = "www";
$BUFFLEN = 20;
$SUBDIRLAYOUT = 1;
$ZIPcollected= 1;
$ZIPprofiles = 1;
$PROFILERS = 2;
$DISKLIMIT = 95;
$PROFILERS = 6;
%sources = (
);
$low_water = 90;
$syslog_facility = 'local3';
@plugins = (
);
%PluginConf = (
);
$MAIL_FROM   = 'ssud...@engineered-net.com';
$SMTP_SERVER = 'localhost';
$MAIL_BODY   = q{
Alert '@alert@' triggered at timeslot @timeslot@
};
1;



Re: NAT logging and limits using pf

2014-10-10 Thread Stuart Henderson
On 2014-10-08, Henning Brauer  wrote:
> * Stuart Henderson  [2014-10-05 22:49]:
>> Normal PF logging isn't particularly well-suited to CGNAT-type requirements,
>> in order to record both the internal address and the nat mapping you need
>> to log both the inbound and outbound packets and piece it together from the
>> two separate log entries.
>
> nope, pflog has both the original and the rewritten address(es).
>

Oh, it's hidden behind -v in tcpdump, that makes it simpler
(my other comments about using port ranges if possible may still
be useful though, if you aren't *required* to keep such detailed
packet logs).



Re: nfsen on 5.5

2014-10-10 Thread Stuart Henderson
On 2014-10-10, Josh Grosse  wrote:
>
> If your webserver is chrooted, rrdtool must be included in the chroot, per
> /usr/local/share/doc/pkg-readmes/rrdtool-*. The rrdtool-chroot script
> makes this easy.

It seems (from future posts in the thread) that this isn't the case
here, but I'd just like to get it in the archives - after updating
OS/packages to a newer version, you must also re-run this script to
update rrdtool and support files in the chroot.



Re: Connection drop (i.e. IRC) caused by pf/pfsync/carp/...?

2014-10-10 Thread Stuart Henderson
On 2014-10-09, Nicolas Christener  wrote:
> Besides those steps we also disabled one of the boxes by stopping ospf
> and removing the carp interfaces - however, the disconnects didn't go
> away. 

I was going to suggest that you might have asymmetric routing causing
"split states" i.e. one firewall seeing inbound packets, one seeing
outbound, in which case "ifconfig pfsync0 defer" might help, but
(assuming you weren't just seeing issues from connections which
had been setup before disabling one firewall) the above test would
seem to rule that out ..

What does the output of "sysctl kern.netlivelocks net.inet.ip.ifq"
look like?



Re: Connection drop (i.e. IRC) caused by pf/pfsync/carp/...?

2014-10-10 Thread Stuart Henderson
oops, missed your sysctl -a output (I wasn't expecting to see it,
well done ;-)

net.inet.ip.ifq.drops=140720

You would probably benefit from increasing net.inet.ip.ifq.maxlen,
maybe double it once or twice and see if net.inet.ip.ifq.drops stops
increasing.
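
The check suggested above (raise net.inet.ip.ifq.maxlen, then see whether net.inet.ip.ifq.drops stops increasing) can be scripted by comparing two sysctl snapshots. This is an added example, not part of the original post; the function names are hypothetical and the sample values in the comments are constructed, except the drops figure quoted in the thread.

```shell
#!/bin/sh
# Added example: compare two snapshots of
#   sysctl kern.netlivelocks net.inet.ip.ifq
# taken some time apart and say whether the IP input queue is still dropping.
# Function names are hypothetical; only sysctl(8) itself is assumed.

# sysctl_get KEY: read "key=value" sysctl text on stdin, print KEY's value.
# Exits non-zero when the key is absent so callers can detect bad input.
sysctl_get() {
    awk -F= -v k="$1" '$1 == k { print $2; ok = 1 } END { exit !ok }'
}

# counter_delta KEY BEFORE AFTER: growth of a counter between two snapshots.
# Prints "reset" when the counter went backwards (e.g. reboot in between).
counter_delta() {
    a=$(printf '%s\n' "$2" | sysctl_get "$1") || return 2
    b=$(printf '%s\n' "$3" | sysctl_get "$1") || return 2
    [ "$b" -ge "$a" ] || { echo reset; return 0; }
    echo $((b - a))
}

# ifq_report BEFORE AFTER: two-line report plus a suggested next step.
ifq_report() {
    drops=$(counter_delta net.inet.ip.ifq.drops "$1" "$2") || return 2
    locks=$(counter_delta kern.netlivelocks "$1" "$2") || return 2
    maxlen=$(printf '%s\n' "$2" | sysctl_get net.inet.ip.ifq.maxlen) || return 2
    echo "delta net.inet.ip.ifq.drops=$drops kern.netlivelocks=$locks"
    case "$drops" in
        reset) echo "counters went backwards; take a fresh pair of samples" ;;
        0)     echo "drops not increasing at maxlen=$maxlen" ;;
        *)     echo "drops still increasing: try sysctl net.inet.ip.ifq.maxlen=$((maxlen * 2))" ;;
    esac
}

# Live use on the firewall: ./ifq-check live [seconds]
if [ "${1:-}" = "live" ]; then
    before=$(sysctl kern.netlivelocks net.inet.ip.ifq)
    sleep "${2:-60}"
    after=$(sysctl kern.netlivelocks net.inet.ip.ifq)
    ifq_report "$before" "$after"
fi
```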



Re: rc.conf issue on upgrade from 5.5 to 5.6

2014-10-10 Thread Stuart Henderson
On 2014-10-09, Jason Tubnor  wrote:
> Hi,
>
> I was just testing upgrades prior to the 5.6 release and noticed items
> in the rc.conf.local were being ignored.  A bit of digging, I noticed,
> rc.subr had some changes and more importantly there were quite a few
> changes to rc.conf.
>
> Cutting to the chase, replacing rc.conf from the upgraded 5.5 machine
> with the 5.6_BASE fixed the issue and items were being picked up in
> the rc.conf.local again.
>
> Just thought I would point it out as rc.conf isn't replaced when using
> the upgrade feature in the 5.6 release.
>
> Cheers,
>
> Jason.
>
>

Yep. You *have* to run sysmerge for this upgrade or you will have broken rc 
scripts.



Re: Route-to with a dynamic 'next hop'

2014-10-10 Thread Stuart Henderson
On 2014-10-09, Justin Mayes  wrote:
> Ok I got it working. Here is what I did
>
> Enabled multipath routing (sysctl)
> Added the relayd anchor to pf.conf
> Created a relayd.conf with this in it
>
> gw1="fxp0"
> gw2="fxp1"
>
> table  { $gw1 ip ttl 1, $gw2 ip ttl 1 } 
> router "uplinks" { 
>   route 0.0.0.0/0 
>   forward to  check icmp
> }

Your relayd test here just pings your own interface's local IP addresses.
For example if fxp0's address is 10.0.0.2, it is pinging 10.0.0.2.
"ifconfig fxp0 down" will cause it to be detected, but it won't even
notice you pulling out the cable. Also I don't believe it will track
your dynamic address.

One thing you could do in your situation is to use a route-to for the
connection where you have a static address, and use a "probability"
PF rule to load balance, allowing other traffic to hit the normal
default route.

Another thing you could do is to use multiple route tables, and
similarly use pf rules to direct traffic to use one table or another.

For failover you can have some external checker (maybe run from ifstated,
or maybe a simple shell script run from cron) that adjusts the PF ruleset
as appropriate. You could either switch the whole ruleset out by pointing
pfctl -f to a different file, or put the relevant route-to pieces in
an anchor.
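
A sketch of the external checker described above, run from cron and swapping the contents of an anchor. This is an added example, not part of the original post: the anchor name, the ruleset files, the probe targets and the one-routing-table-per-uplink layout are all assumptions.

```shell
#!/bin/sh
# Added example: cron-driven uplink check that reloads a PF anchor.
# Hypothetical names: the "uplinks" anchor, RULEDIR and its files
# (both.conf, gw1.conf, gw2.conf), the state file and the probe targets.

ANCHOR="${ANCHOR:-uplinks}"
RULEDIR="${RULEDIR:-/etc/pf.uplinks}"
STATE="${STATE:-/var/run/uplink-check.state}"   # name of last ruleset loaded

# probe RTABLE TARGET: does a host beyond the uplink answer?
# Pinging the interface's own address only shows the interface is
# configured, so the target must be something upstream of the link.
# Assumes each uplink has its own routing table (ping -V rtable).
probe() {
    ping -q -c 3 -w 2 -V "$1" "$2" >/dev/null 2>&1
}

# pick_ruleset GW1 GW2: map probe results (0 = reachable) to a ruleset name.
pick_ruleset() {
    case "$1,$2" in
        0,0) echo both ;;
        0,*) echo gw1 ;;
        *,0) echo gw2 ;;
        *)   echo none ;;
    esac
}

# load_anchor NAME: replace only the anchor's rules; the main ruleset
# and existing states are left alone.
load_anchor() {
    pfctl -a "$ANCHOR" -f "$RULEDIR/$1.conf"
}

# check_once RT1 TARGET1 RT2 TARGET2: probe both uplinks and reload the
# anchor only when the result changed, so cron runs do not churn PF.
# With both uplinks down the last ruleset is kept. Prints the active name.
check_once() {
    if probe "$1" "$2"; then r1=0; else r1=1; fi
    if probe "$3" "$4"; then r2=0; else r2=1; fi
    want=$(pick_ruleset "$r1" "$r2")
    have=$(cat "$STATE" 2>/dev/null || true)
    if [ "$want" = none ] || [ "$want" = "$have" ]; then
        echo "${have:-unknown}"
        return 0
    fi
    load_anchor "$want" || return 1
    echo "$want" > "$STATE"
    echo "$want"
}

# crontab entry (constructed values: rtable/target pairs):
#   * * * * * /usr/local/sbin/uplink-check 1 192.0.2.1 2 198.51.100.1
if [ "$#" -eq 4 ]; then
    check_once "$@"
fi
```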



Re: Firewall: Where is the bottleneck?

2014-10-10 Thread Stuart Henderson
On 2014-10-09, Andy  wrote:
> NB; This is the old syntax for queues and I strongly recommend reading 
> the 3rd edition of "The book of PF" (A must read for *anyone* new or old 
> to OpenBSD and PF) :) and using the new syntax

N.B. the "oldqueue" syntax goes away in 5.6, if you are writing a new
config you definitely should use the new stuff..



Re: rc.conf issue on upgrade from 5.5 to 5.6

2014-10-10 Thread Alan McKay
On Fri, Oct 10, 2014 at 5:35 PM, Stuart Henderson  wrote:
> Yep. You *have* to run sysmerge for this upgrade or you will have broken rc 
> scripts.

Note to self ...

-- 
"Don't eat anything you've ever seen advertised on TV"
 - Michael Pollan, author of "In Defense of Food"



Re: rc.conf issue on upgrade from 5.5 to 5.6

2014-10-10 Thread Bernte
On 10/10/14 22:35, Stuart Henderson wrote:
> Yep. You *have* to run sysmerge for this upgrade or you will have broken rc 
> scripts.

Just wondering: now that sysmerge seems to be the main supported method for
upgrading the etc directories, are there any plans to have it
automagically run at the end of the upgrade script? At least optionally?
This would simplify the 'upgrade guide' instructions, which is always
welcome.

Bernd



Re: [BULK] Re: nfsen on 5.5

2014-10-10 Thread Stan Gammons
On Oct 10, 2014 2:16 PM, "Steven Surdock" 
wrote:
>
> > -Original Message-
> > From: Josh Grosse [mailto:j...@jggimi.homeip.net]
> >
> > On Fri, Oct 10, 2014 at 05:46:40PM +, Steven Surdock wrote:
> >
> > > Not chrooted.  Flow records are being updated and stored correctly.
> > > The RRD and associated PNGs aren't being updated.  I can still use the
> > > rrd generated images to look at flows.  I've never gotten PortTracker
> > > working as it says it segfault in the log.
> >
> > I've never used PortTracker, as I do not have sufficient capacity on the
> > nfsen collector.  It is described as experimental, also.
> >
> > I am running a very simple configuration, collecting flows from two
> > firewalls.  The webserver is chrooted nginx, so my database is inside
> > /var/www with a symbolic link in /var/db, as directed by the nfsen pkg-
> > readme.
> >
> > Here's my nfsen.conf, with comments removed
> >
> >
> > $BASEDIR = "/usr/local";
> > $BINDIR="${BASEDIR}/bin";
> > $LIBEXECDIR="${BASEDIR}/libdata/perl5/site_perl/NfSen";
> > $CONFDIR="/etc";
> > $HTMLDIR= "/var/www/htdocs/nfsen";
> > $DOCDIR="${BASEDIR}/share/doc/nfsen";
> > $VARDIR="/var/db/nfsen";
> > $PROFILESTATDIR="${VARDIR}/profiles-stat";
> > $PROFILEDATADIR="${VARDIR}/profiles-data";
> > $BACKEND_PLUGINDIR="${BASEDIR}/lib/nfsen/plugins";
> > $FRONTEND_PLUGINDIR="${HTMLDIR}/plugins";
> > $PREFIX  = '/usr/local/bin';
> > $USER= "_nfcapd";
> > $WWWUSER  = "www";
> > $WWWGROUP = "www";
> > $BUFFLEN = 20;
> > $SUBDIRLAYOUT = 1;
> > $ZIPcollected  = 1;
> > $ZIPprofiles   = 1;
> > $PROFILERS = 2;
> > $DISKLIMIT = 98;
> > $PROFILERS = 6;
> > %sources = (
> >
> > );
> > $low_water = 90;
> > $syslog_facility = 'local3';
> > @plugins = (
> > );
> > %PluginConf = (
> >   demoplugin => {
> >   param2 => 42,
> >   param1 => { 'key' => 'value' },
> >   },
> >   otherplugin => [
> >   'mary had a little lamb'
> >   ],
> > );
> > $MAIL_FROM   = 'nf...@jggimi.homeip.net';
> > $SMTP_SERVER = 'localhost';
> > $MAIL_BODY = q{
> > Alert '@alert@' triggered at timeslot @timeslot@ }; 1;
>
> Mine is nearly identical...
>
> $BASEDIR = "/usr/local";
> $BINDIR="${BASEDIR}/bin";
> $LIBEXECDIR="${BASEDIR}/libdata/perl5/site_perl/NfSen";
> $CONFDIR="/etc";
> $HTMLDIR= "/var/www/htdocs/nfsen";
> $DOCDIR="${BASEDIR}/share/doc/nfsen";
> $VARDIR="/var/db/nfsen";
> $PROFILESTATDIR="${VARDIR}/profiles-stat";
> $PROFILEDATADIR="${VARDIR}/profiles-data";
> $BACKEND_PLUGINDIR="${BASEDIR}/lib/nfsen/plugins";
> $FRONTEND_PLUGINDIR="${HTMLDIR}/plugins";
> $PREFIX  = '/usr/local/bin';
> $USER= "_nfcapd";
> $WWWUSER  = "www";
> $WWWGROUP = "www";
> $BUFFLEN = 20;
> $SUBDIRLAYOUT = 1;
> $ZIPcollected= 1;
> $ZIPprofiles = 1;
> $PROFILERS = 2;
> $DISKLIMIT = 95;
> $PROFILERS = 6;
> %sources = (
> );
> $low_water = 90;
> $syslog_facility = 'local3';
> @plugins = (
> );
> %PluginConf = (
> );
> $MAIL_FROM   = 'ssud...@engineered-net.com';
> $SMTP_SERVER = 'localhost';
> $MAIL_BODY   = q{
> Alert '@alert@' triggered at timeslot @timeslot@
> };
> 1;
>

I see you don't have anything in %sources (   );   My /etc/nfsen.conf has
the default entries.  Maybe that's part of my problem.

Stan



Re: [BULK] Re: nfsen on 5.5

2014-10-10 Thread Steven Surdock
> -Original Message-
> From: Stan Gammons [mailto:sg063...@gmail.com]
> 
...
> > %sources = (
> > );
> > $low_water = 90;
> > $syslog_facility = 'local3';
> > @plugins = (
> > );
> > %PluginConf = (
> > );
> > $MAIL_FROM   = 'ssud...@engineered-net.com';
> > $SMTP_SERVER = 'localhost';
> > $MAIL_BODY       = q{
> > Alert '@alert@' triggered at timeslot @timeslot@
> > };
> > 1;
> >
> I see you don't have anything in %sources (   );   My /etc/nfsen.conf has
> the default entries.  Maybe that's part of my problem.

That was bad grepping on my part.  "wall" is my firewall from which I am 
exporting flows...

%sources = (
'wall'=> { 'port' => '9995', 'col' => '#ff', 'type' => 'netflow' },
#'upstream1'=> { 'port' => '9995', 'col' => '#ff', 'type' => 'netflow' },
#'peer1'=> { 'port' => '9996', 'IP' => '172.16.17.18' },
#'peer2'=> { 'port' => '9996', 'IP' => '172.16.17.19' },
);



Re: combination of ssh port fowarding and pf redirection

2014-10-10 Thread stan
On Thu, Oct 09, 2014 at 07:27:37AM -0300, Giancarlo Razzolini wrote:
> On 08-10-2014 18:25, stan wrote:
> > Anyone have any suggestions as to how to make this work?
> Did you try the suggestion I gave you off list, of making two ssh
> connections? Also, you could provide more details of your setup? Both
> your e-mails trying to explain it, were confusing. I think I understood
> what you want, but I'm not sure.
> 
> Cheers
> 
> 
Thought I replied to this one, but I do not see it.

First, sorry I missed your offline reply, the account this is tied to gets a
lot of spam.

In any case, I wrote this up to try to clarify the issue.


I am having trouble establishing a ssh tunnel to an OpenBSD 5.5 machine. Here 
is the command I am running on the remote machine:

ssh -v -v -v -g -f -L 6030:phfw1:5432 stan@phfw1 -N

The target OpenBSD machine is in the DNS and resolves correctly as phfw1

Here is the /etc/ssh/sshd_config file from the OpenBSD machine:


#   $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile  .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
GatewayPorts yes
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
UseLogin no
UsePrivilegeSeparation sandbox  # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
PermitTunnel yes
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem   sftp    /usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   PermitTTY no
#   ForceCommand cvs server


When I run the command I get the following output


Script started on Thu 09 Oct 2014 01:58:55 PM EDT
stan@plabws1:~$ ./tst2
OpenSSH_5.9p1 Debian-5ubuntu1.4, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /home/stan/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to phfw1 [10.209.142.152] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/stan/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /home/stan/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/stan/.ssh/id_rsa-cert type -1
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/stan/.ssh/id_dsa" as a RSA1 public key
debug1: identity file /home/stan/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: identity file /home/stan/.ssh/id_dsa-c

Re: nfsen on 5.5

2014-10-10 Thread Steven Surdock
> -Original Message-
> From: Stan Gammons [mailto:sg063...@gmail.com]
> 
> On Oct 10, 2014 12:48 PM, "Steven Surdock" 
> wrote:
> >
> > > -Original Message-
> > > From: Josh Grosse [mailto:j...@jggimi.homeip.net]
> > >
> > > On Fri, Oct 10, 2014 at 04:52:18PM +, Steven Surdock wrote:
> > > > Anybody successfully using nfsen?
> > > >
> > > > It was working on 5.4 (except for the portTracker plugin) and now
> > > > under 5.5 the rrd's are not being updated.  I uninstalled and
> > > > re-initialized and still no luck.
> > > >
> > > > -Steve S.
> > > >
> > > I've been using it since before 5.5, and it works fine for me.  Two
> > > considerations:
> > >
> > > If your webserver is chrooted, rrdtool must be included in the chroot,
> > > per /usr/local/share/doc/pkg-readmes/rrdtool-*. The rrdtool-chroot
> > > script makes this easy.
> > >
> > > Your pflow(4) device must use a version of netflow protocol compatible
> > > with nfcapd, which are versions 1,5,7, and 9.  The pflow driver
> > > supports protocol versions 5 and 10.  Use 5, which is the default.
> >
> > Not chrooted.  Flow records are being updated and stored correctly. The
> > RRD and associated PNGs aren't being updated.  I can still use the rrd
> > generated images to look at flows.  I've never gotten PortTracker working
> > as it says it segfault in the log.
> >
> Does syslog have a message saying "unable to create graph: no such file or
> directory?  That's what is happening for me on the Oct 3 snapshot of
> OpenBSD 5.6  I figured it was operator malfunction :)

I may have pooched myself.  I upgraded from a -stable build system that I use 
and it appears that that system is a little lost.  In comparing -stable ports I 
noticed it was running php-5.4.32. Since the latest php for 5.5 is 5.4.30 I 
suspect my build system got out of sync.  I re-installed 5.5 release on my 
system with 5.5 release packages and nfsen seems to be working.  Thanks for the 
insight and guidance.



Re: nfsen on 5.5

2014-10-10 Thread Stan Gammons

On 10/10/14 20:12, Steven Surdock wrote:

> > -Original Message-
> > From: Stan Gammons [mailto:sg063...@gmail.com]
> >
> > On Oct 10, 2014 12:48 PM, "Steven Surdock"
> > wrote:
> > >
> > > > -Original Message-
> > > > From: Josh Grosse [mailto:j...@jggimi.homeip.net]
> > > >
> > > > On Fri, Oct 10, 2014 at 04:52:18PM +, Steven Surdock wrote:
> > > > > Anybody successfully using nfsen?
> > > > >
> > > > > It was working on 5.4 (except for the portTracker plugin) and now
> > > > > under 5.5 the rrd's are not being updated.  I uninstalled and
> > > > > re-initialized and still no luck.
> > > > >
> > > > > -Steve S.
> > > > >
> > > > I've been using it since before 5.5, and it works fine for me.  Two
> > > > considerations:
> > > >
> > > > If your webserver is chrooted, rrdtool must be included in the chroot,
> > > > per /usr/local/share/doc/pkg-readmes/rrdtool-*. The rrdtool-chroot
> > > > script makes this easy.
> > > >
> > > > Your pflow(4) device must use a version of netflow protocol compatible
> > > > with nfcapd, which are versions 1,5,7, and 9.  The pflow driver
> > > > supports protocol versions 5 and 10.  Use 5, which is the default.
> > >
> > > Not chrooted.  Flow records are being updated and stored correctly. The
> > > RRD and associated PNGs aren't being updated.  I can still use the rrd
> > > generated images to look at flows.  I've never gotten PortTracker working
> > > as it says it segfault in the log.
> > >
> > Does syslog have a message saying "unable to create graph: no such file or
> > directory?  That's what is happening for me on the Oct 3 snapshot of
> > OpenBSD 5.6  I figured it was operator malfunction :)
>
> I may have pooched myself.  I upgraded from a -stable build system that I use
> and it appears that that system is a little lost.  In comparing -stable ports I
> noticed it was running php-5.4.32. Since the latest php for 5.5 is 5.4.30 I
> suspect my build system got out of sync.  I re-installed 5.5 release on my
> system with 5.5 release packages and nfsen seems to be working.  Thanks for the
> insight and guidance.


Glad you got it going.

I got rid of the unable to create graph messages, but I still have a 
couple of problems I haven't figured out. One being getting php to work 
with nginx?  Does one need to use php-fpm?



Stan



Re: nfsen on 5.5

2014-10-10 Thread Steven Surdock
> -Original Message-
> From: Stan Gammons [mailto:sg063...@gmail.com]
> 
... 
> Glad you got it going.
> 
> I got rid of the unable to create graph messages, but I still have a
> couple of problems I haven't figured out. One being getting php to work
> with nginx?  Does one need to use php-fpm?

I am still using the native Apache/httpd.  It is my understanding that you do 
need to use php-fpm with nginx.



CVS confusion

2014-10-10 Thread Steven Surdock
I'm trying to follow -stable ports, but CVSWEB appears inconsistent.

If I look at ports/lang/php/5.4 for OPENBSD_5_5 
(http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/lang/php/5.4/?only_with_tag=OPENBSD_5_5)
 it shows the following:

Makefile   1.16.2.1   4 months   jasper   security   update to php-5.4.28 ok 
sthen@

If I look at the Makefile 
(http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/lang/php/5.4/Makefile?only_with_tag=OPENBSD_5_5)
 it shows a Revision of 1.16.2.3 and the last note says "security update to 
5.4.30; ok jasper@".

If I look at Rev. 1.16.2.1 (from the first page above), it shows version 5.4.28

If I grab a copy via CVS, I get 5.4.32.
$ cvs -qd anon...@anoncvs.ca.openbsd.org:/cvs get -rOPENBSD_5_5 -P 
ports/lang/php/5.4

Which is the "correct" php 5.4 for OpenBSD 5.5-stable?

-Steve S.



Re: rc.conf issue on upgrade from 5.5 to 5.6

2014-10-10 Thread Theo de Raadt
> On 10/10/14 22:35, Stuart Henderson wrote:
> > Yep. You *have* to run sysmerge for this upgrade or you will have broken rc 
> > scripts.
> 
> Just wondering: now that sysmerge seems to be the main supported method for
> upgrading the etc directories, are there any plans to have it
> automagically run at the end of the upgrade script? At least optionally?
> This would simplify the 'upgrade guide' instructions, which is always
> welcome.

Well, kind of. Few parts to this:

- We probably will not return to the "run it in chroot" model we tried before
- It would be nice if there were no questions for the most obvious transitions
- Maybe split it into parts, so that some parts can be run (silently?) at the
  tail of the upgrade script, without needing chroot because it uses nothing
  fancy?

A few developers need to talk at a future hackathon and hash this out.



Re: CVS confusion

2014-10-10 Thread Otto Moerbeek
On Sat, Oct 11, 2014 at 02:08:12AM +, Steven Surdock wrote:

> I'm trying to follow -stable ports, but CVSWEB appears inconsistent.
> 
> If I look at ports/lang/php/5.4 for OPENBSD_5_5 
> (http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/lang/php/5.4/?only_with_tag=OPENBSD_5_5)
>  it shows the following:
> 
> Makefile   1.16.2.1   4 months   jasper   security   update to php-5.4.28 ok 
> sthen@
> 
> If look at the Makefile 
> (http://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/lang/php/5.4/Makefile?only_with_tag=OPENBSD_5_5)
>  it shows a Revision of 1.16.2.3 and the last note says "security update to 
> 5.4.30; ok jasper@).
> 
> If I look at Rev. 1.16.2.1 (from the first page above), it shows version 
> 5.4.28
> 
> If I grab a copy via CVS, I get 5.4.32.
> $ cvs -qd anon...@anoncvs.ca.openbsd.org:/cvs get -rOPENBSD_5_5 -P 
> ports/lang/php/5.4
> 
> Which is the "correct" php 5.4 for OpenBSD 5.5-stable?
> 
> -Steve S.

Looks like a bug in cvsweb. Makefile 1.16.2.3 is the newest revision in the
OPENBSD_5_5 branch. You can see that if you click Makefile in the page
displayed by your first url.

-Otto