netflow + carp + nat problem
hello,

I use OpenBSD 5.5 as a firewall gateway. I also use nfsen/nfdump as the netflow collector/analyzer. pf.conf enables netflow for every pf rule (set state-defaults pflow).

On the netflow collector host, when I analyse traffic using nfdump, some packets are missing. But on the firewall, tcpdump shows there is traffic for these missing packets. The missing packets are using a carp interface and are natted. The IP used for the nat is an alias, not the main IP address of the carp interface.

Do you know if there is a problem with netflow + carp alias + nat?

-- 
Jean-Yves Boisiaud - Alcor Consulting
24, rue de la Glycine 49250 Saint Remy la Varenne
+33 6 63 71 73 46
Re: No closing quote
Jason Adams wrote:
> On 11/09/2014 02:30 PM, h410g3n wrote:
>> I encountered the same problem. You must have just upgraded from 5.5 and forgot to run sysmerge, right? :D
>>
>> Jason Adams wrote:
>>> Every time /etc/netstart runs I get a "no closing quote" message. Hate to obsess about trivialities but wondering if I've messed something up. All interfaces seem to work just fine.
>
> Did upgrade. Did NOT forget to run sysmerge. That's the google answer, but it's not the REAL answer. It appeared here before the edit/update of my /etc/rc.conf.local files
Re: iked without psk
On 6 November 2014 10:19, Peter J. Philipp p...@centroid.eu wrote:
> Hi,
>
> Since my upgrade on saturday to 5.6 my iked stopped working with psk. I've disabled it by now but the config was something of the order of:
>
> ikev2 active esp from 192.168.179.1 to 192.168.179.10 psk icutwithanulu!
> ikev2 active esp from 192.168.179.10 to 192.168.179.1 psk icutwithanulu!
>
> And this had worked before 5.6. It even worked when I upgraded the first firewall and the other firewall was still 5.5. But with two firewalls on 5.6 it stopped working.
>
> I'm looking for pointers on how to make rsa keys work. I followed the manpage of ikectl but the IPSEC doesn't establish itself and I get:
>
> Nov 6 10:17:36 venus iked[15811]: ca_getreq: no valid local certificate found
>
> Any hints would be appreciated.
>
> -peter

hi,

psk is now fixed in current. there are two other ways to authenticate hosts: rsa pubkeys (a recent addition - works the same way as in isakmpd) and x.509 certificates. both these options do not require any special config options (it's "rsa" actually, but that's the default) and will be hooked up on startup.

the procedure to set up x.509 certificates is described in ikectl(8) and i would strongly suggest using this tool.

regarding rsa keys: i have just committed a man page update taken from isakmpd(8) but essentially it's just a

hostA# scp /etc/iked/local.pub root@hostB:/etc/iked/pubkeys/ipv4/host.A.IP.Addr
hostB# scp /etc/iked/local.pub root@hostA:/etc/iked/pubkeys/ipv4/host.B.IP.Addr

and off you go. the important part is to keep your srcids and dstids sane, for instance if you're installing pubkeys under /ipv4/ you should use IPv4 IDs in the iked.conf.

hope this helps and please try with -current iked again.
USB ports not working on a mid-2012 MacBookAir5,1
Hi,

Now that xhci is enabled in -current I gave the snapshots a try again on my 11" mid-2012 MacBook Air. The system has USB3 ports but it seems that these are not detected so it is left without any working ports.

snippets from dmesg
http://imgur.com/9b1xZA9
http://imgur.com/OKzAfGe

dmesg
http://imgur.com/fugXWyT
http://imgur.com/934GJhS
http://imgur.com/M4P3xkO

The usb devices section from the OS X system_profiler was attached as well.

Sevan / Venture37
Question about /etc/mail post 5.6 upgrade
Hello, I recently upgraded from 5.5 to 5.6. I was surprised to see that the various apparently sendmail-specific files in /etc/mail are not in the ‘Files to delete and move’ list in upgrade56.html, now that sendmail is no longer in base. I suspect that either there are other reasons to keep the contents of this directory as-is post 5.6 upgrade, or I missed a step in the upgrade guide. I’m new to OpenBSD, so clue sticks are welcome. - Eric
Re: Question about /etc/mail post 5.6 upgrade
On 11/8/2014 10:43 PM, Eric Lalonde wrote:
> I recently upgraded from 5.5 to 5.6. I was surprised to see that the various apparently sendmail-specific files in /etc/mail are not in the ‘Files to delete and move’ list in upgrade56.html, now that sendmail is no longer in base. I suspect that either there are other reasons to keep the contents of this directory as-is post 5.6 upgrade, or I missed a step in the upgrade guide. I’m new to OpenBSD, so clue sticks are welcome.

These changes came after 5.6 was RTM, and are reflected in -current as of 15 September or so. See http://www.openbsd.org/faq/current.html.
Re: USB ports not working on a mid-2012 MacBookAir5,1
Hello Sevan,

On 10/11/14(Mon) 15:45, Sevan / Venture37 wrote:
> Now that xhci is enabled in -current I gave the snapshots a try again on my 11" mid-2012 MacBook Air. The system has USB3 ports but it seems that these are not detected so it is left without any working ports.
>
> snippets from dmesg
> http://imgur.com/9b1xZA9
> http://imgur.com/OKzAfGe
>
> dmesg
> http://imgur.com/fugXWyT
> http://imgur.com/934GJhS
> http://imgur.com/M4P3xkO

Could you please post the dmesg inline in text next time? Having to search thru 6 pictures in a browser is not something I'm a fan of :)

xhci(4) is not yet enabled in the RAMDISK* kernels, because I'd prefer to squash some more bugs with people really tracking -current 8) Either you have to install -current or come back in a few weeks, it'll be there.

Martin
Re: Sun/Cassini Quad Gigabit Card Not Detected
> I've made progress. OpenBSD now recognizes the four cas NIC's and detects active/no carrier, but won't pass any traffic. I suspect that it's because the mac addr (lladdr) is all zero's

Doubt it is all zero. I suspect you will find that they have been changed by the kernel to somewhat random values. Which means, different each time.
Re: Sun/Cassini Quad Gigabit Card Not Detected
Here's why I think that they're zero. Should I look somewhere else?

# ifconfig cas
cas0: flags=28863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
        lladdr 00:00:00:00:00:00
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 172.16.103.1 netmask 0x broadcast 172.16.255.255
cas1: flags=28822<BROADCAST,NOTRAILERS,SIMPLEX,MULTICAST,NOINET6> mtu 1500
        lladdr 00:00:00:00:00:00
        priority: 0
        media: Ethernet autoselect (none)
        status: no carrier
cas2: flags=28822<BROADCAST,NOTRAILERS,SIMPLEX,MULTICAST,NOINET6> mtu 1500
        lladdr 00:00:00:00:00:00
        priority: 0
        media: Ethernet autoselect (none)
        status: no carrier
cas3: flags=28822<BROADCAST,NOTRAILERS,SIMPLEX,MULTICAST,NOINET6> mtu 1500
        lladdr 00:00:00:00:00:00
        priority: 0
        media: Ethernet autoselect (none)
        status: no carrier

On Mon, Nov 10, 2014 at 11:10:32AM -0700, Theo de Raadt wrote:
>> I've made progress. OpenBSD now recognizes the four cas NIC's and detects active/no carrier, but won't pass any traffic. I suspect that it's because the mac addr (lladdr) is all zero's
>
> Doubt it is all zero. I suspect you will find that they have been changed by the kernel to somewhat random values. Which means, different each time.

--
Re: question about hosts.equiv and ssh
On Fri, Nov 07, 2014 at 09:14:05PM -0500, System Administrator wrote:
> In OpenBSD 5.6, the prototype and man-page for hosts.equiv(5) have disappeared. However, this file is still referenced in sshd_config(5) and (if I'm searching the sources correctly) in /usr/src/usr.bin/ssh auth-rhosts.c which is included in the sshd/Makefile. Is the removal accidental or an indication that its use is deprecated? If the latter, what is the [new] recommended best practice for HostBasedAuthentication within a cluster of trusted servers? Thanks in advance.
>
> hi!
>
> back in april i asked about the refs to this file in the ssh docs. damien miller told me hosts.equiv is still relevant to host-based logins using key authentication, and that the reference should definitely stay. and the removal of hosts.equiv(5) was not accidental.
>
> i couldn't comment on best practices, but i believe the docs are correct. it could be that ssh(1) etc. need to explain a bit more about how hosts.equiv works, but i'm not sure.

The openssh sub-tree is a bit special. openssh also runs on other systems, obviously. Sometimes openssh has support for a feature, but use of that feature has been deprecated in OpenBSD. In that case, the openssh manual pages need to continue talking about the feature, since it is still relevant on other systems.
Re: Sun/Cassini Quad Gigabit Card Not Detected
# arp -a
firewall-x.usedmoviefinder.com (172.16.103.1) at 00:00:00:00:00:00 on cas0 static

# netstat -in
Name   Mtu   Network     Address              Ipkts Ierrs    Opkts Oerrs Colls
lo0    32768 <Link>                               0     0        0     0     0
lo0    32768 ::1/128     ::1                      0     0        0     0     0
lo0    32768 fe80::%lo0/ fe80::1%lo0              0     0        0     0     0
lo0    32768 127/8       127.0.0.1                0     0        0     0     0
bge0   1500  <Link>      00:0c:76:4e:5d:6e   104457     0     1546     0     0
bge0   1500  172.16/16   172.16.157.192      104457     0     1546     0     0
cas0   1500  <Link>      00:00:00:00:00:00   106705     0      148     0     0
cas0   1500  172.16/16   172.16.103.1        106705     0      148     0     0
cas1*  1500  <Link>      00:00:00:00:00:00        0     0        0     0     0
cas2*  1500  <Link>      00:00:00:00:00:00        0     0        0     0     0
cas3*  1500  <Link>      00:00:00:00:00:00        0     0        0     0     0
enc0*  0     <Link>                               0     0        0     0     0
pflog0 33192 <Link>                               0     0     2566     0     0

On Mon, Nov 10, 2014 at 11:16:00AM -0700, Theo de Raadt wrote:
> Yes, but look in arp -a and also in netstat -in
Re: netflow + carp + nat problem
jean-yves boisiaud jean-yves.boisi...@alcor-consulting.fr writes:
> I also use nfsen/nfdump as the netflow collector/analyzer. pf.conf enables netflow for every pf rule (set state-defaults pflow).

One of the more common mistakes in configs using set state-defaults is to assume that the default will append itself to rules where you add other state options (such as state tracking). If you have rules with specific state options, check that you have the pflow option in there too.

It's by no means certain that this is your problem, rather something to check and if needed eliminate.

- Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
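A small check for the mistake Peter describes, added here as an example (it is not from the thread or from pf itself): it scans a constructed pf.conf for rules whose own state option list overrides "set state-defaults pflow" without putting pflow back. The sample rules and the rules_missing_pflow function are mine; the check assumes one rule per line.

```shell
#!/bin/sh
# Added example (not from the thread): list the pf.conf rules whose own state
# option list overrides "set state-defaults pflow" without adding pflow back.
# Rules that mention no state options at all still get the default, so they
# are not reported. Assumes single-line rules (no backslash continuations).

# Constructed sample pf.conf for demonstration; not from the original post.
SAMPLE_PF_CONF='set state-defaults pflow
pass in on carp0 proto tcp to port 22 keep state (max-src-conn 50)
pass out on em0 nat-to (carp0:0)
pass in on em1 proto tcp to port 80 modulate state (pflow, max-src-conn 100)
pass in on em1 proto udp to port 53 synproxy state (max 1000)
'

# rules_missing_pflow TEXT: print "<line>: <rule>" for every rule that carries
# an explicit "keep|modulate|synproxy state ( ... )" list lacking pflow
rules_missing_pflow() {
	printf '%s' "$1" | awk '
		/^[ \t]*#/ { next }                       # skip comments
		/(keep|modulate|synproxy) state[ \t]*\(/ {
			opts = $0
			sub(/.*state[ \t]*\(/, "", opts)      # keep only the option list
			sub(/\).*/, "", opts)
			if (opts !~ /(^|,)[ \t]*pflow[ \t]*(,|$)/)
				print NR ": " $0
		}'
}

# Run against the sample; for a live box use: rules_missing_pflow "$(cat /etc/pf.conf)"
rules_missing_pflow "$SAMPLE_PF_CONF"
```

Lines 2 and 5 of the sample are reported; line 3 has no state options of its own and keeps the default, and line 4 lists pflow explicitly.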
Re: Static routing question
Hi

This is a part of the output containing the static routes related to bnx0 and bnx1. I was trying to make a static route for the 189.92.72.11 pointing to bnx1 but without success, is it possible? Below the routes is the output of ifconfig for these interfaces. I'm gonna try a bridge also.

Thank all of you for the responses.

Regards
Dante F. B. Colò

default          189.92.72.9        UGS     5746 674637542     -     8 bnx0
189.92.72.8/29   link#5             UC         3         0     -     4 bnx0
189.92.72.9      f4:0f:1b:20:4b:20  UHLc       1         0     -     4 bnx0
189.92.72.10     00:10:18:9d:31:84  UHLc       0        42     -     4 lo0
189.92.72.11     link#5             UHLc       0         1     -     4 bnx0
204.31.112/24    link#2             C          0         0     -     4 bge1
204.31.112.24/29 link#2             C          1         0     -     4 bge1
204.31.112.26    00:25:64:3c:de:76  UHLc       0        34     -     4 lo0
224/4            127.0.0.1          URS        0         0 33200     8 lo0

bnx1: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
        lladdr 00:10:18:9d:31:86
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 189.92.72.11 netmask 0xfff8 broadcast 189.92.72.15
bnx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1400
        lladdr 00:10:18:9d:31:84
        priority: 0
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet6 fe80::210:18ff:fe9d:3184%bnx0 prefixlen 64 scopeid 0x5
        inet 189.92.72.10 netmask 0xfff8 broadcast 189.92.72.15

On 11/7/14 4:18 AM, rjc wrote:
> On Thu, Nov 06, 2014 at 04:12:20PM EST, Dante F. B. Colò wrote:
>> Hello everyone
>
> Hi Dante,
>
>> I'm trying to setup some static routes on a openbsd 4.9 box for some public addresses, the machine has two ethernet cards bnx0 and bnx1, bnx0 is attached to a Cisco internet router and bnx1 is connected to a switch, both interfaces have public addresses of the same range, bnx1 appears to have absolutely no communication, i took a look at the static routes and there is a route for the subnet that goes to bnx0, i'm trying to add a static route for the ip address pointing to bnx1 without passing a gateway using the -iface parameter but it always returns "Network unreachable", can someone help me or give some tips to fix this? For many here this is probably a nooby question, we also have some firewall Linux boxes that i'm gonna migrate to openbsd but first i have to solve this.
>
> First and foremost, if you ask any questions regarding networking, you should include the content of:
>
> /etc/hostname.bnx{0,1}
> /etc/mygate # if it exists and you're not using DHCP
>
> Please also include the output of:
>
> route show
>
> and any commands exactly as you enter them.
>
> That would be a good place to start - BTW, this information should have been included in the first email.
>
> Regards,
>
> rjc
>
> P.S. 4.9? Isn't it time to upgrade? ;^)
Re: Static routing question
As I said before. _This_ _Is_ _Not_ _Possible_. Period.

On 2014 Nov 10 (Mon) at 17:30:50 -0200 (-0200), Dante F. B. Colò wrote:
:Hi
:
:This is a part of the output containing the static routes related to
:bnx0 and bnx1, i was trying to make a static route for the
:189.92.72.11 pointing to bnx1 but without success, is it possible ?

No. You CANNOT do that.

:bnx1: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
:        lladdr 00:10:18:9d:31:86
:        priority: 0
:        media: Ethernet autoselect (1000baseT full-duplex)
:        status: active
:        inet 189.92.72.11 netmask 0xfff8 broadcast 189.92.72.15
:
:bnx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1400
:        lladdr 00:10:18:9d:31:84
:        priority: 0
:        groups: egress
:        media: Ethernet autoselect (1000baseT full-duplex)
:        status: active
:        inet6 fe80::210:18ff:fe9d:3184%bnx0 prefixlen 64 scopeid 0x5
:        inet 189.92.72.10 netmask 0xfff8 broadcast 189.92.72.15
:

-- 
You have acquired a scroll entitled 'irk gleknow mizk'(n).--More--
This is an IBM Manual scroll.--More--
You are permanently confused.
                -- Dave Decot
symon: mbuf() failed (508)
Hi,

After the upgrade to the recent snapshot I got many

    symon: mbuf() failed (508)

in /var/log/messages.

# cat /etc/symon.conf
monitor { cpu(0), cpu(1), cpu(2), cpu(3), mem, if(vlan41), if(vlan81), pf, mbuf,
          sensor(cpu0.temp0), sensor(nvt0.temp1), sensor(nvt0.temp2), sensor(nvt0.fan0), sensor(nvt0.fan1), sensor(softraid0.drive0),
          io(sd0), io(sd1), io(sd2),
          df(sd2a), df(sd2d), df(sd2e), df(sd2f), df(sd0d), df(sd0e), df(sd0f) } stream to 127.0.0.1 2100

# dmesg
OpenBSD 5.6-current (GENERIC.MP) #547: Mon Nov 10 08:50:13 MST 2014
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
[...]
Re: USB ports not working on a mid-2012 MacBookAir5,1
Just to follow up, I apologised to Martin off list regarding the dmesg photos. The reason for the photos was that this laptop only has 2 USB ports and a thunderbolt port as expansion, but unfortunately the USB ports are not working, hence resorting to photos.

Then I remembered that my previous attempt at successfully installing OpenBSD on here involved a thunderbolt cinema display; the gigabit ethernet port on the display was detected as bge(4) and functioned. I no longer have access to a cinema display but do have a thunderbolt gigabit ethernet adapter which I hadn't tried yet. Worked a treat, I was able to boot the laptop from a USB flash drive and perform a network install via the bge(4) interface.

The thunderbolt adapter is only detected if it's attached prior to booting the kernel, I guess this is because it crosses over several areas and is not seen as a detachable device? If you do disconnect it after booting, the system hard locks, needing a power cycle.

Sleep/resume works except in X where on resume the trackpad goes crazy.

USB wise, I have a verbatim usb 2 flash drive which works fine, my other flash drives do not (kernel reports: xhci0: NULL xfer pointer, uhub0: device problem, disabling port 1). The urtwn(4) interface is detected but doesn't appear to work.

OpenBSD 5.6-current (GENERIC.MP) #547: Mon Nov 10 08:50:13 MST 2014
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
Re: netflow + carp + nat problem
On Mon, Nov 10, 2014 at 2:36 AM, jean-yves boisiaud jean-yves.boisi...@alcor-consulting.fr wrote:
> I use OpenBSD 5.5 as a firewall gateway. I also use nfsen/nfdump as the netflow collector/analyzer. pf.conf enables netflow for every pf rule (set state-defaults pflow).
>
> On the netflow collector host, when I analyse traffic using nfdump, some packets are missing. But on the firewall, tcpdump shows there is traffic for these missing packets. The missing packets are using a carp interface and are natted. The IP used for the nat is an alias, not the main IP address of the carp interface.
>
> Do you know if there a problem with netflow + carp alias + nat ?

Are you using pflowproto 10 by any chance? When doing this with 5.5 and nfdump-1.6.10 I noticed many "Sequence Errors" in nfcapd's logs and had to revert to pflowproto 5 to have accurate traffic accounting (I have not yet checked to see if this issue is present in 5.6 and nfdump-1.6.12).
munin plugin to watch pf queues
Hi all

I came up with a munin plugin to monitor pf queues, so here it is, in case anyone cares. I'm a pretty shitty scripter, so suggestions and comments are mostly welcome, either by mail or on https://gist.github.com/zeloff/60ec3b546fcab6e1c8cf

Cheers
Zé

--

#!/bin/sh
# POD documentation
: <<=cut
=head1 NAME

pf_queue_ - Munin plugin to monitor OpenBSD's pf queues.

=head1 APPLICABLE SYSTEMS

OpenBSD 5.5 and newer

=head1 CONFIGURATION

  [pf_queue*]
  user root

Use the .env settings to override the defaults.

=head1 USAGE

Can be used to present different graphs. Use ln -s for that name in the
plugins directory to enable the graph.

  pf_queue_bytes   - traffic in each queue, in bytes
  pf_queue_packets - traffic in each queue, in packets
  pf_queue_qlength - queued packets, per queue

=head1 AUTHOR

Ze Loff

=head1 LICENSE

BSD

=cut

# The posted script tests $conf in "autoconf" but never sets it, so autoconf
# always answered "no"; assume it is meant to be the pf.conf path.
conf=${conf:-/etc/pf.conf}

# queue names, and the names of queues that are parents of other queues
queues() {
	pfctl -vs queue | awk '/^queue/ { print $2 }'
}
parents() {
	pfctl -vs queue | awk '/^queue/ { for (i = 1; i <= NF; i++) if ($i == "parent") print $(i+1) }' | sort -u
}

# parent queues only aggregate their children, so keep them off the graph
hide_parents() {
	for pq in `parents`; do
		echo "$pq.graph no"
		echo "dropped_$pq.graph no"
	done
}

# one passed (+) / dropped (-) COUNTER pair per queue, for bytes and packets
counter_fields() {
	for q in `queues`; do
		echo "dropped_$q.label $q"
		echo "dropped_$q.type COUNTER"
		echo "dropped_$q.graph no"
		echo "$q.label $q"
		echo "$q.type COUNTER"
		echo "$q.negative dropped_$q"
	done
	hide_parents
}

if test "$1" = "autoconf"; then
	if test ! -f "$conf"; then
		echo "no ($conf does not exist)"
		exit 1
	fi
	if [ "$(uname -s)" = "OpenBSD" ]; then
		echo yes
		exit 0
	fi
	echo "no (not OpenBSD)"
	exit 1
fi

if test "$1" = "suggest"; then
	echo bytes
	echo packets
	echo qlength
	exit 0
fi

# get the graph type from the symlink name (pf_queue_bytes, pf_queue_packets, pf_queue_qlength)
id=`echo "$0" | sed -e 's/^.*pf_queue_//'`
if test "$id"x = x; then
	id=bytes
fi

if test "$1" = "config"; then
	case $id in
	bytes)
		echo "graph_title pf queue traffic in bytes"
		echo "graph_args --base 1024 -l 0"
		echo 'graph_vlabel bytes passed (+) and dropped (-) per ${graph_period}'
		echo "graph_category pf"
		counter_fields
		echo "graph_info Traffic passed and dropped per queue, in bytes"
		;;
	packets)
		echo "graph_title pf queue traffic in packets"
		echo "graph_args --base 1000 -l 0"
		echo 'graph_vlabel packets passed (+) and dropped (-) per ${graph_period}'
		echo "graph_category pf"
		counter_fields
		echo "graph_info Traffic passed and dropped in each queue, in packets"
		;;
	qlength)
		echo "graph_title pf queue size"
		echo "graph_args --base 1000 -l 0"
		echo "graph_vlabel packets in queue"
		echo "graph_category pf"
		for q in `queues`; do
			echo "$q.label $q"
			echo "$q.type GAUGE"
		done
		hide_parents
		echo "graph_info Packets waiting in each queue"
		;;
	esac
	exit 0
fi

# fetch: each "queue ..." line is followed by
#   [ pkts: N  bytes: N  dropped pkts: N bytes: N ]
#   [ qlength: queued/ limit ]
# (NR > 2) skips the statistics of the first queue listed
case $id in
bytes)
	pfctl -vs queue | awk '/^queue/ { q = $2 }
		/pkts/ && (NR > 2) { print q ".value " $5 "\ndropped_" q ".value " $10 }'
	;;
packets)
	pfctl -vs queue | awk '/^queue/ { q = $2 }
		/pkts/ && (NR > 2) { print q ".value " $3 "\ndropped_" q ".value " $8 }'
	;;
qlength)
	# field 3 is "queued/" (or "queued/limit" when both are wide); keep the number
	pfctl -vs queue | awk '/^queue/ { q = $2 }
		/qlength/ && (NR > 2) { sub(/\/.*/, "", $3); print q ".value " $3 }'
	;;
esac
Re: Firewall: Where is the bottleneck?
Hi Hrvoje,

netstat -i shows nothing special.

Name   Mtu   Network     Address            Ipkts Ierrs    Opkts Oerrs Colls
lo0    33152 <Link>                         91235     0    91235     0     0
lo0    33152 localhost/1 localhost          91235     0    91235     0     0
lo0    33152 fe80::%lo0/ fe80::1%lo0        91235     0    91235     0     0
lo0    33152 localhost   localhost          91235     0    91235     0     0
em0    1500  <Link>      00:25:90:a6:08:52  16371757334772 297519394073     0     0
em0    1500  megagw06a.o megagw06a.ohb-sys  16371757334772 297519394073     0     0
em0    1500  fe80::%em0/ fe80::225:90ff:fe  16371757334772 297519394073     0     0
em1    1500  <Link>      00:25:90:a6:08:53  297512809627   489 163342615216     0     0
em1    1500  10.242.13/2 10.242.13.1        297512809627   489 163342615216     0     0
em1    1500  fe80::%em1/ fe80::225:90ff:fe  297512809627   489 163342615216     0     0
em2*   1500  <Link>      00:25:90:a6:08:54      0     0        0     0     0
em3*   1500  <Link>      00:25:90:a6:08:55      0     0        0     0     0
enc0*  0     <Link>                             0     0        0     0     0
pflog0 33152 <Link>                             0     0 146527095     0     0

I will try to have a maintenance window for the upgrade.

Thanks for the help,
Patrick

On 04.11.2014 at 23:22, Hrvoje Popovski hrv...@srce.hr wrote:
> out of curiosity, could you post netstat -i
>
> if you can, why don't you upgrade bios and install openbsd 5.6
Re: Turning off Nvidia GPU card in Optimus configuration
On Sun, Nov 09, 2014 at 11:01:32AM +0100, Lampshade wrote:
> Hi
>
> I was trying half a year ago to use OpenBSD 5.5, but the system heated my laptop. I have Intel and Nvidia GPUs in the laptop. I can not disable the Nvidia GPU via BIOS. The laptop always exposes and enables two GPUs by default. OpenBSD does not disable the Nvidia GPU, so it heated the laptop. I have tried OpenBSD 5.6 and it still heats my laptop. On Linux the Nvidia GPU is disabled automatically.
>
> I wanted to find how to disable my card manually, I used the acpi_call Linux module (on Linux of course). In my laptop the script turn_off_gpu.sh disables the GPU when I strip the methods variable to:
>
> methods="\_SB.PCI0.PEG0.PEGP._OFF"
>
> and enables it when:
>
> methods="\_SB.PCI0.PEG0.PEGP._ON"
>
> Is there any way in OpenBSD to send the first (disabling) command to the hardware? It is the only reason I don't use OpenBSD. Maybe somebody can write a few lines of code and I will compile the kernel for myself?
>
> References:
> http://linux-hybrid-graphics.blogspot.com/2010/07/u ??? ch-onoff.html
> https://github.com/mkottman/acpi_call

The right way to handle this IMO isn't to provide a generic way to evaluate arbitrary AML methods. That way lies madness. A better solution is to create an actual driver for nvidia0 or whatever and have that driver do nothing except disable the hardware by evaluating the method referenced above and likely also putting the device in D3 from the PCI side. Your diff to implement said functionality is certainly welcome.
Re: httpd slowcgi notes
Hi All,

With httpd as of 5.6 I do not understand how to make a cgi script work, e.g. just bgplg, installed by default at address /cgi-bin/bgplg

==httpd.conf==
prefork 2

server "local" {
    listen on egress port 80
}

server "local-fastcgi" {
    listen on egress port 80
    fastcgi
}
==EOF==

/etc/rc.d/httpd start
/etc/rc.d/slowcgi -f start

Resulting in "Not Found /cgi-bin/bgplg", whereas the httpd server normally serves the other html files of the htdocs directory, except /bgplg.

Could you help me with the miss here?

Regards
J.F.
Re: nsd_flags
Hi,

David Dahlberg wrote on Fri, Nov 07, 2014 at 08:11:50AM +:
> On Thursday, 06.11.2014, 21:24 +0100, Maurice Janssen wrote:
> > I suppose the comment in rc.conf should be:
> >
> >     for normal use: ""
> >
> > Just like most other services. Is that correct?

It doesn't really matter, IMHO. Both are OK.

Maybe all the "for normal use" comments should be removed, because, well, by definition, the default flags are the flags for normal use. But I'm not going to spend time on pushing that right now.

> A look into rc.subr:
>
> | eval _rcflags=\${${_name}_flags}
> [..]
> | [ -n "${_rcflags}" ] && daemon_flags="${_rcflags}"
>
> Seems that you are correct. Default flags are used when the script is not configured in rc.conf.local (i.e. started by distribution default, script started with -f or package script), or when flags="".

Yes.

> So how do you define a service to start without any flags set? Seems up to 5.5 you would have to set ${daemon}_flags=" ". But does this still work with the parsed rc.conf.local from 5.6?

Yes.

> | _val=${_l##*([!=])=*([[:blank:]])}
> | _val=${_val%%#*}
> | _val=${_val%%*([[:blank:]])}
> | # remove leading and trailing quotes (backwards compat)
> | [[ $_val == @(\"*\"|\'*\') ]] && _val=${_val#?} && _val=${_val%?}
>
> Looks like _val is being trimmed. So should still work as backwards compat.

Yes, the comment about "backwards compat" is slightly misleading, "needed to preserve trailing blanks" might be nearer the mark.

> For me the question is, whether there is a use case for starting a rc.d script (which has defined default flags) without any flags. identd(8) starts with -e by default, and you might wish to start it without any flags, for example. If so, the line
>
>     [ -n "${_rcflags}" ] && daemon_flags="${_rcflags}"
>
> should probably be changed to just
>
>     daemon_flags="${_rcflags}"

No, that would result in *never* running with default flags, not even when _rcflags == "". The line is correct as it stands.

Note:

  $ [ -n " " ]; echo $?
  0
  $ [ -n "" ]; echo $?
  1

Yours,
  Ingo
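A small added sh model of the two rc.subr fragments quoted in this thread, showing why identd_flags=" " turns the default -e off while identd_flags="" keeps it. This is example code, not OpenBSD's rc.subr; parse_rcconf_value and resolve_daemon_flags are hypothetical helper names, and sed stands in for the ksh-only patterns the real script uses.

```shell
# Added example: approximates how rc.subr(8) in OpenBSD 5.6 turns one line of
# rc.conf.local into daemon_flags. Helper names are hypothetical; sed replaces
# the ksh-only patterns (*([!=]) etc.) used by the real rc.subr.

# Extract the value from a "name=value  # comment" line the way rc.subr does:
# drop "name=" and leading blanks, drop comments, drop trailing blanks, then
# remove one pair of surrounding quotes (this last step is what preserves the
# single blank in  identd_flags=" " ).
parse_rcconf_value() {
    _val=${1#*=}
    _val=$(printf '%s' "$_val" |
        sed 's/^[[:blank:]]*//; s/#.*$//; s/[[:blank:]]*$//')
    case "$_val" in
        \"*\"|\'*\') _val=${_val#?}; _val=${_val%?} ;;
    esac
    printf '%s' "$_val"
}

# $1: the script's built-in default flags, $2: the parsed rc.conf.local value
# ("" when the variable is absent or set to "").  Mirrors the rc.subr line
#   [ -n "${_rcflags}" ] && daemon_flags="${_rcflags}"
resolve_daemon_flags() {
    daemon_flags=$1
    _rcflags=$2
    [ -n "${_rcflags}" ] && daemon_flags="${_rcflags}"
    printf '%s' "$daemon_flags"
}

# Constructed rc.conf.local lines for identd(8), whose default flags are "-e":
# "" keeps -e, " " runs identd with no flags at all, "-e -l" overrides.
for line in 'identd_flags=""' 'identd_flags=" "  # run without -e' \
            'identd_flags="-e -l"'; do
    flags=$(resolve_daemon_flags -e "$(parse_rcconf_value "$line")")
    printf '%-40s -> identd [%s]\n' "$line" "$flags"
done
```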
Re: iked without psk
On Mon, Nov 10, 2014 at 02:06:33PM +0100, Mike Belopuhov wrote:
> hi,
>
> psk is now fixed in current.
>
> there are two other ways to authenticate hosts: rsa pubkeys (a recent addition - works the same way as in isakmpd) and x.509 certificates. both these options do not require any special config options (it's rsa actually, but that's the default) and will be hooked up on startup.
>
> the procedure to set up x.509 certificates is described in ikectl(8) and i would strongly suggest using this tool.
>
> regarding rsa keys: i have just committed a man page update taken from isakmpd(8) but essentially it's just an
>
>   hostA# scp /etc/iked/local.pub root@hostB:/etc/iked/pubkeys/ipv4/host.A.IP.Addr
>   hostB# scp /etc/iked/local.pub root@hostA:/etc/iked/pubkeys/ipv4/host.B.IP.Addr
>
> and off you go. the important part is to keep your srcids and dstids sane, for instance if you're installing pubkeys under /ipv4/ you should use IPv4 IDs in the iked.conf.
>
> hope this helps and please try with -current iked again.

Hi,

I downloaded and installed -current's iked this morning and installed the local.pub files; I'm happy to report:

Nov 11 08:37:51 venus iked[5335]: sa_state: VALID -> ESTABLISHED from 192.168.179.10:500 to 192.168.179.1:500 policy 'policy1'

Thank you very very much MikeB! And thank you to the other fellow in this thread too! I'm a very happy camper, and aes encrypted again!

-peter