pf, bridge and vether: interface with no group

2016-02-15 Thread Clemens Goessnitzer
Hello misc,

I noticed a strange behaviour with pf, when having three interfaces
connected with a bridge(4) device, where two are assigned to the group
wlan and one to no group at all. I have two WLAN interfaces, athn0 and
athn1, and three wired interfaces, re0 to re2. (re2 is not used ATM.)

re0 is connected to my ISP router, re1 to a switch to provide NAT and
DHCP for my LAN. However, if re1 is not assigned to any group, DHCP
requests will be blocked by pf, and those from athnN will pass.

Here is the output of ifconfig (with re1 being in the "test" group, so
that DHCP is working for my client):

$ ifconfig
lo0: flags=8049 mtu 32768
priority: 0
groups: lo
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff00
re0: flags=8843 mtu 1500
lladdr 00:0d:b9:3f:e2:e4
priority: 0
groups: external egress
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active
inet 192.168.0.10 netmask 0xff00 broadcast 192.168.0.255
re1: flags=8b43
mtu 1500
lladdr 00:0d:b9:3f:e2:e5
priority: 0
groups: test
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active
re2: flags=8802 mtu 1500
lladdr 00:0d:b9:3f:e2:e6
priority: 0
media: Ethernet autoselect (10baseT half-duplex)
status: no carrier
athn0: flags=8943 mtu 1500
lladdr 04:f0:21:17:36:e4
priority: 4
groups: wlan
media: IEEE802.11 autoselect (autoselect mode 11a hostap)
status: active
ieee80211: nwid obsd50 chan 44 bssid 04:f0:21:17:36:e4 wpakey
 wpaprotos wpa1,wpa2 wpaakms psk wpaciphers tkip,ccmp
wpagroupcipher tkip
athn1: flags=8943 mtu 1500
lladdr 04:f0:21:17:40:76
priority: 4
groups: wlan
media: IEEE802.11 autoselect (autoselect mode 11g hostap)
status: active
ieee80211: nwid obsd24 chan 1 bssid 04:f0:21:17:40:76 wpakey
 wpaprotos wpa1,wpa2 wpaakms psk wpaciphers tkip,ccmp
wpagroupcipher tkip
enc0: flags=0<>
priority: 0
groups: enc
status: active
vether0: flags=8943 mtu 1500
lladdr fe:e1:ba:d0:fa:76
priority: 0
groups: vether internal
media: Ethernet autoselect
status: active
inet 10.0.0.1 netmask 0xff00 broadcast 10.0.0.255
bridge0: flags=41
groups: bridge
priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto
rstp
re1 flags=3
port 2 ifpriority 0 ifcost 0
athn0 flags=3
port 4 ifpriority 0 ifcost 0
athn1 flags=3
port 5 ifp
vether0 flags=3
port 8 ifpriority 0 ifcost 0
pflog0: flags=141 mtu 33144
priority: 0
groups: pflog

In the hostname.athnN files, there is:

# cat /etc/hostname.athn0
media autoselect mode 11a mediaopt hostap
chan CHAN
nwid NWID
wpakey WPAKEY
up

My pf rules file:

# cat /etc/pf.conf
#   $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

### some macros ###
client_out = "{ ssh, domain, imap, imaps, auth, nntp, http, https,
cvspserver, submission }"
udp_services = "{ ssh, domain, ntp, bootps, bootpc }"
icmp_types = "{ echoreq, echorep, unreach }"

### clean network traffic ###
set skip on lo
match in scrub (no-df max-mss 1440)
antispoof quick for { external, internal }

### bruteforce table ###
table  persist
block drop quick from 

### icmp rules ###
pass quick log (all) inet proto icmp all icmp-type $icmp_types

### block all by default ###
block drop log
block return log (all) from internal:network

### high priority for dns requests ###
match out proto { tcp, udp } to port domain set prio (6, 7)

### rules for firewall ###
# allow dns requests
pass quick on external inet proto { tcp, udp } from self to port domain
pass quick inet proto { tcp, udp } to port domain

# allow incoming ssh connections with bruteforce protection
pass quick log inet proto { tcp, udp } to 192.168.0.10 port ssh keep
state \
  (max-src-conn 15, max-src-conn-rate 3/15, overload  flush
global)

### rules for internal network ###
pass inet proto { tcp, udp } from internal:network to port $udp_services
pass inet proto udp from internal:network to port 33433:33626
pass inet proto tcp from internal:network to port $client_out

### nat from internal network ###
match out on external inet from internal:network to any nat-to (external:0)


So, if I specify a group for 

Re: question about fprintf()

2016-02-15 Thread Todd C. Miller
On Mon, 15 Feb 2016 21:08:20 +0300, Alexei Malinin wrote:

> But can fprintf() set errno to EINTR if a program has no signal handlers
> (i. e. there are default handlers for all signals)?
> For example what will happen with fprintf() in a program with default
> signal dispositions if the program's window size changes (SIGWINCH)?

In that case the write(2) system call will be restarted and fprintf(3)
will continue without error.

 - todd



PPPoE / isakmpd race

2016-02-15 Thread Christopher Snell
Hi,

I recently set up a site-to-site IPsec VPN on an OpenBSD firewall/router
that connects to the public Internet via PPPoE.  I've noticed that the VPN
does not come up properly upon system boot because of what appears to be a
race condition between the PPPoE connection and isakmpd start.  I say
"race" but it's really a race that isakmpd always wins.

When isakmpd starts up, I see this in the logs:

Feb 14 23:42:24 sainthelena isakmpd[27969]: udp_create: no matching
listener found
Feb 14 23:42:24 sainthelena isakmpd[27969]: exchange_establish: transport
"udp" for peer "peer-XX.XXX.XX.X" could not be created

If I kill isakmpd and start it again manually, then run 'ipsecctl -f
/etc/ipsec.conf', the VPN comes up and functions correctly.

I am still very new to IPSec and PPPoE under OpenBSD but I suspect that the
failure is happening because the external interface (pppoe0) does not yet
have a PPP session established and has no IP to bind to.

I've tried removing isakmpd_flags from rc.conf.local and starting isakmpd
via a ! command in /etc/hostname.pppoe0 but that didn't seem to work--same
results.   I suspect this is because ifconfig does not block when the PPP
connection is first set up and the isakmpd is executing prematurely.

I'm curious if anybody has any work-arounds or if this is something that
should be formally reported to bugs@.

--
My /etc/ipsec.conf, sanitized:

ike dynamic esp from { 10.50.0.0/24 } to { 10.20.0.0/22 10.40.0.0/24
10.240.0.0/22 10.176.0.0/12 \
   10.239.0.0/22 10.208.0.0/12
10.21.0.0/22 172.24.96.0/22 \
10.30.0.0/20 10.70.0.0/24
10.80.0.0/22 172.20.0.0/22 } \
peer XXX..com \
main auth hmac-sha1 enc aes-256 group modp1024 lifetime 8h \
quick auth hmac-sha1 enc aes-256 group none lifetime 1h \
srcid AA.AAA.AAA dstid XX.XXX.XX.X psk "SECRET_HERE"


--
My /etc/hostname.pppoe0, sanitized:

inet 0.0.0.0 255.255.255.255 NONE \
   pppoedev vlan0 authproto pap \
   authname 'XXX@' authkey 'SECRET_HERE' up
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1

--
My /etc/rc.conf.local:

dhcpd_flags=em1 em2
pf=YES
isakmpd_flags="-K"
ipsec=YES


--
My /etc/isakmpd/isakmpd.conf:
NOTE: I've tried using the interface name here (pppoe0) in lieu of my IP
address.  I've also removed this file entirely.  All variants produce the
same results


[General]
Listen-on=63.226.194.238


--
dmesg:


OpenBSD 5.9 (GENERIC.MP) #1870: Mon Feb  8 17:34:23 MST 2016
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2130640896 (2031MB)
avail mem = 2061930496 (1966MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xe0010 (364 entries)
bios0: vendor Phoenix Technologies LTD version "6.00" date 07/30/2013
bios0: VMware, Inc. VMware Virtual Platform
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP BOOT APIC MCFG SRAT HPET WAET
acpi0: wakeup devices PCI0(S3) USB_(S1) P2P0(S3) S1F0(S3) S2F0(S3) S3F0(S3)
S4F0(S3) S5F0(S3) S6F0(S3) S7F0(S3) S8F0(S3) S9F0(S3) S10F(S3) S11F(S3)
S12F(S3) S13F(S3) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz, 1999.98 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AES,XSAVE,AVX,HV,NXE,LONG,LAHF,PERF,ITSC,SENSOR,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 65MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz, 2000.00 MHz
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AES,XSAVE,AVX,HV,NXE,LONG,LAHF,PERF,ITSC,SENSOR,ARAT
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 2 (application processor)
cpu2: Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz, 1999.98 MHz
cpu2:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AES,XSAVE,AVX,HV,NXE,LONG,LAHF,PERF,ITSC,SENSOR,ARAT
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Xeon(R) CPU E5-2620 0 @ 

Re: Accessing USB with OpenBSD 5.7/amd64

2016-02-15 Thread Neil Hughes

On 13/02/2016 20:11, jla wrote:


Same issue for me. Did you get any answer?


This looks like the same issue I hit a while ago 
() - the dmesg in 
the original post is similar enough that it's probably the same 
motherboard (makes sense...HP vs. Compaq).


About 18 months after my post, when I needed USB access via OpenBSD on 
this box, I just bought a £6 Konig PCI card off Amazon (NEC chipset, as 
suggested).


--
Neil Hughes



Re: Will Softraid RAID1 read from the fastest mirror/-s / supports user-specified device read priority order, nowadays? Takes broken disk out of use?

2016-02-15 Thread Karel Gardas
> ..And therefore you need enterprise disks because they behave "cleanly", as
> when using those only, essentially full softraid QoS is maintained at all
> times.

Interesting! I've understood Nick's excellent email in a completely
reversed sense. I understood it as "use consumer drives which fail
really slowly and with degraded performance which will give you a
chance to notice it at all. With enterprise, your drives may fail too
quickly so there is a danger of a failing drive in an array which is just
rebuilding after another drive failure a few hours ago".



Re: fsck_ffs mystic

2016-02-15 Thread Otto Moerbeek
On Mon, Feb 15, 2016 at 09:16:57AM -0600, Todd wrote:

> Can you boot into bsd.rd and try fdisk?

I guess you mean fsck_ffs?

Also, it's easy to boot into single user mode (-s at the boot prompt),
or drop to single user mode when running multi-user (shutdown now). 

Then you unmount filesystems (if needed) and fsck:

# umount -a
# fsck 

-Otto

> 
> On Mon, Feb 15, 2016 at 8:08 AM, lilit-aibolit 
> wrote:
> 
> > On 02/15/2016 04:03 PM, Josh Grosse wrote:
> >
> >> On 2016-02-15 07:57, lilit-aibolit wrote:
> >>
> >>> Hi list.
> >>> After unclear shutdown I've booted in single user mode
> >>> by typing "boot -s".
> >>> I executed "fsck -fp" and "fsck -fy" few times and got
> >>> no problem, see screenshot here:
> >>>
> >>> http://i.piccy.info/i9/f7bced6083e3f77d29dc832102147bfd/1455540839/795750/999296/image1.jpg
> >>>
> >>> But after reboot with normal login I got next.
> >>> How can I fix errors and why they aren't fixed in single mode?
> >>>
> >>> # fsck_ffs -f /dev/sd0e
> >>> ** /dev/rsd0e (NO WRITE)
> >>>
> >>
> >>
> >> See the words "NO WRITE" in that message?  This happens because you
> >> are attempting to fsck(8) a *mounted* file system.
> >>
> >> Yes, it's true. But I can't unmount /var under normal boot.
> > And then why errors haven't been fixed or even detected in single mode,
> > where partitions are unmounted.



Re: pkg.conf edit on -current #1870

2016-02-15 Thread Raf Czlonka
On Mon, Feb 15, 2016 at 06:17:39PM GMT, Andrew wrote:
> GENERIC.MP #1870 amd64
> 
> FWIW: Last night did a clean (re) install using the toronto.edu mirror.
> 
> boot> boot hd0a:/bsd.rd
> 
> Puffy  loaded up fine -- but no packages.
> 
> I edited my /etc/pkg.conf
> 
> from:
> 
>  ... toronto.edu/pub/OpenBSD/%c/packages/%a/
> 
> to:
> 
>  toronto.edu/pub/OpenBSD/snapshots/packages/%a/
> 
> ---
> 
> Thanks as always to Theo and to all the past and current devs -- have
> a great week ahead !!
> 

Hi Andrew,

You're not the first and, most likely, not the last either ;^)
https://marc.info/?l=openbsd-tech=142554965809503

Read: "this snapshot, or whereabouts, will be the new release".

Regards,

Raf



Re: fsck_ffs mystic

2016-02-15 Thread Chris Cappuccio
lilit-aibolit [lilit-aibo...@mail.ru] wrote:
> Thank you. This is definitely the case then.
> I didn't know that fsck could produce fake errors while running on mounted
> fs.

fsck requires exclusive control of the underlying disk partition. When
the partition is mounted, the kernel shares control. fsck + the kernel
is not yet designed to work properly. In the future we might have some
background fsck support for ffs (if someone works on it!!)



Re: sshfs man page, -o idmap=user

2016-02-15 Thread Daniel Boyd
That was what I figured since it's relatively new.

Unfortunately, because of this, I have been unable to get sshfs working
in any meaningful way.  Regardless of whether I run sshfs as root
or as a regular user (with kern.usermount=1), I can't access any
of the files.  I don't see a way to change the user mapping
or the umask with the fuse limitations you mention.  Perhaps I'm
missing something...?

This is easy for me to say since I have no idea how difficult it would
be to implement, but this feature strikes me as something that would
be highly useful, integrated as a core feature in OpenSSH.  NFS strikes
me as a ripe candidate for the OpenSMTPD/OpenNTPD/OpenHTTPD treatment.
It is complicated, arcane, and requires several open ports.  Integrated
sshfs-like functionality in OpenSSH would seem to me to be a good NFS
replacement.

On Sun, Feb 14, 2016 at 1:40 PM, Stuart Henderson 
wrote:

> On 2016-02-12, Daniel Boyd  wrote:
> > I am having this same issue.  I also tried adding the -d switch
> > to see if that would shed any light.
> >
> > $ sshfs -d -o idmap=user ...
> > command-line line 0: Bad number.
> > remote host has disconnected
> >
> > $ sshfs -d -o idmap=file,uidfile=myuidfile,gidfile=mygidfile ...
> > command-line line 0: Bad number.
> > remote host has disconnected
> >
> > Any ideas?  I'm also running 5.8.
> >
> > Thanks!
> > Daniel
> >
> >
>
> iirc the option-parsing needs something from the OS that OpenBSD probably
> doesn't
> have (FUSE on OpenBSD is still missing some bits).



Re: Will Softraid RAID1 read from the fastest mirror/-s / supports user-specified device read priority order, nowadays? Takes broken disk out of use?

2016-02-15 Thread Tinker

Constantine,

Just basically followup to say that I agree with you.

On 2016-02-15 17:41, Constantine A. Murenin wrote:

On 13 February 2016 at 08:50, Tinker  wrote:

Hi,

1)
http://www.openbsd.org/papers/asiabsdcon2010_softraid/softraid.pdf page 3
"2.2 RAID 1" says that it reads "on a round-robin basis from all active
chunks", i.e. read operations are spread evenly across disks.


Yes, that's still the case today:

..

There are presently no optimisations in-tree, but the softraid policies
are so simple that it's really easy to hack it up to do something else
that you may want.


That is awesome.

Since then did anyone implement selective reading based on experienced
read operation time, or a user-specified device read priority order?


That would make the code less readable!  :-)


That is indeed an excellent reason for not adding an additional feature -
couldn't agree with you more.


Added complexity is (the root of all) 'evil'.

That would allow Softraid RAID1 based on 1 SSD mirror + 1 SSD mirror +
1 HDD mirror, which would give the best combination of IO performance and
data security OpenBSD would offer today.


Not sure what'd be the practical point of such a setup.  Your writes
will still be limited by the slowest component, and IOPS specs are
vastly different between SSDs and HDDs.  (And modern SSDs are no
longer considered nearly as unreliable as they once were.)


Yeah. I'm half-unwillingly starting to agree with that (discussed in 
depth with Nick in the previous email).



2)
Also if there's a read/write failure (or excessive time consumption for a
single operation, say 15 seconds), will Softraid RAID1 learn to take the
broken disk out of use?


A failure in a softraid1 chunk will result in the chunk being taken offline.
(What constitutes a failure is most likely outside of softraid's control.)


My best understanding today is that Nick clarified this in the previous 
post, that is, he clarified that softraid doesn't actually have any IO 
operation timeouts, and IO lag will not lead to softraid plugging out a 
disk - only a disconnect or specific disk failure SMART command from the 
underlying disk will have that effect on softraid (of causing that 
respective physical disk to be automatically disconnected).


..And therefore you need enterprise disks because they behave "cleanly", 
as when using those only, essentially full softraid QoS is maintained at 
all times.


Best regards,
Tinker



Re: question about fprintf()

2016-02-15 Thread Alexei Malinin
On 02/15/16 20:27, Todd C. Miller wrote:
> On Mon, 15 Feb 2016 19:22:59 +0300, Alexei Malinin wrote:
>
>> Please tell me can fprintf() set errno to EINTR?
> Yes, it is possible but see below.
>
>> I have not found assignments such as "errno=EINTR" in libc sources
>> (src/lib/libc/stdio, amd64 OpenBSD-5.6 ) but I'm not sure.
>>
>> fprintf()'s man page does not say anything about errno but POSIX.1 says,
>> "If an output error was encountered, these functions shall return a
>> negative value and set /errno/ to indicate the error."
> If a signal handler is installed without the SA_RESTART flag set,
> the write(2) system call may fail with errno set to EINTR.  The
> fprintf(3) function uses write(2) (deep) under the covers to write
> to a file or terminal.  The signal(3) function always sets the
> SA_RESTART flag unless siginterrupt(3) has been used to make system
> calls interruptible.  If the sigaction(2) system call is used,
> SA_RESTART must be explicitly set in sa_flags.

Thank you for the explanation, Todd.

But can fprintf() set errno to EINTR if a program has no signal handlers
(i. e. there are default handlers for all signals)?
For example what will happen with fprintf() in a program with default
signal dispositions if the program's window size changes (SIGWINCH)?


--
Alexei



pkg.conf edit on -current #1870

2016-02-15 Thread Andrew
GENERIC.MP #1870 amd64

FWIW: Last night did a clean (re) install using the toronto.edu mirror.

boot> boot hd0a:/bsd.rd

Puffy  loaded up fine -- but no packages.

I edited my /etc/pkg.conf

from:

 ... toronto.edu/pub/OpenBSD/%c/packages/%a/

to:

 toronto.edu/pub/OpenBSD/snapshots/packages/%a/

---

Thanks as always to Theo and to all the past and current devs -- have
a great week ahead !!



Re: Will Softraid RAID1 read from the fastest mirror/-s / supports user-specified device read priority order, nowadays? Takes broken disk out of use?

2016-02-15 Thread Tinker

Dear Nick,

On 2016-02-15 05:29, Nick Holland wrote:

On 02/13/16 11:49, Tinker wrote:

Hi,

1)
http://www.openbsd.org/papers/asiabsdcon2010_softraid/softraid.pdf page
3 "2.2 RAID 1" says that it reads "on a round-robin basis from all
active chunks", i.e. read operations are spread evenly across disks.

Since then did anyone implement selective reading based on experienced
read operation time, or a user-specified device read priority order?


That would allow Softraid RAID1 based on 1 SSD mirror + 1 SSD mirror + 1
HDD mirror, which would give the best combination of IO performance and
data security OpenBSD would offer today.


I keep flip-flopping on the merits of this.
At one point, I was with you, thinking, "great idea!  Back an expensive,
fast disk with a cheap disk".

Currently, I'm thinking, "REALLY BAD IDEA".  Here's my logic:

There's no such thing as an "expensive disk" anymore.  A quick look

..

of "fast" storage to make their very few business apps run better.  No
question in their mind, it was worth it.  Now we do much more with our
computers and it costs much less.  The business value of our investment
should be much greater than it was in 1982.

And ignoring hardware, it is.  Companies drop thousands of dollars on
consulting and assistance and think nothing of it.  And in a major
computer project, a couple $1000 disks barely show as a blip on the
budget.  Hey, I'm all about being a cheap bastard whenever possible, but
this just isn't a reasonable place to be cheap, so not somewhere I'd
suggest spending developer resources.


Also ... it's probably a bad idea for functional reasons.  You can't
just assume that "slower" is better than "nothing" -- very often, it's
indistinguishable from "nothing".  In many cases, computer systems that
perform below a certain speed are basically non-functional, as tasks can
pile up on them faster than they can produce results.  Anyone who has
dealt with an overloaded database server, mail server or firewall will
know what I'm saying here -- at a certain load, they go from "running
ok" to "death spiral", and they do it very quickly.

If you /need/ the speed of an SSD, you can justify the cost of a pair of
'em.  If you can't justify the cost, you are really working with a
really unimportant environment, and you can either wait for two cheap
slow disks or skip the RAID entirely.

How fast do you need to get to your porn, anyway?


I technically agree with you -


What led me to think about SSD+HDD was the idea of having on the same 
mountpoint a hybrid-SSD-HDD storage where the "important stuff" would be 
automatically in the SSD and the "less important" on the HDD.


This symmetry would mean that those two data sets could be stored within 
one and the same directory structure, which would be really handy, and 
archiving of unused files would be implicit.


I understand that ZFS is quite good at delivering this. LSI MegaRAID 
cards are good at that as long as the "important stuff" is forever 
<512GB, which is not the case, duh.


This whole idea has a really exotic, unpredictable, ""stinking"" edge to 
it though. Your "slower" is generally as bad as "nothing" allegory 
combined with the market price situation, makes all sense -


So, even if kind of unwillingly, I must agree with your reasoning.



(now ... that being said, part of me would love a tmpfs / disk RAID1,
one that would come up degraded, and the disk would populate the RAM
disk, writes would go to both subsystems, reads would come from the RAM
disk once populated.  I could see this for some applications like CVS
repositories or source directories where things are "read mostly", and
typically smaller than a practical RAM size these days, and as there are
still a few orders of magnitude greater performance in a RAM disk than
an SSD and this will likely remain true for a while, there are SOME
applications where this could be nice)


Wait.. you mean you would like OpenBSD to implement read cache that is 
"100% caching aggressive" rather than the current "buffer cache" which 
has "dynamic caching aggressiveness" - I don't understand how this could 
make sense, can you please clarify?



2)
Also if there's a read/write failure (or excessive time consumption for
a single operation, say 15 seconds), will Softraid RAID1 learn to take
the broken disk out of use?


As far as I am aware, Softraid (like most RAID systems, hw or sw) will
deactivate a drive which reports a failure.  Drives which go super slow
(i.e., always manage to get the data BEFORE the X'th retry at which they
would toss an error) never report an error back, so never deactivate the
drive.

Sound implausible?  Nope.  It Happens.  Frustrating as heck when you
have this happen to you until you figure it out.  In fact, one key
feature of "enterprise" and "RAID" grade disks is that when they hop
off-line and throw an error fast and early, to prevent this problem
(some "NAS" grade disks may do this.  Or they may just see your credit

Re: question about fprintf()

2016-02-15 Thread Todd C. Miller
On Mon, 15 Feb 2016 19:22:59 +0300, Alexei Malinin wrote:

> Please tell me can fprintf() set errno to EINTR?

Yes, it is possible but see below.

> I have not found assignments such as "errno=EINTR" in libc sources
> (src/lib/libc/stdio, amd64 OpenBSD-5.6 ) but I'm not sure.
> 
> fprintf()'s man page does not say anything about errno but POSIX.1 says,
> "If an output error was encountered, these functions shall return a
> negative value and set /errno/ to indicate the error."

If a signal handler is installed without the SA_RESTART flag set,
the write(2) system call may fail with errno set to EINTR.  The
fprintf(3) function uses write(2) (deep) under the covers to write
to a file or terminal.  The signal(3) function always sets the
SA_RESTART flag unless siginterrupt(3) has been used to make system
calls interruptible.  If the sigaction(2) system call is used,
SA_RESTART must be explicitly set in sa_flags.

 - todd



question about fprintf()

2016-02-15 Thread Alexei Malinin
Hello.

Please tell me can fprintf() set errno to EINTR?


I have not found assignments such as "errno=EINTR" in libc sources
(src/lib/libc/stdio, amd64 OpenBSD-5.6 ) but I'm not sure.

fprintf()'s man page does not say anything about errno but POSIX.1 says,
"If an output error was encountered, these functions shall return a
negative value and set /errno/ to indicate the error."


-- 
Alexei Malinin



Re: fsck_ffs mystic

2016-02-15 Thread lilit-aibolit

On 02/15/2016 04:43 PM, Josh Grosse wrote:

On 2016-02-15 09:08, lilit-aibolit wrote:

On 02/15/2016 04:03 PM, Josh Grosse wrote:



See the words "NO WRITE" in that message?  This happens because you
are attempting to fsck(8) a *mounted* file system.


Yes, it's true. But I can't unmount /var under normal boot.
And then why errors haven't been fixed or even detected in single mode,
where partitions are unmounted.


When you are in a normal multi-user boot, daemons are running with
files open in /var, and in particular, /var/run.  The warnings you get
from fsck() relate to all of these open files.

Your filesystem was repaired, and is now working properly.  You are
only seeing these messages because you are running fsck() against a
mounted filesystem with open files.





Thank you. This is definitely the case then.
I didn't know that fsck could produce fake errors while running on 
mounted fs.




Re: fsck_ffs mystic

2016-02-15 Thread Todd
Can you boot into bsd.rd and try fdisk?

On Mon, Feb 15, 2016 at 8:08 AM, lilit-aibolit 
wrote:

> On 02/15/2016 04:03 PM, Josh Grosse wrote:
>
>> On 2016-02-15 07:57, lilit-aibolit wrote:
>>
>>> Hi list.
>>> After unclear shutdown I've booted in single user mode
>>> by typing "boot -s".
>>> I executed "fsck -fp" and "fsck -fy" few times and got
>>> no problem, see screenshot here:
>>>
>>> http://i.piccy.info/i9/f7bced6083e3f77d29dc832102147bfd/1455540839/795750/999296/image1.jpg
>>>
>>> But after reboot with normal login I got next.
>>> How can I fix errors and why they aren't fixed in single mode?
>>>
>>> # fsck_ffs -f /dev/sd0e
>>> ** /dev/rsd0e (NO WRITE)
>>>
>>
>>
>> See the words "NO WRITE" in that message?  This happens because you
>> are attempting to fsck(8) a *mounted* file system.
>>
>> Yes, it's true. But I can't unmount /var under normal boot.
> And then why errors haven't been fixed or even detected in single mode,
> where partitions are unmounted.



Re: Network isolation of process using rdomain rtable

2016-02-15 Thread Lampshade
It seems it is starting to  work.
Server command:
/usr/local/bin/sudo -u user /usr/bin/nc -4 -k -l 172.10.0.2 9191

Commands for programs I would like to intercept/redirect:
#!/bin/sh
/usr/local/bin/sudo /sbin/route -T1 exec /usr/local/bin/sudo \
-u user /usr/bin/nc -4 -n -v 172.10.0.2 9191

random port
#!/bin/sh
/usr/local/bin/sudo /sbin/route -T1 exec /usr/local/bin/sudo \
-u user /usr/bin/nc -4 -n -v 172.10.0.2 9192

random IP and port (this is Google, don't hack)
#!/bin/sh
/usr/local/bin/sudo /sbin/route -T1 exec /usr/local/bin/sudo \
-u user /usr/bin/nc -4 -n -v 212.191.227.88 80


#cat pf.conf:
pass in quick  on pair2 inet proto tcp from pair1 \
rdr-to pair2 port 9191 keep state (floating)
pass in
pass out

#pfctl -sr 
pass in quick on pair2 inet proto tcp from 172.10.0.1 \
to any flags S/SA tag rdr_tor_tcp rdr-to 172.10.0.2 port 9191
pass in all flags S/SA
pass out all flags S/SA


Should I also do nat-to (source nat like in nftables)
or maybe it is not necessary?
Is there any possibility of packet leaks? I mean that this \
pf rules/ruleset will not match some packet and packet \
could go to Internet instead of local socket?
I would like to prevent that. I am better with not sending
packet anywhere than send to Internet.



Re: fsck_ffs mystic

2016-02-15 Thread Josh Grosse

On 2016-02-15 09:08, lilit-aibolit wrote:

On 02/15/2016 04:03 PM, Josh Grosse wrote:



See the words "NO WRITE" in that message?  This happens because you
are attempting to fsck(8) a *mounted* file system.


Yes, it's true. But I can't unmount /var under normal boot.
And then why errors haven't been fixed or even detected in single mode,
where partitions are unmounted.


When you are in a normal multi-user boot, daemons are running with
files open in /var, and in particular, /var/run.  The warnings you get
from fsck() relate to all of these open files.

Your filesystem was repaired, and is now working properly.  You are
only seeing these messages because you are running fsck() against a
mounted filesystem with open files.




Re: fsck_ffs mystic

2016-02-15 Thread lilit-aibolit

On 02/15/2016 04:03 PM, Josh Grosse wrote:

On 2016-02-15 07:57, lilit-aibolit wrote:

Hi list.
After unclear shutdown I've booted in single user mode
by typing "boot -s".
I executed "fsck -fp" and "fsck -fy" few times and got
no problem, see screenshot here:
http://i.piccy.info/i9/f7bced6083e3f77d29dc832102147bfd/1455540839/795750/999296/image1.jpg 



But after reboot with normal login I got next.
How can I fix errors and why they aren't fixed in single mode?

# fsck_ffs -f /dev/sd0e
** /dev/rsd0e (NO WRITE)



See the words "NO WRITE" in that message?  This happens because you
are attempting to fsck(8) a *mounted* file system.


Yes, it's true. But I can't unmount /var under normal boot.
And then why errors haven't been fixed or even detected in single mode,
where partitions are unmounted.



Re: fsck_ffs mystic

2016-02-15 Thread Josh Grosse

On 2016-02-15 07:57, lilit-aibolit wrote:

Hi list.
After unclear shutdown I've booted in single user mode
by typing "boot -s".
I executed "fsck -fp" and "fsck -fy" few times and got
no problem, see screenshot here:
http://i.piccy.info/i9/f7bced6083e3f77d29dc832102147bfd/1455540839/795750/999296/image1.jpg

But after reboot with normal login I got next.
How can I fix errors and why they aren't fixed in single mode?

# fsck_ffs -f /dev/sd0e
** /dev/rsd0e (NO WRITE)



See the words "NO WRITE" in that message?  This happens because you
are attempting to fsck(8) a *mounted* file system.



fsck_ffs mystic

2016-02-15 Thread lilit-aibolit

Hi list.
After unclear shutdown I've booted in single user mode
by typing "boot -s".
I executed "fsck -fp" and "fsck -fy" few times and got
no problem, see screenshot here:
http://i.piccy.info/i9/f7bced6083e3f77d29dc832102147bfd/1455540839/795750/999296/image1.jpg

But after reboot with normal login I got next.
How can I fix errors and why they aren't fixed in single mode?

# fsck_ffs -f /dev/sd0e
** /dev/rsd0e (NO WRITE)
** Last Mounted on /var
** Phase 1 - Check Blocks and Sizes
INCORRECT BLOCK COUNT I=3663757 (4 should be 0)
CORRECT? no

** Phase 2 - Check Pathnames
UNALLOCATED  I=415876  OWNER=_ups MODE=100644
SIZE=5 MTIME=Feb 15 14:40 2016
FILE=/db/nut/upsd.pid

REMOVE? no

UNALLOCATED  I=415958  OWNER=_nfcapd MODE=100644
SIZE=6 MTIME=Feb 15 14:40 2016
FILE=/www/var/db/nfsen/run/p.pid

REMOVE? no

UNALLOCATED  I=432062  OWNER=_nfcapd MODE=100644
SIZE=6 MTIME=Feb 15 14:40 2016
FILE=/www/var/db/nfsen/run/nfsend.pid

REMOVE? no

UNALLOCATED  I=432064  OWNER=_nfcapd MODE=140755
SIZE=0 MTIME=Feb 15 14:40 2016
FILE=/www/var/db/nfsen/run/nfsen.comm

REMOVE? no

UNALLOCATED  I=432034  OWNER=_nfcapd MODE=100644
SIZE=0 MTIME=Feb 15 14:40 2016
FILE=/www/var/db/nfsen/profiles-data/live/upstream1/nfcapd.current

REMOVE? no

** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
UNREF FILE I=2468495  OWNER=root MODE=100444
SIZE=15177 MTIME=Feb 15 14:13 2016
CLEAR? no

UNREF FILE I=3663757  OWNER=root MODE=100600
SIZE=0 MTIME=Feb 15 14:41 2016
CLEAR? no

** Phase 5 - Check Cyl groups
SUMMARY INFORMATION BAD
SALVAGE? no

BLK(S) MISSING IN BIT MAPS
SALVAGE? no

FREE BLK COUNT(S) WRONG IN SUPERBLK
SALVAGE? no

82047 files, 4617855 used, 10860496 free (39552 frags, 1352618 blocks, 
0.3% fragmentation)




Network isolation of process using rdomain rtable

2016-02-15 Thread Lampshade
Hello,
OpenBSD current amd64
I would like to isolate application from network and also
to make sure that every packet goes to certain port at
certain IP address.
On Linux I achieved that using network namespace,  veth,
iptables (destination nat) or nftables (dnat and snat).

So far I have pair of pair devices:
cat /etc/hostname.pair*
inet 172.10.0.1 255.255.255.0 172.10.0.255 rdomain 1 \
description "An isolated Ethernet"
inet 172.10.0.2 255.255.255.0 172.10.0.255

patched together
ifconfig pair1 patch pair2

with default route:
route -T1 add default 172.10.0.2

Commands for programs:
Server
/usr/local/bin/sudo -u user /usr/bin/nc -4 -k -l 172.10.0.2 9191

Commands for programs I would like to intercept/redirect:
Client 1 (port is the same):
/usr/local/bin/sudo /sbin/route -T1 exec /usr/local/bin/sudo \
-u user /usr/bin/nc -4 -v 172.10.0.2 9191
Client 2 (port must be also redirected):
/usr/local/bin/sudo /sbin/route -T1 exec /usr/local/bin/sudo \
-u user /usr/bin/nc -4 -v 172.10.0.2 9192

I struggle with pf rules. Now I have something like that,
but probably wrong:
pass out  quick on pair1 inet  proto tcp from 172.10.0.1  \
rdr-to 172.10.0.2 port 9040  keep state (floating)
pass out  quick on pair1 inet  proto udp from 172.10.0.1  \
rdr-to 172.10.0.2 port 9053  keep state (floating)

pass in quick log (all, to pflog0) on pair2 inet proto tcp  \
to 172.10.0.2  nat-to pair1
pass in quick log (all, to pflog0) on pair2 inet proto udp  \
to 172.10.0.2 nat-to pair1

pass in
pass out
pass out on {pair1,pair2}
pass in  on  {pair1,pair2}

I have tried with various other pf rules, rtable option,
but none of that had worked.
Do I need rdr-to and nat-to (like in nftables) or
I just could use rdr-to (like in iptables)?
What pf rules should I use?



Re: 64 Queue Size, ARC routing, MP Networking, OpenBSD 5.9

2016-02-15 Thread Andy Lemin
Thanks guys :)

As always I will report back on testing results. I have a lot of DR traffic
(multiple TB's daily) I can push through this to see how it fares..

Thanks Andy.

On Tue, Feb 9, 2016 at 4:33 PM, Stuart Henderson wrote:

> On 2016/02/09 08:22, Chris Cappuccio wrote:
> > Andy Lemin [a...@brandwatch.com] wrote:
> > >
> > > >ART not ARC. It's not enabled by default, you'll need to build
> > > a new kernel to use it.
> > >
> > > Any clues how to enable "ART" when building? ;)
> > >
> >
> > Put "option ART" in your kernel config, that's it. It seems to work in various
> > corner cases but won't be enabled by default until after 5.9 because "seems"
> > isn't good enough at this stage.
>
> Last time I tried it, minidlna broke (upnp multicast). I'll have to
> try it again sometime..



Re: Will Softraid RAID1 read from the fastest mirror/-s / supports user-specified device read priority order, nowadays? Takes broken disk out of use?

2016-02-15 Thread Constantine A. Murenin
On 13 February 2016 at 08:50, Tinker wrote:
> Hi,
>
> 1)
> http://www.openbsd.org/papers/asiabsdcon2010_softraid/softraid.pdf page 3
> "2.2 RAID 1" says that it reads "on a round-robin basis from all active
> chunks", i.e. read operations are spread evenly across disks.

Yes, that's still the case today:

http://bxr.su/o/sys/dev/softraid_raid1.c#sr_raid1_rw

        rt = 0;
ragain:
        /* interleave reads */
        chunk = sd->mds.mdd_raid1.sr1_counter++ %
            sd->sd_meta->ssdi.ssd_chunk_no;
        scp = sd->sd_vol.sv_chunks[chunk];
        switch (scp->src_meta.scm_status) {

        case BIOC_SDOFFLINE:

                if (rt++ < sd->sd_meta->ssdi.ssd_chunk_no)
                        goto ragain;

There are presently no optimisations in-tree, but the softraid
policies are so simple that it's really easy to hack it up to do
something else that you may want.

>
> Since then did anyone implement selective reading based on experienced read
> operation time, or a user-specified device read priority order?

That would make the code less readable!  :-)

>
>
> That would allow Softraid RAID1 based on 1 SSD mirror + 1 SSD mirror + 1 HDD
> mirror, which would give the best combination of IO performance and data
> security OpenBSD would offer today.

Not sure what'd be the practical point of such a setup.  Your writes
will still be limited by the slowest component, and IOPS specs are
vastly different between SSDs and HDDs.  (And modern SSDs are no
longer considered nearly as unreliable as they once were.)

>
> 2)
> Also if there's a read/write failure (or excessive time consumption for a
> single operation, say 15 seconds), will Softraid RAID1 learn to take the
> broken disk out of use?

A failure in a softraid1 chunk will result in the chunk being taken
offline.  (What constitutes a failure is most likely outside of
softraid's control.)

C.
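
The round-robin read selection and offline-chunk retry quoted in the message above, modelled in user space as an added example (not the softraid source and not code from the post). The struct, function names and the two-state enum are hypothetical, and returning -1 once the retries are exhausted is an assumption, since the excerpt does not show that path.

```c
#include <stdio.h>

/* Hypothetical stand-ins for the BIOC_SD* chunk states; only two are modelled. */
enum chunk_status { CHUNK_ONLINE, CHUNK_OFFLINE };

struct mirror {
	unsigned int counter;          /* plays the role of sr1_counter */
	unsigned int chunk_no;         /* plays the role of ssd_chunk_no */
	enum chunk_status status[8];
	unsigned int reads[8];         /* reads served per chunk */
};

/* Choose the chunk for one read; returns its index, or -1 if none is usable. */
int pick_read_chunk(struct mirror *m)
{
	unsigned int rt = 0;
	for (;;) {
		/* interleave reads: every attempt advances the shared counter */
		unsigned int chunk = m->counter++ % m->chunk_no;
		if (m->status[chunk] == CHUNK_ONLINE) {
			m->reads[chunk]++;
			return (int)chunk;
		}
		/* offline: retry on the next chunk, same bound as the excerpt */
		if (rt++ >= m->chunk_no)
			return -1;   /* assumption: the read fails once retries run out */
	}
}

/* Issue n reads and return how many could not be served. */
int issue_reads(struct mirror *m, int n)
{
	int failed = 0;
	while (n-- > 0)
		if (pick_read_chunk(m) < 0)
			failed++;
	return failed;
}

int main(void)
{
	struct mirror m = { 0, 3, { CHUNK_ONLINE, CHUNK_ONLINE, CHUNK_ONLINE }, { 0 } };
	issue_reads(&m, 9);              /* healthy mirror: 3 reads per chunk */
	m.status[1] = CHUNK_OFFLINE;     /* constructed failure of chunk 1 */
	issue_reads(&m, 9);              /* survivors share the reads */
	printf("reads per chunk: %u %u %u\n", m.reads[0], m.reads[1], m.reads[2]);
	return 0;
}
```

Because the counter ignores device speed, a slow mirror receives the same share of reads as a fast one, which is the behaviour the original question asks about.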