Re: Ask ospfd
On Tue, Feb 02, 2021 at 12:06:37PM +0700, Adiwangsa Kusumah wrote:
> Dear All,
>
> I have topology as below:
>
>       UP1   UP2
>         \   /
>          \ /
>        OBSD6.6
>          / \
>         /   \
>     OSPF1   OSPF2
>
> I use openbgpd to upstream and openospfd to internal
> I want my openbsd send 0.0.0.0/0 to my ospf (single area)
>
> At my bgpd.conf I add
>   network 0.0.0.0/0
>
> At my ospfd I tried to add
>   redistribute default
> and/or
>   redistribute 0.0.0.0/0
>
> when I check my ospf, there is no 0.0.0.0 sent to my internal network
>
> ospfctl sh database self-originated
>
> Link ID          Adv Router       Age   Seq#    Checksum
> 10.xxx.xxx.248   103.xxx.xxx.11   1225  0x8048  0x2471
> 10.xxx.xxx.252   103.xxx.xxx.11   1225  0x804a  0xf797
> 103.xxx.xxx.72   103.xxx.xxx.11   1225  0x8048  0xe1c4
> 103.xxx.xxx.60   103.xxx.xxx.11   1225  0x804a  0x858d
> 103.xxx.xxx.12   103.xxx.xxx.11   1225  0x804a  0x3b05
>
> Is there any additional configuration at my bgpd.conf or my ospfd.conf?
> Your advice will be appreciated.

ospfd(4) redistribute requires that the corresponding route is present in the routing table (route -n get default). This is not the case for bgpd(8). So make sure that you have a default route in the kernel routing table.

-- 
:wq Claudio
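The dependency Claudio describes (ospfd only redistributes what the kernel FIB holds; a bgpd "network" statement announces a prefix but installs nothing) can be checked mechanically. The script below is an added example, not code from the thread or from OpenBSD: the function names are mine, the output formats of route(8) and ospfctl(8) are assumed from memory, and the sample outputs are constructed so the checks run offline. On a live router the two samples would be replaced by the real command output.

```shell
#!/bin/sh
# Added example (not from the thread). ospfd(8) redistributes a default
# route only if the kernel FIB actually holds one; bgpd(8)'s
# "network 0.0.0.0/0" announces the prefix to peers but installs nothing.
# The checks below take the text of the two commands Claudio points at and
# say which link of that chain is missing. The route(8)/ospfctl(8) output
# layout is assumed (from memory), and the samples at the bottom are
# constructed with documentation addresses so everything runs offline.

# Does `route -n get default` describe a route? Only a successful lookup
# prints a "destination:" line; a missing route yields an error message.
fib_has_default() {
    printf '%s\n' "$1" | grep -q '^ *destination: *default'
}

# Does `ospfctl show database self-originated` list an LSA whose Link ID
# is 0.0.0.0, i.e. the redistributed default?
lsa_has_default() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" { found = 1 } END { exit !found }'
}

# Combine the two: print one token naming the first missing piece.
#   no-default-in-fib  -> add a default route (static or learned) first
#   fib-ok-no-lsa      -> FIB is fine, look at "redistribute default" in ospfd.conf
#   ok                 -> the default is in the FIB and in the LSDB
diagnose_default() {
    if ! fib_has_default "$1"; then echo no-default-in-fib; return 1; fi
    if ! lsa_has_default "$2"; then echo fib-ok-no-lsa; return 2; fi
    echo ok
}

# Constructed samples (assumed output shapes, documentation addresses).
SAMPLE_FIB_OK='   route to: default
destination: default
       mask: default
    gateway: 192.0.2.1
  interface: em0
      flags: <UP,GATEWAY,DONE,STATIC>'
SAMPLE_FIB_NONE='route: writing to routing socket: No such process'
SAMPLE_LSA_NONE='Link ID          Adv Router       Age   Seq#    Checksum
10.0.0.248       198.51.100.11    1225  0x8048  0x2471'
SAMPLE_LSA_OK="$SAMPLE_LSA_NONE
0.0.0.0          198.51.100.11    12    0x8001  0x1234"

# On a live router, replace the samples with:
#   diagnose_default "$(route -n get default 2>&1)" \
#                    "$(ospfctl show database self-originated)"
demo() {
    diagnose_default "$SAMPLE_FIB_NONE" "$SAMPLE_LSA_NONE"
    diagnose_default "$SAMPLE_FIB_OK"   "$SAMPLE_LSA_NONE"
    diagnose_default "$SAMPLE_FIB_OK"   "$SAMPLE_LSA_OK"
}
```

The first sample pair reproduces the situation in the post: LSAs for connected networks are present, but no 0.0.0.0 entry, because nothing put a default route into the kernel.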
Ask ospfd
Dear All,

I have topology as below:

      UP1   UP2
        \   /
         \ /
       OBSD6.6
         / \
        /   \
    OSPF1   OSPF2

I use openbgpd to upstream and openospfd to internal
I want my openbsd send 0.0.0.0/0 to my ospf (single area)

At my bgpd.conf I add
  network 0.0.0.0/0

At my ospfd I tried to add
  redistribute default
and/or
  redistribute 0.0.0.0/0

when I check my ospf, there is no 0.0.0.0 sent to my internal network

ospfctl sh database self-originated

Link ID          Adv Router       Age   Seq#    Checksum
10.xxx.xxx.248   103.xxx.xxx.11   1225  0x8048  0x2471
10.xxx.xxx.252   103.xxx.xxx.11   1225  0x804a  0xf797
103.xxx.xxx.72   103.xxx.xxx.11   1225  0x8048  0xe1c4
103.xxx.xxx.60   103.xxx.xxx.11   1225  0x804a  0x858d
103.xxx.xxx.12   103.xxx.xxx.11   1225  0x804a  0x3b05

Is there any additional configuration at my bgpd.conf or my ospfd.conf?
Your advice will be appreciated.

Thx & regards,

ps: When I use frrouting, I got 0.0.0.0 to my ospf
Re: relayd + pfsync
On 02/02/2021 05:18, Jordan Geoghegan wrote:
> Hello,
>
> I had a question about using relayd with pfsync. I have a small gateway/load-balancer set up with relayd, carp and pfsync plus BGPd for IP failover, and everything is working great. I was pleasantly surprised at how easy it was to get pfsync tunnelled over wireguard. Things fail over perfectly, and I'm happy as a clam.
>
> I however do have a question about some pfsync/relayd details that I'm not fully clear on:
>
> With all the plumbing being done with relayd and all the associated TCP/TLS/HTTP(s) checks it's doing, it ends up setting up and tearing down a decent number of connections on a recurring basis. I know in PF you can use the "no-sync" keyword to prevent states created by certain rules from being synced across the wire, but I haven't found a way to do this with rules/states generated by relayd.
>
> It's probably largely irrelevant in the grand scheme of things, but I found it slightly irritating having hundreds or thousands of state table entries experiencing constant churn while being synced over the wire. Having the noise from the relayd connectivity checks syncing back and forth makes using tcpdump on a pfsync interface much less convenient. All these state table entries will never be used should the machine fail over, as all the connectivity checks are initiated from the local IP address, rather than the CARP address.
>
> So I guess what I'm trying to ask is: Is there a way to have relayd not sync its TCP/TLS/etc connectivity checks via pfsync? I was hoping to get a sanity check here so I can confirm whether or not I'm totally off base here.
>
> I currently have "keep state (no-sync)" peppered throughout my config for rules I want excluded from pfsync, as the pf config is quite simple. Maybe I'm missing something obvious, but is there a "sync" option? ie the ability to manually specify exactly which rules/states you want synced?
>
> Would some sort of rule like "pass out on $int_if proto tcp to any user _relayd keep state (no-sync)" do what I want, or would that also catch the traffic I'm trying to load balance as well?
>
> Any insight or advice would be much appreciated.
>
> P.S Sorry for the wall of text
>
> Regards,
>
> Jordan

Hi,

As you said, you can use the no-sync. Relayd checks don't create any pf rules. Only the listen creates rules:

pfctl -sr -a 'relayd/ldap'
pass in quick on rdomain 0 inet proto tcp from any to x.x.x.x port = 636 flags S/SA keep state (tcp.established 4200) tag RELAYD_ldap rdr-to port 1636 least-states sticky-address

Local checks from LB to hosts can have the no-sync. I have these in my config:

# checks from LB
pass out quick on $ldap_if proto tcp from ($ldap_if) to ($ldap_if:network) port {1389, 1636} keep state (no-sync)

Maybe you have another rule (out on $ldap_if) before, that allows the traffic?

I handle incoming traffic (to LB) with pftag on relayd.conf and I specifically allow them on out direction.

# client rules
pass out quick on $ldap_if tagged RELAYD_ldap keep state (tcp.established 4200)

G
relayd + pfsync
Hello,

I had a question about using relayd with pfsync. I have a small gateway/load-balancer set up with relayd, carp and pfsync plus BGPd for IP failover, and everything is working great. I was pleasantly surprised at how easy it was to get pfsync tunnelled over wireguard. Things fail over perfectly, and I'm happy as a clam.

I however do have a question about some pfsync/relayd details that I'm not fully clear on:

With all the plumbing being done with relayd and all the associated TCP/TLS/HTTP(s) checks it's doing, it ends up setting up and tearing down a decent number of connections on a recurring basis. I know in PF you can use the "no-sync" keyword to prevent states created by certain rules from being synced across the wire, but I haven't found a way to do this with rules/states generated by relayd.

It's probably largely irrelevant in the grand scheme of things, but I found it slightly irritating having hundreds or thousands of state table entries experiencing constant churn while being synced over the wire. Having the noise from the relayd connectivity checks syncing back and forth makes using tcpdump on a pfsync interface much less convenient. All these state table entries will never be used should the machine fail over, as all the connectivity checks are initiated from the local IP address, rather than the CARP address.

So I guess what I'm trying to ask is: Is there a way to have relayd not sync its TCP/TLS/etc connectivity checks via pfsync? I was hoping to get a sanity check here so I can confirm whether or not I'm totally off base here.

I currently have "keep state (no-sync)" peppered throughout my config for rules I want excluded from pfsync, as the pf config is quite simple. Maybe I'm missing something obvious, but is there a "sync" option? ie the ability to manually specify exactly which rules/states you want synced?

Would some sort of rule like "pass out on $int_if proto tcp to any user _relayd keep state (no-sync)" do what I want, or would that also catch the traffic I'm trying to load balance as well?

Any insight or advice would be much appreciated.

P.S Sorry for the wall of text

Regards,

Jordan
Re: rdsetroot and gzip'd bsd.rd
On Mon, 01 Feb 2021 18:18:43 -0700, "Theo de Raadt" wrote:

> Should rdsetroot be able to edit gzip'd files? I am not sure about
> that.

Yeah, I don't think so either. gzip(1) can be easily used to uncompress it beforehand.

But the result is still that rdsetroot on -current is not able to extract a bsd.rd even when given an uncompressed bsd.rd (i.e. a "ELF 64-bit LSB executable, x86-64, version 1" bsd.rd).
Re: rdsetroot and gzip'd bsd.rd
Should rdsetroot be able to edit gzip'd files? I am not sure about that.

BTW, at least one arch's bsd.rd has been gzip'd over the decades, so this is simply an observation on a common architecture; it has been with us forever.

Daniel Jakots wrote:
> Hi,
>
> Running -current amd64, I fetched a -current amd64 bsd.rd, then run
> $ rdsetroot -x bsd.rd ramdisk
> rdsetroot: bsd.rd: not an elf
>
> I didn't expect that, so I run file on it which said
> bsd.rd: gzip compressed data, max compression, from Unix
>
> I naively tried to gunzip it:
> $ mv bsd.rd bsd.rd.gz && gunzip bsd.rd.gz
> $ file bsd.rd
> bsd.rd: ELF 64-bit LSB executable, x86-64, version 1
>
> so I ran rdsetroot again
> $ rdsetroot -x bsd.rd ramdisk
> rdsetroot: symbol table not found
>
>
> I guess it's because of
> https://github.com/openbsd/src/commit/aa6c3ec2488169493ed4877eea65efb00c967050
>
>
> Is it because now bsd.rd is stripped and rdsetroot needs to be updated
> to not expect a symbol table? Or am I missing something?
>
>
> Cheers,
> Daniel
>
rdsetroot and gzip'd bsd.rd
Hi,

Running -current amd64, I fetched a -current amd64 bsd.rd, then run
$ rdsetroot -x bsd.rd ramdisk
rdsetroot: bsd.rd: not an elf

I didn't expect that, so I run file on it which said
bsd.rd: gzip compressed data, max compression, from Unix

I naively tried to gunzip it:
$ mv bsd.rd bsd.rd.gz && gunzip bsd.rd.gz
$ file bsd.rd
bsd.rd: ELF 64-bit LSB executable, x86-64, version 1

so I ran rdsetroot again
$ rdsetroot -x bsd.rd ramdisk
rdsetroot: symbol table not found


I guess it's because of
https://github.com/openbsd/src/commit/aa6c3ec2488169493ed4877eea65efb00c967050


Is it because now bsd.rd is stripped and rdsetroot needs to be updated
to not expect a symbol table? Or am I missing something?


Cheers,
Daniel
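Since a gzip'd bsd.rd now fails with "not an elf" while an uncompressed one is an ELF file, a wrapper can tell the two apart by their magic bytes and decompress to a scratch copy before calling rdsetroot(8). The script below is an added example written for this page, not part of OpenBSD or of the thread: the function names are mine, it assumes dd, od, mktemp and gzip are available, and it does nothing about the separate "symbol table not found" error Daniel hit afterwards, which needs rdsetroot itself to change.

```shell
#!/bin/sh
# Added example, not from the thread. Tell a gzip'd bsd.rd from a raw ELF
# one by its leading bytes, expand the gzip'd form to a temporary copy,
# and only then hand the file to rdsetroot(8). The "symbol table not found"
# failure on a stripped -current bsd.rd is out of scope here.

# First four bytes of a file as lowercase hex, e.g. "7f454c46".
magic4() {
    dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Classify a kernel image by magic: gzip (1f 8b), elf (7f 'E' 'L' 'F'), or unknown.
image_kind() {
    case "$(magic4 "$1")" in
        1f8b*)    echo gzip ;;
        7f454c46) echo elf ;;
        *)        echo unknown ;;
    esac
}

# Print a path to an uncompressed image. A gzip'd input is expanded into a
# temporary file (assumed mktemp/gzip) that the caller must remove.
uncompressed_image() {
    case "$(image_kind "$1")" in
        gzip)
            tmp=$(mktemp /tmp/bsd.rd.XXXXXX) || return 1
            gzip -dc "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
            echo "$tmp" ;;
        elf)
            echo "$1" ;;
        *)
            echo "not a gzip or ELF image: $1" >&2; return 1 ;;
    esac
}

# rdsetroot -x on a possibly gzip'd bsd.rd: $1 image, $2 output ramdisk.
rdsetroot_extract() {
    img=$(uncompressed_image "$1") || return 1
    rdsetroot -x "$img" "$2"
    rc=$?
    [ "$img" != "$1" ] && rm -f "$img"
    return $rc
}
```

Usage on an OpenBSD box would be `rdsetroot_extract bsd.rd ramdisk`; the wrapper leaves the downloaded bsd.rd untouched, which keeps the original available for checksum verification against SHA256.sig.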
Re: amdgpu unstable atm
On Mon, Jan 25, 2021 at 05:33:22PM +0900, rgc wrote:
> misc@
>
> pkg_add -u; sysupgrade -ks this morning
> i see firefox-esr pull a new gtk (iirc) build ... quirks-3.517
> on firefox is visualsource.net playing commit videos
> seems to be working good now ... and it seems firefox is snappier
>
> i still see these on xconsole
> > [drm] *ERROR* Error in DP aux read transaction, not writing source specific data
> > [drm] *ERROR* Error in DP aux read transaction, not writing source specific data
> but no hangs or crashes at the moment.
>
> ~ rgc
>

misc@

it's been a few days, some crashes still occurred .. one time i've already killed firefox-esr and was just using stterm when X crashed.

in the meantime, i've done a BIOS update. i have SVM (AMD's vmm support) enabled which automatically shares 1Gb to iGPU. and running pkg_add -u and sysupgrade every other day.

kern.version=OpenBSD 6.8-current (GENERIC.MP) #302: Sat Jan 30 21:51:53 MST 2021
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

running spyder3 and firefox-esr at the same time, no issues so far

~ rgc
Re: "No O/S" after drive replacement with / on raid1
On Sun, Jan 31, 2021 at 09:47:22PM +0300, Serge wrote:
> Hello.
>
> I use 2 disks in mirror with root partition on softraid.
> Say they are sd0a and sd1a and SR is sd2.
> For example sd0 fails. I shutdown system, replace failed drive,
> boot from good one, copy layout, rebuild array, all disks online
> and system is up and running.
> Then sd1 fails. I shutdown system, replace sd1, power on and...
>
> Using drive 0, partition 3.
> No O/S
> _
>
>
> Reading manuals, faqs and mailing lists led me to the following:
> I reproduce the issue and after replacement first failed drive run
> # installboot -v sd2
>
> After that I can boot successfully from both drives.
>
> Unfortunately I can not find this solution (is it a solution?)

Yes, this is the right solution. Installboot writes the bootloader to all chunks. If a chunk is replaced with a fresh disk this disk won't carry a boot loader unless installboot is run again.
Re: seeing carp interface state change for unknown reason ; cluestick hunting
> On 1 Feb 2021, at 6:02 pm, Bryan Stenson wrote:
>
> Hi all -
>
> I'm trying to setup a pair of ERL3 octeon routers in master/standby
> mode via carp/pfsync to route traffic from my internal lan to the
> internet. I've seen strange behavior wrt carp on these machines, so
> in an attempt to reduce the problem, I've removed one completely.
>
> Even with only a single box (ERL3-01) on the network configured as a
> carp member, the carp interface state periodically changes (as seen
> from ifstated(8)).
>
> I'm wondering if disconnecting the other ERL3 device is a valid isolated test.
> 1. Will/might this cause issues with the carp device, as it cannot
> determine state from any other host?

If carp state flaps around while it is the only device on the network, that would imply the parent device is flapping around.

> 2. Will/might this cause issues as it cannot send/receive pfsync
> updates (the other node is disconnected).

pfsync doesn't really care about carp state.

> 3. Is there something else in my setup causing carp to fail here?

I'd be running "route monitor" and looking for link state changes on the carp parent interface.

> 4. Could this be hardware/temperature related to this ERL3? Wouldn't
> I see an additional error in dmesg if the physical device (cnmac2)
> failed periodically?
>
> I'd appreciate any pointers here...I feel like I'm missing something dumb.

My first ideas are above. If it turns out the carp parent is stable we can try to come up with something else.

dlg

>
> Thanks in advance.
>
> Bryan
>
> Here are some of my configs. If I've missed including something
> critical to help describe my setup, please let me know and I'll add
> it.
>
> ## Help me OBSD-Misc Kenobi. You're my only hope. ##
>
> erl3-01# uname -a
> OpenBSD erl3-01.siliconvortex.com 6.8 GENERIC#522 octeon
>
> erl3-01# dmesg
> ...
> carp1: state transition: BACKUP -> MASTER
> carp1: state transition: BACKUP -> MASTER
> carp1: state transition: BACKUP -> MASTER
> carp1: state transition: BACKUP -> MASTER
> carp1: state transition: BACKUP -> MASTER
> carp1: state transition: BACKUP -> MASTER
>
> erl3-01# tail mbox
> Mon, 1 Feb 2021 06:49:26 + (UTC)
> From: Charlie Root
> Date: Mon, 1 Feb 2021 06:49:25 + (UTC)
> To: root@localhost
> Subject: carp master changed
> Message-ID: <515eb74cff427...@erl3-01.siliconvortex.com>
> Status: RO
>
> master is now erl3-01.siliconvortex.com
>
>
> erl3-01# sysctl -a | grep carp
> net.inet.carp.allow=1
> net.inet.carp.preempt=1
> net.inet.carp.log=2
>
> erl3-01# cat /etc/hostname.carp1
> #carp for lan side
> 192.168.122.1/23 carpdev vlan100 vhid 1 pass somethinglongandsecret
>
> erl3-01# cat /etc/hostname.vlan100
> vnetid 100 parent cnmac2
> up
>
> erl3-01# cat /etc/hostname.cnmac2
> inet 192.168.1.253 255.255.254.0
>
> erl3-01# cat /etc/hostname.pfsync0
> up syncdev cnmac1
>
> erl3-01# cat /etc/hostname.cnmac1
> inet 10.10.200.1 255.255.255.252
>
> erl3-01# cat /etc/ifstated.conf
> # Initial State
> init-state auto
>
> # Macros
> if_carp_up="carp1.link.up"
> if_carp_down="!carp1.link.up"
>
> state auto {
>     if $if_carp_up {
>         set-state master
>     }
>
>     if $if_carp_down {
>         set-state backup
>     }
> }
>
> state master {
>     init {
>         run "echo master is now `hostname` | mail -s 'carp master changed' root@localhost"
>     }
>
>     if $if_carp_down {
>         set-state backup
>     }
> }
>
> state backup {
>     init {
>         run "echo backup is now `hostname` | mail -s 'carp master changed' root@localhost"
>     }
>
>     if $if_carp_up {
>         set-state master
>     }
> }
>
> erl3-01# cat /etc/pf.conf
> # adopted from https://www.openbsd.org/faq/pf/example1.html
> wan_dev = cnmac0
> lan_dev = cnmac2
> carp_dev = vlan100
> pfsync_dev = cnmac1
>
> table { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
>     172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
>     192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
>     203.0.113.0/24 }
>
> # carp
> pass quick on $lan_dev proto carp keep state (no-sync)
>
> # pfsync
> pass quick on $pfsync_dev proto pfsync keep state (no-sync)
>
> set block-policy drop
> set loginterface $wan_dev
> set skip on lo0
>
> match in all scrub (no-df random-id max-mss 1440)
>
> # redirect DNS queries to localhost
> pass in quick on { $carp_dev $lan_dev } proto { udp tcp } from any to
> any port domain rdr-to 192.168.1.253 port domain
>
> # NAT to the world
> match out on $wan_dev inet from !($wan_dev:network) to any nat-to ($wan_dev:0)
>
> antispoof quick for { $wan_dev }
>
> # martians
> block in quick on $wan_dev from to any
> block return out quick on $wan_dev from any to
>
> block all
>
> # manage buffer bloat
> queue outq on $wan_dev flows 1024 bandwidth 3M max 3M qlimit 1024 default
> queue inq on $lan_dev flows 1024 bandwidth 45M max 45M qlimit 1024 default
>
> pass out quick inet
>
> pass in on { $carp_dev $lan_dev } inet
>
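dlg's suggestion is to watch "route monitor" for link state changes on the carp parent. Left running for a while, that output is noisy (every route add/delete shows up too), so a filter that keeps only the link transitions of one interface and counts them is what a practitioner would actually leave in a tmux pane. The script below is an added example and not code from the thread or from OpenBSD: the function name is mine, the sample lines are constructed, and the layout of RTM_IFINFO lines ("name: IF, link: STATE") is assumed from memory of route(8) output; if your release prints those fields differently, the two field names in the awk loop are the only thing to adjust.

```shell
#!/bin/sh
# Added example, not from the thread. Reduce `route monitor` output to the
# link-state transitions of a single interface (here the carp parent), so a
# flapping parent shows up as a short list of up/down changes with a count.
# The RTM_IFINFO line layout below is assumed from memory of route(8); the
# sample lines are constructed for offline use.

# Read route monitor output on stdin; print one line per link-state change
# of the interface named in $1, then a final "changes: N" line.
link_transitions() {
    awk -v want="$1" '
        /RTM_IFINFO/ {
            name = ""; link = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "name:") name = $(i + 1)
                if ($i == "link:") link = $(i + 1)
            }
            sub(/,$/, "", name); sub(/,$/, "", link)
            if (name != want) next
            if (prev != "" && link != prev) {
                changes++
                print want ": " prev " -> " link
            }
            prev = link
        }
        END { print "changes: " (changes + 0) }
    '
}

# Constructed sample (assumed format): the parent cnmac2 drops and comes
# back once, another interface changes, and an unrelated route message.
SAMPLE_ROUTE_MONITOR='RTM_IFINFO: iface status change: len 176, if# 5, name: cnmac2, link: up, flags:<UP,BROADCAST,RUNNING>
RTM_IFINFO: iface status change: len 176, if# 5, name: cnmac2, link: down, flags:<UP,BROADCAST>
RTM_IFINFO: iface status change: len 176, if# 7, name: cnmac1, link: down, flags:<UP,BROADCAST>
RTM_IFINFO: iface status change: len 176, if# 5, name: cnmac2, link: up, flags:<UP,BROADCAST,RUNNING>
RTM_ADD: Add Route: len 120, priority 8, table 0, ifidx 5, pid: 0, seq 0, errno 0'

# Offline demo on the sample. On the router itself:
#   route monitor | link_transitions cnmac2
demo() {
    printf '%s\n' "$SAMPLE_ROUTE_MONITOR" | link_transitions cnmac2
}
```

Run against the parent (cnmac2) and against vlan100 separately: a non-zero count on the physical port points at cabling, the switch port or the hardware, while changes only on vlan100 would point at the software stack above it.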
ospfd adv 0.0.0.0/0
Hi all,

I get openbgpd and openospfd at same openbsd 6.6 server

I want my ospf adv 0.0.0.0/0 to my network.

I put network 0.0.0.0/0 at bgpd.conf
I put redistribute default at ospfd.conf

ospfctl sh database self-originated

Link ID          Adv Router       Age   Seq#    Checksum
10.xxx.xxx.248   103.xxx.xxx.11   1225  0x8048  0x2471
10.xxx.xxx.252   103.xxx.xxx.11   1225  0x804a  0xf797
103.xxx.xxx.72   103.xxx.xxx.11   1225  0x8048  0xe1c4
103.xxx.xxx.60   103.xxx.xxx.11   1225  0x804a  0x858d
103.xxx.xxx.12   103.xxx.xxx.11   1225  0x804a  0x3b05
103.xxx.xxx.40   103.xxx.xxx.11   1225  0x804a  0x2a47
103.xxx.xxx.44   103.xxx.xxx.11   1225  0x8049  0x046a
103.xxx.xxx.48   103.xxx.xxx.11   1225  0x8049  0xdb8e
103.xxx.xxx.128  103.xxx.xxx.11   1785  0x806f  0x2aad

Just like in my frrouting:

sh ip ospf database self-originate

       OSPF Router with ID (103.xxx.xxx.3)

                Router Link States (Area 0.0.0.0)

Link ID          ADV Router       Age   Seq#    CkSum   Route
0.0.0.0          103.xxx.xxx.3    1365  0x8020  0x9beb  E2 0.0.0.0/0 [0x0]
10.xxx.xxx.252   103.xxx.xxx.3    545   0x801f  0xc0cf  E2 10.xxx.xxx.252/30 [0x0]
103.xxx.xxx.216  103.xxx.xxx.3    515   0x801f  0x0114  E2 103.xxx.xxx.216/30 [0x0]
103.xxx.xxx.3    103.xxx.xxx.3    745   0x801f  0x9cad  E2 103.xxx.xxx.3/32 [0x0]

Regards
seeing carp interface state change for unknown reason ; cluestick hunting
Hi all -

I'm trying to setup a pair of ERL3 octeon routers in master/standby mode via carp/pfsync to route traffic from my internal lan to the internet. I've seen strange behavior wrt carp on these machines, so in an attempt to reduce the problem, I've removed one completely.

Even with only a single box (ERL3-01) on the network configured as a carp member, the carp interface state periodically changes (as seen from ifstated(8)).

I'm wondering if disconnecting the other ERL3 device is a valid isolated test.
1. Will/might this cause issues with the carp device, as it cannot determine state from any other host?
2. Will/might this cause issues as it cannot send/receive pfsync updates (the other node is disconnected).
3. Is there something else in my setup causing carp to fail here?
4. Could this be hardware/temperature related to this ERL3? Wouldn't I see an additional error in dmesg if the physical device (cnmac2) failed periodically?

I'd appreciate any pointers here...I feel like I'm missing something dumb.

Thanks in advance.

Bryan

Here are some of my configs. If I've missed including something critical to help describe my setup, please let me know and I'll add it.

## Help me OBSD-Misc Kenobi. You're my only hope. ##

erl3-01# uname -a
OpenBSD erl3-01.siliconvortex.com 6.8 GENERIC#522 octeon

erl3-01# dmesg
...
carp1: state transition: BACKUP -> MASTER
carp1: state transition: BACKUP -> MASTER
carp1: state transition: BACKUP -> MASTER
carp1: state transition: BACKUP -> MASTER
carp1: state transition: BACKUP -> MASTER
carp1: state transition: BACKUP -> MASTER

erl3-01# tail mbox
Mon, 1 Feb 2021 06:49:26 + (UTC)
From: Charlie Root
Date: Mon, 1 Feb 2021 06:49:25 + (UTC)
To: root@localhost
Subject: carp master changed
Message-ID: <515eb74cff427...@erl3-01.siliconvortex.com>
Status: RO

master is now erl3-01.siliconvortex.com


erl3-01# sysctl -a | grep carp
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=2

erl3-01# cat /etc/hostname.carp1
#carp for lan side
192.168.122.1/23 carpdev vlan100 vhid 1 pass somethinglongandsecret

erl3-01# cat /etc/hostname.vlan100
vnetid 100 parent cnmac2
up

erl3-01# cat /etc/hostname.cnmac2
inet 192.168.1.253 255.255.254.0

erl3-01# cat /etc/hostname.pfsync0
up syncdev cnmac1

erl3-01# cat /etc/hostname.cnmac1
inet 10.10.200.1 255.255.255.252

erl3-01# cat /etc/ifstated.conf
# Initial State
init-state auto

# Macros
if_carp_up="carp1.link.up"
if_carp_down="!carp1.link.up"

state auto {
    if $if_carp_up {
        set-state master
    }

    if $if_carp_down {
        set-state backup
    }
}

state master {
    init {
        run "echo master is now `hostname` | mail -s 'carp master changed' root@localhost"
    }

    if $if_carp_down {
        set-state backup
    }
}

state backup {
    init {
        run "echo backup is now `hostname` | mail -s 'carp master changed' root@localhost"
    }

    if $if_carp_up {
        set-state master
    }
}

erl3-01# cat /etc/pf.conf
# adopted from https://www.openbsd.org/faq/pf/example1.html
wan_dev = cnmac0
lan_dev = cnmac2
carp_dev = vlan100
pfsync_dev = cnmac1

table { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
    172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
    192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
    203.0.113.0/24 }

# carp
pass quick on $lan_dev proto carp keep state (no-sync)

# pfsync
pass quick on $pfsync_dev proto pfsync keep state (no-sync)

set block-policy drop
set loginterface $wan_dev
set skip on lo0

match in all scrub (no-df random-id max-mss 1440)

# redirect DNS queries to localhost
pass in quick on { $carp_dev $lan_dev } proto { udp tcp } from any to any port domain rdr-to 192.168.1.253 port domain

# NAT to the world
match out on $wan_dev inet from !($wan_dev:network) to any nat-to ($wan_dev:0)

antispoof quick for { $wan_dev }

# martians
block in quick on $wan_dev from to any
block return out quick on $wan_dev from any to

block all

# manage buffer bloat
queue outq on $wan_dev flows 1024 bandwidth 3M max 3M qlimit 1024 default
queue inq on $lan_dev flows 1024 bandwidth 45M max 45M qlimit 1024 default

pass out quick inet

pass in on { $carp_dev $lan_dev } inet