Re: bridge(4) question new network setup

2023-01-23 Thread patrick keshishian
On 1/21/23, David Gwynne  wrote:
> On Sat, Jan 21, 2023 at 01:32:18PM -0800, patrick keshishian wrote:
>> On 1/20/23, Hrvoje Popovski  wrote:
>> > On 20.1.2023. 20:09, patrick keshishian wrote:
>> >> Hello,
>> >>
>> >> I am trying to get a new ISP setup working.  The Router is
>> >> causing some pain.  There is a /28 public block assigned.
>> >> The DSL router can't be configured in transparent bridge
>> >> mode (they say).  It holds on to one of the /28 addresses.
>> >>
>> >> The setup looks something like this:
>> >> (and hopefully the ascii "art" remains intact from gmail)
>> >>
>> >>         ( internet )
>> >>              |
>> >>              | [WAN IP]
>> >>        +-----o------+
>> >>       / DSL ROUTER / <-- Transparent bridge mode NOT possible
>> >>      +-----o------+
>> >>            | [ one of /28 Public IPs = $dslgw_ip ]
>> >>            |
>> >>            |
>> >>            | $ext
>> >>      +-----o------+
>> >>      |            |
>> >>      | OpenBSD/pf o--- ( rest of /28 Public IP network )
>> >>      |            | $dmz  (DMZ: httpd, smtpd, ...)
>> >>      +-----o------+
>> >>       $lan | [10.x.x.1]
>> >>            |
>> >>      ( 10.x.x.x network )
>> >>
>> >>
>> >> As far as networking goes, I need to be spoken to as if I'm
>> >> a fledgling.
>> >>
>> >> I want to do the obvious: use OpenBSD/pf(4) to:
>> >>  - Filter traffic from $ext to $dmz
>> >>  - Filter traffic from $dmz outbound
>> >>  - Filter traffic from $lan (10.x.x.x) to $dmz
>> >>  - NAT traffic from $lan (10.x.x.x) outbound to internet
>> >>
>> >>
>> >> I'm bridge(4)-ing $ext and $dmz.  Which means I must give
>> >> one of the /28 public IP addresses to either $ext or $dmz
>> >> to be able to do:
>> >>
>> >> # route add default $dslgw_ip
>> >>
>> >> (!?)
>> >>
>> >> Am I missing something?
>> >> Is there a better way to configure things?
>> >>
>> >> Thanks,
>> >> --patrick
>> >>
>> >
>> > Hi,
>> >
>> > If your ext interface is in same subnet as that /28 from your ISP then
>> > you could:
>> >
>> > - use veb(4) to bridge ext, dmz and vport(4) interface and add default
>> > route to dslgw_ip. vport is ip interface for veb
>>
>> I started out looking at veb(4) but I wasn't confident
>> how I could filter traffic in/out of $dmz.  Also, the
>> description of vport(4) which states "packets traversing
>> vport interfaces appear to travel in the opposite direction
>> to packets travelling over other ports" confused me even
>> more.  So I started using bridge(4).
>
> When you add a port to veb(4), it takes it over completely and by
> default it only uses it to switch traffic at layer 2 (Ethernet).
> In other words, by default veb(4) does not run pf against packets
> on ports.
>
> vport is an exception because it operates as if it is a normal
> ethernet interface plugged into a switchport, it's just that the
> switch in this situation is veb, and the other ports on that switch
> are the non-vport interfaces you added to the veb.

Thanks for taking the time to explain in these two paragraphs.
I definitely have a better sense of veb/vport now.

> So, by default veb lets you build a switch out of other interfaces
> in the system, and vport lets you plug the kernel network stack
> into that virtual switch. Because packets from a normal switch coming
> into a normal physical interface go in to the network stack, that is
> also how it behaves with vport. ie, you write rules in pf like this for
> packets coming from a veb into a vport:
>
>   pass in on vport0 inet tcp from any to port ssh

Nice.

> If you do enable IP filtering on veb (ie, you ifconfig veb0 link1 as per
> the ifconfig manpage), then packets coming from the "wire" into the
> interface are filtered by pf too. This means that if a packet is coming
> from the wire and is destined to your network stack via a vport
> interface, it will be going through pf twice: once when it comes into
> the physical interface and again when it goes over vport.
>
> pf is not designed for a packet to be processed twice. TCP packets in
> particular going through pf twice will confuse the window tracking. If
> you're doing NAT or something like that, it can also get confused.
>
> So if you're going to enable link1 on veb(4), you need to either skip pf
> on the vport interface, or put the veb and vport into different rdomains
> so pf will keep separate the states for them.
>
> It is doable and supported, you just need to be mindful of this
> semantic.
>
> I found running pf on bridge(4) to be a nightmare, cos every interface
> you add as a port on bridge kind of acts as two ports, one that goes to
> the wire and another that goes to the stack, but it's hard to say which
> will happen and what the right way to filter it is. veb(4) taking over
> interfaces completely and not running pf by default is in large part
> because of this pain I had with bridge.
>
>> > - or on ext interface put ip alias with ip addresses from /28 public
>> > range and then do binat-to or nat-to in pf to hosts in dmz
>> >
>> > or maybe i totally misunderstood you  :)
>>
>> I think you understood me fine. I'm just 

Re: bridge(4) question new network setup

2023-01-23 Thread patrick keshishian
On 1/21/23, David Gwynne  wrote:
> On Sat, Jan 21, 2023 at 01:46:34PM -0800, patrick keshishian wrote:
>> On 1/20/23, David Gwynne  wrote:
>> > On Fri, Jan 20, 2023 at 11:09:47AM -0800, patrick keshishian wrote:
>> >> Hello,
>> >>
>> >> I am trying to get a new ISP setup working.  The Router is
>> >> causing some pain.  There is a /28 public block assigned.
>> >> The DSL router can't be configured in transparent bridge
>> >> mode (they say).  It holds on to one of the /28 addresses.
>> >
>> > i'm sure they say that, but that doesn't mean it's impossible. this
>> > will be a lot easier and more useful if you can get a dsl modem
>> > into bridge/transparent mode and do all the routing on your own
>> > box.
>>
>> OK. So the situation was a bit worse than I had actually
>> anticipated.  After I got the described setup configured
>> I noticed that the DSL Router/Modem wouldn't send out
>> any traffic unless it had an arp entry for the source.
>> e.g., nat-to an unassigned IP from the /28 wouldn't go out.
>>
>> Again, in my limited networking knowledge, it meant I had
>> to do proxy arp entries for /28 public IPs in the $dmz.
>> This was quite frustrating.
>>
>> So I started poking around in the DSL Router/modem settings
>> (cuing off your "doesn't mean it's impossible") and I
>> have it now acting as a transparent bridge!
>>
>> I spent most of Tues on the phone with their techs, and I
>> was assured that is not possible/unsupported.  Now maybe
>> they actually meant "unsupported" mode as far as their
>> support is concerned.
>>
>> But things seem to be running as expected (so far)!  So thanks
>> for the bit of "encouragement"!
>
> Does that mean you have the WAN IP on your router now? And you can do
> whatever you want with the /28?

Yep!  And it made things so much easier to set up.

>> > that would also give you the option to do fun stuff like NOT putting
>> > the /28 onto an ethernet network so you could use all 16 of the
>> > IPs on dmz hosts instead of losing some to network/broadcast/gateway.
>>
>> I am curious how you would go about doing what you suggest:
>> Using all 16 of /28.
>
> The simple (and currently best supported) way is to set up a tunnel
> interface for every IP in the /28 and connect the tunnel to the server
> providing the service. The router would have a config like this:
>
> ifconfig gif0 create
> ifconfig gif0 tunnel $router_lan_ip $server_lan_ip
> ifconfig gif0 inet $router_gif_ip $server_slash28_ip

A bit above my pay-grade.  I'll need to study this later on.

Thanks again for the hints/help!
--patrick


>>
>> Thanks for your reply,
>> --patrick
>>
>>
>> >> The setup looks something like this:
>> >> (and hopefully the ascii "art" remains intact from gmail)
>> >>
>> >>         ( internet )
>> >>              |
>> >>              | [WAN IP]
>> >>        +-----o------+
>> >>       / DSL ROUTER / <-- Transparent bridge mode NOT possible
>> >>      +-----o------+
>> >>            | [ one of /28 Public IPs = $dslgw_ip ]
>> >>            |
>> >>            |
>> >>            | $ext
>> >>      +-----o------+
>> >>      |            |
>> >>      | OpenBSD/pf o--- ( rest of /28 Public IP network )
>> >>      |            | $dmz  (DMZ: httpd, smtpd, ...)
>> >>      +-----o------+
>> >>       $lan | [10.x.x.1]
>> >>            |
>> >>      ( 10.x.x.x network )
>> >>
>> >>
>> >> As far as networking goes, I need to be spoken to as if I'm
>> >> a fledgling.
>> >>
>> >> I want to do the obvious: use OpenBSD/pf(4) to:
>> >>  - Filter traffic from $ext to $dmz
>> >>  - Filter traffic from $dmz outbound
>> >>  - Filter traffic from $lan (10.x.x.x) to $dmz
>> >>  - NAT traffic from $lan (10.x.x.x) outbound to internet
>> >>
>> >>
>> >> I'm bridge(4)-ing $ext and $dmz.  Which means I must give
>> >> one of the /28 public IP addresses to either $ext or $dmz
>> >> to be able to do:
>> >>
>> >> # route add default $dslgw_ip
>> >>
>> >> (!?)
>> >>
>> >> Am I missing something?
>> >> Is there a better way to configure things?
>> >>
>> >> Thanks,
>> >> --patrick
>> >>
>> >
>



Re: Weirdness with du/df/my brain (latter more likely)

2023-01-23 Thread Steve Fairhead

On 23/01/2023 00:37, Philip Guenther wrote:
> You'll need to be specific about what rsync options you used, and
> perhaps eyeball what the manpage says about them.  For example, the
> description of the -a option has a specific warning which seems a
> plausible explanation of the expansion.


Apologies for being too brief. I was using:

/usr/local/bin/rsync -avz --delete src dest

There are no symlinks etc in the Maildir folder in question. I'm not 
sure if that's what you meant re warning.


Thanks,

Steve

--

--
  Steve Fairhead
 email: st...@fivetrees.com
   www: http://www.fivetrees.com
--



Re: Weirdness with du/df/my brain (latter more likely)

2023-01-23 Thread Steve Fairhead

On 22/01/2023 23:55, Alexis wrote:
>>   - Old machine: 49 GB
>>   - New machine: 188 GB
>>
>> Figures as measured with du -sk, which I realise is sector-oriented,
>> but still... And yes, my boss does a *lot* of email.
>
> i might well be barking up the wrong tree, but the first thing that
> comes to mind is inode usage. OpenBSD du(1) doesn't appear to have an
> inode-related option, but df(1) does; what numbers does `df -i` report
> in each case?


Old machine:
Filesystem  512-blocks       Used     Avail Capacity   iused    ifree  %iused  Mounted on
/dev/sd0a   2130681584 1414199968 609947552      70% 2632753 30977229      8%  /home


New machine:
Filesystem  512-blocks       Used     Avail Capacity   iused    ifree  %iused  Mounted on
/dev/sd0a   2130681584 1691626016 332521504      84% 2679491 30930491      8%  /s0


Thanks,

Steve

--

--
  Steve Fairhead
 email: st...@fivetrees.com
   www: http://www.fivetrees.com
--



Re: Weirdness with du/df/my brain (latter more likely)

2023-01-23 Thread Steve Litt
Zeljko Jovanovic said on Mon, 23 Jan 2023 01:25:56 +0100

>On 22.1.23. 22:06, Steve Fairhead wrote:   
>> 
>> I'm just puzzled, and clearly missing something. Can anyone
>> enlighten me as to the large (nearly 4*) discrepancy?
>> 
>> Thanks,
>> 
>> Steve  
>
>Since you have the same result after copying the files on the same
>machine, I would say that some of them are sparse, and you didn't
>preserve that.
>
>For openrsync, I searched the man page, and didn't find any mention of
>"sparse", so I don't know how it handles them.
>
>If you are using "original" rsync, try with -S flag.

Yes.

Other similar things to look at are hard links (-H), various symlink
options, --one-file-system (I know df doesn't follow symlinked mounts),
etc.

SteveT

Steve Litt 
Autumn 2022 featured book: Thriving in Tough Times
http://www.troubleshooters.com/bookstore/thrive.htm



Panic in 7.2 and snapshots at boot due to acpi bios error

2023-01-23 Thread Jeff Roach
Hi!  Really love OpenBSD and would like to get it working on my Samsung
Galaxy Book Flex2 Alpha.  NP730QDA-KA3US.  Just offering this up because I
can't send a dmesg.  I get a kernel panic at boot with the following screen,

https://photos.app.goo.gl/2NNHiTtG6LbTc5nx6

I believe it may be a bug in the acpi bios code for which there is no
firmware update.  It boots, linux, win 10/11, net and freebsds fine with
acpi errors.  I tried to disable acpi to see if I could get it installed
and the installer ran but could not find the ethernet, wifi or ssd.

Can anyone help with this?  I'd be glad to provide more info if there is a
way.

Thanks,

Jeff


Re: Weirdness with du/df/my brain (latter more likely)

2023-01-23 Thread Steve Fairhead

On 23/01/2023 02:23, Todd C. Miller wrote:
>> After yet more testing, I did a recursive copy of the old 49 GB Maildir
>> to a spare folder on the same home partition on the old machine. This
>> came up, again, as 188 GB.
>
> You probably copied a large number of sparse files where the holes
> got expanded.  If you use rsync with the -S flag (or use tar) you
> should end up with a similar disk usage on the new machine.



I did actually consider this. I had tried (after deleting the copy):

rsync -avzS

No change - still 188 GB. So I've just tried (again after deleting the 
copy):


rsync -avS

... in case using compression somehow negated the sparse files setting. 
Again no change - still 188 GB.


Mysterious.

Thanks,

Steve
aka Baffled of Bursledon

--

--
  Steve Fairhead
fivetrees ltd - for the complete music service
   tel: (+44)(0)(23) 8056 9013
mobile: (+44)(0)(7899) 847346
 email: st...@fivetrees.com
   www: http://www.fivetrees.com
--



Re: do i need to move to veb?

2023-01-23 Thread kasak



22.01.2023 14:49, David Gwynne wrote:
> On Sat, Jan 21, 2023 at 03:41:56PM +0300, kasak wrote:
>> Hello misc!
>>
>> I'm using bridge for integrating remote clients to my network with this
>> simple config:
>>
>> $ cat /etc/hostname.bridge0
>> add vether0
>> add em1
>> add tap1
>> up
>>
>> I see in this commit that veb is supposed to replace bridge
>> https://marc.info/?l=openbsd-cvs&m=161405102019493&w=2
>>
>> Does it make sense to move to veb for me, or not?
>> There is approximately 150 clients on the "em1" side and 10 on "tap1"
>
> unless you're using pf to filter on em1 and tap1, then moving from
> bridge and vether to veb and vport is simple. veb can be a lot faster
> than bridge, so maybe that's a reason to try moving?
>
> dlg


I've followed your advice and failed :(

I moved hostname.bridge0 to hostname.veb0, moved hostname.vether0 to 
hostname.vport0


and edit hostname.veb0 replacing add vether0 to add vport0

after reboot i cannot reach veb0 network :( ping answer "the network is 
down"





Re: do i need to move to veb?

2023-01-23 Thread Hrvoje Popovski
On 23.1.2023. 16:24, kasak wrote:
> 
> 22.01.2023 14:49, David Gwynne wrote:
>> On Sat, Jan 21, 2023 at 03:41:56PM +0300, kasak wrote:
>>> Hello misc!
>>>
>>> I'm using bridge for integrating remote clients to my network with this
>>> simple config:
>>>
>>> $ cat /etc/hostname.bridge0
>>> add vether0
>>> add em1
>>> add tap1
>>> up
>>>
>>> I see in this commit that veb is supposed to replace bridge
>>> https://marc.info/?l=openbsd-cvs&m=161405102019493&w=2
>>>
>>> Does it make sense to move to veb for me, or not?
>>> There is approximately 150 clients on the "em1" side and 10 on "tap1"
>> unless you're using pf to filter on em1 and tap1, then moving from
>> bridge and vether to veb and vport is simple. veb can be a lot faster
>> than bridge, so maybe that's a reason to try moving?
>>
>> dlg
>>
> I've followed your advice and failed :(
> 
> I moved hostname.bridge0 to hostname.veb0, moved hostname.vether0 to
> hostname.vport0
> 
> and edit hostname.veb0 replacing add vether0 to add vport0
> 
> after reboot i cannot reach veb0 network :( ping answer "the network is
> down"
> 
> 

Did you put "up" at the end of hostname.veb0 and maybe at the end of
hostname.vport0 ?




tcp_flags in pflow exports

2023-01-23 Thread m
After enabling pflow exports, is it possible to see TCP flags?

I think the answer might be no since 
grep -r pflow /usr/src led me to
/usr/src/sys/net/if_pflow.c which contains
flow1->tcp_flags = flow2->tcp_flags = 0

and I didn't see other changes to tcp_flags after
trying grep -r tcp_flags /usr/src.

Internet searches tell me many routers also don't export
TCP flags. 

Is it the case that there's no good reason to look for
anomalies such as packets with only SYN-RST set if 
our pf rules modulate state and would drop weird packets
anyway?

If adding this feature would be a worthy goal and might be
something a novice programmer such as your humble servant
could attempt, any advice about getting started would be
greatly appreciated.

Below are my attempts to see the TCP flags anyway. At the
very end is a question about collector software.

My router running OpenBSD 7.2 -current exports
flows, but when I view them on the collector
(also 7.2 -current):

e.g.

nfdump -o raw -r nfcapd.x

I get output like
Flow Record:
  Flags=  0x06 NETFLOW v10, Unsampled
...
  tcp flags=  0x00 

The "tcp flags" line always says 0x00 in all of the files. I had a
similar experience when setting up TCP control bit primitives (as
described in Network Flow Analysis by Michael W. Lucas, page 63)
in flow-tools on another collector before I switched to nfsen/nfdump:
filters that looked for only resets or syn-resets never caught
anything.

Even if I create a packet that I know only has a RST, for example,
I can see the flow but not the tcp flags.

On a Linux box (192.168.1.2) I ran nmap against my router:

sudo nmap --send-ip --scanflags RST -Pn -p 80 192.168.1.1

A tcpdump on my router 192.168.1.1 shows 

Jan 22 pass in on re2: 192.168.1.2.62851 > 192.168.1.1.80: R ...

and the corresponding flow after 

nfdump -o raw -r nfcap.X:

# === begin partial nfdump output  ===
Flow Record:
  Flags=  0x06 NETFLOW v10, Unsampled
  label=
  export sysid = 1
  size =76
...
  src addr =  192.168.1.2
  dst addr =  192.168.1.1
  src port = 62851
  dst port =80
  fwd status   = 0
  tcp flags=  0x00 
  biFlow Dir   =  0x00 arbitrary
  end reason   =  0x00
  proto= 6 TCP
  (src)tos = 0
  (in)packets  = 1
  (in)bytes=40
  input= 3
  output   = 0
  ip router=  192.168.2.1

# === end partial nfdump output  ===

But I think we'd want tcp flags to be 0x4.

In my router's pf.conf I have

# === begin part of router /etc/pf.conf ===
# egress is re3
match on egress scrub (no-df random-id max-mss 1440)
# === end part of router /etc/pf.conf ===

I wouldn't think that this scrubbing should affect
traffic that stays on interface re1. . . .

Here is the part where we allow the test packets through on 
the router and export them with pflow:

# === begin part of router /etc/pf.conf ===
pass log on re1 proto tcp from 192.168.1.2 to 192.168.1.1 \
flags any \
keep state (pflow) \
label "nmap tcp $srcport $dstport"
pass log on re1 proto udp from 192.168.1.2 to 192.168.1.1 \
flags any \
keep state (pflow) \
label "nmap udp $srcport $dstport"
pass log on re1 proto icmp from 192.168.1.2 to 192.168.1.1 \
flags any \
keep state (pflow) \
label "nmap icmp $srcport $dstport"
# === end part of router /etc/pf.conf ===

I've also tried modulate state and 
keep state (sloppy pflow).

I am exporting pflow over re2:

# === begin router /etc/hostname.pflow0
flowsrc 192.168.2.1 flowdst 192.168.2.2:9995
pflowproto 10
# === end router /etc/hostname.pflow0

I'm not sure how to more directly test the output of pflow since
it doesn't seem to be possible to tcpdump pflow0.

Thanks to Stuart Henderson for mentioning nfdump and ntopng
and to Peter Hansteen for the Evil Network Overlord article.

Just wondering also if anyone has experience with any other
collector software besides nfsen and flow-tools. I really
like ntopng's displays but I haven't figured out whether
it can only receive flow data from nprobe (which isn't
a package) or whether there's a way for it to get it from
my existing export over port 9995. I have some problems with
nfsen and PHP crashing that I'll save for another day . . . 
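
Added example, not part of the original post and not OpenBSD code: a minimal IPFIX (NetFlow v10, what `pflowproto 10` selects) decoder for checking, from a UDP payload captured on its way to the collector, whether tcpControlBits (IANA information element 6) is in the exporter's template at all and what value each record carries. The template layouts and records in `demo()` are constructed for illustration and are assumptions, not pflow(4)'s actual templates; per-packet flag checks are applied only to single-packet flows because a flow's tcpControlBits is the OR of every packet's flags.

```python
import struct

IPFIX_VERSION, TEMPLATE_SET_ID = 10, 2
IE_PACKETS, IE_PROTOCOL, IE_TCP_CONTROL_BITS = 2, 4, 6   # IANA IPFIX element ids
TCP_FLAG_NAMES = [(1, "FIN"), (2, "SYN"), (4, "RST"), (8, "PSH"), (16, "ACK"), (32, "URG")]

def _parse_templates(body, templates):
    pos = 0
    while pos + 4 <= len(body):
        tid, count = struct.unpack_from("!HH", body, pos)
        pos += 4
        if tid < 256:                       # padding, not a template record
            break
        fields = []
        for _ in range(count):
            ie, flen = struct.unpack_from("!HH", body, pos)
            pos += 8 if ie & 0x8000 else 4  # enterprise fields carry a 4-byte PEN
            if flen == 0xFFFF:
                raise ValueError("variable-length fields not handled")
            fields.append((ie, flen))
        templates[tid] = fields

def _parse_data(body, fields):
    rec_len, pos, out = sum(flen for _, flen in fields), 0, []
    while rec_len and pos + rec_len <= len(body):   # leftover bytes are padding
        rec = {}
        for ie, flen in fields:
            rec[ie] = int.from_bytes(body[pos:pos + flen], "big")
            pos += flen
        out.append(rec)
    return out

def decode_ipfix(message, templates):       # templates persists across packets
    version, length = struct.unpack_from("!HH", message.ljust(4, b"\0"), 0)
    if version != IPFIX_VERSION or not 16 <= length <= len(message):
        raise ValueError("not a complete IPFIX message")
    records, off = [], 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", message, off)
        if set_len < 4 or off + set_len > length:
            raise ValueError("bad set length")
        body = message[off + 4:off + set_len]
        if set_id == TEMPLATE_SET_ID:
            _parse_templates(body, templates)
        elif set_id in templates:           # data set for a known template
            records += _parse_data(body, templates[set_id])
        off += set_len
    return records

def tcp_flag_verdict(rec):
    if rec.get(IE_PROTOCOL) != 6:
        return None, "not tcp"
    if IE_TCP_CONTROL_BITS not in rec:
        return None, "tcpControlBits not in template"
    flags = rec[IE_TCP_CONTROL_BITS] & 0x3F
    names = [name for bit, name in TCP_FLAG_NAMES if flags & bit]
    if rec.get(IE_PACKETS) != 1:            # flags are OR-ed over the whole flow
        return names, "cumulative over flow"
    if flags == 0 or (flags & 0x02 and flags & 0x05):   # null, SYN+FIN, SYN+RST
        return names, "anomalous single packet"
    return names, "ok"

def build_message(template_id, fields, rows):
    """Constructed sample packet: one template set followed by one data set."""
    tmpl = struct.pack("!HH", template_id, len(fields))
    tmpl += b"".join(struct.pack("!HH", ie, n) for ie, n in fields)
    data = b"".join(v.to_bytes(n, "big") for row in rows for (_, n), v in zip(fields, row))
    sets = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(tmpl)) + tmpl
    sets += struct.pack("!HH", template_id, 4 + len(data)) + data
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(sets), 0, 0, 0) + sets

def demo():
    """Constructed templates (assumed layouts): 256 carries IE 6, 257 does not."""
    with_flags = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (6, 1), (2, 8)]
    without = [f for f in with_flags if f[0] != IE_TCP_CONTROL_BITS]
    base = (0xC0A80102, 0xC0A80101, 62851, 80, 6)   # 192.168.1.2:62851 -> .1:80
    rows = [base + (0x04, 1), base + (0x06, 1), base + (0x06, 9)]
    templates = {}
    recs = decode_ipfix(build_message(256, with_flags, rows), templates)
    recs += decode_ipfix(build_message(257, without, [base + (1,)]), templates)
    return [tcp_flag_verdict(r) for r in recs]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A "tcpControlBits not in template" verdict means the exporter never sent the field, so a collector can only display a default value for it.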






Re: do i need to move to veb?

2023-01-23 Thread kasak



23.01.2023 18:52, Hrvoje Popovski wrote:
> On 23.1.2023. 16:24, kasak wrote:
>> 22.01.2023 14:49, David Gwynne wrote:
>>> On Sat, Jan 21, 2023 at 03:41:56PM +0300, kasak wrote:
>>>> Hello misc!
>>>>
>>>> I'm using bridge for integrating remote clients to my network with this
>>>> simple config:
>>>>
>>>> $ cat /etc/hostname.bridge0
>>>> add vether0
>>>> add em1
>>>> add tap1
>>>> up
>>>>
>>>> I see in this commit that veb is supposed to replace bridge
>>>> https://marc.info/?l=openbsd-cvs&m=161405102019493&w=2
>>>>
>>>> Does it make sense to move to veb for me, or not?
>>>> There is approximately 150 clients on the "em1" side and 10 on "tap1"
>>>
>>> unless you're using pf to filter on em1 and tap1, then moving from
>>> bridge and vether to veb and vport is simple. veb can be a lot faster
>>> than bridge, so maybe that's a reason to try moving?
>>>
>>> dlg
>>
>> I've followed your advice and failed :(
>>
>> I moved hostname.bridge0 to hostname.veb0, moved hostname.vether0 to
>> hostname.vport0
>>
>> and edit hostname.veb0 replacing add vether0 to add vport0
>>
>> after reboot i cannot reach veb0 network :( ping answer "the network is
>> down"
>
> Did you put "up" at the end of hostname.veb0 and maybe at the end of
> hostname.vport0 ?



Ah! There it was!

I forgot to add "up" to vport!
Now we know that it does not work without it :)

Thanks for help!




Re: Weirdness with du/df/my brain (latter more likely) - SOLVED

2023-01-23 Thread Steve Fairhead

On 22/01/2023 21:06, Steve Fairhead wrote:
> After a lot of analysis, I found that all user folders (and all other
> folders/partitions) were near-enough identical on both machines, except
> for one - my boss's 😉 . After more analysis, I found that it was his
> Maildir (using dovecot) that was weird:
>
>    - Old machine: 49 GB
>    - New machine: 188 GB


Jan Stary solved it by asking "Have you tried -H to preserve 
hardlinks?". And no, I hadn't. Wasn't expecting any in a Maildir. I've 
learned something ;) - wahay!


New machine is now 49 GB too. And I've tweaked my rsync script to no 
longer use "-avz --delete", but "-avSH --delete".


Thanks, Jan!

Steve

--

--
  Steve Fairhead
 email: st...@fivetrees.com
   www: http://www.fivetrees.com
--



Re: Weirdness with du/df/my brain (latter more likely) - SOLVED

2023-01-23 Thread Steve Fairhead

On 23/01/2023 19:00, Steve Fairhead wrote:
> On 22/01/2023 21:06, Steve Fairhead wrote:
>> After a lot of analysis, I found that all user folders (and all other
>> folders/partitions) were near-enough identical on both machines,
>> except for one - my boss's 😉 . After more analysis, I found that it
>> was his Maildir (using dovecot) that was weird:
>>
>>    - Old machine: 49 GB
>>    - New machine: 188 GB
>
> Jan Stary solved it by asking "Have you tried -H to preserve
> hardlinks?". And no, I hadn't. Wasn't expecting any in a Maildir. I've
> learned something 😉 - wahay!


One more detail for the record: I've just learned that my boss uses a 
Mac to deal with mail - everyone else uses Windoze. May be significant, 
although I would have thought that Dovecot dealt with the actual 
storage... 


Steve

--

--
  Steve Fairhead
 email: st...@fivetrees.com
   www: http://www.fivetrees.com
--



Re: Weirdness with du/df/my brain (latter more likely)

2023-01-23 Thread Steve Fairhead

On 23/01/2023 01:47, NilsOla Nilsson wrote:
> Possible explanation: if you have several hard links
> pointing to the same file (inode) rsync will expand
> those to separate files, unless you give the option -H


And you were quite right, and I apologise for missing this - I really 
wasn't expecting hard links in a Maildir. Same apology goes to Steve 
Litt, whose message I've not received (saw it just now on the marc.info 
board).


Thanks, chaps.

Steve

--

--
  Steve Fairhead
 email: st...@fivetrees.com
   www: http://www.fivetrees.com
--
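
Added example, not written by anyone in the thread: a way to measure, before copying, how much a tree will grow when hard links are split into separate files (the rsync-without-`-H` case described above). It compares du-style accounting, where each inode is counted once, with one-copy-per-path accounting; the Maildir-like tree, its file names and sizes are constructed for the demonstration.

```python
import os
import stat
import tempfile
from collections import defaultdict


def hardlink_report(root):
    """Compare du-style size (each inode once) with a copy that splits hard links."""
    paths_by_inode = defaultdict(list)    # (st_dev, st_ino) -> paths found under root
    size_by_inode = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue                  # symlinks, sockets, fifos carry no file data
            key = (st.st_dev, st.st_ino)
            paths_by_inode[key].append(path)
            size_by_inode[key] = st.st_size
    # Only links that live inside root matter: those are what the copy duplicates.
    unique = sum(size_by_inode.values())
    expanded = sum(size_by_inode[k] * len(p) for k, p in paths_by_inode.items())
    groups = sorted((sorted(p) for p in paths_by_inode.values() if len(p) > 1),
                    key=len, reverse=True)
    return {"unique_bytes": unique, "expanded_bytes": expanded,
            "ratio": expanded / unique if unique else 1.0,
            "linked_groups": groups}


def build_demo_maildir(root):
    """Constructed sample: one 4000-byte message hard-linked into four folders."""
    first = None
    for folder in ("cur", ".Archive/cur", ".Work/cur", ".Clients/cur"):
        os.makedirs(os.path.join(root, folder))
        target = os.path.join(root, folder, "1674500000.M1.host:2,S")
        if first is None:
            first = target
            with open(first, "wb") as fh:
                fh.write(b"x" * 4000)
        else:
            os.link(first, target)        # same inode, second directory entry
    with open(os.path.join(root, "cur", "1674500001.M2.host:2,S"), "wb") as fh:
        fh.write(b"y" * 1000)             # an ordinary, unlinked message
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        report = hardlink_report(build_demo_maildir(tmp))
        print(report["unique_bytes"], report["expanded_bytes"],
              round(report["ratio"], 2))
```

The sizes are apparent file sizes (`st_size`), so sparse files, the other explanation raised in the thread, are not accounted for here.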



Max number of NICs

2023-01-23 Thread Lars Bonnesen
How many physical NICs can you add to an OpenBSD host (vmx)

I am asking because I am running an OpenBSD on a VMware host but apparently
OpenBSD can only see 8 of them.

Can I raise the limit somehow?

Regards, Lars.


Re: Max number of NICs

2023-01-23 Thread Tom Smyth
as far as I know Vmware has a limit of 10 nics ...  per vm
can you send on a dmesg... of the machine you are running...

have you tried setting the  nic type to Intel Pro1000 as a test ?

On Mon, 23 Jan 2023 at 23:09, Lars Bonnesen  wrote:
>
> How many physical NICs can you add to an OpenBSD host (vmx)
>
> I am asking because I am running an OpenBSD on a VMware host but apparently
> OpenBSD can only see 8 of them.
>
> Can I raise the limit somehow?
>
> Regards, Lars.



-- 
Kindest regards,
Tom Smyth.



Re: Max number of NICs

2023-01-23 Thread Łukasz Moskała



On 23 January 2023 23:54:21 CET, Lars Bonnesen wrote:
>How many physical NICs can you add to an OpenBSD host (vmx)
>
>I am asking because I am running an OpenBSD on a VMware host but apparently
>OpenBSD can only see 8 of them.
>
>Can I raise the limit somehow?
>
>Regards, Lars.


I think that some time ago there was the same question here on misc@, and if I 
remember correctly the workaround was to allow VLAN tagging on virtual 
interface, then use VLANs on VM with only one interface.

--
Łukasz Moskała



Re: Max number of NICs

2023-01-23 Thread Theo de Raadt
Łukasz Moskała  wrote:

> On 23 January 2023 23:54:21 CET, Lars Bonnesen wrote:
> >How many physical NICs can you add to an OpenBSD host (vmx)
> >
> >I am asking because I am running an OpenBSD on a VMware host but apparently
> >OpenBSD can only see 8 of them.
> >
> >Can I raise the limit somehow?
> >
> >Regards, Lars.
> 
> 
> I think that some time ago there was the same question here on misc@, and if 
> I remember correctly the workaround was to allow VLAN tagging on virtual 
> interface, then use VLANs on VM with only one interface.


There is a very low-level concern about limited interrupt vectors. There
are other low-level issues in various drivers.  The question cannot be
answered because there are insufficient details in the question, and
even if sufficient details were provided, I do not believe there is
anyone who is going to do the investigation to provide a precise and
accurate answer.

I'm being fair...



Re: Panic in 7.2 and snapshots at boot due to acpi bios error

2023-01-23 Thread Jason Tubnor




From: owner-m...@openbsd.org  on behalf of Jeff Roach 

Sent: Monday, 23 January 2023 9:08 PM
To: misc@openbsd.org 
Subject: Panic in 7.2 and snapshots at boot due to acpi bios error 
 
Hi!  Really love OpenBSD and would like to get it working on my Samsung
Galaxy Book Flex2 Alpha.  NP730QDA-KA3US.  Just offering this up because I
can't send a dmesg.  

I believe it may be a bug in the acpi bios code for which there is no
firmware update.  It boots, linux, win 10/11, net and freebsds fine with
acpi errors.  


We hit this in the Lenovo ThinkStation m70s Gen 3 during hardware validation. A 
workaround was provided and allowed for more data to be sent but the workaround 
was not deemed to be acceptable.

Here is the original bug and thread:

https://marc.info/?l=openbsd-bugs&m=166674319711567&w=2

Good to see that it isn't only a Lenovo thing.



Re: Max number of NICs

2023-01-23 Thread Nick Holland

On 1/23/23 17:54, Lars Bonnesen wrote:
> How many physical NICs can you add to an OpenBSD host (vmx)
>
> I am asking because I am running an OpenBSD on a VMware host but apparently
> OpenBSD can only see 8 of them.
>
> Can I raise the limit somehow?
>
> Regards, Lars.


many years ago (back in the 3.x days, iirc), someone asked me to jam
a machine full of NICs and see what happened.

Four 4-port dc(4) NICs (16 ports) plus one 3com 3c905 on the main
board later, I saw no issues, but then I lacked any use for a 17 port
machine.  If I recall properly, the person who asked me to do it was
expecting some kind of issue, but when I told him they were dc(4)s,
he was disappointed and said, "Well, of course those will work".

I had a machine for a while with something like ten or
eleven em(4)s in it, I had fired it up, don't recall seeing any
problems with it identifying all the ports (in fact, iirc, it found
a port on the MoBo that was not extended to the outside).  Again,
no issue, but after staring at the power hungry box for many years
and never doing anything with it, it finally got recycled.  Again,
that was many releases ago...so not sure how it applies today.

Current FW box is an old citrix appliance with a six port NIC and two
onboard ports, for eight em(4)s.

Nick.