Re: chmod change means dump(8) the file
On Thu, Jan 26, 2023 at 12:18:45AM +0100, Jan Stary wrote:
> I have a large /media disk that I backup nightly using dump(8):
> full level 0 on the Sun/Mon night, incrementals through the week.
> The level 0 dump is huge, the incrementals are usually trivial
> unless I add something to /media.
>
> Yesterday I chmod'd a lot of the files, without making any other change.
> That resulted in a huge level 2 dump; I suppose a chmod change counts
> as a changed file, so they all got dumped anew, even though the content
> of the file(s) has not changed.

The filesystem has no way to tell that, e.g. there could be rm followed by inode re-use. So dump *has* to be conservative and consider both mtime and ctime changes.

	-Otto

> Is that intentional? It seems there is a lot of space to be saved
> if it's "only" the metadata that have changed. Is that decided by
> simply looking at the stat(2)? In particular, newer ctime is
> just as good a reason to dump the _content_ as newer mtime?
>
> Jan
>
Re: chmod change means dump(8) the file
On Wed, Jan 25, 2023 at 4:35 PM Jan Stary wrote:
> On Jan 26 00:18:45, h...@stare.cz wrote:
> > I have a large /media disk that I backup nightly using dump(8):
> > full level 0 on the Sun/Mon night, incrementals through the week.
> > The level 0 dump is huge, the incrementals are usually trivial
> > unless I add something to /media.
> >
> > Yesterday I chmod'd a lot of the files, without making any other change.
> > That resulted in a huge level 2 dump; I suppose a chmod change counts
> > as a changed file, so they all got dumped anew, even though the content
> > of the file(s) has not changed.
> >
> > Is that intentional? It seems there is a lot of space to be saved
> > if it's "only" the metadata that have changed. Is that decided by
> > simply looking at the stat(2)? In particular, newer ctime is
> > just as good a reason to dump the _content_ as newer mtime?
>
> Seems so:
>
> /* Determine if given inode should be dumped */
> [...]
> if (CHECKNODUMP(dp) &&
>     (DIP(dp, di_mtime) >= spcl.c_ddate ||
>      DIP(dp, di_ctime) >= spcl.c_ddate)) {

Right: if the ctime is newer than the previous backup then you don't know what else has changed: the contents could have been modified and then the file's mtime backdated to before the previous backup. At that point the ctime is the only indicator that the file no longer matches its backup.

(Of course, the second problem that follows from that limitation is that the 'dump' format doesn't have a way to record inode-only info (like mode, times, and flags) without also recording the file contents. So, even if the filesystem provided enough info for dump to know that only the file's mode had been changed, there's nothing it can do about it other than back up the entire file.)

Philip Guenther
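The two cases argued in this thread (Otto's point that dump(8) must treat a ctime change as conservatively as an mtime change, and Philip's case of a content change followed by a backdated mtime), as an added example that is not from the thread or from dump(8) itself. should_dump() restates the condition quoted above using stat(2) fields; the demo_* functions, the mtime-only comparison and the scratch file under /tmp are this example's own constructions.

```c
#define _DEFAULT_SOURCE
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <time.h>
#include <unistd.h>

/* should_dump() restates the condition quoted from dump(8) above with
 * stat(2) fields: dump when mtime or ctime is at or after the date of the
 * previous dump (spcl.c_ddate in dump's source). */
int
should_dump(const struct stat *st, time_t ddate)
{
	return st->st_mtime >= ddate || st->st_ctime >= ddate;
}

/* The cheaper policy the original poster hoped for: look at mtime only. */
int
should_dump_mtime_only(const struct stat *st, time_t ddate)
{
	return st->st_mtime >= ddate;
}

/* Set atime/mtime to an hour before the previous dump. ctime cannot be set
 * from userland: utimes(2), like chmod(2), bumps it to the current time. */
static int
backdate(const char *path, time_t ddate)
{
	struct timeval tv[2] = { { ddate - 3600, 0 }, { ddate - 3600, 0 } };
	return utimes(path, tv);
}

/* The thread's case: mode changed, content untouched, mtime still old. */
static int
mutate_chmod_only(const char *path, time_t ddate)
{
	return backdate(path, ddate) == 0 ? chmod(path, 0640) : -1;
}

/* Philip's case: content changed, then mtime backdated to hide it. */
static int
mutate_write_then_backdate(const char *path, time_t ddate)
{
	int fd = open(path, O_WRONLY | O_APPEND);
	ssize_t n = fd == -1 ? -1 : write(fd, "tampered\n", 9);
	if (fd != -1)
		close(fd);
	return n == 9 ? backdate(path, ddate) : -1;
}

/* Control: nothing changed after the previous dump. */
static int
mutate_nothing(const char *path, time_t ddate)
{
	(void)path; (void)ddate; return 0;
}

/* Create a scratch file (constructed under /tmp), apply one mutation and
 * return both verdicts as a bitmask: bit 0 = dump's check, bit 1 = the
 * mtime-only check. Returns -1 on any OS error. */
static int
run_scenario(time_t ddate, int (*mutate)(const char *, time_t))
{
	char path[] = "/tmp/dump-ctime-demo.XXXXXX";
	struct stat st;
	int fd, result = -1;

	if ((fd = mkstemp(path)) == -1)
		return -1;
	if (write(fd, "original content\n", 17) == 17 &&
	    mutate(path, ddate) == 0 && stat(path, &st) == 0)
		result = should_dump(&st, ddate) |
		    (should_dump_mtime_only(&st, ddate) << 1);
	close(fd);
	unlink(path);
	return result;
}

/* Previous dump an hour ago, then chmod: dump says yes, mtime-only no (1). */
int demo_chmod_only(void)
{ return run_scenario(time(NULL) - 3600, mutate_chmod_only); }

/* Previous dump an hour ago, content changed and mtime backdated (1). */
int demo_write_then_backdate(void)
{ return run_scenario(time(NULL) - 3600, mutate_write_then_backdate); }

/* Previous dump notionally after the file was last touched (0). */
int demo_untouched(void)
{ return run_scenario(time(NULL) + 3600, mutate_nothing); }

int main(void)
{
	printf("chmod only: %d, write+backdate: %d, untouched: %d\n",
	    demo_chmod_only(), demo_write_then_backdate(), demo_untouched());
	return 0;
}
```

In both non-trivial scenarios the mtime-only policy would skip the file, and in the second one it would silently skip changed content; only the ctime term catches it.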
Re: chmod change means dump(8) the file
On Jan 26 00:18:45, h...@stare.cz wrote:
> I have a large /media disk that I backup nightly using dump(8):
> full level 0 on the Sun/Mon night, incrementals through the week.
> The level 0 dump is huge, the incrementals are usually trivial
> unless I add something to /media.
>
> Yesterday I chmod'd a lot of the files, without making any other change.
> That resulted in a huge level 2 dump; I suppose a chmod change counts
> as a changed file, so they all got dumped anew, even though the content
> of the file(s) has not changed.
>
> Is that intentional? It seems there is a lot of space to be saved
> if it's "only" the metadata that have changed. Is that decided by
> simply looking at the stat(2)? In particular, newer ctime is
> just as good a reason to dump the _content_ as newer mtime?

Seems so:

/* Determine if given inode should be dumped */
[...]
if (CHECKNODUMP(dp) &&
    (DIP(dp, di_mtime) >= spcl.c_ddate ||
     DIP(dp, di_ctime) >= spcl.c_ddate)) {
chmod change means dump(8) the file
I have a large /media disk that I backup nightly using dump(8):
full level 0 on the Sun/Mon night, incrementals through the week.
The level 0 dump is huge, the incrementals are usually trivial
unless I add something to /media.

Yesterday I chmod'd a lot of the files, without making any other change.
That resulted in a huge level 2 dump; I suppose a chmod change counts
as a changed file, so they all got dumped anew, even though the content
of the file(s) has not changed.

Is that intentional? It seems there is a lot of space to be saved
if it's "only" the metadata that have changed. Is that decided by
simply looking at the stat(2)? In particular, newer ctime is
just as good a reason to dump the _content_ as newer mtime?

	Jan
Re: OpenBSD as a transparent switch filter
Hi Christian,

if you have Port 20 and 21 isolated from each other ... ie in the same protected port group 0 on the switch... and ports 1-19 in a separate protected port group eg 1
ports 1-19 can talk to either 20 or 21 and ports 20-21 cannot talk to each other (loop avoidance)
then in OpenBSD Bridge you can add em0 and em1 to the same protected port group eg 3
you can do your filtering then...

However... you have to contend with mac flaps on your OpenBSD Bridge (as broadcast traffic from clients will mean that client macs will be learned on both em0 and em1)

another option and more granularly controllable ... to create 19 vlans...
port 1 vlan1, access (untagged)
port 2 vlan2 access (untagged)
port 3 vlan3 access (untagged)
...
..
port 19 vlan 19 access (untagged)
make port 20 a trunk (tagged) port on the switch
create 19 vlan interfaces in OpenBSD
bridge them all together with port isolation or filtering
you get around the hairpinning etc...
but your openbsd box will suffer if there is lots of broadcast traffic (copying frames to multiple ports can be challenging for your CPU)

but if you are doing line rate stuff... you may just want to look at vlan maps / Vlan ACLs... (extend acls...) ... on the switch...

one piece of advice... on this non standard layer 2 stuff (port isolation on the switch and bridge is your friend always... in avoiding loops...
watch the logs of the switch and cpu.. if the mac flaps are happening you will see your switch logs (usually) moan about it
watch your mac address table size and your hardware capacity on your switch...with this stuff... (know your switch hardware capacity and specs)

i hope this helps...

On Wed, 25 Jan 2023 at 15:14, Cristian Danila wrote:
> Thank you so much Tom and David for giving me ideas where I can dig more.
> Definitely it is a good start in this journey and I am researching more.
> I have exact same situation with Wireless, for the moment all the clients
> are
> isolated but I need to achieve the same, to filter between them.
> I am evaluating also another idea(possible bad idea) like this:
>
> Switch having all the clients able to talk only with 2 ports: port 20
> and 21 but port 20 and 21 cannot talk direct
> Having BSD setup with two NIC's em0 and em1 as transparent filter: veb,
> em0 connected to port 20
> em1 connected to port 21
>
> In short the only possible way to pass frames from one device to
> another is just through port 20 and 21
>
> I am aware about headache related to possible loops but I am curious
> if it will work.
>
>
> On Wed, Jan 25, 2023 at 2:33 PM Tom Smyth wrote:
> >
> > Hey David...
> > (I have learned so much from you over the years and used your gear so
> maybe I can give a little back on this one )
> >
> > "Correct use of Proxy arp" Gateway of layer 2 isolated network...
> > clients cannot see or hear each others arp traffic or discovery traffic
> or other broadcast nasties
> > so gateway knows everyones correct arp entry (because it can see
> everyone and everyone can see the gateway)
> > gateway knows correct arp entries for 2 example clients clienta and
> clientb
> >
> > if client a wants to talk to client b ...they are isolated in layer 2
> ...so arp between them is not possible...
> > enable proxy arp on gateway client a asks for clientbs mac address in
> an arp request
> > gateway responds to client a with gateway mac address for clientb Ip
> address
> > client a sends traffic for client b ip to gateway.mac .. gateway routes
> the traffic to client b ip via its connected route and correct arp address
> for client b
> > client B asks for clienta mac address... in an arp request...
> > gateway responds with an arp reply for clienta IP with its own mac
> address
> > client b sends traffic to client a ip to the gateway mac address,
> > gateway routes the traffic to client a via its connected route + correct
> arp entry for client a
> >
> > ---
> > proxy arp is (kindof) useful in a lan gateway (LAN interface only) where
> the IT admin hasnt a handle on routing and gives vpn clients an IP in the
> same range as the Lan in the office..
> > Proxy arp allows the gateway to respond to arp requests for the vpn
> client IP... (but it is no substitute for teaching an IT person how to
> route and design/ number networks)
> >
> > ---incorrect use of proxy arp-
> > EVERYWHERE ELSE ... (sorry for shouting )
> >
> > ps I hate proxy arp ... but it is useful in allowing client - client
> communications while minimising broadcast waste of bandwidth (on large
> wireless access networks)
> >
> >
> >
> >
> > On Tue, 24 Jan 2023 at 23:53, David Gwynne wrote:
> >>
> >>
> >>
> >> > On 25 Jan 2023, at 09:47, Tom Smyth wrote:
> >> >
> >> > Hi David is that like a local proxy arp type setup (on typical
> >> > networking gear) .. ?
> >>
> >> I’ve never had a clear idea about what proxy ARP is, and the only time
> it comes up in conversation is when people complain about p
Re: httpd(8) request rewrite - 500 internal server error
Oh. I should add that if all you want is a static redirect, this is a simpler way of making that work. The first example I gave is in case you want to redirect the contents of "/from/" as well.

server "localhost" {
	listen on 127.0.0.1 port 80
	location "/from/" {
		block return 302 "$REQUEST_SCHEME://$HTTP_HOST/to/"
	}
}

-- 
https://www.anthes.is/
Re: httpd(8) request rewrite - 500 internal server error
On 23/01/25 11:20, Lévai, Dániel wrote:
> Hi all,
>
> I was trying to do a basic path rewrite in httpd(8) on 7.2-stable, and I just
> can't see what I'm missing:
>
> httpd.conf:
> server "host" {
> 	listen on egress port 12345
>
> 	root "/htdocs"
>
> 	location "/" {
> 		request rewrite "/to/"
> 	}
> 	location "/*" {
> 		directory auto index
> 	}
> }
>
>
> Using http://host:12345/ slaps me with 500:
>
> server_response: rewrote /? -> /to/?
> "GET / HTTP/1.1" 500 0
> , /to/ (500 Internal Server Error)
>
>
> Accessing http://host:12345/to/ directly works, however:
>
> "GET /to/ HTTP/1.1" 200 538
> "GET /favicon.ico HTTP/1.1" 404 0
> , /favicon.ico (404 Not Found)
>
>
> I thought maybe it was iffy because of the location containing only a slash
> (/), but using anything else like...:
> location "/from/" {
> 	request rewrite "/to/"
> }
>
> ... gives 500 too when accessing http://host:12345/from/
> Tried playing around with (adding/removing) the trailing '/' from the paths,
> but still no luck. I even tried the example at the end of httpd.conf(5) with
> "location match" and pattern/captures, but still the same.
>
> But "request rewrite" must be clearly working somehow, I just can't see
> what's missing.
>
> Any tips would be greatly appreciated!
>
>
> Daniel
>

If you're curious about the lower level details behind my explanation, /usr/src/usr.sbin/httpd/server_file.c and /usr/src/usr.sbin/httpd/server_http.c are enlightening here (though I might add that I don't actually know C; I pieced this together by reading httpd(8) and httpd.conf(5), and using my more general programming knowledge to infer some things).

The first thing I have to say is this: what reason is there for using "request rewrite" over "block return"? httpd has distinct behavior for both, and that means certain things may work differently from how you expect them to.

When using "request rewrite", that path is exact, and a final authority in a sense. httpd is trusting that you know precisely where you're sending the client. That means it's going to interpret what you tell it very literally, since modifying a rewritten request carries more risk, and perform a file access test. If httpd doesn't like the results of that test because the place you pointed it to is actually a directory, it'll throw a 500 Internal Server Error. This is one rewritten request, followed by one response.

When using "block return" with a destination URI, httpd does more than this. It will immediately close the connection and send an error page along with an HTTP Location header. This is the first request, followed by the first response. Then the client may honor the Location header in the response and follow the redirection. This is the second request, soon followed by a second response.

Due to differences in the way that "block return" operates, one thing httpd can do is append the "directory index file" to the location or path if there's a trailing slash ("index.html" is the default, so "/to/" would result in "/to/index.html" for instance). It can also do directory auto indexing.

All of this is to say that if you don't have a specific reason to use "request rewrite" instead of "block return", let a redirection handle it by using "block return" with either a 301 Moved Permanently or a 302 Found. If you don't know the difference, use a 302 Found for now.

Something like this could work depending on what you want to do (change the server and listen statements to reflect your setup. If you need auto-indexing, add it back in).

server "localhost" {
	listen on 127.0.0.1 port 80
	location match "/from/(.*)" {
		block return 302 "$REQUEST_SCHEME://$HTTP_HOST/to/%1"
	}
}

Note that the default root is "/htdocs", so if that's where you want your stuff to be, you can leave that out. I prefer to create a separate directory since /var/www/htdocs/bgplg exists by default, but that's just me.

-- 
https://www.anthes.is/
Re: Software RAID5 write performance
On 2023-01-24 17:40, Tom Smyth wrote:
> Hi Atanas,
> in general (not specific to RAID5 Softraid in OpenBSD... ) I would advise the following based on my own experience...
> Raid5 in hardware raid generally has poor write performance due to the number of actual writes to disk per write operation to the raid controller ( parity reads and rewrites once you write to disks)
> see https://www.arcserve.com/blog/understanding-raid-performance-various-levels#:~:text=This%20means%20that%20a%20RAID,write%20performance%20is%20NX%2F4.
> because of the number of physical writes per raid device write... Raid5 and SSDs dont really go together... ... unless you like replacing SSD Disks in your arrays...
> suggest meat and potatoes RAID 1 or Raid 10 ... for ssd ... and you then dont suffer write penalties... associated with Raid 5...

Thanks for your reply! It really makes sense, and it looks like I'll switch to RAID1.

Best wishes,
Atanas
Re: Software RAID5 write performance
On 2023-01-24 23:49, Tobias Fiebig wrote:
> Heho,
>
> > So, do you use RAID5 and how it behaves on your side?
>
> Well, you found my reddit post. ;-) Since then, it kind-of became a non-issue (got a somewhat different infrastructure where OpenBSD is mostly in VMs). Still, the yolo-colo raid-10 (don't do that. seriously. At least not if you feel attached to your data or are not that much into restoring full offsite backups) had kind of OK performance.
>
> In any case, i'd like to take a look at that again $somewhen; I have an SSD-Only box sitting around which should make it into a rack in the next couple of weeks/months, and then i can give the raid5 on SSD (just to see where the bottlenecks are) a shot (well, r5-on-virt; But for a test setup, that should be ok-ish)
>
> With best regards,
> Tobias

Thanks, Tobias! I'm really curious about the performance of SSDs, but I can wait. Please take your time, and I hope that you will share some results when the time comes :)

Best wishes,
Atanas
Re: OpenBSD as a transparent switch filter
Thank you so much Tom and David for giving me ideas where I can dig more.
Definitely it is a good start in this journey and I am researching more.
I have exact same situation with Wireless, for the moment all the clients are
isolated but I need to achieve the same, to filter between them.
I am evaluating also another idea(possible bad idea) like this:

Switch having all the clients able to talk only with 2 ports: port 20
and 21 but port 20 and 21 cannot talk direct
Having BSD setup with two NIC's em0 and em1 as transparent filter: veb,
em0 connected to port 20
em1 connected to port 21

In short the only possible way to pass frames from one device to
another is just through port 20 and 21

I am aware about headache related to possible loops but I am curious
if it will work.

On Wed, Jan 25, 2023 at 2:33 PM Tom Smyth wrote:
>
> Hey David...
> (I have learned so much from you over the years and used your gear so maybe I
> can give a little back on this one )
>
> "Correct use of Proxy arp" Gateway of layer 2 isolated network...
> clients cannot see or hear each others arp traffic or discovery traffic or
> other broadcast nasties
> so gateway knows everyones correct arp entry (because it can see everyone
> and everyone can see the gateway)
> gateway knows correct arp entries for 2 example clients clienta and clientb
>
> if client a wants to talk to client b ...they are isolated in layer 2 ...so
> arp between them is not possible...
> enable proxy arp on gateway client a asks for clientbs mac address in an arp
> request
> gateway responds to client a with gateway mac address for clientb Ip address
> client a sends traffic for client b ip to gateway.mac .. gateway routes the
> traffic to client b ip via its connected route and correct arp address for
> client b
> client B asks for clienta mac address... in an arp request...
> gateway responds with an arp reply for clienta IP with its own mac address
> client b sends traffic to client a ip to the gateway mac address,
> gateway routes the traffic to client a via its connected route + correct arp
> entry for client a
>
> ---
> proxy arp is (kindof) useful in a lan gateway (LAN interface only) where the
> IT admin hasnt a handle on routing and gives vpn clients an IP in the same
> range as the Lan in the office..
> Proxy arp allows the gateway to respond to arp requests for the vpn client
> IP... (but it is no substitute for teaching an IT person how to route and
> design/ number networks)
>
> ---incorrect use of proxy arp-
> EVERYWHERE ELSE ... (sorry for shouting )
>
> ps I hate proxy arp ... but it is useful in allowing client - client
> communications while minimising broadcast waste of bandwidth (on large
> wireless access networks)
>
>
>
>
> On Tue, 24 Jan 2023 at 23:53, David Gwynne wrote:
>>
>>
>>
>> > On 25 Jan 2023, at 09:47, Tom Smyth wrote:
>> >
>> > Hi David is that like a local proxy arp type setup (on typical
>> > networking gear) .. ?
>>
>> I’ve never had a clear idea about what proxy ARP is, and the only time it
>> comes up in conversation is when people complain about problems it causes.
>> Do you have a definition of what you think it means before I say yes or no?
>>
>> >
>> > On Tue, 24 Jan 2023 at 23:45, David Gwynne wrote:
>> >>
>> >> I think you can do this on OpenBSD with
>> >> https://github.com/eait-itig/commarp and just routing on em0. I don’t
>> >> think any layer 2 things like bridge or veb are needed, and probably
>> >> won’t work anyway because as Claudio said, they don’t want to hairpin
>> >> anyway.
>> >>
>> >> That code doesn’t have any manpages unfortunately. commarp wants a config
>> >> file saying which interface it should run on and which IPs it should
>> >> intercept ARP for. eg:
>> >>
>> >> $ cat /etc/commarp.conf
>> >> interface em0 {
>> >>	allow 192.168.1.16 - 192.168.1.254
>> >> }
>> >>
>> >> There’s no point rewriting ARP requests for the IP your router is using
>> >> on that subnet, or carp addresses on that subnet, etc.
>> >>
>> >>
>> >>> On 24 Jan 2023, at 22:16, Cristian Danila wrote:
>> >>>
>> >>> HI Tom,
>> >>>
>> >>> I am familiar with options you mentioned, veb, bridge and isolated ports.
>> >>> I am having another transparent filter based of veb also I am aware about
>> >>> protected members but my use case is different.
>> >>>
>> >>> Let me try to explain maybe with different words.
>> >>> OpenBSD box is having only one cable input, so what would be the
>> >>> benefit of having protected members?
>> >>> Protected members are isolating the communication between members of a
>> >>> bridge, in my case
>> >>> I have only one NIC, so if a bridge would be helpful, I can have a
>> >>> bridge with single member,
>> >>> therefore isolating that member from who?
>> >>> OpenBSD box has only one wire connected to a physical switch, so it
>> >>> can communicate with all members
>> >>> of the switch, but the physical switch itself do not permit
>>
Re: syslogd program logging
On 1/24/2023 11:13 PM, Alexis wrote:
> Shouldn't this actually be:
>
> !!dhcpd
> *.*	/var/log/dhcpd
> !*
>
> at the start of the file? At least, that's my reading of syslog.conf(5): the two exclamation marks will cause a match on 'dhcpd' to _only_ result in the listed action (with no further evaluation of the file, and thus no further opportunities for logging to be done), and the '!*' means that further evaluation will happen if there _isn't_ such a match.

Ah, I see now. I was just going from the example in syslog.conf, but this points me in the right direction. Thanks!
Intel nic on Dell R710: failed to allocate interrupt slot for PIC msix
Dear List,

we have problems with Intel nics of type Intel X710 (10 GbE) on a Dell R740. In total we have three nics with four ports each. With the upgrade to OpenBSD 6.8 we lost two ports (ixl11 and ixl12). Now we upgraded iteratively to OpenBSD 7.1 and we lost another port (ixl10). The update to OpenBSD 7.2 is pending, but I don't want to risk losing another port.

Cause seems to be a problem with the interrupt assignment. The relevant dmesg part is as follows:

ixl11 at pci12 dev 0 function 1 "Intel X710 SFP+" rev 0x02: port 2, FW 7.83.59945 API 1.9, ms1
failed to allocate interrupt slot for PIC msix pin -2135686911
ixl11: unable to establish interrupt 1
ixl12 at pci12 dev 0 function 2 "Intel X710 SFP+" rev 0x02: port 0, FW 7.83.59945 API 1.9, ms2
failed to allocate interrupt slot for PIC msix pin -2135686655
ixl12: unable to establish interrupt 1
ixl13 at pci12 dev 0 function 3 "Intel X710 SFP+" rev 0x02: port 1, FW 7.83.59945 API 1.9, ms3
failed to allocate interrupt slot for PIC msix pin -2135686399
ixl13: unable to establish interrupt 1

full dmesg:

Booting from Hard drive C:
Using drive 0, partition 3.
Loading..
probing: pc0 com0 mem[624K 1266M 2M 398M 30720M a20=on]
disk: hd0+
>> OpenBSD/amd64 BOOT 3.53
switching console to com0
>> OpenBSD/amd64 BOOT 3.53
booting hd0a:/bsd: 15639832+3699728+348192+0+1175552 [1126995+128+1220904+924861]=0x17074c0
entry point at 0x81001000
[ using 3273920 bytes of bsd ELF symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993
	The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2022 OpenBSD. All rights reserved.  https://www.OpenBSD.org

OpenBSD 7.1 (GENERIC.MP) #2: Fri Jan 20 13:16:22 MST 2023
    t...@syspatch-71-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 33941528576 (32369MB)
avail mem = 32895590400 (31371MB)
random: good seed from bootblocks
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev.
Re: OpenBSD as a transparent switch filter
Hey David...
(I have learned so much from you over the years and used your gear so maybe I can give a little back on this one )

"Correct use of Proxy arp" Gateway of layer 2 isolated network...
clients cannot see or hear each others arp traffic or discovery traffic or other broadcast nasties
so gateway knows everyones correct arp entry (because it can see everyone and everyone can see the gateway)
gateway knows correct arp entries for 2 example clients clienta and clientb

if client a wants to talk to client b ...they are isolated in layer 2 ...so arp between them is not possible...
enable proxy arp on gateway client a asks for clientbs mac address in an arp request
gateway responds to client a with gateway mac address for clientb Ip address
client a sends traffic for client b ip to gateway.mac .. gateway routes the traffic to client b ip via its connected route and correct arp address for client b
client B asks for clienta mac address... in an arp request...
gateway responds with an arp reply for clienta IP with its own mac address
client b sends traffic to client a ip to the gateway mac address,
gateway routes the traffic to client a via its connected route + correct arp entry for client a

---
proxy arp is (kindof) useful in a lan gateway (LAN interface only) where the IT admin hasnt a handle on routing and gives vpn clients an IP in the same range as the Lan in the office..
Proxy arp allows the gateway to respond to arp requests for the vpn client IP... (but it is no substitute for teaching an IT person how to route and design/ number networks)

---incorrect use of proxy arp-
EVERYWHERE ELSE ... (sorry for shouting )

ps I hate proxy arp ... but it is useful in allowing client - client communications while minimising broadcast waste of bandwidth (on large wireless access networks)

On Tue, 24 Jan 2023 at 23:53, David Gwynne wrote:
>
>
>
> > On 25 Jan 2023, at 09:47, Tom Smyth wrote:
> >
> > Hi David is that like a local proxy arp type setup (on typical
> > networking gear) .. ?
>
> I’ve never had a clear idea about what proxy ARP is, and the only time it
> comes up in conversation is when people complain about problems it causes.
> Do you have a definition of what you think it means before I say yes or no?
>
> >
> > On Tue, 24 Jan 2023 at 23:45, David Gwynne wrote:
> >>
> >> I think you can do this on OpenBSD with
> >> https://github.com/eait-itig/commarp and just routing on em0. I don’t
> >> think any layer 2 things like bridge or veb are needed, and probably won’t
> >> work anyway because as Claudio said, they don’t want to hairpin anyway.
> >>
> >> That code doesn’t have any manpages unfortunately. commarp wants a
> >> config file saying which interface it should run on and which IPs it should
> >> intercept ARP for. eg:
> >>
> >> $ cat /etc/commarp.conf
> >> interface em0 {
> >>	allow 192.168.1.16 - 192.168.1.254
> >> }
> >>
> >> There’s no point rewriting ARP requests for the IP your router is using
> >> on that subnet, or carp addresses on that subnet, etc.
> >>
> >>
> >>> On 24 Jan 2023, at 22:16, Cristian Danila wrote:
> >>>
> >>> HI Tom,
> >>>
> >>> I am familiar with options you mentioned, veb, bridge and isolated
> >>> ports.
> >>> I am having another transparent filter based of veb also I am aware
> >>> about
> >>> protected members but my use case is different.
> >>>
> >>> Let me try to explain maybe with different words.
> >>> OpenBSD box is having only one cable input, so what would be the
> >>> benefit of having protected members?
> >>> Protected members are isolating the communication between members of a
> >>> bridge, in my case
> >>> I have only one NIC, so if a bridge would be helpful, I can have a
> >>> bridge with single member,
> >>> therefore isolating that member from who?
> >>> OpenBSD box has only one wire connected to a physical switch, so it
> >>> can communicate with all members
> >>> of the switch, but the physical switch itself do not permit
> >>> communication between members as explained.
> >>> So it is a desire that OpenBSD box is the one that is making possible
> >>> communication between different
> >>> members of the switch through same wire.
> >>>
> >>> Let me try to draw it, I hope will help more
> >>>
> >>> DEVICE1 DEVICE2 DEVICE3
> >>>| | |
> >>>| | |
> >>> ---
> >>> PORT1 PORT2PORT3 PORT 20
> >>> | | |_|
> >>> | |_ |
> >>> |__ |
> >>> PHISICAL SWITCH DEVICE |
> >>> ---|
> >>> |
> >>> |
> >>> |
> >>> OPEN BSD BOX
> >>>
> >>>
> >>> Thank you.
> >>>
> >>>
> >>> On
httpd(8) request rewrite - 500 internal server error
Hi all,

I was trying to do a basic path rewrite in httpd(8) on 7.2-stable, and I just
can't see what I'm missing:

httpd.conf:
server "host" {
	listen on egress port 12345

	root "/htdocs"

	location "/" {
		request rewrite "/to/"
	}
	location "/*" {
		directory auto index
	}
}


Using http://host:12345/ slaps me with 500:

server_response: rewrote /? -> /to/?
"GET / HTTP/1.1" 500 0
, /to/ (500 Internal Server Error)


Accessing http://host:12345/to/ directly works, however:

"GET /to/ HTTP/1.1" 200 538
"GET /favicon.ico HTTP/1.1" 404 0
, /favicon.ico (404 Not Found)


I thought maybe it was iffy because of the location containing only a slash
(/), but using anything else like...:
location "/from/" {
	request rewrite "/to/"
}

... gives 500 too when accessing http://host:12345/from/
Tried playing around with (adding/removing) the trailing '/' from the paths,
but still no luck. I even tried the example at the end of httpd.conf(5) with
"location match" and pattern/captures, but still the same.

But "request rewrite" must be clearly working somehow, I just can't see
what's missing.

Any tips would be greatly appreciated!


Daniel
mg: problem with large directory names and open new file
Hi folks,

If I have opened a file in a subdirectory with a very long path (larger than the terminal width) and if I try to open a new file using ^x^f, then mg seems to be confused. The long path is cut off in the Find File dialog. Only the first chars are shown. The filename I enter is not shown while typing. I have to use ^a^e in the dialog buffer to refresh it.

Do you think the input string in the Find File dialog could be scrolled horizontally instead?

Terminal is an xterm 80x24. No UTF-8 or other peculiarities are involved.

Sample session:

mkdir -p /tmp/axaxaxaxaxaxax
ls -1a >/tmp/axaxaxaxaxaxax/x1.txt
find . -print >/tmp/axaxaxaxaxaxax/x2.txt
mg /tmp/axaxaxaxaxaxax/x1.txt
# try to open x2.txt using ^x^f

Regards
Harri