Re: Request for Funding our Electricity

2014-01-15 Thread Gilles LAMIRAL

Dear Theo,


> Don't we do enough?


You already do too much.


> Regarding the swag.  The entire OpenBSD project now probably gets 1/4
> of revenue out of CD


Why don't you do for the website software downloads what you do for the CDs?
Make users pay for the downloads from the official website as you make them pay for
the CDs.
No need to change the license.
No need to care about parallel free downloads; they will be there soon
for poor users or smart users that can type "openbsd download" in a search
engine.
Add a lifetime of OpenBSD updates without extra payment (a mailing list can
announce them).
Add a 30-day money-back guarantee! (any reason qualifies).
Add an invoice.


> Would that work every year?


Every day.


> I doubt mindshare of this sort works repeatedly.


No doubt it will work, but I guess I'm the only one on earth to know that.
Of course, I already hear all possible arguments claiming it can't work,
it won't be free/open software anymore, etc.
OpenBSD just won't be gratis from the homepage, that's all.

It has worked for me for more than three years for a very small piece of software, much worse,
much smaller and less well known than the OpenBSD system.

It's buying OpenBSD CDs that made me think about this business model.
I'm lazy, so I didn't want the hard work of building and sending CDs.

Numerically it works 100 times (yes, a hundred times) better than a permanent
call for donations;
that's what I measured (how surprising!) and what I still benefit from every day.

You won't have to sell CDs or T-shirts anymore, just code, pay for
electricity and coders.


--
Au revoir, 09 51 84 42 42
Gilles Lamiral. France, Baulon (35580) 06 20 79 76 06



Re: Using hostnames in pf rules

2013-03-18 Thread Gilles LAMIRAL
Hi all,

> make a table, and have cron update the contents of this table with the
> result of the latest resolved ip.

Thanks all three for your answers.

-- 
Au revoir, 09 51 84 42 42
Gilles Lamiral. France, Baulon (35580) 06 20 79 76 06 



Using hostnames in pf rules

2013-03-15 Thread Gilles LAMIRAL
Hello,

I need to use a hostname in a pf rule to allow a connection.
The hostname is needed because the resolution is dynamic;
it can change at any minute (TTL 60).

Is there a flag to tell pf to resolve the name each time it tries to match this
part?
The domain name server is trusted and close to (fast for) the pf host,
and the rules are written so that this rule is not read often.
There's no problem if pf slows down because of name resolution times.
I've seen I can do it with an anchor and a script flushing/adding the hostname
every minute or less;
I'm asking if there's a less complicated and more understandable way (when reading
pf.conf).

Thanks in advance.

-- 
Au revoir, 09 51 84 42 42
Gilles Lamiral. France, Baulon (35580) 06 20 79 76 06 
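The table-plus-cron approach suggested in the reply above, as an added example that is not code from the thread: a script cron runs every minute (the TTL is 60) that re-resolves the hostname and replaces the pf table contents, keeping the last good set when DNS fails. The table name, the hostname and the pf.conf rule are placeholders.

```shell
#!/bin/sh
# pf-dynhost.sh HOSTNAME TABLE
# Re-resolve HOSTNAME and make pf table <TABLE> contain exactly its
# current A records. Meant for cron, e.g. once a minute:
#   * * * * * /usr/local/sbin/pf-dynhost.sh dynamic.example.org dynhost
# Assumed pf.conf (placeholders, not from the thread):
#   table <dynhost> persist
#   pass in quick on egress proto tcp from <dynhost> to (egress) port 22

# Keep only "... has address A.B.C.D" lines from host(1) output, ignoring
# CNAME, MX and IPv6 lines, and emit a sorted, de-duplicated address list.
extract_ipv4() {
    awk '$2 == "has" && $3 == "address" &&
         $4 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $4 }' |
    LC_ALL=C sort -u
}

sync_table() {
    host="$1"
    table="$2"
    addrs=$(host -t A "$host" 2>/dev/null | extract_ipv4)
    # A failed or empty lookup must not empty the table: that would silently
    # block the connection the rule exists to allow, and a DNS outage should
    # not look like a firewall change. Keep the last good set and log it.
    if [ -z "$addrs" ]; then
        logger -t pf-dynhost "no A record for $host, keeping <$table> as is"
        return 1
    fi
    # -T replace swaps the whole table for this set in one operation, so
    # stale addresses disappear and new ones appear together.
    # shellcheck disable=SC2086
    pfctl -q -t "$table" -T replace $addrs
    logger -t pf-dynhost "<$table> = $(printf '%s' "$addrs" | tr '\n' ' ')"
}

# Run only when invoked with arguments, so the helpers can also be sourced.
if [ $# -ge 2 ]; then
    sync_table "$1" "$2"
fi
```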



Crash while loading pf.conf (quick in a load balance rule)

2012-12-20 Thread Gilles LAMIRAL
Hello,

I encountered an issue loading a pf.conf file.
The syntax is correct but the loading crashed the system.
It happened in production via a network connection.

The issue is reproducible and I attach a simplified pf.conf that still causes the
crash.
The system is now offline; I can play with it for several days in case
you're interested in debugging the issue, by giving me directives or patches.
I'm not skilled enough to fix it myself in the source code.

No problem if you're not interested in debugging it; maybe it's
already fixed in the current release. Maybe the rule itself is silly,
but it shouldn't cause a crash.

Thanks in advance.

The kernel is the default one from a 5.2 install on i386

# uname -mrsv
OpenBSD 5.2 GENERIC#278 i386


The output from the console via serial port is:

root:~ 1# uvm_fault(0xd0a36200, 0xa64a000, 0, 1) - e
kernel: page fault trap, code=0
Stopped at  pf_test_rule+0x82a: movl 0(%edx),%eax
ddb

I'm not sure what I can safely do with this ddb prompt.

It looks like the crash comes from the "quick" in the load balance rule:
pass in quick log on $int_if1 from $lan_if1 route-to ...

Here is the complete pf.conf that causes the crash:

  cat /etc/pf.conf_both_up_bad 

#   $OpenBSD: pf.conf_both_up,v 1.2 2012/11/29 15:47:27 root Exp $

ext_if1=em3
ext_if2=em2

ext_gw1=192.168.103.1
ext_gw2=192.168.102.1

int_if1=em0
lan_if1=192.168.100.0/24

set skip on { lo em1 }

pass log

# Masquerading
pass out quick log on $ext_if1 proto { tcp udp icmp } from $lan_if1 to any nat-to ($ext_if1) modulate state (if-bound)
pass out quick log on $ext_if2 proto { tcp udp icmp } from $lan_if1 to any nat-to ($ext_if2) modulate state (if-bound)

#  load balance outgoing traffic from internal network.
pass in quick log on $int_if1 from $lan_if1 route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin sticky-address

#  route packets from any IPs on $ext_if1 to $ext_gw1 and the same for $ext_if2 and $ext_gw2
pass out log quick on $ext_if1 from $ext_if2 route-to ($ext_if2 $ext_gw2)
pass out log quick on $ext_if2 from $ext_if1 route-to ($ext_if1 $ext_gw1)

pass out quick log
# end

-- 
Au revoir, 09 51 84 42 42
Gilles Lamiral. France, Baulon (35580) 06 20 79 76 06 



Re: route -mpath and ping -I issue (with no pf)

2012-11-25 Thread Gilles LAMIRAL
Hello,

>> Do you have any explanation for this routing inversion
>> or a workaround/good practice to have a ping -I always working as intended?
>
> This is working as intended..

The ping always works without the -I for the same destination:
no pf, no multiple routing tables, just a classic routing table.
The kernel sets the right source address from the routing table.
In the case of ping -I the kernel makes a choice, and this choice
is always right or always wrong depending on the order in which the table was built,
for the same destination. It could be smarter. Let's forget it.

-- 
Au revoir, 09 51 84 42 42
Gilles Lamiral. France, Baulon (35580) 06 20 79 76 06 



route -mpath and ping -I issue (with no pf)

2012-11-24 Thread Gilles LAMIRAL
Hello,

I'm currently testing multipath routing on OpenBSD 5.2.
It works basically, but I encounter an issue with ping -I depending on the
order in which the default routes are set.

The context:
interface em2: ip 192.168.102.2 gw 192.168.102.1
interface em3: ip 192.168.103.2 gw 192.168.103.1

In 3 separate windows I run a different ping to the same internet host:

window1: ping 91.121.112.202
window2: ping -I 192.168.102.2 91.121.112.202
window3: ping -I 192.168.103.2 91.121.112.202

The scenario that works for all 3 pings is:

pfctl -d
sysctl net.inet.ip.multipath=1
route flush
route add -mpath default 192.168.103.1
route add -mpath default 192.168.102.1

The scenario that fails for the two ping -I
is the same as above except for the route order:

pfctl -d
sysctl net.inet.ip.multipath=1
route flush
route add -mpath default 192.168.102.1
route add -mpath default 192.168.103.1

When I run tcpdump on each interface I see that
when it fails the ping -I packets are just going out on the wrong interface,
even though the routing table indicates the contrary.

root@edsbull:~ 41# tcpdump -n -i em2 icmp
tcpdump: listening on em2, link-type EN10MB
22:40:33.329554 192.168.103.2 > 91.121.112.202: icmp: echo request
22:40:34.339509 192.168.103.2 > 91.121.112.202: icmp: echo request
22:40:35.349485 192.168.103.2 > 91.121.112.202: icmp: echo request

root@edsbull:~ 136# tcpdump -n -i em3 icmp
tcpdump: listening on em3, link-type EN10MB
22:41:00.918982 192.168.102.2 > 91.121.112.202: icmp: echo request
22:41:01.928939 192.168.102.2 > 91.121.112.202: icmp: echo request
22:41:02.938915 192.168.102.2 > 91.121.112.202: icmp: echo request


root@edsbull:~ 89# netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags   Refs  Use    Mtu  Prio Iface
default            192.168.102.1      UGSP       4  592      -     8 em2
default            192.168.103.1      UGSP       1  483      -     8 em3
127.0.0.1          127.0.0.1          UH         0    0  33196     4 lo0
192.168.102/24     link#3             UC         1    0      -     4 em2
192.168.102.1      00:00:e8:12:43:21  UHLc       1    0      -     4 em2
192.168.103/24     link#4             UC         2    0      -     4 em3
192.168.103.1      00:07:cb:22:f8:52  UHLc       1    0      -     4 em3

Do you have any explanation for this routing inversion 
or a workaround/good practice to have a ping -I always working as intended?

Thanks in advance.

-- 
Au revoir, 09 51 84 42 42
Gilles Lamiral. France, Baulon (35580) 06 20 79 76 06 



copying software from the official iso

2006-03-24 Thread Gilles LAMIRAL
Hello,

Can I do a

dd if=/dev/cdrom of=obsd.iso

and redistribute it?
(with the audio track left out)

-- 
Au revoir,02 99 64 31 77
  06 20 79 76 06
Gilles Lamiral. France, Chavagne (35310)  08 72 27 33 66



Re: Two internet connections, carp and tun

2006-01-03 Thread Gilles LAMIRAL
Hello,

> You should consider getting more public IP addresses as you need three
> public addresses on each external connection, ideally.

I can't.  But I can put the two external interfaces on the
same physical lan and add ip alias addresses. I can also
plug other interfaces on the external lans since I have 5
physical interfaces on each box.

+----+      +----------+
| c1 |------| Internet |
+----+      +----------+
               |    |
            +----------+
            | carp if  |
            +----------+
               |    |
           +-----+  +-----+
           | ob1 |  | ob2 |
           +-----+  +-----+
               |    |
            +----------+
            | carp if  |
            +----------+
                 |
              +-------+
              | smtp1 |
              +-------+

> You could look at the pf I posted a couple of days ago, there is one
> slight problem with it and sending existing states, but everything else
> appears ok.

I thank you very much for the link.

The problem now is that ob1 and ob2 have two different
internet connections:

- ob1 runs pppoe and gets its internet address via a tun0
interface on a physical sis0 interface.

- ob2 is behind an ADSL box doing the internet access and
has an intRAnet address (on sis0), but everything arriving
on the real public address is forwarded to ob2, so we can
consider its intranet address 192.168.3.1 equivalent to
the internet address.

So now the question is: how can I tell ob2 and ob1 to have a
working carp address on ob1's tun0? Maybe I can't.

Thanks in advance.

-- 
Au revoir,02 99 64 31 77
  06 20 79 76 06
Gilles Lamiral. France, Chavagne (35310)  08 72 27 33 66



Two internet connections, one intranet server.

2005-12-30 Thread Gilles LAMIRAL
Hello,

I have 2 internet connections.
Each one is handled by an OpenBSD system.
Each one has an intERnet address.
Each one does NAT for the intRAnet hosts.
I have an SMTP server (not OpenBSD) inside the intRAnet;
its IP address is, for example, 192.168.35.3.
I want the SMTP server to be reachable through both
public addresses on the internet.
What can I do?

I want c1 to be able to connect directly to the smtp1 host
via ob1 or via ob2 depending on the IP used (ob1's or ob2's).

  +----+      +----------+
  | c1 |------| Internet |
  +----+      +----------+
                 |    |
             +-----+  +-----+
             | ob1 |  | ob2 |
             +-----+  +-----+
                 |____|
                   |
                +-------+
                | smtp1 |
                +-------+

Thanks in advance.

-- 
Au revoir,02 99 64 31 77
  06 20 79 76 06
Gilles Lamiral. France, Chavagne (35310)  08 72 27 33 66