Re: segfault with stripped lib, works fine when non-stripped
Hey,

On Tue, Jan 5, 2016 at 7:38 AM, Stuart Henderson <s...@spacehopper.org> wrote:
> On 2016-01-04, Jeremie Le Hen <j...@freebsd.org> wrote:
>> Hi,
>>
>> Yeah... when you read that subject you probably had this weird gaze ô_Ò
>> like I did when I came to that conclusion.
>>
>> I've been experiencing segfaults in milter-greylist on one of my MX
>> running OpenBSD for a while. I contacted Stuart (cc'ed) about 6 months
>> ago about this, but gave up because I couldn't manage to compile
>> everything with the debugging symbols. This time after much struggle to
>> compile the ports chain with them, I finally managed to run
>> milter-greylist in gdb(1) with the hope to witness the live crash and
>> get a detailed stacktrace...
>>
>> Except that even after tinkering with Postfix, it never happened. This simply
>> worked fine. So after some more tinkering I came to the following
>> conclusion: if I run strip(1) on /usr/local/lib/libbind/libbind.so.5.0
>> to remove the debugging symbols, then it will crash with the stacktrace
>> below.
>
> libbind in the package isn't stripped either, it's just that it isn't built
> with debug symbols. So I'm not sure what's going on there.
>
> Note for anyone else looking: this is all rather dirty because there are
> conflicts between symbols in libc and libbind. It works well enough for net/mtr
> and for the test program spf_example in libspf2's distribution, but I suspect
> using it as a milter in the address space of an MTA that's using the libc
> resolver is pushing our luck too far.

Alright, I finally got some time (vacations) to fix this. I got rid of the
problem by removing the actually useless dependency over libbind. The binary
has been running for one hour without crashing, which was impossible previously.

See the following patches for mail/libspf2 and mail/milter-greylist (I cc'ed
Jakob, the maintainer):

https://people.freebsd.org/~jlh/openbsd_mail_libspf2_no_libbind.diff
https://people.freebsd.org/~jlh/openbsd_mail_milter-greylist_no_libbind.diff

>
>> #0  0x1cc53e386d40 in memcpy (dst0=0x1cc5c48b7000, src0=Variable "src0" is not available.
>> ) at /usr/src/lib/libc/string/memcpy.c:94
>> #1  0x1cc4f4d496d8 in __res_vinit () from /usr/local/lib/libbind/libbind.so.5.0
>> #2  0x1cc4f4d48bda in __res_ninit () from /usr/local/lib/libbind/libbind.so.5.0
>> #3  0x1cc50b181905 in SPF_dns_resolv_lookup (spf_dns_server=0x1cc5c48ab780, domain=0x1cc55122c1d0 "mydomain.org", rr_type=ns_t_spf, should_cache=1) at spf_dns_resolv.c:261
>> #4  0x1cc50b180117 in SPF_dns_lookup (spf_dns_server=0x1cc5c48ab780, domain=0x1cc55122c1d0 "mydomain.org", rr_type=ns_t_spf, should_cache=1) at spf_dns.c:141
>> #5  0x1cc50b180b16 in SPF_dns_cache_lookup (spf_dns_server=0x1cc5c48abc80, domain=0x1cc55122c1d0 "mydomain.org", rr_type=ns_t_spf, should_cache=1) at spf_dns_cache.c:408
>> #6  0x1cc50b180117 in SPF_dns_lookup (spf_dns_server=0x1cc5c48abc80, domain=0x1cc55122c1d0 "mydomain.org", rr_type=ns_t_spf, should_cache=1) at spf_dns.c:141
>> #7  0x1cc50b18e4e3 in SPF_server_get_record (spf_server=0x1cc5eb4154c0, spf_request=0x1cc5c48aeb00, spf_response=0x1cc5eb41b400, spf_recordp=0x1cc54f7c8700) at spf_server.c:351
>> #8  0x1cc50b18c959 in SPF_request_query_mailfrom (spf_request=0x1cc5c48aeb00, spf_responsep=0x1cc54f7c87a0) at spf_request.c:291
>> #9  0x1cc2ee1207ca in spf_check_internal (ad=0x1cc4f4c65948, as=AS_RCPT, ap=0x1cc54f7c8cd0, priv=0x1cc5c48af000) at spf.c:388
>> #10 0x1cc2ee120c17 in spf_check (ad=0x1cc4f4c65948, as=AS_RCPT, ap=0x1cc54f7c8cd0, priv=0x1cc5c48af000) at spf.c:524
>> #11 0x1cc2ee123a0d in acl_filter (stage=AS_RCPT, ctx=0x1cc5c48b2000, priv=0x1cc5c48af000) at acl.c:1902
>> #12 0x1cc2ee1069ae in real_envrcpt (ctx=0x1cc5c48b2000, envrcpt=0x1cc5eb41c280) at milter-greylist.c:601
>> #13 0x1cc2ee105de0 in mlfi_envrcpt (ctx=0x1cc5c48b2000, envrcpt=0x1cc5eb41c280) at milter-greylist.c:213
>> #14 0x1cc52bfaa46e in st_rcpt () from /usr/local/lib/libmilter.so.4.0
>> #15 0x1cc52bfab557 in mi_engine () from /usr/local/lib/libmilter.so.4.0
>> #16 0x1cc52bfaca10 in mi_handle_session () from /usr/local/lib/libmilter.so.4.0
>> #17 0x1cc52bfab7d9 in mi_thread_handle_wrapper () from /usr/local/lib/libmilter.so.4.0
>> #18 0x1cc5a247d90e in _rthread_start (v=Variable "v" is not available.
>> ) at /usr/src/lib/librthread/rthread.c:145
>> #19 0x1cc53e33649b in __tfork_thread () at /usr/src/lib/libc/arch/amd64/sys/tfork_thread.S:75
>> #20 0x in ?? ()
>

-- 
Jeremie Le Hen
j...@freebsd.org
What's the proper way to add a "link-local" route?
Hi,

My interface has a /32 IP address and the gateway is .254. Obviously I need to
do something special with the routing table because the router is not
accessible. Until 5.7 I used to add a direct route to the router and then add a
default route as usual:

  # ifconfig em0 inet a.b.c.d/32
  # route add -llinfo -iface -host a.b.c.254 a.b.c.254 -ifp em0
  # route add default a.b.c.254

Then it broke on 5.8 and I had to switch to:

  # ifconfig em0 inet a.b.c.d/32
  # route add -llinfo -iface -net default a.b.c.254 -ifp em0

But on 5.9, neither setup works:

  # ping a.b.c.254
  PING a.b.c.254 (a.b.c.254): 56 data bytes
  ping: sendto: Invalid argument
  ping: wrote a.b.c.254 64 chars, ret=-1

Can anyone advise the proper way to do this please?

Thanks!

-- 
Jeremie Le Hen
My PIN is the last four digits of Pi.
segfault with stripped lib, works fine when non-stripped
Hi,

Yeah... when you read that subject you probably had this weird gaze ô_Ò
like I did when I came to that conclusion.

I've been experiencing segfaults in milter-greylist on one of my MX
running OpenBSD for a while. I contacted Stuart (cc'ed) about 6 months
ago about this, but gave up because I couldn't manage to compile
everything with the debugging symbols. This time after much struggle to
compile the ports chain with them, I finally managed to run
milter-greylist in gdb(1) with the hope to witness the live crash and
get a detailed stacktrace...

Except that even after tinkering with Postfix, it never happened. This simply
worked fine. So after some more tinkering I came to the following
conclusion: if I run strip(1) on /usr/local/lib/libbind/libbind.so.5.0
to remove the debugging symbols, then it will crash with the stacktrace
below.

Has anyone of you seen such a behavior in the past?

#0  0x1cc53e386d40 in memcpy (dst0=0x1cc5c48b7000, src0=Variable "src0" is not available.
) at /usr/src/lib/libc/string/memcpy.c:94
#1  0x1cc4f4d496d8 in __res_vinit () from /usr/local/lib/libbind/libbind.so.5.0
#2  0x1cc4f4d48bda in __res_ninit () from /usr/local/lib/libbind/libbind.so.5.0
#3  0x1cc50b181905 in SPF_dns_resolv_lookup (spf_dns_server=0x1cc5c48ab780, domain=0x1cc55122c1d0 "mydomain.org", rr_type=ns_t_spf, should_cache=1) at spf_dns_resolv.c:261
#4  0x1cc50b180117 in SPF_dns_lookup (spf_dns_server=0x1cc5c48ab780, domain=0x1cc55122c1d0 "mydomain.org", rr_type=ns_t_spf, should_cache=1) at spf_dns.c:141
#5  0x1cc50b180b16 in SPF_dns_cache_lookup (spf_dns_server=0x1cc5c48abc80, domain=0x1cc55122c1d0 "mydomain.org", rr_type=ns_t_spf, should_cache=1) at spf_dns_cache.c:408
#6  0x1cc50b180117 in SPF_dns_lookup (spf_dns_server=0x1cc5c48abc80, domain=0x1cc55122c1d0 "mydomain.org", rr_type=ns_t_spf, should_cache=1) at spf_dns.c:141
#7  0x1cc50b18e4e3 in SPF_server_get_record (spf_server=0x1cc5eb4154c0, spf_request=0x1cc5c48aeb00, spf_response=0x1cc5eb41b400, spf_recordp=0x1cc54f7c8700) at spf_server.c:351
#8  0x1cc50b18c959 in SPF_request_query_mailfrom (spf_request=0x1cc5c48aeb00, spf_responsep=0x1cc54f7c87a0) at spf_request.c:291
#9  0x1cc2ee1207ca in spf_check_internal (ad=0x1cc4f4c65948, as=AS_RCPT, ap=0x1cc54f7c8cd0, priv=0x1cc5c48af000) at spf.c:388
#10 0x1cc2ee120c17 in spf_check (ad=0x1cc4f4c65948, as=AS_RCPT, ap=0x1cc54f7c8cd0, priv=0x1cc5c48af000) at spf.c:524
#11 0x1cc2ee123a0d in acl_filter (stage=AS_RCPT, ctx=0x1cc5c48b2000, priv=0x1cc5c48af000) at acl.c:1902
#12 0x1cc2ee1069ae in real_envrcpt (ctx=0x1cc5c48b2000, envrcpt=0x1cc5eb41c280) at milter-greylist.c:601
#13 0x1cc2ee105de0 in mlfi_envrcpt (ctx=0x1cc5c48b2000, envrcpt=0x1cc5eb41c280) at milter-greylist.c:213
#14 0x1cc52bfaa46e in st_rcpt () from /usr/local/lib/libmilter.so.4.0
#15 0x1cc52bfab557 in mi_engine () from /usr/local/lib/libmilter.so.4.0
#16 0x1cc52bfaca10 in mi_handle_session () from /usr/local/lib/libmilter.so.4.0
#17 0x1cc52bfab7d9 in mi_thread_handle_wrapper () from /usr/local/lib/libmilter.so.4.0
#18 0x1cc5a247d90e in _rthread_start (v=Variable "v" is not available.
) at /usr/src/lib/librthread/rthread.c:145
#19 0x1cc53e33649b in __tfork_thread () at /usr/src/lib/libc/arch/amd64/sys/tfork_thread.S:75
#20 0x in ?? ()

-- 
Jeremie Le Hen
j...@freebsd.org
Re: [Question] Building whitelists so that spamd greylisting can work without users perceiving delivery delays...
Hi Sarah,

On 3/28/2013 10:52 AM, Sarah Caswell wrote:
I had a question about greylisting (with spamd) in production. I've successfully run spamd on firewalls (as a frontend to either barracuda or SpamAssassin) and have really liked the reduction in SPAM volume. Unfortunately my employer's wife does not like the delays that this introduces into our mail delivery, since she uses email for quick turn-around communication. The main problem occurs with senders like Gmail, yahoo, hotmail, etc. ...i.e. all the senders that have large farms of smtp servers from which they can retry delivery after initial greylisting delay. I know this means I'm not doing proper whitelisting of those major sender domains, but I'm at a loss on how to best construct and maintain such a whitelist. Are there any up-to-date lists that already track the MTAs of these large mail providers? Or will this mostly be a DIY effort on my part? Any thoughts/insights/experiences would be greatly appreciated.

I understand this email is about spamd(8), but I would like to mention milter-greylist though, I think it is worth it for people searching the net for such a problem. You can build a ruleset to decide what you want to whitelist/greylist/blacklist. The documentation is good enough, sometimes a little bit terse, but you basically end up with a ruleset like this, which is pretty straightforward to understand and powerful enough:

% #
% # System config boilerplate skipped
% ...
%
% #
% # Some definitions.
% list "my network" addr { \
%     127.0.0.1/8 \
%     10.0.0.0/8 \
%     1.2.3.4 \   # MX 1
%     5.6.7.8 \   # MX 2
% }
% # provided by default
% list "broken mta" addr { \
%     12.5.136.141/32 \   # Southwest Airlines (unique sender)
%     12.5.136.142/32 \   # Southwest Airlines
%     ...
% }
% dnsrbl "SPL-XBL" zen.spamhaus.org 127.0.0.0/29
% dnsrbl "PBL" zen.spamhaus.org 127.0.0.10/31
%
% #
% # Now the ruleset
% racl whitelist list "my network"
% racl whitelist list "broken mta"
% racl whitelist domain freebsd.org
% racl whitelist domain openbsd.org
% racl blacklist dnsrbl "SPL-XBL" msg "Sorry, refused by SPL/XBL"
% racl whitelist spf pass
% racl blacklist spf fail msg "Sorry, your IP is refused by SPF"
% racl greylist dnsrbl "PBL" delay 30m autowhite 3d msg "Please retry later minutes, you are caught by PBL"
% racl greylist default delay 5m autowhite 15d

As a bonus, you can synchronize the greylist and auto-built whitelist between your different MXes.

-- 
Jeremie Le Hen
Scientists say the world is made up of Protons, Neutrons and Electrons.
They forgot to mention Morons.
Re: Precisions on ZFS
Hi,

I know that it has been requested to stop bothering OpenBSD users with ZFS, but there are a few not-quite-right things that I want to make precise. This will be my last post on the subject.

On Thu, Feb 21, 2013 at 08:54:13PM -0500, goodb0fh wrote:
On Feb 21, 2013, at 6:57 PM, Matthias Appel appel.matth...@gmail.com wrote:
That is what I wanted to say, so if there is ZFS-a and ZFS-b, why call both of them ZFS?

Historically there was a single ZFS in OpenSolaris (and Solaris). Other OSes, esp. FreeBSD, brought it in their code base. Then Oracle closed the source and put additional features. The other ZFS that stayed open source in illumos gained additional features as well. So yes they are incompatible, they have the same name, this is annoying. But I don't think any of them is more legitimate to be called ZFS. I think (hope?) over time, people will prefix ZFS with something that describes the branch unambiguously, like Oracle ZFS on one hand and OSS ZFS / illumos ZFS on the other.

ZFS has version numbers. They are backward but not forward compatible so newer code can mount older ZFS but not the other way round. As version increases, capabilities increase, from supporting compression, more compression options, dedup and finally, in the version in Solaris 11, encryption as well. All Illumos/opensolaris versions of ZFS do not support ZFS type encryption, sadly.

This was true until Oracle closed the source because there was only one linear monotonically-increasing version number which clearly identified which features were available in the pool. Oracle basically ignores the other ZFS so they have stayed on the same track. On the other hand, illumos is well aware that this may be a problem in the future so, as Bryan Horstmann-Allen explained. That way there can be multiple ZFS versions, the feature flags will indicate which features were supported when the pool was created.

Regards,

-- 
Jeremie Le Hen
Scientists say the world is made up of Protons, Neutrons and Electrons.
They forgot to mention Morons.
Re: Precisions on ZFS (was: Millions of files in /var/www inode / out of space issue.)
On Wed, Feb 20, 2013 at 12:32:02AM +0100, Matthias Appel wrote:
Yupp, I think, that's (beside the CDDL part of ZFS) the major turn-off in any kind of productive environment. At the moment I don't know how FreeBSD handles the ZFS development, but maintaining a not-really-fully-ZFS besides Oracle is a no-go, IMHO. Maybe forking it and calling it whatever-name-you-want-FS would be better (but would violate CDDL, as far as I can see).. If you want to have ZFS, you will have to bite the bullet and throw some $$$ on Oracle's hive and get a fully licensed ZFS alongside with Solaris. If that's not an option, move along and choose something different. So, long story short, I do not see any option to use ZFS on a free system.

There are two versions of ZFS: Oracle's ZFS in Solaris 11 and the other ZFS, which is the open-source evolution of the latest ZFS from OpenSolaris. This open-source version is mainly developed within IllumOS, which can be considered as the OpenSolaris heir and is backed by the Nexenta company. Two other companies, Joyent and Delphix, also hired former Sun Solaris developers and are putting some effort in it. FreeBSD basically pulls the changes from IllumOS regularly. A handful of bugfixes did go in the other direction though, but not that much. IIRC, I've also seen one or two bugfixes committed into FreeBSD that came from ZFS On Linux.

-- 
Jeremie Le Hen
Scientists say the world is made up of Protons, Neutrons and Electrons.
They forgot to mention Morons.
Re: Precisions on ZFS (was: Millions of files in /var/www inode / out of space issue.)
On Thu, Feb 21, 2013 at 05:15:35PM -0500, Bryan Horstmann-Allen wrote:
I apologize this is off-topic, but I'm somewhat close to the illumos project and would like to correct a few things.
[...things corrected...]

Well, thank you very much for correcting me and providing us high quality information!

Regards,

-- 
Jeremie Le Hen
Scientists say the world is made up of Protons, Neutrons and Electrons.
They forgot to mention Morons.
Re: [obsd] Re: Assigning an IP address to a bridge
Hello Marios,

On Wed, Feb 13, 2013 at 10:36:34PM +0100, Marios Makassikis wrote:
On 13 February 2013 20:28, Stuart Henderson s...@spacehopper.org wrote:
On 2013/02/12 16:54, Jeremie Le Hen wrote:
Thanks again for your review.
http://people.chchile.org/~jlh/tmp/faq6.html
http://people.chchile.org/~jlh/tmp/faq6.diff

This looks fine to me, thank you. Unless there are any objections or other comments I will commit it soon.

One minor comment: you don't *need* to reboot. Although it's a good practice to reboot after you're done setting things up to make sure you don't have any ephemeral configurations (that you will obviously have forgotten about when you reboot for some other reason and find that something is not working as expected).

I fully agree with your comment. Provided this is explained in 6.2.5, perhaps the 'Reboot and voilà' line should be removed? On the other hand, the section right before the one Jeremie wrote also recommends a reboot, so it is consistent in that way.

This is one of the reasons I put this line. Also, my reasoning was that people who are skilled enough to configure this manually (I mean, without a reboot) probably don't need to go through this document.

-- 
Jeremie Le Hen
Scientists say the world is made up of Protons, Neutrons and Electrons.
They forgot to mention Morons.
Re: [obsd] Re: Assigning an IP address to a bridge
Hi, On Tue, Feb 12, 2013 at 04:54:33PM +0100, Jeremie Le Hen wrote: This is a remnant of the first version. Thanks again for your review. http://people.chchile.org/~jlh/tmp/faq6.html http://people.chchile.org/~jlh/tmp/faq6.diff What will happen next? Do I need to do some lobbying with a doc committer to see this patch hit the www tree, so it doesn't get lost? Thanks, -- Jeremie Le Hen Scientists say the world is made up of Protons, Neutrons and Electrons. They forgot to mention Morons.
Re: [obsd] Re: Assigning an IP address to a bridge
On Tue, Feb 12, 2013 at 12:06:24AM +, Stuart Henderson wrote: On 2013-02-11, Jeremie Le Hen jere...@le-hen.org wrote: Hi list, What is the advised way to assign an IP address to a bridge(4) interface? http://marc.info/?l=openbsd-miscm=128268726102239w=2 Last thing: if it was documented, where should it be? I might spare some time to submit a documentation patch. This would be a really useful addition. It should probably go in http://www.openbsd.org/faq/faq6.html#Bridge Ideally make a cvs checkout of the faq: $ cvs -d anon...@anoncvs.spacehopper.org:/cvs get -P -d obsd-faq www/faq then edit faq6.html, and send a cvs diff. Thanks. Can you have a glance at the attached patch please? I am not aware of OpenBSD documentation rules, so excuse me if I broke any of them. Also, feel free to propose any better wording, English is not my primary language. If you want to look at the rendering: http://people.chchile.org/~jlh/tmp/faq6.html Regards, -- Jeremie Le Hen Scientists say the world is made up of Protons, Neutrons and Electrons. They forgot to mention Morons. [demime 1.01d removed an attachment of type text/x-diff]
Re: [obsd] Re: Assigning an IP address to a bridge
On Tue, Feb 12, 2013 at 12:30:32PM +, Stuart Henderson wrote: On 2013/02/12 12:49, Jeremie Le Hen wrote: Thanks. Can you have a glance at the attached patch please? I am not aware of OpenBSD documentation rules, so excuse me if I broke any of them. Also, feel free to propose any better wording, English is not my primary language. If you want to look at the rendering: http://people.chchile.org/~jlh/tmp/faq6.html The attachment is probably stripped in the copy to the mailing list so I will include it in full below however I will respond to points inline with the quoted text first. +Let's say we have a Soekris net5501, which has four +a href=http://www.openbsd.org/cgi-bin/man.cgi?query=vramp;sektion=4;vr(4)/a +interfaces, vr0 through vr3. We want to bridge all of them so the +Soekris box actually acts as a switch. hmm..I'd prefer not to give people the impression that bridging the ports on a soekris is really equivalent to using a switch if possible.. It might also be better to leave one interface out of the bridge (e.g. to use as an uplink to a router), of course people shouldn't blindly follow FAQ examples, but in the event they do, we probably don't want them to end up doing something like bridging their internal lan to a cable modem network segment.. But we also want to serve IP +addresses through DHCP from it, which requires to have an IP address +assigned to the bridge. No need to talk about the mechanism of assigning IP addresses in this paragraph, and this sentence talks about assigning an IP to the bridge, then the next paragraph says that you can't assign an IP to the bridge. So maybe just: We want to use dhcpd to serve IP addresses over the bridged interfaces. +p +It is not possible to assign an IP address to a maybe It is not possible to assign an IP address directly to a +a href=http://www.openbsd.org/cgi-bin/man.cgi?query=bridgesektion=4;bridge(4)/a +interface. 
The IP address should be added to one of the underlying s/underlying/member/, it's simpler and more consistent with ifconfig(8) wording. +interfaces, but we cannot use them as we are not guaranteed to have an +up link on them. With some Ethernet drivers indeed, dhcpd(8) will not +work unless there is a plugged cable. ...but we cannot use a physical interface as the link might be down, in which case the address would not be reachable. Probably skip the With some Ethernet drivers..? Fortunately, starting with +OpenBSD 4.7, there is a vitual Ethernet interface driver s/vitual/virtual/ [...] Rest looks good to me. Thanks for the quick review. Ok, I've updated the patch with your comments. Can you have another look please? http://people.chchile.org/~jlh/tmp/faq6.html http://people.chchile.org/~jlh/tmp/faq6.diff Thanks. Index: faq6.html === RCS file: /cvs/www/faq/faq6.html,v retrieving revision 1.304 diff -u -p -r1.304 faq6.html --- faq6.html 2 Nov 2012 11:25:12 - 1.304 +++ faq6.html 12 Feb 2013 14:03:46 - @@ -1295,7 +1295,7 @@ address, the bridge will pass network da maintainable (which can be a feature). p -h3An example of a bridge application/h3 +h3A simple example of a bridge application/h3 p One of my computer racks has a number of older systems, none of which 
@@ -1367,6 +1367,87 @@ directions. p That's it! Reboot, and you now have a functioning bridge. + +p +h3A bridge acting as a DHCP server/h3 + +p +Let's say we have a Soekris net5501, which has four +a href=http://www.openbsd.org/cgi-bin/man.cgi?query=vramp;sektion=4;vr(4)/a +interfaces, vr0 through vr3. We want to bridge vr1, vr2 and vr3 +together, leaving out vr0 for an uplink (a cable modem for instance). +We also want to serve IP addresses through DHCP over the bridged +interfaces. Being a DHCP server and an uplink router, the box needs to +have an IP address on the bridged network (contrary to the previous +example in which the bridging box was not visible on the network). + +p +It is not possible to assign an IP address directly to a +a href=http://www.openbsd.org/cgi-bin/man.cgi?query=bridgesektion=4;bridge(4)/a +interface. The IP address should be added to one of the member +interfaces, but we cannot use a physical interface as the link might be +down, in which case the address would not be reachable. Fortunately, +starting with OpenBSD 4.7, there is a virtual Ethernet interface driver +a href=http://www.openbsd.org/cgi-bin/man.cgi?query=vethersektion=4;vether(4)/a +that can be used for that purpose. We will add it to the bridge, assign +the IP address to it and make dhcpd(8) listen there. + +p +Notes: + +ul +liThe a href=#DHCPserverDHCP server configuration/a is not +described yet again in this section but the addressing scheme used here is +the same. +liThe will also be the uplink router for your bridged network, so we +will use IP address
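Review bot: in the second hunk (@@ -1367), the note item "+liThe will also be the uplink router for your bridged network, so we" reads "The" where "This" (the box) is meant, so the sentence has no subject; suggest "This will also be the uplink router for your bridged network, so we will use IP address ..." so that it matches the "Being a DHCP server and an uplink router, the box needs to have an IP address" sentence earlier in the same hunk.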
Re: [obsd] Re: Assigning an IP address to a bridge
On Tue, Feb 12, 2013 at 03:13:09PM +, Stuart Henderson wrote: Generally looking very good, just a couple of tweaks: On 2013/02/12 15:06, Jeremie Le Hen wrote: +liThe a href=#DHCPserverDHCP server configuration/a is not +described yet again in this section but the addressing scheme used here is +the same. +liThe will also be the uplink router for your bridged network, so we s/The/This +will use IP address 192.168.1.1 to match the DHCP server configuration. +liWe will not cover the uplink, routing or firewalling configuration +here./li +/ul [..] +Then create the vether0 configuration: + +blockquotepre +$ bcat /etc/hostname.vether0/b +inet 192.168.1.2 255.255.255.0 192.168.1.255 If I understood the above paragraph correctly, this should be 192.168.1.1 shouldn't it? This is a remnant of the first version. Thanks again for your review. http://people.chchile.org/~jlh/tmp/faq6.html http://people.chchile.org/~jlh/tmp/faq6.diff Index: faq6.html === RCS file: /cvs/www/faq/faq6.html,v retrieving revision 1.304 diff -u -p -r1.304 faq6.html --- faq6.html 2 Nov 2012 11:25:12 - 1.304 +++ faq6.html 12 Feb 2013 15:52:19 - @@ -1295,7 +1295,7 @@ address, the bridge will pass network da maintainable (which can be a feature). p -h3An example of a bridge application/h3 +h3A simple example of a bridge application/h3 p One of my computer racks has a number of older systems, none of which 
@@ -1367,6 +1367,87 @@ directions. p That's it! Reboot, and you now have a functioning bridge. + +p +h3A bridge acting as a DHCP server/h3 + +p +Let's say we have a Soekris net5501, which has four +a href=http://www.openbsd.org/cgi-bin/man.cgi?query=vramp;sektion=4;vr(4)/a +interfaces, vr0 through vr3. We want to bridge vr1, vr2 and vr3 +together, leaving out vr0 for an uplink (a cable modem for instance). +We also want to serve IP addresses through DHCP over the bridged +interfaces. Being a DHCP server and an uplink router, the box needs to +have an IP address on the bridged network (contrary to the previous +example in which the bridging box was not visible on the network). + +p +It is not possible to assign an IP address directly to a +a href=http://www.openbsd.org/cgi-bin/man.cgi?query=bridgesektion=4;bridge(4)/a +interface. The IP address should be added to one of the member +interfaces, but we cannot use a physical interface as the link might be +down, in which case the address would not be reachable. Fortunately, +starting with OpenBSD 4.7, there is a virtual Ethernet interface driver +a href=http://www.openbsd.org/cgi-bin/man.cgi?query=vethersektion=4;vether(4)/a +that can be used for that purpose. We will add it to the bridge, assign +the IP address to it and make dhcpd(8) listen there. + +p +Notes: + +ul +liThe a href=#DHCPserverDHCP server configuration/a is not +described yet again in this section but the addressing scheme used here is +the same. +liThis will also be the uplink router for your bridged network, so we +will use IP address 192.168.1.1 to match the DHCP server configuration. 
+liWe will not cover the uplink, routing or firewalling configuration +here./li +/ul + +pFirst mark vr1, vr2 and vr3 as up: + +blockquotepre +$ bcat /etc/hostname.vr1/b +up +$ bcat /etc/hostname.vr2/b +up +$ bcat /etc/hostname.vr3/b +up +/pre/blockquote + +p +Then create the vether0 configuration: + +blockquotepre +$ bcat /etc/hostname.vether0/b +inet 192.168.1.1 255.255.255.0 192.168.1.255 +up +/pre/blockquote + +p +We configure the bridge interface to contain all the above +interfaces: + +blockquotepre +$ bcat /etc/hostname.bridge0/b +add vether0 +add vr1 +add vr2 +add vr3 +up +/pre/blockquote + +p +And finally we make dhcpd(8) listen on the vether0 interface: + +blockquotepre +$ bgrep ^dhcpd_flags= /etc/rc.conf.local/b +dhcpd_flags=vether0 +/pre/blockquote + +p +Reboot and voilagrave;! p h3Filtering on a bridge/h3 -- Jeremie Le Hen Scientists say the world is made up of Protons, Neutrons and Electrons. They forgot to mention Morons.
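Review bot: in the second hunk (@@ -1367), the three list items are closed inconsistently: "+liThe a href=#DHCPserverDHCP server configuration/a ..." and "+liThis will also be the uplink router ..." carry no closing tag, while the third item ends with "+here./li"; close each item the same way. Secondly, the closing "+Reboot and voilagrave;!" line tells readers a reboot is required, whereas the thread itself points out that a reboot is not needed once the hostname.vr*, hostname.vether0 and hostname.bridge0 files and dhcpd_flags are in place; consider wording it as the recommended (not required) step, as the preceding "That's it! Reboot, and you now have a functioning bridge." context line does.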
Assigning an IP address to a bridge
Hi list,

What is the advised way to assign an IP address to a bridge(4) interface? I have the following:

% # ifconfig bridge0
% bridge0: flags=41<UP,RUNNING>
%         groups: bridge
%         priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
%         designated: id 00:00:00:00:00:00 priority 0
%         vr3 flags=3<LEARNING,DISCOVER>
%                 port 4 ifpriority 0 ifcost 0
%         vr2 flags=3<LEARNING,DISCOVER>
%                 port 3 ifpriority 0 ifcost 0
%         vr1 flags=3<LEARNING,DISCOVER>
%                 port 2 ifpriority 0 ifcost 0
%         vr0 flags=3<LEARNING,DISCOVER>
%                 port 1 ifpriority 0 ifcost 0
%         Addresses (max cache: 100, timeout: 240):
%                 3c:62:00:67:6f:e1 vr0 1 flags=0
%                 00:15:af:7f:89:94 vr0 0 flags=0

I glanced at bridge(4) and ifconfig(8) manpages without luck. The FAQ doesn't seem to document this as well.

My feeling is that I should add my IP address to each physical interface belonging to the bridge. I came to that conclusion because if you want to serve IP addresses with dhcpd(8) on that bridge, you have to tell dhcpd(8) to listen on each of these physical interfaces, but it will refuse to start if there is no IP address assigned to an interface it should listen on. Maybe this setup is not supported?

Last thing: if it was documented, where should it be? I might spare some time to submit a documentation patch.

Thanks for your help.

-- 
Jeremie Le Hen
Scientists say the world is made up of Protons, Neutrons and Electrons.
They forgot to mention Morons.
Re: OT using absolute paths in scripts
Hi Marc, On Sun, Jan 13, 2013 at 07:12:23PM +0100, Marc Espie wrote: On Sun, Jan 13, 2013 at 11:04:08AM -0600, Maximo Pech wrote: They mandate that on all shell scripts we have to use absolute paths for every single command. That does provide ways less security than setting the PATH to a system-only path at the beginning of your script. Can you elaborate on this? From a security point of view only, this looks to me as a draw. If you consider the portability issues then sure, setting PATH is better. Regards, -- Jeremie Le Hen Scientists say the world is made up of Protons, Neutrons and Electrons. They forgot to mention Morons.
Re: [obsd] Re: OT using absolute paths in scripts
On Mon, Jan 14, 2013 at 02:16:24AM -0800, Philip Guenther wrote: On Mon, Jan 14, 2013 at 1:14 AM, Jeremie Le Hen jere...@le-hen.org wrote: On Sun, Jan 13, 2013 at 07:12:23PM +0100, Marc Espie wrote: On Sun, Jan 13, 2013 at 11:04:08AM -0600, Maximo Pech wrote: They mandate that on all shell scripts we have to use absolute paths for every single command. That does provide ways less security than setting the PATH to a system-only path at the beginning of your script. Can you elaborate on this? From a security point of view only, this looks to me as a draw. If you consider the portability issues then sure, setting PATH is better. You cut out his next paragraph which gives an example of why: Sure, you invoke programs with an absolute path, but have you checked that those programs don't invoke other programs with execvp ? Hard coding depends on you to actually hard code EVERYWHERE, including in paths and commands passed to *other* commands executed from the script that you write. If you screw up and miss one, you lose. Set PATH and you can't miss one. Oh yeah, sorry, I didn't notice the p suffix, I just thought of execve(2). Thanks for the clarification. Regards, -- Jeremie Le Hen Scientists say the world is made up of Protons, Neutrons and Electrons. They forgot to mention Morons.
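An added illustration of the point Philip makes above, not code from the thread: even when a script invokes a helper by absolute path, anything that helper starts through an execvp(3)-style PATH lookup is still governed by PATH, so a system-only PATH set once at the top of the script is the control that cannot be missed. The look-alike command directory below is constructed purely to make the difference visible; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread. Shows why a system-only PATH at the top
# of a script protects children that resolve commands via PATH (execvp-style),
# where hard-coding absolute paths in the script itself cannot.

# Install a fixed, system-only PATH for the rest of the script.
sanitize_path() {
    PATH=/bin:/sbin:/usr/bin:/usr/sbin
    export PATH
}

# Print which file a child process finds for command "$1" through PATH lookup.
# /bin/sh is invoked by absolute path on purpose: the command it runs is still
# resolved via PATH, exactly like a helper program calling execvp(3).
child_resolves() {
    /bin/sh -c 'command -v "$1"' sh "$1"
}

# Walk through the scenario with a constructed look-alike "uname" placed in a
# temporary directory that is put first in PATH.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho not-the-real-uname\n' > "$tmp/uname"
    chmod 755 "$tmp/uname"

    PATH="$tmp:$PATH"; export PATH
    before=$(child_resolves uname)   # the look-alike wins while PATH is tainted

    sanitize_path
    after=$(child_resolves uname)    # now a system binary is found

    rm -rf "$tmp"
    printf 'with tainted PATH: %s\nwith system PATH : %s\n' "$before" "$after"
}

demo
```

The script itself never calls the look-alike, and hard-coding `/bin/sh` did not help; only the `sanitize_path` call changes what the child finds, which is the "set PATH and you can't miss one" argument in executable form.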
Re: [obsd] Re: trivial with echo command
On Mon, Dec 17, 2012 at 08:43:45PM -0800, Philip Guenther wrote:
On Mon, Dec 17, 2012 at 5:14 PM, sven falempin sven.falem...@gmail.com wrote:
So much to just print ... so:
1 echo is crap (not portable, not very useful)
2 print is doing echo job in ksh print [-nprsu[n] | -R [-en]] [argument ...] (but this is completely different on pengouinOS)
3 printf is everywhere and works fine

Ah, misc@, how I miss you...

echo is perfectly safe and portable for printing, followed by a newline, a literal string that doesn't start with a minus sign. That happens to be a) a *really* common need, and b) a task solved by the historical echo command. If that's not what you need, you should be considering printf instead of writing a non-portable echo.

True. Basically, in order to write portable shell scripts, I would advise to use `echo' for common message printing without anything fancy because it is very often implemented as a shell builtin command, so it has very little overhead compared to printf(1). Given this is probably 99% of use cases, this is great. As soon as you need to interpret special escape patterns, avoid printing a newline, or anything else, go for printf(1).

One problem as you noted above is strings starting with a dash: some basic echo versions (like OpenBSD and Solaris ISTR) will just print it as is whereas more elaborate (and wrong IMHO) versions (Linux and FreeBSD) will try to interpret the options after the dash:

jlh@morgoth:~$ echo -d test
-d test
jlh@morgoth:~$ echo -e test
test

For this reason, if you really want portable code, you should use this instead of a bare `echo':

myecho() {
	case $1 in
	-*)	# leading dash: never let echo see it as an option
		printf '%s\n' "$*" ;;
	*)	echo "$@" ;;
	esac
}

Regards,

-- 
Jeremie Le Hen
Scientists say the world is made up of Protons, Neutrons and Electrons.
They forgot to mention Morons.
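To make the portability rule above concrete, here is an added example (not code from the thread) of a printf(1)-based replacement for echo that covers both cases the post reserves for printf, a leading dash and backslash escapes, plus a probe for how the current shell's echo treats a leading option. The function names and the sample strings are mine and constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: a portable replacement for echo built on
# printf(1). %s never interprets its argument, so neither a leading "-n"/"-e"
# nor a backslash sequence is treated specially, on any POSIX shell.

# Print all arguments joined by single spaces, followed by a newline.
pecho() {
    printf '%s\n' "$*"
}

# Same, without the trailing newline (the other case bare echo cannot do
# portably).
pecho_n() {
    printf '%s' "$*"
}

# Return 0 if this shell's echo prints a leading "-n" literally, 1 if it
# consumes it as an option. Handy when auditing a script for bare echo use.
echo_keeps_leading_dash() {
    [ "$(echo -n)" = "-n" ]
}

# Constructed sample strings exercising the problematic cases.
for s in '-n' '-e' '-d test' 'tab\there' 'plain text'; do
    pecho "$s"
done

if echo_keeps_leading_dash; then
    pecho "this shell's echo prints a leading -n literally"
else
    pecho "this shell's echo treats a leading -n as an option"
fi
```

Running the block under different shells (OpenBSD ksh, bash, dash) shows that `pecho` gives the same five lines everywhere while the final line reports how the builtin echo differs, which is exactly the variation the post warns about.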
Re: SSHD doesn't honor login.conf's setenv
Hi Martijn,

On Tue, Dec 11, 2012 at 6:44 PM, Martijn van Duren <m.vandu...@jonker.nl> wrote:
> I'm new to OpenBSD and BSD in general. On my new install I found that
> it is possible to set environment variables via the login.conf file.
> When trying I found out that those variables aren't honored if I log in
> via ssh. Setting the variables via setusercontext in a test-application
> and via the login command does work. Am I somehow missing a setting in
> sshd_config that ignores these settings or do I need to report this as
> a bug?

One feature you've certainly seen in the manpage is the following:

     UseLogin
             Specifies whether login(1) is used for interactive login
             sessions. The default is ``no''. Note that login(1) is
             never used for remote command execution. Note also, that if
             this is enabled, X11Forwarding will be disabled because
             login(1) does not know how to handle xauth(1) cookies. If
             UsePrivilegeSeparation is specified, it will be disabled
             after authentication.

However as you can see, it has some limitations that may be annoying.

A quick look at the ssh source code in src/usr.bin/ssh/ shows that
setusercontext(3) is called hither and thither with various flags, but
never with LOGIN_SETENV. I think it is possible to add such a call in
session.c:do_setup_env(). I am surprised though that it has never been
done before (likewise, I wonder why the other flags such as
LOGIN_SETUMASK, LOGIN_SETRESOURCES and so on are not honored). There may
be some history about this.

Regards,
--
Jeremie Le Hen
Scientists say the world is made up of Protons, Neutrons and Electrons.
They forgot to mention Morons.
ral(4) hard locks on 5.2
Hello,

I have a Soekris net5501 in which I put a PCI Ralink wireless adapter.
For months, I hadn't used the wireless adapter at all -- it was using
Ethernet -- and it worked like a charm (uptime 100 days). For a few days,
I have used it as an access point but unfortunately I get very frequent
hard locks (even the serial console is unresponsive). I'm looking for a
way to debug this.

Here is the relevant device:

 0:14:0: Ralink RT2860
        0x0000: Vendor ID: 1814 Product ID: 0601
        0x0004: Command: 0117 Status ID: 0410
        0x0008: Class: 02 Subclass: 80 Interface: 00 Revision: 00
        0x000c: BIST: 00 Header Type: 00 Latency Timer: 40 Cache Line Size: 08
        0x0010: BAR mem 32bit addr: 0xa001/0x0001
        0x0014: BAR empty ()
        0x0018: BAR empty ()
        0x001c: BAR empty ()
        0x0020: BAR empty ()
        0x0024: BAR empty ()
        0x0028: Cardbus CIS: 8001
        0x002c: Subsystem Vendor ID: 17f9 Product ID: 0023
        0x0030: Expansion ROM Base Address:
        0x0038:
        0x003c: Interrupt Pin: 01 Line: 0a Min Gnt: 02 Max Lat: 04
        0x0040: Capability 0x01: Power Management

I'm clueless how to troubleshoot the problem. Do you have any hints
about what could cause a general dead lock in the system? Locked in a
high SPL level?

Thanks!

Regards,
--
Jeremie Le Hen
Scientists say the world is made up of Protons, Neutrons and Electrons.
They forgot to mention Morons.
Re: [obsd] Re: ral(4) hard locks on 5.2
Alexander,

On Mon, Nov 26, 2012 at 10:45:16AM +0100, Alexander Hall wrote:
> On 11/26/12 09:44, Jeremie Le Hen wrote:
> > Hello,
> >
> > I have a Soekris net5501 in which I put a PCI Ralink wireless adapter.
> > For months, I hadn't used the wireless adapter at all -- it was using
> > Ethernet -- and it worked like a charm (uptime 100 days). For a few
> > days, I have used it as an access point but unfortunately I get very
> > frequent hard locks (even the serial console is unresponsive). I'm
> > looking for a way to debug this.
> >
> > Here is the relevant device:
> >
> >  0:14:0: Ralink RT2860
> >         0x0000: Vendor ID: 1814 Product ID: 0601
> >         0x0004: Command: 0117 Status ID: 0410
> >         0x0008: Class: 02 Subclass: 80 Interface: 00 Revision: 00
> >         0x000c: BIST: 00 Header Type: 00 Latency Timer: 40 Cache Line Size: 08
> >         0x0010: BAR mem 32bit addr: 0xa001/0x0001
> >         0x0014: BAR empty ()
> >         0x0018: BAR empty ()
> >         0x001c: BAR empty ()
> >         0x0020: BAR empty ()
> >         0x0024: BAR empty ()
> >         0x0028: Cardbus CIS: 8001
> >         0x002c: Subsystem Vendor ID: 17f9 Product ID: 0023
> >         0x0030: Expansion ROM Base Address:
> >         0x0038:
> >         0x003c: Interrupt Pin: 01 Line: 0a Min Gnt: 02 Max Lat: 04
> >         0x0040: Capability 0x01: Power Management
> >
> > I'm clueless how to troubleshoot the problem. Do you have any hints
> > about what could cause a general dead lock in the system? Locked in
> > a high SPL level?
>
> First thing I'd look at is if the power supply is big enough. Since you
> didn't supply a dmesg, we can only guess what's in there.

Dmesg is unavailable for now (too many ral(4) debugging messages in the
ring buffer :)), I think I will have to reboot to get it. If you really
need additional information from there, I will reboot it when I am back
at home.

Here is the output of the pcidump command:

Domain /dev/pci0:
 0:1:0: AMD Geode LX
 0:1:2: AMD Geode LX Crypto
 0:6:0: VIA VT6105M RhineIII
 0:7:0: VIA VT6105M RhineIII
 0:8:0: VIA VT6105M RhineIII
 0:9:0: VIA VT6105M RhineIII
 0:14:0: Ralink RT2860
 0:17:0: Hifn 7955/7954
 0:20:0: AMD CS5536 ISA
 0:20:2: AMD CS5536 IDE
 0:21:0: AMD CS5536 USB
 0:21:1: AMD CS5536 USB

There is no hard-drive in the box, only a Compact Flash mounted
read-only.

--
Jeremie Le Hen
Scientists say the world is made up of Protons, Neutrons and Electrons.
They forgot to mention Morons.
Re: [obsd] Re: ral(4) hard locks on 5.2
On Mon, Nov 26, 2012 at 11:57:16AM +0100, Alexander Hall wrote:
> You might get away with /var/run/dmesg.boot

Not there, unfortunately. I will look at this this evening. But the
problem seems to have been lurking since at least 4.4 from my searching
in the archives. Besides, I use the adapter as a client without any
freeze. Does the AP mode really use more power?

--
Jeremie Le Hen
Scientists say the world is made up of Protons, Neutrons and Electrons.
They forgot to mention Morons.
Re: [obsd] Re: ral(4) hard locks on 5.2
On Mon, Nov 26, 2012 at 10:45:16AM +0100, Alexander Hall wrote:
> On 11/26/12 09:44, Jeremie Le Hen wrote:
> > Hello,
> >
> > I have a Soekris net5501 in which I put a PCI Ralink wireless adapter.
> > For months, I hadn't used the wireless adapter at all -- it was using
> > Ethernet -- and it worked like a charm (uptime 100 days). For a few
> > days, I have used it as an access point but unfortunately I get very
> > frequent hard locks (even the serial console is unresponsive). I'm
> > looking for a way to debug this.
> >
> > Here is the relevant device:
> >
> >  0:14:0: Ralink RT2860
> >         0x0000: Vendor ID: 1814 Product ID: 0601
> >         0x0004: Command: 0117 Status ID: 0410
> >         0x0008: Class: 02 Subclass: 80 Interface: 00 Revision: 00
> >         0x000c: BIST: 00 Header Type: 00 Latency Timer: 40 Cache Line Size: 08
> >         0x0010: BAR mem 32bit addr: 0xa001/0x0001
> >         0x0014: BAR empty ()
> >         0x0018: BAR empty ()
> >         0x001c: BAR empty ()
> >         0x0020: BAR empty ()
> >         0x0024: BAR empty ()
> >         0x0028: Cardbus CIS: 8001
> >         0x002c: Subsystem Vendor ID: 17f9 Product ID: 0023
> >         0x0030: Expansion ROM Base Address:
> >         0x0038:
> >         0x003c: Interrupt Pin: 01 Line: 0a Min Gnt: 02 Max Lat: 04
> >         0x0040: Capability 0x01: Power Management
> >
> > I'm clueless how to troubleshoot the problem. Do you have any hints
> > about what could cause a general dead lock in the system? Locked in
> > a high SPL level?
>
> First thing I'd look at is if the power supply is big enough. Since you
> didn't supply a dmesg, we can only guess what's in there.

Here it is! How do you know if there is a power problem? If it happens
there isn't, do you have any idea how I can track down what the problem
is?

Thanks.

OpenBSD 5.2 (GENERIC) #278: Wed Aug  1 10:04:16 MDT 2012
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by AMD PCS (AuthenticAMD 586-class) 500 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
real mem = 536408064 (511MB)
avail mem = 516780032 (492MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 20/71/05, BIOS32 rev. 0 @ 0xfac40
pcibios0 at bios0: rev 2.0 @ 0xf/0x1
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc8000/0xa800
cpu0 at mainbus0: (uniprocessor)
amdmsr0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
io address conflict 0x6100/0x100
io address conflict 0x6200/0x200
pchb0 at pci0 dev 1 function 0 AMD Geode LX rev 0x31
glxsb0 at pci0 dev 1 function 2 AMD Geode LX Crypto rev 0x00: RNG AES
vr0 at pci0 dev 6 function 0 VIA VT6105M RhineIII rev 0x96: irq 11, address 00:00:24:c9:29:78
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr1 at pci0 dev 7 function 0 VIA VT6105M RhineIII rev 0x96: irq 5, address 00:00:24:c9:29:79
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr2 at pci0 dev 8 function 0 VIA VT6105M RhineIII rev 0x96: irq 9, address 00:00:24:c9:29:7a
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr3 at pci0 dev 9 function 0 VIA VT6105M RhineIII rev 0x96: irq 12, address 00:00:24:c9:29:7b
ukphy3 at vr3 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
ral0 at pci0 dev 14 function 0 Ralink RT2860 rev 0x00: irq 10, address 00:0e:8e:14:5c:57
ral0: MAC/BBP RT2860 (rev 0x0101), RF RT2820 (MIMO 2T3R)
hifn0 at pci0 dev 17 function 0 Hifn 7955/7954 rev 0x00: LZS 3DES ARC4 MD5 SHA1 RNG AES PK, 32KB dram, irq 15
glxpcib0 at pci0 dev 20 function 0 AMD CS5536 ISA rev 0x03: rev 3, 32-bit 3579545Hz timer, watchdog, gpio, i2c
gpio0 at glxpcib0: 32 pins
iic0 at glxpcib0
pciide0 at pci0 dev 20 function 2 AMD CS5536 IDE rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: SanDisk SDCFX3-2048
wd0: 4-sector PIO, LBA, 1953MB, 4001760 sectors
wd0(pciide0:0:0): using PIO mode 4, DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 21 function 0 AMD CS5536 USB rev 0x02: irq 7, version 1.0, legacy support
ehci0 at pci0 dev 21 function 1 AMD CS5536 USB rev 0x02: irq 7
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 AMD EHCI root hub rev 2.00/1.00 addr 1
isa0 at glxpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
nsclpcsio0 at isa0 port 0x2e/2: NSC PC87366 rev 9: GPIO VLM TMS
gpio1 at nsclpcsio0: 29 pins
npx0 at isa0 port 0xf0/16: reported by CPUID
Re: Convergence time with carp(4)
Marco,

Thank you for your reply.

On Sun, Mar 25, 2007 at 12:52:18PM +0200, Marco Pfatschbacher wrote:
> On Fri, Mar 23, 2007 at 04:35:31PM +0100, Jeremie Le Hen wrote:
> [...]
> > - We are using stock OpenBSD 4.0 for our test.
> [...]
> > Without running ifconfig(8) too often, the convergence time is a few
> > seconds but we managed to increase the delay up to 2 minutes with
> > this trick.
>
> This is fixed in 4.0-stable, which you really should be using.
> (see http://www.openbsd.org/errata40.html#m_dup1).
> Either update via CVS or apply this patch:
> http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/in6.c.diff?r1=1.68&r2=1.68.2.1

Thank you for this information. I'm using the stock 4.0 release for
testing purposes and I don't intend to use it in production.

> Btw, you might consider using ifstated(8) instead of scripting sth w/
> ifconfig(8).

I don't understand what you are saying here. I explicitly showed the
commands which can lead to my setup. They are usually handled by
netstart(8) and hostname.if(5). Moreover, I don't really see the point
in using ifstated(8). As far as I understand, net.inet.carp.preempt
matches the problem by raising advskew to 240 on all carp(4) interfaces
whenever there is a failure. ifstated(8) would be useful if I had to
run something upon state change. Am I wrong?

Best regards,
--
Jeremie Le Hen
jeremie at le-hen dot org
ttz at chchile dot org
Convergence time with carp(4)
Hi list,

Please Cc: me in your reply, I'm not subscribed.

I'm setting up a redundant router using OpenBSD and carp(4), as you
surely have already deduced :). The configuration is pretty simple:

                         +-----+
                  bnx0   |     |   bnx1
                +--------|  A  |--------+
                | .251   |     |   .251 |
                |        +-----+        |
  192.168.0.0/24|  carp0         carp1  |10.0.0.0/24
 ---------------+  .254           .254  +---------------
                |  carp0         carp1  |
                |        +-----+        |
                | .252   |     |   .252 |
                +--------|  B  |--------+
                  bnx0   |     |   bnx1
                         +-----+

    A# ifconfig em0 inet 192.168.0.251 0xff00
    A# ifconfig carp0 inet 192.168.0.254 0xff00 vhid 1 advskew 0
    A# ifconfig em1 inet 10.0.0.251 0xff00
    A# ifconfig carp1 inet 10.0.0.254 0xff00 vhid 2 advskew 0
    A# sysctl net.inet.carp.preempt=1

    B# ifconfig em0 inet 192.168.0.252 0xff00
    B# ifconfig carp0 inet 192.168.0.254 0xff00 vhid 1 advskew 100
    B# ifconfig em1 inet 10.0.0.252 0xff00
    B# ifconfig carp1 inet 10.0.0.254 0xff00 vhid 2 advskew 100
    B# sysctl net.inet.carp.preempt=1

- We are using stock OpenBSD 4.0 for our test.
- pf(4) is disabled.
- The network adapters are: Broadcom BCM5708
- The firewalls themselves are Dell PowerEdge 1950(!).

This works quite well but sometimes we're experiencing some delay when
we plug out or in one of the master's cables, seemingly when we are
running ifconfig(8) very often to check the carp(4) interface's state.
Without running ifconfig(8) too often, the convergence time is a few
seconds but we managed to increase the delay up to 2 minutes with this
trick.

Does anyone have any idea about what the problem is here?

Thank you.

Best regards,
--
Jeremie Le Hen
jeremie at le-hen dot org
ttz at chchile dot org
Cannot use ServerName with an Apache reverse proxy
Hi list,

Please Cc: me in your reply, I'm not subscribed. Thanks.

I've already sent this to the Apache users' ML and was redirected here
because it appears OpenBSD's httpd(8) is more or less heavily patched.
According to them, this problem would not occur with a classical Apache
(I couldn't test it yet, the computers are at work).

I'm fiddling a bit with OpenBSD's default httpd(8) to create a very
simple reverse proxy. Unfortunately, I'm experiencing a weird behaviour
when I use the ServerName directive. The configuration file is
straightforward:

% ServerType standalone
% ServerRoot /var/www
% PidFile logs/httpd.pid
% ScoreBoardFile logs/apache_runtime_status
%
% Listen 10.0.40.100:80
%
% User www
% Group www
% Port 80
% ServerAdmin [EMAIL PROTECTED]
% ServerName proxy.jeremie.vmware
%
% UseCanonicalName On
%
% LogLevel debug
%
% LogFormat "%h %l %u %t \"%r\" %s %b" common
% CustomLog logs/access_log common
%
% LoadModule proxy_module /usr/lib/apache/modules/libproxy.so
% <IfModule mod_proxy.c>
% ProxyPass / http://www.jeremie.vmware/
% ProxyPassReverse / http://www.jeremie.vmware/
% </IfModule>

When I comment out the ServerName directive, the reverse proxy works.
When ServerName is used, it doesn't work anymore and I get the following
error message in Firefox:

% Proxy Error
% The proxy server could not handle the request GET /.
%
% Reason: Host not found

DNS names are correctly set:

% tintin:/var/www/conf 223# host www.jeremie.vmware
% www.jeremie.vmware is an alias for haddock80.jeremie.vmware.
% haddock80.jeremie.vmware has address 10.0.80.200
% www.jeremie.vmware is an alias for haddock80.jeremie.vmware.
% www.jeremie.vmware is an alias for haddock80.jeremie.vmware.
%
% tintin:/var/www/conf 224# host proxy.jeremie.vmware
% proxy.jeremie.vmware is an alias for tintin40.jeremie.vmware.
% tintin40.jeremie.vmware has address 10.0.40.100
% proxy.jeremie.vmware is an alias for tintin40.jeremie.vmware.
% proxy.jeremie.vmware is an alias for tintin40.jeremie.vmware.

As you can see, I asked for debug messages in ErrorLog, but I can't see
anything relevant. The only line issued when the query is made is:

% [Thu Mar 15 18:40:40 2007] [debug] proxy_cache.c(0): No CacheRoot,
% so no caching. Declining.

Though this may appear quite off-topic, I tried to provide httpd.conf(5)
with a CacheRoot directive, but this doesn't resolve my problem...
Instead I have the following messages:

% [Thu Mar 15 18:42:31 2007] [debug] proxy_cache.c(0): Request for
% http://www.jeremie.vmware/, pragma_req=(unset), ims=0
% [Thu Mar 15 18:42:31 2007] [debug] proxy_util.c(0): File
% /proxy/K/A/I/[EMAIL PROTECTED] not found
% [Thu Mar 15 18:42:31 2007] [debug] proxy_cache.c(0): Local copy
% not present or expired. Declining.

Any clue will be welcome! Thank you.

Regards,
--
Jeremie Le Hen
jeremie at le-hen dot org
ttz at chchile dot org
Re: [fbsd] Re: [fbsd] Re: IPSEC documentation
Hi Phil,

> I personally find the gif(4)/transport mode setup neater than the
> single tunnel mode - though I am not aware of initial constraints when
> IPSec RFCs were written - especially because one can look after the
> traffic going through the VPN link in a very natural way.

I forgot to add that though both setups basically achieve the same
purpose, they are not compatible and one has to use IPSec tunnel mode
in order to get non-BSD systems to work.

As Brian pointed out, FreeBSD indeed lacks the enc(4) interface which
lives in OpenBSD. enc(4) is a kind of hook into the tunnel mode
providing a natural interface to it. Linux (FreeS/WAN) has a similar
concept with the ipsec interface type.

> IMHO, both modes are useful. On a very large VPN concentrator with many
> tunnels being created and destroyed all the time, and possibly several
> hundred connections at any given time, the interface table becomes big.
> Usually with so many tunnels, typical for roaming clients, I'll filter
> on the source IP (the remote end) at the moment of leaving the
> interface.

Yes indeed, you are right. I dare to Cc: misc@openbsd.org in order to
get an answer about performance when there are a huge number of IPSec
tunnels.

One could argue that the gif/transport setup is cleaner in that it
doesn't invent yet another interface type, but racoon/ipsec-tools isn't
aware of it. The ideal would be to have the possibility of dynamically
creating tun(4) devices representing the tunnel endpoints, if required,
when phase 2 has been established.

Best regards,
--
Jeremie Le Hen
jeremie at le-hen dot org
ttz at chchile dot org