Re: PF match counter seems to be hitting a limit
On Tue, 1 Feb 2011 17:45:52 -0500 Ted Unangst wrote:

> On Tue, Feb 1, 2011 at 4:34 PM, Steve Johnson wrote:
> > I had forgotten to also include the sysctl changes that I had made
> > as well, mostly based from calomel.org, which were the following:
> >
> > net.inet.ip.ttl=254
>
> I love this. Bigger is better!

Size does matter...

-- Massimo
Re: It still doable to buy VIA padlock engine CPU?
On Wed, 20 Oct 2010 18:30:31 +0100 Kevin Chadwick wrote:

> On Tue, 19 Oct 2010 18:45:18 +0200
> Massimo Lusetti wrote:
>
> > 1.5GHz VIA C7 CPU or an
> > ATOM one?
>
> No idea what the acceleration on this board brings to the party, but
> if you do then bear in mind that;
>
> 1 atom mhz != 1 traditional i386 mhz
>
> (see atom on wikipedia (varying types) for info)
>
> Maybe that tips the scales in your thought process?

Thanks to you and everyone answering, I'll dig a little more and hopefully I will do some tests on different boards.

Cheers
-- Massimo
Re: It still doable to buy VIA padlock engine CPU?
On Wed, 20 Oct 2010 11:35:19 +0200 Francesco Vollero wrote:

> Did you already check here[1] ? :)

I think I read misc@ daily plus tech@ and source-changes@ too and that's the reason I'm asking. I read (some time ago) VIA C7 has a crippled implementation of the crypto flow instruction (if memory serves it was from djm@).

I've more than 40 C7 boxes from 3/4 years ago serving us pretty well 24h but they're starting to fail, some due to lack of conditioning, others due to lack of surge protection and so on... I cannot control the environment where they are settled, I just can provide suggestions and directives...

So I start to look around to find if it's the case to switch architecture/platform too and I guess I could ask for direct experience here in misc.

Just to have more clue on argument, so any hint is appreciated.

Cheers
-- Massimo
Re: It still doable to buy VIA padlock engine CPU?
On Tue, 19 Oct 2010 18:32:48 + (UTC) Stuart Henderson wrote:

> On 2010-10-19, Massimo Lusetti wrote:
> > Is it still doable nowadays to buy VIA padlock engine equipped
> > CPU/motherboard just to take advantage of the hw crypto
> > acceleration?
> >
> > I mean, to do IPSec stuff it's better to use a 1.5GHz VIA C7 CPU or
> > an ATOM one?
>
> To do fast IPsec AES, it's better to use core i5 and -current.

Well, thanks for the info but I think I cannot use that kind of boxes in this specific environment cause I need fanless boxes.

I've to replace Commell boards so I'm looking for something similar (maybe fanless too) with 2/3/4 nics.

I remember we chatted about this three/four years ago?

Anyway thanks again for the pointer...

Cheers
-- Massimo
It still doable to buy VIA padlock engine CPU?
Is it still doable nowadays to buy VIA padlock engine equipped CPU/motherboard just to take advantage of the hw crypto acceleration?

I mean, to do IPSec stuff it's better to use a 1.5GHz VIA C7 CPU or an ATOM one?

Does anyone have any experience?

Thanks in advance
-- Massimo
Re: How to use /dev/srandom
On Wed, 29 Sep 2010 11:16:53 -0600 Theo de Raadt wrote:

> > It is more efficient. There is almost always enough entropy for
> > arandom, and if there isn't, you would have a hard time detecting
> > that.
>
> There is always enough. The generator will keep moving, until it has
^^^

Like "64K will be enough for everyone" ? ;)

... please put it in theo.c

-- Massimo
Filter on a CARP (active/passive) firewall
Hi guys,
I read on the OpenBSD PF's FAQ this statement:

  Ruleset Tips

  Filter the physical interface. As far as PF is concerned, network traffic comes from the physical interface, not the CARP virtual interface (i.e., carp0). So, write your rule sets accordingly. Don't forget that an interface name in a PF rule can be either the name of a physical interface or an address associated with that interface. For example, this rule could be correct:

      pass in on fxp0 inet proto tcp from any to carp0 port 22

  but replacing the fxp0 with carp0 would not work as you desire.

I would ask if using the group names instead of the physical interface has some drawbacks, cause I find it easier to understand. I'm also giving the same group name to the carp interface so I can see all my IPs with ifconfig "group_name".

Am I missing something obvious?

Thanks
-- Massimo
What a nice "theme" for the current hackathon!
... I think it deserves at least an undeadly article ;)

Thanks guys!

-- Massimo
Re: dhcpd knob
On Sat, 19 Jun 2010 11:08:29 -0600 Theo de Raadt wrote:

> anyone is welcome to run the official isc stuff if they want. they're
> also welcome to drink the water in india. we don't mind when other

Please add this to theo.c ... it deserves it!

-- Massimo
Re: iked(8) and ikectl(8)
On Fri, 4 Jun 2010 12:35:36 +0200 Reyk Floeter wrote:

> but please a little bit before using it in production networks,
> iked(8) is not fully ready yet ;-).

I'm following your commit flow about it and it is exciting, this is why I'm still with OpenBSD ;)

-- Massimo
Re: iked(8) and ikectl(8)
On Thu, 3 Jun 2010 23:06:58 +0200 Reyk Floeter wrote:

> This is a very brief summary, more information will follow.
>
> reyk

That's great! ... 4.7 is just behind the door and is already time to move on -current!

I got 48 IPsec gateways which just await to be upgraded! Pretty nice!

-- Massimo
Re: dmesg FW-8750 with 4G from 4.7-current
On Thu, 20 May 2010 16:07:31 +0200 Henning Brauer wrote:

> argh, no. bigmem isn't useable as of now or it would be default.
>
> the difference being PCI space mostly. only have 32bit addressing ake
> 4G for mem AND pci etc, ya know.

yep, reading archives and commit logs I have come to the decision to leave it to the defaults.

I expect to mail dmesg@ on monday or tuesday when the box will be released.

Cheers
-- Massimo
Re: dmesg FW-8750 with 4G from 4.7-current
On Wed, 19 May 2010 13:32:19 +0200 Robert wrote:

> This is the expected behaviour.
> Check the mailinglist-archives for details. (hint: "bigmem")

Thanks for the hint, looking for infos.

Thanks to others answering privately too, even the ones suggesting another MUA ;)

Cheers
-- Massimo
Re: dmesg FW-8750 with 4G from 4.7-current
On Wed, 19 May 2010 11:40:33 +0200 Massimo Lusetti wrote:

> Hi guys,
> I got a small issue with a FW-8750 which boots:
>
> OpenBSD 4.7-current (GENERIC.MP) #227: Wed Apr 28 11:55:45 MDT 2010
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 3210477568 (3061MB)
> avail mem = 3111297024 (2967MB)
[..]
> The machine bios sees 4G RAM while OpenBSD 4.7amd64 sees only 3G RAM
>
> Any clue is really appreciated, thanks

I see the dmesg has been mangled by my mailer and/or cut&paste so here I attach dmesg from booting multi and single processor GENERIC hoping it will not be removed, thanks again for any hint.

Cheers
-- Massimo Lusetti

[demime 1.01d removed an attachment of type application/octet-stream which had a name of dmesg]
[demime 1.01d removed an attachment of type application/octet-stream which had a name of dmesg.mp]
dmesg FW-8750 with 4G from 4.7-current
T (82573L)" rev 0x00: apic 2 int 16 (irq 15), address 00:90:0b:18:57:17
uhci0 at pci0 dev 29 function 0 "Intel 82801I USB" rev 0x02: apic 2 int 23 (irq 14)
uhci1 at pci0 dev 29 function 1 "Intel 82801I USB" rev 0x02: apic 2 int 19 (irq 10)
ehci0 at pci0 dev 29 function 7 "Intel 82801I USB" rev 0x02: apic 2 int 23 (irq 14)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb11 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0x92
pci12 at ppb11 bus 1
pcib0 at pci0 dev 31 function 0 "Intel 82801IO LPC" rev 0x02
pciide0 at pci0 dev 31 function 2 "Intel 82801I SATA" rev 0x02: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide0: using apic 2 int 19 (irq 10) for native-PCI interrupt
wd0 at pciide0 channel 1 drive 0:
wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors SSDSA2M080G2GC>
wd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 6
ichiic0 at pci0 dev 31 function 3 "Intel 82801I SMBus" rev 0x02: apic 2 int 18 (irq 11)
iic0 at ichiic0
spdmem0 at iic0 addr 0x50: 2GB DDR2 SDRAM non-parity PC2-6400CL5
spdmem1 at iic0 addr 0x52: 2GB DDR2 SDRAM non-parity PC2-6400CL5
pciide1 at pci0 dev 31 function 5 "Intel 82801I SATA" rev 0x02: DMA, channel 0 wired to native-PCI, channel 1 wired to native-PCI
pciide1: using apic 2 int 19 (irq 10) for native-PCI interrupt
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pcppi0 at isa0 port 0x61
midi0 at pcppi0:
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
it0 at isa0 port 0x2e/2: IT8718F rev 4, EC port 0xa10
mtrr: Pentium Pro MTRR support
umass0 at uhub0 port 2 configuration 1 interface 0 "Cypress Semiconductor USB2.0 Storage Device" rev 2.00/0.01 addr 2
umass0: using SCSI over Bulk-Only
scsibus0 at umass0: 2 targets, initiator 0
cd0 at scsibus0 targ 1 lun 0: SCSI0 5/cdrom removable
uhidev0 at uhub1 port 1 configuration 1 interface 0 "SILITEK USB Keyboard" rev 1.10/2.00 addr 2
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 modifier keys, 6 key codes
wskbd0 at ukbd0: console keyboard, using wsdisplay0
uhidev1 at uhub1 port 1 configuration 1 interface 1 "SILITEK USB Keyboard" rev 1.10/2.00 addr 2
uhidev1: iclass 3/0, 2 report ids
uhid0 at uhidev1 reportid 1: input=5, output=0, feature=0
uhid1 at uhidev1 reportid 2: input=5, output=0, feature=4
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
root on wd0a swap on wd0b dump on wd0b

The machine bios sees 4G RAM while OpenBSD 4.7amd64 sees only 3G RAM

Any clue is really appreciated, thanks

Regards
-- Massimo Lusetti
Re: Route modified dynamically
On Fri, 12 Mar 2010 14:55:51 +0100 Claudio Jeker wrote:

> > > Wow that's a strange flag combo. Why is S & M set together?
> > > Hmm. Another strange routing thing I need to have a look at.
> > > Most probably the cloning is done wrong.
> >
> > Hmm, does it have to be cloned? Couldn't this be the result of
> > route add -host, and then receiving a redirect?
> >
> > Massimo, what command are you using to add these static routes?
>

Yep, I simply added the route the usual openbsd way, inside hostname file without particular options:

route add 10.0.0.1 10.10.10.10

> He adds static host routes and the redirect changes the gateway of the
> static route. I think it would be better to add the redirect with a
> high priority to the table so the original one is not modified. At
> least something like this would work now.

But this way the redirect doesn't take precedence over static one?

Besides my particular case where the redirect points to a non usable gateway (which is indeed a bad configuration on the other side), should a redirect change a static route?

Cheers
-- Massimo
Re: Route modified dynamically
On Fri, 12 Mar 2010 01:43:39 +0100 Claudio Jeker wrote:

> On Fri, Mar 12, 2010 at 12:28:33AM +, Stuart Henderson wrote:
> > On 2010-03-10, Massimo Lusetti wrote:
> > > Hi misc,
> > > I got a 4.5 box which acts as a perimeter ipsec routing gateway,
> > > it has 682 flows (by ipsecctl -sf | wc -l).
> > >
> > > Some of these flows are up with a static route to the other point
> > > of the ipsec tunnel and some of these routes are changing
> > > dynamically (netstat shows UGHMS flags).
> > >
>
> Wow that's a strange flag combo. Why is S & M set together?
> Hmm. Another strange routing thing I need to have a look at.
> Most probably the cloning is done wrong.

BTW I've settled the same default present in 4.6 for not-accepting icmp redirect and 4 days have passed without route modifications.

Cheers
-- Massimo
Re: Route modified dynamically
On Wed, 10 Mar 2010 09:44:36 +0100 Massimo Lusetti wrote:

> Any hint is really appreciated.

Should I stop accepting icmp redirect with the sysctl knobs as the changes in the 4.6 release?

Cheers
-- Massimo
Route modified dynamically
Hi misc,
I got a 4.5 box which acts as a perimeter ipsec routing gateway, it has 682 flows (by ipsecctl -sf | wc -l).

Some of these flows are up with a static route to the other point of the ipsec tunnel and some of these routes are changing dynamically (netstat shows UGHMS flags).

When these routes change dynamically my tunnel falls cause I cannot reach my tunnel endpoint anymore.

Probably these redirects are coming from some ciscozze with HSRP or something and I've already asked the ciscozze admin to look without any luck so I guess I've to do something on my side and I'm here to ask for hints.

Should I have to elevate the priority of the static route? Should I "block" redirects from the ciscozze gateway?

BTW the issue popped up when we deployed 4.5, with 4.3 we didn't notice it but I cannot guarantee something has changed on the other side.

Any hint is really appreciated.

Cheers
-- Massimo
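Added example, not part of the original thread: the symptom discussed above (a static host route that picks up the M flag after an ICMP redirect, shown as UGHMS) can be checked for by scanning `netstat -rn` style output. The routing table below is constructed sample data, and `redirected_routes` and `sample_table` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: report routes that ICMP redirects have touched.
# Flag letters follow netstat(1): S = static (manually added),
# M = modified dynamically (by redirect), D = dynamic (created by redirect).

# redirected_routes (hypothetical helper): reads `netstat -rn -f inet`
# style output on stdin and prints one line per affected route:
#   <kind> <destination> <gateway> <flags>
redirected_routes() {
    awk '
        # The header row tells us which column holds the flags.
        $1 == "Destination" {
            col = 0
            for (i = 1; i <= NF; i++) if ($i == "Flags") col = i
            next
        }
        # Data rows: skip blank lines and section titles such as "Internet:".
        col && NF >= col {
            flags = $col
            if (flags ~ /M/ && flags ~ /S/)
                print "static-modified", $1, $2, flags
            else if (flags ~ /M/)
                print "modified", $1, $2, flags
            else if (flags ~ /D/)
                print "redirect-created", $1, $2, flags
        }
    '
}

# Constructed sample table (documentation addresses, not from the thread).
# 10.0.0.2 is a static host route whose gateway a redirect has rewritten;
# 10.0.0.9 is a host route that exists only because of a redirect.
sample_table() {
    cat <<'EOF'
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.0.2.1          UGS        4    81234     -     8 em0
10.0.0.1           10.10.10.10        UGHS       1     5120     -     8 em0
10.0.0.2           192.0.2.77         UGHMS      1      911     -     8 em0
10.0.0.9           192.0.2.77         UGHD       0       12     -     8 em0
192.0.2.0/24       link#1             UC         2        0     -     4 em0
EOF
}

# Demo on the sample; on a live gateway use instead:
#   netstat -rn -f inet | redirected_routes
sample_table | redirected_routes
```

Run from cron on a gateway, any output line is a route worth comparing against the intended static configuration.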
Re: Questions for OpenBGPd Developers
On Tue, 13 Oct 2009 02:12:04 +0200 Henning Brauer wrote:

> and there's a reason why it is that way - I always found the idea of
> making a bgp router out of a common unix box by adding a userland bgp
> speaker only flawed. many things can only properly or at all be done
> at kernel level or with kernel support.

I guess that applies to OpenOSPF and RIP too, right?

Cheers
-- Massimo
Re: c2k7 hackathon is over
On Sat, 02 Jun 2007 16:40:49 -0600 Theo de Raadt <[EMAIL PROTECTED]> wrote:

> Hope you guys out there enjoy the changes that we've made.

You can't imagine how much i enjoyed reading through commit logs. Amazing.

Thank you!

-- Massimo.run();
: is not an identifier
Re: UMTS card almost recognized
On Wed, 2 May 2007 21:48:38 +1000 Jonathan Gray <[EMAIL PROTECTED]> wrote:

> Sounds like umsm(4) would be more likely to me.
>
> Can you send the output of "usbdevs -v"?

Here you are:

Controller /dev/usb0:
addr 1: full speed, self powered, config 1, UHCI root hub(0x), Intel (0x8086), rev 1.00
 port 1 powered
 port 2 powered
Controller /dev/usb1:
addr 1: full speed, self powered, config 1, UHCI root hub(0x), Intel (0x8086), rev 1.00
 port 1 powered
 port 2 powered
Controller /dev/usb2:
addr 1: full speed, self powered, config 1, UHCI root hub(0x), Intel (0x8086), rev 1.00
 port 1 powered
 port 2 powered
Controller /dev/usb3:
addr 1: full speed, self powered, config 1, UHCI root hub(0x), Intel (0x8086), rev 1.00
 port 1 addr 2: low speed, power 98 mA, config 1, USB-PS/2 Optical Mouse (0xc00e), Logitech(0x046d), rev 11.10
 port 2 powered
Controller /dev/usb4:
addr 1: high speed, self powered, config 1, EHCI root hub(0x), Intel (0x8086), rev 1.00
 port 1 powered
 port 2 powered
 port 3 powered
 port 4 powered
 port 5 powered
 port 6 powered
 port 7 powered
 port 8 powered
Controller /dev/usb5:
addr 1: full speed, self powered, config 1, OHCI root hub(0x), Philips(0x1131), rev 1.00
 port 1 powered
 port 2 addr 2: full speed, power 500 mA, config 1, ONDA CDMA Technologies MSM(0x6613), Qualcomm, Incorporated(0x05c6), rev 0.00

Thanks for your time.

Regards
-- Massimo.run();
Is sex dirty? Only if it's done right. -- Woody Allen, "All You Ever Wanted To Know About Sex"
UMTS card almost recognized
Hi all,
with my own CDs I freshly installed 4.1 on my laptop, everything is working smoothly except for an UMTS PCMCIA card which is not totally recognized. I think this is similar to the ones supported by ubsa(4).

This is the kernel messages obtained when I insert the PCMCIA card on a 4.1 GENERIC kernel. The card is marked as ONDA Mobile Communication H600 HSDPA/UMTS/GPRS Type MF330.

Any hint/info is really appreciated. If you would like to see the full dmesg (the same I posted to [EMAIL PROTECTED]) drop me a note

ohci0 at cardbus0 dev 0 function 0 vendor "Philips", unknown product 0x1561 rev 0x11: irq 6, version 1.0
usb5 at ohci0: USB revision 1.0
uhub5 at usb5
uhub5: Philips OHCI root hub, rev 1.00/1.00, addr 1
uhub5: 2 ports with 2 removable, self powered
ehci1 at cardbus0 dev 0 function 2 vendor "Philips", unknown product 0x1562 rev 0x11: irq 6
usb6 at ehci1: USB revision 2.0
uhub6 at usb6
uhub6: Philips EHCI root hub, rev 2.00/1.00, addr 1
uhub6: 2 ports with 2 removable, self powered
ugen0 at uhub5 port 2
ugen0: Qualcomm, Incorporated ONDA CDMA Technologies MSM, rev 1.10/0.00, addr 2

Best regards
-- Massimo.run();
And you can't get any Watney's Red Barrel, because the bars close every time you're thirsty...
Re: wireless ethernet adapters (seeking recommendations)
On Thu, 12 Apr 2007 10:04:44 +0200 Claudio Jeker <[EMAIL PROTECTED]> wrote:

> I'm a big fan of acx(4) as AP. acx(4) has an excellent radio chip compared
> to ral(4) PCI card I used before. There are some high power wi(4) that
> make also very nice access points (11b only but strong signal).

Do you know of any mini-PCI acx(4)?

Thanks
-- Massimo.run();
Re: bcw(4) is gone
On Mon, 9 Apr 2007 20:20:33 -0500 Marco Peereboom <[EMAIL PROTECTED]> wrote:

> GPL is as free as communism.

Please add this to fortune!

-- Massimo.run();
She's the kind of girl who climbed the ladder of success wrong by wrong. -- Mae West
re(4) watchdog timeout on a LE-565
This[1] is from a LE-565 board which refuses to run normally when 2 or more networks are attached to more than one re(4). As soon as I configure and connect an Ethernet cable to a second nic I get the "watchdog timeout" error at the bottom of the dmesg. No matter if I put traffic on wire or not.

BTW with recent -current SpeedStep has gained two more clock steps.

Any hint is really appreciated.

-- Massimo.run();

[1]
OpenBSD 4.0-current (GENERIC) #1238: Mon Nov 27 07:21:29 MST 2006
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: VIA Esther processor 1000MHz ("CentaurHauls" 686-class) 1 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,CMOV,PAT,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,TM,SBF,SSE3,EST,TM2
cpu0: Enhanced SpeedStep 1000 MHz (844 mV): speeds: 1000, 800, 600, 400 MHz
cpu0: RNG AES AES-CTR SHA1 SHA256 RSA
real mem = 468152320 (457180K)
avail mem = 418914304 (409096K)
using 4256 buffers containing 23531520 bytes (22980K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(d2) BIOS, date 06/26/06, BIOS32 rev. 0 @ 0xf9ed0, SMBIOS rev. 2.3 @ 0xf (33 entries)
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf/0xd274
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfd180/224 (12 entries)
pcibios0: bad IRQ table checksum
pcibios0: PCI BIOS has 13 Interrupt Routing table entries
pcibios0: PCI Exclusive IRQs: 10
pcibios0: PCI Interrupt Router at 000:17:0 ("VIA VT8237 ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0xd800! 0xd/0x1000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "VIA CN700 Host" rev 0x00
pchb1 at pci0 dev 0 function 1 "VIA CN700 Host" rev 0x00
pchb2 at pci0 dev 0 function 2 "VIA CN700 Host" rev 0x00
pchb3 at pci0 dev 0 function 3 "VIA PT890 Host" rev 0x00
pchb4 at pci0 dev 0 function 4 "VIA CN700 Host" rev 0x00
pchb5 at pci0 dev 0 function 7 "VIA CN700 Host" rev 0x00
ppb0 at pci0 dev 1 function 0 "VIA VT8377 AGP" rev 0x00
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "VIA S3 Unichrome PRO IGP" rev 0x01: aperture at 0xf400, size 0x1000
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
rtw0 at pci0 dev 10 function 0 "Realtek 8185" rev 0x20: irq 10
rtw0: ver RTL8185, rtw0: could not recall EEPROM in 1us
rtw0: could not recall EEPROM in 1us
re0 at pci0 dev 11 function 0 "Realtek 8169" rev 0x10: irq 10, address 00:03:1d:03:97:bd
rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 0
re1 at pci0 dev 12 function 0 "Realtek 8169" rev 0x10: irq 10, address 00:03:1d:03:97:be
rgephy1 at re1 phy 7: RTL8169S/8110S PHY, rev. 0
re2 at pci0 dev 13 function 0 "Realtek 8169" rev 0x10: irq 10, address 00:03:1d:03:97:bf
rgephy2 at re2 phy 7: RTL8169S/8110S PHY, rev. 0
re3 at pci0 dev 14 function 0 "Realtek 8169" rev 0x10: irq 10, address 00:03:1d:03:97:c0
rgephy3 at re3 phy 7: RTL8169S/8110S PHY, rev. 0
pciide0 at pci0 dev 15 function 0 "VIA VT6420 SATA" rev 0x80: DMA
pciide0: using irq 10 for native-PCI interrupt
pciide1 at pci0 dev 15 function 1 "VIA VT82C571 IDE" rev 0x06: ATA133, channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide1 channel 0 drive 0:
wd0: 16-sector PIO, LBA, 29314MB, 60036480 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
pciide1: channel 1 disabled (no drives)
uhci0 at pci0 dev 16 function 0 "VIA VT83C572 USB" rev 0x81: irq 10
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 16 function 1 "VIA VT83C572 USB" rev 0x81: irq 10
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 16 function 2 "VIA VT83C572 USB" rev 0x81: irq 10
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
uhci3 at pci0 dev 16 function 3 "VIA VT83C572 USB" rev 0x81: irq 10
usb3 at uhci3: USB revision 1.0
uhub3 at usb3
uhub3: VIA UHCI root hub, rev 1.00/1.00, addr 1
uhub3: 2 ports with 2 removable, self powered
ehci0 at pci0 dev 16 function 4 "VIA VT6202 USB" rev 0x86: irq 10
usb4 at ehci0: USB revision 2.0
uhub4 at usb4
uhub4: VIA EHCI root hub, rev 2.00/1.00, addr 1
uhub4: 8 ports with 8 removable, self powered
viapm0 at pci0 dev 17 function 0 "VIA VT8237 ISA" rev 0x00
iic0 at viapm0
lm1 at iic0 addr 0x2f: W83782D
auvia0 at pci0 dev 17 function 5 "VIA VT8233 AC97" rev 0x60: irq 10
ac97: codec id 0x414c4760 (Avance Logic ALC655 rev 0)
audio0 at auvia0
isa0 at mainbus0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0:
spkr0 at pcppi0
l
Re: wpi fail to load firmware
On Fri, 2006-11-03 at 10:56 +0100, Massimo Lusetti wrote:

> If i can do anything to help you debug this problem, please let me know,
> I'll try.

Could be this related?

CVSROOT: /cvs
Module name: src
Changes by: [EMAIL PROTECTED] 2006/11/01 04:25:01

Modified files:
    sys/dev/pci: if_wpi.c

Log message:
fix firmware fatal errors on re-associations.
reported and tested by Marc Winiger and dhartmei@

I did notice this commit only right now...

-- Massimo.run();
wpi fail to load firmware
I'm really happy since I can now try to work with the wpi(4) on my laptop.

I freshly installed 4.0 and got

wpi0 at pci5 dev 0 function 0 "Intel PRO/Wireless 3945ABG" rev 0x02: irq 10, address 00:13:02:18:e5:b2

but as soon as I try ifconfig wpi0 up and the driver tries to load the firmware I got

wpi0: timeout waiting for thermal sensors calibration
wpi0: timeout waiting for thermal sensors calibration
wpi0: fatal firmware error

If I can do anything to help you debug this problem, please let me know, I'll try.

As usual I've sent complete dmesg to dmesg@ but if you want it here I can paste it.

Thanks for this great piece of software.

-- Massimo
"BSD guys are a lot like Linux guys, except they have kissed girls"
Re: Via C7 fully supported?
On Tue, 31 Oct 2006 07:12:51 -0700 (MST) Diana Eichert <[EMAIL PROTECTED]> wrote:

> On Tue, 31 Oct 2006, Tom Cosgrove wrote:
>
> > Although they're not yet available, Wim is hoping to sell
> > http://www.liantec.com/product/emboard/EMB-5740.htm soon.
> >
> > See http://www.kd85.com/liantec.html.
> >
> > Thanks
> >
> > Tom
>
> look like a more interesting choice than the commell I'm looking at,
> http://www.commell.com.tw/Product/SBC/LV-669.HTM
>

The only thing they're missing is the gpio, which could be useful.

Regards
-- Massimo
Re: Actual network chipset
On Sat, 2006-10-14 at 09:59 +1000, Jonathan Gray wrote:

> This is because the hardware presents the same number to the
> kernel for 8169/8169S/8110S. The 8110S is designed
> to be used on system boards, 8169 is the sort of thing that can
> be found on pci cards.

Thanks for the clarification.

What sounds strange to me is that this is revealed from a SBC board, particularly, a Commell LE-565, even whose spec sheet and manuals always talks about RTL8110S-32 as the ethernet chipset.

Regards
-- Massimo.run();
Actual network chipset
Hi all,
I wish to know actually which chipset this board has on, since the spec sheet says it has to be a RTL8110S-32 but after seeing the dmesg output I'm not so sure right now.

This is from a 4.0-CURRENT from mid of September (14/09)

re0 at pci0 dev 11 function 0 "Realtek 8169" rev 0x10: irq 10, address 00:03:1d:03:97:bd
rgephy0 at re0 phy7: RTL8169S/8110S PHY, rev. 0

I cannot read on the chip itself since it is covered by a not removable heat dissipater

Thanks for your time, best regards
-- Massimo
"BSD guys are a lot like Linux guys, except they have kissed girls"
Re: 'flags S/SA keep state' now the default
On Fri, 2006-10-06 at 11:36 +, Ryan McBride wrote:

> I've just committed code based on a suggestion made by Daniel Hartmeier
> to make flags S/SA keep state the default for rules.

THANKS!

-- Massimo.run();
Re: Experience with isakmpd/ipsec in production?
On Mon, 2006-08-21 at 15:43 +0200, Sven Ingebrigt Ulland wrote:

> How long have you been running openbsd isakmpd/ipsec (in production)?

We've been using them since 3.9 and got small quirks mostly due to our misunderstanding of protocols and implementations, a little also due to the initial lack of openbsd-standard-level documentation :)

Any issue was resolved with a small search on code or mailing list archive or as a last resource asking directly to [EMAIL PROTECTED]

Now we got a 10 node VPN lan based totally on -current as of mid of August with more than 70 tunnels in it. I will add 8 more peers during September.

So far very happy with reliability and maintenance facility.

A small side note, I'm waiting the 'fix' for totally take advantage of Via C3/C7 crypto features and hope they will be in for 4.0 or just a little after :) even if my users are very happy with the current performance.

Regards
-- Massimo.run();
Re: sokeris output
On Mon, 2006-07-24 at 02:33 -0300, Gustavo Rios wrote:

> PS: If you have a kernel configuration file for exact that hardware, i
> would enjoy too.

Look at flashboot[1] source.

[1] http://mindrot.org/flashboot.html

-- Massimo.run();
Re: bsd.rd
On Mon, 2006-07-24 at 03:05 -0300, Gustavo Rios wrote:

> What is the process one should pass through in order to have built a
> bsd.rd kernel?

I highly suggest you to look at flashboot.

-- Massimo.run();
Re: Error building ntpd on -current
On Wed, 2006-07-05 at 17:38 +0200, Otto Moerbeek wrote:

> What is the version of your libc? Check ls -l /usr/lib/libc.so.*,
> newest version should be 39.2.
>
> $ nm /usr/lib/libc.so.39.2 | grep adjfreq
> 000411f0 T _thread_sys_adjfreq
> 000411f0 W adjfreq

I'm building right now on the second box but it seems clear that that was the problem, just for the fact are you saying that

On the box I'm building on right now I got this:
libc.so.39.0 from 9th April and
libc.so.39.1 from 1st June

And if I understand correctly it's right to have that value before the build, I just have to have 39.2 after a successful build, right?

> If the version is not 39.2, or the above command gives no matches,
> then you did not do a proper build.

What could have been the problem?

-- Massimo.run();
Re: Error building ntpd on -current
On Wed, 2006-07-05 at 16:41 +0200, Otto Moerbeek wrote:

> You probably did not do a make build, but took a shortcut.

Not at all. I've followed precisely the procedure described here: http://www.openbsd.org/faq/faq5.html as I've always done before, I forgot to mention that the machine was a current from 10th June.

Now I've upgraded that box to the latest snapshot and will do the same exactly procedure on the following box:

OpenBSD 3.9-current (GENERIC) #0: Thu Jun 1 09:43:35 CEST 2006
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 3.00GHz ("GenuineIntel" 686-class) 3.01 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,CNXT-ID,CX16
cpu0: unknown Enhanced SpeedStep CPU, msr 0x0f250f25
real mem = 1005088768 (981532K)
avail mem = 909152256 (887844K)

Just for the records, both machines (the one being reinstalled and the above one) were successfully updated from a snapshot of the 9th April.

Thanks for your time.

-- Massimo.run();
Error building ntpd on -current
I just updated from CVS today and cannot do a make build anymore. I successfully installed and booted a GENERIC kernel.

OpenBSD 3.9-current (GENERIC) #3: Wed Jul 5 09:38:20 CEST 2006
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III ("GenuineIntel" 686-class) 602 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
real mem = 133722112 (130588K)
avail mem = 115286016 (112584K)

but cannot build userland:

cc -o ntpd ntpd.o buffer.o log.o imsg.o ntp.o ntp_msg.o parse.o config.o server.o client.o sensors.o util.o
ntpd.o(.text+0x9ec): In function `ntpd_adjfreq':
: undefined reference to `adjfreq'
ntpd.o(.text+0xa44): In function `ntpd_adjfreq':
: undefined reference to `adjfreq'
ntpd.o(.text+0xc32): In function `readfreq':
: undefined reference to `adjfreq'
collect2: ld returned 1 exit status
*** Error code 1

Stop in /usr/src/usr.sbin/ntpd (line 93 of /usr/share/mk/bsd.prog.mk).
*** Error code 1

Stop in /usr/src/usr.sbin.
*** Error code 1

Stop in /usr/src.
*** Error code 1

Stop in /usr/src (line 73 of Makefile).

Any help is really appreciated. Thanks.

-- Massimo
Re: IPSec unspec transport
On Mon, 2006-07-03 at 03:57 -0700, Clint Pachl wrote:

> Agreed, that is not suitable and I don't do that. I guess I
> misunderstood the point at which your failure was occurring. I believed
> it to be initially or some short time after you started each end point.
> In my experience, I am using IPSec to secure wireless clients to an AP.
> In my first configuration, all clients and the AP were ike negotiators,
> "active," and I was experiencing unspec transport. I changed the
> ipsec.conf on the AP only to be a passive ike and ran the set of
> commands I mentioned earlier and everything worked.
>
> I guess I assumed you changed your ipsec.conf, making one end point
> passive, hence the set of commands to put every thing in sync. Sorry I
> misunderstood.

Well my problems are fortunately restricted to one end point and are random. I mean the tunnel could stay up 2/3 days then could fall randomly, then it come up again randomly some time after the fall, let say it may take from 10-20 minutes to hours.

As said, before i setup max-mss on both peers to 1300 i got a lot of DF! packets so i gave guilt to them but even after (without any more fragmented packets) the tunnel keeps on falling, and i cannot see anything strange on the wire.

I'm preparing a laptop to be put on the wire before the end point just to capture packets between the end point itself and the ISP's router.

> Is the traffic the same on each line? I have had much success with ssh,
> http, ftp, and ICMP traffic through my IPSec tunnel, however, X11 seems
> to be unreliable.

My problems are not with the protocols encapsulated within IPsec, my problems are with the tunnel and the SA falling...

Regards
-- Massimo
Re: IPSec unspec transport
On Mon, 2006-07-03 at 00:51 -0700, Clint Pachl wrote:

> Are both end points trying to negotiate? Try using the "passive" keyword
> on one endpoint: "ike passive esp ..."

Yes both active. Should that cause problems?

> I have experienced the same issue. I don't know the details of what
> exactly is happening, however, it seems to be a synchronization problem.
> Here's what I have done to get rid of the "unspec transport" and setup
> the proper flows and SAs:
>
> Execute on the "passive" box first, then the other:
> # ipsecctl -F
> # echo R > /var/run/isakmpd.fifo
> # ipsecctl -f /etc/ipsec.conf

I know how to put it up again and i actually use -d just to keep up others tunnel. Anyway you're telling me that every time your tunnel fall you are there to cast that command to bring it up again? That's not suitable... :

What i really want to know (investigate) is what is causing this drops since they happen just on one line not in the other and the devices are all the same just as the OpenBSD version.

To add infos i just dropped down the max-mss size to a lower value cause i was seeing a lot of DF! packets without that setting and now all packets aren't fragmented by the routers between my peers.

Again i'm not so sure how this is related but digging through the problem i've discovered that the time the tunnel fall is near the time the ISP's router is negotiating its own wan IP address through PPPoA with the ISP's kerberos server. Does this sound reasonable or it is totally unrelated?

>
> Also, make sure all IP addresses in ipsec.conf are reachable; check
> netstat -rnfinet.

Double checked.

Thanks for your time
-- Massimo
IPSec unspec transport
I got a VPN network which works quite well, I mean works very well thanks to OpenBSD and its implementation, but I got one end point out of the 6 running which is causing me trouble. The configuration is done with ipsec.conf and is identical to others which work well. Here is some example config:

ike esp from $MY_NET to $OTHER_NET peer $VPN_PEER main auth hmac-md5 enc aes

Isakmpd is started with no .conf and .policy just with -K and uses IPv4 private/pubkeys as identifiers on public static IPs. This is all on an OpenBSD 3.9-current (GENERIC-RD) #0: Tue Mar 28 12:41:04 EST 2006

From the troubling VPN gateway and respectively from the central VPN gateway I (apparently randomly) got:

unspec transport from x.y.w.z to z.w.y.x spi 0xa0a35d6a

and the tunnel with the flows along falls. What does unspec transport actually mean? What could cause the above message? Any hint is really appreciated, thanks.
--
Massimo
Re: VIA C7 hardware AES support in IPSEC(ctl)
On Thu, 2006-06-22 at 20:04 +0200, Hans-Joerg Hoexer wrote:
> we are.

It would be great if you could explain to us a little more about this? BTW thanks for the great tool ipsecctl is! Ciao
--
Massimo.run();
Re: Crypto acceleration (was: Re: VIA C7 hardware AES support in IPSEC(ctl))
On Fri, 2006-06-23 at 10:00 +0200, Markus Friedl wrote:
> yes, the card needs to support all algorithms,
> crypto_newsession() does this:
>
>         /*
>          * The algorithm we use here is pretty stupid; just use the
>          * first driver that supports all the algorithms we need. Do
>          * a double-pass over all the drivers, ignoring software ones
>          * at first, to deal with cases of drivers that register after
>          * the software one(s) --- e.g., PCMCIA crypto cards.
>          *
>          * XXX We need more smarts here (in real life too, but that's
>          * XXX another story altogether).
>          */
>
> -m

I was looking at this a while ago for an old setup which is still alive for test purposes and needed attention just for this particular case. Thanks Christian and Markus for pointing this out. Regards.
--
Massimo.run();
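The selection rule quoted in the message above (take the first driver that supports every requested algorithm, trying hardware drivers before software ones), as an added example that is not part of the original thread and not OpenBSD's source. The driver table, the algorithm bit values and the name `pick_driver` are assumptions made up for the illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical algorithm identifiers, one bit each (not kernel constants). */
enum { ALG_AES_CBC = 1u << 0, ALG_HMAC_MD5 = 1u << 1, ALG_HMAC_SHA1 = 1u << 2 };

struct driver {
    const char *name;
    unsigned    algs;      /* bitmask of algorithms the driver registered */
    int         software;  /* 1 = software fallback, 0 = hardware */
};

/*
 * Return the index of the first driver that supports every algorithm in
 * `needed`. Pass 0 skips software drivers; pass 1 accepts them, so a
 * hardware driver wins even if it registered after the software one.
 * Returns -1 if no driver covers the whole set.
 */
int pick_driver(const struct driver *drv, size_t n, unsigned needed)
{
    for (int pass = 0; pass < 2; pass++) {
        for (size_t i = 0; i < n; i++) {
            if (pass == 0 && drv[i].software)
                continue;
            if ((drv[i].algs & needed) == needed)
                return (int)i;
        }
    }
    return -1;
}

/* Constructed table: software registered first, AES-only hardware later. */
static const struct driver sample_drivers[] = {
    { "software",    ALG_AES_CBC | ALG_HMAC_MD5 | ALG_HMAC_SHA1, 1 },
    { "hw-aes-only", ALG_AES_CBC,                                0 },
};
#define N_SAMPLE (sizeof(sample_drivers) / sizeof(sample_drivers[0]))

int main(void)
{
    unsigned esp = ALG_AES_CBC | ALG_HMAC_MD5;  /* enc aes + auth hmac-md5 */
    int a = pick_driver(sample_drivers, N_SAMPLE, ALG_AES_CBC);
    int b = pick_driver(sample_drivers, N_SAMPLE, esp);

    printf("AES only       -> %s\n", sample_drivers[a].name);
    printf("AES + HMAC-MD5 -> %s\n", sample_drivers[b].name);
    return 0;
}
```

With this table a session that asks only for AES lands on the hardware driver, while one that also asks for HMAC-MD5 falls through to software as a whole, because the rule never splits one session across drivers.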
Re: VIA C7 hardware AES support in IPSEC(ctl)
On Wed, 2006-06-21 at 17:49 +0200, Bihlmaier Andreas wrote:
> Sorry, for that but I thought it wouldn't matter:

I don't mean to offend you, but... I think the test environment matters.

> All hosts are in the same network and can talk directly to each other,
> but for unsecure protocols (NFS, HTTP) I run a VPN between them.
>
> host1        router        host2
> 10.0.0.1     10.0.0.254    10.0.0.8   // Real IP
>                                       // VPN
> 10.2.0.1     10.2.0.254    10.2.0.8   // alias used for VPN
>
>         +--------+
> host1---+        |
>         | Switch +--- router
> host2---+        |
>         +--------+
>

Again you don't specify which host is what so I'm guessing here. Which is the C7? What are the other boxes?

> I use "iperf -w 256k" for testing purposes.
> The speed between hosts/router using their real IPs (-B 10.0.0.*) is
> about 70-80 Mb/s.
>
> ~22 Mb/s between host1 and host2 using their VPN IPs.

BTW I don't think you should spit on 22 Mb/s IPSec for a 500/600EURO box. For the record I got the same IPSec performance with C3 1GHz on rl(4) boxes. Sustained.
--
Massimo.run();
Re: VIA C7 hardware AES support in IPSEC(ctl)
On Wed, 2006-06-21 at 13:48 +0200, Bihlmaier Andreas wrote:
> I don't mean to offend you, but ...
> Doh, I know that and these are VERY nice figures, BUT my problem is
> that I have too slow (== no acceleration) speed in IPSEC.
> I thought that OpenBSD would just make use of it (again in IPSEC) if it
> detects it.

You haven't specified the network setup and how you conducted the tests.
--
Massimo.run();
Re: Mail Server configuration question(s)
On Fri, 2006-06-09 at 13:55 +0100, Craig Skinner wrote:
> When I worked for a small ISP that had 5000 domains, we found the best
> thing to do was use passwd for auth as anything else was too slow.
>
> When an account was added via the website, a perl script would pull data
> from SQL, generate passwd, postfix confs & reload postfix. You could
> have cron run the script every 15 mins and only generate config files if
> there was new data/accounts to remove.

Well, 5000 domains and how many accounts/aliases/forwarders?
--
Massimo.run();