from:"Vladimir"

Re: Profiling ifconfig

2021-12-17 Thread Vladimir Nikishkin

Profiling ifconfig was my first guess, I am not an experienced
programmer in any sense of the word.

I did the ktrace/kdump run, and the result is just 65 lines, most of
which seem normal (attached). The suspicious lines below:

```
78429 ifconfig 1639744429.761912 CALL  socket(AF_INET,0x2,0)
 78429 ifconfig 1639744429.761920 RET   socket 3
 78429 ifconfig 1639744429.761922 CALL  ioctl(3,SIOCGIFFLAGS,0xcc175b5b2a8)
 78429 ifconfig 1639744429.761925 RET   ioctl 0
 78429 ifconfig 1639744429.761926 CALL  ioctl(3,SIOCGIFXFLAGS,0xcc175b5b2a8)
 78429 ifconfig 1639744429.761927 RET   ioctl 0
 78429 ifconfig 1639744429.761928 CALL  ioctl(3,SIOCGIFMETRIC,0xcc175b5b2a8)
 78429 ifconfig 1639744429.761929 RET   ioctl 0
 78429 ifconfig 1639744429.761934 CALL  ioctl(3,SIOCBRDGRTS,0x7f7bda50)
 78429 ifconfig 1639744429.761936 RET   ioctl -1 errno 25 Inappropriate ioctl 
for device
 78429 ifconfig 1639744429.761937 CALL  ioctl(3,SIOCGIFMTU,0xcc175b5b2a8)
 78429 ifconfig 1639744429.761939 RET   ioctl 0
 78429 ifconfig 1639744429.761939 CALL  ioctl(3,SIOCGIFRDOMAIN,0xcc175b5b2a8)
 78429 ifconfig 1639744429.761942 RET   ioctl 0
 78429 ifconfig 1639744429.761943 CALL  ioctl(3,SIOCGIFLLPRIO,0xcc175b5b2a8)
 78429 ifconfig 1639744429.761944 RET   ioctl 0
 78429 ifconfig 1639744429.761945 CALL  ioctl(3,SIOCGIFFLAGS,0x7f7bda80)
 78429 ifconfig 1639744429.761946 RET   ioctl 0
 78429 ifconfig 1639744429.761947 CALL  ioctl(3,SIOCSIFFLAGS,0x7f7bda80)
 78429 ifconfig 1639744660.684179 RET   ioctl 0
 78429 ifconfig 1639744660.701556 CALL  
mprotect(0xcc385a48000,0x1000,0x3)

```

I have no idea what this means, to be honest.
ioctl(3,SIOCSIFFLAGS,0x7f7bda80) seems to be the one running for
231 second.

I looked at the code of if_vio.c, and it seems to be taking time at
calling vio_init (as there is not much more in this ioctl), however, I
do not know much about debugging kernel drivers, so suggestions welcome
:).

Is there a way to recompile it with profiling/tracing information, or
maybe just putting printfs manually around the most interesting lines
would be more productive?



ifconfig-kdump.result.2021-12-17_12-34
Description: Binary data


"Theo de Raadt"  writes:

> Claudio Jeker  wrote:
>
>> On Thu, Dec 16, 2021 at 03:55:43PM +0800, Vladimir Nikishkin wrote:
>> > Hello, everyone
>> > 
>> > Recently I had a problem: my system is losing network connectivity,
>> > although the interface (vio0 on KVM) seemed up. Restarting the
>> > connection with `ifconfig vio0 down` and `ifconfig vio0 up` restores the
>> > connection.
>> > 
>> > However, when I timed the execution, I found that the second `up` can
>> > take up to 15 minutes. (Hugely unexpected!) To find out where the
>> > program is waiting, I decided to recompile ifconfig from source with
>> > debugging and profiling support.
>> > 
>> > Slightly adjusting the commands provided by the Makefile, I came up with
>> > the following commands:
>> > 
>> > ```
>> > egcc -O0 -g -pg -fPIC  -Werror-implicit-function-declaration  -c ifconfig.c
>> > egcc -O0 -g -pg -fPIC  -Werror-implicit-function-declaration  -c brconfig.c
>> > egcc -O0 -g -pg -fPIC  -Werror-implicit-function-declaration  -c sff.c
>> > egcc  -g -pg -shared -pie -o ifconfig ifconfig.o brconfig.o sff.o -lc -pg
>> > ```
>> > 
>> > However, when I run ./ifconfig compiled like this, I am getting (besides
>> > the output of ifconfig itself) the following error message:
>> > 
>> > ```
>> > gmon.out: No such file or directory
>> > ```
>> > 
>> > I find this unexpected. Compiling and linking a simple helloworld with
>> > -pg -g seems to be working fine, and gmon.out is produced as expected.
>> > 
>> > What am I doing wrong? Is there something specific that needs to be
>> > permitted to profile ifconfig?
>> 
>> I doubt the problem is in ifconfig(8) itself but more an ioctl that takes
>> long to finish. Anyway for prfiling to work you need to neuter unveil() in
>> ifconfig. e.g. by changing the code. With unveil on the gmon.out file
>> written in the atexit handler can't be created.
>
> Wrong tool being used to debug a userland program.  It is better to attach
> a debugger to a -g executable.  Or use ktrace -di with kdump, to figure out
> what system calls it is stuck in.
>
> And I suspect you will quickly decide there is no problem in ifconfig..


-- 
Your sincerely,
Vladimir Nikishkin (MiEr, lockywolf)
(Laptop)

Profiling ifconfig

2021-12-16 Thread Vladimir Nikishkin

Hello, everyone

Recently I had a problem: my system is losing network connectivity,
although the interface (vio0 on KVM) seemed up. Restarting the
connection with `ifconfig vio0 down` and `ifconfig vio0 up` restores the
connection.

However, when I timed the execution, I found that the second `up` can
take up to 15 minutes. (Hugely unexpected!) To find out where the
program is waiting, I decided to recompile ifconfig from source with
debugging and profiling support.

Slightly adjusting the commands provided by the Makefile, I came up with
the following commands:

```
egcc -O0 -g -pg -fPIC  -Werror-implicit-function-declaration  -c ifconfig.c
egcc -O0 -g -pg -fPIC  -Werror-implicit-function-declaration  -c brconfig.c
egcc -O0 -g -pg -fPIC  -Werror-implicit-function-declaration  -c sff.c
egcc  -g -pg -shared -pie -o ifconfig ifconfig.o brconfig.o sff.o -lc -pg
```

However, when I run ./ifconfig compiled like this, I am getting (besides
the output of ifconfig itself) the following error message:

```
gmon.out: No such file or directory
```

I find this unexpected. Compiling and linking a simple helloworld with
-pg -g seems to be working fine, and gmon.out is produced as expected.

What am I doing wrong? Is there something specific that needs to be
permitted to profile ifconfig?

-- 
Your sincerely,
Vladimir Nikishkin (MiEr, lockywolf)
(Laptop)

(Feedback needed) openbsd and ulimits.

2021-08-29 Thread Vladimir Nikishkin

Hello, everyone.

I found this problem when trying to write some go on OpenBSD:

https://github.com/google/starlark-go/issues/382

OpenBSD enforces ulimits on virtual space, whereas many operating
systems do not. `starlark`, as, in fact, many other pieces of software,
casually allocate "all virtual space in 32 bits", because presumably
that does not hurt on other operating systems. Hence, software using
starlark compiles, but does not run.

What would be the best approach to make it work on OpenBSD?

I am not an expert on POSIX memory management in any sense of the word,
so please, those who are, comment on that issue.


-- 
Your sincerely,
Vladimir Nikishkin (MiEr, lockywolf)
(Laptop)

portgen does not handle go ports with capital letter in name

2021-08-22 Thread Vladimir Nikishkin

Dear all,

I tried to use portgen to semi-automatically generate a port for a go
project with a capital letter in the name.

It failed with a cryptic error. I commented out the code in Port.pm the
place which retries to generate a name for everything other than Perl
(p5), and it worked.

I thing Go.pm does not expect to be called the second time with a name.

Hope this helps.

-- 
Your sincerely,
Vladimir Nikishkin (MiEr, lockywolf)
(Laptop)

Re: (bug?) relayd forward to directives interfering

2021-08-13 Thread Vladimir Nikishkin



This has actually been reported before:

https://www.mail-archive.com/bugs@openbsd.org/msg14189.html

Jean-Pierre de Villiers  writes:

> On 21/08/11 04:34pm, Vladimir Nikishkin wrote:
>> I do not think my setup is related to "TLS Inspection".
>
> Apologies, my misunderstanding.  I always forget I divert traffic to to
> localhost in my setup.  Anyway,
>
>> There is no problem connecting to the TLS-enabled backend. The problem
>> appears when connecting to the HTTP backend, when, _at the same time_,
>> in the same relay there is another redirect to the TLS backend.
>
> Did you make sure to use the https scheme in your curl request?
> Something like:
>
>   $ curl https://domain.example/http
>
> The listener is still a TLS listener even if the backend uses only plain
> http.
>
> Sorry for the confusion.
>
> Regards,
> JP


-- 
Your sincerely,
Vladimir Nikishkin (MiEr, lockywolf)
(Laptop)

Re: (bug?) relayd forward to directives interfering

2021-08-11 Thread Vladimir Nikishkin

I do not think my setup is related to "TLS Inspection".

There is no problem connecting to the TLS-enabled backend. The problem
appears when connecting to the HTTP backend, when, _at the same time_,
in the same relay there is another redirect to the TLS backend.

On Wed, 11 Aug 2021 at 16:15, Jean-Pierre de Villiers
 wrote:
>
> On 21/08/11 02:40pm, Vladimir Nikishkin wrote:
> > However, if I keep "with tls", the requests to port 81 are going
> > encrypted, and are failing with the following message in relayd logs:
> > `SSL routines:ST_CONNECT:tlsv1 alert protocol version`,
> > `TLS handshake error: handshake failed:`.
>
> What you're currently attemting is referred to as TLS inspection in
> relayd.conf(5).  This is when one combines client and server modes.
>
> In order for TLS inspection to function properly the protocol options
> "ca cert" and "ca key" both need to be set.  Further details found in
> the "TLS Relays" and "Protocols" sections of relayd.conf(5).
>
> Regards,
> JP



-- 
Yours sincerely, Vladimir Nikishkin
(Sent from GMail web interface.)

(bug?) relayd forward to directives interfering

2021-08-10 Thread Vladimir Nikishkin

Hello, everyon

I have a super simple (sanitised) relayd.conf

```
$ext_ip = 192.168.1.1
table   { 127.0.0.1 }
table  { 127.0.0.1 }

http protocol "p-https" {
tls session tickets
tls keypair domain.example
tls ca file "/etc/ssl/cert.pem"
http websockets
tcp { nodelay, sack, socket buffer 65536, backlog 100 }
return error
block
pass request path log "/http*"  forward to 
pass request path log "/https*" forward to 
pass response
}


relay "tlsforward" {
listen on $ext_ip port 443 tls
protocol "p-https"
forward to  port 81
forward with tls to  port 82
}
```

The the problem is with the second-to-last line.

If I remove "with tls",
then requests to 82 are forwarded unencrypted, and curl test reports
`curl: (52) Empty reply from server`. 

However, if I keep "with tls", the requests to port 81 are going
encrypted, and are failing with the following message in relayd logs:
`SSL routines:ST_CONNECT:tlsv1 alert protocol version`,
`TLS handshake error: handshake failed:`.

There should not be any TLS handshakes at port 81, because the backend
at port 81 is http-only.

Could someone verify that this is the case?
Is there anything I am missing here?

-- 
Your sincerely,
Vladimir Nikishkin (MiEr, lockywolf)
(Laptop)

iked choosing the wrong policy?

2021-07-26 Thread Vladimir Nikishkin

Hello, everyone.

This is my iked.conf:

```
ikev2 "for-phone" passive esp \
from any to 10.0.3.2/32 \
local egress peer any \
ikesa enc aes-256 prf hmac-sha2-256 auth hmac-sha2-256 group ecp256 \
childsa enc aes-256 auth hmac-sha2-256 prf hmac-sha2-256 group ecp256 \
srcid server.mine \
dstid phone.mine \
eap "mschap-v2" \
config address 10.0.3.2 \
config name-server 10.0.0.1 \
config netmask 255.255.255.255 \
config protected-subnet 10.0.0.0/24 \
config protected-subnet 10.0.1.0/24 \
config protected-subnet 10.0.2.0/24 \
tag "ROADW"

ikev2 "for-laptop" passive esp \
from any to 10.0.3.3/32 \
local egress peer any \
ikesa   enc aes-256   auth hmac-sha2-512 prf hmac-sha2-512 
group ecp521 \
childsa enc aes-256   auth hmac-sha2-512   
group ecp521 \
srcid server.mine \
dstid laptop.mine \
rsa \
config address 10.0.3.3 \
config name-server 10.0.0.1 \
config netmask 255.255.255.255 \
config protected-subnet 10.0.0.0/24 \
config protected-subnet 10.0.1.0/24 \
config protected-subnet 10.0.2.0/24 \
tag "ROADW" 
```

I expected the peer presenting itself as "phone.mine" get the first
policy (as long as it manages to authenticate by mschapv2), and the peer
presenting itself as "laptop.mine" to get the second policy.

However, what happens in reality is that both of them are being given the
second policy, and the phone fails to authenticate. If I comment out the
second policy, the phone successfully gets the first policy and
authenticates itself, but, obviously, the laptop does not work then.

How to correct the setup?

-- 
Your sincerely,
Vladimir Nikishkin (MiEr, lockywolf)
(Laptop)

Potential bug in /usr/sbin/ndp lines 316-364 with RTF_LLINFO

2021-07-08 Thread Vladimir Nikishkin

Hello, everyone.

I believe, ndp.c has a bug.

1. Line 319 defines a fresh m_rtmsg, and does not initialise it.
2. Therefore m_rtmsg.m_rtm should be empty or zero. (Or constant, I am
not very sure)
3. Line 329 defines rtm and makes it a pointer to a fresh (empty or
constant) m_rtmsg.m_rtm.
4. Nothing uses either m_rtmsg or rtm until lines 363+364.
5. On line 363, `if` checks that rtm->rtm_flags & RTF_LLINFO is true.
Effectively, it is checking that m_rtmsg.r_rtm.rtm_flags has some bit set.

This check is either checking an uninitialised, or a constant value. (I
am not very sure how fresh structures are initialised in OpenBSD) In
either case, it is not useful.

In effect, `ndp -s  ` always fails, because this check is
always false.

-- 
Your sincerely,
Vladimir Nikishkin (MiEr, lockywolf)
(Laptop)

ndp for ND (ipv6) proxying on /64 prefix is failing cryptically.

2021-07-07 Thread Vladimir Nikishkin

Hello, everyone

I am running an OpenBSD 6.9 Vultr node. Vultr is issuing /64 prefixes with
SLAAC. I have a few machines behind this node, connected via wireguard.

For simplicity, let us say that vio0 is the default interface,
configured the way Vultr suggests:

hostname.vio0
dhcp   
inet6 autoconf -temporary -soii

wireguard is configured like this:
hostname.wg0
inet6  128
!/usr/local/bin/wg setconf wg0 /etc/wireguard/server.conf

from the outside I cannot pint  ,
the response being
2401:c080:1c00:a4::33 icmp_seq=3 Destination unreachable: Address unreachable

If my understanding is correct, that is because wg0 cannot respond
to ND requests from the router.

Trying to set up proxy NDP, I am running ndp like thi:

ndp -s   temp proxy

If I understand correctly, this should make "vio0" announce the static
ip to the router. (the words "temp" and "proxy" seem to have no effect)

However, ndp errs:

ndp: set: cannot configure a new entry

There seems to have been a similar error in 2008:
http://openbsd-archive.7691.n7.nabble.com/error-with-ndp-only-on-sparc64-td200752.html
and
https://marc.info/?l=openbsd-ipv6&m=120731349004033&w=2

sysctl:
net.inet6.ip6.forwarding=1
but
net.inet6.ip6.accept_rtadv=0
seems to have disappeared.

What is it that I am doing wrong?
The nabble message mentions some bug in ndp, but it should have
disappeared long ago.

Perhaps, an FAQ entry related to ndp would be nice to have?
Ipv6 is supposed to have the adoption rate of 33%, not such an uncommon
thing any more.

-- 
Your sincerely,
Vladimir Nikishkin (MiEr, lockywolf)
(Laptop)

Re: what's wrong with /etc/netstart rum0 on 5.2

2012-12-05 Thread Vladimir Y.

On Wed, Dec 5, 2012 at 5:10 AM, lilit-aibolit  wrote:

> inet 192.168.55.254 255.255.255.0 NONE -inet6 media autoselect mode 11g \
> mediaopt hostap chan 8 nwid namewifi \
>

I'd use the 'wpakey' keyword in /etc/hostname.rum0 like so:

inet 192.168.55.254 255.255.255.0 NONE  media autoselect mode 11g \
mediaopt hostap chan 8 nwid namewifi wpakey blah-blah
up
-inet6

Seems to work for me with /etc/netstart rum0

-- 
#include "Vlad"

Re: gre mpls packet decapsulation (4.8/i386)

2010-11-08 Thread Vladimir Ostrovskiy

that's how this service is designed (what you see as pseudowire)
is there a roadmap for L2/pseudowire support?

cheers!
Vladimir

On Mon, Nov 8, 2010 at 10:08 AM, Claudio Jeker wrote:

>
> OK, those packets look like PWE3 encapsulated ethernet frames. mpe(4) only
> supports L3 IP/IPv6 traffic for now. So the only way out here is to use a
> L3 MPLS VPN.
>  :wq Claudio

Re: Bridge frame reassembly over gif/ipsec

2010-11-07 Thread Vladimir Ostrovskiy

Hi,

1. as far as my knowledge goes pure mpls packet should not be fragmented
2. i am unuware of IPSec encap of MPLS, maybe in GRE first?
but once such encap is done there is DF bit set.
3. maybe it will be easier to put additional routers on both endpoints
with interfaces set with an IP MTU, small enough?

cheers!
Vladimir

On Sun, Nov 7, 2010 at 11:02 PM, Doug Clements  wrote:

> Hi,
>   From the man page for bridge (4):
>
> If an IP packet is too large for the outgoing interface, the bridge
> will
> perform IP fragmentation.  This can happen when bridge members have
> different MTUs or when IP fragments are reassembled by pf.  Non-IP
> packets which are too large for the outgoing interface will be dropped.
>
> Is it somehow possible (maybe with different features?) to fragment a
> layer2 frame for reassembly on the other side of a bridge? This would
> be for use with MPLS, so using pf's scrub directive would not be
> applicable. The desired behavior would be to take in 1500 bytes of IP
> payload with an added MPLS label and transport this inside a gif/ipsec
> tunnel over the internet (with a wan-link MTU of 1500).
>
> --Doug

Re: gre mpls packet decapsulation (4.8/i386)

2010-11-05 Thread Vladimir Ostrovskiy

tcpdump -nvi vic1 -X ip proto 47

18:20:27.697032 gre 10.163.0.8 > 10.163.0.162: [] gre-proto-0x8847 (DF) (ttl
255, id 276, len 130)
: 4500 0082 0114 4000 ff2f 6449 0aa3 0008 e.@./dI.#..
0010: 0aa3 00a2  8847 032c 91ff 0016 4d40 .#."...G.,...M@
0020: 17f3 0050 5601 009e 8100 05e6 0800 4500 .s.PV..f..E.
0030: 0054 6891  ff01 3d28 0aa3 00a2 0aa3 .Th....=(.#.".#
0040: 0008 0800 17dc c975  4cd4 3cdb 000a .\Iu..LT<[..
0050: a1f1 0809 0a0b 0c0d 0e0f 1011 1213 1415 !q..
0060: 1617 1819 1a1b ..

tcpdump -nvi gre0 -X

18:20:27.697069 MPLS(label 13001, exp 0, ttl 255)
: 032c 91ff 0016 4d40 17f3 0050 5601 009e .,....@.s.pv...
0010: 8100 05e6 0800 4500 0054 6891  ff01 ...f..E..Th....
0020: 3d28 0aa3 00a2 0aa3 0008 0800 17dc c975 =(.#.".#.\Iu
0030:  4cd4 3cdb 000a a1f1 0809 0a0b 0c0d ..LT<[..!q..
0040: 0e0f 1011 1213 1415 1617 1819 1a1b 1c1d 
0050: 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d .. !"#$%&'()*+,-
0060: 2e2f 3031 3233 3435 3637 ./01234567





On Fri, Nov 5, 2010 at 6:13 PM, Stuart Henderson wrote:

> In gmane.os.openbsd.misc, you wrote:
> > see pcap's attached,
> >
> > On Fri, Nov 5, 2010 at 4:08 PM, Claudio Jeker  >wrote:
> >
> >> On Fri, Nov 05, 2010 at 03:43:07PM +0100, Vladimir Ostrovskiy wrote:
> >> > Hello All,
> >> >   a question:
> >>
> >> Please just include tcpdump -nvi vic1 -X and tcpdump -nvi gre0 -X
> output.
> >> Tcpdump is in base for a reason. Include route -n show -mpls as well
> >> please.
> >>
> >> AF 33 is MPLS and gre(4) so that seems to be OK.
> >> --
> >> :wq Claudio
> >
> > [demime 1.01d removed an attachment of type application/octet-stream
> which had a name of gre0-capture.pcap]
> >
> > [demime 1.01d removed an attachment of type application/octet-stream
> which had a name of vic1-capture.pcap]
> >
> >
>
> Just include the output from the commands Claudio showed, pasted into the
> email body (i.e. in-line text, not as an attachment).

Re: gre mpls packet decapsulation (4.8/i386)

2010-11-05 Thread Vladimir Ostrovskiy

forgot the routes

# route -n show -mpls
Routing tables

MPLS:
In label Out label Op Gateway Flags Refs Use Mtu Prio Interface
3 - LOCAL default UGT 0 0 - 56 vic0
16 - LOCAL 10.166.41.1 UGT 0 0 - 56 vic0
17 131071 SWAP 10.163.0.161 UGT 0 0 - 56 vic1
18 - LOCAL 192.168.255.1 UGT 0 0 33200 56 lo1
13000 - POP mpe0 T 0 0 - 4 mpe0
13001 - POP mpe1 T 0 14 - 4 mpe1



On Fri, Nov 5, 2010 at 4:08 PM, Claudio Jeker wrote:

> On Fri, Nov 05, 2010 at 03:43:07PM +0100, Vladimir Ostrovskiy wrote:
> > Hello All,
> >   a question:
>
> Please just include tcpdump -nvi vic1 -X and tcpdump -nvi gre0 -X output.
> Tcpdump is in base for a reason. Include route -n show -mpls as well
> please.
>
> AF 33 is MPLS and gre(4) so that seems to be OK.
> --
> :wq Claudio

Re: gre mpls packet decapsulation (4.8/i386)

2010-11-05 Thread Vladimir Ostrovskiy

see pcap's attached,

On Fri, Nov 5, 2010 at 4:08 PM, Claudio Jeker wrote:

> On Fri, Nov 05, 2010 at 03:43:07PM +0100, Vladimir Ostrovskiy wrote:
> > Hello All,
> >   a question:
>
> Please just include tcpdump -nvi vic1 -X and tcpdump -nvi gre0 -X output.
> Tcpdump is in base for a reason. Include route -n show -mpls as well
> please.
>
> AF 33 is MPLS and gre(4) so that seems to be OK.
> --
> :wq Claudio

[demime 1.01d removed an attachment of type application/octet-stream which had 
a name of gre0-capture.pcap]

[demime 1.01d removed an attachment of type application/octet-stream which had 
a name of vic1-capture.pcap]

gre mpls packet decapsulation (4.8/i386)

2010-11-05 Thread Vladimir Ostrovskiy

Hello All,
  a question:
   i have a setup where an mpls P router sends via GRE SDP (service delivery
path) traffic to an openbsd machine,
   acting as a PE, i need to have my traffic decapsulated to the original
payload (minus gre, minus mpls headers)
  however i have difficulties getting proper payload after a gre interface.

  following interfaces are configured. original ip addresses are replaced
with A and B.

vic1: flags=88843 mtu 1530
lladdr 00:50:56:01:00:9e
priority: 0
media: Ethernet autoselect
status: active
inet ___A___ netmask 0xfff8 broadcast __C__

gre0: flags=89011 mtu 1476
priority: 0
groups: gre
physical address inet  ___A___--> ___B___
inet ___A___--> ___B___netmask 0xff00

mpe1: flags=51 mtu 1500
priority: 0
mpls label: 13001
groups: mpe

lo1: flags=8049 mtu 33200
priority: 0
groups: lo
inet 192.168.255.1 netmask 0xff00

a packet comes in with following stack, as captured on the vic1. there in
MPLS header i have expected label 13001 which should be "poped", see
attachment, gre-mpls-packet.png,
however on the gre0 interface at the same time i see some family 33 header,
prepending the payload of original packet starting with the mpls header, see
attachment: data-packet.png

 i run a custom 4.8 kernel on i386 with MP, MPLS and mpe enabled

cheers!
Vladimir

[demime 1.01d removed an attachment of type image/png which had a name of 
gre-mpls-packet.png]

[demime 1.01d removed an attachment of type image/png which had a name of 
data-packet.png]

Re: OpenBSD Vim Programming FAQ

2010-10-08 Thread Vladimir Kirillov

On 11:43 Thu 12 Aug, Darrin Chandler wrote:
> On Thu, Aug 12, 2010 at 01:07:47PM +0200, Tomas Vavrys wrote:
> > 2010/8/12 Ingo Schwarze :
> > > Oh, and also note that "OpenBSD and vim" is a weird topic.  "OpenBSD
> > > and nvi" or "OpenBSD and mg" would seem more natural.  On the other
> > > hand, some people (including Marco) apparently like the topic, so it
> > > may be useful. B But don't feel disappointed if many people
> > > completely ignore your effort because you are focussing on a
> > > non-standard combination.
> > > 
> > Unfortunately there is at least 7 people who would like to see some
> > tutorial.
> 
> I do not think it's a weird topic, and I know of developers aside from
> Marco who use Vim (who have kindly shared some settings with me).

style(9):
Indentation is an 8 character tab.  Second level indents are four spaces.

while (cnt < 20)
z = a + really + long + statement + that + needs +
two + lines + gets + indented + four + spaces +
on + the + second + and + subsequent + lines;

How do you guys follow this rule in vim neatly?

Re: What does your environment look like?

2010-01-06 Thread Vladimir Kirillov

On 15:32 Tue 05 Jan, Jonathan Thornburg wrote:
> Very minimalist:
> 
> No xdm -- I login and type 'startx&;logout'.

startx() {
pgrep startx && wsconsctl display.focus=4 \
|| (/usr/X11R6/bin/startx >& ~/.startx.out &)
lock -pn
}

(zsh)


Might be useful and more convinient

Re: core dump files in invalid format on 4.3 (x86)

2009-10-09 Thread Vladimir Kirillov

iirc core dump format was changed to elf(5) sometime
around when PIE was imported, you probably need older gdb

On 20:38 Thu 08 Oct, openbsd.misc.tmp openbsd.misc.tmp wrote:
> Hi!
> 
> I have an application that in very seldom cases causes core dumps on about a
> dotzen machines that are located on customers sites.
> 
> What I have is application.core, but I cannot read this:
> 
> # gdb -c /home/me/application.core /home/me/application
> GNU gdb 6.3
> Copyright 2004 Free Software Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain
> conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB.  Type "show warranty" for details.
> This GDB was configured as "i386-unknown-openbsd4.3"...(no debugging symbols
> found)
> 
> "/home/me/application.core " is not a core dump: File format not recognized
> (gdb) quit
> 
> # file /home/me/application.core
> /home/me/application.core: data
> 
> Anybody got an idea how this can happen? What can I do with the file I have?
> 
> This happened more than once. Yet, all the .core files I was able to get
> were unusable to me. However, when I initiate a .core file by exiting the
> application intentionally with a signal, the resulting core files are OK.
> 
> Thanks in advance!
> 
> Regards,
> T.

Re: General RE-Build Question

2008-11-27 Thread Vladimir Kirillov

On 16:42 Thu 27 Nov, Morris, Roy wrote:
> Hmmm, thanks. I think I'll take the rm -r route.
> Sounds like I fracked something up for sure.
> 

cvsco from ports/devel/cvsutils might be a better way to fix a screwed
up tree then (less traffic).

-- 
Vladimir Kirillov

Re: relayd exits when disabling and enabling hosts

2008-11-11 Thread Vladimir

My recommendation is not to release software that hasn't had even the 
most basic testing. I would consider disabling/enabling basic 
functionality. I would consider relayd coredumps on state changes with 
4.3-RELEASE to be a huge no no. I thank you for your contribution 
however I am allowed to express my opinion over crappy software. I have 
Googled over issues that I laid out and they have been around for a 
while e.g. check Questions at


https://calomel.org/relayd.html

Therefore I said that relayd is alpha quality software at best. You are 
welcome to take offense at that however I am saying this so that people 
who may critically rely on this can make proper evaluation.


Vladimir

Reyk Floeter wrote:

my recommendation is to stay away from this list if you're not able to
send useful bug reports.  i use relayd in many production setups and
it works just fine; of course there are bugs but they can fixed or
reported.  anyway, i can verify your problem on cleaning up the pf
anchor,  i also did some changes before 4.4 here.

On Mon, Nov 10, 2008 at 03:15:22PM -0500, Vladimir wrote:
  
My recommendation is to stay away from relayd. I have had only bad 
experiences with it including a bad production outage. It fails on state 
changes, it fails on enabling or disabling hosts, it fails for no 
apparent reason. When it fails it doesn't clean up and you have to run 
manually something along these lines


for i in `pfctl -a 'relayd/*' -vvsA | sed 's,^.*relayd/,,'`
do
pfctl -a relayd/$i -Fa

etc. etc.

Vladimir

David Caro wrote:


first of all, sorry for my english (i'm spaniard)

i have two testing firewalls running OpenBSD 4.3 -release (fresh install),
with carp and pfsync configured and working, but when i disable one host
with 'relayctl host disable' and then enable it, relayd exits.
a screenshot of the relayd:
[EMAIL PROTECTED]:~]# relayd -d -vvv
startup
init_filter: filter init done
relay_privinit: adding relay web
init_tables: created 0 tables
protocol 0: name default
hce_notify_done: 192.168.4.11 (recv_icmp: done)
   flags: 0x0004
host 192.168.4.11, check icmp (0ms), state unknown -> up, availability
100.00%
   type: pfe_dispatch_imsg: state 1 for host 5 192.168.4.11
tcp
hce_notify_done: 192.168.4.12 (recv_icmp: done)
relay_init: max open files 1024
host 192.168.4.12, check icmp (0ms), state unknown -> up, availability
100.00%
relay_init: max open files 1024
relay_init: max open files 1024
relay_init: max open files 1024
relay_init: max open files 1024
adding 3 hosts from table pruebas:80
pfe_dispatch_imsg: state 1 for host 4 192.168.4.12
adding 3 hosts from table pruebas:80
adding 3 hosts from table pruebas:80
adding 3 hosts from table pruebas:80
adding 3 hosts from table pruebas:80
relay_launch: running relay web
hce_notify_done: 192.168.4.13 (recv_icmp: done)
relay_launch: running relay web
relay_launch: running relay web
relay_launch: running relay web
relay_launch: running relay web
host 192.168.4.13, check icmp (0ms), state unknown -> up, availability
100.00%
pfe_dispatch_imsg: state 1 for host 3 192.168.4.13
hce_notify_done: 192.168.4.11 (recv_icmp: done)
hce_notify_done: 192.168.4.12 (recv_icmp: done)
hce_notify_done: 192.168.4.13 (recv_icmp: done)
disable_host: disabled host 4
hce_notify_done: 192.168.4.11 (recv_icmp: done)
hce_notify_done: 192.168.4.13 (recv_icmp: done)
host 192.168.4.12, check icmp (0ms), state up -> down, availability 0.00%
hce_notify_done: 192.168.4.11 (recv_icmp: done)
hce_notify_done: 192.168.4.13 (recv_icmp: done)
enable_host: enabled host 4
hce_notify_done: 192.168.4.11 (recv_icmp: done)
hce_notify_done: 192.168.4.12 (recv_icmp: done)
host 192.168.4.12, check icmp (0ms), state unknown -> up, availability
33.33%
pfe_dispatch_imsg: host 4 => 0
hce_notify_done: 192.168.4.13 (recv_icmp: done)
fatal: pfe_dispatch_imsg: desynchronized
host check engine exiting
check_child: lost child: pf update engine exited
socket relay engine exiting
socket relay engine exiting
socket relay engine exiting
socket relay engine exiting
socket relay engine exiting
terminating


and the relayctl:
--
[EMAIL PROTECTED]:~]# relayctl show summary
Id  TypeNameAvlblty Status
0   relay   web active
1   table   pruebas:80  active (3
hosts up)
5   host192.168.4.11100.00% up
4   host192.168.4.12100.00% up
3   host192.168.4.13100.00% up
[EMAIL PROTECTED]:~]# relayctl host disable 4
command succeeded
[EMAIL PROTECTED]:~]# relayctl show summary
Id  TypeNameAvlblty Status
0   relay   web active
1   table   prue

Re: relayd exits when disabling and enabling hosts

2008-11-10 Thread Vladimir

My recommendation is to stay away from relayd. I have had only bad 
experiences with it including a bad production outage. It fails on state 
changes, it fails on enabling or disabling hosts, it fails for no 
apparent reason. When it fails it doesn't clean up and you have to run 
manually something along these lines


for i in `pfctl -a 'relayd/*' -vvsA | sed 's,^.*relayd/,,'`
do
pfctl -a relayd/$i -Fa

etc. etc.

Vladimir

David Caro wrote:

first of all, sorry for my english (i'm spaniard)

i have two testing firewalls running OpenBSD 4.3 -release (fresh install),
with carp and pfsync configured and working, but when i disable one host
with 'relayctl host disable' and then enable it, relayd exits.
a screenshot of the relayd:
[EMAIL PROTECTED]:~]# relayd -d -vvv
startup
init_filter: filter init done
relay_privinit: adding relay web
init_tables: created 0 tables
protocol 0: name default
hce_notify_done: 192.168.4.11 (recv_icmp: done)
flags: 0x0004
host 192.168.4.11, check icmp (0ms), state unknown -> up, availability
100.00%
type: pfe_dispatch_imsg: state 1 for host 5 192.168.4.11
tcp
hce_notify_done: 192.168.4.12 (recv_icmp: done)
relay_init: max open files 1024
host 192.168.4.12, check icmp (0ms), state unknown -> up, availability
100.00%
relay_init: max open files 1024
relay_init: max open files 1024
relay_init: max open files 1024
relay_init: max open files 1024
adding 3 hosts from table pruebas:80
pfe_dispatch_imsg: state 1 for host 4 192.168.4.12
adding 3 hosts from table pruebas:80
adding 3 hosts from table pruebas:80
adding 3 hosts from table pruebas:80
adding 3 hosts from table pruebas:80
relay_launch: running relay web
hce_notify_done: 192.168.4.13 (recv_icmp: done)
relay_launch: running relay web
relay_launch: running relay web
relay_launch: running relay web
relay_launch: running relay web
host 192.168.4.13, check icmp (0ms), state unknown -> up, availability
100.00%
pfe_dispatch_imsg: state 1 for host 3 192.168.4.13
hce_notify_done: 192.168.4.11 (recv_icmp: done)
hce_notify_done: 192.168.4.12 (recv_icmp: done)
hce_notify_done: 192.168.4.13 (recv_icmp: done)
disable_host: disabled host 4
hce_notify_done: 192.168.4.11 (recv_icmp: done)
hce_notify_done: 192.168.4.13 (recv_icmp: done)
host 192.168.4.12, check icmp (0ms), state up -> down, availability 0.00%
hce_notify_done: 192.168.4.11 (recv_icmp: done)
hce_notify_done: 192.168.4.13 (recv_icmp: done)
enable_host: enabled host 4
hce_notify_done: 192.168.4.11 (recv_icmp: done)
hce_notify_done: 192.168.4.12 (recv_icmp: done)
host 192.168.4.12, check icmp (0ms), state unknown -> up, availability
33.33%
pfe_dispatch_imsg: host 4 => 0
hce_notify_done: 192.168.4.13 (recv_icmp: done)
fatal: pfe_dispatch_imsg: desynchronized
host check engine exiting
check_child: lost child: pf update engine exited
socket relay engine exiting
socket relay engine exiting
socket relay engine exiting
socket relay engine exiting
socket relay engine exiting
terminating


and the relayctl:
--
[EMAIL PROTECTED]:~]# relayctl show summary
Id  TypeNameAvlblty Status
0   relay   web active
1   table   pruebas:80  active (3
hosts up)
5   host192.168.4.11100.00% up
4   host192.168.4.12100.00% up
3   host192.168.4.13100.00% up
[EMAIL PROTECTED]:~]# relayctl host disable 4
command succeeded
[EMAIL PROTECTED]:~]# relayctl show summary
Id  TypeNameAvlblty Status
0   relay   web active
1   table   pruebas:80  active (2
hosts up)
5   host192.168.4.11100.00% up
4   host192.168.4.12disabled
3   host192.168.4.13100.00% up
[EMAIL PROTECTED]:~]# relayctl host disable 4
command succeeded
[EMAIL PROTECTED]:~]# relayctl show summary
Id  TypeNameAvlblty Status
0   relay   web active
1   table   pruebas:80  active (2
hosts up)
5   host192.168.4.11100.00% up
4   host192.168.4.12disabled
3   host192.168.4.13100.00% up
[EMAIL PROTECTED]:~]# relayctl host enable 4
command succeeded
[EMAIL PROTECTED]:~]# relayctl show summary
Id  TypeNameAvlblty Status
0   relay   web active
1   table   pruebas:80

Re: NAT + IPsec problem

2008-11-06 Thread Vladimir

This is something I have struggled myself and don't have a good solution 
to. I actually asked a similar question to yours couple days ago :-(


http://marc.info/?l=openbsd-misc&m=122530349320838&w=2

Basically NATing stuff going through a VPN tunnel doesn't really work. I 
have followed the recipe from this post


http://fixunix.com/bsd/87865-nat-ipsec-openbsd-pf-isakmpd.html

however I was unsuccessful. I have currently resorted to using a HAproxy 
to proxy the traffic.



Vladimir

BARDOU Pierre wrote:

Hello,
 
I am trying to setup an IPsec connection.

Here is the ipsec.conf :
ike esp from 10.63.61.0/26 to 193.164.151.0/28 peer 193.164.151.35 \
   main auth hmac-sha1 enc aes-256 \
   quick auth hmac-sha1 enc aes-256 group modp1024 psk ""

Tunnels go up well :
flow esp in from 193.164.151.0/28 to 10.63.61.0/26 peer 193.164.151.35 srcid
212.99.28.26/32 dstid 10.3.2.2/32 type use
flow esp out from 10.63.61.0/26 to 193.164.151.0/28 peer 193.164.151.35
srcid 212.99.28.26/32 dstid 10.3.2.2/32 type require
esp tunnel from 193.164.151.35 to 212.99.28.26 spi 0x1fd5f292 auth hmac-sha1
enc aes
esp tunnel from 212.99.28.26 to 193.164.151.35 spi 0xa0b3fc57 auth hmac-sha1
enc aes

As my LAN is adressed using 10.31.0.0/16, I need to nat to 10.63.61.xxx
before the tunnel.
So I put this in my pf.conf :
nat from 10.31.30.1 to 193.164.151.1 -> 10.63.61.2

The problem is tha packets going from 10.31.30.1 to 193.164.151.1 don't go
through the tunnel, they are going to the internet.

Here is the pflog :
Nov 06 15:16:16.932324 rule 532/(match) pass in on bge0: 10.31.30.1 >
193.164.151.1: icmp: echo request
Nov 06 15:16:16.932362 rule 1/(match) block out on em0: 10.63.61.2 >
193.164.151.1: icmp: echo request

-> Packets are going out through em0 (my inet interface) instead of enc0

As pf doc says translation occurs before filtering, I don't understand why
pf can see my real adress (10.31.30.1).
And the most important : why outgoing packets -with "good" adresses- don't
go through the tunnel ? 
Have I misconfigured something ?


Thank you for your help

--
Cordialement,
 
Pierre BARDOU

CSIM - Bureau 012
 
Midi PyrC)nC)es Informatique HospitaliC(re

12 rue Michel Labrousse
BP93668
F-31036 Toulouse CEDEX 1
 
TC)l : 05 67 31 90 84

Fax : 05 34 61 51 00
Mail : [EMAIL PROTECTED]

NATing traffic going into the ipsec tunnel

2008-10-29 Thread Vladimir

We need to connect to a vendor's network over VPN however they are 
telling us we need to NAT all the traffic going to their network. They 
also want publicly addressable IPs as the NATed address (go figure). I 
have read extensively and looked at manuals but can't quite get it working


Set up is as follows

1.1.1.1 -> My network VPN endpoint
1.1.1.100 -> My NAT address (I took it off the $ext_if)

2.2.2.1 -> Vendor Network VPN endpoint
2.2.2.100 -> Vendor NAT address

Vendor is running a TCP service on 2.2.2.100:5000 that I am trying to 
access from my network.


I have set up a VPN tunnel which seems to be in place e.g. doing netstat 
-nr shows this


Encap:
Source Port  DestinationPort  Proto 
SA(Address/Proto/Type/Direction)

2.2.2.100/32   0 1.1.1.100/320 0 2.2.2.1/esp/use/in
1.1.1.100/32   0 2.2.2.100/32 0 0 
2.2.2.1/esp/require/out


Then per instructions in following document I did

http://fixunix.com/bsd/87865-nat-ipsec-openbsd-pf-isakmpd.html

ifconfig lo1 1.1.1.100/32
route add 2.2.2.100/32 1.1.1.100

If I do that I can ping Vendor NAT address from the firewall itself but 
telnetting to port 2.2.2.100:5000 never connects.


Then I added

nat on lo1 from 10.0.8.0/24 to 2.2.2.100 -> 1.1.1.100

If I then try to ping 2.2.2.100 from e.g. 10.0.8.101 I get

From 10.0.8.254 icmp_seq=1 Time to live exceeded

If I try to telnet to 2.2.2.100:5000 I get

# telnet 2.2.2.100 5000
Trying 2.2.2.100...
telnet: connect to address 2.2.2.100: No route to host
telnet: Unable to connect to remote host: No route to host

If I try to sniff on lo1 I get

> tcpdump -vvv -i lo1
tcpdump: listening on lo1, link-type LOOP
13:14:40.279954 10.0.8.101.55173 > 2.2.2.100.3128: S [tcp sum ok] 
4262188680:4262188680(0) win 5840 0,nop,wscale 7> (DF) [tos 0x10] (ttl 63, id 3738, len 60)
13:14:40.279982 10.0.8.101.55173 > 2.2.2.100.3128: S [tcp sum ok] 
4262188680:4262188680(0) win 5840 0,nop,wscale 7> (DF) [tos 0x10] (ttl 62, id 21751, len 60)
13:14:40.279993 10.0.8.101.55173 > 2.2.2.100.3128: S [tcp sum ok] 
4262188680:4262188680(0) win 5840 0,nop,wscale 7> (DF) [tos 0x10] (ttl 61, id 29876, len 60)


I even tried assigning the 1.1.1.100 enc0 interface which enables me to 
connect to 2.2.2.100:5000 from the firewall but nat over enc0 doesn't work.


I would appreciate any help.

Thanks,


Vladimir

Re: azalia -- no sound on CURRENT

2008-10-24 Thread Vladimir Kirillov

On 00:57 Fri 24 Oct, Aaron Stellman wrote:
> Hello misc@,
> Compiled freshly checked out -current from 10/23/08 -- no sound.
> Looked through mixerctl and audioctl outputs, didn't find anything
> interesting.
> Downgraded azalia_codec.c to 1.49
>azalia.h to 1.15
>azalia.c to 1.55
> recompiled kernel -- sound works again.
> If needed, I could track down exact revision that causes the problem.
> Here's dmesg, GAMMA = GENERIC.MP + NTFS

Hi!
Show us the outputs of mixerctl -va and audioctl too please,

-- 
Vladimir Kirillov
http://darkproger.net

Re: uvm_mapent_alloc

2008-10-13 Thread Vladimir Kirillov

On 10:18 Mon 13 Oct, Artur Grabowski wrote:
> Wow. I'm impressed. So if I mailed you a random diff that you don't
> understand you'd happily apply it without having a single clue about
> what the diff does and who sent it?
> 
> Cool. Can I have your money and business without going through that
> hassle? Can't be bothered to make a malicious diff right now,
> haven't had coffee yet.

Whoops, sorry for just mailing the random diff, did it because one
familiar guy had the same problem on 4.3 and updating to current after
this uvm-related commit got into tree did the trick (probably getting to
-current could be the only right answer, not just playing with diffs)

My bad.

-- 
Vladimir Kirillov
http://darkproger.net

Re: uvm_mapent_alloc

2008-10-10 Thread Vladimir Kirillov

On 19:25 Fri 10 Oct, Beavis wrote:
> Vladimir,
> 
> Sorry to bother you but I tried to apply the patch on uvm_map.c
> 
> i copied the patch you gave me here and run
> 
> patch -p0 < uvm_map.patch
> 
> I get some rej. files. any pointers or help will be greatly
> appreciated from anyone.

or probably copy the diff to sys/uvm/ and apply it there...

-- 
Vladimir Kirillov
http://darkproger.net

Re: uvm_mapent_alloc

2008-10-10 Thread Vladimir Kirillov

On 19:25 Fri 10 Oct, Beavis wrote:
> Vladimir,
> 
> Sorry to bother you but I tried to apply the patch on uvm_map.c
> 
> i copied the patch you gave me here and run
> 
> patch -p0 < uvm_map.patch
> 
> I get some rej. files. any pointers or help will be greatly
> appreciated from anyone.
> 

you should do patch -p3 in /usr/src

but running -current might be better :)

-- 
Vladimir Kirillov
http://darkproger.net

Re: uvm_mapent_alloc

2008-10-10 Thread Vladimir Kirillov

On 14:44 Fri 10 Oct, Beavis wrote:
> thanks for the reply vladimir.
> 
> is it needed to upgrade my 4.3 stable to -current? isn't there a patch
> available for this?

The 4.3 uvm_map.c is 5 diffs far from this patch
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/uvm/uvm_map.c?r1=1.104#rev1.104
you can generate the diff yourself,
 cvs diff -r1.99 -r1.104 uvm_map.c

or here:

Index: uvm_map.c
===
RCS file: /cvs/src/sys/uvm/uvm_map.c,v
retrieving revision 1.99
retrieving revision 1.104
diff -u -p -r1.99 -r1.104
--- uvm_map.c   15 Sep 2007 10:10:37 -  1.99
+++ uvm_map.c   23 Sep 2008 13:25:46 -  1.104
@@ -1,4 +1,4 @@
-/* $OpenBSD: uvm_map.c,v 1.99 2007/09/15 10:10:37 martin Exp $ */
+/* $OpenBSD: uvm_map.c,v 1.104 2008/09/23 13:25:46 art Exp $   */
 /* $NetBSD: uvm_map.c,v 1.86 2000/11/27 08:40:03 chs Exp $ */
 
 /* 
@@ -98,6 +98,7 @@ static struct timeval uvm_kmapent_last_w
 static struct timeval uvm_kmapent_warn_rate = { 10, 0 };
 
 struct uvm_cnt uvm_map_call, map_backmerge, map_forwmerge;
+struct uvm_cnt map_nousermerge;
 struct uvm_cnt uvm_mlk_call, uvm_mlk_hint;
 const char vmmapbsy[] = "vmmapbsy";
 
@@ -538,6 +539,7 @@ uvm_map_init(void)
UVMCNT_INIT(map_backmerge, UVMCNT_CNT, 0, "# uvm_map() back merges", 0);
UVMCNT_INIT(map_forwmerge, UVMCNT_CNT, 0, "# uvm_map() missed forward",
0);
+   UVMCNT_INIT(map_nousermerge, UVMCNT_CNT, 0, "# back merges skipped", 0);
UVMCNT_INIT(uvm_mlk_call,  UVMCNT_CNT, 0, "# map lookup calls", 0);
UVMCNT_INIT(uvm_mlk_hint,  UVMCNT_CNT, 0, "# map lookup hint hits", 0);
 
@@ -726,6 +728,8 @@ uvm_map_p(struct vm_map *map, vaddr_t *s
 
if ((map->flags & VM_MAP_INTRSAFE) == 0)
splassert(IPL_NONE);
+   else
+   splassert(IPL_VM);
 
/*
 * step 0: sanity check of protection code
@@ -832,6 +836,15 @@ uvm_map_p(struct vm_map *map, vaddr_t *s
goto step3;
}
 
+   /*
+* Only merge kernel mappings, but keep track
+* of how much we skipped.
+*/
+   if (map != kernel_map && map != kmem_map) {
+   UVMCNT_INCR(map_nousermerge);
+   goto step3;
+   }
+
if (prev_entry->aref.ar_amap) {
error = amap_extend(prev_entry, size);
if (error) {
@@ -897,6 +910,8 @@ step3:
if ((flags & UVM_FLAG_OVERLAY) == 0)
new_entry->etype |= UVM_ET_NEEDSCOPY;
}
+   if (flags & UVM_FLAG_HOLE)
+   new_entry->etype |= UVM_ET_HOLE;
 
new_entry->protection = prot;
new_entry->max_protection = maxprot;
@@ -1098,6 +1113,45 @@ uvm_map_spacefits(struct vm_map *map, va
 }
 
 /*
+ * uvm_map_pie: return a random load address for a PIE executable
+ * properly aligned.
+ */
+
+#ifndef VM_PIE_MAX_ADDR
+#define VM_PIE_MAX_ADDR (VM_MAXUSER_ADDRESS / 4)
+#endif
+
+#ifndef VM_PIE_MIN_ADDR
+#define VM_PIE_MIN_ADDR VM_MIN_ADDRESS
+#endif
+
+#ifndef VM_PIE_MIN_ALIGN
+#define VM_PIE_MIN_ALIGN PAGE_SIZE
+#endif
+
+vaddr_t
+uvm_map_pie(vaddr_t align)
+{
+   vaddr_t addr, space, min;
+
+   align = MAX(align, VM_PIE_MIN_ALIGN);
+
+   /* round up to next alignment */
+   min = (VM_PIE_MIN_ADDR + align - 1) & ~(align - 1);
+
+   if (align >= VM_PIE_MAX_ADDR || min >= VM_PIE_MAX_ADDR)
+   return (align);
+
+   space = (VM_PIE_MAX_ADDR - min) / align;
+   space = MIN(space, (u_int32_t)-1);
+
+   addr = (vaddr_t)arc4random_uniform((u_int32_t)space) * align;
+   addr += min;
+
+   return (addr);
+}
+
+/*
  * uvm_map_hint: return the beginning of the best area suitable for
  * creating a new mapping with "prot" protection.
  */
@@ -1385,6 +1439,8 @@ uvm_unmap_remove(struct vm_map *map, vad
 
if ((map->flags & VM_MAP_INTRSAFE) == 0)
splassert(IPL_NONE);
+   else
+   splassert(IPL_VM);
 
/*
 * find first entry
@@ -1451,7 +1507,9 @@ uvm_unmap_remove(struct vm_map *map, vad
 * special case: handle mappings to anonymous kernel objects.
 * we want to free these pages right away...
 */
-   if (map->flags & VM_MAP_INTRSAFE) {
+   if (UVM_ET_ISHOLE(entry)) {
+   /* nothing to do! */
+   } else if (map->flags & VM_MAP_INTRSAFE) {
uvm_km_pgremove_intrsafe(entry->start, entry->end);
pmap_kremove(entry->start, len);
} else if (UVM_ET_ISOBJ(entry) &&
@@ -3697,9 +3755,8 @@ uvm_object_printit(uobj, full, pr)
 
 sta

Re: uvm_mapent_alloc

2008-10-10 Thread Vladimir Kirillov

On 13:42 Fri 10 Oct, Beavis wrote:
> Greetings,
> 
>I currently have a 4.3 running a modified kernel (disabled ACPI and
> APM because they hang on my HS20 Blade) I'm receiving the following
> Error:
> 
> uvm_mapent_alloc: out of static map entries
> 
> 
> Is there a way for me to adjust this through sysctl?
> 
> 
> 
> any help will be greatly appreciated. I run webservers on this box.
> 
> 

looks like this is fixed in -current, see
http://article.gmane.org/gmane.os.openbsd.cvs/79457

-- 
Vladimir Kirillov
http://darkproger.net

Re: microphone input for azalia?

2008-10-09 Thread Vladimir Kirillov

On 18:16 Thu 02 Oct, Alexandre Ratchov wrote:
> there seems to be a problem with the driver (afaik it should select
> other usable parameters instead of failing)

By the way, now this problem may be solved by these azalia(4) patches:
http://article.gmane.org/gmane.os.openbsd.tech/15986

they do work for me.

-- 
Vladimir Kirillov
http://darkproger.net

Re: Macbook Pro Bluetooth

2008-10-07 Thread Vladimir Kirillov

On 22:47 Tue 07 Oct, Aaron W. Hsu wrote:
> Hello,
> 
> Can anyone tell me whether the Macbook Pro's USB Bluetooth Adaptor is 
> supported? I get the following line from my dmesg:
> 
> ugen0 at uhub0 port 4 "Apple Computer Bluetooth" rev 2.00/0.0b addr 2
> 
> Unfortunately, I don't see any ubt device, even though I have enabled 
> it in my kernel. 
> 
> If the usb adaptor is not supported, what bluetooth adaptors are 
> supported? Does anyone have any recommendations?
> 
>   Aaron Hsu
> 

Which kernel are you using?
GENERIC has bluetooth disabled.

-- 
Vladimir Kirillov
http://darkproger.net

Re: Azalia configured but no audio

2008-10-05 Thread Vladimir Kirillov

On 14:45 Sun 05 Oct, Jairo Souto wrote:
> outputs.headphones.mute=off
> outputs.headphones.dir=output
> outputs.headphones.boos=off
> outputs.headphones.eapd=off
> outputs.speaker3.mute=off
> outputs.speaker3.dir=output
> outputs.speaker3.boost=off
> outputs.speaker3.eapd=off
> outputs.speaker4.mute=off

try these:
outputs.speaker3.eapd=on
outputs.headphones.eapd=on

they worked for me.

-- 
Vladimir Kirillov

Re: microphone input for azalia?

2008-10-02 Thread Vladimir Kirillov

On 16:37 Thu 02 Oct, Jacob Meuser wrote:
> hmm, you did
> 
> $ aucat -o file.raw
> $ aucat -i file.raw
> 
> and the sound played at the wrong rate?  try
> 
> $ aucat -R 48000 -o file.raw
> $ aucat -r 48000 -i file.raw
> 

didn't work for me.

-- 
Vladimir Kirillov

Re: microphone input for azalia?

2008-10-02 Thread Vladimir Kirillov

On 18:16 Thu 02 Oct, Alexandre Ratchov wrote:
> 
> there seems to be a problem with the driver (afaik it should select
> other usable parameters instead of failing)
> 
> you can workaround this by forcing it to use 44.1kHz, while
> resampling 22kHz -> 44.1kHz, as follows:
> 
>   aucat -r 22000 -i file.raw -u -R 44100
> 
aucat -r 8000 -i file.raw -u -R 44100
(i was recording with aucat -o file.raw)

this did the trick for me, i managed to hear what i say but it was also
very loud noise from the speakers, and the volume of noise depends on
how low the rate it (no noise on -r 44100 at all)


-- 
Vladimir Kirillov

Re: microphone input for azalia?

2008-10-02 Thread Vladimir Kirillov

On 14:31 Thu 02 Oct, Jacob Meuser wrote:
> > inputs.mic=127,127
> probably need to raise this to 255

Tried it,

> > inputs.sel.source=mic
> 
> what other sources are available?  use `mixerctl -v' to see the
> options.

inputs.sel.source=mic  [ mic speaker5 speaker6 speaker7 speaker3 headphones 
speaker ]

> > inputs.sel2.source=speaker3
> what other sources are available?  `mixerctl -v'
inputs.sel2.source=headphones  [ mic speaker5 speaker6 speaker7 speaker3 
headphones speaker2 ]
(same as inputs.sel.source)

> > inputs.usingdac=02
> > record.usingadc=07
> 
> do you have `08' as a choice here?  if I'm reading the datasheet right,
> inputs.sel corresponds to one of adc 07 or 08, inputs.sel2 corresponds
> to the other.  anyway, I'd wait to try fiddling with this last.
> raise the amp outputs first, check the sources, and if that fails,
> try a different adc.

I tried to play with it too, but it gave no effect.
BUT:

i played with mixerctl a little more:

inputs.mic: 127,127 -> 254,254
inputs.sel.source: headphones -> mic

and managed to record the sound, but the playback of it was too fast, i
could not hear any words (the 5-seconds record was played for ~0.7 sec).

i also could not lower the rate of playback:

$ aucat -r 22000 -i file.raw
/dev/audio: can't set audio params to s16le,0:1,22000Hz: Invalid
argument


-- 
Vladimir Kirillov

microphone input for azalia?

2008-10-02 Thread Vladimir Kirillov

Hi everyone!

I've been trying to record some sound using the microphone, but i failed.
azalia(4) manual has nothing about recording, unfortunately.
I played with aucat -i/-o to play record sound, but the result
file remained silent.

Is it possible to record sound right now?..
Thanks, in advance.

PS:
here is some information:

$ dmesg | grep azalia
azalia0 at pci0 dev 27 function 0 "Intel 82801H HD Audio" rev 0x03: apic 2 int 
22 (irq 10)
azalia0: codec[s]: Realtek/0x0268
audio0 at azalia0

$ mixerctl 
inputs.dac=192,192
inputs.dac2=126,126
inputs.mix.dac.mute=off
inputs.mix2.dac.mute=off
inputs.mix2.speaker8.m=off
inputs.mix3.dac2.mute=off
inputs.mix3.speaker8.m=off
inputs.mix3.dac.mute=off
outputs.speaker3.mute=off
outputs.speaker3.dir=output
outputs.speaker3.boost=off
outputs.speaker3.eapd=on
outputs.headphones.mute=on
outputs.headphones.dir=output
outputs.headphones.boos=off
outputs.headphones.eapd=on
outputs.speaker4.mute=off
outputs.mic.mute=off
inputs.mic=127,127
outputs.mic.dir=input
inputs.speaker5=127,127
outputs.speaker6.mute=off
inputs.speaker6=127,127
outputs.speaker6.dir=output
inputs.sel.source=mic
outputs.sel.mute=off
outputs.sel=120,120
inputs.sel2.source=speaker3
outputs.sel2.mute=off
outputs.sel2=120,120
inputs.usingdac=02
record.usingadc=07

$ audioctl
name=HD-Audio
version=1.0
config=azalia0
encodings=slinear_le:16,slinear_le:16
properties=full_duplex,independent
full_duplex=0
fullduplex=0
blocksize=8704
hiwat=7
lowat=5
output_muted=0
monitor_gain=0
mode=play
play.rate=44100
play.channels=2
play.precision=16
play.encoding=slinear_le
play.gain=192
play.balance=32
play.port=0x0
play.avail_ports=0x0
play.seek=52224
play.samples=5004800
play.eof=0
play.pause=0
play.error=0
play.waiting=0
play.open=1
play.active=1
play.buffer_size=65536
play.block_size=8704
play.errors=0
record.rate=44100
record.channels=2
record.precision=16
record.encoding=slinear_le
record.gain=127
record.balance=32
record.port=0x0
record.avail_ports=0x0
record.seek=0
record.samples=0
record.eof=0
record.pause=0
record.error=0
record.waiting=0
record.open=0
record.active=0
record.buffer_size=65536
record.block_size=8704
record.errors=0


-- 
Vladimir Kirillov

Re: alix help

2008-09-21 Thread Vladimir Kirillov

On 12:55 Sun 21 Sep, [EMAIL PROTECTED] wrote:
> /etc/boot.conf:
> set tty com0
> stty com0 38400

I think it's better to set com speed _before_ setting com0 as tty, it
can start throwing garbage into console, as it was spectated on soekris
net4801:

stty com0 38400
set tty com0

...

-- 
Vladimir Kirillov

Re: "suspend" command - curious of function

2008-09-19 Thread Vladimir Kirillov

On 16:40 Fri 19 Sep, Brian Drain wrote:
> What does the "suspend" command do?  I cannot find a man page on it, or
> entry in the FAQ, or anything useful in the mailing list archives or
> google (seems most deal with laptop suspend/restore).. When I type
> suspend at the cmd line, it drops me past the command line.  Can't ^C or
> ^Z or anything out of it.  Does it have a purpose?  This is being run
> from an i386 desktop and I have no real need for it, just curious about
> it's function.
> 

hi!

Looks like it's shell-related job control function, it is nothing
related to an OS.

in ksh(1) it is an alias:
suspend='kill -STOP $$'

for bash(1) it looks like this:
suspend [-f]
  Suspend  the  execution  of  this  shell  until  it
  receives  a SIGCONT signal.  The -f option says not
  to complain if this is a login shell; just  suspend
  anyway.  The return status is 0 unless the shell is
  a login shell and -f is not  supplied,  or  if  job
  control is not enabled.

-- 
Vladimir Kirillov

Re: Does OpenBSD have adjustkernel?

2008-09-14 Thread Vladimir Kirillov

On 15:37 Sun 14 Sep, Ling Xiaoheng wrote:
> Hey,guys:
> 
> In NetBSD its have adjustkernel perl script can custom your kernel
> configuration file,how about OpenBSD?
> I custom my OpenBSD kernel configuration and rebuild it,but in the
> dmesg I found
> 
> OpenBSD 4.2 (GENERIC) #375: Tue Aug 28 10:38:44 MDT 2007
> [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
> 
> I rename my configuration file to OpenBSD,but in dmesg its also
> GENERIC,how can I change it?
> 
> 

Hi!

Try reading OpenBSD FAQ about compiling and read config(8)

--
Vladimir Kirillov

Re: 2200 MHz on a 2.00GHz

2008-09-02 Thread Vladimir Kirillov

47:14
rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 2
uhci2 at pci0 dev 29 function 0 "Intel 82801H USB" rev 0x03: apic 2 int 23 (irq 
10)
uhci3 at pci0 dev 29 function 1 "Intel 82801H USB" rev 0x03: apic 2 int 19 (irq 
11)
uhci4 at pci0 dev 29 function 2 "Intel 82801H USB" rev 0x03: apic 2 int 18 (irq 
10)
ehci1 at pci0 dev 29 function 7 "Intel 82801H USB" rev 0x03: apic 2 int 23 (irq 
10)
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb3 at pci0 dev 30 function 0 "Intel 82801BAM Hub-to-PCI" rev 0xf3
pci4 at ppb3 bus 8
"O2 Micro Firewire" rev 0x02 at pci4 dev 5 function 0 not configured
sdhc0 at pci4 dev 5 function 2 "O2 Micro OZ711MP1 SDHC" rev 0x02: apic 2 int 22 
(irq 10)
sdmmc0 at sdhc0
"O2 Micro OZ711MP1 XDHC" rev 0x01 at pci4 dev 5 function 3 not configured
ichpcib0 at pci0 dev 31 function 0 "Intel 82801HBM LPC" rev 0x03: PM disabled
pciide0 at pci0 dev 31 function 1 "Intel 82801HBM IDE" rev 0x03: DMA, channel 0 
configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets, initiator 7
cd0 at scsibus0 targ 0 lun 0:  ATAPI 5/cdrom 
removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
ahci0 at pci0 dev 31 function 2 "Intel 82801HBM AHCI" rev 0x03: apic 2 int 18 
(irq 10), AHCI 1.1
ahci0: PHY offline on port 1
ahci0: PHY offline on port 2
scsibus1 at ahci0: 32 targets, initiator 32
sd0 at scsibus1 targ 0 lun 0:  SCSI3 0/direct fixed
sd0: 152627MB, 512 bytes/sec, 312581808 sec total
ichiic0 at pci0 dev 31 function 3 "Intel 82801H SMBus" rev 0x03: apic 2 int 18 
(irq 10)
iic0 at ichiic0
spdmem0 at iic0 addr 0x50: 1GB DDR2 SDRAM non-parity PC2-5300CL5 SO-DIMM
spdmem1 at iic0 addr 0x52: 1GB DDR2 SDRAM non-parity PC2-5300CL5 SO-DIMM
usb2 at uhci0: USB revision 1.0
uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb3 at uhci1: USB revision 1.0
uhub3 at usb3 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb4 at uhci2: USB revision 1.0
uhub4 at usb4 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb5 at uhci3: USB revision 1.0
uhub5 at usb5 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb6 at uhci4: USB revision 1.0
uhub6 at usb6 "Intel UHCI root hub" rev 1.00/1.00 addr 1
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
mtrr: Pentium Pro MTRR support
softraid0 at root
root on sd0a swap on sd0b dump on sd0b
kqemu: kqemu version 0x00010300 loaded, max locked mem=1043660kB
DDB symbols added: 188320 bytes


--
Vladimir Kirillov
http://darkproger.net

ponuda za posao

2008-01-09 Thread vladimir

Potovani
U prolici smo  da Vam ponudimo najnoviju mogicnost zarade.
Uskoro na naim prostorima pocinje da radi "Lyoness"
Na vrijeme zauzmite svoje mjesto u ovom perspektivnom poslu.
Uclanjenje je potpuno besplatno-nita ne rizikujete.
Informiite se http://lyonesszarada.50webs.com

Re: Internal loadbalancing

2007-10-21 Thread Vladimir


dane johansen wrote:

Probably you run into this situation:

client (10.0.5.233 <http://10.0.5.233>) -> firewall (10.0.5.200 
<http://10.0.5.200>) -> rdr -> server (10.0.5.81 <http://10.0.5.81>)


No servers see's that packet came in from the same subnet and goes 
directly to the client which does not expect reply from 10.0.5.81 
<http://10.0.5.81> it expects reply from 10.0.5.200 <http://10.0.5.200>.


You may want to read this:

http://www.openbsd.org/faq/pf/rdr.html#reflect



I figured out what the problem  is/was and the document you referenced 
helped me figure it out.


Basically my network is something like this


Internet   <--> ext_if <--> Machine <-->  vlan1/carp1 ( 10.0.1.0/24)
  |
   vlan50/carp50 ( 10.0.5.0/24)

I was basically trying to get clients from vlan1 to load balance across 
machines on vlan50. Initially I had


rdr pass on vlan50 proto tcp to 10.0.5.200 port $ports_web -> 10.0.5.81

This doesn't work since traffic destined from 10.0.1.0 never hits 
interface vlan50. I had to put a rdr on the interface traffic was coming 
in from e.g. vlan1 so the correct working configuration is


rdr pass on vlan1 proto tcp to 10.0.5.200 port $ports_web -> 10.0.5.81

Thanks,

Vladimir

Re: CARP devices do not see IP broadcasts #2

2007-10-17 Thread Vladimir


Heinrich Rebehn wrote:

I tried this again on real hardware - same result.

Is this expected behavior?
I assume there are PF rules you need to write up. Also DHCP broadcasts 
to 255.255.255.255 which will likely be handled by $ext_if so you have 
to somehow "attach" it to the carp interface. Googling this may help you


http://archives.neohapsis.com/archives/openbsd/2006-10/1206.html

Vladimir


In order to get familiar with CARP, i have set up a playground with 3 
machines under vmware. I noticed that the CARP devices do not see any 
IP broadcasts, so this would make CARP unusable for a DHCP server or 
anything else that needs to respond to IP broadcasts.


Is this expected behavior or may this be just a vmware anomaly?
(Yes, i did chmod 666 /dev/vmnet*)

I did not see anything about this in the docs.

Attached is the ifconfig output of one CARP machine plus its dmesg.
--

Heinrich Rebehn

University of Bremen
Physics / Electrical and Electronics Engineering
- Department of Telecommunications -

Phone : +49/421/218-4664
Fax   :-3341
lo0: flags=8049 mtu 33208
groups: lo
inet 127.0.0.1 netmask 0xff00
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
pcn0: 
flags=8b43 
mtu 1500

lladdr 00:0c:29:b9:64:69
media: Ethernet autoselect (autoselect)
inet6 fe80::20c:29ff:feb9:6469%pcn0 prefixlen 64 scopeid 0x1
enc0: flags=0<> mtu 1536
vlan0: flags=8943 mtu 
1496

lladdr 00:0c:29:b9:64:69
vlan: 10 priority: 0 parent interface: pcn0
groups: vlan
inet6 fe80::20c:29ff:feb9:6469%vlan0 prefixlen 64 scopeid 0x4
vlan1: flags=8943 mtu 
1496

lladdr 00:0c:29:b9:64:69
vlan: 11 priority: 0 parent interface: pcn0
groups: vlan
inet6 fe80::20c:29ff:feb9:6469%vlan1 prefixlen 64 scopeid 0x5
carp0: flags=8843 mtu 1500
lladdr 00:00:5e:00:01:0a
carp: MASTER carpdev vlan0 vhid 10 advbase 1 advskew 1
groups: carp
inet6 fe80::200:5eff:fe00:10a%carp0 prefixlen 64 scopeid 0x6
inet 134.102.176.170 netmask 0xff00 broadcast 134.102.176.255
carp1: flags=8843 mtu 1500
lladdr 00:00:5e:00:01:0b
carp: MASTER carpdev vlan1 vhid 11 advbase 1 advskew 1
groups: carp
inet6 fe80::200:5eff:fe00:10b%carp1 prefixlen 64 scopeid 0x7
inet 192.168.1.100 netmask 0xff00 broadcast 192.168.1.255
OpenBSD 4.2 (GENERIC) #1: Fri Sep 14 12:22:31 CEST 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: AMD Athlon(tm) 64 X2 Dual Core Processor 4400+ ("AuthenticAMD" 
686-class, 1024KB L2 cache) 2.32 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3 


cpu0: AMD erratum 89 present, BIOS upgrade may be required
real mem  = 267939840 (255MB)
avail mem = 251437056 (239MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 04/17/06, BIOS32 rev. 0 @ 
0xfd880, SMBIOS rev. 2.31 @ 0xe0010 (45 entries)

bios0: vendor Phoenix Technologies LTD version "6.00" date 04/17/2006
bios0: VMware, Inc. VMware Virtual Platform
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 30102 dobusy 0 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xfd880/0x780
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf30/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:07:0 ("Intel 82371FB ISA" rev 
0x00)

pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x1000 0xdc000/0x4000! 
0xe/0x4000!

cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x01
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x01
pci1 at ppb0 bus 1
piixpcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x08
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, 
channel 0 configured to compatibility, channel 1 configured to 
compatibility

wd0 at pciide0 channel 0 drive 0: 
wd0: 64-sector PIO, LBA, 1024MB, 2097152 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0:  
SCSI0 5/cdrom removable

cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
piixpm0 at pci0 dev 7 function 3 "Intel 82371AB Power" rev 0x08: 
SMBus disabled

vga1 at pci0 dev 15 function 0 "VMware Virtual SVGA II" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
bha3 at pci0 dev 16 function 0 "BusLogic MultiMaster" rev 0x01: irq 
11, BusLogic 9xxC SCSI

bha3: model BT-958, firmware 5.07B
bha3: sync, parity
scsibus1 at bha3: 8 targets
pcn0 at pci0 dev 17 function 0 "AMD 79c970 PCnet-PCI" rev 0x10, 
Am79c970A, rev 0: irq 9, address 00:0c:29:b9:64:69

isa0 at piixpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at p

Re: Internal loadbalancing

2007-10-16 Thread Vladimir


dane johansen wrote:

Probably you run into this situation:

client (10.0.5.233 <http://10.0.5.233>) -> firewall (10.0.5.200 
<http://10.0.5.200>) -> rdr -> server (10.0.5.81 <http://10.0.5.81>)


No servers see's that packet came in from the same subnet and goes 
directly to the client which does not expect reply from 10.0.5.81 
<http://10.0.5.81> it expects reply from 10.0.5.200 <http://10.0.5.200>.


You may want to read this:

http://www.openbsd.org/faq/pf/rdr.html#reflect


I obviously omitted the most pertinent information. My apologies.

client's IP is actually 10.0.1.50 coming from a different subnet so the 
path is really


client (10.0.1.50) -> firewall (10.0.1.1) -> firewall (10.0.5.200) ->  
rdr -> server (10.0.5.81 => gw is 10.0.5.1)




Vladimir

Internal loadbalancing

2007-10-16 Thread Vladimir

I have an existing firewall that already load balances our web server 
traffic from an external IP across two web servers that are on the 
internal network. I would like to set up "internal load balancing" since 
I have webservices internally I would like to provide to the rest of the 
cluster. These services should not be exposed to the external world. So 
for such a purpose I added an alias to an existing carp interface for 
10.0.5.200


carp50: flags=8843 mtu 1500
   lladdr 00:00:5e:00:01:96
   carp: MASTER carpdev vlan50 vhid 150 advbase 1 advskew 100
   groups: carp
   inet6 fe80::200:5eff:fe00:196%carp50 prefixlen 64 scopeid 0x10
   inet 10.0.5.1 netmask 0xff00 broadcast 10.0.5.255
   inet 10.0.5.200 netmask 0xff00 broadcast 10.0.5.255

I would like to "load balance" that traffic across two other web servers 
that are on e.g. 10.0.5.81 and 10.0.5.82. For the time being I added a 
following RDR rule


rdr pass on $if_local proto tcp to 10.0.5.200 port $ports_web -> 10.0.5.81

Unfortunately I can't connect to 10.0.5.200. For example if from another 
server on the network I do


$ telnet 10.0.5.81 80
Trying 10.0.5.81...
Connected to web1.local (10.0.5.81).
Escape character is '^]'.

However if I do

$ telnet 10.0.5.200 80
Trying 10.0.5.200...
telnet: connect to address 10.0.5.200: Connection refused
telnet: Unable to connect to remote host: Connection refused

Sniffing on carp50 shows no activity. I suppose there may be some 
"routing confusion" however I even tried setting up another totally 
different physical interface, created carp10 and IP 10.0.1.200 
redirecting to 10.0.5.81 with the same effect.


Any help would be appreciated.

Thanks,

Vladimir

Re: DHCP clients cannot connect to internet

2006-06-25 Thread vladimir plotnikov


Please provide output of:

#pfctl -s all

and

#sysctl net.inet.ip.forwarding

and your routing table:


On 6/25/06, FTP <[EMAIL PROTECTED]> wrote:

Hi there,

on a 3.9 newly installed box I started DHCPD. The clients do obtain an IP 
address but cannot go 'out' to the Internet.


--
Thank you.
Vladimir. Y. Plotnikov, http://www.smartwebco.com

Re: MySQL losts TCP connection.

2006-06-20 Thread vladimir plotnikov


Thank you, gays.
login.conf adapted and problem solved
(tested on mysqldump --all-databases >/dev/null)

MySQL losts TCP connection.

2006-06-20 Thread vladimir plotnikov


Hello!

I have installed OpenBSD 3.8 and MySQL server  4.0.24 (from ports)

From time to time (after high load) I got next - mysql drops connects

by TCP/IP (simple connection closed after telnet to port 3306) and
next in logs:
Few lines like
060620 14:51:06 [ERROR] /usr/local/libexec/mysqld: Can't find file: './tasktrack
er/mantis_news_table.frm' (errno: 9)

then, after I send HUP signal to mysqld process, I got next in error output:

Status information:

Current dir: /var/mysql/
Running threads: 2  Stack size: 196608
Current locks:
lock: 0x7ee75a24:

lock: 0x8bab9a24:

Then also a lot of locks (about 100 total locks listen)

and, finally, log ends width:
Key caches:
default
Buffer_size: 268435456
Block_size:   1024
Division_limit:100
Age_limit: 300
blocks used:  9524
not flushed: 0
w_requests:   3798
writes:   1898
r_requests: 346940
reads:2035


handler status:
read_key:   371358
read_next:  488795
read_rnd 14869
read_first:   2385
write:   34562
delete 341
update: 242660

Table status:
Opened tables:334
Open tables:  334
Open files:   664
Open streams:   0

Alarm status:
Active alarms:   2
Max used alarms: 61
Next alarm time: 28780



# cat /etc/sysctl.conf | grep -v "^#"
kern.maxfiles=2

#cat /etc/my.cnf |grep -v "^#"
[client]
port= 3306
socket  = /tmp/mysql.sock
[mysqld]
user = _mysql
open-files=2
set-variable = max_connections=300
set-variable = back_log=120
skip-locking
set-variable = key_buffer=256M
set-variable = max_allowed_packet=1M
set-variable = table_cache=512
set-variable = sort_buffer=1M
set-variable = record_buffer=1M
set-variable = myisam_sort_buffer_size=64M
set-variable = thread_cache=8
set-variable = thread_concurrency=2
log_slow_queries = slow_query.log
tmpdir = /tmp/
datadir = /var/mysql
[mysqldump]
quick
set-variable = max_allowed_packet=16M
[isamchk]
set-variable = key_buffer=128M
set-variable = sort_buffer=128M
set-variable = read_buffer=2M
set-variable = write_buffer=2M

[mysqlhotcopy]
interactive-timeout


Where is my error in configuration?
I tired to download and install fresh stable mysql-4 brach but I got
same result.
--
Thank you.
Vladimir. Y. Plotnikov,
http://www.smartwebco.com/

Dual home (IP + alias) gateway box and internal network

2006-05-09 Thread vladimir plotnikov


Hello!

I have small problem with dual homed gateway, below, tail of pf.ctl:
ext_if_a= "xl0"
ext_if_b= "xl0"
ext_gw_a= "aaa.bbb.ccc.ddd"
ext_gw_b= "zzz.xxx.ccc.vvv"

pass out route-to ($ext_if_a $ext_gw_a) from ($ext_if_a) \
   to !($ext_if_a:network) keep state
pass out route-to ($ext_if_b $ext_gw_b) from ($ext_if_b) \
   to !($ext_if_b:network) keep state

pass in reply-to ($ext_if_a $ext_gw_a) proto tcp flags S/SA tagged EXT_IF_A \
   keep state
pass in reply-to ($ext_if_b $ext_gw_b) proto tcp flags S/SA tagged EXT_IF_B \
   keep state

pass in reply-to ($ext_if_a $ext_gw_a) proto udp tagged EXT_IF_A \
   keep state
pass in reply-to ($ext_if_b $ext_gw_b) proto udp tagged EXT_IF_B \
   keep state


pass in on $ext_if_a reply-to ($ext_if_a $ext_gw_a) inet proto icmp \
   icmp-type echoreq code 0 keep state
pass in on $ext_if_a inet proto icmp from ($ext_if_a:network) \
   icmp-type echoreq code 0 keep state

pass in on $ext_if_b reply-to ($ext_if_b $ext_gw_b) inet proto icmp \
   icmp-type echoreq code 0 keep state
pass in on $ext_if_b inet proto icmp from ($ext_if_b:network) \
   icmp-type echoreq code 0 keep state

We attach both providers cables into one AT-8024 switch with same VLAN outlets.
So, I configure my interface at gateway for one IP address and one
alias address.
this host woring fine in both networks.

Then, I need to separate IP flow from internal network. Internal
network aslo, haves two small TCP network (/29) and one IP and alias
on every machine.

When I pass ping  from external hosts - all going fine.
When I try to telnet  22 - I got connection timed out.
But I see packets on external interface of my gateway.
Where I'm wrong?


--
Thank you.
Vladimir. Y. Plotnikov
http://www.smartwebco.com/

Source route with aliases.

2006-03-26 Thread vladimir plotnikov

Hello OpenBSD guru!

I just looking for solution for source route.
One interface connected to "smart" switch (network "A").
Second network ("B") from another ISP comes on _SAME_ UTP cable.
So, I can declare one main interface with default route (Network A).
But I need for leave another network (B) working (incoming traffic
only, but replies should pass to this network, of course).

What do think, it is possible, to use interface and alias for resolve
source routing?
No ways for create new one physical link for new one interface :-(.

--
Thank you.
Vladimir. Y. Plotnikov, http://www.smartwebco.com

Re: pf and ftp

2006-02-27 Thread vladimir plotnikov

Sorry, of course, this line exists in my config:

@4 pass in quick inet proto tcp from any to my.ip.address.com port =
ftp-data keep state
 [ Skip steps: i=44 d=50 f=44 p=44 sa=end sp=end da=12 ]
 [ queue: qname= qid=0 pqname= pqid=0 ]


On 2/27/06, edgarz <[EMAIL PROTECTED]> wrote:
> hi!
> you forgot port 20 (ftp-data)
>
>
> vladimir plotnikov wrote:
> > Hello!
> >
> > Sorry for stupid question.
> > part of pf.conf:
> > 
> > pass in on $ext_if proto tcp from any to any port 21 keep state
> > pass in on $ext_if proto tcp from any to any port > 49151  keep state
> > ...
> > block return-rst in log on $ext_if proto tcp all
> >
> >
> > Part of log file:
> > Feb 27 14:56:46.142988 rule 59/(match) block in on em0: a.b.c.d.54506
> >
> >>e.f.g.h.49887: [|tcp] (DF)
> >
> >
> > PF Debug output for rule #59:
> > @59 block return-rst in log on em0 proto tcp all
> >   [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
> >   [ queue: qname= qid=0 pqname= pqid=0 ]
> >
> > PF debug output for my FTP rule:
> > @48 pass in on em0 proto tcp from any to any port > 49151 keep state
> >   [ Skip steps: d=50 sa=end sp=end da=end ]
> >   [ queue: qname= qid=0 pqname= pqid=0 ]
> >
> > and rule #50:
> > @50 pass out all keep state
> >   [ Skip steps: f=end sa=end sp=end da=end ]
> >   [ queue: qname= qid=0 pqname= pqid=0 ]
> >
> >
> > sysctl:
> > net.inet.ip.porthifirst=49152
> > net.inet.ip.porthilast=65535
> >
> >
> > why I cannot establish FTP connection with host? where I wrong?
> >
> > same problem with udp/53:
> > pass in inet proto tcp from any to my.ip.address.com port = 53 keep
> > state #flags S/SA modulate state
> > block return-icmp in log on $ext_if proto udp all
> >
> > don't allows incoming connections from another host (dig server.name 
> > @this.host)
> >
> > thank you for help!
> >
> > --
> > Thank you.
> > Vladimir. Y. Plotnikov, http://www.smartwebco.com/  Cell Phone 
> > +420-774-311-015
> > ICQ: 24270826, skype ID: vladimirplotnikov
>


--
Thank you.
Vladimir. Y. Plotnikov, http://www.smartwebco.com/  Cell Phone +420-774-311-015
ICQ: 24270826, skype ID: vladimirplotnikov

pf and ftp

2006-02-27 Thread vladimir plotnikov

Hello!

Sorry for stupid question.
part of pf.conf:

pass in on $ext_if proto tcp from any to any port 21 keep state
pass in on $ext_if proto tcp from any to any port > 49151  keep state
...
block return-rst in log on $ext_if proto tcp all


Part of log file:
Feb 27 14:56:46.142988 rule 59/(match) block in on em0: a.b.c.d.54506
> e.f.g.h.49887: [|tcp] (DF)

PF Debug output for rule #59:
@59 block return-rst in log on em0 proto tcp all
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]

PF debug output for my FTP rule:
@48 pass in on em0 proto tcp from any to any port > 49151 keep state
  [ Skip steps: d=50 sa=end sp=end da=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]

and rule #50:
@50 pass out all keep state
  [ Skip steps: f=end sa=end sp=end da=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]


sysctl:
net.inet.ip.porthifirst=49152
net.inet.ip.porthilast=65535


why I cannot establish FTP connection with host? where I wrong?

same problem with udp/53:
pass in inet proto tcp from any to my.ip.address.com port = 53 keep
state #flags S/SA modulate state
block return-icmp in log on $ext_if proto udp all

don't allows incoming connections from another host (dig server.name @this.host)

thank you for help!

--
Thank you.
Vladimir. Y. Plotnikov, http://www.smartwebco.com/  Cell Phone +420-774-311-015
ICQ: 24270826, skype ID: vladimirplotnikov

Re: otherOS is to daemontools as openbsd is to ?

2006-02-26 Thread vladimir plotnikov

Hi!

Take look on FAQ pages: http://www.openbsd.org/faq/faq14.html#MountImage

On 2/26/06, Travis H. <[EMAIL PROTECTED]> wrote:
> Just curious, I recall hearing there was a clone of daemontools for
> OpenBSD, what was it called?
>
> TIA
> --
> Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
> GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484
>
>


--
Thank you.
Vladimir. Y. Plotnikov, http://www.smartwebco.com/. Cell Phone +420-774-311-015
ICQ: 24270826, skype ID: vladimirplotnikov

Promise PDC20378 and mirroring.

2005-12-30 Thread vladimir plotnikov

Hello!

As first: Happy coming New Year!

Does anybody know how I can use RAID Mirror on  PDC20378 card?

my configuration:
pci3 at ppb2 bus 3
pciide0 at pci3 dev 14 function 0 "Promise PDC20378" rev 0x02: DMA
wd0 at pciide0 channel 0 drive 0: 
wd0: 16-sector PIO, LBA48, 114473MB, 234441648 sectors
wd0(pciide0:0:0): using BIOS timings, Ultra-DMA mode 6
wd1 at pciide0 channel 1 drive 0: 
wd1: 16-sector PIO, LBA48, 114473MB, 234441648 sectors
wd1(pciide0:1:0): using BIOS timings, Ultra-DMA mode 6


on 1st drive few partitions with live data. We need to use mirror
feature for prevent data lost.

How we can setup hardware or software mirroring with leave 1st drive
live? without dump/restore ?


--
Thank you.
Vladimir. Y. Plotnikov, BasalPro + SmartWeb LTD. Cell Phone +420-774-311-015
ICQ: 24270826, skype ID: vladimirplotnikov

Re: CARP+Pfsync+Bind

2005-10-07 Thread Vladimir Potapov


Quoting ed <[EMAIL PROTECTED]>:


Zone transfers are on tcp/53, DNS lookups are 53/udp, so:

pass in on $ext_if proto udp from any to $DNS port 53 keep state

and if required:

pass in on $ext_if proto tcp from $ext_net to $DNS port 53 keep state

I use TinyDNS here, so we don't really need to transfer zones as its
handled with a single data file. CARP can be good with DNS.


Ok. This 2 servers DNS masters.
But if the one server will master(CARP master,not dns) and other CARP slave,
zones sends only from CARP master and I need some sync tool such as rsync to
syncing zones files between 2 master DNS servers(one master CARP and one slave
CARP)?
Or if I want to do load balancing with CARP, how it affect on BIND?

CARP+Pfsync+Bind

2005-10-06 Thread Vladimir Potapov

Hello everyone!

We have 1 server on which running firewall and DNS master service. And we
planned to install another server for load balancing and redudancy.
2 servers(each have running PF and BIND) will balancing load (or one will master
and other slave) for DNS and PF.
Does anyone protect DNS service via CARP and PFsync? Does it work? Whether there
can be problems(for example, with zones transfers, dns queries and other)?

58 matches

Mail list logo