How to correctly build php subpackages from ports?
When I try to build one or two subpackages for php 5.3 or 5.2, the system tries to build all available subpackages with their dependencies. How can I avoid this? I go to /usr/ports/lang/php/5.3 and

    make show=MULTI_PACKAGES

shows me the list of available options, and when I try to use

    env SUBPACKAGE=-fpm make install

the system builds all subpackages anyway. I was very puzzled by this behavior.
Re: install on softraid
I tried using dd with /dev/zero on wd0d and wd1d; it succeeded. But bioctl returns the same error: invalid metadata format.

10.04.2011 04:30, Marco Peereboom wrote:
> There is some garbage in the location where softraid looks for metadata. I got recently inspired to look at this because it looks like the force flag isn't always honored. For now do a couple of dd's from /dev/zero.
>
> On Sat, Apr 09, 2011 at 01:57:35PM +0300, irix wrote:
>> Also I tried to add wd0d and wd1d with the same command but the system returns the same error: invalid metadata format. Why is this error happening?
Re: install on softraid
Thanks Ted. Everything works fine now. Can I use the softraid 0+1 (RAID 10) discipline?
Re: install on softraid
Also I tried to add wd0d and wd1d with the same command but the system returns the same error: invalid metadata format. Why is this error happening?
install on softraid
Do you plan to rework the installer script to allow installing the system onto software RAID from it?
Re: install on softraid
When I try to build softraid0 during install with the command

    bioctl -c 1 -l /dev/wd0a,/dev/wd1a softraid0

the system returns "softraid0 invalid metadata format". How can I fix it?
Re: traffic management
Hello Misc,

All of a sudden you started talking about some fixes. Have I mentioned somewhere that something needs to be corrected, or that something is not working? I only talked about reworking it to simplify the code. ALTQ (alternate queueing) was initially conceived as a framework in which you can connect disciplines for development with minimal effort. With the existing code in the form of pf/altq, adding a new discipline is a daunting task: you need to add things in a heap of places to declare the new variables, and you need to finish the new syntax. I simply asked why not do with the altq code the same as was done with the nat/rdr and scrub code: remove it and greatly simplify. Or, as an option, make altq separate from the firewall.

--
Best regards,
irix mailto:i...@ukr.net
Re: traffic management
Hello Misc,

Ideally this would control altq in a similar way to the tc tool in Linux.

--
Best regards,
irix mailto:i...@ukr.net
traffic management
Hello Misc,

Are there any plans to change the traffic control system? For example, removing the altq code from pf and making a separate traffic management interface other than pf. Or replacing altq with something else that is faster, simpler and more functional. Or revising the existing traffic management system.

--
Best regards,
irix mailto:i...@ukr.net
Re: traffic management
Hello Misc,

But at least can you say why? No kidding.

> As we've told irix before, it will not happen.

--
Best regards,
irix mailto:i...@ukr.net
JoBS - altq prototype implementation
Hello Misc,

This algorithm (ALTQ_JOBS) allows extremely flexible control over traffic. Will it be ported into pf-based altq from the old altqd?

--
Best regards,
irix mailto:i...@ukr.net
tcp proxy
Hello Misc,

Has anyone come across a simple TCP proxy with bandwidth limiting and the possibility of setting parameters for each individual IP that works well on OpenBSD?

--
Best regards,
irix mailto:i...@ukr.net
Re: pf feature request
Hello Misc,

There have been a great number of disputes about shaping incoming flow. This function is a solution to that dispute; it implements what may be implemented according to the RFC. And you need it, for example, if you have a single FTP server and you want one of the IPs on it to not pull data faster than 2Mbit while all the others go at full speed (without tuning ftpd). Or you have a narrow channel, for example 128Kbit, and one SMTP server attempts to transmit a 200 megabyte e-mail to you, with all your inbound traffic taken up by that SMTP server; with this feature you can ask the remote server to send you the e-mail slower, so that the channel stays free and you can open an http page. In doing so no shaping and no queuing is organized, and no action is performed on the incoming traffic. This option applies only to TCP traffic, according to the RFC.

> Why? What's the use case?
>
> -HKS

--
Best regards,
irix mailto:i...@ukr.net
pf feature request
Hello Misc,

Maybe the public is interested in the idea of adding to pf a function that requests a slowdown of data transfer for the TCP protocol? The aim is to reduce the speed of the incoming flow without altq. This function is designed exclusively for the TCP protocol and must work within the RFC. Can I suggest an example rule:

    pass in on $ext_if proto tcp from $internet to any port ftp keep state tcprequester 5Mb

When an incoming TCP stream reaches 5Mbit, pf starts to ask the remote side to reduce speed. But at the same time no queues are built and no packets are discarded. pf only generates requests to reduce the speed of the sending party.

--
Best regards,
irix mailto:i...@ukr.net
Re: pf, altq, packet rate
Hello ,

And then you're going to add a dropper?

> we already do some mitigation for that in certain drivers.
>
> $ cd /sys/dev; grep MCLGETI pci/* ic/*
> pci/if_bge.c: MCLGETI(m, M_DONTWAIT, sc->arpcom.ac_if, MCLBYTES);
> pci/if_bge.c: MCLGETI(m, M_DONTWAIT, sc->arpcom.ac_if, BGE_JLEN);
> pci/if_bnx.c: MCLGETI(m, M_DONTWAIT, sc->arpcom.ac_if, MCLBYTES);
> pci/if_em.c: MCLGETI(m, M_DONTWAIT, sc->interface_data.ac_if, MCLBYTES);
> pci/if_iwn.c: MCLGETI(data->m, M_DONTWAIT, NULL, IWN_RBUF_SIZE);
> pci/if_iwn.c: MCLGETI(m1, M_DONTWAIT, NULL, IWN_RBUF_SIZE);
> pci/if_ix.c: MCLGETI(m, M_DONTWAIT, sc->arpcom.ac_if, size);
> pci/if_msk.c: MCLGETI(m, M_DONTWAIT, sc_if->arpcom.ac_if, sc_if->sk_pktlen);
> pci/if_sis.c: MCLGETI(m_new, M_DONTWAIT, sc->arpcom.ac_if, MCLBYTES);
> pci/if_sk.c: MCLGETI(m, M_DONTWAIT, sc_if->arpcom.ac_if, SK_JLEN);
> pci/if_vic.c: MCLGETI(m0, M_DONTWAIT, NULL, m->m_pkthdr.len);
> pci/if_vic.c: MCLGETI(m, M_DONTWAIT, sc->sc_ac.ac_if, pktlen);
> pci/if_wpi.c: MCLGETI(data->m, M_DONTWAIT, NULL, WPI_RBUF_SIZE);
> pci/if_wpi.c: MCLGETI(m1, M_DONTWAIT, NULL, WPI_RBUF_SIZE);
> ic/gem.c: MCLGETI(m, M_DONTWAIT, sc->sc_arpcom.ac_if, MCLBYTES);
> ic/hme.c: MCLGETI(m, M_DONTWAIT, sc->sc_arpcom.ac_if, MCLBYTES);

--
Best regards,
irix mailto:i...@ukr.net
Re: pf, altq, packet rate
Hello ,

Today I tried CDNR on NetBSD-5. It works fine. No complaints. Why people write that it does not work, I cannot even guess. I use it on NetBSD-2 and NetBSD-5. It works without reproach.

    interface pvc1
    conditioner pvc1 ef_cdnr tbmeter 6M 64K passdrop
    filter pvc1 ef_cdnr 0 0 172.16.4.176 0 0

> so, let's look at FreeBSD's manpage.
>
>     ALTQ_CDNR   Build the traffic conditioner. This option is meaningless at the moment as the conditioner is not used by any of the available disciplines or consumers.
>
> or a fairly recent NetBSD list post:
>
>     The input limiter absolutely doesn't work under NetBSD-3, it seems, and I've found some other posts on the web that seem to confirm this. [...] I have a NetBSD-4 build of this box, which is an embedded system, which I could deploy in this application, but it's not a trivial exercise to do so. So, I'm wondering if anyone has used and can report whether the input traffic conditioner actually works to limit traffic on input traffic under NetBSD-4. ...

--
Best regards,
irix mailto:i...@ukr.net
Re: pf, altq, packet rate
Hello ,

In addition, CDNR still has the three-color marker which, if slightly reworked, can give a different kind of dynamic shaper. A speed would be set for each color, and switching between the colors would be implemented through the traffic passed within time intervals. For example: 10Mb/always, 5Mb/10Gb (in 1 day), 1Mb/15Gb (in 2 days), flush 1 day (green, yellow, red) (reset counter), and an additional parameter discharging the counter, for example to reset the counter once per day.

--
Best regards,
irix mailto:i...@ukr.net
Re: pf, altq, packet rate
Hello ,

> But by dynamic queues I understand the creation of a large number of dynamic templates. For example, create a template for a queue with an indication of the speed, such as 512Kbit/s, and then create a template for the filter in which you can specify a subnet like 192.168.1.0/24; this template breaks the subnet into the desired number of rules, in this case 254, and under each rule a dynamic part of the 512Kbit/s template is created for each rule.

> On 2009-05-27, (private) HKS hks.priv...@gmail.com wrote:
>> What?

> If you want to throttle all your clients to, say, 512Kb/sec, you need a stack of separate queues, and a stack of match rules for them. You can set them up individually via pfctl/pf.conf but it's a bit messy, you'd probably want to do part of it via some script or preprocessor. (I think using a shell script to generate a file to include would be viable though). Real dynamic queues would be created and destroyed on-the-fly which could help it scale a bit further, but I don't know how useful it would be, the first thing that comes to mind is memory use, but each extra queue doesn't use _all_ that much from the pool unless it's actively in-use. There might be problems other than memory when using a huge number of queues, I don't know, never used more than a handful here... something for someone who has a big setup to look at and profile, really.

Similar shaper constructions are frequently used in ISP local area networks (in Russia, Ukraine), where one powerful computer can serve up to 6-7 thousand clients. These computers tend to use Linux or FreeBSD (with dummynet (real dynamic queues with src and dst masks :))). In such cases it is simply indispensable.

I found patches which allow you to add altq queues through pfctl (may be useful, and could be added to the main tree :) ) http://dinar.yantel.ru/patches/openbsd/merge/ And this patch removes altq when the interface is destroyed: http://dinar.yantel.ru/patches/openbsd/altq/patch_pf_if.c

--
Best regards,
irix mailto:i...@ukr.net
Re: pf, altq, packet rate
Hello Misc,

> since queueing only happens at output, that's going to be totally useless. it's not just a question of how altq distinguishes traffic, you're asking to totally change how altq works.

OK, I see. But I cannot understand why you are sure that traffic can only be shaped on output. You can say it's silly to try to shape traffic that has already arrived, but if it works, even if worse than outgoing (if only for TCP), it is not stupid, is it? Assume that you are right and traffic can be shaped only on output: for what purpose, then, has the ability to shape incoming traffic via CDNR been included in other projects (FreeBSD, Linux, NetBSD), including the original altqd? This is not a presentation of claims or anything else; I want to understand why you are so stubborn about it and do not want to see anything else.

> if you have some requirement for features that altq+pf doesn't have at the moment, you have a few choices:
> - use different software that already does what you want.
> - pay someone to code the features.
> - code the features yourself. (if you don't code, this will require learning how to do that first, obviously).

I did. But it pains me to see the obvious defects in my favorite system, and the complete indifference on the part of the developers to the obvious defects.

> but, unless you want to use altq on a server (rather than a router), there isn't really a problem with the queuing happening only on output. just give the queues on both interfaces the same name, then you can assign in both directions with a single rule. stupid example ruleset. not actually tested, but I have others like it, and it should be enough to give you the general idea.
>
> -- -- -- -- --
> altq on bge0 cbq bandwidth 4000Kb queue { normal, slow, fast }
> altq on vlan5 cbq bandwidth 2Kb queue { normal, slow, fast }
> altq on vlan9 cbq bandwidth 1000Kb queue { normal, slow, fast }
> queue normal bandwidth 40% priority 4 cbq(default borrow)
> queue slow bandwidth 10% priority 1
> queue fast bandwidth 50% priority 7
> pass
> pass in proto icmp queue (slow)
> pass in proto tcp to port 22 queue (fast)
> -- -- -- -- --
>
> (I think some people just look at a couple of example configs which use different queue names on interfaces and assume that it's necessary, but it isn't).

Thanks for this example. I did not know this. But by dynamic queues I understand the creation of a large number of dynamic templates. For example, create a template for a queue with an indication of the speed, such as 512Kbit/s, and then create a template for the filter in which you can specify a subnet like 192.168.1.0/24; this template breaks the subnet into the desired number of rules, in this case 254, and under each rule a dynamic part of the 512Kbit/s template is created for each rule.

--
Best regards,
irix mailto:i...@ukr.net
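As an added example (not from this thread, and not code from anyone quoted in it), here is the per-client queue stack described above, generated the way the reply suggests: a shell script that writes a file for pf.conf to include. It uses the same-queue-name-on-every-interface trick from the ruleset above, and its interface names (em0, vlan5), the subnet 192.168.1.0/24, 512Kb per host and the 200Mb link are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from the thread: the "script or preprocessor"
# approach for a stack of per-host queues. It expands one /24 into 254
# ALTQ cbq queues plus the pass rules that assign them, with identical
# queue names on every interface so one rule assigns traffic both ways.
# Interface names, subnet and bandwidths used below are constructed samples.

# gen_perhost_queues IFACES PREFIX24 HOST_BW LINK_BW
#   IFACES    space-separated interfaces that all get the same queue names
#   PREFIX24  first three octets of the /24, e.g. 192.168.1
#   HOST_BW   bandwidth of each host queue, e.g. 512Kb
#   LINK_BW   parent bandwidth; pfctl rejects the ruleset if the children
#             (254 x HOST_BW plus the default queue) add up to more than this
gen_perhost_queues() {
    ifaces=$1 prefix=$2 hostbw=$3 linkbw=$4

    # Child-queue list shared by every altq line: std, cl_1, ..., cl_254
    list=std
    h=1
    while [ "$h" -le 254 ]; do
        list="$list, cl_$h"
        h=$((h + 1))
    done

    # One altq line per interface with the same queue names on each, so a
    # state created by a rule on one side uses the same-named queue on the
    # other side when the packets leave.
    for ifn in $ifaces; do
        printf 'altq on %s cbq bandwidth %s queue { %s }\n' \
            "$ifn" "$linkbw" "$list"
    done

    # Default queue for anything not matched by a per-host rule.
    printf 'queue std bandwidth 1%% cbq(default)\n'

    # One queue per host address, each capped at HOST_BW.
    h=1
    while [ "$h" -le 254 ]; do
        printf 'queue cl_%d bandwidth %s\n' "$h" "$hostbw"
        h=$((h + 1))
    done

    # Assign each host to its queue, both for connections it opens and for
    # connections made to it; the state carries the queue for both directions.
    h=1
    while [ "$h" -le 254 ]; do
        printf 'pass from %s.%d queue cl_%d\n' "$prefix" "$h" "$h"
        printf 'pass to %s.%d queue cl_%d\n' "$prefix" "$h" "$h"
        h=$((h + 1))
    done
}

# Usage: sh gen_queues.sh "em0 vlan5" 192.168.1 512Kb 200Mb > /etc/pf.queues
# and then  include "/etc/pf.queues"  in pf.conf.
if [ $# -eq 4 ]; then
    gen_perhost_queues "$@"
fi
```

Check the generated file with pfctl -nf before loading it; with cbq the parent link bandwidth must cover the sum of all child queues or pfctl refuses the ruleset.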
Re: pf, altq, packet rate
Hello ,

> * irix i...@ukr.net [2009-05-27 18:12]:
>> But I cannot understand why you are sure that traffic can only be shaped on output
>
> i can not understand why you want to shape outlets. you don't understand that inbound shaping doesn't work because you have obviously no idea how the network stack works. there is no suitable queue inbound to do any queueing on. the ipintrq is way too early. so to do any inbound shaping you had to insert another queueing step, which is as clever as drinking water from the dead sea when you're thirsty. or maybe one could rape the ipintrq somehow. but i don't and won't rape.

By shaping the incoming traffic I mean a simple dropper without constructing queues. Everything above the specified speed is dropped until the flow becomes less than or equal to the specified speed. That is actually what CDNR does, which is left in arrears.

>> But it pains me to see the obvious defects in my favorite system,
>
> interestingly, in the 6 years since I did the altq/pf merge, you're the only one to see that obvious defect
>
>> and complete indifference on the part of developers to the obvious defects.
>
> obviously the developers have no clue about what they are doing, and the milestones they have to meet by the contract they have with you

Understood the joke. Funny.

--
Best regards,
irix mailto:i...@ukr.net
Re: pf, altq, packet rate
Hello Misc,

Maybe it would be better for someone to write a kind of pseudo device ifb (the Intermediate Functional Block device), like in Linux, so that altq can be cheated: redirect incoming traffic from the physical device (fxp0) to a device (ifb0) so that it passes through altq as if it were outgoing traffic, and on this device (ifb0) we could use the cbq or hfsc schedulers.

--
Best regards,
irix mailto:i...@ukr.net
Re: pf, altq, packet rate
Hello Misc,

Or maybe remove from altq the distinction between incoming and outgoing traffic, so that it could put both incoming and outgoing traffic into the queue.

--
Best regards,
irix mailto:i...@ukr.net
Re: pf, altq, packet rate
Hello Misc,

And will it be added to the main tree?

> * irix i...@ukr.net [2009-05-25 03:53]:
>> About adding some queue disciplines, I agree with you. But about the completion of porting CDNR, about dynamic queues and about packet rate limiting per state, your position is not clear. Why did CDNR porting freeze halfway? Why not bring it to the end?
>
> you are free to do it
>
> --
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services, http://bsws.de
> Full-Service ISP - Secure Hosting, Mail and DNS Services
> Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam

--
Best regards,
irix mailto:i...@ukr.net
Re: pf, altq, packet rate
Hello Misc,

Good, I understand your position, OK. I want to ask: will cbq be removed shortly? And when will pf.conf(5) be supplemented with more detail and examples on hfsc?

> 2009/5/25 irix i...@ukr.net:
>> And will it be added to the main tree?
>
> Let's see, no code, no mention of license, and no demonstration that it actually solves a/your problem. How can your question possibly be answered?
>
> Philip Guenther

--
Best regards,
irix mailto:i...@ukr.net
Re: pf, altq, packet rate
Hello Misc,

Where can I find the OpenBSD public roadmap?

> * irix i...@ukr.net [2009-05-25 23:04]:
>> I want to ask: will cbq be removed shortly? And when will pf.conf(5) be supplemented with more detail and examples on hfsc?
>
> the date and time of all future changes is in our public roadmap, with precision to the second. each roadmap entry also has the diff attached that is going to be written and committed.
>
> --
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services, http://bsws.de
> Full-Service ISP - Secure Hosting, Mail and DNS Services
> Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam

--
Best regards,
irix mailto:i...@ukr.net
pf, altq, packet rate
Hello Misc,

I was wondering why I can't find packet rate limiting per state in pf. Number of states per src IP: found. State rate limiting: found. Packet rate limiting per one state (or packet rate limiting at all): not found. Will this function be added? When the altq project was merged with pf, many functions were removed (like the queue disciplines blue, JoBB and wfq, and the cdnr dropper). I assume this had to be done to simplify, but I don't understand why cdnr (the traffic conditioner) was ported into the kernel but not connected to pf. Maybe it is worth finishing it to the end, what do you think? Over the past six years no new features have been added to the altq project, although the project is almost fully prepared. What is missing is the addition of dynamic queues, the completion of porting cdnr, and maybe adding some queue disciplines from altqd like blue and JoBB; what do you think?

--
Best regards,
irix mailto:i...@ukr.net
Re: pf, altq, packet rate
Hello Misc,

About adding some queue disciplines, I agree with you. But about the completion of porting CDNR, about dynamic queues and about packet rate limiting per state, your position is not clear. Why did CDNR porting freeze halfway? Why not bring it to the end?

--
Best regards,
irix mailto:i...@ukr.net
pf packet rate
Hello Misc,

I was wondering why I can't find packet rate limiting per state in pf. Number of states per src IP: found. State rate limiting: found. Packet rate limiting per one state (or packet rate limiting at all): not found. Will this function be added?

--
Best regards,
irix mailto:i...@ukr.net
Re: arp MiTM
Hello Misc,

I am a customer and not the network administrator, and someone in the network is carrying out a MiTM attack; the network is built on unmanaged switches and the ISP will not move everything over to managed ones. Hence the software implementation of this patch for OpenBSD. OpenBSD is the most secure OS on the planet, but susceptible to a simple MiTM attack. How then can we talk about secure by default?

--
Best regards,
irix mailto:i...@ukr.net
Where is Secure by default?
Hello Misc,

On www.openbsd.org it is written "Only two remote holes in the default install, in more than 10 years!"; this is not true. I use OpenBSD as a customer, not as an administrator. And my OpenBSD was attacked by a simple MiTM attack on the ARP protocol. How then can we talk about secure by default? In FreeBSD, for example, this is solved very simply, with this patch: http://freecap.ru/if_ether.c.patch When this is introduced in OpenBSD, then can you say with confidence that the system is really Secure by default?

--
Best regards,
irix mailto:i...@ukr.net
Re: arp MiTM
Hello Misc,

> On Mon, Mar 9, 2009 at 1:11 PM, irix i...@ukr.net wrote:
> ARP is insecure, no matter how many patches you apply or how many hacks you try. If you want something more secure, use 802.1X, use security on the switch, use IPv6+IPSec/SeND, etc.

Sorry if I have been rude. I am not the administrator of the network, I am a client. And another client uses MiTM. This network uses unmanaged switches, and the ISP does not care about it. That is why I am trying to find out how to protect my workstation from MiTM without a static ARP entry, which would be easy and transparent. The variant with the patch, I think, is the simplest and most effective. I am simply a customer, and I am trying to find the simplest solution.

--
Best regards,
irix mailto:i...@ukr.net
Re: arp MiTM
Hello Paul,

The problem is that I am not an administrator of the network. I am a client of the network. The network is built on unmanaged switches. The ISP does not care about the problem, so I am interested in this patch. Could you help with a patch for OpenBSD?

Monday, March 9, 2009, 3:02:23 PM, you wrote:

PdW> From a quick glance over the patch, it seems pretty useless unless you
PdW> also prevent MAC spoofing. You may want to look into port security for
PdW> your switches or 802.1x if this is a big concern to you.
PdW>
PdW> Cheers,
PdW>
PdW> Paul 'WEiRD' de Weerd
PdW>
PdW> On Mon, Mar 09, 2009 at 02:11:38PM +0200, irix wrote:
PdW> | Hello Misc,
PdW> |
PdW> | How do you protect your server from such attacks without the use of static ARP entries?
PdW> | For FreeBSD 5.0 a patch, arp_antidote, was written (http://freecap.ru/if_ether.c.patch);
PdW> | could somebody port it to OpenBSD?
PdW> |
PdW> | Also, in FreeBSD it is possible to set the flag staticarp on the interface through ifconfig:
PdW> | "If the Address Resolution Protocol is enabled, the host will only reply to requests for
PdW> | its addresses, and will never send any requests."
PdW> | Could you make this flag in OpenBSD?
PdW> | --
PdW> | Best regards,
PdW> | irix mailto:i...@ukr.net
PdW> |

--
Best regards,
irix mailto:i...@ukr.net
Re: arp MiTM
Hello Misc,

Theo and others, thanks.

--
Best regards,
irix mailto:i...@ukr.net
altq merge
Hello Misc,

When will the port of altq into pf be final? Since 2002 the porting of CDNR has dragged on: the kernel part is ported, but into pf it is not. Here is an excerpt from the log of 16.12.2002 about altq:

    Log message:
    switchover to pf-based altq.
    - remove files which are no longer used, or we don't have plans to support in pf in the near future.
    - remove altq ioctl related stuff.
    - convert the PRIQ, HFSC and RIO modules to pf-based altq.
      (these are not enabled in GENERIC, CDNR is not converted yet.)

When will CDNR be fully transferred?

--
Best regards,
irix mailto:i...@ukr.net
Re: altq merge
Hello Misc,

In that FreeBSD list they say, as in the OpenBSD list in 2002, that it will be merged:

> The options ALTQ_CDNR is a dummy at the moment. It introduces a function pointer in ip_input() that can be used as conditioner hook, but it is not used at the moment. There are plans to resurrect the conditioner, but it is not yet clear how and where. It might be a function of pf in the future.

But since 2002 it has been 6 years, and the merge still stands still. When will CDNR be merged into pf???

--
Best regards,
irix mailto:i...@ukr.net
altq: why are not all features of the original altqd provided?
Hello Misc,

Will the altqd daemon return to the main repository? Indeed, all its capabilities were left in the kernel and only the daemon was thrown out; what was included in pf provides only half of the capabilities that lie in the kernel. For example, the conditioner (ALTQ_CDNR) and blue (ALTQ_BLUE) are not used. If the daemon itself cannot be brought back, will full support for all the possibilities altqd provided be realized in pf? In total, 6 features are not provided in pf.

    options ALTQ            # Manipulate network interfaces' output queues
    options ALTQ_BLUE       # Stochastic Fair Blue -- not in pf
    options ALTQ_CBQ        # Class-Based Queueing
    options ALTQ_CDNR       # Diffserv Traffic Conditioner -- not in pf
    options ALTQ_FIFOQ      # First-In First-Out Queue -- not in pf
    options ALTQ_FLOWVALVE  # RED/flow-valve (red-penalty-box) -- not in pf
    options ALTQ_HFSC       # Hierarchical Fair Service Curve
    options ALTQ_LOCALQ     # Local queueing discipline -- not in pf
    options ALTQ_PRIQ       # Priority Queueing
    options ALTQ_RED        # Random Early Detection
    options ALTQ_RIO        # RED with IN/OUT
    options ALTQ_WFQ        # Weighted Fair Queueing -- not in pf

--
Best regards,
irix mailto:i...@ukr.net
new feature for altq in pf
Hello ,

Will the possibility of creating dynamic queues in one rule be realized in pf+altq, so that one could create a queue using masks for an entire subnet??? This is implemented in ipfw on FreeBSD, for example: with mask 0x create your own 1M channel for each IP.

    /sbin/ipfw pipe 1 config bw 1000Kbit/s
    /sbin/ipfw queue 1 config pipe 1 weight 50 mask dst-ip 0x
    /sbin/ipfw add queue 1 ip from any to 192.168.0.1/24

--
Best regards,
irix mailto:i...@ukr.net
Re: new feature for altq in pf
Hello Misc,

Sorry, for example:

    /sbin/ipfw add pipe 1 config bw 128kbit/s mask src-ip 0x
    /sbin/ipfw add pipe 2 config bw 128kbit/s mask dst-ip 0x

Each IP in these pipes gets an individual channel of 128Kbit.

--
Best regards,
irix mailto:i...@ukr.net
libnet libnet_get_hwaddr problem
Hello Misc,

I am trying to detect the hwaddr of my NIC via libnet 1.1, but my program detects an incorrect hwaddr like this: ca:0a:00:00:00:00. Where is my mistake???

OpenBSD 4.4-current (GENERIC)

hwaddr.c
--
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#ifdef __OpenBSD__
# include <net/if.h>
# include <net/if_arp.h>
# include <netinet/if_ether.h>  /* struct ether_addr, ether_ntoa() */
#endif /* __OpenBSD__ */
#include <libnet.h>

int
main(int argc, char *argv[])
{
    libnet_t *ln;
    struct ether_addr *ha = NULL;
    char ebuf[LIBNET_ERRBUF_SIZE] = "\0";

    /* argv[1] is the interface to query, e.g. em0 */
    if (argc != 2) {
        fprintf(stderr, "usage: %s interface\n", argv[0]);
        exit(EXIT_FAILURE);
    }
    if (!(ln = libnet_init(LIBNET_LINK_ADV, argv[1], ebuf))) {
        fprintf(stderr, "%s", ebuf);
        exit(EXIT_FAILURE);
    }
    /* libnet_get_hwaddr() returns the link-layer address of the interface */
    if ((ha = (struct ether_addr *) libnet_get_hwaddr(ln)) == NULL) {
        fprintf(stderr, "%s", libnet_geterror(ln));
        exit(EXIT_FAILURE);
    }
    printf("hwaddr: %s\n", ether_ntoa(ha));
    libnet_destroy(ln);
    return 0;
}
---

--
Best regards,
irix mailto:[EMAIL PROTECTED]