[PATCH] RFC 7194

2014-08-08 Thread Loïc Blot
Hi,
RFC 7194 standardizes the 6697/tcp port for IRC over SSL/TLS. Here is the
diff:

--- /etc/services  Thu May 22 09:49:56 2014
+++ /etc/services.new   Fri Aug  8 09:41:08 2014
@@ -256,6 +256,7 @@
 sip5060/tcp# SIP
 sip5060/udp# SIP
 postgresql 5432/tcp# PostgreSQL
+ircs-u 6697/tcp# Internet Relay Chat
over TLS/SSL
 zabbix-agent   10050/tcp   # Zabbix Agent
 zabbix-agent   10050/udp   # Zabbix Agent
 zabbix-trapper 10051/tcp   # Zabbix Trapper
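Review bot: the comment on the added line has been wrapped, with "over TLS/SSL" landing on its own line, so the hunk does not apply as posted; keep the entry on one line, `ircs-u  6697/tcp  # Internet Relay Chat over TLS/SSL`, with the tab separators the surrounding entries use. The service name matches the IANA-registered name from RFC 7194.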

Have a nice day
-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Network Engineer
http://www.unix-experience.fr





Re : Re: [PATCH] rdomain support on rc.d

2014-07-11 Thread Loïc Blot
Of course,
I made the smallest modification to rc.subr because the cases mentioned by Todd
are rarer. I think those cases must be handled by rc.local (I agree with Todd's
concept, but his modification is too big for the majority of systems).

Loïc Blot,
UNIX systems, security and network engineer
http://www.unix-experience.fr

Theo de Raadt dera...@cvs.openbsd.org wrote:

 Penned by Mike Belopuhov on 20140711  6:49.19, we have:
 | On 11 July 2014 10:29, Antoine Jacoutot ajacou...@bsdfrog.org wrote:
 |  On Thu, Jul 10, 2014 at 06:51:01PM +0200, Loïc BLOT wrote:
 |  Hello all,
 |  I use rdomains to split routing domains per company and also to separate
 |  administration interfaces from routing interfaces on my routers (sshd,
 |  bacula, postfix and puppetd running on a dedicated rdomain).
 | 
 |  Currently there is a problem with rdomains: we need to modify the /etc/rc.d
 |  scripts to add the rdomain execution environment to the specified service.
 |  If rc.subr had support for rdomains, we could keep the rc.d scripts clean.
 | 
 |  To resolve those rdomain issues, I created a patch and added a new
 |  variable we can use in rc.conf(.local), ${_name}_rdomain. (This
 |  variable needs a signed integer and must use an existing rdomain; this is
 |  checked by rc.subr.)
 | 
 |  I want to contribute to OpenBSD and I give you this patch. If you have
 |  any suggestions to improve it, tell me.
 | 
 |  I don't use rdomain so someone knowledgeable should comment here.
 |  But it does look like a nice idea.
 | 
 | 
 | having something like this would be really cool.  in case you'll be
 | tweaking the code, make sure that the route -T exec printf check
 | is preserved.  i would use true in this test however.
 | 
 | as far as i can tell the daemon_rdomain bit that goes into the rc
 | script is fine, however i'm not quite sure how can i start two
 | daemons in different rdomains via rc.conf.local.  looks like this
 | diff doesn't handle this and allows only one instance in the
 | ${_name}_rdomain rdomain.  but sometimes you want multiple, say
 | sshd in rdomain 0 and 1.  daemon_rdomain flag allows me to go and
 | create another rc.d/sshd-rdomain-1 script and stuff daemon_rdomain=1
 | in there.  but then i'd have to add it to the pkg_scripts...  this
 | is a minor issue that i see.  perhaps ${_name}_rdomain should list
 | multiple values, like sshd_rdomain=0,1,2,3.
 
 multiple rdomain instances might even have different daemon_flags.
 
 I think in addition to sshd_rdomain=0,1,2,3 the patch might handle
 ssh_rdomain_0_flags=-C /etc/ssh/sshd_0_config.  I'm guessing it
 makes sense to add to sshd_flags= rather than over-write it, but
 that's splitting hairs.
 
 I've been wondering about how to implement what you've done, and
 have ended up with 'route -T 3 exec /etc/rc.d/... -f' in /etc/rc.local.
 
 I like this direction.

For crazy stuff, use /etc/rc.local
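One way to expand the multi-rdomain convention Theo and Mike sketch above (sshd_rdomain=0,1,2,3 with optional per-rdomain flags appended to sshd_flags), as an added sh example that is not part of Loïc's patch or of OpenBSD's rc.subr; rc_rdomain_cmds(), is_rdomain_number() and the rdomain_exists() stand-in for the patch's `route -T N exec` probe are assumptions so the code runs on any POSIX sh.

```shell
# Added example, not code from Loïc's patch or from OpenBSD's rc.subr: it
# expands the rc.conf.local convention sketched above (sshd_rdomain=0,1,2,3
# plus optional sshd_rdomain_N_flags appended to sshd_flags) into one
# "route -T N exec" command line per rdomain. rdomain_exists() is a
# hypothetical stand-in for the patch's `route -T N exec` probe so that the
# function can run on any POSIX sh.

# Constructed rc.conf.local settings used by the demonstration.
sshd_flags="-4"
sshd_rdomain="0,1,2"
sshd_rdomain_1_flags="-f /etc/ssh/sshd_1_config"

# Stand-in for `/sbin/route -T$1 exec true`: pretend rdomains 0-2 exist.
rdomain_exists() {
    case $1 in 0|1|2) return 0 ;; esac
    return 1
}

# Accept only a non-negative integer. A `printf '%d'` probe, as in the
# patch, also accepts "-3" and then needs a second test for the sign.
is_rdomain_number() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    return 0
}

# rc_rdomain_cmds NAME DAEMON: print one start command per rdomain listed in
# ${NAME}_rdomain (default 0). ${NAME}_rdomain_N_flags is appended to
# ${NAME}_flags rather than replacing it. Returns 1 on the first rdomain
# that is malformed or does not exist, before printing anything further.
rc_rdomain_cmds() {
    _name=$1 _daemon=$2
    eval _list=\${${_name}_rdomain:-0}
    eval _flags=\${${_name}_flags}
    _list=$(printf '%s' "$_list" | tr ',' ' ')
    for _rd in $_list; do
        if ! is_rdomain_number "$_rd"; then
            echo "${_name}_rdomain: '$_rd' is not a non-negative integer" >&2
            return 1
        fi
        if ! rdomain_exists "$_rd"; then
            echo "${_name}_rdomain: rdomain $_rd does not exist" >&2
            return 1
        fi
        # _rd is validated as digits only, so this eval cannot be abused
        # through the rdomain list; NAME itself comes from the rc.d script.
        eval _extra=\${${_name}_rdomain_${_rd}_flags}
        echo "route -T$_rd exec $_daemon${_flags:+ $_flags}${_extra:+ $_extra}"
    done
    return 0
}
```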



[PATCH] rdomain support on rc.d

2014-07-10 Thread Loïc BLOT
Hello all,
I use rdomains to split routing domains per company and also to separate
administration interfaces from routing interfaces on my routers (sshd,
bacula, postfix and puppetd running on a dedicated rdomain).

Currently there is a problem with rdomains: we need to modify the /etc/rc.d
scripts to add the rdomain execution environment to the specified service.
If rc.subr had support for rdomains, we could keep the rc.d scripts clean.

To resolve those rdomain issues, I created a patch and added a new
variable we can use in rc.conf(.local), ${_name}_rdomain. (This
variable needs a signed integer and must use an existing rdomain; this is
checked by rc.subr.)

I want to contribute to OpenBSD and I give you this patch. If you have
any suggestions to improve it, tell me.

--- /etc/rc.d/rc.subr.orig  Thu Jul 10 17:34:18 2014
+++ /etc/rc.d/rc.subr   Thu Jul 10 18:36:19 2014
@@ -54,7 +54,7 @@
 }
 
 rc_start() {
-   ${rcexec} ${daemon} ${daemon_flags} ${_bg}
+   ${rcexec} ${_rdomain_cmd} ${daemon} ${daemon_flags} ${_bg}
 }
 
 rc_check() {
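Review bot: ${_rdomain_cmd} is read here but is declared `local` in rc_cmd() below; that only works because rc_start() is invoked from rc_cmd() and ksh's local is dynamically scoped, and any rc.d script that overrides rc_start() silently loses the rdomain wrapping. Building the prefix once at the top level of rc.subr, next to rcexec and pexp, would make it available to overriding scripts too. Also note the ordering: the route command runs inside ${rcexec}, i.e. after su to daemon_user, so check that `route -T N exec` is permitted for that unprivileged user.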
@@ -105,7 +105,7 @@
 }
 
 rc_cmd() {
-   local _bg _n
+   local _bg _n _rdomain_cmd
 
[ $(id -u) -eq 0 ] || \
[ X${rc_usercheck} != XNO -a X$1 = Xcheck ] || \
@@ -134,6 +134,21 @@
rc_err $0: need -f to force $1 since
${_name}_flags=NO
exit 1
fi
+
+   printf '%d' ${daemon_rdomain} 1/dev/null 21
+   if [ ! $? -eq 0 ] || [ ${daemon_rdomain} -lt 0
]; then
+   rc_err $0: ${_name}_rdomain must be numeric and
signed. Found ${_name}_rdomain=${daemon_rdomain}
+   exit 1
+   fi
+
+   /sbin/route -T${daemon_rdomain} exec printf ''
1/dev/null 21
+   if [ ! $? -eq 0 ]; then
+   rc_err $0: rdomain ${daemon_rdomain} doesn't
exists.
+   exit 1
+   fi
+
+   _rdomain_cmd=$(printf '/sbin/route -T%d exec'
${daemon_rdomain})
+
[ -z ${INRC} ]  rc_do rc_check  exit 0
echo $_n ${INRC:+ }${_name}
while true; do  # no real loop, only needed to break
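Review bot: the rc_err text says ${_name}_rdomain "must be numeric and signed" while the test `[ ${daemon_rdomain} -lt 0 ]` rejects negative values; say "a non-negative integer". `printf '%d'` also accepts "-3", so a pattern test (`case ... in ''|*[!0-9]*)`) is simpler and makes the second comparison unnecessary. The redirections on the printf and route lines arrived mangled in the mail ("1/dev/null 21"). Both checks also run for every action, including `check` and `stop`, and for every service since daemon_rdomain defaults to 0, which forks `route -T0 exec` on each rc.d invocation.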
@@ -203,22 +218,25 @@
 
 eval _rcflags=\${${_name}_flags}
 eval _rcuser=\${${_name}_user}
+eval _rcrdomain=\${${_name}_rdomain}
 
 getcap -f /etc/login.conf ${_name} 1/dev/null 21  \
daemon_class=${_name}
 
 [ -z ${daemon_class} ]  daemon_class=daemon
 [ -z ${daemon_user}  ]  daemon_user=root
+[ -z ${daemon_rdomain}  ]  daemon_rdomain=0
 
 [ -n ${_RC_FORCE} ]  [ X${_rcflags} = XNO ]  unset _rcflags
 [ -n ${_rcflags} ]  daemon_flags=${_rcflags}
 [ -n ${_rcuser}  ]  daemon_user=${_rcuser}
+[ -n ${_rcrdomain}  ]  daemon_rdomain=${_rcrdomain}
 
 # sanitize
 daemon_flags=$(printf ' %s' ${daemon_flags})
 daemon_flags=${daemon_flags## }
 readonly daemon_class
-unset _rcflags _rcuser
+unset _rcflags _rcuser _rcrdomain
 
 pexp=${daemon}${daemon_flags:+ ${daemon_flags}}
 rcexec=su -l -c ${daemon_class} -s /bin/sh ${daemon_user} -c
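Review bot: daemon_rdomain is not made readonly alongside daemon_class, and defaulting it to 0 for every service means the later `route -T0 exec` probe is paid by services that never set an rdomain; leaving it empty and only building ${_rdomain_cmd} when it is set avoids that. As Mike points out, a single value also cannot express sshd in rdomain 0 and 1 at once, and rc_check() and pexp are untouched by this diff, so two instances of the same daemon in different rdomains would match the same pgrep pattern.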

-- 
Best regards,
Loïc BLOT,
UNIX systems, security and network engineer
http://www.unix-experience.fr







Duplicate carp entries into routing table

2014-06-10 Thread Loïc Blot
Hi @tech,

this weekend I got a strange bug in CARP. I'm using CARP in a
MASTER/BACKUP configuration on two routers.

Last week I upgraded from 5.2 to 5.5 (amd64), and since then I
have duplicate entries in my routing table (netstat -rnfinet):

25.14.43.252/30    link#53    UC    0    0    -    4    carp70
25.14.34.252/30    link#53    UC    0    0    -    4    carp70
25.14.34.252/30    link#53    UC    0    0    -    4    carp70
25.14.34.252/30    link#53    UC    0    0    -    4    carp70
25.14.34.252/30    link#53    UC    0    0    -    4    carp70
25.14.34.252/30    link#53    UC    0    0    -    4    carp70
25.14.34.252/30    link#53    UC    0    0    -    4    carp70
25.14.34.252/30    link#53    UC    0    0    -    4    carp70

It seems this appears after a CARP flapping event.

On the 5.2 and 5.4 routers I have, I never saw this. I think this is a 5.5
bug.

If you want more information, please tell me.
-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Network Engineer
http://www.unix-experience.fr





OpenBSD crash with pfsync

2014-05-22 Thread Loïc Blot

ddb{1} show panic
the kernel did not panic

ddb{1} show registers
ds      0x23
es      0x23
fs      0x23
gs      0x23
rdi     0xe0
rsi     0x80943558
rbp     0x80002220db40
rbx     0x80002220da20
rdx     0
rcx     0xdeadbeefdeadbeef
rax     0
r8      0x80943558
r9      0
r10     0
r11     0xfe80bec840a4
r12     0x78
r13     0xfe80bec84078
r14     0x80901800
r15     0x80002220da10
rip     0x8124d659    ip_output+0xdd9
cs      0x8
rflags  0x10282       mp_pdirpa+0x19b
rsp     0x80002220d960
ss      0x10
ip_output+0xdd9:    movq    0(%rcx),%rax

-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Network Engineer
http://www.unix-experience.fr





Re: OpenBSD crash with pfsync

2014-05-22 Thread Loïc Blot
Hi Martin,
I'm using IPv6, but not on the syncdev interface; on all my other
interfaces (CARP & OSPF).

Here is the syncdev config:

inet 10.XX.XX.2 255.255.255.224 NONE
vlan 30 vlandev trunk1

and the pfsync config:

up
defer
syncdev vlan30

To be precise about how the bug happens, I had removed some other interfaces
before restarting it (a vlan57 and a carp57 interface, children of trunk1),
and also reloaded (without removing) the trunk1 interface.

Before doing the ifconfig pfsync0 up I also saw that pfsync0 was down and
there was no syncdev (strange, because the interface wasn't modified since
boot).
-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Network Engineer
http://www.unix-experience.fr


On Thursday 22 May 2014 at 12:49 +0200, Martin Pieuchot wrote:
 Hello Loïc,
 
 On 22/05/14(Thu) 11:11, Loïc Blot wrote:
  Hi,
  today I upgraded my primary router from OpenBSD 5.4 to OpenBSD 5.5 (I
  followed the process described here:
  http://www.openbsd.org/faq/upgrade55.html and this is my 5th upgrade
  from 5.4 to 5.5 since the release).
  
  After rebooting and doing the sysmerge without network copper cables, I
  rebooted and set my carp & pfsync interfaces to down before plugging in the
  cables. At this time, the router was in CARP INIT mode, no problem.
  
  Note: all the traffic was redirected to my second OpenBSD router (which
  was upgraded at release time) 3 days ago; this router hasn't had any
  problem and has exactly the same hardware and software configuration
  (except some IPs).
  
  After finishing the upgrade process, I incremented the carpdemote
  counter to force CARP into BACKUP mode and then set all my
  carp interfaces to up. Then the ifaces were in BACKUP mode. No problem so
  far, everything was right, all services worked fine, etc.
  
  The last step I did was an ifconfig pfsync0 up, and then OpenBSD
  crashed.
 
 Thanks for the report.  How is your pfsync0 interface configured?  Same
 thing for its syncdev interface.
 
  ddb{1} trace
  ip_output() at ip_output+0xdd9
 
 This is a use after free in IFP_TO_IA(), somehow one of the ifa pointer
 on the list of your syncdev is now pointing to memory that has been freed:
 
  rcx   0xdeadbeefdeadbeef
 
 This should be pointing to `ifa_addr` which makes me believe that you
 are hitting a reference counting bug because it should not be possible
 to free an ifa which is still on the list of an ifp. 
 
 Can you easily reproduce this bug?  Do you use IPv6?  If yes, does
 setting -inet6 on the syncdev interface help?
 
 Martin



tmpfs vs mfs

2014-05-06 Thread Loïc Blot
Hi @tech,
I've migrated one of our squid servers to OpenBSD 5.5 and tested tmpfs.
It works like a charm, great work, but I noticed that mfs is faster
than tmpfs.

My benchmarks (with dd) show that tmpfs is slower than mfs (/tmp:
tmpfs | /var/squid/cache: mfs). I've done many dd runs to test it, and I
always get the same results.

Writing performance
 dd if=/dev/zero of=/tmp/test.img bs=1024 count=100
100+0 records in
100+0 records out
102400 bytes transferred in 8.706 secs (117614588 bytes/sec)
 dd if=/dev/zero of=/var/squid/cache/test.img bs=1024 count=100
100+0 records in
100+0 records out
102400 bytes transferred in 3.044 secs (336379694 bytes/sec)

Reading performance
 dd if=/var/squid/cache/test.img of=/dev/null bs=1000
1024000+0 records in
1024000+0 records out
102400 bytes transferred in 2.767 secs (370015585 bytes/sec)
 dd if=/tmp/test.img of=/dev/null bs=1000
1024000+0 records in
1024000+0 records out
102400 bytes transferred in 3.553 secs (288178274 bytes/sec)

Then, what is the goal of tmpfs? To replace mfs? To create a tmpfs structure
for some special dirs (like /dev, /tmp, /var/run...)? If yes, will this
new tmpfs structure in fstab be used in -current and the next
release?

Thanks in advance

-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Network Engineer
http://www.unix-experience.fr





Packet Filter nat-to issue

2014-02-28 Thread Loïc Blot
Hello,
I encountered a strange problem today with PF. I don't know if this is normal,
but the result is illogical.

I have this rule:

pass out quick proto tcp from <all_clients_v4> to port { smtp smtps 587
imap imaps pop3 pop3s } nat-to $natto_iface

The tables contain IPv4 addresses only.

After applying this rule (I added IPv6 support yesterday), those
protocols weren't NAT-ed by PF.

By investigating, I found this:

pfctl -sr | grep nat-to

pass out quick inet6 proto tcp from <all_clients_v4> to any port = 465
flags S/SA nat-to <__automatic_d309aaac_0> round-robin

Then I looked at __automatic_d309aaac_0, because inet6 was strange!

pfctl -t __automatic_d309aaac_1 -T show
   2001:660:3bbb:::2
   fe80::92b1:1cad:fe18:ea18

To resolve this problem I added the inet keyword to my rule.

Is this normal? Maybe a fix is required in the pf parser?

Have a nice day


-- 
Best regards, 

Loïc BLOT, Engineering
UNIX Systems, Security and Network Engineer
http://www.unix-experience.fr





Re: bgpd: fib-priority

2013-11-09 Thread Loïc BLOT
Hi Florian,
good job.
I think it's better to set the minimum to RTP_CONNECTED+1 instead of
RTP_NONE+1

-- 
Best regards,
Loïc BLOT, 
UNIX systems, security and network engineer
http://www.unix-experience.fr



On Saturday 09 November 2013 at 21:04 +, Florian Obser wrote:
 now with reload working; check RTP_NONE < fib-priority <= RTP_MAX
 
 test reports / comments / OKs?
 
 diff --git bgpd.c bgpd.c
 index 9c48bb3..8ad95fe 100644
 --- bgpd.c
 +++ bgpd.c
 @@ -43,7 +43,7 @@ int check_child(pid_t, const char *);
  int  send_filterset(struct imsgbuf *, struct filter_set_head *);
  int  reconfigure(char *, struct bgpd_config *, struct mrt_head *,
   struct peer **);
 -int  dispatch_imsg(struct imsgbuf *, int);
 +int  dispatch_imsg(struct imsgbuf *, int, struct bgpd_config *);
  int  control_setup(struct bgpd_config *);
  
  int   rfd = -1;
 @@ -276,12 +276,14 @@ main(int argc, char *argv[])
   }
  
   if (nfds  0  pfd[PFD_PIPE_SESSION].revents  POLLIN) {
 - if (dispatch_imsg(ibuf_se, PFD_PIPE_SESSION) == -1)
 + if (dispatch_imsg(ibuf_se, PFD_PIPE_SESSION, conf) ==
 + -1)
   quit = 1;
   }
  
   if (nfds  0  pfd[PFD_PIPE_ROUTE].revents  POLLIN) {
 - if (dispatch_imsg(ibuf_rde, PFD_PIPE_ROUTE) == -1)
 + if (dispatch_imsg(ibuf_rde, PFD_PIPE_ROUTE, conf) ==
 + -1)
   quit = 1;
   }
  
 @@ -359,7 +361,7 @@ main(int argc, char *argv[])
   control_cleanup(conf.csock);
   control_cleanup(conf.rcsock);
   carp_demote_shutdown();
 - kr_shutdown();
 + kr_shutdown(conf.fib_priority);
   pftable_clear_all();
   free(conf.listen_addrs);
  
 @@ -468,7 +470,7 @@ reconfigure(char *conffile, struct bgpd_config *conf, 
 struct mrt_head *mrt_l,
   while ((rr = SIMPLEQ_FIRST(ribnames))) {
   SIMPLEQ_REMOVE_HEAD(ribnames, entry);
   if (ktable_update(rr-rtableid, rr-name, NULL,
 - rr-flags) == -1) {
 + rr-flags, conf-fib_priority) == -1) {
   log_warnx(failed to load rdomain %d,
   rr-rtableid);
   return (-1);
 @@ -505,7 +507,7 @@ reconfigure(char *conffile, struct bgpd_config *conf, 
 struct mrt_head *mrt_l,
   while ((rd = SIMPLEQ_FIRST(rdom_l)) != NULL) {
   SIMPLEQ_REMOVE_HEAD(rdom_l, entry);
   if (ktable_update(rd-rtableid, rd-descr, rd-ifmpe,
 - rd-flags) == -1) {
 + rd-flags, conf-fib_priority) == -1) {
   log_warnx(failed to load rdomain %d,
   rd-rtableid);
   return (-1);
 @@ -551,7 +553,7 @@ reconfigure(char *conffile, struct bgpd_config *conf, 
 struct mrt_head *mrt_l,
  }
  
  int
 -dispatch_imsg(struct imsgbuf *ibuf, int idx)
 +dispatch_imsg(struct imsgbuf *ibuf, int idx, struct bgpd_config *conf)
  {
   struct imsg  imsg;
   ssize_t  n;
 @@ -580,7 +582,8 @@ dispatch_imsg(struct imsgbuf *ibuf, int idx)
   else if (imsg.hdr.len != IMSG_HEADER_SIZE +
   sizeof(struct kroute_full))
   log_warnx(wrong imsg len);
 - else if (kr_change(imsg.hdr.peerid, imsg.data))
 + else if (kr_change(imsg.hdr.peerid, imsg.data,
 + conf-fib_priority))
   rv = -1;
   break;
   case IMSG_KROUTE_DELETE:
 @@ -589,7 +592,8 @@ dispatch_imsg(struct imsgbuf *ibuf, int idx)
   else if (imsg.hdr.len != IMSG_HEADER_SIZE +
   sizeof(struct kroute_full))
   log_warnx(wrong imsg len);
 - else if (kr_delete(imsg.hdr.peerid, imsg.data))
 + else if (kr_delete(imsg.hdr.peerid, imsg.data,
 + conf-fib_priority))
   rv = -1;
   break;
   case IMSG_NEXTHOP_ADD:
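Review bot: kr_delete() is given conf->fib_priority at the moment the delete imsg arrives; if fib-priority was changed by a reload after the route was installed, the lookup uses the new priority and the old kernel route stays behind. Either record the priority in the kroute at insert time and pass that here, or have reconfigure() withdraw and re-add routes under the new priority; the same concern applies to kr_shutdown(conf.fib_priority) and kr_change() above.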
 @@ -652,13 +656,15 @@ dispatch_imsg(struct imsgbuf *ibuf, int idx)
   if (idx != PFD_PIPE_SESSION)
   log_warnx(couple request not from SE);
   else
 - kr_fib_couple(imsg.hdr.peerid);
 + kr_fib_couple(imsg.hdr.peerid,
 + conf-fib_priority);
   break;
   case IMSG_CTL_FIB_DECOUPLE:
   if (idx != PFD_PIPE_SESSION)
   log_warnx(decouple request not from SE);
   else
 - kr_fib_decouple(imsg.hdr.peerid

ospfd: fib-priority

2013-11-07 Thread Loïc Blot
Hi all,
sorry for being late, but here is my ospfd patch for setting custom
routing priorities in ospfd (based on 5.4 sources).

My parse.y is more precise than Florian's: it allows priorities greater
than static routes (RTP_STATIC) and lower than RTP_MAX (63).

Also, when /etc/rc.d/ospfd reload is launched, the fib is decoupled, the
priority changed and the fib recoupled. It works nearly perfectly.
The only missing point is that ospfctl sh fib shows both fibs, with the old
and the new prio (but the real routing table only has the new fib priority).

--- ../OpenBSD54/usr.sbin/ospfd/kroute.c2013-07-07 18:26:04.0
+0200
+++ ospfd/kroute.c  2013-11-07 17:26:58.395763302 +0100
@@ -254,7 +254,7 @@
kn-r.prefixlen = kroute[i].prefixlen;
kn-r.nexthop.s_addr = kroute[i].nexthop.s_addr;
kn-r.flags = kroute[i].flags | F_OSPFD_INSERTED;
-   kn-r.priority = RTP_OSPF;
+   kn-r.priority = get_conf()-fib_priority;
kn-r.ext_tag = kroute[i].ext_tag;
rtlabel_unref(kn-r.rtlabel);   /* for RTM_CHANGE */
kn-r.rtlabel = kroute[i].rtlabel;
@@ -278,7 +278,7 @@
 
kroute-rtlabel = rtlabel_tag2id(kroute-ext_tag);
 
-   kr = kroute_find(kroute-prefix.s_addr, kroute-prefixlen, RTP_OSPF);
+   kr = kroute_find(kroute-prefix.s_addr, kroute-prefixlen,
get_conf()-fib_priority);
if (kr != NULL  kr-next == NULL  krcount == 1)
/* single path OSPF route */
action = RTM_CHANGE;
@@ -289,7 +289,7 @@
 int
 kr_delete_fib(struct kroute_node *kr)
 {
-   if (kr-r.priority != RTP_OSPF)
+   if (kr-r.priority != get_conf()-fib_priority)
log_warn(kr_delete_fib: %s/%d has wrong priority %d,
inet_ntoa(kr-r.prefix), kr-r.prefixlen, kr-r.priority);
 
@@ -308,7 +308,7 @@
struct kroute_node  *kr, *nkr;
 
if ((kr = kroute_find(kroute-prefix.s_addr, kroute-prefixlen,
-   RTP_OSPF)) == NULL)
+   get_conf()-fib_priority)) == NULL)
return (0);
 
while (kr != NULL) {
@@ -340,7 +340,7 @@
kr_state.fib_sync = 1;
 
RB_FOREACH(kr, kroute_tree, krt)
-   if (kr-r.priority == RTP_OSPF)
+   if (kr-r.priority == get_conf()-fib_priority)
for (kn = kr; kn != NULL; kn = kn-next)
send_rtmsg(kr_state.fd, RTM_ADD, kn-r);
 
@@ -357,7 +357,7 @@
return;
 
RB_FOREACH(kr, kroute_tree, krt)
-   if (kr-r.priority == RTP_OSPF)
+   if (kr-r.priority == get_conf()-fib_priority)
for (kn = kr; kn != NULL; kn = kn-next)
send_rtmsg(kr_state.fd, RTM_DELETE, kn-r);
 
@@ -410,7 +410,7 @@
kn = kr-next;
 
if (kr-serial != kr_state.fib_serial) {
-   if (kr-r.priority == RTP_OSPF) {
+   if (kr-r.priority == get_conf()-fib_priority) 
{
kr-serial = kr_state.fib_serial;
if (send_rtmsg(kr_state.fd,
RTM_ADD, kr-r) != 0)
@@ -1142,7 +1142,7 @@
bzero(hdr, sizeof(hdr));
hdr.rtm_version = RTM_VERSION;
hdr.rtm_type = action;
-   hdr.rtm_priority = RTP_OSPF;
+   hdr.rtm_priority = get_conf()-fib_priority;
hdr.rtm_tableid = kr_state.rdomain; /* rtableid */
if (action == RTM_CHANGE)
hdr.rtm_fmask = RTF_REJECT|RTF_BLACKHOLE;
@@ -1373,7 +1373,7 @@
if (rtm-rtm_flags  RTF_MPATH)
mpath = 1;
prio = rtm-rtm_priority;
-   flags = (prio == RTP_OSPF) ?
+   flags = (prio == get_conf()-fib_priority) ?
F_OSPFD_INSERTED : F_KERNEL;
 
switch (sa-sa_family) {
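Review bot: marking a route F_OSPFD_INSERTED only when prio equals the current fib_priority means that after a reload which changes the priority, ospfd's own routes still in the kernel at the old priority are read back as F_KERNEL and are never removed by kr_delete_fib() (which, per the hunk above, only warns on a priority mismatch). That is the "ospfctl sh fib shows both" symptom described in the mail; the reload path should withdraw the old-priority routes before recoupling, or remember the previous priority and treat both as ours.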
@@ -1432,7 +1432,7 @@
!= NULL) {
/* get the correct route */
kr = okr;
-   if ((mpath || prio == RTP_OSPF) 
+   if ((mpath || prio == get_conf()-fib_priority) 

(kr = kroute_matchgw(okr, nexthop)) ==
NULL) {
log_warnx(dispatch_rtmsg 
@@ -1481,7 +1481,7 @@
kr-r.ifindex = ifindex;
kr-r.priority = prio;
 
-   if (rtm-rtm_priority == RTP_OSPF) {
+   if (rtm-rtm_priority == 
get_conf()-fib_priority) {
log_warnx(alien OSPF route %s/%d,
inet_ntoa(prefix), prefixlen);
rv = 
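Review bot: the "alien OSPF route" warning now fires only for routes at the configured priority, so a route installed at RTP_OSPF by another ospfd instance, or by this daemon before a priority change, is no longer detected; keep the RTP_OSPF test alongside the fib_priority one.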

Re : Re: Improve routing functions

2013-11-03 Thread Loïc Blot
Hello, that's powerful, but my improvement isn't for this use. It's only an
improvement to route packets correctly, not to distribute load.

I'll give you a concrete example this evening.

Loïc Blot,
UNIX systems, security and network engineer
http://www.unix-experience.fr

Stuart Henderson st...@openbsd.org wrote:

On 2013/11/01 19:57, sven falempin wrote:
 FreeBSD proposes to have a specific routing table for a process, which is
 even more powerful.
 When the router has multiple gateways I guess when a source address is
 chosen the route should be chosen given that. Nothing more.
 
 What use of this improvement do you imagine? Of course you may want
 this traffic over this network (low latency) and the other one on
 another (high bandwidth), but you may use pf for this, or specific routes for
 the services.
 
 Writing about this makes me think you want a route that selects on the PORT
 instead of the IP. Is this madness???

This is also known as policy based routing. I've been doing this with
route-to in PF for ages, or alternatively you can use multiple route tables
and rtable in PF to push certain traffic to using a certain table (either
based on port number, or source address, or UID if it's a connection from
the local machine, etc).




Re: Re : Re: Improve routing functions

2013-11-03 Thread Loïc BLOT
Hi,
then to explain my draft, here is my own configuration, and why it could
be useful to set custom priorities:

   OSPF Scheme:
| - RT1 - |   | - RT3
WAN | | OSPF AREA |
| - RT2 - |   | - RT4 

   RIP Scheme:
| - RT1 - |
WAN | | RIP AREA | - CISCO 45XX
| - RT2 - |

   BGP Scheme:
| - RT1
WAN |
| - RT2

A first problem is that my BGP default route, which was redistributed over
OSPF, causes a routing loop between RT1 and RT2 for outgoing packets
(to WAN), because OSPF has priority over BGP.

A second problem is that routes obtained by RIP and redistributed over OSPF
(by a custom patch which adds redistribution of RIP routes to ospfd) have
the same problem, because OSPF has priority over RIP (I need to redistribute
those RIP routes because the routes are distributed to remote networks
over a GRE+IPsec link).

Without the possibility to change the priorities (and dynamically is
better than recompiling the kernel and changing constant values; it would be
a great function for everybody who wants it), it's impossible to solve this
routing loop (I have patched ospfd to refuse adding some specific routes
from specific hosts, but it's not a proper solution, even though it
worked...).

-- 
Best regards,
Loïc BLOT, 
UNIX systems, security and network engineer
http://www.unix-experience.fr



On Sunday 03 November 2013 at 18:01 +0100, Loïc Blot wrote:
 Hello, that's powerful, but my improvement isn't for this use. It's only an
 improvement to route packets correctly, not to distribute load.
 
 I'll give you a concrete example this evening.
 
 Loïc Blot,
 UNIX systems, security and network engineer
 http://www.unix-experience.fr
 
 Stuart Henderson st...@openbsd.org wrote:
 
 On 2013/11/01 19:57, sven falempin wrote:
  FreeBSD proposes to have a specific routing table for a process, which is
  even more powerful.
  When the router has multiple gateways I guess when a source address is
  chosen the route should be chosen given that. Nothing more.
  
  What use of this improvement do you imagine? Of course you may want
  this traffic over this network (low latency) and the other one on
  another (high bandwidth), but you may use pf for this, or specific routes for
  the services.
  
  Writing about this makes me think you want a route that selects on the PORT
  instead of the IP. Is this madness???
 
 This is also known as policy based routing. I've been doing this with
 route-to in PF for ages, or alternatively you can use multiple route tables
 and rtable in PF to push certain traffic to using a certain table (either
 based on port number, or source address, or UID if it's a connection from
 the local machine, etc).
 
 




Re : Re: Improve routing functions

2013-11-02 Thread Loïc Blot
Can you explain to me what the problem is with my configuration? I don't see
what the problem is.

Loïc Blot,
UNIX systems, security and network engineer
http://www.unix-experience.fr

Chris Cappuccio ch...@nmedia.net wrote:

Loïc BLOT [loic.b...@unix-experience.fr] wrote:
 Hello sven,
 it's not a routing table problem, it's only a modification of route
 priorities; it's not the same thing.

The two of you are solving totally different problems.

 Here is my example at work:
 
 I have BGP on the WAN, OSPF for my LAN (+ over GRE tunnels) and RIP to
 my Cisco Catalyst 45XX.
 
 The problem is simple. I have two routers in this configuration. OSPF has
 priority over RIP. Routes obtained by RIP are redistributed into OSPF (because
 my remote sites must know them). But OSPF has priority over RIP, and so the
 two border routers want to go through each other instead of using the RIP
 route.
 I have the same problem with BGP: the default route has priority in OSPF over
 BGP. So BGP must have priority over OSPF so the default route doesn't loop
 between the two routers.

You don't need a new knob in the system to fix this.

You need to fix your configuration.



Improve routing functions

2013-11-01 Thread Loïc BLOT
Hello @tech,
Congratulations on the 5.4 release.

I want to explain a draft to improve routing administration a little on
OpenBSD, maybe for 5.5.

There is something lacking in the routing daemons: the possibility to change
the routing priorities of some protocols.
At this time the routing priority is a dedicated constant in the kernel.
In some cases it's useful to change the routing priority of a protocol to
make it take precedence over another.

To resolve this lack, two ways are possible:

1. Each routing daemon manages its own priority itself, instead of using
kernel priorities, and limits the minimum and maximum value. When we
change the priority (for example bgpctl routing priority 10) all
priorities.
This is easy, but a problem appears: the priority can be the same as another
running daemon's (ospfd for example). How can we know the other routing
priorities?

2. We need to change the meaning of the routing priority value in the
messages to another thing: routing type.
Then when a daemon registers a route, it registers the route for its type
(BGP/OSPF/RIP/MPLS) and the kernel applies a variable value.
This value could be modified by sysctl (example: sysctl -w
net.routing.ospf_priority = 10).
When we change the priority for a protocol, the kernel will search all
routes matching the protocol and apply the priority. Priority conflicts
must be detected by the kernel.

Do you know if it's possible? Is this interesting for future OpenBSD?

If the OpenBSD team is interested I can start a patch in the next weeks.

Thanks for reading
-- 
Best regards,
Loïc BLOT, 
UNIX systems, security and network engineer
http://www.unix-experience.fr




Re: Improve routing functions

2013-11-01 Thread Loïc BLOT
Hello sven,
it's not a routing table problem, it's only a modification of route
priorities; it's not the same thing.
Here is my example at work:

I have BGP on the WAN, OSPF for my LAN (+ over GRE tunnels) and RIP to
my Cisco Catalyst 45XX.

The problem is simple. I have two routers in this configuration. OSPF has
priority over RIP. Routes obtained by RIP are redistributed into OSPF (because
my remote sites must know them). But OSPF has priority over RIP, and so the
two border routers want to go through each other instead of using the RIP
route.
I have the same problem with BGP: the default route has priority in OSPF over
BGP. So BGP must have priority over OSPF so the default route doesn't loop
between the two routers.


-- 
Best regards,
Loïc BLOT, 
UNIX systems, security and network engineer
http://www.unix-experience.fr



On Friday 01 November 2013 at 19:57 -0400, sven falempin wrote:
 FreeBSD proposes to have a specific routing table for a process, which is
 even more powerful.
 When the router has multiple gateways I guess when a source address is
 chosen the route should be chosen given that. Nothing more.
 
 What use of this improvement do you imagine? Of course you may want
 this traffic over this network (low latency) and the other one on
 another (high bandwidth), but you may use pf for this, or specific routes for
 the services.
 
 Writing about this makes me think you want a route that selects on the PORT
 instead of the IP. Is this madness???
 
 route add smtp 1.2.3.4
 
 
 
 
 On Fri, Nov 1, 2013 at 7:46 PM, Loïc BLOT loic.b...@unix-experience.fr wrote:
 
  Hello @tech,
  Congratulations on the 5.4 release.
 
  I want to explain a draft to improve routing administration a little on
  OpenBSD, maybe for 5.5.
 
  There is something lacking in the routing daemons: the possibility to change
  the routing priorities of some protocols.
  At this time the routing priority is a dedicated constant in the kernel.
  In some cases it's useful to change the routing priority of a protocol to
  make it take precedence over another.
 
  To resolve this lack, two ways are possible:
 
  1. Each routing daemon manages its own priority itself, instead of using
  kernel priorities, and limits the minimum and maximum value. When we
  change the priority (for example bgpctl routing priority 10) all
  priorities.
  This is easy, but a problem appears: the priority can be the same as another
  running daemon's (ospfd for example). How can we know the other routing
  priorities?
 
  2. We need to change the meaning of the routing priority value in the
  messages to another thing: routing type.
  Then when a daemon registers a route, it registers the route for its type
  (BGP/OSPF/RIP/MPLS) and the kernel applies a variable value.
  This value could be modified by sysctl (example: sysctl -w
  net.routing.ospf_priority = 10).
  When we change the priority for a protocol, the kernel will search all
  routes matching the protocol and apply the priority. Priority conflicts
  must be detected by the kernel.
 
  Do you know if it's possible? Is this interesting for future OpenBSD?
 
  If the OpenBSD team is interested I can start a patch in the next weeks.
 
  Thanks for reading
  --
  Best regards,
  Loïc BLOT,
  UNIX systems, security and network engineer
  http://www.unix-experience.fr
 
 
 
 




Working on PXE automated installation

2013-08-26 Thread Loïc BLOT
Hello @tech.
I want to share with you my work to make OpenBSD automated installation
possible.

My approach is to load a configuration file based on DHCP option 225
(thanks to Nick's work). If this file is present and available (HTTP, FTP
and TFTP are currently supported) the parser loads variables into the
installation environment (pxe_*).
If an error occurs at this time, the installer goes back to normal mode.

The configuration file defines variables on this pattern:
define_aiv pxe_myvar=value

or (for multiple values):
define_aiv pxe_mymultivar=value1 value2

(AIV stands for automated installation value)

Then, the installation process begins.

To answer all questions I have added an extra argument to the (_)ask*()
functions, which is the automated variable. It's the better approach for
minimal changes.

At this time I don't answer all questions, but all classic questions
for an automated install by ethernet are answered. (For example I
don't have answers to WiFi or VLAN questions, but this is possible by
adding a variable name!)

Unlike Nick's work I don't patch the kernel itself, because the netboot
interface is tagged and I can get it with a regexp.

The only thing missing to get a choice between a PXE automated install
or a PXE manual install is, maybe, a boot.conf variable to set the
installation in automatic mode. In my case the automated install is
forced by launching install pxe in the dot.profile.

You'll find my patch here (based on 5.3):
http://www.unix-experience.fr/wp-content/uploads/2013/08/OpenBSD-PXE-automatedinstall-0826131920GMT.diff

A working configuration:
http://www.unix-experience.fr/wp-content/uploads/2013/08/OpenBSD-PXE-autoinstall.conf

And here is the PoC as a YouTube video (5min30, sorry, my Internet
connection is slow):

https://www.youtube.com/watch?v=rdcdcHhWtVQ

Comments and review are welcome!

-- 
Best regards,
Loïc BLOT, 
UNIX systems, security and network expert
http://www.unix-experience.fr
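A parser for the "define_aiv pxe_var=value" file format described in the mail above, as an added sh example that is not Loïc's patch or OpenBSD's installer code; the sample file, the function names (aiv_load, aiv_get, aiv_valid_name) and the pxe_-prefix policy are assumptions. Since the file is fetched over HTTP, FTP or TFTP, the point is to load it without ever sourcing or eval'ing its content as shell.

```shell
# Added example (not Loïc's patch, not OpenBSD's installer): a parser for the
# "define_aiv pxe_var=value" format described in the mail. The file arrives
# over HTTP, FTP or TFTP, so it is never sourced or eval'd as shell; only
# lines of that exact shape with a pxe_-prefixed identifier and a printable
# value are accepted, and each value is stored as a literal string.

# Constructed stand-in for a fetched autoinstall configuration file.
AIV_SAMPLE='# comment, ignored
define_aiv pxe_hostname=router1
define_aiv pxe_disks=sd0 sd1
define_aiv pxe_root_pw=$(id)
define_aiv HOME=/tmp
define_aiv pxe_bad name=x
echo injected
'

# Count of lines aiv_load refused, for the caller to inspect.
aiv_rejected=0

# Identifier policy: pxe_ followed by one or more of [A-Za-z0-9_].
aiv_valid_name() {
    case $1 in
        pxe_?*) case $1 in *[!A-Za-z0-9_]*) return 1 ;; esac; return 0 ;;
    esac
    return 1
}

# aiv_load: read define_aiv lines from stdin into pxe_* shell variables.
# The only eval is a fixed-shape assignment whose right-hand side is a
# single-quoted literal, so "$(id)" above is stored as text, not executed.
aiv_load() {
    aiv_rejected=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        case $_line in ''|'#'*) continue ;; esac
        _name=''
        case $_line in
            'define_aiv '*=*)
                _kv=${_line#define_aiv }
                _name=${_kv%%=*}
                _value=${_kv#*=} ;;
        esac
        if ! aiv_valid_name "$_name"; then
            echo "aiv: rejected line: $_line" >&2
            aiv_rejected=$((aiv_rejected + 1))
            continue
        fi
        case $_value in *[![:print:]]*)
            echo "aiv: non-printable value for $_name" >&2
            aiv_rejected=$((aiv_rejected + 1))
            continue ;;
        esac
        # Escape single quotes so the value cannot break out of the literal.
        _value=$(printf '%s' "$_value" | sed "s/'/'\\\\''/g")
        eval "$_name='$_value'"
    done
}

# aiv_get NAME: print the value of an accepted pxe_ variable (empty if unset).
aiv_get() {
    aiv_valid_name "$1" || return 1
    eval "printf '%s' \"\$$1\""
}

# aiv_load_sample: load AIV_SAMPLE into the current shell (a here-document,
# not a pipe, so the variables are set in this shell and not in a subshell).
aiv_load_sample() {
    aiv_load <<EOF
$AIV_SAMPLE
EOF
}
```

In the installer the same function would read the fetched file (`aiv_load < /tmp/autoinstall.conf`) and each `_ask` helper would consult `aiv_get pxe_...` before prompting.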



