[PATCH] RFC 7194
Hi, RFC 7194 standardize the 6697/tcp port for IRC over SSL/TLS. Here is the diff: --- /etc/services Thu May 22 09:49:56 2014 +++ /etc/services.new Fri Aug 8 09:41:08 2014 @@ -256,6 +256,7 @@ sip5060/tcp# SIP sip5060/udp# SIP postgresql 5432/tcp# PostgreSQL +ircs-u 6697/tcp# Internet Relay Chat over TLS/SSL zabbix-agent 10050/tcp # Zabbix Agent zabbix-agent 10050/udp # Zabbix Agent zabbix-trapper 10051/tcp # Zabbix Trapper Have a nice day -- Best regards, Loïc BLOT, Engineering UNIX Systems, Security and Network Engineer http://www.unix-experience.fr
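Review bot: the header `--- /etc/services Thu May 22 09:49:56 2014` shows the diff was taken against the installed file on a host rather than src/etc/services in the source tree, so it will not apply cleanly from a checkout; regenerate it against the tree so the path and context lines match. In the hunk itself, `ircs-u` is the service name IANA registered for 6697/tcp under RFC 7194, which is worth stating in the log message, and the neighbouring entries align their `#` comments with tabs, so the new line should keep that column (whitespace is not preserved in this copy of the mail).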
Re : Re: [PATCH] rdomain support on rc.d
Of course, I have kept the modifications to rc.subr to a minimum, because the cases mentioned by Todd are rarer. I think those cases must be handled by rc.local. (But I agree with Todd's concept; his modification is just too big for the majority of systems.)

Loïc Blot, UNIX Systems, Security and Network Engineer
http://www.unix-experience.fr

Theo de Raadt dera...@cvs.openbsd.org wrote:

Penned by Mike Belopuhov on 20140711 6:49.19, we have:
| On 11 July 2014 10:29, Antoine Jacoutot ajacou...@bsdfrog.org wrote:
| On Thu, Jul 10, 2014 at 06:51:01PM +0200, Loïc BLOT wrote:
| Hello all,
| I use rdomains to split routing domains per company and also separate administration interfaces from routing interfaces on my routers (sshd, bacula, postfix and puppetd running on a dedicated rdomain).
|
| Actually there is a problem with rdomains: we need to modify /etc/rc.d scripts to add the rdomain execution environment to the specified service. If rc.subr had support for rdomains, we could keep the rc.d scripts clean.
|
| To resolve those rdomain issues, I created a patch and added a new variable we could use in rc.conf(.local), ${_name}_rdomain. (This variable needs a signed integer and must use an existing rdomain; this is checked by rc.subr.)
|
| I want to contribute to OpenBSD and I give you this patch. If you have any suggestions to improve it, tell me.
|
| I don't use rdomain so someone knowledgeable should comment here. But it does look like a nice idea.
|
| having something like this would be really cool. in case you'll be tweaking the code, make sure that the route -T exec printf check is preserved. i would use true in this test however.
|
| as far as i can tell the daemon_rdomain bit that goes into the rc script is fine, however i'm not quite sure how i can start two daemons in different rdomains via rc.conf.local. looks like this diff doesn't handle this and allows only one instance in the ${_name}_rdomain rdomain. but sometimes you want multiple, say sshd in rdomain 0 and 1. daemon_rdomain flag allows me to go and create another rc.d/sshd-rdomain-1 script and stuff daemon_rdomain=1 in there. but then i'd have to add it to the pkg_scripts... this is a minor issue that i see. perhaps ${_name}_rdomain should list multiple values, like sshd_rdomain=0,1,2,3.

multiple rdomain instances might even have different daemon_flags. I think in addition to sshd_rdomain=0,1,2,3 the patch might handle ssh_rdomain_0_flags=-C /etc/ssh/sshd_0_config. I'm guessing it makes sense to add to sshd_flags= rather than over-write it, but that's splitting hairs.

I've been wondering about how to implement what you've done, and have ended up with 'route -T 3 exec /etc/rc.d/... -f' in /etc/rc.local. I like this direction.

For crazy stuff, use /etc/rc.local
[PATCH] rdomain support on rc.d
Hello all, I use rdomains to split routing domains per company and also separate administration interfaces from routing interfaces on my routers (sshd, bacula, postfix and puppetd running on a dedicated rdomain) Actually there is a problem with rdomains, we need to modify /etc/rc.d scripts to add rdomain execution environment to the specified service. If rc.subr have support to rdomains, we can let the rc.d scripts clean. To resolve those rdomain issues, I created a patch and I added a new variable we could use on rc.conf(.local), ${_name}_rdomain. (This variable needs a signed integer and use an existing rdomain, this is checked by rc.subr. I want to contribute to OpenBSD and I give you this patch. If you have any suggestions to improve it, tell me. --- /etc/rc.d/rc.subr.orig Thu Jul 10 17:34:18 2014 +++ /etc/rc.d/rc.subr Thu Jul 10 18:36:19 2014 @@ -54,7 +54,7 @@ } rc_start() { - ${rcexec} ${daemon} ${daemon_flags} ${_bg} + ${rcexec} ${_rdomain_cmd} ${daemon} ${daemon_flags} ${_bg} } rc_check() { @@ -105,7 +105,7 @@ } rc_cmd() { - local _bg _n + local _bg _n _rdomain_cmd [ $(id -u) -eq 0 ] || \ [ X${rc_usercheck} != XNO -a X$1 = Xcheck ] || \ @@ -134,6 +134,21 @@ rc_err $0: need -f to force $1 since ${_name}_flags=NO exit 1 fi + + printf '%d' ${daemon_rdomain} 1/dev/null 21 + if [ ! $? -eq 0 ] || [ ${daemon_rdomain} -lt 0 ]; then + rc_err $0: ${_name}_rdomain must be numeric and signed. Found ${_name}_rdomain=${daemon_rdomain} + exit 1 + fi + + /sbin/route -T${daemon_rdomain} exec printf '' 1/dev/null 21 + if [ ! $? -eq 0 ]; then + rc_err $0: rdomain ${daemon_rdomain} doesn't exists. + exit 1 + fi + + _rdomain_cmd=$(printf '/sbin/route -T%d exec' ${daemon_rdomain}) + [ -z ${INRC} ] rc_do rc_check exit 0 echo $_n ${INRC:+ }${_name} while true; do # no real loop, only needed to break 
@@ -203,22 +218,25 @@ eval _rcflags=\${${_name}_flags} eval _rcuser=\${${_name}_user} +eval _rcrdomain=\${${_name}_rdomain} getcap -f /etc/login.conf ${_name} 1/dev/null 21 \ daemon_class=${_name} [ -z ${daemon_class} ] daemon_class=daemon [ -z ${daemon_user} ] daemon_user=root +[ -z ${daemon_rdomain} ] daemon_rdomain=0 [ -n ${_RC_FORCE} ] [ X${_rcflags} = XNO ] unset _rcflags [ -n ${_rcflags} ] daemon_flags=${_rcflags} [ -n ${_rcuser} ] daemon_user=${_rcuser} +[ -n ${_rcrdomain} ] daemon_rdomain=${_rcrdomain} # sanitize daemon_flags=$(printf ' %s' ${daemon_flags}) daemon_flags=${daemon_flags## } readonly daemon_class -unset _rcflags _rcuser +unset _rcflags _rcuser _rcrdomain pexp=${daemon}${daemon_flags:+ ${daemon_flags}} rcexec=su -l -c ${daemon_class} -s /bin/sh ${daemon_user} -c -- Best regards, Loïc BLOT, UNIX systems, security and network engineer http://www.unix-experience.fr
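Review bot: in the rc_start() hunk `${_rdomain_cmd}` is spliced into the `${rcexec}` command line, which is `su -l -c ${daemon_class} -s /bin/sh ${daemon_user} -c`, so `/sbin/route -T<n> exec` runs as `${daemon_user}` after the `su`, while the existence probe added in rc_cmd() runs as the user invoking the script. The two can disagree: the probe passes as root and the real start still fails if route(8)'s rtable switch is refused for the daemon's user. Run the probe the same way (through `${rcexec}`) or document the requirement next to `${_name}_rdomain`. The variable is deliberately left unquoted because it expands to two words; a short comment saying so will stop the next reader from quoting it.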
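Review bot: the validation block in the rc_cmd() hunk runs for every action, including `check` and `stop`, and before the `[ -z ${INRC} ] rc_do rc_check exit 0` shortcut, so a bad `${_name}_rdomain` in rc.conf.local also prevents stopping or checking the daemon; restrict the two checks to start/restart, or skip them when `$1` is stop or check. Two wording points: the message `${_name}_rdomain must be numeric and signed` contradicts the test that rejects values `-lt 0` (say `a non-negative integer`), and `rdomain ... doesn't exists` should read `does not exist`. As Mike noted in the thread, `true` is the conventional no-op for the `route -T exec` probe, and `[ ! $? -eq 0 ]` reads more naturally as `[ $? -ne 0 ]`.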
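Review bot: the last hunk adds the rc.conf(8) variable `${_name}_rdomain`, its default `daemon_rdomain=0` and the `_rcrdomain` copy mirroring `_rcflags`/`_rcuser`, but no manual page is touched; rc.conf(8) and rc.subr(8) should document the new variable, its default and that it is validated at start. Also, `daemon_rdomain` is not made `readonly` like `daemon_class`, and `pexp=${daemon}${daemon_flags:+ ${daemon_flags}}` (the pattern used to match the running process) is unchanged, so two instances of the same daemon in different rdomains would be matched by the same pattern, which is the single-instance limitation Mike raised.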
Duplicate carp entries into routing table
Hi @tech,

this weekend I got a strange bug in CARP. I'm using CARP in a MASTER/BACKUP configuration on two routers. Last week I upgraded from 5.2 to 5.5 (amd64), and since then I have duplicated entries in my routing table (netstat -rnfinet):

25.14.43.252/30 link#53 UC 0 0 - 4 carp70
25.14.34.252/30 link#53 UC 0 0 - 4 carp70
25.14.34.252/30 link#53 UC 0 0 - 4 carp70
25.14.34.252/30 link#53 UC 0 0 - 4 carp70
25.14.34.252/30 link#53 UC 0 0 - 4 carp70
25.14.34.252/30 link#53 UC 0 0 - 4 carp70
25.14.34.252/30 link#53 UC 0 0 - 4 carp70
25.14.34.252/30 link#53 UC 0 0 - 4 carp70

It seems this appears after a flapping CARP event. On the 5.2 and 5.4 routers I have, I never saw this. I think this is a 5.5 bug. If you want more information, please tell me.

-- Best regards, Loïc BLOT, Engineering UNIX Systems, Security and Network Engineer http://www.unix-experience.fr
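A small check for the symptom reported above, added here as an example and not part of the original mail: it reads a `netstat -rnfinet` table and flags any route that appears more than once with the same destination, gateway and interface. The sample table is constructed to mirror the report; on a router the `printf` is replaced by `netstat -rnfinet`.

```shell
#!/bin/sh
# Added example, not from the original report: flag duplicate entries in
# "netstat -rnfinet" output, keyed on destination, gateway and interface.
# The sample table below is constructed to mirror the symptom described.

SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.0.2.1          UGS        0        0     -     8 vlan30
25.14.43.252/30    link#53            UC         0        0     -     4 carp70
25.14.34.252/30    link#53            UC         0        0     -     4 carp70
25.14.34.252/30    link#53            UC         0        0     -     4 carp70
25.14.34.252/30    link#53            UC         0        0     -     4 carp70'

# dup_routes: read a routing table on stdin and print one line per route that
# occurs more than once, as "<count> <destination> <gateway> <iface>".
# The "Routing tables"/"Internet:" banner has fewer than 8 fields and the
# header starts with "Destination", so both are skipped.
dup_routes() {
    awk '$1 != "Destination" && NF >= 8 {
             key = $1 " " $2 " " $NF
             n[key]++
         }
         END {
             for (k in n)
                 if (n[k] > 1)
                     print n[k], k
         }'
}

# dup_route_count: number of distinct duplicated routes (0 means clean).
dup_route_count() {
    dup_routes | wc -l | tr -d ' '
}

# Offline run on the constructed sample; on a live router replace the printf
# with "netstat -rnfinet".
printf '%s\n' "$SAMPLE_ROUTES" | dup_routes
```

Run periodically from cron, a non-zero `dup_route_count` is a cheap way to catch the table growing after a CARP flap before it affects forwarding.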
OpenBSD crash with pfsync
0x8b pause zsh
 16621 21100 21100 1000 3 0x90 select sshd
 21100 18827 21100 0 3 0x92 poll sshd
 281 1 281 0 3 0x83 ttyin zsh
 25447 25278 25278 85 3 0x90 kqread ospfd
 14051 25278 25278 85 3 0x90 kqread ospfd
 25278 1 25278 0 7 0x80 ospfd
 31710 1 31710 0 3 0x83 ttyin getty
 32470 1 32470 0 3 0xb0 select sendmail
 5615 1 1 0 3 0x82 ttyopn getty
 5443 1 5443 0 3 0x83 ttyin getty
 3505 1 3505 0 3 0x83 ttyin getty
 8557 1 8557 0 3 0x83 ttyin getty
 11958 1 11958 0 3 0x83 ttyin getty
 12563 1 12563 0 3 0x80 select cron
 7584 1 7584 0 3 0x80 mfsidl mount_mfs
 30985 1 30985 99 3 0x90 poll sndiod
 25451 9122 9122 90 3 0x90 kqread ospf6d
 25870 9122 9122 90 3 0x90 kqread ospf6d
 9122 1 9122 0 7 0x80 ospf6d
 31480 6321 6321 88 3 0x90 kqread ripd
 7155 6321 6321 88 3 0x90 kqread ripd
 6321 1 6321 0 7 0x80 ripd
 18827 1 18827 0 3 0x80 select sshd
 14598 20357 24225 83 3 0x90 poll ntpd
 20357 24225 24225 83 3 0x90 poll ntpd
 24225 1 24225 0 3 0x80 poll ntpd
 28067 17824 17824 74 3 0x90 bpf pflogd
 17824 1 17824 0 3 0x80 netio pflogd
 13798 1 13798 0 3 0x80 mfsidl mount_mfs
 29320 1 29320 0 3 0x80 mfsidl mount_mfs
 295 0 0 0 3 0x4200 aiodoned aiodoned
 30848 0 0 0 3 0x4200 syncer update
 23216 0 0 0 3 0x4200 cleaner cleaner
 9081 0 0 0 3 0x4200 reaper reaper
 21355 0 0 0 3 0x4200 pgdaemon pagedaemon
 10205 0 0 0 3 0x4200 bored crypto
 11685 0 0 0 3 0x4200 pftm pfpurge
 25229 0 0 0 3 0x4200 usbtsk usbtask
 6979 0 0 0 3 0x4200 usbatsk usbatsk
 25806 0 0 0 3 0x40004200 acpi0 acpi0
 20220 0 0 0 3 0x40004200 idle3
 9849 0 0 0 3 0x40004200 idle2
 31839 0 0 0 3 0x40004200 idle1
 27699 0 0 0 3 0x4200 bored sensors
 6102 0 0 0 3 0x4200 bored systq
 23721 0 0 0 3 0x4200 bored syswq
 1853 0 0 0 3 0x40004200 idle0
 1 0 1 0 3 0x82 wait init
 0 -1 0 0 3 0x200 scheduler swapper

ddb{1} show panic
the kernel did not panic

ddb{1} show registers
ds 0x23
es 0x23
fs 0x23
gs 0x23
rdi 0xe0
rsi 0x80943558
rbp 0x80002220db40
rbx 0x80002220da20
rdx 0
rcx 0xdeadbeefdeadbeef
rax 0
r8 0x80943558
r9 0
r10 0
r11 0xfe80bec840a4
r12 0x78
r13 0xfe80bec84078
r14 0x80901800
r15 0x80002220da10
rip 0x8124d659 ip_output+0xdd9
cs 0x8
rflags 0x10282 mp_pdirpa+0x19b
rsp 0x80002220d960
ss 0x10
ip_output+0xdd9: movq 0(%rcx),%rax

-- Best regards, Loïc BLOT, Engineering UNIX Systems, Security and Network Engineer http://www.unix-experience.fr
Re: OpenBSD crash with pfsync
Hi Martin,

I'm using IPv6, but not on the syncdev interface; it is on all my other interfaces (CARP, OSPF). Here is the syncdev config:

inet 10.XX.XX.2 255.255.255.224 NONE vlan 30 vlandev trunk1

and the pfsync config:

up defer syncdev vlan30

To be precise about how the bug happens: I had removed some other interfaces before restarting it (the vlan57 and carp57 interfaces, children of trunk1), and also reloaded (without removing) the trunk1 interface. Before doing the ifconfig pfsync0 up, I also saw that pfsync0 was down and had no syncdev (strange, because the interface hadn't been modified since boot).

-- Best regards, Loïc BLOT, Engineering UNIX Systems, Security and Network Engineer http://www.unix-experience.fr

On Thursday 22 May 2014 at 12:49 +0200, Martin Pieuchot wrote:

Hello Loïc,

On 22/05/14(Thu) 11:11, Loïc Blot wrote:
Hi, today I upgraded my primary router from OpenBSD 5.4 to OpenBSD 5.5 (I followed the process described here: http://www.openbsd.org/faq/upgrade55.html, and this is my 5th upgrade from 5.4 to 5.5 since the release). After rebooting and doing the sysmerge without network copper cables, I rebooted and set my carp and pfsync interfaces to down before plugging in the cables. At this time, the router was in CARP INIT mode, no problem. Note: all the traffic was redirected to my second OpenBSD router (which was upgraded at release time) 3 days ago; this router hasn't any problem and has exactly the same hardware and software configuration (except some IPs). After finishing the upgrade process, I incremented the carpdemote counter to force CARP into BACKUP mode and then set all my carp interfaces to up. Then the interfaces were in BACKUP mode. No problem since then, all was right, all services worked fine, etc. The last step I did was ifconfig pfsync0 up, and then OpenBSD crashed.

Thanks for the report. How is your pfsync0 interface configured? Same thing for its syncdev interface.

ddb{1} trace
ip_output() at ip_output+0xdd9

This is a use after free in IFP_TO_IA(): somehow one of the ifa pointers on the list of your syncdev is now pointing to memory that has been freed:

rcx 0xdeadbeefdeadbeef

This should be pointing to `ifa_addr`, which makes me believe that you are hitting a reference counting bug, because it should not be possible to free an ifa which is still on the list of an ifp. Can you easily reproduce this bug? Do you use IPv6? If yes, does setting -inet6 on the syncdev interface help?

Martin
tmpfs vs mfs
Hi @tech,

I've migrated one of our squid servers to OpenBSD 5.5 and tested tmpfs. It works like a charm, great work, but I noticed that mfs is faster than tmpfs. My benchmarks (with dd) show that tmpfs is slower than mfs (/tmp: tmpfs | /var/squid/cache: mfs). I've done many dd runs to test it, and I always get the same results.

Writing performance:

dd if=/dev/zero of=/tmp/test.img bs=1024 count=100
100+0 records in
100+0 records out
102400 bytes transferred in 8.706 secs (117614588 bytes/sec)

dd if=/dev/zero of=/var/squid/cache/test.img bs=1024 count=100
100+0 records in
100+0 records out
102400 bytes transferred in 3.044 secs (336379694 bytes/sec)

Reading performance:

dd if=/var/squid/cache/test.img of=/dev/null bs=1000
1024000+0 records in
1024000+0 records out
102400 bytes transferred in 2.767 secs (370015585 bytes/sec)

dd if=/tmp/test.img of=/dev/null bs=1000
1024000+0 records in
1024000+0 records out
102400 bytes transferred in 3.553 secs (288178274 bytes/sec)

Then, what is the goal of tmpfs? To replace mfs? To create a tmpfs structure for some special dirs (like /dev, /tmp, /var/run...)? If yes, will this new tmpfs structure in fstab be used in -current and the next release?

Thanks in advance

-- Best regards, Loïc BLOT, Engineering UNIX Systems, Security and Network Engineer http://www.unix-experience.fr
Packet Filter nat-to issue
Hello,

I encountered a strange problem today with PF. I don't know if this is normal, but the result is illogical. I have this rule:

pass out quick proto tcp from all_clients_v4 to port { smtp smtps 587 imap imaps pop3 pop3s } nat-to $natto_iface

The tables contain IPv4 addresses only. After applying this rule (I added IPv6 support yesterday), those protocols weren't NATed by PF. By investigating, I found this:

pfctl -sr | grep nat-to
pass out quick inet6 proto tcp from all_clients_v4 to any port = 465 flags S/SA nat-to __automatic_d309aaac_0 round-robin

Then I looked at __automatic_d309aaac_0, because inet6 was strange!

pfctl -t __automatic_d309aaac_1 -T show
2001:660:3bbb:::2
fe80::92b1:1cad:fe18:ea18

To resolve this problem I added the inet keyword to my rule. Is this normal? Maybe a fix is required in the pf parser?

Have a nice day

-- Best regards, Loïc BLOT, Engineering UNIX Systems, Security and Network Engineer http://www.unix-experience.fr
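The situation above (an interface name in `nat-to` expanded into an automatic table that carries a link-local IPv6 address, and the rule silently becoming `inet6`) is easy to audit from `pfctl -sr`. The script below is an added example, not part of the original mail: it reports, for every `nat-to` rule, the address family pf settled on and whether the translation table holds an fe80::/10 address. The rule lines and the table contents are constructed (documentation addresses are used); the angle brackets around table names are assumed to be present as pfctl prints them.

```shell
#!/bin/sh
# Added example, not from the original post: audit "nat-to" rules as printed
# by "pfctl -sr". For each rule it reports the address family pf settled on
# (inet, inet6, or "any" when neither keyword is present), the translation
# table, and whether that table holds a link-local IPv6 address. A nat-to
# target that expands to fe80::/10 almost always means an interface name was
# expanded to a family the author did not intend. All inputs are constructed;
# the angle brackets around table names are how pfctl prints them.

SAMPLE_RULES='pass out quick inet6 proto tcp from <all_clients_v4> to any port = 465 flags S/SA nat-to <__automatic_d309aaac_0> round-robin
pass out quick inet proto tcp from <all_clients_v4> to any port = 25 flags S/SA nat-to <__automatic_d309aaac_1> round-robin
pass in quick inet proto tcp from any to any port = 22 flags S/SA'

# Stand-in for "pfctl -t <table> -T show", one "<table> <address>" per line.
SAMPLE_TABLES='__automatic_d309aaac_0 2001:db8:3bbb::2
__automatic_d309aaac_0 fe80::92b1:1cad:fe18:ea18
__automatic_d309aaac_1 192.0.2.10'

# audit_natto TABLEFILE: rules on stdin; prints "<af> <table> ok|link-local"
# per nat-to rule and exits 1 when any rule translates to a link-local address.
audit_natto() {
    awk -v tables="$1" '
        BEGIN {
            while ((getline line < tables) > 0) {
                split(line, f, " ")
                # fe80::/10 covers the hextets fe80 through febf
                if (tolower(f[2]) ~ /^fe[89ab][0-9a-f]:/)
                    linklocal[f[1]] = 1
            }
            bad = 0
        }
        /nat-to/ {
            af = "any"; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "inet" || $i == "inet6")
                    af = $i
                if ($i == "nat-to") {
                    target = $(i + 1)
                    gsub(/[<>]/, "", target)
                }
            }
            verdict = (target in linklocal) ? "link-local" : "ok"
            if (verdict == "link-local")
                bad++
            print af, target, verdict
        }
        END { exit (bad > 0) }'
}

# Stand-alone demonstration on the constructed data; on a router, feed
# "pfctl -sr" and a file built from "pfctl -t <table> -T show" instead.
tables_file=$(mktemp)
printf '%s\n' "$SAMPLE_TABLES" > "$tables_file"
printf '%s\n' "$SAMPLE_RULES" | audit_natto "$tables_file" \
    || echo "warning: a nat-to rule translates to a link-local address"
rm -f "$tables_file"
```

The rule that was fixed by adding `inet` shows up as `inet6 ... link-local`; after the fix the same rule reports `inet ... ok`, so the audit doubles as a regression check for the ruleset.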
Re: bgpd: fib-priority
Hi Florian, good job. I think it's better to set the minimum to RTP_CONNECTED+1 instead of RTP_NONE+1.

-- Best regards, Loïc BLOT, UNIX systems, security and network engineer http://www.unix-experience.fr

On Saturday 09 November 2013 at 21:04 +, Florian Obser wrote:

now with reload working; check RTP_NONE fib-priority = RTP_MAX test reports / comments / OKs?

diff --git bgpd.c bgpd.c index 9c48bb3..8ad95fe 100644 --- bgpd.c +++ bgpd.c @@ -43,7 +43,7 @@ int check_child(pid_t, const char *); int send_filterset(struct imsgbuf *, struct filter_set_head *); int reconfigure(char *, struct bgpd_config *, struct mrt_head *, struct peer **); -int dispatch_imsg(struct imsgbuf *, int); +int dispatch_imsg(struct imsgbuf *, int, struct bgpd_config *); int control_setup(struct bgpd_config *); int rfd = -1; @@ -276,12 +276,14 @@ main(int argc, char *argv[]) } if (nfds 0 pfd[PFD_PIPE_SESSION].revents POLLIN) { - if (dispatch_imsg(ibuf_se, PFD_PIPE_SESSION) == -1) + if (dispatch_imsg(ibuf_se, PFD_PIPE_SESSION, conf) == + -1) quit = 1; } if (nfds 0 pfd[PFD_PIPE_ROUTE].revents POLLIN) { - if (dispatch_imsg(ibuf_rde, PFD_PIPE_ROUTE) == -1) + if (dispatch_imsg(ibuf_rde, PFD_PIPE_ROUTE, conf) == + -1) quit = 1; } @@ -359,7 +361,7 @@ main(int argc, char *argv[]) control_cleanup(conf.csock); control_cleanup(conf.rcsock); carp_demote_shutdown(); - kr_shutdown(); + kr_shutdown(conf.fib_priority); pftable_clear_all(); free(conf.listen_addrs); @@ -468,7 +470,7 @@ reconfigure(char *conffile, struct bgpd_config *conf, struct mrt_head *mrt_l, while ((rr = SIMPLEQ_FIRST(ribnames))) { SIMPLEQ_REMOVE_HEAD(ribnames, entry); if (ktable_update(rr-rtableid, rr-name, NULL, - rr-flags) == -1) { + rr-flags, conf-fib_priority) == -1) { log_warnx(failed to load rdomain %d, rr-rtableid); return (-1); 
@@ -505,7 +507,7 @@ reconfigure(char *conffile, struct bgpd_config *conf, struct mrt_head *mrt_l, while ((rd = SIMPLEQ_FIRST(rdom_l)) != NULL) { SIMPLEQ_REMOVE_HEAD(rdom_l, entry); if (ktable_update(rd-rtableid, rd-descr, rd-ifmpe, - rd-flags) == -1) { + rd-flags, conf-fib_priority) == -1) { log_warnx(failed to load rdomain %d, rd-rtableid); return (-1); @@ -551,7 +553,7 @@ reconfigure(char *conffile, struct bgpd_config *conf, struct mrt_head *mrt_l, } int -dispatch_imsg(struct imsgbuf *ibuf, int idx) +dispatch_imsg(struct imsgbuf *ibuf, int idx, struct bgpd_config *conf) { struct imsg imsg; ssize_t n; @@ -580,7 +582,8 @@ dispatch_imsg(struct imsgbuf *ibuf, int idx) else if (imsg.hdr.len != IMSG_HEADER_SIZE + sizeof(struct kroute_full)) log_warnx(wrong imsg len); - else if (kr_change(imsg.hdr.peerid, imsg.data)) + else if (kr_change(imsg.hdr.peerid, imsg.data, + conf-fib_priority)) rv = -1; break; case IMSG_KROUTE_DELETE: @@ -589,7 +592,8 @@ dispatch_imsg(struct imsgbuf *ibuf, int idx) else if (imsg.hdr.len != IMSG_HEADER_SIZE + sizeof(struct kroute_full)) log_warnx(wrong imsg len); - else if (kr_delete(imsg.hdr.peerid, imsg.data)) + else if (kr_delete(imsg.hdr.peerid, imsg.data, + conf-fib_priority)) rv = -1; break; case IMSG_NEXTHOP_ADD: @@ -652,13 +656,15 @@ dispatch_imsg(struct imsgbuf *ibuf, int idx) if (idx != PFD_PIPE_SESSION) log_warnx(couple request not from SE); else - kr_fib_couple(imsg.hdr.peerid); + kr_fib_couple(imsg.hdr.peerid, + conf-fib_priority); break; case IMSG_CTL_FIB_DECOUPLE: if (idx != PFD_PIPE_SESSION) log_warnx(decouple request not from SE); else - kr_fib_decouple(imsg.hdr.peerid
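Review bot: the `dispatch_imsg()` change threads the whole `struct bgpd_config *` through only to reach `conf->fib_priority`, and both call sites in main() had to push `-1` onto a continuation line to stay within 80 columns; passing the priority value itself (as `kr_shutdown(conf.fib_priority)` already does) keeps the signature narrower and leaves the dispatcher read-only with respect to the config. If the pointer stays, the prototype near the top of bgpd.c and the definition do agree.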
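Review bot: in the two reconfigure() hunks `ktable_update()` now receives `conf->fib_priority` for every rdomain on each reload, but nothing visible here removes routes that were installed under the previous priority, so a reload that changes `fib-priority` would leave both sets in the kernel unless the kroute side decouples the old value first; please confirm that path, which is outside this excerpt. On the range check mentioned in the mail (RTP_NONE up to RTP_MAX): the reply's suggestion of RTP_CONNECTED+1 as the minimum keeps bgpd routes from outranking interface routes and is worth adopting.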
ospfd: fib-priority
Hi all, sorry for to be late, but here is my ospfd patch for setting custom routing priorities on ospfd (based on 5.4 sources) My parse.y is more precise than Florian's, it allows priorities greater than static routes (RTP_STATIC) and lower than RTP_MAX (63). Also, when /etc/rc.d/ospfd reload is launched, fib is decouples, priority changed and fib recoupled. It works nearly perfect. The only missing point is that ospfctl sh fib shows both fib with old and new prio (but real routing table only has new fib priority). --- ../OpenBSD54/usr.sbin/ospfd/kroute.c2013-07-07 18:26:04.0 +0200 +++ ospfd/kroute.c 2013-11-07 17:26:58.395763302 +0100 @@ -254,7 +254,7 @@ kn-r.prefixlen = kroute[i].prefixlen; kn-r.nexthop.s_addr = kroute[i].nexthop.s_addr; kn-r.flags = kroute[i].flags | F_OSPFD_INSERTED; - kn-r.priority = RTP_OSPF; + kn-r.priority = get_conf()-fib_priority; kn-r.ext_tag = kroute[i].ext_tag; rtlabel_unref(kn-r.rtlabel); /* for RTM_CHANGE */ kn-r.rtlabel = kroute[i].rtlabel; @@ -278,7 +278,7 @@ kroute-rtlabel = rtlabel_tag2id(kroute-ext_tag); - kr = kroute_find(kroute-prefix.s_addr, kroute-prefixlen, RTP_OSPF); + kr = kroute_find(kroute-prefix.s_addr, kroute-prefixlen, get_conf()-fib_priority); if (kr != NULL kr-next == NULL krcount == 1) /* single path OSPF route */ action = RTM_CHANGE; @@ -289,7 +289,7 @@ int kr_delete_fib(struct kroute_node *kr) { - if (kr-r.priority != RTP_OSPF) + if (kr-r.priority != get_conf()-fib_priority) log_warn(kr_delete_fib: %s/%d has wrong priority %d, inet_ntoa(kr-r.prefix), kr-r.prefixlen, kr-r.priority); @@ -308,7 +308,7 @@ struct kroute_node *kr, *nkr; if ((kr = kroute_find(kroute-prefix.s_addr, kroute-prefixlen, - RTP_OSPF)) == NULL) + get_conf()-fib_priority)) == NULL) return (0); while (kr != NULL) { 
@@ -340,7 +340,7 @@ kr_state.fib_sync = 1; RB_FOREACH(kr, kroute_tree, krt) - if (kr-r.priority == RTP_OSPF) + if (kr-r.priority == get_conf()-fib_priority) for (kn = kr; kn != NULL; kn = kn-next) send_rtmsg(kr_state.fd, RTM_ADD, kn-r); @@ -357,7 +357,7 @@ return; RB_FOREACH(kr, kroute_tree, krt) - if (kr-r.priority == RTP_OSPF) + if (kr-r.priority == get_conf()-fib_priority) for (kn = kr; kn != NULL; kn = kn-next) send_rtmsg(kr_state.fd, RTM_DELETE, kn-r); @@ -410,7 +410,7 @@ kn = kr-next; if (kr-serial != kr_state.fib_serial) { - if (kr-r.priority == RTP_OSPF) { + if (kr-r.priority == get_conf()-fib_priority) { kr-serial = kr_state.fib_serial; if (send_rtmsg(kr_state.fd, RTM_ADD, kr-r) != 0) @@ -1142,7 +1142,7 @@ bzero(hdr, sizeof(hdr)); hdr.rtm_version = RTM_VERSION; hdr.rtm_type = action; - hdr.rtm_priority = RTP_OSPF; + hdr.rtm_priority = get_conf()-fib_priority; hdr.rtm_tableid = kr_state.rdomain; /* rtableid */ if (action == RTM_CHANGE) hdr.rtm_fmask = RTF_REJECT|RTF_BLACKHOLE; @@ -1373,7 +1373,7 @@ if (rtm-rtm_flags RTF_MPATH) mpath = 1; prio = rtm-rtm_priority; - flags = (prio == RTP_OSPF) ? + flags = (prio == get_conf()-fib_priority) ? F_OSPFD_INSERTED : F_KERNEL; switch (sa-sa_family) { @@ -1432,7 +1432,7 @@ != NULL) { /* get the correct route */ kr = okr; - if ((mpath || prio == RTP_OSPF) + if ((mpath || prio == get_conf()-fib_priority) (kr = kroute_matchgw(okr, nexthop)) == NULL) { log_warnx(dispatch_rtmsg @@ -1481,7 +1481,7 @@ kr-r.ifindex = ifindex; kr-r.priority = prio; - if (rtm-rtm_priority == RTP_OSPF) { + if (rtm-rtm_priority == get_conf()-fib_priority) { log_warnx(alien OSPF route %s/%d, inet_ntoa(prefix), prefixlen); rv =
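Review bot: every test that compared against the compile-time `RTP_OSPF` now re-reads `get_conf()->fib_priority` at call time, including the `RB_FOREACH` loops in the fib couple/decouple and sync hunks, so after a reload that changes the priority, decouple looks for routes at the new value and never deletes the ones installed at the old one; that is exactly the symptom described above (ospfctl showing both priorities). Routes already carry `kr->r.priority` and ownership is marked with `F_OSPFD_INSERTED`, so decouple and delete by that flag, or snapshot the previous priority before the new config is applied and decouple with it.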
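Review bot: in the RTM_CHANGE hunk the line `kr = kroute_find(kroute->prefix.s_addr, kroute->prefixlen, get_conf()->fib_priority);` exceeds 80 columns; wrap it like the later `kroute_find(` call. In dispatch_rtmsg(), the `F_OSPFD_INSERTED`/`F_KERNEL` classification and the `alien OSPF route` warning now key on the configured value, so a priority that collides with another daemon's default would make ospfd treat that daemon's routes as its own; since parse.y accepts anything between RTP_STATIC and RTP_MAX, it should at least reject the other daemons' well-known values. A cached copy of the priority in `kr_state` would also avoid calling get_conf() inside these loops.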
Re : Re: Improve routing functions
Hello,

that's powerful, but my improvement isn't for this use. It's only an improvement to route packets correctly, not to distribute load. I'll give you a concrete example this evening.

Loïc Blot, UNIX Systems, Security and Network Engineer
http://www.unix-experience.fr

Stuart Henderson st...@openbsd.org wrote:

On 2013/11/01 19:57, sven falempin wrote:
FreeBSD proposes to have a specific routing table for a process, which is even more powerful. When the router has multiple gateways, I guess when a source address is chosen the route should be chosen given that. Nothing more. What use of this improvement do you imagine? Of course you may want this traffic over this network (low latency) and the other one on another (high bandwidth), but you may use pf for this, or specific routes for the services. Writing about this makes me think you want a route that selects on the PORT instead of the IP. Is this madness???

This is also known as policy based routing. I've been doing this with route-to in PF for ages, or alternatively you can use multiple route tables and rtable in PF to push certain traffic to a certain table (either based on port number, or source address, or UID if it's a connection from the local machine, etc).
Re: Re : Re: Improve routing functions
Hi,

then, to explain my draft, here is my own configuration, and why it could be useful to set custom priorities:

OSPF Scheme: | - RT1 - | | - RT3 WAN | | OSPF AREA | | - RT2 - | | - RT4
RIP Scheme: | - RT1 - | WAN | | RIP AREA | - CISCO 45XX | - RT2 - |
BGP Scheme: | - RT1 WAN | | - RT2

A first problem is that my BGP default route, which was redistributed over OSPF, causes a routing loop between RT1 and RT2 for outgoing packets (to the WAN), because OSPF has priority over BGP. A second problem: routes obtained by RIP and redistributed over OSPF (by a custom patch which adds redistribution of RIP routes to ospfd) have the same problem, because OSPF has priority over RIP (I need to redistribute those RIP routes because the routes are distributed to remote networks over a GRE+IPsec link). Without the possibility to change the priorities (and dynamically is better than recompiling the kernel and changing constant values; it would be a great function for everybody who wants it), it's impossible to solve this routing loop (I have patched ospfd to refuse adding some specific routes from specific hosts, but it's not a proper solution, although it worked...).

-- Best regards, Loïc BLOT, UNIX systems, security and network engineer http://www.unix-experience.fr

On Sunday 03 November 2013 at 18:01 +0100, Loïc Blot wrote:

Hello, that's powerful, but my improvement isn't for this use. It's only an improvement to route packets correctly, not to distribute load. I'll give you a concrete example this evening.

Loïc Blot, UNIX Systems, Security and Network Engineer
http://www.unix-experience.fr

Stuart Henderson st...@openbsd.org wrote:

On 2013/11/01 19:57, sven falempin wrote:
FreeBSD proposes to have a specific routing table for a process, which is even more powerful. When the router has multiple gateways, I guess when a source address is chosen the route should be chosen given that. Nothing more. What use of this improvement do you imagine? Of course you may want this traffic over this network (low latency) and the other one on another (high bandwidth), but you may use pf for this, or specific routes for the services. Writing about this makes me think you want a route that selects on the PORT instead of the IP. Is this madness???

This is also known as policy based routing. I've been doing this with route-to in PF for ages, or alternatively you can use multiple route tables and rtable in PF to push certain traffic to a certain table (either based on port number, or source address, or UID if it's a connection from the local machine, etc).
Re : Re: Improve routing functions
Can you explain to me what the problem with my configuration is? I don't see what the problem is.

Loïc Blot, UNIX Systems, Security and Network Engineer
http://www.unix-experience.fr

Chris Cappuccio ch...@nmedia.net wrote:

Loïc BLOT [loic.b...@unix-experience.fr] wrote:
Hello sven, it's not a routing table problem, it's only a modification of route priorities; it's not the same thing.

The two of you are solving totally different problems.

Here is my example at work: I have BGP on the WAN, OSPF for my LAN (+ over GRE tunnels) and RIP to my CISCO Catalyst 45XX. The problem is simple. I have two routers in this configuration. OSPF has priority over RIP. Routes obtained by RIP are redistributed into OSPF (because my remote sites must know them). But OSPF has priority over RIP, and then the two border routers want to go through each other instead of using the RIP route. I have the same problem with BGP: the default route has higher priority in OSPF than in BGP. Then BGP must have priority over OSPF so as not to loop the default route between the two routers.

You don't need a new knob in the system to fix this. You need to fix your configuration.
Improve routing functions
Hello @tech,

Congratulations on the 5.4 release. I want to explain a draft to improve routing administration a little on OpenBSD, maybe for 5.5. There is a gap in the routing daemons: the possibility to change routing priorities for some protocols. At this time the routing priority is a dedicated constant in the kernel. In some cases it's useful to change the routing priority of a protocol to make it take precedence over another. To resolve this, two ways are possible:

1. Each routing daemon manages its own priority itself, instead of using kernel priorities, and limits the minimum and maximum value. When we change the priority (for example bgpctl routing priority 10) all priorities. This is easy, but a problem appears: the priority can be the same as another running daemon's (ospfd for example). How can we know the other routing priorities?

2. We need to change the meaning of the routing priority value in the messages to another thing: a routing type. Then when a daemon registers a route, it registers the route for its type (BGP/OSPF/RIP/MPLS) and the kernel applies a variable value. This value could be modified by sysctl (example: sysctl -w net.routing.ospf_priority=10). When we change the priority for a protocol, the kernel will search all routes matching the protocol and apply the priority. Priority conflicts must be detected by the kernel.

Do you know if it's possible? Is this interesting for future OpenBSD? If the OpenBSD team is interested I can start a patch in the next weeks.

Thanks for reading

-- Best regards, Loïc BLOT, UNIX systems, security and network engineer http://www.unix-experience.fr
Re: Improve routing functions
Hello sven,

it's not a routing table problem, it's only a modification of route priorities; it's not the same thing. Here is my example at work: I have BGP on the WAN, OSPF for my LAN (+ over GRE tunnels) and RIP to my CISCO Catalyst 45XX. The problem is simple. I have two routers in this configuration. OSPF has priority over RIP. Routes obtained by RIP are redistributed into OSPF (because my remote sites must know them). But OSPF has priority over RIP, and then the two border routers want to go through each other instead of using the RIP route. I have the same problem with BGP: the default route has higher priority in OSPF than in BGP. Then BGP must have priority over OSPF so as not to loop the default route between the two routers.

-- Best regards, Loïc BLOT, UNIX systems, security and network engineer http://www.unix-experience.fr

On Friday 01 November 2013 at 19:57 -0400, sven falempin wrote:

FreeBSD proposes to have a specific routing table for a process, which is even more powerful. When the router has multiple gateways, I guess when a source address is chosen the route should be chosen given that. Nothing more. What use of this improvement do you imagine? Of course you may want this traffic over this network (low latency) and the other one on another (high bandwidth), but you may use pf for this, or specific routes for the services. Writing about this makes me think you want a route that selects on the PORT instead of the IP. Is this madness???

route add smtp 1.2.3.4

On Fri, Nov 1, 2013 at 7:46 PM, Loïc BLOT loic.b...@unix-experience.fr wrote:

Hello @tech,

Congratulations on the 5.4 release. I want to explain a draft to improve routing administration a little on OpenBSD, maybe for 5.5. There is a gap in the routing daemons: the possibility to change routing priorities for some protocols. At this time the routing priority is a dedicated constant in the kernel. In some cases it's useful to change the routing priority of a protocol to make it take precedence over another. To resolve this, two ways are possible:

1. Each routing daemon manages its own priority itself, instead of using kernel priorities, and limits the minimum and maximum value. When we change the priority (for example bgpctl routing priority 10) all priorities. This is easy, but a problem appears: the priority can be the same as another running daemon's (ospfd for example). How can we know the other routing priorities?

2. We need to change the meaning of the routing priority value in the messages to another thing: a routing type. Then when a daemon registers a route, it registers the route for its type (BGP/OSPF/RIP/MPLS) and the kernel applies a variable value. This value could be modified by sysctl (example: sysctl -w net.routing.ospf_priority=10). When we change the priority for a protocol, the kernel will search all routes matching the protocol and apply the priority. Priority conflicts must be detected by the kernel.

Do you know if it's possible? Is this interesting for future OpenBSD? If the OpenBSD team is interested I can start a patch in the next weeks.

Thanks for reading

-- Best regards, Loïc BLOT, UNIX systems, security and network engineer http://www.unix-experience.fr
Working on PXE automated installation
Hello @tech,

I want to share my work with you to make OpenBSD automated installation possible. My approach is to load a configuration file based on DHCP option 225 (thanks to Nick's work). If this file is present and available (HTTP, FTP and TFTP are currently supported), the parser loads variables into the installation environment (pxe_*). If an error occurs at this time, the installer goes back to normal mode.

The configuration file defines variables with this pattern:

define_aiv pxe_myvar=value

or (for multiple values):

define_aiv pxe_mymultivar=value1 value2

(AIV is for automated installation value.)

Then the installation process begins. To answer all questions I have added an extra argument to the (_)ask*() functions, which is the automated variable. It's the better approach for minimal changes. At this time I don't answer all questions, but all classic questions for an automated install over Ethernet are answered. (For example, I didn't add answers to the WiFi or VLAN questions, but this is possible by adding a variable name!)

Unlike Nick's work, I don't patch the kernel itself, because the netboot interface is tagged and I can get it with a regexp. The only thing missing to get a choice between a PXE automated install and a PXE manual install is, maybe, a boot.conf variable to set installation in automatic mode. In my case the automated install is forced by launching install pxe in the dot.profile.

You'll find my patch here (based on 5.3):
http://www.unix-experience.fr/wp-content/uploads/2013/08/OpenBSD-PXE-automatedinstall-0826131920GMT.diff

A working configuration:
http://www.unix-experience.fr/wp-content/uploads/2013/08/OpenBSD-PXE-autoinstall.conf

And here is the PoC via a YouTube video (5min30, sorry, my Internet connection is slow):
https://www.youtube.com/watch?v=rdcdcHhWtVQ

Comments and review are welcome!

-- Best regards, Loïc BLOT, UNIX systems, security and network expert http://www.unix-experience.fr