Re: disklabel/newfs problem?

2007-08-07 Thread Otto Moerbeek
On Mon, 6 Aug 2007, btmarshall wrote:

 Thank you, that has solved the problem.
 I didn't notice anything in the man page for newfs or the platform notes for
 sparc64. Did I miss this in the documentation somewhere?
 Thanks again!

this is an MI issue, and not documented afaik. I've always learned the
rule that block devices should be used only for mounting, and nothing
else, but that does not seem to be documented as well, except for
st(4). 

The warning printed by newfs itself is not enough. I'm thinking about
either making the warning an error or automatically using the raw
device, like fsck does. 

-Otto

 
 
 Otto Moerbeek wrote:
  
  On Mon, 6 Aug 2007, btmarshall wrote:
  
  When I create a disklabel and newfs the filesystem more than a few gigs
  on
  either one of my Ultra1 sparc64 boxes, I can't mount them (mount_ffs:
  invalid parameter) until I run an fsck and fix the superblock.
  Here's an example:
  
  # disklabel -E sd0
  This platform requires that partition offsets/sizes be on cylinder
  boundaries.
  Partition offsets/sizes will be rounded to the nearest cylinder
  automatically.
  
  Initial label editor (enter '?' for help at any prompt)
   p
  device: /dev/rsd0c
  type: SCSI
  disk: SCSI disk
  label: ATLAS V 18 SCA
  bytes/sector: 512
  sectors/track: 425
  tracks/cylinder: 4
  sectors/cylinder: 1700
  cylinders: 20907
  total sectors: 35566499
  free sectors: 35566499
  rpm: 7200
  
  3 partitions:
  #         size   offset  fstype [fsize bsize  cpg]
  c:    35566499        0  unused      0     0       # Cyl 0 - 20921*
   a
  partition: [a]
  offset: [0]
  size: [35566499] 
  Rounding to nearest cylinder: 3600
  FS type: [4.2BSD]
   a
  partition: [b]
  offset: [3600]
  size: [2232899]
  Rounding to nearest cylinder: 2232100
  FS type: [swap]
   w
   q
  No label changes.
  # newfs /dev/sd0a
  newfs: /dev/sd0a: not a character-special device
  
  This is your problem. Always create filesystems on the raw partitions
  (/dev/rsd0a in this case). I can reproduce your problem here, and it
  disappears if I use the correct device. 
  
  -Otto
  
  Warning: cylinder groups must have a multiple of 16 cylinders
  /dev/sd0a:  3600 sectors in 39216 cylinders of 2 tracks, 425
  sectors
  16276.2MB in 107 cyl groups (368 c/g, 152.73MB/g, 19584 i/g)
  super-block backups (for fsck -b #) at:
   32, 313280, 625632, 938880, 1251232, 1564480, 1876832, 2190080, 2502432,
  2815680, 3128032, 3441280, 3753632, 4066880,
   4379232, 4692480, 5004832, 5318080, 5630432, 5943680, 6256032, 6569280,
  6881632, 7194880, 7507232, 7820480, 8132832,
   8446080, 8758432, 9071680, 9384032, 9697280, 10009632, 10322880,
  10635232,
  10948480, 11260832, 11574080, 11886432, 12199680,
   12512032, 12825280, 13137632, 13450880, 13763232, 14076480, 14388832,
  14702080, 15014432, 15327680, 15640032, 15953280,
   16265632, 16578880, 16891232, 17204480, 17516832, 17830080, 18142432,
  18455680, 18768032, 19081280, 19393632, 19706880,
   20019232, 20332480, 20644832, 20958080, 21270432, 21583680, 21896032,
  22209280, 22521632, 22834880, 23147232, 23460480,
   23772832, 24086080, 24398432, 24711680, 25024032, 25337280, 25649632,
  25962880, 26275232, 26588480, 26900832, 27214080,
   27526432, 27839680, 28152032, 28465280, 28777632, 29090880, 29403232,
  29716480, 30028832, 30342080, 30654432, 30967680,
   31280032, 31593280, 31905632, 32218880, 32531232, 32844480, 33156832,
  # fsck /dev/sd0a
  ** /dev/rsd0a
  BAD SUPER BLOCK: MAGIC NUMBER WRONG
  
  LOOK FOR ALTERNATE SUPERBLOCKS? [Fyn?] y
  
  USING ALTERNATE SUPERBLOCK AT 32
  ** File system is already clean
  ** Last Mounted on
  ** Phase 1 - Check Blocks and Sizes
  ** Phase 2 - Check Pathnames
  ** Phase 3 - Check Connectivity
  ** Phase 4 - Check Reference Counts
  ** Phase 5 - Check Cyl groups
  1 files, 1 used, 8200710 free (14 frags, 1025087 blocks, 0.0%
  fragmentation)
  
  UPDATE STANDARD SUPERBLOCK? [Fyn?] y
  
  
  * FILE SYSTEM WAS MODIFIED *
  #
  
  I've run this on a vanilla 4.1 install, as well as a stable
  kernel/userland
  upgraded as of last night.
  
  Any clues?
  
  
  
 



Re: Lenovo 8744-J2U - several questions

2007-08-07 Thread Pierre Riteau

On 7 Aug 07, at 05:23, Frank Bax wrote:


At 06:26 PM 8/6/07, Matthieu Herrb wrote:


On 8/6/07, Frank Bax [EMAIL PROTECTED] wrote:
 Just got a new Lenovo 8744-J2U laptop and installed the Aug.1
snapshot:

 1) When I shut down X, text resolution is messed up.  Chars are bigger, they
 are 40 per line, with wrap.  All Ctrl-Alt-Fn sessions are affected.  If I
 issue a command like 'date', then hit enter several times, I find that the
 command and its output are finally visible.

Since you're using the vesa driver, it means that the VESA BIOS on
your laptop is broken.
Check for updates on Lenovo's web site.

 2) ATI adapter is not recognized. Changing depth to 24 works; but I can't
 seem to change resolution - always comes up 1280x1024; but this is a 15.4
 widescreen display; which I believe should run at 1680x1050.

Again, broken bios. Lenovo should provide a bios with resolutions
matching the physical size of the screen.
Try using i915resolution from ports. It has been reported to work
with
other BIOSes too.



Thanks for the prompt response.  I updated BIOS from 1.08 to 1.11;
one line changed in dmesg.

$ diff dmesg_0803.txt dmesg_0806.txt
8c8
 bios0 at mainbus0: AT/286+ BIOS, date 04/30/07, BIOS32 rev. 0 @
0xfd6b0, SMBIOS rev. 2.4 @ 0xe0010 (68 entries)
---
 bios0 at mainbus0: AT/286+ BIOS, date 07/13/07, BIOS32 rev. 0 @
0xfd6b0, SMBIOS rev. 2.4 @ 0xe0010 (68 entries)


Still no change on initial problems though.

I tried 915resolution, but I'm thinking it's not compatible:

$ sudo /usr/local/sbin/915resolution -l
Intel 800/900 Series VBIOS Hack : version 0.5.2

Unable to open the BIOS file: Operation not permitted


IIRC it must be run in secure level -1.

From the description of the port :
Because 915resolution requires write access to /dev/mem, the system
must be
at a securelevel = 0.

Pierre Riteau





 vga1 at pci1 dev 0 function 0 vendor ATI, unknown product
0x71d4 rev 0x00

Oh and I forgot: this is a Mobility FireGL V5250, which is indeed not
supported by the current X.Org ati driver. It should be supported by
the new 'avivo'  driver, but this driver is not yet available for
OpenBSD.



Is there someplace where I can monitor OpenBSD status of this?




Re: Lenovo 8744-J2U - several questions

2007-08-07 Thread Eric Elena
On Monday 06 August 2007 at 21:21 -0400, Stephan Andre' wrote:
 On Monday 06 August 2007 18:29:12 Matthieu Herrb wrote:
  On 8/6/07, Frank Bax [EMAIL PROTECTED] wrote:
   Just got a new Lenovo 8744-J2U laptop and installed the Aug.1 snapshot:
  
   vga1 at pci1 dev 0 function 0 vendor ATI, unknown product 0x71d4 rev
   0x00
 
  Oh and I forgot: this is a Mobility FireGL V5250, which is indeed not
  supported by the current X.Org ati driver. It should be supported by
  the new 'avivo'  driver, but this driver is not yet available for
  OpenBSD.
 
 Matthieu,  I'm also looking at the Lenovo T60.  Is the avivo driver
 ready for use, and how much effort is there in incorporating it 
 into Xenocara?   I'd really like a new laptop--my A31p is old.
 
 Thanks, STeve Andre'
 

I tested the avivo driver running linux, it works fine with a firegl
5200 card. There is only one trouble with DPMS: the screen displays
something weird when it switches off then switches on.
Running openbsd stable, I use the vesa driver but there is no problem
here.

Eric



Re: compat_freebsd shared library showstopper

2007-08-07 Thread Michael Dexter
On Monday 06 August 2007, Michael Dexter wrote:
 Anything else I should try?

Did you try installing the emulators/freebsd_lib port?

Yes. I failed to mention that in my checklist.

Michael.



Re: gdb - firefox debugging

2007-08-07 Thread Tobias Ulmer
On Mon, Aug 06, 2007 at 10:43:21PM -0700, J.C. Roberts wrote:
 I'm looking for all the needed steps to get firefox debug running in
 gdb. It's my first attempt at this and I've failed to find the correct
 mozilla docs (assuming they exist) or details in the misc@, ports@
 or tech@ archives.
 
 From what I've learned, you're supposed to use the following switches
 with the /usr/bin/firefox shell script.
 
   $ firefox -g
 
 You can be more explicit by naming the binary and the debugger.
 
   $ firefox -g /usr/local/mozilla-firefox/firefox-bin -d gdb
 
 The two are equivalent.
 
 Once inside gdb, I know you need to handle some signals. I've tried all
 combinations of the following signals and handling (nostop etc) without
 any luck:
 
   (gdb) handle SIG32 nostop noprint pass
   (gdb) handle SIG33 nostop noprint pass
   (gdb) handle SIGPIPE nostop noprint pass
 
 
 The problem I'm having is the gdb session just stops, without error, and
 firefox never actually loads. It never stops in the same place twice
 but it always stops.
 example
   (gdb) run
   lots of output from debug flavor
   Reading in symbols for nsCSSStyleRule.cpp...done.
   Reading in symbols for nsJARURI.cpp...done.
   Reading in symbols for nsReadableUtils.cpp...done.
   Reading in symbols for nsCSSScanner.cpp...done.
   Reading in symbols for nsCSSParser.cpp...done.
   ++DOMWINDOW == 2
   Reading in symbols for jsscope.c...done.
   Reading in symbols for /usr/src/lib/libc/string/strdup.c...done.
   Reading in symbols for nsTraceRefcntImpl.cpp...done.
   Reading in symbols for nsXMLDocument.cpp...done.
 
 It just sits there like gdb has hit an invisible limit and is waiting
 for something, and yes, it's sitting in the wait state.
 (from top)
 25200 jcr  100  272M  270M idle wait 0:32  0.00% gdb
 16656 jcr  310 7344K   25M stop/0   -0:03  0.00% firefox-bin
 
 Reluctantly, I've tried kicking the kern.maxfiles sysctl up as high as
 20,000 but that's not the issue (I normally run the default).

Just guessing from my previous pleasant experience of debugging firefox:
increase ulimit - data to ~ 2GB
add swap until you have a total of ~2GB
I remember something like gdb alone eating 900MB.

Tobias

 [...]



Re: Intel Core 2 - errata pulled?!?

2007-08-07 Thread Toni Mueller
Hi,

On Wed, 27.06.2007 at 11:08:16 -0600, Theo de Raadt [EMAIL PROTECTED] wrote:
   http://download.intel.com/design/processor/specupdt/31327914.pdf

looks like intel pulled that paper. I'm unable to find it and would
like to receive a private copy.

 An easier summary document for some people to read:
 
   
 http://www.geek.com/images/geeknews/2006Jan/core_duo_errata__2006_01_21__full.gif

I can read only about errors with number in the lower 30'ies on that
image, which means, that I can't read about most in this list:

 Note that some errata like AI65, AI79, AI43, AI39, AI90, AI99 scare

Leaving these aside, I just discovered that the i386 compatibility page
does apparently not list _any_ current intel CPUs (eg. Pentium D),
and the question about whether recent Xeons still classify as Xeon in
this list has been raised.

So, is it right to conclude that only current AMD CPUs are supported,
and that recent intel CPUs are generally unsupported?

While I generally like AMD better, I'd like to purchase an intel system
with significant power (as a router, targeting 300kpps, that is), but
don't know which one I should get. If you have an alternative
suggestion for the best (in terms of power and reliability) AMD chip,
I'm all ears, too.

TIA!


Best,
--Toni++



systrace/sysjail wrappers security

2007-08-07 Thread Richard Storm
  In the First USENIX Workshop on Offensive Technologies (WOOT07)
there was presentation
by Robert N. M. Watson:
Exploiting Concurrency Vulnerabilities in System Call Wrappers

with exploit code included how to bypass restrictions:
http://www.watson.org/~robert/2007woot/2007usenixwoot-exploitingconcurrency.pdf

It seems that syscall wrappers are vulnerable on SMP systems and
conclusion states:
Don't use system call wrappers...
 ...unless willing to rewrite OS system call handler
 Do use a security framework integrated with the kernel's copying and
synchronization

I am using sysjail, so I am very interested how to mitigate attacks or
is there anything OpenBSD could change to mitigate these issues?
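
The check-then-use race that the quoted conclusion refers to, as a deterministic C simulation added here (not code from the paper, sysjail or systrace). The policy, the buffer, the path names and the `racer_*` callbacks are constructed for illustration, and the second thread on another CPU is modeled as a callback fired between the two fetches.

```c
#include <stdio.h>
#include <string.h>

#define ARG_MAX_DEMO 64

/* Simulated user memory: the argument stays writable by the other threads
 * of the confined process while the system call is in flight. */
static char user_buf[ARG_MAX_DEMO];

/* Hypothetical policy for the demo: only paths under /tmp/ are allowed. */
int policy_allows(const char *path)
{
    return strncmp(path, "/tmp/", 5) == 0 && strstr(path, "..") == NULL;
}

/* Stand-in for copyin(9): fetch the argument from user memory. */
void fetch_arg(char *dst, size_t n)
{
    strncpy(dst, user_buf, n - 1);
    dst[n - 1] = '\0';
}

/* Deterministic stand-in for a second thread on another CPU rewriting the
 * argument between the check and the use (constructed path). */
typedef void (*racer_fn)(void);
void racer_rewrite(void) { strcpy(user_buf, "/etc/constructed-target"); }
void racer_idle(void) { }

/* Wrapper design: the wrapper fetches and checks the argument, then the
 * kernel fetches it again to act on it. Returns 0 if allowed, -1 if denied;
 * 'used' receives the path the kernel would act on. */
int wrapper_call(racer_fn racer, char *used, size_t n)
{
    char checked[ARG_MAX_DEMO];

    used[0] = '\0';
    fetch_arg(checked, sizeof(checked));   /* fetch 1: policy check */
    if (!policy_allows(checked))
        return -1;
    racer();                               /* window between check and use */
    fetch_arg(used, n);                    /* fetch 2: the value acted on */
    return 0;
}

/* Integrated design: one fetch into kernel memory; check and use share it. */
int integrated_call(racer_fn racer, char *used, size_t n)
{
    fetch_arg(used, n);                    /* the only fetch */
    if (!policy_allows(used)) {
        used[0] = '\0';
        return -1;
    }
    racer();                               /* later rewrites change nothing */
    return 0;
}

/* Returns 1 if the call was allowed but acted on a path the policy denies. */
int policy_bypassed(int (*call)(racer_fn, char *, size_t), racer_fn racer)
{
    char used[ARG_MAX_DEMO];

    strcpy(user_buf, "/tmp/constructed-ok");
    return call(racer, used, sizeof(used)) == 0 && !policy_allows(used);
}

int main(void)
{
    printf("wrapper, no race:  bypassed=%d\n",
        policy_bypassed(wrapper_call, racer_idle));
    printf("wrapper, race:     bypassed=%d\n",
        policy_bypassed(wrapper_call, racer_rewrite));
    printf("integrated, race:  bypassed=%d\n",
        policy_bypassed(integrated_call, racer_rewrite));
    return 0;
}
```

The wrapper's decision is only as good as the copy it checked; the integrated variant is safe because the value checked and the value used are the same kernel-private bytes.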



Re: Lenovo 8744-J2U - several questions

2007-08-07 Thread Matthew Szudzik
 Matthieu,  I'm also looking at the Lenovo T60.  Is the avivo driver

Get a T60 with the Intel graphics chipset and an XGA display.  You won't 
have any problems with X Windows.



Re: Intel Core 2 - errata pulled?!? [SOLVED]

2007-08-07 Thread Toni Mueller
Hi,

On Tue, 07.08.2007 at 16:22:08 +0200, Toni Mueller [EMAIL PROTECTED] wrote:
 On Wed, 27.06.2007 at 11:08:16 -0600, Theo de Raadt [EMAIL PROTECTED] wrote:
http://download.intel.com/design/processor/specupdt/31327914.pdf
 looks like intel pulled that paper. I'm unable to find it and would
 like to receive a private copy.

it appears that the URL has been updated, and I was unable to find it.
The current URL is

http://download.intel.com/design/processor/specupdt/31327916.pdf


Sorry for the noise.


Best,
--Toni++



Re: Lenovo 8744-J2U - several questions

2007-08-07 Thread Matthieu Herrb
On 8/7/07, Stephan Andre' [EMAIL PROTECTED] wrote:


 Matthieu,  I'm also looking at the Lenovo T60.  Is the avivo driver
 ready for use, and how much effort is there in incorporating it
 into Xenocara?   I'd really like a new laptop--my A31p is old.


The avivo driver needs X server 1.3 and libpciaccess to work. xserver
1.3 works on OpenBSD, but won't be in Xenocara for OpenBSD 4.2.
I'm working on libpciaccess but it is not in a working state yet.



Re: gdb - firefox debugging

2007-08-07 Thread Kurt Miller
On Tuesday 07 August 2007 1:43:21 am J.C. Roberts wrote:
 I'm looking for all the needed steps to get firefox debug running in
 gdb. It's my first attempt at this and I've failed to find the correct
 mozilla docs (assuming they exist) or details in the misc@, ports@
 or tech@ archives.
 
 From what I've learned, you're supposed to use the following switches
 with the /usr/bin/firefox shell script.
 
   $ firefox -g
 
 You can be more explicit by naming the binary and the debugger.
 
   $ firefox -g /usr/local/mozilla-firefox/firefox-bin -d gdb
 
 The two are equivalent.
 
 Once inside gdb, I know you need to handle some signals. I've tried all
 combinations of the following signals and handling (nostop etc) without
 any luck:
 
   (gdb) handle SIG32 nostop noprint pass
   (gdb) handle SIG33 nostop noprint pass
   (gdb) handle SIGPIPE nostop noprint pass
 
 
 The problem I'm having is the gdb session just stops, without error, and
 firefox never actually loads. It never stops in the same place twice
 but it always stops.

Hi,

use 'set auto-solib-add off' to stop gdb from loading
symbols from all shared libs. then selectively load
shared lib symbols with 'shared libname' for placing
breakpoints or to get line numbers from 'bt'.

this technique is also needed to debug OOo issues.

-Kurt



Re: spamd - 250 return text

2007-08-07 Thread Tom Bombadil
As far as I understand from them, the sysadmin was showing the defer to
his boss using a telnet session, and the boss got pissed off, because
they are actually very diligent about their spam policies.

Anyways, I just wanted to know if there was another way to change the
250 messages without changing the source code... I should have just not
mentioned my reasons. Sorry for that.

Thanks a lot for all the replies.
g.

Peter Fraser wrote:
 I think that the problem is a bad mail program at your clients,
 A user should not see the 250 status, it is not a
 failure of any sort but I have seen it as a return
 status sent to a user.
 
 Here is an example that I have seen from someone who sent us
 a message. The message failed and this is the status that they
 received:
 
 Reporting-MTA: dns; toq7.bellnexxia.net
 Arrival-Date: Fri, 20 Jul 2007 21:26:11 -0400
 Received-From-MTA: dns; Christine (64.230.70.248)
 Content-Type: text/plain
 
 Final-Recipient: RFC822; [EMAIL PROTECTED]
 Action: failed
 Status: 4.4.7
 Remote-MTA: dns; thinkage.ca
 Diagnostic-Code: smtp; 250 This is hurting you more than it is hurting me.



updating pf filter rules

2007-08-07 Thread Austin Murphy
I inherited a transparent bridging firewall running OpenBSD 3.8 and
pf.   I would like to add two new filter rules without disrupting the
current network traffic.  The pfctl man page did not seem to indicate
a way to load a single filter rule to a running configuration.

If I made a new file with just the new rules and loaded it with
something like pfctl -f two.pf.rules.conf, would all the existing
filter rules be dropped and would only the two new rules be in effect?

Let's say I updated the existing config file, /etc/pf.conf, with my
new rules.  What would happen if I ran  pfctl -f /etc/pf.conf?

Would the existing state table be flushed?  Would there be a point in
this time frame where there were no filter rules loaded and packets
would get dropped?

Thanks,

Austin



Re: spamd - 250 return text

2007-08-07 Thread stuart van Zee
That's exactly why I tend to tell the pointy haired ones that it all 
works on the FM principle and never go into much depth about what that
means.

(note:  FM = Fucking Magic but they don't need to know that)

It was fun tho the first time the owner of the company I work for tried
to add an email account using a script that I created and flubbed the 
password on his sudo command.  He is technical in a microsquishy kinda 
way and thought that it was MY code that was telling him he had a brain
the size of a cabbage (or some such, the exact message is lost to time).
Boy, many zoggs fell prey to the snarlak that day.  He was pretty mad
and might even have fired me, but then he realized that he needed an 
email account added to the server and he would have to pay a crap load
more money than he is giving me to have someone come in and figure out
how.

s

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
 Tom Bombadil
 Sent: Tuesday, August 07, 2007 02:37 PM
 To: Peter Fraser
 Cc: 'misc@openbsd.org'
 Subject: Re: spamd - 250 return text
 
 
 As far as I understand from them, the sysadmin was showing the defer to
 his boss using a telnet session, and the boss got pissed off, because
 they are actually very diligent about their spam policies.
 
 Anyways, I just wanted to know if there was another way to change the
 250 messages without changing the source code... I should have just not
 mentioned my reasons. Sorry for that.
 
 Thanks a lot for all the replies.
 g.
 
 Peter Fraser wrote:
  I think that the problem is a bad mail program at your clients,
  A user should not see the 250 status, it is not a
  failure of any sort but I have seen it as a return
  status sent to a user.
  
  Here is an example that I have seen from someone who sent us
  a message. The message failed and this is the status that they
  received:
  
  Reporting-MTA: dns; toq7.bellnexxia.net
  Arrival-Date: Fri, 20 Jul 2007 21:26:11 -0400
  Received-From-MTA: dns; Christine (64.230.70.248)
  Content-Type: text/plain
  
  Final-Recipient: RFC822; [EMAIL PROTECTED]
  Action: failed
  Status: 4.4.7
  Remote-MTA: dns; thinkage.ca
  Diagnostic-Code: smtp; 250 This is hurting you more than it is 
 hurting me.
 
 



Re: updating pf filter rules

2007-08-07 Thread Stuart Henderson
On 2007/08/07 15:46, Austin Murphy wrote:
 If I made a new file with just the new rules and loaded it with
 something like pfctl -f two.pf.rules.conf, would all the existing
 filter rules be dropped and would only the two new rules be in effect?

Yes.

 Let's say I updated the existing config file, /etc/pf.conf, with my
 new rules.  What would happen if I ran  pfctl -f /etc/pf.conf?

This would do what you want.

 Would the existing state table be flushed?

No. You'd need a -F something to flush things.

 Would there be a point in this time frame where there were no
 filter rules loaded and packets would get dropped?

No.



OpenBSD/hppa

2007-08-07 Thread Mark Kettenis
Over the last few weeks I've made some important improvements to the
OpenBSD/hppa port.  Support for newer B/C/J-class workstations was
added, and basically anything but the C8000 should just work.  I've
also fixed a rather critical bug, which makes machines with a PA-7200
CPU usable again (and makes machines with other CPU's much more
stable).  And last but not least, support for the NCR 53C720 Fast-Wide
SCSI found on many hppa machines has been added to siop(4).

With all these changes, I have reason to believe that most of the so
far unsupported D-class and K-class servers should just work, or will
work with just a small tweak to the code here and there.
Unfortunately I don't have such hardware myself, so if people have
access to one of these machines, could they give the latest snapshot a
go on them and send me (and [EMAIL PROTECTED]) a copy of the dmesg?

Thanks,

Mark



Re: systrace/sysjail wrappers security

2007-08-07 Thread Kristaps Dzonsons
 I am using sysjail, so I am very interested how to mitigate attacks or
 is there anything OpenBSD could change to mitigate these issues?

Until the kernel wrapper issues have been addressed, the sysjail
page has been updated to indicate that it SHOULD NOT be used 
(nor should any systrace(4) system, which, to the best of my
knowledge, is only systrace(1) and Xsystrace(1)).



Re: updating pf filter rules

2007-08-07 Thread Mike Piety
On Tue, 7 Aug 2007 15:46:41 -0400
Austin Murphy [EMAIL PROTECTED] wrote:

 I inherited a transparent bridging firewall running
 OpenBSD 3.8 and pf.   I would like to add two new filter
 rules without disrupting the current network traffic.  The
 pfctl man page did not seem to indicate a way to load a
 single filter rule to a running configuration.
 
 If I made a new file with just the new rules and loaded
 it with something like pfctl -f two.pf.rules.conf, would
 all the existing filter rules be dropped and would only the
 two new rules be in effect?
 
 Let's say I updated the existing config file, /etc/pf.conf,
 with my new rules.  What would happen if I ran  pfctl
 -f /etc/pf.conf?
 
I'd suggest pfctl -n -f /etc/pf.conf

 Would the existing state table be flushed?  Would there be
 a point in this time frame where there were no filter rules
 loaded and packets would get dropped?
 
 Thanks,
 
 Austin



Re: updating pf filter rules

2007-08-07 Thread RW
On Tue, 7 Aug 2007 18:31:53 -0500, Mike Piety wrote:

On Tue, 7 Aug 2007 15:46:41 -0400
Austin Murphy [EMAIL PROTECTED] wrote:

 I inherited a transparent bridging firewall running
 OpenBSD 3.8 and pf.   I would like to add two new filter
 rules without disrupting the current network traffic.  The
 pfctl man page did not seem to indicate a way to load a
 single filter rule to a running configuration.
 
 If I made a new file with just the new rules and loaded
 it with something like pfctl -f two.pf.rules.conf, would
 all the existing filter rules be dropped and would only the
 two new rules be in effect?
 
 Let's say I updated the existing config file, /etc/pf.conf,
 with my new rules.  What would happen if I ran  pfctl
 -f /etc/pf.conf?
 
I'd suggest pfctl -n -f /etc/pf.conf

Lazy me likes to be safe and does:
# pfctl -f /etc/pf.conf -n
and if it has no error output:
<up arrow><backspace><backspace><enter>
loads the rules.



 Would the existing state table be flushed?  Would there be
 a point in this time frame where there were no filter rules
 loaded and packets would get dropped?
 
 Thanks,
 
 Austin


Rod/
From the land down under: Australia.
Do we look umop apisdn from up over?



Ethernet bridge over IPsec in OpenBSD 4.1

2007-08-07 Thread Justin Lindberg
I have not been able to get an Ethernet bridge over IPsec to work
in OpenBSD 4.1.  I have two machines running as NAT gateways with a
gif tunnel between them protected by IPsec ESP.  The internal
interfaces are both bridged to the gif tunnel.  I can ping either
gateway from the other over the tunnel, but the bridges are not
learning any MAC addresses from the gif side save that of the other
gateway.  When I try to ping a machine on one LAN from the opposite
gateway, the ARP who-is packets from the gateway will be forwarded
by the other gateway's bridge, but the reply packets do not seem to
be properly sent back over the gif interface by the bridge.

I noticed in the source repository the following comment in 
src/sys/net/if_bridge.c, revision 1.161

 make bridge(4) mark packets with M_PROTO1 if gif(4) needs to use
 etherip encapsulation; unbreaks remote ipsec bridges; ok claudio;
 additional testing Renaud Allard

Is this type of bridging broken in OpenBSD 4.1, or am I missing
something?  Is there a way to make this work while I am waiting for
4.2?  I had this exact same setup working in a previous version of
OpenBSD.  (I can't remember if it was 3.9 or 4.0.)



Re: Intel Core 2 - errata pulled?!?

2007-08-07 Thread Chris Cappuccio
Toni Mueller [EMAIL PROTECTED] wrote:
 
 Leaving these aside, I just discovered that the i386 compatibility page
 does apparently not list _any_ current intel CPUs (eg. Pentium D),
 and the question about whether recent Xeons still classify as Xeon in
 this list has been raised.

They are all supported and work fine, the web site simply does not keep up with
intel's marketing department.



Re: Intel Core 2 - errata pulled?!?

2007-08-07 Thread Chris Black

Chris Cappuccio wrote:

Toni Mueller [EMAIL PROTECTED] wrote:
  

Leaving these aside, I just discovered that the i386 compatibility page
does apparently not list _any_ current intel CPUs (eg. Pentium D),
and the question about whether recent Xeons still classify as Xeon in
this list has been raised.


The OpenBSD server hardware compatibility list at:
http://www.armorlogic.com/openbsd_information_server_compatibility_list.html
is pretty decent in terms of having dmesg's from current widely deployed 
Intel and AMD servers.