Can OpenBSD perform hard/soft real-time functions?

2007-10-01 Thread Tito Mari Francis Escaño
I tried googling for real-time computing with OpenBSD and all I found
was a reference to RTMX.
In http://openbsd.org/products.html, it read: "They (RTMX) have
graciously donated the source code for these extensions, and these
changes will be integrated into OpenBSD soon."
In http://archives.neohapsis.com/archives/openbsd/2004-01/1001.html,
it stated it was supposed to have been implemented already in OpenBSD
release 3.2.
It sure would be great to know the OS we love is already ready for real-time,
as it already enjoys a great reputation as a secure platform.
Thanks!



Installing from OpenZaurus

2007-10-01 Thread Will Sheppard
Hi,

I've got OpenZaurus installed on my Zaurus 3200. I've been trying to install
OpenBSD, but when I type: insmod zbsdmod.o
I get the error:
Error inserting zbsdmod.o: -1 invalid module format

I found a post that seems to suggest that as OpenZaurus uses the 2.4 kernel,
I can't install OpenBSD like this because it expects the 2.6 kernel:
http://www.oesf.org/forums/lofiversion/index.php/t21729.html

I also tried the ipkg file, but it still runs insmod.
How can I install OpenBSD on my Zaurus?

Will





Re: SOLVED? Re: 4.0 - 4.1 broke ipsec

2007-10-01 Thread Markus Friedl
On Fri, Sep 28, 2007 at 07:02:28AM +0200, Otto Moerbeek wrote:
 On Thu, 27 Sep 2007, Brian A. Seklecki wrote:
 
   Ok, it's running now. The cause was not the move from 4.0 - 4.1, but 
   the move from a diskful to a diskless setup: The machine mounts its root 
   fs via nfs.
  
  WHAT?!?!?!  What the heck kind of security-minded sanity check would
  fail based on the underlying VFS?
  
  Did you eventually get a PR open on this?
 
 This has to do with a bug in isakmpd, where scanning a dir could skip
 files. The bug could only be triggered on nfs mounts.

PR 5557 has been fixed in isakmpd/monitor.c rev 1.70: d_type is not
passed over NFS unless you mount with readdir+.
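The d_type problem Markus describes, as an added example that is not isakmpd's code: a directory-entry classifier that falls back to stat(2) when readdir returns DT_UNKNOWN, beside the trusting variant that silently drops such entries (for a policy directory that means rules which never get loaded). The demo feeds a constructed dirent with DT_UNKNOWN for a real temporary file, which is what an NFS mount without readdir+ hands you; function names and the /tmp path are my own.

```c
/* Added example, not isakmpd's code: classify directory entries without
 * trusting d_type. NFS and other filesystems may report DT_UNKNOWN; a scanner
 * that reads that as "not a regular file" silently skips real files. */
#define _DEFAULT_SOURCE
#include <sys/stat.h>
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Returns 1 if the entry is a regular file, 0 if not, -1 on error.
 * With trust_dtype set it reproduces the defect: DT_UNKNOWN is dropped. */
int
is_regular_entry(const char *dir, const struct dirent *de, int trust_dtype)
{
	struct stat st;
	char path[PATH_MAX];

	switch (de->d_type) {
	case DT_REG:
		return 1;
	case DT_UNKNOWN:
		if (trust_dtype)
			return 0;	/* the bug: "unknown" treated as "not a file" */
		if (snprintf(path, sizeof path, "%s/%s", dir, de->d_name) >= (int)sizeof path)
			return -1;
		if (stat(path, &st) == -1)
			return -1;	/* fallback: ask the filesystem directly */
		return S_ISREG(st.st_mode) ? 1 : 0;
	default:
		return 0;	/* directories, symlinks, devices and so on */
	}
}

/* Count regular files in dir with the chosen policy; -1 if it cannot be opened. */
int
count_regular_files(const char *dir, int trust_dtype)
{
	DIR *d;
	struct dirent *de;
	int n = 0;

	if ((d = opendir(dir)) == NULL)
		return -1;
	while ((de = readdir(d)) != NULL)
		if (is_regular_entry(dir, de, trust_dtype) == 1)
			n++;
	closedir(d);
	return n;
}

/* Demo: create a real file, then hand a constructed dirent for it with
 * d_type = DT_UNKNOWN (what NFS returns without readdir+) to both policies.
 * Stores each policy's verdict in the out parameters; returns 0 on success. */
int
demo_unknown_dtype(int *seen_trusting, int *seen_checking)
{
	char dir[] = "/tmp/dtype.XXXXXX";	/* constructed scratch location */
	char path[PATH_MAX];
	struct dirent de;
	int fd;

	if (mkdtemp(dir) == NULL)
		return -1;
	snprintf(path, sizeof path, "%s/policy.conf", dir);
	if ((fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600)) == -1)
		return -1;
	close(fd);

	memset(&de, 0, sizeof de);
	snprintf(de.d_name, sizeof de.d_name, "%s", "policy.conf");
	de.d_type = DT_UNKNOWN;
	*seen_trusting = is_regular_entry(dir, &de, 1);	/* 0: file skipped */
	*seen_checking = is_regular_entry(dir, &de, 0);	/* 1: file found via stat */

	unlink(path);
	rmdir(dir);
	return 0;
}
```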



Re: Can OpenBSD perform hard/soft real-time functions?

2007-10-01 Thread Alexandre Ratchov
On Mon, Oct 01, 2007 at 02:07:19PM +0800, Tito Mari Francis Escaño wrote:
 I tried googling for real-time computing with OpenBSD and all I found
 was a reference to RTMX.
 In http://openbsd.org/products.html, it read: "They (RTMX) have
 graciously donated the source code for these extensions, and these
 changes will be integrated into OpenBSD soon."
 In http://archives.neohapsis.com/archives/openbsd/2004-01/1001.html,
 it stated it was supposed to have been implemented already in OpenBSD
 release 3.2.
 It sure would be great to know the OS we love is already ready for real-time,
 as it already enjoys a great reputation as a secure platform.

no, it isn't realtime. Processes cannot be preempted while running
in kernel mode. Nevertheless, it is quite usable for applications
that need a few milliseconds of latency (such as audio/midi).

-- Alexandre



Re: RAID1 powerloss - can parity rewrite be safely backgrounded?

2007-10-01 Thread Nick Holland
Steve Shockley wrote:
 RedShift wrote:
 Anyone got any similar experiences with hardware RAID cards? Hardware 
 RAID has always been misery for me.
 
 I've had two instances where older Adaptec RAID cards had a disk failure 
 and then reverted to a week-old copy of the data.  I'm not quite sure 
 how that's possible, but having it happen on two different machines, at 
 two different employers, in two different brands of servers (Dell, HP 
 Netserver) made me a real believer in Adaptec.
 
 I've had generally good luck with Compaq/HP and LSI controllers.

I'll give you a fairly realistic possible explanation:

For whatever reason, at least some SCSI drives in at least some RAID
systems (I saw a lot of it on SCSI Dell PERC cards) will just hop
off-line.  Nothing wrong with the drive, if you pull the drive out and
put it back in, either in SW or physically, it will go back on-line
and happily rebuild.  Curiously, these same PERC cards also lacked
any kind of beeper to let you know they were in any kind of degraded
mode.  They would turn the deactivated drive orange instead of green,
but even that was in dispute with one of our offices which managed to
have two drives fail in a RAID10 array and swore there were never any
orange lights on the machine (I was checking!! Really!).

SO, I suspect that one of your drives hopped off-line and no one
noticed.  A week later, the OTHER drive failed.  Either the system
was then rebooted or maybe it just figured, "Hey, let's see if we
can revive that other drive on its own", and ta-da, you are running
with week-old data.  And no, I can't prove it...


[rest of this isn't aimed at Steve...]

RAID is a complexity, and complexity is the enemy of security and
reliability.  It *may* help protect against data loss.  It *may*
keep you running.  It *may* also be the cause of the data loss or
downtime.

PROPERLY implemented, RAID can be a part of your event recovery
process.  It certainly can give you performance gains.  But if you
don't understand the system in your hands, it will most likely
bite you hard at some point.

Alternatives should be considered: many apps such as firewalls
and DNS servers don't need/want RAID at all, as you can mirror
entire MACHINES.  At that point, the disk failure becomes a special
case of system failure and you are ready for it.  RAID becomes
simply an unneeded complexity.

For many systems, L. V. Lammert's rsync system (or even dump/restore)
to a second disk in the system is wonderful.  Done properly, it can
be SUPERIOR to RAID for some apps, in that it gives you a roll-back
if you make an error on a change or upgrade...and a number of other
failure modes where you wish you could roll back to a previous
version.

The question of HW vs SW RAID is wrong.  The question is
understood vs. not understood RAID solutions.  I understood very
well the old Netware 3/4 software mirroring, and had complete faith
in it, and had the experience to prove it on a number of cases.  On
the other hand, I saw a lot of systems that were completely hosed
because people DIDN'T understand the system and expected magic to
happen (or someone else to be on call) when the system failed.  Same
thing goes for HW RAID.  HW RAID is easy to get running, but that
usually means you have NO idea how it is really working, and that
makes it less likely you will know how to get it back to fully
functional state AFTER an event.

In most (yes, really, I'm convinced it is the vast majority) cases,
people make the error of thinking getting it running is the
challenge.  NO!!  The point of RAID (and the rest of your system)
is to keep your system serviceable AFTER something goes horribly
wrong.  What happens when the system goes down hard, how do you bring
the system back to a happy state after a drive failure, what happens
if you try to stick too small a drive in (yes, it won't work, but how
will it inform you the new drive is one pseudo-cylinder smaller than
the old ones?  Knowing that will save you major headaches when it
happens when you can no longer get the exact model of drive you had
in place before...or the mfg changes the drive specs without
changing the model number (yes, that happened to a friend of mine)).

Moral: learn your RAID system.  Whatever it is, you have to understand
it.

Nick.



php PDO drivers?

2007-10-01 Thread Johan L

Hi,

PDO seems to be enabled in the php5 package.
Is there a package or packages for the PDO drivers, eg. php_pdo_mysql.so?

/Johan



help

2007-10-01 Thread Roger Sistla
help

-- 

Roger Sistla
[EMAIL PROTECTED]




Re: php PDO drivers?

2007-10-01 Thread Antti Harri

On Mon, 1 Oct 2007, Johan L wrote:


PDO seems to be enabled in the php5 package.
Is there a package or packages for the PDO drivers, eg. php_pdo_mysql.so?


Starting from 4.2 there will be:

php5-pdo_mysql-5.2.3.tgz  php5-pdo_pgsql-5.2.3.tgz 
php5-pdo_sqlite-5.2.3.tgz


--
Antti Harri



Re: To whom can I direct email for artwork use permission pls?

2007-10-01 Thread Siju George
On 9/29/07, Tito Mari Francis Escaño [EMAIL PROTECTED] wrote:
 I plan to prepare and produce a DVD version of 4.2 when available this
 November, complete with the packages, and I'd like to use some
 artworks as graphics, if not a basis for a custom-made one, for the
 DVD. Therefore, may I pls know to whom can I direct email to ask for
 permission to use them?


Theo de Raadt.
I took permission from him to use it for an article I wrote on OpenBSD.

 IIRC, there was once a thread here with heated exchange of words over
 usage of those artworks without due permission.
 I'm from the Philippines and high-speed internet access here is not
 yet common, so a DVD distribution would be a nice option and I hope to
 produce it.
 I look forward to a prompt reply. Thank you.


Not sure if you will have much luck here :-)

Kind Regards
Siju



ipsec with carp

2007-10-01 Thread Patrick Hemmen
Hello all,

I have two OpenBSD machines as a redundant VPN gateway. They use
carp to share one IP address and sasyncd to synchronize SAs and SPDs.
I set up an IPsec tunnel in /etc/ipsec.conf. The tunnel isn't
established and the error PAYLOAD_MALFORMED appears in the logs.
With tcpdump I can see that the initial packet (isakmp v1.0 exchange
ID_PROT) to establish the tunnel comes from the host IP address and not
from the carp address.

Thanks in advance.
Patrick



Re: To whom can I direct email for artwork use permission pls?

2007-10-01 Thread Nick Guenther
On 10/1/07, Siju George [EMAIL PROTECTED] wrote:
  On 9/29/07, Tito Mari Francis Escaño [EMAIL PROTECTED] wrote:
  I plan to prepare and produce a DVD version of 4.2 when available this
  November, complete with the packages, and I'd like to use some
  artworks as graphics, if not a basis for a custom-made one, for the
  DVD. Therefore, may I pls know to whom can I direct email to ask for
  permission to use them?
 

 Theo de Raadt.
 I took Permissions from him to use it for an article I wrote on OpenBSD.

  IIRC, there was once a thread here with heated exchange of words over
  usage of those artworks without due permission.
  I'm from the Philippines and high-speed internet access here is not
  yet common, so a DVD distribution would be a nice option and I hope to
  produce it.
  I look forward to a prompt reply. Thank you.
 

 Not sure if you will have much luck here :-)

To explain this more fully with the party line: the project supports
itself via donations and selling CDs of releases. If you create DVDs
to distribute you are hurting the project by discouraging the sale of
CDs. You could volunteer to become a reseller, though (i.e. you buy a
large shipment of CDs and sell them at cost to people in your
country.)

-nick



Re: To whom can I direct email for artwork use permission pls?

2007-10-01 Thread Hannah Schroeter
Hi!

On Mon, Oct 01, 2007 at 10:50:05AM -0400, Nick Guenther wrote:
[...]

To explain this more fully with the party line: the project supports
itself via donations and selling CDs of releases. If you create DVDs
to distribute you are hurting the project by discouraging the sale of
CDs. You could volunteer to become a reseller, though (i.e. you buy a
large shipment of CDs and sell them at cost to people in your
country.)

Wouldn't it be win-win if people there could buy DVDs (with more data on
them, i.e. needing fewer downloads) and an agreement could be made that XX
$ (enough to compensate for the not-sold CDs) for each DVD sold are paid
to OpenBSD?

Kind regards,

Hannah.



Re: ipsec with carp

2007-10-01 Thread Dag Richards

Patrick Hemmen wrote:

Hello all,

I have two OpenBSD machines as a redundant VPN gateway. They use
carp to share one IP address and sasyncd to synchronize SAs and SPDs.
I set up an IPsec tunnel in /etc/ipsec.conf. The tunnel isn't
established and the error PAYLOAD_MALFORMED appears in the logs.
With tcpdump I can see that the initial packet (isakmp v1.0 exchange
ID_PROT) to establish the tunnel comes from the host IP address and not
from the carp address.

Thanks in advance.
Patrick



Maybe it's the humidity.
Maybe it's  something in your ipsec.conf file.
Based on the info you have provided so far, both seem to be about as 
likely as each other  ;)


ipsec.conf
ifconfig -A

maybe a quote from your dumps
and perhaps a bit of logging info 



Re: To whom can I direct email for artwork use permission pls?

2007-10-01 Thread Dag Richards

Hannah Schroeter wrote:

Hi!

On Mon, Oct 01, 2007 at 10:50:05AM -0400, Nick Guenther wrote:

[...]



To explain this more fully with the party line: the project supports
itself via donations and selling CDs of releases. If you create DVDs
to distribute you are hurting the project by discouraging the sale of
CDs. You could volunteer to become a reseller, though (i.e. you buy a
large shipment of CDs and sell them at cost to people in your
country.)


Wouldn't it be win-win if people there could buy DVDs (with more data on
them, i.e. needing fewer downloads) and an agreement could be made that XX
$ (enough to compensate for the not-sold CDs) for each DVD sold are paid
to OpenBSD?

Kind regards,

Hannah.



The real win-win is they buy official CDs, support OBSD, and thereby 
help ensure more OBSD is available to use.




Re: OpenBSD sticker considered cool by a layman

2007-10-01 Thread ttw+bsd
On 30.09-10:03, Anton Karpov wrote:
[ ... ]
 The same here. I have wireframe puffy on the back of my car. VERY
 attractive:

of course, if you were _really_ security conscious you would have
cropped the license plate, no?
;-)



Re: ipsec with carp

2007-10-01 Thread Brian A. Seklecki
Also:

1) Does the documentation in ipsec(4) / isakmpd.conf(5) /
sasyncd.conf(5) imply that all policies / security associations should
be between the CARP HA L3 address?

2) Is your isakmpd(8) binding to wildcard address?

3) Did this problem evolve with the implementation of sasyncd(8) or did
your IPSEC never work?

~BAS


On Mon, 2007-10-01 at 08:16 -0700, Dag Richards wrote:
 Patrick Hemmen wrote:
  Hello all,
  
  I have two OpenBSD machines as a redundant VPN gateway. They use
  carp to share one IP address and sasyncd to synchronize SAs and SPDs.
  I set up an IPsec tunnel in /etc/ipsec.conf. The tunnel isn't
  established and the error PAYLOAD_MALFORMED appears in the logs.
  With tcpdump I can see that the initial packet (isakmp v1.0 exchange
  ID_PROT) to establish the tunnel comes from the host IP address and not
  from the carp address.
  
  Thanks in advance.
  Patrick
  
 
 Maybe it's the humidity.
 Maybe it's  something in your ipsec.conf file.
 Based on the info you have provided so far, both seem to be about as 
 likely as each other  ;)
 
 ipsec.conf
 ifconfig -A
 
 maybe a quote from your dumps
 and perhaps a bit of logging info 



Re: To whom can I direct email for artwork use permission pls?

2007-10-01 Thread Nick Guenther
On 10/1/07, Hannah Schroeter [EMAIL PROTECTED] wrote:
 Hi!

 On Mon, Oct 01, 2007 at 10:50:05AM -0400, Nick Guenther wrote:
 [...]

 To explain this more fully with the party line: the project supports
 itself via donations and selling CDs of releases. If you create DVDs
 to distribute you are hurting the project by discouraging the sale of
 CDs. You could volunteer to become a reseller, though (i.e. you buy a
 large shipment of CDs and sell them at cost to people in your
 country.)

 Wouldn't it be win-win if people there could buy DVDs (with more data on
 them, i.e. needing fewer downloads) and an agreement could be made that XX
 $ (enough to compensate for the not-sold CDs) for each DVD sold are paid
 to OpenBSD?


I thought of that, Hannah, but I concluded that Theo would not want to
deal with the extra bureaucracy all that would entail. There would
need to be some sort of legal agreement struck, and so forth.

-Nick



Re: To whom can I direct email for artwork use permission pls?

2007-10-01 Thread Bob Beck
 Wouldn't it be win-win if people there could buy DVDs (with more data on
 them, i.e. needing fewer downloads) and an agreement could be made that XX
 $ (enough to compensate for the not-sold CDs) for each DVD sold are paid
 to OpenBSD?

No, it wouldn't. The project has already contemplated making DVD
releases, but the fact is what we have fits currently on what we ship.

Having said that, CD sales are lagging badly this release, and are
threatening the financial health of the project. If you want OpenBSD to
continue, you should be buying official CDs. You certainly should not be
worried about download volume, and misguided attempts to make your own
releases and sell them only put the project in more financial duress. You
want to help? Go on to the CD site and order 20 or 40 and resell in the
Philippines. Don't try to pirate the artwork to make your own release and
screw everything up.

-Bob



PCC? GCC has crap optimization!

2007-10-01 Thread Karel Kulhavy
GCC has no idea about optimization even if the optimization is turned
to the maximum:

unsigned long long x(unsigned lo, unsigned hi)
{
	/* combine two 32-bit halves into one 64-bit value */
	return ((unsigned long long)hi << 32) | lo;
}

gcc -O3 -c -o a.o a.c; objdump -d a.o:

   0:   55                      push   %ebp
   1:   89 e5                   mov    %esp,%ebp
   3:   8b 4d 0c                mov    0xc(%ebp),%ecx
   6:   53                      push   %ebx
   7:   89 ca                   mov    %ecx,%edx
   9:   31 db                   xor    %ebx,%ebx
   b:   8b 4d 08                mov    0x8(%ebp),%ecx
   e:   31 c0                   xor    %eax,%eax
  10:   09 da                   or     %ebx,%edx
^^^ %ebx is zero here, can be thrown out
  12:   09 c8                   or     %ecx,%eax
^^^ %eax is zero here, can be replaced with mov %ecx,%eax
  14:   8b 1c 24                mov    (%esp),%ebx
  17:   c9                      leave
  18:   c3                      ret

After seeing this I am not sure if GCC has a peephole optimizer, but if it
does, they have to add the following rules:

or reg1, reg2 where reg1 contains 0 can be thrown out
or reg1, reg2 where reg2 contains 0 can be replaced with mov reg1, reg2
 and possibly further peephole optimized

After some manual rewrite the function shrinks significantly to:

55                      push   %ebp
89 e5                   mov    %esp,%ebp
8b 4d 0c                mov    0xc(%ebp),%edx
53                      push   %ebx
8b 4d 08                mov    0x8(%ebp),%eax
8b 1c 24                mov    (%esp),%ebx
c9                      leave
c3                      ret

CL
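The two rules above, as an added example that is neither Karel's code nor GCC's: a toy peephole pass in C over the stripped listing. It tracks which registers are known to hold zero, drops an `or` with a zero source, rewrites an `or` into a zero register as `mov`, and then removes the `xor r,r` those rewrites leave dead; the copy propagation in the hand-written version (folding the two `mov` pairs) is not done, so it ends at 10 instructions rather than 8. Only the opcodes in the listing are modeled, and names such as `optimize_listing` are my own.

```c
/* Added example (not from the post, not GCC code): a small peephole pass over
 * AT&T-syntax i386 listings. Only the opcodes in Karel's listing are modeled. */
#include <stdio.h>
#include <string.h>

struct insn { char op[8]; char src[24]; char dst[24]; };

static const char *regs[] = { "%eax", "%ebx", "%ecx", "%edx", "%esi", "%edi", "%ebp", "%esp" };

static int
reg_idx(const char *s)	/* -1 for immediates, memory operands and empty operands */
{
	int i;
	for (i = 0; i < 8; i++)
		if (strcmp(s, regs[i]) == 0)
			return i;
	return -1;
}

/* Parse "op", "op operand" or "op src,dst" (AT&T operand order). */
int
parse_insn(const char *text, struct insn *in)
{
	char ops[48] = "", *comma;
	memset(in, 0, sizeof *in);
	if (sscanf(text, "%7s %47s", in->op, ops) < 1)
		return -1;
	if ((comma = strchr(ops, ',')) != NULL) {
		*comma = '\0';
		snprintf(in->dst, sizeof in->dst, "%s", comma + 1);
	}
	snprintf(in->src, sizeof in->src, "%s", ops);
	return 0;
}

/* Forward pass tracking registers known to hold zero; returns the new length. */
int
peephole(struct insn *code, int n)
{
	unsigned zero = 0;
	int i, out = 0;
	for (i = 0; i < n; i++) {
		struct insn in = code[i];
		int s = reg_idx(in.src), d = reg_idx(in.dst), is_or = strcmp(in.op, "or") == 0;
		if (is_or && s >= 0 && (zero >> s & 1))
			continue;		/* rule 1: or with a zero source is a no-op */
		if (is_or && d >= 0 && (zero >> d & 1))
			strcpy(in.op, "mov");	/* rule 2: or into a zero register is a move */
		if (strcmp(in.op, "xor") == 0 && s >= 0 && s == d)
			zero |= 1u << s;	/* xor r,r zeroes r */
		else if (d >= 0)
			zero &= ~(1u << d);	/* any other write: value now unknown */
		code[out++] = in;
	}
	return out;
}

/* Drop "xor r,r" when a mov overwrites r before anything reads it. */
int
dead_zero_elim(struct insn *code, int n)
{
	int i, j, out = 0;
	for (i = 0; i < n; i++) {
		int r = reg_idx(code[i].src), dead = 0;
		if (strcmp(code[i].op, "xor") == 0 && r >= 0 && r == reg_idx(code[i].dst))
			for (j = i + 1; j < n && !dead; j++) {
				const struct insn *x = &code[j];
				if (strcmp(x->op, "mov") == 0 && strcmp(x->dst, regs[r]) == 0 &&
				    strstr(x->src, regs[r]) == NULL)
					dead = 1;	/* overwritten first */
				else if (strstr(x->src, regs[r]) || strstr(x->dst, regs[r]) ||
				    strcmp(x->op, "ret") == 0 || strcmp(x->op, "leave") == 0)
					break;		/* read, or the value may escape the function */
			}
		if (!dead)
			code[out++] = code[i];
	}
	return out;
}

/* Parse, run both passes and format the survivors into out[]; returns their count. */
int
optimize_listing(const char **lines, int n, char out[][48])
{
	struct insn code[64];
	int i, m = 0;
	for (i = 0; i < n && m < 64; i++)
		if (parse_insn(lines[i], &code[m]) == 0)
			m++;
	m = dead_zero_elim(code, peephole(code, m));
	for (i = 0; i < m; i++)
		snprintf(out[i], 48, "%s%s%s%s%s", code[i].op, code[i].src[0] ? " " : "",
		    code[i].src, code[i].dst[0] ? "," : "", code[i].dst);
	return m;
}

/* GCC's -O3 output from the post with the objdump columns stripped (constructed input). */
const char *gcc_listing[] = { "push %ebp", "mov %esp,%ebp",
	"mov 0xc(%ebp),%ecx", "push %ebx", "mov %ecx,%edx", "xor %ebx,%ebx",
	"mov 0x8(%ebp),%ecx", "xor %eax,%eax", "or %ebx,%edx", "or %ecx,%eax",
	"mov (%esp),%ebx", "leave", "ret" };
```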



Re: OpenBSD sticker considered cool by a layman

2007-10-01 Thread Marc Balmer

[EMAIL PROTECTED] wrote:

On 30.09-10:03, Anton Karpov wrote:
[ ... ]

The same here. I have wireframe puffy on the back of my car. VERY
attractive:


of course, if you were _really_ security conscious you would have
cropped the license plate, no?
;-)


we have 50cm diameter puffy stickers on both sides of our landrover
defender.  a real eyecatcher.



Re: OpenBSD sticker considered cool by a layman

2007-10-01 Thread Darrin Chandler
On Mon, Oct 01, 2007 at 06:18:39PM +0200, Marc Balmer wrote:
 [EMAIL PROTECTED] wrote:
 On 30.09-10:03, Anton Karpov wrote:
 [ ... ]
 The same here. I have wireframe puffy on the back of my car. VERY
 attractive:
 of course, if you were _really_ security conscious you would have
 cropped the license plate, no?
  ;-)

 we have 50cm diameter puffy stickers on both sides of our landrover
 defender.  a real eyecatcher.

It's definitely an eyecatcher:

http://www.stilyagin.com/OpenBSD/dsc02748.jpg

Warning: large image!!!

-- 
Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]   |  http://phxbug.org/  |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation



Re: Speed Problems Part 2

2007-10-01 Thread rezidue
On 9/26/07, Stuart Henderson [EMAIL PROTECTED] wrote:

 On 2007/09/26 13:50, rezidue wrote:
 
  Order a 4.2 CD and install it as soon as you get it. 4.2 removed
 many
  bottlenecks in the network stack. In the meanwhile check out for
 the ip
  ifq len:
  # sysctl net.inet.ip.ifq
  net.inet.ip.ifq.len=0
  net.inet.ip.ifq.maxlen=256
  net.inet.ip.ifq.drops=0
 
  I bet your drops are non 0 and the maxlen is too small (256 is a
 better
  value for gigabit firewalls/routers).
  --
  :wq Claudio
 
  I've gone through the 4.1 and 4.2 changes in hopes I would find some
 clear
  reason as to why I'm having these issues but I've not seen anything.

 At the last hackathon, there was a lot of work done on profiling and
 optimizing the path through the network stack/PF; you'll see more about
 this at http://www.openbsd.org/papers/cuug2007/mgp00012.html (and the
 following pages).

  What exactly is this queue?  The odd thing is that I report a negative
  value for drops and it's counting down.

 The -ve is because it's a signed integer and has, on your system,
 exceeded the maximum value since bootup..

  net.inet.ip.ifq.drops=-1381027346
  I've put maxlen=256 and it seems to have slowed the count down.

 You might like to try bumping it up until it stops increasing (uh,
 decreasing. :-) And re-investigate when you get 4.2 (or make any other
 changes to the system).


I've now got both of my edge routers running 4.1 and there is definitely a
speed improvement overall.  Unfortunately I can't seem to get drops to stop
occurring and after hitting a traffic peak for the past three hours it looks
like this:

net.inet.ip.ifq.len=0
net.inet.ip.ifq.maxlen=4096
net.inet.ip.ifq.drops=1289636

About 100k existed before I managed to get drops to stop over the weekend
with maxlen=2048 but that's only a small portion of the total count now.
I'm afraid to raise maxlen but I'm tempted to see what value I would need to
get this to stop.  The box is peaking at about 180mbps, 30-40k pps.  I still
have plenty of resources available.  In top I've only seen interrupts on
cpu0 and it gets between 30-35% and goes back and forth to 0%.

Here is a dmesg:

 revision 1.0
uhub0 at usb0
uhub0: AMD OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 3 ports with 3 removable, self powered
ohci1 at pci1 dev 0 function 1 AMD 8111 USB rev 0x0b: irq 9, version 1.0,
legacy support
usb1 at ohci1: USB revision 1.0
uhpb1 at usb1
uhub1: AMD OHCI root hub, rev 1.00/1.00, addr 1
uhub1: 3 ports with 3 removable, self powered
pciide0 at pci1 dev 5 function 0 CMD Technology SiI3114 SATA rev 0x02: DMA
pciide0: using irq 10 for native-PCI interrupt
pciide0: port 0: device present, speed: 1.5Gb/s
wd0 at pciide0 channel 0 drive 0: WDC WD2500JS-19NCB1
wd0: 16-sector PIO  LBA48, 238475MB, 488397168 sectors
wd0(pciide0:0:0): using BIOS timings, Ultra-DMA mode 6
pciide0: port 1: device present, speed: 1.5Gb/s
wd1 at pciide0 channel 1 drive 0: WDC WD2500JS-19NCB1
wd1: 16-sector PIO, LBA48, 238475MB, 488397168 sectors
wd1(pciide0:1:0): using BIOS timings, Ultra-DMA mode 6
vga1 at pci1 dev 6 function 0 ATI Rage XL rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
AMD 8111 LPC rev 0x05 at pci0 dev 7 function 0 not configured
pciide1 at pci0 dev 7 function 1 AMD 8111 IDE rev 0x03: DMA, channel 0
configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide1 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: SONY, CD-RW CRX850E, 5YK3 SCSI0 5/cdrom
removable
cd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide1: channel 1 disabled (no drives)
AMD 8111 SMBus rev 0x02 at pci0 dev 7 function 2 not configured
AMD 8111 Power rev 0x05 at pci0 dev 7 function 3 not configured
ppb1 at pci0 dev 10 function 0 AMD 8131 PCIX rev 0x12
pci2 at ppb1 bus 2
bge0 at pci2 dev 9 function 0 Broadcom BCM5704C rev 0x03, BCM5704 A3
(0x2003): irq 5, address 00:e0:81:40:bd:8e
brgphy0 at bge0 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
bge1 at pci2 dev 9 function 1 Broadcom BCM5704C rev 0x03, BCM5704 A3
(0x2003): irq 10, address 00:e0:81:40:bd:8f
brgphy1 at bge1 phy 1: BCD5704 10/100/1000baseT PHY, rev. 0
AMD 8131 PCIX IOAPIC rev 0x01 at pci0 dev 10 function 1 not configured
ppb2 at pci0 dev 11 function 0 AMD 8131 PCIX rev 0x12
pci3 at ppb2 bus 1
AMD 8131 PCIX IOAPIC rev 0x01 at pci0 dev 11 function 1 not configured
pchb0 at pci0 dev 24 function 0 AMD AMD64 HyperTransport rev 0x00
pchb1 at pci0 dev 24 function 1 AMD AMD64 Address Map rev 0x00
pchb2 at pci0 dev 24 functian 2 AMD AMD64 DRAM Cfg rev 0x00
pchb3 at pci0 dev 24 function 3 AMD AMD64 Misc Cfg rev 0x00
pchb4 at pci0 dev 25 function 0 AMD AMD64 HyperTransport rev 0x00
pchb5 at pci0 dev 25 function 1 AMD AMD64 Address Map rev 0x00
pchb6 at pci0 dev 25 function 2 AMD AMD64 DRAM Cfg rev 0x00
pchb7 at pci0 dev 25 function 3 AMD AMD64 Misc Cfg rev 0x00
isa0 at mainbus0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 

Addendum to FAQ 4.8 - Multibooting OpenBSD/i386

2007-10-01 Thread Paul Stöber

If OpenBSD's MBR bootcode works for you (fdisk -u), you can hexedit
it so that it will boot a fixed MBR partition (instead of the
"active" one) if the user holds down either Alt key during boot.

The marked byte at offset 0x35 tells the fixed MBR partition
(04=first, 01=last).

Offset 0x2B
  old: 03
  new: 08

Offset 0x2E
  old: B0 07 E8 CB 00 80 0E B4 01 01
  new: E8 1A 01 EB 05 83 F9 01 EB 17
^^

Offset 0x148
  old: 6C 64 20 42 49 4F 53 0D 0A 00
  new: 0D 0A 00 C7 06 4D 00 EB E4 C3

Works with src/sys/arch/i386/stand/mbr/mbr.S revisions 1.19--1.21
(OpenBSD 3.5--4.2).

The patched MBR bootcode will print "MBR on floppy or o" instead
of "MBR on floppy or old BIOS", and the user cannot force CHS reads
by holding down Shift (biosboot(8)).
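Paul's procedure, as an added example that is not from his post: a patcher that refuses to write unless every "old" byte is in place (the check you want, since the offsets only hold for mbr.S 1.19 through 1.21), applies the three byte runs, and then sets the partition-select byte at offset 0x35 to 04 (first) or 01 (last). It works on an in-memory 512-byte image; the demo image builder is a constructed stand-in, not real bootcode, and the function names are my own.

```c
/* Added example, not from Paul's post: apply his byte patches to a 512-byte MBR
 * image only after checking that every "old" byte is present, so an MBR built
 * from a different mbr.S revision is left untouched rather than corrupted. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MBR_SIZE	512
#define MBR_PART_OFF	0x35	/* selects the fixed partition: 04 first, 01 last */
#define MBR_SIG_OFF	0x1FE	/* 55 AA boot signature */

struct mbr_patch { size_t off; size_t len; const uint8_t *from; const uint8_t *to; };

/* The byte runs from the post, at the documented offsets. */
static const uint8_t from_2b[] = { 0x03 }, to_2b[] = { 0x08 };
static const uint8_t from_2e[] = { 0xB0, 0x07, 0xE8, 0xCB, 0x00, 0x80, 0x0E, 0xB4, 0x01, 0x01 };
static const uint8_t to_2e[]   = { 0xE8, 0x1A, 0x01, 0xEB, 0x05, 0x83, 0xF9, 0x01, 0xEB, 0x17 };
static const uint8_t from_148[] = { 0x6C, 0x64, 0x20, 0x42, 0x49, 0x4F, 0x53, 0x0D, 0x0A, 0x00 };
static const uint8_t to_148[]   = { 0x0D, 0x0A, 0x00, 0xC7, 0x06, 0x4D, 0x00, 0xEB, 0xE4, 0xC3 };

static const struct mbr_patch patches[] = {
	{ 0x2B, sizeof from_2b, from_2b, to_2b },
	{ 0x2E, sizeof from_2e, from_2e, to_2e },
	{ 0x148, sizeof from_148, from_148, to_148 },
};
#define NPATCHES (sizeof patches / sizeof patches[0])

/* Compare a region byte by byte; the partition-select byte is ignored when
 * wild is set, because the user may have changed it after patching. */
static int
region_matches(const uint8_t *mbr, size_t off, const uint8_t *want, size_t len, int wild)
{
	size_t i;
	for (i = 0; i < len; i++)
		if (!(wild && off + i == MBR_PART_OFF) && mbr[off + i] != want[i])
			return 0;
	return 1;
}

/* 0: unpatched bootcode of the expected revision, 1: already patched,
 * -1: anything else (short image, bad signature, unknown bootcode). */
int
mbr_patch_state(const uint8_t *mbr, size_t len)
{
	size_t i;
	int all_old = 1, all_new = 1;

	if (len < MBR_SIZE || mbr[MBR_SIG_OFF] != 0x55 || mbr[MBR_SIG_OFF + 1] != 0xAA)
		return -1;
	for (i = 0; i < NPATCHES; i++) {
		all_old &= region_matches(mbr, patches[i].off, patches[i].from, patches[i].len, 0);
		all_new &= region_matches(mbr, patches[i].off, patches[i].to, patches[i].len, 1);
	}
	return all_old ? 0 : all_new ? 1 : -1;
}

/* Apply the patch in place. Returns 0 on success, -1 if the image is not the
 * expected unpatched bootcode (nothing is written), -2 if fixed_part is
 * neither 0x04 nor 0x01. */
int
mbr_apply_patch(uint8_t *mbr, size_t len, uint8_t fixed_part)
{
	size_t i;

	if (fixed_part != 0x04 && fixed_part != 0x01)
		return -2;
	if (mbr_patch_state(mbr, len) != 0)
		return -1;
	for (i = 0; i < NPATCHES; i++)
		memcpy(mbr + patches[i].off, patches[i].to, patches[i].len);
	mbr[MBR_PART_OFF] = fixed_part;
	return 0;
}

/* Constructed stand-in for an unpatched image: zeros plus the "old" bytes at
 * the documented offsets and the boot signature. Not real bootcode. */
void
mbr_make_demo_image(uint8_t mbr[MBR_SIZE])
{
	size_t i;

	memset(mbr, 0, MBR_SIZE);
	for (i = 0; i < NPATCHES; i++)
		memcpy(mbr + patches[i].off, patches[i].from, patches[i].len);
	mbr[MBR_SIG_OFF] = 0x55;
	mbr[MBR_SIG_OFF + 1] = 0xAA;
}
```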



Re: OpenBSD sticker considered cool by a layman

2007-10-01 Thread Anton Karpov
i have nothing to hide ;)
ps: landrover rocks...

2007/10/1, [EMAIL PROTECTED] [EMAIL PROTECTED]:
 On 30.09-10:03, Anton Karpov wrote:
 [ ... ]
  The same here. I have wireframe puffy on the back of my car. VERY
  attractive:

 of course, if you were _really_ security conscious you would have
 cropped the license plate, no?
  ;-)



Re: ipsec with carp

2007-10-01 Thread Patrick Hemmen
Ok.

Before using carp/sasyncd the IPsec tunnel had worked.
The isakmpd daemon listens on all interfaces/IP addresses.

I am illustrating my setup:

vpngw01: 10.10.10.101   
carp: 10.10.10.1 -- INTERNET -- remote gateway: 192.168.1.1
vpngw02: 10.10.10.102

My machines are vpngw01 and 02.
The IPSEC tunnel is negotiated between the addresses
10.10.10.1 and 192.168.1.1. But my master (vpngw01) tries to establish
the IPSEC connection with the non-carp address 10.10.10.101. The other
side is in passive mode.

Thanks for the replies.
Patrick

Brian A. Seklecki schrieb:
 Also:
 
 1) Does the documentation in ipsec(4) / isakmpd.conf(5) /
 sasyncd.conf(5) imply that all policies / security associations should
 be between the CARP HA L3 address?
 
 2) Is your isakmpd(8) binding to wildcard address?
 
 3) Did this problem evolve with the implementation of sasyncd(8) or did
 your IPSEC never work?
 
 ~BAS
 
 
 On Mon, 2007-10-01 at 08:16 -0700, Dag Richards wrote:
 Patrick Hemmen wrote:
 Hello all,

 I have two OpenBSD machines as a redundant VPN gateway. They use
 carp to share one IP address and sasyncd to synchronize SAs and SPDs.
 I set up an IPsec tunnel in /etc/ipsec.conf. The tunnel isn't
 established and the error PAYLOAD_MALFORMED appears in the logs.
 With tcpdump I can see that the initial packet (isakmp v1.0 exchange
 ID_PROT) to establish the tunnel comes from the host IP address and not
 from the carp address.

 Thanks in advance.
 Patrick

 Maybe it's the humidity.
 Maybe it's  something in your ipsec.conf file.
 Based on the info you have provided so far, both seem to be about as 
 likely as each other  ;)

 ipsec.conf
 ifconfig -A

 maybe a quote from your dumps
 and perhaps a bit of logging info 



Re: ipsec with carp

2007-10-01 Thread Brian A. Seklecki
You should be able to easily restrict the binding of the UDP/500 isakmp
port in isakmpd(8) to the CARP HA ipaddr.

Even if it has to bind as wildcard, you should be able to specify the
source address to bind to transmit from.

I just had this issue with mountd(8) on FreeBSD.

Check the man pages for both isakmpd.conf(5) and isakmpd(8).

~BAS

On Mon, 2007-10-01 at 19:40 +0200, Patrick Hemmen wrote:
 Ok.
 
 Before using carp/sasyncd the IPsec tunnel had worked.
 The isakmpd daemon listens on all interfaces/IP addresses.
 
 I am illustrating my setup:
 
 vpngw01: 10.10.10.101 
 carp: 10.10.10.1 -- INTERNET -- remote gateway: 192.168.1.1
 vpngw02: 10.10.10.102
 
 My machines are vpngw01 and 02.
 The IPSEC tunnel is negotiated between the addresses
 10.10.10.1 and 192.168.1.1. But my master (vpngw01) tries to establish
 the IPSEC connection with the non-carp address 10.10.10.101. The other
 side is in passive mode.
 
 Thanks for the replies.
 Patrick
 
 Brian A. Seklecki schrieb:
  Also:
  
  1) Does the documentation in ipsec(4) / isakmpd.conf(5) /
  sasyncd.conf(5) imply that all policies / security associations should
  be between the CARP HA L3 address?
  
  2) Is your isakmpd(8) binding to wildcard address?
  
  3) Did this problem evolve with the implementation of sasyncd(8) or did
  your IPSEC never work?
  
  ~BAS
  
  
  On Mon, 2007-10-01 at 08:16 -0700, Dag Richards wrote:
  Patrick Hemmen wrote:
  Hello all,
 
  I have two OpenBSD machines as a redundant VPN gateway. They use
  carp to share one IP address and sasyncd to synchronize SAs and SPDs.
  I set up an IPsec tunnel in /etc/ipsec.conf. The tunnel isn't
  established and the error PAYLOAD_MALFORMED appears in the logs.
  With tcpdump I can see that the initial packet (isakmp v1.0 exchange
  ID_PROT) to establish the tunnel comes from the host IP address and not
  from the carp address.
 
  Thanks in advance.
  Patrick
 
  Maybe it's the humidity.
  Maybe it's  something in your ipsec.conf file.
  Based on the info you have provided so far, both seem to be about as 
  likely as each other  ;)
 
  ipsec.conf
  ifconfig -A
 
  maybe a quote from your dumps
  and perhaps a bit of logging info 
 
 
 
 
 
 
 
-- 
Brian A. Seklecki [EMAIL PROTECTED]
Collaborative Fusion, Inc.







Re: Speed Problems Part 2

2007-10-01 Thread rezidue
I decided to pump up maxlen to 8192 to see what would happen and I thought
it actually had stopped the drops.  Unfortunately I was under the impression
they had stopped when I believe this was causing the count to not increase:

WARNING: mclpool limit reached; increase kern.maxclusters

I've pumped up kern.maxclusters to about 2.5x its original value and my
drops have begun to increment again along with pf congestion, which seems to
go hand in hand.

net.inet.ip.ifq.len=0
net.inet.ip.ifq.maxlen=8192
net.inet.ip.ifq.drops=1566435

I'm going to double it again and I'll report my findings shortly.  Again
though, this seems excessive.



On 10/1/07, rezidue [EMAIL PROTECTED] wrote:



 I've now got both of my edge routers running 4.1 and there is definitely a
 speed improvement over all.  Unfortunately I can't seem to get drops to stop
 occurring and after hitting a traffic peak for the past three hours it looks
 like this:

 net.inet.ip.ifq.len=0
 net.inet.ip.ifq.maxlen=4096
 net.inet.ip.ifq.drops=1289636



Message sent from our server www.cartipostale.ro !

2007-10-01 Thread www.cartipostale.ro
Message sent from our server www.cartipostale.ro.

Hello!
A postcard is always welcome.
A dear friend thought it was time to send you a postcard so that you
know he is thinking of you. He thought a suitable choice would be our
site www.cartipostale.ro !

Along with the postcard you also have a message attached. This is part
of it:
Hello! It has been a long time since I last heard from you and I thought
it would be nice to send you this postcard to cheer you up a bit!
I found out about this postcard site from some family friends. I hope
you like it too.
To receive this postcard please click on the following address
http://www.cartipostale.ro/download.php?ursulet223.gif and also to read
the rest of the message

===
Thank you for choosing the services offered by www.cartipostale.ro
!!!
You too can send a postcard to your friends to bring a ray of joy into
their hearts!!
Our services are completely free, so don't miss the chance and pass on
a postcard to each friend!
==



bridge.4 suggested clarification

2007-10-01 Thread Geoff Steckel

This addition to the bridge(4) man page may make it a little
easier for novices to use the combination of a bridge and pf.

diff -u bridge.4.a bridge.4
--- share/man/man4/bridge.4.a  Mon Oct  1 15:31:04 2007
+++ share/man/man4/bridge.4Mon Oct  1 15:36:54 2007
@@ -96,6 +96,9 @@
 .Xr ip6 4
 datagram; if so, the datagram is run through the
 pf interface so that it can be filtered.
+The datagram is sent to pf as input on the incoming interface and as output
+on all interfaces on which it is forwarded.
+The pf functionality never sees a packet attributed to the bridge interface.
 .Sh IOCTLS
 A
 .Nm
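Review bot: the three added lines name pf in plain text ("sent to pf", "The pf functionality") while this file cross-references other manual pages with .Xr (the hunk's own context line is `.Xr ip6 4`); for consistency with mdoc style, reference it as `.Xr pf 4` at its first mention in the added paragraph and replace the vague subject "The pf functionality never sees" with a plain "pf never sees a packet attributed to the bridge interface." Also worth checking whether the existing NOTES section of bridge(4) already describes the input/output attribution so the same statement does not end up in two places.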

Geoff Steckel



Re: bridge.4 suggested clarification

2007-10-01 Thread Jason McIntyre
On Mon, Oct 01, 2007 at 03:42:29PM -0400, Geoff Steckel wrote:
 This addition to the bridge(4) man page may make it a little
 easier for novices to use the combination of a bridge and pf.
 
 diff -u bridge.4.a bridge.4
 --- share/man/man4/bridge.4.a  Mon Oct  1 15:31:04 2007
 +++ share/man/man4/bridge.4Mon Oct  1 15:36:54 2007
 @@ -96,6 +96,9 @@
  .Xr ip6 4
  datagram; if so, the datagram is run through the
  pf interface so that it can be filtered.
 +The datagram is sent to pf as input on the incoming interface and as output
 +on all interfaces on which it is forwarded.
 +The pf functionality never sees a packet attributed to the bridge 
 interface.
  .Sh IOCTLS
  A
  .Nm
 

i think this is described in more detail in the NOTES section of
bridge(4). can you reread that section and see if it covers your diff
and, if not, look at integrating your diff into the NOTES section
instead?

jmc



Re: Tool for HD analyzing

2007-10-01 Thread Tony Abernethy
Calomel wrote:
 
 If you really want to check the drive and verify it has errors then check
 out the binary called badblocks. I do not believe OpenBSD has badblocks but
 you can use the cd distro system rescue cd and run badblocks from there
 without removing the drive from the current machine.
 
 NON-destructive BadBlock test (1gig ram in machine)
   badblocks -b 4096 -c 98304 -p 0 -s /dev/hda
 
 For a more detailed explanation http://calomel.org/badblocks_wipe.html
 
After spending (most of) the weekend recovering a failed drive (XP),
there's a few things about disks that are worth knowing.
(ALSO READ ANY AND ALL BY NICK HOLLAND! -- He knows whereof)
With a rescue CD 
(Don't use Windows without one)
(OpenBSD's purpose in life is NOT rescuing Windows computers)
ONE (only one) sector was unreadable (irrecoverable)
A good disk cloned from bad-disk was very unusable.
Running destructive badblocks showed that the disk had no errors.

Until the disk further degrades, it will test out good.
That disk is reserved with an EMERGENCY USE ONLY tag.

If things work the way I think they work,
the non-destructive read test will actually destroy ALL
ability to tell that the disks had (past tense) errors.
(remapping bad sectors)

(This oughta be off-list, but where else can you get good info ;-)
There are people on this list who actually know what I'm trying to talk about.



Re: You can't export non-ffs filesystems with NFS, and it isn't documented

2007-10-01 Thread Alexander Hall
Han Boetes wrote:
 Alexander Hall wrote:
 The problem is that nfs shares do not traverse file system
 mount points once initialized. Since nfs probably was started
 prior to mounting the msdos partition (with the noauto option in
 /etc/fstab), nfs would only share the contents of the mount
 point directory itself.

 A ``pkill -HUP mountd'' might help after mounting the msdos file
 system, in order to make mountd aware of the new file system
 overriding the mount point directory.
 
 I'm sorry, it doesn't work like you expect.

I stand corrected at this point. The file system to share is not
ultimately determined at the time of mountd start up or
(re-)configuration. However, it seems to be determined at the time of
the nfs mount, so if the mount was performed prior to mounting the msdos
file system, the client would only have access to the parent file
system. I could not read from your earlier posts if this was the case.

Some minor testing seems to indicate that the ``kill -HUP'' makes no
difference at all unless the exports file has been changed.

 On the OpenBSD server:
 
 ~% grep usb /etc/fstab
 /dev/sd0i  /mnt/usb msdos   rw,nodev,nosuid,noauto,noexec0   0
 ~% grep usb /etc/exports 
 /mnt/usb -maproot=han:nfs marsupilami
 ~% mount |grep usb
 /dev/sd0i on /mnt/usb type msdos (NFS exported, local, uid=1000, gid=0)
 ~% sudo pkill -HUP mountd
 ~% ls /mnt/usb 
 foofile
 
 On the linux client:
 
 ~% mount G /mnt/usb
 haddock:/mnt/usb on /mnt/usb type nfs (rw,addr=172.16.11.1)
 ~% ls /mnt/usb 

I am not sure here either which mount (nfs vs msdos) was performed first.

/Alexander



Re: ipsec with carp

2007-10-01 Thread Markus Wernig
Hi

The one time I remember getting that error was when I _thought_ I was
using certificates from /etc/isakmpd/{certsBprivate}, but still had a
local.pub and local.key from the installation lying around that got used
instead. Some more debug info (/var/log/daemon) would be helpful indeed.

krgds /m

Patrick Hemmen wrote:
 Hello all,
 
 I have two OpenBSD machines for a redundancy VPN-Gateway. They use
 carp to share one IP-Address and sasyncd to synchronize SAs and SPDs.
 I setup a ipsec-tunnel in /etc/ipsec.conf. The tunnel isn't
 established and the error PAYLOAD_MALFORMED appears in the logs.
 With tcpdump I can see that the initial packet (isakmp v1.0 exchange
 ID_PROT) to establish the tunnel come from the host IP-Address and not
 from the carp address.



wine question

2007-10-01 Thread Frank Bax
I installed wine-990225p0 from packages on 4.1 and can run simple 
programs like sol and notepad.  I have an old program I'm trying to run; 
but this program cannot find its own files unless the current working 
directory is set to the directory where software was installed.  It 
seems more recent wine versions support 'bat' files which would solve 
this; but this doesn't seem to work in this version.


When I try:
wine c://program.exe
the software complains that it cannot open LIBS\FOXTOOLS.FLL

This file is found at C:\\LIBS\FOXTOOLS.FLL

Is there a way to run something like this on wine 990225?:
cd 
program.exe

If this is not workable on 990225; do current wine versions work on OpenBSD?

Frank



Re: wine question

2007-10-01 Thread Antti Harri

On Mon, 1 Oct 2007, Frank Bax wrote:


If this is not workable on 990225; do current wine versions work on OpenBSD?


No, porting the latest version isn't trivial. There have been efforts to
do this on ports@ but they aren't completed.

Maybe someone will pick up the most recent port and finish it? 8-)

--
Antti Harri



Question on upgrade path from 3.9 to 4.1 (pf, carp, etc.)

2007-10-01 Thread kyle
Hey list..

I'm looking to upgrade my 3.9 boxes to 4.1. I plan on upgrading the
standby boxes first, and am expecting them to still be paired up
pf/carp/ospf-wise with the 3.9 active boxes while I burn them in. I
know in the past I ran into an issue where there were differences
between releases where pfsync wouldn't work (I'm forgetting a bunch of
details), but the point being when that had happened I needed to pull
the trigger and upgrade the active firewalls at the same time as well.

So, would pfsync work between a 3.9 and 4.1 box? Has the pf syntax
changed at all? Or can I restore my pf.conf from the 3.9 install onto
the 4.1 install without needing to make modifications? Would carp
still work?

Anyway, any gotchas in a 3.9+4.1 pair of firewalls?



Re: help

2007-10-01 Thread Edwards, David (JTS)
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On Behalf Of Roger Sistla
 Sent: Monday, 1 October 2007 9:09 PM
 To: misc@openbsd.org
 Subject: help

 help

   ---+---

 ___ /^^[___  _

/|^++   |#___//

  ( -+ ||   ___-+/

   ==_--'\

 ~_|___|__



---
Dave Edwards



Re: Question on upgrade path from 3.9 to 4.1 (pf, carp, etc.)

2007-10-01 Thread Nick Holland
kyle wrote:
 Hey list..
 
 I'm looking to upgrade my 3.9 boxes to 4.1. I plan on upgrading the
 standby boxes first, and am expecting them to still be paired up
 pf/carp/ospf-wise with the 3.9 active boxes while I burn them in. I
 know in the past I ran into an issue where there were differences
 between releases where pfsync wouldn't work (I'm forgetting a bunch of
 details), but the point being when that had happened I needed to pull
 the trigger and upgrade the active firewalls at the same time as well.
 
 So, would pfsync work between a 3.9 and 4.1 box? Has the pf syntax
 changed at all? Or can I restore my pf.conf from the 3.9 install onto
 the 4.1 install without needing to make modifications? Would carp
 still work?
 
 Anyway, any gotchas in a 3.9+4.1 pair of firewalls?

I'm not sure what you mean by "burn them in" -- these are existing
machines, running 3.9..they've been burning in for over a year now.
They work.  Letting the standby boxes run 4.1 while all the traffic
is going through the 3.9 boxes isn't doing any kind of testing at all.

Do one box at a time, but keep moving, do them both.  Don't split
the machines like you are planning.

You may have some issues on the 4.0 - 4.1 transition, as the PF
rule interpretation has changed, though that won't be a pfsync
issue, that's a rules issue, and your 4.0 rules may run a tiny bit
differently in 4.1 (and usually, better.  It may fix things you
didn't know you had problems with!)

Do your work off-hours.  That way, if you do break a state, it won't
matter much, and probably no one will notice.  Even if you ignore
the CARP/PF issues, if you screw up, less likely anyone will notice.

Some notes from a PF and CARP developer for a FAQ article, er..I
haven't written:

-1) Make sure your aliases match on the carp interfaces between
boxes.  You don't want to have five IP addresses on carp0 on one
box and three on the other.  Trust me on this.
0) Make sure your PF rules are synced, both on disk and in use.
1) completely upgrade your secondary box
2) Edit the hostname.carp files on the primary to have a higher
advskew than the secondary.  Yes, edit the files.
3) reboot primary, secondary will take over, and because of step
two above, primary will stay..er..secondary.

IF there was going to be a problem, this is when it happens.

4) Test.  If there is any problem, fix or restore hostname.carp*
on primary and reboot, primary will take back over until you
figure out what went wrong.

5) Upgrade primary, verify states are syncing.

At this point, either move the stickers on the firewalls showing
which is primary and which is secondary, or restore your advskew
values.

Either way, AFTER the upgrades are complete, make sure both
firewalls have had a chance to be MASTER to make sure it all
works.  This is non-peak time, remember?  This is when you do
this kind of testing.

Do this all in one sitting.  Don't leave it mixed-versions.

Do it this way, and you really risk only one bump in the
process.

Nick.
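
A pre-flight check for steps -1 and 2 of the list above, as an added example that is not part of Nick's post or of OpenBSD itself: it compares the address and alias lines of the two boxes' hostname.carpN files and confirms the primary has been given the higher advskew before it is rebooted. The sample files are constructed, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread: pre-flight check for steps -1 and 2
# above.  Both boxes must carry the same addresses/aliases in their
# hostname.carpN files, and the primary must hold the higher advskew so it
# stays BACKUP after its reboot.  Function names are hypothetical.

# Address and alias lines only (vhid/pass/advskew stripped), sorted so the
# two files compare regardless of line order.
carp_addrs() {
    sed -n 's/[[:space:]]*vhid.*$//; /^inet/p' "$1" | sort
}

# advskew of the first line that has one; carp treats a missing advskew as 0.
carp_advskew() {
    skew=$(sed -n 's/.*advskew[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    echo "${skew:-0}"
}

# carp_check PRIMARY_FILE SECONDARY_FILE
#   0: address sets match and primary advskew > secondary advskew
#   1: address/alias sets differ   2: advskew ordering is wrong
carp_check() {
    if [ "$(carp_addrs "$1")" != "$(carp_addrs "$2")" ]; then
        echo "alias mismatch between $1 and $2" >&2
        return 1
    fi
    if [ "$(carp_advskew "$1")" -le "$(carp_advskew "$2")" ]; then
        echo "primary advskew $(carp_advskew "$1") must exceed secondary's" >&2
        return 2
    fi
    return 0
}

# Constructed sample files (documentation addresses): primary already edited
# to advskew 100, secondary at 0, and a third file that lost the alias.
carp_samples() {
    d=$(mktemp -d)
    cat > "$d/primary" <<'EOF'
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 pass s3cret advskew 100
inet alias 192.0.2.2 255.255.255.255
EOF
    cat > "$d/secondary" <<'EOF'
inet alias 192.0.2.2 255.255.255.255
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 pass s3cret advskew 0
EOF
    printf 'inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 pass s3cret\n' > "$d/noalias"
    echo "$d"
}

d=$(carp_samples)
carp_check "$d/primary" "$d/secondary" && echo "ok: safe to reboot the primary"
carp_check "$d/primary" "$d/noalias" || echo "refusing: fix hostname.carp* first"
```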



Re: Addendum to FAQ 4.8 - Multibooting OpenBSD/i386

2007-10-01 Thread Nick Holland
Paul Stöber wrote:
 If OpenBSD's MBR bootcode works for you (fdisk -u), you can hexedit
 it so that it will boot a fixed MBR partition (instead of the
 ``active'' one) if the user holds down either Alt key during boot.
 
 The marked byte at offset 0x35 tells the fixed MBR partition
 (04=first, 01=last).
 
 Offset 0x2B
old: 03
new: 08
 
 Offset 0x2E
old: B0 07 E8 CB 00 80 0E B4 01 01
new: E8 1A 01 EB 05 83 F9 01 EB 17
  ^^
 
 Offset 0x148
old: 6C 64 20 42 49 4F 53 0D 0A 00
new: 0D 0A 00 C7 06 4D 00 EB E4 C3
 
 Works with src/sys/arch/i386/stand/mbr/mbr.S revisions 1.19--1.21
 (OpenBSD 3.5--4.2).
 
 The patched MBR bootcode will print "MBR on floppy or o" instead
 of "MBR on floppy or old BIOS", and the user cannot force CHS reads
 by holding down Shift (biosboot(8)).

That's a neat trick, having done a lot of that kind of binary code
modification back in the 1980s (in CP/M and DDT or DU) I gotta
respect that, but I'm not putting that in the FAQ. :) It's a bit
too hack-ish for the 21st century.

You are, however, on your way to a rather nifty boot selector.
Finish it up (make your mod in source, write a maintenance program
for it so you don't have to manually edit the sector and make the
maintenance program open source and available for multiple
platforms), and you have a nifty boot selector that works slicker
than many big name ones for people who know what they are doing.
(don't forget the logo, mascot, mail list and website.  You are
doing it in the wrong order, though -- you aren't supposed to do
the coding first! :)

Hint: Rather than using CTRL or ALT or SHIFT, try NumLock, CapsLock
or ScrollLock.  That way, you can tap the key and walk away if your
machine takes an eternity to boot.  Probably won't work for all
systems (I suspect some will clear 'em all before the MBR is loaded)
but beats waiting around for those that it does work with.  I used
to use this with a batch file that determined how an old DOS/Win3
machine I had would boot.

Nick.
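
Paul's byte patch above as a guarded script, added here and not part of either post: it refuses to write unless all three "old" sequences are at their offsets (the post says the patch fits mbr.S revisions 1.19 to 1.21 only), then applies the "new" bytes and sets offset 0x35 to the chosen partition. It works on an MBR image file rather than a live disk, the 512-byte image is constructed test data, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread.  Applies the byte patch from the post
# to an MBR image file, but only after verifying the "old" bytes are there:
# the post says the patch fits mbr.S revisions 1.19-1.21 only.  Function
# names are hypothetical; the sample image below is constructed test data.

# mbr_bytes FILE OFFSET COUNT -> upper-case hex bytes, e.g. "B0 07 E8"
mbr_bytes() {
    od -An -tx1 -j "$2" -N "$3" "$1" | tr -s ' \n' '  ' |
        sed 's/^ //; s/ $//' | tr 'a-f' 'A-F'
}

# mbr_patchable FILE: true only if all three "old" sequences are in place.
mbr_patchable() {
    [ "$(mbr_bytes "$1" 43 1)" = "03" ] &&
    [ "$(mbr_bytes "$1" 46 10)" = "B0 07 E8 CB 00 80 0E B4 01 01" ] &&
    [ "$(mbr_bytes "$1" 328 10)" = "6C 64 20 42 49 4F 53 0D 0A 00" ]
}

# mbr_poke FILE OFFSET OCTAL-ESCAPED-BYTES: overwrite bytes in place.
mbr_poke() {
    printf "$3" | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null
}

# mbr_patch FILE [04|01]: apply the patch; the second argument is the byte
# at 0x35 that selects the fixed partition (04=first, 01=last).
mbr_patch() {
    mbr_patchable "$1" || { echo "$1: unexpected bytes, refusing" >&2; return 1; }
    mbr_poke "$1" 43  '\010'                                      # 0x2B: 03 -> 08
    mbr_poke "$1" 46  '\350\032\001\353\005\203\371\001\353\027'  # 0x2E
    mbr_poke "$1" 328 '\015\012\000\307\006\115\000\353\344\303'  # 0x148
    case "${2:-01}" in
        04) mbr_poke "$1" 53 '\004' ;;
        *)  mbr_poke "$1" 53 '\001' ;;
    esac
}

# Constructed 512-byte image carrying only the "old" bytes (rest zero).
mbr_sample() {
    f=$(mktemp)
    dd if=/dev/zero of="$f" bs=512 count=1 2>/dev/null
    mbr_poke "$f" 43  '\003'
    mbr_poke "$f" 46  '\260\007\350\313\000\200\016\264\001\001'
    mbr_poke "$f" 328 '\154\144\040\102\111\117\123\015\012\000'
    echo "$f"
}

img=$(mbr_sample)
mbr_patch "$img" 04 && echo "patched 0x2E: $(mbr_bytes "$img" 46 10)"
mbr_patch "$img" 04 || echo "second run refused, as intended"
```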



Re: OpenBSD sticker considered cool by a layman

2007-10-01 Thread Todd Alan Smith
On 10/1/07, Anton Karpov [EMAIL PROTECTED] wrote:
 i have nothing to hide ;)

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565



I need a new non-sucky laptop...

2007-10-01 Thread Chris Kuethe
Through mysterious circumstances, my Thinkpad T42 disappeared in the
Minneapolis airport today.

I know it went into the xray machine. I know I didn't have it in my
carry-on when I got home. When and where it went between those two
points, I cannot say. I've called the airports, the airlines, the TSA
security checkpoint and lost/found ... no joy.  I'll continue bugging
Them for the next couple of days, but I'm about ready to put my Monty
Python hat on and say "It is an ex-Laptop!"

Now with that tale out of the way, what's good for laptops these days?

I'm likely to dual-boot windows so I can occasionally run IDA, Google
Earth, BZFlag and various GPS tools... (which means that some kind of
OpenGL support would be nice). Primarily (i.e. except for an hour or so
on patch tuesday) it'd be running openbsd. Things that might be nice
to have:
* DVD writer
* working sound
* onboard gbit net
* a/b/g wireless
* usb2
* a real serial port
* working suspend/resume
* accelerated X

That's not too much to ask, is it? ;) If some nice people could help
me find one, that would be just super.

CK

-- 
GDB has a 'break' feature; why doesn't it have 'fix' too?