Re: I'm embarrassed. (Re: shell not reading login script)
On Heisei 20/08/21 (2008/08/21), at 12:12, Philip Guenther wrote:

> 2008/8/20 Joel Rees [EMAIL PROTECTED]:
>> export PROFMARKER=.profile
>>
>> would you believe I put that in .profile, like the marker said?
>>
>> setenv CSHMARKER .cshrc
>>
>> would you believe I put that in .cshrc?
>>
>> setenv LOGINMARKER .login
>>
>> would you believe I put that in .login?
>>
>> (hangs head in shame.)

(Tilts head in puzzlement this time.)

>> If you're wondering why the shotgun approach, I couldn't figure out, with my login shell set to sh, why the shell was behaving like csh. Still don't get it. Except, csh picks up one marker, sh and ksh pick up none. So I'm still puzzled
>
> I love how you don't actually describe where you put those or which 'marker' did get 'picked up'. No wait, I actually find that really annoying. Why do people leave relevant facts out?

I suppose you couldn't be bothered to read my rambling notes if I couldn't be bothered to dig into the archives to find your glorious contribution that I didn't know was there?

Well, I read it and I thought about it, and it sounds like what you're saying is that fvwm x11 sessions are giving me interactive shells instead of login shells? That .profile is not the same as .bash_profile? That it's probably not a good idea to have x11 sessions attempt to process the same script that starts up your login session when you login at a character terminal?

I'll have to think about that for a while. I mean, it sort of makes sense. X11 is going to need parameters set that would be at best superfluous in a console shell and could well get in the way. But right now I'm having a bit of a hard time imagining why I would want environment settings in a console sh shell that I wouldn't want in an x11 sh session shell. Unless I were logging in to the same user to write open office documents as I was logging in to start and stop various daemons. Which shouldn't really happen, but I suppose it does.
Okay, it seems like I would want three separate places to specify startup parameters -- one file for login parameters that are independent of the shell, one set of files for parameters to X11, and one startup file for the specific shell. And you're telling me it doesn't work that way?

>> ... etc. But none of the markers show up in a printenv, whether I simply start a new xterm, or go to the trouble of logging out and back in.
>
> Okay, you need to review the sh(1) and csh(1) manpages and read where they describe when the .profile or .cshrc and .login are read. Pay attention to the phrase "login shell". Then go read the xterm(1) manpage and search for the phrase "login shell".

There are lots of things I need to do. (For one thing, I need to figure out why X11's keyboard stuff isn't even getting four kind of important keys into the keycode matrix at all. You can see my attempts at embarrassing myself on that subject in the ppc@ list.)

>> Anyone willing to tell me what's wrong with my thinking here?
>
> 1) Failure to read the manpages

Or the right parts of them in the right frame of mind, at any rate.

> 2) Failure to search the archives (I posted a long explanation of when the .profile is read vs $ENV recently.)

Okay, so now I search at http://marc.info/?l=openbsd-misc for "profile" and I see a post with your name: "Re: Can't scp, ssh is slow to authenticate."

http://marc.info/?l=openbsd-misc&m=121705461723704&w=2

Not sure why I should understand that problems with scp and ssh have anything directly to do with not knowing the right place to set shell variables, but your post is definitely there.

Yeah, I could have spent yet another several hours or so trying to think of more things to look for in the man pages and at marc, and wandering around in the results of random searches wondering which is relevant, and maybe I'd have stumbled onto that post. But I've found that spinning my wheels too long just makes the neighborhood smell of rubber.

Sorry. I'm slow. Bad memory, too.
Comes from my age, I suppose.

But thanks for the pointers. Gives me something to think about, like whether I might reconsider whether getting stuck in twisty mazes in Fedora 9 is any worse than being stuck in twisty mazes in OpenBSD.

Not trying to be threatening or insulting, I just don't have a lot of time left this summer, and the iBook install exposes more of the rough edges either way. All I'm looking for is a way to take some open source tools with me to the schools I teach English at without breaking my budget and alienating my wife and generating more used equipment for the landfill.

Joel Rees
(waiting for a 3+GHz ARM processor to come out, to test Steve's willingness to switch again.)
Re: Vlan Tag on Vlan Tag (l2tunneling)
* Insan Praja SW [EMAIL PROTECTED] [2008-08-21 05:25]:
> Hi Misc@,
>
> I'm currently busting my a** to set up a cizcoz catalyst 3550 to do dot1q tunneling over an EoMPLS network. It seems the only way to do it is to use these 3*50 Catalysts. But I'm curious: if I created a vlan interface over a vlan interface on OBSD (i.e., create a vlan interface over a phy_if, say vlan2 with vlan id 2, and then create another vlan_if, say vlan4 with vlan id 4, over vlan2), does it make it compatible with sicko l2tunneling/dot1q-tunneling?

you can stack vlans. aka

ifconfig vlan2 vlan 2 vlandev em0
ifconfig vlan4 vlan 4 vlandev vlan2

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: bgpd extension handling capabilities
* Graeme Lee [EMAIL PROTECTED] [2008-08-21 03:31]:
> Henning Brauer wrote:
>> * Graeme Lee [EMAIL PROTECTED] [2008-08-21 01:51]:
>>> I've had to connect to a new upstream peer which is advertising an IPv4 safi of 128 (MPLS-labelled VPN address), see http://www.iana.org/assignments/safi-namespace
>>>
>>> I've modified the source to temporarily ignore this (actually anything over 127) as it currently only accepts 1 thru 3. Once the session is established, everything works well.
>>>
>>> What I really need to know is if this is potentially A Huge Mistake, or should bgpd be able to ignore unsupported capabilities being advertised to it?
>>
>> the standards are pretty unclear about it, but the most logical interpretation is that we have to send back a notification telling the peer that we don't support this so capability negotiation actually works.
>>
>> what is the peer? first time i hear sth doesn't work w/ capa negotiation...
>
> The peer is NexGen networks. I gather they're using an Alcatel OS/R.
>
> All I've done to work around this at present is extended the test in session.c to ignore mp_safi 128 after the first test fails. Otherwise I just get this in the log every 30 seconds:
>
> Aug 19 11:01:30 gw-nexgen bgpd[22795]: neighbor 121.200.227.93 (NexGen): state change Idle -> Active, reason: Start
> Aug 19 11:01:30 gw-nexgen bgpd[22795]: neighbor 121.200.227.93 (NexGen): state change Active -> OpenSent, reason: Connection opened
> Aug 19 11:01:30 gw-nexgen bgpd[22795]: neighbor 121.200.227.93 (NexGen): parse_capabilities: AFI IPv4, mp_safi 128 illegal
> Aug 19 11:01:30 gw-nexgen bgpd[22795]: neighbor 121.200.227.93 (NexGen): state change OpenSent -> Idle, reason: OPEN message received

oh. you're not talking about a capability but a safi. otoh i don't really remember what the standards demand about that. we can probably ignore unknown safis there since that is just the neighbor telling us he would accept prefixes of that safi.
-- Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED] BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting - Hamburg Amsterdam
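The parsing discipline Henning's last remark implies, as an added example that is not bgpd's code: walk the Capabilities optional parameter of a BGP OPEN, check every length before reading, and treat a Multiprotocol Extensions capability with an AFI/SAFI pair we don't handle as something to log and skip rather than as a fatal parse error that drops the session. The function and struct names are mine; the "SAFI 1 thru 3" range is taken from Graeme's description of what bgpd accepts, and the sample bytes are constructed to mirror the peer in the thread (IPv4/unicast plus IPv4/SAFI 128).

```c
/* Added example (not bgpd's code): parse the Capabilities optional parameter
 * of a BGP OPEN (RFC 3392/5492 layout: <code:1><length:1><value:length>...)
 * and treat an unsupported AFI/SAFI in a Multiprotocol Extensions capability
 * as "log and ignore", not as a malformed message. Every read is bounds-checked
 * so a peer cannot make the parser run past the end of the buffer. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define CAPA_MP_EXT      1     /* Multiprotocol Extensions capability code */
#define AFI_IPV4         1
#define SAFI_MPLS_VPN  128     /* MPLS-labelled VPN, the SAFI from the thread */

struct capa_summary {
    int mp_accepted;   /* MP capabilities with a SAFI we handle */
    int mp_ignored;    /* MP capabilities we logged and skipped */
    int other;         /* capabilities with other codes (e.g. route refresh) */
};

/* Assumption taken from the thread: only SAFI 1..3 are handled; anything else
 * is just the neighbor saying what it would accept, so it is skipped. */
static int safi_handled(uint16_t afi, uint8_t safi)
{
    (void)afi;
    return safi >= 1 && safi <= 3;
}

/* Returns 0 on success, -1 if a capability header or value would run past
 * len (or an MP capability is not exactly 4 bytes: AFI(2) Reserved(1) SAFI(1)). */
int bgp_capabilities_parse(const uint8_t *p, size_t len, struct capa_summary *s)
{
    size_t off = 0;

    s->mp_accepted = s->mp_ignored = s->other = 0;
    while (off < len) {
        if (len - off < 2)
            return -1;                      /* truncated capability header */
        uint8_t code = p[off], clen = p[off + 1];
        const uint8_t *val = p + off + 2;
        if (len - off - 2 < clen)
            return -1;                      /* value runs past the buffer */

        if (code == CAPA_MP_EXT) {
            if (clen != 4)
                return -1;
            uint16_t afi = (uint16_t)((val[0] << 8) | val[1]);
            uint8_t safi = val[3];
            if (safi_handled(afi, safi)) {
                s->mp_accepted++;
            } else {
                fprintf(stderr, "AFI %u, mp_safi %u unsupported, ignoring\n", afi, safi);
                s->mp_ignored++;
            }
        } else {
            s->other++;
        }
        off += 2 + clen;
    }
    return 0;
}

/* One-figure convenience: field 0/1/2 = accepted/ignored/other, -1 if malformed. */
int bgp_capabilities_count(const uint8_t *p, size_t len, int field)
{
    struct capa_summary s;
    if (bgp_capabilities_parse(p, len, &s) != 0)
        return -1;
    return field == 0 ? s.mp_accepted : field == 1 ? s.mp_ignored : s.other;
}

/* Constructed sample: IPv4/unicast, IPv4/128 (what the peer in the thread
 * advertises) and a zero-length Route Refresh capability (code 2). */
const uint8_t sample_capas[] = {
    0x01, 0x04, 0x00, AFI_IPV4, 0x00, 0x01,
    0x01, 0x04, 0x00, AFI_IPV4, 0x00, SAFI_MPLS_VPN,
    0x02, 0x00,
};
const size_t sample_capas_len = sizeof sample_capas;

/* Constructed sample: header claims 4 value bytes but only 2 follow. */
const uint8_t truncated_capas[] = { 0x01, 0x04, 0x00, AFI_IPV4 };
const size_t truncated_capas_len = sizeof truncated_capas;

int main(void)
{
    struct capa_summary s;

    if (bgp_capabilities_parse(sample_capas, sample_capas_len, &s) == 0)
        printf("accepted %d, ignored %d, other %d\n",
               s.mp_accepted, s.mp_ignored, s.other);
    if (bgp_capabilities_parse(truncated_capas, truncated_capas_len, &s) != 0)
        printf("truncated capability rejected\n");
    return 0;
}
```

Whether a skipped SAFI should additionally be answered with an "Unsupported Capability" NOTIFICATION, as Henning first suggested, is the policy question the thread leaves open; the parser above only makes sure the decision is taken with the session intact and the event in the log.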
Re: Vlan Tag on Vlan Tag (l2tunneling)
On 2008-08-21, Henning Brauer [EMAIL PROTECTED] wrote:
> * Insan Praja SW [EMAIL PROTECTED] [2008-08-21 05:25]:
>> Hi Misc@,
>>
>> I'm currently busting my a** to set up a cizcoz catalyst 3550 to do dot1q tunneling over an EoMPLS network. It seems the only way to do it is to use these 3*50 Catalysts. But I'm curious: if I created a vlan interface over a vlan interface on OBSD (i.e., create a vlan interface over a phy_if, say vlan2 with vlan id 2, and then create another vlan_if, say vlan4 with vlan id 4, over vlan2), does it make it compatible with sicko l2tunneling/dot1q-tunneling?
>
> you can stack vlans. aka
>
> ifconfig vlan2 vlan 2 vlandev em0
> ifconfig vlan4 vlan 4 vlandev vlan2

I think you have to take a hit on MTU, so this is probably better on gigabit interfaces that are configured for jumbo frames (using ifconfig to increase MTU configures them for jumbos).

Cisco does something similar (qinq) but iirc they use a different ethertype, so it may not be directly compatible.

>> I wish I had spare ports on my obsd machine so I can try this out.

You could really use another machine for testing ...
Re: Vlan Tag on Vlan Tag (l2tunneling)
On Thu, Aug 21, 2008 at 09:50:35AM +0000, Stuart Henderson wrote:
| you can stack vlans. aka
| 
| ifconfig vlan2 vlan 2 vlandev em0
| ifconfig vlan4 vlan 4 vlandev vlan2
| 
| 
| I think you have to take a hit on MTU, so this is probably better
| on gigabit interfaces that are configured for jumbo frames (using
| ifconfig to increase MTU configures them for jumbos).
| 
| Cisco does something similar (qinq) but iirc they use a different
| ethertype, so it may not be directly compatible.

The standard specifies 0x88a8 for 'qinq' or 'stacked vlans' or 802.1ad (Provider Bridges). OpenBSD uses 0x8100 for both the outer and the inner ethertype (which may give interoperability issues with other vendors, don't know, don't have gear that supports it).

Attached is a patch that adds ETHERTYPE_8021AD to ethertypes.h.

Cheers,

Paul 'WEiRD' de Weerd

-- 
[++-]+++.+++[---].+++[+ +++-].++[-]+.--.[-]
http://www.weirdnet.nl/

Index: ethertypes.h === RCS file: /cvs/src/sys/net/ethertypes.h,v retrieving revision 1.9 diff -u -r1.9 ethertypes.h --- ethertypes.h5 May 2008 13:40:17 - 1.9 +++ ethertypes.h21 Aug 2008 11:22:02 - @@ -300,6 +300,7 @@ #defineETHERTYPE_LANPROBE 0x /* HP LanProbe test? */ #defineETHERTYPE_PAE 0x888E /* 802.1X Port Access Entity */ #defineETHERTYPE_AOE 0x88A2 /* ATA over Ethernet */ +#defineETHERTYPE_8021AD0x88A8 /* 802.1ad VLAN stacking */ #defineETHERTYPE_LLDP 0x88CC /* Link Layer Discovery Protocol */ #defineETHERTYPE_LOOPBACK 0x9000 /* Loopback */ #defineETHERTYPE_LBACK ETHERTYPE_LOOPBACK /* DEC MOP loopback */
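Review bot: the hunk adds the ETHERTYPE_8021AD define but nothing else in the patch consumes it, so vlan(4) keeps tagging and matching 0x8100 at both levels and the interoperability gap described in the mail is unchanged; the define only earns its place together with the ether_input()/vlan_input() dispatch and the vlan output path that would use it. Also settle the name before this lands: the same value is introduced elsewhere in this thread as ETHERTYPE_QINQ, and ethertypes.h should carry one name for 0x88A8, not two.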
Re: Vlan Tag on Vlan Tag (l2tunneling)
* Paul de Weerd [EMAIL PROTECTED] [2008-08-21 13:48]:
> On Thu, Aug 21, 2008 at 09:50:35AM +0000, Stuart Henderson wrote:
> | you can stack vlans. aka
> | 
> | ifconfig vlan2 vlan 2 vlandev em0
> | ifconfig vlan4 vlan 4 vlandev vlan2
> | 
> | I think you have to take a hit on MTU, so this is probably better
> | on gigabit interfaces that are configured for jumbo frames (using
> | ifconfig to increase MTU configures them for jumbos).
> | 
> | Cisco does something similar (qinq) but iirc they use a different
> | ethertype, so it may not be directly compatible.
>
> The standard specifies 0x88a8 for 'qinq' or 'stacked vlans' or 802.1ad (Provider Bridges). OpenBSD uses 0x8100 for both the outer and the inner ethertype (which may give interoperability issues with other vendors, don't know, don't have gear that supports it).
>
> Attached is a patch that adds ETHERTYPE_8021AD to ethertypes.h.

no point in just doing that. a button to change the ether type would make sense.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: Vlan Tag on Vlan Tag (l2tunneling)
On Thu, Aug 21, 2008 at 01:49:18PM +0200, Henning Brauer wrote:
> * Paul de Weerd [EMAIL PROTECTED] [2008-08-21 13:48]:
>> On Thu, Aug 21, 2008 at 09:50:35AM +0000, Stuart Henderson wrote:
>> | you can stack vlans. aka
>> | 
>> | ifconfig vlan2 vlan 2 vlandev em0
>> | ifconfig vlan4 vlan 4 vlandev vlan2
>> | 
>> | I think you have to take a hit on MTU, so this is probably better
>> | on gigabit interfaces that are configured for jumbo frames (using
>> | ifconfig to increase MTU configures them for jumbos).
>> | 
>> | Cisco does something similar (qinq) but iirc they use a different
>> | ethertype, so it may not be directly compatible.
>>
>> The standard specifies 0x88a8 for 'qinq' or 'stacked vlans' or 802.1ad (Provider Bridges). OpenBSD uses 0x8100 for both the outer and the inner ethertype (which may give interoperability issues with other vendors, don't know, don't have gear that supports it).
>>
>> Attached is a patch that adds ETHERTYPE_8021AD to ethertypes.h.
>
> no point in just doing that. a button to change the ether type would make sense.

If we stack vlan interfaces I don't see a real need for such a button. This could be figured out either at configuration time or at runtime. E.g. just check if the ethertype is 0x8100 and add the next vlan tag as 0x88a8. This would also allow the use of a bridge for qinq setups. Because of this I think doing it at runtime is best.

-- 
:wq Claudio
ipsec vpn problem
Have a problem getting a vpn tunnel up between a zyxel vpn gw and my openbsd 4.3 system.

/etc/ipsec.conf:

ike passive from any to any \
	main auth hmac-sha1 enc 3des group modp1024 \
	quick auth hmac-sha1 enc 3des group none \
	psk openbsdrules

Below follows output from cmd: isakmpd -d -DA=99 -K

In the output is the line:

173307.589683 Exch 90 check_vendor_openbsd: bad size 20 != 16

which does not seem to cause any problems. And then further down the line:

173307.682833 Default sendmsg (14, 0xcfbd65a0, 0): Permission denied

which does not have any lines before it which (to me) explain what goes wrong. These two lines are what I found strange, but I have no idea where to go from here.

Thanks,
Claus

173307.533538 Trpt 70 transport_setup: added 0x7ce24ac0 to transport list
173307.534309 Trpt 70 transport_setup: added 0x7ce24b00 to transport list
173307.535214 Trpt 50 virtual_clone: old 0x7ce24680 new 0x7ce249c0 (main is 0x7ce24ac0)
173307.536014 Trpt 70 transport_setup: virtual transport 0x7ce249c0
173307.536809 Trpt 95 transport_reference: transport 0x7ce249c0 now has 1 references
173307.537700 Mesg 90 message_alloc: allocated 0x83151280
173307.538473 Mesg 70 message_recv: message 0x83151280
173307.539310 Mesg 70 ICOOKIE: 4558dc89993e4538
173307.540292 Mesg 70 RCOOKIE:
173307.540993 Mesg 70 NEXT_PAYLOAD: SA
173307.541788 Mesg 70 VERSION: 16
173307.542575 Mesg 70 EXCH_TYPE: ID_PROT
173307.543469 Mesg 70 FLAGS: [ ]
173307.544277 Mesg 70 MESSAGE_ID:
173307.544951 Mesg 70 LENGTH: 128
173307.546067 Mesg 70 message_recv: 4558dc89 993e4538 01100200 0080 0d38
173307.547105 Mesg 70 message_recv: 0001 0001 002c 01010001 0024 0101 80010005 80020002
173307.548131 Mesg 70 message_recv: 80030001 80040002 800b0001 000c0004 00015180 0d14 afcad713 68a1f1c9
173307.549317 Mesg 70 message_recv: 6b8696fc 77570100 0018 62502774 9d5ab97f 5616c160 2765cf48 0a3b7d0b
173307.550011 SA 90 sa_find: no SA matched query
173307.550936 Mesg 50 message_parse_payloads: offset 28 payload SA
173307.551623 Mesg 50 message_parse_payloads: offset 84 payload VENDOR
173307.552429 Mesg 50 message_parse_payloads: offset 104 payload VENDOR
173307.553226 Mesg 60 message_validate_payloads: payload SA at 0x8315131c of message 0x83151280
173307.554202 Mesg 70 DOI: 1
173307.554834 Mesg 70 SIT:
173307.555797 Misc 95 conf_get_str: configuration value not found [Phase 1]:195.184.124.220
173307.556514 Misc 95 conf_get_str: [Phase 1]:Default->peer-default
173307.557474 Misc 95 conf_get_str: [peer-default]:Configuration->mm-default
173307.558177 Misc 95 conf_get_str: configuration value not found [mm-default]:DOI
173307.558977 Misc 95 conf_get_str: [mm-default]:EXCHANGE_TYPE->ID_PROT
173307.559852 Misc 95 conf_get_str: [General]:Exchange-max-time->120
173307.560688 Timr 10 timer_add_event: event exchange_free_aux(0x7de79800) added last, expiration in 120s
173307.561565 Misc 95 conf_get_str: configuration value not found [peer-default]:Flags
173307.562379 Cryp 60 hash_get: requested algorithm 1
173307.563305 Exch 10 exchange_setup_p1: 0x7de79800 peer-default mm-default policy responder phase 1 doi 1 exchange 2 step 0
173307.564149 Exch 10 exchange_setup_p1: icookie 4558dc89993e4538 rcookie a42fec0b4dc4e6f0
173307.564962 Exch 10 exchange_setup_p1: msgid
173307.565751 Trpt 95 transport_reference: transport 0x7ce249c0 now has 2 references
173307.566558 SA 80 sa_reference: SA 0x7de79900 now has 1 references
173307.567493 SA 70 sa_enter: SA 0x7de79900 added to SA list
173307.568157 SA 80 sa_reference: SA 0x7de79900 now has 2 references
173307.568944 SA 60 sa_create: sa 0x7de79900 phase 1 added to exchange 0x7de79800 (peer-default)
173307.569762 SA 80 sa_reference: SA 0x7de79900 now has 3 references
173307.570682 Mesg 50 message_parse_payloads: offset 40 payload PROPOSAL
173307.571360 Mesg 50 message_parse_payloads: offset 48 payload TRANSFORM
173307.572180 Mesg 50 Transform 1's attributes
173307.572965 Mesg 50 Attribute ENCRYPTION_ALGORITHM value 5
173307.573733 Mesg 50 Attribute HASH_ALGORITHM value 2
173307.574508 Mesg 50 Attribute AUTHENTICATION_METHOD value 1
173307.575286 Mesg 50 Attribute GROUP_DESCRIPTION value 2
173307.576066 Mesg 50 Attribute LIFE_TYPE value 1
173307.576967 Mesg 50 Attribute LIFE_DURATION value 86400
173307.577715 Mesg 60 message_validate_payloads: payload PROPOSAL at 0x83151328 of message 0x83151280
173307.578680 Mesg 70 NO: 1
173307.579317 Mesg 70 PROTO: ISAKMP
173307.580124 Mesg 70 SPI_SZ: 0
173307.580923 Mesg 70 NTRANSFORMS: 1
173307.581695 Mesg 70 SPI:
173307.582492 Mesg 60 message_validate_payloads: payload TRANSFORM at 0x83151330 of message 0x83151280
173307.583461 Mesg 70 NO: 1
173307.584108 Mesg 70 ID: 1
173307.584860 Mesg 70 SA_ATTRS:
173307.585645 Mesg 60 message_validate_payloads: payload VENDOR at 0x83151354 of message 0x83151280
173307.586462 Mesg 70 ID:
173307.587267 Exch 10 dpd_check_vendor_payload: DPD capable peer
Re: Vlan Tag on Vlan Tag (l2tunneling)
* Claudio Jeker [EMAIL PROTECTED] [2008-08-21 16:11]:
> If we stack vlan interfaces I don't see a real need for such a button.

switch vendors don't agree on the ethertype. it is configurable on all of them, and the defaults are different between vendors. as in: button needed.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
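What the "button" amounts to on the receive side, as an added example in C that is not OpenBSD's code: a small parser that walks the tag stack of a raw Ethernet frame, with the set of ethertypes treated as a tag passed in. Run with 0x8100 only (OpenBSD's current stacking) a frame whose outer tag is 0x88a8 is reported as an untagged frame of type 0x88a8, which is exactly the interoperability gap the thread is about; run with both TPIDs it yields the S-VLAN/C-VLAN pair and the 4 bytes per tag that Stuart calls the "hit on MTU". The names vlan_parse, vlan_stack and vlan_overhead are mine; the two TPID values are the ones discussed in the thread, and the sample frame is constructed.

```c
/* Added example (not OpenBSD code): walk the 802.1Q / 802.1ad tag stack of a
 * raw Ethernet frame. tpids[] lists the ethertypes treated as a VLAN tag. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETHERTYPE_VLAN  0x8100   /* 802.1Q C-TAG */
#define ETHERTYPE_QINQ  0x88A8   /* 802.1ad S-TAG, the value from the thread */
#define ETHER_HDR_LEN   14
#define MAX_TAGS        4

struct vlan_stack {
    int      ntags;
    uint16_t tpid[MAX_TAGS];   /* tag protocol id seen, outermost first */
    uint16_t vid[MAX_TAGS];    /* 12-bit VLAN id */
    uint8_t  pcp[MAX_TAGS];    /* 3-bit priority */
    uint16_t ethertype;        /* type of the encapsulated payload */
    size_t   payload_off;      /* offset where that payload starts */
};

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Returns 0 on success, -1 on a truncated frame, -2 if more than MAX_TAGS are
 * stacked. The first ethertype not listed in tpids[] ends the walk. */
int vlan_parse(const uint8_t *frame, size_t len,
               const uint16_t *tpids, size_t ntpids, struct vlan_stack *out)
{
    size_t off = ETHER_HDR_LEN - 2;      /* ethertype field after dst + src */

    memset(out, 0, sizeof *out);
    if (len < ETHER_HDR_LEN)
        return -1;
    for (;;) {
        uint16_t et = be16(frame + off);
        int is_tag = 0;
        for (size_t i = 0; i < ntpids; i++)
            if (et == tpids[i])
                is_tag = 1;
        if (!is_tag) {
            out->ethertype = et;
            out->payload_off = off + 2;
            return 0;
        }
        if (out->ntags == MAX_TAGS)
            return -2;
        if (len - off < 6)               /* need TCI plus the next type field */
            return -1;
        uint16_t tci = be16(frame + off + 2);
        out->tpid[out->ntags] = et;
        out->pcp[out->ntags] = (uint8_t)(tci >> 13);
        out->vid[out->ntags] = tci & 0x0fff;
        out->ntags++;
        off += 4;
    }
}

/* Bytes the tag stack adds beyond a plain Ethernet header: 4 per tag. */
size_t vlan_overhead(const struct vlan_stack *s)
{
    return (size_t)s->ntags * 4;
}

/* Constructed frame: S-TAG vid 100 over C-TAG vid 200 over an IPv4 stub,
 * i.e. the svlan100 / vlan200 layout from the thread. */
const uint8_t sample_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55,      /* dst MAC (constructed) */
    0x66,0x77,0x88,0x99,0xaa,0xbb,      /* src MAC (constructed) */
    0x88,0xa8, 0x00,0x64,               /* 0x88a8, pcp 0, vid 100 */
    0x81,0x00, 0x00,0xc8,               /* 0x8100, pcp 0, vid 200 */
    0x08,0x00,                          /* IPv4 */
    0x45,0x00,0x00,0x14,                /* first bytes of an IPv4 header (constructed) */
};
const size_t sample_frame_len = sizeof sample_frame;
const uint16_t tpids_8021q_only[] = { ETHERTYPE_VLAN };
const uint16_t tpids_8021ad[]     = { ETHERTYPE_QINQ, ETHERTYPE_VLAN };

/* One-shot check on sample_frame: field 0 ntags, 1 outer vid, 2 inner vid,
 * 3 payload ethertype, 4 payload offset, 5 tag overhead; -1 if parsing fails. */
long vlan_sample_field(int accept_qinq, int field)
{
    struct vlan_stack s;
    int rc = accept_qinq
        ? vlan_parse(sample_frame, sample_frame_len, tpids_8021ad, 2, &s)
        : vlan_parse(sample_frame, sample_frame_len, tpids_8021q_only, 1, &s);
    if (rc != 0)
        return -1;
    switch (field) {
    case 0: return s.ntags;
    case 1: return s.vid[0];
    case 2: return s.vid[1];
    case 3: return s.ethertype;
    case 4: return (long)s.payload_off;
    case 5: return (long)vlan_overhead(&s);
    default: return -1;
    }
}

/* Parse only the first len bytes of sample_frame, to show the bounds checks. */
int vlan_parse_prefix(size_t len)
{
    struct vlan_stack s;
    return vlan_parse(sample_frame, len, tpids_8021ad, 2, &s);
}

int main(void)
{
    printf("802.1ad+802.1Q: %ld tags (vid %ld / %ld), payload type 0x%04lx, overhead %ld bytes\n",
           vlan_sample_field(1, 0), vlan_sample_field(1, 1), vlan_sample_field(1, 2),
           vlan_sample_field(1, 3), vlan_sample_field(1, 5));
    printf("0x8100 only:    %ld tags, payload type 0x%04lx\n",
           vlan_sample_field(0, 0), vlan_sample_field(0, 3));
    return 0;
}
```

Claudio's "decide by position" proposal maps onto this parser as a tpids[] that depends on depth (0x88a8 accepted only as the outermost tag); Henning's objection is that a switch with a vendor default other than 0x88a8 needs that list to be configurable per interface.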
Re: shell not reading login script
On Thu, Aug 21, 2008 at 10:30:32AM +0900, Joel Rees wrote:
> Added markers to each of .profile, .login and .cshrc:
>
> PROFMARKER=.profile
>
> etc. But none of the markers show up in a printenv, whether I simply start a new xterm, or go to the trouble of logging out and back in.

when i have stuff that i want to always be in my environment regardless of what i'm typing at (eg, login console, xterm, screen(1), etc), i put it all in a file and then i set and export ENV as being set to that file. seems to work very well with minimal effort.

that might not really answer your sh/csh thing, but maybe it helps. fwiw i am using /bin/ksh.

-- 
jared
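The login-shell rule that Philip points at and that Jared's ENV trick works around, made concrete as an added example that is not from the thread: a marker is exported from a throwaway ~/.profile, and sh is run once as a login shell (sh -l) and once as a plain non-login shell. Only the login shell picks the marker up, which is why an xterm started from an X session (a non-login shell unless xterm is told otherwise) shows none of the markers in printenv. It assumes a POSIX sh that accepts -l (OpenBSD sh/ksh, bash and dash all do) and a writable /tmp; the function name profile_marker_seen is mine.

```c
/* Added example (not from the thread): show that ~/.profile is read by a
 * login shell and not by a non-login shell, using a marker like the ones in
 * the thread. Assumes a POSIX sh with -l and a writable /tmp. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Prototypes repeated in case a strict -std= hides them in the headers. */
char *mkdtemp(char *template);
FILE *popen(const char *command, const char *mode);
int pclose(FILE *stream);

/* Returns 1 if PROFMARKER reached the child shell's environment, 0 if it did
 * not, -1 if the scratch directory or the shell could not be set up. */
int profile_marker_seen(int login_shell)
{
    char home[] = "/tmp/profdemo.XXXXXX";
    char path[300], cmd[700], out[512] = "";
    int seen = 0;

    if (mkdtemp(home) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/.profile", home);
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs("PROFMARKER=.profile; export PROFMARKER\n", f);
    fclose(f);

    /* HOME points at the scratch dir so ~/.profile is ours; cd there too for
     * shells that open .profile relative to the working directory. The child
     * prints the variable under a fixed prefix so output from /etc/profile
     * cannot be mistaken for it. */
    snprintf(cmd, sizeof cmd,
             "cd '%s' && HOME='%s' sh %s -c 'printf MARK=%%s \"$PROFMARKER\"' 2>/dev/null",
             home, home, login_shell ? "-l" : "");
    FILE *p = popen(cmd, "r");
    if (p != NULL) {
        size_t n = fread(out, 1, sizeof out - 1, p);
        out[n] = '\0';
        pclose(p);
        seen = strstr(out, "MARK=.profile") != NULL;
    } else {
        seen = -1;
    }
    unlink(path);
    rmdir(home);
    return seen;
}

int main(void)
{
    printf("login shell (sh -l): marker %s\n",
           profile_marker_seen(1) == 1 ? "seen" : "not seen");
    printf("non-login shell (sh -c): marker %s\n",
           profile_marker_seen(0) == 1 ? "seen" : "not seen");
    return 0;
}
```

The same experiment with the marker placed in the file named by ENV would show the mirror image: sh reads $ENV for interactive shells, login or not, which is why Jared's approach reaches every interactive xterm and console shell alike.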
Re: Vlan Tag on Vlan Tag (l2tunneling)
hi,

On Thu, Aug 21, 2008 at 04:48:02PM +0200, Henning Brauer wrote:
> * Claudio Jeker [EMAIL PROTECTED] [2008-08-21 16:11]:
>> If we stack vlan interfaces I don't see a real need for such a button.
>
> switch vendors don't agree on the ethertype. it is configurable on all of them, and the defaults are different between vendors. as in: button needed.

for example, you can easily change the default tag-type from 0x88a8 to old-style 0x8100 on hp switches, but it is a global setting:

- on the switch:

ProCurve Switch 5406zl(config)# qinq mixedvlan tag-type 0x8100
- or -
ProCurve Switch 5406zl(config)# qinq svlan tag-type 0x8100
...
ProCurve Switch 5406zl(config)# interface a1-a2 unknown-vlans disable
ProCurve Switch 5406zl(config)# svlan 100 tagged a1,a2

- on the OpenBSD hosts:

a# ifconfig em0 up
a# ifconfig vlan100 vlandev em0
a# ifconfig vlan200 vlandev vlan100 192.168.200.1

b# ifconfig em0 up
b# ifconfig vlan100 vlandev em0
b# ifconfig vlan200 vlandev vlan100 192.168.200.2
b# ping 192.168.200.1

reyk
Re: Vlan Tag on Vlan Tag (l2tunneling)
On Thu, Aug 21, 2008 at 04:05:50PM +0200, Claudio Jeker wrote:
>> no point in just doing that. a button to change the ether type would make sense.

this is not trivial because it would require a change in the Rx path where it is currently matching the ethertype in ether_input() before calling vlan_input(). do you want to call vlan_input() for every other packet or do a configured type lookup all the time? and what if the user specifies an ethernet type that is conflicting with something else? i think it should really only be 0x8100 or 0x88a8.

> If we stack vlan interfaces I don't see a real need for such a button. This could be figured out either at configuration time or on runtime. E.g. just check if the ethertype is 0x8100 and add the next vlan tag as 0x88a8. This would also allow to use a bridge for qinq setups. Because of this I think doing it on runtime is the best.

here is another approach defining QinQ-compliant interfaces as a new cloner type; so you can stack 0x88a8 devices as you wish and it doesn't need a new button in ifconfig. it also uses a dedicated vlan tag hash for Service VLANs to avoid tag/Id conflicts.

# ifconfig em0 up
# ifconfig svlan100 vlandev em0
# ifconfig vlan200 vlandev svlan100 192.168.2.100

reyk

Index: share/man/man4/vlan.4 === RCS file: /cvs/src/share/man/man4/vlan.4,v retrieving revision 1.31 diff -u -p -r1.31 vlan.4 --- share/man/man4/vlan.4 26 Jun 2008 05:42:07 - 1.31 +++ share/man/man4/vlan.4 21 Aug 2008 19:18:42 - @@ -31,8 +31,9 @@ .Dt VLAN 4 .Os .Sh NAME -.Nm vlan -.Nd IEEE 802.1Q encapsulation/decapsulation pseudo-device +.Nm vlan , +.Nm svlan +.Nd IEEE 802.1Q/1AD encapsulation/decapsulation pseudo-devices .Sh SYNOPSIS .Cd pseudo-device vlan .Sh DESCRIPTION @@ -40,6 +41,10 @@ The .Nm Ethernet interface allows construction of virtual LANs when used in conjunction with IEEE 802.1Q-compliant Ethernet devices. +The +.Ic svlan +Ethernet interface allows contruction of IEEE 802.1AD-compliant +provider bridges. .Pp A .Nm
@@ -83,6 +88,24 @@ option for more information. Following the vlan header is the actual ether type for the frame and length information. .Pp +An +.Ic svlan +interface is normally used for QinQ in 802.1AD-compliant provider bridges to +stack other +.Nm +interfaces on top of it. +It can be created using the +.Ic ifconfig svlan Ns Ar N Ic create +command or by setting up a +.Xr hostname.if 5 +configuration file for +.Xr netstart 8 . +The configuration is identical to the +.Nm +interface, the only differences are that it uses a different Ethernet +type (0x88a8) and an independent VLAN Id space on the parent +interface. +.Pp .Nm interfaces support the following unique .Xr ioctl 2 Ns s : @@ -104,7 +127,10 @@ interfaces use the following interface c The parent interface can handle full sized frames, plus the size of the vlan tag. .It IFCAP_VLAN_HWTAGGING -The parent interface will participate in the tagging of frames. +The parent interface will participate in the tagging of frames +(This is not supported by +.Ic svlan +interfaces). .El .Sh DIAGNOSTICS .Bl -diag @@ -150,6 +176,10 @@ and .Rs .%T IEEE 802.1Q standard .%O http://standards.ieee.org/getieee802/802.1.html +.Re +.Rs +.%T IEEE 802.1AD standard +.%O Provider Bridges, QinQ .Re .Sh AUTHORS Originally [EMAIL PROTECTED] Index: sys/net/ethertypes.h === RCS file: /cvs/src/sys/net/ethertypes.h,v retrieving revision 1.9 diff -u -p -r1.9 ethertypes.h --- sys/net/ethertypes.h5 May 2008 13:40:17 - 1.9 +++ sys/net/ethertypes.h21 Aug 2008 19:18:42 - 
@@ -300,6 +300,7 @@ #defineETHERTYPE_LANPROBE 0x /* HP LanProbe test? */ #defineETHERTYPE_PAE 0x888E /* 802.1X Port Access Entity */ #defineETHERTYPE_AOE 0x88A2 /* ATA over Ethernet */ +#defineETHERTYPE_QINQ 0x88A8 /* 802.1ad VLAN stacking */ #defineETHERTYPE_LLDP 0x88CC /* Link Layer Discovery Protocol */ #defineETHERTYPE_LOOPBACK 0x9000 /* Loopback */ #defineETHERTYPE_LBACK ETHERTYPE_LOOPBACK /* DEC MOP loopback */ Index: sys/net/if_bridge.c === RCS file: /cvs/src/sys/net/if_bridge.c,v retrieving revision 1.170 diff -u -p -r1.170 if_bridge.c --- sys/net/if_bridge.c 14 Jun 2008 21:46:22 - 1.170 +++ sys/net/if_bridge.c 21 Aug 2008 19:18:42 - @@ -2601,7 +2601,7 @@ bridge_fragment(struct bridge_softc *sc, goto dropit; #else etype = ntohs(eh-ether_type); - if (etype == ETHERTYPE_VLAN + if ((etype == ETHERTYPE_VLAN || etype == ETHERTYPE_QINQ) (ifp-if_capabilities IFCAP_VLAN_MTU) ((m-m_pkthdr.len - sizeof(struct ether_vlan_header)) = ifp-if_mtu)) { Index:
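Review bot: in the first vlan.4 hunk the added DESCRIPTION text has a typo ("allows contruction of") and the SYNOPSIS still lists only ".Cd pseudo-device vlan" although svlan is now a second name under NAME; add svlan to the synopsis (or say it is cloned from the vlan pseudo-device) and fix the spelling. The standard is written "802.1ad" in the ethertypes.h comment but "802.1AD" throughout the manual text; pick one form.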
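Review bot: the SEE ALSO hunk of vlan.4 adds an entry whose ".%O Provider Bridges, QinQ" is a description, not a locator, while the 802.1Q entry beside it gives a URL; point the 802.1AD entry at the same standards page (or drop the .%O) so the two references are consistent.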
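Review bot: the ethertypes.h hunk names the constant ETHERTYPE_QINQ whereas the earlier patch in this thread named the same value ETHERTYPE_8021AD; settle on one name before either lands, and keep the comment ("802.1ad VLAN stacking") and the manual's spelling of the standard in step.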
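Review bot: the visible bridge_fragment() change gives a QinQ frame the same single-tag allowance as an 802.1Q frame (m_pkthdr.len minus one ether_vlan_header compared against if_mtu), but an svlan-over-vlan frame carries two 4-byte tags, so the largest payload that passes for an 802.1Q frame now fails the check by 4 bytes and takes the fragmentation path; subtract an extra tag's worth when etype == ETHERTYPE_QINQ and the inner type is ETHERTYPE_VLAN, or count the tags, instead of treating both types alike. The diff is cut off after this hunk on the page, so any corresponding change elsewhere in if_bridge.c could not be checked here.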
You've received A Hallmark E-Card!
You have received a Hallmark E-Card.

Hello!

You have received a Hallmark E-Card. To see it, click here. There's something special about that E-Card feeling. We invite you to make a friend's day and send one.

Hope to see you soon,
Your friends at Hallmark

Your privacy is our priority. Click the Privacy and Security link at the bottom of this E-mail to view our policy.

Hallmark.com | Privacy & Security | Customer Service | Store Locator
Re: Redundant WAN connections on 2 openBSD firewalls
Laurent CARON wrote:
> Hi,
>
> I'm currently setting up a fully redundant gateway under OpenBSD (4.3) with IPSEC, CARP, PF, SA Sync, ... and would like to benefit from failover over 2 WAN connections (for outgoing connections, of course).
>
> I already have a round robin on the 2 external links:
>
> pass in log on $IntIf route-to { ($ExtIf_1 $ExtGw_1), ($ExtIf_2 $ExtGw_2) } round-robin from $IntNet to any
>
> and wish to be able to get true failover (if one connection goes down, all the traffic is handled by a single one).
>
> An interesting look seems to be ifstated.
>
> Did anyone set up such a gateway?
>
> Thanks
>
> Laurent

I did set up several gateways like this, but only on one firewall. With 2 firewalls, you have the additional complexity of ifstated not only checking if the wan link goes down, but you will have to take other things into account, like the migration of them. ifstated is a state machine. It will do exactly what it is told. There are some pitfalls, most of them regarding what must be done in the start of a state. Also, i recommend that you use snmp for checking if the wan connection went down. Most people ping external sites to accomplish that, but i don't recommend this. The modem/router/etc. can provide accurate information about the link, using snmp. I've been wanting to write a tutorial about using CARP+ifstated+pfsync+multi wan links. Didn't have time yet to do so. I can provide you some examples later, if you want.

My regards,

-- 
Giancarlo Razzolini
http://lock.razzolini.adm.br
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Verify:https://www.redhat.com/certification/rhce/current/
Moleque Sem Conteudo Numero #002
OpenBSD Stable
Ubuntu 8.04 Hardy Heron
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
PF redirection and pflogging
List,

I am having some issues while redirecting traffic to port 80 on the $squid_server. I have this server serving two purposes: apache web server and squid server. I can definitely get to the PROXY services fine but cannot get to the WWW (port 80) on the same server.

Another issue is that when I try to actively look at the pflog by running "tcpdump -n -e -ttt -i pflog0", I don't get anything even when the traffic is passing and/or getting blocked.

Any help is highly appreciated. thx.

For this I have the following pf config:

ext_if=sk0
int_if=gem0
pf_log=pflog0
# webby
set skip on enc0
set skip on gre0
external_ip=70.40.22.17
external_ips={70.40.22.17 70.40.22.18 70.40.22.19}
external_net={70.40.22.17 70.40.22.18 70.40.22.19}
internal_ip=172.16.10.10
internal_networks={172.16.10.0/24 172.16.100.0/24 172.16.200.0/24}
webby_ip=70.40.22.18
webby_server=172.16.10.11
squid_ip=70.40.22.19
squid_server=172.16.10.12
# block_ip=70.40.22.20
block_server=172.16.10.12

##TABLES
table <bruteforce> persist
table <kiddies> persist

## OPTIONS
# set loginterface $ext_if
set loginterface $int_if
scrub in

## NAT/REDIRECTS
nat on $ext_if from !($ext_if) to any -> ($ext_if:0)
# rdr pass on $ext_if proto tcp from any to $block_ip port 80 -> $squid_server port 80
rdr pass on $ext_if proto tcp from any to $webby_ip port 80 -> $webby_server port 80
rdr pass on $ext_if proto tcp from any to $webby_ip port 443 -> $webby_server port 443
rdr pass on $ext_if proto tcp from any to $squid_ip port 3128 -> $squid_server port 3128
rdr pass on $ext_if proto tcp from any to $squid_ip port 80 -> $squid_server port 80

## FILTERS
# block log quick from <bruteforce>
block log quick from <kiddies>
block in log on $pf_log
# pass in quick on $int_if
pass out keep state
pass in on $ext_if proto icmp from any to $external_ip keep state
pass in on $ext_if proto tcp from any to $external_ip port ssh keep state
pass in on $ext_if proto tcp from any to $webby_ip port 80 keep state
pass in on $ext_if proto tcp from any to $webby_ip port 443 keep state
pass in log (all, to $pf_log) on $ext_if proto tcp from any to $squid_ip port 3128 keep state
pass in on $ext_if proto tcp from any to $squid_ip port 80 keep state
# pass in on $ext_if proto tcp from any to $block_ip port 80 keep state
pass in on $ext_if proto tcp from any to $external_ips port 22 keep state
pass inet proto tcp from any to $external_net port 22 flags S/SA keep state (max-src-conn 25, max-src-conn-rate 15/5, overload <bruteforce> flush global)
# block in quick on $ext_if
Re: Redundant WAN connections on 2 openBSD firewalls
Giancarlo Razzolini wrote:
> I did set up several gateways like this, but only on one firewall. With 2 firewalls, you have the additional complexity of ifstated not only checking if the wan link goes down, but you will have to take other things into account, like the migration of them. ifstated is a state machine. It will do exactly what it is told. There are some pitfalls, most of them regarding what must be done in the start of a state. Also, i recommend that you use snmp for checking if the wan connection went down. Most people ping external sites to accomplish that, but i don't recommend this. The modem/router/etc. can provide accurate information about the link, using snmp. I've been wanting to write a tutorial about using CARP+ifstated+pfsync+multi wan links. Didn't have time yet to do so. I can provide you some examples later, if you want.

I'll unfortunately have to ping for one wan connection since the router is the property of the ISP and they don't allow SNMP on it (though this seems to be an expensive cisco piece of hardware that supports it).

I would be interested if you could provide me with details about the wan failover part (scripts, config files, ...)

Thanks
Re: PF redirection and pflogging
Hallo! My guess is you dont get anything logged since you pass with rdr rules. Maybe it is cleaner to keep translation and filtering separate, e.g. have translation rules like this rdr on $ext_if proto tcp from any to $webby_ip port 80 - $webby_server port 80 And then you need to pass not to the external interface's ip address but to where is your so to say real server, e.g. rule pass in on $ext_if proto tcp from any to $webby_ip port 80 keep state should rather read pass in on $ext_if proto tcp from any to $webby_server port 80 keep state And also note that rule like this works when there aint other rules what matches the package. Maybe it is more straight-forward at least for debugging to add to it 'quick' keyword which makes the rule match no matter what follows, like this pass in quick on $ext_if proto tcp from any to $webby_server port 80 keep state Imre Parvinder Bhasin wrote: List, I am having some issues while redirecting traffic to port 80 on the $squid_server. I have this server serving two purpose: apache web server and squid server. I can definately get to the PROXY services fine but cannot get to the WWW (port 80) on the same server. Another issue is that when I try to actively look at the pflog by running tcpdump -n -e -ttt -i pflog0 , I don't get anything even when the traffic is passing and/or getting blocked. Any help is highly appreciated. thx. 
For this I have the following pf config:

ext_if=sk0
int_if=gem0
pf_log=pflog0
# webby
set skip on enc0
set skip on gre0
external_ip=70.40.22.17
external_ips="{70.40.22.17 70.40.22.18 70.40.22.19}"
external_net="{70.40.22.17 70.40.22.18 70.40.22.19}"
internal_ip=172.16.10.10
internal_networks="{172.16.10.0/24 172.16.100.0/24 172.16.200.0/24}"
webby_ip=70.40.22.18
webby_server=172.16.10.11
squid_ip=70.40.22.19
squid_server=172.16.10.12
# block_ip=70.40.22.20
block_server=172.16.10.12

## TABLES
table <bruteforce> persist
table <kiddies> persist

## OPTIONS
# set loginterface $ext_if
set loginterface $int_if
scrub in

## NAT/REDIRECTS
nat on $ext_if from !($ext_if) to any -> ($ext_if:0)
# rdr pass on $ext_if proto tcp from any to $block_ip port 80 -> $squid_server port 80
rdr pass on $ext_if proto tcp from any to $webby_ip port 80 -> $webby_server port 80
rdr pass on $ext_if proto tcp from any to $webby_ip port 443 -> $webby_server port 443
rdr pass on $ext_if proto tcp from any to $squid_ip port 3128 -> $squid_server port 3128
rdr pass on $ext_if proto tcp from any to $squid_ip port 80 -> $squid_server port 80

## FILTERS
# block log quick from <bruteforce>
block log quick from <kiddies>
block in log on $pf_log
# pass in quick on $int_if
pass out keep state
pass in on $ext_if proto icmp from any to $external_ip keep state
pass in on $ext_if proto tcp from any to $external_ip port ssh keep state
pass in on $ext_if proto tcp from any to $webby_ip port 80 keep state
pass in on $ext_if proto tcp from any to $webby_ip port 443 keep state
pass in log (all, to $pf_log) on $ext_if proto tcp from any to $squid_ip port 3128 keep state
pass in on $ext_if proto tcp from any to $squid_ip port 80 keep state
# pass in on $ext_if proto tcp from any to $block_ip port 80 keep state
pass in on $ext_if proto tcp from any to $external_ips port 22 keep state
pass inet proto tcp from any to $external_net port 22 flags S/SA keep state (max-src-conn 25, max-src-conn-rate 15/5, overload <bruteforce> flush global)
# block in quick on $ext_if
FYI: Some gloating redditors are currently trolling OpenBSD
FYI: Some gloating redditors are currently trolling OpenBSD. See here for the details: http://www.reddit.com/r/programming/comments/6xelo/only_two_remote_holes_in_the_default_install_in/ I feel bad about spreading this nonsense further, but I felt I maybe should give everybody here a heads-up. --ropers
Re: FYI: Some gloating redditors are currently trolling OpenBSD
PS: Here is the URL they use to insert the HTML onto the resulting page: http://www.openbsd.org/cgi-bin/cvsweb/src/?sortby=%22%3E%3Ch1%20style=%22position:absolute;top:10px;font-size:150pt%22%3E%3Cblink%3EOnly%202%20Remote%20bugs%3C/blink%3E%3C/h1%3E 2008/8/21 ropers [EMAIL PROTECTED]: FYI: Some gloating redditors are currently trolling OpenBSD. See here for the details: http://www.reddit.com/r/programming/comments/6xelo/only_two_remote_holes_in_the_default_install_in/ I feel bad about spreading this nonsense further, but I felt I maybe should give everybody here a heads-up. --ropers
Re: FYI: Some gloating redditors are currently trolling OpenBSD
2008/8/21 ropers [EMAIL PROTECTED]: FYI: Some gloating redditors are currently trolling OpenBSD. See here for the details: http://www.reddit.com/r/programming/comments/6xelo/only_two_remote_holes_in_the_default_install_in/ I feel bad about spreading this nonsense further, but I felt I maybe should give everybody here a heads-up. --ropers 2008/8/21 ropers [EMAIL PROTECTED]: PS: Here is the URL they use to insert the HTML onto the resulting page: http://www.openbsd.org/cgi-bin/cvsweb/src/?sortby=%22%3E%3Ch1%20style=%22position:absolute;top:10px;font-size:150pt%22%3E%3Cblink%3EOnly%202%20Remote%20bugs%3C/blink%3E%3C/h1%3E PPS: For legibility: http://www.openbsd.org/cgi-bin/cvsweb/src/?sortby=;h1 style=position:absolute;top:10px;font-size:150ptblinkOnly 2 Remote bugs/blink/h1
Re: FYI: Some gloating redditors are currently trolling OpenBSD
On Thu, Aug 21, 2008 at 2:39 PM, ropers [EMAIL PROTECTED] wrote: http://www.openbsd.org/cgi-bin/cvsweb/src/?sortby=;h1 style=position:absolute;top:10px;font-size:150ptblinkOnly 2 Remote bugs/blink/h1 I find it more amusing that it's just injecting HTML into what's being rendered. CVSWEB has a bug.
Re: Vlan Tag on Vlan Tag (l2tunneling)
Works for me. (haven't tested this very extensively yet, and only OpenBSD - OpenBSD ... nor did I try the tcpdump patches .. will do so later) Thanks Reyk, cool stuff ;) Paul 'WEiRD' de Weerd On Thu, Aug 21, 2008 at 09:34:12PM +0200, Reyk Floeter wrote: | On Thu, Aug 21, 2008 at 04:05:50PM +0200, Claudio Jeker wrote: | no point in just doing that. | | a button to change the ether type would make sense. | | | | this is not trivial because it would require a change in the Rx path | where it is currently matching the ethertype in ether_input() before | calling vlan_input(). do you want to call vlan_input() for every | other packet or do a configured type lookup all the time? and what if | the user specifies an ethernet type that is conflicting with something | else? i think it should really only be 0x8100 or 0x88a8. | | If we stack vlan interfaces I don't see a real need for such a button. | This could be figured out either at configuration time or on runtime. | E.g. just check if the ethertype is 0x8100 and add the next vlan tag as | 0x88a8. This would also allow to use a bridge for qinq setups. Because of | this I think doing it on runtime is the best. | | | here is another approach defining QinQ-compliant interfaces as a new | cloner type; so you can stack 0x88a8 devices as you wish and it | doesn't need a new button in ifconfig. it also uses a dedicated vlan | tag hash for Service VLANs to avoid tag/Id conflicts. | | # ifconfig em0 up | # ifconfig svlan100 vlandev em0 | # ifconfig vlan200 vlandev svlan100 192.168.2.100 | | reyk | | Index: share/man/man4/vlan.4 | === | RCS file: /cvs/src/share/man/man4/vlan.4,v | retrieving revision 1.31 | diff -u -p -r1.31 vlan.4 | --- share/man/man4/vlan.4 26 Jun 2008 05:42:07 - 1.31 | +++ share/man/man4/vlan.4 21 Aug 2008 19:18:42 - | 
@@ -31,8 +31,9 @@ | .Dt VLAN 4 | .Os | .Sh NAME | -.Nm vlan | -.Nd IEEE 802.1Q encapsulation/decapsulation pseudo-device | +.Nm vlan , | +.Nm svlan | +.Nd IEEE 802.1Q/1AD encapsulation/decapsulation pseudo-devices | .Sh SYNOPSIS | .Cd pseudo-device vlan | .Sh DESCRIPTION | @@ -40,6 +41,10 @@ The | .Nm | Ethernet interface allows construction of virtual LANs when used in | conjunction with IEEE 802.1Q-compliant Ethernet devices. | +The | +.Ic svlan | +Ethernet interface allows contruction of IEEE 802.1AD-compliant | +provider bridges. | .Pp | A | .Nm | @@ -83,6 +88,24 @@ option for more information. | Following the vlan header is the actual ether type for the frame and length | information. | .Pp | +An | +.Ic svlan | +interface is normally used for QinQ in 802.1AD-compliant provider bridges to | +stack other | +.Nm | +interfaces on top of it. | +It can be created using the | +.Ic ifconfig svlan Ns Ar N Ic create | +command or by setting up a | +.Xr hostname.if 5 | +configuration file for | +.Xr netstart 8 . | +The configuration is identical to the | +.Nm | +interface, the only differences are that it uses a different Ethernet | +type (0x88a8) and an independent VLAN Id space on the parent | +interface. | +.Pp | .Nm | interfaces support the following unique | .Xr ioctl 2 Ns s : | @@ -104,7 +127,10 @@ interfaces use the following interface c | The parent interface can handle full sized frames, plus the size | of the vlan tag. | .It IFCAP_VLAN_HWTAGGING | -The parent interface will participate in the tagging of frames. | +The parent interface will participate in the tagging of frames | +(This is not supported by | +.Ic svlan | +interfaces). | .El | .Sh DIAGNOSTICS | .Bl -diag | 
@@ -150,6 +176,10 @@ and | .Rs | .%T IEEE 802.1Q standard | .%O http://standards.ieee.org/getieee802/802.1.html | +.Re | +.Rs | +.%T IEEE 802.1AD standard | +.%O Provider Bridges, QinQ | .Re | .Sh AUTHORS | Originally [EMAIL PROTECTED] | Index: sys/net/ethertypes.h | === | RCS file: /cvs/src/sys/net/ethertypes.h,v | retrieving revision 1.9 | diff -u -p -r1.9 ethertypes.h | --- sys/net/ethertypes.h 5 May 2008 13:40:17 - 1.9 | +++ sys/net/ethertypes.h 21 Aug 2008 19:18:42 - | @@ -300,6 +300,7 @@ | #define ETHERTYPE_LANPROBE 0x /* HP LanProbe test? */ | #define ETHERTYPE_PAE 0x888E /* 802.1X Port Access Entity */ | #define ETHERTYPE_AOE 0x88A2 /* ATA over Ethernet */ | +#define ETHERTYPE_QINQ 0x88A8 /* 802.1ad VLAN stacking */ | #define ETHERTYPE_LLDP 0x88CC /* Link Layer Discovery Protocol */ | #define ETHERTYPE_LOOPBACK 0x9000 /* Loopback */ | #define ETHERTYPE_LBACK ETHERTYPE_LOOPBACK /* DEC MOP loopback */ | Index: sys/net/if_bridge.c | === | RCS file: /cvs/src/sys/net/if_bridge.c,v | retrieving revision 1.170 | diff -u -p -r1.170 if_bridge.c | ---
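Review bot: in the first vlan.4 hunk (@@ -31,8) the NAME section now lists `.Nm svlan`, but the SYNOPSIS in the same hunk still reads only `.Cd pseudo-device vlan`; either add a `.Cd` line for svlan or say in DESCRIPTION that svlan interfaces are supplied by the vlan pseudo-device, so a reader of the SYNOPSIS knows how to get them.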
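Review bot: typo in the @@ -40,6 hunk of vlan.4, added line `+Ethernet interface allows contruction of IEEE 802.1AD-compliant`: `contruction` should be `construction`. The same hunks spell the standard `802.1AD` while the ethertypes.h comment in this diff writes `802.1ad`; pick one form (the IEEE writes amendment letters in lowercase, 802.1ad).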
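Review bot: in the @@ -83,6 hunk of vlan.4 the added text `interface, the only differences are that it uses a different Ethernet type (0x88a8) and an independent VLAN Id space on the parent` is a comma splice; since mdoc wants one sentence per line anyway, end the first sentence at `interface.` and start `The only differences are ...` on its own line.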
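Review bot: in the @@ -104,7 hunk of vlan.4 the parenthetical `(This is not supported by` / `.Ic svlan` / `interfaces).` opens with a capital inside a sentence and puts the period outside the bracket; write it as a separate sentence, i.e. keep `The parent interface will participate in the tagging of frames.` and follow it with `This is not supported by` / `.Ic svlan` / `interfaces.` on new lines.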
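Review bot: in the @@ -150,6 hunk of vlan.4 the new reference gives `.%O Provider Bridges, QinQ`, whereas the preceding 802.1Q entry uses `.%O` for a URL; for consistency put the descriptive text in the title, e.g. `.%T IEEE 802.1ad standard (Provider Bridges, QinQ)`, and point `.%O` at the same standards.ieee.org 802.1 page used just above.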
Re: FYI: Some gloating redditors are currently trolling OpenBSD
Impressive. No, really. Not only do they manage to deface cvsweb, but if you use the standard url, everything goes back to normal, meaning their exploit is self-hiding. Plus the files aren't modified, for augmented stealthiness (we're talking ninja-level stealthiness here). Sorry, I can't help you on this, my paladin's only lvl 15, this troll's at least lvl 57. I'll fake death and let it get bored On Thu, Aug 21, 2008 at 11:29 PM, ropers [EMAIL PROTECTED] wrote: FYI: Some gloating redditors are currently trolling OpenBSD. See here for the details: http://www.reddit.com/r/programming/comments/6xelo/only_two_remote_holes_in_the_default_install_in/ I feel bad about spreading this nonsense further, but I felt I maybe should give everybody here a heads-up. --ropers -- Vincent Dermiste Gross So, the essence of XML is this: the problem it solves is not hard, and it does not solve the problem well. -- Jerome Simeon Phil Wadler
Re: concerning direction in PF for enc0
On Wed, Aug 20, 2008 at 09:06:14AM +0200, Harald Dunkel wrote: http://www.kernel-panic.it/openbsd/vpn/vpn3.html#vpn-3.4 http://www.openbsd.org/cgi-bin/man.cgi?query=enc Ah, very nice. That first one is just what I was looking for. I had the first three sections already defined, but the 4th was the ticket. cheers. ryanc
Re: concerning direction in PF for enc0
On Thu, Aug 21, 2008 at 04:10:30PM -0700, Ryan Corder wrote: | On Wed, Aug 20, 2008 at 09:06:14AM +0200, Harald Dunkel wrote: | http://www.kernel-panic.it/openbsd/vpn/vpn3.html#vpn-3.4 | http://www.openbsd.org/cgi-bin/man.cgi?query=enc | | Ah, very nice. That first one is just what I was looking for. I had | the first three sections already defined, but the 4th was the ticket. To clarify, the first link above was what I needed. '4th' was in reference to the 4th PF example given on that page.
From address when using mail command
Everything with my sendmail and dovecot works great. But when I occasionally want to send a message using the mail command, the From: address ends up as: [EMAIL PROTECTED] This is not a good address that someone can reply to. Where does mail obtain the From address? My best guess right now is perhaps the /etc/myname file which has b03ls15le.corenetworks.net in it. Reading man pages about the /etc/myname file doesn't really make it clear (to me) what other contents it can have. Can I change it to my main server's address and not have a problem? Would this fix the mail From problem? Chris Bennett
Re: From address when using mail command
Hello Chris, From [EMAIL PROTECTED] Thu Aug 21 21:28:29 2008 From: Chris Bennett [EMAIL PROTECTED] Subject: From address when using mail command Everything with my sendmail and dovecot works great. But when I occasionally want to send a message using mail command, The From: address ends up as: [EMAIL PROTECTED] This is not a good address that someone can reply to. Sendmail is doing what it is supposed to here. It is sending out mail from your machine (b03ls15le.corenetworks.net) which are from user. Where does mail obtain the From address? Sendmail is attempting to send out mail from your machine, and it uses the information of your machine to identify itself. Moreover, since you are sending from account user, sendmail is also identifying your username as the user of the machine sending this mail. Reading man pages about /etc/myname file doesn't really make it clear (to me) what other contents it can have. You should leave those contents the same. Can I change it to my main server's address and not have a problem? Would this fix the mail From problem? If you did a search on this, you probably would have found out a lot more about what sendmail does and how it works. You also would have discovered some common solutions to this common misunderstanding. The reason this problem does not manifest itself when you are using other clients is probably because they either use their own smtp client to send mail to a SMART HOST, or they are changing the From header of your messages to reflect the settings of that client. Mail does not do that, but rather feeds a more spartan message to sendmail, which then inserts the relevant headers that it can derive from its configuration. I believe what you are trying to do is send mail from your machine, where your machine is not the main mail machine. In other words, another machine is the hosting mail server (not the exactly correct term). 
Chances are you are on a network which is not configured with an IP address which is likely to avoid the large Dynamic blacklists that many ISPs place on senders, so you don't even want to use your machine as the primary mail server. What you do want to do is use sendmail as a client to relay its non-local messages to another server which is your main mail server. Usually this server is provided by your ISP (whether your network or mail provider). The steps for this are: 1) Configure a SMART_HOST 2) [Possibly] configure authentication 3) [Possibly] configure username rewriting (2) is necessary if the SMTP server which you use to relay your mail from your machine to the rest of the world requires some kind of authentication. This is usually the case if you are using a mail provider that is different from your network provider, or if you have a separate SMART HOST outside of your network provider's mail server. (3) is required if you are going to be using a different username than the one that you are currently using. The method you choose to do this may depend on whether you need to rewrite just the username, the domain only, or both the username and the domain of the sender address. If you just need to change the domain, then using MASQUERADING will get the job done. If you are just doing username rewriting (you are not just doing this) you can get by with some other things. If you are doing both, then you will probably want a combination of both MASQUERADING and GENERICS TABLES. GENERICS TABLES will allow you to map your local username to an external address. MASQUERADING will just change the domain name sendmail uses when sending out mail. There are many other options you will want to investigate. All of this must be done by choosing the right sendmail .mc configuration file, editing it appropriately, compiling it through m4 and placing it as directed into the correct location, restarting sendmail, and some possible (likely) other work.
The instructions for conducting such interesting surgery on your system (it's more like putting on a little make-up than anything really serious) can be found in rather good detail in the op.txt manual for sendmail, and the configuration README in /usr/share/sendmail. In addition to this, you may be interested in a tutorial I wrote some time ago on this topic, which can be found at http://www.sacrideo.us/Sacrificum_Deo/Stuff_files/sendmail_openbsd.txt I hope this helps a little! As I mentioned, the rest is online. Aaron
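As an added illustration of the three steps in Aaron's reply (this is not code from his message or his tutorial), a sendmail.mc for a machine that only relays through a provider; smtp.example.net, example.net, the account name chris and the credential values are placeholders, while b03ls15le.corenetworks.net is the hostname from the original question:

```m4
divert(-1)
dnl Added example, not from the reply or tutorial above: a relay-only
dnl sendmail.mc. Placeholders: smtp.example.net (provider relay),
dnl example.net (public domain), chris (local account).
divert(0)dnl
VERSIONID(`sendmail.mc: relay-only client (example)')
OSTYPE(openbsd)dnl
DOMAIN(generic)dnl

dnl Step 1: hand every non-local message to the provider's relay,
dnl using the submission port instead of 25.
define(`SMART_HOST', `smtp.example.net')dnl
define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl

dnl Step 2: authenticate to the relay. /etc/mail/authinfo (root-owned,
dnl mode 600, since it holds the password) carries one line such as
dnl   AuthInfo:smtp.example.net "U:chris" "I:chris" "P:PASSWORD" "M:PLAIN"
dnl and is compiled with: makemap hash /etc/mail/authinfo < /etc/mail/authinfo
FEATURE(`authinfo', `hash -o /etc/mail/authinfo.db')dnl
define(`confAUTH_MECHANISMS', `PLAIN LOGIN')dnl

dnl Step 3a: masquerading rewrites only the domain part, so
dnl chris@b03ls15le.corenetworks.net becomes chris@example.net.
MASQUERADE_AS(`example.net')dnl
MASQUERADE_DOMAIN(`b03ls15le.corenetworks.net')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`allmasquerade')dnl

dnl Step 3b: the genericstable rewrites the local part as well.
dnl /etc/mail/genericstable holds lines like
dnl   chris   chris.bennett@example.net
dnl compiled with: makemap hash /etc/mail/genericstable < /etc/mail/genericstable
FEATURE(`genericstable', `hash -o /etc/mail/genericstable.db')dnl
GENERICS_DOMAIN(`b03ls15le.corenetworks.net')dnl

MAILER(local)dnl
MAILER(smtp)dnl
```

Build it with m4 /usr/share/sendmail/m4/cf.m4 sendmail.mc > /etc/mail/sendmail.cf and restart sendmail; with only steps 1 and 3a in place, mail from the local account still leaves as chris@example.net, which is the case the reply describes as needing MASQUERADING alone.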