securelevel(7) and gpioctl(8)

2008-12-09 Thread Lars D. Noodén

On Mon, 8 Dec 2008, Marc Balmer wrote:

 NB:  not all arches have GPIO.


Thanks. Ok.  I see now.  The online pages return a result only for items 
present in all architectures.


The need for Securelevel 0 was mentioned.  Does that mean the device must 
operate in securelevel 0 in order to turn on and off one of the JP5 pins? 
Or just that they must be attached and then can be used for IO after 
switching to securelevel 1?


Also, can a custom kernel be avoided?  One appears to be needed in this 
note:

http://www.vnode.ch/reworking_gpio

Regards,
-Lars
Lars Nooden



Re: Toshiba ToPIC97 CardBus: couldn't map interrupt

2008-12-09 Thread k z
On Mon, Dec 8, 2008 at 9:52 PM, Daniel Melameth [EMAIL PROTECTED] wrote:
 On Mon, Dec 8, 2008 at 11:28 AM, k z [EMAIL PROTECTED] wrote:
 ne3 works but couldn't map interrupt errors do appear:

 cbb0 at pci0 dev 19 function 0 Toshiba ToPIC97 CardBus rev 0x20:
 couldn't map interrupt
 cbb1 at pci0 dev 19 function 1 Toshiba ToPIC97 CardBus rev 0x20:
 couldn't map interrupt

 You might want to try changing how the BIOS presents these slots, if
possible.

In BIOS, the Auto-select meant falling to CardBus/16 bit; setting value
to PCIC compatible has helped:

--- before.txt  Thu Oct  5 08:03:43 2006
+++ after.txt   Thu Oct  5 08:03:21 2006
@@ -9,12 +9,12 @@
 bios0 at mainbus0: AT/286+ BIOS, date 12/26/97, BIOS32 rev. 0 @ 0xfe95a
 apm0 at bios0: Power Management spec V1.2
 apm0: battery life expectancy 100%
-apm0: AC on, battery charge high, estimated 1:52 hours
+apm0: AC on, battery charge high, estimated 2:17 hours
 pcibios0 at bios0: rev 2.1 @ 0xf/0x1
 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf8e80/96 (4 entries)
 pcibios0: no compatible PCI ICU found: ICU vendor 0x product 0x
 pcibios0: Warning, unable to fix up PCI interrupt routing
-pcibios0: PCI bus #21 is the last bus
+pcibios0: PCI bus #0 is the last bus
 bios0: ROM list: 0xc/0x9800
 cpu0 at mainbus0: (uniprocessor)
 pci0 at mainbus0 bus 0: configuration mode 1 (bios)
@@ -24,8 +24,6 @@
 wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
 ohci0 at pci0 dev 11 function 0 NEC USB rev 0x02: irq 11, version 1.0
 Toshiba Fast Infrared Type O rev 0x21 at pci0 dev 17 function 0 not
configured
-cbb0 at pci0 dev 19 function 0 Toshiba ToPIC97 CardBus rev 0x20:
couldn't map interrupt
-cbb1 at pci0 dev 19 function 1 Toshiba ToPIC97 CardBus rev 0x20:
couldn't map interrupt
 usb0 at ohci0: USB revision 1.0
 uhub0 at usb0 NEC OHCI root hub rev 1.00/1.00 addr 1
 isa0 at mainbus0
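Review bot: the two removed cbb0/cbb1 lines at the end of this hunk have no added counterpart, so after the BIOS change the ToPIC97 bridge is no longer enumerated on pci0 at all, and the sockets appear only under pcic0 at isa0 in the full dmesg that follows. The comparison would be clearer if it said so, because the "couldn't map interrupt" message disappears with the device rather than with a working interrupt mapping. The apm battery-estimate line in the first hunk is unrelated to the setting and could be left out of the comparison.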



OpenBSD 4.4-current (GENERIC) #1556: Fri Dec  5 18:09:01 MST 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium/MMX (GenuineIntel 586-class) 167 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,MCE,CX8,MMX
cpu0: F00F bug workaround installed
real mem  = 33189888 (31MB)
avail mem = 22269952 (21MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/26/97, BIOS32 rev. 0 @ 0xfe95a
apm0 at bios0: Power Management spec V1.2
apm0: battery life expectancy 100%
apm0: AC on, battery charge high, estimated 2:17 hours
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf8e80/96 (4 entries)
pcibios0: no compatible PCI ICU found: ICU vendor 0x product 0x
pcibios0: Warning, unable to fix up PCI interrupt routing
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc/0x9800
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Toshiba PCI rev 0x2c
vga1 at pci0 dev 4 function 0 Chips and Technologies 6 rev 0xc6
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ohci0 at pci0 dev 11 function 0 NEC USB rev 0x02: irq 11, version 1.0
Toshiba Fast Infrared Type O rev 0x21 at pci0 dev 17 function 0 not configured
usb0 at ohci0: USB revision 1.0
uhub0 at usb0 NEC OHCI root hub rev 1.00/1.00 addr 1
isa0 at mainbus0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
wdc0 at isa0 port 0x1f0/8 irq 14
wd0 at wdc0 channel 0 drive 0: TOSHIBA MK4310MAT
wd0: 16-sector PIO, LBA, 4126MB, 8452080 sectors
wd0(wdc0:0:0): using BIOS timings
wdc1 at isa0 port 0x170/8 irq 15
atapiscsi0 at wdc1 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets, initiator 7
cd0 at scsibus0 targ 0 lun 0: TEAC, CD-220EA, 7.0A ATAPI 5/cdrom removable
cd0(wdc1:0:0): using BIOS timings
sb0 at isa0 port 0x220/24 irq 5 drq 1: dsp v3.01
midi0 at sb0: SB MIDI UART
audio0 at sb0
opl0 at sb0: model OPL3
midi1 at opl0: SB Yamaha OPL3
wss0 at isa0 port 0x530/8 irq 10 drq 0: CS4231 or AD1845 (vers 4)
audio1 at wss0
pcppi0 at isa0 port 0x61
midi2 at pcppi0: PC speaker
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
pcic0 at isa0 port 0x3e0/2 iomem 0xd/65536
pcic0 controller 0: Intel 82365SL rev 1 has sockets A and B
pcmcia0 at pcic0 controller 0 socket 0
pcmcia1 at pcic0 controller 0 socket 1
ne3 at pcmcia1 function 0 corega K.K., corega Ether PCC-TD,  port
0x300/32, irq 3, address 
pcic0: irq 9, polling enabled
biomask e945 netmask e94d ttymask fbdf
softraid0 at root
root on wd0a swap on wd0b dump on wd0b



Sorry for the noise.



Re: securelevel(7) and gpioctl(8)

2008-12-09 Thread Marc Balmer
* Lars D. Noodén wrote:
 On Mon, 8 Dec 2008, Marc Balmer wrote:
 NB:  not all arches have GPIO.

 Thanks. Ok.  I see now.  The online pages return a result only for items
 present in all architectures.

 The need for Securelevel 0 was mentioned.  Does that mean the device must
 operate in securelevel 0 in order to turn on and off one of the JP5 pins?
 Or just that they must be attached and then can be used for IO after
 switching to securelevel 1?

The latter is the case.


 Also, can a custom kernel be avoided?  One appears to be needed in this
 note:
   http://www.vnode.ch/reworking_gpio

A custom kernel is no longer needed.


 Regards,
 -Lars
 Lars Nooden

--
Marc Balmer, Micro Systems, Wiesendamm 2a, Postfach, CH-4019 Basel,
Switzerland
http://www.msys.ch/ http://www.vnode.ch/   In God we trust, in C we
code.



The New Secure Operating System

2008-12-09 Thread Sunnz
The secure operating system standard will never be the same now that a
National Security Agency-certified OS has gone commercial, but few
mainstream enterprises today need an airtight OS tuned to run on
fighter jets. And many organizations aren't properly securing their
existing commercial OSes, anyway, security experts say.

http://www.darkreading.com/security/management/showArticle.jhtml?articleID=212201490

-- 
This e-mail may be confidential. You may not copy, forward or use any
part. Note that all disclaimers on the Internet are of zero legal
effectiveness however.
http://www.goldmark.org/jeff/stupid-disclaimers/



Routing issue with VPN tunnel

2008-12-09 Thread do
Hello,

I'm having some problems routing traffic through an isakmp
vpn tunnel.

I have a tunnel successfully set up between my OpenBSD 3.8
and a Cisco 7200 router.
I'm not good at ascii art, but here's how I see it:

$int_if = 10.0.0.1
$remote_host = 192.168.0.1

 
 $int_if   enc0   $ext_if --- (internet) --- $remote_gw --- $remote_host
    |
    |
 $internal_host



There are ACLs on the $remote_gw which only allow traffic
NATed with my $int_if ip. Hence this nat in pf.conf:
nat on enc0 inet from $int_net to $remote_host -> $int_if


I've established that the flows exist:
# netstat -rn -f encap
$remote_host/32 0   $int_if/32  0   0  
$remote_gw/50/use/in
$int_if/32  0   $remote_host/32 0   0  
$remote_gw/50/require/out

# ipsecctl -s flow
flow esp in from $remote_host to $int_if peer $remote_gw
flow esp out from $int_if to $remote_host peer $remote_gw


What I CAN do is ping the $remote_host through the tunnel
from the $int_if with the following command:
# ping -I $int_if $remote_host

This works and replies are received!


But if I try pinging from the $internal_host:
c:\> ping $remote_host

This doesn't work. The packets are not sent through the
tunnel but to the internet.


I've tried this route-to line in pf.conf:
pass in log quick on $int_if route-to enc0 from $int_net to
$remote_host keep state

And by running tcpdump on pflog0 I can see that packets are
matched:
rule 16/(match) pass out on enc0: $int_if > $remote_host:
icmp: echo request

But no traffic is sent through the tunnel.


Why are pings sent from the $internal_host not matched to
the flow/route and sent through the corresponding tunnel? 

Any help is appreciated in resolving this issue!


- Danial



Re: The New Secure Operating System

2008-12-09 Thread Felipe Alfaro Solana
On Tue, Dec 9, 2008 at 4:14 PM, Sunnz [EMAIL PROTECTED] wrote:

 The secure operating system standard will never be the same now that a
 National Security Agency-certified OS has gone commercial, but few
 mainstream enterprises today need an airtight OS tuned to run on
 fighter jets. And many organizations aren't properly securing their
 existing commercial OSes, anyway, security experts say.


 http://www.darkreading.com/security/management/showArticle.jhtml?articleID=212201490


This article sounds like pure and cheap marketing to me. EAL certification
has never meant anything to me, except the vendor went through a
certification process. Has EAL certification to be renewed every year?
Windows has been certified EAL4+ and it has never (and probably will never)
been secure. RHEL is also EAL4+ and it also had security problems.

Commercial operating systems, as long as its source code is closed for
professionals to study it, will never be secure. This new operating system
is a commercial one and the Web page of the vendor doesn't look very open
source friendly.



Re: The New Secure Operating System

2008-12-09 Thread Josh Grosse
On Wed, 10 Dec 2008 02:14:34 +1100, Sunnz wrote
 The secure operating system standard will never be the same now...

This was slashdotted almost a month ago:

http://tech.slashdot.org/article.pl?sid=08/11/18/1949232



FSC Econel 100 S2 cannot install 4.4 stable

2008-12-09 Thread Ivo Chutkin

Hello to everyone,

I have problem installing 4.4 stable on FSC Econel 100 S2.
I try to use the RAID controller on board LSI Logic MegaRAID as RAID 1
After choosing install from (I)nstall, (U)pgrade or (S)hell?
OpenBSD reports "No disks found."

Am I doing something wrong with it?

Or this is the problem?

 vendor Intel, unknown product 0x2925 (class mass storage subclass 
RAID, rev 0x02) at pci0 dev 31 function 2 not configured

Intel 82801I SMBus rev 0x02 at pci0 dev 31 function 3 not configured 

I appreciate your help.

Thanks,
Ivo


dmesg:

boot
booting cd0a:/4.4/i386/bsd.rd: 5155668+901212 [52+196208+181821]=0x623208
entry point at 0x200120

Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.
Copyright (c) 1995-2008 OpenBSD. All rights reserved. 
http://www.OpenBSD.org


OpenBSD 4.4-stable (RAMDISK_CD) #3: Sun Nov 16 18:13:33 CET 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/RAMDISK_CD
cpu0: Intel(R) Xeon(R) CPU E3110 @ 3.00GHz (GenuineIntel 686-class) 3 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,CX16,xTPR

real mem  = 1071964160 (1022MB)
avail mem = 1029955584 (982MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 03/19/08, BIOS32 rev. 0 @ 0xfdc02, 
SMBIOS rev. 2.4 @ 0x3feda000 (79 entries)
bios0: vendor FUJITSU SIEMENS // Phoenix Technologies Ltd. version 6.00 
R1.05.2679.A1 date 03/19/2008

bios0: FUJITSU SIEMENS ECONEL 100 S2
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP TCPA EINJ HEST BERT SSDT ERST SSDT SSDT SPCR 
MCFG HPET APIC BOOT

acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (PENA)
acpiprt2 at acpi0: bus -1 (PENB)
acpiprt3 at acpi0: bus -1 (PESA)
acpiprt4 at acpi0: bus -1 (PESB)
acpiprt5 at acpi0: bus 1 (PCIH)
bios0: ROM list: 0xc/0x9000 0xc9000/0x5800!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel 3200/3210 Host rev 0x01
em0 at pci0 dev 25 function 0 Intel ICH9 IGP AMT rev 0x02: irq 11, 
address 00:19:99:36:8e:4b

uhci0 at pci0 dev 26 function 0 Intel 82801I USB rev 0x02: irq 11
uhci1 at pci0 dev 26 function 1 Intel 82801I USB rev 0x02: irq 11
uhci2 at pci0 dev 26 function 2 Intel 82801I USB rev 0x02: irq 3
ehci0 at pci0 dev 26 function 7 Intel 82801I USB rev 0x02: irq 11
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
uhci3 at pci0 dev 29 function 0 Intel 82801I USB rev 0x02: irq 5
uhci4 at pci0 dev 29 function 1 Intel 82801I USB rev 0x02: irq 11
uhci5 at pci0 dev 29 function 2 Intel 82801I USB rev 0x02: irq 11
ehci1 at pci0 dev 29 function 7 Intel 82801I USB rev 0x02: irq 5
usb1 at ehci1: USB revision 2.0
uhub1 at usb1 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb0 at pci0 dev 30 function 0 Intel 82801BA Hub-to-PCI rev 0x92
pci1 at ppb0 bus 1
skc0 at pci1 dev 5 function 0 D-Link Systems DGE-530T B1 rev 0x11, 
Yukon Lite (0x9): irq 11

sk0 at skc0 port A: address 00:1c:f0:d1:cd:a6
eephy0 at sk0 phy 0: Marvell 88E1011 Gigabit PHY, rev. 5
vga1 at pci1 dev 7 function 0 ATI ES1000 rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
ichpcib0 at pci0 dev 31 function 0 Intel 82801IR LPC rev 0x02: PM disabled
vendor Intel, unknown product 0x2925 (class mass storage subclass 
RAID, rev 0x02) at pci0 dev 31 function 2 not configured

Intel 82801I SMBus rev 0x02 at pci0 dev 31 function 3 not configured
usb2 at uhci0: USB revision 1.0
uhub2 at usb2 Intel UHCI root hub rev 1.00/1.00 addr 1
usb3 at uhci1: USB revision 1.0
uhub3 at usb3 Intel UHCI root hub rev 1.00/1.00 addr 1
usb4 at uhci2: USB revision 1.0
uhub4 at usb4 Intel UHCI root hub rev 1.00/1.00 addr 1
usb5 at uhci3: USB revision 1.0
uhub5 at usb5 Intel UHCI root hub rev 1.00/1.00 addr 1
usb6 at uhci4: USB revision 1.0
uhub6 at usb6 Intel UHCI root hub rev 1.00/1.00 addr 1
usb7 at uhci5: USB revision 1.0
uhub7 at usb7 Intel UHCI root hub rev 1.00/1.00 addr 1
isa0 at ichpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
biomask ffed netmask ffed ttymask 
rd0: fixed, 3800 blocks
softraid0 at root
root on rd0a swap on rd0b dump on rd0b
erase ^?, werase ^W, kill ^U, intr ^C, status ^T



Re: The New Secure Operating System

2008-12-09 Thread bofh
On Tue, Dec 9, 2008 at 10:14 AM, Sunnz [EMAIL PROTECTED] wrote:
 The secure operating system standard will never be the same now that a
 National Security Agency-certified OS has gone commercial, but few
 mainstream enterprises today need an airtight OS tuned to run on
 fighter jets. And many organizations aren't properly securing their
 existing commercial OSes, anyway, security experts say.

Oh my god.  Let me migrate everything to this new secure OS immediately!


-- 
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity.
-- Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted.  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=j1G-3laJJP0&feature=related



Re: XenServer 5 with OpenBSD

2008-12-09 Thread Stephan A. Rickauer
On Mon, 2008-12-08 at 14:27 -0600, Adam Douglas wrote:
 The biggest question is OpenBSD on XenServer 5 Enterprise consider
 production ready even if the errors cannot be resolved?

OpenBSD is, Xen isn't.





Re: rx descriptor error

2008-12-09 Thread Chris Smith
On Tue, Dec 9, 2008 at 12:12 AM, David Gwynne [EMAIL PROTECTED] wrote:
 how strange. that line is printed if em(4) is unable to allocate
 any memory at all to put on the rx ring. ive never known the mbuf
 cluster allocator to fail.

 is this reproducable?

Yes, every boot provides the same error, even after compiling the
userland and running the makedev.

Chris



Re: The New Secure Operating System

2008-12-09 Thread Adriaan
On Tue, Dec 9, 2008 at 6:51 PM, bofh [EMAIL PROTECTED] wrote:
 On Tue, Dec 9, 2008 at 10:14 AM, Sunnz [EMAIL PROTECTED] wrote:
 The secure operating system standard will never be the same now that a
 National Security Agency-certified OS has gone commercial, but few
 mainstream enterprises today need an airtight OS tuned to run on
 fighter jets. And many organizations aren't properly securing their
 existing commercial OSes, anyway, security experts say.

 Oh my god.  Let me migrate everything to this new secure OS immediately!


Yea, you should  run this new secure OS under Xen or Vmware for even
more security ;)

=Adriaan=



Re: The New Secure Operating System

2008-12-09 Thread bofh
On Tue, Dec 9, 2008 at 7:53 PM, Adriaan [EMAIL PROTECTED] wrote:
 On Tue, Dec 9, 2008 at 6:51 PM, bofh [EMAIL PROTECTED] wrote:
 Oh my god.  Let me migrate everything to this new secure OS immediately!

 Yea, you should  run this new secure OS under Xen or Vmware for even
 more security ;)

Oh my, definitely yes.  After all, we all know from the experts that
another layer of abstraction only helps to keep us safe from the evil
hackers!

On an OT note, I found a documented case where vmotion is claimed to
have caused database corruption[1] according to my AV [EMAIL PROTECTED]  I'm
not sure exactly how the hell that can happen, but I'm sorta keeping
an eye on it - we use vmotion for our av management console too :(
Yes, from this vendor who said everything works fine when it doesn't.

*sigh*

[1]  Note - not necessarily DB corruption, but the symptoms are...
well... symptomatic :)
-- 
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
This officer's men seem to follow him merely out of idle curiosity.
-- Sandhurst officer cadet evaluation.
Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks
factory where smoking on the job is permitted.  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=j1G-3laJJP0&feature=related



Re: OpenBGPd kickstart

2008-12-09 Thread Rod Whitworth
Continuing the learning process: Since my last session on this I've had
lots of pointers to things I could research.  Particular thanks to
Stuart.

Man oh man, there are lots of monkeys typing junk that Google pads out
the useful search results with. 

Anyway there are some things that are a matter of judgement (or even
opinion) aided by experience. I don't have much of that in bgp-land so
I'd like to ask about a couple or so.

Redundancy: At first I would have thought that two identical routers in
a classical carp firewall hookup would have been a good choice. 

Henning has dealt with questions about that in various ways to suit the
poster's needs. None of those was quite like mine. 

I read his presentation with notes (at daemonnews) and the notes really
added quite a bit to the slides. Maybe that article could be referenced
on the OpenBGPd website.

Searching found quite a few other ideas and our peering provider's
support guy is nervous about anything that is akin to VRRP(!)  I told
him it is way better but he offered "I would not recommend going down
that path. I would prefer to allocate you a second ip on the IX and
have you run a separate BGP session from each router."

What would an experienced user do in this case? I've often wondered
about what happens when a carp box on standby fails. Does it / can it
be sensed/monitored by the master?

So is a pair of routers to the same three IXes a better choice? Without
carp? Can they balance any traffic? If not what happens? Do I need bgp
sessions between the two?

I don't need a how-to. Directions to take let me read and research
usually get me pretty close to working setups. 

I don't yet know the importance of all the bgpd.conf options. Later I
might post a copy of my intended version for target practice.  ;-) 
Filtering and preferencing sound important and I'm still trying to
figure out what filters I need that are not in the default
/etc/bgpd.conf.

TIA

Rod/




*** NOTE *** Please DO NOT CC me. I am subscribed to the list.
Mail to the sender address that does not originate at the list server is 
tarpitted. The reply-to: address is provided for those who feel compelled to 
reply off list. Thank you.

Rod/
/earth: write failed, file system is full
cp: /earth/creatures: No space left on device



Re: OpenBSD 4.4 Console Will Not Clear

2008-12-09 Thread Bret

Greets

Denny Thanks for pointing out I had not CC'ed the misc list.
So here is the full reply with the solution I found for the "7.3 - How do I
clear the console each time a user logs out?" problem. See the second to
last post for my solution. The FAQ just needs to be updated.


Bret

Denny White wrote:


  

Denny White wrote:


On Mon, Dec 08, 2008 at 03:56:21PM -0700, Bret spoke thusly:
  
  

Greetings

   I have been running OpenBSD as a firewall/router since 2.5 and 
have  never had any problem with Clearing the console each time a 
user logs  out. I have just installed 4.4 on a system that was 
running 4.0. I did a  complete install from the install CD off the 
ftp site(s). I then edited  /etc/gettytab the same way I have done 
many times before, following the  FAQ instructions. The console will 
not clear after logging out. I have  even rebooted and the same 
results. I thought I might have screwed the  file up editing it so I 
even did another clean install and ONLY  installed pico to edit 
/etc/gettytab just in case I somehow messed it up  using vi... still 
no go. Looked out on the net and found no reference to  this. Any 
Ideas?


Bret




I'm assuming you're referring to

http://www.openbsd.org/faq/faq7.html#ConsoleClear

i.e.,

To do this you must add a line in /etc/gettytab(5). Change the current
section:

P|Pc|Pc console:\
:np:sp#9600:

adding the line :cl=\E[H\E[2J: at the end, so that it ends up looking
like this:

P|Pc|Pc console:\
:np:sp#9600:\
:cl=\E[H\E[2J:


Now try changing

default:\
:np:im=\r\n%s/%m (%h) (%t)\r\n\r\n:sp#1200:

to

default:\
:np:im=\r\n%s/%m (%h) (%t)\r\n\r\n:sp#1200:cl=\E[H\E[2J:



Denny White

  
  

On Mon, Dec 08, 2008 at 09:20:24PM -0700, Bret spoke thusly:
  

Greets

I found that the ttys file now has:
ttyC0 /usr/libexec/getty std,9600
where it used to be:
ttyC0 /usr/libexec/getty Pc

so I changed the the following in /etc/gettytab:

2|std.9600|9600-baud:\
   :sp#9600:

To:

2|std.9600|9600-baud:\
   :sp#9600:\
   :cl=\E[H\E[2J:

and the console now clears every time.

Bret




You're absolutely right. Never noticed that. I ran into the same
problem as you when upgrading to 4.4 & used the way I sent you.
Nice to know another way & another way to look at it. Thanks.
You really ought to post that to [EMAIL PROTECTED] I noticed you didn't cc
the list. Be nice to have it in the archives for others. Thanks
again, Bret.


Denny White

- -- 


 /\ASCII Ribbon Campaign
 \ /Respect for low technology.
  X Keep e-mail messages readable by any computer system.
 / \Keep it ASCII.
===
GnuPG key  : 0x1644E79A  |  http://wwwkeys.nl.pgp.net
Fingerprint: D0A9 AD44 1F10 E09E 0E67  EC25 CB44 F2E5 1644 E79A
===





Re: The New Secure Operating System

2008-12-09 Thread Sunnz
2008/12/10 Adriaan [EMAIL PROTECTED]:
 Oh my god.  Let me migrate everything to this new secure OS immediately!


 Yea, you should  run this new secure OS under Xen or Vmware for even
 more security ;)

 =Adriaan=


Hmm I don't know... they claim that Linux, Windows and VMware aren't
secure, they haven't mentioned Xen though I would think it would be in
the same boat as VMware.

-- 
This e-mail may be confidential. You may not copy, forward or use any
part. Note that all disclaimers on the Internet are of zero legal
effectiveness however.
http://www.goldmark.org/jeff/stupid-disclaimers/



Re: possible bug in OpenNTPD code?

2008-12-09 Thread Anirban Sinha
There is yet another bug in Openntpd. This is direct copy-paste from
openntpd code (ntpd.c:main()):

do {
	if ((pid = wait(NULL)) == -1 &&
	    errno != EINTR && errno != ECHILD)
		fatal("wait");
} while (pid != -1 || (pid == -1 && errno == EINTR));

What this code intends to do is to reap all children and move on when
there are no more. Instead, it ends up blocking indefinitely even when
there are no children to reap!

The way I fixed the bug is by doing this:

Index: openntpd-src/ntpd.c
===
--- openntpd-src.orig/ntpd.c
+++ openntpd-src/ntpd.c
@@ -90,10 +90,11 @@ main(int argc, char *argv[])
 {
struct ntpd_conf lconf;
struct pollfdpfd[POLL_MAX];
-   pid_tchld_pid = 0, pid;
+   pid_tchld_pid = 0, pid=0;
const char  *conffile;
int  ch, nfds, timeout = INFTIM;
int  pipe_chld[2];
+   int  status;
extern char *__progname;

__progname = _compat_get_progname(argv[0]);
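Review bot: status is declared here without an initial value and pid now starts at 0, which interacts badly with the "if (pid !=-1)" test in the next hunk: when chld_pid is 0 the waitpid() call is skipped, pid is still 0, and the log line reports WEXITSTATUS of an uninitialized status. Initialize pid to -1, or make the log conditional on chld_pid, and write the initializer as "pid = 0" with spaces to match "chld_pid = 0" on the same line.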
@@ -233,11 +234,11 @@ main(int argc, char *argv[])
if (chld_pid)
kill(chld_pid, SIGTERM);

-   do {
-   if ((pid = wait(NULL)) == -1 
-   errno != EINTR  errno != ECHILD)
-   fatal(wait);
-   } while (pid != -1 || (pid == -1  errno == EINTR));
+   if (chld_pid  (pid = waitpid(chld_pid, status, 0)) == -1 
+   errno != EINTR  errno != ECHILD)
+   fatal(wait);
+   if (pid !=-1)
+   log_info(child %d exited with return code %d, pid,
WEXITSTATUS(status));

msgbuf_clear(ibuf-w);
free(ibuf);
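Review bot: the single waitpid() call that replaces the do/while is not retried when it fails with EINTR, so an interrupted call leaves the child unreaped and the exit is never logged; the removed loop handled that case. The child was also just sent SIGTERM a few lines above, so it will usually have been terminated by a signal, and WEXITSTATUS(status) is only meaningful after WIFEXITED(status) is true. Keep a retry loop around waitpid(), report WTERMSIG(status) when WIFSIGNALED(status) holds, and change the fatal() text from wait to waitpid so the message names the call that failed.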


It forks one child anyway. So it suffices to reap that one child.

I hope I will get some response to this. If not, I will assume that
there is really no interest in fixing bugs in openntpd and in that case,
I will patch only our local copy of the ntpd codebase (as opposed to
reporting to the community).

Thanks,

Ani

-Original Message-
From: Anirban Sinha
Sent: Thursday, December 04, 2008 6:04 PM
To: 'misc@openbsd.org'
Subject: possible bug in OpenNTPD code?

Hi:

I am sort of digging my way through the OpenNTPD codebase for my work.
I think I find a bug in the code. Please help me to understand the reason
if this is not a bug.

In function ntp_main() (ntp.c), we poll() to check if there are any
events of interest. We do this:

1. Check internal fds (PIPE_MAIN)
2. Then check PIPE_DNS fds
3. Then check PIPE_HOTPLUG fds

Next, for the server, we check all the fds we are listening on. And then
finally, for nfs clients, we check the fds for the remote servers. Now,
there's the issue in this line;

for (j = 1; nfds > 0 && j < idx_peers; j++) {
...
}

Shouldn't the index start with 3? That is, shouldn't we do this:

for (j = 3; nfds > 0 && j < idx_peers; j++)

since, indices 0,1 and 2 correspond to the three checks I have written
above which are already done.

In other words, can we apply the following patch to fix the issue?

Index: ntpd/ntp.c
===
--- ntpd.orig/ntp.c
+++ ntpd/ntp.c
@@ -344,7 +344,7 @@ ntp_main(int pipe_prnt[2], struct ntpd_c
   sensor_hotplugevent(hotplugfd);
   }

-  for (j = 1; nfds  0  j  idx_peers; j++)
+  for (j = PFD_MAX; nfds  0  j  idx_peers; j++)
   if (pfd[j].revents  (POLLIN|POLLERR)) {
   nfds--;
   if (server_dispatch(pfd[j].fd, conf) ==
-1)
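Review bot: the new start index in the for line is PFD_MAX, while the mail argues for 3 on the grounds that slots 0, 1 and 2 are the three pipe checks; nothing in the hunk shows that PFD_MAX equals 3 or that the listening sockets are stored starting at pfd[PFD_MAX]. The patch should be sent together with the PFD_* definitions and the code that fills pfd[] for the listeners, because the loop is only correct if both use the same first index. If the layout is as described, the case to name in the commit message is that starting at 1 lets a readable pipe descriptor reach server_dispatch() and use up an nfds count.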



Thanks,

Ani
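
The effect of the loop's start index, as an added example that is not OpenNTPD code and not part of the original mail: it models one poll() round under the layout the mail describes (three fixed pipe slots, then the listening sockets) and counts what the listener loop touches. The names SLOT_*, NLISTEN, run_round, pipe_fds_dispatched and listeners_served are invented for this sketch.

```c
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Assumed layout, taken from the mail: three fixed pipe slots, then listeners. */
enum { SLOT_MAIN, SLOT_DNS, SLOT_HOTPLUG, SLOT_MAX };
#define NLISTEN 2

struct result {
	int pipe_fds_dispatched;	/* pipe slots handed to the listener handler */
	int listeners_served;		/* ready listeners handled in this round */
};

/* One poll() round with the listener loop starting at `start`; 0 or -1. */
static int
run_round(int start, struct result *r)
{
	struct pollfd pfd[SLOT_MAX + NLISTEN];
	int pipes[SLOT_MAX][2], socks[NLISTEN][2];
	int i, j, nfds, idx_peers = SLOT_MAX + NLISTEN;

	r->pipe_fds_dispatched = r->listeners_served = 0;
	for (i = 0; i < SLOT_MAX; i++) {
		if (pipe(pipes[i]) == -1)
			return -1;
		pfd[i].fd = pipes[i][0];
		pfd[i].events = POLLIN;
	}
	for (i = 0; i < NLISTEN; i++) {
		if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks[i]) == -1)
			return -1;
		pfd[SLOT_MAX + i].fd = socks[i][0];
		pfd[SLOT_MAX + i].events = POLLIN;
	}
	/* Constructed input: one DNS-pipe message, one datagram per listener. */
	if (write(pipes[SLOT_DNS][1], "d", 1) != 1)
		return -1;
	for (i = 0; i < NLISTEN; i++)
		if (write(socks[i][1], "q", 1) != 1)
			return -1;

	if ((nfds = poll(pfd, idx_peers, 0)) == -1)
		return -1;

	/* Fixed slots are handled first; each ready one consumes one nfds. */
	for (i = 0; i < SLOT_MAX; i++)
		if (nfds > 0 && (pfd[i].revents & (POLLIN|POLLERR)))
			nfds--;

	/* Listener loop shaped like the one in the hunk. revents is not
	 * cleared by the checks above, so a low `start` revisits the pipes. */
	for (j = start; nfds > 0 && j < idx_peers; j++)
		if (pfd[j].revents & (POLLIN|POLLERR)) {
			nfds--;
			if (j < SLOT_MAX)
				r->pipe_fds_dispatched++;
			else
				r->listeners_served++;
		}

	for (i = 0; i < SLOT_MAX; i++) {
		close(pipes[i][0]);
		close(pipes[i][1]);
	}
	for (i = 0; i < NLISTEN; i++) {
		close(socks[i][0]);
		close(socks[i][1]);
	}
	return 0;
}

int
pipe_fds_dispatched(int start)
{
	struct result r;

	return run_round(start, &r) == -1 ? -1 : r.pipe_fds_dispatched;
}

int
listeners_served(int start)
{
	struct result r;

	return run_round(start, &r) == -1 ? -1 : r.listeners_served;
}

int
main(void)
{
	printf("start=1:        pipes dispatched=%d, listeners served=%d\n",
	    pipe_fds_dispatched(1), listeners_served(1));
	printf("start=SLOT_MAX: pipes dispatched=%d, listeners served=%d\n",
	    pipe_fds_dispatched(SLOT_MAX), listeners_served(SLOT_MAX));
	return 0;
}
```

With the low start index the already-handled DNS pipe is counted a second time, which also ends the round before the second ready listener is reached.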



Re: possible bug in OpenNTPD code?

2008-12-09 Thread Otto Moerbeek
On Tue, Dec 09, 2008 at 08:10:20PM -0800, Anirban Sinha wrote:

 I hope I will get some response to this. If not, I will assume that
 there is really no interest in fixing bugs in openntpd and in that case,
 I will patch only our local copy of the ntpd codebase (as opposed to
 reporting to the community).

misc@ is probably not the most suited place to report bugs. Better use
[EMAIL PROTECTED]

Anyway, I'll take a look at your diffs.

-Otto



Re: possible bug in OpenNTPD code?

2008-12-09 Thread Philip Guenther
On Tue, Dec 9, 2008 at 8:10 PM, Anirban Sinha [EMAIL PROTECTED] wrote:
 There is yet another bug in Openntpd. This is direct copy-paste from
 openntpd code (ntpd.c:main()):

 do {
 	if ((pid = wait(NULL)) == -1 &&
 	    errno != EINTR && errno != ECHILD)
 		fatal("wait");
 } while (pid != -1 || (pid == -1 && errno == EINTR));

 What this code intends to do is to reap all children and move on when
 there are no more. Instead, it ends up blocking indefinitely even when
 there are no children to reap!

How is it blocking indefinitely?  Is wait() not returning -1 with
errno == ECHILD when there are no children to reap?  What led you to
the conclusion that this code was blocking?  (What platform are you
running this on?)


 The way I fixed the bug is by doing this:
 +   if (chld_pid  (pid = waitpid(chld_pid, status, 0)) == -1 
 +   errno != EINTR  errno != ECHILD)
 +   fatal(wait);
 +   if (pid !=-1)
 +   log_info(child %d exited with return code %d, 
 pid,WEXITSTATUS(status));

This code fails to retry the waitpid() if it returns with EINTR.


Philip Guenther



Re: possible bug in OpenNTPD code?

2008-12-09 Thread Todd Alan Smith
On Tue, Dec 9, 2008 at 10:10 PM, Anirban Sinha [EMAIL PROTECTED] wrote:
 I hope I will get some response to this. If not, I will assume that
 there is really no interest in fixing bugs in openntpd and in that case,

Why would you assume that? That seems a bit hostile. Perhaps the
developers are a bit busy at the moment.



Re: possible bug in OpenNTPD code?

2008-12-09 Thread Anirban Sinha
 How is it blocking indefinitely?  Is wait() not returning -1 with
 errno == ECHILD when there are no children to reap?  What led you to
 the conclusion that this code was blocking?  (What platform are you
 running this on?)


Hmm, agreed. Looks like I was wrong with my analysis. In any case, I am
running the portable version of the ntpd on Linux. I am definitely
observing the parent still alive and blocked (sleeping) even when the
child is dead. I need to do some more digging on this.

Apologies.

Ani



Re: possible bug in OpenNTPD code?

2008-12-09 Thread Anirban Sinha
 Why would you assume that? That seems a bit hostile. Perhaps the
 developers are a bit busy at the moment.



True. I generally post on the Linux lists and I believe I am spoiled by getting 
quick responses from my postings. In future, I will remember to keep more 
patience.



Ani




Re: possible bug in OpenNTPD code?

2008-12-09 Thread Otto Moerbeek
On Wed, Dec 10, 2008 at 12:05:05AM -0600, Todd Alan Smith wrote:

 On Tue, Dec 9, 2008 at 10:10 PM, Anirban Sinha [EMAIL PROTECTED] wrote:
  I hope I will get some response to this. If not, I will assume that
  there is really no interest in fixing bugs in openntpd and in that case,
 
 Why would you assume that? That seems a bit hostile. Perhaps the
 developers are a bit busy at the moment.

Indeed it sounded hostile to me. Especially since the op is sending in a
buggy diff to code that is ok, afaiks.

-Otto



Re: possible bug in OpenNTPD code?

2008-12-09 Thread Otto Moerbeek
On Tue, Dec 09, 2008 at 09:57:25PM -0800, Philip Guenther wrote:

 On Tue, Dec 9, 2008 at 8:10 PM, Anirban Sinha [EMAIL PROTECTED] wrote:
  There is yet another bug in Openntpd. This is direct copy-paste from
  openntpd code (ntpd.c:main()):
 
  do {
  	if ((pid = wait(NULL)) == -1 &&
  	    errno != EINTR && errno != ECHILD)
  		fatal("wait");
  } while (pid != -1 || (pid == -1 && errno == EINTR));
 
  What this code intends to do is to reap all children and move on when
  there are no more. Instead, it ends up blocking indefinitely even when
  there are no children to reap!
 
 How is it blocking indefinitely?  Is wait() not returning -1 with
 errno == ECHILD when there are no children to reap?  What led you to
 the conclusion that this code was blocking?  (What platform are you
 running this on?)
 
 
  The way I fixed the bug is by doing this:
  +   if (chld_pid  (pid = waitpid(chld_pid, status, 0)) == -1 
  +   errno != EINTR  errno != ECHILD)
  +   fatal(wait);
  +   if (pid !=-1)
  +   log_info(child %d exited with return code %d, 
  pid,WEXITSTATUS(status));
 
 This code fails to retry the waitpid() if it returns with EINTR.
 
 
 Philip Guenther

Philip is right. The code is ok as is. Besides, in current, ntpd has
multiple children, so your one child argument is lost as well.

I'd take a look at your other diff later.

-Otto



Reminder: Call for Papers: AsiaBSDCon 2009 (deadline extended: Dec 20)

2008-12-09 Thread Hiroki Sato
Hello,

 This is a reminder of AsiaBSDCon 2009 paper submission and tutorial
 proposal deadline.  The deadline is extended to December 20, 2008.
 The next AsiaBSDCon will be held on 12-15 March 2009 in Tokyo.  You
 can find the details at:

  http://2009.asiabsdcon.org

 and the CFP can be found at:

  http://2009.asiabsdcon.org/cfp.html

 Please spread this to your friends in BSD communities and encourage
 them to attend (and write a paper), and let us know if you have any
 questions about the conference.  Thank you.

--
| Hiroki SATO
