xenocara errors

2010-05-24 Thread tonino-pablo
I am running 4.7-current amd64. Not sure what this means; I am guessing it is
an issue with the xf86-video-mga driver.

Tpo; exit 1; fi
 gcc -DHAVE_CONFIG_H -I. -I/usr/xenocara/driver/xf86-video-mga/src -I.. 
-I/usr/X11R6/include/xorg -I/usr/X11R6/include/pixman-1 -I/usr/X11R6/include 
-I/usr/X11R6/include -I/usr/include/dev/pci/drm -I/usr/X11R6/include/X11/dri 
-O2 -pipe -MT mga_dri.lo -MD -MP -MF .deps/mga_dri.Tpo -c 
/usr/xenocara/driver/xf86-video-mga/src/mga_dri.c  -fPIC -DPIC -o 
.libs/mga_dri.o
/usr/xenocara/driver/xf86-video-mga/src/mga_dri.c:50:21: mga_drm.h: No such 
file or directory
/usr/xenocara/driver/xf86-video-mga/src/mga_dri.c: In function 
`MGAWaitForIdleDMA':
/usr/xenocara/driver/xf86-video-mga/src/mga_dri.c:323: error: `DRM_MGA_FLUSH' 
undeclared (first use in this function)
/usr/xenocara/driver/xf86-video-mga/src/mga_dri.c:323: error: (Each undeclared 
identifier is reported only once
/usr/xenocara/driver/xf86-video-mga/src/mga_dri.c:323: error: for each function 
it appears in.)
/usr/xenocara/driver/xf86-video-mga/src/mga_dri.c:343: error: `DRM_MGA_RESET' 
undeclared (first use in this function)
/usr/xenocara/driver/xf86-video-mga/src/mga_dri.c: In function 
`MGADRIBootstrapDMA':
/usr/xenocara/driver/xf86-video-mga/src/mga_dri.c:552: error: syntax error 
before dma_bs
/usr/xenocara/driver/xf86-video-mga/src/mga_dri.c:555: error: `dma_bs' 
undeclared (first use in this function)
/usr/xenocara/driver/xf86-video-mga/src/mga_dri.c:562: error: 
`DRM_MGA_DMA_BOOTSTRAP' undeclared (first use in this function)
/usr/xenocara/driver/xf86-video-mga/src/mga_dri.c: In function 
`MGADRIKernelInit':
/usr/xenocara/driver/xf86-video-mga/src/mga_dri.c:786: error: syntax error 
before init
/usr/xenocara/driver/xf86-video-mga/src/mga_dri.c:794: error: `init' undeclared 
(first use in this function)
/usr/xenocara/driver/xf86-video-mga/src/mga_dri.c:794: error: `drm_mga_init_t' 
undeclared (first use in this function)
/usr/xenocara/driver/xf86-video-mga/src/mga_dri.c:796: error: `MGA_INIT_DMA' 
undeclared (first use in this function)
/usr/xenocara/driver/xf86-video-mga/src/mga_dri.c:827: error: `DRM_MGA_INIT' 
undeclared (first use in this function)
/usr/xenocara/driver/xf86-video-mga/src/mga_dri.c: In function 
`MGADRICloseScreen':
/usr/xenocara/driver/xf86-video-mga/src/mga_dri.c:1470: error: syntax error 
before init
/usr/xenocara/driver/xf86-video-mga/src/mga_dri.c:1484: error: `init' 
undeclared (first use in this function)
/usr/xenocara/driver/xf86-video-mga/src/mga_dri.c:1484: error: `drm_mga_init_t' 
undeclared (first use in this function)
/usr/xenocara/driver/xf86-video-mga/src/mga_dri.c:1485: error: 
`MGA_CLEANUP_DMA' undeclared (first use in this function)
/usr/xenocara/driver/xf86-video-mga/src/mga_dri.c:1486: error: `DRM_MGA_INIT' 
undeclared (first use in this function)
*** Error code 1

Stop in /usr/xenocara/driver/xf86-video-mga/obj/src (line 382 of Makefile).
*** Error code 1

Stop in /usr/xenocara/driver/xf86-video-mga/obj (line 329 of Makefile).
*** Error code 1

Stop in /usr/xenocara/driver/xf86-video-mga/obj (line 236 of Makefile).
*** Error code 1

Stop in /usr/xenocara/driver/xf86-video-mga (line 142 of 
/usr/X11R6/share/mk/bsd.xorg.mk).
*** Error code 1

Stop in /usr/xenocara/driver/xf86-video-mga (line 203 of 
/usr/X11R6/share/mk/bsd.xorg.mk).
*** Error code 1

Stop in /usr/xenocara/driver (line 48 of /usr/share/mk/bsd.subdir.mk).
*** Error code 1

Stop in /usr/xenocara (line 48 of /usr/share/mk/bsd.subdir.mk).



Re: How to figure out the error location?

2010-05-24 Thread Insan Praja SW

Hi,
On Mon, 24 May 2010 12:31:56 +0700, Bret S. Lambert  
bret.lamb...@gmail.com wrote:



On Mon, May 24, 2010 at 12:52:39AM +0200, Roger Schreiter wrote:

Hi,

we've been running a BGP router on OpenBSD for
months without problems.

Now it crashed two times within 4 days. After the
second crash, I could have a look on the screen:

   uvm_fault (0xd088cfc0, 0x6c4e2000, 0, 1) - e
   kernel: page fault trap, code=0
   Stopped at  pool_do_get+0x11b:   movl   0(%ebx),%eax

Is there any means to figure out which driver caused
the problem?


Yes, by following the instructions which accompanied this message.

WTF is it with people unable to do that lately?


There is a 4xFE-NIC from D-Link (interface ste0 .. 3),
whose driver seems to be new at OpenBSD-4.6.



Maybe OOT, but I suggest you replace the D-Link 4xFE with something else. It
has some problems with PF. I replaced mine a long time ago.



Should I try updating to OpenBSD-4.7?


Regards,
Roger.



Regards,


Insan
--
insandotpraja(at)gmaildotcom



Re: mount_portal on 4.7+

2010-05-24 Thread Joachim Schipper
On Mon, May 24, 2010 at 03:07:27AM +0400, ba...@yandex.ru wrote:
 Does mount_portal work? If yes, then please give some working (tested) example
 for fs.

To the best of my knowledge, it hasn't been seriously used/maintained in
ages. It may work, but use something else if at all possible.

Joachim



rdomain, mpe, ldpd, OpenBGPD and PF

2010-05-24 Thread Insan Praja SW

Hi Misc@,
Before I begin to test OpenBGPD MPLS VPN support on current, are there any
hints on route leaking, and an example or hints for making a complete setup of an
MPLS cloud and MPLS/VPN on a network?


In my earlier experience using OpenBSD, I used pf with rtable to make a
VPN-like network without isolation on the network. Now I need to know if
there are ways to have a semi-isolated network when using rdomain or
anything like it.


Thanks,



Insan Praja
--
insandotpraja(at)gmaildotcom



Re: 4.7 pf: quick and rdr-to/nat-to

2010-05-24 Thread Rene Maroufi
On Mon, May 24, 2010 at 01:24:26AM +0400, Vadim Jukov wrote:
 
 Then maybe, you'll show us output of:
 
 1. cat /etc/pf.conf
 2. pfctl -f /etc/pf.conf && pfctl -sr
 3. pfctl -o none -f /etc/pf.conf && pfctl -sr

Today it works without the quick. I don't know why, but it works now.

Sorry for the noise.

Cheers
Rene
-- 
Reni Maroufi
i...@maroufi.net



a secure web server

2010-05-24 Thread Jozsi Vadkan
I want to use a secure web server on OpenBSD.

It would serve only static HTML files, no CGI, no PHP, etc.

It just has to be secure, no need to be fast, just secure [only using
it with HTTPS].

What would be the best web server software?

nginx?
apache?
lighthttpd?

Thank you for any proposals.

Have a nice day!



Re: a secure web server

2010-05-24 Thread Dave Wilson
On 24/05/2010 11:44, Jozsi Vadkan wrote:
 I want to use a secure web server on OpenBSD.
 
 It would serve only static HTML files, no CGI, no PHP, etc.
 
 It just has to be secure, no need to be fast, just secure [only using
 it with HTTPS].
 
 What would be the best web server software?
 
 nginx?
 apache?
 lighthttpd?
 
 Thank you for any proposals.
 
 Have a nice day!
 

Handily, there happens to be just such a web server that comes as part
of the standard OpenBSD install. Secure, chrooted, supports SSL, sane
defaults out of the box. See man httpd(8), or take a look at
http://www.openbsd.org/cgi-bin/man.cgi?query=httpd

http://www.openbsd.org/faq/faq10.html#HTTPS will also help, and deals
specifically with setting up an SSL-enabled server.

As a side note, might I humbly recommend that in future a certain amount
of Googling, or even just browsing around the FAQ by hand, might bring
better results than just asking this list, which generally prefers to
focus on more complex issues, ie ones not already well-documented in the
man pages, the FAQ, and answered repeatedly in the archives of this list.

Cheers,

Si1entDave

-- 

Yes, I know, I've just defeated my own argument by giving him his
answers on a platter, and thus reinforcing said behaviour, but what the
hell, its a nice sunny day here in Coventry. I'm in a good mood :-)



Re: a secure web server

2010-05-24 Thread Francesco Vollero

Il 24/05/10 12.44, Jozsi Vadkan ha scritto:

I want to use a secure web server on OpenBSD.

   

That's a very generic idea.

It would serve only static HTML files, no CGI, no PHP, etc.

It just has to be secure, no need to be fast, just secure [only using
it with HTTPS].

   

What do you mean by secure?
Not vulnerable to any attacks?
Can resist a DDoS from thousands of machines?
Nobody finding out that you set asd or asdasd as the root password?


What would be the best web server software?

nginx?
   
It's a reverse proxy, and by the definition of a proxy it implements a light
web server. It has a small footprint and some[1] say it is fast because it
implements non-blocking I/O.

apache?
   

maybe yes, but it's more than you need

lighthttpd?
   

better not.

Thank you for any proposals.

Have a nice day!

   

[1] https://calomel.org/nginx.html



Re: a secure web server

2010-05-24 Thread Jordi Espasa Clofent

http://www.openbsd.org/faq/faq1.html#Included

Our improved and secured version of the Apache 1.3 web server. The 
OpenBSD team has added default chrooting, privilege revocation, and 
other security-related improvements. Also includes mod_ssl and DSO 
support. 


The httpd included by default in the system is exactly what you are 
looking for.

;)

--
I must not fear. Fear is the mind-killer. Fear is the little-death that 
brings total obliteration. I will face my fear. I will permit it to pass 
over me and through me. And when it has gone past I will turn the inner 
eye to see its path. Where the fear has gone there will be nothing. Only 
I will remain.


Bene Gesserit Litany Against Fear.



Re:

2010-05-24 Thread patrick kristensen
2010/5/24 J.C. Roberts list-...@designtools.org:
 On Mon, 24 May 2010 00:00:07 +0200 patrick kristensen
 kristensenpatri...@gmail.com wrote:
 I have managed to get a working connection with the following script


 /etc/ppp/ppp.conf

 default:
  set log Phase Chat LCP IPCP CCP tun command
  set device /dev/cuaU0
  set speed 460800
  set dial ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \\ AT OK-AT-OK
 ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT

 esp:
   set device /dev/cuaU0
   set speed 460800
   set timeout 0
   set dial ABORT BUSY TIMEOUT 5 \
   \\ \
   AT OK-AT-OK \
   AT+CPIN=\\\7291\\\ OK-AT-OK \
   AT+CFUN=1 OK-AT-OK \
   AT+CGDCONT=1,\\\IP\\\,\\\movistar.es\\\ OK-AT-OK \
   \\dATDT*99***1# TIMEOUT 30 CONNECT


   set ifaddr 0 81.47.192.13 255.255.255.255
   add default HISADDR
   enable dns

 # ./.

 Setting 'set ifaddr 0.0.0.0/0 0.0.0.0/0 255.255.255.255' gave me an
 IP address for MYADDR but I did not get a route.
 Setting 'set ifaddr 0.0.0.0/0 194.179.1.100 (which was DNS)
 255.255.255.255' made it possible to nslookup movistar.es.
 After nslookup of the APN and hardcoding the IP to HISADDR I got a
 working connection.
 The APN (Movistar (Telefonica) Spain) is correct
 (http://www.vysoo.com/apn.php#415 and other sources). (I have not been
 able to find other data networks for movistar as with your example
 with Verizon.)
 This setup works so far (I can ping external addresses).
 My understanding of ppp(8) is that it should have been enough to 'set
 ifaddr 0 0 255.255.255.255 (0)' and 'add default HISADDR' (if the
 CGDCONT is correct).
 I appreciate any input on the script and log.

 It seems your routing is hosed. As the ppp(8) manual states, if you
 use add it will not overwrite your default route (typically stored
 in /etc/mygate). When you want to overwrite the default route, you need
 to use add! such as:

add! default HISADDR

 Typically, you want to overwrite the default route, but note, you'll
 probably see some harmless warnings for routes that ppp cannot
 overwrite (such as IPv6 when it's not supported by your provider).

 As for setting up the interface addresses, you should define all four
 parts, rather than defining only three as you have done above.

set ifaddr 10.0.0.1/0 10.0.0.2/0 0.0.0.0 0.0.0.0
   part#1 part#2 part#3  part#4

 In your script above, your part#1 of 0 is *DEMANDING* that your
 address be 0.0.0.0/32 and nothing else, or in other words, you are
 *DEMANDING* that you become the default route for the remote system.
 Needless to say the remote system will just laugh at you and refuse
 to change its default route (i.e. address your end as 0.0.0.0).

 Setting the netmask (part#3) to 0.0.0.0 forces ppp to assign an
 appropriate netmask. Since it is a point-to-point link and some
 operating systems/kernels do not understand a POINTTOPOINT netmask,
 you'll typically end up with 255.255.255.255 or 255.255.255.0 for the
 netmask of your tun0 interface *even* if the remote gateway address is
 outside of the netmask.

 Using part#4 is important. This is the address you *SUGGEST* that your
 side should be, but you *DEMAND* your side gets an address defined by
 part#1 (the /0 netmask on part#1 says any IP address).

 Additionally, part#4 is also the trigger address when using '-auto'
 mode to connect or reconnect.

 Lastly, there's no point in defining 'device' 'speed' and 'dial' in the
 default: section of your config file since you are redefining them in
 the esp: section.

 Once you have the above corrected, look at your CHAP settings. Though
 you were able to negotiate IP addresses (according to the log), it
 seems your provider wanted to use CHAP authentication. If you made the
 previous corrections and you still cannot connect, then you may need
 to use CHAP:

set authname myusername
set authkey mypassword
set login

 Not all providers require PAP/CHAP authentication through 'authname'
 'authkey' and 'login' because the real authentication is being done by
 device identifiers (MEID and/or IMEI).

jcr

 --
 The OpenBSD Journal - http://www.undeadly.org


I used the 'add! default' and the 'TRIGGER ADDR' in several attempts
but removed them when they didn't seem to change anything; however, I
understand that they should be there.

Setting 'set ifaddr 0.0.0.0/0 0.0.0.0-255.255.255.254 0.0.0.0 0.0.0.0'
works; however, I still cannot set HISADDR to '0.0.0.0/0' to get an
IP address offer for HISADDR. I assume setting a range has the same
effect as setting HISADDR with changeable bits, but I don't understand
why 0.0.0.0/0 or any variation doesn't give me an address.

These set ifaddr settings do not work:
0.0.0.0/0 0.0.0.0/0 0.0.0.0 0.0.0.0
0.0.0.0/0 0.0.0.0/32 0.0.0.0 0.0.0.0
0.0.0.0 0.0.0.0 0.0.0.0.0 0.0.0.0
0.0.0.0/0 0.0.0.0/0 0.0.0.0 0.0.0.0/0
etc.

These work:
0.0.0.0/0 81.47.192.13 0.0.0.0 0.0.0.0
0.0.0.0/0 0.0.0.0-255.255.255.254 0.0.0.0 

Re: rdomain, mpe, ldpd, OpenBGPD and PF

2010-05-24 Thread Claudio Jeker
On Mon, May 24, 2010 at 05:23:00PM +0700, Insan Praja SW wrote:
 Hi Misc@,
 Before I begin to test OpenBGPD MPLS VPN support on current, are
 there any hints on route leaking, and an example or hints for making a
 complete setup of an MPLS cloud and MPLS/VPN on a network?
 
 In my earlier experience using OpenBSD, I used pf with rtable to make
 a VPN-like network without isolation on the network. Now I need to
 know if there are ways to have a semi-isolated network when using
 rdomain or anything like it.

Passing traffic between VPNs is either done in pf(4) by setting the rtable
on a rule or by importing routes in BGP (import/export-target).
The first method is much more flexible but more static.

First of all you need the attached diff to play with the kernel MPLS part.
With that in you can start playing with the various parts.
1. You need to MPLS enable the interfaces that do MPLS
   In my test I use a vlan for this:
# more /etc/hostname.vlan2003 
vlan 2003 vlandev sis0
inet 10.83.128.26 255.255.255.248 NONE
mpls

2. Then it is best to have a loopback interface:
# more /etc/hostname.lo1
inet 10.83.66.23 255.255.255.255 NONE

3. LDP config:
router-id 10.83.66.23
distribution independent
retention liberal
advertisement unsolicited
interface lo1 {
}
interface vlan2003 {
}

4. I use ospfd as IGP, there is nothing special needed here.

5. create a rdomain 1:
# more /etc/hostname.vlan2017
rdomain 1
vlan 2017 vlandev sis0
inet 192.168.220.1 255.255.255.0

6. create a mpe(4) in rdomain 1:
# more /etc/hostname.mpe0
rdomain 1 mplslabel 543
inet 10.83.66.129 255.255.255.255

Note: it is necessary to have an IP on mpe(4) but it does not matter which
one you pick. I normally use the loopback IP but maybe using the vlan2017
IP would be smarter.

7. BGP config:
AS 65003
router-id 10.83.66.23
listen on 10.83.66.23
rdomain 1 {
descr CUSTOMER1
rd 65003:1
import-target rt 65003:1
export-target rt 65003:1
depend on mpe0
network 192.168.220/24
}
group ibgp {
announce IPv4 unicast
announce IPv4 vpn
remote-as 65003
local-address 10.83.66.23
neighbor 10.83.66.2 {
descr c2
}
}

Start ospfd, bgpd, and ldpd and hope for the best (check that all sessions
come up). Set up something similar on a second system.
Use e.g. ping -V1 -I 192.168.220.1 192.168.221.1 to test the VPN.

It is possible to use gif/gre instead of LDP -- just use a gre interface
in point 1 and skip everything that needs LDP.

-- 
:wq Claudio

Index: sbin/ifconfig/ifconfig.8
===
RCS file: /cvs/src/sbin/ifconfig/ifconfig.8,v
retrieving revision 1.200
diff -u -p -r1.200 ifconfig.8
--- sbin/ifconfig/ifconfig.87 May 2010 06:17:34 -   1.200
+++ sbin/ifconfig/ifconfig.824 May 2010 12:48:34 -
@@ -347,6 +347,11 @@ this directive is used to select between
 and 802.11g
 .Pq Dq 11g
 operating modes.
+.It Cm mpls
+Enable Multiprotocol Label Switching (MPLS) on the interface. It will be
+able to send and receive MPLS traffic.
+.It Fl mpls
+Disable MPLS on the interface.
 .It Cm mtu Ar value
 Set the MTU for this device to the given
 .Ar value .
Index: sbin/ifconfig/ifconfig.c
===
RCS file: /cvs/src/sbin/ifconfig/ifconfig.c,v
retrieving revision 1.232
diff -u -p -r1.232 ifconfig.c
--- sbin/ifconfig/ifconfig.c6 May 2010 12:58:40 -   1.232
+++ sbin/ifconfig/ifconfig.c6 May 2010 20:34:51 -
@@ -191,6 +191,7 @@ voidunsetmediaopt(const char *, int);
 void   setmediainst(const char *, int);
 void   settimeslot(const char *, int);
 void   timeslot_status(void);
+void   setifmpls(const char *, int);
 void   setmpelabel(const char *, int);
 void   setvlantag(const char *, int);
 void   setvlanprio(const char *, int);
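Review bot: `setifmpls` is declared in this hunk but neither defined nor referenced anywhere in the visible diff; the command-table hunk that follows routes both `mpls` and `-mpls` through the existing `setifxflags` handler with `IFXF_MPLS`, so either drop this prototype or have the table entries use `setifmpls`.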
@@ -346,6 +347,8 @@ const structcmd {
{ -rtlabel,   -1, 0,  setifrtlabel },
{ range,  NEXTARG,0,  setatrange },
{ phase,  NEXTARG,0,  setatphase },
+   { mpls,   IFXF_MPLS,  0,  setifxflags },
+   { -mpls,  -IFXF_MPLS, 0,  setifxflags },
{ mplslabel,  NEXTARG,0,  setmpelabel },
{ advbase,NEXTARG,0,  setcarp_advbase },
{ advskew,NEXTARG,0,  setcarp_advskew },
@@ -3252,6 +3255,7 @@ mpe_status(void)
printf(\tmpls label: %d\n, shim.shim_label);
 }
 
+/* ARGSUSED */
 void
 setmpelabel(const char *val, int d)
 {
Index: sys/conf/GENERIC
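An added check for the route leaking Claudio describes via import-target/export-target (my code, not his and not part of OpenBGPD): it parses rdomain blocks in the bgpd.conf layout shown above and lists which VPN can receive which other VPN's routes, so an unintended cross-customer leak is visible before any session comes up. The sample config is constructed; only the CUSTOMER1 block mirrors the thread, and the function names are mine.

```python
import re

# Constructed sample in the bgpd.conf layout used in the thread. The rdomain 1
# block mirrors Claudio's CUSTOMER1; rdomains 2 and 3 are made up to show an
# intended hub-and-spoke leak (both customers <-> SHARED) and an accidental one
# (CUSTOMER2 importing CUSTOMER1's route target).
SAMPLE_BGPD_CONF = """\
AS 65003
router-id 10.83.66.23
listen on 10.83.66.23
rdomain 1 {
descr CUSTOMER1
rd 65003:1
import-target rt 65003:1
import-target rt 65003:3
export-target rt 65003:1
depend on mpe0
network 192.168.220/24
}
rdomain 2 {
descr CUSTOMER2
rd 65003:2
import-target rt 65003:2
import-target rt 65003:3
import-target rt 65003:1
export-target rt 65003:2
depend on mpe1
network 192.168.221/24
}
rdomain 3 {
descr SHARED
rd 65003:3
import-target rt 65003:1
import-target rt 65003:2
export-target rt 65003:3
depend on mpe2
network 10.83.200/24
}
"""


def parse_rdomains(text):
    """Collect every 'rdomain N { ... }' block into {N: {descr, rd, imports, exports}}."""
    blocks, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        start = re.match(r"rdomain\s+(\d+)\s*\{$", line)
        if start:
            cur = {"descr": None, "rd": None, "imports": set(), "exports": set()}
            blocks[int(start.group(1))] = cur
        elif cur is None:
            continue  # top-level statements (AS, router-id, group ...) are ignored
        elif line == "}":
            cur = None
        elif line.startswith("descr "):
            cur["descr"] = line.split(None, 1)[1]
        elif line.startswith("rd "):
            cur["rd"] = line.split()[1]
        elif line.startswith("import-target rt "):
            cur["imports"].add(line.split()[2])
        elif line.startswith("export-target rt "):
            cur["exports"].add(line.split()[2])
    return blocks


def route_flows(blocks):
    """List (exporter, importer, route_target) for every cross-rdomain match.

    An rdomain receives another rdomain's routes whenever one of its
    import-targets equals one of the other's export-targets. Same-rdomain
    matches are the normal case and are skipped, so everything returned is a
    route leak between VPNs, intended or not.
    """
    flows = []
    for src, s in blocks.items():
        for dst, d in blocks.items():
            if src != dst:
                for rt in sorted(s["exports"] & d["imports"]):
                    flows.append((src, dst, rt))
    return sorted(flows)


def leak_report(text, intended):
    """Compare the leaks a config permits with the (exporter, importer) pairs
    the operator meant to allow; anything unexpected breaks VPN isolation."""
    found = {(src, dst) for src, dst, _ in route_flows(parse_rdomains(text))}
    return {"unexpected": sorted(found - intended), "missing": sorted(intended - found)}


if __name__ == "__main__":
    blocks = parse_rdomains(SAMPLE_BGPD_CONF)
    for src, dst, rt in route_flows(blocks):
        print("rdomain %d (%s) -> rdomain %d (%s) via rt %s"
              % (src, blocks[src]["descr"], dst, blocks[dst]["descr"], rt))
    # Only the SHARED rdomain is supposed to exchange routes with the customers.
    print(leak_report(SAMPLE_BGPD_CONF, {(1, 3), (3, 1), (2, 3), (3, 2)}))
```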

Re: rdomain, mpe, ldpd, OpenBGPD and PF

2010-05-24 Thread Insan Praja SW

Hi Claudio,
Thanks, I'll report back to you after I'm done with my first test.

On Mon, 24 May 2010 20:11:46 +0700, Claudio Jeker  
cje...@diehard.n-r-g.com wrote:



On Mon, May 24, 2010 at 05:23:00PM +0700, Insan Praja SW wrote:

Hi Misc@,
Before I begin to test OpenBGPD mpls VPN support on current, is
there any hints on route-leaking, and an example/hints to make a
complete setup MPLS cloud and MPLS/VPN on a network.

In my later experiences using OpenBSD, I use pf with rtable to make
a VPN-like network without isolation on the network. Now I need to
know if there are ways to have a semi-isolated network when using
rdomain or anything like it.


Passing traffic between VPNs is either done in pf(4) by setting the rtable
on a rule or by importing routes in BGP (import/export-target).
The first method is much more flexible but more static.

First of all you need the attached diff to play with the kernel MPLS part.
With that in you can start playing with the various parts.
1. You need to MPLS enable the interfaces that do MPLS
   In my test I use a vlan for this:
# more /etc/hostname.vlan2003
vlan 2003 vlandev sis0
inet 10.83.128.26 255.255.255.248 NONE
mpls

2. Then it is best to have a loopback interface:
# more /etc/hostname.lo1
inet 10.83.66.23 255.255.255.255 NONE

3. LDP config:
router-id 10.83.66.23
distribution independent
retention liberal
advertisement unsolicited
interface lo1 {
}
interface vlan2003 {
}

4. I use ospfd as IGP, there is nothing special needed here.

5. create a rdomain 1:
# more /etc/hostname.vlan2017
rdomain 1
vlan 2017 vlandev sis0
inet 192.168.220.1 255.255.255.0

6. create a mpe(4) in rdomain 1:
# more /etc/hostname.mpe0
rdomain 1 mplslabel 543
inet 10.83.66.129 255.255.255.255

Note: it is necessary to have an IP on mpe(4) but it does not matter which
one you pick. I normally use the loopback IP but maybe using the vlan2017
IP would be smarter.

7. BGP config:
AS 65003
router-id 10.83.66.23
listen on 10.83.66.23
rdomain 1 {
descr CUSTOMER1
rd 65003:1
import-target rt 65003:1
export-target rt 65003:1
depend on mpe0
network 192.168.220/24
}
group ibgp {
announce IPv4 unicast
announce IPv4 vpn
remote-as 65003
local-address 10.83.66.23
neighbor 10.83.66.2 {
descr c2
}
}

Start ospfd, bgpd, and ldpd and hope for the best (check that all sessions
come up). Set up something similar on a second system.
Use e.g. ping -V1 -I 192.168.220.1 192.168.221.1 to test the VPN.

It is possible to use gif/gre instead of LDP -- just use a gre interface
in point 1 and skip everything that needs LDP.


Thanks,


--
insandotpraja(at)gmaildotcom



problems with CARP

2010-05-24 Thread Stefano Sasso
Hi all,
I have some problems with CARP (I can't get it working).

this is my current configuration:

# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding=1

# sysctl net.inet.carp
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=2

# cat /etc/hostname.carp1
inet 172.16.0.1 255.255.255.0 172.16.0.255 vhid 2 pass carppasswd carpdev em1

# cat /etc/hostname.em1
inet 172.16.0.3 255.255.255.0

(pf is disabled)

# ifconfig carp1
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:5e:00:01:02
priority: 0
carp: MASTER carpdev em1 vhid 2 advbase 1 advskew 0
groups: carp
inet6 fe80::200:5eff:fe00:102%carp1 prefixlen 64 scopeid 0x8
inet 172.16.0.1 netmask 0xff00 broadcast 172.16.0.255

from the carp device I'm able to ping 172.16.0.1, but from a client I
can't (but I can ping 172.16.0.3).
But in the client I have an arp entry for 172.16.0.1 (correctly
referring to 00:0:5e:00:01:02)

when I tcpdump on em1 I can see the carp advertisement:
16:47:21.223303 CARPv2-advertise 36: vhid=2 advbase=1 advskew=0
demote=0 (DF) [tos 0x10]
but when I tcpdump on carp1 I can't see anything.

any hint?

thanks,
stefano






Toshiba L505D-S5983 ACPI

2010-05-24 Thread Michael Seney
I have to disable ACPI in order to boot OpenBSD 4.7 on this laptop. I
don't really mind but can this harm the hardware?



Re: Toshiba L505D-S5983 ACPI

2010-05-24 Thread Jan Stary
On May 24 11:29:51, Michael Seney wrote:
 I have to disable ACPI in order to boot OpenBSD 4.7 on this laptop. I
 don't really mind but can this harm the hardware?

Of course; things burn. Nice laptop you got there ...
I can take it under my protection for $1000 a week.



Re: OpenBGP: 3 doubts regarding localpref, rib out and announcement

2010-05-24 Thread Eduardo Meyer
On Sun, May 23, 2010 at 3:10 PM, Henning Brauer lists-open...@bsws.de wrote:
 match to $peer_2 prefix X.Y.Z.0/23 set localpref +50

 But it wont work as I need. Please remember X.Y.Z.0/23 is announced by me.

 localpref for outgoing? that is useless. localpref is, well, local,
 and not transmitted to the peer. and since you're setting it outbound
 (after all route decisions) it is a noop.

I believe I was not clear. I need to set a certain prefix of mine with
a higher localpref. It's not expected to be transmitted to the peer,
it's a local router policy decision to set localpref for a local /23.

Today I do this with pf route-to.

pass route-to peer2_ip from x.y.z.0/23 to any

 sounds like you're after sh ri out nei foo

That's exactly what I wanted, thank you a lot, Brauer.


 Finally, my last doubt. I want to re-announce the bogon prefix I get
 from the Cymru project to my internal BGP servers. I do announce all but
 the bogon list prefixes I get from Cymru don't get announced. I
 managed to set community delete NO_EXPORT since I believed the
 NO_EXPORT community Cymru sends me is the cause of non-reannouncement
 on the announce all desired behavior.
 However they still don't get announced to my peers.

 i bet this is an invalid nexthop case. set nexthop-self might be
 required.

That's why I like talking to those who know. You are absolutely right,
thank you again :) I could export it by setting it to a reachable
nexthop.

But now I tried something else which did not work.

My scenario:

group cymru {
 ...
 set community $myasn:6
 ...
 peer $cymru1 {
   ...
   ...
 }
 peer $cymru2 {
   ...
 }
}

#match from any community $myasn:6 set community delete NO_EXPORT #
[1] works great
match to $transit_peer1 community $myasn:6 set community delete
NO_EXPORT # [2] wont work, never gets deleted

My intention: export selectively what I get from group cymru, by
selectively removing the NO_EXPORT community.

If I comment [1] and uncomment [2] the rule won't match. [1] always matches fine...

In fact I tested a number of rules and none with match to .. set X
worked when I am dealing with a prefix I got from someone else (not
announced by me).

What am I missing?


-- 
===
Eduardo Meyer
pessoal: dudu.me...@gmail.com
profissional: ddm.farmac...@saude.gov.br



Re: Toshiba L505D-S5983 ACPI

2010-05-24 Thread Paul Irofti
On Mon, May 24, 2010 at 11:29:51AM -0400, Michael Seney wrote:
 I have to disable ACPI in order to boot OpenBSD 4.7 on this laptop. I
 don't really mind but can this harm the hardware?
 

Why do you have to disable it? What's the panic/problem etc.

dmesg, acpidump...



Implementing ntop - Last Version

2010-05-24 Thread Rovercy de Oliveira
Hi all,



It's a pleasure to be on the OpenBSD main list; this is my first time.
But I think anyone could have a question like this. The problem is: I am trying
to implement ntop on OpenBSD, but the version we have in the pkg
repository is very old, and the interface of that version is a little bit
outdated. As we are a security company that offers OpenBSD as a service, the
current ntop is totally outside what the customers expect.



I have already tried to compile the source code on OpenBSD, but it
doesn't work at all. So what is the hint in my case?



Thanks a lot in advance!



Att,
--
Rovercy











Recommended 802.11g adapter

2010-05-24 Thread Piotr Komborski
Hello,

I'm going to set up an OpenBSD based AP on an ALIX board.  I've read the ral(4) and ath(4)
manpages but the mPCI card models mentioned are really hard to find on the
market. I found only the Ralink RT2800 based Sparklan WMIR-200N which is too
expensive for me ($60).
Can anybody recommend an 802.11g miniPCI card that is able to work in host
AP mode?

regards

Piotr








Re:

2010-05-24 Thread J.C. Roberts
I realize you must be frustrated while learning something new, but I am
frustrated by you not paying attention. Now let's look at what I wrote
one more time:

  set ifaddr  10.0.0.1/0  10.0.0.2/0  0.0.0.0  0.0.0.0
  part#1  part#2  part#3   part#4

The first chunk of part#1, namely '10.0.0.1', says I want my IP address
to be 10.0.0.1 but the second chunk of part#1, namely the '/0', is a
netmask which says I will accept any IP address the remote system wants
me to use on my side.

The first chunk of part#2, namely '10.0.0.2', says I want the remote
side to use IP address 10.0.0.2 but the second chunk of part#2, namely
the '/0', says I will accept any IP address the remote system wants to
use on their side.

The IP addresses (and netmasks) stated in part#1 and part#2 are
important. They should never be the same, and they should never be set
to default route address ('0.0.0.0'). This is why two separate private
IP addresses are used in the above (10.0.0.1 and 10.0.0.2), and also why
the netmask '/0' in CIDR notation allows for the remote side to pick any
address it wants to use for *both* your IP address and its IP address.

If you forget the CIDR notation netmask on part#1 or part#2, you are
DEMANDING that the specified address be used, and if the other side
disagrees, your side will disconnect.

The part#3 is the netmask assigned on my side to the resulting
connection after we negotiate addresses. Links between two systems made
with Point to Point Protocol (ppp) are weird in comparison to typical
network links, and some operating systems do not have a specific
PointToPoint netmask in the network stack, so the netmask must be
faked. Using '0.0.0.0' as the part#3 netmask tells the ppp program to
use what is available and the result is ppp will typically set the
netmask to '255.255.255.255' automatically.

The part#4 is the trigger address which controls when ppp will try to 
establish a connection. Since we set part#4 to the equivalent of any
address namely '0.0.0.0' any attempt to contact another system will
result in ppp automatically establishing the connection. The thing to
realize is 0.0.0.0 is roughly equivalent to a default route.

The stuff you are doing is just plain wrong:

  set ifaddr 0.0.0.0/0  0.0.0.0-255.255.255.254  0.0.0.0  0.0.0.0
             part#1     part#2                   part#3   part#4

Prior to negotiating address, you are saying your IP address will
initially be 0.0.0.0 and the remote IP address will also initially be
0.0.0.0. The problem is, when two systems have the same IP address you
have a conflict. Additionally, since 0.0.0.0 equates to the default
route, this is very bad. Needless to say, the ppp(8) software is
compensating for your mistakes and doing the best it can with your
broken config.

In the second chunk of your part#1, namely '/0', this netmask says that
you will accept any IP address the other side wants you to use. This is
good.

The second chunk of part#3, namely '-255.255.255.254', is using the
wrong syntax. The ppp(8) program might interpret this as a range of
addresses, or might interpret it as a pair of addresses, or it might
interpret it as a netmask. You should use simple CIDR notation as
described in the ppp man page.

If ppp(8) is interpreting this bad second chunk of part#3 as a netmask,
then you are *DEMANDING* that the remote system use 0.0.0.0 or 0.0.0.1 as
its IP address, and if the remote side refuses to use one of those two
addresses, then you will disconnect.


jcr
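The rules the post lays out for 'set ifaddr' (different addresses in part#1 and part#2, neither 0.0.0.0, '/nn' meaning negotiable and a missing mask meaning demanded, plain CIDR rather than hyphenated ranges) can be turned into a small lint for ppp.conf lines. This is an added example, not code from the post or from ppp(8); the two input lines are the ones quoted above, and the severity of each finding is my own choice.

```python
"""Check a ppp.conf 'set ifaddr' line against the rules given in the post."""
import ipaddress
from dataclasses import dataclass
from typing import List

ANY_ADDR = ipaddress.IPv4Address("0.0.0.0")   # doubles as the default-route address


@dataclass
class Endpoint:
    addr: ipaddress.IPv4Address
    bits: int          # 0 = fully negotiable, 32 = address is demanded
    raw: str

    @property
    def negotiable(self) -> bool:
        return self.bits < 32


def parse_endpoint(token: str, problems: List[str]) -> Endpoint:
    """Parse 'IP[/nn]' (part#1 or part#2). Without '/nn' the address is
    demanded, so a peer that disagrees causes a disconnect (treated as /32)."""
    raw = token
    if "-" in token or "," in token:
        problems.append(f"{raw!r} is not plain CIDR notation (IP[/nn])")
        token = token.split("-")[0].split(",")[0]   # keep the first IP for the other checks
    addr_s, _, bits_s = token.partition("/")
    bits = int(bits_s) if bits_s else 32
    if not 0 <= bits <= 32:
        problems.append(f"{raw!r}: mask length /{bits} is out of range")
        bits = min(max(bits, 0), 32)
    return Endpoint(ipaddress.IPv4Address(addr_s), bits, raw)


def check_ifaddr(line: str) -> List[str]:
    """Return the problems found; an empty list means the line follows the rules."""
    fields = line.split()
    if fields[:2] != ["set", "ifaddr"]:
        return ["not a 'set ifaddr' line"]
    parts = fields[2:]
    if len(parts) != 4:
        return [f"expected 4 parts (myaddr hisaddr netmask trigger), got {len(parts)}"]
    problems: List[str] = []
    try:
        mine = parse_endpoint(parts[0], problems)
        his = parse_endpoint(parts[1], problems)
    except ValueError as exc:                     # e.g. a non-numeric octet or mask
        return problems + [f"unparseable address: {exc}"]

    if mine.addr == his.addr:
        problems.append("part#1 and part#2 are the same address (conflict)")
    for label, ep in (("part#1", mine), ("part#2", his)):
        if ep.addr == ANY_ADDR:
            problems.append(f"{label} uses 0.0.0.0, the default-route address")
        if not ep.negotiable:
            problems.append(f"{label} has no /nn mask: {ep.addr} is demanded")
    # part#3 is the interface netmask; 0.0.0.0 lets ppp pick one (usually /32).
    # part#4 is the trigger address; 0.0.0.0 means any outbound packet dials.
    for label, value in (("part#3", parts[2]), ("part#4", parts[3])):
        try:
            ipaddress.IPv4Address(value)
        except ValueError:
            problems.append(f"{label} {value!r} is not a dotted-quad address")
    return problems


if __name__ == "__main__":
    for cfg in ("set ifaddr  10.0.0.1/0  10.0.0.2/0  0.0.0.0  0.0.0.0",             # good line from the post
                "set ifaddr 0.0.0.0/0  0.0.0.0-255.255.255.254  0.0.0.0  0.0.0.0"):  # bad line from the post
        print(cfg)
        for p in check_ifaddr(cfg) or ["ok"]:
            print("   ", p)
```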



Re:

2010-05-24 Thread patrick kristensen
I didn't get the importance of having different addresses in part#1
and #2 and assumed from 'ifconfig tun0' [ ... ] inet 95.124.11.167 --
10.0.0.2 netmask 0xfff [ ... ] that HISADDR did not change to a
valid one. I should have understood you were telling me the correct
syntax literally. I see that this configuration works and I understand
the syntax.
Sorry this took longer than it should have, and thanks for following through.
I have found a great resource in 'Absolute OpenBSD: UNIX for the
Practical Paranoid' (ISBN 1886411999) and of course this was a great
first impression from this mailing list. I will try not to abuse it.
All the best to you

2010/5/24, J.C. Roberts list-...@designtools.org:

 I realize you must be frustrated while learning something new, but I am
 frustrated by you not paying attention. Now let's look at what I wrote
 one more time:

  set ifaddr  10.0.0.1/0  10.0.0.2/0  0.0.0.0  0.0.0.0
              part#1      part#2      part#3   part#4

 The first chunk of part#1, namely '10.0.0.1', says I want my IP address
 to be 10.0.0.1 but the second chunk of part#1, namely the '/0', is a
 netmask which says I will accept any IP address the remote system wants
 me to use on my side.

 The first chunk of part#2, namely '10.0.0.2', says I want the remote
 side to use IP address 10.0.0.2 but the second chunk of part#2, namely
 the '/0', says I will accept any IP address the remote system wants to
 use on their side.

 The IP addresses (and netmasks) stated in part#1 and part#2 are
 important. They should never be the same, and they should never be set
 to default route address ('0.0.0.0'). This is why two separate private
 IP addresses are used in the above (10.0.0.1 and 10.0.0.2), and also why
 the netmask '/0' in CIDR notation allows for the remote side to pick any
 address it wants to use for *both* your IP address and its IP address.

 If you forget the CIDR notation netmask on part#1 or part#2, you are
 DEMANDING that the specified address be used, and if the other side
 disagrees, your side will disconnect.

 The part#3 is the netmask assigned on my side to the resulting
 connection after we negotiate addresses. Links between two systems made
 with Point to Point Protocol (ppp) are weird in comparison to typical
 network links, and some operating systems do not have a specific
 PointToPoint netmask in the network stack, so the netmask must be
 faked. Using '0.0.0.0' as the part#3 netmask tells the ppp program to
 use what is available and the result is ppp will typically set the
 netmask to '255.255.255.255' automatically.

 The part#4 is the trigger address which controls when ppp will try to
 establish a connection. Since we set part#4 to the equivalent of any
 address namely '0.0.0.0' any attempt to contact another system will
 result in ppp automatically establishing the connection. The thing to
 realize is 0.0.0.0 is roughly equivalent to a default route.

 The stuff you are doing is just plain wrong:

  set ifaddr 0.0.0.0/0  0.0.0.0-255.255.255.254  0.0.0.0  0.0.0.0
             part#1     part#2                   part#3   part#4

 Prior to negotiating address, you are saying your IP address will
 initially be 0.0.0.0 and the remote IP address will also initially be
 0.0.0.0. The problem is, when two systems have the same IP address you
 have a conflict. Additionally, since 0.0.0.0 equates to the default
 route, this is very bad. Needless to say, the ppp(8) software is
 compensating for your mistakes and doing the best it can with your
 broken config.

 In the second chunk of your part#1, namely '/0', this netmask says that
 you will accept any IP address the other side wants you to use. This is
 good.

 The second chunk of part#3, namely '-255.255.255.254', is using the
 wrong syntax. The ppp(8) program might interpret this as a range of
 addresses, or might interpret it as a pair of addresses, or it might
 interpret it as a netmask. You should use simple CIDR notation as
 described in the ppp man page.

 If ppp(8) is interpreting this bad second chunk of part#3 as a netmask,
 then you are *DEMANDING* that the remote system use 0.0.0.0 or 0.0.0.1 as
 its IP address, and if the remote side refuses to use one of those two
 addresses, then you will disconnect.


   jcr



Re: Recommended 802.11g adapter

2010-05-24 Thread Alexander Kršek
Hello,

I have an Alix 2D3 (and another 2D13) with a Tonze PC-620C miniPCI. It mostly
works ok, but I am still hunting some problem - once or twice a month it
falls to the ddb prompt. I build OpenBSD completely from cvs just about
every month - it seems it is time for a new build of -current.

Best regards,
Alexander

# ifconfig ral0
ral0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:17:b7:30:41:ab
priority: 4
groups: wlan
media: IEEE802.11 autoselect mode 11g hostap
status: active
ieee80211: nwid  chan 7 bssid 00:17:b7:30:41:ab wpapsk
0x wpaprotos wpa1,wpa2 wpaakms psk wpaciphers ccmp wpagroupcipher
ccmp 100dBm
inet 192.168.254.1 netmask 0xff00 broadcast 192.168.254.255
inet  netmask 0xfff8 broadcast 

# dmesg
OpenBSD 4.7-current (FLASHRD) #19: Wed Apr 14 23:29:29 CEST 2010
r...@kraken.gremlin.cz:/usr/src/sys/arch/i386/compile/FLASHRD
cpu0: Geode(TM) Integrated Processor by AMD PCS (AuthenticAMD
586-class) 499 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX
real mem  = 268009472 (255MB)
avail mem = 247640064 (236MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 12/10/07, BIOS32 rev. 0 @ 0xfceb2
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xe/0xa800
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 1 function 0 AMD Geode LX rev 0x33
glxsb0 at pci0 dev 1 function 2 AMD Geode LX Crypto rev 0x00: RNG AES
vr0 at pci0 dev 9 function 0 VIA VT6105M RhineIII rev 0x96: irq 10,
address 00:0d:b9:17:23:d4
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
0x004063, model 0x0034
vr1 at pci0 dev 10 function 0 VIA VT6105M RhineIII rev 0x96: irq 11,
address 00:0d:b9:17:23:d5
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
0x004063, model 0x0034
vr2 at pci0 dev 11 function 0 VIA VT6105M RhineIII rev 0x96: irq 12,
address 00:0d:b9:17:23:d6
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI
0x004063, model 0x0034
ral0 at pci0 dev 12 function 0 Ralink RT2561S rev 0x00: irq 9, address
00:17:b7:30:41:ab
ral0: MAC/BBP RT2561C, RF RT2527
glxpcib0 at pci0 dev 15 function 0 AMD CS5536 ISA rev 0x03: rev 3,
32-bit 3579545Hz timer, watchdog, gpio
gpio0 at glxpcib0: 32 pins
pciide0 at pci0 dev 15 function 2 AMD CS5536 IDE rev 0x01: DMA,
channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: CF CARD 4GB
wd0: 1-sector PIO, LBA, 3599MB, 7372512 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 15 function 4 AMD CS5536 USB rev 0x02: irq 15,
version 1.0, legacy support
ehci0 at pci0 dev 15 function 5 AMD CS5536 USB rev 0x02: irq 15
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 AMD EHCI root hub rev 2.00/1.00 addr 1
isa0 at glxpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 AMD OHCI root hub rev 1.00/1.00 addr 1
biomask e1ef netmask ffef ttymask 
mtrr: K6-family MTRR support (2 registers)
nvram: invalid checksum
rd0: fixed, 6080 blocks
umass0 at uhub0 port 1 configuration 1 interface 0 Kingston
DataTraveler 2.0 rev 2.00/1.00 addr 2
umass0: using SCSI over Bulk-Only
scsibus0 at umass0: 2 targets, initiator 0
sd0 at scsibus0 targ 1 lun 0: Kingston, DataTraveler 2.0, 1.00 SCSI2
0/direct removable
sd0: 7643MB, 512 bytes/sec, 15654848 sec total
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
root on rd0a swap on rd0b dump on rd0b
clock: unknown CMOS layout


On Mon, 2010-05-24 at 22:10 +0200, Piotr Komborski wrote:
 Hello,
 
 I'm going to set up an OpenBSD-based AP on an ALIX board.  I've read the ral(4)
 and ath(4) manpages, but the mPCI card models mentioned there are really hard
 to find on the market. I found only the Ralink RT2800-based Sparklan WMIR-200N,
 which is too expensive for me ($60).
 Can anybody recommend an 802.11g miniPCI card that is able to work in host
 AP mode?
 
 regards
 
 Piotr



Re: Recommended 802.11g adapter

2010-05-24 Thread Nenhum_de_Nos
On Mon, May 24, 2010 17:10, Piotr Komborski wrote:
 Hello,

 I'm going to set up an OpenBSD-based AP on an ALIX board.  I've read the ral(4)
 and ath(4) manpages, but the mPCI card models mentioned there are really hard
 to find on the market. I found only the Ralink RT2800-based Sparklan WMIR-200N,
 which is too expensive for me ($60).
 Can anybody recommend an 802.11g miniPCI card that is able to work in host
 AP mode?

Never tested on OpenBSD, but I have a ral USB NIC that runs ok on FreeBSD
(pfSense), if you have USB on this ALIX.

http://www.tp-link.com/products/productDetails.asp?class=wlanpmodel=TL-WN321G

matheus

-- 
We will call you cygnus,
The God of balance you shall be

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

http://en.wikipedia.org/wiki/Posting_style



Re: Traffic redirect no longer working

2010-05-24 Thread Lars Hecking
lheck...@users.sourceforge.net writes:
  I've used the same pf.conf for years with only minimal changes, but 4.7
  broke it, and I can't seem to fix it.
 
  The OBSD machine is a firewall between a cable modem and a private IP LAN.
  Previously, I used these rules to allow ssh access from specific Internet
  hosts to a machine in the LAN:
 
  rdr on $ext_if proto tcp from $work_hosts to any port ssh -> $ssh_host
  pass in quick on $ext_if proto tcp \
      from $work_hosts to $ssh_host port ssh flags S/SA modulate state
 
  In 4.7, I changed this to
 
  match in on $ext_if proto tcp from $work_hosts to any port ssh rdr-to $ssh_host
  pass in quick on $ext_if proto tcp \
      from $work_hosts to $ssh_host port ssh flags S/SA modulate state
 
  What happens now when I try to connect to $ssh_host from the Internet is
  quite weird:
  - no blocked packets are logged
  - on the firewall's LAN-side interface, a tcpdump shows the ssh connection
    being forwarded to $ssh_host
  - on $ssh_host, tcpdump shows the incoming ssh connection
  - sshd on $ssh_host does not pick up
 
  I can ssh from the firewall to $ssh_host just fine; I haven't tested ssh
  from Internet to firewall (with suitable pass rule). What am I missing?
  I guess that some packet information isn't being rewritten correctly or
  completely.

 I still haven't gotten any further.

 Thanks to Scott, Neal, and Peter's BSDCan slides, I have rewritten chunks
 of pf.conf so that it's fully up to date wrt 4.7. The subject of my post
 is actually incorrect because the redirect is working, which I can verify
 with tcpdumps of the gateway external and internal interface, pflog, and
 tcpdump on the target host's interface.

 Looking at the tcpdumps in wireshark, I only see one-way traffic on the
 ssh port, i.e. only SYN, but no ACK. It doesn't matter whether the target
 is e.g. a Linux or FreeBSD host. Any idea why this would be happening?
 
 I can ssh from the outside to the gw (with suitable pass rules), and from
 the gw to the internal host. All these observations taken together make
 it look like pf is mucking up the packets in transit.

 I'm stumped. All other aspects of the pf config appear to work fine.
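The same redirect written in 4.7 syntax, added here as an example and not the poster's configuration: the macro names are the poster's, while the interface name and all addresses are constructed placeholders. It shows the one-rule form beside the two-rule match/pass form from the post, and which address each form must name.

```pf
# Added example, not the poster's pf.conf. Macro names follow the post;
# the addresses are constructed placeholders (RFC 5737 / RFC 1918).
ext_if     = "em0"                      # assumed external interface name
work_hosts = "{ 192.0.2.10, 198.51.100.7 }"
ssh_host   = "10.10.10.5"

# Pre-4.7 form (for comparison): translation and filtering were separate,
# and the filter rule saw the already-translated destination.
#   rdr on $ext_if proto tcp from $work_hosts to any port ssh -> $ssh_host
#   pass in quick on $ext_if proto tcp from $work_hosts to $ssh_host port ssh \
#       flags S/SA modulate state

# 4.7 form, one rule. The criteria are matched against the packet as it
# arrives, i.e. with this gateway's own external address as destination,
# so "to ($ext_if)" is tighter than "to any": only ssh aimed at the gateway
# is redirected. rdr-to then rewrites the destination and the state is
# created; replies from $ssh_host must come back through this gateway so
# the state can undo the translation.
pass in quick on $ext_if inet proto tcp from $work_hosts to ($ext_if) port ssh \
    rdr-to $ssh_host flags S/SA modulate state

# Equivalent two-rule form, as in the post. After match ... rdr-to has
# rewritten the destination, the pass rule must name the internal host.
# match in on $ext_if inet proto tcp from $work_hosts to ($ext_if) port ssh \
#     rdr-to $ssh_host
# pass in quick on $ext_if inet proto tcp from $work_hosts to $ssh_host port ssh \
#     flags S/SA modulate state

# Checks:  pfctl -nf /etc/pf.conf         (parse only, loads nothing)
#          pfctl -sr                      (rules as loaded, rdr-to shown inline)
#          pfctl -ss | grep 10.10.10.5    (state should list both addresses)
#          tcpdump -nei pflog0 port 22    (logged ssh packets with rule info)
```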






Creating a mpe interface

2010-05-24 Thread Robert Bruce Carleton
I'm having trouble creating a mpe interface on OpenBSD 4.7.  What I've done so
far is recompile the kernel with option MPLS.  I've also enabled forwarding
and mpls in the /etc/sysctl.conf.  I've also been able to configure and start
ldpd and use ldpctl show to display the status of ldpd.  I used config -e
/bsd to enable the mpe driver.  I'm experimenting under Sun VirtualBox if
that makes a difference.

Going from mpe(4), I'm trying to run the command ifconfig mpe0 create.  It
throws the error SIOCIFCREATE: Invalid argument.  The mpe(4) man page
doesn't suggest any additional command line arguments.

Does anyone have any suggestions?

Thanks in advance,

--Bruce



Re: Creating a mpe interface

2010-05-24 Thread Bret S. Lambert
On Mon, May 24, 2010 at 05:34:18PM -0700, Robert Bruce Carleton wrote:
 I'm having trouble creating a mpe interface on OpenBSD 4.7.  What I've done so
 far is recompile the kernel with option MPLS.  I've also enabled forwarding
 and mpls in the /etc/sysctl.conf.  I've also been able to configure and start
 ldpd and use ldpctl show to display the status of ldpd.  I used config -e
 /bsd to enable the mpe driver.  I'm experimenting under Sun VirtualBox if
 that makes a difference.
 
 Going from mpe(4), I'm trying to run the command ifconfig mpe0 create.  It
 throws the error SIOCIFCREATE: Invalid argument.  The mpe(4) man page
 doesn't suggest any additional command line arguments.
 
 Does anyone have any suggestions?
 

$ grep -n mpe GENERIC 
105:#pseudo-device  mpe # MPLS PE interface
^

Uncomment that in sys/conf/GENERIC and recompile your kernel,
if you haven't already done so.

 Thanks in advance,
 
   --Bruce



Re:

2010-05-24 Thread J.C. Roberts
On Tue, 25 May 2010 00:54:53 +0200 patrick kristensen
kristensenpatri...@gmail.com wrote:
 2010/5/24, J.C. Roberts list-...@designtools.org:
 
  I realize you must be frustrated while learning something new, but
  I am frustrated by you not paying attention. Now let's look at what
  I wrote one more time:
 
   set ifaddr  10.0.0.1/0  10.0.0.2/0  0.0.0.0  0.0.0.0
               part#1      part#2      part#3   part#4
 
  The first chunk of part#1, namely '10.0.0.1', says I want my IP
  address to be 10.0.0.1 but the second chunk of part#1, namely the
  '/0', is a netmask which says I will accept any IP address the
  remote system wants me to use on my side.
 
  The first chunk of part#2, namely '10.0.0.2', says I want the remote
  side to use IP address 10.0.0.2 but the second chunk of part#2,
  namely the '/0', says I will accept any IP address the remote
  system wants to use on their side.
 
  The IP addresses (and netmasks) stated in part#1 and part#2 are
  important. They should never be the same, and they should never be
  set to default route address ('0.0.0.0'). This is why two separate
  private IP addresses are used in the above (10.0.0.1 and 10.0.0.2),
  and also why the netmask '/0' in CIDR notation allows for the
  remote side to pick any address it wants to use for *both* your IP
  address and its IP address.
 
  If you forget the CIDR notation netmask on part#1 or part#2, you are
  DEMANDING that the specified address be used, and if the other side
  disagrees, your side will disconnect.
 
  The part#3 is the netmask assigned on my side to the resulting
  connection after we negotiate addresses. Links between two systems
  made with Point to Point Protocol (ppp) are weird in comparison
  to typical network links, and some operating systems do not have a
  specific PointToPoint netmask in the network stack, so the netmask
  must be faked. Using '0.0.0.0' as the part#3 netmask tells the ppp
  program to use what is available and the result is ppp will
  typically set the netmask to '255.255.255.255' automatically.
 
  The part#4 is the trigger address which controls when ppp will try
  to establish a connection. Since we set part#4 to the equivalent of
  any address namely '0.0.0.0' any attempt to contact another
  system will result in ppp automatically establishing the
  connection. The thing to realize is 0.0.0.0 is roughly equivalent
  to a default route.
 
  The stuff you are doing is just plain wrong:
 
   set ifaddr 0.0.0.0/0  0.0.0.0-255.255.255.254  0.0.0.0  0.0.0.0
              part#1     part#2                   part#3   part#4
 
  Prior to negotiating address, you are saying your IP address will
  initially be 0.0.0.0 and the remote IP address will also initially
   be 0.0.0.0. The problem is, when two systems have the same IP
  address you have a conflict. Additionally, since 0.0.0.0 equates to
  the default route, this is very bad. Needless to say, the ppp(8)
  software is compensating for your mistakes and doing the best it
  can with your broken config.
 
  In the second chunk of your part#1, namely '/0', this netmask says
  that you will accept any IP address the other side wants you to
  use. This is good.
 
   The second chunk of part#2, namely '-255.255.255.254', is using
   the wrong syntax. The ppp(8) program might interpret this as a
   range of addresses, or might interpret it as a pair of addresses,
   or it might interpret it as a netmask. You should use simple CIDR
   notation as described in the ppp man page.
 
  If ppp(8) is interpreting this bad second chunk of part#2 as a
   netmask, then you are *DEMANDING* that the remote system use 0.0.0.0
  or 0.0.0.1 as its IP address, and if the remote side refuses to use
  one of those two addresses, then you will disconnect.
 
 
  jcr
 

 I didn't get the importance of having different addresses in part#1
 and #2 and assumed from 'ifconfig tun0' [ ... ] inet 95.124.11.167 --
 10.0.0.2 netmask 0xfff [ ... ] that HISADDR did not change to a
 valid one. I should have understood you were telling me the correct
 syntax literally. I see that this configuration works and I understand
 the syntax.

 Sorry this took longer than it should have, and thanks for following
 through. I have found a great resource in 'Absolute OpenBSD: UNIX for
 the Practical Paranoid' (ISBN 1886411999) and of course this was a
 great first impression from this mailing list. I will try not to
 abuse it. All the best to you
 

Heck, in my last two paragraphs I put part#3 instead of part#2
(corrected above) but you still understood it. ;)

The Absolute OpenBSD is good but parts of it are now outdated, but this
is to be expected.

As for ppp(8), the ppp.conf file gives you full control of a fairly
complex Finite State Machine (FSM), so the man page is long and takes
some effort to understand. Once you know the basics, ppp(8) becomes
*REALLY* useful for debugging and monitoring connections.


There are still a few minor problems with your chat