Squid slower compared to Linux how to boost it?

2019-01-21 Thread slackwaree
Hello,

I'm migrating from an old Debian Wheezy 7.11 to OpenBSD 6.3.
Although some of the bench numbers are in favor of OBSD, when I start using the 
proxy in general I feel more sluggishness (sometimes pages load slower); also 
elements might not load.

BENCHMARK THROUGH WHEEZY PROXY
==

ab -n 1000 -c 50 -X : http://wiki.asterisk.org/

This is ApacheBench, Version 2.3 <$Revision: 1757674 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/

Completed 100 requests
Completed 200 requests
Completed 300 requests
Completed 400 requests
Completed 500 requests
Completed 600 requests
Completed 700 requests
Completed 800 requests
Completed 900 requests
Completed 1000 requests
Finished 1000 requests

Server Software:Apache/2.2.22
Server Hostname:wiki.asterisk.org
Server Port:80

Document Path:  /
Document Length:317 bytes

Concurrency Level:  50
Time taken for tests:   34.569 seconds
Complete requests:  1000
Failed requests:0
Non-2xx responses:  1000
Total transferred:  639000 bytes
HTML transferred:   317000 bytes
Requests per second:28.93 [#/sec] (mean)
Time per request:   1728.457 [ms] (mean)
Time per request:   34.569 [ms] (mean, across all concurrent requests)
Transfer rate:  18.05 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:       26   28   2.2     27      46
Processing:   533 1662 157.6   1698    2050
Waiting:      532 1662 157.6   1698    2049
Total:        563 1690 157.1   1726    2077

Percentage of the requests served within a certain time (ms)
  50%   1726
  66%   1734
  75%   1747
  80%   1755
  90%   1783
  95%   1819
  98%   1831
  99%   1869
100%   2077 (longest request)

BENCHMARK THROUGH OBSD PROXY
==

Server Software:Apache/2.2.22
Server Hostname:wiki.asterisk.org
Server Port:80

Document Path:  /
Document Length:317 bytes

Concurrency Level:  50
Time taken for tests:   13.697 seconds
Complete requests:  1000
Failed requests:0
Non-2xx responses:  1000
Total transferred:  596000 bytes
HTML transferred:   317000 bytes
Requests per second:73.01 [#/sec] (mean)
Time per request:   684.852 [ms] (mean)
Time per request:   13.697 [ms] (mean, across all concurrent requests)
Transfer rate:  42.49 [Kbytes/sec] received

Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:       26   71 185.2     34    1068
Processing:   166  550 700.5    312    3840
Waiting:      165  320 151.1    301    3296
Total:        194  621 713.5    346    3881

Percentage of the requests served within a certain time (ms)
  50%346
  66%358
  75%375
  80%392
  90%   1855
  95%   2326
  98%   3382
  99%   3871
100%   3881 (longest request)

I use the proxy as a proxy only, without caching (cache dir is disabled), so that 
cannot impact performance; it is the same config but different versions:

ii  squid-langpack  20120616-1         all    Localized error pages for Squid
ii  squid3          3.1.20-2.2+deb7u3  amd64  Full featured Web Proxy cache (HTTP proxy)
ii  squid3-common   3.1.20-2.2+deb7u3  all    Full featured Web Proxy cache (HTTP proxy) - common files
ii  squidguard      1.5-1              amd64  filter and redirector plugin for Squid

VS

[squid-3.5.27p1.tgz](https://ftp.openbsd.org/pub/OpenBSD/6.3/packages/amd64/squid-3.5.27p1.tgz)

There is no firewall in either cases, the machines are VMs with the same specs:

KVM 1x2.40GHz CPU + 1 GB ram.

The CPU usage doesn't go higher than 20-30%, even during the tests.

As I said caching is turned off so file IO cannot be a bottleneck.

Are there any tricks to boost my proxy performance on OpenBSD even more?
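The two percentile tables above tell a different story than the headline requests per second: the OpenBSD run has a median about five times lower than the Wheezy run, but its p99 is twice as high, i.e. most requests are fast and a minority stall. Below is a short Python parser, added here as an example and not part of the original post, that reads ab's "Percentage of the requests served" table and flags that long-tail pattern. The percentile numbers embedded in it are copied from the two runs quoted above; the p90/p50 threshold of 2.0 is an arbitrary choice for illustration, not something from the thread.

```python
import re

# Percentile tables copied verbatim from the two ApacheBench runs in the
# post above: Wheezy/squid 3.1.20 first, OpenBSD 6.3/squid 3.5.27 second.
AB_WHEEZY = """\
Percentage of the requests served within a certain time (ms)
  50%   1726
  66%   1734
  75%   1747
  80%   1755
  90%   1783
  95%   1819
  98%   1831
  99%   1869
 100%   2077 (longest request)
"""

AB_OBSD = """\
Percentage of the requests served within a certain time (ms)
  50%    346
  66%    358
  75%    375
  80%    392
  90%   1855
  95%   2326
  98%   3382
  99%   3871
 100%   3881 (longest request)
"""

PCT_RE = re.compile(r"^\s*(\d+)%\s+(\d+)")


def parse_percentiles(ab_output):
    """Map percentile -> latency in ms from ab's percentile table.

    Non-percentile lines (heading, blanks, the '(longest request)' suffix)
    are ignored, so a complete ab report can be passed in unchanged.
    """
    pct = {}
    for line in ab_output.splitlines():
        m = PCT_RE.match(line)
        if m:
            pct[int(m.group(1))] = int(m.group(2))
    if 50 not in pct or 90 not in pct:
        raise ValueError("no usable percentile table in ab output")
    return pct


def tail_ratio(pct, hi=90, lo=50):
    """How much slower the hi-th percentile is than the lo-th (1.0 = flat)."""
    return pct[hi] / pct[lo]


def classify(pct, threshold=2.0):
    """'uniform' when the tail tracks the median, 'bimodal' when a subset
    of requests stalls.  A p90 more than `threshold` times the median means
    the slow requests form a separate population (connect, DNS or upstream
    stalls) rather than a proxy that is slow across the board.  The 2.0
    default is an arbitrary illustrative cut-off."""
    return "bimodal" if tail_ratio(pct) > threshold else "uniform"


def compare(old, new):
    """Per-percentile speedup of `new` over `old` (>1.0: new is faster)."""
    return {p: old[p] / new[p] for p in sorted(old) if p in new}


if __name__ == "__main__":
    wheezy = parse_percentiles(AB_WHEEZY)
    obsd = parse_percentiles(AB_OBSD)
    for name, pct in (("wheezy", wheezy), ("obsd", obsd)):
        print(f"{name}: p50={pct[50]}ms p90={pct[90]}ms "
              f"p90/p50={tail_ratio(pct):.2f} -> {classify(pct)}")
    for p, speedup in compare(wheezy, obsd).items():
        print(f"p{p}: obsd is {speedup:.2f}x "
              f"{'faster' if speedup > 1 else 'slower'}")
```

Run against the two tables, the Wheezy run classifies as uniform (p90/p50 of about 1.03) and the OpenBSD run as bimodal (about 5.4), with OpenBSD roughly 5x faster at the median and about 2x slower at p99. That points at per-request stalls on a minority of connections rather than at raw proxy throughput, which is the thing to chase before tuning.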


Re: iMacPro and OpenBSD, kernel panicking

2019-01-21 Thread Mike Larkin
On Mon, Jan 21, 2019 at 07:29:40PM -0800, Mike Larkin wrote:
> On Tue, Jan 22, 2019 at 03:14:13AM +0100, Krystian Lewandowski wrote:
> > Hello misc@,
> > 
> > I’m trying to boot OpenBSD (current) on iMac Pro (iMacPro1,1).
> > It’s Apple’s Xeon-W based PC with ECC memory.
> > 
> > This machine is very picky when it comes to OS support. Obviously macOS is 
> > well
> > supported and I don’t have problems with it, MS Windows on an
> > external USB drive is stable as well.
> > I tried whole BSD family, multiple Linux based distros and Illumos. The only
> > Linux distribution I was able to boot and install was Clear Linux* - ended 
> > up with kernel
> > panicking randomly, and regarding BSDs - I was able to install and boot 
> > FreeBSD
> > but it randomly fails with Machine Check Exceptions.
> > 
> > The other interesting thing is the infamous T2 chip with which the iMac Pro is 
> > equipped -
> > almost every crash ends up with a BridgeOS crash report.
> > 
> > I would consider OpenBSD assertion failures and FreeBSD MCA errors
> > "UNCORR PCC GCACHE L2 ERR error" as valid if it wasn’t for rock stable 
> > macOS and
> > MS Windows (and on both it’s pushed hard at times, for a few hours 
> > straight, incl. VMs).
> > And my understanding is that this iMac Pro is no exception - other iMacs 
> > present
> > similar behaviour (ending up with similar T2 chip Bridge OS crash reports).
> > 
> > I tried to do my homework and installed OpenBSD on an external USB drive via
> > VMWare Fusion and built kernel with DEBUG flag.
> > External USB drive is the only option because of T2 chip.
> > 
> > Tried to boot .SP kernel, tried to disable some devices - though probably
> > doesn’t matter because I assume it’s crashing before autoconf is even 
> > involved.
> > I also tried to update microcode at boot on FreeBSD - someone suggested 
> > that
> > via Twitter - didn't help for the runtime MCA faults (CPU had most recent 
> > microcode).
> > 
> > OpenBSD snapshot fails with:
> > "fatal machine check in supervisor mode"
> > "panic: trap type 18, code=0, pc=…"
> > https://www.dropbox.com/s/birtxskxayjvxht/OpenBSD%20default%20kernel.jpeg?dl=0
> > 
> 
> This may be related to a set of recent changes I made. Can you try 6.4-RELEASE
> and see if that still panics?
> 
> -ml
> 

Sorry, didn't see the other captures. The most recent crash may still be due to
the recent changes though. The MCEs, well, that's another thing.

Can you send me the output of "machine memory" from the boot> prompt please?

-ml





> > The only mention I found regarding this issue and potential solution - 
> > other than
> > replacing potentially faulty CPU - was to turn off the BIOS option
> >  “Page directory cache”, for “older Linux kernels”:
> > https://virtuallyfun.com/wordpress/2009/09/01/openbsd-amd64-fun/
> > But there is no standard BIOS or anything similar on this Apple PC.
> > 
> > Debug kernel fails with something similar to:
> > "kernel: machine check trap, code=0"
> > "Stopped at uvm_pmr_assertvalid+0xd6: testq %rsi,%rsi"
> > https://www.dropbox.com/s/08nvew3ajk5cs7e/OpenBSD%20DEBUG%20kernel.jpeg?dl=0
> > 
> > Other crashes (from different tries):
> > https://www.dropbox.com/s/di4dbeju0uwyfvt/Crash%20default.jpeg?dl=0
> > https://www.dropbox.com/s/5pkf64afjnixv1b/Crash%20DEBUG.jpeg?dl=0
> > https://www.dropbox.com/s/q0dieiwkisj1ilr/Crash%20default%202.png?dl=0
> > 
> > PC reboots soon after (USB keyboard doesn’t work anyway).
> > 
> > FreeBSD MSA crash:
> > https://www.dropbox.com/s/66dmjjqhbwyd194/FreeBSD%20MCA.jpeg?dl=0
> > 
> > After a few weeks of throwing different OpenBSD kernels, BSD, Linux based
> > distributions at this iMac I decided to post here, maybe someone would have 
> > an
> > idea how to improve OpenBSD experience on this machine. ;)
> > 
> > I understand that I just may be doomed and have to accept facts - either 
> > it’s broken
> > by design or faulty CPU must be replaced, and it’s just a hobby project - 
> > especially
> > I’d like to play/learn more about arm/arm64 boards and OpenBSD - 
> > but if there is even a slight chance to boot it on iMac…
> > 
> > Thank you for any hint,
> > 
> > Krystian
> > 
> > I wasn't sure how I could share images, decided to use Dropbox. 
> > 
> 



Re: iMacPro and OpenBSD, kernel panicking

2019-01-21 Thread Mike Larkin
On Tue, Jan 22, 2019 at 03:14:13AM +0100, Krystian Lewandowski wrote:
> Hello misc@,
> 
> I’m trying to boot OpenBSD (current) on iMac Pro (iMacPro1,1).
> It’s Apple’s Xeon-W based PC with ECC memory.
> 
> This machine is very picky when it comes to OS support. Obviously macOS is 
> well
> supported and I don’t have problems with it, MS Windows on an
> external USB drive is stable as well.
> I tried whole BSD family, multiple Linux based distros and Illumos. The only
> Linux distribution I was able to boot and install was Clear Linux* - ended up 
> with kernel
> panicking randomly, and regarding BSDs - I was able to install and boot 
> FreeBSD
> but it randomly fails with Machine Check Exceptions.
> 
> The other interesting thing is the infamous T2 chip with which the iMac Pro is equipped 
> -
> almost every crash ends up with a BridgeOS crash report.
> 
> I would consider OpenBSD assertion failures and FreeBSD MCA errors
> "UNCORR PCC GCACHE L2 ERR error" as valid if it wasn’t for rock stable macOS 
> and
> MS Windows (and on both it’s pushed hard at times, for a few hours straight, 
> incl. VMs).
> And my understanding is that this iMac Pro is no exception - other iMacs 
> present
> similar behaviour (ending up with similar T2 chip Bridge OS crash reports).
> 
> I tried to do my homework and installed OpenBSD on an external USB drive via
> VMWare Fusion and built kernel with DEBUG flag.
> External USB drive is the only option because of T2 chip.
> 
> Tried to boot .SP kernel, tried to disable some devices - though probably
> doesn’t matter because I assume it’s crashing before autoconf is even 
> involved.
> I also tried to update microcode at boot on FreeBSD - someone suggested that
> via Twitter - didn't help for the runtime MCA faults (CPU had most recent 
> microcode).
> 
> OpenBSD snapshot fails with:
> "fatal machine check in supervisor mode"
> "panic: trap type 18, code=0, pc=…"
> https://www.dropbox.com/s/birtxskxayjvxht/OpenBSD%20default%20kernel.jpeg?dl=0
> 

This may be related to a set of recent changes I made. Can you try 6.4-RELEASE
and see if that still panics?

-ml

> The only mention I found regarding this issue and potential solution - other 
> than
> replacing potentially faulty CPU - was to turn off the BIOS option
>  “Page directory cache”, for “older Linux kernels”:
> https://virtuallyfun.com/wordpress/2009/09/01/openbsd-amd64-fun/
> But there is no standard BIOS or anything similar on this Apple PC.
> 
> Debug kernel fails with something similar to:
> "kernel: machine check trap, code=0"
> "Stopped at uvm_pmr_assertvalid+0xd6: testq %rsi,%rsi"
> https://www.dropbox.com/s/08nvew3ajk5cs7e/OpenBSD%20DEBUG%20kernel.jpeg?dl=0
> 
> Other crashes (from different tries):
> https://www.dropbox.com/s/di4dbeju0uwyfvt/Crash%20default.jpeg?dl=0
> https://www.dropbox.com/s/5pkf64afjnixv1b/Crash%20DEBUG.jpeg?dl=0
> https://www.dropbox.com/s/q0dieiwkisj1ilr/Crash%20default%202.png?dl=0
> 
> PC reboots soon after (USB keyboard doesn’t work anyway).
> 
> FreeBSD MSA crash:
> https://www.dropbox.com/s/66dmjjqhbwyd194/FreeBSD%20MCA.jpeg?dl=0
> 
> After a few weeks of throwing different OpenBSD kernels, BSD, Linux based
> distributions at this iMac I decided to post here, maybe someone would have an
> idea how to improve OpenBSD experience on this machine. ;)
> 
> I understand that I just may be doomed and have to accept facts - either it’s 
> broken
> by design or faulty CPU must be replaced, and it’s just a hobby project - 
> especially
> I’d like to play/learn more about arm/arm64 boards and OpenBSD - 
> but if there is even a slight chance to boot it on iMac…
> 
> Thank you for any hint,
> 
> Krystian
> 
> I wasn't sure how I could share images, decided to use Dropbox. 
> 



iMacPro and OpenBSD, kernel panicking

2019-01-21 Thread Krystian Lewandowski
Hello misc@,

I’m trying to boot OpenBSD (current) on iMac Pro (iMacPro1,1).
It’s Apple’s Xeon-W based PC with ECC memory.

This machine is very picky when it comes to OS support. Obviously macOS is well
supported and I don’t have problems with it, MS Windows on an
external USB drive is stable as well.
I tried whole BSD family, multiple Linux based distros and Illumos. The only
Linux distribution I was able to boot and install was Clear Linux* - ended up 
with kernel
panicking randomly, and regarding BSDs - I was able to install and boot FreeBSD
but it randomly fails with Machine Check Exceptions.

The other interesting thing is the infamous T2 chip with which the iMac Pro is equipped -
almost every crash ends up with a BridgeOS crash report.

I would consider OpenBSD assertion failures and FreeBSD MCA errors
"UNCORR PCC GCACHE L2 ERR error" as valid if it wasn’t for rock stable macOS and
MS Windows (and on both it’s pushed hard at times, for a few hours straight, 
incl. VMs).
And my understanding is that this iMac Pro is no exception - other iMacs present
similar behaviour (ending up with similar T2 chip Bridge OS crash reports).

I tried to do my homework and installed OpenBSD on an external USB drive via
VMWare Fusion and built kernel with DEBUG flag.
External USB drive is the only option because of T2 chip.

Tried to boot .SP kernel, tried to disable some devices - though probably
doesn’t matter because I assume it’s crashing before autoconf is even involved.
I also tried to update microcode at boot on FreeBSD - someone suggested that
via Twitter - didn't help for the runtime MCA faults (CPU had most recent 
microcode).

OpenBSD snapshot fails with:
"fatal machine check in supervisor mode"
"panic: trap type 18, code=0, pc=…"
https://www.dropbox.com/s/birtxskxayjvxht/OpenBSD%20default%20kernel.jpeg?dl=0

The only mention I found regarding this issue and potential solution - other 
than
replacing potentially faulty CPU - was to turn off the BIOS option
 “Page directory cache”, for “older Linux kernels”:
https://virtuallyfun.com/wordpress/2009/09/01/openbsd-amd64-fun/
But there is no standard BIOS or anything similar on this Apple PC.

Debug kernel fails with something similar to:
"kernel: machine check trap, code=0"
"Stopped at uvm_pmr_assertvalid+0xd6: testq %rsi,%rsi"
https://www.dropbox.com/s/08nvew3ajk5cs7e/OpenBSD%20DEBUG%20kernel.jpeg?dl=0

Other crashes (from different tries):
https://www.dropbox.com/s/di4dbeju0uwyfvt/Crash%20default.jpeg?dl=0
https://www.dropbox.com/s/5pkf64afjnixv1b/Crash%20DEBUG.jpeg?dl=0
https://www.dropbox.com/s/q0dieiwkisj1ilr/Crash%20default%202.png?dl=0

PC reboots soon after (USB keyboard doesn’t work anyway).

FreeBSD MSA crash:
https://www.dropbox.com/s/66dmjjqhbwyd194/FreeBSD%20MCA.jpeg?dl=0

After a few weeks of throwing different OpenBSD kernels, BSD, Linux based
distributions at this iMac I decided to post here, maybe someone would have an
idea how to improve OpenBSD experience on this machine. ;)

I understand that I just may be doomed and have to accept facts - either it’s 
broken
by design or faulty CPU must be replaced, and it’s just a hobby project - 
especially
I’d like to play/learn more about arm/arm64 boards and OpenBSD - 
but if there is even a slight chance to boot it on iMac…

Thank you for any hint,

Krystian

I wasn't sure how I could share images, decided to use Dropbox. 



Re: smtpd - help needed translating to new virtual map syntax [FIXED]

2019-01-21 Thread Eric Elena
On Mon, 21 Jan 2019 11:08:02 +0100 Gilles Chehade wrote:
> I may sound a bit harsh, but starting a thread with "this is my last try
> or I'll switch" (as if it actually matters) right before telling someone
> who wants to help you that you actually tried _nothing_ then blaming the
> code improvements for a use-case that could have never worked because it
> not only uses the wrong _documented_ mechanism but also because the code
> to make your use-case work has never existed, kinds of irritates me.
> 
> I don't get royalties on smtpd install, please install whatever software
> fits your use case, this is how proper engineering works.

First of all thank you Gilles (and all the others who contributed to
this project) for your amazing work on OpenSMTPD!

That said, there is a kind of sender rewriting mechanism in OpenSMTP.
Well, it works for me (tm) I'm not saying it's perfect, it might be an
overkill but at least it does what I want it to do. The conf is
included below (only the part for rewriting the sender
address):
o /etc/mail/smtpd.conf
listen on all tls pki my.domain auth-optional
listen on lo0 port 10030 smtps pki my.domain tag MASQ auth senders { foo = masq@my.domain } masquerade

table masquser   { "toto@my.domain" }
table masq-alias { "toto@my.domain" = "t...@example.com" }

table secrets    file:/etc/mail/secrets

action masq01 mbox virtual <masq-alias>
action masq02 relay host smtps://masqlabel@127.0.0.1:10030 auth <secrets> mail-from "masq@my.domain"

match tag MASQ rcpt-to <masquser> action masq01
match from any rcpt-to <masquser> action masq02

o /etc/mail/secrets
masqlabel foo:asuperpassword

When a mail is received (listen on all):
- check if it is rejected
- if not, if the email is for toto@my.domain, forward it to the very
same OpenSMTP daemon on port 10030 using the authenticated user foo and
using masq@my.domain as the MAIL-FROM in the SMTP session (envelope)
- when an email is received on port 10030, tag it with the label MASQ.
The authenticated user is allowed to send an email as the user
masq@my.domain. The keyword masquerade modifies the From header (the
message itself) to match the address given in the SMTP session
- at that point, the sender address is rewritten both in the SMTP
session and the headers
- if the email is for toto@my.domain and is tagged with the label MASQ,
the virtual user address is expanded to the real email address
- continue like a normal message

There is probably room for improvement but I hope this helps.



Re: is there anything like pdfnup or pdfjam?

2019-01-21 Thread Stuart Henderson
On 2019-01-21, Mike Coddington  wrote:
> On Mon, Jan 21, 2019 at 04:50:08PM +, rsyk...@disroot.org wrote:
>> Dear list,
>> 
>> I want to print a pdf, but with two pages put
>> on one physical page.
>> 
>> On linux, pdfnup or pdfjam can do it.
>> 
>> I cannot find these for OpenBSD.
>> What do you use then?
>
> It looks like pdfjam is included in the texlive package these days,

Yes, as is pdfnup - "pkg_add pkglocatedb" then "pkglocate pdfjam".
(For some reason the programs are in texlive_base but the manpages are in
texlive_texmf-full)..

> as well as being a standalone port in OpenBSD's ports collection.

I don't see that?




Re: is there anything like pdfnup or pdfjam?

2019-01-21 Thread Vincent
Hello Ruda,

Personally I'm doing it via the lp command in the cups package:
lp -o number-up=2 filename

Regards


On 21 January 2019 17:50:08 CET, rsyk...@disroot.org wrote:
>Dear list,
>
>I want to print a pdf, but with two pages put
>on one physical page.
>
>On linux, pdfnup or pdfjam can do it.
>
>I cannot find these for OpenBSD.
>What do you use then?
>
>Thanks
>Ruda

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: smtpd - help needed translating to new virtual map syntax [FIXED]

2019-01-21 Thread Adam Thompson

On 2019-01-21 04:08, Gilles Chehade wrote:
> > In this test case, my translations map had:
> 
> What is a translation map ?
> There is no such thing in OpenSMTPD (as of today).

A virtual map that happened to be called .

> You're feeding the virtual table with invalid values.

Apparently, yes.

> Also, this is a recipient translation mechanism, similar to aliases, and
> not a sender rewriting mechanism which we do not have at this point.
> [...]
> > virtual _now_ only works on recipients, not senders ?
> 
> the virtual code hasn't changed, it works the way it always did.
> 
> there is no way it could ever do what you're describing or attempting to
> do given that it doesn't operate at all anywhere near the message. there
> is no way it has ever parsed:

This is all very surprising to hear.  The existing system works 
(somehow).  So I am apparently misunderstanding what is happening, 
because with the configuration as shown, telling the various broken 
email senders to use that box as their mailhost _somehow_ fixes the 
bogus From: headers and envelopes.

Oh, this just occurred to me as I'm writing:  I really hope I didn't 
switch to a different MTA on that system years ago, and then just forgot 
to check which MTA was actually running.  If that's the case, I'm not 
going to bother posting an update, because I'll be busy banging my head 
on the wall and then hiding in shame.

> > I'm not convinced the new smtpd.conf grammar improves anything at all,
> > but I assume it must help someone or it wouldn't have changed... but I
> > believe my use case got thrown out with the bathwater, so to speak.
> > Oh, well.  :-(
> 
> This is bullshit.
> The grammar doesn't reduce the functional scope, it can only expand it.

I'm taking your word for it - you will know far better than I do!

> What you are describing has never existed in smtpd, there's never been
> code to translate sender addresses and there's a good reason for that:

Good reasons aside, I still need to accommodate other vendors' broken 
mail implementations, because I can't fix them.  I know of multiple 
reasons source rewriting is a bad idea, in general, but I get paid to 
make stuff work, not just say that it's broken.

> it not considered doable before the grammar change...
> But sure, blame it on the grammar.

I believed that the grammar change had rendered my use case impossible 
because  was now limited to local delivery methods.  Clearly I 
was wrong... and not even in the way I thought I might be wrong.

> I may sound a bit harsh, but starting a thread with "this is my last try
> or I'll switch" (as if it actually matters)

My apologies - that was meant to sound more like "I have a plan B so if 
this isn't possible, that's OK but I've wasted so much time on this I'm 
kinda running out of time, please tell me if I should just stop now and 
switch".  I know *exactly* how much OpenBSD devs care if I use their 
code or not!  I do not want to be "that asshole", although it seems I've 
succeeded again - sorry.

Thank you for taking the time to reply.  Now I'm going to go check that 
mail server a 7,000,000th time, this time to see what MTA is actually 
*running*, not just *configured*.  I'm not sure whether I want it to be 
such a blatant mistake on my part or not... if yes, this all makes sense 
but I'm an idiot, whereas if no, then WTF, how is it working at all?

FWIW: I am much happier with OpenSMTPd than with other MTAs because of 
its forward-declarative configuration syntax.  Thank you for your work 
on bringing a modern, lean, secure(-er) MTA into existence.

-Adam



Re: is there anything like pdfnup or pdfjam?

2019-01-21 Thread Mike Coddington
On Mon, Jan 21, 2019 at 04:50:08PM +, rsyk...@disroot.org wrote:
> Dear list,
> 
> I want to print a pdf, but with two pages put
> on one physical page.
> 
> On linux, pdfnup or pdfjam can do it.
> 
> I cannot find these for OpenBSD.
> What do you use then?

It looks like pdfjam is included in the texlive package these days, as
well as being a standalone port in OpenBSD's ports collection. I don't
use this package, but try installing texlive and see if that gives you a
usable pdfjam script.

-- 
Put your Nose to the Grindstone!
-- Amalgamated Plastic Surgeons and Toolmakers, Ltd.



Re: is there anything like pdfnup or pdfjam?

2019-01-21 Thread Josh Grosse
On Mon, Jan 21, 2019 at 04:50:08PM +, rsyk...@disroot.org wrote:
> Dear list,
> 
> I want to print a pdf, but with two pages put
> on one physical page.
> 
> On linux, pdfnup or pdfjam can do it.
> 
> I cannot find these for OpenBSD.
> What do you use then?

Both pdfnup and pdfjam are included with the texlive_base package.  For 2-up
printing, I use evince.



Re: Slow VPN Performance

2019-01-21 Thread Radek
Thank you Stuart and Christian.
>In short, I'd use "childsa enc aes-128 auth hmac-md5" for maximum
> throughput on this hardware.
It gives me up to 700KB/s.

> Try chacha20-poly1305 instead of aes-128-ctr, it may help a little.
"childsa enc chacha20-poly1305" does the trick. It gives me up to 3MB/s. I 
think it is the throughput I need, but what about security with CHACHA vs AES? 
Should I buy new routers ASAP and change enc to AES, or stay calm with CHACHA?

> Do you have any other hardware you can use? If buying new, apu2/apu4
> would be good/easy options for running OpenBSD on, but if you have
> anything with enough NICs and AES (or at least PCLMUL) showing in
> the cpu attach line in dmesg, run OpenBSD/amd64 on it, and use
> suitable ciphers (try "quick enc aes-128-gcm"), it should be
> way better than the 5501.
No, I don't have any - that's the problem. I'm trying *not* to buy new APUs 
because it seems to be quite expensive (very small company, only 3 endusers at 
remote location). I think 3MB/s over VPN is sufficient. If not - I (they) will 
have no choice. 
Will APU.2D2 be OK for that purpose or other board, considering 
price/performance?
https://www.pcengines.ch/apu2d2.htm

> The best test would be run between LAN machines rather than the routers.
> Generating traffic on the router itself means it's constantly switching
> between kernel and userland which won't be helping. Still, your test is
> good enough to show that things are much slower with IPsec enabled.
True. I use a LAN machine on one side in my netcat tests, but I don't have 
any on the other side, so I have to use the router.

On Mon, 21 Jan 2019 13:52:41 + (UTC)
Stuart Henderson  wrote:

> On 2019-01-21, Radek  wrote:
> > I changed default crypto to:
> >
> > ikev2 quick active esp from $local_gw to $remote_gw \
> > from $local_lan to $remote_lan peer $remote_gw \
> > ikesa auth hmac-sha1 enc aes-128 prf hmac-sha1 group modp1024 \
> > childsa enc aes-128-ctr \
> > psk "pass"
> >
> > That increased VPN throughput up to 750KB/s but it is still too slow.
> > Maybe some sysctl tweaks would also help with this? 
> 
> Try chacha20-poly1305 instead of aes-128-ctr, it may help a little.
> I don't think any sysctl is likely to help.
> 
> 750KB/s is maybe a bit slower than I'd expect but that 10+ year old
> net5501 is *not* a fast machine. You might be able to squeeze a bit more
> from it but probably not a lot, it won't be getting anywhere near your
> line speed even with larger packets, and will be terribly overloaded
> for small packets e.g. voip.
> 
> Do you have any other hardware you can use? If buying new, apu2/apu4
> would be good/easy options for running OpenBSD on, but if you have
> anything with enough NICs and AES (or at least PCLMUL) showing in
> the cpu attach line in dmesg, run OpenBSD/amd64 on it, and use
> suitable ciphers (try "quick enc aes-128-gcm"), it should be
> way better than the 5501.
> 
> >> To be more precise:
> >> I use net/ifstat for current bw testing.
> >> If I push data by netcat over public IPs, it is up to 5MB/s. 
> >> If I push data by netcat through VPN, it is up to 400KB/s.
> >> Endusers in LANs also complain about VPN bw.
> 
> The best test would be run between LAN machines rather than the routers.
> Generating traffic on the router itself means it's constantly switching
> between kernel and userland which won't be helping. Still, your test is
> good enough to show that things are much slower with IPsec enabled.
> 
> >> > is the HEADER compression activated ?
> >> I do not know. How can I check it out?
> 
> I don't know what compression that would be. There is ROHCoIPsec (RFC5856)
> but OpenBSD doesn't support that.
> 
> There is ipcomp (packet compression) which can be configured in iked,
> but the last thing you want to do on this hardware is add more cpu load
> by compressing. (it is not configured in the sample you sent).
> 


-- 
radek



Re: doas called multiple times hangs

2019-01-21 Thread Hiltjo Posthuma
On Mon, Jan 21, 2019 at 11:06:58AM +0100, Dariusz Sendkowski wrote:
> I applied this patch, as is, to the stable sources and it works now.
> Thanks.
> 
> 

I've tested this patch too on 6.4 on amd64 and it seems fixed now.

Thanks Ted for the patch :)


A quick little program to reproduce the issue:

#include <stdio.h>
#include <unistd.h>

int
main(void)
{
	int i;

	/*
	 * Two unveil(2) calls on a path that does not exist are enough to
	 * trigger the hang discussed in this thread; the kernel-side fix is
	 * in the diff quoted below.
	 */
	for (i = 0; i < 2; ++i) {
		printf("%d\n", i);
		if (unveil("/nonexistant/ls", "x") == -1)
			perror("unveil");
	}

	return 0;
}

> 
> pon., 21 sty 2019 o 06:03 Ted Unangst  napisał(a):
> 
> > Ted Unangst wrote:
> > > Dariusz Sendkowski wrote:
> > > > Yes, it does.
> > > >
> > > > I extracted 'unveilcommands' function from doas.c and put it into a
> > > > standalone program to run it.
> > > > It turned out the result was the same as in doas command. When I
> > disable
> > > > unveil, then it works fine.
> > >
> > > This diff should fix the problem.
> >
> > Actually, miscalculation. This is a better diff. Sorry for the trouble.
> > Against current, but should be adaptable to stable.
> >
> > Index: vfs_syscalls.c
> > ===
> > RCS file: /cvs/src/sys/kern/vfs_syscalls.c,v
> > retrieving revision 1.310
> > diff -u -p -r1.310 vfs_syscalls.c
> > --- vfs_syscalls.c  3 Jan 2019 21:52:31 -   1.310
> > +++ vfs_syscalls.c  21 Jan 2019 04:57:17 -
> > @@ -92,6 +92,7 @@ int dofutimens(struct proc *, int, struc
> >  int dounmount_leaf(struct mount *, int, struct proc *);
> >  int unveil_add(struct proc *, struct nameidata *, const char *);
> >  void unveil_removevnode(struct vnode *vp);
> > +void unveil_free_traversed_vnodes(struct nameidata *);
> >  ssize_t unveil_find_cover(struct vnode *, struct proc *);
> >  struct unveil *unveil_lookup(struct vnode *, struct proc *, ssize_t *);
> >
> > @@ -911,7 +912,7 @@ sys_unveil(struct proc *p, void *v, regi
> >
> > nd.ni_pledge = PLEDGE_UNVEIL;
> > if ((error = namei()) != 0)
> > -   return (error);
> > +   goto end;
> >
> > /*
> >  * XXX Any access to the file or directory will allow us to
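Review bot: the new `goto end` makes `unveil_free_traversed_vnodes()` run on a path where namei() may have failed before recording any traversed vnode, so the traversed-vnode list in `nd` has to be initialised before namei() is called (not only filled in by a successful walk) for that free to be a safe no-op; worth confirming and stating in a comment at `end:`. The same comment should say why `cn_pnbuf` is not released on this path, namely that namei() is relied on to free the pathname buffer itself when it fails, while the success path now has to release it explicitly in the following hunk.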
> > @@ -948,6 +949,10 @@ sys_unveil(struct proc *p, void *v, regi
> > vrele(nd.ni_vp);
> > if (nd.ni_dvp && nd.ni_dvp != nd.ni_vp)
> > vrele(nd.ni_dvp);
> > +
> > +   pool_put(_pool, nd.ni_cnd.cn_pnbuf);
> > +end:
> > +   unveil_free_traversed_vnodes();
> >
> > return (error);
> >  }
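Review bot: as quoted in the mail, `pool_put(_pool, nd.ni_cnd.cn_pnbuf);` and `unveil_free_traversed_vnodes();` have lost their `&`-prefixed arguments (the pool name and the `&nd` argument), so this hunk does not compile as shown; anyone adapting it to stable should take it from the tree rather than from this message. On the logic: now that unveil_add() no longer releases the pathname buffer, every exit between the successful namei() and this `pool_put` has to reach it too, and any early `return (error)` in the region the hunk does not show would now leak `cn_pnbuf`; if such returns exist, route them through a second label placed just above `end:` that does the `pool_put`, rather than returning directly.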
> > Index: kern_unveil.c
> > ===
> > RCS file: /cvs/src/sys/kern/kern_unveil.c,v
> > retrieving revision 1.22
> > diff -u -p -r1.22 kern_unveil.c
> > --- kern_unveil.c   17 Jan 2019 03:26:19 -  1.22
> > +++ kern_unveil.c   21 Jan 2019 05:01:26 -
> > @@ -630,8 +630,6 @@ unveil_add(struct proc *p, struct nameid
> >   done:
> > if (ret == 0)
> > unveil_add_traversed_vnodes(p, ndp);
> > -   unveil_free_traversed_vnodes(ndp);
> > -   pool_put(_pool, ndp->ni_cnd.cn_pnbuf);
> > return ret;
> >  }
> >
> >
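Review bot: dropping the `unveil_free_traversed_vnodes(ndp)` and `pool_put(..., ndp->ni_cnd.cn_pnbuf)` calls moves ownership of the traversed vnodes and of the pathname buffer to the caller, but nothing in the hunk records that; add a comment above unveil_add() stating that the caller is responsible for freeing both, and check that sys_unveil() is its only caller, since any other caller that relied on the old behaviour would now leak both unless updated the same way.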

-- 
Kind regards,
Hiltjo



is there anything like pdfnup or pdfjam?

2019-01-21 Thread rsykora
Dear list,

I want to print a pdf, but with two pages put
on one physical page.

On linux, pdfnup or pdfjam can do it.

I cannot find these for OpenBSD.
What do you use then?

Thanks
Ruda



Re: Slow VPN Performance

2019-01-21 Thread Christian Weisgerber
On 2019-01-21, Radek  wrote:

> ikev2 quick active esp from $local_gw to $remote_gw \
> from $local_lan to $remote_lan peer $remote_gw \
> ikesa auth hmac-sha1 enc aes-128 prf hmac-sha1 group modp1024 \
> childsa enc aes-128-ctr \
> psk "pass"
>
> That increased VPN throughput up to 750KB/s but it is still too slow.

A net5501 is very slow by today's standards.  I don't remember if
that speed is expected.  Assuming that encryption/decryption is the
actual bottleneck:

The phase 1 negotiation (ikesa) is only used when the encrypted
channel is set up.  Tweaking the parameters there has no effect on
the performance of the actual data transfer, which is instead
determined by the phase 2 (childsa) algorithms.

The Geode LX CPU in the net5501 offers hardware acceleration for
AES-128-CBC and nothing else. Not AES-192 or -256, not CTR mode.
You can combine this with the cheapest authentication available,
which is HMAC-MD5. The HMAC construction is not affected by the
known vulnerabilities of MD5.

In short, I'd use "childsa enc aes-128 auth hmac-md5" for maximum
throughput on this hardware.

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: Slow VPN Performance

2019-01-21 Thread Stuart Henderson
On 2019-01-21, Radek  wrote:
> I changed default crypto to:
>
> ikev2 quick active esp from $local_gw to $remote_gw \
> from $local_lan to $remote_lan peer $remote_gw \
> ikesa auth hmac-sha1 enc aes-128 prf hmac-sha1 group modp1024 \
> childsa enc aes-128-ctr \
> psk "pass"
>
> That increased VPN throughput up to 750KB/s but it is still too slow.
> Maybe some sysctl tweaks would also help with this? 

Try chacha20-poly1305 instead of aes-128-ctr, it may help a little.
I don't think any sysctl is likely to help.

750KB/s is maybe a bit slower than I'd expect but that 10+ year old
net5501 is *not* a fast machine. You might be able to squeeze a bit more
from it but probably not a lot, it won't be getting anywhere near your
line speed even with larger packets, and will be terribly overloaded
for small packets e.g. voip.

Do you have any other hardware you can use? If buying new, apu2/apu4
would be good/easy options for running OpenBSD on, but if you have
anything with enough NICs and AES (or at least PCLMUL) showing in
the cpu attach line in dmesg, run OpenBSD/amd64 on it, and use
suitable ciphers (try "quick enc aes-128-gcm"), it should be
way better than the 5501.

>> To be more precise:
>> I use net/ifstat for current bw testing.
>> If I push data by netcat over public IPs, it is up to 5MB/s. 
>> If I push data by netcat through VPN, it is up to 400KB/s.
>> Endusers in LANs also complain about VPN bw.

The best test would be run between LAN machines rather than the routers.
Generating traffic on the router itself means it's constantly switching
between kernel and userland which won't be helping. Still, your test is
good enough to show that things are much slower with IPsec enabled.

>> > is the HEADER compression activated ?
>> I do not know. How can I check it out?

I don't know what compression that would be. There is ROHCoIPsec (RFC5856)
but OpenBSD doesn't support that.

There is ipcomp (packet compression) which can be configured in iked,
but the last thing you want to do on this hardware is add more cpu load
by compressing. (it is not configured in the sample you sent).
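As an added example (not code from either reply) that ties the two answers above together: a small Python classifier that reads an OpenBSD dmesg and proposes the childsa line matching the available acceleration, aes-128 with hmac-md5 on a Geode LX whose glxsb advertises AES, aes-128-gcm where the cpu attach line shows AES or PCLMUL, and chacha20-poly1305 otherwise. The net5501 excerpt is quoted from the thread; the other two dmesg excerpts are constructed.

```python
import re

# OpenBSD prints the CPU feature flags as comma-separated tokens on one or
# more "cpu0: FLAG,FLAG,..." lines; other cpu0 lines contain spaces and are skipped.
CPU_FLAGS_RE = re.compile(r"^cpu0: ([A-Za-z0-9._-]+(?:,[A-Za-z0-9._-]+)+)\s*$", re.M)
# The Geode LX crypto engine attach line ends with its capabilities, e.g. "RNG AES".
GLXSB_RE = re.compile(r'^glxsb0 at .*"AMD Geode LX Crypto".*: (.*)$', re.M)


def cpu_flags(dmesg: str) -> set:
    """Union of all cpu0 feature flags found in the dmesg text."""
    flags = set()
    for line in CPU_FLAGS_RE.findall(dmesg):
        flags.update(line.split(","))
    return flags


def glxsb_caps(dmesg: str) -> set:
    """Capabilities advertised by glxsb(4), or an empty set when it is absent."""
    m = GLXSB_RE.search(dmesg)
    return set(m.group(1).split()) if m else set()


def recommend_childsa(dmesg: str) -> str:
    """Return the phase 2 (childsa) line that best fits the hardware in the dmesg.

    Phase 1 (ikesa) parameters are deliberately left alone: they only matter
    while the SA is negotiated, not for the data transfer.
    """
    if "AES" in glxsb_caps(dmesg):
        # glxsb accelerates AES-128-CBC only; HMAC-MD5 is the cheapest MAC.
        return "childsa enc aes-128 auth hmac-md5"
    flags = cpu_flags(dmesg)
    if "AES" in flags or "PCLMUL" in flags:
        # AES-NI, or at least carry-less multiply for GHASH, makes GCM fast.
        return "childsa enc aes-128-gcm"
    # No usable acceleration: ChaCha20-Poly1305 is the cheapest in software.
    return "childsa enc chacha20-poly1305"


# Excerpt quoted from the net5501 dmesg posted in this thread.
NET5501_DMESG = """\
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 500 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
"""
# Constructed excerpts (not from the thread): an AES-NI capable amd64 board
# and an old i386 laptop with no acceleration at all.
AESNI_DMESG = """\
cpu0: AMD GX-412TC SOC, 998.27 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,F16C
"""
NO_ACCEL_DMESG = """\
cpu0: Intel(R) Pentium(R) M processor 1.60GHz ("GenuineIntel" 686-class) 1.60 GHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,TM,PBE,EST,TM2
"""

if __name__ == "__main__":
    for name, text in (("net5501", NET5501_DMESG), ("aesni", AESNI_DMESG),
                       ("noaccel", NO_ACCEL_DMESG)):
        print(f"{name}: {recommend_childsa(text)}")
```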



Re: does this affect acme-client?

2019-01-21 Thread Josh Grosse
On Mon, Jan 21, 2019 at 03:18:04PM +0100, Peter J. Philipp wrote:
> Does this affect the acme-client?
> 
> https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209
> 
> Regards,
> -peter

I don't think so, Peter.  Per acme-client(1): "acme-client only implements the 
'http-01' challenge type..."



Re: does this affect acme-client?

2019-01-21 Thread Daniel Jakots
On Mon, 21 Jan 2019 15:18:04 +0100, "Peter J. Philipp" wrote:

> Does this affect the acme-client?
> 
> https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209
> 
> Regards,
> -peter
> 

To quote the man page "acme-client only implements the “http-01”
challenge", so LE stopping sni-01 shouldn't change anything for
acme-client(1).

Cheers,
Daniel



does this affect acme-client?

2019-01-21 Thread Peter J. Philipp
Does this affect the acme-client?

https://community.letsencrypt.org/t/february-13-2019-end-of-life-for-all-tls-sni-01-validation-support/74209

Regards,
-peter



Re: smtpd - does not send mails from daemon

2019-01-21 Thread Krzysztof Strzeszewski
I commented out 'match for any action "relay"' and it's ok :) thanks for
the help

On 19.01.2019 at 12:46, Krzysztof Strzeszewski wrote:
> Hi,
>
> what is wrong?
>
> https://krzy.ch/p/smtpd_error.txt
>
> Why do I not receive this message? Why is this message "from=<>"? I have
> the config "smtpd.conf" from the man page.
>
> _
> Krzych
>
>
>



Re: smtpd - help needed translating to new virtual map syntax [FIXED]

2019-01-21 Thread Gilles Chehade
sorry, I obviously f-up my last mail, this one is fixed ;-)


On Sun, Jan 20, 2019 at 04:14:05PM -0600, Adam Thompson wrote:
> As it turns out, no, that doesn't work.
> Trying to fix up broken sender mail domain-parts only simply gets me a "5.2.4 
> Mailing list expansion problem" error, with no debug output to suggest why.
> 
> In this test case, my translations map had:
> 
>   @bad.athompso.net @good.athompso.net
> 

What is a translation map ?

There is no such thing in OpenSMTPD (as of today).


> in it.  Obviously, this is a test setup :).
> Smtpd.conf itself consisted of:
> 
>   listen on all received-auth
>   smtp max-message-size 100M
>   table translations file:/etc/mail/translations  # ORIG->NEW mappings
>   table allowed-hosts file:/etc/mail/allowed-hosts  # Who can connect?  (bare IP addresses or CIDR subnets)
>   action translate lmtp "/var/run/lmtp.sock" virtual  # 1st pass on allowed rewrite mail
>   action forward forward-only  # and now it's not our problem anymore
>   match for any from local action forward  # 2nd pass for reinjected mail, this time just forward it
>   match for any from src  action translate  # inbound mail - hand it to LMTP, translating as we go
>
>


from table(5):

 Aliasing tables
 
 Aliasing tables are mappings that associate a recipient to one or many
 destinations.  They can be used in two contexts: primary domain aliases
 and virtual domain mapping.
 
 [...]
 
 In a virtual domain context, the key is either a user part, a full email
 address or a catch all, following selection rules described in
 smtpd.conf(5), and the value is one or many recipients as described in
 aliases(5):

   user1               otheruser
   us...@example.org   otheruser1,otheruser2
   @example.org        otheru...@example.com
   @                   catch...@example.com


You're feeding the virtual table with invalid values.

Also, this is a recipient translation mechanism, similar to aliases, and
not a sender rewriting mechanism which we do not have at this point.


> A cursory glance at the source code (yikes, it's been a long time since I was 
> a programmer) suggests that virtual now only works on recipients, not 
> senders.  Which is too bad for me, as that means I'll have to switch at least 
> one box to use Postfix.
>

virtual _now_ only works on recipients, not senders ?

the virtual code hasn't changed, it works the way it always did.

there is no way it could ever do what you're describing or attempting to
do given that it doesn't operate at all anywhere near the message. there
is no way it has ever parsed:

@bad.athompso.net @good.athompso.net

and the only thing that changed is that such errors are now visible from
the session as:

5.2.4 Mailing list expansion problem

instead of an invalid recipient error like it probably did in 6.3


> I'm not convinced the new smtpd.conf grammar improves anything at all, but I 
> assume it must help someone or it wouldn't have changed... but I believe my 
> use case got thrown out with the bathwater, so to speak.  Oh, well.  :-(
>

This is bullshit.

The grammar doesn't reduce the functional scope, it can only expand it.

What you are describing has never existed in smtpd, there's never been
code to translate sender addresses and there's a good reason for that:

it was not considered doable before the grammar change...

But sure, blame it on the grammar.


> (If anyone cares, the bad sender addresses are mostly alerts coming from 
> older Sun ALOMs and at least one Lexmark printer that also sends email with 
> broken From addresses.)
> 

I may sound a bit harsh, but starting a thread with "this is my last try
or I'll switch" (as if it actually matters) right before telling someone
who wants to help you that you actually tried _nothing_, then blaming the
code improvements for a use-case that could never have worked because it
not only uses the wrong _documented_ mechanism but also because the code
to make your use-case work has never existed, kind of irritates me.

I don't get royalties on smtpd installs, please install whatever software
fits your use case, this is how proper engineering works.

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org tip me: https://paypal.me/poolpOrg
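As an added example (not OpenSMTPD code) of the recipient-side mechanism described above: a small resolver that applies the table(5) virtual selection rules to a RCPT TO address and validates the resulting destinations against the aliases(5) shape. The lookup order (full address, then user part, then @domain, then the catch-all @) and the rejection of a destination with an empty user part are my assumptions about smtpd's behaviour; the sample table is constructed, and the last table is the one entry from the thread.

```python
import re
from typing import Dict, List, Optional

VALID_USER_RE = re.compile(r"[A-Za-z0-9._+-]+")


class ExpansionError(Exception):
    """Raised where smtpd would answer '5.2.4 Mailing list expansion problem'."""


def parse_table(text: str) -> Dict[str, str]:
    """Parse 'key   value[,value...]' lines; blank lines and # comments are skipped."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ExpansionError(f"malformed table line: {raw!r}")
        table[parts[0]] = parts[1]
    return table


def virtual_lookup(table: Dict[str, str], rcpt: str) -> Optional[str]:
    """Find the alias value for a recipient: full address, then user part,
    then @domain, then the catch-all @ (assumed order).  Only the RCPT TO
    address is an input; the envelope sender is never consulted."""
    user, _, domain = rcpt.partition("@")
    for key in (rcpt, user, "@" + domain, "@"):
        if key in table:
            return table[key]
    return None


def parse_destination(value: str) -> str:
    """Validate one alias destination as a local user or a user@domain address.
    A value with an empty user part, such as '@good.example', names no
    deliverable recipient and is rejected (assumed to match smtpd)."""
    value = value.strip()
    if "@" in value:
        user, _, domain = value.partition("@")
        if not user or not domain or "@" in domain:
            raise ExpansionError(f"invalid address destination {value!r}")
        return value
    if not VALID_USER_RE.fullmatch(value):
        raise ExpansionError(f"invalid user destination {value!r}")
    return value


def expand_recipient(table: Dict[str, str], rcpt: str) -> List[str]:
    """Expand a recipient through the virtual table into deliverable destinations."""
    value = virtual_lookup(table, rcpt)
    if value is None:
        raise ExpansionError(f"no virtual entry matches {rcpt}")
    return [parse_destination(v) for v in value.split(",")]


# Constructed sample table in the table(5) virtual format.
SAMPLE_TABLE = parse_table("""
postmaster        admin
bob@example.org   bob1,bob2
@example.org      shared@example.com
@                 catchall@example.com
""")
# The entry from the thread: the value has no user part, so it can never expand.
SENDER_REWRITE_TABLE = parse_table("@bad.athompso.net @good.athompso.net\n")
```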



Re: doas called multiple times hangs

2019-01-21 Thread Dariusz Sendkowski
I applied this patch, as is, to the stable sources and it works now.
Thanks.



On Mon, 21 Jan 2019 at 06:03 Ted Unangst wrote:

> Ted Unangst wrote:
> > Dariusz Sendkowski wrote:
> > > Yes, it does.
> > >
> > > I extracted 'unveilcommands' function from doas.c and put it into a
> > > standalone program to run it.
> > > It turned out the result was the same as in doas command. When I
> disable
> > > unveil, then it works fine.
> >
> > This diff should fix the problem.
>
> Actually, miscalculation. This is a better diff. Sorry for the trouble.
> Against current, but should be adaptable to stable.
>
> Index: vfs_syscalls.c
> ===
> RCS file: /cvs/src/sys/kern/vfs_syscalls.c,v
> retrieving revision 1.310
> diff -u -p -r1.310 vfs_syscalls.c
> --- vfs_syscalls.c  3 Jan 2019 21:52:31 -   1.310
> +++ vfs_syscalls.c  21 Jan 2019 04:57:17 -
> @@ -92,6 +92,7 @@ int dofutimens(struct proc *, int, struc
>  int dounmount_leaf(struct mount *, int, struct proc *);
>  int unveil_add(struct proc *, struct nameidata *, const char *);
>  void unveil_removevnode(struct vnode *vp);
> +void unveil_free_traversed_vnodes(struct nameidata *);
>  ssize_t unveil_find_cover(struct vnode *, struct proc *);
>  struct unveil *unveil_lookup(struct vnode *, struct proc *, ssize_t *);
>
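Review bot: the new prototype declares `unveil_free_traversed_vnodes` as taking a `struct nameidata *`, while the call added in sys_unveil further down this diff appears as `unveil_free_traversed_vnodes();` with an empty argument list; if the source really reads that way rather than the argument having been lost in quoting, it will not compile, so verify the call passes `&nd`. Keeping these unveil prototypes as file-local declarations in vfs_syscalls.c also means nothing checks them against the definitions in kern_unveil.c; a shared header would catch such mismatches at build time.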
> @@ -911,7 +912,7 @@ sys_unveil(struct proc *p, void *v, regi
>
> nd.ni_pledge = PLEDGE_UNVEIL;
> if ((error = namei()) != 0)
> -   return (error);
> +   goto end;
>
> /*
>  * XXX Any access to the file or directory will allow us to
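Review bot: replacing `return (error);` with `goto end;` is the behavioural change behind the fix: a failed `namei()` now still reaches the traversed-vnode cleanup at `end:`, whereas before whatever vnodes had been collected during traversal were left unreleased on the error path, which fits the report that repeated doas runs hang only with unveil enabled. A one-line comment at the `goto` saying why it is safe to skip the `pool_put` of `cn_pnbuf` on this path (presumably because namei already releases its buffer on failure) would make the placement of `end:` after that `pool_put` self-explanatory; please confirm that assumption.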
> @@ -948,6 +949,10 @@ sys_unveil(struct proc *p, void *v, regi
> vrele(nd.ni_vp);
> if (nd.ni_dvp && nd.ni_dvp != nd.ni_vp)
> vrele(nd.ni_dvp);
> +
> +   pool_put(_pool, nd.ni_cnd.cn_pnbuf);
> +end:
> +   unveil_free_traversed_vnodes();
>
> return (error);
>  }
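Review bot: `unveil_free_traversed_vnodes();` is called here with no argument although the prototype added in the first hunk takes a `struct nameidata *`; confirm the real line is `unveil_free_traversed_vnodes(&nd);`. Putting the `pool_put` of `nd.ni_cnd.cn_pnbuf` above the label and the vnode cleanup below it is the right split, since the buffer only exists after a successful namei, but a comment explaining why the two frees straddle `end:` would stop the next editor from tidying them back together. The `_pool` in the `pool_put` line looks like a quoting artifact for the namei pool's name; make sure it matches the pool used on the unveil_add side.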
> Index: kern_unveil.c
> ===
> RCS file: /cvs/src/sys/kern/kern_unveil.c,v
> retrieving revision 1.22
> diff -u -p -r1.22 kern_unveil.c
> --- kern_unveil.c   17 Jan 2019 03:26:19 -  1.22
> +++ kern_unveil.c   21 Jan 2019 05:01:26 -
> @@ -630,8 +630,6 @@ unveil_add(struct proc *p, struct nameid
>   done:
> if (ret == 0)
> unveil_add_traversed_vnodes(p, ndp);
> -   unveil_free_traversed_vnodes(ndp);
> -   pool_put(_pool, ndp->ni_cnd.cn_pnbuf);
> return ret;
>  }
>
>
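Review bot: with both frees removed from the `done:` path, cleanup ownership moves entirely out of unveil_add; that should be stated in the comment above unveil_add, and it needs a check that sys_unveil (the only caller visible in this diff) is in fact the only caller, since any other caller would now leak the traversed vnodes and `cn_pnbuf` on both the `ret == 0` and the error paths that reach `done:`.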



Re: Slow VPN Performance

2019-01-21 Thread Radek
I changed default crypto to:

ikev2 quick active esp from $local_gw to $remote_gw \
from $local_lan to $remote_lan peer $remote_gw \
ikesa auth hmac-sha1 enc aes-128 prf hmac-sha1 group modp1024 \
childsa enc aes-128-ctr \
psk "pass"

That increased VPN throughput up to 750KB/s but it is still too slow.
Maybe some sysctl tweaks would also help with this? 

Any hint would be appreciated. Thank you.


$ ifstat -i vr0
           vr0
  KB/s in  KB/s out
     4.48    100.64
    24.14    503.63
    15.32    237.62
     0.33      6.32
    27.37    516.81
    25.92    548.57
    25.36    516.66
    23.49    514.80
    30.79    594.94
    37.45    583.15
    34.16    621.32
    31.54    653.58
    31.40    659.72
    33.00    667.91
    40.15    753.08
    34.54    738.35
    32.15    639.13
    35.11    621.26
    34.78    733.43
    34.59    728.21

On Fri, 18 Jan 2019 18:25:11 +0100
Radek  wrote:

> To be more precise:
> I use net/ifstat for current bw testing.
> If I push data by netcat over public IPs, it is up to 5MB/s. 
> If I push data by netcat through VPN, it is up to 400KB/s.
> Endusers in LANs also complain about VPN bw.
> 
> > You should use curl + nginx (with tmpfs) or iperf for bw testing.
> I do not need to get very exact bw. My "netcat test" shows that data transfer 
> over VPN is ~10 times slower.
> 
> > Have you tried your NC on the loopback as a reference ?
> $ time nc -N 127.0.0.1 1234 < 50MB.test
> 0.054u 1.476s 0:10.54 14.4% 0+0k 1281+1io 0pf+0w
> 
> > is the HEADER compression activated ?
> I do not know. How can I check it out?
> 
> > just drop the all sendbug data if you actually want to help.
> OpenBSD 6.3 (GENERIC) #0: Wed Apr 25 16:38:25 CEST 2018
> rdk@RAC_fw63:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 
> 500 MHz
> cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
> real mem  = 536363008 (511MB)
> avail mem = 512651264 (488MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: date 20/80/26, BIOS32 rev. 0 @ 0xfac40
> pcibios0 at bios0: rev 2.0 @ 0xf/0x1
> pcibios0: pcibios_get_intr_routing - function not supported
> pcibios0: PCI IRQ Routing information unavailable.
> pcibios0: PCI bus #0 is the last bus
> bios0: ROM list: 0xc8000/0xa800
> cpu0 at mainbus0: (uniprocessor)
> mtrr: K6-family MTRR support (2 registers)
> amdmsr0 at mainbus0
> pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
> 0:20:0: io address conflict 0x6100/0x100
> 0:20:0: io address conflict 0x6200/0x200
> pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x33
> glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
> vr0 at pci0 dev 6 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11, address 
> 00:00:24:cd:90:10
> ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 
> 0x004063, model 0x0034
> vr1 at pci0 dev 7 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 5, address 
> 00:00:24:cd:90:11
> ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 
> 0x004063, model 0x0034
> vr2 at pci0 dev 8 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 9, address 
> 00:00:24:cd:90:12
> ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 
> 0x004063, model 0x0034
> vr3 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 12, address 
> 00:00:24:cd:90:13
> ukphy3 at vr3 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 
> 0x004063, model 0x0034
> glxpcib0 at pci0 dev 20 function 0 "AMD CS5536 ISA" rev 0x03: rev 3, 32-bit 
> 3579545Hz timer, watchdog, gpio, i2c
> gpio0 at glxpcib0: 32 pins
> iic0 at glxpcib0
> pciide0 at pci0 dev 20 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0 
> wired to compatibility, channel 1 wired to compatibility
> wd0 at pciide0 channel 0 drive 0: 
> wd0: 1-sector PIO, LBA48, 7629MB, 15625216 sectors
> wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
> pciide0: channel 1 ignored (disabled)
> ohci0 at pci0 dev 21 function 0 "AMD CS5536 USB" rev 0x02: irq 15, version 
> 1.0, legacy support
> ehci0 at pci0 dev 21 function 1 "AMD CS5536 USB" rev 0x02: irq 15
> usb0 at ehci0: USB revision 2.0
> uhub0 at usb0 configuration 1 interface 0 "AMD EHCI root hub" rev 2.00/1.00 
> addr 1
> isa0 at glxpcib0
> isadma0 at isa0
> com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> com0: console
> com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
> pckbc0 at isa0 port 0x60/5 irq 1 irq 12
> pckbc0: unable to establish interrupt for irq 12
> pckbd0 at pckbc0 (kbd slot)
> wskbd0 at pckbd0: console keyboard
> pcppi0 at isa0 port 0x61
> spkr0 at pcppi0
> nsclpcsio0 at isa0 port 0x2e/2: NSC PC87366 rev 9: GPIO VLM TMS
> gpio1 at nsclpcsio0: 29 pins
> npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
> usb1 at ohci0: USB revision 1.0
> uhub1 at usb1 configuration 1 interface 0 "AMD OHCI root hub" rev 1.00/1.00 
> addr 1
> ugen0 at uhub1 port 1 "American Power Conversion