Re: [patch]: SSL_OP_NO_RENEGOTIATION vs SSL_OP_NO_CLIENT_RENEGOTIATION inconsistency

2023-02-05 Thread Theo Buehler
On Sun, Feb 05, 2023 at 03:59:38PM -0700, Ashlen wrote:
> (Can CC to tech@ or elsewhere if needed, I didn't know if it belonged here or
> there so I'm starting here)

Please do not send patches to misc. Many of us don't have the time and
nerves to dig through all the noise to see if there's anything worth
looking at.

> These files in the source tree are expecting SSL_OP_NO_RENEGOTIATION when only
> SSL_OP_NO_CLIENT_RENEGOTIATION is defined in lib/libssl/ssl.h. 
> 
> $ grep -Rl 'SSL_OP_NO_RENEGOTIATION'
> usr.sbin/unbound/util/net_help.c
> usr.sbin/unbound/smallapp/unbound-control.c
> usr.sbin/nsd/server.c
> usr.sbin/nsd/nsd-control.c
> sbin/unwind/libunbound/util/net_help.c

As you noted in your second mail, this is all third-party software. We
do not want patches in there that we can't upstream. So in principle I
would agree that your first patch is preferable.

> $ grep -Rl 'SSL_OP_NO_CLIENT_RENEGOTIATION'
> lib/libssl/ssl_pkt.c
> lib/libssl/ssl.h
> lib/libssl/d1_pkt.c
> lib/libtls/tls_server.c
>
> Is this intentional? 

Yes. SSL_OP_NO_CLIENT_RENEGOTIATION was introduced in LibreSSL in Jan '15
and does what it says: it turns off client-side renegotiation. I do not
know if it was intentionally left undocumented.

https://github.com/openbsd/src/commit/0d3c1a5098b4e6a447e95479733e6abd9b485298

[If you look at the code you patch in ssl_pkt.c and d1_pkt.c, it's when
the server reads a legacy (TLSv1.2 or earlier) ClientHello, so no change
in behavior on the client side.]

Of note: at that point renegotiation could still be turned off via the
undocumented SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS. This is no longer
possible since it needs access to ssl->s3->flags and ssl is now
opaque.

> I should note that OpenSSL uses SSL_OP_NO_RENEGOTIATION. At least two ports I've
> seen expect this and fail to disable client renegotiation as a result.

This was introduced a few months later in OpenSSL and it turns off both
client-initiated and server-initiated renegotiation. The reason for
adding this option was precisely that the opaque SSL in OpenSSL 1.1
no longer allowed setting SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.

https://github.com/openssl/openssl/commit/db0f35dda18403accabe98e7780f3dfc516f49de

The two options don't do the same thing, so renaming
SSL_OP_NO_CLIENT_RENEGOTIATION into SSL_OP_NO_RENEGOTIATION or vice
versa isn't correct.

> I don't know for sure which direction others would prefer to patch in, but I get
> the feeling it makes more sense to choose the approach that involves less future
> patching (renaming SSL_OP_NO_CLIENT_RENEGOTIATION to SSL_OP_NO_RENEGOTIATION).

If the two options were equivalent, another option would have been to
add one compat define to ssl.h:

#define SSL_OP_NO_RENEGOTIATION SSL_OP_NO_CLIENT_RENEGOTIATION

This way no other patching would be needed.

> I'll include both methods of patching, one in this mail and one in my reply to
> it.

There are a few things to consider.

1. Should we add SSL_OP_NO_RENEGOTIATION?

In my opinion your findings suggest that it should be done. It should
not be hard if you want to take a stab at it.

2. We can probably also remove SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS (except
from ssl3.h).

3. OpenSSL 3 has disabled client-side renegotiation by default. Can we
do the same? (Also, they now have SSL_OP_ALLOW_CLIENT_RENEGOTIATION;
let's ignore this for now...)

BoringSSL has intricate logic on when it allows renegotiation and when
it doesn't, depending on the ALPN among other things. Basically, it
allows it for TLSv1.2 with HTTP/1.1, but disables it once it knows it
is using HTTP/2. Should we do similar instead?

> (Also, should lib/libssl/man/SSL_CTX_set_options.3 also get patched? Unsure what
> to write there if so, as it depends on which solution makes more sense)
> 
> Index: lib/libssl/ssl_pkt.c
> ===
> RCS file: /cvs/src/lib/libssl/ssl_pkt.c,v
> retrieving revision 1.65
> diff -u -p -u -p -r1.65 ssl_pkt.c
> --- lib/libssl/ssl_pkt.c  26 Nov 2022 16:08:56 -  1.65
> +++ lib/libssl/ssl_pkt.c  5 Feb 2023 22:49:15 -
> @@ -958,7 +958,7 @@ ssl3_read_handshake_unexpected(SSL *s)
>   return -1;
>   }
>  
> - if ((s->options & SSL_OP_NO_CLIENT_RENEGOTIATION) != 0) {
> + if ((s->options & SSL_OP_NO_RENEGOTIATION) != 0) {
>   ssl3_send_alert(s, SSL3_AL_FATAL,
>   SSL_AD_NO_RENEGOTIATION);
>   return -1;
> Index: lib/libssl/ssl.h
> ===
> RCS file: /cvs/src/lib/libssl/ssl.h,v
> retrieving revision 1.230
> diff -u -p -u -p -r1.230 ssl.h
> --- lib/libssl/ssl.h  26 Dec 2022 07:31:44 -  1.230
> +++ lib/libssl/ssl.h  5 Feb 2023 22:49:16 -
> @@ -402,7 +402,7 @@ typedef int (*tls_session_secret_cb_fn)(
>  /* As server, disallow session resumption on renegotiation */
>  #define 
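The portability trap discussed above (code that only looks for OpenSSL's macro name and silently does nothing on a libssl that spells the option differently) has an exact counterpart in Python's ssl module, which exposes ssl.OP_NO_RENEGOTIATION only when the libssl it was built against defines SSL_OP_NO_RENEGOTIATION. The following is an added example, not code from this thread or from LibreSSL, OpenSSL or unbound/nsd: it hardens a server-side context and returns whether renegotiation could actually be disabled, so the condition is visible instead of being compiled (or attribute-checked) away. The function names (has_native_option, new_server_context, harden_server_context, renegotiation_disabled) are the example's own.

```python
"""Disable TLS renegotiation on a server context and make failure visible.

Python's ssl module exposes ssl.OP_NO_RENEGOTIATION only when the libssl it
was built against defines SSL_OP_NO_RENEGOTIATION. A build against a libssl
that only knows SSL_OP_NO_CLIENT_RENEGOTIATION has no such attribute, so

    if hasattr(ssl, "OP_NO_RENEGOTIATION"):
        ctx.options |= ssl.OP_NO_RENEGOTIATION

silently does nothing there: the Python spelling of the
'#if defined(SSL_OP_NO_RENEGOTIATION)' guard in nsd and unbound.
"""
import ssl


def has_native_option():
    """True if this interpreter's libssl offers the OpenSSL-named option."""
    return hasattr(ssl, "OP_NO_RENEGOTIATION")


def new_server_context():
    """A plain server-side context with Python's defaults (option not set)."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def harden_server_context():
    """Return (context, renegotiation_disabled).

    The boolean is the important part: a caller can refuse to start, log
    loudly, or fall back to a TLS 1.3-only policy instead of believing
    renegotiation is off when the option never existed in this build.
    """
    ctx = new_server_context()
    # Renegotiation is a TLS <= 1.2 mechanism (TLS 1.3 has none), so the
    # option only matters for connections below 1.3; 1.2 stays allowed here
    # so that the check below is meaningful.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    flag = getattr(ssl, "OP_NO_RENEGOTIATION", None)
    if flag is None:
        return ctx, False
    ctx.options |= flag
    # Verify the bit really took, the same '& flag' check nsd and unbound do.
    return ctx, bool(ctx.options & flag)


def renegotiation_disabled(ctx):
    """Audit helper for an existing context: True only if a known option is set."""
    flag = getattr(ssl, "OP_NO_RENEGOTIATION", None)
    return flag is not None and bool(ctx.options & flag)


if __name__ == "__main__":
    ctx, disabled = harden_server_context()
    print(ssl.OPENSSL_VERSION)
    print("renegotiation disabled:", disabled)
    if not disabled:
        print("this libssl exposes no SSL_OP_NO_RENEGOTIATION; "
              "fail closed or require TLS 1.3 (minimum_version = TLSv1_3)")
```

Run it under interpreters linked against different libssl builds and compare the second line of output; the audit helper is the piece to wire into a deployment check, since it reports on a context that already exists rather than on what the code intended to do.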

Re: [patch]: SSL_OP_NO_RENEGOTIATION vs SSL_OP_NO_CLIENT_RENEGOTIATION inconsistency

2023-02-05 Thread Ashlen
Here's the other way of patching it. I don't like this way as much because it
requires more work in the future (when updating unbound/nsd and ports).

Index: usr.sbin/nsd/nsd-control.c
===
RCS file: /cvs/src/usr.sbin/nsd/nsd-control.c,v
retrieving revision 1.17
diff -u -p -u -p -r1.17 nsd-control.c
--- usr.sbin/nsd/nsd-control.c  30 Jun 2022 10:49:39 -  1.17
+++ usr.sbin/nsd/nsd-control.c  5 Feb 2023 21:55:14 -
@@ -184,11 +184,11 @@ setup_ctx(struct nsd_options* cfg)
 if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
!= SSL_OP_NO_SSLv3)
ssl_err("could not set SSL_OP_NO_SSLv3");
-#if defined(SSL_OP_NO_RENEGOTIATION)
+#if defined(SSL_OP_NO_CLIENT_RENEGOTIATION)
/* disable client renegotiation */
-   if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
-   SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION)
-   ssl_err("could not set SSL_OP_NO_RENEGOTIATION");
+   if((SSL_CTX_set_options(ctx, SSL_OP_NO_CLIENT_RENEGOTIATION) &
+   SSL_OP_NO_CLIENT_RENEGOTIATION) != 
SSL_OP_NO_CLIENT_RENEGOTIATION)
+   ssl_err("could not set SSL_OP_NO_CLIENT_RENEGOTIATION");
 #endif
if(!SSL_CTX_use_certificate_file(ctx,c_cert,SSL_FILETYPE_PEM))
ssl_path_err("Error setting up SSL_CTX client cert", c_cert);
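Review bot: the '!=' line of the replacement is wrapped mid-expression ('SSL_OP_NO_CLIENT_RENEGOTIATION) != ' followed by 'SSL_OP_NO_CLIENT_RENEGOTIATION)' on a line of its own), so the patch as posted will not apply cleanly; resend with the long lines intact. Beyond that, nsd-control.c is third-party code whose upstream tests SSL_OP_NO_RENEGOTIATION, so this rename has to be re-applied on every nsd import; providing SSL_OP_NO_RENEGOTIATION in libssl, as Theo suggests earlier in the thread, makes this hunk unnecessary.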
Index: usr.sbin/nsd/server.c
===
RCS file: /cvs/src/usr.sbin/nsd/server.c,v
retrieving revision 1.49
diff -u -p -u -p -r1.49 server.c
--- usr.sbin/nsd/server.c   14 Nov 2022 21:09:32 -  1.49
+++ usr.sbin/nsd/server.c   5 Feb 2023 21:55:15 -
@@ -2003,11 +2003,11 @@ server_tls_ctx_setup(char* key, char* pe
return 0;
}
 #endif
-#if defined(SSL_OP_NO_RENEGOTIATION)
+#if defined(SSL_OP_NO_CLIENT_RENEGOTIATION)
/* disable client renegotiation */
-   if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
-   SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) {
-   log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION");
+   if((SSL_CTX_set_options(ctx, SSL_OP_NO_CLIENT_RENEGOTIATION) &
+   SSL_OP_NO_CLIENT_RENEGOTIATION) != 
SSL_OP_NO_CLIENT_RENEGOTIATION) {
+   log_crypto_err("could not set SSL_OP_NO_CLIENT_RENEGOTIATION");
SSL_CTX_free(ctx);
return 0;
}
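Review bot: same wrapped continuation line as in nsd-control.c ('!= ' with 'SSL_OP_NO_CLIENT_RENEGOTIATION) {' on the next line), so this hunk will also fail to apply as posted. Note that the existing '(SSL_CTX_set_options(ctx, X) & X) != X' check already verifies the bit was set; the weak point is the #if guard, which on LibreSSL compiles the whole block out so that no error is ever logged. An '#elif defined(SSL_OP_NO_CLIENT_RENEGOTIATION)' branch would be a smaller change than renaming and would leave the upstream lines untouched.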
Index: usr.sbin/unbound/smallapp/unbound-control.c
===
RCS file: /cvs/src/usr.sbin/unbound/smallapp/unbound-control.c,v
retrieving revision 1.25
diff -u -p -u -p -r1.25 unbound-control.c
--- usr.sbin/unbound/smallapp/unbound-control.c 20 Oct 2022 08:26:14 -  
1.25
+++ usr.sbin/unbound/smallapp/unbound-control.c 5 Feb 2023 21:55:15 -
@@ -538,11 +538,11 @@ setup_ctx(struct config_file* cfg)
if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
!= SSL_OP_NO_SSLv3)
ssl_err("could not set SSL_OP_NO_SSLv3");
-#if defined(SSL_OP_NO_RENEGOTIATION)
+#if defined(SSL_OP_NO_CLIENT_RENEGOTIATION)
/* disable client renegotiation */
-   if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
-   SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION)
-   ssl_err("could not set SSL_OP_NO_RENEGOTIATION");
+   if((SSL_CTX_set_options(ctx, SSL_OP_NO_CLIENT_RENEGOTIATION) &
+   SSL_OP_NO_CLIENT_RENEGOTIATION) != 
SSL_OP_NO_CLIENT_RENEGOTIATION)
+   ssl_err("could not set SSL_OP_NO_CLIENT_RENEGOTIATION");
 #endif
if(!SSL_CTX_use_certificate_chain_file(ctx,c_cert))
ssl_path_err("Error setting up SSL_CTX client cert", c_cert);
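Review bot: the series patches the unbound copy under usr.sbin but not sbin/unwind/libunbound/util/net_help.c, which the grep at the top of the thread lists as a fifth file expecting SSL_OP_NO_RENEGOTIATION; unwind's TLS listener would still compile its renegotiation guard out. The same wrapped '!=' line as in the other hunks also needs rejoining before this applies.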
Index: usr.sbin/unbound/util/net_help.c
===
RCS file: /cvs/src/usr.sbin/unbound/util/net_help.c,v
retrieving revision 1.28
diff -u -p -u -p -r1.28 net_help.c
--- usr.sbin/unbound/util/net_help.c20 Oct 2022 08:26:14 -  1.28
+++ usr.sbin/unbound/util/net_help.c5 Feb 2023 21:55:15 -
@@ -989,11 +989,11 @@ listen_sslctx_setup(void* ctxt)
return 0;
}
 #endif
-#if defined(SSL_OP_NO_RENEGOTIATION)
+#if defined(SSL_OP_NO_CLIENT_RENEGOTIATION)
/* disable client renegotiation */
-   if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
-   SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) {
-   log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION");
+   if((SSL_CTX_set_options(ctx, SSL_OP_NO_CLIENT_RENEGOTIATION) &
+   SSL_OP_NO_CLIENT_RENEGOTIATION) != 
SSL_OP_NO_CLIENT_RENEGOTIATION) {
+   log_crypto_err("could not set SSL_OP_NO_CLIENT_RENEGOTIATION");
return 0;
}
 #endif
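Review bot: listen_sslctx_setup() is the server-side context, which is the one path where LibreSSL's SSL_OP_NO_CLIENT_RENEGOTIATION has an effect (it is consulted when the server reads a legacy ClientHello), so this is the hunk that actually changes behaviour. The wrapped '!= ' / 'SSL_OP_NO_CLIENT_RENEGOTIATION) {' line again needs rejoining before the patch applies.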
@@ -1225,11 +1225,11 @@ void* connect_sslctx_create(char* key, c
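Review bot: the second hunk, for connect_sslctx_create(), ends at its '@@' header; its body is missing from the post, so the client-side change cannot be reviewed. When resending, keep in mind that LibreSSL only acts on SSL_OP_NO_CLIENT_RENEGOTIATION on the server side, so setting it on a client context is a no-op.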

[patch]: SSL_OP_NO_RENEGOTIATION vs SSL_OP_NO_CLIENT_RENEGOTIATION inconsistency

2023-02-05 Thread Ashlen
(Can CC to tech@ or elsewhere if needed, I didn't know if it belonged here or
there so I'm starting here)

These files in the source tree are expecting SSL_OP_NO_RENEGOTIATION when only
SSL_OP_NO_CLIENT_RENEGOTIATION is defined in lib/libssl/ssl.h. 

$ grep -Rl 'SSL_OP_NO_RENEGOTIATION'
usr.sbin/unbound/util/net_help.c
usr.sbin/unbound/smallapp/unbound-control.c
usr.sbin/nsd/server.c
usr.sbin/nsd/nsd-control.c
sbin/unwind/libunbound/util/net_help.c

$ grep -Rl 'SSL_OP_NO_CLIENT_RENEGOTIATION'
lib/libssl/ssl_pkt.c
lib/libssl/ssl.h
lib/libssl/d1_pkt.c
lib/libtls/tls_server.c

Is this intentional? 

I should note that OpenSSL uses SSL_OP_NO_RENEGOTIATION. At least two ports I've
seen expect this and fail to disable client renegotiation as a result. 

I don't know for sure which direction others would prefer to patch in, but I get
the feeling it makes more sense to choose the approach that involves less future
patching (renaming SSL_OP_NO_CLIENT_RENEGOTIATION to SSL_OP_NO_RENEGOTIATION). 

I'll include both methods of patching, one in this mail and one in my reply to
it.

(Also, should lib/libssl/man/SSL_CTX_set_options.3 also get patched? Unsure what
to write there if so, as it depends on which solution makes more sense)

Index: lib/libssl/ssl_pkt.c
===
RCS file: /cvs/src/lib/libssl/ssl_pkt.c,v
retrieving revision 1.65
diff -u -p -u -p -r1.65 ssl_pkt.c
--- lib/libssl/ssl_pkt.c26 Nov 2022 16:08:56 -  1.65
+++ lib/libssl/ssl_pkt.c5 Feb 2023 22:49:15 -
@@ -958,7 +958,7 @@ ssl3_read_handshake_unexpected(SSL *s)
return -1;
}
 
-   if ((s->options & SSL_OP_NO_CLIENT_RENEGOTIATION) != 0) {
+   if ((s->options & SSL_OP_NO_RENEGOTIATION) != 0) {
ssl3_send_alert(s, SSL3_AL_FATAL,
SSL_AD_NO_RENEGOTIATION);
return -1;
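Review bot: the check in ssl3_read_handshake_unexpected() is reached only when the server reads a legacy (TLSv1.2 or earlier) ClientHello, so the bit it tests blocks client-initiated renegotiation and nothing else. Renaming the bit to SSL_OP_NO_RENEGOTIATION puts it under a name that in OpenSSL also suppresses server-initiated renegotiation, which nothing in this hunk implements; either keep the narrower name or document that the semantics differ from OpenSSL's.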
Index: lib/libssl/ssl.h
===
RCS file: /cvs/src/lib/libssl/ssl.h,v
retrieving revision 1.230
diff -u -p -u -p -r1.230 ssl.h
--- lib/libssl/ssl.h26 Dec 2022 07:31:44 -  1.230
+++ lib/libssl/ssl.h5 Feb 2023 22:49:16 -
@@ -402,7 +402,7 @@ typedef int (*tls_session_secret_cb_fn)(
 /* As server, disallow session resumption on renegotiation */
 #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION  0x0001L
 /* Disallow client initiated renegotiation. */
-#define SSL_OP_NO_CLIENT_RENEGOTIATION 0x0002L
+#define SSL_OP_NO_RENEGOTIATION0x0002L
 /* If set, always create a new key when using tmp_dh parameters */
 #define SSL_OP_SINGLE_DH_USE   0x0010L
 /* Set on servers to choose the cipher according to the server's
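Review bot: this removes the SSL_OP_NO_CLIENT_RENEGOTIATION identifier instead of adding the new name alongside it, so every consumer still spelling the old name (ports and other third-party code; only lib/libtls is updated in this series) stops compiling. Keeping the old define and adding the new one, whether as '#define SSL_OP_NO_RENEGOTIATION SSL_OP_NO_CLIENT_RENEGOTIATION' or as a distinct bit, preserves source compatibility. The comment 'Disallow client initiated renegotiation.' should also state that the bit does not cover server-initiated renegotiation, which OpenSSL's option of the same name does.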
Index: lib/libssl/d1_pkt.c
===
RCS file: /cvs/src/lib/libssl/d1_pkt.c,v
retrieving revision 1.127
diff -u -p -u -p -r1.127 d1_pkt.c
--- lib/libssl/d1_pkt.c 26 Nov 2022 16:08:55 -  1.127
+++ lib/libssl/d1_pkt.c 5 Feb 2023 22:49:16 -
@@ -644,7 +644,7 @@ dtls1_read_handshake_unexpected(SSL *s)
return -1;
}
 
-   if ((s->options & SSL_OP_NO_CLIENT_RENEGOTIATION) != 0) {
+   if ((s->options & SSL_OP_NO_RENEGOTIATION) != 0) {
ssl3_send_alert(s, SSL3_AL_FATAL,
SSL_AD_NO_RENEGOTIATION);
return -1;
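Review bot: this is the DTLS twin of the ssl_pkt.c hunk and has the same limitation: it only runs when the server reads a legacy ClientHello, so client-initiated renegotiation is all it blocks. Whatever name is settled on, its meaning should be stated once in ssl.h and SSL_CTX_set_options.3 rather than left implicit in two identical checks.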
Index: lib/libtls/tls_server.c
===
RCS file: /cvs/src/lib/libtls/tls_server.c,v
retrieving revision 1.48
diff -u -p -u -p -r1.48 tls_server.c
--- lib/libtls/tls_server.c 19 Jan 2022 11:10:55 -  1.48
+++ lib/libtls/tls_server.c 5 Feb 2023 22:49:16 -
@@ -231,7 +231,7 @@ tls_configure_server_ssl(struct tls *ctx
goto err;
}
 
-   SSL_CTX_set_options(*ssl_ctx, SSL_OP_NO_CLIENT_RENEGOTIATION);
+   SSL_CTX_set_options(*ssl_ctx, SSL_OP_NO_RENEGOTIATION);
 
if (SSL_CTX_set_tlsext_servername_callback(*ssl_ctx,
tls_servername_cb) != 1) {
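Review bot: libtls sets this option unconditionally for every server context, so libtls behaviour is unchanged by the rename; the gap is documentation. lib/libssl/man/SSL_CTX_set_options.3 is not touched in this series (and the grep at the top of the thread finds no manual page for the old name either), so the renamed option stays undocumented. Add an entry that states exactly which direction of renegotiation it refuses.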



Re: Calculating VMs/CPU

2023-02-05 Thread Mike Larkin
On Sun, Feb 05, 2023 at 10:12:39PM +, Mike Larkin wrote:
> On Sun, Feb 05, 2023 at 03:53:34PM -0500, Nick Holland wrote:
> > On 2/4/23 17:31, latin...@vcn.bc.ca wrote:
> > > Hello misc
> > > 
> > > i am building an only VMD server:
> > > 
> > > How could calculate the relation: CPU, Ram, Storage, VMs please?
> > > 
> > > Thanks.
> > > PD:
> > > I have a Lenovo ThinkPad Edge 4 i3 cores, 500GB disk. 8GB Ram.
> > > 
> > 
> > This is kinda virtualization 101 stuff, not really specific to OpenBSD.
> > 
> > RAM: assume more than 1:1.  The VM will require certain overhead, as will
> > the base OS.  So, if you want 2G VMs, you won't be getting four of them
> > on your 8G machine.  You might get three.  (some VM systems support
> > "thin provisioning" of RAM.  This is really a great way to hurt yourself
> > unless you really know what you -- and all your guest OSs -- are doing.
> > And you are still really likely to hurt yourself).
> 
> All vmm memory is wired, so do not overcommit memory with vmm/vmd.
> 
> > 
> > Disk: Assume 1:1.  Even if your VM system supports thin provisioning
> > (OpenBSD doesn't appear to), don't.  Assume you will use 100% of the
> 
> Both supported formats (qcow2 and raw) are thin. But your advice is
> sound; assume you will eventually use 100% of what you provision.

Here's what I meant by that:

$ /export/VMs> vmctl create -s 100g big.raw
vmctl: raw imagefile created
$ /export/VMs> du -h big.raw
192K    big.raw
$ /export/VMs> ls -la big.raw
-rw---  1 mlarkin  wheel  107374182400 Feb  5 14:20 big.raw

Same holds true for qcow2.

-ml

> 
> > disk you provision for a VM. Because you will.  Thin provisioning VMs
> > is generally a bad idea.
> > 
> > CPU: Test, don't speculate.  This is where you can get some benefit from
> > resource sharing.  You can also end up fooling yourself into thinking
> > that 10 VMs that are usually 90% idle can share one CPU, because that
> > 10% busy time?  They are all working on the same task.
> > 
> > 
> > In your case of a 4xi3 8g/500g, I suspect your machine will run out of
> > RAM, CPU and then disk, in that order, though if you work at it, you
> > can run out in any order you wish. :)
> > 
> > But it is all how you define your VMs and what you do with it.  Your
> > host i3 could be maxed out with a web browser, so the VMs you run are
> > going to have to be minimal and your expectations modest.
> > 
> > Nick.
> > 
> 
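The du/ls pair above shows the two numbers that matter when sizing a host for thin images: what each guest has been promised (apparent size) and what the host has actually handed out (allocated blocks). The following is an added example, not code from this thread or from vmd/vmctl: it sums both numbers over a set of image files and checks whether the host could absorb every guest filling its disk, which is Mike's "assume you will eventually use 100%" rule made checkable. The helper make_sparse_image is a constructed stand-in for vmctl create -s; the other function names are the example's own.

```python
"""Provisioned vs allocated bytes for VM disk images (added example)."""
import os
import shutil
import tempfile


def image_usage(paths):
    """Return (provisioned_bytes, allocated_bytes) summed over the image files.

    provisioned: st_size, what ls -l prints and what the guest believes it owns.
    allocated:   st_blocks * 512, what du prints; st_blocks is always counted
                 in 512-byte units whatever the filesystem block size is.
    """
    provisioned = allocated = 0
    for path in paths:
        st = os.stat(path)
        provisioned += st.st_size
        allocated += st.st_blocks * 512
    return provisioned, allocated


def outstanding_commitment(paths):
    """Bytes the guests may still claim: promised minus already allocated."""
    provisioned, allocated = image_usage(paths)
    return provisioned - allocated


def host_can_absorb(paths, host_free_bytes):
    """True if the host survives every guest filling its disk today."""
    return outstanding_commitment(paths) <= host_free_bytes


def make_sparse_image(name, size_bytes, directory=None):
    """Constructed stand-in for 'vmctl create -s N name': a sparse raw file."""
    path = os.path.join(directory or tempfile.gettempdir(), name)
    with open(path, "wb") as f:
        f.truncate(size_bytes)  # no blocks allocated until data is written
    return path


def remove_image(path):
    """Delete an image created by make_sparse_image."""
    os.remove(path)


if __name__ == "__main__":
    import sys
    images = sys.argv[1:]
    scratch = None
    if not images:
        scratch = make_sparse_image("big.raw", 10 * 1024**3)  # 10 GiB, constructed
        images = [scratch]
    prov, alloc = image_usage(images)
    free = shutil.disk_usage(os.path.dirname(os.path.abspath(images[0]))).free
    print(f"provisioned {prov} B, allocated {alloc} B, host free {free} B")
    print("ok" if host_can_absorb(images, free) else "overcommitted")
    if scratch:
        remove_image(scratch)
```

Pass the paths of real images (vmctl raw or qcow2 files) as arguments; both formats are thin, so the same arithmetic applies to either.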



Re: Calculating VMs/CPU

2023-02-05 Thread Mike Larkin
On Sun, Feb 05, 2023 at 03:53:34PM -0500, Nick Holland wrote:
> On 2/4/23 17:31, latin...@vcn.bc.ca wrote:
> > Hello misc
> > 
> > i am building an only VMD server:
> > 
> > How could calculate the relation: CPU, Ram, Storage, VMs please?
> > 
> > Thanks.
> > PD:
> > I have a Lenovo ThinkPad Edge 4 i3 cores, 500GB disk. 8GB Ram.
> > 
> 
> This is kinda virtualization 101 stuff, not really specific to OpenBSD.
> 
> RAM: assume more than 1:1.  The VM will require certain overhead, as will
> the base OS.  So, if you want 2G VMs, you won't be getting four of them
> on your 8G machine.  You might get three.  (some VM systems support
> "thin provisioning" of RAM.  This is really a great way to hurt yourself
> unless you really know what you -- and all your guest OSs -- are doing.
> And you are still really likely to hurt yourself).

All vmm memory is wired, so do not overcommit memory with vmm/vmd.

> 
> Disk: Assume 1:1.  Even if your VM system supports thin provisioning
> (OpenBSD doesn't appear to), don't.  Assume you will use 100% of the

Both supported formats (qcow2 and raw) are thin. But your advice is
sound; assume you will eventually use 100% of what you provision.

> disk you provision for a VM. Because you will.  Thin provisioning VMs
> is generally a bad idea.
> 
> CPU: Test, don't speculate.  This is where you can get some benefit from
> resource sharing.  You can also end up fooling yourself into thinking
> that 10 VMs that are usually 90% idle can share one CPU, because that
> 10% busy time?  They are all working on the same task.
> 
> 
> In your case of a 4xi3 8g/500g, I suspect your machine will run out of
> RAM, CPU and then disk, in that order, though if you work at it, you
> can run out in any order you wish. :)
> 
> But it is all how you define your VMs and what you do with it.  Your
> host i3 could be maxed out with a web browser, so the VMs you run are
> going to have to be minimal and your expectations modest.
> 
> Nick.
> 



Re: Calculating VMs/CPU

2023-02-05 Thread Nick Holland

On 2/4/23 17:31, latin...@vcn.bc.ca wrote:

Hello misc

i am building an only VMD server:

How could calculate the relation: CPU, Ram, Storage, VMs please?

Thanks.
PD:
I have a Lenovo ThinkPad Edge 4 i3 cores, 500GB disk. 8GB Ram.



This is kinda virtualization 101 stuff, not really specific to OpenBSD.

RAM: assume more than 1:1.  The VM will require certain overhead, as will
the base OS.  So, if you want 2G VMs, you won't be getting four of them
on your 8G machine.  You might get three.  (some VM systems support
"thin provisioning" of RAM.  This is really a great way to hurt yourself
unless you really know what you -- and all your guest OSs -- are doing.
And you are still really likely to hurt yourself).

Disk: Assume 1:1.  Even if your VM system supports thin provisioning
(OpenBSD doesn't appear to), don't.  Assume you will use 100% of the
disk you provision for a VM. Because you will.  Thin provisioning VMs
is generally a bad idea.

CPU: Test, don't speculate.  This is where you can get some benefit from
resource sharing.  You can also end up fooling yourself into thinking
that 10 VMs that are usually 90% idle can share one CPU, because that
10% busy time?  They are all working on the same task.


In your case of a 4xi3 8g/500g, I suspect your machine will run out of
RAM, CPU and then disk, in that order, though if you work at it, you
can run out in any order you wish. :)

But it is all how you define your VMs and what you do with it.  Your
host i3 could be maxed out with a web browser, so the VMs you run are
going to have to be minimal and your expectations modest.

Nick.



Re: LAN slow speed transfer

2023-02-05 Thread Crystal Kolipe
On Sat, Feb 04, 2023 at 04:40:42PM +1100, Darren Tucker wrote:
> On Fri, 3 Feb 2023 at 22:40, Crystal Kolipe wrote:
> > On Fri, Feb 03, 2023 at 10:33:16PM +1100, Darren Tucker wrote:
> > > Fast ethernet (100base-T) uses pins 1, 2, 3 & 6
> [...]
> > But the output from ifconfig does suggest that the link was running with
> > 1000baseT modulation:
> >
> > > media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
> 
> Good point!  Dunno then.

Although thinking more about this, given that we've eliminated the TCP window
scaling issue now that we know that pf.conf hasn't been changed from the default,
I'm wondering if the link was only running at 1000baseT when no data was being
transferred, i.e. when the line was at rest, but when there was data being
transferred it was dropping to 100baseT.



Re: How to announce over OSPF only one IP address

2023-02-05 Thread Diederik Schouten
Hello,

I’d check the databases on both sides.
And flush/reload the config and fibs.
Then check again which link state advertisements are in the database.
To make sure you now get the /32 advertised.

Sent from my iPhone

> On 5 Feb 2023, at 21:15, Radek  wrote:
> 
> Hello Diederik, hello Tom,
> this is a simple lab/testing configuration, that's why there is no "passive"
> and other...
> The purpose of this configuration is to allow access to a certain IP address
> and restrict access to the rest of the subnet.
> I can use PF to block/pass what I need... but I'm trying to make sure I can
> do it by announcing "not more than needed" over OSPF.
> 
> "redistribute 10.1.111.11/32" seems to be what I need, but probably I missed
> something, because this option doesn't work for me as expected.
> 
> $ cat /etc/ospfd.conf
> router-id 10.109.3.15
> redistribute 10.1.111.11/32
> 
> area 0.0.0.0 {
>interface vr0
>interface vr3
> }
> 
> Then, I can still see/ping other IPs in 10.1.111.0/24 from the far end 
> network.
> 
> On the far router I can see the whole subnet instead of something like
> " *O   32 10.1.111.11/24   10.109.3.15".
> 
> $ ospfctl show fib
> flags: * = valid, O = OSPF, C = Connected, S = Static
> Flags  Prio Destination      Nexthop
> *S        8 0.0.0.0/0        10.109.3.254
> *O       32 10.1.111.0/24    10.109.3.15
> 
> Any clues?
> 
>> On Sat, 4 Feb 2023 23:16:57 +
>> Tom Smyth  wrote:
>> 
>> Hi Radek,
>> 
>> it is better practice to add ospf network statements to ospfd.conf
>> (if you don't want to send / receive ospf messages on an interface set the
>> interface to passive in ospfd.conf)
>> avoid redistribute connected
>> (add the network you want to be added to your ospf network) and leave the
>> other network omitted from your ospfd.conf
>> 
>> 
>> I hope this helps,
>> 
>> 
>>> On Sat, 4 Feb 2023 at 20:02, Radek  wrote:
>>> 
>>> Hello,
>>> is it possible to announce over OSPF only one (or a few specific) IP
>>> address instead of the whole subnet?
>>> If yes.. an ospfd.conf example would be appreciated.
>>> 
>>> $ cat /etc/hostname.vr3
>>> inet 10.1.111.1 255.255.255.0
>>> 
>>> $ cat /etc/ospfd.conf
>>> router-id 10.109.3.15
>>> redistribute connected
>>> 
>>> area 0.0.0.0 {
>>>interface vr0
>>>interface vr3
>>> }
>>> 
>>> Thanks,
>>> Radek
>>> 
>>> 
>> 
>> -- 
>> Kindest regards,
>> Tom Smyth.
> 
> 
> Radek
> 



Re: LAN slow speed transfer

2023-02-05 Thread vitmau...@gmail.com
Hi,

I don't think my pf.conf will reveal the root of the problem because I
never changed it, but maybe I'm wrong. Anyway, here it is:
# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

set skip on lo

block return # block stateless traffic
pass # establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild

Best,
Vitor

On Sat, 4 Feb 2023 at 10:57, vitmau...@gmail.com wrote:
>
> Hi,
>
> there are two things that still bother me. First, how the Windows
> machine was able to reach something around 30 MBytes/s of download
> rate with the faulty cable. It reached this speed through Ookla's
> Speedtest, though; maybe that is relevant information (don't really
> know how those tests work). Second, I cannot get more than 35 MBytes/s
> even on LAN transfer if the machines are linked through my ISP's
> router, even though it's advertised as a full gigabit router. I get
> something around 95 MBytes/s using my switch, though, so I think it's
> safe to say the router is somehow capped.
>
> Here are those outputs you guys requested. Those state mismatches on
> pfctl caught my attention, but I'm not sure about what they mean
> exactly. Thank you for the help.
>
> dmesg:
> OpenBSD 7.2 (GENERIC.MP) #6: Sat Jan 21 01:03:04 MST 2023
> 
> r...@syspatch-72-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 6254428160 (5964MB)
> avail mem = 6047465472 (5767MB)
> random: good seed from bootblocks
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xf0100 (40 entries)
> bios0: vendor Itautec ST 4262, LTD 6.00 PG version "FC" date 08/21/2009
> bios0: Itautec S.A. Infoway
> acpi0 at bios0: ACPI 1.0
> acpi0: sleep states S0 S3 S4 S5
> acpi0: tables DSDT FACP ASF! HPET MCFG APIC SSDT
> acpi0: wakeup devices PCI0(S5) PEX0(S5) PEX1(S5) PEX2(S5) PEX3(S5)
> PEX4(S5) PEX5(S5) HUB0(S5) UAR1(S3) UAR2(S3) IGBE(S4) USB0(S3)
> USB1(S3) USB2(S3) USB3(S3) USB4(S3) [...]
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpihpet0 at acpi0: 14318179 Hz
> acpimcfg0 at acpi0
> acpimcfg0: addr 0xd000, bus 0-255
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz, 2826.29 MHz, 06-17-0a
> cpu0: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE,NXE,LONG,LAHF,PERF,SENSOR,MELTDOWN
> cpu0: 32KB 64b/line 8-way D-cache, 32KB 64b/line 8-way I-cache, 6MB
> 64b/line 24-way L2 cache
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
> cpu0: apic clock running at 332MHz
> cpu0: mwait min=64, max=64, C-substates=0.2.2.2.2, IBE
> cpu1 at mainbus0: apid 1 (application processor)
> cpu1: Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz, 2826.26 MHz, 06-17-0a
> cpu1: 
> FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,XSAVE,NXE,LONG,LAHF,PERF,SENSOR,MELTDOWN
> cpu1: 32KB 64b/line 8-way D-cache, 32KB 64b/line 8-way I-cache, 6MB
> 64b/line 24-way L2 cache
> cpu1: smt 0, core 1, package 0
> ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins, remapped
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpiprt1 at acpi0: bus 1 (PEX0)
> acpiprt2 at acpi0: bus -1 (PEX1)
> acpiprt3 at acpi0: bus -1 (PEX2)
> acpiprt4 at acpi0: bus -1 (PEX3)
> acpiprt5 at acpi0: bus -1 (PEX4)
> acpiprt6 at acpi0: bus -1 (PEX5)
> acpiprt7 at acpi0: bus 2 (HUB0)
> acpibtn0 at acpi0: PWRB
> acpipci0 at acpi0 PCI0
> acpicmos0 at acpi0
> com0 at acpi0 UAR1 addr 0x3f8/0x8 irq 4: ns16550a, 16 byte fifo
> com1 at acpi0 UAR2 addr 0x2f8/0x8 irq 3: ns16550a, 16 byte fifo
> acpicpu0 at acpi0: C1(@1 halt!), FVS, 2667, 2000 MHz
> acpicpu1 at acpi0: C1(@1 halt!), FVS, 2667, 2000 MHz
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 "Intel Q45 Host" rev 0x03
> inteldrm0 at pci0 dev 2 function 0 "Intel Q45 Video" rev 0x03
> drm0 at inteldrm0
> intagp0 at inteldrm0
> agp0 at intagp0: aperture at 0xe000, size 0x1000
> inteldrm0: apic 2 int 16, G45, gen 4
> "Intel Q45 Video" rev 0x03 at pci0 dev 2 function 1 not configured
> "Intel Q45 HECI" rev 0x03 at pci0 dev 3 function 0 not configured
> pciide0 at pci0 dev 3 function 2 "Intel Q45 PT IDER" rev 0x03: DMA
> (unsupported), channel 0 wired to native-PCI, channel 1 wired to
> native-PCI
> pciide0: using apic 2 int 18 for native-PCI interrupt
> pciide0: channel 0 ignored (not responding; disabled or no drives?)
> pciide0: channel 1 ignored (not responding; disabled or no drives?)
> puc0 at pci0 dev 3 function 3 "Intel Q45 KT" rev 0x03: 

Re: How to announce over OSPF only one IP address

2023-02-05 Thread Radek
Hello Diederik, hello Tom,
this is a simple lab/testing configuration, that's why there is no "passive"
and other...
The purpose of this configuration is to allow access to a certain IP address
and restrict access to the rest of the subnet.
I can use PF to block/pass what I need... but I'm trying to make sure I can
do it by announcing "not more than needed" over OSPF.

"redistribute 10.1.111.11/32" seems to be what I need, but probably I missed
something, because this option doesn't work for me as expected.

$ cat /etc/ospfd.conf
router-id 10.109.3.15
redistribute 10.1.111.11/32

area 0.0.0.0 {
interface vr0
interface vr3
}

Then, I can still see/ping other IPs in 10.1.111.0/24 from the far end network.

On the far router I can see the whole subnet instead of something like
" *O   32 10.1.111.11/24   10.109.3.15".

$ ospfctl show fib
flags: * = valid, O = OSPF, C = Connected, S = Static
Flags  Prio Destination      Nexthop
*S        8 0.0.0.0/0        10.109.3.254
*O       32 10.1.111.0/24    10.109.3.15

Any clues?

On Sat, 4 Feb 2023 23:16:57 +
Tom Smyth  wrote:

> Hi Radek,
> 
> it is better practice to add ospf network statements to ospfd.conf
> (if you don't want to send / receive ospf messages on an interface set the
> interface to passive in ospfd.conf)
> avoid redistribute connected
> (add the network you want to be added to your ospf network) and leave the
> other network omitted from your ospfd.conf
> 
> 
> I hope this helps,
> 
> 
> On Sat, 4 Feb 2023 at 20:02, Radek  wrote:
> 
> > Hello,
> > is it possible to announce over OSPF only one (or a few specific) IP
> > address instead of the whole subnet?
> > If yes.. an ospfd.conf example would be appreciated.
> >
> > $ cat /etc/hostname.vr3
> > inet 10.1.111.1 255.255.255.0
> >
> > $ cat /etc/ospfd.conf
> > router-id 10.109.3.15
> > redistribute connected
> >
> > area 0.0.0.0 {
> > interface vr0
> > interface vr3
> > }
> >
> > Thanks,
> > Radek
> >
> >
> 
> -- 
> Kindest regards,
> Tom Smyth.


Radek



Re: Calculating VMs/CPU

2023-02-05 Thread latincom
> On Sat, Feb 04, 2023 at 10:02:13PM -0800, latin...@vcn.bc.ca wrote:
>> > On Sat, Feb 04, 2023 at 02:31:39PM -0800, latin...@vcn.bc.ca wrote:
>> >> Hello misc
>> >>
>> >> i am building an only VMD server:
>> >>
>> >> How could calculate the relation: CPU, Ram, Storage, VMs please?
>> >>
>> >> Thanks.
>> >> PD:
>> >> I have a Lenovo ThinkPad Edge 4 i3 cores, 500GB disk. 8GB Ram.
>> >>
>> >
>> > what are you planning on running?
>> >
>>
>> Thanks for your attention:
>>
>> For now, only OpenBSD with connection to the world' the 3rd option i
>> think.
>>
>> In the future:
>> BSD and Linux!
>>
>> How can I get the related information please? I have installed OpenBSD
>> 7.2
>> and it is a testing laptop. It is going to be reproduced on a rented bare
>> metal server.
>>
>>
>>
>>
>
> I can't answer your question without knowing what you plan to run in the
> VMs.
>
> Just don't overcommit RAM.
>
> -ml
>

I am sorry, but I am unable to comprehend your question:

I have OpenBSD 7.2; using that system, I am going to use vmd, creating
as many VMs as possible, but I have had a bad experience: with 64 GB of
RAM and 15 VMs, the system seems exhausted!

That is why I would like to know how to calculate how many VMs I could run
on my laptop without a problem.

Thanks.




Re: Q: Error: mount_mfs: mmap: Cannot allocate memory

2023-02-05 Thread Crystal Kolipe
On Sun, Feb 05, 2023 at 06:05:22PM +0100, Why 42? The lists account. wrote:
> mount_mfs: mmap: Cannot allocate memory

...

> The fstab file contains this mount entry for tmp:
> swap /tmp mfs rw,nodev,nosuid,-s=16777216 0 0

This is 8 Gb, which exceeds the default value for datasize for the daemon
class in /etc/login.conf.

Have you changed /etc/login.conf from the default?

> Did MFS filesystems go away, or have I screwed something up?

You've screwed something up :).
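The size check Crystal applies by hand above (an mfs of 16777216 sectors is 8 GiB, more than the daemon class's datasize allows, so the single mmap backing the filesystem fails) is the kind of thing worth scripting before a reboot. The following is an added example, not code from this thread or from OpenBSD: it reads the -s option of mfs entries in fstab lines, converts it to bytes, and compares it to a data-segment limit. It assumes a bare -s value counts 512-byte sectors, as the fstab line in the thread does, and treats a trailing b/k/m/g/t as a byte multiplier in the newfs(8) style (an assumption of the example); when run as a program it uses the calling process's own RLIMIT_DATA soft limit, which on OpenBSD is the datasize of the login class it runs under. The function names are the example's own.

```python
"""Does an mfs fstab entry fit under the datasize limit? (added example)"""
import resource

SECTOR_BYTES = 512                       # bare -s values count sectors
UNLIMITED = resource.RLIM_INFINITY
_MULTIPLIER = {"b": 1, "k": 1024, "m": 1024**2, "g": 1024**3, "t": 1024**4}


def parse_mfs_size(spec):
    """Bytes for a mount_mfs -s argument: sectors, or bytes with a b/k/m/g/t
    suffix (suffix handling assumed to follow newfs(8))."""
    spec = spec.strip().lower()
    if spec[-1:] in _MULTIPLIER:
        return int(spec[:-1]) * _MULTIPLIER[spec[-1]]
    return int(spec) * SECTOR_BYTES


def mfs_size_from_fstab(line):
    """Bytes requested by an mfs fstab line with a -s= option, else None."""
    fields = line.split()
    if len(fields) < 4 or fields[2] != "mfs":
        return None
    for opt in fields[3].split(","):
        if opt.startswith("-s="):
            return parse_mfs_size(opt[len("-s="):])
    return None


def fits_datasize(size_bytes, limit_bytes):
    """True if one mmap of size_bytes can succeed under the data-segment limit."""
    return limit_bytes == UNLIMITED or size_bytes <= limit_bytes


def check_fstab(lines, limit_bytes):
    """Return [(line, size_bytes, fits)] for every mfs entry with a -s= option;
    comments, blank lines and non-mfs entries are skipped."""
    results = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        size = mfs_size_from_fstab(line)
        if size is None:
            continue
        results.append((line, size, fits_datasize(size, limit_bytes)))
    return results


if __name__ == "__main__":
    soft, _hard = resource.getrlimit(resource.RLIMIT_DATA)
    try:
        with open("/etc/fstab") as f:
            lines = f.readlines()
    except OSError:
        # constructed sample, the entry from the thread
        lines = ["swap /tmp mfs rw,nodev,nosuid,-s=16777216 0 0"]
    limit = "unlimited" if soft == UNLIMITED else f"{soft} B"
    print(f"datasize soft limit: {limit}")
    for line, size, ok in check_fstab(lines, soft):
        print(f"{'ok ' if ok else 'TOO BIG'} {size} B  {line}")
```

Run it as the user and login class that will perform the mount (for rc(8) mounts that is root in the daemon class) so that the reported limit is the one mount_mfs will actually hit.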



XFCE screensaver strangeness ...

2023-02-05 Thread Why 42? The lists account.


Hi All,

Recently I have noticed some XFCE screensaving weirdness e.g.

The XFCE desktop seems to ignore my preference for xscreensaver, but
rather always starts the xfce4-screensaver instead.

Currently I think I have disabled both in my settings and yet the xfce
saver is still getting started e.g.

mjoelnir:pkg-readmes 5.02 18:11:40 % find ~/.config/xfce4 -type f -exec grep -H saver {} \;
...
/home/robb/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml:

/home/robb/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-screensaver.xml:
/home/robb/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-screensaver.xml:  

/home/robb/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-screensaver.xml:  
  
/home/robb/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-screensaver.xml:

...

mjoelnir:pkg-readmes 5.02 18:17:31 % xfce4-screensaver-command -q
The screensaver is inactive
The screensaver is not inhibited

mjoelnir:pkg-readmes 5.02 18:20:44 % pstree -ws saver
-+= 1 root /sbin/init
 \--- 87710 robb /usr/local/bin/xfce4-screensaver

Has anyone else noticed anything like this?

I can kill it and start the desired xscreensaver, but that seems to have
some problems of its own e.g.

I see some strange screen colourmap lookup issues when displaying
images. The last time I saw something similar was on Sun hardware
that could only display, for example, 256 colours at one time ...

Sometimes the login dialog box seems not to be displayed. I think it
is still "there", a few times I have been able to login "blind", by
simply typing my password ...

This is all running a recent snapshot on an Intel NUC 8i5 system e.g. in
dmesg I see:
inteldrm0 at pci0 dev 2 function 0 "Intel Iris Plus 655" rev 0x01
drm0 at inteldrm0
inteldrm0: msi, COFFEELAKE, gen 9

Are questions regarding XFCE better suited to the misc list, or ports?

Cheers,
Robb.



Q: Error: mount_mfs: mmap: Cannot allocate memory

2023-02-05 Thread Why 42? The lists account.


Hi All,

After an update to a recent snapshot on my desktop system, I noticed
these mount_mfs messages at boot time:

/dev/sd0h (7a1775fef773535e.h): file system is clean; not checking
/dev/sd1j (281ef747da03afe7.j): file system is clean; not checking
/dev/sd1k (281ef747da03afe7.k): file system is clean; not checking
/dev/sd1l (281ef747da03afe7.l): file system is clean; not checking
/dev/sd2c (67c92dad63883338.c): file system is clean; not checking
mount_mfs: mmap: Cannot allocate memory
kbd: keyboard mapping set to de.nodead
keyboard.encoding -> de.nodead
pf enabled
kern.maxproc: 1310 -> 4000
kern.maxthread: 2620 -> 8000
kern.maxfiles: 7030 -> 16000
ddb.panic: 1 -> 0
kern.allowdt: 0 -> 1
starting network
reordering: ld.so libc libcrypto sshd.
starting early daemons: syslogd pflogd ntpd.
starting RPC daemons: portmap mountd nfsd lockd statd.
mount_mfs: mmap: Cannot allocate memory
savecore: no core dump
checking quotas: done.
clearing /tmp
kern.securelevel: 0 -> 1
creating runtime link editor directory cache.
preserving editor files.
running rc.sysmerge
starting network daemons: sshd sndiod.
running rc.firsttime
fw_update: added none; updated none; kept intel,inteldrm,vmm
starting package daemons: messagebus postfix smartd pcscd avahi_daemon.
starting local daemons: sensorsd cron xenodm.

The fstab file contains this mount entry for tmp:
swap /tmp mfs rw,nodev,nosuid,-s=16777216 0 0

I don't know when this first occurred. I first noticed it when I was
investigating why chrome had started to log "filesystem full" messages:
e.g. "/: write failed, file system is full.".

Since the mfs mount of /tmp failed, it's now using the root fs as /tmp
space, which doesn't have much free space.

I'm currently running: OpenBSD mjoelnir.fritz.box 7.2 GENERIC.MP#1012 amd64

Did MFS filesystems go away, or have I screwed something up?

Cheers,
Robb.



Re: LAN slow speed transfer

2023-02-05 Thread Stuart Henderson
On 2023-02-04, vitmau...@gmail.com  wrote:
> Here are those outputs you guys requested. Those state mismatches on
> pfctl caught my attention, but I'm not sure about what they mean
> exactly. Thank you for the help.

It might help to show pf.conf then.

If you're allowing it to create state on intermediate packets (usually
by accidentally having packets passed by the implicit "pass flags any no
state" rule which applies if there's no other matching rule), you can
run into problems with TCP window scaling which might give the results
you're seeing.

The other bits you posted don't suggest any problems on the physical side.




Re: Unable to permanently mute OpenBSD keyboard

2023-02-05 Thread Cristian Danila
Many many thanks!
It seems the solution is a combination of two commands, and it only
works if added in rc.local (so no wsconsctl.conf)

wsconsctl -f /dev/wskbd1 keyboard.bell.volume.default=0
wsconsctl -f /dev/wskbd1 keyboard.bell.volume=0

Thank you.

On Sun, Feb 5, 2023 at 2:07 PM Crystal Kolipe
 wrote:
>
> On Sun, Feb 05, 2023 at 01:59:34PM +0200, Cristian Danila wrote:
> > After many tries and attempts, I was not able to find a way to permanently
> > disable the OpenBSD keyboard "beep". Reading in different books about this:
> >
> > adding keyboard.bell.volume=0 into /etc/wsconsctl.conf
> > adding wsconsctl -f /dev/wskbd1 keyboard.bell.volume=0 into /etc/rc.local
> >
> > Nothing really works permanently.
> >
> > I do use a KVM to control multiple machines and it seems these settings are
> > persistent only till I switch to another machine and when I come back,
> > beep is also back again. As far as I see, when the keyboard/mouse are
> > reconnected (due to KVM switch), the beep is back.
> >
> > Any idea if it is possible to mute it once forever?
>
> I'm not in front of a machine that I can test this on, but you could try:
>
> keyboard.bell.volume.default=0



Re: Unable to permanently mute OpenBSD keyboard

2023-02-05 Thread Crystal Kolipe
On Sun, Feb 05, 2023 at 01:59:34PM +0200, Cristian Danila wrote:
> After many tries and attempts, I was not able to find a way to permanently
> disable the OpenBSD keyboard "beep". Reading in different books about this:
> 
> adding keyboard.bell.volume=0 into /etc/wsconsctl.conf
> adding wsconsctl -f /dev/wskbd1 keyboard.bell.volume=0 into /etc/rc.local
> 
> Nothing really works permanently.
> 
> I do use a KVM to control multiple machines and it seems these settings are
> persistent only till I switch to another machine and when I come back,
> beep is also back again. As far as I see, when the keyboard/mouse are reconnected
> (due to KVM switch), the beep is back.
> 
> Any idea if it is possible to mute it once forever?

I'm not in front of a machine that I can test this on, but you could try:

keyboard.bell.volume.default=0



Unable to permanently mute OpenBSD keyboard

2023-02-05 Thread Cristian Danila
Hello,

After many tries and attempts, I was not able to find a way to permanently
disable the OpenBSD keyboard "beep". Reading in different books about this:

adding keyboard.bell.volume=0 into /etc/wsconsctl.conf
adding wsconsctl -f /dev/wskbd1 keyboard.bell.volume=0 into /etc/rc.local

Nothing really works permanently.

I do use a KVM to control multiple machines and it seems these settings are
persistent only till I switch to another machine and when I come back,
beep is also back again. As far as I see, when the keyboard/mouse are reconnected
(due to KVM switch), the beep is back.

Any idea if it is possible to mute it once forever?

Thank you.