REALTEK 8822CE internal WIFI
Dear all, I'm just a hobbyist, not a pro. The HP Stream 11 is what I need for my purpose, apart from the internal WLAN not working: REALTEK 8822CE... I found out that the FreeBSD folks have a driver for REALTEK's devices, see below, rtw88 as of FreeBSD 13.2, rtw89 nowadays. Now may I ask you: Is it possible to use that driver for my OpenBSD 7.4 install? Is there a chance to see support for REALTEK's 88xx series in a future OpenBSD version?

Thank you so much for your advice,
yours, Bernd

dmesg:
"REALTEK 8822CE" rev 0X00 at pci1 dev 0 function 0 not configured

From FreeBSD 13.2:
path: root/sys/modules/rtw88/Makefile
blob: 67564332fa7ac42b472fbf1e708742656288828f

DEVRTW88DIR=${SRCTOP}/sys/contrib/dev/rtw88
.PATH: ${DEVRTW88DIR}

WITH_CONFIG_PM= 0

KMOD= if_rtw88

SRCS= main.c
SRCS+= bf.c coex.c debug.c efuse.c fw.c mac.c mac80211.c
SRCS+= pci.c phy.c ps.c regd.c
SRCS+= rtw8723d.c rtw8723d_table.c rtw8723de.c # 11n
SRCS+= rtw8821c.c rtw8821c_table.c rtw8821ce.c # 11ac
SRCS+= rtw8822b.c rtw8822b_table.c rtw8822be.c # 11ac
SRCS+= rtw8822c.c rtw8822c_table.c rtw8822ce.c # 11ac
SRCS+= rx.c sar.c sec.c tx.c util.c

.if defined(WITH_CONFIG_PM) && ${WITH_CONFIG_PM} > 0
SRCS+= wow.c
CFLAGS+=-DCONFIG_PM=${WITH_CONFIG_PM}
.endif

# Other
SRCS+= ${LINUXKPI_GENSRCS}
SRCS+= opt_wlan.h opt_inet6.h opt_inet.h

CFLAGS+=-DKBUILD_MODNAME='"rtw88"'
CFLAGS+=-I${DEVRTW88DIR}
CFLAGS+=${LINUXKPI_INCLUDES}
CFLAGS+=-DCONFIG_RTW88_DEBUG
#CFLAGS+= -DCONFIG_RTW88_DEBUGFS

.include
Re: isakmpd ignoring contents of /etc/ipsec.conf
On 2017-12-07 13:34, Jeremie Courreges-Anglas wrote:
> On Thu, Dec 07 2017, Bernd <be...@kroenchenstadt.de> wrote:
>> On 2017-12-06 18:26, Jeremie Courreges-Anglas wrote:
>>> On Wed, Dec 06 2017, Bernd <be...@kroenchenstadt.de> wrote:
>>>> [...]
>>>> As a result, the IPSec tunnel can not be established. What did I
>>>> overlook here?
>>>
>>> Looks like ipsec.conf(5) was not loaded, see the manpage, paragraph 4
>>> of DESCRIPTION.
>>
>> Hi,
>>
>> ipsec=YES is set in rc.conf.local:
>>
>> # cat /etc/rc.conf.local
>> isakmpd_flags="-K"
>> ipsec=YES # IPsec
>
> OK, then let's go back to your config: did you test it for validity?
>
> ritchie ~$ cat /tmp/ipsec.conf
> ike esp from any to any peer 192.0.2.1/27 \
>         main auth hmac-sha2-256 enc aes-256 group modp2048 \
>         psk "myverygoodsecretPSK"
> ritchie ~$ ipsecctl -nvf /tmp/ipsec.conf
> /tmp/ipsec.conf: 1: syntax error
> ipsecctl: Syntax error in config file: ipsec rules not loaded
> ritchie ~$
>
> Drop the /27 and ipsecctl(8) is happy.
>
> It seems weird to specify a netmask as a "peer", maybe you should
> reconsider what you're using "peer" for.

Yes, thanks, it was indeed the netmask. Tunnel was up and running.

However, in the meanwhile our customer forced us – "due to legal reasons" – to use Cisco equipment.

Thanks
Bernd
Re: isakmpd ignoring contents of /etc/ipsec.conf
On 2017-12-06 18:26, Jeremie Courreges-Anglas wrote:
> On Wed, Dec 06 2017, Bernd <be...@kroenchenstadt.de> wrote:
>> Hi @misc,
>>
>> I'm trying to set up a site-to-site IPSec tunnel. I'm using vanilla OpenBSD 6.2 amd64 (dmesg below). My /etc/ipsec.conf looks like this:
>>
>> ike esp from any to any peer x.y.z.0/27 \
>>         main auth hmac-sha2-256 enc aes-256 group modp2048 \
>>         psk "myverygoodsecretPSK"
>>
>> (As can be seen, I want the settings to be applied to a /27 network, from where the tunnel initiation is sent out of. I also tried to use a fixed, single IP address, i.e. x.y.z.23, and tried to fire up IPSec from there – it also failed.)
>>
>> isakmpd is being started as described in ipsec.conf(5) et al: ``-K'' set as its flag(s) in /etc/rc.conf.local
>>
>> However, it seems to ignore the settings made in ipsec.conf (without complaining about them, though):
>>
>> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
>> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1536, expected MODP_1024
>> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
>> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
>> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
>> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
>> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
>> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
>> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
>> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_768, expected MODP_1024
>> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
>> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
>> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
>> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
>> Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
>> Dec 1 14:01:20 myhostname isakmpd[55480]: message_negotiate_sa: no compatible proposal found
>> Dec 1 14:01:20 myhostname isakmpd[55480]: dropped message from x.y.z.1 port 500 due to notification type NO_PROPOSAL_CHOSEN
>>
>> For example, ENCRYPTION_ALGORITHM is clearly not what was set in /etc/ipsec.conf, but rather a default. Same applies to GROUP_DESCRIPTION and HASH_ALGORITHM. As a result, the IPSec tunnel can not be established. What did I overlook here?
>
> Looks like ipsec.conf(5) was not loaded, see the manpage, paragraph 4 of DESCRIPTION.

Hi,

ipsec=YES is set in rc.conf.local:

# cat /etc/rc.conf.local
isakmpd_flags="-K"
ipsec=YES # IPsec

# sysctl -a | grep ipsec
net.inet.ip.ipsec-expire-acquire=30
net.inet.ip.ipsec-invalid-life=60
net.inet.ip.ipsec-pfs=1
net.inet.ip.ipsec-soft-allocs=0
net.inet.ip.ipsec-allocs=0
net.inet.ip.ipsec-soft-bytes=0
net.inet.ip.ipsec-bytes=0
net.inet.ip.ipsec-timeout=86400
net.inet.ip.ipsec-soft-timeout=8
net.inet.ip.ipsec-soft-firstuse=3600
net.inet.ip.ipsec-firstuse=7200
net.inet.ip.ipsec-enc-alg=aes
net.inet.ip.ipsec-auth-alg=hmac-sha1
net.inet.ip.ipsec-comp-alg=deflate

Best
Bernd
isakmpd ignoring contents of /etc/ipsec.conf
Hi @misc,

I'm trying to set up a site-to-site IPSec tunnel. I'm using vanilla OpenBSD 6.2 amd64 (dmesg below). My /etc/ipsec.conf looks like this:

ike esp from any to any peer x.y.z.0/27 \
        main auth hmac-sha2-256 enc aes-256 group modp2048 \
        psk "myverygoodsecretPSK"

(As can be seen, I want the settings to be applied to a /27 network, from where the tunnel initiation is sent out of. I also tried to use a fixed, single IP address, i.e. x.y.z.23, and tried to fire up IPSec from there – it also failed.)

isakmpd is being started as described in ipsec.conf(5) et al: ``-K'' set as its flag(s) in /etc/rc.conf.local

However, it seems to ignore the settings made in ipsec.conf (without complaining about them, though):

Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_1536, expected MODP_1024
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: AUTHENTICATION_METHOD: got PRE_SHARED, expected RSA_SIG
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: HASH_ALGORITHM: got MD5, expected SHA
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_768, expected MODP_1024
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: HASH_ALGORITHM: got SHA2_256, expected SHA
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: GROUP_DESCRIPTION: got MODP_2048, expected MODP_1024
Dec 1 14:01:20 myhostname isakmpd[55480]: attribute_unacceptable: ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC
Dec 1 14:01:20 myhostname isakmpd[55480]: message_negotiate_sa: no compatible proposal found
Dec 1 14:01:20 myhostname isakmpd[55480]: dropped message from x.y.z.1 port 500 due to notification type NO_PROPOSAL_CHOSEN

For example, ENCRYPTION_ALGORITHM is clearly not what was set in /etc/ipsec.conf, but rather a default. Same applies to GROUP_DESCRIPTION and HASH_ALGORITHM. As a result, the IPSec tunnel can not be established. What did I overlook here?

Thanks in advance for any hints.

Best
Bernd
Re: sasyncd fails to start on system boot
Applying the patch has solved the issue. Thx a lot!

- Original Message -
> From: "Otto Moerbeek" <o...@drijf.net>
> To: "Bornkessel, Bernd" <bernd.bornkes...@icp-companies.com>
> Cc: misc@openbsd.org
> Sent: Wednesday, March 30, 2016 7:58:48 AM
> Subject: Re: sasyncd fails to start on system boot
>
> On Wed, Mar 30, 2016 at 07:52:01AM +0200, Bornkessel, Bernd wrote:
>
>> Thank you for your response.
>> Currently I'm running 5.8-stable.
>
> The fix wasn't committed to -stable,
>
> In 5.8-stable you could apply the fix below,
>
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/sasyncd/carp.c.diff?r1=1.13=1.14=h
>
> But 5.9 would be better. It is out since yesterday
>
> -Otto
Re: sasyncd fails to start on system boot
Thank you for your response.
Currently I'm running 5.8-stable.

- Original Message -
> From: "Otto Moerbeek" <o...@drijf.net>
> To: "Bornkessel, Bernd" <bernd.bornkes...@icp-companies.com>
> Cc: misc@openbsd.org
> Sent: Wednesday, March 30, 2016 7:04:25 AM
> Subject: Re: sasyncd fails to start on system boot
>
> On Tue, Mar 29, 2016 at 11:47:17PM +0200, Bornkessel, Bernd wrote:
>
>> Hi,
>>
>> I've got the problem that sasyncd fails to start on system boot. On the
>> console screen I see:
>>
>> 'starting early daemons: syslogd pflogd ntpd isakmpd sasyncd(failed)'
>
> This sounds like a bug I fixed in 5.8. You are not telling which
> version you are running, but your best bet is to upgrade to 5.9.
>
> -Otto
Re: IKED/carp/sasyncd: Wrong source ip address/No IKEv2 response
Thank you for the response. Yes - I've also considered switching back to isakmpd, which has been working very well in the past.

- Original Message -
> From: "Stuart Henderson" <s...@spacehopper.org>
> To: misc@openbsd.org
> Sent: Tuesday, March 29, 2016 11:24:33 PM
> Subject: Re: IKED/carp/sasyncd: Wrong source ip address/No IKEv2 response
>
> On 2016-03-29, Bornkessel, Bernd <bernd.bornkes...@icp-companies.com> wrote:
>> Unfortunately, although the log states that it uses the virtual carp
>> ip as source ip address, the ip of the corresponding node dedicated
>> interface is being used instead.
>
> iked generates some packets before binding, so they have whatever
> source address is on the interface that holds the outgoing route to
> the destination.
>
> Fixing this will either need what looks like fairly major work on
> iked, or support for IP_SENDSRCADDR.
>
> This type of setup does work with isakmpd.
sasyncd fails to start on system boot
c5:e1:ab
brgphy1 at bnx1 phy 1: BCM5709 10/100/1000baseT PHY, rev. 8
carp: carp0 demoted group carp by 1 to 129 (carpdev)
carp: carp100 demoted group carp by 1 to 130 (carpdev)
carp: carp101 demoted group carp by 1 to 131 (carpdev)
carp: carp14 demoted group carp by 1 to 132 (carpdev)
carp: carp16 demoted group carp by 1 to 133 (carpdev)
carp: carp17 demoted group carp by 1 to 134 (carpdev)
carp: carp18 demoted group carp by 1 to 135 (carpdev)
carp: pfsync0 demoted group carp by 32 to 167 (pfsync init)
carp: pfsync0 demoted group pfsync by 32 to 32 (pfsync init)
carp: pfsync0 demoted group carp by 1 to 168 (pfsync bulk start)
carp: pfsync0 demoted group pfsync by 1 to 33 (pfsync bulk start)
carp: carp0 demoted group carp by -1 to 168 (carpdev)
carp: carp100 demoted group carp by -1 to 39 (carpdev)
carp: carp101 demoted group carp by -1 to 38 (carpdev)
carp: pfsync0 demoted group carp by -1 to 37 (pfsync bulk done)
carp: pfsync0 demoted group pfsync by -1 to 32 (pfsync bulk done)
carp: pfsync0 demoted group carp by -32 to 5 (pfsync init)
carp: pfsync0 demoted group pfsync by -32 to 0 (pfsync init)
carp: carp14 demoted group carp by -1 to 4 (carpdev)
carp: carp16 demoted group carp by -1 to 3 (carpdev)
carp: carp17 demoted group carp by -1 to 2 (carpdev)
carp: carp18 demoted group carp by -1 to 1 (carpdev)
carp: carp14 demoted group carp by 1 to 2 (carpdev)
carp: carp16 demoted group carp by 1 to 3 (carpdev)
carp: carp17 demoted group carp by 1 to 4 (carpdev)
carp: carp18 demoted group carp by 1 to 5 (carpdev)
carp: carp14 demoted group carp by -1 to 4 (carpdev)
carp: carp16 demoted group carp by -1 to 3 (carpdev)
carp: carp17 demoted group carp by -1 to 2 (carpdev)
carp: carp18 demoted group carp by -1 to 1 (carpdev)
root@deffmfrw04-node0:~#

Regards,
Bernd
IKED/carp/sasyncd: Wrong source ip address/No IKEv2 response
0 len: 364
09:05:31.502453 rule 28.external.1/(match) pass out on vmx0: 1.1.3.2.500 > 1.1.4.2.500: isakmp v2.0 exchange IKE_SA_INIT cookie: fc1a7032dc6dca4f->6d6ec5e5ba4025e7 msgid: len: 376
09:05:35.066184 rule 28.external.1/(match) pass out on vmx0: 1.1.3.2.500 > 86.107.205.162.500: isakmp v2.0 exchange IKE_SA_INIT cookie: 378d8ecfd7bed230->246bb1ec6d892871 msgid: len: 376
09:06:53.424084 rule 28.external.6/(match) pass in on vmx0: 1.1.4.2.500 > 1.1.3.1.500: isakmp v2.0 exchange IKE_SA_INIT cookie: fc1a7032dc6dca4f-> msgid: len: 364
09:08:03.045205 rule 28.external.6/(match) pass in on vmx0: 1.1.4.2.500 > 1.1.3.1.500: isakmp v2.0 exchange IKE_SA_INIT cookie: dbc919cbca8062f7-> msgid: len: 364
09:08:03.064505 rule 28.external.1/(match) pass out on vmx0: 1.1.3.2.500 > 1.1.4.2.500: isakmp v2.0 exchange IKE_SA_INIT cookie: dbc919cbca8062f7->7ab7b6186ba359a9 msgid: len: 376
^C
462 packets received by filter
0 packets dropped by kernel
root@fw-lab-01-node0:~#

If I start IKED in passive mode to let sasyncd change the mode based on the carp status, the gateway doesn't even reply to the IKEv2 packets. Although I start IKED w/ verbose logging, I don't even see any logs after sasyncd has set the mode to active.

root@fw-lab-01-node0:~# iked -dSvv
ca_privkey_serialize: type RSA_KEY length 1190
ca_pubkey_serialize: type RSA_KEY length 270
ca_reload: local cert type RSA_KEY
ikev2_dispatch_cert: updated local CERTREQ type RSA_KEY length 0
/etc/iked.conf: loaded 2 configuration rules
config_getocsp: ocsp_url none
config_getpolicy: received policy ikev2 "vpn_lab" passive esp inet from 172.20.0.0/16 to 172.16.0.0/16 from 172.21.0.0/16 to 172.16.0.0/16 local 1.1.3.1 peer 1.1.4.2 ikesa enc aes-256 prf hmac-sha2-256,hmac-sha1,hmac-md5 auth hmac-sha2-256 group modp2048 childsa enc aes-256 auth hmac-sha2-256 group modp2048 srcid 1.1.3.1 dstid 1.1.4.2 ikelifetime 28800 lifetime 3600 bytes 536870912 psk *
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 7
config_getsocket: received socket fd 8
config_getmode: mode active -> passive
config_getmode: mode passive -> active
^Ccontrol exiting, pid 97322
ikev2 exiting, pid 78182
ca exiting, pid 63356
parent terminating
root@fw-lab-01-node0:~#

root@fw-lab-01-node0:~# tcpdump -nei pflog0 port 500 or esp
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
10:00:15.776540 rule 28.external.6/(match) pass in on vmx0: 1.1.4.2.500 > 1.1.3.1.500: isakmp v2.0 exchange IKE_SA_INIT cookie: 0ad123b899395d35-> msgid: len: 364
^C
312 packets received by filter
0 packets dropped by kernel
root@fw-lab-01-node0:~#

My sasyncd.conf:

# $OpenBSD: sasyncd.conf,v 1.1 2014/07/11 21:20:10 deraadt Exp $
# sample sasyncd configuration file
# see sasyncd.conf(5)

# IP addresses or hostnames of sasyncd(8) peers.
#peer 172.20.0.2
#peer 172.20.0.3
#peer 172.20.0.4
peer 172.20.100.19

# Track master/slave state on this carp(4) interface.
#interface carp1
interface carp0

# Shared AES key, 16/24/32 bytes.
#sharedkey 0x349fec85c11f6b658d5c457d4668e035f11dfdccb849d5053a8763787b74db70
sharedkey *

control iked

Any help would be appreciated.

Regards,
Bernd
OpenIKED: Interoperability problem w/ Juniper SRX
t;-> 1.1.1.1] Added dependency on SA config blob with tunnelid = 131073
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Successfully added ipsec SA PAIR
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Adding Phase2 Blob for Tunnel Id: 131073 SPI: 1130776013
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] kmd_update_tunnel_interface:
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_update_tunnel_interface_by_ifname: update ifl st0.0 status UP
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_pm_ike_sa_done: local:2.2.2.2, remote:1.1.1.1 IKEv2
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] IKE negotiation done for local:2.2.2.2, remote:1.1.1.1 IKEv2 with status: Error ok
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Parsing notification payload for local:2.2.2.2, remote:1.1.1.1 IKEv2
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Ignoring notification of type 16389
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Ignoring notification of type 16388
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_pm_ike_sa_done: Success to create or find peer_entry for local:2.2.2.2:500, remote:1.1.1.1:500 in ike sa done
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] P1 SA 8381946 stop timer. timer duration 30, reason 1.
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] P1 SA 8381946 start timer. timer duration 28800, reason 2.
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] lifetime timers started for p1_sa index 8381946 (hard 28800, soft 28221 secs)
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Preparing phase1 HA blob for p1-sa 8381946
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] iked_prepare_phase1_ha_blob: P1 SA 8381946, phase1_blob->lifetime 28800, p1_sa->lifetime 28800
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Adding Phase 1 HA blob for P1 SA 8381946
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] Inside iked_pm_ipsec_sa_done
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] IPSec negotiation done successfully for SA-CFG ipsec-vpn-corp for local:2.2.2.2, remote:1.1.1.1 IKEv2
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] IPSec SA done callback. ed 10c4028. status: Error ok
[Mar 16 08:52:06][2.2.2.2 <-> 1.1.1.1] ikev2_packet_destroy: F: IKE SA REFCNT: 1

Regards,
Bernd
Typo on main html page
Hi - I know that I might be fussy, but Dillo complains about the following in the main index.html of www.openbsd.org:

Index: index.html
===
RCS file: /cvs/www/index.html,v
retrieving revision 1.689
diff -u -p -u -r1.689 index.html
--- index.html 21 Feb 2016 05:19:08 - 1.689
+++ index.html 25 Feb 2016 22:21:21 -
@@ -120,7 +120,7 @@
-
+

Regards,
Bernd
Re: Lanp equivalent web server working on OpenBSD no Apache
On 30/01/16 21:10, bruce wrote:
> I've been working on this for several weeks now. Results with instructions can be seen here:
>
> http://tonyevil.zapto.org/serendipity/
>
> Any feedback welcome. httpd is too new for this to be well documented, so here is my small contribution.

Beyond the usual problems of posting HowTos (search the list archives), I find it remarkable that you give tedu access to your procmap command ...

Bernd
Load balancing based on user-agent string? (relayd)
Hi,

has anyone ever built this on relayd? If so, are you willing to share your config?

E.g., I'd need users that use the Internet Exploder, Opera and Chrome redirected to Server A, while I need clients running Safari, Firefox and Vivaldi redirected to Server B.

Thanks,
Bernd
Current USB Wifi status
Hi,

I would love to start using my OpenBSD router as access point. In 2013, it was noted that using USB with Hostap is not very well supported:

http://marc.info/?l=openbsd-miscm=136650077623629w=2

Has the situation changed? Are there current USB Wifi adapters available that run well in hostap mode? Any specific one that is easy to obtain?

Thanks,
Bernd
Re: Current USB Wifi status
On 07/08/15 10:38, Stefan Sperling wrote:
> AFAIK the man pages are all up to date and explain the current state on a per driver basis. I don't have anything to add to what the pages say.
>
> To summarize: For best hostap experience use a supported athn(4) device on PCI. That's what I use at home and it just works. Avoid USB for hostap if at all possible.

Thank you very much for the answer.

There is the usual problem that many of the devices listed are not available anymore, or there are numerous versions with the same device name where the manufacturer altered the chipset. I sometimes wish that store pages would be as clear as OpenBSD man pages.

So, Stuart's comment is still valid. I will stop looking for a USB solution, and instead see if I can find a low power chassis with a PCI slot. While more expensive, it is probably money well invested.

Thanks,
Bernd
Re: Backup of OpenBSD to Linux box
Hi Paul,

Thanks for the scripts. I have already started to write my own, but they have some good ideas and I appreciate the input.

Cheers,
Bernd

On 16/06/15 13:29, Paul de Weerd wrote:
> I wrote my own script that uses rsync with --link-dest, which I dubbed 'lnbackup'. First some other scripts copy data to the backup disk (locally or remotely), just rsyncing the changes into a machines/ directory. Then lnbackup rsyncs all of machines/ to a new directory per day, with --link-dest set to the previous day's tree.
Re: Backup of OpenBSD to Linux box
On 15/06/15 13:06, Nick Holland wrote:
> My experience with third party differential backup systems wasn't that it had issues across OSs, but that it had issues across versions of the software. I consider that a complete failure.
> [...]

Thanks to everybody who has answered. This was very helpful.

My current three leads are using dump/restore via SSH, rsync and rsnapshot (which seems to be just a wrapper around rsync). I will try each one and have a look which one fits best.

Cheers,
Bernd
Backup of OpenBSD to Linux box
Hi -

I have got an OpenBSD box, and I would like to create regular full backups of that box to a Linux server at a different location. The main purpose of this backup is to be able to restore the OpenBSD box on a severe hardware failure (HD corruption, fire, etc.). If possible, the backup should be incremental as I am somewhat bandwidth constrained between the two sites.

There are a number of remote backup systems floating around (rdiff-backup, rsnapshot, etc.) and of course there are in-house solutions (dump/restore), though I don't know if these are interoperable.

Is there somebody on the list who has a similar setup and could point me at a solution that works for him/her?

Thanks,
Bernd
Re: my experience with openbsdstore.com
On 11/04/15 14:01, IMAP List Administration wrote:
> Transfer Costs More Than Refund
>
> The next missive from openbsdstore.com was:
>
> Hopefully you should have received the €15 sent by post - unfortunately we had to send it in this way, as our bank wanted to charge us €20 to send it to you electronically!
>
> This can't be happening
>
> And in fact an envelope containing a 10 and a 5 euro note arrived somewhat later.

As a little defence to the OpenBSD store guys: the banking system in the UK is by far the crappiest I have seen in whole of Europe. The banks are all intentionally incompetent and try to fool and trick you into using non-SEPA style money transfers wherever they can. Most UK citizens, even online shops, are misinformed and mistreated by their banks, with the result that the banks can charge horrendous fees and cheat on exchange rates.

A little funny experience: my online banking system from HSBC shuts down accepting SEPA money transfers outside of regular business hours. I have to wait until Monday morning to _enter_ a SEPA money transfer. It looks like their CPUs get the weekend off. That is how crappy the UK banking system is. And the most scary thing: the people here think this is normal ...

Bernd
Re: SHA256 fingerprints on AnonCVS web page
On 28/03/15 16:22, Christian Weisgerber wrote:
>> Should they be added?
>
> Yes, they should, but we may have to wait until 5.7 is released for the mirror maintainers to update their machines.

Ah, thanks for the clarification. Was not aware that they were that new.

Bernd
SHA256 fingerprints on AnonCVS web page
Hi -

I just tried to update my ports tree and got the following message, using openbsd.cs.fau.de as AnonCVS host:

The authenticity of host 'openbsd.cs.fau.de (131.188.40.91)' can't be established.
ECDSA key fingerprint is SHA256:gcWYMCjQHnmA97RT53MGCKp2kZ3pk5TZPFdYTJQl9/w.

Unfortunately, the SHA256 fingerprints are not published on http://www.openbsd.org/anoncvs.html so I was not able to verify the host. Should they be added?

Regards,
Bernd
Intel 5th gen NUC graphics support
Hi -

I just acquired an Intel NUC (NUC5i5RYK) to use as my main OpenBSD desktop system. After getting kernel panics when booting 5.6, using a SNAPSHOT seems to work well (panic was: lapic_set_lvt: bad pin value 228).

The next hurdle I have to overcome is getting accelerated X to work. There is also no support for a framebuffer console (which is probably related). I think the critical part of the X11 output (full dump below) is:

[30.163] (II) AIGLX: Screen 0 is not DRI2 capable
[30.163] (EE) AIGLX: reverting to software rendering

Is the new graphics chipset already supported in OpenBSD, and I just have the configuration wrong? Or will I have to wait for support? Anything I can do to help development?

Thanks,
Bernd

PS: Two other observations: the kernel takes rather long to load (15 seconds) and I get this line of strange symbols in the dmesg below.

DMESG:

OpenBSD 5.7-current (GENERIC.MP) #895: Wed Mar 18 18:55:03 MDT 2015
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8453918720 (8062MB)
avail mem = 8193765376 (7814MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xec7b0 (86 entries)
bios0: vendor Intel Corporation version RYBDWi35.86A.0137.2015.0107.1700 date 01/07/2015
bios0: \M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^? \M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?\M^?
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT FIDT MCFG HPET SSDT UEFI SSDT ASF! SSDT SSDT SSDT DMAR
acpi0: wakeup devices PEGP(S4) PEG0(S4) PEGP(S4) PEG1(S4) PEGP(S4) PEG2(S4) PS2K(S3) PS2M(S3) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i5-5250U CPU @ 1.60GHz, 2494.60 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,RDSEED,ADX,SMAP
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Core(TM) i5-5250U CPU @ 1.60GHz, 2494.22 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,RDSEED,ADX,SMAP
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 1 (application processor)
cpu2: Intel(R) Core(TM) i5-5250U CPU @ 1.60GHz, 2494.22 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,RDSEED,ADX,SMAP
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 1, core 0, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Core(TM) i5-5250U CPU @ 1.60GHz, 2494.22 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,3DNOWP,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,RDSEED,ADX,SMAP
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 1, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 40 pins
acpimadt0: bogus nmi for apid 0
acpimadt0: bogus nmi for apid 2
acpimadt0: bogus nmi for apid 1
acpimadt0: bogus nmi for apid 3
acpimcfg0 at acpi0 addr 0xf800, bus 0-63
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (PEG0)
acpiprt2 at acpi0: bus -1 (PEG1)
acpiprt3 at acpi0: bus -1 (PEG2)
acpiprt4 at acpi0: bus 1 (RP01)
acpiprt5 at acpi0: bus -1 (RP02)
acpiprt6 at acpi0: bus -1 (RP03)
acpiprt7 at acpi0: bus 2 (RP04)
acpiprt8 at acpi0: bus -1 (RP05)
acpiprt9 at acpi0: bus -1 (RP06)
acpiprt10 at acpi0: bus -1 (RP07)
acpiprt11 at acpi0: bus -1 (RP08
Re: Software for time management calendar
On 24/03/15 02:01, Stuart Henderson wrote:
> On 2015-03-22, Lampshade lampsh...@poczta.fm wrote:
>> What software you use for this purposes?
>
> CalenGoo, and vi.

I really love to use 'owncloud' for that, thanks to the package maintainer. See:

https://github.com/reyk/httpd/wiki/Running-ownCloud-with-httpd-on-OpenBSD

Bernd
Intermediate cert in relayd?
Hi list,

I'm planning to configure SSL offloading using relayd(8). The manpage for relayd.conf(5) states the following:

``If the ssl keyword is present, the relay will accept connections using the encrypted SSL protocol. The relay will attempt to look up a private key in /etc/ssl/private/address:port.key and a public certificate in /etc/ssl/address:port.crt, where address is the specified IP address and port is the specified port that the relay listens on. If these files are not present, the relay will continue to look in /etc/ssl/private/address.key and /etc/ssl/address.crt. See ssl(8) for details about SSL server certificates.''

However, I also got an intermediate certificate provided by my CA. Using it in Apache, e.g., is no problem, however I wonder how to get this configured in(to) relayd... any clues?

Thanks, best,
Bernd
Re: Detailed statistics on em(4) driver
Hi,

I've got problems with increasing Ierrs on several machines with several em(4) interfaces. Is there a way to get *detailed* information on these?

# netstat -I em3 -d
Name  Mtu   Network      Address          Ipkts     Ierrs   Opkts     Oerrs  Colls  Drop
em3   1500  Link         de:ad:be:ef      95655063  435896  63427593  0      0      0
em3   1500  fe80::%em3/  fe80::xx:ff:ffe  95655063  435896  63427593  0      0      0

is not that verbose.

We hacked the kernel. The interface(s) just miss packets, see screenshot: http://imageshack.us/f/96/fkad.png/

Customer urged to move from OpenBSD to Ubuntu for BGP routing.

Thanks in advance,
Bernd
Detailed statistics on em(4) driver
Hi,

I've got problems with increasing Ierrs on several machines with several em(4) interfaces. Is there a way to get *detailed* information on these?

# netstat -I em3 -d
Name  Mtu   Network      Address          Ipkts     Ierrs   Opkts     Oerrs  Colls  Drop
em3   1500  <Link>       de:ad:be:ef      95655063  435896  63427593  0      0      0
em3   1500  fe80::%em3/  fe80::xx:ff:ffe  95655063  435896  63427593  0      0      0

is not that verbose.

Thanks in advance,
Bernd
OpenBGPd: AS path prepend for certain networks only?
Hi,

running OpenBSD 5.3 (amd64) for BGP routing for more than one and a half years without any trouble -- thanks guys! However, as setups evolve, new questions may arise.

As far as I get from the man pages, it's only possible to apply prepending to AS paths 'globally':

prepend-neighbor number  Prepend the neighbor's AS number times to the AS path.
prepend-self number      Prepend the local AS number times to the AS path.

I'd like to do this only for certain networks in our AS, to force ingress and egress traffic over a certain uplink -- leaving all other networks untouched by this. Is that possible with OpenBGPd?

Thanks,
Bernd
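As an added example (not from the post, nor from the OpenBGPd examples): prepend-self is also a filter "set" attribute, so it can be applied per prefix and per neighbor rather than globally. The bgpd.conf fragment below is written for the 5.x syntax the post refers to; the AS numbers, the router-id and the neighbor addresses are made up, and 12.34.58.0/24 stands for the network that should be reached via the second uplink.

```conf
# Added example, not from the original post.  Made-up numbers: local AS
# 65000, upstreams 65001/65002, aggregate 12.34.56.0/20 as in the post,
# 12.34.58.0/24 as the network that should be reached via Upstream2.
# Syntax follows bgpd.conf(5) of the 5.x era the post refers to.
AS 65000
router-id 192.0.2.10

uplink1="192.0.2.1"
uplink2="198.51.100.1"

network 12.34.56.0/20
network 12.34.58.0/24

neighbor $uplink1 {
	remote-as 65001
	descr "Upstream1"
	announce all
}
neighbor $uplink2 {
	remote-as 65002
	descr "Upstream2"
	announce all
}

# Inbound hygiene (unrelated to the prepend question, but cheap): never
# accept our own space from the outside, nor anything longer than a /24.
deny from any prefix 12.34.56.0/20 prefixlen >= 20
deny from any prefix 0.0.0.0/0 prefixlen > 24

# Outbound: the last matching rule wins, so start with a deny and open
# up only what we originate.  The aggregate goes everywhere untouched.
deny to any
allow to any prefix 12.34.56.0/20

# The /24 goes to Upstream2 as-is and to Upstream1 with three copies of
# our AS prepended; remote networks then prefer the shorter path via
# Upstream2, while Upstream1 still has a route if Upstream2 fails.
allow to $uplink2 prefix 12.34.58.0/24
allow to $uplink1 prefix 12.34.58.0/24 set prepend-self 3
```

Check the file with bgpd -n -f /etc/bgpd.conf before loading it. Prepending only steers ingress; which uplink a packet *leaves* through is decided by the local routing table for its destination, so egress-per-source-network is a pf route-to question, not a bgpd one.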
Re: munin-node not working from packages in 5.2
Hi again,

> Hi,
>
> just updated a machine (fresh installation from scratch) to OpenBSD 5.2 (amd64). munin-node-1.4.7p0 added via pkg_add throws this error in its log:
>
> 2012/11/07-14:08:42 CONNECT TCP Peer: [12.34.56.78]:20963 Local: [12.34.56.100]:4949
> Use of uninitialized value in pattern match (m//) at /usr/local/libdata/perl5/site_perl/Net/Server.pm line 600.
> Use of uninitialized value in pattern match (m//) at /usr/local/libdata/perl5/site_perl/Net/Server.pm line 600.
>
> Is this a known issue?

after having updated several machines to 5.3 now (all amd64), the issue persists. Am I the only one seeing this?

Best,
Bernd
munin-node not working from packages in 5.2
Hi, just updated a machine (fresh installation from scratch) to OpenBSD 5.2 (amd64). munin-node-1.4.7p0 added via pkg_add throws this error in its log: 2012/11/07-14:08:42 CONNECT TCP Peer: [12.34.56.78]:20963 Local: [12.34.56.100]:4949 Use of uninitialized value in pattern match (m//) at /usr/local/libdata/perl5/site_perl/Net/Server.pm line 600. Use of uninitialized value in pattern match (m//) at /usr/local/libdata/perl5/site_perl/Net/Server.pm line 600. Is this a known issue? Best, Bernd
SSH_CLIENT in recent OpenBSD releases
Hi,

I've got to port some shell scripts which rely on env vars. One amongst those is $SSH_CLIENT. On OpenBSD 5.1 machines, I don't get what I'd assume to get:

# echo $SSH_CLIENT

It returns just a blank line. I re-tested this on an older development machine, running OpenBSD 4.6:

# echo $SSH_CLIENT
123.45.67.89 34402 22

Is that an intended change in behavior (security related)? I didn't find a changelog entry, nor documentation.

Thanks,
Bernd
Re: SSH_CLIENT in recent OpenBSD releases
On 2012-10-11 10:50, Paul de Weerd wrote:
On Thu, Oct 11, 2012 at 10:38:04AM +0200, Bernd wrote:
| Hi,
|
| I've got to port some shell scripts which rely on env vars. One
| amongst those is $SSH_CLIENT.
|
| On OpenBSD 5.1 machines, I don't get what I'd assume to get:
|
| # echo $SSH_CLIENT
|
| It returns just a blank line.

This Works For Me (tm) on a snapshot I installed yesterday. I ssh into my machine and SSH_CLIENT contains the expected value.

Weird. I tested on four amd64 5.1 machines, totally default setups, all the same phenomenon.

| I re-tested this on an older development machine, running OpenBSD 4.6:
|
| # echo $SSH_CLIENT
| 123.45.67.89 34402 22
|
| Is that an intended change in behavior (security related)? I didn't
| find a changelog entry, nor documentation.

Can you confirm your shell initialization isn't clearing this environment variable?

Defaults everywhere, as on the machine(s) running earlier releases.

Bernd

Paul 'WEiRD' de Weerd
-- [++-]+++.+++[---].+++[+ +++-].++[-]+.--.[-] http://www.weirdnet.nl/
Re: SSH_CLIENT in recent OpenBSD releases
On 2012-10-11 10:38, Bernd wrote:
> Hi,
>
> I've got to port some shell scripts which rely on env vars. One amongst those is $SSH_CLIENT. On OpenBSD 5.1 machines, I don't get what I'd assume to get:
>
> # echo $SSH_CLIENT
>
> It returns just a blank line.

Logged in as normal user, became root via 'su -'. That triggers the mentioned behavior; just using 'su' keeps it behaving as expected.

Thanks,
Bernd

> I re-tested this on an older development machine, running OpenBSD 4.6:
>
> # echo $SSH_CLIENT
> 123.45.67.89 34402 22
>
> Is that an intended change in behavior (security related)? I didn't find a changelog entry, nor documentation.
>
> Thanks,
> Bernd
Re: SSH_CLIENT in recent OpenBSD releases
On 2012-10-11 11:01, Otto Moerbeek wrote:
> On Thu, Oct 11, 2012 at 10:54:05AM +0200, Otto Moerbeek wrote:
>> On Thu, Oct 11, 2012 at 10:38:04AM +0200, Bernd wrote:
>>> Hi,
>>>
>>> I've got to port some shell scripts which rely on env vars. One amongst those is $SSH_CLIENT. On OpenBSD 5.1 machines, I don't get what I'd assume to get:
>>>
>>> # echo $SSH_CLIENT
>>>
>>> It returns just a blank line. I re-tested this on an older development machine, running OpenBSD 4.6:
>>>
>>> # echo $SSH_CLIENT
>>> 123.45.67.89 34402 22
>>>
>>> Is that an intended change in behavior (security related)? I didn't find a changelog entry, nor documentation.
>>>
>>> Thanks,
>>> Bernd
>>
>> SSH_CONNECTION replaces SSH_CLIENT. See the commit below and https://bugzilla.mindrot.org/show_bug.cgi?id=384
>
> Ehh, replace is not the right word. It's still there.

Thanks for that hint, but still:

# echo $SSH_CONNECTION

# echo $SSH_CLIENT

#

On the older machines, interestingly (and 'of course'), both return sensible data.

Bernd

> CVSROOT: /cvs
> Module name: src
> Changes by: stev...@cvs.openbsd.org 2002/09/12 13:50:36
>
> Modified files:
> usr.bin/ssh: session.c ssh.1
>
> Log message:
> add SSH_CONNECTION and deprecate SSH_CLIENT; bug #384. ok markus@
>
> -Otto
Re: SSH_CLIENT in recent OpenBSD releases
On 2012-10-11 11:29, Peter Hessler wrote:
On 2012 Oct 11 (Thu) at 11:15:24 +0200 (+0200), Bernd wrote:
:On 2012-10-11 10:38, Bernd wrote:
:Hi,
:
:I've got to port some shell scripts which rely on env vars. One
:amongst those is $SSH_CLIENT.
:
:On OpenBSD 5.1 machines, I don't get what I'd assume to get:
:
:# echo $SSH_CLIENT
:
:It returns just a blank line.
:
:Logged in as normal user, became root via 'su -'. That triggers
:mentioned behavior, just using 'su' keeps it behaving as expected.
:

$ man su
...
-     Same as the -l option (deprecated).
...
-l    Simulate a full login. The environment is discarded except for HOME, SHELL, PATH, TERM, LOGNAME, and USER. HOME and SHELL are modified as above. LOGNAME and USER are set to the target login. PATH is set to the value specified by the ``path'' entry in login.conf(5). TERM is imported from your current environment. The invoked shell is the target login's, and su will change directory to the target login's home directory.

Known for decades, sure. Still wonder what changed. Machines are pretty extremely default setups.

Bernd
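As an added example (not from the thread): how a portable script should read the peer address, given the two points made above, that SSH_CONNECTION is the current variable and SSH_CLIENT the deprecated one, and that "su -" discards both. The function names are mine; the addresses in the usage are made up.

```shell
#!/bin/sh
# Added example, not from the thread: read the SSH peer address the way
# a portable script should, preferring SSH_CONNECTION and falling back
# to the deprecated SSH_CLIENT, and failing loudly when neither is set,
# which is exactly what happens in a shell started by "su -" / "su -l".
set -eu

# Print the client's IP address, or return 1 if the session carries no
# SSH_* variables.  Layouts:
#   SSH_CONNECTION = "client_ip client_port server_ip server_port"
#   SSH_CLIENT     = "client_ip client_port server_port"
ssh_peer() {
    set -- ${SSH_CONNECTION:-${SSH_CLIENT:-}}
    [ $# -ge 1 ] || return 1
    printf '%s\n' "$1"
}

# Server-side port the client connected to: the last field in both
# layouts, so the same code serves old and new sshd.
ssh_server_port() {
    set -- ${SSH_CONNECTION:-${SSH_CLIENT:-}}
    [ $# -ge 3 ] || return 1
    shift $(($# - 1))
    printf '%s\n' "$1"
}

# What a script that may run after su(1) should do: refuse to continue
# rather than log or act on an empty address.
report_peer() {
    if peer=$(ssh_peer); then
        printf 'connection from %s to port %s\n' "$peer" "$(ssh_server_port)"
    else
        echo 'no SSH_CONNECTION/SSH_CLIENT in environment (su -l?); refusing to guess' >&2
        return 2
    fi
}

# Usage: sh ssh-peer.sh run
if [ "${1:-}" = run ]; then
    report_peer
fi
```

Two caveats a script author should keep in mind: these variables are set by sshd for the login session and are *lost*, not forged, by su -l, so failing closed when they are missing is the right default; and any user can set them in their own shell, so they are fine for logging but not for access decisions.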
Re: OpenBGP lost session
On 2012-09-18 16:34, Stuart Henderson wrote:
> On 2012-09-18, Bernd be...@kroenchenstadt.de wrote:
>> Hi list,
>>
>> I've got two OpenBSD (5.1-STABLE, amd64) machines running OpenBGPd. Both of them are connected to two upstream providers each; furthermore there are (older) Ciscos, also connected to the same (!) upstream routers. Recently, both OpenBSD machines lost their BGP session to one of the upstream providers. On both machines the same upstream router was affected. Logs show this:
>>
>> Sep 17 17:25:35 hostname bgpd[1638]: neighbor 12.23.34.45 (Upstream1): sending notification: HoldTimer expired, unknown subcode 0
>> Sep 17 17:25:35 hostname bgpd[1638]: neighbor 12.23.34.45 (Upstream1): state change Established -> Idle, reason: HoldTimer expired
>> Sep 17 17:25:43 hostname ospfd[5366]: desync; scheduling fib reload
>> Sep 17 17:25:43 hostname ospfd[5366]: reloading interface list and routing table
>> Sep 17 17:25:48 hostname bgpd[15513]: nexthop 12.23.34.45 now valid: directly connected
>> Sep 17 17:26:05 hostname bgpd[1638]: neighbor 12.23.34.45 (Upstream1): state change Idle -> Connect, reason: Start
>> Sep 17 17:26:05 hostname bgpd[1638]: neighbor 12.23.34.45 (Upstream1): state change Connect -> OpenSent, reason: Connection opened
>> Sep 17 17:26:05 hostname bgpd[1638]: neighbor 12.23.34.45 (Upstream1): state change OpenSent -> OpenConfirm, reason: OPEN message received
>> Sep 17 17:26:05 hostname bgpd[1638]: neighbor 12.23.34.45 (Upstream1): state change OpenConfirm -> Established, reason: KEEPALIVE message received
>> Sep 17 17:26:20 hostname bgpd[15513]: nexthop 12.23.34.45 now valid: directly connected
>>
>> The Ciscos didn't see anything like this, their sessions didn't drop. Any clue what was going on?
>>
>> Thanks,
>> Bernd
>
> Can't tell from this. Are you running the same hold times on your openbgp boxes as your ciscos?

Hi,

yes, it's 90 sec on the Ciscos as well as for BGPd (default is 90 sec).

Best,
Bernd
OpenBGP lost session
Hi list,

I've got two OpenBSD (5.1-STABLE, amd64) machines running OpenBGPd. Both of them are connected to two upstream providers each; furthermore there are (older) Ciscos, also connected to the same (!) upstream routers. Recently, both OpenBSD machines lost their BGP session to one of the upstream providers. On both machines the same upstream router was affected. Logs show this:

Sep 17 17:25:35 hostname bgpd[1638]: neighbor 12.23.34.45 (Upstream1): sending notification: HoldTimer expired, unknown subcode 0
Sep 17 17:25:35 hostname bgpd[1638]: neighbor 12.23.34.45 (Upstream1): state change Established -> Idle, reason: HoldTimer expired
Sep 17 17:25:43 hostname ospfd[5366]: desync; scheduling fib reload
Sep 17 17:25:43 hostname ospfd[5366]: reloading interface list and routing table
Sep 17 17:25:48 hostname bgpd[15513]: nexthop 12.23.34.45 now valid: directly connected
Sep 17 17:26:05 hostname bgpd[1638]: neighbor 12.23.34.45 (Upstream1): state change Idle -> Connect, reason: Start
Sep 17 17:26:05 hostname bgpd[1638]: neighbor 12.23.34.45 (Upstream1): state change Connect -> OpenSent, reason: Connection opened
Sep 17 17:26:05 hostname bgpd[1638]: neighbor 12.23.34.45 (Upstream1): state change OpenSent -> OpenConfirm, reason: OPEN message received
Sep 17 17:26:05 hostname bgpd[1638]: neighbor 12.23.34.45 (Upstream1): state change OpenConfirm -> Established, reason: KEEPALIVE message received
Sep 17 17:26:20 hostname bgpd[15513]: nexthop 12.23.34.45 now valid: directly connected

The Ciscos didn't see anything like this, their sessions didn't drop. Any clue what was going on?

Thanks,
Bernd
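As an added example (not from the thread): the log excerpt above is the whole evidence, so the useful next step is to count such drops per neighbor and measure how long each outage lasts, from syslog, to see whether the hold timer really fires only for one upstream and only at one moment. The awk program below is mine; it assumes the syslog line layout shown in the thread, and the sample it carries is constructed from those lines (same made-up neighbor 12.23.34.45).

```shell
#!/bin/sh
# Added example, not from the thread: summarise bgpd(8) session drops
# from syslog so that one can see which neighbor flapped, how often,
# and how long each outage lasted.  Input format is the syslog line
# layout shown in the thread; the sample below is constructed from
# those lines (same made-up neighbor 12.23.34.45).
set -eu

# Usage: bgp_flaps [logfile ...]   (reads stdin if no file is given)
# Output: one line per neighbor: "<ip> drops=<n> outage=<seconds>s"
bgp_flaps() {
    awk '
    function secs(t,  p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }
    / bgpd\[[0-9]+\]: neighbor / {
        nb = $7
        if ($0 ~ /state change Established -/) {
            # session dropped; remember when
            down[nb]++
            since[nb] = secs($3)
        } else if ($0 ~ /state change OpenConfirm -/ && (nb in since)) {
            # session re-established; credit the outage to this neighbor
            d = secs($3) - since[nb]
            if (d < 0) d += 86400          # crossed midnight
            outage[nb] += d
            delete since[nb]
        }
    }
    END {
        for (nb in down)
            printf "%s drops=%d outage=%ds\n", nb, down[nb], outage[nb] + 0
    }' "$@"
}

# Return 1 when any neighbor dropped more than $1 times, for use from
# cron or a monitoring check.
bgp_flap_alert() {
    max=$1; shift
    bgp_flaps "$@" | awk -v max="$max" '
        { split($2, a, "="); if (a[2] + 0 > max) bad++ }
        END { exit (bad > 0) }'
}

# Constructed sample: the drop and recovery from the thread.
SAMPLE='Sep 17 17:25:35 hostname bgpd[1638]: neighbor 12.23.34.45 (Upstream1): sending notification: HoldTimer expired, unknown subcode 0
Sep 17 17:25:35 hostname bgpd[1638]: neighbor 12.23.34.45 (Upstream1): state change Established -> Idle, reason: HoldTimer expired
Sep 17 17:25:48 hostname bgpd[15513]: nexthop 12.23.34.45 now valid: directly connected
Sep 17 17:26:05 hostname bgpd[1638]: neighbor 12.23.34.45 (Upstream1): state change Idle -> Connect, reason: Start
Sep 17 17:26:05 hostname bgpd[1638]: neighbor 12.23.34.45 (Upstream1): state change Connect -> OpenSent, reason: Connection opened
Sep 17 17:26:05 hostname bgpd[1638]: neighbor 12.23.34.45 (Upstream1): state change OpenSent -> OpenConfirm, reason: OPEN message received
Sep 17 17:26:05 hostname bgpd[1638]: neighbor 12.23.34.45 (Upstream1): state change OpenConfirm -> Established, reason: KEEPALIVE message received'

# Usage: sh bgp-flaps.sh demo        (or: bgp_flaps /var/log/daemon)
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE" | bgp_flaps
fi
```

On the sample this prints "12.23.34.45 drops=1 outage=30s", i.e. a single 30-second hole. Run it over a few days of /var/log/daemon on both routers and compare: a hold timer that expires on both OpenBSD boxes at the same second for the same upstream, but never on the Ciscos, points at something between those two boxes and that upstream rather than at the timer value.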
OpenBGPd - how to blackhole traffic?
Hi list, I'd like to blackhole some traffic. For instance, my AS is 12.34.56.0/20, so 12.34.58.0 might be announced, but is not necessarily connected (internal routing via OSPFd). On Cisco one uses: ip route 0.0.0.0 0.0.0.0 Null0 This would throw any traffic headed to a network within my AS, which is *not* connected (via OSPF), onto the floor. Is there a way to achieve this on OpenBSD? Thanks in advance, Bernd
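As an added example (not from the post): the OpenBSD counterpart of a Null0 route is a static route carrying route(8)'s -blackhole (or -reject) modifier. The script below is mine. It assumes the poster's made-up aggregate 12.34.56.0/20, uses 127.0.0.1 as a next hop that the modifier makes irrelevant, and assumes that route -n get shows the BLACKHOLE/REJECT flag for such a route.

```shell
#!/bin/sh
# Added example, not from the original post: the OpenBSD counterpart of
# "ip route ... Null0" is a static route with the -blackhole (or
# -reject) modifier of route(8).  12.34.56.0/20 is the poster's made-up
# aggregate; 127.0.0.1 is just a next hop on lo0 that the modifier makes
# irrelevant.  The kernel does longest-prefix matching before anything
# else, so the more specific routes learned via OSPF keep winning and
# only traffic to unrouted holes inside the /20 is discarded.
set -eu

# Accept a.b.c.d/len with 8 <= len <= 32.  Refusing anything shorter
# than a /8 also refuses 0.0.0.0/0: a blackholed default on a BGP
# router would swallow every destination without a more specific route.
valid_prefix() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF == 5 && $5 ~ /^[0-9]+$/ && $5 >= 8 && $5 <= 32 {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            exit 0
        }
        { exit 1 }'
}

# route(8) invocation for one prefix.  -blackhole drops silently,
# -reject answers with ICMP unreachable; silent is the usual choice on a
# border router so that scans of empty space get nothing back.
blackhole_cmd() {
    mode=${2:-blackhole}
    case $mode in blackhole|reject) ;; *) echo "bad mode: $mode" >&2; return 1 ;; esac
    valid_prefix "$1" || { echo "refusing prefix $1" >&2; return 1; }
    printf 'route -qn add -%s %s 127.0.0.1\n' "$mode" "$1"
}

# Line to append to /etc/hostname.lo0 so the route survives a reboot;
# hostname.if(5) runs lines starting with "!" as shell commands.
hostname_if_line() {
    printf '!%s\n' "$(blackhole_cmd "$1" "${2:-blackhole}")"
}

# Install now and verify the kernel took the flag.  Needs root.
install_blackhole() {
    [ "$(id -u)" -eq 0 ] || { echo 'must run as root' >&2; return 1; }
    eval "$(blackhole_cmd "$1" "${2:-blackhole}")"
    route -n get "$1" | grep -Eq 'BLACKHOLE|REJECT'
}

# Usage: sh blackhole.sh 12.34.56.0/20 [apply]
if [ $# -ge 1 ]; then
    blackhole_cmd "$1"
    hostname_if_line "$1"
    if [ "${2:-}" = apply ]; then
        install_blackhole "$1"
    fi
fi
```

Note the difference to the Cisco line quoted in the post: that one sends the *default* to Null0, which on a router that also carries a BGP default would be a very different thing. Blackholing the aggregate itself is what keeps undeliverable packets for your own space from ping-ponging between you and the upstream until TTL runs out.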
Re: TTL for backup hosts (relayd)
On 2012-08-01 14:07, Sebastian Benoit wrote:
> Bernd (be...@kroenchenstadt.de) on 2012.08.01 12:07:10 +0200:
>> Hi,
>>
>> I got some redirects configured in relayd(8) which use backup ('fallback') hosts for the case all hosts in the 'main' table are down, e.g. due to maintenance. So, in this case, backup hosts get enabled and show a page like "sorry, we're down for maintenance". This works fine; however, after the main table hosts (at least one) are back up and running (due to checks being successful again, or re-enabling them), sessions that went to the backup hosts don't go away. My primary thought was that sessions to fallback hosts would be flushed or time out as soon as the main table is active again, or at least after $timeout (default: 600s).
>>
>> Best,
>> Bernd
>
> Hi Bernd,
>
> you might indeed have found a bug. I'll look into it.
>
> /Benno

Hi,

I found out that this problem does *not* persist when not using stickiness. I'll update the machines soon (not easy because under heavy load), and check if it still happens running 5.1.

Thanks,
Bernd
TTL for backup hosts (relayd)
Hi,

I got some redirects configured in relayd(8) which use backup ('fallback') hosts for the case all hosts in the 'main' table are down, e.g. due to maintenance. So, in this case, backup hosts get enabled and show a page like "sorry, we're down for maintenance". This works fine; however, after the main table hosts (at least one) are back up and running (due to checks being successful again, or re-enabling them), sessions that went to the backup hosts don't go away. My primary thought was that sessions to fallback hosts would be flushed or time out as soon as the main table is active again, or at least after $timeout (default: 600s).

Best,
Bernd

--- pf.conf:

set limit states 10
set limit src-nodes 10
set timeout src.track 1800
set timeout tcp.finwait 8
set timeout tcp.closing 90
set skip on lo

EXT_IFS={ em1 vlan123 vlan456 vlan789 carp0 carp2 carp4 }

# filter rules and anchor for ftp-proxy(8)
#anchor ftp-proxy/*
#pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021

pass in quick on em3 proto pfsync

# anchor for relayd(8)
anchor relayd/*

pass # to establish keep-state

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010

--- relayd.conf:

interval 10
timeout 5000
# prefork 5 # only for relays
log update

host1_4=192.168.123.10
host2_4=192.168.123.11
host3_4=192.168.123.12
host_cdn1_4=192.168.123.20
host_cdn2_4=192.168.123.21
host_cdn3_4=192.168.123.22

# IPv4
table http4 { $host1_4 $host2_4 $host3_4 }
table http4_fallback { $host_cdn1_4 $host_cdn2_4 $host_cdn3_4 }

redirect http4 {
	listen on $ext4_blabla port 80
	sticky-address
	forward to http4 port 80 check http /node-status digest 5aa701f6d550e8e109fb654c17cc05b11ef53bd3
	forward to http4_fallback port 80 check tcp
	tag HTTP4
}

---

OpenBSD 4.9 (GENERIC.MP) #819: Wed Mar 2 06:57:49 MST 2011 dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP real mem = 2643709952 (2521MB) avail mem = 2559311872 (2440MB) mainbus0 at root bios0 at mainbus0: SMBIOS rev. 
2.5 @ 0x9f6a4000 (63 entries) bios0: vendor Intel Corp. version S3420GP.86B.01.00.0048.022120111423 date 02/21/2011 bios0: Intel Corporation S3420GP acpi0 at bios0: rev 2 acpi0: sleep states S0 S1 S5 acpi0: tables DSDT FACP APIC MCFG HPET SLIT SPCR WDDT SSDT SSDT HEST BERT ERST EINJ acpi0: wakeup devices MRP1(S5) GRP1(S5) G2P1(S5) G2P2(S5) G2P3(S5) G2P4(S5) MRP2(S5) MRP3(S4) MRP4(S4) EHC2(S5) PEX0(S5) PEX1(S5) PEX2(S5) PEX3(S5) PEX4(S5) PEX6(S5) PEX7(S5) EHC1(S5) IP2P(S5) SLPB(S4) acpitimer0 at acpi0: 3579545 Hz, 24 bits acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: Intel(R) Xeon(R) CPU X3430 @ 2.40GHz, 2400.36 MHz cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,NXE,LO NG cpu0: 256KB 64b/line 8-way L2 cache cpu0: apic clock running at 133MHz cpu1 at mainbus0: apid 2 (application processor) cpu1: Intel(R) Xeon(R) CPU X3430 @ 2.40GHz, 2399.97 MHz cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,NXE,LO NG cpu1: 256KB 64b/line 8-way L2 cache cpu2 at mainbus0: apid 4 (application processor) cpu2: Intel(R) Xeon(R) CPU X3430 @ 2.40GHz, 2399.97 MHz cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,NXE,LO NG cpu2: 256KB 64b/line 8-way L2 cache cpu3 at mainbus0: apid 6 (application processor) cpu3: Intel(R) Xeon(R) CPU X3430 @ 2.40GHz, 2399.97 MHz cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,NXE,LO NG cpu3: 256KB 64b/line 8-way 
L2 cache ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 24 pins acpimcfg0 at acpi0 addr 0xa000, bus 0-255 acpihpet0 at acpi0: 14318179 Hz acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus 1 (MRP1) acpiprt2 at acpi0: bus 2 (GRP1) acpiprt3 at acpi0: bus 3 (G2P1) acpiprt4 at acpi0: bus 6 (G2P2) acpiprt5 at acpi0: bus 9 (G2P3) acpiprt6 at acpi0: bus 10 (G2P4) acpiprt7 at acpi0: bus -1 (MRP3) acpiprt8 at acpi0: bus 11 (PEX0) acpiprt9 at acpi0: bus 12 (PEX4) acpiprt10 at acpi0: bus 13 (PEX6) acpicpu0 at acpi0: C3, C1, PSS acpicpu1 at acpi0: C3, C1, PSS acpicpu2 at acpi0: C3, C1, PSS acpicpu3 at acpi0: C3, C1, PSS acpibtn0 at acpi0: SLPB ipmi at mainbus0 not configured cpu0: Enhanced SpeedStep 2399 MHz: speeds: 2395, 2394, 2261, 2128, 1995, 1862, 1729, 1596, 1463, 1330, 1197 MHz pci0 at mainbus0 bus 0 pchb0 at pci0 dev 0 function 0 Intel Core DMI rev 0x11
Re: ad Re: using relayd in transparent mode
On 07/31/2012 12:39 AM, thus Stuart Henderson spake: On 2012-07-30, Berndbe...@kroenchenstadt.de wrote: Hi, is this proc.c privsep reorganization issue thing in relayd still a problem? http://marc.info/?l=openbsd-miscm=133293448804527 Best, Bernd Yes. Thanks for that information. I'll monitor CVS changes then. Best, Bernd
Re: Calomel.org
On 07/26/2012 06:55 AM, thus Shaka NKofo spake: I'm new to Open BSD but no stranger to *nix OSs. My question here is simple. I have been reading the man pages and documentation and have installed and setup a 5.1 box on my lan. Now after understanding its basic inner workings I wish to put it to heavy and good use. All I'm asking is that is it advisable to use some of the tutorials found on https://calomel.org/ as a sort of map to setup basic services like DNS and pf? I'm used to learning tech from scratch and mastering then using it but my work load is punishing and I would like to clean up DNS on my lan since the devices are just adding up too fast... Please I would appreciate your individual approaches and viewpoints on this matter. Thanks Shaka *fetching popcorn
Re: ss20's wanted for ports builds
On 07/17/2012 02:04 AM, thus Aaron Mason spake: I just had a look on eBay - I'm surprised to see them still attract decent money - $300 for a single processor 125MHz with 256mb RAM and 2x18GB drives (http://goo.gl/jKAyl). A bit out of my price range at the moment, otherwise I'd be right there. I could provide shell access to a SS20 with 256MByte RAM and two 75MHz SuperSPARC II CPUs. Bernd On Tue, Jul 17, 2012 at 6:19 AM, Matthew Dempskymatt...@dempsky.org wrote: On Mon, Jul 16, 2012 at 11:45 AM, [BG-Consulting] Elmar Bschorer elmar.bscho...@bugconsulting.de wrote: What sun sparc machine do you exactly need? What do you mean with ss20? SS20 stands for SPARCstation 20: http://en.wikipedia.org/wiki/SPARCstation_20
Re: ss20's wanted for ports builds
On 07/17/2012 08:32 AM, thus Matthew Dempsky spake: On Mon, Jul 16, 2012 at 11:17 PM, Berndbe...@kroenchenstadt.de wrote: I could provide shell access to a SS20 with 256MByte RAM and two 75MHz SuperSPARC II CPUs. The workload for the snapshot and ports build machines really requires full, local access. Well, console access would also be no problem -- except hands-on... Bernd
Re: ss20's wanted for ports builds
On 07/17/2012 08:49 AM, thus Otto Moerbeek spake: On Tue, Jul 17, 2012 at 08:37:19AM +0200, Bernd wrote: On 07/17/2012 08:32 AM, thus Matthew Dempsky spake: On Mon, Jul 16, 2012 at 11:17 PM, Berndbe...@kroenchenstadt.de wrote: I could provide shell access to a SS20 with 256MByte RAM and two 75MHz SuperSPARC II CPUs. The workload for the snapshot and ports build machines really requires full, local access. Well, console access would also be no problem -- except hands-on... Bernd It's not a good idea to do offical builds on a machine that isn't (physically) controlled by developers. Both from a practical and from a security point of view. Yikes. So no chance to get my chinese-modified SPARC into your project? ;) Okay, let's forget about that machine. -Otto Bernd
BGPd filter weirdness
Hi misc@,

I have defined a group in bgpd.conf like this:

iBGP_one=12.34.56.78
iBGP_two=12.34.56.79

group iBGP_Peers {
	remote-as 9876
	neighbor $iBGP_one { descr iBGP_one }
	neighbor $iBGP_two { descr iBGP_two }
	local-address 12.34.56.66
	announce all
	depend on em0
}

Now, setting filters using that group does not work; setting filters based on the individual neighbor's IP address does work.

allow quick from group iBGP_Peers	# this does NOT work

allow quick from 12.34.56.78
allow quick from 12.34.56.79		# works

Running bgpd -nv -f /etc/bgpd.conf shows "allow quick from group iBGP_Peers" and "allow quick from 12.34.56.78", "allow quick from 12.34.56.79" respectively. Where's the difference?

Thanks in advance,
Bernd
Re: pf and ICMP in asymmetric routing setups
On 2012-06-13 09:55, Insan Praja SW wrote:
> Hi,
>
> On Wed, 13 Jun 2012 08:07:31 +0700, Stuart Henderson s...@spacehopper.org wrote:
>> On 2012-06-12, Simon Perreault simon.perrea...@viagenie.ca wrote:
>>> On 2012-06-12 14:08, Bernd wrote:
>>>> I've got two OpenBSD 5.1-stable/amd64 boxes employed which do all the routing for our AS (OpenBGPd and OpenOSPFd). I see asymmetric traffic (I thought it to be that way), which itself doesn't really create problems. However, I see problems with ICMP. pf seems to drop all but the first response from any of the hosts within our network (seen from the Internet). Any idea how to deal with this? As soon as I turn off pf, everything runs smoothly.
>>>
>>> Without having the details of your setup, the big principle is: pf is stateful (by default). Statefulness doesn't play well with asymmetric routing. I'm sure if you investigate a little bit more you'll discover it's not limited to ICMP. In the end the solution will be one of: remove statefulness, avoid asymmetric routing, or share state with pfsync.
>>
>> If using pfsync for this, you would want to look at defer, see pfsync(4).
>
> I think I had the same problem. Please visit http://marc.info/?l=openbsd-miscm=133957370427451w=2

I saw it and instantly wished I'd have seen your mail about 24 hours earlier... ;)

>> Sloppy states might be more appropriate for this scenario though, and would let you use other things which require state tracking, e.g. pflow(4).
>
> Thanks,
> Insan Praja

Best,
Bernd
pf and ICMP in asymmetric routing setups
Hi list, I've got two OpenBSD 5.1-stable/amd64 boxes employed which do all the routing for our AS (OpenBGPd and OpenOSPFd). I see asymmetric traffic (I thought it to be that way), which itself doesn't really create problems. However, I see problems with ICMP. pf seems to drop all but the first response from any of the hosts within our network (seen from the Internet). Any idea how to deal with this? As soon as I turn off pf, everything runs smoothly. Best, Bernd
Re: pf and ICMP in asymmetric routing setups
On 2012-06-12 20:24, Simon Perreault wrote:
> On 2012-06-12 14:08, Bernd wrote:
>> I've got two OpenBSD 5.1-stable/amd64 boxes employed which do all the routing for our AS (OpenBGPd and OpenOSPFd). I see asymmetric traffic (I thought it to be that way), which itself doesn't really create problems. However, I see problems with ICMP. pf seems to drop all but the first response from any of the hosts within our network (seen from the Internet). Any idea how to deal with this? As soon as I turn off pf, everything runs smoothly.
>
> Without having the details of your setup, the big principle is: pf is stateful (by default). Statefulness doesn't play well with asymmetric routing. I'm sure if you investigate a little bit more you'll discover it's not limited to ICMP. In the end the solution will be one of: remove statefulness, avoid asymmetric routing, or share state with pfsync.

I thought of removing statefulness or using pfsync. I run quite a few load balancer setups that use, of course, pfsync and it runs like a charm. However, removing statefulness seems the more appropriate solution to me. Removing asymmetry isn't really an option, I guess, as there's more infrastructure than just my two core routers.

> My two cents: try to avoid statefulness on core routers. Move stateful elements to the edge, where routing is symmetric.

What might be the easiest solution to have pf not care about states any longer -- using 'keep state sloppy'? Or disabling statefulness entirely (how?)?

> Simon

Thanks,
Bernd
TCP Out-of-order packets on a machine behind an OpenBGPd based router
Hi misc,

I'm about to set up two OpenBGPd machines. At the moment they are each connected to two different upstream providers running OpenBGPd (and OpenOSPFd on the internal interfaces). Operating system is OpenBSD test-a.openbgp.bla.com 5.0 GENERIC.MP#0 amd64 (dmesg below).

On a host reserved for testing (CentOS 6.2 x86_64), which sits logically (seen from the internet) behind those machines, in an otherwise empty /22, I see weird network problems (tcpdumping traffic on port 25, and loading it into wireshark for further analysis): receiving mails (port 25, plain SMTP, a 3 MiByte attachment) from an external mail server, which comes in via one of the new BGP machines, I see massive 'TCP out of order' messages in wireshark, as well as 'TCP Dup ACK' messages. This is on the testbed machine itself. On the OpenBGPd router, capturing exactly the same traffic, all seems perfect.

There are two Cisco switches sitting between test-a.openbgp.bla.com and the testbed mail server, all interfaces perfectly clean, no duplex problems, no underruns, no runts, nothing -- perfect. Traffic within my AS is also absolutely no problem, the Linux machine runs here perfectly as well.

Any idea where to look?

Thanks,
Bernd

$ dmesg
OpenBSD 5.0-stable (GENERIC.MP) #0: Mon Mar 19 08:29:55 CET 2012 r...@bla.bla.bla:/usr/src/sys/arch/amd64/compile/GENERIC.MP real mem = 4285071360 (4086MB) avail mem = 4156882944 (3964MB) mainbus0 at root bios0 at mainbus0: SMBIOS rev. 2.6 @ 0x9f000 (74 entries) bios0: vendor American Megatrends Inc.
version 1.0c date 05/27/2010 bios0: Supermicro X8SIE acpi0 at bios0: rev 2 acpi0: sleep states S0 S1 S4 S5 acpi0: tables DSDT FACP APIC MCFG OEMB HPET GSCI SSDT EINJ BERT ERST HEST acpi0: wakeup devices P0P1(S4) P0P3(S4) P0P4(S4) P0P5(S4) P0P6(S4) BR1E(S4) PS2K(S4) PS2M(S4) USB0(S4) USB1(S4) USB2(S4) USB3(S4) USB4(S4) USB5(S4) USB6(S4) GBE_(S4) BR20(S4) BR21(S4) BR22(S4) BR23(S4) BR24(S4) BR25(S4) BR26(S4) BR27(S4) EUSB(S4) USBE(S4) SLPB(S4) acpitimer0 at acpi0: 3579545 Hz, 24 bits acpimadt0 at acpi0 addr 0xfee0: PC-AT compat cpu0 at mainbus0: apid 0 (boot processor) cpu0: Intel(R) Xeon(R) CPU X3430 @ 2.40GHz, 2400.35 MHz cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,NXE,LONG cpu0: 256KB 64b/line 8-way L2 cache cpu0: apic clock running at 133MHz cpu1 at mainbus0: apid 2 (application processor) cpu1: Intel(R) Xeon(R) CPU X3430 @ 2.40GHz, 2400.00 MHz cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,NXE,LONG cpu1: 256KB 64b/line 8-way L2 cache cpu2 at mainbus0: apid 4 (application processor) cpu2: Intel(R) Xeon(R) CPU X3430 @ 2.40GHz, 2400.00 MHz cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,NXE,LONG cpu2: 256KB 64b/line 8-way L2 cache cpu3 at mainbus0: apid 6 (application processor) cpu3: Intel(R) Xeon(R) CPU X3430 @ 2.40GHz, 2400.00 MHz cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,POPCNT,NXE,LONG cpu3: 256KB 64b/line 8-way L2 cache ioapic0 at mainbus0: apid 7 pa 
0xfec0, version 20, 24 pins ioapic0: misconfigured as apic 1, remapped to apid 7 acpimcfg0 at acpi0 addr 0xe000, bus 0-255 acpihpet0 at acpi0: 14318179 Hz acpiprt0 at acpi0: bus 0 (PCI0) acpiprt1 at acpi0: bus -1 (P0P1) acpiprt2 at acpi0: bus 1 (P0P3) acpiprt3 at acpi0: bus -1 (P0P6) acpiprt4 at acpi0: bus 7 (BR1E) acpiprt5 at acpi0: bus 2 (BR20) acpiprt6 at acpi0: bus 3 (BR24) acpiprt7 at acpi0: bus 4 (BR25) acpiprt8 at acpi0: bus 5 (BR26) acpiprt9 at acpi0: bus 6 (BR27) acpicpu0 at acpi0: C3, C2, C1, PSS acpicpu1 at acpi0: C3, C2, C1, PSS acpicpu2 at acpi0: C3, C2, C1, PSS acpicpu3 at acpi0: C3, C2, C1, PSS acpibtn0 at acpi0: SLPB acpibtn1 at acpi0: PWRB ipmi at mainbus0 not configured cpu0: Enhanced SpeedStep 2400 MHz: speeds: 2401, 2400, 2267, 2133, 2000, 1867, 1733, 1600, 1467, 1333, 1200 MHz pci0 at mainbus0 bus 0 pchb0 at pci0 dev 0 function 0 Intel Core DMI rev 0x11 ppb0 at pci0 dev 3 function 0 Intel Core PCIE rev 0x11: msi pci1 at ppb0 bus 1 em0 at pci1 dev 0 function 0 Intel PRO/1000 (82576) rev 0x01: msi, address 00:1b:21:b7:29:bc em1 at pci1 dev 0 function 1 Intel PRO/1000 (82576) rev 0x01: msi, address 00:1b:21:b7:29:bd Intel Core Management rev 0x11 at pci0 dev 8 function 0 not configured Intel Core Scratch rev 0x11 at pci0 dev 8 function 1 not configured Intel Core Control rev 0x11 at pci0 dev 8 function 2 not configured Intel Core Misc rev 0x11 at pci0 dev 8 function 3 not configured Intel Core QPI Link
Re: TCP Out-of-order packets on a machine behind an OpenBGPd based router
On 2012-05-08 16:02, Stuart Henderson wrote:
> On 2012-05-08, be...@kroenchenstadt.de be...@kroenchenstadt.de wrote:
>> Hi misc,
>>
>> I'm about to set up two OpenBGPd machines. At the moment they are each connected to two different upstream providers running OpenBGPd (and OpenOSPFd on the internal interfaces). Operating system is OpenBSD test-a.openbgp.bla.com 5.0 GENERIC.MP#0 amd64 (dmesg below).
>>
>> On a host reserved for testing (CentOS 6.2 x86_64), which sits logically (seen from the internet) behind those machines, in an otherwise empty /22, I see weird network problems (tcpdumping traffic on port 25, and loading it into wireshark for further analysis): receiving mails (port 25, plain SMTP, a 3 MiByte attachment) from an external mail server, which comes in via one of the new BGP machines, I see massive 'TCP out of order' messages in wireshark, as well as 'TCP Dup ACK' messages. This is on the testbed machine itself. On the OpenBGPd router, capturing exactly the same traffic, all seems perfect.
>>
>> There are two Cisco switches sitting between test-a.openbgp.bla.com and the testbed mail server, all interfaces perfectly clean, no duplex problems, no underruns, no runts, nothing -- perfect. Traffic within my AS is also absolutely no problem, the Linux machine runs here perfectly as well.
>>
>> Any idea where to look?
>
> Is PF in use? if so, have you done anything to make sure that you aren't running into problems due to stateful firewall only seeing half the packets (i.e. inbound via one machine, outbound via the other)?

That's a point, I do have asymmetric routing at the moment, as only the (now active) Ciscos announce the /22 in question to the rest of the world. So, ingress traffic crosses my OpenBSD machine, while egress traffic does not. However, the problem remains if I issue 'pfctl -d'.

> (Specifically, if this is happening and unavoidable, you could look at 'defer' in pfsync, or sloppy states in PF).

Thanks,
Bernd

>> $ dmesg
> [ snipped from quote, but thanks for including it :) ]
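As an added example (not from either of the two asymmetric-routing threads above, the ICMP one and this TCP one): the three remedies the replies name, written out as pf.conf so that the trade-offs are visible side by side. Interface names (em0 upstream, em3 pfsync link) and the 12.34.56.0/20 prefix are made up; the file is meant to be read, not loaded as a whole, since (a), (b) and (c) are alternatives.

```conf
# Added example, not from the threads.  em0 is the made-up upstream
# interface, em3 the pfsync link, 12.34.56.0/20 the AS's space.
# (a), (b) and (c) are alternatives; pick one.

# Keep states floating (the default): an if-bound state would never
# match a packet that enters on a different interface, which makes
# things worse on a multi-homed router.
set state-policy floating

# Problem: with full state tracking, the half of a flow that comes back
# through the other router finds no state here and is dropped.  A
# mid-stream TCP packet also fails the sequence-window check even if a
# pass rule lets it create a state.  pfctl -d "fixes" it only because
# pf stops filtering altogether.

# (a) Sloppy state: pf still keeps a state, so pflow(4) and friends
#     keep working, but skips the TCP sequence-window checks, so a flow
#     whose first packet went through the other router is accepted
#     mid-stream.  Cost: anyone who knows the endpoints can inject into
#     the flow without guessing sequence numbers.  Rules are written
#     without in/out so that either direction may create the state.
pass on em0 inet proto tcp from any to 12.34.56.0/20 keep state (sloppy)
pass on em0 inet proto tcp from 12.34.56.0/20 to any keep state (sloppy)
pass on em0 inet proto { udp icmp } from any to 12.34.56.0/20
pass on em0 inet proto { udp icmp } from 12.34.56.0/20 to any

# (b) No state on the core routers at all: they become plain packet
#     filters and the stateful rules move to the (symmetric) edge.
#     Both directions must be listed explicitly, nothing is implied.
pass on em0 inet from any to 12.34.56.0/20 no state
pass on em0 inet from 12.34.56.0/20 to any no state

# (c) Keep full state but share it with the other router via pfsync(4),
#     with "defer" so the packet that creates a state is held until the
#     peer has acknowledged it:
#         ifconfig pfsync0 syncdev em3 defer up
#     and keep the pfsync traffic itself off the state table:
pass in quick on em3 proto pfsync
pass on em0 inet proto tcp from any to 12.34.56.0/20
```

For a core router whose only job is forwarding, (b) is the smallest attack surface and the one the replies above lean towards; (a) is the compromise when you want state-derived data such as pflow; (c) costs latency on every new flow and only works when the two routers can see each other over a dedicated link.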
Re: NAT within VPN does not work (pf, isakmpd, rdomains)
:7c:14:2e 00:0c:29:89:77:e2 0800 74: 192.168.178.51 > 10.0.3.10: icmp: echo request
22:25:14.320296 00:0c:29:89:77:e2 00:00:5e:00:01:1e 0800 74: 10.0.3.10 > 192.168.178.51: icmp: echo reply
22:25:19.700501 00:0c:29:7c:14:2e 00:0c:29:89:77:e2 0800 74: 192.168.178.51 > 10.0.3.10: icmp: echo request
22:25:19.700711 00:0c:29:89:77:e2 00:00:5e:00:01:1e 0800 74: 10.0.3.10 > 192.168.178.51: icmp: echo reply
22:25:25.201630 00:0c:29:7c:14:2e 00:0c:29:89:77:e2 0800 74: 192.168.178.51 > 10.0.3.10: icmp: echo request
22:25:25.202011 00:0c:29:89:77:e2 00:00:5e:00:01:1e 0800 74: 10.0.3.10 > 192.168.178.51: icmp: echo reply
22:25:25.202229 00:0c:29:7c:14:2e 00:0c:29:89:77:e2 0800 70: 10.0.3.2 > 10.0.3.10: icmp: host 192.168.178.51 unreachable
22:25:30.701311 00:0c:29:7c:14:2e 00:0c:29:89:77:e2 0800 74: 192.168.178.51 > 10.0.3.10: icmp: echo request
22:25:30.701775 00:0c:29:89:77:e2 00:00:5e:00:01:1e 0800 74: 10.0.3.10 > 192.168.178.51: icmp: echo reply
22:25:30.701945 00:0c:29:7c:14:2e 00:0c:29:89:77:e2 0800 70: 10.0.3.2 > 10.0.3.10: icmp: host 192.168.178.51 unreachable
^C
51 packets received by filter
0 packets dropped by kernel

# State table:
# pfctl -vs state | grep icmp
all icmp (2) 10.0.3.10:8 (10.0.15.10:8) -> (2) 192.168.178.51:512 (192.168.178.51:512)       0:0
all icmp (2) 192.168.178.51:512 <- (2) 10.0.3.10:8       0:0

# A corresponding pseudo route is in place in rdomain 2 (10.0.3.0/24)
# route -T 2 -n show -inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
10.0.3/24          link#3             UC         1        0     -     4 em2
10.0.3.1           10.0.3.1           UH         0        0     -     4 carp2
10.0.3.10          00:0c:29:89:77:e2  UHLc       2      565     -     4 em2
10.0.4/24          10.0.3.10          UGS        0        0     -     8 em2
127.0.0.1          127.0.0.1          UH         2        0 33196     4 lo2
192.168.178/24     127.0.0.1          UGS        0       16 33196     8 lo2
213.61.190.48/28   127.0.0.1          UGS        0        0 33196     8 lo2

# Log of the remote gateway:
Number: 654
Date: 7May2012
Interface: eth1
Source: 192.168.178.51
Destination: 10.0.15.10
Protocol: icmp
ICMP: Echo Request
ICMP Type: 8
ICMP Code: 0
Encryption Scheme: IKE
Encryption Methods: ESP: AES-256 + SHA1
VPN Peer Gateway: obsd (88.77.88.60)

What am I doing wrong? Unfortunately NAT within VPNs is often requested by customers. I hope that it's possible to get it running. Otherwise I probably have to use a crappy commercial product - which discomfits me...

Thank you in advance!

Cheers,
Bernd

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Bornkessel, Bernd [ICP DE - Schwalbach]
Sent: Thursday, 3 May 2012 18:14
To: misc@openbsd.org
Subject: Re: NAT within VPN does not work (pf, isakmpd, rdomains)
Re: NAT within VPN does not work (pf, isakmpd, rdomains)
Hi,

I did some further investigations on this issue and found out that it has nothin' to do with isakmp or rdomains. The problem seems just to be related to pf.

I did troubleshooting with a reduced config.

em1: 10.0.3.1/24 rdomain 1
em2: 10.0.3.1/24 rdomain 2
Workstation1 (ws1): 10.0.3.10 attached to em1
Workstation2 (ws2): 10.0.3.10 attached to em2

Well, I missed the fact that unlike Check Point, OpenBSD seems to have the same order for inspection modules on both incoming and outgoing interface (1. NAT, 2. Packet Filter). Nevertheless there seems to be still an issue with pf (or at least with my comprehension :)

I started with the following pf config:

block drop in log all
match in on em1 from 10.0.3.0/24 to 10.0.5.0/24 rdr-to 10.0.3.0/24 bitmask
match out on em1 from 10.0.3.0/24 to 10.0.3.0/24 nat-to 10.0.5.0/24 bitmask
match in on em2 from 10.0.3.0/24 to 172.16.1.0/24 rdr-to 10.0.3.0/24 bitmask
match out on em2 from 10.0.3.0/24 to 10.0.3.0/24 nat-to 172.16.1.0/24 bitmask
pass in on em1 from 10.0.3.0/24 to 10.0.3.0/24 rtable 2
pass in on em2 from 10.0.3.0/24 to 10.0.3.0/24 rtable 1
pass out on em1 from 10.0.3.0/24 to 10.0.3.0/24
pass out on em2 from 10.0.3.0/24 to 10.0.3.0/24

When I tried to ping 10.0.5.10 from ws1 (10.0.3.10) or 172.16.1.10 from ws2 (10.0.3.10) the outgoing NAT (nat-to) wasn't done. But the packet was forwarded with the original NAT source.

When I thought that NAT is done before filtering I changed the access part of the policy to:

pass in on em1 from 10.0.3.0/24 to 10.0.3.0/24 rtable 2
pass in on em2 from 10.0.3.0/24 to 10.0.3.0/24 rtable 1
pass out on em1 from 10.0.5.0/24 to 10.0.3.0/24
pass out on em2 from 172.16.1.0/24 to 10.0.3.0/24

Everything works fine now. But if NAT is applied before filtering, and the source address had been rewritten before the packet filter match, the packet should be dropped instead of being forwarded in the first case, shouldn't it?

Thx in advance!
Cheers,
Bernd

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Bornkessel, Bernd [ICP DE - Schwalbach]
Sent: Wednesday, 2 May 2012 15:47
To: misc@openbsd.org
Subject: NAT within VPN does not work (pf, isakmpd, rdomains)

Hi,

as we have to connect several customers and branches with overlapping routing/encryption domains, I started creating a box using the rdomain feature of OpenBSD.

Routing between rdomains using pf is working flawlessly: NAT is applied in both directions and it works even with fully overlapping routing domains. Routing between rdomains and a VPN destination (isakmpd running in rdomain 0) is working as long as no NAT is tried to be applied.

Network configuration of the OBSD box:

# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33152
        priority: 0
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x9
        inet 127.0.0.1 netmask 0xff000000
em0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0c:29:7c:14:1a
        priority: 0
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex,master)
        status: active
        inet 88.77.88.61 netmask 0xfffffff0 broadcast 88.77.88.63
        inet6 fe80::20c:29ff:fe7c:141a%em0 prefixlen 64 scopeid 0x1
em1: flags=28b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST,NOINET6> rdomain 1 mtu 1500
        lladdr 00:0c:29:7c:14:24
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex,master)
        status: active
        inet 10.0.3.2 netmask 0xffffff00 broadcast 10.0.3.255
em2: flags=28b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST,NOINET6> rdomain 2 mtu 1500
        lladdr 00:0c:29:7c:14:2e
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex,master)
        status: active
        inet 10.0.3.2 netmask 0xffffff00 broadcast 10.0.3.255
em3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0c:29:7c:14:38
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex,master)
        status: active
        inet 192.168.230.2 netmask 0xfffffff0 broadcast 192.168.230.15
        inet6 fe80::20c:29ff:fe7c:1438%em3 prefixlen 64 scopeid 0x4
enc0: flags=41<UP,RUNNING>
        priority: 0
        groups: enc
        status: active
lo1: flags=28049<UP,LOOPBACK,RUNNING,MULTICAST,NOINET6> rdomain 1 mtu 33152
        priority: 0
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
lo2: flags=28049<UP,LOOPBACK,RUNNING,MULTICAST,NOINET6> rdomain 2 mtu 33152
        priority: 0
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
pfsync0: flags=41<UP,RUNNING> mtu 1500
        priority: 0
        pfsync: syncdev: em3 maxupd: 128 defer: off
        groups: carp pfsync
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33152
        priority: 0
        groups: pflog
carp0
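The fix Bernd reports above is to write the pass out rules in terms of the network that the nat-to match rule produces, not the network the packet arrived with. As an added example written for this page (not code from the thread or from OpenBSD), here is a small Python lint that reads the two rulesets transcribed from the message and flags pass rules that still select the pre-translation source or destination on the same interface and direction as an earlier match rule with nat-to or rdr-to. It understands only the rule vocabulary used in those rulesets and plain IPv4 networks; rtable, log, quick and bitmask are parsed but carry no meaning for the check.

```python
"""Lint a pf ruleset for pass rules that still name pre-translation addresses.

Added example written for this page, not code from the thread or from OpenBSD.
Assumed: only the rule vocabulary used in the thread (match/pass/block, in/out,
on, from, to, nat-to, rdr-to, bitmask, rtable, log, quick, all) and plain IPv4
networks; address lists, ports and tables are not handled.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

Net = ipaddress.IPv4Network

# First ruleset from the message (NAT "wasn't done"); the second one differs
# only in the two pass out rules, which now name the post-nat-to networks.
RULESET_BEFORE = """
block drop in log all
match in on em1 from 10.0.3.0/24 to 10.0.5.0/24 rdr-to 10.0.3.0/24 bitmask
match out on em1 from 10.0.3.0/24 to 10.0.3.0/24 nat-to 10.0.5.0/24 bitmask
match in on em2 from 10.0.3.0/24 to 172.16.1.0/24 rdr-to 10.0.3.0/24 bitmask
match out on em2 from 10.0.3.0/24 to 10.0.3.0/24 nat-to 172.16.1.0/24 bitmask
pass in on em1 from 10.0.3.0/24 to 10.0.3.0/24 rtable 2
pass in on em2 from 10.0.3.0/24 to 10.0.3.0/24 rtable 1
pass out on em1 from 10.0.3.0/24 to 10.0.3.0/24
pass out on em2 from 10.0.3.0/24 to 10.0.3.0/24
"""
RULESET_AFTER = RULESET_BEFORE.replace(
    "pass out on em1 from 10.0.3.0/24", "pass out on em1 from 10.0.5.0/24").replace(
    "pass out on em2 from 10.0.3.0/24", "pass out on em2 from 172.16.1.0/24")


@dataclass
class Rule:
    action: str                      # match, pass or block
    text: str                        # the rule as written, for reporting
    direction: Optional[str] = None  # in, out or None (both)
    iface: Optional[str] = None      # None means any interface
    src: Optional[Net] = None        # None means "any"
    dst: Optional[Net] = None
    nat_to: Optional[Net] = None     # source rewrite requested by a match rule
    rdr_to: Optional[Net] = None     # destination rewrite requested by a match rule


_NET_FIELDS = {"from": "src", "to": "dst", "nat-to": "nat_to", "rdr-to": "rdr_to"}


def _net(token: str) -> Optional[Net]:
    return None if token == "any" else ipaddress.IPv4Network(token, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse one rule line of the pf.conf subset described in the module docstring."""
    toks = line.split()
    rule = Rule(action=toks[0], text=line.strip())
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok in ("in", "out"):
            rule.direction = tok
        elif tok == "on":
            i += 1
            rule.iface = toks[i]
        elif tok in _NET_FIELDS:
            i += 1
            setattr(rule, _NET_FIELDS[tok], _net(toks[i]))
        elif tok == "rtable":
            i += 1  # routing-domain selector: no address semantics for this check
        # drop, log, quick, all, bitmask: nothing to record for this check
        i += 1
    return rule


def _same_path(a: Rule, b: Rule) -> bool:
    """Same direction, and either rule is interface-agnostic or both name one interface."""
    return a.direction == b.direction and (a.iface is None or b.iface is None or a.iface == b.iface)


def _stale(selector: Optional[Net], before: Optional[Net], after: Optional[Net]) -> bool:
    """The pass rule selects the untranslated block but not the translated one."""
    if selector is None or before is None or after is None:
        return False
    return selector.overlaps(before) and not selector.overlaps(after)


def lint(text: str) -> List[str]:
    """One finding per pass rule that cannot match once an earlier match rule on
    the same interface and direction has rewritten the address it selects on."""
    findings, translations = [], []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        rule = parse_rule(line)
        if rule.action == "pass":
            for m in translations:
                if not _same_path(m, rule):
                    continue
                if _stale(rule.src, m.src, m.nat_to):
                    findings.append(f"{rule.text}: source {rule.src} is already rewritten to {m.nat_to} by '{m.text}'")
                if _stale(rule.dst, m.dst, m.rdr_to):
                    findings.append(f"{rule.text}: destination {rule.dst} is already rewritten to {m.rdr_to} by '{m.text}'")
        elif rule.action == "match" and (rule.nat_to is not None or rule.rdr_to is not None):
            translations.append(rule)
    return findings
```

Running lint(RULESET_BEFORE) reports the two pass out rules (one per interface), while lint(RULESET_AFTER) reports nothing; the pass in rules are fine in both rulesets because their "to" network is the one the rdr-to produces. The check only looks at rule order within one direction and interface, which is exactly the relationship the thread is about; it does not model states or the default policy.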
NAT within VPN does not work (pf, isakmpd, rdomains)
: Quick Mode completion
IKE IDs: subnet: 192.168.33.0 (mask= 255.255.255.0) and subnet: 10.0.15.0 (mask= 255.255.255.0)
Source Key ID: 0x274763cc
Destination Key ID: 0x02234fca
Encryption Scheme: IKE
Encryption Methods: ESP: AES-256 + SHA1
IKE Initiator Cookie: 4df1247f162befd5
IKE Responder Cookie: 3f45060c7024c41e
IKE Phase2 Message ID: 19562ec3
VPN Peer Gateway: obsd (88.77.88.60)
Subproduct: VPN
VPN Feature: IKE

Although everything looks fine, a ping to the remote site from a workstation on the local site (10.0.3/24) fails. In a trace on pflog0 I can see that the packets match the correct rule but are not translated.

# tcpdump -nei pflog0
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
16:38:18.382729 rule 14/(match) match out on enc0: 10.0.3.10 > 192.168.33.51: icmp: echo request (DF)
16:38:19.391099 rule 14/(match) match out on enc0: 10.0.3.10 > 192.168.33.51: icmp: echo request (DF)
16:38:20.399146 rule 14/(match) match out on enc0: 10.0.3.10 > 192.168.33.51: icmp: echo request (DF)
16:38:21.407203 rule 14/(match) match out on enc0: 10.0.3.10 > 192.168.33.51: icmp: echo request (DF)
16:38:22.415234 rule 14/(match) match out on enc0: 10.0.3.10 > 192.168.33.51: icmp: echo request (DF)
16:38:23.423168 rule 14/(match) match out on enc0: 10.0.3.10 > 192.168.33.51: icmp: echo request (DF)
16:38:24.431330 rule 14/(match) match out on enc0: 10.0.3.10 > 192.168.33.51: icmp: echo request (DF)
^C
7 packets received by filter
0 packets dropped by kernel
#

# pfctl -sr -R 14
match out log on enc0 inet from 10.0.3.0/24 to 192.168.33.0/24 nat-to 10.0.15.0/24 bitmask static-port
#

# pfctl -s state | grep 192.168.33
all icmp 192.168.33.51:8 ((2) 192.168.33.51:8) <- 10.0.3.10:1981 ((2) 10.0.3.10:1981)       0:0
#

Thus the packet is dropped by the remote gateway:

Number: 441
Date: 2May2012
Time: 14:33:12
Interface: eth0
Origin: gaia1
Type: Log
Action: Drop
Source: 10.0.3.10
Destination: 192.168.33.51
Protocol: icmp
Information: ICMP: Echo Request
ICMP Type: 8
ICMP Code: 0
encryption failure: According to the policy the packet should not have been decrypted
Encryption Scheme: IKE
Encryption Methods: ESP: AES-256 + SHA1
VPN Peer Gateway: obsd (88.77.88.60)
Subproduct: VPN
VPN Feature: VPN
Product: Security Gateway/Management
Log ID: 404821
Product Family: Network

Any hints and help is appreciated.

Cheers,
Bernd
Re: High CPU interrupts, low network performance
On 2011-01-12, Bernd Bornkessel <bbornkes...@dunkel.de> wrote:
>> unfortunately I'm facing a problem with my OBSD routers running 4.8-RELEASE. With top I can see very high interrupt cpu states, when forwarding high packet rates.
>
> Is there much difference if you switch to GENERIC instead of GENERIC.MP? (probably installed as /bsd.sp; you can either rename the file, or type 'boot bsd.sp' at the boot prompt, or 'echo set image bsd.sp > /etc/boot.conf')

I can't see much difference running GENERIC. Maybe a little bit more throughput, but still with the cpu on fire.
High CPU interrupts, low network performance
Hi misc,

unfortunately I'm facing a problem with my OBSD routers running 4.8-RELEASE. With top I can see very high interrupt cpu states, when forwarding high packet rates.

Example: With nuttcp I generated traffic on systems connected to different router interfaces at the same time. It seems that the highest possible throughput is around 1.1 Gbps.

CPU0 states:  0.0% user,  0.0% nice,  0.0% system, 94.8% interrupt,  5.2% idle
CPU1 states:  0.0% user,  0.0% nice,  0.0% system,  0.0% interrupt,  100% idle
Memory: Real: 10M/60M act/tot  Free: 1911M  Swap: 0K/4095M used/tot

The hardware we're using are Network appliances barebone from Axiomtek, NA-820 (http://axiomtek.com/products/ViewProduct.asp?view=429) that has 7 onboard Intel NICs 82573L. In the obsd man page for the em(4) driver I found that the mentioned chipset does not provide VLAN tag insertion and stripping as well as jumbo frames. But that doesn't seem to be the problem as using VLAN tagging doesn't change the interrupt states much. The same with disabling pf and carp.

As those appliances are very cheap I first thought that 1.1 Gbps throughput might be the maximum in any case. With a different OS on two of the boxes I get at least 2 Gbps with cpus 96% idle. But as I need pf, pflow, carp, ospfd (in future) this is not an option.

In the list archives I found a case with high cpu interrupts using em but if I got it right it was related to ALTQ - and unfortunately unsolved.

Any suggestions? Please find the dmesg output below.

Best regards and thanks in advance,
Bernd

OpenBSD 4.8 (GENERIC.MP) #335: Mon Aug 16 09:09:20 MDT 2010
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2136866816 (2037MB)
avail mem = 2066161664 (1970MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.2 @ 0xf0800 (39 entries)
bios0: vendor Phoenix Technologies, LTD version 6.00 PG date 04/30/2010
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP MCFG APIC
acpi0: wakeup devices PEX0(S5) PEX1(S5) PEX2(S5) PEX3(S5) PEX4(S5) PEX5(S5) HUB0(S5) UAR1(S5) UAR2(S5) USB0(S1) USB1(S1) USB2(S1) USB3(S1) USBE(S1) AC97(S5) AZAL(S5) PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Pentium(R) Dual CPU E2220 @ 2.40GHz, 2400.38 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,SSSE3,CX16,xTPR,PDCM,NXE,LONG
cpu0: 1MB 64b/line 4-way L2 cache
cpu0: apic clock running at 200MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Pentium(R) Dual CPU E2220 @ 2.40GHz, 2400.09 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,SSSE3,CX16,xTPR,PDCM,NXE,LONG
cpu1: 1MB 64b/line 4-way L2 cache
ioapic0 at mainbus0: apid 4 pa 0xfec00000, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 4
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 2 (PEX0)
acpiprt2 at acpi0: bus 3 (PEX1)
acpiprt3 at acpi0: bus 4 (PEX2)
acpiprt4 at acpi0: bus 5 (PEX3)
acpiprt5 at acpi0: bus 6 (PEX4)
acpiprt6 at acpi0: bus 7 (PEX5)
acpiprt7 at acpi0: bus 8 (HUB0)
acpicpu0 at acpi0
acpicpu1 at acpi0
acpitz0 at acpi0
acpitz0: THRM: failed to read _TMP
acpibtn0 at acpi0: PWRB
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 Intel 82945G Host rev 0x02
ppb0 at pci0 dev 1 function 0 Intel 82945G PCIE rev 0x02: apic 4 int 16 (irq 7)
pci1 at ppb0 bus 1
em0 at pci1 dev 0 function 0 Intel PRO/1000MT (82573L) rev 0x00: apic 4 int 16 (irq 7), address 00:60:e0:4b:d2:a6
vga1 at pci0 dev 2 function 0 Intel 82945G Video rev 0x02
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
intagp0 at vga1
agp0 at intagp0: aperture at 0xc0000000, size 0x10000000
inteldrm0 at vga1: apic 4 int 16 (irq 7)
drm0 at inteldrm0
ppb1 at pci0 dev 28 function 0 Intel 82801GB PCIE rev 0x01: apic 4 int 16 (irq 7)
pci2 at ppb1 bus 2
em1 at pci2 dev 0 function 0 Intel PRO/1000MT (82573L) rev 0x00: apic 4 int 16 (irq 7), address 00:60:e0:4b:d2:a7
ppb2 at pci0 dev 28 function 1 Intel 82801GB PCIE rev 0x01: apic 4 int 17 (irq 5)
pci3 at ppb2 bus 3
em2 at pci3 dev 0 function 0 Intel PRO/1000MT (82573L) rev 0x00: apic 4 int 17 (irq 5), address 00:60:e0:4b:d2:a8
ppb3 at pci0 dev 28 function 2 Intel 82801GB PCIE rev 0x01: apic 4 int 18 (irq 10)
pci4 at ppb3 bus 4
em3 at pci4 dev 0 function 0 Intel PRO/1000MT (82573L) rev 0x00: apic 4 int 18 (irq 10), address 00:60:e0:4b:d2:a9
ppb4 at pci0 dev 28 function 3 Intel 82801GB PCIE rev 0x01: apic 4 int 19 (irq 11)
pci5 at ppb4 bus 5
em4 at pci5 dev 0 function 0 Intel PRO/1000MT (82573L) rev 0x00: apic 4 int 19 (irq 11), address 00:60:e0:4b:d2:aa
ppb5 at pci0 dev 28 function 4 Intel 82801G PCIE rev 0x01: apic 4 int 16 (irq 7)
pci6 at ppb5 bus 6
em5 at pci6 dev
Pflow netflows exported twice for each connection?
Hi folks,

I plan to move our core routers from FreeBSD to OpenBSD. Currently I use netgraph and ng_netflow on the FreeBSD machines for netflow accounting. As there is a netflow kernel implementation with pflow in OpenBSD, too, I decided to use this. Unfortunately it seems that flows are exported twice for each connection. The routers are running on OpenBSD 4.8 RELEASE (no patch applied).

A quick example: I have a machine named bsd-01 (192.168.89.4) that collects the netflows using flowd (I have also used flow-tools with the same result). The test networks 192.168.89/24 and 192.168.92/24 are connected via the OpenBSD routers (HA pair with carp) which have pflow enabled for netflow accounting.

/etc/hostname.pflow0:
flowsrc 192.168.89.150 flowdst 192.168.89.4:2100

/etc/pf.conf:
set skip on lo
pass quick proto tcp from 192.168.89.55 to 192.168.92.55 port 5001 keep state (pflow)
pass keep state
block in on ! lo0 proto tcp to port 6000:6010

Now I generate some packets from 192.168.89.55 to 192.168.92.55 in order to get accounting data:

grabnebel:~# nuttcp -i1 192.168.92.55
  108.2655 MB /   1.00 sec =  908.1545 Mbps
  110.5109 MB /   1.00 sec =  927.0402 Mbps
  111.6529 MB /   1.00 sec =  936.6258 Mbps
  111.6529 MB /   1.00 sec =  936.6277 Mbps
  111.6598 MB /   1.00 sec =  936.6641 Mbps
  111.6529 MB /   1.00 sec =  936.5949 Mbps
  111.6529 MB /   1.00 sec =  936.6212 Mbps
  111.6529 MB /   1.00 sec =  936.6296 Mbps
  111.6598 MB /   1.00 sec =  936.6632 Mbps
  111.6529 MB /   1.00 sec =  936.5940 Mbps
 1113.5000 MB /  10.01 sec =  932.8309 Mbps 5 %TX 20 %RX
grabnebel:~#

In pf's state table I see two records - one for each direction of the connection.

rtr-fra-01# pfctl -vss | grep -A2 5001
all tcp 192.168.92.55:5001 <- 192.168.89.55:41068       FIN_WAIT_2:FIN_WAIT_2
   [638328050 + 5888] wscale 6  [1759713472 + 1636288] wscale 6
   age 00:00:46, expires in 00:00:54, 806350:403706 pkts, 1209519584:20998868 bytes, rule 0, pflow
all tcp 192.168.89.55:41068 -> 192.168.92.55:5001       FIN_WAIT_2:FIN_WAIT_2
   [1759713472 + 1636288] wscale 6  [638328050 + 5888] wscale 6
   age 00:00:46, expires in 00:00:54, 806350:403706 pkts, 1209519584:20998868 bytes, rule 0, pflow
rtr-fra-01#

After the states have expired on the router the flows are exported to the collector and I can read them from the logfile.

bsd-01# flowd-reader /var/log/flowd
FLOW recv_time 2011-01-05T11:18:13.209625 proto 6 tcpflags 00 tos 00 agent [192.168.89.150] src [192.168.89.55]:41068 dst [192.168.92.55]:5001 packets 806350 octets 1209519584
FLOW recv_time 2011-01-05T11:18:13.209625 proto 6 tcpflags 00 tos 00 agent [192.168.89.150] src [192.168.92.55]:5001 dst [192.168.89.55]:41068 packets 403706 octets 20998868
FLOW recv_time 2011-01-05T11:18:13.209625 proto 6 tcpflags 00 tos 00 agent [192.168.89.150] src [192.168.89.55]:41068 dst [192.168.92.55]:5001 packets 806350 octets 1209519584
FLOW recv_time 2011-01-05T11:18:13.209625 proto 6 tcpflags 00 tos 00 agent [192.168.89.150] src [192.168.92.55]:5001 dst [192.168.89.55]:41068 packets 403706 octets 20998868
bsd-01#

I can see that the accounted octets match the traffic data in the state table. But unfortunately it seems that both RX and TX traffic data are exported for each record which results in redundant accounting data. Correct me if I'm wrong but for correct traffic accounting there should be only one flow for RX and one for TX, shouldn't it?

Any suggestions?

Best regards and thanks in advance,
Bernd
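The four flowd-reader records above are the symptom: each direction of the connection reaches the collector twice with identical counters. As an added example, not code from the thread, from flowd or from pflow, here is a Python check a collector operator can run over flowd-reader output to spot exact-duplicate records and to compare raw against deduplicated totals; the sample input is the four lines from the post, embedded inline. Records are considered duplicates only when agent, protocol, endpoints and counters all agree, so a genuinely new flow between the same endpoints (which carries different counters) is not collapsed.

```python
"""Detect flow records that a collector received twice.

Added example for this thread, not code from the original post, flowd or pflow.
It parses the flowd-reader text format shown above and treats two records with
the same agent, protocol, endpoints and counters as one flow exported twice.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

# Sample input: the four records printed by flowd-reader in the post above.
SAMPLE_LOG = """
FLOW recv_time 2011-01-05T11:18:13.209625 proto 6 tcpflags 00 tos 00 agent [192.168.89.150] src [192.168.89.55]:41068 dst [192.168.92.55]:5001 packets 806350 octets 1209519584
FLOW recv_time 2011-01-05T11:18:13.209625 proto 6 tcpflags 00 tos 00 agent [192.168.89.150] src [192.168.92.55]:5001 dst [192.168.89.55]:41068 packets 403706 octets 20998868
FLOW recv_time 2011-01-05T11:18:13.209625 proto 6 tcpflags 00 tos 00 agent [192.168.89.150] src [192.168.89.55]:41068 dst [192.168.92.55]:5001 packets 806350 octets 1209519584
FLOW recv_time 2011-01-05T11:18:13.209625 proto 6 tcpflags 00 tos 00 agent [192.168.89.150] src [192.168.92.55]:5001 dst [192.168.89.55]:41068 packets 403706 octets 20998868
"""

# One flowd-reader line; tcpflags/tos are skipped, the rest is captured by name.
FLOW_RE = re.compile(
    r"^FLOW recv_time (?P<recv>\S+) proto (?P<proto>\d+) tcpflags \S+ tos \S+ "
    r"agent \[(?P<agent>[^\]]+)\] src \[(?P<src>[^\]]+)\]:(?P<sport>\d+) "
    r"dst \[(?P<dst>[^\]]+)\]:(?P<dport>\d+) packets (?P<packets>\d+) octets (?P<octets>\d+)$"
)


class Flow(NamedTuple):
    agent: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    octets: int


def parse_flows(text: str) -> List[Flow]:
    """Parse every FLOW line; blank lines and anything else are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        flows.append(Flow(m["agent"], int(m["proto"]), m["src"], int(m["sport"]),
                          m["dst"], int(m["dport"]), int(m["packets"]), int(m["octets"])))
    return flows


def find_duplicates(flows: List[Flow]) -> Dict[Flow, int]:
    """Map each record seen more than once to the number of copies received."""
    return {f: n for f, n in Counter(flows).items() if n > 1}


def dedup(flows: List[Flow]) -> List[Flow]:
    """Keep the first copy of every record, preserving input order."""
    seen, out = set(), []
    for f in flows:
        if f not in seen:
            seen.add(f)
            out.append(f)
    return out


def totals(flows: List[Flow]) -> Tuple[int, int]:
    """(packets, octets) summed over the given records."""
    return sum(f.packets for f in flows), sum(f.octets for f in flows)


if __name__ == "__main__":
    records = parse_flows(SAMPLE_LOG)
    for flow, copies in find_duplicates(records).items():
        print(f"{copies}x {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport} octets={flow.octets}")
    print("raw totals:", totals(records), "deduplicated:", totals(dedup(records)))
```

On the sample input the raw octet total is exactly twice the deduplicated one, which is the double accounting Bernd describes. Deduplicating at the collector only masks the symptom; the resolution later in this thread is to restrict the pflow rule to one direction or interface so that only one state per connection is created on the router.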
Re: Pflow netflows exported twice for each connection?
> What happens if you limit this to one direction and/or interface? For example:
>
> pass out quick on egress proto tcp from 192.168.89.55 to 192.168.92.55 port 5001 keep state (pflow)

Ok. Now it works, as long as the pflow rule is limited to (direction OR interface) AND no rule matching the packets from the opposite direction with pflow enabled follows.

With only one rule in place I get one state table entry and perfect accounting data:

/etc/pf.conf:
set skip on lo
pass out quick keep state (pflow)

rtr-fra-01# pfctl -vss | grep -A2 5001
all tcp 192.168.89.55:38240 -> 192.168.92.55:5001       FIN_WAIT_2:FIN_WAIT_2
   [1261840914 + 2108288] wscale 6  [123438922 + 5888] wscale 6
   age 00:00:12, expires in 00:01:28, 809292:405808 pkts, 1213932408:21122148 bytes, rule 0, pflow
rtr-fra-01#

bsd-01# flow-print < bsdflow | grep 5001
192.168.89.55    192.168.92.55    6     38240  5001   1213932408  809292
192.168.92.55    192.168.89.55    6     5001   38240  21122148    405808
bsd-01#

Thx a lot!

Regards,
Bernd
Re: batch -f command does not know working directory info at invocation time
On Mon, Oct 05, 2009 at 12:55 -0700, Austin Hook wrote:
> According to the man pages for at (or batch):
>
>     The working directory, the environment (except for the variables TERM, TERMCAP, DISPLAY, and _), and the umask are retained from the time of invocation.
>
> But, oddly enough, at the time of actual invocation it seems not to know this information:
>
> Script started on Mon Oct 5 12:09:21 2009
> $ echo echo hello > ee
> $ batch -f ee
> Cannot open input file: No such file or directory
> $ batch -f ~/ee
> commands will be executed using /bin/ksh
> job 1254766194.E at Mon Oct 5 12:09:54 2009
> $ exit
>
> Script done on Mon Oct 5 12:10:00 2009
>
> If the -f option requires a non-relative path spec. for the file, the manual does not say so, as far as I can see. Tested on 4.5 and 4.6.

AFAICT from at(1), the code is still mostly T-Rex's implementation. You may want to have a look at https://launchpad.net/~at-ng for a reimplementation from scratch. The client side is mostly done (still using directories and signals for communication with atd). It doesn't build on openBSD though for reasons that will go away when switching to a C/S approach RSN. The server (atd) side will be working soon with communications using Unix domain sockets.

Thanks for listening
Siggy

-- 
O ascii ribbon campaign - stop html mail - www.asciiribbon.org
|11 days until| bsb-at-psycho-dot-informationsanarchistik-dot-de |
|www.Ubucon.de| or: bsb-at-psycho-dot-i21k-dot-de |
+--- ceterum censeo javascriptum esse restrictam +
Re: batch -f command does not know working directory info at invocation time
Hi Ted,

better not wake up sleeping dogs :)

On Mon, Oct 05, 2009 at 17:14 -0400, you wrote:
> On Mon, Oct 5, 2009 at 4:00 PM, Bernd Siggy Brentrup <b...@free-it.org> wrote:
>> AFAICT from at(1), the code is still mostly T-Rex's implementation. You may want to have a look at https://launchpad.net/~at-ng for a reimplementation from scratch. The client side is mostly done
>
> I don't think one small bug is sufficient reason to replace a generally working BSD licensed program with a GPL one.

The oldest sources by Thomas Koenig (aka T-Rex) I have at hand (3.1.8 iirc) definitely carry a GPL license statement. I'm curious in how far openBSD's source code for at differs to warrant a different license if at all possible. Up to now I only checked the manpage.

btw, Debian's at package has collected ~60 open bug reports over the years, dunno if they apply to openBSD's at too.

Regards
Siggy
at BSD licensed [was: batch -f command does not know working directory info at invocation time]
On Tue, Oct 06, 2009 at 01:30 +0000, Jacob Meuser wrote:
> On Tue, Oct 06, 2009 at 02:48:59AM +0200, Bernd Siggy Brentrup wrote:
>> Hi Ted,
>>
>> better not wake up sleeping dogs :)
>>
>> On Mon, Oct 05, 2009 at 17:14 -0400, you wrote:
>>> On Mon, Oct 5, 2009 at 4:00 PM, Bernd Siggy Brentrup <b...@free-it.org> wrote:
>>>> AFAICT from at(1), the code is still mostly T-Rex's implementation. You may want to have a look at https://launchpad.net/~at-ng for a reimplementation from scratch. The client side is mostly done
>>>
>>> I don't think one small bug is sufficient reason to replace a generally working BSD licensed program with a GPL one.
>>
>> The oldest sources by Thomas Koenig (aka T-Rex) I have at hand (3.1.8 iirc) definitely carry a GPL license statement. I'm curious in how far openBSD's source code for at differs to warrant a different license if at all possible. Up to now I only checked the manpage.
>
> http://www.freebsd.org/cgi/cvsweb.cgi/src/usr.bin/at/LEGAL?rev=1.1

Thanks for this link which obviously clarifies the issue. I'm Cc'ing Joey Schulze who told me maintaining at for Debian was an upstream job too back in 2000.

Regards
Siggy
Re: batch -f command does not know working directory info at invocation time
On Mon, Oct 05, 2009 at 19:35 -0600, Theo de Raadt wrote:
>> On Mon, Oct 05, 2009 at 17:14 -0400, you wrote:
>>> On Mon, Oct 5, 2009 at 4:00 PM, Bernd Siggy Brentrup <b...@free-it.org> wrote:
>>>> AFAICT from at(1), the code is still mostly T-Rex's implementation. You may want to have a look at https://launchpad.net/~at-ng for a reimplementation from scratch. The client side is mostly done
>>>
>>> I don't think one small bug is sufficient reason to replace a generally working BSD licensed program with a GPL one.
>>
>> The oldest sources by Thomas Koenig (aka T-Rex) I have at hand (3.1.8 iirc) definitely carry a GPL license statement. I'm curious in how far openBSD's source code for at differs to warrant a different license if at all possible. Up to now I only checked the manpage.
>>
>> btw, Debian's at package has collected ~60 open bug reports over the years, dunno if they apply to openBSD's at too.
>
> Really. How interesting. The word on the street is that your stuff is the biggest pile of shit. 400 bug reports, I hear.
>
> Or, wait, did you want to start a constructive discussion? It sure doesn't look like it.
>
> Let's keep it simple. Why don't you just go away, and stop acting the fool?

If you answer your own questions, who is acting like an idiot then?

The word goes Theo de Raadt himself is driving away ppl from using openBSD by pissing them off publicly.

Bye
Siggy
Re: batch -f command does not know working directory info at invocation time
On Mon, Oct 05, 2009 at 20:47 -0600, Theo de Raadt wrote:
>> The word goes Theo de Raadt himself is driving away ppl from using openBSD by pissing them off publicly.
>
> I am more than happy to drive away people who come to our mailing list trying to sell their wares.

What exactly makes you think I'm trying to sell at-ng? Just to save you the hassle of looking it up yourself here's the text from the page I pointed at:

| at-ng developers
|
| This team is about replacing the traditional *nix command suite at, atq, atrm and batch with revamped versions. It starts from an old unfinished rewrite from scratch of mine from 2001, for details see the project page below.
|
| I'm open to any suggestions, help you may offer, translations &c. Provided you want to participate, join the team; if you only have features you'd like to see incorporated, feel free to file a wishlist bug against the project.

In my understanding this is a request for input, modulo some hidden meaning I as a non-native english speaker may be missing. If this isn't acceptable on misc, I apologize.

Regards
Siggy
Re: managing authorized_keys
On Tue, Sep 22, 2009 at 18:01 -0400, bofh wrote:
> On Tue, Sep 22, 2009 at 5:16 PM, neal hogan <n...@lambdaserver.com> wrote:
>> I'd never say 'laf' before, so I did the usual and of course it is an acronym for many, many things . . . in this case I think it stands for 'LOL Anime Fanboys' -theFreeDictionary.com Am I far off?
>
> No idea. Been using it as a short form of laugh for years and years and years (I was on usenet 19 years ago, not sure if I started using it then)

You may even have seen it from a native german speaker, 'laf' pronounced in german sounds almost identical to 'laugh' in oxford english what we learn at school.

Siggy
Re: OT: Old School Unix vs. Modern Day Support Professionals - was (Defending OpenBSD Performance)
Sorry Brian to sort of hijack this new thread; until late last night I had no time to follow the original one and you don't attribute your opponent.

On Thu, Sep 17, 2009 at 12:27 -0400, Brian Shackelford wrote:
> Correction, a professional OS that requires its users to be professionals. Not a bunch of whining windows update people that have to call IT to launch excel. In case you hadn't noticed we are old school UNIX users that don't mind fixing whatever problem is at hand. Including writing code or fixing a bug. This is why in the olden days your IT department was worth something and wasn't a bunch of monkeys reading a script. It is exactly your attitude that has ruined the computer industry.
>
> You have an odd definition of professional, and the kind of attitude that sounds like you haven't actually worked in the computer industry in a while.

Dunno about Brian, I have been in the IT Business since 1969, I've seen it developing. With the advent of personal computers it first seemed that IT might provide real value to the masses. Anyone who still remembers AmigaOS?

> Generally, the computer industry is about providing services to end users.

Correct, but: When m$ started to release unfinished products to meet a deadline imposed by marketing they together with intel won the battle, resulting in companies like digital equipment long ago or sgi not that long ago disappearing from the market. Nowadays I can't buy a solidly built computer anywhere, I have to design it by myself. In the old days of microprocessors that used to be a manageable task for a single person, nowadays you have to find a large team of people capable of using their own brains instead of following prescribed paths.

> And things like easy updates, specialisation of labour and all of that kind of stuff have made us an awful lot better at that than 'old school UNIX' ever was.

*ROTFL* guess who developed most of that easy upgrade stuff e.g. for Debian, every single person involved in that effort is an old style Unix professional; I wasn't among them but having been an unimportant Debian developer from '95 thru '04 I know them.

> You know it is interesting - having been in this industry for over 16 years - to see the attitudes of so many professionals in the IT industry. I make my living by fixing all the problems many of these so-called professionals cause when they work on things. It is so very troubling to get phone calls from people that have been laid off from their IT job in some of the large corporations where they commanded huge salaries and now they have opened their own business and are calling us for support because they don't have a clue about what it takes to actually do the work.
>
> I almost believe that the perception in this industry is if you can pronounce server, workstation, network, switch, hard drive, and a few other highly technical (btw - the should be read with sarcasm for you Microsoft folks out there) terms, that it is acceptable to call yourself an IT professional. Fact of the matter is that I have become convinced that those that know how to actually TROUBLESHOOT problems are in the very small minority in this industry. Don't get me wrong - I am by no means complaining - for it is how I get paid. I am just sick of so-called professionals with Master's Degrees in IT telling me that they are right and I am wrong because they think pushing a few buttons and having a degree makes them smarter than some of us that earned our experience.
>
> Old School Unix = People that KNOW what they are doing. I work with Macs, PC's, Windows, Novell, Mac OS, Linux, Unix, Windows, DOS (Yes some customers still use this), THEOS (anyone else heard of that one???). I have the certifications to prove my knowledge - but none of that means bupkiss if I can't fix a problem I have never seen before.
>
> The strength of Old-School Unix folks is their resourcefulness in fixing the problems they are faced with - whether they have seen that specific problem or not - without having to whine to everyone that it just doesn't work. If there is a problem - they fix it - sometimes that means writing code or hacking together a solution. I can't begin to tell you how many times a client has a call into Microsoft and we fix the problem hours (if not days) before Microsoft calls back simply by actually troubleshooting and researching the problem. Sometimes this means we actually (gasp) edit the registry.
>
> Now to bring this to the place of why this relates to OpenBSD. I love OpenBSD, we have some installs that have been in place for several years and I never even think about them. I lose sleep every night I go home when I think about all the Windows systems we manage, but I never even think about the OpenBSD boxes we have put in place. Performance - well three years running with no patches and never a problem and never been compromised. Let me see ANY
mutt: xterm_title conf var
Hi List, I'm absolutely new to openbsd so please bear with me if it's not the right place to ask my question. The box I installed 4.5 will be running headless so I'm logged in remotely on a color xterm. I rsynced mutt configuration from my Ubuntu box because it's also running mutt 1.5.18, most things work out as expected except for lack of colors, missing threading and convenient confvars xterm_set_titles and xterm_title that I use to display status information in the xterm title. I'll investigate the first 2 quirks later, as for the xterm stuff my question is did you leave these out on purpose, they are missing in your muttrc(5) too (if so why) or should I check Ubuntu's resp. Debian's source code to see if they patched mutt. Thanks Siggy -- O ascii ribbon campaign - stop html mail - www.asciiribbon.org+ |36 days until|Open Source in Northern Germany: www.free-it.org| |www.Ubucon.de|tech contact: bsb-at-free-dash-it-dot-de| +--- ceterum censeo javascriptum esse restrictam +
Re: mutt: xterm_title conf var
On Thu, Sep 10, 2009 at 07:21 -0400, Luis Useche wrote: I don't know if this solves your problem or you already did this, but you need to set the xterm in order to have colors for manuals or vim. Read from FAQ How do I get color man pages on XTerm?. Not reading the FAQ but trying after your hint: ^Z $ echo $TERM xterm $ TERM=xterm-color $ % ^L colors appear. I'll fix my .bashrc (resp. .zshrc as soon as zsh is installed). Thanks for your hint Siggy -- O ascii ribbon campaign - stop html mail - www.asciiribbon.org+ |36 days until|bsb-at-psycho-dot-informationsanarchistik-dot-de| |www.Ubucon.de|or:bsb-at-psycho-dot-i21k-dot-de| +--- ceterum censeo javascriptum esse restrictam +
SOLVED: mutt: xterm_title conf var
On Thu, Sep 10, 2009 at 14:40 +0200, Joachim Schipper wrote: On Thu, Sep 10, 2009 at 09:43:24AM +0200, Bernd 'Siggy' Brentrup wrote: I'm fairly certain xterm_* is a Debian/Ubuntu improvement: at least, http://www.mutt.org/doc/devel/manual.html doesn't know about either option. If it's important to you, you may be able to get the patches from the Debian package to apply against OpenBSD's port. I find it quite convenient to see selected status in the xterm title while reading e.g. a crossposted mail. Colors do work, with a proper TERM setting (e.g. xterm-xfree86 or xterm-color; plain xterm doesn't work, since there are things that identify as xterm but don't handle color.) Try setting TERM properly and/or running env TERM=xterm-color mutt. Sorry you're too late to earn credit on this, Luis pointed me in the right direction before I saw your post :) Threading definitely works for me, although you can get some display issues if the character sets used don't match. Feel free to ask for the details; your original post was sufficiently unclear that I cannot guess your problem. I was unclear on purpose because I wanted to investigate these problems myself. Solution is: on Debian systems default is 'sort=threads' while openbsd has 'sort=date'. After adding 'set sort=threads' to .muttrc this file now works on all my systems as I want it to. Thanks to all who responded on list or privately. Because one of the private ones stands out by being written in german I'll answer that one in a separate private mail. Impressed by the way this thread worked Siggy FYI: please visit https://launchpad.net/~bsb -- O ascii ribbon campaign - stop html mail - www.asciiribbon.org+ |36 days until|bsb-at-psycho-dot-informationsanarchistik-dot-de| |www.Ubucon.de|or:bsb-at-psycho-dot-i21k-dot-de| +--- ceterum censeo javascriptum esse restrictam +
Re: Relevant article
On Thu, Sep 10, 2009 at 17:09 +, Daniel Bolgheroni wrote: Hi, since Nick Holland touched on the DESIGN aspect in his e-mail regarding supporting OpenBSD, I think this article pretty much reflects the reality here. http://www.osnews.com/story/22135/The_Problem_with_Design_and_Implementation Just think it's worth reading. What came to my mind while reading this article is an almost 30yo tale from the times of my first encounter with Unix release 6 on PDP11. I was studying CS at TU Berlin then and we had an OS Prof Siggi Schindler (he's the reason why I use the 'y') who also led a course on the ISO 7 layer model with practical applications. AFAIR everything essentially boiled down to having a *precise specification language*. If you have such a language the only thing left to do is building a machine that accepts this language as its programming language. In this sense implementing a specification in any existing programming language is equivalent to implementing a subset of said machine on top of an existing one. Siggy -- O ascii ribbon campaign - stop html mail - www.asciiribbon.org+ |36 days until|bsb-at-psycho-dot-informationsanarchistik-dot-de| |www.Ubucon.de|or:bsb-at-psycho-dot-i21k-dot-de| +--- ceterum censeo javascriptum esse restrictam + [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
Re: Relevant article
On Thu, Sep 10, 2009 at 23:15 +0200, Bernd Siggy Brentrup wrote: [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc] Oops, in general I gpg-sign my mails with a detached signature but if it's this list's policy not to do so I'll refrain from it. Siggy -- O ascii ribbon campaign - stop html mail - www.asciiribbon.org+ |36 days until|bsb-at-psycho-dot-informationsanarchistik-dot-de| |www.Ubucon.de|or:bsb-at-psycho-dot-i21k-dot-de| +--- ceterum censeo javascriptum esse restrictam +
Chemnitzer Linuxtage 2009
Hey! There will be an OpenBSD booth at the Chemnitzer Linuxtage 2009 in Chemnitz, Germany. If there are any locals interested in helping at the booth please contact be...@openbsd.org or f...@openbsd.org privately. Thanks! Regards, Bernd
Re: 'Nother broken package - git-1.5.4.2
Marc Espie [Tue, Jul 15, 2008 at 11:30:28PM +0200] wrote: It's because of gitk which is a repository browser (or so http://git.or.cz/course/svn.html tells me). Annoying that there's no git-no_x11 but them's the breaks. Makes no sense. It's clearly a multi-package situation, not flavor. devel/git has a -x11 subpackage since 2008/04/01. Regards, Bernd
Re: Archiving pkg's added by pkg_add -u
Edd Barrett [Fri, Jan 25, 2008 at 10:20:50AM +] wrote: I was wondering if there is a way that pkg_add -u can save packages that it installs into a specified directory. I think I could save a lot of bandwidth if this were possible, as I have several machines to update with snapshots every 2 weeks or so. Just an idea. Read the pkg_add(1) manpage again and look for PKG_CACHE. Regards, Bernd
Re: How to find all package files
Russell Gadd [Mon, Jan 07, 2008 at 03:33:22PM +] wrote: I am new to OpenBSD and I am not sure what is the correct way to find packages. For example I have tried to install the xfce window manager, and at first I looked at the list of files in the packages list and there were a lot of files with xfce in the name / description. I looked for one which said something like this is the main package for xfce4 so that installing that and all dependencies would do the job, but couldn't find such a file. I resorted to looking for xfce in the INDEX and using all files where this was mentioned, i.e. forming a list with grep xfce INDEX | cut -d '|' -f 1 | sed 's/$/.tgz/g' > /tmpdir/xfce4pkglist then pkg_add `cat /tmpdir/xfce4pkglist` I realise that for such a package there would be some parts which were optional, so needed to be separated out, but I thought there must be a more reliable way to determine which files to include. Is there a better way to do this? Set PKG_PATH and use 'pkg_info -Q xfce'. Bernd
5. Kieler Linux und Open Source Tage - Kiel/Germany
Hey folks! There will be an OpenBSD/OpenSSH booth at the 5. Kieler Linux und Open Source Tage (Sep 7/8) in Kiel/Germany. Are there any locals who want to join us? Mail me privately. Regards, Bernd
Re: searching packages? pkg_grep?
John N. Brahy [Thu, Aug 09, 2007 at 09:49:27AM -0700] wrote: If I don't have ports installed, is there a way to do a search of all the available package names to find one I'm looking for? Something like a pkg_grep... Read the pkg_info(1) manpage and look for the -Q option. Bernd
Re: nl_langinfo(CODESET) issue (on OpenBSD 4.0)
On Wed, 31 Jan 2007 20:23:04 +0100, William Yardley [EMAIL PROTECTED] wrote: I believe CODESET was added recently (3.8 didn't have the function), so just wondering if there's something missing here, or if this is considered not an issue. The problem has been solved. For the record, the solution is to replace 'nl_langinfo(CHARSET)' with 'locale_charset()' directly from iconv. There seems to be no standard that defines what nl_langinfo(CHARSET) should return and IANA names are not always seen as the optimal solution. 'locale_charset' should always return an IANA name. Bernd
nl_langinfo(CODESET) and iconv
Using OpenBSD 4.0 release: An IDE that I am trying to maintain for OpenBSD has been recently internationalized and is using the following line with 'iconv': x = iconv_open("UTF-8", nl_langinfo(CODESET)); On all other platforms that are supported, 'nl_langinfo (CODESET)' returns a string that cites a standard in a form that can be directly understood by iconv. OpenBSD returns the string 646 as a reference to iso646. Unfortunately, 'iconv -l' only knows the following names for this standard: ANSI_X3.4-1968 ANSI_X3.4-1986 ASCII CP367 IBM367 ISO-IR-6 ISO646-US ISO_646.IRV:1991 US US-ASCII CSASCII My questions: - Is there a specific reason why nl_langinfo(CODESET) is so brief with the codeset cited? - Would it be possible to solve this problem for me on the OpenBSD side by either adapting nl_langinfo or adding '646' to the iconv package? - Are there any suggestions on how I can solve this problem in a universal way, i.e. that does not make use of manual converting '646' to 'ISO646-US' or similar? (perhaps references to other functions that print the codeset in a more usable way) Any help would be appreciated, Regards, Bernd
Re: openbsd 4.0 ralink problem low operation range
On Thu, 14 Dec 2006 12:08:00 +0100, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: it seems nobody uses minipci ralink cards ... :-( I also have a ralink card (regular PCI used in a Soekris with OBSD 4.0), and I am experiencing similar problems - horribly low radio performance over short distances. The other Soekris with minipci ath card works flawlessly. I have to admit that I have not made further investigations into the problem, but I am definitely following this thread and would be very interested in any insights. Bernd
Re: java on openbsd
On Tue, 14 Nov 2006 16:42:39 +0100, Nick Guenther [EMAIL PROTECTED] wrote: Java's unsupported more or less. See the FAQ: http://openbsd.org/faq/faq8.html#Programming Due to Sun's restrictive SCSL license, OpenBSD cannot ship binary packages for the JDK. This means you will have to build it from ports. Note that you will need plenty of RAM for this build to succeed. Sorry :( Is this information still current, now that Java has released the JDK under the terms of the GPL? https://openjdk.dev.java.net/ I really hope that there will be an improvement of the situation for OpenBSD soon, including proper Java packages. But I am not a lawyer, correct me if I am wrong. Bernd
Re: c.93.3 not found when installing packages
On Sun, 15 Oct 2006 20:00:45 +0200, Theo de Raadt [EMAIL PROTECTED] wrote: It is, libc bumps happen when functions change in interesting ways. Just out of curiosity: This is not an update to keep the libc version number in-sync with the OpenBSD release? It would have remained on 39 if there would not have been a change in the interface or semantics? Of course we only change the numbers for good reasons. Keeping it in sync because it is pretty? Don't be crazy. Thanks Theo. And a huge apology to Chris for quoting your private mail. I had not noticed that this one went just to me. Bernd
Re: c.93.3 not found when installing packages
On Fri, 13 Oct 2006 17:56:07 +0200, Joachim Schipper [EMAIL PROTECTED] wrote: It is, libc bumps happen when functions change in interesting ways. Just out of curiosity: This is not an update to keep the libc version number in-sync with the OpenBSD release? It would have remained on 39 if there would not have been a change in the interface or semantics? Bernd
Re: c.93.3 not found when installing packages
On Sun, 15 Oct 2006 20:03:55 +0200, Chris Kuethe [EMAIL PROTECTED] wrote: On 10/15/06, Bernd Schoeller [EMAIL PROTECTED] wrote: On Fri, 13 Oct 2006 17:56:07 +0200, Joachim Schipper [EMAIL PROTECTED] wrote: It is, libc bumps happen when functions change in interesting ways. Just out of curiosity: This is not an update to keep the libc version number in-sync with the OpenBSD release? It would have remained on 39 if there would not have been a change in the interface or semantics? http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/shlib_version Thank you for the link, though it does not answer my question. So I assume the answer to my question is: no, there would not be a bump in libc version number just to keep it in sync with the OpenBSD version number. Sorry for the noise, Bernd
c.93.3 not found when installing packages
Hello everybody, I am trying to do a fresh install using a current snapshot (tried it with the snapshot from yesterday and today) on i386. I am downloading from 'mirror.switch.ch' and 'ftp.de.openbsd.org'. After installation, I try to install some packages that I need (from pub/OpenBSD/snapshots/packages/i386). I get the report of a wrong libc available: - # pkg_add libiconv-1.9.2p3.tgz Can't install libiconv-1.9.2p3.tgz: lib not found c.39.3 Even by looking in the dependency tree: Maybe it's in a dependent package, but not tagged with @lib ? (check with pkg_info -K -L) If you are still running 3.6 packages, update them. - As expected the libc is c.40.0 I assume that because of the imminent release of OpenBSD 4.0, the packages are not properly updated. But I cannot remember having seen an announcement. It might very well be that I have missed it, as the signal to noise ratio on this mailinglist has not been too good recently. Do I have to switch to using ports? Any other fix for the problem? Bernd
Re: automate changing strcpy() to strlcpy()
On Fri, 22 Sep 2006 12:52:43 +0200, Siju George [EMAIL PROTECTED] wrote: I understand that the OpenBSD team has replaced strcpy() with strlcpy() in their tree. It has not been replaced, there is just a warning. How did you people do it? Do we have to manually go to each place and make the change or is there any tool to automate the process? strcpy is a common trap, as it relies on the implicit size of the target buffer, something that might be specified at a completely different location of the source code, if it is specified at all. So, whenever you are using strcpy, you are working with an implicit assumption that the target buffer is large enough. Check security mailinglists for how often people got this assumption wrong. Using strlcpy, you have to explicitly specify the size of the target buffer, requiring you to think about your buffer size and to look up the exact value. This has the advantage that: - You have to think about it. - You have to explicitly state what you thought, enabling others to follow your thoughts. - The system can prevent the worst at run-time by truncating strings. Of course, when you have to think then it means the system cannot do it for you. Bernd
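The explicit-size argument made in the reply above, as an added example that is not code from the thread: my_strlcpy is a portable reimplementation of the OpenBSD strlcpy(3) contract, assumed here so the example builds on systems that lack strlcpy, and the input strings are constructed.

```c
/* strcpy() versus an explicit-size copy. my_strlcpy() reimplements the
 * OpenBSD strlcpy(3) contract: copy at most dsize-1 bytes, always
 * NUL-terminate when dsize > 0, and return strlen(src) so the caller can
 * detect truncation. Added example, not from the mailing-list post. */
#include <stdio.h>
#include <string.h>

size_t my_strlcpy(char *dst, const char *src, size_t dsize)
{
    size_t srclen = strlen(src);
    if (dsize > 0) {
        size_t n = srclen < dsize - 1 ? srclen : dsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;   /* a value >= dsize means the copy was truncated */
}

/* The pattern the post warns about: nothing in this function ties src to
 * the size of dst; the assumption "dst is big enough" lives wherever dst
 * was declared, possibly in another file. */
void copy_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);   /* silently writes past dst if the assumption is wrong */
}

/* The explicit pattern: the caller must state the buffer size, and an
 * oversized input is reported instead of corrupting adjacent memory.
 * Returns 0 on success, -1 if src did not fit (dst then holds a
 * NUL-terminated prefix of src). */
int copy_checked(char *dst, size_t dsize, const char *src)
{
    return my_strlcpy(dst, src, dsize) < dsize ? 0 : -1;
}

int main(void)
{
    char name[8];   /* the implicit limit that strcpy() knows nothing about */
    const char *inputs[] = { "hello", "this is too long" };  /* constructed */
    for (size_t i = 0; i < 2; i++) {
        int rc = copy_checked(name, sizeof name, inputs[i]);
        printf("\"%s\" -> \"%s\" (%s)\n", inputs[i], name,
               rc == 0 ? "ok" : "truncated");
    }
    /* copy_unchecked(name, inputs[1]) would write 17 bytes into an
     * 8-byte buffer; it is deliberately not called. */
    return 0;
}
```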
Re: upgrading without physical access
On Fri, 22 Sep 2006 15:35:17 +0200, Nick Holland [EMAIL PROTECTED] wrote: [...] Build out a machine as similar to your remote machine as you can (and I don't just mean just the OpenBSD version[*]), back it up. Now, put it in another room, and upgrade it. If it works, restore, try it again. If it doesn't, walk over, figure out what went wrong, fix, and try again. Nick, you definitely have a good point. A nice way to create an identical local machine is by tar-piping your remote installation through an SSH connection directly onto a local disk (assuming you have created an identical disk layout first) [*]. You might probably want to exclude /usr/src, /usr/ports and other directories that cannot cause any problems. Also, if you just do not have a spare machine, qemu (or similar) might be helpful. Here, it is also easy to undo the process if you make a mistake. Bernd [*] Disclaimer: I have to admit, I never did this with an OpenBSD machine, only with a Linux one.
Re: OT hardware IDE RAID cards
On Wed, Aug 16, 2006 at 10:12:45AM +0100, Gaby Vanhegan wrote: On 16 Aug 2006, at 06:24, Theo de Raadt wrote: If you are stuck on SATA, the Areca stuff is a few weeks away from totally rocking. And it is cheap. I can see that these guys also freely provide API documentation and code: http://www.areca.com.tw/support/index/dc1120.htm Does this mean that it will be supported by bioctl soon? Is there any other way to understand Theo's comment? ;-) Bernd
Re: OpenBSD Gateway to replace old Linux gateway
On Thu, Jul 27, 2006 at 07:04:04AM -0700, Matt Radtke wrote: Your Linux box is very likely running as a real bridge (set eth0 and eth1 as a bridge) or a fake bridge (running proxy-arp). Dear elaconta.com Webmaster, please post at least the output of 'ifconfig -a' and 'route -n' to this list. Otherwise this guessing of your configuration will continue ad infinitum - without any usable result. Bernd
Re: CD Creation question
On Tue, Jul 18, 2006 at 09:01:47AM -0400, Jeff Quast wrote: On 7/18/06, Rob Baldassano [EMAIL PROTECTED] wrote: So, Is there anyone out there that could provide me with the instructions on how to create a bootable CD from Windows, so that I can boot from the CD, and have the install media on the CD itself as well? You can burn cd39.iso from most any cd burning software in windows. Unfortunately, a brand new $200 version of microsoft windows does not offer this most simple of tasks by default. (Welcome to 1993) I only know of commercial software that supports this. However, some of these come with free 30 day trials that may meet your needs. I would start at one of those massive shareware sites and start downloading software in the 'cd burning' software category. AFAIK, there is a free cdrecord version for cygwin that you can use. Bernd
Re: Encrypting e-mails
On Mon, Jul 10, 2006 at 04:18:20PM -0400, stan wrote: it also has s/mime and gpg capabilities, is text based and does your laundry. I have used mutt for a while now and it does not do my laundry. You must have forgotten the optional mutt_laundry.config file ... which is - of course - not properly documented *sigh* Bernd
Re: htaccess + skey?
On Thu, Jul 06, 2006 at 01:33:52PM +0200, [EMAIL PROTECTED] wrote: Is there any way to combine htaccess with one-time-pads? Looks like a difficult task, as http is not session based. So, the browser would ask for a new OTP on every GET request. This means not only once per page, but multiple times per page if there are stylesheets and/or pictures involved. Does not seem feasible. Bernd
Re: questions on fork()
On Tue, Jul 04, 2006 at 03:27:17PM +0800, Edwin Eyan Moragas wrote: ey misc, from the fork(2) man pages: fork() causes creation of a new process. The new process (child process) is an exact copy of the calling process (parent process) except for the following: snip i have several questions/clarifications regarding this. 1) when it says exact copy, does this mean just a copy of the process? is it right to state that the memory allocated by the parent process is not accessible to the child process? Yes, copy is not the original (though normally Unix-OSs do a lazy copy-on-write after a fork). If you want shared memory between parent and child, have a look at shmat(2). 2) The child process has its own copy of the parent's descriptors. i take this to mean all file and socket descriptors which both parent and child can write and read to. am i correct? It means all file descriptors of the parent process at the time of the fork will be copied to the child process. As a result, there will be two processes able to write to the same file. You might have a look at pipe(2) to see the benefits of this. Bernd
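The two fork(2) properties explained in this reply, shown in an added example that is not code from the thread: a write in the child does not reach the parent's copy of memory, while a descriptor copied by fork still refers to the same open file, so a read in the child advances the offset the parent sees. It assumes a POSIX system with a writable /tmp; the file contents are constructed.

```c
/* fork(2): private memory copy versus shared file descriptors.
 * Added example, not from the mailing-list post. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if the parent's variable is untouched after the child has
 * overwritten its own copy, 0 if the write leaked across, -1 if fork failed. */
int child_write_is_private(void)
{
    int value = 1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        value = 99;   /* copy-on-write: only the child's page is changed */
        _exit(0);
    }
    waitpid(pid, NULL, 0);
    return value == 1;
}

/* Writes a constructed sample to a temporary file, rewinds it, lets the child
 * read nread bytes through the inherited descriptor, and returns the offset
 * the parent then observes. Both processes share one open file description,
 * so the parent sees the child's read reflected in its own offset.
 * Returns -1 on any error. */
long parent_offset_after_child_read(size_t nread)
{
    char path[] = "/tmp/fork_demo_XXXXXX";   /* mkstemp template */
    const char sample[] = "hello world";      /* constructed file contents */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);   /* the file lives on until the last descriptor closes */
    if (write(fd, sample, strlen(sample)) != (ssize_t)strlen(sample) ||
        lseek(fd, 0, SEEK_SET) != 0) {
        close(fd);
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0) {
        close(fd);
        return -1;
    }
    if (pid == 0) {
        char buf[64];
        if (nread > sizeof buf)
            nread = sizeof buf;
        (void)read(fd, buf, nread);   /* advances the shared offset */
        _exit(0);
    }
    waitpid(pid, NULL, 0);
    long off = (long)lseek(fd, 0, SEEK_CUR);
    close(fd);
    return off;
}

int main(void)
{
    printf("child's write stayed private: %d\n", child_write_is_private());
    printf("parent offset after child read 5 bytes: %ld\n",
           parent_offset_after_child_read(5));
    return 0;
}
```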
First OpenBSD release of EiffelStudio 5.7
Hello everybody, we have prepared a first release of the development branch of EiffelStudio 5.7 for OpenBSD x86. EiffelStudio was released as GPL software on April 5th, 2006. It can be downloaded at http://eiffelsoftware.origo.ethz.ch/downloads/builds EiffelStudio is an IDE for the Eiffel programming language. Eiffel is an advanced object-oriented programming language that features concepts like Design by Contract or multiple inheritance. Eiffel is compiled to machine language via C code. The Eiffel language has been adopted by ISO as an international standard in 2006. EiffelStudio is a modern IDE that is maintained by Eiffel Software (www.eiffel.com). It has a history of 20 years of development and is moving ahead at a fast pace. Current features are the integration of a debugger, a round-trip UML/Bon editor, a GUI builder and some refactoring support. Programs written in Eiffel are normally highly portable between operating systems. In the long run, I would like to provide a usual port, that even might be integrated into the OpenBSD ports collection (still have to learn how to do ports, though). Currently, we only have a binary release for OpenBSD 3.9 on x86. It should be easy to target other hardware platforms using the provided PorterPackage, a precompiled to C version of the IDE and compiler. Please note again that the current release is based on the development branch (the last stable release was pre-GPL) and has many known issues. Any feedback is welcome, Bernd
Re: developing a backup strategy
On Mon, Jun 12, 2006 at 11:37:08PM +0530, Raja Subramanian wrote: Hi, On 6/12/06, prad [EMAIL PROTECTED] wrote: ... should i be thinking of incremental backups say with dump? does it make any sense to rsync the entire server drive? Check out rdiff-backup.sf.net. The website seems broken atm. I've used it to incrementally backup ~3TB of data on Linux boxen and am very happy with it. I can only backup this recommendation. rdiff-backup is a really nice tool that makes incremental backups as easy as scp, with all nice features like incremental transfers, complete history (what was that file again 2 months ago?), encrypted transfer, etc. Bernd
Re: they say openbsd is not as scalable as others
On Mon, May 29, 2006 at 07:50:35PM +0300, Antonios Anastasiadis wrote: [...] I use OpenBSD too for critical systems, but some guys here really need to wake up. Troll. Bernd
X2X on OpenBSD
Hello, I have a laptop (IBM X31, OpenBSD 3.9 release) that I would like to use as a slave for x2x. The package description states: x2x allows the keyboard and mouse on one (from) X display to be used to control another (to) X display. Since x2x uses the XTEST extension, the to X display must support XTEST. From 'xdpyinfo', I assume that the XTEST extension is available in the X11 binary supplied with OpenBSD: [EMAIL PROTECTED]:~$ xdpyinfo -display :0.0 | grep XTEST XTEST Still, x2x fails to connect to the OpenBSD X server: [EMAIL PROTECTED]:~$ ssh -X uni x2x -west -from :0.0 x2x - error: display localhost:10.0 does not support the test extension This command should make it possible to control 'archon' from 'uni'. 'uni' is a Linux machine and I know that this is the machine that runs the actual binary; so there is a slight chance that this is a problem of incompatible x2x versions. The version of x2x used is: 1.27.svn.20060225-1 (Debian unstable package). Unfortunately I cannot check if the same problem occurs with an OpenBSD master. All I know is that Linux master and Linux slave works. My questions are: - Why does 'x2x' report XTEST not to be present, while 'xdpyinfo' reports it to be available? - Might this be a problem with incompatible 'x2x' versions? - Assuming that XTEST is really missing: What do I have to do to get the XTEST extension into the X11 binary? (Meaning: assuming that I follow FAQ 5.5 for recompiling X11, where do I have to enable XTEST?)
Thanks for any help, Bernd xdpyinfo output on 'archon':
Re: X2X on OpenBSD
On Tue, May 16, 2006 at 11:19:15AM +0200, Jan Johansson wrote: Bernd Schoeller [EMAIL PROTECTED] wrote: [EMAIL PROTECTED]:~$ ssh -X uni x2x -west -from :0.0 x2x - error: display localhost:10.0 does not support the test extension Using -X with ssh creates an X forwarding tunnel that has some security features. Try using -Y which disables these features. NOTE this makes your local computer more vulnerable. That did the job. Thanks, Bernd
Re: copying software from the official iso
On Fri, Mar 24, 2006 at 12:43:59PM +0100, Gilles LAMIRAL wrote: Hello, Can I do a dd if=/dev/cdrom of=obsd.iso and redistribute it ? (the audio track is away) http://www.openbsd.org/faq/faq3.html#ISO *sigh* Bernd
Re: no internet with cable provider (videotron.ca)
On Tue, Mar 21, 2006 at 03:58:41AM -0500, Matthew Closson wrote: Yes, 5 minutes is the required amount of time to clear the cache on most cable modems I've worked with (Toshiba, 3com, Motorola, Terayon), 10 seconds will not do. Otherwise you could probably copy the MAC address off your win2k box and use that. Another option to find out if that caching is really the problem would be to download an OpenBSD live CD and start it on the Windows XP box and see what happens when you run dhclient. http://g.paderni.free.fr/olivebsd/ Bernd
Re: (newbie) a network related question
On Tue, Mar 14, 2006 at 02:20:15PM +0100, FTP wrote: but isn't a way to route and translate connections via a existing static IP address? To have 'internal' IPs acting as static in their own right? How do ISPs 'create' their own static IPs? Gee - we are talking about a huge area of topics here: First, ISP-ISP traffic is handled way differently compared to MyLittleComputer-ISP traffic (read up on the IP-protocol, PI-networks, BGP, OSPF, etc.) Second, you can always use NAT to translate your internal IP addresses and ports to different ports (under a single address) on your router, but that is probably what you already have and not what you want. Third, if you live in a house with a single address, you cannot publicly start announcing different addresses without the postal service knowing about it. If packets should arrive at your home, then you better make sure you write your street and number on the announcement, other things just won't work. Last but not least: _if_ your ADSL provider will assign and route multiple addresses to your router (for example a complete C network), then you can - of course - translate the different numbers into different numbers in your internal network. But then: why are you not using these IPs for your internal network directly? Bernd
dhclient generate resolv.conf somewhere else ?
Hello, my Soekris receives its WAN configuration with dhclient and serves as a NAT router for my home LAN. I need to forward DNS queries from the LAN to the WAN. I use pdnsd for this and it works like a charm. The problem that I have is: dhclient generates the DNS information that it receives and stores it into /etc/resolv.conf. But I would like to use pdnsd also for queries _on_ the router as well (nameserver 127.0.0.1 in resolv.conf). If I use supersede (in dhclient.conf) or dhclient.conf.tail, this works fine, but the information gathered by dhclient is lost. Instead I would like to store the nameserver information somewhere else, thus change pdnsd.conf to use (for example) /etc/resolv.conf.wan. Is there a possibility to instruct dhclient to use another file instead of resolv.conf? I have searched in dhclient, dhclient.conf and the dhclient-script man page, and in the archives, but I have found no hint of what I should do. Is there any other way that I can get pdnsd working correctly with local queries redirected to pdnsd? Thanks for any help, Bernd