Re: OpenBGP - Saving / Restoring routes, possible?
Eduardo Meyer wrote:

Hello, I have set up OpenBGP doing full routing with 3 other peers, so I get around 240k routes from each peer. But if for some reason I have to restart bgpd, it takes up to 5 minutes until I have all routes updated again. Is there a way to save and later restore the RIB/FIB tables? Since the only problem on commodity hardware is the moving parts, I am also setting up a SPARE router with carp, so if one goes down, the spare will take over. But resyncing the tables is, again, a reason for higher downtime. So if I could save the tables on one machine and restore them on the other, that would be great. Can I do this?

If you search back through the mailing list archive, you'll find some setups I've proposed which do exactly that - CARPed BGPs with no downtime for a full BGP refresh. About your idea - saving / restoring routes - the very prime idea of BGP is just that - to NOT save routes, but to distribute them.

Kind regards, Doichin
Re: harddisk impact on routing firewall performance/throughput
Darren Spiteri wrote:

On Feb 13, 2008 11:08 AM, Ted Unangst [EMAIL PROTECTED] wrote:
On 2/12/08, Darren Spiteri [EMAIL PROTECTED] wrote:
This is irrelevant on a firewall/router.
Sorry, you are wrong. I can achieve much higher throughput per connected state by tweaking recvspace and sendspace.
then your firewall isn't just a firewall or your measurements were done incorrectly.
I don't know why or how this poorly documented sysctl works, but the result speaks for itself. Note the dramatic throughput increase of the parent.

Could we have a look at those numbers, in fact?
Re: OpenBSD as Xen domU
ropers wrote:

On 07/02/2008, NetOne - Doichin Dokov [EMAIL PROTECTED] wrote:
NetOne - Doichin Dokov wrote:
I'm trying to use Christopher's work, but I get the following errors when I try to make depend a xenU kernel: (...) Anyone any hints? Is it meant to be run on -current (I see the last changes in the hg are from 8 months ago, but...)? Or do I need to compile it under an i386 kernel (I'm currently trying with an amd64 one)?
# uname -a
OpenBSD border2.net1.cc 4.2 GENERIC.MP#1 amd64
Any help MUCH appreciated! Kind regards, Doichin
Guess that counts for cross-compiling, so the answer is yes - I need an i386 kernel to compile this. Sorry for the fuzz...

Yes. The port is i386 and sadly it never got much traction within the OpenBSD project, which --this is just my hunch-- may have led Christoph to unfortunately focus on other stuff instead of keeping current a port that the project seems to be lukewarm for at best. I'm not sure what OpenBSD version the currently available revision of the port targets -- possibly 4.0 or 4.1. If you want to go anywhere with this it would probably be best to google Christoph Egger's email address (it's out there). He can give you the real deal straight from the horse's mouth. If you use Christoph's port, I would be very interested in hearing about it. -- Maybe others, too. Maybe you could post to [EMAIL PROTECTED]
Thanks and regards, --ropers

Yup, I have successfully compiled the XENU kernel. I neither know which version it is, but it's 8 months old; I believe it was based on -current. The bad thing is that when I try to run it with Xen, I get this:

[EMAIL PROTECTED] xen]# xm create -c /etc/xen/net1-obsd.xm
Using config file /etc/xen/net1-obsd.xm.
Error: (22, 'Invalid argument')

As far as I went with googling info about this error, it's something PAE related - my Xen dom0 is PAE enabled I think (I'm not very much into Linux, but I have HIGHMEM_64G defined, also PAE is present in /proc/cpuinfo).
Seems like the OpenBSD XENU kernel is not (or the other way round - dom0 is non-PAE, and the OpenBSD kernel is PAE-enabled). In FreeBSD, there's a PAE option in the kernel config, but I don't find such a one in the OpenBSD configs (I did not have enough time to investigate this, though, so I might have overlooked it). I'm using Xen 3.0.x, and my net1-obsd.xm config is:

=
name = 'net1-obsd'
memory = 256
disk = [ 'phy:/dev/mirror/fc1,sda1,w' ]
vif = [ 'mac=00:16:3e:1b:04:c9, bridge=xenbr0' ]
vnc=1
vncunused=1
vcpus=2
kernel = '/boot/openbsd-xenu'
extra = 'boot_verbose,boot_single,vfs.root.mountfrom=ufs:/dev/md0,kern.hz=100'
on_reboot = 'restart'
on_crash= 'restart'
==

Maybe it's best to contact Christoph directly, but I don't know if he still works on this project (the hg repository seems dead for the last 8 months), and I don't want to annoy him if not needed, so if anyone has any ideas how to proceed with this, I would be grateful to receive their opinion and knowledge.

Kind regards, Doichin
Re: OpenBSD as Xen domU
ropers wrote:

You can use Christoph Egger's OpenBSD/Xen port. No need to go HVM-only. Unfortunately, my own website is down right now and I haven't gotten around to fixing that, but the Wayback Machine has the relevant page: http://web.archive.org/web/20070403174105/http://ropersonline.com/openbsd/xen/ Also, search the misc archives. This question crops up fairly regularly, and each time most people don't seem to know of Christoph Egger's port (and each time I then try to tell people about it again -- if I catch the message, but I don't always do and sometimes things fall through the cracks here).
Thanks and regards, --ropers

On 07/02/2008, John Jackson [EMAIL PROTECTED] wrote:
OpenBSD as DomU works using hardware virtualization for me. There's the occasional lockup that I haven't looked into too much. You can launch vncviewer to get a console. My working config is at the bottom. John

On Wed, Feb 06, 2008 at 11:55:05PM +0100, Julien Cabillot wrote:
It works but I had really bad performance with the network (timeout on the interface re). Dmesg: http://www.openbsd-france.org/ml/archives/msg02494.html
I found that setting the vif interface to 'model=ne2k_pci' helps with the timeouts.

On Thu, 2008-02-07 at 00:29 +0200, NetOne - Doichin Dokov wrote:
I'm looking to replace a Linux domU with a BSD one, preferably OpenBSD. Anyone any success running stable OpenBSD (FreeBSD would also suffice) as domU in a Xen system? If so, willing to share config / how-to / experience?
Kind regards, Doichin

Here's a working Xen config:
=
import os, re
arch = os.uname()[4]
if re.search('64', arch):
    arch_libdir = 'lib64'
else:
    arch_libdir = 'lib'
kernel = '/usr/lib/xen/boot/hvmloader'
builder='hvm'
memory = 256
name = 'obsd'
pae=0
vif = [ 'type=ioemu, mac=00:16:3e:7d:be:ef, model=ne2k_pci' ]
disk = [ 'file:/disk/homer.disk,hda,w','file:/disk/obsd42_amd64.iso,ioemu:hdc:cdrom,r' ]
device_model = '/usr/' + arch_libdir + '/xen/bin/qemu-dm'
boot='cd'
sdl=0
vnc=1
vncviewer=0
nographic=0
stdvga=0
serial='pty'
ne2000=1
audio=0
localtime=1

I'm trying to use Christopher's work, but I get the following errors when I try to make depend a xenU kernel:

In file included from /usr/src/openbsd-xen-sys.hg/arch/xen/i386/machdep.c:129:
/usr/src/openbsd-xen-sys.hg/dev/isa/isavar.h:138:33: machine/isa_machdep.h: No such file or directory
In file included from /usr/src/openbsd-xen-sys.hg/arch/xen/i386/npx.c:66:
/usr/src/openbsd-xen-sys.hg/dev/isa/isavar.h:138:33: machine/isa_machdep.h: No such file or directory

It does complete, though.
But when I try to make the kernel, I get *lots* of errors, starting with these:

/usr/src/openbsd-xen-sys.hg/arch/xen/i386/locore.s: Assembler messages:
/usr/src/openbsd-xen-sys.hg/arch/xen/i386/locore.s:334: Error: suffix or operands invalid for `push'
/usr/src/openbsd-xen-sys.hg/arch/xen/i386/locore.s:335: Error: suffix or operands invalid for `popf'
/usr/src/openbsd-xen-sys.hg/arch/xen/i386/locore.s:472: Error: `(((1+2)* (112)))(%esi,%ecx,4)' is not a valid 64 bit base/index expression
/usr/src/openbsd-xen-sys.hg/arch/xen/i386/locore.s:479: Error: `(%ebx)' is not a valid 64 bit base/index expression
/usr/src/openbsd-xen-sys.hg/arch/xen/i386/locore.s:485: Error: `(0x0001|0x0002)(%edx)' is not a valid 64 bit base/index expression
/usr/src/openbsd-xen-sys.hg/arch/xen/i386/locore.s:486: Error: `(%ebx)' is not a valid 64 bit base/index expression
/usr/src/openbsd-xen-sys.hg/arch/xen/i386/locore.s:491: Error: `(%ebx)' is not a valid 64 bit base/index expression
/usr/src/openbsd-xen-sys.hg/arch/xen/i386/locore.s:501: Error: `(%ebx)' is not a valid 64 bit base/index expression
/usr/src/openbsd-xen-sys.hg/arch/xen/i386/locore.s:506: Error: `(%ebx)' is not a valid 64 bit base/index expression
/usr/src/openbsd-xen-sys.hg/arch/xen/i386/locore.s:515: Error: `(((0)* (112))+832*4)(%esi)' is not a valid 64 bit base/index expression
(and many more, not only in this file but also in vector.s, spl.s, mutex.S)

Anyone any hints? Is it meant to be run on -current (I see the last changes in the hg are from 8 months ago, but...)? Or do I need to compile it under an i386 kernel (I'm currently trying with an amd64 one)?
# uname -a
OpenBSD border2.net1.cc 4.2 GENERIC.MP#1 amd64
Any help MUCH appreciated! Kind regards, Doichin
Re: OpenBSD as Xen domU
NetOne - Doichin Dokov wrote:

ropers wrote:

You can use Christoph Egger's OpenBSD/Xen port. No need to go HVM-only. Unfortunately, my own website is down right now and I haven't gotten around to fixing that, but the Wayback Machine has the relevant page: http://web.archive.org/web/20070403174105/http://ropersonline.com/openbsd/xen/ Also, search the misc archives. This question crops up fairly regularly, and each time most people don't seem to know of Christoph Egger's port (and each time I then try to tell people about it again -- if I catch the message, but I don't always do and sometimes things fall through the cracks here).
Thanks and regards, --ropers

On 07/02/2008, John Jackson [EMAIL PROTECTED] wrote:
OpenBSD as DomU works using hardware virtualization for me. There's the occasional lockup that I haven't looked into too much. You can launch vncviewer to get a console. My working config is at the bottom. John

On Wed, Feb 06, 2008 at 11:55:05PM +0100, Julien Cabillot wrote:
It works but I had really bad performance with the network (timeout on the interface re). Dmesg: http://www.openbsd-france.org/ml/archives/msg02494.html
I found that setting the vif interface to 'model=ne2k_pci' helps with the timeouts.

On Thu, 2008-02-07 at 00:29 +0200, NetOne - Doichin Dokov wrote:
I'm looking to replace a Linux domU with a BSD one, preferably OpenBSD. Anyone any success running stable OpenBSD (FreeBSD would also suffice) as domU in a Xen system? If so, willing to share config / how-to / experience?
Kind regards, Doichin

Here's a working Xen config:
=
import os, re
arch = os.uname()[4]
if re.search('64', arch):
    arch_libdir = 'lib64'
else:
    arch_libdir = 'lib'
kernel = '/usr/lib/xen/boot/hvmloader'
builder='hvm'
memory = 256
name = 'obsd'
pae=0
vif = [ 'type=ioemu, mac=00:16:3e:7d:be:ef, model=ne2k_pci' ]
disk = [ 'file:/disk/homer.disk,hda,w','file:/disk/obsd42_amd64.iso,ioemu:hdc:cdrom,r' ]
device_model = '/usr/' + arch_libdir + '/xen/bin/qemu-dm'
boot='cd'
sdl=0
vnc=1
vncviewer=0
nographic=0
stdvga=0
serial='pty'
ne2000=1
audio=0
localtime=1

I'm trying to use Christopher's work, but I get the following errors when I try to make depend a xenU kernel:

In file included from /usr/src/openbsd-xen-sys.hg/arch/xen/i386/machdep.c:129:
/usr/src/openbsd-xen-sys.hg/dev/isa/isavar.h:138:33: machine/isa_machdep.h: No such file or directory
In file included from /usr/src/openbsd-xen-sys.hg/arch/xen/i386/npx.c:66:
/usr/src/openbsd-xen-sys.hg/dev/isa/isavar.h:138:33: machine/isa_machdep.h: No such file or directory

It does complete, though.
But when I try to make the kernel, I get *lots* of errors, starting with these:

/usr/src/openbsd-xen-sys.hg/arch/xen/i386/locore.s: Assembler messages:
/usr/src/openbsd-xen-sys.hg/arch/xen/i386/locore.s:334: Error: suffix or operands invalid for `push'
/usr/src/openbsd-xen-sys.hg/arch/xen/i386/locore.s:335: Error: suffix or operands invalid for `popf'
/usr/src/openbsd-xen-sys.hg/arch/xen/i386/locore.s:472: Error: `(((1+2)* (112)))(%esi,%ecx,4)' is not a valid 64 bit base/index expression
/usr/src/openbsd-xen-sys.hg/arch/xen/i386/locore.s:479: Error: `(%ebx)' is not a valid 64 bit base/index expression
/usr/src/openbsd-xen-sys.hg/arch/xen/i386/locore.s:485: Error: `(0x0001|0x0002)(%edx)' is not a valid 64 bit base/index expression
/usr/src/openbsd-xen-sys.hg/arch/xen/i386/locore.s:486: Error: `(%ebx)' is not a valid 64 bit base/index expression
/usr/src/openbsd-xen-sys.hg/arch/xen/i386/locore.s:491: Error: `(%ebx)' is not a valid 64 bit base/index expression
/usr/src/openbsd-xen-sys.hg/arch/xen/i386/locore.s:501: Error: `(%ebx)' is not a valid 64 bit base/index expression
/usr/src/openbsd-xen-sys.hg/arch/xen/i386/locore.s:506: Error: `(%ebx)' is not a valid 64 bit base/index expression
/usr/src/openbsd-xen-sys.hg/arch/xen/i386/locore.s:515: Error: `(((0)* (112))+832*4)(%esi)' is not a valid 64 bit base/index expression
(and many more, not only in this file but also in vector.s, spl.s, mutex.S)

Anyone any hints? Is it meant to be run on -current (I see the last changes in the hg are from 8 months ago, but...)? Or do I need to compile it under an i386 kernel (I'm currently trying with an amd64 one)?
# uname -a
OpenBSD border2.net1.cc 4.2 GENERIC.MP#1 amd64
Any help MUCH appreciated! Kind regards, Doichin

Guess that counts for cross-compiling, so the answer is yes - I need an i386 kernel to compile this. Sorry for the fuzz...
OpenBSD as Xen domU
I'm looking to replace a Linux domU with a BSD one, preferably OpenBSD. Anyone any success running stable OpenBSD (FreeBSD would also suffice) as domU in a Xen system? If so, willing to share config / how-to / experience? Kind regards, Doichin
Re: 3G/UMTS/HSDPA: best device(s)
Jacob Yocom-Piatt wrote:

am looking for a device that works with openbsd and will give broadband internet over cellular networks. it would be preferable that this device work in most of the jurisdictions listed in http://www.wireless.att.com/learn/international/dataconnect-global.jsp
i am not sure about the extent of the support here and see that a number of devices are supported, but advice on which gets best performance / coverage would be appreciated. if there are phones that can provide the service, i welcome those recommendations as well.
cheers, jake

Have a look at www.2n.cz and www.topex.ro, both companies are well known for their 3G routers.
Re: openBSD 4.2 and LSI raid
Rami Sik wrote:

Yes, I first started by setting up the RAID and installing OpenBSD on top of it. All was fine until one of the disks failed. Then I replaced the failed disk and tried to re-initiate the RAID (mirroring), where I got stuck since the RAID controller did not like the partitioning. However, I have advanced one step further now: if you use fdisk to assign a different id to the OpenBSD partition (like 83, as suggested by Sun for the Linux installs), the RAID controller seems to start mirroring your disk to the second one. However, when you change your partition id from the default value of A6 to 83, OpenBSD could not boot. So I am planning to play with the partition id so that I can set up the mirroring through the LSI RAID controller. Once it is done, I will revert the partition id back to its default value of A6. Then I will see if mirroring still works, and boots off of the second disk!
Rami Sik

The RAID controller *should not* care about partitions at all - WTF?! Its job is to duplicate the data and present the disks as one logical unit to the OS, and nothing more. You sure that is your problem?

-----Original Message-----
From: J.C. Roberts [mailto:[EMAIL PROTECTED]
Sent: January 29, 2008 1:13 PM
To: Rami Sik
Cc: misc@openbsd.org
Subject: Re: openBSD 4.2 and LSI raid

On Monday 28 January 2008, Rami Sik wrote:
I did some research and found a similar problem already reported for Linux installations, and Sun released a workaround for it. However, I cannot find anything about OpenBSD installations.

At present, I've got two LSI RAID controllers here running OpenBSD (MegaRAID 150-6 SATA and MegaRAID i4 PATA). Though I don't know about your specific controller (1030), the normal answer is to create your logical drive in the controller setup and *THEN* install the operating system. From your description, it seems you're doing things backwards, namely installing the OS on one drive and then trying to create a mirror.
-jcr
Re: looking for openbsd friendly server vendor
Lord Sporkton wrote:

Perhaps I was wrong but I thought OpenBSD was only 32 bit for now?

Yup, you're wrong. There's the amd64 port, which runs fine on all x86 64-bit CPUs.
Re: Can an SSH alternative to WebDav be used on OpenBSD
Daniel Ouellet wrote:

Thanks Thomas, but that solution is to be installed on a Windows server, which I killed off years ago and I am not going back. http://www.webdrive.com/products/webdrive/sysreq.html I sure appreciate your suggestion and time however.
Thanks, Daniel

Thomas Althoff wrote:
www.webdrive.com WebDrive has built-in support for the industry standard SSL protocol. When used in conjunction with secure WebDAV, FTP, FTPS, or SFTP servers, WebDrive will open an encrypted tunnel between the client computer and the remote server, giving you secure transmission of critical data over the Internet. WebDrive can also be used as an alternative to a corporate VPN. Install the WebDrive client and an SSL enabled server, and WebDrive can act as the VPN for your company; an efficient alternative to an expensive VPN and non-secure FTP client connections.
-Thomas

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Ouellet
Sent: 24 January 2008 23:59
To: misc@openbsd.org
Subject: OT: Can an SSH alternative to WebDav be used on OpenBSD

Hi, I need some possible suggestions, if I may ask, to not set up, or have to set up, WebDav on OpenBSD to allow users to do their web folder stuff. It can be set up with ftp for example to allow them to map a folder in their network places on XP for example, but then they can't do the stupid save as, and just for that they want to use WebDav. However, then it needs to allow write access via http and the full load of issues that could come with that when combined with php, etc. I only allow ssh access and in very special cases I have accepted ftp from specific locations controlled via PF, but because of the stupid save as, they are screaming for WebDav, or mod_dav, which I really would like to avoid totally. I just don't see the benefit worth the risk required to allow it.
Maybe I am wrong and someone could enlighten me, which I would very much appreciate, but again, maybe there is an alternative using SSH that I do not know. I provided WinSCP years ago and it sure works well, plus I can control access via ssh with PF too, which I would lose introducing WebDav. I hate all these users that can only work using a GUI-like interface all the time and feel they need everything to be done via http. Can anyone provide me some ideas or alternatives here, as I am running out of them? Being viewed as the asshole that always refuses flexibility for security is fine, but maybe there is something I can do to keep it safe and give the whiners a bone. I hate the Microsoft-centric biased users that care less for security, but would also be the first to scream should there be a compromise too. Any suggestions here? Sorry for the somewhat off topic question, but I need suggestions if there are any.
Best, Daniel.

I really didn't fully understand you - do you want to allow FTP access or not, and why are clients not able to save as when using it? Do you mean that they need it mapped as a network drive? If so, they can use something like this: http://www.acs.uwosh.edu/novell/netdrive.htm to map the FTP account you provide to their own PC as a drive. Then they can use whatever they want to read/edit/write stuff. Sorry for the fuzz if I've misunderstood you.

Kind regards, Doichin
Re: Concurrent PPPoE(4)?
Sunnz wrote:

2008/1/21, Sunnz [EMAIL PROTECTED]:
route-to
2) pass out on pppoe1 route-to (pppoe0 (pppoe0:0)) inet from pppoe0:0 to any
3) pass out on pppoe1 route-to (pppoe0 (pppoe0:0)) inet from pppoe0:0 to any
   pass out on pppoe0 route-to (pppoe1 (pppoe1:0)) inet from pppoe1:0 to any
4) pass out on pppoe1 route-to (pppoe0 (pppoe0:0)) inet from pppoe0:0 to any
   pass out on pppoe0 route-to (pppoe1 (pppoe1:0)) inet from pppoe1:0 to any
   pass in on pppoe1 route-to (pppoe0 (pppoe0:0)) inet from any to pppoe0:0
   pass in on pppoe0 route-to (pppoe1 (pppoe1:0)) inet from any to pppoe1:0
2), 3) and 4) work with traceroute and ping from the outside, but not ssh.

Oh, what was I thinking!! It should be like
pass out on pppoe1 route-to (pppoe0 (pppoe0:peer)) inet from pppoe0:0 to any
^^
Right?
Ok I just tested that one out as well... does not work either... (with 2,3,4)

http://www.openbsd.org/faq/pf/pools.html#outgoing
Re: Reversing audio channels
Antti Harri wrote:

On Sun, 20 Jan 2008, L. V. Lammert wrote:
Ahh, .. swap the speakers or wires??
I still don't understand why such a simple thing isn't implemented in the software.. Yeah yeah, missing the daemon and other crap. I guess I'll have to swap the places of the speakers; it would have been better as is and swapped the output of the sound card.

It would be better to code what you want, instead of wondering and barking here "oh, why is this not done?!". It would have taken you no more than 10 mins to reverse the cables. Oh - you can also try installing Windows and try to switch the channels there (and then go complain to Microsoft that you can't).
Re: Reversing audio channels
Antti Harri wrote:

On Sun, 20 Jan 2008, NetOne - Doichin Dokov wrote:
It would have taken you no more than 10 mins to reverse the cables. Oh - you can also try installing Windows and try to switch the channels there (and then go complain to Microsoft that you can't).
Haahaa. Very funny. Now why would I rip a perfectly good cable? Or why would I waste lots of money on new speakers?

Did I say to rip the cable? Grab a male and a female connector, cross-connect them, and you're done.

Are you trying to say that OpenBSD's sound card support rocks and kicks ass? Do some research, even the devs acknowledge that it is not the best in the world.

Am I? I'm writing in English, would you mind reading my statement again?

Don't get me wrong, I appreciate their code and effort, it's idiots like you that I hate.

Idiots are people that tend to classify other people without knowing anything about them. Now, read again and see who does that.

PS. A small adapter that switches the cables would be okayish.

See? You've got the solution by yourself. But waaait, it was a hell of a lot better to bark on the mailing list calling people names, wasn't it?
Still wishing you the best, the Idiot
Re: Concurrent PPPoE(4)?
Sunnz wrote:

Just wondering, has anyone ever used 2 PPPoE(4) connections on one real interface, and whether it should work or not? I only have one account with my ISP but they gave me 2 logins, and up to 4 concurrent logins are allowed with their TOS. My hardware ethernet gem(4) is connected to a modem, with the modem running in bridge mode. I was able to establish one pppoe(4) connection which I can NAT machines behind OBSD to the internet with... and also ssh back to OBSD from the internet.
Modem (Bridge) - OBSD - LAN
But it doesn't work quite the way I wanted when I made 2 pppoe(4) connections, with hostname.pppoe0 and hostname.pppoe1 under /etc/. I was able to NAT machines behind OBSD with either pppoe0 OR pppoe1. So as far as NAT goes, it is fine. But I was only able to ssh to pppoe1's IP address from the internet, not pppoe0's IP address. I also attempted to traceroute the 2 IPs from the internet; only pppoe1's IP works. It is very surprising as NAT works... where the 'response' must make its way back to pppoe0's IP somehow...

You only have one default gateway, so the last pppoe session established sets it to its interface. The behaviour you're observing is absolutely normal. You should dig into pf's route-to, packet tagging and state-keeping options if you need to ssh back to the machine on both interfaces, or do whatever you want _from the machine itself_. There are a lot of examples on the net (including one in the PF FAQ if I'm not mistaken) on what is the proper way of setting up several uplinks as you want.
Regards, Doichin
Re: So, is there a sure way to delete a file? (Was Re: UNIX way of undeleting files?)
bofh wrote:

On Jan 19, 2008 1:27 PM, Ted Unangst [EMAIL PROTECTED] wrote:
On 1/18/08, bofh [EMAIL PROTECTED] wrote:
I think he means sshd. And it really doesn't matter, once you make install, you'll overwrite the vulnerable copy with the new one, and all the hardlinks won't matter, because they'd be linked to the new file.
except that they won't. the point of a hard link is it points to the file, not the name. it's not a symlink.
I don't get what you're talking about. If you overwrite the file (vulnerable sshd) with a new one, the file gets replaced. All the hardlinks would point to the new file.

$ uname -a
OpenBSD urd.spidernet.to 4.1 GENERIC#0 i386
$ echo apple > test
$ ln test test2
$ ls -l test*
-rw-r--r-- 2 tai wheel 6 Jan 19 19:43 test
-rw-r--r-- 2 tai wheel 6 Jan 19 19:43 test2
$ cat test test2
apple
apple
$ echo orange > test2
$ cat test
orange
$
$ echo apples > apples
$ echo bananas > bananas
$ ln bananas whats_cooking
$ mv bananas oranges
$ echo oranges > oranges
$ cat whats_cooking
oranges
$
$ echo apples > apples
$ echo bananas > bananas
$ ln -s bananas whats_cooking
$ mv bananas oranges
$ cat whats_cooking
cat: whats_cooking: No such file or directory
$ echo bananas > bananas
$ cat whats_cooking
bananas
$

Mmm, yummy! Do you get it now? man ln(1) - it's all there.
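An added example, not part of the thread: the two transcripts above give different results because a hard link follows the inode, not the name. Writing through the shell's redirection reuses the existing inode (every hard link sees the new bytes), while mv(1), and install(1), which unlinks the target before copying, give the name a fresh inode and leave the old bytes reachable through the other link. The script runs in a scratch directory with a constructed text file named "sshd" standing in for the binary, and shows the pre-flight check for the second case: list every name sharing the inode before replacing it.

```shell
#!/bin/sh
# Added example (not from the thread). Compares two ways of "replacing" a
# file that has a second hard link, then shows the check that finds the
# stale copy. Everything lives in a scratch directory; "sshd" is a text file.

set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# link_count FILE -> number of directory entries pointing at FILE's inode
link_count() {
    ls -ld "$1" | awk '{ print $2 }'
}

# names_sharing FILE DIR -> every regular file under DIR on FILE's inode.
# This is the pre-flight check: run it before replacing a binary so that
# every alias of the old inode is known and can be replaced too.
names_sharing() {
    inum=$(ls -id "$1" | awk '{ print $1 }')
    find "$2" -xdev -type f -inum "$inum" | sort
}

# replace_in_place FILE CONTENT: truncate and rewrite the existing inode
replace_in_place() {
    printf '%s\n' "$2" > "$1"
}

# replace_by_rename FILE CONTENT: write a new inode, then rename it over FILE
# (mv does this; install(1) reaches the same state by unlinking first)
replace_by_rename() {
    printf '%s\n' "$2" > "$1.new"
    mv -f "$1.new" "$1"
}

# setup MODE -> directory holding "sshd" plus a hard link "sshd.backup"
setup() {
    d="$WORK/$1"
    rm -rf "$d" && mkdir "$d"
    printf 'vulnerable\n' > "$d/sshd"       # constructed stand-in content
    ln "$d/sshd" "$d/sshd.backup"            # the second name for the inode
    printf '%s\n' "$d"
}

# copy_after MODE -> what the hard-linked copy reads once "sshd" is replaced
copy_after() {
    d=$(setup "$1")
    case "$1" in
        in_place) replace_in_place "$d/sshd" fixed ;;
        rename)   replace_by_rename "$d/sshd" fixed ;;
        *) echo "unknown mode $1" >&2; return 1 ;;
    esac
    cat "$d/sshd.backup"
}

# links_after MODE -> link count of "sshd" once it is replaced:
# still 2 after an in-place write, 1 after a rename (the backup kept the old inode)
links_after() {
    copy_after "$1" > /dev/null
    link_count "$WORK/$1/sshd"
}

# Demonstration when run directly.
d=$(setup preflight)
echo "names sharing the inode of $d/sshd before replacing it:"
names_sharing "$d/sshd" "$d"
for mode in in_place rename; do
    printf '%-8s: backup reads "%s", sshd link count is now %s\n' \
        "$mode" "$(copy_after "$mode")" "$(links_after "$mode")"
done
```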
OT: Call for help with fax testing
Hi all, This is waaay off-topic, but is the most obvious way for me to seek this kind of help. We're currently testing a fax termination system over VoIP trunks, and need some tests from international numbers (we're located in Bulgaria). All I'm asking is, if you are able to - send a fax to +359-86-510-214 (this is a Bulgarian fixed phone, no premium rates, etc.), with something written - no matter what it is - just to see if they are correctly received. Please note that this will cost you money - as much as it costs you to call a Bulgarian land-line. If anyone can do that, I would highly appreciate it - if not - thank you anyway, and - again - sorry for the off-topic!
Kind regards, Doichin Dokov
Re: OpenBSD 4.2 dhcpd(8)
[EMAIL PROTECTED] wrote:

----- Original Message -----
From: Tim Stewart [EMAIL PROTECTED]
To: misc@openbsd.org
Sent: Wednesday, January 16, 2008 9:29 AM
Subject: OpenBSD 4.2 dhcpd(8)

Hello all, Does anyone know which version of ISC DHCP OpenBSD 4.2 uses for dhcpd(8)? I wasn't able to find any clue on the webpage or associated documentation. It feels a lot like a 2.x release based on the options available, but I just want to make sure. Thanks. -- -TimS

I just started this OpenBSD ride. But Webmin 1.8 tells me DHCP is VER 3.

OpenBSD uses its own dhcpd, not the ISC one.
Re: need people to test this patch with acpi
Is this for -current only, or you need testing on 4.2 too? Marco Peereboom P=P0P?P8QP0: Please test this on all acpi capable machines and send me a dmesg if you see this in the dmesg: store from field!! If you see this panic or something similar: acpi0: tables DSDT FACP SLIC HPET APIC MCFG TCPA SSDT SSDT SSDT SSDT SSDT wrong setbufint type 2ca8 Called: \\_SB_.C003.C098.C155 arg0: 0xd17b7910 cnt:01 stk:00 objref: 0xd176d484 index: [\\_SB_.C06A] 0xd176d484 cnt:02 stk:00 field: bitpos=02e0 bitlen=00a0 ref1:d176c904 ref2:0 [Field] [\\_SB_.C043] 0xd176c904 cnt:32 stk:00 opregion: 00,3f7e7dc0,140 arg1: 0xd17b793c cnt:01 stk:00 objref: 0xd1756410 index: 0xd1756410 cnt:00 stk:60 integer: 0 local0: 0xd1756a10 cnt:00 stk:60 integer: 0 2c7d Called: \\_SB_.C003.C098._INI local0: 0xd1756410 cnt:00 stk:60 integer: 0 panic: aml_die aml_setbufint:983 please try this diff: Index: dsdt.c === RCS file: /cvs/src/sys/dev/acpi/dsdt.c,v retrieving revision 1.106 diff -u -p -r1.106 dsdt.c --- dsdt.c 2 Dec 2007 22:24:54 - 1.106 +++ dsdt.c 16 Jan 2008 20:20:27 - @@ -980,9 +980,10 @@ void aml_setbufint(struct aml_value *dst, int bitpos, int bitlen, struct aml_value *src) { - if (src-type != AML_OBJTYPE_BUFFER) + if (src-type != AML_OBJTYPE_BUFFER) { + aml_showvalue(src, 0); aml_die(wrong setbufint type %d\n, src-type); - + } #if 1 /* Return buffer type */ _aml_setvalue(dst, AML_OBJTYPE_BUFFER, (bitlen+7)3, NULL); @@ -1633,10 +1634,17 @@ aml_setvalue(struct aml_scope *scope, st struct aml_value tmpint; /* Use integer as result */ + memset(tmpint, 0, sizeof(tmpint)); if (rhs == NULL) { - memset(tmpint, 0, sizeof(tmpint)); rhs = _aml_setvalue(tmpint, AML_OBJTYPE_INTEGER, ival, NULL); } + else if (rhs-type == AML_OBJTYPE_BUFFERFIELD || +rhs-type == AML_OBJTYPE_FIELDUNIT) + { + printf(store from field!!\n); + aml_fieldio(scope, rhs, tmpint, ACPI_IOREAD); + rhs = tmpint; + } if (!is_local(scope, lhs)) lhs = aml_dereftarget(scope, lhs); 
@@ -1725,6 +1733,7 @@ aml_setvalue(struct aml_scope *scope, st dnprintf(10, setvalue.unknown: %x, lhs-type); break; } + aml_freevalue(tmpint); } /* Allocate dynamic AML value
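Review bot: in the aml_setvalue hunk (@@ -1633), the new branch reads the field with aml_fieldio(scope, rhs, &tmpint, ACPI_IOREAD) and then points rhs at the stack-allocated tmpint, so tmpint may now own buffer storage; the aml_freevalue(&tmpint) added at the end of the function is what releases it, but only if aml_setvalue has no early return between the read and that point. Worth confirming before commit, since a return inside the switch would leak the buffer. The printf("store from field!!\n") is unconditional and fires on every field-to-object store on every boot; that is fine for this test round (the string is exactly what testers are asked to report from dmesg), but it should become a dnprintf or be dropped before the diff goes in.

Review bot: the aml_freevalue(&tmpint) added after the switch (@@ -1725) now also runs in the two cases where the new branch was not taken: rhs supplied by the caller, so tmpint is only the zeroed struct from the hoisted memset, and rhs == NULL, where tmpint holds a plain integer from _aml_setvalue. Both should be harmless, but the first relies on aml_freevalue tolerating an all-zero value, which is worth a quick check.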
Re: facts about OpenBSD
Nikns Siankin wrote:

On Mon, Jan 14, 2008 at 01:14:07PM +0100, Peter N. M. Hansteen wrote:
Nikns Siankin [EMAIL PROTECTED] writes:
When we meet in Riga, I would like to hear from you an explanation of how putting an md5 checksum file *along* with the installables on the same vulnerable channel helps to make sure that they are not backdoored ;]
you don't have to wait that long. fetch the files from different mirrors.
hahaha. yeah. different vulnerable mirror, while I'm MITM'ing your ISP. see ya
-- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/ Remember to set the evil bit on all malicious network traffic delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

Go buy the CD set, Mr. Security - or don't you trust the postman either? Now - seriously - let's stop all the shit. misc@ has been 99% flame these days...
Regards, Doichin
Re: Improving disk reliability
Douglas A. Tutty wrote:

On Jan 8, 2008, at 6:29 AM, Douglas A. Tutty wrote:
I know that the FAQ says to just use dump to make backups, but what if you want a tape of a specific group of files for archiving? When did the dump format last change? Since it reads the filesystem directly, I'd assume that it's filesystem-specific. What if you want portability across OSs and file system types? Is there any more-or-less universal format?
tar(1) with gzip(1).
Re Amanda: for me, it's likely too complex since I only have two boxes and one is a desktop only. Right now it runs its own backup script to create a tarball, then the main box rsyncs that over to it.
see? works fine. Amanda basically does that, without using ssh and without some kind of security (this may have changed recently). It also keeps a reference database for which file is stored on which tape, and an index on each tape of the contents.
Well, right now, I just do full backups. Incrementals get rather tedious. Especially since they find new files but they don't notice a file that has been deleted. So I don't need a list of what files are in which tarball but rather just what date it is. A simple log: this tape, this date, this tarball.
All in all, pretty smart design. The best thing out of the features AMANDA provides is this tidbit: everything is in gtar to keep things as a standard.
As long as the archive format that it tells tar to use is compatible with whatever version of tar you go to use in 20 years; but that's another topic.
Thanks, Doug.

Bacula (www.bacula.org) is your friend.
Regards, Doichin
Re: OpenBSD as DSL Router using hostname.pppoe0?
[EMAIL PROTECTED] wrote:

Well, with static IPs I've no problem either. It's just after the forced disconnect by the ISP and after pppoe0 got a new IP. Then NAT and routing fail. I solve this via a rule reload (after pppoe0 got a new IP), but that looks like some stone-age method (seriously..). I just wonder if somebody else noticed this and if somebody may have solved this in a different way.
Kind regards, Sebastian

I guess you use ($ext_if) - with brackets - instead of the IP address manually entered (which you obviously don't know). This way PF monitors the interface for changes of its IP address and adjusts rules accordingly. You can verify that it does by doing a 'pfctl -s rules' after a reconnection, without first reloading the ruleset. The problem, though, is probably the states which were already created - they keep matching the old IP. Clearing the state table should be sufficient, and I think this could be done with a macro in your hostname.pppoe0, like this:
!pfctl -F state
I've personally never had to do such things, so consider everything I say just as suggestions.
Kind regards, Doichin
Re: OpenBSD as DSL Router using hostname.pppoe0?
[EMAIL PROTECTED] wrote:
I guess you use ($ext_if) - with brackets - instead of the IP address manually entered (which you obviously don't know). This way PF monitors the interface for changes of its IP address and adjusts rules accordingly. You can verify if it does by doing a 'pfctl -s rules' after a reconnection, without first reloading the ruleset. The problem, though, is probably the states which were already created - they keep matching the old IP. Clearing of the state table should be sufficient, and I think this could be done with a macro in your hostname.pppoe0, like this:
!pfctl -F state
I've personally never had to do such things, so consider everything I say just as suggestions. Kind regards, Doichin
Well, I added your macro right now, but I'm unsure if hostname.pppoe0 is read every time pppoe0 gets a disconnect (and later a new IP). I think hostname.pppoe0 is read once on boot and the rest is all in kernelspace then (Oh, a disconnect! No worries, let's try to reconnect...!). I might be wrong and I might have understood the concept in a wrong way, but hostname.pppoe0 gets called once (and just once) at boot. So how could this macro help after pppoe0 got a new IP? Or is hostname.pppoe0 really read once after pppoe0 got a disconnect?!
I'm unsure of this, too, and the man pages of hostname.if and pppoe seem unclear about this. But I guess you're right - commands will be executed only on system boot or network restart.
So far I never used such a macro because of my understanding it would have no effect (not even at boot time, because pppoe0 sometimes has no IP for 2-3 secs (the OS boots further, pf gets enabled) and then it has).
You set $ext_if to pppoe0. Then by using ($ext_if) PF knows it has to look up the IP address of the interface, and reflect changes to it back in the ruleset. So I guess at least at boot time it should be of help. The ! command in the hostname.pppoe0 file is irrelevant at boot - you don't have any states to flush. Regards, Doichin
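The ruleset Doichin describes, written out as an added example; it is not configuration posted in the thread. The interface names, the inside network and the hard-coded address are assumptions, and the nat rule is the OpenBSD 4.x-era syntax this thread was written against. The weak form (address frozen at load time) and the corrected form (interface in parentheses) sit side by side:

```conf
# /etc/pf.conf  (OpenBSD 4.x-era syntax; added example, not from the thread.
# pppoe0/em1, 192.168.1.0/24 and 203.0.113.7 are assumptions.)
ext_if  = "pppoe0"
int_if  = "em1"
int_net = "192.168.1.0/24"

set skip on lo

# WEAK: the translation address is fixed at the moment 'pfctl -f' runs.
# After the ISP drops the PPPoE session and pppoe0 comes back with a new
# address, outbound NAT still rewrites to the old one until the ruleset
# is reloaded by hand.
# nat on $ext_if from $int_net to any -> 203.0.113.7

# CORRECTED: in parentheses PF re-reads the interface's current address
# every time the rule is evaluated, so NAT follows the new pppoe0 address
# without a reload.
nat on $ext_if from $int_net to any -> ($ext_if)

block in log on $ext_if
pass  in  on $int_if from $int_net to any keep state
pass  out on $ext_if keep state
```

To verify after a reconnect, `pfctl -s nat` (translation rules are listed separately from filter rules in 4.x) should show `(pppoe0)` where the fixed address used to be, and `pfctl -s states` will still list states bound to the old address until they expire or are flushed. As the thread concludes, a `!pfctl -F states` line in hostname.pppoe0 only runs when the interface is configured at boot or by netstart, not on each PPPoE renegotiation, so it does not address those stale states.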
Re: OpenBSD for routing firewalling a 100Mbit/s connection
Carl Roberso wrote:
NetOne - Doichin Dokov wrote: In fact, we use also a bit more complicated BGP setup. Don't know if it would be in any help for you
Doichin, your practical, hands-on examples are true gold for me, really. Again, thank you very much for your help. My router/firewalls, after your tuning recommendations, work flawlessly; I'm very pleased. Your load-balancing option is very interesting, and I'll investigate it further next week. As in any gateway solution traffic shaping / rate limiting is very important, as you pointed out, I was wondering if it can be set up in OpenBSD something like the ATM functional paradigm, where, after giving a global PCR for a dot1q trunk (ex. 40 Mbit/s), you can give to various VLANs PCRs and MCRs (ex. VLAN 1 with 20Mbit/s PCR, 10Mbit/s MCR, and VLAN 2 with 40Mbit/s PCR, 30Mbit/s MCR). I tried hard to figure out a way to do this from the official documentation and by hard-Googling (for hours), but without any success. Cheap rate-limiting in that way can be done, in a mad but cheap way, with a pair of old Cat 2924M with an ATM 155 and a Gigabit Ethernet module (switch, modules and GBIC are under $90 on eBay), crossed in ATM, so you connect the dot1q trunk in one switch, do the shaping at the LANE level, then extract shaped services on the other switch (as a trunk on GE, or on single ports), but... of course... it's really a dirty spaghetti-style solution. Have you any advice on making shaping on an OpenBSD router/firewall in an ATM style?
Yes, that's possible with OpenBSD and PF / ALTQ. You need the HFSC queueing algorithm. A very nice site with docs about this is http://www.probsd.net/pf/index.php/Main_Page Using HFSC, you can assign each queue a realtime rate (MCR) and an upperlimit (PCR), then set up the physical interface queue to the total bandwidth available. We use HFSC here for this, and it's performing quite fine, so if you need examples, just drop a line. Another good place for help is the #pf channel on the FreeNode IRC network. I also used to hang in there, but we've recently had problems with our main office building (part of the next building collapsed over it), so I'm personally not available very much lately.
You can set up the vlans you want to shape on one physical interface. Remember that you configure ALTQ and all queues on the PHYSICAL interface; then you can use arbitrary PF rules to catch traffic and assign it to queues, NO MATTER on which interface. Read the docs, play with it and come back to the list when you need help. It would be good if you provide some conf files about your setup - how the interfaces are set up, what exactly you want to shape, etc. Regards, Doichin
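Carl's numbers, expressed as an added pf.conf excerpt (not configuration posted in the thread). em0 as the physical interface carrying the dot1q trunk and vlan1/vlan2 as its vlan(4) children are assumptions, as is the OpenBSD 4.x ALTQ syntax. It maps PCR to HFSC's upperlimit and MCR to realtime, as Doichin describes, defines the queues on the physical interface, and classifies with rules that match on the vlans:

```conf
# /etc/pf.conf excerpt, OpenBSD 4.x ALTQ/HFSC syntax. Added example, not
# from the thread; em0 (trunk) and vlan1/vlan2 (its children) are assumed.
# Carl's figures: trunk 40Mb; VLAN1 PCR 20Mb / MCR 10Mb; VLAN2 PCR 40Mb / MCR 30Mb.

# ALTQ is configured on the PHYSICAL interface carrying the trunk,
# never on the vlan(4) interfaces themselves.
altq on em0 hfsc bandwidth 40Mb queue { vlan1_q, vlan2_q, std_q }

# realtime   = MCR: served first, guaranteed even when em0 is saturated
# upperlimit = PCR: hard ceiling even when em0 is otherwise idle
# bandwidth  = link-share weight, splits whatever capacity is left over
queue vlan1_q bandwidth 10Mb hfsc(realtime 10Mb, upperlimit 20Mb)
queue vlan2_q bandwidth 29Mb hfsc(realtime 30Mb, upperlimit 40Mb)
# The realtime curves of the children may not exceed the parent's 40Mb;
# 10 + 30 uses all of it, so the default queue gets a share but no guarantee.
queue std_q   bandwidth  1Mb hfsc(default)

# Rules may classify on any interface; the queue is serviced when the
# packet is transmitted on em0, whichever vlan the rule matched on.
pass out on vlan1 keep state queue vlan1_q
pass out on vlan2 keep state queue vlan2_q
```

The three HFSC curves are independent: realtime guarantees, upperlimit caps, and the `bandwidth` weights only decide how spare capacity is shared. `pfctl -vvs queue` prints per-queue packet and byte counters, which is the quickest way to confirm that VLAN traffic is actually landing in vlan1_q and vlan2_q rather than falling through to std_q.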
Re: ibgp
Tom Bombadil wrote:
Greetings... We are trying to use a couple of routers with carp and uplinks with 2 different providers. One router as master and another one as slave. The slave gets all the routes from the master using IBGP. The problem is that when I bring the interface of the master down to test if the failover works, the slave deletes all the routes it got from the master. Is there any way of retaining those IBGP routes for some time after the tcp connection is severed, or until the slave server (now master) can connect to the external peers and get routes from them? Or... if anybody has any other hint for a more resilient setup, I'd be glad to hear. Thanks a bunch, g.
Several days ago I wrote something on the topic, but not sure if it made it to the list:
Carl Roberso wrote: NetOne - Doichin Dokov wrote: The BGP problem is solved by doing this:
Thank you very much Doichin for pointing this out: all of you were so helpful! Best wishes!
You're more than welcome! In fact, we use also a bit more complicated BGP setup. Don't know if it would be in any help for you, but I'll describe it here just for the thread to be complete in case anyone starts digging :) The configuration I described in my previous post (3 IPs per upstream provider, 2 dedicated, 1 CARP-shared) works flawlessly, BUT traffic goes only through one of the routers at a time. As we were not just routing, but also doing a lot of shaping, we wanted to load-balance things and make both of the systems do some job when they are both up. So, the scheme grew from 3 to 4 IPs per upstream provider - 2 dedicated IPs for each firewall, and 2 CARP-shared IPs. Firewall #1 was default master for shared IP one, Firewall #2 was default master for shared IP two.
Let's say the IPs are:
Firewall #1
172.16.0.1 - static, not in CARP, used for BGP communication with upstream
172.16.0.3 - CARP shared, default master
172.16.0.4 - CARP shared, default slave
Firewall #2
172.16.0.2 - static, not in CARP, used for BGP communication with upstream
172.16.0.3 - CARP shared, default slave
172.16.0.4 - CARP shared, default master
Then, we told our provider to set nexthop to 172.16.0.3 for networks we sent to them with a community COMM1, and to set nexthop to 172.16.0.4 for networks we sent to them with a community COMM2. Then, in our BGP setup (equal on both firewalls, apart from the IP address / router ID), all we had to do is mark half of the networks, which we wanted to go through Firewall #1 by default, with community COMM1, and the others, to go to Firewall #2 by default, with community COMM2. Of course, you have to have a similar setup (though probably without BGP) on the internal side of the firewalls for things to work properly, again 2 CARP ifs and traffic originating from the networks routed to Firewall #1 and Firewall #2 sent to the very same machine, otherwise you run into state problems, shaping problems (if you do that on the machines, we do), and maybe something else I could not come up with now :) By the way, a nice new IP load-balance option was recently added to CARP, which might obsolete the setup I describe, but I've not played with that yet. Whatever you choose to do, you could always come back for help in case you need it. Regards, Doichin
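The four-address scheme just described, as an added configuration example for Firewall #1; these are not files posted by Doichin. The upstream's peer address 172.16.0.254, the AS numbers, the two announced prefixes, the CARP password and the 4.x-era bgpd.conf keywords are all assumptions; the three 172.16.0.x addresses are the ones from the post. Firewall #2 differs only in the lines marked and in swapping the advskew values so that it is default master for 172.16.0.4:

```conf
# Firewall #1, ISP1-facing side. Added example of the 4-IP scheme; not from
# the thread. 172.16.0.254 (ISP router), AS 65001/65000, the two prefixes,
# the CARP password and 4.x-era bgpd.conf syntax are assumptions.

# /etc/hostname.em0   -- dedicated address, carries this box's BGP session
inet 172.16.0.1 255.255.255.0 NONE

# /etc/hostname.carp0 -- shared IP one, FW#1 default master (low advskew)
inet 172.16.0.3 255.255.255.0 172.16.0.255 vhid 1 carpdev em0 pass carpsecret advskew 0

# /etc/hostname.carp1 -- shared IP two, FW#1 default backup (high advskew)
inet 172.16.0.4 255.255.255.0 172.16.0.255 vhid 2 carpdev em0 pass carpsecret advskew 100

# /etc/bgpd.conf -- identical on FW#2 except the three lines marked FW#2
AS 65001
router-id 172.16.0.1                  # FW#2: 172.16.0.2
listen on 172.16.0.1                  # FW#2: 172.16.0.2

# COMM1 = 65001:1 -> ISP sets next-hop 172.16.0.3 (whoever is carp0 master)
# COMM2 = 65001:2 -> ISP sets next-hop 172.16.0.4 (whoever is carp1 master)
# Half the prefixes get each community; the same two lines live on FW#2.
network 192.0.2.0/24    set community 65001:1
network 198.51.100.0/24 set community 65001:2

neighbor 172.16.0.254 {
        descr           "ISP1"
        remote-as       65000
        local-address   172.16.0.1    # FW#2: 172.16.0.2, never a CARP address
        announce        self          # only our own networks, never transit
}
```

Both BGP sessions stay established all the time; the provider's policy (which they have to configure on their side) turns COMM1/COMM2 into the two shared next-hops, so CARP state rather than BGP convergence decides which box receives a prefix's inbound traffic, and a failover moves the shared address without waiting for a session to time out or a table to be re-downloaded. The inside of the pair has to mirror the split, as the post says, so that a prefix's outbound traffic leaves through the same box its inbound traffic enters; otherwise each firewall sees only half of every connection and stateful filtering breaks.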
Re: Filtering on an IPSEC bridge
tim wrote:
Hello, I would like to know the way to filter on an IPSEC bridge. I would like to pass all traffic to and from each side of the bridge. I don't know which interfaces and protocols to use. I've looked all over, and seem to find minimal information on this. Sure could use a hand. Regards, Tim
We don't know, either, unless you post some more details about your setup (interfaces' configs, pf.conf). Though, what you probably need is to set skip on the enc0 interface, and pass the ipsec traffic on the physical interface. Regards, D.
Re: How to test if pfsync is working?
Jake Conk wrote:
Hello, I have pfsync set up between two servers and they're connected to each other through a crossover cable just as suggested in the FAQ. Now how do I test to make sure it's working properly and rules and states are being synced up? I have ftp-proxy set up, so if I connect to an ftp server through ftp-proxy it should open that other ftp port on the server I'm going through as well as on the server it's syncing pf with, but how do I test that to make sure it's working? Thanks, - Jake
I believe pfsync synchronizes states only, not firewall rules. You could check whether it's running fine by watching the state table on the backup machine - if it shows states created on the other machine, then it's probably fine. 'man pfsync' is your friend, examples included. Regards, Doichin
Re: OpenBSD for routing firewalling a 100Mbit/s connection
Carl Roberso wrote:
Henning Brauer wrote: 6000 irq/s is not much. increase sysctl net.inet.ip.ifq.maxlen.
Thank you v-e-r-y much Henning, this seems to have cured the problem. Another problem seems left, anyway. :( I'm running bgpd on both OpenBSD boxes: it's really a fine piece of software, but when dealing with a setup like mine (the same box does PF and BGP routing, from here on "the firewall"), you can get in trouble when using one BGP session per provider per firewall, and the uplink ISP gets you some packets on firewall A, some others on firewall B (so, there isn't a priority on BGP session). Another similar problem arises when firewall B becomes master: the packet flow on firewall A stops, but maybe its BGP sessions remain active (the most active, or the really one with most priority, depends on the ISP)... and packet confusion starts. Of course a solution seems to be having a BGP session active ONLY when a given firewall is active... but this means that when CARP instantly (without losing the TCP sessions) helps to switch to the secondary firewall... everything will be blocked, waiting for the BGP session to download routes. Any of you guys has a hint also for this situation (that's having concurrent BGP sessions, but making sure that the master firewall gets all packets coming from all BGP sessions, without mangling with PF states)? Again, thank you in advance.
The BGP problem is solved by doing this: You need 3 IPs for communicating with each provider. Let's say you have 172.16.0.1, 172.16.0.2 and 172.16.0.3 to communicate with ISP1. You set up 172.16.0.1 on Firewall #1, 172.16.0.2 on Firewall #2, and you set up 172.16.0.3 on both of them with CARP. Then you establish BGP sessions from 172.16.0.1 and 172.16.0.2 to your provider, and tell the provider to set next-hop for both of them to 172.16.0.3. This way both of the sessions are live, and traffic goes to the active machine. Once it fails, the other one takes over the common 172.16.0.3 and keeps receiving the traffic without waiting for BGP timeouts, nor BGP prefix download or something else. Do the same with ISP2 and you're ready to go. Regards, Doichin
Re: OpenBSD for routing firewalling a 100Mbit/s connection
Carl Roberso wrote:
Henning Brauer wrote: 6000 irq/s is not much. increase sysctl net.inet.ip.ifq.maxlen.
Thank you v-e-r-y much Henning, this seems to have cured the problem. Another problem seems left, anyway. :( I'm running bgpd on both OpenBSD boxes: it's really a fine piece of software, but when dealing with a setup like mine (the same box does PF and BGP routing, from here on "the firewall"), you can get in trouble when using one BGP session per provider per firewall, and the uplink ISP gets you some packets on firewall A, some others on firewall B (so, there isn't a priority on BGP session). Another similar problem arises when firewall B becomes master: the packet flow on firewall A stops, but maybe its BGP sessions remain active (the most active, or the really one with most priority, depends on the ISP)... and packet confusion starts. Of course a solution seems to be having a BGP session active ONLY when a given firewall is active... but this means that when CARP instantly (without losing the TCP sessions) helps to switch to the secondary firewall... everything will be blocked, waiting for the BGP session to download routes. Any of you guys has a hint also for this situation (that's having concurrent BGP sessions, but making sure that the master firewall gets all packets coming from all BGP sessions, without mangling with PF states)? Again, thank you in advance.
And, about the ifq.maxlen sysctl, a good indication you need to increase it is if the net.inet.ip.ifq.drops sysctl is increasing. It should stay at 0 or not increase any more after you have tuned ifq.maxlen. Regards, Doichin
Re: Strange em(4) issues
Chris Cappuccio wrote:
I've got a pair of h8ssl-i boards that work fine at 133mhz. I have another set that I run at 66mhz, but only because that's the max the raid controller supports (some kind of LSI card. I like the areca better though). bge shows up as:
bge0 at pci2 dev 3 function 0 Broadcom BCM5704C rev 0x10, BCM5704 B0 (0x2100): irq 5, address 00:30:48:56:68:d4
brgphy0 at bge0 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
bge1 at pci2 dev 3 function 1 Broadcom BCM5704C rev 0x10, BCM5704 B0 (0x2100): irq 9, address 00:30:48:56:68:d5
brgphy1 at bge1 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
In fact, the H8-SSL-I2 docs say the jumper is for the PCI-X slot, not for the PCI-X bus, so I guess the onboard BCM5704C is unaffected by its settings. Anyway, whether it is or is not, it surely IS working fine, except for the input errors Stuart pointed out he had, which I could confirm. I've not seen any problems with traffic flowing through them, though, but Stuart has. Also, nobody claims the PCI-X is not workable on a 133 MHz bus; what it seems like is that there's a compatibility issue between recent Intel em(4)s and the ServerWorks HT-1000 (or this Supermicro board). In my opinion, it's too bad that hardware of exactly these two brands, which are none-the-less big names in the server market, is unable to play together nicely at 133 MHz. It's a shame! Regards, Doichin
Stuart Henderson [EMAIL PROTECTED] wrote:
On 2007/11/30 09:57, Girish Venkatachalam wrote: On 20:47:57 Nov 29, Stuart Henderson wrote: Been there, done that. If you use plaintext protocols (ftp or so) over the interface, you'll see random corruption visible in the data (e.g. directory listings). At 133MHz there's some corruption between motherboard and card. Disappears at 66MHz. Normally this would be masked by TCP checksums (you'd get packet loss, but it would mostly be corrected rather than pass corrupt packets up the stack), but the em(4) does offload TCP checksum processing to the card, so the checksum no longer covers the transfer over the PCI bus, hence the weird protocol errors.
TCP checksums, or for that matter any checksum, cannot catch *all* errors.
Agreed, hence the "mostly".
Since there is a MAC computation for every packet, this will easily help you identify the problem.
With this happening, you're lucky to get an ftp banner through without corruption; I don't think I ever had an SSH session set up. I already have two workarounds: one is to use the old quad em(4) with the IBM (Tundra) bridge (which works ok at 64x133, but the RJ45 sockets are the wrong way up to latch correctly in some of Supermicro's 1U cases), the other is to use the newer cards (Pericom bridge) at 66MHz. I haven't heard of this happening on other systems (and other 64x133 cards work), I suspect it's a hardware problem between H8SSL and the Pericom bridge chip.
Re: This list: CC and TO fields
L wrote:
When I reply to the group, it puts the person's address and the group's address in the TO/CC fields. Is it possible for the server to just send mail in the TO field to the group only, and not have a CC? Is this on purpose, so that in case the list is ever down, the person gets the mail anyway? On the mailing lists that I manage I always turn this option off, so that anyone who replies to the list only replies to the list but not to the actual person too. Not a big deal, just wondering if this is by design and on purpose. L505
Don't know about this mailing list in particular, but it's often done this way because sometimes people not on the mailing list occasionally send a mail to it without being subscribed to it. This makes sure they get all the related posts, though with the downside of subscribers of the mailing list getting 2 mails for each reply on a thread they've started.
Re: OpenBSD for routing firewalling a 100Mbit/s connection
Carl Roberso wrote:
NetOne - Doichin Dokov wrote: The BGP problem is solved by doing this:
Thank you very much Doichin for pointing this out: all of you were so helpful! Best wishes!
You're more than welcome! In fact, we use also a bit more complicated BGP setup. Don't know if it would be in any help for you, but I'll describe it here just for the thread to be complete in case anyone starts digging :) The configuration I described in my previous post (3 IPs per upstream provider, 2 dedicated, 1 CARP-shared) works flawlessly, BUT traffic goes only through one of the routers at a time. As we were not just routing, but also doing a lot of shaping, we wanted to load-balance things and make both of the systems do some job when they are both up. So, the scheme grew from 3 to 4 IPs per upstream provider - 2 dedicated IPs for each firewall, and 2 CARP-shared IPs. Firewall #1 was default master for shared IP one, Firewall #2 was default master for shared IP two.
Let's say the IPs are:
Firewall #1
172.16.0.1 - static, not in CARP, used for BGP communication with upstream
172.16.0.3 - CARP shared, default master
172.16.0.4 - CARP shared, default slave
Firewall #2
172.16.0.2 - static, not in CARP, used for BGP communication with upstream
172.16.0.3 - CARP shared, default slave
172.16.0.4 - CARP shared, default master
Then, we told our provider to set nexthop to 172.16.0.3 for networks we sent to them with a community COMM1, and to set nexthop to 172.16.0.4 for networks we sent to them with a community COMM2. Then, in our BGP setup (equal on both firewalls, apart from the IP address / router ID), all we had to do is mark half of the networks, which we wanted to go through Firewall #1 by default, with community COMM1, and the others, to go to Firewall #2 by default, with community COMM2.
Of course, you have to have a similar setup (though probably without BGP) on the internal side of the firewalls for things to work properly, again 2 CARP ifs and traffic originating from the networks routed to Firewall #1 and Firewall #2 sent to the very same machine, otherwise you run into state problems, shaping problems (if you do that on the machines, we do), and maybe something else I could not come up with now :) By the way, a nice new IP load-balance option was recently added to CARP, which might obsolete the setup I describe, but I've not played with that yet. Whatever you choose to do, you could always come back for help in case you need it. Regards, Doichin
Re: pflog filling up /var mount every 2-3 days!
Jake Conk wrote:
Hello, I have my /var partitioned out to be 150mb, which I thought was enough, but every 2-3 days it gets full because I end up with a pflog file that is ridiculously large! Right now I have one that is 53.6mb and I have gotten them larger, like 100mb+!! Because of this my /var partition fills up and other programs have problems writing logs and stuff... Here is an example:
$ ls -lah /var/log/ | grep pflog
-rw-------  1 root  wheel  98.0K Nov 30 18:02 pflog
-rw-------  1 root  wheel  53.6M Nov 30 02:00 pflog.0
-rw-------  1 root  wheel   1.3M Nov 30 02:00 pflog.0.gz
-rw-------  1 root  wheel   2.2M Nov 30 01:00 pflog.1.gz
-rw-------  1 root  wheel   1.7M Nov 30 00:00 pflog.2.gz
-rw-------  1 root  wheel   1.7M Nov 29 23:00 pflog.3.gz
-rw-------  1 root  wheel   7.0M Nov 29 20:25 pflog.bad.630d9931
I have to keep coming here every couple of days to check if that is full and delete them. My question is, is this normal and I just created my /var mount too small? I think the fact that my pflog is that big is the actual problem; does anyone know of a way to fix this? Thanks, - Jake
Perhaps you want to see what's inside it? Look at your pf.conf, see what you're logging and if you do need it to be logged. Remove anything unnecessary, set up newsyslog to rotate it - there are plenty of options to solve your problem. It's all in the FAQ / man pages.
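An added example of the two knobs Doichin points at; it is not configuration from the thread, and the rules and the `$ext_if` macro are assumptions. The first part puts a ruleset that logs every drop beside one that logs only the drops worth reading; the second is the stock OpenBSD newsyslog.conf entry for pflog with its fields labelled, so it is clear what rotation can and cannot do for a file that grows this fast:

```conf
# /etc/pf.conf -- added example, not from the thread; $ext_if is assumed.

# BEFORE: every dropped packet, including the background noise of scans
# and worms, is appended to /var/log/pflog. 'log' on a catch-all block is
# what turns a 150 MB /var into a 2-3 day fuse.
# block log all
# pass out keep state

# AFTER: 'block' still drops everything; 'log' is a separate decision made
# per rule, here only for inbound hits on services someone will review.
block all
block in log quick on $ext_if inet proto tcp to port { 22, 3389 }
pass  in  on $int_if keep state
pass  out keep state

# /etc/newsyslog.conf -- stock OpenBSD pflog entry, fields annotated.
#   file           mode count size(KB) when flags command
#   Z = gzip the rotated file, B = binary (no "logfile turned over" text
#   is written into the pcap). 'size' is checked only when newsyslog runs.
/var/log/pflog     600  3     250      *    ZB    "pkill -HUP -u root -U root -t - -x pflogd"
```

To see what is actually filling the file before deciding what to stop logging: `tcpdump -n -e -ttt -r /var/log/pflog.0 | less`. newsyslog only acts when cron invokes it (hourly in the stock root crontab, which matches the hourly timestamps in the listing above), so the 250 KB size trigger does not bound growth between runs; a file that reaches 50 MB in an hour needs less logging or a larger /var, not a different rotation count.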
Re: Strange em(4) issues
First, thanks for the prompt reply!
Stuart Henderson wrote:
On 2007/11/29 22:23, NetOne - Doichin Dokov wrote: Two weeks ago I bought an Intel Pro/1000MT dual Gbit NIC because I was soon going to be in need of more ports in one of our 1U systems,
Change the PCI jumper, which is currently probably on auto, to 64 bit 66MHz. You probably need to remove the PCIX card to reach it (unless they changed much of the design between the H8SSL and -I2, which I doubt).
Yes, it's there. Right after the first PCI slot. Will do that in several hours, when most of the users go to sleep :)
which has 2 onboard bge(4)s which are working quite nicely.
the 5704C bge(4) on my H8SSL are all disabled because of Ierrs in netstat -ni, maybe you are luckier :-)
Nope, I'm not:
# netstat -in
Name  Mtu   Network       Address            Ipkts     Ierrs  Opkts     Oerrs  Colls
{snip}
bge0  1500  Link          00:30:48:57:c3:80  44867924  39723  42574046  1      0
bge0  1500  213.137.48.   213.137.48.1       44867924  39723  42574046  1      0
bge0  1500  fe80::%bge0   fe80::230:48ff:fe  44867924  39723  42574046  1      0
bge1  1500  Link          00:30:48:57:c3:81  45170081  33204  42551236  1      0
bge1  1500  fe80::%bge1   fe80::230:48ff:fe  45170081  33204  42551236  1      0
Despite seeing Ierrs, I do not see any performance and connectivity issues. What exactly does lead to having input errors on the bge(4)s? I mean, would they be usable for what I will need the two more ports for? This machine is soon going to have a twin to be backed up with CARP, and I need the two additional interfaces on each of them for: 1) One interface for cross-connecting the machines to do pfsync 2) One interface to connect to a private network and run bacula backups through (I want to use this couple of routers to do some backups at 4-5 a.m. when they are not busy at all). Using em(4)s for the real traffic, would the bge(4)s be suitable for pfsync and bacula backups with these errors they are experiencing? Or should I go get a quad port Intel (I wish I didn't have to spend that much money, though)?
everything from it quite nice, fetch remote sites, etc. Suddenly the SSH connection was dropped with a message I've never seen before - Corrupted MAC header.
Been there, done that. If you use plaintext protocols (ftp or so) over the interface, you'll see random corruption visible in the data (e.g. directory listings). At 133MHz there's some corruption between motherboard and card. Disappears at 66MHz. Normally this would be masked by TCP checksums (you'd get packet loss, but it would mostly be corrected rather than pass corrupt packets up the stack), but the em(4) does offload TCP checksum processing to the card, so the checksum no longer covers the transfer over the PCI bus, hence the weird protocol errors.
Affirmative. Exactly what I'm experiencing.
dmesg errors during the problems with em(4) devices:
em1: watchdog timeout -- resetting
em1: watchdog timeout -- resetting
pckbcintr: no dev for slot 1
pckbcintr: no dev for slot 1
dmesg bge(4) timeouts which happen from time to time:
bge0: watchdog timeout -- resetting
bge1: watchdog timeout -- resetting
mickey posted some diffs on tech@ relating to watchdog problems with bge and em, they might be worth a look.
Are these what you're talking about, or were there any subsequent patches I could not find:
http://article.gmane.org/gmane.os.openbsd.tech/14133
http://article.gmane.org/gmane.os.openbsd.tech/14134
If so, I will apply them and recompile. Again, thank you very much for the help. I highly appreciate it. $30 will be donated to the OpenBSD foundation, plus another copy of the 4.2 CD set bought (we'll need one for the new machine, no? :D). Regards, Doichin
Re: Strange em(4) issues
NetOne - Doichin Dokov wrote:
dmesg bge(4) timeouts which happen from time to time:
bge0: watchdog timeout -- resetting
bge1: watchdog timeout -- resetting
mickey posted some diffs on tech@ relating to watchdog problems with bge and em, they might be worth a look.
Are these what you're talking about, or were there any subsequent patches I could not find:
http://article.gmane.org/gmane.os.openbsd.tech/14133
http://article.gmane.org/gmane.os.openbsd.tech/14134
Those patches apply cleanly on 4.2-stable, but I get compile errors when trying to build the kernel:
cc -Werror -Wall -Wstrict-prototypes -Wmissing-prototypes -Wno-uninitialized -Wno-format -Wno-main -Wno-sign-compare -Wstack-larger-than-2047 -mcmodel=kernel -mno-red-zone -fno-strict-aliasing -mno-sse2 -mno-sse -mno-3dnow -mno-mmx -msoft-float -fno-builtin-printf -fno-builtin-log -fno-omit-frame-pointer -O2 -pipe -nostdinc -I. -I/usr/src/sys/arch/amd64/compile/GENERIC.MP/../../../.. -I/usr/src/sys/arch/amd64/compile/GENERIC.MP/../../../../arch -DDDB -DDIAGNOSTIC -DKTRACE -DACCOUNTING -DKMEMSTATS -DPTRACE -DCRYPTO -DSYSVMSG -DSYSVSEM -DSYSVSHM -DUVM_SWAP_ENCRYPT -DCOMPAT_35 -DCOMPAT_43 -DLKM -DFFS -DFFS2 -DFFS_SOFTUPDATES -DUFS_DIRHASH -DQUOTA -DEXT2FS -DMFS -DXFS -DTCP_SACK -DTCP_ECN -DTCP_SIGNATURE -DNFSCLIENT -DNFSSERVER -DCD9660 -DUDF -DMSDOSFS -DFIFO -DPORTAL -DINET -DALTQ -DINET6 -DIPSEC -DPPP_BSDCOMP -DPPP_DEFLATE -DMROUTING -DBOOT_CONFIG -DUSER_PCICONF -DAPERTURE -DPCIVERBOSE -DUSBVERBOSE -DWSDISPLAY_COMPAT_USL -DWSDISPLAY_COMPAT_RAWKBD -DWSDISPLAY_DEFAULTSCREENS=6 -DWSDISPLAY_COMPAT_PCVT -DONEWIREVERBOSE -DMULTIPROCESSOR -DMPBIOS -D_KERNEL -Damd64 -Dx86_64 -c /usr/src/sys/arch/amd64/compile/GENERIC.MP/../../../../dev/pci/if_bge.c
/usr/src/sys/dev/pci/if_bge.c: In function `bge_txeof':
/usr/src/sys/dev/pci/if_bge.c:2472: error: stray '\231' in program
/usr/src/sys/dev/pci/if_bge.c:2472: error: `bge_txcnt' undeclared (first use in this function)
/usr/src/sys/dev/pci/if_bge.c:2472: error: (Each undeclared identifier is reported only once
/usr/src/sys/dev/pci/if_bge.c:2472: error: for each function it appears in.)
*** Error code 1
Stop in /usr/src/sys/arch/amd64/compile/GENERIC.MP (line 2517 of Makefile).
I guess they're meant to be used on -current? Regards, Doichin
Re: Strange em(4) issues
Stuart Henderson wrote:
gmane mangled them; mv the .orig files back and try these - http://marc.info/?m=119616849501476 http://marc.info/?m=119616948702986 the diffs are made against -current but probably work with stable too.
Yup, you're right! Everything compiled fine. Will load the new kernel in several hours. Thanks again! Doichin
On 2007/11/29 23:53, NetOne - Doichin Dokov wrote: NetOne - Doichin Dokov wrote:
dmesg bge(4) timeouts which happen from time to time:
bge0: watchdog timeout -- resetting
bge1: watchdog timeout -- resetting
mickey posted some diffs on tech@ relating to watchdog problems with bge and em, they might be worth a look.
Are these what you're talking about, or were there any subsequent patches I could not find:
http://article.gmane.org/gmane.os.openbsd.tech/14133
http://article.gmane.org/gmane.os.openbsd.tech/14134
Those patches apply cleanly on 4.2-stable, but I get compile errors when trying to build the kernel:
cc -Werror -Wall -Wstrict-prototypes -Wmissing-prototypes -Wno-uninitialized -Wno-format -Wno-main -Wno-sign-compare -Wstack-larger-than-2047 -mcmodel=kernel -mno-red-zone -fno-strict-aliasing -mno-sse2 -mno-sse -mno-3dnow -mno-mmx -msoft-float -fno-builtin-printf -fno-builtin-log -fno-omit-frame-pointer -O2 -pipe -nostdinc -I. -I/usr/src/sys/arch/amd64/compile/GENERIC.MP/../../../.. -I/usr/src/sys/arch/amd64/compile/GENERIC.MP/../../../../arch -DDDB -DDIAGNOSTIC -DKTRACE -DACCOUNTING -DKMEMSTATS -DPTRACE -DCRYPTO -DSYSVMSG -DSYSVSEM -DSYSVSHM -DUVM_SWAP_ENCRYPT -DCOMPAT_35 -DCOMPAT_43 -DLKM -DFFS -DFFS2 -DFFS_SOFTUPDATES -DUFS_DIRHASH -DQUOTA -DEXT2FS -DMFS -DXFS -DTCP_SACK -DTCP_ECN -DTCP_SIGNATURE -DNFSCLIENT -DNFSSERVER -DCD9660 -DUDF -DMSDOSFS -DFIFO -DPORTAL -DINET -DALTQ -DINET6 -DIPSEC -DPPP_BSDCOMP -DPPP_DEFLATE -DMROUTING -DBOOT_CONFIG -DUSER_PCICONF -DAPERTURE -DPCIVERBOSE -DUSBVERBOSE -DWSDISPLAY_COMPAT_USL -DWSDISPLAY_COMPAT_RAWKBD -DWSDISPLAY_DEFAULTSCREENS=6 -DWSDISPLAY_COMPAT_PCVT -DONEWIREVERBOSE -DMULTIPROCESSOR -DMPBIOS -D_KERNEL -Damd64 -Dx86_64 -c /usr/src/sys/arch/amd64/compile/GENERIC.MP/../../../../dev/pci/if_bge.c
/usr/src/sys/dev/pci/if_bge.c: In function `bge_txeof':
/usr/src/sys/dev/pci/if_bge.c:2472: error: stray '\231' in program
/usr/src/sys/dev/pci/if_bge.c:2472: error: `bge_txcnt' undeclared (first use in this function)
/usr/src/sys/dev/pci/if_bge.c:2472: error: (Each undeclared identifier is reported only once
/usr/src/sys/dev/pci/if_bge.c:2472: error: for each function it appears in.)
*** Error code 1
Stop in /usr/src/sys/arch/amd64/compile/GENERIC.MP (line 2517 of Makefile).
I guess they're meant to be used on -current? Regards, Doichin
Re: Strange em(4) issues
Stuart Henderson wrote:
On 2007/11/29 23:25, NetOne - Doichin Dokov wrote: First, thanks for the prompt reply!
No problem, if I can save someone else the night I had in a cold datacentre working it out, some good came out of it :-)
Nope, I'm not:
# netstat -in
Name  Mtu   Network       Address            Ipkts     Ierrs  Opkts     Oerrs  Colls
{snip}
bge0  1500  Link          00:30:48:57:c3:80  44867924  39723  42574046  1      0
bge0  1500  213.137.48.   213.137.48.1       44867924  39723  42574046  1      0
bge0  1500  fe80::%bge0   fe80::230:48ff:fe  44867924  39723  42574046  1      0
bge1  1500  Link          00:30:48:57:c3:81  45170081  33204  42551236  1      0
bge1  1500  fe80::%bge1   fe80::230:48ff:fe  45170081  33204  42551236  1      0
Despite seeing Ierrs, I do not see any performance and connectivity issues. What exactly does lead to having input errors on the bge(4)s? I mean, would they be usable for what I will need the two more ports for?
I don't know what leads to them, but it's not cable/switch, I have tried numerous alternatives. I was running OSPF with fairly short timers over those interfaces, and had a lot of instability until I swapped over to em/sk cards. Most protocols are able to handle delays/loss a lot better than OSPF though.
This machine is soon going to have a twin to be backed up with CARP, and I need the two additional interfaces on each of them for: 1) One interface for cross-connecting the machines to do pfsync
Beware split routing; if you only have one active set of BGP sessions (i.e. active/passive with 'depend on carpXX') there's no problem of that kind, but if you have live sessions on both boxes, you'll find that pfsync isn't designed to handle the case where inbound traffic goes one way, and outbound traffic the other, so you run into problems with stateful filtering (sequence number mismatch and maybe there were wscale problems too).
mickey posted some diffs on tech@ relating to watchdog problems with bge and em, they might be worth a look.
Are these what you're talking about, or were there any subsequent patches I could not find: http://article.gmane.org/gmane.os.openbsd.tech/14133 http://article.gmane.org/gmane.os.openbsd.tech/14134
Yes, those ones. Alternatively it may be a problem with interrupt routing (the fix for that on many machines is to enable acpi to set up interrupts according to the AML from the BIOS - this is more likely to have correct information than other methods of interrupt setup on newer machines, this is a large part of the reason for the ACPI work that has been happening in -current). While you build, don't forget this patch if you will use pfsync: ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.2/common/004_pf.patch
Again, thank you very much for the help. I highly appreciate it. $30 will be donated to the OpenBSD foundation, plus another copy of the 4.2 CD set bought (we'll need one for the new machine, no? :D).
That's nice, thank you :-)
I've now switched the PCI-X slot to 64-bit / 66 MHz, and also applied the watchdog fix patches for em(4) and bge(4) to the kernel. The pf patch was already applied when it came out several days ago, just the system had still not been rebooted, as I do not use pfsync for now. Thanks for the hint, anyway. I'm still running with ACPI disabled, will see how far it would go and enable it if needed. Are there any performance penalties / boosts from using ACPI? Thanks again. Doichin
Monitoring OpenBGPD through SNMP
Hi all,

In the past we used a Net-SNMP extension script to remotely monitor our quagga routers. Now that we use OpenBGPD, we needed to do the same. I could not find any work done on this matter through googling and searching the archives, so I took the script we used for quagga and changed it to work with OpenBGPD. In case anyone needs it, it's available here: http://mirror.net1.cc/projects/openbgpd-snmp/

Any feedback, comments, suggestions are highly welcome!

Regards,
Doichin
Re: Getting CPU stats with SNMP
Insan Praja SW wrote:

On Tue, 27 Nov 2007 02:42:39 +0700, NetOne - Doichin Dokov [EMAIL PROTECTED] wrote:

It seems net-snmp gives wrong data about CPU usage on OpenBSD. This is the data that I get (I've snipped some irrelevant OIDs):

# snmpwalk -v2c -c community localhost .1.3.6.1.4.1.2021.11
UCD-SNMP-MIB::ssCpuUser.0 = INTEGER: 0
UCD-SNMP-MIB::ssCpuSystem.0 = INTEGER: 0
UCD-SNMP-MIB::ssCpuIdle.0 = INTEGER: 0
UCD-SNMP-MIB::ssCpuRawUser.0 = Counter32: 1196105427
UCD-SNMP-MIB::ssCpuRawNice.0 = Counter32: 386973
UCD-SNMP-MIB::ssCpuRawSystem.0 = Counter32: 1179540172
UCD-SNMP-MIB::ssCpuRawIdle.0 = Counter32: 1196105427
UCD-SNMP-MIB::ssCpuRawWait.0 = Counter32: 0
UCD-SNMP-MIB::ssCpuRawKernel.0 = Counter32: 1
UCD-SNMP-MIB::ssCpuRawInterrupt.0 = Counter32: 1179540171

These are the same counters, but after some minutes:

# snmpwalk -v2c -c community localhost .1.3.6.1.4.1.2021.11
UCD-SNMP-MIB::ssCpuUser.0 = INTEGER: 0
UCD-SNMP-MIB::ssCpuSystem.0 = INTEGER: 0
UCD-SNMP-MIB::ssCpuIdle.0 = INTEGER: 0
UCD-SNMP-MIB::ssCpuRawUser.0 = Counter32: 1196105547
UCD-SNMP-MIB::ssCpuRawNice.0 = Counter32: 633528
UCD-SNMP-MIB::ssCpuRawSystem.0 = Counter32: 1179540175
UCD-SNMP-MIB::ssCpuRawIdle.0 = Counter32: 1196105547
UCD-SNMP-MIB::ssCpuRawWait.0 = Counter32: 0
UCD-SNMP-MIB::ssCpuRawKernel.0 = Counter32: 4
UCD-SNMP-MIB::ssCpuRawInterrupt.0 = Counter32: 1179540171

The SNMP data shows lots of NICE activity and nothing for interrupts. At the same time, top reports this:

CPU0 states: 0.6% user, 0.0% nice, 1.0% system, 32.9% interrupt, 65.5% idle

The SNMP counters seem completely irrelevant to CPU usage.

Here's another example of two consecutive snmpwalks, executed right after each other:

# snmpwalk -v2c -c community localhost .1.3.6.1.4.1.2021.11
UCD-SNMP-MIB::ssCpuUser.0 = INTEGER: 0
UCD-SNMP-MIB::ssCpuSystem.0 = INTEGER: 0
UCD-SNMP-MIB::ssCpuIdle.0 = INTEGER: 0
UCD-SNMP-MIB::ssCpuRawUser.0 = Counter32: 1196105672
UCD-SNMP-MIB::ssCpuRawNice.0 = Counter32: 890340
UCD-SNMP-MIB::ssCpuRawSystem.0 = Counter32: 1179540175
UCD-SNMP-MIB::ssCpuRawIdle.0 = Counter32: 4294865120
UCD-SNMP-MIB::ssCpuRawWait.0 = Counter32: 0
UCD-SNMP-MIB::ssCpuRawKernel.0 = Counter32: 0
UCD-SNMP-MIB::ssCpuRawInterrupt.0 = Counter32: 1297536800

# snmpwalk -v2c -c community localhost .1.3.6.1.4.1.2021.11
UCD-SNMP-MIB::ssCpuUser.0 = INTEGER: 0
UCD-SNMP-MIB::ssCpuSystem.0 = INTEGER: 0
UCD-SNMP-MIB::ssCpuIdle.0 = INTEGER: 100
UCD-SNMP-MIB::ssCpuRawUser.0 = Counter32: 65536
UCD-SNMP-MIB::ssCpuRawNice.0 = Counter32: 0
UCD-SNMP-MIB::ssCpuRawSystem.0 = Counter32: 1297536800
UCD-SNMP-MIB::ssCpuRawIdle.0 = Counter32: 4294865120
UCD-SNMP-MIB::ssCpuRawWait.0 = Counter32: 0
UCD-SNMP-MIB::ssCpuRawKernel.0 = Counter32: 0
UCD-SNMP-MIB::ssCpuRawInterrupt.0 = Counter32: 1297536800

Counters are completely irrelevant, look at ssCpuRawUser and ssCpuRawNice. Am I doing something wrong? What is the proper way to get CPU stats off OpenBSD with net-snmp? I know the ticks are 10 000 by default on OpenBSD, so I'm dividing the values accordingly, but still I don't get proper stats. Anyone any ideas?

Regards,
Doichin

# uname -a
OpenBSD host.name.com 4.2 GENERIC.MP#0 amd64

Hi,

You should really check out this site: http://www.packetmischief.ca/openbsd/snmp/

Cool..

cu,
Insan

Yup, I am using the patched net-snmp and am producing nice graphs with the pf stats I need. Still no clue about how to get the CPU data, though. Looking at the added OPENBSD-* MIBs, I don't see anything CPU related. Am I missing something?

Regards,
Doichin
Re: How do you start a non-standard daemon/program near end of boot?
Rob Lytle wrote:

Hi, I've read all the relevant boot and rc type manuals and they only give a vague reference to starting programs with rc.local or rc.conf.local. I want to start wpa_supplicant and I haven't seen any variables for doing it. Some OSes have the /usr/local/etc/rc.d directory for such purposes.

Thanks,
Rob

Just add arbitrary commands to /etc/rc.local - it is executed at the end of the boot process.
Re: Traffic accounting software
Yuri Spirin wrote:

I need the following features:
- counting all traffic going in/out of the ISP interface;
- web interface/gui client;
- reports by day/week/month/custom total traffic in/out;

These ones could be done with SNMP and Cacti - www.cacti.net

Regards,
Doichin
Re: Ideas about bidirectional traffic shaping
Ivo Chutkin wrote:

Hello to all here,

I would be grateful if you share your ideas and experience with me. The problem is not related to OpenBSD as I do not use it yet in a production environment, but I plan to go over to it as soon as I finish my tests and feel comfortable with it. :-) Actually the developers have done a great job, thanks and keep up the good work.

I work for a small ISP with clients over metro links. The problem is that I could not get outgoing traffic (from my clients to the Internet) shaped the correct way. I have 4 bgp sessions with different transit providers on 4 different interfaces, so sometimes I see outgoing traffic loads by a single client over all 4 links which is 4 times what this client should get :-(

Is there a way to shape the outgoing traffic, for example, to a total of 5Mbps to a single client no matter which interface he uses to exit? Something like a combined queue... not 5Mbps per interface. I was thinking about creating a loopback interface for each client and putting queues on it and redirecting all traffic through it. Is there a point doing this? Currently it is a single router setup.

I hope I made it somehow clear. If you need additional info just let me know.

Thanks for your time,
Ivo

This is how we do it:

* all external links go over ONE physical interface, and each BGP session to each provider is on a different VLAN, but on the very same physical interface
* as ALTQ works on physical interfaces, not vlans, we assign the queues on the physical interface that all VLANs to our carriers are configured on
* all VLANs are assigned to group uplinks (or whatever you choose)
* traffic is fed into queues from pf with rules like these: pass out on $ext_group_name from $client_ip to any queue $client_queue_out , where $ext_group_name is uplinks or whatever you've chosen, and $client_queue_out is a queue configured with altq on the physical interface
* voila, it works!

You should, though, keep in mind that states are kept on the establishment of the connection (flags S/SA), so you effectively need 4 rules (yes, four) to match all of the clients' inbound/outbound traffic. Something like this:

pass in on $ext_group_name from any to $client_ip queue $client_queue_out
pass out on $ext_group_name from $client_ip to any queue $client_queue_out
pass in on $int_if from $client_ip to any queue $client_queue_in
pass out on $int_if from any to $client_ip queue $client_queue_in

That's because each state can shape effectively only one direction of the connection, thus we need states created on both interfaces.

If you need further help, don't hesitate to contact me.

Regards,
Doichin
Re: Ideas about bidirectional traffic shaping
Stuart Henderson wrote:

On 2007/11/20 18:30, NetOne - Doichin Dokov wrote:

pass in on $ext_group_name from any to $client_ip queue $client_queue_out
pass out on $ext_group_name from $client_ip to any queue $client_queue_out
pass in on $int_if from $client_ip to any queue $client_queue_in
pass out on $int_if from any to $client_ip queue $client_queue_in

queues on different interfaces can have the same name; this simplifies your ruleset considerably.

Dunno if they can, but - if they do - I don't see how it would help in this case. Maybe I'm just dumb, would appreciate it if you shed some light on this.

Regards,
Doichin
Re: PF/ALTQ problem : using max states limits breaks queueing
Henning Brauer wrote:

* NetOne - Doichin Dokov [EMAIL PROTECTED] [2007-11-07 01:57]:

Hello, I have an OpenBSD 4.2 box set up to shape clients' traffic. Each client gets limited by these 4 rules:

pass in on $int_if from $client_ip to any queue client_in
pass out on $int_if from any to $client_ip queue client_out
pass in on $ext_if from any to $client_ip queue client_out
pass out on $ext_if from $client_ip to any queue client_in

Everything works fine. I now want to limit max states created by each client in each direction to 300, so I modified the rules to be:

pass in on $int_if from $client_ip to any (max 300) queue client_in

when a packet matches this rule, but there are already 300 states from this rule, the result is a non-match. you need to decide what to do with excess states and put rules in. it could be sth like

block from $a to $b
pass from $a to $b keep state (max 300)

to block 'em.

Yup, I guessed I was wrong with something :) Thank you very much for the clarification. I'll test and report back later. I guess if it is this way, though, the documentation needs to be fixed. That's what the FAQ says here: http://www.openbsd.org/faq/pf/filter.html#stateopts

max /number/ Limit the maximum number of state entries the rule can create to /number/. If the maximum is reached, packets that would normally create state are *dropped* until the number of existing states decreases.

Regards,
Doichin

P.S. Henning Brauer: I first submitted this message directly to you instead of misc@, please excuse me for getting this twice.
Re: PF/ALTQ problem : using max states limits breaks queueing
NetOne - Doichin Dokov wrote:

Because I have no explicit block for traffic on top of the ruleset (because this machine is merely used for routing/shaping only), doing this achieves what I want:

block on $if from $a to $b flags any
pass on $if from $a to $b keep state (max 300) queue $queue

Though, I still see some unexpected behavior, e.g. doing this after loading the ruleset:

echo set limit states 10 | pfctl -mf -

seems to again make the traffic not limited (dunno why), but

pfctl -F all -f /etc/pf.conf

fixed it.
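The shaping setup from the "bidirectional traffic shaping" thread (queues on the physical uplink interface, four rules per client) and the block/pass pattern for excess states from this thread, combined in one pf.conf fragment. This is an added example written for this page, not configuration from any of the posters; the interface names, the "uplinks" group, the bandwidths and the client address are assumptions.

```pf
# Added example, not from the thread. Assumed layout: the BGP uplink VLANs
# vlan10 and vlan20 ride on physical bge0 and are members of interface group
# "uplinks"; customers sit behind bge1; 192.0.2.10 is a constructed client IP.
ext_phy   = "bge0"
int_if    = "bge1"
client_ip = "192.0.2.10"

# ALTQ shapes on the physical interface, so one queue on bge0 covers every
# uplink VLAN: the client's upload is capped at 5Mb in total, not per link.
altq on $ext_phy cbq bandwidth 100Mb queue { std_up, client_up }
queue std_up bandwidth 95Mb cbq(default)
queue client_up bandwidth 5Mb

# The download direction is shaped where it leaves towards the client.
altq on $int_if cbq bandwidth 100Mb queue { std_down, client_down }
queue std_down bandwidth 95Mb cbq(default)
queue client_down bandwidth 5Mb

# Catch-all blocks come first (last matching rule wins), so packets that the
# (max 300) pass rules no longer match are dropped instead of falling through
# to whatever else is in the ruleset, unqueued.
block from $client_ip to any
block from any to $client_ip

# Four rules, as in the thread: the state is created by the first packet on
# whichever interface sees it, and "queue" names the queue on the interface
# the packet leaves through, so each direction needs a rule on both sides.
pass in  on $int_if from $client_ip to any keep state (max 300) queue client_up
pass out on uplinks from $client_ip to any keep state (max 300) queue client_up
pass in  on uplinks from any to $client_ip keep state (max 300) queue client_down
pass out on $int_if from any to $client_ip keep state (max 300) queue client_down
```

Only the rules for this one client are shown; the rest of the ruleset, and any rules for traffic that should not be shaped, go around this fragment as usual.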
Re: avail mem is only 66% of real mem
Wade, Daniel wrote:

Any guess as to why I'm losing about 33% of my RAM? When you are only working with 32MB to start with every little bit counts.

Thanks

snip

Maybe you have an onboard video, which uses RAM for video RAM? Look at the BIOS settings.
Re: carp ip loadbalancing bug ?
holger glaess wrote:

hi

i did the carp ip loadbalancing setup as described in the man page. is there a known issue? maybe carp ip loadbalancing has problems with /22 networks?

CARP loadbalancing by IP requires that your switch sends traffic to the common CARP IP to BOTH of your machines, otherwise it's not gonna work as assumed. ARP loadbalancing does not require this, but there's no other way to achieve this when you want to use IP loadbalancing.