Re: OpenBGP - Saving Restoring routes, possible?

2008-02-18 Thread NetOne - Doichin Dokov

Eduardo Meyer wrote:

Hello,

I have set up OpenBGP doing full routing with 3 other peers, so I get
around 240k routes from each peer. But if for some reason I have to
restart bgpd, it takes up to 5 minutes until I have all routes updated
again.

Is there a way to save and later restore the RIB/FIB tables?

Since the only problem on commodity hardware is the moving parts, I
am also setting up a SPARE router with carp, so if one goes down, the
spare will take over. But resyncing the tables is, again, a reason for
higher downtime. So if I could save the tables on one machine and
restore them on the other, that would be great.

Can I do this?
If you search back through the mailing list archive, you'll find some setups
I've proposed which do exactly that - CARPed BGP routers with no downtime for
a full BGP refresh.
About your idea of saving / restoring routes - the very prime idea of BGP
is just that - to NOT save routes, but to distribute them.


Kind regards,
Doichin



Re: harddisk impact on routing firewall performance/throughput

2008-02-12 Thread NetOne - Doichin Dokov

Darren Spiteri wrote:

On Feb 13, 2008 11:08 AM, Ted Unangst [EMAIL PROTECTED] wrote:
  

On 2/12/08, Darren Spiteri [EMAIL PROTECTED] wrote:


This is irrelevant on a firewall/router.


Sorry, you are wrong. I can achieve much higher throughput per
connected state by tweaking recvspace and sendspace.
  

then your firewall isn't just a firewall or your measurements were
done incorrectly.




I don't know why or how this poorly documented sysctl works, but the
result speaks for itself. Note the dramatic throughput increase of the
parent.

Could we have a look at those numbers, in fact?



Re: OpenBSD as Xen domU

2008-02-08 Thread NetOne - Doichin Dokov

ropers wrote:

On 07/02/2008, NetOne - Doichin Dokov [EMAIL PROTECTED] wrote:
  

NetOne - Doichin Dokov wrote:


I'm trying to use Christopher's work, but I get the following errors
when I try to make depend a xenU kernel:
(...)
Anyone any hints? Is it meant to be run on -current (I see the last
changes in the hg are from 8 months ago, but...)? Or do I need to
compile it under an i386 kernel (I'm currently trying with an amd64 one)?
# uname -a
OpenBSD border2.net1.cc 4.2 GENERIC.MP#1 amd64

Any help MUCH appreciated!

Kind regards,
Doichin

  

Guess that counts as cross-compiling, so the answer is yes - I need an
i386 kernel to compile this. Sorry for the fuss...



Yes. The port is i386 and sadly it never got much traction within the
OpenBSD project, which --this is just my hunch-- may have led
Christoph to unfortunately focus on other stuff instead of keeping
current a port that the project seems to be lukewarm for at best. I'm
not sure what OpenBSD version the currently available revision of the
port targets -- possibly 4.0 or 4.1. If you want to go anywhere with
this it would probably be best to google Christoph Egger's email
address (it's out there). He can give you the real deal straight from
the horse's mouth. If you use Christoph's port, I would be very
interested in hearing about it. -- Maybe others, too. Maybe you could
post to [EMAIL PROTECTED]

Thanks and regards,
--ropers
  
Yup, I have successfully compiled the XENU kernel. I don't know which 
version it is either, but it's 8 months old; I believe it was based on -current.

The bad thing is that - when I try to run it with Xen, I get this:
[EMAIL PROTECTED] xen]# xm create -c /etc/xen/net1-obsd.xm
Using config file /etc/xen/net1-obsd.xm.
Error: (22, 'Invalid argument')

As far as I got googling info about this error, it's something PAE 
related - my Xen dom0 is PAE enabled I think (I'm not very much into 
Linux, but I have HIGHMEM_64G defined, and PAE is present in 
/proc/cpuinfo).
Seems like the OpenBSD XENU kernel is not (or vice versa - dom0 is 
non-PAE and the OpenBSD kernel is PAE-enabled). In FreeBSD there's a 
PAE option in the kernel config, but I don't find one in the 
OpenBSD configs (I did not have enough time to investigate this, though, 
so I might have overlooked it).


I'm using Xen 3.0.x, and my net1-obsd.xm config is:
=
name = net1-obsd
memory = 256
disk = [ 'phy:/dev/mirror/fc1,sda1,w' ]
vif = [ 'mac=00:16:3e:1b:04:c9, bridge=xenbr0' ]
vnc=1
vncunused=1
vcpus=2
kernel = "/boot/openbsd-xenu"
extra = "boot_verbose,boot_single,vfs.root.mountfrom=ufs:/dev/md0,kern.hz=100"

on_reboot   = 'restart'
on_crash= 'restart'
==

Maybe it's best to contact Christoph directly, but I don't know if he 
still works on this project (the hg repository seems dead for the last 8 
months), and I don't want to annoy him if not needed, so if anyone has 
any ideas how to proceed with this, I would be grateful to receive their 
opinion & knowledge.


Kind regards,
Doichin



Re: OpenBSD as Xen domU

2008-02-07 Thread NetOne - Doichin Dokov

ropers wrote:

You can use Christoph Egger's OpenBSD/Xen port. No need to go
HVM-only. Unfortunately, my own website is down right now and I
haven't gotten around to fixing that, but the Wayback Machine has the
relevant page:
http://web.archive.org/web/20070403174105/http://ropersonline.com/openbsd/xen/

Also, search the misc archives. This question crops up fairly
regularly, and each time most people don't seem to know of Christoph
Egger's port (and each time I then try to tell people about it again
-- if I catch the message, but I don't always do and sometimes things
fall through the cracks here).

Thanks and regards,
--ropers

On 07/02/2008, John Jackson [EMAIL PROTECTED] wrote:
  

OpenBSD as DomU works using hardware virtualization for me.  There's
the occasional lockup that I haven't looked into too much.  You can
launch vncviewer to get a console.  My working config is at the bottom.

John

On Wed, Feb 06, 2008 at 11:55:05PM +0100, Julien Cabillot wrote:


It works but I had really bad performance with the network (timeout on
the interface re).
Dmesg: http://www.openbsd-france.org/ml/archives/msg02494.html

  

I found that setting the vif interface to 'model=ne2k_pci' helps with
the timeouts.



On jeu, 2008-02-07 at 00:29 +0200, NetOne - Doichin Dokov wrote:
  

I'm looking to replace a Linux domU with a BSD one, preferably OpenBSD.
Anyone any success running stable OpenBSD (FreeBSD would also suffice)
as domU in a Xen system? If so, willing to share config / how-to /
experience?

Kind regards,
Doichin


Here's a working Xen config:
=
import os, re
arch = os.uname()[4]
if re.search('64', arch):
arch_libdir = 'lib64'
else:
arch_libdir = 'lib'
kernel = "/usr/lib/xen/boot/hvmloader"
builder='hvm'
memory = 256
name = "obsd"
pae=0
vif = [ 'type=ioemu, mac=00:16:3e:7d:be:ef, model=ne2k_pci' ]
disk = [ 
'file:/disk/homer.disk,hda,w','file:/disk/obsd42_amd64.iso,ioemu:hdc:cdrom,r' ]
device_model = '/usr/' + arch_libdir + '/xen/bin/qemu-dm'
boot='cd'
sdl=0
vnc=1
vncviewer=0
nographic=0
stdvga=0
serial='pty'
ne2000=1
audio=0
localtime=1


I'm trying to use Christopher's work, but I get the following errors 
when I try to make depend a xenU kernel:


In file included from /usr/src/openbsd-xen-sys.hg/arch/xen/i386/machdep.c:129:
/usr/src/openbsd-xen-sys.hg/dev/isa/isavar.h:138:33: machine/isa_machdep.h: No such file or directory

In file included from /usr/src/openbsd-xen-sys.hg/arch/xen/i386/npx.c:66:
/usr/src/openbsd-xen-sys.hg/dev/isa/isavar.h:138:33: machine/isa_machdep.h: No such file or directory


It does complete, though. But when I try to make the kernel, I get 
*lots* of errors, starting with these:

/usr/src/openbsd-xen-sys.hg/arch/xen/i386/locore.s: Assembler messages:
/usr/src/openbsd-xen-sys.hg/arch/xen/i386/locore.s:334: Error: suffix or operands invalid for `push'
/usr/src/openbsd-xen-sys.hg/arch/xen/i386/locore.s:335: Error: suffix or operands invalid for `popf'
/usr/src/openbsd-xen-sys.hg/arch/xen/i386/locore.s:472: Error: `(((1+2)* (112)))(%esi,%ecx,4)' is not a valid 64 bit base/index expression
/usr/src/openbsd-xen-sys.hg/arch/xen/i386/locore.s:479: Error: `(%ebx)' is not a valid 64 bit base/index expression
/usr/src/openbsd-xen-sys.hg/arch/xen/i386/locore.s:485: Error: `(0x0001|0x0002)(%edx)' is not a valid 64 bit base/index expression
/usr/src/openbsd-xen-sys.hg/arch/xen/i386/locore.s:486: Error: `(%ebx)' is not a valid 64 bit base/index expression
/usr/src/openbsd-xen-sys.hg/arch/xen/i386/locore.s:491: Error: `(%ebx)' is not a valid 64 bit base/index expression
/usr/src/openbsd-xen-sys.hg/arch/xen/i386/locore.s:501: Error: `(%ebx)' is not a valid 64 bit base/index expression
/usr/src/openbsd-xen-sys.hg/arch/xen/i386/locore.s:506: Error: `(%ebx)' is not a valid 64 bit base/index expression
/usr/src/openbsd-xen-sys.hg/arch/xen/i386/locore.s:515: Error: `(((0)* (112))+832*4)(%esi)' is not a valid 64 bit base/index expression


(and many more not in this file only, but also in vector.s, spl.s, mutex.S)

Anyone any hints? Is it meant to be run on -current (I see the last 
changes in the hg are from 8 months ago, but...)? Or do I need to 
compile it under an i386 kernel (I'm currently trying with an amd64 one)?

# uname -a
OpenBSD border2.net1.cc 4.2 GENERIC.MP#1 amd64

Any help MUCH appreciated!

Kind regards,
Doichin



Re: OpenBSD as Xen domU

2008-02-07 Thread NetOne - Doichin Dokov

NetOne - Doichin Dokov wrote:

Anyone any hints? Is it meant to be run on -current (I see the last 
changes in the hg are from 8 months ago, but...)? Or do I need to 
compile it under an i386 kernel (I'm currently trying with an amd64 one)?

# uname -a
OpenBSD border2.net1.cc 4.2 GENERIC.MP#1 amd64

Any help MUCH appreciated!

Kind regards,
Doichin

Guess that counts as cross-compiling, so the answer is yes - I need an 
i386 kernel to compile this. Sorry for the fuss...




OpenBSD as Xen domU

2008-02-06 Thread NetOne - Doichin Dokov
I'm looking to replace a Linux domU with a BSD one, preferably OpenBSD. 
Anyone any success running stable OpenBSD (FreeBSD would also suffice) 
as domU in a Xen system? If so, willing to share config / how-to / 
experience?


Kind regards,
Doichin



Re: 3G/UMTS/HSDPA: best device(s)

2008-02-04 Thread NetOne - Doichin Dokov

Jacob Yocom-Piatt wrote:
am looking for a device that works with openbsd and will give 
broadband internet over cellular networks. it would be preferable 
that this device work in most of the jurisdictions listed in


http://www.wireless.att.com/learn/international/dataconnect-global.jsp

i am not sure about the extent of the support here and see that a 
number of devices are supported but advice on which gets best 
performance / coverage would be appreciated. if there are phones that 
can provide the service, i welcome those recommendations as well.


cheers,
jake

Have a look at www.2n.cz and www.topex.ro; both companies are well 
known for their 3G routers.




Re: openBSD 4.2 and LSI raid

2008-01-29 Thread NetOne - Doichin Dokov

Rami Sik wrote:

Yes, I first started by setting up the raid and installing openBSD on
top of it. All was fine until one of the disks failed. Then, I replaced
the failed disk and tried to re-initiate the raid (mirroring), where I got
stuck since the raid controller did not like the partitioning.

However, I advanced one step further now: If you use fdisk to assign a
different id to the openBSD partition (like 83 as suggested by Sun for
the Linux installs), the raid controller seems to start mirroring your disk
to the second one. However, when you change your partition id from the
default value of A6 to 83, openBSD could not boot. So, I am planning to
play with the partition id so that I can set up the mirroring through the
LSI raid controller. Once it is done, I will revert the partition id
back to its default value of A6. Then I will see if mirroring still
works, and boots off of the second disk!


Rami Sik
  
The RAID controller *should not* care about partitions at all - WTF?! 
Its job is to duplicate the data and present the disks as one logical 
unit to the OS, and nothing more. Are you sure that is your problem?

-Original Message-
From: J.C. Roberts [mailto:[EMAIL PROTECTED]
Sent: January 29, 2008 1:13 PM
To: Rami Sik
Cc: misc@openbsd.org
Subject: Re: openBSD 4.2 and LSI raid

On Monday 28 January 2008, Rami Sik wrote:
  

I did some research and found a similar problem already reported for
Linux installations, and Sun released a workaround for it. However, I
cannot find anything about openBSD installations.



At present, I've got two LSI RAID controllers here running OpenBSD
(MegaRAID 150-6 SATA and MegaRAID i4 PATA).

Though I don't know about your specific controller (1030), the normal
answer is to create your logical drive in the controller setup and
*THEN* install the operating system.

From your description, it seems you're doing things backwards, namely
installing the OS on one drive and then trying to create a mirror.

-jcr




Re: looking for openbsd friendly server vendor

2008-01-28 Thread NetOne - Doichin Dokov

Lord Sporkton wrote:

Perhaps i was wrong but i thought openbsd was only 32 bit for now?
Yup, you're wrong. There's an amd64 port, which runs fine on all x86 64-bit 
CPUs.




Re: Can an SSH alternative to WebDav be use on OpenBSD

2008-01-24 Thread NetOne - Doichin Dokov

Daniel Ouellet wrote:

Thanks Thomas,

But that solution is to be installed on a Windows server, which I 
killed years ago, and I am not going back.


http://www.webdrive.com/products/webdrive/sysreq.html

I sure appreciate your suggestion and time however.

Thanks

Daniel


Thomas Althoff wrote:

www.webdrive.com

WebDrive has built-in support for the industry standard SSL protocol.
When used in conjunction with secure WebDAV, FTP, FTPS, or SFTP servers,
WebDrive will open an encrypted tunnel between the client computer and
the remote server; giving you secure transmission of critical data over
the Internet. WebDrive can also be used as an alternative to a corporate
VPN. Install the WebDrive client and an SSL enabled server, and WebDrive
can act as the VPN for your company; an efficient alternative to an
expensive VPN and non-secure FTP client connections



-Thomas
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Daniel Ouellet
Sent: den 24 januari 2008 23:59
To: misc@openbsd.org
Subject: OT: Can an SSH alternative to WebDav be use on OpenBSD

Hi,

I need some possible suggestions, if I may ask, to not set up, or have to
set up, WebDav on OpenBSD to allow users to do their web folder stuff. It
can be set up with ftp for example to allow them to map a folder in their
network places on XP for example, but then they can't do the stupid
"save as", and just for that, they want to use WebDav. However, then
it needs to allow write access via http and the full load of issues that
could come with that when combined with php, etc.

I only allow ssh access and in very special cases I have accepted ftp
from specific locations controlled via PF, but because of the stupid "save
as", they are screaming for WebDav, or mod_dav, which I really would like
to avoid totally.

I just don't see the benefit worth the risk required to allow it.

Maybe I am wrong and someone could enlighten me, which I would very much
appreciate, but again, maybe there is an alternative using SSH that I
do not know.

I provided WinSCP years ago and it sure works well, plus I can control
access via ssh with PF too, which I would lose introducing WebDav.

I hate all these users that can only work using a GUI-like interface all
the time and feel they need everything to be done via http.

Can anyone provide me some ideas, or alternatives here, as I am running
out of them, and being viewed as the asshole that always refuses flexibility
for security is fine, but maybe there is something I can do to keep it
safe and give the whiners a bone.

I hate the Microsoft-centric biased users that care less for security, but
would also be the first to scream should there be a compromise too.

Any suggestions here?

Sorry for the somewhat off topic question, but I need suggestions if
there are any.

Best,

Daniel.


I really didn't fully understand you - do you want to allow FTP 
access or not, and why are clients not able to "save as" when using it? Do you 
mean that they need it mapped as a network drive? If so, they can use 
something like this:

http://www.acs.uwosh.edu/novell/netdrive.htm
to map the FTP account you provide to their own PC as a drive. Then they 
can use whatever they want to read/edit/write stuff.


Sorry for the fuss if I've misunderstood you.

Kind regards,
Doichin



Re: Concurrecnt PPPoE(4)?

2008-01-20 Thread NetOne - Doichin Dokov

Sunnz wrote:

2008/1/21, Sunnz [EMAIL PROTECTED]:
  

route-to
2)
pass out on pppoe1 route-to (pppoe0 (pppoe0:0)) inet from pppoe0:0 to any

3)
pass out on pppoe1 route-to (pppoe0 (pppoe0:0)) inet from pppoe0:0 to any
pass out on pppoe0 route-to (pppoe1 (pppoe1:0)) inet from pppoe1:0 to any

4)
pass out on pppoe1 route-to (pppoe0 (pppoe0:0)) inet from pppoe0:0 to any
pass out on pppoe0 route-to (pppoe1 (pppoe1:0)) inet from pppoe1:0 to any
pass in  on pppoe1 route-to (pppoe0 (pppoe0:0)) inet from any to pppoe0:0
pass in  on pppoe0 route-to (pppoe1 (pppoe1:0)) inet from any to pppoe1:0

2), 3) and 4) work with traceroute and ping from the outside, but not ssh.



Oh, what was I thinking!! it should be like

pass out on pppoe1 route-to (pppoe0 (pppoe0:peer)) inet from pppoe0:0 to any
  ^^

Right?

Ok I just tested that one out as well... does not work either... (with 2,3,4)
  

http://www.openbsd.org/faq/pf/pools.html#outgoing



Re: Reversing audio channels

2008-01-20 Thread NetOne - Doichin Dokov

Antti Harri wrote:

On Sun, 20 Jan 2008, L. V. Lammert wrote:


Ahh, .. swap the speakers or wires??


I still don't understand why such a simple
thing isn't implemented in the software..
Yeah yeah missing the daemon & other crap.

I guess I'll have to swap the places of the speakers, it would
have been better as is and swapped the output of sound card.

It would be better to code what you want, instead of wondering and barking 
here "oh, why is this not done?!".


It would have taken you no more than 10 mins to reverse the cables. Oh - 
you can also try installing Windows and try to switch the channels there 
(and then go complain to Microsoft that you can't).




Re: Reversing audio channels

2008-01-20 Thread NetOne - Doichin Dokov

Antti Harri wrote:

On Sun, 20 Jan 2008, NetOne - Doichin Dokov wrote:

It would have taken you no more than 10 mins to reverse the cables. 
Oh - you can also try installing Windows and try to switch the 
channels there (and then go complain to Microsoft that you can't).


Haahaa. very funny. Now why would I rip a perfectly good cable?
Or why would I waste lots of money on new speakers?

Did I say to rip the cable? Grab a male and a female connector, 
cross-connect them, and you're done.

Are you trying to say that OpenBSD's sound card support rocks
and kicks ass? Do some research, even the devs acknowledge
that it is not the best in the world.


Am I? I'm writing in English, would you mind reading my statement again?

Don't get me wrong, I appreciate their code and effort,
it's idiots like you that I hate.
Idiots are people that tend to classify other people without knowing 
anything about them. Now, read again and see who does that.


PS. A small adapter that switches the cables would be okayish.
See? You've got the solution by yourself. But waaait, it was a hell of a 
lot better to bark on the mailing list calling people names, wasn't it?


Still wishing you the best,
the Idiot



Re: Concurrecnt PPPoE(4)?

2008-01-19 Thread NetOne - Doichin Dokov

Sunnz wrote:

Just wondering, has anyone ever used 2 PPPoE(4) connections on one real
interface, and whether it should work or not?

I only have one account with my ISP but they gave me 2 logins, and up to 4
concurrent logins are allowed with their TOS.

My hardware ethernet gem(4) is connected to a modem, with the modem
running in bridge mode.

I was able to establish one pppoe(4) connection with which I can nat
machines behind OBSD to the internet... and also ssh back to OBSD from
the internet.

Modem (Bridge) - OBSD - LAN

But it doesn't work quite the way I wanted when I made 2 pppoe(4)
connections, with hostname.pppoe0 and hostname.pppoe1 under /etc/.

I was able to nat machines behind OBSD with either pppoe0 OR pppoe1.
So as far as nat goes, it is fine.

But I was only able to ssh to pppoe1's IP address from the internet,
but not pppoe0's IP address.

I also attempted to traceroute the 2 IPs from the internet; only
pppoe1's IP works.

It is very surprising as nat works... where the 'response' must make
its way back to pppoe0's IP somehow...

  
You only have one default gateway, so the last pppoe session established 
sets it to its own interface. The behaviour you're observing is 
absolutely normal. You should dig into pf's route-to, packet tagging and 
state-keeping options if you need to ssh back to the machine on both 
interfaces, or do whatever you want _from the machine itself_. There are 
a lot of examples on the net (including one in the PF FAQ if I'm not 
mistaken) on the proper way of setting up several uplinks as you 
want.


Regards,
Doichin



Re: So, is there a sure way to delete a file? (Was Re: UNIX way of undeleting files?)

2008-01-19 Thread NetOne - Doichin Dokov

bofh wrote:

On Jan 19, 2008 1:27 PM, Ted Unangst [EMAIL PROTECTED] wrote:

  

On 1/18/08, bofh [EMAIL PROTECTED] wrote:

I think he means sshd.  And it really doesn't matter, once you make
install, you'll overwrite the vulnerable copy with the new one, and all the
hardlinks won't matter, because they'd be linked to the new file.

except that they won't.  the point of a hard link is it points to the
file, not the name.  it's not a symlink.




I don't get what you're talking about.  If you overwrite the file
(vulnerable sshd) with a new one, the file gets replaced.  All the hardlinks
would point to the new file.

$ uname -a
OpenBSD urd.spidernet.to 4.1 GENERIC#0 i386
$ echo apple > test
$ ln test test2
$ ls -l test*
-rw-r--r--  2 tai  wheel  6 Jan 19 19:43 test
-rw-r--r--  2 tai  wheel  6 Jan 19 19:43 test2
$ cat test test2
apple
apple
$ echo orange > test2
$ cat test
orange
$
  

$ echo apples > apples
$ echo bananas > bananas
$ ln bananas whats_cooking
$ mv bananas oranges
$ echo oranges > oranges
$ cat whats_cooking
oranges
$

$ echo apples > apples
$ echo bananas > bananas
$ ln -s bananas whats_cooking
$ mv bananas oranges
$ cat whats_cooking
cat: whats_cooking: No such file or directory
$ echo bananas > bananas
$ cat whats_cooking
bananas
$

Mmm, yummy! Do you get it now? man ln(1) - it's all there.
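To make the point both sides of this exchange are circling concrete, here is an added shell example (mine, not from any post in the thread) that replays the two cases with throwaway files and adds the check an admin would run before upgrading a binary: which other names share its inode. Writing into the existing file (the echo > test2 case) updates every hard link; install(1) and therefore make install create a fresh file, so a hard-linked copy keeps the old content. All paths and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Reproduces the hard-link behaviour
# discussed above in a temporary directory and shows how to audit for
# stale hard-linked copies before replacing a binary.

# Case 1: write into the existing inode (what "echo orange > test2" did).
# Every hard link sees the new content, because all names share the inode.
demo_overwrite_in_place() {
    d=$(mktemp -d) || return 1
    printf 'vulnerable\n' > "$d/sshd"
    ln "$d/sshd" "$d/sshd.bak"          # second name for the same inode
    printf 'patched\n' > "$d/sshd"      # truncate and rewrite the same inode
    result=$(cat "$d/sshd.bak")         # -> patched
    rm -rf "$d"
    printf '%s\n' "$result"
}

# Case 2: replace the name, as install(1)/make install does. A new file
# (new inode) is created and renamed over the old name, so the hard link
# still points at the old, vulnerable content (Ted's point).
demo_install_replaces() {
    d=$(mktemp -d) || return 1
    printf 'vulnerable\n' > "$d/sshd"
    ln "$d/sshd" "$d/sshd.bak"
    printf 'patched\n' > "$d/sshd.new"  # fresh inode, like install's temp file
    mv "$d/sshd.new" "$d/sshd"          # rename over the old name
    result=$(cat "$d/sshd.bak")         # -> vulnerable
    rm -rf "$d"
    printf '%s\n' "$result"
}

# The defender's check: list every other path under $2 that shares the
# inode of $1. Those are the copies a make install will NOT patch.
# ls -i / find -inum are used so this works on both BSD and GNU userland.
other_links_to() {
    f=$1; root=$2
    ino=$(ls -di "$f" | awk '{print $1}')
    find "$root" -xdev -type f -inum "$ino" ! -path "$f"
}

# Builds a binary with two extra hard-linked names and one symlink, then
# returns how many names other_links_to reports. The symlink is not
# reported: it follows the name, so it will see the new file after install.
audit_before_upgrade_demo() {
    d=$(mktemp -d) || return 1
    printf 'vulnerable\n' > "$d/sshd"
    ln "$d/sshd" "$d/sshd.old"
    mkdir "$d/backup" && ln "$d/sshd" "$d/backup/sshd"
    ln -s "$d/sshd" "$d/sshd.link"
    n=$(other_links_to "$d/sshd" "$d" | wc -l | tr -d ' ')   # -> 2
    rm -rf "$d"
    printf '%s\n' "$n"
}
```

On a real system the audit would be other_links_to /usr/sbin/sshd / (one filesystem at a time because of -xdev), run before the upgrade so the stale copies can be removed or reinstalled too.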



OT: Call for help with fax testing

2008-01-16 Thread NetOne - Doichin Dokov

Hi all,

This is waaay off-topic, but is the most obviuos way for me to seek this 
kind of help. We're currently testing a fax termination system over VoIP 
trunks, and need some test from international numbers (we're located in 
Bulgaria). All I'm asking is, if you are able to - send a fax to 
+359-86-510-214 (this is Bulgarian fixed phone, no premium rates, etc.), 
with something written - no matter what it is - just to see if they are 
correctly received. Please note that this will cost you money - as much 
as it costs you to call a Bulgarian land-line. If anyone can do that, I 
would highly appreciate it - if not - thank you anyways, and - again - 
sorry for the off-topic!


Kind regards,
Doichin Dokov



Re: OpenBSD 4.2 dhcpd(8)

2008-01-16 Thread NetOne - Doichin Dokov

[EMAIL PROTECTED] wrote:

- Original Message - From: Tim Stewart [EMAIL PROTECTED]
To: misc@openbsd.org
Sent: Wednesday, January 16, 2008 9:29 AM
Subject: OpenBSD 4.2 dhcpd(8)



Hello all,

Does anyone know which version of ISC DHCP that OpenBSD 4.2 uses for
dhcpd(8)? I wasn't able to find any clue on the webpage or associated
documentation.

It feels a lot like a 2.x release based on the options available, but
I just want to make sure.

Thanks.

--
-TimS


I just started this OpenBSD ride.
But Webmin 1.8 tells me DHCP is VER 3.


OpenBSD uses its own DHCPD, not the ISC one.



Re: need people to test this patch with acpi

2008-01-16 Thread NetOne - Doichin Dokov

Is this for -current only, or you need testing on 4.2 too?

Marco Peereboom wrote:

Please test this on all acpi capable machines and send me a dmesg if you
see this in the dmesg: store from field!!

If you see this panic or something similar:
acpi0: tables DSDT FACP SLIC HPET APIC MCFG TCPA SSDT SSDT SSDT SSDT
SSDT
wrong setbufint type

2ca8 Called: \\_SB_.C003.C098.C155
   arg0: 0xd17b7910 cnt:01 stk:00 objref: 0xd176d484 index:
  [\\_SB_.C06A] 0xd176d484 cnt:02 stk:00 field: bitpos=02e0 bitlen=00a0
ref1:d176c904 ref2:0 [Field]
  [\\_SB_.C043] 0xd176c904 cnt:32 stk:00 opregion: 00,3f7e7dc0,140
   arg1: 0xd17b793c cnt:01 stk:00 objref: 0xd1756410 index:
  0xd1756410 cnt:00 stk:60 integer: 0
   local0: 0xd1756a10 cnt:00 stk:60 integer: 0
2c7d Called: \\_SB_.C003.C098._INI
   local0: 0xd1756410 cnt:00 stk:60 integer: 0
panic: aml_die aml_setbufint:983 


please try this diff:
Index: dsdt.c
===
RCS file: /cvs/src/sys/dev/acpi/dsdt.c,v
retrieving revision 1.106
diff -u -p -r1.106 dsdt.c
--- dsdt.c  2 Dec 2007 22:24:54 -   1.106
+++ dsdt.c  16 Jan 2008 20:20:27 -
@@ -980,9 +980,10 @@ void
 aml_setbufint(struct aml_value *dst, int bitpos, int bitlen,
 struct aml_value *src)
 {
-   if (src-type != AML_OBJTYPE_BUFFER)
+   if (src-type != AML_OBJTYPE_BUFFER) {
+   aml_showvalue(src, 0);
aml_die(wrong setbufint type %d\n, src-type);
-
+   }
 #if 1
/* Return buffer type */
_aml_setvalue(dst, AML_OBJTYPE_BUFFER, (bitlen+7)3, NULL);
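Review bot: the aml_showvalue(src, 0) added in front of aml_die in aml_setbufint only runs on the fatal path, so testers will see the dumped object right above the "wrong setbufint type" panic, which is the intended diagnostic; but the brace-wrapped block is only correct if aml_die never returns, since otherwise control falls through to _aml_setvalue with a non-buffer src exactly as before. A one-line comment on the aml_die call saying it does not return would make that explicit for the next reader.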
@@ -1633,10 +1634,17 @@ aml_setvalue(struct aml_scope *scope, st
struct aml_value tmpint;
 
 	/* Use integer as result */

+   memset(tmpint, 0, sizeof(tmpint));
if (rhs == NULL) {
-   memset(tmpint, 0, sizeof(tmpint));
rhs = _aml_setvalue(tmpint, AML_OBJTYPE_INTEGER, ival, NULL);
}
+   else if (rhs-type == AML_OBJTYPE_BUFFERFIELD ||
+rhs-type == AML_OBJTYPE_FIELDUNIT)
+   {
+   printf(store from field!!\n);
+   aml_fieldio(scope, rhs, tmpint, ACPI_IOREAD);
+   rhs = tmpint;
+   }
 
 	if (!is_local(scope, lhs))

lhs = aml_dereftarget(scope, lhs);
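Review bot: the printf("store from field!!\n") in the new BUFFERFIELD/FIELDUNIT branch of aml_setvalue is an unconditional console print on every store from a field, which is fine for this test round (the mail asks for dmesgs containing it) but must become a dnprintf or be removed before commit, otherwise it will flood dmesg on every machine whose AML performs such stores. Hoisting memset(tmpint, 0, sizeof(tmpint)) out of the rhs == NULL branch is the right companion change: aml_fieldio writes into tmpint in the new branch, and the unconditional aml_freevalue(tmpint) added at the end of the function needs the struct zeroed on every path, including the common one where rhs is a real object and tmpint is never assigned.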
@@ -1725,6 +1733,7 @@ aml_setvalue(struct aml_scope *scope, st
dnprintf(10, setvalue.unknown: %x, lhs-type);
break;
}
+   aml_freevalue(tmpint);
 }
 
 /* Allocate dynamic AML value
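Review bot: aml_freevalue(tmpint) at the end of aml_setvalue releases the buffer that aml_fieldio allocated in the field branch, but only on exits that reach it through the switch's break statements; check that the function has no early return between the field read and this line, because each such return would leak that buffer. Also confirm that aml_freevalue on a zeroed, never-assigned tmpint (the usual path) is a no-op rather than an attempt to free a NULL or stale pointer, since the call is now made unconditionally.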




Re: facts about OpenBSD

2008-01-14 Thread NetOne - Doichin Dokov

Nikns Siankin wrote:

On Mon, Jan 14, 2008 at 01:14:07PM +0100, Peter N. M. Hansteen wrote:
  

Nikns Siankin [EMAIL PROTECTED] writes:



When we will meet in Riga, I will like to hear from you explanation,
how does putting md5 checksum file *along* with installables on the
same vulnerable channel, helps to make sure, that they are not backdoored ;]
  

you don't have to wait that long. fetch the files from different mirrors.


hahaha. yeah. different vulnerable mirror, while I'm MITM'ing your ISP.
see ya

  

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.


Go buy the CD set, Mr. Security - or you don't trust the postman either?

Now - seriously - let's stop all the shit. The misc@ has been 99% flame 
these days...


Regards,
Doichin



Re: Improving disk reliability

2008-01-08 Thread NetOne - Doichin Dokov

Douglas A. Tutty wrote:

On Jan 8, 2008, at 6:29 AM, Douglas A. Tutty wrote:


I know that the FAQ says to just use dump to make backups but what if
you want a tape of a specific group of files for archiving?  When last
did the dump format change?  Since it reads the filesystem directly, I'd
assume that its filesystem-specific.  What if you want portability
across OSs and file system types?  Is there any more-or-less universal
format?
  

tar(1) with gzip(1).



Re Amanda:  for me, it's likely too complex since I only have two boxes
and one is a desktop only.  Right now it runs its own backup script to
create a tarball then the main box rsyncs that over to it.
  

see? works fine.

Amanda basically does that, without using ssh and without some kind of  
security (this may have changed recently). It also keeps a reference  
database for which file is stored on which tape, and a index on each  
tape of the contents.





Well, right now, I just do full backups.  Incrementals get rather
tedious.  Especially since they find new files but they don't notice a
file that has been deleted.  So I don't need a list of what files are in
which tarball but rather just what date it is.  A simple log: this tape,
this date, this tarball.

  
All in all, pretty smart design. The best thing out of the features  
AMANDA provides is this tidbit: everything is in gtar to keep things  
as a standard.



As long as the archive format that it tells tar to use is compatible
with whatever version of tar you go to use in 20 years; but that's
another topic.

Thanks,

Doug.

  

Bacula (www.bacula.org) is your friend.

Regards,
Doichin



Re: OpenBSD as DSL Router using hostname.pppoe0?

2007-12-28 Thread NetOne - Doichin Dokov

[EMAIL PROTECTED] wrote:

Well with static IPs I've no problem either.
It's just after the forced disconnect of the ISP and after pppoe0 got a
new IP. Then NAT and routing fails. I solve this via a rule reload (after
pppoe0 got a new IP) but that looks like some stone-age method
(seriously.. ).

I just wonder if somebody else noticed this and if somebody may have solved
this in a different way.


Kind regards,
Sebastian
I guess you use ($ext_if) - with brackets - instead of the IP address 
manually entered (which you obviously don't know). This way PF monitors 
the interface for changes of its IP address and adjusts rules 
accordingly. You can verify if it does by doing a 'pfctl -s rules' after 
a reconnection, without first reloading the ruleset.


The problem, though, is probably the states which were already created - 
they keep matching the old IP. Clearing of the state table should be 
sufficient, and I think this could be done with a macro in your 
hostname.pppoe0, like this:

!pfctl -F state

I've personally never had to do such things, so consider everything I 
say just as suggestions.


Kind regards,
Doichin



Re: OpenBSD as DSL Router using hostname.pppoe0?

2007-12-28 Thread NetOne - Doichin Dokov

[EMAIL PROTECTED] wrote:

I guess you use ($ext_if) - with brackets - instead of the IP address
manually entered (which you obviously don't know). This way PF monitors
the interface for changes of its IP address and adjusts rules
accordingly. You can verify if it does by doing a 'pfctl -s rules' after
a reconnection, without first reloading the ruleset.

The problem, though, is probably the states which were already created -
they keep matching the old IP. Clearing of the state table should be
sufficient, and I think this could be done with a macro in your
hostname.pppoe0, like this:
!pfctl -F state

I've personally never had to do such things, so consider everything I
say just as suggestions.

Kind regards,
Doichin



Well I added your macro right now but I'm unsure if hostname.pppoe0 is
read every time pppoe0 gets a disconnect (and later a new IP). I think
hostname.pppoe0 is read once on boot and the rest is all in kernelspace
then (Oh a disconnect! No worries lets try to reconnect...!).

I might be wrong and I might have understood the concept in a wrong way but
hostname.pppoe0 gets called once (and just once) at boot. So how could
this macro help after pppoe0 got a new IP?
Or is the hostname.pppoe0 really read once after pppoe0 got a disconnect?!
  
I'm unsure of this, too, and the man pages of hostname.if and pppoe seem 
unclear about this. But I guess you're right - commands will be executed 
only on system boot or network restart.

So far I never used such a macro because of my understanding it would have
no effect (not even at boot time because pppoe0 sometimes has 2-3 secs no
IP (the OS boots further, pf gets enabled) and then it has).
  
You set $ext_if to pppoe0. Then by using ($ext_if) PF knows it has to 
look up the IP address of the interface, and reflect changes to it back 
in the ruleset. So I guess at least at boot time it should be of help.
The ! command in the hostname.pppoe0 file is irrelevant at boot - you 
don't have any states to flush.


Regards,
Doichin



Re: OpenBSD for routing firewalling a 100Mbit/s connection

2007-12-09 Thread NetOne - Doichin Dokov

Carl Roberso wrote:

NetOne - Doichin Dokov wrote:
  
In fact, we use also a bit more complicated BGP setup. Don't know if it 
would be in any help for you





Doichin, your practical, hands-on examples are true gold for me, really.
Again, thank you very much for your help.

My router/firewalls, after your tuning recommendations works flawlessly,
I'm very pleased.
Your load-balancing option is very interesting, and I'll investigate it
further next week.

As in any gateway solution traffic shaping / rate limiting is very important
as you pointed out, I was wondering if it can be setup in OpenBSD something
like ATM functional paradigm, where, after giving a global PCR for a dot1q
trunk (ex. 40 Mbit/s), you can give to various VLANs PCRs & MCRs (ex. VLAN 1
with 20Mbit/s PCR, 10Mbit/s MCR, and VLAN 2 with 40Mbit/s PCR, 30Mbit/s
MCR).

I tried hard to figure out a way to do this from the official documentation
& by hard-Googling (for hours), but without any success.

Cheap rate-limiting in that way can be done, in a mad but cheap way, with
a pair of old Cat 2924M with a ATM 155 and a Gigabit Ethernet module
(switch, modules & a GBIC are under $90 on ebay), crossed in ATM, so you
connect the dot1q trunk in one switch, do the shaping at the LANE level,
then extract shaped services on the other switch (as a trunk on GE, or on
single ports), but.. of course.. it's really a dirty spaghetti-style
solution.

Have you any advice on making shaping on a OpenBSD router/firewall in a
ATM-style?
  
Yes, that's possible with OpenBSD and PF / ALTQ. You need the HFSC 
queueing algorithm. A very nice site with docs about this is 
http://www.probsd.net/pf/index.php/Main_Page
Using HFSC, you can assign each queue a realtime rate (MCR) and an 
upperlimit (PCR), then set up the physical interface queue to the total 
bandwidth available.
We use HFSC here for this, and it's performing quite fine, so if you 
need examples, just drop a line. Another good place for help is the #pf 
channel on the FreeNode IRC network. I also used to hang in there, but 
we've recently had problems with our main office building (part of the 
next building collapsed over it), so I'm personally not available very 
much lately.
You can set up the vlans you want to shape on one physical interface. 
Remember that you configure ALTQ and all queues on the PHYSICAL 
interface, then you can use arbitrary PF rules to catch traffic and 
assign it to queues, NO MATTER on which interface.
Read the docs, play with it and come back to the list when you need 
help. It would be good if you provide some conf files about your setup - 
how the interfaces are setup, what exactly you want to shape, etc.


Regards,
Doichin
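As an added example (not from the post or from the PF project), here is the ATM-style PCR/MCR scheme from the question written in the ALTQ/HFSC syntax of pf.conf from that era (pre-OpenBSD 5.5). It assumes em0 is the dot1q trunk, vlan1 and vlan2 are vlan(4) interfaces on em0, and only traffic leaving the trunk is shaped:

```conf
# Added example: ALTQ/HFSC shaping of two VLANs on one dot1q trunk
# (pre-OpenBSD 5.5 pf.conf syntax).
# Assumptions: em0 is the trunk, vlan1/vlan2 are vlan(4) devices on em0.
trunk_if = "em0"

# Root queue on the PHYSICAL interface: the global PCR of the trunk
# (40 Mbit/s). Queues are never defined on the vlan(4) devices themselves.
altq on $trunk_if bandwidth 40Mb hfsc queue { q_vlan1, q_vlan2 }

# Per-VLAN service curves:
#   realtime   = guaranteed rate, i.e. the MCR
#   upperlimit = hard ceiling, i.e. the PCR
# The sum of the children's "bandwidth" values may not exceed the parent's
# 40Mb, so with 10Mb + 30Mb there is no room for a separate default queue;
# q_vlan2 therefore doubles as the mandatory default.
queue q_vlan1 bandwidth 10Mb hfsc(realtime 10Mb upperlimit 20Mb)
queue q_vlan2 bandwidth 30Mb hfsc(realtime 30Mb upperlimit 40Mb default)

# Queue assignment is done by ordinary PF rules; the queue is resolved when
# the packet is handed to em0's transmit queue, whatever interface the rule
# names. Rules are stateful by default on this release.
pass out on vlan1 queue q_vlan1
pass out on vlan2 queue q_vlan2
```

After loading the ruleset, pfctl -vs queue shows per-queue packet and drop counters, which is the quickest way to confirm traffic actually lands in the intended queue.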



Re: ibgp

2007-12-03 Thread NetOne - Doichin Dokov

Tom Bombadil wrote:

Greetings...

We are trying to use a couple routers with carp and uplinks with 2
different providers. One router as master and another one slave. The
slave getting all the routes from the master using IBGP.

The problem is that when I bring to interface of the master down to test
if the failover works, the slave deletes all the routes it got from the
master.

Is there any way of retaining those IBGP routes for sometime after the
tcp connection is severed, or until the slave server (now master) can
connect to the external peers and the get routes from them?

Or... if anybody has any other hint for a more resilient setup, I'd be
glad to hear.

Thanks a bunch,
g.
  
Several days ago I wrote something on the topic, but not sure if it made 
it to the list:


Carl Roberso wrote:

NetOne - Doichin Dokov wrote:

The BGP problem is solved by doing this:



Thank you very much Doichin for pointing this out: all of you were so
helpful!

Best wishes!rt

You're more than welcome!

In fact, we use also a bit more complicated BGP setup. Don't know if it 
would be in any help for you, but i'll describe it here just for the 
thread to be complete in case anyone starts digging :)
The configuration I described in my previous post (3 IPs per upstream 
provider, 2 dedicated, 1 CARP-shared) works flawlessly, BUT traffic goes 
only through one of the routers at a time. As we were not just routing, 
but also doing a lot of shaping, we wanted to loadbalance things and 
make both of the systems do some job when they are both up.
So, the scheme grew from 3 to 4 IPs per upstream provider - 2 dedicated 
IPs for each firewall, and 2 CARP-shared IPs. Firewall #1 was default 
master for shared IP one, Firewall #2 was default master for shared IP two.

Let's say the IPs are:
Firewall #1

172.16.0.1 - static, not in CARP, used for BGP communication with upstream
172.16.0.3 - CARP shared, default master
172.16.0.4 - CARP shared, default slave

Firewall #2

172.16.0.2 - static, not in CARP, used for BGP communication with upstream
172.16.0.3 - CARP shared, default slave
172.16.0.4 - CARP shared, default master

Then, we told our provider to set nexthop to 172.16.0.3 for networks we 
sent to them with a community COMM1, and having nexthop set to 
172.16.0.4 for networks we sent to them with a community COMM2.
Then, in our BGP setup (equal on both firewalls, despite the IP address 
/ router ID), all we had to do is mark half of the networks, which we 
wanted to go through Firewall #1 by default, with community COMM1, and 
the others to go to Firewall #2 by default, with community COMM2.
Of course, you have to have a similar setup (though probably without 
BGP) on the internal side of the firewalls for things to work properly, 
again 2 CARP ifs and traffic originating from the networks routed to 
Firewall #1 and Firewall #2 sent to the very same machine, otherwise you 
run into state problems, shaping problems (if you do that on the 
machines, we do), and maybe something else i could not come up with now :)


By the way, a nice new IP loadbalance option was recently added to CARP, 
which might obsolete the setup I describe, but I've not played with that 
yet.


Whatever you choose to do, you could always come back for help in case 
you need it.


Regards,
Doichin



Re: Filtering on an IPSEC bridge

2007-12-03 Thread NetOne - Doichin Dokov

tim wrote:

Hello,

I would like to know the way to filter on an IPSEC bridge. I would like to pass 
all traffic to and from each side of the bridge. I don't know which interfaces 
and protocols to use. I've looked all over, and seem to find minimal 
information on this. Sure could use a hand.

Regards,

Tim 
We don't know, either, unless you post some more details about your 
setup (interfaces' configs, pf.conf).


Though, what you probably need is to set skip on the enc0 interface, and 
pass the ipsec traffic on the physical interface.


Regards,
D.



Re: How to test if pfsync is working?

2007-12-02 Thread NetOne - Doichin Dokov

Jake Conk wrote:

Hello,

I have pfsync setup between two servers and they're connected to each
other through a cross over cable just as suggested in the faq. Now how
do I test to make sure it's working properly and rules and states are
being synced up? I have ftp-proxy setup so if I connect to an ftp
server through ftp-proxy it should open that other ftp port on the
server I'm going through as well as the server it's syncing pf with
but how do I test that to make sure its working?

Thanks,
- Jake
  

I believe pfsync synchronizes states only, not firewall rules.
You could check whether it's running fine by watching the state table on 
the backup machine - if it shows state created on the other machine, 
then it's probably fine.

'man pfsync' is your friend, examples included.

Regards,
Doichin



Re: OpenBSD for routing firewalling a 100Mbit/s connection

2007-12-01 Thread NetOne - Doichin Dokov

Carl Roberso wrote:

Henning Brauer wrote:
  

6000 irq/s is not much.
increase sysctl net.inet.ip.ifq.maxlen.




Thank you v-e-r-y much Henning, this seems to have cured the problem.

Another problem seems left, anyway. :(

I'm running bgpd on both OpenBSD boxes: it's really a fine piece of
software, but when dealing with a setup like mine (same box does PF & BGP
routing, from here the firewall), you can get in trouble when using one
BGP session per-provider-per-firewall, and the uplink ISP get you some
packets on firewall A, some others on firewall B (so, there isn't a priority
on BGP session). Another similar problem arises when the firewall B becomes
master, the firewall A stops the packet flow, but maybe its BGP sessions
remain active (the most active, or the really one with most priority,
depends on the ISP).. and packet confusion starts.

Of course a solution seems to have a BGP session active ONLY when a
given firewall is active.. but this means that when instantly (without
losing the TCP sessions) CARP help to switch to the secondary firewall..
everything will be blocked, waiting for the BGP session to download routes.

Any of you guys has a hint also for this situation (that's having concurrent
BGP sessions, but making sure that the master firewall gets all packets
coming from all BGP sessions, without mangling with PF states)?

Again, thank you in advance.
  

The BGP problem is solved by doing this:
You need 3 IPs for communicating with each provider. Let's say you have 
172.16.0.1, 172.16.0.2 and 172.16.0.3 to communicate with ISP1.
You set up 172.16.0.1 on Firewall #1, 172.16.0.2 on Firewall #2, and you 
set up 172.16.0.3 on both of them with CARP.
Then you establish BGP sessions from 172.16.0.1 and 172.16.0.2 to your 
provider, and tell the provider to set next-hop for both of them to 
172.16.0.3
This way both of the sessions are live, and traffic goes to the active 
machine. Once it fails, the other one takes over the common 172.16.0.3 
and keeps receiving the traffic without waiting for BGP timeouts, nor 
BGP prefix download or something else.

Do the same with ISP2 and you're ready to go.

Regards,
Doichin



Re: OpenBSD for routing firewalling a 100Mbit/s connection

2007-12-01 Thread NetOne - Doichin Dokov

Carl Roberso wrote:

Henning Brauer wrote:
  

6000 irq/s is not much.
increase sysctl net.inet.ip.ifq.maxlen.




Thank you v-e-r-y much Henning, this seems to have cured the problem.

Another problem seems left, anyway. :(

I'm running bgpd on both OpenBSD boxes: it's really a fine piece of
software, but when dealing with a setup like mine (same box does PF & BGP
routing, from here the firewall), you can get in trouble when using one
BGP session per-provider-per-firewall, and the uplink ISP get you some
packets on firewall A, some others on firewall B (so, there isn't a priority
on BGP session). Another similar problem arises when the firewall B becomes
master, the firewall A stops the packet flow, but maybe its BGP sessions
remain active (the most active, or the really one with most priority,
depends on the ISP).. and packet confusion starts.

Of course a solution seems to have a BGP session active ONLY when a
given firewall is active.. but this means that when instantly (without
losing the TCP sessions) CARP help to switch to the secondary firewall..
everything will be blocked, waiting for the BGP session to download routes.

Any of you guys has a hint also for this situation (that's having concurrent
BGP sessions, but making sure that the master firewall gets all packets
coming from all BGP sessions, without mangling with PF states)?

Again, thank you in advance.
  
And, about the ifq.maxlen sysctl, a good indication you need to increase 
it is if the net.inet.ip.ifq.drops sysctl is increasing. It should stay 
at 0 or not increase anymore after you tuned the ifq.maxlen.


Regards,
Doichin



Re: Strange em(4) issues

2007-12-01 Thread NetOne - Doichin Dokov

Chris Cappuccio wrote:

i've got a pair of h8ssl-i boards that work fine at 133mhz.  i have
another set that i run at 66mhz, but only because that's the max the raid
controller supports (some kind of LSI card.  i like the areca better though)

bge shows up as:

bge0 at pci2 dev 3 function 0 Broadcom BCM5704C rev 0x10, BCM5704 B0 
(0x2100): irq 5, address 00:30:48:56:68:d4
brgphy0 at bge0 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
bge1 at pci2 dev 3 function 1 Broadcom BCM5704C rev 0x10, BCM5704 B0 
(0x2100): irq 9, address 00:30:48:56:68:d5
brgphy1 at bge1 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
  
In fact, the H8-SSL-I2 docs say the jumper is for the PCI-X slot, not 
for the PCI-X bus, so I guess the onboard BCM704C is unaffected by its 
settings. Anyways, if it is, or is not, it surely IS working fine, 
except for the input errors Stuart pointed he had, which i could 
confirm. I've not seen any problems with traffic flowing through them, 
though, but Stuart has had.
Also, nobody claims the PCI-X is not workable on 133 MHz bus, what it 
seems like is there are compatibility issues between recent Intel em(4)s 
and the ServerWorks HT-1000 (or this Supermicro board). In my opinion, 
it's too bad that hardware of exactly these two brands, which are 
none-the-less big names in the server market, are unable to play 
together nicely at 133 MHz. It's a shame!


Regards,
Doichin

Stuart Henderson [EMAIL PROTECTED] wrote:
  

On 2007/11/30 09:57, Girish Venkatachalam wrote:


On 20:47:57 Nov 29, Stuart Henderson wrote:
 
  

Been there, done that. If you use plaintext protocols (ftp or so)
over the interface, you'll see random corruption visible in the
data (e.g. directory listings).

At 133MHz there's some corruption between motherboard and card.
Disappears at 66MHz.

Normally this would be masked by TCP checksums (you'd get packet
loss, but it would mostly be corrected rather than pass corrupt
packets up the stack), but the em(4) does offload TCP checksum
processing to the card, so the checksum no longer covers the
transfer over the PCI bus, hence the weird protocol errors.


TCP checksums or for that matter any checksum cannot catch *all* errors.
  

Agreed, hence the mostly.



Since there is a MAC computation for every packet, this will easily help
you identify the problem.
  

With this happening, you're lucky to get an ftp banner through without
corruption, I don't think I ever had an SSH session setup.

I already have two workarounds, one is to use the old quad em(4) with
the IBM(Tundra) bridge (which work ok at 64x133 but the RJ45 sockets
are the wrong way up to latch correctly in some of Supermicro's 1U cases),
the other is to use the newer cards (Pericom bridge) at 66MHz.

I haven't heard of this happen on other systems (and other 64x133 cards
work), I suspect it's a hardware problem between H8SSL and the Pericom
bridge chip.




Re: This list: CC and TO fields

2007-12-01 Thread NetOne - Doichin Dokov

L wrote:
When I reply to the group.. it puts the person's address and the 
groups address in TO/CC fields.


Is it possible for the server to just send mail to the TO field to the 
group only, and not have a CC ?


Is this on purpose, so that incase the list is ever down, the person 
gets the mail anyway?


On my mailing lists that I manage I always turn this option off.. so 
that anyone who replies to the list only replies to the list but not 
the actual person too.

Not a big deal, just wondering if this is by design and on purpose

L505

Don't know about this mailing list in particular, but it's often done
this way because sometimes people not on the mailing list occasionally
send a mail to it without being subscribed to it. This makes sure they
get all the related posts, though with the downside of subscribers of
the mailing lists getting 2 mails for each reply on a thread they've
started.



Re: OpenBSD for routing firewalling a 100Mbit/s connection

2007-12-01 Thread NetOne - Doichin Dokov

Carl Roberso wrote:

NetOne - Doichin Dokov wrote:
  

The BGP problem is solved by doing this:




Thank you very much Doichin for pointing this out: all of you was so
helpful!

Best wishes!rt
  

You're more than welcome!

In fact, we use also a bit more complicated BGP setup. Don't know if it 
would be in any help for you, but i'll describe it here just for the 
thread to be complete in case anyone starts digging :)
The configuration I described in my previous post (3 IPs per upstream 
provider, 2 dedicated, 1 CARP-shared) works flawlessly, BUT traffic goes 
only through one of the routers at a time. As we were not just routing, 
but also doing a lot of shaping, we wanted to loadbalance things and 
make both of the systems do some job when they are both up.
So, the scheme grew from 3 to 4 IPs per upstream provider - 2 dedicated 
IPs for each firewall, and 2 CARP-shared IPs. Firewall #1 was default 
master for shared IP one, Firewall #2 was default master for shared IP two.

Let's say the IPs are:
Firewall #1

172.16.0.1 - static, not in CARP, used for BGP communication with upstream
172.16.0.3 - CARP shared, default master
172.16.0.4 - CARP shared, default slave

Firewall #2

172.16.0.2 - static, not in CARP, used for BGP communication with upstream
172.16.0.3 - CARP shared, default slave
172.16.0.4 - CARP shared, default master

Then, we told our provider to set nexthop to 172.16.0.3 for networks we 
sent to them with a community COMM1, and having nexthop set to 
172.16.0.4 for networks we sent to them with a community COMM2.
Then, in our BGP setup (equal on both firewalls, despite the IP address 
/ router ID), all we had to do is mark half of the networks, which we 
wanted to go through Firewall #1 by default, with community COMM1, and 
the others to go to Firewall #2 by default, with community COMM2.
Of course, you have to have a similar setup (though probably without 
BGP) on the internal side of the firewalls for things to work properly, 
again 2 CARP ifs and traffic originating from the networks routed to 
Firewall #1 and Firewall #2 sent to the very same machine, otherwise you 
run into state problems, shaping problems (if you do that on the 
machines, we do), and maybe something else i could not come up with now :)


By the way, a nice new IP loadbalance option was recently added to CARP, 
which might obsolete the setup I describe, but I've not played with that 
yet.


Whatever you choose to do, you could always come back for help in case 
you need it.


Regards,
Doichin
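The 3-IP scheme from the earlier post in this thread and the 4-IP, community-tagged scheme above, written out as a concrete configuration for Firewall #1 (an added example, not the poster's own files). The AS numbers, the community values standing in for COMM1/COMM2, the upstream router address 172.16.0.254 and the RFC 5737 customer prefixes are placeholders; Firewall #2 differs only where the comments say so:

```conf
# Added example for Firewall #1 (placeholders: AS numbers, community values,
# upstream router 172.16.0.254, customer prefixes 192.0.2.0/25 and /128).

# /etc/hostname.em0 -- the dedicated, non-CARP address carrying the BGP session
inet 172.16.0.1 255.255.255.0 172.16.0.255
# (Firewall #2: 172.16.0.2)

# /etc/hostname.carp0 -- shared IP one, Firewall #1 is default master (advskew 0)
inet 172.16.0.3 255.255.255.0 172.16.0.255 vhid 3 carpdev em0 pass CARP_SECRET_PLACEHOLDER advskew 0
# (Firewall #2: advskew 100)

# /etc/hostname.carp1 -- shared IP two, Firewall #1 is default backup (advskew 100)
inet 172.16.0.4 255.255.255.0 172.16.0.255 vhid 4 carpdev em0 pass CARP_SECRET_PLACEHOLDER advskew 100
# (Firewall #2: advskew 0)

# /etc/sysctl.conf -- a recovered default master takes its shared IP back
net.inet.carp.preempt=1

# /etc/bgpd.conf -- identical on both firewalls except router-id / local-address
AS 65000                         # placeholder local AS
router-id 172.16.0.1             # Firewall #2: 172.16.0.2
network 192.0.2.0/25             # half of the customer space, enters via Firewall #1
network 192.0.2.128/25           # the other half, enters via Firewall #2

neighbor 172.16.0.254 {          # placeholder upstream router
	remote-as 65001          # placeholder upstream AS
	descr "ISP1"
	local-address 172.16.0.1 # Firewall #2: 172.16.0.2
	announce all
	# tcp md5sig password "SESSION_SECRET_PLACEHOLDER"  # if the upstream supports it
}

# Last matching rule wins. Announce only our own prefixes, tagged so that the
# upstream can set next-hop 172.16.0.3 for COMM1 and 172.16.0.4 for COMM2
# (that next-hop rewrite is agreed with, and configured by, the provider).
# For the simpler 3-IP scheme, drop the communities and have the upstream set
# next-hop 172.16.0.3 on everything it learns from both sessions.
deny to 172.16.0.254
allow to 172.16.0.254 prefix 192.0.2.0/25 set community 65001:1     # COMM1
allow to 172.16.0.254 prefix 192.0.2.128/25 set community 65001:2   # COMM2
allow from 172.16.0.254
```

Both sessions stay established through a CARP failover because each rides its own non-CARP address; bgpctl show neighbor on the surviving box should still report both peers as Established while ifconfig carp0 shows it has become MASTER.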



Re: pflog filling up /var mount every 2-3 days!

2007-11-30 Thread NetOne - Doichin Dokov

Jake Conk wrote:

Hello,

I have my /var partitioned out to be 150mb which I thought was
enough but every 2-3 days it gets full because I end up with a pflog
file that is ridiculously large! Right now I have one that is 53.6mb
and I have gotten them larger like 100mb +!! Because of this my /var
partition fills up and other programs have problems writing logs and
stuff... Here is an example:

$ ls -lah /var/log/ | grep pflog
-rw---   1 root  wheel  98.0K Nov 30 18:02 pflog
-rw---   1 root  wheel  53.6M Nov 30 02:00 pflog.0
-rw---   1 root  wheel   1.3M Nov 30 02:00 pflog.0.gz
-rw---   1 root  wheel   2.2M Nov 30 01:00 pflog.1.gz
-rw---   1 root  wheel   1.7M Nov 30 00:00 pflog.2.gz
-rw---   1 root  wheel   1.7M Nov 29 23:00 pflog.3.gz
-rw---   1 root  wheel   7.0M Nov 29 20:25 pflog.bad.630d9931

I have to keep coming here each couple of days to check if that is
full and delete them. My question is, is this normal and I just
created my /var mount too small? I think the fact that my pflog is
that big is the actual problem, does anyone know of a way to fix this?

Thanks,
- Jake
Perhaps you want to see what's inside it? Look at your pf.conf, see what 
you're logging and if you do need it to be logged. Remove anything 
unnecessary, setup newsyslogd to rotate it - there are plenty of options 
to solve your problem. It's all in the FAQ / man pages.




Re: Strange em(4) issues

2007-11-29 Thread NetOne - Doichin Dokov

First, thanks for the prompt reply!

Stuart Henderson wrote:

On 2007/11/29 22:23, NetOne - Doichin Dokov wrote:
  
Two weeks ago i bought an Intel Pro/1000MT dual Gbit NIC because i was gonna 
soon be in need for more ports in one of our 1U systems,



Change the PCI jumper, which is currently probably on auto,
to 64 bit 66MHz. You probably need to remove the PCIX card to
reach it (unless they changed much of the design between the
H8SSL and -I2, which I doubt).

  

Yes, it's there. Right after the first PCI slot. Will do that in several
hours, when most of the users go to sleep :)

which has 2 onboard bge(4)s which are working quite nice.



the 5704C bge(4) on my H8SSL are all disabled because of Ierrs
in netstat -ni, maybe you are luckier :-)
  

Nopes, I'm not:
# netstat -in
Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Colls
{snip}
bge0 1500 Link 00:30:48:57:c3:80 44867924 39723 42574046 1 0
bge0 1500 213.137.48. 213.137.48.1 44867924 39723 42574046 1 0
bge0 1500 fe80::%bge0 fe80::230:48ff:fe 44867924 39723 42574046 1 0
bge1 1500 Link 00:30:48:57:c3:81 45170081 33204 42551236 1 0
bge1 1500 fe80::%bge1 fe80::230:48ff:fe 45170081 33204 42551236 1 0

Despite seeing Ierrs, I do not see any performance and connectivity
issues. What exactly does lead to having input errors on the bge(4)s?
I mean, would they be usable for what I will need the two more ports
for. This machine is gonna soon have a twin to be backed up with CARP,
and i need the two additional interfaces on each of them for:
1) One interface for cross-connecting the machines to do pfsync
2) One interface to connect to a private networks and run bacula backups
through (i want to use this couple of routers to do some backups at 4-5
a.m. when they are not busy at all)
Using em(4)s for the real traffic, would the bge(4)s be suitable for
pfsync and bacula backups with these errors they are experiencing? Or I
should go get a quad port Intel (i wish i don't have to spend that much
money, though)

everything from it quite nice, fetch remote sites, etc. Suddenly the SSH 
connection was dropped with a message I've never seen before - Corrupted MAC 
header.



Been there, done that. If you use plaintext protocols (ftp or so)
over the interface, you'll see random corruption visible in the
data (e.g. directory listings).

At 133MHz there's some corruption between motherboard and card.
Disappears at 66MHz.

Normally this would be masked by TCP checksums (you'd get packet
loss, but it would mostly be corrected rather than pass corrupt
packets up the stack), but the em(4) does offload TCP checksum
processing to the card, so the checksum no longer covers the
transfer over the PCI bus, hence the weird protocol errors.

  

Affirmative. Exactly what I'm experiencing.

dmesg errors during the problems with em(4)s devices:
===
em1: watchdog timeout -- resetting
em1: watchdog timeout -- resetting
pckbcintr: no dev for slot 1
pckbcintr: no dev for slot 1

dmesg bge(4) timeouts which happen from time to time:
=
bge0: watchdog timeout -- resetting
bge1: watchdog timeout -- resetting



mickey posted some diffs on tech@ relating to watchdog
problems with bge and em, they might be worth a look.
  

Are these what you're talking about, or there were any subsequent
patches I could not find:
http://article.gmane.org/gmane.os.openbsd.tech/14133
http://article.gmane.org/gmane.os.openbsd.tech/14134

If so, I will apply them and recompile.

Again, thank you very much for the help. I highly appreciate it. $30
will be donated to the OpenBSD foundation, plus another copy of the 4.2
CD set bought (we'll need one for the new machine, no? :D).

Regards,
Doichin



Re: Strange em(4) issues

2007-11-29 Thread NetOne - Doichin Dokov

NetOne - Doichin Dokov wrote:

dmesg bge(4) timeouts which happen from time to time:
=
bge0: watchdog timeout -- resetting
bge1: watchdog timeout -- resetting


mickey posted some diffs on tech@ relating to watchdog
problems with bge and em, they might be worth a look.

Are these what you're talking about, or there were any subsequent
patches I could not find:
http://article.gmane.org/gmane.os.openbsd.tech/14133
http://article.gmane.org/gmane.os.openbsd.tech/14134

Those patches apply cleanly on 4.2 stable, but i get compile errors when 
trying to build the kernel:
cc -Werror -Wall -Wstrict-prototypes -Wmissing-prototypes 
-Wno-uninitialized -Wno-format -Wno-main -Wno-sign-compare 
-Wstack-larger-than-2047 -mcmodel=kernel -mno-red-zone 
-fno-strict-aliasing -mno-sse2 -mno-sse -mno-3dnow -mno-mmx -msoft-float 
-fno-builtin-printf -fno-builtin-log -fno-omit-frame-pointer -O2 -pipe 
-nostdinc -I. -I/usr/src/sys/arch/amd64/compile/GENERIC.MP/../../../.. 
-I/usr/src/sys/arch/amd64/compile/GENERIC.MP/../../../../arch -DDDB 
-DDIAGNOSTIC -DKTRACE -DACCOUNTING -DKMEMSTATS -DPTRACE -DCRYPTO 
-DSYSVMSG -DSYSVSEM -DSYSVSHM -DUVM_SWAP_ENCRYPT -DCOMPAT_35 -DCOMPAT_43 
-DLKM -DFFS -DFFS2 -DFFS_SOFTUPDATES -DUFS_DIRHASH -DQUOTA -DEXT2FS 
-DMFS -DXFS -DTCP_SACK -DTCP_ECN -DTCP_SIGNATURE -DNFSCLIENT -DNFSSERVER 
-DCD9660 -DUDF -DMSDOSFS -DFIFO -DPORTAL -DINET -DALTQ -DINET6 -DIPSEC 
-DPPP_BSDCOMP -DPPP_DEFLATE -DMROUTING -DBOOT_CONFIG -DUSER_PCICONF 
-DAPERTURE -DPCIVERBOSE -DUSBVERBOSE -DWSDISPLAY_COMPAT_USL 
-DWSDISPLAY_COMPAT_RAWKBD -DWSDISPLAY_DEFAULTSCREENS=6 
-DWSDISPLAY_COMPAT_PCVT -DONEWIREVERBOSE -DMULTIPROCESSOR -DMPBIOS 
-D_KERNEL -Damd64 -Dx86_64 -c 
/usr/src/sys/arch/amd64/compile/GENERIC.MP/../../../../dev/pci/if_bge.c

/usr/src/sys/dev/pci/if_bge.c: In function `bge_txeof':
/usr/src/sys/dev/pci/if_bge.c:2472: error: stray '\231' in program
/usr/src/sys/dev/pci/if_bge.c:2472: error: `bge_txcnt' undeclared (first 
use in this function)
/usr/src/sys/dev/pci/if_bge.c:2472: error: (Each undeclared identifier 
is reported only once

/usr/src/sys/dev/pci/if_bge.c:2472: error: for each function it appears in.)
*** Error code 1

Stop in /usr/src/sys/arch/amd64/compile/GENERIC.MP (line 2517 of Makefile).

I guess they're meant to be used on -current?

Regards,
Doichin



Re: Strange em(4) issues

2007-11-29 Thread NetOne - Doichin Dokov

Stuart Henderson wrote:

gmane mangled them; mv the .orig files back and try these -

http://marc.info/?m=119616849501476
http://marc.info/?m=119616948702986

the diffs are made against -current but probably work with stable too.
  

Yup, you're right! Everything compiled fine. Will load the new kernel in
several hours.
Thanks again!

Doichin

On 2007/11/29 23:53, NetOne - Doichin Dokov wrote:
  

NetOne - Doichin Dokov wrote:


dmesg bge(4) timeouts which happen from time to time:
=
bge0: watchdog timeout -- resetting
bge1: watchdog timeout -- resetting
  

mickey posted some diffs on tech@ relating to watchdog
problems with bge and em, they might be worth a look.


Are these what you're talking about, or there were any subsequent
patches I could not find:
http://article.gmane.org/gmane.os.openbsd.tech/14133
http://article.gmane.org/gmane.os.openbsd.tech/14134

  
Those patches apply cleanly on 4.2 stable, but i get compile errors when 
trying to build the kernel:
cc -Werror -Wall -Wstrict-prototypes -Wmissing-prototypes -Wno-uninitialized 
-Wno-format -Wno-main -Wno-sign-compare -Wstack-larger-than-2047 
-mcmodel=kernel -mno-red-zone -fno-strict-aliasing -mno-sse2 -mno-sse 
-mno-3dnow -mno-mmx -msoft-float -fno-builtin-printf -fno-builtin-log 
-fno-omit-frame-pointer -O2 -pipe -nostdinc -I. 
-I/usr/src/sys/arch/amd64/compile/GENERIC.MP/../../../.. 
-I/usr/src/sys/arch/amd64/compile/GENERIC.MP/../../../../arch -DDDB 
-DDIAGNOSTIC -DKTRACE -DACCOUNTING -DKMEMSTATS -DPTRACE -DCRYPTO -DSYSVMSG 
-DSYSVSEM -DSYSVSHM -DUVM_SWAP_ENCRYPT -DCOMPAT_35 -DCOMPAT_43 -DLKM -DFFS 
-DFFS2 -DFFS_SOFTUPDATES -DUFS_DIRHASH -DQUOTA -DEXT2FS -DMFS -DXFS 
-DTCP_SACK -DTCP_ECN -DTCP_SIGNATURE -DNFSCLIENT -DNFSSERVER -DCD9660 -DUDF 
-DMSDOSFS -DFIFO -DPORTAL -DINET -DALTQ -DINET6 -DIPSEC -DPPP_BSDCOMP 
-DPPP_DEFLATE -DMROUTING -DBOOT_CONFIG -DUSER_PCICONF -DAPERTURE 
-DPCIVERBOSE -DUSBVERBOSE -DWSDISPLAY_COMPAT_USL -DWSDISPLAY_COMPAT_RAWKBD 
-DWSDISPLAY_DEFAULTSCREENS=6 -DWSDISPLAY_COMPAT_PCVT -DONEWIREVERBOSE 
-DMULTIPROCESSOR -DMPBIOS -D_KERNEL -Damd64 -Dx86_64 -c 
/usr/src/sys/arch/amd64/compile/GENERIC.MP/../../../../dev/pci/if_bge.c

/usr/src/sys/dev/pci/if_bge.c: In function `bge_txeof':
/usr/src/sys/dev/pci/if_bge.c:2472: error: stray '\231' in program
/usr/src/sys/dev/pci/if_bge.c:2472: error: `bge_txcnt' undeclared (first use in this function)
/usr/src/sys/dev/pci/if_bge.c:2472: error: (Each undeclared identifier is reported only once
/usr/src/sys/dev/pci/if_bge.c:2472: error: for each function it appears in.)
*** Error code 1

Stop in /usr/src/sys/arch/amd64/compile/GENERIC.MP (line 2517 of Makefile).

I guess they're meant to be used on -current?

Regards,
Doichin




Re: Strange em(4) issues

2007-11-29 Thread NetOne - Doichin Dokov

Stuart Henderson wrote:

On 2007/11/29 23:25, NetOne - Doichin Dokov wrote:
  

First, thanks for the prompt reply!



No problem, if I can save someone else the night I had in a
cold datacentre working it out, some good came out of it :-)

  

Nopes, I'm not:
# netstat -in
Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Colls
{snip}
bge0 1500 Link 00:30:48:57:c3:80 44867924 39723 42574046 1 0
bge0 1500 213.137.48. 213.137.48.1 44867924 39723 42574046 1 0
bge0 1500 fe80::%bge0 fe80::230:48ff:fe 44867924 39723 42574046 1 0
bge1 1500 Link 00:30:48:57:c3:81 45170081 33204 42551236 1 0
bge1 1500 fe80::%bge1 fe80::230:48ff:fe 45170081 33204 42551236 1 0

Despite seeing Ierrs, I do not see any performance and connectivity
issues. What exactly does lead to having input errors on the bge(4)s?
I mean, would they be usable for what I will need the two more ports
for.



I don't know what leads to them, but it's not cable/switch, I have
tried numerous alternatives. I was running OSPF with fairly short
timers over those interfaces, and had a lot of instability until
I swapped over to em/sk cards. Most protocols are able to handle
delays/loss a lot better than OSPF though.

  

This machine is gonna soon have a twin to be backed up with CARP,
and I need the two additional interfaces on each of them for:
1) One interface for cross-connecting the machines to do pfsync



Beware split routing; if you only have one active set of BGP
sessions (i.e. active/passive with 'depend on carpXX') there's
no problem of that kind, but if you have live sessions on
both boxes, you'll find that pfsync isn't designed to handle
the case where inbound traffic goes one way, and outbound
traffic the other, so you run into problems with stateful
filtering (sequence number mismatch and maybe there were
wscale problems too).

  

mickey posted some diffs on tech@ relating to watchdog
problems with bge and em, they might be worth a look.
  
  

Are these what you're talking about, or there were any subsequent
patches I could not find:
http://article.gmane.org/gmane.os.openbsd.tech/14133
http://article.gmane.org/gmane.os.openbsd.tech/14134



Yes, those ones. Alternatively it may be a problem with
interrupt routing (the fix for that on many machines is to
enable acpi to set up interrupts according to the AML from
the BIOS - this is more likely to have correct information
than other methods of interrupt setup on newer machines,
this is a large part of the reason for the ACPI work that
has been happening in -current).

While you build, don't forget this patch if you will use pfsync:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.2/common/004_pf.patch

  

Again, thank you very much for the help. I highly appreciate it. $30
will be donated to the OpenBSD foundation, plus another copy of the 4.2
CD set bought (we'll need one for the new machine, no? :D).



That's nice, thank you :-)

  
I've now switched the PCI-X slot to 66-bit / 66 MHz, and also applied 
the watchdog fix patches for em(4) and bge(4) to the kernel.
The pf patch was already applied when it was out several days ago, just 
the system was not yet rebooted as I do not use pfsync for now. Thanks 
for the hint, anyway.
I'm still running with ACPI disabled, will see how far it would go and 
enable it if needed. Are there any performance penalties / boosts from 
using ACPI?


Thanks again.

Doichin



Monitoring OpenBGPD through SNMP

2007-11-27 Thread NetOne - Doichin Dokov

Hi, all

In the past we used a Net-SNMP extension script to remotely monitor our 
quagga routers. Now that we use OpenBGPD, we needed to do the same. I 
could not find any work done on this matter through googling and searching 
the archives, so I took the script we used for quagga and changed it to 
work with OpenBGPD.

In case anyone needs it, it's available here:
http://mirror.net1.cc/projects/openbgpd-snmp/

Any feedback, comments & suggestions are highly welcome!

Regards,
Doichin



Re: Getting CPU stats with SNMP

2007-11-26 Thread NetOne - Doichin Dokov

Insan Praja SW wrote:
On Tue, 27 Nov 2007 02:42:39 +0700, NetOne - Doichin Dokov 
[EMAIL PROTECTED] wrote:


It seems net-snmp gives wrong data about CPU usage on OpenBSD. This 
is the data that I get (I've snipped some irrelevant OIDs)


# snmpwalk -v2c -c community localhost .1.3.6.1.4.1.2021.11
UCD-SNMP-MIB::ssCpuUser.0 = INTEGER: 0
UCD-SNMP-MIB::ssCpuSystem.0 = INTEGER: 0
UCD-SNMP-MIB::ssCpuIdle.0 = INTEGER: 0
UCD-SNMP-MIB::ssCpuRawUser.0 = Counter32: 1196105427
UCD-SNMP-MIB::ssCpuRawNice.0 = Counter32: 386973
UCD-SNMP-MIB::ssCpuRawSystem.0 = Counter32: 1179540172
UCD-SNMP-MIB::ssCpuRawIdle.0 = Counter32: 1196105427
UCD-SNMP-MIB::ssCpuRawWait.0 = Counter32: 0
UCD-SNMP-MIB::ssCpuRawKernel.0 = Counter32: 1
UCD-SNMP-MIB::ssCpuRawInterrupt.0 = Counter32: 1179540171

These are the same counters, but after some minutes:
# snmpwalk -v2c -c community localhost .1.3.6.1.4.1.2021.11
UCD-SNMP-MIB::ssCpuUser.0 = INTEGER: 0
UCD-SNMP-MIB::ssCpuSystem.0 = INTEGER: 0
UCD-SNMP-MIB::ssCpuIdle.0 = INTEGER: 0
UCD-SNMP-MIB::ssCpuRawUser.0 = Counter32: 1196105547
UCD-SNMP-MIB::ssCpuRawNice.0 = Counter32: 633528
UCD-SNMP-MIB::ssCpuRawSystem.0 = Counter32: 1179540175
UCD-SNMP-MIB::ssCpuRawIdle.0 = Counter32: 1196105547
UCD-SNMP-MIB::ssCpuRawWait.0 = Counter32: 0
UCD-SNMP-MIB::ssCpuRawKernel.0 = Counter32: 4
UCD-SNMP-MIB::ssCpuRawInterrupt.0 = Counter32: 1179540171

The SNMP data shows lots of NICE activity and nothing for interrupts. 
In the same time, top reports this:
CPU0 states: 0.6% user, 0.0% nice, 1.0% system, 32.9% interrupt, 65.5% idle


The SNMP counters seem completely irrelevant to CPU usage. Here's 
another example of two consecutive snmpwalks, executed right after 
each other:

# snmpwalk -v2c -c community localhost .1.3.6.1.4.1.2021.11
UCD-SNMP-MIB::ssCpuUser.0 = INTEGER: 0
UCD-SNMP-MIB::ssCpuSystem.0 = INTEGER: 0
UCD-SNMP-MIB::ssCpuIdle.0 = INTEGER: 0
UCD-SNMP-MIB::ssCpuRawUser.0 = Counter32: 1196105672
UCD-SNMP-MIB::ssCpuRawNice.0 = Counter32: 890340
UCD-SNMP-MIB::ssCpuRawSystem.0 = Counter32: 1179540175
UCD-SNMP-MIB::ssCpuRawIdle.0 = Counter32: 4294865120
UCD-SNMP-MIB::ssCpuRawWait.0 = Counter32: 0
UCD-SNMP-MIB::ssCpuRawKernel.0 = Counter32: 0
UCD-SNMP-MIB::ssCpuRawInterrupt.0 = Counter32: 1297536800
# snmpwalk -v2c -c community localhost .1.3.6.1.4.1.2021.11
UCD-SNMP-MIB::ssCpuUser.0 = INTEGER: 0
UCD-SNMP-MIB::ssCpuSystem.0 = INTEGER: 0
UCD-SNMP-MIB::ssCpuIdle.0 = INTEGER: 100
UCD-SNMP-MIB::ssCpuRawUser.0 = Counter32: 65536
UCD-SNMP-MIB::ssCpuRawNice.0 = Counter32: 0
UCD-SNMP-MIB::ssCpuRawSystem.0 = Counter32: 1297536800
UCD-SNMP-MIB::ssCpuRawIdle.0 = Counter32: 4294865120
UCD-SNMP-MIB::ssCpuRawWait.0 = Counter32: 0
UCD-SNMP-MIB::ssCpuRawKernel.0 = Counter32: 0
UCD-SNMP-MIB::ssCpuRawInterrupt.0 = Counter32: 1297536800

Counters are completely irrelevant, look at ssCpuRawUser and 
ssCpuRawNice.


Am I doing something wrong? What is the proper way to get CPU stats 
off OpenBSD with net-snmp? I know the ticks are 10 000 by default on 
OpenBSD, so I'm dividing the values accordingly, but still I don't 
get proper stats. Anyone any ideas?


Regards,
Doichin

# uname -a
OpenBSD host.name.com 4.2 GENERIC.MP#0 amd64


Hi,
You should really check out this site: 
http://www.packetmischief.ca/openbsd/snmp/

Cool..

cu,

Insan

Yup, I am using the patched net-snmp and am producing nice graphs with 
the pf stats I need. Still no clue about how to get the CPU data, though. 
Looking at the added OPENBSD-* MIBs, I don't see anything CPU related. 
Am I missing something?


Regards,
Doichin



Re: How do you start a non-standard daemon/program near end of boot?

2007-11-24 Thread NetOne - Doichin Dokov

Rob Lytle wrote:

Hi,

I've read all the relevant boot and rc type manuals and they only give
a vague reference to starting programs with
rc.local or rc.conf.local.   I want to start wpa_supplicant and I
haven't seen any variables for doing it.  Some OS's have
the /usr/local/etc/rc.d directory for such purposes.

Thanks,  Rob

  
Just add arbitrary commands to /etc/rc.local - it is executed at the end 
of the boot process.




Re: Traffic accounting software

2007-11-22 Thread NetOne - Doichin Dokov

Yuri Spirin wrote:

I need following features:
- counting all traffic going in/out ISP interface;
- web interface/gui client;
- reports by day/week/month/custom total traffic in/out;

These ones could be done with SNMP and Cacti - www.cacti.net

Regards,
Doichin



Re: Ideas about bidirectional traffic shaping

2007-11-20 Thread NetOne - Doichin Dokov

Ivo Chutkin wrote:

Hello to all here,
I would be grateful if you share your ideas and experience with me.
The problem is not related to OpenBSD as I do not use it yet in 
production environment, but I plan to go over it as soon as I finish 
my tests and feel comfortable with it. :-)
Actually the developers have done a great job, thanks and keep up the good 
work.

I work for a small ISP with clients over metro links.
The problem is that I could not get outgoing traffic (from my clients 
to the Internet) shaped the correct way. I have 4 BGP sessions with 
different transit providers on 4 different interfaces, so sometimes I 
see outgoing traffic loads by a single client over all 4 links, which is 
4 times what this client should get :-(
Is there a way to shape the outgoing traffic, for example, to a total of 
5Mbps to a single client no matter which interface he uses to exit? 
Something like a combined queue... not 5Mbps per interface.


I was thinking about creating loopback interface for each client and 
put queues and redirect all traffic through it.

Is there a point doing this?
Currently it is single router setup.

I hope I made it somehow clear. If you need additional info just let 
me know.


Thanks for your time,
Ivo


This is how we do it:
* all external links go over ONE physical interface, and each BGP 
session to each provider is on a different VLAN, but on the very same 
physical interface
* as ALTQ works on physical interfaces, not vlans, we assign the queues 
on the physical interface that all VLANs to our carriers are configured on

* all VLANs are assigned to group uplinks (or whatever you choose)
* traffic is fed into queues from pf with rules like these: pass out on 
$ext_group_name from $client_ip to any queue $client_queue_out, where 
$ext_group_name is uplinks or whatever you've chosen, and 
$client_queue_out is a queue configured with altq on the physical interface

* voila, it works!

You should, though, keep in mind that states are kept on the 
establishment of the connection (flags S/SA), so you effectively need 4 
rules (yes, four) to match all of the clients' inbound/outbound traffic. 
Something like this:

pass in on $ext_group_name from any to $client_ip queue $client_queue_out
pass out on $ext_group_name from $client_ip to any queue $client_queue_out
pass in on $int_if from $client_ip to any queue $client_queue_in
pass out on $int_if from any to $client_ip queue $client_queue_in

That's because each state can shape effectively only one direction of 
the connection, thus we need states created on both interfaces.


If you need further help, don't hesitate to contact me.

Regards,
Doichin
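
The setup described above, as an added pf.conf fragment that is not from the original post: the ALTQ queues sit on the physical uplink interface, the carrier VLANs are members of the interface group uplinks, and the four rules create state on both interfaces. Interface names, the client address and the bandwidths are assumed values.

```pf
# Added example, not from the post. Assumed names and constructed values:
#   em0      physical interface carrying every carrier VLAN
#   vlan10.. one vlan(4) per BGP session, each put in the group with
#            "ifconfig vlanN group uplinks"
#   em1      interface towards the clients
#   10.0.0.5 a constructed client address
ext_phys  = "em0"
ext_group = "uplinks"
int_if    = "em1"
client_ip = "10.0.0.5"

# ALTQ attaches to the physical interface, not to the vlan(4) pseudo
# interfaces, so one queue tree on em0 covers all four transit links and
# the client is capped at 5Mb in total, not 5Mb per uplink.
altq on $ext_phys hfsc bandwidth 1Gb queue { std_out, client_a_out }
queue std_out bandwidth 90% hfsc(default)
queue client_a_out bandwidth 5Mb hfsc(upperlimit 5Mb)

altq on $int_if hfsc bandwidth 1Gb queue { std_in, client_a_in }
queue std_in bandwidth 90% hfsc(default)
queue client_a_in bandwidth 5Mb hfsc(upperlimit 5Mb)

# Four rules per client: a state only shapes the direction leaving the
# interface it was created on, so each interface needs its own state.
pass in  on $ext_group from any to $client_ip queue client_a_out
pass out on $ext_group from $client_ip to any queue client_a_out
pass in  on $int_if from $client_ip to any queue client_a_in
pass out on $int_if from any to $client_ip queue client_a_in
```

Check the syntax without loading it with pfctl -nf /etc/pf.conf before replacing a live ruleset.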



Re: Ideas about bidirectional traffic shaping

2007-11-20 Thread NetOne - Doichin Dokov

Stuart Henderson wrote:

On 2007/11/20 18:30, NetOne - Doichin Dokov wrote:
  

pass in on $ext_group_name from any to $client_ip queue $client_queue_out
pass out on $ext_group_name from $client_ip to any queue $client_queue_out
pass in on $int_if from $client_ip to any queue $client_queue_in
pass out on $int_if from any to $client_ip queue $client_queue_in



queues on different interface can have the same name; this simplifies
your ruleset considerably.

  
Dunno if they can, but - if they do - I don't see how it would help in 
this case. Maybe I'm just dumb, would appreciate it if you shed some 
light on this.


Regards,
Doichin



Re: PF/ALTQ problem : using max states limits breaks queueing

2007-11-07 Thread NetOne - Doichin Dokov

Henning Brauer wrote:

* NetOne - Doichin Dokov [EMAIL PROTECTED] [2007-11-07 01:57]:
  

Hello,

I have an OpenBSD 4.2 box set up to shape clients' traffic. Each client gets 
limited by these 4 rules:


pass in on $int_if from $client_ip to any queue client_in
pass out on $int_if from any to $client_ip queue client_out
pass in on $ext_if from any to $client_ip queue client_out
pass out on $ext_if from $client_ip to any queue client_in

Everything works fine. I now want to limit the max states created by each 
client in each direction to 300, so I modified the rules to be:


pass in on $int_if from $client_ip to any (max 300) queue client_in



when a packet matches this rule, but there are already 300 states from 
this rule, the result is a non-match. you need to decide what to do 
with excess states and put rules in. it could be sth like


block from $a to $b
pass  from $a to $b keep state (max 300)

to block 'em.

  

Yup, I guessed I was wrong with something :) Thank you very much for the
clarification. I'll test and report back later. I guess if it is this
way, though, the documentation needs to be fixed.
That's what the FAQ says here:
http://www.openbsd.org/faq/pf/filter.html#stateopts

max /number/
   Limit the maximum number of state entries the rule can create to
   /number/. If the maximum is reached, packets that would normally
   create state are *dropped* until the number of existing states
   decreases.

Regards,
Doichin

P.S. Henning Brauer: I first submitted this message directly to you 
instead of misc@, please excuse me for getting this twice.




Re: PF/ALTQ problem : using max states limits breaks queueing

2007-11-07 Thread NetOne - Doichin Dokov

NetOne - Doichin Dokov wrote:

Henning Brauer wrote:

* NetOne - Doichin Dokov [EMAIL PROTECTED] [2007-11-07 01:57]:
 

Hello,

I have an OpenBSD 4.2 box set up to shape clients' traffic. Each 
client gets limited by these 4 rules:


pass in on $int_if from $client_ip to any queue client_in
pass out on $int_if from any to $client_ip queue client_out
pass in on $ext_if from any to $client_ip queue client_out
pass out on $ext_if from $client_ip to any queue client_in

Everything works fine. I now want to limit the max states created by 
each client in each direction to 300, so I modified the rules to be:


pass in on $int_if from $client_ip to any (max 300) queue client_in



when a packet matches this rule, but there are already 300 states 
from this rule, the result is a non-match. you need to decide what to 
do with excess states and put rules in. it could be sth like


block from $a to $b
pass  from $a to $b keep state (max 300)

to block 'em.

  

Yup, I guessed I was wrong with something :) Thank you very much for the
clarification. I'll test and report back later. I guess if it is this
way, though, the documentation needs to be fixed.
That's what the FAQ says here:
http://www.openbsd.org/faq/pf/filter.html#stateopts

max /number/
   Limit the maximum number of state entries the rule can create to
   /number/. If the maximum is reached, packets that would normally
   create state are *dropped* until the number of existing states
   decreases.

Regards,
Doichin

P.S. Henning Brauer: I first submitted this message directly to you 
instead of misc@, please excuse me for getting this twice.


Because I have no explicit block for traffic on top of the ruleset 
(because this machine is merely used for routing & shaping only), doing 
this achieves what I want:

 block on $if from $a to $b flags any
 pass on $if from $a to $b keep state (max 300) queue $queue

Though, I still see some unexpected behavior, e.g. doing this after 
loading the ruleset:

 echo set limit states 10 | pfctl -mf -
seems to again make the traffic not limited (dunno why), but pfctl -F 
all -f /etc/pf.conf fixed it.
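
Henning's explanation and the block/pass pair from the reply above, as an added pf.conf fragment that is not from the thread: once the rule has 300 states, a packet that would need a new one no longer matches the pass rule, so a block rule placed before it decides what happens to the excess. The interface, client address and queue name are assumed values.

```pf
# Added example, not from the thread. Assumed names and constructed values:
#   em1         client-side interface
#   10.0.0.5    a constructed client address
#   client_a_in an ALTQ queue already defined on em1
int_if    = "em1"
client_ip = "10.0.0.5"

# pf evaluates rules last-match-wins. With "max 300" the pass rule stops
# matching once its 300 states exist; without an earlier block the
# overflow would fall through to the default pass and leave the client's
# extra connections unshaped, which is what the original ruleset saw.
block on $int_if from $client_ip to any flags any
pass  on $int_if from $client_ip to any flags S/SA keep state (max 300) queue client_a_in

# The same pair is needed per interface and direction, as with the
# four shaping rules, so the cap applies to each direction separately.
```

Verify the effect with pfctl -ss (count the states for the client) rather than trusting the rule count alone.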




Re: avail mem is only 66% of real mem

2007-11-05 Thread NetOne - Doichin Dokov

Wade, Daniel wrote:

Any guess as to why I'm losing about 33% of my RAM?
When you are only working with 32MB to start with every little bit counts.
Thanks
  
snip
  
Maybe you have an onboard video, which uses RAM for video RAM? Look at 
the BIOS settings.




Re: carp ip loadbalancing bug ?

2007-10-31 Thread NetOne - Doichin Dokov

holger glaess wrote:

hi

i did the carp ip loadbalancing setup as described at the man page.


is there a known issue? maybe carp ip loadbalancing has problems with 
/22 networks?

  
CARP loadbalancing by IP requires that your switch sends traffic to the 
common CARP IP to BOTH of your machines, otherwise it's not gonna work 
as assumed. ARP loadbalancing does not require this, but there's no 
other way to achieve this when you want to use IP loadbalancing.