Re: How to analyse excessive PF states?
On Sat, 22 Oct 2016 18:12:37 +0200, Federico Giannici wrote:

> We have a firewall with OpenBSD 6.0 amd64 that handles about 1.5 Gbps
> of traffic.
>
> I noticed that for a few weeks the number of states has increased
> from around 250.000 to almost 2 million (no change in PF config)!
>
> At the same time the firewall started losing a few packets (around
> 1-2%, with peaks of 4%). Maybe this is due to too many states to
> handle?

Hard to tell for the number of states, but you have some PF congestion, which is bad. Did you try to raise the sysctl net.inet.ip.ifq.maxlen? In my previous setup that helped a bit against congestion (net.inet.ip.ifq.maxlen=2048).

Regards,
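A way to put numbers on the PF congestion and state-table pressure discussed in this thread, as an added example rather than code from the posts: the script below parses two `pfctl -si` snapshots and the `pfctl -sm` limits, computes the rate at which pf dropped packets with the "congestion" reason against the matched-packet rate, and reports how full the state table is against its hard limit. The snapshots are constructed to resemble the case described (not captured from the poster's firewall), and the sysctl names it points at are the net.inet.ip.ifq ones the reply mentions.

```python
"""Spot PF congestion drops and state-table pressure from two pfctl snapshots.

Added example for the thread above; it is not code from the original post.
It parses the plain-text output of `pfctl -si` and `pfctl -sm` on OpenBSD.
The snapshots below are constructed (not captured from the poster's box) and
trimmed to the lines this script uses; the numbers mimic the case described
(state table near 2M entries, a few percent of packets lost).
"""
import re

# Constructed `pfctl -sm` output. Only the states hard limit is used.
PFCTL_SM = """\
states        hard limit  2000000
src-nodes     hard limit    10000
frags         hard limit     1024
tables        hard limit     1000
table-entries hard limit   200000
"""

# Constructed `pfctl -si` snapshots taken 60 seconds apart (trimmed).
PFCTL_SI_T0 = """\
Status: Enabled for 0 days 00:10:00           Debug: err

State Table                          Total             Rate
  current entries                  1960123
  searches                      1234567890     2057613.1/s
Counters
  match                          123456789      205761.3/s
  memory                                 0            0.0/s
  congestion                        312000          520.0/s
  state-limit                            0            0.0/s
"""

PFCTL_SI_T1 = """\
Status: Enabled for 0 days 00:11:00           Debug: err

State Table                          Total             Rate
  current entries                  1990321
  searches                      1357890123     2057409.2/s
Counters
  match                          135456789      205237.6/s
  memory                                 0            0.0/s
  congestion                        552000          836.4/s
  state-limit                            0            0.0/s
"""

COUNTER_LINE = re.compile(r"^\s+([a-z][a-z-]*(?: [a-z]+)?)\s+(\d+)(?:\s+[\d.]+/s)?\s*$")
LIMIT_LINE = re.compile(r"^([a-z-]+)\s+hard limit\s+(\d+)")


def parse_pfctl_si(text):
    """Map each 'name  total [rate/s]' line of `pfctl -si` to its running total."""
    totals = {}
    for line in text.splitlines():
        m = COUNTER_LINE.match(line)
        if m:
            totals[m.group(1)] = int(m.group(2))
    return totals


def parse_pfctl_sm(text):
    """Map each memory pool of `pfctl -sm` to its hard limit."""
    return {m.group(1): int(m.group(2))
            for m in map(LIMIT_LINE.match, text.splitlines()) if m}


def assess(si_before, si_after, interval_s, limits):
    """Compare two `pfctl -si` snapshots taken interval_s seconds apart.

    'congestion' counts packets pf dropped with reason "congestion", i.e.
    while the IP input queue was flagged congested: the case the reply's
    net.inet.ip.ifq.maxlen suggestion addresses.  'state-limit' or 'memory'
    rising instead would point at the state table itself.
    """
    a, b = parse_pfctl_si(si_before), parse_pfctl_si(si_after)
    congestion_rate = (b["congestion"] - a["congestion"]) / interval_s
    match_rate = (b["match"] - a["match"]) / interval_s
    report = {
        "congestion_per_s": congestion_rate,
        # fraction of matched packets lost to congestion over the interval
        "drop_ratio": congestion_rate / match_rate if match_rate else 0.0,
        "state_fill": b["current entries"] / limits["states"],
        "state_limit_hits": b["state-limit"] - a["state-limit"],
        "memory_failures": b["memory"] - a["memory"],
    }
    findings = []
    if report["congestion_per_s"] > 0:
        findings.append("pf drops packets for input-queue congestion: "
                        f"{congestion_rate:.0f}/s, {100 * report['drop_ratio']:.2f}% of matched "
                        "traffic; check net.inet.ip.ifq.maxlen / net.inet.ip.ifq.drops")
    if report["state_fill"] > 0.9:
        findings.append(f"state table at {100 * report['state_fill']:.1f}% of the hard limit "
                        f"({limits['states']}); raise 'set limit states' or shorten timeouts")
    if report["state_limit_hits"] or report["memory_failures"]:
        findings.append("state creation is failing (state-limit/memory counters rising)")
    report["findings"] = findings
    return report


if __name__ == "__main__":
    for line in assess(PFCTL_SI_T0, PFCTL_SI_T1, 60, parse_pfctl_sm(PFCTL_SM))["findings"]:
        print(line)
```

On a live box, capture `pfctl -si` twice a minute apart and hand the two texts to assess(). A congestion counter that rises while state-limit and memory stay flat points at the input queue rather than at the state table, which is why raising net.inet.ip.ifq.maxlen is worth trying before touching state limits.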
Re: pf, bridge and vether: interface with no group
On Tue, 16 Feb 2016 13:05:51 +0100, Clemens Goessnitzer wrote:

OK, I think the pf.conf rule

### rules for internal network ###
pass inet proto { tcp, udp } from internal:network to port $udp_services

is expanded to

pass inet proto udp from 10.0.0.0/24 to any port = 22
pass inet proto udp from 10.0.0.0/24 to any port = 53
pass inet proto udp from 10.0.0.0/24 to any port = 123
pass inet proto udp from 10.0.0.0/24 to any port = 67
pass inet proto udp from 10.0.0.0/24 to any port = 68

For DHCP, the source IP is 0.0.0.0, so this does not match. If re1 is a member of the group internal, how is this rule expanded? (Maybe there is something with "if:network" when the interface does not have an IP address and a network.)

Regards,
Re: pf, bridge and vether: interface with no group
On Tue, 16 Feb 2016 00:10:41 +0100, Clemens Goessnitzer wrote:

> Hello misc,

Hi

...

> So, if I specify a group for re1, everything is working as expected.
> However, if re1 is not a member of any group, DHCP requests are blocked
> by pf, as tcpdump shows. Is this intended behaviour? Or have I done
> something wrong in my ruleset?

Hmmm, maybe the output of the ruleset loaded by pf will help.

# pfctl -sr

Regards
Re: Firewall cluster.
On Wed, 09 Jul 2014 20:33:47 +0200, Mxher o...@mxher.fr wrote:

Hello,

> I'm doing a few more tests and now I'm wondering if this is possible to
> disallow CARP to have some resources on serverA and others on serverB?

You can use ifstated to implement your own logic.

I have a pair of firewalls: the first is the normal master, the second is the backup. If a problem occurs on the first, carp allows the second to become master. But then ifstated running on the first firewall disables carp, to prevent it from becoming master again (even if a problem occurs on the second). To make the first master again, someone must check the situation by hand and enable carp on it. This is because the failover depends on some BGP sessions here.

Regards,
Re: unlink utility
On Wed, 26 Mar 2014 12:19:25 +0100, Dmitrij D. Czarkoff czark...@gmail.com wrote:

Hello,

> For some reason POSIX X/Open Systems Interfaces option requires 'unlink'
> utility to be present in operating system. Sure, it does nothing that
> 'rm' doesn't already do, but given that 'unlink' is already used in some
> scripts, I wonder if it would be beneficial for OpenBSD to include such
> utility. FWIW a simple implementation follows.

On FreeBSD /bin/unlink is a link to /bin/rm:

	/*
	 * Test for the special case where the utility is called as
	 * "unlink", for which the functionality provided is greatly
	 * simplified.
	 */
	if ((p = strrchr(argv[0], '/')) == NULL)
		p = argv[0];
	else
		++p;
	if (strcmp(p, "unlink") == 0) {
		while (getopt(argc, argv, "") != -1)
			usage();
		argc -= optind;
		argv += optind;
		if (argc != 1)
			usage();
		rm_file(argv[0]);
		exit(eval);
	}

> 	} else if (unlink(*(argv+1))) {

Hmm, the code in rm does more than a simple unlink(2).

Regards,
Re: Snmpd question
On Wed, 12 Feb 2014 11:25:58 -0600, Bales, Tracy tracy.ba...@williams.com wrote:

Hello,

> Is it possible to have a shell script modify the contents of a user
> defined OID that is setup in snmpd.conf? I would like to have a cron
> event run a shell script and that script modify the OID values so that
> a remote SNMP server can monitor the changes using SNMP gets and mgets.
> I do not want to use SNMP traps. Thanks for any feedback!

I don't know if snmpd can do this; I use net-snmpd (in ports) to pass user OID values.

Regards,
Re: OpenBSD as a router on Oracle T5120
On Mon, 20 Jan 2014 18:59:02 -0200, Eduardo Meyer dudu.me...@gmail.com wrote:

hello,

> I am doing some basic testings on the above mentioned scenario and I am
> stuck on some limits which I consider to be very low: I cannot get more
> than 27Kpps and 200Mbit/s routing performance without starting to lose
> packets.

...

> All 6 network cards are Intel 82571EB which support MSI-X and should, in
> theory support IRQ balance.

MSI are disabled on this chipset since OpenBSD 5.2... You can try to re-enable MSI in em(4); here this helps a lot (on amd64). Check the thread "(5.3) load problem on em(4) MSI / interrupt ?" on misc@:
https://www.mail-archive.com/misc@openbsd.org/msg123743.html

Regards,

patch on 5.3:

--- /usr/src/sys/dev/pci/if_em.c.orig Tue Oct 1 14:45:36 2013 +++ /usr/src/sys/dev/pci/if_em.cTue Oct 1 14:48:52 2013 @@ -337,7 +337,7 @@ * Only use MSI on the newer PCIe parts, with the exception * of 82571/82572 due to Byte Enables 2 and 3 Are Not Set errata */ - if (sc-hw.mac_type = em_82572) + if (sc-hw.mac_type em_82571) sc-osdep.em_pa.pa_flags = ~PCI_FLAGS_MSI_ENABLED; /* Parameters (to be read from user) */
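Review bot: the condition in this hunk stops masking MSI off for the 82571/82572 parts, but the comment kept in the context lines right above it still reads "with the exception of 82571/82572 due to Byte Enables 2 and 3 Are Not Set errata", so after the patch the comment contradicts the code; either reword it to say the erratum is being knowingly accepted on this box, or remove it. The comparison operators in the `-` and `+` lines have not survived extraction on this page (`= em_82572`, ` em_82571`), so the exact new test cannot be verified here and should be taken from the misc@ archive linked above before anyone applies it. Given Stuart Henderson's reply later on this page that the erratum makes affected cards stop transmitting entirely, this belongs as a local patch applied only to hardware that has been tested, not as a general change.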
Re: (5.3) load problem on em(4) MSI / interrupt ?
On Tue, 1 Oct 2013 08:37:09 +0000 (UTC), Stuart Henderson s...@spacehopper.org wrote:

Hello,

> On 2013-10-01, Patrick Lamaiziere patf...@davenulle.org wrote:
>> Hello,
>>
>> With OpenBSD 5.3, our firewall does not handle our network load well.
>> We lose around 5% of packets and netstat shows a lot of Ierr. That
>> worked much better with 5.1.
>>
>> There was a change to not enable MSI on the 82572 chipset of our Intel
>> card (Intel PRO/1000 QP (82571EB) rev 0x06) in 5.2:
>> http://freshbsd.org/commit/openbsd/a47ca448720823019bc6c618bf178a47fd1af73a
>>
>> My question is: could it be the cause of our load problem?
>>
>> 5.1:
>> em0 at pci5 dev 0 function 0 Intel PRO/1000 QP (82571EB) rev 0x06: msi, address 00:15:17:ed:98:9d
>> em1 at pci5 dev 0 function 1 Intel PRO/1000 QP (82571EB) rev 0x06: msi, address 00:15:17:ed:98:9c
>> em2 at pci6 dev 0 function 0 Intel PRO/1000 QP (82571EB) rev 0x06: msi, address 00:15:17:ed:98:9f
>> em3 at pci6 dev 0 function 1 Intel PRO/1000 QP (82571EB) rev 0x06: msi, address 00:15:17:ed:98:9e
>>
>> 5.3 (on another box with the same hardware):
>> em0 at pci5 dev 0 function 0 Intel PRO/1000 QP (82571EB) rev 0x06: apic 1 int 13, address 00:15:17:ed:98:65
>> em1 at pci5 dev 0 function 1 Intel PRO/1000 QP (82571EB) rev 0x06: apic 1 int 6, address 00:15:17:ed:98:64
>> em2 at pci6 dev 0 function 0 Intel PRO/1000 QP (82571EB) rev 0x06: apic 1 int 15, address 00:15:17:ed:98:67
>> em3 at pci6 dev 0 function 1 Intel PRO/1000 QP (82571EB) rev 0x06: apic 1 int 13, address 00:15:17:ed:98:66
>>
>> We don't have any problem with this card, how can we re-enable MSI
>> (without reverting this change)?
>
> Simplest way to test is to just revert that change in your source
> tree.. That will identify whether this issue is due to disabling MSI,
> or whether it's due to one of the many other changes between 5.1 and
> 5.3..

Sure... Well, sorry for the delay, I was able to test with MSI enabled only last week.

On OpenBSD 5.3 with MSI enabled we don't lose too many packets and the firewalls perform like they did on OpenBSD 5.1.

Is it possible to re-enable MSI on this type of network card? Our firewalls don't handle the load at all without MSI.

pcidump -v of the card:

 6:0:0: Intel PRO/1000 QP (82571EB)
	0x0000: Vendor ID: 8086 Product ID: 10a5
	0x0004: Command: 0007 Status ID: 0010
	0x0008: Class: 02 Subclass: 00 Interface: 00 Revision: 06
	0x000c: BIST: 00 Header Type: 80 Latency Timer: 00 Cache Line Size: 10
	0x0010: BAR mem 32bit addr: 0xd628/0x0002
	0x0014: BAR mem 32bit addr: 0xd62a/0x0002
	0x0018: BAR io addr: 0xecc0/0x0020
	0x001c: BAR empty ()
	0x0020: BAR empty ()
	0x0024: BAR empty ()
	0x0028: Cardbus CIS:
	0x002c: Subsystem Vendor ID: 8086 Product ID: 10a5
	0x0030: Expansion ROM Base Address: d620
	0x0038:
	0x003c: Interrupt Pin: 02 Line: 0e Min Gnt: 00 Max Lat: 00
	0x00c8: Capability 0x01: Power Management
	0x00d0: Capability 0x05: Message Signaled Interrupts (MSI)
	0x00e0: Capability 0x10: PCI Express
		Link Speed: 2.5 / 2.5 GT/s Link Width: x4 / x4
 6:0:1: Intel PRO/1000 QP (82571EB)
	0x0000: Vendor ID: 8086 Product ID: 10a5
	0x0004: Command: 0007 Status ID: 0010
	0x0008: Class: 02 Subclass: 00 Interface: 00 Revision: 06
	0x000c: BIST: 00 Header Type: 80 Latency Timer: 00 Cache Line Size: 10
	0x0010: BAR mem 32bit addr: 0xd62c/0x0002
	0x0014: BAR mem 32bit addr: 0xd62e/0x0002
	0x0018: BAR io addr: 0xece0/0x0020
	0x001c: BAR empty ()
	0x0020: BAR empty ()
	0x0024: BAR empty ()
	0x0028: Cardbus CIS:
	0x002c: Subsystem Vendor ID: 8086 Product ID: 10a5
	0x0030: Expansion ROM Base Address: d620
	0x0038:
	0x003c: Interrupt Pin: 01 Line: 0f Min Gnt: 00 Max Lat: 00
	0x00c8: Capability 0x01: Power Management
	0x00d0: Capability 0x05: Message Signaled Interrupts (MSI)
	0x00e0: Capability 0x10: PCI Express
		Link Speed: 2.5 / 2.5 GT/s Link Width: x4 / x4
 7:0:0: Intel PRO/1000 QP (82571EB)
	0x0000: Vendor ID: 8086 Product ID: 10a5
	0x0004: Command: 0007 Status ID: 0010
	0x0008: Class: 02 Subclass: 00 Interface: 00 Revision: 06
	0x000c: BIST: 00 Header Type: 80 Latency Timer: 00 Cache Line Size: 10
	0x0010: BAR mem 32bit addr: 0xd618/0x0002
	0x0014: BAR mem 32bit addr: 0xd61a/0x0002
	0x0018: BAR io addr: 0xdcc0/0x0020
	0x001c: BAR empty ()
	0x0020: BAR empty ()
	0x0024: BAR empty ()
	0x0028: Cardbus CIS:
	0x002c: Subsystem Vendor ID: 8086 Product ID: 10a5
	0x0030: Expansion ROM Base Address: d610
	0x0038:
	0x003c: Interrupt Pin: 02 Line: 0b Min Gnt: 00 Max
Re: (5.3) load problem on em(4) MSI / interrupt ?
On Mon, 09 Dec 2013 12:31:04 +0000, Stuart Henderson s...@spacehopper.org wrote:

Hello,

> I don't think msi can be re-enabled for this part in OpenBSD, the reason
> it's disabled is that there is a bug in the 82571/2 chips (errata 63 in
> http://www.intel.co.uk/content/dam/www/public/us/en/documents/specification-updates/82571eb-82572ei-gbe-controller-spec-update.pdf)
> and the symptom in affected machines is that the card doesn't transmit
> at all, so unless someone else has a clever idea I think this will need
> to remain a local patch.

I agree. I've read the bug report (http://openbsd.7691.n7.nabble.com/Intel-PRO-1000-PF-em-network-card-not-working-with-MSI-on-Dell-R610-td195975.html) and we use a later BIOS on our R610; maybe it fixes this issue:

bios0: vendor Dell Inc. version 2.1.15 date 09/02/2010
bios0: Dell Inc. PowerEdge R610

(the number of errata for this card is incredible!)

Thanks, regards.
Re: OpenBSD and NetFlow
On Tue, 03 Dec 2013 17:05:59 +0100, Alexis VACHETTE avache...@sisteer.com wrote:

> Hi everyone,

Hello,

> I would like to share an issue with one of my OpenBSD Firewalls which is
> present in my company. Everything was working fine until a server crash
> this last week-end. We have setup the netflow protocol with the pseudo
> device pflow0.

If I understand well, you see the outgoing netflow packets on pflow0 but not on the physical interface with tcpdump?

I've tried on OpenBSD 5.1; tcpdump shows the netflow packets on both interfaces.

Regards.
(5.3) load problem on em(4) MSI / interrupt ?
Hello,

With OpenBSD 5.3, our firewall does not handle our network load well. We lose around 5% of packets and netstat shows a lot of Ierr. That worked much better with 5.1.

There was a change to not enable MSI on the 82572 chipset of our Intel card (Intel PRO/1000 QP (82571EB) rev 0x06) in 5.2:
http://freshbsd.org/commit/openbsd/a47ca448720823019bc6c618bf178a47fd1af73a

My question is: could it be the cause of our load problem?

5.1:
em0 at pci5 dev 0 function 0 Intel PRO/1000 QP (82571EB) rev 0x06: msi, address 00:15:17:ed:98:9d
em1 at pci5 dev 0 function 1 Intel PRO/1000 QP (82571EB) rev 0x06: msi, address 00:15:17:ed:98:9c
em2 at pci6 dev 0 function 0 Intel PRO/1000 QP (82571EB) rev 0x06: msi, address 00:15:17:ed:98:9f
em3 at pci6 dev 0 function 1 Intel PRO/1000 QP (82571EB) rev 0x06: msi, address 00:15:17:ed:98:9e

5.3 (on another box with the same hardware):
em0 at pci5 dev 0 function 0 Intel PRO/1000 QP (82571EB) rev 0x06: apic 1 int 13, address 00:15:17:ed:98:65
em1 at pci5 dev 0 function 1 Intel PRO/1000 QP (82571EB) rev 0x06: apic 1 int 6, address 00:15:17:ed:98:64
em2 at pci6 dev 0 function 0 Intel PRO/1000 QP (82571EB) rev 0x06: apic 1 int 15, address 00:15:17:ed:98:67
em3 at pci6 dev 0 function 1 Intel PRO/1000 QP (82571EB) rev 0x06: apic 1 int 13, address 00:15:17:ed:98:66

We don't have any problem with this card, how can we re-enable MSI (without reverting this change)?

Thanks, regards.
carp demote count in 5.3 (change since 5.1)
Hello,

I'm upgrading our firewalls to OpenBSD 5.3 (with errata) from 5.1.

As far as I can see now, the firewall (without any problem) starts with a carp demote count = 33. On 5.1 the demote count was 0.

It looks like the 33 comes with a pfsync bulk start:

Jul 29 13:51:01 ucop2 /bsd: carp: pfsync0 demoted group pfsync by 1 to 33 (pfsync bulk start)

Questions:
- is it the intended behavior?
- how to fix this?
- why 33 instead of 42?

While I'm here, it would be nice to be able to set the demote counter to an absolute value; we use it to demote the master if BGP fails.

Thanks. Regards

carp log on 5.1
Jul 29 14:04:44 ucop2 /bsd: carp1: state transition: BACKUP -> INIT
Jul 29 14:04:44 ucop2 /bsd: carp16: state transition: BACKUP -> INIT
Jul 29 14:04:44 ucop2 /bsd: carp2: state transition: BACKUP -> INIT
Jul 29 14:04:44 ucop2 /bsd: carp26: state transition: BACKUP -> INIT
Jul 29 14:04:44 ucop2 /bsd: carp3: state transition: BACKUP -> INIT
Jul 29 14:04:44 ucop2 /bsd: carp4: state transition: BACKUP -> INIT
Jul 29 14:04:44 ucop2 /bsd: carp5: state transition: BACKUP -> INIT
Jul 29 14:21:49 ucop2 /bsd: carp1: state transition: INIT -> BACKUP
Jul 29 14:21:49 ucop2 /bsd: carp16: state transition: INIT -> BACKUP
Jul 29 14:21:49 ucop2 /bsd: carp2: state transition: INIT -> BACKUP
Jul 29 14:21:49 ucop2 /bsd: carp26: state transition: INIT -> BACKUP
Jul 29 14:21:49 ucop2 /bsd: carp26: state transition: BACKUP -> INIT
Jul 29 14:21:49 ucop2 /bsd: carp26: state transition: INIT -> BACKUP
Jul 29 14:21:49 ucop2 /bsd: carp: carp3 demoted group carp by 1 to 129 (carpdev)
Jul 29 14:21:49 ucop2 /bsd: carp: carp4 demoted group carp by 1 to 130 (carpdev)
Jul 29 14:21:49 ucop2 /bsd: carp: carp5 demoted group carp by 1 to 131 (carpdev)
Jul 29 14:21:49 ucop2 /bsd: carp: pfsync0 demoted group carp by 1 to 132 (pfsync bulk start)
Jul 29 14:21:49 ucop2 /bsd: carp: pfsync0 demoted group pfsync by 1 to 1 (pfsync bulk start)
Jul 29 14:21:49 ucop2 /bsd: carp3: state transition: INIT -> BACKUP
Jul 29 14:21:49 ucop2 /bsd: carp: carp3 demoted group carp by -1 to 131 (carpdev)
Jul 29 14:21:49 ucop2 /bsd: carp4: state transition: INIT -> BACKUP
Jul 29 14:21:49 ucop2 /bsd: carp: carp4 demoted group carp by -1 to 130 (carpdev)
Jul 29 14:21:49 ucop2 /bsd: carp5: state transition: INIT -> BACKUP
Jul 29 14:21:49 ucop2 /bsd: carp: carp5 demoted group carp by -1 to 129 (carpdev)
Jul 29 14:21:49 ucop2 /bsd: carp: pfsync0 demoted group carp by -1 to 128 (pfsyncdev)
Jul 29 14:21:49 ucop2 /bsd: carp: pfsync0 demoted group pfsync by -1 to 0 (pfsyncdev)
carp demote = 0

carp log on 5.3
Jul 29 13:51:01 ucop2 /bsd: carp1: state transition: INIT -> BACKUP
Jul 29 13:51:01 ucop2 /bsd: carp16: state transition: INIT -> BACKUP
Jul 29 13:51:01 ucop2 /bsd: carp2: state transition: INIT -> BACKUP
Jul 29 13:51:01 ucop2 /bsd: carp26: state transition: INIT -> BACKUP
Jul 29 13:51:01 ucop2 /bsd: carp26: state transition: BACKUP -> INIT
Jul 29 13:51:01 ucop2 /bsd: carp26: state transition: INIT -> BACKUP
Jul 29 13:51:01 ucop2 /bsd: carp: carp3 demoted group carp by 1 to 129 (carpdev)
Jul 29 13:51:01 ucop2 /bsd: carp: carp4 demoted group carp by 1 to 130 (carpdev)
Jul 29 13:51:01 ucop2 /bsd: carp: carp5 demoted group carp by 1 to 131 (carpdev)
Jul 29 13:51:01 ucop2 /bsd: carp: pfsync0 demoted group carp by 32 to 163 (pfsync init)
Jul 29 13:51:01 ucop2 /bsd: carp: pfsync0 demoted group pfsync by 32 to 32 (pfsync init)
Jul 29 13:51:01 ucop2 /bsd: carp: pfsync0 demoted group carp by 1 to 164 (pfsync bulk start)
Jul 29 13:51:01 ucop2 /bsd: carp: pfsync0 demoted group pfsync by 1 to 33 (pfsync bulk start)
Jul 29 13:51:01 ucop2 /bsd: carp3: state transition: INIT -> BACKUP
Jul 29 13:51:01 ucop2 /bsd: carp: carp3 demoted group carp by -1 to 163 (carpdev)
Jul 29 13:51:01 ucop2 /bsd: carp4: state transition: INIT -> BACKUP
Jul 29 13:51:01 ucop2 /bsd: carp: carp4 demoted group carp by -1 to 162 (carpdev)
Jul 29 13:51:01 ucop2 /bsd: carp5: state transition: INIT -> BACKUP
Jul 29 13:51:01 ucop2 /bsd: carp: carp5 demoted group carp by -1 to 161 (carpdev)
carp demote = 33
Re: Management of pf.conf
On Thu, 11 Jul 2013 13:18:13 +0200 (CEST), Jummo jum...@yahoo.de wrote:

> This works quite good for me and my firewalls with one exception, my big
> fat central router/firewall. This firewall has around 2000 lines of
> pf.conf, is attached with 12 VLAN interfaces and gets slowly
> unmanageable with this concept.
>
> How do you manage such big firewalls? Do you split the pf.conf into
> logical parts? Do you use a base structure for every pf.conf? Do you use
> a tool for automatic creation of pf.conf? How do you test your old rules
> after you changed something?

We have a large set of rules at work on several routers/firewalls and we use a tool, 'list firewall (lsfw)', to help manage the rule set. The goal is to display the rules applied between a source address and a destination, on several pieces of equipment doing routing and firewalling.

See: https://groupes.renater.fr/wiki/jtacl/index

It has some other features, IP cross references for example, which is cool to know where an address is used directly or indirectly (in a table/group), or to extract the addresses from the configurations and to automate tests on them.

That works fine at work (PF + Cisco + Checkpoint), but there are some limitations (see the doc...)

My next step is a tool to manage security policies. I mean, if someone asks to open a port, we should be able to track this policy (who, why, which rules are used) and to check it. This is work in (slow) progress. If someone already has such a tool please let me know :)

If you want more details ask me, this is a bit off topic here.

Regards.
Re: PF sync doesn't not work very well
On Wed, 03 Jul 2013 07:11:08 -0500, Mark Felder f...@feld.me wrote:

> On Wed, 03 Jul 2013 07:00:02 -0500, Loïc Blot loic.b...@unix-experience.fr wrote:
>> Hello,
>> no carp is used at this time.
>
> pfsync needs to be used with carp... without it you're just playing
> whack-a-mole with your session table.

I don't see why, as states are not attached to carp interfaces but to real interfaces (if-bound), or even by default to no interface at all?

Regards
Re: bad rule, or special filtering needed for bootp packets?
On Wed, 27 Mar 2013 19:28:08 -0700, David Ruggiero thatseattle...@gmail.com wrote:

> Thanks! No, it didn't occur to me, so very appreciated. I didn't
> remember that you could do that form of the table command to show
> explicit members in a list, so that's also really helpful.
>
> FWIW, though.. I would not have expected that pf would silently drop,
> without any warning message or complaint, an address explicitly stated
> as being a member of a constant table definition. Even that address.
> You're right that (at least in hindsight) 0.0.0.0/mask might be treated
> differently; maybe it uses it as a marker for an empty slot or the like?
> But regardless of that, I would (a) expect that fact to be documented
> (if it is, I missed it), and (b) expect that the pf parser would say
> something as it was throwing it away (at least a warning message about
> "unparseable address at line XX - ignored" or the like). For it to just
> drop it on the floor and say nothing at all seems, well, kind of
> non-pf-ish. Perhaps worth a documentation patch, if not an actual code
> patch.

Well, even if 0.0.0.0/32 is not included in the table, your table should match any address (at least 0.0.0.0/32), because !192.168.5.128/25 OR !192.168.10.128/25 OR !192.168.99.128/25 is always true.

int_net = 192.168.5.128/25
wls_net = 192.168.10.128/25
ptr_net = 192.168.99.128/25

table <unroutable_ips> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, !$int_net, !$wls_net, !$ptr_net, 169.254.0.0/16, 127.0.0.0/8, 192.0.2.0/24, 0.0.0.0/32, 240.0.0.0/4, 255.255.255.255/32 }

Am I wrong? Why does 0.0.0.0 not match this table? I would be happy to know the behavior, because my pfulator(*) does not work like PF for this.

Thanks, regards.

(*) https://groupes.renater.fr/wiki/jtacl/index
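pf looks an address up in a table by longest prefix, and an entry prefixed with "!" means the addresses it covers are not in the table (the behaviour pf.conf(5) documents for negated table entries), so the most specific entry decides and a negated /25 carves a hole out of a broader /16. The evaluator below is an added example, not code from this thread or from the pfulator, that implements that rule so the table above can be tested offline; it also covers the earlier "pf, bridge and vether" thread on this page, where a DHCP request from source 0.0.0.0 cannot satisfy a plain "from internal:network" check. The table is the poster's with the three macros expanded; the probe addresses are constructed.

```python
"""Evaluate a pf table with negated entries the way pf looks addresses up.

Added example for the table question above and for the DHCP rule earlier in
this page; it is not code from either post.  pf performs a longest-prefix
match in which an entry prefixed with '!' means the matching address is
*not* in the table, so the most specific entry decides and a negated /25
carves a hole out of a broader /16.  The table is the poster's, with the
three macros expanded; the addresses probed are constructed.
"""
import ipaddress

# The poster's table, macros expanded, as pf.conf would see it after parsing.
UNROUTABLE_IPS = [
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "!192.168.5.128/25",    # $int_net
    "!192.168.10.128/25",   # $wls_net
    "!192.168.99.128/25",   # $ptr_net
    "169.254.0.0/16", "127.0.0.0/8", "192.0.2.0/24",
    "0.0.0.0/32", "240.0.0.0/4", "255.255.255.255/32",
]


def parse_table(entries):
    """Turn pf.conf-style entries into (network, negated) pairs, longest prefix first."""
    table = []
    for entry in entries:
        negated = entry.startswith("!")
        table.append((ipaddress.ip_network(entry.lstrip("!"), strict=False), negated))
    return sorted(table, key=lambda t: t[0].prefixlen, reverse=True)


def table_match(table, addr):
    """True if the most specific entry covering addr exists and is not negated."""
    a = ipaddress.ip_address(addr)
    for net, negated in table:          # sorted longest prefix first
        if a.version == net.version and a in net:
            return not negated
    return False


def explain(table, addr):
    """Which entry decided the lookup, for rule debugging; None if nothing covers addr."""
    a = ipaddress.ip_address(addr)
    for net, negated in table:
        if a.version == net.version and a in net:
            return ("!" if negated else "") + str(net)
    return None


def matches_source_network(network, src):
    """The 'from <if>:network' case: a plain network check, which a DHCP DISCOVER sent from 0.0.0.0 fails."""
    return ipaddress.ip_address(src) in ipaddress.ip_network(network, strict=False)


if __name__ == "__main__":
    t = parse_table(UNROUTABLE_IPS)
    for probe in ("0.0.0.0", "192.168.5.130", "192.168.5.1", "192.168.20.1", "8.8.8.8"):
        verdict = "match" if table_match(t, probe) else "no match"
        print(f"{probe:16} {verdict:9} via {explain(t, probe)}")
    print("DHCP from 0.0.0.0 in 10.0.0.0/24:", matches_source_network("10.0.0.0/24", "0.0.0.0"))
```

To compare with the real thing on a box where the table is loaded, `pfctl -t unroutable_ips -T test 192.168.5.130` reports whether pf matches the address; the evaluator is only a model of the lookup rule and does not reproduce whatever pfctl did with the 0.0.0.0/32 entry at load time, which this thread leaves open.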
Re: Why to use packages?
On Sat, 16 Mar 2013 12:36:35 +0400, Alexander Nusov alexander.nu...@gmail.com wrote:

Hello,

> I'm trying to get why to use binary packages if they are not updated?

I don't see any reason to use packages either (IMHO).

> For example, this package confuses me: lighttpd
> ftp://ftp.openbsd.org/pub/OpenBSD/5.2/packages/amd64/
> lighttpd-1.4.31p0-ldap-mysql.tgz   339 kB   31.07.12 0:00:00
> lighttpd-1.4.31p0-ldap.tgz         335 kB   31.07.12 0:00:00
> lighttpd-1.4.31p0-mysql.tgz        337 kB   31.07.12 0:00:00
> lighttpd-1.4.31p0.tgz

It was updated in the stable ports tree (but there is no package available). You can build your own packages from it and deploy them.

Regards.
Re: carp + 5.1/5.2 woes
On Wed, 2 Jan 2013 13:39:25 +0100, Toni Mueller openbsd-m...@oeko.net wrote:

Hello,

> With this setup, carp1 will stay in BACKUP mode when I say
>
> ifconfig carp1 advskew 120
>
> on A, while on B, it would go into MASTER immediately.

Hmm, did you check the value of the carp demote counter?

# ifconfig -g carp

(just a guess, regards)
Re: [5.1] pflow(4) flow with starttime *after* endtime
On Fri, 27 Jul 2012 11:13:21 +0200, Hrvoje Popovski hrv...@srce.hr wrote:

> On 26.7.2012. 18:31, Patrick Lamaiziere wrote:
>> Hello,
>>
>> We have just noticed that pflow (v5) sometimes (but often) uses a
>> StartTime value which is later than the EndTime. So the duration is
>> interpreted as 4294966.29600 seconds. This confuses our collector (nfsen).

For the record, that should be fixed in current (r1.21).
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_pflow.c

Thanks, regards.
Re: OBSD51: using macros with reply-to
On Thu, 1 Nov 2012 13:28:18 -0200, Fernando Braga fermbr...@gmail.com wrote:

Hello,

> pass in on $int_if from <VoIP> to ! <redeOscar> route-to $cosmo@$int_if
>
> However, when I issue a pfctl -sr, I get
>
> pass in on trunk1 inet from <VoIP> to ! <redeOscar> flags S/SA route-to 172.16.99.249@$int_if
>
> Shouldn't this @$int_if be translated to trunk1?

I guess yes, or rejected.

> Is there another way to accomplish this?

I use route-to on 5.1 with something like

route-to ($int_if $cosmo)

Regards.
[PF 5.1] strange unreachable icmp reply from firewall
(openbsd 5.1/amd64)

Hello,

I filter icmp echoreq for one host, but on output. The rules are:

pass in quick on $ext_if inet proto icmp from any to any icmp-type echoreq keep state (floating)
block out quick on $int_if inet proto icmp from any to $host

When I ping this $host from outside, I sometimes see some unreachable icmp replies coming from the firewall (the block policy is the default: drop).

tcpdump on $ext_if

94.23.254.147 > 195.220.94.163: icmp: echo request
193.51.184.25 > 94.23.254.147: icmp: host 195.220.94.163 unreachable
94.23.254.147 > 195.220.94.163: icmp: echo request
94.23.254.147 > 195.220.94.163: icmp: echo request
94.23.254.147 > 195.220.94.163: icmp: echo request
...
193.51.184.25 > 94.23.254.147: icmp: host 195.220.94.163 unreachable

The good thing is that the echoreq packet is dropped, but I don't understand why the firewall sometimes replies with an icmp unreachable?

Thanks, regards.
Re: Ports security updates in 5.1 or 5.2
On Wed, 29 Aug 2012 09:59:46 +0200, Sebastien Marie semarie-open...@latrappe.fr wrote:

Hello,

> I currently follow STABLE branch for openbsd (and so, for ports too),
> which is OPENBSD_5_1. But, I saw that the last security updates for
> ports go to OPENBSD_5_2 and not to OPENBSD_5_1.

Any examples? The problem may not be present in 5.1.

> According to the FAQ (http://www.openbsd.org/faq/faq15.html#PortsSecurity),
> only the current and last release are updated. But the current release
> is OPENBSD_5_1 (see http://www.openbsd.org/).
>
> Should I expect security updates will arrive someday to OPENBSD_5_1?
> (but I doubt)

Yes you can expect it, see the commits on 5.1 ports:
http://www.freshbsd.org/search?project=openbsd-portsbranch=OPENBSD_5_1

Regards.
Re: Broken pfctl ..... ? I not understand my
On Thu, 26 Jul 2012 12:44:40 +0430, Bahador NazariFard bahador.nazarif...@gmail.com wrote:

>> block in quick on msk0 proto tcp *to* port ssh
>
> what's this? instead of above wrong statement, you can use
>
> block in quick on msk0 proto tcp from any to any port ssh

This is the same thing. The "from" is optional, and the address is also optional in the from/to. So

block in quick on msk0 proto tcp to port ssh

is valid and is expanded by pfctl to

block drop in quick proto tcp from any to any port = 22
[5.1] pflow(4) flow with starttime *after* endtime
Hello,

We have just noticed that pflow (v5) sometimes (but often) uses a StartTime value which is later than the EndTime. So the duration is interpreted as 4294966.29600 seconds. This confuses our collector (nfsen).

(wireshark)
pdu 19/30
  SrcAddr: 194.57.169.116 (194.57.169.116)
  DstAddr: 129.20.254.1 (129.20.254.1)
  NextHop: 0.0.0.0 (0.0.0.0)
  InputInt: 0
  OutputInt: 0
  Packets: 3
  Octets: 164
  [Duration: 4294966.29600 seconds]
  StartTime: 251367.0 seconds
  EndTime: 251366.0 seconds
  SrcPort: 55680
  DstPort: 53
  padding
  TCP Flags: 0x00
  Protocol: 6
  IP ToS: 0x00
  SrcAS: 0
  DstAS: 0
  SrcMask: 0 (prefix: 194.57.169.116/32)
  DstMask: 0 (prefix: 129.20.254.1/32)
  padding

Any clue?

Thanks, regards.
[4.9-5.1] smtpd does not work anymore without resolver?
Hello,

On 4.8 I was using smtpd to relay periodic mails. The box is a firewall and the resolver is not configured at all.

smtpd.conf:

# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

listen on lo0

map aliases { source db /etc/mail/aliases.db }

accept for local alias aliases deliver to mbox
# smtp
accept for all relay via 129.20.xxx.xxx

That worked fine on 4.8, but with 4.9 the box does not send any mail:

/var/log/maillog:
smtpd[4269]: 1317598201.5Tsv7GvPDRFc1Ozt: from=root@Y, size=6325, nrcpts=1, proto=ESMTP, relay=0@localhost [IPv6:::1]
smtpd[30344]: 1317598201.5Tsv7GvPDRFc1Ozt: to=logadmin@Y, delay=1, relay=(none) [], stat=LocalError (Unable to resolve DNS for domain)

This still does not work on 5.1...

Thanks, regards.
Re: [4.9-5.1] smtpd does not work anymore without resolver?
On Tue, 24 Jul 2012 15:50:30 +0200, Gilles Chehade gil...@poolp.org wrote:

Hello,

>> That worked fine on 4.8, but with 4.9 the box does not send any mail:
>>
>> /var/log/maillog:
>> smtpd[4269]: 1317598201.5Tsv7GvPDRFc1Ozt: from=root@Y, size=6325, nrcpts=1, proto=ESMTP, relay=0@localhost [IPv6:::1]
>> smtpd[30344]: 1317598201.5Tsv7GvPDRFc1Ozt: to=logadmin@Y, delay=1, relay=(none) [], stat=LocalError (Unable to resolve DNS for domain)
>>
>> This still does not work on 5.1...
>
> Can you confirm it is true with -current OpenSMTPD? I can't double
> check right now, but I seem to recall eric@ fixing this a while ago

Oh yes, I've just tried with a snapshot of 5.2 and it looks good.

Many thanks, regards.
Re: More bgpd problems
On Wed, 30 May 2012 09:27:23 +0000 (UTC), Matt Hamilton ma...@netsight.co.uk wrote:

Hello,

> I'd be very interested to see your ifstated config and how you use that
> to verify peers being up as we could do with some better monitoring here.

Here we use "bgpctl show summary terse" with a grep on the peer name and Established. Simple, but it does the job.

# bgpctl show summary terse
RenaterV6 2200 Established
RenaterV4 2200 Established

(never seen bgpd crash)

Regards.
Re: Router project on OpenBSD questions
On Mon, 27 Feb 2012 19:38:45 +0000, Kaya Saman kayasa...@gmail.com wrote:

Hello,

> I have currently only used OpenBSD as a test vector setup on VirtualBox
> and 2x Sun Fire V240's as a DNS server (master/slave) using Bind9.
>
> So basically in short am an OpenBSD newbie :-)
>
> Ok so here goes;
>
> I've been using FreeBSD for around 3+ years now and really enjoy it, in
> comparing OpenBSD to FreeBSD I first would like to get some user
> experience of the major advantages over it.

Well, I mostly use FreeBSD and I prefer it in general. But for a router/firewall I think OpenBSD suits better. All the tools are available out of the box and that just works.

There are a few things missing in FreeBSD (for our needs at work):
- missing TCP signature in OpenBGPD.
- missing pflow.
- some problems with carp (for example flip-flop of master/backup when a machine boots up, but carp would be better in FreeBSD 10.0).

OpenBSD is not perfect either: it would be nice if pflow handled IPv6, and the support of one year is a bit short. But nothing is perfect.

> from my (vastly) limited experience it's quite different to work with
> than FreeBSD.

Not really.
Re: Router project on OpenBSD questions
On Mon, 27 Feb 2012 16:58:05 -0300, Christiano F. Haesbaert haesba...@haesbaert.org wrote:

Hello,

> With a decent hardware, I think you can reach 1mpps (that's million
> packets per second).

I don't think so. As far as I can see here, with a rate of 50K packets through the system it already spends 50% in interrupt.
Re: Router project on OpenBSD questions
On Wed, 29 Feb 2012 13:13:30 +0100, Peter Hessler phess...@theapt.org wrote:

Hello,

> On 2012 Feb 29 (Wed) at 11:54:13 +0100 (+0100), Patrick Lamaiziere wrote:
> :OpenBSD is not perfect too, it would be nice that pflow handles ipv6
>
> pflow now handles ipv6 (in 5.1)

That's cool! Thanks.

> :and the support of one year is a bit short. But nothing is perfect.
>
> If you need support for longer than a year, you will need to contact a
> vendor offering openbsd support.

I don't believe they will be able to support it if the support has ended upstream; only a few are able to dig into the code. Sure, I will find tons of them able to sell support. But if they sell some wind I can do it myself for free.

That was not a criticism, I understand well the release process on OpenBSD and the limited resources available. But this is something to consider when you choose a system.

Regards.
[PF] bug in port range.
Hello, happy new year.

I think there is an off-by-one error in Packet Filter port ranges, for example with an exclusive boundary range: port1 >< port2

PF or pfctl does not check that port1 <= port2, and if port1 > port2 the port range is not correct. For example 82 >< 80 is not the same as 80 >< 82 (but should be IMO).

I've tested with these rules:

pass in quick
block out quick proto tcp from self to 94.23.254.147 port 82 >< 80
pass out quick

Then, port 81 is not filtered out.

Thanks, regards.
Re: [PF] bug in port range.
On Tue, 3 Jan 2012 17:54:18 +0100, Henning Brauer lists-open...@bsws.de wrote:

Hello,

> * Patrick Lamaiziere patf...@davenulle.org [2012-01-03 17:45]:
>> I think there is an off-by-one error in Packet Filter port ranges, for
>> example with an exclusive boundary range: port1 >< port2
>
> nope.
>
>     Ports and ranges of ports are specified using these operators:
>       :       (range including boundaries)
>       ><      (range excluding boundaries)

yes, that is from the manpage, of course.

> >< explicitly EXCLUDES the boundaries. now where is that off by one?

Please forget the off-by-one, I've found that 82:80 differs from 80:82 :)

>> PF or pfctl does not check that port1 <= port2, and if port1 > port2
>> the port range is not correct.
>
> pf does what you, the operator, tells it to do.
>
>> For example 82 >< 80 is not the same as 80 >< 82 (but should be IMO).
>
> should? why?

Well, because for me 80:82 is (80, 81, 82) and 82:80 the same items and so the same range. But you are right, the man page is explicit. I should re-read it more often.

So what is the meaning for PF of the range 82:80? If this is nonsense, an error from pfctl would be cool.

> port 82 >< 80 defines a range that can't match, and it doesn't. as in,
> all is good. when you mean 80 >< 82 you ought to write 80 >< 82 and
> not 82 >< 80.

Sure, but when using service names it's easy to make a mistake. In fact I've found this strange behavior while translating a Cisco ACL:

permit tcp any any range ftp ftp-data

Translated to port ftp:ftp-data, which if I understand well does not mean anything for PF.

Thanks, regards.
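The two port operators, and the Cisco "range" translation that bit the poster, as an added example that is not code from the thread: PF compares a port against "a:b" as a <= port <= b and against "a><b" as a < port < b, literally as written, so a spec whose first port is the higher one matches nothing. The script below implements that literal comparison, adds the warning pfctl does not give for a backwards range, and translates a Cisco "range X Y" (inclusive) into a PF spec with the endpoints ordered. SERVICES is a constructed subset of /etc/services used to resolve names.

```python
"""Parse PF port operators ':' and '><' and translate a Cisco 'range'.

Added example for the port-range thread above; not code from the posts.
It reproduces what the thread establishes: 'a:b' matches a..b inclusive,
'a><b' matches strictly between, and both are taken literally, so a spec
whose first port is the higher one matches nothing.  SERVICES is a
constructed subset of /etc/services used to resolve names; the Cisco
translation reorders the endpoints so 'range ftp ftp-data' does not turn
into the empty 21:20.
"""
import re

# Constructed subset of /etc/services (name -> port).
SERVICES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "smtp": 25, "domain": 53,
            "http": 80, "https": 443}

PORT_SPEC = re.compile(r"^\s*([A-Za-z0-9-]+)\s*(><|:)\s*([A-Za-z0-9-]+)\s*$")


def resolve(port):
    """Numeric port or service name to an int, as pfctl does via /etc/services."""
    if port.isdigit():
        return int(port)
    try:
        return SERVICES[port]
    except KeyError:
        raise ValueError(f"unknown service {port!r}") from None


def parse_port_spec(spec):
    """Return (first, second, inclusive) exactly as written, without reordering."""
    m = PORT_SPEC.match(spec)
    if not m:
        raise ValueError(f"not a port range: {spec!r}")
    return resolve(m.group(1)), resolve(m.group(3)), m.group(2) == ":"


def ports_matched(spec):
    """The set of ports a PF range spec matches, using pf's literal comparison."""
    lo, hi, inclusive = parse_port_spec(spec)
    if inclusive:                       # port >= lo && port <= hi
        return set(range(lo, hi + 1))
    return set(range(lo + 1, hi))       # port > lo && port < hi


def lint_port_spec(spec):
    """The warning pfctl does not give: a range that can never match."""
    lo, hi, inclusive = parse_port_spec(spec)
    if lo > hi or (not inclusive and hi - lo < 2):
        return f"port {spec!r} matches no port"
    return None


def pf_range_from_cisco(first, second):
    """Translate Cisco 'range X Y' (inclusive) into a PF 'lo:hi' spec with ordered endpoints."""
    a, b = sorted((resolve(first), resolve(second)))
    return f"{a}:{b}"


if __name__ == "__main__":
    for spec in ("80:82", "82:80", "80><82", "82><80", "ftp:ftp-data"):
        print(f"{spec:14} -> {sorted(ports_matched(spec))}  {lint_port_spec(spec) or ''}")
    print("Cisco 'range ftp ftp-data' ->", pf_range_from_cisco("ftp", "ftp-data"))
```

Running a ruleset's port specs through lint_port_spec() before `pfctl -nf` catches the "ftp:ftp-data" kind of mistake that pfctl accepts silently, which is the check the poster asked for.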
Re: network bandwith with em(4)
On Tue, 22 Feb 2011 18:09:32 +0100, Patrick Lamaiziere patf...@davenulle.org wrote:

(4.8/amd64)
I'm using two Intel 1000/PRO quad-port ethernet cards (gigabit) on a firewall (one fiber and one copper).
The problem is that we don't get more than ~320 Mbits/s of bandwidth between the internal networks and the internet (gigabit).
As far as I can see, on load there is a number of Ierr on the interface connected to the Internet (between 1% and 5%).

--
dmesg (on 4.8):
em0 at pci5 dev 0 function 0 Intel PRO/1000 QP (82571EB) rev 0x06: apic 1 int 13 (irq 14), address 00:15:17:ed:98:9d
em4 at pci9 dev 0 function 0 Intel PRO/1000 QP (82575GB) rev 0x02: apic 1 int 23 (irq 11), address 00:1b:21:38:e0:80

Hello,

This issue (IERR on em) looks to be fixed on 5.0. With 4.8 and 4.9 there were IERR errors with traffic > 150 Mbs. With 5.0 there are only a few IERR from time to time, even on high load (> 400 Mbits/s, 40K packets/s in, 30K packets/s out).

I guess that the fixes on em(4) help. Maybe the use of MSI interrupts too, because I see a significant improvement on CPU interrupt load (around 60% in load to 50% with 5.0). (The measures are averaged over 5 minutes.)

That's cool! There are still some PF congestions from time to time but I have to investigate. It happens even when the box is idle, but maybe there are some bursts of traffic. The box has 6 interfaces and I don't believe it can handle 6 Gbits at once.

To finish this too long thread: since February we (a university) are very happy with the reliability of our two PF firewalls, they just work.

Thanks a lot, regards.
[5.0] pkg_add too many FTP connections
Hello,

I'm trying to update packages with pkg_add via ftp:

# pkg_add -ui
Error from ftp://ftp.irisa.fr/pub/OpenBSD/5.0/packages/amd64/gperf-3.0.4.tgz
421 There are too many connections from your internet address.
ftp: Can't connect or login to host `ftp.irisa.fr'
Error from ftp://ftp.irisa.fr/pub/OpenBSD/5.0/packages/amd64/gtar-1.26p0.tgz
421 There are too many connections from your internet address.
ftp: Can't connect or login to host `ftp.irisa.fr'
...

Is there a way to limit the number of FTP connections for pkg_add?

Thanks, regards.
Re: [5.0] pkg_add too many FTP connections
On Wed, 30 Nov 2011 12:35:40 +0100, Marc Espie es...@nerim.net wrote:

Fix your proxy/connection. pkg_add keeps one ftp connection alive, not more, but it does interrupt connections brutally as soon as it has the information it wants. All such problems come from stale ftp connections; there's something flaky in your network setup that means ftp.irisa.fr does not see the severed connections.

Thanks Marc,

Could it be that this ftp server (irisa) is near here (1 Gbit) and doesn't have the time to see that the connection was dropped? I don't have any problem with other mirrors (e.g. ftp://fr.openbsd.org).

Thanks, regards.
Re: Multiple ISPs: send packets to the interface they came from
On Tue, 08 Nov 2011 15:27:02 -0500, Guillaume Filion g...@logidac.com wrote:

Hi all,

Hello,

I also tried using pf route-to but that seems to only work with NAT...

No, it does routing. I use it without NAT.

So basically my question is how to tell OpenBSD to send packets to the interface they came from?

See reply-to.

Regards.
Re: PF.CONF - with DMZ and packet tagging example
On Mon, 7 Nov 2011 16:58:29 -0500, Bentley, Dain dbent...@nas.edu wrote:

Hello,

block in on $ext from <bastards>
#NAT INBOUND TO DMZ
pass in on $ext proto tcp from any to any port $web_services rdr-to $webserver tag INET_TO_DMZ
pass in on $ext proto tcp from any to any port $mail_services rdr-to $mailserver tag INET_TO_DMZ

Looks not good, missing quick in the block rule?

Regards.
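Added example for this thread (not code from the list or from OpenBSD): a Python model of PF's rule walk that shows why the block rule above is overridden. PF evaluates rules top to bottom and the last matching rule wins, unless a matching rule is marked quick, which ends the walk. The value of $ext, the contents of the <bastards> table and the $web_services/$mail_services macros are constructed assumptions.

```python
"""Model PF's last-match evaluation to show what 'quick' changes.

Added example for this thread, not code from the list. PF walks the ruleset
top to bottom and the last matching rule wins, unless a matching rule is
marked 'quick', which stops the walk (pf.conf(5)). The ruleset below is the
one quoted above; $ext, the <bastards> table contents, $web_services and
$mail_services are constructed stand-ins.
"""
from ipaddress import ip_address, ip_network

EXT = "em0"                                   # assumed value of $ext
BASTARDS = [ip_network("203.0.113.0/24")]     # assumed contents of <bastards>
WEB_SERVICES = {80, 443}                      # assumed $web_services
MAIL_SERVICES = {25}                          # assumed $mail_services


class Rule:
    def __init__(self, action, iface, quick=False, proto=None, src=None, dport=None):
        self.action, self.iface, self.quick = action, iface, quick
        self.proto, self.src, self.dport = proto, src, dport

    def matches(self, pkt):
        """True when every criterion the rule specifies holds for pkt."""
        if pkt["iface"] != self.iface:
            return False
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.src is not None and not any(ip_address(pkt["src"]) in n for n in self.src):
            return False
        if self.dport is not None and pkt["dport"] not in self.dport:
            return False
        return True


def evaluate(rules, pkt):
    """Return the rule that decides pkt: last match wins, 'quick' ends the walk."""
    winner = None
    for rule in rules:
        if rule.matches(pkt):
            winner = rule
            if rule.quick:
                break
    return winner


def ruleset(block_quick):
    """The thread's three rules, with or without 'quick' on the block."""
    return [
        Rule("block", EXT, quick=block_quick, src=BASTARDS),
        Rule("pass", EXT, proto="tcp", dport=WEB_SERVICES),   # rdr-to $webserver
        Rule("pass", EXT, proto="tcp", dport=MAIL_SERVICES),  # rdr-to $mailserver
    ]


def verdict(block_quick, src="203.0.113.7", dport=80):
    """Action PF applies to an inbound TCP packet from src to dport on $ext."""
    pkt = {"iface": EXT, "proto": "tcp", "src": src, "dport": dport}
    rule = evaluate(ruleset(block_quick), pkt)
    return rule.action if rule else "pass"    # PF's default when nothing matches


if __name__ == "__main__":
    print("block without quick:", verdict(False))   # pass, the web rule matched last
    print("block with quick:   ", verdict(True))    # block, the walk stopped early
```

Without quick, a listed source hitting port 80 still reaches the web server because the pass rule is the last match; with quick on the block rule the walk stops there and the packet is dropped, which is the fix suggested in the reply.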
Re: why skip is not shown in pfctl -s rules ?
On Thu, 20 Oct 2011 15:41:51 +0600, Илья Шипицин chipits...@gmail.com wrote:

Hello,

but I do not find skip in pfctl -s rules output:

Yes, you can check that the interface is skipped with

# pfctl -vs Interfaces -i lo0
lo0 (skip)

Regards.
[4.9] smtpd does not work anymore without resolver?
Hello,

On 4.8 I was using smtpd to relay periodic mails. The box is a firewall and the resolver is not configured at all.

smtpd.conf:
# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.
listen on lo0
map aliases { source db /etc/mail/aliases.db }
accept for local alias aliases deliver to mbox
# smtp
accept for all relay via 129.20.xxx.xxx

That worked fine on 4.8, but with 4.9 the box does not send any mail.

/var/log/maillog:
smtpd[4269]: 1317598201.5Tsv7GvPDRFc1Ozt: from=root@Y, size=6325, nrcpts=1, proto=ESMTP, relay=0@localhost [IPv6:::1]
smtpd[30344]: 1317598201.5Tsv7GvPDRFc1Ozt: to=logadmin@Y, delay=1, relay=(none) [], stat=LocalError (Unable to resolve DNS for domain)

Any idea?

Thanks, regards.
Re: bgpctl shiw rib out displaying incorrect information
On Wed, 31 Aug 2011 07:19:15 +0200, Tony Sarendal t...@polarcap.org wrote:

Hi,

current1# cat /etc/bgpd.conf
AS 65001
network 10.0.1.0/24

current1# bgpctl show rib nei 172.29.1.52 out
flags: * = Valid, > = Selected, I = via IBGP, A = Announced
origin: i = IGP, e = EGP, ? = Incomplete
flags destination gateway lpref med aspath origin
AI* 10.0.1.0/24 172.29.1.200 100 0 i

So you announce (A) via IBGP (I) the route 10.0.1.0/24; looks good, no?

current2# bgpctl show rib nei 172.29.1.51 in
flags: * = Valid, > = Selected, I = via IBGP, A = Announced
origin: i = IGP, e = EGP, ? = Incomplete
flags destination gateway lpref med aspath origin
I* 10.0.1.0/24 172.29.1.51 100 0 i

And you receive the route via IBGP (I), looks good too. Where is the problem?

Regards.
Re: Expected throughput in an OpenBSD virtual server
On Tue, 23 Aug 2011 19:21:32 +0200, Per-Olov Sjöholm p...@incedo.org wrote:

Hello,

Here we reach 400 MBits/s with a CPU rate ~70% but we run OpenBSD 4.9.

How fast is your CPU?

cpu0: Intel(R) Xeon(R) CPU E5520 @ 2.27GHz, 2261.30 MHz

It's a Dell R610 with 4 GB RAM.
Re: Expected throughput in an OpenBSD virtual server
On Mon, 22 Aug 2011 22:49:47 +0200, Per-Olov Sjöholm p...@incedo.org wrote:

Hello,

Have not tried current, but will try current as soon as I can. Also... I will try to do some experiments with the CPU speed of the core the OpenBSD virtual machine has, to see how the interrupts and throughput are related to the CPU speed of the allocated core.

It would be nice to know if current is better with Intel em(4) cards, because of this commit: http://freshbsd.org/2011/04/13/00/19/01

Here we reach 400 MBits/s with a CPU rate ~70% but we run OpenBSD 4.9.

Regards.
Re: Expected throughput in an OpenBSD virtual server
On Mon, 22 Aug 2011 20:04:50 + (UTC), Stuart Henderson s...@spacehopper.org wrote:

Hello,

OpenBSD has another way to handle this, MCLGETI.

Is there documentation (for the human being, not the developer) about how MCLGETI works? (I don't find a lot about it.)

Thanks, regards.
Re: carp issues
On Tue, 09 Aug 2011 15:29:17 +0200, Michael Lechtermann mich...@lechtermann.net wrote:

Hi all,

hello,

# ifconfig carp0
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:0a
        priority: 0
        carp: carpdev em0 advbase 1 balancing ip-stealth carppeer 10.0.1.11
                state MASTER vhid 10 advskew 0
                state BACKUP vhid 11 advskew 100

Hmmm, why do you have different vhid?
Re: fat32 interoperatibility issue
On Mon, 01 Aug 2011 16:04:08 +0200, Daniel Gracia lists.d...@electronicagracia.com wrote:

Yep! That's it, and I totally agree with the discussion there but, as far as msdosfs is in OpenBSD for the very reason of portability -and now I'm supposing-, I wonder if this would be a welcomed patch.

Well, Windows itself allows creating such files, so this is portable. But on Windows they are hidden by the explorer; this is (was?) used by some badware to hide files (like a hidden ftp server). See http://www.gohacking.com/2008/02/how-to-create-con-folder-in-windows.html

I'm not sure if this is still true.

Regards.
net-snmp in 4.9 : does it work for you ?
Hello,

I've updated my two pf firewalls today from 4.8 to 4.9 (worked fine, nice). But it looks like there is a problem with net-snmp and the traffic reported (IF-MIB). This is not correct anymore (like 30 Mbits/s instead of more than 150 Mbits/s). I've checked the interface indexes in the snmp tables and they did not change. Other values (like packets per second) look good. I've tried the previous version of net-snmp (net-snmp-5.4.2.1p5) and there is the same problem.

Any clue?

Thanks, regards.
Re: net-snmp in 4.9 : does it work for you ?
On Wed, 22 Jun 2011 09:23:01 +0200, Patrick Lamaiziere patf...@davenulle.org wrote:

Hello,

I've updated my two pf firewalls today from 4.8 to 4.9 (worked fine, nice). But it looks like there is a problem with net-snmp and the traffic reported (IF-MIB). This is not correct anymore (like 30 Mbits/s instead of more than 150 Mbits/s). I've checked the interface indexes in the snmp tables and they did not change. Other values (like packets per second) look good. I've tried the previous version of net-snmp (net-snmp-5.4.2.1p5) and there is the same problem. Any clue?

Ooops. Looks like someone has changed the configuration of Cacti. My apologies.

Regards.
Re: Need some input about: OpenBSD 4.9/amd64 and Dell PowerEdge Server R210,R410,R610,R710
On Tue, 7 Jun 2011 20:49:50 -0700 (PDT), Stefan N stefanbsd...@yahoo.com wrote:

Hi All,

Hello,

Have you ever tried to install OpenBSD 4.9/amd64 on the Dell PowerEdge Server R210, R410, R610, R710 (2.5 SAS Disk) with an additional Intel Gigabit ET Quad Port Server Adapter? If yes, are those servers fully compatible with OpenBSD 4.9/amd64?

We have used two R610 with 4.8/amd64 (PF firewall) since February with two Intel cards (one Intel PRO/1000 QP 82571EB and one Intel PRO/1000 QP 82575GB). It looks solid as a rock.

ipmi does not attach; I don't know if it should work:
ipmi at mainbus0 not configured

Regards.
Re: serious security improvement in OpenBSD
On Mon, 06 Jun 2011 15:06:54 +0300, Kapetanakis Giannis bil...@edu.physics.uoc.gr wrote:

Who is this 'Charlie' guy anyway???

That is a good question. I've searched in the past, looking at old system passwd files to find who decided this name for the root account, but with no luck.

Looks like Charlie is a tribute to Charlie Root (a famous baseball player): http://en.wikipedia.org/wiki/Charlie_Root

Does someone remember who, when and why?

Regards.
Re: Firewall sends wrong MAC address per ARP?
On Tue, 22 Mar 2011 13:01:48 +0100, Marcus Mülbüsch muelbue...@as-infodienste.de wrote:

hello,

carp3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:21
        priority: 0
        carp: carpdev bge0 advbase 1 balancing arp carppeer 192.168.3.3
                state MASTER vhid 33 advskew 0
                state MASTER vhid 133 advskew 100

Why do you have two vhid and with different advskew values?
(4.8) Missing pkg.conf in see also manual for pkg_add
Hello, Just noticed that pkg.conf(5) is missing in the see also section of pkg_add(1) and friends. Regards.
Re: network bandwith with em(4)
On Sat, 26 Feb 2011 00:23:36 +0900, Ryan McBride mcbr...@openbsd.org wrote:

How about a _full_ dmesg, so someone can take a wild guess at what your machine is capable of?

full dmesg: http://user.lamaiziere.net/patrick/dmesg-open48.txt
The box is a Dell R610 server.

This box should be able to fill a gigabit of regular TCP traffic (1500 MTU) without any problem. Double-check your testing procedures.

I will test this.

I have some additional comments/questions though:

1) you probably don't want to run bsd.mp on a firewall, it'll hurt you more than it helps, unless you have significant CPU-bound userland stuff going on, for example antivirus scanning of email.

I've tried with an sp kernel (amd64); it does not look to change anything.

2) You may get better performance running i386.

I will try, but I do not expect a lot of difference on the IErr rate.

3) Besides the em driver changes you've mentioned, is the source code you're building the kernel from clean OPENBSD_4_8 -stable, or something else (4.8-current from after the 4.8 release, for example)?

It's a clean release 4.8/amd64, with 4.8 errata applied.

Thanks, regards.
Re: network bandwith with em(4)
On Fri, 25 Feb 2011 08:41:20 +0900, Ryan McBride mcbr...@openbsd.org wrote:

On Wed, Feb 23, 2011 at 06:07:16PM +0100, Patrick Lamaiziere wrote:
I log the congestion counter (each 10s) and there are at max 3 or 4 congestions per day. I don't think the bottleneck is pf.

The congestion counter doesn't directly mean you have a bottleneck in PF; it's triggered by the IP input queue being full, and could indicate a bottleneck in other places as well, which PF tries to help out with by dropping packets earlier.

Interface errors?
Quite a lot.

The output of `systat mbufs` is worth looking at, in particular the figure for LIVELOCKS, and the LWM/CWM figures for the interface(s) in question. If the livelocks value is very high, and the LWM/CWM numbers are very small, it is likely that the MCLGETI interface is protecting your system from being completely flattened by forcing the em card to drop packets (supported by your statement that the error rate is high). If it's bad enough MCLGETI will be so effective that the pf congestion counter will not get incremented.

systat mbufs:
IFACE LIVELOCKS SIZE ALIVE LWM HWM CWM
System 256 375 149 2k 240 1125
em0 1772 2k 80 4 256 80
em1 11 2k 5 4 256 5
em2 293 2k 110 4 256 110
em3
em4 18 2k 11 4 256 11
em5 10 2k 12 4 256 12
em6 14 2k 5 4 256 5
bnx0 3 2k 4 2 510 4
bnx1 1 2k 4 2 510 4
bnx3 1 2k 2 2 510 2

You mentioned the following in your initial email:
#define MAX_INTS_PER_SEC 8000
Do you think I can increase this value? The interrupt rate of the machine is at max ~60% (top).

Increasing this value will likely hurt you. 60% interrupt rate sounds about right to me for a firewall system that is running at full tilt; 100% interrupt is very bad, if your system spends all cycles servicing interrupts it will not do very much of anything useful.

dmesg:
em0 at pci5 dev 0 function 0 Intel PRO/1000 QP (82571EB) rev 0x06: apic 1 int 13 (irq 14), address 00:15:17:ed:98:9d
em4 at pci9 dev 0 function 0 Intel PRO/1000 QP (82575GB) rev 0x02: apic 1 int 23 (irq 11), address 00:1b:21:38:e0:80

How about a _full_ dmesg, so someone can take a wild guess at what your machine is capable of?

-Ryan

--
Patrick Lamaizière
CRI Université de Rennes 1
Tél: 02 23 23 71 45
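Added example for this thread (not code from the list or from OpenBSD): a Python reader for the `systat mbufs` view that applies the heuristic Ryan describes above. Per interface it looks at LIVELOCKS together with CWM (the ring size the driver currently allows) against HWM; a large livelock count with CWM held far below HWM is the signature of MCLGETI throttling the card's receive ring, which shows up as Ierrs rather than as pf congestion. The sample rows and the thresholds are constructed assumptions.

```python
"""Read 'systat mbufs' rows and flag interfaces that MCLGETI is throttling.

Added example for this thread, not code from the list or from OpenBSD. The
column names are those of systat(1)'s mbufs view (IFACE LIVELOCKS SIZE ALIVE
LWM HWM CWM); the sample rows and the thresholds below are constructed
assumptions. The idea is the one Ryan describes: a high LIVELOCKS count
together with a CWM held well below HWM means the driver is deliberately
starving the NIC of receive buffers so the host keeps up, and the NIC drops
(Ierrs) instead of the IP input queue overflowing.
"""
from collections import namedtuple

Row = namedtuple("Row", "iface livelocks size alive lwm hwm cwm")

# Constructed sample shaped like the post's output (values are made up).
SAMPLE = """\
IFACE             LIVELOCKS  SIZE ALIVE   LWM   HWM   CWM
System                        256   375
                               2k   240
em0                    1772    2k     8     4   256     8
em1                      11    2k     5     4   256     5
em2                     293    2k   110     4   256   110
bnx0                      3    2k     4     2   510     4
"""


def parse(text):
    """Return one Row per interface line.

    The System/pool lines carry no LWM/HWM/CWM columns and are skipped, as is
    the header.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[0] == "IFACE":
            continue
        iface, livelocks, size, alive, lwm, hwm, cwm = parts
        rows.append(Row(iface, int(livelocks), size, int(alive),
                        int(lwm), int(hwm), int(cwm)))
    return rows


def ring_fill(row):
    """Fraction of the configured ring (HWM) the driver currently allows."""
    return row.cwm / float(row.hwm)


def throttled(rows, min_livelocks=100, cwm_fraction=0.25):
    """Interfaces whose ring has been shrunk by MCLGETI while livelocks pile up.

    Thresholds are assumptions for illustration: an interface is flagged when
    it has accumulated at least min_livelocks and CWM is at or below
    cwm_fraction of HWM, i.e. the ring is far from its configured size.
    """
    return [r.iface for r in rows
            if r.livelocks >= min_livelocks and ring_fill(r) <= cwm_fraction]


if __name__ == "__main__":
    rows = parse(SAMPLE)
    for r in rows:
        print("%-5s livelocks=%-5d ring %3d/%-3d (%.0f%%)"
              % (r.iface, r.livelocks, r.cwm, r.hwm, 100 * ring_fill(r)))
    print("throttled:", throttled(rows))
```

In the constructed sample em0 is the only interface that both livelocks heavily and runs with a collapsed ring, so it is the one whose Ierrs are expected to be MCLGETI's doing; em2 livelocks but keeps a ring near HWM, which is why the fraction check matters as much as the count.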
Re: network bandwith with em(4)
On Fri, 25 Feb 2011 13:51:32 +0100, Patrick Lamaiziere patf...@davenulle.org wrote:

(ooops, pushed the wrong button)

How about a _full_ dmesg, so someone can take a wild guess at what your machine is capable of?

full dmesg: http://user.lamaiziere.net/patrick/dmesg-open48.txt
The box is a Dell R610 server.

Thanks, regards.
Re: network bandwith with em(4)
On Fri, 25 Feb 2011 13:51:32 +0100, Patrick Lamaiziere patf...@davenulle.org wrote:

systat mbufs:
IFACE LIVELOCKS SIZE ALIVE LWM HWM CWM

What do these counters mean?

Thanks.
Re: network bandwith with em(4)
On Tue, 22 Feb 2011 18:09:32 +0100, Patrick Lamaiziere patf...@davenulle.org wrote:

(4.8/amd64)
Hello,
I'm using two Intel 1000/PRO quad-port ethernet cards (gigabit) on a firewall (one fiber and one copper).
The problem is that we don't get more than ~320 Mbits/s of bandwidth between the internal networks and the internet (gigabit).
As far as I can see, on load there is a number of Ierr on the interface connected to the Internet (between 1% and 5%). Also the interrupt rate on this card is around ~7500 (using systat). In the em(4) driver, there is a limitation of the interrupt rate at 8000/s.
...

Well, I've made some tests and increasing the number of interrupts or the number of RX descriptors does not help to reduce the Ierr count or to increase the bandwidth. So I don't know where the problem is...

Do you think the hardware used is not powerful enough? (dmesg: http://user.lamaiziere.net/patrick/dmesg-openbsd4.8.txt). The box is a router/firewall; there are 6 interfaces on the box, one is connected to the internet (the busiest interface), one is connected to the LAN (very busy too), the others are far less busy.

To give an idea, this box replaces an old Cisco 7204 which hangs at 200 Mbits, no more.

I would be happy to know which kind of hardware you are using to build a gigabit router with good performance?

Thanks to all, regards.
Re: network bandwith with em(4)
On Wed, 23 Feb 2011 22:09:18 +0100, Manuel Guesdon ml+openbsd.m...@oxymium.net wrote:

| Did you try to increase the number of descriptors?
| #define EM_MAX_TXD 256
| #define EM_MAX_RXD 256
|
| I've tried up to 2048 (and with MAX_INTS_PER_SEC = 16000) but it looks
| worse.

Thank you! I'll investigate this!

As I said, it is worse here. The load is increased and I lose around 50 Mbits of bandwidth.

I was curious if you've made some tests on this.
Re: network bandwith with em(4)
On Tue, 22 Feb 2011 19:13:48 +0100, Manuel Guesdon ml+openbsd.m...@oxymium.net wrote:

Hello,

We've got the same problems (on a router, not a firewall). Increasing MAX_INTS_PER_SEC to 24000 increased bandwidth and lowered packet loss. Our cards are Intel PRO/1000 (82576) and Intel PRO/1000 FP (82576). Did you try to increase the number of descriptors?
#define EM_MAX_TXD 256
#define EM_MAX_RXD 256

I've tried up to 2048 (and with MAX_INTS_PER_SEC = 16000) but it looks worse.

My configuration is two firewalls in master/backup mode. On the first one the two busiest links are on the first card (fiber). On the second, these two links are not on the same card: one is on the fiber card and the other on the copper card. I've noticed today that the input Ierr rate is far lower on the second firewall than on the first. Is it possible to have a bottleneck on the ethernet card or on the bus?

I will make more tests tomorrow...

Thanks, regards.
Re: network bandwith with em(4)
On Tue, 22 Feb 2011 10:22:16 -0800 (PST), James A. Peltier jpelt...@sfu.ca wrote:

Those documents do not necessarily apply any more. Don't go tweaking knobs until you know what they do. We have machines here that transfer nearly a gigabit of traffic/s without tuning, in bridge mode none the less. Are you seeing any packet congestion markers (counter congestion) in systat pf? If so you might not have sufficient states available.

I log the congestion counter (each 10s) and there are at max 3 or 4 congestions per day. I don't think the bottleneck is pf.

What about fragmentation?

None.

Interface errors?

Quite a lot.

There are many other non-tweakable issues that could cause this.

Sure, it's hard to know.

Thanks, regards.
network bandwith with em(4)
(4.8/amd64)
Hello,

I'm using two Intel 1000/PRO quad-port ethernet cards (gigabit) on a firewall (one fiber and one copper).

The problem is that we don't get more than ~320 Mbits/s of bandwidth between the internal networks and the internet (gigabit). As far as I can see, on load there is a number of Ierr on the interface connected to the Internet (between 1% and 5%). Also the interrupt rate on this card is around ~7500 (using systat). In the em(4) driver, there is a limitation of the interrupt rate at 8000/s.

if_em.h:
/*
 * MAX_INTS_PER_SEC (ITR - Interrupt Throttle Register)
 * The Interrupt Throttle Register (ITR) limits the delivery of interrupts
 * to a reasonable rate by providing a guaranteed inter-interrupt delay
 * between interrupts asserted by the Ethernet controller.
 */
#define MAX_INTS_PER_SEC 8000

Do you think I can increase this value? The interrupt rate of the machine is at max ~60% (top).

Other ideas to increase the bandwidth would be welcome too. I don't think the limitation comes from PF because I don't see any congestion.

Thanks, regards.

--
dmesg:
em0 at pci5 dev 0 function 0 Intel PRO/1000 QP (82571EB) rev 0x06: apic 1 int 13 (irq 14), address 00:15:17:ed:98:9d
em4 at pci9 dev 0 function 0 Intel PRO/1000 QP (82575GB) rev 0x02: apic 1 int 23 (irq 11), address 00:1b:21:38:e0:80
Re: network bandwith with em(4)
On Tue, 22 Feb 2011 11:19:26 -0600, Mark Nipper ni...@bitgnome.net wrote:

The problem is that we don't get more than ~320 Mbits/s of bandwidth between the internal networks and the internet (gigabit).

Have you already looked at:
---
https://calomel.org/network_performance.html

Yes, thanks. I've already increased the size of net.inet.ip.ifq.maxlen. But I don't see the point of these tunings for a firewall. IMHO, it could help for a host handling tcp/udp connections. Anyway, I've tried, it does not change anything and I don't think it should. I'm not a network expert, I could be wrong. Let's see:

## Calomel.org OpenBSD /etc/sysctl.conf ##
kern.maxclusters=128000 # Cluster allocation limit
=> netstat -m reports a peak of *only* 2500 mbufs used.

net.inet.ip.mtudisc=0 # TCP MTU (Maximum Transmission Unit)
=> still at 1. I don't use scrub in pf or mss clamping.

net.inet.tcp.ackonpush=1 # acks for packets with the push bit
=> only one TCP connection on the firewall (ssh).

net.inet.tcp.ecn=1 # Explicit Congestion Notification enabled

net.inet.tcp.mssdflt=1472 # maximum segment size (1472 from scrub pf.conf)
=> same here, I guess the default mss is for connections from the machine. tcpdump shows that the mss is negotiated around 1450. Looks good.

net.inet.tcp.recvspace=262144 # Increase TCP receive window size to increase performance
=> same, no tcp nor udp... Am I wrong?

Thanks, regards.
dump device
[4.8/amd64]
Hello,

Is there a way to change the dump device without rebuilding the kernel? It's not clear if config(8) -e is able to do this.

Thanks, regards.
Re: PF: Route packets out specific interface with NAT
On Mon, 31 Jan 2011 18:24:04 +0100, Joachim Tingvold joac...@tingvold.com wrote:

Hi,

Hello,

This does not work at all. If I change

http://www.openbsd.org/faq/pf/carp.html#RulesetTips

Ruleset Tips
Filter the physical interface. As far as PF is concerned, network traffic comes from the physical interface, not the CARP virtual interface (i.e., carp0).

;
netflow and ipv6?
Hello,

Are there any plans to implement netflow v9 in pflow(4) (to be able to trace IPv6 flows)? Without it, which collector can I use in userland? And is the load introduced by such a userland tool a concern with network traffic passing the firewall at around ~500 Mb/s?

Thanks, regards.
Re: Another carp problem.
On Fri, 31 Dec 2010 18:09:40 +0100, Alessandro Baggi alessandro.ba...@gmail.com wrote:

To exclude also a pf rules problem, I've tried a rule set as:
match ... nat-to ...
pass all
but the problem persists. Other issue?

Hmmm, ok, I don't know where the problem is. I've recently made a lot of tests with carp and pfsync without any problem (on 4.8/amd64). IMO it should work (but I don't use the carp peer option).

One remark: you should use a dedicated interface for pfsync. In your setup, rl0 is shared by pfsync and carp1. This makes no sense.

Best regards and happy new year to all.
Re: Another carp problem.
On Thu, 30 Dec 2010 19:58:21 +0100, Alessandro Baggi alessandro.ba...@gmail.com wrote:

these are my pf rules for carp and pfsync:
pass in quick proto pfsync
pass in quick proto carp
..
block in all
...

And in output?
Re: soekris + openbsd server buy question
On Fri, 3 Dec 2010 19:28:19 +0800 (CST), shweg...@gmail.com wrote:

Hello,

I'm considering buying a Soekris net5501-70 and installing OpenBSD on it to make myself a small server and use it as a proxy (ssh tunnel); it might serve as a backup file server as well. I guess at most there will be two or three computers connected at the same time, and there might be some streaming video going through, like the videos you find on online newspapers. I have googled around, and read that this kind of hardware is fine as a router but not so much as a server. Is it true? Thank you for any suggestions.

It depends on the connection; do not expect a 100 Mbit/s link. I use a net5501 for my all-in-one box (file server (samba), printer sharing, router, ...). The file server is not very fast but is enough for doing backups. (From time to time, I back up the server to an external USB disk.)

I was also considering using a netbook for the task. What about it?

I don't think a netbook will be reliable running 24/24. This was my only concern on the net5501, the reliability of the internal 2.5" disk drive; it looks good after 3 years.

Check the soekris-tech mailing list; questions about performance are often asked.
Re: soekris + openbsd server buy question
On Fri, 3 Dec 2010 08:44:43 -0500, Adam M. Dutko dutko.a...@gmail.com wrote:

The specifications for the Soekris system you mentioned don't lead me to believe they'd be great for file server duty. When I think of file servers I think of fast disk (5501 can use SATA so that's a plus)

On the net5501 this is not real SATA; the box uses a PATA-SATA adapter behind the cs5536 chipset.
ifconfig and carp demote count
(4.8/amd64)
Hello,

Looks like the carp demote count is limited to 255 but the max value in ifconfig is less than or equal to 128.

# ifconfig -g carp
carp: carp demote count 0
# ifconfig -g carp carpdemote 100
# ifconfig -g carp carpdemote 100
# ifconfig -g carp
carp: carp demote count 200
# ifconfig -g carp -carpdemote 200
ifconfig: invalid carp demotion: too large

Thanks, regards.
Re: (4.8) OpenBGPd sometimes does not send the routes to the peer.
On Mon, 8 Nov 2010 20:03:11 +0100, Claudio Jeker cje...@diehard.n-r-g.com wrote:

Can you run a bgpctl show rib detail 129.20.0.0/16 and a bgpctl show table. For some reason none of the above routes got selected and so nothing is redistributed. It looks like the decision process is turned off. So it is not what I first thought the problem is.

Just in case:
# bgpctl show rib detail 129.20.0.0/16
BGP routing table entry for 129.20.0.0/16
    Nexthop 0.0.0.0 (via 0.0.0.0) from LOCAL (193.51.184.25)
    Origin IGP, metric 0, localpref 100, internal, valid, announced
    Last update: 15:37:39 ago

Doh! I should read the log more carefully, the hint is there:
new ktable rdomain_0 for rtableid 0
listening on 0.0.0.0
change to/from route-collector mode ignored
RDE reconfigured

In other words the daemon came up in route-collector mode and so no paths are validated. Figured it out at the airport by just looking at the code and swearing. Diff is untested but I guess everyone agrees that a bit more memory initialisation could help.

It looks better, I'm not able to reproduce the problem with this patch (applied on 4.8 src).

Thanks a lot! Regards.
(4.8) quagga and tcp-md5 signature
Hello,

Do you know if Quagga in OpenBSD 4.8 implements the tcp-md5 signature (for BGP)? Looks like it does not work.

Thanks, regards.
Re: (4.8) quagga and tcp-md5 signature
On Mon, 8 Nov 2010 15:14:49 +0100, David Coppa dco...@gmail.com wrote:

Do you know if Quagga in OpenBSD 4.8 implements the tcp-md5 signature (for BGP)? Looks like it does not work.

Why use quagga when you have bgpd (which is in the tree and supports md5 signatures as well)?

Because: http://www.mail-archive.com/misc@openbsd.org/msg96725.html

I would prefer to use OpenBGP.
Re: (4.8) OpenBGPd sometimes does not send the routes to the peer.
On Mon, 8 Nov 2010 16:07:06 +0100, Claudio Jeker cje...@diehard.n-r-g.com wrote:

Have you checked if the networks were actually added to the RIB?

Do you mean bgpctl show rib? No. Well, it takes some time but I'm able to reproduce this:

# bgpctl show rib
flags: * = Valid, > = Selected, I = via IBGP, A = Announced
origin: i = IGP, e = EGP, ? = Incomplete
flags destination gateway lpref med aspath origin
AI* 129.20.0.0/16 0.0.0.0 100 0 i
AI* 148.60.0.0/16 0.0.0.0 100 0 i
* 192.168.1.0/24 193.51.184.26 100 0 2200 i
AI* 193.52.12.0/24 0.0.0.0 100 0 i
AI* 193.52.37.0/24 0.0.0.0 100 0 i
AI* 193.52.56.0/24 0.0.0.0 100 0 i
AI* 193.52.60.0/24 0.0.0.0 100 0 i
AI* 195.220.94.0/24 0.0.0.0 100 0 i
AI* 2001:660:7307::/48 :: 100 0 i
* 2001:660:7310:10::/80 2001:660:7300:1005:0:38:0:2200 100 0 2200 i
--

And there is nothing announced in show rib out neig PEER. Ok for incoming routes:

# bgpctl show rib in neig RenaterV4
flags: * = Valid, > = Selected, I = via IBGP, A = Announced
origin: i = IGP, e = EGP, ? = Incomplete
flags destination gateway lpref med aspath origin
* 192.168.1.0/24 193.51.184.26 100 0 2200 i

The peer (running OpenBGPd but on FreeBSD) does not receive any route.

I keep the BGP session up if you need more information.

Thanks, regards.
(4.8) OpenBGPd sometimes does not send the routes to the peer.
(4.8/amd64)
Hello,

I'm doing some tests with OpenBGPd and sometimes (but often), when I restart bgpd, it does not send the routes to the peer anymore. The routes are static and configured in bgpd.conf.

How to repeat:
# bgpd -d -v
wait until the routes are sent to the peer.
^D
shoot again

After a few tests (around 5), bgpd does not send the routes:

# bgpctl sh rib out nei RenaterV4
flags: * = Valid, > = Selected, I = via IBGP, A = Announced
origin: i = IGP, e = EGP, ? = Incomplete
flags destination gateway lpref med aspath origin
-

But it gets the incoming routes from the peer:

# bgpctl sh rib in nei RenaterV4
flags: * = Valid, > = Selected, I = via IBGP, A = Announced
origin: i = IGP, e = EGP, ? = Incomplete
flags destination gateway lpref med aspath origin
* 192.168.1.0/24 193.51.184.26 100 0 2200 i

# bgpctl sh nei
BGP neighbor is 193.51.184.26, remote AS 2200
 Description: RenaterV4
  BGP version 4, remote router-id 193.51.184.26
  BGP state = Established, up for 00:20:14
  Last read 00:00:13, holdtime 90s, keepalive interval 30s
  Neighbor capabilities:
    Multiprotocol extensions: IPv4 unicast
    Route Refresh
    4-byte AS numbers

  Message statistics:
                  Sent       Received
  Opens                5              1
  Notifications        0              0
  Updates              0              1
  Keepalives          41             41
  Route Refresh        0              0
  Total               46             43

  Update statistics:
                  Sent       Received
  Updates              0              1
  Withdraws            0              0

  Local host:  193.51.184.25, Local port:  42098
  Remote host: 193.51.184.26, Remote port:   179

(same for the RenaterV6 peer)

--
log: http://user.lamaiziere.net/patrick/obgpd/log-bgpd.txt
bgpd.conf: http://user.lamaiziere.net/patrick/obgpd/bgpd.conf.txt

Any help will be nice.

Thanks, regards.
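Added example for this thread and for the "bgpctl show rib out" thread above (not code from the list or from OpenBGPD): a Python parser for `bgpctl show rib` lines that decodes the flags column (the legend bgpctl prints is * = Valid, > = Selected, I = via IBGP, A = Announced) and lists the networks that are announced but never selected. That is the RIB-side view of the symptom here: as Claudio's reply notes, only selected paths are redistributed, so an "A" entry without ">" is a network the peer will not see. The sample output is constructed from the prefixes in the thread.

```python
"""Parse 'bgpctl show rib' output and report announced-but-unselected prefixes.

Added example for this thread; not code from the list or from OpenBGPD. The
flag legend is the one bgpctl prints; the sample RIB below is constructed
from the thread's prefixes (the two local networks deliberately lack '>').
"""
from collections import namedtuple

Entry = namedtuple("Entry", "flags prefix gateway lpref med aspath origin")

# Legend as printed by bgpctl, in the order the flags are usually shown.
FLAG_NAMES = (("A", "announced"), ("I", "ibgp"), ("*", "valid"), (">", "selected"))

# Constructed sample in bgpctl's format (values taken from the thread).
SAMPLE = """\
flags: * = Valid, > = Selected, I = via IBGP, A = Announced
origin: i = IGP, e = EGP, ? = Incomplete

flags destination          gateway          lpref   med aspath origin
AI*   129.20.0.0/16        0.0.0.0            100     0 i
AI*   148.60.0.0/16        0.0.0.0            100     0 i
*>    192.168.1.0/24       193.51.184.26      100     0 2200 i
"""


def parse(text):
    """Return one Entry per RIB line, skipping the legend and the header."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] in ("flags", "flags:", "origin:"):
            continue
        if "/" in parts[0]:            # no flags set: line starts with the prefix
            parts.insert(0, "")
        flags, prefix, gateway = parts[0], parts[1], parts[2]
        lpref, med = int(parts[3]), int(parts[4])
        aspath, origin = tuple(parts[5:-1]), parts[-1]   # AS path may be empty
        entries.append(Entry(set(flags), prefix, gateway, lpref, med, aspath, origin))
    return entries


def describe(entry):
    """Human-readable flag names for an entry, in legend order."""
    return [name for flag, name in FLAG_NAMES if flag in entry.flags]


def unselected_announcements(entries):
    """Prefixes carrying 'A' (announced by us) but no '>' (selected).

    bgpd redistributes only selected paths, so these are exactly the networks
    that 'show rib out' will not list and the peer will never receive.
    """
    return [e.prefix for e in entries if "A" in e.flags and ">" not in e.flags]


if __name__ == "__main__":
    rib = parse(SAMPLE)
    for e in rib:
        print("%-22s %-16s %s" % (e.prefix, e.gateway, ", ".join(describe(e))))
    print("announced but not selected:", unselected_announcements(rib))
```

A non-empty result from unselected_announcements() right after a restart is a cheap monitoring check for the situation in this thread, where the session is Established and inbound routes arrive while our own networks sit in the RIB unselected.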
PF set skip on interface group
Hello,

(snapshot 4.8/amd64)

I'm trying to write a hardware-independent pf.conf using some interface groups. Packet Filter "set skip" does not look to work fine with interface groups.

# ifconfig IFPFSYNC
bnx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:22:19:5b:ad:da
        description: PFSYNC
        priority: 0
        groups: IFPFSYNC
        media: Ethernet autoselect (1000baseT full-duplex,master)
        status: active
        inet 192.168.255.253 netmask 0xfffc broadcast 192.168.255.255
        inet6 fe80::222:19ff:fe5b:adda%bnx0 prefixlen 64 scopeid 0xb

and in pf.conf:
set skip on { lo, IFPFSYNC }

# pfctl -vvvs Interfaces -i bnx0
bnx0
# pfctl -vvvs Interfaces -i IFPFSYNC
IFPFSYNC (skip)

I think that bnx0 should be set to skip too, no? Also pflog shows that bnx0 is not skipped.

Thanks, regards.
(snapshot 4.8) acpi button (on/off) not found on Dell Poweredge R610.
Hello,

I'm using a snapshot of 4.8/amd64 (October 6) and I'm not able to shut down the box properly using the power on/off button.

The machine is a Dell PowerEdge R610:
bios0: vendor Dell Inc. version 2.1.9 date 05/21/2010
bios0: Dell Inc. PowerEdge R610

full dmesg: http://user.lamaiziere.net/patrick/dmesg-open48.txt
acpidump: http://user.lamaiziere.net/patrick/acpidump.tar.gz

sensors:
# sysctl -a | grep sensor
hw.sensors.cpu0.temp0=46.00 degC
hw.sensors.cpu1.temp0=46.00 degC
hw.sensors.cpu2.temp0=46.00 degC
hw.sensors.cpu3.temp0=46.00 degC
hw.sensors.cpu4.temp0=46.00 degC
hw.sensors.cpu5.temp0=46.00 degC
hw.sensors.cpu6.temp0=46.00 degC
hw.sensors.cpu7.temp0=46.00 degC
hw.sensors.mfi0.drive0=online (sd0), OK

The button works fine on FreeBSD; tell me if a FreeBSD dmesg would be useful.

Thanks, regards.
carp and IPv6 duplicate IP6 address
Hello,

(snapshot 4.8/amd64)

I'm playing with carp in master/backup mode. When a server becomes inactive (from master to backup or from backup to master) there is a duplicate IP6 address. Is it bad, doctor?

For example on the master:
Oct 15 15:34:27 ucop1 /bsd: carp1: state transition: MASTER -> BACKUP
Oct 15 15:34:27 ucop1 /bsd: carp16: state transition: MASTER -> BACKUP
Oct 15 15:34:27 ucop1 /bsd: nd6_na_input: duplicate IP6 address fe80:0014::0200:5eff:fe00:0110
Oct 15 15:34:27 ucop1 /bsd: nd6_na_input: duplicate IP6 address 2001:0660:7307:0001:0002::000f

I use IPv6 only on carp16.

/etc/hostname.carp16:
carpdev em0 vhid 16 pass inet6 2001:660:7307:1:2::f/80 up

Thanks, regards.
Re: Carp Master / Backup
On Fri, 15 Oct 2010 15:29:30 +0100, Harrower Gary (NHS National Services Scotland) gary.harro...@nhs.net wrote:

Hi,

Any ideas why they were both trying to be master?

Did you set carp preemption on both machines?