Re: How to analyse excessive PF states?

2016-10-24 Thread Patrick Lamaiziere
On Sat, 22 Oct 2016 18:12:37 +0200,
Federico Giannici wrote:

> We have a firewall with OpenBSD 6.0 amd64 that handles about 1.5 Gbps
> of traffic.
> 
> I noticed that from a few weeks the number of states is increased
> from around 250.000 to almost 2 millions (no change in PF config)!
> 
> At the same time the firewall started losing a few packets (around
> 1-2%, with peaks of 4%). Maybe this is due to too many states to
> handle?

Hard to tell for the number of states, but you have some PF congestion,
which is bad.

Did you try increasing the sysctl net.inet.ip.ifq.maxlen?
In my previous setup that helped a bit against congestion
(net.inet.ip.ifq.maxlen=2048).

Regards,
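As an added example (not part of the thread), a small parser for the counters this reply points at: it reads text in the shape of `pfctl -si`, `pfctl -sm` and `sysctl net.inet.ip.ifq` output and reports a state table close to its hard limit, refused state insertions, memory failures and a non-zero congestion counter. The three sample outputs are constructed for the example, and the 80% threshold and the finding texts are the example's own choices.

```python
"""Read pfctl(8) / sysctl(8) output and flag the two conditions discussed
above: a state table near its hard limit and pf congestion drops.
Added example; the sample outputs below are constructed, not from the post."""
import re

# Constructed to resemble `pfctl -si` on a loaded firewall.
PFCTL_SI = """\
Status: Enabled for 12 days 03:14:07           Debug: err

State Table                          Total             Rate
  current entries                  1987654
  searches                      1234567890        11837.2/s
  inserts                        987654321          946.9/s
  removals                       985666667          945.0/s
Counters
  match                          123456789          118.3/s
  bad-offset                             0            0.0/s
  fragment                            1234            0.0/s
  short                                 56            0.0/s
  normalize                              0            0.0/s
  memory                              4321            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                         98765            0.1/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                      1234            0.0/s
  state-insert                           0            0.0/s
  state-limit                        12000            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
"""

# Constructed to resemble `pfctl -sm` after "set limit states 2000000".
PFCTL_SM = """\
states        hard limit  2000000
src-nodes     hard limit   100000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000
"""

# Constructed to resemble `sysctl net.inet.ip.ifq` with the default maxlen.
SYSCTL_IFQ = """\
net.inet.ip.ifq.len=0
net.inet.ip.ifq.maxlen=256
net.inet.ip.ifq.drops=48211
"""

COUNTER_RE = re.compile(r"^\s+([a-z][a-z -]*?)\s{2,}(\d+)")
LIMIT_RE = re.compile(r"^(\S+)\s+hard limit\s+(\d+)")


def parse_counters(text):
    """Map each `pfctl -si` row name (e.g. 'congestion') to its Total column."""
    return {m.group(1): int(m.group(2))
            for m in (COUNTER_RE.match(l) for l in text.splitlines()) if m}


def parse_limits(text):
    """Map each `pfctl -sm` resource (e.g. 'states') to its hard limit."""
    return {m.group(1): int(m.group(2))
            for m in (LIMIT_RE.match(l) for l in text.splitlines()) if m}


def parse_sysctl(text):
    """Map sysctl names to integer values from `name=value` lines."""
    return {k: int(v) for k, v in
            (l.split("=", 1) for l in text.splitlines() if "=" in l)}


def state_fill(counters, limits):
    """Fraction of the states hard limit currently in use."""
    return counters["current entries"] / float(limits["states"])


def assess(si_text, sm_text, ifq_text, fill_warn=0.80):
    """Return a list of (severity, message) findings; empty means healthy."""
    counters = parse_counters(si_text)
    limits = parse_limits(sm_text)
    ifq = parse_sysctl(ifq_text)
    findings = []
    fill = state_fill(counters, limits)
    if fill >= fill_warn:
        findings.append(("warn", "state table at %d of %d (%.0f%% of hard limit)"
                         % (counters["current entries"], limits["states"], fill * 100)))
    if counters.get("state-limit", 0):
        findings.append(("crit", "%d state insertions refused at the hard limit"
                         % counters["state-limit"]))
    if counters.get("memory", 0):
        findings.append(("crit", "%d packets dropped for lack of memory"
                         % counters["memory"]))
    if counters.get("congestion", 0):
        findings.append(("warn", "congestion counter %d with ifq.maxlen=%d and %d ifq drops"
                         % (counters["congestion"], ifq["net.inet.ip.ifq.maxlen"],
                            ifq["net.inet.ip.ifq.drops"])))
    return findings


if __name__ == "__main__":
    for severity, message in assess(PFCTL_SI, PFCTL_SM, SYSCTL_IFQ):
        print("%-4s %s" % (severity, message))
```

On a real firewall the three strings are simply the captured output of `pfctl -si`, `pfctl -sm` and `sysctl net.inet.ip.ifq`; a non-zero state-limit counter means new connections are being refused because the table is full, which is a different problem from congestion drops and is fixed with `set limit states`, not with ifq.maxlen.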



Re: pf, bridge and vether: interface with no group

2016-02-16 Thread Patrick Lamaiziere
On Tue, 16 Feb 2016 13:05:51 +0100,
Clemens Goessnitzer wrote:

OK, I think:

the pf.conf rule
### rules for internal network ###
pass inet proto { tcp, udp } from internal:network to port $udp_services

is expanded to

pass inet proto udp from 10.0.0.0/24 to any port = 22
pass inet proto udp from 10.0.0.0/24 to any port = 53
pass inet proto udp from 10.0.0.0/24 to any port = 123
pass inet proto udp from 10.0.0.0/24 to any port = 67
pass inet proto udp from 10.0.0.0/24 to any port = 68

For DHCP, the source IP is 0.0.0.0 so this does not match.

If re1 is a member of the group internal, how is this rule expanded?
(Maybe there is something with "if:network" when the interface
does not have an IP address and a network.)

Regards,
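An added pf.conf fragment (not configuration from the thread) showing the point made above: the `internal:network` source only covers clients that already hold an address in the group's subnet, so DHCP bootstrap traffic sourced from 0.0.0.0 needs its own rule. It assumes an interface group named "internal" with re1 as a member and a `$udp_services` macro like the one quoted; the port list is the example's.

```conf
# Added example, not from the thread. Assumes re1 (with no address of its
# own) is a member of the interface group "internal".
udp_services = "{ 22, 53, 123, 67, 68 }"

# Expands to one rule per protocol and port, with the source fixed to the
# network(s) configured on the group members. A DHCP DISCOVER/REQUEST from
# a client that has no lease yet is sourced from 0.0.0.0 and never matches.
pass inet proto { tcp, udp } from internal:network to port $udp_services

# DHCP bootstrap traffic therefore has to be allowed without a network match.
pass in  on internal inet proto udp from 0.0.0.0 port 68 to 255.255.255.255 port 67
pass out on internal inet proto udp from any     port 67 to any             port 68
```

`pfctl -nvf /etc/pf.conf` prints the expansion without loading it, which is the quickest way to see what `internal:network` actually resolved to on a given box.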



Re: pf, bridge and vether: interface with no group

2016-02-16 Thread Patrick Lamaiziere
On Tue, 16 Feb 2016 00:10:41 +0100,
Clemens Goessnitzer wrote:

> Hello misc,

Hi

...

> So, if I specify a group for re1, everything is working as expected.
> However, if re1 is not a member of any group, DHCP request are blocked
> by pf, as tcpdump shows. Is this intended behaviour? Or have I done
> something wrong in my ruleset?

Hmm, maybe the output of the ruleset loaded by pf will help.

# pfctl -sr

Regards



Re: Firewall cluster.

2014-07-14 Thread Patrick Lamaiziere
On Wed, 09 Jul 2014 20:33:47 +0200,
Mxher o...@mxher.fr wrote:

Hello,

> I'm doing a few more tests and now I'm wondering if it is possible
> to disallow CARP to have some resources on serverA and others on
> serverB?

You can use ifstated to implement your own logic.

I have a pair of firewalls, the first is the normal master, the second is
the backup. If a problem occurs on the first, carp allows the second to
become master. But then, ifstated running on the first fw disables carp
to prevent it from becoming master again (even if a problem occurs on the
second). To make the first master again, someone must, by hand,
check the situation and enable carp on it. This is because the failover
depends on some BGP sessions here.

Regards,



Re: unlink utility

2014-03-26 Thread Patrick Lamaiziere
On Wed, 26 Mar 2014 12:19:25 +0100,
Dmitrij D. Czarkoff czark...@gmail.com wrote:

Hello,

> For some reason POSIX X/Open Systems Interfaces option requires
> 'unlink' utility to be present in operating system.  Sure, it does
> nothing that 'rm' doesn't already do, but given that 'unlink' is
> already used in some scripts, I wonder if it would be beneficial for
> OpenBSD to include such utility.
>
> FWIW a simple implementation follows.

On FreeBSD /bin/unlink is a link to /bin/rm:

/*
 * Test for the special case where the utility is called as
 * unlink, for which the functionality provided is greatly
 * simplified.
 */
if ((p = strrchr(argv[0], '/')) == NULL)
	p = argv[0];
else
	++p;
if (strcmp(p, "unlink") == 0) {
	/* no options are accepted when invoked as unlink */
	while (getopt(argc, argv, "") != -1)
		usage();
	argc -= optind;
	argv += optind;
	if (argc != 1)
		usage();
	rm_file(argv[0]);
	exit(eval);
}

> 	} else if (unlink(*(argv+1))) {

Hmm, the code in rm does more than a simple unlink(2).

Regards,



Re: Snmpd question

2014-02-13 Thread Patrick Lamaiziere
On Wed, 12 Feb 2014 11:25:58 -0600,
Bales, Tracy tracy.ba...@williams.com wrote:

Hello,

> Is it possible to have a shell script modify the contents of a user
> defined OID that is setup in snmpd.conf?
>
> I would like to have a cron event run a shell script and that script
> modify the OID values so that a remote SNMP server can monitor the
> changes using SNMP gets and mgets.  I do not want to use SNMP traps.
>
> Thanks for any feedback!

I don't know if snmpd can do this; I use net-snmpd (in ports) to pass
user OID values.

Regards,



Re: OpenBSD as a router on Oracle T5120

2014-01-20 Thread Patrick Lamaiziere
On Mon, 20 Jan 2014 18:59:02 -0200,
Eduardo Meyer dudu.me...@gmail.com wrote:

> hello,
>
> I am doing some basic testings on the above mentioned scenario and I
> am stuck on some limits which I consider to be very low: I cannot get
> more than 27Kpps and 200Mbit/s routing performance without starting
> to lose packets.
> ...
> All 6 network cards are Intel 82571EB which support MSI-X and should,
> in theory support IRQ balance.

MSI has been disabled on this chipset since OpenBSD 5.2...
You can try to re-enable MSI in em(4); here this helps a lot (on amd64).

Check the thread "(5.3) load problem on em(4) MSI / interrupt ?" on
misc@

https://www.mail-archive.com/misc@openbsd.org/msg123743.html

Regards,

patch on 5.3:
--- /usr/src/sys/dev/pci/if_em.c.orig   Tue Oct  1 14:45:36 2013
+++ /usr/src/sys/dev/pci/if_em.cTue Oct  1 14:48:52 2013
@@ -337,7 +337,7 @@
 * Only use MSI on the newer PCIe parts, with the exception
 * of 82571/82572 due to Byte Enables 2 and 3 Are Not Set
errata */
-   if (sc-hw.mac_type = em_82572)
+   if (sc-hw.mac_type  em_82571)
sc-osdep.em_pa.pa_flags = ~PCI_FLAGS_MSI_ENABLED;
 
/* Parameters (to be read from user) */
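Review bot: this hunk relaxes the mac_type test that kept MSI off for the 82571/82572 parts, but the comment directly above it still says those parts are excluded because of the "Byte Enables 2 and 3 Are Not Set" errata, so after the change the comment documents the opposite of what the code does; update it to say the exclusion is deliberately dropped as a local workaround for hardware that has been tested with MSI. Since the errata symptom reported later in this thread is a card that does not transmit at all, this should stay a local patch rather than be proposed as a general change.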



Re: (5.3) load problem on em(4) MSI / interrupt ?

2013-12-09 Thread Patrick Lamaiziere
On Tue, 1 Oct 2013 08:37:09 +0000 (UTC),
Stuart Henderson s...@spacehopper.org wrote:

Hello,

> On 2013-10-01, Patrick Lamaiziere patf...@davenulle.org wrote:
> > Hello,
> >
> > With OpenBSD 5.3, our firewall does not handle our network load
> > well. We lose around 5% of packets and netstat shows a lot of Ierr.
> >
> > That worked much better with 5.1. There was a change to not enable
> > MSI on 82572 chipset on our Intel card ( Intel PRO/1000 QP
> > (82571EB) rev 0x06) in 5.2 :
> > http://freshbsd.org/commit/openbsd/a47ca448720823019bc6c618bf178a47fd1af73a
> >
> > My question is: could it be the cause of our load problem ?
> >
> > 5.1:
> > em0 at pci5 dev 0 function 0 Intel PRO/1000 QP (82571EB) rev 0x06: msi, address 00:15:17:ed:98:9d
> > em1 at pci5 dev 0 function 1 Intel PRO/1000 QP (82571EB) rev 0x06: msi, address 00:15:17:ed:98:9c
> > em2 at pci6 dev 0 function 0 Intel PRO/1000 QP (82571EB) rev 0x06: msi, address 00:15:17:ed:98:9f
> > em3 at pci6 dev 0 function 1 Intel PRO/1000 QP (82571EB) rev 0x06: msi, address 00:15:17:ed:98:9e
> >
> > 5.3 (on another box with the same hardware):
> > em0 at pci5 dev 0 function 0 Intel PRO/1000 QP (82571EB) rev 0x06: apic 1 int 13, address 00:15:17:ed:98:65
> > em1 at pci5 dev 0 function 1 Intel PRO/1000 QP (82571EB) rev 0x06: apic 1 int 6, address 00:15:17:ed:98:64
> > em2 at pci6 dev 0 function 0 Intel PRO/1000 QP (82571EB) rev 0x06: apic 1 int 15, address 00:15:17:ed:98:67
> > em3 at pci6 dev 0 function 1 Intel PRO/1000 QP (82571EB) rev 0x06: apic 1 int 13, address 00:15:17:ed:98:66
> >
> > We don't have any problem with this card, how can we re-enable MSI
> > (without reverting this change)?
>
> Simplest way to test is to just revert that change in your source
> tree.. That will identify whether this issue is due to disabling MSI,
> or whether it's due to one of the many other changes between 5.1 and
> 5.3..

Sure... Well, sorry for the delay, I was only able to test with MSI enabled
last week.

On OpenBSD 5.3 with MSI enabled we don't lose too many packets and the
firewall performs like it did on OpenBSD 5.1.

Is it possible to re-enable MSI on this type of network card? Our
firewall doesn't handle the load at all without MSI.

pcidump -v of the card:

 6:0:0: Intel PRO/1000 QP (82571EB)
0x: Vendor ID: 8086 Product ID: 10a5
0x0004: Command: 0007 Status ID: 0010
0x0008: Class: 02 Subclass: 00 Interface: 00 Revision: 06
0x000c: BIST: 00 Header Type: 80 Latency Timer: 00 Cache Line Size: 10
0x0010: BAR mem 32bit addr: 0xd628/0x0002
0x0014: BAR mem 32bit addr: 0xd62a/0x0002
0x0018: BAR io addr: 0xecc0/0x0020
0x001c: BAR empty ()
0x0020: BAR empty ()
0x0024: BAR empty ()
0x0028: Cardbus CIS: 
0x002c: Subsystem Vendor ID: 8086 Product ID: 10a5
0x0030: Expansion ROM Base Address: d620
0x0038: 
0x003c: Interrupt Pin: 02 Line: 0e Min Gnt: 00 Max Lat: 00
0x00c8: Capability 0x01: Power Management
0x00d0: Capability 0x05: Message Signaled Interrupts (MSI)
0x00e0: Capability 0x10: PCI Express
Link Speed: 2.5 / 2.5 GT/s Link Width: x4 / x4
 6:0:1: Intel PRO/1000 QP (82571EB)
0x: Vendor ID: 8086 Product ID: 10a5
0x0004: Command: 0007 Status ID: 0010
0x0008: Class: 02 Subclass: 00 Interface: 00 Revision: 06
0x000c: BIST: 00 Header Type: 80 Latency Timer: 00 Cache Line Size: 10
0x0010: BAR mem 32bit addr: 0xd62c/0x0002
0x0014: BAR mem 32bit addr: 0xd62e/0x0002
0x0018: BAR io addr: 0xece0/0x0020
0x001c: BAR empty ()
0x0020: BAR empty ()
0x0024: BAR empty ()
0x0028: Cardbus CIS: 
0x002c: Subsystem Vendor ID: 8086 Product ID: 10a5
0x0030: Expansion ROM Base Address: d620
0x0038: 
0x003c: Interrupt Pin: 01 Line: 0f Min Gnt: 00 Max Lat: 00
0x00c8: Capability 0x01: Power Management
0x00d0: Capability 0x05: Message Signaled Interrupts (MSI)
0x00e0: Capability 0x10: PCI Express
Link Speed: 2.5 / 2.5 GT/s Link Width: x4 / x4
 7:0:0: Intel PRO/1000 QP (82571EB)
0x: Vendor ID: 8086 Product ID: 10a5
0x0004: Command: 0007 Status ID: 0010
0x0008: Class: 02 Subclass: 00 Interface: 00 Revision: 06
0x000c: BIST: 00 Header Type: 80 Latency Timer: 00 Cache Line Size: 10
0x0010: BAR mem 32bit addr: 0xd618/0x0002
0x0014: BAR mem 32bit addr: 0xd61a/0x0002
0x0018: BAR io addr: 0xdcc0/0x0020
0x001c: BAR empty ()
0x0020: BAR empty ()
0x0024: BAR empty ()
0x0028: Cardbus CIS: 
0x002c: Subsystem Vendor ID: 8086 Product ID: 10a5
0x0030: Expansion ROM Base Address: d610
0x0038: 
0x003c: Interrupt Pin: 02 Line: 0b Min Gnt: 00 Max

Re: (5.3) load problem on em(4) MSI / interrupt ?

2013-12-09 Thread Patrick Lamaiziere
On Mon, 09 Dec 2013 12:31:04 +0000,
Stuart Henderson s...@spacehopper.org wrote:

Hello,

> I don't think msi can be re-enabled for this part in OpenBSD, the
> reason it's disabled is that there is a bug in the 82571/2 chips
> (errata 63 in
> http://www.intel.co.uk/content/dam/www/public/us/en/documents/specification-updates/82571eb-82572ei-gbe-controller-spec-update.pdf)
> and the symptom in affected machines is that the card doesn't
> transmit at all, so unless someone else has a clever idea I think
> this will need to remain a local patch.

I agree, I've read the bug report
(http://openbsd.7691.n7.nabble.com/Intel-PRO-1000-PF-em-network-card-not-working-with-MSI-on-Dell-R610-td195975.html)
and we use a later BIOS on our R610, maybe it fixes this issue:

bios0: vendor Dell Inc. version 2.1.15 date 09/02/2010
bios0: Dell Inc. PowerEdge R610

(the number of errata for this card is incredible!)

Thanks, regards.



Re: OpenBSD and NetFlow

2013-12-04 Thread Patrick Lamaiziere
On Tue, 03 Dec 2013 17:05:59 +0100,
Alexis VACHETTE avache...@sisteer.com wrote:

> Hi everyone,

Hello,

> I would like to share an issue with one of my OpenBSD Firewall which
> is present in my company.
>
> Everything was working fine until a server crash this last week-end.
>
> We have setup the netflow protocol with the pseudo device pflow0.

If I understand correctly, you see the outgoing netflow packets on pflow0 but
not on the physical interface with tcpdump?

I've tried on OpenBSD 5.1, tcpdump shows the netflow packets on both
interfaces.

Regards.



(5.3) load problem on em(4) MSI / interrupt ?

2013-10-01 Thread Patrick Lamaiziere
Hello,

With OpenBSD 5.3, our firewall does not handle our network load well.
We lose around 5% of packets and netstat shows a lot of Ierr.

That worked much better with 5.1. There was a change in 5.2 to not enable MSI
on the 82572 chipset on our Intel card (Intel PRO/1000 QP (82571EB) rev 0x06):
 
http://freshbsd.org/commit/openbsd/a47ca448720823019bc6c618bf178a47fd1af73a

My question is: could it be the cause of our load problem ?

5.1:
em0 at pci5 dev 0 function 0 Intel PRO/1000 QP (82571EB) rev 0x06: msi, address 00:15:17:ed:98:9d
em1 at pci5 dev 0 function 1 Intel PRO/1000 QP (82571EB) rev 0x06: msi, address 00:15:17:ed:98:9c
em2 at pci6 dev 0 function 0 Intel PRO/1000 QP (82571EB) rev 0x06: msi, address 00:15:17:ed:98:9f
em3 at pci6 dev 0 function 1 Intel PRO/1000 QP (82571EB) rev 0x06: msi, address 00:15:17:ed:98:9e

5.3 (on another box with the same hardware):
em0 at pci5 dev 0 function 0 Intel PRO/1000 QP (82571EB) rev 0x06: apic 1 int 13, address 00:15:17:ed:98:65
em1 at pci5 dev 0 function 1 Intel PRO/1000 QP (82571EB) rev 0x06: apic 1 int 6, address 00:15:17:ed:98:64
em2 at pci6 dev 0 function 0 Intel PRO/1000 QP (82571EB) rev 0x06: apic 1 int 15, address 00:15:17:ed:98:67
em3 at pci6 dev 0 function 1 Intel PRO/1000 QP (82571EB) rev 0x06: apic 1 int 13, address 00:15:17:ed:98:66

We don't have any problem with this card, how can we re-enable MSI (without 
reverting this change)?

Thanks, regards.



carp demote count in 5.3 (change since 5.1)

2013-07-29 Thread Patrick Lamaiziere
Hello,

I'm upgrading our firewalls to OpenBSD 5.3 (with errata) from 5.1:

As far as I can see now, the firewall (without any problem) starts with a
carp demote count of 33. On 5.1 the demote count was 0.

Looks like the 33 comes with a pfsync bulk start:
Jul 29 13:51:01 ucop2 /bsd: carp: pfsync0 demoted group pfsync by 1 to 33 (pfsync bulk start)

Questions
- is it the intended behavior?
- how to fix this?
- why 33 instead of 42?

While I'm here, it would be nice to be able to set the demote counter with
an absolute value, we use it to demote the master if BGP fails.


Thanks. Regards

carp log on 5.1

Jul 29 14:04:44 ucop2 /bsd: carp1: state transition: BACKUP -> INIT
Jul 29 14:04:44 ucop2 /bsd: carp16: state transition: BACKUP -> INIT
Jul 29 14:04:44 ucop2 /bsd: carp2: state transition: BACKUP -> INIT
Jul 29 14:04:44 ucop2 /bsd: carp26: state transition: BACKUP -> INIT
Jul 29 14:04:44 ucop2 /bsd: carp3: state transition: BACKUP -> INIT
Jul 29 14:04:44 ucop2 /bsd: carp4: state transition: BACKUP -> INIT
Jul 29 14:04:44 ucop2 /bsd: carp5: state transition: BACKUP -> INIT
Jul 29 14:21:49 ucop2 /bsd: carp1: state transition: INIT -> BACKUP
Jul 29 14:21:49 ucop2 /bsd: carp16: state transition: INIT -> BACKUP
Jul 29 14:21:49 ucop2 /bsd: carp2: state transition: INIT -> BACKUP
Jul 29 14:21:49 ucop2 /bsd: carp26: state transition: INIT -> BACKUP
Jul 29 14:21:49 ucop2 /bsd: carp26: state transition: BACKUP -> INIT
Jul 29 14:21:49 ucop2 /bsd: carp26: state transition: INIT -> BACKUP
Jul 29 14:21:49 ucop2 /bsd: carp: carp3 demoted group carp by 1 to 129 (carpdev)
Jul 29 14:21:49 ucop2 /bsd: carp: carp4 demoted group carp by 1 to 130 (carpdev)
Jul 29 14:21:49 ucop2 /bsd: carp: carp5 demoted group carp by 1 to 131 (carpdev)
Jul 29 14:21:49 ucop2 /bsd: carp: pfsync0 demoted group carp by 1 to 132 (pfsync bulk start)
Jul 29 14:21:49 ucop2 /bsd: carp: pfsync0 demoted group pfsync by 1 to 1 (pfsync bulk start)
Jul 29 14:21:49 ucop2 /bsd: carp3: state transition: INIT -> BACKUP
Jul 29 14:21:49 ucop2 /bsd: carp: carp3 demoted group carp by -1 to 131 (carpdev)
Jul 29 14:21:49 ucop2 /bsd: carp4: state transition: INIT -> BACKUP
Jul 29 14:21:49 ucop2 /bsd: carp: carp4 demoted group carp by -1 to 130 (carpdev)
Jul 29 14:21:49 ucop2 /bsd: carp5: state transition: INIT -> BACKUP
Jul 29 14:21:49 ucop2 /bsd: carp: carp5 demoted group carp by -1 to 129 (carpdev)
Jul 29 14:21:49 ucop2 /bsd: carp: pfsync0 demoted group carp by -1 to 128 (pfsyncdev)
Jul 29 14:21:49 ucop2 /bsd: carp: pfsync0 demoted group pfsync by -1 to 0 (pfsyncdev)

carp demote = 0

carp log on 5.3

Jul 29 13:51:01 ucop2 /bsd: carp1: state transition: INIT -> BACKUP
Jul 29 13:51:01 ucop2 /bsd: carp16: state transition: INIT -> BACKUP
Jul 29 13:51:01 ucop2 /bsd: carp2: state transition: INIT -> BACKUP
Jul 29 13:51:01 ucop2 /bsd: carp26: state transition: INIT -> BACKUP
Jul 29 13:51:01 ucop2 /bsd: carp26: state transition: BACKUP -> INIT
Jul 29 13:51:01 ucop2 /bsd: carp26: state transition: INIT -> BACKUP
Jul 29 13:51:01 ucop2 /bsd: carp: carp3 demoted group carp by 1 to 129 (carpdev)
Jul 29 13:51:01 ucop2 /bsd: carp: carp4 demoted group carp by 1 to 130 (carpdev)
Jul 29 13:51:01 ucop2 /bsd: carp: carp5 demoted group carp by 1 to 131 (carpdev)
Jul 29 13:51:01 ucop2 /bsd: carp: pfsync0 demoted group carp by 32 to 163 (pfsync init)
Jul 29 13:51:01 ucop2 /bsd: carp: pfsync0 demoted group pfsync by 32 to 32 (pfsync init)
Jul 29 13:51:01 ucop2 /bsd: carp: pfsync0 demoted group carp by 1 to 164 (pfsync bulk start)
Jul 29 13:51:01 ucop2 /bsd: carp: pfsync0 demoted group pfsync by 1 to 33 (pfsync bulk start)
Jul 29 13:51:01 ucop2 /bsd: carp3: state transition: INIT -> BACKUP
Jul 29 13:51:01 ucop2 /bsd: carp: carp3 demoted group carp by -1 to 163 (carpdev)
Jul 29 13:51:01 ucop2 /bsd: carp4: state transition: INIT -> BACKUP
Jul 29 13:51:01 ucop2 /bsd: carp: carp4 demoted group carp by -1 to 162 (carpdev)
Jul 29 13:51:01 ucop2 /bsd: carp5: state transition: INIT -> BACKUP
Jul 29 13:51:01 ucop2 /bsd: carp: carp5 demoted group carp by -1 to 161 (carpdev)

carp demote = 33



Re: Management of pf.conf

2013-07-11 Thread Patrick Lamaiziere
On Thu, 11 Jul 2013 13:18:13 +0200 (CEST),
Jummo jum...@yahoo.de wrote:

> This works quite good for me and my firewalls with one exception, my
> big fat central router/firewall. This firewall has around 2000 lines
> of pf.conf, is attached with 12 VLAN interfaces and gets slowly
> unmanageable with this concept.
>
> How do you manage such big firewalls? Do you split the pf.conf into
> logical parts? Do you use a base structure for every pf.conf? Do you
> use a tool for automatic creation of pf.conf? How do you test your
> old rules after you changed something?

We have a large set of rules at work on several routers/firewalls and we
use a tool, 'list firewall (lsfw)', to help manage the rule set. The
goal is to display the rules applied between a source address and a
destination, across several devices doing routing and firewalling.
See: https://groupes.renater.fr/wiki/jtacl/index

It has some other features, for example IP cross references, which are
handy to know where an address is used directly or indirectly (in a
table/group), or to extract the addresses from the configurations and
automate tests on them.

That works fine at work (PF + Cisco + Checkpoint), but there are some
limitations (see the doc...)

My next step is a tool to manage security policies. I mean, if someone
asks to open a port, we should be able to track this policy (who, why,
which rules are used) and to check it. This is work in (slow) progress.
If someone already has such a tool, please let me know :)

If you want more details, ask me; this is a bit off topic here.

Regards.



Re: PF sync doesn't not work very well

2013-07-03 Thread Patrick Lamaiziere
On Wed, 03 Jul 2013 07:11:08 -0500,
Mark Felder f...@feld.me wrote:

> On Wed, 03 Jul 2013 07:00:02 -0500, Loïc Blot
> loic.b...@unix-experience.fr wrote:
>
> > Hello,
> > no carp is used at this time.
>
> pfsync needs to be used with carp... without it you're just playing
> whack-a-mole with your session table.

I don't see why, as states are not attached to carp interfaces but to
real interfaces (if-bound) or even, by default, to no interface at
all?

Regards



Re: bad rule, or special filtering needed for bootp packets?

2013-03-28 Thread Patrick Lamaiziere
On Wed, 27 Mar 2013 19:28:08 -0700,
David Ruggiero thatseattle...@gmail.com wrote:

> Thanks! No, it didn't occur to me, so very appreciated.  I didn't
> remember that you could do that form of the table command to show
> explicit members in a list, so that's also really helpful.
>
> FWIW, though..I would not have expected that pf would silently
> drop - without any warning message or complaint - an address
> explicitly stated as being a member of a constant table definition.
> Even that address. You're right that (at least in hindsight)
> 0.0.0.0/mask might be treated differently - maybe it uses it as a
> marker for an empty slot or the like?  But regardless of that, I
> would (a) expect that fact to be documented (if it is, I missed it),
> and (b) expect that the pf parser would say something as it was
> throwing it away (at least a warning message about "unparseable
> address at line XX - ignored" or the like). For it to just drop it on
> the floor and say nothing at all seems - well, kind of non-pf-ish.
>
> Perhaps worth a documentation patch, if not an actual code patch.

Well, even if 0.0.0.0/32 is not included in the table, your table
should match any address (at least 0.0.0.0/32).

Because !192.168.5.128/25 OR !192.168.10.128/25
OR !192.168.99.128/25 is always true.

int_net = 192.168.5.128/25
wls_net = 192.168.10.128/25
ptr_net = 192.168.99.128/25
table unroutable_ips const { 10.0.0.0/8, 172.16.0.0/12,
192.168.0.0/16, !$int_net, !$wls_net, !$ptr_net, 169.254.0.0/16,
127.0.0.0/8, 192.0.2.0/24, 0.0.0.0/32, 240.0.0.0/4, 255.255.255.255/32 }

Am I wrong? Why does 0.0.0.0 not match this table?

I would be happy to know the behavior, because my pfulator(*) does not
work as PF for this.

Thanks, regards.

(*) https://groupes.renater.fr/wiki/jtacl/index



Re: Why to use packages?

2013-03-16 Thread Patrick Lamaiziere
On Sat, 16 Mar 2013 12:36:35 +0400,
Alexander Nusov alexander.nu...@gmail.com wrote:

Hello,

> I'm trying to get why to use binary packages if they are not updated?

I don't see any reason to use packages either (IMHO).

> For example, this package confuses me: lighttpd
>
> ftp://ftp.openbsd.org/pub/OpenBSD/5.2/packages/amd64/
> lighttpd-1.4.31p0-ldap-mysql.tgz    339 kB    31.07.12 0:00:00
> lighttpd-1.4.31p0-ldap.tgz          335 kB    31.07.12 0:00:00
> lighttpd-1.4.31p0-mysql.tgz         337 kB    31.07.12 0:00:00
> lighttpd-1.4.31p0.tgz

It was updated in the stable ports tree (but there is no package
available). You can build your own packages from it and deploy them.

Regards.



Re: carp + 5.1/5.2 woes

2013-01-02 Thread Patrick Lamaiziere
On Wed, 2 Jan 2013 13:39:25 +0100,
Toni Mueller openbsd-m...@oeko.net wrote:

Hello,

> With this setup, carp1 will stay in BACKUP mode when I say "ifconfig
> carp1 advskew 120" on A, while on B, it would go into MASTER
> immediately.

Hmm, did you check the value of the carp demote counter?

# ifconfig -g carp

(just a guess, regards)



Re: [5.1] pflow(4) flow with starttime *after* endtime

2012-11-05 Thread Patrick Lamaiziere
On Fri, 27 Jul 2012 11:13:21 +0200,
Hrvoje Popovski hrv...@srce.hr wrote:

> On 26.7.2012. 18:31, Patrick Lamaiziere wrote:
> > Hello,
> >
> > We have just noticed that pflow (v5) sometimes (but often) uses a
> > StartTime value which is later than the EndTime.
> > So the duration is interpreted as 4294966.29600 seconds.
> > This confuses our collector (nfsen).

For the record, that should be fixed in -current (r1.21).
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_pflow.c

Thanks, regards.



Re: OBSD51: using macros with reply-to

2012-11-01 Thread Patrick Lamaiziere
On Thu, 1 Nov 2012 13:28:18 -0200,
Fernando Braga fermbr...@gmail.com wrote:

Hello,

> pass in on $int_if from VoIP to ! redeOscar route-to
> $cosmo@$int_if
>
> However, when I issue a pfctl -sr, I get
>
> pass in on trunk1 inet from VoIP to ! redeOscar flags S/SA
> route-to 172.16.99.249@$int_if
>
> Shouldn't this @$int_if be translated to trunk1 ?

I guess yes, or rejected.

> Is there another way to accomplish this ?

I use route-to on 5.1 with something like route-to ($int_if $cosmo)

Regards.



[PF 5.1] strange unreachable icmp reply from firewall

2012-10-10 Thread Patrick Lamaiziere
(openbsd 5.1/amd64)

Hello,

I filter icmp echoreq for one host, but on output.

The rules are :
pass in quick on $ext_if inet proto icmp from any to any icmp-type echoreq keep state (floating)
block out quick on $int_if inet proto icmp from any to $host

When I ping this $host from outside, I sometimes see some unreachable icmp replies
coming from the firewall (the block policy is default: drop).

tcpdump on $ext_if
94.23.254.147 > 195.220.94.163: icmp: echo request
193.51.184.25 > 94.23.254.147: icmp: host 195.220.94.163 unreachable
94.23.254.147 > 195.220.94.163: icmp: echo request
94.23.254.147 > 195.220.94.163: icmp: echo request
94.23.254.147 > 195.220.94.163: icmp: echo request
...
193.51.184.25 > 94.23.254.147: icmp: host 195.220.94.163 unreachable

The good thing is that the echoreq packet is dropped, but I don't understand
why the firewall sometimes replies with an icmp unreachable?

Thanks, regards.



Re: Ports security updates in 5.1 or 5.2

2012-08-29 Thread Patrick Lamaiziere
On Wed, 29 Aug 2012 09:59:46 +0200,
Sebastien Marie semarie-open...@latrappe.fr wrote:

Hello,

> I currently follow STABLE branch for openbsd (and so, for ports too),
> which is OPENBSD_5_1.
>
> But, I saw that the last security updates for ports go to OPENBSD_5_2
> and not to OPENBSD_5_1.

Any examples? The problem may not be present in 5.1.

> According to the FAQ
> (http://www.openbsd.org/faq/faq15.html#PortsSecurity), only the
> current and last release are updated. But the current release is
> OPENBSD_5_1 (see http://www.openbsd.org/).
>
> Should I expect security updates will arrive someday to
> OPENBSD_5_1 ? (but I doubt it)

Yes, you can expect it; see the commits on the 5.1 ports branch:
http://www.freshbsd.org/search?project=openbsd-portsbranch=OPENBSD_5_1

Regards.



Re: Broken pfctl ..... ? I not understand my

2012-07-26 Thread Patrick Lamaiziere
On Thu, 26 Jul 2012 12:44:40 +0430,
Bahador NazariFard bahador.nazarif...@gmail.com wrote:

> block in quick on msk0 proto tcp *to* port ssh
> whats this?
>
> instead of above wrong statement, you can use block in quick on msk0
> proto tcp  from any to any port ssh

This is the same thing. The from is optional, and the address is also
optional in the from/to.

So "block in quick on msk0 proto tcp to port ssh" is valid and is
expanded by pfctl to "block drop in quick proto tcp from any to any port
= 22".



[5.1] pflow(4) flow with starttime *after* endtime

2012-07-26 Thread Patrick Lamaiziere
Hello,

We have just noticed that pflow (v5) sometimes (but often) uses a
StartTime value which is later than the EndTime.
So the duration is interpreted as 4294966.29600 seconds.
This confuses our collector (nfsen).

(wireshark)
   pdu 19/30
SrcAddr: 194.57.169.116 (194.57.169.116)
DstAddr: 129.20.254.1 (129.20.254.1)
NextHop: 0.0.0.0 (0.0.0.0)
InputInt: 0
OutputInt: 0
Packets: 3
Octets: 164
[Duration: 4294966.29600 seconds]
StartTime: 251367.0 seconds
EndTime: 251366.0 seconds
SrcPort: 55680
DstPort: 53
padding
TCP Flags: 0x00
Protocol: 6
IP ToS: 0x00
SrcAS: 0
DstAS: 0
SrcMask: 0 (prefix: 194.57.169.116/32)
DstMask: 0 (prefix: 129.20.254.1/32)
padding

Any clue?
Thanks, regards.
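As an added example that is not part of the post, a collector-side check for exactly this kind of record: it parses the NetFlow v5 header and record layout, computes the duration both as a naive collector does (unsigned 32-bit subtraction, which turns the 1000 ms inversion above into 4294966.296 s) and as a signed difference, and flags records whose First is later than Last. The export packet is constructed from the values in the wireshark decode above plus one well-formed flow; it is not a real capture.

```python
"""Parse NetFlow v5 export packets and flag records whose First (start)
uptime is later than Last (end). A collector doing unsigned 32-bit
arithmetic turns such a record into a ~49.7 day flow; that is the
4294966.296 s duration in the wireshark decode above.
Added example; SAMPLE_PACKET is constructed, not a real capture."""
import socket
import struct

# NetFlow v5 export layout: 24-byte header followed by 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
UINT32_MASK = 0xFFFFFFFF


def naive_duration_ms(first_ms, last_ms):
    """Duration as unsigned 32-bit subtraction, the way a naive collector computes it."""
    return (last_ms - first_ms) & UINT32_MASK


def parse_v5(packet):
    """Return (header dict, list of record dicts) for one v5 export packet."""
    (version, count, sys_uptime, _unix_secs, _unix_nsecs,
     flow_sequence, _engine_type, _engine_id, _sampling) = V5_HEADER.unpack_from(packet, 0)
    if version != 5:
        raise ValueError("not a NetFlow v5 packet (version %d)" % version)
    need = V5_HEADER.size + count * V5_RECORD.size
    if len(packet) < need:
        raise ValueError("truncated packet: %d bytes, header announces %d" % (len(packet), need))
    records = []
    for i in range(count):
        (src, dst, _nexthop, _in_if, _out_if, packets, octets, first, last,
         sport, dport, _pad1, _tcp_flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(
            packet, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "proto": proto,
            "packets": packets, "octets": octets,
            "first_ms": first, "last_ms": last,
        })
    header = {"count": count, "sys_uptime_ms": sys_uptime, "flow_sequence": flow_sequence}
    return header, records


def check_record(rec):
    """Classify one record: (status, naive_duration_ms, signed_delta_ms)."""
    delta = rec["last_ms"] - rec["first_ms"]
    status = "ok" if delta >= 0 else "starttime_after_endtime"
    return status, naive_duration_ms(rec["first_ms"], rec["last_ms"]), delta


def audit(packet):
    """Run check_record over every record of an export packet."""
    _header, records = parse_v5(packet)
    return [check_record(r) for r in records]


def build_v5_packet(flows, sys_uptime_ms):
    """Build a v5 export packet; flows are (src, dst, sport, dport, proto, pkts, octets, first, last)."""
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0\0\0\0",
                       0, 0, pkts, octets, first, last, sport, dport,
                       0, 0, proto, 0, 0, 0, 0, 0, 0)
        for (src, dst, sport, dport, proto, pkts, octets, first, last) in flows)
    header = V5_HEADER.pack(5, len(flows), sys_uptime_ms, 0, 0, 0, 0, 0, 0)
    return header + body


# Constructed sample: pdu 19 from the wireshark decode above (First 251367000 ms,
# Last 251366000 ms) plus one well-formed flow for comparison.
SAMPLE_PACKET = build_v5_packet([
    ("194.57.169.116", "129.20.254.1", 55680, 53, 6, 3, 164, 251367000, 251366000),
    ("194.57.169.116", "129.20.254.1", 55681, 53, 17, 1, 72, 251360000, 251361000),
], sys_uptime_ms=251368000)


if __name__ == "__main__":
    for rec, (status, naive, delta) in zip(parse_v5(SAMPLE_PACKET)[1], audit(SAMPLE_PACKET)):
        print("%s:%d -> %s:%d %s naive=%.3fs signed=%dms" % (
            rec["src"], rec["sport"], rec["dst"], rec["dport"], status, naive / 1000.0, delta))
```

Fed a UDP socket bound to the collector port instead of SAMPLE_PACKET, `audit()` gives a quick way to count how many exported flows carry the inversion before deciding whether to clamp, drop or swap the timestamps on the collector side.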



[4.9-5.1] smtpd does not work anymore without resolver?

2012-07-24 Thread Patrick Lamaiziere
Hello,

On 4.8 I was using smtpd to relay periodic mails. The box is
a firewall and the resolver is not configured at all.

smtpd.conf
# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

listen on lo0

map aliases { source db /etc/mail/aliases.db }

accept for local alias aliases deliver to mbox

# smtp
accept for all relay via 129.20.xxx.xxx

That worked fine on 4.8, but with 4.9 the box does not send any mail:

/var/log/maillog:
smtpd[4269]: 1317598201.5Tsv7GvPDRFc1Ozt: from=root@Y,
size=6325, nrcpts=1, proto=ESMTP, relay=0@localhost [IPv6:::1]

smtpd[30344]: 1317598201.5Tsv7GvPDRFc1Ozt:
to=logadmin@Y, delay=1, relay=(none) [],
stat=LocalError (Unable to resolve DNS for domain)

This still does not work on 5.1...

Thanks, regards.



Re: [4.9-5.1] smtpd does not work anymore without resolver?

2012-07-24 Thread Patrick Lamaiziere
On Tue, 24 Jul 2012 15:50:30 +0200,
Gilles Chehade gil...@poolp.org wrote:

Hello,

> > That worked fine on 4.8, but with 4.9 the box does not send any
> > mail :
> >
> > /var/log/maillog:
> > smtpd[4269]: 1317598201.5Tsv7GvPDRFc1Ozt: from=root@Y,
> > size=6325, nrcpts=1, proto=ESMTP, relay=0@localhost [IPv6:::1]
> >
> > smtpd[30344]: 1317598201.5Tsv7GvPDRFc1Ozt:
> > to=logadmin@Y, delay=1, relay=(none) [],
> > stat=LocalError (Unable to resolve DNS for domain)
> >
> > This still does not work on 5.1...
> >
>
> Can you confirm it is true with -current OpenSMTPD ?
>
> I can't double check right now, but I seem to recall eric@ fixing this
> a while ago

Oh yes, I've just tried with a snapshot of 5.2 and it looks good.

Many thanks, regards.



Re: More bgpd problems

2012-05-30 Thread Patrick Lamaiziere
On Wed, 30 May 2012 09:27:23 +0000 (UTC),
Matt Hamilton ma...@netsight.co.uk wrote:

Hello,

> I'd be very interested to see your ifstated config and how you use
> that to verify peers being up as we could do with some better
> monitoring here.

Here we use "bgpctl show summary terse" with a grep on the
peer name and "Established". Simple, but it does the job.

# bgpctl show summary terse
RenaterV6 2200 Established
RenaterV4 2200 Established

(never seen bgpd crash)

Regards.
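An added example (not configuration from either post) tying together the ifstated approach described in the "Firewall cluster" reply above and the bgpctl check shown here: ifstated(8) polls `bgpctl show summary terse`, raises the carp demotion counter of the carp group while the RenaterV4 session is not Established so that the peer firewall takes over, and lowers it again once BGP is back. The peer name RenaterV4 comes from the output above; the demotion amount of 50 and the ten-second interval are arbitrary choices of the example. Because the counter can only be moved relative to its current value (there is no way to set it absolutely, as noted in the carp demote thread on this page), the increment and the decrement are kept symmetric and only run on a state change.

```conf
# /etc/ifstated.conf -- added example, not from the thread.
# Demote the carp group while the RenaterV4 BGP session is not Established.
# 50 and the 10 second interval are arbitrary; pick values matching your setup.

bgp_up = '( "bgpctl show summary terse | grep RenaterV4 | grep -q Established" every 10 )'

init-state auto

# Decide the starting state; only touch the counter if BGP is already
# down at boot, so that later decrements always undo an earlier increment.
state auto {
	if $bgp_up
		set-state bgp_ok
	if ! $bgp_up {
		run "ifconfig -g carp carpdemote 50"
		set-state bgp_down
	}
}

state bgp_ok {
	if ! $bgp_up {
		run "ifconfig -g carp carpdemote 50"
		set-state bgp_down
	}
}

state bgp_down {
	if $bgp_up {
		run "ifconfig -g carp -carpdemote 50"
		set-state bgp_ok
	}
}
```

`ifconfig -g carp` shows the resulting counter, and `ifstated -n` checks the file before enabling it with `rcctl enable ifstated`; if the box is also a pfsync peer, remember that pfsync adds its own demotion during the bulk update at boot, as the carp demote thread above shows.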



Re: Router project on OpenBSD questions

2012-02-29 Thread Patrick Lamaiziere
On Mon, 27 Feb 2012 19:38:45 +0000,
Kaya Saman kayasa...@gmail.com wrote:

Hello,

> I have currently only used OpenBSD as a test vector setup on
> VirtualBox and 2x Sun Fire V240's as a DNS server (master/slave)
> using Bind9. So basically in short am an OpenBSD newbee :-)
>
>
> Ok so here goes;
>
> I've been using FreeBSD for around 3+ years now and really enjoy it,
> in comparing OpenBSD to FreeBSD I first would like to get some user
> experience of the major advantages over it.

Well, I mostly use FreeBSD and I prefer it in general.
But for a router/firewall I think that OpenBSD suits better. All the
tools are available out of the box and that just works.

There are a few things missing in FreeBSD (for our needs at work):
- missing TCP signature in OpenBGPD.
- missing pflow.
- some problems with carp (for example flip-flop of master/backup when a
  machine boots up, but carp should be better in FreeBSD 10.0).

OpenBSD is not perfect either, it would be nice if pflow handled IPv6
and the support period of one year is a bit short. But nothing is perfect.

> from my (vastly) limited experience it's quite different to work with than
> FreeBSD.

Not really.



Re: Router project on OpenBSD questions

2012-02-29 Thread Patrick Lamaiziere
On Mon, 27 Feb 2012 16:58:05 -0300,
Christiano F. Haesbaert haesba...@haesbaert.org wrote:

Hello,

> With a decent hardware, I think you can reach 1mpps (that's million
> packets per second).

I don't think so.

As far as I can see here, with a rate of 50K packets through the system, it
already spends 50% in interrupt.



Re: Router project on OpenBSD questions

2012-02-29 Thread Patrick Lamaiziere
On Wed, 29 Feb 2012 13:13:30 +0100,
Peter Hessler phess...@theapt.org wrote:

Hello,

> On 2012 Feb 29 (Wed) at 11:54:13 +0100 (+0100), Patrick Lamaiziere
> wrote:
> :OpenBSD is not perfect too, it would be nice that pflow
> :handles ipv6
>
> pflow now handles ipv6 (in 5.1)

That's cool! Thanks.

> :and the support of one year is a bit short. But nothing is perfect.
>
> If you need support for longer than a year, you will need to contact a
> vendor offering openbsd support.

I don't believe they will be able to support it if support has ended
upstream; only a few are able to dig into the code. Sure, I will find tons
of them able to sell support. But if they sell some wind I can do it
myself for free.

That was not a criticism, I understand the release process on
OpenBSD and the limited resources available well. But this is something to
consider when you choose a system.

Regards.



[PF] bug in port range.

2012-01-03 Thread Patrick Lamaiziere
Hello, happy new year.

I think there is an off-by-one error in Packet Filter port ranges, for
example with an exclude boundary range : port1 >< port2

PF or pfctl does not check that port1 <= port2 and if port1 > port2 the
port range is not correct.

For example 82 >< 80 is not the same as 80 >< 82 (but should IMO).

I've tested with these rules:

pass in quick
block out quick proto tcp from self to 94.23.254.147 port 82 >< 80
pass out quick

Then, port 81 is not filtered out.

Thanks, regards.



Re: [PF] bug in port range.

2012-01-03 Thread Patrick Lamaiziere
On Tue, 3 Jan 2012 17:54:18 +0100,
Henning Brauer lists-open...@bsws.de wrote:

Hello,

> * Patrick Lamaiziere patf...@davenulle.org [2012-01-03 17:45]:
> > I think there is an off-by-one error in Packet Filter port ranges,
> > for example with an exclude boundary range : port1 >< port2
>
> nope.
>
> > Ports and ranges of ports are specified using these
> > operators:
> > :   (range including boundaries)
> > ><  (range excluding boundaries)
>
> yes, that is from the manpage, of course.
> >< explicitly EXCLUDES the boundaries. now where is that off by one?

Please forget the off-by-one, I've found that 82:80 differs from
80:82 :)

> > PF or pfctl does not check that port1 <= port2 and if port1 > port2
> > the port range is not correct.
>
> pf does what you, the operator, tells it to do.
>
> > For example 82 >< 80 is not the same as 80 >< 82 (but should IMO).
>
> should? why?

Well, because for me 80:82 is (80, 81, 82) and 82:80 the same
items and so the same range.

But you are right, the man page is explicit. I should re-read it
more often.

So what is the meaning for PF of the range 82:80? If this is
nonsense, an error from pfctl would be cool.

> port 82 >< 80 defines a range that can't match, and it doesn't. as in,
> all is good. when you mean 80 >< 82 you ought to write 80 >< 82 and
> not 82 >< 80.

Sure, but when using service names it's easy to make a mistake. In fact
I found this strange behaviour while translating a Cisco acl:

permit tcp any any range ftp ftp-data

Translated to port ftp:ftp-data, which if I understand well does not
mean anything for PF.

Thanks, regards.
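
The operator semantics discussed in this thread can be checked before a
ruleset is loaded. The following is an added example, not code from pf,
pfctl or anyone in the thread: it models the three pf port-range operators
from pf.conf(5) and lints a ruleset for port specifications that can never
match, such as 82 >< 80 or ftp:ftp-data. The SERVICES table is a constructed
stand-in for /etc/services and the sample ruleset is constructed around the
rules posted above; pfctl itself performs no such check, as the thread says.

```python
"""Lint pf.conf port specifications for ranges that can never match.

Added example, not code from pf, pfctl or the thread.  The service table
is a constructed stand-in for /etc/services (assumption: TCP names only).
"""
import re

SERVICES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "http": 80}

# 'port' followed by either "lo OP hi" (OP one of :, ><, <>) or a single token.
PORT_SPEC_RE = re.compile(r"\bport\s+(\S*\s*(?::|><|<>)\s*\S+|\S+)")
RANGE_RE = re.compile(r"\s*(\S+?)\s*(:|><|<>)\s*(\S+?)\s*")


def port_number(tok):
    """Resolve a numeric port or a service name; anything else is unsupported."""
    if tok.isdigit():
        return int(tok)
    if tok in SERVICES:
        return SERVICES[tok]
    raise ValueError("unknown service or unsupported operator: %r" % tok)


def port_set(spec):
    """Ports matched by a pf port specification, per pf.conf(5):
    lo:hi includes both boundaries, lo><hi excludes them, lo<>hi matches
    everything outside lo:hi.  An inverted lo:hi or lo><hi is kept as pf
    applies it, a range that matches nothing, which is what the lint reports.
    """
    m = RANGE_RE.fullmatch(spec)
    if m is None:
        return {port_number(spec.strip())}
    lo, op, hi = port_number(m.group(1)), m.group(2), port_number(m.group(3))
    if op == ":":
        return set(range(lo, hi + 1))
    if op == "><":
        return set(range(lo + 1, hi))
    return set(range(1, lo)) | set(range(hi + 1, 65536))


def lint_ruleset(text):
    """Return (line number, port spec, rule) for every rule whose port
    specification matches no port at all.  Macros, lists and comparison
    operators (=, <, >=, ...) are outside the scope of this check."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PORT_SPEC_RE.finditer(line):
            spec = m.group(1)
            try:
                ports = port_set(spec)
            except ValueError:
                continue
            if not ports:
                findings.append((lineno, spec, line.strip()))
    return findings


# Constructed ruleset built around the rules quoted in the thread.
SAMPLE_RULES = """\
pass in quick
block out quick proto tcp from self to 94.23.254.147 port 82 >< 80
pass out quick
pass in proto tcp from any to any port 80:82
pass in proto tcp from any to any port 80 >< 82
block in proto tcp from any to any port ftp:ftp-data
pass in inet proto udp from 10.0.0.0/24 to any port = 22
"""

if __name__ == "__main__":
    for lineno, spec, rule in lint_ruleset(SAMPLE_RULES):
        print("line %d: port %s never matches: %s" % (lineno, spec, rule))
```

Run on the sample, the lint reports line 2 (82 >< 80, the rule from the
first post) and line 6 (ftp:ftp-data, which is 21:20 and therefore empty),
while 80:82 and 80 >< 82 are accepted.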



Re: network bandwith with em(4)

2011-12-07 Thread Patrick Lamaiziere
On Tue, 22 Feb 2011 18:09:32 +0100,
Patrick Lamaiziere patf...@davenulle.org wrote:

> (4.8/amd64)
> I'm using two ethernet cards Intel 1000/PRO quad ports (gigabit) on a
> firewall (one fiber and one copper).
>
> The problem is that we don't get more than ~320 Mbits/s of bandwidth
> between the internal networks and internet (gigabit).
>
> As far as I can see, on load there is a number of Ierr on the interface
> connected to Internet (between 1% to 5%).
>
> --
> dmesg (on 4.8):
> em0 at pci5 dev 0 function 0 Intel PRO/1000 QP (82571EB) rev
> 0x06: apic 1 int 13 (irq 14), address 00:15:17:ed:98:9d
>
> em4 at pci9 dev 0 function 0 Intel PRO/1000 QP (82575GB) rev 0x02:
> apic 1 int 23 (irq 11), address 00:1b:21:38:e0:80

Hello,

This issue (IERR on em) looks to be fixed in 5.0. With 4.8 and 4.9
there were IERR errors with traffic > 150 Mb/s. With 5.0 there are
only a few IERR from time to time, even on high load (> 400 Mbits/s,
40K packets/s in, 30K packets/s out).

I guess that the fixes on em(4) help. Maybe the use of MSI interrupts
too, because I see a significant improvement in CPU interrupt load
(around 60% under load to 50% with 5.0).
(the measures are averaged over 5 minutes)

That's cool!

There are still some PF congestions from time to time but I have to
investigate. It happens even when the box is idle, but maybe there are
some bursts of traffic. The box has 6 interfaces and I don't believe it
can handle 6 Gbits at once.

To finish this too long thread: since February we (a university) are
very happy with the reliability of our two PF firewalls, they just
work.

Thanks a lot, regards.



[5.0] pkg_add too many FTP connections

2011-11-30 Thread Patrick Lamaiziere
Hello,

I'm trying to update packages with pkg_add via ftp :

# pkg_add -ui  
Error from
ftp://ftp.irisa.fr/pub/OpenBSD/5.0/packages/amd64/gperf-3.0.4.tgz 421
There are too many connections from your internet address. ftp: Can't
connect or login to host `ftp.irisa.fr'
Error from
ftp://ftp.irisa.fr/pub/OpenBSD/5.0/packages/amd64/gtar-1.26p0.tgz 421
There are too many connections from your internet address. ftp: Can't
connect or login to host `ftp.irisa.fr'
...

Is there a way to limit the number of FTP connections for pkg_add?

Thanks, regards.



Re: [5.0] pkg_add too many FTP connections

2011-11-30 Thread Patrick Lamaiziere
On Wed, 30 Nov 2011 12:35:40 +0100,
Marc Espie es...@nerim.net wrote:

> Fix your proxy/connection. pkg_add keeps one ftp connection alive,
> not more, but it does interrupt connections brutally as soon as it
> has the information it wants.
>
> All such problems come from stale ftp connections, there's something
> flaky in your network setup that means ftp.irisa.fr does not see the
> severed connections.

Thanks Marc,

Could it be that this ftp server (irisa) is near here (1Gbit) and
doesn't have the time to see that the connection was dropped?

I don't have any problem with other mirrors (ex ftp://fr.openbsd.org)

Thanks, regards.



Re: Multiple ISPs: send packets to the interface they came from

2011-11-08 Thread Patrick Lamaiziere
On Tue, 08 Nov 2011 15:27:02 -0500,
Guillaume Filion g...@logidac.com wrote:

> Hi all,

Hello,

> I also tried using pf route-to but that seems to only work with
> NAT...

No, it does routing. I use it without nat.

> So basically my question is how to tell OpenBSD to send packets to the
> interface they came from?

See reply-to

Regards.



Re: PF.CONF - with DMZ and packet tagging example

2011-11-07 Thread Patrick Lamaiziere
On Mon, 7 Nov 2011 16:58:29 -0500,
Bentley, Dain dbent...@nas.edu wrote:

Hello,

> block in on $ext from <bastards>
> #NAT INBOUND TO DMZ
> pass in on $ext proto tcp from any to any port $web_services rdr-to
> $webserver tag INET_TO_DMZ
> pass in on $ext proto tcp from any to any port $mail_services rdr-to
> $mailserver tag INET_TO_DMZ

Doesn't look good, missing quick in the block rule?

Regards.
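
The point about the missing quick can be made concrete. The following is an
added example, not pf code and not from anyone in the thread: a minimal
evaluator for the two quoted rules that implements pf's last-matching-rule
semantics and shows that, without quick on the block rule, a packet from a
<bastards> address to the web port is still passed by the later rdr-to rule.
The macro values, the table contents and the sample packets are constructed.

```python
"""Model pf's last-matching-rule evaluation on the ruleset quoted above.

Added example, not pf code.  The evaluator understands only 'block'/'pass',
direction, 'on', 'quick', 'proto', 'from', 'to' and 'port', which is enough
to show why the block rule needs 'quick'.  Macro values, the <bastards>
table and the packets are constructed.
"""
import ipaddress

MACROS = {"$ext": "em0", "$web_services": "80", "$webserver": "10.0.0.10"}
TABLES = {"<bastards>": ["203.0.113.0/24"]}  # constructed table contents

RULESET_WITHOUT_QUICK = """\
block in on $ext from <bastards>
pass in on $ext proto tcp from any to any port $web_services rdr-to $webserver tag INET_TO_DMZ
"""
RULESET_WITH_QUICK = RULESET_WITHOUT_QUICK.replace(
    "block in on $ext", "block in quick on $ext")


def parse_rule(line):
    """Expand macros and pick out the keywords this model understands."""
    words = [MACROS.get(w, w) for w in line.split()]
    rule = {"action": words[0], "dir": words[1], "quick": "quick" in words[2:],
            "on": None, "proto": None, "from": "any", "to": "any", "port": None}
    for key in ("on", "proto", "from", "to", "port"):
        if key in words:
            rule[key] = words[words.index(key) + 1]
    return rule


def addr_matches(spec, addr):
    """'any', a <table> of networks, or a single address/network."""
    if spec == "any":
        return True
    ip = ipaddress.ip_address(addr)
    nets = TABLES[spec] if spec.startswith("<") else [spec]
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)


def rule_matches(rule, pkt):
    return (rule["dir"] == pkt["dir"] and rule["on"] == pkt["iface"]
            and (rule["proto"] is None or rule["proto"] == pkt["proto"])
            and addr_matches(rule["from"], pkt["src"])
            and addr_matches(rule["to"], pkt["dst"])
            and (rule["port"] is None or int(rule["port"]) == pkt["port"]))


def evaluate(ruleset, pkt):
    """pf semantics: the last matching rule decides, unless a matching rule
    carries 'quick', which ends evaluation there.  Default verdict is pass."""
    verdict = "pass"
    for line in ruleset.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if rule_matches(rule, pkt):
            verdict = rule["action"]
            if rule["quick"]:
                break
    return verdict


# Constructed packet: a listed (bad) source reaching the web port on $ext.
PACKET = {"dir": "in", "iface": "em0", "proto": "tcp",
          "src": "203.0.113.7", "dst": "192.0.2.1", "port": 80}

if __name__ == "__main__":
    print("without quick:", evaluate(RULESET_WITHOUT_QUICK, PACKET))  # pass
    print("with quick:   ", evaluate(RULESET_WITH_QUICK, PACKET))     # block
```

Without quick the block rule matches first but the later pass rule also
matches and, being last, wins; with quick the block decision is final and
only sources outside the table reach the web server.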



Re: why skip is not shown in pfctl -s rules ?

2011-10-20 Thread Patrick Lamaiziere
On Thu, 20 Oct 2011 15:41:51 +0600,
Илья Шипицин chipits...@gmail.com wrote:

Hello,

> but I do not find skip in pfctl -s rules output:

Yes, you can check that the interface is skipped with

# pfctl -vs Interfaces -i lo0   
lo0 (skip)

Regards.



[4.9] smtpd does not work anymore without resolver?

2011-10-03 Thread Patrick Lamaiziere
Hello,

On 4.8 I was using smtpd to relay periodic mails. The box is
a firewall and the resolver is not configured at all.

smtpd.conf
# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

listen on lo0

map aliases { source db /etc/mail/aliases.db }

accept for local alias aliases deliver to mbox

# smtp
accept for all relay via 129.20.xxx.xxx

That worked fine on 4.8, but with 4.9 the box does not send any mail :

/var/log/maillog:
smtpd[4269]: 1317598201.5Tsv7GvPDRFc1Ozt: from=root@Y,
size=6325, nrcpts=1, proto=ESMTP, relay=0@localhost [IPv6:::1]

smtpd[30344]: 1317598201.5Tsv7GvPDRFc1Ozt:
to=logadmin@Y, delay=1, relay=(none) [],
stat=LocalError (Unable to resolve DNS for domain)

Any idea?
Thanks, regards.



Re: bgpctl show rib out displaying incorrect information

2011-08-31 Thread Patrick Lamaiziere
On Wed, 31 Aug 2011 07:19:15 +0200,
Tony Sarendal t...@polarcap.org wrote:

Hi,

> current1# cat /etc/bgpd.conf
> AS 65001
> network 10.0.1.0/24
>
> current1# bgpctl show rib nei 172.29.1.52 out
> flags: * = Valid, > = Selected, I = via IBGP, A = Announced
> origin: i = IGP, e = EGP, ? = Incomplete
>
> flags destination          gateway          lpref   med aspath origin
> AI*>  10.0.1.0/24          172.29.1.200       100     0 i

So you announce (A) via IBGP (I) the route 10.0.1.0/24, looks good, no?

> current2# bgpctl show rib nei 172.29.1.51 in
> fl
> flags: * = Valid, > = Selected, I = via IBGP, A = Announced
> origin: i = IGP, e = EGP, ? = Incomplete
>
> flags destination          gateway          lpref   med aspath origin
> I*>   10.0.1.0/24          172.29.1.51        100     0 i

And you receive the route via IBGP (I), looks good too.

Where is the problem?

Regards.



Re: Expected throughput in an OpenBSD virtual server

2011-08-24 Thread Patrick Lamaiziere
On Tue, 23 Aug 2011 19:21:32 +0200,
Per-Olov Sjöholm p...@incedo.org wrote:

Hello,

> > Here we reach 400 MBits/s with a CPU rate ~70% but we
> > run OpenBSD 4.9.
>
> How fast is your CPU ?

cpu0: Intel(R) Xeon(R) CPU E5520 @ 2.27GHz, 2261.30 MHz
It's a Dell R610 with 4 GB RAM.



Re: Expected throughput in an OpenBSD virtual server

2011-08-23 Thread Patrick Lamaiziere
On Mon, 22 Aug 2011 22:49:47 +0200,
Per-Olov Sjöholm p...@incedo.org wrote:

Hello,
> Have not tried current, but will try current as soon as I can.
> Also... I will try to do some experiments with CPU speed of the core
> the OpenBSD virtual machine has. This to see how the interrupts and
> throughput is related to the CPU speed of the allocated core.

It would be nice to know if current is better with Intel em(4) cards. 
because of this commit : http://freshbsd.org/2011/04/13/00/19/01

Here we reach 400 MBits/s with a CPU rate ~70% but we
run OpenBSD 4.9.

Regards.



Re: Expected throughput in an OpenBSD virtual server

2011-08-23 Thread Patrick Lamaiziere
On Mon, 22 Aug 2011 20:04:50 + (UTC),
Stuart Henderson s...@spacehopper.org wrote:

Hello,

> OpenBSD has another way to handle this, MCLGETI.

Is there documentation (for human beings, not developers)
about how MCLGETI works? (I don't find a lot about it)

Thanks, regards.



Re: carp issues

2011-08-09 Thread Patrick Lamaiziere
On Tue, 09 Aug 2011 15:29:17 +0200,
Michael Lechtermann mich...@lechtermann.net wrote:

> > Hi all,

hello,

> > # ifconfig carp0
> > carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         lladdr 00:00:5e:00:01:0a
> >         priority: 0
> >         carp: carpdev em0 advbase 1 balancing ip-stealth carppeer
> >         10.0.1.11
> >         state MASTER vhid 10 advskew 0
> >         state BACKUP vhid 11 advskew 100

Hmmm, why do you have different vhid ?



Re: fat32 interoperatibility issue

2011-08-01 Thread Patrick Lamaiziere
On Mon, 01 Aug 2011 16:04:08 +0200,
Daniel Gracia lists.d...@electronicagracia.com wrote:

> Yep! That's it, and I totally agree with the discussion there but, as
> far as msdosfs is in OpenBSD for the very reason of portability -and
> now I'm supposing-, I wonder if this would be an any welcomed patch.

Well, Windows itself allows creating such files, so this is portable.
But on Windows they are hidden by Explorer; this is (was?) used by
some malware to hide files (like a hidden ftp server).

See
http://www.gohacking.com/2008/02/how-to-create-con-folder-in-windows.html

I'm not sure if this is still true.

Regards.



net-snmp in 4.9 : does it work for you ?

2011-06-22 Thread Patrick Lamaiziere
Hello,

I've updated my two pf firewalls today from 4.8 to 4.9 (worked fine,
nice). But it looks like there is a problem with net-snmp and the
traffic reported (IF-MIB). It is not correct anymore (like 30
Mbits/s instead of more than 150 Mbits/s). I've checked the interface
indexes in the snmp tables and they did not change. Other values (like
packets per second) look good.

I've tried the previous version of net-snmp (net-snmp-5.4.2.1p5) and
there is the same problem.

Any clue?

Thanks, regards.



Re: net-snmp in 4.9 : does it work for you ?

2011-06-22 Thread Patrick Lamaiziere
On Wed, 22 Jun 2011 09:23:01 +0200,
Patrick Lamaiziere patf...@davenulle.org wrote:

> Hello,
>
> I've updated my two pf firewalls today from 4.8 to 4.9 (worked fine,
> nice). But it looks like there is a problem with net-snmp and the
> traffic reported (IF-MIB). It is not correct anymore (like 30
> Mbits/s instead of more than 150 Mbits/s). I've checked the interface
> indexes in the snmp tables and they did not change. Other values (like
> packets per second) look good.
>
> I've tried the previous version of net-snmp (net-snmp-5.4.2.1p5) and
> there is the same problem.
>
> Any clue?

Ooops. 

Looks like someone has changed the configuration of Cacti.
My apologies. Regards.



Re: Need some input about: OpenBSD 4.9/amd64 and Dell PowerEdge Server R210,R410,R610,R710

2011-06-08 Thread Patrick Lamaiziere
On Tue, 7 Jun 2011 20:49:50 -0700 (PDT),
Stefan N stefanbsd...@yahoo.com wrote:

> Hi All,

Hello,

> Have you ever tried to install OpenBSD 4.9/amd64 on the Dell
> PowerEdge Server R210,R410,R610,R710 (2.5 SAS Disk) with additional
> Intel Gigabit ET Quad Port Server Adapter? If yes, are those servers
> fully compatible with OpenBSD 4.9/amd64?

We have been using two R610 with 4.8/amd64 (PF firewall) since February
with two Intel cards (one Intel PRO/1000 QP 82571EB and one Intel
PRO/1000 QP 82575GB). It looks solid as a rock.

ipmi does not attach, I don't know if it should work:
ipmi at mainbus0 not configured

Regards.



Re: serious security improvement in OpenBSD

2011-06-06 Thread Patrick Lamaiziere
On Mon, 06 Jun 2011 15:06:54 +0300,
Kapetanakis Giannis bil...@edu.physics.uoc.gr wrote:

> Who is this 'Charlie' guy anyway???

That is a good question. I've searched in the past, looking at old
system passwd files, to find who decided this name for the root
account, but with no luck.

Looks like Charlie is a tribute to Charlie Root (a famous baseball
player): http://en.wikipedia.org/wiki/Charlie_Root

Does someone remember who, when and why?

Regards.



Re: Firewall sends wrong MAC address per ARP?

2011-03-22 Thread Patrick Lamaiziere
On Tue, 22 Mar 2011 13:01:48 +0100,
Marcus Mülbüsch muelbue...@as-infodienste.de wrote:

hello,

> > carp3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         lladdr 00:00:5e:00:01:21
> >         priority: 0
> >         carp: carpdev bge0 advbase 1 balancing arp carppeer
> >         192.168.3.3 state MASTER vhid 33 advskew 0
> >         state MASTER vhid 133 advskew 100

Why do you have two vhids with different advskew values?



(4.8) Missing pkg.conf in see also manual for pkg_add

2011-03-17 Thread Patrick Lamaiziere
Hello,

Just noticed that pkg.conf(5) is missing in the see also section
of pkg_add(1) and friends.

Regards.



Re: network bandwith with em(4)

2011-02-28 Thread Patrick Lamaiziere
On Sat, 26 Feb 2011 00:23:36 +0900,
Ryan McBride mcbr...@openbsd.org wrote:

> > > How about a _full_ dmesg, so someone can take a wild guess at
> > > what your machine is capable of?
> >
> > full dmesg : http://user.lamaiziere.net/patrick/dmesg-open48.txt
> >
> > The box is a Dell R610 server.
>
> This box should be able to fill a gigabit of regular TCP traffic (1500
> MTU) without any problem. Double-check your testing procedures.

I will test this.

> I have some additional comments/questions though:
>
> 1) you probably don't want to run bsd.mp on a firewall, it'll hurt you
> more than it helps, unless you have significant CPU-bound userland
> stuff going on, for example antivirus scanning of email.

I've tried with an sp kernel (amd64), it does not look to change anything.

> 2) You may get better performance running i386.

I will try, but I do not expect a lot of difference in the IErr rate.

> 3) Besides the em driver changes you've mentioned, is the source
> code you're building the kernel clean OPENBSD_4_8 -stable, or
> something else (4.8-current from after the 4.8 release, for example)

It's a clean release 4.8/amd64, with the 4.8 errata applied.

Thanks, regards.



Re: network bandwith with em(4)

2011-02-25 Thread Patrick Lamaiziere
On Fri, 25 Feb 2011 08:41:20 +0900,
Ryan McBride mcbr...@openbsd.org wrote:

> On Wed, Feb 23, 2011 at 06:07:16PM +0100, Patrick Lamaiziere wrote:
> > I log the congestion counter (each 10s) and there are at max 3 or 4
> > congestions per day. I don't think the bottleneck is pf.
>
> The congestion counter doesn't directly mean you have a bottleneck in
> PF; it's triggered by the IP input queue being full, and could
> indicate a bottleneck in other places as well, which PF tries to help
> out with by dropping packets earlier.
>
>
> > > Interface errors?
> >
> > Quite a lot.
>
> The output of `systat mbufs` is worth looking at, in particular the
> figure for LIVELOCKS, and the LWM/CWM figures for the interface(s) in
> question.
>
> If the livelocks value is very high, and the LWM/CWM numbers are very
> small, it is likely that the MCLGETI interface is protecting your
> system from being completely flattened by forcing the em card to drop
> packets (supported by your statement that the error rate is high). If
> it's bad enough MCLGETI will be so effective that the pf congestion
> counter will not get incremented.

systat mbufs:
IFACE  LIVELOCKS  SIZE  ALIVE  LWM  HWM  CWM
System 256 375 149
       2k 240 1125

em0         1772    2k     80    4  256   80
em1           11    2k      5    4  256    5
em2          293    2k    110    4  256  110
em3
em4           18    2k     11    4  256   11
em5           10    2k     12    4  256   12
em6           14    2k      5    4  256    5
bnx0           3    2k      4    2  510    4
bnx1           1    2k      4    2  510    4
bnx3           1    2k      2    2  510    2
>
>
> You mentioned the following in your initial email:
>
> > #define MAX_INTS_PER_SEC 8000
> >
> > Do you think I can increase this value? The interrupt rate of the
> > machine is at max ~60% (top).
>
> Increasing this value will likely hurt you. 60% interrupt rate sounds
> about right to me for a firewall system that is running at full tilt;
> 100% interrupt is very bad, if your system spends all cycles servicing
> interrupts it will not do very much of anything useful.
>
>
> > dmesg:
> > em0 at pci5 dev 0 function 0 Intel PRO/1000 QP (82571EB) rev
> > 0x06: apic 1 int 13 (irq 14), address 00:15:17:ed:98:9d
> >
> > em4 at pci9 dev 0 function 0 Intel PRO/1000 QP (82575GB) rev 0x02:
> > apic 1 int 23 (irq 11), address 00:1b:21:38:e0:80
>
> How about a _full_ dmesg, so someone can take a wild guess at what
> your machine is capable of?
>
> -Ryan
 



-- 
Patrick Lamaizière
CRI Université de Rennes 1
Tél: 02 23 23 71 45
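
The rule of thumb Ryan gives above (many LIVELOCKS together with a CWM held
well below HWM means MCLGETI has shrunk the receive ring and the card is
dropping packets to keep the host responsive) can be turned into a check over
the systat mbufs table. The following is an added example, not OpenBSD code:
it parses the table as posted (the interface figures are taken from the
message above, the System rows are kept only to show they are skipped) and
ranks the interfaces being throttled. The minimum livelock count is an
assumption, not a documented threshold.

```python
"""Read 'systat mbufs' output and rank interfaces by livelock pressure.

Added example, not OpenBSD code.  Columns follow the header of the posted
table: IFACE LIVELOCKS SIZE ALIVE LWM HWM CWM.  The livelock threshold
used by throttled() is an assumption.
"""

COLUMNS = ("livelocks", "size", "alive", "lwm", "hwm", "cwm")


def parse_mbufs(text):
    """Map interface name to its counters.  The header, the System/pool
    rows and interfaces without counters do not have seven fields and
    are skipped."""
    rows = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7 or fields[0] == "IFACE":
            continue
        values = dict(zip(COLUMNS, fields[1:]))
        for key in ("livelocks", "alive", "lwm", "hwm", "cwm"):
            values[key] = int(values[key])
        rows[fields[0]] = values
    return rows


def throttled(rows, min_livelocks=100):
    """Interfaces being throttled by MCLGETI, busiest first: livelock count
    at or above the threshold and the current watermark (CWM) held below
    the high watermark (HWM), i.e. the ring has been shrunk."""
    hits = [iface for iface, r in rows.items()
            if r["livelocks"] >= min_livelocks and r["cwm"] < r["hwm"]]
    return sorted(hits, key=lambda iface: -rows[iface]["livelocks"])


# Sample reconstructed from the figures posted in this thread.
SAMPLE_MBUFS = """\
IFACE  LIVELOCKS  SIZE  ALIVE  LWM  HWM  CWM
System 256 375 149
       2k 240 1125

em0         1772    2k     80    4  256   80
em1           11    2k      5    4  256    5
em2          293    2k    110    4  256  110
em3
em4           18    2k     11    4  256   11
bnx0           3    2k      4    2  510    4
"""

if __name__ == "__main__":
    counters = parse_mbufs(SAMPLE_MBUFS)
    for iface in throttled(counters):
        r = counters[iface]
        print("%s: %d livelocks, ring at %d of %d clusters"
              % (iface, r["livelocks"], r["cwm"], r["hwm"]))
```

On the sample this flags em0 (1772 livelocks, ring held at 80 of 256) and
em2, the two busy links, while the quiet interfaces with single-digit
counts are left alone.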



Re: network bandwith with em(4)

2011-02-25 Thread Patrick Lamaiziere
On Fri, 25 Feb 2011 13:51:32 +0100,
Patrick Lamaiziere patf...@davenulle.org wrote:

(ooops, pushed the wrong button)

> > How about a _full_ dmesg, so someone can take a wild guess at what
> > your machine is capable of?

full dmesg : http://user.lamaiziere.net/patrick/dmesg-open48.txt

The box is a Dell R610 server.

Thanks, regards.



Re: network bandwith with em(4)

2011-02-25 Thread Patrick Lamaiziere
On Fri, 25 Feb 2011 13:51:32 +0100,
Patrick Lamaiziere patf...@davenulle.org wrote:

> systat mbufs:
> IFACE  LIVELOCKS  SIZE  ALIVE  LWM  HWM  CWM

What do these counters mean?

Thanks.



Re: network bandwith with em(4)

2011-02-25 Thread Patrick Lamaiziere
On Tue, 22 Feb 2011 18:09:32 +0100,
Patrick Lamaiziere patf...@davenulle.org wrote:

> (4.8/amd64)
>
> Hello,
>
> I'm using two ethernet cards Intel 1000/PRO quad ports (gigabit) on a
> firewall (one fiber and one copper).
>
> The problem is that we don't get more than ~320 Mbits/s of bandwidth
> between the internal networks and internet (gigabit).
>
> As far as I can see, on load there is a number of Ierr on the interface
> connected to Internet (between 1% to 5%).
>
> Also the interrupt rate on this card is around ~7500 (using systat).
> In the em(4) driver, there is a limitation of the interrupt rate at
> 8000/s.

...

Well, I've made some tests and increasing the number of interrupts or
the number of RX descriptors does not help to reduce the Ierr count or
to increase the bandwidth.

So I don't know where is the problem... 

Do you think the hardware used is not powerful enough ? (dmesg :
http://user.lamaiziere.net/patrick/dmesg-openbsd4.8.txt).

The box is a router/firewall, there are 6 interfaces on the box, one is
connected to internet (the most busy interface). One is connected to
the lan (very busy too). The others are far less busy.

To give an idea, this box replaces an old Cisco 7204 which hangs at 200
Mbits, no more.

I would be happy to know which kind of hardware you are using to build
a gigabit router with good performance?

Thanks to all. regards.



Re: network bandwith with em(4)

2011-02-24 Thread Patrick Lamaiziere
On Wed, 23 Feb 2011 22:09:18 +0100,
Manuel Guesdon ml+openbsd.m...@oxymium.net wrote:


> | Did you try to increase the number of descriptors?
> | #define EM_MAX_TXD 256
> | #define EM_MAX_RXD 256
> |
> | I've tried up to 2048 (and with MAX_INTS_PER_SEC = 16000) but it
> | looks worse.
>
> Thank you ! I'll investigate this !

As I said, it is worse here. The load is increased and I lose around 50
Mbits of bandwidth. I was curious if you've made some tests on this.



Re: network bandwith with em(4)

2011-02-23 Thread Patrick Lamaiziere
On Tue, 22 Feb 2011 19:13:48 +0100,
Manuel Guesdon ml+openbsd.m...@oxymium.net wrote:

Hello,

> We've got same problems (on a router, not a firewall). Increasing
> MAX_INTS_PER_SEC to 24000 increased bandwidth and lowered packet loss.
> Our cards are Intel PRO/1000 (82576) and Intel PRO/1000 FP
> (82576).

Did you try to increase the number of descriptors?
#define EM_MAX_TXD 256
#define EM_MAX_RXD 256

I've tried up to 2048 (and with MAX_INTS_PER_SEC = 16000) but it looks
worse.

My configuration is two firewalls in master/backup mode. On the first
one the two most busy links are on the first card (fiber). On the
second, these two links are not on the same card, one is on the fiber
card and the other on the copper card. I've noticed today that the
input Ierr rate is far lower on the second firewall than on the first.

Is it possible to have a bottleneck on the ethernet card or on the bus?

I will make more tests tomorrow...
Thanks, regards.



Re: network bandwith with em(4)

2011-02-23 Thread Patrick Lamaiziere
On Tue, 22 Feb 2011 10:22:16 -0800 (PST),
James A. Peltier jpelt...@sfu.ca wrote:

> Those documents do not necessarily apply any more.  Don't go tweaking
> knobs until you know what they do.  We have machines here that
> transfer nearly a gigabit of traffic/s without tuning in bridge mode
> non-the-less.
>
> Are you seeing any packet congestion markers (counter congestion) in
> systat pf?  If so you might not have sufficient states available

I log the congestion counter (each 10s) and there are at max 3 or 4
congestions per day. I don't think the bottleneck is pf.

> What about fragmentation?

None.

> Interface errors?

Quite a lot.

> There are many other non-tweakable issues that could cause this.

Sure, it's hard to know.

Thanks, regards.



network bandwith with em(4)

2011-02-22 Thread Patrick Lamaiziere
(4.8/amd64)

Hello,

I'm using two ethernet cards Intel 1000/PRO quad ports (gigabit) on a
firewall (one fiber and one copper).

The problem is that we don't get more than ~320 Mbits/s of bandwidth
between the internal networks and internet (gigabit).

As far as I can see, on load there is a number of Ierr on the interface
connected to Internet (between 1% to 5%).

Also the interrupt rate on this card is around ~7500 (using systat). In
the em(4) driver, there is a limitation of the interrupt rate at 8000/s.

if_em.h
/*
 * MAX_INTS_PER_SEC (ITR - Interrupt Throttle Register)
 * The Interrupt Throttle Register (ITR) limits the delivery of interrupts
 * to a reasonable rate by providing a guaranteed inter-interrupt delay
 * between interrupts asserted by the Ethernet controller.
 */
#define MAX_INTS_PER_SEC	8000

Do you think I can increase this value? The interrupt rate of the
machine is at max ~60% (top).

Other ideas to increase the bandwidth would be welcome too. I don't
think the limitation comes from PF because I don't see any congestion.

thanks, regards.

--
dmesg:
em0 at pci5 dev 0 function 0 Intel PRO/1000 QP (82571EB) rev
0x06: apic 1 int 13 (irq 14), address 00:15:17:ed:98:9d

em4 at pci9 dev 0 function 0 Intel PRO/1000 QP (82575GB) rev 0x02:
apic 1 int 23 (irq 11), address 00:1b:21:38:e0:80



Re: network bandwith with em(4)

2011-02-22 Thread Patrick Lamaiziere
On Tue, 22 Feb 2011 11:19:26 -0600,
Mark Nipper ni...@bitgnome.net wrote:

> > The problem is that we don't get more than ~320 Mbits/s of bandwidth
> > between the internal networks and internet (gigabit).
>
> Have you already looked at:
> ---
> https://calomel.org/network_performance.html

Yes, thanks. I've already increased the size of
net.inet.ip.ifq.maxlen.

But I don't see the point of these tunings for a firewall. IMHO, they
could help for a host handling tcp/udp connections.

Anyway, I've tried, that does not change anything and I don't think it
should.

I'm not a network expert, I could be wrong. Let's see:
## Calomel.org  OpenBSD  /etc/sysctl.conf
##
kern.maxclusters=128000 # Cluster allocation limit

=> netstat -m reports a peak of *only* 2500 mbufs used.

net.inet.ip.mtudisc=0   # TCP MTU (Maximum Transmission Unit)

=> still at 1. I don't use scrub in pf or mss clamping.

net.inet.tcp.ackonpush=1 # acks for packets with the push bit

=> only one TCP connection on the firewall (ssh).

net.inet.tcp.ecn=1  # Explicit Congestion Notification enabled

net.inet.tcp.mssdflt=1472   # maximum segment size (1472 from scrub
pf.conf)

=> same here, I guess the default mss is for connections from the
machine. tcpdump shows that the mss is negotiated around 1450. Looks
good.

net.inet.tcp.recvspace=262144 # Increase TCP receive window size
to increase performance

=> same, no tcp nor udp...

Am I wrong?

Thanks, regards.



dump device

2011-02-08 Thread Patrick Lamaiziere
[4.8/amd64]

Hello,

Is there a way to change the dump device without rebuilding the kernel?
It's not clear if config(8) -e is able to do this.

Thanks, regards.



Re: PF: Route packets out specific interface with NAT

2011-01-31 Thread Patrick Lamaiziere
On Mon, 31 Jan 2011 18:24:04 +0100,
Joachim Tingvold joac...@tingvold.com wrote:

> Hi,

Hello,

> This does not work at all. If I change

http://www.openbsd.org/faq/pf/carp.html#RulesetTips

Ruleset Tips
Filter the physical interface. As far as PF is concerned, network
traffic comes from the physical interface, not the CARP virtual
interface (i.e., carp0).



netflow and ipv6?

2011-01-24 Thread Patrick Lamaiziere
Hello,

Are there some plans to implement netflow v9 in pflow(4) (to be able to
trace ipv6 flows)?

Without it, which collector can I use in userland? And is the load
introduced by such a userland tool a concern with the network traffic
passing the firewall at around ~500Mb/s?

Thanks, regards.



Re: Another carp problem.

2011-01-01 Thread Patrick Lamaiziere
On Fri, 31 Dec 2010 18:09:40 +0100,
Alessandro Baggi alessandro.ba...@gmail.com wrote:

> To exclude also pf rules problem, I've tried a rule set as:
>
> match...nat-to...
>
> pass all
>
> but the problem persists.
>
> Other Issue?

Hmmm OK, I don't know where the problem is.

I've recently made a lot of tests with carp and pfsync without any
problem (on 4.8/amd64). IMO it should work (but I don't use the
carp peer option).

One remark: you should use a dedicated interface for pfsync. In your
setup, rl0 is shared by pfsync and carp1. This makes no sense.

Best regards and happy new year to all.



Re: Another carp problem.

2010-12-31 Thread Patrick Lamaiziere
On Thu, 30 Dec 2010 19:58:21 +0100,
Alessandro Baggi alessandro.ba...@gmail.com wrote:

> these are my pf rules for carp and pfsync:
>
> pass in quick proto pfsync
> pass in quick proto carp
>
> ..
> block in all
> ...

And for output?



Re: soekris + openbsd server buy question

2010-12-03 Thread Patrick Lamaiziere
On Fri, 3 Dec 2010 19:28:19 +0800 (CST),
shweg...@gmail.com wrote:

> Hello, I'm considering buying a Soekris net5501-70 and install
> OpenBSD on it to make myself a small server and use it as a proxy
> (ssh tunnel), it might serve as backup file server as well. I guess at
> the most there will be two-three computers connected at the same
> time, and there might be some streaming video going through, like the
> videos you find on online newspapers. I have googled around, and read
> that this kind of hardware is fine as a router but not so much as a
> server. Is it true? Thank you for any
> suggestions.

It depends on the connection, do not expect a 100 Mbit/s link.
I use a net5501 for my all-in-one box (file server (samba), printer
sharing, router, ...). The file server is not very fast but is enough
for doing backups. (From time to time, I back up the server to an
external usb disk).

> I was also considering using a netbook for the task. What
> about it?

I don't think a netbook will be reliable running 24 hours a day.

This was my only concern with the net5501, the reliability of the
internal 2.5 disk drive; it looks good after 3 years.

Check the soekris-tech mailing list, questions about performances are
often asked.



Re: soekris + openbsd server buy question

2010-12-03 Thread Patrick Lamaiziere
On Fri, 3 Dec 2010 08:44:43 -0500,
Adam M. Dutko dutko.a...@gmail.com wrote:

> The specifications for the Soekris system you mentioned don't lead me
> to be believe they'd be great for file server duty.  When I think of
> file servers I think of fast disk (5501 can use SATA so that's a
> plus)

On the net5501 this is not a real SATA, the box uses a PATA-SATA adapter
behind the cs5536 chipset.



ifconfig and carp demote count

2010-11-16 Thread Patrick Lamaiziere
(4.8/amd64)

Hello,

Looks like the carp demote count is limited to 255 but the max value
in ifconfig is less than or equal to 128.

# ifconfig -g carp 
carp: carp demote count 0
# ifconfig -g carp carpdemote 100
# ifconfig -g carp carpdemote 100 
# ifconfig -g carp
carp: carp demote count 200
# ifconfig -g carp -carpdemote 200  
ifconfig: invalid carp demotion: too large

Thanks, regards.



Re: (4.8) OpenBGPd sometimes does not send the routes to the peer.

2010-11-09 Thread Patrick Lamaiziere
On Mon, 8 Nov 2010 20:03:11 +0100,
Claudio Jeker cje...@diehard.n-r-g.com wrote:


> > Can you run a bgpctl show rib detail 129.20.0.0/16 and a bgpctl
> > show table. For some reason none of the above routes got selected
> > and so nothing is redistributed. It looks like the decision process
> > is turned off. So it is not what I first thought the problem is.
> >

Just in case:
# bgpctl show rib detail 129.20.0.0/16

BGP routing table entry for 129.20.0.0/16
Nexthop 0.0.0.0 (via 0.0.0.0) from LOCAL (193.51.184.25)
Origin IGP, metric 0, localpref 100, internal, valid, announced
Last update: 15:37:39 ago

> Doh! I should read the log more carefully, the hint is there:
>
> new ktable rdomain_0 for rtableid 0
> listening on 0.0.0.0
> change to/from route-collector mode ignored
> RDE reconfigured
>
> In other words the daemon came up in route-collector mode and so no
> paths are validated. Figured it out at the airport by just looking
> at the code and swearing.
>
> Diff is untested but I guess everyone agrees that a bit more memory
> initialisation could help.

It looks better, I'm not able to reproduce the problem with this patch
(applied on 4.8 src).

Thanks a lot!
Regards.



(4.8) quagga and tcp-md5 signature

2010-11-08 Thread Patrick Lamaiziere
Hello,

Do you know if Quagga in OpenBSD 4.8 implements the tcp-md5
signature (for BGP) ? Looks like it does not work.

Thanks, regards.



Re: (4.8) quagga and tcp-md5 signature

2010-11-08 Thread Patrick Lamaiziere
On Mon, 8 Nov 2010 15:14:49 +0100,
David Coppa dco...@gmail.com wrote:

> > Do you know if Quagga in OpenBSD 4.8 implements the tcp-md5
> > signature (for BGP) ? Looks like it does not work.
>
> Why using quagga when you have bgpd (which is in the tree and supports
> md5 signatures as well)?

Because: http://www.mail-archive.com/misc@openbsd.org/msg96725.html

I would prefer to use OpenBGPd.



Re: (4.8) OpenBGPd sometimes does not send the routes to the peer.

2010-11-08 Thread Patrick Lamaiziere
On Mon, 8 Nov 2010 16:07:06 +0100,
Claudio Jeker cje...@diehard.n-r-g.com wrote:

> Have you checked if the networks were actually added to the RIB?

Do you mean bgpctl show rib ? No.
Well, it takes some time but I'm able to reproduce this: 

# bgpctl show rib
flags: * = Valid, > = Selected, I = via IBGP, A = Announced
origin: i = IGP, e = EGP, ? = Incomplete

flags destination               gateway                          lpref   med aspath origin
AI*   129.20.0.0/16             0.0.0.0                            100     0 i
AI*   148.60.0.0/16             0.0.0.0                            100     0 i
*     192.168.1.0/24            193.51.184.26                      100     0 2200 i
AI*   193.52.12.0/24            0.0.0.0                            100     0 i
AI*   193.52.37.0/24            0.0.0.0                            100     0 i
AI*   193.52.56.0/24            0.0.0.0                            100     0 i
AI*   193.52.60.0/24            0.0.0.0                            100     0 i
AI*   195.220.94.0/24           0.0.0.0                            100     0 i
AI*   2001:660:7307::/48        ::                                 100     0 i
*     2001:660:7310:10::/80     2001:660:7300:1005:0:38:0:2200     100     0 2200 i
--
--

And there is nothing announced in show rib out neig PEER.

OK for incoming routes:
# bgpctl show rib in neig RenaterV4
flags: * = Valid, > = Selected, I = via IBGP, A = Announced
origin: i = IGP, e = EGP, ? = Incomplete

flags destination           gateway          lpref   med aspath origin
*     192.168.1.0/24        193.51.184.26      100     0 2200 i

The peer (running OpenBGPd but on FreeBSD) does not receive any route

I keep the BGP session up if you need more information.

Thanks, regards.



(4.8) OpenBGPd sometimes does not send the routes to the peer.

2010-11-03 Thread Patrick Lamaiziere
(4.8/amd64)

Hello,

I'm doing some tests with OpenBGPd and sometimes (quite often, in fact),
when I restart bgpd it no longer sends the routes to the peer.
The routes are static and configured in bgpd.conf.

How to repeat:
# bgpd -d -v
wait until the routes are sent to the peer.
^D
shoot again

After a few tests (around 5), bgpd does not send the routes:

# bgpctl sh rib out nei RenaterV4
flags: * = Valid, > = Selected, I = via IBGP, A = Announced
origin: i = IGP, e = EGP, ? = Incomplete

flags destination           gateway          lpref   med aspath origin
-

But it gets the incoming routes from the peer:

# bgpctl sh rib in nei RenaterV4
flags: * = Valid, > = Selected, I = via IBGP, A = Announced
origin: i = IGP, e = EGP, ? = Incomplete

flags destination           gateway          lpref   med aspath origin
*     192.168.1.0/24        193.51.184.26      100     0 2200 i

# bgpctl sh nei
BGP neighbor is 193.51.184.26, remote AS 2200
 Description: RenaterV4
  BGP version 4, remote router-id 193.51.184.26
  BGP state = Established, up for 00:20:14
  Last read 00:00:13, holdtime 90s, keepalive interval 30s
  Neighbor capabilities:
    Multiprotocol extensions: IPv4 unicast
    Route Refresh
    4-byte AS numbers

  Message statistics:
                      Sent       Received
  Opens                  5              1
  Notifications          0              0
  Updates                0              1
  Keepalives            41             41
  Route Refresh          0              0
  Total                 46             43

  Update statistics:
                      Sent       Received
  Updates                0              1
  Withdraws              0              0

  Local host:  193.51.184.25, Local port:  42098
  Remote host: 193.51.184.26, Remote port:   179

(same for the renaterV6 peer)

--

log:
http://user.lamaiziere.net/patrick/obgpd/log-bgpd.txt

bgpd.conf
http://user.lamaiziere.net/patrick/obgpd/bgpd.conf.txt

Any help would be nice. Thanks, regards.
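The symptom reported above (session Established, networks present in the local RIB with the A flag, yet nothing in the Adj-RIB-Out and zero UPDATEs sent) is exactly the kind of thing a monitoring job should catch before a peer notices. The following is an added example, not code from the post or from OpenBGPD: it parses captured `bgpctl` text in the layout shown above (`show rib`, `show rib out neighbor <peer>`, `show neighbor`) and returns the findings to alert on. The sample outputs are constructed from the figures in the post; the `bgpctl` column layout is assumed from what the post shows.

```python
"""Offline consistency check between bgpd's RIB, the per-peer Adj-RIB-Out
and the neighbor message counters. Added example, not part of the post or
of OpenBGPD; it only parses captured `bgpctl` text, so it runs anywhere.
"""
import re
from dataclasses import dataclass

# Constructed samples modelled on the post: two locally announced networks,
# an empty Adj-RIB-Out and a neighbor that has sent no UPDATE at all.
RIB_TXT = """\
flags: * = Valid, > = Selected, I = via IBGP, A = Announced
origin: i = IGP, e = EGP, ? = Incomplete

flags destination          gateway          lpref   med aspath origin
AI*>  129.20.0.0/16        0.0.0.0            100     0 i
AI*>  148.60.0.0/16        0.0.0.0            100     0 i
*>    192.168.1.0/24       193.51.184.26      100     0 2200 i
"""
RIB_OUT_EMPTY_TXT = """\
flags: * = Valid, > = Selected, I = via IBGP, A = Announced
origin: i = IGP, e = EGP, ? = Incomplete

flags destination          gateway          lpref   med aspath origin
"""
NEIGHBOR_BAD_TXT = """\
BGP neighbor is 193.51.184.26, remote AS 2200
 Description: RenaterV4
  BGP state = Established, up for 00:20:14
  Message statistics:
                      Sent       Received
  Opens                  5              1
  Updates                0              1
  Keepalives            41             41
"""
# Healthy variant of the same neighbor: two UPDATEs went out.
NEIGHBOR_OK_TXT = re.sub(r"Updates\s+0", "Updates 2", NEIGHBOR_BAD_TXT)


@dataclass
class Route:
    flags: str      # any of "*", ">", "I", "A" as printed by bgpctl
    prefix: str
    gateway: str
    lpref: int
    med: int
    aspath: str     # empty for locally announced networks
    origin: str


def parse_rib(text):
    """Rows of a `bgpctl show rib ...` table, in order (assumed layout)."""
    routes, in_table = [], False
    for line in text.splitlines():
        if line.startswith("flags destination"):
            in_table = True
            continue
        if not in_table or not line.strip() or line.startswith("-"):
            continue
        t = line.split()
        # The flags column is blank for a path that is neither valid nor
        # selected; such a row then starts with the prefix itself.
        if "/" in t[0]:
            t.insert(0, "")
        routes.append(Route(t[0], t[1], t[2], int(t[3]), int(t[4]),
                            " ".join(t[5:-1]), t[-1]))
    return routes


def parse_neighbor(text):
    """Session state and UPDATE counters from `bgpctl show neighbor`."""
    state = re.search(r"BGP state = (\w+)", text)
    stats = re.search(r"Message statistics:.*?^\s*Updates\s+(\d+)\s+(\d+)",
                      text, re.S | re.M)
    return {"state": state.group(1) if state else None,
            "updates_sent": int(stats.group(1)) if stats else None,
            "updates_received": int(stats.group(2)) if stats else None}


def check_peer(rib_txt, rib_out_txt, neighbor_txt):
    """Findings a monitoring job would alert on; an empty list is healthy."""
    findings = []
    announced = [r for r in parse_rib(rib_txt) if "A" in r.flags]
    sent_out = parse_rib(rib_out_txt)
    nei = parse_neighbor(neighbor_txt)
    if nei["state"] != "Established" or not announced:
        return findings          # nothing can be expected on the wire yet
    if not sent_out:
        findings.append(f"{len(announced)} announced prefix(es) in the RIB "
                        "but Adj-RIB-Out for the peer is empty")
    else:
        missing = {r.prefix for r in announced} - {r.prefix for r in sent_out}
        if missing:
            findings.append("announced but not in Adj-RIB-Out: "
                            + ", ".join(sorted(missing)))
    if nei["updates_sent"] == 0:
        findings.append("no UPDATE message sent to the peer in this session")
    return findings


if __name__ == "__main__":
    for f in check_peer(RIB_TXT, RIB_OUT_EMPTY_TXT, NEIGHBOR_BAD_TXT):
        print("ALERT:", f)
```

Feeding it live output (`bgpctl show rib`, `bgpctl show rib out neighbor <peer>`, `bgpctl show neighbor <peer>`) from a cron job turns the bug above into an alert instead of a silent outage; the two findings it raises on the post's figures disappear once the Adj-RIB-Out is populated and the UPDATE counter moves.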



PF set skip on interface group

2010-10-25 Thread Patrick Lamaiziere
Hello,

(snapshot 4.8/amd64)

I'm trying to write a hardware-independent pf.conf using some interface
groups.

PacketFilter's set skip does not seem to work with interface groups.

# ifconfig IFPFSYNC
bnx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:22:19:5b:ad:da
        description: PFSYNC
        priority: 0
        groups: IFPFSYNC
        media: Ethernet autoselect (1000baseT full-duplex,master)
        status: active
        inet 192.168.255.253 netmask 0xfffc broadcast 192.168.255.255
        inet6 fe80::222:19ff:fe5b:adda%bnx0 prefixlen 64 scopeid 0xb

and in pf.conf :
set skip on { lo, IFPFSYNC }

# pfctl -vvvs Interfaces -i bnx0
bnx0

# pfctl -vvvs Interfaces -i IFPFSYNC
IFPFSYNC (skip)

I think that bnx0 should be set to skip too, no?

Also pflog shows that bnx0 is not skipped.

Thanks, regards.
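Whatever the kernel ends up doing with `set skip on <group>`, the thing to verify on a firewall is that every physical member of the skipped group is itself flagged `(skip)`, because pfsync traffic hitting a filtered interface is what breaks state synchronisation. The following is an added example, not code from the post or from OpenBSD: it reconciles the pf.conf `set skip` line, `pfctl -vvs Interfaces` and `ifconfig` output offline and lists group members that carry no skip flag. The three samples are constructed from the interfaces named in the post; the `pfctl` line layout (name, then `(skip)` when flagged, indented counter lines in between) is assumed.

```python
"""Offline check: does every member of a skipped pf interface group carry
the skip flag itself? Added example, not code from the post or OpenBSD.
"""
import re

# Constructed samples modelled on the post: lo and IFPFSYNC are skipped in
# pf.conf, and bnx0 is the only member of IFPFSYNC.
PF_CONF_LINE = "set skip on { lo, IFPFSYNC }"

# `ifconfig` output; only the interface header and "groups:" lines are used.
IFCONFIG_OUT = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        priority: 0
        groups: lo
bnx0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        description: PFSYNC
        priority: 0
        groups: IFPFSYNC
bnx1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        priority: 0
        groups: egress
"""

# `pfctl -vvs Interfaces` output (assumed layout): one name per line with
# "(skip)" appended when the flag is set, indented counter lines between.
# As in the post, the group is flagged but its member bnx0 is not.
PFCTL_OUT = """\
all
bnx0
        Cleared:     Mon Oct 25 10:00:00 2010
        References:  1
bnx1
egress
IFPFSYNC (skip)
lo (skip)
lo0 (skip)
"""


def parse_set_skip(conf_line):
    """Names listed in a pf.conf 'set skip on' statement, with or without braces."""
    m = re.search(r"set skip on\s+(?:\{([^}]*)\}|(\S+))", conf_line)
    if not m:
        return []
    body = m.group(1) if m.group(1) is not None else m.group(2)
    return [n for n in re.split(r"[\s,]+", body.strip()) if n]


def skipped_names(pfctl_text):
    """Interfaces and groups that pfctl marks '(skip)'."""
    skipped = set()
    for line in pfctl_text.splitlines():
        if line[:1].isspace():          # -v / -vv counter lines
            continue
        m = re.match(r"(\S+) \(skip\)$", line)
        if m:
            skipped.add(m.group(1))
    return skipped


def group_members(ifconfig_text):
    """Map each interface group to the set of interfaces belonging to it."""
    members, iface = {}, None
    for line in ifconfig_text.splitlines():
        head = re.match(r"(\S+): flags=", line)
        if head:
            iface = head.group(1)
            continue
        grp = re.match(r"\s+groups:\s+(.*)$", line)
        if grp and iface:
            for g in grp.group(1).split():
                members.setdefault(g, set()).add(iface)
    return members


def unskipped_members(conf_line, pfctl_text, ifconfig_text):
    """For each skipped name that is a group, the members pfctl does not skip."""
    skipped = skipped_names(pfctl_text)
    members = group_members(ifconfig_text)
    report = {}
    for name in parse_set_skip(conf_line):
        missing = sorted(i for i in members.get(name, set()) if i not in skipped)
        if missing:
            report[name] = missing
    return report


if __name__ == "__main__":
    for grp, ifs in unskipped_members(PF_CONF_LINE, PFCTL_OUT, IFCONFIG_OUT).items():
        print(f"group {grp} is skipped but member(s) {', '.join(ifs)} are not")
```

Run against live output (`grep 'set skip' /etc/pf.conf`, `pfctl -vvs Interfaces`, `ifconfig`) it gives a yes/no answer to the question in the post for every skipped group at once; the `lo` group in the sample shows the healthy case, where the member `lo0` is flagged and nothing is reported.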



(snapshot 4.8) acpi button (on/off) not found on Dell Poweredge R610.

2010-10-18 Thread Patrick Lamaiziere
Hello,

I'm using a snapshot of 4.8/amd64 (October 6) and I'm not able to
shut the box down properly using the power on/off button.

The machine is a Dell PowerEdge R610:
bios0: vendor Dell Inc. version 2.1.9 date 05/21/2010
bios0: Dell Inc. PowerEdge R610

full dmesg : http://user.lamaiziere.net/patrick/dmesg-open48.txt
acpidump : http://user.lamaiziere.net/patrick/acpidump.tar.gz

sensors:
# sysctl -a | grep sensor   
hw.sensors.cpu0.temp0=46.00 degC
hw.sensors.cpu1.temp0=46.00 degC
hw.sensors.cpu2.temp0=46.00 degC
hw.sensors.cpu3.temp0=46.00 degC
hw.sensors.cpu4.temp0=46.00 degC
hw.sensors.cpu5.temp0=46.00 degC
hw.sensors.cpu6.temp0=46.00 degC
hw.sensors.cpu7.temp0=46.00 degC
hw.sensors.mfi0.drive0=online (sd0), OK

The button works fine on FreeBSD; tell me if a FreeBSD dmesg would
be useful.

Thanks, regards.



carp and IPv6 duplicate IP6 address

2010-10-15 Thread Patrick Lamaiziere
Hello,

(snapshot 4.8/amd64)

I'm playing with carp in master/backup mode. When a server becomes
inactive (from master to backup or from backup to master) there is a
duplicate IP6 address. Is it bad, doctor?

For example, on the master:
Oct 15 15:34:27 ucop1 /bsd: carp1: state transition: MASTER -> BACKUP
Oct 15 15:34:27 ucop1 /bsd: carp16: state transition: MASTER -> BACKUP
Oct 15 15:34:27 ucop1 /bsd: nd6_na_input: duplicate IP6 address fe80:0014::0200:5eff:fe00:0110
Oct 15 15:34:27 ucop1 /bsd: nd6_na_input: duplicate IP6 address 2001:0660:7307:0001:0002::000f

I use IPv6 only on carp16.
/etc/hostname.carp16
carpdev em0 vhid 16 pass 
inet6 2001:660:7307:1:2::f/80
up

Thanks, regards.



Re: Carp Master / Backup

2010-10-15 Thread Patrick Lamaiziere
On Fri, 15 Oct 2010 15:29:30 +0100,
Harrower Gary (NHS National Services Scotland)
gary.harro...@nhs.net wrote:

 Hi,

 Any ideas why they were both trying to be master?

Did you set carp preemption on both machines?