[cryptography export] OpenBSD solution for usage within EAR/CRF defined rogue states.

2016-07-07 Thread Per Engelbrecht
Hi misc@
I have been assigned a task with an extremely short timeline. The objective is
to produce an EAR/CRF compliant laptop based workplace solution with as many
bells and whistles as possible (anything from VPN, MTA, LibreOffice to SAPgui
and more) on non-US produced OS and hardware.
I have looked at mtier.org and expect that there are other vendors out there
providing the same kind of service and solution, but with a two week timeline
it is not even feasible to have any of these vendors processed for usage and I
need to produce a stand-alone OpenBSD based laptop solution now.

Anybody on the list who can offer some advice or experience?
It will be much appreciated.
/Per
 



Could someone please tell Mark Kettenis that ..

2006-11-14 Thread Per Engelbrecht

Hi all,

Could someone close to Mark Kettenis please tell Mark to get in touch 
with me directly/off-list, thank you.


The best to you all,

/per

[EMAIL PROTECTED]

--


The most worth-while thing is to try to put happiness into the lives of 
others.


- Sir Robert Baden-Powell



Syskonnect [msk] problem

2006-10-09 Thread Per Engelbrecht

Hi all,

i386 / 4.0 (Aug. 28 2006 23:10 snap)
dmesg below.

I am replacing a couple of high-traffic routers in our datacenter and 
have just received (among others) a bunch of Syskonnect SK-9X22 dual 
Gbit server adapters for the job.
These NICs should be supported by the 'msk' driver from 3.9-current as 
of ~ Aug. 20 2006 and they are also recognized by the system ... sort 
of. For comparison please note the 'bge' NICs.



Please note that on the Supermicro X6DH8-XB board I have disabled (in 
bios or by jumper):

ACPI
HTT
COM2
onboard 'bge' NICs (enabled while debugging)
Adaptec U320 controller


Any kind of input that can bring me closer to a couple of working 
systems is appreciated a lot.



From dmesg
[...]

OpenBSD 4.0 (GENERIC) #1097: Mon Aug 28 22:11:47 MDT 2006
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(TM) CPU 3.20GHz (GenuineIntel 686-class) 3.21 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,CX16
real mem  = 2146484224 (2096176K)
avail mem = 1949913088 (1904212K)
using 4256 buffers containing 107425792 bytes (104908K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(ce) BIOS, date 01/24/06, BIOS32 rev. 0 @ 0xfd420, 
SMBIOS rev. 2.33 @ 0x7ff79000 (41 entries)
bios0: Supermicro X6DH8-XB
pcibios0 at bios0: rev 2.1 @ 0xfd420/0xbe0
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfde20/448 (26 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82371FB ISA rev 0x00)
pcibios0: PCI bus #10 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x1000
ipmi at mainbus0 not configured
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel E7520 MCH rev 0x0c
Intel E7520 MCH ERR rev 0x0c at pci0 dev 0 function 1 not configured
Intel E7520 MCH DMA rev 0x0c at pci0 dev 1 function 0 not configured
ppb0 at pci0 dev 2 function 0 Intel MCH PCIE rev 0x0c
pci1 at ppb0 bus 1
ppb1 at pci1 dev 0 function 0 Intel PCIE-PCIE rev 0x09
pci2 at ppb1 bus 2
mskc0 at pci2 dev 1 function 0 Schneider & Koch SK-9Sxx rev 0x14, Marvell 
Yukon-2 XL rev. A3 (0x3): irq 5
msk0 at mskc0 port A, address 00:00:5a:72:e0:4e
msk0: phy failed to come ready
msk0: no PHY found!
msk1 at mskc0 port B, address 00:00:5a:72:e0:4f
msk1: phy failed to come ready
msk1: no PHY found!
mskc1 at pci2 dev 3 function 0 Schneider & Koch SK-9Sxx rev 0x14, Marvell 
Yukon-2 XL rev. A3 (0x3): irq 5
msk2 at mskc1 port A, address 00:00:5a:72:e1:7f
msk2: phy failed to come ready
msk2: no PHY found!
msk3 at mskc1 port B, address 00:00:5a:72:e1:80
msk3: phy failed to come ready
msk3: no PHY found!
Intel IOxAPIC rev 0x09 at pci1 dev 0 function 1 not configured
ppb2 at pci1 dev 0 function 2 Intel PCIE-PCIE rev 0x09
pci3 at ppb2 bus 3
mskc2 at pci3 dev 1 function 0 Schneider & Koch SK-9Sxx rev 0x14, Marvell 
Yukon-2 XL rev. A3 (0x3): irq 5
msk4 at mskc2 port A, address 00:00:5a:72:e0:30
msk4: phy failed to come ready
msk4: no PHY found!
msk5 at mskc2 port B, address 00:00:5a:72:e0:31
msk5: phy failed to come ready
msk5: no PHY found!
Intel IOxAPIC rev 0x09 at pci1 dev 0 function 3 not configured
ppb3 at pci0 dev 4 function 0 Intel MCH PCIE rev 0x0c
pci4 at ppb3 bus 4
bge0 at pci4 dev 0 function 0 Broadcom BCM5721 rev 0x11, BCM5750 B1 (0x4101): 
irq 5, address 00:30:48:78:76:a8
brgphy0 at bge0 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
ppb4 at pci0 dev 5 function 0 Intel MCH PCIE rev 0x0c
pci5 at ppb4 bus 5
bge1 at pci5 dev 0 function 0 Broadcom BCM5721 rev 0x11, BCM5750 B1 (0x4101): 
irq 5, address 00:30:48:78:76:a9
brgphy1 at bge1 phy 1: BCM5750 10/100/1000baseT PHY, rev. 0
ppb5 at pci0 dev 6 function 0 Intel MCH PCIE rev 0x0c
pci6 at ppb5 bus 6
ppb6 at pci0 dev 7 function 0 Intel MCH PCIE rev 0x0c
pci7 at ppb6 bus 7
ppb7 at pci7 dev 0 function 0 Intel PCIE-PCIE rev 0x09
pci8 at ppb7 bus 8
mskc3 at pci8 dev 1 function 0 Schneider & Koch SK-9Sxx rev 0x14, Marvell 
Yukon-2 XL rev. A3 (0x3): irq 5
msk6 at mskc3 port A, address 00:00:5a:72:e0:42
msk6: phy failed to come ready
msk6: no PHY found!
msk7 at mskc3 port B, address 00:00:5a:72:e0:43
msk7: phy failed to come ready
msk7: no PHY found!
Intel IOxAPIC rev 0x09 at pci7 dev 0 function 1 not configured
ppb8 at pci7 dev 0 function 2 Intel PCIE-PCIE rev 0x09
pci9 at ppb8 bus 9
Intel IOxAPIC rev 0x09 at pci7 dev 0 function 3 not configured
uhci0 at pci0 dev 29 function 0 Intel 82801EB/ER USB rev 0x02: irq 5
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1 at pci0 dev 29 function 1 Intel 82801EB/ER USB rev 0x02: irq 11
usb1 at uhci1: USB revision 1.0
uhub1 at usb1
uhub1: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2 at pci0 dev 29 function 2 Intel 82801EB/ER USB rev 0x02: irq 7
usb2 at uhci2: USB revision 1.0
uhub2 at usb2
uhub2: Intel UHCI root hub, rev 1.00/1.00, addr 1

Re: OT Media-Converters, was Re: BGP router now running desp. low on mem.

2006-09-21 Thread Per Engelbrecht

Siegbert Marschall wrote:

Hi,

  

##
Physical connection: #
##
We are terminating with this carrier in a FE port but due to the
distance between them and us at the datacenter location, a FDDI
connection was placed in between like:

[our
router][100baseTX][IMC**]//..fiber..//[IMC**][100baseTX][switch
integrated in a Cisco 7200 iron][Cisco iron itself/router]

* Attenuation on the FDDI part was 1.2db respectively 1.3db which is not
brilliant, but okay. More importantly it's within the specifications of
the IMC's.

** (IMC = MOXA Industrial Media Converter 101 a.k.a. IMC-101 for both
Single- and Multi mode / SC connectors. We even replaced these with MOXA
EDS-208-M-SC (larger model) as well).



I think here you have the problems. I can't see any FDDI stuff in this
drawing so I will assume for the moment that it is just a FDDI type fiber
you are connected to and everything else is Ethernet. The IMC-101 is
just a plain media-converter without any Layer-2 capabilities according
to http://www.moxa.com/product/IMC-101.htm but they are not completely
dumb devices, so one has to be careful with them.
  


I chose Moxa because we have very good experience with their other 
products (embedded solutions, RS-232 etc.) and because the IMC-101 (and 
EDS-208) all comply with the IEEE 802.3 standard - and from the Moxa 
doc.: "...provides industrial grade media conversion between 
10/100BaseT(X) and 100BaseFX."
Maybe I've presumed too much, but I took (from the above) layer-2 
capabilities for granted.



In the connection above there is something very important to know:

Autonegotiation activated in any part of the setup is a bit like playing
Russian roulette. Either the whole chain supports it perfectly or you are
fd. Make sure that you have Autonegotiation off _everywhere_ and
everything is set and bolted to Fullduplex, otherwise you might get the
strangest and hard to trace errors. I helped someone troubleshoot a
similar setup at his decix connection a few years ago and they had been
swapping media-converters back and forth till we just used a switch
as media converter catching the FDX/HDX issue in the middle, so the
ends were happy and some people were wondering for a few weeks
to whom the new mac address (of the switch) belonged which suddenly
appeared in the decix mesh till the link got switched over to fiber
end to end.
  


I'm well aware of that particular problem which is why I gave the new 
carrier a list of termination settings firsthand and later we've also 
gone up and down all the speed- and duplex-mode (and other) settings 
during the troubleshooting (another nice feature that initially added to 
the go-list on the Moxa IMC's was indeed the dip switch on Moxa's 
converters giving an opportunity to choose between 'auto' and 
'full-duplex').


I think you are on to something / you are right about the (maybe) 
missing layer-2 feature and/or a faulty FDX/HDX issue.


About the mac; I can almost picture the wrinkles in someone's forehead :)

I am not of the opinion of the other poster, media-converters are
not bad. But they are devices which need to be treated with respect,
not everything can be transparently converted to other media.
There normally aren't any FLP pulses on fiber since it is FDX by
nature, so FDX/HDX negotiation is troublesome. Some converters
emulate it or catch the autoneg but whether the equipment you connect
to the converter is capable of actually talking to it is also not
for sure.

-sm
  


Thank you very much for your thorough answer Siegbert and it's been nice 
to hear from someone who has been through the same exercise.
  



/per
[EMAIL PROTECTED]



Re: OT Media-Converters, was Re: BGP router now running desp. low on mem.

2006-09-21 Thread Per Engelbrecht

Diana Eichert wrote:

Just wanted to throw in my US$.02 worth on the media converter issue.  At
my place of employment a facility design decision was taken a few years
ago mandating all fiber buildings.  It was pretty obvious they were
clueless about commodity h/w so now we have this huge installation of IMC
media converters.

We have seen the exact same issues related to auto negotiation with a lot
of our hosts.
  


I know that we've been through all negotiation settings, which is why I 
think the problem is caused by some sort of TX/FX related error 
(unfortunately I'll never know for sure). Thank you for the input Diana.


/per
[EMAIL PROTECTED]


diana




Re: BGP router now running desperately low on memory [epilogue]

2006-09-20 Thread Per Engelbrecht

Hi all,

Just to make sure nobody's sitting and wondering what happened with this 
thread, here's a final mail with a short description of what's 
cooking right now and what was boiling back then.


Below you'll find:
- case
- situation
- conclusion
- physical connection
- hardware
- a few tips


##
Case: #
##
When I added another bgp peer to my router the overall network/routing 
performance on the server was brought to an almost staggering halt until 
I downed the bgp session again.



##
Situation: #
#
At first I had warp speed on the wire and all tests on the connection 
(*) seemed okay.
Trivialities like speed, duplex, MTU settings etc. were agreed upon 
before the connection was established.
The time elapsed from initiating the BGP session to severe performance 
degradation was 2 minutes and if I did not down the BGP session within 
the next minute (literally) then routing and network performance would 
drop like a piano out of the sky. In short I was using all mbufs (Kbytes 
allocated to network 97%).
Raising kern.maxclusters stepwise gave me a short-lived break until I 
reached a given point (see tips below). Above that I gained nothing and 
stopped raising it any further.


The new carrier had a lot of alignment errors (CRC/FCS) and packet size 
problems (Jabbers/rxOversizedPkts) in their log / on their side. We 
both had heavy packet losses after these few minutes.
'tcpdump' did not reveal any significant signs of a sick connection on 
my side.
A lot of testing has been done since. The connection, however, is still 
not running, but adjustments on the peer's side and replacements on the 
connection itself have raised the panic threshold from 2 min. to around 
18 min. before disaster strikes.




Conclusion: #
###
I'll receive a fiber directly to my front door from the new peer shortly 
i.e. we'll bypass the copper-fiber-copper connection. I don't like not 
being able to pinpoint the problem before moving on, but I have no way 
of seeing what's going on on the other side. I have an idea that the 
Cisco box and the converters do not like each other, but again it's only 
a guess.


What I do know is that an error-prone connection combined with a well 
connected BGP peer can jeopardize an entire BGP router's performance.
BGP can not see how well the connection is running - it can only see 
link, and link = traffic = congestion.


I can not claim to have found the 'holy grail' in BGP troubleshooting 
but I can rightfully claim that I've eliminated my OpenBGPD as source of 
error (both as i386 and amd64) and I can also rightfully claim to have 
found a few settings that actually make a difference.
If the carrier finds the problem and informs me, I will of course inform 
all of you as well.




##
Physical connection: #
##
We are terminating with this carrier in a FE port but due to the 
distance between them and us at the datacenter location, a FDDI 
connection was placed in between like:


[our 
router][100baseTX][IMC**]//..fiber..//[IMC**][100baseTX][switch 
integrated in a Cisco 7200 iron][Cisco iron itself/router]


* Attenuation on the FDDI part was 1.2db respectively 1.3db which is not 
brilliant, but okay. More importantly it's within the specifications of 
the IMC's.


** (IMC = MOXA Industrial Media Converter 101 a.k.a. IMC-101 for both 
Single- and Multi mode / SC connectors. We even replaced these with MOXA 
EDS-208-M-SC (larger model) as well).


All Cat6 STP cables have been replaced more than once and the fiber once.


##
Hardware: #
##
My OpenBGPD setup is plain-vanilla with 4 BGP peers, one eBGP peer and 
two public networks on the inside (700+ servers).
The BGP box I have (OpenBSD 3.9 -stable / amd64 / bsd.mp) is a 
serverworks based box with 2GB of RAM per CPU, Intel PRO/1000MT dual 
and quad server NICs, U320 SCSI etc., etc. - i.e. this is not about 
exhaustion due to inferior or inadequate hardware.

My network performance related sysctl settings:
net.inet.ip.ifq.maxlen=250
kern.maxclusters=32768   (this has been tested stepwise (~6500 at a 
time) from the std. setting [6144] and up)


Note_0: normally I run this on an i386 Xeon based box with 4GB of RAM, 
but the box is down for upgrade/maintenance, hence the temporary amd64 arch.


Note_1: the new boxes I'm building have a 64-bit Xeon CPU, 2GB of RAM, 
Syskonnect NICs and i386 as arch.



###
A few tips: #
##
The tips I've put below are all confirmed successes and a mixture of 
experience, what I've been told by Henning/Claudio and what I've seen on 
this list (some of the sysctl settings).

The important thing is that they actually work.

0 - run busy BGP routers on i386 compared to amd64

1 - run busy BGP routers on [serverworks based] single cpu systems.

2 - run busy BGP routers on 2GB of memory at the most.
On a healthy box going from 4 GB of ram to 2GB gives a drop on almost 
20% in 'Kbytes 

Re: BGP router now running desperately low on memory [epilogue]

2006-09-20 Thread Per Engelbrecht

Stuart Henderson wrote:

On 2006/09/20 17:05, Per Engelbrecht wrote:
  
The BGP box I have (OpenBSD 3.9 -stable / amd64 / bsd.mp) is a 
serverworks based box with 2GB of RAM per CPU, Intel PRO/1000MT dual 
and quad server NICs, U320 SCSI etc., etc. - i.e. this is not about 
exhaustion due to inferior or inadequate hardware.



which serverworks? I'm not entirely happy with my ht1000 boards. and,
any particular reason you chose to run amd64 on them rather than i386?
  

*ServerWorks BCM5785 (Tyan Thunder / Opteron200)
respectively
*Intel 7500 chipsets (SuperMicro / Xeon)

Using serverworks kinda ensures a steady/fast platform with excellent 
bus IO.

*
*No it's the other way around - I prefer i386 on network critical 
installations like my BGP routers.
The current amd64 box was what I had at the moment when I made a switch 
two weeks ago.



thanks for the update.
  


Anytime.


/per

[EMAIL PROTECTED]



BGP router running low on memory with 4GB of RAM ..!

2006-08-31 Thread Per Engelbrecht

Hi all,

- OpenBSD 4.0 (built on snap from Aug. 28 2006 23:10)
- i386
- 'netstat -m', 'top' and 'dmesg' below.

I've just rebuilt one of my BGP routers and I'm having a real bad 
memory/performance issue with this box.
(yes, I'm running -current in production due to an Intel Pro/1000GT Quad 
card I've had to put in the box; only supported in -current).
The box seems to choke on whatever once in a while and the problem 
seems to be memory related.

If I e.g. ping one of my peers, I see this:
...
ping: Could only allocate a receive buffer of 8191 bytes (default 65535)
...

I do not like the sound of that, so I did a netstat -m:
4517 mbufs in use:
  4500 mbufs allocated to data
  12 mbufs allocated to packet headers
  5 mbufs allocated to socket names and addresses
4495/5886/6144 mbuf clusters in use (current/peak/max)
12988 Kbytes allocated to network (77% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines
...

I've made a sysctl change:
net.inet.ip.ifq.maxlen=250
but resetting that to 50 (standard) does not help.

Can anybody point me in the right direction?
Any help is appreciated.

top
load averages:  0.20,  0.17,  0.16                                  11:13:28
27 processes:  26 idle, 1 on processor
CPU states:  0.6% user,  0.0% nice,  0.4% system, 56.6% interrupt, 42.4% idle

Memory: Real: 79M/369M act/tot  Free: 3534M  Swap: 0K/512M used/tot

  PID USERNAME PRI NICE  SIZE   RES STATE    WAIT     TIME    CPU COMMAND
31095 _pflogd    4    0  560K  344K sleep    bpf      1:43  0.05% pflogd
29375 root       2    0 7088K 7312K sleep    poll     8:13  0.00% bgpd
 4183 _bgpd      2    0   62M   63M sleep    poll     5:35  0.00% bgpd
30920 _syslogd   2    0  288K  544K sleep    poll     1:10  0.00% syslogd
16233 proxy      2    0  344K  740K sleep    kqread   0:31  0.00% ftp-proxy
29026 _bgpd      2    0 1092K 1284K sleep    poll     0:09  0.00% bgpd
 7885 root       2    0 1136K 1092K sleep    select   0:04  0.00% sendmail
23957 pere       2    0 3372K 1460K sleep    select   0:00  0.00% sshd
 2921 root       2    0  324K  592K idle     select   0:00  0.00% inetd
12586 named      2    0 2120K 2296K sleep    select   0:00  0.00% named
11677 _ntp       2    0  244K  592K sleep    poll     0:00  0.00% ntpd
23317 root       2    0  588K  676K idle     select   0:00  0.00% cron
   97 root       2    0  264K  508K sleep    poll     0:00  0.00% ntpd
28186 pere      18    0  660K  524K sleep    pause    0:00  0.00% ksh
18197 root       2    0 3332K 2180K idle     netio    0:00  0.00% sshd
 4479 root       2    0  268K  552K idle     netio    0:00  0.00% syslogd
    1 root      10    0  324K  356K idle     wait     0:00  0.00% init
 2759 pere      29    0  392K  900K onproc   -        0:00  0.00% top
/top


dmesg
OpenBSD 4.0 (GENERIC) #0: Wed Aug 30 13:10:18 CEST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC

cpu0: Intel(R) Xeon(TM) CPU 2.80GHz (GenuineIntel 686-class) 2.81 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID

real mem  = 4160319488 (4062812K)
avail mem = 3818098688 (3728612K)
using 4256 buffers containing 208117760 bytes (203240K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 09/18/03, BIOS32 rev. 0 @ 0xf0010, 
SMBIOS rev. 2.3 @ 0xf84b0 (44 entries)

bios0: Supermicro X5DPA
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf3000/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801CA LPC rev 0x00)
pcibios0: PCI bus #5 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x8e00
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel E7501 MCH Host rev 0x01
ppb0 at pci0 dev 2 function 0 Intel E7500 MCH rev 0x01
pci1 at ppb0 bus 2
Intel 82870P2 IOxAPIC rev 0x04 at pci1 dev 28 function 0 not configured
ppb1 at pci1 dev 29 function 0 Intel 82870P2 PCIX-PCIX rev 0x04
pci2 at ppb1 bus 4
ppb2 at pci2 dev 1 function 0 Pericom PI7C21P100 PCIX-PCIX rev 0x01
pci3 at ppb2 bus 5
em0 at pci3 dev 4 function 0 Intel PRO/1000MT QP (82546GB) rev 0x03: irq 10, 
address 00:0e:0c:b5:e0:d0
em1 at pci3 dev 4 function 1 Intel PRO/1000MT QP (82546GB) rev 0x03: irq 10, 
address 00:0e:0c:b5:e0:d1
em2 at pci3 dev 6 function 0 Intel PRO/1000MT QP (82546GB) rev 0x03: irq 10, 
address 00:0e:0c:b5:e0:d2
em3 at pci3 dev 6 function 1 Intel PRO/1000MT QP (82546GB) rev 0x03: irq 10, 
address 00:0e:0c:b5:e0:d3
em4 at pci2 dev 2 function 0 Intel PRO/1000MT (82546GB) rev 0x03: irq 10, 
address 00:04:23:9e:f2:3a
em5 at pci2 dev 2 function 1 Intel PRO/1000MT (82546GB) rev 0x03: irq 10, 
address 00:04:23:9e:f2:3b

ahd0 at pci2 dev 3 function 0 Adaptec AIC-7902B U320 rev 0x10: irq 10
ahd0: aic7902, U320 Wide Channel A, SCSI Id=7, PCI-X 67-100Mhz, 512 SCBs
scsibus0 at ahd0: 16 targets
ahd1 at pci2 dev 3 function 1 Adaptec AIC-7902B U320 rev 0x10: irq 10
ahd1: aic7902, U320 Wide Channel B, SCSI Id=7, 

Re: BGP router running low on memory with 4GB of RAM ..!

2006-08-31 Thread Per Engelbrecht

Henning Brauer wrote:

* Per Engelbrecht [EMAIL PROTECTED] [2006-08-31 11:55]:
  

Hi all,

- OpenBSD 4.0 (built on snap from Aug. 28 2006 23:10)
- i386
- 'netstat -m', 'top' and 'dmesg' below.

I've just rebuilt one of my BGP routers and I'm having a real bad 
memory/performance issue with this box.
(yes, I'm running -current in production due to an Intel Pro/1000GT Quad 
card I've had to put in the box; only supported in -current).



despite all the yammering by some pplz that is not a problem at all.
  


I know, but to avoid the lecture I mentioned it up front.
I've read the cvs logs as well and besides, both bgpd and pf has been 
running rock-steady for a very, very long time now so I was confident 
turning the power on .. as usual :)


  
The box seems to choke on whatever once in a while and the problem 
seems to be memory related.

If I e.g. ping one of my peers, I see this:
...
ping: Could only allocate a receive buffer of 8191 bytes (default 65535)
...



so you are running out of mbufs.

  

Do not like the sound of that, so I did a netstat -m:
4517 mbufs in use:
  4500 mbufs allocated to data
  12 mbufs allocated to packet headers
  5 mbufs allocated to socket names and addresses
4495/5886/6144 mbuf clusters in use (current/peak/max)



so, the reason is mbuf cluster use.

two possibilities:
1) your mbuf cluster is high, but stable
2) it is constantly rising

hope for 1).
you have quite a few network interfaces in there. if >=1 is connected 
to a slowish link and you have to buffer a lot, you could just use up 
that many mbuf clusters.
try to raise kern.maxclusters. monitor your mbuf cluster usage using 
  


The kern.maxclusters is currently 6144 (standard) on the box. If I 
raise it to e.g. 16384 or 12288 I get a:

sysctl: top level name 16384 is invalid
- what would be a correct stepwise increase of the state/value?


BTW, is kern.maxclusters a 'mbuf cluster' sysctl MIB analogy?
More BTW, what is the size of a 'mbuf cluster' in obsd?


netstat -m.
if it is 2) there is a leak somewhere, and these are incredibly hard to 
track down.
  


The first peer is  running 100Mbps  / 'ifconfig' = (100baseTX full-duplex)
The second peer is running 60Mbps / 'ifconfig' = (1000baseT -duplex)
The third peer is running 100Mbps / 'ifconfig' = (100baseTX full-duplex)

Our second peer is running 60Mbps due to some sort of 
contract/pricing/whatever reason and this awkward speed mode is set on 
their side / their router.

Could that be the mbuf thief/reason?

Thank you Henning.

/per
[EMAIL PROTECTED]



Re: BGP router running low on memory with 4GB of RAM ..!

2006-08-31 Thread Per Engelbrecht

Henning Brauer wrote:

* Per Engelbrecht [EMAIL PROTECTED] [2006-08-31 13:45]:
  
The kern.maxclusters is currently 6144 (standard) on the box. If I 
raise it to e.g. 16384 or 12288 I get a:

sysctl: top level name 16384 is invalid
- what would be a correct stepwise increase of the state/value?



you have some misuse of sysctl.
sysctl kern.maxclusters=12288
or the like.

  

BTW, is kern.maxclusters a 'mbuf cluster' sysctl MIB analogy?



clusters are allocated dynamically (well, it's a little more 
complicated than that, but that's sufficiently close to reality).

kern.maxclusters is the upper limit.
  


Check.
  

More BTW, what is the size of a 'mbuf cluster' in obsd?



2048 bytes
  


Check.

  

netstat -m.
if it is 2) there is a leak somewhere, and these are incredibly hard to 
track down.
 
  

The first peer is  running 100Mbps  / 'ifconfig' = (100baseTX full-duplex)
The second peer is running 60Mbps / 'ifconfig' = (1000baseT -duplex)
The third peer is running 100Mbps / 'ifconfig' = (100baseTX full-duplex)



sustained?
  


No, that's what the contract says respectively what 'ifconfig' has 
negotiated on the wire/link.


  
Our second peer is running 60Mbps due to some sort of 
contract/pricing/whatever reason and this awkward speed mode is set on 
their side / their router.

Could that be the mbuf thief/reason?



if you actually push more than 60 MBit/s, that might add up on usage.
  


On this particular link I could very well have a very high utilization. 
I must shamefully admit that I've used 'netstat' statistics for 
here-and-now measurements on this box so far ... and with a limited 
32-bit netstat buffer (4.294.967.296) I'll never know for sure when the 
buffer has turned => 'netstat' is not the tool to use on a busy box.



/per
[EMAIL PROTECTED]
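
An added example (not code from the thread or from OpenBSD) that turns Henning's advice into something an operator can run: it parses 'netstat -m' output in the exact shape Per posted, converts cluster counts into bytes using the 2048-byte cluster size Henning gave, reports headroom against kern.maxclusters, and classifies a series of samples as Henning's case 1 (high but stable) or case 2 (constantly rising, i.e. a leak). The follow-up samples and the 90% warning threshold are constructed assumptions, not figures from the thread.

```python
import re

CLUSTER_BYTES = 2048  # mbuf cluster size on OpenBSD, as Henning stated above

# Field patterns matching the 'netstat -m' lines Per posted (OpenBSD 4.0).
_PATTERNS = {
    "mbufs":    re.compile(r"^(\d+) mbufs in use"),
    "clusters": re.compile(r"^(\d+)/(\d+)/(\d+) mbuf clusters in use"),
    "kbytes":   re.compile(r"^(\d+) Kbytes allocated to network \((\d+)% in use\)"),
    "denied":   re.compile(r"^(\d+) requests for memory denied"),
}


def parse_netstat_m(text):
    """Parse one 'netstat -m' sample into a dict of integers.

    Keys: mbufs, clusters (current), peak, max (= kern.maxclusters),
    kbytes, pct_in_use, denied.  Lines that are absent leave keys absent."""
    sample = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _PATTERNS["mbufs"].match(line)
        if m:
            sample["mbufs"] = int(m.group(1))
            continue
        m = _PATTERNS["clusters"].match(line)
        if m:
            sample["clusters"], sample["peak"], sample["max"] = map(int, m.groups())
            continue
        m = _PATTERNS["kbytes"].match(line)
        if m:
            sample["kbytes"], sample["pct_in_use"] = map(int, m.groups())
            continue
        m = _PATTERNS["denied"].match(line)
        if m:
            sample["denied"] = int(m.group(1))
    return sample


def cluster_report(sample, warn_at=0.90):
    """What an operator wants from one sample: how close the box is to
    kern.maxclusters and how many bytes the clusters currently pin.

    'exhausted' flags denied allocations or usage at/above warn_at (an
    assumed threshold); near the limit is where ping starts complaining
    about the size of its receive buffer."""
    used = sample["clusters"] / sample["max"]
    return {
        "usage": round(used, 3),
        "headroom_clusters": sample["max"] - sample["clusters"],
        "cluster_bytes": sample["clusters"] * CLUSTER_BYTES,
        "exhausted": sample.get("denied", 0) > 0 or used >= warn_at,
    }


def classify_trend(samples, min_growth=0.05):
    """Henning's two possibilities over samples taken a few minutes apart:
    (1) high but stable, or (2) constantly rising, which points at a leak
    rather than at buffering for a slow link.

    'rising' requires every sample to exceed the previous one and total
    growth of at least min_growth of the first value, so ordinary jitter
    is not mistaken for a leak.  Fewer than two samples cannot be judged."""
    counts = [s["clusters"] for s in samples]
    if len(counts) < 2:
        return "unknown"
    monotonic = all(b > a for a, b in zip(counts, counts[1:]))
    growth = (counts[-1] - counts[0]) / counts[0]
    return "rising" if monotonic and growth >= min_growth else "stable"


# The sample Per posted, reused verbatim as the first data point.
SAMPLE_FROM_POST = """\
4517 mbufs in use:
  4500 mbufs allocated to data
  12 mbufs allocated to packet headers
  5 mbufs allocated to socket names and addresses
4495/5886/6144 mbuf clusters in use (current/peak/max)
12988 Kbytes allocated to network (77% in use)
0 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines
"""


def demo():
    """Run the parser on Per's sample plus constructed follow-up samples."""
    first = parse_netstat_m(SAMPLE_FROM_POST)
    # Constructed follow-ups (not from the thread): counts creeping upward
    # every interval, the leak-shaped case Henning hopes Per does not have.
    leaky = [first] + [{"clusters": c, "max": 6144} for c in (4610, 4790, 5020)]
    # Constructed follow-ups hovering around one level: buffering, not a leak.
    steady = [first] + [{"clusters": c, "max": 6144} for c in (4470, 4530, 4480)]
    return {
        "first": first,
        "report": cluster_report(first),
        "leaky": classify_trend(leaky),
        "steady": classify_trend(steady),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Feed it successive 'netstat -m' captures from a cron job and act only on a 'rising' verdict; a high but flat usage number is the case Henning calls for raising kern.maxclusters (with the proper `sysctl kern.maxclusters=12288` form), not for a leak hunt.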



Re: AS path prepending [OpenBGPD]

2006-08-18 Thread Per Engelbrecht

Claudio Jeker wrote:

On Fri, Aug 18, 2006 at 07:25:17AM +0200, Per Engelbrecht wrote:
  

Claudio Jeker wrote:


On Thu, Aug 17, 2006 at 05:32:52PM +0200, Per Engelbrecht wrote:
 
  

Hi all,

(obsd3.8 / i386)

So far I've used 'weight' and 'localpref' between our peers in order to 
put one in favour of the other (mainly for pricing). Now I'm adding a 
third peer and want to use AS path prepending in order to compensate 
for one of my old peer's inappropriate peering agreements in .eu, making 
the old peer a sort of backup peer only.
I expect that the attribute 'prepend-self' is the one I should use on 
the peer I want to prepend/prefix/make less attractive, like:


neighbor $slowjoe {
  remote-as   
  descr slowjoe
  set localpref 100
  set weight 45
  announce   self
  announce IPv6   none
  tcp md5sig passwd x
  prepend-self 2
}

... right?

   


Nope. prepend-self is an outgoing thing. You most probably need to use
prepend-neighbor.

 
  

And while I'm at it:
- if I want to make sure that $slowjoe is chosen as a last resort, how 
many times (0-9) should I prepend?
   


More than 5 is normally not needed as the average path is about that long.
Normally it is easier to use localpref to make a backup session only
eligible if no other route is around. Just lower the localpref of your
backup neighbor.

 
  
- in short, how will the 'prepend-[self|neighbor]' attributes affect the 
'localpref' and/or 'weight'?
   


The decision path is roughly like this:
1. nexthop
2. localpref
3. aspath length
4. origin
5. MED/metric
6. EBGP/IBGP
7. weight

 
  
- In contrast to 'prepend-self' when should the 'prepend-neighbor' 
attribute be used?


   


prepend-self is for outgoing filters (it adds your own AS) whereas
prepend-neighbor is for incoming filters (it adds the AS of the
neighbor). Prepend-self on incoming filters will render all sent prefixes
invalid because the aspath is not loop free.
 
  

Hi Claudio,

Just to make absolutely sure:

If I want to express a policy with prepend rules to prefer INCOMING 
traffic via my better-connected $primetime peer and only use  my 
$slowjoe peer as a backup, I should do:

...
prepend-neighbor 5
...


If I want to express a policy with prepend rules to prefer OUTGOING 
traffic via my better-connected $primetime peer and only use my $slowjoe 
peer as a backup, I should do:

...
prepend-self 2
...




No, it is the other way around. Sorry to confuse you even more now.
Consider the following simple config:
AS 65001

neighbor 192.168.0.1 {
remote-as 65002
set prepend-self 2
}

neighbor 192.168.0.2 {
remote-as 65003
set prepend-neighbor 5
}

Now let's have a look what bgpd is doing with the config (bgpd -nv)
AS 65001
...
neighbor 192.168.0.2 {
remote-as 65003
...
}
neighbor 192.168.0.1 {
remote-as 65002
...
}

match to 192.168.0.1 set { prepend-self 2 }
match from 192.168.0.2 set { prepend-neighbor 5 }


As you can see the set statements were replaced by filter rules.
set prepend-self got replaced by a match to rule which changes outgoing
updates and set prepend-neighbor got replaced by a match from rule which
changes incoming updates.

Now comes the twist. If you change incoming updates you actually modify
your own routing table and so your OUTGOING traffic is influenced by this.
If you change outgoing updates (your own network announcements) you
influence the view of all other routers and so the INCOMING traffic is
modified.
  


Okay, got it.


In short, to discriminate an uplink for OUTGOING traffic you need to use
set prepend-neighbor 5. To discriminate an uplink for INCOMING traffic
you need to set prepend-self 5.

Note: changing your incoming traffic is imprecise; you normally end up with
some traffic coming in on the wrong link but there is nothing you can do
about it because you can not control what the other ASs do.
  


From time to time I actually see incoming traffic heading for/through 
one of our peers and then, at the last core router before reaching our 
network, changing direction and entering through our second peer.

That's beyond me .. and beyond my reach as well.

  
The last part of your reply: "Prepend-self on incoming filters will 
render all sent prefixes invalid because the AS path is not loop free." 
kind of confuses me, the filter part that is.



As shown above the set rules added to a neighbor are magically changed to
filter rules. Now there everything is done correctly but if you add your
own filter rule like

match from any set prepend-self 1

you will see that your RIB will stay empty because all prefixes are
invalid. The reason is that the resulting path is not loop free (it
already has your AS in the path).
  


i.e. my own crafted filter rules containing 'prepend-self' are where the 
loop could occur.

You've just put 1 major and 2 minor building blocks in place!!
:)

  
Based on the syntax
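
An added example (not from the thread or from OpenBGPD itself) that models the two things Claudio explains above: the decision order (nexthop, localpref, aspath length, origin, MED, eBGP/iBGP, weight) and the loop-free check that empties the RIB when prepend-self is misapplied to incoming updates. The AS numbers, prefix and the $primetime/$slowjoe scenario are constructed; 65001 reuses the local AS from Claudio's sample config.

```python
from dataclasses import dataclass, replace

LOCAL_AS = 65001  # constructed, mirrors the 'AS 65001' in Claudio's sample config


@dataclass(frozen=True)
class Route:
    """One path for a prefix as it sits in the RIB after incoming filters."""
    prefix: str
    neighbor: str
    aspath: tuple            # AS numbers, leftmost = the AS that sent it to us
    localpref: int = 100
    origin: int = 0          # 0 IGP, 1 EGP, 2 incomplete; lower is better
    med: int = 0             # lower is better
    ebgp: bool = True        # eBGP-learned beats iBGP-learned
    weight: int = 0          # OpenBGPD's last tie-breaker; higher is better
    nexthop_valid: bool = True


def apply_prepend_neighbor(route, n):
    """Model of 'match from <peer> set prepend-neighbor n' on an incoming
    update: the neighbor's own AS (first in the path) is repeated n more
    times.  Only our RIB changes, so this steers our OUTGOING traffic."""
    return replace(route, aspath=(route.aspath[0],) * n + route.aspath)


def apply_prepend_self(route, n, local_as=LOCAL_AS):
    """Model of 'match to <peer> set prepend-self n' on an announcement we
    send: our AS goes in front n times, lengthening the path as others see
    it and thereby steering INCOMING traffic.  Applying it to an incoming
    update instead is the mistake Claudio warns about."""
    return replace(route, aspath=(local_as,) * n + route.aspath)


def loop_free(route, local_as=LOCAL_AS):
    """A path that already carries our own AS is a loop; it never enters the RIB."""
    return local_as not in route.aspath


def select_best(routes, local_as=LOCAL_AS):
    """Pick one route in the order Claudio listed: nexthop, localpref,
    aspath length, origin, MED, eBGP over iBGP, weight.  Routes with an
    unreachable nexthop or a looped path are dropped before comparison."""
    valid = [r for r in routes if r.nexthop_valid and loop_free(r, local_as)]
    if not valid:
        return None
    return min(valid, key=lambda r: (-r.localpref, len(r.aspath), r.origin,
                                     r.med, not r.ebgp, -r.weight))


def demo():
    """Constructed scenario: $primetime is two hops away, $slowjoe is one hop
    away but should only be a backup.  Returns the winner in each case."""
    prime = Route("192.0.2.0/24", "primetime", (65002, 65010))
    slow = Route("192.0.2.0/24", "slowjoe", (65003,), weight=45)
    return {
        # Shorter path wins outright; weight sits too far down the order to matter.
        "plain": select_best([prime, slow]).neighbor,
        # prepend-neighbor 5 on the incoming side makes slowjoe's path 6 ASs long.
        "prepended": select_best([prime, apply_prepend_neighbor(slow, 5)]).neighbor,
        # Claudio's preferred tool: a lower localpref beats path length entirely.
        "localpref": select_best([prime, replace(slow, localpref=90)]).neighbor,
        # prepend-self misapplied to an incoming update: not loop free, RIB empty.
        "looped": select_best([apply_prepend_self(slow, 1)]),
    }


if __name__ == "__main__":
    print(demo())
```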

AS path prepending [OpenBGPD]

2006-08-17 Thread Per Engelbrecht

Hi all,

(obsd3.8 / i386)

So far I've used 'weight' and 'localpref' between our peers in order to 
put one in favour of the other (mainly for pricing). Now I'm adding a 
third peer and want to use AS path prepending in order to compensate 
for one of my old peer's inappropriate peering agreements in .eu, making 
the old peer a sort of backup peer only.
I expect that the attribute 'prepend-self' is the one I should use on 
the peer I want to prepend/prefix/make less attractive, like:


neighbor $slowjoe {
   remote-as   
   descr slowjoe
   set localpref 100
   set weight 45
   announce   self
   announce IPv6   none
   tcp md5sig passwd x
   prepend-self 2
}

... right?


And while I'm at it:
- if I want to make sure that $slowjoe is chosen as a last resort, how 
many times (0-9) should I prepend?
- in short, how will the 'prepend-[self|neighbor]' attributes affect the 
'localpref' and/or 'weight'?
- In contrast to 'prepend-self' when should the 'prepend-neighbor' 
attribute be used?


Thank you in advance.

/per
[EMAIL PROTECTED]



Re: AS path prepending [OpenBGPD]

2006-08-17 Thread Per Engelbrecht

Claudio Jeker wrote:

On Thu, Aug 17, 2006 at 05:32:52PM +0200, Per Engelbrecht wrote:
  

Hi all,

(obsd3.8 / i386)

So far I've used 'weight' and 'localpref' between our peers in order to put one in favour of the other (mainly for pricing). Now I'm adding a third peer and want to use AS path prepending in order to compensate for one of my old peer's inappropriate peering agreements in .eu, making the old peer a sort of backup peer only.
I expect that the attribute 'prepend-self' is the one I should use on the peer I want to prepend/prefix/make less attractive, like:


neighbor $slowjoe {
   remote-as   
   descr slowjoe
   set localpref 100
   set weight 45
   announce   self
   announce IPv6   none
   tcp md5sig passwd x
   prepend-self 2
}

... right ?




Nope. prepend-self is an outgoing thing. You most probably need to use
prepend-neighbor.

  

And while I'm at it:
- if I want to make sure that $slowjoe is chosen as a last resort, how many times (0-9) should I prepend ?



More than 5 is normally not needed as the average path is about that long.
Normally it is easier to use localpref to make a backup session only
eligible if no other route is around. Just lower the localpref of your
backup neighbor.

  
- in short, how will the 'prepend-[self|neighbor]' attributes affect the 
'localpref' and/or 'weight' ?



The decision path is roughly like this:
1. nexthop
2. localpref
3. aspath length
4. origin
5. MED/metric
6. EBGP/IBGP
7. weight

  
- In contrast to 'prepend-self' when should the 'prepend-neighbor' 
attribute be used ?





prepend-self is for outgoing filters (it adds your own AS) whereas
prepend-neighbor is for incoming filters (it adds the AS of the
neighbor). Prepend-self on incoming filters will render all sent prefixes
invalid because the aspath is not loop free.
  

Hi Claudio,

Just to make absolutely sure:

If I want to express a policy with prepend rules to prefer INCOMING 
traffic via my better-connected $primetime peer and only use  my 
$slowjoe peer as a backup, I should do:

...
prepend-neighbor 5
...


If I want to express a policy with prepend rules to prefer OUTGOING 
traffic via my better-connected $primetime peer and only use my $slowjoe 
peer as a backup, I should do:

...
prepend-self 2
...


The last part of your reply: Prepend-self on incoming filters will render all sent prefixes invalid because the as path is not loop free. kind of confuses me, the filter-part that is.
Based on the syntax in bgpd.conf how can I (from what you're saying) ever avoid creating a loop if/when using prepend-self ?


example:

neighbor $slowjoe {
remote-as   
descr slowjoe
set localpref 100
set weight 45
announce   self
announce IPv6   none
tcp md5sig passwd x
prepend-self 2
prepend-neighbor 5

}

... from what you're saying, I've just created a loop ?

I would appreciate your answer very much.


The best

/per
[EMAIL PROTECTED]


  

Thank you in advance.

/per
[EMAIL PROTECTED]

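
A model of the mechanics Claudio describes in this thread, both the prepend-self / prepend-neighbor semantics with the loop-free check (the reason a 'match from any set prepend-self 1' rule leaves the RIB empty) and the decision path he lists. This is an added example, not bgpd code; the AS numbers, prefixes and nexthop addresses are constructed, and the neighbor fields are named after the bgpd.conf keywords they stand in for.

```python
from dataclasses import dataclass

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass
class Neighbor:
    name: str
    remote_as: int
    localpref: int = 100       # set localpref N
    weight: int = 0            # set weight N
    ebgp: bool = True
    prepend_self: int = 0      # 'set prepend-self N' placed on an incoming rule
    prepend_neighbor: int = 0  # 'set prepend-neighbor N' placed on an incoming rule


@dataclass
class Route:
    prefix: str
    aspath: list
    nexthop: str
    origin: str = "igp"
    med: int = 0
    localpref: int = 100
    weight: int = 0
    ebgp: bool = True
    via: str = ""
    valid: bool = True


def receive(local_as, nb, prefix, aspath, nexthop, origin="igp", med=0):
    """Apply the neighbor's incoming actions to a received path, then run the
    loop-free check: a path that already carries our own AS is invalid."""
    path = [nb.remote_as] * nb.prepend_neighbor + list(aspath)  # neighbor's AS in front
    path = [local_as] * nb.prepend_self + path                  # our own AS in front
    r = Route(prefix, path, nexthop, origin, med, nb.localpref, nb.weight, nb.ebgp, nb.name)
    r.valid = local_as not in path   # why prepend-self on an incoming rule empties the RIB
    return r


def announced_path(local_as, prepend_self=0):
    """Outgoing side of a locally originated prefix: our AS is put in front once
    by BGP itself; 'set prepend-self N' on an outgoing rule adds it N more times."""
    return [local_as] * (1 + prepend_self)


def rib(routes):
    """Only loop-free routes take part in the decision process."""
    return [r for r in routes if r.valid]


def decide(routes, reachable):
    """Best route by the decision path listed in the reply (nexthop, localpref,
    aspath length, origin, MED, EBGP/IBGP, weight). Simplified: MED is
    compared across all candidates, not only within one neighboring AS."""
    cands = [r for r in rib(routes) if r.nexthop in reachable]  # 1. nexthop usable
    if not cands:
        return None

    def rank(r):
        return (-r.localpref,           # 2. higher localpref wins
                len(r.aspath),          # 3. shorter aspath wins
                ORIGIN_RANK[r.origin],  # 4. origin
                r.med,                  # 5. lower MED wins
                0 if r.ebgp else 1,     # 6. EBGP before IBGP
                -r.weight)              # 7. higher weight wins
    return min(cands, key=rank)


# Constructed values: AS 9 as in the thread's fictive info; the other AS
# numbers and addresses are from the documentation ranges.
LOCAL_AS = 9
PREFIX = "203.0.113.0/24"
PRIMETIME = Neighbor("primetime", remote_as=64501)


def scenario_prepend_neighbor():
    """Equal localpref; 'prepend-neighbor 5' on slowjoe's incoming rule makes
    its path longer, so step 3 picks primetime despite slowjoe's weight 45."""
    slowjoe = Neighbor("slowjoe", remote_as=64502, weight=45, prepend_neighbor=5)
    routes = [receive(LOCAL_AS, PRIMETIME, PREFIX, [64501, 65000], "198.51.100.1"),
              receive(LOCAL_AS, slowjoe, PREFIX, [64502, 65000], "198.51.100.2")]
    best = decide(routes, {"198.51.100.1", "198.51.100.2"})
    return best.via, len(best.aspath)   # ("primetime", 2)


def scenario_prepend_self_incoming():
    """'prepend-self 2' on an incoming rule: our AS lands in the received path,
    the loop check fails and nothing reaches the RIB."""
    slowjoe = Neighbor("slowjoe", remote_as=64502, prepend_self=2)
    r = receive(LOCAL_AS, slowjoe, PREFIX, [64502, 65000], "198.51.100.2")
    return r.valid, len(rib([r]))       # (False, 0)


def scenario_localpref_backup():
    """The simpler backup recipe from the reply: lower localpref on slowjoe.
    It loses even with a shorter path and is used only once primetime's nexthop is gone."""
    slowjoe = Neighbor("slowjoe", remote_as=64502, localpref=50)
    routes = [receive(LOCAL_AS, PRIMETIME, PREFIX, [64501, 65000], "198.51.100.1"),
              receive(LOCAL_AS, slowjoe, PREFIX, [64502], "198.51.100.2")]
    normal = decide(routes, {"198.51.100.1", "198.51.100.2"}).via
    failed = decide(routes, {"198.51.100.2"}).via
    return normal, failed               # ("primetime", "slowjoe")
```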



Intel pro/1000GT quad adapter [not working]

2006-08-03 Thread Per Engelbrecht

Hi all,

(obsd3.9 / i386)

I'm beefing up two of our bgp routers i.e. replacing Intel Pro/1000MT dual port server adapters with Intel Pro/1000GT quad-port server adapters. The GT card is the MT card's successor and should be backwards compatible, but my vanilla 3.9 installation 'no habla GT'.


I've talked to Intel several times without any luck. The persons I talked to did not know the difference between SysV and BSD, let alone the difference between GT and MT (fair should be fair and normally Intel techs know what they're talking about, but not today).


During install (with a dual and a quad card in the server) four 'em' interfaces were found, but none had link according to the installer!

See first dmesg (dmesg_both) below and please note my lines on the MAC's.
The second dmesg (dmesg_quadonly) is from when the system has a quad 
card (only) installed.


The MT card has a single FW82546GB chip.
The GT card has two NH82546GB chips.
The 'em' driver supports 'i82546'.

http://www.openbsd.org/i386.html
...
Intel i82540, i82541, i82542, i82543, i82544, i82545, i82546, i82547, 
i82571, i82572 and i82573 based adapters (em 
http://www.openbsd.org/cgi-bin/man.cgi?query=emarch=i386sektion=4), 
including:

...
Intel PRO/1000 Gigabit Server Adapter (SX Fiber) (PWLA8490)
Intel PRO/1000F Gigabit Server Adapter (SX Fiber) (PWLA8490SX)
Intel PRO/1000T Server Adapter (PWLA8490T)
Intel PRO/1000XT Server Adapter (PWLA8490XT)
Intel PRO/1000XS Server Adapter (SX Fiber) (PWLA8490XF)
Intel PRO/1000T Desktop Adapter (PWLA8390T)
Intel PRO/1000XTL Low Profile PCI Server (PWLA8490XTL)
Intel PRO/1000MT Desktop Adapter (PWLA8390MT)
Intel PRO/1000MT Server Adapter (PWLA8490MT)
Intel PRO/1000MT Dual Port Server Adapter (PWLA8492MT)
Intel PRO/1000MF Server Adapter (SX Fiber) (PWLA8490MF)
Intel PRO/1000MF Dual Port Server Adapter (SX Fiber) (PWLA8492MF)
Intel PRO/1000MF Server Adapter (LX Fiber) (PWLA8490LX)
Intel PRO/1000MT Quad PCI-X Adapter (PWLA8494MT)
...
/http://www.openbsd.org/i386.html



Below are two dmesg listings. The first one is with a dual + a quad card installed. The second one is with a quad card only.


Please note that the following two lines are the MAC's belonging to the 
dual card.
em0 at pci2 dev 2 function 0 Intel PRO/1000MT (82546GB) rev 0x03: irq 
10, address 00:04:23:9e:f2:3a
em1 at pci2 dev 2 function 1 Intel PRO/1000MT (82546GB) rev 0x03: irq 
10, address 00:04:23:9e:f2:3b


Please note that the following two lines are the MAC's belonging to the 
quad card.
em2 at pci4 dev 1 function 0 Intel PRO/1000MT (82541GI) rev 0x00: irq 
10, address 00:30:48:71:3b:aa
em3 at pci4 dev 2 function 0 Intel PRO/1000MT (82541GI) rev 0x00: irq 
10, address 00:30:48:71:3b:ab



[dmesg_both]
OpenBSD 3.9 (GENERIC) #617: Thu Mar  2 02:26:48 MST 2006
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Xeon(TM) CPU 2.80GHz (GenuineIntel 686-class) 2.80 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID
real mem  = 4160266240 (4062760K)
avail mem = 3790917632 (3702068K)
using 4278 buffers containing 208117760 bytes (203240K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 09/18/03, BIOS32 rev. 0 @ 0xf0010
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf3000/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801CA LPC rev 0x00)
pcibios0: PCI bus #5 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x8e00
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel E7501 MCH Host rev 0x01
ppb0 at pci0 dev 2 function 0 Intel E7500 MCH rev 0x01
pci1 at ppb0 bus 1
Intel 82870P2 IOxAPIC rev 0x04 at pci1 dev 28 function 0 not configured
ppb1 at pci1 dev 29 function 0 Intel 82870P2 PCI-PCI rev 0x04
pci2 at ppb1 bus 2
ppb2 at pci2 dev 1 function 0 unknown vendor 0x12d8 product 0x01a7 rev 0x01
pci3 at ppb2 bus 3
vendor Intel, unknown product 0x10b5 (class network subclass ethernet, rev 0x03) at pci3 dev 4 function 0 not configured
vendor Intel, unknown product 0x10b5 (class network subclass ethernet, rev 0x03) at pci3 dev 4 function 1 not configured
vendor Intel, unknown product 0x10b5 (class network subclass ethernet, rev 0x03) at pci3 dev 6 function 0 not configured
vendor Intel, unknown product 0x10b5 (class network subclass ethernet, rev 0x03) at pci3 dev 6 function 1 not configured
em0 at pci2 dev 2 function 0 Intel PRO/1000MT (82546GB) rev 0x03: irq 
10, address 00:04:23:9e:f2:3a
em1 at pci2 dev 2 function 1 Intel PRO/1000MT (82546GB) rev 0x03: irq 
10, address 00:04:23:9e:f2:3b

ahd0 at pci2 dev 3 function 0 Adaptec AIC-7902B U320 rev 0x10: irq 10
ahd0: aic7902, U320 Wide Channel A, SCSI Id=7, PCI-X 67-100Mhz, 512 SCBs
scsibus0 at ahd0: 16 targets
ahd1 at pci2 dev 3 function 1 Adaptec AIC-7902B U320 rev 0x10: irq 10
ahd1: aic7902, U320 Wide Channel B, SCSI Id=7, PCI-X 67-100Mhz, 512 

Re: Intel pro/1000GT quad adapter [not working]

2006-08-03 Thread Per Engelbrecht

Stuart Henderson wrote:

On 2006/08/03 15:54, Per Engelbrecht wrote:
  
I'm beefing up two of our bgp routers i.e. replacing Intel Pro/1000MT dual port server adapters with Intel Pro/1000GT quad-port server adapters. The GT card is the MT card's successor and should be backwards compatible, but my vanilla 3.9 installation 'no habla GT'.



GT PCI ID was added post-3.9. -current snapshot is probably the
easy way, and since we're approaching 4.0 it shouldn't be too
stressful. If you still have problems, maybe try adjusting irq
settings in bios, when I've had multi-port em(4) unable to see
all ports that has been the way to get them back. 
  


Hi Stuart,

Thank you, appreciate it!
Latest i386 snap (08/03/06 12:41:00) will have to do.
  

real mem  = 4160266240 (4062760K)



hey, it's not cisco-eee :-)
  

:)

/per
[EMAIL PROTECTED]



Re: x.org

2006-06-15 Thread Per Engelbrecht

[EMAIL PROTECTED] wrote:

Strange problem which appeared in 3.8 and appears in 3.9. When I type
startx it does nothing. After waiting for half a minute i press cancel and
only then it begins to do something but fails to start. When I open another
tty and type there startx it starts normally. The strangest thing is that I
do nothing, X fails to start without any reason.

Artyom


  

Your mail is a little sparse on fact/information.

First make sure that *machdep.allowaperture=2* is set in /etc/sysctl.conf

I expect you (as root) have made a /root/xorg.conf.new by running:
# xorgcfg
- and have made corrections to the Display section at the end of 
xorg.conf (DefaultDepth and Modes) and then done:

# cp /root/xorg.conf.new  /etc/X11/xorg.conf
If 'yes' you should be able to run 'startx'.
Your /var/log/Xorg.0.log will give away what you need to know.


/per
[EMAIL PROTECTED]



Re: erratic networking problem

2005-12-26 Thread per engelbrecht

Han Boetes wrote:

Ted Unangst wrote:


On 12/22/05, Han Boetes [EMAIL PROTECTED] wrote:


This problem has been bugging me for month now. It started
happening a month after 3.8 got tagged. At least, that's when I
started noticing it. So it might be anything. But I suspect the
OpenBSD side the most since returning to an older Linux release on
the client from a liveCD didn't fix the problem. The OpenBSD
server doesn't have a CD-drive.

OpenBSD server - linux client
Both rtl8169 gigabit network cards

Uploading to the server goes with 11Mbytes/s, the speed limit of
the ide hard drives, but the downloading goes with erratic
speeds. 1Mbyte/s at best, 100Kbyte/s most of the time, sometimes
no more than 20Kbytes/s


and if you use a different protocol (ftp, http)?



Yes, I tried ftp and rsync over ssh and nfs. All three have the same problems.




anything unusual in netstat -s?




Have a look:

ip:
1173210 total packets received
0 bad header checksums
0 with size smaller than minimum
0 with data size < data length
0 with header length < data size
0 with data length < header length
0 with bad options
0 with incorrect version number
0 fragments received
0 fragments dropped (duplicates or out of space)
0 malformed fragments dropped
0 fragments dropped after timeout
0 packets reassembled ok
1164892 packets for this host
0 packets for unknown/unsupported protocol
0 packets forwarded
0 packets not forwardable
0 redirects sent
1182870 packets sent from this host
0 packets sent with fabricated ip header
0 output packets dropped due to no bufs, etc.
0 output packets discarded due to no route
0 output datagrams fragmented
0 fragments created
0 datagrams that can't be fragmented
0 fragment floods
0 packets with ip length > max ip packet size
0 tunneling packets that can't find gif
0 datagrams with bad address in header
311675 input datagrams checksum-processed by hardware
0 output datagrams checksum-processed by hardware
0 multicast packets which we don't join
icmp:
0 calls to icmp_error
0 errors not generated because old message was icmp
0 messages with bad code fields
0 messages < minimum length
0 bad checksums
0 messages with bad length
Input packet histogram:
destination unreachable: 115
0 message responses generated
igmp:
0 messages received
0 messages received with too few bytes
0 messages received with bad checksum
0 membership queries received
0 membership queries received with invalid field(s)
0 membership reports received
0 membership reports received with invalid field(s)
0 membership reports received for groups to which we belong
0 membership reports sent
ipencap:
0 total input packets
0 total output packets
0 packets shorter than header shows
0 packets dropped due to policy
0 packets with possibly spoofed local addresses
0 packets were dropped due to full output queue
0 input bytes
0 output bytes
0 protocol family mismatches
0 attempts to use tunnel with unspecified endpoint(s)
tcp:
878085 packets sent
458267 data packets (490187475 bytes)
1133 data packets (976692 bytes) retransmitted
0 fast retransmitted packets
362473 ack-only packets (294077 delayed)
0 URG only packets
0 window probe packets
54002 window update packets
2210 control packets
0 packets hardware-checksummed
860321 packets received
229685 acks (for 489089407 bytes)
16982 duplicate acks
0 acks for unsent data
0 acks for old data
469932 packets (416700992 bytes) received in-sequence
18457 completely duplicate packets (12118924 bytes)
44 old duplicate packets
1566 packets with some duplicate data (175713 bytes duplicated)
200639 out-of-order packets (153176788 bytes)
0 packets (0 bytes) of data after window
0 window probes
1109 window update packets
77 packets received after close
675 discarded for bad checksums
0 discarded for bad header offset fields
0 discarded because packet too short
0 discarded for missing IPsec protection
0 discarded due to memory shortage
860321 packets hardware-checksummed
0 bad/missing md5 checksums
0 good md5 checksums
742 connection requests

Re: erratic networking problem

2005-12-26 Thread per engelbrecht

Han Boetes wrote:

per engelbrecht wrote:


recently had a problem with a NFS server. Lousy performance when
getting data (not putting) from most clients (but not all) until
they discovered diffs in size of the transmit/receive
buffers. When fixed users felt like going from walking to
flying both ways.
They do not use OpenBSD but they have different arch and OS as
well i.e. might be a similar/related problem.
I read an article recently about the tux kernel hackers working
on an auto sensing feature for the upcoming 2.6.whatever
dealing with this. The test result was quite impressive with
performance gains x 10-20 and above.
I could be a victim of christmas-lag (too much food, dark strong
beer and snaps [danish strong alcoholic drink]) or it could be
related. Just a thought.



Sounds interesting. But searching on google doesn't show any
useful links. Nor did I find out how to read/set the
transmit/receive buffers for either OS.


Can't find the article (typical!). Found this though;
http://dsd.lbl.gov/TCP-tuning/linux.html
It describes the topic yes, but it's not spot on.



I know how to set them for nfs. But that was not related to my
problem since it occured for ftp and ssh as well. And changing the
sizes didn't change the behaviour at all.


From mount_nfs(8)


 -r readsize
 Set the read data size to the specified value.  It should normal-
 ly be a power of 2 greater than or equal to 1024.  This should be
 used for UDP mounts when the ``fragments dropped after timeout''
 value is getting large while actively using a mount point.  (Use
 netstat(1) with the -s option to see what this value is.)  See
 the -w option as well.

 -w writesize
 Set the write data size to the specified value.  Ditto the com-
 ments w.r.t. the -r option, but using the ``fragments dropped
 after timeout'' value on the server instead of the client.  Note
 that both the -r and -w options should only be used as a last
 ditch effort at improving performance when mounting servers that
 do not support TCP mounts.

Makes sense doesn't it? Anyway, replacing my Gigabit NIC with a
100Mbit nic helped. I bet the old pII400 couldn't handle that
little thing.


I'm sure some of our committers can elaborate further/completely on the gory details of why. I'm afraid I can not, sorry.


/per
[EMAIL PROTECTED]





# Han




Re: ccd on active disks?

2005-11-18 Thread per engelbrecht

Markus Wernig wrote:

Hi misc

Is anybody aware of a document that describes how to ccd all slices
(including /) after installation?
I've installed 3.8 generic using just one of two identical disks. Now I
need to mirror that disk onto the other one. I copied the disklabel from
the active disk over. I can of course create ccd's for each slice, but
this means newfs and data loss, and won't work because I can't umount
the root.
Now I assume that my approach was intrinsically bound to fail or just
dumb wrong. I'm sorry if this is covered somewhere public - I found
references to a FAQ on MARC, but was just unable to find my question
covered in the related documentation.
One thing I came up with was to boot from install media and do it from
the shell there, then newfs and reinstall on the ccd devices. But I'm
really not quite sure.

The goal is to bring the box back online as fast as possible after a
disk crash and replacement, and to be then able to rebuild the raidset
online (dd is fine).

thx /markus




Hi Markus

I've worked with 'ccd' on a number of systems, but only for the purpose of putting a number of slices into a single bigger one, most often /var.

The easiest way of doing that is during install.

If you want a raid mirror for the entire! disk(s) then have a look at bioctl. Yes, you can control how 'ccd' should write to the entries in your ccdconfig file, but it's still not a raid solution and 'ccd' on /root is not possible (not to my knowledge).


/per
[EMAIL PROTECTED]



Re: OpenBGPD and eBGP nexthop

2005-11-09 Thread per engelbrecht

Henning Brauer wrote:

* per engelbrecht [EMAIL PROTECTED] [2005-11-07 19:01]:


#neighbors and peers
neighbor $peer0 {
  remote-as 6
  descr eBGP
  local-address aaa.aaa.aaa.163
  set nexthop aaa.aaa.aaa.161
  multihop 10
  set localpref 100
  set weight 45
  announce self
}



i highly doubt you want to manually set the nexthop.


Hhhmm .. why not ?



aside from that, we'll need logs and a tcpdump to see why the session 
does not get established.


Next run will be in the upcoming weekend. I'll gather and pile anything.

Appreciate your input Henning.

/per
[EMAIL PROTECTED]



OpenBGPD and eBGP nexthop

2005-11-07 Thread per engelbrecht

Hi All

[20051019 snap i386]

Last night I switched from our old BGP setup (fbsd/zebra) to our new 
obsd/openbgpd.

All but a single eBGP session to one of our peers was established.
The eBGP peer switched between 'active' and 'connected' and I could ping 
both nexthop IP and peer IP but still no candy. (bgpctl == great)

Getting 'established' to this peer normally takes from 4-6 min.
Finally rolled back to our old setup.

The [EMAIL PROTECTED] verified the IP part of my setup i.e. correct (new) 
nexthop IP etc.
Below I've listed first the Zebra part on the neighbor and further down 
the OpenBGPD part. If someone can spot a misconfiguration (I can't) then 
please speak up. I'm in a tight spot / at a dead-end.


  Fictive info:
  9 is our AS
  yyy.yyy.yyy.0 is the network that I announce
  yyy.yyy.yyy.1 is our router id

  6 is the remote-as
  aaa.aaa.aaa.163 is the local IP [on em0] facing the neighbor/peer
  aaa.aaa.aaa.161 is the new nexthop IP to the neighbor/peer
  xxx.xxx.xxx.99 is the neighbor/peer IP


snip from zebra.conf
...
router bgp 9
no synchronization
bgp log-neighbor-changes
network yyy.yyy.yyy.0 mask 255.255.192.0
redistribute static
neighbor xxx.xxx.xxx.99 remote-as 6
neighbor xxx.xxx.xxx.99 description eBGP
neighbor xxx.xxx.xxx.99 ebgp-multihop 10
neighbor xxx.xxx.xxx.99 send-community both
neighbor xxx.xxx.xxx.99 route-map BGPIN in
neighbor xxx.xxx.xxx.99 route-map BGPOUT out
(route-maps etc. left out)
...
/snip from zebra.conf




snip from bgpd.conf
...
#macros
peer0=xxx.xxx.xxx.99

#global conf
AS 9
router-id yyy.yyy.yyy.1
listen on aaa.aaa.aaa.163
fib-update yes
log updates
network yyy.yyy.yyy.0/18 set localpref 200

#neighbors and peers
neighbor $peer0 {
   remote-as 6
   descr eBGP
   local-address aaa.aaa.aaa.163
   set nexthop aaa.aaa.aaa.161
   multihop 10
   set localpref 100
   set weight 45
   announce self
}

#filter
(Other than adding a few BOGON nets from http://www.cymru.com/BGP/robbgp-bogon.html [double checked with IANA] the original filter section is untouched)



Any help is highly appreciated.

/per
[EMAIL PROTECTED]



Re: smartmontools (smartd) kills system [trace/gdb]

2005-11-06 Thread per engelbrecht

Kenneth R Westerback wrote:

On Fri, Nov 04, 2005 at 03:22:33PM +0100, per engelbrecht wrote:


Kenneth R Westerback wrote:


On Fri, Nov 04, 2005 at 07:14:05AM +0100, per engelbrecht wrote:



K WESTERBACK wrote:




I'm interested.

 Ken



Hi again Ken

If you find anything of value it would be nice to know.
(putting the box into production real soon)
Thank you.

/per
[EMAIL PROTECTED]







I hope to be able to investigate this weekend. I had a look at the
code and, well, it looked pretty weird. :-).

 Ken



Hi Ken

When you say weird I get the same sensation as when my dentist says 'Uups' :-S


That would be just brilliant if you could. If not, fine too.
I just appreciate having you on it.

The best
/per
[EMAIL PROTECTED]




The ahd timeout code is definitely and completely borked. Thanks
very much for finding a program that proved this.


Hi Ken
(damn, you move fast)

I think of it as more of a coincidence, but you're welcome :)



This diff puts ahd back to the primitive 'timeout == bus reset' that
most other drivers use. Now I can 'smartctl -a /dev/sd1c' many times
without crashing or hanging the machine.


Sounds like it's heading in the right direction.



In addition I suppress a lot of useless verbiage so that you can
actually read the program output.


Nice.



I'll be investigating further as to how much of this will be committed,
and trying to figure out why it's timing out in the first place, and
why the results are inconsistent. The inconsistency is that
sometimes commands fail, sometimes 'SMART Health Status: OK' is
displayed.


A few times I've also seen 'SMART Health Status: OK' randomly displayed 
among lots of dump output. Unable to catch it though.




Let me know if this helps you.


I sure will. Can't do it right now, but I'll give it a go around 1800 
CEST and give you the result.

Thank you for your time so far Ken.

/per
[EMAIL PROTECTED]






 Ken


Index: aic79xx.c
===
RCS file: /cvs/src/sys/dev/ic/aic79xx.c,v
retrieving revision 1.28
diff -u -p -r1.28 aic79xx.c
--- aic79xx.c   4 Oct 2005 23:52:04 -   1.28
+++ aic79xx.c   5 Nov 2005 19:12:57 -
@@ -253,9 +253,6 @@ u_int   ahd_resolve_seqaddr(struct ahd_so
 void   ahd_download_instr(struct ahd_softc *ahd,
   u_int instrptr, uint8_t *dconsts);
 intahd_probe_stack_size(struct ahd_softc *ahd);
-intahd_other_scb_timeout(struct ahd_softc *ahd,
- struct scb *scb,
- struct scb *other_scb);
 intahd_scb_active_in_fifo(struct ahd_softc *ahd,
   struct scb *scb);
 void   ahd_run_data_fifo(struct ahd_softc *ahd,
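Review bot: removing the `ahd_other_scb_timeout` prototype only compiles if its definition and every caller leave with it; the third hunk as shown here removes `ahd_recover_commands` but is cut off before any `ahd_other_scb_timeout` removal is visible, so confirm the rest of that 305-line hunk drops both the function body and its remaining call sites, and check whether `ahd_recover_commands` also has a declaration in a header that now needs to go.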
@@ -3124,7 +3121,7 @@ ahd_set_syncrate(struct ahd_softc *ahd, 
 		ahd_send_async(ahd, devinfo-channel, devinfo-target,

   CAM_LUN_WILDCARD, AC_TRANSFER_NEG, NULL);
 #endif
-   if (1 /*bootverbose*/) {
+   if (bootverbose) {
if (offset != 0) {
int options;
 
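Review bot: `if (1 /*bootverbose*/)` was a debugging override that printed every negotiated transfer setting unconditionally; gating it on `bootverbose` again is the right default, but while the timeouts under investigation are still unexplained those negotiation messages are useful evidence, so consider routing them through the `#ifdef AHD_DEBUG` block the `ahd_timeout` hunk introduces rather than losing them unless the kernel is booted with -v.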
@@ -9148,305 +9145,41 @@ ahd_timeout(void *arg)

 {
struct scb *scb = (struct scb *)arg;
struct ahd_softc *ahd;
+   char channel;
+   long s;
+   int found;
+#ifdef AHD_DEBUG
+   int was_paused;
+#endif
 
 	ahd = scb-ahd_softc;

-   if ((scb-flags  SCB_ACTIVE) != 0) {
-   if ((scb-flags  SCB_TIMEDOUT) == 0) {
-   LIST_INSERT_HEAD(ahd-timedout_scbs, scb,
-timedout_links);
-   scb-flags |= SCB_TIMEDOUT;
-   }
-   ahd_recover_commands(ahd);
-   }
-}
-
-/*
- * ahd_recover_commands determines if any of the commands that have currently
- * timedout are the root cause for this timeout.  Innocent commands are given
- * a new timeout while we wait for the command executing on the bus to timeout.
- * This routine is invoked from a thread context so we are allowed to sleep.
- * Our lock is not held on entry.
- */
-void
-ahd_recover_commands(struct ahd_softc *ahd)
-{
-   struct  scb *scb;
-   struct  scb *active_scb;
-   longs;
-   int found;
-   int was_paused;
-   u_int   active_scbptr;
-   u_int   last_phase;
-
ahd_lock(ahd, s);
 
+#ifdef AHD_DEBUG

+   was_paused = ahd_is_paused(ahd);
+   printf(%s: SCB %d timed out - Card was %spaused\n, ahd_name(ahd),
+   SCB_GET_TAG(scb), was_paused ?  : not );
+   ahd_dump_card_state(ahd);
+#endif
+
/*
 * Pause the controller and manually flush any
 * commands that have just completed but that our
 * interrupt handler has yet to see.
 */
-   was_paused = ahd_is_paused(ahd);
-
-   printf(%s: Recovery Initiated - Card was %spaused\n, ahd_name(ahd
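Review bot: the removed comment documents that recovery ran "from a thread context so we are allowed to sleep" with the lock not held, whereas the replacement does everything inside `ahd_timeout` after taking `ahd_lock(ahd, s)`, i.e. in timeout/softclock context; nothing in the new body may sleep or block waiting for the bus, and because the hunk is truncated here that cannot be checked. Two smaller points: `channel`, `found` and `s` are declared but only `s` is used in the visible lines, and the `SCB_TIMEDOUT` / `timedout_links` bookkeeping disappears without any visible cleanup of the `timedout_scbs` list head in the softc.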

Re: bgpd.conf md5sig, iBGP and redistributing routes to/from ospf

2005-11-03 Thread per engelbrecht

Jesper Louis Andersen wrote:

per engelbrecht wrote:

Q: setting up iBGP I've used our own AS as 'remote-as' but can't find 
a 'no synchronization' option for this connection. Do I need it at all.
Been poking around in /usr/src/usr.sbin/bgpd without solving it, but 
it's needed in zebra and Cisco IOS hence the question.

A: ?



Using your own AS as a remote ASN will, per definition, make your BGP session into an internal BGP session. In the Ciscoeee world, no synchronization means to begin announcing your networks before higher priority network protocols are up and stabilized. Without it you will wait for OSPF/IS-IS to stabilize first (for OSPF, there is a certain state in its state machine it has to reach for all broadcast clouds etc).


Hi jlouis

It was more of a what_can_option_[a-z] from Zebra be put on par with in 
OpenBGPD and/or do I need these options at all (different 
implementation) but thank you for your explanation.




However, in modern BGP setups, you screw OSPF/IS-IS royally and ignore 
the stabilization. This is viable, since you ``nail down'' your networks 
as CIDR aggregates (to minimize the number of BGP prefixes you announce) 
and give a heck about internal reachability.


Screwing IGPs from within EGPs keeps things apart, but they are (conceptually, at least in my head) still manipulating the same routing table. And yes of course I only announce our own net.
Returning 120.000+ prefixes (at that time) to an eBGP peer with inferior Cisco hw works like magic - the phone rings within minutes .. and they're not returning a call :)




Oh, and while we are at Zebra: Its crap, kill it as soon as possible or 
install quagga. Case in point:


.. install quagga ?
Nooope.



mirah% pwd
/usr/ports/net/zebra/w-zebra-0.93ap3/zebra-0.93a/ospfd
mirah% grep OSPF_LSA_HEADER ospf_lsa.c
  ospf_output_forward (s, OSPF_LSA_HEADER_SIZE);
  assert (l1->data->length > OSPF_LSA_HEADER_SIZE);
  if (memcmp (p1 + OSPF_LSA_HEADER_SIZE, p2 + OSPF_LSA_HEADER_SIZE,
  ntohs( l1->data->length ) - OSPF_LSA_HEADER_SIZE) != 0)
mirah%

Let's see... On the last line, we have identified that l1->data->length is in network byte order. But in the assert 2 lines up, we do _not_ have a ntohs() call.


This took a medium sized ISP down in Denmark because Zebra suddenly died due to the fact that certain packets, of a certain size, will be caught by the assertion and ospfd gets to say hello to the kernel thread known as reaper man.


Q: running ospf with all peers + carp interfaces in area 0.0.0.0 and internal interfaces in area 0.0.0.1 (and from ospfd.conf)

[...]
fib-update yes
redistribute connected
[...]
This is about redistributing routes - will the above let BGP and OSPF 
play along in the same way a 'redistribute ospf' in Zebra/Cisco IOS

A: ?



It will push directly connected routes into OSPF. That is, if the 
machine has a network to which it has a direct connection in the routing 
table, then the rest of your OSPF speakers will learn that this network 
is reachable by going through this router.


Which is also what I want.



redistribute ospf in Ciscoee in the BGP section of the router 
configuration tells the IOS to take all OSPF learned routes and push 
them into BGP. This can be extremely dangerous to do, depending on the 
configuration.


Yes that could easily have disaster written all over it.



Q: default gateway is added to the routing table after all interfaces 
are configured. BGP is adding information into the routing table and 
so does OSPF (updates). That's 3 times redistributing of routes 
between different protocols and with 3 different administrative 
distances but still in/from the same table. Since directly connected 
(0) or static (1) connections are superior to e.g. eBGP (20) and OSPF 
(110) then should or shouldn't /etc/mygate be removed from a BGP 
router before putting it into production. Will it/can it mock the 
routing decision despite 'weight' in bgpd.conf due to the lower distance.

A: ?



A more specific route will always match.

Normally, you do not need to redistribute routes between the protocols at all, considering all of your routers are running BGP as well as OSPF. BGP will then handle prefixes for external networks and OSPF will handle prefixes for internal ones; in the case both BGP and OSPF have the route, BGP wins -- but note the note about specific matches ;)


Thank you for joining in jlouis.

/per
[EMAIL PROTECTED]
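
The byte-order bug behind the Zebra ospfd assertion quoted in this thread, as an added example that is not Zebra code: a 20-byte OSPF LSA header is constructed in memory and its length field is checked the way the quoted assert did (raw field, no ntohs) and the way the memcmp line does it (ntohs first). It assumes a little-endian host such as the i386 boxes in the thread for the buggy reading.

```python
import socket
import struct

OSPF_LSA_HEADER_SIZE = 20
# LSA header on the wire (RFC 2328, section 12.1): LS age, options, LS type,
# link state ID, advertising router, sequence number, checksum, length.
LSA_HDR = struct.Struct("!HBBIIIHH")


def build_lsa_header(length, ls_type=1):
    """Build a router-LSA header with the given total length (constructed data)."""
    return LSA_HDR.pack(0, 0x02, ls_type, 0x0A000001, 0x0A000001, 0x80000001, 0, length)


def raw_length_field(hdr):
    """What l1->data->length holds when the code skips ntohs(): the two wire
    bytes read in host byte order.  Modelled for a little-endian (i386) host,
    which is where the swapped value shows up."""
    return struct.unpack("<H", hdr[18:20])[0]


def length_check_buggy(hdr):
    """The quoted line: assert (l1->data->length > OSPF_LSA_HEADER_SIZE)."""
    return raw_length_field(hdr) > OSPF_LSA_HEADER_SIZE


def length_check_fixed(hdr):
    """Corrected form: convert with ntohs() first, as the memcmp line already does.
    socket.ntohs() is the identity on big-endian hosts and swaps elsewhere,
    so this reads correctly on either byte order."""
    host_value = struct.unpack("=H", hdr[18:20])[0]
    return socket.ntohs(host_value) > OSPF_LSA_HEADER_SIZE


def process_lsa(hdr, check):
    """Model of the daemon's handling: assert() on remote data aborts the whole
    process, so an update that fails the check takes ospfd down instead of
    simply being dropped, which is why the comparison must see the right value."""
    if not check(hdr):
        return "abort"      # assertion failed: the process dies
    return "compared"       # check passed: the body comparison proceeds
```

A legitimate LSA of total length 256 (wire bytes 01 00) reads as 1 without the conversion and trips the assertion; a length of 48 (00 30) reads as 12288 and passes by accident, which is why the crash only showed up for certain packet sizes.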



smartmontools (smartd) kills system

2005-11-03 Thread per engelbrecht

Hi all

[20051019 snap i386]

Running smartd on a SCSI/U320 based single-disk system kills the system 
at once! - dmesg further down.


(sysctl hw.disknames=sd0,cd0,fd0)

Snip of /etc/smartd.conf
[...]
#DEVICESCAN
/dev/sd0c
/dev/sd0c -m [EMAIL PROTECTED] -M test
/dev/sd0c -d scsi -H -l error -l selftest -t -m [EMAIL PROTECTED]
/dev/sd0c -d scsi -s L/../../7/01 -m [EMAIL PROTECTED]
[...]

I can run:
smartctl -i /dev/sd0c

   Device: SEAGATE ST336607LW Version: 0007
   Serial number: 3JA6X87D7426SUX6
   Device type: disk
   Transport protocol: Parallel SCSI (SPI-4)
   Local Time is: Thu Nov 3 15:07:14 2005 CEST
   Device supports SMART and is Enabled
   Temperature Warning Enabled

smartctl -r scsiioctl /dev/sd0c

   [inquriy: 12 00 00 00 24 00 ] status=0
   Incoming data, len=36:
   00   00 00 03 12 8b 00 01 3e   53 45 41 47 41 54 45 20
   10   53 54 33 33 36 36 30 37   4c 57 20 20 20 20 20 20
   20   30 30 30 37



I can not run:
smartctl -a /dev/sd0c

   *crash*

smartctl -l selftest /dev/sd0c

   Device does not support Self Test logging
   ( and then locks up hard).


Have added entries in syslog.conf and newsyslog.conf but the logfile is 
of course empty since the (damn) tool kills the server.




Anybody with a clue (any) ?
TIA



Kernel has these changes:
maxusers   64
option DUMMY_NOPS
(that's it)



dmesg:
OpenBSD 3.8-current (BGP) #1: Thu Oct 20 18:06:54 CEST 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/BGP
cpu0: Intel(R) Xeon(TM) CPU 2.80GHz (GenuineIntel 686-class) 2.80 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID

real mem  = 3220807680 (3145320K)
avail mem = 2931445760 (2862740K)
using 4278 buffers containing 161144832 bytes (157368K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 09/18/03, BIOS32 rev. 0 @ 0xf0010
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf3000/176 (9 entries)
pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82801CA LPC rev 0x00)
pcibios0: PCI bus #4 is the last bus
bios0: ROM list: 0xc/0x8000 0xc8000/0x8e00
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 Intel E7501 MCH Host rev 0x01
ppb0 at pci0 dev 2 function 0 Intel E7500 MCH rev 0x01
pci1 at ppb0 bus 1
Intel 82870P2 IOxAPIC rev 0x04 at pci1 dev 28 function 0 not configured
ppb1 at pci1 dev 29 function 0 Intel 82870P2 PCI-PCI rev 0x04
pci2 at ppb1 bus 2
em0 at pci2 dev 1 function 0 Intel PRO/1000MT (82546GB) rev 0x03: irq 
10, address 00:04:23:bb:29:fa
em1 at pci2 dev 1 function 1 Intel PRO/1000MT (82546GB) rev 0x03: irq 
10, address 00:04:23:bb:29:fb
em2 at pci2 dev 2 function 0 Intel PRO/1000MT (82546GB) rev 0x03: irq 
10, address 00:04:23:bb:27:94
em3 at pci2 dev 2 function 1 Intel PRO/1000MT (82546GB) rev 0x03: irq 
10, address 00:04:23:bb:27:95

ahd0 at pci2 dev 3 function 0 Adaptec AIC-7902B U320 rev 0x10: irq 10
aic7902: U320 Wide Channel A, SCSI Id=7, PCI-X 67-100Mhz, 512 SCBs
scsibus0 at ahd0: 16 targets
ahd1 at pci2 dev 3 function 1 Adaptec AIC-7902B U320 rev 0x10: irq 10
aic7902: U320 Wide Channel B, SCSI Id=7, PCI-X 67-100Mhz, 512 SCBs
scsibus1 at ahd1: 16 targets
sd0 at scsibus1 targ 0 lun 0: SEAGATE, ST336607LW, 0007 SCSI3 0/direct 
fixed

sd0: 35003MB, 49855 cyl, 2 head, 718 sec, 512 bytes/sec, 71687372 sec total
Intel 82870P2 IOxAPIC rev 0x04 at pci1 dev 30 function 0 not configured
ppb2 at pci1 dev 31 function 0 Intel 82870P2 PCI-PCI rev 0x04
pci3 at ppb2 bus 3
em4 at pci3 dev 1 function 0 Intel PRO/1000MT (82541GI) rev 0x00: irq 
10, address 00:30:48:70:d7:30
em5 at pci3 dev 2 function 0 Intel PRO/1000MT (82541GI) rev 0x00: irq 
10, address 00:30:48:70:d7:31

ppb3 at pci0 dev 30 function 0 Intel 82801BA AGP rev 0x42
pci4 at ppb3 bus 4
vga1 at pci4 dev 4 function 0 ATI Rage XL rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ichpcib0 at pci0 dev 31 function 0 Intel 82801CA LPC rev 0x02
pciide0 at pci0 dev 31 function 1 Intel 82801CA IDE rev 0x02: DMA, 
channel 0 configured to compatibility, channel 1 configured to compatibility

atapiscsi0 at pciide0 channel 0 drive 0
scsibus2 at atapiscsi0: 2 targets
cd0 at scsibus2 targ 0 lun 0: LITEON, CD-ROM LTN526, YH0X SCSI0 
5/cdrom removable

cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
Intel 82801CA/CAM SMBus rev 0x02 at pci0 dev 31 function 3 not configured
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: PC speaker
spkr0 at pcppi0
sysbeep0 at pcppi0
lm0 at isa0 port 0x290/8: W83627HF
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: 

smartmontools (smartd) kills system [trace/gdb]

2005-11-03 Thread per engelbrecht

Hi again

Followup on first mail with only trace/gdb info:


GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain 
conditions.

Type show copying to see the conditions.
There is absolutely no warranty for GDB.  Type show warranty for details.
This GDB was configured as i386-unknown-openbsd3.8.
Core was generated by `smartctl'.
Program terminated with signal 11, Segmentation fault.
#0  0x06485b22 in ?? ()
(gdb) quit




Running 'smartctl -t long /dev/sd0c | tee test.txt' gives:
[...]
smartctl version 5.33 [i386-unknown-openbsd3.8] Copyright (C) 2002-4 
Bruce Allen

Home page is http://smartmontools.sourceforge.net/

sd0(ahd1:0:0): host adapter code inconsistency

Extended Background Self Test has begun
Please wait 12 minutes for test to complete.
Estimated completion time: Thu Nov  3 17:54:14 2005

Use smartctl -X to abort test
[...]

NB the 'sd0(ahd1...' line only appears on stdout, not in the test.txt file 
and the test is not executed (seems obvious from the line).




I have a ktrace file that's quite long (844 lines) but I think it's too 
long for a list mail. If anybody is interested I'll be happy to mail it.


So far smartd will not be running on this box. I'm a little concerned 
about the 'adapter code inconsistency' part though.




/per
[EMAIL PROTECTED]



Re: bgpd.conf md5sig, iBGP and redistributing routes to/from ospf [forgot to sign it]

2005-11-02 Thread per engelbrecht

Claudio Jeker wrote:

On Wed, Nov 02, 2005 at 12:34:29AM +0100, per engelbrecht wrote:


Hi all

[20051019 snap i386]

I've made a setup with two identical bgp routers. On each router there are 
3 peers (BGP and eBGP), one failover (carp/iBGP/ospf) interconnecting 
these routers and finally pipes backwards to the internal nets. Part of 
bgpd.conf further down.

I'm replacing a single router (no ospf) fbsd/zebra setup.




That should be no problem.


Q: setting up iBGP I've used our own AS as 'remote-as' but can't find a 
'no synchronization' option for this connection. Do I need it at all?
Been poking around in /usr/src/usr.sbin/bgpd without solving it, but 
it's needed in zebra and Cisco IOS hence the question.

A: ?




There is no 'no synchronization' option. We never enforce the
synchronisation of iBGP with an IGP. That's retarded. Like pumping 170'000
routes into OSPF and thinking all will be fine. Sure you may get bitten if
you have routers that do not run iBGP in between the two iBGP routers but
that's more a design problem and is solvable.


Hi Claudio

Most documentation on BGP or OSPF is geared towards IOS systems or pro 
ISO systems like Zebra, with whatever options and syntax that comes with 
the territory. Finding alternatives for options like e.g. 'no 
synchronization' and 'no auto-summary' when changing from (in my case) 
Zebra to OpenBGPD is not covered too well in an otherwise fine 
documentation, but thank you for clarifying.
A small paragraph in the bgpd.conf man page for people coming to 
OpenBGPD dealing with this would be nice.





Q: adding md5sig password, how can I activate these stepwise without 
having to take bgpd down/up and affecting all connections - ospfctl does 
not seem to have it as an option. Would like to add md5sig one carrier at a 
time on a live system.

A: ?




Just add the 'tcp md5sig password fluffy' to a neighbor and
bgpctl reload. Afterwards a bgpctl neighbor fluffy_peer clear will clear
the session and activate tcp md5. You can do that one peer at a time.


Check.
(thank you)




Q: running ospf with all peers + carp intfaces in area 0.0.0.0 and 
internal intfaces in area 0.0.0.1 (and from ospfd.conf)

[...]
fib-update yes
redistribute connected
[...]
This is about redistributing routes - will the above let BGP and OSPF 
play along in the same way as a 'redistribute ospf' in Zebra/Cisco IOS?

A: ?




redistribute ospf is currently not implemented. bgpd is currently not
able to redistribute routes added by ospfd. This is on the todo list.


Perfect.




Q: default gateway is added to the routing table after all interfaces 
are configured. BGP is adding information into the routing table and so 
does OSPF (updates). That's 3 times redistributing of routes between 
different protocols and with 3 different administrative distances but 
still in/from the same table. Since directly connected (0) or static (1) 
connections are superior to e.g. eBGP (20) and OSPF (110) then should or 
shouldn't /etc/mygate be removed from a BGP router before putting it 
into production. Will it/can it mock the routing decision despite 
'weight' in bgpd.conf due to the lower distance.

A: ?




Neither ospfd nor bgpd know about administrative distances. Currently it
is only safe to use the two together if there are no equal routes. If
both bgpd and ospfd try to add the same route to the kernel routing table
it will result in undefined behaviour. (mostly the first one wins).
Again this is on the todo list (even before the redistribute thing).


I guess reading BGP from Cisco literature would match learning TCP/IP 
with books from Microsoft ...
The BGP implementation in Cisco IOS uses an administrative distance, 
hence the question.


If you mean equal routes from a 'weight' point of view, then I have a 
problem. So far all my peers have the same weight.







Part of bgpd.conf:

[...]
neighbor $peer0 {
   remote-as ABCD
   descr ebgp sucks
   set nexthop aaa.aaa.aaa.aab
   multihop 10
   local-address aaa.aaa.aaa.aaa
   announce self
   announce IPv6 none
   enforce neighbor-as yes
   set weight 100
   #tcp md5sig password HotPotatoes
}
...
...
neighbor $carp {
   remote-as our_own_AS
   descr internal
   local-address 172.16.0.1
   depend on em5



I think this is not doing what you think. depend on is only useful on
carp(4) interfaces. It does not make sense for physical interfaces.


I have carp1 on em5. I'll change em5 -> carp1 right away. Thank you.





   announce all



That's actually the default :)


I know. In every conf file I write what I want it to do (even defaults) 
and remove anything else. Makes it easy to parse for !me without having 
to know system 'default'.






   announce IPv6 none
   enforce neighbor-as no



That one as well.


Ditto.
:)





   set weight 200
   #tcp md5sig password NoPotatoes
}

I have a:
deny from any prefix 172.16.0.0/12 prefixlen = 12
but the carp interface uses a /8 i.e. should be safe :)




Iick. That will cause troubles

bgpd.conf md5sig, iBGP and redistributing routes to/from ospf

2005-11-01 Thread per engelbrecht

Hi all

[20051019 snap i386]

I've made a setup with two identical bgp routers. On each router there are 
3 peers (BGP and eBGP), one failover (carp/iBGP/ospf) interconnecting 
these routers and finally pipes backwards to the internal nets. Part of 
bgpd.conf further down.

I'm replacing a single router (no ospf) fbsd/zebra setup.


Q: setting up iBGP I've used our own AS as 'remote-as' but can't find a 
'no synchronization' option for this connection. Do I need it at all?
Been poking around in /usr/src/usr.sbin/bgpd without solving it, but 
it's needed in zebra and Cisco IOS hence the question.

A: ?


Q: adding md5sig password, how can I activate these stepwise without 
having to take bgpd down/up and affecting all connections - ospfctl does 
not seem to have it as an option. Would like to add md5sig one carrier at a 
time on a live system.

A: ?


Q: running ospf with all peers + carp intfaces in area 0.0.0.0 and 
internal intfaces in area 0.0.0.1 (and from ospfd.conf)

[...]
fib-update yes
redistribute connected
[...]
This is about redistributing routes - will the above let BGP and OSPF 
play along in the same way as a 'redistribute ospf' in Zebra/Cisco IOS?

A: ?


Q: default gateway is added to the routing table after all interfaces 
are configured. BGP is adding information into the routing table and so 
does OSPF (updates). That's 3 times redistributing of routes between 
different protocols and with 3 different administrative distances but 
still in/from the same table. Since directly connected (0) or static (1) 
connections are superior to e.g. eBGP (20) and OSPF (110) then should or 
shouldn't /etc/mygate be removed from a BGP router before putting it 
into production. Will it/can it mock the routing decision despite 
'weight' in bgpd.conf due to the lower distance.

A: ?


Part of bgpd.conf:

[...]
neighbor $peer0 {
remote-as ABCD
descr   ebgp sucks
set nexthop aaa.aaa.aaa.aab
multihop 10
local-address aaa.aaa.aaa.aaa
announce self
announce IPv6 none
enforce neighbor-as yes
set weight 100
#tcp md5sig password HotPotatoes
}
...
...
neighbor $carp {
remote-as our_own_AS
descr   internal
local-address 172.16.0.1
depend on em5
announce all
announce IPv6 none
enforce neighbor-as no
set weight 200
#tcp md5sig password NoPotatoes
}

I have a:
deny from any prefix 172.16.0.0/12 prefixlen = 12
but the carp interface uses a /8 i.e. should be safe :)



bgpd.conf md5sig, iBGP and redistributing routes to/from ospf [forgot to sign it]

2005-11-01 Thread per engelbrecht

Hi all

[20051019 snap i386]

I've made a setup with two identical bgp routers. On each router there are 
3 peers (BGP and eBGP), one failover (carp/iBGP/ospf) interconnecting 
these routers and finally pipes backwards to the internal nets. Part of 
bgpd.conf further down.

I'm replacing a single router (no ospf) fbsd/zebra setup.


Q: setting up iBGP I've used our own AS as 'remote-as' but can't find a 
'no synchronization' option for this connection. Do I need it at all?
Been poking around in /usr/src/usr.sbin/bgpd without solving it, but 
it's needed in zebra and Cisco IOS hence the question.

A: ?


Q: adding md5sig password, how can I activate these stepwise without 
having to take bgpd down/up and affecting all connections - ospfctl does 
not seem to have it as an option. Would like to add md5sig one carrier at a 
time on a live system.

A: ?


Q: running ospf with all peers + carp intfaces in area 0.0.0.0 and 
internal intfaces in area 0.0.0.1 (and from ospfd.conf)

[...]
fib-update yes
redistribute connected
[...]
This is about redistributing routes - will the above let BGP and OSPF 
play along in the same way as a 'redistribute ospf' in Zebra/Cisco IOS?

A: ?


Q: default gateway is added to the routing table after all interfaces 
are configured. BGP is adding information into the routing table and so 
does OSPF (updates). That's 3 times redistributing of routes between 
different protocols and with 3 different administrative distances but 
still in/from the same table. Since directly connected (0) or static (1) 
connections are superior to e.g. eBGP (20) and OSPF (110) then should or 
shouldn't /etc/mygate be removed from a BGP router before putting it 
into production. Will it/can it mock the routing decision despite 
'weight' in bgpd.conf due to the lower distance.

A: ?


Part of bgpd.conf:

[...]
neighbor $peer0 {
remote-as ABCD
descr   ebgp sucks
set nexthop aaa.aaa.aaa.aab
multihop 10
local-address aaa.aaa.aaa.aaa
announce self
announce IPv6 none
enforce neighbor-as yes
set weight 100
#tcp md5sig password HotPotatoes
}
...
...
neighbor $carp {
remote-as our_own_AS
descr   internal
local-address 172.16.0.1
depend on em5
announce all
announce IPv6 none
enforce neighbor-as no
set weight 200
#tcp md5sig password NoPotatoes
}

I have a:
deny from any prefix 172.16.0.0/12 prefixlen = 12
but the carp interface uses a /8 i.e. should be safe :)


/per
[EMAIL PROTECTED]



Re: ipmi(4)

2005-10-23 Thread per engelbrecht

Marco Peereboom wrote:

Folks who keep track of cvs changes might have noticed a barrage of commits
regarding ipmi(4).  The driver is functionally complete but needs wide testing
on both amd64 and i386 architectures.  Jordan Hargrave (jordan@) wrote most of
the code.

Let's talk a bit about ipmi(4).
			  
What is it anyway?

The ipmi term Intelligent Platform Management refers to autonomous monitoring
and recovery features implemented directly in platform management hardware and
firmware.  The key characteristics of Intelligent Platform Management is that
inventory, monitoring, logging, and recovery control functions are available
independent of the main processor, BIOS, and operating system.

(much more in ipmi(4)!)

If your box supports IPMI you'll see a similar line in dmesg.
ipmi0 at mainbus0: version 1.0 interface SMIC iobase 0xecf4/3 spacing 1


Great, now how does that help me?
The driver retrieves ipmi readings and publishes them via the sysctl interface.
Here is the output of a Dell PowerEdge 2650:
# sysctl hw.sensors
hw.sensors.0=ipmi0, ESM Frt I/O Temp, OK, temp, 24.00 degC / 75.20 degF

hw.sensors.1=ipmi0, ESM Riser Temp, OK, temp, 26.00 degC / 78.80 degF
hw.sensors.2=ipmi0, ESM CPU 1 Temp, OK, temp, 26.00 degC / 78.80 degF
hw.sensors.3=ipmi0, ESM MB Bat Volt, OK, volts_dc, 3.18 V
hw.sensors.4=ipmi0, ESM 3.3 FP Volt, OK, volts_dc, 3.23 V
hw.sensors.5=ipmi0, ESM MB 3.3 Volt, OK, volts_dc, 3.27 V
hw.sensors.6=ipmi0, ESM MB 5 Volt, OK, volts_dc, 4.99 V
hw.sensors.7=ipmi0, ESM CPU Volt, OK, volts_dc, 1.47 V
hw.sensors.8=ipmi0, ESM MB +12 Volt, OK, volts_dc, 11.90 V
hw.sensors.9=ipmi0, ESM MB -12 Volt, OK, volts_dc, -11.97 V
hw.sensors.10=ipmi0, ESM MB 2.5 Volt, OK, volts_dc, 2.52 V
hw.sensors.11=ipmi0, ESM GB0 2.5 Volt, OK, volts_dc, 2.56 V
hw.sensors.12=ipmi0, ESM GB1 2.5 Volt, OK, volts_dc, 2.56 V
hw.sensors.13=ipmi0, ESM 5 AUX Volt, OK, volts_dc, 5.11 V
hw.sensors.14=ipmi0, ESM ROMB PK Volt, OK, volts_dc, 3.96 V
hw.sensors.15=ipmi0, ESM GB0 1.2 Volt, OK, volts_dc, 1.21 V
hw.sensors.16=ipmi0, ESM GB1 1.2 Volt, OK, volts_dc, 1.22 V
hw.sensors.17=ipmi0, ESM VTT Volt, OK, volts_dc, 1.27 V
hw.sensors.18=ipmi0, ESM MB Fan1 RPM, OK, fanrpm, 4740 RPM
hw.sensors.19=ipmi0, ESM MB Fan2 RPM, OK, fanrpm, 4800 RPM
hw.sensors.20=ipmi0, ESM MB Fan4 RPM, OK, fanrpm, 7500 RPM
hw.sensors.21=ipmi0, ESM MB Fan6 RPM, OK, fanrpm, 7140 RPM
hw.sensors.22=ipmi0, ESM MB Fan7 RPM, OK, fanrpm, 7020 RPM
hw.sensors.23=ipmi0, Power Supply - 1, OK, indicator, On
hw.sensors.24=ipmi0, Power Supply - 2, CRITICAL, indicator, Off
hw.sensors.25=ipmi0, Cover Intrusion, OK, indicator, Off
hw.sensors.26=ipmi0, Bezel Intrusion, OK, indicator, Off
hw.sensors.27=safte0, temp0, OK, temp, 22.78 degC / 73.00 degF
hw.sensors.28=safte0, temp1, OK, temp, 24.44 degC / 76.00 degF

Lots of stuff!  In the list you'll find core voltage measurements, fan speeds,
power supply readings etc.  As you can see I do not have a 2nd power supply in
this box.

Nifty, now let's open up the chassis and see what happens.
hw.sensors.25=ipmi0, Cover Intrusion, CRITICAL, indicator, On

As you can see the Cover Intrusion went to critical.

Now let's pull a fan.
hw.sensors.18=ipmi0, ESM MB Fan1 RPM, CRITICAL, fanrpm, 0 RPM
hw.sensors.19=ipmi0, ESM MB Fan2 RPM, OK, fanrpm, 7980 RPM
hw.sensors.20=ipmi0, ESM MB Fan4 RPM, OK, fanrpm, 7380 RPM
hw.sensors.21=ipmi0, ESM MB Fan6 RPM, OK, fanrpm, 7140 RPM
hw.sensors.22=ipmi0, ESM MB Fan7 RPM, OK, fanrpm, 7020 RPM

Fan1 went critical but also the speed of Fan2 went up to compensate.

Let's pull another fan.
hw.sensors.18=ipmi0, ESM MB Fan1 RPM, CRITICAL, fanrpm, 0 RPM
hw.sensors.19=ipmi0, ESM MB Fan2 RPM, OK, fanrpm, 7980 RPM
hw.sensors.20=ipmi0, ESM MB Fan4 RPM, CRITICAL, fanrpm, 0 RPM
hw.sensors.21=ipmi0, ESM MB Fan6 RPM, OK, fanrpm, 7200 RPM
hw.sensors.22=ipmi0, ESM MB Fan7 RPM, OK, fanrpm, 7020 RPM

Now let's stick them back in.
hw.sensors.18=ipmi0, ESM MB Fan1 RPM, OK, fanrpm, 4740 RPM
hw.sensors.19=ipmi0, ESM MB Fan2 RPM, OK, fanrpm, 4800 RPM
hw.sensors.20=ipmi0, ESM MB Fan4 RPM, OK, fanrpm, 7320 RPM
hw.sensors.21=ipmi0, ESM MB Fan6 RPM, OK, fanrpm, 7140 RPM
hw.sensors.22=ipmi0, ESM MB Fan7 RPM, OK, fanrpm, 7020 RPM

Ah look at that, both fans are happy again and Fan2 slowed down.

Let's put the cover back on.
hw.sensors.25=ipmi0, Cover Intrusion, OK, indicator, Off

And the box is all happy again.

Combine this with sensorsd(8) and you can have email, pagers, sirens, fog horns
and other alerting mechanisms go off.


What's next?
We'll continue to add sensor types that make sense to report.  Another thing
that needs to happen is the reporting of threshold values and a mechanism to
change these values.  All that is in the future though.


Cool, what can I do?
Test!  We need wide testing on systems that have IPMI.  I bet there has to be
some tuning to work around timing differences between platforms.  The current
code was tested on Intel, Dell and Sun boards.

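As an added example (not code from the ipmi(4) driver, sensorsd(8) or this post), a small Python parser for the flat `hw.sensors` line format quoted above that diffs two polls and reports status transitions; the two snapshots are trimmed from the PowerEdge 2650 output in the post.

```python
"""Parse `sysctl hw.sensors` lines in the flat format quoted above
(device, description, status, type, value) and diff two polls, the way an
alerting hook would. Added example; not part of ipmi(4) or sensorsd(8)."""
import re
from typing import Dict, List, NamedTuple, Tuple

# hw.sensors.N=device, description, status, type, value
_LINE = re.compile(
    r"^hw\.sensors\.(?P<idx>\d+)=(?P<dev>[^,]+), (?P<desc>[^,]+), "
    r"(?P<status>[^,]+), (?P<kind>[^,]+), (?P<value>.+)$")


class Sensor(NamedTuple):
    index: int
    device: str
    description: str
    status: str      # OK, WARNING, CRITICAL, UNKNOWN
    kind: str        # temp, volts_dc, fanrpm, indicator, ...
    value: str       # kept as text; units differ per kind


def parse_sensor_line(line: str) -> Sensor:
    """Split one hw.sensors line into its five comma-separated fields."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a hw.sensors line: {line!r}")
    return Sensor(int(m["idx"]), m["dev"], m["desc"], m["status"],
                  m["kind"], m["value"])


def parse_snapshot(text: str) -> Dict[str, Sensor]:
    """Key sensors by 'device/description': the numeric index is only
    stable within one boot, and the name is what belongs in an alert."""
    snap: Dict[str, Sensor] = {}
    for line in text.splitlines():
        if line.startswith("hw.sensors."):
            s = parse_sensor_line(line)
            snap[f"{s.device}/{s.description}"] = s
    return snap


def not_ok(snap: Dict[str, Sensor]) -> List[str]:
    """Every sensor whose status is anything other than OK."""
    return sorted(k for k, s in snap.items() if s.status != "OK")


def transitions(before: Dict[str, Sensor],
                after: Dict[str, Sensor]) -> List[Tuple[str, str, str]]:
    """(sensor, old_status, new_status) for each sensor whose status changed
    between two polls; a sensor missing from either snapshot is ignored."""
    out = []
    for key, new in after.items():
        old = before.get(key)
        if old is not None and old.status != new.status:
            out.append((key, old.status, new.status))
    return sorted(out)


def fan_rpm(s: Sensor) -> int:
    """Numeric reading of a fanrpm sensor, e.g. '4740 RPM' -> 4740."""
    if s.kind != "fanrpm":
        raise ValueError(f"{s.description} is a {s.kind} sensor, not fanrpm")
    return int(s.value.split()[0])


# Constructed snapshots, trimmed from the PowerEdge 2650 output in the post:
# the baseline, and the state after the cover was opened and Fan1 pulled.
BASELINE = """\
hw.sensors.0=ipmi0, ESM Frt I/O Temp, OK, temp, 24.00 degC / 75.20 degF
hw.sensors.18=ipmi0, ESM MB Fan1 RPM, OK, fanrpm, 4740 RPM
hw.sensors.19=ipmi0, ESM MB Fan2 RPM, OK, fanrpm, 4800 RPM
hw.sensors.23=ipmi0, Power Supply - 1, OK, indicator, On
hw.sensors.24=ipmi0, Power Supply - 2, CRITICAL, indicator, Off
hw.sensors.25=ipmi0, Cover Intrusion, OK, indicator, Off
"""
FAN_PULLED = """\
hw.sensors.0=ipmi0, ESM Frt I/O Temp, OK, temp, 24.00 degC / 75.20 degF
hw.sensors.18=ipmi0, ESM MB Fan1 RPM, CRITICAL, fanrpm, 0 RPM
hw.sensors.19=ipmi0, ESM MB Fan2 RPM, OK, fanrpm, 7980 RPM
hw.sensors.23=ipmi0, Power Supply - 1, OK, indicator, On
hw.sensors.24=ipmi0, Power Supply - 2, CRITICAL, indicator, Off
hw.sensors.25=ipmi0, Cover Intrusion, CRITICAL, indicator, On
"""

if __name__ == "__main__":
    before, after = parse_snapshot(BASELINE), parse_snapshot(FAN_PULLED)
    print("already not OK:", not_ok(before))
    for key, old, new in transitions(before, after):
        print(f"ALERT {key}: {old} -> {new} ({after[key].value})")
    print("Fan2 compensating:", fan_rpm(after["ipmi0/ESM MB Fan2 RPM"]) >
          fan_rpm(before["ipmi0/ESM MB Fan2 RPM"]))
```

The "already not OK" list is the point of polling a baseline first: the missing second power supply is CRITICAL from the start and must not be re-alerted on every poll.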


Re: congrats on OpenBSD SAN... one little question

2005-10-21 Thread per engelbrecht

Nick Holland wrote:

Jason Dixon wrote:


On Oct 20, 2005, at 1:49 PM, Joe Advisor wrote:



Congrats on the cool OpenBSD SAN installation.  I was
wondering how you are dealing with the relatively
large filesystem.  By default, if you lose power to
the server, OpenBSD will do a rather long fsck when
coming back up.  To alleviate this, there are numerous
suggestions running around that involve mounting with
softdep, commenting out the fsck portion of rc and
doing mount -f.  Are you doing any of these things, or
are you just living with the long fsck?  Thanks in
advance for any insight into your installation you are
willing to provide.


This is just a subversion repository server for a bunch of  
developers.  There are no dire uptime requirements, so I don't see a  
lengthy fsck being an issue.  Not to mention the hefty UPS keeping it  
powered.  Sorry if this doesn't help you out, but it's not a big  
problem on my end (thankfully).


If it was, I would have just created many slices and distributed  
projects equally across them.



I'm working on a couple big storage applications myself, and yes, this
is what I'm planning on doing, as well.  In fact, one app I'm going to
be turning on soon will be (probably) using Accusys 7630 boxes with
about 600G storage each, and I'll probably split that in two 300G pieces
for a number of reasons:
  1) shorter fsck
  2) If a volume gets corrupted, less to restore (they will be backed
up, but the restore will be a pain in the butt)
  3) Smaller chunks to move around if I need to
  4) Testing the storage rotation system more often (I really don't
want my app bumping from volume to volume every six months...I'd rather
see that the rotation system is Not Broke more often, with of course,
enough slop in the margins to have time to fix it if something quit
working.)
  5) Cost benefit of modular storage.  Today, I can populate an ACS7630
(three drive, RAID5 module) with 300G drives for probably $900.  I could
populate it with 400G drives for $1200.  That's a lotta extra money for
200G more storage.  Yet, if I buy the 300G drives in a couple storage
modules today, and in about a year when those are nearing full, replace
them with (then much cheaper) 500G (or 800G or ...) drives, I'll come
out way ahead.  Beats the heck out of buying a single 3+TB drive array
now and watching people point and laugh at it in a couple years when it
is still only partly full, and you can buy a bigger single drive at your
local office supply store. :)  With this system, I can easily add-on as
we go, and more easily throw the whole thing away when I decide there is
better technology available.

Would I love to see the 1T limit removed?  Sure.  HOWEVER, I think I
would handle this application the exact same way if it didn't exist
(that might not be true: I might have foolishly plowed ahead with the One Big
Pile philosophy, and regretted it later).


Hi Nick

We can argue back and forth on the pros and cons of building 1TB 
partitions or not, but the need for these giant allocations is real 
enough and from a common/broader view (small business) the demand is 
also moving closer and closer. At work we have a disk-to-disk backup 
server (for customers) with one 1.5TB (SATA raid5) backup partition. 
The app works that way and if each customer starts using it and used 
=20GB per customer, we would need at least 3.5TB more disk space. 
Breaking up in smaller chunks is not always possible/practical.


I would appreciate an unlimited filesystem one day - but not at the 
cost of potentially losing data!
I would also just love to see OpenBSD large-scale enterprise SAN/NAS 
solutions in the LISA program some day :)


/per
[EMAIL PROTECTED]





For this application, the shorter fsck is not really an issue.  In fact,
as long as the archive gets back up within a week or two, it's ok -- the
first stage system is the one that's time critical...and it is designed
to be repairable VERY quickly, and it can temporarily hold a few weeks
worth of data. :)

Nick.




Re: iptables vs pf

2005-10-19 Thread per engelbrecht

Edy Purnomo wrote:

i suggested to my friend to replace his linux box with openbsd.
he uses it mainly for internet gateway : pf + squid proxy
after 2 weeks he switched it back to linux and said : linux much 
faster to respond to the http requests (he had the same configuration on 
openbsd, pf + squid proxy).


is there any program that can prove what he says ?
thanks.


No.

If your friend prefers Linux then fine, but his speed statement is wrong. 
(unless he'd misconfigured something due to a lack of knowledge on 
OpenBSD .. or pf .. or squid .. or run unsupported hw .. or ..)


BTW Edy, statements (in particular 
tux_userland_mock-up_no_79_glued_on_kernel_no_61_aka_slashdotoftheweek 
[heck, it even got its own place on securityfocus.com] vs. OpenBSD) 
without anything but the statement are useless in any respect. In fact 
it appears borderline trollish.


If this friend of yours has a problem with an OpenBSD installation, then 
tell him to address this list and he will get all the help he needs.



/per
[EMAIL PROTECTED]




-edy-




Re: pf and ospf

2005-10-18 Thread per engelbrecht

Claudio Jeker wrote:

On Mon, Oct 17, 2005 at 04:32:26PM -0400, stan wrote:


What ports do I need to open up on a pf firewall to allow it to
send/receive ospf?




pass proto ospf


Hm, that's very short (but parsing the rule works).

Actually I'm building an OpenBSD/OpenBGPD/OSPF/PF [3.8 20051010 snap] as 
a replacement for a fbsd/zebra/ospf box.
The pf setup is somewhat hairy with 3 peers, 1 subnet for hosting, 1 
subnet for infrastructure, queueing, spamd (incoming only), carp (for 
the next obsd box with 3 more peers/redundancy) and what not.


I've made rules for 179/tcp but could I actually just do:
pass proto egp
?

Would still like it more specific than the above, but maybe not as 
specific as I've made it so far.


My old setup has 3yrs on its back and is a bit bulky (ipfw).
The transition from fbsd to obsd will be:
- switch cables
- power on
- check prefix/connections
- check rules/availability
- everybody's happy
which is why an initial set of effective rules for bgp and ospf is 
mandatory (every rule is mandatory, but I have plenty on my hands the 
first 10min besides lack of connection due to a too strict setup).


Thank you very much.

/per
[EMAIL PROTECTED]



Re: pf and ospf

2005-10-18 Thread per engelbrecht

Henning Brauer wrote:

* per engelbrecht [EMAIL PROTECTED] [2005-10-18 14:36]:


Claudio Jeker wrote:


On Mon, Oct 17, 2005 at 04:32:26PM -0400, stan wrote:



What ports do I need to open up on a pf firewall to allow it to
send/receive ospf?




pass proto ospf


Hm, that's very short (but parsing the rule works).

Actually I'm building an OpenBSD/OpenBGPD/OSPF/PF [3.8 20051010 snap] as 
a replacement for a fbsd/zebra/ospf box.
The pf setup is somewhat hairy with 3 peers, 1 subnet for hosting, 1 
subnet for infrastructure, queueing, spamd (incoming only), carp (for 
the next obsd box with 3 more peers/redundancy) and what not.


I've made rules for 179/tcp but could I actually just do:
pass proto egp
?



bgp uses tcp, no special protocol.

pass in  on dc2 inet proto tcp from $workix_lan to $workix_ip port 179 keep 
state
pass out on dc2 inet proto tcp to $workix_lan port 179 keep state


Check.

Thank you Henning.

/per
[EMAIL PROTECTED]



etc




Re: OpenBSD's 10th birthday

2005-10-18 Thread per engelbrecht

On 10/18/05, Theo de Raadt [EMAIL PROTECTED] wrote:

Now it is really OpenBSD's 10th birthday ;)


Greetings from Denmark and thank you all for OpenBSD (The TAO of 
Operating systems) and anything related.


/per
[EMAIL PROTECTED]



Re: OpenBGPD sizing

2005-09-30 Thread per engelbrecht

Claudio Jeker wrote:

On Thu, Sep 29, 2005 at 02:39:15AM +0200, per engelbrecht wrote:


per engelbrecht wrote:


Stuart Henderson wrote:



How much RAM might I want in order to accept full views from 2-3 peers?
Thanks.



Running 3 peers, full table (170.097 prefixes) uses 317MB ram all included.


Just to avoid any misinterpretation, that is for the BGP part only.
(.. ram all included)




Are you running -current or 3.7?
The old pre mmap malloc had a nasty bug that caused memory fragmentation.

Here is one of my boxes:
[EMAIL PROTECTED]:~ ps axl | grep bgp
0 23225 1   0   2 20  6292  6636 poll   Is??   43:17.45 bgpd: paren
   75 12481 23225   0   2 20 239896 240332 poll   I ??  167:21.94 bgpd: rout
   75 16989 23225   0   2 20  1916  2304 poll   I ??   26:39.54 bgpd: sessi

240M RDE for 10 full views plus additional non full ones (1.8Mio
prefixes).  I never got it to 300M with three full views.


I'm not running obsd on either of the boxes yet. Waiting for 3.8 (I 
prefer STABLE for production).
I'm still running fbsd/zebra, but it'll give Stuart an 
in_the_neighborhood_off idea.


/per
[EMAIL PROTECTED]



Re: OpenBGPD sizing

2005-09-28 Thread per engelbrecht

per engelbrecht wrote:

Stuart Henderson wrote:


How much RAM might I want in order to accept full views from 2-3 peers?
Thanks.



Running 3 peers, full table (170.097 prefixes) uses 317MB ram all included.


Just to avoid any misinterpretation, that is for the BGP part only.
(.. ram all included)

/per
[EMAIL PROTECTED]




/per
[EMAIL PROTECTED]




Re: OpenBGPD sizing

2005-09-28 Thread per engelbrecht

Stuart Henderson wrote:

How much RAM might I want in order to accept full views from 2-3 peers?
Thanks.


Running 3 peers, full table (170.097 prefixes) uses 317MB ram all included.

/per
[EMAIL PROTECTED]



Re: Nmap -O... will it be fixed some day?

2005-09-16 Thread per engelbrecht

Lukasz Sztachanski wrote:

[...]


doesn't think so; try to disable pf ;) Probably it's a matter of 
pf`s traffic normalization.



[...]

Or use;

pass in quick on $xxx all allow-opts

on an int used specifically(!) for nmap, snort et al.

/per
[EMAIL PROTECTED]



Re: ARP Poisoning

2005-08-08 Thread per engelbrecht

Artur Grabowski wrote:

Miroslav Kubik [EMAIL PROTECTED] writes:



Hello

In our intranet is an attacker who is flooding the OpenBSD router with ARP requests. 
Due to this we have trouble with our internet connection. Is there a way to 
protect the server against an ARP poisoning attack?



Excuse me? You have an attacker inside your intranet?

The best way to protect against that kind of attack is a baseball bat.
Or security guards who show the person where the door is and a lawyer
who hands over the lawsuit.

This is a social problem, don't solve it with a technical solution.

//art



messages in /var/log/messages

Aug  6 23:33:53 host22 /bsd: arp info overwritten for 192.168.1.249 by 
00:e0:98:be:d3:cd on rl0
Aug  6 23:33:53 host22 /bsd: arp info overwritten for 192.168.1.246 by 
00:e0:98:c5:8b:b9 on rl0
Aug  6 23:33:53 host22 /bsd: arp info overwritten for 192.168.1.245 by 
00:e0:98:c5:9b:c5 on rl0
Aug  6 23:33:53 host22 /bsd: arp info overwritten for 192.168.1.242 by 
00:e0:98:c5:8b:b9 on rl0

and still continue



S pozdravem / Best Regards
Miroslav Kubik
IT Specialist
Enterprise Server Farms






Have not read all mails in this thread (sorry) but an easy solution to 
this problem is to run 'static-mac' on all int on your switches a.k.a. 
mac-lockdown (requires that you can manage your sw and the sw has this 
option). If you can't do that, you're in for a rough ride. If you can or 
can get help to do so, read on.


For mac-lockdown to have max effect, you'll have to have a list of the 
original MAC connected to each int on each sw = you can't trust the 
current arp entries on the sw(s).
The alternative is to extract the arp entries from the sw and use it to 
do the lockdown. If you already have the fake MAC, then use the same 
table to find the int where the box is connected to. Downside to this 
approach is that you might lock a fake MAC to the int it is connected 
to, but don't worry, you can correct this later.
Most (but not all) arp-cache-poisoning is done with a home-made script 
or tool e.g. 'angst' and is triggered as a cronjob and then followed by 
whatever the attacker will run with his/her new temporary 'identity'. 
This automation can be to your advantage. The first time a MAC is 
changed on an end-node after you've made the lockdown, the box will be 
blocked from the network. This is irreversible and will be written to 
the security-log on the sw with date, int, MAC and so on and if the box 
is accessed remotely then the hunting is over. If the attacker is 
sitting in front of the box the MAC can be reversed, but it will not 
help the poor sucker's kneecaps when you kick down the door with a 
sledgehammer in your hands. Happy hunting.


P.S. arp entries don't live forever in the arp-table. When you hunt 
attackeres like this, move fast.


/per
[EMAIL PROTECTED]
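One way to triage the 'arp info overwritten' messages quoted earlier in this thread before doing the lockdown Per describes, as an added example that is not code posted by anyone in the thread: it groups the syslog lines by MAC and by IP, so a MAC that has taken over several addresses at once stands out from a single NIC swap. The log format is the one quoted above; the two extra sample lines and the min_ips threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Kernel message format quoted earlier in this thread:
#   Aug  6 23:33:53 host22 /bsd: arp info overwritten for <ip> by <mac> on <if>
ARP_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ /bsd: arp info overwritten for "
    r"(?P<ip>\d+(?:\.\d+){3}) by (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) on (?P<ifn>\S+)$"
)

# First four lines are Miroslav's; the last two are constructed: a benign
# one-off overwrite, then 192.168.1.249 being taken over by the busy MAC.
SAMPLE_LOG = """\
Aug  6 23:33:53 host22 /bsd: arp info overwritten for 192.168.1.249 by 00:e0:98:be:d3:cd on rl0
Aug  6 23:33:53 host22 /bsd: arp info overwritten for 192.168.1.246 by 00:e0:98:c5:8b:b9 on rl0
Aug  6 23:33:53 host22 /bsd: arp info overwritten for 192.168.1.245 by 00:e0:98:c5:9b:c5 on rl0
Aug  6 23:33:53 host22 /bsd: arp info overwritten for 192.168.1.242 by 00:e0:98:c5:8b:b9 on rl0
Aug  7 08:10:02 host22 /bsd: arp info overwritten for 192.168.1.77 by 00:e0:98:aa:bb:cc on rl0
Aug  7 08:12:40 host22 /bsd: arp info overwritten for 192.168.1.249 by 00:e0:98:c5:8b:b9 on rl0
"""

def parse(log):
    """Yield (ip, mac, ifname) per matching line; other syslog lines are skipped."""
    for line in log.splitlines():
        m = ARP_RE.match(line)
        if m:
            yield m["ip"], m["mac"].lower(), m["ifn"]

def macs_claiming_many_ips(log, min_ips=2):
    """MACs that overwrote min_ips or more distinct IPs. A NIC swap moves one
    IP; a poisoner grabs the gateway plus victims. Threshold is an assumption."""
    ips = defaultdict(set)
    for ip, mac, _ in parse(log):
        ips[mac].add(ip)
    return {mac: sorted(v) for mac, v in ips.items() if len(v) >= min_ips}

def mac_history(log):
    """Per IP, distinct MACs in order seen, for IPs that changed MAC. Check these
    against the switch's original MAC-per-port list before a static-mac lockdown."""
    hist = defaultdict(list)
    for ip, mac, _ in parse(log):
        if mac not in hist[ip]:
            hist[ip].append(mac)
    return {ip: macs for ip, macs in hist.items() if len(macs) > 1}

if __name__ == "__main__":
    for mac, ips in macs_claiming_many_ips(SAMPLE_LOG).items():
        print(f"{mac} claimed {', '.join(ips)}")
    for ip, macs in mac_history(SAMPLE_LOG).items():
        print(f"{ip} changed MAC: {' -> '.join(macs)}")
```

Feed it the real /var/log/messages instead of SAMPLE_LOG and the MACs it reports are the ones to compare against the per-port list before locking anything down.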



Re: PHP or Mysql problem?

2005-06-16 Thread Per Engelbrecht

James Strandboge wrote:

On Wed, 2005-06-15 at 11:30 +0200, Nico Meijer wrote:


Hi Kiraly,



mysql error: Can't create/write to file '/tmp/
#sql_4c99_0.MYD' (Errcode: 9)


MySQL problem.

Simple suggestions, not idiot-proof:



I prefer this on OpenBSD 3.6 (should be same on 3.7):

Add to /etc/login.conf:
#
# for mysql to work right
#
mysql:\
   :datasize=infinity:\
   :maxproc=infinity:\
   :openfiles-cur=2048:\
   :openfiles-max=8192:\
   :stacksize-cur=8M:\
   :localcipher=blowfish,8:\
   :tc=default:

sudo vipw and change the login class for _mysql to 'mysql'.


Hmm .. why don't you just add a _mysql login profile in login.conf in the 
first place instead of adding an old-style mysql class and then changing the pw db. 
Seems backwards to me.


/per
[EMAIL PROTECTED]




To use this class, you MUST use 'sudo -c mysql -u _mysql', like this 
(can be put in /etc/rc.local):

sudo -c mysql -u _mysql /usr/local/sbin/mysql.server start

This may be useful as well (can also put in /etc/sysctl.conf):
sudo sysctl -w kern.maxfiles=16384

And finally, add to /etc/my.cnf on (OpenBSD 3.6 with mysql 4.0.20):

 [mysqld]
 ...
 open-files=1000
 ...

Jamie Strandboge




Re: MySQL issues

2005-06-09 Thread Per Engelbrecht

John Tate wrote:

Right, I created a hardlink of the socket into
/var/www/mysql/mysql.sock and changed this directive in php.ini to the
following...

mysql.default_socket = /var/www/mysql/mysql.sock

I however could not find the my.cnf file, where is it on OpenBSD 3.6,
I did a find / | grep my.cnf which showed up nothing.


Hi John
The 'my.cnf' is a file you make yourself (both on server and on clients) 
depending on your needs. A bit like you do with 'boot.conf' and 'mk.conf'.

On the server you place it in /etc for global options.
On the client you place it in ~

I use it for e.g. SSL (*.pem locations) on the server and client and on 
the client also for hosts, compress and other features.


The mysql people have a brilliant site/documentation!
I'm not particularly thrilled about SAMS but they've published a few 
brilliant books on both MySQL and PostgreSQL.


MySQL, 3ed (new)
ISBN 0672326736
Paul DuBois

PostgreSQL
ISBN 0735712573
Korry Douglas/Susan Douglas

/per
[EMAIL PROTECTED]




From phpinfo()...


MySQL Support            enabled
Active Persistent Links  0
Active Links             0
Client API version       4.0.20
MYSQL_MODULE_TYPE        external
MYSQL_SOCKET             /var/run/mysql/mysql.sock
MYSQL_INCLUDE            -I/usr/local/include/mysql
MYSQL_LIBS               -L/usr/local/lib -lmysqlclient

Directive                Local Value                 Master Value
mysql.allow_persistent   On                          On
mysql.connect_timeout    60                          60
mysql.default_host       no value                    no value
mysql.default_password   no value                    no value
mysql.default_port       no value                    no value
mysql.default_socket     /var/www/mysql/mysql.sock   /var/www/mysql/mysql.sock
mysql.default_user       no value                    no value
mysql.max_links          Unlimited                   Unlimited
mysql.max_persistent     Unlimited                   Unlimited
mysql.trace_mode         Off                         Off




Re: MySQL upgrade to 4.1.12 packages files

2005-05-27 Thread Per Engelbrecht

Daniel Ouellet wrote:




datasize, maxproc and openfiles values should then be ... ?



Value really varies for your setup. But you can't run the full tests, or
benchmark test with the default value. You can however run individual
tests and they will terminate well, but the run-full-test will not until
you increase the openfiles value and change the login.conf.


I know these values depend on setup, utilization and more, but if you 
had the-perfect-blend for a workhorse for this new port, it would be 
nice. You've done some testing already. That's all.


respectfully
/per
[EMAIL PROTECTED]



Re: MySQL upgrade to 4.1.12 packages files

2005-05-26 Thread Per Engelbrecht

Daniel Ouellet wrote:

Hi,



[...]

So, here is my first port to bring the in tree MySQL version to the 
latest stable recommended version 4.1.12. All works on AMD64 and I386.


I also added one more package for the benchmark as well as I use that 
too to test my port.


It's complete then :)



I did all the tests with the test suite, crash-me as well as the full 
benchmark and all pass very well after you adjust the max openfile as 
well as the resource in login.conf for the user _mysql.


datasize, maxproc and openfiles values should then be ... ?




Results for the test suite run:
All 278 tests were successful.


Summary results for the benchmark tests.
All 9 test executed successfully




Looking good Daniel.





[...]

I also have put the complete packages for amd64 here as well for testing 
if you like to do so.


http://openbsdsupport.org/packages/amd64/



[...]



Feedback, good or bad is welcome!


I'll let you know by monday or tuesday.



Regards.

Daniel


respectfully
/per
[EMAIL PROTECTED]



Re: Linuxwochen Vienna 2005, May 24 - 27, 2005, Vienna, Austria.

2005-05-25 Thread Per Engelbrecht

Wim Vandeputte wrote:

Hey,

I'm on my way to Vienna now for the Linuxwochen, May 24 - 27, 2005

Reinhard and I will be in the MuseumsQuartier from Wednesday 25 
to answer your questions or just meet people for a chat and drinks


Wim.




Hi Wim

A little off topic and for whatever it's worth;
- I find all the work that you do (OpenBSD advocacy, support et al) and 
all the traveling (saw you last time in Copenhagen at LF05) very 
admirable. I do my part as well (another order of magnitude downscale) 
but you manage to be everywhere. Thumbs up Wim.


respectfully
/per
[EMAIL PROTECTED]



Re: OBSD 3.7 ports -- mysql

2005-05-25 Thread Per Engelbrecht

Daniel Ouellet wrote:

Just FYI.

I am finishing up a port that hopefully will be put in for MySQL 4.1.12, 
their latest recommended stable version.


Hi Daniel

That's brilliant!



So far all works well and passes all the test suite stuff, with the 
exception that I have to create three hard links to make it work still, 
but I am working on correcting that.


Would be nice to get some testing as well. I use it without problem so far.


I'm about to launch a [3.7  AMD64  GENERIC.MP] mysql server (mysql 
backend for a lot of servers / production environment) and would like to 
test and use the new MySQL 4.1.12




I have the packages for i386 and amd64 ready for all clients, servers, 
and test, or the files if you want to make your own compile from source.


pkg would be nice.



I haven't sent it in yet to ports@ as I am almost all there, not to my 
liking yet, but it does work and is all complete for the clients and 
servers part. I am still struggling with the tests part a bit.


I have amd64 done on stable 3.7 and i386 done on stable 3.6.

Testing if you want, may be good to do!


Gimmi, gimmi, gimmi.



I can make the packages available if you like, or my files for making 
your own from source. Works for me...


Keep up the good work.

respectfully
/per
[EMAIL PROTECTED]




Daniel




Re: OBSD 3.7 ports -- mysql

2005-05-25 Thread Per Engelbrecht

Daniel Ouellet wrote:

Per Engelbrecht wrote:



I'm about to launch a [3.7  AMD64  GENERIC.MP] mysql server (mysql 
backend for a lot of servers / production environment) and would like 
to test and use the new MySQL 4.1.12




I have the packages for i386 and amd64 ready for all clients, 
servers, and test, or the files if you want to make your own compile 
from source.




pkg would be nice.



You can get it from here for now for your amd64:

http://openbsdsupport.org/packages/amd64/


Check and done.



You will need to install the package p5-DBD-mysql-2.9004.tgz, but that's 
already available on the main site. So, get it from there. Then install 
the client and server. I didn't release the test suite as it doesn't go 
in the right place yet and I haven't finished the testing on it.


Fine by me Daniel.



You can use these, but it will be better in a few days. May be two or 
so. I don't expect any changes in these two, but you never know.


The server should be running a.s.a.p (as usual) and I'll start working 
on the sql part now and do some testing. If you come up with radical 
changes within the next couple of days or so, I'll take it from there.




Feedback would be welcome, but heavy testing would be best before using 
in production obviously!


I'll give you feedback and yes, testing in a production is always a 
risky business. The other servers using the sql-server will be assigned 
one by one i.e. I have time to fix things with your help (*) before any 
major disaster strikes.

(* = with your updates that is)



Have fun!


Thank you.



Daniel

PS: I will let you know when the final packages are done if there are any 
changes on it.


I would appreciate that very much.




respectfully
/per
[EMAIL PROTECTED]



Re: apache2, webdav

2005-05-17 Thread Per Engelbrecht
Mike Gould wrote:

Hi
Has anyone got any advice for installing apache2 on openbsd 3.6 
(stable).  There seems to be a port for freebsd but nothing for openbsd. 
If I start from the apache source what kinds of things will I need to 
change?


Hi Mike
httpd on OpenBSD will get you all the way. It's integrated(*), fast and 
secure. Installing apache2 will be a step backwards. Search the list. 
The last time it was asked it was labeled kind of too much work and too 
little to gain.
* configure + start and you're on your way.


Also what's the consensus on webdav?  Can it be made secure?


By ssl and systrace maybe.

/per
[EMAIL PROTECTED]

Thanks
Mike



OpenBSD 3.7 and 'tcpdump' problems [amd64]

2005-05-09 Thread Per Engelbrecht
Hi all
I'm having a peculiar problem with 'tcpdump' on an OpenBSD 3.7 (20050404 
snap) amd64. ('dmesg' + 'sysctl' + 'fstab' are below)

tcpdump with 0-2 flags = output.
tcpdump with 3-x flags = no output.
tcpdump with x flags and '-w' = none written at all.
When 'tcpdump' is stopped I receive normal 'tcpdump' statistics, i.e. 
something must be working. No error-logs to guide me.

EXAMPLE:
$ sudo tcpdump -n -i em1
= output.
$ sudo tcpdump -e -n -i em1 -s 1515 src net xxx.xxx.xxx.0 and not arp
= no output.
$ sudo tcpdump -e -n -i em1 -s 1515 -w /data/tcpdumps/20050509_all.lpc 
src net xxx.xxx.xxx.0 and not arp 
= none written.

Why in the name of somebody is 'tcpdump' semi-working and why can't 
'tcpdump' write to a file. I have not seen this before, ever.

I'm no tcpdump-newbie and this server has, with OpenBSD 3.6, a single 
cpu and the same nic's, been running tcpdump just fine. The extra cpu is for 
psql, syslog-ng, snort, honeyd et al.

respectfully
/per
[EMAIL PROTECTED]

##
dmesg, sysctl and fstab below:
##
dmesg:
OpenBSD 3.7-current (GENERIC.MP) #0: Thu Apr 14 23:24:22 CEST 2005
[EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2147086336 (2096764K)
avail mem = 1836515328 (1793472K)
using 22937 buffers containing 214917120 bytes (209880K) of memory
mainbus0 (root)
mainbus0: Intel MP Specification (Version 1.1) (TYAN S2882   )
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Opteron(tm) Processor 242, 1594.16 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,NXE,MMXX,LONG,3DNOW2,3DNOW
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 
64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: apic clock running at 199236672Hz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: AMD Opteron(tm) Processor 242, 1593.89 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,NXE,MMXX,LONG,3DNOW2,3DNOW
cpu1: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 
64b/line 16-way L2 cache
cpu1: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu1: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
mpbios: bus 0 is type PCI
mpbios: bus 1 is type PCI
mpbios: bus 2 is type PCI
mpbios: bus 3 is type PCI
mpbios: bus 4 is type ISA
ioapic0 at mainbus0 apid 2: pa 0x83875e24, version 11, 24 pins
ioapic1 at mainbus0 apid 3: pa 0x83875d24, version 11, 4 pins
ioapic2 at mainbus0 apid 4: pa 0x83875c24, version 11, 4 pins
pci0 at mainbus0 bus 0: configuration mode 1
ppb0 at pci0 dev 6 function 0 AMD 8111 PCI-PCI rev 0x07
pci1 at ppb0 bus 3
ohci0 at pci1 dev 0 function 0 AMD 8111 USB rev 0x0b: apic 2 int 19 
(irq 10), version 1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: AMD OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 3 ports with 3 removable, self powered
ohci1 at pci1 dev 0 function 1 AMD 8111 USB rev 0x0b: apic 2 int 19 
(irq 10), version 1.0, legacy support
usb1 at ohci1: USB revision 1.0
uhub1 at usb1
uhub1: AMD OHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 3 ports with 3 removable, self powered
pciide0 at pci1 dev 5 function 0 CMD Technology SiI3114 SATA rev 0x02: DMA
pciide0: using apic 2 int 19 (irq 10) for native-PCI interrupt
pciide0: port 0: device present, speed: 1.5Gb/s
wd0 at pciide0 channel 0 drive 0: Maxtor 6B250S0
wd0: 16-sector PIO, LBA48, 239372MB, 490234752 sectors
wd0(pciide0:0:0): using BIOS timings, Ultra-DMA mode 6
pciide0: port 1: device present, speed: 1.5Gb/s
wd1 at pciide0 channel 1 drive 0: Maxtor 6B250S0
wd1: 16-sector PIO, LBA48, 239372MB, 490234752 sectors
wd1(pciide0:1:0): using BIOS timings, Ultra-DMA mode 6
vga1 at pci1 dev 6 function 0 ATI Rage XL rev 0x27
wsdisplay0 at vga1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
AMD AMD8111 LPC rev 0x05 at pci0 dev 7 function 0 not configured
pciide1 at pci0 dev 7 function 1 AMD 8111 IDE rev 0x03: DMA, channel 0 
configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide1 channel 0 drive 1
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: TEAC, CD-232E, 1.0A SCSI0 5/cdrom removable
cd0(pciide1:0:1): using PIO mode 4, Ultra-DMA mode 2
pciide1: channel 1 disabled (no drives)
AMD 8111 SMBus rev 0x02 at pci0 dev 7 function 2 not configured
AMD 8111 ACPI rev 0x05 at pci0 dev 7 function 3 not configured
ppb1 at pci0 dev 10 function 0 AMD 8131 PCIX rev 0x12
pci2 at ppb1 bus 2
bge0 at pci2 dev 9 function 0 Broadcom BCM5704C rev 0x03, BCM5704 A3 
(0x2003): apic 3 int 0 (irq 5) address 00:e0:81:2d:9d:5a
brgphy0 at bge0 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0
bge1 at pci2 dev 9 function 1 Broadcom