Re: DDB Crash Report About if_ether.c and arpinit() Gelen Kutusu
Hello Samuel,

I think you should give a chance to this commit:
https://github.com/openbsd/src/commit/73fb5aae645f3bc12746fd705a937dfc9f9abc01

I hope it works for you.

--
Valdrin

From: owner-m...@openbsd.org on behalf of Samuel Jayden
Sent: Wednesday, January 31, 2024 10:29
To: misc@openbsd.org
Subject: Re: DDB Crash Report About if_ether.c and arpinit() Gelen Kutusu

Hello again,

My device continues to crash almost every single day. Unfortunately, due to the system freeze, I'm unable to generate a crash report. These crashes typically result in the following errors:

kernel : protection fault trap, code=0
Stopped at arptimer+0x45: movq 0x10(%r15),%rdi
ddb{0}>

Is there a solution to this issue? What steps should I take?

Thanks.

On Sat, Jan 27, 2024 at 10:51 AM Samuel Jayden wrote:
> Hello Misc,
>
> My OpenBSD 7.4 crash with this error messages;
>
> panic: kernel diagnostic assertion "ifp != NULL" failed: file
> "/usr/src/sys/net/inet/if_ether.c", line 758
>
> Stopped at db_enter+0x14: popq %rbp
>TID PID UID PRFLAGS PFLAGS CPUCOMMAND
> 399412 7311877 0x112 0 10dhcpleased
> 360364 39155 115 0x112 0 11slaacd
> 155433 90182 00x14000 0x2002softnet0
> 162438 45442 00x14000 0x2004systq
> * 37835 96688 00x14000 0x42000softclock
> db_enter() at db_enter+0x14
> panic(820a8599) at panic+0xc3
> __assert(821232bc,8209baea,2f6,820712c0) at
> __assert+0x29
> arpinit() at arpinit
> arptimer(825a38e8) at arptimer+0x5f
> softclock_thread(800021c1fd48) at softclock_thread+0x12b
> end trace frame: 0x0, count: 9
> https://www.openbsd.org/ddb.html describes the minimum info required in
> bug reports. Insufficient info makes it difficult to find and fix bugs.
> ddb{0}>
>
> Dmesg output of my device is in the attachment.
>
> Thank you in advance for your interest.
>
TSO and LRO while forwarding traffic
Hello Misc, I've got a question about TSO and LRO: How does enabling TSO and/or LRO on the Ethernet cards of a network device that will serve as a router and firewall affect the forward traffic of users accessing the internet behind this device? In short, should I keep these features on or turn them off in my OpenBSD firewall? What is the OpenBSD recommendation? Thank you in advance for your answers.
Re: Parallel PF
Hello Gábor,

Of course, I am aware of OpenBSD's parallel forwarding implementation. The owner of this thread already mentioned this in his e-mail.

I can reach 10Gbps speed via speedtest.net. Here my gateway is a Server with OpenBSD 7.3 installed... I also get similar values with Cisco-Trex. I can say that OpenBSD is more successful with 1518 byte TCP packets rather than 64 byte UDP packets.

From: owner-m...@openbsd.org on behalf of Gábor LENCSE
Sent: Wednesday, October 25, 2023 18:47
To: misc@openbsd.org
Subject: Re: Parallel PF

Hello Valdrin,

On 10/25/2023 4:18 PM, Valdrin MUJA wrote:
> Hello Sam,
>
> I don't have the answer to this question, but I can make a few comments on my
> own behalf. Maybe it can give you an idea.
> As far as I observed, it is not PF's turn yet. I guess what needs to be done
> regarding cloned interfaces such as tun and the ethernet layer will be done
> first. In fact, as far as I follow, there are some issues in the UDP_input
> section.

I have been somewhat surprised at this information. OpenBSD can use up to 4 softnet tasks for parallel IP packet forwarding since version 7.2. Please see "SMP Improvements" in page: https://www.openbsd.org/72.html

> Of course, I'm sure a lot will change when PF becomes mp-safe, but I believe
> there is still time for that.
> PF's performance can reach up to 10Gbps with the right CPU selection.

Expressing traffic in Gbps can be rather ambiguous. What frame size did you use? 64-byte or 1518-byte? The first one needs 14,880,952pps to saturate a 10Gbps link, whereas the second one can do it with 812,743pps. Please refer to: https://datatracker.ietf.org/doc/html/rfc5180#appendix-A.1

Best regards,

Gábor
Re: Parallel PF
Hello Sam,

I don't have the answer to this question, but I can make a few comments on my own behalf. Maybe it can give you an idea.

As far as I observed, it is not PF's turn yet. I guess what needs to be done regarding cloned interfaces such as tun and the ethernet layer will be done first. In fact, as far as I follow, there are some issues in the UDP_input section.

Of course, I'm sure a lot will change when PF becomes mp-safe, but I believe there is still time for that.

PF's performance can reach up to 10Gbps with the right CPU selection. Do you have traffic that exceeds this? Maybe if you can provide specific information there will be a chance for someone to help.

From: owner-m...@openbsd.org on behalf of Samuel Jayden
Sent: Tuesday, October 24, 2023 17:54
To: Irreverent Monk
Cc: misc@openbsd.org
Subject: Re: Parallel PF

I shared a naive user experience. I didn't mean to be rude. Anyway, thank you for reading and responding.

On Tue, Oct 24, 2023 at 5:46 PM Irreverent Monk wrote:
> The standard response is - show your code. If you sit down and think
> about it, isn't it rude to go to a project to tell them that they must
> prioritize what they are doing for what you want...?
>
> On Tue, Oct 24, 2023 at 6:40 AM Samuel Jayden wrote:
>
>> Hello dear OpenBSD team,
>>
>> I'm sure that something like parallel IP forwarding and increasing the
>> number of softnet kernel tasks to 4 is definitely being considered on the
>> PF side too, but I would like to express my concern about timing. Do you
>> have any schedule for this?
>>
>> I think one of the common prayers of all OpenBSD users is that PF will
>> speed up. Thank you for reading and my best regards.
>>
>> --
>> Sam
>>
>
porting snort3
Hello, Is there any plan for porting Snort3 into OpenBSD? Thanks. Best, Valdrin
mp-safe tun
Hello OpenBSD, I've been thinking about this since OpenBSD devs do a lot of mp-safe on the network stack: Is it possible to make /dev/tun device mp-safe/Multi-queue? Thanks for reading.
increasing NET_TASKQ for better performance?
Hello Misc,

I run OpenBSD 7.3 as L3 firewall under VMware. I have some rdr-to rules.

Here System information:

cpu15: Intel(R) Xeon(R) Gold 6338 CPU @ 2.00GHz, 1995.63 MHz, 06-6a-06

I know CPU cores are not at too important at the moment but this server has 16 cores on it. I use vmx nics. dmesg is attached.

When traffic becomes high(*) systems slows. (Users say RDP connections are slow) When I checked uptime load average was ok but yeah OpenBSD was slow. For example, when I enter ifconfig command system was not too fast. After that I looked at top -SH output and see 3 of softnet tasks were over %74 and was ~%40.

Would you suggest to increase the NET_TASKQ value to 8 or 16 (number of cores in the system) and use a custom kernel? Also, just wonder if it's CPU core dedicated value or not?

P.S. I don't use pfsync and it's not in my plan...

(*) At problem time; egress traffic was nearly 800mbps. 35K pf states. 300K pps ipv4 forwarding...

Thanks,
Valdrin
Re: About Intel C3000 eMMC
Thanks, Aaron, for your review. But when I looked at the tech@ mailing listing description, I thought it would be better to continue here.

I installed it on a USB disk, then I sent a compiled kernel here with the option SDMMC_DEBUG parameter. I've attached dmesg, pcidump outputs and /var/db/acpi via this e-mail. Maybe it can be a starting point for a developer who wants to look.

Thank you for reading.

From: Aaron Mason
Sent: Sunday, June 11, 2023 14:45
To: Valdrin MUJA
Cc: MISC@openbsd.org
Subject: Re: About Intel C3000 eMMC

On Sun, Jun 11, 2023 at 9:33 PM Aaron Mason wrote:
> Looks like it's picking it up, but can't enable it - from the attached dmesg:
>
> sdhc0 at pci0 dev 28 function 0 "Intel C3000 eMMC" rev 0x11: apic 2 int 16
> sdhc0: SDHC 3.0, 200 MHz base clock
> sdmmc0 at sdhc0: 8-bit, sd high-speed, mmc high-speed, ddr52, dma
> [REDACTED]
> sdmmc0: can't enable card
>
> Maybe getting some debugging from that driver will help a dev - I
> don't know the option off hand but I'll have a look unless someone
> more knowledgeable can point you in the right direction.
>
> --
> Aaron Mason - Programmer, open source addict
> I've taken my software vows - for beta or for worse

Ok so the option is SDMMC_DEBUG - if you're able, try rebuilding the kernel but add this line to the config file:

option SDMMC_DEBUG

Send the output to tech@ rather than here - someone there can have a look and see where it's tripping up.

--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse
About Intel C3000 eMMC
Hello OpenBSD,

I'm trying to install OpenBSD 7.3 on a Cordoba Edge Gateway CPE(*) device manufactured by Silicom-USA. However, OpenBSD does not recognize the Intel C3000 eMMC (SOC type) disk that comes on it. Is there a way to run this?

Thanks.

Also you can find the dmesg output in the attachment of this email.

(*) https://www.silicom-usa.com/pr/4g-5g-products/4g-5g-appliances/cordoba-edge-gateway-cpe/
Re: Multi path routing with BGPD
Hi Claudio,

Thanks for your reply. I think this is the saddest news lately.

At this point, I have a question: This should not be a kernel issue, right? So, can I use an alternative like bird until this feature is developed?

From: Claudio Jeker
Sent: Thursday, June 1, 2023 19:34
To: Valdrin MUJA
Cc: MISC@openbsd.org
Subject: Re: Multi path routing with BGPD

On Mon, May 29, 2023 at 07:29:14PM +, Valdrin MUJA wrote:
> Hello,
>
> I try to setup multipath routing environment with OpenBSD's bgpd.

multipath != add-path. OpenBGPD currently does not do multipath routing. It only uses the best path for the FIB and the nexthops are only resolved to one gateway.

> As I understand from man page the keyword is add-path.
> Here is my environmental report:
>
> 1. In my lab I simulate two wan links for each device.
> 2. Each device also has a LAN network to announce.
> 3. In the middle of these two devices there is another OpenBSD acting as
> Router.
>
> Device 1 :
> WAN1 : 192.168.10.2/24
> WAN2: 10.1.1.2/24
> LAN : 172.16.1.1/24
> GRE1 : 172.31.1.1 -> 172.31.1.2 netmask /24 (over wan1)
> GRE2 : 172.31.2.1 -> 172.31.2.2 netmask /24 (over wan2)
>
> Device 2 :
> WAN1 : 192.168.20.2/24
> WAN2: 10.1.2.2/24
> LAN : 172.16.2.1/24
> GRE1 : 172.31.1.2 -> 172.31.1.1 netmask /24 (over wan1)
> GRE2 : 172.31.2.2 -> 172.31.2.1 netmask /24 (over wan2)
>
>
> Router :
> 192.168.10.1/24
> 192.168.20.1/24
> 10.1.1.1/24
> 10.1.2.1/24
>
> -
>
> Here bgpd.conf file contents :
>
> Device1# cat /etc/bgpd.conf
> AS 100
> network 172.16.1.0/24
> neighbor 172.31.1.2 {
>	remote-as 100
>	log updates
>	announce IPv4 unicast
>	announce add-path recv yes
>	announce add-path send best
> }
> neighbor 172.31.2.2 {
>	remote-as 100
>	log updates
>	announce IPv4 unicast
>	announce add-path recv yes
>	announce add-path send best
> }
> allow quick from { ibgp }
> allow quick to { ibgp }
>
> Device2# cat /etc/bgpd.conf
> AS 100
> network 172.16.2.0/24
> neighbor 172.31.1.1 {
>	remote-as 100
>	log updates
>	announce IPv4 unicast
>	announce add-path recv yes
>	announce add-path send best
> }
> neighbor 172.31.2.1 {
>	remote-as 100
>	log updates
>	announce IPv4 unicast
>	announce add-path recv yes
>	announce add-path send best
> }
> allow quick from { ibgp }
> allow quick to { ibgp }
>
> Here bgpctl show outputs:
>
> #bgp connection is OK
>
> Device1# bgpctl show
> Neighbor ASMsgRcvdMsgSent OutQ Up/Down
> State/PrfRcvd
> 172.31.1.2100 9 9 0 00:02:34 1
> 172.31.2.2100 9 9 0 00:02:34 1
>
> # we can see rib tables are ready
>
> Device1# bgpctl show rib
> flags: * = Valid, > = Selected, I = via IBGP, A = Announced,
>S = Stale, E = Error
> origin validation state: N = not-found, V = valid, ! = invalid
> origin: i = IGP, e = EGP, ? = Incomplete
>
> flags ovs destination gateway lpref med aspath origin
> AI*>N 172.16.1.0/240.0.0.0 100 0 i
> I*> N 172.16.2.0/24172.31.1.2100 0 i
> I*m N 172.16.2.0/24172.31.2.2100 0 i
>
> Device2# bgpctl show rib
> flags: * = Valid, > = Selected, I = via IBGP, A = Announced,
>S = Stale, E = Error
> origin validation state: N = not-found, V = valid, ! = invalid
> origin: i = IGP, e = EGP, ? = Incomplete
>
> flags ovs destination gateway lpref med aspath origin
> I*> N 172.16.1.0/24172.31.1.1100 0 i
> I*m N 172.16.1.0/24172.31.2.1100 0 i
> AI*>N 172.16.2.0/240.0.0.0 100 0 i
>
>
> But there is only one path in FIB table:
>
> Device1# bgpctl show fib | grep B
> flags: B = BGP, C = Connected, S = Static
>N = BGP Nexthop reachable via this route
> B 48 172.16.2.0/24172.31.1.2
>
> Device2# bgpctl show fib | grep B
> flags: B = BGP, C = Connected, S = Static
>N = BGP Nexthop reachable via this route
> B 48 172.16.1.0/24172.31.1.1
>
> Also my sysctl.conf is ok (net.inet.ip.multipath=1)
> I just wanna add multipath routes for my networks as dynamic.
>
> It's ok with static routing(*) but I would like to achieve it as dynamically
> with bgpd.
> What is wrong with my configuration? Can you please help me.
> Thanks.
>
> (*)
> Device1# route add 172.16.2.0/
Re: Cannot setup more than one WireGuard peer
Hi,

It's because of preventing possible spoofs by each peer.

from man wg(4) :

The interface will accept tunneled traffic only from the peer configured with the most specific matching allowed IP address range for the incoming traffic, or drop it if no such match exists. That is, tunneled traffic routed to a given peer cannot return through another peer of the same wg interface. This ensures that peers cannot spoof another's traffic.

In addition, it is explained that by reading the 2nd article of the document at the https://www.wireguard.com/papers/wireguard.pdf url address, it is determined which public key to encrypt according to the Allowed IP address.

So for security reasons, it was designed that way in principle. If this can be assigned to an option, it's a kernel question entirely specific to wireguard implementation.

From: owner-m...@openbsd.org on behalf of Consus
Sent: Thursday, June 1, 2023 15:47
To: misc@openbsd.org
Subject: Cannot setup more than one WireGuard peer

Hi,

I'm using OpenBSD 7.3 and I have the following issue with WireGuard: adding more than one peer via ifconfig breaks wgaip assignments.

Initial configuration:

$ doas ifconfig wg0
wg0: flags=80c3 mtu 1420
	index 8 priority 0 llprio 3
	wgport
	wgpubkey
	groups: wg
	inet 10.45.0.1 netmask 0xff00 broadcast 10.45.0.255

Adding a new peer:

$ doas ifconfig wg0 wgpeer wgaip 10.45.0.2/24
$ doas ifconfig wg0
wg0: flags=80c3 mtu 1420
	index 8 priority 0 llprio 3
	wgport
	wgpubkey
	wgpeer
		tx: 0, rx: 0
		wgaip 10.45.0.2/24
	groups: wg
	inet 10.45.0.1 netmask 0xff00 broadcast 10.45.0.255

So far so good, adding another peer:

$ doas ifconfig wg0 wgpeer wgaip 10.45.0.3/24
$ doas ifconfig wg0
wg0: flags=80c3 mtu 1420
	index 8 priority 0 llprio 3
	wgport
	wgpubkey
	wgpeer
		tx: 0, rx: 0
	wgpeer
		tx: 0, rx: 0
		wgaip 10.45.0.2/24
	groups: wg
	inet 10.45.0.1 netmask 0xff00 broadcast 10.45.0.255

Bam. The first peer has lost its wgaip, the second one gets invalid wgaip, hence nothing works.

Merging it all in a single ifconfig line does not help either.

Please halp.
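
An added example, not part of either message and not OpenBSD's code: a simplified Python model of the allowed-IPs lookup quoted from wg(4) above, showing why the two /24 wgaip assignments in the report collide and how one /32 per peer avoids it. The labels peerA and peerB stand in for the public keys elided in the post, and the rule that re-adding an existing prefix hands it to the new peer is an assumption that matches the ifconfig output shown.

```python
import ipaddress


class AllowedIPs:
    """Simplified model of one wg interface's allowed-IPs table.

    Assumption: every prefix has exactly one owning peer, and assigning a
    prefix that already exists hands it over to the new peer.
    """

    def __init__(self):
        self._owner = {}  # ip_network -> peer label

    def add(self, peer, cidr):
        """Assign cidr to peer; return the peer that lost the prefix, if any."""
        # strict=False masks the host bits, so 10.45.0.2/24 and 10.45.0.3/24
        # are the same table key: 10.45.0.0/24.
        net = ipaddress.ip_network(cidr, strict=False)
        previous = self._owner.get(net)
        self._owner[net] = peer
        return previous if previous not in (None, peer) else None

    def lookup(self, addr):
        """Peer owning the most specific prefix that covers addr, else None."""
        ip = ipaddress.ip_address(addr)
        matches = [net for net in self._owner if ip in net]
        if not matches:
            return None
        return self._owner[max(matches, key=lambda net: net.prefixlen)]

    def accept_inbound(self, peer, inner_src):
        """A decrypted packet from `peer` is kept only when its inner source
        address maps back to that same peer (the anti-spoofing check)."""
        return self.lookup(inner_src) == peer

    def prefixes(self, peer):
        """Prefixes currently owned by peer, as strings."""
        return sorted(str(net) for net, p in self._owner.items() if p == peer)


def overlapping():
    """The two assignments from the report: both reduce to 10.45.0.0/24."""
    table = AllowedIPs()
    table.add("peerA", "10.45.0.2/24")
    displaced = table.add("peerB", "10.45.0.3/24")
    return table, displaced


def host_routes():
    """One /32 per peer: disjoint prefixes, so both assignments survive."""
    table = AllowedIPs()
    table.add("peerA", "10.45.0.2/32")
    table.add("peerB", "10.45.0.3/32")
    return table


if __name__ == "__main__":
    table, displaced = overlapping()
    print("overlapping /24s: displaced peer =", displaced)
    print("  peerA owns", table.prefixes("peerA"))
    print("  peerB owns", table.prefixes("peerB"))
    print("  peerA sending from 10.45.0.2 accepted:",
          table.accept_inbound("peerA", "10.45.0.2"))

    table = host_routes()
    for peer in ("peerA", "peerB"):
        print("host routes:", peer, "owns", table.prefixes(peer))
    print("  peerB spoofing 10.45.0.2 accepted:",
          table.accept_inbound("peerB", "10.45.0.2"))
```
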
Re: High Interrupt After 7.3 Upgrade
Hi,

I hit the same case too. It looks like there's something wrong with the ipi:

I have a system where I am running the current OpenBSD kernel dated May 21. The systat output and the vmstat -i output do not match, and there are serious differences between them. For example, while the ip in vmstat -i output is below 5000, the ip in systat output can go above 65000.

I don't know if it's a coincidence, but I received complaints from users on a firewall I upgraded to 7.3 and then I've downgraded the system when I saw the systat values. Maybe the notifications from the user were not correct and I was in a hurry. It can be both; I am not sure.

On the other hand, when the ix(4) tso code is fully committed(*), I wanna make detailed tests with Cisco Trex and share it.

(*) I think the ix(4) tso code is partially committed, but I guess it's not completely finished yet, right?

From: owner-m...@openbsd.org on behalf of Sven F.
Sent: Thursday, June 1, 2023 00:35
To: misc@openbsd.org
Subject: Re: High Interrupt After 7.3 Upgrade

On Wed, May 31, 2023 at 5:27 PM Stuart Henderson wrote:
> On 2023-05-31, Mark (obsd) wrote:
> > Hi Chris,
> >
> > On Tue, May 30, 2023 at 8:59 AM Chris Cappuccio wrote:
> >
> >> Samuel Jayden [samueljaydan1...@gmail.com] wrote:
> >> > Hi again,
> >> >
> >> > Just for the record:
> >> > I've downgraded to OpenBSD 7.2 (reinstalled) and everything is working like
> >> > a charm again.
> >> > I don't know what is wrong with 7.3 but ipi interrupt rate is too much and
> >> > somehow OpenBSD performance is too bad..
> >> > Thanks for reading.
> >> >
> >>
> >> Sounds like you are using 'systat' to measure interrupts. This is a bug
> >> in systat was was fixed in 7.3. Here is Scott Cheloha's message from that
> >> fix:
> >>
> >> "systat(1): vmstat: measure elapsed time with clock_gettime(2) instead of
> >> ticks
> >>
> >> The vmstat view in systat(1) should not use statclock() ticks to count
> >> elapsed time. First, ticks are low resolution. Second, the statclock
> >> is sometimes randomized, so each tick is not necessarily of equal
> >> length. Third, we're counting ticks from every CPU on the system, so
> >> every rate in the view is divided by the number of CPUs. For example,
> >> on an amd64 system with 8 CPUs you currently see:
> >>
> >> 200 clock
> >>
> >> ... when the true clock interrupt rate on that system is 1600.
> >>
> >> Instead, measure elapsed time with clock_gettime(2). Use CLOCK_UPTIME
> >> here so we exclude time when the system is suspended. With this
> >> change we no longer need "stathz" or "hertz". We can also get rid of
> >> the anachronistic secondary clock failure test.
> >>
> >>
> >>
> > I'm not the OP, but that's interesting to me because I'm wondering if it's
> > why Prometheus'
> > node_exporter from packages is reporting wildly wrong CPU stats on 7.3 that
> > don't at all
> > match what you'd expect when comparing top/htop output? It was fine prior
> > to upgrading
> > to 7.3, but I've just left digging into it on the back burner due to other
> > priorities.
>
> That's a different issue, it was fixed in -current - I've just merged it to
> -stable so updated packages should show up in a day or two.
>
>
>

7.3 interrupt ( Intel(R) Celeron(R) J6412 )

v6-fw# vmstat -i
interrupt total rate
irq96/acpi0 10
irq145/inteldrm0 4970
irq97/xhci0 30
irq98/ahci0 18738060
irq114/igc0:0 157799531 50
irq115/igc0:1 194120194 61
irq116/igc0:2 148272908 47
irq117/igc0:3 159077128 50
irq118/igc0 20
irq119/igc1:0 158925348 50
irq120/igc1:1 181916246 58
irq121/igc1:2 155586734 49
irq122/igc1:3 170737329 54
irq123/igc1 20
irq129/igc3:021260
irq130/igc3:1 540117832 172
irq131/igc3:2 5688860
irq132/igc3:3 909270099 290
irq133/igc3130
irq0/clock 2505321992 799
irq0/ipi 5601964631 1788
Total 1088308 3475

I did not notice performance issue here, but maybe

irq0/ipi 5601964631 1788

is bad

i did noticed some unexpected kernel_lock jittering the traffic ~15ms

--
-- -
Knowing is not enough; we must apply. Willing is not enough; we must do
Re: Route based IPsec
Hi Claudio & David,

Wireguard can work behind NAT. In that case maybe the solution is wireguard + BGP.

In fact, I already tried this and wanted to use BGP multipath but failed and sent it to the misc list in a separate mail. (I wrote gre + bgp in the related mail, my aim was not to prolong my work with the wireguard config.)

From: owner-m...@openbsd.org on behalf of Claudio Jeker
Sent: Wednesday, May 31, 2023 12:09
To: David Gwynne
Cc: Misc
Subject: Re: Route based IPsec

On Wed, May 31, 2023 at 06:39:27PM +1000, David Gwynne wrote:
>
>
> > On 31 May 2023, at 18:33, Claudio Jeker wrote:
> >
> > On Wed, May 31, 2023 at 08:35:45AM +1000, David Gwynne wrote:
> >>
> >>
> >>> On 27 May 2023, at 21:40, Stuart Henderson
> >>> wrote:
> >>>
> >>> On 2023-05-27, Valdrin MUJA wrote:
> >>>> Does OpenBSD have routed based IPsec support?
> >>>
> >>> Not yet.
> >>
> >> while you wait, it might be possible to configure a gif tunnel protected
> >> by ipsec transport mode.
> >>
> >
> > The annoying bit with gif tunnels in transport mode is the need for static
> > IPs on both sides of the tunnel. I ended up tunneling gif in tunnel mode
> > because of that.
>
> that's an annoying thing about gif, even without ipsec in the mix.

Indeed. Both gif and gre share this issue.

> should i make it possible to specify an interface as the source of local
> addresses on tunnels?

Not sure if it is worth the effort since the other end of the tunnel needs to adjust the tunnel remote address as well. Neither gif nor gre support authentication. Using wg(4) for that is an option but because of dynamic routing I ended up packing a gif tunnel into wg(4) (so I'm back to square one).

--
:wq Claudio
Re: Route based IPsec
Thanks David, I'll try it soon.

From: owner-m...@openbsd.org on behalf of David Gwynne
Sent: Wednesday, May 31, 2023 01:35
To: Stuart Henderson
Cc: misc@openbsd.org
Subject: Re: Route based IPsec

> On 27 May 2023, at 21:40, Stuart Henderson wrote:
>
> On 2023-05-27, Valdrin MUJA wrote:
>> Does OpenBSD have routed based IPsec support?
>
> Not yet.

while you wait, it might be possible to configure a gif tunnel protected by ipsec transport mode.

dlg
Multi path routing with BGPD
Hello,

I try to setup multipath routing environment with OpenBSD's bgpd. As I understand from man page the keyword is add-path.

Here is my environmental report:

1. In my lab I simulate two wan links for each device.
2. Each device also has a LAN network to announce.
3. In the middle of these two devices there is another OpenBSD acting as Router.

Device 1 :
WAN1 : 192.168.10.2/24
WAN2 : 10.1.1.2/24
LAN : 172.16.1.1/24
GRE1 : 172.31.1.1 -> 172.31.1.2 netmask /24 (over wan1)
GRE2 : 172.31.2.1 -> 172.31.2.2 netmask /24 (over wan2)

Device 2 :
WAN1 : 192.168.20.2/24
WAN2 : 10.1.2.2/24
LAN : 172.16.2.1/24
GRE1 : 172.31.1.2 -> 172.31.1.1 netmask /24 (over wan1)
GRE2 : 172.31.2.2 -> 172.31.2.1 netmask /24 (over wan2)

Router :
192.168.10.1/24
192.168.20.1/24
10.1.1.1/24
10.1.2.1/24

Here bgpd.conf file contents :

Device1# cat /etc/bgpd.conf
AS 100
network 172.16.1.0/24

neighbor 172.31.1.2 {
    remote-as 100
    log updates
    announce IPv4 unicast
    announce add-path recv yes
    announce add-path send best
}

neighbor 172.31.2.2 {
    remote-as 100
    log updates
    announce IPv4 unicast
    announce add-path recv yes
    announce add-path send best
}

allow quick from { ibgp }
allow quick to { ibgp }

Device2# cat /etc/bgpd.conf
AS 100
network 172.16.2.0/24

neighbor 172.31.1.1 {
    remote-as 100
    log updates
    announce IPv4 unicast
    announce add-path recv yes
    announce add-path send best
}

neighbor 172.31.2.1 {
    remote-as 100
    log updates
    announce IPv4 unicast
    announce add-path recv yes
    announce add-path send best
}

allow quick from { ibgp }
allow quick to { ibgp }

Here bgpctl show outputs:

#bgp connection is OK
Device1# bgpctl show
Neighbor    AS   MsgRcvd  MsgSent  OutQ  Up/Down   State/PrfRcvd
172.31.1.2  100  9        9        0     00:02:34  1
172.31.2.2  100  9        9        0     00:02:34  1

# we can see rib tables are ready
Device1# bgpctl show rib
flags: * = Valid, > = Selected, I = via IBGP, A = Announced, S = Stale, E = Error
origin validation state: N = not-found, V = valid, ! = invalid
origin: i = IGP, e = EGP, ? = Incomplete

flags ovs destination    gateway     lpref med aspath origin
AI*>  N   172.16.1.0/24  0.0.0.0     100   0   i
I*>   N   172.16.2.0/24  172.31.1.2  100   0   i
I*m   N   172.16.2.0/24  172.31.2.2  100   0   i

Device2# bgpctl show rib
flags: * = Valid, > = Selected, I = via IBGP, A = Announced, S = Stale, E = Error
origin validation state: N = not-found, V = valid, ! = invalid
origin: i = IGP, e = EGP, ? = Incomplete

flags ovs destination    gateway     lpref med aspath origin
I*>   N   172.16.1.0/24  172.31.1.1  100   0   i
I*m   N   172.16.1.0/24  172.31.2.1  100   0   i
AI*>  N   172.16.2.0/24  0.0.0.0     100   0   i

But there is only one path in FIB table:

Device1# bgpctl show fib | grep B
flags: B = BGP, C = Connected, S = Static
       N = BGP Nexthop reachable via this route
B 48 172.16.2.0/24 172.31.1.2

Device2# bgpctl show fib | grep B
flags: B = BGP, C = Connected, S = Static
       N = BGP Nexthop reachable via this route
B 48 172.16.1.0/24 172.31.1.1

Also my sysctl.conf is ok (net.inet.ip.multipath=1)

I just wanna add multipath routes for my networks as dynamic. It's ok with static routing(*) but I would like to achieve it as dynamically with bgpd.

What is wrong with my configuration? Can you please help me. Thanks.

(*)
Device1# route add 172.16.2.0/24 172.31.1.2 -mpath
add net 172.16.2.0/24: gateway 172.31.1.2
Device1# route add 172.16.2.0/24 172.31.2.2 -mpath
add net 172.16.2.0/24: gateway 172.31.2.2
Device1# netstat -rnf inet | grep 172.16.2
172.16.2/24  172.31.1.2  UGSP  0  0  -  8  gre1
172.16.2/24  172.31.2.2  UGSP  0  0  -  8  gre2

Device2# route add 172.16.1.0/24 172.31.1.1 -mpath
add net 172.16.1.0/24: gateway 172.31.1.1
Device2# route add 172.16.1.0/24 172.31.2.1 -mpath
add net 172.16.1.0/24: gateway 172.31.2.1
Device2# netstat -rnf inet | grep 172.16.1
172.16.1/24  172.31.1.1  UGSP  0  0  -  8  gre1
172.16.1/24  172.31.2.1  UGSP  0  0  -  8  gre2
Route based IPsec
Hello, I need Route based IPsec solution to set up between a firewall device and my OpenBSD firewall. However, I am a little confused about this: I created more than one enc device, I did policy based routing with PF but no results. I guess this is not the intended use of interfaces like enc[0,1]. But since I am not sure, I would like to ask: Does OpenBSD have routed based IPsec support? Thanks in advance.
Using veb instead of bridge at vpls section
Hello folks, I have successfully configured the VPLS by following the instruction on https://pawa.lt/posts/2018/01/vpls-with-openbsd/. Everything worked like a charm. But when I tried to use veb(4) instead of bridge(4) , I got 'Device Busy' error. I'm guessing ldpd(8) doesn't support the veb interface. Is it true? I'm just trying to be sure. If this is the case, I hope one day ldpd(8) will get veb(4) support. Thanks for these great efforts.
Re: increasing max value of rdomain/rtable
Hmm I get it. Thanks Stuart. You are very helpful as always.

--
Valdrin

From: owner-m...@openbsd.org on behalf of Stuart Henderson
Sent: Friday, April 1, 2022 10:43
To: misc@openbsd.org
Subject: Re: increasing max value of rdomain/rtable

On 2022-04-01, Valdrin MUJA wrote:
> I want to increase the number of rdomain/rtable from 255 to 1024. I will do
> this at my own risk. I had a look at the kernel code but couldn't figure out
> how to upgrade it. I would be very grateful if you could guide me on this.
> Thanks in advance.

I'm not sure if that's possible without wider changes, struct dommp only allows for 8 bits for rdomains.

--
Please keep replies on the mailing list.
increasing max value of rdomain/rtable
Hello, I want to increase the number of rdomain/rtable from 255 to 1024. I will do this at my own risk. I had a look at the kernel code but couldn't figure out how to upgrade it. I would be very grateful if you could guide me on this. Thanks in advance. -- Valdrin
Re: apu2e4 intermittent network freeze
Wow! "Parallel forwarding" with multiqueue on em(4) is so beautiful, like a dream. Should we hope that we will see those beautiful days very soon?

From: owner-m...@openbsd.org on behalf of Hrvoje Popovski
Sent: Monday, January 31, 2022 20:52
To: Amarendra Godbole
Cc: Łukasz Moskała ; misc
Subject: Re: apu2e4 intermittent network freeze

On 31.1.2022. 17:03, Amarendra Godbole wrote:
> [...]
>
> Thanks for your response(s). A few releases ago I did have a bridge,
> but realized it causes an overall throughput drop rather than using
> individual interfaces directly. I should have clarified -- even though
> both interfaces are on the same subnet, only one is connected at any
> given time, until yesterday, when I started seeing the issue on em1.
>
> Let me give a try to veb(4) and vport(4).
>
> -Amarendra

It would be great that em(4) have multiqueue support, that box with veb(4) and "parallel forwarding" diff on tech@ would kick ass :)
Re: Adding Password Protection to Single User Mode
Thanks for suggestions,

I removed the "secure" from /etc/ttys but I can still use "boot -s" without password. Is this about console connection?

Updated ttys file;

# cat /etc/ttys | grep 115200
tty00 "/usr/libexec/getty std.115200" vt220 off

From: Paul de Weerd
Sent: Tuesday, July 6, 2021 17:36
To: Valdrin MUJA
Cc: misc@openbsd.org
Subject: Re: Adding Password Protection to Single User Mode

On Tue, Jul 06, 2021 at 12:27:03PM +, Valdrin MUJA wrote:
| Hi Folks,
|
| I want to add a small password protection mechanism to
| "boot -s" (single-user mode).
|
| Therefore, I'm working on /sys/stand/boot/boot.c, I've written
| some code in boot.c, and run "make", "make obj", "make install"
| in /sys/. However, I couldn't enable my update "boot" binary on startup.
| On startup, the default boot program is working.
|
| How can I replace my updated boot program with the default one?
|
| P.S.: I've tried compile and install kernel and the result didn't change.

After building a new boot loader, you will need to use installboot(8) to actually install said code into the system. Your `make install` merely placed the bootloader into the spot in the filesystem where installboot expects to find it, but won't do the special editing of the disk that installboot does.

(but also see the replies from others about ttys(5) to deal with your situation without potentially screwing up your entire system with a faulty bootloader)

Cheers,

Paul 'WEiRD' de Weerd

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+ +++>-]<.>++[<>-]<+.--.[-]
http://www.weirdnet.nl/
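The reply above points at ttys(5) for getting a password prompt in single-user mode; init(8) makes that decision from the `console` entry, not from the serial line's own entry. The check below is an added example, not part of the thread; the function names and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether single-user boot will ask for the root
# password, based on the "secure" flag of the console entry in a ttys(5) file.

# Print "name<TAB>flags" for each terminal entry of file $1. The quoted getty
# command and any trailing comment are removed first so only flags remain.
ttys_entries() {
    awk '
        /^[ \t]*(#|$)/ { next }          # comment-only and blank lines
        {
            gsub(/"[^"]*"/, "CMD")       # the command may contain spaces
            sub(/#.*/, "")               # trailing comment
            if (NF < 3) next             # not a name/command/type entry
            flags = ""
            for (i = 4; i <= NF; i++)
                flags = flags (flags == "" ? "" : " ") $i
            printf "%s\t%s\n", $1, flags
        }' "$1"
}

# Exit 0 when terminal $2 in file $1 carries the "secure" flag.
ttys_is_secure() {
    ttys_entries "$1" | awk -F '\t' -v name="$2" '
        $1 == name {
            n = split($2, fl, " ")
            for (i = 1; i <= n; i++)
                if (fl[i] == "secure") sec = 1
        }
        END { exit !sec }'
}

# Classify file $1 by what its console entry means for "boot -s".
single_user_policy() {
    if ! ttys_entries "$1" |
        awk -F '\t' '$1 == "console" { f = 1 } END { exit !f }'; then
        echo "no-console-entry"
    elif ttys_is_secure "$1" console; then
        echo "root-shell-without-password"
    else
        echo "root-password-required"
    fi
}

# Write two constructed ttys files into directory $1.
write_samples() {
    cat > "$1/ttys.before" <<'EOF'
# constructed sample: secure removed from tty00 only
console	"/usr/libexec/getty std.9600"	vt220	off secure
ttyC0	"/usr/libexec/getty std.9600"	vt220	on  secure
tty00	"/usr/libexec/getty std.115200"	vt220	off
EOF
    cat > "$1/ttys.after" <<'EOF'
# constructed sample: secure removed from the console entry
console	"/usr/libexec/getty std.9600"	vt220	off
ttyC0	"/usr/libexec/getty std.9600"	vt220	on  secure
tty00	"/usr/libexec/getty std.115200"	vt220	off	# serial line
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in ttys.before ttys.after; do
    printf '%s: %s\n' "$f" "$(single_user_policy "$tmp/$f")"
done
rm -rf "$tmp"
```

On a live system the same function can be pointed at `/etc/ttys`; init(8) rereads the file when sent SIGHUP.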
Adding Password Protection to Single User Mode
Hi Folks,

I want to add a small password protection mechanism to "boot -s" (single-user mode).

Therefore, I'm working on /sys/stand/boot/boot.c, I've written some code in boot.c, and run "make", "make obj", "make install" in /sys/. However, I couldn't enable my updated "boot" binary on startup. On startup, the default boot program is working.

How can I replace my updated boot program with the default one?

P.S.: I've tried compiling and installing the kernel and the result didn't change.
Re: Howto measure pps at forwarding plane
Thanks, it's better now.

From: owner-m...@openbsd.org on behalf of Claudio Jeker
Sent: Thursday, June 10, 2021 12:33 PM
To: misc@openbsd.org
Subject: Re: Howto measure pps at forwarding plane

On Thu, Jun 10, 2021 at 09:23:03AM -, Stuart Henderson wrote:
> On 2021-06-10, Valdrin MUJA wrote:
> > Hello,
> >
> > I'm trying to figure out how much packets are being forwarded on my OpenBSD
> > firewall.
> > Here a small script i wrote.
> >
> > #!/bin/sh
> >
> > VAL1=`netstat -s | grep 'packets forwarded' | head -1 | awk -F ' ' '{print $1}'`
> >
> > sleep 1
> >
> > VAL2=`netstat -s | grep 'packets forwarded' | head -1 | awk -F ' ' '{print $1}'`
> >
> > echo "$(($VAL2-$VAL1))"
> >
> > But i can not be sure if i am doing the right thing?
> > Can anyone check it please.
> > Thanks.
>
> If you are only interested in IPv4 then yes that'll do it.
> This would save some cpu cycles though:
>
> VAL1=`netstat -s | awk '/packets forwarded/ { print $1; exit }'`

And use netstat -spip which limits the number of sysctls made in netstat.

--
:wq Claudio
Re: bind dhcpd to IP address
Thanks, working like a charm.

From: owner-m...@openbsd.org on behalf of Stuart Henderson
Sent: Thursday, June 10, 2021 12:15 PM
To: misc@openbsd.org
Subject: Re: bind dhcpd to IP address

On 2021-06-10, Ralf Horstmann wrote:
> Hi Valdrin,
>
> that setup works fine. You would use "ip helper-address" on the Ciscos to
> forward the DHCP requests to your OpenBSD box. The forwarded requests use the
> specified helper address as unicast destination. No need to have the VLANs
> present on your OpenBSD box.
>
> I'm running dhcpd without -u for that. dhcpd will pickup all packets with
> destination port 67 on the specified interface via bpf. No need to bind to a
> specific IP.

dhcpd will need to be listening on the interface containing the helper-address though; if you don't want it to actually serve clients on that network, the subnet declaration can be empty e.g.

subnet 192.0.2.0 netmask 255.255.255.0 { }

> I understand your last question as: Can dhcpd provide leases for subnets when
> the dhcpd box has no IP addresses within the range? The answer is yes. You will
> need subnet declarations for all pools in dhcpd.conf though.

The relay includes its own address on the client-facing interface in the relayed DHCP request; dhcpd uses that to determine which subnet to use.
Howto measure pps at forwarding plane
Hello,

I'm trying to figure out how many packets are being forwarded on my OpenBSD firewall.
Here is a small script I wrote.

#!/bin/sh

VAL1=`netstat -s | grep 'packets forwarded' | head -1 | awk -F ' ' '{print $1}'`

sleep 1

VAL2=`netstat -s | grep 'packets forwarded' | head -1 | awk -F ' ' '{print $1}'`

echo "$(($VAL2-$VAL1))"

But I can not be sure if I am doing the right thing?
Can anyone check it please.
Thanks.
Re: bind dhcpd to IP address
Thanks. I'll give a try.

From: Ralf Horstmann
Sent: Thursday, June 10, 2021 08:42
To: misc@openbsd.org
Cc: Valdrin MUJA
Subject: Re: bind dhcpd to IP address

Hi Valdrin,

that setup works fine. You would use "ip helper-address" on the Ciscos to forward the DHCP requests to your OpenBSD box. The forwarded requests use the specified helper address as unicast destination. No need to have the VLANs present on your OpenBSD box.

I'm running dhcpd without -u for that. dhcpd will pickup all packets with destination port 67 on the specified interface via bpf. No need to bind to a specific IP.

I understand your last question as: Can dhcpd provide leases for subnets when the dhcpd box has no IP addresses within the range? The answer is yes. You will need subnet declarations for all pools in dhcpd.conf though.

Regards,
Ralf

* Valdrin MUJA [2021-06-09 23:45]:
> Hi misc,
>
> I have 5 vlans terminated in Cisco switch as Layer 3.
> So the users' gateway is Cisco switch.
> The default gateway of Cisco switch is OpenBSD 6.9, which works as an office
> firewall.
> The switch also works as a dhcp server. However, I want OpenBSD office
> firewall to also act as a dhcp server.
> Is this possible while OpenBSD has no vlans on it? Only static routes for
> these ip networks are installed.
>
> I would set dhcp relay on the Cisco switch side, but when I looked at
> dhcpd(8), I was not entirely sure.
> I see that dhcpd can listen on an ip address with the -u[bind_address]
> parameter, but these lines confused me:
> ''With this option, dhcpd can answer DHCPINFORM from clients on non Ethernet
> interfaces such as tun(4) or pppx(4)’’
> What I understand from above is; if I configure -u for a physical (em0)
> interface’s ip address it will not bind to em0’s IP address.
> It will use 255.255.255.255 instead of this. So it will not work; right?
>
> One last and probably related question:
> Can OpenBSD be configured to distribute ip pools which it doesn’t have?
>
> Thanks for reading…
>
bind dhcpd to IP address
Hi misc, I have 5 vlans terminated in Cisco switch as Layer 3. So the users' gateway is Cisco switch. The default gateway of Cisco switch is OpenBSD 6.9, which works as an office firewall. The switch also works as a dhcp server. However, I want OpenBSD office firewall to also act as a dhcp server. Is this possible while OpenBSD has no vlans on it? Only static routes for these ip networks are installed. I would set dhcp relay on the Cisco switch side, but when I looked at dhcpd(8), I was not entirely sure. I see that dhcpd can listen on an ip address with the -u[bind_address] parameter, but these lines confused me: ''With this option, dhcpd can answer DHCPINFORM from clients on non Ethernet interfaces such as tun(4) or pppx(4)’’ What I understand from above is; if I configure -u for a physical (em0) interface’s ip address it will not bind to em0’s IP address. It will use 255.255.255.255 instead of this. So it will not work; right? One last and probably related question: Can OpenBSD be configured to distribute ip pools which it doesn’t have? Thanks for reading…
PPPoE mtu overwrites/ignores
Hello misc,

I try to change mtu size of my pppoe client but somehow that value returns to 1492 after getting ip address from ISP. I've opened a ticket with them and got the reply ''you could use mtu up to 1600.'' So no limitation at their side...

I have simple pppoe config:

inet 0.0.0.0 255.255.255.255 NONE mtu 1550 \
    pppoedev em0 authproto pap \
    authname 'muja@intisp' authkey 's3cr4ty3s' up
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1

Em0 mtu size is 1558

As a grumpy person, I didn't believe them and quickly installed npppd on another computer and used it as pppoe-server but nothing changed. (I've set mru as 1550 at npppd.conf)

I use OpenBSD 6.9 with 19 April iso image. Is this a bug or am I missing something?

Thanks in advance.
speedtest-cli gives too bad result
Hi, I think speedtest-cli port is misbehaving. When I run speedtest-cli under OpenBSD OS it scores less than 40Mbit/s. But when I use this openbsd device as a router I can get the real internet speed which is 400mbit/s. (IP Forward + PF + NAT) I deployed an OpenBSD server on vultr.com assuming there might be a problem with my ISP. But the result was even worse. (7mbit / s) Later I installed another OS using only the change os option on vultr and I got 4380.05 Mbit / s speed as download. I think there is some oddness about speedtest-cli port of OpenBSD. Thanks for reading.
Layer2 Tunneling Over pppoe(4)
Hi Misc, Can we set up egre(4), etherip(4) or vxlan(4) tunnel over pppoe ?
PF route-to and divert-packet
Hi Misc,

I’m trying to use policy based routing (route-to) with divert-packet feature. I’m just using example code written at divert’s man page. (man divert)

I’ve two WAN interfaces which are pppoe0(default gw) and pppoe.

Those pf rules below work:

# pass in log quick on vether10 inet proto udp from 10.10.10.52 to any port 53
pass in log quick on vether10 inet proto tcp from 10.10.10.52 to any port { 80 443 } route-to (pppoe1 (pppoe1))
pass out log quick on pppoe1 inet proto tcp from 10.10.10.52 to any nat-to (pppoe1)

But when I add divert-packet into NAT lines as this:

pass out log quick on pppoe1 inet proto tcp from 10.10.10.52 to any divert-packet port 700 nat-to (pppoe1)

It fails. What should I do for using route-to (+) divert-packet feature together.

Please help. Thanks.
PF route-to and divert-packet
Hi Misc,

I’m trying to use policy based routing (route-to) with divert-packet feature. I’m just using example code written at divert’s man page. (man divert)

I’ve two wan interfaces which are pppoe0(default gw) and pppoe1

Those pf rules below work:

# pass in log quick on vether10 inet proto udp from 10.10.10.52 to any port 53
…
# pass in log quick on vether10 inet proto tcp from 10.10.10.52 to any port { 80 443 } route-to (pppoe1 (pppoe1))
pass out log quick on pppoe1 inet proto tcp from 10.10.10.52 to any nat-to (pppoe1)

But when I add divert-packet into NAT lines as this:

pass out log quick on pppoe1 inet proto tcp from 10.10.10.52 to any divert-packet port 700 nat-to (pppoe1)

It fails. What should I do for using route-to (+) divert-packet feature together.

Please help. Thanks.
Measuring Routing Table Capacity
Hi Misc, I have a device with OpenBSD installed. I want to measure how many routes the routing table can hold? In brief, I want to measure the routing table's capacity. Is there any way to do it?
OpenBSD 6.8 Release Time
Hi Misc, I'm looking forward to OpenBSD 6.8 release. On OpenBSD 6.8 page, `Released Oct XXX` is written. https://www.openbsd.org/68.html When will it be released?
pmap_unwire: wiring for pmap error
Hi Misc,

I'm getting some error messages on dmesg but couldn't understand what's really going on. I have one binary running under OpenBSD 6.7 and it crashes few times in a day. Also, system is working slowly. For example, when I run "ifconfig" command it runs for a few seconds..

I see these error messages at dmesg:

pmap_unwire: wiring for pmap 0xfd8782e1b710 va 0xc00032c000 didn't change!
pmap_unwire: wiring for pmap 0xfd8782e1b710 va 0xc000b39000 didn't change!
pmap_unwire: wiring for pmap 0xfd8782e1b710 va 0xc000a3a000 didn't change!
pmap_unwire: wiring for pmap 0xfd8782e1b710 va 0xc000b2b000 didn't change!
pmap_unwire: wiring for pmap 0xfd8782e1b710 va 0xc000857000 didn't change!

Here full dmesg
pmap_unwire: wiring for pmap error
In use 142409K, total allocated 190056K; utilization 74.9%

# config -e /bsd
WARNING no output file specified
OpenBSD 6.7 (GENERIC.MP) #182: Thu May 7 11:11:58 MDT 2020
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
Enter 'help' for information
ukc> nkmempg
nkmempages = 762729960
ukc>

# uptime
5:02PM up 3:20, 3 users, load averages: 0.90, 0.84, 0.89

56 processes: 54 idle, 2 on processor up 3:21
CPU0 states: 0.8% user, 0.0% nice, 0.2% sys, 0.0% spin, 4.8% intr, 94.2% idle
CPU1 states: 0.4% user, 0.0% nice, 0.4% sys, 0.0% spin, 0.0% intr, 99.2% idle
CPU2 states: 7.6% user, 0.0% nice, 17.8% sys, 0.6% spin, 0.0% intr, 74.1% idle
CPU3 states: 5.4% user, 0.0% nice, 14.4% sys, 0.6% spin, 0.0% intr, 79.6% idle
CPU4 states: 6.0% user, 0.0% nice, 15.2% sys, 0.2% spin, 0.0% intr, 78.6% idle
CPU5 states: 2.8% user, 0.0% nice, 5.8% sys, 0.0% spin, 0.0% intr, 91.4% idle
CPU6 states: 1.6% user, 0.0% nice, 2.2% sys, 0.2% spin, 0.0% intr, 96.0% idle
CPU7 states: 1.0% user, 0.0% nice, 1.0% sys, 0.0% spin, 0.0% intr, 98.0% idle
Memory: Real: 1568M/6249M act/tot Free: 25G Cache: 4362M Swap: 0K/4103M

--
Valdrin Muja
Poor divert-packet performance
Hi Misc,

I'm making some trials and benchmarks about pf's divert. My test environment is like this;

I have 2 Linux devices and I have an OpenBSD device which are directly connected to an OpenBSD Device. This OpenBSD device acts like a router.

Network settings in OpenBSD:

vertigo# ifconfig em1
em1: flags=8843 mtu 1500
    lladdr 00:30:18:0a:a6:2e
    index 2 priority 0 llprio 3
    media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
    status: active
    inet 172.20.35.1 netmask 0xff00 broadcast 172.20.35.255
vertigo# ifconfig em2
em2: flags=8843 mtu 1500
    lladdr 00:30:18:0a:a6:2f
    index 3 priority 0 llprio 3
    media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
    status: active
    inet 172.20.36.1 netmask 0xff00 broadcast 172.20.36.255
vertigo#

vertigo# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding=1

my pf.conf is like this;

vertigo# cat /etc/pf.conf
# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

set skip on lo

# em1
pass in log quick on em1 from em1:network to 172.20.36.0/24
pass out log quick on em1 from 172.20.36.0/24 to em1:network

# em2
pass in log quick on em2 from em2:network to 172.20.35.0/24
pass out log quick on em2 from 172.20.35.0/24 to em2:network

# block all
block log quick all

block return    # block stateless traffic
pass            # establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild

On Linux-1, I'm making benchmark tests to Linux-2 with qperf,

vertigo@linux1:~$ qperf 172.20.35.2 tcp_bw tcp_lat -t 10
tcp_bw:
    bw = 115 MB/sec
tcp_lat:
    latency = 157 us
vertigo@linux1:~$ qperf 172.20.35.2 udp_bw udp_lat -t 10
udp_bw:
    send_bw = 120 MB/sec
    recv_bw = 120 MB/sec
udp_lat:
    latency = 158 us
vertigo@linux1:~$

After that, I updated the pf.conf and diverted packages to port 700

vertigo# cat /etc/pf.conf
# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

set skip on lo

# em1
pass in log quick on em1 from em1:network to 172.20.36.0/24
pass out log quick on em1 from 172.20.36.0/24 to em1:network divert-packet port 700

# em2
pass in log quick on em2 from em2:network to 172.20.35.0/24
pass out log quick on em2 from 172.20.35.0/24 to em2:network divert-packet port 700

# block all
block log quick all

block return    # block stateless traffic
pass            # establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild

On port 700, I run the example program on OpenBSD divert manpage. https://man.openbsd.org/divert.4

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <err.h>

#define DIVERT_PORT 700

int
main(int argc, char *argv[])
{
    int fd, s;
    struct sockaddr_in sin;
    socklen_t sin_len;

    /* Raw divert socket; pf hands matching packets to this port. */
    fd = socket(AF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (fd == -1)
        err(1, "socket");

    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(DIVERT_PORT);
    sin.sin_addr.s_addr = 0;

    sin_len = sizeof(struct sockaddr_in);

    s = bind(fd, (struct sockaddr *) &sin, sin_len);
    if (s == -1)
        err(1, "bind");

    for (;;) {
        ssize_t n;
        char packet[IP_MAXPACKET];
        struct ip *ip;
        struct tcphdr *th;
        int hlen;
        char src[48], dst[48];

        memset(packet, 0, sizeof(packet));
        n = recvfrom(fd, packet, sizeof(packet), 0,
            (struct sockaddr *) &sin, &sin_len);
        if (n == -1) {
            warn("recvfrom");
            continue;
        }
        if (n < sizeof(struct ip)) {
            warnx("packet is too short");
            continue;
        }

        /* Validate the IPv4 header lengths before touching the payload. */
        ip = (struct ip *) packet;
        hlen = ip->ip_hl << 2;
        if (hlen < sizeof(struct ip) || ntohs(ip->ip_len) < hlen ||
            n < ntohs(ip->ip_len)) {
            warnx("invalid IPv4 packet");
            continue;
        }

        th = (struct tcphdr *) (packet + hlen);

        if (inet_ntop(AF_INET, &ip->ip_src, src, sizeof(src)) == NULL)
            (void)strlcpy(src, "?", sizeof(src));

        if (inet_ntop(AF_INET, &ip->ip_dst, dst, sizeof(dst)) == NULL)
            (void)strlcpy(dst, "?", sizeof(dst));

        printf("%s:%u -> %s:%u\n",
            src, ntohs(th->th_sport),
            dst, ntohs(th->th_dport));

        /* Reinject the packet so forwarding continues, as in divert(4). */
        n = sendto(fd, packet, n, 0, (struct sockaddr *) &sin, sin_len);
        if (n == -1)
            warn("sendto");
    }

    return 0;
}
Disabling OpenBSD Login Prompt
Hi Misc,

I want to disable OpenBSD Login prompt at startup -and also after logging out-. Because I want to run my external program instead of ksh. There is a login prompt also in my program and I want to use it.

I updated the /etc/ttys ;

valdrin# cat /etc/ttys
#
# $OpenBSD: ttys,v 1.2 2008/01/09 17:39:42 miod Exp $
#
# name getty type status comments
#
console "/usr/libexec/getty std.9600" vt220 off secure
ttyC0 "/usr/libexec/getty std.9600" vt220 on secure
ttyC1 "/usr/libexec/getty std.9600" vt220 on secure
ttyC2 "/usr/libexec/getty std.9600" vt220 on secure
ttyC3 "/usr/libexec/getty std.9600" vt220 on secure
ttyC4 "/usr/libexec/getty std.9600" vt220 off secure
ttyC5 "/usr/libexec/getty std.9600" vt220 on secure
ttyC6 "/usr/libexec/getty std.9600" vt220 off secure
ttyC7 "/usr/libexec/getty std.9600" vt220 off secure
ttyC8 "/usr/libexec/getty std.9600" vt220 off secure
ttyC9 "/usr/libexec/getty std.9600" vt220 off secure
ttyCa "/usr/libexec/getty std.9600" vt220 off secure
ttyCb "/usr/libexec/getty std.9600" vt220 off secure
tty00 "/root/myprogram" vt220 on secure
tty01 "/usr/libexec/getty std.9600" unknown off
tty02 "/usr/libexec/getty std.9600" unknown off
tty03 "/usr/libexec/getty std.9600" unknown off
tty04 "/usr/libexec/getty std.9600" unknown off
tty05 "/usr/libexec/getty std.9600" unknown off
tty06 "/usr/libexec/getty std.9600" unknown off
tty07 "/usr/libexec/getty std.9600" unknown off

I'm connected to the device with com0 port so I updated the tty00 to run my external program. However; the system gets stuck after the date appears on startup.

starting network
reordering libraries: done.
starting early daemons: syslogd ntpd.
starting RPC daemons:.
savecore: no core dump
checking quotas: done.
clearing /tmp
kern.securelevel: 0 -> 1
creating runtime link editor directory cache.
preserving editor files.
starting network daemons: sshd.
starting local daemons: cron.
Wed Jun 10 10:27:04 +03 2020

Also, I tried "chsh" and "chpass" , but still OpenBSD login prompt appears..

How can I overcome this issue? Thanks..
Re: Disabling OpenBSD Login Prompt
Sorry for the lack of information.

Firstly, my program is a kind of interactive shell which has its own login prompt. What I want to do is run my program on startup and not use the OpenBSD login prompt.

When I use "chsh", first the OpenBSD login prompt appears, and after that my program runs and my program's login prompt appears.

Lastly, I tried to update /etc/ttys and replace getty with my program to disable the OpenBSD login prompt and run my program. However, obviously this didn't work.

In short, I want to disable the OpenBSD login prompt and run my program.

From: owner-m...@openbsd.org on behalf of Kapetanakis Giannis
Sent: Wednesday, June 10, 2020 12:21
To: misc@openbsd.org
Subject: Re: Disabling OpenBSD Login Prompt

On 10/06/2020 12:03, Valdrin MUJA wrote:
> Hi Misc,
>
> I want to disable OpenBSD Login prompt at startup -and also after logging
> out-. Because I want to run my external program instead of ksh. There is an
> login prompt also in my program and I want to use it.
>
> I updated the /etc/ttys ;
>
> valdrin# cat /etc/ttys
> #
> #       $OpenBSD: ttys,v 1.2 2008/01/09 17:39:42 miod Exp $
> #
> # name  getty                           type    status          comments
> #
> console "/usr/libexec/getty std.9600"   vt220   off secure
> ttyC0   "/usr/libexec/getty std.9600"   vt220   on  secure
> ttyC1   "/usr/libexec/getty std.9600"   vt220   on  secure
> ttyC2   "/usr/libexec/getty std.9600"   vt220   on  secure
> ttyC3   "/usr/libexec/getty std.9600"   vt220   on  secure
> ttyC4   "/usr/libexec/getty std.9600"   vt220   off secure
> ttyC5   "/usr/libexec/getty std.9600"   vt220   on  secure
> ttyC6   "/usr/libexec/getty std.9600"   vt220   off secure
> ttyC7   "/usr/libexec/getty std.9600"   vt220   off secure
> ttyC8   "/usr/libexec/getty std.9600"   vt220   off secure
> ttyC9   "/usr/libexec/getty std.9600"   vt220   off secure
> ttyCa   "/usr/libexec/getty std.9600"   vt220   off secure
> ttyCb   "/usr/libexec/getty std.9600"   vt220   off secure
> tty00   "/root/myprogram"               vt220   on  secure
> tty01   "/usr/libexec/getty std.9600"   unknown off
> tty02   "/usr/libexec/getty std.9600"   unknown off
> tty03   "/usr/libexec/getty std.9600"   unknown off
> tty04   "/usr/libexec/getty std.9600"   unknown off
> tty05   "/usr/libexec/getty std.9600"   unknown off
> tty06   "/usr/libexec/getty std.9600"   unknown off
> tty07   "/usr/libexec/getty std.9600"   unknown off
>
> I'm connected the device with com0 port so I updated the tty00 to run my
> external program. However; system is stucking after date appears on startup.
>
>
> starting network
> reordering libraries: done.
> starting early daemons: syslogd ntpd.
> starting RPC daemons:.
> savecore: no core dump
> checking quotas: done.
> clearing /tmp
> kern.securelevel: 0 -> 1
> creating runtime link editor directory cache.
> preserving editor files.
> starting network daemons: sshd.
> starting local daemons: cron.
> Wed Jun 10 10:27:04 +03 2020
>
>
> Also, I tried "chsh" and "chpass" , but still OpenBSD login prompt appears..
> How can I overcome this issue?
>
> Thanks..

Since you're mixing login prompt (getty) with login shell (ksh) and since you don't provide info about "yourprogram" I believe that maybe you're mixing things up?

If you want to change a user's login shell, chsh(1) should be used. This specifies what shell is run for that user after login is successful.

getty(8) is controlled by /etc/ttys - ttys(5) and has nothing to do with user login shell.

Read the man pages.

G
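An added example, not part of the thread and not OpenBSD's own code: a small C wrapper for the command field of /etc/ttys that does the terminal setup getty(8) normally does before handing over to the program. It assumes init(8) starts the command with the line name appended as the last argument and without opening the terminal for it; the name ttyexec and its install path are hypothetical, and /root/myprogram is the path from the post.

```c
/* ttyexec: stand-in for getty(8) in /etc/ttys (hypothetical name and path).
 * e.g. tty00 "/usr/local/libexec/ttyexec" vt220 on secure; init adds "tty00". */
#include <sys/ioctl.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define PROGRAM "/root/myprogram"	/* path used in the post */

/* Build "/dev/<line>"; 0 on success, -1 if the name is empty, too long for
 * out, or holds anything but letters and digits (no '/', no ".."). */
int
tty_path(const char *line, char *out, size_t outlen)
{
	size_t i, n;

	if (line == NULL || (n = strlen(line)) == 0)
		return -1;
	for (i = 0; i < n; i++) {
		char c = line[i];
		if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
		    (c >= '0' && c <= '9')))
			return -1;
	}
	if ((size_t)snprintf(out, outlen, "/dev/%s", line) >= outlen)
		return -1;
	return 0;
}

int
main(int argc, char *argv[])
{
	char path[32];
	int fd;
	if (argc < 2 || tty_path(argv[argc - 1], path, sizeof(path)) == -1)
		return 1;
	(void)setsid();		/* fails harmlessly if already session leader */
	if ((fd = open(path, O_RDWR)) == -1)
		return 1;
	if (ioctl(fd, TIOCSCTTY, 0) == -1)	/* make it the controlling tty */
		return 1;
	if (dup2(fd, 0) == -1 || dup2(fd, 1) == -1 || dup2(fd, 2) == -1)
		return 1;
	if (fd > 2)
		close(fd);
	execl(PROGRAM, PROGRAM, (char *)NULL);
	return 1;		/* exec failed; init respawns the entry */
}
```

The wrapper leaves line speed and terminal modes untouched, which getty would set from the std.9600 entry. The program started this way runs as root with its own prompt as the only authentication, whereas the chpass -s approach discussed elsewhere on this page keeps OpenBSD's login in front of it.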
Re: Howto change login mechanism on OpenBSD
Hello Again,

Actually I updated the /etc/ttys file and added my program instead of getty. However, after boot, there was still the OpenBSD login prompt before my program started.

On the other hand, I tried chpass -s $myprogram $user, but I'm still faced with the same problem: there was the OpenBSD login prompt.

In short, I want to disable the OpenBSD login prompt and execute my program. If the user exits this external program, my program should run again, etc.

On Thu, 21 May 2020 01:53:29 +0200 Jeff Joshua Rollin wrote

On Wed, 2020-05-20 at 17:00 -0500, Edgar Pettijohn wrote:
> On Wed, May 20, 2020 at 09:50:17PM +
> >
> > I believe /etc/ttys controls getty, which may or not help. Getty is
> > respawned too.
> > https://man.openbsd.org/man5/ttys.5
>
> I think you're right. Might just need to change a line in /etc/ttys
> to
> execute /bin/{my_program}.
>
> Edgar
>

Perhaps a better way would be just to change the user's login shell to the name of your program: chpass -s $myprogram $user. That way you can use OpenBSD's login authentication, and login automatically runs the program when the user logs in; when the user quits the program they are automatically logged out. Provided there's no way to execute a shell from within the program, they therefore can't execute arbitrary code once logged in.

It's easy to add a user for this single purpose: just add the user as normal, and specify $myprogram as the shell.

Jeff.
Howto change login mechanism on OpenBSD
Hi Misc,

I have an interactive shell program which has an authentication section and I want to log in via my program. How can I do that? Actually I want to run this program instead of /bin/ksh.

I changed root's shell with the "chsh -s /bin/{my_program} root" command. However, when the system boots, first the OpenBSD login appears and after that my program runs.

In short, I want to run an external program on startup without the OpenBSD login.
Golang under Arm or Octeon
Hi Misc,

I want to learn whether there is any work-in-progress port of Golang for the Arm or Octeon CPU architectures.

Thanks.

--
Best wishes
Valdrin Muja
OpenBSD and SDN
Hi,

I study software defined networks at my university. There are two parts in my project, a campus side and a data center side. I have chosen OpenBSD as the networking OS because of its visionary base system, and thanks to all the people of OpenBSD, especially Mr. Theo de Raadt.

I just want to understand what the future of OpenBSD is, and I have some questions.

On the campus side I also analyze edge hardware, and my question is about PoE/PoE+ ports. Does the OpenBSD team have plans or a roadmap for supporting this kind of hardware? Will OpenBSD have an IPS which would probably be better than Snort?

And for the data center: how about supporting 25GbE/40GbE/100GbE speed Ethernet chips? Is there any continuing project which will cover network protocols like NVGRE or others? Will OpenBSD support M-LAG?

I see that vmd and switchd will create lots of benefits in the cloud area by talented hands. Will switchd go on supporting new features which are already included on its roadmap?

I'm trying to understand OpenBSD's vision and hope that we could see more of OpenBSD's futuristic secure features.

Thanks for reading my questions and have a nice weekend.

--
Best wishes
Valdrin Muja