Re: DDB Crash Report About if_ether.c and arpinit() Gelen Kutusu

2024-01-31 Thread Valdrin MUJA
Hello Samuel,

I think you should give a chance to this commit:

https://github.com/openbsd/src/commit/73fb5aae645f3bc12746fd705a937dfc9f9abc01

I hope it works for you.

--
Valdrin

From: owner-m...@openbsd.org  on behalf of Samuel 
Jayden 
Sent: Wednesday, January 31, 2024 10:29
To: misc@openbsd.org 
Subject: Re: DDB Crash Report About if_ether.c and arpinit() Gelen Kutusu

Hello again,

My device continues to crash almost every single day.
Unfortunately, due to the system freeze, I'm unable to generate a crash
report. These crashes typically result in the following errors:

kernel : protection fault trap, code=0
Stopped at arptimer+0x45: movq 0x10(%r15),%rdi
ddb{0}>

Is there a solution to this issue? What steps should I take?
Thanks.


On Sat, Jan 27, 2024 at 10:51 AM Samuel Jayden 
wrote:

> Hello Misc,
>
> My OpenBSD 7.4 crashes with these error messages:
>
> panic: kernel diagnostic assertion "ifp != NULL" failed: file
> "/usr/src/sys/net/inet/if_ether.c", line 758
>
> Stopped at db_enter+0x14: popq %rbp
>TID  PID UID   PRFLAGS   PFLAGS   CPUCOMMAND
>  399412   7311877   0x112 0   10dhcpleased
>  360364   39155   115   0x112 0   11slaacd
>  155433   90182 00x14000  0x2002softnet0
>  162438   45442 00x14000  0x2004systq
> * 37835   96688 00x14000 0x42000softclock
> db_enter() at db_enter+0x14
> panic(820a8599) at panic+0xc3
> __assert(821232bc,8209baea,2f6,820712c0) at
> __assert+0x29
> arpinit() at arpinit
> arptimer(825a38e8) at arptimer+0x5f
> softclock_thread(800021c1fd48) at softclock_thread+0x12b
> end trace frame: 0x0, count: 9
> https://www.openbsd.org/ddb.html describes the minimum info required in
> bug reports. Insufficient info makes it difficult to find and fix bugs.
> ddb{0}>
>
> Dmesg output of my device is in the attachment.
>
> Thank you in advance for your interest.
>


TSO and LRO while forwarding traffic

2024-01-08 Thread Valdrin MUJA
Hello Misc,

I've got a question about TSO and LRO:

How does enabling TSO and/or LRO on the Ethernet cards of a network device that 
will serve as a router and firewall affect the forward traffic of users 
accessing the internet behind this device?

In short, should I keep these features on or turn them off in my OpenBSD 
firewall?
What is the OpenBSD recommendation?

Thank you in advance for your answers.


Re: Parallel PF

2023-10-25 Thread Valdrin MUJA
Hello Gábor,

Of course, I am aware of OpenBSD's parallel forwarding implementation. The 
owner of this thread already mentioned this in his e-mail.

I can reach 10Gbps speed via speedtest.net. Here my gateway is a Server with 
OpenBSD 7.3 installed...
I also get similar values with Cisco-Trex. I can say that OpenBSD is more 
successful with 1518 byte TCP packets rather than 64 byte UDP packets.


From: owner-m...@openbsd.org  on behalf of Gábor LENCSE 

Sent: Wednesday, October 25, 2023 18:47
To: misc@openbsd.org 
Subject: Re: Parallel PF

Hello Valdrin,

On 10/25/2023 4:18 PM, Valdrin MUJA wrote:
> Hello Sam,
>
> I don't have the answer to this question, but I can make a few comments on my 
> own behalf. Maybe it can give you an idea.
> As far as I observed, it is not PF's turn yet. I guess what needs to be done 
> regarding cloned interfaces such as tun and the ethernet layer will be done 
> first. In fact, as far as I follow, there are some issues in the UDP_input 
> section.

I have been somewhat surprised at this information. OpenBSD can use up
to 4 softnet tasks for parallel IP packet forwarding since version 7.2.
Please see "SMP Improvements" in page: https://www.openbsd.org/72.html

> Of course, I'm sure a lot will change when PF becomes mp-safe, but I believe 
> there is still time for that.
> PF's performance can reach up to 10Gbps with the right CPU selection.

Expressing traffic in Gbps can be rather ambiguous. What frame size did
you use? 64-byte or 1518-byte? The first one needs 14,880,952pps to
saturate a 10Gbps link, whereas the second one can do it with
812,743pps. Please refer to:
https://datatracker.ietf.org/doc/html/rfc5180#appendix-A.1

Best regards,

Gábor


Re: Parallel PF

2023-10-25 Thread Valdrin MUJA
Hello Sam,

I don't have the answer to this question, but I can make a few comments on my 
own behalf. Maybe it can give you an idea.
As far as I observed, it is not PF's turn yet. I guess what needs to be done 
regarding cloned interfaces such as tun and the ethernet layer will be done 
first. In fact, as far as I follow, there are some issues in the UDP_input 
section.
Of course, I'm sure a lot will change when PF becomes mp-safe, but I believe 
there is still time for that.
PF's performance can reach up to 10Gbps with the right CPU selection. Do you 
have traffic that exceeds this? Maybe if you can provide specific information 
there will be a chance for someone to help.

From: owner-m...@openbsd.org  on behalf of Samuel 
Jayden 
Sent: Tuesday, October 24, 2023 17:54
To: Irreverent Monk 
Cc: misc@openbsd.org 
Subject: Re: Parallel PF

I shared a naive user experience. I didn't mean to be rude. Anyway, thank
you for reading and responding.

On Tue, Oct 24, 2023 at 5:46 PM Irreverent Monk  wrote:

> The standard response is - show your code.  If you sit down and think
> about it, isn't it rude to go to a project to tell them that they must
> prioritize what they are doing for what you want...?
>
> On Tue, Oct 24, 2023 at 6:40 AM Samuel Jayden 
> wrote:
>
>> Hello dear OpenBSD team,
>>
>> I'm sure that something like parallel IP forwarding and increasing the
>> number of softnet kernel tasks to 4 is definitely being considered on the
>> PF side too, but I would like to express my concern about timing. Do you
>> have any schedule for this?
>>
>> I think one of the common prayers of all OpenBSD users is that PF will
>> speed up. Thank you for reading and my best regards.
>>
>> --
>> Sam
>>
>


porting snort3

2023-09-24 Thread Valdrin MUJA
Hello,

Is there any plan for porting Snort3 into OpenBSD? Thanks.

Best,
Valdrin


mp-safe tun

2023-06-26 Thread Valdrin MUJA
Hello OpenBSD,

I've been thinking about this since OpenBSD devs do a lot of mp-safe on the 
network stack:
Is it possible to make /dev/tun device mp-safe/Multi-queue?
Thanks for reading.


increasing NET_TASKQ for better performance?

2023-06-18 Thread Valdrin MUJA
Hello Misc,

I run OpenBSD 7.3 as L3 firewall under VMware. I have some rdr-to rules.

Here is the system information:
cpu15: Intel(R) Xeon(R) Gold 6338 CPU @ 2.00GHz, 1995.63 MHz, 06-6a-06
I know CPU cores are not too important at the moment but this server has 16 
cores on it.
I use vmx nics. dmesg is attached.

When traffic becomes high(*) the system slows. (Users say RDP connections are slow)
When I checked uptime load average was ok but yeah OpenBSD was slow.
For example, when I enter ifconfig command system was not too fast.

After that I looked at top -SH output and see 3 of softnet tasks were over %74 
and was ~%40.

Would you suggest to increase the NET_TASKQ value to 8 or 16 (number of cores 
in the system) and use a custom kernel?
Also, just wonder if it's CPU core dedicated value or not?

P.S. I don't use pfsync and it's not in my plan...

(*) At problem time; egress traffic was nearly 800mbps. 35K pf states.
300K pps ipv4 forwarding...

Thanks,
Valdrin

Re: About Intel C3000 eMMC

2023-06-11 Thread Valdrin MUJA
Thanks, Aaron, for your review.
But when I looked at the tech@ mailing list description, I thought it would 
be better to continue here.

I installed it on a USB disk, then I sent a compiled kernel here with the 
option SDMMC_DEBUG parameter.

I've attached dmesg, pcidump outputs and /var/db/acpi via this e-mail.
Maybe it can be a starting point for a developer who wants to look.
Thank you for reading.

From: Aaron Mason 
Sent: Sunday, June 11, 2023 14:45
To: Valdrin MUJA 
Cc: MISC@openbsd.org 
Subject: Re: About Intel C3000 eMMC

On Sun, Jun 11, 2023 at 9:33 PM Aaron Mason  wrote:
> Looks like it's picking it up, but can't enable it - from the attached dmesg:
>
> sdhc0 at pci0 dev 28 function 0 "Intel C3000 eMMC" rev 0x11: apic 2 int 16
> sdhc0: SDHC 3.0, 200 MHz base clock
> sdmmc0 at sdhc0: 8-bit, sd high-speed, mmc high-speed, ddr52, dma
> [REDACTED]
> sdmmc0: can't enable card
>
> Maybe getting some debugging from that driver will help a dev - I
> don't know the option off hand but I'll have a look unless someone
> more knowledgeable can point you in the right direction.
>
> --
> Aaron Mason - Programmer, open source addict
> I've taken my software vows - for beta or for worse

Ok so the option is SDMMC_DEBUG - if you're able, try rebuilding the
kernel but add this line to the config file:

option SDMMC_DEBUG

Send the output to tech@ rather than here - someone there can have a
look and see where it's tripping up.

--
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse



About Intel C3000 eMMC

2023-06-11 Thread Valdrin MUJA
Hello OpenBSD,

I'm trying to install OpenBSD 7.3 on a Cordoba Edge Gateway CPE(*) device 
manufactured by Silicom-USA. However, OpenBSD does not recognize the Intel 
C3000 eMMC (SOC type) disk that comes on it.
Is there a way to run this?
Thanks.

Also you can find the dmesg output in the attachment of this email.

(*) 
https://www.silicom-usa.com/pr/4g-5g-products/4g-5g-appliances/cordoba-edge-gateway-cpe/


Re: Multi path routing with BGPD

2023-06-01 Thread Valdrin MUJA
Hi Claudio,

Thanks for your reply. I think this is the saddest news lately.
At this point, I have a question:
This should not be a kernel issue, right?
So, can I use an alternative like bird until this feature is developed?

From: Claudio Jeker 
Sent: Thursday, June 1, 2023 19:34
To: Valdrin MUJA 
Cc: MISC@openbsd.org 
Subject: Re: Multi path routing with BGPD

On Mon, May 29, 2023 at 07:29:14PM +, Valdrin MUJA wrote:
> Hello,
>
> I try to setup multipath routing environment with OpenBSD's bgpd.

multipath != add-path. OpenBGPD currently does not do multipath routing.
It only uses the best path for the FIB and the nexthops are only resolved
to one gateway.

> As I understand from man page the keyword is add-path.
> Here is my environmental report:
>
>   1.  In my lab I simulate two wan links for each device.
>   2.  Each device also has a LAN network to announce.
>   3.  In the middle of these two devices there is another OpenBSD acting as 
> Router.
>
> Device 1 :
> WAN1 : 192.168.10.2/24
> WAN2: 10.1.1.2/24
> LAN : 172.16.1.1/24
> GRE1 : 172.31.1.1 -> 172.31.1.2 netmask /24 (over wan1)
> GRE2 : 172.31.2.1 -> 172.31.2.2 netmask /24 (over wan2)
>
> Device 2 :
> WAN1 : 192.168.20.2/24
> WAN2: 10.1.2.2/24
> LAN : 172.16.2.1/24
> GRE1 : 172.31.1.2 -> 172.31.1.1 netmask /24 (over wan1)
> GRE2 : 172.31.2.2 -> 172.31.2.1 netmask /24 (over wan2)
>
>
> Router :
> 192.168.10.1/24
> 192.168.20.1/24
> 10.1.1.1/24
> 10.1.2.1/24
>
> -
>
> Here bgpd.conf file contents :
>
> Device1# cat /etc/bgpd.conf
> AS 100
> network 172.16.1.0/24
> neighbor 172.31.1.2 {
>   remote-as 100
>   log updates
>   announce IPv4 unicast
> announce add-path recv yes
> announce add-path send best
> }
> neighbor 172.31.2.2 {
>   remote-as 100
>   log updates
>   announce IPv4 unicast
>   announce add-path recv yes
>   announce add-path send best
> }
> allow quick from { ibgp }
> allow quick to { ibgp }
>
> Device2# cat /etc/bgpd.conf
> AS 100
> network 172.16.2.0/24
> neighbor 172.31.1.1 {
>   remote-as 100
>   log updates
>   announce IPv4 unicast
> announce add-path recv yes
> announce add-path send best
> }
> neighbor 172.31.2.1 {
>   remote-as 100
>   log updates
>   announce IPv4 unicast
> announce add-path recv yes
> announce add-path send best
> }
> allow quick from { ibgp }
> allow quick to { ibgp }
>
> Here bgpctl show outputs:
>
> #bgp connection is OK
>
> Device1# bgpctl show
> Neighbor   ASMsgRcvdMsgSent  OutQ Up/Down  
> State/PrfRcvd
> 172.31.1.2100  9  9 0 00:02:34  1
> 172.31.2.2100  9  9 0 00:02:34  1
>
> # we can see rib tables are ready
>
> Device1# bgpctl show rib
> flags: * = Valid, > = Selected, I = via IBGP, A = Announced,
>S = Stale, E = Error
> origin validation state: N = not-found, V = valid, ! = invalid
> origin: i = IGP, e = EGP, ? = Incomplete
>
> flags ovs destination  gateway  lpref   med aspath origin
> AI*>N 172.16.1.0/240.0.0.0   100 0 i
> I*> N 172.16.2.0/24172.31.1.2100 0 i
> I*m N 172.16.2.0/24172.31.2.2100 0 i
>
> Device2# bgpctl show rib
> flags: * = Valid, > = Selected, I = via IBGP, A = Announced,
>S = Stale, E = Error
> origin validation state: N = not-found, V = valid, ! = invalid
> origin: i = IGP, e = EGP, ? = Incomplete
>
> flags ovs destination  gateway  lpref   med aspath origin
> I*> N 172.16.1.0/24172.31.1.1100 0 i
> I*m N 172.16.1.0/24172.31.2.1100 0 i
> AI*>N 172.16.2.0/240.0.0.0   100 0 i
>
>
> But there is only one path in FIB table:
>
> Device1# bgpctl show fib | grep B
> flags: B = BGP, C = Connected, S = Static
>N = BGP Nexthop reachable via this route
> B   48 172.16.2.0/24172.31.1.2
>
> Device2# bgpctl show fib | grep B
> flags: B = BGP, C = Connected, S = Static
>N = BGP Nexthop reachable via this route
> B   48 172.16.1.0/24172.31.1.1
>
> Also my sysctl.conf is ok (net.inet.ip.multipath=1)
> I just wanna add multipath routes for my networks as dynamic.
>
> It's ok with static routing(*) but I would like to achieve it as dynamically 
> with bgpd.
> What is wrong with my configuration? Can you please help me.
> Thanks.
>
> (*)
> Device1# route add 172.16.2.0/

Re: Cannot setup more than one WireGuard peer

2023-06-01 Thread Valdrin MUJA
Hi,

It's because of preventing possible spoofs by each peer.
From man wg(4):
The interface will accept tunneled traffic only from the peer configured with 
the most specific matching allowed IP address range for the incoming traffic, 
or drop it if no such match exists. That is, tunneled traffic routed to a given 
peer cannot return through another peer of the same wg interface. This ensures 
that peers cannot spoof another's traffic.

In addition, it is explained that by reading the 2nd article of the document at 
the https://www.wireguard.com/papers/wireguard.pdf url address, it is 
determined which public key to encrypt according to the Allowed IP address.

So for security reasons, it was designed that way in principle.
If this can be assigned to an option, it's a kernel question entirely specific 
to wireguard implementation.



From: owner-m...@openbsd.org  on behalf of Consus 

Sent: Thursday, June 1, 2023 15:47
To: misc@openbsd.org 
Subject: Cannot setup more than one WireGuard peer

Hi,

I'm using OpenBSD 7.3 and I have the following issue with WireGuard:
adding more than one peer via ifconfig breaks wgaip assignments.

Initial configuration:

  $ doas ifconfig wg0
  wg0: flags=80c3 mtu 1420
index 8 priority 0 llprio 3
wgport 
wgpubkey 
groups: wg
inet 10.45.0.1 netmask 0xff00 broadcast 10.45.0.255

Adding a new peer:

  $ doas ifconfig wg0 wgpeer  wgaip 10.45.0.2/24
  $ doas ifconfig wg0
  wg0: flags=80c3 mtu 1420
  index 8 priority 0 llprio 3
  wgport 
  wgpubkey 
  wgpeer 
  tx: 0, rx: 0
  wgaip 10.45.0.2/24
  groups: wg
  inet 10.45.0.1 netmask 0xff00 broadcast 10.45.0.255

So far so good, adding another peer:

  $ doas ifconfig wg0 wgpeer  wgaip 10.45.0.3/24
  $ doas ifconfig wg0
  wg0: flags=80c3 mtu 1420
  index 8 priority 0 llprio 3
  wgport 
  wgpubkey 
  wgpeer 
  tx: 0, rx: 0
  wgpeer 
  tx: 0, rx: 0
  wgaip 10.45.0.2/24
  groups: wg
  inet 10.45.0.1 netmask 0xff00 broadcast 10.45.0.255

Bam. The first peer has lost its wgaip, the second one gets invalid
wgaip, hence nothing works.

Merging it all in a single ifconfig line does not help either.

Please halp.
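
Added example, not part of the original thread and not OpenBSD's wg(4) code: a simplified Python model of the per-interface allowed-IP table described in the reply above. It shows why peers configured with 10.45.0.2/24 and 10.45.0.3/24 end up sharing a single prefix, and how /32 entries keep the source-address check separate for each peer. The class, function names and peer labels are hypothetical.

```python
import ipaddress


class AllowedIPs:
    """Simplified model of one wg interface's allowed-IP table.

    Assumption of this model: each prefix maps to exactly one peer, so
    assigning an existing prefix to another peer moves it.
    """

    def __init__(self):
        self._table = {}  # ip_network -> peer label

    def add(self, peer, cidr):
        """Assign cidr to peer; return the peer that lost the prefix, if any."""
        # Host bits are masked off, so 10.45.0.2/24 and 10.45.0.3/24
        # both become the single prefix 10.45.0.0/24.
        net = ipaddress.ip_network(cidr, strict=False)
        previous = self._table.get(net)
        self._table[net] = peer
        return previous if previous != peer else None

    def lookup(self, addr):
        """Return the peer owning the most specific prefix covering addr."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net, peer in self._table.items():
            if ip.version == net.version and ip in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, peer)
        return best[1] if best else None

    def accept_inbound(self, from_peer, inner_src):
        """Anti-spoofing check: a decrypted packet is accepted only when its
        inner source address maps back to the peer that sent it."""
        return self.lookup(inner_src) == from_peer

    def prefixes_of(self, peer):
        """List the prefixes currently owned by peer."""
        return sorted(str(n) for n, p in self._table.items() if p == peer)


def overlapping_config():
    """The configuration from the thread: both peers get a /24."""
    table = AllowedIPs()
    table.add("peerA", "10.45.0.2/24")
    displaced = table.add("peerB", "10.45.0.3/24")
    return table, displaced


def host_route_config():
    """Corrected configuration: one /32 per peer."""
    table = AllowedIPs()
    table.add("peerA", "10.45.0.2/32")
    table.add("peerB", "10.45.0.3/32")
    return table


if __name__ == "__main__":
    table, displaced = overlapping_config()
    print("peer that lost its prefix:", displaced)
    print("peerA prefixes:", table.prefixes_of("peerA"))
    print("peerB prefixes:", table.prefixes_of("peerB"))
    print("peerA sends from 10.45.0.2, accepted:",
          table.accept_inbound("peerA", "10.45.0.2"))

    fixed = host_route_config()
    for sender, src in [("peerA", "10.45.0.2"),
                        ("peerB", "10.45.0.3"),
                        ("peerB", "10.45.0.2")]:  # last one is a spoofed source
        print(sender, "sends from", src, "accepted:",
              fixed.accept_inbound(sender, src))
```
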



Re: High Interrupt After 7.3 Upgrade

2023-06-01 Thread Valdrin MUJA
Hi,

I hit the same case too.
It looks like there's something wrong with the ipi:
I have a system where I am running the current OpenBSD kernel dated May 21.
The systat output and the vmstat -i output do not match, and there are serious 
differences between them.
For example, while the ip in vmstat -i output is below 5000, the ip in systat 
output can go above 65000.

I don't know if it's a coincidence, but I received complaints from users on a 
firewall I upgraded to 7.3 and then I've downgraded the system when I saw the 
systat values. Maybe the notifications from the user were not correct and I was 
in a hurry. It can be both; I am not sure.

On the other hand, when the ix(4) tso code is fully committed(*), I wanna make 
detailed tests with Cisco Trex and share it.

(*) I think the ix(4) tso code is partially committed, but I guess it's not 
completely finished yet, right?

From: owner-m...@openbsd.org  on behalf of Sven F. 

Sent: Thursday, June 1, 2023 00:35
To: misc@openbsd.org 
Subject: Re: High Interrupt After 7.3 Upgrade

On Wed, May 31, 2023 at 5:27 PM Stuart Henderson 
wrote:

> On 2023-05-31, Mark (obsd)  wrote:
> > Hi Chris,
> >
> > On Tue, May 30, 2023 at 8:59 AM Chris Cappuccio wrote:
> >
> >> Samuel Jayden [samueljaydan1...@gmail.com] wrote:
> >> > Hi again,
> >> >
> >> > Just for the record:
> >> > I've downgraded to OpenBSD 7.2 (reinstalled) and everything is working
> >> > like a charm again.
> >> > I don't know what is wrong with 7.3 but ipi interrupt rate is too much
> >> > and somehow OpenBSD performance is too bad..
> >> > Thanks for reading.
> >> >
> >>
> >> Sounds like you are using 'systat' to measure interrupts. This is a bug
> >> in systat that was fixed in 7.3. Here is Scott Cheloha's message from
> >> that fix:
> >>
> >> "systat(1): vmstat: measure elapsed time with clock_gettime(2) instead
> >> of ticks
> >> The vmstat view in systat(1) should not use statclock() ticks to count
> >> elapsed time.  First, ticks are low resolution.  Second, the statclock
> >> is sometimes randomized, so each tick is not necessarily of equal
> >> length.  Third, we're counting ticks from every CPU on the system, so
> >> every rate in the view is divided by the number of CPUs.  For example,
> >> on an amd64 system with 8 CPUs you currently see:
> >>
> >>  200 clock
> >>
> >> ... when the true clock interrupt rate on that system is 1600.
> >>
> >> Instead, measure elapsed time with clock_gettime(2).  Use CLOCK_UPTIME
> >> here so we exclude time when the system is suspended.  With this
> >> change we no longer need "stathz" or "hertz".  We can also get rid of
> >> the anachronistic secondary clock failure test.
> >>
> >>
> >>
> > I'm not the OP, but that's interesting to me because I'm wondering if it's
> > why Prometheus' node_exporter from packages is reporting wildly wrong CPU
> > stats on 7.3 that don't at all match what you'd expect when comparing
> > top/htop output? It was fine prior to upgrading to 7.3, but I've just left
> > digging into it on the back burner due to other priorities.
>
> That's a different issue, it was fixed in -current - I've just merged it to
> -stable so updated packages should show up in a day or two.
>
>
> 7.3 interrupt ( Intel(R) Celeron(R) J6412 )

v6-fw# vmstat -i
interrupt   total rate
irq96/acpi0 10
irq145/inteldrm0  4970
irq97/xhci0 30
irq98/ahci0   18738060
irq114/igc0:0   157799531   50
irq115/igc0:1   194120194   61
irq116/igc0:2   148272908   47
irq117/igc0:3   159077128   50
irq118/igc0 20
irq119/igc1:0   158925348   50
irq120/igc1:1   181916246   58
irq121/igc1:2   155586734   49
irq122/igc1:3   170737329   54
irq123/igc1 20
irq129/igc3:021260
irq130/igc3:1   540117832  172
irq131/igc3:2  5688860
irq132/igc3:3   909270099  290
irq133/igc3130
irq0/clock 2505321992  799
irq0/ipi   5601964631 1788
Total 1088308 3475

I did not notice performance issue here,
but maybe irq0/ipi   5601964631 1788
is bad
I did notice some unexpected kernel_lock jittering the traffic ~15ms

--
--
-
Knowing is not enough; we must apply. Willing is not enough; we must do


Re: Route based IPsec

2023-05-31 Thread Valdrin MUJA
Hi Claudio & David,

Wireguard can work behind NAT. In that case maybe the solution is wireguard + 
BGP.

In fact, I already tried this and wanted to use BGP multipath but failed and 
sent it to the misc list in a separate mail.

(I wrote gre + bgp in the related mail, my aim was not to prolong my work with 
the wireguard config.)

From: owner-m...@openbsd.org  on behalf of Claudio 
Jeker 
Sent: Wednesday, May 31, 2023 12:09
To: David Gwynne 
Cc: Misc 
Subject: Re: Route based IPsec

On Wed, May 31, 2023 at 06:39:27PM +1000, David Gwynne wrote:
>
>
> > On 31 May 2023, at 18:33, Claudio Jeker  wrote:
> >
> > On Wed, May 31, 2023 at 08:35:45AM +1000, David Gwynne wrote:
> >>
> >>
> >>> On 27 May 2023, at 21:40, Stuart Henderson  
> >>> wrote:
> >>>
> >>> On 2023-05-27, Valdrin MUJA  wrote:
> >>>>   Does OpenBSD have routed based IPsec support?
> >>>
> >>> Not yet.
> >>
> >> while you wait, it might be possible to configure a gif tunnel protected
> >> by ipsec transport mode.
> >>
> >
> > The annoying bit with gif tunnels in transport mode is the need for static
> > IPs on both sides of the tunnel. I ended up tunneling gif in tunnel mode
> > because of that.
>
> that's an annoying thing about gif, even without ipsec in the mix.

Indeed. Both gif and gre share this issue.

> should i make it possible to specify an interface as the source of local
> addresses on tunnels?

Not sure if it is worth the effort since the other end of the tunnel needs
to adjust the tunnel remote address as well. Neither gif nor gre support
authentication. Using wg(4) for that is an option but because of dynamic
routing I ended up packing a gif tunnel into wg(4) (so I'm back to square
one).

--
:wq Claudio



Re: Route based IPsec

2023-05-31 Thread Valdrin MUJA
Thanks David, I'll try it soon.

From: owner-m...@openbsd.org  on behalf of David Gwynne 

Sent: Wednesday, May 31, 2023 01:35
To: Stuart Henderson 
Cc: misc@openbsd.org 
Subject: Re: Route based IPsec



> On 27 May 2023, at 21:40, Stuart Henderson  wrote:
>
> On 2023-05-27, Valdrin MUJA  wrote:
>>Does OpenBSD have routed based IPsec support?
>
> Not yet.

while you wait, it might be possible to configure a gif tunnel protected by 
ipsec transport mode.

dlg



Multi path routing with BGPD

2023-05-29 Thread Valdrin MUJA
Hello,

I try to setup multipath routing environment with OpenBSD's bgpd.
As I understand from man page the keyword is add-path.
Here is my environmental report:

  1.  In my lab I simulate two wan links for each device.
  2.  Each device also has a LAN network to announce.
  3.  In the middle of these two devices there is another OpenBSD acting as 
Router.

Device 1 :
WAN1 : 192.168.10.2/24
WAN2: 10.1.1.2/24
LAN : 172.16.1.1/24
GRE1 : 172.31.1.1 -> 172.31.1.2 netmask /24 (over wan1)
GRE2 : 172.31.2.1 -> 172.31.2.2 netmask /24 (over wan2)

Device 2 :
WAN1 : 192.168.20.2/24
WAN2: 10.1.2.2/24
LAN : 172.16.2.1/24
GRE1 : 172.31.1.2 -> 172.31.1.1 netmask /24 (over wan1)
GRE2 : 172.31.2.2 -> 172.31.2.1 netmask /24 (over wan2)


Router :
192.168.10.1/24
192.168.20.1/24
10.1.1.1/24
10.1.2.1/24

-

Here bgpd.conf file contents :

Device1# cat /etc/bgpd.conf
AS 100
network 172.16.1.0/24
neighbor 172.31.1.2 {
  remote-as 100
  log updates
  announce IPv4 unicast
  announce add-path recv yes
  announce add-path send best
}
neighbor 172.31.2.2 {
  remote-as 100
  log updates
  announce IPv4 unicast
  announce add-path recv yes
  announce add-path send best
}
allow quick from { ibgp }
allow quick to { ibgp }

Device2# cat /etc/bgpd.conf
AS 100
network 172.16.2.0/24
neighbor 172.31.1.1 {
  remote-as 100
  log updates
  announce IPv4 unicast
  announce add-path recv yes
  announce add-path send best
}
neighbor 172.31.2.1 {
  remote-as 100
  log updates
  announce IPv4 unicast
  announce add-path recv yes
  announce add-path send best
}
allow quick from { ibgp }
allow quick to { ibgp }

Here bgpctl show outputs:

#bgp connection is OK

Device1# bgpctl show
Neighbor       AS    MsgRcvd    MsgSent  OutQ  Up/Down   State/PrfRcvd
172.31.1.2    100          9          9     0  00:02:34  1
172.31.2.2    100          9          9     0  00:02:34  1

# we can see rib tables are ready

Device1# bgpctl show rib
flags: * = Valid, > = Selected, I = via IBGP, A = Announced,
   S = Stale, E = Error
origin validation state: N = not-found, V = valid, ! = invalid
origin: i = IGP, e = EGP, ? = Incomplete

flags ovs destination      gateway      lpref   med aspath origin
AI*>N     172.16.1.0/24    0.0.0.0        100     0 i
I*> N     172.16.2.0/24    172.31.1.2     100     0 i
I*m N     172.16.2.0/24    172.31.2.2     100     0 i

Device2# bgpctl show rib
flags: * = Valid, > = Selected, I = via IBGP, A = Announced,
   S = Stale, E = Error
origin validation state: N = not-found, V = valid, ! = invalid
origin: i = IGP, e = EGP, ? = Incomplete

flags ovs destination      gateway      lpref   med aspath origin
I*> N     172.16.1.0/24    172.31.1.1     100     0 i
I*m N     172.16.1.0/24    172.31.2.1     100     0 i
AI*>N     172.16.2.0/24    0.0.0.0        100     0 i


But there is only one path in FIB table:

Device1# bgpctl show fib | grep B
flags: B = BGP, C = Connected, S = Static
   N = BGP Nexthop reachable via this route
B   48 172.16.2.0/24    172.31.1.2

Device2# bgpctl show fib | grep B
flags: B = BGP, C = Connected, S = Static
   N = BGP Nexthop reachable via this route
B   48 172.16.1.0/24    172.31.1.1

Also my sysctl.conf is ok (net.inet.ip.multipath=1)
I just wanna add multipath routes for my networks as dynamic.

It's ok with static routing(*) but I would like to achieve it as dynamically 
with bgpd.
What is wrong with my configuration? Can you please help me.
Thanks.

(*)
Device1# route add 172.16.2.0/24 172.31.1.2 -mpath
add net 172.16.2.0/24: gateway 172.31.1.2
Device1# route add 172.16.2.0/24 172.31.2.2 -mpath
add net 172.16.2.0/24: gateway 172.31.2.2
Device1# netstat -rnf inet | grep 172.16.2
172.16.2/24    172.31.1.2    UGSP   0    0    -    8 gre1
172.16.2/24    172.31.2.2    UGSP   0    0    -    8 gre2

Device2# route add 172.16.1.0/24 172.31.1.1 -mpath
add net 172.16.1.0/24: gateway 172.31.1.1
Device2# route add 172.16.1.0/24 172.31.2.1 -mpath
add net 172.16.1.0/24: gateway 172.31.2.1
Device2# netstat -rnf inet | grep 172.16.1
172.16.1/24    172.31.1.1    UGSP   0    0    -    8 gre1
172.16.1/24    172.31.2.1    UGSP   0    0    -    8 gre2





Route based IPsec

2023-05-27 Thread Valdrin MUJA
Hello,

I need Route based IPsec solution to set up between a firewall device and 
my OpenBSD firewall.
However, I am a little confused about this:
I created more than one enc device, I did policy based routing with PF but no 
results. I guess this is not the intended use of interfaces like enc[0,1]. But 
since I am not sure, I would like to ask:
Does OpenBSD have routed based IPsec support? Thanks in advance.


Using veb instead of bridge at vpls section

2023-03-20 Thread Valdrin MUJA
Hello folks,

I have successfully configured the VPLS by following the instruction on 
https://pawa.lt/posts/2018/01/vpls-with-openbsd/.
Everything worked like a charm.

But when I tried to use veb(4)  instead of bridge(4) , I got 'Device Busy' 
error.
I'm guessing ldpd(8) doesn't support the veb interface. Is it true?
I'm just trying to be sure. If this is the case, I hope one day ldpd(8) will 
get veb(4) support. Thanks for these great efforts.



Re: increasing max value of rdomain/rtable

2022-04-01 Thread Valdrin MUJA
Hmm I get it. Thanks Stuart. You are very helpful as always.

--
Valdrin

From: owner-m...@openbsd.org  on behalf of Stuart 
Henderson 
Sent: Friday, April 1, 2022 10:43
To: misc@openbsd.org 
Subject: Re: increasing max value of rdomain/rtable

On 2022-04-01, Valdrin MUJA  wrote:
> I want to increase the number of rdomain/rtable from 255 to 1024. I will do 
> this at my own risk. I had a look at the kernel code but couldn't figure out 
> how to upgrade it. I would be very grateful if you could guide me on this. 
> Thanks in advance.

I'm not sure if that's possible without wider changes, struct dommp
only allows for 8 bits for rdomains.

--
Please keep replies on the mailing list.



increasing max value of rdomain/rtable

2022-04-01 Thread Valdrin MUJA
Hello,

I want to increase the number of rdomain/rtable from 255 to 1024. I will do 
this at my own risk. I had a look at the kernel code but couldn't figure out 
how to upgrade it. I would be very grateful if you could guide me on this. 
Thanks in advance.

--
Valdrin


Re: apu2e4 intermittent network freeze

2022-01-31 Thread Valdrin MUJA
Wow!
"Parallel forwarding" with multiqueue on em(4) is so beautiful, like a dream.
Should we hope that we will see those beautiful days very soon?

From: owner-m...@openbsd.org  on behalf of Hrvoje 
Popovski 
Sent: Monday, January 31, 2022 20:52
To: Amarendra Godbole 
Cc: Łukasz Moskała ; misc 
Subject: Re: apu2e4 intermittent network freeze

On 31.1.2022. 17:03, Amarendra Godbole wrote:
> [...]
>
> Thanks for your response(s). A few releases ago I did have a bridge,
> but realized it causes an overall throughput drop rather than using
> individual interfaces directly. I should have clarified -- even though
> both interfaces are on the same subnet, only one is connected at any
> given time, until yesterday, when I started seeing the issue on em1.
>
> Let me give a try to veb(4) and vport(4).
>
> -Amarendra


It would be great that em(4) have multiqueue support, that box with
veb(4) and "parallel forwarding" diff on tech@ would kick ass :)




Re: Adding Password Protection to Single User Mode

2021-07-07 Thread Valdrin MUJA
Thanks for suggestions,
I removed the "secure" from /etc/ttys but I can still use "boot -s" without 
password. Is this about console connection?

Updated ttys file;

# cat /etc/ttys  | grep 115200
tty00   "/usr/libexec/getty std.115200" vt220   off

From: Paul de Weerd 
Sent: Tuesday, July 6, 2021 17:36
To: Valdrin MUJA 
Cc: misc@openbsd.org 
Subject: Re: Adding Password Protection to Single User Mode

On Tue, Jul 06, 2021 at 12:27:03PM +, Valdrin MUJA wrote:
| Hi Folks,
|
| I want to add a small password protection mechanism to
| "boot -s" (single-user mode).
|
| Therefore, I'm working on /sys/stand/boot/boot.c, I've written
|  some code in boot.c, and run "make", "make obj", "make install"
|  in /sys/. However, I couldn't enable my update "boot" binary on startup.
| On startup, the default boot program is working.
|
| How can I replace my updated boot program with the default one?
|
| P.S.: I've tried compile and install kernel and the result didn't change.

After building a new boot loader, you will need to use installboot(8)
to actually install said code into the system.  Your `make install`
merely placed the bootloader into the spot in the filesystem where
installboot expects to find it, but won't do the special editing of
the disk that installboot does.

(but also see the replies from others about ttys(5) to deal with your
situation without potentially screwing up your entire system with a
faulty bootloader)

Cheers,

Paul 'WEiRD' de Weerd

--
>[<++>-]<+++.>+++[<-->-]<.>+++[<+
+++>-]<.>++[<>-]<+.--.[-]
 http://www.weirdnet.nl/
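
An added check for the ttys(5) approach mentioned in this thread (example code, not from the posters or the OpenBSD project): init(8) looks at the `console` entry of /etc/ttys, not at a serial line's own entry such as tty00, and asks for the root password before a single-user shell only when that entry is not marked `secure`. The sample ttys contents are constructed; only the tty00 line comes from the message above.

```shell
#!/bin/sh
# Constructed ttys(5) sample with stock-style entries.
ttys_stock() {
cat <<'EOF'
# name  getty                           type    status
console "/usr/libexec/getty std.9600"   vt220   off secure
ttyC0   "/usr/libexec/getty std.9600"   vt220   on  secure
tty00   "/usr/libexec/getty std.115200" vt220   off
EOF
}

# Same file after removing "secure" from the console entry only.
ttys_hardened() {
    ttys_stock | sed '/^console[[:space:]]/s/[[:space:]]*secure//'
}

# tty_secure_status NAME: read ttys(5) text on stdin and print
# "secure", "insecure" or "missing" for the entry called NAME.
tty_secure_status() {
    awk -v name="$1" '
    { sub(/#.*/, "") }                  # strip comments
    $1 == name {
        sub(/"[^"]*"/, "CMD")           # collapse the quoted getty command
        state = "insecure"
        for (i = 3; i <= NF; i++)       # flags follow name, command, type
            if ($i == "secure")
                state = "secure"
        print state
        found = 1
        exit
    }
    END { if (!found) print "missing" }'
}

# True when the console entry is insecure, i.e. when init(8) will ask
# for the root password before starting the single-user shell.
single_user_asks_password() {
    [ "$(tty_secure_status console)" = "insecure" ]
}

# Demo on the constructed samples.
for sample in ttys_stock ttys_hardened; do
    printf '%s: console=%s tty00=%s\n' "$sample" \
        "$($sample | tty_secure_status console)" \
        "$($sample | tty_secure_status tty00)"
done
```

On a live system the same check is `tty_secure_status console < /etc/ttys`.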


Adding Password Protection to Single User Mode

2021-07-06 Thread Valdrin MUJA
Hi Folks,

I want to add a small password protection mechanism to
"boot -s" (single-user mode).

Therefore, I'm working on /sys/stand/boot/boot.c, I've written
 some code in boot.c, and run "make", "make obj", "make install"
 in /sys/. However, I couldn't enable my update "boot" binary on startup.
On startup, the default boot program is working.

How can I replace my updated boot program with the default one?

P.S.: I've tried compile and install kernel and the result didn't change.


Re: Howto measure pps at forwarding plane

2021-06-10 Thread Valdrin MUJA
Thanks, it's better now.

From: owner-m...@openbsd.org  on behalf of Claudio 
Jeker 
Sent: Thursday, June 10, 2021 12:33 PM
To: misc@openbsd.org 
Subject: Re: Howto measure pps at forwarding plane

On Thu, Jun 10, 2021 at 09:23:03AM -, Stuart Henderson wrote:
> On 2021-06-10, Valdrin MUJA  wrote:
> > Hello,
> >
> > I'm trying to figure out how much packets are being forwarded on my OpenBSD 
> > firewall.
> > Here a small script i wrote.
> >
> >
> > #!/bin/sh
> >
> >
> > VAL1=`netstat -s | grep 'packets forwarded' | head -1 | awk -F ' ' '{print $1}'`
> >
> > sleep 1
> >
> > VAL2=`netstat -s | grep 'packets forwarded' | head -1 | awk -F ' ' '{print $1}'`
> >
> >
> > echo "$(($VAL2-$VAL1))"
> >
> >
> > But i can not be sure if i am doing the right thing?
> > Can anyone check it please.
> > Thanks.
> >
>
> If you are only interested in IPv4 then yes that'll do it.
> This would save some cpu cycles though:
>
> VAL1=`netstat -s | awk '/packets forwarded/ { print $1; exit }'`
>

And use netstat -spip which limits the number of sysctls made in netstat.

--
:wq Claudio
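
The script from this thread with both suggestions applied (the single awk call and `netstat -sp ip`), as an added example that is not part of the original messages. The function names and the two netstat samples are constructed; the parser also accepts the singular "packet forwarded" that netstat prints when the counter is exactly 1, and the rate function refuses a counter that went backwards.

```shell
#!/bin/sh
# Constructed `netstat -sp ip` excerpts, one second apart.
sample_before() {
cat <<'EOF'
ip:
        2097152 total packets received
        0 bad header checksums
        1048576 packets forwarded
        12 packets not forwardable
        0 redirects sent
EOF
}

sample_after() {
cat <<'EOF'
ip:
        2113000 total packets received
        0 bad header checksums
        1063576 packets forwarded
        12 packets not forwardable
        0 redirects sent
EOF
}

# forwarded_count: read `netstat -sp ip` text on stdin and print the
# IPv4 forwarded-packets counter; fail if the line is not present.
forwarded_count() {
    awk '$2 ~ /^packets?$/ && $3 == "forwarded" { print $1; found = 1; exit }
         END { exit(found ? 0 : 1) }'
}

# pps FIRST SECOND SECS: packets per second between two readings.
pps() {
    [ "$3" -gt 0 ] || return 1      # interval must be positive
    [ "$2" -ge "$1" ] || return 1   # counter went backwards (reset/reboot)
    echo $(( ($2 - $1) / $3 ))
}

# measure [SECS]: live measurement on the router itself.
measure() {
    secs=${1:-1}
    first=$(netstat -sp ip | forwarded_count) || return 1
    sleep "$secs"
    second=$(netstat -sp ip | forwarded_count) || return 1
    pps "$first" "$second" "$secs"
}

# Demo on the constructed samples.
pps "$(sample_before | forwarded_count)" "$(sample_after | forwarded_count)" 1
```

Call `measure 5` on the firewall for a five-second average; a longer interval smooths out the cost of the two netstat invocations.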



Re: bind dhcpd to IP address

2021-06-10 Thread Valdrin MUJA
Thanks, working like a charm.

From: owner-m...@openbsd.org  on behalf of Stuart 
Henderson 
Sent: Thursday, June 10, 2021 12:15 PM
To: misc@openbsd.org 
Subject: Re: bind dhcpd to IP address

On 2021-06-10, Ralf Horstmann  wrote:
> Hi Valdrin,
>
> that setup works fine. You would use "ip helper-address" on the Ciscos to
> forward the DHCP requests to your OpenBSD box. The forwarded requests use the
> specified helper address as unicast destination. No need to have the VLANs
> present on your OpenBSD box.
>
> I'm running dhcpd without -u for that. dhcpd will pickup all packets with
> destination port 67 on the specified interface via bpf. No need to bind to a
> specific IP.

dhcpd will need to be listening on the interface containing the helper-address
though; if you don't want it to actually serve clients on that network, the
subnet declaration can be empty e.g. subnet 192.0.2.0 netmask 255.255.255.0 { }


> I understand your last question as: Can dhcpd provide leases for subnets when
> the dhcpd box has no IP addresses within the range? The answer is yes. You 
> will
> need subnet declarations for all pools in dhcpd.conf though.

The relay includes its own address on the client-facing interface in the
relayed DHCP request; dhcpd uses that to determine which subnet to use.




Howto measure pps at forwarding plane

2021-06-10 Thread Valdrin MUJA
Hello,

I'm trying to figure out how much packets are being forwarded on my OpenBSD 
firewall.
Here a small script i wrote.


#!/bin/sh


VAL1=`netstat -s | grep 'packets forwarded' | head -1 | awk -F ' ' '{print $1}'`

sleep 1

VAL2=`netstat -s | grep 'packets forwarded' | head -1 | awk -F ' ' '{print $1}'`


echo "$(($VAL2-$VAL1))"


But i can not be sure if i am doing the right thing?
Can anyone check it please.
Thanks.


Re: bind dhcpd to IP address

2021-06-10 Thread Valdrin MUJA
Thanks. I'll give a try.

From: Ralf Horstmann 
Sent: Thursday, June 10, 2021 08:42
To: misc@openbsd.org 
Cc: Valdrin MUJA 
Subject: Re: bind dhcpd to IP address

Hi Valdrin,

that setup works fine. You would use "ip helper-address" on the Ciscos to
forward the DHCP requests to your OpenBSD box. The forwarded requests use the
specified helper address as unicast destination. No need to have the VLANs
present on your OpenBSD box.

I'm running dhcpd without -u for that. dhcpd will pickup all packets with
destination port 67 on the specified interface via bpf. No need to bind to a
specific IP.

I understand your last question as: Can dhcpd provide leases for subnets when
the dhcpd box has no IP addresses within the range? The answer is yes. You will
need subnet declarations for all pools in dhcpd.conf though.

Regards,
Ralf

* Valdrin MUJA  [2021-06-09 23:45]:
> Hi misc,
>
>
> I have 5 vlans terminated in Cisco switch as Layer 3.
>
> So the users' gateway is Cisco switch.
>
> The default gateway of Cisco switch is OpenBSD 6.9, which works as an office 
> firewall.
>
> The switch also works as a dhcp server. However, I want OpenBSD office 
> firewall to also act as a dhcp server.
>
> Is this possible while OpenBSD has no vlans on it? Only static routes for 
> these ip networks are installed.
>
>
> I would set dhcp relay on the Cisco switch side, but when I looked at 
> dhcpd(8), I was not entirely sure.
>
> I see that dhcpd can listen on an ip address with the -u[bind_address] 
> parameter, but these lines confused me:
>
> ''With this option, dhcpd can answer DHCPINFORM from clients on non Ethernet 
> interfaces such as tun(4) or pppx(4)’’
>
> What I understand from above is; if I configure -u for a physical (em0) 
> interface’s ip address it will not bind to em0’s IP address.
>
> It will use 255.255.255.255 instead of this. So it will not work; right?
>
>
> One last and probably related question:
>
> Can OpenBSD be configured to distribute ip pools which it doesn’t have?
>
> Thanks for reading…​
>


bind dhcpd to IP address

2021-06-09 Thread Valdrin MUJA
Hi misc,


I have 5 vlans terminated in Cisco switch as Layer 3.

So the users' gateway is Cisco switch.

The default gateway of Cisco switch is OpenBSD 6.9, which works as an office 
firewall.

The switch also works as a dhcp server. However, I want OpenBSD office firewall 
to also act as a dhcp server.

Is this possible while OpenBSD has no vlans on it? Only static routes for these 
ip networks are installed.


I would set dhcp relay on the Cisco switch side, but when I looked at dhcpd(8), 
I was not entirely sure.

I see that dhcpd can listen on an ip address with the -u[bind_address] 
parameter, but these lines confused me:

''With this option, dhcpd can answer DHCPINFORM from clients on non Ethernet 
interfaces such as tun(4) or pppx(4)’’

What I understand from above is; if I configure -u for a physical (em0) 
interface’s ip address it will not bind to em0’s IP address.

It will use 255.255.255.255 instead of this. So it will not work; right?


One last and probably related question:

Can OpenBSD be configured to distribute ip pools which it doesn’t have?

Thanks for reading…​



PPPoE mtu overwrites/ignores

2021-04-25 Thread Valdrin MUJA
Hello misc,

I try to change mtu size of my pppoe client but somehow that value returns to 
1492 after getting ip address from ISP.
I've opened a ticket with them and got the reply ''you could use mtu up to 1600.'' 
So no limitation at their side...

I have simple pppoe config:

inet 0.0.0.0 255.255.255.255 NONE mtu 1550 \
pppoedev em0 authproto pap \
authname 'muja@intisp' authkey 's3cr4ty3s' up
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1

Em0 mtu size is 1558

As a grumpy person, I didn't believe them and quickly installed npppd on 
another computer and used it as pppoe-server but nothing changed. (I've set mru 
as 1550 at npppd.conf)

I use OpenBSD 6.9 with 19 April iso image.

Is this a bug or am i missing something?

Thanks in advance.



speedtest-cli gives too bad result

2021-04-02 Thread Valdrin MUJA
Hi,

I think speedtest-cli port is misbehaving. When I run speedtest-cli under 
OpenBSD OS it scores less than 40Mbit/s.
But when i use this openbsd device as a router i can get the real internet 
speed which is 400mbit/s. (IP Forward + PF + NAT)

I deployed an OpenBSD server on vultr.com assuming there might be a problem 
with my ISP.
But the result was even worse. (7mbit / s)
Later I installed another OS using only the change os option on vultr and I got 
4380.05 Mbit / s speed as download.
I think there is some oddness about speedtest-cli port of OpenBSD.
Thanks for reading.


Layer2 Tunneling Over pppoe(4)

2021-03-27 Thread Valdrin Muja
Hi Misc,

Can we set up egre(4), etherip(4) or vxlan(4) tunnel over pppoe ?

Sent with [ProtonMail](https://protonmail.com) Secure Email.


PF route-to and divert-packet

2021-01-01 Thread Valdrin MUJA
Hi Misc,

I’m trying to use policy based routing (route-to) with divert-packet feature.
I’m just using example code written at divert’s man page. (man divert)
I’ve two WAN interfaces which are pppoe0(default gw) and pppoe1.
Those pf rules works below:
#
pass in log quick on vether10 inet proto udp from 10.10.10.52 to any port 53
pass in log quick on vether10 inet proto tcp from 10.10.10.52 to any port { 80 443 } route-to (pppoe1 (pppoe1))
pass out log quick on pppoe1 inet proto tcp from 10.10.10.52 to any nat-to (pppoe1)

But when I add divert-packet into NAT lines as this:
pass out log quick on pppoe1 inet proto tcp from 10.10.10.52 to any divert-packet port 700 nat-to (pppoe1)

It fails. What should I do for using route-to (+) divert-packet feature 
together.
Please help. Thanks.


PF route-to and divert-packet

2020-12-30 Thread Valdrin Muja
Hi Misc,

I’m trying to use policy based routing (route-to) with divert-packet feature.

I’m just using example code written at divert’s man page. (man divert)

I’ve two wan interfaces which are pppoe0(default gw) and pppoe1

Those pf rules works below:

#

pass in log quick on vether10 inet proto udp from 10.10.10.52 to any port 53

…

#

pass in log quick on vether10 inet proto tcp from 10.10.10.52 to any port { 80 443 } route-to (pppoe1 (pppoe1))

pass out log quick on pppoe1 inet proto tcp from 10.10.10.52 to any nat-to (pppoe1)

But when I add divert-packet into NAT lines as this:

pass out log quick on pppoe1 inet proto tcp from 10.10.10.52 to any divert-packet port 700 nat-to (pppoe1)

It fails. What should I do for using route-to (+) divert-packet feature 
together.

Please help. Thanks.



Measuring Routing Table Capacity

2020-11-20 Thread Valdrin Muja
Hi Misc,

I have a device which installed OpenBSD. I want to measure how many routes the 
routing table can hold?
In brief, I want to measure the routing table's capacity. Is there any way to 
do it?



OpenBSD 6.8 Release Time

2020-10-16 Thread Valdrin Muja
Hi Misc,

I'm looking forward to OpenBSD 6.8 release.

On OpenBSD 6.8 page, `Released Oct XXX` is writing..

https://www.openbsd.org/68.html

When will it be released?



pmap_unwire: wiring for pmap error

2020-09-22 Thread Valdrin Muja
Hi Misc,
I'm getting some error messages on dmesg but couldn't understand what's really 
going on.
I have one binary running under OpenBSD 6.7 and it crashes few times in a day.
Also, system is working slowly. For example, when I run "ifconfig" command it 
runs for a few seconds..

I see these error messages at dmesg:
pmap_unwire: wiring for pmap 0xfd8782e1b710 va 0xc00032c000 didn't change!
pmap_unwire: wiring for pmap 0xfd8782e1b710 va 0xc000b39000 didn't change!
pmap_unwire: wiring for pmap 0xfd8782e1b710 va 0xc000a3a000 didn't change!
pmap_unwire: wiring for pmap 0xfd8782e1b710 va 0xc000b2b000 didn't change!
pmap_unwire: wiring for pmap 0xfd8782e1b710 va 0xc000857000 didn't change!
Here full dmesg
OpenBSD 6.7 (GENERIC.MP) #182: Thu May 7 11:11:58 MDT 2020
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 34302062592 (32712MB)
avail mem = 33249861632 (31709MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.0 @ 0x7f31b000 (54 entries)
bios0: vendor American Megatrends Inc. version "5.13" date 04/10/2019
bios0: Default string Default string
acpi0 at bios0: ACPI 6.1
acpi0: sleep states S0 S5
acpi0: tables DSDT FACP FPDT FIDT MCFG WDAT APIC BDAT HPET UEFI SSDT DMAR SPCR 
HEST BERT ERST EINJ WSMT
acpi0: wakeup devices PEX0(S0) PEX1(S0) PEX2(S0) PEX3(S0) PEX4(S0) PEX5(S0) 
PEX6(S0) PEX7(S0) XHC1(S4) LAN1(S0) LAN0(S0) LAN2(S0) LAN3(S0)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimcfg0 at acpi0
acpimcfg0: addr 0xe000, bus 0-255
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Atom(TM) CPU C3758 @ 2.20GHz, 2200.41 MHz, 06-5f-01
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,MPX,RDSEED,SMAP,CLFLUSHOPT,PT,SHA,MD_CLEAR,IBRS,IBPB,STIBP,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu0: 2MB 64b/line 16-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 25MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.2, IBE
cpu1 at mainbus0: apid 4 (application processor)
cpu1: Intel(R) Atom(TM) CPU C3758 @ 2.20GHz, 2200.03 MHz, 06-5f-01
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,MPX,RDSEED,SMAP,CLFLUSHOPT,PT,SHA,MD_CLEAR,IBRS,IBPB,STIBP,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu1: 2MB 64b/line 16-way L2 cache
cpu1: smt 0, core 2, package 0
cpu2 at mainbus0: apid 8 (application processor)
cpu2: Intel(R) Atom(TM) CPU C3758 @ 2.20GHz, 2200.03 MHz, 06-5f-01
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,MPX,RDSEED,SMAP,CLFLUSHOPT,PT,SHA,MD_CLEAR,IBRS,IBPB,STIBP,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu2: 2MB 64b/line 16-way L2 cache
cpu2: smt 0, core 4, package 0
cpu3 at mainbus0: apid 12 (application processor)
cpu3: Intel(R) Atom(TM) CPU C3758 @ 2.20GHz, 2200.03 MHz, 06-5f-01
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,MPX,RDSEED,SMAP,CLFLUSHOPT,PT,SHA,MD_CLEAR,IBRS,IBPB,STIBP,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu3: 2MB 64b/line 16-way L2 cache
cpu3: smt 0, core 6, package 0
cpu4 at mainbus0: apid 16 (application processor)
cpu4: Intel(R) Atom(TM) CPU C3758 @ 2.20GHz, 2200.03 MHz, 06-5f-01
cpu4: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,SDBG,CX16,xTPR,PDCM,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,RDRAND,NXE,PAGE1GB,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,FSGSBASE,TSC_ADJUST,SMEP,ERMS,MPX,RDSEED,SMAP,CLFLUSHOPT,PT,SHA,MD_CLEAR,IBRS,IBPB,STIBP,SSBD,SENSOR,ARAT,XSAVEOPT,XSAVEC,XGETBV1,XSAVES
cpu4: 2MB 64b/line 16-way L2 cache
cpu4: smt 0, core 8, package 0
cpu5 at mainbus0: apid 20 (application processor)
cpu5: Intel(R) Atom(TM) CPU C3758 @ 2.20GHz, 2200.03 

pmap_unwire: wiring for pmap error

2020-09-03 Thread Valdrin Muja
ueuepl 144 299 0 22 1 0 1 1 0 8 0

knotepl 112 1155269 0 99 11 7 4 7 0 8 0

futexpl 56 85974 0 31 2 1 1 1 0 8 0

sigapl 424 142384 0 81 73 62 11 13 0 8 0

plimitpl 152 95 0 23 2 0 2 2 0 8 0

scxspl 192 331815 0 0 22 21 1 2 0 8 1

pfiaddrpl 120 24 0 24 1 0 1 1 0 8 0

xhcixfer 240 31 0 1 1 0 1 1 0 8 0

percpumem 64 114 0 113 2 0 2 2 0 8 0

namei 1024 6280527 0 0 3 2 1 1 0 8 1

vnodes 208 77686 0 77686 4089 0 4089 4089 0 8 0

uvmvnodes 72 77686 0 77686 1413 0 1413 1413 0 8 0

nchpl 144 83863 0 4239 163 5 158 158 0 8 0

ffsino 240 77613 0 41275 2440 11 2429 2429 0 8 0

dino1pl 128 3762 0 1244 44 3 41 41 0 8 0

dino2pl 256 73851 0 40031 2582 79 2503 2503 0 8 0

dirhash 1024 344 0 279 35 0 35 35 0 8 0

art_node 16 6181 0 985 5 0 5 5 0 8 0

art_table 32 2354 0 613 6 0 6 6 0 8 0

art_heap4 256 2353 0 612 40 0 40 40 0 8 0

art_heap8 4096 1 0 1 1 0 1 1 0 8 0

pfrule 1360 118 0 118 10 0 10 10 0 8 0

pfstate 328 2560883 0 19434 3746 1986 1760 2124 0 8 0

pfstkey 112 3541803 0 30526 1289 272 1017 1094 0 8 1

pfstitem 24 3541803 0 30526 232 6 226 231 0 8 0

pfrktable 1344 1055 0 60 87 63 24 87 0 8 0

pfrke_plain 160 2231 0 988 93 39 54 93 0 8 0

pfosfpen 112 714 0 714 21 0 21 21 0 8 0

pfosfp 40 423 0 423 5 0 5 5 0 8 0

rttmr 72 15 0 0 13 13 0 1 0 8 0

inpcb 280 504026 0 54 12 5 7 9 0 8 0

tcpcb 544 2606 0 44 12 7 5 8 0 8 0

tcpqe 32 881 0 0 230 230 0 3 0 8 0

sackhl 24 2454 0 0 35 35 0 4 0 8 0

syncache 264 821 0 0 236 236 0 1 0 8 0

unpcb 120 297 0 29 6 5 1 2 0 8 0

rtentry 112 6181 0 987 30 0 30 30 0 8 0

rtpcb 80 213 0 1 2 1 1 1 0 8 0

plcache 128 80 0 80 3 0 3 3 0 8 0

arp 64 5937 0 760 14 0 14 14 0 8 0

In use 142409K, total allocated 190056K; utilization 74.9%

# config -e /bsd

WARNING no output file specified

OpenBSD 6.7 (GENERIC.MP) #182: Thu May 7 11:11:58 MDT 2020

dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

Enter 'help' for information

ukc> nkmempg

nkmempages = 762729960

ukc>

# uptime

5:02PM up 3:20, 3 users, load averages: 0.90, 0.84, 0.89

56 processes: 54 idle, 2 on processor up 3:21

CPU0 states: 0.8% user, 0.0% nice, 0.2% sys, 0.0% spin, 4.8% intr, 94.2% idle

CPU1 states: 0.4% user, 0.0% nice, 0.4% sys, 0.0% spin, 0.0% intr, 99.2% idle

CPU2 states: 7.6% user, 0.0% nice, 17.8% sys, 0.6% spin, 0.0% intr, 74.1% idle

CPU3 states: 5.4% user, 0.0% nice, 14.4% sys, 0.6% spin, 0.0% intr, 79.6% idle

CPU4 states: 6.0% user, 0.0% nice, 15.2% sys, 0.2% spin, 0.0% intr, 78.6% idle

CPU5 states: 2.8% user, 0.0% nice, 5.8% sys, 0.0% spin, 0.0% intr, 91.4% idle

CPU6 states: 1.6% user, 0.0% nice, 2.2% sys, 0.2% spin, 0.0% intr, 96.0% idle

CPU7 states: 1.0% user, 0.0% nice, 1.0% sys, 0.0% spin, 0.0% intr, 98.0% idle

Memory: Real: 1568M/6249M act/tot Free: 25G Cache: 4362M Swap: 0K/4103M

--
Valdrin Muja


Poor divert-packet performance

2020-07-15 Thread Valdrin Muja
Hi Misc,

I'm making some trials and benchmarks about pf's divert. My test environment is 
like this;

I have 2 Linux devices which are directly 
connected to an OpenBSD device. This OpenBSD device acts like a router.

Network settings in OpenBSD:
-
vertigo# ifconfig em1
em1: flags=8843 mtu 1500
lladdr 00:30:18:0a:a6:2e
index 2 priority 0 llprio 3
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active
inet 172.20.35.1 netmask 0xff00 broadcast 172.20.35.255
vertigo# ifconfig em2
em2: flags=8843 mtu 1500
lladdr 00:30:18:0a:a6:2f
index 3 priority 0 llprio 3
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active
inet 172.20.36.1 netmask 0xff00 broadcast 172.20.36.255
vertigo#
---
---
vertigo# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding=1
---
my pf.conf is like this;
---
vertigo# cat /etc/pf.conf
# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

set skip on lo
# em1
pass in log quick on em1 from em1:network to 172.20.36.0/24
pass out log quick on em1 from 172.20.36.0/24 to em1:network
# em2
pass in log quick on em2 from em2:network to 172.20.35.0/24
pass out log quick on em2 from 172.20.35.0/24 to em2:network
# block all
block log quick all
block return # block stateless traffic
pass # establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild


On Linux-1, I'm making benchmark tests to Linux-2 with qperf,


vertigo@linux1:~$ qperf 172.20.35.2 tcp_bw tcp_lat -t 10
tcp_bw:
bw = 115 MB/sec
tcp_lat:
latency = 157 us
vertigo@linux1:~$ qperf 172.20.35.2 udp_bw udp_lat -t 10
udp_bw:
send_bw = 120 MB/sec
recv_bw = 120 MB/sec
udp_lat:
latency = 158 us
vertigo@linux1:~$
-
After that, I updated the pf.conf and diverted packages to port 700

--
vertigo# cat /etc/pf.conf
# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

set skip on lo
# em1
pass in log quick on em1 from em1:network to 172.20.36.0/24
pass out log quick on em1 from 172.20.36.0/24 to em1:network divert-packet port 700
# em2
pass in log quick on em2 from em2:network to 172.20.35.0/24
pass out log quick on em2 from 172.20.35.0/24 to em2:network divert-packet port 700
# block all
block log quick all
block return # block stateless traffic
pass # establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild
--
On port 700, I run the example program on OpenBSD divert manpage.
https://man.openbsd.org/divert.4
-

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <err.h>

#define DIVERT_PORT 700

int
main(int argc, char *argv[])
{
	int fd, s;
	struct sockaddr_in sin;
	socklen_t sin_len;

	fd = socket(AF_INET, SOCK_RAW, IPPROTO_DIVERT);
	if (fd == -1)
		err(1, "socket");

	/* Bind the divert socket to the port named in the pf rules. */
	memset(&sin, 0, sizeof(sin));
	sin.sin_family = AF_INET;
	sin.sin_port = htons(DIVERT_PORT);
	sin.sin_addr.s_addr = 0;

	sin_len = sizeof(struct sockaddr_in);

	s = bind(fd, (struct sockaddr *) &sin, sin_len);
	if (s == -1)
		err(1, "bind");

	for (;;) {
		ssize_t n;
		char packet[IP_MAXPACKET];
		struct ip *ip;
		struct tcphdr *th;
		int hlen;
		char src[48], dst[48];

		memset(packet, 0, sizeof(packet));
		n = recvfrom(fd, packet, sizeof(packet), 0,
		    (struct sockaddr *) &sin, &sin_len);
		if (n == -1) {
			warn("recvfrom");
			continue;
		}
		if (n < sizeof(struct ip)) {
			warnx("packet is too short");
			continue;
		}

		/* Check the header length and total length before use. */
		ip = (struct ip *) packet;
		hlen = ip->ip_hl << 2;
		if (hlen < sizeof(struct ip) || ntohs(ip->ip_len) < hlen ||
		    n < ntohs(ip->ip_len)) {
			warnx("invalid IPv4 packet");
			continue;
		}

		th = (struct tcphdr *) (packet + hlen);

		if (inet_ntop(AF_INET, &ip->ip_src, src,
		    sizeof(src)) == NULL)
			(void)strlcpy(src, "?", sizeof(src));

		if (inet_ntop(AF_INET, &ip->ip_dst, dst,
		    sizeof(dst)) == NULL)
			(void)strlcpy(dst, "?", sizeof(dst));

		printf("%s:%u -> %s:%u\n",
		    src,
		    ntohs(th->th_sport),
		    dst,
		    /* Remainder as in the divert(4) manual page example. */
		    ntohs(th->th_dport)
		);

		/* Reinject the packet so that it continues on its way. */
		n = sendto(fd, packet, n, 0, (struct sockaddr *) &sin,
		    sin_len);
		if (n == -1)
			warn("sendto");
	}

	return 0;
}

Disabling OpenBSD Login Prompt

2020-06-10 Thread Valdrin MUJA
Hi Misc,



I want to disable the OpenBSD login prompt at startup (and also after logging
out), because I want to run my external program instead of ksh. My program
also has a login prompt and I want to use it.



I updated the /etc/ttys ; 

valdrin# cat /etc/ttys
#
#   $OpenBSD: ttys,v 1.2 2008/01/09 17:39:42 miod Exp $
#
# name  getty   type    status  comments
#
console "/usr/libexec/getty std.9600"   vt220   off secure
ttyC0   "/usr/libexec/getty std.9600"   vt220   on  secure
ttyC1   "/usr/libexec/getty std.9600"   vt220   on  secure
ttyC2   "/usr/libexec/getty std.9600"   vt220   on  secure
ttyC3   "/usr/libexec/getty std.9600"   vt220   on  secure
ttyC4   "/usr/libexec/getty std.9600"   vt220   off secure
ttyC5   "/usr/libexec/getty std.9600"   vt220   on  secure
ttyC6   "/usr/libexec/getty std.9600"   vt220   off secure
ttyC7   "/usr/libexec/getty std.9600"   vt220   off secure
ttyC8   "/usr/libexec/getty std.9600"   vt220   off secure
ttyC9   "/usr/libexec/getty std.9600"   vt220   off secure
ttyCa   "/usr/libexec/getty std.9600"   vt220   off secure
ttyCb   "/usr/libexec/getty std.9600"   vt220   off secure
tty00   "/root/myprogram"   vt220   on  secure
tty01   "/usr/libexec/getty std.9600"   unknown off
tty02   "/usr/libexec/getty std.9600"   unknown off
tty03   "/usr/libexec/getty std.9600"   unknown off
tty04   "/usr/libexec/getty std.9600"   unknown off
tty05   "/usr/libexec/getty std.9600"   unknown off
tty06   "/usr/libexec/getty std.9600"   unknown off
tty07   "/usr/libexec/getty std.9600"   unknown off



I'm connected to the device through the com0 port, so I updated tty00 to run my
external program. However, the system gets stuck after the date appears on startup.



starting network 
reordering libraries: done.
starting early daemons: syslogd ntpd.
starting RPC daemons:.
savecore: no core dump
checking quotas: done.
clearing /tmp
kern.securelevel: 0 -> 1
creating runtime link editor directory cache.
preserving editor files.
starting network daemons: sshd.
starting local daemons: cron.
Wed Jun 10 10:27:04 +03 2020





Also, I tried "chsh" and "chpass", but the OpenBSD login prompt still appears.
How can I overcome this issue?



Thanks..


Re: Disabling OpenBSD Login Prompt

2020-06-10 Thread Valdrin MUJA
Sorry for the lack of information,

Firstly, my program is a kind of interactive shell which has its own login
prompt. What I want to do is run my program on startup and not use the OpenBSD
login prompt.

When I use "chsh", the OpenBSD login prompt appears first; after that my
program runs and my program's login prompt appears.

Lastly, I tried to update /etc/ttys and replace getty with my program to
disable the OpenBSD login prompt and run my program. However, obviously this
didn't work.

In short, I want to disable the OpenBSD login prompt and run my program.

From: owner-m...@openbsd.org on behalf of Kapetanakis Giannis
Sent: Wednesday, 10 June 2020 12:21
To: misc@openbsd.org
Subject: Re: Disabling OpenBSD Login Prompt

On 10/06/2020 12:03, Valdrin MUJA wrote:
> Hi Misc,
>
> I want to disable the OpenBSD login prompt at startup (and also after logging
> out), because I want to run my external program instead of ksh. My program
> also has a login prompt and I want to use it.
>
> I updated the /etc/ttys ;
>
> valdrin# cat /etc/ttys
> #
> #   $OpenBSD: ttys,v 1.2 2008/01/09 17:39:42 miod Exp $
> #
> # name  getty   type    status  comments
> #
> console "/usr/libexec/getty std.9600"   vt220   off secure
> ttyC0   "/usr/libexec/getty std.9600"   vt220   on  secure
> ttyC1   "/usr/libexec/getty std.9600"   vt220   on  secure
> ttyC2   "/usr/libexec/getty std.9600"   vt220   on  secure
> ttyC3   "/usr/libexec/getty std.9600"   vt220   on  secure
> ttyC4   "/usr/libexec/getty std.9600"   vt220   off secure
> ttyC5   "/usr/libexec/getty std.9600"   vt220   on  secure
> ttyC6   "/usr/libexec/getty std.9600"   vt220   off secure
> ttyC7   "/usr/libexec/getty std.9600"   vt220   off secure
> ttyC8   "/usr/libexec/getty std.9600"   vt220   off secure
> ttyC9   "/usr/libexec/getty std.9600"   vt220   off secure
> ttyCa   "/usr/libexec/getty std.9600"   vt220   off secure
> ttyCb   "/usr/libexec/getty std.9600"   vt220   off secure
> tty00   "/root/myprogram"   vt220   on  secure
> tty01   "/usr/libexec/getty std.9600"   unknown off
> tty02   "/usr/libexec/getty std.9600"   unknown off
> tty03   "/usr/libexec/getty std.9600"   unknown off
> tty04   "/usr/libexec/getty std.9600"   unknown off
> tty05   "/usr/libexec/getty std.9600"   unknown off
> tty06   "/usr/libexec/getty std.9600"   unknown off
> tty07   "/usr/libexec/getty std.9600"   unknown off
>
> I'm connected to the device through the com0 port, so I updated tty00 to run
> my external program. However, the system gets stuck after the date appears on
> startup.
>
>
> starting network
> reordering libraries: done.
> starting early daemons: syslogd ntpd.
> starting RPC daemons:.
> savecore: no core dump
> checking quotas: done.
> clearing /tmp
> kern.securelevel: 0 -> 1
> creating runtime link editor directory cache.
> preserving editor files.
> starting network daemons: sshd.
> starting local daemons: cron.
> Wed Jun 10 10:27:04 +03 2020
>
>
> Also, I tried "chsh" and "chpass", but the OpenBSD login prompt still appears.
> How can I overcome this issue?
>
> Thanks..


Since you're mixing login prompt (getty) with login shell (ksh) and since you
don't provide info about "yourprogram" I believe that maybe you're mixing
things up?

If you want to change a user's login shell, chsh(1) should be used.
This specifies what shell is run for that user after login is successful.

getty(8) is controlled by /etc/ttys - ttys(5) and has nothing to do with user 
login shell.

read the man pages.

G



Disabling OpenBSD Login Prompt

2020-06-10 Thread Valdrin MUJA
Hi Misc,

I want to disable the OpenBSD login prompt at startup (and also after logging
out), because I want to run my external program instead of ksh. My program
also has a login prompt and I want to use it.

I updated the /etc/ttys ;

valdrin# cat /etc/ttys
#
#   $OpenBSD: ttys,v 1.2 2008/01/09 17:39:42 miod Exp $
#
# name  getty   type    status  comments
#
console "/usr/libexec/getty std.9600"   vt220   off secure
ttyC0   "/usr/libexec/getty std.9600"   vt220   on  secure
ttyC1   "/usr/libexec/getty std.9600"   vt220   on  secure
ttyC2   "/usr/libexec/getty std.9600"   vt220   on  secure
ttyC3   "/usr/libexec/getty std.9600"   vt220   on  secure
ttyC4   "/usr/libexec/getty std.9600"   vt220   off secure
ttyC5   "/usr/libexec/getty std.9600"   vt220   on  secure
ttyC6   "/usr/libexec/getty std.9600"   vt220   off secure
ttyC7   "/usr/libexec/getty std.9600"   vt220   off secure
ttyC8   "/usr/libexec/getty std.9600"   vt220   off secure
ttyC9   "/usr/libexec/getty std.9600"   vt220   off secure
ttyCa   "/usr/libexec/getty std.9600"   vt220   off secure
ttyCb   "/usr/libexec/getty std.9600"   vt220   off secure
tty00   "/root/myprogram"   vt220   on  secure
tty01   "/usr/libexec/getty std.9600"   unknown off
tty02   "/usr/libexec/getty std.9600"   unknown off
tty03   "/usr/libexec/getty std.9600"   unknown off
tty04   "/usr/libexec/getty std.9600"   unknown off
tty05   "/usr/libexec/getty std.9600"   unknown off
tty06   "/usr/libexec/getty std.9600"   unknown off
tty07   "/usr/libexec/getty std.9600"   unknown off

I'm connected to the device through the com0 port, so I updated tty00 to run my
external program. However, the system gets stuck after the date appears on startup.


starting network
reordering libraries: done.
starting early daemons: syslogd ntpd.
starting RPC daemons:.
savecore: no core dump
checking quotas: done.
clearing /tmp
kern.securelevel: 0 -> 1
creating runtime link editor directory cache.
preserving editor files.
starting network daemons: sshd.
starting local daemons: cron.
Wed Jun 10 10:27:04 +03 2020


Also, I tried "chsh" and "chpass", but the OpenBSD login prompt still appears.
How can I overcome this issue?

Thanks..




Re: Howto change login mechanism on OpenBSD

2020-05-25 Thread Valdrin MUJA
Hello Again,

Actually I updated the /etc/ttys file and added my program instead of getty.
However, after boot, there was still the OpenBSD login prompt before my program
started.

On the other hand, I tried chpass -s $myprogram $user, but I'm still faced with
the same problem: there was the OpenBSD login prompt.

In short, I want to disable the OpenBSD login prompt and execute my program. If
the user exits this external program, my program should run again etc.




On Thu, 21 May 2020 01:53:29 +0200 Jeff Joshua Rollin wrote:


On Wed, 2020-05-20 at 17:00 -0500, Edgar Pettijohn wrote: 
> On Wed, May 20, 2020 at 09:50:17PM + 
> > 
> > I believe /etc/ttys controls getty, which may or not help. Getty is 
> > respawned too. 
> > https://man.openbsd.org/man5/ttys.5 
> 
> I think you're right. Might just need to change a line in /etc/ttys to
> execute /bin/{my_program}.
> 
> Edgar 
> 
 
Perhaps a better way would be just to change the user's login shell to 
the name of your program: chpass -s $myprogram $user. That way you can 
use OpenBSD's login authentication, and login automatically runs the 
program when the user logs in; when the user quits the program they are 
automatically logged out. Provided there's no way to execute a shell 
from within the program, they therefore can't execute arbitrary code 
once logged in. It's easy to add a user for this single purpose: just 
add the user as normal, and specify $myprogram as the shell. 
 
Jeff.


Howto change login mechanism on OpenBSD

2020-05-20 Thread Valdrin MUJA
Hi Misc,

I have an interactive shell program which has an authentication section and I 
want to login via my program. How can I do that?

Actually I want to run this program instead of /bin/ksh. I changed root's
shell with the "chsh -s /bin/{my_program} root" command. However, when the
system boots, the OpenBSD login comes first and after that my program runs.

In short, I want to run an external program on startup without the OpenBSD login.


Golang under Arm or Octeon

2019-03-21 Thread Valdrin MUJA
Hi Misc,



I want to learn if there is any work-in-progress port for Golang under Arm or 
Octeon cpu architectures?

Thanks.



--

Best wishes

Valdrin Muja


OpenBSD and SDN

2017-10-22 Thread Valdrin MUJA
Hi,

I study software defined networks at my university. There are two parts in my
project: the campus side and the data center side.
I have chosen OpenBSD as the networking OS because of its visionary base system
and thanks to all the people of OpenBSD, especially to Mr. Theo De Raadt.

I just want to understand what the future of OpenBSD is and have some
questions:
At the campus side I also analyze edge hardware and my question is about
PoE/PoE+ ports. Does the OpenBSD team have plans or a roadmap about supporting
this kind of hardware?
Will OpenBSD have an IPS which would probably be better than Snort?

And for the data center: how about supporting 25GbE/40GbE/100GbE speed Ethernet
chips?
Is there any continuing project which will cover network protocols like NVGRE
or else? Will OpenBSD support M-LAG?
I see that vmd and switchd will create lots of benefits in the cloud area by
talented hands.
Will switchd go on supporting new features which are already included on its
roadmap?

I'm trying to understand OpenBSD's vision and hope that we could see more of
OpenBSD's futuristic secure features.
Thanks for reading my questions and have a nice weekend.

--
Best wishes
Valdrin Muja