Re: Relayd SSL Configuration with Certbot Certs
In relayd.conf you use something like this for each domain you are reverse proxying:

    # load certs
    tls keypair www.example.com
    tls keypair www.another_example.net
    tls keypair www.third_example.com

Put your certs in /etc/ssl/ and keys in /etc/ssl/private/. They have to be named so they match the domains in relayd.conf, so for the above:

    /etc/ssl/www.example.com.crt
    /etc/ssl/private/www.example.com.key

and permissions on the /etc/ssl/private dir need to be restrictive.

On Sun, 20 Sep 2020 at 08:15, Benjamin Raskin wrote:
> Hello, Misc;
>
> I'm attempting to configure relayd to work as a reverse proxy, such that all
> web traffic goes through relayd prior to reaching some web server. I'm
> confused as to how I am to configure the ssl cert and key options in the
> relayd configuration. The manual configures the protocol as follows:
>
>     http protocol httpfilter {
>         tls ca key "/etc/ssl/private/ca.key" password "password123"
>         tls ca cert "/etc/ssl/ca.crt"
>     }
>
> Where do I get the password for the key? I'm using certbot to generate the
> certs, and at no time was I prompted to enter, or given, a password. Am I
> missing something in terms of configuration or cert generation, or have I
> gotten everything all wrong? Thank you in advance.
>
> Ben Raskin
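The reply above leaves the operator to verify two things by hand: that every `tls keypair NAME` in relayd.conf has a matching /etc/ssl/NAME.crt and /etc/ssl/private/NAME.key, and that the private directory and keys are not group- or world-readable. The script below is an added example (not from the thread, and not part of relayd) that performs that audit. It assumes the file layout the reply describes and a POSIX sh with ls, sed and awk; the demo tree it builds is constructed for the example.

```sh
#!/bin/sh
# Added example, not from the thread: audit a relayd.conf against the
# certificate/key layout relayd(8) expects. For each "tls keypair NAME"
# line it checks SSL_DIR/NAME.crt and SSL_DIR/private/NAME.key exist and
# that the private/ directory and every key carry no group/other bits.

# True (exit 0) when group or other have any permission bit set.
# Columns 5-10 of "ls -l" are the rwxrwx fields for group and other in
# the POSIX long format, so this works on OpenBSD and Linux alike.
perms_open() {
    case $(ls -ld "$1" | cut -c5-10) in
        ------) return 1 ;;
        *)      return 0 ;;
    esac
}

# Usage: check_keypairs /etc/relayd.conf /etc/ssl
# Prints one line per problem; returns 1 if any were found, else 0.
check_keypairs() {
    conf=$1
    ssl_dir=$2
    rc=0

    # private/ itself must be restrictive regardless of the key modes
    if [ -d "$ssl_dir/private" ] && perms_open "$ssl_dir/private"; then
        echo "group/other can access $ssl_dir/private"
        rc=1
    fi

    # Strip comments, then take the third word of "tls keypair NAME" lines.
    for name in $(sed 's/#.*//' "$conf" | awk '$1 == "tls" && $2 == "keypair" { print $3 }'); do
        crt="$ssl_dir/$name.crt"
        key="$ssl_dir/private/$name.key"
        [ -f "$crt" ] || { echo "missing certificate: $crt"; rc=1; }
        if [ -f "$key" ]; then
            perms_open "$key" && { echo "key readable by group/other: $key"; rc=1; }
        else
            echo "missing key: $key"
            rc=1
        fi
    done
    return $rc
}

# Constructed demo tree: one complete, tight keypair and one with a
# missing certificate and a world-readable key. Returns check_keypairs'
# status, so it exits 1 because of the second keypair.
demo() {
    d=$(mktemp -d) || return 2
    mkdir -m 700 "$d/private"
    cat > "$d/relayd.conf" <<'EOF'
# load certs
tls keypair www.example.com
tls keypair www.another_example.net
EOF
    : > "$d/www.example.com.crt"
    : > "$d/private/www.example.com.key"
    chmod 600 "$d/private/www.example.com.key"
    : > "$d/private/www.another_example.net.key"
    chmod 644 "$d/private/www.another_example.net.key"
    check_keypairs "$d/relayd.conf" "$d" && rc=0 || rc=$?
    rm -rf "$d"
    return $rc
}

# On a real host: check_keypairs /etc/relayd.conf /etc/ssl
```

Running `demo` reports the missing www.another_example.net.crt and the 0644 key, which is exactly the failure mode a certbot deploy hook that copies files with default umask would produce.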
Re: obsd 6.7 - TOR relay (non-exit) & /var folder
What do you have set for Log notice in /etc/tor/torrc?

I run a tor relay without problems on 6.7 and use:

    Log notice syslog

On Sun, 28 Jun 2020 at 13:59, Salvatore Cuzzilla wrote:
> the issue is temporary "solved":
>
>     03:42:36 -ksh ToTo@APU2c4 ~ $ doas cat /etc/tor/torrc | egrep "^Log "
>     Log debug file /dev/null
>     Log info file /dev/null
>     Log notice file /dev/null
>
> it's confirmed that something is not going well with the logs handling ...
>
>> On 25 Jun 2020, at 15:39, Stuart Henderson wrote:
>>
>> On 2020/06/25 14:59, Salvatore Cuzzilla wrote:
>>> Unfortunately the only thing i know for sure is that the /var folder is
>>> constantly losing free space & when i restart tor it gets back to
>>> normal. I can't (I don't know how to) figure out the involved files ...
>>>
>>> "du" is not really helping nor "fstat" ... Is there anything else
>>> i could test?
>>
>> du won't show size of an unlinked file.
>>
>> fstat won't show filenames but will show inode numbers. If it is from a
>> file that existed at startup and was then moved away, you could capture
>> inode numbers of all files on the filesystem when starting (find /var
>> -ls, the first number is the inode number), then compare with the INUM
>> column in fstat.
>>
>> Or, if you change logs to syslog, and that fixes the problem, you have
>> your answer...
>>
>>> On 25.06.2020 09:29, Stuart Henderson wrote:
>>>> On 2020-06-24, Salvatore Cuzzilla wrote:
>>>>> After a few attempts, I still don't understand what's going on;
>>>>> it seems that the only way to free up the /var folder is to restart the
>>>>> tor daemon.
>>>>>
>>>>> "pkill -HUP -u _tor -U _tor -x tor" didn't help ...
>>>>>
>>>>> Other ideas?
>>>>
>>>> Did you figure out what files are involved?
>>>>
>>>> If it's logs, use syslog instead.
>>>
>>> ---
>>> :wq,
>>> Salvatore.
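Stuart's suggestion in the quoted thread (snapshot `find /var -ls` at startup, then join its inode column against fstat's INUM column) is the standard way to name a file that a daemon still holds open after it was unlinked, which is why du(1) cannot account for the space. The script below is an added example, not from the thread, that does that join with awk. The two listings are constructed sample output in the shape of OpenBSD's `find -ls` (inode first) and fstat(1) (INUM in column 6, size in column 9); the inode numbers, paths and sizes are made up for the example.

```sh
#!/bin/sh
# Added example (not from the thread): correlate a saved "find /var -ls"
# listing with fstat(1) output so an open-but-unlinked file can be tied
# back to the path it had when the listing was taken.

# Constructed sample of "find /var -ls" saved before the daemon started.
# Field 1 is the inode, the last field is the path.
SAVED_FIND_LS='
123456   4 -rw-r-----  1 _tor  _tor    2048 Jun 25 09:00 /var/tor/notices.log
123457  40 -rw-r-----  1 _tor  _tor   40960 Jun 25 09:00 /var/tor/debug.log
 98765   8 -rw-r--r--  1 root  wheel   8192 Jun 25 09:00 /var/log/messages
'

# Constructed sample of "fstat" taken later. Column 6 is INUM, column 9 the
# current size. Inode 123457 has grown to ~700MB; 555555 was never in the
# snapshot (created after it), so it cannot be named from the listing.
FSTAT_OUT='
USER     CMD          PID   FD MOUNT        INUM MODE         R/W    SZ|DV
_tor     tor        12345    3 /var       123457 -rw-r-----     w   734003200
_tor     tor        12345    4 /var       555555 -rw-r-----     w        1024
root     syslogd      871    5 /var        98765 -rw-r--r--     w        8192
'

# Usage: correlate_inodes "$find_ls_listing" "$fstat_listing"
# Prints "inode current_size path" for every open file, taking the size
# from fstat and the path from the saved listing (or a marker if the inode
# is not in it). Both inputs are fed to one awk run through a separator
# so the script stays POSIX sh (no process substitution).
correlate_inodes() {
    { printf '%s\n' "$1"; echo '--- fstat ---'; printf '%s\n' "$2"; } |
    awk '
        /^--- fstat ---$/ { in_fstat = 1; next }
        # listing section: remember path by inode
        !in_fstat && $1 ~ /^[0-9]+$/ { path[$1] = $NF; next }
        # fstat section: skip header and blanks, then join on INUM
        in_fstat && $1 != "USER" && NF >= 9 {
            if ($6 in path)
                print $6, $9, path[$6]
            else
                print $6, $9, "(not in saved listing)"
        }
    '
}

# On a live system the inputs would come from:
#   find /var -xdev -ls > /var/tmp/var-inodes.txt     (at daemon start)
#   fstat | awk '$5 == "/var"'                        (when space is gone)
# correlate_inodes "$(cat /var/tmp/var-inodes.txt)" "$(fstat | awk '$5 == "/var"')"
```

With the sample data the 700MB entry resolves to /var/tor/debug.log, the file the torrc in the thread was writing before it was pointed at /dev/null; a match against a path that no longer exists on disk is the signature of an unlinked-but-open log.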
Re: Multi-domain DKIM signature with OpenSMTPd
On 19/03/2020 8:45 am, Martijn van Duren wrote:
> On 3/18/20 8:41 PM, Matthieu wrote:
>> On 18/03/2020 at 19:39, Hiltjo Posthuma wrote:
>>> On Wed, Mar 18, 2020 at 06:23:30PM +0100, Matthieu wrote:
>>>> Hi everybody
>>>>
>>>> I'm looking to use OpenDKIM with OpenSMTPd. Has anyone ever done it
>>>> before? My first intention is to sign mails from different domains on a
>>>> single mail server. So the OpenDKIM works with a socket and I don't know
>>>> how and if it works with the smtpd filter. I've seen the
>>>> «opensmtpd-filter-dkimsign» package, but we can only specify one domain.
>>>> Otherwise I'd be looking at the side of dkimproxy if it can do the job
>>>> or not.
>>>>
>>>> Thx for any help.
>>>
>>> Hi,
>>>
>>> There's an example described in the smtpd.conf(5) man page.
>>>
>>> opensmtpd filters are in ports as a package: opensmtpd-filter-dkimsign
>>> The source-code is at: https://imperialat.at/dev/filter-dkimsign/ in main.c
>>> It's relatively small and also privilege-separated. It has a parameter to
>>> set the domain name (-d). In smtpd.conf you can define multiple filters.
>>> See also the man page filter-dkimsign(8) for detailed information.
>>>
>>> I've replaced dkimproxy (Perl-based and complex) with
>>> opensmtpd-filter-dkimsign. It works well for my needs.
>>
>> Hi Hiltjo,
>>
>> Currently I already use opensmtpd-filter-dkimsign, but I didn't understand
>> how to use it for multiple domains at once. I've seen the example in the
>> man page: https://man.openbsd.org/smtpd.conf#opensmtpd-filter-dkimsign
>>
>> I thought was to be replaced by only one domain to sign. Is a domain a
>> table like Alias? If so, what is the format of the file? But I doubt it
>> since in the filter code it doesn't look like a list.
>>
>>     static char *domain = NULL;
>>     […]
>>     case 'd':
>>         domain = optarg;
>>     […]
>>     if (!dkim_signature_printf(message,
>>         "DKIM-Signature: v=%s; a=%s-%s; c=%s/%s; d=%s; s=%s; ",
>>         "1", cryptalg, hashalg,
>>         canonheader == CANON_SIMPLE ? "simple" : "relaxed",
>>         canonbody == CANON_SIMPLE ? "simple" : "relaxed",
>>         domain, selector))
>>
>> Finally in the example given in this presentation it is indeed a single
>> domain:
>> https://fosdem.org/2020/schedule/event/opensmtpd_in_the_cloud/attachments/slides/3736/export/events/attachments/opensmtpd_in_the_cloud/slides/3736/OpenSMTPD_Slides.pdf
>
> That's because filter-dkimsign doesn't support multiple domains, and unless
> someone can give me a good reason to do so it probably is going to stay that
> way.

I'm using dkimproxy for this. I host multiple domain names. dkimproxy is
pretty easy to configure to sign outbound on a per domain basis.

    /etc/dkimproxy_out.conf
    listen 127.0.0.1:
    relay 127.0.0.1:
    sender_map /etc/mail/dkim/sender_map

    /etc/mail/dkim/sender_map
    example.com dkim(key=/etc/mail/dkim/example.com.key,d=example.com,c=relaxed,s=selector1)
    example.org dkim(key=/etc/mail/dkim/example.org.key,d=example.org,c=simple,s=selector1)
    ...

I can send the smtpd.conf through if you're stuck. If the domain being
relayed is not in the map, it isn't signed. dkimproxy is not doing any
inbound processing.

It would be awesome to pull this from a pgsql db source, which is how I
manage what smtpd can and cannot relay.

> I know that some mail providers add an additional positive score to your
> spam rating if you have DKIM, but I reckon this is BS, because DKIM is
> nothing more than a glorified debugging tool to tell you which server
> butchered the content of your mail if every server in the chain adds a DKIM
> signature. To be precise: it only tells you that a particular domain owner
> (d-option) knows what server(s) a particular key (s-option) belongs to, so
> that if a signature fails it could only have happened before the last
> server which has a valid signature.
>
> Could you explain why you (think you) need to have multiple domain support?

I own (and manage) multiple domains. Why would I not take advantage of
virtual domains on 1 host?

Graeme
Re: opensmtpd forwarding sent mail and extras-pgsql
On 6/06/2019 6:50 am, Gilles Chehade wrote:
> On Mon, Jun 03, 2019 at 05:44:41PM +, Benny wrote:
>> Hi,
>
> Hi,
>
>> I am planning a mail server of opensmtpd and dovecot. I'd be glad to know
>> if there is any way to save a copy of mail to dovecot's "Sent" mail box
>> before relaying them out.
>
> sorry, I don't know dovecot enough for tricks and hacks.
>
> it's possible that it's doable through some weird trick when smtpd would
> notify dovecot somehow of messages that were sent, but I doubt it and it is
> generally the mail user agent that does the link between mails it did send
> over SMTP and copies it stores through IMAP.
>
>> I am also not able to find any docs on opensmtpd-extra-pgsql. Is there any
>> guide to link postgresql up with smtpd for virtual users?
>
> There's a man page but no guide no.
>
> There are several tutorials for using SQLite and MySQL if you google and
> they are pretty much identical in terms of configuration.

Hi Benny.

I use Cyrus and Postgresql with smtpd. Everything you need for virtual users
is in table-sqlite(5), but you will want to use IDENTITY or SERIAL for the ID
column. (There is a man page for table-postgres(5) in the source, but it
isn't installed.)

I can't speak for Dovecot. But I use LMTP to deliver locally to the cyrus
mailer. Two actions are needed (below) to route to the local mail store.
<alias> is /etc/mail/aliases, <virtual> is the database table.

    # incoming email
    action "cyrus" lmtp "127.0.0.1:2003" rcpt-to <virtual>

    # locally generated email (system /etc/mail/aliases - alias root to
    # some...@your.local.domain.com)
    action "cyrus_internal" lmtp "127.0.0.1:2003" rcpt-to <alias>

    match from local for local action "cyrus_internal"
    match from any for domain action "cyrus"
Re: IPSEC with Juniper SRX220
On 27-Sep 14:42, Alexandre Westfahl wrote:
> Hi,
>
> I have trouble configuring ipsec with my Soekris 6501 (OBSD 5.7) with a
> carrier router (Juniper). SA seems to work well, I see packets going out on
> em0 and also see them on enc0. However, the other side said nothing comes,
> but they also see SA working and can see traffic going out.
>
> There may be an explanation for this situation:
> - I have another IPSEC tunnel on same public IP (both on em0/enc0)
> - the carrier IPs seem to be on same network so OBSD may be lost with it
>
> *network*
> dmz network (DDD.EEE.FFF.0/28) <--(AAA.BBB.CCC.192)-->Internet<--(GGG.HHH.III.150)--> server (GGG.HHH.III.149)
>
> *ipsec.conf:*
>
>     //working ipsec tunnel
>     ike passive esp from {192.168.10.0/24, 192.168.11.0/24 192.168.12.0/24} to 192.168.1.0/24 \
>         local AAA.BBB.CCC.192 \
>         main auth hmac-sha1 enc 3des group modp1024 lifetime 28800 \
>         quick auth hmac-sha1 enc aes-256 group none lifetime 28800 \
>         srcid "gtfwpo192" dstid "pojimusho169" \
>         psk secret
>
>     //carrier ipsec (not working)
>     ike esp from DDD.EEE.FFF.0/28 to GGG.HHH.III.149/32 \
>         local AAA.BBB.CCC.192 peer GGG.HHH.III.150 \
>         main auth hmac-sha1 enc aes group modp1024 lifetime 86400 \
>         quick auth hmac-sha2-256 enc aes group none lifetime 86400 \
>         srcid "AAA.BBB.CCC.192" dstid "GGG.HHH.III.150" \
>         psk secret2

Hi Alex.

That looks overly complex. Try simplifying it first (the OpenBSD config is so
easy!):

    ike esp from to { } \
        peer \
        psk secret

However! On the juniper, many things are needed. IKE policy and gateway, an
IPSec proposal, a policy and a VPN. Please excuse my indentation and inline
comments.

    ike policy alex {
        mode main
        proposal-set standard
        pre-shared-key ascii-text secret
    }
    ike gateway alex {
        ike policy alex         # (the above policy name)
        address
        external-interface      <- this will be ge-0/0/x but NOT a sub-interface - always the root.
                                   I happen to be using one over a gre tunnel through NAT so I have
                                   dead-peer-detection running as well
    }
    ipsec proposal phase2-alex {
        protocol esp
        authentication-algorithm hmac-sha-256-128
        encryption-algorithm aes-128-cbc
    }
    ipsec policy phase2-alex    (you can get away with the same name)
    ipsec vpn alex {
        ike {
            gateway alex
            ipsec-policy phase2-alex
        }
        establish-tunnels immediately
    }

But wait! There's more! You will also need policies on the SRX to apply
security associations. Let's assume that the SRX local network is trust, and
your vpn runs across the untrust zone. Zone names are arbitrary.

    edit security policies from-zone trust to-zone untrust
    policy alex-local-to-vpn {
        match {
            source-address local-ips        < You will need address book entries for these
            destination-address remote-ips  < more address book entries
            application [ allowed-application-sets or any ]
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn alex
                    pair-policy alex-vpn-to-local   < this is the same policy in reverse. yep. enter it twice.
                }
            }
        }
    }

I actually have these deployed. It does work.

Regards,
Graeme

> I tried to enable or disable PF and use super permissive rules but nothing
> changed. Do you have some ideas on what it could be?
>
> Thanks in advance!
Re: Does OpenBGPd suffer collateral damage with this?
The cause is Cisco routers with a max 512k entries in their FIB on some older
units.

http://www.bgpmon.net/what-caused-todays-internet-hiccup/

Graeme

On 18-Aug 10:27, Rod Whitworth wrote:
> http://www.smh.com.au/technology/technology-news/how-flakey-is-the-internet-20140816-104t8p.html
>
> I would love to hear that our beloved BGP routers are the only ones that
> don't get screwed or at least we are one of the few.
>
> I haven't heard any noises from the hosting site that I look after.
>
> *** NOTE *** Please DO NOT CC me.
>
> I am subscribed to the list. Mail to the sender address that does not
> originate at the list server is tarpitted. The reply-to: address is
> provided for those who feel compelled to reply off list. Thank you.
>
> Rod/
> ---
> This life is not the real thing.
> It is not even in Beta.
> If it was, then OpenBSD would already have a man page for it.
Re: USB mouse
On 27/10/2011 10:22 AM, Zantgo wrote:
> WTF? I use OpenBSD and hate the other operating systems
>
> Zantgo

It's like this: Ask a stupid question, get a stupid answer.

> On 26-10-2011, at 20:11, Bryan Irvine <sparcta...@gmail.com> wrote:
>> On Wed, Oct 26, 2011 at 3:52 PM, Zantgo <zan...@gmail.com> wrote:
>>> How I can run USB mouse?
>>
>> You have to extract the drivers from the ubuntu linux installation CD.
Re: SSH VPN without root login?
Pretty sure if you change the owner / group of the tap or tun device you are
using to the user you want to bring up the tunnel you can avoid root.

G

On Fri, Aug 12, 2011 at 5:40 AM, Michael W. Lucas <mwlu...@blackhelicopters.org> wrote:
> Hi,
>
> I'm trying to get a SSH VPN working between a 4.9 i386 and a recent 5.0
> amd64 snapshot (with the MP#49 kernel). The tunnel works fine if I SSH in
> as root. My guts really protest at enabling remote root logins, however.
> Yes, I can limit the access with a Match statement.
>
> Surely I can change some device permissions, or use sudo, to permit a
> particular otherwise-unprivileged user to bring up this VPN? Any
> suggestions on where to look for that? I've tried several Internet
> searches, but found nothing.
>
> Thanks,
> ==ml
>
> --
> Michael W. Lucas
> http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
> Latest book: Network Flow Analysis http://www.networkflowanalysis.com/
> mwlu...@blackhelicopters.org, Twitter @mwlauthor
Re: Howto set an IPv6 route?
    route add -inet6 2a00:1ff8:101:: -prefixlen 48 2a00:1ff8:102:ac01::1

Have a look at /etc/netstart for some guidance

On 21/04/2011 9:57 AM, Roger Schreiter wrote:
> Hello,
>
> I tried:
>
>     route add -inet6 2a00:1ff8:101::/48 2a00:1ff8:102:ac01::1
>
> and got:
>
>     route: 2a00:1ff8:101::/48: bad value
>
> I do not understand, what is wrong with that net?
> Can anyone give me a hint?
>
> Roger.
Re: Easy money with OpenBSD OpenBGPd?
FreeBSD and Linux

The routing is done on FreeBSD. UI on Linux.

It's hardly rocket science either. It could easily be done on OpenBSD, but we
would need to add a strip private or similar to make it implementable.

On 14/03/2010 2:24 AM, Sevan / Venture37 wrote:
> Hi guys,
>
> I was reading the arstechnica article on the internet filtering that's now
> in place in New Zealand. They mentioned that the appliance they're using,
> called a Whitebox, uses a BSD-Unix. Anyone know more about the OS used in
> this system??
>
> Sevan / Venture37
>
> http://arstechnica.com/tech-policy/news/2010/03/new-zealand-relies-on-bgp-router-protocol-to-filter-the-net.ars
> http://www.watchdoginternational.net/images/stories/ncwb2.pdf
Re: VLANs, OpenBSD, Cisco HP
On 14/01/2010 5:33 PM, James Peltier wrote:
> --- On Thu, 1/14/10, James Peltier <james_a_pelt...@yahoo.ca> wrote:
>
>> /etc/hostname.vlan301
>> --
>> inet 1.2.3.4 255.255.255.0 NONE vlandev em0 description Uplink
>
> Please note that I've typed this wrong and it actually has
>
>     inet 1.2.3.4 255.255.255.0 NONE vlan 301 vlandev em0 description Uplink
>
> in /etc/hostname.em0 and doesn't work. Just wanted to make sure people don't
> jump to the "your syntax is wrong" theory. ;)

Like this:

    # cat /etc/hostname.vlan0
    vlan 301 vlandev em0
    inet 192.168.1.2 255.255.255.0 192.168.1.255 description Uplink

    # cat /etc/hostname.em0
    up
Re: VLANs, OpenBSD, Cisco HP
On 15/01/2010 3:13 AM, James Peltier wrote:
> --- On Thu, 1/14/10, Graeme Lee <gra...@omni.net.au> wrote:
>
>> From: Graeme Lee <gra...@omni.net.au>
>> Subject: Re: VLANs, OpenBSD, Cisco HP
>> To: misc@openbsd.org
>> Received: Thursday, January 14, 2010, 3:27 AM
>>
>>> inet 1.2.3.4 255.255.255.0 NONE vlan 301 vlandev em0 description Uplink
>>
>> Like this:
>>
>>     # cat /etc/hostname.vlan0
>>     vlan 301 vlandev em0
>>     inet 192.168.1.2 255.255.255.0 192.168.1.255 description Uplink
>>
>>     # cat /etc/hostname.em0
>>     up
>
> From everything I have read in the man pages, FAQ and the great oracle
> Google, my chosen syntax works too. See http://www.openbsd.org/faq/faq6.html
>
> Or, you may want to use special flags specific to a certain interface. The
> format of the hostname file doesn't change much!
>
>     $ cat /etc/hostname.vlan0
>     inet 172.21.0.31 255.255.255.0 NONE vlan 2 vlandev fxp1

You caught me with a migraine. Either syntax works. However, I had a re-read
of your initial email, and you were missing the vlan 301 in your
configuration line.

    /etc/hostname.vlan301
    --
    inet 1.2.3.4 255.255.255.0 NONE vlandev em0 description Uplink

Check that you are not tagging the incoming traffic as vlan 301. The ports
need to be in trunk mode.

If your vlan interface is up, and you get the following:

    # ifconfig vlan0
    vlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:c0:9f:4b:6f:38
            description: test link
            vlan: 301 priority: 0 parent interface: em0
            groups: vlan
            inet 1.2.3.4 netmask 0xffffff00 broadcast 1.2.3.255
            inet6 fe80::2c0:9fff:fe4b:6f38%vlan0 prefixlen 64 scopeid 0x7

Then you'll need to re-visit the configuration of your procurve. Also,
tcpdump is your friend. If your interfaces aren't doing hardware vlan
tagging/untagging, you'll get to see

    # tcpdump -ni em0
    10:33:13.588159 802.1Q vid 301 pri 0 ..

Have fun!

g
Re: VLANs, OpenBSD, Cisco HP
On 15/01/2010 1:25 PM, Stuart Henderson wrote:
> On 2010-01-15, Graeme Lee <gra...@omni.net.au> wrote:
>> Either syntax works. However, I had a re-read of your initial email, and
>> you were missing the vlan 301 in your configuration line.
>
> It's no longer necessary, it defaults to the number that's part of the
> interface name (e.g. vlan301 defaults to vlan 301).

Cool. And anyway, he corrected himself in a later email I noticed.
Re: OpenBSD on first gen Asus eeePCs
Yup I like them.

- WiFi is same as eeePC (Atheros 5424) so I swapped it out with an Intel wpi
- JMicron multi card reader not supported
- Intel drm :)
- bsd.mp (Intel Atom supports hyper threading)
- built-in camera appears to work but I've never used it.

OpenBSD 4.5 (GENERIC.MP) #108: Sat Feb 28 14:58:58 MST 2009
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
RTC BIOS diagnostic error 80<clock_battery>
cpu0: Intel(R) Atom(TM) CPU N270 @ 1.60GHz ("GenuineIntel" 686-class) 1.60 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,xTPR
real mem  = 1060163584 (1011MB)
avail mem = 1016795136 (969MB)
RTC BIOS diagnostic error 80<clock_battery>
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 05/09/08, SMBIOS rev. 2.4 @ 0xe8e70 (32 entries)
bios0: vendor Acer version "v0.3114" date 05/09/2008
bios0: Acer AOA150
acpi0 at bios0: rev 2
acpi0: tables DSDT FACP SSDT HPET APIC MCFG ASF! SLIC BOOT
acpi0: wakeup devices P32_(S4) UHC1(S3) UHC2(S3) UHC3(S3) UHC4(S3) ECHI(S3) EXP1(S4) EXP2(S4) EXP3(S4) EXP4(S4) AZAL(S0) MODM(S0)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 133MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Atom(TM) CPU N270 @ 1.60GHz ("GenuineIntel" 686-class) 1.60 GHz
cpu1: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,EST,TM2,xTPR
ioapic0 at mainbus0: apid 4 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 4
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 5 (P32_)
acpiprt2 at acpi0: bus 1 (EXP1)
acpiprt3 at acpi0: bus 2 (EXP2)
acpiprt4 at acpi0: bus 3 (EXP3)
acpiprt5 at acpi0: bus 4 (EXP4)
acpiec0 at acpi0
acpicpu0 at acpi0
acpicpu1 at acpi0
acpibtn0 at acpi0: PWRB
acpibtn1 at acpi0: LID0
acpibtn2 at acpi0: SLPB
acpibat0 at acpi0: BAT1 not present
acpiac0 at acpi0: AC unit online
acpivideo at acpi0 not configured
bios0: ROM list: 0xc/0xec00! 0xcf000/0x1000
cpu0: unknown Enhanced SpeedStep CPU, msr 0x060f0c2406000c24
cpu0: using only highest and lowest power states
cpu0: Enhanced SpeedStep 1600 MHz (1276 mV): speeds: 1600, 800 MHz
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82945GME Host" rev 0x03
vga1 at pci0 dev 2 function 0 "Intel 82945GME Video" rev 0x03
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
intagp0 at vga1
agp0 at intagp0: aperture at 0x4000, size 0x1000
inteldrm0 at vga1: apic 4 int 16 (irq 11)
drm0 at inteldrm0
"Intel 82945GM Video" rev 0x03 at pci0 dev 2 function 1 not configured
azalia0 at pci0 dev 27 function 0 "Intel 82801GB HD Audio" rev 0x02: apic 4 int 16 (irq 11)
azalia0: codecs: Realtek ALC268
audio0 at azalia0
ppb0 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x02: apic 4 int 16 (irq 255)
pci1 at ppb0 bus 1
ppb1 at pci0 dev 28 function 1 "Intel 82801GB PCIE" rev 0x02: apic 4 int 17 (irq 255)
pci2 at ppb1 bus 2
re0 at pci2 dev 0 function 0 "Realtek 8101E" rev 0x02: RTL8102EL (0x2480), apic 4 int 17 (irq 11), address 00:1e:68:d5:61:e0
rlphy0 at re0 phy 7: RTL8201L 10/100 PHY, rev. 1
ppb2 at pci0 dev 28 function 2 "Intel 82801GB PCIE" rev 0x02: apic 4 int 18 (irq 255)
pci3 at ppb2 bus 3
wpi0 at pci3 dev 0 function 0 "Intel PRO/Wireless 3945ABG" rev 0x02: apic 4 int 18 (irq 11), RoW, address 00:18:de:15:1a:36
ppb3 at pci0 dev 28 function 3 "Intel 82801GB PCIE" rev 0x02: apic 4 int 19 (irq 255)
pci4 at ppb3 bus 4
uhci0 at pci0 dev 29 function 0 "Intel 82801GB USB" rev 0x02: apic 4 int 16 (irq 11)
uhci1 at pci0 dev 29 function 1 "Intel 82801GB USB" rev 0x02: apic 4 int 17 (irq 11)
uhci2 at pci0 dev 29 function 2 "Intel 82801GB USB" rev 0x02: apic 4 int 18 (irq 11)
uhci3 at pci0 dev 29 function 3 "Intel 82801GB USB" rev 0x02: apic 4 int 19 (irq 11)
ehci0 at pci0 dev 29 function 7 "Intel 82801GB USB" rev 0x02: apic 4 int 16 (irq 11)
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb4 at pci0 dev 30 function 0 "Intel 82801BAM Hub-to-PCI" rev 0xe2
pci5 at ppb4 bus 5
ichpcib0 at pci0 dev 31 function 0 "Intel 82801GBM LPC" rev 0x02: PM disabled
pciide0 at pci0 dev 31 function 2 "Intel 82801GBM SATA" rev 0x02: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <ST9120817AS>
wd0: 16-sector PIO, LBA48, 114473MB, 234441648 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
ichiic0 at pci0 dev 31 function 3 "Intel 82801GB SMBus" rev 0x02: apic 4 int 17 (irq 11)
iic0 at ichiic0
spdmem0 at iic0 addr 0x51: 512MB DDR2 SDRAM non-parity PC2-5300CL5 SO-DIMM
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 "Intel UHCI root
Re: bgpd fails to install ipv6 routes in kernel routing table
Claudio Jeker wrote:
> On Mon, Feb 09, 2009 at 04:51:12PM +1100, Graeme Lee wrote:
>> [snip]
>>
>> Ok forget bgp configs for a minute. I've been quickly scanning over the
>> code, and notable is that the log displays:
>>
>>     Feb 9 13:00:15 gw-nextgen bgpd[17223]: send_rtmsg: action 1, prefix 2001:7fb:fe07::/48: Network is unreachable
>>
>> but shouldn't it be a send_rt6msg call in kroute.c?
>
> Yes. The warning message had the wrong function name in it.
>
>> well I was looking at least.
>>
>> On a hunch, I tried a 64bit and a 32 bit machine with 1 prefix each.
>> The 32bit machine adds routes to the kernel without complaint. The 64bit
>> machine complained with send_rtmsg
>
> Arrg. IPv6 is once again broken by design. For some ridiculous reason
> struct sockaddr_in6's size is 28 bytes. So IPv6 fucks up alignment on 64
> bit archs. All hail link local addressing and all the crappy workarounds
> needed for it.
>
> Please try the attached diff.

You are altogether a legend. I now have the full ipv6 table in the kernel.
Re: bgpd fails to install ipv6 routes in kernel routing table
Claudio Jeker wrote:
> On Mon, Feb 09, 2009 at 11:43:10AM +0100, Claudio Jeker wrote:
>> On Mon, Feb 09, 2009 at 02:22:08AM -0800, patrick keshishian wrote:
>>> On Mon, Feb 9, 2009 at 12:53 AM, Claudio Jeker <cje...@diehard.n-r-g.com> wrote:
>>>>> On a hunch, I tried a 64bit and a 32 bit machine with 1 prefix each.
>>>>> The 32bit machine adds routes to the kernel without complaint. The
>>>>> 64bit machine complained with send_rtmsg
>>>>
>>>> Arrg. IPv6 is once again broken by design. For some ridiculous reason
>>>> struct sockaddr_in6's size is 28 bytes. So IPv6 fucks up alignment on 64
>>>> bit archs. All hail link local addressing and all the crappy workarounds
>>>> needed for it.
>>>
>>> Maybe it is too late for me to be thinking about this ... but could you
>>> explain the diff below? Unless I'm missing something obvious, it looks
>>> like it changes behavior for non-64bit archs as well.
>>
>> Hmm. I think you're right. I think a different approach would be better.
>> Will cook up something later today.
>
> I think this is better. Just compile tested and no real time to test until
> later today.

Hi Claudio

Tested on i386 and amd64 test bgp sessions ok

Tested on amd64 production w/2 x ipv4 feeds and 1 x ipv6. Full ipv6 table is
installed in the kernel. daemon log shows

    Feb 10 09:06:14 gw-nextgen bgpd[8598]: neighbor 2001:470:17:7f::1 (HurricaneHK): state change Connect -> OpenSent, reason: Connection opened
    Feb 10 09:06:14 gw-nextgen bgpd[8598]: neighbor 2001:470:17:7f::1 (HurricaneHK): state change OpenSent -> OpenConfirm, reason: OPEN message received
    Feb 10 09:06:14 gw-nextgen bgpd[8598]: neighbor 2001:470:17:7f::1 (HurricaneHK): state change OpenConfirm -> Established, reason: KEEPALIVE message received
    Feb 10 09:06:18 gw-nextgen bgpd[15752]: nexthop 2001:470:17:7f::1 now valid: directly connected

No errors.
Re: bgpd fails to install ipv6 routes in kernel routing table
Rogier Krieger wrote:
> On Sun, Feb 8, 2009 at 02:09, Graeme Lee <gra...@omni.net.au> wrote:
>> The bgpd log shows this:
>>
>>     bgpd: send_rtmsg: action 1, prefix 2001:dc8:c000::/36: Network is unreachable
>>     bgpd: send_rtmsg: action 1, prefix 2a01:a8::/32: Network is unreachable
>>
>> for every network received via my peer.
>
> Are there intermediate hops that you receive from the peer but cannot
> reach? If your nexthop is unreachable, that may explain the message.
>
> If you go back far enough in the logs (before the first prefixes you
> receive), the log may provide more insight as well, as I don't know how
> many peers you have/prefixes you get.

Nope. Here's the first few lines from bgpctl show ip bgp inet6

    flags: * = Valid, > = Selected, I = via IBGP, A = Announced
    origin: i = IGP, e = EGP, ? = Incomplete

    flags destination          gateway            lpref  med aspath origin
    *>    2001::/32            2001:470:17:7f::1    100    0 6939 12859 i
    *>    2001:200::/32        2001:470:17:7f::1    100    0 6939 2500 i
    *>    2001:200:136::/48    2001:470:17:7f::1    100    0 6939 2516 7660 9367 i
    *>    2001:200:600::/40    2001:470:17:7f::1    100    0 6939 2516 7667 i
    *>    2001:200:900::/40    2001:470:17:7f::1    100    0 6939 2516 7660 i
    *>    2001:200:a000::/35   2001:470:17:7f::1    100    0 6939 3257 2497 4690 i
    *>    2001:200:c000::/35   2001:470:17:7f::1    100    0 6939 2500 23634 i
    *>    2001:200:e000::/35   2001:470:17:7f::1    100    0 6939 4635 7660 i
    *>    2001:208::/32        2001:470:17:7f::1    100    0 6939 23911 9800 38035 7610 i
    *>    2001:218::/32        2001:470:17:7f::1    100    0 6939 2914 i
    *>    2001:220::/35        2001:470:17:7f::1    100    0 6939 2516 7660 9270 i
    *>    2001:220:2000::/35   2001:470:17:7f::1    100    0 6939 2516 7660 9270 38128 i
    *>    2001:220:8000::/33   2001:470:17:7f::1    100    0 6939 2516 7660 9270 38128 i

2001:470:17:7f::1 is my bgp peer from hurricane.

The bgp table looks fine. It just doesn't translate to the kernel routing
table. ergo, I cannot see or be seen. my prefix is advertised fine
(2400:6800::/32)

I can talk to and directly ping6 2001:470:17:7f::1

Adding static routes works (eg a default). It's just that bgpd isn't
translating what it knows into the kernel.

>> A clue to what I'm missing would be really appreciated.
>
> Other than checking the nexthop above, it'll help to include your network
> layout (what interfaces, uplink, addresses), bgpd configuration and a
> non-chopped dmesg.

Dmesg was there to demonstrate I really was running -current and not
something from somewhere random.

Network layout is somewhat complicated. 1 x ebgp and 1 x ibgp session
receive ipv4 world tables. Gif tunnel to a hurricane router in Hong Kong.
I'm receiving ipv6 world bgp tables from this peer. Connectivity to the peer
is fine. Just can't get past it. I can see that my prefix is announced via
looking glasses. I'm receiving about 1.6k prefixes from hurricane.

    # bgpctl show ip bgp sum
    Neighbor        AS     MsgRcvd  MsgSent  OutQ  Up/Down   State/PrfRcvd
    HurricaneHK     6939      3220     1428     0  11:52:11    1588
    Optus Peer     10105    104321    43663     0  11:58:08  222487
    NextGen        38809     78041     1439     0  11:58:08  274913

complete restart of bgpd shows this:

    Feb 8 23:43:47 gw-nexgen bgpd[23344]: neighbor 2001:470:17:7f::1 (HurricaneHK): state change Connect -> OpenSent, reason: Connection opened
    Feb 8 23:43:47 gw-nexgen bgpd[23344]: neighbor 2001:470:17:7f::1 (HurricaneHK): state change OpenSent -> OpenConfirm, reason: OPEN message received
    Feb 8 23:43:47 gw-nexgen bgpd[23344]: neighbor 2001:470:17:7f::1 (HurricaneHK): state change OpenConfirm -> Established, reason: KEEPALIVE message received
    Feb 8 23:44:13 gw-nexgen bgpd[4481]: nexthop 2001:470:17:7f::1 now valid: directly connected
    Feb 8 23:44:13 gw-nexgen bgpd[4481]: send_rtmsg: action 1, prefix 2a01:7b0::/32: Network is unreachable
    Feb 8 23:44:13 gw-nexgen bgpd[4481]: send_rtmsg: action 1, prefix 2404:1b0::/32: Network is unreachable
    Feb 8 23:44:13 gw-nexgen bgpd[4481]: send_rtmsg: action 1, prefix 2400:3000::/32: Network is unreachable

etc etc for all 1.6k prefixes

> Hope it helps,
> Rogier
Re: bgpd fails to install ipv6 routes in kernel routing table
tico wrote:
> Graeme Lee wrote:
>> [snip]
>>
>> Network layout is somewhat complicated. 1 x ebgp and 1 x ibgp session
>> receive ipv4 world tables. Gif tunnel to a hurricane router in Hong Kong.
>> I'm receiving ipv6 world bgp tables from this peer. Connectivity to the
>> peer is fine. Just can't get past it. I can see that my prefix is
>> announced via looking glasses. I'm receiving about 1.6k prefixes from
>> hurricane.
>
> I'm speaking BGP over v6 with HE.net as well (albeit in Fremont, not HK),
> and I can see you just fine, and apparently you can see me (AS30708) as
> well, since I can ping you from both my Hurricane /64 as well as from an IP
> within my own /32.
>
>     $ ping6 -c1 -S 2607:f618:1::1 2001:470:17:7f::2
>     PING6(56=40+8+8 bytes) 2607:f618:1::1 --> 2001:470:17:7f::2
>     16 bytes from 2001:470:17:7f::2, icmp_seq=0 hlim=59 time=442.275 ms
>
>     --- 2001:470:17:7f::2 ping6 statistics ---
>     1 packets transmitted, 1 packets received, 0.0% packet loss
>     round-trip min/avg/max/std-dev = 442.275/442.275/442.275/0.000 ms
>
>     $ ping6 -c1 2001:470:17:7f::2
>     PING6(56=40+8+8 bytes) 2001:470:1:53::2 --> 2001:470:17:7f::2
>     16 bytes from 2001:470:17:7f::2, icmp_seq=0 hlim=59 time=441.775 ms
>
>     --- 2001:470:17:7f::2 ping6 statistics ---
>     1 packets transmitted, 1 packets received, 0.0% packet loss
>     round-trip min/avg/max/std-dev = 441.775/441.775/441.775/0.000 ms
>
>     $ bgpctl sho ip bgp 2400:6800::/32
>     flags: * = Valid, > = Selected, I = via IBGP, A = Announced
>     origin: i = IGP, e = EGP, ? = Incomplete
>
>     flags destination       gateway           lpref  med aspath origin
>     *>    2400:6800::/32    2001:470:1:53::1    100    0 6939 10105 i
>
>     $ uname -mr
>     4.4 i386
>
> What does your bgpctl sho nex give you?
>
> -tico

Hi Tico.

    # bgpctl show next
    Nexthop            State
    2001:470:17:7f::1  valid  gif0 UP
    203.143.64.133     valid  em1  UP, Ethernet, active, 100 MBit/s
    121.200.227.93     valid  em0  UP, Ethernet, active, 100 MBit/s

However, the only reason you can see me is because I've manually stuck in a
default route just to get things working

    # netstat -rnf inet6
    Routing tables

    Internet6:
    Destination          Gateway              Flags  Refs   Use    Mtu  Prio Iface
    ::/104               ::1                  UGRS      0     0      -     8 lo0
    ::/96                ::1                  UGRS      0     0      -     8 lo0
    default              2001:470:17:7f::1    UGS       0    19      -     8 gif0
    ::1                  ::1                  UH       14     0  33160     4 lo0
    ::127.0.0.0/104      ::1                  UGRS      0     0      -     8 lo0
    ::224.0.0.0/100      ::1                  UGRS      0     0      -     8 lo0
    ::255.0.0.0/104      ::1                  UGRS      0     0      -     8 lo0
    :::0.0.0.0/96        ::1                  UGRS      0     0      -     8 lo0
    2001:470:17:7f::/64  link#6               UC        1     0      -     4 gif0
    2001:470:17:7f::1    link#6               UHLc      2  3397      -     4 gif0
    2001:470:17:7f::2    link#6               UHL       1     0      -     4 lo0
Re: bgpd fails to install ipv6 routes in kernel routing table
tico wrote:
> Graeme Lee wrote:
> > tico wrote:
> > > Graeme Lee wrote:
> > > > <snip>
> > > > Network layout is somewhat complicated. 1 x ebgp and 1 x ibgp session receive ipv4 world tables. Gif tunnel to a hurricane router in Hong Kong. I'm receiving ipv6 world bgp tables from this peer. Connectivity to the peer is fine. Just can't get past it. I can see that my prefix is announced via looking glasses. I'm receiving about 1.6k prefixes from hurricane.
> > >
> > > I'm speaking BGP over v6 with HE.net as well (albeit in Fremont, not HK), and I can see you just fine, and apparently you can see me (AS30708) as well, since I can ping you from both my Hurricane /64 as well as from an IP within my own /32.
> > >
> > > $ ping6 -c1 -S 2607:f618:1::1 2001:470:17:7f::2
> > > PING6(56=40+8+8 bytes) 2607:f618:1::1 --> 2001:470:17:7f::2
> > > 16 bytes from 2001:470:17:7f::2, icmp_seq=0 hlim=59 time=442.275 ms
> > >
> > > --- 2001:470:17:7f::2 ping6 statistics ---
> > > 1 packets transmitted, 1 packets received, 0.0% packet loss
> > > round-trip min/avg/max/std-dev = 442.275/442.275/442.275/0.000 ms
> > >
> > > $ ping6 -c1 2001:470:17:7f::2
> > > PING6(56=40+8+8 bytes) 2001:470:1:53::2 --> 2001:470:17:7f::2
> > > 16 bytes from 2001:470:17:7f::2, icmp_seq=0 hlim=59 time=441.775 ms
> > >
> > > --- 2001:470:17:7f::2 ping6 statistics ---
> > > 1 packets transmitted, 1 packets received, 0.0% packet loss
> > > round-trip min/avg/max/std-dev = 441.775/441.775/441.775/0.000 ms
> > >
> > > $ bgpctl sho ip bgp 2400:6800::/32
> > > flags: * = Valid, > = Selected, I = via IBGP, A = Announced
> > > origin: i = IGP, e = EGP, ? = Incomplete
> > >
> > > flags destination        gateway            lpref   med aspath origin
> > > *>    2400:6800::/32     2001:470:1:53::1     100     0 6939 10105 i
> > >
> > > $ uname -mr
> > > 4.4 i386
> > >
> > > What does your bgpctl sho nex give you?
> > >
> > > -tico
> >
> > Hi Tico.
> >
> > # bgpctl show next
> > Nexthop            State
> > 2001:470:17:7f::1  valid   gif0 UP
> > 203.143.64.133     valid   em1  UP, Ethernet, active, 100 MBit/s
> > 121.200.227.93     valid   em0  UP, Ethernet, active, 100 MBit/s
> >
> > However, the only reason you can see me is because I've manually stuck in a default route just to get things working:
> >
> > # netstat -rnf inet6
> > Routing tables
> >
> > Internet6:
> > Destination            Gateway             Flags   Refs      Use   Mtu  Prio Iface
> > ::/104                 ::1                 UGRS       0        0     -     8 lo0
> > ::/96                  ::1                 UGRS       0        0     -     8 lo0
> > default                2001:470:17:7f::1   UGS        0       19     -     8 gif0
> > ::1                    ::1                 UH        14        0 33160     4 lo0
> > ::127.0.0.0/104        ::1                 UGRS       0        0     -     8 lo0
> > ::224.0.0.0/100        ::1                 UGRS       0        0     -     8 lo0
> > ::255.0.0.0/104        ::1                 UGRS       0        0     -     8 lo0
> > :::0.0.0.0/96          ::1                 UGRS       0        0     -     8 lo0
> > 2001:470:17:7f::/64    link#6              UC         1        0     -     4 gif0
> > 2001:470:17:7f::1      link#6              UHLc       2     3397     -     4 gif0
> > 2001:470:17:7f::2      link#6              UHL        1        0     -     4 lo0
>
> I see. And what do your filters (bgpd, not PF) look like? What changes from a default bgpd.conf have you made? Is there anything peculiar about your gif0 interface?
>
> -tico

There's only one line difference (plus a comment):

allow from any inet6 prefixlen 12 - 64

neighbor 2001:470:17:7f::1 {
        remote-as 6939
        descr HurricaneHK
        local-address 2001:470:17:7f::2
        announce IPv4 none
        announce IPv6 unicast
        set nexthop self
}

# filter out prefixes longer than 24 or shorter than 8 bits
deny from any
allow from any inet prefixlen 8 - 24
# IPv6 Routing
allow from any inet6 prefixlen 12 - 64
# do not accept a default route
deny from any prefix 0.0.0.0/0
# filter bogus networks
deny from any prefix 10.0.0.0/8 prefixlen >= 8
deny from any prefix 172.16.0.0/12 prefixlen >= 12
deny from any prefix 192.168.0.0/16 prefixlen >= 16
deny from any prefix 169.254.0.0/16 prefixlen >= 16
deny from any prefix 192.0.2.0/24 prefixlen >= 24
deny from any prefix 224.0.0.0/4 prefixlen >= 4
deny from any prefix 240.0.0.0/4 prefixlen >= 4

# ifconfig gif0
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        priority: 0
        groups: gif egress
        physical address inet 121.200.227.94 --> 216.218.221.2
        inet6 fe80::21f:d0ff:fe32:3d58%gif0 -> prefixlen 64 scopeid 0x6
        inet6 2001:470:17:7f::2 -> prefixlen 64
Re: bgpd fails to install ipv6 routes in kernel routing table
Graeme Lee wrote:
> tico wrote:
> > Graeme Lee wrote:
> > > tico wrote:
> > > > Graeme Lee wrote:
> > > > > <snip>
> > > > > Network layout is somewhat complicated. 1 x ebgp and 1 x ibgp session receive ipv4 world tables. Gif tunnel to a hurricane router in Hong Kong. I'm receiving ipv6 world bgp tables from this peer. Connectivity to the peer is fine. Just can't get past it. I can see that my prefix is announced via looking glasses. I'm receiving about 1.6k prefixes from hurricane.
> > > >
> > > > I'm speaking BGP over v6 with HE.net as well (albeit in Fremont, not HK), and I can see you just fine, and apparently you can see me (AS30708) as well, since I can ping you from both my Hurricane /64 as well as from an IP within my own /32.
> > > >
> > > > $ ping6 -c1 -S 2607:f618:1::1 2001:470:17:7f::2
> > > > PING6(56=40+8+8 bytes) 2607:f618:1::1 --> 2001:470:17:7f::2
> > > > 16 bytes from 2001:470:17:7f::2, icmp_seq=0 hlim=59 time=442.275 ms
> > > >
> > > > --- 2001:470:17:7f::2 ping6 statistics ---
> > > > 1 packets transmitted, 1 packets received, 0.0% packet loss
> > > > round-trip min/avg/max/std-dev = 442.275/442.275/442.275/0.000 ms
> > > >
> > > > $ ping6 -c1 2001:470:17:7f::2
> > > > PING6(56=40+8+8 bytes) 2001:470:1:53::2 --> 2001:470:17:7f::2
> > > > 16 bytes from 2001:470:17:7f::2, icmp_seq=0 hlim=59 time=441.775 ms
> > > >
> > > > --- 2001:470:17:7f::2 ping6 statistics ---
> > > > 1 packets transmitted, 1 packets received, 0.0% packet loss
> > > > round-trip min/avg/max/std-dev = 441.775/441.775/441.775/0.000 ms
> > > >
> > > > $ bgpctl sho ip bgp 2400:6800::/32
> > > > flags: * = Valid, > = Selected, I = via IBGP, A = Announced
> > > > origin: i = IGP, e = EGP, ? = Incomplete
> > > >
> > > > flags destination        gateway            lpref   med aspath origin
> > > > *>    2400:6800::/32     2001:470:1:53::1     100     0 6939 10105 i
> > > >
> > > > $ uname -mr
> > > > 4.4 i386
> > > >
> > > > What does your bgpctl sho nex give you?
> > > >
> > > > -tico

Ok forget bgp configs for a minute. I've been quickly scanning over the code, and notable is that the log displays:

Feb 9 13:00:15 gw-nextgen bgpd[17223]: send_rtmsg: action 1, prefix 2001:7fb:fe07::/48: Network is unreachable

but shouldn't it be a send_rt6msg call in kroute.c?
Re: bgpd fails to install ipv6 routes in kernel routing table
Graeme Lee wrote:
> Graeme Lee wrote:
> > tico wrote:
> > > Graeme Lee wrote:
> > > > tico wrote:
> > > > > Graeme Lee wrote:
> > > > > > <snip>
> > > > > > Network layout is somewhat complicated. 1 x ebgp and 1 x ibgp session receive ipv4 world tables. Gif tunnel to a hurricane router in Hong Kong. I'm receiving ipv6 world bgp tables from this peer. Connectivity to the peer is fine. Just can't get past it. I can see that my prefix is announced via looking glasses. I'm receiving about 1.6k prefixes from hurricane.
> > > > >
> > > > > I'm speaking BGP over v6 with HE.net as well (albeit in Fremont, not HK), and I can see you just fine, and apparently you can see me (AS30708) as well, since I can ping you from both my Hurricane /64 as well as from an IP within my own /32.
> > > > >
> > > > > $ ping6 -c1 -S 2607:f618:1::1 2001:470:17:7f::2
> > > > > PING6(56=40+8+8 bytes) 2607:f618:1::1 --> 2001:470:17:7f::2
> > > > > 16 bytes from 2001:470:17:7f::2, icmp_seq=0 hlim=59 time=442.275 ms
> > > > >
> > > > > --- 2001:470:17:7f::2 ping6 statistics ---
> > > > > 1 packets transmitted, 1 packets received, 0.0% packet loss
> > > > > round-trip min/avg/max/std-dev = 442.275/442.275/442.275/0.000 ms
> > > > >
> > > > > $ ping6 -c1 2001:470:17:7f::2
> > > > > PING6(56=40+8+8 bytes) 2001:470:1:53::2 --> 2001:470:17:7f::2
> > > > > 16 bytes from 2001:470:17:7f::2, icmp_seq=0 hlim=59 time=441.775 ms
> > > > >
> > > > > --- 2001:470:17:7f::2 ping6 statistics ---
> > > > > 1 packets transmitted, 1 packets received, 0.0% packet loss
> > > > > round-trip min/avg/max/std-dev = 441.775/441.775/441.775/0.000 ms
> > > > >
> > > > > $ bgpctl sho ip bgp 2400:6800::/32
> > > > > flags: * = Valid, > = Selected, I = via IBGP, A = Announced
> > > > > origin: i = IGP, e = EGP, ? = Incomplete
> > > > >
> > > > > flags destination        gateway            lpref   med aspath origin
> > > > > *>    2400:6800::/32     2001:470:1:53::1     100     0 6939 10105 i
> > > > >
> > > > > $ uname -mr
> > > > > 4.4 i386
> > > > >
> > > > > What does your bgpctl sho nex give you?
> > > > >
> > > > > -tico
>
> Ok forget bgp configs for a minute. I've been quickly scanning over the code, and notable is that the log displays:
>
> Feb 9 13:00:15 gw-nextgen bgpd[17223]: send_rtmsg: action 1, prefix 2001:7fb:fe07::/48: Network is unreachable
>
> but shouldn't it be a send_rt6msg call in kroute.c?

On a hunch, I tried a 64bit and a 32 bit machine with 1 prefix each. The 32bit machine adds routes to the kernel without complaint. The 64bit machine complained with send_rtmsg.
bgpd fails to install ipv6 routes in kernel routing table
Hi all.

I'm having problems with ipv6 on openbgpd, in that it isn't installing received ipv6 routes into the kernel's routing table. It receives them. I can advertise my own prefix just fine. But netstat -rnf inet6 shows only the basic static table.

The bgpd log shows this:

bgpd: send_rtmsg: action 1, prefix 2001:dc8:c000::/36: Network is unreachable
bgpd: send_rtmsg: action 1, prefix 2a01:a8::/32: Network is unreachable

for every network received via my peer. I believe I've done a good job searching through the archives, but I've turned up nothing useful. I'm running -current as of about 2 hours ago.

A clue to what I'm missing would be really appreciated.

Thanks,
g

OpenBSD 4.4-current (GENERIC) #11: Sun Feb 8 10:29:07 EST 2009
    r...@gw-nexgen.omniconnect.com.au:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 2145255424 (2045MB)
avail mem = 2071248896 (1975MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xf0100 (55 entries)
bios0: vendor Award Software International, Inc. version F3 date 03/04/2008
bios0: Gigabyte Technology Co., Ltd. GA-MA770-S3
acpi0 at bios0: rev 0
acpi0: tables DSDT FACP SSDT HPET MCFG APIC
acpi0: wakeup devices USB0(S3) USB1(S3) USB2(S3) USB3(S3) USB4(S3) USB5(S3) SBAZ(S4) P2P_(S5) PCE2(S4) PCE3(S4) PCE4(S4) PCE5(S4) PCE6(S4) PCE7(S4) PCE8(S4) PCE9(S4) PCEA(S4) PCEB(S4) PCEC(S4) PS2M(S5) PS2K(S5) PCI0(S5)
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpihpet0 at acpi0: 14318180 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Athlon(tm) 64 X2 Dual Core Processor 5200+, 2712.70 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,CX16,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: apic clock running at 200MHz
Re: OpenBGPD Flaps, 32bit ASn in the wild.
tico wrote:
> Claudio Jeker wrote:
> > On Wed, Dec 10, 2008 at 04:47:31PM -0500, Ted Unangst wrote:
> > > On Wed, Dec 10, 2008 at 4:38 PM, Claudio Jeker cje...@diehard.n-r-g.com wrote:
> > > > I looked at the problem and I'm currently unsure what the best way is to handle such bad AS4_* attributes. The RFC in all its glory does not mention how to handle errors. So at the moment I'm in favor of just dropping/ignoring the bad optional attribute but I need to recheck with the BGP RFC to see if this is valid. Another solution is to ignore the full update but I have a bad feeling about that.
> > >
> > > Can you ignore just the route with the bad attribute? We don't want to propagate it more.
> >
> > The best thing we can do is to mark the update as ineligible so it will not propagate further and will not be used but this is a quite radical measure. On the other hand this is probably the safest way to handle this error. Comments?
>
> My thinking is in line with yours. RFC4271 doesn't appear to specify how to handle this scenario gracefully, as already mentioned here: http://www.merit.edu/mail.archives/nanog/msg13422.html
>
> Apparently there are already enough BGP speakers on the net that don't check for a valid AS4_PATH before announcing it onwards to cause problems for OpenBGPd users, if not others. I'd rather be missing a route than missing an entire feed and/or propagating attributes that will kill others' BGP sessions.
>
> -tico

I concur.
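The handling the thread settles on (keep the session up, but mark the single route carrying a malformed AS4_PATH ineligible so it is neither used nor re-announced) as an added example, written for this page and not OpenBGPD's own code: a minimal parser for AS_PATH and AS4_PATH attribute bodies with the RFC 4893 merge rule, fed constructed attribute bytes rather than captured traffic. The function names, the PathDecision type and the sample ASNs are assumptions of this example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

AS_SET, AS_SEQUENCE = 1, 2
AS_TRANS = 23456  # placeholder a 2-octet-only speaker puts in AS_PATH for a 4-octet ASN


class MalformedPath(ValueError):
    """Raised when an AS_PATH / AS4_PATH attribute body does not parse."""


def parse_as_path(body: bytes, asn_size: int):
    """Parse the body of an AS_PATH (asn_size=2) or AS4_PATH (asn_size=4) attribute.

    Returns a list of (segment_type, [asn, ...]) and raises MalformedPath on any
    length inconsistency instead of trusting the counts the peer advertised.
    """
    if asn_size not in (2, 4):
        raise ValueError("asn_size must be 2 or 4")
    fmt_char = "H" if asn_size == 2 else "I"
    segments = []
    i = 0
    while i < len(body):
        if len(body) - i < 2:
            raise MalformedPath("truncated segment header")
        seg_type, count = body[i], body[i + 1]
        i += 2
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise MalformedPath("unknown segment type %d" % seg_type)
        if count == 0:
            raise MalformedPath("empty segment")
        need = count * asn_size
        if len(body) - i < need:
            raise MalformedPath("segment claims %d ASNs but only %d bytes remain"
                                % (count, len(body) - i))
        asns = list(struct.unpack(">%d%s" % (count, fmt_char), body[i:i + need]))
        i += need
        segments.append((seg_type, asns))
    return segments


def flatten(segments):
    """Flatten segments into hops; an AS_SET counts as a single hop (RFC 4271)."""
    hops = []
    for seg_type, asns in segments:
        if seg_type == AS_SEQUENCE:
            hops.extend(asns)
        else:
            hops.append(frozenset(asns))
    return hops


@dataclass
class PathDecision:
    eligible: bool          # False: route is neither used nor re-announced
    path: Optional[list]    # the hop list the decision process would use
    reason: str


def evaluate_update(as_path: bytes, as4_path: Optional[bytes]) -> PathDecision:
    """Decide how a received route's AS path is used (assumed policy, see lead-in).

    - malformed AS_PATH: the route is ineligible (AS_PATH is mandatory)
    - malformed AS4_PATH: the route is marked ineligible, the session stays up
    - AS4_PATH longer than AS_PATH: AS4_PATH is ignored (RFC 4893 section 4.2.3)
    - otherwise the trailing hops of AS_PATH are replaced by AS4_PATH
    """
    try:
        hops = flatten(parse_as_path(as_path, 2))
    except MalformedPath as e:
        return PathDecision(False, None, "bad AS_PATH: %s" % e)
    if as4_path is None:
        return PathDecision(True, hops, "no AS4_PATH")
    try:
        hops4 = flatten(parse_as_path(as4_path, 4))
    except MalformedPath as e:
        return PathDecision(False, None, "bad AS4_PATH, route marked ineligible: %s" % e)
    if len(hops4) > len(hops):
        return PathDecision(True, hops, "AS4_PATH longer than AS_PATH, ignored")
    merged = hops[:len(hops) - len(hops4)] + hops4
    return PathDecision(True, merged, "AS4_PATH merged")


# Constructed sample attributes (not captured traffic): a three-hop path whose
# two downstream ASNs are 4-octet and therefore appear as AS_TRANS in AS_PATH.
SAMPLE_AS_PATH = bytes([AS_SEQUENCE, 3]) + struct.pack(">3H", 6939, AS_TRANS, AS_TRANS)
SAMPLE_AS4_PATH = bytes([AS_SEQUENCE, 3]) + struct.pack(">3I", 6939, 196608, 196609)
# The same AS4_PATH with its last ASN cut off: the count says 3, the body holds 2.
SAMPLE_AS4_PATH_TRUNCATED = SAMPLE_AS4_PATH[:-4]
# An AS4_PATH with more hops than AS_PATH, which RFC 4893 says to ignore.
SAMPLE_AS4_PATH_TOO_LONG = bytes([AS_SEQUENCE, 4]) + struct.pack(">4I", 6939, 196608, 196609, 196610)

if __name__ == "__main__":
    for name, a4 in [("good", SAMPLE_AS4_PATH), ("truncated", SAMPLE_AS4_PATH_TRUNCATED),
                     ("too long", SAMPLE_AS4_PATH_TOO_LONG)]:
        d = evaluate_update(SAMPLE_AS_PATH, a4)
        print(name, d.eligible, d.path, d.reason)
```

The point of the length checks in parse_as_path is the one Claudio and tico make: a count field that does not match the bytes actually present must be caught before the path is walked, and the response is scoped to the one route rather than the whole feed.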
Re: bgpd extension handling capabilities
> > I have applied the patch supplied by Henning, and now get the following in my bgpctl show neighbor
> >
> > Neighbor capabilities:
> >   Multiprotocol extensions: IPv4 Unicast (previously was unknown (128))
>
> yes, with my patch, we simply ignore the announcement and show the default.

Can this patch (along with IPv6) be considered for current?

Thanks,
g
Re: bgpd extension handling capabilities
Henning Brauer wrote:
> * Claudio Jeker [EMAIL PROTECTED] [2008-08-25 17:27]:
> > On Mon, Aug 25, 2008 at 03:54:27PM +0200, Henning Brauer wrote:
> > > * Graeme Lee [EMAIL PROTECTED] [2008-08-25 03:28]:
> > > > Yes but the safi's are handled during capability negotiation (in function parse_capabilities in session.c). Do I need to do more than just ignore the unknown safi's? Currently, the return (-1) in the mp_safi test never allows the connection to establish. Removing this at least allows the bgp session to function, but I'm not sure if that's all that's needed, or even if it's safe to do so.
> > >
> > > I don't remember exactly what the RFCs demanded. There is one for capabilities negotiation and one for the multiprotocol extensions. I guess the latter is the relevant one. if you could check what it says about the unknown safi case and it allows us to ignore them I am very willing to make that change :)
> >
> > RFC 2858 Section 7:
> >
> > A speaker that supports multiple <AFI, SAFI> tuples includes them as multiple Capabilities in the Capabilities Optional Parameter. To have a bi-directional exchange of routing information for a particular <AFI, SAFI> between a pair of BGP speakers, each such speaker must advertise to the other (via the Capability Advertisement mechanism) the capability to support that particular <AFI, SAFI> routes.
> >
> > I would say that unknown safi should be accepted in the capabilities but not during a bgp update. That would mean that your diff is not correct.
>
> huh? that is exactly what my diff does. it doesn't change the way we handle safis in updates - which means we might have to ignore unknown safis there too, didn't check whether we do that already.

Previously the check (and subsequent return (-1)) was a show stopper. bgpd works fine for the rest of the time.

Reading over RFC3397, section 3 covers the error handling. This is how I read it:

If you don't understand capabilities advertisements at all, you should terminate, and re-establish with no capabilities options.

If you don't understand a particular capability, you may choose to terminate, and send a message back to say which capability isn't supported (goto section 7). However, any particular capability is only supported if both peers advertise the same capability to each other.

I have applied the patch supplied by Henning, and now get the following in my bgpctl show neighbor

Neighbor capabilities:
  Multiprotocol extensions: IPv4 Unicast (previously was unknown (128))
  Route Refresh
Re: bgpd extension handling capabilities
Henning Brauer wrote:
> * Graeme Lee [EMAIL PROTECTED] [2008-08-21 03:31]:
> > Henning Brauer wrote:
> > > * Graeme Lee [EMAIL PROTECTED] [2008-08-21 01:51]:
> > > > I've had to connect to a new upstream peer which is advertising an IPv4 safi of 128 (MPLS-labelled VPN address) see http://www.iana.org/assignments/safi-namespace
> > > >
> > > > I've modified the source to temporarily ignore this (actually anything over 127) as it currently only accepts 1 thru 3. Once the session is established, everything works well.
> > > >
> > > > What I really need to know is if this is potentially A Huge Mistake, or should bgpd be able to ignore unsupported capabilities being advertised to it?
> > >
> > > the standards are pretty unclear about it, but the most logical interpretation is that we have to send back a notification telling the peer that we don't support this so capability negotiation actually works.
> > >
> > > what is the peer? first time i hear sth doesn't work w/ capa negotiation...
> >
> > The peer is NexGen networks. I gather they're using an Alcatel OS/R.
> >
> > All I've done to work around this at present is extended the test in session.c to ignore mp_safi 128 after the first test fails. Otherwise I just get this in the log every 30 seconds:
> >
> > Aug 19 11:01:30 gw-nexgen bgpd[22795]: neighbor 121.200.227.93 (NexGen): state change Idle -> Active, reason: Start
> > Aug 19 11:01:30 gw-nexgen bgpd[22795]: neighbor 121.200.227.93 (NexGen): state change Active -> OpenSent, reason: Connection opened
> > Aug 19 11:01:30 gw-nexgen bgpd[22795]: neighbor 121.200.227.93 (NexGen): parse_capabilities: AFI IPv4, mp_safi 128 illegal
> > Aug 19 11:01:30 gw-nexgen bgpd[22795]: neighbor 121.200.227.93 (NexGen): state change OpenSent -> Idle, reason: OPEN message received
>
> oh. you're not talking about a capability but a safi. otoh i don't really remember what the standards demand about that. we can probably ignore unknown safis there since that is just the neighbor telling us he would accept prefixes of that safi.

Yes but the safi's are handled during capability negotiation (in function parse_capabilities in session.c). Do I need to do more than just ignore the unknown safi's? Currently, the return (-1) in the mp_safi test never allows the connection to establish. Removing this at least allows the bgp session to function, but I'm not sure if that's all that's needed, or even if it's safe to do so.

BGP neighbor is 121.200.227.93, remote AS 38809
 Description: NexGen
  BGP version 4, remote router-id
  BGP state = Established, up for 5d00h00m
  Last read 00:00:02, holdtime 90s, keepalive interval 30s
  Neighbor capabilities:
    Multiprotocol extensions: IPv4 unknown (128)
    Route Refresh
bgpd extension handling capabilities
I've had to connect to a new upstream peer which is advertising an IPv4 safi of 128 (MPLS-labelled VPN address) see http://www.iana.org/assignments/safi-namespace I've modified the source to temporarily ignore this (actually anything over 127) as it currently only accepts 1 thru 3. Once the session is established, everything works well. What I really need to know is if this is potentially A Huge Mistake, or should bgpd be able to ignore unsupported capabilities being advertised to it? Any advice would be appreciated. g
Re: bgpd extension handling capabilities
Henning Brauer wrote:
> * Graeme Lee [EMAIL PROTECTED] [2008-08-21 01:51]:
> > I've had to connect to a new upstream peer which is advertising an IPv4 safi of 128 (MPLS-labelled VPN address) see http://www.iana.org/assignments/safi-namespace
> >
> > I've modified the source to temporarily ignore this (actually anything over 127) as it currently only accepts 1 thru 3. Once the session is established, everything works well.
> >
> > What I really need to know is if this is potentially A Huge Mistake, or should bgpd be able to ignore unsupported capabilities being advertised to it?
>
> the standards are pretty unclear about it, but the most logical interpretation is that we have to send back a notification telling the peer that we don't support this so capability negotiation actually works.
>
> what is the peer? first time i hear sth doesn't work w/ capa negotiation...

The peer is NexGen networks. I gather they're using an Alcatel OS/R.

All I've done to work around this at present is extended the test in session.c to ignore mp_safi 128 after the first test fails. Otherwise I just get this in the log every 30 seconds:

Aug 19 11:01:30 gw-nexgen bgpd[22795]: neighbor 121.200.227.93 (NexGen): state change Idle -> Active, reason: Start
Aug 19 11:01:30 gw-nexgen bgpd[22795]: neighbor 121.200.227.93 (NexGen): state change Active -> OpenSent, reason: Connection opened
Aug 19 11:01:30 gw-nexgen bgpd[22795]: neighbor 121.200.227.93 (NexGen): parse_capabilities: AFI IPv4, mp_safi 128 illegal
Aug 19 11:01:30 gw-nexgen bgpd[22795]: neighbor 121.200.227.93 (NexGen): state change OpenSent -> Idle, reason: OPEN message received

Changing the test allows bgpd to continue, and I can get the following at least:

# bgpctl show neigh
BGP neighbor is x, remote AS 38809
 Description: NexGen
  BGP version 4, remote router-id
  BGP state = Established, up for 1d01h50m
  Last read 00:00:04, holdtime 90s, keepalive interval 30s
  Neighbor capabilities:
    Multiprotocol extensions: IPv4 unknown (128)
    Route Refresh

  Message statistics:
                  Sent       Received
  Opens              1              1
  Notifications      0              0
  Updates            4          92476
  Keepalives      2522           3107
  Route Refresh      0              0
  Total           2527          95584

  Update statistics:
                  Sent       Received
  Updates            4         351083
  Withdraws          3          17886

  Local host:  121.200.227.94, Local port:  41277
  Remote host: 121.200.227.93, Remote port: 179
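The behaviour this thread converges on (an unknown SAFI in the peer's OPEN is recorded and ignored rather than tearing the session down, while NLRI for a pair that was never negotiated is refused at UPDATE time) as an added example for this page, not OpenBGPD's session.c: a parser for the OPEN Optional Parameters field per the RFC 3392 and RFC 2858 framing, a negotiation step, and the UPDATE-time check. The OPEN bytes are constructed to resemble the peer described above (IPv4 with SAFI 128 plus Route Refresh); the function names, SUPPORTED set and the fall-back to IPv4 unicast are assumptions of this example.

```python
import struct

OPT_PARAM_CAPABILITIES = 2      # RFC 3392 optional parameter type
CAP_MULTIPROTOCOL = 1           # RFC 2858 capability code
CAP_ROUTE_REFRESH = 2           # RFC 2918 capability code
AFI_IPV4, AFI_IPV6 = 1, 2
SAFI_UNICAST, SAFI_MULTICAST = 1, 2
AFI_NAMES = {AFI_IPV4: "IPv4", AFI_IPV6: "IPv6"}
SAFI_NAMES = {SAFI_UNICAST: "unicast", SAFI_MULTICAST: "multicast"}
# The (AFI, SAFI) pairs this speaker can actually carry in UPDATE messages (assumed).
SUPPORTED = {(AFI_IPV4, SAFI_UNICAST), (AFI_IPV6, SAFI_UNICAST)}


def parse_capabilities(optparams: bytes) -> dict:
    """Parse the Optional Parameters field of a BGP OPEN.

    Each parameter is <type:1><len:1><value>; a type-2 parameter carries one or
    more capabilities, each <code:1><len:1><value>. Unknown SAFIs are recorded,
    not rejected: the capability only says what the peer would accept from us.
    Length fields are checked against the bytes present before being trusted.
    """
    caps = {"mp": [], "route_refresh": False, "unknown_caps": []}
    i = 0
    while i < len(optparams):
        if len(optparams) - i < 2:
            raise ValueError("truncated optional parameter header")
        ptype, plen = optparams[i], optparams[i + 1]
        value = optparams[i + 2:i + 2 + plen]
        if len(value) != plen:
            raise ValueError("optional parameter length exceeds OPEN")
        i += 2 + plen
        if ptype != OPT_PARAM_CAPABILITIES:
            continue
        j = 0
        while j < len(value):
            if len(value) - j < 2:
                raise ValueError("truncated capability header")
            code, clen = value[j], value[j + 1]
            cvalue = value[j + 2:j + 2 + clen]
            if len(cvalue) != clen:
                raise ValueError("capability length exceeds parameter")
            j += 2 + clen
            if code == CAP_MULTIPROTOCOL:
                if clen != 4:
                    raise ValueError("multiprotocol capability must be 4 bytes")
                afi, _reserved, safi = struct.unpack(">HBB", cvalue)
                caps["mp"].append((afi, safi))
            elif code == CAP_ROUTE_REFRESH:
                caps["route_refresh"] = True
            else:
                caps["unknown_caps"].append(code)
    return caps


def describe_afi_safi(afi: int, safi: int) -> str:
    """Render a pair the way bgpctl shows it above, e.g. 'IPv4 unknown (128)'."""
    afi_s = AFI_NAMES.get(afi, "unknown AFI (%d)" % afi)
    safi_s = SAFI_NAMES.get(safi, "unknown (%d)" % safi)
    return "%s %s" % (afi_s, safi_s)


def negotiate(caps: dict):
    """Pick the (AFI, SAFI) pairs the session will carry.

    A pair is usable only if both sides support it (RFC 2858 section 7), so a
    pair we do not support is ignored rather than treated as an OPEN error.
    When nothing usable remains, fall back to IPv4 unicast, the default a peer
    without multiprotocol capabilities gets (assumed reading of "ignore the
    announcement and show the default").
    """
    usable = {pair for pair in caps["mp"] if pair in SUPPORTED}
    ignored = [pair for pair in caps["mp"] if pair not in SUPPORTED]
    if not usable:
        usable = {(AFI_IPV4, SAFI_UNICAST)}
    return usable, ignored


def accept_mp_nlri(afi: int, safi: int, negotiated) -> bool:
    """UPDATE-time check: MP_REACH/MP_UNREACH NLRI for a pair that was not
    negotiated is dropped. This, not the OPEN, is where an unknown SAFI is refused."""
    return (afi, safi) in negotiated


# Constructed OPEN optional parameters (not a capture), modelled on the peer in
# the thread: one multiprotocol capability for IPv4 / SAFI 128, then route refresh.
SAMPLE_OPEN_OPTPARAMS = (
    bytes([OPT_PARAM_CAPABILITIES, 8])
    + bytes([CAP_MULTIPROTOCOL, 4]) + struct.pack(">HBB", AFI_IPV4, 0, 128)
    + bytes([CAP_ROUTE_REFRESH, 0])
)

if __name__ == "__main__":
    caps = parse_capabilities(SAMPLE_OPEN_OPTPARAMS)
    usable, ignored = negotiate(caps)
    for afi, safi in caps["mp"]:
        print("peer advertised:", describe_afi_safi(afi, safi))
    print("negotiated:", sorted(usable), "ignored:", ignored)
    print("accept IPv4 SAFI 128 NLRI?", accept_mp_nlri(AFI_IPV4, 128, usable))
```

Claudio's distinction is visible in the two functions: negotiate() tolerates the unknown SAFI so the session reaches Established, and accept_mp_nlri() is the place that refuses prefixes of that SAFI should the peer send them anyway.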
Re: expansion of FAQ# 1.10 re OpenBSD as a desktop system
I use OpenBSD as a desktop everyday and I have an 'entertainment center' that delivers music, movies and arcade games which also runs OpenBSD. OpenBSD is very well suited to being a media center due to the lean default install and excellent package system.

On 10/12/07, Douglas A. Tutty [EMAIL PROTECTED] wrote:
> I've been evaluating OpenBSD as a desktop system while learning about it on my lesser (older) hardware. I've learned a lot and will continue to learn about OpenBSD but I don't think it will work as my primary desktop.
>
> Based on what I've learned here on Misc, I'd like to start a discussion about extending the answer to the OpenBSD FAQ # 1.10: Can I use OpenBSD as a Desktop System? While of course every potential new user has to evaluate OpenBSD for themselves, we could and I believe we should point out some of the more common tripping points found by people who end up not choosing OpenBSD for their desktop.
>
> As it exists right now it reads:
>
> # 8<--
> This question is often asked in exactly this manner -- with no explanation of what the asker means by desktop. The only person who can answer that question is you, as it depends on what your needs and expectations are.
>
> While OpenBSD has a great reputation as a server operating system, it can be and is used on the desktop. Many desktop applications are available through packages and ports. As with all operating systems decisions, the question is: can it do the job you desire in the way you wish? You must answer this question for yourself.
>
> It might be worth noting that a large amount of OpenBSD development is done on laptops.
> # 8<--
>
> I think the following paragraphs would enhance the FAQ to provide the person new to the OpenBSD focus a heads up on some of the difficulties.
>
> # 8<--
> However, it is also worth noting that some desktop needs and uses are incompatible with the focus of OBSD. There are currently no video cards that provide full specs to create open drivers for all hardware function, most notably 3D acceleration. While more than adequate for most uses of the X-Window system, performance while watching movies, playing games, or graphic design, may be suboptimal or not possible depending on your hardware and expectations. The use of binary blob drivers would introduce the potential for unknown security breaches and is not going to be supported on OpenBSD. The work is ongoing in the larger open-source community to both create open-source drivers that can access the full hardware potential of the video cards that are available, and there is some work to create new video cards that will be fully open and high performance. It just doesn't exist yet.
>
> Similarly, flash plugins in browsers cause untested code to run on the computer and introduce the potential for unknown security breaches, and are therefore not supported, other than as it already exists for the Opera browser.
>
> It depends therefore on what is meant by desktop. System administrators will likely be thrilled with OpenBSD on their desktop. However, a home user wanting an entertainment centre, a movie editor, a graphic designer, or a user requiring a multi-headed Computer Aided Drafting and Design system may find the tradeoffs made for security are too steep to use OpenBSD as their operating system on such computers and may choose to use a less secure operating system.
> # 8<--
>
> Does this seem like a fair addition?
>
> Doug.
Re: Thank you developers... 4.2 arrived in the mail today
Pre-order has made it all the way to New Zealand already - thanks to all.

On 10/7/07, Peter N. M. Hansteen [EMAIL PROTECTED] wrote:
> One other data point - My preordered 4.2 set arrived here in Bergen, Norway today. Excellent artwork as usual, and great song :)
>
> Cheers,
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/
> Remember to set the evil bit on all malicious network traffic
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: Thank you developers... 4.2 arrived in the mail today
I pre-ordered using the web form for international orders http://www.openbsd.org/orders.html with my new fangled credit card...;)

On 10/8/07, Josh [EMAIL PROTECTED] wrote:
> How did you order yours? I am in NZ too... Is there a way to just transfer money via internet banking or something?
>
> Graeme Neilson wrote:
> > Pre-order has made it all the way to New Zealand already - thanks to all.
> >
> > On 10/7/07, Peter N. M. Hansteen [EMAIL PROTECTED] wrote:
> > > One other data point - My preordered 4.2 set arrived here in Bergen, Norway today. Excellent artwork as usual, and great song :)
> > >
> > > Cheers,
> > > --
> > > Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> > > http://bsdly.blogspot.com/ http://www.datadok.no/ http://www.nuug.no/
> > > Remember to set the evil bit on all malicious network traffic
> > > delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
OpenBSD on a Dell PowerEdge SC1430 Server ?
Hi, I was wondering if anyone had any experience of OpenBSD on a Dell PowerEdge SC1430 Server? Specifically I am wondering if the SATA controller is supported. It doesn't seem to tell me what it is on the Dell site. I am considering putting two of these in it as well: Intel Pro/1000 PTx1 PCIe Single Port Copper Gigabit NIC (V9.0) These do not seem to be specifically mentioned on http://www.openbsd.org/i386.html but many other gigabit intel pro cards are supported. TIA Graeme
Re: Show your appreciation and get your 4.2 DVD
One ordered for NZ :) The wireframe puffy sticker from last time went on my Kawasaki. Maybe I'll have to buy a new bike for a new sticker...(dreaming of a ducati)

On 9/7/07, Theo de Raadt [EMAIL PROTECTED] wrote:
> > There's a wireframe puffy sticker with the audio cd? Gotta buy one now :P
>
> You've been missing out. What surprised me about the audio cd is that my non-geeky friends like it. OK, that didn't surprise me. It shocked me.
Re: Boot by USB thumb for installation
This is related and may be of interest to some ppl. I have posted some modifications to the excellent LiveCD instructions by Andreas Bihlmaier to create a Live USB (if you have a USB key thingie and you want to save space):

http://openbsd-wiki.org/index.php?title=LiveUSB

G

On 6/24/07, Alex Kwan [EMAIL PROTECTED] wrote:
> Hi!
>
> Because the laptop doesn't have a CD-ROM, can the OpenBSD boot by the USB thumb for installation? (the BIOS supported boot by USB hard disk).
>
> thanks!
Re: Install OSSIM in OpenBSD
Dimitri,

You have to build the server from source and then configure all the separate parts of the system - web interface, client agents, etc. It's pretty involved but to compile the server all I had to do was make two changes to the source:

- defined sb_addr16b in sim-inet.c
- edited out debug struct in sim-container.c

The included documentation on installing from source for Debian should be enough for you to set up the rest of the system. You'll probably find it simpler to set it up without a chrooted apache (man httpd) first and then try it with a chrooted apache.

Graeme

On 3/31/07, Dimitri [EMAIL PROTECTED] wrote:
> Today and discovered OSSIM and I wanted to install it in my openbsd, but port does not exist. Some way exists to install it in openbsd 3.9.
>
> Regards.
> Dimitri.-
> Anti-Linux, I live BSD life
> http://deoxy.spaces.live.com/
> http://deoxyt2.blogspot.com/
Re: OpenBSD 4.0 arrived in The Netherlands!
They have now made it all the way to New Zealand - pre ordering is the best.

On 10/26/06, Chris Smith [EMAIL PROTECTED] wrote:
> On 10/25/06, Frank [EMAIL PROTECTED] wrote:
> > Hello everyone,
> >
> > Five minutes ago my OpenBSD 4.0 cds, the three disks of freedom, have arrived here in The Netherlands! Many thanks to Wim Vandeputte and of course the OpenBSD team.
> >
> > Frank
>
> Got mine yesterday. Great system, great Asterix styling.
>
> Chris
Re: rc.local command for postgres
David B. wrote:
> trying to get postgres to start up at boot. found this at postgresql's site
>
> On OpenBSD, add the following lines to the file /etc/rc.local:
>
> if [ -x /usr/local/pgsql/bin/pg_ctl -a -x /usr/local/pgsql/bin/postmaster ]; then
>     su - -c '/usr/local/pgsql/bin/pg_ctl start -l /var/postgresql/log -s' postgres
>     echo -n ' postgresql'
> fi
>
> my pg_ctl and postmaster executables are at /usr/local/bin, and have modified the script accordingly. my script reads as follows:
>
> if [ -x /usr/local/bin/pg_ctl -a -x /usr/local/bin/postmaster ]; then
>     su - -c '/usr/local/bin/pg_ctl -D /WEBSITE/DATADIRECTORY start' postgres
> fi
>
> at boot the error thrown is
>
> No such login class: /usr/local/bin/pg_ctl -D /WEBSITE/DATADIRECTORY start

You may need to use

su postgres -c '/usr/local/bin/pg_ctl -D path start'

g

> the command I usually use after su'ing into postgres is:
>
> pg_ctl -D /WEBSITE/DATADIRECTORY start
>
> as /usr/local/bin is obviously in my PATH.
>
> Any Ideas?
> thanks
Re: OpenBSD as TV media center
I am using mediabox from https://www.umaxx.net/mediacat/. It is written in python and I customised the code to add xmame and it was very straightforward. Recommended.

On 10/1/06, Sam Fourman Jr. [EMAIL PROTECTED] wrote:
> Thank you Very Much I didn't see those I am going to give xawtv a try I was told to look for MythTV
>
> Thanks for your help
> Sam Fourman Jr.
>
> On 9/30/06, Josh Grosse [EMAIL PROTECTED] wrote:
> > On Sat, Sep 30, 2006 at 09:12:22PM -0500, Sam Fourman Jr. wrote:
> > > I am reasonably new to OpenBSD, I searched the ports tree but I am unsure if there is a application that would somehow allow me to setup a PVR to record TV I was looking for something like MythTV
> >
> > Both fxtv and xawtv are in the ports tree.
Re: Laptop recommendations
dell inspiron 8100

On 6/14/06, Christopher Snell [EMAIL PROTECTED] wrote:
> I'm still looking for a laptop. Does anybody know of a laptop that will do at least 1600x___ resolution and have rudimentary power management (ie., I can pull the AC plug and the laptop does not lock up)?
>
> Chris
>
> On 5/29/06, Theo de Raadt [EMAIL PROTECTED] wrote:
> > > On 5/26/06, Christopher Snell [EMAIL PROTECTED] wrote:
> > > > It seems like every major laptop manufacturer is locked into Intel CPU, graphics, WiFi, and sound and that there's no chance in hell that Intel will release specs on these. What is the future of laptop support for free Unicies? Will SpeedStep ever be reverse engineered? Are we forever doomed to barely-working laptops?
> > >
> > > umm, the graphics and sound for intel chipsets are completely documented. the correct way to use speedstep (est) is through acpi, which is also documented, even though we should now pretty much support every est cpu at least basically. the situation with wifi could be better, but if you download the firmware it works. you have either misappraised the situation, or your definition of barely working is very different than most people's.
> >
> > Intel is changing their ways. They got seriously hurt by NVidia and ATI taking over the video market, while simultaneously AMD hurt them on the processor side. The real enemy today is Nvidia (and ATI). Intel is trying to release documentation and open up as fast as they can to stay in the market. It's almost pathetic, but yes, it is benefiting us (as it should, and thus, us running on their machines benefits them, as it should).
Re: Laptop recommendations
I have had no problems from my 8100 and it has been going for years (touch wood!)

On 5/12/06, Sam Chill [EMAIL PROTECTED] wrote:
> On 5/11/06, Chris Cappuccio [EMAIL PROTECTED] wrote:
> > Pretty much any older dell that I try is very well supported, for what it's worth.
>
> I have noticed the same thing. I have a Dell Latitude c600 which goes for only a few hundred on ebay and works very well. Everything works but the winmodem.
Re: t-shirts
frantisek holop wrote: hi there, it is not my intention to pick a fight again about t-shirts, size, color, etc. but i was just wondering... the other day i went out in my puffy wireframe t-shirt and people who never heard of openbsd noticed it and expressed how nice and catchy it was. My wire frame t-shirt was pilfered... What more can I say? g
Re: Squid not starting on boot with ADSL
Luke Fogarty wrote:
> Hi
>
> Since moving from Cable to DSL, squid no longer starts on boot. I have the following entry in /etc/rc.local
>
>     #start squid
>     if [ -f /usr/local/squid/sbin/squid ]; then
>         echo -n ' Squid'
>         /usr/local/sbin/squid
>     fi
>
> I've also tried just having /usr/local/sbin/squid in there.
>
> For DSL I'm using a modem, and the OpenBSD box is creating a virtual tun0 interface and is making the PPPOE connection, I'm assuming it has something to do with this? I have the squid startup line AFTER the PPPOE connection line in rc.local.
>
> Squid starts fine once the machine has completely booted.
>
> I've checked /var/log/messages and /var/log/daemon but nothing of use in there as far as I can tell.
>
> Any guidance is appreciated!
>
> Regards
> Luke

Check the squid cache.log (/var/squid/cache.log for ports, /usr/local/squid/var/log for default prefix install). You may find out that it's not finding the dns when it starts up. If so, have a look at starting it with the -D switch.

g
Re: Binat and if-bound
Jason Dixon wrote:
> I'm working with a fairly sizable ruleset with a lot of inter-VLAN routing, so I've chosen to implement if-bound stateful tracking with anchors and tagging. For some reason, PF is failing to route the binat traffic to the internal host. In a typical case, the firewall itself accepts SSH connections for a binat alias on carp0 that it *should* be passing on into the internal address instead. What's really strange is that I can see the state counter increment for the filter rule, but not the binat.

Because binat changes the dest ip to your internal network, you need to pass based upon the internal ip destination

> The relevant anchor file:
>
> # Filter rules
> pass in on $ext_if inet proto tcp from any to $shell_ext port $shell_tcp_svcs flags S/SA tag DMZ_IN modulate state

pass in on $ext_if inet proto tcp from any to $shell_int port $shell_tcp_svcs .

> pass in on $ext_if inet proto icmp from any to $shell_ext icmp-type echoreq tag DMZ_IN keep state
> pass out quick on $int_if tagged DMZ_IN keep state
> pass in on $int_if tag DMZ keep state
>
> Thanks,
>
> --
> Jason Dixon
> DixonGroup Consulting
> http://www.dixongroup.net
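To show the point of that reply in one place, here is a complete pf.conf fragment added as an example (it is not Jason's anchor file). It uses the binat syntax of that era (before the 4.7 rewrite to binat-to), and the interface names and addresses are constructed placeholders.

```pf
# Added example, not from the thread. Names and addresses are placeholders.
ext_if = "carp0"
int_if = "vlan10"
shell_ext = "192.0.2.10"     # public alias answered on carp0
shell_int = "10.10.0.10"     # internal shell host
shell_tcp_svcs = "{ 22 }"

# 1:1 bidirectional mapping between the public alias and the internal host
binat on $ext_if from $shell_int to any -> $shell_ext

# pf translates before it filters, so by the time the filter rules see an
# inbound packet its destination is already $shell_int. A pass rule written
# against $shell_ext never matches the translated packet; the filter rule
# must name the internal address. The state counter on the $shell_int rule
# is the one that should increment.
pass in on $ext_if inet proto tcp from any to $shell_int \
    port $shell_tcp_svcs flags S/SA tag DMZ_IN modulate state
pass in on $ext_if inet proto icmp from any to $shell_int \
    icmp-type echoreq tag DMZ_IN keep state

# Tagged traffic is then released towards the internal VLAN
pass out quick on $int_if tagged DMZ_IN keep state
```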
Re: radius on openbsd
man Chan wrote:
> Hello, I would like to know where can I get the authentication users using LDAP via Radius as it seems unavailable at the openbsd journal. Any pointers ? Thanks.

Not sure about the ones in the ports tree, but freeradius works well: http://www.freeradius.org/
Re: Shared memory / SQL
Fine. If the pg team want to call their shared memory space a disk buffer, let them. And you can too. Anything committed to disk still has to traverse the os disk cache. So in reality, it depends upon how you balance parameters such as your os disk cache and your sql disk cache etc etc. I think we've flogged this enough now.

> This is absolute nonsense. The shared buffer cache is well understood, and the only way you will hurt performance by making it too big is by using up so much RAM that you start hitting swap, or by making it larger than your data plus the other usage. Unless perhaps your OS performs poorly with large shared memory allocations (does openbsd?).

Which is what the original poster asked, because they are saying that FreeBSD's shared memory management is superior (compared with what?) So, does OpenBSD page shared memory to disk if ram becomes full? If it does, can it be prevented?

G
Re: Shared memory / SQL
Adam wrote:
> On Fri, 19 Aug 2005 15:01:12 +1000 Graeme Lee [EMAIL PROTECTED] wrote:
>> I think I was talking about the disk buffer, not the shared buffer.
>
> You said it uses the os disk buffer and doesn't maintain its own.

its own disk buffer

> Everything that reads data from the filesystem uses the OS's buffer. Postgresql's shared buffer cache is used to cache data read from disk, so it is a disk cache maintained on its own. I think postgresql stores and purges data in the shared buffer cache with an understanding of table/column access, so you should get more benefit from using extra RAM there than increasing BUFCACHEPERCENT, not positive though.

The shared buffer is used by all the postmaster processes as a shared memory pool for selects/inserts/updates on the table space. The disk buffer is the next stage where the os decides what to do with reads/writes etc. Both are important, but you need to decide how to implement each caching scheme depending on the requirements of your application.

> Yes, but it's only the write-ahead log that is being flushed to disk, not the actual data files. So the performance hit isn't that bad, and it's needed to ensure that your data is not lost or corrupted if an

Almost. It needs to sync everything to disk at each checkpoint too.

> unclean shutdown happens. Also keep in mind that it's only flushed per transaction, so if you need to insert 10,000 rows, start a transaction first, do your inserts, then commit it and you will only get 1 fsync() instead of 10,000.
>
> Adam

Oh if only every transaction were that easy! :-)

Look, there are more buttons and knobs that you can twirl and fiddle with in any database application than you can poke a stick at. There are pros and cons for all of them. The original question was is OBSD's shared memory performance good enough? which I think it is in my case, but David may decide otherwise.

G
Re: Shared memory / SQL
Adam wrote:
> On Fri, 19 Aug 2005 17:08:36 +1000 Graeme Lee [EMAIL PROTECTED] wrote:
>
> This is very much off topic, but you seem to be misunderstanding me.
>
>> The shared buffer is used by all the postmaster processes as a shared memory pool for selects/inserts/updates on the table space. The disk buffer is the next stage where the os decides what to do with reads/writes etc.
>
> The shared buffer cache is used to cache data read from disk. In what way is that not a disk cache? Yes, the filesystem buffer cache is a disk cache too, I never said it wasn't. But your statement that postgresql does not maintain its own disk cache is simply wrong, the shared buffer cache is a disk cache, it caches data read from disk, to prevent future reads from disk.
>
> And the advice to increase BUFCACHEPERCENT is misguided. For a dedicated postgresql database server you are better off using extra RAM for postgresql's cache, not the filesystem's.

It was a suggestion. And the shared buffer cache is still not a disk cache.

http://www.varlena.com/varlena/GeneralBits/Tidbits/perf.html
http://www.powerpostgresql.com/PerfList/

Postgresql does have a disk cache. See above links

G
Re: Shared memory / SQL
David Hill wrote:
> Hello -
>
> I need to build a server that will run PostgreSQL 8, handling up to 150 connections. The current database size is roughly 2GB now with 2.8 million rows in its biggest table. This is expected to continue to grow steadily over time. The hardware I have to work with is a single 3Ghz p4 processor, 1GB RAM, and 2 36.7GB SCSI drives with a Dell Perc for doing RAID.
>
> How is OpenBSD's shared memory performance? Could it handle this type of load well? Many people suggest I go with FreeBSD instead because they say FreeBSD's shared memory performance is superior, something about a sysctl called kern.ipc.shm_use_phys to stop shared memory from swapping out and to use the physical ram instead, among a few other reasons.
>
> If OpenBSD would work just as well, I am sure I will have to increase the SHM* options in the kernel. Does OpenBSD have any barriers when it comes to that?
>
> Thanks for any help.
> David

Difficult to say. I run a Postgresql database server (dmesg at end). Similar specs, 2 x 2.4G Xeon, 1GB RAM, 2 x 36.7 GB SCSI (RAID 1). I run 2 separate database clusters (bound to separate ips) each with their connection limit set to 100 without issue. The biggest database is only 600 MB though. Its largest table has over 7.5 million lines (it's a log) which hardly ever gets searched. The rest is quite fast. So far I've never even come close to using swap space.

The biggest bottleneck is raid 1. It should have been raid 0 imho.

Postgresql uses the os disk buffer. It does not maintain its own. You may benefit by increasing the buffcachepct.
Here's a decent link on hardware performance tuning: http://www.postgresql.org/files/documentation/books/aw_pgsql/hw_performance/

Graeme
Re: Shared memory / SQL
Adam wrote:
> On Fri, 19 Aug 2005 12:28:20 +1000 Graeme Lee [EMAIL PROTECTED] wrote:
>> Postgresql uses the os disk buffer. It does not maintain its own.
>
> Yes it does. Postgresql uses a shared buffer cache, and increasing the number of shared buffers in your postgresql.conf can make a huge difference in performance. If your postgresql server has a lot of free RAM, you should be giving it more for its cache. The link you provided even talks about this quite a bit.
>
> Adam

I think I was talking about the disk buffer, not the shared buffer. My bad for not being explicit enough.

Also, back-pedalling here a bit... 'twould seem that fsync = true is the default setting flushing data to disk, which will always be a bit of a hit for writes. No?

G
Re: 2 internet links
Roberto Pereyra wrote:
> Hi
>
> Look http://www.openbsd.org/faq/pf/es/pools.html

Or you could potentially use the route-to option eg

    pass in on $link1_if reply-to ($link1_if $link1_defroute) proto icmp keep state
    pass in on $link2_if reply-to ($link2_if $link2_defroute) proto icmp keep state

I used this to route between 2 adsl links with 2 different assigned ip address ranges through 1 firewall running different services (citrix on one link and www/smtp/ftp etc on the other).

I honestly never thought of pools. Must check into it :-)

G

> roberto (regards)
>
> 2005/8/13, Diego Augusto Dalmolin [EMAIL PROTECTED]:
>> Hi...
>>
>> I've got an obsd 3.7 firewall and have 2 internet links on it. I don't want to make a load balance... just what comes from link#1 goes out with link#1, what comes from link#2 goes out with link#2. From an outside box I'm trying to ping link#2 IP.. the icmp echorequest comes from link#2 and the echoreply is trying to go out on link#1 (the default gateway). What can be made on pf.conf to fix this?
>>
>> --
>> Diego Augusto Dalmolin
>> (41) 9648-0882
Re: Ammunition needed to defend OpenBSD/pf
Rod.. Whitworth wrote:
> Somebody sent me a query asking for a justification for my proposal to supply a firewall/router using OpenBSD when there was this device: http://www.dlink.com/products/?pid=327 , with all its claimed bells and whistles.

Well, we connected a new client with straight ethernet via a Dlink DL-600 (which their previous isp made them buy). It just wouldn't work. I could see its mac address, but that was it. So I went there (7pm on Saturday night) and stuffed around with it for 1/2 an hour. Reset it. Reconfigured it etc. Zip. Nup. Nada. I plugged in a workstation and configured it and yep, it worked. I had a completely new OBSD firewall configured for them within 1/2 an hour. On a Saturday night. Oh, and the user interface on the dlink? Brain-dead would be a compliment.

> Anybody know what, if anything, it does that an OBSD solution doesn't/cannot, that may be important? Or alternatively the reverse.

I've started with SSL VPNs (OpenVPN based) which I have found to be very easy for clients to add to road-warrior machines.

> I'll be doing a bit more research on it too but hopefully somebody has some knowledge of the beast.
>
> Thanks,
> Rod/
>
> From the land down under: Australia.
> Do we look umop apisdn from up over?
> Do NOT CC me - I am subscribed to the list.
> Replies to the sender address will fail except from the list-server.
Re: ADSL connection (PPPoE)
Clint Pachl wrote:
>> Are there any issues I should consider before buying this modem? Will it work with Open3.7? I know it works fine with Linux.
>
> I highly doubt there will be any issues. The communication between the switch (built-in to the modem) and your OpenBSD box uses the TCP/IP protocol. The OS is not even an issue. Also, you will communicate with the modem via the http protocol for config stuff. BTW, I do not own and have never used this modem, so YMMV.

Does the modem support bridging?

>> Are there any issues I should consider before taking the connection from the service provider? Any other technical details?
>
> None serious enough to mention.
>
>> I really want my ADSL connection to work with Open3.7.
>
> It will.
>
> Does this guy even need a modem? Don't you need a modem if you want to do ordinary 56k dialup? (I know I should start a new thread with this, but here we go) Can't an OpenBSD box handle a PPPoE/PPPoA connection directly? I recently setup a VPN between two networks with DSL connections where the modems make a PPPoA connection. An OpenBSD box resides behind each modem. Basically, the modem gets an IP address dynamically, does the authentication, and gets the block of static IPs, one of which the OBSD box gets. So I was thinking, couldn't the OBSD box theoretically make the connection and eliminate the modem altogether?

If your adsl modem supports bridging, you may most likely be able to run pppoe directly from OpenBSD. Telstra Internet Direct works really well. Here's the ppp.conf entry:

    pppoe:
     set device !/usr/sbin/pppoe -i <your external interface>
     set mtu max 1492
     set mru max 1492
     set speed sync
     disable acfcomp protocomp
     deny acfcomp
     set authname <your username>
     set authkey <your secret>
     set ifaddr <your permanent IP> <your default gateway>
     add! default HISADDR

The modem's a d-link 504g. Nothing exciting. But it bridges and I do everything else on my obsd box.

> Regards,
> Clint Pachl