Re: OpenBSD on VMware ESXi

2019-05-22 Thread mxb
I think the FreeBSD or any Linux template will work just fine; then add vmxnet3.
However, last I checked (1 year ago) vmxnet3 has been less stable than e1000 under
pressure.

Sent from my iDevice

> On 22 May 2019, at 13:47, Reyk Floeter wrote:
> 
>> On Wed, May 22, 2019 at 01:43:35PM +0200, Janne Johansson wrote:
>> On Wed 22 May 2019 at 12:52, Roderick wrote:
>> 
>>> Hallo!
>>> As far as I read on the WWW, OpenBSD does run on VMware ESXi out of the box.
>>> What runs better on an amd64 virtual machine, i386 or amd64?
>>> Are there reasons to prefer one over the other?
>>> 
>> 
>> The ESX template for 64-bit comes with more recent "hardware" in the
>> environment IIRC, so there will be less tweaking of the supplied virtualized
>> hardware if you select a 64-bit guest instead of 32-bit.
>> Apart from that, 64-bit is better on both virtual and real hw.
>> 
> 
> But unfortunately, there is no openbsd template.  So use "Other 64bit"
> and enable vmxnet3 manually, as mentioned in vmx(4):
> 
> The following entry must be added to the VMware configuration file to
> provide the vmx device:
> 
>   ethernet0.virtualDev = "vmxnet3"
> 
> This is much better than the e1000 emulation.
> 
> Reyk
> 



Re: Upgrade 6.0 -> 6.1: ix mmba is not mem space

2018-05-31 Thread mxb
With a -stable kernel and a modded syspatch I was able to pull down all the patches
I needed to bring this machine fully up to date.

Sent from my iDevice

> On 30 May 2018, at 18:59, Stuart Henderson wrote:
> 
>> On 2018-05-30, Maxim Bourmistrov  wrote:
>> I ended up with a -stable kernel and syspatch refusing to pull down patches, 
>> but this is another story.
> 
> syspatch is only for releases or systems which have been syspatch'ed directly
> from a release - it can't work with -stable, own-built kernels or kernels
> modified with config(8).
> 
> 



Re: Upgrade 6.0 -> 6.1: ix mmba is not mem space

2018-05-30 Thread mxb
Reverting if_ix.c to rev 1.139 brought ix back to life.

Sent from my iDevice

> On 29 May 2018, at 21:36, Maxim Bourmistrov wrote:
> 
> Diff, discussed in the thread, seems to follow all the way to 6.3.
> Sure I probably can try out 6.3, but I have a feeling that this will not help.
> 
> dmesg can be arranged.
> 
> Br 
> 
>> On 29 May 2018, at 20:56, Chris Cappuccio wrote:
>> 
>> No magic expected here, but why not try 6.3? 6.1 is not supported anymore, 
>> and in any event, you need to include full dmesg so that others without 
>> DL360 Gen9 have a chance at helping you.
>> 
>> Maxim Bourmistrov [m...@alumni.chalmers.se] wrote:
>>> Hey,
>>> While moving one of the machines from 6.0 to 6.1, I found that 6.1 was not able to
>>> attach the ix device.
>>> The machine is an HP DL360 Gen9.
>>> 
>>> ix0 at pci5 dev 0 function 0 "Intel 82599" rev 0x01: mmba is not mem space
>>> ix1 at pci5 dev 0 function 1 "Intel 82599" rev 0x01: mmba is not mem space
>>> 
>>> Found this thread
>>> http://openbsd-archive.7691.n7.nabble.com/OpenBSD-6-1-ix-Intel-82598EB-issue-td317072.html
>>>
>>> and as far as I can see, this diff is in tree, but not helping here :(
>>> 
>>> Any clues? 
>>> 
>>> 4:0:1: Intel 82599
>>>  0x: Vendor ID: 8086 Product ID: 10fb
>>>  0x0004: Command: 0147 Status: 0010
>>>  0x0008: Class: 02 Subclass: 00 Interface: 00 Revision: 01
>>>  0x000c: BIST: 00 Header Type: 80 Latency Timer: 00 Cache Line Size: 10
>>>  0x0010: BAR mem 32bit addr: 0x92c0/0x0010
>>>  0x0014: BAR empty ()
>>>  0x0018: BAR io addr: 0x2000/0x0020
>>>  0x001c: BAR mem 32bit addr: 0x92e0/0x4000
>>>  0x0020: BAR empty ()
>>>  0x0024: BAR empty ()
>>>  0x0028: Cardbus CIS: 
>>>  0x002c: Subsystem Vendor ID: 103c Product ID: 17d0
>>>  0x0030: Expansion ROM Base Address: 
>>>  0x0038: 
>>>  0x003c: Interrupt Pin: 01 Line: ff Min Gnt: 00 Max Lat: 00
>>>  0x0040: Capability 0x01: Power Management
>>>  State: D0 PME# enabled
>>>  0x0050: Capability 0x05: Message Signalled Interrupts (MSI)
>>>  0x0070: Capability 0x11: Extended Message Signalled Interrupts (MSI-X)
>>>  0x00a0: Capability 0x10: PCI Express
>>>  Link Speed: 5.0 / 5.0 GT/s Link Width: x8 / x8
>>>  0x0100: Enhanced Capability 0x01: Advanced Error Reporting
>>>  0x0140: Enhanced Capability 0x03: Device Serial Number
>>>  0x0150: Enhanced Capability 0x0e: Alternate Routing ID
>>>  0x0160: Enhanced Capability 0x10: Single Root I/O Virtualization
>>>  0x00e0: Capability 0x03: Vital Product Data (VPD)
>>> 
>>> Br
>>> 
>>> 
> 
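A small parser, added here and not part of the thread, for the pcidump -v BAR lines quoted above. ix(4) prints "mmba is not mem space" when it cannot map BAR0 as memory space, so the BAR type in the dump is the first thing to read; the excerpt below is constructed with made-up addresses and only mirrors the layout of the ix0 dump (BAR0 is a 32-bit memory BAR, BAR2 is I/O).

```python
import re
from typing import Dict, List, Optional

# Constructed pcidump -v excerpt (made-up addresses); the BAR layout mirrors
# the ix0 dump quoted in the thread: BAR0 mem 32bit, BAR2 io, BAR3 mem 32bit.
SAMPLE_PCIDUMP = """\
 4:0:1: Intel 82599
\t0x0000: Vendor ID: 8086 Product ID: 10fb
\t0x0010: BAR mem 32bit addr: 0xf7a00000/0x00100000
\t0x0014: BAR empty (00000000)
\t0x0018: BAR io addr: 0x2000/0x0020
\t0x001c: BAR mem 32bit addr: 0xf7e00000/0x00004000
\t0x0020: BAR empty (00000000)
\t0x0024: BAR empty (00000000)
"""

# One BAR line as pcidump prints it: config offset, kind, optional
# "prefetchable" flag, optional width, and an optional "addr: base/size" pair.
BAR_RE = re.compile(
    r"^\s*0x(?P<off>[0-9a-f]{4}): BAR (?P<kind>mem|io|empty)"
    r"(?: (?P<pref>prefetchable))?(?: (?P<width>32bit|64bit))?"
    r"(?: addr: 0x(?P<addr>[0-9a-f]+)/0x(?P<size>[0-9a-f]+))?",
    re.IGNORECASE,
)


def parse_bars(dump: str) -> List[Dict[str, Optional[object]]]:
    """Return one dict per BAR slot found in a pcidump -v dump."""
    bars = []
    for line in dump.splitlines():
        m = BAR_RE.match(line)
        if m is None:
            continue
        off = int(m["off"], 16)
        bars.append({
            "index": (off - 0x10) // 4,  # BAR0 lives at 0x10, BAR1 at 0x14, ...
            "kind": m["kind"].lower(),
            "width": m["width"].lower() if m["width"] else None,
            "prefetchable": m["pref"] is not None,
            "addr": int(m["addr"], 16) if m["addr"] else None,
            "size": int(m["size"], 16) if m["size"] else None,
        })
    return bars


def classify_bar0(bars: List[Dict[str, Optional[object]]]) -> str:
    """Say what BAR0 tells us about an "mmba is not mem space" attach failure.

    Returns one of "missing", "not-mem", "unassigned" or "mem-ok".
    """
    bar0 = next((b for b in bars if b["index"] == 0), None)
    if bar0 is None:
        return "missing"     # no slot at 0x10 in the dump: it is incomplete
    if bar0["kind"] != "mem":
        return "not-mem"     # io or empty: the driver's complaint is literal
    if not bar0["addr"]:
        return "unassigned"  # mem BAR with base 0: firmware never assigned it
    return "mem-ok"          # mem BAR assigned: suspect the mapping path instead


def describe(dump: str) -> str:
    """Human-readable BAR table plus the BAR0 verdict."""
    bars = parse_bars(dump)
    lines = [
        f"BAR{b['index']}: {b['kind']}"
        + (f" {b['width']}" if b["width"] else "")
        + (f" base={b['addr']:#x} size={b['size']:#x}" if b["addr"] is not None else "")
        for b in bars
    ]
    lines.append(f"BAR0 verdict: {classify_bar0(bars)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(SAMPLE_PCIDUMP))
```

On a live system, feed it the output of `pcidump -v` for the device instead of the constructed sample.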



Re: 6.0-stable panic

2016-12-08 Thread mxb
Just curious if there is anything new around this problem.
I have -stable from mtier.org.
relayd lives in a dynamic environment, so new relays are added quite often.

Thus with reload or restart I can trigger this very often as well.

The question is whether there are any diffs which can be applied to -stable to dump
more info and hopefully resolve this long-standing bug?
Sorry, but -current is not an option anymore to run there.

I’m happy to pull those in, apply and trigger.

br
//mxb

> On 21 sep. 2016, at 10:44, mxb <m...@alumni.chalmers.se> wrote:
>
> Panic is very similar to
>
> https://www.mail-archive.com/tech@openbsd.org/msg32608.html
>
> Panic happened during restart of relayd.
>
> System is up to date with errata up to 004. Runs relayd, ospfd, bgpd.
> no Tor, no transparent stuff.
>

Re: IPSec

2016-11-28 Thread mxb
> On 28 nov. 2016, at 20:49, Damian McGuckin <dami...@esi.com.au> wrote:
>
> While I am here, I still see on the passive IPSec Port 500 traffic
>
>   got AES_CBC, expected 3DES_CBC

Running 'isakmpd -L' will produce more debug info.
Later this can be processed by tcpdump:
# tcpdump -n -vs 1440 -r /var/run/isakmpd.pcap

All this info actually came from Stuart originally.

//mxb



Re: Recommendation for firewall appliance running of and OpenBSD

2016-11-25 Thread mxb
Looks nice. Like a Soekris x2 + Kerberos case.
What I miss on all those boards is dedicated IPMI.

Otherwise, with IPMI, those would be perfect products for a remote small office.

//mxb

> On 25 nov. 2016, at 15:01, Bob Jones <r.a.n.d.o.m.d.e.v.4+openbsdm...@gmail.com> wrote:
>
> Try the NetBoard A-10 and any of the products built on top of it :
> https://www.deciso.com/
>
> Comes with a version of FreeBSD running on it, but you can get OpenBSD
> on there via the console port, no probs.



Re: IPSec

2016-11-24 Thread mxb
You should be able to.
As far as I understand, ipsec.conf gets “translated” to isakmpd.conf.

I use both.
What I have in isakmpd.conf is:

[General]
DPD-check-interval = 60

Works fine.

//mxb

> On 24 nov. 2016, at 22:58, Damian McGuckin <dami...@esi.com.au> wrote:
>
> Can you mix the use of 'isakmpd.conf' and 'ipsec.conf'?
>
> I currently use the former for port 500 stuff. We use both predefined
> network-to-network IPSec links with pre-shared secrets and also dynamic, i.e.
> negotiated, network-to-network links. The thought of figuring out how to do
> both with IPSec, especially the latter, which does not seem to be documented
> with examples, fills me with dread.
>
> I have just figured out how to allow L2TP/IPSec connections, which demands the
> use of the latter.
>
> I would love to use both concurrently if I can?
>
> Has anybody got any experience with both working well together?
>
> Thanks - Damian
>
> Pacific Engineering Systems International, 277-279 Broadway, Glebe NSW 2037
> Ph:+61-2-8571-0847 .. Fx:+61-2-9692-9623 | unsolicited email not wanted here
> Views & opinions here are mine and not those of any past or present employer



Re: Recommendation for firewall appliance running of and OpenBSD

2016-11-24 Thread mxb
As far as I know, Halon cuts the number of IPSec tunnels on the free version.


> On 24 nov. 2016, at 21:21, Joe Crivello  wrote:
> 
>> Can somebody please recommend me a firewall appliance that can run OpenBSD and
>> pf, and can be upgradeable to the latest version? It would be a great plus if
>> the appliance can also be configured as part of a CARP firewall group.
> 
> 
> http://securityrouter.org/
> 
> Great product.



relayd with multiple pools

2016-11-23 Thread mxb
Hello list,
the following relayd setup exists in prod:

relay int_health_check {
    listen on 127.0.0.1 port 78
    protocol http_relay
    forward to  port 80 mode roundrobin check http "/" code 200
    forward to  port 80 mode roundrobin check http "/" code 503
    forward to  port 80 mode roundrobin check http "/" code 301
    forward to  port 9800 mode roundrobin check http "/" code 503
}

table  { 192.168.10.31 parent 1, 192.168.10.32 parent 2, \
192.168.10.33 parent 3, 192.168.10.34 parent 4, \
192.168.10.35 parent 5, 192.168.10.36 parent 6 \
}

table  { 10.2.128.34 parent 9, 10.2.128.35 parent 10, \
10.2.128.36 parent 11, 10.2.128.37 parent 12, \
10.2.128.38 parent 13, 10.2.128.39 parent 14 \
}

table  { 192.168.10.83 parent 7, 192.168.10.84 parent 8 }

The dance above, if unclear, is done to cut down the number of health checks per
relay and copy the state of the machines into each relay using those pools. We have
several relays. Below is one of those.

relay se_m_tls {
    listen on $VIP22 port 443 tls
    listen on $VIP23 port 443 tls
    protocol tls_accel
    forward to  port 80 mode roundrobin check http "/" code 200
    forward to  port 80 mode roundrobin check tcp
    forward to  port 80 mode roundrobin check tcp
}

The idea here is obvious: fall through until the client reaches
.

With relay above, status is following:
m_vm_pool is enabled
m_hw_pool is disabled
fallback_copy is enabled

We decided to test fallback_copy and thus I disabled m_vm_pool as well. The
expected result is that all traffic should end up in fallback_copy and display a
very simple index.html. The actual result is that the relay continued to operate
as usual, e.g. serving PHP-generated content.
This test was done from a different location, so no previous states existed in
PF. E.g. disable first, then surf.

Is this expected behavior?

I also noted that if I disable a parent table, e.g. , hosts within the pool never
get status UNKNOWN and thus appear UP in all child tables ().
My understanding is that if a table is disabled, relayd will stop checking hosts
within the table and those eventually should switch status to UNKNOWN, as well as
the rest in child tables using this parent table.
As in the test above, disabling a child table should override the status of hosts
within the table and those should become UNKNOWN, which should prevent usage of
this child table.


Any clarification regarding this scenario is appreciated.

P.S.
This is 6.0-stable

Br
//mxb



Re: Allow FTP through Openbsd firewall

2016-10-28 Thread mxb
It depends on the client software, but you should be able to use passive
mode.

man 1 ftp:

     -p  Enable passive mode operation for use behind connection filtering
         firewalls.  This option has been deprecated as ftp now tries to use
         passive mode by default, falling back to active mode if the server
         does not support passive connections.

> On 28 Oct. 2016, at 08:55, Mik J wrote:
>
> Hello,
>
> I have FTP clients behind my OpenBSD firewall and they want to access ftp
> sites on the internet.
>
> I have read numerous documentations but haven't found the answer yet.
>
> * I start the ftp-proxy like this
> /usr/sbin/ftp-proxy -D7 -v
>
> * I have rules in my pf.conf
> anchor "ftp-proxy/*"
> pass in quick on $int_if inet proto tcp from $lan to any port 21 divert-to 127.0.0.1 port 8021
> pass out quick on $ext_if inet proto tcp from $ext_add to any port 21
>
> I filter both interfaces lan and wan on my firewall
>
> I'm able to connect to an ftp server from inside the lan, but when I do the
> command ls it fails.
> Of course, this is normal because there is no rule that allows the ftp data
> (passive) to go out and the packets are dropped when they try to go out of the
> firewall's external interface.
> Oct 28 08:21:00.471990 rule 0/(match) block out on vmx0: 37.187.79.88.56327 > x.x.x.x.39046: S 1161913180:1161913180(0) win 16384
>
>
> * My question
> The ftp data channel connects to an unknown server and an unknown port. I
> don't want to open a large range of ports on my external firewall's
> interface.
> How can I only allow a specific set of outgoing ports when the connection is
> initiated by the ftp-proxy only?



OpenBSD 6.0-stable: uvm_mapent_alloc: out of static map entries

2016-10-26 Thread mxb
Hey,
I'm seeing the following in dmesg:

uvm_mapent_alloc: out of static map entries

Wasn't it fixed so that the system dynamically adjusts this, or do I still need to
increase it and re-compile the kernel?

P.S.
I have plenty of RAM (15G free) on this box.


//mxb



Re: what all touches the carp demote counter?

2016-10-12 Thread mxb
> On 11 Oct. 2016, at 23:56, Paul B. Henson <hen...@acm.org> wrote:
>
> Does pfsync fiddle with the carp
> demotion value even if it's not configured?


No.
But as R0me0 stated, you should probably re-check your configuration.

carp.preempt=1 (in /etc/sysctl.conf) on both nodes; if not, the
node which took over the master role will stay master until it goes down.

All default recommendations/“best practice” are in man pages.

//mxb



Re: Failure to get unbound to talk to nsd on the same server

2016-10-11 Thread mxb
Try to use forward-zone instead of stub-zone in unbound.conf:

forward-zone:
    name: "abc.com"
    forward-addr: 127.0.0.1


> On 10 Oct. 2016, at 23:42, Johan Mellberg wrote:
>
> Hi all,
>
> I am setting up a fresh OpenBSD 6.0 server in a KVM VM to serve my
> home network with DNS. I have a custom zone (only for LAN use) set up
> and previously used BIND successfully (but that VM crashed and its
> disk was hosed...) both as authoritative and caching/resolving.
>
> So now I am trying to learn to set up NSD to be authoritative for my
> small zone and Unbound to serve the LAN with all other queries. But
> there is a problem:
>
> 1. Unbound successfully responds to queries and provides lookup to the
> LAN machines for "the internet".
> 2. NSD successfully responds to queries for the custom zone.
> 3. But I cannot get Unbound to get a reply from NSD...
>
> I have tried multiple combinations of ports and interface bindings and
> I suspect that I am missing something simple here. Currently I have
> set NSD to listen on 127.0.0.1 and Unbound listens on 192.168.x.91 -
> so there should not be a conflict. In fact it works fine if I use dig
> @localhost  and dig @192.168.x.91 
> respectively, but the second version only provides an answer-less
> response if asked for a LAN hostname.
>
> Unbound is set to ask localhost for the stub zones, forward and reverse.
>
> And, yes, I could of course use Unbound to serve my local zone and
> drop NSD - but that would be giving up... It's supposed to work from
> all I read! :-)
>
> I have also tried having NSD listen on 127.0.0.1@5353, and telling
> unbound to use that as the stub-address, while then having Unbound
> listen on 127.0.0.1 as well as 192.168.x.91 to be able to set
> 127.0.0.1 as the nameserver in /etc/resolv.conf. Same result except I
> can't test NSD with dig as it can't use an alternative port.
>
> A possibly related question: I can't seem to be able to use
> shortnames. The domain part should be picked up from the host name as
> given in /etc/myname, but that does not seem to work as I expect, I
> always have to provide the FQDN. Again something I have missed
> perhaps?
>
> Anyway, I am staring blindly at the config files now and really need
> help figuring it out. I have removed all that is commented, otherwise
> it's the default except for changes of course.
>
> Thanks for any clue bats coming my way...
> /Johan
>
> * resolv.conf
> lookup file bind
> nameserver 192.168.x.91
>
> # cat /etc/myname
> dns03.my.domain
>
> # cat /etc/hosts
> 127.0.0.1   localhost
> ::1 localhost
> 192.168.x.91   dns03.my.domain dns03
>
> # cat /var/unbound/etc/unbound.conf
> # $OpenBSD: unbound.conf,v 1.7 2016/03/30 01:41:25 sthen Exp $
>
> server:
>     interface: 192.168.x.91
>     interface: ::1
>     do-not-query-localhost: no
>
>     access-control: 192.168.x.64/24 allow
>     access-control: 127.0.0.0/8 allow
>     access-control: 0.0.0.0/0 refuse
>     access-control: ::0/0 refuse
>     access-control: ::1 allow
>
>     hide-identity: yes
>     hide-version: yes
>
>     # Uncomment to enable DNSSEC validation.
>     #
>     auto-trust-anchor-file: "/var/unbound/db/root.key"
>
>     root-hints: /var/unbound/etc/root.hints
>
> remote-control:
>     control-enable: yes
>     control-use-cert: no
>     control-interface: /var/run/unbound.sock
>
> stub-zone:
>     name: "my.domain"
>     stub-addr: 127.0.0.1
> stub-zone:
>     name: "x.168.192.in-addr.arpa"
>     stub-addr: 127.0.0.1
>
> # cat /var/nsd/etc/nsd.conf
> # $OpenBSD: nsd.conf,v 1.11 2015/04/12 11:49:39 sthen Exp $
>
> server:
>     hide-version: yes
>     verbosity: 1
>     database: "" # disable database
>
>     ## bind to a specific address/port
>     ip-address: 127.0.0.1
>
> remote-control:
>     control-enable: yes
>
> zone:
>     name: "my.domain"
>     zonefile: "master/my.domain"
> zone:
>     name: "x.168.192.in-addr.arpa"
>     zonefile: "master/192.168.x.rev"



Re: what all touches the carp demote counter?

2016-10-11 Thread mxb
A Master-Backup setup with pfsync in place means that you synchronize states
between boxes.
When Master is rebooted, it becomes out of sync when it comes to states.
So until it is in sync with Backup (which became Master after the reboot), it will
not become Master.

This process is automatic. Just need to wait.

//mxb

> On 11 Oct. 2016, at 03:58, Paul B. Henson <hen...@acm.org> wrote:
>
> On Mon, Oct 10, 2016 at 09:43:56PM -0300, R0me0 *** wrote:
>
>> Did you adjust advskew value on the machine you want to be Backup ?
>
> Yes, the backup has an advskew of 5 and the primary an advskew of 1. As
> I mentioned, when I first configured the interfaces by hand the two
> systems properly negotiated master/backup roles, it was only after I
> rebooted the one that was supposed to be primary on this interface that
> it came up as backup, and I traced it to the fact that the carp demote value
> was set to 2. When I manually changed the carp demote value to 0, the
> system once again pre-empted the master role on the interface.
>
> I'm just not sure what is twiddling with the carp demotion value. Unless
> ospfd does it by default? The man page for the config file reads like it
> would only do it if you explicitly include the demote keyword in the
> area or interface section.
>
> Thanks for the suggestion though.



Re: 6.0-stable panic

2016-09-30 Thread mxb
Thanks for the tip, Stuart.
I’ll take a look at it.

> On 30 sep. 2016, at 03:40, Stuart Henderson <s...@spacehopper.org> wrote:
>
> On 2016-09-29, mxb <m...@alumni.chalmers.se> wrote:
>> Unfortunately, this is a remote, IPMI machine - no kbd while it is in ddb
>
> Many machines with IPMI do give you keyboard in ddb. It may be worth
> disabling usb3 in bios. Not certain if it will help but maybe. Or switch
> to serial-over-lan instead of IPMI KVM and configure the machine for
> serial console on the port connected to the KVM (there's an example
> for how to connect from client-side in the conserver port; I just run
> all my consoles on conserver so I don't have to remember whether
> they're IPMI SOL or real cereal console..).
>
>> (supermicro branded java crap).
>
> Other than serial-over-lan, ports/net/noVNC is fairly likely to work for
> connecting to KVM on this machine. Then it's html5+websockets crap instead,
> but at least it's a bit less unpleasant than java.



Re: unbound and truly multihomed setup

2016-09-29 Thread mxb
Have you tried playing around with the ports nsd/unbound listen on?

//Мэксб

> On 29 sep. 2016, at 09:48, Gregory Edigarov  wrote:
>
> Hi,
>
> Need some advice.
>
> I have a bgp router with 3 interfaces:
>
> em0 (xxx.yyy,zzz.1/24),
> em1, em2 - looking at uplinks
>
> bgp is up and running, packets are forwarded just fine. Also there is nsd,
> listening on both em1,em2 serving my reverse zone.
>
> so far everything works.
>
> now I want this host to also be a resolver for the lan that sits on
> xxx.yyy,zzz.1
>
> here is what I have in unbound.conf
>
>
> server:
>     verbosity: 1
>     outgoing-interface: 0.0.0.0
>     interface: 127.0.0.1
>     interface:
>     access-control: 127.0.0.0/8 allow
>     access-control: xxx.yyy.zzz.0/24 allow
>     access-control: ::1 allow
>     access-control: :::127.0.0.1 allow
>     root-hints: /etc/unbound/root.hints
>
> some hosts are resolving correctly, for example google.com, but many have
> SERVFAIL.
>
> if I have
> outgoing-interface: xxx.yyy.zzz.1
>
> nothing works.
>
>
> so the question is: how to make unbound work in such setup?
>
> thank you.
>
> --
>
> With best regards,
>
>Gregory Edigarov



Re: 6.0-stable panic

2016-09-29 Thread mxb
Yet another one with “rcctl stop relayd”.
Same or similar trace.

Unfortunately, this is a remote IPMI machine - no kbd while it is in ddb
(supermicro branded java crap).
And it is also in production. It gets stuck in “sync disk” and does not reboot afterwards
(don’t drop to ddb is ON on this machine).
Nor have I seen it overwrite /var/crash. Should it?

//mxb

> On 21 sep. 2016, at 11:00, Martin Pieuchot <m...@openbsd.org> wrote:
>
> On 21/09/16(Wed) 10:44, mxb wrote:
>> Panic is very similar to
>
> So far no developer have a clue how to reproduce this panic.  It's a
> long standing bug that is now being exposed.  Without knowing what
> triggers it we are stuck.
>
>>
>> https://www.mail-archive.com/tech@openbsd.org/msg32608.html
>>
>> Panic happened during restart of relayd.
>>
>> System is up to date with errata up to 004. Runs relayd, ospfd, bgpd.
>> no Tor, no transparent stuff.
>>

Re: 6.0-stable panic

2016-09-21 Thread mxb
Where do you see the word “solution” in the thread pointed out by the URL?

> On 21 sep. 2016, at 10:50, Mihai Popescu  wrote:
>
>> Panic is very similar to
>
> So the solution must be very similar to ... too!



6.0-stable panic

2016-09-21 Thread mxb
Panic is very similar to

https://www.mail-archive.com/tech@openbsd.org/msg32608.html


Panic happened during restart of relayd.

System is up to date with errata up to 004. Runs relayd, ospfd, bgpd.
no Tor, no transparent stuff.

OpenBSD 6.0-stable (GENERIC.MP) #0: Sun Sep  4 11:02:11 CEST 2016
root@lb1.:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 17051353088 (16261MB)
avail mem = 16530104320 (15764MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xed8a0 (122 entries)
bios0: vendor American Megatrends Inc. version "1.0b" date 01/06/2015
bios0: Supermicro X10DRT-PT
acpi0 at bios0: rev 2
acpi0: sleep states S0 S4 S5
acpi0: tables DSDT FACP APIC FPDT FIDT SPMI MCFG UEFI BDAT HPET MSCT PMCT SLIT SRAT WDDT SSDT SSDT SSDT PRAD DMAR HEST BERT ERST EINJ
acpi0: wakeup devices IP2P(S4) EHC1(S4) EHC2(S4) RP01(S4) RP02(S4) RP03(S4) RP04(S4) RP05(S4) RP06(S4) RP07(S4) RP08(S4) BR1A(S4) BR1B(S4) BR2A(S4) BR2B(S4) BR2C(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E5-2637 v3 @ 3.50GHz, 3500.44 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,PQM,SENSOR,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 100MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Xeon(R) CPU E5-2637 v3 @ 3.50GHz, 3500.01 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,PQM,SENSOR,ARAT
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 8 (application processor)
cpu2: Intel(R) Xeon(R) CPU E5-2637 v3 @ 3.50GHz, 3500.01 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,PQM,SENSOR,ARAT
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 4, package 0
cpu3 at mainbus0: apid 10 (application processor)
cpu3: Intel(R) Xeon(R) CPU E5-2637 v3 @ 3.50GHz, 3500.01 MHz
cpu3:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX
,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,MOVBE,PO
PCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,F
SGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,PQM,SENSOR,ARAT
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 0, core 5, package 0
cpu4 at mainbus0: apid 16 (application processor)
cpu4: Intel(R) Xeon(R) CPU E5-2637 v3 @ 3.50GHz, 3495.35 MHz
cpu4:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX
,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,MOVBE,PO
PCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,F
SGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,PQM,SENSOR,ARAT
cpu4: 256KB 64b/line 8-way L2 cache
cpu4: smt 0, core 0, package 1
cpu5 at mainbus0: apid 18 (application processor)
cpu5: Intel(R) Xeon(R) CPU E5-2637 v3 @ 3.50GHz, 3500.01 MHz
cpu5:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX
,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,MOVBE,PO
PCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,F
SGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,PQM,SENSOR,ARAT
cpu5: 256KB 64b/line 8-way L2 cache
cpu5: smt 0, core 1, package 1
cpu6 at mainbus0: apid 24 (application processor)
cpu6: Intel(R) Xeon(R) CPU E5-2637 v3 @ 3.50GHz, 3500.01 MHz
cpu6:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX
,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,DCA,SSE4.1,SSE4.2,x2APIC,MOVBE,PO

Re: 5.9: vmx0: device timeout

2016-08-13 Thread mxb
Hey,
it would be nice to define “network load”.
I have several VMs running 5.8-stable/5.9-stable/current without seeing this.

//mxb

> On 11 aug. 2016, at 21:44, Kurt Mosiejczuk <kurt-open...@se.rit.edu> wrote:
>
> I've noticed that for 5.9, any VMs (in VMware) using vmx(4), end up putting
> "vmx0: device timeout" into the dmesg a bunch when under network load.
>
> I switched one of the VMs to vic(4) and the messages stop.  Another VM that
> I haven't gotten to upgrading from 5.8 to 5.9 yet doesn't show this in its
> dmesg and it's our reasonably busy web server.
>
> Anyone else see this?  I noticed there were a bunch of changes to vmx(4)
> after 5.8 as part of the network mpsafe work.
>
> dmesg below.
>
> --Kurt
>
>
> OpenBSD 5.9 (GENERIC) #8: Thu Jul 14 20:12:37 CEST 2016
>
jas...@stable-59-amd64.mtier.org:/binpatchng/work-binpatch59-amd64/src/sys/ar
ch/amd64/compile/GENERIC
> real mem = 1056899072 (1007MB)
> avail mem = 1020764160 (973MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xe0010 (364 entries)
> bios0: vendor Phoenix Technologies LTD version "6.00" date 09/17/2015
> bios0: VMware, Inc. VMware Virtual Platform
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S1 S4 S5
> acpi0: tables DSDT FACP BOOT APIC MCFG SRAT HPET WAET
> acpi0: wakeup devices PCI0(S3) USB_(S1) P2P0(S3) S1F0(S3) S2F0(S3) S3F0(S3)
S4F0(S3) S5F0(S3) S6F0(S3) S7F0(S3) S8F0(S3) S9F0(S3) S10F(S3) S11F(S3)
S12F(S3) S13F(S3) [...]
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz, 3093.38 MHz
> cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,MMX,FXSR,SSE,SSE2,SS,SSE3,PCLMUL,SSSE3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,PO
PCNT,AES,XSAVE,AVX,HV,NXE,LONG,LAHF,PERF,ITSC,SENSOR,ARAT
> cpu0: 256KB 64b/line 8-way L2 cache
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
> cpu0: apic clock running at 65MHz
> ioapic0 at mainbus0: apid 1 pa 0xfec0, version 11, 24 pins
> acpimcfg0 at acpi0 addr 0xf000, bus 0-127
> acpihpet0 at acpi0: 14318179 Hz
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpicpu0 at acpi0: C1(@1 halt!)
> acpibat0 at acpi0: BAT1 not present
> acpibat1 at acpi0: BAT2 not present
> acpiac0 at acpi0: AC unit online
> acpibtn0 at acpi0: SLPB
> acpibtn1 at acpi0: LID_
> pvbus0 at mainbus0: VMware
> vmt0 at pvbus0
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x01
> ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x01
> pci1 at ppb0 bus 1
> pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x08
> pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel
0 configured to compatibility, channel 1 configured to compatibility
> pciide0: channel 0 disabled (no drives)
> atapiscsi0 at pciide0 channel 1 drive 0
> scsibus1 at atapiscsi0: 2 targets
> cd0 at scsibus1 targ 0 lun 0: <NECVMWar, VMware IDE CDR10, 1.00> ATAPI
5/cdrom removable
> cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
> piixpm0 at pci0 dev 7 function 3 "Intel 82371AB Power" rev 0x08: SMBus
disabled
> "VMware VMCI" rev 0x10 at pci0 dev 7 function 7 not configured
> vga1 at pci0 dev 15 function 0 "VMware SVGA II" rev 0x00
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> mpi0 at pci0 dev 16 function 0 "Symbios Logic 53c1030" rev 0x01: apic 1 int
17
> mpi0: 0, firmware 1.3.41.32
> scsibus2 at mpi0: 16 targets, initiator 7
> sd0 at scsibus2 targ 0 lun 0: <VMware, Virtual disk, 1.0> SCSI2 0/direct
fixed
> sd0: 20480MB, 512 bytes/sector, 41943040 sectors
> mpi0: target 0 Sync at 160MHz width 16bit offset 127 QAS 1 DT 1 IU 1
> ppb1 at pci0 dev 17 function 0 "VMware PCI" rev 0x02
> pci2 at ppb1 bus 2
> ppb2 at pci0 dev 21 function 0 "VMware PCIE" rev 0x01
> pci3 at ppb2 bus 3
> vmx0 at pci3 dev 0 function 0 "VMware VMXNET3" rev 0x01: apic 1 int 18,
address 00:50:56:8c:71:d1
> ppb3 at pci0 dev 21 function 1 "VMware PCIE" rev 0x01
> pci4 at ppb3 bus 4
> ppb4 at pci0 dev 21 function 2 "VMware PCIE" rev 0x01
> pci5 at ppb4 bus 5
> ppb5 at pci0 dev 21 function 3 "VMware PCIE" rev 0x01
> pci6 at ppb5 bus 6
> ppb6 at pci0 dev 21 function 4 "VMware PCIE" rev 0x01
> pci7 at ppb6 bus 7
> ppb7 at pci0 dev 21 function 5 "VMware PCIE" rev 0x01
> pci8 at ppb7 bus 8
> ppb8 at pci0 dev 21 function 6 "VMware

Re: tmpfs

2016-07-31 Thread mxb
Baikal too!

> On 31 July 2016, at 22:13, ʞiᴌᴌʍᴀᴎ ḂØԲH <kill...@dkcorp.ec> wrote:
>
> Alpine is great!
>
> _
> U N I X L e g i o n . c o m
> hacking the world
> Network operations center
> +593 995 956811 | +593 7 2952-763
>
> """This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they are
> addressed. If
> you have received this email in error please notify the system manager."""
>
> On Sun, 31 Jul 2016, Consus wrote:
>
>> On 20:53 Sun 31 Jul, mxb wrote:
>>> As we say here, you have to answer for what you say.
>>> In Sweden he will get that opportunity.
>>
>> Also fix your goddamn mail client. Your encoding is shit.



Re: tmpfs

2016-07-31 Thread mxb
Mine is sane. Yours is just a couple of thousand years behind.
Fix yours.

> On 31 July 2016, at 21:46, Consus <con...@gmx.com> wrote:
>
> On 20:53 Sun 31 Jul, mxb wrote:
>> As we say here, you have to answer for what you say.
>> In Sweden he will get that opportunity.
>
> Also fix your goddamn mail client. Your encoding is shit.



Re: tmpfs

2016-07-31 Thread mxb
Else it is just a discussion.

> On 31 July 2016, at 20:48, Consus  wrote:
> 
> drama 



Re: tmpfs

2016-07-31 Thread mxb
Good one.
But private messages are not appreciated.
So misc is in the loop.
Sorry to pollute your private space.

> On 31 July 2016, at 20:38, Karel Gardas <gard...@gmail.com> wrote:
>
> Could you be so kind and move this conversation out of misc@
>
> Thanks! Karel
>
> On Sun, Jul 31, 2016 at 7:54 PM, mxb <m...@alumni.chalmers.se> wrote:
>> Who gives a sh*t?!
>> Ppl supporting the OpenBSD community is what matters - a userbase without users is
>> like masturbating.
>>
>> Ppl like me test public diffs on live equipment, donate money and buy CDs so
>> Theo can continue to milk this project
>> so he can bike in the Canadian woods.
>>
>> As we say in Russia:
>> “His long tongue will some day shorten his neck”.
>>
>> Good advice for him is to pledge() his mouth before someone else does it.
>>
>> The beauty in globalization is that distances and time get shorter.
>> Even time-to-market AND market itself.
>>
>> With his big mouth like THIS he might get it turbulent.
>> He actually did, by pulling off the DARPA feed.
>>
>>
>>> On 31 July 2016, at 16:51, ludovic coues <cou...@gmail.com> wrote:
>>>
>>> Guess which one of you and theo have it's name all over the CVS tree ?
>>>
>>> 2016-07-31 16:37 GMT+02:00 mxb <m...@alumni.chalmers.se>:
>>>> While looking at the mirror, read your last email once again.
>>>>
>>>>
>>>>> On 30 July 2016, at 19:58, Theo de Raadt <dera...@openbsd.org> wrote:
>>>>>
>>>>> Yeah, you sure are the cool dude.
>>>>>
>>>>> Despite the existence of people like you, OpenBSD has been
>>>>> progressing as working code for 20 years.
>>>>>
>>>>>
>>>>> And what have you added.  Just words.
>>>>>
>>>>> Mean ones about things you later say you don't care about.  Just
>>>>> layers of spite from you when it is pointed out your words don't
>>>>> change the world in any way.
>>>>>
>>>>>> I don't appreciate the private reply.
>>>>>>
>>>>>> Adding misc back in.
>>>>>>
>>>>>>> On 30 July 2016, at 16:29, Theo de Raadt <dera...@openbsd.org> wrote:
>>>>>>>
>>>>>>> Just shut up.
>>>>
>>>
>>>
>>>
>>> --
>>>
>>> Cordialement, Coues Ludovic
>>> +336 148 743 42



Re: tmpfs

2016-07-31 Thread mxb
As we say here, you have to answer for what you say.
In Sweden he will get that opportunity.


> On 31 July 2016, at 20:47, mxb <m...@alumni.chalmers.se> wrote:
>
> I'm Russian, so what?
>
>> On 31 July 2016, at 20:37, Aioi Yuuko <yu...@cock.li> wrote:
>>
>> Stop making Russians look bad. Some of us like OpenBSD



Re: tmpfs

2016-07-31 Thread mxb
I'm Russian, so what?

> On 31 July 2016, at 20:37, Aioi Yuuko  wrote:
>
> Stop making Russians look bad. Some of us like OpenBSD



Re: tmpfs

2016-07-31 Thread mxb
He didn’t answer about mirrors.
I asked.
So this one you can send to /dev/null.


> On 31 July 2016, at 20:37, Aioi Yuuko  wrote:
>
> See your previous message re: mirrors.



Re: tmpfs

2016-07-31 Thread mxb
Who gives a sh*t?!
Ppl supporting the OpenBSD community is what matters - a userbase without users is
like masturbating.

Ppl like me test public diffs on live equipment, donate money and buy CDs so
Theo can continue to milk this project
so he can bike in the Canadian woods.

As we say in Russia:
“His long tongue will some day shorten his neck”.

Good advice for him is to pledge() his mouth before someone else does it.

The beauty in globalization is that distances and time get shorter.
Even time-to-market AND market itself.

With his big mouth like THIS he might get it turbulent.
He actually did, by pulling off the DARPA feed.


> On 31 July 2016, at 16:51, ludovic coues <cou...@gmail.com> wrote:
>
> Guess which one of you and theo have it's name all over the CVS tree ?
>
> 2016-07-31 16:37 GMT+02:00 mxb <m...@alumni.chalmers.se>:
>> While looking at the mirror, read your last email once again.
>>
>>
>>> On 30 July 2016, at 19:58, Theo de Raadt <dera...@openbsd.org> wrote:
>>>
>>> Yeah, you sure are the cool dude.
>>>
>>> Despite the existence of people like you, OpenBSD has been
>>> progressing as working code for 20 years.
>>>
>>>
>>> And what have you added.  Just words.
>>>
>>> Mean ones about things you later say you don't care about.  Just
>>> layers of spite from you when it is pointed out your words don't
>>> change the world in any way.
>>>
>>>> I don't appreciate the private reply.
>>>>
>>>> Adding misc back in.
>>>>
>>>>> On 30 July 2016, at 16:29, Theo de Raadt <dera...@openbsd.org> wrote:
>>>>>
>>>>> Just shut up.
>>
>
>
>
> --
>
> Cordialement, Coues Ludovic
> +336 148 743 42



Re: tmpfs

2016-07-31 Thread mxb
While looking at the mirror, read your last email once again.


> On 30 July 2016, at 19:58, Theo de Raadt  wrote:
> 
> Yeah, you sure are the cool dude.
> 
> Despite the existence of people like you, OpenBSD has been
> progressing as working code for 20 years.
> 
> 
> And what have you added.  Just words.
> 
> Mean ones about things you later say you don't care about.  Just
> layers of spite from you when it is pointed out your words don't
> change the world in any way.
> 
>> I don't appreciate the private reply.
>> 
>> Adding misc back in.
>> 
>>> On 30 July 2016, at 16:29, Theo de Raadt  wrote:
>>> 
>>> Just shut up.



Re: tmpfs

2016-07-30 Thread mxb
I don't appreciate the private reply.

Adding misc back in.

> On 30 July 2016, at 16:29, Theo de Raadt  wrote:
> 
> Just shut up.



Re: tmpfs

2016-07-30 Thread mxb
Missed "CC all" last time.

Neither you nor anyone else actually answered my questions.
Your “jumps” are as usual.

I understand that best way to defend is to actually attack.
This kind of answer I received is expected.

I could add more to this mail, but I’d rather not.

> On 29 July 2016, at 23:04, Theo de Raadt  wrote:
>
> I don't appreciate the private reply.
>
> Adding misc back in.
>
>> 1. I don't use tmpfs. So for me - I don't care that much.
>
> If you don't care, then don't talk about it.
>
> In particular, don't send a message which criticizes the approaches we
> take to make OpenBSD more robust.
>
> Don't act butt-hurt in public, then reply privately and say you don't
> care.
>
>> 2. I'm abt any other/alpha/beta patches on the tech@. (Sorry,
>> might have missed that part, if any)
>
> Look, you said you don't care.
>
>> 3. You know better
>
> But apparently you don't.
>
> Your voice does not count.
>
> If you cannot contribute in some way to improve code, then don't
> question the people who invest their own time to either
>   (a) improve the code
>or (b) take another action when they don't see a way to improve the code
>
> It is that simple.  When you are such a jerk, it requires someone to
> act like a jerk to demonstrate a big problem in the open source
> ecosystem:  People who generate words rather than action.



Re: tmpfs

2016-07-29 Thread mxb
Are there any “gatekeepers” around the code?
I thought “tech” was the best place to release questionable code?

//mxb

> On 29 July 2016, at 18:14, Theo de Raadt <dera...@openbsd.org> wrote:
>
> Because the code quality is crap.



Re: ipsec routing issues

2016-06-16 Thread mxb
Hey,

to begin with, it would be nice to see output from ‘netstat -rn’ before
you started adding/deleting routes.

//mxb

> On 15 June 2016, at 22:56, rizz2pro <rizzz2...@gmail.com> wrote:
>
> Hi, im not sure if this is some kind of bug or by design but I thought
> i would ask.
>
> Firstly check out this diagram I made: http://i.imgur.com/EUXqauH.png
> - I hope im allowed to post that link.
>
>
> The servers have default routes to their firewalls.
> Firewall A has a default route to 10.100.100.2
> Firewall B has a default route to 10.100.100.1
>
> I turn off ipsec, kill all my tunnels.
>
> Server A can ping Server Z and on both firewalls I see the ICMP
> traffic coming on em1. Great, thats exactly what I expected.
>
> In /etc/ipsec.conf on each firewall I set the peer to use the
> 172.16.0.x IP instead of using what I've set as the default
> gateways(don't ask why..).
>
> FW1:
> ike esp from 192.168.99.0/24 to 192.168.200.0/24 peer 172.16.0.2
>
> FW2:
> ike esp from 192.168.200.0/24 to 192.168.99.0/24 peer 172.16.0.1
>
> I enable isakmpd, enable ipsec, my flows/SADs are good. My continuous
> ping still works but now I have no traffic flowing through em1 and all
> traffic is encrypted and flowing over em2. I figure that ipsec is
> ignoring the routing table and sending that matching traffic to his
> peer. I deleted the default routes altogether since no traffic is
> being passed through there anymore. All my pings stopped working.
>
> Another interesting thing is it seems like as long as there is any
> kind of entry in the routing table for the network you're trying to
> reach, it will fix things:
>
> On FW1 and FW2 this fixed my pings between Server A and Server Z:
>
> # route add default 127.0.0.1
>
> That fixes my pings. If I delete all default routes and add static routes:
>
> FW1:
> # route delete default
> # route add 192.168.200.0/24 127.0.0.1
>
> FW2:
> # route delete default
> # route add 192.168.99.0/24 127.0.0.1
>
> This also fixes my pings. I can also set the gateway to an IP that
> doesn't even exist:
>
> FW1:
> # route delete default
> # route add 192.168.200.0/24 192.168.99.45
>
> FW2:
> # route delete default
> # route add 192.168.99.0/24 192.168.200.27
>
> All of these things will fix my connectivity. The moment the route
> doesn't exist or I remove the default route it breaks everything.
>
>
> So I am wondering what is going on. I can fix my pings by adding fake
> routes, routes that point at a loopback address and creating default
> routes that lead to non-existent IPs, but everything seems to break
> if I delete the route altogether.
>
> Hopefully someone here can shed some light. If you need to see any
> config files, I can provide them but I felt like it's a pretty
> straight forward issue.
>
> Thanks



dhcp-class-identifier in dhclient

2016-04-16 Thread mxb
Hey,
is there any reason for not setting dhcp-class-identifier by default in
dhclient?
My guess is that this is probably not mandatory?

//mxb



relayd: high CPU usage by one or two proc. of many

2016-02-24 Thread mxb
Hey,
I have a strange behavior of relayd running on 5.8.
This machine almost exclusively terminates TLS traffic.
Exceptions are forwards which are in backup state (listen on CARP).

Sometimes one or two relayd processes out of many consume a lot of CPU
and stay like this until I restart relayd.

ktrace gives me following:
4013 relayd   CALL  getdtablecount()
  4013 relayd   RET   getdtablecount 101/0x65
  4013 relayd   CALL  getrlimit(RLIMIT_NOFILE,0x7f7bb630)
  4013 relayd   STRU  struct rlimit { cur=65536, max=65536 }
  4013 relayd   RET   getrlimit 0
  4013 relayd   CALL  recvmsg(550,0x7f7bb6a0,0)
  4013 relayd   RET   recvmsg -1 errno 35 Resource temporarily unavailable
  4013 relayd   CALL  getdtablecount()
  4013 relayd   RET   getdtablecount 101/0x65
  4013 relayd   CALL  getrlimit(RLIMIT_NOFILE,0x7f7bb630)
  4013 relayd   STRU  struct rlimit { cur=65536, max=65536 }
  4013 relayd   RET   getrlimit 0
  4013 relayd   CALL  recvmsg(550,0x7f7bb6a0,0)
  4013 relayd   RET   recvmsg -1 errno 35 Resource temporarily unavailable
  4013 relayd   CALL  getdtablecount()
  4013 relayd   RET   getdtablecount 101/0x65
  4013 relayd   CALL  getrlimit(RLIMIT_NOFILE,0x7f7bb630)
  4013 relayd   STRU  struct rlimit { cur=65536, max=65536 }
  4013 relayd   RET   getrlimit 0
  4013 relayd   CALL  recvmsg(550,0x7f7bb6a0,0)
  4013 relayd   RET   recvmsg -1 errno 35 Resource temporarily unavailable

Human readable file after kdump is filled with those lines.
This, as far as I understand, is about the open files limit.
Thus login.conf was modified and relayd restarted.

Original problem however is yet there and ktrace looks the same.

relayd:\
:maxproc-max=31:\
:openfiles-cur=16384:\
:openfiles-max=65536:\
:tc=daemon:

 
Question if there is anything else can be done to trace this down?

Br

//mxb
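One way to tell from the trace whether this is a busy loop rather than a descriptor-limit problem is to count how often the same descriptor keeps returning EAGAIN (errno 35 on OpenBSD) without any kevent/poll/select call in between: a non-blocking socket saying "try again" is normal, a process that retries without ever waiting is the CPU burner. The script below is an added example, not code from the thread or from relayd; the sample trace is constructed from the ktrace excerpt above, with an invented kevent line and an arbitrary threshold.

```python
"""Detect busy loops in kdump(1) output: runs of EAGAIN returns on the same
(pid, syscall, fd) with no wait syscall in between.
Added example, not from the post or from relayd."""
import re
import sys

# Constructed sample: three rounds of the pattern from the post, then a real
# wait in kevent (arguments invented), then one lone EAGAIN that is harmless.
SAMPLE_KDUMP = ("""\
  4013 relayd   CALL  getdtablecount()
  4013 relayd   RET   getdtablecount 101/0x65
  4013 relayd   CALL  getrlimit(RLIMIT_NOFILE,0x7f7bb630)
  4013 relayd   STRU  struct rlimit { cur=65536, max=65536 }
  4013 relayd   RET   getrlimit 0
  4013 relayd   CALL  recvmsg(550,0x7f7bb6a0,0)
  4013 relayd   RET   recvmsg -1 errno 35 Resource temporarily unavailable
""" * 3) + """\
  4013 relayd   CALL  kevent(5,0x0,0,0x7f7bb700,64,0x0)
  4013 relayd   RET   kevent 1
  4013 relayd   CALL  recvmsg(550,0x7f7bb6a0,0)
  4013 relayd   RET   recvmsg -1 errno 35 Resource temporarily unavailable
"""

EAGAIN = 35  # errno 35 on OpenBSD, as shown in the trace
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(CALL|RET|STRU|NAMI|GIO|PSIG|EMUL)\s+(.*)$")
CALL_RE = re.compile(r"^(\w+)\((.*)\)$")
RET_RE = re.compile(r"^(\w+)\s+(-?\d+)(?:/0x[0-9a-fA-F]+)?(?:\s+errno\s+(\d+))?")
# Syscalls that mean "the process went to sleep", ending any busy run.
WAIT_CALLS = {"kevent", "poll", "ppoll", "select", "pselect", "nanosleep", "__thrsleep"}


def find_spin_loops(kdump_text, threshold=3):
    """Return one record per run of >= threshold consecutive EAGAIN returns on
    the same (pid, syscall, fd) with no wait syscall between them."""
    pending = {}   # pid -> (syscall name, first argument) of the CALL in flight
    streaks = {}   # pid -> current run of EAGAINs
    found = []

    def close(pid):
        run = streaks.pop(pid, None)
        if run and run["count"] >= threshold:
            found.append(run)

    for line in kdump_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, comm, kind, rest = int(m.group(1)), m.group(2), m.group(3), m.group(4)
        if kind == "CALL":
            c = CALL_RE.match(rest)
            if not c:
                continue
            name, first = c.group(1), c.group(2).split(",")[0].strip()
            pending[pid] = (name, int(first) if first.isdigit() else None)
            if name in WAIT_CALLS:      # about to sleep: whatever run there was ends here
                close(pid)
        elif kind == "RET":
            r = RET_RE.match(rest)
            if not r or r.group(3) is None or int(r.group(3)) != EAGAIN:
                continue
            name = r.group(1)
            fd = pending.get(pid, (None, None))[1]
            run = streaks.get(pid)
            if run and run["syscall"] == name and run["fd"] == fd:
                run["count"] += 1
            else:
                close(pid)
                streaks[pid] = {"pid": pid, "comm": comm, "syscall": name,
                                "fd": fd, "count": 1}
    for pid in list(streaks):
        close(pid)
    return found


if __name__ == "__main__":
    # Pipe `kdump` output in, or run without input to analyse the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KDUMP
    for run in find_spin_loops(text):
        print("pid %(pid)d (%(comm)s): %(count)d x %(syscall)s on fd %(fd)s "
              "returned EAGAIN with no wait in between" % run)
```

On the real trace the getdtablecount/getrlimit pairs between the recvmsg calls are deliberately ignored; the question the script answers is only whether fd 550 ever gets waited on before being read again. A long run with no kevent in between points at the event loop, not at the open files limit, which is consistent with the login.conf change having no effect.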



Re: bgpd in snapshot from 4 feb.

2016-02-07 Thread mxb
I actually run sysmerge.
It added new users/groups, updated certs.
Rest of configs I merged. Seen nothing about rc-scripts.

> On 7 feb. 2016, at 22:01, Claudio Jeker <cje...@diehard.n-r-g.com> wrote:
>
> On Sun, Feb 07, 2016 at 07:53:01PM +0100, mxb wrote:
>> Hey,
>> bgpd from snap of 4 feb. fails to start (according to rc):
>>
>> shell# /etc/rc.d/bgpd start
>> bgpd(failed)
>
> You forgot to run sysmerge. The rc scripts changed on what they pgrep to
> see if the parent process is running. Since the rc script is unable to
> find the process it reports failed even though all is OK.
>
>> shell# ps aux|grep bgp
>> _bgpd11880  0.0  0.0  1220  1804 ??  Sp 7:46PM0:00.02 bgpd:
>> session engine (bgpd)
>> _bgpd11350  0.0  0.0   920  1816 ??  Sp 7:46PM0:00.02 bgpd:
route
>> decision engine (bgpd)
>> root 18325  0.0  0.0   864  1484 ??  Is 7:46PM0:00.01
>> /usr/sbin/bgpd
>> root 13125  0.0  0.0   176   356 p0  R+ 7:47PM0:00.00 grep bgp
>>
>>
>> rcctl reports the same, but ‘ps aux|grep bgp’ after looks even worse:
>>
>> shell# rcctl restart bgpd
>> bgpd(failed)
>>
>> shell]# ps aux|grep bgp
>> root 18325  0.0  0.0   864  1484 ??  Ss 7:46PM0:00.01
>> /usr/sbin/bgpd
>> _bgpd11880  0.8  0.1  2120  3244 ??  Sp 7:46PM0:00.66 bgpd:
>> session engine (bgpd)
>> _bgpd11350  0.0  0.0   952  1864 ??  Sp 7:46PM0:00.04 bgpd:
route
>> decision engine (bgpd)
>> _bgpd 2567  0.7  0.1  2108  3404 ??  Sp 7:50PM0:00.62 bgpd:
>> session engine (bgpd)
>> _bgpd 4216  0.0  0.0   944  1840 ??  Sp 7:50PM0:00.01 bgpd:
route
>> decision engine (bgpd)
>> root 13197  0.0  0.0   864  1484 ??  Ss 7:50PM0:00.01
>> /usr/sbin/bgpd
>> root  3906  0.0  0.0   292   512 p0  R+ 7:50PM0:00.00 grep bgp
>>
>
> --
> :wq Claudio
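The listing after `rcctl restart` is the real damage here: two root-owned `/usr/sbin/bgpd` parents, each with its own session and route decision engine, because the stale check never saw the first instance and the restart simply started another one. As an added illustration (not code from the thread, from bgpd or from OpenBSD's rc.d scripts), the script below parses `ps aux`-style output and flags that condition, emulating the difference between an anchored `pgrep -xf` on the parent's command line and a loose substring match. The sample listing is reconstructed from the figures in the post with the mangled columns cleaned up; the exact pattern rc.d uses is an assumption here and lives in rc.subr(8).

```python
"""Audit a daemon's process table entries from `ps aux` output and flag a
second parent instance. Added example, not OpenBSD's rc.d check."""
import re

# Constructed from the post-restart listing in the thread (columns cleaned up).
PS_SAMPLE = """\
USER       PID %CPU %MEM   VSZ   RSS TT  STAT  STARTED    TIME COMMAND
root     18325  0.0  0.0   864  1484 ??  Ss    7:46PM  0:00.01 /usr/sbin/bgpd
_bgpd    11880  0.8  0.1  2120  3244 ??  Sp    7:46PM  0:00.66 bgpd: session engine (bgpd)
_bgpd    11350  0.0  0.0   952  1864 ??  Sp    7:46PM  0:00.04 bgpd: route decision engine (bgpd)
_bgpd     2567  0.7  0.1  2108  3404 ??  Sp    7:50PM  0:00.62 bgpd: session engine (bgpd)
_bgpd     4216  0.0  0.0   944  1840 ??  Sp    7:50PM  0:00.01 bgpd: route decision engine (bgpd)
root     13197  0.0  0.0   864  1484 ??  Ss    7:50PM  0:00.01 /usr/sbin/bgpd
root      3906  0.0  0.0   292   512 p0  R+    7:50PM  0:00.00 grep bgp
"""


def parse_ps(text):
    """Turn `ps aux` style output into dicts. COMMAND is the 11th column and
    may contain spaces, so split at most ten times; non-numeric PID = header."""
    procs = []
    for line in text.splitlines():
        fields = line.split(None, 10)
        if len(fields) < 11 or not fields[1].isdigit():
            continue
        procs.append({"user": fields[0], "pid": int(fields[1]),
                      "stat": fields[7], "command": fields[10]})
    return procs


def matching_pids(procs, pattern, exact=True):
    """Emulate pgrep -f (match against the full command line). exact=True adds
    the -x semantics: the pattern has to match the whole command line."""
    rx = re.compile(pattern)
    hit = rx.fullmatch if exact else rx.search
    return [p["pid"] for p in procs if hit(p["command"])]


def audit_daemon(ps_text, daemon="/usr/sbin/bgpd", proctitle="bgpd:"):
    """Find the parent(s) started from `daemon` and the privsep children that
    set their process title to `proctitle ...`; report duplicates."""
    procs = parse_ps(ps_text)
    parents = matching_pids(procs, re.escape(daemon), exact=True)
    children = [p["pid"] for p in procs if p["command"].startswith(proctitle)]
    if not parents:
        status = "not running"
    elif len(parents) > 1:
        status = "duplicate"   # what the post shows after `rcctl restart bgpd`
    else:
        status = "ok"
    return {"parents": parents, "children": children, "status": status}


if __name__ == "__main__":
    report = audit_daemon(PS_SAMPLE)
    print("status: %s, parents: %s, children: %s"
          % (report["status"], report["parents"], report["children"]))
    # Loose matching also counts the engines; only the anchored match is usable
    # to decide whether the daemon's parent is up.
    print("loose 'bgpd' matches:", matching_pids(parse_ps(PS_SAMPLE), "bgpd", exact=False))
```

Run it against a live box with `ps aux | python3 audit.py` (stdin handling left out above for brevity of the sample path); a `duplicate` result after an rc script said "failed" is the signal that the script's check and the running binary disagree, which after a snapshot upgrade means sysmerge is still pending.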



bgpd in snapshot from 4 feb.

2016-02-07 Thread mxb
Hey,
bgpd from snap of 4 feb. fails to start (according to rc):

shell# /etc/rc.d/bgpd start
bgpd(failed)

shell# ps aux|grep bgp
_bgpd11880  0.0  0.0  1220  1804 ??  Sp 7:46PM0:00.02 bgpd:
session engine (bgpd)
_bgpd11350  0.0  0.0   920  1816 ??  Sp 7:46PM0:00.02 bgpd: route
decision engine (bgpd)
root 18325  0.0  0.0   864  1484 ??  Is 7:46PM0:00.01
/usr/sbin/bgpd
root 13125  0.0  0.0   176   356 p0  R+ 7:47PM0:00.00 grep bgp


rcctl reports the same, but ‘ps aux|grep bgp’ after looks even worse:

shell# rcctl restart bgpd
bgpd(failed)

shell]# ps aux|grep bgp
root 18325  0.0  0.0   864  1484 ??  Ss 7:46PM0:00.01
/usr/sbin/bgpd
_bgpd11880  0.8  0.1  2120  3244 ??  Sp 7:46PM0:00.66 bgpd:
session engine (bgpd)
_bgpd11350  0.0  0.0   952  1864 ??  Sp 7:46PM0:00.04 bgpd: route
decision engine (bgpd)
_bgpd 2567  0.7  0.1  2108  3404 ??  Sp 7:50PM0:00.62 bgpd:
session engine (bgpd)
_bgpd 4216  0.0  0.0   944  1840 ??  Sp 7:50PM0:00.01 bgpd: route
decision engine (bgpd)
root 13197  0.0  0.0   864  1484 ??  Ss 7:50PM0:00.01
/usr/sbin/bgpd
root  3906  0.0  0.0   292   512 p0  R+ 7:50PM0:00.00 grep bgp



Re: panic: mtx_enter: locking against myself

2016-02-06 Thread mxb
I was unable to trigger this with

OpenBSD 5.9 (GENERIC.MP) #1869: Thu Feb  4 09:50:59 MST 2016
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

//mxb

> On 5 feb. 2016, at 19:12, mxb <m...@alumni.chalmers.se> wrote:
>
>
> Any one from @devs have time to pick it up?
>
> This is a new env. , so I have time to investigate.
> Access can be provided on need bases.
>
> //mxb
>
>> On 4 feb. 2016, at 15:46, mxb <m...@alumni.chalmers.se> wrote:
>>
>> Found it in dmesg buffer:
>>
>> Stopped at  Debugger+0x9:   leave
>> RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS
PANIC!
>> IF RUNNING SMP, USE 'mach ddbcpu <#>' AND 'trace' ON OTHER PROCESSORS,
TOO.
>> DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
>>
>> ddb{0}> trace
>> Debugger() at Debugger+0x9
>> panic() at panic+0xfe
>> mtx_enter() at mtx_enter+0x60
>> sofree() at sofree+0xa0
>> in_pcbdetach() at in_pcbdetach+0x40
>> tcp_close() at tcp_close+0xad
>> tcp_timer_2msl() at tcp_timer_2msl+0x90
>> softclock() at softclock+0x315
>> softintr_dispatch() at softintr_dispatch+0x8b
>> Xsoftclock() at Xsoftclock+0x1f
>> --- interrupt ---
>> (null)() at 0x8
>> end of kernel
>> end trace frame: 0x11020001, count: -11
>>
>> ddb{0}>  show registers
>> rdi  0x1
>> rsi0x282
>> rbp   0x8000221c68f8
>> rbx   0x813285e0mtx_enter+0x60
>> rdx0
>> rcx   0x8188c640cpu_info_primary
>> rax  0x1
>> r80x8000221c6818
>> r9   0x1
>> r100
>> r11   0x8000221c66b0
>> r120x100
>> r13   0x8000221c6908
>> r14   0xff011d088010
>> r150
>> rip   0x81343b09Debugger+0x9
>> cs   0x8
>> rflags 0x286
>> rsp   0x8000221c68e8
>> ss  0x10
>> Debugger+0x9:   leave
>>
>> ddb{0}> ps
>> PID   PPID   PGRPUID  S   FLAGS  WAIT  COMMAND
>> 19921  12801  19921  0  30x83  poll  systat
>> 12801569  12801  0  30x8b  pause ksh
>>  569  23137569  0  30x92  selectsshd
>> 13678  1  13678  0  30x83  ttyin getty
>> 9776  1   9776  0  30x83  ttyin getty
>> 3392  1   3392  0  30x83  ttyin getty
>> 24230  1  24230  0  30x83  ttyin getty
>> 14469  1  14469  0  30x83  ttyin getty
>> 29209  1  29209  0  30x80  poll  cron
>> 4796   4087   4087 95  30x90  kqreadsmtpd
>>  269   4087   4087 95  30x90  kqreadsmtpd
>> 28144   4087   4087 95  30x90  kqreadsmtpd
>> 13626   4087   4087 95  30x90  kqreadsmtpd
>> 4756   4087   4087 95  30x90  kqreadsmtpd
>> 23276   4087   4087103  30x90  kqreadsmtpd
>> 4087  1   4087  0  30x80  kqreadsmtpd
>> 29277  28344  28344 89  30x90  kqreadrelayd
>> 15361  28344  28344 89  30x90  kqreadrelayd
>> 28344  26987  28344 89  30x90  kqreadrelayd
>> *18801   1528   1528 89  70x10relayd
>> 15066   1528   1528 89  30x90  kqreadrelayd
>> 1528  26987   1528 89  30x90  kqreadrelayd
>> 14013  26987  14013 89  30x90  kqreadrelayd
>> 25397  26987  25397 89  30x90  kqreadrelayd
>> 26987  1  26987  0  30x80  kqreadrelayd
>> 23945  0  0 85  30x90  kqreadospfd
>> 12948  0  0 85  30x90  kqreadospfd
>> 0  1  0  0  30x80  kqreadospfd
>> 23137  1  23137  0  30x80  selectsshd
>> 10031  27507981 83  30x90  poll  ntpd
>> 27507981981 83  30x90  poll  ntpd
>>  981  1981  0  30x80  poll  ntpd
>> 12220  25415  25415 74  30x90  bpf   pflogd
>> 25415  

Re: panic: mtx_enter: locking against myself

2016-02-05 Thread mxb
Any one from @devs have time to pick it up?

This is a new env. , so I have time to investigate.
Access can be provided on a need basis.

//mxb

> On 4 feb. 2016, at 15:46, mxb <m...@alumni.chalmers.se> wrote:
>
> Found it in dmesg buffer:
>
> Stopped at  Debugger+0x9:   leave
> RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
> IF RUNNING SMP, USE 'mach ddbcpu <#>' AND 'trace' ON OTHER PROCESSORS, TOO.
> DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
>
> ddb{0}> trace
> Debugger() at Debugger+0x9
> panic() at panic+0xfe
> mtx_enter() at mtx_enter+0x60
> sofree() at sofree+0xa0
> in_pcbdetach() at in_pcbdetach+0x40
> tcp_close() at tcp_close+0xad
> tcp_timer_2msl() at tcp_timer_2msl+0x90
> softclock() at softclock+0x315
> softintr_dispatch() at softintr_dispatch+0x8b
> Xsoftclock() at Xsoftclock+0x1f
> --- interrupt ---
> (null)() at 0x8
> end of kernel
> end trace frame: 0x11020001, count: -11
>
> ddb{0}>  show registers
> rdi  0x1
> rsi0x282
> rbp   0x8000221c68f8
> rbx   0x813285e0mtx_enter+0x60
> rdx0
> rcx   0x8188c640cpu_info_primary
> rax  0x1
> r80x8000221c6818
> r9   0x1
> r100
> r11   0x8000221c66b0
> r120x100
> r13   0x8000221c6908
> r14   0xff011d088010
> r150
> rip   0x81343b09Debugger+0x9
> cs   0x8
> rflags 0x286
> rsp   0x8000221c68e8
> ss  0x10
> Debugger+0x9:   leave
>
> ddb{0}> ps
> PID   PPID   PGRPUID  S   FLAGS  WAIT  COMMAND
> 19921  12801  19921  0  30x83  poll  systat
> 12801569  12801  0  30x8b  pause ksh
>   569  23137569  0  30x92  selectsshd
> 13678  1  13678  0  30x83  ttyin getty
>  9776  1   9776  0  30x83  ttyin getty
>  3392  1   3392  0  30x83  ttyin getty
> 24230  1  24230  0  30x83  ttyin getty
> 14469  1  14469  0  30x83  ttyin getty
> 29209  1  29209  0  30x80  poll  cron
>  4796   4087   4087 95  30x90  kqreadsmtpd
>   269   4087   4087 95  30x90  kqreadsmtpd
> 28144   4087   4087 95  30x90  kqreadsmtpd
> 13626   4087   4087 95  30x90  kqreadsmtpd
>  4756   4087   4087 95  30x90  kqreadsmtpd
> 23276   4087   4087103  30x90  kqreadsmtpd
>  4087  1   4087  0  30x80  kqreadsmtpd
> 29277  28344  28344 89  30x90  kqreadrelayd
> 15361  28344  28344 89  30x90  kqreadrelayd
> 28344  26987  28344 89  30x90  kqreadrelayd
> *18801   1528   1528 89  70x10relayd
> 15066   1528   1528 89  30x90  kqreadrelayd
>  1528  26987   1528 89  30x90  kqreadrelayd
> 14013  26987  14013 89  30x90  kqreadrelayd
> 25397  26987  25397 89  30x90  kqreadrelayd
> 26987  1  26987  0  30x80  kqreadrelayd
> 23945  0  0 85  30x90  kqreadospfd
> 12948  0  0 85  30x90  kqreadospfd
> 0  1  0  0  30x80  kqreadospfd
> 23137  1  23137  0  30x80  selectsshd
> 10031  27507981 83  30x90  poll  ntpd
> 27507981981 83  30x90  poll  ntpd
>   981  1981  0  30x80  poll  ntpd
> 12220  25415  25415 74  30x90  bpf   pflogd
> 25415  1  25415  0  30x80  netio pflogd
>  3275  32486  32486 73  30x90  kqreadsyslogd
> 32486  1  32486  0  30x80  netio syslogd
> 14861  0  0  0  3 0x14200  pgzerozerothread
> 24670  0  0  0  3 0x14200  aiodoned  aiodoned
> 29165  0  0  0  3 0x14200  syncerupdate
> 27875  0  0  0  3 0x14200  cleaner   cleaner
>   645  0  0  0  3 0x14200  reaperreaper
> 17692  0  0  0  3 0x14200  pgdaemon  pagedaemon
>   76

Re: panic: mtx_enter: locking against myself

2016-02-04 Thread mxb
I was able to reproduce this panic with a similar stack trace.
Unfortunately 'trace/show regs/ps' are not in txt format, but are
screenshots.

//mxb

> On 4 feb. 2016, at 12:42, mxb <m...@alumni.chalmers.se> wrote:
>
>
> Hey,
> I see these again on 5.8-STABLE.
>
> This is a 2-node CARP setup within VMWare ESX.
> Both machines are rebooting after this and it happens quite often.
>
> Any ideas?
>
> panic: mtx_enter: locking against myself
> Starting stack trace...
> panic() at panic+0x10b
> mtx_enter() at mtx_enter+0x60
> sofree() at sofree+0xa0
> in_pcbdetach() at in_pcbdetach+0x40
> tcp_close() at tcp_close+0xad
> tcp_timer_2msl() at tcp_timer_2msl+0x90
> softclock() at softclock+0x315
> softintr_dispatch() at softintr_dispatch+0x8b
> Xsoftclock() at Xsoftclock+0x1f
> --- interrupt ---
> (null)() at 0x8
> (null)() at 0xff0118c50f90
> end trace frame: 0x0, count: 246
> End of stack trace.
> syncing disks... panic: assertwaitok: non-zero mutex count: 1
> Starting stack trace...
> panic() at panic+0x10b
> assertwaitok() at assertwaitok+0x52
> bufq_wait() at bufq_wait+0x2d
> bwrite() at bwrite+0xfe
> VOP_BWRITE() at VOP_BWRITE+0x38
> ffs_fsync() at ffs_fsync+0x13f
> VOP_FSYNC() at VOP_FSYNC+0x3c
> ffs_sync() at ffs_sync+0xc4
> sys_sync() at sys_sync+0x87
> vfs_syncwait() at vfs_syncwait+0x50
> vfs_shutdown() at panic: mtx_enter: locking against myself
> Faulted in traceback, aborting…
>
> OpenBSD 5.8-stable (GENERIC.MP) #0: Thu Oct 22 18:52:06 CEST 2015
>root@prdlba0001:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> real mem = 4278124544 (4079MB)
> avail mem = 4144574464 (3952MB)
> mpath0 at root
> scsibus0 at mpath0: 256 targets
> mainbus0 at root
> bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xe0010 (364 entries)
> bios0: vendor Phoenix Technologies LTD version "6.00" date 04/14/2014
> bios0: VMware, Inc. VMware Virtual Platform
> acpi0 at bios0: rev 2
> acpi0: sleep states S0 S1 S4 S5
> acpi0: tables DSDT FACP BOOT APIC MCFG SRAT HPET WAET
> acpi0: wakeup devices PCI0(S3) USB_(S1) P2P0(S3) S1F0(S3) S2F0(S3) S3F0(S3)
S4F0(S3) S5F0(S3) S6F0(S3) S7F0(S3) S8F0(S3) S9F0(S3) S10F(S3) S11F(S3)
S12F(S3) S13F(S3) [...]
> acpitimer0 at acpi0: 3579545 Hz, 24 bits
> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: Intel(R) Xeon(R) CPU E5-2620 v3 @ 2.40GHz, 2400.20 MHz
> cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,
x2APIC,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,LONG,LAHF,PERF,I
TSC,FSGSBASE,SMEP,ERMS,SENSOR,ARAT
> cpu0: 256KB 64b/line 8-way L2 cache
> cpu0: smt 0, core 0, package 0
> mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
> cpu0: apic clock running at 65MHz
> cpu1 at mainbus0: apid 1 (application processor)
> cpu1: Intel(R) Xeon(R) CPU E5-2620 v3 @ 2.40GHz, 2399.74 MHz
> cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,
x2APIC,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,LONG,LAHF,PERF,I
TSC,FSGSBASE,SMEP,ERMS,SENSOR,ARAT
> cpu1: 256KB 64b/line 8-way L2 cache
> cpu1: smt 0, core 1, package 0
> ioapic0 at mainbus0: apid 2 pa 0xfec0, version 11, 24 pins
> acpimcfg0 at acpi0 addr 0xf000, bus 0-127
> acpihpet0 at acpi0: 14318179 Hz
> acpiprt0 at acpi0: bus 0 (PCI0)
> acpicpu0 at acpi0: C1(@1 halt!)
> acpicpu1 at acpi0: C1(@1 halt!)
> acpibat0 at acpi0: BAT1 not present
> acpibat1 at acpi0: BAT2 not present
> acpiac0 at acpi0: AC unit online
> acpibtn0 at acpi0: SLPB
> acpibtn1 at acpi0: LID_
> pvbus0 at mainbus0: VMware
> vmt0 at pvbus0
> pci0 at mainbus0 bus 0
> pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x01
> ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x01
> pci1 at ppb0 bus 1
> pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x08
> pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel
0 configured to compatibility, channel 1 configured to compatibility
> pciide0: channel 0 disabled (no drives)
> pciide0: channel 1 disabled (no drives)
> piixpm0 at pci0 dev 7 function 3 "Intel 82371AB Power" rev 0x08: SMBus
disabled
> "VMware VMCI" rev 0x10 at pci0 dev 7 function 7 not configured
> vga1 at pci0 dev 15 function 0 "VMware SVGA II" rev 0x00
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> ppb1 at pci0 dev 17 function 0 "VMware PCI" rev 0x02
> pci2 at ppb1 bus 2
> ahci0 at pci2 dev 1

panic: mtx_enter: locking against myself

2016-02-04 Thread mxb
Hey,
see those again on 5.8-STABLE.

This is a 2-node CARP setup within VMWare ESX.
Both machines are rebooting after this and it happens quite often.

Any ideas?

panic: mtx_enter: locking against myself
Starting stack trace...
panic() at panic+0x10b
mtx_enter() at mtx_enter+0x60
sofree() at sofree+0xa0
in_pcbdetach() at in_pcbdetach+0x40
tcp_close() at tcp_close+0xad
tcp_timer_2msl() at tcp_timer_2msl+0x90
softclock() at softclock+0x315
softintr_dispatch() at softintr_dispatch+0x8b
Xsoftclock() at Xsoftclock+0x1f
--- interrupt ---
(null)() at 0x8
(null)() at 0xff0118c50f90
end trace frame: 0x0, count: 246
End of stack trace.
syncing disks... panic: assertwaitok: non-zero mutex count: 1
Starting stack trace...
panic() at panic+0x10b
assertwaitok() at assertwaitok+0x52
bufq_wait() at bufq_wait+0x2d
bwrite() at bwrite+0xfe
VOP_BWRITE() at VOP_BWRITE+0x38
ffs_fsync() at ffs_fsync+0x13f
VOP_FSYNC() at VOP_FSYNC+0x3c
ffs_sync() at ffs_sync+0xc4
sys_sync() at sys_sync+0x87
vfs_syncwait() at vfs_syncwait+0x50
vfs_shutdown() at panic: mtx_enter: locking against myself
Faulted in traceback, aborting…

OpenBSD 5.8-stable (GENERIC.MP) #0: Thu Oct 22 18:52:06 CEST 2015
root@prdlba0001:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 4278124544 (4079MB)
avail mem = 4144574464 (3952MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xe0010 (364 entries)
bios0: vendor Phoenix Technologies LTD version "6.00" date 04/14/2014
bios0: VMware, Inc. VMware Virtual Platform
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP BOOT APIC MCFG SRAT HPET WAET
acpi0: wakeup devices PCI0(S3) USB_(S1) P2P0(S3) S1F0(S3) S2F0(S3) S3F0(S3)
S4F0(S3) S5F0(S3) S6F0(S3) S7F0(S3) S8F0(S3) S9F0(S3) S10F(S3) S11F(S3)
S12F(S3) S13F(S3) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E5-2620 v3 @ 2.40GHz, 2400.20 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,
x2APIC,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,LONG,LAHF,PERF,I
TSC,FSGSBASE,SMEP,ERMS,SENSOR,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 65MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Xeon(R) CPU E5-2620 v3 @ 2.40GHz, 2399.74 MHz
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,
x2APIC,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,LONG,LAHF,PERF,I
TSC,FSGSBASE,SMEP,ERMS,SENSOR,ARAT
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 11, 24 pins
acpimcfg0 at acpi0 addr 0xf000, bus 0-127
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: C1(@1 halt!)
acpicpu1 at acpi0: C1(@1 halt!)
acpibat0 at acpi0: BAT1 not present
acpibat1 at acpi0: BAT2 not present
acpiac0 at acpi0: AC unit online
acpibtn0 at acpi0: SLPB
acpibtn1 at acpi0: LID_
pvbus0 at mainbus0: VMware
vmt0 at pvbus0
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x01
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x01
pci1 at ppb0 bus 1
pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x08
pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel 0
configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 disabled (no drives)
pciide0: channel 1 disabled (no drives)
piixpm0 at pci0 dev 7 function 3 "Intel 82371AB Power" rev 0x08: SMBus
disabled
"VMware VMCI" rev 0x10 at pci0 dev 7 function 7 not configured
vga1 at pci0 dev 15 function 0 "VMware SVGA II" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb1 at pci0 dev 17 function 0 "VMware PCI" rev 0x02
pci2 at ppb1 bus 2
ahci0 at pci2 dev 1 function 0 "VMware AHCI" rev 0x00: apic 2 int 19, AHCI
1.3
ahci0: port 0: 6.0Gb/s
scsibus1 at ahci0: 32 targets
cd0 at scsibus1 targ 0 lun 0:  ATAPI 5/cdrom
removable
ppb2 at pci0 dev 21 function 0 "VMware PCIE" rev 0x01
pci3 at ppb2 bus 3
vmwpvs0 at pci3 dev 0 function 0 "VMware PVSCSI" rev 0x02: apic 2 int 18
scsibus2 at vmwpvs0: 16 targets
sd0 at scsibus2 targ 0 lun 0:  SCSI2 0/direct
fixed
sd0: 16384MB, 512 bytes/sector, 33554432 sectors
ppb3 at pci0 dev 21 function 1 "VMware PCIE" rev 0x01
pci4 at ppb3 bus 4
ppb4 at pci0 dev 21 function 2 "VMware PCIE" rev 0x01
pci5 at ppb4 bus 5
ppb5 at pci0 dev 21 function 3 "VMware PCIE" rev 0x01
pci6 at ppb5 bus 6
ppb6 at pci0 dev 21 function 4 "VMware PCIE" rev 0x01
pci7 at ppb6 bus 7

Re: panic: mtx_enter: locking against myself

2016-02-04 Thread mxb
t  init
 0 -1  0  0  3 0x10200  scheduler swapper

> On 4 feb. 2016, at 13:49, mxb <m...@alumni.chalmers.se> wrote:
>
>
> I was able to re-produce this panic with similar stack trace.
> Unfortunately 'trace/show regs/ps' are not in txt format, but are
screenshots.
>
> //mxb
>
>> On 4 feb. 2016, at 12:42, mxb <m...@alumni.chalmers.se> wrote:
>>
>>
>> Hey,
>> see those again on 5.8-STABLE.
>>
>> This is a 2-node CARP setup within VMWare ESX.
>> Both machines are rebooting after this and it happens quite often.
>>
>> Any ideas?
>>
>> panic: mtx_enter: locking against myself
>> Starting stack trace...
>> panic() at panic+0x10b
>> mtx_enter() at mtx_enter+0x60
>> sofree() at sofree+0xa0
>> in_pcbdetach() at in_pcbdetach+0x40
>> tcp_close() at tcp_close+0xad
>> tcp_timer_2msl() at tcp_timer_2msl+0x90
>> softclock() at softclock+0x315
>> softintr_dispatch() at softintr_dispatch+0x8b
>> Xsoftclock() at Xsoftclock+0x1f
>> --- interrupt ---
>> (null)() at 0x8
>> (null)() at 0xff0118c50f90
>> end trace frame: 0x0, count: 246
>> End of stack trace.
>> syncing disks... panic: assertwaitok: non-zero mutex count: 1
>> Starting stack trace...
>> panic() at panic+0x10b
>> assertwaitok() at assertwaitok+0x52
>> bufq_wait() at bufq_wait+0x2d
>> bwrite() at bwrite+0xfe
>> VOP_BWRITE() at VOP_BWRITE+0x38
>> ffs_fsync() at ffs_fsync+0x13f
>> VOP_FSYNC() at VOP_FSYNC+0x3c
>> ffs_sync() at ffs_sync+0xc4
>> sys_sync() at sys_sync+0x87
>> vfs_syncwait() at vfs_syncwait+0x50
>> vfs_shutdown() at panic: mtx_enter: locking against myself
>> Faulted in traceback, aborting…
>>
>> OpenBSD 5.8-stable (GENERIC.MP) #0: Thu Oct 22 18:52:06 CEST 2015
>>   root@prdlba0001:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>> real mem = 4278124544 (4079MB)
>> avail mem = 4144574464 (3952MB)
>> mpath0 at root
>> scsibus0 at mpath0: 256 targets
>> mainbus0 at root
>> bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xe0010 (364 entries)
>> bios0: vendor Phoenix Technologies LTD version "6.00" date 04/14/2014
>> bios0: VMware, Inc. VMware Virtual Platform
>> acpi0 at bios0: rev 2
>> acpi0: sleep states S0 S1 S4 S5
>> acpi0: tables DSDT FACP BOOT APIC MCFG SRAT HPET WAET
>> acpi0: wakeup devices PCI0(S3) USB_(S1) P2P0(S3) S1F0(S3) S2F0(S3) S3F0(S3)
S4F0(S3) S5F0(S3) S6F0(S3) S7F0(S3) S8F0(S3) S9F0(S3) S10F(S3) S11F(S3)
S12F(S3) S13F(S3) [...]
>> acpitimer0 at acpi0: 3579545 Hz, 24 bits
>> acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
>> cpu0 at mainbus0: apid 0 (boot processor)
>> cpu0: Intel(R) Xeon(R) CPU E5-2620 v3 @ 2.40GHz, 2400.20 MHz
>> cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,
x2APIC,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,LONG,LAHF,PERF,I
TSC,FSGSBASE,SMEP,ERMS,SENSOR,ARAT
>> cpu0: 256KB 64b/line 8-way L2 cache
>> cpu0: smt 0, core 0, package 0
>> mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
>> cpu0: apic clock running at 65MHz
>> cpu1 at mainbus0: apid 1 (application processor)
>> cpu1: Intel(R) Xeon(R) CPU E5-2620 v3 @ 2.40GHz, 2399.74 MHz
>> cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,MMX,FXSR,SSE,SSE2,SS,HTT,SSE3,PCLMUL,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,
x2APIC,MOVBE,POPCNT,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,LONG,LAHF,PERF,I
TSC,FSGSBASE,SMEP,ERMS,SENSOR,ARAT
>> cpu1: 256KB 64b/line 8-way L2 cache
>> cpu1: smt 0, core 1, package 0
>> ioapic0 at mainbus0: apid 2 pa 0xfec0, version 11, 24 pins
>> acpimcfg0 at acpi0 addr 0xf000, bus 0-127
>> acpihpet0 at acpi0: 14318179 Hz
>> acpiprt0 at acpi0: bus 0 (PCI0)
>> acpicpu0 at acpi0: C1(@1 halt!)
>> acpicpu1 at acpi0: C1(@1 halt!)
>> acpibat0 at acpi0: BAT1 not present
>> acpibat1 at acpi0: BAT2 not present
>> acpiac0 at acpi0: AC unit online
>> acpibtn0 at acpi0: SLPB
>> acpibtn1 at acpi0: LID_
>> pvbus0 at mainbus0: VMware
>> vmt0 at pvbus0
>> pci0 at mainbus0 bus 0
>> pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x01
>> ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x01
>> pci1 at ppb0 bus 1
>> pcib0 at pci0 dev 7 function 0 "Intel 82371AB PIIX4 ISA" rev 0x08
>> pciide0 at pci0 dev 7 function 1 "Intel 82371AB IDE" rev 0x01: DMA, channel
0 configured to compatibility, channel 1 configured to compatibility
>> pciide0: channel 0 disabled (no

Re: ipsec between three networks

2016-01-27 Thread mxb
OSPF is not the right protocol if you scale to more than 3 sites and want to
influence routing.
BGP will do a better job in this situation.

> On 27 jan. 2016, at 03:39, Dewey Hylton  wrote:
>
> my current working configuration has 3 sites; each site is connected to the
> others, and routing is handled via ospfd.



Re: Downgrade from 5.8-current to 5.8 release

2015-11-01 Thread mxb
You could do an “Update” of the existing installation via bsd.rd.
This will not be easy and you will definitely need access to the console.
You need to remove any installed ports and pay attention to /usr/lib and the
shared libs in it.
After your update via bsd.rd you’ll need to remove those libs from
-current.

Also it depends on how far from -release your -current is.
The further away you are, the more is no longer compatible and the more problems
you’ll get while reverting.

The easiest way is to collect all configs and to install from scratch.

//mxb

> On 1 nov. 2015, at 14:38, Adam Wysocki <gm...@chmurka.net> wrote:
>
> Hi,
>
> I have a problem. I mistakenly installed OpenBSD 5.8-current (I thought it
> was 5.8 release). Everything is set up, configured and live, but now
> pkg_add fails, because libc version has changed.
>
> 
> Can't install p5-Crypt-OpenSSL-Random-0.10 because of libraries
> |library c.84.0 not found
> | /usr/lib/libc.so.83.0 (system): bad major
> -
>
> As I don't want to use snapshots and follow -current, is there an easy way
> to downgrade my installation to 5.8 release without losing my
> configuration? I thought about just untaring appropriate tgz packages
> (base58.tgz, copying /bsd etc.) and recompiling one program that I
> installed manually (because it now uses libs from my installed snapshot),
> but I am almost certain I would lose my configuration this way...
>
> --
> "qui hic minxerit aut cacaverit, habeat deos superos et inferos iratos"
> http://www.chmurka.net/



Re: iked ikev2 x509 authentication problem - no valid local certificate found

2015-10-01 Thread mxb
http://marc.info/?l=openbsd-tech=144362542514318=2


> On 1 okt. 2015, at 21:25, Rob  wrote:
>
> Hi,
>
> I’m a little stuck getting two different clients connected to my OpenBSD
> 5.7 (i386) VPN ikev2 server.  I suspect the clients are at fault as I can
> get past the error when connecting one OpenBSDs iked to another iked.
>
> FWIW the clients are both Apple, one IOS 9.1 device and one OSX 10.11.1
> laptop, so I’m a little stuck with the VPN client I can use.
>
> I have the following configuration:
>
> ikev2 "road_warrior" passive esp \
>from 192.168.20.0/24 to 192.168.40.0/24 \
>local 192.168.20.4 peer any \
>ikesa enc aes-128 prf hmac-sha2-256 \
>auth hmac-sha2-256 group modp2048 \
>childsa enc aes-128 auth hmac-sha2-256 \
>srcid "local.example.net" \
>dstid "peer.example.net" \
>config address 192.168.40.10/29 \
>config netmask 255.255.255.0 \
>config name-server 192.168.20.53 \
>config protected-subnet 192.168.40.0/24
>
> (IPs and names have been changed to protect the innocent)
>
> I have keys installed as follows:
>
> /etc/iked/ca/example.net.crt
> /etc/iked/certs/local.example.net.crt
> /etc/iked/private/local.key
> /etc/iked/pubkeys/fqdn/peer.example.net
> /etc/iked/local.pub
>
>
> I believe the client isn’t sending the certificate request, but I
> could be completely wrong, the error appears to be:
>
> ikev2_sa_negotiate: score 4
> sa_stateflags: 0x18 -> 0x18 authvalid,sa (required 0x1f
cert,certvalid,auth,authvalid,sa)
> sa_stateok: VALID flags 0x18, require 0x1f cert,certvalid,auth,authvalid,sa
> sa_state: cannot switch: AUTH_SUCCESS -> VALID
> config_free_proposals: free 0x77286c80
> ca_getreq: no valid local certificate found
>
> The client is sending peer.example.net.crt to the server, which gets
> validated correctly:
>
> ca_validate_cert: /C=UK/L=London/O=Example Net/CN=peer.example.net ok
> ikev2_dispatch_cert: peer certificate is valid
> sa_stateflags: 0x1c -> 0x1e certvalid,auth,authvalid,sa (required 0x1f
cert,certvalid,auth,authvalid,sa)
>
> I’ve been at this for a number of days and am completely stuck, so if
> anyone has any ideas/advice/clue-sticks I’d be very grateful.  If you
> need any further log information please let me know.
>
>
> thanks
>
> Rob



Re: 5.8-stable: panic: mtx_enter locking against myself

2015-09-24 Thread mxb
Looks like I found the root cause.
At least it is as stable as it is supposed to be.
I need to reproduce this in the lab before making the next move.

//mxb

> On 17 sep. 2015, at 10:35, mxb <m...@alumni.chalmers.se> wrote:
> 
> 
> Hey,
> getting panics with 5.8-STABLE kernel.
> 
> panic: mtx_enter: locking against myself
> Starting stack trace…
> panic() at panic+0x10b
> mtx_enter() at mtx_enter+0x60
> sofree() at sofree+0xa0
> in_pcbdetach() at in_pcbdetach+0x40
> tcp_close() at tcp_close+0xad
> tcp_timer_2msl() at tcp_timer_2msl+0x90
> softclock() at softclock+0x315
> softintr_dispatch() at softintr_dispatch+0x8b
> Xsoftclock() at Xsoftclock+0x1f
> --- interrupt ---
> (null)() at 0x8
> end of kernel
> end trace frame: 0x1120001, count: 247
> end of stack trace



Re: 5.8-stable: panic: mtx_enter locking against myself

2015-09-17 Thread mxb
"Intel E5 v3 DMA" rev 0x02 at pci10 dev 4 function 0 not configured
"Intel E5 v3 DMA" rev 0x02 at pci10 dev 4 function 1 not configured
"Intel E5 v3 DMA" rev 0x02 at pci10 dev 4 function 2 not configured
"Intel E5 v3 DMA" rev 0x02 at pci10 dev 4 function 3 not configured
"Intel E5 v3 DMA" rev 0x02 at pci10 dev 4 function 4 not configured
"Intel E5 v3 DMA" rev 0x02 at pci10 dev 4 function 5 not configured
"Intel E5 v3 DMA" rev 0x02 at pci10 dev 4 function 6 not configured
"Intel E5 v3 DMA" rev 0x02 at pci10 dev 4 function 7 not configured
"Intel E5 v3 Address Map" rev 0x02 at pci10 dev 5 function 0 not configured
"Intel E5 v3 Hot Plug" rev 0x02 at pci10 dev 5 function 1 not configured
"Intel E5 v3 Error Reporting" rev 0x02 at pci10 dev 5 function 2 not configured
"Intel E5 v3 I/O APIC" rev 0x02 at pci10 dev 5 function 4 not configured
uhub3 at uhub0 port 14 "vendor 0x product 0x0001" rev 2.00/0.00 addr 2
uhub3: device problem, disabling port 1
uhub4 at uhub1 port 1 "Intel Rate Matching Hub" rev 2.00/0.05 addr 2
uhub5 at uhub2 port 1 "Intel Rate Matching Hub" rev 2.00/0.05 addr 2
vscsi0 at root
scsibus3 at vscsi0: 256 targets
softraid0 at root
scsibus4 at softraid0: 256 targets
root on sd0a (a6bfac843655c015.a) swap on sd0b dump on sd0b
carp: pfsync0 demoted group carp by 32 to 160 (pfsync init)
carp: pfsync0 demoted group pfsync by 32 to 32 (pfsync init)
carp: pfsync0 demoted group carp by 1 to 161 (pfsync bulk start)
carp: pfsync0 demoted group pfsync by 1 to 33 (pfsync bulk start)
carp1: state transition: BACKUP -> MASTER
carp302: state transition (vhid 40): BACKUP -> MASTER
carp0: state transition: BACKUP -> MASTER
carp302: state transition (vhid 30): BACKUP -> MASTER
carp1: state transition: MASTER -> BACKUP
carp302: state transition (vhid 40): MASTER -> BACKUP
carp0: state transition: MASTER -> BACKUP
carp302: state transition (vhid 30): MASTER -> BACKUP
carp: pfsync0 demoted group carp by -1 to 32 (pfsync bulk done)
carp: pfsync0 demoted group pfsync by -1 to 32 (pfsync bulk done)
carp: pfsync0 demoted group carp by -32 to 0 (pfsync init)
carp: pfsync0 demoted group pfsync by -32 to 0 (pfsync init)
carp1: state transition: BACKUP -> MASTER
carp302: state transition (vhid 40): BACKUP -> MASTER

> On 17 sep. 2015, at 10:56, k...@kurawa.no-ip.org wrote:
> 
> On Thu, 17 Sep 2015 10:35:46 +0200
> mxb <m...@alumni.chalmers.se> wrote:
> 
>> getting panics with 5.8-STABLE kernel.
>> 
> 5.8-STABLE is not released yet. You mean 5.8-CURRENT?



5.8-stable: panic: mtx_enter locking against myself

2015-09-17 Thread mxb
Hey,
getting panics with 5.8-STABLE kernel.

panic: mtx_enter: locking against myself
Starting stack trace…
panic() at panic+0x10b
mtx_enter() at mtx_enter+0x60
sofree() at sofree+0xa0
in_pcbdetach() at in_pcbdetach+0x40
tcp_close() at tcp_close+0xad
tcp_timer_2msl() at tcp_timer_2msl+0x90
softclock() at softclock+0x315
softintr_dispatch() at softintr_dispatch+0x8b
Xsoftclock() at Xsoftclock+0x1f
--- interrupt ---
(null)() at 0x8
end of kernel
end trace frame: 0x1120001, count: 247
end of stack trace



Re: 5.8-stable: panic: mtx_enter locking against myself

2015-09-17 Thread mxb
And this is from a crash just 10 min ago.

(gdb) file /var/crash/bsd.0
Reading symbols from /var/crash/bsd.0...(no debugging symbols found)...done.
(gdb) target kvm /var/crash/bsd.0.core
#0  0x8131cae4 in dumpsys ()
(gdb) where
#0  0x8131cae4 in dumpsys ()
#1  0x00030272 in ?? ()
#2  0x0005 in ?? ()
#3  0x8135e990 in sd_flush ()
Previous frame inner to this frame (corrupt stack?)


Any ideas?

> On 17 sep. 2015, at 10:35, mxb <m...@alumni.chalmers.se> wrote:
> 
> 
> Hey,
> getting panics with 5.8-STABLE kernel.
> 
> panic: mtx_enter: locking against myself
> Starting stack trace…
> panic() at panic+0x10b
> mtx_enter() at mtx_enter+0x60
> sofree() at sofree+0xa0
> in_pcbdetach() at in_pcbdetach+0x40
> tcp_close() at tcp_close+0xad
> tcp_timer_2msl() at tcp_timer_2msl+0x90
> softclock() at softclock+0x315
> softintr_dispatch() at softintr_dispatch+0x8b
> Xsoftclock() at Xsoftclock+0x1f
> --- interrupt ---
> (null)() at 0x8
> end of kernel
> end trace frame: 0x1120001, count: 247
> end of stack trace



Re: 5.8-stable: panic: mtx_enter locking against myself

2015-09-17 Thread mxb
006262 0 3 0 80
ehcixfer 264   9104 1 0 1 1 0 80
xhcixfer 240   8502 1 0 1 1 0 80
scxspl   19239727014443 1 2 0 80
sigapl   432  3420   37 6 1 5 5 0 80
knotepl  112  56998260  20511 2 910 0 80
kqueuepl 320   210   21 2 0 2 2 0 80
pipepl   120  16202 5 4 1 1 0 80
fdescpl  440  3430   38 6 1 5 5 0 80
filepl   120   7656380  2044437 710 0 80
lockfpl   88301 1 0 1 1 0 80
sessionpl 64   240   19 1 0 1 1 0 80
pgrppl40   360   23 1 0 1 1 0 80
ucredpl   96  1060   31 1 0 1 1 0 80
zombiepl 144  30500 8 8 0 1 0 80
processpl656  3650   6012 11111 0 80
procpl   576  3650   6010 1 910 0 80
sosppl88   7563220 5543   801   641   160   215 0 86
sockpl   392   7625000 5737  4060  3351   709  1182 0 8   10
mcl2k   2048  58675780   18  1835  176867   247 4  6144   58
mbufpl   256 168548330 5680  1800  1293   507   736 1   768   37
bufpl256387440 1656   104 0   104   104 0 80
anonpl16352360 676931 32829 0  10140
amappl72258620 329366 46264 0750
dma4096 4096100 1 1 0 1 0 80
dma512   512   1101 1 0 1 1 0 80
dma256   256   1000 1 1 0 1 0 80
dma64 64   1100 1 1 0 1 0 80
dma32 32900 1 1 0 1 0 80
dma16 16   2900 1 1 0 1 0 80
aobjpl64101 1 0 1 1 0 80
uaddrrnd  24  3430   38 1 0 1 1 0 80
uaddrbest 32202 1 0 1 1 0 80
uaddr 24  3430   38 1 0 1 1 0 80
vmmpekpl 1687443904 1 0 1 1 0 80
vmmpepl  168477120 5612   28135   246   261 0   3570
vmsppl   240  3420   37 3 0 3 3 0 80
pdppl   4096  3420   3747103742 0 80
pvpl  32   674839015266   14215   127   133 0   2650
pmappl   168  3420   37 2 0 2 2 0 80
extentpl  40  1490   53 1 0 1 1 0 80
phpool   112158380 3433   121 0   121   121 0 80

In use 23134K, total allocated 29244K; utilization 79.1%

> On 17 sep. 2015, at 11:20, Stuart Henderson <s...@spacehopper.org> wrote:
> 
> On 2015-09-17, mxb <m...@alumni.chalmers.se> wrote:
>> Hey,
>> getting panics with 5.8-STABLE kernel.
>> 
>> panic: mtx_enter: locking against myself
>> Starting stack trace…
>> panic() at panic+0x10b
>> mtx_enter() at mtx_enter+0x60
>> sofree() at sofree+0xa0
>> in_pcbdetach() at in_pcbdetach+0x40
>> tcp_close() at tcp_close+0xad
>> tcp_timer_2msl() at tcp_timer_2msl+0x90
>> softclock() at softclock+0x315
>> softintr_dispatch() at softintr_dispatch+0x8b
>> Xsoftclock() at Xsoftclock+0x1f
>> --- interrupt ---
>> (null)() at 0x8
>> end of kernel
>> end trace frame: 0x1120001, count: 247
>> end of stack trace
>> 
>> 
> 
> A bit more information about when this is happening might be useful..



Re: nsd configuration problem

2015-06-25 Thread mxb

Good that you solved your problem.
I've done the same work as you by converting from bind to nsd+unbound,
the hard way, via digging Google and trying things out.
You got lucky with a shortcut ;)

//mxb

On 2015-06-25 21:22, Andrew Daugherity wrote:

On Wed, Jun 24, 2015 at 1:06 PM, Graham Stephens
gra...@thestephensdomain.com wrote:

---
On 24/06/2015 18:43, mxb wrote:

Hey,
this is a bit different from bind/named.

nsd is a authoritative server ONLY.
unbound is a caching server ONLY.

I use those together on the same machine.
nsd is handling all zones, unbound answers queries.

nsd.conf:
[port 5353, snip rest of cfg]

unbound.conf:

server:
  ## this one important to be able to query nsd
  do-not-query-localhost: no

  private-domain: homelan.com

  ## this one important to be able to query nsd
  local-zone: 78.168.192.in-addr.arpa. transparent

## forward to nsd
forward-zone:
  name: homelan.com
  forward-addr: 127.0.0.1@5353

## forward to nsd
forward-zone:
  name: 78.168.192.in-addr.arpa
  forward-addr: 127.0.0.1@5353

## forward to google
forward-zone:
  name: .
  forward-addr: 8.8.8.8

This is similar to my setup, although I used stub-zone/stub-addr
instead of forward-zone for my internal forward and reverse zones, as
that seems to make more sense based on my reading of unbound.conf(5).
(It says stub-zone is for authoritative servers, which nsd is, and
forward-zone is for recursive servers.  I'm not 100% sure I am correct
here, however.)  I also did not define a global forward-zone -- why
not just use the system DNS servers?

The important bits to actually make this work are the
'do-not-query-localhost: no' and 'local-zone: C.B.A.in-addr.arpa.
transparent' options, needed to override unbound's default behavior of
ignoring localhost and RFC1918 addresses.  It took me a while to find
this, until I discovered the proper keywords to Google for.

I think this would be a good addition to the OpenBSD FAQ.  While less
common than a simple caching resolver, it's probably not too uncommon
to have used BIND to serve a local zone and also act as a caching
resolver, and having some guidance on how to convert your BIND setup
to unbound+nsd would be nice.  (Good guidance, not misleading and/or
incorrect advice from ca***el.org!)  nsd on a localhost high port,
serving my old BIND zone files, and unbound forwarding to it for my
zones was easy enough, but the two magic options letting unbound
actually talk to nsd were somewhat less obvious.

-Andrew
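As an added example (not from either post), here is a complete nsd.conf and unbound.conf pair in the shape the two posts describe: nsd authoritative on the loopback high port, unbound as the LAN resolver with the two options needed to let it talk to nsd. The names come from the posts (homelan.com, 192.168.78.0/24, 127.0.0.1 port 5353); the LAN interface address, the zone file names and the domain-insecure line are assumptions.

```conf
# /var/nsd/etc/nsd.conf  (added example; authoritative only)
server:
    # listen on loopback only, on the port unbound forwards to
    ip-address: 127.0.0.1@5353
    hide-version: yes
    zonesdir: "/var/nsd/zones"          # assumed location of the zone files

zone:
    name: "homelan.com"
    zonefile: "homelan.com.zone"        # assumed file name

zone:
    name: "78.168.192.in-addr.arpa"
    zonefile: "78.168.192.in-addr.arpa.zone"   # assumed file name

# /var/unbound/etc/unbound.conf  (added example; caching resolver for the LAN)
server:
    interface: 192.168.78.1             # assumed LAN address of this box
    interface: 127.0.0.1
    access-control: 192.168.78.0/24 allow
    access-control: 127.0.0.0/8 allow
    hide-identity: yes
    hide-version: yes

    # unbound refuses to send queries to 127.0.0.0/8 by default; without
    # this line the stub-zones below are never consulted
    do-not-query-localhost: no

    # if private-address covers 192.168.0.0/16 (rebinding protection),
    # answers for this domain are still allowed to carry RFC1918 addresses
    private-domain: "homelan.com"

    # unbound ships a default "static" local-zone for 168.192.in-addr.arpa.
    # that answers NXDOMAIN locally; make our /24 transparent so the
    # reverse stub-zone is asked instead
    local-zone: "78.168.192.in-addr.arpa." transparent

    # only needed when DNSSEC validation is enabled (auto-trust-anchor-file):
    # the zone is unsigned and not delegated from .com, so the validator would
    # otherwise mark it bogus
    domain-insecure: "homelan.com"

# nsd is authoritative for these zones, so stub-zone (not forward-zone) is the
# right hook; both point at nsd on the loopback high port
stub-zone:
    name: "homelan.com"
    stub-addr: 127.0.0.1@5353

stub-zone:
    name: "78.168.192.in-addr.arpa"
    stub-addr: 127.0.0.1@5353
```

Check both files with nsd-checkconf and unbound-checkconf before restarting, then query through unbound with `dig @127.0.0.1 host.homelan.com` and `dig @127.0.0.1 -x 192.168.78.10`. NXDOMAIN for the reverse name points at the local-zone line; SERVFAIL for the forward name with validation enabled points at the domain-insecure line.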




ifconfig carp30 state backup

2015-06-23 Thread mxb

Hey misc@,

I have 2-node CARP setup in master/backup.

carp30 configuration follows:

carp30: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:5e:00:01:0f
description: EXT_30
priority: 0
carp: carpdev trunk0 advbase 1 balancing ip-stealth
state MASTER vhid 15 advskew 0
state MASTER vhid 25 advskew 0
groups: carp
status: master
inet 155.4.x.x netmask 0xff80 broadcast 155.4.x.x

When 'ifconfig carp30 state backup' is issued, carp30 becomes BACKUP for
a very short period and then returns to MASTER. advskew is 100 on the second node.

The question is whether this is expected behavior. According to the man page I can
force it to become BACKUP on the first node.


Br
//mxb



Re: AMD64 Snapshot Issues

2015-06-17 Thread mxb
This is how it goes with snaps. You should not complain. If the team managed to 
build it, it does not mean that it IS stable. I've been in this situation 
several times. There is no one to blame. You should either stay away from snaps 
or be prepared to fix problems by yourself.

Br
//mxb

Sent from my iDevice

 On 17 Jun 2015, at 19:39, Michael McConville mmcconvi...@mykolab.com wrote:
 
 About twelve hours ago, I downloaded and installed the latest AMD64
 snapshot (#1063 in /etc/motd). When booting it hits an infinite loop,
 repeatedly printing Process (pid 1) got signal 4 to the console.
 
 When I boot to a snapshot ramdisk or bsd.rd now, it hangs at root on
 rd0a swap on rd0b dump on rd0b. This happens on two different USBs, and
 whether or not my primary drive is even connected to the machine.
 
 A half hour ago, I downloaded a newer snapshot ramdisk from
 ftp.openbsd.org. When booted to, this one immediately hits an infinite
 loop, printing Using drive 0, partition 3. to the console.
 
 I'm pretty confident that this is an issue with the snapshots and not my
 machine because the 5.7 release images boot fine.
 
 I suspect that the devs are already aware of this, but I thought I'd
 mention it.



Re: tls with relayd (on 5.7) and key without password

2015-05-03 Thread mxb
Try to create a symlink in /etc/ssl/private:
ln -s mydomain.org.key 1.2.3.4.key, where “1.2.3.4”
is your address in $ext_addr.

//mxb

 On 3 maj 2015, at 13:04, Comète com...@daknet.org wrote:

 Hi,

 My TLS key has no password and I already use it for other stuff, so I try to
enable TLS with relayd like this:

 http protocol http_tls {
tls tlsv1
tls ca key /etc/ssl/private/mydomain.org.key password 
tls ca cert /etc/ssl/mydomain.org.crt
 }

 relay transptls {
listen on $ext_addr port 443 tls
protocol http_tls
transparent forward with tls to 127.0.0.1 port http
 }

 but i get this error:

 startup
 socket_rlimit: max open files 1024
 socket_rlimit: max open files 1024
 relay_load_certfiles: using ca certificate /etc/ssl/mydomain.org.crt
 socket_rlimit: max open files 1024
 socket_rlimit: max open files 1024
 relay_load_certfiles: using ca key /etc/ssl/private/mydomain.org.key
 /etc/relayd.conf:24: cannot load certificates for relay transptls
 no actions, nothing to do
 ca exiting, pid 29173
 pfe exiting, pid 19946
 ca exiting, pid 3806
 ca exiting, pid 24689
 hce exiting, pid 32289
 relay exiting, pid 22936
 relay exiting, pid 25790

 So, is it possible to use a tls key without password with relayd ?

 Thank you

 Morgan



Re: relayd crashes often

2015-04-29 Thread mxb
 On 25 apr 2015, at 15:29, Claudio Jeker cje...@diehard.n-r-g.com wrote:

 Took some time to hunt down the cause of these CLOSE_WAIT sessions and
 caused some sleepless nights since our loadbalancer was hitting them as
 well. I think the following diff should solve the issue without causing
 further regressions.

 The problematic connections are HTTP session that are closed before the
 backend is started. In that case we can not wait for the backend.

After 200 days of peace, relayd started to get killed for a yet unknown reason.
ALL processes are killed.

My guess was that I’m hitting this problem as well.
So the diff is applied on top of -current on a backup node.
Let’s see how it runs from now on.

I was running an old, post-5.6 snapshot.

//mxb



Re: IPSec and Cisco peers

2015-04-07 Thread mxb
Run isakmpd with ‘-L’ and then
tcpdump -n -vs 1440 -r /var/run/isakmpd.pcap and see what is going on.

//mxb

 On 7 apr 2015, at 19:29, jean-yves boisiaud 
 jean-yves.boisi...@alcor-consulting.fr wrote:
 
 Hello Alexander,
 
 Thank you for your help.
 
 The problem is that I do not have any access to the Cisco configurations.
 
 
 
 2015-04-07 19:10 GMT+02:00 Alexander Salmin alexan...@salmin.biz:
 
 Hey,
 
 Based on my experience you could try three things:
 - Provide us with the Cisco configuration on that side.
 - Use packet-tracer from the cisco device, it's really helpful in these
 situations.
 - Verify every little bit of configuration on both sides so that they are
 exactly the same.
 
 Alexander Salmin
 
 
 On 2015-04-07 16:28:00, jean-yves boisiaud wrote:
 hello,
 
 I'm using IPSec with OpenBSD.
 
 I cannot connect with some Cisco appliances, a Cisco Asa and a Cisco
 2951.
 
 For these two Cisco gw, I can see in the log the same messages :
 
 Apr  7 16:10:00 billy isakmpd[31908]: isakmpd: phase 1 done: initiator id
 X, responder id Y, src: X dst: Y
 Apr  7 16:10:00 billy isakmpd[31908]: isakmpd: Peer Y made us delete live
 SA peer-Y-local-X for proto 1, initiator id: X, responder id: Y
 
 As the remote IT engineers wanted me to enable DPD, I changed the ipsec
 configuration from active to dynamic, but nothing changes.
 
 Is there something wrong in my configuration ?
 
 ike dynamic esp from 192.168.36.0/24 to 10.0.0.0/8 \
  local X peer Y \
  main auth hmac-md5 enc 3des group grp2 lifetime 28800 \
  quick auth hmac-sha1 enc 3des group grp2 lifetime 28800 \
  srcid X dstid Y \
  psk z
 
 --
 Jean-Yves Boisiaud - Alcor Consulting
 24, rue de la Glycine
 49250 Saint Remy la Varenne
 mobile : +33 6 63 71 73 46  fixe : +33 9 72 41 19 35
 
 
 
 
 -- 
 Jean-Yves Boisiaud - Alcor Consulting
 24, rue de la Glycine
 49250 Saint Remy la Varenne
 mobile : +33 6 63 71 73 46  fixe : +33 9 72 41 19 35



Re: l2pt traffic forwarding

2015-04-01 Thread mxb
Have you done the routing on the client side?
The client, after connecting to L2TP, should know how to reach your internal 
network where web3 lives.

//mxb

 On 31 mar 2015, at 23:17, Predrag Punosevac punoseva...@gmail.com wrote:
 
 Hi Misc,
 
 Thanks to several kind folks I got the L2TP server to work like a charm on 5.7.
 I will post my configuration files in a day or two as I am working on a
 very tight deadline.
 
 I am facing now another probably trivial problem.
 
 I would like the L2TP server to serve as a web gateway to one of my
 websites.
 
 
 Namely I have something like this
 
 Internet  Firewall/L2PT/Nginx  insecure web using Nginx proxy 
    insecure web2 using Nginx proxy
   sec web3 only available to L2PT
 
 
 I have a problem getting web3 to be available to the L2TP folks. I was trying
 to rdr the incoming traffic on the vpn interface tun0 address 10.0.0.1 to
 a host behind the firewall on my private lan. It didn't work.
 
 I tried to use nginx as a proxy, declaring 10.0.0.1 to be the
 interface and redirecting to a virtual host, but all I get is nginx
 pushing that traffic to one of the hosts web and web2, which use the same
 port but a different non-vpn address (the same physical interface as
 tun0).
 
 The only thing I have not done is using the enc0 interface. Can somebody
 point me in the general direction of how to solve this problem?
 
 Most Kind Regards,
 Predrag Punosevac



Re: can't ping CARP interfaces

2015-03-29 Thread mxb
Probably your PF rules.
put in ‘pass quick proto icmp’.


 On 28 mar 2015, at 00:59, David Newman dnew...@networktest.com wrote:
 
 Greetings. In preparation for upgrading two CARP+pfsync boxes to
 5.6/i386, I put together a lab network to test new firewall rules.
 
 Topology is pretty simple:
 
 outside box (vic0) - (vic1) two carp boxes (vic0) - inside box
 
 with a third interface on each firewall for pfsync traffic. I'm focused
 here on the outside box pinging the carp box's outside CARP interface.
 
 In the lab network everyone can ping everyone else, except for the CARP
 interfaces -- these are not pingable. Hosts on either side of the
 firewall can ping the underlying interfaces that the CARP interfaces are
 bound to.
 
 Also, 'netstat -f inet -nr' shows that CARP interfaces are bound to lo0.
 On the production boxes these systems model, carp interfaces are bound
 to the underlying physical interfaces.
 
 tcpdump on the physical interface of the master firewall says the
 outside box ARPs for the CARP interface, and the firewall sends an ARP
 response with the CARP interface's IP and MAC addresses.
 
 Thanks in advance for troubleshooting clues -- this is almost certainly
 a misconfiguration but I'm not sure where.
 
 dn
 
 Outside box's hostname.vic0:
 inet 12.220.174.101 255.255.255.224 12.220.174.127
 
 FW1 hostname.vic1:
 inet 12.220.174.99 255.255.255.224 12.220.174.127
 
 FW1 hostname.carp221:
 inet 12.220.174.98 255.255.255.224 12.220.174.127 vhid 221 advskew 1
 pass * carpdev vic1 carppeer 12.220.174.100
 
 FW1 ifconfig vic1:
 vic1: flags=28b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST,NOINET6> mtu 1500
         lladdr 00:50:56:b2:33:0e
         priority: 0
         groups: egress
         media: Ethernet autoselect
         status: active
         inet 12.220.174.99 netmask 0xffe0 broadcast 12.220.174.127
 
 FW1 ifconfig carp221:
 inet 12.220.174.98 255.255.255.224 12.220.174.127 vhid 221 advskew 1 pass
 w00h00 carpdev vic1 carppeer 12.220.174.100
 # ifconfig carp221
 carp221: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
         lladdr 00:00:5e:00:01:dd
         priority: 0
         carp: MASTER carpdev vic1 vhid 221 advbase 1 advskew 1 carppeer 12.220.174.100
         groups: carp
         status: master
         inet 12.220.174.98 netmask 0xffe0 broadcast 12.220.174.127
 
 FW1 netstat -f inet -nr:
 # netstat -f inet -nr
 Routing tables
 
 Internet:
 Destination        Gateway            Flags   Refs   Use   Mtu  Prio Iface
 default            12.220.174.97      UGS        0    38     -     8 vic1
 12.220.174.96/27   link#2             UC         2     0     -     4 vic1
 12.220.174.98      00:00:5e:00:01:dd  HLl        0     0     -     1 lo0   # -- NOTE lo0 BINDING
 12.220.174.99      00:50:56:b2:33:0e  UHLl       0     0     -     1 lo0
 12.220.174.100     00:50:56:b2:32:94  UHLc       0   274     -     4 vic1
 12.220.174.101     00:50:56:b2:5e:b5  UHLc       0     5     -     4 vic1
 127/8              127.0.0.1          UGRS       0     0 32768     8 lo0
 127.0.0.1          127.0.0.1          UH         1     4 32768     4 lo0
 
 
 FW2 hostname.vic1:
 inet 12.220.174.100 255.255.255.224 12.220.174.127
 
 FW2 hostname.carp221:
 inet 12.220.174.98 255.255.255.224 12.220.174.127 vhid 221 advskew 128
 pass * carpdev vic1 carppeer 12.220.174.99
 
 FW2 ifconfig carp221:
 carp221: flags=28843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6 mtu
 1500
lladdr 00:00:5e:00:01:dd
priority: 0
carp: BACKUP carpdev vic1 vhid 221 advbase 1 advskew 128
 carppeer 12.220.174.99
groups: carp
status: backup
inet 12.220.174.98 netmask 0xffe0 broadcast 12.220.174.127
 
 pf.conf on both boxes:
 
 # interfaces
 pfsync0_if = vic2
 carp_dev = { vic0, vic1 }
 
 set skip on lo
 
 ##
 # Packet filtering
 ##
 
 block return# block stateless traffic
 #pass   # establish keep-state
 
 # By default, do not permit remote connections to X11
 block return in on ! lo0 proto tcp to port 6000:6010
 
 # icmp handling -- FIX THIS to specify ICMP types
 pass log inet proto icmp all
 
 # carp and pfsync
 pass on { $pfsync0_if } proto pfsync
 pass on $carp_dev proto carp
 
 FW1 dmesg:
 
 OpenBSD 5.6 (GENERIC.MP) #299: Fri Aug  8 00:10:33 MDT 2014
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP

Re: httpd tls - what am i missing?

2015-03-26 Thread mxb
 On 25 mar 2015, at 23:44, Theodore Wynnychenko t...@uchicago.edu wrote:

 Thank you for the suggestion.  I was not aware of pound.

I'd rather go for relayd, which is in base. No need to install "yet
another port and make sure it is up2date".

//mxb



Re: OpenBSD 5.5 ISAKMPD

2015-01-16 Thread mxb
Hey,
You probably want to start with ipsec.conf(5).
isakmpd.conf is generated out of ipsec.conf.
I think people running 5.4+ don’t even use it any more.

Br

//mxb

 On 16 jan 2015, at 21:22, Motty Cruz motty.c...@gmail.com wrote:
 
 Hello All,
 
 I'm trying to setup IPSec Tunnel using the following parameters.
 Phase 1
 exchange encryption: AES256
 Data Integrity: SHA256
 DH: group 20
 Aggressive Mode
 
 phase 2
 encryption: AESGCM256
 HASH: SHA384
 
 I can't find examples to configure isakmpd.conf using parameters above.
 
 [fw2-main-mode]
 DOI=IPSEC
 EXCHANGE_TYPE=  ID_PROT
 Transforms= AES256-SHA2-GRP20
 
 [fw2-quick-mode]
 DOI=IPSEC
 EXCHANGE_TYPE=  QUICK_MODE
 Suites= QM-ESP-AESGCM-SHA2-SUITE
 
 [QM-ESP-AESGCM-256-SHA2-SUITE]
 TRANSFORM_ID=   AESGCM
 ENCAPSULATION_MODE= TUNNEL
 AUTHENTICATION_ALGORITHM=   HMAC_SHA2
 GROUP_DESCRIPTION=  EC_384
 Life=   LIFE_3600_SECS
 
 using this configuration I get the following error:
 isakmpd[30247]: exchange_run: doi-initiato
 
 Thanks in advance,
 -Motty



Re: Dell R630 high interrupts on acpi0

2014-12-17 Thread mxb
 On 16 dec 2014, at 06:40, David Gwynne da...@gwynne.id.au wrote:

 others have hit this on r620s as well

I don’t see it on mine.

interrupt                       total     rate
irq0/clock                 9587998940     1599
irq0/ipi                    136166514       22
irq144/acpi0                        2        0
irq112/ix0                29053603446     4847
irq113/ix1                27844456217     4646
irq96/mfi0                    8072587        1
irq114/ubsec0              3101629892      517
irq98/ehci0                       112        0
irq115/em0                 4928262870      822
irq116/em1                  211437268       35
irq99/ehci1                        28        0
irq100/ahci0                        1        0
Total                     74871627877    12493


This is a pre-5.6

OpenBSD 5.6-current (GENERIC.MP) #394: Wed Oct  1 12:54:54 MDT 2014
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

OpenSMTPD: SMTP_LIMIT_MAIL and SMTP_LIMIT_RCPT

2014-12-08 Thread mxb
Hello @list,

are there any plans for those constants to be configurable via smtpd.conf?

//mxb



Re: OpenBSD 5.6/current on Soekris 6501-70

2014-12-08 Thread mxb
We have exactly this model.
tcpbench from base gave only around 340Mbit/s on those.

So the CPU is probably one problem on those boards.

tcpbench against 1U machines with a better CPU does almost line rate on a
1G NIC.


//mxb

 On 8 dec 2014, at 00:53, Martin Hanson greencopperm...@yandex.com wrote:
 
 Hi,
 
 Anyone running OpenBSD 5.6 or current on Soekris 6501-70 who
 wouldn't mind sharing some through-put data for gigabit
 performance.
 
 Regards,
 
 MH



Re: OpenSMTPD: SMTP_LIMIT_MAIL and SMTP_LIMIT_RCPT

2014-12-08 Thread mxb
We do a lot of bulk mails and not via local smtp, e.g. PHP code talks directly
to opensmtpd.
opensmtpd is used as an internal relay/smart host.

I had to raise the limits for those two in order to escape
"452 4.5.3 Too many recipients: Too many messages sent"

//mxb

 On 8 dec 2014, at 11:14, Gilles Chehade gil...@poolp.org wrote:
 
 On Mon, Dec 08, 2014 at 11:00:50AM +0100, mxb wrote:
 Hello @list,
 
 are there any plans for those constants to be configurable via smtpd.conf?
 
 
 yes, they are actually already configurable in my sandbox thanks to a
 diff from a user, however not committed to OpenBSD yet.
 
 out of curiosity, why are you unhappy with the defaults ?
 
 
 -- 
 Gilles Chehade
 
 https://www.poolp.org  @poolpOrg



Re: Squid configuration

2014-12-03 Thread mxb
echo "max_filedescriptors 4096" >> /etc/squid/squid.conf

 On 3 dec 2014, at 04:07, Einfach Jemand rru@gmail.com wrote:
 
 Am 03.12.2014 03:55, schrieb Steve Shockley:
 On 12/2/2014 8:49 PM, Einfach Jemand wrote:
 
 Hmm, I checked on one of my boxen and there /etc/passwd has
 
 _squid
 ^! Note the underline.
 
 as account for this package, so you probably want
 
 According to the package README:
 
 When started by rc.d(8) (i.e. via pkg_scripts in rc.conf.local or from
 ${RCDIR}/squid start) the appropriately-named login class is used
 automatically.
 
 So, the underline shouldn't be necessary.
 
 Yes, I have rechecked and that is correct, no underline/underscore needed.
 
 Directing someone looking for a solution into the wrong direction is no
 good, please accept my apologies.
 
 Bye,
 rru



Re: Keyboard through IPMI lag/skipping keys

2014-10-12 Thread mxb
Tried upgrading to a newer IPMI firmware?


 On 13 okt 2014, at 02:11, Justin Winch flas...@hotmail.com wrote:
 
 I have a very irritating problem with keyboard lag through IPMI on a
 supermicro X9DRT.  If I install CentOS I do not have the lag/missed keystrokes,
 and I also do not have this problem with any of my other hardware running
 OpenBSD.  Some keystrokes don't get logged, others are logged twice.
 
 System--
 http://www.supermicro.com/products/system/2U/6027/SYS-6027TR-DTRF.cfm
 dmesg --
 http://img.photobucket.com/albums/v641/2muchricemakesmesick/dmesgmaster.png~original
 
 Can someone please tell me how I can fix this?  It pretty much makes the
 system useless.
 
 Thanks in advance



Re: amd64 snapshot from Sep 17 - isakmpd drops fifo

2014-09-25 Thread mxb
Looks like an old OpenBSD 5.0 install caused this problem.
isakmpd is stable as soon as 5.0 - 5.6 .

//mxb

 On 22 sep 2014, at 23:23, mxb m...@alumni.chalmers.se wrote:
 
 Hey,
 isakmpd seems to lose its FIFO-file in the snapshot from Sep17
 
 [fw1]-[23:16:35]# ipsecctl -f /etc/ipsec.conf
 ipsecctl: ike_ipsec_establish: open(/var/run/isakmpd.fifo): No such file or 
 directory
 
 However the process itself is still running.
 The only way is to restart isakmpd.
 
 Any ideas?
 
 OpenBSD fw1 5.6 GENERIC.MP#383 amd64
 
 //mxb



Re: Sponsorship offer

2014-09-22 Thread mxb
Hey,

all relevant info can be found at http://www.openbsd.org/
or at http://www.openbsd.org/donations.html
or at http://www.openbsdfoundation.org/

//mxb

 On 20 sep 2014, at 00:27, Gurkan Mercan gurkan.mer...@bsdmag.org wrote:

 Greetings,

 We're a magazine publishing free issues and online courses exclusively for
 BSD branches. I want to talk about becoming a paid sponsor of OpenBSD.
 We're willing to pay monthly. I'll be waiting for your answer so we can
 talk the details.

 Best Regards

 --
 Gurkan Mercan
 Product Manager of BSD Magazine
 http://bsdmag.org/
 https://twitter.com/BSDmag






amd64 snapshot from Sep 17 - isakmpd drops fifo

2014-09-22 Thread mxb
Hey,
isakmpd seems to lose its FIFO-file in the snapshot from Sep17

[fw1]-[23:16:35]# ipsecctl -f /etc/ipsec.conf
ipsecctl: ike_ipsec_establish: open(/var/run/isakmpd.fifo): No such file or 
directory

However the process itself is still running.
The only way is to restart isakmpd.

Any ideas?

OpenBSD fw1 5.6 GENERIC.MP#383 amd64

//mxb



Re: Can OpenBSD access BBC Iplayer?

2014-09-05 Thread mxb
BBC is propaganda, any way. Why should you watch this?!


On 4 sep 2014, at 13:49, Anthony Campbell a...@acampbell.org.uk wrote:

 On 04 Sep 2014, Anthony Campbell wrote:
 On 03 Sep 2014, David Coppa wrote:
 
 Thanks. I'm not using -current at the moment (I'm too new to OpenBSD) so
 I'd better wait until the next release.
 
 Could you kindly tell me which command line you use for live streaming?
 I've found several versions on the net but am not sure which, if any, is
 most likely to work.
 
 
 Sorry to follow up to myself, but I should say I took the obvious step
 of downloading get_iplayer-2.86 from source and putting it in ~/bin.
 Streaming works perfectly with this.
 
 I'll use the official OpenBSD package when it arrives with the next
 upgrade.
 
 Anthony
 
 -- 
 Anthony Campbell - a...@acampbell.org.uk 
 http://www.acupuncturecourse.org.uk 
 http://www.smashwords.com/profile.view/acampbell
 https://itunes.apple.com/ca/artist/anthony-campbell/id73235412



Re: troubleshooting carp

2014-08-14 Thread mxb
What switch do you have?

advbase 20 and advskew 100 mean that you'll have to wait 20+ seconds in order
to see an announcement in tcpdump.
Are you sure you have waited long enough?

//mxb
 
On 14 aug 2014, at 16:37, Stefan Olsson stur...@hotmail.com wrote:

 Hi Misc,
 I am having problems setting up a pair of firewalls (Soekris 6501-70 with
 an extra lan1841 quad-card, i.e. 8 em-ports in total). I cannot get CARP to
 work: both firewalls insist on becoming Master. I did have it working a week
 or two ago; since then I've been working on the rulesets and have updated to
 current snapshots several times, latest was last night. I've been thinking it
 was the rulesets that prevented the carp-traffic somehow, but even with pf
 turned off the carp announcements don't seem to be transmitted on the
 em-port.
 In order to isolate the problem I've turned on tcpdump in one session:
 # tcpdump -vvv -i em7 proto carp
 and then in another session I've done the following:
 # pfctl -d
 # ifconfig carp7 down
 # ifconfig carp7 up
 -Should I not see some carp-traffic in the tcpdump-session? -I don't see any
 carp-traffic there, so I am starting to wonder whether something has changed
 with em-driver and/or carp in current?
 -
 -# ifconfig carp7
 carp7: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
         lladdr 00:00:5e:00:01:01
         description: ISP
         priority: 0
         carp: MASTER carpdev em7 vhid 1 advbase 20 advskew 100
         groups: carp
         status: master
         inet X.X.X.116 netmask 0xfff0 broadcast X.X.X.127
 # ifconfig em7
 em7: flags=28b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST,NOINET6> mtu 1500
         lladdr 00:00:24:d0:de:03
         description: ISP
         priority: 0
         groups: egress
         media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
         status: active
         inet X.X.X.125 netmask 0xfff0 broadcast X.X.X.127
 # dmesg

Re: troubleshooting carp

2014-08-14 Thread mxb
You should show configuration from the other side too.
You’ll have to start your troubleshooting from the base, eg. can you ping
node2 from node1?

//mxb

On 14 aug 2014, at 20:36, Stefan Olsson stur...@hotmail.com wrote:



 From: stur...@hotmail.com
 To: m...@alumni.chalmers.se
 CC: misc@openbsd.org
 Subject: RE: troubleshooting carp
 Date: Thu, 14 Aug 2014 14:00:37 -0400

  Subject: Re: troubleshooting carp
  From: m...@alumni.chalmers.se
  Date: Thu, 14 Aug 2014 19:31:06 +0200
  CC: misc@openbsd.org
  To: stur...@hotmail.com
 
  What switch do you have?
 


 -OK, so I tried tcpdump and carp up/down on em1 instead as that is connected
 directly to the other firewall, i.e. no switch in between, and lo and behold,
 I can see CARP advertisements!
 -So, considering that it is the same host and same driver (em), it seems to
 be a wrongly configured switch rather than anything else!
 That begs the question though - what is so special with CARP, and what in
 the switch would be preventing it?? Multicast? VLAN? ...?

 I believe the switch might be a Netgear GSM724, or it could be a GS105.



Re: l2tp / ipsec follow up

2014-07-28 Thread mxb
I suggested reconfiguring your cable modem as a bridge,
so your OpenBSD box gets a public IP and not a private one (as you have it now).

In the old days, when I had a cable modem, I did exactly this.

This WILL make your life easier. Trust me.
You don't really have any control of the OS (Linux) inside your cable modem,
nor of the services (e.g. dhcpd) running inside it.

And when you get connection problems, you'll look for the problem and end
up resetting/rebooting several devices (modem, OpenBSD box).

//mxb

On 27 jul 2014, at 22:58, Gordon Turner tur...@ftn.net wrote:

 The OpenBSD ip (192.168.2.232) is statically assigned by the dhcp server.



Re: l2tp / ipsec issue

2014-07-25 Thread mxb
Probably, but you can play with ipsec-config and send your results over here.

On 24 jul 2014, at 13:23, Stefan Krueger stadtki...@gmx.de wrote:

 In mailing.openbsd.misc, you wrote:
 the public_ip in your ipsec.conf should be the external ip of your router,
 not the openbsd box.
 
 other setup checks can be referred to the following article.
 
 http://undeadly.org/cgi?action=article&sid=20120427125048
 
 Say I'm using PPPoE and my IP address changes every night, do I have
 to restart isakmpd + change the $public_ip in /etc/ipsec.conf every
 night, too?



Re: l2tp / ipsec issue

2014-07-22 Thread mxb
As the original author of the undeadly.org article, I can state that the info in it is
still partially valid, except for the npppd.conf part.
So here it goes:

tunnel L2TP protocol l2tp {
listen on 1.2.3.4
l2tp-hostname vpn
l2tp-vendor-name OpenBSD
l2tp-accept-dialin yes
mru 1360
lcp-timeout 18
authentication-method mschapv2
tcp-mss-adjust yes
pipex yes
mppe no
#   ingress-filter yes
}

ipcp IPCP {
pool-address 172.17.0.0/24
dns-servers 172.16.0.1
allow-user-selected-address no
}

interface tun0 address 172.17.0.1 ipcp IPCP

authentication LOCAL type local {
users-file /etc/npppd/npppd-users
}

authentication RADIUS type radius {
authentication-server {
address 172.16.0.231 secret "SECRETPASSWORD"
}

accounting-server {
address 172.16.0.231 secret "SECRETPASSWORD"
}
}

bind tunnel from L2TP authenticated by RADIUS to tun0

Below comes ipsec.conf. Working with OSX and Win7 (Win8).

ike passive esp transport \
proto udp from 1.2.3.4 to any port 1701 \
main auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc aes \
psk "P4SSWORD" \
tag rwarrior



This setup is on 5.4-current

//mxb

On 22 jul 2014, at 13:05, chenghan tv chenghan...@gmail.com wrote:

 OpenBSD L2TP/IPSec will work behind a Linux NAT port forwarding with
 iptables, based on my previous experience.  iOS and OSX VPN clients work
 fine, but not working for Windows. FYI.
 
 Gordon Turner tur...@ftn.net wrote:
 
 On 2014-07-22 05:33, Daniel Polak wrote:
 
 I'll give it a go with what I found but if anyone who has it working
 with local authentication can post their ipsec.conf and npppd.conf, I
 would appreciate it!
 
 
 Here are my notes, granted I am in the middle of getting things sorted
 out, so these are not validated.
 
 
 NOTE: My current issue is that I am trying to run this behind a router /
 firewall, which is likely the source of my problems.
 
 
 I am getting an old laptop setup to test the configuration with OpenBSD as
 the router / firewall.
 
 In the notes below the ipsec.conf, `public_ip` should be the public ip on
 the internet, if you place the OpenBSD box as the router / firewall.
 
 
 - References:
 http://www.slideshare.net/GiovanniBechis/npppd-easy-vpn-with-openbsd
 http://undeadly.org/cgi?action=article&sid=20120427125048
 http://comments.gmane.org/gmane.os.openbsd.misc/209636
 http://stackoverflow.com/questions/14967962/openbsd-ipsec-vpn-not-routing-traffic
 http://www.packetmischief.ca/openbsd-ipsec-tunnel-guide/
 
 - Claims to have it working, on internet facing machine:
 https://www.mail-archive.com/misc@openbsd.org/msg125930.html
 
 - Reference for supported protocols and authentication methods for iOS:
 http://support.apple.com/kb/HT1288
 
 
 ---
 
 
 Requirements
 ---
 - Using OpenBSD 5.5 as an VPN end point for iOS 7.0 and OSX 10.9 clients.
  - Support for iOS, preferably native VPN client
  - Support for OSX, preferably native VPN client
 
 - VPN endpoint running on an internal server.
 - Forwarding appropriate ports from a router.
 
 
 Description
 ---
 - Use npppd, IPsec and Packet Filter (pf).
  - Configuration files `/etc/npppd/npppd.conf`, `/etc/npppd/npppd-users`,
 `/etc/ipsec.conf` and `/etc/pf.conf`.
 
 
 npppd Setup
 ---
 - npppd is a Point-to-Point Protocol (PPP) and tunneling daemon capable of
 L2TP, PPTP, and PPPoE.
 
 - Reference:
 http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man8/npppd.8?manpath=OpenBSD-current&sec=8&query=npppd
 http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man5/npppd.conf.5?manpath=OpenBSD-current&sec=5&query=npppd.conf
 
 
 - Example of L2TP and authenticates using a local file.
 - Example npppd.conf file, `/etc/npppd/npppd.conf`:
 ```
 authentication LOCAL type local {
users-file /etc/npppd/npppd-users
 }
 
 tunnel L2TP_ipv4 protocol l2tp {
listen on 0.0.0.0
 }
 
 ipcp IPCP {
pool-address 192.168.2.150-192.168.2.199
dns-servers 8.8.8.8
 }
 
 interface pppx0 address 192.168.2.1 ipcp IPCP
 bind tunnel from L2TP_ipv4 authenticated by LOCAL to pppx0
 ```
 - NOTE: `pool-address` values should be a block of addresses in the same
 subnet as the internal network.
 - NOTE: `dns-servers 8.8.8.8` is Google's public DNS; local DNS
 servers should be used if available.
 
 
 - Example npppd-users file, `/etc/npppd/npppd-users`:
 ```
 jtest: \
:password=SEEKRIT:\
:framed-ip-address=192.168.2.150:
 ```
 - NOTE: Replace `SEEKRIT` with your password.
 - NOTE: The `framed-ip-address` value should be in the `pool-address`
 block from `/etc/npppd/npppd.conf`.
 
 
 IPsec Setup
 
 - IPsec is a pair of protocols, Encapsulating Security Payload (ESP) and
 Authentication Header (AH), which provide security services for IP
 datagrams.
 
 - Reference:
 http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD

Re: l2tp / ipsec issue

2014-07-22 Thread mxb
pool-address in the same subnet may not work as you expect it to.
proxyarp is needed; at least I've seen a discussion regarding this, so I have a
separate network for vpn-clients.
This might have changed.

framed-ip-address - yes, it should be within the subnet range used for l2tp-clients.


//mxb

On 22 jul 2014, at 13:55, Gordon Turner tur...@ftn.net wrote:

 Thanks mxb,
 
 Can you confirm the `npppd.conf` note?
 - NOTE: `pool-address` values should be a block of addresses in the same 
 subnet of the internal network.
 
 And the npppd-users note?
 - NOTE: The `framed-ip-address` value should be in the `pool-address` block 
 from `/etc/npppd/npppd.conf`.
 
 Are these statements correct?
 
 Gord.
 
 On 2014-07-22 07:15, mxb wrote:
 As been the original author of undeadly.org article I can state that
 info in is stil partially valid, except npppd.conf part.
 So here it goes:
 tunnel L2TP protocol l2tp {
listen on 1.2.3.4
l2tp-hostname vpn
l2tp-vendor-name OpenBSD
l2tp-accept-dialin yes
mru 1360
lcp-timeout 18
authentication-method mschapv2
tcp-mss-adjust yes
pipex yes
mppe no
 #   ingress-filter yes
 }
 ipcp IPCP {
pool-address 172.17.0.0/24
dns-servers 172.16.0.1
allow-user-selected-address no
 }
 interface tun0 address 172.17.0.1 ipcp IPCP
 authentication LOCAL type local {
users-file /etc/npppd/npppd-users
 }
 authentication RADIUS type radius {
authentication-server {
address 172.16.0.231 secret “SECRETPASSWORD
}
accounting-server {
address 172.16.0.231 secret “SECRETPASSWORD
}
 }
 bind tunnel from L2TP authenticated by RADIUS to tun0
 Below comes ipsec.conf. Woking with OSX and Win7(Win8)
 ike passive esp transport \
proto udp from 1.2.3.4 to any port 1701 \
main auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc aes \
psk "P4SSWORD" \
tag rwarrior
 This setup is on 5.4-current
 //mxb
 On 22 jul 2014, at 13:05, chenghan tv chenghan...@gmail.com wrote:
 OpenBSD L2TP/IPSec will work behind a Linux NAT port forwarding with
 iptables, based on my previous experience.  iOS and OSX VPN clients work
 fine, but not working for Windows. FYI.
 Gordon Turner tur...@ftn.net wrote:
 On 2014-07-22 05:33, Daniel Polak wrote:
 I'll give it a go with what I found but if anyone who has it working
 with local authentication can post their ipsec.conf and npppd.conf, I
 would appreciate it!
 Here are my notes, granted I am in the middle of getting things sorted
 out, so these are not validated.
 NOTE: My current issue is that I am trying to run this behind a router /
 firewall, which is likely the source of my problems.
 I am getting an old laptop setup to test the configuration with OpenBSD as
 the router / firewall.
 In the notes below the ipsec.conf, `public_ip` should be the public ip on
 the internet, if you place the OpenBSD box as the router / firewall.
 - References:
 http://www.slideshare.net/GiovanniBechis/npppd-easy-vpn-with-openbsd
 http://undeadly.org/cgi?action=article&sid=20120427125048
 http://comments.gmane.org/gmane.os.openbsd.misc/209636
 http://stackoverflow.com/questions/14967962/openbsd-
 ipsec-vpn-not-routing-traffic
 http://www.packetmischief.ca/openbsd-ipsec-tunnel-guide/
 - Claims to have it working, on internet facing machine:
 https://www.mail-archive.com/misc@openbsd.org/msg125930.html
 - Reference for supported protocols and authentication methods for iOS:
 http://support.apple.com/kb/HT1288
 ---
 Requirements
 ---
 - Using OpenBSD 5.5 as a VPN endpoint for iOS 7.0 and OSX 10.9 clients.
 - Support for iOS, preferably native VPN client
 - Support for OSX, preferably native VPN client
 - VPN endpoint running on an internal server.
 - Forwarding appropriate ports from a router.
 Description
 ---
 - Use npppd, IPsec and Packet Filter (pf).
 - Configuration files `/etc/npppd/npppd.conf`, `/etc/npppd/npppd-users`,
 `/etc/ipsec.conf` and `/etc/pf.conf`.
 npppd Setup
 ---
 - npppd is a Point-to-Point Protocol (PPP) and tunneling daemon capable of
 L2TP, PPTP, and PPPoE.
 - Reference: http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/
 man8/npppd.8?manpath=OpenBSD-current&sec=8&query=npppd
 http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/
 man5/npppd.conf.5?manpath=OpenBSD-current&sec=5&query=npppd.conf
 - Example of L2TP that authenticates using a local file.
 - Example npppd.conf file, `/etc/npppd/npppd.conf`:
 ```
 authentication LOCAL type local {
   users-file /etc/npppd/npppd-users
 }
 tunnel L2TP_ipv4 protocol l2tp {
   listen on 0.0.0.0
 }
 ipcp IPCP {
   pool-address 192.168.2.150-192.168.2.199
   dns-servers 8.8.8.8
 }
 interface pppx0 address 192.168.2.1 ipcp IPCP
 bind tunnel from L2TP_ipv4 authenticated by LOCAL to pppx0
 ```
 - NOTE: `pool-address` values should be a block of addresses in the same
 subnet of the internal
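A small checker for the rule confirmed in this thread (a user's `framed-ip-address` must lie within the `pool-address` block of `npppd.conf`), added here as an example; it is not part of the thread or of npppd itself. It parses `pool-address` in both forms seen above (CIDR `172.17.0.0/24` and explicit range `192.168.2.150-192.168.2.199`) and the termcap-style `npppd-users` file, and reports users whose fixed address falls outside every pool. The two sample files are constructed from the ones posted above, with one deliberately bad entry.

```python
"""Verify npppd-users framed-ip-address values against npppd.conf pool-address.

Added example, not npppd code. Sample inputs below are constructed.
"""
import ipaddress
import re

# Constructed sample, modelled on the npppd.conf posted in this thread.
NPPPD_CONF = """\
authentication LOCAL type local {
  users-file /etc/npppd/npppd-users
}
ipcp IPCP {
  pool-address 192.168.2.150-192.168.2.199
  dns-servers 8.8.8.8
}
interface pppx0 address 192.168.2.1 ipcp IPCP
"""

# Constructed sample users file; "badguy" is deliberately outside the pool.
NPPPD_USERS = """\
juser:\\
\t:password=SEEKRIT:\\
\t:framed-ip-address=192.168.2.150:
badguy:\\
\t:password=SEEKRIT:\\
\t:framed-ip-address=192.168.2.250:
nofixed:\\
\t:password=SEEKRIT:
"""


def parse_pool_addresses(conf_text):
    """Return every pool-address as an ip_network (CIDR form) or a
    (first, last) tuple of ip_address objects (range form)."""
    pools = []
    for line in conf_text.splitlines():
        m = re.match(r"\s*pool-address\s+(\S+)", line)
        if not m:
            continue
        value = m.group(1)
        if "-" in value:
            first, last = (ipaddress.ip_address(p) for p in value.split("-", 1))
            if first > last:
                raise ValueError("reversed pool-address range: %s" % value)
            pools.append((first, last))
        else:
            # strict=False also accepts a host address with a prefix length
            pools.append(ipaddress.ip_network(value, strict=False))
    return pools


def parse_users(users_text):
    """Parse npppd-users into {username: {key: value}}.
    A trailing backslash continues the record, as in termcap files."""
    users = {}
    record = ""
    for raw in users_text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            record += line[:-1]
            continue
        record += line
        if record:
            name, _, rest = record.partition(":")
            attrs = {}
            for field in rest.split(":"):
                if "=" in field:
                    key, _, value = field.partition("=")
                    attrs[key] = value
            users[name] = attrs
        record = ""
    return users


def address_in_pools(addr, pools):
    """True if addr is covered by any pool, CIDR or range."""
    ip = ipaddress.ip_address(addr)
    for pool in pools:
        if isinstance(pool, tuple):
            if pool[0] <= ip <= pool[1]:
                return True
        elif ip in pool:
            return True
    return False


def check_framed_addresses(conf_text, users_text):
    """Return {user: problem} for users whose framed-ip-address is in no pool.
    Users without a fixed address get one from the pool and are skipped."""
    pools = parse_pool_addresses(conf_text)
    problems = {}
    for name, attrs in parse_users(users_text).items():
        framed = attrs.get("framed-ip-address")
        if framed is not None and not address_in_pools(framed, pools):
            problems[name] = "framed-ip-address %s not in any pool-address" % framed
    return problems


if __name__ == "__main__":
    for user, problem in check_framed_addresses(NPPPD_CONF, NPPPD_USERS).items():
        print("%s: %s" % (user, problem))
```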

Re: l2tp / ipsec issue

2014-07-21 Thread mxb
I'd make the cable modem act as a bridge and let OpenBSD handle the public IP/firewall 
(guessing it is DHCP).
In this setup you'd eliminate this extra device with its port forwarding and 
simplify debugging.

//mxb

On 21 jul 2014, at 02:35, Gordon Turner tur...@ftn.net wrote:

 Hey List,
 
 I am trying to use OpenBSD 5.5 as a VPN endpoint for iOS 7.0 and OSX 10.9 
 native VPN clients, using L2TP / IPsec.
 
 At the moment I am running the VPN end point on an internal server and 
 forwarding appropriate ports from the router:
  - UDP 500  - Internet Key Exchange (IKE)
  - UDP 1701 - L2TP traffic
  - UDP 4500 - IPSec Network Address Translation (NAT-T)
 
 (Long term plan is to replace the router with an OpenBSD box and terminate 
 the VPN there.)
 
 It would seem that I am close, but can't overcome this last issue.
 
 When I attempt to connect from an iOS device, in /var/log/messages I see this 
 error message repeated several times:
 
 --
 Jul 20 17:51:52 access isakmpd[2979]: responder_recv_HASH_SA_NONCE: peer 
 proposed invalid phase 2 IDs: initiator id 25.1.65.61, responder id 
 XXX.XXX.XXX.XXX
 Jul 20 17:51:52 access isakmpd[2979]: dropped message from YYY.YYY.YYY.YYY 
 port 16659 due to notification type INVALID_ID_INFORMATION
 --
 
 Where XXX.XXX.XXX.XXX is the public ip address (in my case the cable modem's 
 external ip) and YYY.YYY.YYY.YYY is the iOS device attempting to establish 
 the vpn connection.
 
 (The 25.1.65.61 address I don't recognize and appears to be UK Ministry of 
 Defence, so ah, wat?  Assuming this is some weird misconfiguration...)
 
 The network topo looks like:
 Internet - Cable Modem (XXX.XXX.XXX.XXX public ip) - Router Firewall 
 (forwarding ports) - OpenBSD
 
 Any suggestions, even "You can't do that", would be appreciated.
 
 Gord.
 
 
 
 Details:
 
 
 Internal network is 192.168.2.x
 
 
 /etc/rc.conf.local
 --
 isakmpd_flags="-K"
 ipsec=YES
 --
 
 
 /etc/npppd/npppd.conf
 --
 authentication LOCAL type local {
users-file /etc/npppd/npppd-users
 }
 
 tunnel L2TP_ipv4 protocol l2tp {
listen on 0.0.0.0
 }
 
 ipcp IPCP {
pool-address 192.168.2.150-192.168.2.199
dns-servers 8.8.8.8
 }
 
 interface pppx0 address 192.168.2.1 ipcp IPCP
 bind tunnel from L2TP_ipv4 authenticated by LOCAL to pppx0
 --
 
 
 /etc/npppd/npppd-users
 --
 juser:\
:password=SEEKRIT:\
:framed-ip-address=192.168.2.150:
 --
 
 
 /etc/ipsec.conf
 --
 public_ip = 192.168.2.232
 
 ike passive esp transport \
  proto udp from $public_ip to any port 1701 \
  main auth hmac-sha1 enc aes group modp1024 \
  quick auth hmac-sha1 enc aes \
  psk SEEKRIT
 --
 
 
 /etc/pf.conf
 --
 pass quick proto { esp, ah } from any to any
 pass in quick on egress proto udp from any to any port {500, 4500, 1701} keep 
 state
 pass on enc0 from any to any keep state (if-bound)
 --
 
 
 /etc/sysctl.conf
 --
 net.inet.ip.forwarding=1
 net.pipex.enable=1
 --
 
 

Re: Poor CARP Interface Performance with NAT

2014-01-21 Thread mxb
Your PF rules are needed too for this.

On 22 jan 2014, at 00:51, Gabriel Kuri gk...@ieee.org wrote:

 I am running obsd 5.4 as my NAT router. I decided to setup a second obsd
 box and run carp between the two for the external NATed interface (facing
 the ISP). After I setup everything and switched pf to NAT using the address
 on the carp interface, I'm seeing about 12Mbps - 13Mbps on the download, I
 have a 60Mbps pipe (down). When I switch pf back to NAT using the address
 on the physical interface, I get my full 60Mbps. Any ideas as to what I
 could be doing wrong that would limit performance through the carp
 interface to around 12Mbps - 13Mbps ?
 
 Thanks ...



Re: Is it possible to track bandwidth usage of different VPN accounts using PF?

2014-01-10 Thread mxb
You can set up RADIUS, make users authenticate against it and assign the IP stored 
in the RADIUS server.
Then use pflow(4) to account.
This is just theory.

On 10 jan 2014, at 16:33, Some Developer someukdevelo...@gmail.com wrote:

 I have a VPN server configured using L2TP and IPSec. Clients authenticate 
 using x509 certificates but I'd like to be able to track the 
 bandwidth used by each client based on which x509 certificate they used to 
 authenticate with the VPN.
 
 I know that you can track types of connections etc with PF but I'm not sure 
 if you can track packets based on authentication such as this. Is this 
 possible to do at all?
 
 I'm still quite new to PF so I'm still trying to get an idea of what it is 
 capable of.



Re: BCM5719/20 or I350

2014-01-07 Thread mxb
This is a pair of CARP-nodes (2x Dell R620 ). Nodes are connected with 
cross-over, trunk to trunk (trunk of 2x I350 per node).
No vlans.

tcpbench from the base; PF used a lot, but with "pass quick on trunk0 keep 
state":

Conn:   1 Mbps:  926.569 Peak Mbps:  939.483 Avg Mbps:  926.569

On 6 jan 2014, at 22:44, Hrvoje Popovski hrv...@srce.hr wrote:

 On 5.1.2014. 17:10, mxb wrote:
 
 I have I350 on several machines and haven’t seen any problems.
 
 
 
 Do you have vlans or trunk on I350? Could you share some numbers like
 bps or pps?
 
 Tnx for info.



Re: BCM5719/20 or I350

2014-01-05 Thread mxb
I have I350 on several machines and haven’t seen any problems.
 
On 5 jan 2014, at 12:18, Hrvoje Popovski hrv...@srce.hr wrote:

 Hello,
 
 I need to upgrade my OpenBSD firewalls and have a chance to buy HP DL360p
 G8 or Supermicro 5017R-WRF. Which card is better or more stable for
 firewalling BCM5719/20 or Intel I350? I see that I350 doesn't support
 VLAN_HWTAGGING nor TX CSUM's and it seems that is quite different from
 older em cards. On the other hand BCM5719/20 cards are quite new but there
 was a lot of development in the last couple of months. I prefer em over bge
 and I am willing to donate I350 for development, but if there are more
 interest in development bge card I will go with BCM5719/20.
 
 Present firewall numbers are between 300-400Mbps and 40-60kpps.
 
 Thank you.



Re: VPN Between OpenBSD and iOS

2014-01-04 Thread mxb
I’m doing RADIUS auth. Here is my npppd.conf:

tunnel L2TP protocol l2tp {
listen on my public IP
l2tp-hostname "myhostname.com"
l2tp-vendor-name OpenBSD
l2tp-accept-dialin yes
mru 1360
lcp-timeout 18
authentication-method mschapv2
tcp-mss-adjust yes
pipex yes
mppe no
#   ingress-filter yes
}

ipcp IPCP {
pool-address 172.17.0.2-172.17.0.254
dns-servers 192.168.78.123
allow-user-selected-address no
}

interface tun0 address 172.17.0.1 ipcp IPCP

authentication LOCAL type local {
users-file /etc/npppd/npppd-users
}

authentication RADIUS type radius {
authentication-server {
address 192.168.78.125 secret "my_radius_secret"
}

accounting-server {
address 192.168.78.125 secret "my_radius_secret"
}
}

bind tunnel from L2TP authenticated by RADIUS to tun0


//mxb


On 4 jan 2014, at 02:09, Matt Carlson obsda0...@mpcarlson.com wrote:

 mxb,

 I tried that and I'm getting the same results. Any other ideas? What does
your npppd.conf look like?

 Thanks,

 Matt


 On Fri, Jan 3, 2014 at 8:03 AM, mxb m...@alumni.chalmers.se wrote:
 I successfully connected my iOS 7.0.4 to an OpenBSD 5.4 (this is
pre-release). My ipsec.conf for L2TP is this:

 ike passive esp transport \
 proto udp from $local_gw to any port 1701 \
  main auth hmac-sha1 enc 3des group modp1024 \
  quick auth hmac-sha1 enc aes \
 psk "ReallyweakPassword"



 On 31 dec 2013, at 05:01, Mike Pistone mjpist...@gmail.com wrote:

  Strangely enough I am having the exact same problem.  OPENBSD 5.4, etc.
 
  Phase I works once I tweaked my isakmp settings to match IOS7's
capabilities
  (no modp2048 mainly), but I get the same messages Matt does on phase II.
 
 
  I have a npppd PPTP tunnel to the same server that works fine.
  It is just L2TP/IPSEC that has the issues.
 
 
  Mike



Re: VPN Between OpenBSD and iOS

2014-01-03 Thread mxb
I successfully connected my iOS 7.0.4 to an OpenBSD 5.4 (this is pre-release). 
My ipsec.conf for L2TP is this:

ike passive esp transport \
proto udp from $local_gw to any port 1701 \
 main auth hmac-sha1 enc 3des group modp1024 \
 quick auth hmac-sha1 enc aes \
psk "ReallyweakPassword"



On 31 dec 2013, at 05:01, Mike Pistone mjpist...@gmail.com wrote:

 Strangely enough I am having the exact same problem.  OPENBSD 5.4, etc.
 
 Phase I works once I tweaked my isakmp settings to match IOS7's capabilities 
 (no modp2048 mainly), but I get the same messages Matt does on phase II.
 
 
 I have a npppd PPTP tunnel to the same server that works fine.  
 It is just L2TP/IPSEC that has the issues.
 
 
 Mike



Re: relayd - sporadic high CPU usage

2013-11-27 Thread mxb
Could you point to the right commit in cvs?

//mxb

On 26 nov 2013, at 20:42, Chris Cappuccio ch...@nmedia.net wrote:

 There was a bug fixed in 5.4-current which may cause behavior like this, I 
 believe
 
 mxb [m...@alumni.chalmers.se] wrote:
 Hello list,
 
 I have a pair of pre-5.4 in master/backup setup.
 This setup is used for load balancing and firewalling.
 relayd is used and ONLY redirects in relayd.conf.
 
 At some point of time, relayd starts to consume enormous amount of CPU and 
 start a chain reaction there the rest of processes start to consume CPU as 
 well.
 
 Notable thing is that I've seen this on 5.3 as well.
 
 Any ideas where to dig?
 
 //mxb
 
 -- 
 It was the Nicolatians who first coined the separation between lay and clergy.



relayd - sporadic high CPU usage

2013-11-25 Thread mxb
Hello list,

I have a pair of pre-5.4 in master/backup setup.
This setup is used for load balancing and firewalling.
relayd is used and ONLY redirects in relayd.conf.

At some point of time, relayd starts to consume enormous amount of CPU and 
start a chain reaction there the rest of processes start to consume CPU as well.

Notable thing is that I've seen this on 5.3 as well.

Any ideas where to dig?

//mxb



Re: carp+pfsync+relayd question

2013-11-18 Thread mxb
Output from

'pfctl -si', 'pfctl -sm' and 'sysctl -a|grep net.inet.ip.ifq' would be nice to
see.

//mxb


On 18 nov 2013, at 04:20, Leonardo Santagostini lsantagost...@gmail.com
wrote:

 Sorry, looking in more detail at the logs I found this:

 /var/log/daemon
 Nov 17 18:36:12 v-arcbabalancer01 relayd[13984]: fatal: relay_connect: no
connection in flight
 Nov 17 18:36:12 v-arcbabalancer01 relayd[22615]: pfe exiting, pid 22615
 Nov 17 18:36:12 v-arcbabalancer01 relayd[31674]: hce exiting, pid 31674
 Nov 17 18:36:12 v-arcbabalancer01 relayd[9082]: relay exiting, pid 9082
 Nov 17 18:36:12 v-arcbabalancer01 relayd[701]: relay exiting, pid 701
 Nov 17 18:36:12 v-arcbabalancer01 relayd[21358]: parent terminating, pid
21358
 Nov 17 18:36:12 v-arcbabalancer01 relayd[24886]: relay exiting, pid 24886
 Nov 17 18:36:12 v-arcbabalancer01 relayd[21395]: relay exiting, pid 21395
 Nov 17 18:36:12 v-arcbabalancer01 relayd[13155]: relay exiting, pid 13155
 Nov 17 18:36:12 v-arcbabalancer01 relayd[20557]: relay exiting, pid 20557
 Nov 17 18:36:12 v-arcbabalancer01 relayd[14903]: relay exiting, pid 14903
 Nov 17 18:36:12 v-arcbabalancer01 relayd[10686]: relay exiting, pid 10686
 Nov 17 18:36:12 v-arcbabalancer01 relayd[17355]: relay exiting, pid 17355
 Nov 17 18:36:12 v-arcbabalancer01 relayd[26908]: relay exiting, pid 26908
 Nov 17 18:36:12 v-arcbabalancer01 relayd[6551]: relay exiting, pid 6551
 Nov 17 18:36:12 v-arcbabalancer01 relayd[16649]: relay exiting, pid 16649
 Nov 17 18:36:12 v-arcbabalancer01 relayd[2567]: relay exiting, pid 2567
 Nov 17 18:36:12 v-arcbabalancer01 relayd[3159]: relay exiting, pid 3159


 /var/log/messages
 Nov 17 18:36:12 v-arcbabalancer01 relayd[13984]: fatal: relay_connect: no
connection in flight


 Regards

 Saludos.-
 Leonardo Santagostini







 2013/11/18 Leonardo Santagostini lsantagost...@gmail.com
 Hello everybody, I'm still having some issues with relayd.

 Nov 17 21:01:56 v-arcbabalancer01 relayd[4252]: relay relay4, session 75 (1
active), 0, 190.51.90.22 - :0, buffer event timeout
 Nov 17 21:01:57 v-arcbabalancer01 relayd[12715]: relay relay4, session 97 (4
active), 0, 190.49.60.30 - :0, buffer event timeout
 Nov 17 21:01:58 v-arcbabalancer01 relayd[4781]: relay relay4, session 142 (3
active), 0, 190.188.18.202 - :0, buffer event timeout
 Nov 17 21:02:03 v-arcbabalancer01 relayd[25332]: relay relay4, session 28 (1
active), 0, 181.29.46.36 - :0, hard timeout
 Nov 17 21:02:03 v-arcbabalancer01 relayd[12715]: relay relay4, session 55 (3
active), 0, 108.36.150.233 - :0, hard timeout
 Nov 17 21:02:03 v-arcbabalancer01 relayd[18695]: relay relay4, session 67 (3
active), 0, 31.221.13.210 - :0, hard timeout
 Nov 17 21:02:03 v-arcbabalancer01 relayd[13096]: relay relay5, session 73 (3
active), 0, 190.195.118.49 - :0, hard timeout
 Nov 17 21:02:03 v-arcbabalancer01 relayd[31990]: relay relay4, session 25 (1
active), 0, 186.188.178.215 - :0, hard timeout
 Nov 17 21:02:03 v-arcbabalancer01 relayd[4781]: relay relay4, session 144 (7
active), 0, 31.221.13.210 - :0, hard timeout
 Nov 17 21:02:03 v-arcbabalancer01 relayd[23317]: relay relay2, session 55 (5
active), 0, 181.109.7.31 - :0, hard timeout
 Nov 17 21:02:03 v-arcbabalancer01 relayd[22942]: relay relay4, session 93 (2
active), 0, 31.221.13.210 - :0, hard timeout
 Nov 17 21:02:03 v-arcbabalancer01 relayd[13862]: relay relay4, session 80 (3
active), 0, 190.111.231.50 - :0, hard timeout
 Nov 17 21:02:06 v-arcbabalancer01 relayd[19770]: relay relay4, session 92 (1
active), 0, 75.70.87.158 - :0, buffer event timeout
 Nov 17 21:02:08 v-arcbabalancer01 relayd[23317]: relay relay4, session 131
(5 active), 0, 190.113.173.36 - :0, buffer event timeout
 Nov 17 21:02:11 v-arcbabalancer01 relayd[10590]: relay relay4, session 103
(9 active), 0, 186.137.241.254 - :0, buffer event timeout
 Nov 17 21:02:15 v-arcbabalancer01 relayd[23317]: relay relay4, session 143
(2 active), 0, 24.232.115.134 - :0, buffer event timeout
 Nov 17 21:02:16 v-arcbabalancer01 relayd[12715]: relay relay4, session 101
(7 active), 0, 108.87.58.21 - :0, buffer event timeout
 Nov 17 21:02:16 v-arcbabalancer01 relayd[12715]: relay relay4, session 102
(6 active), 0, 108.87.58.21 - :0, buffer event timeout
 Nov 17 21:02:16 v-arcbabalancer01 relayd[10590]: relay relay5, session 142
(13 active), 0, 190.195.118.49 - 172.19.224.73:80, no method
 Nov 17 21:02:16 v-arcbabalancer01 relayd[10590]: relay relay4, session 114
(12 active), 0, 190.49.11.36 - :0, buffer event timeout
 Nov 17 21:02:16 v-arcbabalancer01 relayd[12715]: relay relay4, session 104
(5 active), 0, 190.49.11.36 - :0, buffer event timeout
 Nov 17 21:02:17 v-arcbabalancer01 relayd[10590]: relay relay4, session 120
(10 active), 0, 189.237.152.81 - :0, buffer event timeout
 Nov 17 21:02:17 v-arcbabalancer01 relayd[31990]: relay relay4, session 117
(5 active), 0, 189.237.152.81 - :0, buffer event timeout
 Nov 17 21:02:17 v-arcbabalancer01 relayd[10590]: relay relay5, session 144
(9 active), 0, 190.195.118.49 - 172.19.224.71:80

Re: carp+pfsync+relayd question

2013-11-14 Thread mxb
15 sites and only 9?
I'd put around 50 (and have). You might need even more.

On 14 nov 2013, at 16:21, Leonardo Santagostini lsantagost...@gmail.com
wrote:

 set limit states 9



Re: carp+pfsync+relayd question

2013-11-14 Thread mxb
Put all of those into the same "relay { }" as they are going to the same
forward table.

relay {
listen on addr1 port 80
listen on addr2 port 80
etc….

}

or you'll end up doing "check http" several times.

and I'd do just a simple "check tcp" - faster.

On 14 nov 2013, at 16:21, Leonardo Santagostini lsantagost...@gmail.com
wrote:

 relay site2 {
listen on $address3 port 80
protocol httpSite2
forward to webcaches port 80 mode roundrobin check http
 /monitoreo/relayd.txt code 200
 }

 #relay site3 {
 #listen on $address1 port 80
 #protocol httpSite3
 #forward to webcaches port 80 mode roundrobin check http
 /monitoreo/relayd.txt code 200
 #}

 #relay site4 {
 #listen on $address4 port 80
 #protocol httpSite4
 #forward to webcaches port 80 mode roundrobin check http
 /monitoreo/relayd.txt code 200
 #}

 #relay site5 {
 #listen on $address5 port 80
 #protocol httpSite5
 #forward to webcaches port 80 mode roundrobin check http
 /monitoreo/relayd.txt code 200
 #}



Re: carp+pfsync+relayd question

2013-11-14 Thread mxb
No,
it is the number of currently active sessions for this particular relay.
E.g. 502 "users".

On 14 nov 2013, at 21:59, Andy Lemin a...@brandwatch.com wrote:

 Hi, as a complete guess (not used relayd yet let alone DSR) a 502 sounds
like
 an error return from nginx/apache etc. could be a direct server return
issue
 causing the TCP three way handshake to not be completing properly between
the
 endpoints, even though a 502 is usually server side issue.. I'd try
removing
 the 'in' or 'out' direction from the rules.



Re: Dell servers

2013-10-11 Thread mxb
I have a couple of R620s in production
with ix(4) as 10G NICs. You might want to disable cores you don't need and HTT 
(I've done it half way).
No problems so far.

Below is an old dmesg with HTT disabled (otherwise it shows 16 cores).


Re: Sorry OpenBSD people, been a bit busy

2013-10-07 Thread mxb
I'd turn this over to the police
and try to make Twitter shut down this account.

On 7 okt 2013, at 02:48, dera...@cvs.openbsd.org wrote:

 Well, at the end
 of 2007 someone decided to open an impersonation account on twitter in
 my name, and start sending a mix of things I have said (see wikiquote
 for instance), with things that I would never say.  That account is
 http://twitter.com/theoderaadt



Broken IPSec tunnels with latest snapshot

2013-10-01 Thread mxb
141938.881716 Timr 10 timer_add_event: event message_send_expire(0x20ec11800) 
added before connection_checker(0x20f9be8c0), expiration in 7s
141945.886772 Timr 10 timer_handle_expirations: event 
message_send_expire(0x2088b5700)
141945.886909 Timr 10 timer_handle_expirations: event 
message_send_expire(0x2088b5500)
141945.887028 Timr 10 timer_handle_expirations: event 
message_send_expire(0x20ec11a00)
141945.887225 Timr 10 timer_handle_expirations: event 
message_send_expire(0x20ec11800) 


//mxb



Re: how to compare ipsec.conf and isakmpd.conf settings?

2013-09-26 Thread mxb
As naddy@ already answered this for the ipsec outgoing address translation 
question on this list,
'ipsecctl -nv' is the right way to go.

//mxb

On 26 sep 2013, at 18:04, Daniel Polak dan...@sys.nl wrote:

 On a computer running OpenBSD 5.3 system I am migrating from an isakmpd.conf 
 based configuration to an ipsec.conf based configuration.
 
 The tunnel comes up and works correctly when using isakmpd.conf but I can't 
 get the tunnel to come up when I use ipsec.conf.
 As far as I can see ipsec.conf contains the same settings as the settings 
 that are in isakmpd.conf.
 
 The error message when using ipsec.conf is: attribute_unacceptable: 
 ENCRYPTION_ALGORITHM: got AES_CBC, expected 3DES_CBC.
 This means the proposal from the peer does not match the configuration added 
 by ipsecctl and isakmpd is trying to use its default settings.
 
 I've double-checked the settings ipsec.conf and especially the IP addresses. 
 I have also looked at the packets and the isakmpd debug output but all I can 
 see is the peer offering a proposal that matches what is in ipsec.conf.
 
 I'd like to see how isakmpd interprets the settings in ipsec.conf and 
 isakmpd.conf and would like to compare those interpretations.
 
 ipsecctl -nvf /etc/ipsec.conf shows the settings from ipsec.conf as they 
 would be used by isakmpd but don't see how to do the same with isakmpd.conf.
 
 How can I get the settings from isakmpd.conf and ipsec.conf in the same 
 format so I can compare them?
 
 
 Daniel



Re: OSPF ABR/ASBR issue

2013-09-24 Thread mxb
I've seen this issue, but it just magically disappeared when I re-configured 
ospfd and restarted it on both ends.
I had an issue to see routes from area 0.0.0.0 on area 0.0.0.78.

Host A:
area 0.0.0.0 {

interface vether0 { metric 5 }
interface vether1 { metric 5 }

}

area 0.0.0.78 {

interface vether2 { metric 10
   …….
}

interface carp1 { passive }
interface carp2 { passive }

interface lo1 { metric 5 }
interface vic2 { metric 10 }
}

Host B:
area 0.0.0.78 {

interface vether2 { metric 10
  …….
}

}


Host A is:
OpenBSD 5.4 (GENERIC.MP) #34: Sun Jul 21 22:07:08 MDT 2013
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

Host B is:
OpenBSD 5.3 (GENERIC) #53: Tue Mar 12 18:15:44 MDT 2013
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC


As you can see, this setup works without any patch.
I tested to remove lo1 and see if routes to carped nets disappear. No luck. 
Routes are there.


//mxb

On 24 sep 2013, at 11:08, Kapetanakis Giannis bil...@edu.physics.uoc.gr wrote:

 On 24/09/13 12:02, Kapetanakis Giannis wrote:
 Without this patch, routes to (lo2) and carpX:network where not distributed. 
 regards, G 
 
 My e-mail client somehow f@cked up Claudio's patch,
 
 Here is the link to hist original post
 http://marc.info/?l=openbsd-misc&m=137038436926946&w=2
 
 G



Re: ipsec outgoing address translation question

2013-09-16 Thread mxb
It is possible to achieve this via pf.conf.
Sorry, no example, as this was done a long time ago and for testing only.

On 16 sep 2013, at 12:55, Christoph Leser le...@sup-logistik.de wrote:

 Hello,
 
 with ipsecctl  I can configure outgoing address translation in ipsec.conf 
 like this:
 
 ike esp from 10.10.10.1 (192.168.1.0/24) to 192.168.2.0/24  peer 
 10.10.20.1
 
 
 
 Is there an equivalent syntax for isakmpd.conf? ( Due to problems with NAT-T 
 I need to use isakmpd.conf and cannot use ipsec.conf for the moment )
 
 Thanks



relayd: Is it safe to rise RELAY_MAX* limits

2013-09-10 Thread mxb
Hello list,

how safe is it to raise the limits in relayd.h?

#define RELAY_MAX_SESSIONS  1024
#define RELAY_MAXPROC   32
#define RELAY_MAXHOSTS  32



Re: relayd: Is it safe to rise RELAY_MAX* limits

2013-09-10 Thread mxb
Discarded. :)

On 10 sep 2013, at 12:13, mxb m...@alumni.chalmers.se wrote:

 
 Hello list,
 
 how safe is it to raise the limits in relayd.h?
 
 #define RELAY_MAX_SESSIONS1024
 #define RELAY_MAXPROC 32
 #define RELAY_MAXHOSTS32



Re: 10GbE (Intel X540) performance on OpenBSD 5.3

2013-08-09 Thread mxb
As far as I know, X540-T2 cards out on the market don't do PCI 3.0.
Cards I have are PCI 2.1, this means (if I remember my calculations right) this
10G card is capped by the PCI bus - 6G max.
Basically Intel sells 10G which is capped up to 6G, and this is for the single
port. If both ports are in use, then you'll have to
divide this number by 2 (avrg. and not a precise number).

So, per port on X540-T2, you have a maximum of 3Gbit/s in theory, if both ports
are used and have avrg. the same amount of traffic.
If not both - 6Gbit/s.

Correct me if I'm wrong. 


//mxb

On 9 aug 2013, at 03:35, John Jasen jja...@realityfailure.org wrote:

 Apologies for the top posting, please.
 
 Interestingly, despite the E3 you're using being a newer chip, and
 having PCIE 3.0, the systems I'm running on Xeon X5570-based CPUs seem
 to have a few advantages -- and can push close to 20 Gb in testing
 scenarios.
 
 For example, it looks like the X5570 has better system bus bandwidth and
 better memory bus bandwidth (ark.intel.com lets you compare chips side
 by side).
 
 Dunno if that means anything, but it's interesting.
 
 Topping out per 82599 card at ~8k interrupts does not surprise me, as I
 was unable to get any of mine beyond that. I personally think the 82598
 is better under OpenBSD, using about 40% of the interrupts for similar
 bandwidth.
 
 The system showing 90% utilization at 16k interrupts surprises me. My
 systems showed about 35-40% utilization at 25-30k interrupts.
 
 You may want to test jumbo frames, just to see what would happen. I
 would expect you to see closer to 10 Gb/s with the same number of
 interrupts.
 
 Since I've completely ignored email etiquette tonight, please allow me
 to snip through here.
 
 On 08/08/2013 08:26 PM, Maxim Khitrov wrote:
 snip
 The BIOS on these firewalls is current. For power-saving options, when
 I first configured these systems I tried turning Intel EIST
 (SpeedStep) off, but this caused OpenBSD to panic during boot.
 
 My systems are set to maximum performance at all power savings
 steppings. I don't know if this is Dell pretending we're all stupid, or
 if your BIOS has similar settings.
 
 snip
 
 Active Processor Cores: All
 
 I would turn that off, or at least make it only dual core.
 
 As a side note, iperf doesn't crash on FreeBSD when running in UDP
 mode, so I think it's a problem with the OpenBSD package. For these
 tests I stuck with TCP and 1500 MTU. Also, I noticed that a 10 second
 test is not always sufficient to get consistent results, so I'm now
 running all tests for 60 seconds.
 
 UDP can be a little iffy. FWIW, it never hurts to verify your tool's
 results with another tool. I used nuttcp on most of my tests.
 
 
 That's... a bit faster. The CPU in the desktops is Intel i7-3770,
 which is very similar to the Xeon E3-1275v2. Is this a FreeBSD vs
 OpenBSD difference?
 
 
 Could be. It might be worth testing FreeBSD on your packet forwarding
 boxes, just to see if you get similar results.
 
 -- 
 -- John Jasen (jja...@realityfailure.org)
 -- No one will sorrow for me when I die, because those who would
 -- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring



Re: 10GbE (Intel X540) performance on OpenBSD 5.3

2013-08-07 Thread mxb
You might want to pull in 5.4-current instead.
The one you have is not that current any more. :)

On 7 aug 2013, at 16:26, Maxim Khitrov m...@mxcrypt.com wrote:

 Hi all,
 
 I'm looking for performance measuring and tuning advice for 10 gigabit
 Ethernet. I have a pair of Lanner FW-8865 systems that will be used as
 firewalls for the local network. Each one has a Xeon E3-1270v2 CPU,
 Intel X540 10GbE NIC (PCIe 3.0 8x), and 8GB DDR3-1600 ECC RAM. Before
 putting them into production I wanted to do some throughput testing,
 so I connected one directly to the other (via ix0 interfaces) and used
 iperf to see how much data I can push through. I also disabled pf for
 now, but will do some additional testing with it enabled later on. The
 kernel is 5.3 amd64 GENERIC.MP.
 
 The initial iperf runs couldn't go beyond ~3.2 Gbps:
 
 # server: iperf -s
 # client: iperf -c 192.168.1.3
 [ ID] Interval   Transfer Bandwidth
 [  3]  0.0-10.2 sec  3.84 GBytes  3.22 Gbits/sec
 
 Increasing the TCP window size to 256 KB (seems to be the upper limit)
 brings this up to ~4.2 Gbps:
 
 # server: iperf -s -w 256k
 # client: iperf -c 192.168.1.3 -w 256k
 [ ID] Interval   Transfer Bandwidth
 [  3]  0.0-10.1 sec  4.96 GBytes  4.22 Gbits/sec
 
 Increasing the MTU on both ix0 interfaces to 9000 gives me ~7.2 Gbps:
 
 # server: ifconfig ix0 mtu 9000 && iperf -s -w 256k
 # client: ifconfig ix0 mtu 9000 && iperf -c 192.168.1.3 -w 256k -m
 [ ID] Interval   Transfer Bandwidth
 [  3]  0.0-10.0 sec  8.39 GBytes  7.21 Gbits/sec
 [  3] MSS size 8948 bytes (MTU 8988 bytes, unknown interface)
 
 This is where I'm stuck at the moment. When running iperf on
 127.0.0.1, which should only test CPU and memory, I get 11.6 Gbps.
 I've read the Network Tuning and Performance Guide @ calomel.org,
 but none of the tips there help me in getting beyond 7 Gbps on the
 physical interfaces.
 
 I'm also slightly concerned about the performance at the default MTU
 of 1500. Looking at `ifconfig ix0 hwfeatures` output (below), it seems
 that the ix driver does not support any checksum offloading for the
 X540. I wonder if that could be a reason for the poor performance?
 
 ix0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 9000
        hwfeatures=30<VLAN_MTU,VLAN_HWTAGGING> hardmtu 16110
lladdr 00:90:0b:56:12:0c
priority: 0
groups: LAN SVR
media: Ethernet autoselect (10GbaseT full-duplex)
status: active
inet 192.168.1.2 netmask 0xff00 broadcast 192.168.1.255
 
 Are there any sysctl parameters that I should play with? Any other
 system stats that I should monitor? I did a few runs while watching
 `top` and `systat vmstat`, but didn't see any problem indications
 there. I should also note that I couldn't run iperf in UDP mode - the
 client segfaults any time I increase the bandwidth beyond 300 Mbps. No
 idea why, but I'm more interested in TCP performance anyway.
 
 - Max
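To make the comparison Max is running easier to repeat across MTU and window sizes, here is an added shell example (not code from the thread or from OpenBSD) that pulls the hwfeatures flag list out of `ifconfig` output, reports which of the usual checksum-offload flags are absent, and normalises iperf summary lines to Mbit/s so runs can be tabulated. The `ifconfig` and iperf lines it processes are constructed samples modelled on the output quoted in the post; the flag names are the ones OpenBSD's ifconfig(8) prints.

```shell
#!/bin/sh
# Added example, not from the thread. Each helper reads its input on stdin,
# so real runs are `ifconfig ix0 hwfeatures | offload_missing` and
# `iperf -c host | iperf_mbps`. Sample input below is constructed.

# Print the hwfeatures flag names one per line, e.g. VLAN_MTU.
hwfeatures_flags() {
    sed -n 's/.*hwfeatures=[0-9a-fx]*<\([^>]*\)>.*/\1/p' | tr ',' '\n'
}

# Report which of the expected offload features are absent from the list.
# Flag names follow OpenBSD ifconfig(8) output; each missing one is printed
# on its own line, so empty output means "all present".
offload_missing() {
    flags=$(hwfeatures_flags)
    for want in CSUM_IPv4 CSUM_TCPv4 CSUM_UDPv4 VLAN_HWTAGGING; do
        echo "$flags" | grep -qx "$want" || echo "$want"
    done
}

# Convert iperf result lines ("... 3.22 Gbits/sec") to Mbit/s, one per line.
# Header, MSS and other lines are ignored.
iperf_mbps() {
    awk '/bits\/sec$/ {
        rate = $(NF-1); unit = $NF
        if (unit ~ /^G/) rate *= 1000
        else if (unit ~ /^K/) rate /= 1000
        printf "%.0f\n", rate
    }'
}

# Constructed sample input, modelled on the X540 output quoted in the thread.
SAMPLE_IFCONFIG='ix0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 9000
        hwfeatures=30<VLAN_MTU,VLAN_HWTAGGING> hardmtu 16110'
SAMPLE_IPERF='[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.2 sec  3.84 GBytes  3.22 Gbits/sec
[  3]  0.0-10.0 sec  1.00 GBytes   850 Mbits/sec
[  3] MSS size 8948 bytes (MTU 8988 bytes, unknown interface)'

echo "offload flags missing on the sample interface:"
printf '%s\n' "$SAMPLE_IFCONFIG" | offload_missing
echo "sample iperf runs in Mbit/s:"
printf '%s\n' "$SAMPLE_IPERF" | iperf_mbps
```

Feeding the quoted X540 output through `offload_missing` lists the three CSUM flags, which is the observation in the post made checkable from a script rather than by eye.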



Re: IPSec VPNs when traffic originates from a daemon on the OBSD firewall

2013-07-04 Thread mxb
I use OSPFd on each OpenBSD firewall I deploy.
This way you get access to all machines on the remote LAN, including the firewall
itself, and you don't have to maintain routing manually.

//mxb

On 4 jul 2013, at 16:25, Andy a...@brandwatch.com wrote:

 On Thu 04 Jul 2013 15:22:55 BST, Anders Berggren wrote:
 I'd rather not have to create extra tunnels or define VPN policies with 
 subnets which have prefixes wider than the internal LANs.
 That leaves mangling, but I cannot see how I would do the mangling in PF to 
 make it work without doing a redirect through the loopback etc.. Just 
 wondering if anyone knows of a cleaner way?
 
 I think widening the flow's source is cleanest (as I mentioned in my first 
 reply). However, I think it's possible to use a gif tunnel for the tunnel 
 encapsulation, and only use IPsec for the endpoint encryption. It would 
 probably work, because unlike IPsec flows, it's not source routed.
 
 Ah ha!!! Of course!! Thank you :D
 
 Andy.
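As an added example of the layout Anders describes (a gif tunnel carrying the traffic, IPsec in transport mode protecting only the tunnel packets, OSPF exchanging routes over it), the following shell function stages the local side's hostname.gif0, ipsec.conf and ospfd.conf under a review directory. This is not configuration from the thread or from the OpenBSD project; all addresses (203.0.113.1, 198.51.100.1, 10.255.0.0/30), the router-id and the interface names gif0 and em1 are assumed placeholders, and the remote firewall mirrors them.

```shell
#!/bin/sh
# Added example, not from the thread. Stages three config files for a
# gif(4) tunnel protected by transport-mode IPsec, with ospfd running over
# the tunnel. All addresses and interface names are placeholders. Files are
# written under the directory given as $1 for review, not to /etc.

stage_vpn_ospf() {
    dir=$1
    mkdir -p "$dir"

    # Point-to-point gif(4) tunnel between the two firewalls' public
    # addresses. Routes to the remote LAN point into gif0, so packets the
    # firewall itself originates take the tunnel like everything else.
    cat > "$dir/hostname.gif0" <<'EOF'
tunnel 203.0.113.1 198.51.100.1
inet 10.255.0.1 255.255.255.252 10.255.0.2
up
EOF

    # Transport-mode IPsec only needs to cover the IP-in-IP (ipencap)
    # packets between the two tunnel endpoints; no per-subnet flows.
    cat > "$dir/ipsec.conf" <<'EOF'
ike esp transport proto ipencap from 203.0.113.1 to 198.51.100.1
EOF

    # ospfd forms its adjacency over gif0 and advertises the LAN behind em1;
    # em1 is passive so no OSPF neighbours are accepted from the LAN side.
    cat > "$dir/ospfd.conf" <<'EOF'
router-id 10.255.0.1

area 0.0.0.0 {
    interface gif0 { metric 10 }
    interface em1 { passive }
}
EOF
}

# Sanity check on the staged set: every file is non-empty and names the
# tunnel endpoints and interface consistently. Returns 0 on success.
check_staged() {
    dir=$1
    for f in hostname.gif0 ipsec.conf ospfd.conf; do
        [ -s "$dir/$f" ] || return 1
    done
    grep -q '^tunnel 203.0.113.1 198.51.100.1$' "$dir/hostname.gif0" &&
    grep -q 'from 203.0.113.1 to 198.51.100.1' "$dir/ipsec.conf" &&
    grep -q 'interface gif0' "$dir/ospfd.conf"
}

# Stand-alone run: stage into a temporary directory and show the result.
stage_dir=$(mktemp -d)
stage_vpn_ospf "$stage_dir"
check_staged "$stage_dir" && echo "staged VPN/OSPF config under $stage_dir"
```

Because the remote LAN is reached through a route over gif0 rather than through an IPsec flow keyed on source and destination subnets, traffic sourced from the firewall's own addresses needs no extra flow or NAT, which is the case the original question raised. Copy the staged files into /etc only after reviewing them against the real addressing.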


