Re: Odd df reporting (On Apr 3 snapshot, data copied via 3.8snapshot)

2006-04-21 Thread Whyzzi
Cool! That seems to have done the trick (April 20, 2006 snapshot):

(I)nstall, (U)pgrade, or (S)hell? s
# fsck -b32 -f /dev/rwd0d
Alternate Superblock Location: 32
** /dev/rwd0d
** File system is already clean
** Last mounted on
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
** Phase 5 - Check Cyl groups
SUMMARY INFORMATION BAD
SALVAGE? [Fyn] y

FREE BLK COUNT(S) IN WRONG SUPERBLK
SALVAGE? [Fyn] y

9406 files, 8177199 used, 22783126 free (1086 frags, 2847755 blocks,
0.0% fragmentation)

UPDATE STANDARD SUPERBLK? [Fyn?] y

* FILE SYSTEM WAS MODIFIED *
#

Thanks, error message cleared!
-Whyzzi

On 14/04/06, Pedro Martelletto [EMAIL PROTECTED] wrote:
 Yes, it has a built-in fsck.

 But you will need to update your kernel too.

 -p.



Re: Wireless NIC for soekris 4801

2006-04-21 Thread Joakim Aronius
Hi,

Note that the PCI slot is 3.3V only; most WiFi PCI cards I have looked at are 
5V. My guess is that you have to go with MiniPCI (but I might be wrong). 

Cheers,
/Joakim

* Lasse Bach ([EMAIL PROTECTED]) wrote:
 Hi all,
 
 I wrote a message about OpenBSD hardware recommendations some time ago.
 As I said I was going to buy a wireless NIC for an OpenBSD box.
 Well, the box is a soekris 4801 which is going to act as a wireless router.
 
 
 Does anyone have any HW recommendations on that and should it be PCI or 
 MiniPCI?
 
 
 Thanks in advance
 
 
Lasse Bach



Re: Wireless NIC for soekris 4801

2006-04-21 Thread Didier Wiroth
Hi,
I'm planning to do the same.
The NET4801 has a USB 1.1 interface. I use it at home and I don't have a lot 
of traffic on wifi, so I thought I would try using the
Zonet ZEW2500P USB Adapter.
See: http://www.zonetusa.com/DispProduct.asp?ProductID=139
and
Here: http://www.openbsdmetastore.com/
and here: https://kd85.com/soekris.html (a few mini-pci adapters are listed).

Regards
Didier

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lasse Bach
Sent: 20 April 2006 17:15
To: misc@openbsd.org
Subject: Wireless NIC for soekris 4801

Hi all,

I wrote a message about OpenBSD hardware recommendations some time ago.
As I said I was going to buy a wireless NIC for an OpenBSD box.
Well, the box is a soekris 4801 which is going to act as a wireless router.


Does anyone have any HW recommendations on that and should it be PCI or MiniPCI?


Thanks in advance


Lasse Bach



Re: VPN server and winxp client

2006-04-21 Thread Marek Nixworx
Try OpenVPN - the client software isn't native for Win XP, but it exists and it's
stable and usable.

http://openvpn.net
http://openvpn.se

Marek

2006/4/19, wolk [EMAIL PROTECTED]:

 Hello
 I want to create a simple VPN server with the native Windows XP VPN client. What
 is the simplest way to create this solution with OpenBSD?

 Jacek



Re: PF/CARP load balancing

2006-04-21 Thread Stephan A. Rickauer
Ashley Moran wrote:
 simplicity) is Pound.  From what I read, failover is best provided by
 Heartbeat although so far I have only skimmed a few FAQs.

I have been using 'heartbeast' for several years now and would not do so again.
Failover always takes several seconds because of ARP change propagation.

 Do you think that avenue may lead to a more robust solution?

No.

--

 Stephan A. Rickauer

 ---
 Institut für Neuroinformatik  Tel: +41 44 635 30 50
 Universität / ETH Zürich      Sek: +41 44 635 30 52
 Winterthurerstrasse 190       Fax: +41 44 635 30 53
 CH-8057 Zürich                Web: www.ini.ethz.ch

 RSA public key: https://www.ini.ethz.ch/~stephan/pubkey.asc
 ---




Re: problems with carp and vlans

2006-04-21 Thread Lars Weste
Hi,

thank you all, it seems to work now.

just for the records, my configuration:

master carp interfaces are configured like this: 
vhid 1 pass foo carpdev vlan3 192.168.0.1 192.168.0.255 netmask 
255.255.255.0 up

and the backup interfaces are configured like this:
vhid 1 pass foo carpdev vlan3 advskew 20 192.168.0.1 192.168.0.255 
netmask 255.255.255.0 up

net.inet.carp.preempt=1

darn, after reading the carp man page again, it is stated there how it 
works. I only remembered the advskew description from the ifconfig man 
page, where it is only said to skew the advbase, with no word about taking 
over all interfaces when net.inet.carp.preempt=1 is enabled.

nevertheless, thanks a lot for all replies.


 --- Original message ---
 From: Marco Pfatschbacher [EMAIL PROTECTED]
 To: Otto Moerbeek [EMAIL PROTECTED]
 Cc: Lars Weste [EMAIL PROTECTED], misc@openbsd.org
 Subject: Re: problems with carp and vlans
 Date: Thu, 20 Apr 2006 18:07:40 +0200
 
 On Thu, Apr 20, 2006 at 05:42:20PM +0200, Otto Moerbeek wrote:
  
  On Thu, 20 Apr 2006, Lars Weste wrote:
  
   Hi,
   
   yes, i am running 3.8 -stable, and the backup has a higher advbase than
  
  err, for preemption to work, the advskew should be higher on the backup.
  At least, that is what carp(4) says.
 
 Yes,
 
 actually you should have an identical advbase, but a
 higher advskew on the backup.
 If the master box loses one of its links, it bumps the advskew
 to 240 so that the backup has a chance to take over all carp interfaces.
 
   the master. Nevertheless, my problem doesn't seem to be the vlan 
   interface itself, it is just a general problem keeping the interfaces in 
   sync, as ryan describes here:
   
   http://www.countersiege.com/doc/ifstated/
 
 That document describes the carp behaviour at the time of 3.5.
 Ever since then, it takes care of that by itself.
 
   so I am wondering whether I have to use ifstated, and to check all 
   interfaces, or whether there is some new feature that will do the trick.
 
 The latter.
 Ifstated is useful for some more advanced monitoring or reporting cases.
 
 




Re: Best WAN Adapter?

2006-04-21 Thread tony sarendal
On 21/04/06, Toni Mueller [EMAIL PROTECTED] wrote:

 Hello,

 On Wed, 19.04.2006 at 12:57:16 +0100, tony sarendal [EMAIL PROTECTED]
 wrote:
  On 19/04/06, Toni Mueller [EMAIL PROTECTED] wrote:
   Anyway, if someone of you comes across good E3 cards, please drop me a
   note.  Otherwise, try to persuade your carrier to give you Ethernet.
 
  What about using Ethernet to T3/E3 converters instead ?
  That way you don't need funky cards in the openbsd box.

 unfortunately, there appears to be no standard line encoding for E3
 lines, so if you want to have E3-Ethernet converters, you must use them
 in pairs, on both ends of the line. This rules out having e.g. your E3
 terminating somewhere inside an STM1/4/... trunk on the other side, but
 many carriers only offer this kind of setup. So you're almost
 guaranteed to have a non-working line if they have, say, a Cisco 12000
 on their end where your line terminates inside a trunk, and you have
 the simple fiber with only that one E3 incorporated. I've been told
 that the situation improves quite a bit when you have STM1 instead:
 There, a standard exists, but it doesn't appear to be widely tested if
 it actually works.


Very true, my mindset was limited to circuits where you run both ends
as that was what I was working on.

/Tony

--
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
   -= The scorpion replied,
   I couldn't help it, it's my nature =-



Re: pf blocking nets in a way like *.google.com ?

2006-04-21 Thread Falk Husemann

[EMAIL PROTECTED] wrote:

That doesn't mean I can use *.google.com, but I would be able to use
www.google.com if I understood the FAQ and the manual correctly.
Because I may not be able to know every hostname in a foreign network, a
joker would be a neat solution.

Is it maybe planned to add any joker to PF so that such stuff would be
possible in the future, if it isn't already possible?


Why isn't it feasible to use Google's allocated netblock (216.239.32.0/19)?

Maybe you could use a script to update a table in pf using whois and 
grep for the CIDR/Netrange in the reply.



Greets,
Falk



Re: pf blocking nets in a way like *.google.com ?

2006-04-21 Thread Lars Hansson
On Friday 21 April 2006 17:52, Falk Husemann wrote:
 Why isn't it feasible to use Google's allocated netblock (216.239.32.0/19)?

Because there's nothing that says that every *.google.com site has to be 
within a block allocated to Google.

---
Lars Hansson



Re: pf blocking nets in a way like *.google.com ?

2006-04-21 Thread Moritz Grimm

Lars Hansson wrote:

Why isn't it feasible to use Google's allocated netblock (216.239.32.0/19)?


Because there's nothing that says that every *.google.com site has to be 
within a block allocated to Google.


Duh. The obvious solution is to have pf make a DNS lookup on each and 
every packet that arrives.



Moritz



Re: pf blocking nets in a way like *.google.com ?

2006-04-21 Thread tony sarendal
On 21/04/06, Moritz Grimm [EMAIL PROTECTED] wrote:

 Lars Hansson wrote:
 Why isn't it feasible to use Google's allocated netblock (216.239.32.0/19)?
 
  Because there's nothing that says that every *.google.com site has to be
  within a block allocated to Google.

 Duh. The obvious solution is to have pf make a DNS lookup on each and
 every packet that arrives.


Good stuff, disarm the subject with humour.

/Tony



Re: Wireless NIC for soekris 4801

2006-04-21 Thread Rod.. Whitworth
On Fri, 21 Apr 2006 08:46:14 +0200, Joakim Aronius wrote:

Hi,

Note that the PCI slot is 3.3V only; most WiFi PCI cards I have looked at are 
5V. My guess is that you have to go with MiniPCI (but I might be wrong). 

Cheers,
/Joakim

Nup!
MSI PC54G2 is ral
Netgear WAG311 is atheros AR5212
both are universal (3.3 and 5V signalling)
Just look for the 2 key slots in the edge connector.

I have both and the MSI is going to replace the Netgear in a Net4801-50
Soekris.

Luckily here (in Australia) we can get Soekris boards in a neat black
case that takes PCI cards and looks much cooler than the original pale
green tight box.

There's even a 1RU case that takes 2 x 4801 cards but it's expensive.

We refer to the original as the SourKream Avocado Mousse unit. 8-)



* Lasse Bach ([EMAIL PROTECTED]) wrote:
 Hi all,
 
 I wrote a message about OpenBSD hardware recommendations some time ago.
 As I said I was going to buy a wireless NIC for an OpenBSD box.
 Well, the box is a soekris 4801 which is going to act as a wireless router.
 
 
 Does anyone have any HW recommendations on that and should it be PCI or 
 MiniPCI?
 
 
 Thanks in advance
 
 
Lasse Bach



From the land down under: Australia.
Do we look umop apisdn from up over?

Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.



Re: PF/CARP load balancing

2006-04-21 Thread Ashley Moran
On Thursday 20 April 2006 19:26, Joachim Schipper wrote:
 Some monitoring script sounds like the way to go, though.

Perhaps you're right.  Monit looks good - presumably I could install that both 
on the firewalls and the webservers, so that in the event of an httpd failure 
the local monit could restart it, and in the event of server failure, the 
firewall monit could modify the pf rules.  Again, I haven't looked into this 
in detail but I assume it would be easy enough.

I think rdr/source-hash avoids the need to use CARP on the web servers, which 
should avoid SSL problems and means we could apply it to our two old Windoze 
servers too.  Ideally I wanted something more box fresh because I'm not 
actually our sysadmin although I end up doing a lot of the work on our 
production servers!  But pf looks quite straightforward to administer.

Maybe this is my best bet?

Ashley



Re: PF/CARP load balancing

2006-04-21 Thread Stuart Henderson
On 2006/04/21 12:08, Ashley Moran wrote:
 I think rdr/source-hash avoids the need to use CARP on the web servers,

Failover should be quicker if you CARP on the web servers. Otherwise
you have to wait until the monitoring script on the rdr box picks up the
failure.

 which should avoid SSL problems

I forgot to pick up on this before - I'm not sure there would
be a problem - it's based on hostname, not IP address.



Re: PF/CARP load balancing

2006-04-21 Thread Ashley Moran
On Friday 21 April 2006 09:08, Stephan A. Rickauer wrote:
 I use 'heartbeast' for several years now and would not do so again.
 Failover always takes several seconds because of ARP change propagation.

I thought Heartbeast (I'm assuming you wrote that on purpose :) ) was the 
flagship output of the Linux HA project.  Can the same be achieved on *BSD 
with CARP and some monitoring software?  Or have I misunderstood its 
purpose?

Ashley



Re: PF/CARP load balancing

2006-04-21 Thread Ashley Moran
On Friday 21 April 2006 12:18, Stuart Henderson wrote:
 On 2006/04/21 12:08, Ashley Moran wrote:
  I think rdr/source-hash avoids the need to use CARP on the web servers,

 Failover should be quicker if you CARP on the web servers. Otherwise
 you have to wait until the monitoring script on the rdr box picks up the
 failure.

That's a good point about failover time.  The only issue I can see with CARP 
is that if you have N boxes and one fails, one box gets double load instead 
of it being distributed across the other N-1 boxes, so if we had several 
boxes under heavy load we'd still want some monitoring to take the failed 
master out of the pool.  Mind you this is very hypothetical as our vast 
budget only stretches to N=2 right now!

I think I'll go ahead with just pf and CARP on the firewalls, and CARP and 
monit on the web servers, and see how I get along.  That should handle server 
and daemon failures respectively, and allow me to pull each server down for 
upgrades, without complicating SSL.

Thanks for everyone's help on this - I think I'd be still wading through mud 
otherwise

Ashley



advantages/disadvantages of kernel pppoe(4) vs userland pppoe(8)?

2006-04-21 Thread Jonathan Thornburg

Hi,

I'm about to set up ADSL at home for the first time, using the
following network topology:

ADSL    +-------+          +----------+     +----------+
to   <->|  DSL  |<-------->| firewall |<--->| ethernet |
ISP     | modem |  pppoe   | + router |     |  switch  |
        +-------+          | + nat    |     +----------+
                           +----------+       |  |  |
                                              V  V  V
                                        to other computers

The firewall/router/nat box is (will be when I get this setup)
an old 486 laptop with 2 pcmcia ethernet cards, running 3.9-stable.
(Yes, I've ordered a CD; until it arrives I'm using 3.8-stable.)

I already have the (external) DSL modem, and from talking to other
Unix-savvy customers of my ISP (arcor.de), their setup is that the
DSL modem talks pppoe to me (in this case to my firewall/router/nat
box).  From looking at the FAQ section 6, it seems I have two basic
options available for doing this in OpenBSD: pppoe(4) in the kernel, and
pppoe(8) in userland.  My question is, what are the relative
advantages/disadvantages of these?

The obvious tradeoff is performance: I expect pppoe(8) to be slower
due to the extra kernel/user-space crossings for each packet.  My
ADSL is 6M bits/sec downstream, 0.5M upstream.

But are there other significant differences in
* support for pppoe features?
* ease of configuration?
* reliability?

ciao,

--
-- Jonathan Thornburg (remove -animal to reply) [EMAIL PROTECTED]
   Max-Planck-Institut fuer Gravitationsphysik (Albert-Einstein-Institut),
   Golm, Germany, Old Europe http://www.aei.mpg.de/~jthorn/home.html
   Washing one's hands of the conflict between the powerful and the
powerless means to side with the powerful, not to be neutral.
  -- quote by Freire / poster by Oxfam



Re: pf blocking nets in a way like *.google.com ?

2006-04-21 Thread James Mackinnon

What do the client systems run?

if they are on windows 2000/2003 Domain, use a GPO and block them as 
untrusted.


Just a thought because what you want is done above PF


James
- Original Message - 
From: tony sarendal [EMAIL PROTECTED]

To: misc misc@openbsd.org
Sent: Friday, April 21, 2006 7:46 AM
Subject: Re: pf blocking nets in a way like *.google.com ?



On 21/04/06, Moritz Grimm [EMAIL PROTECTED] wrote:


Lars Hansson wrote:
Why isn't it feasible to use Google's allocated netblock (216.239.32.0/19)?

 Because there's nothing that says that every *.google.com site has to be
 within a block allocated to Google.

Duh. The obvious solution is to have pf make a DNS lookup on each and
every packet that arrives.



Good stuff, disarm the subject with humour.

/Tony




Re: advantages/disadvantages of kernel pppoe(4) vs userland pppoe(8)?

2006-04-21 Thread Melameth, Daniel D.
Jonathan Thornburg wrote:
 The firewall/router/nat box is (will be when I get this setup)
 an old 486 laptop with 2 pcmcia ethernet cards, running 3.9-stable.
 (Yes, I've ordered a CD; until it arrives I'm using 3.8-stable.)
 
 I already have the (external) DSL modem, and from talking to other
 Unix-savvy customers of my ISP (arcor.de), their setup is that the
 DSL modem talks pppoe to me (in this case to my firewall/router/nat
 box).  From looking at the FAQ section 6, it seems I have two basic
 options available for doing this in OpenBSD: pppoe(4) in the kernel, and
 pppoe(8) in userland.  My question is, what are the relative
 advantages/disadvantages of these?
 
 The obvious tradeoff is performance: I expect pppoe(8) to be slower
 due to the extra kernel/user-space crossings for each packet.  My
 ADSL is 6M bits/sec downstream, 0.5M upstream.
 
 But are there other significant differences in
 * support for pppoe features?
 * ease of configuration?
 * reliability?

As someone who also uses an old laptop for this purpose, a 486, PCMCIA
cards and user mode pppoe will likely not allow you to achieve your full
6Mbps speeds.  Since I've never used user mode pppoe, I can't comment on
the differences, but as a kernel mode user I can say the configuration
is very simple and well documented and the reliability issues that
plagued 3.7 are gone in 3.8.



Re: PF/CARP load balancing

2006-04-21 Thread Stephan A. Rickauer
Ashley Moran wrote:
 I thought Heartbeast (I'm assuming you wrote that on purpose :) ) was the
 flagship output of the Linux HA project.  Can the same be achieved on *BSD

heartbeat is ancient. They want to replace it with keepalived.

 with CARP and some monitoring software?  Or have I misunderstood its
 purpose?

All heartbeat does is having one virtual IP on the live server. In case
of failure, a script runs which takes up the IP on the secondary, while
some arp faking is done to update the arp tables. You can then also
start services in the heartbeat script.

I'd give CARP/ifstated a try. It will always do at least what heartbeat
does for you and even more (if you want) and much faster. If you have to
use linux for some reason, you can try UCARP (or keepalived).

--

 Stephan A. Rickauer

 ---
 Institut für Neuroinformatik  Tel: +41 44 635 30 50
 Universität / ETH Zürich      Sek: +41 44 635 30 52
 Winterthurerstrasse 190       Fax: +41 44 635 30 53
 CH-8057 Zürich                Web: www.ini.ethz.ch

 RSA public key: https://www.ini.ethz.ch/~stephan/pubkey.asc
 ---




Re: advantages/disadvantages of kernel pppoe(4) vs userland pppoe(8)?

2006-04-21 Thread Jacob Yocom-Piatt
 Original message 
Date: Fri, 21 Apr 2006 14:30:00 +0200 (CEST)
From: Jonathan Thornburg [EMAIL PROTECTED]  
Subject: advantages/disadvantages of kernel pppoe(4) vs userland pppoe(8)?  
To: misc@openbsd.org
Cc: Jonathan Thornburg [EMAIL PROTECTED]

Hi,

I'm about to set up ADSL at home for the first time, using the
following network topology:

ADSL    +-------+          +----------+     +----------+
to   <->|  DSL  |<-------->| firewall |<--->| ethernet |
ISP     | modem |  pppoe   | + router |     |  switch  |
        +-------+          | + nat    |     +----------+
                           +----------+       |  |  |
                                              V  V  V
                                        to other computers

The firewall/router/nat box is (will be when I get this setup)
an old 486 laptop with 2 pcmcia ethernet cards, running 3.9-stable.
(Yes, I've ordered a CD; until it arrives I'm using 3.8-stable.)


i might worry that the 486 can't handle the work you're going to give it, but i
haven't tested this hypothesis. i have a 486 DX2/50 lying around and it was so
slow that ssh and terminal sessions to it were unacceptably sluggish. it wasn't
handling any packets or filtering either, YMMV.

I already have the (external) DSL modem, and from talking to other
Unix-savvy customers of my ISP (arcor.de), their setup is that the
DSL modem talks pppoe to me (in this case to my firewall/router/nat
box).  From looking at the FAQ section 6, it seems I have two basic
options available for doing this in OpenBSD: pppoe(4) in the kernel, and
pppoe(8) in userland.  My question is, what are the relative
advantages/disadvantages of these?

The obvious tradeoff is performance: I expect pppoe(8) to be slower
due to the extra kernel/user-space crossings for each packet.  My
ADSL is 6M bits/sec downstream, 0.5M upstream.

But are there other significant differences in
* support for pppoe features?
* ease of configuration?
* reliability?

i've used the userland pppoe for several years and i'm none too keen on how it
works. all your settings are in /etc/ppp/ppp.X files and the standard thing to
do is have PF brought up when the pppoe link, tun0 in this case, goes up (put
pfctl -e -f /etc/pf.conf in ppp.linkup). the debugging outputs from the userland
version are crappy too. 

i'm quite happy with the kernel pppoe since you can put all your configuration
into the /etc/hostname.pppoe0 file and be done with it. you can also set PF=yes
in your rc.conf.local instead of having it brought up and down with the pppoe
link. the wildcarding for your IP and your default route upstream are optional,
allowing you to more clearly see how the routing works, instead of ppp pppoe
doing it for you. 

cheers,
jake



Re: advantages/disadvantages of kernel pppoe(4) vs userland pppoe(8)?

2006-04-21 Thread Schöberle Dániel
 Hi,
 
 I'm about to set up ADSL at home for the first time, using the
 following network topology:
 
 ADSL    +-------+          +----------+     +----------+
 to   <->|  DSL  |<-------->| firewall |<--->| ethernet |
 ISP     | modem |  pppoe   | + router |     |  switch  |
         +-------+          | + nat    |     +----------+
                            +----------+       |  |  |
                                               V  V  V
                                         to other computers
 
 The firewall/router/nat box is (will be when I get this setup)
 an old 486 laptop with 2 pcmcia ethernet cards, running 3.9-stable.
 (Yes, I've ordered a CD; until it arrives I'm using 3.8-stable.)
 
 i might worry that the 486 can't handle the work you're going to give it, but i
 haven't tested this hypothesis. i have a 486 DX2/50 lying around and it was so
 slow that ssh and terminal sessions to it were unacceptably sluggish. it wasn't
 handling any packets or filtering either, YMMV.

At what line speed? You probably had some bad HW. I was running a 486 
DX2/66MHz box with userland pppoe + nat without any problems on a 
1,5Mbit DSL line. It got replaced because it was too loud not because 
it lacked power. For 6Mbit line you would have to use kernel pppoe, 
userland pppoe would kill the box.

RAM is more likely to be a problem. The 16MB I had in that 486 was enough 
for OBSD 3.0 but is now probably a bit problematic (read up on turning on
swap during install if you can't shove more RAM into it).



Re: PF/CARP load balancing

2006-04-21 Thread Roy Morris
   I think rdr/source-hash avoids the need to use CARP on the web servers,
  
  Failover should be quicker if you CARP on the web servers. Otherwise
  you have to wait until the monitoring script on the rdr box picks up the
  failure.
 
 That's a good point about failover time.  The only issue I can see with CARP 
 is that if you have N boxes and one fails, one box gets double load instead 
 of it being distributed across the other N-1 boxes, so if we had several 
 boxes under heavy load we'd still want some monitoring to take the failed 
 master out of the pool.  Mind you this is very hypothetical as our vast 
 budget only stretches to N=2 right now!
 
 I think I'll go ahead with just pf and CARP on the firewalls, and CARP and 
 monit on the web servers, and see how I get along.  That should handle server 
 and daemon failures respectively, and allow me to pull each server down for 
 upgrades, without complicating SSL.
 
 Thanks for everyone's help on this - I think I'd be still wading through mud 
 otherwise
 
 Ashley
 

I must be missing something. Is this a mission critical setup? If
so why not just get it over with and use hardware LB with checking
and let the servers do a single job well. There are several cheap LB
on ebay radware and the like that are surely affordable for even a 
small shop.

just a thought .. 



Re: pf blocking nets in a way like *.google.com ?

2006-04-21 Thread Nick Holland

Falk Husemann wrote:

[EMAIL PROTECTED] wrote:

That doesn't mean I can use *.google.com, but I would be able to use
www.google.com if I understood the FAQ and the manual correctly.
Because I may not be able to know every hostname in a foreign network, a
joker would be a neat solution.

Is it maybe planned to add any joker to PF so that such stuff would be
possible in the future, if it isn't already possible?


Why isn't it feasible to use Google's allocated netblock (216.239.32.0/19)?


It is feasible to block any numeric network block.
What isn't feasible is to look at a DNS name and think that you can come
up with simple PF rules that will block it.

Maybe you could use a script to update a table in pf using whois and 
grep for the CIDR/Netrange in the reply.


Maybe you could for your application.
However, this is not a generic solution at all.

Here's an example:
at the office I work at, we used to have a firewall which claimed to block
by DNS name, just as is being discussed.  What it really did is exactly
what you propose: periodically, it would do some DNS queries, and populate
a table, and block those IP addresses.

It was decided that our users should not have access to webmail from our
offices, so mail.google.com was blocked, but www.google.com was ok.

Here's what happened (warning: vast oversimplifications here!):
A DNS query for mail.google.com returned a set of IP addresses.  A small
subset of the actual addresses that served mail.google.com.  That's the
way DNS can work: if there are five hundred machines that respond to a
particular name, a single DNS query might return eight.  Or one.
Whatever.

What this firewall didn't know is that the mail.google.com machines were the
EXACT same machines as www.google.com.  So, the results of the block were,
uh..entertaining.  Two people in the same department with the same
network privileges would try to go to google, and one would get what
they expected, the one next to them would get the "This site is blocked!"
page.  If I had thought to look for it, we'd have seen the same behavior
for people trying to get to gmail -- some would be blocked, most would get
through.  Took a while to debug that one, as I really never figured
someone would put such a clearly flawed feature in a commercial firewall
product. :) (silly me, work with OpenBSD too long, you forget to think
about buzzword compliance and management pressures to "do something!", no
matter how idiotic.)


Today, many big sites use world-wide distributed front-end services
like Akamai.  Many of them use the SAME world-wide distributed
front-end service -- so what you do by IP address (for example) to
google.com might impact microsoft.com and apple.com, which is probably
not what you intend.  PF can easily block every single address of every
single Akamai server, but that won't necessarily do what you want.

I've been a fan of DNS mangling to deal with this problem for some time.
Technically, it is a horribly flawed system.  Practically, it works, and
works very easily.  More:
   http://www.holland-consulting.net/tech/imblock.html

Nick.
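The shared-front-end failure Nick describes, as an added example that is not part of the thread: the names, addresses and the round-robin resolver below are all constructed, and the simulation shows why a table populated from DNS answers both under-covers the blocked name and spills over onto an allowed name that lives on the same machines.

```python
"""Simulate the 'resolve a name, stuff the answers into a pf table' approach.

Constructed sample data only (documentation addresses, not real records).
"""

# Full set of front-end addresses behind each name. mail.* and www.* are
# served by the same machines, exactly the case in the post above.
FULL_POOL = {
    "mail.example.com": ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"],
    "www.example.com":  ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"],
    "docs.example.com": ["198.51.100.10", "198.51.100.11"],
}


def lookup(name, offset=0, answers=2):
    """Round-robin resolver: one query returns only `answers` addresses from
    the pool, starting at `offset`, the way a large pool gets rotated."""
    pool = FULL_POOL[name]
    return [pool[(offset + i) % len(pool)] for i in range(min(answers, len(pool)))]


def build_block_table(blocked_names, offset=0):
    """What the periodic 'resolve and populate a table' script ends up with:
    the union of whatever subsets the resolver handed back this round."""
    table = set()
    for name in blocked_names:
        table.update(lookup(name, offset))
    return table


def coverage(table, name):
    """Fraction of a blocked name's real pool that the table covers (1.0 = all)."""
    pool = set(FULL_POOL[name])
    return len(pool & table) / len(pool)


def collateral(table, allowed_names):
    """Allowed names that have at least one address caught in the block table."""
    hits = {}
    for name in allowed_names:
        overlap = set(FULL_POOL[name]) & table
        if overlap:
            hits[name] = sorted(overlap)
    return hits


def client_outcomes(table, name, clients=4):
    """Several users resolve `name` and each connects to the first address
    they get; rotation means neighbours see different answers."""
    results = []
    for offset in range(clients):
        first = lookup(name, offset)[0]
        results.append("blocked" if first in table else "allowed")
    return results


if __name__ == "__main__":
    table = build_block_table(["mail.example.com"])
    print("block table:", sorted(table))
    print("coverage of mail:", coverage(table, "mail.example.com"))
    print("collateral:", collateral(table, ["www.example.com", "docs.example.com"]))
    print("www users:", client_outcomes(table, "www.example.com"))
    print("mail users:", client_outcomes(table, "mail.example.com"))
```

Polling repeatedly at different rotation offsets eventually fills the table, but that only widens the collateral on www.example.com rather than fixing it.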



Odd problem with mtu

2006-04-21 Thread Tomas Stankevičius
Hi all,

I have this strange problem with my OpenBSD setup. I have a box which I use
as the gateway for one of my networks. It has two NICs: one for the internal
network with an ethernet connection (fxp0 driver) and one for the external
network (internet) with a pppoe connection (rl0 driver). The pppoe connection is
set up using the userland configuration. The mtu on the pppoe link is set to
1492. Everything works fine until I try to ping it with a packet size of 1457
(from outside - internet). I run two parallel pings - one normal and one set to
1457 with the DF bit set. When the second ping starts, the connection to the box
is disrupted: the second ping shows "Request timed out" and the first ping shows
"TTL expired in transit". And if I do the same experiment with the second ping's
packet size set to 1456, everything works fine. I don't understand why this
is happening... The second ping shouldn't disrupt the first ping, even if the
packet size is too big... It shouldn't influence the whole box's work...
I've done this experiment on other boxes (with OpenBSD) and everything
worked fine - if the second ping's packet size was too big then it got
the answer "Packet needs to be fragmented but DF set" or "Request timed out",
but the first ping worked fine (it always got good answers and not "TTL
expired in transit"). I've tried to play with pf's scrub rule (max-mss
1492), but it didn't help. Can you help me? 



Re: Virtualization of OpenBSD 3.9 on Xen

2006-04-21 Thread Dave Feustel
On Friday 21 April 2006 11:10,  Stefan Kaltenbrunner [EMAIL PROTECTED] wrote:
 Dave Feustel wrote:
  On Saturday 15 April 2006 17:53, Anthony Liguori wrote:
  
 On Sat, 15 Apr 2006 17:39:10 -0500, Dave Feustel wrote:
 
 AMD Pacifica and Intel's VT make possible the virtualization of unmodified
 operating systems. Is it still necessary to add code to the hypervisor to
 support specific operating systems, or can Xen, as written, support any
 arbitrary OS that successfully boots on a PC? (I'm thinking of the BSDs
 here).

(snipped)

 While theoretically, 
 VT and SVM ought to allow any OS to run under Xen, in practice, if an OS
 hasn't been tested as a guest under Xen, it is likely to turn up some bugs
 or incompleteness.  Over time, this will certainly be a less of an issue.
 
 The problem has to do with the fact that different OS's will use different
 instructions when accessing things like page tables.  Right now, Xen only
 emulates the instructions that we know are used by the systems we test
 with (things like Linux and certain versions of Windows).
  

(snipped)

 OpenBSD 3.9 works quite fine (installed using the native installer in
 the virtualized environment!) as an unmodified guest on my Intel VT box,
 with the following caveats:
 
 *) pcn(4) - aka AMD Pcnet does not seem to work well with the emulated
 one (send works - receive does not)
 
 *) ne(4) does work but is complaining about corrupted nic memory under
 heavy traffic (does not seem to affect it much other than logging the errors)
 
 
 Stefan

-- 
Lose, v., experience a loss, get rid of, lose the weight
Loose, adj., not tight, let go, free, loose clothing



Re: PF/CARP load balancing

2006-04-21 Thread Ashley Moran
On Friday 21 April 2006 15:50, you wrote:
 I must be missing something. Is this a mission critical setup? If
 so why not just get it over with and use hardware LB with checking
 and let the servers do a single job well. There are several cheap LB
 on ebay radware and the like that are surely affordable for even a
 small shop.

 just a thought ..

Well, yes it is mission critical, but that doesn't mean we're prepared to 
spend money on it :)  We've been waiting the best part of a year to get 
approval to buy the new servers so a load balancer is out of the question. In 
fact now I think we'd be lucky to get a new KVM :(   And we'd need two load 
balancers anyway, or we'd have just introduced a new single point of failure.

If in a year or two we get a significant number of new servers I might suggest 
it though.

Ashley



Re: PF/CARP load balancing

2006-04-21 Thread Ashley Moran
On Friday 21 April 2006 13:54, Stephan A. Rickauer wrote:
 All heartbeat does is have one virtual IP on the live server. In case
 of failure, a script runs which takes up the IP on the secondary, while
 some arp faking is done to update the arp tables. You can then also
 start services in the heartbeat script.

Eww that sounds like a right kludge!

 I'd give CARP/ifstatd a try. It will always do at least what heartbeat
 does for you and even more (if you want) and much faster. If you have to
 use linux for some reason, you can try UCARP (or keepalived).

Don't touch Linux myself - I'm using OpenBSD on our firewalls and FreeBSD on 
our web and database servers so CARP seems like the way to go.

Interface failover seems pretty straightforward, I'm more concerned now with 
service availability, i.e. (lig)httpd and the pgcluster loadbalancer.  That's 
why a combination of CARP and monit looks promising.

Ashley



Secure programming over openbsd

2006-04-21 Thread João Salvatti
Hi all,

Does anyone know a book, tutorial or documents of any kind that deal
with secure programming on OpenBSD? Since OpenBSD implements many
secure system calls and lots of other methods that are much more
secure than the respective implementations on other platforms: mkstemp,
strlcpy, strlcat...

Thanks...

--
João Salvatti
Undergraduate in Computer Science
Federal University of Para - UFPA
web: http://www.openbsd-pa.org
e-mail: [EMAIL PROTECTED]



Re: Best WAN Adaper?

2006-04-21 Thread Adam D. Morley
On Fri, Apr 21, 2006 at 10:36:27AM +0200, Toni Mueller wrote:
 Hello,
 
 On Wed, 19.04.2006 at 12:57:16 +0100, tony sarendal [EMAIL PROTECTED] wrote:
  On 19/04/06, Toni Mueller [EMAIL PROTECTED] wrote:
   Anyway, if someone of you comes across good E3 cards, please drop me a
   note.  Otherwise, try to persuade your carrier to give you Ethernet.
  
  What about using Ethernet to T3/E3 converters instead ?
  That way you don't need funky cards in the openbsd box.
 
 unfortunately, there appears to be no standard line encoding for E3
 lines, so if you want to have E3-Ethernet converters, you must use them
 in pairs, on both ends of the line. This rules out having e.g. your E3
 terminating somewhere inside an STM1/4/... trunk on the other side, but
 many carriers only offer this kind of setup. So you're almost
 guaranteed to have a non-working line if they have, say, a Cisco 12000
 on their end where your line terminates inside a trunk, and you have
 the simple fiber with only that one E3 incorporated. I've been told
 that the situation improves quite a bit when you have STM1 instead:
 There, a standard exists, but it doesn't appear to be widely tested if
 it actually works.

FWIW: if you're in Qwest-land, you can now get up to 20mbps delivered as
copper ethernet.  They use a bucket of bonded pairs to do it, but it can
supposedly be done.  I looked at it a while ago, but it was somewhat
pricey when I only needed 3mbps.  ;-)

Anything higher than 20mbps seems to require fibers.

-- 
adam



Re: Secure programming over openbsd

2006-04-21 Thread Ted Unangst
On 4/21/06, João Salvatti [EMAIL PROTECTED] wrote:
 Does anyone know a book, tutorial or documents of any kind that deal
 with secure programming on OpenBSD? Since OpenBSD implements many
 secure system calls and lots of other methods that are much more
 secure than the respective implementations on other platforms: mkstemp,
 strlcpy, strlcat...

i'd start by looking at events.html and the presentations various
people have been giving.  the only worthwhile book in the genre i've
seen is secure coding in c and c++ by robert seacord.  it covers a
few openbsd only features (malloc.conf, ...).

in general though, programming is like juggling or riding a bike. 
reading a book will not make you good at it.
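As an added illustration of the APIs the question names (this is not code from either poster or from the OpenBSD tree), here is the pattern those functions exist for: a fixed-size buffer filled with strcpy/strcat trusts that the pieces fit, while the strlcpy(3)/strlcat(3) return value tells the caller that they did not, and mkstemp(3) creates and opens a temporary file in one step. The names ob_strlcpy/ob_strlcat, build_path, build_path_unsafe and open_private_tempfile are this example's own; ob_strlcpy/ob_strlcat are local re-implementations with the OpenBSD semantics so the example also builds on a libc that lacks them.

```c
/* Added example, not from the thread: OpenBSD-style bounded string
 * handling and atomic temp-file creation. ob_strlcpy/ob_strlcat are local
 * re-implementations with the semantics of OpenBSD's strlcpy(3)/strlcat(3),
 * named differently so this also builds where libc lacks them. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Copy src into dst (dstsize bytes), always NUL-terminating when dstsize > 0.
 * Returns strlen(src); a return value >= dstsize means the copy was truncated. */
static size_t ob_strlcpy(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);

    if (dstsize > 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Append src to dst within dstsize bytes. Returns the length of the string it
 * tried to create; >= dstsize means truncation (or an unterminated dst). */
static size_t ob_strlcat(char *dst, const char *src, size_t dstsize)
{
    size_t dstlen = 0;

    while (dstlen < dstsize && dst[dstlen] != '\0')
        dstlen++;
    if (dstlen == dstsize)
        return dstsize + strlen(src);
    return dstlen + ob_strlcpy(dst + dstlen, src, dstsize - dstlen);
}

/* The classic unsafe form: strcpy/strcat simply trust that the pieces fit.
 * Kept only for contrast; an oversized dir or name overruns 'out'. */
void build_path_unsafe(char *out, const char *dir, const char *name)
{
    strcpy(out, dir);
    strcat(out, "/");
    strcat(out, name);
}

/* Hardened form: every step reports whether it fit. Returns 0 on success and
 * -1 if the result would not fit in outsize bytes; on -1 'out' holds a
 * truncated but NUL-terminated prefix that the caller must not use as a path. */
int build_path(char *out, size_t outsize, const char *dir, const char *name)
{
    if (ob_strlcpy(out, dir, outsize) >= outsize)
        return -1;
    if (ob_strlcat(out, "/", outsize) >= outsize)
        return -1;
    if (ob_strlcat(out, name, outsize) >= outsize)
        return -1;
    return 0;
}

/* mkstemp(3) picks the name and creates+opens the file (mode 0600) in one
 * call, so there is no window between choosing the name and creating the file,
 * unlike mktemp(3) followed by open(2). 'tmpl' must end in "XXXXXX" and is
 * rewritten in place with the chosen name. Returns the descriptor or -1. */
int open_private_tempfile(char *tmpl)
{
    return mkstemp(tmpl);
}

int main(void)
{
    char path[16];                            /* small on purpose, to force truncation */
    char tmpl[] = "/tmp/ob-example.XXXXXX";   /* constructed template */
    int fd;

    if (build_path(path, sizeof path, "/etc", "pf.conf") == 0)
        printf("ok:        %s\n", path);
    if (build_path(path, sizeof path, "/usr/local/etc", "bgpd.conf") == -1)
        printf("truncated: %s (rejected)\n", path);

    fd = open_private_tempfile(tmpl);
    if (fd != -1) {
        printf("tempfile:  %s\n", tmpl);
        unlink(tmpl);
        close(fd);
    }
    return 0;
}
```

The point of checking the return value rather than just swapping strcpy for strlcpy is that silent truncation of a path, hostname or rule string is itself a bug; the hardened build_path refuses to hand back a half-built path.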



Re: Multi Firewalls Admin

2006-04-21 Thread xanadu

Thanks for your answers!

You gave me nice ideas; if I'm summarizing how to admin my remote OpenBSD boxes:

- Monitoring: Cacti, Nagios, Argus and a centralised syslog
- Distributed configs: with CVS or maybe http://www.allard.nu/pfw/ for 
PF, or rsync/rdist/FTP

- Distributed scripts: ssh

It will be a lot of work, my 54 OpenBSD boxes will grow very fast to 
x2x4...


I'm really interested in a project focused on mass admin, let me know 
if such a thing is coming.


Thanks again for your support, it really helps.

Sacha.



problem with LSI Fibre Channel MPT AMD64 OpenBSD 3.9-current

2006-04-21 Thread Diana Eichert
Howdy

I'm having a problem with an LSI929 FC card on a Tyan dual Opteron board.

Here's the dmesg snippet specific to the 929 card:

mpt2 at pci5 dev 9 function 0 Symbios Logic FC929 rev 0x02: irq 10
mpt2: mpt_read_cfg_header: Config Info Status 22
mpt2: Could not retrieve Manufacturing Page 4 Header.
mpt2: could not retrieve manufacturingpages
mpt3 at pci5 dev 9 function 1 Symbios Logic FC929 rev 0x02: irq 5
mpt3: mpt_read_cfg_header: Config Info Status 22
mpt3: Could not retrieve Manufacturing Page 4 Header.
mpt3: could not retrieve manufacturingpages

Reading the LSI Logic Fusion-MPT doc I see the error is related to not
being able to read the Fusion-MPT Manufacturing Page 4.  Well duh, that's
exactly what the kernel message was.

and following is the entire dmesg.

diana

OpenBSD 3.9-current (GENERIC) #498: Sat Apr  1 23:23:33 MST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 3219873792 (3144408K)
avail mem = 2758131712 (2693488K)
using 22937 buffers containing 322195456 bytes (314644K) of memory
mainbus0 (root)
cpu0 at mainbus0: (uniprocessor)
cpu0: AMD Opteron(tm) Processor 252, 2612.33 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB 64b/line 
16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
pci0 at mainbus0 bus 0: configuration mode 1
NVIDIA nForce4 DDR rev 0xa3 at pci0 dev 0 function 0 not configured
pcib0 at pci0 dev 1 function 0 NVIDIA nForce4 ISA rev 0xa3
nviic0 at pci0 dev 1 function 1 NVIDIA nForce4 SMBus rev 0xa2
iic0 at nviic0
iic1 at nviic0
ohci0 at pci0 dev 2 function 0 NVIDIA nForce4 USB rev 0xa2: irq 10, version 
1.0, legacy support
usb0 at ohci0: USB revision 1.0
uhub0 at usb0
uhub0: NVIDIA OHCI root hub, rev 1.00/1.00, addr 1
uhub0: 10 ports with 10 removable, self powered
ehci0 at pci0 dev 2 function 1 NVIDIA nForce4 USB rev 0xa3: irq 11
usb1 at ehci0: USB revision 2.0
uhub1 at usb1
uhub1: NVIDIA EHCI root hub, rev 2.00/1.00, addr 1
uhub1: 10 ports with 10 removable, self powered
auich0 at pci0 dev 4 function 0 NVIDIA nForce4 AC97 rev 0xa2: irq 10, nForce4 
AC97
ac97: codec id 0x41445374 (Analog Devices AD1981B)
ac97: codec features headphone, 20 bit DAC, No 3D Stereo
audio0 at auich0
pciide0 at pci0 dev 6 function 0 NVIDIA nForce4 IDE rev 0xa2: DMA, channel 0 
configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: SONY, DVD RW DW-G120A, MYS2 SCSI0 5/cdrom 
removable cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 4
pciide0: channel 1 disabled (no drives)
pciide1 at pci0 dev 7 function 0 NVIDIA nForce4 SATA rev 0xa3: DMA
pciide1: using irq 10 for native-PCI interrupt
pciide2 at pci0 dev 8 function 0 NVIDIA nForce4 SATA rev 0xa3: DMA
pciide2: using irq 11 for native-PCI interrupt
ppb0 at pci0 dev 9 function 0 NVIDIA nForce4 PCI-PCI rev 0xa2
pci1 at ppb0 bus 1
vga1 at pci1 dev 4 function 0 NVIDIA GeForce2 MX rev 0xb2
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
Texas Instruments TSB43AB22 FireWire rev 0x00 at pci1 dev 5 function 0 not 
configured
nfe0 at pci0 dev 10 function 0 NVIDIA CK804 LAN rev 0xa3: irq 11, address 
00:e0:81:57:06:7e
eephy0 at nfe0 phy 1: Marvell 88E Gigabit PHY, rev. 1
ppb1 at pci0 dev 14 function 0 NVIDIA nForce4 PCIE rev 0xa3
pci2 at ppb1 bus 2
pchb0 at pci0 dev 24 function 0 AMD AMD64 HyperTransport rev 0x00
pci3 at pchb0 bus 8
ppb2 at pci3 dev 10 function 0 AMD 8131 PCIX rev 0x12
pci4 at ppb2 bus 9
AMD 8131 PCIX IOAPIC rev 0x01 at pci3 dev 10 function 1 not configured
ppb3 at pci3 dev 11 function 0 AMD 8131 PCIX rev 0x12
pci5 at ppb3 bus 10
mpt0 at pci5 dev 6 function 0 Symbios Logic 53c1030 rev 0x07: irq 5
scsibus1 at mpt0: 16 targets
sd0 at scsibus1 targ 0 lun 0: SEAGATE, ST373207LW, 0004 SCSI3 0/direct fixed
sd0: 70007MB, 90774 cyl, 2 head, 789 sec, 512 bytes/sec, 143374744 sec total
mpt0: target 0 Synchronous at 160MHz width 16bit offset 63 QAS 1 DT 1 IU 1
mpt1 at pci5 dev 6 function 1 Symbios Logic 53c1030 rev 0x07: irq 11
scsibus2 at mpt1: 16 targets
mpt2 at pci5 dev 9 function 0 Symbios Logic FC929 rev 0x02: irq 10
mpt2: mpt_read_cfg_header: Config Info Status 22
mpt2: Could not retrieve Manufacturing Page 4 Header.
mpt2: could not retrieve manufacturingpages
mpt3 at pci5 dev 9 function 1 Symbios Logic FC929 rev 0x02: irq 5
mpt3: mpt_read_cfg_header: Config Info Status 22
mpt3: Could not retrieve Manufacturing Page 4 Header.
mpt3: could not retrieve manufacturingpages
AMD 8131 PCIX IOAPIC rev 0x01 at pci3 dev 11 function 1 not configured
pchb1 at pci0 dev 24 function 1 AMD AMD64 Address Map rev 0x00
pchb2 at pci0 dev 24 function 2 AMD AMD64 DRAM Cfg rev 

Re: Multi Firewalls Admin

2006-04-21 Thread tony sarendal
On 20/04/06, xanadu [EMAIL PROTECTED] wrote:

 Thanks for your answers!

 You gave me nice ideas; if I'm summarizing how to admin my remote OpenBSD boxes:

 - Monitoring: Cacti, Nagios, Argus and a centralised syslog
 - Distributed configs: with CVS or maybe http://www.allard.nu/pfw/ for
 PF, or rsync/rdist/FTP
 - Distributed scripts: ssh

 It will be a lot of work, my 54 OpenBSD boxes will grow very fast to
 x2x4...

 I'm really interested in a project focused on mass admin, let me know
 if such a thing is coming.

 Thanks again for your support, it really helps.



I used to work on networks with thousands of routers to manage,
in the end nothing was better than writing my own tools.

I may be drunk now, but I do miss it.

/Tony



Intel PRO/1000 82571EB failing to load on latest 3.9 snapshot

2006-04-21 Thread Darrian Hale
Hello, I have a Nexcom NR2107 (uses 2x xeon em64t processors) with two 
intel 82571EB controllers with 4 ports each.  I get the following panic 
after installing openbsd 3.9 amd64.


Before the install, the cd39.iso will boot, but won't load em0 or em6 
(each of which is the first port of one of the 2 intel 82571EB controllers) 
with an error message of cannot allocate io space.  The remaining 6 
ports will load fine.


Has anybody else run into this problem?  Does anyone have any advice?

Thank you!

-Darrian

From boot message:
... clip ...
pci1 at ppb0 bus1
em0 at pci1 dev 0 function 0 Intel PRO/1000 PT (82571EB) rev 0x06
extent_alloc_region: extent 'ioport' (0x0 - 0x)

extent_alloc_region: start 0x30007000, end 0x3000701f
panic: extent_alloc_region: region lies outside extent
Stopped at      Debugger+0x5:   leave
... clip ...

trace:
Debugger() at Debugger+0x5
panic() at panic+0x12a
extent_alloc_region() at extent_alloc_region+0x87
x86_memio_map() at x86_memio_map+0x5a
pci_mapreg_map() at pci_mapreg_map+0x96
em_allocate_pci_resources() at em_allocate_pci_resources+0x129
em_attach() at em_attach+0x190
config_attach() at config_attach+0x10f
pci_probe_device() at pci_probe_device+0x1a8
pci_enumerate_bus() at pci_enumerate_bus+0x104
config_attach() at config_attach+0x10f
mainbus_attach() at mainbus_attach+0x129
config_attach() at config_attach+0x10f
cpu_configure() at cpu_configure+0x1c
main() at main+0x35c
end trace frame: 0x0, count: -20

ps:
   PID   PPID   PGRP    UID  S       FLAGS  WAIT    COMMAND
*0        -1      0      0  7     0x80204          swapper



isakmpd - DPD stops working

2006-04-21 Thread Mitja Muženič
I'm debugging something weird here. Before I put together a full and
sanitized error report, just a quick question: is anybody else seeing DPD
just stop working after a couple of hours, or is it just me & my setup?

I have some pre-3.9 -current (mid March or so) machines running some IPsec
tunnels, and from the IKE dump it appears that after two hours both ends
suddenly stop sending DPD R_U_THERE requests, even if the tunnel is totally
idle (for example, if I down the interface connecting the hosts). The
tunnel never dies so the traffic for the other network goes into a black
hole.

Regards, Mitja



OpenBGPd Questions

2006-04-21 Thread Ben Ashton
Hi Guys/Gals

I have a stock install of OpenBSD/BGP 3.8 and I'm finding some weird
happenings. I'm part of the Virt-IX project (http://www.virt-ix.net/),
which is a training ground for learning BGP.

The Setup is an OpenVPN connection to a peering LAN (194.126.235.0/24)
where other participants host their routers. Below is my 'bgpctl sh'

# bgpctl sh
Neighbor                AS    MsgRcvd    MsgSent  OutQ Up/Down  State/PrefixRcvd
New-V-IX             65438       1750       1749     0 1d05h06m         1
New-V-IX             64542       1221       1223     0 12:08:02         1
New-V-IX             65213       1752       1751     0 1d05h08m         1
cymrubogon-p2        65333       1751       1750     0 18:34:29   63/1000
cymrubogon-p1        65333       1753       1750     0 1d05h08m   63/1000
New-V-IX                 0          0          0     0 Never    Active
Melchior             65101     115012       3503     0 1d04h13m    183805
default virt-ix      31064     147297       3506     0 1d04h07m    183799
tvk                  65126       1753       1751     0 1d05h08m         2
Lex van Roon (r3boot 65342       3497       3505     0 15:59:06         1
daviper              64662       1753       1754     0 10:02:14         2
lotjuh               65188       1752       1751     0 1d05h08m         1
mszabo               65302       1752       1751     0 1d05h08m         1
# bgpctl -n sh
Neighbor                AS    MsgRcvd    MsgSent  OutQ Up/Down  State/PrefixRcvd
194.126.235.89       65438       1750       1749     0 1d05h06m         1
194.126.235.49       64542       1221       1224     0 12:08:06         1
194.126.235.51       65213       1752       1751     0 1d05h08m         1
38.229.0.5           65333       1751       1750     0 18:34:33   63/1000
206.71.160.162       65333       1753       1750     0 1d05h08m   63/1000
194.126.235.0/24         0          0          0     0 Never    Active
194.126.235.7        65101     115012       3503     0 1d04h13m    183805
194.126.235.1        31064     147297       3507     0 1d04h07m    183799
194.126.235.29       65126       1753       1751     0 1d05h08m         2
194.126.235.111      65342       3497       3506     0 15:59:10         1
194.126.235.43       64662       1753       1754     0 10:02:18         2
194.126.235.3        65188       1752       1751     0 1d05h08m         1
194.126.235.47       65302       1752       1751     0 1d05h08m         1

(My bgpd.conf is at the bottom)


I've done some traffic engineering and selected some non-optimal
routing.

As you can see, I'm looking at the AS path to www.openbgpd.com
(81.209.180.64)

bgpctl  bgpd
# bgpctl sh ip bgp 81.209.180.64
flags: * = Valid, > = Selected, I = via IBGP, A = Announced
origin: i = IGP, e = EGP, ? = Incomplete

flags destination        gateway          lpref   med aspath origin
*>    81.209.180.0/22    194.126.235.1      150    15 65101 31064 15703 13237 24640 i
*     81.209.180.0/22    194.126.235.1      100    15 31064 31064 15703 13237 24640 i
#

The selected path to 81.209.180.64 is thru:-
65101 31064 15703 13237 24640

As you can see, AS65101 (194.126.235.7) is the preferred route, but it has
the same gateway as AS31064 (the optimal route). Just to double check
that it's not a glitch, I do a traceroute to www.openbgpd.com

# traceroute www.openbgpd.com
traceroute to www.openbgpd.com (81.209.180.64), 64 hops max, 40 byte
packets
 1  rtr-1.peering.virt-ix.net (194.126.235.1)  10.360 ms  10.277 ms
10.197 ms
 2  c1201-gateway.trueserver.nl (213.193.208.73)  16.562 ms  17.771 ms
17.921 ms
 3  AMS-IX.AMS-1-eth010-101.nl.lambdanet.net (195.69.144.212)  11.199 ms
11.106 ms  10.990 ms
 4  DUS-2-pos700.de.lambdanet.net (82.197.128.29)  17.578 ms  17.549 ms
18.49 ms
 5  HAN-7-pos600.de.lambdanet.net (217.71.105.125)  22.427 ms  21.874 ms
22.775 ms
 6  HAM-4-pos010.de.lambdanet.net (217.71.105.34)  28.18 ms  27.124 ms
27.191 ms
 7  ge2.cr10.ham.bsws.de (80.86.162.34)  26.241 ms  26.597 ms  26.375 ms
 8  ge0.cr20.ham.bsws.de (80.86.183.4)  26.954 ms  26.806 ms  27.17 ms
 9  064.n30.ham.bsws.de (81.209.180.64)  27.87 ms  27.357 ms  27.180 ms


I would expect the first two hops to be:-

1  virtix-gw.melchioraelmans.nl (194.126.235.7)
2  rtr-1.peering.virt-ix.net (194.126.235.1)
3 ..
4 ... 

For another example, I have a Neighbour of AS65438 at 194.126.235.89,
announcing 195.16.86.208/29.

Now when I look at the AS Path to 195.16.86.208/29 I get:-

# bgpctl sh ip bgp 195.16.86.208
flags: * = Valid, > = Selected, I = via IBGP, A = Announced
origin: i = IGP, e = EGP, ? = Incomplete

flags destination        gateway          lpref   med aspath origin
*>    195.16.86.208/29   194.126.235.89     150    15 65101 65438 i
*     195.16.86.208/29   194.126.235.89     100     0 65438 i
*     195.16.86.208/29   194.126.235.89     100    15 31064 31064 65438 i
#

You see, I get the same thing:-
*>    195.16.86.208/29   194.126.235.89     150    15 65101 65438 i

Out of the three valid routes, AS65101 should be my route and have the
gateway of 194.126.235.7, but the 

Re: OpenBGPd Questions

2006-04-21 Thread tony sarendal
On 21/04/06, Ben Ashton [EMAIL PROTECTED] wrote:

 Hi Guys/Gals

 I have a stock install of OpenBSD/BGP 3.8 and I'm finding some weird
 happenings. I'm part of the Virt-IX project (http://www.virt-ix.net/),
 which is a training ground for learning BGP.

 The Setup is an OpenVPN connection to a peering LAN (194.126.235.0/24)
 where other participants host their routers. Below is my 'bgpctl sh'

(snipped)

Re: problem with LSI Fibre Channel MPT AMD64 OpenBSD 3.9-current

2006-04-21 Thread Marco Peereboom
I don't have the magic cable to hook up my FC929 boards to my FC 
enclosure.  Anyone interested in donating an optical FC-LC cable?


Diana Eichert wrote:

 Howdy

 I'm having a problem with an LSI929 FC card on a Tyan dual Opteron board.

 Here's the dmesg snippet specific to the 929 card:

 mpt2 at pci5 dev 9 function 0 Symbios Logic FC929 rev 0x02: irq 10
 mpt2: mpt_read_cfg_header: Config Info Status 22
 mpt2: Could not retrieve Manufacturing Page 4 Header.
 mpt2: could not retrieve manufacturingpages
 mpt3 at pci5 dev 9 function 1 Symbios Logic FC929 rev 0x02: irq 5
 mpt3: mpt_read_cfg_header: Config Info Status 22
 mpt3: Could not retrieve Manufacturing Page 4 Header.
 mpt3: could not retrieve manufacturingpages

 Reading the LSI Logic Fusion-MPT doc I see the error is related to not
 being able to read the Fusion-MPT Manufacturing Page 4.  Well duh, that's
 exactly what the kernel message was.

 and following is the entire dmesg.

 diana

(snipped)

zaurus package

2006-04-21 Thread andrew patterson
My cd is on the way but I won't have it till Monday. I know about the flames
but somebody please tar up the zaurus dir for me and post it please. Thx.

Andrew Patterson



Re: problem with LSI Fibre Channel MPT AMD64 OpenBSD 3.9-current

2006-04-21 Thread Diana Eichert
On Fri, 21 Apr 2006, Diana Eichert wrote:

 Marco

 Would this work, LC/FC Duplex Multi Mode 5M Cable 2Gb/s to 1Gb/s device?
 http://cgi.ebay.com/LC-FC-Duplex-Multi-Mode-5M-Cable-2Gb-s-to-1Gb-s-device_W0QQitemZ9715347169QQcategoryZ3704QQssPageNameZWDVWQQrdZ1QQcmdZViewItem

 I've also asked my system / FC attached RAID enclosure if they could
 provide you one.

 thanks

 diana

It appears I've been at work too long.  I'm going to ask the VENDOR and not
the system/enclosure to provide a cable.

diana



Re: problem with LSI Fibre Channel MPT AMD64 OpenBSD 3.9-current

2006-04-21 Thread Marco Peereboom

So I really meant SC-LC.

Marco Peereboom wrote:
 I don't have the magic cable to hook up my FC929 boards to my FC 
 enclosure.  Anyone interested in donating an optical FC-LC cable?


 Diana Eichert wrote:

  Howdy

  I'm having a problem with an LSI929 FC card on a Tyan dual Opteron board.

  Here's the dmesg snippet specific to the 929 card:

  mpt2 at pci5 dev 9 function 0 Symbios Logic FC929 rev 0x02: irq 10
  mpt2: mpt_read_cfg_header: Config Info Status 22
  mpt2: Could not retrieve Manufacturing Page 4 Header.
  mpt2: could not retrieve manufacturingpages
  mpt3 at pci5 dev 9 function 1 Symbios Logic FC929 rev 0x02: irq 5
  mpt3: mpt_read_cfg_header: Config Info Status 22
  mpt3: Could not retrieve Manufacturing Page 4 Header.
  mpt3: could not retrieve manufacturingpages

  Reading the LSI Logic Fusion-MPT doc I see the error is related to not
  being able to read the Fusion-MPT Manufacturing Page 4.  Well duh, that's
  exactly what the kernel message was.

  and following is the entire dmesg.

  diana

(snipped)

Override errno EBUSY on rd(4) device after boot in mount(2)?

2006-04-21 Thread Brian A. Seklecki
Is there any way to override the flag on a device that prevents it from
being mounted twice?  MNT_FORCE isn't it.

I've got an embedded environment I'm setting up where I want to transfer
the root (/) file system from an rd(4) to an MFS.

To do this, I have to add some customizations to copy() in
sbin/newfs/newfs.c.  This is because as soon as I call mount_mfs(8)
from my RD's /etc/rc, all of / goes away, so I have to accomplish things
in C functions until I can get the previous (/) re-mounted as /rescue.

I can call mount(2) manually from newfs::copy(), but /dev/rd0a refuses
to unmount from its previous ubiquitous root_device.

Even if I explicitly mount /dev/rd0a as /, it refuses to dis-mount after
I mount a new memfs at /, even with MNT_FORCE to unmount(2).

Is it possible that rd(4)'s simply can't be unmounted?  I'm assuming
they can be, and that unlike their MFS counter-part, their contents do
not reset (well, they would reset to whatever the contents of the RD
image in the kernel is, assuming changes had been made).

This is truly a chicken-and-egg scenario.  Any thoughts would be
appreciated.

~BAS