Re: ospfd filtering

2013-06-03 Thread Loïc BLOT
Hi
Sorry for the double post, but I forgot the kroute.c in my diff, so it
cannot work :)

Have a nice day

--- old/usr.sbin/ospfd/kroute.c 2011-11-15 05:17:46.0 +0100
+++ OpenBSD/usr.sbin/ospfd/kroute.c 2013-05-31 22:37:59.434032287 +0200
@@ -1,6 +1,7 @@
-/* $OpenBSD: kroute.c,v 1.91 2011/09/16 18:24:57 sthen Exp $ */
+/* $OpenBSD: kroute.c,v 1.92 2013/05/31 22:37:13 sthen Exp $ */
 
 /*
+ * Copyright (c) 2013 Loic Blot loic.b...@unix-experience.fr
  * Copyright (c) 2004 Esben Norby no...@openbsd.org
  * Copyright (c) 2003, 2004 Henning Brauer henn...@openbsd.org
  *
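Review bot: The $OpenBSD$ RCS id line should not be edited by hand (here it is bumped from 1.91 to 1.92 with a hand-written date and committer); CVS expands it on commit, and a diff that touches it will not apply for anyone whose checkout is at a different revision. Drop the id change and keep only the copyright line.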
@@ -580,7 +581,7 @@
struct kroute_node  *kn;
struct krouterr;
int  redistribute = 0;
-
+   
/* only the highest prio route can be redistributed */
if (kroute_find(kh-r.prefix.s_addr, kh-r.prefixlen, RTP_ANY) != kh)
return;
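Review bot: The only change in this hunk replaces an empty line with one containing trailing whitespace; that is noise rather than a change, so drop the hunk entirely.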
@@ -1137,6 +1138,9 @@
 
if (kr_state.fib_sync == 0)
return (0);
+   
+   if (kr_filter_do(kroute) != 0)
+   return (0);
 
/* initialize header */
bzero(hdr, sizeof(hdr));
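Review bot: kr_filter_do() is defined in ospfd.c but called here from kroute.c, so it needs a prototype in ospfd.h; that hunk is cut off in the mail, so it cannot be checked. The added blank line carries trailing whitespace. More importantly, the filter is consulted only at this point, just before a route message is built for the kernel, so a route that was already installed in the FIB before a matching filter was added stays there until ospfd next updates it; consider whether a config reload that adds a filter should also withdraw routes that now match.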
@@ -1581,3 +1585,43 @@
 
return (offset);
 }
+
+struct kroute_filter *
+kr_filter_new(struct in_addr nexthop, struct in_addr prefix,
+u_int8_t prefixlen)
+{
+   struct kroute_filter*kroute_filter;
+   
+   if ((kroute_filter = calloc(1, sizeof(*kroute_filter))) == NULL)
+   err(1, kr_filter_new: calloc);
+   
+   kroute_filter-prefix = prefix;
+   kroute_filter-nexthop = nexthop;
+   kroute_filter-prefixlen = prefixlen;
+
+   return (kroute_filter); 
+}
+
+void
+kr_filter_del(struct kroute_filter *kroute_filter)
+{
+   LIST_REMOVE(kroute_filter, entry);
+   
+   free(kroute_filter);
+}
+
+struct kroute_filter *
+kr_filter_find(struct ospfd_conf *ospfd_conf, struct in_addr nexthop, 
+struct in_addr prefix, u_int8_t prefixlen)
+{
+   struct kroute_filter *kroute_filter;
+   
+   LIST_FOREACH(kroute_filter, ospfd_conf-kroute_filter_list, entry) {
+   if (kroute_filter-nexthop.s_addr == nexthop.s_addr 
+   kroute_filter-prefix.s_addr == prefix.s_addr 
+   kroute_filter-prefixlen == prefixlen) {
+   return (kroute_filter);
+   }
+   }
+   return (NULL);
+}
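Review bot: kr_filter_new() reports a calloc failure with err(1, ...), which prints to stderr and is lost once ospfd has detached from its terminal; the routing daemons' log.c provides fatal() for exactly this case and logs through syslog when daemonized, so use `fatal("kr_filter_new: calloc");` here. kr_filter_find() takes an ospfd_conf pointer while kr_filter_do() in ospfd.c walks the global ospfd_conf directly; pick one convention, and note that nothing in this diff calls kr_filter_find() at all. Several added lines carry trailing whitespace (the blank lines after the declarations and the `return (kroute_filter);` line). As posted the diff is also mangled: `->` appears as `-`, and the `&&` operators and the string quotes around the err() and log_info() messages are missing, so it cannot be applied from the mail; please resend it as an attachment.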
--- old/usr.sbin/ospfd/ospfd.c  2011-11-15 05:17:46.0 +0100
+++ OpenBSD/usr.sbin/ospfd/ospfd.c  2013-05-31 22:38:22.202030731 +0200
@@ -1,6 +1,7 @@
-/* $OpenBSD: ospfd.c,v 1.78 2011/08/20 11:16:09 sthen Exp $ */
+/* $OpenBSD: ospfd.c,v 1.79 2013/05/31 22:35:17 sthen Exp $ */
 
 /*
+ * Copyright (c) 2013 Loic Blot loic.b...@unix-experience.fr
  * Copyright (c) 2005 Claudio Jeker clau...@openbsd.org
  * Copyright (c) 2004 Esben Norby no...@openbsd.org
  * Copyright (c) 2003, 2004 Henning Brauer henn...@openbsd.org
@@ -680,6 +681,7 @@
struct area *a, *xa, *na;
struct iface*iface;
struct redistribute *r;
+   struct kroute_filter *rf, *nrf;
int  rchange = 0;
 
/* change of rtr_id needs a restart */
@@ -701,6 +703,14 @@
SIMPLEQ_REMOVE_HEAD(xconf-redist_list, entry);
SIMPLEQ_INSERT_TAIL(conf-redist_list, r, entry);
}
+   for (rf = LIST_FIRST(conf-kroute_filter_list); rf != NULL; rf 
=
nrf) {
+   nrf = LIST_NEXT(rf, entry);
+   kr_filter_del(rf);
+   }
+   for (rf = LIST_FIRST(xconf-kroute_filter_list); rf != NULL; 
rf =
nrf) {
+   nrf = LIST_NEXT(rf, entry);
+   LIST_INSERT_HEAD(conf-kroute_filter_list, rf, entry);
+   }
goto done;
}
 
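Review bot: Both for loops have been wrapped by the mailer (`rf =` and `nrf) {` end up on their own lines), so this hunk will not apply as posted; resend with line wrapping disabled. The move itself is sound: the old entries are freed before the new ones are linked in, nrf is saved before LIST_INSERT_HEAD rewrites rf's links, and the reversed order does not matter for a filter list where every entry is checked. One caveat: the entries are never LIST_REMOVE'd from xconf, so xconf's list head still points at nodes now owned by conf; that is only safe as long as the code at done: frees xconf without walking its filter list.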
@@ -891,3 +901,26 @@
return (i);
return (NULL);
 }
+
+int
+kr_filter_do(struct kroute *kr)
+{
+   struct kroute_filter*i;
+   
+   LIST_FOREACH(i, ospfd_conf-kroute_filter_list, entry) {
+   /*
+* TODO: filter all routes for one nexthop
+*/
+   if (i-prefix.s_addr == kr-prefix.s_addr 
+   i-prefixlen == kr-prefixlen 
+   (i-nexthop.s_addr == kr-nexthop.s_addr ||
+   i-nexthop.s_addr == INADDR_ANY)) {
+   log_info(ospfd_filternexthop: filtering route 
%s/%u,
+   inet_ntoa(i-prefix), i-prefixlen);
+   log_info(ospfd_filternexthop: nexthop is %s,
+   inet_ntoa(i-nexthop));
+   return (1);
+   }
+   }
+   return (0);
+}
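Review bot: log_info() here fires every time a filtered route is (re)sent to the kernel, which on a busy FIB will flood syslog; use log_debug() so the message only appears with verbose logging. The TODO ("filter all routes for one nexthop") is half done: nexthop INADDR_ANY already acts as a wildcard, but there is no equivalent wildcard for the prefix, so a filter can match one prefix from any nexthop but not every prefix from one nexthop. The name in the log message (ospfd_filternexthop) also does not match the function name (kr_filter_do), which makes grepping the logs harder than it needs to be.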
--- old/usr.sbin/ospfd/ospfd.h  2013-02-16 04:03:42.0 +0100
+++ OpenBSD/usr.sbin/ospfd/ospfd.h  2013-05-31 22:38:44.768029188 +0200
@@ -1,6 

Re: Western Digital - Advanced Format

2013-06-03 Thread MD

On 03/06/13 06:01, Otto Moerbeek wrote:

On Mon, Jun 03, 2013 at 03:34:07AM +0100, MD wrote:


On 01/06/13 15:59, MD wrote:

On 01/06/13 12:56, Kenneth R Westerback wrote:

On Sat, Jun 01, 2013 at 07:38:50AM +0100, MD wrote:

Recently obtained WD7500-BPKT (750g) hard drive that apparently

snip

Will Advanced Format Just Work(TM)?

snip

If the drive claims to be using 512-byte sectors, everything should
work but potentially be slow due to the drive compensating for
i/o into the middle of 4K sectors.

snip

 Ken


snip



On installation, fdisk partitioned the drive by default with the
OpenBSD partition starting at...

Physical/LBA (512-byte) sector 64

(oh yes... nudge-nudge wink-wink)...

and subsequent OpenBSD partitions (i.e. logical partitions)
starting on exact multiples of 4096bytes...

JUST BY ACCIDENT!!!


No, that isn't an accident. We moved the default fdisk start 1 sector some
time ago and changed a few things in disklabel to make this happen.

-Otto


Erm... The capitals and the nudge-nudge, wink-wink was me...
tipping me hat... because I'd got it ;-)

So the change is in the disklabel code
(I'd started to look in fdisk code first).

Thanks for the guidance.

Just sheer class, that. Sheer class, gents.

Mike



Header files for C/C++ development

2013-06-03 Thread eatg75

Hi there, I am 'experimenting' with OpenBSD and pondering a switch
from Linux to OpenBSD. I have installed OpenBSD in a virtual
machine, and during the installation I did not select the comp53
package. When I rebooted and installed clang and tried to compile
a simple hello world in C, I got errors saying 'stdio.h file not
found'. I searched in both /usr/include and /usr/local/include
for stdio.h but I didn't find it (and /usr/include is empty). I
searched the 'misc' mailing list for similar threads all the way
back to 2001 but I didn't find anything helpful.

Can someone help me.

PS: Forgive me for my newbieness
and thanks anyway.



Re: Header files for C/C++ development

2013-06-03 Thread Matthew Dempsky
On Sun, Jun 2, 2013 at 11:14 PM, eatg75 eat...@hotmail.com wrote:
 Can someone help me.

You need to install the comp53 package.



Re: Header files for C/C++ development

2013-06-03 Thread Matthew Dempsky
On Sun, Jun 2, 2013 at 11:53 PM, Matthew Dempsky matt...@dempsky.org wrote:
 On Sun, Jun 2, 2013 at 11:14 PM, eatg75 eat...@hotmail.com wrote:
 Can someone help me.

 You need to install the comp53 package.

Er, sorry, the comp53 set.



Re: Header files for C/C++ development

2013-06-03 Thread Jérémie Courrèges-Anglas
eatg75 eat...@hotmail.com writes:

 Hi there, I am 'experimenting' with OpenBSD and pondering a switch
 from Linux to OpenBSD. I have installed OpenBSD in a virtual
 machine, and during the installation I did not select the comp53
 package. When I rebooted and installed clang and tried to compile
 a simple hello world in C, I got errors saying 'stdio.h file not
 found'. I searched in both /usr/include and /usr/local/include
 for stdio.h but I didn't find it (and /usr/include is empty). I
 searched the 'misc' mailing list for similar threads all the way
 back to 2001 but I didn't find anything helpful.

 Can someone help me.

wild guess: try to install comp53.tgz

 PS: Forgive me for my newbieness
 and thanks anyway.


-- 
Jérémie Courrèges-Anglas
PGP Key fingerprint: 61DB D9A0 00A4 67CF 2A90  8961 6191 8FBF 06A1 1494



Re: Header files for C/C++ development

2013-06-03 Thread Tito Mari Francis Escaño
Since you already installed the system, you can extract comp53.tgz on / so
you don't have to reinstall if I recall correctly. YMMV but hope this helps.


On Mon, Jun 3, 2013 at 2:54 PM, Jérémie Courrèges-Anglas
j...@wxcvbn.orgwrote:

 eatg75 eat...@hotmail.com writes:

  Hi there, I am 'experimenting' with OpenBSD and pondering a switch
  from Linux to OpenBSD. I have installed OpenBSD in a virtual
  machine, and during the installation I did not select the comp53
  package. When I rebooted and installed clang and tried to compile
  a simple hello world in C, I got errors saying 'stdio.h file not
  found'. I searched in both /usr/include and /usr/local/include
  for stdio.h but I didn't find it (and /usr/include is empty). I
  searched the 'misc' mailing list for similar threads all the way
  back to 2001 but I didn't find anything helpful.
 
  Can someone help me.

 wild guess: try to install comp53.tgz

  PS: Forgive me for my newbieness
  and thanks anyway.
 

 --
 Jérémie Courrèges-Anglas
 PGP Key fingerprint: 61DB D9A0 00A4 67CF 2A90  8961 6191 8FBF 06A1 1494



Re: Header files for C/C++ development

2013-06-03 Thread Janne Johansson
If only the FAQ had answers to questions like this...

Oh wait => http://www.openbsd.org/faq/faq4.html#AddFileSet



2013/6/3 Tito Mari Francis Escaño titomarifran...@gmail.com

 Since you already installed the system, you can extract comp53.tgz on / so
 you don't have to reinstall if I recall correctly. YMMV but hope this
 helps.


 On Mon, Jun 3, 2013 at 2:54 PM, Jérémie Courrèges-Anglas
 j...@wxcvbn.orgwrote:

  eatg75 eat...@hotmail.com writes:
 
   Hi there, I am 'experimenting' with OpenBSD and pondering a switch
   from Linux to OpenBSD. I have installed OpenBSD in a virtual
   machine, and during the installation I did not select the comp53
   package. When I rebooted and installed clang and tried to compile
   a simple hello world in C, I got errors saying 'stdio.h file not
   found'. I searched in both /usr/include and /usr/local/include
   for stdio.h but I didn't find it (and /usr/include is empty). I
   searched the 'misc' mailing list for similar threads all the way
   back to 2001 but I didn't find anything helpful.
  
   Can someone help me.
 
  wild guess: try to install comp53.tgz
 
   PS: Forgive me for my newbieness
   and thanks anyway.
  
 
  --
  Jérémie Courrèges-Anglas
  PGP Key fingerprint: 61DB D9A0 00A4 67CF 2A90  8961 6191 8FBF 06A1 1494




--
May the most significant bit of your life be positive.



Re: Header files for C/C++ development [SOLVED]

2013-06-03 Thread eatg75

Thank you guys for your time and attention, I have just tried
the solution @Tito presented and it works! Again
thank you all.

eatg75



Re: bug in ksh tab complete

2013-06-03 Thread LEVAI Daniel
On v, jún 02, 2013 at 20:02:17 -0400, Ted Unangst wrote:
 (1) I'm in src/usr.sbin/pkg_add. I type vi pod/<tab>. ksh prints some
 completions for me:
 
 athens:~/src/usr.sbin/pkg_add vi pod/
 CVS/ OpenBSD::PackingElement.pod ...
 
 (2) I type Open<tab>. ksh completes a little more for me:
 athens:~/src/usr.sbin/pkg_add vi pod/OpenBSD::
[...]
 If ksh is going to treat : as magic, then it needs to escape it when
 autocompleting. (step 2 above)

I've fixed it with this:
--- edit.c.orig 2012-10-31 19:21:31.742319303 +0100
+++ edit.c  2012-10-31 19:21:44.031181937 +0100
@@ -809,7 +809,7 @@
int rval = 0;
 
for (add = 0, wlen = len; wlen - add  0; add++) {
-   if (strchr(\#$'()*;=?[\\]`{|}, s[add]) ||
+   if (strchr(\#$'()*:;=?[\\]`{|}, s[add]) ||
strchr(ifs, s[add])) {
if (putbuf_func(s, add) != 0) {
rval = -1;
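Review bot: The patch headers reference a local copy (edit.c.orig / edit.c dated 2012-10-31) rather than src/bin/ksh, so please regenerate it against the current tree with cvs diff -u so it applies cleanly. The change itself is minimal and matches the symptom: this character set is the list of characters completion backslash-escapes, and adding ':' makes OpenBSD::PackingElement.pod come out as OpenBSD\:\:PackingElement.pod, which the shell unquotes back to the real filename. Since ':' is not a shell metacharacter (it is special only to the completion's word-boundary logic, as explained downthread), a one-line comment on why it sits in this list would save the next reader a trip through the mail archive.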


Didn't send the diff; I think because of the general lack of interest in
ksh patches in the past.


Daniel

-- 
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D  650C C69B BE4C 83B6 3A8F



Re: 005_in6.patch

2013-06-03 Thread Olivier Debre
J. Scott Heppler shepper at earthlink.net writes:

 
 The latest patch for 5.3 has incomplete instructions
 /usr/src has previously been cd /usr/src
 and the patch did not find the file on my i386 install.
 

Also, isn't the diff supposed to be modified from:

--- in6.c   30 Nov 2012 13:48:12 -  1.101
+++ in6.c   30 May 2013 20:41:24 -  1.101.2.1

to:

--- sys/netinet6/in6.c  30 Nov 2012 13:48:12 -  1.101
+++ sys/netinet6/in6.c  30 May 2013 20:41:24 -  1.101.2.1



Re: A tricky pf + ecmp routing + squid question [Disregard - SOLVED]

2013-06-03 Thread Stuart Henderson
On 2013-06-02, Rob Sheldon r...@associatedtechs.com wrote:
 Sorry for the noise.

 OpenBSD 5.3 introduced Squid 3.2, which now checks the destination IP 
 of inbound packets against the Host: header in interception mode. This 
 breaks rdr-to, which makes nearly every howto online incorrect (joy). 
 There was a minor error in the Squid docs which confused me (http_port 
 must have IP-of-interface-to-listen on:port, e.g., http_port 
 127.0.0.1:3129 intercept, instead of just http_port 3129 intercept as 
 in the current docs), which caused the connection refused errors, which 
 I stupidly misinterpreted.

 FWIW, the Squid docs link to
 http://www.openbsd.org/cgi-bin/cvsweb/ports/www/squid/pkg/README-main?rev=1.1;content-type=text%2Fplain,
 which has http_port 127.0.0.1:3129 transparent as the example, but
 as of Squid 3.1, transparent was deprecated in favor of intercept:
 http://www.squid-cache.org/Doc/config/http_port/

I've updated the README. In future please could you make sure that any
suggestions relating to ports are sent (or at least CC'd) to the MAINTAINER?
It's easy to miss things in the mailing lists (and a lot of developers don't
read misc regularly). Thanks.



Re: A tricky pf + ecmp routing + squid question [Disregard - SOLVED]

2013-06-03 Thread Stuart Henderson
On 2013-06-02, Loïc BLOT loic.b...@unix-experience.fr wrote:
 Hello Rob,
 I have been using squid since 3.1 on OpenBSD 5.2 with compiled sources (squid
 3.2.5-9 and 3.3.4 at this time).

Building it yourself with squid's default options sets things up for the
old method with rdr-to.

The port is set up to use divert-to instead (--disable-pf-transparent
--enable-ipfw-transparent) to avoid the need to make /dev/pf writable
by squid (or even worse, run squid as root).
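The two arrangements Stuart contrasts, as an added example that is not from this thread or the port's README: the rdr-to setup a squid built with its default options expects, beside the divert-to setup the OpenBSD port is built for. $int_if, $int_net and the 3129 listener are assumptions for illustration.

```conf
# /etc/pf.conf

# Old method (squid built with its default options).
# rdr-to rewrites the destination address to the proxy, so squid has to ask
# pf for the original destination through /dev/pf (the DIOCNATLOOK ioctl),
# which means /dev/pf must be writable by the squid user. With Squid 3.2's
# Host-header check, the rewritten destination also no longer matches the
# Host: header of the intercepted request, which is what broke Rob's setup.
# pass in quick on $int_if inet proto tcp from $int_net to any port 80 \
#     rdr-to 127.0.0.1 port 3129

# Port method (ports build: --disable-pf-transparent --enable-ipfw-transparent).
# divert-to hands the packet to the local listener with its original
# destination intact; squid reads that from the socket and never touches
# /dev/pf, so the proxy needs no privilege beyond its own socket.
pass in quick on $int_if inet proto tcp from $int_net to any port 80 \
    divert-to 127.0.0.1 port 3129

# /etc/squid/squid.conf
# The listener must name the address pf diverts to, not just the port;
# "intercept" replaced the deprecated "transparent" keyword in Squid 3.1.
http_port 127.0.0.1:3129 intercept
```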



Re: ral(4) or ath(4)

2013-06-03 Thread Stuart Henderson
On 2013-06-01, Lars Nooden lars.noo...@gmail.com wrote:
 Are there any big reasons not to choose ral(4) over ath(4) for a host 
 ap?  I've been trying out three wireless cards on -current as host access 
 points.  So far it seems that ral(4) works better, but is quite weak on 
 the overall range in mode 11g as compared to 11a.  

 One message earlier on misc suggested ral(4) as better for an access 
 point. [2]  The info on Wikipedia about drivers[3], if it's accurate, 
 suggests that ral has more help from the vendors. 

 Regards,
 /Lars

 [1]   ath0 at pci0 dev 17 function 0 Atheros AR5413 rev 0x01: irq 15
   ath0: AR5413 10.5 phy 6.1 rf 6.3, ETSI1W, address 00:15:61:x:x:x

   ath0 at pci0 dev 17 function 0 Atheros AR5212 rev 0x01: irq 15
   ath0: AR5213A 5.9 phy 4.3 rf5112a 3.6, FCC2A*, address a8:54:b2:x:x:x

   ral0 at pci0 dev 17 function 0 Ralink RT2561S rev 0x00: irq 15, 
 address 
 00:12:0e:x:x:x
   ral0: MAC/BBP RT2561C, RF RT5225

 [2]http://marc.info/?l=openbsd-miscw=2r=1s=ral+or+athq=b

 [3]
 https://en.wikipedia.org/wiki/Comparison_of_open-source_wireless_drivers#OpenBSD



IIRC, range on RT2860 is *much* better than 2561S.

If you're buying something new, athn is usually the best choice; it is
available in minipci as well as minipcie.



Re: 005_in6.patch

2013-06-03 Thread Stuart Henderson
On 2013-06-03, Olivier Debre tichodr...@free.fr wrote:
 J. Scott Heppler shepper at earthlink.net writes:

 
 The latest patch for 5.3 has incomplete instructions
 /usr/src has previously been cd /usr/src
 and the patch did not find the file on my i386 install.
 

 Also, isn't the diff supposed to be modified from:

 --- in6.c 30 Nov 2012 13:48:12 -  1.101
 +++ in6.c 30 May 2013 20:41:24 -  1.101.2.1

 to:

 --- sys/netinet6/in6.c30 Nov 2012 13:48:12 -  1.101
 +++ sys/netinet6/in6.c30 May 2013 20:41:24 -  1.101.2.1



fixed, thanks.



Re: Header files for C/C++ development [SOLVED]

2013-06-03 Thread Nick Holland

On 06/03/13 03:39, eatg75 wrote:

Thank you guys for your time and attention, I have just tried
the solution @Tito presented and it works! Again
thank you all.

eatg75


This is one of many reasons we recommend new users just install the
entire system, not pick and choose the things they think they will need.


Nick.



Re: A tricky pf + ecmp routing + squid question [Disregard - SOLVED]

2013-06-03 Thread Rob Sheldon

On 2013-06-03 4:07, Stuart Henderson wrote:


I've updated the README. In future please could you make sure that any
suggestions relating to ports are sent (or at least CC'd) to the MAINTAINER?
It's easy to miss things in the mailing lists (and a lot of developers don't
read misc regularly). Thanks.


Sure thing! Thanks for taking care of that.

- R.

--
[__ Robert Sheldon
[__ No Problem
[__ Information technology support and services
[__ (530) 575-0278



Re: OSPF ABR/ASBR issue

2013-06-03 Thread Kapetanakis Giannis

On 01/06/13 18:44, Claudio Jeker wrote:

Can you give this diff a spin? Not much tested but the current way we
define an area as active (having at least one active neighbor) is wrong.
This changes the decision to have at least one active interface
(not IF_STA_DOWN). Not sure if that will cause troubles with passive
interfaces since those are not considered active.  At least it seems that
RFC 3509 uses this to define active areas.

Thanks


Just tested this diff and it does not work in my case for passive 
interfaces (either carp or loopback).


area 0.0.0.7 {
   stub
   interface carp8 {passive}
   interface lo1 {passive}
}

If I add carp8 or lo1 in area 0.0.0.0 then the routes are announced.

Giannis



Re: ral(4) or ath(4)

2013-06-03 Thread Stefan Sperling
On Mon, Jun 03, 2013 at 11:16:37AM +, Stuart Henderson wrote:
 If you're buying something new, athn is usually the best choice, it is
 available in minipci as well as minipcie.

There are several newish athn which we don't support yet.



ALTQ(32bit)

2013-06-03 Thread emigrant
Hi

Can't ALTQ use a 10Gb NIC? ALTQ supports a max of 4.3Gb bandwidth, because altq is
32-bit. Is that true?



Re: ALTQ(32bit)

2013-06-03 Thread Peter N. M. Hansteen
On Mon, Jun 03, 2013 at 03:34:47PM +0200, emigrant wrote:
 Hi
 
 Can't ALTQ use a 10Gb NIC? ALTQ supports a max of 4.3Gb bandwidth, because altq is
 32-bit. Is that true?
 
ALTQ is old code (perhaps more obviously so to German speakers than others ;)),
a replacement is in the pipeline but not immediately ready, unfortunately.

http://bsdly.blogspot.ca/2011/07/anticipating-post-altq-world.html gives some
background, diffs are being tested by various people now, and the commit of the
new queueing system *must* be moving closer by the minute. But no definite ETA
just yet.

- P
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
Remember to set the evil bit on all malicious network traffic
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: ALTQ(32bit)

2013-06-03 Thread Andy
Hi,

We're really looking forward to improvements in ALTQ too.

And we are /really/ hoping that the queues can either be shared across 
interfaces (so your WAN downstream bandwidth doesn't have to be sliced 
up and divided up across all the internal interfaces), or that you can 
create queues on the external interface's 'ingress' flow.

I know this opens a can of worms as many say you can't theoretically 
shape inbound bandwidth as you've already received the packets, however 
we do shape inbound bandwidth and it works brilliantly! But you have to 
do it on each of the internal interfaces egress (hence having to slice 
up the total downstream), so connections receiving too many downstream 
packets are slowed by dropping some of the already received TCP packets 
(not perfect but it works).

Also, whilst I'm wishing, I'm looking forward to the day that the
FQ_Codel algorithms etc., which significantly improve buffer-bloat, are
in OpenBSD (now in Linux 3.7 :)

Cheers, Andrew Lemin


On 03/06/13 14:49, Peter N. M. Hansteen wrote:
 On Mon, Jun 03, 2013 at 03:34:47PM +0200, emigrant wrote:
 Hi

 Can't ALTQ use a 10Gb NIC? ALTQ supports a max of 4.3Gb bandwidth, because altq is
 32-bit. Is that true?
   
 ALTQ is old code (perhaps more obviously so to German speakers than others ;)),
 a replacement is in the pipeline but not immediately ready, unfortunately.

 http://bsdly.blogspot.ca/2011/07/anticipating-post-altq-world.html gives some
 background, diffs are being tested by various people now, and the commit of the
 new queueing system *must* be moving closer by the minute. But no definite ETA
 just yet.

 - P

 - P



Re: bug in ksh tab complete

2013-06-03 Thread Ted Unangst
On Mon, Jun 03, 2013 at 09:45, LEVAI Daniel wrote:
 --- edit.c.orig   2012-10-31 19:21:31.742319303 +0100
 +++ edit.c2012-10-31 19:21:44.031181937 +0100
 @@ -809,7 +809,7 @@
 int rval = 0;
 
 for (add = 0, wlen = len; wlen - add  0; add++) {
 - if (strchr(\#$'()*;=?[\\]`{|}, s[add]) ||
 + if (strchr(\#$'()*:;=?[\\]`{|}, s[add]) ||
 strchr(ifs, s[add])) {
 if (putbuf_func(s, add) != 0) {
 rval = -1;

I think so too.

 
 Didn't send the diff; I think because of the general lack of interest in
 ksh patches in the past.

I don't think that's always true, sometimes the interested people
aren't interested that day, or in that patch. But as a project, we
strongly encourage people to continue using ksh instead of resorting
to bash, so keeping ksh working and usable is important.

In general, I think no feedback is closer to good feedback than bad
feedback.



PF policy routing route-to rules don’t catch any packet

2013-06-03 Thread Raimundo Santos
Hi there!

I asked, without an answer, something about nat-to and real IPs. Well, I
really need an answer there, so if someone has a clue, I will be glad to
hear it :)

Now, to the new issue!

Here in our WiFi ISP we have contracted a tproxy service from FreeBSD
Brasil. It is somehow working, but I cannot figure out exactly how. Here
is a diagram of the desired paths:

http://devio.us/~raitech/Obsd53PfTproxy.png

These are my rules by now:

RFC1918 = "{ 172.16/12, 192.168/16, 10/8, 127/8 }"
table <INT_NET> persist { internal nets, all valid IPs }

ext_if_1 = em0
ext_gw_1 = 187.72.X.X
ext_ip_1 = 187.72.X.X

ext_if_2 = em1
ext_gw_2 = 187.72.X.X
ext_ip_2 = 187.72.X.X

ext_if_3 = alc0
ext_gw_3 = 187.72.X.X
ext_ip_3 = 187.72.X.X

int_if_1 = em2
int_gw_1 = 187.72.X.X
int_ip_1 = 187.72.X.X

squid_master_if = em3
squid_master_gw = 187.72.X.X
squid_master_ip = 187.72.X.X

set limit states 6304000
set limit tables 5000
set limit src-nodes 20
set limit frags 3000
set optimization aggressive
set state-defaults pflow, no-sync

set skip on lo

block in log quick on {  \
 $ext_if_1,\
 $ext_if_2,\
 $ext_if_3,\
 $squid_master_if, \
 $int_if_1 } from $RFC1918 label "blocking RFC1918"

# trying to prioritize ACKs...
match set prio (3,5)
# ... and all http/https traffic over the others
match proto tcp to port { http, https } set prio (5,6)
match proto tcp from port { http, https } set prio (5,6)

match proto tcp to port { ssh, 9876 } set prio (5,7)

pass in on $int_if_1 proto tcp from { <INT_NET>, $int_gw_1 } to port http \
 route-to ($squid_master_if $squid_master_gw)

pass in on { $ext_if_1, $ext_if_2, $ext_if_3 } proto tcp from port http \
 to { <INT_NET>, $int_gw_1 } \
 route-to ($squid_master_if $squid_master_gw)

pass in on $squid_master_if proto tcp from { <INT_NET>, $int_gw_1 } to \
 port http no state route-to \
{ \
  ($ext_if_1 $ext_gw_1) , \
  ($ext_if_2 $ext_gw_2)   \
} least-states label "cache external outbound balancing"

pass in on $squid_master_if proto tcp from port http \
 to { <INT_NET>, $int_gw_1 } route-to ($int_if_1 $int_gw_1) \
 label "cache internal outbound routing"

And here is the pfctl -vsr output:

block drop in log quick on em0 inet from 172.16.0.0/12 to any label "blocking RFC1918"
  [ Evaluations: 61764339  Packets: 332   Bytes: 32854   States: 0 ]
  [ Inserted: uid 0 pid 19584 State Creations: 0 ]
block drop in log quick on em0 inet from 192.168.0.0/16 to any label "blocking RFC1918"
  [ Evaluations: 5883927   Packets: 114   Bytes: 28621   States: 0 ]
  [ Inserted: uid 0 pid 19584 State Creations: 0 ]
block drop in log quick on em0 inet from 10.0.0.0/8 to any label "blocking RFC1918"
  [ Evaluations: 5883813   Packets: 170   Bytes: 18354   States: 0 ]
  [ Inserted: uid 0 pid 19584 State Creations: 0 ]
block drop in log quick on em0 inet from 127.0.0.0/8 to any label "blocking RFC1918"
  [ Evaluations: 5883643   Packets: 0     Bytes: 0       States: 0 ]
  [ Inserted: uid 0 pid 19584 State Creations: 0 ]
block drop in log quick on em1 inet from 172.16.0.0/12 to any label "blocking RFC1918"
  [ Evaluations: 60684174  Packets: 305   Bytes: 30912   States: 0 ]
  [ Inserted: uid 0 pid 19584 State Creations: 0 ]
block drop in log quick on em1 inet from 192.168.0.0/16 to any label "blocking RFC1918"
  [ Evaluations: 6862827   Packets: 93    Bytes: 9232    States: 0 ]
  [ Inserted: uid 0 pid 19584 State Creations: 0 ]
block drop in log quick on em1 inet from 10.0.0.0/8 to any label "blocking RFC1918"
  [ Evaluations: 6862734   Packets: 196   Bytes: 19396   States: 0 ]
  [ Inserted: uid 0 pid 19584 State Creations: 0 ]
block drop in log quick on em1 inet from 127.0.0.0/8 to any label "blocking RFC1918"
  [ Evaluations: 6862538   Packets: 0     Bytes: 0       States: 0 ]
  [ Inserted: uid 0 pid 19584 State Creations: 0 ]
block drop in log quick on alc0 inet from 172.16.0.0/12 to any label "blocking RFC1918"
  [ Evaluations: 50726925  Packets: 304   Bytes: 30856   States: 0 ]
  [ Inserted: uid 0 pid 19584 State Creations: 0 ]
block drop in log quick on alc0 inet from 192.168.0.0/16 to any label "blocking RFC1918"
  [ Evaluations: 1251      Packets: 79    Bytes: 8268    States: 0 ]
  [ Inserted: uid 0 pid 19584 State Creations: 0 ]
block drop in log quick on alc0 inet from 10.0.0.0/8 to any label "blocking RFC1918"
  [ Evaluations: 1172      Packets: 152   Bytes: 16948   States: 0 ]
  [ Inserted: uid 0 pid 19584 State Creations: 0 ]
block drop in log quick on alc0 inet from 127.0.0.0/8 to any label "blocking RFC1918"
  [ Evaluations: 1020      Packets: 0     Bytes: 0       States: 0 ]
  [ Inserted: uid 0 pid 19584 State Creations: 0 ]
block drop in log quick on em3 inet from 172.16.0.0/12 to any label "blocking RFC1918"
  [ Evaluations: 50726392  Packets: 304   Bytes: 30856   States: 0 ]
  [ Inserted: uid 0 pid 

Re: bug in ksh tab complete

2013-06-03 Thread Jérémie Courrèges-Anglas
Ted Unangst t...@tedunangst.com writes:

[...]

 If ksh is going to treat : as magic, then it needs to escape it when
 autocompleting. (step 2 above)

I do agree, but... why should ':' be special?

-- 
Jérémie Courrèges-Anglas
PGP Key fingerprint: 61DB D9A0 00A4 67CF 2A90  8961 6191 8FBF 06A1 1494



Re: bug in ksh tab complete

2013-06-03 Thread Philip Guenther
On Mon, Jun 3, 2013 at 9:29 AM, Jérémie Courrèges-Anglas j...@wxcvbn.org 
wrote:
 Ted Unangst t...@tedunangst.com writes:
 If ksh is going to treat : as magic, then it needs to escape it when
 autocompleting. (step 2 above)

 I do agree, but... why should ':' be special?

So that things like
   PATH=/usr/local/bin:/usr/b<tab>
and
   scp target:/etc/pas<tab>

will autocomplete the paths to the right of the colon.


Philip Guenther



Re: ALTQ(32bit)

2013-06-03 Thread Chris Cappuccio
Andy [a...@brandwatch.com] wrote:
 Hi,
 
 We're really looking forward to improvements in ALTQ too.
 
 And we are /really/ hoping that the queues can either be shared across 
 interfaces (so your WAN downstream bandwidth doesn't have to be sliced 
 up and divided up across all the internal interfaces), or that you can 
 create queues on the external interface's 'ingress' flow.
 
 I know this opens a can of worms as many say you can't theoretically 
 shape inbound bandwidth as you've already received the packets, however 
 we do shape inbound bandwidth and it works brilliantly! But you have to 
 do it on each of the internal interfaces egress (hence having to slice 
 up the total downstream), so connections receiving too many downstream 
 packets are slowed by dropping some of the already received TCP packets 
 (not perfect but it works).

You should post your ruleset. It sounds like you may be able to get some
better performance without new functionality.

 
 Also, whilst I'm wishing, I'm looking forward to the day that the
 FQ_Codel algorithms etc., which significantly improve buffer-bloat, are
 in OpenBSD (now in Linux 3.7 :)
 

Honestly, who cares about buffer bloat? Just because it's a
popular issue in some circles does not mean that anything you do
on your openbsd firewall is going to affect the problem one way or
another. 



Re: bug in ksh tab complete

2013-06-03 Thread Marc Espie
On Mon, Jun 03, 2013 at 09:33:25AM -0700, Philip Guenther wrote:
 On Mon, Jun 3, 2013 at 9:29 AM, Jérémie Courrèges-Anglas j...@wxcvbn.org 
 wrote:
  Ted Unangst t...@tedunangst.com writes:
  If ksh is going to treat : as magic, then it needs to escape it when
  autocompleting. (step 2 above)
 
  I do agree, but... why should ':' be special?
 
 So that things like
    PATH=/usr/local/bin:/usr/b<tab>
 and
    scp target:/etc/pas<tab>
 
 will autocomplete the paths to the right of the colon.

The right fix would probably be to make :: not special... good luck with
that :)



Re: bug in ksh tab complete

2013-06-03 Thread Jérémie Courrèges-Anglas
Philip Guenther guent...@gmail.com writes:

 On Mon, Jun 3, 2013 at 9:29 AM, Jérémie Courrèges-Anglas j...@wxcvbn.org 
 wrote:
 Ted Unangst t...@tedunangst.com writes:
 If ksh is going to treat : as magic, then it needs to escape it when
 autocompleting. (step 2 above)

 I do agree, but... why should ':' be special?

 So that things like
    PATH=/usr/local/bin:/usr/b<tab>
 and
    scp target:/etc/pas<tab>

 will autocomplete the paths to the right of the colon.

Makes sense.  I don't remember having relied on that behaviour.

-- 
Jérémie Courrèges-Anglas
PGP Key fingerprint: 61DB D9A0 00A4 67CF 2A90  8961 6191 8FBF 06A1 1494



PANIC when loading pf rules

2013-06-03 Thread Raimundo Santos
Hello!

If you are following my debut here in misc@ (if not, please help me to put
our OpenBSD to rock this network!), you are somehow familiar with my
problems. I was trying to reproduce the panic in another context, but
unsuccessfully... it only happens in production. Well, this is the ruleset:

RFC1918 = "{ 172.16/12, 192.168/16, 10/8, 127/8 }"

table <INT_NET> persist { internal valid IPs }

ext_if_1 = em0
ext_gw_1 = 187.72.X.X
ext_ip_1 = 187.72.

ext_if_2 = em1
ext_gw_2 = 187.72.X.X
ext_ip_2 = 187.72.X.X

ext_if_3 = alc0
ext_gw_3 = 187.72.X.X
ext_ip_3 = 187.72.X.X

int_if_1 = em2
int_gw_1 = 187.72.X.X
int_ip_1 = 187.72.X.X

squid_master_if = em3
squid_master_gw = 187.72.X.X
squid_master_ip = 187.72.X.X

# increase default state limit from 10'000 states on busy systems
set limit states 6304000
set limit tables 5000
set limit src-nodes 20
set limit frags 3000
set optimization aggressive
set state-defaults pflow, no-sync

set skip on lo

# block private nets
block in log quick on {  \
 $ext_if_1,\
 $ext_if_2,\
 $ext_if_3,\
 $squid_master_if, \
 $int_if_1 } from $RFC1918 label "blocking RFC1918"

match on { $ext_if_1, $ext_if_2, $ext_if_3 } set prio (3,5)
match on $int_if_1 set prio (3,5)
match on $squid_master_if set prio (3,5)
match proto tcp to port { ssh, 9876 } set prio (5,7)

## outbound balancing
pass in on $int_if_1 from $int_gw_1 route-to \
{ \
  ($ext_if_1 $ext_gw_1) , \
  ($ext_if_2 $ext_gw_2) weight 10, \
  ($ext_if_3 $ext_gw_3)   \
} least-states set prio (4,6) label "outbound balancing NATed"

pass in on $int_if_1 from <INT_NET> route-to \
{ \
  ($ext_if_1 $ext_gw_1) , \
  ($ext_if_2 $ext_gw_2) weight 10, \
  ($ext_if_3 $ext_gw_3)   \
} least-states set prio (4,6) label "outbound balancing all but NATed"

And the only thing I could save was:

May 29 19:38:18 monster /bsd: fatal integer divide fault in supervisor mode
May 29 19:38:18 monster /bsd: trap type 8 code 0 rip 80272252 cs 8
rflags 10246 cr2  208444010 cpl 5 rsp 8000330cd920
May 29 19:38:18 monster /bsd: panic: trap type 8, code=0,
pc=80272252
May 29 19:38:18 monster /bsd: Starting stack trace...
May 29 19:38:18 monster /bsd: panic() at panic+0xf5
May 29 19:38:18 monster /bsd: trap() at trap+0x7f1
May 29 19:38:18 monster /bsd: --- trap (number 8) ---
May 29 19:38:18 monster /bsd: pf_map_addr() at pf_map_addr+0x8c2
May 29 19:38:18 monster /bsd: pf_set_rt_ifp() at pf_set_rt_ifp+0xf9
May 29 19:38:18 monster /bsd: pf_test_rule() at pf_test_rule+0xe3d
May 29 19:38:18 monster /bsd: pf_test() at pf_test+0xd15
May 29 19:38:18 monster /bsd: ipv4_input() at ipv4_input+0x230
May 29 19:38:18 monster /bsd: ipintr() at ipintr+0x7f
May 29 19:38:18 monster /bsd: netintr() at netintr+0xd5
May 29 19:38:18 monster /bsd: softintr_dispatch() at softintr_dispatch+0x5d
May 29 19:38:18 monster /bsd: Xsoftnet() at Xsoftnet+0x2d
May 29 19:38:18 monster /bsd: --- interrupt ---
May 29 19:38:18 monster /bsd: end trace frame: 0x0, count: 246
May 29 19:38:18 monster /bsd: 0x8:
May 29 19:38:18 monster /bsd: End of stack trace.
May 29 19:38:18 monster /bsd: syncing disks... splassert: assertwaitok:
want -1 have 1
May 29 19:38:18 monster /bsd: splassert: assertwaitok: want -1 have 1
May 29 19:38:18 monster last message repeated 21 times
May 29 19:38:18 monster /bsd: done
May 29 19:38:18 monster /bsd: done
May 29 19:38:18 monster /bsd: dump to dev 4,1 not possible
May 29 19:38:18 monster /bsd: rebooting...

Loading it at boot time, the same problem. Loading it after another working
ruleset, the same problem. This is just annoying, because I cannot do the
balancing with PF in this way. The problematic rules, in my tests (at 4 a.m.,
lowest traffic over the network - I guess some pr0n and torrents), are the
ones for load balancing outbound traffic that arrives in on $int_if_1 (em2).

My other needs are:

- putting traffic from/to Akamai and other CDNs over an emergency link, by
  nat-to;
- putting port 80 traffic to the web over $squid_master, a proprietary cache
  solution from FreeBSD Brasil - this is almost working, but I notice some
  problems.

But all of these are in other threads; I am just citing them here.

A fresh dmesg:

OpenBSD 5.3 (GENERIC.MP) #62: Tue Mar 12 18:21:20 MDT 2013
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

5.3 relayd instability -- crashes with hce exiting

2013-06-03 Thread Andrew Klettke

Hey all,

Ever since upgrading to 5.3 on a pair of firewalls whose main job is
running relayd, we're seeing significant instability compared to the 5.2
version. Right now we're seeing relayd crash around 8 times a day, with
the following not-so-informative error message, 'hce exiting' (names of
relays and IPs edited out):

relay ***, session 39269 (43 active), 0, ***.***.19.132 -> ***.***.15.81:80, done
relay ***, session 38573 (43 active), 0, ***.***.93.209 -> :0, closed
relay_close: sessions inflight decremented, now 0
relay ***, session 38318 (40 active), 0, ***.***.93.209 -> ***.***.15.104:443, done
relay ***, session 39165 (44 active), 0, ***.***.19.132 -> ***.***.15.81:80, done
hce exiting, pid 19342
relay ***, session 38371 (43 active), 0, ***.***.93.209 -> ***.***.15.104:443, done
kill_tables: deleted 2 tables
flush_rulesets: flushed rules
relay_close: sessions inflight decremented, now 1
relay_close: sessions inflight decremented, now 0
relay_close: sessions inflight decremented, now 0
relay exiting, pid 2067
pfe exiting, pid 12850
relay exiting, pid 20156
relay exiting, pid 7514
relay_close: sessions inflight decremented, now 0
relay exiting, pid 576
relay exiting, pid 3186
parent terminating, pid 11155
relay exiting, pid 26777
relay exiting, pid 19108
relay exiting, pid 4265


When these firewalls were running 5.2, we saw relayd crash maybe 3-4
times a month with these same settings and load levels; now it's
occurring around 10 times a day. I was hoping for any ideas or hints on
where to look next. These are production firewalls, so I'm waiting on
word from the customer about if/when I can drop in compiled relayd and
relayctl binaries from the -CURRENT source tree.


dmesg:

OpenBSD 5.3 (GENERIC.MP) #58: Tue Mar 12 18:43:53 MDT 2013
dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP

Re: 5.3 relayd instability -- crashes with hce exiting

2013-06-03 Thread Sebastian Benoit
Hi,

Unfortunately you do not show your config file, so I have to guess (you can
send it to me in private if you do not want to send it to a mailing list).

Do you have a relay or redirect with ssl in your config?

Please try the attached patch; it's against -current, but should apply
on 5.3.

Apply by doing:
cd /usr/src/usr.sbin/relayd/
patch < thisemail
make obj
make depend
make
make install

/Benno

Index: ssl.c
===
RCS file: /cvs/src/usr.sbin/relayd/ssl.c,v
retrieving revision 1.18
diff -u -p -r1.18 ssl.c
--- ssl.c   30 May 2013 20:17:12 -  1.18
+++ ssl.c   31 May 2013 20:16:35 -
@@ -220,8 +220,10 @@ ssl_cleanup(struct ctl_tcp_event *cte)
SSL_shutdown(cte-ssl);
SSL_clear(cte-ssl);
}
-   if (cte-buf != NULL)
+   if (cte-buf != NULL) {
ibuf_free(cte-buf);
+   cte-buf = NULL;
+   }
 }
 
 void
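Review bot: Resetting cte->buf to NULL right after ibuf_free() is the correct fix for the case where ssl_cleanup() runs more than once on the same ctl_tcp_event: without it the second call passes a dangling pointer to ibuf_free(), which is a double free and a plausible cause of the hce process dying. The same owned-pointer discipline should be checked for the other fields this function touches (the lines above shut down and clear cte->ssl but do not show it being freed or reset, so a later path that frees it needs the same NULL assignment), and the commit message should name which caller can reach ssl_cleanup() twice so the 'hce exiting' crash report is traceable to this change.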




Re: 5.3 relayd instability -- crashes with hce exiting

2013-06-03 Thread Andrew Klettke

Thanks very much Sebastian,

I'll try this and let you know how it goes once I'm cleared to do so.

Thanks,

Andrew Klettke
Systems Admin
Optic Fusion


PHPUnit2 on OBSD 5.3

2013-06-03 Thread Tito Mari Francis Escaño
Good day,
I was trying to set up a PHP 5.x development environment and was planning to
have PHPUnit for unit testing purposes and other test-driven development
tasks, so I installed the pear-PHPUnit2 package.
However, when I tried to run PHPUnit, it doesn't work; there isn't even a
CLI command for it. Can somebody please advise me how to go forward with
this?
Thank you very much and have a great day.