Re: how to "aggregate" a single TCP connection, is possible?

2013-10-01 Thread Abel Abraham Camarillo Ojeda
> On Fri, 23 Aug 2013 18:39:29 -0500, Abel Abraham Camarillo Ojeda wrote:
>> Not yet, will test.
>>
>> On Thu, Aug 22, 2013 at 7:05 AM, Stuart Henderson wrote:
>>> On 2013-08-22, Abel Abraham Camarillo Ojeda wrote:
>>>> Is there a way to duplicate the throughput of a single
>>>> TCP connection using two servers having two gigabit NICs?
>>>>
>>>> I have tried using LACP but I cannot get more than
>>>> 900MB of throughput...
>>>
>>> LACP uses a hash over IP addresses/vlan tags/flowlabel to avoid problems
>>> with out-of-order packet delivery. (Similar for equal-cost multipath).
>>> Have you tried a roundrobin trunk yet?

Stuart:

Trying between two obsd hosts only (no switch) I was able to get
more than 1000Mb speed testing with tcpbench, but only using large
values for the -n option (-n >16)...

Is there a way to aggregate (reliably) a single TCP connection using an
LACP capable switch between two OpenBSD hosts?

I'm using this:

http://www.amazon.com/Cisco-SG200-26P-Ethernet-Mini-GBIC-SLM2024PT/dp/B004GHMU5Q

Thanks



Re: OpenOSPFd and CARP Masters

2013-10-01 Thread Stuart Henderson
On 2013-10-01, Andy  wrote:
> Is there a way of ensuring that the CARP master is the one which is 
> FULL/DR, and the CARP backup is FULL/BDR?

No, but does it matter anyway? I don't believe it affects route selection,
and you wouldn't usually want more network instability from having a DR
election when the devices change CARP state..



Re: key precedence in ssh

2013-10-01 Thread Lars Nooden
On Tue, 1 Oct 2013, Christian Weisgerber wrote:

> Lars Noodén  wrote:
> 
> > Is there a way in ssh(1) to get the identity specified by -i to take 
> > precedence over what is already in the agent?
> 
> IdentitiesOnly, see ssh_config(5).
> 
> -- 
> Christian "naddy" Weisgerber  na...@mips.inka.de

Thanks.  I should have seen it.

Regards,
/Lars



[OT] OpenBSD "Network Specialist" wanted in Kilgore, Texas

2013-10-01 Thread James Shupe
I know this is off topic, but I'm looking to help fill my old position 
after moving away from East Texas.


The company is located in Kilgore, Texas and runs a WAN based heavily on 
OpenBSD (over a hundred OpenBSD boxes in router/firewall/VPN roles) and 
Cisco/ Netgear Prosafe switches. They are looking for somebody who is 
experienced with OpenBSD and capable of designing, implementing, and 
maintaining OpenBSD infrastructure as well as supporting FreeBSD, Linux, 
and Windows servers. The company is stable, has been around for several 
decades, and has a few hundred full time employees.


A few highlights of what you will need to know:
- i386/amd64 hardware (Alix, Soekris, Supermicro, HP, Dell)
- OpenBSD/ FreeBSD/ CentOS/ VMware ESXi
- BGP/ OSPF/ EIGRP
- LACP/ VLANs, subnetting, etc
- PF/ iptables/ Cisco ACLs
- IPv6 (the deployment is dual stack, so this is a huge plus)
- ZFS
- Perl

There is an existing employee who is still there and has a good 
understanding of the existing infrastructure, so you wouldn't be working 
alone. Not everything is necessarily expected right away, but the 
ability and willingness to learn is.


Salary is DOE and ranges from 52-72K for this specific position, but any 
applicants would unfortunately be expected to cover their own relocation 
costs because of the way funding is distributed. This is an on site 
position and telecommuting is off the table. Email me privately for more 
information.


--
James Shupe, HermeTek
developer/ engineer
BSD/ Linux support & hosting
jsh...@hermetek.com | www.hermetek.com
Office 8662351288 | Mobile 9035223425



Re: OpenOSPFd and CARP Masters

2013-10-01 Thread Brian Hechinger
I'm not sure because at that point I gave up on CARP completely and just let
OSPF fail over to the secondary firewall if the first stops working.

-brian

On Oct 1, 2013, at 10:01, Andy  wrote:

> On 01/10/13 14:32, Brian Hechinger wrote:
>> On Tue, Oct 01, 2013 at 09:19:20AM +0100, Andy wrote:
>>> Also is there no way to have the CARP IP be the IP which is advertised
>>> as the neighbor ensuring that traffic is always sent to the CARP IP
>>> instead (I would MUCH prefer this!).
>> I spent an enormous amount of time trying to answer this same question.
>> What I ended up coming up with was that the answer was definitely not.
>> 
>> It's unfortunate and I no longer remember the exact reason why.
>> 
>> I wish I were wrong. Using the CARP interface for OSPF would be
>> wonderful.
>> 
>> -brian
> 
> I couldn't agree more!
> 
> Is there a way of ensuring that the CARP master is the one which is FULL/DR, 
> and the CARP backup is FULL/BDR?
> 
> At the moment I seem to have some of my CARP backup firewalls being the 
> Designated Router
> 
> Cheers, Andy.



Re: key precedence in ssh

2013-10-01 Thread Christian Weisgerber
Lars Noodén  wrote:

> Is there a way in ssh(1) to get the identity specified by -i to take 
> precedence over what is already in the agent?

IdentitiesOnly, see ssh_config(5).

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: [OT] quotes speedup sed

2013-10-01 Thread Denis Fondras
On 01/10/2013 16:56, Alexander Hall wrote:
> Without the quotes you get it all on a single line. A 45k line can be tough 
> on a regex.
> 

Thank you very much Alexander :)

Denis



Re: OpenOSPFd and CARP Masters

2013-10-01 Thread Marko Cupać
I have a setup where a central cisco connects downstream to branch office
cisco routers and upstream to the Internet via a pair of CARPed firewalls.

Cisco routers speak OSPF between themselves, and I keep them all in area
0 (I don't see any reason to complicate it with more areas). Central cisco
router also speaks OSPF to CARPed firewalls, but not in order to learn
the default route (as the only way to the Internet is through them I
have set it up statically on central cisco router so next-hop IP address
is CARP address), but in order for CARP firewalls to learn routes to
branch offices.

So, on master firewall I have:
router-priority 0
router-id 192.168.228.2
area 0.0.0.0 {
interface bnx0 { metric 100 }
}

On backup firewall I have:
router-priority 0
router-id 192.168.228.3
area 0.0.0.0 {
interface bnx0 { metric 200 }
}

Maybe google translate can help you with the translation of my detailed
howto (in Serbian):
https://www.mimar.rs/openbsd-na-obodu-korporacijske-mreze/
-- 
Marko Cupać



Re: [OT] quotes speedup sed

2013-10-01 Thread Alexander Hall
Without the quotes you get it all on a single line. A 45k line can be tough on 
a regex.

/Alexander

j...@wxcvbn.org wrote:
>Denis Fondras  writes:
>
>> Hello all,
>
>Hi,
>
>> This afternoon I stumbled upon a weirdness I can't explain. I hope some
>> misc-guru can give a clue.
>>
>> I was parsing a 45kB html document on my OpenBSD 5.3 with the help of
>> sed to extract a value and it was awfully slow. Quoting the input string
>> gave it a real boost :
>>
>> $ time echo "$webpage" | sed -n -r
>> 's/(.*)\"token\":\"([a-zA-Z0-9]+)\"(.*)/\2/p'
>> 0m0.19s real 0m0.00s user 0m0.00s system
>>
>> $ time echo $webpage | sed -n -r
>> 's/(.*)\"token\":\"([a-zA-Z0-9]+)\"(.*)/\2/p'>
>> 2m14.39s real 2m12.95s user 0m0.00s system
>>
>>
>> What could be the explanation ?
>
>Without the quotes the shell performs splitting, maybe ksh(1) is a bit
>slow at this...  I'd rather download the page to a temp file rather than
>put that stuff into memory.
>
>> Doing the same with GNU sed is instantaneous in both case (quoted/unquoted).
>
>Just by replacing sed by gsed, on the same system?
>
>> Thank you in advance,
>> Denis



key precedence in ssh

2013-10-01 Thread Lars Noodén
Is there a way in ssh(1) to get the identity specified by -i to take 
precedence over what is already in the agent?

When six keys are added into ssh-agent(1), authentication is not possible 
with a seventh, or later, key even if that final key is pointed to by 
ssh(1) explicitly using -i.

  $ ssh-add -l
  2048 f6:46:87:70:e2:c4:9d:7f:a0:08:26:76:aa:7e:c2:c2 test_key_1 (RSA)
  2048 35:d7:21:d5:4c:3f:2d:d4:4b:89:c3:2f:a2:f4:3f:e4 test_key_2 (RSA)
  2048 ab:94:cf:5e:c9:e9:81:b1:74:ec:8b:91:a5:e9:46:ea test_key_3 (RSA)
  2048 4a:44:e1:b5:7c:eb:0b:21:09:87:b7:3d:86:19:6e:cf test_key_4 (RSA)
  2048 5e:d6:0c:1b:c8:67:1d:f7:5c:34:09:bd:22:f6:0d:e1 test_key_5 (RSA)
  2048 9a:7d:ab:1e:97:06:e1:06:ca:8e:40:62:32:8c:45:03 test_key_6 (RSA)

  $ ssh -i test_key_7 f...@xx.yy.zz.aa
  Received disconnect from xx.yy.zz.aa: 2: Too many authentication
  failures for foo

If a valid identity is in the first six, it is let through by the server.  
On the server side, MaxAuthTries can be increased beyond the default of 6 
to allow more identities to be tried.  It looks like the identities in the 
agent are tried first regardless of what the value of -i is with ssh(1) 
before -i is tried.  The same goes for setting IdentityFile in ssh_config.

This is with OpenSSH 6.3 from a recent snapshot on the client and 
5.3-stable on the server.

regards, 
/Lars



Re: OpenOSPFd and CARP Masters

2013-10-01 Thread Janne Johansson
For 5.4, plus54.html states:

"Reinstate ospfd(8) code to announce routes to backup carp interfaces, so
that a specific route is maintained during failover."
..which I think means it actually will announce it when being carp slave,
but with a higher cost/metric/whateveritsname.



2013/10/1 Andy 

> On Tue 01 Oct 2013 15:01:32 BST, Andy wrote:
>
>> On 01/10/13 14:32, Brian Hechinger wrote:
>>
>>> On Tue, Oct 01, 2013 at 09:19:20AM +0100, Andy wrote:
>>>
>>>> Also is there no way to have the CARP IP be the IP which is advertised
>>>> as the neighbor ensuring that traffic is always sent to the CARP IP
>>>> instead (I would MUCH prefer this!).

>>> I spent an enormous amount of time trying to answer this same question.
>>> What I ended up coming up with was that the answer was definitely not.
>>>
>>> It's unfortunate and I no longer remember the exact reason why.
>>>
>>> I wish I were wrong. Using the CARP interface for OSPF would be
>>> wonderful.
>>>
>>> -brian
>>>
>>
>> I couldn't agree more!
>>
>> Is there a way of ensuring that the CARP master is the one which is
>> FULL/DR, and the CARP backup is FULL/BDR?
>>
>> At the moment I seem to have some of my CARP backup firewalls being
>> the Designated Router
>>
>> Cheers, Andy.
>>
>>
> Think I just answered my own question by not reading the documentation
> closely enough!
>
> http://www.openbsd.org/papers/linuxtag06-network.pdf
> "The big change is that "redistribute connected" got replaced with a
> "interface carp0". This ensures that the announced network depends on the
> interface state of carp0. It is not recommended to use "redistribute
> connected" with carp(4) because the connected route is attached to the
> parent interface and so depends on the link state of that interface and not
> of the carp(4) one. The result would be that the router with the backup
> carp(4) interface will announce the network as well."
>
> Although, I would ideally still like the CARP backup to announce but for
> it to be the BDR as opposed to not announcing at all as the above seems to
> indicate.
> I guess I can't do this.
>
> Thanks :)
> Andy
>
>


-- 
May the most significant bit of your life be positive.



Re: OpenOSPFd and CARP Masters

2013-10-01 Thread Andy

On Tue 01 Oct 2013 15:01:32 BST, Andy wrote:
> On 01/10/13 14:32, Brian Hechinger wrote:
>> On Tue, Oct 01, 2013 at 09:19:20AM +0100, Andy wrote:
>>> Also is there no way to have the CARP IP be the IP which is advertised
>>> as the neighbor ensuring that traffic is always sent to the CARP IP
>>> instead (I would MUCH prefer this!).
>>
>> I spent an enormous amount of time trying to answer this same question.
>> What I ended up coming up with was that the answer was definitely not.
>>
>> It's unfortunate and I no longer remember the exact reason why.
>>
>> I wish I were wrong. Using the CARP interface for OSPF would be
>> wonderful.
>>
>> -brian
>
> I couldn't agree more!
>
> Is there a way of ensuring that the CARP master is the one which is
> FULL/DR, and the CARP backup is FULL/BDR?
>
> At the moment I seem to have some of my CARP backup firewalls being
> the Designated Router
>
> Cheers, Andy.



Think I just answered my own question by not reading the documentation 
closely enough!

http://www.openbsd.org/papers/linuxtag06-network.pdf
"The big change is that "redistribute connected" got replaced with a
"interface carp0". This ensures that the announced network depends on the
interface state of carp0. It is not recommended to use "redistribute
connected" with carp(4) because the connected route is attached to the
parent interface and so depends on the link state of that interface and not
of the carp(4) one. The result would be that the router with the backup
carp(4) interface will announce the network as well."

Although, I would ideally still like the CARP backup to announce but 
for it to be the BDR as opposed to not announcing at all as the above 
seems to indicate.

I guess I can't do this.

Thanks :)
Andy



Re: OpenOSPFd and CARP Masters

2013-10-01 Thread Andy

On 01/10/13 14:32, Brian Hechinger wrote:
> On Tue, Oct 01, 2013 at 09:19:20AM +0100, Andy wrote:
>> Also is there no way to have the CARP IP be the IP which is advertised
>> as the neighbor ensuring that traffic is always sent to the CARP IP
>> instead (I would MUCH prefer this!).
>
> I spent an enormous amount of time trying to answer this same question.
> What I ended up coming up with was that the answer was definitely not.
>
> It's unfortunate and I no longer remember the exact reason why.
>
> I wish I were wrong. Using the CARP interface for OSPF would be
> wonderful.
>
> -brian

I couldn't agree more!

Is there a way of ensuring that the CARP master is the one which is 
FULL/DR, and the CARP backup is FULL/BDR?

At the moment I seem to have some of my CARP backup firewalls being the 
Designated Router

Cheers, Andy.



Re: how routing multicast traffic?

2013-10-01 Thread Remco
Koenig, Thomas wrote:

> Hello,
> 
> I try to route some multicast traffic between two networks, but it does
> not work.
> 
> em0: inet 10.100.1.1 netmask 0x broadcast 10.100.255.255
> em1: inet 192.168.251.251 netmask 0xff00 broadcast 192.168.251.255
> 
> Multicast address: 239.192.1.1 Port 12345
> Sender in em1, client in em0 network.
> 
> 
> changes in /etc/rc.conf:
> mrouted_flags=NO
> multicast_router=YES
> 
> changes in /etc/sysctl.conf:
> net.inet.ip.mforwarding=1
> 
> full /etc/igmpproxy.conf:
> phyint em1 upstream  ratelimit 0  threshold 1
> altnet 239.0.0.0/8
> phyint em0 downstream  ratelimit 0  threshold 1
> phyint lo0 disabled
> 
> 
> igmpproxy log:
> Current routing table (Insert Route);
> -
> Debu: #5: Dst: 239.192.1.1, Age:2, St: I, OutVifs: 0x0001
> 
> 
> tcpdump -npi em1 multicast
> tcpdump: listening on em1, link-type EN10MB
> 12:31:50.348887 192.168.251.1.51946 > 239.192.1.1.12345: udp 30 (DF)
> [ttl 1]
> 12:31:51.349844 192.168.251.1.51946 > 239.192.1.1.12345: udp 30 (DF)
> [ttl 1]
> 12:31:52.350939 192.168.251.1.51946 > 239.192.1.1.12345: udp 30 (DF)
> [ttl 1]
> 12:31:53.351810 192.168.251.1.51946 > 239.192.1.1.12345: udp 30 (DF)
> [ttl 1]
> 12:31:54.352781 192.168.251.1.51946 > 239.192.1.1.12345: udp 30 (DF)
> [ttl 1]
> 

I'm not 100% sure how to interpret the [ttl 1] value. Assuming it's the ttl as 
received by the router, in order to cross the router you need to send packets 
with a ttl > 1.

I found this in my personal notes:
"Every router will decrease the TTL by one. So the TTL determines how many 
routers can be crossed and how far packets will travel.

TTL (sender)  destination
   0  host
   1  local network
  >1  beyond local network"

> tcpdump on em0:
> -> no packets
> 
> 
> What am I doing wrong?
> Thx in advance for any help.
> 
> Regards,
> Thomas



[sot] going long long on time_t

2013-10-01 Thread Mayuresh Kathe
went through theo's presentation slides at eurobsdcon (via undeadly)
looks like 5.5 is the one that i've been saving money for all along
thanks theo and gang. :)



Broken IPSec tunnels with latest snapshot

2013-10-01 Thread mxb
Hello list@,

I've recently snapshotted several amd64-machines

from:

 OpenBSD 5.3 (GENERIC.MP) #55: Fri Mar  1 09:13:04 MST 2013
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

to:

Sep 30 on ftp.eu.openbsd.org

OpenBSD 5.4-current (GENERIC.MP) #58: Sat Sep 14 13:27:19 MDT 2013
t...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP


This broke my isakmpd-tunnels between boxes with recent snapshot, but NOT 
between boxes with old/new.
No configuration changes to pf.conf/ipsec.conf/isakmpd.conf, just new kernel 
and userland.

Also, this broke tunnels between new snap and racoon on Linux.

Any ideas?

I'm seeing this below while running "isakmpd -d4KD A=50":

 - local IP for local machine.

141754.884545 Timr 10 timer_handle_expirations: event 
message_send_expire(0x202e77600)
141754.884684 Timr 10 timer_handle_expirations: event 
message_send_expire(0x202e77900)
141754.884802 Timr 10 timer_handle_expirations: event 
message_send_expire(0x20ec11800)
141754.885000 Timr 10 timer_handle_expirations: event 
message_send_expire(0x20ec11d00)
141754.885275 Trpt 30 transport_send_messages: message 0x202e77600 scheduled 
for retransmission 3 in 11 secs
141754.885290 Timr 10 timer_add_event: event message_send_expire(0x202e77600) 
added before connection_checker(0x20f9be8c0), expiration in 11s
141754.885318 Trpt 30 transport_send_messages: message 0x202e77900 scheduled 
for retransmission 3 in 11 secs
141754.885339 Timr 10 timer_add_event: event message_send_expire(0x202e77900) 
added before connection_checker(0x20f9be8c0), expiration in 11s
141754.885384 Trpt 30 transport_send_messages: message 0x20ec11800 scheduled 
for retransmission 3 in 11 secs
141754.885407 Timr 10 timer_add_event: event message_send_expire(0x20ec11800) 
added before connection_checker(0x20f9be8c0), expiration in 11s
141754.885442 Trpt 30 transport_send_messages: message 0x20ec11d00 scheduled 
for retransmission 3 in 11 secs
141754.885452 Timr 10 timer_add_event: event message_send_expire(0x20ec11d00) 
added before connection_checker(0x20f9be8c0), expiration in 11s
141805.894765 Timr 10 timer_handle_expirations: event 
message_send_expire(0x202e77600)
141805.894906 Timr 10 timer_handle_expirations: event 
message_send_expire(0x202e77900)
141805.895025 Timr 10 timer_handle_expirations: event 
message_send_expire(0x20ec11800)
141805.895232 Timr 10 timer_handle_expirations: event 
message_send_expire(0x20ec11d00)
141805.895520 Default transport_send_messages: giving up on exchange peer--local-, no response from peer :500
141805.895531 Mesg 20 message_free: freeing 0x202e77600
141805.895570 Default transport_send_messages: giving up on exchange peer--local-, no response from peer :500
141805.895578 Mesg 20 message_free: freeing 0x202e77900
141805.895646 Default transport_send_messages: giving up on exchange peer--local-, no response from peer :500
141805.895655 Mesg 20 message_free: freeing 0x20ec11800
141805.895694 Default transport_send_messages: giving up on exchange peer--local-, no response from peer :500
141805.895717 Mesg 20 message_free: freeing 0x20ec11d00
141838.875436 Timr 10 timer_handle_expirations: event 
connection_checker(0x20f9be8c0)
141838.875528 Timr 10 timer_add_event: event connection_checker(0x20f9be8c0) 
added last, expiration in 60s
141838.875548 Exch 40 exchange_establish: peer--local- 
exchange already exists as 0x20ec10800
141838.875557 Timr 10 timer_handle_expirations: event 
connection_checker(0x20f9be460)
141838.875569 Timr 10 timer_add_event: event connection_checker(0x20f9be460) 
added last, expiration in 60s
141838.875582 Exch 40 exchange_establish: peer--local- 
exchange already exists as 0x20ec10600
141838.875590 Timr 10 timer_handle_expirations: event 
connection_checker(0x20eb28e80)
141838.875618 Timr 10 timer_add_event: event connection_checker(0x20eb28e80) 
added last, expiration in 60s
141838.875630 Exch 40 exchange_establish: peer--local- 
exchange already exists as 0x2088b6200
141838.875638 Timr 10 timer_handle_expirations: event 
connection_checker(0x20f9bec60)
141838.875649 Timr 10 timer_add_event: event connection_checker(0x20f9bec60) 
added last, expiration in 60s
141838.875661 Exch 40 exchange_establish: peer--local- 
exchange already exists as 0x2088b6c00
141938.876867 Timr 10 timer_handle_expirations: event 
exchange_free_aux(0x20ec10800)
141938.876908 Exch 20 exchange_establish_finalize: finalizing exchange 
0x20ec10800 with arg 0x202374c80 (from--to-) & fail = 1
141938.876941 Exch 20 exchange_establish_finalize: finalizing exchange 
0x20ec10800 with arg 0x202374f00 (from--to-) & fail = 1
141938.876958 Timr 10 timer_handle_expirations: event 
exchange_free_aux(0x20ec10600)
141938.876971 Exch 20 exchange_establish_finalize: finalizing exchange 
0x20ec10600 with arg 0x204cb6a00 (from--to-) & fail = 1
141938.876992 Exch 20 exchange_establish_finalize: finalizing exchange 
0x20ec10600 with arg 0x204cb63c0 (from--to-) & fail = 1
141938.877020 Timr 10 timer_handle_expiratio

Re: OpenOSPFd and CARP Masters

2013-10-01 Thread Theo de Raadt
> PS; Is there any support like BFD (Bidirectional Forward Detection) in 
> OpenBSD to improve the link failure detection time for OSPF and or BGP 
> seeing as the routers and OpenBSD boxes are connected via Layer 2 
> switches links (three types of up-links to the Cisco cores are being 
> used; VPLS, MPLS, and back-haul).

We don't have such a thing.  It would be really nice if someone would sit
down and write one.  Whoever that is, talk to myself and claudio about
some concerns.



Re: [OT] quotes speedup sed

2013-10-01 Thread Denis Fondras
Hi Jérémie,

> Without the quotes the shell performs splitting, maybe ksh(1) is a bit
> slow at this...  I'd rather download the page to a temp file rather than
> put that stuff into memory.
> 

Ok, thank you. This is actually faster when I use a tempfile.
(sed is even faster than gsed in that case)

> 
> Just by replacing sed by gsed, on the same system?
> 

Yes, just a simple "pkg_add gsed-4.2.2.tgz" and
$ time echo $webpage | gsed -n -r
's/(.*)\"token\":\"([a-zA-Z0-9]+)\"(.*)/\2/p'

Denis



Re: [OT] quotes speedup sed

2013-10-01 Thread Jérémie Courrèges-Anglas
Denis Fondras  writes:

> Hello all,

Hi,

> This afternoon I stumbled upon a weirdness I can't explain. I hope some
> misc-guru can give a clue.
>
> I was parsing a 45kB html document on my OpenBSD 5.3 with the help of
> sed to extract a value and it was awfully slow. Quoting the input string
> gave it a real boost :
>
> $ time echo "$webpage" | sed -n -r
> 's/(.*)\"token\":\"([a-zA-Z0-9]+)\"(.*)/\2/p'
> 0m0.19s real 0m0.00s user 0m0.00s system
>
> $ time echo $webpage | sed -n -r
> 's/(.*)\"token\":\"([a-zA-Z0-9]+)\"(.*)/\2/p'>
> 2m14.39s real 2m12.95s user 0m0.00s system
>
>
> What could be the explanation ?

Without the quotes the shell performs splitting, maybe ksh(1) is a bit
slow at this...  I'd rather download the page to a temp file rather than
put that stuff into memory.

> Doing the same with GNU sed is instantaneous in both case (quoted/unquoted).

Just by replacing sed by gsed, on the same system?

> Thank you in advance,
> Denis

-- 
jca | PGP: 0x06A11494 / 61DB D9A0 00A4 67CF 2A90  8961 6191 8FBF 06A1 1494
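As an added example (not code from the thread), the behaviour Alexander and Jérémie describe, run on a constructed stand-in for the 45 kB `$webpage`: unquoted expansion word-splits the document onto a single line before sed sees it, so every `.*` then backtracks across the whole page; the temp-file variant is Jérémie's suggestion.

```shell
#!/bin/sh
# Added example, not from the thread: what the shell does to $webpage before
# sed sees it. $webpage here is a constructed stand-in for the real page.
webpage='<html>
  <body>
    var cfg = {"token":"abc123XYZ"};
    done
  </body>
</html>'

# Same extraction as in the thread, written as a BRE so any sed accepts it.
TOKEN_RE='s/.*"token":"\([a-zA-Z0-9]*\)".*/\1/p'

# Quoted: the value is passed as one argument with its newlines intact, so
# sed works line by line and only the short "token" line has to be matched.
lines_quoted() {
    echo "$webpage" | wc -l | tr -d ' '
}

# Unquoted: the shell first splits the value on $IFS (space, tab, newline),
# then applies pathname expansion to every resulting word, and echo joins
# the words back with single spaces. sed receives the whole page as ONE
# line, and each .* in the expression now backtracks across the entire
# document. (Passing untrusted web content through unquoted expansion is
# also how stray globs and option-like words reach commands; always quote.)
lines_unquoted() {
    echo $webpage | wc -l | tr -d ' '
}

extract_token_quoted() {
    echo "$webpage" | sed -n "$TOKEN_RE"
}

# Jérémie's alternative: keep the page in a file and point sed at it, so no
# shell expansion touches the data at all.
extract_token_from_file() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$webpage" > "$tmp"
    sed -n "$TOKEN_RE" "$tmp"
    rm -f "$tmp"
}

echo "quoted: $(lines_quoted) line(s), unquoted: $(lines_unquoted) line(s)"
echo "token: $(extract_token_quoted) / $(extract_token_from_file)"
```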



how routing multicast traffic?

2013-10-01 Thread Koenig, Thomas
Hello,

I try to route some multicast traffic between two networks, but it does
not work.

em0: inet 10.100.1.1 netmask 0x broadcast 10.100.255.255
em1: inet 192.168.251.251 netmask 0xff00 broadcast 192.168.251.255

Multicast address: 239.192.1.1 Port 12345
Sender in em1, client in em0 network.


changes in /etc/rc.conf:
mrouted_flags=NO
multicast_router=YES  

changes in /etc/sysctl.conf:
net.inet.ip.mforwarding=1

full /etc/igmpproxy.conf:
phyint em1 upstream  ratelimit 0  threshold 1
altnet 239.0.0.0/8
phyint em0 downstream  ratelimit 0  threshold 1
phyint lo0 disabled


igmpproxy log:
Current routing table (Insert Route);
-
Debu: #5: Dst: 239.192.1.1, Age:2, St: I, OutVifs: 0x0001


tcpdump -npi em1 multicast 
tcpdump: listening on em1, link-type EN10MB
12:31:50.348887 192.168.251.1.51946 > 239.192.1.1.12345: udp 30 (DF)
[ttl 1]
12:31:51.349844 192.168.251.1.51946 > 239.192.1.1.12345: udp 30 (DF)
[ttl 1]
12:31:52.350939 192.168.251.1.51946 > 239.192.1.1.12345: udp 30 (DF)
[ttl 1]
12:31:53.351810 192.168.251.1.51946 > 239.192.1.1.12345: udp 30 (DF)
[ttl 1]
12:31:54.352781 192.168.251.1.51946 > 239.192.1.1.12345: udp 30 (DF)
[ttl 1]

tcpdump on em0:
-> no packets 


What am I doing wrong?
Thx in advance for any help.

Regards,
Thomas



Re: (5.3) load problem on em(4) MSI / interrupt ?

2013-10-01 Thread Stuart Henderson
On 2013-10-01, Patrick Lamaiziere  wrote:
> Hello,
>
> With OpenBSD 5.3, our firewall does not handle our network load well.
> We lose around 5% of packets and netstat shows a lot of Ierr.
>
> That worked much better with 5.1. There was a change to not enable MSI
> on 82572 chipset on our Intel card ( "Intel PRO/1000 QP (82571EB)" rev 0x06) 
> in 5.2 :
>  
> http://freshbsd.org/commit/openbsd/a47ca448720823019bc6c618bf178a47fd1af73a
>
> My question is: could it be the cause of our load problem ?
>
> 5.1:
> em0 at pci5 dev 0 function 0 "Intel PRO/1000 QP (82571EB)" rev 0x06: msi, 
> address 00:15:17:ed:98:9d
> em1 at pci5 dev 0 function 1 "Intel PRO/1000 QP (82571EB)" rev 0x06: msi, 
> address 00:15:17:ed:98:9c
> em2 at pci6 dev 0 function 0 "Intel PRO/1000 QP (82571EB)" rev 0x06: msi, 
> address 00:15:17:ed:98:9f
> em3 at pci6 dev 0 function 1 "Intel PRO/1000 QP (82571EB)" rev 0x06: msi, 
> address 00:15:17:ed:98:9e
>
> 5.3 (on another box with the same hardware):
> em0 at pci5 dev 0 function 0 "Intel PRO/1000 QP (82571EB)" rev 0x06: apic 1 
> int 13, address 00:15:17:ed:98:65
> em1 at pci5 dev 0 function 1 "Intel PRO/1000 QP (82571EB)" rev 0x06: apic 1 
> int 6, address 00:15:17:ed:98:64
> em2 at pci6 dev 0 function 0 "Intel PRO/1000 QP (82571EB)" rev 0x06: apic 1 
> int 15, address 00:15:17:ed:98:67
> em3 at pci6 dev 0 function 1 "Intel PRO/1000 QP (82571EB)" rev 0x06: apic 1 
> int 13, address 00:15:17:ed:98:66
>
> We don't have any problem with this card, how can we re-enable MSI (without 
> reverting this change)?

Simplest way to test is to just revert that change in your source tree..
That will identify whether this issue is due to disabling MSI, or whether
it's due to one of the many other changes between 5.1 and 5.3..



(5.3) load problem on em(4) MSI / interrupt ?

2013-10-01 Thread Patrick Lamaiziere
Hello,

With OpenBSD 5.3, our firewall does not handle our network load well.
We lose around 5% of packets and netstat shows a lot of Ierr.

That worked much better with 5.1. There was a change to not enable MSI
on 82572 chipset on our Intel card ( "Intel PRO/1000 QP (82571EB)" rev 0x06) in 
5.2 :
 
http://freshbsd.org/commit/openbsd/a47ca448720823019bc6c618bf178a47fd1af73a

My question is: could it be the cause of our load problem ?

5.1:
em0 at pci5 dev 0 function 0 "Intel PRO/1000 QP (82571EB)" rev 0x06: msi, 
address 00:15:17:ed:98:9d
em1 at pci5 dev 0 function 1 "Intel PRO/1000 QP (82571EB)" rev 0x06: msi, 
address 00:15:17:ed:98:9c
em2 at pci6 dev 0 function 0 "Intel PRO/1000 QP (82571EB)" rev 0x06: msi, 
address 00:15:17:ed:98:9f
em3 at pci6 dev 0 function 1 "Intel PRO/1000 QP (82571EB)" rev 0x06: msi, 
address 00:15:17:ed:98:9e

5.3 (on another box with the same hardware):
em0 at pci5 dev 0 function 0 "Intel PRO/1000 QP (82571EB)" rev 0x06: apic 1 int 
13, address 00:15:17:ed:98:65
em1 at pci5 dev 0 function 1 "Intel PRO/1000 QP (82571EB)" rev 0x06: apic 1 int 
6, address 00:15:17:ed:98:64
em2 at pci6 dev 0 function 0 "Intel PRO/1000 QP (82571EB)" rev 0x06: apic 1 int 
15, address 00:15:17:ed:98:67
em3 at pci6 dev 0 function 1 "Intel PRO/1000 QP (82571EB)" rev 0x06: apic 1 int 
13, address 00:15:17:ed:98:66

We don't have any problem with this card, how can we re-enable MSI (without 
reverting this change)?

Thanks, regards.



Re: OpenOSPFd and CARP Masters

2013-10-01 Thread Andy
PS; Is there any support like BFD (Bidirectional Forward Detection) in 
OpenBSD to improve the link failure detection time for OSPF and or BGP 
seeing as the routers and OpenBSD boxes are connected via Layer 2 
switches links (three types of up-links to the Cisco cores are being 
used; VPLS, MPLS, and back-haul).


Thanks :)
Andy

On Tue 01 Oct 2013 09:19:20 BST, Andy wrote:
> Hello,
>
> I have started deploying OSPF in our test environment before deploying
> it out to the production network.
>
> We have two Cisco ASR 1002 IOS XE routers in the middle of our Area 0
> which have the Transit connections to the rest of the world etc.
>
> And we have OpenBSD firewalls (CARP pairs etc) located at each of our
> main sites (3 sites in total). Each site is connected up to the two
> core cisco routers via layer 2 links via 3 interfaces on each Cisco
> router.
>
> All interfaces on the Cisco routers are area 0, and the OpenBSD
> firewalls external interfaces which connect up to the Cisco's are also
> area 0 to act as ABR's. Behind each OpenBSD pair at each of the 3
> sites will be a different OSPF area.
>
> I am struggling to work out how I should best configure ospfd.conf
> with regards to CARP? I have come across discussion in the Internet
> with people saying that if traffic is received on the back OpenBSD box
> and it has no connection to the LAN, it should send the traffic to the
> other firewall via the PFSYNC crossover link. But I cannot find any
> examples of how to actually achieve this?
>
> Also is there no way to have the CARP IP be the IP which is advertised
> as the neighbor ensuring that traffic is always sent to the CARP IP
> instead (I would MUCH prefer this!).
>
> Finally I have read the man pages but I cannot see how to best use the
> 'demote' attribute to increase the carp demotion counter?
>
> I have read 'Routing with OpenBSD using OpenOSPFD and OpenBGPD', but
> this only shows an example where the internal LAN connection is a CARP.
>
> I have no choice but to run these as both firewalls and routers and I
> must have CARP for redundancy etc.
>
> Any advice or good URLs would be greatly appreciated.
> Thanks, Andy.




OpenOSPFd and CARP Masters

2013-10-01 Thread Andy

Hello,

I have started deploying OSPF in our test environment before deploying 
it out to the production network.


We have two Cisco ASR 1002 IOS XE routers in the middle of our Area 0 
which have the Transit connections to the rest of the world etc.


And we have OpenBSD firewalls (CARP pairs etc) located at each of our 
main sites (3 sites in total). Each site is connected up to the two core 
cisco routers via layer 2 links via 3 interfaces on each Cisco router.


All interfaces on the Cisco routers are area 0, and the OpenBSD 
firewalls external interfaces which connect up to the Cisco's are also 
area 0 to act as ABR's. Behind each OpenBSD pair at each of the 3 sites 
will be a different OSPF area.


I am struggling to work out how I should best configure ospfd.conf with 
regards to CARP? I have come across discussion in the Internet with 
people saying that if traffic is received on the back OpenBSD box and it 
has no connection to the LAN, it should send the traffic to the other 
firewall via the PFSYNC crossover link. But I cannot find any examples 
of how to actually achieve this?


Also is there no way to have the CARP IP be the IP which is advertised 
as the neighbor ensuring that traffic is always sent to the CARP IP 
instead (I would MUCH prefer this!).


Finally I have read the man pages but I cannot see how to best use the 
'demote' attribute to increase the carp demotion counter?


I have read 'Routing with OpenBSD using OpenOSPFD and OpenBGPD', but 
this only shows an example where the internal LAN connection is a CARP.


I have no choice but to run these as both firewalls and routers and I 
must have CARP for redundancy etc.


Any advice or good URLs would be greatly appreciated.
Thanks, Andy.



iked: ikev2 eats CPU after ikectl reload

2013-10-01 Thread LEVAI Daniel
Hi!

For me, on two different 5.3-stable machines a simple ikectl reload
triggers a loop in the 'iked: ikev2' process. Aborting 'iked: ikev2' a
few times, it usually gets the signal in event_queue_remove() in
event_del().

To reproduce, basically I just start iked (no matter with what
parameters), invoke `ikectl reload`, then after ~2 seconds ikev2 starts
spinning. It doesn't even need an iked.conf; it is just an empty file.

In more detail: I started /sbin/iked -dvv, executed ikectl reload,
waited until "config_getcompile: compilation done" showed up in iked's
terminal, then saw iked's processor use rise in top(1), then pkill
-ABRT -f ikev2. Now I saved these coredumps under different names,
iked.core-[0-9]+, then executed gdb in a loop from a shell and got the
bt from every (currently six) coredump [1].

I also recompiled libevent with -DUSE_DEBUG (then recompiled sbin/iked),
and saved iked -dvv's (and libevent's) output on the terminal [2].

Anyone got any idea what could be going on?


[1]:
= iked.core-1 =
Core was generated by `iked'.
Program terminated with signal 6, Aborted.
#0  event_queue_insert (base=0x7feddc00, ev=0x7d10a48c, queue=8) at 
/usr/src/lib/libevent/event.c:1000
1000		switch (queue) {
#0  event_queue_insert (base=0x7feddc00, ev=0x7d10a48c, queue=8) at 
/usr/src/lib/libevent/event.c:1000
#1  0x1c032a7d in event_base_loop (base=0x7feddc00, flags=0) at 
/usr/src/lib/libevent/event.c:952
#2  0x1c032b3a in event_loop (flags=0) at /usr/src/lib/libevent/event.c:478
#3  0x1c032b52 in event_dispatch () at /usr/src/lib/libevent/event.c:416
#4  0x1c028184 in proc_run (ps=0x7d10a4e0, p=0x3c03e47c, procs=0x3c03e520, 
nproc=3, init=0, arg=0x0) at /usr/src/sbin/iked/proc.c:276
#5  0x1c00a69c in ikev2 (ps=0x7d10a4e0, p=0x3c03e47c) at 
/usr/src/sbin/iked/ikev2.c:114
#6  0x1c02797a in proc_init (ps=0x7d10a4e0, p=0x3c03e47c, nproc=3) at 
/usr/src/sbin/iked/proc.c:61
#7  0x1c00955a in main (argc=2, argv=0xcfbc8ad8) at 
/usr/src/sbin/iked/iked.c:157

= iked.core-2 =
Core was generated by `iked'.
Program terminated with signal 6, Aborted.
#0  event_base_loop (base=0x8b986000, flags=0) at min_heap.h:65
65  struct event* min_heap_top(min_heap_t* s) { return s->n ? *s->p : 0; }
#0  event_base_loop (base=0x8b986000, flags=0) at min_heap.h:65
#1  0x1c032b3a in event_loop (flags=0) at /usr/src/lib/libevent/event.c:478
#2  0x1c032b52 in event_dispatch () at /usr/src/lib/libevent/event.c:416
#3  0x1c028184 in proc_run (ps=0x8b6074e0, p=0x3c03e47c, procs=0x3c03e520, 
nproc=3, init=0, arg=0x0) at /usr/src/sbin/iked/proc.c:276
#4  0x1c00a69c in ikev2 (ps=0x8b6074e0, p=0x3c03e47c) at 
/usr/src/sbin/iked/ikev2.c:114
#5  0x1c02797a in proc_init (ps=0x8b6074e0, p=0x3c03e47c, nproc=3) at 
/usr/src/sbin/iked/proc.c:61
#6  0x1c00955a in main (argc=2, argv=0xcfbecc8c) at 
/usr/src/sbin/iked/iked.c:157

= iked.core-3 =
Core was generated by `iked'.
Program terminated with signal 6, Aborted.
#0  event_queue_insert (base=0x7f44fc00, ev=0x8a86848c, queue=8) at 
/usr/src/lib/libevent/event.c:1016
1016	}
#0  event_queue_insert (base=0x7f44fc00, ev=0x8a86848c, queue=8) at 
/usr/src/lib/libevent/event.c:1016
#1  0x1c032a7d in event_base_loop (base=0x7f44fc00, flags=0) at 
/usr/src/lib/libevent/event.c:952
#2  0x1c032b3a in event_loop (flags=0) at /usr/src/lib/libevent/event.c:478
#3  0x1c032b52 in event_dispatch () at /usr/src/lib/libevent/event.c:416
#4  0x1c028184 in proc_run (ps=0x8a8684e0, p=0x3c03e47c, procs=0x3c03e520, 
nproc=3, init=0, arg=0x0) at /usr/src/sbin/iked/proc.c:276
#5  0x1c00a69c in ikev2 (ps=0x8a8684e0, p=0x3c03e47c) at 
/usr/src/sbin/iked/ikev2.c:114
#6  0x1c02797a in proc_init (ps=0x8a8684e0, p=0x3c03e47c, nproc=3) at 
/usr/src/sbin/iked/proc.c:61
#7  0x1c00955a in main (argc=2, argv=0xcfbdef30) at 
/usr/src/sbin/iked/iked.c:157

= iked.core-4 =
Core was generated by `iked'.
Program terminated with signal 6, Aborted.
#0  event_queue_remove (base=0x8abaf000, ev=0x88a7848c, queue=8) at 
/usr/src/lib/libevent/event.c:958
958 {
#0  event_queue_remove (base=0x8abaf000, ev=0x88a7848c, queue=8) at 
/usr/src/lib/libevent/event.c:958
#1  0x1c0321ee in event_del (ev=0x88a7848c) at /usr/src/lib/libevent/event.c:836
#2  0x1c032a65 in event_base_loop (base=0x8abaf000, flags=0) at 
/usr/src/lib/libevent/event.c:948
#3  0x1c032b3a in event_loop (flags=0) at /usr/src/lib/libevent/event.c:478
#4  0x1c032b52 in event_dispatch () at /usr/src/lib/libevent/event.c:416
#5  0x1c028184 in proc_run (ps=0x88a784e0, p=0x3c03e47c, procs=0x3c03e520, 
nproc=3, init=0, arg=0x0) at /usr/src/sbin/iked/proc.c:276
#6  0x1c00a69c in ikev2 (ps=0x88a784e0, p=0x3c03e47c) at 
/usr/src/sbin/iked/ikev2.c:114
#7  0x1c02797a in proc_init (ps=0x88a784e0, p=0x3c03e47c, nproc=3) at 
/usr/src/sbin/iked/proc.c:61
#8  0x1c00955a in main (argc=2, argv=0xcfbf3c1c) at 
/usr/src/sbin/iked/iked.c:157

= iked.core-5 =
Core