Intermediate cert in relayd?
Hi list, I'm planning to configure SSL offloading using relayd(8). The manpage for relayd.conf(5) states the following: ``If the ssl keyword is present, the relay will accept connections using the encrypted SSL protocol. The relay will attempt to look up a private key in /etc/ssl/private/address:port.key and a public certificate in /etc/ssl/address:port.crt, where address is the specified IP address and port is the specified port that the relay listens on. If these files are not present, the relay will continue to look in /etc/ssl/private/address.key and /etc/ssl/address.crt. See ssl(8) for details about SSL server certificates.'' However, I also got an intermediate certificate provided by my CA. Using it in Apache, e.g., is no problem, however I wonder how to get this configured in(to) relayd... any clues? Thanks, best, Bernd
ipsec or iked to deploy under openbsd carp fws
Hi all, I need to deploy IPSec tunnels (lan-to-lan and roadwarrior clients like linux and windows) under two openbsd carp firewalls. Searching in google and reading some docs, I have several doubts about which one to choose. If I am not wrong, iked doesn't support sasyncd, is it correct?? What option can be best to deploy in these firewalls: ipsec (ipsec.conf and isakmpd) or iked? Thanks.
Re: ipsec or iked to deploy under openbsd carp fws
On Mon, Dec 2, 2013 at 8:13 AM, C. L. Martinez carlopm...@gmail.com wrote: Hi all, I need to deploy IPSec tunnels (lan-to-lan and roadwarrior clients like linux and windows) under two openbsd carp firewalls. Searching in google and reading some docs, I have several doubts about which one to choose. If I am not wrong, iked doesn't support sasyncd, is it correct?? What option can be best to deploy in these firewalls: ipsec (ipsec.conf and isakmpd) or iked? Thanks.

Sorry, I am using openbsd 5.4 in these fws.
Re: 10G with Intel card - GBIC options
Hmm surprised by that! Henning, could you please confirm for us if the 32bit bandwidth limit was lifted in the new queuing subsystem, or if it is just still in place whilst dual-running the new and the old? I guess considering Hrvoje's findings the limit is still in place until ALTQ is removed completely in 5.5?? Cheers, Andy.

On Fri 29 Nov 2013 22:10:20 GMT, Hrvoje Popovski wrote:
On 29.11.2013. 17:08, Andy wrote: PS; I hope you have reeaaaly fast servers.. NB; ALTQ is currently 32bit so you cannot queue faster than 4 and a bit gig, unless you go for Hennings new queueing system which I'm still yet to do when I actually find time..

Hi, I'm not sure if new queueing system is faster than 4.3Gbps or pfctl -nvf pf.conf is lying or interface must be up and running to see real bandwidth with pfctl -vvsq. I can't test it because I have one ix card. Will try to lend another ix card to see.

# ifconfig ix0
ix0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
        lladdr 90:e2:ba:19:29:a8
        priority: 0
        media: Ethernet autoselect
        status: no carrier
        inet 10.22.22.1 netmask 0xff00 broadcast 10.22.22.255

pf.conf with 10G on ix0:
queue queue@ix0 on ix0 bandwidth 10G max 10G
queue ackn@ix0 parent queue@ix0 bandwidth 5G
queue bulk@ix0 parent queue@ix0 bandwidth 5G default
match on ix0 set ( queue (bulk@ix0i, ackn@ix0), prio (1,7) )

pfctl -nvf pf.conf
queue queue@ix0 on ix0 bandwidth 1G, max 1G
queue ackn@ix0 parent queue@ix0 on ix0 bandwidth 705M
queue bulk@ix0 parent queue@ix0 on ix0 bandwidth 705M default

pfctl -vvsq
queue queue@ix0 on ix0 bandwidth 1G, max 1G qlimit 50
queue ack@ix0 parent queue@ix0 on ix0 bandwidth 705M qlimit 50
queue bulk@ix0 parent queue@ix0 on ix0 bandwidth 705M default qlimit 50

pf.conf with 6G on ix0:
queue queue@ix0 on ix0 bandwidth 6G max 6G
queue ackn@ix0 parent queue@ix0 bandwidth 3G
queue bulk@ix0 parent queue@ix0 bandwidth 3G default
match on ix0 set ( queue (bulk@ix0i, ackn@ix0), prio (1,7) )

pfctl -nvf pf.conf
queue queue@ix0 on ix0 bandwidth 1G, max 1G
queue ackn@ix0 parent queue@ix0 on ix0 bandwidth 3G
queue bulk@ix0 parent queue@ix0 on ix0 bandwidth 3G default

pfctl -vvsq
queue queue@ix0 on ix0 bandwidth 1G, max 1G qlimit 50
queue ackn@ix0 parent queue@ix0 on ix0 bandwidth 3G qlimit 50
queue bulk@ix0 parent queue@ix0 on ix0 bandwidth 3G default qlimit 50

pf.conf with 4G on ix0:
queue queue@ix0 on ix0 bandwidth 4G max 4G
queue ackn@ix0 parent queue@ix0 bandwidth 2G
queue bulk@ix0 parent queue@ix0 bandwidth 2G default
match on ix0 set ( queue (bulk@ix0i, ackn@ix0), prio (1,7) )

pfctl -nvf pf.conf
queue queue@ix0 on ix0 bandwidth 4G, max 4G
queue ackn@ix0 parent queue@ix0 on ix0 bandwidth 2G
queue bulk@ix0 parent queue@ix0 on ix0 bandwidth 2G default

pfctl -vvsq
queue queue@ix0 on ix0 bandwidth 4G, max 4G qlimit 50
queue ackn@ix0 parent queue@ix0 on ix0 bandwidth 2G qlimit 50
queue bulk@ix0 parent queue@ix0 on ix0 bandwidth 2G default qlimit 50
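An added example, not code from the thread or from pfctl, that reproduces Hrvoje's numbers under the assumption that the parsed bandwidth is stored in a 32-bit field (the limit Andy asks about) and that K/M/G are decimal multiples of 1000 as in pfctl; the unit formatter only mimics the shape of the values shown above, not pfctl's own printer:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Largest rate a 32-bit bandwidth field can hold, in bit/s:
 * 4294967295, i.e. "4 and a bit gig". */
#define BW_U32_MAX 4294967295ULL

/* Parse a pf.conf-style bandwidth ("10G", "705M", "3000") into bit/s.
 * Assumption: K/M/G are decimal multiples of 1000, as pfctl treats them.
 * Returns 0 on success, -1 on a malformed value. */
int parse_bw(const char *s, uint64_t *bps)
{
    char *end;
    unsigned long long v;
    uint64_t mult = 1;

    v = strtoull(s, &end, 10);
    if (end == s)
        return -1;
    switch (*end) {
    case '\0':
        break;
    case 'K': case 'k': mult = 1000ULL;       end++; break;
    case 'M': case 'm': mult = 1000000ULL;    end++; break;
    case 'G': case 'g': mult = 1000000000ULL; end++; break;
    default:
        return -1;
    }
    if (*end != '\0')
        return -1;
    *bps = (uint64_t)v * mult;
    return 0;
}

/* Parsed rate, or UINT64_MAX for a value parse_bw rejects. */
uint64_t parsed_bw(const char *s)
{
    uint64_t bps;
    return parse_bw(s, &bps) == 0 ? bps : UINT64_MAX;
}

/* What survives when the rate is stored in a u_int32_t: the value is
 * reduced modulo 2^32, silently, with no error from the parser. */
uint32_t store_u32(uint64_t bps)
{
    return (uint32_t)bps;
}

/* The wrapped rate for a config string (0 for a malformed string). */
uint32_t wrapped_bw(const char *s)
{
    uint64_t bps = parsed_bw(s);
    return bps == UINT64_MAX ? 0 : store_u32(bps);
}

/* 1 if the configured rate survives a 32-bit field unchanged: the check
 * worth running over a config before trusting the resulting queue tree. */
int bw_fits_u32(uint64_t bps)
{
    return bps <= BW_U32_MAX;
}

/* Render bit/s with integer unit truncation (1410065408 -> "1G",
 * 705032704 -> "705M"). Assumption: this reproduces the shape of the
 * numbers in the thread, not pfctl's own formatter. Static buffer. */
const char *fmt_bw(uint64_t bps)
{
    static char buf[32];
    unsigned long long v = bps;

    if (v >= 1000000000ULL)
        snprintf(buf, sizeof buf, "%lluG", v / 1000000000ULL);
    else if (v >= 1000000ULL)
        snprintf(buf, sizeof buf, "%lluM", v / 1000000ULL);
    else if (v >= 1000ULL)
        snprintf(buf, sizeof buf, "%lluK", v / 1000ULL);
    else
        snprintf(buf, sizeof buf, "%llu", v);
    return buf;
}

int main(void)
{
    /* The values Hrvoje put in pf.conf (constructed list). */
    const char *cfg[] = { "10G", "6G", "5G", "4G", "3G", "2G" };
    size_t i;

    printf("%-6s %14s %14s %6s %s\n", "conf", "bit/s", "in u32", "shown", "fits");
    for (i = 0; i < sizeof cfg / sizeof cfg[0]; i++) {
        uint64_t bps = parsed_bw(cfg[i]);
        uint32_t w = store_u32(bps);
        printf("%-6s %14llu %14u %6s %s\n", cfg[i],
               (unsigned long long)bps, w, fmt_bw(w),
               bw_fits_u32(bps) ? "yes" : "NO (wrapped)");
    }
    return 0;
}
```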
Re: 10G with Intel card - GBIC options
On 29/11/13 19:16, Andy wrote:
On Fri 29 Nov 2013 16:19:26 GMT, Kapetanakis Giannis wrote: Unfortunately on the Cisco part I don't have SFP+. I have XENPACK option only which gives me 3 options: SR ~ 3K GPL, LRM ~ 1.5K GPL (I can't find any LRM GBIC for Intel side), CX4 ~ 600 GPL
I'd avoid CX4, you won't find a CX4 NIC working well with OpenBSD nor would you want one tbh.. Stick with well known supported cards for OpenBSD..

Thanks for all the replies Andy. Are we totally sure about this? I'm talking about Intel - CX4 support on OpenBSD with ix(4). The manual page lists these:
o Intel 82598EB 10GbE Adapter (10GbaseCX4)
o Intel 82598EB Dual Port 10GbE Adapter (10GbaseCX4)
o Intel 82599EB 10GbE Adapter (10GbaseCX4)
Thanks Giannis
Re: 10G with Intel card - GBIC options
On Mon, Dec 02, 2013 at 11:36:31AM +0200, Kapetanakis Giannis wrote:
On 29/11/13 19:16, Andy wrote:
On Fri 29 Nov 2013 16:19:26 GMT, Kapetanakis Giannis wrote: Unfortunately on the Cisco part I don't have SFP+. I have XENPACK option only which gives me 3 options: SR ~ 3K GPL, LRM ~ 1.5K GPL (I can't find any LRM GBIC for Intel side), CX4 ~ 600 GPL
I'd avoid CX4, you won't find a CX4 NIC working well with OpenBSD nor would you want one tbh.. Stick with well known supported cards for OpenBSD..
Thanks for all the replies Andy. Are we totally sure about this? I'm talking about Intel - CX4 support on OpenBSD with ix(4). The manual page lists these:
o Intel 82598EB 10GbE Adapter (10GbaseCX4)
o Intel 82598EB Dual Port 10GbE Adapter (10GbaseCX4)
o Intel 82599EB 10GbE Adapter (10GbaseCX4)

CX4 should work fine but has mostly been replaced by SFP+ direct attach/copper and 10GBase-T with new cards.
Re: Intermediate cert in relayd?
On 02-12-2013 06:05, Bernd wrote: Hi list, I'm planning to configure SSL offloading using relayd(8). The manpage for relayd.conf(5) states the following: ``If the ssl keyword is present, the relay will accept connections using the encrypted SSL protocol. The relay will attempt to look up a private key in /etc/ssl/private/address:port.key and a public certificate in /etc/ssl/address:port.crt, where address is the specified IP address and port is the specified port that the relay listens on. If these files are not present, the relay will continue to look in /etc/ssl/private/address.key and /etc/ssl/address.crt. See ssl(8) for details about SSL server certificates.'' However, I also got an intermediate certificate provided by my CA. Using it in Apache, e.g., is no problem, however I wonder how to get this configured in(to) relayd... any clues? Thanks, best, Bernd

Bernd, You can try concatenating all your certs in one single file: the CA cert, intermediate cert and your cert. The order matters: your CA cert must be on the bottom of the file, the intermediate in the middle and your cert in the top. This might work. Your private key must still be kept in a separate file. Cheers,
-- Giancarlo Razzolini GPG: 4096R/77B981BC
Re: Should Android have used OpenBSD instead of Linux?
On Tue, Nov 26, 2013 at 02:00:53PM -0800, Chris Cappuccio wrote:
Chris Cappuccio [ch...@nmedia.net] wrote:
openda...@hushmail.com [openda...@hushmail.com] wrote: Hi, What are the ups and downs of replacing Linux with OpenBSD in Google's Android operating system? I guess this question would apply to the new Sailfish OS as well.
OpenBSD is designed for mobile phones. Of course Google should have used it.
Ok instead of my stupid smartass answer. How about this:
1. OpenBSD now includes KMS and could support systems like Wayland that, in theory, are probably better suited for mobile (or any modern graphics in general) than X11 (At least, the Nokia developer who spent years hacking X11 into the N900 series thinks so)
2. OpenBSD has a license that is well suited for inclusion into devices, even more so than GPLv2 (Although most manufacturers don't seem to mind the GPLv2 because Linus built in various exceptions into his model)
3. The chips that support these various phones are all proprietary, undocumented, and the manufacturers only produce support blobs to match the Linus licensing model and the Linux kernel on these devices.
4. OpenBSD has a tight and compact model that should be easy for embedded developers to embrace
5. OpenBSD does not currently do much to support various phones although it does have ever increasing support for ARMv7 chipsets which is what all of them run on (that and ARMv8 now)
Obviously the biggest hurdle is #3 and of course someone has to have the interest, which is invariably going to be a manufacturer, and currently manufacturers embrace Linux, because it has a lot of knowledge/attention/momentum in this area.

Yes, and also the fact that the userland for a phone or a tablet has to be quite different from the userland for a desktop/laptop kind of machine. Without a keyboard, you need touch-screen enabled applications to install the system, set it up and interact with it. And there are specific needs in terms of kernel services to be able to route audio to/from the phone part of your device, wake it up on incoming calls,... So this would not be OpenBSD, but merely a system based on a BSD-ish kernel plus some BSD base libs (libc, libm, what else). Most of the rest would need to be rewritten or ported from Android/Sailfish/Mozilla OS/... At EuroBSDCon 2004 in KA, in his Keynote lecture¹, Jordan Hubbard said he was seeing a future for NetBSD in this area, since they already had all the tools to cross-compile the base system in a much nicer way than linux. Well 9 years later this has not happened.
¹) http://2004.eurobsdcon.org/uploads/media/EBSD04_keynote.pdf page 48
-- Matthieu Herrb
Help troubleshooting performance problem
I'm not sure if you already investigated this but s.m.a.r.t. has quite many diagnostic info. Even if the drive has not actually been marked as broken. This is somewhat vendor dependent. I did not check these info with openbsd but it should be possible. Facts from my hard drives include: Bad sectors, read retries, write retries and so on (dumped with some windows tool)
Re: IPS hardware recomendation
On 29-11-2013 14:26, Andy wrote:
On Fri 29 Nov 2013 17:24:15 GMT, Andy wrote: Fastest you can buy!! Even then you probably struggle.. You'll need the fastest single core you can get your hands on for the network stack/OBSD kernel, and the other cores for Snort etc.. ...
On Fri 29 Nov 2013 16:08:39 GMT, deoxyt2 wrote: Hello guys. I need to install an IPS and of course I want to install this with OpenBSD, the throughput of network is 10Gbps on fiber-optic. What hardware supported by OpenBSD would you recommend for this function? Regards.

Thank you for your recommendations, will seek similar hardware. Regards.
-- deoxyt2.- http://deoxyt2.livejournal.com
Re: Help troubleshooting performance problem
On Mon, Dec 02, 2013 at 03:39:17PM +0100, Jan Lambertz wrote: I'm not sure if you already investigated this but s.m.a.r.t. has quite many diagnostic info. Even if the drive has not actually been marked as broken. This is somewhat vendor dependent. I did not check these info with openbsd but it should be possible.

You have smartmontools in packages.
---8<---
$ pkg_info smartmontools
Information for http://ftp.eu.openbsd.org/pub/OpenBSD/snapshots/packages/i386/smartmontools-6.1.tgz

Comment:
control and monitor storage systems using SMART

Description:
The smartmontools package contains two utility programs (smartctl and smartd) to control and monitor storage systems using the Self-Monitoring, Analysis and Reporting Technology System (SMART) built into most modern ATA and SCSI hard disks. In many cases, these utilities will provide advanced warning of disk degradation and failure.
---8<---

Facts from my hard drives include: Bad sectors, read retries, write retries and so on (dumped with some windows tool)

(I tried out smartmontools a couple of days ago and ran extensive tests on two disks in a RAID1 softraid. Both smartmontools and the BIOS test utility reported no errors, nevertheless I lost both disks - probably due to some damage caused by a failure with the PSU. Disks are black magic...)
Re: 10G with Intel card - GBIC options
Yea CX4 will work, its the chipset that matters. But CX4 is short range and superseded, and by using SFP+ you can pick and choose your transceivers for fibre or CAT cabling etc.

On Mon 02 Dec 2013 10:10:37 GMT, Jonathan Gray wrote:
On Mon, Dec 02, 2013 at 11:36:31AM +0200, Kapetanakis Giannis wrote:
On 29/11/13 19:16, Andy wrote:
On Fri 29 Nov 2013 16:19:26 GMT, Kapetanakis Giannis wrote: Unfortunately on the Cisco part I don't have SFP+. I have XENPACK option only which gives me 3 options: SR ~ 3K GPL, LRM ~ 1.5K GPL (I can't find any LRM GBIC for Intel side), CX4 ~ 600 GPL
I'd avoid CX4, you won't find a CX4 NIC working well with OpenBSD nor would you want one tbh.. Stick with well known supported cards for OpenBSD..
Thanks for all the replies Andy. Are we totally sure about this? I'm talking about Intel - CX4 support on OpenBSD with ix(4). The manual page lists these:
o Intel 82598EB 10GbE Adapter (10GbaseCX4)
o Intel 82598EB Dual Port 10GbE Adapter (10GbaseCX4)
o Intel 82599EB 10GbE Adapter (10GbaseCX4)
CX4 should work fine but has mostly been replaced by SFP+ direct attach/copper and 10GBase-T with new cards.
uvm_fault with OpenBSD 5.4
Hey guys, I have just upgraded two Dell servers (a PowerEdge R410 and a R320) to OpenBSD 5.4-stable -- before the upgrade, these machines were running 5.3-stable without a problem. After the upgrade to 5.4, both machines started to panic with a uvm_fault. (3 panics so far...) The panic messages are included below, extracted with a dmesg -M bsd.0.core -N bsd.0:

--
hw.machine=amd64
hw.model=Intel(R) Xeon(R) CPU E5-2403 0 @ 1.80GHz
hw.product=PowerEdge R320
uvm_fault(0x81c96be0, 0x804c2000, 0, 2) -> e
fatal page fault in supervisor mode
trap type 6 code 2 rip 8136f636 cs 8 rflags 10206 cr2 804c2000 cpl 0 rsp 80002215fa38
panic: trap type 6, code=2, pc=8136f636
Starting stack trace...
panic() at panic+0xf5
trap() at trap+0x7f1
--- trap (number 6) ---
memmove() at memmove+0x16
mfi_mgmt() at mfi_mgmt+0x6a
mfi_bio_getitall() at mfi_bio_getitall+0x22e
mfi_ioctl_vol() at mfi_ioctl_vol+0x1f
mfi_refresh_sensors() at mfi_refresh_sensors+0xbf
sensor_task_work() at sensor_task_work+0x21
workq_thread() at workq_thread+0x33
end trace frame: 0x0, count: 248
End of stack trace.
--
hw.machine=amd64
hw.model=Intel(R) Xeon(R) CPU X5660 @ 2.80GHz
hw.product=PowerEdge R410
uvm_fault(0x81c96be0, 0x80766000, 0, 2) -> e
fatal page fault in supervisor mode
trap type 6 code 2 rip 8136f636 cs 8 rflags 10206 cr2 80766000 cpl 0 rsp 80002614fa38
panic: trap type 6, code=2, pc=8136f636
Starting stack trace...
panic() at panic+0xf5
trap() at trap+0x7f1
--- trap (number 6) ---
memmove() at memmove+0x16
mfi_mgmt() at mfi_mgmt+0x6a
mfi_bio_getitall() at mfi_bio_getitall+0x22e
mfi_ioctl_vol() at mfi_ioctl_vol+0x1f
mfi_refresh_sensors() at mfi_refresh_sensors+0xbf
sensor_task_work() at sensor_task_work+0x21
workq_thread() at workq_thread+0x33
end trace frame: 0x0, count: 248
End of stack trace.
--

Anybody else having similar problems? Thanks,
-- Kor
Re: 10G with Intel card - GBIC options
On 02/12/13 17:15, Andy wrote: Yea CX4 will work, its the chipset that matters. But CX4 is short range and superseded, and by using SFP+ you can pick and choose your transceivers for fibre or CAT cabling etc. Well the Cisco CX4 costs ~ 600$ List price, while the SR one costs 3.000$ List price. That's my main problem... I would love to go for the SFP+ path but we cannot afford it, so the CX4 seems like my only choice so far if it's ok with OBSD. G
Re: Should Android have used OpenBSD instead of Linux?
On Sat, Nov 30, 2013 at 6:41 PM, Mikael mikael.tr...@gmail.com wrote: just like everyone else, i would love to see an openbsd powered android phone. but i think the elephant in the room no one is talking about is performance. without getting into running bad code faster vs running good code slower, openbsd is simply slow. Last time me and Paul de Weerd have checked the performance of OpenBSD vs Linux, OpenBSD was 0.5% slower than linux. That was mainly network latency check, granted one-sighted. I am sure that if I had tweaked the intel network driver in OpenBSD, fish would win. Max
Re: Help troubleshooting performance problem
On Mon, 2 Dec 2013, Erling Westenvik wrote:
On Mon, Dec 02, 2013 at 03:39:17PM +0100, Jan Lambertz wrote: I'm not sure if you already investigated this but s.m.a.r.t. has quite many diagnostic info. Even if the drive has not actually been marked as broken. This is somewhat vendor dependent. I did not check these info with openbsd but it should be possible.
You have smartmontools in packages.

... and atactl(8) in the base system. Regards, David
Re: ntfs with big files
On Sat, 19 Oct 2013, David Vasek wrote:
On Thu, 17 Oct 2013, David Vasek wrote:
On Fri, 11 Oct 2013, Joel Sing wrote:
On Thu, 10 Oct 2013, Manuel Giraud wrote: Hi, I have a ntfs partition with rather large (about 3GB) files on it. When I copy these files on a ffs partition they are corrupted. When I try to checksum them directly from the ntfs partition the checksum is not correct (compared to the same file on a fat32 partition copied with Windows). I tried this (with same behaviour) on i386 5.3 release and on i386 last week current. I'm willing to do some testing to fix this issue but don't really know where to start.
See if you can isolate the smallest possible reproducible test case. If you create a 3GB file with known content (e.g. the same byte repeated), does the same issue occur? If so, how small do you need to go before the problem goes away? Also, what operating system (and version) was used to write the files to the NTFS volume?
Hello, I encountered the same issue. Anything over the 2 GB limit is wrong. I mean, first exactly 2 GB of the file are read correctly, following that I get wrong data till the end of the file. It is reproducible with any file over 2 GB in size so far. Smells like int somewhere... I get the same wrong data with any release since at least 5.0, didn't test anything older, but I bet it is the same. The filesystem is a Windows XP NTFS system disk, 32-bit, the files were copied there with explorer.exe.
Some additional notes and findings:
(1) The data I receive after first 2 GB are not part of the file, the data is from another file (from the same directory, if that fact could be important). The data is taken in uninterrupted sequence and the starting offset of that sequence is way less than 2 GB in the other file where the data belong.
(2) While reading past 2 GB in larger blocks gives me just wrong data, reading in smaller blocks (2kB and less) gives me kernel panic in KASSERT immediately when I read past the 2 GB limit.
It is 100% reproducible with any file larger than 2 GB so far.

Thanks for taking the time to dig into this further and provide some reproducible test cases. There were two problems - the first was an off_t (64-bit integer) to integer conversion, which meant that attempting to read past a 2GB offset would have become negative. The second issue was an unsigned 64-bit to unsigned 32-bit truncation, which effectively wrapped the attribute data length at 4GB. I've just committed fixes for both of these and I can now successfully read/checksum a 6.5GB file on NTFS.

# mount -r /dev/wd0i /mnt
# ls -lo /mnt/DATA/ntfs_2gb_test.bin
-rwxr-xr-x 1 root wheel - 3054813184 Oct 17 22:11 /mnt/DATA/ntfs_2gb_test.bin
# cat /mnt/DATA//ntfs_2gb_test.bin > /dev/null
# dd if=/mnt/DATA/ntfs_2gb_test.bin bs=4k of=/dev/null
745804+0 records in
745804+0 records out
3054813184 bytes transferred in 108.518 secs (28150083 bytes/sec)
# dd if=/mnt/DATA/ntfs_2gb_test.bin bs=2k count=1m of=/dev/null
1048576+0 records in
1048576+0 records out
2147483648 bytes transferred in 78.783 secs (27258052 bytes/sec)
# dd if=/mnt/DATA/ntfs_2gb_test.bin bs=1k count=2m of=/dev/null
2097152+0 records in
2097152+0 records out
2147483648 bytes transferred in 81.210 secs (26443280 bytes/sec)
# dd if=/mnt/DATA/ntfs_2gb_test.bin bs=4k skip=512k of=/dev/null
221516+0 records in
221516+0 records out
907329536 bytes transferred in 32.314 secs (28077667 bytes/sec)
# dd if=/mnt/DATA/ntfs_2gb_test.bin bs=2k skip=1m of=/dev/null
panic: kernel diagnostic assertion cl == 1 tocopy = ntfs_cntob(1) failed: file ../../../../ntfs/ntfs_subr.c, line 1556
Stopped at Debugger+0x4: popl %ebp
RUN AT LEAST 'trace' AND 'ps' AND INCLUDE OUTPUT WHEN REPORTING THIS PANIC!
DO NOT EVEN BOTHER REPORTING THIS WITHOUT INCLUDING THAT INFORMATION!
ddb> trace
Debugger(d08fdcbc,f544fb88,d08dc500,f544fb88,200) at Debugger+0x4
panic(d08dc500,d085fc0e,d08dfe60,d08e00b0,614) at panic+0x5d
__assert(d085fc0e,d08e00b0,614,d08dfe60,8) at __assert+0x2e
ntfs_readntvattr_plain(d1a2d200,d1a36200,d1a5bc00,8800,0) at ntfs_readntvattr_plain+0x2e6
ntfs_readattr_plain(d1a2d200,d1a36200,80,0,8800) at ntfs_readattr_plain+0x141
ntfs_readattr(d1a2d200,d1a36200,80,0,8800) at ntfs_readattr+0x156
ntfs_read(f544fddc,d64e5140,d6522a60,f544fea0,0) at ntfs_read+0xa8
VOP_READ(d6522a60,f544fea0,0,d6599000,d64e5140) at VOP_READ+0x35
vn_read(d65290a8,d65290c4,f544fea0,d6599000,0) at vn_read+0xb5
dofilereadv(d65365d4,3,d65290a8,f544ff08,1) at dofilereadv+0x13a
sys_read(d65365d4,f544ff64,f544ff84,106,d653f100) at sys_read+0x89
syscall() at syscall+0x227
--- syscall (number 0) ---
0x2:
ddb> ps
PID PPID PGRPUID S FLAGS WAIT COMMAND *19967 9961 19967 0 7 0dd 9961 1 9961 0 30x88 pause sh 14 0 0 0 3
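An added example, not code from the thread or from the OpenBSD ntfs driver, that models the two narrowing defects Joel describes: int64_t stands in for the 64-bit off_t, the 4096-byte cluster size and the 6.5 GiB attribute length are assumptions, while the 3054813184-byte file size and the 2 GB offset are the ones from the session above.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the two narrowing defects in the NTFS read path described above.
 * int64_t stands in for OpenBSD's 64-bit off_t; a 4096-byte cluster is an
 * assumed (common) NTFS cluster size. */
#define CLUSTER_BYTES 4096LL

/* Before the fix: the 64-bit file offset passed through an int. For offsets
 * of 2^31 and above the top bit becomes the sign bit and the offset goes
 * negative (implementation-defined wraparound on two's-complement targets),
 * so the cluster number points somewhere else on the volume: the
 * "data from another file" symptom reported in the thread. */
int64_t cluster_of_offset_before(int64_t off)
{
    int narrowed = (int)off;
    return narrowed / CLUSTER_BYTES;
}

/* After the fix: the offset stays 64-bit all the way into the cluster math. */
int64_t cluster_of_offset_after(int64_t off)
{
    return off / CLUSTER_BYTES;
}

/* Before the fix: the attribute data length passed through a u_int32_t, so
 * a length of 4 GiB or more was reduced modulo 2^32 and the file looked
 * shorter than it is. */
uint64_t bytes_left_before(uint64_t attr_len, int64_t off)
{
    uint32_t len32 = (uint32_t)attr_len;
    if (off < 0 || (uint64_t)off >= len32)
        return 0;
    return len32 - (uint64_t)off;
}

/* After the fix: the length is compared and subtracted at full width. */
uint64_t bytes_left_after(uint64_t attr_len, int64_t off)
{
    if (off < 0 || (uint64_t)off >= attr_len)
        return 0;
    return attr_len - (uint64_t)off;
}

/* The guard a reader should apply before touching the disk: a negative
 * cluster index or a read that runs past the data length is refused instead
 * of becoming a wild read or a KASSERT. */
int read_plan_ok(int64_t cluster, uint64_t bytes_left, uint64_t want)
{
    return cluster >= 0 && want > 0 && bytes_left >= want;
}

static void show(const char *what, uint64_t attr_len, int64_t off, uint64_t want)
{
    int64_t cb = cluster_of_offset_before(off), ca = cluster_of_offset_after(off);
    uint64_t lb = bytes_left_before(attr_len, off), la = bytes_left_after(attr_len, off);

    printf("%s: offset %lld, want %llu bytes\n", what, (long long)off,
           (unsigned long long)want);
    printf("  before fix: cluster %lld, %llu bytes left, plan %s\n", (long long)cb,
           (unsigned long long)lb, read_plan_ok(cb, lb, want) ? "ok" : "REFUSED");
    printf("  after fix:  cluster %lld, %llu bytes left, plan %s\n", (long long)ca,
           (unsigned long long)la, read_plan_ok(ca, la, want) ? "ok" : "REFUSED");
}

int main(void)
{
    const uint64_t test_bin = 3054813184ULL; /* ntfs_2gb_test.bin size from the thread */
    const int64_t two_gb = 1LL << 31;
    const uint64_t big = 6979321856ULL;      /* a 6.5 GiB attribute (constructed) */

    show("last 2k block below 2 GB", test_bin, two_gb - 2048, 2048);
    show("first 2k block at 2 GB (dd bs=2k skip=1m)", test_bin, two_gb, 2048);
    show("6.5 GiB attribute, read at 3 GiB", big, 3LL << 30, 4096);
    return 0;
}
```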
Re: 10G with Intel card - GBIC options
The choice is of course yours.. ;) It would be worth trying a Cisco 'compatible' first before spending the big bucks on 'branded' optics.. http://www.gbics.com/xenpak-10gb-sr/?gclid=CKv_96G-irsCFSX4wgodQDEAdA Anyway, this is quite a personal decision and does affect support.. On Mon 02 Dec 2013 15:52:07 GMT, Kapetanakis Giannis wrote: On 02/12/13 17:15, Andy wrote: Yea CX4 will work, its the chipset that matters. But CX4 is short range and superseded, and by using SFP+ you can pick and choose your transceivers for fibre or CAT cabling etc. Well the Cisco CX4 costs ~ 600$ List price, while the SR one costs 3.000$ List price. That's my main problem... I would love to go for the SFP+ path but we cannot afford it, so the CX4 seems like my only choice so far if it's ok with OBSD. G
Re: Should Android have used OpenBSD instead of Linux?
On Mon, Dec 2, 2013 at 7:50 AM, Matthieu Herrb mhe...@gmail.com wrote:
On Tue, Nov 26, 2013 at 02:00:53PM -0800, Chris Cappuccio wrote:
Chris Cappuccio [ch...@nmedia.net] wrote:
openda...@hushmail.com [openda...@hushmail.com] wrote: Hi, What are the ups and downs of replacing Linux with OpenBSD in Google's Android operating system? I guess this question would apply to the new Sailfish OS as well.
OpenBSD is designed for mobile phones. Of course Google should have used it.
Ok instead of my stupid smartass answer. How about this:
1. OpenBSD now includes KMS and could support systems like Wayland that, in theory, are probably better suited for mobile (or any modern graphics in general) than X11 (At least, the Nokia developer who spent years hacking X11 into the N900 series thinks so)
2. OpenBSD has a license that is well suited for inclusion into devices, even more so than GPLv2 (Although most manufacturers don't seem to mind the GPLv2 because Linus built in various exceptions into his model)
3. The chips that support these various phones are all proprietary, undocumented, and the manufacturers only produce support blobs to match the Linus licensing model and the Linux kernel on these devices.
4. OpenBSD has a tight and compact model that should be easy for embedded developers to embrace
5. OpenBSD does not currently do much to support various phones although it does have ever increasing support for ARMv7 chipsets which is what all of them run on (that and ARMv8 now)
Obviously the biggest hurdle is #3 and of course someone has to have the interest, which is invariably going to be a manufacturer, and currently manufacturers embrace Linux, because it has a lot of knowledge/attention/momentum in this area.
Yes, and also the fact that the userland for a phone or a tablet has to be quite different from the userland for a desktop/laptop kind of machine. Without a keyboard, you need touch-screen enabled applications to install the system, set it up and interact with it. And there are specific needs in terms of kernel services to be able to route audio to/from the phone part of your device, wake it up on incoming calls,... So this would not be OpenBSD, but merely a system based on a BSD-ish kernel plus some BSD base libs (libc, libm, what else). Most of the rest would need to be rewritten or ported from Android/Sailfish/Mozilla OS/... At EuroBSDCon 2004 in KA, in his Keynote lecture¹, Jordan Hubbard said he was seeing a future for NetBSD in this area, since they already had all the tools to cross-compile the base system in a much nicer way than linux. Well 9 years later this has not happened.
¹) http://2004.eurobsdcon.org/uploads/media/EBSD04_keynote.pdf page 48
-- Matthieu Herrb

cross compiling is really missing in openBSD to handle very small Platform which does not have the power to compile, and more. That's why I sometimes hope the BSD was just working branches, ready to merge into bestBSD.
-- () ascii ribbon campaign - against html e-mail /\
Re: Should Android have used OpenBSD instead of Linux?
cross compiling is really missing in openBSD to handle very small Platform which does not have the power to compile, and more.

If you choose to not become educated, fine, that's your choice. There is a completely fine cross-build environment that works well. We can natively build on a vax and a landisk and a sparc, and the reality is that all the modern small platforms are bigger than that. Since our src tree with 820MB source tree and 1100MB obj tree, you surely must be talking about pathetically small machines which don't exist anymore considering 8GB microSD cards are nearing a buck. Basically, you are making up excuses, in essence trying to find ways to blame us for a variety of failings when you are the one who doesn't attack those goals and targets.

That's why I sometimes hope the BSD was just working branches, ready to merge into bestBSD.

And precisely who would be served by restructuring everything in that way?
NPPPD and IPSec
Hi, I'm having trouble configuring Windows clients with l2tp over ipsec. This config works great on OSX/iOS/Android/Linux. I do not know which type of auth/enc/group I should use for Windows clients. I currently use OpenBSD 5.4 with the following:

ike passive esp transport \
    proto udp from 1.2.3.4 to any port 1701 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes group modp1024 \
    psk secret

Thank you so much and keep up the good work, I love the OpenBSD project
___
The sender of this email is not authorized to bind XWise Marketing or any of its affiliate companies (hereby: the Companies) or to make any representations, contracts, or commitments on behalf of the Companies. The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by forwarding this email to le...@xwise.com and then delete it from your system. The Companies are neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt.
Re: 10G with Intel card - GBIC options
Kapetanakis Giannis [bil...@edu.physics.uoc.gr] wrote: On 02/12/13 17:15, Andy wrote: Yea CX4 will work, its the chipset that matters. But CX4 is short range and superseded, and by using SFP+ you can pick and choose your transceivers for fibre or CAT cabling etc. Well the Cisco CX4 costs ~ 600$ List price, while the SR one costs 3.000$ List price. That's my main problem... I would love to go for the SFP+ path but we cannot afford it, so the CX4 seems like my only choice so far if it's ok with OBSD. ebay for a cisco CX4 Xenpak for less than $100 USD
Potential scripting engine to integrate into mg?
Hello misc@
There have been discussions about extending mg with tinyscheme: http://www.daemonforums.org/showthread.php?t=7262
Or with lua: http://undeadly.org/cgi?action=articlesid=20120723072952
What about with python? Any thoughts?
Regards, Edward.
Re: Potential scripting engine to integrate into mg?
There have been discussions about extending mg with tinyscheme: http://www.daemonforums.org/showthread.php?t=7262 Or with lua: http://undeadly.org/cgi?action=articlesid=20120723072952 What about with python? So we should put python in the base. That would be great.
Re: Potential scripting engine to integrate into mg?
So why don't we have python in the base? Perl is in there. Just curious, not that I'm requesting. :-) Thanks. Edward

From: Theo de Raadt dera...@cvs.openbsd.org
To: Edward L. drawd...@gmail.com
CC: misc@openbsd.org misc@openbsd.org
Sent: December 2, 2013 12:53 PM
Subject: Re: Potential scripting engine to integrate into mg?

There have been discussions about extending mg with tinyscheme: http://www.daemonforums.org/showthread.php?t=7262 Or with lua: http://undeadly.org/cgi?action=articlesid=20120723072952 What about with python?
So we should put python in the base. That would be great.
Re: Potential scripting engine to integrate into mg?
On Mon, Dec 02, 2013 at 08:41:47PM -, Edward L. wrote: [...] Any thoughts? [...] For that, tinyscheme, lua or python would have to be integrated into base. That seems rather unlikely. What would be nice would be to take the Lisp interpreter from xedit and integrate it into mg. Xedit is in base, the engine is reasonably fast (for a Lisp integrated into an editor) and the language itself is rather nice. -- Gregor Best -- Valerie: Aww, Tom, you're going maudlin on me ... Tom: I reserve the right to wax maudlin as I wane eloquent ... -- Tom Chapin
Re: Potential scripting engine to integrate into mg?
On Mon, Dec 02, 2013 at 20:58, Edward L. wrote: So why don't we have python in the base? Perl is in there. Just curious, not that I'm requesting. :-) It's totally reasonable for an operating system to include *a* first class scripting language. It allows us to build tools like pkg_add in that language. There's no need for an OS to include *every* scripting language. perl was there first, it wins the crown.
Re: NPPPD and IPSec
I have used this with windows 7 and osx:

ike passive esp transport \
    proto udp from $public_ip to any port 1701 \
    main auth hmac-sha1 enc 3des group modp1024 \
    quick auth hmac-sha1 enc aes \
    psk

2013/12/2 Or Elimelech o...@xwise.com
Hi, I'm having trouble configuring Windows clients with l2tp over ipsec. This config works great on OSX/iOS/Android/Linux. I do not know which type of auth/enc/group I should use for Windows clients. I currently use OpenBSD 5.4 with the following:

ike passive esp transport \
    proto udp from 1.2.3.4 to any port 1701 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes group modp1024 \
    psk secret

Thank you so much and keep up the good work, I love the OpenBSD project
___
The sender of this email is not authorized to bind XWise Marketing or any of its affiliate companies (hereby: the Companies) or to make any representations, contracts, or commitments on behalf of the Companies. The information contained in this communication is intended solely for the use of the individual or entity to whom it is addressed and others authorized to receive it. It may contain confidential or legally privileged information. If you are not the intended recipient you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this information is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by forwarding this email to le...@xwise.com and then delete it from your system. The Companies are neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt.
Re: Potential scripting engine to integrate into mg?
On Mon, Dec 02, 2013 at 04:13:34PM -0500, Ted Unangst wrote: On Mon, Dec 02, 2013 at 20:58, Edward L. wrote: So why don't we have python in the base? Perl is in there. Just curious, not that I'm requesting. :-) It's totally reasonable for an operating system to include *a* first class scripting language. It allows us to build tools like pkg_add in that language. There's no need for an OS to include *every* scripting language. perl was there first, it wins the crown. Besides, there's no way in hell I'm going to rewrite any of my tools in python. I'm a perl junkie :)
Re: BGP changes to support CARP better
Hi, Could someone help me with this issue we have found where the OpenBGPd rule 'match to bgppeerip set nexthop bgpcarpip' doesn't work if OpenBGPd is started whilst the OpenBSD host is a CARP master. It only works if it is a CARP backup :( Or could someone give me a clue where in the source code to look so I can try to comment out the code which is checking the state of carp? This is desperately important for us for reasons discussed in this thread and others. Thanks for your time, Andy. PS; Thanks to Henning and Claudio for their great work with OpenBGPd.

On Thu, 21 Nov 2013 16:44:14 +, Andy a...@brandwatch.com wrote:

Ah, so we have a potential bug here then I'm thinking! After all, why would the setting of nexthop have anything to do with CARP?

On Thu 21 Nov 2013 16:14:33 GMT, Adam Thompson wrote:

(Apologies for top-posting) I've seen the same thing, but I assumed I'd made a mistake somewhere. Maybe not. -Adam

Andy a...@brandwatch.com wrote:

On 15/11/13 16:50, Adam Thompson wrote:

On 13-11-15 04:17 AM, Andy wrote:

On 12/11/13 05:48, Chris Cappuccio wrote:

Two BGP sessions from different IPs (no CARP). BGP next-hop pointing to CARP-protected IP.

Hi Chris, This sounds good.. Could you clarify further?

I can clarify for him, see below. (Apologies if he's already done it - I'm on the daily digest.)

Setup eBGP to the Transit router on both OBSD boxes using physical IPs, and iBGP between the OBSD routers. Got that working fine without 'depends on' (don't want the BGP teardown/setup delay).

Yup.

How are you configuring the BGP next-hop to the CARP IP??

match to x.x.x.x set nexthop x.x.x.x
allow from any
allow to any

Hi Adam, The problem is to do with ensuring inbound packets always go to the CARP master.

That's what set nexthop does in BGP - it tells the *other* router what to use for its nexthop.

Hi, I have observed some strangeness with this! :( I have two OpenBSD firewalls running in a CARP pair.

Each firewall in the pair has a single eBGP neighbor with the same single Cisco router using its physical IP with no 'depends on' statement. I have added the following line to /etc/bgp.conf on both firewalls:

match to 170.16.3.1 set nexthop 170.16.3.4

NB; 170.16.3.1 is the Cisco router and 170.16.3.4 is the CARP IP of the firewall pair.

If I start BGP on FW1 (master), the announced network seen in the Cisco has a nexthop = the physical IP and not the CARP IP :(
If I start BGP on FW2 (backup), the announced network seen in the Cisco has a nexthop = the CARP IP :)

Hmm, strange.. Maybe something is wrong with the master config I thought, but let's just try switching CARP first. So I stopped OpenBGPd on both and swapped the CARP master to be the other firewall etc.

If I start BGP on FW1 (backup), the announced network seen in the Cisco has a nexthop = the CARP IP :)
If I start BGP on FW2 (master), the announced network seen in the Cisco has a nexthop = the physical IP and not the CARP IP :(

This is really strange! It seems that only the CARP backup sets the nexthop properly.

Just for kicks, I shut down BGP on both and restarted BGPd on just the backup. Cisco shows one route via the CARP IP as wanted. I then swapped the CARP master again, and started BGP on the other firewall (just made backup). And now the Cisco shows two routes both via the CARP IP... This is what we want all the time.

This confirms that if BGP is started when it's the backup it works, but if it's started when it's the master, its nexthop is the physical IP? Any thoughts as I'm lost.. This is just strange! Cheers, Andy.

'match to X.X.X.161 set nexthop X.X.X.162' Wouldn't this only mean that the outbound packets would egress to the transit via the CARP IP? It's the inbound control that's needed.

Nope. It's actually much more difficult to control the egress IP, AFAIK.

I was thinking about using ifstatd to dynamically change the MED / path prepending based on the CARP status, rather than trying to force which router is master. Experience says that fail-overs happen for many reasons (probably once every couple of months), but so far never because the master is actually dead, which means BGP will pretty much always be left running on the old master (unless ifstatd does something to it)..

With 'set nexthop', it's OK if the old BGP session stays up - packets will always come inbound to the CARP master. You don't need to do anything to bgpd or routing tables on the old box. What you *might* have to do is use ifstated(8) to ensure that the LAN carp(4) interface always stays in sync with the WAN carp(4) interface. (i.e. router #1 being master for inside-facing while #2 is master for outside-facing will break pf(4).)

I just can't seem to figure out a true clean way of doing this without configuring multiple BGP attributes in OpenBGPd based on CARP status :(

I think that's only because you had the wrong end of the stick for
Re: BGP changes to support CARP better
andy [a...@brandwatch.com] wrote: Hi, Could someone help me with this issue we have found where the OpenBGPd rule 'match to bgppeerip set nexthop bgpcarpip' doesn't work if OpenBGPd is started whilst the OpenBSD host is a carp master. It only works if it is a CARP backup :( Or could someone give me a clue where in the source code to look so I can try to comment out the code which is checking the state of carp? This is desperately important for us for reasons discussed in this thread and others. Thanks for your time, Andy. PS; Thanks to Henning and Claudio for their great work with OpenBGPd. Can you demonstrate the failure through any bgpd output or some other way? For instance, does bgpd fail to advertise routes via bgp if it's the CARP nexthop master? Or does it all look like it should work, and just fail?
Re: wifi firmware for lenovo thinkpad E420
Siju George sgeorge.ml2 at gmail.com writes: On Fri, May 11, 2012 at 12:11 AM, Henning Brauer lists-openbsd at bsws.de wrote: I have one of these somewhere - basically, all that is needed is a pci attachment for the existing urtwn. shouldn't be too hard, but as usual - somebody has to do it. Hope somebody does this for 5.2 Thanks --Siju I also have one of these mini PCIe cards. Has any progress been made on getting this going over PCI?
Re: BGP changes to support CARP better
No, I'm seeing the same thing - the carp master advertises the carp IP as next-hop no matter what. The carp backup advertises whatever you've told it to advertise via set nexthop. -Adam On Dec 2, 2013 6:43 PM, Chris Cappuccio ch...@nmedia.net wrote: andy [a...@brandwatch.com] wrote: Hi, Could someone help me with this issue we have found where the OpenBGPd rule 'match to bgppeerip set nexthop bgpcarpip' doesn't work if OpenBGPd is started whilst the OpenBSD host is a carp master. It only works if it is a CARP backup :( Or could someone give me a clue where in the source code to look so I can try to comment out the code which is checking the state of carp? This is desperately important for us for reasons discussed in this thread and others. Thanks for your time, Andy. PS; Thanks to Henning and Claudio for their great work with OpenBGPd. Can you demonstrate the failure through any bgpd output or some other way? For instance, does bgpd fail to advertise routes via bgp if it's the CARP nexthop master? Or does it all look like it should work, and just fail?
Re: wifi firmware for lenovo thinkpad E420
On 12/2/2013 11:10 PM, Craig McCormick wrote: Siju George sgeorge.ml2 at gmail.com writes: On Fri, May 11, 2012 at 12:11 AM, Henning Brauer lists-openbsd at bsws.de wrote: I have one of these somewhere - basically, all that is needed is a pci attachment for the existing urtwn. shouldn't be too hard, but as usual - somebody has to do it. Hope somebody does this for 5.2 Thanks --Siju I also have one of these mini PCIe cards. Has any progress been made on getting this going over PCI?

Hi, I have a ThinkPad 1x1 11b/g/n Wireless LAN PCI Express Half Mini Card Adapter in my Lenovo L420 -- the OS does not detect it. Maybe you have the same adapter?
Lenovo L420 ACPI, kernel panic
Hi, there is always a kernel panic when booting with ACPI enabled on my Lenovo ThinkPad L420 (7854RP1). Here are pics of it and the trace: http://imgur.com/KPW4972 http://imgur.com/gUAV1Gy Any suggestions? Thanks
Re: NPPPD and IPSec
This works with Windows 8, OS X, Android and iOS:

ike passive esp transport \
    proto udp from $public_ip to any port 1701 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes \
    psk $psk

On 03 Dec 2013, at 00:28, Frans Haarman franshaar...@gmail.com wrote:

I have used this with Windows 7 and OS X:

ike passive esp transport \
    proto udp from $public_ip to any port 1701 \
    main auth hmac-sha1 enc 3des group modp1024 \
    quick auth hmac-sha1 enc aes \
    psk

2013/12/2 Or Elimelech o...@xwise.com

Hi, I'm having trouble configuring Windows clients with L2TP over IPsec. This config works great on OSX/iOS/Android/Linux. I do not know which type of auth/enc/group I should use for Windows clients. I currently use OpenBSD 5.4 with the following:

ike passive esp transport \
    proto udp from 1.2.3.4 to any port 1701 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes group modp1024 \
    psk secret

Thank you so much and keep up the good work, I love the OpenBSD project.
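An added example for the three `ike` rules in this thread (the original poster's and the two replies); it is editor's code, not from the thread and not part of OpenBSD. It parses `ike` rules out of ipsec.conf(5) text, joining backslash-continued lines, and reports the phase 1 (`main`) and phase 2 (`quick`) transforms per rule. The one difference between the original rule and the two rules reported as working with Windows clients is that the working ones have no `group` on the quick-mode transform (i.e. no PFS), so the audit flags a quick-mode `group`. It also flags 3DES and modp1024 as weak; that is the editor's assessment by current standards, not something the thread says. The sample configuration is constructed from the posted rules with placeholder `psk` values, and the `WEAK` table and audit wording are the editor's.

```python
"""Parse ike rules from OpenBSD ipsec.conf(5) text and audit their transforms.

Added example, not from the mailing-list thread. The sample config below is
constructed from the three rules posted in it (psk values are placeholders).
"""
import shlex

# Constructed sample: original poster's rule, then the two replies' rules.
SAMPLE_IPSEC_CONF = r"""
# original rule (reported as failing with Windows clients)
ike passive esp transport \
    proto udp from 1.2.3.4 to any port 1701 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes group modp1024 \
    psk secret

# reply 1 (reported working with Windows 7 / OS X)
ike passive esp transport \
    proto udp from $public_ip to any port 1701 \
    main auth hmac-sha1 enc 3des group modp1024 \
    quick auth hmac-sha1 enc aes \
    psk secret

# reply 2 (reported working with Windows 8, OS X, Android, iOS)
ike passive esp transport \
    proto udp from $public_ip to any port 1701 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes \
    psk $psk
"""

# Editor's weak-algorithm table (assumption: current practice, not from the thread).
WEAK = {
    "des": "single DES",
    "3des": "3DES, 64-bit block cipher, deprecated",
    "hmac-md5": "HMAC-MD5",
    "modp768": "768-bit DH group",
    "modp1024": "1024-bit DH group, below current recommendations",
}
TRANSFORM_KEYS = ("auth", "enc", "group")   # valid inside a main/quick spec
VALUE_KEYS = ("proto", "from", "to", "peer", "psk", "srcid", "dstid")
MODE_KEYS = ("main", "quick")


def _logical_lines(text):
    """Join backslash-continued lines; drop comments and blank lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append((buf + line).strip())
        buf = ""
    if buf.strip():
        out.append(buf.strip())
    return out


def parse_ike_rules(text):
    """Return a list of dicts: flags, fields (from/to/port/psk...), transforms."""
    rules = []
    for line in _logical_lines(text):
        toks = shlex.split(line)
        if not toks or toks[0] != "ike":
            continue
        rule = {"flags": [], "fields": {}, "transforms": {}}
        mode, side, i = None, None, 1
        while i < len(toks):
            t = toks[i]
            nxt = toks[i + 1] if i + 1 < len(toks) else None  # missing value -> None
            if t in MODE_KEYS:
                mode = t
                rule["transforms"][mode] = {}
                i += 1
            elif t in TRANSFORM_KEYS and mode is not None:
                rule["transforms"][mode][t] = nxt
                i += 2
            elif t == "port":   # port belongs to the preceding from/to side
                rule["fields"][f"{side}_port" if side else "port"] = nxt
                i += 2
            elif t in VALUE_KEYS:
                if t in ("from", "to"):
                    side = t
                rule["fields"][t] = nxt
                i += 2
            else:                # passive/active, esp/ah, transport/tunnel, ...
                rule["flags"].append(t)
                i += 1
        rules.append(rule)
    return rules


def audit_rule(rule):
    """Return a list of findings for one parsed ike rule."""
    findings = []
    for mode, spec in rule["transforms"].items():
        for key, val in spec.items():
            if val in WEAK:
                findings.append(f"{mode}: {key} {val} is weak ({WEAK[val]})")
    if "group" in rule["transforms"].get("quick", {}):
        findings.append("quick: group set, so PFS is required; the rules reported "
                        "working with Windows clients in the thread omit it")
    if rule["fields"].get("psk") is None:
        findings.append("psk keyword has no value")
    return findings


if __name__ == "__main__":
    for n, r in enumerate(parse_ike_rules(SAMPLE_IPSEC_CONF), 1):
        print(f"rule {n}: from {r['fields'].get('from')} transforms {r['transforms']}")
        for f in audit_rule(r):
            print("   -", f)
```

This only inspects the text; to check that a real file parses, `ipsecctl -n -f /etc/ipsec.conf` on the gateway does that without loading it.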