Re: AMD64 packages

2014-12-10 Thread Liviu Daia
On 11 December 2014, Theo de Raadt  wrote:
> > On 10 December 2014, Stan Gammons  wrote:
> > > When will new packages be built for AMD64?   I'm getting library errors
> > > with the latest snapshot and the current packages.
> > 
> > There are bigger problems with the latest snapshot:
> > 
> > $ ldd /usr/sbin/unbound 
> >   
> > /usr/sbin/unbound:
> > /usr/sbin/unbound: can't load library 'libssl.so.30.0'
> > /usr/sbin/unbound: exit status 4
[...]
> Look, this is rather simple.
> 
> If you don't understand that snapshots get built, that libraries
> crank, that there are PEOPLE building this, that the data takes time
> to get to the mirrors, and that this is a non-static situation, that
> small catch-up synchronization errors are made, that they get fixed by
> real people, then PLEASE DON'T RUN SNAPSHOTS.
[...]

Oh, I wasn't accusing anybody, or pointing fingers, or anything like
that.  I was just saying it's currently broken, that's all.  Sorry if it
came across any other way.

Regards,

Liviu Daia



Re: AMD64 packages

2014-12-10 Thread Theo de Raadt
Look, this is rather simple.

If you don't understand that snapshots get built, that libraries
crank, that there are PEOPLE building this, that the data takes time
to get to the mirrors, and that this is a non-static situation, that
small catch-up synchronization errors are made, that they get fixed by
real people, then PLEASE DON'T RUN SNAPSHOTS.

Hours later, another snapshot sneaks out for each architecture, which
has managed to pick up the shared library crank.

Please learn what the snapshot processes are.  It's in the FAQ!  If
you don't learn and understand the strong tech-innovation promise but
much weaker delivery promise of snapshots, you are denigrating the
effort by chattering into people's mailboxes.

We do what we can, based on what we have.  It is very nearly an
auto-build platform with catchup corrections for these details.

AND furthermore, snapshots sometimes contain surprise eggs for
future coming test code; where it is easier to build it for all
architectures and get it dogfooded in subsets of the test community,
than wait and wait and wait for them to build it themselves.  Those
are our priorities showing through.

Alternatively we could create a snapshots-failed-minute-...@openbsd.org
mailing list, which I will not participate in.

> On 10 December 2014, Stan Gammons  wrote:
> > When will new packages be built for AMD64?   I'm getting library errors
> > with the latest snapshot and the current packages.
> 
> There are bigger problems with the latest snapshot:
> 
> $ ldd /usr/sbin/unbound   
> 
> /usr/sbin/unbound:
> /usr/sbin/unbound: can't load library 'libssl.so.30.0'
> /usr/sbin/unbound: exit status 4
> 
> $ ls -l /usr/lib/libssl*  
>
> -r--r--r--  1 root  bin  1518902 Oct 29 03:25 /usr/lib/libssl.so.27.2
> -r--r--r--  1 root  bin  1512855 Nov 16 09:49 /usr/lib/libssl.so.28.0
> -r--r--r--  1 root  bin  1518550 Dec  8 07:54 /usr/lib/libssl.so.29.0
> 
> $ dmesg | head -1
> OpenBSD 5.6-current (GENERIC.MP) #668: Wed Dec 10 12:43:55 MST 2014
> 
> 
> Regards,
> 
> Liviu Daia
> 




Re: AMD64 packages

2014-12-10 Thread Liviu Daia
On 10 December 2014, Stan Gammons  wrote:
> When will new packages be built for AMD64?   I'm getting library errors
> with the latest snapshot and the current packages.

There are bigger problems with the latest snapshot:

$ ldd /usr/sbin/unbound 
  
/usr/sbin/unbound:
/usr/sbin/unbound: can't load library 'libssl.so.30.0'
/usr/sbin/unbound: exit status 4

$ ls -l /usr/lib/libssl*
 
-r--r--r--  1 root  bin  1518902 Oct 29 03:25 /usr/lib/libssl.so.27.2
-r--r--r--  1 root  bin  1512855 Nov 16 09:49 /usr/lib/libssl.so.28.0
-r--r--r--  1 root  bin  1518550 Dec  8 07:54 /usr/lib/libssl.so.29.0

$ dmesg | head -1
OpenBSD 5.6-current (GENERIC.MP) #668: Wed Dec 10 12:43:55 MST 2014


Regards,

Liviu Daia



Re: Missing libcanberra for Firefox on current

2014-12-10 Thread Antoine Jacoutot
On Thu, Dec 11, 2014 at 07:03:27AM +0100, bodie wrote:
> Hi,
> 
> starting Firefox results in:
> 
> $ firefox
> Gtk-Message: Failed to load module "canberra-gtk-module"
> 
> there are 3 versions available on mirror:
> 
> $ pkg_info -Q canberra
> libcanberra-0.30p1
> libcanberra-gtk-0.30p1
> libcanberra-gtk3-0.30p1
> $
> 
> but none of them is installed:
> 
> $ pkg_info | grep -i canberra
> $
> 
> 
> $ sysctl kern.version
> kern.version=OpenBSD 5.6-current (GENERIC.MP) #668: Wed Dec 10 12:43:55 MST
> 2014
> dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> 
> $
> 
> 
> Is it a missing dependency?

No. It's totally optional.
GTK+2 will try to load it and if it does not exist, it will warn but that's all.
In your case, to make the warning go away you can 'pkg_add libcanberra-gtk'.

-- 
Antoine



Missing libcanberra for Firefox on current

2014-12-10 Thread bodie

Hi,

starting Firefox results in:

$ firefox
Gtk-Message: Failed to load module "canberra-gtk-module"

there are 3 versions available on mirror:

$ pkg_info -Q canberra
libcanberra-0.30p1
libcanberra-gtk-0.30p1
libcanberra-gtk3-0.30p1
$

but none of them is installed:

$ pkg_info | grep -i canberra
$


$ sysctl kern.version
kern.version=OpenBSD 5.6-current (GENERIC.MP) #668: Wed Dec 10 12:43:55 MST 2014

dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP


$


Is it a missing dependency?



Re: AMD64 packages

2014-12-10 Thread Stan Gammons
On Dec 10, 2014 10:03 PM, "STeve Andre'"  wrote:
>
> On 12/10/14 20:51, Stan Gammons wrote:
>>
>> When will new packages be built for AMD64?   I'm getting library errors
>> with the latest snapshot and the current packages.
>>
>> Stan
>>
>>
> They come out frequently, but not on a set schedule.  Since the
> last set came out on the 6th, I would expect the next set in the
> next several days -- unless some change caused a cascade of
> non-compiles in which case the problem will be worked on before
> the next release.
>
> You might want to subscribe to the ports-changes list,
> which will show you what's been changed.  The source-changes
> list will show you all the other cvs commits.  Look at
>
> http://www.openbsd.org/mail.html

Ok.  The way I normally update is by downloading the install5x.iso, make
the cd and boot from it, do an upgrade, reboot, do a sysmerge, then do
pkg_add -u.  After all the failures because of the library mismatch, kde4
will no longer start due to an ssl library mismatch.  Bummer...  Looks like
it's wait until new packages are built.

Stan



Re: AMD64 packages

2014-12-10 Thread STeve Andre'

On 12/10/14 20:51, Stan Gammons wrote:

When will new packages be built for AMD64?   I'm getting library errors
with the latest snapshot and the current packages.

Stan



They come out frequently, but not on a set schedule.  Since the
last set came out on the 6th, I would expect the next set in the
next several days -- unless some change caused a cascade of
non-compiles in which case the problem will be worked on before
the next release.

You might want to subscribe to the ports-changes list,
which will show you what's been changed.  The source-changes
list will show you all the other cvs commits.  Look at

http://www.openbsd.org/mail.html



Re: wacom tablets

2014-12-10 Thread Joel Rees
Followup:

On Thu, Dec 11, 2014 at 11:03 AM, Joel Rees  wrote:
> Found an old post indicating that wacom tablets are functional:
>
> http://marc.info/?l=openbsd-misc&m=130458853424142&w=2
>
> Wondering if they (still?) require configuration sections in xorg.conf,
> and, if so, where.
>
> My ancient ET-0405-U isn't automatically found.
>
> I tried just pasting Stuart's xorg.conf entries into a file called
>
> /usr/X11R6/share/X11/xorg.conf.d/50_wacom-ET0405-U.conf
>
> and X11 refuses to start. Any hints or cluebats appreciated.

Checking the logs, the screen line is rejected. It doesn't know a
screen0. Guess I need to define one. (I'll look at that when I get
back.)

X11 will start if I comment out the ServerLayout section.

> File contents:
> --
> Section "InputDevice"
> Identifier "w_stylus"
> Driver "usbtablet"
> Option "Type" "stylus"
> Option "Device" "/dev/uhid0"
> Option "Mode" "Absolute"
> Option "Threshold" "10"
> EndSection
>
> Section "InputDevice"
> Identifier "w_eraser"
> Driver "usbtablet"
> Option "Type" "eraser"
> Option "Device" "/dev/uhid0"
> Option "Mode" "Absolute"
> EndSection
>
> Section "ServerFlags"
> Option "AllowMouseOpenFail" "True"
> Option "DontZap" "True"
> EndSection
>
> Section "ServerLayout"
> Identifier "X.org Configured"
> Screen  0  "Screen0" 0 0
> InputDevice"Keyboard0" "CoreKeyboard"
> InputDevice"w_stylus" "SendCoreEvents"
> InputDevice"w_eraser" "SendCoreEvents"
> EndSection
>
> Section "InputDevice"
> Identifier  "Mouse0"
> Driver  "mouse"
> Option  "Protocol" "wsmouse"
> Option  "Device" "/dev/wsmouse"
> Option  "ZAxisMapping" "4 5 6 7"
> EndSection
> --
>
> -
> Joel Rees
>
> Computer memory is just fancy paper,
> CPUs just fancy pens.
> All is a stream of text
> flowing from the past into the future.
>



-- 
Joel Rees

Be careful when you look at conspiracy.
Look first in your own heart,
and ask yourself if you are not your own worst enemy.
Arm yourself with knowledge of yourself, as well.



wacom tablets

2014-12-10 Thread Joel Rees
Found an old post indicating that wacom tablets are functional:

http://marc.info/?l=openbsd-misc&m=130458853424142&w=2

Wondering if they (still?) require configuration sections in xorg.conf,
and, if so, where.

My ancient ET-0405-U isn't automatically found.

I tried just pasting Stuart's xorg.conf entries into a file called

/usr/X11R6/share/X11/xorg.conf.d/50_wacom-ET0405-U.conf

and X11 refuses to start. Any hints or cluebats appreciated.

File contents:
--
Section "InputDevice"
Identifier "w_stylus"
Driver "usbtablet"
Option "Type" "stylus"
Option "Device" "/dev/uhid0"
Option "Mode" "Absolute"
Option "Threshold" "10"
EndSection

Section "InputDevice"
Identifier "w_eraser"
Driver "usbtablet"
Option "Type" "eraser"
Option "Device" "/dev/uhid0"
Option "Mode" "Absolute"
EndSection

Section "ServerFlags"
Option "AllowMouseOpenFail" "True"
Option "DontZap" "True"
EndSection

Section "ServerLayout"
Identifier "X.org Configured"
Screen  0  "Screen0" 0 0
InputDevice"Keyboard0" "CoreKeyboard"
InputDevice"w_stylus" "SendCoreEvents"
InputDevice"w_eraser" "SendCoreEvents"
EndSection

Section "InputDevice"
Identifier  "Mouse0"
Driver  "mouse"
Option  "Protocol" "wsmouse"
Option  "Device" "/dev/wsmouse"
Option  "ZAxisMapping" "4 5 6 7"
EndSection
--

-
Joel Rees

Computer memory is just fancy paper,
CPUs just fancy pens.
All is a stream of text
flowing from the past into the future.

dmesg:

AMD64 packages

2014-12-10 Thread Stan Gammons
When will new packages be built for AMD64?   I'm getting library errors
with the latest snapshot and the current packages.

Stan



Re: Hide VM data from customer

2014-12-10 Thread Nathan Wheeler
Tim, I didn't even think about just using another disk. That's the
simpler solution by far, but does come with some drawbacks. A very
small partition or disk by itself is pretty conspicuous, and wouldn't
be very hard to figure out what it's for.

It also does make our install a bit more complex. We have standard
hardware we use with only one drive and I'd rather not have to
maintain a VM image and a physical image. So we'd have to use the
partition as a key method which will mean maintaining code again for
now.

Another option I have at least though! Thanks!

On Wed, Dec 10, 2014 at 8:42 AM, trondd  wrote:
> What about using a key partition local to the VM disk
> http://marc.info/?l=openbsd-misc&m=141435482820277&w=2
>
> You'd be maintaining code either way, though.
>
> Or add an additional disk to the VM that is the keydisk.
>
> Tim.



Filter by originating IP on relayd

2014-12-10 Thread Felipe Brant Scarel (Mirante)
Hello all,

First of all, I'd like to thank Reyk, Pierre-Yves and OpenBSD for this
fantastic piece of software, alongside pf. SSL inspection was a total
breeze, and my current test installation is working perfectly.
I've configured relayd to act as a forward proxy for basic URL filtering
using blacklists, in order to replace my current Squid installation.

That said: I'd like to configure relayd to apply different blacklist
filters depending on the connecting client. So, for example, a more
complete blacklist would be applied against an unprivileged user, and a
more lenient blacklist is applied against an administrative user. I
figured I'd use 'match header' to accomplish that task, but it doesn't
seem the client IP is present on HTTP headers (as expected).

I've read the manpage and didn't find a suitable filter, so I ask: is
there a way to filter by $REMOTE_ADDR (i.e. client address)? One
alternative I've devised is to make relayd listen on two different
ports, each with its respective filter, and redirect from pf depending
on the originating address, but that'd result in a very verbose
configuration file, I think.

Thanks in advance for your help. Regards,
fbscarel



Re: Hide VM data from customer

2014-12-10 Thread trondd
What about using a key partition local to the VM disk
http://marc.info/?l=openbsd-misc&m=141435482820277&w=2

You'd be maintaining code either way, though.

Or add an additional disk to the VM that is the keydisk.

Tim.



Re: Hide VM data from customer

2014-12-10 Thread Nathan Wheeler
Eric, that's an interesting way to do it. Though I think it would take
more changes in the system than we'd like to implement.

I was actually able to get full disk encryption to work without
entering the passphrase. I edited softraid.c
(http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/sys/arch/i386/stand/libsa/softraid.c)
and hardcoded a passphrase so instead of prompting for it, it will
automatically try the hardcoded passphrase. I compiled the second
stage boot file and applied it with installboot like normal to the
encrypted disk. The system boots with no manual intervention to an
encrypted disk. It's some decent obfuscation to keep curious eyes out.

Doing this seems kinda hokey so I'm not sure we'll go this route, but
it does give us an option at least.

On Tue, Dec 9, 2014 at 4:55 PM, Eric Lalonde  wrote:
> One of the services provided by a previous employer was to on-premise 
> appliance for customers, rented in a SAAS model. Customers paid for a certain 
> amount of disk space. To ensure they couldn’t just swap disks to add more 
> capacity, each of our disks went through a ‘blessing’ process where we 
> performed various interesting perturbations to the first few megs of every 
> disk, including a checksum that was a function of a machine and customer 
> identifier.
>
> We fully understood that these efforts would never get in the way of a 
> dedicated and sophisticated adversary, but the bar was low since most of the 
> customers were end users who were using a managed service provider and never 
> directly interacted with our appliance.
>
> You might want to try something like that to make it non-trivial for 
> customers to pull your data.
>
> - Eric
>
> On Dec 9, 2014, at 4:14 PM, Steve Shockley  
> wrote:
>
>> On 12/9/2014 2:38 PM, John Merriam wrote:
>>> Oh, and no matter what you do, they could always dump the RAM from your VM
>>> instance and get your data from there after it's been decrypted.
>>
>> The key is also likely stored in RAM, and it is simpler to get a snapshot of 
>> RAM from a VM than it is to get one from a physical machine.



Re: Remember to update /etc/machine-id

2014-12-10 Thread Anthony Campbell
On 10 Dec 2014, Josh Grosse wrote:
> On 2014-12-10 09:02, Anthony Campbell wrote:
> >Whenever I upgrade to a new snapshot I receive these messages:
> >
> > Remember to update /var/db/dbus/machine-id
> > Remember to update /etc/machine-id
> >
> >I don't know how to do this and I couldn't find much about machine-id on
> >the net and the OBSD faq doesn't mention it. There is a discussion on
> >the gentoo forum about it, in which posters express worry about it as a
> >security risk.
> >
> >http://forums.gentoo.org/viewtopic-t-961454-start-0.html
> >
> >Can anyone shed light on this and say what, if anything, I should do?
> >
> >Anthony
> 
> Anthony, I believe you're seeing messages from your x11/dbus package,
> specifically, from dbus-uuidgen, which is run when you update the dbus
> package.
> 
> The PLIST contains this instruction:
> 
> @exec ${PREFIX}/bin/dbus-uuidgen --ensure=${SYSCONFDIR}/machine-id
> 
> Luckily, its man page is also included in the package; the PLIST
> contains:
> 
> @man man/man1/dbus-uuidgen.1
> 
> :)



Thanks to both for replies and clarification.

Anthony



Re: Traffic shaping on small network.

2014-12-10 Thread Paco Esteban
On Wed, 10 Dec 2014, Paco Esteban wrote:

> > Set a max on your root queue.
> 
> Ok, I'll try. But, again, it is confusing how some examples on both
> pf.conf(5) and "The Book of PF" are written.

Ok, that was it. I needed to set the max on root queue. Now the numbers
match the queue definitions. I've tried with and without prio and
results are nearly the same as henning@ said on that other thread.

I'll make some tests with different values to play with it.

So, the way I see it, the max on root queue is mandatory. At least with
small links like upload channel on an ADSL connection.
If you don't set it, it hits the physical limit and no shaping happens at
all. (that is what I was trying to avoid setting the bandwidth on root
queue in the first place ... )

Cheers,

-- 
Paco Esteban.
GnuPG key: 0x44CA735E
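The queue tree from this thread with the fix that was found applied, as an added example and not the poster's actual pf.conf: `max` is set on the root queue so the children cannot borrow up to the modem's physical limit, and the `set prio` parts are dropped because prio is ignored once bandwidth shaping is on. `<stun_hosts>` and `<dns_servers>` are placeholder tables standing in for the addresses elided in the original rules.

```pf
# pppoe0 carries ~910Kbps upstream on the physical link. Shaping only
# happens if the root queue itself is capped below that, so HFSC and not
# the ADSL modem becomes the bottleneck: "bandwidth" alone lets the
# sub-queues borrow up to the link speed, "max" does not.
queue q_root on $gw_if bandwidth 850K max 850K
  queue q_dns parent q_root bandwidth 50K, min 25K
  queue q_pri parent q_root bandwidth 200K, min 100K
  queue q_dow parent q_root bandwidth 80K, max 210K
  queue q_def parent q_root bandwidth 520K default

# Hangouts media to the STUN/TURN port range (placeholder table <stun_hosts>),
# both directions' ACKs in the priority queue.
match out on $gw_if inet proto { udp, tcp } from any to <stun_hosts> \
    port 19302:19309 set queue (q_pri, q_pri)

# Recursive lookups from the gateway itself (placeholder table <dns_servers>).
match out on $gw_if inet proto { tcp, udp } from $gw_if to <dns_servers> \
    port domain set queue q_dns

# Web traffic in the default queue, its ACKs in the priority queue.
match out on $gw_if inet proto tcp from any to any port { 80, 443 } \
    set queue (q_def, q_pri)

# Everything from the torrent subnet is NATed and capped by q_dow's "max 210K".
match out on $gw_if from $torrent_net nat-to ($gw_if) set queue (q_dow, q_dow)
```

After loading, `pfctl -vvsq` should show the sum of the sub-queues' throughput staying at or below 850Kbps under saturation, which is the check the thread used to spot that shaping was not in effect.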



Re: Traffic shaping on small network.

2014-12-10 Thread Paco Esteban
On Wed, 10 Dec 2014, Daniel Melameth wrote:

> On Wed, Dec 10, 2014 at 4:30 AM, Paco Esteban  wrote:
> > Basically I want google hangouts traffic to be prioritized as much as
> > possible, then  DNS resolutions. Torrent traffic coming from a specific
> > subnet should work, but at low prio and should never exceed 210Kbps on
> > the up link. In fact all traffic from this subnet is low prio (that's
> > why I put the queue "tag" on the nat rule).
> 
> Per henning@/http://marc.info/?l=openbsd-misc&m=140127924031145&w=2,
> "prio is ignored when bandwidth shaping is on" so this is useless
> here.

Yes, I remember that thread. I posted there too. Just forgot to remove
the prio parts. I just did and tested again. Same results.

It's funny though that prio and hfsc are mixed on "The book of PF"
examples. Even when the technical reviewer is henning@

> > The sum of all sub-queues when I try to saturate the uplink is greater
> > than the bandwidth defined for "q_root". I see values near 900Kbps or
> > sometimes near 910Kbps (which is physical limit, not my manually
> > defined limit).
> 
> Set a max on your root queue.

Ok, I'll try. But, again, it is confusing how some examples on both
pf.conf(5) and "The Book of PF" are written.

Cheers,

-- 
Paco Esteban.
GnuPG key: 0x44CA735E



Re: Remember to update /etc/machine-id

2014-12-10 Thread Josh Grosse

On 2014-12-10 09:02, Anthony Campbell wrote:

Whenever I upgrade to a new snapshot I receive these messages:

Remember to update /var/db/dbus/machine-id
Remember to update /etc/machine-id

I don't know how to do this and I couldn't find much about machine-id on
the net and the OBSD faq doesn't mention it. There is a discussion on
the gentoo forum about it, in which posters express worry about it as a
security risk.

http://forums.gentoo.org/viewtopic-t-961454-start-0.html

Can anyone shed light on this and say what, if anything, I should do?

Anthony


Anthony, I believe you're seeing messages from your x11/dbus package,
specifically, from dbus-uuidgen, which is run when you update the dbus
package.

The PLIST contains this instruction:

@exec ${PREFIX}/bin/dbus-uuidgen --ensure=${SYSCONFDIR}/machine-id

Luckily, its man page is also included in the package; the PLIST
contains:

@man man/man1/dbus-uuidgen.1

:)



Re: Remember to update /etc/machine-id

2014-12-10 Thread Antoine Jacoutot
On Wed, Dec 10, 2014 at 02:02:52PM +, Anthony Campbell wrote:
> Whenever I upgrade to a new snapshot I receive these messages:
> 
>   Remember to update /var/db/dbus/machine-id
>   Remember to update /etc/machine-id

It's just a generic pkg_add warning for @extra files IIRC.
You can ignore it -- pkg_add output is somewhat too chatty and confusing at 
times but espie is working on making it better I think.

-- 
Antoine



Remember to update /etc/machine-id

2014-12-10 Thread Anthony Campbell
Whenever I upgrade to a new snapshot I receive these messages:

Remember to update /var/db/dbus/machine-id
Remember to update /etc/machine-id

I don't know how to do this and I couldn't find much about machine-id on
the net and the OBSD faq doesn't mention it. There is a discussion on
the gentoo forum about it, in which posters express worry about it as a
security risk. 

http://forums.gentoo.org/viewtopic-t-961454-start-0.html

Can anyone shed light on this and say what, if anything, I should do?

Anthony



Re: Packet Filter router i368 vs 64bit

2014-12-10 Thread Darren Tucker
On Sat, Dec 6, 2014 at 9:25 AM, Stuart Henderson 
wrote:
>
> Linux developers were seeing higher throughput (though obviously higher
> cpu usage) when offload was disabled. Apparently the checksum offload
> can't pipeline. I'm not sure if vlan hw tagging was also implicated.
> IIRC there were more details in an old lkml post.
>

I think I found the one you are referring to:
http://lkml.iu.edu/hypermail/linux/kernel/0712.3/1199.html

I can't test this at the moment since the hardware is on the other side of
the planet, but I might give this a spin when I get a chance.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



Re: USB printer not working with CUPS 2.0.1 (in -current)

2014-12-10 Thread Raf
Hi Alessandro,

On Mon, Dec 08, 2014 at 11:45:43AM EST, Alessandro DE LAURENZIS wrote:

> Laptop's USB ports are 2.0; I do not know if there could be an impact
> of the xhci driver anyway, but how could I check? Any chances to
> switch off xhci and revert to uhci/ehci?

Sure there is:

#xhci*  at pci?
#usb*   at xhci?

:^)

Well, at least one person has reported[0] issues with USB2.0 hub, which
has been plugged into a USB2.0 port BTW (just to clarify).

However, whether your issue is related to that one or whether xHCI
enabled in the kernel has any impact on USB2.0 devices? That I don't
know - I merely (making an assumption, which may as well be flawed)
put the two together as it is plausible.

[0] http://marc.info/?l=openbsd-misc&m=141690178901244&w=2

Regards,

Raf



Re: Traffic shaping on small network.

2014-12-10 Thread Daniel Melameth
On Wed, Dec 10, 2014 at 4:30 AM, Paco Esteban  wrote:
> The box has a vr(4) interface connected to an ADSL modem that provides
> roughly 14Mbps/910Kbps (down/up) through pppoe.
> I've set up some queues on pppoe0 interface (I use $gw_if in rules).
> There are also basically 3 subnets behind this box. One for wired net,
> one for wifi net and one I called torrent net which, as you may expect,
> has a torrent box handling P2P downloads.
>
> This is my queue definition:
>
> queue q_root on $gw_if bandwidth 850K
>   queue q_dns parent q_root bandwidth 50K, min 25K
>   queue q_pri parent q_root bandwidth 200K, min 100K
>   queue q_dow parent q_root bandwidth 80K, max 210K
>   queue q_def parent q_root bandwidth 520K default
>
> And the match rules that apply:
>
> match out on $gw_if inet proto { udp, tcp } from any to  
> port 19302:19309 set queue(q_pri, q_pri) set prio (7,7)
> match out on $gw_if inet proto { tcp, udp } from $gw_if to { x.x.x.x, y.y.y.y 
> } port domain set queue q_dns set prio (5,5)
> match out on $gw_if inet proto tcp from any to any port { 80, 443 } set 
> queue(q_def, q_pri) set prio (3,6)
>
> match out on $gw_if from $torrent_net nat-to ($gw_if) set queue(q_dow, q_dow) 
> set prio (0,0)
>
> Basically I want google hangouts traffic to be prioritized as much as
> possible, then  DNS resolutions. Torrent traffic coming from a specific
> subnet should work, but at low prio and should never exceed 210Kbps on
> the up link. In fact all traffic from this subnet is low prio (that's
> why I put the queue "tag" on the nat rule).

Per henning@/http://marc.info/?l=openbsd-misc&m=140127924031145&w=2,
"prio is ignored when bandwidth shaping is on" so this is useless
here.

> Http and https traffic goes to default queue, with ACKs to priority.
>
> Packets are correctly assigned to their respective queues. I can see
> counters go up on systat and pfctl -vvsq. All works as expected till here.
>
> The things I don't understand are:
>
> The sum of all sub-queues when I try to saturate the uplink is greater
> than the bandwidth defined for "q_root". I see values near 900Kbps or
> sometimes near 910Kbps (which is physical limit, not my manually
> defined limit).

Set a max on your root queue.

> When I saturate the link with traffic going out on "q_pri", "q_dow" and
> "q_def" the only rule that is always applied is the "max 210K" for
> "q_def". The other queues seem to share the bandwidth in a "best-effort"
> manner.
>
> Maybe I'm messing things up ... I don't know.
>
> I can live without traffic shaping here. I can make the network quiet if
> I need all the uplink to make a video-call, but I really want to
> understand how this works.

Your best bet is to define your bandwidth requirements appropriately
in your queues.  If you need a specific amount of bandwidth for a
quality video call, define an appropriate minimum for the queue.

> After reading pf.conf(5) and Chapter 7 on "The Book of PF" (3rd edition)
> I thought I got it, but clearly I did not.
>
> So, any good soul could waste some time trying to explain all this ?



Traffic shaping on small network.

2014-12-10 Thread Paco Esteban
Hi,

I've an ALIX board running 5.6-stable acting as a router/firewall on a
small network.
It does its job perfectly and it's easy to manage. So thanks to all devs
for that.

Some time ago I played a bit with traffic shaping on this box, but
did not have the time to test it properly and left that disabled on
pf.conf
Now I've enabled it again and, although everything seems to work just
fine, I don't understand what is happening regarding queues

The box has a vr(4) interface connected to an ADSL modem that provides
roughly 14Mbps/910Kbps (down/up) through pppoe.
I've set up some queues on pppoe0 interface (I use $gw_if in rules).
There are also basically 3 subnets behind this box. One for wired net,
one for wifi net and one I called torrent net which, as you may expect,
has a torrent box handling P2P downloads.

This is my queue definition:

queue q_root on $gw_if bandwidth 850K
  queue q_dns parent q_root bandwidth 50K, min 25K
  queue q_pri parent q_root bandwidth 200K, min 100K
  queue q_dow parent q_root bandwidth 80K, max 210K
  queue q_def parent q_root bandwidth 520K default

And the match rules that apply:

match out on $gw_if inet proto { udp, tcp } from any to  port 
19302:19309 set queue(q_pri, q_pri) set prio (7,7)
match out on $gw_if inet proto { tcp, udp } from $gw_if to { x.x.x.x, y.y.y.y } 
port domain set queue q_dns set prio (5,5)
match out on $gw_if inet proto tcp from any to any port { 80, 443 } set 
queue(q_def, q_pri) set prio (3,6)

match out on $gw_if from $torrent_net nat-to ($gw_if) set queue(q_dow, q_dow) 
set prio (0,0)

Basically I want google hangouts traffic to be prioritized as much as
possible, then  DNS resolutions. Torrent traffic coming from a specific
subnet should work, but at low prio and should never exceed 210Kbps on
the up link. In fact all traffic from this subnet is low prio (that's
why I put the queue "tag" on the nat rule).
Http and https traffic goes to default queue, with ACKs to priority.

Packets are correctly assigned to their respective queues. I can see
counters go up on systat and pfctl -vvsq. All works as expected till here.

The things I don't understand are:

The sum of all sub-queues when I try to saturate the uplink is greater
than the bandwidth defined for "q_root". I see values near 900Kbps or
sometimes near 910Kbps (which is physical limit, not my manually
defined limit).

When I saturate the link with traffic going out on "q_pri", "q_dow" and
"q_def" the only rule that is always applied is the "max 210K" for
"q_def". The other queues seem to share the bandwidth in a "best-effort"
manner.

Maybe I'm messing things up ... I don't know.

I can live without traffic shaping here. I can make the network quiet if
I need all the uplink to make a video-call, but I really want to
understand how this works.
After reading pf.conf(5) and Chapter 7 on "The Book of PF" (3rd edition)
I thought I got it, but clearly I did not.

So, any good soul could waste some time trying to explain all this?

Cheers,

-- 
Paco Esteban.
GnuPG key: 0x44CA735E



Re: INVALID ROOT NODE

2014-12-10 Thread Stuart Henderson
On 2014-12-09, Philip Guenther  wrote:
> On Sun, Nov 30, 2014 at 2:48 AM, Max Power  wrote:
>> I have a CRYPTO - RAID 1 softraid device /dev/sd4a [3TB OpenBSD 5.6/amd64]
>> on which I have about 1,400,000 files and I've never had problems reading
>> or writing. If, however, launch the tree command, eg. tree c *, returns me:
>> tree: invalid root node: name_of_file.
>
>: morgaine; tree
> /bin/ksh: tree: not found
>: morgaine;
>
> So this is a program from some port?  What does the documentation for
> program say about that error message?

>> I tried to run a fsck and this is the result
>
> Huh, an error message from a random program makes you fsck your disks?
>  That seems like an overreaction to me.  As far as we know, you're
> just invoking it with the wrong arguments...

It's half understandable, given how badly written the text of the error message 
is.

It seems that tree wants directory names, not filenames, on the command line.



Re: simple way to block one word domains?

2014-12-10 Thread Stuart Henderson
On 2014-12-09, Joshua Smith  wrote:
> Does ndots:0 in your resolv.conf not achieve what you want?

That's about the reverse of what's wanted, ndots sets the number of
dots when it should always do an absolute query and avoid using search
domains. Ted is asking for a way to never do an absolute query for names
without a dot. I see where he's coming from but the problem runs deeper,
as people who use host.prod.example.org and access it as "host.prod" via
"search example.org" will have already discovered.

At this point I think we need to just consider search domains as broken
by IANA and stop using them. But hey, at least we can now have domains like
http://thatsnumber.wang/ which totally makes up for breaking dns, right?
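A model of the resolver behaviour Stuart is describing, added here as an example and not part of the thread: it builds the ordered list of queries a stub resolver sends for a name given the search list and `ndots`, following the classic res_search(3) rule (a name with at least `ndots` dots is tried as-is first, otherwise the search list goes first). The exact ordering is an assumption about libc behaviour, not a reading of OpenBSD's asr code; the search domain and TLDs are constructed.

```python
# Added example, not from the thread. Models the res_search(3) ordering
# rule (assumed, not verified against OpenBSD's asr resolver): a name with
# at least "ndots" dots is tried as an absolute name first and the search
# list second; a name with fewer dots goes through the search list first
# and is tried as-is only as a last resort.

def candidate_names(name, search, ndots=1):
    """Return the fully qualified names the resolver would query, in order."""
    if name.endswith("."):
        return [name]                      # absolute: search list never applied
    as_is = name + "."
    searched = [f"{name}.{dom.strip('.')}." for dom in search]
    if name.count(".") >= ndots:
        return [as_is] + searched
    return searched + [as_is]


def queries_public_first(name, search, ndots=1):
    """True when the absolute query is sent before any search-domain
    expansion, i.e. the name is resolved against the public root (and any
    newly delegated gTLD) before the local search domain gets a chance."""
    cands = candidate_names(name, search, ndots)
    return cands[0] == name.rstrip(".") + "."


# Constructed scenario: internal hosts live under example.org, and "wang"
# and "prod" have since been delegated as public gTLDs.
SEARCH = ["example.org"]

if __name__ == "__main__":
    for n, nd in (("wang", 1), ("wang", 0), ("host.prod", 1)):
        print(f"{n!r} ndots:{nd} -> {candidate_names(n, SEARCH, nd)}"
              f" public first: {queries_public_first(n, SEARCH, nd)}")
```

With the default `ndots:1` a one-word name still goes to the search domain first, so `ndots:0` (which sends every name to the public root first) is the opposite of what was asked for; `host.prod` already has one dot and is sent to the public `.prod` zone before `example.org` is ever tried.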



Re: simple way to block one word domains?

2014-12-10 Thread David Dahlberg
Am Dienstag, den 09.12.2014, 11:01 -0500 schrieb Ted Unangst:
> Curious if anyone knows a simple way to prevent resolution of one word
> hostnames.

Maybe I just think too simple here, but how about just switching on
DNSSEC ("auto-trust-anchor-file" in unbound.conf)?

David 

-- 
David Dahlberg 

Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845
Fraunhoferstr. 20, 53343 Wachtberg, Germany| Fax: +49-228-856277