Re: NAT replies not triggering pf rule

[Stuart Henderson]

On 2015-10-26, Giancarlo Razzolini  wrote:
> I suggest you move your match rules to the beginning of the ruleset and
> use log on them. So you can watch your pflog interface and see the
> packets being triggered. Also, you can (should) always use tags. Not
> only they make your ruleset "debugable", but any stray packet should hit
> a block rule (possibly logging it). I suspect your first three rules
> aren't matching because you're using the external interface. Try using
> the internal on them.

Also: have the first "action" rule block everything ("block log" probably).
Then you can be sure that all packets match one of your rules (and don't get
accepted by the implicit default 'pass flags any no state' rule).

Re: LPR/LPD does not run filters

[Stuart Henderson]

On 2015-10-25, Jona Joachim  wrote:
> Hi, 
> I was tired of CUPS so I decided keep it simple and stupid and use
> lpd/lpr. Strangely, things don't work out as expected. It seems that
> lpd never executes input filters.
>
> Here is the content of /etc/printcap:
> lp|hl6050|Brother HL6050:\
> :lp=:rm=hl6050.lan:\
> :if=/home/jaj/bin/printbrother.sh:\
> :sh:
>
> mg3150|canon|Canon MG3150:\
> :lp=:rm=canon.lan:\
> :if=/home/jaj/bin/printcanon.sh:\
> :sh:
>
> Here is the content of printcanon.sh:
> #!/bin/sh
>
> logger "printcanon called $@"
>
> /usr/local/bin/a2ps -BRq --columns=1 -o - | \
> /usr/local/bin/foomatic-rip -q -P Canon-PIXMA-MG3150 \
> --ppd /home/jaj/bin/Canon-PIXMA-MG3150-ijs-simplified.ppd
>
> printbrother.sh is the same except for driver and ppd.
> Both scripts are executable.
> I never see the "printcanon called" message in syslog and the printers
> get incorrect data. The first printer understands a subset of
> postscript so it prints fine, the second printer however does not.
> If I run a document manually through the filter and the enqueue it to
> lpr, the printers are more than happy to print.
>
> I see no error nowhere.
>
> $ cat /var/log/lpd-errs
> Oct 25 07:47:01 asterix lpd[9652]: restarted
> Oct 25 14:57:06 asterix lpd[17953]: restarted
>
> $ cat /var/spool/output/lpd/status
> sending to hl6050.lan
>
> I went through the code of lpd to see where things could go wrong but
> it's a bit complex and I couldn't understand the bits.
>
> Does anybody know where I could look to solve this?
>
> Best regards,
> Jona
>
>

Does the lpd user have permission to run those scripts? Maybe run lpd
under ktrace -i for more clues. lpd filters definitely worked in -current
as of April because I was using them for the music queue at p2k15.

Suggested 1000BASE-LX adapter

[Federico Giannici]

I have to install in an OpenBSD 5.8 amd64 a PCI-E ethernet card 
supporting 1000BASE-LX (i.e. 1Gbps with Single Mode Fiber).


Usually we use Intel cards (em driver) but I found that the only Intel 
LX card has a PCI-X bus!


What reliable LX NIC with PCI-E do you suggest?

Thanks.

Re: NAT replies not triggering pf rule

[Michael S. Keller]

On 10/27/15 3:42 AM, Stuart Henderson wrote:

On 2015-10-26, Giancarlo Razzolini  wrote:

I suggest you move your match rules to the beginning of the ruleset and
use log on them. So you can watch your pflog interface and see the
packets being triggered. Also, you can (should) always use tags. Not
only they make your ruleset "debugable", but any stray packet should hit
a block rule (possibly logging it). I suspect your first three rules
aren't matching because you're using the external interface. Try using
the internal on them.


Also: have the first "action" rule block everything ("block log" probably).
Then you can be sure that all packets match one of your rules (and don't get
accepted by the implicit default 'pass flags any no state' rule).



These are the rules that appear potentially to affect outgoing packets 
on the internal interface:


match inet from any to 192.168.1.62
block drop out on gem0 all
pass out on gem0 inet from any to 192.168.1.0/24 flags S/SA

Only traffic that initiates directly from the OpenBSD firewall triggers 
these rules. Neither web page loads (which traverse the NAT) nor SSH 
session replies increase the trigger counts on any of these three rules.


-Michael

Re: Unbound(8) error: could not set SSL_OP_NO_SSLv2

[Joel Sing]

On Monday 26 October 2015 10:42:01 Gerald Hanuer wrote:
>  Hello misc@,
> 
>  Unbound(8) in current errors out, not starting.
> 
>  This is not a bug report.
>  If this is known to devs@ please disregard.
> 
> 
>  /usr/bin/unbound -v
> 
>  Version 1.5.4
>  linked libs: libevent 1.4.15-stable (it uses kqueue), LibreSSL 2.3.1
>  linked modules: dns64 validator iterator
>  BSD licensed, see LICENSE in source package for details.
>  Report bugs to unbound-b...@nlnetlabs.nl
> 
> 
>  /usr/bin/unbound -v -v -d
> 
>  [1445853347] unbound[21343:0] notice: Start of unbound 1.5.4.
>  [1445853347] unbound[21343:0] debug: increased limit(open files) from
> 128 to 4140
>  [1445853347] unbound[21343:0] debug: creating udp4 socket 127.0.0.1 53
>  [1445853347] unbound[21343:0] debug: creating tcp4 socket 127.0.0.1 53
>  [1445853347] unbound[21343:0] error: could not set SSL_OP_NO_SSLv2 \
>  crypto error::lib(0):func(0):reason(0)
>  [1445853347] unbound[21343:0] fatal error: could not set up connect SSL_CTX

Thanks, this should now be fixed.

Re: NAT replies not triggering pf rule

[Giancarlo Razzolini]

Em 27-10-2015 09:37, Michael S. Keller escreveu:
> These are the rules that appear potentially to affect outgoing packets
> on the internal interface:
>
> match inet from any to 192.168.1.62
> block drop out on gem0 all
> pass out on gem0 inet from any to 192.168.1.0/24 flags S/SA
>
> Only traffic that initiates directly from the OpenBSD firewall
> triggers these rules. Neither web page loads (which traverse the NAT)
> nor SSH session replies increase the trigger counts on any of these
> three rules.

Since you seem to be unwilling to use tags, lets try to debug this
another way. Install and configure nfsen, create a pflow(4) interface
and set the default for every state to use pflow:

option state-defaults pflow

You will see every flow passing, incoming and leaving your firewall.
Since you mentioned that you're seeing the traffic on tcpdump, this can
make it easier to visualize where you're packets are going.

Cheers,
Giancarlo Razzolini

Re: NAT replies not triggering pf rule

[Stuart Henderson]

On 2015-10-27, Michael S. Keller  wrote:
> On 10/27/15 3:42 AM, Stuart Henderson wrote:
>> On 2015-10-26, Giancarlo Razzolini  wrote:
>>> I suggest you move your match rules to the beginning of the ruleset and
>>> use log on them. So you can watch your pflog interface and see the
>>> packets being triggered. Also, you can (should) always use tags. Not
>>> only they make your ruleset "debugable", but any stray packet should hit
>>> a block rule (possibly logging it). I suspect your first three rules
>>> aren't matching because you're using the external interface. Try using
>>> the internal on them.
>>
>> Also: have the first "action" rule block everything ("block log" probably).
>> Then you can be sure that all packets match one of your rules (and don't get
>> accepted by the implicit default 'pass flags any no state' rule).
>>
>
> These are the rules that appear potentially to affect outgoing packets 
> on the internal interface:
>
> match inet from any to 192.168.1.62
> block drop out on gem0 all
> pass out on gem0 inet from any to 192.168.1.0/24 flags S/SA
>
> Only traffic that initiates directly from the OpenBSD firewall triggers 
> these rules. Neither web page loads (which traverse the NAT) nor SSH 
> session replies increase the trigger counts on any of these three rules.
>
> -Michael
>
>

I mean literally

block log

then put your other rules after it. It is too much hassle to work out
if there are rules to cover every packet that might pass through the
system, putting 'block log' up-front makes it clear so that every
packet will have to match one of the rules in your ruleset, rather
than matching the invisible implicit default rule.

"match inet from any to 192.168.1.62" doesn't do anything. "match" is
a modifier for other rules ("log", "tag", "queue" are common things to
use in a match rule), but your match line doesn't make any changes.

Re: Suggested 1000BASE-LX adapter

[Stuart Henderson]

On 2015-10-27, Federico Giannici  wrote:
> On 10/27/15 15:31, Chris Cappuccio wrote:
>> Federico Giannici [giann...@neomedia.it] wrote:
>>> I have to install in an OpenBSD 5.8 amd64 a PCI-E ethernet card supporting
>>> 1000BASE-LX (i.e. 1Gbps with Single Mode Fiber).
>>>
>>> Usually we use Intel cards (em driver) but I found that the only Intel LX
>>> card has a PCI-X bus!
>>>
>>> What reliable LX NIC with PCI-E do you suggest?
>>>
>>
>> If you have trouble finding SFP versions of em cards, you can always try
>> SFP+ versions of ix cards. They work with 1Gbps SFP and are readily available
>> from several vendors.

I can confirm this works as of 5.8.

ix1: flags=8843 mtu 1500
media: Ethernet autoselect (1000baseLX full-duplex,rxpause,txpause)

In earlier releases you would have got 'Unsupported SFP+ Module' when
attaching the interface.

> We do have an ix card, the Intel X520-LR1.
> I read that it is supposed to work as 1000BASE-LX too but we were not 
> able to make it work! It never gives the link.
>
> If we try to set 1000BASE-LX as media type it gives error.
>
> isengard:/home/giannici> ifconfig ix2 media
> ix2: flags=8802 mtu 1500
>  lladdr 00:1b:21:91:5f:20
>  priority: 0
>  media: Ethernet autoselect
>  status: no carrier
>  supported media:
>  media 10GbaseLR mediaopt full-duplex
>  media autoselect
>
> Are you sure that it is supposed to work as 1000BASE-LX with OpenBSD 5.8?
>
> Thanks.
>
>

I think you're trying to use a 10GbaseLR SFP+ for this, that won't work -
you need an 1000baseLX SFP.

Re: Suggested 1000BASE-LX adapter

[Chris Cappuccio]

Federico Giannici [giann...@neomedia.it] wrote:
> 
> We do have an ix card, the Intel X520-LR1.
> I read that it is supposed to work as 1000BASE-LX too but we were not able
> to make it work! It never gives the link.
> 
> If we try to set 1000BASE-LX as media type it gives error.
> 
> isengard:/home/giannici> ifconfig ix2 media
> ix2: flags=8802 mtu 1500
> lladdr 00:1b:21:91:5f:20
> priority: 0
> media: Ethernet autoselect
> status: no carrier
> supported media:
> media 10GbaseLR mediaopt full-duplex
> media autoselect
> 
> Are you sure that it is supposed to work as 1000BASE-LX with OpenBSD 5.8?
> 

I've used it with various SuperMicro ix cards. Nothing quite as new as the X520.

Have you tried 'ifconfig up' ?

Re: Suggested 1000BASE-LX adapter

[Chris Cappuccio]

Federico Giannici [giann...@neomedia.it] wrote:
> On 10/27/15 16:17, Chris Cappuccio wrote:
> >Federico Giannici [giann...@neomedia.it] wrote:
> >>
> >>We do have an ix card, the Intel X520-LR1.
> >>I read that it is supposed to work as 1000BASE-LX too but we were not able
> >>to make it work! It never gives the link.
> >>
> >>If we try to set 1000BASE-LX as media type it gives error.
> >>
> >>isengard:/home/giannici> ifconfig ix2 media
> >>ix2: flags=8802 mtu 1500
> >> lladdr 00:1b:21:91:5f:20
> >> priority: 0
> >> media: Ethernet autoselect
> >> status: no carrier
> >> supported media:
> >> media 10GbaseLR mediaopt full-duplex
> >> media autoselect
> >>
> >>Are you sure that it is supposed to work as 1000BASE-LX with OpenBSD 5.8?
> >>
> >
> >I've used it with various SuperMicro ix cards. Nothing quite as new as the 
> >X520.
> >
> >Have you tried 'ifconfig up' ?
> 
> Yes, nothing changes...

Well this doesn't bode well for my original idea :)

These SuperMicro single and dual port work with Cisco LX/LH SFPs:

ix0 at pci2 dev 0 function 0 "Intel 82599" rev 0x01: msi, address 
6c:b3:11:3b:43:4b
ix1 at pci2 dev 0 function 1 "Intel 82599" rev 0x01: msi, address 
6c:b3:11:3b:43:4d

ix0 at pci1 dev 0 function 0 "Intel 82599EN" rev 0x01: msi, address 
00:25:90:e1:c2:dd

Chris

Re: Suggested 1000BASE-LX adapter

[Federico Giannici]

On 10/27/15 16:17, Chris Cappuccio wrote:

Federico Giannici [giann...@neomedia.it] wrote:


We do have an ix card, the Intel X520-LR1.
I read that it is supposed to work as 1000BASE-LX too but we were not able
to make it work! It never gives the link.

If we try to set 1000BASE-LX as media type it gives error.

isengard:/home/giannici> ifconfig ix2 media
ix2: flags=8802 mtu 1500
 lladdr 00:1b:21:91:5f:20
 priority: 0
 media: Ethernet autoselect
 status: no carrier
 supported media:
 media 10GbaseLR mediaopt full-duplex
 media autoselect

Are you sure that it is supposed to work as 1000BASE-LX with OpenBSD 5.8?



I've used it with various SuperMicro ix cards. Nothing quite as new as the X520.

Have you tried 'ifconfig up' ?


Yes, nothing changes...

Re: Suggested 1000BASE-LX adapter

[Federico Giannici]

On 10/27/15 15:31, Chris Cappuccio wrote:

Federico Giannici [giann...@neomedia.it] wrote:

I have to install in an OpenBSD 5.8 amd64 a PCI-E ethernet card supporting
1000BASE-LX (i.e. 1Gbps with Single Mode Fiber).

Usually we use Intel cards (em driver) but I found that the only Intel LX
card has a PCI-X bus!

What reliable LX NIC with PCI-E do you suggest?



If you have trouble finding SFP versions of em cards, you can always try
SFP+ versions of ix cards. They work with 1Gbps SFP and are readily available
from several vendors.


We do have an ix card, the Intel X520-LR1.
I read that it is supposed to work as 1000BASE-LX too but we were not 
able to make it work! It never gives the link.


If we try to set 1000BASE-LX as media type it gives error.

isengard:/home/giannici> ifconfig ix2 media
ix2: flags=8802 mtu 1500
lladdr 00:1b:21:91:5f:20
priority: 0
media: Ethernet autoselect
status: no carrier
supported media:
media 10GbaseLR mediaopt full-duplex
media autoselect

Are you sure that it is supposed to work as 1000BASE-LX with OpenBSD 5.8?

Thanks.

Re: Suggested 1000BASE-LX adapter

[Federico Giannici]

On 10/27/15 16:33, Stuart Henderson wrote:

On 2015-10-27, Federico Giannici  wrote:

On 10/27/15 15:31, Chris Cappuccio wrote:

Federico Giannici [giann...@neomedia.it] wrote:

I have to install in an OpenBSD 5.8 amd64 a PCI-E ethernet card supporting
1000BASE-LX (i.e. 1Gbps with Single Mode Fiber).

Usually we use Intel cards (em driver) but I found that the only Intel LX
card has a PCI-X bus!

What reliable LX NIC with PCI-E do you suggest?



If you have trouble finding SFP versions of em cards, you can always try
SFP+ versions of ix cards. They work with 1Gbps SFP and are readily available
from several vendors.


I can confirm this works as of 5.8.

ix1: flags=8843 mtu 1500
 media: Ethernet autoselect (1000baseLX full-duplex,rxpause,txpause)

In earlier releases you would have got 'Unsupported SFP+ Module' when
attaching the interface.


Yes, I saw that change in the ix source, so I expected the 5.8 to make 
it work, but it didn't...




We do have an ix card, the Intel X520-LR1.
I read that it is supposed to work as 1000BASE-LX too but we were not
able to make it work! It never gives the link.

If we try to set 1000BASE-LX as media type it gives error.

isengard:/home/giannici> ifconfig ix2 media
ix2: flags=8802 mtu 1500
  lladdr 00:1b:21:91:5f:20
  priority: 0
  media: Ethernet autoselect
  status: no carrier
  supported media:
  media 10GbaseLR mediaopt full-duplex
  media autoselect

Are you sure that it is supposed to work as 1000BASE-LX with OpenBSD 5.8?

Thanks.




I think you're trying to use a 10GbaseLR SFP+ for this, that won't work -
you need an 1000baseLX SFP.


I tried with a couple of different 1000baseLX SFPs.
Now I'm waiting for a Cisco one, as Chris said these worked for him...

Thanks.

Re: Suggested 1000BASE-LX adapter

[Stuart Henderson]

On 2015-10-27, Federico Giannici  wrote:
> On 10/27/15 16:33, Stuart Henderson wrote:
>> On 2015-10-27, Federico Giannici  wrote:
>>> On 10/27/15 15:31, Chris Cappuccio wrote:
 Federico Giannici [giann...@neomedia.it] wrote:
> I have to install in an OpenBSD 5.8 amd64 a PCI-E ethernet card supporting
> 1000BASE-LX (i.e. 1Gbps with Single Mode Fiber).
>
> Usually we use Intel cards (em driver) but I found that the only Intel LX
> card has a PCI-X bus!
>
> What reliable LX NIC with PCI-E do you suggest?
>

 If you have trouble finding SFP versions of em cards, you can always try
 SFP+ versions of ix cards. They work with 1Gbps SFP and are readily 
 available
 from several vendors.
>>
>> I can confirm this works as of 5.8.
>>
>> ix1: flags=8843 mtu 1500
>>  media: Ethernet autoselect (1000baseLX full-duplex,rxpause,txpause)
>>
>> In earlier releases you would have got 'Unsupported SFP+ Module' when
>> attaching the interface.
>
> Yes, I saw that change in the ix source, so I expected the 5.8 to make 
> it work, but it didn't...
>
>
>>> We do have an ix card, the Intel X520-LR1.
>>> I read that it is supposed to work as 1000BASE-LX too but we were not
>>> able to make it work! It never gives the link.
>>>
>>> If we try to set 1000BASE-LX as media type it gives error.
>>>
>>> isengard:/home/giannici> ifconfig ix2 media
>>> ix2: flags=8802 mtu 1500
>>>   lladdr 00:1b:21:91:5f:20
>>>   priority: 0
>>>   media: Ethernet autoselect
>>>   status: no carrier
>>>   supported media:
>>>   media 10GbaseLR mediaopt full-duplex
>>>   media autoselect
>>>
>>> Are you sure that it is supposed to work as 1000BASE-LX with OpenBSD 5.8?
>>>
>>> Thanks.
>>>
>>>
>>
>> I think you're trying to use a 10GbaseLR SFP+ for this, that won't work -
>> you need an 1000baseLX SFP.
>
> I tried with a couple of different 1000baseLX SFPs.
> Now I'm waiting for a Cisco one, as Chris said these worked for him...
>
> Thanks.
>
>

FWIW I used an HP-coded flexoptix (reason for choosing that was so I could
move it to a switch if the ix(4) plan didn't work out).

How does your full dmesg look?

Maybe try building with IX_DEBUG defined and see if that gives clues?
Or change '#define DBG 0' to 1 in ixgbe.h?

top crash - pledge issue?

[Mike]

OpenBSD 5.8-current (GENERIC) #1: Tue Oct 27 12:31:10 EDT 2015
m...@otest.24cl.home:/usr/src/sys/arch/amd64/compile/GENERIC


I didn't see anything in current.html that may affect this.

I downloaded the Oct 20 snapshot.  Then I updated the source to current
this morning.  After the build, top crashes immediately upon invocation.

# top
Abort (core dumped)


In messages.log, I see two lines:

Oct 27 14:52:22 otest /bsd: top(12603): sysctl 2: 1 40 -2129088583 -1
981777920 -255

Oct 27 14:52:22 otest /bsd: top(12603): syscall 202 "stdio"


which looks like it may be pledge output.

If I need to do something else to track this let me know.  I can make
the core dump available to download, if needed.

thx.

Re: relayd as a reverse-proxy in front of OpenBSD httpd + custom Golang httpd

[Hiltjo Posthuma]

On Sun, Oct 25, 2015 at 7:30 PM, Hiltjo Posthuma 
wrote:
> My /etc/relayd.conf looked something like this:
>
> table  { 127.0.0.1 }
>
> http protocol "protmyapp" {
> return error
>
> # TODO: forward non-matching traffic to standard httpd.
> match request header "Host" value "someapp.mydomain.*"
> }
>
> relay "myapp" {
> listen on 0.0.0.0 port 80
> protocol "protmyapp"
> forward to  port 8081
> }
>

I figured it out, I overlooked in relayd.conf(5) FILTER RULES:

"forward to ⟨table⟩ Forward the request to a server in the specified
table. With this option, requests can be passed to specific backend
servers. -> A corresponding forward to declaration in the RELAYS
section is required. <-".

In case someone wants to do a similar thing the working relayd.conf is
(simplified):

table  { 127.0.0.1 }
table  { 127.0.0.1 }

http protocol "protsomeapp" {
match request quick header "Host" value "someapp.mydomain.*" \
forward to 
}

relay "someapp" {
listen on 0.0.0.0 port 80
protocol "protsomeapp"

forward to  port 8080
forward to  port 8081
}

Kind regards / hope this helps someone,
Hiltjo

Re: What hardware spec would I need to push 20 gigabit of network traffic on an OpenBSD server?

[Adam Thompson]

On 15-10-25 03:46 AM, Some Developer wrote:
I'm just wondering what hardware spec I'd need push 20 gigabits of 
network traffic on an OpenBSD server?


Short answer:  It's not generally possible today, at least for your use 
case.


Medium answer:  Contact Esdenera Networks to find out.  They manage to 
do it somehow.  I'm sure they'll be happy to make it happen for you in 
exchange for suitable amounts of money...



Longer answer:

Network performance research numbers have presented by gnn at various 
conferences over the last year or so, and they consistently showed that 
OpenBSD, while performing well for a single-threaded stack, fell badly 
behind in multi-core, and wasn't able to keep up to 10Gbps.  The OpenBSD 
team is (currently, AFAIK) working on making the network stack 
multi-threaded, or at least not giant-locked, which should (eventually) 
dramatically increase performance scalability.


On top of that, there are substantial optimizations possible; research 
in the FreeBSD camp (and experience under OpenBSD as well) has shown 
that seemingly-similar hardware can perform radically differently.  
Drivers make a big difference.


You talk about storing the data - *writing* data to disk at 10Gbps 
(sustained) is currently in the realm of high-energy physics, with 
multi-million-dollar budgets for the storage arrays.  A 7200rpm disk can 
charitably be said to write at up to 100MBytes/sec, but that's not 
necessarily sustained speed, so minimum 10-unit array assuming 100% 
ideal throughput, which doesn't actually exist in the real world.  More 
likely you'd have to buy a large HDS array to get that kind of 
throughput.  Plus, that's about 2.5PB (yes, PETAbytes) of data every 
month.  Are you building this for the NSA?!?


You do realize that this means you're now trying to push *30* Gbits/sec 
on a single server, right?  (10 in, 10 out, 10 logged) Even Netflix, who 
spend a ridiculous amount of time doing optimization, have only recently 
gotten FreeBSD servers with tons of custom code and tweaks to pass the 
65Gbps-per-socket mark.


Lastly, Gbits/sec isn't the bottleneck.  The bottleneck is 
packets-per-second.  If you're pushing 10Gbps worth of 1500-byte 
packets, then this is possible today. (Not sure about 30Gbps.)  If 
you're trying to push 10Gbps worth of 64-byte packets on commodity 
hardware, forget about this pipe dream for another few years until the 
fully-MP network stack is finished and optimized.


Good luck... but you might want to consider doing this on a Juniper MX 
series or Cisco ASR instead - those platforms can at least maybe do the 
tunnelling part for around $250k, then feed the output into a 10GE 
switch with port mirroring (~$10k), then a Network Flight Recorder or 
similar to actually capture that much data (~$150k).


-Adam

Re: LPR/LPD does not run filters

[Jona Joachim]

On 2015-10-27, Stuart Henderson  wrote:
> On 2015-10-25, Jona Joachim  wrote:
>> Hi, 
>> I was tired of CUPS so I decided keep it simple and stupid and use
>> lpd/lpr. Strangely, things don't work out as expected. It seems that
>> lpd never executes input filters.
>>
>> Here is the content of /etc/printcap:
>> lp|hl6050|Brother HL6050:\
>> :lp=:rm=hl6050.lan:\
>> :if=/home/jaj/bin/printbrother.sh:\
>> :sh:
>>
>> mg3150|canon|Canon MG3150:\
>> :lp=:rm=canon.lan:\
>> :if=/home/jaj/bin/printcanon.sh:\
>> :sh:
>>
>> Here is the content of printcanon.sh:
>> #!/bin/sh
>>
>> logger "printcanon called $@"
>>
>> /usr/local/bin/a2ps -BRq --columns=1 -o - | \
>> /usr/local/bin/foomatic-rip -q -P Canon-PIXMA-MG3150 \
>> --ppd /home/jaj/bin/Canon-PIXMA-MG3150-ijs-simplified.ppd
>>
>> printbrother.sh is the same except for driver and ppd.
>> Both scripts are executable.
>> I never see the "printcanon called" message in syslog and the printers
>> get incorrect data. The first printer understands a subset of
>> postscript so it prints fine, the second printer however does not.
>> If I run a document manually through the filter and the enqueue it to
>> lpr, the printers are more than happy to print.
>>
>> I see no error nowhere.
>>
>> $ cat /var/log/lpd-errs
>> Oct 25 07:47:01 asterix lpd[9652]: restarted
>> Oct 25 14:57:06 asterix lpd[17953]: restarted
>>
>> $ cat /var/spool/output/lpd/status
>> sending to hl6050.lan
>>
>> I went through the code of lpd to see where things could go wrong but
>> it's a bit complex and I couldn't understand the bits.
>>
>> Does anybody know where I could look to solve this?
>>
>> Best regards,
>> Jona
>>
>>
>
> Does the lpd user have permission to run those scripts? Maybe run lpd
> under ktrace -i for more clues. lpd filters definitely worked in -current
> as of April because I was using them for the music queue at p2k15.

I found out that it is related to using 'rm' instead of 'lp'. It
executes filters if I set lp=5...@hl6050.lan. It does not if I set
rm=hl6050.lan.

Re: LPR/LPD does not run filters

[Jona Joachim]

On 2015-10-27, Stuart Henderson  wrote:
> On 2015-10-25, Jona Joachim  wrote:
>> Hi, 
>> I was tired of CUPS so I decided keep it simple and stupid and use
>> lpd/lpr. Strangely, things don't work out as expected. It seems that
>> lpd never executes input filters.
>>
>> Here is the content of /etc/printcap:
>> lp|hl6050|Brother HL6050:\
>> :lp=:rm=hl6050.lan:\
>> :if=/home/jaj/bin/printbrother.sh:\
>> :sh:
>>
>> mg3150|canon|Canon MG3150:\
>> :lp=:rm=canon.lan:\
>> :if=/home/jaj/bin/printcanon.sh:\
>> :sh:
>>
>> Here is the content of printcanon.sh:
>> #!/bin/sh
>>
>> logger "printcanon called $@"
>>
>> /usr/local/bin/a2ps -BRq --columns=1 -o - | \
>> /usr/local/bin/foomatic-rip -q -P Canon-PIXMA-MG3150 \
>> --ppd /home/jaj/bin/Canon-PIXMA-MG3150-ijs-simplified.ppd
>>
>> printbrother.sh is the same except for driver and ppd.
>> Both scripts are executable.
>> I never see the "printcanon called" message in syslog and the printers
>> get incorrect data. The first printer understands a subset of
>> postscript so it prints fine, the second printer however does not.
>> If I run a document manually through the filter and the enqueue it to
>> lpr, the printers are more than happy to print.
>>
>> I see no error nowhere.
>>
>> $ cat /var/log/lpd-errs
>> Oct 25 07:47:01 asterix lpd[9652]: restarted
>> Oct 25 14:57:06 asterix lpd[17953]: restarted
>>
>> $ cat /var/spool/output/lpd/status
>> sending to hl6050.lan
>>
>> I went through the code of lpd to see where things could go wrong but
>> it's a bit complex and I couldn't understand the bits.
>>
>> Does anybody know where I could look to solve this?
>>
>> Best regards,
>> Jona
>>
>>
>
> Does the lpd user have permission to run those scripts? Maybe run lpd
> under ktrace -i for more clues. lpd filters definitely worked in -current
> as of April because I was using them for the music queue at p2k15.

Well, specifying 'lp' instead of 'rm' does make it run filters, but the job
is not sent to the printer, even when I use the port@host format from
the man page. As soon as I set 'rm', filters are no longer executed.

Re: top crash - pledge issue?

[Ricardo Mestre]

Hi people,

I can confirm this regress, just updated the kernel and top and had the 
same issue, but this diff seems to solve it, I just don't know if it's 
the right place to put it or not:


Index: kern_pledge.c
===
RCS file: /cvs/src/sys/kern/kern_pledge.c,v
retrieving revision 1.80
diff -u -p -u -r1.80 kern_pledge.c
--- kern_pledge.c   26 Oct 2015 17:52:19 -  1.80
+++ kern_pledge.c   27 Oct 2015 19:32:09 -
@@ -911,6 +911,9 @@ pledge_sysctl_check(struct proc *p, int
if (miblen == 3 &&  /* kern.cptime2 */
mib[0] == CTL_KERN && mib[1] == KERN_CPTIME2)
return (0);
+   if (miblen == 2 &&  /* kern.cp_time */
+   mib[0] == CTL_KERN && mib[1] == KERN_CPTIME)
+   return (0);
}

if ((p->p_p->ps_pledge & PLEDGE_PS)) {

Best regards,
Ricardo Mestre

On 27/10/2015 19:00, Mike wrote:

OpenBSD 5.8-current (GENERIC) #1: Tue Oct 27 12:31:10 EDT 2015
 m...@otest.24cl.home:/usr/src/sys/arch/amd64/compile/GENERIC


I didn't see anything in current.html that may affect this.

I downloaded the Oct 20 snapshot.  Then I updated the source to current
this morning.  After the build, top crashes immediately upon invocation.

# top
Abort (core dumped)


In messages.log, I see two lines:

Oct 27 14:52:22 otest /bsd: top(12603): sysctl 2: 1 40 -2129088583 -1
981777920 -255

Oct 27 14:52:22 otest /bsd: top(12603): syscall 202 "stdio"


which looks like it may be pledge output.

If I need to do something else to track this let me know.  I can make
the core dump available to download, if needed.

thx.

Re: What hardware spec would I need to push 20 gigabit of network traffic on an OpenBSD server?

[Martin Schröder]

2015-10-27 20:24 GMT+01:00 Adam Thompson :
> You talk about storing the data - *writing* data to disk at 10Gbps
> (sustained) is currently in the realm of high-energy physics, with
> multi-million-dollar budgets for the storage arrays.  A 7200rpm disk can

And then there are SSDs. PCIE SSDs do up to 3000 MB/s write throughput.
https://www-ssl.intel.com/content/www/us/en/solid-state-drives/solid-state-drives-dc-p3608-series.html

And I'm sure there are tape libraries that can write that, too. :-)

Best
   Martin

Re: What hardware spec would I need to push 20 gigabit of network traffic on an OpenBSD server?

[Daniel Melameth]

On Sun, Oct 25, 2015 at 2:46 AM, Some Developer
 wrote:
> I'm just wondering what hardware spec I'd need push 20 gigabits of network
> traffic on an OpenBSD server?

As someone else mentioned, this is likely not possible today.

> The thing is I want to log all traffic on the server for that so I'm not
> sure how that will affect performance of the server. Obviously I'll need a
> large storage pool to store the data but I'll use syslog to write to an
> external logging server which will then save the logging data to a large SAN
> of some description.

I recommend looking into NetFlow/IPFIX, which is supported in most
places including OpenBSD.

Re: What hardware spec would I need to push 20 gigabit of network traffic on an OpenBSD server?

[jungle Boogie]

On 27 October 2015 at 12:53, Martin Schröder  wrote:
> 2015-10-27 20:24 GMT+01:00 Adam Thompson :
>> You talk about storing the data - *writing* data to disk at 10Gbps
>> (sustained) is currently in the realm of high-energy physics, with
>> multi-million-dollar budgets for the storage arrays.  A 7200rpm disk can
>
> And then there are SSDs. PCIE SSDs do up to 3000 MB/s write throughput.
>
https://www-ssl.intel.com/content/www/us/en/solid-state-drives/solid-state-dr
ives-dc-p3608-series.html
>
> And I'm sure there are tape libraries that can write that, too. :-)
>
> Best


So he would need 600+ 4.0TB drives to keep 2.5TB of data for a month.

--
---
inum: 883510009027723
sip: jungleboo...@sip2sip.info
xmpp: jungle-boo...@jit.si

Re: LPR/LPD does not run filters

[Antoine Jacoutot]

> Well, specifying 'lp' instead of 'rm' does make it run filters, but the job
p is not sent to the printer, even when I use the port@host format from
> the man page. As soon as I set 'rm', filters are no longer executed.

It's all documented in /usr/local/share/doc/pkg-readmes/cups-filters-*

Extract:

lpd(8): network printer printcap(5) example
---
rp|samsung|Samsung-ML-2850D:\
:lp=9100@1.2.3.4:\
:if=/path/to/script.sh:\
:sd=/var/spool/output:\
:lf=/var/log/lpd-errs:\
:sh:
(where 1.2.3.4 is the printer IP address and 9100 the printer stream port)

foomatic-rip(1) does *not* speak LPD (port 515).
If the printer does not support raw printing over port 9100, it must be
setup locally on a print server (see above for an example using USB)
then accessed over LPD by the clients (there is no need to setup any
print filter on the clients since it will run on the print server).

-- 
Antoine

[OT] Re: What hardware spec would I need to push 20 gigabit of network traffic on an OpenBSD server?

[Adam Thompson]

On 15-10-27 02:53 PM, Martin Schröder wrote:

And then there are SSDs. PCIE SSDs do up to 3000 MB/s write throughput.
https://www-ssl.intel.com/content/www/us/en/solid-state-drives/solid-state-drives-dc-p3608-series.html

And I'm sure there are tape libraries that can write that, too. :-)

I disregarded that part, based on the unsustainable assumptions elsewhere.
Plus, how much would 2.5PB of PCIe SSD cost?!?!?

As to tape libraries... interesting idea.  An LTO-6 drive can write at 
~160MBytes/sec, and that's pretty much the top end of 
generally-available tape drives today, so you'd still need an 8-drive 
RAIT-0 setup.  After taking into account library changer latency, I'd 
guess you'd need a custom buffering solution, maybe one system to shard 
the data, then ~10 systems to buffer the data to ~10 tape drives with a 
big enough buffer to sustain the ~2-4min it can take to eject and load a 
new tape in a big library.  Perhaps that's where the PCIe SSDs come in? :-)
(10Gbits/sec ~= 1 Gbyte/sec ~= 60 Gbytes/min... you could probably get 
away with a 256MB SSD)


A 12-drive StorageTek LTO6 library with ~1000 tapes costs around $2M 
last I heard, but at least the tape cost is reasonable once you get 
going.  Of course, you also need the multi-path FC networking gear for 
that, and I think OpenBSD just dropped FC support.


An alternative might be a z-series mainframe, I hear they have massive 
I/O capabilities.  But they don't (AFAIK) run OpenBSD.


-Adam

Re: What hardware spec would I need to push 20 gigabit of network traffic on an OpenBSD server?

[Stuart Henderson]

Simply forwarding 10Gb/s is a tall order. Decapsulating 10Gb/s of l2tp I think
is probably some way off. Doing all that plus logging full packets, nope.

What do you actually need to log? Full packets? Flows? Sampled packets?
Can the traffic be split up to multiple machines?

KDE 3 "System":/remote" "Add a network folder" error

[Notofsoundmind .]

I apologize in advance.  I hope this is the correct list to post this
question.
I have come across a small problem in KDE 3.  I just installed and patched
5.8
and added KDE 3.  I opened the "system:/" desktop config file and clicked
on "Add a network folder".  What I get is an error window that states
"Failed to add a plugin to the panel" "No running instance of xfce4-panel
was found".  If I copy and paste the "Add a network folder" desktop config
file from the system:/remote directory onto the desktop and click on it, it
will bring up knetattach as per usual.  I can't find anything in a Google
search or in any of the mailing list archives.  Any ideas?

dmesg:
OpenBSD 5.8 (GENERIC) #1170: Sun Aug 16 02:26:00 MDT 2015
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 1056636928 (1007MB)
avail mem = 1020821504 (973MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.3 @ 0xf906f (4 entries)
bios0: vendor American Megatrends Inc. version "P2.40" date 07/16/2007
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC OEMB
acpi0: wakeup devices PS2K(S4) PS2M(S4) UAR1(S4) USB0(S4) MAC_(S5) AC97(S4)
USB1(S4) USB2(S4) P0P1(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Athlon(tm) 64 Processor 3000+, 2010.03 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW,LAHF
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB
64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: AMD erratum 89 present, BIOS upgrade may be required
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 200MHz
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 11, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 1
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 2 (P0P1)
acpicpu0 at acpi0: C1(@1 halt!), PSS
acpipwrres0 at acpi0: ISAV, resource for IDE0
acpibtn0 at acpi0: PWRB
cpu0: Cool'n'Quiet K8 2010 MHz: speeds: 2000 1800 1000 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "NVIDIA nForce3 250 PCI Host" rev 0xa1
agp at pchb0 not configured
pcib0 at pci0 dev 1 function 0 "NVIDIA nForce3 250 ISA" rev 0xa2
nviic0 at pci0 dev 1 function 1 "NVIDIA nForce3 250 SMBus" rev 0xa1
iic0 at nviic0
spdmem0 at iic0 addr 0x50: 1GB DDR SDRAM non-parity PC3200CL3.0
iic1 at nviic0
ohci0 at pci0 dev 2 function 0 "NVIDIA nForce3 250 USB" rev 0xa1: apic 1
int 9, version 1.0, legacy support
ohci1 at pci0 dev 2 function 1 "NVIDIA nForce3 250 USB" rev 0xa1: apic 1
int 5, version 1.0, legacy support
ehci0 at pci0 dev 2 function 2 "NVIDIA nForce3 250 USB" rev 0xa2: apic 1
int 3
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "NVIDIA EHCI root hub" rev 2.00/1.00 addr 1
nfe0 at pci0 dev 5 function 0 "NVIDIA nForce3 LAN" rev 0xa2: apic 1 int 9,
address 00:19:66:54:59:33
rlphy0 at nfe0 phy 1: RTL8201L 10/100 PHY, rev. 1
auich0 at pci0 dev 6 function 0 "NVIDIA nForce3 250 AC97" rev 0xa1: apic 1
int 9, nForce3 AC97
ac97: codec id 0x414c4790 (Avance Logic ALC850 rev 0)
audio0 at auich0
pciide0 at pci0 dev 8 function 0 "NVIDIA nForce3 250 IDE" rev 0xa2: DMA,
channel 0 configured to compatibility, channel 1 configured to compatibility
pciide0: channel 0 disabled (no drives)
atapiscsi0 at pciide0 channel 1 drive 1
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0:  ATAPI
5/cdrom removable
cd0(pciide0:1:1): using PIO mode 4, Ultra-DMA mode 2
pciide1 at pci0 dev 10 function 0 "NVIDIA nForce3 250 SATA" rev 0xa2: DMA
pciide1: using apic 1 int 10 for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0: 
wd0: 16-sector PIO, LBA48, 76319MB, 156301488 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 5
ppb0 at pci0 dev 11 function 0 "NVIDIA nForce3 250 AGP" rev 0xa2
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "NVIDIA GeForce FX 5500" rev 0xa1
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb1 at pci0 dev 14 function 0 "NVIDIA nForce3 250" rev 0xa2
pci2 at ppb1 bus 2
rl0 at pci2 dev 5 function 0 "Realtek 8139" rev 0x10: apic 1 int 9, address
00:e0:52:9d:a1:08
rlphy1 at rl0 phy 0: RTL internal PHY
pchb1 at pci0 dev 24 function 0 "AMD AMD64 0Fh HyperTransport" rev 0x00
pchb2 at pci0 dev 24 function 1 "AMD AMD64 0Fh Address Map" rev 0x00
pchb3 at pci0 dev 24 function 2 "AMD AMD64 0Fh DRAM Cfg" rev 0x00
kate0 at pci0 dev 24 function 3 "AMD AMD64 0Fh Misc Cfg" rev 0x00
isa0 at pcib0
isadma0 at isa0
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5 

OpenBSD 5.8 and IPv6 forwarding doesn't seem to be working

[Daniel Corbe]

I'm not sure what I missed here so I would appreciate it if someone would
hit me with a clue bat.

My OpenBSD firewall is acting as a DHCPv6-PD client and successfully
getting IP information:

My outside interface:

vlan9: flags=208843 mtu
1500
lladdr 00:1e:37:d6:00:ad
priority: 0
vlan: 9 parent interface: em0
groups: vlan egress
status: active
inet 73.12.6.33 netmask 0xfe00 broadcast 73.12.7.255
inet6 fe80::21e:37ff:fed6:ad%vlan9 prefixlen 64 scopeid 0x6
inet6 2001:558:6036:5a:2cb5:eab1:8726:104c prefixlen 128 pltime
344957 vltime 344957

My inside interface:

vlan10: flags=8843 mtu 1500
lladdr 00:1e:37:d6:00:ad
priority: 0
vlan: 10 parent interface: em0
groups: vlan
status: active
inet 10.64.14.1 netmask 0xff00 broadcast 10.64.14.255
inet6 fe80::21e:37ff:fed6:ad%vlan10 prefixlen 64 scopeid 0x5
inet6 2601:5ce:101:5350:21e:37ff:fed6:ad prefixlen 64

I can reach things from the OpenBSD box itself:

# ping6 www.google.com
PING6(72=40+8+24 bytes) 2601:5ce:101:5350:21e:37ff:fed6:ad -->
2607:f8b0:4004:809::1010
32 bytes from 2607:f8b0:4004:809::1010, icmp_seq=0 hlim=56 time=17.318 ms
32 bytes from 2607:f8b0:4004:809::1010, icmp_seq=1 hlim=56 time=17.933 ms
32 bytes from 2607:f8b0:4004:809::1010, icmp_seq=2 hlim=56 time=16.289 ms
32 bytes from 2607:f8b0:4004:809::1010, icmp_seq=3 hlim=56 time=16.240 ms
^C
--- www.google.com ping6 statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 16.240/16.945/17.933/0.714 ms

I have IPv6 forwarding enabled:

# sysctl -a | grep forwarding
net.inet.ip.forwarding=1
net.inet.ip.mforwarding=0
net.inet6.ip6.forwarding=1
net.inet6.ip6.mforwarding=0

My PF ruleset:

# pfctl -s all
FILTER RULES:
pass in on vlan9 inet from any to 73.12.6.0/23 flags S/SA
pass out on vlan9 inet from 73.12.6.0/23 to any flags S/SA
pass out on vlan9 inet from 10.64.14.0/24 to any flags S/SA nat-to
73.12.6.33
pass in quick inet6 all flags S/SA
pass out quick inet6 all flags S/SA
pass quick inet6 proto ipv6-icmp all

I have rtadv turned on and my client machine gets IPv6:

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : corbe.net
   Description . . . . . . . . . . . : Intel(R) 82579V Gigabit Network
Connection
   Physical Address. . . . . . . . . : 74-D0-2B-27-BE-B3
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . :
2601:5ce:101:5350:28af:3026:cf75:988c(Preferred)
   Temporary IPv6 Address. . . . . . :
2601:5ce:101:5350:1dd6:cc0e:98b:50a9(Preferred)
   Link-local IPv6 Address . . . . . :
fe80::28af:3026:cf75:988c%7(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.64.14.13(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, October 27, 2015 10:48:18 PM
   Lease Expires . . . . . . . . . . : Wednesday, October 28, 2015 10:48:19
AM
   Default Gateway . . . . . . . . . : fe80::21e:37ff:fed6:ad%7
   10.64.14.1
   DHCP Server . . . . . . . . . . . : 10.64.14.1
   DHCPv6 IAID . . . . . . . . . . . : 91541547
   DHCPv6 Client DUID. . . . . . . . :
00-01-00-01-1D-C1-F8-6C-74-D0-2B-27-BE-B3
   DNS Servers . . . . . . . . . . . : 8.8.8.8
   4.2.2.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

IPv6 Route Table
===
Active Routes:
 If Metric Network Destination  Gateway
  7276 ::/0 fe80::21e:37ff:fed6:ad
  1306 ::1/128  On-link
  2306 2001::/32On-link
  2306 2001:0:5ef5:79fb:ca8:3fdf:f5bf:f1f2/128
On-link
  7276 2601:5ce:101:5350::/64   On-link
  7276 2601:5ce:101:5350:1dd6:cc0e:98b:50a9/128
On-link
  7276 2601:5ce:101:5350:28af:3026:cf75:988c/128
On-link
  7276 fe80::/64On-link
  2306 fe80::/64On-link
  2306 fe80::ca8:3fdf:f5bf:f1f2/128
On-link
  7276 fe80::28af:3026:cf75:988c/128
On-link
  1306 ff00::/8 On-link
  7276 ff00::/8 On-link
  2306 ff00::/8 On-link
===
Persistent Routes:
  None

But I can't ping out or do anything on the client:

C:\Users\dcorbe>ping ipv6.cybernode.com

Pinging ipv6.cybernode.com [2001:470:1:1b9::31] with 32 bytes of data:
Control-C
^C
C:\Users\dcorbe>tracert 2601:5ce:101:5350:21e:37ff:fed6:ad

Tracing route to 2601:5ce:101:5350:21e:37ff:fed6:ad over a maximum of 30
hops

  1  

Re: Suggested 1000BASE-LX adapter

[Chris Cappuccio]

Federico Giannici [giann...@neomedia.it] wrote:
> I have to install in an OpenBSD 5.8 amd64 a PCI-E ethernet card supporting
> 1000BASE-LX (i.e. 1Gbps with Single Mode Fiber).
> 
> Usually we use Intel cards (em driver) but I found that the only Intel LX
> card has a PCI-X bus!
> 
> What reliable LX NIC with PCI-E do you suggest?
> 

If you have trouble finding SFP versions of em cards, you can always try
SFP+ versions of ix cards. They work with 1Gbps SFP and are readily available
from several vendors.

Chris

Re: Suggested 1000BASE-LX adapter

[David Dahlberg]

Am Dienstag, den 27.10.2015, 13:01 +0100 schrieb Federico Giannici:
> I have to install in an OpenBSD 5.8 amd64 a PCI-E ethernet card 
> supporting 1000BASE-LX (i.e. 1Gbps with Single Mode Fiber).
> 
> Usually we use Intel cards (em driver) but I found that the only Intel
> LX card has a PCI-X bus!

We have a couple of those, they are em(4), I used them with 1000BASE-
LX10 SFPs of the same vendor:

http://www.allnet.de/en/allnet-brand/produkte/switches/netzwerkkarten/p/
allnet-all0130-2sfp-pcie-1000m-dual-sfp-fiber-card-adapter-lc-fiber-
opticef/


> What reliable LX NIC with PCI-E do you suggest?

I cannot really tell you anything about the reliability. I have not
tried to stress them yet, nor did I use those NICs continuously over a
prolonged period.

David