isakmpd listen address
Hello, I can't seem to find an option in isakmpd in order to have it listen only on one interface or IP address respectively. Is there an option for that I am not aware of? I just saw the -p option but that's for the port number. Thanks, M.
Re: isakmpd listen address
Thanks so much, I was looking at the wrong place and was expecting it to be a parameter...

Original Message
Subject: Re: isakmpd listen address
Local Time: May 25, 2017 9:06 PM
UTC Time: May 25, 2017 7:06 PM
From: hrv...@srce.hr
To: misc@openbsd.org

On 25.5.2017. 20:46, mabi wrote:
> Hello,
> I can't seem to find an option in isakmpd in order to have it listen only on
> one interface or IP address respectively. Is there an option for that I am
> not aware of? I just saw the -p option but that's for the port number.
> Thanks,
> M.
>

Hi,

create isakmpd.conf file

# ls -apl /etc/isakmpd/isakmpd.conf
-rw-------  1 root  wheel  31 Oct 29  2015 /etc/isakmpd/isakmpd.conf

and edit like this:

# cat /etc/isakmpd/isakmpd.conf
[general]
Listen-on =em0

man isakmpd.conf
SNMP OID for free memory
Hi,

I am using OpenBSD 6.1 with the Net-SNMP port in order to monitor the system resources. I don't seem to find any OID for the free memory and was wondering if this information is simply not made available in SNMP. Doing an snmpwalk on the HOST-RESOURCES MIB for memory shows the following available OIDs related to memory:

HOST-RESOURCES-MIB::hrStorageDescr.1 = STRING: Physical memory
HOST-RESOURCES-MIB::hrStorageDescr.2 = STRING: Real memory
HOST-RESOURCES-MIB::hrStorageDescr.3 = STRING: Virtual memory
HOST-RESOURCES-MIB::hrStorageDescr.8 = STRING: Shared virtual memory
HOST-RESOURCES-MIB::hrStorageDescr.9 = STRING: Shared real memory
HOST-RESOURCES-MIB::hrStorageDescr.10 = STRING: Swap space
HOST-RESOURCES-MIB::hrStorageDescr.31 = STRING: /

Any idea where the free memory info would be hiding?

I found a script called check_snmp_openbsd.py (https://github.com/alexander-naumov/nagios-plugins/blob/master/check_snmp_openbsd.py) where the OID .1.3.6.1.4.1.11.2.3.1.1.7.0 is used for getting the free memory but when I do an snmpget on my OpenBSD box this OID is not available.

Regards,
Mabi
/etc/mygate equivalent for IPv6?
Hi,

What is the "standard" approach for adding an IPv6 default gateway to an OpenBSD 6.1 machine, analogous to the /etc/mygate file for an IPv4 default route?

There is no /etc/mygate6 file and as such for now I manually run:

route -n add -inet6 default

Regards,
Mabi
Re: SNMP OID for free memory
Thanks Stuart for your input. In the past I used the snmp daemon which comes with OpenBSD but I vaguely remember that some OID for my cacti graphs was missing so I switched to Net-SNMP which had this information. Can't remember though which OID that was and that was already a few years ago. As you suggest I will give snmpd a shot again and see how it goes.

Regarding the script I was mentioning (https://github.com/alexander-naumov/nagios-plugins/blob/master/check_snmp_openbsd.py) have a look at line 51, there is the OID there for the free memory but in my setup it simply does not exist so I wonder where he got that OID from...

Regards,
M.

Original Message
Subject: Re: SNMP OID for free memory
Local Time: June 5, 2017 9:46 AM
UTC Time: June 5, 2017 7:46 AM
From: s...@spacehopper.org
To: misc@openbsd.org

On 2017-06-04, mabi wrote:
> Hi,
>
> I am using OpenBSD 6.1 with the Net-SNMP port in order to monitor the system
> resources. I don't seem to find any OID for the free memory and was wondering
> if this information is simply not made available in SNMP. Doing an snmpwalk
> on the HOST-RESOURCES MIB for memory shows the following available OIDs
> related to memory:

Don't use net-snmp's snmpd on OpenBSD without a very good reason, use snmpd from the base OS.

> HOST-RESOURCES-MIB::hrStorageDescr.1 = STRING: Physical memory
> HOST-RESOURCES-MIB::hrStorageDescr.2 = STRING: Real memory
> HOST-RESOURCES-MIB::hrStorageDescr.3 = STRING: Virtual memory
> HOST-RESOURCES-MIB::hrStorageDescr.8 = STRING: Shared virtual memory
> HOST-RESOURCES-MIB::hrStorageDescr.9 = STRING: Shared real memory
> HOST-RESOURCES-MIB::hrStorageDescr.10 = STRING: Swap space
> HOST-RESOURCES-MIB::hrStorageDescr.31 = STRING: /
>
> Any idea where the free memory info would be hiding?

Whichever of the hrStorageUsed oids that relates to the memory you're interested in, e.g. given the list above it would be hrStorageUsed.1 for physical memory. Multiply it by the same-numbered hrStorageSize.

Here's an example from the base OS's snmpd, using snmptable to pull in the relevant oids for the whole table and format the display.

$ snmptable -v2c -c public 127.0.0.1 hrStorageTable
SNMP table: HOST-RESOURCES-MIB::hrStorageTable

 hrStorageIndex                        hrStorageType       hrStorageDescr hrStorageAllocationUnits hrStorageSize hrStorageUsed hrStorageAllocationFailures
              1 HOST-RESOURCES-MIB::hrStorageTypes.2      Physical memory               4096 Bytes       2069645       1468114                           0
              2 HOST-RESOURCES-MIB::hrStorageTypes.2          Real memory               4096 Bytes       2082986       1481455                           0
             10 HOST-RESOURCES-MIB::hrStorageTypes.3           Swap space               4096 Bytes       1572863             0                           0
             31 HOST-RESOURCES-MIB::hrStorageTypes.4                    /               4096 Bytes        520119         37923                           0
             32 HOST-RESOURCES-MIB::hrStorageTypes.4                /data               4096 Bytes       8254103       2292580                           0
             33 HOST-RESOURCES-MIB::hrStorageTypes.4                /home               4096 Bytes      31930799      10749150                           0
             34 HOST-RESOURCES-MIB::hrStorageTypes.4                 /usr               4096 Bytes       1546599        132582                           0
             35 HOST-RESOURCES-MIB::hrStorageTypes.4           /usr/X11R6               4096 Bytes       1028871         48383                           0
             36 HOST-RESOURCES-MIB::hrStorageTypes.4           /usr/local               4096 Bytes       8254103       4240627                           0
             37 HOST-RESOURCES-MIB::hrStorageTypes.4             /usr/src               4096 Bytes       1028871        271331                           0
             38 HOST-RESOURCES-MIB::hrStorageTypes.4           /usr/ports               4096 Bytes       2061047        523465                           0
             39 HOST-RESOURCES-MIB::hrStorageTypes.4             /usr/obj               4096 Bytes      12382807       1816114                           0
             40 HOST-RESOURCES-MIB::hrStorageTypes.4        /usr/xenocara               4096 Bytes        516007        179230                           0
             41 HOST-RESOURCES-MIB::hrStorageTypes.4                 /var               4096 Bytes       8254103        879286                           0
             42 HOST-RESOURCES-MIB::hrStorageTypes.4             /distsrc               4096 Bytes      38701655      28351200                           0
             43 HOST-RESOURCES-MIB::hrStorageTypes.4             /var/www               4096 Bytes       4125399        660222                           0
             44 HOST-RESOURCES-MIB::hrStorageTypes.4  /var/www/htdocs/pub                512 Bytes    2097669360    3955189904                           0
             45 HOST-RESOURCES-MIB::hrStorageTypes.4        /y/Multimedia                512 Bytes    2097669360    3955189904                           0
             46 HOST-RESOURCES-MIB::hrStorageTypes.4          /y/Download                512 Bytes    2097669360    3955189904                           0
             47 HOST-RESOURCES-MIB::hrStorageTypes.4             /y/homes                512 Bytes    2097669360    3955189904                           0

> I found a script called check_snmp_openbsd.py
> (https://github.com/alexander-naumov/nagios-plugins/blob/master/check_snmp_openbsd.py)
> where the OID .1.3.6.1.4.1.11.2.3.1.1.7.0 is used for getting the free
> memory but when I do an snmpget on my OpenBSD box this OID is not available.

I might have missed something but I don't see it actually using that mem_free definition.
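As an added example (not code from the thread or from OpenBSD's snmpd), the following Python turns the snmptable output above into byte counts. It assumes the row layout printed by snmptable and applies the HOST-RESOURCES-MIB definition that hrStorageSize and hrStorageUsed count allocation units, so both must be scaled by hrStorageAllocationUnits to get bytes. It also flags a failure mode visible in rows 44 to 47 of the table above: those counters are Integer32, so on large file systems they wrap and hrStorageUsed ends up larger than hrStorageSize. The sample rows are taken from the table in the reply.

```python
import re

# Constructed sample in the layout printed by
# `snmptable -v2c -c public 127.0.0.1 hrStorageTable`; values copied from the
# thread above. Row 44 shows the Integer32 wrap on a large file system.
SAMPLE_TABLE = """\
SNMP table: HOST-RESOURCES-MIB::hrStorageTable

 hrStorageIndex hrStorageType hrStorageDescr hrStorageAllocationUnits hrStorageSize hrStorageUsed hrStorageAllocationFailures
  1 HOST-RESOURCES-MIB::hrStorageTypes.2 Physical memory     4096 Bytes    2069645    1468114 0
  2 HOST-RESOURCES-MIB::hrStorageTypes.2 Real memory         4096 Bytes    2082986    1481455 0
 10 HOST-RESOURCES-MIB::hrStorageTypes.3 Swap space          4096 Bytes    1572863          0 0
 31 HOST-RESOURCES-MIB::hrStorageTypes.4 /                   4096 Bytes     520119      37923 0
 44 HOST-RESOURCES-MIB::hrStorageTypes.4 /var/www/htdocs/pub  512 Bytes 2097669360 3955189904 0
"""

# One data row: index, type OID, description (may contain spaces), unit size,
# the literal word "Bytes", size, used, allocation failures.
ROW_RE = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<type>\S+)\s+(?P<descr>.+?)\s+"
    r"(?P<unit>\d+)\s+Bytes\s+(?P<size>\d+)\s+(?P<used>\d+)\s+(?P<fail>\d+)\s*$"
)

INT32_MAX = 2**31 - 1


def parse_hr_storage_table(text):
    """Return a list of dicts, one per data row; header/blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rows.append({
            "index": int(m["index"]),
            "descr": m["descr"],
            "unit": int(m["unit"]),
            "size": int(m["size"]),
            "used": int(m["used"]),
        })
    return rows


def storage_bytes(row):
    """(size_bytes, used_bytes, free_bytes) for one row.

    hrStorageSize and hrStorageUsed are expressed in allocation units, so the
    byte figure is the counter times hrStorageAllocationUnits (RFC 2790).
    """
    size_b = row["size"] * row["unit"]
    used_b = row["used"] * row["unit"]
    return size_b, used_b, size_b - used_b


def is_plausible(row):
    """Both counters are Integer32; a wrapped counter shows up as used > size
    or as a value outside the Integer32 range, as in rows 44-47 above."""
    return 0 <= row["used"] <= row["size"] <= INT32_MAX


def free_memory_bytes(rows, descr="Physical memory"):
    """Free bytes for the storage entry whose hrStorageDescr equals `descr`."""
    for row in rows:
        if row["descr"] == descr:
            if not is_plausible(row):
                raise ValueError(f"implausible counters for {descr!r}: {row}")
            return storage_bytes(row)[2]
    raise KeyError(descr)


if __name__ == "__main__":
    rows = parse_hr_storage_table(SAMPLE_TABLE)
    for row in rows:
        size_b, used_b, free_b = storage_bytes(row)
        flag = "" if is_plausible(row) else "  (counter wrapped, ignore)"
        print(f"{row['descr']:<22} used {used_b:>14} free {free_b:>14} bytes{flag}")
```

A monitoring check built on this should treat a failed plausibility test as "unknown" rather than as a huge free figure; the 512-byte-unit rows in the reply show why.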
Re: /etc/mygate equivalent for IPv6?
Fantastic, that was an easy one. Somehow I missed that from the OpenBSD FAQ, must have skimmed it too fast... So I guess here that I can have my IPv4 default gw and IPv6 default gw both on two different lines in the /etc/mygate file.

Original Message
Subject: Re: /etc/mygate equivalent for IPv6?
Local Time: June 6, 2017 9:50 PM
UTC Time: June 6, 2017 7:50 PM
From: knight@gmail.com
To: Janne Johansson, mabi, openbsd-misc

for example: fe80::1%carp0 :)

2017-06-06 16:48 GMT-03:00 Janne Johansson:

Just add the ipv6 gw ip to /etc/mygate.

2017-06-06 21:45 GMT+02:00 mabi:
> Hi,
>
> What is the "standard" approach for adding an IPv6 default gateway to an
> OpenBSD 6.1 machine, analogous to the /etc/mygate file for an IPv4 default
> route?
>
> There is no /etc/mygate6 file and as such for now I manually run:
>
> route -n add -inet6 default
>
> Regards,
> Mabi

--
May the most significant bit of your life be positive.
DHCP server for IPv6
Hello,

Does anyone have any recommendations on which package to use on OpenBSD 6.1 for a DHCP server for IPv6? AFAIK the default dhcpd does not do IPv6.

Regards,
M.
Re: Dynamic IPv6
Hi Thomas,

Not using Cox here but in a similar setup I use the dhcpcd package just for getting IPv6 from the ISP with SLAAC and prefix delegation. You will need to configure your /etc/dhcpcd.conf file to something looking like this:

noipv6rs
ipv6only
slaac private
nohook resolv.conf

interface em0
ipv6rs
iaid 1
ia_pd 2 em1/1

In that example em0 would be the WAN interface and em1 the LAN interface.

Good luck,
M.

> Original Message
> Subject: Dynamic IPv6
> Local Time: July 8, 2017 4:42 AM
> UTC Time: July 8, 2017 2:42 AM
> From: inq...@protonmail.com
> To: misc@openbsd.org
>
> My ISP (Cox) supports IPv6 and I have this working on a MikroTik router--it
> pulls an address and prefix, creates a default route, creates an address pool
> for internal clients, etc.
>
> I've been working to configure a similar setup in OpenBSD 6.1 and I've been
> unable to even get the outside interface to pull an IPv6 address from Cox.
>
> I've been searching for some time today to find information on how to
> configure this but there are many different "how tos" and not one of them has
> worked for me.
>
> Can anyone point me to some definitive documentation for configuring this in
> OpenBSD? Or advise as to how to set this up?
>
> Seems like it should be a pretty basic thing, but I just can't seem to get it
> right.
>
> I didn't post any sample configs as I've tried many (many) different ways to
> do this today and have removed all of those changes at this point.
Re: Fail2Ban filter for OpenSMTPD
Hi Nicolas,

Thank you very much for your OpenSMTPD Fail2Ban filter. I just tried it out and it actually detects the IP address out of the log file as you can see here:

2017-08-23 17:30:13,089 fail2ban.filter [298]: INFO [opensmtpd] Found 1XX.2XX.5X.1XX

but somehow does not manage to add this IP address to be blocked by iptables. Maybe my jail.conf entry for that filter is wrong, I currently added the following entry:

[opensmtpd]
enabled = yes
port = smtp
logpath = /var/log/mail.log

Any ideas? I am running Debian 9 as OS.

Regards,
Mabi

> Original Message
> Subject: Re: Fail2Ban filter for OpenSMTPD
> Local Time: August 23, 2017 4:33 PM
> UTC Time: August 23, 2017 2:33 PM
> From: nico...@shivaserv.fr
> To: misc@openbsd.org
>
> Hi
>
> I know some people were searching for fail2ban filters for opensmtpd.
>
> I had the same need, and I've created my own simple filter, I share it here
> if it can help.
>
> # Fail2Ban filter for opensmtpd
> # Author: Nicolas Repentin
> #
>
> [INCLUDES]
>
> # Read common prefixes. If any customizations available -- read them from
> # common.local
> before = common.conf
>
> [Definition]
>
> failregex = ^.*smtp event=connected address=.*\n.*smtp event=failed-command command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported
>
> ignoreregex =
>
> [Init]
> maxlines = 2
>
> It only works actually for this example:
>
> #Aug 23 10:48:54 myserver smtpd[17412]: abc813f0c6789766 smtp event=connected address=177.135.X.X host=hidden.host.com
> #Aug 23 10:48:55 myserver smtpd[17412]: abc813f0c6789766 smtp event=failed-command command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported"
>
> Nicolas
Re: Fail2Ban filter for OpenSMTPD
My bad, I had maxretry set to 5 and lowered it for testing. Your filter works perfectly, thumbs up for this contribution!!

> Original Message
> Subject: Re: Fail2Ban filter for OpenSMTPD
> Local Time: August 23, 2017 5:31 PM
> UTC Time: August 23, 2017 3:31 PM
> From: m...@protonmail.ch
> To: Nicolas, misc@openbsd.org
>
> Hi Nicolas,
>
> Thank you very much for your OpenSMTPD Fail2Ban filter. I just tried it out
> and it actually detects the IP address out of the log file as you can see
> here:
>
> 2017-08-23 17:30:13,089 fail2ban.filter [298]: INFO [opensmtpd] Found 1XX.2XX.5X.1XX
>
> but somehow does not manage to add this IP address to be blocked by iptables.
> Maybe my jail.conf entry for that filter is wrong, I currently added the
> following entry:
>
> [opensmtpd]
> enabled = yes
> port = smtp
> logpath = /var/log/mail.log
>
> Any ideas? I am running Debian 9 as OS.
>
> Regards,
> Mabi
>
>> Original Message
>> Subject: Re: Fail2Ban filter for OpenSMTPD
>> Local Time: August 23, 2017 4:33 PM
>> UTC Time: August 23, 2017 2:33 PM
>> From: nico...@shivaserv.fr
>> To: misc@openbsd.org
>>
>> Hi
>>
>> I know some people were searching for fail2ban filters for opensmtpd.
>>
>> I had the same need, and I've created my own simple filter, I share it here
>> if it can help.
>>
>> # Fail2Ban filter for opensmtpd
>> # Author: Nicolas Repentin
>> #
>>
>> [INCLUDES]
>>
>> # Read common prefixes. If any customizations available -- read them from
>> # common.local
>> before = common.conf
>>
>> [Definition]
>>
>> failregex = ^.*smtp event=connected address=.*\n.*smtp event=failed-command command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported
>>
>> ignoreregex =
>>
>> [Init]
>> maxlines = 2
>>
>> It only works actually for this example:
>>
>> #Aug 23 10:48:54 myserver smtpd[17412]: abc813f0c6789766 smtp event=connected address=177.135.X.X host=hidden.host.com
>> #Aug 23 10:48:55 myserver smtpd[17412]: abc813f0c6789766 smtp event=failed-command command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported"
>>
>> Nicolas
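As an added example (not Nicolas's filter and not part of the thread), the Python below re-implements what fail2ban does with that filter when maxlines = 2: it slides a two-line window over the log, applies the connected/failed-command pattern across the line pair, and counts hits per source address until maxretry is reached. It goes beyond the posted filter in two labelled ways: the regex captures the address with a named group where a fail2ban filter would use its <HOST> tag, and it requires the same OpenSMTPD session id on both lines so that a connect from one client is never paired with a failure from another. The log lines are constructed in the format shown above, with RFC 5737 documentation addresses.

```python
import re
from collections import Counter

# Constructed sample in the OpenSMTPD log format quoted in the thread.
# 192.0.2.10 fails AUTH LOGIN three times, 198.51.100.7 once, and 203.0.113.5
# connects and leaves normally (no failure).
SAMPLE_LOG = """\
Aug 23 10:48:54 myserver smtpd[17412]: abc813f0c6789766 smtp event=connected address=192.0.2.10 host=hidden.host.com
Aug 23 10:48:55 myserver smtpd[17412]: abc813f0c6789766 smtp event=failed-command command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported"
Aug 23 10:49:01 myserver smtpd[17412]: abc813f0c6789767 smtp event=connected address=203.0.113.5 host=mail.example.net
Aug 23 10:49:02 myserver smtpd[17412]: abc813f0c6789767 smtp event=closed address=203.0.113.5 host=mail.example.net reason=quit
Aug 23 10:49:10 myserver smtpd[17412]: abc813f0c6789768 smtp event=connected address=192.0.2.10 host=hidden.host.com
Aug 23 10:49:11 myserver smtpd[17412]: abc813f0c6789768 smtp event=failed-command command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported"
Aug 23 10:49:20 myserver smtpd[17412]: abc813f0c6789769 smtp event=connected address=198.51.100.7 host=other.example.com
Aug 23 10:49:21 myserver smtpd[17412]: abc813f0c6789769 smtp event=failed-command command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported"
Aug 23 10:49:30 myserver smtpd[17412]: abc813f0c678976a smtp event=connected address=192.0.2.10 host=hidden.host.com
Aug 23 10:49:31 myserver smtpd[17412]: abc813f0c678976a smtp event=failed-command command="AUTH LOGIN" result="503 5.5.1 Invalid command: Command not supported"
"""

# Two-line pattern, one line pair per match. `host` stands in for fail2ban's
# <HOST> tag; the (?P=sid) back-reference (my addition, not in the posted
# filter) ties the failure to the session that was opened on the first line.
FAILREGEX = re.compile(
    r'.*?(?P<sid>[0-9a-f]{16}) smtp event=connected address=(?P<host>\S+).*\n'
    r'.*?(?P=sid) smtp event=failed-command command="AUTH LOGIN" '
    r'result="503 5\.5\.1 Invalid command: Command not supported"'
)


def scan_log(text, maxretry=3):
    """Mimic fail2ban with maxlines = 2 over `text`.

    Returns (hits, banned): hits is a Counter of failures per address and
    banned the sorted addresses whose count reached `maxretry`.
    """
    lines = text.splitlines()
    hits = Counter()
    # maxlines = 2: fail2ban hands the filter a buffer of the current line plus
    # the one before it, so each consecutive pair is tested once.
    for prev, cur in zip(lines, lines[1:]):
        m = FAILREGEX.match(prev + "\n" + cur)
        if m:
            hits[m["host"]] += 1
    banned = sorted(host for host, n in hits.items() if n >= maxretry)
    return hits, banned


if __name__ == "__main__":
    for maxretry in (3, 5):
        hits, banned = scan_log(SAMPLE_LOG, maxretry=maxretry)
        print(f"maxretry={maxretry}: hits={dict(hits)} banned={banned}")
```

With maxretry = 5 nothing is banned even though every failure is found, which is exactly the behaviour reported at the top of this thread before maxretry was lowered; with maxretry = 3 only the address that failed three times is banned.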
relayd TLS load balancer for multiple websites
Hi,

I was wondering if it is possible to use relayd as load balancer with TLS termination for multiple different websites residing on different servers.

From reading the man page I understand that for this purpose I will need to use one "relay" entity per website which will then have its own "http protocol" entity. If this is correct, this means I will require one public IP address per website which seems to me a bit of a waste, hence my asking.

The alternative would be to have one "relay" entity but this means I can only have one "http protocol" entity assigned to it from my understanding. This also means that I would have to use one single SSL certificate file which includes every CN for each of my websites. My feeling tells me that this does not sound like good practice. Then how would relayd know that website www.website1.com has to be forwarded to the hosts in and that website www.website2.com has to be forwarded to the hosts in ? Would you in the "http protocol" entity filter using the HTTP "Host" header (such as SNI)?

Sorry for all these questions but I am trying to find out the best way/good practice to set up a relayd TLS load balancer for different websites/webapps/domains and can't find much documentation about this specific case.

Note here that I will be using the acme-client for all of the domains.

Thanks for your input.

Best,
Mabi
Re: relayd TLS load balancer for multiple websites
Thanks Bryan for your example. I saw in your example you only use the example.com domain. I would be using multiple domains such as example1.com, example2.com, exampleX.com, and so on. Would it also work in that case? Again I suppose here that I need to have all these different domains in one single SSL certificate file, right?

On the relayd.conf man page I read that the second "forward to" config parameter in a "relay" entity is used as backup in case the first "forward to" table is down. So one could think in your config that your second "forward to" would be used as your backup table.

Finally what is the purpose of setting the Connection HTTP header to close as you have here below?

match request header set "Connection" value "close"

> Original Message
> Subject: Re: relayd TLS load balancer for multiple websites
> Local Time: September 28, 2017 2:21 PM
> UTC Time: September 28, 2017 12:21 PM
> From: bryanlhar...@gmail.com
> To: mabi, openbsd-misc
>
> Here is what I did, which I learned from the httpd & relayd book by Michael W
> Lucas (I recommend). I cannot remember why I set the top header options, I
> must have been trying to learn about them. The host ones are to figure out
> the site and send the connection to the table above.
>
> ext_addr="..."
> int_addr="127.0.0.1"
> vm1_addr="192.0.2.11"
> vm2_addr="192.0.2.12"
> vm3_addr="192.0.2.13"
> vm4_addr="192.0.2.14"
>
> table { $int_addr }
> table {
>     $vm1_addr
>     $vm2_addr
>     $vm3_addr
>     $vm4_addr
> }
>
> # Relay and protocol for HTTP layer 7 loadbalancing and SSL/TLS acceleration
> http protocol https {
>     # playing with these options
>     match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
>     match request header append "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
>     match request header set "Keep-Alive" value "$TIMEOUT"
>     match request header set "Connection" value "close"
>
>     match request header "Host" value "website.example.com" forward to
>     match request header "Host" value "example.com" forward to
>     match request header "Host" value "www.example.com" forward to
> }
>
> relay wwwtls {
>     # Run as a SSL/TLS accelerator
>     listen on $ext_addr port 443 tls
>     protocol https
>
>     forward to port 80 check tcp
>     forward to port 80 mode loadbalance check tcp
> }
>
> V/r,
> Bryan
>
> On Thu, Sep 28, 2017 at 7:32 AM, mabi wrote:
>
>> Hi,
>>
>> I was wondering if it is possible to use relayd as load balancer with TLS
>> termination for multiple different websites residing on different servers.
>>
>> From reading the man page I understand that for this purpose I will need to
>> use one "relay" entity per website which will then have its own "http
>> protocol" entity. If this is correct, this means I will require one public
>> IP address per website which seems to me a bit of a waste, hence my asking.
>>
>> The alternative would be to have one "relay" entity but this means I can
>> only have one "http protocol" entity assigned to it from my understanding.
>> This also means that I would have to use one single SSL certificate
>> file which includes every CN for each of my websites. My feeling tells me
>> that this does not sound like good practice. Then how would relayd know that
>> website www.website1.com has to be forwarded to the hosts in and
>> that website www.website2.com has to be forwarded to the hosts in ?
>> Would you in the "http protocol" entity filter using the HTTP "Host" header
>> (such as SNI)?
>>
>> Sorry for all these questions but I am trying to find out the best way/good
>> practice to set up a relayd TLS load balancer for different
>> websites/webapps/domains and can't find much documentation about this
>> specific case.
>>
>> Note here that I will be using the acme-client for all of the domains.
>>
>> Thanks for your input.
>>
>> Best,
>> Mabi
Re: relayd TLS load balancer for multiple websites
Thanks for the pointer regarding SNI not being supported in relayd. I will go on and find another solution, probably HAproxy.

> Original Message
> Subject: Re: relayd TLS load balancer for multiple websites
> Local Time: September 28, 2017 3:02 PM
> UTC Time: September 28, 2017 1:02 PM
> From: mcmer-open...@tor.at
> To: mabi, openbsd-misc
>
> m...@protonmail.ch (mabi), 2017.09.28 (Thu) 13:32 (CEST):
>> I was wondering if it is possible to use relayd as load balancer with
>> TLS termination for multiple different websites residing on different
>> servers.
>
> With a public IP per website: yes. Else: no.
>
> reyk@, 2014-07-24, "no SNI yet"
> https://marc.info/?l=openbsd-misc&m=140621533620964
>
> recent thread:
> https://marc.info/?l=openbsd-misc&m=150599591326006
>
> Marcus
>
> btw, protonmail's "text/plain, base64, utf-8" reportedly keeps people
> from seeing these messages.
acpidump at bootup blocking for 5 minutes
Hi,

I have a Nexcom 1150 (http://www.nexcom.co.uk/Products/network-and-communication-solutions/intel-based-appliance/entry-level-appliance/network-communication-nsa-1150) which I use as firewall and noticed that it takes up to 7 minutes to boot up. By commenting out some parts of the /etc/rc boot file I could find out that acpidump takes 5 minutes to run. So I just commented the following lines out to boot up faster:

if [[ -x /usr/sbin/acpidump ]]; then
	acpidump -o /var/db/acpi/
fi

Regards,
Mabi
vmm/vmd with Linux guest
Hello,

I just read the OpenBSD vmm/vmd Update slides from Mike Larkin and have the following 2 questions.

- It is mentioned that RHEL/CentOS is now supported and I was wondering if Suse is also already supported or if it is planned? I had a try at SLES 12 as a guest on OpenBSD 6.3 but after the "Welcome to GRUB!" message on the console it is stuck.

- When enabling "vmctl log verbose" where do the log entries go? I checked /var/log/messages and daemon but did not see more verbose output while starting a vm. Or what would I do if I want to investigate further why a VM is stuck?

And by the way a big applause to those working on vmm/vmd for your great effort!

Regards,
Mabi
Dell PowerEdge R410 not booting 6.4
Hi, I just installed OpenBSD 6.4 on an older Dell PowerEdge R410 server. The installation went fine but upon reboot I get to the "boot>" prompt then the first line of the OpenBSD boot starts with all the numbers displaying but like 2 seconds later the whole server reboots. Any idea what that could be? This server is from around 2011 and has two Intel E5620 CPUs. I already tried disabling hyperthreading, booting single user mode (boot -s), booting the boot.sp image but so far no luck... Regards, Mabi
Re: Dell PowerEdge R410 not booting 6.4
Indeed, I just created one huge "a" slice with 500 GB for my / root partition. I will try first to create a smaller/many slices...

@Kristjan: "entry point at ..." no it didn't even get to this line, it just rebooted at the line counting all these numbers, I think that is the very first line of the boot process if I am not mistaken.

‐‐‐ Original Message ‐‐‐
On Thursday, October 25, 2018 7:57 PM, diego righi wrote:

> did you make only one big a slice?
> try to put the i386 bootloader ;)
>
> On Thu, Oct 25, 2018, 18:20 mabi m...@protonmail.ch wrote:
>
> > Hi,
> > I just installed OpenBSD 6.4 on an older Dell PowerEdge R410 server. The
> > installation went fine but upon reboot I get to the "boot>" prompt then the
> > first line of the OpenBSD boot starts with all the numbers displaying but
> > like 2 seconds later the whole server reboots. Any idea what that could be?
> > This server is from around 2011 and has two Intel E5620 CPUs. I already
> > tried disabling hyperthreading, booting single user mode (boot -s), booting
> > the boot.sp image but so far no luck...
> > Regards,
> > Mabi
Re: OpenBSD VPS hoster with unlimited/limited nonfiltered traffic
‐‐‐ Original Message ‐‐‐
On Friday, April 10, 2020 12:59 PM, Dumitru Moldovan wrote:

> Vultr is close to that. Last time I created a new VPS with them, I
> think they filtered port 25, but it was no big deal to get rid of that.
>
> Still running 2 productions VMs on Vultr, they are cheap, have great
> support, and reasonable uptimes. Not OpenBSD-based unfortunately, even
> though they support it officially.

Here https://oriented.net/server/openbsd-virtual-machine they provide OpenBSD native VPS and traffic seems to be unlimited/unfiltered.
using aggr interface instead of trunk
Hello,

I am currently running OpenBSD 6.5 as firewall with two ix interfaces inside a trunk interface with LACP protocol. On top of that I have a few vlan interfaces so it's basically (ix -> trunk -> vlan).

Now I saw that OpenBSD has a new interface specifically for LACP which is called aggr. As I will soon be upgrading to OpenBSD 6.6 I was wondering if it is the right time to switch from trunk to the new aggr interface?

From what I understand the new aggr interface has mainly 2 advantages: it is multi-processor safe and it should be faster than the tun interface. Is this correct?

And last point, because aggr is pretty new, is it already safe to use it for a production firewall?

Best regards,
Mabi
Re: using aggr interface instead of trunk
Hi Iain,

‐‐‐ Original Message ‐‐‐
On Wednesday, May 13, 2020 7:55 PM, Iain R. Learmonth wrote:

> More details are at: https://marc.info/?l=openbsd-cvs&m=156229058006706&w=2

I actually already read that one after seeing the announcement on undeadly.org iirc ;)

> Assuming you mean trunk, not tun, yes.

Right, thanks for spotting that, I meant trunk of course.

> I don't see mention of any aggr fixes in the 6.7 changelog, so I guess it
> didn't have any disasters in it. Others are using it on production systems.

Nice to hear that, I will give it a shot as soon as I upgrade my HA CARP cluster of two OpenBSD firewalls to 6.6. I might first try using it on one of the two firewalls so that I can easily switch to the other firewall in case of any issue.
msyscall error during boot
Hello,

I just upgraded one of my vmd virtual machines from OpenBSD 6.6 to 6.7 using sysupgrade and noticed a new msyscall error message I have never seen before during reboot, as you can see below:

...
preserving editor files.
starting network daemons: sshd smtpd httpd.
starting package daemons: dovecot postgresql php72_fpm netsnmpd.
msyscall a35ee0ce000 a3000 error
msyscall a35187dd000 a5000 error
starting local daemons: cron.
Thu Jul  9 08:07:15 CEST 2020

Any ideas where this could come from? And if it is bad? The VMD host itself also runs OpenBSD 6.7.

Regards,
Mabi
Re: msyscall error during boot
‐‐‐ Original Message ‐‐‐
On Friday, July 10, 2020 10:18 PM, Jurjen Oskam wrote:

> Did you update your packages? I ran into the same issue when I forgot to
> update the packages after upgrading the system.

Yes, I did run a "pkg_add -u". I have found more details and actually it is the "rake" command, part of ruby-2.5.8, which outputs this error message at boot because I am starting a Ruby rack web server for an API using the "rake" command in /etc/rc.local.
fw_update issue with colon in URL
Hello,

I just updated from 6.6 to 6.7 and the fw_update part failed so I tried to run it manually and get:

$ sudo fw_update -n
http://firmware.openbsd.org/firmware/6.7/: no such dir
Couldn't find updates for intel-firmware-20191115v0

It looks like I have a colon ":" at the end of the URL which of course makes the URL invalid. Now how could this happen? And in which file do I fix that?

Regards,
Mabi
Re: fw_update issue with colon in URL
‐‐‐ Original Message ‐‐‐
On Wednesday, July 15, 2020 12:49 PM, Theo Buehler wrote:

> One server had an incorrect config. This should be fixed now.

Thanks for your notification, so I didn't go mad ;) I can confirm, it works like a charm. Thanks again for fixing!
'machine/cdefs.h' file not found when installing nokogiri gem
Hi,

I am trying to install the nokogiri Ruby gem using "gem install nokogiri" and have the ruby-2.5.5 package from ports installed for that purpose. Unfortunately it does not want to install, complaining that the 'machine/cdefs.h' header file can not be found. This header file is included on line 41 of /usr/include/sys/cdefs.h but is not present on my OpenBSD 6.5 system. Am I missing something here?

I have pasted below the full error output from installing that gem if that is of any help.

Best regards,
Mabi

$ gem install nokogiri
Building native extensions. This could take a while...
ERROR:  Error installing nokogiri:
	ERROR: Failed to build gem native extension.

    current directory: /home/ma/.gem/gems/nokogiri-1.10.5/ext/nokogiri
/usr/local/bin/ruby25 -r ./siteconf20191116-77258-1qm6dzx.rb extconf.rb
checking if the C compiler accepts -I /usr/local/include... *** extconf.rb failed ***
Could not create Makefile due to some reason, probably lack of necessary
libraries and/or headers.  Check the mkmf.log file for more details.  You may
need configuration options.

Provided configuration options:
	--with-opt-dir
	--without-opt-dir
	--with-opt-include
	--without-opt-include=${opt-dir}/include
	--with-opt-lib
	--without-opt-lib=${opt-dir}/lib
	--with-make-prog
	--without-make-prog
	--srcdir=.
	--curdir
	--ruby=/usr/local/bin/$(RUBY_BASE_NAME)25
	--help
	--clean
	--use-system-libraries
/usr/local/lib/ruby/2.5/mkmf.rb:456:in `try_do': The compiler failed to generate an executable file. (RuntimeError)
You have to install development tools first.
	from /usr/local/lib/ruby/2.5/mkmf.rb:574:in `block in try_compile'
	from /usr/local/lib/ruby/2.5/mkmf.rb:521:in `with_werror'
	from /usr/local/lib/ruby/2.5/mkmf.rb:574:in `try_compile'
	from extconf.rb:138:in `nokogiri_try_compile'
	from extconf.rb:162:in `block in add_cflags'
	from /usr/local/lib/ruby/2.5/mkmf.rb:632:in `with_cflags'
	from extconf.rb:161:in `add_cflags'
	from extconf.rb:416:in `'

To see why this extension failed to compile, please check the mkmf.log which can be found here:

  /home/ma/.gem/extensions/x86_64-openbsd/2.5/nokogiri-1.10.5/mkmf.log

extconf failed, exit code 1

Gem files will remain installed in /home/ma/.gem/gems/nokogiri-1.10.5 for inspection.
Results logged to /home/ma/.gem/extensions/x86_64-openbsd/2.5/nokogiri-1.10.5/gem_make.out

*** Content of the nokogiri-1.10.5/mkmf.log file below: ***

"cc -o conftest -I/usr/local/include/ruby-2.5/x86_64-openbsd -I/usr/local/include/ruby-2.5/ruby/backward -I/usr/local/include/ruby-2.5 -I. -DOPENSSL_NO_STATIC_ENGINE -I/usr/local/include -O2 -pipe -fPIC -I /usr/local/include conftest.c -L. -L/usr/local/lib -Wl,-rpath,/usr/local/lib -L. -L/usr/local/lib -fstack-protector -Wl,-E -Wl,-rpath,/usr/local/lib -L/usr/local/lib -lruby25 -pthread -lgmp -lm -lc "
In file included from conftest.c:1:
In file included from /usr/local/include/ruby-2.5/ruby.h:33:
In file included from /usr/local/include/ruby-2.5/ruby/ruby.h:29:
In file included from /usr/local/include/ruby-2.5/ruby/defines.h:112:
In file included from /usr/include/stdio.h:41:
/usr/include/sys/cdefs.h:41:10: fatal error: 'machine/cdefs.h' file not found
#include
         ^
1 error generated.
checked program was:
/* begin */
1: #include "ruby.h"
2:
3: int main(int argc, char **argv)
4: {
5:   return 0;
6: }
/* end */
Re: 'machine/cdefs.h' file not found when installing nokogiri gem
‐‐‐ Original Message ‐‐‐
On Saturday, November 16, 2019 2:38 PM, Stuart Henderson wrote:

> For native extensions, it's really best to install from packages.
>
> pkg_add ruby25-nokogiri

Thanks for the tip, I didn't think about that alternative. What puzzles me is that I managed to install that nokogiri gem on OpenBSD 6.4 using 'gem install' in the past. Will have to check with 6.6.
sysupgrade to 6.6 failed at comp66.tgz
Hi,

I just tried out sysupgrade on one of my OpenBSD 6.5 servers in order to upgrade automatically to 6.6 but unfortunately it failed at the comp66.tgz and rebooted (upgrade log below). It looks like I am now running a half-upgraded hybrid OpenBSD 6.5/6.6 system. It also didn't manage to relink the kernel after reboot (log file below).

So I was wondering if anyone had any recommendations or insights to my following points:

- reason why it failed?
- what should I do now? retry to upgrade with sysupgrade?
- re-install the whole system?
- maybe sysupgrade needs to be patched to avoid this issue?

Best regards,
Mabi

*** output of upgrade log ***

Terminal type? [vt220] vt220
Available disks are: sd0.
Which disk is the root disk? ('?' for details) [sd0] sd0
Checking root filesystem (fsck -fp /dev/sd0a)... OK.
Mounting root filesystem (mount -o ro /dev/sd0a /mnt)... OK.
Force checking of clean non-root filesystems? [no] no
fsck -p f8bd514855ccf1e5.f... OK.
fsck -p f8bd514855ccf1e5.d... OK.
fsck -p f8bd514855ccf1e5.e... OK.
fsck -p f8bd514855ccf1e5.g... OK.
/dev/sd0a (f8bd514855ccf1e5.a) on /mnt type ffs (rw, local)
/dev/sd0f (f8bd514855ccf1e5.f) on /mnt/home type ffs (rw, local, nodev, nosuid)
/dev/sd0d (f8bd514855ccf1e5.d) on /mnt/tmp type ffs (rw, local, nodev, nosuid)
/dev/sd0e (f8bd514855ccf1e5.e) on /mnt/usr type ffs (rw, local, nodev, wxallowed)
/dev/sd0g (f8bd514855ccf1e5.g) on /mnt/var type ffs (rw, local, nodev, nosuid)

Let's upgrade the sets!
Location of sets? (cd0 disk http nfs or 'done') [http] disk
Is the disk partition already mounted? [yes] yes
Pathname to the sets? (or 'done') [6.6/amd64] /home/_sysupgrade/

Select sets by entering a set name, a file name pattern or 'all'. De-select
sets by prepending a '-', e.g.: '-game*'. Selected sets are labelled '[X]'.
    [X] bsd           [X] base66.tgz    [X] game66.tgz    [X] xfont66.tgz
    [X] bsd.mp        [X] comp66.tgz    [X] xbase66.tgz   [X] xserv66.tgz
    [X] bsd.rd        [X] man66.tgz     [X] xshare66.tgz
Set name(s)? (or 'abort' or 'done') [done] done
Directory does not contain SHA256.sig. Continue without verification? [no] yes
Installing bsd          100% |**| 18250 KB    00:00
Installing bsd.mp       100% |**| 18336 KB    00:00
Installing bsd.rd       100% |**| 10058 KB    00:00
Installing base66.tgz   100% |**|   236 MB    00:36
Installing comp66.tgz    81% |* | 58880 KB    00:02 ETA
tar: Unable to remove directory ./usr/include/machine: Directory not empty
Installing comp66.tgz   100% |**| 72109 KB    00:14
Installation of comp66.tgz failed. Continue anyway? [no] no

*** output of /usr/share/relink/kernel/GENERIC/relink.log ***

(SHA256) /bsd: FAILED
Failed to verify /bsd's checksum, therefore a randomly linked kernel (KARL)
is not being built. KARL can be re-enabled for next boot by issuing as root:

sha256 -h /var/db/kernel.SHA256 /bsd
Re: sysupgrade to 6.6 failed at comp66.tgz
‐‐‐ Original Message ‐‐‐
On Friday, November 22, 2019 11:45 AM, Stuart Henderson wrote:

> A combination of things:
>
> - You didn't install the comp set before

Thank you Stuart for your detailed mail. That's exactly it, I did not have the comp65.tgz set installed, as I only recently read on this mailing list that the best practice would be to install all sets, including the x* sets, even if I don't need X on my servers. This is the only way that guarantees that tools like sysupgrade can work properly. Lesson learnt live here ;-)

So thanks to your instructions I managed to upgrade to 6.6 using sysupgrade and it all worked well. Great work behind this sysupgrade tool!!
Can't install OpenBSD 6.6 on apu4d4
Hi there,

I am trying to install OpenBSD 6.6 (install66.fs) from a USB key on a PC Engines apu4d4 box. Unfortunately the installer does not seem to start, as it reboots after loading the bsd.rd image for a few seconds, as you can see from my output below:

SeaBIOS (version rel-1.12.1.3-0-g300e8b7)
Press F10 key now for boot menu
Booting from Hard Disk...
Using drive 0, partition 3.
Loading..
probing: pc0 com0 com1 com2 com3 mem[639K 3325M 752M a20=on]
disk: hd0+ hd1+*
>> OpenBSD/amd64 BOOT 3.45
boot> cannot open hd0a:/etc/random.seed: No such file or directory
booting hd0a:/6.6/amd64/bsd.rd: 3732171+1537024+3885432+0+598016 [376562+128+455544+303577]=0xa648d0
entry point at 0x8100100
PC Engines apu4
coreboot build 20202901
BIOS version v4.11.0.3

I upgraded the BIOS from v4.11.0.2 to v4.11.0.3 and tried another USB key but still the same happens. Am I missing something here?

Regards,
Mabi
Re: Can't install OpenBSD 6.6 on apu4d4
‐‐‐ Original Message ‐‐‐
On Thursday, February 6, 2020 8:25 AM, Mischa wrote:

> Before you boot, at boot> do:
>
> stty com0 115200
> set tty com0

Thanks Mischa! I should have thought about that, but I couldn't remember having done this with previous APU models and OpenBSD versions.
Time jumping forward issue under OpenBSD 6.6 VMM
Hello,

I am running an OpenBSD 6.6 VMM server with a few virtual machines also running 6.6 and noticed that one of them, which is running the Dovecot 2.3.9 package, outputs the following warning every 10-15 seconds:

dovecot: imap: Warning: Time jumped forwards 28.294585 seconds

It looks like there is a time issue on that VM although I am running the default ntpd of OpenBSD 6.6 and I have added the following parameter to my /etc/sysctl.conf on that VM:

kern.timecounter.hardware=tsc

Is there anything else I can do to avoid this time issue in my VM?

Best regards,
Mabi
Re: Time jumping forward issue under OpenBSD 6.6 VMM
‐‐‐ Original Message ‐‐‐
On Tuesday, March 3, 2020 5:58 PM, Ian Gregory wrote:

> I've had similar issues with timekeeping within guests of VMM,
> although there are improvements in -current with the pvclock time
> source. Since the fix below I now see occasional instances of the
> clock stepping by a few whole seconds (typically less than 8s) but
> it's much less frequent and the magnitude is within the bounds of what
> ntpd can correct.
>
> See
> http://openbsd-archive.7691.n7.nabble.com/pvclock-stability-tp376946p377922.html
> for some backstory
>
> (aside: I see similar small occasional clock jumps of an integer
> number of seconds on OpenBSD-6.6 guests using tsc running on a VMware
> ESXi host)

Thank you Ian for your answer. Unfortunately I don't understand too much of that post you linked. But if I understand you correctly you are suggesting that I should change on my VM:

kern.timecounter.hardware=pvclock

and the drift or jumps should be better than with "tsc"?
Re: Time jumping forward issue under OpenBSD 6.6 VMM
‐‐‐ Original Message ‐‐‐
On Tuesday, March 3, 2020 8:52 PM, Jordan Geoghegan wrote:

> The clocks are basically broken on vmm. The pvclock stuff is definitely
> an improvement, but it's still not there. There's still a ways to go
> before we have proper, reasonably accurate clocks for vmm guests.

Thanks Jordan for this info. For now I might just avoid VMM for time sensitive services and use bare metal, with OpenBSD of course. I will for sure go back to VMM once the clock is more accurate.
Atheros AR9300
Hi,

I just got myself a new firewall device (Lanner FW-7526) to replace my dying Soekris box. That new firewall shipped with an Atheros AR9300 wireless chip and I just realized from the dmesg output and the athn man page (OpenBSD 6.2) that this chip must not be supported (yet). The dmesg output is the following:

"Atheros AR9300" rev 0x01 at pci4 dev 0 function 0 not configured

Is my conclusion here correct? Or am I just missing a non-free firmware (though I ran the fw_update command already)?

Best regards,
Mabi
NTP issue on Lanner FW-7526B
Hi,

I have a new Lanner FW-7526B firewall loaded with OpenBSD 6.2. I must say it's a nice small firewall but unfortunately the ntp daemon does not seem to manage to set the time correctly with this hardware. The time is off by approximately 1:20h and every 2-3 minutes I see the following log entries:

Dec 9 14:26:10 fw ntpd[828]: adjusting local clock by -85381.687984s
Dec 9 14:29:53 fw ntpd[828]: adjusting local clock by -85380.584607s
Dec 9 14:31:33 fw ntpd[828]: adjusting local clock by -85380.084014s
Dec 9 14:33:12 fw ntpd[828]: adjusting local clock by -85379.589606s

ntpctl reports:

4/4 peers valid, constraint offset -85442s, clock unsynced, clock offset is -85378257.156ms

Any ideas what could be wrong here? I use the default ntp.conf file delivered with OpenBSD 6.2. In case it helps, I pasted below the dmesg output.

Regards,
Mabi
Re: NTP issue on Lanner FW-7526B
Mhh thanks, totally forgot about that good old rdate. That did it and now ntp is happily in sync.

> Original Message
> Subject: Re: NTP issue on Lanner FW-7526B
> Local Time: December 8, 2017 7:22 PM
> UTC Time: December 8, 2017 6:22 PM
> From: dan...@presscom.net
> To: misc@openbsd.org
>
> It is adjusting the time, but your clock is way off, so it tries to do it
> slowly so as to not mess up any logs, but if you want to adjust it all at once
> and don't care about that for now:
>
> rdate -n4 pool.ntp.org
>
> Simple.
>
> On 12/8/17 9:58 AM, mabi wrote:
Listen-on parameter in iked.conf
Hello,

I just moved from isakmpd to iked and could not find the parameter name in iked.conf to tell iked on which IP it should listen. With isakmpd.conf I would use the following:

[General]
Listen-on= 123.123.123.123

Is there any equivalent with iked?

Regards,
Mabi
Re: Listen-on parameter in iked.conf
On April 16, 2018 9:05 AM, Stuart Henderson wrote:

> There is not, but the main place this is needed is for setting the
> "from" address for outgoing packets. isakmpd uses the "default" address
> for this, which is often wrong on a multihomed system so it's necessary
> to bind to a particular address to fix this. iked (at least in the
> last few releases) uses the address from "local" in the config instead,
> so binding isn't needed in most cases.

I see, so as long as I use the "local" parameter in iked.conf with the local IP address which I use for my site-to-site VPN, I am telling iked to listen only on that IP address. Here would be my generic example for a site-to-site VPN between two OpenBSD firewalls:

ikev2 passive esp \
    from $local_network to $remote_network local $local_ip peer $remote_ip \
    srcid $local_ip

I was also wondering, in the case of a site-to-site VPN, should one side be in active mode and the other one in passive mode? Or what is usually used for site-to-site VPNs?
pfstat package dependencies missing on 6.3 amd64
Hello,

It looks like some package dependencies are missing on the package repository of 6.3 amd64, or the pfstat dependencies are broken. See below:

$ doas pkg_add -v pfstat
quirks-2.414 signed on 2018-03-28T14:24:37Z
quirks-2.414: ok
pfstat-2.5p2:libiconv-1.14p3: ok
pfstat-2.5p2:png-1.6.34: ok
pfstat-2.5p2:jpeg-1.5.3v0: ok
pfstat-2.5p2:tiff-4.0.9: ok
pfstat-2.5p2:giflib-5.1.4: ok
pfstat-2.5p2:libwebp-0.6.1p0: ok
Can't install gd-2.2.5p0 because of libraries
|library fontconfig.11.0 not found
| not found anywhere
|library freetype.28.2 not found
| not found anywhere
Direct dependencies for gd-2.2.5p0 resolve to png-1.6.34 jpeg-1.5.3v0 tiff-4.0.9 libiconv-1.14p3 libwebp-0.6.1p0
Full dependency tree is tiff-4.0.9 giflib-5.1.4 libwebp-0.6.1p0 libiconv-1.14p3 png-1.6.34 jpeg-1.5.3v0
Can't install pfstat-2.5p2: can't resolve gd-2.2.5p0
Extracted 12048693 from 12052934

Best regards,
Mabi
Re: pfstat package dependencies missing on 6.3 amd64
Sorry, my bad, these are actually system libraries and not packages missing. Indeed I do not have the X tgz packages installed yet.

‐‐‐ Original Message ‐‐‐
On April 16, 2018 3:48 PM, mabi wrote:

> Hello,
>
> It looks like some package dependencies are missing on the package repository
> of 6.3 amd64 or pfstat dependencies is broken. See below:
aesni/crypto related kernel panic on 6.3
Hi,

I finally replaced my old OpenBSD 5.0 firewall with 6.3, which also serves as a site-to-site VPN using now iked instead of isakmpd. The problem is that when I start a big transfer over the VPN to the remote site, also an OpenBSD 6.3 firewall, the kernel panics. Crazy enough, I tried to reproduce the problem to find out what it is related to and managed to even make both firewalls kernel panic at the same time. When this happens the hardware is frozen and won't take any input and won't even reboot automatically. I need to power it off and on again.

As I was logged into the serial console when I reproduced this problem I managed to get the following messages from the console:

fatal protection fault in supervisor mode
trap type 4 code 0 rip 8104d58a cs 8 rflags 10202 cr2 1dd9ec5f7c70 cpl a rsp 80002231ce28
panic: trap type 4, code=0, pc=8104d58a
Starting stack trace...
panic() at panic+0x11c
trap() at trap+0x688
--- trap (number 4) ---
memcpy(801be460,ff03a0f34188,0,0,16,a21ae232a3847235) at memcpy+0xa
aesni_process(ff03a0f34188) at aesni_process+0x124
crypto_invoke(8116ebc0) at crypto_invoke+0xd0
taskq_thread(0) at taskq_thread+0x67
end trace frame: 0x0, count: 251
End of stack trace.
syncing disks...

When this happened I had just started to transfer a ZFS snapshot over SSH to the remote site using the IPsec VPN. The iked daemon was rekeying its SAs and then the kernel panicked...

Below I pasted the dmesg of the firewall corresponding to the kernel panic message above. I can't send the dmesg of the remote firewall now as I need to go on-site first. Please let me know if I should send any log files or other details.

Regards,
Mabi
limit UDP connection rate with PF pass rule
Hello,

On my authoritative DNS servers, which are behind an OpenBSD 6.6 firewall, I just saw some weird high-volume UDP traffic on port 53 to these DNS servers coming from Google (e.g. 74.125.18.1 or 172.253.214.111). These few IPs generated around 5200 requests/second on my DNS servers, so I was wondering if one can also limit the rate of requests in PF on UDP traffic, as can be done with TCP (using max-src-nodes, max-src-conn, etc.)? Looking at the documentation (https://www.openbsd.org/faq/pf/filter.html) it only mentions TCP. So I deduce that it is simply not possible to somehow limit the rate of UDP connections with PF, am I right here?

Regards,
Mabi
Re: limit UDP connection rate with PF pass rule
‐‐‐ Original Message ‐‐‐
On Tuesday, November 17, 2020 11:50 PM, Stuart Henderson wrote:

> These packets are most likely sent from spoofed source addresses.
>
> Assuming this is the case, the address you are seeing on the packets
> would not be the attacker but the victim.

That totally makes sense, because why would Google be sending me all these DNS packets from different IP addresses from their network. Here is an example of a packet which was logged by Bro (now called Zeek) on my NSM, and there are tons of these during a time window of 3 minutes:

{"ts":"2020-11-17T14:02:00.059396Z","uid":"CD5YJQ2eVZKX6bhyoj","id.orig_h":"74.125.18.1","id.orig_p":51423,"id.resp_h":"","id.resp_p":53,"proto":"udp","trans_id":39451,"rcode":3,"rcode_name":"NXDOMAIN","AA":false,"TC":false,"RD":false,"RA":false,"Z":0,"rejected":false}

> PF doesn't support this type of request rate limiting on UDP
> connections. It's a bit dangerous to do so because in many cases it's
> trivial to spoof UDP packets and blocking packets from a source on the
> basis of this can result in you DoS'ing yourself. This isn't such a
> problem with TCP because only someone on the network path between
> you and the supposed source address (i.e. someone with access to
> the ACK packets) is likely to be able to successfully spoof packets.

I understand and that's what I thought. So there is not much point in me trying to add "max-src-states 10" for example to my pass in rule for DNS UDP traffic to my DNS servers.

> To mitigate this you might like to read the manual for your
> authoritative nameserver software about RRL (response rate limiting),
> many support it directly (including BIND and NSD), if not then you could
> front-end with something that can handle it itself like dnsdist.
>
> The DNS RRL techniques typically still reply to a proportion of queries
> (either directly with the answer, or with a "retry over TCP" response
> code) reducing impact if the source IP is also used by real queries as
> well as the attack traffic.

I've been looking into that in the past and as I am using PowerDNS 4.0.3 the only valid config parameters I could find, and which I already have in place, are the following:

overload-queue-length=1
max-tcp-connections=5

There is as far as I know no such parameter as "max-udp-connections".
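Detection logic for the pattern in this thread, as an added example that is not part of the original posts: it reads Zeek dns.log JSON records (constructed samples shaped like the line quoted above), counts UDP port-53 queries per apparent source per second, and reports sources whose rate and NXDOMAIN share look like a flood. Following Stuart's point about spoofing, a flagged id.orig_h is reported as the probable victim and as input for RRL tuning, not for a block table; the thresholds, addresses and sample records are assumptions.

```python
"""Flag DNS query floods in Zeek dns.log JSON, per apparent source address.

Added example; the records are constructed to match the shape of the Zeek
(Bro) line quoted in the thread. Because UDP sources are trivially spoofed,
a flagged id.orig_h is reported as the probable victim of a reflection
attack, not the attacker: the output is input for response rate limiting
tuning, not for a PF block table.
"""
import json
from collections import defaultdict
from datetime import datetime

RATE_THRESHOLD = 100   # assumed: queries per second per source worth reporting
NXDOMAIN_SHARE = 0.9   # assumed: share of NXDOMAIN answers that marks junk queries


def _record(i, src, rcode, rcode_name, ms):
    """One constructed dns.log record; 192.0.2.53 stands in for the auth server."""
    return json.dumps({
        "ts": f"2020-11-17T14:02:00.{ms * 1000:06d}Z", "uid": f"C{i:06d}",
        "id.orig_h": src, "id.orig_p": 51000 + i, "id.resp_h": "192.0.2.53",
        "id.resp_p": 53, "proto": "udp", "trans_id": 30000 + i,
        "rcode": rcode, "rcode_name": rcode_name, "AA": False, "TC": False,
        "RD": False, "RA": False, "Z": 0, "rejected": False})


# Constructed sample: a 300-query NXDOMAIN burst "from" 74.125.18.1 within one
# second, plus five ordinary queries from an unrelated resolver (198.51.100.7).
SAMPLE_LOG = "\n".join(
    [_record(i, "74.125.18.1", 3, "NXDOMAIN", i) for i in range(300)]
    + [_record(i, "198.51.100.7", 0, "NOERROR", i * 200) for i in range(5)])


def zeek_ts_to_epoch(ts):
    """Zeek JSON ts is ISO 8601 with a trailing Z; return POSIX seconds."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()


def analyze(log_text, rate_threshold=RATE_THRESHOLD, nxdomain_share=NXDOMAIN_SHARE):
    """Bucket UDP/53 queries by (id.orig_h, whole second) and flag hot buckets.

    Returns (stats, flagged). stats maps (src, second) to query/NXDOMAIN
    counters; flagged lists buckets with at least rate_threshold queries in
    that second whose NXDOMAIN share is at or above nxdomain_share.
    """
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("proto") != "udp" or rec.get("id.resp_p") != 53:
            continue
        key = (rec["id.orig_h"], int(zeek_ts_to_epoch(rec["ts"])))
        stats[key]["queries"] += 1
        if rec.get("rcode_name") == "NXDOMAIN":
            stats[key]["nxdomain"] += 1

    flagged = []
    for (src, second), c in sorted(stats.items()):
        share = c["nxdomain"] / c["queries"]
        if c["queries"] >= rate_threshold and share >= nxdomain_share:
            flagged.append({"src": src, "second": second,
                            "queries": c["queries"], "nxdomain_share": share})
    return dict(stats), flagged


if __name__ == "__main__":
    _, hot = analyze(SAMPLE_LOG)
    for f in hot:
        # The source is the address *on* the packets; with spoofed UDP that is
        # who receives the reflected answers, so treat it as the party to protect.
        print(f"{f['src']}: {f['queries']} q/s, NXDOMAIN share {f['nxdomain_share']:.0%} "
              f"(probable spoofed source; tune RRL, do not block)")
```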
pf adaptive syncookie
Hi,

I see quite some SYN flood packets on my OpenBSD firewall filling up the state table for nothing. So I thought let's try pf's adaptive syncookies. I am just not quite sure what the percentages used by start and stop relate to. In the pf.conf man page the following is written:

"pf will enable syncookie mode when a given percentage of the state table is used up by half-open TCP connections..."

That "given percentage", does it compare the "half-open tcp" value of the state table (as seen in "pfctl -si") with the amount of "current entries" in the state table? Or does it compare it with the limit of maximum states I have defined in my pf.conf (value of "set limit states")?

Thank you in advance for any precisions.

Regards,
Mabi
Re: pf adaptive syncookie
‐‐‐ Original Message ‐‐‐
On Friday, December 18, 2020 10:48 AM, Stuart Henderson wrote:

> It's something like "what % of max allowed states is half-open tcp".
> Watch out as there are some bugs in this area, definitely the
> accounting of half-open connections can be wildly off sometimes
> (triggering adaptive syncookies when they shouldn't really be triggered)
> and I think also with the behaviour when they're active, I have had
> it trigger spuriously and then a bunch of connections failing when
> triggered, so monitor it carefully if you enable this.

Thank you for your precisions. This means that if I want to start using syncookies when I have over 40'000 half-open tcp states and stop using them when it is back down to 30'000 half-open tcp states I would use the following pf.conf parameter:

set syncookies adaptive (start 4%, end 3%)

Note that my max allowed states is set to 1'000'000. I guess this is better, even if somewhat imprecise, than having syncookies set to "always"...

What is the best way to monitor the usage of adaptive syncookies? In the output of "pfctl -si" I don't see any relevant metric for syncookies.
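A way to watch the ratio discussed in this thread from the counters pfctl already exposes, as an added example that is not from the thread: it parses "pfctl -si" and "pfctl -sm" text (constructed samples, shaped like the output on releases that print the "half-open tcp" counter), computes half-open TCP states as a percentage of the hard state limit, and applies start/end hysteresis like "set syncookies adaptive (start X%, end Y%)". The sample counters, the script name and the at-or-above / at-or-below boundary handling are this example's own assumptions.

```python
"""Where adaptive syncookies would trigger, computed from pfctl counters.

Added example, not from the thread. Parses the text of "pfctl -si" and
"pfctl -sm" (constructed samples below), computes the ratio Stuart
describes (half-open TCP states as a percentage of the hard state limit)
and applies start/end hysteresis the way "set syncookies adaptive
(start X%, end Y%)" is described. Boundary handling (>= start enables,
<= end disables) is this example's own convention.
"""
import re
import sys

# Constructed "pfctl -si" excerpt; only the State Table lines are parsed.
SAMPLE_SI = """\
Status: Enabled for 12 days 03:15:42           Debug: err

State Table                          Total             Rate
  current entries                   612345
  half-open tcp                      40500
  searches                     98765432100       93000.0/s
  inserts                        123456789         120.0/s
  removals                       122844444         119.0/s
"""

# Constructed "pfctl -sm" with the 1'000'000 state limit from the thread.
SAMPLE_SM = """\
states        hard limit  1000000
src-nodes     hard limit    10000
frags         hard limit     1024
tables        hard limit     1000
table-entries hard limit   200000
"""


def parse_counter(si_text, label):
    """Integer following a State Table label such as 'half-open tcp'."""
    m = re.search(r"^\s*" + re.escape(label) + r"\s+(\d+)", si_text, re.MULTILINE)
    if not m:
        raise ValueError(f"{label!r} not found in pfctl -si output")
    return int(m.group(1))


def state_limit(sm_text):
    """Hard state limit from 'pfctl -sm' (what 'set limit states' configures)."""
    m = re.search(r"^states\s+hard limit\s+(\d+)", sm_text, re.MULTILINE)
    if not m:
        raise ValueError("states hard limit not found in pfctl -sm output")
    return int(m.group(1))


def half_open_percent(si_text, sm_text):
    """Half-open TCP states as a percentage of the state hard limit."""
    return 100.0 * parse_counter(si_text, "half-open tcp") / state_limit(sm_text)


def thresholds_for(limit, start_states, end_states):
    """Convert absolute state counts into the percentages pf.conf expects."""
    return 100.0 * start_states / limit, 100.0 * end_states / limit


def next_mode(active, pct, start_pct, end_pct):
    """Hysteresis: enable at/above start, disable at/below end, else unchanged."""
    if start_pct <= end_pct:
        raise ValueError("start must be above end")
    if not active and pct >= start_pct:
        return True
    if active and pct <= end_pct:
        return False
    return active


if __name__ == "__main__":
    # On a firewall (script name assumed): python3 syncookie_watch.py "$(pfctl -si)" "$(pfctl -sm)"
    si, sm = (sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else (SAMPLE_SI, SAMPLE_SM)
    limit = state_limit(sm)
    half_open = parse_counter(si, "half-open tcp")
    current = parse_counter(si, "current entries")
    pct = half_open_percent(si, sm)
    start, end = thresholds_for(limit, 40000, 30000)   # the thread's 40'000 / 30'000
    print(f"half-open tcp = {pct:.2f}% of the {limit} state limit "
          f"(start {start:g}%, end {end:g}%)")
    # Shown only to contrast with the other reading of the man page text.
    print(f"for comparison: {100.0 * half_open / current:.2f}% of current entries")
    print("adaptive syncookies would be",
          "active" if next_mode(False, pct, start, end) else "inactive")
```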
Re: pf adaptive syncookie
‐‐‐ Original Message ‐‐‐
On Friday, December 18, 2020 6:13 PM, Stuart Henderson wrote:

> And if it's anything like when I try it, you'll see some TCP connections
> failing when it is active too. Not everything fails, but e.g. if I have
> "set syncookies always" on a router, and run "ftp -o- http://www.facebook.com/"
> from a machine behind it, it fails every time (it appears to connect
> immediately, but of course that's just syncookies - I never get a response
> after making a request over it until I disable syncookies again).
> In that case where syncookies are active but things are failing I see
> PROXY and SYN_SENT states in pfctl -ss e.g.
>
> all tcp 157.240.221.35:80 <- 82.68.199.130:16476 PROXY:DST
> all tcp 82.68.199.130:16476 -> 157.240.221.35:80 SYN_SENT:CLOSED
>
> So I strongly recommend trying it with 'always' and see if things are
> broken for you. Otherwise if you set 'adaptive' you may get an unpleasant
> surprise sometime maybe much later when they do actually trigger.

Thanks for the tip. I just tried it on my OpenBSD 6.7 firewall at home and exactly as you say I can't connect to facebook.com anymore (same for instagram.com). This is really weird, do you have any idea why? Is it a bug in the implementation of syncookies in OpenBSD or is facebook.com doing weird things with TCP?
PF rate limiting options valid for UDP?
Hello,

From the following documentation, I am trying to figure out which PF tracking options are also valid for UDP but unfortunately it is not quite clear to me:

https://man.openbsd.org/pf.conf.5#Stateful_Tracking_Options

My goal would be to add rate limiting options to a PF UDP pass rule in order to limit DDoS/DoS attacks on port 53. Especially interesting would be the "max-src-states" option. Is this option also valid for UDP? Is it also possible to use the "overload" option with UDP in order to add source IPs into a table of attackers which I will then block?

That would be for an OpenBSD 7.3 firewall.

Best regards,
Mabi
Re: PF rate limiting options valid for UDP?
--- Original Message ---
On Tuesday, July 18th, 2023 at 10:59 PM, Stuart Henderson wrote:

> PF's state-tracking options are only for TCP. (Blocking an IP
> based on number of connections from easily spoofed UDP is a good
> way to let third parties prevent your machine from communicating
> with IPs that may well get in the way i.e. trigger a "self DoS").

What a pity, these kinds of rate limiting options for UDP would have been quite useful.

> You may be interested in looking into L7 methods of mitigating
> problems from high rates of DNS queries - for example dnsdist
> allows a lot of flexibility in this area.

Thanks for the hint about dnsdist, it looks powerful. Still, whenever possible I would rather avoid having an extra piece of software and instead have that traffic controlled more upstream, so ideally on the firewall directly.
Re: PF rate limiting options valid for UDP?
--- Original Message ---
On Wednesday, July 19th, 2023 at 12:40 PM, Stuart Henderson wrote:

> I don't think you understood what I wrote then - they are the
> opposite of helpful here.

No, I do understand what you wrote, but I should have explained my case in more detail. Behind my OpenBSD firewall I have two authoritative DNS servers, and because of a recent DDoS originating from >12k IPs against UDP port 53 on these two servers, the whole network behind the firewall gets unresponsive or has high packet loss because there are over 2 million states in the PF state table during the attack.

So in my specific case I don't care that Cloudflare or other external DNS servers can not query my authoritative DNS servers for a few seconds or minutes, but I do care a lot that the whole rest of my network and servers behind the OpenBSD firewall stay responsive. It's a trade-off I can totally accept and welcome.

Furthermore, when I have so many state entries due to a DDoS on UDP port 53, CARP breaks as well as the OSPF sessions with my border routers because it can not communicate properly within the defined timeouts.
Re: PF rate limiting options valid for UDP?
--- Original Message ---
On Wednesday, July 19th, 2023 at 9:32 PM, Stuart Henderson wrote:

> If PF is struggling as it is, there's a good chance it will buckle
> completely if it has to do source tracking too

That is also something I thought might be the case :|

> Did you already tweak timeouts for the rule passing UDP DNS traffic?
> Defaults are 60s/30s/60s for udp.first, udp.single and udp.multiple
> respectively, that is much too high for a very busy DNS server -
> you can set them on the specific rule itself rather than changing
> defaults for all rules. For an auth server which is expected to
> respond quickly they can be cranked way down.

Yes, this at least I did quite some time ago, and I use the following timeout settings:

set timeout udp.first 20
set timeout udp.multiple 20
set timeout udp.single 10

Do you think I could go even lower? When I check the PF state entries during such a DDoS I see mostly states in the "SINGLE" state.

> (If that is still too many states, I wonder if your network might
> actually be happier if you "pass quick proto udp to $server port 53 no
> state" and "pass quick proto udp from $server port 53 no state" right at
> the top of the ruleset).

That's actually an excellent idea to bypass PF states and hence consume fewer resources... Next thing to try out.

I was also thinking I should use "no state" with the CARP and OSPF rules in pf.conf so that in case the PF state table is full it does not prevent such important protocols from functioning. What do you think, would that also work?

> Are you already using your DNS server's response rate limiting features?

Not yet, as I still believe I should stop as much of such traffic as possible at the firewall before it even reaches the network behind it. So the software/daemon/service level would be my last line of defense.
Re: PF rate limiting options valid for UDP?
--- Original Message ---
On Wednesday, July 19th, 2023 at 10:58 PM, Stuart Henderson wrote:

> For rules that pass traffic to your authoritative DNS servers,
> I don't think you need much longer than the time taken to answer a
> query. So could be quite a bit less.

Right, good point, I will add custom state timeouts for this specific UDP pass rule on port 53.

> Usually carp/ospf will enter the state table before the machines start
> seeing large amounts of packets and stay there, which is what you would
> normally want. If the state table is full, you have more problem
> opening new connections that require state to be added than you do
> maintaining existing ones.
>
> fwiw I typically use this on ospf+carp machines, "pass quick proto
> {carp, ospf} keep state (no-sync) set prio 7"

That's very interesting, I never realized there was a simple priority system ready to use in PF without the need to set up any queues. Probably the "set prio 7" option on the OSPF+CARP pass rules will just do the trick and I will definitely also implement this.

> DNS server software is written with this type of traffic in mind, and
> has more information available (from inside the DNS request packet)
> to make a decision about what to do with it, than is available in a
> general-purpose packet filter like PF.
>
> Also it stores the tracking information in data structures that have
> been chosen to make sense for this use (and common DNS servers default
> to masking on common subnet sizes, reducing the amount they have to
> store compared to tracking the full IP address).
>
> http://man.openbsd.org/nsd.conf#rrl
> https://bind9.readthedocs.io/en/latest/reference.html#response-rate-limiting
> https://www.knot-dns.cz/docs/2.4/html/reference.html#module-rrl

Too bad I use PowerDNS, it does not seem to offer many parameters related to rate limiting for UDP, but for TCP I found at least max-tcp-connections. Maybe it's time for a change, as Gabor mentions his tests in his reply (thanks btw!)...
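The three PF measures discussed in this thread (per-rule UDP timeouts, stateless DNS rules, and a prioritised carp/ospf rule) combined into one pf.conf fragment. This is an added example, not configuration posted by anyone in the thread; the $dns_servers macro, its addresses and the specific timeout values are assumptions.

```pf
# Added example, not from the thread. Assumed macro with constructed
# documentation-range addresses standing in for the two authoritative servers.
dns_servers = "{ 192.0.2.10, 192.0.2.11 }"

# Keep CARP and OSPF ahead of everything else so the cluster and the routing
# adjacencies keep working even when the state table is full.
pass quick proto { carp, ospf } keep state (no-sync) set prio 7

# Stateful variant: per-rule UDP timeouts instead of the global defaults
# (60s/30s/60s). An authoritative server answers in well under a second, so
# these values are assumed to be enough; they apply only to this rule.
pass quick proto udp to $dns_servers port 53 \
    keep state (udp.first 5, udp.single 3, udp.multiple 5)

# Stateless variant (use instead of the rule above): no state is created at
# all, so a query flood cannot fill the table. Both directions need a rule,
# because there is no state to match the reply against.
#pass quick proto udp to $dns_servers port 53 no state
#pass quick proto udp from $dns_servers port 53 no state
```

Check the result with "pfctl -nf /etc/pf.conf" before loading, and with "pfctl -ss | grep ':53'" during traffic to see whether states are still created for port 53.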
TSO support and performance gain
Hi,

First, thank you for another great OpenBSD release. I just updated my home firewall today and was wondering about the performance of the TSO support on bnxt and em interfaces, which has been added in the 7.5 release... Does anyone know roughly the performance gains from having TSO support enabled on these NICs?

Best regards,
Mabi
Re: TSO support and performance gain
On Friday, April 5th, 2024 at 8:32 PM, Jan Klemkow wrote:

> Pure sending will saturate your interface 1/10 Gbit/s. So, it depends
> on your traffic source. The receiving speed of the opposite interface
> will be the bottleneck of the em(4)/bnxt(4) sending interface. Also
> the speed of your disk, when you send local files over network.
>
> TSO in general just helps with bulk traffic like Downloads. If your
> firewall just handles many small TCP connections, it won't help you that
> much.

Thank you both Jan and Claudio for your answers. I understand now that in my specific use case there is hardly any advantage.

Best,
Mabi
reboot after kernel panic on 7.2
Hello,

Is it possible to have OpenBSD 7.2 automatically reboot after a kernel panic happens? I tried setting:

ddb.panic=0

but it does not reboot automatically. As I am affected by the pfsync issue which leads to a kernel panic on OpenBSD 7.2, I would like the firewall to reboot as soon as this happens.

Best,
Mabi
carp status master on both firewalls
Hello,

I am running two OpenBSD 7.3 firewalls with pfsync and CARP for redundancy and have one carp interface, carp0, for the public internet and one carp interface, carp1, for my private (NAT) internal network. The private carp interface has status master on the first firewall and status backup on the 2nd firewall, so all good here, but for my external carp interface both firewalls show master as status, so I suspect I have something wrong in my config or it is a bug. The config is below for reference:

/etc/hostname.carp0 on fw1:

inet x.x.x.114 255.255.255.240 x.x.x.127 vhid 40 carpdev em2 pass password advskew 1
inet alias x.x.x.115 0xfff0
inet alias x.x.x.116 0xfff0

/etc/hostname.carp0 on fw2:

inet x.x.x.114 255.255.255.240 x.x.x.127 vhid 40 carpdev em0 pass password advskew 128
inet alias x.x.x.115 0xfff0
inet alias x.x.x.116 0xfff0

On both firewalls I have added the following in /etc/pf.conf:

pass on { $ext_if $int_if } proto carp keep state (no-sync)

Did anyone already encounter this issue or have any idea what might be wrong?

Best regards,
Mabi
Re: carp status master on both firewalls
--- Original Message ---
On Friday, April 14th, 2023 at 10:50 AM, Markus Wernig wrote:

Thank you Markus for your answer; as mentioned to Janne, the switch was the problem. For the sake of documentation I answered your questions below.

> - Do the two fw actually have a link on their carp0 carpdev interfaces?

Yes.

> If both are master, both should be sending out CARP advertisements, so
> I'd try to run tcpdump on both external interfaces and look for those:
> tcpdump -n -e -i carp0 proto carp

I did that yesterday and on both firewalls I could see the CARPv2 advertisements.

> - Did you enable CARP preemption? Try setting these via sysctl:
> net.inet.carp.preempt=1
> net.inet.carp.log=3

I have CARP preemption enabled, but my carp log level is 2 and not 3.

> - In your config one fw has carpdev em2, the other carpdev em0. Could be
> OK, or could be an error.

Well spotted, but it is indeed correct: both firewalls have different hardware, and the first interface on the first firewall is em2 whereas on the 2nd firewall it is em0.
Re: carp status master on both firewalls
--- Original Message ---
On Friday, April 14th, 2023 at 7:14 AM, Janne Johansson wrote:

> Not impossible to have switches(*) that dislike/filter/bug on
> multicast too I guess, so I would suggest rigging the carps up (at
> least temporary) with carppeer against the "real" ip of the remote
> ext_if to make carp use normal unicast ip for sync and just see if it
> helps. If it does, it is related to the boxes ability to talk
> multicast and you would have to either stick with carppeer setup, or
> "fix" the multicast issue, which can be hard to pin down where exactly
> it is.

Thank you Janne for pointing out the switch, I would never have thought about that. So indeed, I just upgraded my Cisco Catalyst 2960L switch to the latest IOS version from 2022 and now the 2nd firewall correctly reports backup as status. I was running an IOS version from 2018.

Strangely enough, both firewalls are connected to that switch with both carp0 on the public VLAN and both carp1 on the private VLAN, so I would have expected the same odd double master status on both carp interfaces and not just on carp0. But anyway, it works now.
VMs as real hosts on the same network
Hello,

I am trying out VMM on an OpenBSD 6.4 server which has the following network interfaces defined:

[bnx0]+[bnx1]-->[trunk0]-->[vlan2]
[bnx0]+[bnx1]-->[trunk0]-->[vlan6]-->[bridge6]

vlan2 is for the internal (management) network and vlan6 for the public (internet) network. I manage my server from vlan2 and would like to have my virtual machines on vlan6, which uses public IP addresses. For that purpose I have set up my /etc/hostname.* files as such:

hostname.bnx0 + hostname.bnx1:
up

hostname.trunk0:
trunkproto failover trunkport bnx0 trunkport bnx1 up

hostname.vlan2:
inet 192.168.1.5 255.255.255.0 192.168.1.255 vnetid 2 parent trunk0 description "private"

hostname.vlan6:
vnetid 6 parent trunk0 description "public" up

hostname.bridge6:
add vlan6

I am actually using Option 4 from the Networking chapter in the virtualization FAQ (https://www.openbsd.org/faq/faq16.html), except that my setup has a redundant link (trunk0) and a VLAN (vlan6). So in theory that should work, but unfortunately when I start a VM to install OpenBSD 6.4 from the bsd.rd boot file I do not have any network connectivity. I tried with DHCP first, and in that case on the DHCP server I see the DHCPDISCOVER and DHCPOFFER request/answer but there is never a DHCPACK. Then I tried assigning a static IP directly but still no network connectivity: I can't ping the default gateway of that public network. Checking with tcpdump on the firewall I can see the ARP who-has request and the ARP reply back to the VM, but again it seems like the VM does not get it.

Here is my vm.conf file:

switch "uplink_vlan6" {
	interface bridge6
}

vm "example" {
	disable
	memory 2G
	boot "/home/admin/bsd.rd"
	disk "/var/vmm/example.qcow2"
	interface {
		switch "uplink_vlan6"
		lladdr fe:e1:bb:01:01:01
	}
}

I have also totally disabled pf on that OpenBSD VMM server but that did not change anything (I am using the default pf.conf from the installation).

Any ideas what I might be doing wrong or forgetting?

Regards,
Mabi
Re: VMs as real hosts on the same network
‐‐‐ Original Message ‐‐‐
On Friday, December 7, 2018 11:43 AM, Mischa wrote:

> It might be as easy as adding: up
>
> cat /etc/hostname.bridge6
> ==
> add vlan6
> up
>
> By default the bridge interface is not brought up.
> You can also run: ifconfig bridge6 up

Good idea, and I added "up" to my hostname.bridge6 file, but it looks like it was already up (at least doing an ifconfig bridge6 shows the "UP" flag). Nevertheless, to be on the safe side I rebooted the server, but still no connectivity on the vlan6/bridge6 network for the VMs.

On the bridge6 interface I can see the DHCP request with tcpdump when the OpenBSD installer in the VM tries to fetch an IP address with DHCP:

11:59:35.672258 0.0.0.0.68 > 255.255.255.255.67: xid:0xbafb375b [|bootp] [tos 0x10]

Then on the DHCP server I can see the following in a loop:

Dec 7 12:00:27 dhcpsrv dhcpd[18917]: DHCPDISCOVER from fe:e1:bb:01:01:01 via XXX.XXX.XXX.1
Dec 7 12:00:27 dhcpsrv dhcpd[18917]: DHCPOFFER on XXX.XXX.XXX.101 to fe:e1:bb:01:01:01 via XXX.XXX.XXX.1

The IP address ending with .1 is the gateway on my public network and the one ending with .101 is the IP which should be assigned to my OpenBSD VM. It seems like the traffic is not flowing back to the VM itself.

I just found a very interesting behaviour by running tcpdump on pretty much all interfaces of my server to analyze the traffic at different levels, and BINGO: as soon as I run tcpdump on my trunk0 interface the DHCP request goes through and my VM has network connectivity! But as soon as I stop tcpdump on the trunk interface: no more network connectivity...

Now, as far as I know running tcpdump enables promiscuous mode (PROMISC flag on the interface) and this should be the reason why it works. But now what does it mean for my setup, do I need to enable promiscuous mode on my trunk interface manually? And if yes, how can I do that?
Re: VMs as real hosts on the same network
‐‐‐ Original Message ‐‐‐
On Friday, December 7, 2018 12:40 PM, Mischa wrote:

> The VLAN does require an IP address as far as I am aware.

Thanks, that worked. I now have network connectivity on my public VM VLAN. I saw that adding an IP to my VLAN interface automatically set the trunk interface to PROMISC. I was trying to avoid "wasting" an IP address as there is no real need for an IP on that VLAN interface on the server itself. But if that's the only way, I am fine with that :)
Re: VMs as real hosts on the same network
‐‐‐ Original Message ‐‐‐
On Friday, December 7, 2018 12:57 PM, Martin Sukany wrote:

> could you post here your /etc/pf.conf rules?

Sure, it's actually the default OpenBSD 6.4 one as you can see below:

#	$OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

set skip on lo

block return	# block stateless traffic
pass		# establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild

See my previous mail answering Mischa, his solution of adding an IP to the VLAN interface solves my issue...
short receive (0/4) from nfs server log messages
Hello,

I have an OpenBSD 6.4 box where I mount a share from an NFS server via NFS, and I see a few of the following log messages in /var/log/messages (around 10 per day):

short receive (0/4) from nfs server nfsserver:/data/files

I was wondering if this is anything to worry about and what it really means? That NFS share is mounted through my /etc/fstab as such:

nfsserver:/data/files /mnt nfs rw,nodev,nosuid,tcp,nordirplus 0 0

Regards,
Mabi
reorder_kernel: kernel relinking failed
Hello,

While rebooting a freshly installed OpenBSD 6.4 VM (using VMM on an OpenBSD 6.4 server) I noticed that the kernel does not get relinked:

reorder_kernel: kernel relinking failed; see /usr/share/relink/kernel/GENERIC/relink.log

The content of the /usr/share/relink/kernel/GENERIC/relink.log file shows:

(SHA256) /bsd: OK
LD="ld" sh makegap.sh 0x
ld -T ld.script -X --warn-common -nopie -o newbsd ${SYSTEM_HEAD} vers.o ${OBJS}
ioconf.o:(.data+0x37b8): undefined reference to `lii_ca'
ioconf.o:(.data+0x37c0): undefined reference to `lii_cd'
ioconf.o:(.data+0x6ee0): undefined reference to `loopattach'
i915_dma.o:(.rodata+0x4d0): undefined reference to `i915_gem_userptr_ioctl'
i915_gem.o: In function `i915_gem_init':
/usr/src/sys/dev/pci/drm/i915/i915_gem.c:5411: undefined reference to `i915_gem_init_userptr'
*** Error 1 in /usr/share/relink/kernel/GENERIC (Makefile:985 'newbsd': @echo ld -T ld.script -X --warn-common -nopie -o newbsd '${SYSTEM_HE...)

Does anyone have an idea what it could be? My VM has only 1 GB of memory, maybe that's not enough?

Regards,
Mabi
Re: reorder_kernel: kernel relinking failed
‐‐‐ Original Message ‐‐‐
On Wednesday, January 16, 2019 11:48 PM, Mike Larkin wrote:

> Looks like your /usr/share/relink/kernel/GENERIC.MP/*.o files got trashed
> somehow? Or perhaps you ran out of space?

So in the GENERIC directory there are 1311 *.o files, exactly the same amount as on another OpenBSD 6.4 VM which does not have this issue. Maybe one of these files is corrupt; I didn't test for integrity. My /usr partition is 5 GB and has 0.6 GB used, so I don't think it's the space. As this system is new I might just re-install the VM today and keep you posted.
Re: reorder_kernel: kernel relinking failed
‐‐‐ Original Message ‐‐‐
On Thursday, January 17, 2019 8:28 AM, mabi wrote:

> As this system is new I might just re-install the VM today and keep you
> posted.

Strange, I just re-installed the VM and now there are no relinking issues anymore. Maybe something went wrong during the installation...
100% intr CPU state in OpenBSD 6.4 VM
Hi,

I am testing VMM/VMD on an OpenBSD 6.4 host with OpenBSD 6.4 as guest OS and noticed that on a fresh installation the CPU seems to be 100% busy all the time dealing with interrupts. Here is the relevant line from "top":

CPU states: 0.0% user, 0.0% nice, 0.0% sys, 0.0% spin, 100% intr, 0.0% idle

And the output of "vmstat" looks like this:

vmstat 1
 procs    memory       page                    disk traps          cpu
 r s   avm     fre  flt  re  pi  po  fr  sr sd0  int   sys   cs us sy id
 1 32 15M 668M 4 0 0 0 0 0 0 10212 14 0 99 1
 0 33 15M 668M 12 0 0 0 0 0 0 21041 41 0 98 2
 0 33 15M 668M 7 0 0 0 0 0 0 20736 33 0 99 1
 0 33 15M 668M 7 0 0 0 0 0 0 21037 36 0 98 2
 0 33 15M 668M 7 0 0 0 0 0 0 20937 36 0 100 0

The "Interrupts" column in the output of "systat" looks like this:

Interrupts
276 total
    virtio0
    virtio1
 15 virtio2
    com0
133 clock
128 rtc

This VM has nothing running yet, the only thing I did is to disable sndiod and change this kernel parameter so that the time in the VM is more accurate:

kern.timecounter.hardware=tsc

So my question here would be if this 100% interrupt usage is normal under an OpenBSD VM? Or is there something I might be doing wrong? Below I pasted the "dmesg" output of my VM. Let me know if more details are required.

Regards,
Mabi

OpenBSD 6.4 (GENERIC) #3: Thu Dec 20 18:31:57 CET 2018
    r...@syspatch-64-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 1056956416 (1007MB)
avail mem = 1015816192 (968MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xf1950 (10 entries)
bios0: vendor SeaBIOS version "1.11.0p0-OpenBSD-vmm" date 01/01/2011
bios0: OpenBSD VMM
acpi at bios0 not configured
cpu0 at mainbus0: (uniprocessor)
cpu0: Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 2396.03 MHz, 06-2c-02
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,PCLMUL,SSSE3,CX16,SSE4.1,SSE4.2,POPCNT,AES,HV,NXE,PAGE1GB,LONG,LAHF,ITSC,MELTDOWN
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
pvbus0 at mainbus0: OpenBSD
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "OpenBSD VMM Host" rev 0x00
virtio0 at pci0 dev 1 function 0 "Qumranet Virtio RNG" rev 0x00
viornd0 at virtio0
virtio0: irq 3
virtio1 at pci0 dev 2 function 0 "Qumranet Virtio Storage" rev 0x00
vioblk0 at virtio1
scsibus1 at vioblk0: 2 targets
sd0 at scsibus1 targ 0 lun 0: SCSI3 0/direct fixed
sd0: 51200MB, 512 bytes/sector, 104857600 sectors
virtio1: irq 5
virtio2 at pci0 dev 3 function 0 "Qumranet Virtio Network" rev 0x00
vio0 at virtio2: address fe:e1:bb:ff:ff:ff
virtio2: irq 6
virtio3 at pci0 dev 4 function 0 "OpenBSD VMM Control" rev 0x00
vmmci0 at virtio3
virtio3: irq 7
isa0 at mainbus0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16450, no fifo
com0: console
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on sd0a (2c1a48e720407786.a) swap on sd0b dump on sd0b
Re: 100% intr CPU state in OpenBSD 6.4 VM
‐‐‐ Original Message ‐‐‐
On Thursday, January 24, 2019 5:35 PM, Mike Larkin wrote:

> I believe this to be an accounting error and has been discussed on the lists
> several times.
>

Sorry about that, now that you mention it I remember also reading something on the list about that, but I could not find anything with a ddg search.

I have an issue where my VM temporarily loses network connection for a few seconds to a few minutes, so I was wondering if it might have been related to the high amount of interrupts, but in that case it is not. I will look in other directions...
VMs losing network connectivity for a few minutes on a daily basis
Hello,

I am testing VMM/VMD on OpenBSD 6.4 with OpenBSD 6.4 virtual machines, but noticed that maybe around 2 times per day the VMs lose their network connectivity for a short amount of time, around 2-3 minutes. I currently have 3 OpenBSD VMs with very light load on them and it happens to all of them.

The network connectivity recovers on its own, or if I log in through the console to the VM and initiate for example a ping to the outside. The host/hypervisor itself never loses connectivity.

Now I presume there is either an issue with my network setup or maybe a bug, but I would rather think it has to do with my network setup. My network setup on the OpenBSD host itself consists of two physical network devices (bnx0 + bnx1) which I have bundled in a trunk (trunk0) in failover mode. Then on top of my trunk I have two VLAN interfaces (vlan2 and vlan6). vlan2 is my private network and vlan6 is my public facing network (internet). Then finally I have a bridge interface (bridge6) with my vlan6 interface inside, where my VMs connect to, as they are directly available on the internet.

So the whole chain of network interfaces from host to VM looks like this:

[bnx0+bnx1]-[trunk0]-[vlan6]-[bridge6]-[tap0]-[vio0]

My /etc/vm.conf looks like this:

switch "uplink_vlan6" {
	interface bridge6
}

vm "obsd1vm" {
	memory 2G
	disk "/var/vmm/obsd1vm.qcow2"

	interface {
		switch "uplink_vlan6"
		lladdr fe:e1:bb:03:01:01
	}
}

My /etc/hostname.* files look like this:

/etc/hostname.bnx0
up

/etc/hostname.bnx1
up

/etc/hostname.trunk0
trunkproto failover trunkport bnx0 trunkport bnx1 up

/etc/hostname.vlan2
inet 192.168.1.56 255.255.255.0 192.168.1.255 vnetid 2 parent trunk0 description "private" up

/etc/hostname.vlan6
inet xxx.xxx.xxx.xxx 255.255.255.0 xxx.xxx.xxx.255 vnetid 6 parent trunk0 description "public" up

/etc/hostname.bridge6
add vlan6
up

The hardware switch behind the host is a Cisco switch, and the two ports connected to the two hardware NICs of the server both have the following config:

interface Eth101/1/9
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 2,6

Finally, below is the output of ifconfig:

bnx0: flags=8b43 mtu 1500
	lladdr ---REMOVED---
	index 3 priority 0 llprio 3
	trunk: trunkdev trunk0
	media: Ethernet autoselect (1000baseT full-duplex,rxpause)
	status: active
bnx1: flags=8b43 mtu 1500
	lladdr ---REMOVED---
	index 4 priority 0 llprio 3
	trunk: trunkdev trunk0
	media: Ethernet autoselect (1000baseT full-duplex,rxpause)
	status: active
bridge6: flags=41
	description: switch1-uplink_vlan6
	index 5 llprio 3
	groups: bridge
	priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
	vlan6 flags=3
		port 8 ifpriority 0 ifcost 0
	tap0 flags=3
		port 10 ifpriority 0 ifcost 0
trunk0: flags=8943 mtu 1500
	lladdr ---REMOVED---
	index 6 priority 0 llprio 3
	trunk: trunkproto failover
		trunkport bnx1
		trunkport bnx0 master,active
	groups: trunk
	media: Ethernet autoselect
	status: active
vlan2: flags=8843 mtu 1500
	lladdr ---REMOVED---
	description: private
	index 7 priority 0 llprio 3
	encap: vnetid 2 parent trunk0
	groups: vlan egress
	media: Ethernet autoselect
	status: active
	inet 192.168.1.56 netmask 0xff00 broadcast 192.168.1.255
vlan6: flags=8943 mtu 1500
	lladdr ---REMOVED---
	description: public
	index 8 priority 0 llprio 3
	encap: vnetid 6 parent trunk0
	groups: vlan
	media: Ethernet autoselect
	status: active
	inet ---REMOVED--- netmask 0xff00 broadcast ---REMOVED---
pflog0: flags=141 mtu 33136
	index 9 priority 0 llprio 3
	groups: pflog
tap0: flags=8943 mtu 1500
	lladdr fe:e1:ba:d0:56:1c
	description: vm1-if0-obsd1vm
	index 10 priority 0 llprio 3
	groups: tap
	status: active

Last note, the host and VMs are all patched up to 013_unveil.

I hope I could provide here all the relevant details; if there is anything else I should add I would be happy to provide more info.

Best regards,
Mabi
Re: VMs losing network connectivity for a few minutes on a daily basis
I was wondering if maybe this could have something to do with spanning tree on the bridge6 interface? An ifconfig on the bridge6 interface shows the following spanning tree settings:

priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp

Do I really need spanning tree here? And would it be safe to disable it for a test?

Regards,
Mabi

‐‐‐ Original Message ‐‐‐
On Friday, February 1, 2019 7:02 PM, mabi wrote:

> Hello,
>
> I am testing VMM/VMD on OpenBSD 6.4 with OpenBSD 6.4 virtual machines but
> noticed that maybe around 2 times per day the VMs lose their network
> connectivity for a short amount of time of around 2-3 minutes. I currently
> have 3 OpenBSD VMs with very light load on them and it happens to all of them.
Turn off athn0
Hello,

I have an Atheros AR9280 miniPCI card acting as a WiFi hotspot on my OpenBSD firewall and would like to turn it off during a specific time window of the day. To turn it completely off (no waves), would a crontab entry using the following command be enough?

ifconfig athn0 down

Or do I need any other commands in order to switch it completely off?

Regards,
Mabi
Re: Turn off athn0
‐‐‐ Original Message ‐‐‐
On Monday, February 18, 2019 8:31 PM, Stefan Sperling wrote:

> Yes, putting the interface down will disable radio.

Thanks Stefan for your answer, always so helpful and efficient ;-)
Re: em interface fails to enter promiscuous mode when bridging on vlan interfaces
‐‐‐ Original Message ‐‐‐
On Thursday, February 21, 2019 12:55 AM, Jordan Geoghegan wrote:

> I'm not sure if this has already been reported, or if it is indeed a
> bug, but the title pretty much sums it up.

Hi Jordan,

I have also reported this a while ago on this very same list and ended up assigning an IP address to that interface as a workaround. It would be great if a nicer fix for that could be found. Also I would be interested to know if you are also losing connection from time to time on your VMs? I posted this three weeks ago: https://marc.info/?l=openbsd-misc&m=154904432526324&w=2

Cheers,
Mabi
Upgrading a CARP firewall cluster
Hello,

I have an OpenBSD 6.3 firewall cluster made out of two nodes (one master, one backup) using CARP and pfsync. This cluster also makes use of trunk and vlan interfaces. Now I would first like to upgrade the cluster to 6.4 and then to 6.5, and was wondering if it is possible to operate that cluster for a short amount of time with one node running 6.3 and the other node 6.4, and then the same for going from 6.4 to 6.5. Is this safe, or could there be any incompatibilities in carp/pfsync which would prevent me from doing that upgrade in two steps while keeping everything online?

Cheers,
Mabi
Re: Upgrading a CARP firewall cluster
‐‐‐ Original Message ‐‐‐
On Tuesday, April 30, 2019 11:20 AM, Igor Podlesny wrote:

> CARP should be of no worries at all and PF state table's sync is
> easily verified.
> If after backup's upgrade-reboot it has roughly same amount of entries
> you can safely demote master and repeat procedure.
> Even if there were some major differences maximum what you could lose
> is connections state table.

Thank you Igor for the details. As you mention, it doesn't really matter much if the connection state table gets lost in the worst case.
Re: Upgrading a CARP firewall cluster
‐‐‐ Original Message ‐‐‐
On Tuesday, April 30, 2019 9:29 PM, Lyndon Nerenberg wrote:

> On our systems, we run the 'a' machine as primary and the 'b' machine
> as backup. When upgrading, we do the 'b' machine first, since this
> doesn't disrupt the primary. After the 'b' machine is fully configured,
> monitor its state table to ensure it's consistent with the 'a'
> machine. Once you are convinced pf is staying in sync, demote the
> 'a' machine and upgrade it.

Thanks for your procedure tips, that's pretty much the same procedure I use, except that I didn't even demote the "a" machine before upgrading it. Now I guess demoting the machine in question before upgrading it is the best practice, so I checked the OpenBSD FAQ about CARP and see different methods. The "carpdemote" way seems the cleanest, so as I have 8 carp interfaces all in the default carp group, should I simply run the following command:

$ ifconfig -g carp carpdemote 50

or what is your way of demoting the server before upgrading it?

Regards,
Mabi
Upgrade procedure for VMM virtualization server
Hello,

Now that 6.5 is out I was wondering what the best approach is for upgrading my OpenBSD 6.4 VMM virtualization server: should I first upgrade the VMM hypervisor host from 6.4 to 6.5 and then afterwards the virtual machines from 6.4 to 6.5? That would make sense to me but I just wanted to double check.

Best,
Mabi
Re: Upgrade procedure for VMM virtualization server
‐‐‐ Original Message ‐‐‐ On Monday, May 6, 2019 1:32 PM, Solene Rapenne wrote: > There is no order. But I would upgrade the host, then the VM, this > requires only one downtime for the whole stack. Thanks for confirming, I will then do so.
IPsec bandwidth perf on APU4C4
Hi, I am currently testing a PC Engines APU4C4 with OpenBSD 6.5 and iked for an IPsec tunnel between two sites which both have 1 Gbit/s uplink. Bypassing the IPsec tunnel I get around 500 Mbit/s of bandwidth throughput which is quite satisfying. The bandwidth throughput over my IPsec tunnel achieves a max of 80 Mbit/s which I was sort of expecting with the default encryption settings (auth hmac-sha2-256 enc aes-256). In order to increase bandwidth throughput over my IPsec tunnel I wanted to know what you guys think is a good compromise between performance and security? I was thinking for example of changing the encryption cipher to aes-128 instead of aes-256 and maybe blowfish? What would you recommend? Anything else I should be looking at? Maybe a hardware crypto accelerator miniPCI card compatible with the APU4 and OpenBSD? Cheers, Mabi
Re: IPsec bandwidth perf on APU4C4
‐‐‐ Original Message ‐‐‐ On Monday, June 10, 2019 4:49 PM, Christian Weisgerber wrote: > It helps to understand that the authentication algorithm can require > as much or more CPU than the encryption. HMAC-SHA2 is expensive. > On hardware that has AES-NI support, like the APU2 family, AES-GCM > is generally the fastest encryption/authentication combo. Thanks for the tip regarding the CPU cost of the authentication algorithm. Now I was wondering how you use the AES-GCM combo? I can't find any auth or enc parameters mentioning that combo.
Re: IPsec bandwidth perf on APU4C4
‐‐‐ Original Message ‐‐‐ On Monday, June 10, 2019 6:00 PM, Christian Weisgerber wrote: > enc aes-128-gcm etc. That part for the "enc" parameter makes sense to me but what about the "auth" parameter? Would you keep the default hmac-sha2-256? or which combination with the "enc aes-128-gcm" would be a good fit?
Re: IPsec bandwidth perf on APU4C4
‐‐‐ Original Message ‐‐‐ On Monday, June 10, 2019 7:09 PM, Christian Weisgerber wrote: > No "auth". AES-GCM is an authenticated encryption algorithm, i.e., > it handles both encryption and authentication at the same time. > Specifying an additional "auth" algorithm doesn't make sense. Ahh now it all makes sense with the word "combo", thanks for precising this!
Re: IPsec bandwidth perf on APU4C4
‐‐‐ Original Message ‐‐‐ On Monday, June 10, 2019 7:09 PM, Christian Weisgerber wrote: > No "auth". AES-GCM is an authenticated encryption algorithm, i.e., > it handles both encryption and authentication at the same time. > Specifying an additional "auth" algorithm doesn't make sense. Last question hopefully... Reading the iked.conf man page I conclude that all I need to do is add the following additional parameter to my ikev2 config:

childsa enc aes-128-gcm

is this correct?
Re: IPsec bandwidth perf on APU4C4
‐‐‐ Original Message ‐‐‐ On Tuesday, June 11, 2019 1:04 PM, Christian Weisgerber wrote: > > childsa enc aes-128-gcm > > Correct. For reference I now changed the childsa encryption cipher to aes-128-gcm and get 93 Mbit/s throughput instead of the 80 Mbit/s I saw with aes-256. Better than nothing but still not quite optimal so I was wondering if anyone had already achieved better IPsec site-to-site bandwidth throughput with a PC Engines APU4 box? I have a very simple site-2-site IPsec connection which basically is just the following config in my iked.conf file:

ikev2 active esp from $local_ip to $remote_ip local $local_ip peer $remote_ip childsa enc aes-128-gcm srcid $local_ip dstid $remote_ip
ikev2 active esp from $local_network to $remote_network local $local_ip peer $remote_ip childsa enc aes-128-gcm srcid $local_ip dstid $remote_ip

Cheers, Mabi
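The two points made in this thread (an AEAD cipher such as AES-GCM must not be paired with a separate "auth", and on AES-NI hardware aes-128-gcm beats the reported default of aes-256 with hmac-sha2-256) can be turned into a small check over an iked.conf. The script below is an added example, not code from the thread or from OpenBSD; it assumes one ikev2 rule per line (no backslash continuations), treats the defaults as the thread reports them, and uses a constructed sample config with documentation-range addresses.

```shell
#!/bin/sh
# Added example (not from the thread): lint "childsa" settings in an
# iked.conf read from stdin. One finding per output line; no output
# means every rule already uses an AEAD cipher without a redundant auth.
# Assumption: one ikev2 rule per line, no "\" continuation lines.

lint_childsa() {
    awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blanks
    /^[[:space:]]*ikev2/ {
        enc = ""; auth = ""; seen = 0
        # only look at tokens after the "childsa" keyword, so that an
        # "ikesa enc ..." earlier on the line is not mistaken for it
        for (i = 1; i <= NF; i++) {
            if ($i == "childsa") { seen = 1; continue }
            if (!seen) continue
            if ($i == "enc")  enc  = $(i + 1)
            if ($i == "auth") auth = $(i + 1)
        }
        if (!seen)
            printf "line %d: no childsa keyword, defaults apply (enc aes-256, auth hmac-sha2-256)\n", NR
        else if (enc ~ /-gcm/ && auth != "")
            printf "line %d: %s is AEAD, drop \"auth %s\"\n", NR, enc, auth
        else if (enc !~ /-gcm/)
            printf "line %d: enc %s with auth %s; aes-128-gcm is faster on AES-NI hardware\n", NR, (enc == "" ? "aes-256 (default)" : enc), (auth == "" ? "hmac-sha2-256 (default)" : auth)
    }'
}

# Constructed sample config (not a real deployment); line 3 carries the
# redundant auth the thread warns about, line 4 relies on the defaults.
SAMPLE_CONF='# constructed sample iked.conf
ikev2 active esp from 192.0.2.1 to 198.51.100.1 local 192.0.2.1 peer 198.51.100.1 childsa enc aes-128-gcm srcid 192.0.2.1 dstid 198.51.100.1
ikev2 active esp from 192.0.2.0/24 to 198.51.100.0/24 local 192.0.2.1 peer 198.51.100.1 childsa enc aes-128-gcm auth hmac-sha2-256
ikev2 active esp from 192.0.2.0/24 to 203.0.113.0/24 local 192.0.2.1 peer 203.0.113.1'

lint_sample() {
    printf '%s\n' "$SAMPLE_CONF" | lint_childsa
}
```

On a real box run "lint_childsa < /etc/iked.conf"; "lint_sample" runs the same check over the embedded sample and reports lines 3 and 4 only.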
Re: IPsec bandwidth perf on APU4C4
‐‐‐ Original Message ‐‐‐ On Wednesday, June 12, 2019 11:34 AM, Daniel Gracia wrote: > Those look like reasonable numbers for the given scenario. Improving > your IPsec bandwidth would take more horsepower than an APU box. > Improving site-to-site encrypted VPN speed, assuming two APU boxes, > would require switching from IPsec to something like a WireGuard VPN, > available on -current as a package, but I'm not quite sure how much > performance would be attainable on OpenBSD. Heard >500Mbps on > APU3/Debian combo[1], but once again, don't believe everything you > read on Internet. Interesting article thanks Daniel. As you mention I am also under the impression that with my config I have maxed out that APU4 box. It's quite hard to believe that on the same box WireGuard with Linux achieves 5x more throughput, even considering that it would fully use all 4 cores, so I do take these numbers cautiously. For now I'll stick to OpenBSD with iked, it's rock stable, easy to configure and "just" works.
Re: IPsec bandwidth perf on APU4C4
‐‐‐ Original Message ‐‐‐ On Wednesday, June 12, 2019 10:26 PM, Stuart Henderson wrote: > If you're on an old BIOS revision for the APU (more than a couple of > months old), try updating, they have enabled "core performance boost" > which increases speed of a single core if the others are not under > heavy load. > > I haven't done network benchmarks but there is a noticeable improvement > in some other things (md5 -tt goes from 12 -> 9 seconds). > > To update BIOS from OpenBSD, pkg_add flashrom and download the BIOS > version for your board (https://pcengines.github.io/). Go to serial > console and reboot in single-user mode (boot -s), mount -a, and run > "flashrom --programmer internal -w apuX_vXXX.rom". Then reboot back > as normal. > > If you'd like to compare benchmarks, the feature can be toggled > from the setup menu in BIOS. > > https://blog.3mdeb.com/2019/2019-02-14-enabling-cpb-on-pcengines-apu2/ Thanks Stuart for the hint, that sounds fantastic. I bought my APU4 recently so it has a few months old BIOS (v4.0.24 to be precise) and based on the change log it also seems to include that "core performance boost". I need to reboot and check the BIOS settings first to see if this new setting is enabled or not by default. I have the feeling it is not enabled. Anyway I think I will upgrade the BIOS to the latest v4.9.0.6. Will keep you posted as soon as I check this but right now I can't reboot the box.
Re: IPsec bandwidth perf on APU4C4
‐‐‐ Original Message ‐‐‐ On Thursday, June 13, 2019 10:46 PM, Stuart Henderson wrote: > 4.9.0.6 does have it enabled by default. I'm not sure about the 4.0.x releases > and don't want to reboot mine to check now either :) Finally managed to reboot my firewall box and so I can confirm that on my previous firmware (v4.0.24) the boost option was already enabled by default. I now upgraded to v4.9.0.6 but unfortunately as that boost option was already enabled I do not see any further improvements. For reference here is the output of a "md5 -tt":

MD5 time trial. Processing 10 1-byte blocks...
Digest = 766a2bb5d24bddae466c572bcabca3ee
Time = 9.69 seconds
Speed = 103199174.406605 bytes/second
opensmtpd-extras-[clamav|spamassassin] packages in 6.0
Hi, Just noticed that the OpenBSD 6.0 release does not include the opensmtpd-extras-clamav nor the opensmtpd-extras-spamassassin packages. I would like to upgrade my 5.9 OpenBSD mail gateway to 6.0 and was wondering if I can use the old packages from 5.9 with 6.0? Or what is the alternative to these two packages? Regards, Mabi
Re: opensmtpd-extras-[clamav|spamassassin] packages in 6.0
Thanks Joerg. I wasn't aware that amavis would play nicely with OpenSMTPD, as such problem solved. I will simply use amavisd-new. Original Message Subject: Re: opensmtpd-extras-[clamav|spamassassin] packages in 6.0 Local Time: October 11, 2016 11:27 PM UTC Time: October 11, 2016 9:27 PM From: m...@umaxx.net To: mabi misc@openbsd.org > Am 10.10.2016 um 17:59 schrieb mabi : > > Hi, > > Just noticed that the OpenBSD 6.0 release does not include the opensmtpd-extras-clamav nor the opensmtpd-extras-spamassassin packages. I would like to upgrade my 5.9 OpenBSD mail gateway to 6.0 and was wondering if I can use the old packages from 5.9 with 6.0? No. > Or what is the alternative to these two packages? Various options. One could be to proxy mails through spampd and clamsmtp. Amavisd might also be an option. > Regards, > Mabi
Re: An AR9280 as an Access Point
I am using an Atheros AR9281 in a Soekris box with OpenBSD 5.9 as access point and I am quite disappointed with it. Often I get disconnected from the access point and all I can see on the OpenBSD side is tons of timeout messages in the kernel log such as:

athn0: device timeout

I hope for you that the AR9280 chip does a better job. Original Message Subject: An AR9280 as an Access Point Local Time: October 11, 2016 6:04 PM UTC Time: October 11, 2016 4:04 PM From: physk...@tutanota.com To: misc@openbsd.org Hello! I'd asked a related question on the OpenBSD subreddit, and someone pointed me here. Hope this is appropriate. https://www.reddit.com/r/openbsd/comments/56lzhu/which_wifi_card_to_make_an_access_point Does anyone know how good a WiFi Access Point I could make of the Atheros AR9280 card (Compex-wle200nx) offered by the guys at PC Engines: http://www.pcengines.ch/wle200nx.htm Thanks a lot!
Re: Looking for Xen blkfront driver xbf(4) tests
Hi,

Thanks for your efforts and making OpenBSD work even better on Xen. I use Xen for all types of virtualization and started only recently using OpenBSD 6.0 as domU. My current test setup is a 2 node redundant cluster with Xen 4.4.1 and Debian 8 with DRBD for sync-replication and ZFS (RAIDZ-1) as storage with 3 Seagate enterprise 7.2k SATA (ST5000NM0024) disks on each node.

So far so good, I managed to re-configure the current kernel and re-compiled it with xbf enabled and at reboot it immediately used the xbf driver and switched to using sd instead of wd. You will find the output of my dmesg below.

For now the only thing I tried out is a quick "dd" as I was wondering how much more write throughput I could get on my guest's disk using xbf. As you can see below I get around 81 MB/s and I remember before using xbf I would get around 25 MB/s. The read throughput didn't change much, if I remember correctly I had in both cases with and without xbf around 60 MB/s.

$ dd if=/dev/zero of=file2.xbf bs=1M count=1000
1000+0 records in
1000+0 records out
1048576000 bytes transferred in 12.277 secs (85405965 bytes/sec)

Now is there anything else you would like to know/test or benchmarks you would like me to run? Keep in mind I am no dev but I am happy to help if it can make things progress with running OpenBSD even better on Xen.

Cheers,
Mabi

OpenBSD 6.0-current (XBFTEST.MP) #0: Sat Dec 10 23:58:16 CET 2016
me@openbsds:/usr/src/sys/arch/amd64/compile/XBFTEST.MP
real mem = 1048571904 (999MB)
avail mem = 1012277248 (965MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xfc001000 (12 entries)
bios0: vendor Xen version "4.4.1" date 09/08/2016
bios0: Xen HVM domU
acpi0 at bios0: rev 2
acpi0: sleep states S3 S4 S5
acpi0: tables DSDT FACP APIC HPET WAET SSDT SSDT
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 11, 48 pins
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E5-2620 v3 @ 2.40GHz, 2400.34 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,PCLMUL,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,XSAVE,AVX,F16C,RDRAND,HV,NXE,LONG,LAHF,ABM,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 100MHz
cpu1 at mainbus0: apid 2 (application processor)
cpu1: failed to become ready
cpu1: failed to identify
acpihpet0 at acpi0: 6250 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: C1(@1 halt!)
"PNP0F13" at acpi0 not configured
"PNP0303" at acpi0 not configured
"PNP0700" at acpi0 not configured
"PNP0501" at acpi0 not configured
"ACPI0007" at acpi0 not configured
"ACPI0007" at acpi0 not configured
pvbus0 at mainbus0: Xen 4.4
xen0 at pvbus0: features 0x705, 32 grant table frames, event channel 4
xbf0 at xen0 backend 0 chan 6: disk
scsibus1 at xbf0: 2 targets
sd0 at scsibus1 targ 0 lun 0: SCSI3 0/direct fixed
sd0: 10240MB, 512 bytes/sector, 20971520 sectors
"vkbd" at xen0: device/vkbd/0 not configured
xnf0 at xen0: backend 0, event channel 7, address aa:00:00:20:01:0d
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
pciide0: channel 0 disabled (no drives)
pciide0: channel 1 disabled (no drives)
uhci0 at pci0 dev 1 function 2 "Intel 82371SB USB" rev 0x01: apic 1 int 23
piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: SMBus disabled
xspd0 at pci0 dev 2 function 0 "XenSource Platform Device" rev 0x01
vga1 at pci0 dev 3 function 0 "Cirrus Logic CL-GD5446" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
isa0 at pcib0
isadma0 at isa0
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 1: density unknown
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
usb0 at uhci0: USB revision 1.0
uhub0 at usb0 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
vmm at mainbus0 not configured
uhidev0 at uhub0 port 1 configuration 1 interface 0 "QEMU QEMU USB Tablet" rev 2.00/0.00 addr 2
uhidev0: iclass 3/0
ums0 at uhidev0: 3 buttons, Z dir
wsmouse1 at ums0 mux 0
vscsi0 at root
scsibus2 a
Re: Looking for Xen blkfront driver xbf(4) tests
Hi Mike,

Thanks for your explanations. So far I did not have any troubles with this specific domU with xbf enabled. I tried to run your shell script in order to find out the num-ring-pages property but somehow there must be a small issue with it as I get the following output (after having removed the "#" comment on the first line with the for loop):

hostctl: ioctl: No such file or directory
sd0 32

Regards,
M.

Original Message Subject: Re: Looking for Xen blkfront driver xbf(4) tests Local Time: December 13, 2016 8:46 PM UTC Time: December 13, 2016 7:46 PM From: m...@belopuhov.com To: mabi misc@openbsd.org On Sun, Dec 11, 2016 at 05:09 -0500, mabi wrote: > Hi, > > Thanks for your efforts and making OpenBSD work even better on > Xen. I use Xen for all types of virtualization and started only > recently using OpenBSD 6.0 as domU. My current test setup is a 2 > node redundant cluster with Xen 4.4.1 and Debian 8 with DRBD for > sync-replication and ZFS (RAIDZ-1) as storage with 3 Seagate > enterprise 7.2k SATA (ST5000NM0024) disks on each node. > > So far so good I managed to re-configure the current kernel and > re-compiled it with xbf enabled and at reboot it immediately used > the xbf driver and switched to using sd instead of wd. You will find > the output of my dmesg below. > > For now the only thing I tried out is a quick "dd" as I was > wondering how much more write throughput I could get on my guest's > disk using xbf. As you can see below I get around 81 MB/s and I > remember before using xbf I would get around 25 MB/s. The read > throughput didn't change much, if I remember correctly I had in both > cases with and without xbf around 60 MB/s. > > $ dd if=/dev/zero of=file2.xbf bs=1M count=1000 > 1000+0 records in > 1000+0 records out > 1048576000 bytes transferred in 12.277 secs (85405965 bytes/sec) > > Now is there anything else you would like to know/test or benchmarks > you would like me to run? Keep in mind I am no dev but I am happy to > help if it can make things progress with running OpenBSD even better > on Xen. > > Cheers, > Mabi >

Hi,

Thanks for taking your time to test and report. There's nothing special to test, just using the disk in a normal way is enough. After a few reports from Nathanael Rensen several bugs have been fixed. I've looked through a bunch of Xen disk subsystem documents and noted that one of the ways to improve performance is to use persistent grants. However it would be nice to establish a baseline, i.e. what kind of performance do NetBSD, FreeBSD and Linux guests get out of Blkfront in the VM with the same configuration on the same host compared to OpenBSD.

It's worth noting that MAXPHYS value limiting the size of an individual I/O transfer is different on other systems. Furthermore currently xbf(4) driver limits it further to 11 page segments (44k) since we don't support indirect requests that potentially can get us extra 20k (MAXPHYS is 64k on OpenBSD) but would add additional tax on grant table entries.

The other point of interest is the number of outstanding requests configured by the driver. If not limited by the host system, xbf(4) attempts to use 256 requests, but smaller EC2 instances limit that to just 32 requests which can result in a large performance difference. To learn the amount of configured outstanding requests a num-ring-pages property must be queried:

# for xbf in $(hostctl device/vbd); do
    dev=$(dmesg | grep $xbf | cut -f 1 -d ' ')
    npages=$(hostctl device/vbd/$xbf/num-ring-pages)
    if [ $? -eq 0 ]; then
        echo $dev $((npages * 32))
    else
        echo $dev 32
    fi
done

Output would look like so:

sd0 256
sd1 256
cd0 256

Cheers,
Mike
athn0: device timeout (AR9271 USB 2.0 Wifi-key as hostap)
Hi,

I have an Atheros AR9271 Wifi USB 2.0 key on my OpenBSD 6.0 firewall in order to use as an access point. Unfortunately it happens nearly every day that the athn0 device times out, kernel log:

athn0: device timeout

and the only way to make the wireless work again is to reboot the firewall. I was told this would get better with 6.0 but I can't see any difference. Any ideas what's wrong? Below I post my hostname.athn0 and dmesg.

Cheers,
Mabi

hostname.athn0:
inet 172.16.20.1 255.255.255.0 mediaopt hostap nwid MYWLAN chan 11 wpakey removed

dmesg:
Jan 14 17:24:32 fw1 /bsd: OpenBSD 6.0 (GENERIC.MP) #2319: Tue Jul 26 13:00:43 MDT 2016
Jan 14 17:24:32 fw1 /bsd: dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
Jan 14 17:24:32 fw1 /bsd: real mem = 4264185856 (4066MB)
Jan 14 17:24:32 fw1 /bsd: avail mem = 4130476032 (3939MB)
Jan 14 17:24:32 fw1 /bsd: mpath0 at root
Jan 14 17:24:32 fw1 /bsd: scsibus0 at mpath0: 256 targets
Jan 14 17:24:32 fw1 /bsd: mainbus0 at root
Jan 14 17:24:32 fw1 /bsd: bios0 at mainbus0: SMBIOS rev. 2.8 @ 0x7f52c000 (52 entries)
Jan 14 17:24:32 fw1 /bsd: bios0: vendor American Megatrends Inc. version "5.6.5" date 01/25/2016
Jan 14 17:24:32 fw1 /bsd: acpi0 at bios0: rev 2
Jan 14 17:24:32 fw1 /bsd: acpi0: sleep states S0 S5
Jan 14 17:24:32 fw1 /bsd: acpi0: tables DSDT FACP FPDT MCFG WDAT UEFI APIC BDAT HPET SSDT SPCR
Jan 14 17:24:32 fw1 /bsd: acpi0: wakeup devices PS2K(S0) PS2M(S0) PEX1(S0) PEX2(S0) PEX3(S0) PEX4(S0) EHC1(S0)
Jan 14 17:24:32 fw1 /bsd: acpitimer0 at acpi0: 3579545 Hz, 24 bits
Jan 14 17:24:32 fw1 /bsd: acpimcfg0 at acpi0 addr 0xe000, bus 0-255
Jan 14 17:24:32 fw1 /bsd: acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
Jan 14 17:24:32 fw1 /bsd: cpu0 at mainbus0: apid 0 (boot processor)
Jan 14 17:24:32 fw1 /bsd: cpu0: Intel(R) Atom(TM) CPU C2558 @ 2.40GHz, 2400.46 MHz
Jan 14 17:24:32 fw1 /bsd: cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
Jan 14 17:24:32 fw1 /bsd: cpu0: 1MB 64b/line 16-way L2 cache
Jan 14 17:24:32 fw1 /bsd: cpu0: smt 0, core 0, package 0
Jan 14 17:24:32 fw1 /bsd: mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
Jan 14 17:24:32 fw1 /bsd: cpu0: apic clock running at 99MHz
Jan 14 17:24:32 fw1 /bsd: cpu0: mwait min=64, max=64, C-substates=0.2.0.0.0.0.3, IBE
Jan 14 17:24:32 fw1 /bsd: cpu1 at mainbus0: apid 2 (application processor)
Jan 14 17:24:32 fw1 /bsd: cpu1: Intel(R) Atom(TM) CPU C2558 @ 2.40GHz, 2399.99 MHz
Jan 14 17:24:32 fw1 /bsd: cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
Jan 14 17:24:32 fw1 /bsd: cpu1: 1MB 64b/line 16-way L2 cache
Jan 14 17:24:32 fw1 /bsd: cpu1: smt 0, core 1, package 0
Jan 14 17:24:32 fw1 /bsd: cpu2 at mainbus0: apid 4 (application processor)
Jan 14 17:24:32 fw1 /bsd: cpu2: Intel(R) Atom(TM) CPU C2558 @ 2.40GHz, 2399.99 MHz
Jan 14 17:24:32 fw1 /bsd: cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
Jan 14 17:24:32 fw1 /bsd: cpu2: 1MB 64b/line 16-way L2 cache
Jan 14 17:24:32 fw1 /bsd: cpu2: smt 0, core 2, package 0
Jan 14 17:24:32 fw1 /bsd: cpu3 at mainbus0: apid 6 (application processor)
Jan 14 17:24:32 fw1 /bsd: cpu3: Intel(R) Atom(TM) CPU C2558 @ 2.40GHz, 2399.99 MHz
Jan 14 17:24:32 fw1 /bsd: cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT
Jan 14 17:24:32 fw1 /bsd: cpu3: 1MB 64b/line 16-way L2 cache
Jan 14 17:24:32 fw1 /bsd: cpu3: smt 0, core 3, package 0
Jan 14 17:24:32 fw1 /bsd: ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
Jan 14 17:24:32 fw1 /bsd: acpihpet0 at acpi0: 14318179 Hz
Jan 14 17:24:32 fw1 /bsd: acpiprt0 at acpi0: bus 0 (PCI0)
Jan 14 17:24:32 fw1 /bsd: acpiprt1 at acpi0: bus 1 (PEX1)
Jan 14 17:24:32 fw1 /bsd: acpiprt2 at acpi0: bus 2 (PEX2)
Jan 14 17:24:32 fw1 /bsd: acpiprt3 at acpi0: bus 3 (PEX3)
Jan 14 17:24:32 fw1 /bsd: acpiprt4 at acpi0: bus 4 (PEX4)
Jan 14 17:24:32 fw1 /bsd: acpicpu0 at acpi0: C1(@1 halt!)
Jan 14 17:24:32 fw1 /bsd: acpicpu1 at acpi0: C1(@1 halt!)
Jan 14 17:24:32 fw1 /bsd: acpicpu2 at acpi0: C1(@1 halt!)
Jan 14 17:24:32 fw1 /bsd: acpicpu3 at acpi0: C1(@1
Re: athn0: device timeout (AR9271 USB 2.0 Wifi-key as hostap)
Hi Stefan, Thanks for your input. It looks like the g2k16 modifications to the athn code from awolk@ did not make it into the 6.0 release. So there is still hope for 6.1 ;-) I suppose here that running a wifi host access point from a USB key is not a good idea. What a shame my firewall does not have any PCI or miniPCI interfaces... Regards M. Original Message Subject: Re: athn0: device timeout (AR9271 USB 2.0 Wifi-key as hostap) Local Time: January 23, 2017 11:28 PM UTC Time: January 23, 2017 10:28 PM From: s...@stsp.name To: mabi , misc@openbsd.org On Mon, Jan 23, 2017 at 11:19:31PM +0100, Stefan Sperling wrote: > On Mon, Jan 23, 2017 at 04:27:32PM -0500, mabi wrote: > > Hi, > > I have an Atheros AR9271 Wifi USB 2.0 key on my OpenBSD 6.0 firewall in > > order to use as an access point. Unfortunately it happens nearly every day > > that the athn0 device times out, kernel log: > > > > athn0: device timeout > > > > and the only way to make the wireless work again is to reboot the firewall. > > I was told this would get better with 6.0 but I can't see any difference. > > Any ideas what's wrong? Below I post my hostname.athn0 and dmesg. > > > > Cheers, > > Mabi > > These are known issues with athn on USB and hostap. > I have already spent a lot of time digging into this and never got anywhere. > Eventually I decided to document this in the man page which you apparently > missed: > > [[[ > ATHN(4) Device Drivers Manual ATHN(4) > > NAME > athn Atheros IEEE 802.11a/b/g/n wireless network device > [...] > BUGS > Host AP mode does not work with USB devices. > ]]] > > Sorry. Anybody, please let me know if you find a way to fix it. I now recall that awolk@ was working on a patch for a similar problem. See http://undeadly.org/cgi?action=article&sid=20160906004915 and https://marc.info/?l=openbsd-misc&m=144895556213390&w=2 which I had already forgotten about ever having written. Not sure what happened to the patch and if it is ready by now. 
Also not sure if it will actually fix your problem or if Adam's problem was caused by something else. Hard to tell without actually testing things.
Re: Topics for revised PF and networking tutorial
Dear Peter, May I suggest the following topic of interest: PF with VLAN interfaces (with LACP trunk interface behind) and CARP of course. Regards, M. Original Message Subject: Topics for revised PF and networking tutorial Local Time: April 1, 2017 10:52 AM UTC Time: April 1, 2017 8:52 AM From: pe...@bsdly.net To: misc@openbsd.org Hi, I thought I'd like to give you a heads up that there will be a "PF and networking" tutorial at BSDCan 2017 in Ottawa this June. The session will however not be the Nth rerun of the old one, we're starting from scratch this time, and we're looking for input on what to include. Do you have questions on PF and related matters, or are there specific topics you would like to see covered? We want to hear from you, either contact us directly at the reply-to address or use the list. -- Peter N. M. Hansteen, member of the first RFC 1149 implementation team http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/ "Remember to set the evil bit on all malicious network traffic" delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: OpenBSD as a non-routing access point
Earlier this week on this mailing list someone recommended the following product: https://www.olimex.com/Products/USB-Modules/USB-CAP/ I thought I would give it a try and ordered it... Original Message Subject: Re: OpenBSD as a non-routing access point Local Time: April 8, 2017 4:43 PM UTC Time: April 8, 2017 2:43 PM From: open...@sirjorj.com To: Stefan Sperling openbsd-misc > On Apr 8, 2017, at 3:38 AM, Stefan Sperling wrote: > > On Fri, Apr 07, 2017 at 05:06:22PM -0500, Jordon wrote: >> My new wifi adapter finally arrived today (AR9271) so I want to give hostap a >> try with its new 802.11n support. > >> Am I on the right track? > > No. AR9271 is a USB device, and unfortunately there are bugs in the > driver that prevent hostap from working properly with USB devices. > > At least in my testing, the device sends no beacons. I have not yet > found a way to fix it and am not currently investing more time into it. > Perhaps it will get fixed some day. > Dang. Although, IIRC, beacons are what announce the presence of the access point. I definitely saw it on the client machine, so I think that part was working. But, yeah, anything beyond that is unsupported so I guess I'll have to get a PCIe one. Thanks! Jordon
Custom text in graph from pfstat
Hi, Is there a config parameter in pfstat's pfstat.conf config file which can be used to output custom text in a graph it generates? Best regards, M.