is there anything broken on http://ftp.openbsd.org/pub/OpenBSD/ ?

2023-04-26 Thread Илья Шипицин
sorry,

I've searched for an announcement but didn't find any.



faq addition: working with mfs disks?

2014-01-26 Thread Илья Шипицин
hello,

what do you think of adding a FAQ item giving an example of how /tmp (or
any other write-intensive temporary partition) can be stored on an mfs drive?

Ilya Shipitsin



Re: why icmp timestamping is enabled by default ?

2013-10-13 Thread Илья Шипицин
I apologise that I didn't predict such responses.
I was looking for real-life examples, i.e. "we use icmp timestamps
widely because we use timed", or "a lot of devices like D-Link-NNN use
icmp timestamps".
I was not looking for the theoretical possibilities that icmp timestamping gives.
I should have mentioned that, of course.

Sorry.

2013/10/14 Mihai Popescu mih...@gmail.com:
 it is the famous "your mother is fat" OpenBSD community style. I was not
 asking whether it is secret or not. I was curious about common use
 scenarios where icmp timestamping is involved.

 Hi,

 1. Maybe I'm wrong but I think OpenBSD doesn't have a community like
 other praised OSes, so there is no style.

 2. Looking at your thread it is very hard for me to figure out what
 the hell you asked.

 3. If you try to impress some developers of OpenBSD, try to attach
 something at your email. It doesn't work with opinions and subtle
 suggestions about what might be wrong.

 * this message might be bad at line length (i'm sorry).



Re: why icmp timestamping is enabled by default ?

2013-10-12 Thread Илья Шипицин
2013/10/11 Christian Weisgerber na...@mips.inka.de:
 chipits...@gmail.com wrote:

 actually, I'm not going to block icmp at all, I was curious why
 net.inet.icmp.tstamprepl=1 by default.

 So you can run timed, of course.

timed was removed from OpenBSD recently

 As others have said, the time is not a secret.

it is the famous "your mother is fat" OpenBSD community style. I was not
asking whether it is secret or not. I was curious about common use
scenarios where icmp timestamping is involved.


 --
 Christian naddy Weisgerber  na...@mips.inka.de



Re: why icmp timestamping is enabled by default ?

2013-10-11 Thread Илья Шипицин
2013/10/11 Claudio Jeker cje...@diehard.n-r-g.com:
 On Fri, Oct 11, 2013 at 08:44:36AM +0600, Илья Шипицин wrote:
  2013/10/10 Philip Guenther guent...@gmail.com:
   On Thu, Oct 10, 2013 at 4:30 AM, Илья Шипицин chipits...@gmail.com wrote:
  I use ntp already.
 
  So everyone can predict what your machine would have sent in response
  to an ICMP timestamp query, meaning that turning it off doesn't hide
  anything.
 
 
  I am about to switch icmp timestamps off (security people are afraid
  of that setting),
 
  Cargo cult security.

 it is known behavior of security people.

 
 
  just curious what was the purpose of it.
 
  Oddly enough, the RFC that defines it (RFC792) has a reference about that.

 by purpose I mean common use scenarios, like

 we enable ssh by default, because it is used in routine
 administration and automation tasks, not because of RFC

 we enable icmp destination unreachable, because it is used commonly
 in PMTU mechanisms, not because it is mentioned in some RFC

 or you enable everything found in RFC ? you must be odd if so. I am
 not that odd.


 The better question is why block it? What is the attack vector?
 You start with ICMP timestamps, next you block ICMP echo, then all of ICMP,
 and by that break the internet. I waste way too much time with situations
 where I can't debug network issues because people block important internet
 control messages. So if there is not a well known threat (e.g. source
 routing or the famous IPv6 rtr-0 header) it should not be disabled just
 for a bit of a warm fuzzy feeling.


icmp dest unreach, frag required (3/4) is very important, I'm not
going to block it. kinda fed up with poorly configured networks as
well.
icmp echo request/reply, i.e. ping/pong, is also important: when
people do not see a ping response, they believe the host is down.
I'm also not going to block it.

actually, I'm not going to block icmp at all, I was curious why
net.inet.icmp.tstamprepl=1 by default.



 --
 :wq Claudio



Re: why icmp timestamping is enabled by default ?

2013-10-10 Thread Илья Шипицин
I use ntp already.
I am about to switch icmp timestamps off (security people are afraid
of that setting), just curious what was the purpose of it.

2013/10/10 Theo de Raadt dera...@cvs.openbsd.org:
  it turned out that OpenBSD allows icmp timestamping by default:
 
  net.inet.icmp.tstamprepl=1
 
  what was that done for ?

 well, why not?

 if you have some program vulnerable to a "the attacker knows the time"
 attack, i don't think turning off icmp timestamps will save you. the
 attacker could reasonably guess that your system time is going to be
 close to his system time. unless you are going to deliberately set the
 clock wrong on all your systems. fixing the vulnerability seems like a
 better idea.

 there is also this thing called ntp that is becoming rather common.
 if you're not doing time distribution to your systems, ah, i see the
 problem.



Re: why icmp timestamping is enabled by default ?

2013-10-10 Thread Илья Шипицин
2013/10/10 Philip Guenther guent...@gmail.com:
 On Thu, Oct 10, 2013 at 4:30 AM, Илья Шипицин chipits...@gmail.com wrote:
 I use ntp already.

 So everyone can predict what your machine would have sent in response
 to an ICMP timestamp query, meaning that turning it off doesn't hide
 anything.


 I am about to switch icmp timestamps off (security people are afraid
 of that setting),

 Cargo cult security.

it is known behavior of security people.



 just curious what was the purpose of it.

 Oddly enough, the RFC that defines it (RFC792) has a reference about that.

by purpose I mean common use scenarios, like

we enable ssh by default, because it is used in routine
administration and automation tasks, not because of RFC

we enable icmp destination unreachable, because it is used commonly
in PMTU mechanisms, not because it is mentioned in some RFC

or you enable everything found in RFC ? you must be odd if so. I am
not that odd.


 Philip Guenther



Re: why icmp timestamping is enabled by default ?

2013-10-10 Thread Илья Шипицин
2013/10/11 Paul de Weerd we...@weirdnet.nl:
 On Thu, Oct 10, 2013 at 05:30:39PM +0600, Илья Шипицин wrote:
 | I use ntp already.
 | I am about to switch icmp timestamps off (security people are afraid
 | of that setting), just curious what was the purpose of it.

 Uhm .. why?  Is your pf broken somehow?

it is not broken.


 block in on $interface inet proto icmp icmp-type { timereq, timerep }

does PF perform better than net.inet.icmp.tstamprepl=0 ?


 I can understand you don't want to send anything in reply to spoofed
 packets, but you're really better off filtering those with a firewall
 instead of a knob per type of packet.


 If you think this is going to improve the security of your host,
 you're wrong (as pointed out by others).

it is not about improving security, you got it wrong.
I was just curious why that timestamping is enabled by default.


 If others tell you this improves the security of your host, tell them
 they're wrong.

I wish they could understand what other people are talking about.


 If they are not open to sane arguments: run.


 Then, they can disable the sysctl themselves and wallow in their
 awesome security while their site is XSS'd by 10-year-olds.

yeah, we found an XSS on their site couple of months ago :-)


 Paul 'WEiRD' de Weerd

 --
  http://www.weirdnet.nl/

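The exchange discussed in the posts above (Theo's point that the time is not a secret, and Paul's pf rule versus the sysctl knob), as an added example that is not part of the original posts: this Python builds and decodes RFC 792 timestamp request/reply messages in memory and computes the one thing a reply reveals, the responder's clock offset. The sample timestamps and identifiers are constructed.

```python
"""Decode what an RFC 792 ICMP timestamp exchange actually discloses.

Constructed, in-memory example: nothing is sent on the wire.  Type 13 is a
timestamp request, type 14 the reply; each carries three 32-bit values in
milliseconds since midnight UTC (originate, receive, transmit).
"""
import struct
from datetime import datetime, timezone

ICMP_TIMESTAMP_REQUEST = 13
ICMP_TIMESTAMP_REPLY = 14
MS_PER_DAY = 24 * 60 * 60 * 1000
# type, code, checksum, identifier, sequence, originate, receive, transmit
HEADER = "!BBHHHIII"
HEADER_LEN = struct.calcsize(HEADER)  # 20 bytes


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over big-endian 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ms_since_midnight_utc(when: datetime) -> int:
    """RFC 792 timestamp value for a timezone-aware datetime."""
    when = when.astimezone(timezone.utc)
    secs = (when.hour * 60 + when.minute) * 60 + when.second
    return secs * 1000 + when.microsecond // 1000


def utc_ms_from_iso(iso: str) -> int:
    """Same, from an ISO 8601 string with offset, e.g. 2013-10-10T16:00:00+06:00."""
    return ms_since_midnight_utc(datetime.fromisoformat(iso))


def build_timestamp(icmp_type: int, ident: int, seq: int, originate: int,
                    receive: int = 0, transmit: int = 0) -> bytes:
    """Serialise a request or reply with a correct checksum."""
    body = struct.pack(HEADER, icmp_type, 0, 0, ident, seq,
                       originate, receive, transmit)
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def parse_timestamp(pkt: bytes) -> dict:
    """Check length, type and checksum, then return the fields."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("ICMP timestamp message is %d bytes" % HEADER_LEN)
    pkt = pkt[:HEADER_LEN]
    t, code, _csum, ident, seq, orig, recv, xmit = struct.unpack(HEADER, pkt)
    if t not in (ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY):
        raise ValueError("not an ICMP timestamp message (type %d)" % t)
    if icmp_checksum(pkt) != 0:  # a valid message checksums to zero
        raise ValueError("bad ICMP checksum")
    return {
        "type": t, "code": code, "id": ident, "seq": seq,
        "originate": orig, "receive": recv, "transmit": xmit,
        # RFC 792: high-order bit set means "not ms since midnight UTC"
        "nonstandard": bool((orig | recv | xmit) & 0x80000000),
    }


def _wrap(delta_ms: int) -> int:
    """Fold a difference of day-relative timestamps into (-12h, +12h],
    so an exchange that straddles midnight UTC still gives a sane answer."""
    delta_ms %= MS_PER_DAY
    return delta_ms - MS_PER_DAY if delta_ms > MS_PER_DAY // 2 else delta_ms


def estimated_offset_ms(reply: dict, received_at: int) -> int:
    """How far the responder's clock is ahead of ours, NTP-style:
    ((receive - originate) + (transmit - received_at)) / 2.
    This is all a reply discloses: the responder's wall clock."""
    if reply["type"] != ICMP_TIMESTAMP_REPLY:
        raise ValueError("need a timestamp reply")
    outbound = _wrap(reply["receive"] - reply["originate"])
    inbound = _wrap(reply["transmit"] - received_at)
    return (outbound + inbound) // 2


if __name__ == "__main__":
    # Constructed exchange: we send at 10:00:00 UTC, the one-way delay is
    # 50 ms and the responder's clock runs 700 ms ahead of ours.
    t0 = utc_ms_from_iso("2013-10-10T10:00:00+00:00")
    req = build_timestamp(ICMP_TIMESTAMP_REQUEST, 0x1234, 1, t0)
    rep = build_timestamp(ICMP_TIMESTAMP_REPLY, 0x1234, 1, t0, t0 + 750, t0 + 750)
    print("request:", parse_timestamp(req))
    print("reply  :", parse_timestamp(rep))
    print("responder clock offset: %d ms"
          % estimated_offset_ms(parse_timestamp(rep), t0 + 100))
```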


why icmp timestamping is enabled by default ?

2013-10-09 Thread Илья Шипицин
Hello!

it turned out that OpenBSD allows icmp timestamping by default:

net.inet.icmp.tstamprepl=1

what was that done for ?

Cheers,
Ilya Shipitsin



is it possible to block BT.UTP traffic in PF ?

2013-08-21 Thread Илья Шипицин
Hello!

I'm investigating whether it is possible to block certain UDP signatures.
Maybe I'd rather not block them but lower their priority using ALTQ,

for instance, this kind of traffic:

http://www.wireshark.org/docs/dfref/b/bt-utp.html

traffic signatures are known.

Cheers,
Ilya Shipitsin



strip down ECN flag in transit ?

2013-08-19 Thread Илья Шипицин
Hello!

after deploying Windows 2012 we found that it enables ECN by
default, and sometimes that is a problem.

I studied the pf guides, but I did not find whether it can strip the ECN
flag (we use OpenBSD as routers) or not.

Cheers,
Ilya Shipitsin



route get syntax for ipv6 ?

2013-07-30 Thread Илья Шипицин
Hello!

# ping6 www.ripe.net
PING6(56=40+8+8 bytes) 2001:1bb0:e000:d::2 -- 2001:67c:2e8:22::c100:68b
^C
--- www.ripe.net ping6 statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

# route get 2001:67c:2e8:22::c100:68b
route: 2001:67c:2e8:22::c100:68b: bad address
#



is there a route get equivalent for ipv6 ?

Cheers,
Ilya Shipitsin



Re: respawn-like behaviour ?

2013-07-17 Thread Илья Шипицин
hmm, I never had a crashy Linux daemon become stable when it is
started under OpenBSD.
can you tell me how to enable that feature ?



2013/7/17 Jan Stary h...@stare.cz:
 On Jul 17 07:45:58, chipits...@gmail.com wrote:
 Hello!

 I used to run crashy daemons under the respawn inittab capability on Linux.
 Is there a similar thing on OpenBSD ?

 Sorry, we don't have crashy daemons here,
 you need to go back to linux for that.



respawn-like behaviour ?

2013-07-16 Thread Илья Шипицин
Hello!

I used to run crashy daemons under the respawn inittab capability on Linux.
Is there a similar thing on OpenBSD ?

Cheers,
Ilya Shipitsin



Re: respawn-like behaviour ?

2013-07-16 Thread Илья Шипицин
well, the vnc repeater (which I'd like to run that way) crashes about once a week.
I'm already debugging it (-ggdb + core dump settings).

I need some way to respawn it until I find out the reason it crashes.

2013/7/17 Theo de Raadt dera...@cvs.openbsd.org:
 I used to run crashy daemons under the respawn inittab capability on Linux.
 Is there a similar thing on OpenBSD ?

 I try to attack a hole you've got...
 Oh damn I can't guess the propolice cookie or random addressing...
 But it crashes and restarts!

 I try to attack a hole you've got...
 Oh damn I can't guess the propolice cookie or random addressing...
 But it crashes and restarts!

 I try to attack a hole you've got...
 Oh damn I can't guess the propolice cookie or random addressing...
 But it crashes and restarts!

 I try to attack a hole you've got...
 Oh damn I can't guess the propolice cookie or random addressing...
 But it crashes and restarts!

 I try to attack a hole you've got...
 Oh damn I can't guess the propolice cookie or random addressing...
 But it crashes and restarts!

 I try to attack a hole you've got...
 Oh damn I can't guess the propolice cookie or random addressing...
 But it crashes and restarts!

 I try to attack a hole you've got...
 Oh damn I can't guess the propolice cookie or random addressing...
 But it crashes and restarts!

 I try to attack a hole you've got...
 Guessed enough win.

 Fail open methodology is not very smart.

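An added example, not from the thread, illustrating the fail-open point Theo makes above: a supervisor that respawns a crashed daemon only within a crash budget, so a process that keeps dying on a corruption signal stays down instead of offering an unlimited number of retries. The names and the constructed child process are hypothetical.

```python
"""Respawn that fails closed: a crash budget instead of an endless loop.

Hypothetical supervisor, not an OpenBSD or Linux facility.  Restarting a
crashed daemon without limit lets every failed guess at the stack-protector
cookie or the randomised layout be retried for free; this one allows a
bounded number of crashes per time window and then stays down.
"""
import collections
import signal
import subprocess
import time

# Terminations that point at memory corruption rather than a clean shutdown.
CORRUPTION_SIGNALS = {int(signal.SIGSEGV), int(signal.SIGBUS),
                      int(signal.SIGILL), int(signal.SIGABRT)}


class CrashBudget:
    """Permit at most max_crashes restarts within any `window` seconds."""

    def __init__(self, max_crashes: int, window: float, clock=time.monotonic):
        self.max_crashes = max_crashes
        self.window = window
        self.clock = clock            # injectable so the logic can be tested
        self.crashes = collections.deque()

    def record(self, when: float = None) -> bool:
        """Register a crash; return True if one more restart is still allowed."""
        now = self.clock() if when is None else when
        self.crashes.append(now)
        while self.crashes and now - self.crashes[0] > self.window:
            self.crashes.popleft()      # forget crashes older than the window
        return len(self.crashes) <= self.max_crashes


def classify_exit(returncode: int) -> str:
    """subprocess reports death by signal N as returncode -N."""
    if returncode >= 0:
        return "exit"
    return "corruption" if -returncode in CORRUPTION_SIGNALS else "signal"


def supervise(argv, budget: CrashBudget, restart_delay: float = 1.0, log=print) -> int:
    """Run argv and restart it on abnormal death until the budget is spent.
    A clean exit (status 0) is never respawned.  Returns the last status."""
    while True:
        rc = subprocess.run(argv).returncode
        kind = classify_exit(rc)
        if rc == 0:
            log("clean exit; not respawning")
            return rc
        if not budget.record():
            log("crash budget exhausted (%s, status %d); staying down" % (kind, rc))
            return rc
        log("child died (%s, status %d); respawning in %.1fs" % (kind, rc, restart_delay))
        time.sleep(restart_delay)


if __name__ == "__main__":
    import sys
    # Constructed crashy child: aborts every time.  Three crashes in 60 s are
    # tolerated; the fourth leaves it down instead of offering a fifth try.
    child = [sys.executable, "-c", "import os; os.abort()"]
    supervise(child, CrashBudget(max_crashes=3, window=60.0), restart_delay=0.1)
```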


why gmon.out is always limited to 470k ?

2013-04-08 Thread Илья Шипицин
Hello!

I'm trying to profile a long-running application; however, gmon.out never
grows beyond 470k (I'm running OpenBSD-5.2/amd64 if that matters).

is there a special trick for long-running application profiling ?

Cheers,
Ilya Shipitsin



Re: python GraphViz in ports ?

2013-03-12 Thread Илья Шипицин
after playing with pip I came to:


r1n1:/root/pygraphviz/pygraphviz-1.1# python setup.py install
library_path=/usr/local/lib/graphviz
include_path=/usr/local/include/graphviz
running install
running build
running build_py
creating build
creating build/lib.openbsd-5.2-amd64-2.7
creating build/lib.openbsd-5.2-amd64-2.7/pygraphviz

creating build/temp.openbsd-5.2-amd64-2.7/pygraphviz
cc -pthread -fno-strict-aliasing -O2 -pipe -DNDEBUG -O2 -pipe -fPIC -fPIC
-I/usr/local/include/graphviz -I/usr/local/include/python2.7 -c
pygraphviz/graphviz_wrap.c -o
build/temp.openbsd-5.2-amd64-2.7/pygraphviz/graphviz_wrap.o
pygraphviz/graphviz_wrap.c:2519:20: error: cgraph.h: No such file or
directory


I can only find cgraph.h in the gcc source subtree.
Google also says nothing.

is nobody using pygraphviz under OpenBSD ? however, the pygraphviz changelog
mentions OpenBSD.



2013/3/5 James Griffin j...@kontrol.kode5.net

 [- Tue  5.Mar'13 at 13:11:56 +0200  Gregory Edigarov :-]

  On 03/05/2013 11:49 AM, Илья Шипицин wrote:
  Hello!
  
  is there python GraphViz in ports ?
  if so, what is name of port (I couldn't find any)
  
  *type 'exceptions.ImportError'*: No module named gv
  
  
  Cheers,
  Ilya Shipitsin
  
  
 
  Seems like your problem is that you're looking in the wrong place.
  modules for python can be installed directly from its package
  repository via the pip (or easy_install) utilities.
  you will need to install the py-pip (py-pip-1.1p0.tgz) package first.
 

 easy_install comes in the py-setuptools package. Personally, pip seems to
 be better. I have both installed though, so just choose which you prefer
 after reading up a bit about them both.



python GraphViz in ports ?

2013-03-05 Thread Илья Шипицин
Hello!

is there python GraphViz in ports ?
if so, what is name of port (I couldn't find any)

*type 'exceptions.ImportError'*: No module named gv


Cheers,
Ilya Shipitsin



Re: python GraphViz in ports ?

2013-03-05 Thread Илья Шипицин
math/p5-GraphViz http://openports.se/math/p5-GraphViz is for Perl.
math/graphviz neither contains subpackage nor flavor for Python.

how can I use the information you provided to install python bindings for
graphviz? can you describe it step by step ?


2013/3/5 Janne Johansson icepic...@gmail.com

 http://openports.se/search.php?so=graphviz

 yes there is.

 2013/3/5 Илья Шипицин chipits...@gmail.com:
  Hello!
 
  is there python GraphViz in ports ?
  if so, what is name of port (I couldn't find any)
 
  *type 'exceptions.ImportError'*: No module named gv
 
 
  Cheers,
  Ilya Shipitsin
 



 --
 May the most significant bit of your life be positive.



Re: python GraphViz in ports ?

2013-03-05 Thread Илья Шипицин
r1n1:/root# pkg_info -L py-dot-0.9.10p7 | grep gv.py
r1n1:/root#



gv.py still not found


2013/3/5 James Hartley jjhart...@gmail.com

 On Tue, Mar 5, 2013 at 4:12 AM, Илья Шипицин chipits...@gmail.com wrote:

 math/p5-GraphViz http://openports.se/math/p5-GraphViz is for Perl.

 math/graphviz neither contains subpackage nor flavor for Python.


 http://openports.se/graphics/py-dot


 how can I use information provided by you to install python bindings for
 graphviz, can you describe step by step ?


 http://www.openbsd.org/faq/faq15.html



Re: python GraphViz in ports ?

2013-03-05 Thread Илья Шипицин
thanks everybody, I'll continue with pip. or easy_install.


2013/3/5 James Griffin j...@kontrol.kode5.net

 [- Tue  5.Mar'13 at 13:11:56 +0200  Gregory Edigarov :-]

  On 03/05/2013 11:49 AM, Илья Шипицин wrote:
  Hello!
  
  is there python GraphViz in ports ?
  if so, what is name of port (I couldn't find any)
  
  *type 'exceptions.ImportError'*: No module named gv
  
  
  Cheers,
  Ilya Shipitsin
  
  
 
  Seems like your problem is that you're looking in the wrong place.
  modules for python can be installed directly from its package
  repository via the pip (or easy_install) utilities.
  you will need to install the py-pip (py-pip-1.1p0.tgz) package first.
 

 easy_install comes in the py-setuptools package. Personally, pip seems to
 be better. I have both installed though, so just choose which you prefer
 after reading up a bit about them both.



Re: how to use cpu affinity from user space

2013-01-22 Thread Илья Шипицин
I meant the OpenBSD feature of using only CPU00 for network things,
and I am afraid it could cause network issues when some process runs on
CPU00 as well.


2013/1/22 Gregory Edigarov ediga...@qarea.com

 On 01/22/2013 12:55 PM, Gregor Best wrote:

 On Tue, Jan 22, 2013 at 07:56:22PM +1000, David Diggles wrote:

 Then if the scheduler always knows what's best, the backup process will
 be
 completely uninhibited, on a system maxed out on all cores.
 [...]


 What backup process? And why will it be uninhibited? If the system's
 maxed out, all processes will necessarily suffer.

  I think he means background processes.

 --
 With best regards,
  Gregory Edigarov



any special trick to use hwfeatures on em ?

2013-01-22 Thread Илья Шипицин
Hello!

I'm trying to figure out whether or not my em cards are set up for high
performance.

ifconfig em0 hwfeatures shows nothing about rx/tx checksums, and neither the
ifconfig nor the em man page explains how to do that.

I notice network delays on very moderate bit rates, say 500mbit or even
less, so I suspect em adapters are not working in the way they are
expected to work.

Cheers,
Ilya Shipitsin



Re: how to use cpu affinity from user space

2013-01-22 Thread Илья Шипицин
I appreciate your attention to homeopathy and astrology; however, I see no
relation of those to CPU00.
Maybe modern processors will handle that stuff, I don't know.

I'm running https web reverse proxy.
at the 200-500mbit scale, I see 3500 interrupts per second on em0 and em1; also 12
cpus are running at 70-80%,
CPU00 is running at interrupt level, and there are also user processes at
user and system levels.


under such load the server experiences general network delays;
network connections become slow (both incoming and outgoing), sometimes even
5 sec on a 1G network.


so, I'm looking into optimal em tuning and cpu affinity things.

disk io is not affected.


2013/1/22 Marc Espie es...@nerim.net

 On Tue, Jan 22, 2013 at 05:37:42PM +0500, Илья Шипицин wrote:
  I meant OpenBSD feature to use only CPU00 for network things.
  and I am afraid it could cause network issues when some process works on
  CPU00 as well.

 OpenBSD is not a real-time OS.

 As far as I know there's no intention to make it so.

 However, I will challenge your methodology.

 "You're afraid" does not sound like any kind of serious methodology. Do you
 also believe in astrology or homeopathy ?

 Did you actually try out what you want to do ? do you have any real reason
 to think that tying it to CPU00 will make things better ? do you have any
 actual idea what network handling entails ? cpu, network card, disk/io, there
 are lots of potential issues there. The best thing to do is to try things out
 first.

 Then come back with actual numbers if you feel it does not work like you
 want.


 On the other hand, if you're contracting for some work where you need real-time
 guarantees, well OpenBSD is probably not the OS for you. And your hardware
 might not be up to it either...



how to use cpu affinity from user space

2013-01-21 Thread Илья Шипицин
Hello!

I'm investigating how a program should set cpu affinity; are there any
examples ? (I didn't find any except the commit that adds the cpu affinity
thing, but there's no user space documentation, no utility, no man page).

cheers,
Ilya Shipitsin



Re: how to use cpu affinity from user space

2013-01-21 Thread Илья Шипицин
I'm trying to keep CPU00 for network things and avoid using it for user
applications (there are lots of CPUs).
is it possible to achieve that without CPU affinity ?


2013/1/22 Brad Smith b...@comstyle.com

 On Tue, Jan 22, 2013 at 09:25:04AM +0500, Илья Шипицин wrote:
  Hello!
 
  I'm investigating how program should set cpu affinity, is there any
  examples ? (I didn't find any except the commit that adds cpu affinity
  thing, but there's no user space documentation, no utility, no man page).

 As far as I know of it isn't possible to do so.




is nat to (egress) possible ?

2013-01-10 Thread Илья Шипицин
I'm running a multi-homed firewall.
at every single moment only one interface belongs to the egress group.

is it possible to do something like that

match out from 192.168.0.0/16 to ! 192.168.0.0/16 nat-to (egress)

?

Cheers,
Ilya Shipitsin



Re: OpenBSD-5.1 hangs on Supermicro X9DR3-F

2012-10-15 Thread Илья Шипицин
Yahoo!!

3 days without a single hang when running apmd -H


2012/10/12 Peter Hessler phess...@theapt.org

 I have seen some hangs when apmd -C changes cpu speed in very specific
 situations.  For testing purposes, switch to -L or -H.


 On 2012 Oct 12 (Fri) at 16:44:14 +0600 (+0600), Илья Шипицин wrote:
 :... and I'm running apmd -C if that matters.
 :could it cause problems ?
 :
 :2012/10/12 Christiano F. Haesbaert haesba...@haesbaert.org
 :
 : On 11 October 2012 08:30, Илья Шипицин chipits...@gmail.com wrote:
 :  Hello!
 : 
 :  we recently installed OpenBSD/amd64 on Supermicro X9DR3-F, it hangs about once a day.
 :  5.1 does not understand i350 chip, so we put external Intel PRO/1000 MT
 :  (82574L) nic.
 : 
 :  we have ddb.panic=1, but no ddb appears on screen on hang.
 :  also, it says savecore: no core dump during boot.
 : 
 :  we tested RAM with memtest, so we do not suspect it for memory related
 :  issue.
 : 
 : 
 :  how can we diagnose those hangs ?
 :  is it ok to run 5.1 on X9DR3-F ?
 : 
 :  do I need to provide dmesg output ? any other kind of diagnostics ?
 : 
 :  Cheers,
 :  Ilya Shipitsin
 : 
 :
 : If you can provide the dmesg I can help you, we have these at work:
 : hw.product=X9DRH-7TF/7F/iTF/iF
 :
 : Which should be similar, do you by any chance have a mfii(4) ?
 : Our machine had interrupt routing issues, maybe you're experiencing the
 : same.
 : Please provide a dmesg, even a picture should do and we can try something.
 :

 --
 There's no trick to being a humorist when you have the whole government
 working for you.
 -- Will Rodgers



Re: CARP - Active/Active question

2012-10-15 Thread Илья Шипицин
the tricky thing here is the MAC address.

it is 01:00:5e, which mimics Microsoft NLB in multicast IGMP mode.
the first octet, 01, means it is multicast, which is a very rare case
(compared to unicast and broadcast).

most switches treat multicast the same way as broadcast, i.e. delivering
packets to all ports.
also, there could be side effects from using multicast in routing mode.

be careful with multicast things :-)

2012/10/15 Indunil Jayasooriya induni...@gmail.com

 Hi list,


 I configured CARP - Active/Active. ( Things work )

 I have a question. When both are Active/Active, both should work
 simultaneously by balancing traffic.

 Am I right ?


 But ifconfig on fw1 says "status: master" and ifconfig on fw2 says
 "status: backup".


 Pls see the output of both fw1 and fw2

 on fw1

 carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 lladdr 01:00:5e:00:01:01
 priority: 0
 carp: carpdev em0 advbase 1 balancing ip
 state MASTER vhid 1 advskew 0
 state BACKUP vhid 2 advskew 100
 groups: carp
 status: master
 inet6 fe80::a00:27ff:fe05:3294%carp1 prefixlen 64 scopeid 0x7
 inet 192.168.0.100 netmask 0xff00 broadcast 192.168.0.255


 on fw2

 carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 lladdr 01:00:5e:00:01:01
 priority: 0
 carp: carpdev em0 advbase 1 balancing ip
 state BACKUP vhid 1 advskew 100
 state MASTER vhid 2 advskew 0
 groups: carp
 status: backup
 inet6 fe80::a00:27ff:fe14:3690%carp1 prefixlen 64 scopeid 0x7
 inet 192.168.0.100 netmask 0xff00 broadcast 192.168.0.255


 Why is that?


 When status is master and backup, do these 2 nodes ( fw1 and fw2 ) work
 simultaneously by balancing traffic? and when one node goes down, does all 100%
 of the traffic go via the running node?

 That's What I want to achieve.


 Pls let me know.


 Here's the HOW TO, I performed.


 CARP - Active/Active configuration ( CARP, pfsync, PF and relayd )



   --   --
   | fw1 |-em1--em1-| fw2 |
   +-+  +-+
   em0||em0
  ||
   ---+---Shared LAN---+---




 fw1

 em0 - 192.168.0.10

 em1 - 192.168.9.67 ( for pfsync )

 fw2

 em0 - 192.168.0.11

 em1 - 192.168.9.68 ( for pfsync )


 carp1 - LAN shared IP: 192.168.0.100



 on fw1


 #
 hostname

 fw1.example.com

 # cat /etc/hostname.em0
 inet 192.168.0.10 255.255.255.0

 # cat /etc/hostname.em1
 inet 192.168.9.67 255.255.255.0


 on fw2

 #
 hostname

 fw2.example.com

 # cat /etc/hostname.em0
 inet 192.168.0.11 255.255.255.0

 # cat /etc/hostname.em1
 inet 192.168.9.68 255.255.255.0



 net.inet.ip.forwarding=1  in /etc/sysctl.conf on both fw1 and fw2 with
 below command

 sysctl -w net.inet.ip.forwarding=1


 Edit net.inet.ip.forwarding=1 in /etc/sysctl.conf file in this way

 #  less /etc/sysctl.conf |grep net.inet.ip.forwarding=1
 net.inet.ip.forwarding=1# 1=Permit forwarding (routing) of IPv4
 packets



 Configure fw1:

 ! enable preemption and group interface failover
 # sysctl -w net.inet.carp.preempt=1


 Uncomment net.inet.carp.preempt=1 in /etc/sysctl.conf in this way

 # less /etc/sysctl.conf |grep net.inet.carp.preempt=1
 net.inet.carp.preempt=1 # 1=Enable carp(4) preemption



 ! configure pfsync
 # ifconfig em1 192.168.9.67 netmask 255.255.255.0
 # ifconfig pfsync0 syncdev em1
 # ifconfig pfsync0 up

 ! configure CARP on the LAN side
 # ifconfig carp1 create
 # ifconfig carp1 192.168.0.100/24 carpnodes 1:0,2:100 balancing ip \
 pass lanpasswd


 vi /etc/hostname.carp1

 inet 192.168.0.100 255.255.255.0 192.168.0.255 carpnodes 1:0,2:100
 balancing ip pass lanpasswd


 vi /etc/hostname.pfsync0

 up syncdev em1




 Configure fw2:

 ! enable preemption and group interface failover
 # sysctl -w net.inet.carp.preempt=1


 Uncomment net.inet.carp.preempt=1 in /etc/sysctl.conf in this way

 #  less /etc/sysctl.conf |grep net.inet.carp.preempt=1
 net.inet.carp.preempt=1 # 1=Enable carp(4) preemption


 ! configure pfsync
 # ifconfig em1 192.168.9.68 netmask 255.255.255.0
 # ifconfig pfsync0 syncdev em1
 # ifconfig pfsync0 up

 ! configure CARP on the LAN side
 # ifconfig carp1 create
 # ifconfig carp1 192.168.0.100/24 carpnodes 1:100,2:0 balancing ip \
 pass lanpasswd


 vi /etc/hostname.carp1

 inet 192.168.0.100 255.255.255.0 192.168.0.255 carpnodes 1:100,2:0
 balancing ip pass lanpasswd


 vi /etc/hostname.pfsync0

 up syncdev em1



 Scp pf.conf and relayd.conf files to fw2 from fw1


 #
 hostname

 fw1.example.com

 # cd /etc/

 # scp pf.conf relayd.conf root@192.168.0.11:/etc/
 root@192.168.0.11's password:
 pf.conf
 100% 1584 1.6KB/s   00:00
 relayd.conf


 Pls run below command on both nodes ( fw1 and fw2 )


 # pfctl -f /etc/pf.conf

 # relayd


 # pfctl -sr
 anchor 

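An added example, not part of the original posts, for the MAC-address point made above: it decodes the 01:00:5e:00:01:01 address from the quoted ifconfig output, lists the IPv4 multicast groups that alias it, and models (in a deliberately simplified, hypothetical switch) why such frames are flooded like broadcast without IGMP snooping. The unicast address 08:00:27:05:32:94 is derived from the quoted link-local fe80::a00:27ff:fe05:3294 and is not on the page itself.

```python
"""Why the CARP "balancing ip" link-layer address behaves like broadcast.

Constructed example: 01:00:5e:00:01:01 is the lladdr from the ifconfig
output quoted in the thread, and 08:00:27:05:32:94 is the em0 address
implied by its fe80::a00:27ff:fe05:3294 link-local.  The switch below is a
deliberately simplified model (hypothetical, not any vendor's logic).
"""
import ipaddress

IPV4_MCAST_PREFIX = bytes.fromhex("01005e")  # RFC 1112: 01:00:5e + low 23 bits
BROADCAST = b"\xff" * 6


def parse_mac(text: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff."""
    parts = text.strip().lower().replace("-", ":").split(":")
    if len(parts) != 6 or not all(1 <= len(p) <= 2 for p in parts):
        raise ValueError("malformed MAC address: %r" % text)
    return bytes(int(p, 16) for p in parts)


def classify(mac: bytes) -> str:
    """IEEE 802: bit 0 of the first octet is the Individual/Group flag,
    so any address whose first octet is odd (01, 33, ff, ...) is a group."""
    if mac == BROADCAST:
        return "broadcast"
    return "multicast" if mac[0] & 0x01 else "unicast"


def ipv4_group_for_mac(mac: bytes):
    """Reverse the RFC 1112 mapping.  Only 23 bits of the group survive in
    the MAC, so the canonical group (bit 23 clear) is returned."""
    if mac[:3] != IPV4_MCAST_PREFIX or mac[3] & 0x80:
        return None
    return ipaddress.IPv4Address((224 << 24) | int.from_bytes(mac[3:], "big"))


def groups_sharing_mac(mac: bytes) -> list:
    """All 32 IPv4 multicast groups that map onto the same MAC address."""
    base = ipv4_group_for_mac(mac)
    if base is None:
        return []
    return [ipaddress.IPv4Address(int(base) | (i << 23)) for i in range(32)]


def switch_egress(dst_mac: bytes, ingress: int, ports: set,
                  fdb: dict, snooped: dict = None) -> set:
    """Egress ports chosen by a simplified learning switch.
    fdb maps a learned unicast MAC to its port.  snooped maps an IPv4 group
    (string or IPv4Address) to the ports that reported membership; None
    means IGMP snooping is off."""
    others = ports - {ingress}
    kind = classify(dst_mac)
    if kind == "unicast":
        port = fdb.get(dst_mac)
        return others if port is None else {port} - {ingress}  # unknown unicast floods
    if kind == "broadcast" or snooped is None:
        return others  # multicast without snooping is flooded exactly like broadcast
    # With snooping, only ports that joined a group aliasing this MAC get it;
    # if nobody did, the frame goes nowhere.
    members = set()
    wanted = set(groups_sharing_mac(dst_mac))
    for group, member_ports in snooped.items():
        if ipaddress.IPv4Address(group) in wanted:
            members |= set(member_ports)
    return members - {ingress}


if __name__ == "__main__":
    carp = parse_mac("01:00:5e:00:01:01")
    print(classify(carp), ipv4_group_for_mac(carp), len(groups_sharing_mac(carp)))
    ports = {1, 2, 3, 4}
    print("no snooping  :", switch_egress(carp, 1, ports, {}))
    print("snooping     :", switch_egress(carp, 1, ports, {}, snooped={"224.0.1.1": {3}}))
    print("nobody joined:", switch_egress(carp, 1, ports, {}, snooped={}))
```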
Re: OpenBSD-5.1 hangs on Supermicro X9DR3-F

2012-10-12 Thread Илья Шипицин
... and I'm running apmd -C if that matters.
could it cause problems ?

2012/10/12 Christiano F. Haesbaert haesba...@haesbaert.org

 On 11 October 2012 08:30, Илья Шипицин chipits...@gmail.com wrote:
  Hello!
 
  we recently installed OpenBSD/amd64 on Supermicro X9DR3-F, it hangs about once a day.
  5.1 does not understand i350 chip, so we put external Intel PRO/1000 MT
  (82574L) nic.
 
  we have ddb.panic=1, but no ddb appears on screen on hang.
  also, it says savecore: no core dump during boot.
 
  we tested RAM with memtest, so we do not suspect it for memory related
  issue.
 
 
  how can we diagnose those hangs ?
  is it ok to run 5.1 on X9DR3-F ?
 
  do I need to provide dmesg output ? any other kind of diagnostics ?
 
  Cheers,
  Ilya Shipitsin
 

 If you can provide the dmesg I can help you, we have these at work:
 hw.product=X9DRH-7TF/7F/iTF/iF

 Which should be similar, do you by any chance have a mfii(4) ?
 Our machine had interrupt routing issues, maybe you're experiencing the
 same.
 Please provide a dmesg, even a picture should do and we can try something.



Re: OpenBSD-5.1 hangs on Supermicro X9DR3-F

2012-10-12 Thread Илья Шипицин
ok. I figured out it is an X9DR3-F with a couple of external cards (NIC
82574L and RAID LSI 9261-8i, which I thought was internal because it
identifies itself as megaide).

I tried to run in UKC verbose mode, but it took me about an hour of debug
output without getting to the Login: prompt, so I gave up on that idea. I didn't
try recompiling the kernel in DEBUG mode yet.

also, I double-checked for newer firmware/bios, no updates available.

here's dmesg:

OpenBSD 5.1 (GENERIC.MP) #207: Sun Feb 12 09:42:14 MST 2012
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 137408897024 (131043MB)
avail mem = 133736947712 (127541MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xe9380 (135 entries)
bios0: vendor American Megatrends Inc. version 1.0c date 06/29/2012
bios0: Supermicro X9DR3-F
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC SRAT SLIT HPET PRAD SPMI SSDT MCFG DMAR EINJ ERST HEST BERT
acpi0: wakeup devices BR20(S1) EUSB(S4) USBE(S4) PEX0(S4) PEX1(S1) PEX2(S1) PEX3(S1) PEX4(S1) PEX5(S1) PEX6(S1) PEX7(S1) GBE_(S4) NPE1(S4) NPE2(S4) NPE3(S4) NPE4(S4) NPE5(S4) NPE6(S4) NPE7(S4) NPE8(S4) NPE9(S4) NPEA(S4) SLPB(S0) NPE1(S4) NPE3(S4) NPE7(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz, 2000.27 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,AES,XSAVE,AVX,NXE,LONG,LAHF
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: apic clock running at 100MHz
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz, 2000.00 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,AES,XSAVE,AVX,NXE,LONG,LAHF
cpu1: 256KB 64b/line 8-way L2 cache
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz, 2000.00 MHz
cpu2: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,AES,XSAVE,AVX,NXE,LONG,LAHF
cpu2: 256KB 64b/line 8-way L2 cache
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz, 2000.00 MHz
cpu3: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,AES,XSAVE,AVX,NXE,LONG,LAHF
cpu3: 256KB 64b/line 8-way L2 cache
cpu4 at mainbus0: apid 8 (application processor)
cpu4: Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz, 2000.00 MHz
cpu4: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,AES,XSAVE,AVX,NXE,LONG,LAHF
cpu4: 256KB 64b/line 8-way L2 cache
cpu5 at mainbus0: apid 10 (application processor)
cpu5: Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz, 2000.00 MHz
cpu5: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,AES,XSAVE,AVX,NXE,LONG,LAHF
cpu5: 256KB 64b/line 8-way L2 cache
cpu6 at mainbus0: apid 32 (application processor)
cpu6: Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz, 2000.00 MHz
cpu6: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,AES,XSAVE,AVX,NXE,LONG,LAHF
cpu6: 256KB 64b/line 8-way L2 cache
cpu7 at mainbus0: apid 34 (application processor)
cpu7: Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz, 2000.01 MHz
cpu7: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,DCA,SSE4.1,SSE4.2,x2APIC,POPCNT,AES,XSAVE,AVX,NXE,LONG,LAHF
cpu7: 256KB 64b/line 8-way L2 cache
cpu8 at mainbus0: apid 36 (application processor)
cpu8: Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz, 2000.01 MHz
cpu8:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS
H,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,PCLMUL,MWAIT,DS-CPL,VMX,SMX,ES
T,TM2,SSSE3,CX16,xTPR,PDCM,DCA,S
SE4.1,SSE4.2,x2APIC,POPCNT,AES,XSAVE,AVX,NXE,LONG,LAHF
cpu8: 256KB 64b/line 8-way L2 cache
cpu9 at mainbus0: apid 38 (application processor)
cpu9: Intel(R) Xeon(R) CPU E5-2620 0 @ 2.00GHz, 2000.00 MHz

Re: OpenBSD-5.1 hangs on Supermicro X9DR3-F

2012-10-12 Thread Илья Шипицин
pardon, didn't pay attention to  mfii(4), what's that ?

# man -k mfii
mfii: nothing appropriate

# grep -i mfii /var/run/dmesg.boot


#



2012/10/12 Christiano F. Haesbaert haesba...@haesbaert.org

 On 11 October 2012 08:30, Илья Шипицин chipits...@gmail.com wrote:
  Hello!
 
  we recently installed OpenBSD/amd64 on Supermicro X9DR3-F, it hangs
 about 1
  times a day.
  5.1 does not understand i350 chip, so we put external Intel PRO/1000 MT
  (82574L) nic.
 
  we have ddb.panic=1, but no ddb appears on screen on hang.
  also, it says savecore: no core dump during boot.
 
  we tested RAM with memtest, so we do not suspect it for memory related
  issue.
 
 
  how can we diagnose those hangs ?
  is it ok to run 5.1 on X9DR3-F ?
 
  do I need to provide dmesg output ? any other kind of diagnostics ?
 
  Cheers,
  Ilya Shipitsin
 

 If you can provide the dmesg I can help you, we have these at work:
 hw.product=X9DRH-7TF/7F/iTF/iF

 Which should be similar, do you by any chance have a mfii(4) ?
 Our machine had interrupt routing issues, maybe you're experiencing the
 same.
 Please provide a dmesg, even a picture should do and we can try something.



OpenBSD-5.1 hangs on Supermicro X9DR3-F

2012-10-11 Thread Илья Шипицин
Hello!

we recently installed OpenBSD/amd64 on Supermicro X9DR3-F, it hangs about 1
times a day.
5.1 does not understand i350 chip, so we put external Intel PRO/1000 MT
(82574L) nic.

we have ddb.panic=1, but no ddb appears on screen on hang.
also, it says savecore: no core dump during boot.

we tested RAM with memtest, so we do not suspect it for memory related
issue.


how can we diagnose those hangs ?
is it ok to run 5.1 on X9DR3-F ?

do I need to provide dmesg output ? any other kind of diagnostics ?

Cheers,
Ilya Shipitsin



Re: the idea of /fastboot ?

2012-10-11 Thread Илья Шипицин
On Wednesday, 10 October 2012, Nick Holland wrote:

 On 10/09/2012 12:55 PM, Илья Шипицин wrote:

 Hello!

 I'm investigating /etc/rc script. And I found the following there:

 if [ -e /fastboot ]; then
  echo Fast boot: skipping disk checks.
 elif [ X$1 = Xautoboot ]; then
  echo Automatic boot in progress: starting file system checks.


 hmm... if I put /fastboot, no filesystem will be checked ?


 so says the code, yes.

  how it supposed
 to work for non-nfs filesystems ?


 properly?

 they'll be not checked, too?

 Just one more question.
If /fastboot presents, filesystem won't be checked, right?
But how does fsck detects if there's /fastboot? Is it possible thing to do
without actually mount it?

Is it possible to mount dirty filesystem in read-only mode ? If not, it
doesn't make sense at all.



Re: the idea of /fastboot ?

2012-10-11 Thread Илья Шипицин
2012/10/11 Otto Moerbeek o...@drijf.net

 On Thu, Oct 11, 2012 at 05:10:19PM +0600,  ??? wrote:

  On Wednesday, 10 October 2012, Nick Holland wrote:
 
   On 10/09/2012 12:55 PM,  ??? wrote:
  
   Hello!
  
   I'm investigating /etc/rc script. And I found the following there:
  
   if [ -e /fastboot ]; then
echo Fast boot: skipping disk checks.
   elif [ X$1 = Xautoboot ]; then
echo Automatic boot in progress: starting file system
 checks.
  
  
   hmm... if I put /fastboot, no filesystem will be checked ?
  
  
   so says the code, yes.
  
how it supposed
   to work for non-nfs filesystems ?
  
  
   properly?
  
   they'll be not checked, too?
  
   Just one more question.
  If /fastboot presents, filesystem won't be checked, right?
  But how does fsck detects if there's /fastboot? Is it possible thing to
 do
  without actually mount it?

 fsck does not do anything with /fastboot. The rc script (which calls
 fsck) does that. During boot, the / filesystem is initially mounted

read-only, and then is possibly checked by the rc script. After that,
 the root filesystem ro status is updated to rw.


thank you. it is clear now. very similar to Linux and FreeBSD.



 
  Is it possible to mount dirty filesystem in read-only mode ? If not, it
  doesn't make sense at all.

 Yes, you can mount dirty filesystem with -f. Even read-write iirc.
 Very dangerous.


I'm struggling with 7Tb filesystems, it takes about 30 minutes to check
them in case of cold reset. Too much. Very too much.
and currently, no journals or anything else which could speed up 7Tb
filesystems check ?




 -Otto



Re: the idea of /fastboot ?

2012-10-11 Thread Илья Шипицин
2012/10/11 Jan Stary h...@stare.cz

Is it possible to mount dirty filesystem in read-only mode ? If not,
 it
doesn't make sense at all.
  
   Yes, you can mount dirty filesystem with -f. Even read-write iirc.
   Very dangerous.
  
 
  I'm struggling with 7Tb filesystems, it takes about 30 minutes to check
  them in case of cold reset. Too much. Very too much.
  and currently, no journals or anything else which could speed up 7Tb
  filesystems check ?

 man newfs, in particular the -i option.
 What does 'df -hi' say about your filesystem?



# df -hi
Filesystem     Size    Used   Avail Capacity  iused      ifree  %iused  Mounted on
/dev/sd0a      377G    2.7G    356G     1%   158121   24804949     1%   /
/dev/sd1a      6.7T    331G    6.1T     5%     8041  228037269     0%   /big



Re: the idea of /fastboot ?

2012-10-11 Thread Илья Шипицин
2012/10/11 Nick Holland n...@holland-consulting.net

 ...

  I'm struggling with 7Tb filesystems, it takes about 30 minutes to check
 them in case of cold reset. Too much. Very too much.
 and currently, no journals or anything else which could speed up 7Tb
 filesystems check ?


 Almost always (in my mind/experience), file systems that big are bad
 design.  Break your system into chunks, you will end up much happier, and I
 suspect your users will be, too.

 Advanced file systems have costs that have to be considered in system
 design.  ZFS is everyone's favorite file system at the moment, but having
 played with it a bit, even if it re-released with a ISC/BSD license (don't
 wait up), I doubt it would ever be accepted into OpenBSD -- it's a
 knobfest, it's anything BUT set it and ignore it; it's job security for
 people setting up such systems.

 In your case...if you have multiple 500GB or 1TB file systems, you can
 hopefully mount most of them R/O, and not have to worry about fsck times at
 all.

 Nick.



there are http access logs for half an year.
it's easier to rotate them on a single filesystem from many points of view,
we also share it via samba (very tricky to share many chunks).

and it is bad idea to mount access logs R/O. difficult to rotate.



Re: the idea of /fastboot ?

2012-10-11 Thread Илья Шипицин
2012/10/11 Jiri B ji...@devio.us

 On Thu, Oct 11, 2012 at 09:29:50PM +0600, Илья Шипицин wrote:
 
  there are http access logs for half an year.
  it's easier to rotate them on a single filesystem from many points of
 view,
  we also share it via samba (very tricky to share many chunks).
 
  and it is bad idea to mount access logs R/O. difficult to rotate.

 Bad design totally! I remember struggling with backup/restore times
 to satisfy SLA with huge filesystems having many files... And those
 were logs.

 One of proposals we did was to split filesystem into smaller ones and
 keep old logs on filesystems with read-only. Backup would be skipped,
 and restore (in this it was TSM) would be much faster if image would
 be used.

 j.



they are not old logs.
generally, today's log is access.log, yesterday's log is access.log.0 and
so on.
every rotate renames all the logs. older logs are removed.

too many tricks with r/o filesystems.

also, when dealing with rotating logs within single filesystem, it's cheap,
data is not moved.
and what if I want to move/rotate many-many-gigabytes logs in case of
better design when there're many chunks ?
I guess it is hard (and pretty useless) operation from filesystem point of
view.

ok, I can change configs of web-server to store logs in different location
every day. you call it better design ??



Re: OpenBSD-5.1 hangs on Supermicro X9DR3-F

2012-10-11 Thread Илья Шипицин
2012/10/11 Kenneth R Westerback kwesterb...@rogers.com

 On Thu, Oct 11, 2012 at 12:30:56PM +0600,  ??? wrote:
  Hello!
 
  we recently installed OpenBSD/amd64 on Supermicro X9DR3-F, it hangs
 about 1
  times a day.
  5.1 does not understand i350 chip, so we put external Intel PRO/1000 MT
  (82574L) nic.
 
  we have ddb.panic=1, but no ddb appears on screen on hang.
  also, it says savecore: no core dump during boot.
 
  we tested RAM with memtest, so we do not suspect it for memory related
  issue.
 
 
  how can we diagnose those hangs ?
  is it ok to run 5.1 on X9DR3-F ?
 
  do I need to provide dmesg output ? any other kind of diagnostics ?
 
  Cheers,
  Ilya Shipitsin
 

 http://openbsd.org/report.html

  Ken



it just hangs silently.
from http://openbsd.org/report.html point of view it is useless.
the only thing I have is dmesg output.

so, I'm asking, how to collect information in case of silent hang
behaviour
it will be very useless bug report without that information.

like blah-blah-blah, it hangs about once a day. silently



Re: the idea of /fastboot ?

2012-10-10 Thread Илья Шипицин
On Wednesday, 10 October 2012, Nick Holland wrote:

 On 10/09/2012 12:55 PM, Илья Шипицин wrote:

 Hello!

 I'm investigating /etc/rc script. And I found the following there:

 if [ -e /fastboot ]; then
  echo Fast boot: skipping disk checks.
 elif [ X$1 = Xautoboot ]; then
  echo Automatic boot in progress: starting file system checks.


 hmm... if I put /fastboot, no filesystem will be checked ?


 so says the code, yes.

  how it supposed
 to work for non-nfs filesystems ?


 properly?

 they'll be not checked, too?

 I think I'm missing part of your question...but the answer is in the code,
 which you are already reading.


I meant, in case of NFS you don't need to fsck at all. However, there's no
need to indicate such case. mount already knows if there nfs stuff.



 You don't normally fsck an nfs mount (that advisory has always satisfied
 my curiosity sufficiently, I've never actually tried it.  I probably
 should).

  is mount able to work with dirty
 filesystem ?


 for some definition of work with -- default is to refuse to mount dirty
 file systems.

  what will happen if I put /fastboot and cold reset (which leaves
 filesystems dirty) occures ?


 try it and find out?

 /fastboot is a marker to indicate the system was shut down cleanly, not a
 user-knob to twist for giggles.  If you deliberately place a marker that is
 supposed to indicate the file system was shut down cleanly when it wasn't,
 you will break things.  The good news is, you get to keep all the pieces.
  The other good news is it will be fairly easy to fix.


I got an idea. It won't help to mount dirty filesystems (like
error-behavour flag in case of ext4), it is just a relic, which was
occasionly removed :)
Great news.



 Nick.



the idea of /fastboot ?

2012-10-09 Thread Илья Шипицин
Hello!

I'm investigating /etc/rc script. And I found the following there:

if [ -e /fastboot ]; then
echo Fast boot: skipping disk checks.
elif [ X$1 = Xautoboot ]; then
echo Automatic boot in progress: starting file system checks.


hmm... if I put /fastboot, no filesystem will be checked ? how it supposed
to work for non-nfs filesystems ? is mount able to work with dirty
filesystem ?
what will happen if I put /fastboot and cold reset (which leaves
filesystems dirty) occures ?

Cheers,
Ilya Shipitsin



Re: kern.maxclusters vs syn proxy

2012-10-05 Thread Илья Шипицин
Great!
On 04.10.2012 at 16:52, Henning Brauer lists-open...@bsws.de wrote:

 * Tyler Morgan tyl...@tradetech.net [2012-10-02 18:31]:
  which links to: http://www.openbsd.org/faq/pf/filter.html#synproxy
  which gets far from saying what Henning said.

 this has been fixed.

 --
 Henning Brauer, h...@bsws.de, henn...@openbsd.org
 BS Web Services, http://bsws.de, Full-Service ISP
 Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully
 Managed
 Henning Brauer Consulting, http://henningbrauer.com/



Re: kern.maxclusters vs syn proxy

2012-08-23 Thread Илья Шипицин
2012/8/23 Claudio Jeker cje...@diehard.n-r-g.com

 On Thu, Aug 23, 2012 at 12:17:04AM +0600,  ??? wrote:
  Hello!
 
 
  we are running high load https server on OpenBSD, so there are questions
 on
  performance:
 
  since we already had to increase kern.maxclusters value, I guess default
  OpenBSD settings are not very well for high load https server ?
  in order to protect our server from denial of service, we can either
 
  a) increase kern.maxclusters to some huge value

 It is OK to increase kern.maxclusters, the default is good enough for 90%
 of the people but some systems need more. Calculate how much memory will
 be consumed by the clusters and compare it to the free memory reported by
 top. You don't want to run userland out of memory by buffering in the
 kernel. On the other hand you want enough maxclusters to make the system
 run smoothly.


so, there's no harm in huge kern.maxcluster values ? (until I keep enough
memory for userland)



  b) turn on syn proxy in PF

 Syn proxy will only protect you from syn attacks. For this there is also
 the syn cache used by the network stack. The syn cache will only allocate
 a full PCB when the handshake completed so it behaves similar to the syn
 proxy in PF.


is syn cache enabled by default ?
am I right that syn cache does almost the same as syn proxy ?



  does someone have experience with such high load applications and tell me
  pro et contra for each solution?
  why syn proxy is not enabled by default ?

 Because it has bad side-effects. Like accepting a connection before the
 actual server accepted it. So it is hard to signal closed ports back.


any other side-effect ?



 --
 :wq Claudio



kern.maxclusters vs syn proxy

2012-08-22 Thread Илья Шипицин
Hello!


we are running high load https server on OpenBSD, so there are questions on
performance:

since we already had to increase kern.maxclusters value, I guess default
OpenBSD settings are not very well for high load https server ?
in order to protect our server from denial of service, we can either

a) increase kern.maxclusters to some huge value
b) turn on syn proxy in PF

does someone have experience with such high load applications and tell me
pro et contra for each solution?
why syn proxy is not enabled by default ?

Ilya Shipitsin



missing /etc/fstab

2012-07-08 Thread Илья Шипицин
Hello!

I remember some early 5.1 snapshot which installed and successfully run
without /etc/fstab
however, 5.1-RELEASE came with /etc/fstab

it would be nice to move system from one server to another without having
to bother about /etc/fstab (I moved several of them due to buggy hardware).
is it possible to run without /etc/fstab ? is it supported configuration ?

Cheers,
Ilya Shipitsin



Re: Virtualizing firewalling scenarios in one physical OpenBSD host

2012-07-07 Thread Илья Шипицин
Look at www.fwbuilder.org
It is good. It even has commercial support if you like.

On Wednesday, 4 July 2012, C. L. Martinez wrote:

 Hi all,

  I wonder if with OpenBSD is possible to create virtualized firewalled
 implementations of conventional physical topologies and designs such
 as central and remote DMZs (my question has nothing to do with
 virtualization platforms like ESXi/vSphere or Xen or KVM), like for
 example CheckPoint VSX does:
 http://www.checkpoint.com/products/vpn-1-power-vsx/index.html.

  The idea is to configure different security scenarios on a single
 system. Is it possible?? Some example??

 Thanks.



how to configure DHCP on trunk interfaces ?

2012-06-27 Thread Илья Шипицин
Hello!

it works for em0, if I put DHCP in hostname.em0
is it possible to do with trunk0 ?

can anybody give working example ?


Cheers,
Ilya Shipitsin



PF and ftp: to use or not to use ftp-proxy ?

2012-06-26 Thread Илья Шипицин
Hello!

I managed to get ftp through PF working either without ftp-proxy ...

match in inet proto tcp from any to $external port = ftp rdr-to $internal port 21
match in inet proto tcp from any port = ftp-data to $external port 1024:65535 rdr-to $internal port 1024:65535
match in inet proto tcp from any to $external port = ftp-data rdr-to $internal port 20


or with ftp-proxy...

pass in quick on vlan5 inet proto tcp from any to $external port ftp divert-to 127.0.0.1 port 8021


/etc/rc.local:

/usr/sbin/ftp-proxy -p 8021 -R $internal -P 21 -D7 -v


I asked question is it possible to use multiple intances of ftp-proxy and
it turned out that several people are running reverse ftp-proxy in
production.
so... can anybody help me to choose between two above options ? with
ftp-proxy or without ftp-proxy ?

Cheers,
Ilya Shipitsin



multiple instances of ftp-proxy ?

2012-06-12 Thread Илья Шипицин
Hello!

is anybody running multiple instances of ftp-proxy in reverse mode?
I'd afraid of anchor ftp-proxy/*, ftp-proxy doesn't allow to specify
anchor, also, many instances of ftp-proxy can break each others anchors.

can somebody provide me with example of multiple ftp-proxies ?

Cheers,
Ilya Shipitsin



how to use patterns with newsyslog ?

2012-04-03 Thread Илья Шипицин
Hello!

I tried to use

/big/nginx/*.log    644  100   10    *    Z    /var/run/nginx.pid  SIGUSR1

in order to rotate many files at once, but even newsyslog -v show nothing.
is it possible to use patterns with newsyslog ?

Cheers,
Ilya Shipitsin



similar behaviour to Linux netstat -lpn ?

2012-04-03 Thread Илья Шипицин
Hello!

I'd like to see every program (with program name) that listen something on
network. I can achive that on Linux by running netstat -lpn, like that

server:~# netstat -lpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      411/master
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      428/smbd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      428/smbd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      263/portmap
tcp        0      0 127.0.0.1:20209         0.0.0.0:*               LISTEN      8547/dkim-filter
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      343/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      343/sshd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           263/portmap
udp        0      0 0.0.0.0:37764           0.0.0.0:*                           8547/dkim-filter
udp        0      0 127.0.0.2:137           0.0.0.0:*                           421/nmbd
udp        0      0 192.168.7.21:137        0.0.0.0:*                           421/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           421/nmbd
udp        0      0 127.0.0.2:138           0.0.0.0:*                           421/nmbd
udp        0      0 192.168.7.21:138        0.0.0.0:*                           421/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                           421/nmbd


is there similar things for OpenBSD ?

Cheers,
Ilya Shipitsin



Re: Is nginx to complement or replace apache?

2012-04-03 Thread Илья Шипицин
nginx is great piece of software, but it doesn't do CGI, how users will run
bgplg, for example ?

On 28 March 2012 at 18:39, Kevin Chadwick ma1l1i...@yahoo.co.uk wrote:

 Knowing nginx is on it's way to base and having just seen some fixes
 for nginx on gentoo (some CVES from 2009).

 Is nginx going to complement apache in case users want features/prefer
 it or replace apache as apache can no longer have time spent on it?

 Also, does anyone know if there are any CVEs applicable to base apache
 currently?



Re: may 7 carp addresses be too much on 5.0/amd64 ?

2012-03-14 Thread Илья Шипицин
it doesn't match the FAQ, but it works.
my fail was using nat from 192.168.0.0/16 to !192.168.0.0/16 and it
affected CARP traffic, because of its multicast nature (it matched !
192.168.0.0/16)

not many people read FAQ actually.

I like the idea of OpenBSD just to work out of a box, it's more about how
people think and do.

On 13 March 2012 at 14:52, Janne Johansson icepic...@gmail.com wrote:

  2012/3/4 Илья Шипицин chipits...@gmail.com:
  thank to Camiel Dobbelaar, carp log at 6 shown ip_output problem, which
  lead me to:
 
  pass quick proto carp no state

 Which doesn't match the PF FAQ which says:
 Since CARP is its own protocol it should have an explicit pass rule
 in filter rulesets:
 pass out on $carp_dev proto carp keep state

 I'll test the no state as soon as I can rig one of my previously
 failing boxes to not use my carppeer workaround.

 
 
  it did the job (I still do not understand how forewall passed 6
 interfaces
  and blocked 7th, need to have a closer look, but after that rule
 everything
  became ok,
  pf stopped blocking carp announces)
 
   On 2 March 2012 at 21:31, favar 889...@gmail.com wrote:
 
  hi list, we have same problem with carp. (with 45 ip addresses)
  and after reboot, host with advskew 200 became master, and with
  advskew 1 - slave.
 
   2012/3/2 Илья Шипицин chipits...@gmail.com:
   no, I copied hostname.carpXX, just added advskew 200
   parameters are the same.
  
    On 2 March 2012 at 15:25, Otto Moerbeek o...@drijf.net wrote:
  
   On Fri, Mar 02, 2012 at 01:53:17PM +0500,  ??? wrote:
  
hello!
   
we are running CARP-ed load balancers (carp over different vlans).
it was running just great with 6 carp addresses.
   
when we added 7th, randomly we get MASTERs on both server for
 certain
   carp
interface. After reboot we can get different carp interface on dual
   MASTER
state, and so on.
carp negotiations are ok, tcpdump shows them all. both peers see
 each
   other.
   
if I put one interface to BACKUP state, it goes to mASTER soon.
   
we are runnung 5.0/amd64
   
Cheers,
Ilya Shipitsin
  
   Carefully compare the address lists (including masks) on both
   machines. Likely they are not the same.
  
  -Otto
 



 --
  To our sweethearts and wives.  May they never meet. -- 19th century toast
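The NAT rule that swallowed the CARP announcements, shown next to the corrected ruleset, as an added pf.conf example that is not from the thread; the interface name vlan5, the macro names and the 5.x-era match/nat-to spelling of the NAT rule are assumptions.

```pf
# Constructed pf.conf fragment, not from the thread. OpenBSD 5.x syntax assumed.
# CARP advertisements are IP protocol 112 sent to the multicast group 224.0.0.18,
# so a NAT rule written as "to !192.168.0.0/16" matches them as well.

ext_if = "vlan5"               # assumption: the interface the carp devices sit on
lan    = "192.168.0.0/16"

# --- before (broken): NAT first, CARP pass afterwards ---
# pf walks the ruleset top to bottom; a "match" rule's nat-to is applied as soon
# as it matches, and a later "pass" only confirms it. CARP multicast leaving the
# box therefore gets its source rewritten, the peer no longer recognises the
# advertisement, and both machines end up MASTER on that vhid.
#
#   match out on $ext_if inet from $lan to !$lan nat-to ($ext_if)
#   pass quick proto carp no state

# --- after (fixed): let CARP through before any translation can touch it ---
# "quick" ends evaluation at this rule, so the match/nat-to line below is never
# reached for protocol 112. "no state" is what the thread settled on; the PF FAQ
# shows the stateful form "pass out on $carp_dev proto carp keep state".
pass quick proto carp no state
match out on $ext_if inet from $lan to !$lan nat-to ($ext_if)
```

To confirm the fix, raise the CARP log level with `sysctl net.inet.carp.log=6` (the "carp log at 6" the thread refers to) and watch `tcpdump -ni vlan5 proto carp` on both peers: only the current MASTER should be advertising, with an unrewritten source address.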



Re: Trusting the Installation

2012-03-05 Thread Илья Шипицин
we tried those certs. they are not trusted by mobile devices.
and those certificates are free only for 3 months (you are supposed to buy
them after that).

so, it's marketing stuff, not a real deal.

On 5 March 2012 at 13:49, Hugo Osvaldo Barrera h...@osvaldobarrera.com.ar wrote:

 On 2012-03-04 07:05, Илья Шипицин wrote:
  if you mean public SSL certs, it's about $500/year.
  are you willing to pay for SSL certs ?
 
  I can do the rest. I have installed tens ssl-enabled services.

 Slightly OT: StartSSL offers free certificates trusted by every browser,
 so you're just exagerating - a lot.

 --
 Hugo Osvaldo Barrera



Re: Trusting the Installation

2012-03-05 Thread Илья Шипицин
I'd agree that 100% paranoic will never trust hardware vendor as well. Only
own manufactured components should be used in conjunction with md5/sha1
checksum evaluation and source code audit.

On 5 March 2012 at 17:00, Rudolf Leitgeb rudolf.leit...@gmx.at wrote:

 On Monday, 5 March 2012, 10:12:02, Илья Шипицин wrote:
  P.S. I'm not a paranoic, but I respect people to be paranoic if they want
  to.

 You can be paranoid about the sources and binaries all you want, but you
 still
 don't know the CPU which executes all that code. Even if Intel/AMD would
 give
 you full access to their CPU blue prints, the chip foundry could add things
 you
 would not notice.

 That's the reason why companies which make secure encryption devices would
 never trust any CPU/OS combo. Depending on paranoia they offer you either
 an FPGA based solution or a hard wired one from logic ICs.

 And even if you create the most trusted device, using nothing but 100 year
 old
 relays and passive components, you are still prone to the we will whack
 you
 with
 a wrench if you don't give me your keys attack. Very, very effective.



Re: Google SoC 2012 is accepting open source organisations

2012-03-05 Thread Илья Шипицин
On 5 March 2012 at 21:55, Tomas Bodzar tomas.bod...@gmail.com wrote:

 On Mon, Mar 5, 2012 at 3:27 PM, Kenneth R Westerback
 kwesterb...@rogers.com wrote:
  On Mon, Mar 05, 2012 at 07:04:06AM +0100, Tomas Bodzar wrote:
  On Mon, Mar 5, 2012 at 3:04 AM, Theo de Raadt dera...@cvs.openbsd.org
  wrote:
   But again. OpenBSD tried at least two times before to apply, but was
   not accepted by Google
  
   That is false.
  
   We were approached by Google people to participate, but we can
   find noone in our project who will accept signing their contract.
  
   We told them that was a problem.  They chose not to find a way
   around the problem.
  
   That is not the same as what you said, so what you said was false,
   yes, what you said was a lie.
 
  So probably Kenneth lie as well
  http://marc.info/?l=openbsd-miscm=120661469904489w=2 ;-) But I don't
  think so.
 
 
  1) The OpenBSD Foundation is NOT OpenBSD.
 
  2) That application never elicited a reply from Google, so no
  contract to read or sign was presented or known of.
 
  3) At some later point the required contract was obtained and, as Theo
  has said, nobody in the OpenBSD project or at the OpenBSD Foundation
  was interested in signing it after reading it.

 Thx for your details about that particular case.

 
   Ken

 BTW

https://groups.google.com/group/google-summer-of-code-discuss/msg/87feaa296ee2792d?pli=1

 Now I'm  just curious why they don't have list of NOT accepted
 projects anywhere on their sites, but doesn't matter here of course.



it was me :-) I was told by google people to work directly with community,
but they said I could apply either for mentoring  or for whatever I'm
eligible to. Lot's of blah-blah-blah.


they didn't say that Theo refused to sign any paper. Just wonder, what kind
of responsibilty that paper was about ? Accepting student's code to OpenBSD
code base or something ?

Cheers,
Ilya Shipitsin



Re: Google SoC 2012 is accepting open source organisations

2012-03-05 Thread Илья Шипицин
On 6 March 2012 at 0:15, Bob Beck b...@openbsd.org wrote:

 
  they didn't say that Theo refused to sign any paper. Just wonder, what
 kind
  of responsibilty that paper was about ? Accepting student's code to
 OpenBSD
  code base or something ?

 No, it's actually about personal liability for the mentor (i.e. me) for
 taxes
 and other such nonsense.  Google SOC actually does *not* require that
 the code be accepted into the project at the end.  Fundamentally, I have no
 objections to the principle of summer of code, it's the byzantine paperwork
 and scary contract I have to sign as a mentor to do this for you. I'm more
 than willing to hang my personal ass out there a little bit for this,
 working
 at a university I can sort of blah blah blah a lot of the legal crap
 when it
 comes to students, but I do have my limits.. sorry... and as soon as I
 delete
 objectionable bits in the contract, the dialogue with the Googlers stops,
  I
 suspect because they can't get any traction with their internal legal
 people.



as far as I understand, there're 5 parties:

1) government (they want taxes to be paid)
2) Google (they spent money on SoC)
3) opensource organizations
4) mentors
5) students

at first, I'd notice, 3) != 4), right ? I can apply for mentoring after
OpenBSD is in the list of opensource organizations, but it doesn't be
mentoring itself ?
at second, taxes are rather government thing, not googlish ? why should I
sign something with Google about taxes ? It doesn't make any sense.

Cheers,
Ilya Shipitsin



Re: Trusting the Installation

2012-03-04 Thread Илья Шипицин
On 29 February 2012 at 8:44, Nathan Stiles stiles.nat...@gmail.com wrote:

 Hello,
 I've recently installed 5.0 and based upon my experience
 I expected a checksum to be posted for the ISO.
 Also I've noticed that HTTPS isn't implemented on openbsd.org.
 I was also expecting the checksum to be served over HTTPS.


if you mean public SSL certs, it's about $500/year.
are you willing to pay for SSL certs ?

I can do the rest. I have installed tens ssl-enabled services.



 I'm sure theres a good reason why this isn't necessary?


the reason is you can download source code, look at it, make sure for
yourself there's no backdoors, build your own ISO from source code

I wonder why you are not doing that with every ISO (which you prefer to
download via torrent).


 I want to check the files I've downloaded against something?
 Obviously I can check a few random mirrors to ensure
 that files are identical.  What are others doing?


other are doing what they want :-)
it's an opensource. you can also do what you want.



 Thanks,
 Nathan



Re: may 7 carp addresses be too much on 5.0/amd64 ?

2012-03-04 Thread Илья Шипицин
thank to Camiel Dobbelaar, carp log at 6 shown ip_output problem, which
lead me to:

pass quick proto carp no state


it did the job (I still do not understand how forewall passed 6 interfaces
and blocked 7th, need to have a closer look, but after that rule everything
became ok,
pf stopped blocking carp announces)

On 2 March 2012 at 21:31, favar 889...@gmail.com wrote:

 hi list, we have same problem with carp. (with 45 ip addresses)
 and after reboot, host with advskew 200 became master, and with
 advskew 1 - slave.

  2012/3/2 Илья Шипицин chipits...@gmail.com:
  no, I copied hostname.carpXX, just added advskew 200
  parameters are the same.
 
   On 2 March 2012 at 15:25, Otto Moerbeek o...@drijf.net wrote:
 
  On Fri, Mar 02, 2012 at 01:53:17PM +0500,  ??? wrote:
 
   hello!
  
   we are running CARP-ed load balancers (carp over different vlans).
   it was running just great with 6 carp addresses.
  
   when we added 7th, randomly we get MASTERs on both server for certain
  carp
   interface. After reboot we can get different carp interface on dual
  MASTER
   state, and so on.
   carp negotiations are ok, tcpdump shows them all. both peers see each
  other.
  
   if I put one interface to BACKUP state, it goes to mASTER soon.
  
   we are runnung 5.0/amd64
  
   Cheers,
   Ilya Shipitsin
 
  Carefully compare the address lists (including masks) on both
  machines. Likely they are not the same.
 
 -Otto



how to update cpu microcode ?

2012-03-04 Thread Илья Шипицин
Hello!

I observe strange problem on Supermicro X8DTN+-F with OpenBSD-5.0/amd64,
when I reboot it, sometime it gets broken, i.e. it doesn't start, I
cannot manage it via IPMI.
I suspect cpu microcode (it is put via ACPI into unconditional state), is
there a way to install microcode on OpenBSD ?

as far, as I understand, I need to load microcode every time cpu start.

cheers,
Ilya Shipitsin



Re: Trusting the Installation

2012-03-04 Thread Илья Шипицин
I do not check the code :-)

but every paranoid user who doesn't trust to ISP (they could swap ISO
image), who doesn't trust to public SSL companies (they are known to sell
google certificate to Iranian goverment), who doesn't trust post office
(they could swap CDs), who doesn't trust to developers (they can leave
backdoor in code)  can do that.

it is open source, you can do whatever you want actually.

P.S. I'm not a paranoic, but I respect people to be paranoic if they want
to.

On 4 March 2012 at 18:07, Martin Schröder mar...@oneiros.de wrote:

  2012/3/4 Илья Шипицин chipits...@gmail.com:
  the reason is you can download source code, look at it, make sure for
  yourself there's no backdoors, build your own ISO from source code

 Who does that? Did _you_ check the code?

 Best
Martin



Re: may 7 carp addresses be too much on 5.0/amd64 ?

2012-03-03 Thread Илья Шипицин
I permormed tcpdump on appropriate vlan on BOTH SERVERS, I see on
advskew=200 announces. MASTER with advskew=0 does not do any
advertisement.

22:22:37.296866 CARPv2-advertise 36: vhid=60 advbase=1 advskew=200 demote=2
(DF) [tos 0x10]
22:22:39.096900 CARPv2-advertise 36: vhid=60 advbase=1 advskew=200 demote=2
(DF) [tos 0x10]

On 2 March 2012 at 16:14, Otto Moerbeek o...@drijf.net wrote:

 On Fri, Mar 02, 2012 at 02:53:31PM +0500, Илья Шипицин wrote:

  no, I copied hostname.carpXX and just added advskew 200;
  the parameters are the same.

 To be 100% sure, also look at ifconfig carpXX on both machines.

-Otto
 
  On 2 March 2012 at 15:25, Otto Moerbeek o...@drijf.net wrote:
 
   On Fri, Mar 02, 2012 at 01:53:17PM +0500, Илья Шипицин wrote:
  
hello!
   
   we are running CARP-ed load balancers (carp over different vlans).
   it was running just great with 6 carp addresses.

   when we added the 7th, we randomly get MASTERs on both servers for a
   certain carp interface. After a reboot we can get a different carp
   interface in dual MASTER state, and so on.
   carp negotiations are ok, tcpdump shows them all. both peers see each
   other.

   if I put one interface to BACKUP state, it goes to MASTER soon.

   we are running 5.0/amd64

   Cheers,
   Ilya Shipitsin
  
   Carefully compare the address lists (including masks) on both
   machines. Likely they are not the same.
  
  -Otto



may 7 carp addresses be too much on 5.0/amd64 ?

2012-03-02 Thread Илья Шипицин
hello!

we are running CARP-ed load balancers (carp over different vlans).
it was running just great with 6 carp addresses.

when we added the 7th, we randomly get MASTERs on both servers for a certain
carp interface. After a reboot we can get a different carp interface in dual
MASTER state, and so on.
carp negotiations are ok, tcpdump shows them all. both peers see each other.

if I put one interface to BACKUP state, it goes to MASTER soon.

we are running 5.0/amd64

Cheers,
Ilya Shipitsin



Re: may 7 carp addresses be too much on 5.0/amd64 ?

2012-03-02 Thread Илья Шипицин
no, I copied hostname.carpXX and just added advskew 200;
the parameters are the same.

On 2 March 2012 at 15:25, Otto Moerbeek o...@drijf.net wrote:

 On Fri, Mar 02, 2012 at 01:53:17PM +0500, Илья Шипицин wrote:

  hello!
 
  we are running CARP-ed load balancers (carp over different vlans).
  it was running just great with 6 carp addresses.

  when we added the 7th, we randomly get MASTERs on both servers for a
  certain carp interface. After a reboot we can get a different carp
  interface in dual MASTER state, and so on.
  carp negotiations are ok, tcpdump shows them all. both peers see each
  other.

  if I put one interface to BACKUP state, it goes to MASTER soon.

  we are running 5.0/amd64

  Cheers,
  Ilya Shipitsin

 Carefully compare the address lists (including masks) on both
 machines. Likely they are not the same.

-Otto



carp and disk drive fault

2012-02-21 Thread Илья Шипицин
hello!

today we encountered a situation with faulty drives.
we met it earlier, but today was very strange: carp was running, but the
applications were not running due to the disk failure.

it seems that a carp firewall/router is a good solution, but running
applications on a carp server is not very good.

does anyone have experience with ifstated + drive failure diagnostics?

Cheers,
Ilya Shipitsin




Re: android sdk on openbsd

2012-02-18 Thread Илья Шипицин
That is worth publishing at undeadly.org, I think
On 16.02.2012 at 4:57, frantisek holop min...@obiit.org wrote:

 hi there,

 i wanted to try at least a hello world on android.
 so i installed some linux on a usb stick to use as a
 mobile development environment.  it went rather well,
 using the official hello world tutorial, eclipse and ADT.

 but eclipse is not my thing really and as many components
 needed for android development run on openbsd, and there
 is linux emulation (must be on for this) i started
 wondering how far could i get on openbsd before using
 linux as a crutch.

 turns out, looong way.

 the development flow is basically: write code, make apk,
 install apk on phone/emulator, run apk, (get rich).


 first things first, had to cheat to get the SDK.  the
 initial download android-sdk_r16-linux.tgz contains
 only scaffolding to get the real thing.  it is in java,
 but unfortunately swt (part of eclipse) from ports is
 too old and i couldn't use the GUI or install ADT (Android
 Development Tools).

 TODO: try to update the eclipse port.

 but as i already had all of it on the linux stick,
 i simply rsync-ed it over under ~/android-sdk

 $ ls -1 android-sdk
 SDK Readme.txt
 add-ons/
 docs/
 platform-tools/
 platforms/
 samples/
 sources/
 system-images/
 temp/
 tools/

 $ sudo pkg_add jdk apache-ant
 $ export PATH=$PATH:/usr/local/jdk-1.7.0/bin:$HOME/android-sdk/tools:$HOME/android-sdk/platform-tools
 $ java -version
 openjdk version 1.7.0
 OpenJDK Runtime Environment (build 1.7.0-b00)
 OpenJDK Server VM (build 21.0-b17, mixed mode)

 apply the attached patch to dx.

 these are the API's i have installed using linux:

 $ android list target | grep ^id
 id: 1 or android-3
 id: 2 or Google Inc.:Google APIs:3
 id: 3 or android-7
 id: 4 or Google Inc.:Google APIs:7
 id: 5 or android-15
 id: 6 or Google Inc.:Google APIs:15

 i will use id 3 (Android 2.1.x Eclair)
 HelloAndroid.java is also attached

 $ cd src/android/hello
 ~/src/android/hello$ android create project -t 3 -n HelloPuffy -p . -k
 com.puffy.hello -a HelloPuffy
 ~/src/android/hello$ cp ~/HelloAndroid.java src/com/puffy/hello/
 ~/src/android/hello$ ant debug

 if i did not leave out something, the output should finish with:

 BUILD SUCCESSFUL
 Total time: 7 seconds


 for now i upload the apk files using ftp (swiftp on android).
 http://obiit.org/f/hello.png

 obviously, this is a suboptimal solution, and there is the emulator...
 let's see how far that goes.

 ~/src/android/hello$ android create avd -n puffy_avd -t 3
 Auto-selecting single ABI armeabi
 Android 2.1 is a basic Android platform.
 Do you wish to create a custom hardware profile [no]
 Created AVD 'puffy_avd' based on Android 2.1, ARM (armeabi) processor,
 with the following hardware config:
 hw.lcd.density=240
 vm.heapSize=24

 unfortunately 'emulator' uses /proc to determine
 its own path, so we need to trick it:

 ~/src/android/hello$ sudo ln -s ~/android-sdk/tools/emulator /proc/self/exe
 ~/src/android/hello$ emulator -avd puffy_avd
 emulator: ERROR: _camera_device_open: Cannot open camera device
 '/dev/video0': No such device or address
 emulator: warning: opening audio input failed

 emulator: WARNING: Unable to create sensors port: Connection refused


 masaka!  stupefaction
 http://obiit.org/f/android-emulator-on-openbsd.jpg
 http://obiit.org/f/android-emulator-on-openbsd2.jpg

 and it's fast compared to the linux stick.  just wow.


 now the bad news.  adb does not work.
 i have asked about it some time ago on ports@
 as having a native adb just by itself would be
 great to push apk's, shell, root, etc.
 http://marc.info/?l=openbsd-miscm=131809077812364w=2
 some responses indicated it's already work in progress.

 TODO: get adb to work
 adb source: https://github.com/android/platform_system_core


 so this is it, perhaps because i started out with zero
 expectations, this is a massive happy end.

 of course, hello world is just that.  it remains
 to be seen if more complicated projects can be
 compiled.

 -f
 --
 most days the only good thing on tv is the vase.
 --- android-sdk/platform-tools/dx.orig  Wed Feb 15 21:42:04 2012
 +++ android-sdk/platform-tools/dx   Tue Feb 14 21:29:26 2012
 @@ -1,4 +1,4 @@
 -#!/bin/bash
 +#!/bin/sh
  #
  # Copyright (C) 2007 The Android Open Source Project
  #
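Review bot: the shebang swap from `#!/bin/bash` to `#!/bin/sh` only works if nothing further down in dx relies on bash-specific syntax (arrays, `[[ ]]`, `${var//...}` and the like); this hunk shows just the first four lines of the script, so that cannot be verified from the diff. The mail should say that the rest of the script was checked for bash-isms, or the safer alternative is to leave the shebang alone and install the bash package on OpenBSD.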
 @@ -56,6 +56,7 @@
  # By default, give dx a max heap size of 1 gig. This can be overridden
  # by using a -J option (see below).
  defaultMx=-Xmx1024M
 +defaultMx=-Xmx512M

  # The following will extract any initial parameters of the form
  # -Jstuff from the command line and pass them to the Java
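Review bot: `+defaultMx=-Xmx512M` is inserted right after `defaultMx=-Xmx1024M` instead of replacing it, so the first assignment becomes dead code and the comment two lines up ("give dx a max heap size of 1 gig") now describes a value that is never used. Turn it into a proper replacement (`-defaultMx=-Xmx1024M` followed by `+defaultMx=-Xmx512M`), update the comment to match, and state why 512M is needed on OpenBSD, since the reason is not given in the mail.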
 package com.puffy.hello;

 import android.app.Activity;
 import android.os.Bundle;
 import android.widget.TextView;

 public class HelloPuffy extends Activity
 {
     /** Called when the activity is first created. */
     @Override
     public void onCreate(Bundle savedInstanceState)
     {
         super.onCreate(savedInstanceState);
         setContentView(R.layout.main);
     }
 }



linux xterm + openbsd vi

2012-02-14 Thread Илья Шипицин
Hello!

is anybody using linux xterm (or gnu terminal) + openbsd vi?
it breaks the home/end keys.

Google says things about utf-8 and non-utf8 terminals; some people say to
fix terminfo/termcap.
I do not have any idea what exactly to fix there.

I tried things, without result.

any advice?

Ilya Shipitsin



Re: how to move advskew out of hostname.carpXXX ?

2012-02-14 Thread Илья Шипицин
I wonder if /etc/rc.conf.local is included into the hostname.xxx scripts?

if so, I could use

advskew=100 in rc.conf.local and

$advskew in hostname.xxx later

On 14 February 2012 at 23:29, Stuart Henderson s...@spacehopper.org wrote:

 On 2012-02-13, Илья Шипицин chipits...@gmail.com wrote:
   Hello!
 
  I'd like to sync /etc/hostname.carpXXX files between MASTER and BACKUP; the
  only difference, of course, is the advskew parameter. Is there a way to
  specify it in a different config file?

  I saw a bug report on fwbuilder (www.fwbuilder.org) which describes
  something called create_args_carp0, but I didn't find any other presence
  of it:


  see #2636
  carp : Incorrect output in rc.conf.local format. Should use
  create_args_carp0 instead of ifconfig_carp0 to set up CARP interface vhid,
  pass and advskew parameters.
 
 
  Cheers,
  Ilya Shipitsin
 
 

 Adding something like this currently seems to work, but it's pretty dirty:

 `cat /etc/advskew`



how to move advskew out of hostname.carpXXX ?

2012-02-13 Thread Илья Шипицин
 Hello!

I'd like to sync /etc/hostname.carpXXX files between MASTER and BACKUP; the
only difference, of course, is the advskew parameter. Is there a way to
specify it in a different config file?

I saw a bug report on fwbuilder (www.fwbuilder.org) which describes
something called create_args_carp0, but I didn't find any other presence
of it:


see #2636
carp : Incorrect output in rc.conf.local format. Should use
create_args_carp0 instead of ifconfig_carp0 to set up CARP interface vhid,
pass and advskew parameters.


Cheers,
Ilya Shipitsin



Google Summer of Code 2012 ?

2012-02-06 Thread Илья Шипицин
Dear Sirs,

I wonder... if I apply for GSoC2012 mentoring (GVRP/MVRP for OpenBSD and
BFD for OpenBSD), how does it look from the OpenBSD point of view?
will the code be accepted by the community? any licensing issues?

Cheers,
Ilya Shipitsin



Re: locate weirdness

2012-01-28 Thread Илья Шипицин
guys, it was so funny to see you biting each other.
come on, can you do it one more time, please ?

2012/1/23 Nico Kadel-Garcia nka...@gmail.com

 On Sun, Jan 22, 2012 at 5:38 PM, L. V. Lammert l...@omnitec.net wrote:
  On Sun, 22 Jan 2012, Philip Guenther wrote:
 
  snip the BS
 
  There is no way of knowing if it would have found the problem, so why
  continue with this drivel? Contrary to the lengthy diatribes here trying
  to distract from the original problem and solution:

  1) The problem with locate was traced to a bunch of session files;
  2) The problem was fixed by cleaning them the hard way.

  There is no way to know if an upgrade would have fixed the problem, as
  upgrading is/was/would be just a distraction; it is not good practice to
  try and obscure the problem, and I do not understand why some people here
  like to espouse such practices.

  Sure, there is no support for 4.3, but, then I did not ASK for support on
  4.3 (to read the OP). Don't bother to try and distract from the original
  problem - it just makes it harder for those LOOKING for the problem and
  solution to find it in all the noise.

 As someone who's faced this kind of thing from both sides, I think
 you're going to have a long term problem with the just help me fix
 the system I have, don't bother with telling me to upgrade approach.
 Too many bugs are fixed as part of re-engineering or feature addition,
 and expecting even the authors, whom you are not paying for contracted
 work, to maintain the old releases becomes futile pretty quickly. It's
 difficult for them to maintain the old environments as test beds, or
 to dredge back that far into memory of how things used to be done.
 I've been running into this for decades, all the way back to the shift
 from BSD 4.2 to BSD 4.3. (Note that that is not OpenBSD, it's BSD.)

 The yelling and namecalling is unfortunate. But from observation and
 professional experience, if you want professional grade support for a
 software lifecycle of over 3 years, you should be willing to pay for
 it.



something like glusterfs ?

2012-01-28 Thread Илья Шипицин
Hello!

we are running carp-ed load balancers on openbsd. we are pretty happy with
the fast switchover via carp.
however, we'd like to serve static (uploaded via ftp) content from those
servers.

I see two scenarios

a) files are uploaded to the carp master; we run rsync every minute, which
pushes content from master to backup
b) something like glusterfs

are there things like glusterfs? I didn't find any for openbsd.

cheers,
Ilya Shipitsin



gvrp support

2012-01-14 Thread Илья Шипицин
hello!

does OpenBSD support GVRP ?


Cheers,
Ilya Shipitsin



CARP health check ?

2012-01-12 Thread Илья Шипицин
Hello!


I'm running OpenBSD with CARP (and because of CARP), 10 servers in total.
Some of them with preempt=1, some with preempt=0.
I'd like to know that the spare CARP server is up and running (and will play
its part when the master server dies).

questions are

1) how to detect that a server is master? any other way except parsing
ifconfig output?

2) how to detect whether the carp peer is alive?

Cheers,
Ilya Shipitsin



Re: CARP health check ?

2012-01-12 Thread Илья Шипицин
well, I need to make the question more precise.

we are using nagios for monitoring and it is running on a separate server. we
do not want to monitor the server from inside.
we want to run something via ssh and see whether the carp peer is dead or
not.

probably we do not want to determine that we are carp master, because we
will always connect to the master via ssh.

2012/1/13 Justin Jereza justinjer...@gmail.com

 I think ifstated is what you want to use.

 --
 Composed on a phone.
 On Jan 13, 2012 2:07 AM, Илья Шипицин chipits...@gmail.com wrote:

 Hello!


 I'm running OpenBSD with CARP (and because of CARP), 10 servers in total.
 Some of them with preempt=1, some with preempt=0.
 I'd like to know that the spare CARP server is up and running (and will play
 its part when the master server dies).

 questions are

 1) how to detect that a server is master? any other way except parsing
 ifconfig output?

 2) how to detect whether the carp peer is alive?

 Cheers,
 Ilya Shipitsin



Re: CARP health check ?

2012-01-12 Thread Илья Шипицин
well, it's usually not possible.
we use OpenBSD because it supports the carpdev option (FreeBSD does not
support it).

most of our carp clusters run on a single address. no spare IP space.

we could ssh in and ping the carp peer (some trouble with preemption), but we
do not want to stick with certain IP addresses. we would like to monitor
in general:

1) define a new carp cluster for monitoring
2) ssh to it and monitor the carp peer in general without specifying its address

2012/1/13 Simon Perreault simon.perrea...@viagenie.ca

 On 01/12/2012 01:18 PM, Илья Шипицин wrote:

 we are using nagios for monitoring and it is running on separate server.
 we
 do not want to monitor server from inside.
 we want to run run something via ssh and see whether carp peer is dead or
 not.


 Give each server its unique IP address.
 Use a third IP address for carp.
 Monitor all three addresses.

 Simon
 --
 DTN made easy, lean, and smart -- http://postellation.viagenie.ca
 NAT64/DNS64 open-source-- http://ecdysis.viagenie.ca
 STUN/TURN server   -- http://numb.viagenie.ca



Re: CARP health check ?

2012-01-12 Thread Илья Шипицин
RFC1918 addresses are not routable.
there's no problem for the carp peers to ping each other; I just cannot ping
both of them from the Internet (where nagios is located).

the problem is to specify each peer's address in the nagios config; I do not
want to depend on 10.0.0.2 for the cluster1 peer and so on,
especially from the preemption point of view.

I want to keep things simple.

1) there's another carp cluster at x.y.z.t
2) whether it is running in preemption mode or not, I connect to the carp
master from the Internet
3) there should be a live carp backup (at some rfc1918 address, which I do
not want to specify in nagios)
4) if the backup is unreachable, we are in trouble

2012/1/13 Simon Perreault simon.perrea...@viagenie.ca

 On 01/12/2012 01:49 PM, Илья Шипицин wrote:

 most of our carp clusters run on single address. no spare IP space.


 That's the root of the problem.

 Use IPv6 for the non-carp addresses? RFC 1918? rdr on some ports?

 Otherwise, you'll have to invent a hackish and fragile solution...


 Simon
 --
 DTN made easy, lean, and smart -- http://postellation.viagenie.ca
 NAT64/DNS64 open-source-- http://ecdysis.viagenie.ca
 STUN/TURN server   -- http://numb.viagenie.ca



Re: CARP health check ?

2012-01-12 Thread Илья Шипицин
sounds nice.

I came to something similar. Just ssh to the external address and ping both
carp peers (via internal addresses); if there are fewer than 2 answers, we
are in trouble.

your idea is also good.

2012/1/13 Nick Holland n...@holland-consulting.net

 ok, let's try this idea...

 Your systems have ONE external address, but they can have as many
 internal addresses as desired, right?

 SO...let's say you have two CARP'd firewalls, FW1 and FW2.  They share
 external address of x.x.x.x.

                  FW1:       FW2:
  External        x.x.x.x    x.x.x.x   (same)
  Internal real   10.0.0.2   10.0.0.3
  internal CARP   10.0.0.1   10.0.0.1  (same)

 port 22 gets you ssh on the active firewall...but which is that?

 How about a PF ruleset that redirects port 2202 to 10.0.0.2 port 22 and
 port 2203 to 10.0.0.3?  Now you can find out anything you wish about
 either box ON DEMAND by selecting the port you ssh to?  If 2202 doesn't
 answer, you've lost fw1, if 2203 doesn't answer, you have lost fw2

 In addition to checking to see that the box is up, it's good to check
 for a sane CARP status -- i.e., all MASTER on one box, SLAVE on the
 other, plus other overall health issues.

 Nick.

 On 01/12/12 13:48, Илья Шипицин wrote:
  well, it's usually not possible.
  we use OpenBSD because it supports the carpdev option (FreeBSD does not
  support it).

  most of our carp clusters run on a single address. no spare IP space.

  we could ssh in and ping the carp peer (some trouble with preemption), but we
  do not want to stick with certain IP addresses. we would like to monitor
  in general:

  1) define a new carp cluster for monitoring
  2) ssh to it and monitor the carp peer in general without specifying its
  address
 
  2012/1/13 Simon Perreault simon.perrea...@viagenie.ca
 
  On 01/12/2012 01:18 PM, Илья Шипицин wrote:
 
  we are using nagios for monitoring and it is running on a separate server.
  we do not want to monitor the server from inside.
  we want to run something via ssh and see whether the carp peer is dead or
  not.
 
 
  Give each server it's unique IP address.
  Use a third IP address for carp.
  Monitor all three addresses.
 
  Simon
  --
  DTN made easy, lean, and smart -- http://postellation.viagenie.ca
  NAT64/DNS64 open-source-- http://ecdysis.viagenie.ca
  STUN/TURN server   -- http://numb.viagenie.ca
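As an added example (not code from the thread), here is a POSIX sh script that does what the two CARP threads above ask for, namely telling MASTER from BACKUP without reading ifconfig by eye and checking the peer, and what Otto recommends, comparing the address lists including masks: it parses ifconfig carp output from two peers and flags a dual MASTER, a vhid present on only one peer, and address/netmask lists that differ. The ifconfig blobs are constructed to mimic OpenBSD 5.x output; the interface names, vhids and addresses in them are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Parses ifconfig(8) carp output
# from two peers and reports the inconsistencies discussed above: a vhid
# both peers claim as MASTER, a vhid configured on only one peer, and
# address/netmask lists that differ between peers. Needs only sh, awk, sed.
# The three blobs are constructed to mimic OpenBSD 5.x ifconfig output; on
# real boxes feed it the output of "ssh peer ifconfig carp" instead.

# Peer A (constructed): the box you ssh into, MASTER for both vhids.
PEER_A='carp60: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:3c
        carp: MASTER carpdev vlan60 vhid 60 advbase 1 advskew 0
        groups: carp
        inet 192.0.2.10 netmask 0xffffffc0 broadcast 192.0.2.63
carp61: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:3d
        carp: MASTER carpdev vlan61 vhid 61 advbase 1 advskew 0
        groups: carp
        inet 198.51.100.10 netmask 0xffffff00 broadcast 198.51.100.255
vlan60: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        vlan: 60 priority: 0 parent interface: trunk0
        inet 192.0.2.11 netmask 0xffffffc0 broadcast 192.0.2.63'

# Peer B, broken (constructed): BACKUP on vhid 60 as expected, but also
# MASTER on vhid 61, where its netmask differs from peer A (dual MASTER).
PEER_B_BAD='carp60: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev vlan60 vhid 60 advbase 1 advskew 200
        inet 192.0.2.10 netmask 0xffffffc0 broadcast 192.0.2.63
carp61: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev vlan61 vhid 61 advbase 1 advskew 200
        inet 198.51.100.10 netmask 0xffffffc0 broadcast 198.51.100.63'

# Peer B, healthy (constructed): BACKUP everywhere, same address lists as A.
PEER_B_OK='carp60: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev vlan60 vhid 60 advbase 1 advskew 200
        inet 192.0.2.10 netmask 0xffffffc0 broadcast 192.0.2.63
carp61: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev vlan61 vhid 61 advbase 1 advskew 200
        inet 198.51.100.10 netmask 0xffffff00 broadcast 198.51.100.255'

# carp_summary TEXT: one line per carp interface in ifconfig output TEXT:
#   ifname vhid state carpdev advskew addr/mask[,addr/mask...]
# Interfaces without a "carp:" line (vlan, em, lo) are skipped.
carp_summary() {
    printf '%s\n' "$1" | awk '
    function emit() { if (vhid != "") print ifn, vhid, state, dev, skew, addrs }
    /^[a-z]+[0-9]+:/ {            # header line starts a new interface block
        emit()
        ifn = $1; sub(/:$/, "", ifn)
        vhid = ""; state = ""; dev = ""; skew = ""; addrs = ""
    }
    /^[ \t]+carp:/ {              # "carp: MASTER carpdev vlan60 vhid 60 ..."
        state = $2
        for (i = 3; i < NF; i++) {
            if ($i == "carpdev") dev = $(i + 1)
            if ($i == "vhid")    vhid = $(i + 1)
            if ($i == "advskew") skew = $(i + 1)
        }
    }
    /^[ \t]+inet / {              # collect every inet (not inet6) address
        addrs = addrs (addrs == "" ? "" : ",") $2 "/" $4
    }
    END { emit() }'
}

# carp_check TEXT_A TEXT_B: compare the two peers vhid by vhid. Prints one
# line per problem; returns 1 if any was found, 0 if the pair is consistent.
carp_check() {
    { carp_summary "$1" | sed 's/^/A /'; carp_summary "$2" | sed 's/^/B /'; } |
    awk '
    { state[$1, $3] = $4; addrs[$1, $3] = $7; seen[$3] = 1 }
    END {
        bad = 0
        for (v in seen) {
            if (!(("A", v) in state) || !(("B", v) in state)) {
                print "vhid " v ": configured on only one peer"; bad++; continue
            }
            m = (state["A", v] == "MASTER") + (state["B", v] == "MASTER")
            if (m == 2) { print "vhid " v ": dual MASTER"; bad++ }
            if (m == 0) { print "vhid " v ": no MASTER on either peer"; bad++ }
            if (addrs["A", v] != addrs["B", v]) {
                print "vhid " v ": address/netmask lists differ: " addrs["A", v] " vs " addrs["B", v]
                bad++
            }
        }
        exit (bad > 0)
    }'
}

# Stand-alone demo on the constructed peers.
if carp_check "$PEER_A" "$PEER_B_BAD"; then echo "broken pair: consistent?!"
else echo "broken pair: inconsistency found"; fi
if carp_check "$PEER_A" "$PEER_B_OK"; then echo "healthy pair: consistent"
else echo "healthy pair: inconsistency found?!"; fi
```

Run it from the nagios box over ssh against the two peers (or from ifstated on the boxes themselves) and alert on a non-zero exit; the per-vhid messages say which of the three faults was seen.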



Re: TCO, txpause, rxpause and other nice things on em adapters

2012-01-02 Thread Илья Шипицин
2012/1/2 Christian Weisgerber na...@mips.inka.de:
 Ilya Shipitsin chipits...@gmail.com wrote:

 I'm running servers with em NICs.  People on list reported things
 like hwfeatures=8037<CSUM_IPv4,CSUM_TCPv4,CSUM_UDPv4,VLAN_MTU,VLAN_HWTAGGING,WOL>,
 I do not see such options in ifconfig output.

 Try ifconfig em0 hwfeatures on -current.

f2n0:/root#ifconfig em0 hwfeatures
ifconfig: hwfeatures: bad value



it doesn't work on 5.0RELEASE ?


 neither man page on em says anything about check sum offload.

 Liar.

  The em driver supports IPv4 receive IP/TCP/UDP checksum offload on all
  but 82542-based adapters, VLAN tag insertion and stripping, and Jumbo
  frames on all but 82562V, 82566DC/82566DM and 82573E/82573L/82573V-based
  adapters.

 em are advanced cards, do they already do all things out of a box?

 Yes.

 ifconfig also shows media: Ethernet autoselect (1000baseT
 full-duplex,rxpause,txpause), what is rxpause,txpause ?

 Ethernet flow control.

 --
 Christian naddy Weisgerber  na...@mips.inka.de



TCO, txpause, rxpause and other nice things on em adapters

2012-01-01 Thread Илья Шипицин
Hello!

I'm running servers with em NICs.  People on the list reported things like
hwfeatures=8037<CSUM_IPv4,CSUM_TCPv4,CSUM_UDPv4,VLAN_MTU,VLAN_HWTAGGING,WOL>;
I do not see such options in ifconfig output, and the man page on em does
not say anything about checksum offload either.


em are advanced cards; do they already do all these things out of the box?
do I have to do special tuning for TCO?

ifconfig also shows media: Ethernet autoselect (1000baseT
full-duplex,rxpause,txpause); what are rxpause and txpause?


cheers,
Ilya Shipitsin



how to choose outgoing IPv4 address/interface ?

2011-12-29 Thread Илья Шипицин
Hello!

I'm running a BGP server which is also a dns resolver.

so, the host can go to the internet using 2 addresses:

a) vlan379, which is connected to the bgp peer
b) vlan200, which is my own routable network

the bgp peer is strange: it permits only bgp and icmp traffic over
vlan379; the rest is silently dropped.
I'd like to use the vlan379 address for bgp communication and vlan200 for
the dns resolver (and the rest of the traffic), but OpenBSD simply uses
the vlan379 address.

well, I can use NAT on outgoing traffic, but it doesn't seem to be a
proper solution.
why does OpenBSD choose vlan379? how can I make it use vlan200 for
all outgoing traffic except bgp communication?

Cheers,
Ilya Shipitsin



Re: strange tcp rst with rdomain

2011-12-26 Thread Илья Шипицин
we have 3 ISPs, and we are running haproxy (which is similar to
relayd: it proxies tcp connections from the Internet to the LAN).

so, with rdomains we would need to

a) run 3 instances of haproxy (route -T 2 exec
/usr/local/sbin/haproxy, and so on)
b) all of the haproxy instances would access the LAN, which can belong to
just one rdomain

our situation is very tricky with rdomains. however, we are looking
with interest at rdomains and will probably use them for some other
applications.



2011/12/23 Claudio Jeker cje...@diehard.n-r-g.com:
 On Thu, Dec 22, 2011 at 01:17:10PM +0500, Илья Шипицин wrote:
 thanks everyone.

 routing domains seem to be much more powerful than I need.
 I just needed outgoing packets through the appropriate interface; it
 can be achieved by the reply-to thing in PF.


 You can also use a simple additional routing table.

 route -T 1 add default X.Y.Z.1

 this way the routing table will use routing table 0 to find the gateway
 (all interfaces are in the default rdomain 0) and pf will just tag the
 packets to use the other table for route lookups (adding rtable 1 to rules
 will send all traffic to X.Y.Z.1 for forwarding).

 For simple things route-to/reply-to is maybe easier to setup.

 --
 :wq Claudio



ufs journal ?

2011-12-26 Thread Илья Шипицин
Hello!

I used to run FreeBSD and Linux for years, but I'm not that familiar with
OpenBSD yet.
we are running a buggy server (I suspect RAM); it hangs sometimes and it
takes about 30 minutes to fsck a 7Tb partition.
however, there are very few files and folders yet.

is there a way to speed up fsck? some journalling like UFS2 on
FreeBSD? softupdates?

Cheers,
Ilya Shipitsin



10G router without polling ?

2011-12-22 Thread Илья Шипицин
am I right that OpenBSD does NOT use device polling as FreeBSD or
Linux (where it is called NAPI) do?
will any router (even at 10G rate) work perfectly without polling?

specifically, I have a router (100-200Mb rate now) on Broadcom BCM5721,
which is bge, and Intel PRO/1000 QP (82571EB), which is em.
will those cards work perfectly at any speed without any special tuning?

Cheers,
Ilya Shipitsin



Re: strange tcp rst with rdomain

2011-12-22 Thread Илья Шипицин
thanks everyone.

routing domains seem to be much more powerful than I need.
I just needed outgoing packets through the appropriate interface; it
can be achieved by the reply-to thing in PF.

but I'll keep an eye on rdomains for some future use.

2011/12/21 Henning Brauer lists-open...@bsws.de:
 well that is how rdomains work, they are isolated from each other, pf
 can break that isolation up. an sshd in rdomain 0 is not reachable
 from another rdomain, except pf is used to allow that - or something
 external routes between them.

 * Russell Garrison russell.garri...@gmail.com [2011-12-20 21:50]:
 I was inspired and realized you can do better with pf:

 pass in on em5 proto tcp to 192.168.235.12 port 22 \
 rdr-to 192.168.163.1 rtable 0

 I am not using vlan and my interfaces have IP addresses assigned.
 235.12 above is the management IP of the host in a non-zero rdomain
 and 163.1 is the IP of the host in rdomain 0 with sshd listener
 started. May still not be the best way, but I like this better than
 starting multiple sshd. That approach had an added problem that my tty
 would start in the rdomain local to where I connected, instead of
 using 0 as the default.



 On Tue, Dec 20, 2011 at 3:28 PM, Russell Garrison
 russell.garri...@gmail.com wrote:
  I have found that I need to add something like:
 
  !route -T 2 exec /usr/sbin/sshd
 
  To the pertinent hostname.if file to make sure sshd is listening in
  addtional routing tables, but I do not know if this is best.
 
  On Mon, Dec 19, 2011 at 1:02 PM, Илья Шипицин chipits...@gmail.com wrote:
  Hello.
 
  I'm running multihomed OpenBSD server:
 
  vlan5/carp5 - default
  vlan2/carp2 and vlan4/carp4 are connected to other ISPs.
 
  when there's no rdomain thing, everything seems to be working, except
  all outgoing packets goes through vlan5/carp5.
 
 
  so, I did
 
  f2n0:/root#cat /etc/hostname.vlan2
  vlan 2 vlandev trunk0 mtu 1300
  up
 
  f2n0:/root#cat /etc/hostname.carp2
  vhid 62 pass m1pass carpdev vlan2 X.X.X.X/26 rdomain 2
  !/sbin/route -T 2 add 0.0.0.0/0 X.X.X.Z
  f2n0:/root#cat /etc/hostname.vlan4
  vlan 4 vlandev trunk0 mtu 1300
  up
 
  f2n0:/root#cat /etc/hostname.carp4
  vhid 64 pass m1pass carpdev vlan4 Y.Y.Y.Y/26 rdomain 4
  !/sbin/route -T 4 add 0.0.0.0/0 Y.Y.Y.Z
  f2n0:/root#
 
  also, I did
 
  f2n0:/root#grep -v ^# /etc/pf.conf
 
  set skip on lo
 
  pass in vlan2 rtable 2
  pass in vlan4 rtable 4
 
  pass
 
 
  ping is working well; packets go out via the appropriate interface.
  however, ssh ends with tcp rst, for example.
  how can the reason for that tcp rst be detected?
 
  am I doing anything wrong with rdomains?
 
  Ilya Shipitsin


 --
 Henning Brauer, h...@bsws.de, henn...@openbsd.org
 BS Web Services, http://bsws.de, Full-Service ISP
 Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully
 Managed
 Henning Brauer Consulting, http://henningbrauer.com/



reply-to rule and carp ?

2011-12-22 Thread Илья Шипицин
hello!

I'm running a multihomed server (two servers in a carp cluster).

say carp5 is the default route and carp2 is another ISP. I want to see
outgoing packets leave on the interface they came in on. I supposed it could
be done using the reply-to pf keyword.
however, I'm not sure reply-to is running well with carp. Can anyone
prove such a thing?

I did

set skip on lo

pass in to X.X.X.X reply-to (carp5 X.X.X.N)
pass in to Y.Y.Y.Y reply-to (carp2 Y.Y.Y.N)


pass # to establish keep-state


and pfctl -sa -v shows zero packets and bytes (but a lot of evaluations)

Cheers,
Ilya Shipitsin



strange tcp rst with rdomain

2011-12-19 Thread Илья Шипицин
Hello.

I'm running multihomed OpenBSD server:

vlan5/carp5 - default
vlan2/carp2 and vlan4/carp4 are connected to other ISPs.

when there's no rdomain thing, everything seems to be working, except that
all outgoing packets go through vlan5/carp5.


so, I did

f2n0:/root#cat /etc/hostname.vlan2
vlan 2 vlandev trunk0 mtu 1300
up

f2n0:/root#cat /etc/hostname.carp2
vhid 62 pass m1pass carpdev vlan2 X.X.X.X/26 rdomain 2
!/sbin/route -T 2 add 0.0.0.0/0 X.X.X.Z
f2n0:/root#cat /etc/hostname.vlan4
vlan 4 vlandev trunk0 mtu 1300
up

f2n0:/root#cat /etc/hostname.carp4
vhid 64 pass m1pass carpdev vlan4 Y.Y.Y.Y/26 rdomain 4
!/sbin/route -T 4 add 0.0.0.0/0 Y.Y.Y.Z
f2n0:/root#

also, I did

f2n0:/root#grep -v ^# /etc/pf.conf

set skip on lo

pass in vlan2 rtable 2
pass in vlan4 rtable 4

pass


ping is working well; packets go out via the appropriate interface.
however, ssh ends with tcp rst, for example.
how can the reason for that tcp rst be detected?

am I doing anything wrong with rdomains?

Ilya Shipitsin



Re: Automatic fsck -y at Boot

2011-12-18 Thread Илья Шипицин
how will fsck -p -y work?

the manual says -p quits on a major problem; will -y make it assume
yes or just quit?

2011/12/15 Kenneth R Westerback kwesterb...@rogers.com:
 On Thu, Dec 15, 2011 at 09:55:47AM +0100, Sebastien Maerker, Continum wrote:
 Hello,

 is it possible, like in FreeBSD, to do an automatic fsck -y at boot time
 when the system hangs and needs user intervention?

 In FreeBSD we have the possibility to edit the rc.conf and adding just these
 lines:
 ...
 background_fsck=NO
 fsck_y_enable=YES
 fsck_y_flags=
 ...

 Is there in OpenBSD such a similar thing?

 Thank you in advance
 Sébastien Maerker


 You can change the 'fsck -p' in /etc/rc to whatever variant you wish. There
 is, to my knowledge, no knob.

  Ken



question about CARP/Trunk

2011-12-11 Thread Илья Шипицин
Hello!

we are using linux bonding (the thing called trunk in openbsd) and
there's a very interesting feature called arp_ip_target: a custom ip is
monitored via several links.

can OpenBSD CARP or trunk work that way?

cheers,
Ilya Shipitsin



strange messages on the server screen (ichiic0: abort failed, status 0x41<BUSY,INUSE>)

2011-12-06 Thread Илья Шипицин
hello!

screen and dmesg output attached.
what could it mean ?

Ilya Shipitsin

why skip is not shown in pfctl -s rules ?

2011-10-20 Thread Илья Шипицин
Dear Sirs,

I added couple of rules to pf config file

xxx:/root# grep skip /etc/pf.conf
set skip on enc0
set skip on lo0


xxx:/root# pfctl -f /etc/pf.conf
xxx:/root#


but I do not find skip in pfctl -s rules output:

xxx:/root# pfctl -s rules | grep skip
xxx:/root#


is it ok?


Cheers,
Ilya Shipitsin
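As an added example (not part of the original post): `set skip on` is a pf option, not a filter rule, so `pfctl -s rules` never lists it; pf marks skipped interfaces with "(skip)" in the output of `pfctl -s Interfaces`. Since a skipped interface is left entirely unfiltered, the script below checks that the live skip set matches exactly what pf.conf requests, using constructed sample input so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post).  "set skip on <if>" is a pf
# option, not a filter rule, so "pfctl -s rules" never shows it; pf marks
# skipped interfaces with "(skip)" in the output of "pfctl -s Interfaces".
# Because a skipped interface is left completely unfiltered, this script
# verifies that the live skip set matches exactly what pf.conf requests.
# Both inputs below are constructed samples for offline use; macros such
# as "set skip on $int_if" are not expanded by this simple parser.

PF_CONF_SAMPLE='set skip on enc0
set skip on { lo0 }
pass in on em0'

# Constructed stand-in for the output of "pfctl -s Interfaces".
PFCTL_IFACES_SAMPLE='all
em0
enc0 (skip)
lo0 (skip)
vlan470'

# want_skip <pf.conf text>: interfaces named in "set skip on ..." lines,
# with the optional "{ a, b }" grouping syntax unwrapped.
want_skip() {
    printf '%s\n' "$1" | awk '
        $1 == "set" && $2 == "skip" && $3 == "on" {
            for (i = 4; i <= NF; i++) {
                gsub(/[{},]/, "", $i)
                if ($i != "") print $i
            }
        }' | sort -u
}

# live_skip <pfctl -s Interfaces text>: interfaces pf flags as "(skip)".
live_skip() {
    printf '%s\n' "$1" | awk '$2 == "(skip)" { print $1 }' | sort -u
}

# check_skip <pf.conf text> <pfctl -s Interfaces text>
# Prints one line per discrepancy; returns 0 only when both sets match.
check_skip() {
    want=$(want_skip "$1")
    have=$(live_skip "$2")
    rc=0
    for ifn in $want; do
        printf '%s\n' "$have" | grep -qx "$ifn" ||
            { echo "missing skip: $ifn"; rc=1; }
    done
    for ifn in $have; do
        printf '%s\n' "$want" | grep -qx "$ifn" ||
            { echo "unexpected skip: $ifn"; rc=1; }
    done
    return $rc
}

# Stand-alone run against the constructed samples (they match).
check_skip "$PF_CONF_SAMPLE" "$PFCTL_IFACES_SAMPLE" &&
    echo "skip set matches pf.conf"
```

On a live firewall the same check is `check_skip "$(cat /etc/pf.conf)" "$(pfctl -s Interfaces)"`.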



4.9 build problems

2011-10-10 Thread Илья Шипицин
server is 4.9/amd64
source is CVS/4.9


cd /usr/src
make build

is it ok that the system cannot build itself from source?

building shared object objc library
ranlib libobjc_pic.a
building shared objc library (version 5.0)
cc -shared -fpic  -o libobjc.so.5.0  `lorder archive.so class.so
encoding.so gc.so hash.so init.so linking.so misc.so nil_method.so
NXConstStr.so Object.so objects.so Protocol.so sarray.so selector.so
sendmsg.so thr.so thr-objc.so exception.so|tsort -q`
=== libstdc++-v3
c++ -O2 -pipe -g -DIN_GLIBCPP_V3 -DHAVE_CONFIG_H
-I/usr/src/gnu/lib/libstdc++-v3/../libstdc++-v3/
-I/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/libsupc++
-I/usr/src/gnu/lib/libstdc++-v3/../../gcc/gcc
-I/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include
-I/usr/src/gnu/lib/libstdc++-v3/../../gcc/gcc/gcc/include
-I/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include
-I/usr/src/gnu/lib/libstdc++-v3/../libiberty/include -I.
-frandom-seed=RepeatabilityConsideredGood -DIN_GLIBCPP_V3
-DHAVE_CONFIG_H -I/usr/src/gnu/lib/libstdc++-v3
-I/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/libsupc++
-I/usr/src/gnu/lib/libstdc++-v3/../../gcc/gcc
-I/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include
-I/usr/src/gnu/lib/libstdc++-v3/../../gcc/gcc/gcc/include
-I/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include
-I/usr/src/gnu/lib/libstdc++-v3/../libiberty/include -I.
-frandom-seed=RepeatabilityConsideredGood  -fno-implicit-templates
-ffunction-sections -fdata-sections  -Wno-deprecated
-fno-implicit-templates -ffunction-sections -fdata-sections
-Wno-deprecated  -idirafter /home/dest/usr/include/g++  -nostdinc
-idirafter /home/dest/usr/include -c
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/src/bitmap_allocator.cc
-o bitmap_allocator.o
In file included from
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/ext/bitmap_allocator.h:37,
 from
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/src/bitmap_allocator.cc:30:
/home/dest/usr/include/g++/cstddef:50:28: error: bits/c++config.h: No
such file or directory
In file included from
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/ext/bitmap_allocator.h:43,
 from
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/src/bitmap_allocator.cc:30:
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/ext/concurrence.h:41:24:
error: bits/gthr.h: No such file or directory
In file included from
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/ext/bitmap_allocator.h:37,
 from
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/src/bitmap_allocator.cc:30:
/home/dest/usr/include/g++/cstddef:53: error: expected constructor,
destructor, or type conversion before '(' token
/home/dest/usr/include/g++/cstddef:58: error: '_GLIBCXX_END_NAMESPACE'
does not name a type
In file included from
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/ext/bitmap_allocator.h:38,
 from
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/src/bitmap_allocator.cc:30:
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/bits/functexcept.h:93:
error: '_GLIBCXX_END_NAMESPACE' does not name a type
In file included from /home/dest/usr/include/g++/utility:66,
 from
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/ext/bitmap_allocator.h:39,
 from
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/src/bitmap_allocator.cc:30:
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/bits/stl_relops.h:136:
error: '_GLIBCXX_END_NAMESPACE' does not name a type
In file included from /home/dest/usr/include/g++/utility:67,
 from
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/ext/bitmap_allocator.h:39,
 from
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/src/bitmap_allocator.cc:30:
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/bits/stl_pair.h:94:
error: template with C linkage
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/bits/stl_pair.h:96:
error: expected ',' or '...' before '' token
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/bits/stl_pair.h:96:
error: 'bool operator==(int)' must have an argument of class or
enumerated type
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/bits/stl_pair.h:100:
error: template with C linkage
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/bits/stl_pair.h:102:
error: expected ',' or '...' before '' token
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/bits/stl_pair.h:102:
error: 'bool operator(int)' must have an argument of class or
enumerated type
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/bits/stl_pair.h:107:
error: template with C linkage
/usr/src/gnu/lib/libstdc++-v3/../../gcc/libstdc++-v3/include/bits/stl_pair.h:109:
error: expected ',' or '...' before '' token

Re: 4.9 build problems

2011-10-10 Thread Илья Шипицин
DESTDIR was the reason for the mess.
unset DESTDIR solved the problem.

2011/10/10 Stuart Henderson s...@spacehopper.org:
 You polluted your source directory by building without 'make obj'.
 Simplest is to wipe it, make a fresh checkout, and this time follow
 section 5.3.5 from http://www.openbsd.org/faq/faq5.html



any working example of IPv6 /etc/hostname.carpXXX ?

2011-04-20 Thread Илья Шипицин
Dear Sirs,

I need to configure ipv6 over carp interface. It seems that carp doesn't
like things in one line


ifconfig carp470 vhid 70 pass xxx carpdev vlan470 advskew 20 inet6
2a00:1a70:80:470::2 prefixlen 128

it says something is wrong with ipv6. I don't have any idea why. so, a one-line
config for hostname.carpXXX will not work.

if I do two ifconfigs:


ifconfig carp470 vhid 70 pass xxx carpdev vlan470 advskew 20
ifconfig carp470 inet6 2a00:1a70:80:470::2 prefixlen 128


everything seems to be ok.

but if I put the stuff in hostname.carpXXX

r1n0:/root# cat /etc/hostname.carp470

vhid 70 pass xxx carpdev vlan470 advskew 20
inet6 2a00:1a70:80:470::2 prefixlen 128
up


I got no ipv6 address and carp is in INIT state (no RUNNING flag).


is there a way to configure ipv6 + carp from /etc/hostname.XXX ?

Cheers,
Ilya Shipitsin



Re: question regarding bgpd

2011-02-06 Thread Илья Шипицин
each single part is unclear

2011/2/6 Stuart Henderson s...@spacehopper.org:
 On 2011-01-27,  ??? chipits...@gmail.com wrote:
 I tried to investigate a little...

 2) my AS is 49675, 91.142.140.0/24 at location A and
 193.169.238.0/24 at location B, there are announces on rib

 R0N0#bgpctl show rib | grep 49675
   91.142.140.0/24 87.229.147.182 100 0 31359 3216 8342 49675 i
   91.142.140.0/24 81.91.54.241   100 0 25086 12389 16083 49675 i
   91.142.140.0/24 80.78.109.138  100 0 16285 20485 9002 16083 49675 i

 but no prefixes on fib

 what part of bgpd doesn't currently support this is unclear?



 On 2011-01-26,  ??? chipits...@gmail.com wrote:
 Dear Sirs,

 we are running our AS in many locations (say AS65000)

 (location 1, AS65000, network n1.n1.n1.n1)  Internet ---
 (location 2, same AS65000, network n2.n2.n2.n2)

 when we were running quagga, allowas-in made it work. otherwise
 there was no route except default between two locations.
 now we are replacing quagga with OpenBGPD, what is openbgpd's
 equivalent of allowas-in ?

 Cheers,
 Ilya Shipitsin

 P.S. just to make sure - I already read manuals and somehow I didn't
 find relevant information there. So, if all you can say is RTFM,
 please also say where exactly relevant information is located.



 bgpd doesn't currently support this.



Re: question regarding bgpd

2011-01-27 Thread Илья Шипицин
I tried to investigate a little...

1) how do I enable logging? I used "log updates" and the -v flag. not a
bunch of diagnostics...

2) my AS is 49675, 91.142.140.0/24 at location A and
193.169.238.0/24 at location B, there are announces on rib

R0N0#bgpctl show rib | grep 49675
  91.142.140.0/24 87.229.147.182 100 0 31359 3216 8342 49675 i
  91.142.140.0/24 81.91.54.241   100 0 25086 12389 16083 49675 i
  91.142.140.0/24 80.78.109.138  100 0 16285 20485 9002 16083 49675 i

but no prefixes on fib

R0N0#bgpctl show fib | grep 49675
R0N0#

I do not see even a little complaint about why it refuses them.





Re: question regarding bgpd

2011-01-27 Thread Илья Шипицин
 Try bgpctl sh fib | grep your_prefix

it's not there

R0N0#bgpctl sh fib | grep 91.142.140
R0N0#

it's reachable only via default route:

R0N0#route -n get 91.142.140.254
   route to: 91.142.140.254
destination: default
       mask: default
    gateway: 80.78.109.138
  interface: carp102
 if address: 80.78.109.137
   priority: 48 (bgp)
      flags: <GATEWAY,DONE>
     use       mtu    expire
 6587265         0         0
R0N0#


well, I didn't try the suggested patch yet. I need to upgrade to 4.8 first.




 I do not see even a little complaint about why it refuses them.


 Regards,


 Insan Praja
 --
 Using Opera's revolutionary email client: http://www.opera.com/mail/



question regarding bgpd

2011-01-25 Thread Илья Шипицин
Dear Sirs,

we are running our AS in many locations (say AS65000)

(location 1, AS65000, network n1.n1.n1.n1)  Internet ---
(location 2, same AS65000, network n2.n2.n2.n2)

when we were running quagga, allowas-in made it work. otherwise
there was no route except default between two locations.
now we are replacing quagga with OpenBGPD, what is openbgpd's
equivalent of allowas-in ?

Cheers,
Ilya Shipitsin

P.S. just to make sure - I already read manuals and somehow I didn't
find relevant information there. So, if all you can say is RTFM,
please also say where exactly relevant information is located.



CARP-ed dns server ?

2010-09-20 Thread Илья Шипицин
Hello!

does anybody run a dns server on a CARP interface?

Cheers,
Ilia Chipitsine



Re: CARP-ed dns server ?

2010-09-20 Thread Илья Шипицин
hello!

can you provide more details?

1. what is the dns software?
2. how are the two copies of the dns server (on master and backup) replicated?
3. any carp hooks on switching?

cheers,
Ilia Chipitsine

2010/9/20 Henning Brauer lists-open...@bsws.de:
 *  ??? chipits...@gmail.com [2010-09-20 08:35]:
 does anybody run a dns server on a CARP interface?

 yup.

 --
 Henning Brauer, h...@bsws.de, henn...@openbsd.org
 BS Web Services, http://bsws.de
 Full-Service ISP - Secure Hosting, Mail and DNS Services
 Dedicated Servers, Rootservers, Application Hosting


