Re: SSH Controlmaster holding devices
Thus said Courtney on Mon, 05 Feb 2024 12:55:20 -0800:

> I wasn't aware that it would still be impacted when leaving the cwd.

Your shell "left the cwd" but the SSH process did not. In other words, don't start processes from a mount point that you expect to be able to unmount later (or kill them first).

Andy
Re: Proper way to set PATH environment with SSH non-interactive command
Thus said "Andy Bradford" on 04 Feb 2024 08:39:27 -0700:

> But is there a file that I can modify that will cause the shell proper
> to load some kind of environment setup also for non-interactive shells
> started with -c?

[For the archives]

As it turns out, given that the shell does not itself read any profile configuration files for non-interactive shells, I can just update /etc/login.conf using ~/bin in the path:

default:\
	:path=~/bin /usr/bin /bin /usr/sbin /sbin /usr/X11R6/bin /usr/local/bin /usr/local/sbin:\

Before:

$ ssh localhost env | grep PATH
amb@localhost's password:
PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin

After:

$ ssh localhost env | grep PATH
amb@localhost's password:
PATH=/home/amb/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin

Arguably, this could be done for a class that is assigned to different users for which this should apply so not everyone has this. Also, this does not impact interactive shells because, well, interactive shells read ~/.profile and consequently ENV applies.

Andy
Re: Proper way to set PATH environment with SSH non-interactive command
Thus said "Allan Streib" on Sun, 04 Feb 2024 20:54:26 -0500:

> Just send the full path to your script in the ssh command, and set up
> the rest of the environment within the script.

Yes, this too is an option. It may actually be the best option in my opinion. If the user knows that their binary is found in a non-standard path, then the simplest thing is to specify the full path to the binary and leave the environment alone.

Thanks,

Andy
Re: Proper way to set PATH environment with SSH non-interactive command
Thus said Kastus Shchuka on Sun, 04 Feb 2024 13:40:58 -0800:

> SetEnv Directly specify one or more environment variables and their
> contents to be sent to the server.

Thank you, this option looks like it could also work, except it's not one of which a user with no permissions can take advantage, as the AcceptEnv option is disabled by default on most servers I imagine.

So, while a normal user can set the environment for interactive shells, it seems that for non-interactive shells, the only viable solution is to prepend each command with the environment to be set (I see nothing in ksh(1) that suggests that the environment of non-interactive shells is under the control of the user).

Also, I don't seem to be successful in making SetEnv (or SendEnv) work. I've reconfigured (and restarted) sshd_config to have:

AcceptEnv PATH

Then I configured ~/.ssh/config with:

Host localhost
	SetEnv PATH=/home/amb/bin:/bin:/usr/bin:/usr/local/bin

When I run "ssh -v localhost env" I can see that the client sends the path:

debug1: channel 1: setting env PATH = "/home/amb/bin:/bin:/usr/bin:/usr/local/bin"
debug1: Sending command: env

But env reports the following PATH:

PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin

I also tried using SendEnv but while the client sends the environment, the server seems to ignore it, even if I set the AcceptEnv pattern to *.

# sshd -T -C user=amb,host=localhost | grep acceptenv
acceptenv PATH

When I run "sshd -d -d" I see the following in the output:

debug2: Setting env 0: PATH=/home/amb/bin:/bin:/usr/bin:/usr/local/bin

So it certainly looks like the server is accepting the path, however, env still reports a different path. Is this perhaps a bug? Maybe step 5 in LOGIN PROCESS is overwriting the PATH that was sent and received by the server?

This is on OpenBSD 7.4.

Thanks,

Andy
Proper way to set PATH environment with SSH non-interactive command
Hello,

When using SSH to invoke a remote command via the syntax:

ssh remotehost remotecommand

The $HOME/.profile is not used and there appears to be a very minimal environment setup. The PATH does not include any components that have been added in .profile. This is probably what step 5 in the LOGIN PROCESS is all about:

http://man.openbsd.org/sshd#LOGIN_PROCESS

According to the man page for sshd(8):

After this, the client either requests an interactive shell or execution of a non-interactive command, which sshd will execute via the user's shell using its -c option.

So in the case where an interactive shell is chosen, the PATH will be set according to .profile, but in the case where a non-interactive command is chosen, a shell is invoked with -c.

So I have a script in $HOME/bin (which is defined in PATH normally in .profile) which I can run when logged in interactively:

$ helloworld
HELLO WORLD

But when I try to run it as a non-interactive command, it fails:

$ ssh localhost helloworld
amb@localhost's password:
ksh: helloworld: not found

Obviously, one way to do this is by calling the command like:

$ ssh localhost PATH=\$HOME/bin:\$PATH helloworld
amb@localhost's password:
HELLO WORLD

This works and can be seen in ssh -v output as:

debug1: Sending command: PATH=$HOME/bin:$PATH helloworld

But is there a file that I can modify that will cause the shell proper to load some kind of environment setup also for non-interactive shells started with -c? sshd does have PermitUserEnvironment and that works, however, it's not enabled by default and it's not a function of the SHELL proper.

From a user perspective, it seems that the user only has control of the environment when using interactive shells and there is no way to control the environment for non-interactive shells (from the remote side). Are these the only 2 options (PermitUserEnvironment or prepend the command with the environment) or is there something I'm missing from ksh(1)?

Thanks,

Andy
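The thread settles on prepending the environment to the remote command (ssh localhost PATH=\$HOME/bin:\$PATH helloworld). ssh joins its remaining arguments with spaces and sshd hands that one string to the user's shell with -c, so everything in it, including any value you splice in from elsewhere, is re-parsed as shell syntax on the remote side. The POSIX sh helper below is an added example, not code from this thread or from OpenBSD: it builds such a command line with every variable value and every command argument single-quoted, so a value containing ";" or "$(...)" stays a value instead of becoming a second remote command. The function names, the ordinary-looking sample values and the demonstration runs (which feed the generated line to the local sh -c in place of ssh, so the example runs offline) are assumptions for the demonstration. Because values are quoted they are passed literally: write /home/amb/bin rather than $HOME/bin if you use it.

```shell
#!/bin/sh
# Added example (not from the thread): build the string that "ssh host ..."
# hands to the remote "$SHELL -c", with every environment value and command
# argument single-quoted. ssh concatenates its arguments and the remote
# shell re-parses the result, so an unquoted value such as
#   PATH=/tmp;id
# would run "id" on the remote host; quoting keeps it a plain value.

# sq STRING: print STRING wrapped in single quotes, with embedded single
# quotes escaped as '\'' so the remote shell reads them literally.
sq() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# remote_cmd NAME=VALUE ... [--] CMD [ARG ...]
# Prints: NAME='VALUE' ... 'CMD' 'ARG' ...
# Assignments stop at "--" or at the first word without "=". Only NAME is
# checked (shell identifier rules); VALUE may be anything and is never
# interpreted on the remote side.
remote_cmd() {
    _line=
    while [ $# -gt 0 ]; do
        case $1 in
            --)  shift; break ;;
            *=*) ;;
            *)   break ;;          # first word without '=' starts the command
        esac
        _name=${1%%=*}
        _value=${1#*=}
        case $_name in
            ""|[0-9]*|*[!A-Za-z0-9_]*)
                printf 'remote_cmd: bad variable name: %s\n' "$_name" >&2
                return 1 ;;
        esac
        _line="$_line$_name=$(sq "$_value") "
        shift
    done
    [ $# -gt 0 ] || { printf 'remote_cmd: no command given\n' >&2; return 1; }
    for _arg; do
        _line="$_line$(sq "$_arg") "
    done
    printf '%s\n' "${_line% }"
}

# Demonstration: run the generated line through the local "sh -c", which is
# what sshd does with the user's shell on the remote side (assumed here so
# the example runs offline). Prints the PATH the command saw.
demo_path() {
    _cmd=$(remote_cmd "PATH=/home/amb/bin:/usr/bin:/bin" -- sh -c 'printf %s "$PATH"')
    sh -c "$_cmd"
}

# A hostile value (constructed for the demo) stays a value: the shell prints
# it back verbatim instead of executing the part after the semicolon.
demo_hostile() {
    _cmd=$(remote_cmd 'GREETING=hello; touch /tmp/pwned' -- sh -c 'printf %s "$GREETING"')
    sh -c "$_cmd"
}

# Typical use (needs a reachable host, so not run here):
#   ssh localhost "$(remote_cmd PATH=/home/amb/bin:/usr/bin:/bin -- helloworld)"
```

The generated line is one argument to ssh, so the local shell does not expand anything in it; that is deliberate, since the point is that the remote shell sees exactly the quoted words and nothing else.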
Re: qcad does not segfault when qtscript is compiled with -O0.
Thus said Stuart Henderson on Tue, 26 Dec 2023 23:25:42 +:

> This was already diagnosed and fixed in -current, see
> https://marc.info/?l=openbsd-ports=170160684730438=2

Indeed it was. While I do follow ports@ I must not have noticed because I only recently discovered the association with qtscript and -O0 today. Thanks for the response.

Andy
qcad does not segfault when qtscript is compiled with -O0.
:1320
1320		while (context) {
(gdb) print context
$11 = (QScriptContext *) 0x1

When I run it compiled with -O0 the value of that context pointer is 0x0 at this same moment in execution. Is 0x1 something unique to the compiler that is trying to protect against bad code? Is there other useful information that I can try to obtain to figure out why it's crashing or what it's doing wrong? Is this perhaps a question for the QCad community?

Thanks,

Andy

[1] https://marc.info/?l=openbsd-misc=166019212130315=2
Re: Default rdomain for CLI commands
A lot of interesting responses here! And the correct answer goes to Claudio! ;) Claudio correctly noted that if I am logging into the firewall via an SSH daemon running in a non-zero rdomain, then all commands I run in that SSH VTY will also be run under that rdomain :) And I will do some more testing with my cronjobs to figure out why I had to add route -T0 exec to my crons, maybe I broke something in login.conf. As always, thanks for your time and comments everyone! Always appreciated Andy > On 24 Oct 2023, at 18:51, Claudio Jeker wrote: > > On Tue, Oct 24, 2023 at 08:39:33AM -, Stuart Henderson wrote: >>> On 2023-10-24, Andy Lemin wrote: >>> Hi all, >>> >>> Just a quick question. >>> >>> I have multiple rdomains. My outside rdomain (rdomain 0) has a single >>> default route to my ISP. And my internal rdomain 9 has multiple default >>> routes pointing to various pairX interfaces for some funky routing stuff. >>> >>> Everything works beautifully, however, every command I type on the box >>> locally or over SSH which needs internet for example, is being executed >>> under the internal rdomain, not the edge rdomain. >>> >>> So I have to run; >>> ‘route -T0 exec syspatch’ for example. >>> >>> How do I set/override the default rdomain for system level CLI commands? >> >> The basic answer to your question is "set rtable in login.conf for the >> relevant class". But that doesn't explain why your machine is not already >> using rtable 0.. >> > > Because I think login.conf(5) is wrong. The default rtable is not 0. If > rtable is not set the current rtable is not modified by login_cap(3). > > -- > :wq Claudio > > Index: login.conf.5 > === > RCS file: /cvs/src/share/man/man5/login.conf.5,v > retrieving revision 1.70 > diff -u -p -r1.70 login.conf.5 > --- login.conf.531 Mar 2022 17:27:23 -1.70 > +++ login.conf.524 Oct 2023 08:41:21 - 
> @@ -284,7 +284,7 @@ Initial priority (nice) level. > Require home directory to login. > .\" > .Pp > -.It rtable Ta number Ta Dv 0 Ta > +.It rtable Ta number Ta "" Ta > Rtable to be set for the class. > .\" > .Pp >
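Review bot: the hunk only blanks the default column of the rtable entry (`.It rtable Ta number Ta "" Ta`), but the description line that follows, `Rtable to be set for the class.`, still does not say what happens when the capability is absent, which is exactly what tripped Andy up. The message carrying the patch states the actual behaviour ("If rtable is not set the current rtable is not modified by login_cap(3)"), so a sentence to that effect belongs in the description, for example `If unset, the rtable of the calling process is left unchanged.` That documents why a session started by an sshd or cron running in rdomain 9 stays in rdomain 9 unless the class sets rtable or the command is wrapped in route -T0 exec, instead of leaving the reader to infer it from an empty default.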
Re: Default rdomain for CLI commands
Hi Lyndon,

That is a good trick, I will try that. But it is more of an unexpected nuisance as I'm expecting the default to be rdomain 0. It seems to switch to use the rdomain with the most default routes which breaks things unexpectedly - for example many crontab commands break after adding routes, so now have to _always_ prefix with route -T0 exec (to support automated route changes etc). This must be unexpected behaviour to change dynamically like this?

Thanks for your help,
Andy.

> On 24 Oct 2023, at 14:09, Lyndon Nerenberg (VE7TFX/VE6BBM) wrote:
>
> Andy Lemin writes:
>
>> So I have to run;
>> ‘route -T0 exec syspatch’ for example.
>>
>> How do I set/override the default rdomain for system level CLI commands?
>
> If you're talking about running a bunch of interactive shell commands
> in rdomain 0, just 'route -T0 exec sh' to drop into a sub-shell in
> rdomain 0.
>
> --lyndon
Default rdomain for CLI commands
Hi all,

Just a quick question.

I have multiple rdomains. My outside rdomain (rdomain 0) has a single default route to my ISP. And my internal rdomain 9 has multiple default routes pointing to various pairX interfaces for some funky routing stuff.

Everything works beautifully, however, every command I type on the box locally or over SSH which needs internet for example, is being executed under the internal rdomain, not the edge rdomain.

So I have to run;
‘route -T0 exec syspatch’ for example.

How do I set/override the default rdomain for system level CLI commands?

Thanks for your thoughts,
Andy.
Re: Delay in starting xterm via ssh after upgrade from 7.3 to 7.4
Thus said Roger Marsh on Thu, 19 Oct 2023 17:23:47 -:

> fixes the delay problem, but was the delay a predictable consequence
> of some change? Or perhaps the entry should never have been expressed
> in the way that led to the delay?

Most likely the cause is an unexpected side effect of some other change. There have been some interesting changes to SSH with this release, perhaps try disabling:

http://man.openbsd.org/OpenBSD-7.4/ssh_config#ObscureKeystrokeTiming

I would be surprised if this is actually the cause, but it is a change that was introduced and something that is easily tested. You could also look through:

http://www.openbsd.org/plus74.html

See if any of the changes stand out as relevant and try to test them.

Andy
Re: OpenBSD Wireguard implementation not copying ToS from inner to outer WG header
> On 29 Sep 2023, at 00:09, Sonic wrote:
>
> Hopefully not as dumb of a question as I suspect it might be.
> Does the generic...
> =
> match out on $ext_if inet proto tcp from ($ext_if) set prio (3, 7)
> match in on $ext_if inet proto tcp to ($ext_if) set prio (3, 7)
> =
> ...take advantage of this patch when using wireguard or does the match need
> to be applied to the wgx interface?

Hi.

I have a generic ‘match’ which does not specify interfaces or direction, and which sets prio, tos, and queue on all the important things. So yes, like your example but without direction or interface. And of course use specific interface-dependent rules to pass or drop things as needed.

Then as packets enter the inside interface, the prio will be set. And when the packet gets to the wg interface, the prio is copied (with this patch), and finally the encrypted packet gets pulled out of the outside interface’s queue in prio order (there is more going on here, but you can assume prio order).

You will not currently be able to get the encrypted packet into any queue other than the ‘default’ queue as the packet tos flags and queue state labels are lost during encryption. But now that the prio is copied with this patch, at least your ACKs etc will be pulled from the one default queue first. As this will be facing your internet connection (smaller than your LAN), you should still see a benefit even though TOS is not yet copied. The longer the pipe / greater the BDP, the more noticeable it will be.

Hope this helps,
Andy.
Re: OpenBSD Wireguard implementation not copying ToS from inner to outer WG header
On 19 Sep 2023, at 20:07, Janne Johansson wrote:

> On Sun 17 Sep 2023 at 09:19, Andrew Lemin wrote:
>
>> Hi, I have been testing the Wireguard implementation on OpenBSD and noticed that the ToS field is not being copied from the inner unencrypted header to the outer Wireguard header, resulting in ALL packets going into the same PF Prio / Queue.
>
> I think the original wireguard implementation defines it as a feature:
> You can see the lines at https://github.com/WireGuard/wireguard-linux/blob/stable/drivers/net/wireguard/send.c#L373
> they skip bringing it along to not leak that information to the outside.

Hi,

Yes totally agree that copying to the outer IP header should be configurable, so users have the choice to hide priority packets if required.

For my use case I _would_ like to have it in the IP header as well, as I am not trying to achieve extreme privacy, but a high performance tunnel between sites over the internet.

Allowing OpenBSD to prioritise internally makes sense to always be on however, as the ISP link is nearly always a lower speed.

> --
> May the most significant bit of your life be positive.
Re: PF queue bandwidth limited to 32bit value
> On 15 Sep 2023, at 18:54, Stuart Henderson wrote:
>
> On 2023/09/15 13:40, Andy Lemin wrote:
>> Hi Stuart,
>>
>> Seeing as it seems like everyone is too busy, and my workaround
>> (not queue some flows on interfaces with queue defined) seems of no
>> interest,
>
> well, it might be, but I'm not sure if it will fit with how
> queues work..

Well I can only hope some more developers see this :)

>
>> and my current hack to use queuing on Vlan interfaces is
>> a very incomplete and restrictive workaround; Would you please be
>> so kind as to provide me with a starting point in the source code
>> and variable names to concentrate on, where I can start tracing from
>> beginning to end for changing the scale from bits to bytes?
>
> maybe try hfsc.c, but overall there are quite a few files involved
> in queue definition and use from start to finish. or going from the
> other side start with how pfctl defines queues and follow through
> from there.
>

Thank you, I will try (best effort as time permits), and see how far I get.. (probably not far ;)
Re: PF queue bandwidth limited to 32bit value
Hi Stuart,

Seeing as it seems like everyone is too busy, and my workaround (not queue some flows on interfaces with queue defined) seems of no interest, and my current hack to use queuing on Vlan interfaces is a very incomplete and restrictive workaround; Would you please be so kind as to provide me with a starting point in the source code and variable names to concentrate on, where I can start tracing from beginning to end for changing the scale from bits to bytes?

Thanks :)
Andy

On 14 Sep 2023, at 19:34, Andrew Lemin wrote:

> On Thu, Sep 14, 2023 at 7:23 PM Andrew Lemin wrote:
>
>> On Wed, Sep 13, 2023 at 8:35 PM Stuart Henderson wrote:
>>
>>> On 2023-09-13, Andrew Lemin wrote:
>>>> I have noticed another issue while trying to implement a 'prio'-only
>>>> workaround (using only prio ordering for inter-VLAN traffic, and HSFC
>>>> queuing for internet traffic);
>>>> It is not possible to have internal inter-vlan traffic be solely priority
>>>> ordered with 'set prio', as the existence of 'queue' definitions on the
>>>> same internal vlan interfaces (required for internet flows), demands one
>>>> leaf queue be set as 'default'. Thus forcing all inter-vlan traffic into
>>>> the 'default' queue despite queuing not being wanted, and so
>>>> unintentionally clamping all internal traffic to 4294M just because full
>>>> queuing is needed for internet traffic.
>>>
>>> If you enable queueing on an interface all traffic sent via that interface
>>> goes via one queue or another.
>>
>> Yes, that is indeed the very problem. Queueing is enabled on the inside interfaces, with bandwidth values set slightly below the ISP capacities (multiple ISP links as well), so that all things work well for all internal users.
>>
>> However this means that inter-vlan traffic from client networks to server networks is restricted to 4294Mbps for no reason.. It would make a huge difference to be able to allow local traffic to flow without being queued/restricted.
>>
>>> (also, AIUI the correct place for queues is on the physical interface not
>>> the vlan, since that's where the bottleneck is... you can assign traffic
>>> to a queue name as it comes in on the vlan but I believe the actual queue
>>> definition should be on the physical iface).
>>
>> Hehe yes I know. Thanks for sharing though.
>>
>> I actually have very specific reasons for doing this (queues on the VLAN ifaces rather than phy) as there are multiple ISP connections for multiple VLANs, so the VLAN queues are set to restrict for the relevant ISP link etc.
>>
>> Also separate to the multiple ISPs (I won't bore you with why as it is not relevant here), the other reason for queueing on the VLANs is because it allows you to get closer to the 10Gbps figure..
>>
>> I.e., if you have queues on the 10Gbps PHY, you can only egress 4294Mbps to _all_ VLANs. But if you have queues per-VLAN iface, you can egress multiple times 4294Mbps on aggregate.
>>
>> E.g., vlans 10,11,12,13 on a single mcx0 trunk. 10->11 can do 4294Mbps and 12->13 can do 4294Mbps, giving over 8Gbps egress in total on the PHY.
>>
>> It is dirty, but like I said, desperate for workarounds... :(
>>
>>> "required for internet flows" - depends on your network layout.. the
>>> upstream feed doesn't have to go via the same interface as inter-vlan
>>> traffic.
>>
>> I'm not sure what you mean. All the internal networks/vlans are connected to local switches, and the switches have a trunk to the firewall which hosts the default gateway for the VLANs and does inter-vlan routing.
>>
>> So all the clients go through the same VLANs/trunk/gateway for inter-vlan as they do for internet. Strict L3/4 filtering is required on inter-vlan traffic.
>>
>> I am honestly looking for support to recognise that this is a correct, valid and common setup, and so there is a genuine need to allow flows to not be queued on interfaces that have queues (which has many potential applications for many use cases, not just mine - so should be of interest to the developers?).
>>
>> Do you know why there has to be a default queue?
>
> Yes I know that traffic excluded from queues would take from the same interface the queueing is trying to manage, and potentially causes congestion. However with 10Gbps networking which is beyond common now, this does not matter when the queues are stuck at 4294Mbps.
>
> Desperately trying to find workarounds that appeal.. Surely the need is a no brainer, and it is just a case of trying to encourage interest from a developer?
>
> Thanks :)
Re: SCRIPT_FILENAME not set to index file.
Thus said "Andy Bradford" on 19 Aug 2023 08:44:23 -0600:

> location "/books/*" {
>         fastcgi socket "/run/tcl.sock"
>         directory { index "index.tcl" }
> }

Responding to self for the archives in case someone runs into a similar challenge. I think I've figured out the problem. I was combining too many options into a single "location" rule. This works as expected:

location "/books/index.tcl" {
        fastcgi socket "/run/tcl.sock"
}
location "/books/" {
        directory { index "index.tcl" }
}
location "/books/*.tcl" {
        block
}

Sorry for the noise.

Andy
SCRIPT_FILENAME not set to index file.
Hello,

I have the following configuration in httpd.conf:

location "/books/*" {
        fastcgi socket "/run/tcl.sock"
        directory { index "index.tcl" }
}

When I put the URL into my browser https://localhost/books/ I get a 500 Internal Server Error. Looking at the slowcgi logs, I see the following being set:

2023-08-19 08:35:18.157737500 slowcgi: env[2], SCRIPT_FILENAME=/vhosts/ssl/books/
...
2023-08-19 08:35:18.157950500 slowcgi: fork: /vhosts/ssl/books/
2023-08-19 08:35:18.158928500 slowcgi: wait: /vhosts/ssl/books/

And in the httpd log I find:

slowcgi: execve /vhosts/ssl/books/: Permission denied

I notice that if I put the full URL in my browser as https://localhost/books/index.html it works fine as can be seen from this log entry:

2023-08-19 08:38:58.806406500 slowcgi: env[2], SCRIPT_FILENAME=/vhosts/ssl/books/index.tcl

Is there some confirmation I'm missing to make httpd construct the SCRIPT_FILENAME properly when using a directory index?

Also, I notice that if I put the URL https://localhost/books/bogus.html I don't get a 404 or 403 but instead get a 500 and the SCRIPT_FILENAME is again set to /vhosts/ssl/books. I suspect there's something missing in my reading of the man page.

Thanks,

Andy
Re: IPsec "road warrior" VPN not getting set up properly.
Thus said Anthony Coulter on Thu, 06 Jul 2023 21:52:54 -0400:

> I would also suggest comparing the "hackiness" of NDP proxying to the
> hackiness of NAT, which is how we solve this same problem in IPv4.

I realize I'm coming in late to this discussion, and may not actually have anything of value to add, but...

I'm not sure how NDP proxying and NAT are related at all. It seems to me that NDP proxying is more akin to proxy ARP than NAT:

http://man.openbsd.org/arp#s

Andy
qcad segfault on 7.1 amd64
uot; rev 0x11: apic 0 int 17 usb3 at ehci1: USB revision 2.0 uhub3 at usb3 configuration 1 interface 0 "AMD EHCI root hub" rev 2.00/1.00 addr 1 piixpm0 at pci0 dev 20 function 0 "AMD Hudson-2 SMBus" rev 0x16: SMI iic0 at piixpm0 spdmem0 at iic0 addr 0x52: 8GB DDR3 SDRAM PC3-12800 spdmem1 at iic0 addr 0x53: 8GB DDR3 SDRAM PC3-12800 azalia1 at pci0 dev 20 function 2 "AMD Hudson-2 HD Audio" rev 0x01: apic 0 int 16 azalia1: codecs: Realtek ALC662 audio0 at azalia1 pcib0 at pci0 dev 20 function 3 "AMD Hudson-2 LPC" rev 0x11 ppb1 at pci0 dev 20 function 4 "AMD Hudson-2 PCI" rev 0x40 pci2 at ppb1 bus 2 ohci2 at pci0 dev 20 function 5 "AMD Hudson-2 USB" rev 0x11: apic 0 int 18, version 1.0, legacy support pchb4 at pci0 dev 24 function 0 "AMD 15h Link Cfg" rev 0x00 pchb5 at pci0 dev 24 function 1 "AMD 15h Address Map" rev 0x00 pchb6 at pci0 dev 24 function 2 "AMD 15h DRAM Cfg" rev 0x00 pchb7 at pci0 dev 24 function 3 "AMD 15h Misc Cfg" rev 0x00 pchb8 at pci0 dev 24 function 4 "AMD 15h CPU Power" rev 0x00 pchb9 at pci0 dev 24 function 5 "AMD 15h Misc Cfg" rev 0x00 usb4 at ohci0: USB revision 1.0 uhub4 at usb4 configuration 1 interface 0 "AMD OHCI root hub" rev 1.00/1.00 addr 1 usb5 at ohci1: USB revision 1.0 uhub5 at usb5 configuration 1 interface 0 "AMD OHCI root hub" rev 1.00/1.00 addr 1 isa0 at pcib0 isadma0 at isa0 pckbc0 at isa0 port 0x60/5 irq 1 irq 12 pcppi0 at isa0 port 0x61 spkr0 at pcppi0 usb6 at ohci2: USB revision 1.0 uhub6 at usb6 configuration 1 interface 0 "AMD OHCI root hub" rev 1.00/1.00 addr 1 uhidev0 at uhub0 port 3 configuration 1 interface 0 "Holtek USB-HID Keyboard" rev 2.00/1.06 addr 2 uhidev0: iclass 3/1 ukbd0 at uhidev0: 8 variable keys, 6 key codes wskbd0 at ukbd0: console keyboard uhidev1 at uhub0 port 3 configuration 1 interface 1 "Holtek USB-HID Keyboard" rev 2.00/1.06 addr 2 uhidev1: iclass 3/0 uhid0 at uhidev1: input=64, output=64, feature=0 uhidev2 at uhub0 port 3 configuration 1 interface 2 "Holtek USB-HID Keyboard" rev 2.00/1.06 addr 2 
uhidev2: iclass 3/0, 4 report ids uhid1 at uhidev2 reportid 1: input=1, output=0, feature=0 ucc0 at uhidev2 reportid 2: 18 usages, 13 keys, enum wskbd1 at ucc0 mux 1 ums0 at uhidev2 reportid 3: 8 buttons, Z and W dir wsmouse0 at ums0 mux 0 ukbd1 at uhidev2 reportid 4: no usable key codes array uhidev3 at uhub0 port 4 configuration 1 interface 0 "Acrox AmazonBasics gaming mouse" rev 2.00/2.15 addr 3 uhidev3: iclass 3/1 ums1 at uhidev3: 5 buttons, Z and W dir wsmouse1 at ums1 mux 0 uhidev4 at uhub0 port 4 configuration 1 interface 1 "Acrox AmazonBasics gaming mouse" rev 2.00/2.15 addr 3 uhidev4: iclass 3/1, 32 report ids ukbd2 at uhidev4 reportid 1: 8 variable keys, 6 key codes wskbd2 at ukbd2 mux 1 ucc1 at uhidev4 reportid 2: 897 usages, 18 keys, array wskbd3 at ucc1 mux 1 uhid2 at uhidev4 reportid 4: input=63, output=63, feature=0 uhid3 at uhidev4 reportid 32: input=0, output=0, feature=50 ugen0 at uhub2 port 1 "Amazon Kindle" rev 2.00/2.16 addr 2 umass0 at uhub2 port 3 configuration 1 interface 0 "Generic USB2.0-CRW" rev 2.00/57.13 addr 3 umass0: using SCSI over Bulk-Only scsibus2 at umass0: 2 targets, initiator 0 sd2 at scsibus2 targ 1 lun 0: removable serial.0bda015392657120 vscsi0 at root scsibus3 at vscsi0: 256 targets softraid0 at root scsibus4 at softraid0: 256 targets root on sd0a (2efaa3fa93ca6a53.a) swap on sd0b dump on sd0b radeondrm0: KAVERI ### AML PARSE ERROR (0xf98): Undefined name: \\_SB_.ALIB error evaluating: \\_SB_.PCI0.VGA_.ATCS radeondrm0: 1920x1200, 32bpp wsdisplay0 at radeondrm0 mux 1: console (std, vt100 emulation), using wskbd0 wskbd1: connecting to wsdisplay0 wskbd2: connecting to wsdisplay0 wskbd3: connecting to wsdisplay0 wsdisplay0: screen 1-5 added (std, vt100 emulation) Thanks, Andy
secure.io domain
Would you consider selling this domain? -- Andy Booth Telephone: (+350) 5600-2587 Email: a...@booth.com Address: Booth.com, Ltd., Suite 4, 4 Giro's Passage, Gibraltar, GX11 1AA "Knowledge speaks, but wisdom listens." - Jimi Hendrix
problems with outbound load-balancing (PF sticky-address for destination IPs)
Hi smart people :)

The current implementation of ‘sticky-address‘ relates only to a sticky source IP.

https://www.openbsd.org/faq/pf/pools.html

This is used for inbound server load balancing, by ensuring that all socket connections from the same client/user/IP on the internet go to the same server on your local server pool. This works great for ensuring simplified memory management of session artefacts on the application being hosted (the servers do not have to synchronise the user's session data as extra sockets from that user will always connect to the same local server).

However sticky-address does not have an equivalent for sticky destination IPs.

For example when doing outbound load balancing over multiple ISP links, every single socket is load balanced randomly. This causes many websites to break (especially cookie login and single-sign-on style enterprise services), as the first outbound socket will originate randomly from one of the local ISP IPs, and the user's login session/SSO (on the server side) will belong to that first random IP. When the user then browses to or uses another part of that same website which requires additional sockets, the additional sockets will pass the SSO credentials from the first socket, but the extra socket connection will again be randomly load-balanced, and so the remote server will reject the connection as it is originating from the wrong source IP etc.

Therefore can I please propose a “sticky-address for destination IPs” as an analogue to the existing sticky-address for source IPs?

This is now such a problem that we have to use sticky-address even on outbound load-balancing connections, which causes internal user1 to always use the same ISP for _everything_ etc.

While this does stop the breakage, it does not result in evenly distributed balancing of traffic, as users are locked to one single transit, for all their web browsing for the rest of the day after being randomly balanced once first-thing in the morning, rather than all users balancing over all transits throughout the day.

Another pain; using the current source-ip sticky-address for outbound balancing makes it hard to drain transits for maintenance. For example without source sticky-address balancing, you can just remove the transit from the PF rule, and after some time, all traffic will eventually move over to the other transits, allowing the first to be shut down for whatever needs. But with the current source-ip sticky-address, that first transit will take months to drain in real-world situations..

Lastly just as a nice-to-have, how feasible would a deterministic load balancing algorithm be? So that balancing selection is done based on the “least utilised” path?

Thanks for your time and consideration,

Kindest regards
Andy

Sent from a teeny tiny keyboard, so please excuse typos.
Re: clock not set on boot
> From: "Theo de Raadt"
>
> ntpd is run by default, and magically will correct the time almost
> immediately.
>
> Some significant effort went into this a few years ago.
>
> However, the kernel message will always be there. You can ignore it.
>
> Run ntpctl -s all, and you'll see the time has been corrected before
> significant daemons start.

ntpd is running, but the clock isn't getting corrected before significant daemons start. In fact, it's causing other daemons, like unbound, to fail.

$ ntpctl -s all
5/5 peers valid, constraint offset 5355740s, clock unsynced, clock offset is 5355739014.329ms
...

/var/messages:

Oct 4 21:20:24 hostname ntpd[61157]: ntp engine ready
Oct 4 21:20:25 hostname ntpd[61157]: constraint reply from 9.9.9.9: offset 5355740.057722
Oct 4 21:20:26 hostname unbound: [98456:0] notice: init module 0: validator
Oct 4 21:20:26 hostname unbound: [98456:0] notice: init module 1: iterator
Oct 4 21:20:26 hostname unbound: [98456:0] info: start of service (unbound 1.11.0).
Oct 4 21:20:27 hostname ntpd[61157]: cancel settime because dns probe failed
Oct 4 21:20:27 hostname unbound: [25295:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
...

Does ntpd need DNS to set the time? Because my resolv.conf points to 127.0.0.1 and unbound needs the time before it will work properly.
Re: No xenocara for ATI Radeon HD 2400 XT
Thus said Jonathan Gray on Mon, 10 Aug 2020 23:54:54 +1000:

> For now we could just skip reading a disabled bios on RV610.

Thanks, that tweak seems to have gotten past the problem and now X will start:

initializing kernel modesetting (RV610 0x1002:0x94C1 0x1028:0x0D02 0x00).
radeondrm0: 1680x1050, 32bpp
wsdisplay0 at radeondrm0 mux 1: console (std, vt100 emulation), using wskbd0
wskbd1: connecting to wsdisplay0
wsdisplay0: screen 1-5 added (std, vt100 emulation)

I wonder what the difference is between i386 and amd64...

Thanks,

Andy
Re: No xenocara for ATI Radeon HD 2400 XT
Thus said Jonathan Gray on Sun, 09 Aug 2020 12:39:36 +1000:

> When this came up previously running i386 resulted in being able to
> read the atombios. Can you confirm that is the case here?

Yes, this is the case. I installed OpenBSD 6.7 i386 to the same hardware and there is no error in dmesg and X starts up without requiring machdep.allowaperture to be set.

> The drm code in -current/snapshots has been replaced by a new port of
> the linux 5.7 code so behaviour there may change.

I tried the amd64 current/snapshot from August 8 and it has the same problem. I guess for now I can reinstall with i386 unless there is something else that I should try for debugging. I can provide whatever is needed.

Thanks,

Andy
No xenocara for ATI Radeon HD 2400 XT
X2, ATI Mobility Radeon HD 3870, ATI Mobility Radeon HD 3870 X2, ATI Radeon HD3870 X2, ATI FireGL V7700, ATI Radeon HD3690, AMD Firestream 9170, ATI Radeon HD 4550, ATI Radeon RV710, ATI Radeon HD 4350, ATI Mobility Radeon 4300 Series, ATI Mobility Radeon 4500 Series, ATI FirePro RG220, ATI Mobility Radeon 4330, ATI RV630, ATI Mobility Radeon HD 2600, ATI Mobility Radeon HD 2600 XT, ATI Radeon HD 2600 XT AGP, ATI Radeon HD 2600 Pro AGP, ATI Radeon HD 2600 XT, ATI Radeon HD 2600 Pro, ATI Gemini RV630, ATI Gemini Mobility Radeon HD 2600 XT, ATI FireGL V5600, ATI FireGL V3600, ATI Radeon HD 2600 LE, ATI Mobility FireGL Graphics Processor, ATI Radeon HD 3470, ATI Mobility Radeon HD 3430, ATI Mobility Radeon HD 3400 Series, ATI Radeon HD 3450, ATI Radeon HD 3430, ATI FirePro V3700, ATI FireMV 2450, ATI Radeon HD 3600 Series, ATI Radeon HD 3650 AGP, ATI Radeon HD 3600 PRO, ATI Radeon HD 3600 XT, ATI Mobility Radeon HD 3650, ATI Mobility Radeon HD 3670, ATI Mobility FireGL V5700, ATI Mobility FireGL V5725, ATI Radeon HD 3200 Graphics, ATI Radeon 3100 Graphics, ATI Radeon HD 3300 Graphics, ATI Radeon 3000 Graphics, SUMO, SUMO2, ATI Radeon HD 4200, ATI Radeon 4100, ATI Mobility Radeon HD 4200, ATI Mobility Radeon 4100, ATI Radeon HD 4290, ATI Radeon HD 4250, AMD Radeon HD 6310 Graphics, AMD Radeon HD 6250 Graphics, AMD Radeon HD 6300 Series Graphics, AMD Radeon HD 6200 Series Graphics, PALM, CYPRESS, ATI FirePro (FireGL) Graphics Adapter, AMD Firestream 9370, AMD Firestream 9350, ATI Radeon HD 5800 Series, ATI Radeon HD 5900 Series, ATI Mobility Radeon HD 5800 Series, ATI Radeon HD 5700 Series, ATI Radeon HD 6700 Series, ATI Mobility Radeon HD 5000 Series, ATI Mobility Radeon HD 5570, ATI Radeon HD 5670, ATI Radeon HD 5570, ATI Radeon HD 5500 Series, REDWOOD, ATI Mobility Radeon Graphics, CEDAR, ATI FirePro 2270, ATI Radeon HD 5450, CAYMAN, AMD Radeon HD 6900 Series, AMD Radeon HD 6900M Series, Mobility Radeon HD 6000 Series, BARTS, AMD Radeon HD 6800 Series, AMD Radeon HD 
6700 Series, TURKS, CAICOS, ARUBA, TAHITI, PITCAIRN, VERDE, OLAND, HAINAN, BONAIRE, KABINI, MULLINS, KAVERI, HAWAII
[34.366] (II) VESA: driver for VESA chipsets: vesa
[34.368] (II) [KMS] drm report modesetting isn't supported.
[34.390] (EE) Screen 0 deleted because of no matching config section.
[34.390] (II) UnloadModule: "radeon"
[34.391] (II) Loading sub module "vbe"
[34.391] (II) LoadModule: "vbe"
[34.457] (II) Loading /usr/X11R6/lib/modules/libvbe.so
[34.508] (II) Module vbe: vendor="X.Org Foundation"
[34.509]	compiled for 1.20.8, module version = 1.1.0
[34.509]	ABI class: X.Org Video Driver, version 24.1
[34.509] (II) Loading sub module "int10"
[34.509] (II) LoadModule: "int10"
[34.511] (II) Loading /usr/X11R6/lib/modules/libint10.so
[34.700] (II) Module int10: vendor="X.Org Foundation"
[34.700]	compiled for 1.20.8, module version = 1.0.0
[34.700]	ABI class: X.Org Video Driver, version 24.1
[34.700] (II) VESA(0): initializing int10
[34.742] (EE) VESA(0): Cannot read int vect
[34.742] (II) UnloadModule: "vesa"
[34.742] (II) UnloadSubModule: "int10"
[34.742] (II) Unloading int10
[34.742] (II) UnloadSubModule: "vbe"
[34.742] (II) Unloading vbe
[34.743] (EE) Screen(s) found, but none have a usable configuration.
[34.743] (EE) Fatal server error:
[34.743] (EE) no screens found(EE)
[34.743] (EE) Please consult the The X.Org Foundation support at http://wiki.x.org for help.
[34.743] (EE) Please also check the log file at "/var/log/Xorg.0.log" for additional information.
[34.743] (EE)
[34.774] (EE) Server terminated with error (1). Closing log file.

Thanks,

Andy
-- 
When the whole world is running towards a cliff, he who is running in the opposite direction appears to have lost his mind. --- C. S. Lewis

TAI64 timestamp: 40005f2ed196
Re: Disable ftp in pkg_add syspatch sysupgrade
For completeness, I discovered I was having issues with downloading the sources for the sysupgrade command on my edge firewall also! So it was not limited to internet servers as first thought.

Since upgrading to 6.6 (I had to run sysupgrade 4 times to get it to complete the downloads), the issues seem to have been resolved and now all packages are installing first time, every time.

So I am not sure if this is just me or a 6.5 issue. Most likely the former ;)

Kind regards, Andy.

Sent from a teeny tiny keyboard, so please excuse typos

> On 31 Oct 2019, at 01:47, Stuart Henderson wrote:
>
>> On 2019-10-30, Andrew Lemin wrote:
>> - But throws errors when I try and use flavours which is critical for
>> installing python for example (NB; This is a different error to before,
>> where I was getting 'timeout' instead of 'Invalid argument');
>> [HOME]root@testbsd1:/local#pkg_add python%2 py-pip python%3 py3-pip py3-setuptools
>> quirks-3.124 signed on 2019-10-16T20:27:45Z
>> http://mirror.bytemark.co.uk/pub/OpenBSD/6.5/packages/amd64/py3-setuptools-40.0.0v0.tgz: ftp: Receiving HTTP reply: Invalid argument
>> signify: gzheader truncated
>> Couldn't install py3-setuptools-40.0.0v0
>
> Odd. Can you try replicating on 6.6?
>
> Does "pkg_add py-pip py3-pip py3-setuptools" (i.e. allow pkg_add to
> find the dependencies by itself) work?
>
Re: Disable ftp in pkg_add syspatch sysupgrade
Hahaha, thanks Theo, that made me smile. But you have answered my question perfectly, albeit in a roundabout way.

Indeed it doesn’t matter what it is called, and it would be clearer with a generic name, as we got caught out by a program calling another program with a colliding name. For example, having ‘pkg_add’ call a program named ‘ftp’ to perform http and https downloads, but where errors in the ftp subprocess are printed by the pkg_add process, making it seem like pkg_add was failing on an ftp protocol request, rather than the ‘ftp’ client process failing (while doing an http call).

So I think it was pretty fair for us to end up scratching our heads ;)

Thanks, Andy.

Sent from a teeny tiny keyboard, so please excuse typos

> On 30 Oct 2019, at 15:54, Theo de Raadt wrote:
>
> Andrew Lemin wrote:
>
>> To me this seems unusual (was expecting 'curl' or 'wget' etc to avoid code
>> duplication) and confusing? What do you think?
>
> curl is not in openbsd
>
> wget is not in openbsd
>
> Maybe we should rename our downloading software to lemin, which is
> obviously a randomly chosen name with some obscure acronym we'll invent
> to back the name, being a name no one recognizes we can probably avoid
> assumptions as to what it does, whether it does ftp, or http, or https,
> or who knows what. Of course such a strange name would also lead people
> to not discovering it, and make them install some monster software
> package off the internet with another strange name.
>
> In summary I think it's turning into a shitty world with selection by
> meme.
>
Disable ftp in pkg_add syspatch sysupgrade
Hi guys,

Does anyone know if it is possible to completely disable ftp in the package management utilities; pkg_add, syspatch, sysupgrade etc?

My PKG_PATH references http:// urls, as does /etc/install. But I cannot stop these tools trying to use ftp, which does not work! :(

Every time I try to install a bunch of packages, some work fine via http, and then some will fall back to ftp, which of course fails. However, when I test the url for the package it reports it could not download (due to the ftp connect timeout), the download works fine via http etc. So it is very frustrating.

We cannot use ftp-proxy as we use rdomains, and running the ftp-proxy daemon within the rdomain that has the default route to the internet doesn’t seem to work.

And generally speaking no one in my last two companies has ever asked me to make ftp work. As ftp is very much dead in most cases, could we please stop using it for package management tools? :(

I cannot update any of my OpenBSD servers which reside inside the firewall. Only the firewall itself gets updates because of the ftp dependence :(

Thanks for your time.
Andy.

Sent from a teeny tiny keyboard, so please excuse typos
Re: Building Unbound with Python module support
Hi Claudio,

I did actually try putting my python plugin and unboundmodule.py into the chroot, but I completely forgot that I would also need to install the rest of python into the chroot! Haha

Serves me right for working on it until 1am when I should have been asleep and trying with fresh eyes the next day ;)

All working now. You guys are heroes. Thank you for the gentle nudges in the right direction.

Kindest regards.
Andy Lemin

Sent from a teeny tiny keyboard, so please excuse typos

> On 7 Aug 2019, at 09:01, Claudio Jeker wrote:
>
>> On Wed, Aug 07, 2019 at 08:44:07AM +0100, Andy Lemin wrote:
>> Morning Stuart,
>>
>> So I’ve tested with the base build options properly, the initial errors I
>> saw before have gone which is good. But I have a more fundamental issue with
>> Unbound now sadly.
>>
>> Swig successfully built “/usr/src/unbound/pythonmod/unboundmodule.py” and
>> installed it to “/usr/local/lib/python2.7/site-packages/unboundmodule.py”.
>>
>> However unbound is unable to find it, and the following errors are seen;
>> [HOME]root@bsd1:/var/unbound#/usr/local/sbin/unbound -c /var/unbound/etc/unbound.conf -dv
>>
>> [1565135861] unbound[90497:0] notice: Start of unbound 1.9.3.
>> [1565135861] unbound[90497:0] debug: increased limit(open files) from 128 to 16478
>> [1565135861] unbound[90497:0] debug: creating udp4 socket 127.0.0.1 53
>> [1565135861] unbound[90497:0] debug: creating udp4 socket 10.10.1.5 53
>> [1565135861] unbound[90497:0] debug: creating unix socket /var/run/unbound.sock
>> [1565135861] unbound[90497:0] debug: switching log to syslog
>> Could not find platform independent libraries
>> Could not find platform dependent libraries
>> Consider setting $PYTHONHOME to [:]
>> Traceback (most recent call last):
>>   File "", line 1, in
>> ImportError: No module named distutils.sysconfig
>> Traceback (most recent call last):
>>   File "", line 1, in
>> NameError: name 'distutils' is not defined
>> Traceback (most recent call last):
>>   File "", line 1, in
>> ImportError: No module named unboundmodule
>>
>> I have tried all manner of values for PYTHONHOME and I have also tried
>> --with-pythonmodule=/usr/local/lib/python2.7/site-packages
>>
>> Searching around shows others have found the exact same issue;
>> https://nlnetlabs.nl/pipermail/unbound-users/2011-July/007371.html
>>
>> What do you think about this in context of OpenBSD?
>>
>
> unbound does a chroot(2) by default to /var/unbound and so anything in
> /usr/local is unreachable. Either install the python code into the chroot
> or try running unbound with chroot: "" (which disables chroot). See also
> unbound.conf(5) for more info about chroot.
>
>
>> Sent from a teeny tiny keyboard, so please excuse typos
>>
>>> On 7 Aug 2019, at 00:03, Andy Lemin wrote:
>>>
>>> Hi Stuart,
>>>
>>> Thanks for your reply.
>>>
>>> So I put in some leg work to set myself up so I could build a new release
>>> base system, and went digging.
>>>
>>> And I found “/usr/src/usr.src/unbound/Makefile.bsd-wrapper” so I think I
>>> have found the correct build options to match with the base builds
>>> CONFIGURE_OPTS_UNBOUND
>>>
>>> I will try again with these options tomorrow, and see if I have the same
>>> errors.
>>>
>>> “The default install can't include Python support, because the default
>>> install of Unbound is in the base OS, and Python isn't.”
>>>
>>> Facepalm.. Of course!
>>>
>>> Is there a C plugin library? I would like to make this project
>>> native/portable so other users can use this project without having to
>>> rebuild Unbound?
>>>
>>> Thanks Andy.
>>>
>>>
>>> Sent from a teeny tiny keyboard, so please excuse typos
>>>
>>>>> On 6 Aug 2019, at 19:36, Stuart Henderson wrote:
>>>>>
>>>>> On 2019-08-06, Andy Lemin wrote:
>>>>> Hi guys,
>>>>>
>>>>> I’m just after some general advice as I feel like I’m doing something
>>>>> wrong, and having to hack around too much for what I believe should be
>>>>> simple.
>>>>>
>>>>> I am de
Re: Building Unbound with Python module support
Morning Stuart,

So I’ve tested with the base build options properly, the initial errors I saw before have gone which is good. But I have a more fundamental issue with Unbound now sadly.

Swig successfully built “/usr/src/unbound/pythonmod/unboundmodule.py” and installed it to “/usr/local/lib/python2.7/site-packages/unboundmodule.py”.

However unbound is unable to find it, and the following errors are seen;

[HOME]root@bsd1:/var/unbound#/usr/local/sbin/unbound -c /var/unbound/etc/unbound.conf -dv
[1565135861] unbound[90497:0] notice: Start of unbound 1.9.3.
[1565135861] unbound[90497:0] debug: increased limit(open files) from 128 to 16478
[1565135861] unbound[90497:0] debug: creating udp4 socket 127.0.0.1 53
[1565135861] unbound[90497:0] debug: creating udp4 socket 10.10.1.5 53
[1565135861] unbound[90497:0] debug: creating unix socket /var/run/unbound.sock
[1565135861] unbound[90497:0] debug: switching log to syslog
Could not find platform independent libraries
Could not find platform dependent libraries
Consider setting $PYTHONHOME to [:]
Traceback (most recent call last):
  File "", line 1, in
ImportError: No module named distutils.sysconfig
Traceback (most recent call last):
  File "", line 1, in
NameError: name 'distutils' is not defined
Traceback (most recent call last):
  File "", line 1, in
ImportError: No module named unboundmodule

I have tried all manner of values for PYTHONHOME and I have also tried
--with-pythonmodule=/usr/local/lib/python2.7/site-packages

Searching around shows others have found the exact same issue;
https://nlnetlabs.nl/pipermail/unbound-users/2011-July/007371.html

What do you think about this in context of OpenBSD?

Thanks again for your time.

Kind regards, Andy.

Sent from a teeny tiny keyboard, so please excuse typos

> On 7 Aug 2019, at 00:03, Andy Lemin wrote:
>
> Hi Stuart,
>
> Thanks for your reply.
>
> So I put in some leg work to set myself up so I could build a new release
> base system, and went digging.
>
> And I found “/usr/src/usr.src/unbound/Makefile.bsd-wrapper” so I think I have
> found the correct build options to match with the base builds
> CONFIGURE_OPTS_UNBOUND
>
> I will try again with these options tomorrow, and see if I have the same
> errors.
>
> “The default install can't include Python support, because the default
> install of Unbound is in the base OS, and Python isn't.”
>
> Facepalm.. Of course!
>
> Is there a C plugin library? I would like to make this project
> native/portable so other users can use this project without having to rebuild
> Unbound?
>
> Thanks Andy.
>
>
> Sent from a teeny tiny keyboard, so please excuse typos
>
>>> On 6 Aug 2019, at 19:36, Stuart Henderson wrote:
>>>
>>> On 2019-08-06, Andy Lemin wrote:
>>> Hi guys,
>>>
>>> I’m just after some general advice as I feel like I’m doing something
>>> wrong, and having to hack around too much for what I believe should be
>>> simple.
>>>
>>> I am developing a simple Python plugin for Unbound, and the default Unbound
>>> install on OpenBSD sadly wasn’t built with "--with-pythonmodule".
>>>
>>> So I grabbed the Unbound source code with a git clone from GitHub,
>>> installed dependencies, and did "./configure --with-pythonmodule", make,
>>> make install etc..
>>>
>>> So nothing special here. It installed to /usr/local/ rather than just /usr
>>> etc, and so fiddled around with /etc/rc.d/unbound to make the rc scripts
>>> start the custom one.
>>>
>>> But I’m getting errors which requires some extra config settings to squash
>>> when loading the same config as with the built in Unbound. ok maybe newer
>>> unbound code..
>>>
>>> But I am then also getting errors when trying to load the stock example
>>> python plugin as per the source built sphinx docs.
>>>
>>> I’m not at my computer at the moment so can’t share the exact errors, but
>>> thought I’d ask as it feels like I’m missing something obvious!
>>>
>>> Maybe I need some extra build options or static library references to make
>>> it as smooth as the built in Unbound? Or maybe I should be using a
>>> different source?
>>>
>>> Any initial thoughts? I’ll post exact errors as soon as I can.
>>
>> Initial thoughts are "did you use the same configure flags as much as
>> possible
>> as the build in base". Really need to see the errors to be able to make any
>> more detailed suggestions.
>>
>> The default install can't include Python support, because the default install
>> of Unbound is in the base OS, and Python isn't.
>>
>>
Re: Building Unbound with Python module support
Hi Stuart,

Thanks for your reply.

So I put in some leg work to set myself up so I could build a new release base system, and went digging.

And I found “/usr/src/usr.src/unbound/Makefile.bsd-wrapper” so I think I have found the correct build options to match with the base builds CONFIGURE_OPTS_UNBOUND

I will try again with these options tomorrow, and see if I have the same errors.

“The default install can't include Python support, because the default install of Unbound is in the base OS, and Python isn't.”

Facepalm.. Of course!

Is there a C plugin library? I would like to make this project native/portable so other users can use this project without having to rebuild Unbound?

Thanks Andy.

Sent from a teeny tiny keyboard, so please excuse typos

> On 6 Aug 2019, at 19:36, Stuart Henderson wrote:
>
>> On 2019-08-06, Andy Lemin wrote:
>> Hi guys,
>>
>> I’m just after some general advice as I feel like I’m doing something wrong,
>> and having to hack around too much for what I believe should be simple.
>>
>> I am developing a simple Python plugin for Unbound, and the default Unbound
>> install on OpenBSD sadly wasn’t built with "--with-pythonmodule".
>>
>> So I grabbed the Unbound source code with a git clone from GitHub, installed
>> dependencies, and did "./configure --with-pythonmodule", make, make install
>> etc..
>>
>> So nothing special here. It installed to /usr/local/ rather than just /usr
>> etc, and so fiddled around with /etc/rc.d/unbound to make the rc scripts
>> start the custom one.
>>
>> But I’m getting errors which requires some extra config settings to squash
>> when loading the same config as with the built in Unbound. ok maybe newer
>> unbound code..
>>
>> But I am then also getting errors when trying to load the stock example
>> python plugin as per the source built sphinx docs.
>>
>> I’m not at my computer at the moment so can’t share the exact errors, but
>> thought I’d ask as it feels like I’m missing something obvious!
>>
>> Maybe I need some extra build options or static library references to make
>> it as smooth as the built in Unbound? Or maybe I should be using a different
>> source?
>>
>> Any initial thoughts? I’ll post exact errors as soon as I can.
>
> Initial thoughts are "did you use the same configure flags as much as possible
> as the build in base". Really need to see the errors to be able to make any
> more detailed suggestions.
>
> The default install can't include Python support, because the default install
> of Unbound is in the base OS, and Python isn't.
>
>
Re: Best 1Gbe NIC
Thanks for your comments guys. I’ve ordered some Intel NICs :)

I just wanted to make sure I was getting the best offload capability, but I agree with you Claudio ;)

Cheers, Andy.

Sent from a teeny tiny keyboard, so please excuse typos

> On 2 Aug 2019, at 19:09, Brian Brombacher wrote:
>
> I find cheap PCI-Express and PCI-X em(4) cards suffice for my needs. 990-992
> Mbps with tcpbench.
>
>
>>> On Aug 2, 2019, at 11:26 AM, Claudio Jeker wrote:
>>>
>>> On Fri, Aug 02, 2019 at 12:28:58PM +0100, Andy Lemin wrote:
>>> Ahhh, thank you!
>>>
>>> I didn’t realise this had changed and now the drivers are written with
>>> full knowledge of the interface.
>>
>> That is an overstatement but we know for sure a lot more about these cards
>> than many other less open ones.
>>
>>> So that would make Intel Server NICs (i350 for example) some of the best
>>> 1Gbe cards nowadays then?
>>
>> They are well supported by OpenBSD as are many other server nics like bge
>> and bnx. I would not call them best, when it comes to network cards it
>> seems to be a race to the bottom. All chips have stuff in them that is
>> just not great. em(4) for example needs a major workaround because the
>> buffersize is specified by a bitfield.
>>
>> My view is more pessimistic, all network cards are shit there are just
>> some that are less shitty. Also I prefer to use em(4) over most other
>> gigabit cards.
>>
>> --
>> :wq Claudio
>>
>>>
>>> Sent from a teeny tiny keyboard, so please excuse typos
>>>
>>>>> On 2 Aug 2019, at 09:52, Jonathan Gray wrote:
>>>>>
>>>>> On Fri, Aug 02, 2019 at 09:19:09AM +0100, Andy Lemin wrote:
>>>>> Hi list,
>>>>>
>>>>> I know this is a rather classic question, but I have searched a lot on
>>>>> this again recently, and I just cannot find any conclusive up to date
>>>>> information?
>>>>>
>>>>> I am looking to buy the best 1Gbe NIC possible for OpenBSD and the only
>>>>> official comments I can find relate to 3COM for ISA, or community
>>>>> consensus towards Chelsio for 10Gbe.
>>>>>
>>>>> I know Intel works ok and I’ve used the i350’s before, but my
>>>>> understanding is that Intel still doesn’t provide the documentation for
>>>>> their NICs and so the emX driver is reverse engineered.
>>>>
>>>> This is incorrect. Intel provides datasheets for Ethernet parts.
>>>> em(4) is derived from Intel authored code for FreeBSD supplied under a
>>>> permissive license.
>>>>
>>>>>
>>>>> And if I remember correctly some offload features were also disabled in
>>>>> the emX driver a while back as some functions were found to be insecure
>>>>> on die and so it was deemed safer to bring the logic back on CPU.
>>>>>
>>>>> So I’m looking for the best 1Gbe NIC that supports the most
>>>>> offloading/best driver support/performance etc.
>>>>>
>>>>> Thanks, Andy.
>>>>>
>>>>> PS; could we update the official supported hardware lists? ;)
>>>>> All the best.
>>>>>
>>>>>
>>>>> Sent from a teeny tiny keyboard, so please excuse typos
>>>>>
>>>
>>
>
Building Unbound with Python module support
Hi guys,

I’m just after some general advice as I feel like I’m doing something wrong, and having to hack around too much for what I believe should be simple.

I am developing a simple Python plugin for Unbound, and the default Unbound install on OpenBSD sadly wasn’t built with "--with-pythonmodule".

So I grabbed the Unbound source code with a git clone from GitHub, installed dependencies, and did "./configure --with-pythonmodule", make, make install etc..

So nothing special here. It installed to /usr/local/ rather than just /usr etc, and so I fiddled around with /etc/rc.d/unbound to make the rc scripts start the custom one.

But I’m getting errors which require some extra config settings to squash when loading the same config as with the built-in Unbound. Ok, maybe newer unbound code..

But I am then also getting errors when trying to load the stock example python plugin as per the source-built sphinx docs.

I’m not at my computer at the moment so can’t share the exact errors, but thought I’d ask as it feels like I’m missing something obvious!

Maybe I need some extra build options or static library references to make it as smooth as the built-in Unbound? Or maybe I should be using a different source?

Any initial thoughts? I’ll post exact errors as soon as I can.

Thanks :)
Andy.

Sent from a teeny tiny keyboard, so please excuse typos
Re: Best 1Gbe NIC
Ahhh, thank you!

I didn’t realise this had changed and now the drivers are written with full knowledge of the interface.

So that would make Intel Server NICs (i350 for example) some of the best 1Gbe cards nowadays then?

Thanks :)
Andy

Sent from a teeny tiny keyboard, so please excuse typos

> On 2 Aug 2019, at 09:52, Jonathan Gray wrote:
>
>> On Fri, Aug 02, 2019 at 09:19:09AM +0100, Andy Lemin wrote:
>> Hi list,
>>
>> I know this is a rather classic question, but I have searched a lot on this
>> again recently, and I just cannot find any conclusive up to date information?
>>
>> I am looking to buy the best 1Gbe NIC possible for OpenBSD and the only
>> official comments I can find relate to 3COM for ISA, or community consensus
>> towards Chelsio for 10Gbe.
>>
>> I know Intel works ok and I’ve used the i350’s before, but my
>> understanding is that Intel still doesn’t provide the documentation for
>> their NICs and so the emX driver is reverse engineered.
>
> This is incorrect. Intel provides datasheets for Ethernet parts.
> em(4) is derived from Intel authored code for FreeBSD supplied under a
> permissive license.
>
>>
>> And if I remember correctly some offload features were also disabled in the
>> emX driver a while back as some functions were found to be insecure on die
>> and so it was deemed safer to bring the logic back on CPU.
>>
>> So I’m looking for the best 1Gbe NIC that supports the most
>> offloading/best driver support/performance etc.
>>
>> Thanks, Andy.
>>
>> PS; could we update the official supported hardware lists? ;)
>> All the best.
>>
>>
>> Sent from a teeny tiny keyboard, so please excuse typos
>>
Best 1Gbe NIC
Hi list,

I know this is a rather classic question, but I have searched a lot on this again recently, and I just cannot find any conclusive up to date information?

I am looking to buy the best 1Gbe NIC possible for OpenBSD and the only official comments I can find relate to 3COM for ISA, or community consensus towards Chelsio for 10Gbe.

I know Intel works ok and I’ve used the i350’s before, but my understanding is that Intel still doesn’t provide the documentation for their NICs and so the emX driver is reverse engineered.

And if I remember correctly some offload features were also disabled in the emX driver a while back as some functions were found to be insecure on die and so it was deemed safer to bring the logic back on CPU.

So I’m looking for the best 1Gbe NIC that supports the most offloading/best driver support/performance etc.

Thanks, Andy.

PS; could we update the official supported hardware lists? ;)
All the best.

Sent from a teeny tiny keyboard, so please excuse typos
Re: DNS Race Condition on Boot
Hey guys. Thanks for the ideas.

Sadly I cannot use static IPs as we don’t control the domains.

I think I’ll use Otto’s suggestion as I am already doing that to provide a black hole table for the spamhaus drop list. So I’ll just enhance that script to manage some more tables.

After all, the current fqdns in pf.conf can still go out of date (pf only resolves dns -> IP once during rule apply). So this solves that too.

Cheers, Andy.

Sent from a teeny tiny keyboard, so please excuse typos

> On 4 Jul 2019, at 09:18, Otto Moerbeek wrote:
>
>> On Thu, Jul 04, 2019 at 09:14:19AM +0100, Andy Lemin wrote:
>>
>> Hi guys,
>>
>> Is anyone else aware of the Unbound and PF race condition that exists when
>> FQDNs are used in pf.conf with a local Unbound server?
>
> Yes, it's an obvious one isn't it?
>
>>
>> The issue occurs when pf starts before unbound, but where pf fails to start
>> as it cannot resolve some DNS names.. and so unbound also fails to work when
>> it is started later in the boot because pf failed to start..
>>
>> The only solution I’ve found so far is to add some commands to /etc/rc.local
>> (run end of boot) to temporarily disable (the failed) pf, restart unbound,
>> and restart pf again now unbound is working.
>>
>> Just wondering if anyone knows of a cleaner workaround? PS; Using an
>> external DNS server in resolv.conf is not an option in this scenario.
>
> Do not use DNS names in pf.conf. Use IP addresses or a table filled
> from a file. Run some script to update the file periodically. If it
> changed, kick pf.
>
>	-Otto
>
DNS Race Condition on Boot
Hi guys,

Is anyone else aware of the Unbound and PF race condition that exists when FQDNs are used in pf.conf with a local Unbound server?

The issue occurs when pf starts before unbound, but where pf fails to start as it cannot resolve some DNS names.. and so unbound also fails to work when it is started later in the boot because pf failed to start..

The only solution I’ve found so far is to add some commands to /etc/rc.local (run at the end of boot) to temporarily disable (the failed) pf, restart unbound, and restart pf again now that unbound is working.

Just wondering if anyone knows of a cleaner workaround? PS; Using an external DNS server in resolv.conf is not an option in this scenario.

Cheers, Andy.

Sent from a teeny tiny keyboard, so please excuse typos
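Otto's approach in the reply above (addresses in a table loaded from a file, a script that refreshes the file, pf kicked only when it changed) removes the boot-time dependency on unbound entirely: pf loads the file at rule-load time without resolving anything, and the refresh runs from cron once the resolver is up. It also fixes the staleness Andy notes, since an FQDN in pf.conf is resolved exactly once when the rules are loaded. The script below is an added example written for this page, not Andy's spamhaus script or anything else from the thread; the table name vpn_peers, the file /etc/pf/vpn_peers.txt, the hostnames and the script filename are assumptions. The check a practitioner wants is the empty-result guard: a resolver outage must leave the last known-good addresses in place rather than silently emptying the table and, with it, every rule that references it.

```shell
#!/bin/sh
# Added example, not from the thread: keep a pf table in sync with the A
# records of a set of hostnames so pf.conf itself never contains an FQDN.
# Matching pf.conf lines (assumed names; table and file are illustrative):
#   table <vpn_peers> persist file "/etc/pf/vpn_peers.txt"
#   pass out quick proto udp to <vpn_peers> port 1194
# At boot pf reads the file, so it no longer needs unbound to be running.
# Run this from cron (for example every 5 minutes) once unbound is up.

TABLE="${TABLE:-vpn_peers}"
TABLE_FILE="${TABLE_FILE:-/etc/pf/vpn_peers.txt}"
NAMES="${NAMES:-vpn1.example.net vpn2.example.net}"   # assumed hostnames

# Print the IPv4 addresses of one name, one per line; nothing on failure.
# Uses host(1) from the OpenBSD base system.
resolve_name() {
    host -t A "$1" 2>/dev/null | awk '$2 == "has" && $3 == "address" { print $4 }'
}

# Resolve every name and emit a sorted, de-duplicated address list, keeping
# only well-formed dotted quads so a stray error line can never reach pf.
build_table() {
    for name in "$@"; do
        resolve_name "$name"
    done | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u
}

# Succeed when the candidate file differs from the current one (or the
# current one is missing), so pf is only touched when something changed.
table_changed() {
    [ -f "$1" ] || return 0
    ! cmp -s "$1" "$2"
}

# Refresh the on-disk table and pf's in-kernel copy.
# Returns 0 replaced, 1 internal error, 2 refused (empty result), 3 unchanged.
# An empty resolution result is refused on purpose: a resolver outage must
# keep the last known-good addresses rather than empty the table.
refresh_table() {
    tmp=$(mktemp) || return 1
    build_table $NAMES > "$tmp"
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        return 2
    fi
    if table_changed "$TABLE_FILE" "$tmp"; then
        mv "$tmp" "$TABLE_FILE" || return 1
        pfctl -t "$TABLE" -T replace -f "$TABLE_FILE"
        return $?
    fi
    rm -f "$tmp"
    return 3
}

# Only act when executed directly under this name; sourcing the file (as a
# test harness would) defines the functions without touching pf.
case "${0##*/}" in
    pf-table-refresh.sh) refresh_table ;;
esac
```

Because the table is declared with persist and a file, the rules load cleanly even when the file is empty at first boot; the cron run then fills it with a single pfctl -T replace, which adds and removes only the addresses that differ.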
ANN: pledge(1) security utility
**SPLASH**

I've been made to walk the plank!

*hastily assembles flotilla of blowfish*

https://fremissant.net/pledge
https://marc.info/?l=openbsd-tech=155762556220352=2

Your captain (master?) has spoken, and you are not allowed to know under which promises the processes on your system are running (though you can try to grep for this information in the sources if you have source). Not even if you are root; and not even yourself (pid 0).

Or, you can run my patch and have all this and more, safely. It is compliant with the pledge mandate that promises can never be increased, and indeed with all the intricacies of pledge(2) semantics. [If it isn't, please send an email.]

I don't much care who runs it besides me, though I do sense this is a pivotal project: either everything I ever did will get released after this, or silence.

This gesture in particular was made to increase the security of my own system, learn some systems programming, and above all as an expression of my appreciation for UNIX generally. If it helps others to any of those things, so much the better.

I'll keep the project pages (link at top) up to date, and decide the pledge(1) licence soon.

I've uploaded a patched amd64 kernel image (built from mid-April OpenBSD -current sources), as well as a compatible pledge(1) executable, in case you want to play in a VM. I've not installed 6.5 locally yet, but when I do I'll update the available images.

If this work interests you, by all means feel free to contact me privately, you probably won't find me on the lists.

Cheerio,
Andy.
Re: radeondrm failure on amd64 but not on i386?
root hub" rev 2.00/1.00 addr 1
ppb4 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xe1
pci5 at ppb4 bus 5
"AT/Lucent FW322 1394" rev 0x61 at pci5 dev 5 function 0 not configured
pcib0 at pci0 dev 31 function 0 "Intel 82801GH LPC" rev 0x01
pciide0 at pci0 dev 31 function 1 "Intel 82801GB IDE" rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0: ATAPI 5/cdrom removable
atapiscsi1 at pciide0 channel 0 drive 1
scsibus2 at atapiscsi1: 2 targets
cd1 at scsibus2 targ 0 lun 0: ATAPI 5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
cd1(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ahci0 at pci0 dev 31 function 2 "Intel 82801GR AHCI" rev 0x01: msi, AHCI 1.1
ahci0: port 0: 3.0Gb/s
ahci0: PHY offline on port 1
ahci0: PHY offline on port 2
ahci0: PHY offline on port 3
scsibus3 at ahci0: 32 targets
sd0 at scsibus3 targ 0 lun 0: SCSI3 0/direct fixed t10.ATA_ST3250824AS_5ND4HD0K
sd0: 238418MB, 512 bytes/sector, 488281250 sectors
ichiic0 at pci0 dev 31 function 3 "Intel 82801GB SMBus" rev 0x01: apic 8 int 17
iic0 at ichiic0
spdmem0 at iic0 addr 0x50: 1GB DDR2 SDRAM non-parity PC2-5300CL5
spdmem1 at iic0 addr 0x51: 1GB DDR2 SDRAM non-parity PC2-5300CL5
spdmem2 at iic0 addr 0x52: 1GB DDR2 SDRAM non-parity PC2-5300CL5
spdmem3 at iic0 addr 0x53: 1GB DDR2 SDRAM non-parity PC2-5300CL5
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb4 at uhci3: USB revision 1.0
uhub4 at usb4 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 addr 1
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
umass0 at uhub0 port 3 configuration 1 interface 0 "TEAC CA-200" rev 2.00/4.00 addr 2
umass0: using SCSI over Bulk-Only
scsibus4 at umass0: 2 targets, initiator 0
sd1 at scsibus4 targ 1 lun 0: SCSI0 0/direct removable
sd2 at scsibus4 targ 1 lun 1: SCSI0 0/direct removable
sd3 at scsibus4 targ 1 lun 2: SCSI0 0/direct removable
sd4 at scsibus4 targ 1 lun 3: SCSI0 0/direct removable
umass1 at uhub0 port 7 configuration 1 interface 0 "SanDisk Cruzer Dial" rev 2.10/1.00 addr 3
umass1: using SCSI over Bulk-Only
scsibus5 at umass1: 2 targets, initiator 0
sd5 at scsibus5 targ 1 lun 0: SCSI4 0/direct removable serial.07815599450609104375
sd5: 14944MB, 512 bytes/sector, 30605312 sectors
uhidev0 at uhub2 port 2 configuration 1 interface 0 "Dell Dell KB216 Wired Keyboard" rev 2.00/33.08 addr 2
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 variable keys, 6 key codes
wskbd1 at ukbd0 mux 1
uhidev1 at uhub2 port 2 configuration 1 interface 1 "Dell Dell KB216 Wired Keyboard" rev 2.00/33.08 addr 2
uhidev1: iclass 3/0, 5 report ids
uhid0 at uhidev1 reportid 1: input=1, output=0, feature=0
uhid1 at uhidev1 reportid 2: input=2, output=0, feature=0
uhid2 at uhidev1 reportid 5: input=0, output=0, feature=5
uhidev2 at uhub3 port 1 configuration 1 interface 0 "PixArt Lenovo USB Optical Mouse" rev 2.00/1.00 addr 2
uhidev2: iclass 3/1
ums0 at uhidev2: 3 buttons, Z dir
wsmouse0 at ums0 mux 0
vscsi0 at root
scsibus6 at vscsi0: 256 targets
softraid0 at root
scsibus7 at softraid0: 256 targets
root on sd5a (f2d5da28e9d59e44.a) swap on sd5b dump on sd5b
initializing kernel modesetting (RV610 0x1002:0x94C1 0x1028:0x0D02).
drm:pid0:r600_init *ERROR* Expecting atombios for R600 GPU
drm:pid0:radeondrm_attachhook *ERROR* Fatal error during GPU init
[TTM] Memory type 2 has not been initialized
drm0 detached
radeondrm0 detached
vga1 at pci1 dev 0 function 0 "ATI Radeon HD 2400 XT" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation), using wskbd0
wskbd1: connecting to wsdisplay0
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
wsmouse0 detached
ums0 detached
uhidev2 detached

Thanks,

Andy
-- 
TAI64 timestamp: 40005c1a6251
Re: radeondrm failure on amd64 but not on i386?
Thus said Allan Streib on Wed, 12 Dec 2018 14:09:06 -0500:

> Still having this issue on -current as of Dec 10.
> machdep.allowaperture=2 does get me past this, but am seeing
> weird behavior, some regions of screens/terminals not painting or
> refreshing.

As far as I'm aware no progress has been made. It seems to be having a problem reading the ATOM BIOS and I haven't yet figured out a way to dump out what it is reading to disk so it can be analyzed. Maybe some of the commands from the other thread on bugs@ will lead to additional information.

Another alternative, if you can, is to use i386 instead of amd64. I found that on i386 it does correctly detect the ATOM BIOS.

Andy
--
TAI64 timestamp: 40005c1431b9
Re: PF Outbound traffic Load Balancing over multiple tun/openvpn interfaces/tunnels
he connected peer
>>>> ping -V 1 8.8.8.8
>>>> ping -V 2 8.8.8.8
>>>>
>>>> Shows both VPN tunnels are definitely working independently with the
>>>> overlapping addressing :)
>>>>
>>>> # Reverse routing - I have read in various places that PF's 'route-to' can
>>>> be used for jumping rdomains's in the forward path of the session, but the
>>>> reply packets need any matching route in the remote rdomain for the reply
>>>> destination (the matching route is to ensure in the reply packet is passed
>>>> through the routing table and gets into the PF processing, where PF can
>>>> manage the return back to the default rdomain etc.
>>>>
>>>> But as I am using outbound NATing on the tunX interfaces, there is always a
>>>> matching route for the reply traffic. And so a route for the internal
>>>> subnet is not needed within rdomain 1 and 2.
>>>>
>>>>
>>>> # Finally ensure '/etc/pf.conf' contains something like;
>>>> if_ext = "em0"
>>>> if_int = "em1"
>>>>
>>>> #CDR = 80 Down/20 Up
>>>> queue out_ext on $if_ext flows 1024 bandwidth 18M max 19M qlimit 1024
>>>> default
>>>> queue out_tun1 on tun1 flows 1024 bandwidth 17M max 18M qlimit 1024 default
>>>> queue out_tun2 on tun2 flows 1024 bandwidth 17M max 18M qlimit 1024 default
>>>> queue out_int on $if_srx flows 1024 bandwidth 74M max 78M qlimit 1024
>>>> default
>>>>
>>>> #MTU = 1500
>>>> match proto tcp all scrub (no-df max-mss 1460) set prio (2,5)
>>>> match proto udp all scrub (no-df max-mss 1472) set prio (2,5)
>>>> match proto icmp all scrub (no-df max-mss 1472) set prio 7
>>>>
>>>> #NAT all outbound traffic
>>>> match out on $if_ext from any to any nat-to ($if_ext)
>>>> match out on tun1 from any to any nat-to (tun1) rtable 1
>>>> match out on tun2 from any to any nat-to (tun2) rtable 2
>>>>
>>>> #Allow outbound traffic on egress for vpn tunnel setup etc
>>>> pass out quick on { $if_ext } from self to any set prio (3,6)
>>>>
>>>> #Load balance outbound traffic from internal network across tun1 and tun2 -
>>>> THIS IS NOT WORKING - IT ONLY USES FIRST TUNNEL
>>>> pass in quick on { $if_int } to any route-to { (tun1 10.8.8.1), (tun2
>>>> 10.8.8.1) } round-robin set prio (3,6)
>>>>
>>>> #Allow outbound traffic over vpn tunnels
>>>> pass out quick on tun1 to any set prio (3,6)
>>>> pass out quick on tun2 to any set prio (3,6)
>>>>
>>>>
>>>> # Verify which tunnels are being used
>>>> systat ifstat
>>>>
>>>> *This command shows that all the traffic is only flowing over the first
>>>> tun1 interface, and the second tun2 is never ever used.*
>>>>
>>>>
>>>> # NB; I have tried with and without 'set state-policy if-bound'.
>>>>
>>>> I have tried all the load balancing policies; round-robin, random,
>>>> least-states and source-hash
>>>>
>>>> If I change the 'route-to' pool to "{ (tun2 10.8.8.1), (tun1 10.8.8.1) }",
>>>> then only tun2 is used instead.. :(
>>>>
>>>> So 'route-to' seems to only use the first tunnel in the pool.
>>>>
>>>> Any advice on what is going wrong here. I am wondering if I am falling
>>>> victim to some processing-order issue with PF, or if this is a real bug?
>>>>
>>>> Thanks, Andy.
>
Re: radeondrm failure on amd64 but not on i386?
Thus said Allan Streib on Tue, 27 Nov 2018 15:51:57 -0500:

> The issue was also reported here, with no followups but more debug info:
>
> https://marc.info/?l=openbsd-bugs=153398230416756=2

That seems to be an identical problem, but definitely with more debug info. In my system, the card is also in a PCIe slot.

By the way, it is possible to work around the problem to some extent by just adding to sysctl.conf:

machdep.allowaperture=2

X will then start up, but it won't be using the firmware.

Andy
--
TAI64 timestamp: 40005bfeb246
Re: radeondrm failure on amd64 but not on i386?
Thus said Allan Streib on Sun, 25 Nov 2018 21:54:45 -0500:

> Same issue, also on a Dell machine with ATI Radeon HD 2400 XT.

After Jonathan suggested adding some printf debug statements, I continued to do so and was able to see that the rdev->bios variable that is being inspected at lines 834--840 in radeon_bios.c has neither ATOM nor MOTA in the string at that address for amd64, but has ATOM for i386:

	tmp = rdev->bios_header_start + 4;
	if (!memcmp(rdev->bios + tmp, "ATOM", 4) ||
	    !memcmp(rdev->bios + tmp, "MOTA", 4)) {
		rdev->is_atom_bios = true;
	} else {
		rdev->is_atom_bios = false;
	}

I suppose additional debug might involve writing the entire contents of rdev->bios to a file and then hexdump it?

Andy
--
TAI64 timestamp: 40005bfb8e86
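The signature test above, reworked as an added user-space example (this is not the driver's code and not from this thread): given a dumped ROM image it applies the same ATOM/MOTA comparison, adds the bounds checks a dump tool needs before indexing the buffer, and prints a hexdump-style view of the bytes around the header, which is the view of rdev->bios Andy was after. It assumes the layout radeon_get_bios() reads before that snippet, a 0x55 0xAA option-ROM signature at offset 0 and a 16-bit little-endian header pointer at offset 0x48; that assumption is mine, not stated in the thread, and the sample image is constructed rather than a real VBIOS.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Added example, not the driver's code: the ATOM/MOTA test from the
 * radeon_bios.c snippet, applied to a ROM image in user space with the
 * bounds checks a dump tool needs. Assumed layout (what radeon_get_bios()
 * reads before that snippet; an assumption, not stated in this thread):
 * 0x55 0xAA at offset 0 and a 16-bit little-endian header pointer at 0x48. */

enum atom_result {
	ATOM_BAD_SIGNATURE = -1,       /* no 0x55AA: not an option ROM image */
	ATOM_HEADER_OUT_OF_RANGE = -2, /* header pointer beyond the image */
	ATOM_NOT_ATOM = 0,             /* legacy (combios) ROM */
	ATOM_IS_ATOM = 1
};

static uint16_t rbios16(const uint8_t *bios, size_t off)
{
	return (uint16_t)(bios[off] | (bios[off + 1] << 8));
}

/* Classify an image; on success *header_start receives the header offset. */
int classify_vbios(const uint8_t *bios, size_t len, size_t *header_start)
{
	size_t hdr, tmp;

	if (len < 0x4a || bios[0] != 0x55 || bios[1] != 0xaa)
		return ATOM_BAD_SIGNATURE;
	hdr = rbios16(bios, 0x48);
	if (hdr == 0 || hdr + 8 > len)	/* bytes hdr+4 .. hdr+7 must exist */
		return ATOM_HEADER_OUT_OF_RANGE;
	if (header_start != NULL)
		*header_start = hdr;
	tmp = hdr + 4;
	if (!memcmp(bios + tmp, "ATOM", 4) || !memcmp(bios + tmp, "MOTA", 4))
		return ATOM_IS_ATOM;
	return ATOM_NOT_ATOM;
}

/* hexdump -C style view of the bytes around the header. */
void dump_header_region(FILE *out, const uint8_t *bios, size_t len, size_t hdr)
{
	size_t start = hdr >= 16 ? hdr - 16 : 0;
	size_t end = hdr + 32 < len ? hdr + 32 : len;

	for (size_t off = start; off < end; off += 16) {
		fprintf(out, "%08zx ", off);
		for (size_t i = 0; i < 16; i++) {
			if (off + i < end)
				fprintf(out, " %02x", bios[off + i]);
			else
				fputs("   ", out);
		}
		fputs("  |", out);
		for (size_t i = 0; i < 16 && off + i < end; i++) {
			uint8_t c = bios[off + i];
			fputc(c >= 0x20 && c < 0x7f ? c : '.', out);
		}
		fputs("|\n", out);
	}
}

/* Constructed sample (not a real VBIOS): signature, header pointer 0x0100,
 * and the given 4-byte tag at header+4. */
#define SAMPLE_LEN 0x140
void build_sample(uint8_t *img, const char *tag4)
{
	memset(img, 0, SAMPLE_LEN);
	img[0] = 0x55;
	img[1] = 0xaa;
	img[0x48] = 0x00;
	img[0x49] = 0x01;
	memcpy(img + 0x100 + 4, tag4, 4);
}

/* Wrapper that exercises the classifier on the constructed sample:
 * corrupt != 0 damages the signature, bogus != 0 points the header
 * past the end of the image. */
int sample_result(const char *tag4, int corrupt, int bogus)
{
	uint8_t img[SAMPLE_LEN];

	build_sample(img, tag4);
	if (corrupt)
		img[1] = 0x00;
	if (bogus)
		img[0x49] = 0x7f;	/* header at 0x7f00, beyond 0x140 bytes */
	return classify_vbios(img, sizeof img, NULL);
}

int main(void)
{
	uint8_t img[SAMPLE_LEN];
	size_t hdr = 0;

	build_sample(img, "ATOM");
	printf("result=%d header_start=0x%zx\n",
	    classify_vbios(img, sizeof img, &hdr), hdr);
	dump_header_region(stdout, img, sizeof img, hdr);
	return 0;
}
```

On a real dump you would read the file into a buffer and pass it to classify_vbios() and dump_header_region(); the out-of-range result is the case the kernel snippet does not guard against, which matters when the header pointer itself is what came back wrong.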
Re: radeondrm failure on amd64 but not on i386?
Thus said Jonathan Gray on Mon, 19 Nov 2018 20:42:46 +1100:

> > Thanks for the suggestion. Here's the additional output provided by your
> > patch:
> >
> > radeon_atrm_get_bios false
> > radeon_acpi_vfct_bios false
> > igp_read_bios_from_vram false
> > radeon_read_bios false
> > radeon_read_disabled_bios true
> > drm:pid0:r600_init *ERROR* Expecting atombios for R600 GPU
> > drm:pid0:radeondrm_attachhook *ERROR* Fatal error during GPU init
> > [TTM] Memory type 2 has not been initialized
> > drm0 detached
> > radeondrm0 detached
>
> Thanks, could you also show the i386 output with the patch?

The output on i386 looks pretty much the same except for the failure:

initializing kernel modesetting (RV610 0x1002:0x94C1 0x1028:0x0D02).
radeon_atrm_get_bios false
radeon_acpi_vfct_bios false
igp_read_bios_from_vram false
radeon_read_bios false
radeon_read_disabled_bios true
radeondrm0: 1680x1050, 32bpp
wsdisplay0 at radeondrm0 mux 1: console (std, vt100 emulation), using wskbd0

Thanks,

Andy
--
TAI64 timestamp: 40005bf2d8c2
Re: radeondrm failure on amd64 but not on i386?
Thus said Jonathan Gray on Sat, 17 Nov 2018 14:08:53 +1100:

> There are many ways of getting an atom bios it would be helpful to
> know which method is having trouble.

Thanks for the suggestion. Here's the additional output provided by your patch:

radeon_atrm_get_bios false
radeon_acpi_vfct_bios false
igp_read_bios_from_vram false
radeon_read_bios false
radeon_read_disabled_bios true
drm:pid0:r600_init *ERROR* Expecting atombios for R600 GPU
drm:pid0:radeondrm_attachhook *ERROR* Fatal error during GPU init
[TTM] Memory type 2 has not been initialized
drm0 detached
radeondrm0 detached

Thanks,

Andy
--
TAI64 timestamp: 40005bf24e83
radeondrm failure on amd64 but not on i386?
inbus0 bus 0: configuration mode 1 (bios) pchb0 at pci0 dev 0 function 0 "Intel 82945G Host" rev 0x00 ppb0 at pci0 dev 1 function 0 "Intel 82945G PCIE" rev 0x00: apic 8 int 16 pci1 at ppb0 bus 1 radeondrm0 at pci1 dev 0 function 0 "ATI Radeon HD 2400 XT" rev 0x00 drm0 at radeondrm0 radeondrm0: msi azalia0 at pci0 dev 27 function 0 "Intel 82801GB HD Audio" rev 0x01: msi azalia0: codecs: Sigmatel STAC9220/1 audio0 at azalia0 ppb1 at pci0 dev 28 function 0 "Intel 82801GB PCIE" rev 0x01: apic 8 int 16 pci2 at ppb1 bus 2 ppb2 at pci0 dev 28 function 4 "Intel 82801G PCIE" rev 0x01: apic 8 int 16 pci3 at ppb2 bus 3 ppb3 at pci0 dev 28 function 5 "Intel 82801G PCIE" rev 0x01: apic 8 int 17 pci4 at ppb3 bus 4 em0 at pci4 dev 0 function 0 "Intel 82573L" rev 0x01: msi, address 00:13:72:1a:ed:5c uhci0 at pci0 dev 29 function 0 "Intel 82801GB USB" rev 0x01: apic 8 int 21 uhci1 at pci0 dev 29 function 1 "Intel 82801GB USB" rev 0x01: apic 8 int 22 uhci2 at pci0 dev 29 function 2 "Intel 82801GB USB" rev 0x01: apic 8 int 18 uhci3 at pci0 dev 29 function 3 "Intel 82801GB USB" rev 0x01: apic 8 int 23 ehci0 at pci0 dev 29 function 7 "Intel 82801GB USB" rev 0x01: apic 8 int 21 usb0 at ehci0: USB revision 2.0 uhub0 at usb0 configuration 1 interface 0 "Intel EHCI root hub" rev 2.00/1.00 addr 1 ppb4 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0xe1 pci5 at ppb4 bus 5 "AT/Lucent FW322 1394" rev 0x61 at pci5 dev 5 function 0 not configured ichpcib0 at pci0 dev 31 function 0 "Intel 82801GH LPC" rev 0x01: PM disabled pciide0 at pci0 dev 31 function 1 "Intel 82801GB IDE" rev 0x01: DMA, channel 0 configured to compatibility, channel 1 configured to compatibility atapiscsi0 at pciide0 channel 0 drive 0 scsibus1 at atapiscsi0: 2 targets cd0 at scsibus1 targ 0 lun 0: ATAPI 5/cdrom removable atapiscsi1 at pciide0 channel 0 drive 1 scsibus2 at atapiscsi1: 2 targets cd1 at scsibus2 targ 0 lun 0: ATAPI 5/cdrom removable cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2 cd1(pciide0:0:1): 
using PIO mode 4, Ultra-DMA mode 2 pciide0: channel 1 ignored (disabled) ahci0 at pci0 dev 31 function 2 "Intel 82801GR AHCI" rev 0x01: msi, AHCI 1.1 ahci0: port 0: 3.0Gb/s ahci0: PHY offline on port 1 ahci0: PHY offline on port 2 ahci0: PHY offline on port 3 scsibus3 at ahci0: 32 targets sd0 at scsibus3 targ 0 lun 0: SCSI3 0/direct fixed t10.ATA_ST3250824AS_5ND4HD0K sd0: 238418MB, 512 bytes/sector, 488281250 sectors ichiic0 at pci0 dev 31 function 3 "Intel 82801GB SMBus" rev 0x01: apic 8 int 17 iic0 at ichiic0 spdmem0 at iic0 addr 0x50: 1GB DDR2 SDRAM non-parity PC2-5300CL5 spdmem1 at iic0 addr 0x51: 1GB DDR2 SDRAM non-parity PC2-5300CL5 spdmem2 at iic0 addr 0x52: 1GB DDR2 SDRAM non-parity PC2-5300CL5 spdmem3 at iic0 addr 0x53: 1GB DDR2 SDRAM non-parity PC2-5300CL5 usb1 at uhci0: USB revision 1.0 uhub1 at usb1 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 addr 1 usb2 at uhci1: USB revision 1.0 uhub2 at usb2 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 addr 1 usb3 at uhci2: USB revision 1.0 uhub3 at usb3 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 addr 1 usb4 at uhci3: USB revision 1.0 uhub4 at usb4 configuration 1 interface 0 "Intel UHCI root hub" rev 1.00/1.00 addr 1 isa0 at ichpcib0 isadma0 at isa0 pckbc0 at isa0 port 0x60/5 irq 1 irq 12 pckbd0 at pckbc0 (kbd slot) wskbd0 at pckbd0: console keyboard pcppi0 at isa0 port 0x61 spkr0 at pcppi0 npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16 umass0 at uhub0 port 3 configuration 1 interface 0 "TEAC CA-200" rev 2.00/4.00 addr 2 umass0: using SCSI over Bulk-Only scsibus4 at umass0: 2 targets, initiator 0 sd1 at scsibus4 targ 1 lun 0: SCSI0 0/direct removable sd2 at scsibus4 targ 1 lun 1: SCSI0 0/direct removable sd3 at scsibus4 targ 1 lun 2: SCSI0 0/direct removable sd4 at scsibus4 targ 1 lun 3: SCSI0 0/direct removable umass1 at uhub0 port 7 configuration 1 interface 0 "SanDisk Cruzer Dial" rev 2.10/1.00 addr 3 umass1: using SCSI over Bulk-Only 
scsibus5 at umass1: 2 targets, initiator 0 sd5 at scsibus5 targ 1 lun 0: SCSI4 0/direct removable serial.07815599450609104375 sd5: 14944MB, 512 bytes/sector, 30605312 sectors uhidev0 at uhub2 port 2 configuration 1 interface 0 "Dell Dell KB216 Wired Keyboard" rev 2.00/33.08 addr 2 uhidev0: iclass 3/1 ukbd0 at uhidev0: 8 variable keys, 6 key codes wskbd1 at ukbd0 mux 1 uhidev1 at uhub2 port 2 configuration 1 interface 1 "Dell Dell KB216 Wired Keyboard" rev 2.00/33.08 addr 2 uhidev1: iclass 3/0, 5 report ids uhid0 at uhidev1 reportid 1: input=1, output=0, feature=0 uhid1 at uhidev1 reportid 2: input=2, output=0, feature=0 uhid2 at uhidev1 reportid 5: input=0, output=0, feature=5 uhidev2 a
Re: PF Outbound traffic Load Balancing over multiple tun/openvpn interfaces/tunnels
Hi Andreas,

Thanks for your reply. Sorry I should have been more clear. I know that rdomains are the correct method with overlapping addressing.

The challenge is that I cannot figure out how to get openvpn to initialise its resulting tunX interface directly into the correct rdomain?

You normally move interfaces to an rdomain with; ‘ifconfig em1 rdomain 1’

However is there a way I can get openvpn to do this at the time of setting up the interface?

The problem is that you cannot just create the tunnel, and then move it over to an rdomain afterwards if there is already another conflicting tunnel in the default rdomain (as the tunnel just won’t come up due to the address conflict).

I realise I could redesign it so that there is never a tunX in the default rdomain, so that tunnels can be setup in the default and then moved over. But this feels rather flawed/restricting and not the proper way of doing things?

I would like to script the management of these tunnels, and so if there was a way of setting up the tunnel in its own rdomain directly that would be a lot more robust :)

Thanks for your time.

Andy.

Sent from a teeny tiny keyboard, so please excuse typos.

> On 11 Sep 2018, at 21:59, Andreas Krüger wrote:
>
> Maybe rdomains?
>
>> On 11 Sep 2018, at 15.59, Andrew Lemin wrote:
>>
>> Hi list,
>>
>> I use an OpenVPN based internet access service (like NordVPN, AirVPN etc).
>>
>> The issue with these public VPN services, is the VPN servers are always
>> congested. The most I’ll get is maybe 10Mbits through one server.
>>
>> Local connection is a few hundred mbps..
>>
>> So I had the idea of running multiple openvpn tunnels to different servers,
>> and load balancing outbound traffic across the tunnels.
>>
>> Sounds simple enough..
>>
>> However every vpn tunnel uses the same subnet and nexthop gw. This of course
>> won’t work with normal routing.
>>
>> So my question:
>> How can I use rdomains or rtables with openvpn clients, so that each VPN is
>> started in its own logical VRF?
>>
>> And is it then a case of just using PF to push the outbound packets into the
>> various rdomains/rtables randomly (of course maintaining state)? LAN
>> interface would be in the default rdomain/rtable..
>>
>> My confusion is that an interface needs to be bound to the logical VRF, but
>> the tunX interfaces are created dynamically by openvpn.
>>
>> So I am not sure how to configure this within hostname.tunX etc, or if I’m
>> even approaching this correctly?
>>
>> Thanks, Andy.
>>
>
Re: Viewport for man.openbsd.org -- readability on phones
On Saturday, May 19, 2018, Mihai Popescu <mih...@gmail.com> wrote:

> I don't understand what you are trying to say.
>
> I took an iPhone with iOS and Safari ( i think!) on it and pointed
> the browser to the current link of man pages [1]. All i can say is the
> layout is displayed on full display, not stretched.
> Text is fine, paragraphs are scaled ok, not even a simple problem. Font is
> fine.
>
> [1] https://man.openbsd.org/
>

I can second that. It looks perfect on iPhone using Safari.

--Andy
Re: NFS keeps crashing
MB <iam...@gmail.com> wrote:

> Invest in a NetApp filer and do it the right way. Plenty of options
> spectrascale glfs/cnfs lustre with DNE/IME why struggle with this hobby OS,
> seriously?
>
> On Sat, Apr 21, 2018, 1:31 AM MB <iam...@gmail.com> wrote:
>
> >
> > Why are you using OpenBSD for anything but a firewall. Even then it's
> > lagging way behind unless you're deploying in a dentist office. OpenBSD sucks
> > at pretty much everything else. Sorry I come from corporate real world
> > experience not Soho stuff. Use Linux.
> >

A couple of points:

(1) Stop top-posting.
(2) NetApp is using BSD nfs code.
(3) I have run OpenBSD in a "corporate world" on a global scale and it usually outperforms everything else, including Linux, and definitely is much more stable and secure.
(4) If OpenBSD "sucks" and you are on a mailing list that "sucks", your life must be truly miserable.

To the original author of this thread -- nfs is a UNIX technology, originally made for Unix to Unix communication on a network. Windows client support came later and it is still not stellar. Samba/CIFS is the usual scenario here.

But if you are serious about this and want to attract developers' attention then please become familiar with sendbug(1).

http://www.openbsd.org/report.html

--Andy
Re: van Sprundel
Hi. That’s ok. This list is a place for open and honest conversation :)

My reaction was towards the article trying to say that BSD’s are dying, rather than against Van Sprundel or his research. I’ve read through his slides before and I skim through the erratas each upgrade, but this article tries to bloat the truth in my eyes. So I’m asking the question as to where the reality lies as it stands today?

Linux is such a moving target with so much unnecessary complexity with SystemD, that in the bigger picture we can place far more trust in the BSD’s.

It’s also a pretty serious allegation to cite so many vulnerabilities as still being unfixed today? Is this true?

Thanks for your reply :)

A

Sent from a teeny tiny keyboard, so please excuse typos

> On 28 Jan 2018, at 14:11, Hiltjo Posthuma <hil...@codemadness.org> wrote:
>
>> On Sun, Jan 28, 2018 at 12:56:26PM +, Andy Lemin wrote:
>> Really, did he actually post any real vulnerabilities to OpenBSD!
>>
>> This article has to be govt propaganda..
>>
>> https://www.csoonline.com/article/3250653/open-source-tools/is-the-bsd-os-dying-some-security-researchers-think-so.amp.html
>>
>> I was laughing with tears when I read this..
>>
>> OpenBSD is the only OS I place any real trust in <3
>>
>> Is probably the only OS they can’t hack.
>>
>> And SystemD makes me want to both cry and scream at the same time.
>>
>> A
>>
>>
>> Sent from a teeny tiny keyboard, so please excuse typos
>
> Hey,
>
> Maybe I shouldn't reply, but I feel this is insulting to the amazing work of
> Van Sprundel. I've also seen better nuanced articles about the same
> presentation talk.
>
> Sources:
> - https://www.openbsd.org/errata60.html (the batch of patches on August 3
> 2017).
> - http://undeadly.org/cgi?action=article=20170804053102
> - Slides:
> https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Ilja-van-Sprundel-BSD-Kern-Vulns.pdf
> - https://www.openbsd.org/errata56.html (earlier work).
>
> Please do more research before you post.
>
> --
> Kind regards,
> Hiltjo
van Sprundel
Really, did he actually post any real vulnerabilities to OpenBSD!

This article has to be govt propaganda..

https://www.csoonline.com/article/3250653/open-source-tools/is-the-bsd-os-dying-some-security-researchers-think-so.amp.html

I was laughing with tears when I read this..

OpenBSD is the only OS I place any real trust in <3

Is probably the only OS they can’t hack.

And SystemD makes me want to both cry and scream at the same time.

A

Sent from a teeny tiny keyboard, so please excuse typos
Re: protonmail.com broken on OpenBSD 6.2-Stable with Firefox
> From: r...@protonmail.com
>
> Try this...
>
> javascript.options.asmjs: true
>
> Sent from ProtonMail Mobile

Changing the value from true to false resolved the issue for me. Thank you for that.
Re: protonmail.com broken on OpenBSD 6.2-Stable with Firefox
> Original Message
> Subject: Re: protonmail.com broken on OpenBSD 6.2-Stable with Firefox
> Local Time: November 1, 2017 7:12 PM
> UTC Time: November 1, 2017 7:12 PM
> From: astr...@indiana.edu
> To: techay\@protonmail.com <tec...@protonmail.com>, vincent.de...@gmail.com
> misc@openbsd.org
>
> "tec...@protonmail.com" <tec...@protonmail.com> writes:
>
>> Do you happen to know what the issue with Firefox is with this website
>> on OpenBSD? I mean my guess is that it has to do with JavaScript in
>> some way but why now? It wasn't like this on 6.1, so what changed?
>
> Firefox version went from 52 -> 56 in 6.1 -> 6.2.
>
> You might peruse the release notes for those firefox releases.
>
> Allan

I disagree about it working in 6.1. protonmail hasn't worked for me using Firefox since 5.8 or 5.9. At one point the ESR worked but not the main version.

Cheers
Andy
Re: Libressl issue verifying self-signed certs with tls-auth and Openvpn
Hi Stuart and Joel,

Just to confirm for others reading, you are very correct. And patch 014_libcrypto has fixed this :)

So just run syspatch (or openup) and you'll be working again.

Thanks for the commits ;)

PS; good to hear from you again Stuart! Long time.. I'm on this email now rather than andy@brandwatch, it's been a while since I've been around the lists. I knew I could rely on you amazing peeps.

Take care, happy summer.

Andy

Sent from a teeny tiny keyboard, so please excuse typos

> On 3 Jul 2017, at 16:51, Joel Sing <j...@sing.id.au> wrote:
>
>> On Tuesday 20 June 2017 23:26:10 Andrew Lemin wrote:
>> Hi,
>>
>> Sadly in my testing it seems that CVE-2017-8301 (
>> http://seclists.org/oss-sec/2017/q2/145) is still broken with the
>> latest LibreSSL
>> (2.5.4) and OpenVPN 2.4.2.
>>
>> Here is someone else reporting the same issue;
>> https://discourse.trueos.org/t/libre-openssl-tls-error-when-using-openvpn/13
>> 58/4
>>
>> Of course I may have gotten this wrong somewhere, but for now it seems not
>> possible to use OpenVPN as a client with TLS static certificate based
>> server on OpenBSD.
>>
>> Hope this helps clarify for anyone else finding the same issue until some
>> clever person does a fix.
>>
>>
>> Error same with latest;
>>
>> Tue Jun 20 22:51:15 2017 OpenVPN 2.4.2 x86_64-unknown-openbsd6.1 [SSL
>> (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 20 2017
>>
>> Tue Jun 20 22:51:15 2017 library versions: LibreSSL 2.5.4, LZO 2.10
>>
>> Tue Jun 20 22:52:08 2017 VERIFY ERROR: depth=0, error=self signed
>> certificate: < Cert Info >
>>
>> Tue Jun 20 22:52:08 2017 OpenSSL: error:14007086:SSL
>> routines:CONNECT_CR_CERT:certificate verify failed
>>
>> Tue Jun 20 22:52:08 2017 TLS_ERROR: BIO read tls_read_plaintext error
>>
>> Tue Jun 20 22:52:08 2017 TLS Error: TLS object -> incoming plaintext read
>> error
>>
>> Tue Jun 20 22:52:08 2017 TLS Error: TLS handshake failed
>>
>> Tue Jun 20 22:52:08 2017 SIGUSR1[soft,tls-error] received, process
>> restarting
>
> This should be fixed on -current (via r1.30 of libcrypto/x509v3/v3_purp.c) -
> you should also be able to work around the issue by using different CNs for
> the
> CA and server certificates (they're likely identical in this case).
Re: Libressl issue verifying self-signed certs with tls-auth and Openvpn
I've just found this hint on GitHub for the Openvpn compile options for Libressl;

https://gist.github.com/gsora/2b3e9eb31c15a356c7662b0f960e2995

So will try a build later tonight and share back here if that CVE is fixed.

Would prefer to rebuild with the same options as the packaged binary, and it occurred to me that I don't know how to find that on OpenBSD?

Thanks again :)

Sent from a teeny tiny keyboard, so please excuse typos

> On 20 Jun 2017, at 20:23, Andrew Lemin <andrew.le...@gmail.com> wrote:
>
> Hi Misc,
>
> Has anyone else come across any issues recently with Openvpn, Libressl and
> TLS on OpenBSD 6.1?
>
> I am using an .ovpn file with TLS auth static key and cert inline within the
> file, to connect to VPN service. Running openvpn binary from command line
> without any special params, just .ovpn file.
>
> I have tested this is working fine on a Linux server with same config (using
> Openssl), so the server side, CA and cert are fine etc.
>
> I noticed on the Linux server the line; "Control Channel Authentication:
> tls-auth using INLINE static key file", but I do not see this debug on the
> OpenBSD version. Wondered if Libressl is not negotiating tls properly.
>
>
> I have since found CVE-2017-8301 which I believe is related. And confirmed
> that OpenBSD 6.1 seems to be running LibreSSL version 2.5.2
>
> The CVE shows issue known between 2.5.1 and 2.5.3, and looking at the OpenBSD
> trees I can see 2.5.4 was cut around 1st of May..
>
> I used MTier to grab all major patches etc, but LibreSSL not in patch list
> yet. openvpn did have a minor.
>
> So downloaded Libressl 2.5.4 source, compiled and installed as per INSTALL
> etc.. However notice that openvpn is still linking to 2.5.2.
>
> It would be great if someone would be kind enough to confirm if this CVE is
> indeed the same issue, and if 2.5.4 includes the relevant fixes for it?
>
> And if yes, a gentle nudge as to how to get openvpn to link to the 2.5.4
> install?
>
> Thanks for your time.
> Kind regards, Andy Lemin
>
>
>
> Sent from a teeny tiny keyboard, so please excuse typos
Watch out for bad options in /var/run/rc.d/$daemon
Hello,

Since I couldn't find any reference to this anywhere, I thought I would put out a description of the problem in the event that someone else runs into it with other daemons.

At one point in time, identd -l had a different meaning than it does now. After upgrading, I noticed that identd was not running, thanks to the following section in the daily output email:

Services that should be running but aren't:
identd

So I began investigating why it wasn't running and found the following in /var/log/messages:

Jan 3 22:46:56 obsd identd[80696]: h/auth: no address associated with name
Jan 3 22:46:56 obsd identd[84721]: child has gone

Looking at the output, it seemed clear that something had changed, so I looked at the man page for identd, and sure enough, -l is now different. Previously, in /etc/rc.conf.local, I had:

identd_flags="-elh"

Which coincided with the error message. Clearly -lh meant that it was trying to look up a host named h, which doesn't exist, whereas before, -l meant to log to syslog. So, I removed the -l from identd_flags, and tried to restart the daemon. Much to my dismay, it failed to restart, even though I had corrected the problem in rc.conf.local.

As it turns out, after further investigation, I discovered that the flags get cached in /var/run/rc.d/identd:

$ cat /var/run/rc.d/identd
daemon_class=daemon
daemon_flags=-elh
daemon_rtable=0
daemon_timeout=30
daemon_user=root
pexp=identd: (listen|resolver)

There's the offending -l that I thought I had removed! I can see why now:

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/etc/rc.d/rc.subr?annotate=1.116

On line 109, the options that are cached in the _RC_RUNFILE override any that were provided before rc_cmd() was called. Not sure if this is a bug. How often does a command line option get repurposed for something else? At any rate, I wanted to give a heads up to anyone else who might end up with a daemon which refuses to restart, even after the options have been corrected.

Andy
--
TAI64 timestamp: 4000586c8fd2
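As an added example (not from Andy's post and not OpenBSD's own rc.subr code): a small POSIX sh check that compares the daemon_flags cached in /var/run/rc.d/<daemon> with the <daemon>_flags line in /etc/rc.conf.local, so a stale cache like the identd one above is reported before a restart silently reuses the old options. It assumes the run-file format shown in the post and plain name_flags="..." lines in rc.conf.local; the files the demo writes are constructed to reproduce the identd case.

```shell
#!/bin/sh
# Added example, not from the post or from rc.subr: report daemons whose
# cached flags in /var/run/rc.d/<daemon> differ from the flags currently
# set in /etc/rc.conf.local. Assumes the daemon_flags=... run-file format
# shown in the post and name_flags="..." lines in rc.conf.local.

# Print the value of ${daemon}_flags from an rc.conf.local-style file,
# without surrounding single or double quotes. Prints nothing if unset.
rcconf_flags() {
    _conf=$1 _daemon=$2
    sed -n "s/^${_daemon}_flags=//p" "$_conf" | tail -n 1 |
        sed 's/^"\(.*\)"$/\1/; s/^'"'"'\(.*\)'"'"'$/\1/'
}

# Print daemon_flags from a cached /var/run/rc.d/<daemon> file.
runfile_flags() {
    sed -n 's/^daemon_flags=//p' "$1" | tail -n 1
}

# Exit 0 if both agree, 1 if the cache is stale (and say so), 2 if there
# is no run file (the daemon has not been started since boot).
check_stale_flags() {
    _conf=$1 _runfile=$2 _daemon=$3
    [ -f "$_runfile" ] || return 2
    _want=$(rcconf_flags "$_conf" "$_daemon")
    _have=$(runfile_flags "$_runfile")
    if [ "$_want" != "$_have" ]; then
        printf '%s: rc.conf.local has "%s" but %s caches "%s"\n' \
            "$_daemon" "$_want" "$_runfile" "$_have"
        return 1
    fi
    return 0
}

# Scan every cached run file in a directory against the configuration;
# on a real host: check_all /etc/rc.conf.local /var/run/rc.d
check_all() {
    _conf=$1 _rundir=$2 _rc=0
    for _f in "$_rundir"/*; do
        [ -f "$_f" ] || continue
        check_stale_flags "$_conf" "$_f" "$(basename "$_f")" || _rc=1
    done
    return $_rc
}

# Constructed demo reproducing the post: identd_flags was corrected to
# "-eh" but the run file still caches "-elh"; sshd is consistent.
# Returns 1 because identd is stale.
demo() {
    _tmp=$(mktemp -d) || return 3
    mkdir "$_tmp/rc.d"
    printf 'identd_flags="-eh"\nsshd_flags=""\n' > "$_tmp/rc.conf.local"
    printf 'daemon_class=daemon\ndaemon_flags=-elh\ndaemon_rtable=0\n' \
        > "$_tmp/rc.d/identd"
    printf 'daemon_class=daemon\ndaemon_flags=\ndaemon_rtable=0\n' \
        > "$_tmp/rc.d/sshd"
    check_all "$_tmp/rc.conf.local" "$_tmp/rc.d"
    _rc=$?
    rm -rf "$_tmp"
    return $_rc
}

case "${1:-}" in
demo) demo ;;
"") ;;    # no arguments: only define the functions
*) check_all "$1" "${2:-/var/run/rc.d}" ;;
esac
```

Run it as "sh check_rc_flags.sh demo" to see the identd mismatch, or with the real paths to audit a host; a non-zero exit means at least one cached run file disagrees with rc.conf.local and the daemon needs a stop before the corrected flags take effect.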
Re: Making sense of ktrace
Thus said Jeff Ross on Wed, 23 Nov 2016 15:42:08 -0700:

> The stack may indeed be too damaged--I get the following but it
> doesn't look very helpful:

More likely the symbols were stripped. Assuming this was installed from sources, edit conf-cc and add -g, then edit conf-ld and remove the -s:

$ head -1 conf-cc
cc -O2 -g
$ head -1 conf-ld
cc
$

Then recompile and try again (e.g. get a new core file and run gdb again).

Andy
--
TAI64 timestamp: 4000583654c6
Re: Fan Speed - Supermicro
Just to share for others here. This worked a treat!

I never knew that on BMC based systems, the fan control was taken away from the OS by IPMI like this. Simply set it to "Optimal", and now the fan speed is controlled automatically based on the different temperatures. Surprised this is the default, but it is a server...

Cheers, Andy.

On Mon, Nov 21, 2016 at 2:10 PM, Delan Azabani <de...@azabani.com> wrote:

> At 19:11, Andy Lemin <a...@brandwatch.com> wrote:
> > but we cannot figure out how to control the fan speed at all.
>
> Every board in the X9DRW series should have a BMC with IPMI, and this
> is what controls your fans and other sensors. Plug in the management
> port (but not to a public or hostile network!) and if these settings
> haven’t been changed, you can go to
>
> and log in with ‘ADMIN’ and ‘ADMIN’ (case sensitive, no quotes).
>
> From there, go to ‘Configuration’ → ‘Fan Speed Mode’ and change ‘Full
> Speed Mode’ to ‘Standard Mode’ or ‘Optimal Mode’.
>
> You can do this over IPMI. Install sysutils/ipmitool. I don’t think
> the tool works with ipmi(4), so you’ll need to do this from one of
> your real interfaces to the management interface. Try this:
>
> # ipmitool -I lanplus -H -U -P \
> raw 0x30 0x45 0
>
> If it works, you’ll see one of the following values:
>
> > 0 = Standard
> > 1 = Full
> > 2 = Optimal?
> > 3 = Minimal?
> > 4 = HeavyIO?
>
> Change the mode with this:
>
> # ipmitool [...] -P raw 0x30 0x45 1
>
> I have a Supermicro board, but it doesn’t run OpenBSD and I haven’t
> touched IPMI for some months now, so this guide might not be perfect.
>
> More reading:
>
> • http://supermicro.com/manuals/other/SMT_IPMI_Manual.pdf
> • https://www.supermicro.com/support/faqs/faq.cfm?faq=18025
> • https://siliconmechanics.zendesk.com/hc/en-us/articles/
> 201122989-Changing-fan-speeds-for-X9-X10-series-boards
> • https://forums.servethehome.com/index.php?resources/
> supermicro-x9-x10-x11-fan-speed-control.20/
> • https://asgardahost.org/useful-raw-commands-for-supermicro-ipmi-modules/
Fan Speed - Supermicro
Hi,

I know this is probably a simple question, but we have searched, found very little, and tried various things to no effect.

We have a Supermicro server running OpenBSD which is _screaming_ loud due to fan noise.

BIOS is latest and power mode is "Balanced" (during POST it is nice and quiet (how it should be). As soon as the OpenBSD kernel kicks in the fans go to max.

We are running;
apmd -A
apm -A

And the performance is currently;
root@bsd1:~# sysctl | grep perf
hw.setperf=0
hw.perfpolicy=auto

But the fans are still at max.

I think the problem is that we don't have any sensors;
root@bsd1:~# sysctl | grep sensor
hw.sensors.cpu0.temp0=22.00 degC

Do we have to load something? Or enable a kernel module to get the controls?

Would be happy to run sensorsd and manually control the fan speed that way, but we cannot figure out how to control the fan speed at all. So we cannot even force it to slow down at the moment.

Thanks, Andy.

DMESG;
root@bsd1:~# dmesg
OpenBSD 6.0 (GENERIC.MP) #2: Mon Oct 17 10:22:47 CEST 2016
    r...@stable-60-amd64.mtier.org: /binpatchng/work-binpatch60-amd64/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 34307653632 (32718MB)
avail mem = 33263423488 (31722MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xec640 (146 entries)
bios0: vendor American Megatrends Inc. version "3.0c" date 03/24/2014
bios0: transtec_AG X9DRW
acpi0 at bios0: rev 2
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC FPDT HPET PRAD SPMI SSDT EINJ ERST HEST BERT DMAR MCFG
acpi0: wakeup devices PS2K(S1) PS2M(S1) P0P9(S1) EUSB(S4) USBE(S4) PEX0(S4) PEX7(S4) NPE1(S4) NPE4(S4) NPE5(S4) NPE6(S4) NPE8(S4) NPEA(S4) NPE3(S4) NPE7(S4) NPE9(S4) [...]
Re: SNMPD Source Address Issues
Sent from a teeny tiny keyboard, so please excuse typos

> On 23 Sep 2016, at 20:24, Jeremie Courreges-Anglas <j...@wxcvbn.org> wrote:
>
> Andy Lemin <a...@brandwatch.com> writes:
>
>> Hi,
>>
>> TLDR; Is there a way of fixing the "source address" that SNMPD should use?
>>
>> We are having issues with reply snmpd packets sourcing from the egress
>> interface and not the loopback interface which the poll request was sent to :(
>>
>> We have many GRE tunnels and various routes which traffic can take to and
>> from our OpenBSD boxes. As such we poll the loopback interfaces instead of
>> a specific interface, however the snmpwalk replies reply with the source IP
>> of the egress interface and not the IP which was connected to.
>>
>> We tried setting "listen on $IP_Lo1" etc, and this seemed to work, but it
>> is unstable. That is, occasionally packets start being sourced from the
>> egress interface again when something changes until snmpd is restarted.
>
> I don't understand why binding on a loopback doesn't work. What is
> "when something changes" here?

I haven't been able to figure that out yet. We have about 20 OpenBSD boxes, and at some point or another, seemingly randomly, our monitoring system loses connection to snmpd as it starts responding with the egress IP again and not its loopback. It's happened on about 4 or 5 out of the 20 so far. Restarting snmpd fixes it each time.

And we still have the trap source IP problem as the monitoring system (Observium) recognises the device by its loopback.

>
>> Also traps are always sourced from the Egress interface regardless of
>> "listen on", however our monitoring system only knows about the loopback
>> interface and so the traps are dropped.
>>
>> Cheers, Andy.
>
> --
> jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
Re: Output Errors on VLAN interfaces
Hi Chris,

Sorry for the slow reply. Day job takes up most of my time.

Anyway, I finally added some logging into /usr/src/sys/net/if_vlan.c etc:

		if (m == NULL) {
			ifp->if_oerrors++;
			printf("Output Error due to NULL mbuff\n");
			continue;
		}
	}

	if (if_enqueue(ifp0, m)) {
		ifp->if_oerrors++;
		printf("Output Error from if_enqueue\n");
		continue;
	}
	ifp->if_opackets++;

Recompiled the kernel and rebooted onto it, and pushed traffic through it (~50Mbps). And sure enough every single instance of the VLAN Output drops is due to "if_enqueue(ifp0, m)" being TRUE.

I edited if.c and again confirmed that IFQ_ENQUEUE does return the error.

Traced it further back to ifq.c:ifq_enqueue_try(), and rv (from rv = ifq->ifq_ops->ifqop_enq(ifq, m);) is 55 for every one of the VLAN output drops.

Needed some help from a colleague to figure out what ifq->ifq_ops->ifqop_enq(ifq, m) calls. We believe it should be calling ifq.c:priq_enq(). Still don't understand that glue part yet :(

But after adding some logging on "if (ifq_len(ifq) >= ifq->ifq_maxlen)" it doesn't seem to be that? So I have either made a mistake or gone as far as my knowledge can go?

Any _pointers_ guys? ;)

We do use HFSC (and have done since 5.0 without issues), but only on the physical interface, not on the VLANs. The reason for this is so that we can _share_ the whole of the 10Gig interface root bandwidth across all of the VLANs on the same physical .1q trunk. This has worked great for years without VLAN output errors. I think this started after 5.8 or 5.9. I increased the qlimits from the default but that made no difference.
  queue trunk_root on $if_trunk bandwidth 4294M
  queue qlocal on $if_trunk parent trunk_root bandwidth 4.1G
  queue local_kern on $if_trunk parent qlocal bandwidth 8M min 8M burst 8M for 1000ms
  queue local_pri on $if_trunk parent qlocal bandwidth 150M min 150M burst 200M for 2500ms qlimit 500
  queue local_data on $if_trunk parent qlocal bandwidth 4G min 1G qlimit 1000
  queue qwan on $if_trunk parent trunk_root bandwidth 190M
  queue wan_rt on $if_trunk parent qwan bandwidth 30M min 19M burst 38M for 5000ms
  queue wan_int on $if_trunk parent qwan bandwidth 19M min 9M
  queue wan_pri on $if_trunk parent qwan bandwidth 19M min 10M burst 25M for 2000ms
  queue wan_vpn on $if_trunk parent qwan bandwidth 50M min 25M
  queue wan_web on $if_trunk parent qwan bandwidth 29M min 10M burst 19M for 3000ms
  queue wan_dflt on $if_trunk parent qwan bandwidth 19M min 10M burst 19M for 5000ms
  queue wan_bulk on $if_trunk parent qwan bandwidth 20M max 100M default
  .
  .
  match out on INSIDE all received-on INSIDE queue (local_data,local_pri) set prio (2,4)

So all traffic flowing from one VLAN to another (on the same trunk) is in queues local_data and local_pri, however looking at the queue statistics with systat queues 1 shows these large internal queues never drop a single packet. Yet if_oerrors for the VLANs is still incrementing quite a lot for most of our VLANs.

Hi Henning, whilst I have the code open, I am also going to have another go at trying to find the missing 64bit counter/range check etc for the HFSC queue size tomorrow (if I don't get dragged onto anything else).

Thanks for your time and help guys,

Kind regards, Andy Lemin

On Tue, Aug 9, 2016 at 2:48 AM, Chris Cappuccio <ch...@nmedia.net> wrote:
> Andy Lemin [a...@brandwatch.com] wrote:
> > The underlying trunk does not report any Rx or Tx errors at all.
> >
> > And the VLAN interfaces do not report any receive errors, only low rate
> > transmit errors.
> >
> > Also as a thought exercise, could anyone kindly explain/discuss how an
> > output error might even occur or be valid?
> >
>
> Look at /usr/src/sys/net/if_vlan.c, you'll find exactly two places where
> if_oerrors increments. Logically, both are in the vlan_start() routine.
> The first happens after vlan_inject fails. If vlan_inject returns a null
> mbuf, that appears to be a failure within m_prepend(), probably from
> failure to allocate memory for the new mbuf. Where's your dmesg? Are you
> using a card that does hw tagging? (If so, this isn't the codepath you're
> looking for.)
>
> If the failure is the new if_enqueue, it seems like ifq_enqueue would be
> calling priq_enq which would be returning a failure if the queue is full.
> Are you using hfsc?
>
> Chris
SNMPD Source Address Issues
Hi,

TLDR; Is there a way of fixing the "source address" that SNMPD should use?

We are having issues with reply snmpd packets sourcing from the egress interface and not the loopback interface which the poll request was sent to :(

We have many GRE tunnels and various routes which traffic can take to and from our OpenBSD boxes. As such we poll the loopback interfaces instead of a specific interface, however the snmpwalk replies reply with the source IP of the egress interface and not the IP which was connected to.

We tried setting "listen on $IP_Lo1" etc, and this seemed to work, but it is unstable. That is, occasionally packets start being sourced from the egress interface again when something changes until snmpd is restarted.

Also traps are always sourced from the Egress interface regardless of "listen on", however our monitoring system only knows about the loopback interface and so the traps are dropped.

Cheers, Andy.
Re: OSPFD, setting point-to-point
Josh Grosse kindly sent me a message off list to confirm the question. So let me just add a little more clarity so as to not waste anyone's time.

This is purely an OSPFD thing and not a general networking question about point-to-point links ;)

I am simply trying to tell OSPFD that only one other device is on this interface, and so OSPFD can skip the DR/BDR election process and jump straight to sharing LSAs etc. This way the devices can converge their control planes _much_ quicker..

GRE interfaces do this automatically, and thus converge faster (even over the internet) than the local ethernet p2p link. This causes local traffic to briefly traverse another remote router via the GREs for a moment, whilst waiting for the local adjacency via the ethernet cable to finish their election etc.

Thanks, Andy.

On Mon, Aug 8, 2016 at 5:12 PM, Andy Lemin <a...@brandwatch.com> wrote:
> Hi,
>
> Does anyone know if it is possible to set an ethernet crossover cable
> between two OpenBSD firewalls running OpenOSPFD as point-to-point?
>
> OpenOSPFD recognises GREs as point-to-point so the logic is there for
> handling a point-to-point adjacency, but cannot see how to set this on the
> ethernet port?
>
> Thanks, Andy.
OSPFD, setting point-to-point
Hi,

Does anyone know if it is possible to set an ethernet crossover cable between two OpenBSD firewalls running OpenOSPFD as point-to-point?

OpenOSPFD recognises GREs as point-to-point so the logic is there for handling a point-to-point adjacency, but cannot see how to set this on the ethernet port?

Thanks, Andy.
Output Errors on VLAN interfaces
Hi guys,

Has anyone else seen issues with "output errors" occurring on only VLAN interfaces since upgrading to 5.9? (and after using openup to get latest kernel).

It does not happen on all VLAN interfaces, only ones under load.

The underlying trunk does not report any Rx or Tx errors at all.

And the VLAN interfaces do not report any receive errors, only low rate transmit errors.

Also as a thought exercise, could anyone kindly explain/discuss how an output error might even occur or be valid? You would think that if the packet has been through the whole OpenBSD stack that it should not have an error on output (input errors, yes, definitely possible). But if the packet was/is in error, why is it transmitting it at all, or not being dropped before the output stage?

Thanks, Andy.
Re: How to handle different sections with new man.conf?
Thus said Ingo Schwarze on Fri, 01 Jul 2016 22:59:16 +0200:

> >>> manpath /usr/local/lib/tcl/tcl8.5/man
> >>> manpath /usr/local/lib/tcl/tcl8.6/man
>
> That's not necessarily a good idea; it adds both directories to the
> default search path, so you may end up seeing Tcl documentation when
> looking for something completely different.

I see. I was just blindly copying the old directories that I had defined in man.conf prior to the upgrade without realizing that they wouldn't have the same effect. The goal was to have both sets of man pages available but allow me to choose which version of the man pages to read from.

> Then again, nothing wrong with that if you do indeed want to have both
> Tcl dirs searched by default...

If I understand it, however, I don't really think it will have the intended effect, and while they would both be searched by default, matches would always come from tcl8.5 and the only time tcl8.6 would match is when there is a difference that exists in tcl8.6 only but not in tcl8.5.

> But i also said:
>
> "So far, there is no noticeable demand -> KISS."

True enough. My attempts at retaining prior behavior are certainly not ``noticeable demand.'' :-) I'll toy around with shell aliases and see where that goes.

Thanks for looking at it.

Andy

--
TAI64 timestamp: 4000577dd304
How to handle different sections with new man.conf?
Hello,

Using OpenBSD 5.8-stable. I used to have the following in /etc/man.conf:

  tcl85 /usr/local/lib/tcl/tcl8.5/man/
  tcl86 /usr/local/lib/tcl/tcl8.6/man/

Which made it easy to view one or the other by using the section argument:

  man tcl85 Tcl
  man tcl86 Tcl

man(1) still appears to be documented to have this functionality:

  man [-acfhklw] [-C file] [-I os=name] [-K encoding] [-M path] [-m path]
      [-O option=value] [-S subsection] [-s section] [-T output] [-W level]
      [section] name ...
      ^

But I see no way of expressing it in the new man.conf or addressing it in the command line. Here is what I have added according to the new man.conf(5):

  manpath /usr/local/lib/tcl/tcl8.5/man
  manpath /usr/local/lib/tcl/tcl8.6/man

But I don't see how to use [section] anymore. man(1) does mention using [-s section] with n as the section, but that only seems to display the first match of tcl8.5 and does not allow further granularity (as far as I can tell).

Have I missed something in the man pages, or what am I doing wrong?

Thanks,

Andy

--
TAI64 timestamp: 4000576f0095
Re: is 'set prio' in pf unidirectional or bidirectional?
Ohh, forgot to mention.. PF by default sets good ToS values on its CARP heartbeats, but we use HP Procurve switches with DiffServ enabled. By default with HP, HP maps the ToS value that PF uses for CARP by default, into a low priority CoS queue! Yes really ;) Don't you just love HP. And on many HP switches, you cannot modify this DiffServ <-> CoS mapping. So the suggestion at the bottom is just to set a ToS that HP switches will prioritise..

Have fun, all the best.

Andy Lemin

On Wed, Jun 15, 2016 at 8:18 PM, Andy Lemin <a...@brandwatch.com> wrote:
> Peter is quite right, to add some examples to his suggestion;
>
> tcpdump -nettti pflog0 <- Shows only dropped packets
> tcpdump -nettti em0 <- Shows all packets on the interface, including ToS
> values and VLAN ID etc.
> tcpdump -nettti vlanX <- Shows only packets on the VLAN without the extra
> info.
>
> Sure you can figure out the rest..
>
> There are also a few caveats to writing good PF QoS rules that some are
> not aware of. For example the PRIO value is copied into the VLAN header as
> the CoS value, but if it is an untagged VLAN the frame won't have a value as
> there is no VLAN header to store it in. I.e. PRIO is only transitive for
> connected VLAN subnets, beyond the nexthop you cannot control layer 2 CoS,
> only layer 3 QoS is transitive.
>
> Also PRIO is strictly speaking internal to the firewall, and it works for
> both ingress and egress, whereas queuing/shaping is egress only. Best to
> think of it as a priority picker or scheduler. I.e. packets get selected
> from the buffers for processing based on their priority whether they are
> input or output buffers (I am only 90% sure of this, so please correct me
> if I am wrong).
>
> Also common good practice assumes that you would normally want to use two
> prio values; E.g.
>
> pass quick on { $if_ext, $if_DMZ } proto { tcp, udp } from any to {
> $int_ip_dns0 } port { 53 } queue (wan_web,wan_pri) set prio (2,4)
>
> The first prio (2) is used for the payload packets in the session (ToS not
> set), and the second prio (4) is used for the control packets (ACKs etc
> because they have the ToS set). This again also sets the VLAN CoS correctly
> for each packet type in the same session.
>
> Another thing to be careful of is setting ToS yourself and using PRIO (and
> if using queues too). For example;
>
> match in proto tcp all scrub (no-df max-mss 1460)
> match in proto { udp, icmp } all scrub (no-df max-mss 1472)
> match out on { $if_ext } proto { tcp, udp } from any to {
> } scrub (no-df max-mss 1420) set (tos ef, prio 7)
>
> The first two lines are just housekeeping. But the third line will set the
> ToS value EF on every single packet in the session (payload and ACKs) for
> the VoIP traffic. This means that the later pass rules will place all
> voip traffic into 'second' "queue" and second "priority".
>
> And if you didn't spot the clue in the first example, yes, I believe state
> does match returning traffic and does apply the prio to return traffic
> also. But you won't see it with tcpdump unless you are using VLANs to
> inspect the CoS field.
>
> In my first example you will also notice I have only one rule that matches
> traffic on both the inside and outside interfaces, so you need to make sure
> you are using the same queue names on both the inside and outside
> interfaces. This is done by adding the "on $if_ext" directive to your
> queues. E.g.
>
> queue ext_root on $if_ext bandwidth 800M
> queue qlocal on $if_ext parent ext_root bandwidth 600M
> queue local_kern on $if_ext parent qlocal bandwidth 6M min 6M burst 10M for 1000ms
> queue local_pri on $if_ext parent qlocal bandwidth 60M min 60M
> queue local_data on $if_ext parent qlocal bandwidth 510M min 100M
> queue qwan on $if_ext parent ext_root bandwidth 190M
> queue wan_rt on $if_ext parent qwan bandwidth 38M min 19M burst 38M for 5000ms
> queue wan_int on $if_ext parent qwan bandwidth 19M min 9M
> queue wan_pri on $if_ext parent qwan bandwidth 19M min 10M burst 25M for 2000ms
> queue wan_vpn on $if_ext parent qwan bandwidth 50M min 25M
> queue wan_web on $if_ext parent qwan bandwidth 19M min 10M burst 19M for 3000ms
> queue wan_dflt on $if_ext parent qwan bandwidth 19M min 10M burst 19M for 5000ms
> queue wan_bulk on $if_ext parent qwan bandwidth 20M max 50M default
>
> queue trunk_root on $if_trunk bandwidth 4294M
> queue qlocal on $if_trunk parent trunk_root bandwidth 4.1G
> queue local_kern on $if_trunk parent qlocal bandwidth 8M min 8M
Re: is 'set prio' in pf unidirectional or bidirectional?
the trunk interface, and not each VLAN. This way you can share your total download transit bandwidth across all internal VLANs instead of having to divide it out across the VLANs.

Hope that makes sense.

Just for some extra reading I have attached a paper that explains HFSC (the underlying queuing algorithm).

  PF Queue "bandwidth" = Link Sharing Service Curve
  PF Queue "min"       = Realtime Service Curve
  PF Queue "burst"     = Short-term realtime service curve for delay target
  PF queue "for"       = time 't' for burst (delay target to be achieved within this initial period).

And I have also attached a PF Packet Flow diagram I made (it's not 100% accurate, I need to update it but it should help).

And lastly just for fun if you are using CARP with busy layer 2 networks where you are having problems with heartbeat delay, this solves that, again not perfect, just ideas for you;

  pass out quick proto carp keep state (no-sync) queue local_kern set (prio 7, tos ef)
  pass in quick proto carp keep state (no-sync) set (prio 7, tos ef)
  pass out quick inet6 proto carp from { fe80::/10 } to { ff00::/8 } keep state (no-sync) queue local_kern set (prio 7, tos ef)
  pass in quick inet6 proto carp from { fe80::/10 } to { ff00::/8 } keep state (no-sync) set (prio 7, tos ef)
  pass quick on { $if_pfsync_dev } proto pfsync keep state (no-sync) set (prio 7, tos ef)

Kind regards, Andy.

On Wed, Jun 15, 2016 at 11:02 AM, Peter N. M. Hansteen <pe...@bsdly.net> wrote:
> This is one of the cases where the best possible answer is, "tcpdump
> is your friend".
>
> You have outlined a number of test cases. It would be really useful if
> you try each one of them, and use tcpdump to record and identify the
> effects of each one. It's worth noting that tcpdump with the right
> options is able to display information such as the packets' ToS and
> which rule in the loaded PF rule set the packet matched.
>
> If you run those tests properly and report your findings, I'm sure it
> will be appreciated.
>
> - --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
> "Remember to set the evil bit on all malicious network traffic"
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

[demime 1.01d removed an attachment of type application/pdf which had a name of A Hierarchical Fair Service Curve Algorithm.pdf]

[demime 1.01d removed an attachment of type application/pdf which had a name of OpenBSDPFPacketFlow-Jan2016.pdf]
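The HFSC queue trees quoted in this thread (and the same $if_trunk tree in the VLAN output-errors thread above) can be sanity-checked offline before loading them. This is an added example, not code from the list or from OpenBSD: it assumes pf.conf K/M/G suffixes are decimal multipliers in bits per second, that the ~4.2 Gbit/s ceiling the threads mention is a 32-bit bits-per-second field, and it embeds the trunk queue definitions as constructed sample input.

```python
import re
from collections import namedtuple
from decimal import Decimal

# Assumption: pf.conf bandwidth suffixes are decimal multipliers, bits per second.
UNIT = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}
# Assumption: the ~4.2 Gbit/s ceiling discussed on the list is a 32-bit field.
MAX_BW = 2**32 - 1

QUEUE_RE = re.compile(
    r"^queue\s+(?P<name>\S+)\s+on\s+(?P<ifname>\S+)"
    r"(?:\s+parent\s+(?P<parent>\S+))?"
    r"\s+bandwidth\s+(?P<bw>[\d.]+[KMG]?)(?P<rest>.*)$"
)
OPT_RE = re.compile(r"\b(min|max|burst)\s+([\d.]+[KMG]?)")

# bandwidth = HFSC link-share curve, min = realtime curve, max = upper limit (as the thread maps them)
Queue = namedtuple("Queue", "name ifname parent bandwidth opts default")


def parse_bw(text):
    """'4.1G' -> 4100000000 bit/s. Decimal keeps 4.1G exact; float*10**9 would truncate to 4099999999."""
    m = re.fullmatch(r"([\d.]+)([KMG]?)", text)
    if not m:
        raise ValueError(f"bad bandwidth {text!r}")
    return int(Decimal(m.group(1)) * UNIT[m.group(2)])


def parse_queues(conf):
    """Collect 'queue NAME on IF [parent P] bandwidth X ...' lines; every other pf.conf line is ignored."""
    queues = {}
    for line in conf.splitlines():
        m = QUEUE_RE.match(line.strip())
        if not m:
            continue
        opts = {k: parse_bw(v) for k, v in OPT_RE.findall(m["rest"])}
        default = re.search(r"\bdefault\b", m["rest"]) is not None
        queues[m["name"]] = Queue(m["name"], m["ifname"], m["parent"],
                                  parse_bw(m["bw"]), opts, default)
    return queues


def check_queues(queues):
    """Return human-readable problems; an empty list means the tree passed every check."""
    problems = []
    children_bw = {}
    defaults = {q.ifname: 0 for q in queues.values()}
    for q in queues.values():
        if q.bandwidth > MAX_BW:
            problems.append(f"{q.name}: bandwidth {q.bandwidth} exceeds 32-bit limit {MAX_BW}")
        if q.opts.get("min", 0) > q.bandwidth:
            problems.append(f"{q.name}: min (realtime) is above bandwidth (link-share)")
        if "max" in q.opts and q.opts["max"] < q.bandwidth:
            problems.append(f"{q.name}: max is below bandwidth")
        if q.parent is not None:
            if q.parent not in queues:
                problems.append(f"{q.name}: unknown parent {q.parent}")
            children_bw[q.parent] = children_bw.get(q.parent, 0) + q.bandwidth
        if q.default:
            defaults[q.ifname] += 1
    # Children of one parent should not ask for more link-share than the parent has.
    for parent, total in children_bw.items():
        if parent in queues and total > queues[parent].bandwidth:
            problems.append(f"{parent}: children sum to {total} bit/s but parent has "
                            f"{queues[parent].bandwidth} bit/s")
    for ifname, n in defaults.items():
        if n != 1:
            problems.append(f"{ifname}: {n} default queues, expected exactly one")
    return problems


# Constructed sample: the $if_trunk queue tree quoted on the list, plus one match rule.
TRUNK_QUEUES = """
queue trunk_root on $if_trunk bandwidth 4294M
queue qlocal on $if_trunk parent trunk_root bandwidth 4.1G
queue local_kern on $if_trunk parent qlocal bandwidth 8M min 8M burst 8M for 1000ms
queue local_pri on $if_trunk parent qlocal bandwidth 150M min 150M burst 200M for 2500ms qlimit 500
queue local_data on $if_trunk parent qlocal bandwidth 4G min 1G qlimit 1000
queue qwan on $if_trunk parent trunk_root bandwidth 190M
queue wan_rt on $if_trunk parent qwan bandwidth 30M min 19M burst 38M for 5000ms
queue wan_int on $if_trunk parent qwan bandwidth 19M min 9M
queue wan_pri on $if_trunk parent qwan bandwidth 19M min 10M burst 25M for 2000ms
queue wan_vpn on $if_trunk parent qwan bandwidth 50M min 25M
queue wan_web on $if_trunk parent qwan bandwidth 29M min 10M burst 19M for 3000ms
queue wan_dflt on $if_trunk parent qwan bandwidth 19M min 10M burst 19M for 5000ms
queue wan_bulk on $if_trunk parent qwan bandwidth 20M max 100M default
match out on INSIDE all received-on INSIDE queue (local_data,local_pri) set prio (2,4)
"""

if __name__ == "__main__":
    for problem in check_queues(parse_queues(TRUNK_QUEUES)):
        print(problem)
```

On the trunk tree the only finding is that qlocal's children (8M + 150M + 4G) ask for more than qlocal's 4.1G, while the 4294M root sits just under the 32-bit ceiling.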
Re: pf changes port on udp nat-to and rdr-to reply packets (RTP stream)
Because of this "Remember that static-port means you can't have two machines behind the same NAT using the same source port and destination.", you should instead probably use "binat-to" as a good practice. This will help force you to not be able to accidentally reuse the same public IP for another internal server. SIP uses a lot of ports, and so it really does need its own public IP with a one to one mapping to the private IP.

If you have remote SIP phone clients that need to run over the gateway too (not just a SIP trunk), the following helped us keep client registrations alive;

  set timeout { udp.first 1200, udp.single 600, udp.multiple 1800 }

Cheers, Andy.

On Thu, Jun 9, 2016 at 11:40 PM, Stuart Henderson <s...@spacehopper.org> wrote:
> On 2016-06-09, Markus Wernig <liste...@wernig.net> wrote:
> > On 06/09/2016 08:03 PM, Bryan Vyhmeister wrote:
> >> On Thu, Jun 9, 2016, at 10:48 AM, Markus Wernig wrote:
> >>> Short question:
> >>> How do I prevent pf from changing the source port of outgoing natted udp
> >>> packets?
> >>
> >> Did you look at static-port in pf.conf(5)?
> >
> > Argh! I had overlooked that. Shame. Works now.
>
> Remember that static-port means you can't have two machines behind
> the same NAT using the same source port and destination.
>
> If it's OK to change the source port as long as it ends up within
> a certain port range, you can do something like 'nat-to $address port
> 8000:9000'.
>
5.9 is the best release yet, very excited for 6.0 - but worried some things will be missing that will ruin the fanfare
Not to say previous releases haven't been as great (they all are), but I must say that 5.9 really does feel like a huge step towards a massive milestone (well done), and 6.0 will hopefully be the release that kills the GIANT lock for OpenBSD as a firewall. So really thank you..

For ourselves, the biggest anticlimax for OpenBSD 6.0 would be, still no 64bit support for the Queue size.. :( OpenBSD can shift traffic at well above 4.2Gbps now, so it's such a shame to be superficially limited to 4Gbps still :(

And a small, but "nice to have" would be; Bandwidth defined as percentages of the parent queue.

Just wishing, nothing else ;)

Humbly yours, Andy.
Possible SNMPD Bug - IF-MIB::ifInDiscards (and maybe ifOutDiscards) report the same value for every single interface :(
Hi list :)

We have noticed our monitoring systems are reporting and alerting the wrong data for OpenBSD Interface Discards since adding all the OpenBSD firewalls to our new Monitoring system.

And we have proven that it is SNMPD which is returning the same value for every single interface with;

  root@intermap:/opt/observium# snmpwalk -v2c -c 10.10.4.3 IF-MIB::ifInDiscards
  IF-MIB::ifInDiscards.1 = Counter32: 10837445
  IF-MIB::ifInDiscards.2 = Counter32: 10837445
  IF-MIB::ifInDiscards.3 = Counter32: 10837445
  IF-MIB::ifInDiscards.4 = Counter32: 10837468
  IF-MIB::ifInDiscards.5 = Counter32: 10837468
  IF-MIB::ifInDiscards.6 = Counter32: 10837468
  IF-MIB::ifInDiscards.7 = Counter32: 10837468
  IF-MIB::ifInDiscards.8 = Counter32: 10837468
  IF-MIB::ifInDiscards.9 = Counter32: 10837468
  IF-MIB::ifInDiscards.10 = Counter32: 10837468
  IF-MIB::ifInDiscards.11 = Counter32: 10837468
  IF-MIB::ifInDiscards.12 = Counter32: 10837468
  IF-MIB::ifInDiscards.13 = Counter32: 10837468
  IF-MIB::ifInDiscards.14 = Counter32: 10837468
  IF-MIB::ifInDiscards.15 = Counter32: 10837468
  IF-MIB::ifInDiscards.16 = Counter32: 10837468
  IF-MIB::ifInDiscards.17 = Counter32: 10837468
  IF-MIB::ifInDiscards.18 = Counter32: 10837468
  IF-MIB::ifInDiscards.19 = Counter32: 10837468

So it seems impossible to track down which interface is discarding packets?

We have a few firewalls which experience a _lot_ of Discards. This in itself is not terrible, but we would really like to know on which interface they are occurring, and ideally why so many, and resolve if possible. Other firewalls are low figures and so just normal network traffic.

"netstat -s" is great, but that is system wide and only shows a single discard counter. Is there a command that will show me a summary (like netstat -s) of the individual reasons for Discarded packets etc, even globally? (Buffer full, Queue Drops, Unknown VLAN etc..).

Example from our monitoring;

As always, Humbly thank you for your time and great efforts :)

Cheers, Andy.
[demime 1.01d removed an attachment of type image/png which had a name of OpenBSD Packet Discards.png]
Re: hostname.carp - CARP Bootup Woes Correct layout / format for >=5.9 - man page for hostname.carp
Just if it helps anyone else having similar problems with CARP (was hoping someone would make a comment about the man page for hostname.carp if it is going to be so fussy about the order of parameters).

- Anyway for a hostname.carpX file, the mandatory "carpdev" must always be the first parameter, and if you are using "carppeer", it must come after the IP addresses;

hostname.carp1;

  carpdev ix0 advbase 2 advskew 10 pass carppass vhid 1
  inet 10.2.1.254 255.255.255.0 10.2.1.255
  carppeer 10.2.1.253

- If your CARP interface's "carpdev" is a VLAN, the vlandev must also always be the first parameter. And if you are using IPv6 you seem to also need the "eui64" to stop all v6 errors even though the link-local is created just by defining an inet6;

hostname.carp11;

  carpdev vlan11 advbase 2 advskew 10 pass carppass vhid 11
  inet 10.2.11.254 255.255.255.0 10.2.11.255
  inet6 2a12:12e0:2:11::254 64
  inet6 eui64
  carppeer 10.2.11.253

hostname.vlan11;

  vlandev ix0 vlan 11
  inet 10.2.11.252 255.255.255.0 10.2.11.255
  inet6 2a12:12e0:2:11::252 64
  inet6 eui64
  group INSIDE

The above examples work perfectly. At boot up, the CARP interfaces gracefully start INIT->Backup (without a Master flap), and no errors are seen in dmesg.

This is not obvious after working with the ifconfig commands, and there is no man so I hope this helps some people :)

Cheers, All the best, Andy.

On Wed, May 18, 2016 at 11:24 AM, Andy Lemin <a...@brandwatch.com> wrote:
> Hi Martin,
>
> Thanks for your suggestion.
>
> Indeed it does clear the SIOCAIFADDR errors, however there are new errors
> and the config is more unstable :(
>
> - New boot errors are; "carp0: master_down event in INIT state"
>
> - Instability after the firewall has booted; CARP statuses initialise as
> Backup (and don't go Master temporarily) as they should do. Great..
> But, if we now run "sh /etc/netstart" to make any change, the CARP
> interfaces fall into "status: invalid" and cannot be made functional
> again until another reboot.
>
> The previous config with the SIOCAIFADDR errors is more stable, because
> at least we can run "sh /etc/netstart" and make changes to the firewall
> without needing a reboot each time?
>
> What do you think is going on?
> And just to play devil's advocate, why is there not a man page for
> hostname.carp?
>
> New hostname.carp0
> carpdev ix0 advbase 2 advskew 10 carppeer 10.255.12.3 pass testpass vhid 212
> inet 10.255.12.1 255.255.255.0 10.255.12.255
> inet6 2a00:77e0:255:12::1 64
> inet6 eui64
> description "4D_CDC_VPLS"
>
> Cheers, Andy.
>
> On Tue, May 17, 2016 at 5:37 PM, Martin Pieuchot <m...@openbsd.org> wrote:
>
>> On 17/05/16(Tue) 16:37, Andy Lemin wrote:
>> > Hi Misc,
>> >
>> > Since 5.9 (maybe earlier), we noticed that our CARP interfaces no longer
>> > behave as before, don't initialise properly on boot up, and throw errors at
>> > boot.
>> >
>> > I know there has been lots of changes, especially IPv6. So hopefully this
>> > is a simple question and I'm just being stupid, and unable to find a man
>> > page that explains the correct format for hostname.carp ?
>> >
>> > Otherwise if there really is no man page for hostname.carp, then could
>> > someone please point us in the right direction.
>> >
>> > - Using the following examples;
>> > hostname.ix0
>> > inet 10.255.12.2 255.255.255.0 10.255.12.255
>> > inet6 2a00:77e0:255:12::2 64
>> > inet6 eui64
>> > description "BACKHAUL"
>> > !route add -net 10.1.0.0/16 10.255.12.254
>> >
>> > hostname.carp0
>> > inet 10.255.12.1 255.255.255.0 10.255.12.255
>> > inet6 2a00:77e0:255:12::1 64
>> > advbase 2 advskew 10 carpdev ix0 carppeer 10.255.12.3 pass testpass vhid 212
>> > inet6 eui64
>> > description "BACKHAUL"
>> >
>> > - The following errors at boot are seen multiple times;
>> > ifconfig: SIOCAIFADDR: Invalid argument
>>
>> That's because you're trying to add addresses *before* configuring
>> a "carpdev" (parent) interface.
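A small lint for the hostname.carpN ordering worked out in this thread, as an added example (not OpenBSD's code and not the poster's). The rules it enforces are the thread's observations, not a documented contract: carpdev (or vlandev) first, carppeer after every inet/inet6 line, and an explicit "inet6 eui64" alongside any inet6 address; the working carp1 file and the original carp0 file from the first post are embedded as constructed sample input.

```python
from typing import List

# Constructed samples, copied from the thread: the working carp1 file and the
# original carp0 file that produced "ifconfig: SIOCAIFADDR: Invalid argument" at boot.
WORKING_CARP1 = """\
carpdev ix0 advbase 2 advskew 10 pass carppass vhid 1
inet 10.2.1.254 255.255.255.0 10.2.1.255
carppeer 10.2.1.253
"""
ORIGINAL_CARP0 = """\
inet 10.255.12.1 255.255.255.0 10.255.12.255
inet6 2a00:77e0:255:12::1 64
advbase 2 advskew 10 carpdev ix0 carppeer 10.255.12.3 pass testpass vhid 212
inet6 eui64
description "BACKHAUL"
"""


def lint_hostname_if(text: str, parent_kw: str = "carpdev") -> List[str]:
    """Check one hostname.if(5) file against the ordering the thread settled on.

    parent_kw is 'carpdev' for hostname.carpN and 'vlandev' for hostname.vlanN;
    '!' command lines are ignored. Returns a list of problems, empty when OK."""
    lines = [ln.split() for ln in text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("!")]
    if not lines:
        return ["empty file"]
    problems: List[str] = []
    # 1. The parent device must be the very first parameter in the file,
    #    otherwise addresses get added before the parent exists (SIOCAIFADDR).
    if lines[0][0] != parent_kw:
        problems.append(f"{parent_kw} must be the first parameter, found {lines[0][0]!r}")
    # 2. carppeer must come after every inet/inet6 line (including 'inet6 eui64').
    addr_lines = [i for i, w in enumerate(lines) if w[0] in ("inet", "inet6")]
    peer_lines = [i for i, w in enumerate(lines) if "carppeer" in w]
    if addr_lines and peer_lines and peer_lines[0] <= max(addr_lines):
        problems.append("carppeer must come after all inet/inet6 lines")
    # 3. Any inet6 address needs an explicit 'inet6 eui64' as well.
    has_v6_addr = any(w[0] == "inet6" and w[1:2] != ["eui64"] for w in lines)
    has_eui64 = any(w[:2] == ["inet6", "eui64"] for w in lines)
    if has_v6_addr and not has_eui64:
        problems.append("inet6 address configured without 'inet6 eui64'")
    return problems


if __name__ == "__main__":
    for name, text in (("carp1", WORKING_CARP1), ("carp0", ORIGINAL_CARP0)):
        print(name, lint_hostname_if(text) or "OK")
```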
Re: hostname.carp - CARP Bootup Woes Correct layout / format for >=5.9 - man page for hostname.carp
Hi Martin,

Thanks for your suggestion.

Indeed it does clear the SIOCAIFADDR errors, however there are new errors and the config is more unstable :(

- New boot errors are; "carp0: master_down event in INIT state"

- Instability after the firewall has booted; CARP statuses initialise as Backup (and don't go Master temporarily) as they should do. Great.. But, if we now run "sh /etc/netstart" to make any change, the CARP interfaces fall into "status: invalid" and cannot be made functional again until another reboot.

The previous config with the SIOCAIFADDR errors is more stable, because at least we can run "sh /etc/netstart" and make changes to the firewall without needing a reboot each time?

What do you think is going on?

And just to play devil's advocate, why is there not a man page for hostname.carp?

New hostname.carp0

  carpdev ix0 advbase 2 advskew 10 carppeer 10.255.12.3 pass testpass vhid 212
  inet 10.255.12.1 255.255.255.0 10.255.12.255
  inet6 2a00:77e0:255:12::1 64
  inet6 eui64
  description "4D_CDC_VPLS"

Cheers, Andy.

On Tue, May 17, 2016 at 5:37 PM, Martin Pieuchot <m...@openbsd.org> wrote:
> On 17/05/16(Tue) 16:37, Andy Lemin wrote:
> > Hi Misc,
> >
> > Since 5.9 (maybe earlier), we noticed that our CARP interfaces no longer
> > behave as before, don't initialise properly on boot up, and throw errors at
> > boot.
> >
> > I know there has been lots of changes, especially IPv6. So hopefully this
> > is a simple question and I'm just being stupid, and unable to find a man
> > page that explains the correct format for hostname.carp ?
> >
> > Otherwise if there really is no man page for hostname.carp, then could
> > someone please point us in the right direction.
> >
> > - Using the following examples;
> > hostname.ix0
> > inet 10.255.12.2 255.255.255.0 10.255.12.255
> > inet6 2a00:77e0:255:12::2 64
> > inet6 eui64
> > description "BACKHAUL"
> > !route add -net 10.1.0.0/16 10.255.12.254
> >
> > hostname.carp0
> > inet 10.255.12.1 255.255.255.0 10.255.12.255
> > inet6 2a00:77e0:255:12::1 64
> > advbase 2 advskew 10 carpdev ix0 carppeer 10.255.12.3 pass testpass vhid 212
> > inet6 eui64
> > description "BACKHAUL"
> >
> > - The following errors at boot are seen multiple times;
> > ifconfig: SIOCAIFADDR: Invalid argument
>
> That's because you're trying to add addresses *before* configuring
> a "carpdev" (parent) interface.
hostname.carp - CARP Bootup Woes Correct layout / format for >=5.9 - man page for hostname.carp
Hi Misc,

Since 5.9 (maybe earlier), we noticed that our CARP interfaces no longer behave as before, don't initialise properly on boot up, and throw errors at boot.

I know there has been lots of changes, especially IPv6. So hopefully this is a simple question and I'm just being stupid, and unable to find a man page that explains the correct format for hostname.carp?

Otherwise if there really is no man page for hostname.carp, then could someone please point us in the right direction.

- Using the following examples;

  hostname.ix0
    inet 10.255.12.2 255.255.255.0 10.255.12.255
    inet6 2a00:77e0:255:12::2 64
    inet6 eui64
    description "BACKHAUL"
    !route add -net 10.1.0.0/16 10.255.12.254

  hostname.carp0
    inet 10.255.12.1 255.255.255.0 10.255.12.255
    inet6 2a00:77e0:255:12::1 64
    advbase 2 advskew 10 carpdev ix0 carppeer 10.255.12.3 pass testpass vhid 212
    inet6 eui64
    description "BACKHAUL"

- The following errors at boot are seen multiple times;
    ifconfig: SIOCAIFADDR: Invalid argument

- The firewall boots up immediately as CARP Master, causing multi-Master :(

- Running "pfctl -sr -vv" shows it's running the default ruleset, even though rc.conf (pf=YES) is default and "/etc/rc" shows it should load the PF rules.. We believe this to be the cause of the multi-master as running "pfctl -f /etc/pf.conf" and "sh /etc/netstart" resolves it and CARP goes Backup.

  I have added the following lines to "/etc/rc.local" so that the firewall can at least be rebooted (but only after carp goes INIT -> MASTER -> BACKUP);
    pfctl -f /etc/pf.conf
    sh /etc/netstart

- Lastly, Errors and Discards are now also being occasionally seen on the CARP interfaces - Is there a change to the SNMPD and do we have to update our MIBs? Or if it is legit, what circumstances would a CARP interface see errors or discards?

Thank you kindly in advance for your time and thoughts.

Cheers, Andy.

NB; We have been running CARP without problems since OpenBSD 4.9.

We have read; http://www.openbsd.org/faq/upgrade59.html, upgrade58, upgrade57 and upgrade56

We know about "man hostname.if" but this does not include any carp examples, syntax, or general implementation (how ifconfig maps in etc) for hostname.carp.
Re: OT: Looking for email host with qmail like minus-addressing for custom domain
Thus said Gilles Chehade on Thu, 03 Mar 2016 22:48:57 +0100:

> > I don't see this as necessarily an argument for or against - vs +
>
> too bad, it means my friend jean-pierre will not be able to be hosted
> by you if you already host my other friend jean ;-)

This is true, obviously. If one user has jean and jean-* then clearly jean-pierre@ is already taken. That doesn't mean I cannot host your friend jean-pierre, it just means he cannot have jean-pierre@, maybe he will settle for jean_pierre@ or jean+pierre@, or any other combination that suits him and is allowed by the hosting software/MTA.

Given the predominance of @gmail.com email addresses, clearly this is not a problem for the majority of people in the email world. There can only ever be one jean-pie...@gmail.com, right? Which means if your friend jean-pierre has jean-pie...@gmail.com, then necessarily my friend jean-pierre cannot also have jean-pie...@gmail.com. Bummer.

Andy

--
TAI64 timestamp: 400056d916f3
Re: OT: Looking for email host with qmail like minus-addressing for custom domain
Thus said "Constantine A. Murenin" on Thu, 03 Mar 2016 15:09:46 -0600:

> > The MTA will decide who will get foo-bar@.
>
> How? A /dev/mind RPC? :-)

Because the MTA is configured to handle it? :-)

> And what happens if a "conflicting" user gets created after a mail was
> sent, but before it was delivered? "This behaviour is undefined"?

I'm not exactly sure what you mean by conflicting... The MTA, again, will already be configured to deal with addresses and mapping them to users. And the behavior is not undefined. If an email address exists and the MTA knows about the email address it will get delivered if the username configured to receive it exists. If the MTA knows about it, but the OS doesn't know about it, the MTA will queue it up until the local user who is supposed to receive it is created. If the username exists and the MTA doesn't have an email address for it, the email will bounce.

My MTA can handle both + and - for email addresses and can map email addresses to local users in any fashion that the OS supports. For example, let's assume I have a local user named foo and I have assigned an email address foo@ and I have configured that email address to accept wildcard extensions (e.g. foo-*@ gets delivered to username test). Then, I create a local user named foo-bar. Clearly now, I cannot give the local username foo-bar an email address of foo-bar@ because, well, that is already superseded by test's wildcard claim on the address. Assuming that I had to give the user that username, what email address could I give him?

Anything I want, as long as it is not part of foo-*@

I have the following mapping which permits username foo to receive email for foo@, foo-*@, and foo+*@, and another mapping which permits username foo-bar to receive email for foo_bar@ and foo_bar-*@:

    =foo:foo:1004:1004:/home/foo:-::
    +foo-:foo:1004:1004:/home/foo:-::
    +foo+:foo:1004:1004:/home/foo:-::
    =foo_bar:foo-bar:1003:1003:/home/foo-bar:-::
    +foo_bar:foo-bar:1003:1003:/home/foo-bar:-::

Is this sensible to do? Who knows, but the point is, just because - exists in usernames doesn't necessarily mean that it shouldn't be used in email extensions. Must there be a one-to-one mapping between email addresses and local usernames? In many systems it is typical for the email address to not even remotely resemble a local username.

Thanks,

Andy

--
TAI64 timestamp: 400056d912b2
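To make the mapping above concrete, here is an added example (my code, not Andy's MTA configuration) that resolves a local part against the five lines he posted. It assumes a simple lookup order: an "=exact" entry wins, otherwise the longest matching "+prefix" entry wins, otherwise the address bounces. That order is an assumption for illustration, not a description of any particular MTA; the table itself is copied from the post.

```shell
#!/bin/sh
# Added example (not from the thread): toy resolver for "=local" (exact) and
# "+prefix" (wildcard) mapping lines, deciding which local account receives
# a given local part. Lookup order (an assumption): exact match, then the
# longest matching prefix, otherwise bounce.

# Mapping table copied from the post above.
assign_table() {
    cat <<'EOF'
=foo:foo:1004:1004:/home/foo:-::
+foo-:foo:1004:1004:/home/foo:-::
+foo+:foo:1004:1004:/home/foo:-::
=foo_bar:foo-bar:1003:1003:/home/foo-bar:-::
+foo_bar:foo-bar:1003:1003:/home/foo-bar:-::
EOF
}

# resolve_local_part LOCALPART -> prints the receiving account, or BOUNCE
resolve_local_part() {
    assign_table | awk -F: -v lp="$1" '
        # "=name": the whole local part must match
        substr($1, 1, 1) == "=" && substr($1, 2) == lp { exact = $2 }
        # "+prefix": the local part must start with prefix; keep the longest
        substr($1, 1, 1) == "+" {
            p = substr($1, 2)
            if (index(lp, p) == 1 && length(p) > best) { best = length(p); user = $2 }
        }
        END {
            if (exact != "")     print exact
            else if (user != "") print user
            else                 print "BOUNCE"
        }'
}

# Show where each address ends up; foo-bar@ goes to foo (the wildcard
# claim), while the foo-bar account is reachable only as foo_bar@.
for addr in foo foo-bar foo+pierre foo_bar foo_bar-lists bar; do
    printf '%-14s -> %s\n' "$addr@" "$(resolve_local_part "$addr")"
done
```

The run illustrates the point of the thread: foo-bar@ resolves to account foo because "+foo-" already claims it, so the account named foo-bar has to be given a different address (foo_bar@), and anything not covered by a line bounces.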
Re: OT: Looking for email host with qmail like minus-addressing for custom domain
Thus said Gilles Chehade on Thu, 03 Mar 2016 10:14:48 +0100:

> Who should get mail for foo-bar@ ?

The MTA will decide who will get foo-bar@.

> This just doesn't happen with + because:

It also doesn't happen with an MTA that can figure these things out. I don't see this as necessarily an argument for or against - vs +

Andy

--
TAI64 timestamp: 400056d8a13e
Re: Industrial use of line printers, does/would your company/organization use them with our lpd?
Thus said Chris Cappuccio on Thu, 18 Feb 2016 17:09:38 -0800:

> aren't there plenty of simple pre-processor scripts that people are
> using with lp to turn whatever into some output for simple dumb
> printers? CUPS is so annoying and stupid, it's not even funny

Perhaps apsfilter?

Andy

--
TAI64 timestamp: 400056c676d2
Re: Industrial use of line printers, does/would your company/organization use them with our lpd?
Thus said Tobias Ulmer on Wed, 17 Feb 2016 19:51:28 +0100:

> No really, it is outdated beyond rescue.

But it does work (at least in some configurations). To enable my PostScript printers, all I have to do is add a single line to /etc/printcap... well, maybe 2 lines.

    printer:\
        :lp=:rm=printer:rp=lp:sd=/var/spool/output/printer:\
        :lf=/var/log/lpd-errs:sh:

That's it. Can it be more simple? CUPS is a nightmare, however it too works if one wants to spend the time with it. For non-PostScript printers, it would be nice to be able to just use :if: in the printcap (which I do use successfully with another non-PostScript printer):

    :if=/var/spool/output/printer/filter

Of course, this would require the ability to figure out what kinds of things need to go into the filter. I suppose this is one of the things that CUPS tries to solve but without the simplicity of :if:

Anyway, just some musings. Is there anyone else out there using lpr/lpd/lprm from base? Maybe I'm the only one?

Thanks,

Andy

--
TAI64 timestamp: 400056c556b3
Re: 64 Queue Size, ARC routing, MP Networking, OpenBSD 5.9
Thanks guys :) As always I will report back on testing results. I have a lot of DR traffic (multiple TBs daily) I can push through this to see how it fares..

Thanks Andy.

On Tue, Feb 9, 2016 at 4:33 PM, Stuart Henderson <s...@spacehopper.org> wrote:
> On 2016/02/09 08:22, Chris Cappuccio wrote:
> > Andy Lemin [a...@brandwatch.com] wrote:
> > >
> > > > ART not ARC. It's not enabled by default, you'll need to build
> > > > a new kernel to use it.
> > >
> > > Any clues how to enable "ART" when building? ;)
> > >
> >
> > Put "option ART" in your kernel config, that's it. It seems to work in various
> > corner cases but won't be enabled by default until after 5.9 because "seems"
> > isn't good enough at this stage.
>
> Last time I tried it, minidlna broke (upnp multicast). I'll have to
> try it again sometime..
Re: 64 Queue Size, ARC routing, MP Networking, OpenBSD 5.9
Hi Stuart,

Good to hear from you! Hope you are well.

> > 1) Will 5.9 have a 64bit integer for the queue sizes, or are we still
> > limited to ~4294M?
>
> There haven't been any changes in that area.

Hi Henning, with the current MP works in progress this limit is about to become a very superficial bottleneck for a lot of people? I know it hasn't been an issue in the past as no one could get close to 4.3Gbps anyway.. Do you think you will find time to change this to a 64bit on -current soon?

> > 2) When 5.9 comes out, will the new ARC routing table be enabled by
> > default? If not can we turn it on without building from source?
>
> ART not ARC. It's not enabled by default, you'll need to build
> a new kernel to use it.

Any clues how to enable "ART" when building? ;)

> > 3) Does anyone know which parts of the Network stack will have MP support
> > in 5.9?
> > MP NIC Interrupts, yes/no?
> > MP Network Stack, yes/no?
> > MP Queueing, yes/no?
> > MP PF, yes/no?
> > HW Offloading and other general MP NIC driver stuff (em(), ix()) yes/no?
> > Any other important parts needing MP?

Knowing these would be helpful to gauge performance expectations in testing..

Hahaha, yes. Managing Commercial Firewalls = Shoot me now!

PS; I have also updated the OpenBSD Packet Flow diagram some more;
https://www.lucidchart.com/publicSegments/view/06b87350-b11c-4732-a72c-5842126d9058

Please fire over any corrections. I haven't had an answer to this query though, can anyone help?

"I would suggest adding a box for "Address & Port Translation (nat-to, rdr-to, binat-to, af-to)" right after "State Generate" in both ingress and egress, and have the "state exists" path merge into that step. I'll bow to your knowledge if you tell me this is correct, but isn't the state created *after* the nat-to/rdr-to etc is applied as the state stores both the inside IP and the outside IP etc? Or does this second box also append this extra info to the state that was created at the previous step (Packet Filtering)?"

Thanks everyone, Andy.

On Sun, Feb 7, 2016 at 9:06 PM, Stuart Henderson <s...@spacehopper.org> wrote:
> On 2016-02-07, Andy Lemin <a...@brandwatch.com> wrote:
> > Hi everyone,
> >
> > Just a couple very quick 5.9 questions;
> >
> > 1) Will 5.9 have a 64bit integer for the queue sizes, or are we still
> > limited to ~4294M?
>
> There haven't been any changes in that area.
>
> > 2) When 5.9 comes out, will the new ARC routing table be enabled by
> > default? If not can we turn it on without building from source?
>
> ART not ARC. It's not enabled by default, you'll need to build
> a new kernel to use it.
>
> > 3) Does anyone know which parts of the Network stack will have MP support
> > in 5.9?
> > MP NIC Interrupts, yes/no?
> > MP Network Stack, yes/no?
> > MP Queueing, yes/no?
> > MP PF, yes/no?
> > HW Offloading and other general MP NIC driver stuff (em(), ix()) yes/no?
> > Any other important parts needing MP?
> >
> > It is difficult to understand where we are currently. I know we are
> > excitingly close with the MP work (and thank you again for such amazing
> > work!), but we need to know for business decision reasons because simply we
> > are growing faster than OpenBSD's performance is, and we also have a new
> > VP.
> >
> > So I'm deeply saddened to realise that if the MP networking commits do not
> > make it in to get us above 4Gbps in 5.9 we will have to say goodbye to
> > OpenBSD for good (I really seriously don't want to because OpenBSD is
> > better than *any* firewalls out there, but we are still a business and need
> > to make money, and we need more than 2-4Gbps).
> >
> > NB; 4Gbps is all we've managed on our current hardware class and 2Gbps with
> > PF enabled.
> >
> > Hardware:
> > Supermicro X9DRW-iF
> > 4x 1866 DDR3 DIMMS
> > Cpu0/1: Intel(R) Xeon(R) CPU E5-2637 v2 @ 3.50GHz, Turbo+ enabled = 3600.01
> > MHz (Virtualisation, Hyperthreading and extra Cores disabled)
> > Intel 82599 10Gbps NICs
> >
> > We need to be getting closer to 8Gbps with PF enabled by this summer, or
> > I've been told to replace OpenBSD with something faster.. FreeBSD can max
> > the 10G ports, but FBSD is not good enough for us in many other ways, so
> > would mean a move to commercial firewalls (Hurghh).
> >
> > I REALLY don't want to have to walk away from OpenBSD in my current job :_(
> >
> > Cheers, Andy.
> >
> > Thanks everyone, and good luck on these big changes..
>
> Good luck with the commercial firewalls!

[demime 1.01d removed an attachment of type application/pdf which had a name of OpenBSDPFPacketFlow-Jan2016.pdf]
64 Queue Size, ARC routing, MP Networking, OpenBSD 5.9
Hi everyone,

Just a couple very quick 5.9 questions;

1) Will 5.9 have a 64bit integer for the queue sizes, or are we still limited to ~4294M?

2) When 5.9 comes out, will the new ARC routing table be enabled by default? If not can we turn it on without building from source?

3) Does anyone know which parts of the Network stack will have MP support in 5.9?
   MP NIC Interrupts, yes/no?
   MP Network Stack, yes/no?
   MP Queueing, yes/no?
   MP PF, yes/no?
   HW Offloading and other general MP NIC driver stuff (em(), ix()) yes/no?
   Any other important parts needing MP?

It is difficult to understand where we are currently. I know we are excitingly close with the MP work (and thank you again for such amazing work!), but we need to know for business decision reasons because simply we are growing faster than OpenBSD's performance is, and we also have a new VP.

So I'm deeply saddened to realise that if the MP networking commits do not make it in to get us above 4Gbps in 5.9 we will have to say goodbye to OpenBSD for good (I really seriously don't want to because OpenBSD is better than *any* firewalls out there, but we are still a business and need to make money, and we need more than 2-4Gbps).

NB; 4Gbps is all we've managed on our current hardware class and 2Gbps with PF enabled.

Hardware:
Supermicro X9DRW-iF
4x 1866 DDR3 DIMMS
Cpu0/1: Intel(R) Xeon(R) CPU E5-2637 v2 @ 3.50GHz, Turbo+ enabled = 3600.01 MHz (Virtualisation, Hyperthreading and extra Cores disabled)
Intel 82599 10Gbps NICs

We need to be getting closer to 8Gbps with PF enabled by this summer, or I've been told to replace OpenBSD with something faster.. FreeBSD can max the 10G ports, but FBSD is not good enough for us in many other ways, so would mean a move to commercial firewalls (Hurghh).

I REALLY don't want to have to walk away from OpenBSD in my current job :_(

Cheers, Andy.

Thanks everyone, and good luck on these big changes..
Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/
Thus said Tati Chevron on Fri, 11 Dec 2015 13:16:23 +:

> On the other hand, if somebody actually received a fake OpenBSD CD in
> the mail, and it was discovered, it would be a huge news story within
> the IT industry. A bad download, much less so.

My OpenBSD 5.7 CD arrived with a green label affixed to the shipping packaging that claimed it had been inspected by some U.S.A. customs department. It had actually been opened and resealed and the green label placed on it to inform me of said tampering. Did anything change? Is this a fake CD? Who knows. I do know that there was an extra CD in the shipment by The OpenBSD Store, apparently because there were problems with first stamping of the CD. Hopefully signify will protect in this case.

Andy

--
TAI64 timestamp: 4000566c62a4
Re: letsencrypt && https && openbsd.org = https://www.openbsd.org/
Thus said Jason Barbier on Tue, 08 Dec 2015 10:14:37 -0800:

> It is a read only site, the privacy you seek is breached as soon as
> you make a DNS call to openbsd.org

Not to mention the Subject on the SSL certificate will most likely be www.openbsd.org, and perhaps there's also SNI, all of which is transmitted in the plain. If one wants privacy on a website then more is required than just HTTPS.

Andy

--
TAI64 timestamp: 4000566a5669
Re: random.seed question
Thus said Paul de Weerd on Thu, 26 Nov 2015 15:54:11 +0100:

> I'd recommend trying to keep such changes to a minimum: this will be
> overwritten when you upgrade and it becomes a maintenance burden.

Do files in /etc no longer undergo a round of sysmerge before being written?

Thanks,

Andy

--
TAI64 timestamp: 400056575beb
Re: LPR/LPD does not run filters
Thus said Jona Joachim on Sun, 25 Oct 2015 15:11:01 +0100:

> I was tired of CUPS so I decided keep it simple and stupid and use
> lpd/lpr. Strangely, things don't work out as expected. It seems that
> lpd never executes input filters.

I have a system running standard lpd on OpenBSD 5.3 which works with a filter. I have:

    lp|parallel:\
        :lp=/dev/lpa0:\
        :br#57600:\
        :rm=:\
        :rp=:\
        :mx#0:\
        :sd=/var/spool/output/parallel:\
        :lf=/var/log/lpd-errs:\
        :sh:\
        :if=/var/spool/output/parallel/filter

So at least as of OpenBSD 5.3 filters worked just fine with the standard lpd. I cannot say for newer versions as I have not yet upgraded, but I don't know why it should cease to work.

Andy

--
TAI64 timestamp: 4000562d5f56
64 Queue Sizes in OpenBSD 5.8
Hi,

Is there any news whether we'll have 64bit PF queue sizes soon?

Our link between our Primary and DR DCs needs more than 4.2Gbps, but we cannot shape traffic above this due to the 32bit queues. Simply we need to impose shaping to ensure the CDR is not breached. We really need to upgrade the CDR to 6Gbps, but the penalties for taking our 95% percentile above the CDR are very expensive.

Cheers, Andy.
Re: Maybe OT: OpenSSH connection failure unless verbose
Thus said Quartz on Sat, 01 Aug 2015 19:00:56 -0400:

> good day:
> ssh user@server = works just like it should

What about ssh -v user@server on a good day? And more specifically, if you run ssh -v on both a good day and a bad day, what does diff between the two outputs show?

Andy

--
TAI64 timestamp: 400055bd5813
Re: Audio Boost for Sndio
Thus said tekk on Sat, 11 Jul 2015 08:30:00 -0700:

> So e.g. mixerctl -v inputs.dac-0:1=255 sets it to 174,174?

Exactly. inputs.dac-{0:1,2:3}=$value_above_174 simply sets it to 174.

It would be more helpful if instead of describing the problem that you would just copy/paste the result of running the command and report that in an email. For example:

    $ mixerctl -v record.adc-0:1=255
    record.adc-0:1: 120,120 - 248,248

Thanks,

Andy

--
TAI64 timestamp: 400055a14376
Re: PF Packet Flow Diagram
Hi Ryan,

On 28 Jun 2015, at 04:04, Ryan McBride <mcbr...@openbsd.org> wrote:
> This is nice, I hope you'll share the editable source file as well.

Currently just scribbling it together on Lucidchart. It's nothing clever like LaTeX source ;) However I can only add a couple of editors? I would be more than happy to give edit rights to anyone who is better informed about this stuff so we can get a good and up-to-date flow diagram which can be publicly shared?

> A few comments:
>
> rdr & nat happen as part of packet filtering now, not as separate ruleset evaluations.

Awesome, thanks. I have changed this, can you check it looks right?
http://postimg.org/image/l172i1vmx/
or
http://s12.postimg.org/40o69dilp/Open_BSD_Packet_Flow.png

It's scruffy but it's getting there :)

> They can both occur on ingress as well as egress packet paths; (binat in pf.conf gets expanded to a pair of nat & rdr rules).
>
> pf now does af translation (NAT64) as well, see af-to in pf.conf(4)

Amazing, thank you. I would suggest adding a box for "Address & Port Translation (nat-to, rdr-to, binat-to, af-to)" right after "State Generate" in both ingress and egress, and have the "state exists" path merge into that step. I'll bow to your knowledge if you tell me this is correct, but isn't the state created after the nat-to and rdr-to is applied as the state stores both the inside IP and the outside IP etc. Or does this second box also append this extra info to the state that was created at the previous step (Packet Filtering)? I haven't added this yet..

> On Thu, Jun 25, 2015 at 10:15:08AM +0100, Andy Lemin wrote:
> > Surprised I've not had any replies for this?
> > http://s12.postimg.org/i4pggq465/Open_BSDPFPacket_Flow.jpg

Thank you so much for your time, I'm all ears for more ?? :)
Re: pf nat and routing question
Hi,

We do exactly the same thing for our wifi network. Users on wifi can *only* use public IP addresses.

The solution is easy, you just have to consider where you do your nat'ing; You can't do binat, so you will need nat-to and rdr-to rules to make it work.

E.g. The following line translates the public IP to the internal IP regardless of whether the connection ingresses the firewall from the outside web, or from your internal wifi network

    match in proto tcp from any to { $ext_ip_rc5 } port { https } rdr-to $int_ip_lard

But the nat-to is only needed on the outside interface

    match out on { $if_ext } from { $int_ip_lard } to any nat-to $ext_ip_rc5

And so you will need three rules.. Ingress pass rule on the external interface, another ingress pass rule on the wifi interface, and an egress pass rule on the DMZ interface where the server is.

If the internal server is on the same LAN as the internal clients that *have* to use the public IP address, then an extra nat-to rule is needed. Keep the same ingress rdr-to rule to translate the public to the private, but you will also need an extra nat-to rule as the packet egresses the firewall to make all connections look like they have come from the firewall. This ensures that when the server replies, it replies back to the firewall, who then replies back to the internal client. Without this rule the internal server would just reply to the internal client directly, meaning the firewall only sees the forward traffic and won't be able to update its states properly and things won't work.

PS; Make sure to be careful about what internal firewall IP you NAT to, and you need to remember that this limits the number of connections to the internal server, as everyone (from internal) will appear to come from the firewall which has a limited number of source ports...

EG; This ensures that if a firewall failover happens (with CARP) that all still works :)

    pass out on $if_lan from ($if_lan:network) to $server nat-to (carp1)

Hope this helps.

A

On 24 Jun 2015, at 12:16, Marko Cupać <marko.cu...@mimar.rs> wrote:
> Hi,
>
> my setup is actually more complicated, but for purpose of this mail I am going to try and keep it simple.
>
> My firewall redirects requests to some service from the Internet to server on private network:
>
> pass in on $ext_if inet proto tcp from any to $srv-pub port $service rdr-to $srv-priv
>
> Internet hosts can access service without problem via its public IP address. Clients on internal network can access service without problem via its private IP address.
>
> Now, I have some clients on internal network who are forbidden communication with private address space, so they need to access service via its public IP address. Unfortunately this does not work.
>
> Hopefully someone already had this problem and will be able to point me in the right direction.
>
> Regards,
> --
> Marko Cupać
> https://www.mimar.rs/
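As an added example (not the configuration from the thread), the rules Andy describes assembled into one pf.conf sketch. Interface names and addresses are constructed placeholders; $ext_ip_rc5 and $int_ip_lard keep the macro names used in the post. The same-LAN variant at the end corresponds to his extra nat-to rule and is commented out because it only applies when client and server share a segment.

```pf
# Added example: NAT reflection for clients that must use the public
# address. Interface names and addresses are constructed placeholders.
if_ext = "ix0"
if_lan = "ix1"                   # wifi / internal clients
if_dmz = "ix2"                   # segment holding the server
ext_ip_rc5 = "203.0.113.5"       # public address of the service
int_ip_lard = "10.10.0.5"        # internal address of the server

# 1) Destination translation on every inbound interface: a LAN client that
#    connects to the public address is rewritten to the internal server
#    exactly like a connection arriving from the Internet.
match in proto tcp from any to $ext_ip_rc5 port https rdr-to $int_ip_lard

# 2) Source translation only where the server's own traffic leaves for
#    the Internet, so it is seen under its public address.
match out on $if_ext from $int_ip_lard to any nat-to $ext_ip_rc5

# 3) The three pass rules: ingress on the external and LAN interfaces,
#    egress on the DMZ interface. rdr-to has already been applied by the
#    match rule, so filtering sees the internal address.
pass in  on $if_ext proto tcp from any to $int_ip_lard port https
pass in  on $if_lan proto tcp from $if_lan:network to $int_ip_lard port https
pass out on $if_dmz proto tcp from any to $int_ip_lard port https

# Same-LAN variant: client and server both sit behind $if_lan. Rewrite the
# client source to the firewall's CARP address on the way out so the
# server's replies return through the firewall and the state stays in
# sync. Every internal client then shares that address's source ports,
# which caps concurrent connections to the server.
# pass out on $if_lan proto tcp from $if_lan:network to $int_ip_lard port https nat-to (carp1)
```

Load with pfctl -nf to syntax-check before pfctl -f; with a failover pair, the nat-to target must be a CARP address rather than a physical interface address, otherwise existing reflected sessions break when the master changes.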
Re: PF Packet Flow Diagram
Hi,

On 25 Jun 2015, at 10:31, Jiri B <ji...@devio.us> wrote:
> On Thu, Jun 25, 2015 at 10:15:08AM +0100, Andy Lemin wrote:
> > Surprised I've not had any replies for this?
> > http://s12.postimg.org/i4pggq465/Open_BSDPFPacket_Flow.jpg
> >
> > I copied this from a diagram I found some years ago which has been photocopied a few times and is now intelligible, so thought I'd quickly re-do it. I can't believe nothing has changed in 5 years (I think that's when the original I saw was dated).
> >
> > Anyway, I'll try and message Henning directly and get his thoughts, and I'll post back here once it's got his approval.
> >
> > Cheers, Andy.
>
> IIRC pf packet flow is also influenced by routing which is done before pf. That's why local sourced traffic for remote destination cannot be redirected back to local host.

Could you help me understand this a little better? How do you mean traffic locally originated by the firewall cannot be redirected? I understand FIB routing is only done after ingress processing (if no route-to is found on a matching inbound direction route).

> If you would get more info and incorporate routing factor into diagram it would be great ;)

I know! :) It would be great if this was as complete as possible as it would be really helpful to both those just starting out and the more experienced alike.

I would also like to understand the processing for virtual interfaces? I.e. should there be a separate Egress Processing chain for enc0? Also is policy based routing (created by IPSec encX tunnels) processed before and/or independently from rdomain routing? I also don't know how packet Labels and Tags are processed?

I've done a little more to it;
http://s27.postimg.org/4ul9nayvn/Open_BSDPFPacket_Flow.jpg

> j.
Re: pf nat and routing question
On 25 Jun 2015, at 15:46, Marko Cupać <marko.cu...@mimar.rs> wrote:
> On Wed, 24 Jun 2015 08:17:15 -0400
> Michel Blais <mic...@targointernet.com> wrote:
> > The solution seems to be explained on this link
> > http://www.openbsd.org/faq/pf/rdr.html#reflect
>
> On Thu, 25 Jun 2015 14:50:42 +0100
> Andy Lemin <a...@brandwatch.com> wrote:
> > Hi,
> >
> > We do exactly the same thing for our wifi network. Users on wifi can *only* use public IP addresses.
> >
> > The solution is easy, you just have to consider where you do your nat'ing;
>
> Michel, Andy, thank you for your suggestions. I went for
> http://www.openbsd.org/faq/pf/rdr.html#tcpproxy
> I'm satisfied with the result.

Cool, but you are using a big hammer (not a sledge ;) for a nut.. And your CPU knows the difference. If load is v.small, then irrelevant.

> Regards,
> --
> Marko Cupać
> https://www.mimar.rs/
Re: PF Packet Flow Diagram
Surprised I've not had any replies for this?
http://s12.postimg.org/i4pggq465/Open_BSDPFPacket_Flow.jpg

I copied this from a diagram I found some years ago which has been photocopied a few times and is now intelligible, so thought I'd quickly re-do it. I can't believe nothing has changed in 5 years (I think that's when the original I saw was dated).

Anyway, I'll try and message Henning directly and get his thoughts, and I'll post back here once it's got his approval.

Cheers, Andy.

On 23 Jun 2015, at 14:27, Andy Lemin <a...@brandwatch.com> wrote:
> Haha, Oops! thanks Doug.. Here it is instead..
> http://s12.postimg.org/i4pggq465/Open_BSDPFPacket_Flow.jpg
>
> Cheers, Andy.
>
> On 23 Jun 2015, at 14:13, Doug Hogan <d...@acyclic.org> wrote:
> > On Tue, Jun 23, 2015 at 11:56:17AM +0100, Andy Lemin wrote:
> > > I was updating an old copy of the PF flow diagram I had lying around and thought I'd post here quickly for comments / additions / corrections? Would be nice to update this and make it as comprehensive as possible.
> > >
> > > [demime 1.01d removed an attachment of type application/pdf which had a name of OpenBSDPFPacketFlow.pdf]
> > > [demime 1.01d removed an attachment of type image/jpeg which had a name of OpenBSDPFPacketFlow.jpeg]
> >
> > The attachments were stripped when sent to the list.
Re: PF Packet Flow Diagram
Haha, Oops! thanks Doug.. Here it is instead..
http://s12.postimg.org/i4pggq465/Open_BSDPFPacket_Flow.jpg

Cheers, Andy.

On 23 Jun 2015, at 14:13, Doug Hogan <d...@acyclic.org> wrote:
> On Tue, Jun 23, 2015 at 11:56:17AM +0100, Andy Lemin wrote:
> > I was updating an old copy of the PF flow diagram I had lying around and thought I'd post here quickly for comments / additions / corrections? Would be nice to update this and make it as comprehensive as possible.
> >
> > [demime 1.01d removed an attachment of type application/pdf which had a name of OpenBSDPFPacketFlow.pdf]
> > [demime 1.01d removed an attachment of type image/jpeg which had a name of OpenBSDPFPacketFlow.jpeg]
>
> The attachments were stripped when sent to the list.
Re: HA / load balancing / fail-over using CARP
Hi,

You can already do active-active CARP with OpenBSD. I believe it hashes by the MAC address (the MAC hash dictates which firewall responds to an ARP for the gateway IP). However you may have issues with states and state synchronisation depending on the pps and firewall hardware performance, meaning you might be forced to enable sloppy states, or at the very least enable defer on pfsync. But allowing sloppy states is bad as it throws away a significant proportion of OpenBSD's awesome TCP security.

In short, it is *much* better to buy hardware where each firewall on its own is able to handle the full load, and run in active-backup mode.

Generally speaking, I've always found the layer 2 high availability provided by CARP to be rock solid, and if you want to do full stateful firewalling, this is your only sensible choice. If you have no need for full stateful firewalling then you can do active-active at layer 3 using OSPF etc for the HA, and enable defer and sloppy and you're all done. It depends on what network feeds you are connected to and what your requirements are.

http://www.openbsd.org/papers/pfsync_v5.pdf

NB; We run Transtec servers which are just custom built Supermicro servers with a 3.5GHz E5-2609v2 CPU (with only two cores enabled and Turbo Plus enabled giving us two 3.7GHz cores). The highest I have seen these do with 10gig NICs is almost 1Mpps with PF enabled. So there is little excuse for people to complain about OpenBSD PF performance unless you are talking about higher than 10gig networking.

But with all the work the devs are doing at the moment freeing up parts of the kernel from the BIG LOCK (http://quigon.bsws.de/papers/2015/asiabsdcon-openbsdupdate/), it won't be much longer before the Network stack goes MP too (it is happening but it's not trivial). After which discussions on throughput and performance really do become a moot point, and instead we'll start seeing big enterprises start using OpenBSD and pushing for things like an Openflow agent ;)

So in short, stay active-backup, and sleep better :)

Hope this helps.

Cheers, Andy.

Just for fun; https://events.yandex.com/events/ruBSD/2013/talks/104/

On 22 Jun 2015, at 09:08, Romain FABBRI <romain.fab...@alienconsulting.net> wrote:
> Not sure you really want to do that but you could achieve some IP or MAC Load Balancing using this kind of setup :
> http://www.kernel-panic.it/openbsd/carp/carp4.html
>
> -----Original Message-----
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Aviolat Romain
> Sent: Monday, 22 June 2015 09:40
> To: 'misc@openbsd.org' (misc@openbsd.org)
> Subject: HA / load balancing / fail-over using CARP
>
> Dear OpenBSD community,
>
> I'll deploy a new redundant firewalls setup in few weeks (waiting for the hardware...). It'll be composed of two 1U supermicro servers and few additional 10GbE nics.
>
> The idea was to use CARP + pfsync as the fail-over mechanism. I already deployed that few time in the past, and we're pretty happy with this setup; maintenance is easy and the setup is rock solid.
>
> The only disadvantage IMHO is that there is no way to achieve load balancing between the members of the CARP cluster, one machine is always working while the other is idle. I could define some VLANs on top of CARP interfaces to be MASTER on routerA and some on routerB but still it's not real load balancing.
>
> So before making the same setup again I wanted to have your input about that, maybe I'm not aware of other ways to achieve HA/load-balancing using OpenBSD ?
>
> Thanks for your help !
>
> Romain Aviolat
> Senior System Administrator - R&D and ops Infrastructure
> Kudelski Security - Kudelski Group
> rte de Genève 22-24, 1033 Cheseaux, SWITZERLAND
> +41 21 732 03 79
Re: HA / load balancing / fail-over using CARP
Hi,

On 23 Jun 2015, at 10:50, Aviolat Romain romain.avio...@nagra.com wrote:

> Hi Andy,
>
> Thanks for your detailed answer. Yes we are doing stateful firewalling and we want to keep it like that; we of course plan to have servers that are able to take the full load in case of failure of the other.
>
> We don't have yet requirements to go higher than the actual 1Mpps limit (around 500Mbit/s for standard web traffic), but we would be pleased to have MP supported on the network stack!

There is no hardcoded limit, it is purely down to the single core CPU performance and packet size that dictates the achievable throughput. We would have enabled only one core if it weren't for the fact that we're running so many daemons too. OpenBSD is pretty sensible when it comes to scheduling user land stuff and so daemons rarely get in the way of your PF busy core.

> I'll follow your advice and stay in active-backup mode for now.

Doesn't mean you shouldn't try active-active out (in a lab).. But if you're only talking 500mbps, stick with steady and stable ;)

> Romain
>
> From: Andy Lemin [mailto:a...@brandwatch.com]
> Sent: Tuesday, 23 June 2015 11:25
> To: Romain FABBRI
> Cc: Aviolat Romain; 'misc@openbsd.org' (misc@openbsd.org)
> Subject: Re: HA / load balancing / fail-over using CARP
>
> Hi,
>
> You can already do active-active CARP with OpenBSD. I believe it hashes by the MAC address (the MAC hash dictates which firewall responds to an ARP for the gateway IP).
>
> However you may have issues with states and state synchronisation depending on the pps and firewall hardware performance, meaning you might be forced to enable sloppy states, or at the very least enable defer on pfsync. But allowing sloppy states is bad as it throws away a significant proportion of OpenBSD's awesome TCP security.
>
> In short, it is *much* better to buy hardware where each firewall on its own is able to handle the full load, and run in active-backup mode.
PF Packet Flow Diagram
Hi,

I was updating an old copy of the PF flow diagram I had lying around and thought I'd post here quickly for comments / additions / corrections? Would be nice to update this and make it as comprehensive as possible.

[demime 1.01d removed an attachment of type application/pdf which had a name of OpenBSDPFPacketFlow.pdf]
[demime 1.01d removed an attachment of type image/jpeg which had a name of OpenBSDPFPacketFlow.jpeg]
Re: missing snmp OID's
Hi Stuart,

Thanks for this. However I think I'm still missing something.. Sorry ;)

On 24 Apr 2015, at 00:37, Stuart Henderson s...@spacehopper.org wrote:

> On 2015-04-23, andy a...@brandwatch.com wrote:
>
>> Hi,
>>
>> This should be a simple one ;)
>>
>> I have configured and started snmpd, and then used snmpwalk (snmpwalk -v2c -c public 127.0.0.1:161 .) to walk the OID tree, and the only branch I see is OPENBSD-PF-MIB. Tested on 5.6.
>>
>> I don't seem to see any output for OPENBSD-BASE-MIB.txt, OPENBSD-CARP-MIB.txt, OPENBSD-MEM-MIB.txt, OPENBSD-RELAYD-MIB (pending 5.7), and OPENBSD-SENSORS-MIB.txt.
>>
>> What do we need to do to enable these? Or is snmpwalk just missing them? I'm being dumb?
>>
>> Cheers, Andy.
>
> You need to start the walk from a suitable location.
>
> If no OID argument is present, snmpwalk will search the subtree rooted at SNMPv2-SMI::mib-2 (including any MIB object values from other MIB modules, that are defined as lying within this subtree).
>
> The following examples assume that you have the OpenBSD MIBs loaded (these are set up by default in the net-snmp package, but you'll need to add them yourself if querying from another OS).
>
> $ snmpwalk -v2c -c public localhost SNMPv2-MIB::sysORID
> SNMPv2-MIB::sysORID.1 = OID: SNMPv2-SMI::mib-2
> SNMPv2-MIB::sysORID.2 = OID: IP-MIB::ip
> SNMPv2-MIB::sysORID.3 = OID: IP-FORWARD-MIB::ipForward
> SNMPv2-MIB::sysORID.4 = OID: SNMPv2-MIB::snmp
> SNMPv2-MIB::sysORID.5 = OID: BRIDGE-MIB::dot1dBridge
> SNMPv2-MIB::sysORID.6 = OID: HOST-RESOURCES-MIB::host
> SNMPv2-MIB::sysORID.7 = OID: IF-MIB::ifMIB
> SNMPv2-MIB::sysORID.8 = OID: SNMPv2-SMI::enterprises.2021.13.15
> SNMPv2-MIB::sysORID.9 = OID: OPENBSD-BASE-MIB::pfMIBObjects
> SNMPv2-MIB::sysORID.10 = OID: OPENBSD-BASE-MIB::sensorsMIBObjects
> SNMPv2-MIB::sysORID.11 = OID: OPENBSD-BASE-MIB::memMIBObjects
> SNMPv2-MIB::sysORID.12 = OID: OPENBSD-BASE-MIB::carpMIBObjects
> SNMPv2-MIB::sysORID.13 = OID: SNMPv2-SMI::snmpModules.10.2.1
> SNMPv2-MIB::sysORID.14 = OID: SNMPv2-SMI::snmpModules.15.1.1

So SNMPv2-MIB::sysORID shows me all of the OID roots the system offers :)

[LIVE]root@ar1301:/usr/local/share/snmp/mibs# snmpwalk -v2c -c public 127.0.0.1:161 SNMPv2-MIB::sysORID
SNMPv2-MIB::sysORID.1 = OID: SNMPv2-SMI::mib-2
SNMPv2-MIB::sysORID.2 = OID: IP-MIB::ip
SNMPv2-MIB::sysORID.3 = OID: IP-FORWARD-MIB::ipForward
SNMPv2-MIB::sysORID.4 = OID: SNMPv2-MIB::snmp
SNMPv2-MIB::sysORID.5 = OID: BRIDGE-MIB::dot1dBridge
SNMPv2-MIB::sysORID.6 = OID: HOST-RESOURCES-MIB::host
SNMPv2-MIB::sysORID.7 = OID: IF-MIB::ifMIB
SNMPv2-MIB::sysORID.8 = OID: SNMPv2-SMI::enterprises.2021.13.15
SNMPv2-MIB::sysORID.9 = OID: OPENBSD-BASE-MIB::pfMIBObjects
SNMPv2-MIB::sysORID.10 = OID: OPENBSD-BASE-MIB::sensorsMIBObjects
SNMPv2-MIB::sysORID.11 = OID: OPENBSD-BASE-MIB::memMIBObjects
SNMPv2-MIB::sysORID.12 = OID: OPENBSD-BASE-MIB::carpMIBObjects
SNMPv2-MIB::sysORID.13 = OID: SNMPv2-SMI::snmpModules.10.2.1
SNMPv2-MIB::sysORID.14 = OID: SNMPv2-SMI::snmpModules.15.1.1

> $ snmpwalk -v2c -c public localhost OPENBSD-BASE-MIB::carpMIBObjects
> OPENBSD-CARP-MIB::carpAllow.0 = INTEGER: true(1)
> OPENBSD-CARP-MIB::carpPreempt.0 = INTEGER: 0
> OPENBSD-CARP-MIB::carpLog.0 = INTEGER: false(2)
> OPENBSD-CARP-MIB::carpIfNumber.0 = INTEGER: 0
> OPENBSD-CARP-MIB::carpIpPktsRecv.0 = Counter64: 0
> OPENBSD-CARP-MIB::carpIp6PktsRecv.0 = Counter64: 0
> OPENBSD-CARP-MIB::carpPktDiscardsForBadInterface.0 = Counter64: 0
> OPENBSD-CARP-MIB::carpPktDiscardsForWrongTtl.0 = Counter64: 0
> OPENBSD-CARP-MIB::carpPktShorterThanHeader.0 = Counter64: 0
> OPENBSD-CARP-MIB::carpPktDiscardsForBadChecksum.0 = Counter64: 0
> OPENBSD-CARP-MIB::carpPktDiscardsForBadVersion.0 = Counter64: 0
> OPENBSD-CARP-MIB::carpPktDiscardsForTooShort.0 = Counter64: 0
> OPENBSD-CARP-MIB::carpPktDiscardsForBadAuth.0 = Counter64: 0
> OPENBSD-CARP-MIB::carpPktDiscardsForBadVhid.0 = Counter64: 0
> OPENBSD-CARP-MIB::carpPktDiscardsForBadAddressList.0 = Counter64: 0
> OPENBSD-CARP-MIB::carpIpPktsSent.0 = Counter64: 0
> OPENBSD-CARP-MIB::carpIp6PktsSent.0 = Counter64: 0
> OPENBSD-CARP-MIB::carpNoMemory.0 = Counter64: 0
> OPENBSD-CARP-MIB::carpTransitionsToMaster.0 = Counter64: 0
>
> You can use iso.org.dod.internet.private.enterprises.openBSD to show all of the vendor OIDs.
>
> And you can use snmpctl rather than Net-SNMP; e.g.

I tried this, but I don't see all of the OIDs, I only see OPENBSD-PF-MIB at iso.org.dod.internet.private.enterprises.openBSD;

[LIVE]root@ar1301:/usr/local/share/snmp/mibs# snmpctl walk 127.0.0.1 oid iso.org.dod.internet.private.enterprises.openBSD | wc -l
1289
[LIVE]root@ar1301:/usr/local/share/snmp/mibs# snmpwalk -v2c -c public 127.0.0.1:161 OPENBSD-PF-MIB::pfMIBObjects | wc -l
1290
[LIVE]root@ar1301:/usr/local/share/snmp/mibs# snmpwalk -v2c -c public 127.0.0.1:161 .1.3.6.1.4.1.30155 | wc -l
1290

The output from these 3 commands is the same (i.e. only the PF-MIB). Is there a single command that will show/walk every single OID and value snmpd provides?

> $ snmpctl walk sym oid
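One way to get the "walk every OID snmpd offers" that Andy asks for, as an added example that is not from the thread: take the roots that snmpd advertises in SNMPv2-MIB::sysORID (the list shown above) and walk each one separately, rather than relying on one walk from a single starting point reaching every subtree. It assumes Net-SNMP's snmpwalk with the OpenBSD MIBs loaded, as in Stuart's examples; the sysORID sample embedded below is constructed so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the thread: enumerate every OID root that snmpd
# advertises in SNMPv2-MIB::sysORID and walk each root on its own, so the
# result does not depend on one continuous walk from a single starting point.
# Assumes Net-SNMP's snmpwalk with the OpenBSD MIBs loaded.

# Constructed sample of "snmpwalk ... SNMPv2-MIB::sysORID" output (a subset of
# the roots shown in the thread), used for the offline self-checks below.
SAMPLE_SYSORID='SNMPv2-MIB::sysORID.1 = OID: SNMPv2-SMI::mib-2
SNMPv2-MIB::sysORID.9 = OID: OPENBSD-BASE-MIB::pfMIBObjects
SNMPv2-MIB::sysORID.10 = OID: OPENBSD-BASE-MIB::sensorsMIBObjects
SNMPv2-MIB::sysORID.12 = OID: OPENBSD-BASE-MIB::carpMIBObjects
SNMPv2-MIB::sysORID.13 = OID: SNMPv2-SMI::snmpModules.10.2.1'

# sysor_roots: read sysORID walk output on stdin and print one OID root per
# line. Only "... = OID: <root>" lines count, and repeated roots are dropped.
sysor_roots() {
    awk -F' = OID: ' 'NF == 2 && !seen[$2]++ { print $2 }'
}

# walk_all_roots HOST COMMUNITY: fetch sysORID from HOST, then walk every
# advertised root with a separate snmpwalk, printing a header before each.
walk_all_roots() {
    host=$1
    community=$2
    snmpwalk -v2c -c "$community" "$host" SNMPv2-MIB::sysORID \
        | sysor_roots \
        | while IFS= read -r root; do
            printf '### %s\n' "$root"
            snmpwalk -v2c -c "$community" "$host" "$root"
        done
}

# sample_root_count: number of distinct roots parsed from the constructed sample.
sample_root_count() {
    printf '%s\n' "$SAMPLE_SYSORID" | sysor_roots | wc -l | tr -d ' '
}

# sample_root N: the Nth root (1-based) parsed from the constructed sample.
sample_root() {
    printf '%s\n' "$SAMPLE_SYSORID" | sysor_roots | sed -n "${1}p"
}
```

On a live host, `walk_all_roots 127.0.0.1 public` reproduces Andy's per-MIB walks for every root in one go, including the carp, sensors and mem objects his single walk did not show.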