Re: Viewing SFP diagnostic data in OpenBSD ?

[Marco Prause]

On 08.04.19 06:25, David Gwynne wrote:
> OK. I made a start on this. Have a look for "sfp module info and diagnostics" 
> on tech@, or click on https://marc.info/?l=openbsd-tech=155469738013008=2
>
> We don't have an em(4) here with optics, but a diff doesn't look too bad if 
> you're willing to test it.
>
> dlg
>

David, I had a look at tech@ and this is really really awesome !


If you are also interested in the mentioned em(4) capable hardware, just
contact me off-list and I'm going to see, what we can do concerning the
hardware.


Cheers,

Marco

Re: Viewing SFP diagnostic data in OpenBSD ?

[Marco Prause]

On 05.04.19 02:54, David Gwynne wrote:
> you have em(4) with sfp?
yepp, e.g. in the following appliances :

http://www.lannerinc.com/network-appliances/x86-rackmount-network-appliances/?option=com_content=article=1683:nca-4210=25:rackmount


There are 2 SFP slots onboard and we are also using the optional module
on the right side of the appliance but not as RJ-45, but with 8x 1 GigE SFP.


Whereas the 10 GigE Modules we are using in some setups, are already ix.


Here's an example of the chipsets you may find (all *Fibre interfaces
are the SFP capable interface and the others are the RJ45 ones):

em0 at pci2 dev 0 function 0 "Intel I350 Fiber" rev 0x01: msi, address
00:90:0b:4e:0e:52  
em1 at pci2 dev 0 function 1 "Intel I350 Fiber" rev 0x01: msi, address
00:90:0b:4e:0e:53  
em2 at pci2 dev 0 function 2 "Intel I350 Fiber" rev 0x01: msi, address
00:90:0b:4e:0e:54  
em3 at pci2 dev 0 function 3 "Intel I350 Fiber" rev 0x01: msi, address
00:90:0b:4e:0e:55  
em4 at pci3 dev 0 function 0 "Intel I350 Fiber" rev 0x01: msi, address
00:90:0b:4e:0e:56  
em5 at pci3 dev 0 function 1 "Intel I350 Fiber" rev 0x01: msi, address
00:90:0b:4e:0e:57  
em6 at pci3 dev 0 function 2 "Intel I350 Fiber" rev 0x01: msi, address
00:90:0b:4e:0e:58  
em7 at pci3 dev 0 function 3 "Intel I350 Fiber" rev 0x01: msi, address
00:90:0b:4e:0e:59   
em8 at pci5 dev 0 function 0 "Intel I210" rev 0x03: msi, address
00:90:0b:68:30:4e
em9 at pci6 dev 0 function 0 "Intel I210" rev 0x03: msi, address
00:90:0b:68:30:4f
em10 at pci7 dev 0 function 0 "Intel I210" rev 0x03: msi, address
00:90:0b:68:30:50   
em11 at pci8 dev 0 function 0 "Intel I210" rev 0x03: msi, address
00:90:0b:68:30:51   
em12 at pci9 dev 0 function 0 "Intel I210" rev 0x03: msi, address
00:90:0b:68:30:52   
em13 at pci10 dev 0 function 0 "Intel I210" rev 0x03: msi, address
00:90:0b:68:30:53  
em14 at pci11 dev 0 function 0 "Intel I210 Fiber" rev 0x03: msi, address
00:90:0b:68:30:54
em15 at pci12 dev 0 function 0 "Intel I210 Fiber" rev 0x03: msi, address
00:90:0b:68:30:55


Cheers,

Marco

Re: Viewing SFP diagnostic data in OpenBSD ?

[Marco Prause]

I second that +1 for ix, but em would also be nice ;-)


On 03.04.19 00:40, Tom Smyth wrote:
> +1 for me also :)  ix :)
>
> On Tue, 2 Apr 2019 at 23:38, Stuart Henderson  wrote:
>
>>  :-)
>>

Re: Are there open source firewall distributions which are built on top of OpenBSD?

[Marco Prause]

>> A standard OpenBSD installation is somewhat susceptible to power failures
>> though. Especially fail/back/fail again during the startup procedure while
>> it's relinking libraries in random order. Not saying it can't be used but
>> some thought is needed if you know that it's *likely* to be powered off
>> without shutdown, or if the power is flaky.
> If you want to run a system that is resistant to damage from power faults, 
> take a look at Resflash. 
>
>  https://stable.rcesoftware.com/resflash/
>
> It's more tolerant of power faults since the running system has all of its 
> actual disks in read-only mode and anything writable is done to mfs-based 
> mounts, including /usr/lib and /usr/libexec during the re-linking process. It 
> also has a very nice upgrade and rollback process, useful if you're 
> maintaining remote routers/firewalls. 
>
> Don't ask for support on this list since it's not base OpenBSD, but the 
> author is pretty good about helping people out. 

I can second all what Paul wrote before. I've been running
resflash-image driven openbsd instances in round about 15 distributed
locations since 2016.

Compared to let's say "commercial" equipment they do a *very* good job.

As well it's update mechanism as it's integration in our automation and
monitoring framework works very well.

And they survived every datacenter current issue so far ;-)


Cheers,

Marco

Re: OpenBSD 6.4-stable + current "freezes" after 4h [not]

[Marco Prause]

Re,

On 14.01.19 18:40, Theo de Raadt wrote:
> We accept reasonable bug reports from systems with a few changes.  You do NOT 
> have
> a few changes, you have a huge pile of them, and therefore you are 
> 'responsible
> for all the pieces'.
...
> Almost assuredly you are being burned by your own changes.

First of all, there will be no irony in the following lines.

Theo, I really appreciate your intention protecting the devs from
unnecessary work. You were so damn right stopping the assumption I was
following.

Stuart and Hrvoje, thanks for helping with the information about ddb,
that pushes me in the right direction.


Just for the record and terms of sharing knowledge (also the bad ones):

the problem was caused by a really bad doas call, that I wasn't aware
of, but what might creep in my configs at the same time I updated the
integration stage to 6.4.

(a zabbix_agent was periodically calling

'...cmd ksh args -c "/usr/sbin/ospfctl args show neighbor"'

instead of

'...cmd /usr/sbin/ospfctl args show neighbor')


Fixing this doas-line let the server run stable again.


So again thanks and last but not least : sorry for the noise, guys !


Cheers,

Marco

Re: OpenBSD 6.4-stable + current "freezes" after 4h

[Marco Prause]

Am 14. Januar 2019 16:40:48 MEZ schrieb Theo de Raadt :
>It sure looks like you have a pile of your own changes which are highly
>unconventional,
>and you are very far away from a stock OpenBSD configuration.

Well, that's right so far, because I have decided to use the tool resflash to 
create images (https://stable.rcesoftware.com/resflash/). 

That's the "only" changes, that made the system away from a stock OpenBSD 
configuration. 

But sure, to get this also out of the way of possible causes, I could install 
current to the server on the hard disc. I just thought resflash just did some 
changes to the boot process and I assume the issue more at the bridge-part. 


>Having made those decisions, you are responsible for your own issues.
>
>Sorry.

That seems fair enough to me. 
Let me have a look at the ddb stuff, Stuart mentioned and the splassert stuff 
Hrvoje mentioned, before I'm going to reinstall the server with a stock current 
OpenBSD. 

Cheers, 
Marco

>> Hi Stuart,
>> 
>> thanks for having a look at this.
>> 
>> 
>> > Is it the same or different hardware type and BIOS version for the
>> > working and hanging machines? (maybe diff the two dmesgs)
>> >
>> > Same or different filesystem mount options?  (Are you using
>softdep?)
>> 
>> it's (nearly) the same hardware.
>> 
>> But thanks to your hint of diffing the dmesg outputs I found a small
>> difference :
>> 
>> 
>> * server1:
>> 
>> bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xec200 (78 entries)
>> bios0: vendor American Megatrends Inc. version "4.6.5" date
>03/02/2015
>> bios0: INTEL Corporation DENLOW_WS   
>> 
>> * server2:
>> 
>> bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xec200 (77
>entries)
>> bios0: vendor American Megatrends Inc. version "4.6.5" date
>03/02/2015   
>> bios0: INTEL Corporation
>DENLOW_WS   
>> 
>> 
>> * server2 has an additional entry, I do not see on server1
>> 
>> acpipci0 at acpi0 PCI0: 0x0010 0x0011 0x
>> 
>> 
>> * server2 also seems to have a slightly different memory setup :
>> 
>> spdmem0 at iic0 addr 0x50: 8GB DDR3 SDRAM PC3-12800
>> 
>> * whereas server1 has :
>> 
>> spdmem0 at iic0 addr 0x50: 4GB DDR3 SDRAM PC3-12800
>> spdmem1 at iic0 addr 0x52: 4GB DDR3 SDRAM PC3-12800
>> 
>> 
>> 
>> On the filesystem I can't see any differences :
>> 
>> * server1:
>> $
>>
>mount  
>  
>> 
>> /dev/sd0d on / type ffs (local, noatime, nodev,
>> read-only) 
>> mfs:14405 on /tmp type mfs (asynchronous, local, noatime, nodev,
>nosuid,
>> size=65536 512-blocks)
>> mfs:35803 on /dev type mfs (asynchronous, local, noatime, noexec,
>> size=12288 512-blocks)   
>> mfs:30894 on /etc type mfs (asynchronous, local, noatime, nodev,
>nosuid,
>> size=65536 512-blocks)
>> mfs:75826 on /var type mfs (asynchronous, local, noatime, nodev,
>noexec,
>> size=131072 512-blocks)   
>> mfs:23894 on /usr/lib type mfs (asynchronous, local, noatime, nodev,
>> nosuid, size=262144 512-blocks)
>> mfs:21714 on /usr/libexec type mfs (asynchronous, local, noatime,
>nodev,
>> size=262144 512-blocks)   
>> $ cat
>>
>/etc/fstab 
>  
>> 
>> dd6727251088320b.a /mbr ffs rw,noatime,nodev,noexec,noauto 1
>> 2 
>> dd6727251088320b.d / ffs ro,noatime,nodev 1
>> 1  
>> dd6727251088320b.f /cfg ffs rw,noatime,nodev,noexec,noauto 1
>> 2 
>> dd6727251088320b.i /efi msdos rw,noatime,nodev,noexec,noauto 0
>> 0   
>> swap /tmp mfs rw,async,noatime,nodev,nosuid,-s32M 0
>> 0  
>>
>$  
>
>> 
>> 
>> 
>> * server2:
>> 
>> $ mount
>> /dev/sd0e on / type ffs (local, noatime, nodev, read-only)
>> mfs:19530 on /tmp type mfs (asynchronous, local, noatime, nodev,
>nosuid,
>> size=65536 512-blocks)
>> mfs:65784 on /dev type mfs (asynchronous, local, noatime, noexec,
>> size=12288 512-blocks)   
>> mfs:41465 on /etc type mfs (asynchronous, local, noatime, nodev,
>nosuid,
>> size=65536 512-blocks)
>> mfs:86708 on /var type mfs (asynchronous, local, noatime, nodev,
>noexec,
>> size=262144 512-blocks)   
>> mfs:90223 on /usr/lib type mfs (asynchronous, local, noatime, nodev,
>> nosuid, size=262144 512-blocks)
>> mfs:22430 on /usr/libexec type mfs (asynchronous, local, noatime,
>nodev,
>> size=262144 512-blocks)   
>> $ cat
>>
>/etc/fstab 
>  
>> 
>> 9f97b8d42ceedbf4.a /mbr ffs rw,noatime,nodev,noexec,noauto 1
>> 2 
>> 9f97b8d42ceedbf4.e / ffs 

Re: OpenBSD 6.4-stable + current "freezes" after 4h

[Marco Prause]

Just a small follow-up to my previous email:

I've just had a look at the hardware, that causes the problem before
I've exchanged it with the new one, that now also produce the problem.

This server seems to have the same hardware-setup then the server1, I
mentioned the email before, which is not freezing.


Here I see the same memory-setup :

spdmem0 at iic0 addr 0x50: 4GB DDR3 SDRAM PC3-12800
spdmem1 at iic0 addr 0x52: 4GB DDR3 SDRAM PC3-12800

and no

acpipci0 at acpi0 PCI0: 0x0010 0x0011 0x00

which may be produced from the current-kernel.

Re: OpenBSD 6.4-stable + current "freezes" after 4h

[Marco Prause]

Hi Stuart,

thanks for having a look at this.


> Is it the same or different hardware type and BIOS version for the
> working and hanging machines? (maybe diff the two dmesgs)
>
> Same or different filesystem mount options?  (Are you using softdep?)

it's (nearly) the same hardware.

But thanks to your hint of diffing the dmesg outputs I found a small
difference :


* server1:

bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xec200 (78 entries)
bios0: vendor American Megatrends Inc. version "4.6.5" date 03/02/2015
bios0: INTEL Corporation DENLOW_WS   

* server2:

bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xec200 (77 entries)
bios0: vendor American Megatrends Inc. version "4.6.5" date 03/02/2015   
bios0: INTEL Corporation DENLOW_WS   


* server2 has an additional entry, I do not see on server1

acpipci0 at acpi0 PCI0: 0x0010 0x0011 0x


* server2 also seems to have a slightly different memory setup :

spdmem0 at iic0 addr 0x50: 8GB DDR3 SDRAM PC3-12800

* whereas server1 has :

spdmem0 at iic0 addr 0x50: 4GB DDR3 SDRAM PC3-12800
spdmem1 at iic0 addr 0x52: 4GB DDR3 SDRAM PC3-12800



On the filesystem I can't see any differences :

* server1:
$
mount   
 

/dev/sd0d on / type ffs (local, noatime, nodev,
read-only) 
mfs:14405 on /tmp type mfs (asynchronous, local, noatime, nodev, nosuid,
size=65536 512-blocks)
mfs:35803 on /dev type mfs (asynchronous, local, noatime, noexec,
size=12288 512-blocks)   
mfs:30894 on /etc type mfs (asynchronous, local, noatime, nodev, nosuid,
size=65536 512-blocks)
mfs:75826 on /var type mfs (asynchronous, local, noatime, nodev, noexec,
size=131072 512-blocks)   
mfs:23894 on /usr/lib type mfs (asynchronous, local, noatime, nodev,
nosuid, size=262144 512-blocks)
mfs:21714 on /usr/libexec type mfs (asynchronous, local, noatime, nodev,
size=262144 512-blocks)   
$ cat
/etc/fstab  
 

dd6727251088320b.a /mbr ffs rw,noatime,nodev,noexec,noauto 1
2 
dd6727251088320b.d / ffs ro,noatime,nodev 1
1  
dd6727251088320b.f /cfg ffs rw,noatime,nodev,noexec,noauto 1
2 
dd6727251088320b.i /efi msdos rw,noatime,nodev,noexec,noauto 0
0   
swap /tmp mfs rw,async,noatime,nodev,nosuid,-s32M 0
0  
$   
   



* server2:

$ mount
/dev/sd0e on / type ffs (local, noatime, nodev, read-only)
mfs:19530 on /tmp type mfs (asynchronous, local, noatime, nodev, nosuid,
size=65536 512-blocks)
mfs:65784 on /dev type mfs (asynchronous, local, noatime, noexec,
size=12288 512-blocks)   
mfs:41465 on /etc type mfs (asynchronous, local, noatime, nodev, nosuid,
size=65536 512-blocks)
mfs:86708 on /var type mfs (asynchronous, local, noatime, nodev, noexec,
size=262144 512-blocks)   
mfs:90223 on /usr/lib type mfs (asynchronous, local, noatime, nodev,
nosuid, size=262144 512-blocks)
mfs:22430 on /usr/libexec type mfs (asynchronous, local, noatime, nodev,
size=262144 512-blocks)   
$ cat
/etc/fstab  
 

9f97b8d42ceedbf4.a /mbr ffs rw,noatime,nodev,noexec,noauto 1
2 
9f97b8d42ceedbf4.e / ffs ro,noatime,nodev 1 1
9f97b8d42ceedbf4.f /cfg ffs rw,noatime,nodev,noexec,noauto 1
2 
9f97b8d42ceedbf4.i /efi msdos rw,noatime,nodev,noexec,noauto 0
0   
swap /tmp mfs rw,async,noatime,nodev,nosuid,-s32M 0 0
$



For the other suggestions, let me run the system with "

sysctl ddb.console=1" and wait until the problem will occur to answer your 
questions as soon I have the additional information.


Cheers,
Marco

OpenBSD 6.4-stable + current "freezes" after 4h

[Marco Prause]

Hi all @misc,

1st things 1st : sorry for my long description, but :

after upgrading from 6.3-stable to 6.4-stable (and later also current)
in our integration stage, I've met a strange problem.

I run OpenBSD in a hub-and-spoke vpn architecture in round about 14
distributed datacenters.

6.3-stable is running fine and stable as expected.

(all versions 6.3-stable, 6.4-stable and current are running as
resflash-image)



All locations - including the mentioned integration stage - are running
with the same setup.

Each location have two OpenBSD server/gateways, that run:


- ospf over gre over ipsec

-- local to each other and to our two main datacenters (hub)


- two bridge-interfaces inside one server

-- one for tagged frames, one for untagged

-- both bridge-interfaces are connected with a pair-interface

-- first server is configured as primary within ospf,stp and carp


- layer-2 redundancy is done by stp on the openbsd-side and mstp
(instance 0) on the network-gear-side


- layer-3 redundancy is done by ospf and carp


- pf is enabled



The problem can be described as follows :

after an initial boot, everything is working fine for round about 4 hours.

After 4 hours, it is not possible to login into the backup/secondary
openbsd-server via ssh or even via serial console, but it seems to still
forward traffic correctly. Also the ospf adjacencies are up as
well as ipsec security associations and so on.

Monitoring metrics doesn't show any meassured increase of any data.

I've already exchanged the hardware, because it was my first guess, as
the first server/gateway is running without any problems with the same
6.4-stable and config version - but this unfortunately didn't help.

When I left an serial console login opened, I was able to execute some
commands and also a top, I've invoked before, was still running at the
failure-state. But when entering e.g. ifconfig, or trying a
tab-completion also the serial console freezes.


The problem will not occur, if I :


- shutdown bridge0 (for tagged frames)

or

- shutdown bridge1 (for untagged frames)

or

- shutdown pair0 or pair1 (interconnection between the bridges)



Please find attached the commands I was able to execute before
tab-completion or ifconfig in this case :

---cut---

# df -i
Filesystem  512-blocks  Used Avail Capacity iused   ifree 
%iused  Mounted on 
/dev/sd0e  3473724   1127852   2172188    34%   14494  219360
6%   /  
mfs:64049    63326    12 60148 0%   7    8183
0%   /tmp   
mfs:51486    11391    63 10759 1%    1231    1839   
40%   /dev   
mfs:86629    63326  8552 51608    14% 365    7825
4%   /etc   
mfs:35143   253790 11512    229590 5% 236   32530
1%   /var   
mfs:6765    253790 76506    164596    32%  45   32721
0%   /usr/lib   
mfs:9627    253790  6132    234970 3%  66   32700
0%   /usr/libexec

#

# vmstat 1 10
 procs    memory   page    disks    traps 
cpu
 r   s   avm fre  flt  re  pi  po  fr  sr sd0 sd1  int   sys   cs us
sy id
 0  64  104M   7474M   19   0   0   0   0   0   1   0   73    68  168 
0  0 100   
 0  64  104M   7474M   20   0   0   0   0   0   0   0   66    60  128 
0  0 100   
 0  64  104M   7474M   12   0   0   0   0   0   0   0   48    45   92 
0  0 100   
 0  64  104M   7474M   12   0   0   0   0   0   0   0   73    44  146 
0  0 100   
 0  64  104M   7474M   12   0   0   0   0   0   0   0   65    47  132 
0  0 100   
 0  64  104M   7474M   12   0   0   0   0   0   0   0   37    49   82 
0  0 100   
 0  64  104M   7474M   12   0   0   0   0   0   0   0   52    44  107 
0  0 100   
 0  64  104M   7474M   12   0   0   0   0   0   0   0   51    44  106 
0  0 100   
 0  64  104M   7474M   12   0   0   0   0   0   0   0   52    44  104 
0  0 100   
 0  64  104M   7474M   12   0   0   0   0   0   0   0   53    47  118 
0  0 100   
#
# iostat 1 10
  tty  sd0   sd1    cpu
 tin tout  KB/t  t/s  MB/s   KB/t  t/s  MB/s  us ni sy sp in id
   0    2 28.82    0  0.01   0.50    0  0.00   0  0  0  0  0100
   0  193  0.00    0  0.00   0.00    0  0.00   0  0  0  0  0100
   0   64  0.00    0  0.00   0.00    0  0.00   0  0  0  0  0100
   0   64  0.00    0  0.00   0.00    0  0.00   0  0  0  0  0100
   0   64  0.00    0  0.00   0.00    0  0.00   0  0  0  0  0100
   0   64  0.00    0  0.00   0.00    0  0.00   0  0  0  0  0100
   0   64  0.00    0  0.00   0.00    0  0.00   0  0  0  0  0100
   0   64  0.00    0  0.00   0.00    0  0.00   0  0  0  0  0100
   0   64  0.00    0  0.00   0.00    0  0.00   0  0  0  0  0100
   0   64  0.00    0  0.00   0.00    0  0.00   0  0  0  0  0100
#

# df -h
Filesystem Size    Used   Avail Capacity  Mounted on
/dev/sd0e  1.7G    551M    1.0G    34%    /
mfs:69819 30.9M    9.0K   29.4M 0%    /tmp

Re: Connecting two bridges for tagged + untagged traffic

[Marco Prause]

Re,

just for the records and to stop anyone wasting time into this issue:

It looks like it's woking now, when I use pair-interfaces to connect the
two bridges and use one pair as parent-interface for a new
vlan-interface with the same vlan-id.

---cut---
# ifconfig bridge
bridge0: flags=41
description: L2-Trunk-Ports-with-RSTP-and-VLAN123-parent-IF
index 24 llprio 3
groups: bridge
priority 16384 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto
rstp
designated: id 00:90:0b:4f:5d:dc priority 16384
em9 flags=ab
port 10 ifpriority 128 ifcost 55 discarding role disabled
em10 flags=ab
port 11 ifpriority 128 ifcost 55 discarding role disabled
em11 flags=ab
port 12 ifpriority 128 ifcost 55 discarding role disabled
em15 flags=eb
port 16 ifpriority 128 ifcost 2 forwarding role
designated
vether0 flags=bb
port 19 ifpriority 128 ifcost 55 forwarding role designated
pair0 flags=ab
port 31 ifpriority 128 ifcost 55 forwarding role designated
Addresses (max cache: 100, timeout: 5):
18:a9:9b:a1:35:31 em15 1 flags=0<>
02:de:ac:10:65:5b em15 0 flags=0<>
02:de:ac:10:65:51 em15 0 flags=0<>
18:a9:9b:a1:35:16 em15 0 flags=0<>
02:de:ac:10:65:5c em15 1 flags=0<>
02:de:ac:10:65:52 em15 0 flags=0<>
00:25:46:6e:5e:c1 em15 1 flags=0<>
00:25:46:70:d3:01 em15 0 flags=0<>
18:a9:9b:a1:35:09 em15 0 flags=0<>
bridge1: flags=41
description: L2-Access-Ports-in-VLAN123
index 25 llprio 3
groups: bridge
priority 16384 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto
rstp
designated: id 00:90:0b:4f:5d:e1 priority 16384
em12 flags=f3
port 13 ifpriority 0 ifcost 0
em13 flags=a3
port 14 ifpriority 0 ifcost 0
em14 flags=f3
port 15 ifpriority 0 ifcost 0
vlan1232 flags=b3
port 34 ifpriority 0 ifcost 0
Addresses (max cache: 100, timeout: 5):
00:25:46:6e:5e:c1 vlan1232 1 flags=0<>
18:a9:9b:a1:35:09 vlan1232 0 flags=0<>
18:a9:9b:a1:35:16 vlan1232 0 flags=0<>
fe:e1:ba:d0:87:5c vlan1232 1 flags=0<>
00:00:5e:00:01:01 vlan1232 1 flags=0<>
18:a9:9b:a1:35:31 vlan1232 1 flags=0<>
# ifconfig vlan



vlan123: flags=8943 mtu 1500
lladdr fe:e1:ba:d0:87:5c
index 20 priority 0 llprio 3
vlan: 123 parent interface: vether0
vnetid: 123
parent: vether0
groups: vlan
status: active
inet 10.20.30.2 netmask 0xfc00 broadcast 10.20.30.255
vlan1232: flags=8943 mtu
1500
lladdr fe:e1:ba:d4:39:d9
index 34 priority 0 llprio 3
vlan: 123 parent interface: pair1
vnetid: 123
parent: pair1
groups: vlan
status: active
# ifconfig pair



pair0: flags=8943 mtu 1500
lladdr fe:e1:ba:d3:cb:d1
index 31 priority 0 llprio 3
patch: pair1
groups: pair
media: Ethernet autoselect
status: active
pair1: flags=8943 mtu 1500
lladdr fe:e1:ba:d4:39:d9
index 32 priority 0 llprio 3
patch: pair0
groups: pair
media: Ethernet autoselect
status: active
#
---cut---



Again, sorry for the noise !

And last but not least - thanks for all the great code !


Cheers,
Marco

Connecting two bridges for tagged + untagged traffic

[Marco Prause]

Hi,

I've got a question concerning the usage of tagged and untagged traffic
with two bridges.

Maybe there's a better way to reach that goal, but I need to connect
e.g. switches to my OpenBSD server over a so called trunk-port (all
traffic should be tagged witch vlan-id 123 for example)

This works fine with the following setting :

---cut---
# ifconfig bridge0
bridge0: flags=41
description: L2-Trunk-Ports-with-RSTP-and-VLAN123
index 24 llprio 3
groups: bridge
priority 16384 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto
rstp
em9 flags=ab
port 10 ifpriority 128 ifcost 55 discarding role disabled
em10 flags=ab
port 11 ifpriority 128 ifcost 55 discarding role disabled
em11 flags=ab
port 12 ifpriority 128 ifcost 55 discarding role disabled
em15 flags=eb
port 16 ifpriority 128 ifcost 2 forwarding role
designated
vether0 flags=bb
port 19 ifpriority 128 ifcost 55 forwarding role designated



# ifconfig vlan123



vlan123: flags=8943 mtu 1500
lladdr fe:e1:ba:d0:87:5c
index 20 priority 0 llprio 3
vlan: 123 parent interface: vether0
vnetid: 123
parent: vether0
groups: vlan
status: active
inet 10.20.30.2 netmask 0xfc00 broadcast 10.20.30.255
---cut---




But additionally, I need to have so called acces-ports with untagged
traffic, but located in vlan123 (aka "access vlan 123")


For this purpose, I use bridge1
---cut---
# ifconfig bridge1
bridge1: flags=41
description: L2-Access-Ports-in-VLAN666
index 25 llprio 3
groups: bridge
priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto
rstp
designated: id fe:e1:ba:d1:39:24 priority 32768
em12 flags=3
port 13 ifpriority 0 ifcost 0
em13 flags=3
port 14 ifpriority 0 ifcost 0
em14 flags=3
port 15 ifpriority 0 ifcost 0
Addresses (max cache: 100, timeout: 240):
---cut---



I think I remember, that a year ago or so, I just added vlan123 to
bridge1 and it worked.


But it's a year ago, so maybe that's not really correct :)


Does anyone have a clue, how to accomplish that goal ?



Kind regards,
Marco

Re: No free discspace after deleting files

[Marco Prause]

Re,

well as mentioned fstat didn't show any open filehandles or inodes, but
fsck was a bit more chatty :

# fsck /dev/sd0a


** /dev/rsd0a (NO WRITE)
** Last Mounted on /flash
** Phase 1 - Check Blocks and Sizes
** Phase 2 - Check Pathnames
** Phase 3 - Check Connectivity
** Phase 4 - Check Reference Counts
UNREF FILE I=9  OWNER=root MODE=100644
SIZE=1317309440 MTIME=Sep 27 13:48 2016
CLEAR? no

** Phase 5 - Check Cyl groups
15 files, 892592 used, 993071 free (31 frags, 124130 blocks, 0.0%
fragmentation)
#

a simple umount and mount of the partition did fix it and released the
discspace.

Because it happened the second time, I'm going to try to reproduce the
issue.


But until then cheers,
Marco

Am 27.09.2016 um 08:29 schrieb Raul Miller:
> Do any processes have those files open? Did you have any hard links to
> those files from other names?
> 
> The disk space cannot be removed until all references to those files
> are removed.

Re: No free discspace after deleting files

[Marco Prause]

No, there are no links and process that have the files opened.
Or better : I do not see any with fstat.

Maybe there's any other programs for this purpose I do not know at the
moment ?


Am 27. September 2016 08:29:06 MESZ, schrieb Raul Miller
:

Do any processes have those files open? Did you have any hard links to
those files from other names?

The disk space cannot be removed until all references to those files
are removed.

No free discspace after deleting files

[Marco Prause]

Hi all,

I met an interesting problem while deleting files that makes me curious.

After deleting two files for preparing an update in a flashrd-setup
(openbsd.vnd + bsd) I would have expected the ~1,2 GB beeing freed.

The files are gone - so far so good, but the disc space is not free.

I know this behaviour, if a process is still sitting on the file, but
with fstat I can't see any process or open file handler.

Now I'm just curious if I miss something and probably I just need a bit
more coffee ;-)


# df -h
Filesystem SizeUsed   Avail Capacity  Mounted on
/dev/rd0a  1.8M1.4M419K77%/
/dev/sd0a  1.8G872M878M50%/flash
/dev/vnd0e15.4M5.0M   10.3M32%/etc
/dev/vnd0f42.1M   14.6M   27.0M35%/sbin
/dev/vnd0a48.3M6.0K   47.8M 0%/root
/dev/vnd0d16.4M5.8M   10.4M36%/bin
/dev/vnd0g 1.1G735M347M68%/usr
tmpfs 64.0M   61.5M2.5M96%/var
tmpfs 50.0M4.0K   50.0M 0%/home
tmpfs 16.0M4.0K   16.0M 0%/tmp
/dev/sd0d 10.9G616M9.7G 6%/data
#
# du -hs /flash/
68.9M   /flash/
#
# mount
/dev/rd0a on / type ffs (local)
/dev/sd0a on /flash type ffs (local, noatime, nodev, nosuid)
/dev/vnd0e on /etc type ffs (local, noatime, nodev, nosuid, read-only)
/dev/vnd0f on /sbin type ffs (local, noatime, nodev, read-only)
/dev/vnd0a on /root type ffs (local, noatime, nodev, nosuid, read-only)
/dev/vnd0d on /bin type ffs (local, noatime, nodev, nosuid, read-only)
/dev/vnd0g on /usr type ffs (local, noatime, nodev, read-only)
tmpfs on /var type tmpfs (local, noatime, nodev, nosuid)
tmpfs on /home type tmpfs (local, noatime, nodev, nosuid)
tmpfs on /tmp type tmpfs (local, noatime, nodev, nosuid)
/dev/sd0d on /data type ffs (local)
#
# iostat 1 10
  tty  sd0   rd0   sd1
sd2 cpu
 tin tout  KB/t  t/s  MB/s   KB/t  t/s  MB/s   KB/t  t/s  MB/s   KB/t
t/s  MB/s  us ni sy in id
   01 15.280  0.00   0.000  0.00   6.090  0.00   0.00
0  0.00   0  0  1  1 98
   0  294  0.000  0.00   0.000  0.00   0.000  0.00   0.00
0  0.00   0  0  1  3 96
   0   97  0.000  0.00   0.000  0.00   0.000  0.00   0.00
0  0.00   0  0  2  3 95
   0   97  0.000  0.00   0.000  0.00   0.000  0.00   0.00
0  0.00   0  0  1  1 98
   0   98  0.000  0.00   0.000  0.00   0.000  0.00   0.00
0  0.00   0  0  0  0100
   0   96  0.000  0.00   0.000  0.00   0.000  0.00   0.00
0  0.00   1  0  1  2 96
   0   98  0.000  0.00   0.000  0.00   0.000  0.00   0.00
0  0.00   0  0  0  1 99
   0   97  0.000  0.00   0.000  0.00   0.000  0.00   0.00
0  0.00   0  0  2  1 97
   0   97  0.000  0.00   0.000  0.00   0.000  0.00   0.00
0  0.00   0  0  0  1 99
   0   96  0.000  0.00   0.000  0.00   0.000  0.00   0.00
0  0.00   2  0  0  3 95
#
# uname -a

OpenBSD gw.idst 5.9 FLASHRD.MP#2 amd64
#
# dmesg

OpenBSD 5.9-stable (FLASHRD.MP) #2: Wed Aug 17 17:48:07 CEST 2016

r...@openbsd-59-amd64-build.my.domain:/usr/src/sys/arch/amd64/compile/FLASHRD.MP
real mem = 2098520064 (2001MB)
avail mem = 2028883968 (1934MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0x7e16d820 (6 entries)
bios0: vendor coreboot version "SageBios_PCEngines_APU-45" date 04/05/2014
bios0: PC Engines APU
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S3 S4 S5
acpi0: tables DSDT FACP SPCR HPET APIC HEST SSDT SSDT SSDT
acpi0: wakeup devices AGPB(S4) HDMI(S4) PBR4(S4) PBR5(S4) PBR6(S4)
PBR7(S4) PE20(S4) PE21(S4) PE22(S4) PE23(S4) PIBR(S4) UOH1(S3) UOH2(S3)
UOH3(S3) UOH4(S3) UOH5(S3) [...]
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpihpet0 at acpi0: 14318180 Hz
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD G-T40E Processor, 1000.13 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,SSSE3,CX16,POPCNT,NXE,MMXX,FFXSR,PAGE1GB,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,IBS,SKINIT,ITSC
cpu0: 32KB 64b/line 2-way I-cache, 32KB 64b/line 8-way D-cache, 512KB
64b/line 16-way L2 cache
cpu0: 8 4MB entries fully associative
cpu0: DTLB 40 4KB entries fully associative, 8 4MB entries fully associative
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 199MHz
cpu0: mwait min=64, max=64, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: AMD G-T40E Processor, 1000.00 MHz
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,HTT,SSE3,MWAIT,SSSE3,CX16,POPCNT,NXE,MMXX,FFXSR,PAGE1GB,LONG,LAHF,CMPLEG,SVM,EAPICSP,AMCR8,ABM,SSE4A,MASSE,3DNOWP,IBS,SKINIT,ITSC
cpu1: 32KB 64b/line 2-way I-cache, 32KB 64b/line 8-way D-cache, 512KB
64b/line 16-way L2 cache
cpu1: 8 4MB entries fully 

Re: Network Interface "Intel I350 Fiber" 8 Port Module shows only 4 Ports

[Marco Prause]

Hi,

I just wanted to keep you in loop concerning my "8 Port Module" problem.
To make a long story short:

One jumper on the motherboard did fix the issue \o/


I've just changed :

  two x8 signals

into

  one x8, two x4 signals

with the PCIe slot and tadaa all interfaces are present.



So, sorry for the noise.


Have a nice weekend,
Marco

Re: Network Interface "Intel I350 Fiber" 8 Port Module shows only 4 Ports

[Marco Prause]

Hi,

> Concerning my chipset problem, I'm compiling current at the moment,
> because the msi-x feature sounds very promising in this case.

current for amd64 is compiled and booted, but unfortunately I still see
just 4 of the 8 interfaces.

But, I also still see that they are using msi and not msi-x as I
supposed after reading :

  http://www.openbsd.org/plus.html

and

  http://permalink.gmane.org/gmane.os.openbsd.tech/50018


The card itself indicates the usage of msi-x at pcidump as you can see
on the first recognised chipset :

 2:0:3: Intel I350 Fiber
0x: Vendor ID: 8086 Product ID: 1522
0x0004: Command: 0006 Status: 0010
0x0008: Class: 02 Subclass: 00 Interface: 00 Revision: 01
0x000c: BIST: 00 Header Type: 80 Latency Timer: 00 Cache Line
Size: 10
0x0010: BAR mem 32bit addr: 0xf7d0/0x0002
0x0014: BAR empty ()
0x0018: BAR empty ()
0x001c: BAR mem 32bit addr: 0xf7d8/0x4000
0x0020: BAR empty ()
0x0024: BAR empty ()
0x0028: Cardbus CIS: 
0x002c: Subsystem Vendor ID:  Product ID: 
0x0030: Expansion ROM Base Address: 
0x0038: 
0x003c: Interrupt Pin: 04 Line: 0b Min Gnt: 00 Max Lat: 00
0x0040: Capability 0x01: Power Management
State: D0
0x0050: Capability 0x05: Message Signaled Interrupts (MSI)
0x0070: Capability 0x11: Extended Message Signaled Interrupts
(MSI-X)
0x00a0: Capability 0x10: PCI Express
Link Speed: 5.0 / 5.0 GT/s Link Width: x4 / x4



Maybe there's an option in the Bios setting I have to activate ?


Marco



> 
> Cheers,
> Marco
> 
> 
> Am 24.07.2016 um 22:20 schrieb Chris Cappuccio:
>> Marco Prause [marco-obsdm...@prause.eu] wrote:
>>
>>> em1: flags=18802<BROADCAST,SIMPLEX,MULTICAST,MPSAFE> mtu 1500
>>> lladdr 00:90:0b:4b:54:0f
>>> priority: 0
>>> media: Ethernet autoselect (none)
>>> status: no carrier
>>> supported media:
>>> media 1000baseSX mediaopt full-duplex
>>> media 1000baseSX
>>> media autoselect
>>> #
>>>
>>> Having a look at the specification and em(4) I thought, it would be
>>> possible to connect e.g. 1000baseLX transceiver too.
>>> Does anybody know, if it is just because there's no 1000baseLX plugged
>>> in at the moment, or are there any limitations I should be aware of ?
>>>
>>
>> Yes it works fine. Perhaps you have an SX SFP installed at the moment?

Re: Network Interface "Intel I350 Fiber" 8 Port Module shows only 4 Ports

[Marco Prause]

Thanks Chris,

these are good news. And you are right, at the moment I've just
installed SX. I just thought, the output will show possible media types,
even if there's no corresponding sfp plugged in.
But I've ask the distributor to put a LX into the lab device, just to be
sure.

Concerning my chipset problem, I'm compiling current at the moment,
because the msi-x feature sounds very promising in this case.

Cheers,
Marco


Am 24.07.2016 um 22:20 schrieb Chris Cappuccio:
> Marco Prause [marco-obsdm...@prause.eu] wrote:
> 
>> em1: flags=18802<BROADCAST,SIMPLEX,MULTICAST,MPSAFE> mtu 1500
>> lladdr 00:90:0b:4b:54:0f
>> priority: 0
>> media: Ethernet autoselect (none)
>> status: no carrier
>> supported media:
>> media 1000baseSX mediaopt full-duplex
>> media 1000baseSX
>> media autoselect
>> #
>>
>> Having a look at the specification and em(4) I thought, it would be
>> possible to connect e.g. 1000baseLX transceiver too.
>> Does anybody know, if it is just because there's no 1000baseLX plugged
>> in at the moment, or are there any limitations I should be aware of ?
>>
> 
> Yes it works fine. Perhaps you have an SX SFP installed at the moment?

Re: Network Interface "Intel I350 Fiber" 8 Port Module shows only 4 Ports

[Marco Prause]

Re,


> So, I've just adjusted my build scripts and jenkins-job and hit the
> build button a few minutes ago to build a 5.9 stable image (yes it's not
> current, but I didn't see any changes in plus.html concerning em
> interfaces or pci stuff, but this will be the next step.

just as a short actual information on this topic. Booted with 5.9, but I
still see just the first 4 interfaces that belong to the first chip on
the card :

 2:0:0: Intel I350 Fiber
 2:0:1: Intel I350 Fiber
 2:0:2: Intel I350 Fiber
 2:0:3: Intel I350 Fiber

em0 at pci2 dev 0 function 0 "Intel I350 Fiber" rev 0x01: msi, address
00:90:0b:4b:54:0e
em1 at pci2 dev 0 function 1 "Intel I350 Fiber" rev 0x01: msi, address
00:90:0b:4b:54:0f
em2 at pci2 dev 0 function 2 "Intel I350 Fiber" rev 0x01: msi, address
00:90:0b:4b:54:10
em3 at pci2 dev 0 function 3 "Intel I350 Fiber" rev 0x01: msi, address
00:90:0b:4b:54:11


Unfortunately I'm just connected to a remote lab, so I neither can't
check the Bios settings or version concerning any PCI stuff nor perform
a "normal" installation.


Another question arised while looking at the supported media-types:

# ifconfig em1 media
em1: flags=18802 mtu 1500
lladdr 00:90:0b:4b:54:0f
priority: 0
media: Ethernet autoselect (none)
status: no carrier
supported media:
media 1000baseSX mediaopt full-duplex
media 1000baseSX
media autoselect
#

Having a look at the specification and em(4) I thought, it would be
possible to connect e.g. 1000baseLX transceiver too.
Does anybody know, if it is just because there's no 1000baseLX plugged
in at the moment, or are there any limitations I should be aware of ?



So long,
Marco

Re: Network Interface "Intel I350 Fiber" 8 Port Module shows only 4 Ports

[Marco Prause]

Hi Nick,

Am 20.07.2016 um 14:08 schrieb Nick Holland:
> On 07/20/16 05:17, Marco Prause wrote:
>> Hi @Misc,
>>
>> I am quite happy to test a 8 Port interface-Card in a 1U Appliance.
>>
>> Unfortunately at the moment I just see 4 of the 8 interfaces - did
>> anybody already have some experience with this NICs and this behavior ?
> ...
>> OpenBSD 5.8-stable (FLASHRD.MP) #17: Thu Jul 14 11:17:43 CEST 2016
>> r...@obsd58build.my.domain:/usr/src/sys/arch/i386/compile/FLASHRD.MP
> ...
> 
> You will probably get a lot more interest in your report if you try
> again with a -current GENERIC.MP kernel, rather than a year old
> frankenkernel.  The problem -- if there ever was one in GENERIC -- may
> well have been fixed in the last year of development.  And never
> underestimate the amount of damage you can do by customizing things.

Good point, thanks.

I was just always sitting on the second to last release/stable version -
just like good old wine, but you are right in those cases it's better to
have a look at the newest release or even current. Nobody wants to do
the work that's already done.

Concerning the generic kernel, I didn't change the kernel or better it's
configuration intentionaly. I was just using flashrd to generate a
bootable image. (note to me: "have a look inside flashrd, what it is
doing there")

So, I've just adjusted my build scripts and jenkins-job and hit the
build button a few minutes ago to build a 5.9 stable image (yes it's not
current, but I didn't see any changes in plus.html concerning em
interfaces or pci stuff, but this will be the next step.

Best regards,
Marco

Network Interface "Intel I350 Fiber" 8 Port Module shows only 4 Ports

[Marco Prause]

Hi @Misc,

I am quite happy to test a 8 Port interface-Card in a 1U Appliance.

Unfortunately at the moment I just see 4 of the 8 interfaces - did
anybody already have some experience with this NICs and this behavior ?

The spec lists the chipset as :

  8 GbE SFP Fiber   2 x Intel I350-AM4


And my OpenBSD 5.8 stable (from 2016-07-14) seems to see just one of
them as :

 "Intel I350 Fiber"


The recognized ports and the fixed RJ45-Ports work well so far.
But there's no indication that the second I350 chipset is recognized too.


Maybe anyone have a hint, if I can "activate" the second one (e.g.
fixing some interrupt-issues - which I didn't see so far, or any
different approach ?)

And last but nor least some dmesg and pcidump output :

# uname -a
OpenBSD gw 5.8 FLASHRD.MP#17 i386
#
# dmesg


OpenBSD 5.8-stable (FLASHRD.MP) #17: Thu Jul 14 11:17:43 CEST 2016
r...@obsd58build.my.domain:/usr/src/sys/arch/i386/compile/FLASHRD.MP
cpu0: Intel(R) Core(TM) i5-4570S CPU @ 2.90GHz ("GenuineIntel"
686-class) 2.91 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,PAGE1GB,LONG,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,SENSOR,ARAT
real mem  = 3680247808 (3509MB)
avail mem = 3592876032 (3426MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: date 12/14/12, SMBIOS rev. 2.8 @ 0xec200 (78 entries)
bios0: vendor American Megatrends Inc. version "4.6.5" date 03/02/2015
bios0: INTEL Corporation DENLOW_WS
acpi0 at bios0: rev 2
acpi0: sleep states S0 S5
acpi0: tables DSDT FACP APIC FPDT SSDT MCFG HPET SSDT SSDT ASF! DMAR
EINJ ERST HEST BERT
acpi0: wakeup devices PS2K(S0) PS2M(S0) PXSX(S0) RP01(S0) PXSX(S0)
RP02(S0) PXSX(S0) RP03(S0) PXSX(S0) RP04(S0) PXSX(S0) RP05(S0) PXSX(S0)
RP06(S0) PXSX(S0) RP07(S0) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Core(TM) i5-4570S CPU @ 2.90GHz ("GenuineIntel"
686-class) 2.90 GHz
cpu1:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,PAGE1GB,LONG,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,SENSOR,ARAT
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Core(TM) i5-4570S CPU @ 2.90GHz ("GenuineIntel"
686-class) 2.90 GHz
cpu2:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,PAGE1GB,LONG,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,SENSOR,ARAT
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Core(TM) i5-4570S CPU @ 2.90GHz ("GenuineIntel"
686-class) 2.90 GHz
cpu3:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,NXE,PAGE1GB,LONG,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,HLE,AVX2,SMEP,BMI2,ERMS,INVPCID,RTM,SENSOR,ARAT
ioapic0 at mainbus0: apid 8 pa 0xfec0, version 20, 24 pins
acpimcfg0 at acpi0 addr 0xf800, bus 0-63
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 3 (RP01)
acpiprt2 at acpi0: bus 4 (RP02)
acpiprt3 at acpi0: bus 5 (RP03)
acpiprt4 at acpi0: bus 6 (RP04)
acpiprt5 at acpi0: bus 7 (RP05)
acpiprt6 at acpi0: bus 8 (RP06)
acpiprt7 at acpi0: bus 9 (RP07)
acpiprt8 at acpi0: bus 1 (PEG0)
acpiprt9 at acpi0: bus 2 (PEG1)
acpiprt10 at acpi0: bus -1 (PEG2)
acpiec0 at acpi0: not present
acpicpu0 at acpi0: C1(@1 halt!)
acpicpu1 at acpi0: C1(@1 halt!)
acpicpu2 at acpi0: C1(@1 halt!)
acpicpu3 at acpi0: C1(@1 halt!)
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpipwrres at acpi0 not configured
acpitz0 at acpi0: critical temperature is 105 degC
acpitz1 at acpi0: critical temperature is 105 degC
acpibat0 at acpi0: BAT0 not present
acpibat1 at acpi0: BAT1 not present
acpibat2 at acpi0: BAT2 not present
acpibtn0 at acpi0: PWRB
acpibtn1 at acpi0: LID0
acpivideo0 at acpi0: GFX0
acpivout0 at acpivideo0: DD1F
bios0: ROM list: 0xc/0xec00
cpu0: Enhanced 

Re: OpenBGPD traps and triggers

[Marco Prause]

Hi Bill,

I don't know, if you saw some lines in the logfile concerning this. But if you 
did, maybe youn can use logfmon or something like this for alerting ?

Marco

Am 30. Juni 2016 20:30:25 MESZ, schrieb Bill Buhler :
>Hi,
>
> 
>
>I've been through the man pages a couple of times and am not seeing
>what I'm
>looking for. I have a couple of OpenBSD machines running BGP sessions
>with
>my ISPs. Yesterday one of the IPv6 sessions went down and I didn't
>notice
>for quite a while..
>
> 
>
>This got me looking for some kind of trigger / trap that would
>automatically
>alert me if a BGP session went down, or was flapping. I couldn't see
>any
>provision in the man page to execute a external script, and no mention
>of
>SNMP. So is there such a feature I missed?
>
> 
>
>I the short term I hacked together a cron job that parses the output
>of:
>bgpctl show status terse to send me email alerts, but I'd prefer to not
>be
>depending on polling if at all possible.
>
> 
>
>Thanks,
>
> 
>
>Bill Buhler
>
>[demime 1.01d removed an attachment of type application/pkcs7-signature
>which had a name of smime.p7s]

Re: 1U / 2 Computers? For redundant FW pair

[Marco Prause]

Christian,

sure - you're so damn right :)

Just for the records, I've used

main auth hmac-sha1 enc aes-128 group modp1536
quick auth hmac-sha1 enc aes-128

and just a dumb

# iperf -c 172.16.2.1

Client connecting to 172.16.2.1, TCP port 5001
TCP window size: 16.0 KByte (default)

[  3] local 172.16.1.1 port 8600 connected with 172.16.2.1 port 5001
[ ID] Interval   Transfer Bandwidth
[  3]  0.0-10.0 sec  72.5 MBytes  60.7 Mbits/sec
#


Without any testing on UDP or different datagram payloads and so forth.
All on OpenBSD flashrd 5.5 build on stable (2014-04-05).


Regards,
Marco


Am 21.01.2015 um 18:01 schrieb Christian Weisgerber:
 On 2015-01-21, Marco Prause marco-obsdm...@prause.eu wrote:
 
 Also when using ipsec in this test-setup, iperf was able to push ~60Mbps
 through the tunnel (ase-128).
   ^^^
 That's pretty useless without specifying which MAC algorithm you
 used.

Re: 1U / 2 Computers? For redundant FW pair

[Marco Prause]

Hi Alan,

some time ago I've had a look at them.

Supermicro still seem to have 1U Twin-Server in their List.
Unfortunately I can't say anything about running them - they are still
on my wishlist.

On the other hand - does anybody know alternatives ? Just in case of not
ending up in some kind of vendor-lock-in issue.

For weaker hardware I've allready tested the APU-Boards in a 1U
Dual-Box. I was able to push ~750 Mbps through them with pf enabled
(just the default rules)

  Workstation --- APU 1 --- APU 2

just with a simple iperf test.

Also when using ipsec in this test-setup, iperf was able to push ~60Mbps
through the tunnel (ase-128).


Best regards,
Marco


Am 21.01.2015 um 13:31 schrieb Alan McKay:
 I know that Supermicro has some interesting side-by-sides starting at
 2U, but I'm not aware of anything in 1U.  Basically I'd like to have
 my redundant FW pairs take up less rack space.   I guess another
 option would be half-width 1U if anything like that exists, and
 install a rack shelf.

Re: DNSSEC-query with DO-bit through libc ?

[Marco Prause]

Happy new year everyone,

Am 16.09.2014 um 00:55 schrieb Stuart Henderson:
 On 2014-09-15, Marco Prause marco-obsdm...@prause.eu wrote:
 Looking at  lib/libc/net/res_query.c
 
 Try libc/asr/res_query.c ..
 

thanks again, Stuart, for this hint.
Just a short follow-up to this thread :

I've read, that there has been an update on asr_run(3) some time ago :

-will request DNSSEC authentication using the EDNS0 DNSSEC OK (DO) bit.
+will not request DNSSEC authentication using the EDNS0 DNSSEC OK (DO) bit.


For sure maybe nothing new to the majority of this and tech-list, but
just a short reality-check.


Regards,
Marco

Re: unbound

[Marco Prause]

Am 19.09.2014 um 12:28 schrieb Krzysztof Strzeszewski:
...
 I want add my global domain in my serwer dns unbound... How to do? I
 don't add local domain:
 
 local-data: example.com 10800 IN A local_IP
 
 but I want add mu global domain end record A for public_IP in global
 network.
 
 I konw how add my domain in named(bind):
 
 zone example.com {
 type master;
 file example.com.hosts;
 allow-update { none; };
 allow-transfer { 111.111.111.111; };
 notify yes;
 };
 
 end add record A in example.com.hosts.
...

hi Krzych,

as a read it correctly - you seem to be out of luck, because unbound is
just a resolving nameserver an no full authoritative one.

Your first step, by using a combination of local-zone: and local-data:
should be the best choice.

Otherwise you can configure a stub resolver, but this one has to be an
authoritative one as well like e.g. bind oder nsd.

Concening the RR in my opinion you should be able to use non RFC1918
addresses in these config-parts as well - but I haven't tested it yet.

Regards,
Marco

Re: DNSSEC-query with DO-bit through libc ?

[Marco Prause]

Am 16.09.2014 um 00:55 schrieb Stuart Henderson:
 On 2014-09-15, Marco Prause marco-obsdm...@prause.eu wrote:
 Looking at  lib/libc/net/res_query.c
 
 Try libc/asr/res_query.c ..

Thanks for the hint - I'd have a look at, but sadly it doesn't help me
understanding, what's going on.


Having a look at postfix-src I found a notice at

/usr/ports/distfiles/postfix/postfix-2.11.0/srcdns/dns_lookup.c

that says
...
/* .IP RES_USE_DNSSEC
/*  Request DNSSEC validation. This flag is silently ignored
/*  when the system stub resolver API, resolver(3), does not
/*  implement DNSSEC.
...


so far so good, but man resolver 3 looks also good to me :
...
RES_USE_EDNS0  Attach an OPT pseudo-RR for the EDNS0 extension, as
   specified in RFC 2671.  This informs DNS servers of a
   client's receive buffer size, allowing them to take
   advantage of a non-default receive buffer size, and thus
   to send larger replies.  DNS query packets with the EDNS0
   extension are not compatible with non-EDNS0 DNS servers.

RES_USE_DNSSEC  Request that the resolver uses Domain Name System
Security Extensions (DNSSEC), as defined in RFCs 4033,
4034, and 4035.
...



in include/resolv.h I also find global definitions for both :
...
#define RES_USE_EDNS0   0x4000  /* use EDNS0 */
/* DNSSEC extensions: use higher bit to avoid conflict with ISC use */
#define RES_USE_DNSSEC  0x2000  /* use DNSSEC using OK bit in OPT */
...


but I  can't see it anywhere beeing used at the query-parts at
getrrsetbyname.c, res_mkquery.c, res_query.c - they are mentioned only
at the responses, but in my opinion the DO-bit also have to be set in
the query, to signal the usage of DNSSEC and this is, what I didn't see
sniffing on the outgoing interface.


Regards,
Marco

DNSSEC-query with DO-bit through libc ?

[Marco Prause]

Hi,

while playing around with DANE-enabled postfix, I've been running in
some problems (maybe) concerning with postfix's usage of libc / res_query.c

At the moment it seems to me, libc (or something around) is cutting off
the necessary DO-Bit in the dns-queries.

While asking the local dnssec-aware unbound with dig or drill, I'm
getting the correct answer and the AD-flag set in the answer.


Running

OpenBSD 5.5-release
postfix-2.11.0
unbound-1.4.21p0

etc/resolv.conf says:
nameserver 127.0.0.1
options edns0


Looking at  lib/libc/net/res_query.c, I can see the usage of RES_DNSSEC
and RES_EDNS0, but I can't see anything specific concerning to DO-bit.
But to be honest, I'm far from being a C-programmer :)


Does anyone already met some familiar issue and maybe have some
workarounds ? Or can anyone verify / falsify my libc-theory ?


Kind regards,
Marco

Re: [Bulk] DNSSEC-query with DO-bit through libc ?

[Marco Prause]

Am 15.09.2014 um 15:58 schrieb Kevin Chadwick:
 On Mon, 15 Sep 2014 12:59:46 +0200
 Marco Prause wrote:

 Does anyone already met some familiar issue and maybe have some
 workarounds ? Or can anyone verify / falsify my libc-theory ?

 I'd look into whether you still have an issue whilst using TCP for the
 requests?

Well, I gave options edns0 tcp in resolv.conf a short try, but with
the same result in the maillog: non DNSSEC destination for i.e. ietf.org.

Concerning a DO-Bit I could only find a hint in the bind-sources, like
i.e. /usr.sbin/bind/bin/named/query.c but nothing equivalent in
./libc/net/res_query.c or ./lib/libc/net/res_mkquery.c

At the moment I have no idea to reproduce the postfix query manually
through the libc-calls.

While sniffing on the outside interface I can see, that queries that go
through libc-stub-resolver don't have the DO bit set anymore.


Regards,
Marco