Donation to OpenBSD
Hi there,

I have a Sun Ultra 60 that I wish to give to the OpenBSD Team. The machine is based in Paris, has 2 Creator 3D cards (I think), no keyboard. I can have a check if someone is interested in getting it for OpenBSD.

I also have a couple of Netapp Filer Heads (Alpha based systems).

Please contact me in private.

Regards,
Xavier
neighbor received notification: error in OPEN message, unknown subcode 8
Hello,

I have some neighbor that has been flapping for a long time (looking at the logs since I had some issues with OpenBSD 4.8, which seem to be fixed).

Dec 1 16:49:05 core-3 bgpd[27061]: neighbor 194.68.129.153: received notification: error in OPEN message, unknown subcode 8

Any idea what it is... And how to fix that?

group Sfinx {
	local-address 194.68.129.xxx
	announce all
	announce IPv4 unicast
	announce IPv6 none
	softreconfig in yes
	softreconfig out yes
	set med 50
	set localpref 5500
	depend on vlan2
	enforce neighbor-as yes
	...
	neighbor 194.68.129.153 {
		remote-as 21409
		max-prefix 50 restart 60
		set community delete 21409:*
	}
}

Thanks
/Xavier
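The log line above is bgpd reporting the NOTIFICATION the peer sent back in answer to our OPEN. As an added example (not bgpd's code), the following Python decodes such a message from its wire format, validating the marker and length before trusting anything from the neighbor, and names the error with only the RFC 4271 and RFC 5492 subcode tables that existed in 2010; OPEN error subcode 8 was unassigned then (RFC 9234 later defined it as Role Mismatch), so the decoder reports it exactly as bgpd did. The sample message is constructed.

```python
import struct

# BGP wire format constants (RFC 4271 sections 4.1 and 4.5).
BGP_MARKER = b"\xff" * 16
BGP_HEADER_LEN = 19          # 16-byte marker + 2-byte length + 1-byte type
BGP_MSG_NOTIFICATION = 3

# Error codes from RFC 4271 section 4.5.
ERROR_CODES = {
    1: "Message Header Error",
    2: "OPEN Message Error",
    3: "UPDATE Message Error",
    4: "Hold Timer Expired",
    5: "Finite State Machine Error",
    6: "Cease",
}

# OPEN Message Error subcodes: 1-6 from RFC 4271, 7 from RFC 5492.
# Anything else was unassigned in 2010, which is what yields the
# "unknown subcode 8" wording in the bgpd log above.
OPEN_ERROR_SUBCODES = {
    1: "Unsupported Version Number",
    2: "Bad Peer AS",
    3: "Bad BGP Identifier",
    4: "Unsupported Optional Parameter",
    5: "Deprecated",
    6: "Unacceptable Hold Time",
    7: "Unsupported Capability",
}


def build_notification(code, subcode, data=b""):
    """Build a NOTIFICATION message; used here only to construct a sample."""
    length = BGP_HEADER_LEN + 2 + len(data)
    header = BGP_MARKER + struct.pack("!HB", length, BGP_MSG_NOTIFICATION)
    return header + struct.pack("!BB", code, subcode) + data


def parse_notification(msg):
    """Check the header of a received message and return (code, subcode, data).

    The message comes from the peer, so every field is validated before use.
    """
    if len(msg) < BGP_HEADER_LEN + 2:
        raise ValueError("message too short for a NOTIFICATION")
    marker, length, msg_type = struct.unpack("!16sHB", msg[:BGP_HEADER_LEN])
    if marker != BGP_MARKER:
        raise ValueError("bad marker")
    # RFC 4271: length covers the whole message and is between 19 and 4096.
    if length != len(msg) or length < BGP_HEADER_LEN + 2 or length > 4096:
        raise ValueError("bad message length %d" % length)
    if msg_type != BGP_MSG_NOTIFICATION:
        raise ValueError("not a NOTIFICATION (type %d)" % msg_type)
    code, subcode = struct.unpack("!BB", msg[BGP_HEADER_LEN:BGP_HEADER_LEN + 2])
    return code, subcode, msg[BGP_HEADER_LEN + 2:]


def describe_notification(code, subcode):
    """Render a log-style description, naming unknown subcodes as bgpd does."""
    name = ERROR_CODES.get(code)
    if name is None:
        return "unknown error code %d, subcode %d" % (code, subcode)
    if code == 2:
        sub = OPEN_ERROR_SUBCODES.get(subcode)
        if sub is None:
            return "error in OPEN message, unknown subcode %d" % subcode
        return "error in OPEN message: %s" % sub
    return "%s, subcode %d" % (name, subcode)


if __name__ == "__main__":
    # Constructed sample: the peer rejects our OPEN with code 2, subcode 8.
    sample = build_notification(2, 8)
    code, subcode, _ = parse_notification(sample)
    print(describe_notification(code, subcode))
```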
Re: OpenBGPD fatal in RDE : cannot allocate memory
Hello,

On 30 Nov 2010 at 11:03, Stuart Henderson wrote:

> On 2010-11-30, Xavier Beaudouin k...@oav.net wrote:
>> Hello,
>>
>> I have updated an openbgpd router from OpenBSD 4.7 i386 to 4.8 amd64. Now I have new instability like this:
>>
>> Nov 29 21:25:22 core-3 bgpd[28895]: fatal in RDE: path_alloc: Cannot allocate memory
>> Nov 30 02:01:47 core-3 bgpd[5522]: fatal in RDE: up_generate: Cannot allocate memory
>
> Is this box acting as a route-reflector?

No route reflector at all. It is a peering box with 3 IX, one transit and 3 iBGP sessions (count 6, because I use IPv6).

Configuration of this box on demand.

Xavier
Re: OpenBGPD fatal in RDE : cannot allocate memory
Hi Claudio, Maybe it is time to change the default datalimit in the RDE. So maybe something like this may help. bgpd needs quite a bit more (temporary) memory when running with softreconfig. A lot of additional memory is needed on reloads and when large sessions flap that cause a lot of UPDATE messages. Side note: bgpd on amd64 needs quite a bit more memory then i386 because of the 64bit pointers. Yeah... That's why I have 2G on this machine I hope this should be enougth ... 1G on i386 was ok... So... I will tell you if this fix my problem... (if you don't hear me... so it can be fixed...) ping me if you need a clear status. Cheers. Xavier -- :wq Claudio Index: rde.c === RCS file: /cvs/src/usr.sbin/bgpd/rde.c,v retrieving revision 1.302 diff -u -p -r1.302 rde.c --- rde.c 24 Nov 2010 00:58:10 - 1.302 +++ rde.c 30 Nov 2010 10:12:56 - @@ -18,6 +18,8 @@ #include sys/types.h #include sys/socket.h +#include sys/time.h +#include sys/resource.h #include errno.h #include ifaddrs.h @@ -156,6 +158,7 @@ pid_t rde_main(int pipe_m2r[2], int pipe_s2r[2], int pipe_m2s[2], int pipe_s2rctl[2], int debug) { + struct rlimitrl; pid_tpid; struct passwd *pw; struct pollfd *pfd = NULL; @@ -184,6 +187,13 @@ rde_main(int pipe_m2r[2], int pipe_s2r[2 setproctitle(route decision engine); bgpd_process = PROC_RDE; + + if (getrlimit(RLIMIT_DATA, rl) == -1) + fatal(getrlimit); + rl.rlim_cur = RLIM_INFINITY; + rl.rlim_max = RLIM_INFINITY; + if (setrlimit(RLIMIT_DATA, rl) == -1) + fatal(setrlimit); if (setgroups(1, pw-pw_gid) || setresgid(pw-pw_gid, pw-pw_gid, pw-pw_gid) ||
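Review bot: the third hunk sets both rlim_cur and rlim_max of RLIMIT_DATA to RLIM_INFINITY, which throws away the operator's login.conf datasize cap (datasize-cur=1024M / datasize-max=1512M in the original report) for the RDE instead of lifting it to a bounded value. Placing the calls before setgroups()/setresgid() is the right spot, since raising a hard limit only works while still root, but once the limit is gone a misbehaving RDE on a 2G peering box can exhaust memory for the whole system rather than failing with a clear "Cannot allocate memory". Consider raising only rl.rlim_cur to rl.rlim_max, leaving the hard limit under operator control, or else documenting in bgpd.8 that the RDE ignores datasize limits so people know where the memory ceiling now lives. Separately, the follow-up in this thread reports the FIB no longer being updated with this applied; nothing in these hunks touches FIB handling, so that is worth reproducing with and without the 001_bgpd.patch mentioned later before attributing it to this change.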
Re: OpenBGPD fatal in RDE : cannot allocate memory
Hi Claudio,

On 30 Nov 2010 at 17:45, Xavier Beaudouin wrote:

> Hi Claudio,
>
>> Maybe it is time to change the default datalimit in the RDE. So maybe something like this may help. bgpd needs quite a bit more (temporary) memory when running with softreconfig. A lot of additional memory is needed on reloads and when large sessions flap that cause a lot of UPDATE messages. Side note: bgpd on amd64 needs quite a bit more memory than i386 because of the 64bit pointers.
>
> Yeah... That's why I have 2G on this machine. I hope this should be enough... 1G on i386 was ok... So... I will tell you if this fixes my problem... (if you don't hear from me... then it can be fixed...) ping me if you need a clear status.

This patch opens another problem: it seems that the FIB is not updated at all when applied. I reverted to the openbgpd 4.8 release. :(

Xavier
Re: OpenBGPD fatal in RDE : cannot allocate memory
Hi Claudio,

On 30 Nov 2010 at 19:38, Claudio Jeker wrote:

>> This patch opens another problem: it seems that the FIB is not updated at all when applied. I reverted to the openbgpd 4.8 release.
>
> You sure you have http://ftp.openbsd.org/pub/OpenBSD/patches/4.8/common/001_bgpd.patch installed? Since that could be the cause of your problem.

Both patches applied... Well I will see if those 2 patches fix the problem.

Sincerely,
Xavier
OpenBGPD fatal in RDE : cannot allocate memory
Hello,

I have updated an openbgpd router from OpenBSD 4.7 i386 to 4.8 amd64. Now I have new instability like this:

Nov 29 21:25:22 core-3 bgpd[28895]: fatal in RDE: path_alloc: Cannot allocate memory
Nov 30 02:01:47 core-3 bgpd[5522]: fatal in RDE: up_generate: Cannot allocate memory

I have 2Gb on this machine and login.conf like this:

default:\
	:path=/usr/bin /bin /usr/sbin /sbin /usr/X11R6/bin /usr/local/bin:\
	:umask=022:\
	:datasize-max=1512M:\
	:datasize-cur=1024M:\
	:maxproc-max=2048:\
	:maxproc-cur=1024:\
	:openfiles-cur=1024:\
	:stacksize-cur=4M:\
	:localcipher=blowfish,6:\
	:ypcipher=old:\
	:tc=auth-defaults:\
	:tc=auth-ftp-defaults:

This currently makes me mad, because this router handles more than 130 peers and is still unstable. What is needed to make openbgpd work as it should and shut up? (I am going to add a monit... because on a production day this is not acceptable).

Xavier
IVI support ?
Hello,

About IPv6 and IPv4 access, my company wants to kill dual stack stuff, or limit it to the minimum possible if possible, and avoid subnetting that unfortunately loses IPs every time.

Our idea is to have all our systems be IPv6-only native and, when an IPv4 host wants to access an IPv6 service, IVI can do the translation (this is not magic, but the idea is to provide specific IPv6 hosts to be visible outside the IPv6 internet).

So I got on IVI: IPv4 - IPv6 mapping: http://www.ivi2.org/

There is a draft about that: http://tools.ietf.org/html/draft-xli-behave-ivi-07

Does OpenBSD have some support for this draft? Or can we do that using OpenBSD standard tools (eg pf or relayd)?

I really don't want us to rely on Linux, so that's why I'm asking this question... Since OpenBSD is really a network toolbox (OpenOSPF/BGP, etc). This can help to get an internet that is v6 ready?

Regards,
xavier
Re: IVI support ?
Hi Pete,

On 12 Oct 2010 at 14:40, Pete Vickers wrote:

> For v6 clients to access v4 services, see this RFC:
> http://tools.ietf.org/html/draft-ietf-behave-v6v4-xlate-stateful-12
>
> Implemented on OpenBSD via pf BIND patches: http://ecdysis.viagenie.ca/

I know that... In fact this is exactly the opposite of what IVI does... Access from IPv4 to IPv6 services... An edge router that allows the old IPv4 internet to access IPv6-only services...

/Xavier

> /Pete
>
> On 12. okt. 2010, at 13.01, Xavier Beaudouin wrote:
>> Hello,
>>
>> About IPv6 and IPv4 access, my company wants to kill dual stack stuff, or limit it to the minimum possible if possible, and avoid subnetting that unfortunately loses IPs every time.
>>
>> Our idea is to have all our systems be IPv6-only native and, when an IPv4 host wants to access an IPv6 service, IVI can do the translation (this is not magic, but the idea is to provide specific IPv6 hosts to be visible outside the IPv6 internet).
>>
>> So I got on IVI: IPv4 - IPv6 mapping: http://www.ivi2.org/
>>
>> There is a draft about that: http://tools.ietf.org/html/draft-xli-behave-ivi-07
>>
>> Does OpenBSD have some support for this draft? Or can we do that using OpenBSD standard tools (eg pf or relayd)?
>>
>> I really don't want us to rely on Linux, so that's why I'm asking this question... Since OpenBSD is really a network toolbox (OpenOSPF/BGP, etc). This can help to get an internet that is v6 ready?
>>
>> Regards,
>> xavier
>
> Pete Vickers
> p...@systemnet.no | +47 48 17 91 00
> SystemNet AS
ospf6ctl reload - ospf6d disapear
Hi there,

I am using OpenBSD 4.7 (OpenBSD core-3.kazar.net 4.7 GENERIC.MP#449 i386).

I have a simple setup:

router-id 193.43.214.7
fib-update yes

redistribute 2001:67c:ec::5          # lo0
redistribute 2001:67c:ec:fffc::/64   # vlan56

# areas
area 0.0.0.0 {
	interface lo0 {
		passive
		metric 1000
	}
	interface vlan722 {
		metric 100
	}
}

When I add a redistribute subnet and an interface xx { metric 100 }, the ospf6ctl reload gives me:

Aug 12 12:15:46 core-4 ospf6d[31683]: fatal in rde: interface lost in rde
Aug 12 12:15:46 core-4 ospf6d[1609]: lost child: route decision engine exited

So I have to restart ospf6d manually... Maybe there is some issue inside the code?

Sincerely,
Xavier
Re: Resilient RAID
>> What is the most recent OpenBSD release that does support and document installing on to RAID?
>
> none. it's pointless anyway. use two machines and carp, et voila, resilient against a lot more things than just disk failures.

And if you don't want to suffer because of a hard disk failure you can also use flashrd to put the OpenBSD stuff on a DOM, a Compact Flash or even a USB key.

/Xavier
Re: OpenBGP tcp md5 woes...
Hi there,

On 16 May 2010 at 14:26, Claudio Jeker wrote:

> On Sat, May 15, 2010 at 05:15:21PM +0200, Xavier Beaudouin wrote:
>> Hi Stuart,
>>
>> On 15 May 2010 at 13:47, Stuart Henderson wrote:
>>
>>> On 2010-05-15, Xavier Beaudouin k...@oav.net wrote:
>>>> Hello,
>>>>
>>>> I am running OpenBSD 4.7-current, and it seems I have some problems negotiating tcp md5 bgp sessions... They don't seem to wake up at all, I have connection timeouts... or whatever.
>>>
>>> Please show ipsecctl -sa and netstat -rnfencap
>>
>> # netstat -rnfencap
>> Routing tables (empty)
>>
>> # ipsecctl -sa
>> FLOWS:
>> No flows
>>
>> SAD:
>> tcpmd5 from 194.68.129.120 to 194.68.129.151 spi 0x18ca8716
>> tcpmd5 from 194.68.129.120 to 194.68.129.150 spi 0x38c985dd
>> tcpmd5 from 194.68.129.114 to 194.68.129.120 spi 0x4f5d8833
>> tcpmd5 from 194.68.129.103 to 194.68.129.120 spi 0x5351ca6b
>> tcpmd5 from 194.68.129.120 to 194.68.129.115 spi 0x7a989c0e
>> tcpmd5 from 194.68.129.120 to 194.68.129.121 spi 0x8c8c5051
>> tcpmd5 from 194.68.129.129 to 194.68.129.120 spi 0xaece6b67
>> tcpmd5 from 194.68.129.121 to 194.68.129.120 spi 0xbb6260f1
>> tcpmd5 from 194.68.129.115 to 194.68.129.120 spi 0xbc589b6f
>> tcpmd5 from 194.68.129.120 to 194.68.129.129 spi 0xc16133b3
>> tcpmd5 from 194.68.129.120 to 194.68.129.114 spi 0xc36216e4
>> tcpmd5 from 194.68.129.120 to 194.68.129.103 spi 0xc39e4d97
>> tcpmd5 from 194.68.129.150 to 194.68.129.120 spi 0xc8bf11ca
>> tcpmd5 from 194.68.129.120 to 194.68.129.102 spi 0xcc6b7756
>> tcpmd5 from 194.68.129.102 to 194.68.129.120 spi 0xd9097ad1
>> tcpmd5 from 194.68.129.197 to 194.68.129.120 spi 0xdb53b930
>> tcpmd5 from 194.68.129.151 to 194.68.129.120 spi 0xde1e91da
>> tcpmd5 from 194.68.129.120 to 194.68.129.197 spi 0xe630b27a
>>
>> The .120 is my IP :p
>>
>>> I have md5 working with a kernel from April 28th and an absolutely -current bgpd, and also with the version from the Apr 28th snapshot, so I don't think there is a general problem with the code you're running.
>>
>> I'm almost sure there is no problem... I still try to find where the problem is :( If you have any hints.. I'd be happy to apply them...
>
> Did it work before the update with that peer? Most of the time the problem is different passwords or some other misconfiguration. TCP MD5 is an ugly hack that has some nasty ramifications (it breaks some basic behaviour of TCP e.g. RST signaling).

Hum, this is strange, in fact all tcp md5 sessions don't work at all. I can give you access to this router if you like Claudio... :)

Xavier

> Normally the best is to turn off md5 and check that the session works. Then enable md5 or use ttl-security.
>
> --
> :wq Claudio
OpenBGP tcp md5 woes...
Hello,

I am running OpenBSD 4.7-current, and it seems I have some problems negotiating tcp md5 bgp sessions... They don't seem to wake up at all, I have connection timeouts... or whatever.

dmesg:

OpenBSD 4.7-current (GENERIC.MP) #560: Wed Apr 28 11:55:01 MDT 2010
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC.MP
ifconfig em5:

em5: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:30:48:81:18:0b
	description: Sfinx
	priority: 0
	media: Ethernet 100baseTX full-duplex
	status: active
	inet 194.68.129.xxx netmask 0xffffff00 broadcast 194.68.129.255
	inet6 fe80::230:48ff:fe81:180b%em5 prefixlen 64 scopeid 0x6
	inet6 2001:7f8:4e:2::xxx prefixlen 64

Extract of /etc/bgpd.conf:

group Sfinx {
	local-address 194.68.129.xxx
	announce all
	softreconfig in yes
	softreconfig out yes
	set med 50
	set localpref 5000

	# SFinx
	neighbor 194.68.129.102 {
		remote-as 2200
		max-prefix 200 restart 60
		tcp md5sig password ZeUnecryptedPass
		set { med +5 }
		set community delete 2200:*
	}
}
Re: OpenBGP tcp md5 woes...
Hi Stuart,

On 15 May 2010 at 13:47, Stuart Henderson wrote:

> On 2010-05-15, Xavier Beaudouin k...@oav.net wrote:
>> Hello,
>>
>> I am running OpenBSD 4.7-current, and it seems I have some problems negotiating tcp md5 bgp sessions... They don't seem to wake up at all, I have connection timeouts... or whatever.
>
> Please show ipsecctl -sa and netstat -rnfencap

# netstat -rnfencap
Routing tables (empty)

# ipsecctl -sa
FLOWS:
No flows

SAD:
tcpmd5 from 194.68.129.120 to 194.68.129.151 spi 0x18ca8716
tcpmd5 from 194.68.129.120 to 194.68.129.150 spi 0x38c985dd
tcpmd5 from 194.68.129.114 to 194.68.129.120 spi 0x4f5d8833
tcpmd5 from 194.68.129.103 to 194.68.129.120 spi 0x5351ca6b
tcpmd5 from 194.68.129.120 to 194.68.129.115 spi 0x7a989c0e
tcpmd5 from 194.68.129.120 to 194.68.129.121 spi 0x8c8c5051
tcpmd5 from 194.68.129.129 to 194.68.129.120 spi 0xaece6b67
tcpmd5 from 194.68.129.121 to 194.68.129.120 spi 0xbb6260f1
tcpmd5 from 194.68.129.115 to 194.68.129.120 spi 0xbc589b6f
tcpmd5 from 194.68.129.120 to 194.68.129.129 spi 0xc16133b3
tcpmd5 from 194.68.129.120 to 194.68.129.114 spi 0xc36216e4
tcpmd5 from 194.68.129.120 to 194.68.129.103 spi 0xc39e4d97
tcpmd5 from 194.68.129.150 to 194.68.129.120 spi 0xc8bf11ca
tcpmd5 from 194.68.129.120 to 194.68.129.102 spi 0xcc6b7756
tcpmd5 from 194.68.129.102 to 194.68.129.120 spi 0xd9097ad1
tcpmd5 from 194.68.129.197 to 194.68.129.120 spi 0xdb53b930
tcpmd5 from 194.68.129.151 to 194.68.129.120 spi 0xde1e91da
tcpmd5 from 194.68.129.120 to 194.68.129.197 spi 0xe630b27a

The .120 is my IP :p

> I have md5 working with a kernel from April 28th and an absolutely -current bgpd, and also with the version from the Apr 28th snapshot, so I don't think there is a general problem with the code you're running.

I'm almost sure there is no problem... I still try to find where the problem is :( If you have any hints.. I'd be happy to apply them...

Xavier
OpenBSD 4.6 and ospf6d ?
Hi there,

The changelog says: various ospf6d changes...

The main problem is I cannot find ospf6d on an OpenBSD 4.6/i386 installation (even if it is a full installation). Is there something I missed?

/Xavier
OpenBGPd + pf tables : removing prefix that is not on a table?
Hello,

I use OpenBGPd and Pf to do some traffic shaping (see: http://blog.oav.net/dotclear/index.php?post/2007/01/19/32-traffic-shapping-avec-openbsd-pf-altq-et-openbgpd), but I haven't yet found the right way to tell PF to keep my bgp table up to date.

In fact I just do a bgpctl clear nei uplink every night to keep my table up to date. The problem is that the neighbor and all the routes I reinject into pf change all the time... so my shaping reflects real life only when I have just cleared the session, so it is not a good method.

I found that http://marc.info/?l=openbsd-pfm=113646508819716w=2 is maybe a solution. But nothing more.

Any solutions on OpenBSD 4.5?

Thanks,
/Xavier
Openbgpd : how to ADD a community ?
Hello,

I use OpenBSD 4.5 on one of my routers. I'd like to ADD a community to a group of peers. I currently have such statements:

# Set transit communities
match from group Transit set { community 35189:9000, med 20 }

# Set peering communities
match from group Peering set { community 35189:8000, med 15 }

The problem is that if I have the same subnet on the 2 groups Transit and Peering I cannot have both of them on the route. Is there any way to do:

match from group Peering set { community +35189:8000, med 15 }

?

Thanks,
/Xavier
relayd vs loopback interface
Hello,

I'd like to create some setup with relayd to allow bounce-back access to VIPs, eg. allowing machines behind the load balancer to access other VIPs. In order to do that I want to set the VIP on loopback and set /32 routes against the public network to reach them.

Now, are there any problems with such a setup, and clues about that?

Thanks for your replies and any pointers.

/xavier
Re: hoststated status ?
Hello :)

Just to say thank you for all the replies I got :p Relayd is marvelous :)

/Xavier

On 9 Feb 2009 at 00:26, Xavier Beaudouin wrote:

> Hello,
>
> Just a quick question, what is the status of hoststated? I ran into http://www.openbsd.org/papers/eurobsdcon07/pyr-loadbalancing/ and I found it a quite exciting project. Unfortunately it doesn't seem to be in 4.4 or even in snapshots... Are there any replacements? Drawbacks or anything that explains why it is not yet supported by stable releases?
>
> Thanks;
> /Xavier
hoststated status ?
Hello,

Just a quick question, what is the status of hoststated? I ran into http://www.openbsd.org/papers/eurobsdcon07/pyr-loadbalancing/ and I found it a quite exciting project. Unfortunately it doesn't seem to be in 4.4 or even in snapshots... Are there any replacements? Drawbacks or anything that explains why it is not yet supported by stable releases?

Thanks;
/Xavier
OpenBGPd + pf + pf tables.
Hello,

I receive several subnets with OpenBGPd and I add them into a pf table like this:

pf.conf (extract)

table <bgp> { 172.31.0.0/24, 10.0.1.1 }

bgpd.conf (extract)

AS 65530
holdtime 180
holdtime min 3
fib-update no
listen on xxx.xxx.xxx.150

neighbor xxx.xxx.xxx.xxx {
	descr routeurs
	announce none
	remote-as 35189
}

deny quick from any prefix 0.0.0.0/0
allow from any prefixlen 8 - 24
allow from any set pftable bgp

The problem I have is that if a subnet is removed from bgp (eg by my AS35189 neighbor) it is not removed from the pf table bgp. Do you have a little idea how to do this automatically?

Thanks!
/Xavier
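The traffic-shaping post earlier on this page and this one hit the same problem: a pf table filled through `set pftable` keeps prefixes that bgpd has since withdrawn, so shaping or filtering keeps applying to address space the neighbor no longer announces. As an added example (not bgpd's or pf's own code), the following Python works out the add/delete set between what bgpd's RIB holds and what the pf table currently contains and emits the matching pfctl commands; the `bgpctl show rib` and `pfctl -t bgp -T show` outputs it parses are constructed samples whose layout is assumed to match OpenBSD 4.x, so compare them with your own output first.

```python
import ipaddress
import re

# Constructed sample of `bgpctl show rib` output. The column layout is an
# assumption about bgpctl of the OpenBSD 4.x era, not output from the thread.
SAMPLE_RIB = """\
flags: * = Valid, > = Selected, I = via IBGP, A = Announced
origin: i = IGP, e = EGP, ? = Incomplete

flags destination          gateway          lpref   med aspath origin
*>    10.0.1.0/24          192.0.2.1          100     0 35189 i
*>    172.31.0.0/24        192.0.2.1          100     0 35189 i
*>    192.168.50.0/23      192.0.2.1          100     0 35189 64496 i
      198.51.100.0/24      192.0.2.9          100     0 65001 i
"""

# Constructed sample of `pfctl -t bgp -T show`: the table as pf still has it,
# including 192.0.2.0/24, which the neighbor withdrew but nothing removed.
SAMPLE_TABLE = """\
   10.0.1.1
   172.31.0.0/24
   192.0.2.0/24
   192.168.50.0/23
"""

# One RIB row: up to five flag characters, the prefix, then the rest of the row.
RIB_LINE = re.compile(r"^(?P<flags>[*>IA ]{0,5})\s*(?P<prefix>\S+/\d+)\s")


def canon(text):
    """Normalise '10.0.1.1' and '10.0.1.0/24' alike to CIDR strings."""
    return str(ipaddress.ip_network(text, strict=False))


def parse_rib(text):
    """Prefixes bgpd currently holds as valid in its RIB."""
    prefixes = set()
    for line in text.splitlines():
        m = RIB_LINE.match(line)
        # Skip the legend/header rows and routes without the '*' (valid)
        # flag, e.g. routes whose nexthop is currently unreachable.
        if not m or "*" not in m.group("flags"):
            continue
        prefixes.add(canon(m.group("prefix")))
    return prefixes


def parse_table(text):
    """Entries currently loaded in the pf table."""
    return {canon(line.strip()) for line in text.splitlines() if line.strip()}


def plan_sync(rib, table):
    """Return (to_add, to_delete) that turn `table` into exactly `rib`."""
    return sorted(rib - table), sorted(table - rib)


def pfctl_commands(table_name, to_add, to_delete):
    """pfctl invocations for the plan; deletes first so stale entries stop
    matching before anything new is added."""
    cmds = ["pfctl -t %s -T delete %s" % (table_name, p) for p in to_delete]
    cmds += ["pfctl -t %s -T add %s" % (table_name, p) for p in to_add]
    return cmds


if __name__ == "__main__":
    add, delete = plan_sync(parse_rib(SAMPLE_RIB), parse_table(SAMPLE_TABLE))
    for cmd in pfctl_commands("bgp", add, delete):
        print(cmd)
```

Feed the table used for bgpd only from bgpd: anything not in the RIB is treated as stale, so static entries like the 10.0.1.1 in the pf.conf extract above belong in a separate table.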
Bge nic and ifconfig mtu ?
Hello there,

I am trying to change the MTU of a bge interface:

# ifconfig bge1 mtu 1504
ifconfig: SIOCSIFMTU: Invalid argument

(MTU is 1504 because some 3550 EMI are near this machine and need the same MTU everywhere to exchange OSPF packets).

Is this normal, or does the bge interface not support mtu 1500?

Dmesg:

OpenBSD 4.0-current (GENERIC.MP) #944: Tue Sep 26 21:55:34 MDT 2006
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
Re: OpenBGPd and show advertised-routes / show received-routes
On 3 Jun 2006 at 20:05, Falk Brockerhoff wrote:

> Hello,
>
> is there an equivalent for cisco's
>
> sh ip bgp neighbors <neighbor> advertised-routes
>
> and
>
> sh ip bgp neighbors <neighbor> received-routes
>
> Regards,

Should be really useful to debug some filters and see if they are really applied...

/Xavier
Re: OpenBGPd route reflector client ?
On 26 Apr 2006 at 18:49, Claudio Jeker wrote:

> On Wed, Apr 26, 2006 at 04:29:19PM +0200, Xavier Beaudouin wrote:
>> Hello,
>>
>> Stupid question indeed, but I see we can set a route reflector server in bgpd.conf, but there is no hint on how to set a route reflector client in it.
>
> The clients don't need a special config. Just point them to your route-reflector(s). All the magic is done on the servers.

Hum... Doesn't seem to work:

neighbor 80.67.ZZZ.X {
	descr PouIX_routecollector
	remote-as 65432
	local-address 80.67.ZZZ.AA
	announce self
	set localpref 490
	passive
}

log:

Apr 27 12:02:47 core-rdb-1 bgpd[20023]: neighbor 80.67.ZZZ.X (PouIX_routecollector): state change None -> Idle, reason: None
Apr 27 12:02:47 core-rdb-1 bgpd[20023]: neighbor 80.67.ZZZ.X (PouIX_routecollector): state change Idle -> Active, reason: Start
Apr 27 12:03:10 core-rdb-1 bgpd[22756]: RDE reconfigured
Apr 27 12:04:25 core-rdb-1 bgpd[20023]: neighbor 80.67.ZZZ.X (PouIX_routecollector): state change Active -> OpenSent, reason: Connection opened
Apr 27 12:04:25 core-rdb-1 bgpd[20023]: neighbor 80.67.ZZZ.X (PouIX_routecollector): state change OpenSent -> OpenConfirm, reason: OPEN message received
Apr 27 12:04:25 core-rdb-1 bgpd[20023]: neighbor 80.67.ZZZ.x (PouIX_routecollector): state change OpenConfirm -> Established, reason: KEEPALIVE message received
Apr 27 12:04:25 core-rdb-1 bgpd[20023]: neighbor 80.67.ZZZ.X (PouIX_routecollector): state change Established -> Idle, reason: Fatal error

The route reflector is a Zebra / Quagga... Maybe there is a problem somewhere?

/Xavier
OpenBGPd route reflector client ?
Hello,

Stupid question indeed, but I see we can set a route reflector server in bgpd.conf, but there is no hint on how to set a route reflector client in it.

Any hints?

/Xavier
OpenBGPd... Feature request...
Hi,

I'd like to add dampening support to OpenBGPd... I know this is bad... and ugly, but when there is too much up/down of a full transit that makes all routers go to 100% CPU and lose traffic, we really have to avoid that.

Is there any plan to add it?

Thanks,
/xavier
Re: OpenBGPD : Lost child: route decision engine exited
This bug seems to still exist on 3.9-current:

Mar 12 17:46:20 core-vel-1 last message repeated 3 times
Mar 12 17:46:20 core-vel-1 bgpd[10577]: nexthop_update: non-existent nexthop
Mar 12 17:46:20 core-vel-1 bgpd[25242]: nexthop 85.31.106.1 now valid: via 193.43.214.1
Mar 12 17:46:20 core-vel-1 bgpd[25242]: nexthop 85.31.106.1 now valid: via 193.43.214.1
Mar 12 17:46:20 core-vel-1 bgpd[25242]: Lost child: route decision engine terminated; signal 6
Mar 12 17:46:20 core-vel-1 bgpd[12319]: fatal in SE: session_dispatch_imsg: pipe closed: Operation now in progress
Mar 12 17:46:26 core-vel-1 bgpd[25242]: kernel routing table decoupled
Mar 12 17:46:26 core-vel-1 bgpd[25242]: Terminating

OpenBSD core-vel-1.kazar.net 3.9 GENERIC.MP#598 i386

Please can this be investigated? OpenBSD 3.8 doesn't have this nasty bug

/Xavier

Henning Brauer wrote:
> that smells like a bad bug. I'll look into that asap.
>
> * Xavier Beaudouin [EMAIL PROTECTED] [2006-02-14 11:26]:
>> Hi there,
>>
>> I have, with the two last snapshots (9/02 and 12/02), bgpd exiting very frequently with these error messages:
>>
>> Feb 14 06:36:17 core-vel-1 bgpd[9573]: nexthop 85.xxx.xxx.1 now valid: via 193.xx.xxx.1
>> Feb 14 06:36:17 core-vel-1 bgpd[20604]: fatal in RDE: nexthop_cmp: unknown af
>> Feb 14 06:36:17 core-vel-1 bgpd[9573]: Lost child: route decision engine exited
>> Feb 14 06:36:17 core-vel-1 bgpd[9831]: fatal in SE: session_dispatch_imsg: pipe closed: Operation now in progress
>> Feb 14 06:36:19 core-vel-1 bgpd[9573]: kernel routing table decoupled
>> Feb 14 06:36:19 core-vel-1 bgpd[9573]: Terminating
>>
>> This is really nasty because I lost the full mesh at *exactly* the same time on two routers. Previous snapshots didn't have this kind of behaviour...
>>
>> Is there any way to add into bgpd a sanity check to restart the RDE when it kills itself?
>>
>> /Xavier
OpenBGPd BUG in 3.9-beta 12/02/2006
Hi there,

It seems I get a bug with openbgpd in the 3.9-beta snapshot of 12/02/2006.

I have some configuration like this:

group transit {
	remote-as x
	local-address xx.xx.xx.3
	neighbor xx.xx.xx.1 {
		descr transit-1
		announce self
		set localpref 220
	}
	neighbor xx.xx.xx.2 {
		descr transit-2
		announce self
		set localpref 220
	}
}

group remote-cores {
	remote-as myas
	local-address zzz.zzz.zzz.1
	neighbor zzz.zzz.zzz.3 {
		descr core-2
		announce all
		set localpref 210
	}
	neighbor zzz.zzz.zzz.2 {
		descr core-1
		announce all
		set localpref 210
	}
}

group IX-1 {
	local-address aaa.aaa.aaa.50
	announce self
	set localpref 490
	neighbor aaa.aaa.aaa.1 {
		remote-as 1
	}
}

group IX-2 {
	local-address bbb.bbb.bbb.10
	announce self
	set localpref 500
	neighbor bbb.bbb.bbb.2 {
		remote-as 2
	}
}

Now the bug triggers when I add a new peer in the IX-1 or IX-2 group and do a bgpctl reload. Upon this reload *all* the peers get their localpref changed from 500 or 490 (depending on the group) to 100... and the fib is modified... :/

I have to manually clear each session to get the correct localpref on each peer... This is IMHO not good...

/Xavier
OpenBGPd and TTL Security Check (RFC 3682)
Hi there,

Is TTL Security Check (RFC 3682) implemented, or will it be, in OpenBGPd? Or if it will not be, is there any good reason (tm)(r) not to use it? :)

Thanks,
/Xavier
Re: OpenBGPd and TTL Security Check (RFC 3682)
On 16 Jan 06 at 12:32, Claudio Jeker wrote:
> On Mon, Jan 16, 2006 at 11:30:44AM +0100, Xavier Beaudouin wrote:
> > Hi there,
> >
> > Is TTL Security Check (RFC 3682) implemented, or will it be, in OpenBGPd? Or if it will not be, is there any good reason (tm)(r) not to use it? :)
>
> Why don't you use IPSec? Or as second best solution TCP MD5? Both are supported by OpenBGPD and give you more protection than playing around with the IP TTL.

Hum... some people rather like such options. I rather like using TCP MD5 or IPSec...

/Xavier
Re: OpenBGPd filters
Hello Sylvain,

> > I just tried a filter like this:
> >
> > match from any AS 29166 set nexthop blackhole
> >
> > and that did work:
>
> Yes. I have run more tests since my previous post, and the filter applies the blackhole tag to the route. But packets were still forwarded. After having stopped the session and restarted it, they were then dropped.
>
> BTW, all tag (localpref, etc.) manipulations require clearing the session and even restarting bgpd itself. Could this be included in the doc so one wouldn't have to search for hours on some settings change?

Yes, they need the session up/down to be applied. I think the version in -current now handles that with a simple reload.

/Xavier

> Thanks for your reply.
>
> --
> Sylvain COUTANT
> ADVISEO
> http://www.adviseo.fr/
> http://www.open-sp.fr/
Re: Telnet daemon retired in 3.8 ?
Shawn K. Quinn wrote:
> On Mon, 2005-11-07 at 17:28 -0600, Matthew S Elmore wrote:
> > I understand the advantages of ssh over telnet, but telnet is still heavily used in many environments.
>
> Telnet is a horribly insecure protocol subject to at least two attacks by third parties with access to any part of the network between the two hosts. Thus, telnetd is gone for a damn good reason, that being that it's a turd that has no place in a secure by default OS.

Maybe someone can make a port for insecure identification for secured systems with telnetd. Personally I haven't used telnetd for ages, especially on systems that are security based... The same goes for rexecd / rshd :p

/Xavier
Re: Telnet daemon retired in 3.8 ?
> Xavier Beaudouin wrote:
> > ...
> > Personally I haven't used telnetd for ages, especially on systems that are security based...
>
> there's a point. You use OpenBSD for security. Then you do horribly insecure things to access it. huh?

I haven't used telnetd for ages. I don't bother about the removal of telnetd in 3.8... It is just to help the people that complain about the fact telnetd was removed: a simple port of telnetd may help those people that use legacy methods to connect.

/Xavier
--
If you keep on trying, you end up getting there. So the more it fails, the better the chance it works... (Shadok proverb)
Memory leak in openbgpd ?
Hi there...

It seems I have found some memory leak inside bgpd... When I set route-collector no in bgpd.conf my bgpd processes seem to grow and grow (I had some processes grow to more than 1G of total memory) when running for several days. But when I just comment it out:

#route-collector no

the bgpd system works correctly without any problems... I have tested that on a production system with 2 full views and 2 ibgp views... If you need some more information and examples please drop me an email.

(Note this bug has been seen on 3.7 Release on sparc64 and on 3.8 beta on x86... I think it is on 3.8 release also but I haven't tested yet.)

/xavier
vlan0: initialized with non-standard mtu 1496 (parent fxp1)
Hello,

I have just installed OpenBSD 3.7 as main router (upgrading from 3.6 to 3.7). On OpenBSD 3.6 the following interfaces didn't bother me, but on 3.7 it seems that the fxp driver doesn't allow me anymore to make VLANs on fxp1 to fxp2. Here is an extract of dmesg (GENERIC.MP / i386 kernel):

fxp0 at pci0 dev 12 function 0 Intel 82557 rev 0x08, i82559: irq 5, address 00:02:b3:23:86:2a
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
fxp1 at pci0 dev 13 function 0 Intel 82557 rev 0x08, i82559: irq 5, address 00:02:b3:23:86:2b
inphy1 at fxp1 phy 1: i82555 10/100 PHY, rev. 4
ppb0 at pci0 dev 14 function 0 DEC 21154 PCI-PCI rev 0x05
pci1 at ppb0 bus 1
fxp2 at pci1 dev 0 function 0 Intel 82557 rev 0x05, i82558: irq 7, address 00:e0:b6:01:ce:59
inphy2 at fxp2 phy 1: i82555 10/100 PHY, rev. 0
fxp3 at pci1 dev 1 function 0 Intel 82557 rev 0x05, i82558: irq 5, address 00:e0:b6:01:ce:58
inphy3 at fxp3 phy 1: i82555 10/100 PHY, rev. 0
fxp4 at pci1 dev 2 function 0 Intel 82557 rev 0x05, i82558: irq 11, address 00:e0:b6:01:ce:57
inphy4 at fxp4 phy 1: i82555 10/100 PHY, rev. 0
fxp5 at pci1 dev 3 function 0 Intel 82557 rev 0x05, i82558: irq 10, address 00:e0:b6:01:ce:56
inphy5 at fxp5 phy 1: i82555 10/100 PHY, rev. 0
vlan0: initialized with non-standard mtu 1496 (parent fxp1)
vlan2: initialized with non-standard mtu 1496 (parent fxp2)
vlan3: initialized with non-standard mtu 1496 (parent fxp2)
vlan4: initialized with non-standard mtu 1496 (parent fxp1)
vlan5: initialized with non-standard mtu 1496 (parent fxp2)
vlan6: initialized with non-standard mtu 1496 (parent fxp2)
vlan7: initialized with non-standard mtu 1496 (parent fxp2)
vlan8: initialized with non-standard mtu 1496 (parent fxp2)

Can you give me a hint about that?

Thanks,
/Xavier
--
If you keep on trying, you end up getting there. So the more it fails, the better the chance it works... (Shadok proverb)
Carp / VLAN and net.inet.carp.preempt=1
Hello there,

I have 2 OpenBSD boxes (which also run openbgpd, but this is not the aim of this mail). The question is: are there any problems in doing

sysctl net.inet.carp.preempt=1

and

ifconfig em0 up
ifconfig vlan0 vlan 11 vlandev em0
ifconfig carp0 inet 10.0.0.1 netmask 255.255.255.0 vhid 1 carpdev vlan0

on each router / carp border machine to have full redundancy?

Thanks :)
/Xavier
--
If you keep on trying, you end up getting there. So the more it fails, the better the chance it works... (Shadok proverb)
Transit with OpenBGPd... How to allow only one or two AS to a neighbor?
Hello,

I'd like to find a good working solution for sending AS announcements to our peering / transit neighbor. In fact in the bgpd.conf man page we have:

neighbor $peer1 {
	remote-as 65001
	announce foo
}

with foo: announce (all|none|self|default-route)

The problem is that I need to announce, for example, a pair of AS numbers... How can I do that with openbgpd?

Thanks!
/Xavier
--
If you keep on trying, you end up getting there. So the more it fails, the better the chance it works... (Shadok proverb)
Re: Transit with OpenBGPd... How to allow only one or two AS to a neighbor?
[...]
> The announce keyword is mostly for simple setups. For transit providers announce should be set to all and real bgp filtering should be used. The idea of announce is that small multihomed setups with e.g. two uplinks just work in a safe manner (defaulting to self and so not the full table is reexported).

Thanks Claudio,

But can you provide me a more detailed example? Because I have some difficulties making a filter for such a setup...

/Xavier
--
If you keep on trying, you end up getting there. So the more it fails, the better the chance it works... (Shadok proverb)
Re: OpenBGPd and /24 announces... that still lose their netmasks.
> --- Quoting Xavier Beaudouin on 2005/09/04 at 22:37 +0200:
> > rbgp2#sh ip bgp
> > BGP table version is 19, local router ID is 192.168.0.31
> > Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
> >               r RIB-failure, S Stale
> > Origin codes: i - IGP, e - EGP, ? - incomplete
> >
> >    Network          Next Hop            Metric LocPrf Weight Path
> > *> 19.218.104.0/23  192.168.0.241            0             0 65336 i
> > r> 192.168.0.0      192.168.0.241            0             0 65336 i
> > *> 193.218.105.0    192.168.0.241            0             0 65336 i
> >
> > As you see the netmask for the /24 networks has gone between cisco and openbgpd.
>
> IOS won't show classful masks. 192.168.0.0 is a legacy Class C block being advertised with a classful 255.255.255.0 mask so IOS drops the mask. Same applies to 193.218.105.0. There's nothing broken here.

Thanks Joel. I was wrong and you are 100% right... Adding a second openbgp behind the cisco shows me the /24 correctly... Bloody IOS.

Thanks anyway :)
/Xavier
OpenBGPd and /24 announces... that still lose their netmasks.
Hello,

After looking everywhere I still have problems between OpenBGPD and non-OpenBGPD systems when announcing /24s. Here is the lab test:

Cisco 7206 NPE 200 with c7200-ik91s-mz.122-25.S5.bin IOS. Configuration (very simple, not the total production configuration):

Current configuration : 1153 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname rbgp2
!
boot-start-marker
boot system flash c7200-ik91s-mz.122-25.S5.bin
boot-end-marker
!
ip subnet-zero
!
interface FastEthernet0/0
 ip address 192.168.0.31 255.255.255.0
 duplex half
 no clns route-cache
!
router bgp 65334
 no synchronization
 bgp log-neighbor-changes
 neighbor 192.168.0.241 remote-as 65336
 neighbor 192.168.0.241 description openbsd
 no auto-summary
!
ip default-gateway 192.168.0.254
ip classless
!
no ip http server
!
ip bgp-community new-format
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
!
!
end

OpenBGPd (3.6, 3.7 or 3.8 / snapshot) configuration (fresh install, only bgpd.conf modified, and bgpd started by hand):
# global configuration
AS 65336
router-id 192.168.0.241
holdtime 180
holdtime min 3
listen on 127.0.0.1
listen on ::1
listen on 192.168.0.241
fib-update no
# route-collector no
log updates

network 193.218.105.1/24
network 19.218.105.0/23
network 192.168.0.0/24

neighbor 192.168.0.31 {
	remote-as 65334
	descr cisco
	local-address 192.168.0.241
	announce all
}

# filter out prefixes longer than 24 or shorter than 8 bits
#deny from any
#allow from any prefixlen 8 - 24

# do not accept a default route
deny from any prefix 0.0.0.0/0

# filter bogus networks
#deny from any prefix 10.0.0.0/8 prefixlen >= 8
#deny from any prefix 172.16.0.0/12 prefixlen >= 12
#deny from any prefix 192.168.0.0/16 prefixlen >= 16
deny from any prefix 169.254.0.0/16 prefixlen >= 16
deny from any prefix 192.0.2.0/24 prefixlen >= 24
deny from any prefix 224.0.0.0/4 prefixlen >= 4
deny from any prefix 240.0.0.0/4 prefixlen >= 4

Now as you see the configuration is *very* simple. But why do I get this?

OpenBSD box:

openbsd# bgpctl sh ip bgp
flags: * = Valid, > = Selected, I = via IBGP, A = Announced
origin: i = IGP, e = EGP, ? = Incomplete

flags destination       gateway          lpref   med aspath origin
AI*>  19.218.104.0/23   0.0.0.0            100     0 i
AI*>  192.168.0.0/24    0.0.0.0            100     0 i
AI*>  193.218.105.0/24  0.0.0.0            100     0 i

Cisco 7206:

rbgp2#sh ip bgp
BGP table version is 19, local router ID is 192.168.0.31
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 19.218.104.0/23  192.168.0.241            0             0 65336 i
r> 192.168.0.0      192.168.0.241            0             0 65336 i
*> 193.218.105.0    192.168.0.241            0             0 65336 i

As you see the netmask for the /24 networks has gone between cisco and openbgpd. Now the question is: how do I fix that? (Don't tell me to trash my cisco, because this is reproducible *also* on Foundry Networks boxes, and maybe on other systems.) Why is the /23 correctly announced, but not all the /24s?

Thanks for your attention.

/Xavier
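Joel's explanation in the reply above (IOS hides the mask when it equals the classful default) can be turned into an operator check. The following is an added example, not code from the thread: it expands an IOS "Network" column entry back to a prefix under that classful rule and compares the result with what bgpctl announced, so a genuinely lost mask can be told apart from a cosmetically hidden one. The prefixes are the ones from the thread's bgpctl and IOS output.

```python
import ipaddress

# Prefixes as bgpctl showed them on the OpenBSD box in the thread, and the
# 'Network' column the Cisco printed for the same three routes.
BGPD_ANNOUNCED = ["19.218.104.0/23", "192.168.0.0/24", "193.218.105.0/24"]
CISCO_NETWORK_COLUMN = ["19.218.104.0/23", "192.168.0.0", "193.218.105.0"]


def classful_prefixlen(addr):
    """Pre-CIDR default mask length for an IPv4 address: A=/8, B=/16, C=/24."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError(f"{addr}: class D/E address has no classful mask")


def ios_display(prefix):
    """Render a prefix the way classic IOS 'show ip bgp' does: the mask is
    left out when it equals the classful default, otherwise printed as /len."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen == classful_prefixlen(net.network_address):
        return str(net.network_address)
    return str(net)


def reconstruct(field):
    """Inverse of ios_display: a bare address in the 'Network' column means
    'classful mask applies'; an address with /len is taken literally."""
    if "/" in field:
        return ipaddress.ip_network(field, strict=False)
    addr = ipaddress.ip_address(field)
    return ipaddress.ip_network(f"{addr}/{classful_prefixlen(addr)}", strict=False)


def mismatches(announced, ios_fields):
    """Announced prefixes the neighbour does not carry with the same mask once
    the IOS shorthand is undone; anything returned here is a real problem."""
    seen = {reconstruct(f) for f in ios_fields}
    ours = (ipaddress.ip_network(a, strict=False) for a in announced)
    return sorted(str(p) for p in ours if p not in seen)


if __name__ == "__main__":
    for p in BGPD_ANNOUNCED:
        print(f"{p:18} shown by IOS as {ios_display(p)}")
    print("real mismatches:", mismatches(BGPD_ANNOUNCED, CISCO_NETWORK_COLUMN))
```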
Re: bgpd bug with announcing /24 networks.
Hi Claudio,

> It looks like the output is not from the same box. bgpctl will always include a netmask but other tools try to be smart and leave them away if it is obvious. So please try to find out what kind of netmask the other bgp router added to his fib.

Btw on my box this seems to be ok. But the peer router (Foundry...) seems not to have the right netmask...

> Btw it works for me:
>
> bgpctl network add 10.218.105.0/24
> request sent.

I will try that.

bgpctl show rib 10/8 all
flags: * = Valid, > = Selected, I = via IBGP, A = Announced
origin: i = IGP, e = EGP, ? = Incomplete

flags destination       gateway          lpref   med aspath origin
...
*>    10.218.105.0/24   194.42.48.2        100     0 65001 i

The rib seems to be ok... since I get the right values... :/

I keep investigating that...

/Xavier
Carp: looking for tool to make failover system.
Hello there,

Before I reinvent the wheel, I am looking to see if someone has done some kind of software that can monitor a carp interface and execute a script that does some basic things.

The idea is to make 2 mysql servers and start the backup one only if the carp status moves from BACKUP state to MASTER. Since I use a SAN, some checks have to be done (a quick fsck to see if the filesystem is clean, remounting it from read-only to read/write, mail to the administrators to tell 'em the mysql server has moved from master to slave).

Is there anybody here that has done some tool like this (a daemon is possible...)?

Thanks,
/xavier
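A sketch of the monitor asked for above, as an added example (not a tool from the thread or from OpenBSD): it parses the CARP state out of ifconfig output and runs the promotion steps once, in order, on a BACKUP to MASTER transition, stopping at the first step that fails so mysql is never started on a dirty or read-only volume. The ifconfig text is constructed and the "carp: STATE carpdev ..." layout is an assumption; the fsck, remount, mysql and mail steps are stand-ins that only record what they would do.

```python
import re

# Constructed 'ifconfig carp0' output in the layout this example assumes
# ('carp: STATE carpdev ... vhid ...'); adjust CARP_STATE_RE if yours differs.
IFCONFIG_BACKUP = (
    "carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500\n"
    "\tcarp: BACKUP carpdev vlan0 vhid 1 advbase 1 advskew 0\n"
    "\tinet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255\n"
)
IFCONFIG_MASTER = IFCONFIG_BACKUP.replace("carp: BACKUP", "carp: MASTER")
CARP_STATE_RE = re.compile(r"carp: (?P<state>MASTER|BACKUP|INIT)\b")


def carp_state(ifconfig_output):
    """Extract the CARP state from ifconfig output; raise if there is none."""
    m = CARP_STATE_RE.search(ifconfig_output)
    if m is None:
        raise ValueError("no carp state found in ifconfig output")
    return m.group("state")


class CarpWatcher:
    """Edge-triggered monitor: the promote steps run once, in order, when the
    state changes to MASTER, and stop at the first step that reports failure."""

    def __init__(self, promote_steps, on_demote=None):
        self.promote_steps = promote_steps  # list of (name, callable -> bool)
        self.on_demote = on_demote
        self.state = None

    def observe(self, ifconfig_output):
        """Feed one ifconfig sample; return the (step, ok) pairs executed."""
        new = carp_state(ifconfig_output)
        old, self.state = self.state, new
        if old is None or old == new:
            return []  # first sample only records the state; no change, no action
        done = []
        if new == "MASTER":
            for name, step in self.promote_steps:
                ok = step()
                done.append((name, ok))
                if not ok:
                    break  # e.g. fsck found a dirty filesystem: stop here
        elif old == "MASTER" and self.on_demote is not None:
            self.on_demote()
            done.append(("demote", True))
        return done


def make_demo_watcher(fsck_ok=True):
    """Watcher whose steps only log their name (stand-ins for fsck, mount -u,
    mysql start and the admin mail); returns (watcher, action log)."""
    actions = []

    def step(name, ok=True):
        def run():
            actions.append(name)
            return ok
        return name, run
    steps = [step("fsck", fsck_ok), step("remount_rw"), step("start_mysql"), step("notify")]
    return CarpWatcher(steps, on_demote=lambda: actions.append("stop_mysql")), actions


if __name__ == "__main__":
    watcher, log = make_demo_watcher()
    for sample in (IFCONFIG_BACKUP, IFCONFIG_BACKUP, IFCONFIG_MASTER, IFCONFIG_BACKUP):
        print(carp_state(sample), watcher.observe(sample))
    print("actions:", log)
```

In a real daemon the samples would come from running ifconfig on the carp interface at a fixed interval and the steps would call fsck, mount, the mysql rc script and sendmail.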
Re: OpenBGPD: filter bogus AS...
On 17 Jul 05 at 14:14, Claudio Jeker wrote:
> On Sat, Jul 16, 2005 at 08:23:17PM +0200, Henning Brauer wrote:
> > * Xavier Beaudouin [EMAIL PROTECTED] [2005-07-16 20:04]:
> > > I wish to add a filter to avoid bogus AS that should be reserved for private networks being accepted by my router. The problem is that:
> > >
> > > # filter bogus AS
> > > allow from any AS { 64512, 65534 } set nexthop blackhole
> > >
> > > doesn't allow ranges... Is there any better way to handle such a setup?
> >
> > no, but adding ranges might be a good idea...
>
> Btw. you don't want to do that because there are some valid networks that have reserved AS numbers in their path.

Hum...

> # bgpctl show rib | grep 65[0-9][0-9][0-9] | awk '{print $2}'

Strange, I have more subnets than you:

> I don't know why you want to filter them out. Unless you are using these AS yourself internally -- in that case you should probably block the specific AS.

This is already done on myself :)

> IMO having AS number ranges does not make that much sense -- there is almost no policy on AS number allocation.

Very strange. I got mine from ripe.net and they were very picky about that... :p

But it is sure that this is maybe not needed for security purposes :)

/Xavier
OpenBGPD: filter bogus AS...
Hi there,

I wish to add a filter to avoid bogus AS that should be reserved for private networks being accepted by my router. The problem is that:

# filter bogus AS
allow from any AS { 64512, 65534 } set nexthop blackhole

doesn't allow ranges... Is there any better way to handle such a setup? (Do I need to add all AS ranges by hand?)

PS: I run openbgpd on OpenBSD 3.6 plus current patches...

Sincerely,
/Xavier
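Since bgpd's AS filter did not take ranges at the time, an audit of the RIB for private-use ASNs is the practical first step, and Claudio's point in the reply (some of those ASNs are legitimately yours) has to be built in. The following added example, not code from the thread, parses constructed `bgpctl show rib` lines, reports routes whose AS path carries a private ASN outside an operator-supplied allow set, and shows why the thread's `grep 65[0-9][0-9][0-9]` under-counts. The prefixes are documentation ranges and 64496/64497 are documentation ASNs standing in for public ones.

```python
import re

# RFC 1930 reserves 64512-65534 for private use; 65535 is reserved, not private.
PRIVATE_ASN = range(64512, 65535)

# Constructed sample in 'bgpctl show rib' layout. Prefixes are documentation
# ranges, 64496/64497 are documentation ASNs standing in for public ones, and
# 65001 plays the role of a private ASN the operator uses internally.
SAMPLE_RIB = """\
flags: * = Valid, > = Selected, I = via IBGP, A = Announced
origin: i = IGP, e = EGP, ? = Incomplete

flags destination       gateway          lpref   med aspath origin
*>    192.0.2.0/24      194.42.48.2        100     0 64496 65012 i
*>    198.51.100.0/24   194.42.48.2        100     0 64497 64600 i
*>    203.0.113.0/24    194.42.48.2        100     0 64496 i
*>    10.218.105.0/24   194.42.48.2        100     0 65001 i
"""

# One route line: flags, prefix, gateway, lpref, med, AS path (possibly empty
# or containing AS sets in braces), origin code.
ROUTE_RE = re.compile(
    r"^(?P<flags>\S+)\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<gw>\S+)\s+"
    r"(?P<lpref>\d+)\s+(?P<med>\d+)\s+(?P<aspath>[\d\s{}]*?)\s*(?P<origin>[ie?])$"
)


def parse_rib(text):
    """Yield (prefix, [asn, ...]) per route line; header lines are skipped."""
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            yield m.group("prefix"), [int(a) for a in re.findall(r"\d+", m.group("aspath"))]


def private_as_routes(text, own_asns=frozenset()):
    """Map prefix -> private ASNs found in its path, skipping ASNs in own_asns
    (the 'unless you are using these AS yourself' case from the thread)."""
    hits = {}
    for prefix, path in parse_rib(text):
        bad = [a for a in path if a in PRIVATE_ASN and a not in own_asns]
        if bad:
            hits[prefix] = bad
    return hits


def naive_grep_hits(text):
    """What the thread's 'grep 65[0-9][0-9][0-9]' selects: it covers 65000-65999
    only, so private ASNs 64512-64999 (64600 in the sample) slip through."""
    pattern = re.compile(r"65[0-9][0-9][0-9]")
    return [m.group("prefix") for m in map(ROUTE_RE.match, text.splitlines())
            if m and pattern.search(m.string)]


if __name__ == "__main__":
    print("private ASNs in path:", private_as_routes(SAMPLE_RIB, own_asns={65001}))
    print("naive grep would report:", naive_grep_hits(SAMPLE_RIB))
```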
Re: Sun Netra T1 105
> > 64bit 360mhz CPU (IIi)
> > 128mb RAM
> > 1 x 18gb 10krpm
> > 2 x integrated NIC
> > 1x PCI (which I intend to put a dual port compaq/intel NIC in)
>
> I have a T1 105, I don't know if it's a problem with my particular machine or a more general one, but I've tried to use hifn and em in the PCI slot - cards get detected OK, but don't actually work - I don't know whether or not it's a hardware problem so haven't looked into it much (especially as I don't actually need them). Might work for you, but I'm not sure I'd buy one if you're counting on this unless you can test it first (you can fairly easily set up a portable computer to allow you to netboot an OpenBSD bsd.rd if you want to try this out).

I had exactly the same problem on two Netra T1 105 (with 440Mhz CPU and 512M RAM) but with network cards. I have tried a qfe pci (with 4 hme chips), double fxp cards and single fxp ones. All are correctly detected, but when trying to send a packet through any NIC, packets don't reach the network. It seems that the PCI port on such machines is more or less buggy...

/Xavier
Re: Sun Netra T1 105
On 2 Jun 05 at 18:09, mdff wrote:
> 2 Xavier Beaudouin:
> > I have tried a qfe pci (with 4 hme chips), double fxp cards and single fxp ones. All are correctly detected, but when trying to send a packet through any NIC, packets don't reach the network. It seems that the PCI port on such machines is more or less buggy...
>
> maybe it's not the machine hw but openbsd? i ran 36 sun-servers of this class with qfe-nic's and they worked very well. network redundancy and failover was also working perfectly. redundant servers taking over sessions, double wired VLANs etc...) under solaris8.

Works well with Linux and FreeBSD as well as with Solaris... This is definitively a bug in OpenBSD (known, it seems).

> did you upgrade your firmware(s)? this sometimes helped me with sun-servers (just talking 'bout solaris, never had obsd on them)

No. But I don't think this will solve this... anyway I have stopped using the T1, because I need a gigabit ethernet card... and since the pci port was unusable :p

> /off the records/ anyway... i wonder, why one wants to run obsd on a machine, if there is an os written for this type of hw... if i had to choose between any other os and solaris on a sun-sparc, i always would run solaris... makes sense, doesn't it?

Because we need an OS that is designed for making the things we like and that is secure...

/Xavier
Re: how to ifconfig another ip address in a network device
You can try man ifconfig and look for the alias section. OpenBSD is not Linux for such commands.

On 26 May 05 at 00:09, wang fei wrote:
> i tried ifconfig xxx:1 inet xxx.xxx.xxx.xxx which worked on linux, but it doesn't work.