Re: IKEv2: CHILD_SA is not created
Hi!

Not only Cisco ASA. Checkpoint, Fortinet and Juniper only support a single set of subnets per CHILD_SA too.

https://wiki.strongswan.org/projects/strongswan/wiki/Checkpoint
https://wiki.strongswan.org/projects/strongswan/wiki/Fortinet
https://wiki.strongswan.org/projects/strongswan/wiki/Juniper
https://wiki.strongswan.org/projects/strongswan/wiki/CiscoInteroperability

Unfortunately the workaround does not always work. iked establishes multiple IKE SAs to the same peer if a separate connection is set up per subnet. For example, strongSwan drops multiple IKE SAs from the same peer if uniqueids=yes (the default setup): "Uniqueness of an IKE_SA, used to drop multiple connections with one peer." Of course, for strongSwan this is not a problem because it handles multiple SAs per CHILD SA, but for other implementations this can be a problem.

Денис Давыдов wrote (on Fri, 21 May 2021, 10:02):

> It turns out that the Cisco ASA has a bug CSCue42170 with open status that
> prevents multiple traffic selectors from being supported in one child SA in
> IKEv2.
>
> For more information:
>
> https://bst.cloudapps.cisco.com/bugsearch/bug/CSCue42170/?reffering_site=dumpcr
>
> Known affected releases: 8.6(1), 9.1(7.13), 9.4(3.6)
>
> On Wed, May 12, 2021 at 7:44 PM Денис Давыдов wrote:
>
> > Finally solved! Tried TS one after another. To put it mildly, I'm
> > surprised. It turns out that the equipment on the remote side is configured
> > in such a way that for each TS I had to set up a separate connection. This
> > configuration is working fine now:
> >
> > ikev2 crypto-primary active esp \
> >     from 10.21.139.8/30 to 2.2.2.2 \
> >     peer 7.7.7.7 \
> >     ikesa auth hmac-sha2-256 enc aes-256 prf hmac-sha2-256 group modp2048 \
> >     childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
> >     ikelifetime 86400 lifetime 28800 \
> >     psk "*"
> >
> > ikev2 crypto-primary active esp \
> >     from 10.21.139.8/30 to 3.3.3.3 \
> >     peer 7.7.7.7 \
> >     ikesa auth hmac-sha2-256 enc aes-256 prf hmac-sha2-256 group modp2048 \
> >     childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
> >     ikelifetime 86400 lifetime 28800 \
> >     psk "*"
> >
> > Tobias, thanks for your time and attention to my problem.
> >
> > On Wed, May 12, 2021 at 3:36 PM Денис Давыдов wrote:
> >
> >> Tobias,
> >>
> >> I replaced the OpenBSD with the same configuration:
> >> -> % uname -r -p
> >> 6.9 amd64
> >>
> >> Now, with this configuration:
> >>
> >> ikev2 crypto-primary active esp \
> >>     from any to any \
> >>     peer 7.7.7.7 \
> >>     ikesa auth hmac-sha2-256 enc aes-256 prf hmac-sha2-256 group modp2048 \
> >>     childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
> >>     ikelifetime 86400 lifetime 28800 \
> >>     psk "*"
> >>
> >> I got NO_PROPOSAL_CHOSEN: https://pastebin.com/Puhx41DZ
> >>
> >> And with the original configuration, which was agreed with the provider:
> >>
> >> ikev2 crypto-primary active esp \
> >>     from 10.21.139.8/30 to 2.2.2.2 \
> >>     from 10.21.139.8/30 to 3.3.3.3 \
> >>     peer 7.7.7.7 \
> >>     ikesa auth hmac-sha2-256 enc aes-256 prf hmac-sha2-256 group modp2048 \
> >>     childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
> >>     ikelifetime 86400 lifetime 28800 \
> >>     psk "*"
> >>
> >> I still got TS_UNACCEPTABLE: https://pastebin.com/nw0usUJi
> >>
> >> I don't know where to dig anymore. The remote side is not responding yet.
> >> I contacted another provider who shared their configuration from the same
> >> Cisco model ASA 5585 (IKEv2 works with that hardware without problems). The
> >> only difference is that they do not have these two options (although I am not
> >> an expert in Cisco IKEv2 configuration either):
> >>
> >> crypto map outside_map 2470 set connection-type answer-only
> >> crypto map outside_map 2470 set reverse-route
> >>
> >> I understand that everyone is already tired of this topic. I will be in
> >> close contact with this provider. If I can connect to their equipment, I'll
> >> write what the problem was. Most likely the problem is in their
> >> configuration, rather than a problem in iked itself. I am sorry for the
> >> time wasted.
> >>
> >> Oh! One more question: can iked work with the same TS but different peers
> >> at the same time? Am I correct in understanding that this is not possible?
> >> The remote side just offers the same settings for two public IP addresses
> >> from their side (they have two different crypto peers). So far, I have just
> >> commented out the configuration with the second peer.
> >>
> >>
> >> On Wed, May 12, 2021 at 12:33 PM Tobias Heider wrote:
> >>
> >>> On Wed, May 12, 2021 at 12:06:21PM +0300, Денис Давыдов wrote:
> >>> > I tried to specify an explicit parameter -T to disable NAT-Traversal
> >>> > auto-detection and use the `local' parameter. Also, according to your advice,
> >>> > I tried a configuration like
Re: 10Gbit network work only 1Gbit
Hi!

Latest snapshot works. Thx.

OpenBSD 6.9-beta (GENERIC.MP) #360: Thu Feb 25 11:53:45 MST 2021
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

ifconfig veb0
veb0: flags=8802 index 8 llprio 3
        groups: veb
        Addresses (max cache: 100, timeout: 240):

Hrvoje Popovski wrote (on Fri, 26 Feb 2021, 9:16):

> On 26.2.2021. 9:00, csszep wrote:
> > Hi!
> >
> > Am I missing something, or are the veb(4) ifconfig bits not yet committed?
> >
> > OpenBSD 6.9-beta (GENERIC.MP) #358: Wed Feb 24 17:11:53 MST 2021
> >     dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> >
> > ifconfig veb0 create
> > ifconfig: SIOCIFCREATE: Invalid argument
>
> is this the latest snapshot?
Re: 10Gbit network work only 1Gbit
Hi!

Am I missing something, or are the veb(4) ifconfig bits not yet committed?

OpenBSD 6.9-beta (GENERIC.MP) #358: Wed Feb 24 17:11:53 MST 2021
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

ifconfig veb0 create
ifconfig: SIOCIFCREATE: Invalid argument

Hrvoje Popovski wrote (on Fri, 26 Feb 2021, 8:43):

> On 12.11.2019. 10:54, Szél Gábor wrote:
> > Dear Hrvoje, Theo,
> >
> > Thank you for your answers!
> >
> > answers to the questions:
> > - who is the parent interface for carp? -> vlan (carp10 interface parent
> > vlan10 -> vlan10 interface parent -> trunk0)
> > - why don't the vlan interfaces have an IP address? -> it wasn't needed! I
> > think the vlan interface only needs to tag packets. The carp (over vlan) interface
> > has the IP address.
> > - vether implies that you have a bridge? -> yes, we have only one bridge
> > for bridged openvpn clients, but we will eliminate it.
> >
> > we will do the following:
> > - refresh our backup firewall to oBSD 6.6
> > - replace trunk interface with aggr
> > - remove bridge interface
> >
> > when the update is finished, I'll write again!
>
> Hi,
>
> if you still have bridge and you don't need spanning-tree, try veb
> instead. I'm getting 1.95Mpps over veb vs 500Kpps over bridge on 6 x
> E5-2643 v2 @ 3.50GHz, 3600.48 MHz.
>
> And of course .. big thanks to dlg@ who wrote it ..
Re: Virtualbox vs latest snapshot
Yes, with pure software virtualization. With hardware virtualization enabled (VT-x, AMD-V) it does not do it, and amd64 guests recommend hardware virtualization. Anyway, thanks for the answers; I just want to know whether I am the only one with the problem.

Thx
csszep

2018-04-10 12:58 GMT+02:00 Kevin Chadwick <m8il1i...@gmail.com>:

> On Tue, 10 Apr 2018 11:09:33 +0200
>
> > Hi!
> >
> > I have been using VirtualBox for years with OpenBSD guests without any serious
> > issue. But of course maybe it's a VirtualBox bug.
>
> OK, good luck but bear in mind that Virtualbox once thought it was a
> good idea to try to patch the running kernel.
>
> https://marc.info/?l=openbsd-misc=133210764423153=2
Re: Virtualbox vs latest snapshot
Hi!

I have been using VirtualBox for years with OpenBSD guests without any serious issue. But of course maybe it's a VirtualBox bug.

thx
csszep

2018-04-10 11:51 GMT+02:00 Kevin Chadwick <m8il1i...@gmail.com>:

> On Tue, 10 Apr 2018 10:50:27 +0200
>
> > Does anyone have a similar experience with VirtualBox 5.2.8?
>
> Hasn't Virtualbox always sucked? When I used Linux as one of my
> workstation desktops many moons ago, Vmware ran OpenBSD fast, nicely and
> easily.
>
> Any of KVM/Xen/Vmware/Hyper-V are more accurate emulators of hardware!
Virtualbox vs latest snapshot
Hi!

I installed the latest 04.10 snapshot; the install procedure went fine, but after reboot the VM is stuck in an endless boot loop. It prints only the "booting hda0:/bsd" line before rebooting. The 04.03 snapshot works fine.

Does anyone have a similar experience with VirtualBox 5.2.8?
Re: OSPF over gif on top of IPsec transport -current
Hi!

Will this fix be committed before the 6.3 release?

Thx
csszep

David Gwynne <d...@openbsd.org> wrote (on Tue, 13 Mar 2018, 23:41):

> > On 10 Mar 2018, at 08:01, Remi Locherer <remi.loche...@relo.ch> wrote:
> >
> > With the below diff the setup works as expected: tcpdump shows OSPF hellos
> > on gif0 and ospfd sees the neighbour.
> >
> > I don't think it's the correct fix though.
>
> functionally it is the correct fix.
>
> when i reworked gif(4) in src/sys/net/if_gif.c r1.108, i merged the ipv4
> and ipv6 input paths. the ipv6 input code had this check, but ipv4 did not.
> now it is applied to ipv4, but it is obviously wrong for both address
> families.
>
> please commit the removal of this check, ok by me.
>
> thank you to everyone for the bug report and debugging. i'm sorry for
> taking so long to figure this out.
>
> dlg
>
> >
> > Index: if_gif.c > > === > > RCS file: /cvs/src/sys/net/if_gif.c,v > > retrieving revision 1.112 > > diff -u -p -r1.112 if_gif.c > > --- if_gif.c 28 Feb 2018 23:28:05 - 1.112 > > +++ if_gif.c 9 Mar 2018 20:52:46 - > > @@ -745,8 +745,8 @@ gif_input(struct gif_tunnel *key, struct > > } > > > > /* XXX What if we run transport-mode IPsec to protect gif tunnel ? > */ > > - if (m->m_flags & (M_AUTH | M_CONF)) > > - return (-1); > > + //if (m->m_flags & (M_AUTH | M_CONF)) > > + // return (-1); > > > > key->t_rtableid = m->m_pkthdr.ph_rtableid; > >
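Review bot: the M_AUTH | M_CONF check in gif_input() is commented out with `//` rather than deleted; since the request is to commit the removal of the check, drop the two lines outright instead of leaving dead code behind C++-style comments, and remove or reword the preceding `/* XXX What if we run transport-mode IPsec to protect gif tunnel ? */`, which describes exactly the case the check rejected and becomes misleading once the check is gone. Note also what the removal means: gif_input() now accepts the inner packet whether or not the outer packet arrived through IPsec, so a requirement that gif traffic only be accepted when protected has to be enforced by the IPsec flows or pf, not by gif(4) itself.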
Re: OpenBSD as an IKEv2 IPsec client with L/P authent
Hi!

So the OpenBSD kernel catches UDP-encapsulated ESP packets by default:

netstat -s
esp:
        4288 input ESP packets
        0 output ESP packets
        0 packets from unsupported protocol families
        0 packets shorter than header shows
        0 packets dropped due to policy
        4281 packets for which no TDB was found

I disabled it, and strongSwan works!

openbsdvm1# sysctl net.inet.esp.enable=0
net.inet.esp.enable: 1 -> 0
openbsdvm1# sysctl net.inet.esp.udpencap=0
net.inet.esp.udpencap: 1 -> 0

Thx
Csszep

2018-02-23 10:29 GMT+01:00 csszep <css...@gmail.com>:

> Hi!
>
> I tried to compile strongSwan with the "kernel-libipsec" plugin for the same
> reason:
>
> https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec
>
> The *kernel-libipsec* plugin provides an IPsec backend that works
> entirely in userland, using TUN devices
>
> My experience is that there is some work to be done to make it usable, but my C fu
> isn't strong enough to finish it.
>
> I made a simple patch for the tun handling:
>
> --- src/libstrongswan/networking/tun_device.c.orig Fri Feb 23 > 10:10:34 2018 > +++ src/libstrongswan/networking/tun_device.c Fri Feb 23 10:43:38 2018 > @@ -62,6 +62,10 @@ > #include > #include > #include > +#elif __OpenBSD__ > +#include > +#include > +#include > #else > #include > #endif > @@ -338,6 +342,12 @@ > uint32_t proto = htonl(AF_INET); > packet = chunk_cata("cc", chunk_from_thing(proto), packet); > #endif > +#ifdef __OpenBSD__ > +/* OpenBSD tun expect the packets to be prepended by a 32-bit > protocol number > + * instead of parsing the packet again, we assume IPv4 for now */ > +uint32_t proto = htonl(AF_INET); > +packet = chunk_cata("cc", chunk_from_thing(proto), packet); > +#endif > s = write(this->tunfd, packet.ptr, packet.len); > if (s < 0) > {
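Review bot: the write-path hunk (@@ -338,6 +342,12 @@) hardcodes `uint32_t proto = htonl(AF_INET);` for OpenBSD, and the comment admits it ("we assume IPv4 for now"), so any IPv6 packet handed to the tun device is framed as AF_INET and the kernel will misparse it. Derive the family from the IP version nibble of `packet.ptr[0]` (4 -> AF_INET, 6 -> AF_INET6) before building the header, or at least reject non-IPv4 packets explicitly rather than silently misframing them. In the include hunk, `#elif __OpenBSD__` only works because the macro expands to 1; `#elif defined(__OpenBSD__)` is the idiomatic spelling and matches the `#ifdef __OpenBSD__` used further down.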
> @@ -374,6 +384,10 @@ > #ifdef __APPLE__ > /* UTUN's prepend packets with a 32-bit protocol number */ > data = chunk_skip(data, sizeof(uint32_t)); > +#endif > +#ifdef __OpenBSD__ > +/* OpenBSD tun prepend packets with a 32-bit protocol number */ > +data = chunk_skip(data, sizeof(uint32_t)); > #endif > *packet = chunk_clone(data); > return TRUE; > >
>
> I compiled strongSwan 5.6.2 with the following options:
>
> CC=clang ./configure --disable-kernel-netlink --enable-kernel-pfroute \
>     --enable-kernel-libipsec --disable-scripts --enable-eap-mschapv2 \
>     --enable-md4 --enable-eap-tls --enable-eap-ttls --enable-eap-peap \
>     --enable-eap-radius --enable-eap-identity --enable-aesni --enable-gcm
> make
> make install
>
> openbsdvm1# ipsec start
> Starting strongSwan 5.6.2 IPsec [starter]...
> no netkey IPsec stack detected
> no KLIPS IPsec stack detected
> no known IPsec stack detected, ignoring!
>
> I'm using an EAP-MSCHAPv2 client config with a virtual IP address request, and
> the IKE part is working out of the box:
>
> conn vpn.csszep.net
>         left=192.168.56.11
>         leftsourceip=%config
>         leftauth=eap
>         eap_identity=carol
>         right=vpn.csszep.net
>         rightauth=pubkey
>         #rightid=@vpn.csszep.net
>         rightid="C=HU O=Strongswan CN=vpn.csszep.net"
>         rightsubnet=192.0.2.0/24
>         auto=add
>
> openbsdvm1# ipsec up vpn.csszep.net
> initiating IKE_SA vpn.csszep.net[1] to 192.168.56.16
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> sending packet: from 192.168.56.11[500] to 192.168.56.16[500] (748 bytes)
> received packet: from 192.168.56.16[500] to 192.168.56.11[500] (38 bytes)
> parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
> peer didn't accept DH group CURVE_25519, it requested MODP_3072
> initiating IKE_SA vpn.csszep.net[1] to 192.168.56.16
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> sending packet: from 192.168.56.11[500] to 192.168.56.16[500] (1100 bytes)
> received packet: from 192.168.56.16[500] to 192.168.56.11[500] (592 bytes)
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
> faking NAT situation to enforce UDP encapsulation
> sending cert request for "C=HU O=Strongswan CN=Strongswan CA"
> establishing CHILD_SA vpn.csszep.net{1}
> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> sending packet: from 192.168.56.11[4500] to 192.
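Review bot: the read-path hunk (@@ -374,6 +384,10 @@) skips four bytes with chunk_skip() without looking at them, so the address family the kernel prepends is thrown away and libipsec has to guess the packet type from the payload, which is exactly the information the write path lacks. Read the value (ntohl) and use it to tag the packet as IPv4 or IPv6, dropping anything that is neither, and treat a result shorter than a minimal IP header as an error rather than cloning it into *packet.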
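The tun_device.c patch quoted above hardcodes AF_INET because OpenBSD tun(4) prefixes every packet read from or written to the device with a 4-byte address family in network byte order. The following is an added example, not code from the original post or from strongSwan, that frames and unframes packets with the family taken from the IP version nibble, so IPv6 works too, and validates the header on the way in. The sample packet headers are constructed for the example; the AF numbers (2 and 24) are OpenBSD's.

```python
"""OpenBSD tun(4) framing: every packet read from or written to the device is
preceded by a 4-byte address family in network byte order (htonl(AF_INET) in
the patch above).  Added example, not strongSwan code: derive the family from
the IP version nibble instead of assuming IPv4, and validate it on the way in."""
import struct
from typing import Tuple

# AF values from OpenBSD's <sys/socket.h>.  Spelled out rather than taken from
# Python's socket module because the header must use the kernel's numbering,
# and AF_INET6 differs between OSes (24 on OpenBSD, 10 on Linux, 30 on macOS).
OPENBSD_AF_INET = 2
OPENBSD_AF_INET6 = 24
_AF_HDR = struct.Struct("!I")  # 32-bit big-endian, like htonl()


def af_for_packet(packet: bytes) -> int:
    """Return the OpenBSD address family for an IP packet from its version nibble."""
    if not packet:
        raise ValueError("empty packet")
    version = packet[0] >> 4
    if version == 4:
        return OPENBSD_AF_INET
    if version == 6:
        return OPENBSD_AF_INET6
    raise ValueError("not an IPv4 or IPv6 packet (version nibble %d)" % version)


def tun_frame(packet: bytes) -> bytes:
    """Prepend the family header that a write() to tun(4) must carry."""
    return _AF_HDR.pack(af_for_packet(packet)) + packet


def tun_unframe(data: bytes) -> Tuple[int, bytes]:
    """Split a read() from tun(4) into (family, packet), rejecting inconsistent frames.

    The patch above only skips the four bytes; here the header is checked against
    the payload so a mislabelled packet is dropped instead of being misparsed."""
    if len(data) < _AF_HDR.size:
        raise ValueError("short read: no address family header")
    (af,) = _AF_HDR.unpack_from(data)
    packet = data[_AF_HDR.size:]
    if af not in (OPENBSD_AF_INET, OPENBSD_AF_INET6):
        raise ValueError("unknown address family %d" % af)
    if af != af_for_packet(packet):
        raise ValueError("address family header disagrees with IP version nibble")
    return af, packet


def frame_is_valid(data: bytes) -> bool:
    """True if tun_unframe() accepts the frame; the check a defensive reader makes."""
    try:
        tun_unframe(data)
    except ValueError:
        return False
    return True


# Constructed sample headers (not captured traffic): a minimal IPv4 header for
# 100.64.0.1 -> 192.0.2.1, ICMP, and a minimal IPv6 header with zeroed addresses.
IPV4_SAMPLE = bytes.fromhex("450000140001000040010000" "64400001c0000201")
IPV6_SAMPLE = bytes.fromhex("6000000000083a40") + bytes(32)

if __name__ == "__main__":
    for pkt in (IPV4_SAMPLE, IPV6_SAMPLE):
        framed = tun_frame(pkt)
        af, back = tun_unframe(framed)
        print("AF %2d, %d bytes framed, round trip ok: %s" % (af, len(framed), back == pkt))
    # What the patch's hardcoded AF_INET would produce for an IPv6 packet:
    print("IPv6 labelled AF_INET accepted:", frame_is_valid(b"\x00\x00\x00\x02" + IPV6_SAMPLE))
```

A real tun_device write() would call tun_frame() on the outbound packet and read() would pass its buffer to tun_unframe(); the same two functions apply to IPv4 and IPv6 because the family is read from the packet rather than assumed.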
Re: OpenBSD as an IKEv2 IPsec client with L/P authent
ni tun1
tcpdump: listening on tun1, link-type LOOP
11:18:23.270727 100.64.0.1 > 192.0.2.1: icmp: echo request (id:d966 seq:0) [icmp cksum ok] (ttl 255, id 53428, len 84)
11:18:24.279648 100.64.0.1 > 192.0.2.1: icmp: echo request (id:d966 seq:1) [icmp cksum ok] (ttl 255, id 4228, len 84)
11:18:25.270434 100.64.0.1 > 192.0.2.1: icmp: echo request (id:d966 seq:2) [icmp cksum ok] (ttl 255, id 46403, len 84)

openbsdvm1# /usr/local/libexec/ipsec/stroke loglevel any 4
openbsdvm1# tail -f /var/log/daemon | grep charon
Feb 23 11:25:57 openbsdvm1 charon: 05[ESP] ESP packet:
Feb 23 11:25:57 openbsdvm1 charon: 05[ESP]   SPI c4694ca1 [seq 384]
Feb 23 11:25:57 openbsdvm1 charon: 05[ESP]   IV => 16 bytes @ 0x0811d9ce4208
Feb 23 11:25:57 openbsdvm1 charon: 05[ESP]      0: D4 02 D1 2F CF BB A8 88 99 DD 4C 24 BE 64 6A 64  .../..L$.djd
Feb 23 11:25:57 openbsdvm1 charon: 05[ESP]   encrypted => 96 bytes @ 0x0811d9ce4218
Feb 23 11:25:57 openbsdvm1 charon: 05[ESP]      0: 05 78 18 91 2A E1 12 88 33 B3 2B 6C 94 E8 90 01  .x..*...3.+l
Feb 23 11:25:57 openbsdvm1 charon: 05[ESP]     16: EC 9B 0E 44 94 48 C2 D4 95 8C 0B 8D 0B 61 CA 4B  ...D.H...a.K
Feb 23 11:25:57 openbsdvm1 charon: 05[ESP]     32: BE 0E 16 09 6C EB C5 CC B9 01 E3 45 85 C1 D0 13  l..E
Feb 23 11:25:57 openbsdvm1 charon: 05[ESP]     48: 61 4C 5E AA F6 65 42 1B 0E 67 21 ED DB 96 03 87  aL^..eB..g!.
Feb 23 11:25:57 openbsdvm1 charon: 05[ESP]     64: 39 29 1A 0A 52 8E D8 EB 75 F8 D6 1C 83 00 29 0F  9)..R...u.).
Feb 23 11:25:57 openbsdvm1 charon: 05[ESP]     80: 93 06 49 05 34 F1 DF 08 2A 05 CB 39 48 70 3E D9  ..I.4...*..9Hp>.
Feb 23 11:25:57 openbsdvm1 charon: 05[ESP]   ICV => 16 bytes @ 0x0811d9ce4278
Feb 23 11:25:57 openbsdvm1 charon: 05[ESP]      0: 75 77 36 C9 3F 2D 35 6F 57 50 A2 58 1F FC 53 5A  uw6.?-5oWP.X..SZ
Feb 23 11:25:57 openbsdvm1 charon: 02[NET] sending packet: from 192.168.56.11[4500] to 192.168.56.16[4500]
Feb 23 11:25:58 openbsdvm1 charon: 05[ESP] ESP before encryption:
Feb 23 11:25:58 openbsdvm1 charon: 05[ESP]   payload = => 84 bytes @ 0x0810fd997380
Feb 23 11:25:58 openbsdvm1 charon: 05[ESP]      0: 45 00 00 54 CF B9 00 00 FF 01 C5 AC 64 40 00 01  E..Td@..
Feb 23 11:25:58 openbsdvm1 charon: 05[ESP]     16: C0 00 02 01 08 00 F1 6D 0A B2 01 7D 2A 4B 07 39  ...m...}*K.9
Feb 23 11:25:58 openbsdvm1 charon: 05[ESP]     32: E3 76 80 73 54 C7 CF D2 E5 F2 19 3A B3 28 07 F2  .v.sT..:.(..
Feb 23 11:25:58 openbsdvm1 charon: 05[ESP]     48: C0 DA 52 B5 18 19 1A 1B 1C 1D 1E 1F 20 21 22 23  ..R. !"#
Feb 23 11:25:58 openbsdvm1 charon: 05[ESP]     64: 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F 30 31 32 33  $%&'()*+,-./0123
Feb 23 11:25:58 openbsdvm1 charon: 05[ESP]     80: 34 35 36 37                                      4567
Feb 23 11:25:58 openbsdvm1 charon: 05[ESP]   padding = => 10 bytes @ 0x08113230b16c
Feb 23 11:25:58 openbsdvm1 charon: 05[ESP]      0: 01 02 03 04 05 06 07 08 09 0A                    ..
Feb 23 11:25:58 openbsdvm1 charon: 05[ESP]   padding length = 10, next header = 4

I'm here now.

Thx
csszep

2018-02-22 12:50 GMT+01:00 Stuart Henderson <s...@spacehopper.org>:

> On 2018/02/22 09:51, Joel Carnat wrote:
> > Hi,
> >
> > On 22/02/2018 09:35, Stuart Henderson wrote:
> > > On 2018-02-22, Igor V. Gubenko <i...@gubenko.com> wrote:
> > > > I am far from an expert; having issues myself at the moment, but maybe
> > > > if we get all of the iked experimenters together, we can figure it out
> > > > :)
> > >
> > > This definitely isn't going to work, iked only supports username/password
> > > authentication as a responder, not initiator.
> >
> > Is there any software that enables openbsd to be an ipsec initiator using
> > user/pass ?
>
> Not for IKEv2. OpenBSD iked as client supports psk but not EAP for
> user/password. afaik no other implementations have been ported.
>
> By far the simplest way which doesn't rely on psk, if the other side
> supports it, is to use iked with public keys (without using x509 pki)
> - just copy local.pub from one side to the appropriate subdirectory of
> pubkeys/ on the other.
>
> It *may* be possible for IKEv1 with xauth using vpnc, but it's old
> all-userland software, not using the standard OpenBSD IPsec stack, the
> port (and probably upstream software) are not really maintained.
> No modern crypto.
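The charon dump above is the RFC 4303 ESP layout laid bare: an 84-byte inner IPv4 packet, 10 bytes of 01 02 … 0A padding, a pad length byte of 10 and next header 4 (IP-in-IP, i.e. tunnel mode), giving 96 encrypted bytes, one AES block multiple, between a 16-byte IV and a 16-byte ICV. The following is an added example, not code from the original post or from strongSwan, that computes and validates that trailer for any payload length; the 84 zero bytes used as a stand-in payload are constructed, only the lengths come from the log.

```python
"""ESP trailer handling per RFC 4303, as seen in the charon debug output above:
plaintext = payload || padding || pad_length || next_header, padded so that the
encrypted part is a multiple of the cipher block size (16 for AES-CBC).
Added example, not strongSwan code."""
import struct
from typing import Tuple

ESP_HDR = struct.Struct("!II")  # SPI and sequence number, as in "SPI c4694ca1 [seq 384]"
NEXT_HEADER_IPIP = 4            # tunnel mode carrying IPv4; 41 would be IPv6, 59 a dummy packet


def esp_pad_length(payload_len: int, block_size: int = 16) -> int:
    """Padding bytes so that payload + padding + 2 trailer bytes is block-aligned."""
    return (-(payload_len + 2)) % block_size


def build_esp_plaintext(payload: bytes, next_header: int, block_size: int = 16) -> bytes:
    """Append the RFC 4303 trailer: monotonic padding 1,2,3,..., pad length, next header."""
    pad_len = esp_pad_length(len(payload), block_size)
    padding = bytes(range(1, pad_len + 1))
    return payload + padding + bytes([pad_len, next_header])


def parse_esp_plaintext(plaintext: bytes, block_size: int = 16,
                        check_padding: bool = True) -> Tuple[bytes, int]:
    """Recover (payload, next_header) from decrypted ESP data and validate the trailer.

    RFC 4303 makes checking the padding bytes optional and a peer may send other
    values, so check_padding is a local policy choice, not a protocol requirement."""
    if len(plaintext) < 2 or len(plaintext) % block_size:
        raise ValueError("decrypted ESP length is not block-aligned")
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if pad_len + 2 > len(plaintext):
        raise ValueError("pad length %d exceeds packet" % pad_len)
    payload_end = len(plaintext) - 2 - pad_len
    padding = plaintext[payload_end:-2]
    if check_padding and padding != bytes(range(1, pad_len + 1)):
        raise ValueError("padding is not the 1,2,3,... pattern; corrupted or wrong key")
    return plaintext[:payload_end], next_header


def esp_wire_length(payload_len: int, iv_len: int = 16, icv_len: int = 16,
                    block_size: int = 16) -> int:
    """Size of the ESP packet on the wire: SPI+seq, IV, encrypted part, ICV."""
    encrypted = payload_len + esp_pad_length(payload_len, block_size) + 2
    return ESP_HDR.size + iv_len + encrypted + icv_len


if __name__ == "__main__":
    # Constructed 84-byte payload standing in for the ICMP echo in the log above.
    payload = bytes(84)
    pt = build_esp_plaintext(payload, NEXT_HEADER_IPIP)
    print("pad length %d, encrypted %d bytes, on the wire %d bytes"
          % (pt[-2], len(pt), esp_wire_length(len(payload))))
    recovered, nh = parse_esp_plaintext(pt)
    print("payload %d bytes, next header %d, intact: %s" % (len(recovered), nh, recovered == payload))
```

With the log's 84-byte payload the functions reproduce its numbers exactly: 10 bytes of padding, a 96-byte encrypted part, and 136 bytes of ESP on the wire before the UDP-encapsulation header that the "faking NAT situation" line adds.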
iked alternate location for the control socket?
Hello!

In ikectl there is a "-s socket" parameter to change the control socket location. But in iked the "-s" parameter is missing, so you cannot change the socket location. Is this not implemented in iked? It would be useful when running two iked processes in different rdomains.

Thx
csszep
ospfd 224.0.0.5: Can't assign requested address on rdomain 2
Hello!

I created a simple OSPF test lab, but I ran into the following error.

The setup:

ospfd.conf
rdomain 2
area 0.0.0.0 {
        interface vio2
}

route -T2 -n show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            127.0.0.1          UGBS       0        0 32768     8 lo2
127/8              127.0.0.1          UGRS       0        0 32768     8 lo2
127.0.0.1          127.0.0.1          UHl        0        9 32768     1 lo2
172.16.2/24        172.16.2.1         UC         0        0     -     4 vio2
172.16.2.1         08:00:27:1b:ce:55  UHLl       0        5     -     1 vio2
172.16.2.255       172.16.2.1         UHb        0        0     -     1 vio2
224/4              127.0.0.1          URS        0        0 32768     8 lo2

ifconfig
lo0: flags=8049 mtu 32768
        priority: 0
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff000000
vio0: flags=8843 mtu 1500
        lladdr 08:00:27:48:6a:16
        priority: 0
        groups: egress
        media: Ethernet autoselect
        status: active
        inet 10.0.2.15 netmask 0xffffff00 broadcast 10.0.2.255
vio1: flags=8843 mtu 1500
        lladdr 08:00:27:e8:94:dc
        priority: 0
        media: Ethernet autoselect
        status: active
        inet 192.168.56.11 netmask 0xffffff00 broadcast 192.168.56.255
vio2: flags=8843 rdomain 2 mtu 1500
        lladdr 08:00:27:1b:ce:55
        priority: 0
        media: Ethernet autoselect
        status: active
        inet 172.16.2.1 netmask 0xffffff00 broadcast 172.16.2.255
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active
pflog0: flags=141 mtu 33144
        priority: 0
        groups: pflog
lo2: flags=8049 rdomain 2 mtu 32768
        priority: 0
        groups: lo
        inet 127.0.0.1 netmask 0xff000000

ospfd -dvv -f /etc/ospfd2.conf
WARNING: IP forwarding NOT enabled, running as stub router
password = "secret"
warning: macro 'password' not used
startup
if_join_group: error IP_ADD_MEMBERSHIP, interface vio2 address 224.0.0.5: Can't assign requested address
if_fsm: error changing state for interface vio2, event UP, state DOWN
error starting interface vio2

ospfctl show interfaces
Interface   Address            State  HelloTimer Linkstate  Uptime    nc  ac
vio2        172.16.2.1/24      DOWN   -          active     00:00:00   0   0

ospfctl show fib
flags: * = valid, O = OSPF, C = Connected, S = Static
Flags  Prio Destination          Nexthop
*S        8 0.0.0.0/0            127.0.0.1
*C        0 127.0.0.0/8          link#0
*S        8 127.0.0.0/8          127.0.0.1
*         1 127.0.0.1/32         127.0.0.1
*C        4 172.16.2.0/24        link#3
*S        8 224.0.0.0/4          127.0.0.1

ospfctl show summary
Router ID: 10.0.2.15
Uptime: 00:01:33
RFC1583 compatibility flag is disabled
SPF delay is 1000 msec(s), hold time between two SPFs is 5000 msec(s)
Number of external LSA(s) 0 (Checksum sum 0x0)
Number of areas attached to this router: 1

Area ID: 0.0.0.0
  Number of interfaces in this area: 1
  Number of fully adjacent neighbors in this area: 0
  SPF algorithm executed 0 time(s)
  Number LSA(s) 0 (Checksum sum 0x0)

Am I missing something, or is this a bug?

Thx
Godot

OpenBSD 5.9-beta (GENERIC) #1658: Sun Dec 27 17:03:23 MST 2015
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 520028160 (495MB)
avail mem = 500244480 (477MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xe1000 (10 entries)
bios0: vendor innotek GmbH version "VirtualBox" date 12/01/2006
bios0: innotek GmbH VirtualBox
acpi0 at bios0: rev 2
acpi0: sleep states S0 S5
acpi0: tables DSDT FACP APIC SSDT
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 32 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i5-4310U CPU @ 2.00GHz, 2594.82 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,PCLMUL,MWAIT,SSSE3,CX16,SSE4.1,SSE4.2,MOVBE,POPCNT,AES,XSAVE,AVX,RDRAND,HV,NXE,LONG,LAHF,ABM,ITSC
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: CPU supports MTRRs but not enabled by BIOS
cpu0: apic clock running at 1000MHz
cpu0: mwait min=64, max=64
ioapic0 at mainbus0: apid 1 pa 0xfec00000, version 11, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: C1(@1 halt!)
acpibat0 at acpi0: BAT0 model "1" serial 0 type VBOX oem "innotek"
acpiac0 at acpi0: AC unit online
acpivideo0 at acpi0: GFX0
pvbus0 at mainbus0: KVM
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
pcib0 at pci0 dev 1
Re: npppd with tun interface not work on i386?
Thx It works as expected. 2013/1/31 YASUOKA Masahiko yasu...@yasuoka.net: Hi, On Tue, 29 Jan 2013 20:20:24 +0100 csszep css...@gmail.com wrote: I tried to start npppd with the default config with tun0 interface on my Alix board: I get the following error message: # npppd -d 2013-01-29 19:54:38:NOTICE: Starting npppd pid=13464 version=5.0.0 2013-01-29 19:54:38:NOTICE: Load configuration from='/etc/npppd/npppd.conf' successfully. 2013-01-29 19:54:38:ERR: tun0 delete ipaddress tun0 failed: Device not configured This was from a bug. I fixed it on cvs. Please update your source code from cvs or apply a patch below. Thank you for your report. Index: privsep.c === RCS file: /cvs/src/usr.sbin/npppd/npppd/privsep.c,v retrieving revision 1.7 diff -u -p -r1.7 privsep.c --- privsep.c 28 Sep 2012 23:46:00 - 1.7 +++ privsep.c 31 Jan 2013 02:03:36 - @@ -463,7 +463,7 @@ priv_get_if_addr(const char *ifname, str struct PRIVSEP_GET_IF_ADDR_RESP r; a.cmd = PRIVSEP_GET_IF_ADDR; - strlcpy(a.ifname, ifname, sizeof(ifname)); + strlcpy(a.ifname, ifname, sizeof(a.ifname)); if ((retval = send(privsep_sock, a, sizeof(a), 0)) 0) return retval; if ((retval = recv(privsep_sock, r, sizeof(r), 0)) 0) { @@ -488,7 +488,7 @@ priv_delete_if_addr(const char *ifname) struct PRIVSEP_DEL_IF_ADDR_ARG a; a.cmd = PRIVSEP_DEL_IF_ADDR; - strlcpy(a.ifname, ifname, sizeof(ifname)); + strlcpy(a.ifname, ifname, sizeof(a.ifname)); if ((retval = send(privsep_sock, a, sizeof(a), 0)) 0) return retval; retval = privsep_common_resp(); @@ -503,7 +503,7 @@ priv_set_if_addr(const char *ifname, str struct PRIVSEP_SET_IF_ADDR_ARG a; a.cmd = PRIVSEP_SET_IF_ADDR; - strlcpy(a.ifname, ifname, sizeof(ifname)); + strlcpy(a.ifname, ifname, sizeof(a.ifname)); a.addr = *addr; if ((retval = send(privsep_sock, a, sizeof(a), 0)) 0) return retval; 
@@ -519,7 +519,7 @@ priv_get_if_flags(const char *ifname, in struct PRIVSEP_GET_IF_FLAGS_RESP r; a.cmd = PRIVSEP_GET_IF_FLAGS; - strlcpy(a.ifname, ifname, sizeof(ifname)); + strlcpy(a.ifname, ifname, sizeof(a.ifname)); if ((retval = send(privsep_sock, a, sizeof(a), 0)) 0) return retval; if ((retval = recv(privsep_sock, r, sizeof(r), 0)) 0) { @@ -543,7 +543,7 @@ priv_set_if_flags(const char *ifname, in struct PRIVSEP_SET_IF_FLAGS_ARG a; a.cmd = PRIVSEP_SET_IF_FLAGS; - strlcpy(a.ifname, ifname, sizeof(ifname)); + strlcpy(a.ifname, ifname, sizeof(a.ifname)); a.flags = flags; if ((retval = send(privsep_sock, a, sizeof(a), 0)) 0) return retval;
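Review bot: the fix is correct and it explains why the report is i386-only: in each of the five priv_*_if_* hunks `sizeof(ifname)` is the size of a `const char *`, 4 bytes on i386 and 8 on amd64, so strlcpy() truncated "tun0" to three characters on the Alix board while on the amd64 VM the 8-byte pointer size happened to hold the whole name; `sizeof(a.ifname)` is the size of the destination array, as intended. Since the identical copy is repeated in five functions, a follow-up could route the interface name through one small helper so this class of mistake has a single place to be wrong.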
npppd with tun interface not work on i386?
Hello Misc!

I tried to start npppd with the default config with a tun0 interface on my Alix board. I get the following error message:

# npppd -d
2013-01-29 19:54:38:NOTICE: Starting npppd pid=13464 version=5.0.0
2013-01-29 19:54:38:NOTICE: Load configuration from='/etc/npppd/npppd.conf' successfully.
2013-01-29 19:54:38:ERR: tun0 delete ipaddress tun0 failed: Device not configured

On a Jan 21 amd64 snapshot VMware machine it works:

# npppd -d
2013-01-29 19:59:21:NOTICE: Starting npppd pid=18398 version=5.0.0
2013-01-29 19:59:21:NOTICE: Load configuration from='/etc/npppd/npppd.conf' successfully.
2013-01-29 19:59:21:INFO: tun0 Started ip4addr=10.0.0.1
2013-01-29 19:59:21:INFO: Listening /var/run/npppd_ctl (npppd_ctl)
2013-01-29 19:59:21:INFO: ipcp=IPCP pool dyn_pool=[10.0.0.2/31,10.0.0.4/30,10.0.0.8/29,10.0.0.16/28,10.0.0.32/27,10.0.0.64/26,10.0.0.128/26,10.0.0.192/27,10.0.0.224/28,10.0.0.240/29,10.0.0.248/30,10.0.0.252/31,10.0.0.254/32] pool=[10.0.0.2/31,10.0.0.4/30,10.0.0.8/29,10.0.0.16/28,10.0.0.32/27,10.0.0.64/26,10.0.0.128/26,10.0.0.192/27,10.0.0.224/28,10.0.0.240/29,10.0.0.248/30,10.0.0.252/31,10.0.0.254/32]
2013-01-29 19:59:21:INFO: Added 13 routes for new pool addresses
2013-01-29 19:59:21:INFO: Loading pool config successfully.
2013-01-29 19:59:21:INFO: l2tpd Listening 0.0.0.0:1701/udp (L2TP LNS) [L2TP_ipv4]
2013-01-29 19:59:21:INFO: l2tpd Listening [::]:1701/udp (L2TP LNS) [L2TP_ipv6]

Config:

authentication LOCAL type local {
        users-file /etc/npppd/npppd-users
}

tunnel L2TP_ipv4 protocol l2tp {
        listen on 0.0.0.0
}

tunnel L2TP_ipv6 protocol l2tp {
        listen on ::
}

ipcp IPCP {
        pool-address 10.0.0.2-10.0.0.254
        dns-servers 8.8.8.8
}

# use tun(4) interface.  multiple ppp sessions concentrate one interface.
interface tun0 address 10.0.0.1 ipcp IPCP
bind tunnel from L2TP_ipv4 authenticated by LOCAL to tun0
bind tunnel from L2TP_ipv6 authenticated by LOCAL to tun0

Dmesg:

OpenBSD 5.2-current (GENERIC) #19: Mon Jan 21 17:55:18 MST 2013
    t...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by AMD PCS (AuthenticAMD 586-class) 499 MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX,MMXX,3DNOW2,3DNOW
real mem = 267976704 (255MB)
avail mem = 252608512 (240MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 11/05/08, BIOS32 rev. 0 @ 0xfd088
pcibios0 at bios0: rev 2.1 @ 0xf/0x1
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xe/0xa800
cpu0 at mainbus0: (uniprocessor)
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 1 function 0 AMD Geode LX rev 0x33
glxsb0 at pci0 dev 1 function 2 AMD Geode LX Crypto rev 0x00: RNG AES
vr0 at pci0 dev 9 function 0 VIA VT6105M RhineIII rev 0x96: irq 10, address 00:0d:b9:16:5e:e0
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr1 at pci0 dev 10 function 0 VIA VT6105M RhineIII rev 0x96: irq 11, address 00:0d:b9:16:5e:e1
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
vr2 at pci0 dev 11 function 0 VIA VT6105M RhineIII rev 0x96: irq 15, address 00:0d:b9:16:5e:e2
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063, model 0x0034
athn0 at pci0 dev 12 function 0 Atheros AR5416 rev 0x01: irq 9
athn0: MAC AR5416 rev 2, RF AR2133 (3T2R), ROM rev 5, address 00:21:27:cb:7a:36
glxpcib0 at pci0 dev 15 function 0 AMD CS5536 ISA rev 0x03: rev 3, 32-bit 3579545Hz timer, watchdog, gpio, i2c
gpio0 at glxpcib0: 32 pins
iic0 at glxpcib0
maxtmp0 at iic0 addr 0x4c: lm86
pciide0 at pci0 dev 15 function 2 AMD CS5536 IDE rev 0x01: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: SILICON POWER
wd0: 1-sector PIO, LBA, 3831MB, 7847280 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 15 function 4 AMD CS5536 USB rev 0x02: irq 12, version 1.0, legacy support
ehci0 at pci0 dev 15 function 5 AMD CS5536 USB rev 0x02: irq 12
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 AMD EHCI root hub rev 2.00/1.00 addr 1
isa0 at glxpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 AMD OHCI root hub rev 1.00/1.00 addr 1
mtrr: K6-family MTRR support (2 registers)
nvram: invalid checksum
vscsi0 at root
scsibus0 at vscsi0: 256 targets
softraid0 at root
scsibus1 at softraid0: 256 targets
root on wd0a (86722b7d28b15b50.a) swap on wd0b dump on wd0b
clock: unknown CMOS layout

thx
csszep
Re: current snapshot pipex kernel panic
Thank you! It works as expected.

Otherwise, the "mppe no" option is missing from the manual page.

2012/9/26 YASUOKA Masahiko yasu...@yasuoka.net:

> Hello,
>
> On Tue, 25 Sep 2012 16:16:12 +0200
> csszep css...@gmail.com wrote:
> > I wanted to try a simple npppd setup and I got a panic.
>
> I'm looking into this problem and fixing it. But it will take more days.
>
> To work around the problem, please add "mppe no" to the tunnel configuration.
>
> --yasuoka
Re: ciss(4) write very slow w/o bbwc
Hi!

I tested the performance w and w/o the patch. There is no difference.

ciss0 at pci3 dev 3 function 0 "Compaq Smart Array 64xx" rev 0x01: apic 10 int 3
ciss0: 2 LDs, HW rev 1, FW 2.84/2.84, 64bit fifo
scsibus0 at ciss0: 2 targets
sd0 at scsibus0 targ 0 lun 0: <HP, LOGICAL VOLUME, 2.84> SCSI2 0/direct fixed
sd0: 69459MB, 512 bytes/sector, 142253280 sectors
sd1 at scsibus0 targ 1 lun 0: <HP, LOGICAL VOLUME, 2.84> SCSI2 0/direct fixed
sd1: 140006MB, 512 bytes/sector, 286734240 sectors

kern.bufcachepercent=20

w/o patch

raw device
# dd if=/dev/zero of=/dev/rsd1d bs=1m count=1000
1000+0 records in
1000+0 records out
1048576000 bytes transferred in 75.550 secs (13879230 bytes/sec)

file
# dd if=/dev/zero of=test bs=1m count=1000
1000+0 records in
1000+0 records out
1048576000 bytes transferred in 16.986 secs (61728607 bytes/sec)

w patch

raw device
# dd if=/dev/zero of=/dev/rsd1d bs=1m count=1000
1000+0 records in
1000+0 records out
1048576000 bytes transferred in 75.609 secs (13868396 bytes/sec)

file
# dd if=/dev/zero of=test bs=1m count=1000
1000+0 records in
1000+0 records out
1048576000 bytes transferred in 16.165 secs (64863961 bytes/sec)

In fact, the file test performance is acceptable for me. The raw performance (e.g. newfs) is not so important.

Thx
csszep

2012/5/29 Andreas Bartelt o...@bartula.de:
> Hello,
>
> On 05/29/12 17:28, Kenneth R Westerback wrote:
>> On Tue, May 29, 2012 at 03:48:02PM +0200, csszep wrote:
>>> Hi!
>>>
>>> So I tested the ciss performance with OpenBSD 5.1 and NetBSD 5.1.2 and the numbers are the same. :(
>>>
>>> approx 13Mbyte/s write with dd if=/dev/zero of=/dev/rsd1c bs=1m count=500
>>>
>>> But why is Linux four times faster (approx 40Mbyte/s)?
>>
>> Dunno. But the diff below should apply the NetBSD 'fix' for the INQUIRY command.
>>
>> Ken
>
> I also can confirm relatively slow ciss(4) performance on OpenBSD. Enabling the (not battery backed) cache via BIOS doesn't help significantly.
>
> I just did some tests on a HP Proliant DL360G7 with RAID1 via ciss(4) with 2x300GB 6G SAS 1 rpm HDDs (cache disabled on this box):
>
> # disklabel sd0
> # /dev/rsd0c:
> type: SCSI
> disk: SCSI disk
> label: LOGICAL VOLUME
> duid: 410f0efc5a9d86dd
> flags:
> bytes/sector: 512
> sectors/track: 63
> tracks/cylinder: 255
> sectors/cylinder: 16065
> cylinders: 36468
> total sectors: 585871964
> boundstart: 64
> boundend: 585858420
> drivedata: 0
>
> 16 partitions:
> #                size           offset  fstype [fsize bsize  cpg]
>   a:          1028096               64  4.2BSD   2048 16384    1 # /
>   c:        585871964                0  unused
>   d:          1028160          1028160  4.2BSD   2048 16384    1 # /var
>   e:        146801952          2056320  4.2BSD   2048 16384    1 # /usr
>   f:         20964832        148858272  4.2BSD   2048 16384    1 # /home
>   g:        416035264        169823104  4.2BSD   4096 32768    1 # /log
>
> # mount
> /dev/sd0a on / type ffs (local, noatime, softdep)
> /dev/sd0f on /home type ffs (local, noatime, nodev, nosuid, softdep)
> /dev/sd0g on /log type ffs (local, noatime, nodev, nosuid, softdep)
> /dev/sd0e on /usr type ffs (local, noatime, nodev, softdep)
> /dev/sd0d on /var type ffs (local, noatime, nodev, nosuid, softdep)
>
> # dmesg|grep ciss
> ciss0 at pci1 dev 0 function 0 "Hewlett-Packard Smart Array" rev 0x01: apic 0 int 4
> ciss0: 2 LDs, HW rev 2, FW 3.66/3.66, 64bit fifo rro
> scsibus0 at ciss0: 2 targets
>
> before applying your patch:
>
> [/usr] # dd if=/dev/zero of=testfile bs=1m count=1000
> 1000+0 records in
> 1000+0 records out
> 1048576000 bytes transferred in 16.428 secs (63825353 bytes/sec)
>
> [/usr] # dd if=/dev/zero of=testfile bs=1m count=10000
> 10000+0 records in
> 10000+0 records out
> 10485760000 bytes transferred in 153.910 secs (68128911 bytes/sec)
>
> [/log] # dd if=/dev/zero of=testfile bs=1m count=1000
> 1000+0 records in
> 1000+0 records out
> 1048576000 bytes transferred in 8.122 secs (129087680 bytes/sec)
>
> [/log] # dd if=/dev/zero of=testfile bs=1m count=10000
> 10000+0 records in
> 10000+0 records out
> 10485760000 bytes transferred in 87.701 secs (119561580 bytes/sec)
>
> after applying your patch:
>
> [/usr] # dd if=/dev/zero of=testfile bs=1m count=1000
> 1000+0 records in
> 1000+0 records out
> 1048576000 bytes transferred in 14.113 secs (74296489 bytes/sec)
>
> [/usr] # dd if=/dev/zero of=testfile bs=1m count=10000
> 10000+0 records in
> 10000+0 records out
> 10485760000 bytes transferred in 154.600 secs (67824996 bytes/sec)
>
> [/log] # dd if=/dev/zero of=testfile bs=1m count=1000
> 1000+0 records in
> 1000+0 records out
> 1048576000 bytes transferred in 6.836 secs (153379539 bytes/sec)
>
> [/log] # dd if=/dev/zero of=testfile bs=1m count=10000
> 10000+0 records in
> 10000+0 records out
> 10485760000 bytes transferred in 82.955 secs (126402027 bytes/sec)
>
> The larger fsize/bsize of partition sd0g almost seems to double the writing throughput in comparison to partition sd0e. I didn't expect this much of a difference.
>
> Regarding
ciss(4) write very slow w/o bbwc
Hi Misc!

We have some older HP DL360, DL380 G4 machines with Smart Array 6i controllers w/o battery backed cache. The disk performance in this case is really poor, for example the disklabel operation on a 72GB disk lasted for about 5 mins.

I found a commit in the NetBSD ciss driver (which is a port of the OpenBSD driver), that solves the problem I think:
http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/dev/ic/ciss.c?rev=1.23&content-type=text/x-cvsweb-markup&only_with_tag=MAIN

The problem is that the NetBSD scsi midlayer is very different from the OpenBSD one, so is it possible to integrate this patch? My C and OpenBSD internals knowledge is not enough for this task.

PS: Yes I know, my English is terrible.

thx
csszep
Re: ciss(4) write very slow w/o bbwc
Ok, but I installed Linux (Debian 6) and there is no performance degradation. I will install NetBSD too, and I will do a test.

The commit does not turn on the cache, it enables tagged queuing if I understand it well.

thx
csszep

2012/5/29 Jonathan Gray j...@jsg.id.au:
> I don't think that commit will fix the problem.
>
> HP shouldn't sell machines without the battery, but they do. From memory the firmware on the raid controller has no way of turning on caching without the battery being present.
>
> On Tue, May 29, 2012 at 11:30:34AM +0200, csszep wrote:
>> Hi Misc!
>>
>> We have some older HP DL360, DL380 G4 machines with Smart Array 6i controllers w/o battery backed cache. The disk performance in this case is really poor, for example the disklabel operation on a 72GB disk lasted for about 5 mins.
>>
>> I found a commit in the NetBSD ciss driver (which is a port of the OpenBSD driver), that solves the problem I think:
>> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/dev/ic/ciss.c?rev=1.23&content-type=text/x-cvsweb-markup&only_with_tag=MAIN
>>
>> The problem is that the NetBSD scsi midlayer is very different from the OpenBSD one, so is it possible to integrate this patch? My C and OpenBSD internals knowledge is not enough for this task.
>>
>> PS: Yes I know, my English is terrible.
>>
>> thx
>> csszep
Re: ciss(4) write very slow w/o bbwc
Hi!

So I tested the ciss performance with OpenBSD 5.1 and NetBSD 5.1.2 and the numbers are the same. :(

approx 13Mbyte/s write with dd if=/dev/zero of=/dev/rsd1c bs=1m count=500

But why is Linux four times faster (approx 40Mbyte/s)?

thx
csszep

2012/5/29 csszep css...@gmail.com:
> Ok, but I installed Linux (Debian 6) and there is no performance degradation. I will install NetBSD too, and I will do a test.
>
> The commit does not turn on the cache, it enables tagged queuing if I understand it well.
>
> thx
> csszep
>
> 2012/5/29 Jonathan Gray j...@jsg.id.au:
>> I don't think that commit will fix the problem.
>>
>> HP shouldn't sell machines without the battery, but they do. From memory the firmware on the raid controller has no way of turning on caching without the battery being present.
>>
>> On Tue, May 29, 2012 at 11:30:34AM +0200, csszep wrote:
>>> Hi Misc!
>>>
>>> We have some older HP DL360, DL380 G4 machines with Smart Array 6i controllers w/o battery backed cache. The disk performance in this case is really poor, for example the disklabel operation on a 72GB disk lasted for about 5 mins.
>>>
>>> I found a commit in the NetBSD ciss driver (which is a port of the OpenBSD driver), that solves the problem I think:
>>> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/dev/ic/ciss.c?rev=1.23&content-type=text/x-cvsweb-markup&only_with_tag=MAIN
>>>
>>> The problem is that the NetBSD scsi midlayer is very different from the OpenBSD one, so is it possible to integrate this patch? My C and OpenBSD internals knowledge is not enough for this task.
>>>
>>> PS: Yes I know, my English is terrible.
>>>
>>> thx
>>> csszep
virtual crossover link with vether(4) patch integration?
Hi!

Is there any news about this patch integration?
http://marc.info/?l=openbsd-tech&m=129622196824469&w=2

And I'm sorry to bother you...

thx
Csszep