Re: reloading pf through ansible easy hook

2016-11-22 Thread BARDOU Pierre
I know the official validate command is pfctl -nf, but if you do so, you need 
to register the result of this task, then make one more conditional task to 
apply.
This doubles your playbook execution time, which is not acceptable for me.

--
Regards,
Pierre BARDOU


-Original Message-
From: owner-t...@openbsd.org [mailto:owner-t...@openbsd.org] On behalf of 
Landry Breuil
Sent: Tuesday, 22 November 2016 14:53
To: tech@openbsd.org
Subject: Re: reloading pf through ansible easy hook

On Tue, Nov 22, 2016 at 11:15:01AM +, BARDOU Pierre wrote:
> Hello,
> 
> - name: "Loading pf.conf"
>   template: src=pf.conf dest=/etc/ validate="pfctl -f %s"

Fwiw, i find it nicer to validate with 'pfctl -nf' ..

Landry
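
The parse-only validation discussed in this message, combined with an Ansible handler so the reload needs no registered result or conditional task. This is an added example, not code from any poster in the thread; the host group `firewalls`, the handler name, and the owner/group/mode values are assumptions.

```yaml
# Added example; the host group "firewalls" and the handler name are hypothetical.
- hosts: firewalls
  become: true            # assumes privilege escalation is configured for these hosts
  tasks:
    - name: "Install pf.conf (parse-only validation)"
      template:
        src: pf.conf
        dest: /etc/pf.conf
        owner: root       # assumed ownership and mode
        group: wheel
        mode: "0600"
        # -n: parse the candidate file without loading it. On a syntax error
        # the task fails and /etc/pf.conf is left untouched.
        validate: "pfctl -nf %s"
      notify: reload pf

  handlers:
    # Runs once at the end of the play, and only when the template task
    # reported "changed", so unchanged rulesets are never reloaded.
    - name: reload pf
      command: pfctl -f /etc/pf.conf
```

With `validate="pfctl -f %s"` the candidate file is loaded into the running pf as a side effect of validation; here the running ruleset changes only in the handler, after the validated file is in place.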



Re: reloading pf through ansible easy hook

2016-11-22 Thread BARDOU Pierre
Hello,

- name: "Loading pf.conf"
  template: src=pf.conf dest=/etc/ validate="pfctl -f %s"

Works fine for me.
Configuration is copied and loaded if correct, otherwise the rule file is not 
modified and not loaded (and the playbook fails with error).

--
Regards,
Pierre BARDOU

-Original Message-
From: owner-t...@openbsd.org [mailto:owner-t...@openbsd.org] On behalf of 
Antoine Jacoutot
Sent: Monday, 21 November 2016 23:48
To: sven falempin 
Cc: tech@openbsd.org
Subject: Re: reloading pf through ansible easy hook

On Mon, Nov 21, 2016 at 05:34:35PM -0500, sven falempin wrote:
> Ansible is already managing pkg and service of OpenBSD, cool
> 
> If one wants to manage pf with it, and push or modify a few files, one 
> must run - command: /sbin/pfctl -f {{ dank.config }}
> 
> Yet - service could be used, if this glue was in the rc.d directory :

You can easily create an ansible role|module to do that natively.
The rc.d framework is only meant to handle real daemons.
We don't want it to manage pf, quota, network, mounts...

--
Antoine



Re: OPENBSD performance // intel NIC interrupts // interrupt moderation

2015-12-09 Thread BARDOU Pierre
Hello,

FYI, my last firewall in production : 
OpenBSD 5.7 (GENERIC.MP) #2: Mon Jul 27 16:16:48 CEST 2015
cpu0: Intel(R) Xeon(R) CPU E3-1271 v3 @ 3.60GHz
ix0 at pci2 dev 0 function 0 "Intel 82599"

Peaks at 46% cpu on core1, traffic around 2 Gbps (230 kpps).


I'm very eager to see it with a full MP IP stack :)

--
Regards,
Pierre BARDOU

-Original Message-
From: owner-t...@openbsd.org [mailto:owner-t...@openbsd.org] On behalf of 
Michael McConville
Sent: Tuesday, 8 December 2015 22:32
To: Jeff Drago 
Cc: tech@OpenBSD.org
Subject: Re: OPENBSD performance // intel NIC interrupts // interrupt moderation

Jeff Drago wrote:
> Hello - first post here, hopefully it is the right forum.
> 
> I recently setup a bgp box on top of OPENBSD 5.5 Generic.MP, with 6 
> INTEL EM nics. The problem is that when I get 700Mbits in one 
> interface, the CPU is peaking at 88% (interrupt).
> 
> I read about interrupt moderation and I don't know how to play with 
> that in my box. Is it the case to update the NIC driver? Here is the 
> reference that the NIC supports int 
> moderation: http://download.intel.com/design/network/applnots/ap450.pdf
> 
> Not sure how to turn that on or off in OpenBSD. Any help is greatly 
> appreciated. Here is the spec for the box (NETMAP 
> L-800): http://www.serveru.us/en/images/ServerU/Folder-Brochure_en.pdf

5.5 is no longer supported. Upgrade sequentially (5.5 -> 5.6, 5.6 -> 5.7, 5.7 
-> 5.8) and see if that fixes it. I've seen a huge network performance 
improvement over that series of upgrades.

Also, if the problem persists, please include a dmesg with your next email.

Thanks,
Michael


Pflow export every X seconds

2015-06-05 Thread BARDOU Pierre
Hello,

I'd love to see the feature Joerg Goltermann developed a while ago committed in 
the standard pflow :
http://marc.info/?l=openbsd-misc&m=124661838923498&w=2

Do you know why it was never committed ? What would it need to be ?
May I help in any way ?


--
Regards,


Pierre Bardou
Network engineer

12, rue Michel Labrousse
CS 93668 - 31036 Toulouse cedex 1

