Re: vpn performance - C2750 vs C2758

2015-01-27 Thread Stuart Henderson
On 2015-01-26, Christian Weisgerber  wrote:
> On 2015-01-26, Sonic  wrote:
>
>> Wondering if the addition of the Intel's Quick Assist feature present
>> on Intel's C2758 processor provides any advantage for a VPN connection
>> between two OpenBSD systems.
>
> I don't think we support Quick Assist, whatever that is.

correct.

> http://www.intel.com/content/www/us/en/io/quickassist-technology/quickassist-technology-developer.html

From what I can make out, it's an api to use an intel-provided
software abstraction layer for access to fpga-based crypto/compression
accelerators.

https://01.org/packet-processing/intel®-quickassist-technology-drivers-and-patches
 (linux code, api docs - 01.org is Intel open source technology centre)
http://rssi.ncsa.illinois.edu/proceedings/industry/Intel.pdf
http://blog.chinaaet.com/uploads/Blog_affix/files/11121036091012.pdf

It doesn't look like something we can use easily.



tcp wrappers question

2015-01-27 Thread Alexei Malinin
Hello.

I noticed that OpenBSD-5.6 does not include tcp wrappers (tcpd etc).

What is recommended to use instead of tcp wrappers?

PS. I used tcp wrappers to restrict access to sshd, sendmail, popa3d,
tftpd, ...


--
Alexei Malinin



Re: tcp wrappers question

2015-01-27 Thread Maurice McCarthy

On 2015-01-27 14:19, Alexei Malinin wrote:

> Hello.
>
> I noticed that OpenBSD-5.6 does not include tcp wrappers (tcpd etc).
>
> What is recommended to use instead of tcp wrappers?
>
> PS. I used tcp wrappers to restrict access to sshd, sendmail, popa3d,
> tftpd, ...
>
>
> --
> Alexei Malinin


OpenBSD uses the Packet Filter or pf.
See "man 4 pf"  and http://www.openbsd.org/faq/pf/index.html

Regards



Re: tcp wrappers question

2015-01-27 Thread Peter N. M. Hansteen
On Tue, Jan 27, 2015 at 05:19:20PM +0300, Alexei Malinin wrote:

> I noticed that OpenBSD-5.6 does not include tcp wrappers (tcpd etc).
> 
> What is recommended to use instead of tcp wrappers?
> 
> PS. I used tcp wrappers to restrict access to sshd, sendmail, popa3d,
> tftpd, ...

The idea (which I think is also in the changelogs somewhere) was that PF 
is enabled by default, and tcpwrappers doesn't do anything that's not
easily done with PF rules.

So the short answer is: Implement what you used to do with tcpwrappers as rules 
in your pf.conf.

- Peter
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
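
An added example, not part of the thread: a small sh/awk helper that turns simple hosts.allow entries into the equivalent pf.conf rules, as the replies above suggest doing by hand. It assumes hosts.deny held `ALL: ALL`, IPv4 clients only, and a daemon-to-port table for the four services named in the question; the function names and the sample file are hypothetical. Patterns that match on host names are reported rather than translated, because pf filters on addresses.

```shell
#!/bin/sh
# Added example: turn simple hosts.allow entries into pf rules.
# Assumptions: hosts.deny was "ALL: ALL"; IPv4 only; the daemon-to-port
# table covers just the four services named in the question.

hosts_allow_to_pf() {
    awk -F: '
    # Dotted netmask -> prefix length, or -1 if it is not a contiguous mask.
    function mask2len(m,    o, i, len, partial, bits) {
        bits["255"] = 8; bits["254"] = 7; bits["252"] = 6; bits["248"] = 5
        bits["240"] = 4; bits["224"] = 3; bits["192"] = 2; bits["128"] = 1
        bits["0"] = 0
        if (split(m, o, /\./) != 4) return -1
        len = 0; partial = 0
        for (i = 1; i <= 4; i++) {
            if (!(o[i] in bits) || (partial && o[i] != "0")) return -1
            if (o[i] != "255") partial = 1
            len += bits[o[i]]
        }
        return len
    }
    # One tcp wrappers client pattern -> pf address, "" if pf cannot say it.
    function to_pf(a,    p, n, i, net, len) {
        if (a == "ALL") return "any"
        if (a ~ /^[0-9]+(\.[0-9]+)*\.$/) {          # "10.1." prefix form
            n = split(a, p, /\./) - 1               # octets supplied
            if (n > 3) return ""
            net = substr(a, 1, length(a) - 1)
            for (i = n; i < 4; i++) net = net ".0"
            return net "/" (n * 8)
        }
        if (a ~ /^[0-9.]+\/[0-9.]+$/) {             # net/mask or net/len
            split(a, p, "/")
            if (p[2] !~ /\./) return a
            len = mask2len(p[2])
            return (len < 0) ? "" : p[1] "/" len
        }
        if (a ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) return a
        return ""        # host names, .domain, LOCAL, KNOWN, ...
    }
    BEGIN {
        port["sshd"] = "tcp 22";    port["sendmail"] = "tcp 25"
        port["popa3d"] = "tcp 110"; port["tftpd"] = "udp 69"
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        nd = split($1, d, /[ \t,]+/)
        nc = split($2, c, /[ \t,]+/)
        for (i = 1; i <= nd; i++) {
            s = d[i]
            if (s == "") continue
            if (!(s in port)) {
                skipped = skipped "# not translated: daemon " s "\n"
                continue
            }
            if (!(s in src)) { order[++count] = s; src[s] = "" }
            for (j = 1; j <= nc; j++) {
                if (c[j] == "") continue
                t = to_pf(c[j])
                if (t == "") skipped = skipped "# not translated: " s " client " c[j] "\n"
                else if (t == "any") all[s] = 1
                else src[s] = (src[s] == "" ? t : src[s] ", " t)
            }
        }
    }
    END {
        # Last matching rule wins in pf, so all blocks precede the passes.
        for (k = 1; k <= count; k++) {
            split(port[order[k]], pp, " ")
            printf "block in inet proto %s from any to any port %s\n", pp[1], pp[2]
        }
        for (k = 1; k <= count; k++) {
            s = order[k]; split(port[s], pp, " ")
            if (s in all) from = "any"
            else if (src[s] != "") from = "{ " src[s] " }"
            else continue
            printf "pass in inet proto %s from %s to any port %s\n", pp[1], from, pp[2]
        }
        printf "%s", skipped
    }'
}

# Constructed hosts.allow for the demonstration (documentation addresses).
sample_hosts_allow() {
    cat <<'EOF'
# hosts.allow (hosts.deny assumed to be "ALL: ALL")
sshd: 192.0.2.0/255.255.255.0, 198.51.100.7
sendmail: ALL
popa3d, tftpd: 10.1.
sshd: .example.org
EOF
}

sample_hosts_allow | hosts_allow_to_pf
```

Check the generated rules with `pfctl -nf` on a scratch file before merging them into pf.conf.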



Re: Mapping pf syslog rule numbers to lines in pf.conf

2015-01-27 Thread Hasse Hansson
On Mon, Jan 26, 2015 at 03:42:22PM -0500, Alan McKay wrote:
> Hey folks,
> 
> This one seems to be difficult to google - not coming up with much.
> 
> I have some firewall blocks I want to investigate and of course they
> are reported as matching a specific rule number - but I am not sure
> how to map that back to a line in my pf.conf
> 
> Could someone enlighten me?
> 
> thanks,
> -Alan
> 
> -- 
> "Don't eat anything you've ever seen advertised on TV"
>  - Michael Pollan, author of "In Defense of Food"
> 
Don't know if this is what you're after, but it will list the rules by number.
pfctl -g -s rules | grep '@'

/Hasse
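
An added example, not part of the thread: the numbers in pf log entries index the loaded ruleset as `pfctl` lists it, after macros and `{ }` lists have been expanded, so one pf.conf line can account for several rule numbers. The helper below joins a saved rule listing with pflog text output and counts hits per rule; the function name, the rule listing and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: count pflog hits per rule and show the rule text.
# The rule listing and the log lines below are constructed samples.

# usage: pflog_by_rule RULES_FILE < LOG
#   RULES_FILE: saved output of  pfctl -g -s rules
#   LOG:        text output of   tcpdump -n -e -ttt -r /var/log/pflog
pflog_by_rule() {
    awk '
    NR == FNR {                              # first input: the rule listing
        if ($1 ~ /^@[0-9]+$/) {
            nr = substr($1, 2)
            sub(/^@[0-9]+ /, "")
            rule[nr] = $0
        }
        next
    }
    match($0, /rule [0-9]+\/\(match\)/) {    # second input: the log
        # "rule " is 5 characters and "/(match)" is 8, the rest is the number
        nr = substr($0, RSTART + 5, RLENGTH - 13)
        if (!(nr in hits)) order[++n] = nr
        hits[nr]++
    }
    END {
        for (i = 1; i <= n; i++) {
            nr = order[i]
            text = (nr in rule) ? rule[nr] : "(not in this listing; ruleset reloaded since?)"
            printf "%d @%s %s\n", hits[nr], nr, text
        }
    }' "$1" -
}

# Constructed listing: @2 and @3 stand for one pf.conf line written with
# "port { 22 80 }", which the loader expands into two numbered rules.
sample_rules() {
    cat <<'EOF'
@0 block return log all
@1 pass out all flags S/SA
@2 pass in on em0 inet proto tcp from any to any port = 22 flags S/SA
@3 pass in on em0 inet proto tcp from any to any port = 80 flags S/SA
@4 block drop in log quick on em0 inet proto tcp from any to any port = 23
EOF
}

# Constructed log lines; rule 9 does not exist in the listing above.
sample_log() {
    cat <<'EOF'
Jan 26 15:40:01.101010 rule 0/(match) block in on em0: 203.0.113.5.51234 > 192.0.2.2.445: S 1:1(0) win 8192
Jan 26 15:40:02.202020 rule 4/(match) block in on em0: 203.0.113.9.40000 > 192.0.2.2.23: S 1:1(0) win 1024
Jan 26 15:40:03.303030 rule 0/(match) block in on em0: 198.51.100.20.5353 > 192.0.2.2.5353: udp 40
Jan 26 15:40:04.404040 rule 9/(match) block in on em0: 203.0.113.77.1025 > 192.0.2.2.8080: S 1:1(0) win 512
EOF
}

rules=$(mktemp) || exit 1
sample_rules > "$rules"
sample_log | pflog_by_rule "$rules"
rm -f "$rules"
```

Save the listing at the time the log was written: a reload renumbers the rules, which is the case the last output line flags.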



Re: vpn performance - C2750 vs C2758

2015-01-27 Thread Adam Thompson

On 2015-01-27 02:58 AM, Stuart Henderson wrote:

> On 2015-01-26, Christian Weisgerber  wrote:
> I don't think we support Quick Assist, whatever that is.
> correct.
> [...]
> It doesn't look like something we can use easily.


FWIW, I just read that Netgate (i.e. pfSense) committed QuickAssist 
crypto accel support into FreeBSD 10.2 [possibly a private branch??] for 
some ciphers.  Apologies, but I'm completely failing to find the message 
that mentioned it on the pfSense mailing list, right now.


I don't know enough about FreeBSD's cryptodev engine to know if any of 
that work can be used here.


--
-Adam Thompson
 athom...@athompso.net



carp failover problem

2015-01-27 Thread Leclerc, Sebastien
Hi,

I have two firewalls in a carp failover setup, but the failover does not work 
as expected...
The problem happens when I reboot the backup firewall (while in backup state).
Just after the reboot, I have these entries in dmesg :

carp0: state transition: BACKUP -> MASTER
carp1: state transition: BACKUP -> MASTER
carp0: state transition: MASTER -> BACKUP
carp1: state transition: MASTER -> BACKUP

Why would there be no mention of carp2?
And no corresponding entries on the master?

States are consistent (all backup on backup, and all master on master), but 
forwarded connections hang, until I force back the master with this :
 sudo ifconfig -g carp carpdemote 128
 sudo ifconfig -g carp -carpdemote 128
Between these two commands, on the backup firewall, I see traffic coming from 
WAN and DMZ, but almost nothing from LAN, so it may be related to the LAN 
switch. I cannot see what the problem is though...

Here is the setup :

On both firewalls :
 - em0 is connected to WAN
 - em1 is connected to LAN
 - em2 is connected to DMZ
 - em3 is interconnected with a crossover cable, used for pfsync and rdist

WAN and DMZ connections are on the same switch, but on different untagged VLANs 
(Procurve 2524)
LAN is on a separate layer 3 switch (Procurve 5300xl)

Another strange behavior :
With tcpdump, on the backup, I can see this traffic :
 - on em1 and em2, I see only carp advertisements to the configured unicast IP 
address and physical MAC address
 - on em3, I see only pfsync packets
 - but on em0, I see carp advertisements, but also a lot of traffic from the 
ISP router's MAC, to the virtual MAC (00:00:5e:00:01:01)
Which situation is normal? (em0 with lots of packets, or em1/em2 with only carp 
advertisements)
The only difference I see :
 - on em0, both firewalls and the ISP router are connected to the switch
 - on em1, both firewalls are connected to the L3 switch, which is also the 
router
 - on em2, there is no router, the firewalls communicate directly with hosts 
connected on the switch


Common configuration (public addresses anonymized, but the network sizes are 
correct) :

/etc/mygate
192.0.2.1

/etc/sysctl.conf
net.inet.carp.preempt=1
net.inet.ip.forwarding=1

/etc/pf.conf (excerpt only)
ext_if  = "em0"
ext_if_carp = "carp0"
int_if  = "em1"
int_if_carp = "carp1"
dmz_if  = "em2"
dmz_if_carp = "carp2"
sync_if = "em3"
set skip on lo
set skip on $sync_if
pass quick on { $int_if, $ext_if, $dmz_if } inet proto carp keep state (no-sync)


Firewall A (expected to be always master) :
OpenBSD 5.5 (GENERIC.MP) #315: Wed Mar  5 09:37:46 MST 2014
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

/etc/hostname.em0
inet 192.168.3.9/30

/etc/hostname.em1
inet 192.168.3.1/29
!route add 192.168.0.0/16 192.168.3.5
!route add 172.16.0.0/12 192.168.3.5

/etc/hostname.em2
inet 192.168.3.13/30

/etc/hostname.em3
inet 192.168.3.17 255.255.255.252

/etc/hostname.carp0
advskew 0 carpdev em0 carppeer 192.168.3.10 pass secret1 state master vhid 1
inet 192.0.2.2/28
alias 192.0.2.3/32
alias 192.0.2.4/32
alias 192.0.2.5/32

/etc/hostname.carp1
advskew 0 carpdev em1 carppeer 192.168.3.4 pass secret2 state master vhid 2
inet 192.168.3.6/32

/etc/hostname.carp2
advskew 0 carpdev em2 carppeer 192.168.3.14 pass secret3 state master vhid 3
inet 192.0.2.17/28
alias 192.0.2.29/32

/etc/hostname.pfsync0
up
syncdev em3
syncpeer 192.168.3.18


Firewall B (expected to be always backup) :
OpenBSD 5.6 (GENERIC.MP) #5: Thu Dec 11 09:51:08 CET 2014

r...@stable-56-amd64.mtier.org:/binpatchng/work-binpatch56-amd64/src/sys/arch/amd64/compile/GENERIC.MP

/etc/hostname.em0
inet 192.168.3.10/30

/etc/hostname.em1
inet 192.168.3.4/29
!route add 192.168.0.0/16 192.168.3.5
!route add 172.16.0.0/12 192.168.3.5

/etc/hostname.em2
inet 192.168.3.14/30

/etc/hostname.em3
inet 192.168.3.18/30

/etc/hostname.carp0
advskew 200 carpdev em0 carppeer 192.168.3.9 pass secret1 state backup vhid 1
inet 192.0.2.2/28
alias 192.0.2.3/32
alias 192.0.2.4/32
alias 192.0.2.5/32

/etc/hostname.carp1
advskew 200 carpdev em1 carppeer 192.168.3.1 pass secret2 state backup vhid 2
inet 192.168.3.6/32

/etc/hostname.carp2
advskew 200 carpdev em2 carppeer 192.168.3.13 pass secret3 state backup vhid 3
inet 192.0.2.17/28
alias 192.0.2.29/32

/etc/hostname.pfsync0
up
syncdev em3
syncpeer 192.168.3.17


This message is already long, but if any other information would be helpful, I 
would be glad to provide it.
Any help or suggestion is appreciated.
Thank you!

Sebastien



Improved www/links+ with libtls

2015-01-27 Thread trondd
I use www/links+ often as a nice lightweight browser.  However, I
realized it didn't do any SSL certificate validation.  I found a
patch that added basic validation (while silently allowing self
signed certs) but still didn't do hostname verification.

I went in search of some examples of hostname verification with SSL
and, of course, found myself in the libtls code.  Awesome!  Why do
it myself?  It's already written for me.

So I replaced the SSL code with libtls and got a light, functional
web browser with cert verification and hostname verification.

I have a few things to clean up, but I wonder if people would be
interested in using this?  It was just a "can I do it?" project
for me as I haven't written more than a few lines of C code in ~15
years and I really wanted to use links+ safely. It helped to have 
libtls available that just gets the job done.

I don't think libressl is ported as widely as links+ so wouldn't
expect this to go upstream, though I'll try to get their feedback.
Maybe they'll be encouraged to implement the solution they want to
support.

As an aside, I also added an option to enable/disable cookies.  It
was hardcoded to allow them, but the code to turn it off was there,
except the UI for it.

Some TODOs:
Optionally allow self signed certs (not sure how to do this with 
libtls).
Add a useful error message when there is an SSL error.
Test failure cases.  With SSL, links+ would retry or abort a 
connection depending on errors libtls seems to hide. (Maybe they
never matter?)

Tim.



Re: carp failover problem

2015-01-27 Thread Christopher Barry
On Tue, 27 Jan 2015 12:01:37 -0500
"Leclerc, Sebastien"  wrote:

>Hi,
>
>I have two firewalls in a carp failover setup, but the failover does
>not work as expected... The problem happens when I reboot the backup
>firewall (while in backup state). Just after the reboot, I have these
>entries in dmesg :
>
>carp0: state transition: BACKUP -> MASTER
>carp1: state transition: BACKUP -> MASTER
>carp0: state transition: MASTER -> BACKUP
>carp1: state transition: MASTER -> BACKUP
>
>Why would there be no mention of carp2?
>And no corresponding entries on the master?
>
>States are consistent (all backup on backup, and all master on
>master), but forwarded connections hang, until I force back the master
>with this :
> sudo ifconfig -g carp carpdemote 128
> sudo ifconfig -g carp -carpdemote 128
>Between these two commands, on the backup firewall, I see traffic
>coming from WAN and DMZ, but almost nothing from LAN, so it may be
>related to the LAN switch. I cannot see what the problem is though...
>
>Here is the setup :
>
>On both firewalls :
> - em0 is connected to WAN
> - em1 is connected to LAN
> - em2 is connected to DMZ
> - em3 is interconnected with a crossover cable, used for pfsync and
> rdist
>
>WAN and DMZ connections are on the same switch, but on different
>untagged VLANs (Procurve 2524) LAN is on a separate layer 3 switch
>(Procurve 5300xl)
>
>Another strange behavior :
>With tcpdump, on the backup, I can see this traffic :
> - on em1 and em2, I see only carp advertisements to the configured
> unicast IP address and physical MAC address
> - on em3, I see only pfsync packets
> - but on em0, I see carp advertisements, but also a lot of traffic
> from the ISP router's MAC, to the virtual MAC (00:00:5e:00:01:01)
>Which situation is normal? (em0 with lots of packets, or em1/em2 with
>only carp advertisements) The only difference I see :
> - on em0, both firewalls and the ISP router are connected to the
> switch
> - on em1, both firewalls are connected to the L3 switch, which is
> also the router
> - on em2, there is no router, the firewalls communicate directly with
> hosts connected on the switch
>
>
>Common configuration (public addresses anonymized, but the network
>sizes are correct) :
>
>/etc/mygate
>192.0.2.1
>
>/etc/sysctl.conf
>net.inet.carp.preempt=1
>net.inet.ip.forwarding=1
>
>/etc/pf.conf (excerpt only)
>ext_if  = "em0"
>ext_if_carp = "carp0"
>int_if  = "em1"
>int_if_carp = "carp1"
>dmz_if  = "em2"
>dmz_if_carp = "carp2"
>sync_if = "em3"
>set skip on lo
>set skip on $sync_if
>pass quick on { $int_if, $ext_if, $dmz_if } inet proto carp keep state
>(no-sync)
>
>
>Firewall A (expected to be always master) :
>OpenBSD 5.5 (GENERIC.MP) #315: Wed Mar  5 09:37:46 MST 2014
>dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
>
>/etc/hostname.em0
>inet 192.168.3.9/30
>
>/etc/hostname.em1
>inet 192.168.3.1/29
>!route add 192.168.0.0/16 192.168.3.5
>!route add 172.16.0.0/12 192.168.3.5
>
>/etc/hostname.em2
>inet 192.168.3.13/30
>
>/etc/hostname.em3
>inet 192.168.3.17 255.255.255.252
>
>/etc/hostname.carp0
>advskew 0 carpdev em0 carppeer 192.168.3.10 pass secret1 state master
>vhid 1 inet 192.0.2.2/28
>alias 192.0.2.3/32
>alias 192.0.2.4/32
>alias 192.0.2.5/32
>
>/etc/hostname.carp1
>advskew 0 carpdev em1 carppeer 192.168.3.4 pass secret2 state master
>vhid 2 inet 192.168.3.6/32
>
>/etc/hostname.carp2
>advskew 0 carpdev em2 carppeer 192.168.3.14 pass secret3 state master
>vhid 3 inet 192.0.2.17/28
>alias 192.0.2.29/32
>
>/etc/hostname.pfsync0
>up
>syncdev em3
>syncpeer 192.168.3.18
>
>
>Firewall B (expected to be always backup) :
>OpenBSD 5.6 (GENERIC.MP) #5: Thu Dec 11 09:51:08 CET 2014
>
> r...@stable-56-amd64.mtier.org:/binpatchng/work-binpatch56-amd64/src/sys/arch/amd64/compile/GENERIC.MP
>
>/etc/hostname.em0
>inet 192.168.3.10/30
>
>/etc/hostname.em1
>inet 192.168.3.4/29
>!route add 192.168.0.0/16 192.168.3.5
>!route add 172.16.0.0/12 192.168.3.5
>
>/etc/hostname.em2
>inet 192.168.3.14/30
>
>/etc/hostname.em3
>inet 192.168.3.18/30
>
>/etc/hostname.carp0
>advskew 200 carpdev em0 carppeer 192.168.3.9 pass secret1 state backup
>vhid 1 inet 192.0.2.2/28
>alias 192.0.2.3/32
>alias 192.0.2.4/32
>alias 192.0.2.5/32
>
>/etc/hostname.carp1
>advskew 200 carpdev em1 carppeer 192.168.3.1 pass secret2 state backup
>vhid 2 inet 192.168.3.6/32
>
>/etc/hostname.carp2
>advskew 200 carpdev em2 carppeer 192.168.3.13 pass secret3 state
>backup vhid 3 inet 192.0.2.17/28
>alias 192.0.2.29/32
>
>/etc/hostname.pfsync0
>up
>syncdev em3
>syncpeer 192.168.3.17
>
>
>This message is already long, but if any other information would be
>helpful, I would be glad to provide it. Any help or suggestion is
>appreciated. Thank you!
>
>Sebastien
>

Sebastien,

Well, it's been many years since I ran carp, so I cannot actually help
with the carp config, but I can absolutely say that I have experienced a
lot of unexplainable weirdness with ProCurve switches, so I can
appreciate your suspicions there. I'll 

Re: vpn performance - C2750 vs C2758

2015-01-27 Thread Stuart Henderson
On 2015-01-27, Adam Thompson  wrote:
> On 2015-01-27 02:58 AM, Stuart Henderson wrote:
>> On 2015-01-26, Christian Weisgerber  wrote:
>> I don't think we support Quick Assist, whatever that is.
>> correct.
>> [...]
>> It doesn't look like something we can use easily.
>
> FWIW, I just read that Netgate (i.e. pfSense) committed QuickAssist 
> crypto accel support into FreeBSD 10.2 [possibly a private branch??] for 
> some ciphers.  Apologies, but I'm completely failing to find the message 
> that mentioned it on the pfSense mailing list, right now.
>
> I don't know enough about FreeBSD's cryptodev engine to know if any of 
> that work can be used here.

One problem with that codebase is that it's US crypto.



shutdown -hp now doesn't power down

2015-01-27 Thread Dorian Büttner
Good evening,

my notebook doesn't powerdown anymore when the power supply is 
connected, it just reboots (looks like it can't power off). However it 
works when run on battery only. If memory serves well, there was some 
hibernation code work in December, but at roughly the same time the 
manufacturer published a BIOS update so I can't tell what's the root 
cause here.
Also, when I close the lid the machine keeps suspend/resume cycling?

http://wikisend.com/download/975438/W740SU.DSDT.dsl
http://wikisend.com/download/111590/W740SU.tgz

dmesg attached and hopefully the wikisend thing works...

Just wanted to stray this in as I've seen a call to test what's going 
into release ;-)

Thanks,
Dorian
OpenBSD 5.7-beta (GENERIC.MP) #44: Tue Jan 27 08:33:26 CET 2015
r...@smartie.doris.net:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8489222144 (8095MB)
avail mem = 8259362816 (7876MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.7 @ 0xeb270 (35 entries)
bios0: vendor American Megatrends Inc. version "4.6.5" date 09/11/2014
bios0: Notebook W740SU
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT SSDT SSDT SSDT MCFG HPET SSDT SSDT DMAR
acpi0: wakeup devices PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) 
PXSX(S4) RP04(S4) PXSX(S4) RP05(S4) PXSX(S4) RP06(S4) PXSX(S4) RP07(S4) 
PXSX(S4) RP08(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i7-4750HQ CPU @ 2.00GHz, 1995.70 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Core(TM) i7-4750HQ CPU @ 2.00GHz, 1995.38 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Core(TM) i7-4750HQ CPU @ 2.00GHz, 1995.38 MHz
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Core(TM) i7-4750HQ CPU @ 2.00GHz, 1995.38 MHz
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 0, core 3, package 0
cpu4 at mainbus0: apid 1 (application processor)
cpu4: Intel(R) Core(TM) i7-4750HQ CPU @ 2.00GHz, 1995.38 MHz
cpu4: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID
cpu4: 256KB 64b/line 8-way L2 cache
cpu4: smt 1, core 0, package 0
cpu5 at mainbus0: apid 3 (application processor)
cpu5: Intel(R) Core(TM) i7-4750HQ CPU @ 2.00GHz, 1995.38 MHz
cpu5: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,NXE,PAGE1GB,LONG,LAHF,ABM,PERF,ITSC,FSGSBASE,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID
cpu5: 256KB 64b/line 8-way L2 cache
cpu5: smt 1, core 1, package 0
cpu6 at mainbus0: apid 5 (application processor)
cpu6: Intel(R) Core(TM) i7-4750HQ CPU @ 2.00GHz, 1995.38 MHz
cpu6: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUS

Re: vpn performance - C2750 vs C2758

2015-01-27 Thread Axton
On Tue, Jan 27, 2015 at 2:24 PM, Stuart Henderson 
wrote:

> On 2015-01-27, Adam Thompson  wrote:
> > On 2015-01-27 02:58 AM, Stuart Henderson wrote:
> >> On 2015-01-26, Christian Weisgerber  wrote:
> >> I don't think we support Quick Assist, whatever that is.
> >> correct.
> >> [...]
> >> It doesn't look like something we can use easily.
> >
> > FWIW, I just read that Netgate (i.e. pfSense) committed QuickAssist
> > crypto accel support into FreeBSD 10.2 [possibly a private branch??] for
> > some ciphers.  Apologies, but I'm completely failing to find the message
> > that mentioned it on the pfSense mailing list, right now.
> >
> > I don't know enough about FreeBSD's cryptodev engine to know if any of
> > that work can be used here.
>
> One problem with that codebase is that it's US crypto.
>
>
This pdf from Intel makes reference to OCF-Linux, a Linux port of the
OpenBSD/FreeBSD Cryptographic Framework (OCF) as it relates to QuickAssist.
http://www.intel.com/content/dam/www/public/us/en/documents/white-papers/communications-quick-assist-paper.pdf

From what I am seeing, there is a Kernel module and userland pieces
available for Linux and FreeBSD to support this capability.  In addition to
Stuart's point on the US crypto code base as it relates to export
restrictions, it is also hardware designed by a US company for strong
crypto.

Axton



What's wrong with script(1)?

2015-01-27 Thread opendaddy
Hi,

I find myself using script(1) (together with https://github.com/defunkt/gist) 
all the time. I was wondering though:

1. Why does it use CRLF line endings?

2. What's with all the startup noise?

Script started on Tue Jan 27 23:47:12 2015
# root@mybox:~# ssmtpd -dv 

Many thanks!

O.D.



Re: What's wrong with script(1)?

2015-01-27 Thread Andy Bradford
Thus said openda...@hushmail.com on Tue, 27 Jan 2015 23:03:35 +:

> 1. Why does it use CRLF line endings?
> 
> 2. What's with all the startup noise?

man script:

``script makes a typescript of everything printed on your terminal.''

more can handle the output.  less -r can also handle it.

Andy
--
TAI64 timestamp: 400054c81db4



Intel J2900 Can't Install OpenBSD AMD64 5.5 or 5.6

2015-01-27 Thread cship
Hello everyone, I have an Acer Aspire AXC-603-UR10 Desktop that has an
Intel Pentium J2900 2.41 GHz Processor. Link to the processor in this
computer:
http://ark.intel.com/products/78868/Intel-Pentium-Processor-J2900-2M-Cache-up-to-2_67-GHz

I received the same MPS issue the person who started the thread linked
below did, when I attempted to install OpenBSD 5.5.

http://openbsd.7691.n7.nabble.com/cheap-and-low-power-quad-core-server-with-Intel-J1900-td256121.html

When I attempt to install OpenBSD 5.6, I get other errors too.

When I try to install install56.fs, booting hangs. The first
sign of trouble is this message: ppb0 at pci0 dev 28 function 0 vendor
"Inetl". unknown product 0x0f48 rev 0xe: msi
Linked is a photo of what I see: https://i.imgur.com/mte5beYh.jpg

When I tried to install the OpenBSD floppy56.fs image from a USB
stick, with emulate floppy selected in the BIOS, I receive a stream of
alternating errors running down the screen. The errors are "NMI port 61
20, port 70 ff" and "NMI port 61 30, port 70 ff" So it appears that the
20 and 30 are flickering.
Linked is a photo of what I see: https://i.imgur.com/qxJAmzsh.jpg

I'm stuck with Linux because I can't get OpenBSD to install, which I
hope will change. Linked below are the outputs of lshw and dmesg. 
Here is a link to the raw lshw and dmesg:
http://www.pastebin.ca/2882575



root@linux ~ # lshw -sanitize

computer  
description: Desktop Computer
product: Aspire XC-603 ()
vendor: Acer
serial: [REMOVED]
width: 64 bits
capabilities: smbios-2.8 dmi-2.7 vsyscall32
configuration: administrator_password=disabled boot=normal
chassis=desktop family=Acer Desktop power-on_password=disabled
uuid=[REMOVED]
  *-core
   description: Motherboard
   product: Aspire XC-603
   vendor: Acer
   physical id: 0
   serial: [REMOVED]
 *-firmware
  description: BIOS
  vendor: American Megatrends Inc.
  physical id: 0
  version: P11-B2
  date: 08/28/2014
  size: 64KiB
  capacity: 5056KiB
  capabilities: pci upgrade shadowing cdboot bootselect
socketedrom edd int13floppy1200 int13floppy720 int13floppy2880
int5printscreen int9keyboard int14serial int17printer acpi usb
biosbootspecification uefi
 *-memory
  description: System Memory
  physical id: c
  slot: System board or motherboard
  size: 4GiB
*-bank:0
 description: SODIMM DDR3 1333 MHz (0.8 ns)
 product: ACR16D3LS1KFG/4G
 vendor: Kingston
 physical id: 0
 serial: [REMOVED]
 slot: DIMM0
 size: 4GiB
 width: 64 bits
 clock: 1333MHz (0.8ns)
*-bank:1
 description: SODIMM [empty]
 vendor: Empty
 physical id: 1
 serial: [REMOVED]
 slot: DIMM1
 *-cache:0
  description: L1 cache
  physical id: 18
  slot: CPU Internal L1
  size: 224KiB
  capacity: 224KiB
  capabilities: internal write-back
 *-cache:1
  description: L2 cache
  physical id: 19
  slot: CPU Internal L2
  size: 2MiB
  capacity: 2MiB
  capabilities: internal write-back unified
 *-cpu
  description: CPU
  product: Intel(R) Pentium(R) CPU  J2900  @ 2.41GHz
  vendor: Intel Corp.
  physical id: 1a
  bus info: cpu@0
  version: Intel(R) Pentium(R) CPU J2900 @ 2.41GHz
  slot: SOCKET 0
  size: 2410MHz
  width: 64 bits
  clock: 83MHz
  capabilities: x86-64 fpu fpu_exception wp vme de pse tsc msr
pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx
fxsr sse sse2 ss ht tm pbe syscall nx rdtscp constant_tsc arch_perfmon
pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf pni pclmulqdq
dtes64 monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr pdcm sse4_1 sse4_2
movbe popcnt tsc_deadline_timer rdrand lahf_lm 3dnowprefetch ida arat
epb dtherm tpr_shadow vnmi flexpriority ept vpid tsc_adjust smep erms
cpufreq
  configuration: cores=4 enabledcores=4 threads=4
 *-pci
  description: Host bridge
  product: Atom Processor Z36xxx/Z37xxx Series SoC Transaction
Register
  vendor: Intel Corporation
  physical id: 100
  bus info: pci@:00:00.0
  version: 0e
  width: 32 bits
  clock: 33MHz
  configuration: driver=iosf_mbi_pci
  resources: irq:0
*-display
 description: VGA compatible controller
 product: Atom Processor Z36xxx/Z37xxx Series Graphics &
Display
 vendor: Intel Corporation
 physical id: 2
 bus info: pci@:00:02.0
 version: 0e
 width: 32 bits
 clock: 33MHz
 

Mystery Free Linux

2015-01-27 Thread Duncan Patton a Campbell
http://phys.org/news/2015-01-high-end-upstream-linux-laptop-ship.html

"the first high-end laptop in the world that ships without mystery software in 
the kernel, operating system, or any  software applications."  

Can this be?  No binary blobs?  

Dhu (inquiring minds, bla bla bla)

-- 
Ne obliviscaris, vix ea nostra voco.



Re: shutdown -hp now doesn't power down

2015-01-27 Thread Mike Larkin
On Tue, Jan 27, 2015 at 11:37:29PM +0100, Dorian Büttner wrote:
> Good evening,
> 
> my notebook doesn't powerdown anymore when the power supply is 

"anymore" ... when did it last work?

-ml

> connected, it just reboots (looks like it can't power off). However it 
> works when run on battery only. If memory serves well, there was some 
> hibernation code work in December, but at roughly the same time the 
> manufacturer published a BIOS update so I can't tell what's the root 
> cause here.
> Also, when I close the lid the machine keeps suspend/resume cycling?
> 
> http://wikisend.com/download/975438/W740SU.DSDT.dsl
> http://wikisend.com/download/111590/W740SU.tgz
> 
> dmesg attached and hopefully the wikisend thing works...
> 
> Just wanted to stray this in as I've seen a call to test what's going 
> into release ;-)
> 
> Thanks,
> Dorian

Re: Mystery Free Linux

2015-01-27 Thread Theo de Raadt
>http://phys.org/news/2015-01-high-end-upstream-linux-laptop-ship.html
>
>"the first high-end laptop in the world that ships without mystery software in 
>the kernel, operating system, or any  software applications."  
>
>Can this be?  No binary blobs?  

It is complete and total BS.

If you dig down deep enough into what they are doing, you will see
this is a major manufacturer sales pitch mixed with a flopped PR
campaign by RMS that is settling for accepting a failure rather than
admitting defeat.

Don't waste your money on a false ideal by someone who misunderstands
modern hardware and the market forces.