Re: php/httpd segfaults after 5.2 upgrade (trace inline)
2012/11/6 André Stöbe :
>> PHP web interface (installed with the zabbix-web package). Upon
> The functions
>
> execute
> suhosin_execute_ex
> zend_do_fcall_common_helper_SPEC
>
> loop over and over again, in exactly this order.

Hi, I had the same problem a while ago with Cacti. I don't remember exactly what solved it in the end, but there was mysql involved. Database permissions, or maybe I forgot to create some of the tables/views it accessed, or something like that. I fixed it by repeating the installation procedure as written in the manual.

Because I have no intentions of learning the guts of the PHP interpreter, the method I used back then was the stupidest of them all: adding die("hard"); after every suspicious line in the execution path. The function that failed was a MySQL one, IIRC. You can try repeating that...

-- Martin Pelikan
Re: altq: upsteam and downstream
> Hello misc, I'm a bit confused with understanding such things.
> I have a symmetrical channel to the Internet with 20 Mbits and
> openbsd5.2 as gateway, with NAT.
> Imagine I defined ALTQ on $ext_if and on $int_if.
> Am I right that:
> 1) ALTQ on $ext_if will be applied for upstream channel (i.e. "upload speed"
> from the point of view of the client behind the NAT)?
> 2) ALTQ on $int_if will be applied for download channel (i.e. "download speed"
> from the point of view of the client behind the NAT)?
> To put it more simply, take for example http://speedtest.net.
> After the test I have two results: download and upload speed.
> Is it true, that if I apply queue for myself in filter rule, it will
> work for both download and upload in the terms of speedtest.net, but only for
> upstream channel in the terms of ALTQ?
> Or am I totally wrong? Because I read man, faq, ca/REMOVED\org,
> BANDWIDTH MANAGEMENT by Benjamin Heckmann, misc, etc
> and still can't understand how upstream and downstream channel speed
> correlates with ALTQ and upload and download speeds for clients behind NAT.
ext_if=xl0
int_if=fxp0
queues_for_download="small big"
queues_for_upload="how about you go try it first and post a real problem"

altq on $ext_if hfsc bandwidth 20Mb queue { $queues_for_download }
altq on $int_if hfsc bandwidth 20Mb queue { $queues_for_upload }

queue small on $ext_if bandwidth 1Mb hfsc(default ecn)
queue big on $ext_if bandwidth 10Mb hfsc(ecn upperlimit 20Mb)

queue how bandwidth 1Mb hfsc(ecn realtime 2Mb)
queue about bandwidth 5Mb hfsc(default ecn upperlimit (10Mb, 1, 5Mb))
queue you bandwidth 64Kb hfsc(ecn upperlimit (1Mb, 3000, 300Kb))
queue go bandwidth 64Kb hfsc(ecn upperlimit (1Mb, 3000, 300Kb))
queue try bandwidth 64Kb hfsc(ecn upperlimit (1Mb, 3000, 300Kb))
queue it bandwidth 64Kb hfsc(ecn upperlimit (1Mb, 3000, 300Kb))
queue first bandwidth 64Kb hfsc(ecn upperlimit (1Mb, 3000, 300Kb))
queue and bandwidth 64Kb hfsc(ecn upperlimit (1Mb, 3000, 300Kb))
queue post bandwidth 64Kb hfsc(ecn upperlimit (1Mb, 3000, 300Kb))
queue a bandwidth 64Kb hfsc(ecn upperlimit (1Mb, 3000, 300Kb))
queue real bandwidth 64Kb hfsc(ecn upperlimit (1Mb, 3000, 300Kb))
queue problem bandwidth 64Kb hfsc(ecn upperlimit (1Mb, 3000, 300Kb))

pass out on $ext_if to speedtest.net queue big
pass out on $int_if from speedtest.net queue problem

# Hint: it really helps if queues in both directions are the same name,
# if you're, say, shaping multiple customers in both ways.
# Remember, the rules create state, and queueing applies to that state.
# So, if anything matches to queue "big", it'll look for "big" on each
# direction, and appear on the queue it goes out on.
# This way you'll get bi-directional shaping using just one rule.
#
# Remember, never trust anything you didn't test yourself first.

-- Martin Pelikan
Re: altq: upsteam and downstream
> queues_for_download="small big"
> queues_for_upload="how about you go try it first and post a real problem"
>
> altq on $ext_if hfsc bandwidth 20Mb queue { $queues_for_download }
> altq on $int_if hfsc bandwidth 20Mb queue { $queues_for_upload }

Oops. Of course, swap "download" for "upload" in all this. Stuff queued going out is usually called upload, and it is on your egress interfaces. This queueing happens when traffic leaves the machine. Sorry. (this confusion sometimes happens to almost everyone I know) :-(

-- Martin Pelikan
Re: OpenBSD 5.0-current (GENERIC) #65: Thu Nov 3 00:58:36 MDT 2011
On Thu, Jan 19, 2012 at 06:16:59PM +0100, Francois Pussault wrote:
> I use this :
> # echo $PKG_PATH
> ftp://ftp.openbsd.org/pub/OpenBSD/5.0/packages/sparc64/

In case someone googles that and would think it's a good idea to set the variable like so, here's a better alternative:

echo 'export PKG_PATH=ftp://ftp.XX.openbsd.org/pub/OpenBSD/`uname -r`/packages/`uname -m`/' >> ~/.profile

for -release and -stable, or

echo 'export PKG_PATH=ftp://ftp.XX.openbsd.org/pub/OpenBSD/snapshots/packages/`uname -m`/' >> ~/.profile

for guess what? -current of course! Even though your -current might not be exactly the same one these packages were built on.

I hope nothing in the way will truncate it to 80 chars per line, sorry in advance; plus substitute XX for your favourite mirror, ftp.openbsd.org doesn't seem to have much bandwidth and IIRC neither did the first mirror in alphabetical order last time I tried -> http://www.openbsd.org/ftp.html

The quotes are there for a purpose: if you upgrade more systems at once manually, every step like "edit .profile for new system version" counts. So don't be lazy and find the backtick on your keyboard layout :-)

To start a new discussion; why is it "OpenBSD/version/packages/arch" and not "OpenBSD/version/arch/packages", so the list of architectures is there twice? Historical reasons? I mean, compared to the mess some Linux distros have in their package management this already is a blessing, but still... (it's probably irrelevant, so don't bother to start flamewars)

-- Martin Pelikan
Re: tables behavior with in bracket anchor
On Tue, Apr 17, 2012 at 10:51:31AM -0400, Michel Blais wrote:
> rule inside of a in bracket anchors, pf will see no rule using the table
> and delete it. As a work around, I use persist option.

I don't know if things have changed in the pfctl parser, but a way to be sure is to have per-anchor config files, like so:

$ cat my.conf
table <ausfahrt> persist
pass from <ausfahrt>
$ sudo pfctl -a potazmo -f my.conf
$ sudo pfctl -a potazmo -sT
ausfahrt
$ sudo pfctl -sT | grep ausfahrt
$

...and then load the anchor in the main file using:

load anchor potazmo from "my.conf"

-- Martin Pelikan
Re: OpenBSD 5.1 XEN HVM DomU - kernel panic
On Wed, Jun 06, 2012 at 04:04:22PM +0200, Andre Keller wrote:
> is anybody running OpenBSD as a XEN HVM guest? I have a difficult time
> accomplishing that...

Hi, I'm insane and I do that for a long time, because I don't really have a lot of options there.

> The XEN guest does boot up and is usable. When I f.e. do a cvs checkout of
> ports the machine panics about every other time.

I'm on Centos 5 without problems here, both with 5.1-release and -current snapshot. The performance is horrible as always, though.

> ddb> trace
> cpu_switchto() at cpu_switchto+0x4b

Hint: when you are seeing crashes inside a context switch, someone may be interested in what processes took part in the switch, like "show proc $rdi" and "show proc $rsi". Then, "sh reg" and "x /x,30 $rsp" for starters. (pity it won't fit all on one screen)

Also, you can say if you ran other versions of OpenBSD on the same configuration, or messed with the hypervisor's kernel lately, or if it is a new install on an out of the box dom0 that just happens to fail.

-- Martin Pelikan

OpenBSD 5.1-current (GENERIC) #258: Mon Jun 11 11:52:20 MDT 2012
    t...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 535797760 (510MB)
avail mem = 499265536 (476MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.4 @ 0xe901f (10 entries)
bios0: vendor Xen version "3.1.2-194.3.1.el5" date 03/07/2012
bios0: Red Hat HVM domU
acpi0 at bios0: rev 2, ACPI control unavailable
mpbios0 at bios0: Intel MP Specification 1.4
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz, 2388.47 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,CFLUSH,DS,MMX,FXSR,SSE,SSE2,SS,SBF,SSE3,DS-CPL,SSSE3,CX16,xTPR,PDCM,NXE,LONG,LAHF
cpu0: 4MB 64b/line 16-way L2 cache
cpu0: apic clock running at 99MHz
mpbios0: bus 0 is type ISA
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 11, 48 pins
ioapic0: misconfigured as apic 0, remapped to apid 1
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0:
wd0: 16-sector PIO, LBA48, 10240MB, 20971520 sectors
wd0(pciide0:0:0): using PIO mode 0, DMA mode 2
pciide0: channel 1 disabled (no drives)
piixpm0 at pci0 dev 1 function 2 "Intel 82371AB Power" rev 0x03: SMBus disabled
vga1 at pci0 dev 2 function 0 "Cirrus Logic CL-GD5446" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
"XenSource Platform Device" rev 0x01 at pci0 dev 3 function 0 not configured
em0 at pci0 dev 4 function 0 "Intel PRO/1000MT (82540EM)" rev 0x03: apic 1 int 5, address 00:16:3e:90:cc:2d
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16450, no fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: density unknown
fd1 at fdc0 drive 1: density unknown
nvram: invalid checksum
mtrr: Pentium Pro MTRR support
vscsi0 at root
scsibus0 at vscsi0: 256 targets
softraid0 at root
scsibus1 at softraid0: 256 targets
root on wd0a (4792285ca7b2d7f5.a) swap on wd0b dump on wd0b
clock: unknown CMOS layout
Re: Does pfsync require same firewall rules on each fw?
2012/6/29 Matt Hamilton :
> Hi All,
>
> Does pfsync require firewalls to have the same firewall rules on all
> hosts in the sync group? May seem an odd thing to ask, but I have a
> situation in which I have two firewalls on different sides of my
> network, each one connected to a different external
> network. Occasionally due to BGP weights etc we might get asymmetric
> packet flow and packets come into our network via one firewall and out
> via the other. This is a problem for pf's state system and the only
> way I've been able to work around it is to not keep state at all --
> obviously not a great idea.

Hi. pfsync only synchronizes states. Which rules created them is irrelevant. If you have a PI address space, you're probably fine. Don't forget to provide a stable and possibly separate link between the routers, IPsec tunnel or a VLAN, or don't rely on multicast and set syncpeers. On an open network it can sometimes bite, which is probably caused by others using similar multicast addresses, or I don't know.

> But, I was wondering... could I use pfsync to sync states across from
> one side of the network to the other? Do pfsync packets contain
> reference to the firewall rule number or specific interface? Or does
> it just have information specific to the packet itself (ie, src
> address, dst address, sequence numbers etc)?

http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_pfsync.h?rev=1.44

struct pfsync_upd_c {
	u_int64_t			id;
	struct pfsync_state_peer	src;
	struct pfsync_state_peer	dst;
	u_int32_t			creatorid;
	u_int32_t			expire;
	u_int8_t			timeout;
	u_int8_t			state_flags;
	u_int8_t			_pad[2];
} __packed;

Imagine what would you gain if you forced people to use the same rules or even the same interface names. These are completely separate things.

-- Martin Pelikan
Re: NSD vs BIND
2012/8/22, Gabriel Kihlman :
> Chris Cappuccio writes:
>
>> I don't think the in-tree bind supports dnssec.
>
> Just for the archives; it does, I am using it.

It does not support NSEC3 records, which in today's world can result in bad queries (there's a hash inside of a readable domain name) and consequently in someone's website being inaccessible. There's a reason BIND is being updated, but unfortunately more reasons why it's not done so in OpenBSD base. Most of them have a CVE article already.

If I were you, I'd consider BIND in our base as a legacy option and go straight for NSD. Seriously, it's just a matter of time before someone in your network notices this and will wonder why some websites load and others not.

-- Martin Pelikan
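An added example, not code from this thread or from BIND/NSD, showing what the post means by a hash inside a domain name: the NSEC3 owner-name computation from RFC 5155 in Python, plus the lookup a validating resolver does on the hashed chain to prove a name is absent. The salt aabbccdd and 12 iterations are sample parameters and the zone names are constructed.

```python
import base64
import hashlib

# NSEC3 owner labels use the RFC 4648 "Extended Hex" base32 alphabet because
# it keeps the sort order of the hashed bytes; Python only ships the standard
# alphabet, so translate between the two.
_B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_HEX = str.maketrans(_B32_STD, _B32_HEX)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed
    labels, terminated by the root label (a zero byte)."""
    name = name.lower()
    if not name.endswith("."):
        name += "."
    if name == ".":
        return b"\x00"
    wire = bytearray()
    for label in name[:-1].split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r} in {name!r}")
        wire.append(len(raw))
        wire += raw
    wire.append(0)
    return bytes(wire)


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5 with hash algorithm 1 (SHA-1):
    IH(salt, x, 0) = H(x || salt), IH(salt, x, k) = H(IH(salt, x, k-1) || salt).
    Returns the lowercase base32hex string that becomes the NSEC3 owner label.
    A salt of "-" means no salt, as in zone-file notation."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes -> 32 base32 characters, no padding needed
    return base64.b32encode(digest).decode("ascii").translate(_TO_HEX).lower()


def nsec3_owner_name(name: str, zone: str, salt_hex: str, iterations: int) -> str:
    """The owner name the NSEC3 RR for `name` is published under in `zone`:
    an opaque hash where a readable name used to be."""
    zone = zone.lower().rstrip(".") + "."
    return f"{nsec3_hash(name, salt_hex, iterations)}.{zone}"


def covering_owner(chain, target_hash):
    """Given the hashed owner names making up a zone's NSEC3 chain, return
    the owner whose (owner, next-owner) interval covers target_hash, i.e. the
    record a resolver needs to prove the queried name does not exist.
    Returns None when target_hash is itself an owner (the name exists)."""
    owners = sorted(h.lower() for h in chain)
    if target_hash in owners:
        return None
    for i, owner in enumerate(owners):
        nxt = owners[(i + 1) % len(owners)]
        if owner < nxt and owner < target_hash < nxt:
            return owner
        if owner >= nxt and (target_hash > owner or target_hash < nxt):
            return owner  # the last record wraps around to the first
    return None
```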
Re: OpenBSD 5.2-current - "panic: mtx_enter: locking against myself"
On Wed, Sep 12, 2012 at 02:18:06PM +0200, Maxim Bourmistrov wrote:
> Hi,
>
> I'm getting "panic: mtx_enter: locking against myself" on not so
> -current OpenBSD 5.2-current (snapshot).
>
> Machine is not dropping into ddb even if sysctl.conf says it should.
> Console is filled with "panic: mtx_enter: locking against myself"
> and seems to loop.

Hi! Can we add something along these lines, to know at least something useful in these cases? Maybe, if someone had the binary/symbol table lying around, one could trace where it came from (somewhere near ddb entry perhaps?). Haven't tested it, though :-(

-- Martin Pelikan

Index: arch/amd64/amd64/mutex.S
===
RCS file: /cvs/src/sys/arch/amd64/amd64/mutex.S,v
retrieving revision 1.8
diff -u -p -r1.8 mutex.S
--- arch/amd64/amd64/mutex.S	24 Sep 2010 13:21:30 -	1.8
+++ arch/amd64/amd64/mutex.S	12 Sep 2012 17:51:02 -
@@ -83,9 +83,10 @@ ENTRY(mtx_enter)
 	jz	1b
 	jmp	3b
 #ifdef DIAGNOSTIC
-4:	movq	$5f, %rdi
+4:	movq	%rdi, %rsi
+	movq	$5f, %rdi
 	call	_C_LABEL(panic)
-5:	.asciz "mtx_enter: locking against myself"
+5:	.asciz "mtx_enter: locking against myself, %p"
 #endif
 
 ENTRY(mtx_enter_try)
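Review bot: the new `movq %rdi, %rsi` is only meaningful if %rdi still holds the struct mutex pointer mtx_enter was called with when control reaches label 4; the hunk shows just the `jz 1b` / `jmp 3b` tail above it, so check that the earlier part of the routine has not reused %rdi before this diagnostic branch, otherwise the `%p` in the new string prints junk (the cover note says the diff is untested). Apart from that the change is self-consistent: one extra argument in %rsi, one `%p` added to the format string, and the `@@ -83,9 +83,10 @@` line counts match the single added instruction.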
Re: problem setting inet6 route
On Tue, Sep 04, 2012 at 08:13:59AM +0200, Remi Locherer wrote:
> On Sat, Sep 01, 2012 at 01:29:02PM -0700, Philip Guenther wrote:
> > On Fri, Aug 31, 2012 at 7:52 AM, Remi Locherer
> > wrote:
> > > On Fri, Aug 31, 2012 at 09:47:39AM -0400, Simon Perreault wrote:
> > >> On 2012-08-31 03:19, Remi Locherer wrote:
> > >> >I rented a server from Hetzner where I installed OpenBSD 5.1. Hetzner
> > >> >also
> > >> >provides IPv6 but somehow with a strange setup. I got something like the
> > >> >following from them:
> > >> >
> > >> >Gateway Address: 2001:db8:1:1110::1/64
> > >> >Subnet I can use: 2001:db8:1:/64
> > >
> > > This works. But I have to figure out (ask Hetzner) if I'm the only
> > > customer they use 2001:db8:1:1110::/64 (I think so).
> >
> > I think the question I would have asked them is
> >     What does your box (2001:db8:1:1110::1) need in order for it to
> >     figure out how to send packets for my network (2001:db8:1:::/64)
> >     to my box? Does my box need to have a specific address or send
> >     out router advertisements?
> >
> > I.e., how is their box going to get the ethernet address of
> > your box so that it can send the packets to it?
>
> I now got an answer from Hetzner:
> - I'm not allowed to use an address from the gateway subnet. They will
>   block my traffic if I'm using such an address
> - They recommend that I configure a /59 prefix. In my opinion this makes
>   no sense. I now configured a /63 prefix which contains my subnet and
>   the gateway subnet (this works).
>
> They did not explain how their gateway is configured to send traffic to
> my host without configuring a specific address on my host.

It's a good practice to use link-local addresses for default routes. ICMPv6 Redirects won't work with the global ones for example, because one of the RFCs requires the redirect packet's source address to match the address you sent it to in the first place. Try telling them that.

Or ask them why they can't take one of your addresses and use it for their gateway? This is just crazy. Yes, their MAC addresses/{U,G,D}UIDs can change; that's why you need to ask them first. It also helps if they're running CARP/VRRP, because if they don't play with VHIDs, their MAC addresses don't change with their infrastructure :-)

-- Martin Pelikan
Re: quick query.
2012/10/10 Peter N. M. Hansteen :
> I tend to keep the following line in my ~/.profile
>
> export
> PKG_PATH=http://ftp.eu.openbsd.org/pub/OpenBSD/snapshots/packages/`uname -m`/

Hi, as sthen@ kindly corrected me some time ago, we now have pkg.conf(5) and "installpath". This way it'll work even if you don't invoke package updates from your shell, but using some kind of remote administration software for example.

-- Martin Pelikan
Re: EAP-TLS WPA support
2011/10/20 Alexey E. Suslikov :
> Vadim Zhukov gmail.com> writes:
> http://www.rz.rwth-aachen.de/aw/cms/rz/Themen/unsere_dienste/kommunikation/netzbetrieb/dienste/wlan/installation/~sib/openbsd/?lang=en

Well, that rc.conf option seems FreeBSD. AFAIK, OpenBSD doesn't support "enterprise WPA". You can try implementing it yourself. The last PDF I saw had about 1000 pages and basically was describing how to interconnect WPA, EAPOL (802.1x) and 802.11 state machines, and then implement like 42 different authentication mechanisms on top of that. Many people have asked that question and nobody seems to have the time to write the code and test it against different RADIUS servers. Good luck with that.

FYI: porting current wpa_supplicant or writing a new implementation (into iked?) to me seemed like the same effort, since the protocol suite is pretty complicated. But I gave it just a quick look (and moved to more important things to do).

-- Martin Pelikan
Re: network bandwith with em(4)
-PCI" rev 0xa5
pci4 at ppb3 bus 4
vga1 at pci4 dev 3 function 0 "Matrox MGA G200eW" rev 0x0a
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
pcib0 at pci0 dev 31 function 0 "Intel 3400 LPC" rev 0x05
pciide0 at pci0 dev 31 function 2 "Intel 3400 SATA" rev 0x05: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI
pciide0: using apic 5 int 19 (irq 14) for native-PCI interrupt
wd0 at pciide0 channel 0 drive 0:
wd0: 16-sector PIO, LBA48, 38166MB, 78165360 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 6
ichiic0 at pci0 dev 31 function 3 "Intel 3400 SMBus" rev 0x05: apic 5 int 18 (irq 7)
iic0 at ichiic0
iic0: addr 0x18 00=00 01=00 02=00 03=00 04=00 05=c1 06=00 07=21 08=01 09=60 0a=a4 0b=2c 0c=00 0d=00 words 00=00ef 01= 02= 03= 04= 05=c184 06=0054 07=2101
spdmem0 at iic0 addr 0x50: 2GB DDR3 SDRAM ECC PC3-10600 with thermal sensor
pciide1 at pci0 dev 31 function 5 "Intel 3400 SATA" rev 0x05: DMA, channel 0 wired to native-PCI, channel 1 wired to native-PCI
pciide1: using apic 5 int 19 (irq 14) for native-PCI interrupt
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
wbsio0 at isa0 port 0x2e/2: W83627DHG rev 0x25
lm1 at wbsio0 port 0xa10/8: W83627DHG
mtrr: Pentium Pro MTRR support
uhub1 at uhub0 port 1 "Intel Rate Matching Hub" rev 2.00/0.00 addr 2
softraid0 at root
root on wd0a swap on wd0b dump on wd0b

-- Martin Pelikan
Re: network bandwith with em(4)
2011/3/23 Kapetanakis Giannis :
> I'm testing myself a 2 port 82571EB on a new fw.
> How are you doing the pps test?

I'm actually reporting the values found in the first systat page. I have a suspicion these counters act weird on cloning interfaces (I saw the IPKTS being twice as much as OPKTS on a router without much local-originating/consuming traffic, with fifty carps and vlans on one side and bgp on the other), but in all of these tests the values were more or less the same - around 200k each. The bandwidth was distributed 113MB/s inbound and 70MB/s outbound (depending on the way of course), and I watched it in systat ifs.

2011/3/23 Theo de Raadt :
> -current kernels contain an option called POOL_DEBUG which has a pretty
> high impact on network traffic. Unfortunately POOL_DEBUG is useful..

Thank you! I've only played with DEBUG once, but after failing to explain some of the behaviour I consider myself not educated enough to play with kernel options... Unfortunately I probably won't be able to repeat the tests for some time now, as the machine is already in production.

-- Martin Pelikan
Re: Is it safe to run tcpdump?
2011/3/5 Nigel Taylor :
> $ sudo tcpdump -qn -w /pathto/xxx.pcap dst net 192.168.1.0/24 &
>
> Also ensure that there is enough space for xxx.pcap on the filesystem.

Also don't forget to set the snaplen properly, if you ever want to "go deep" with "auditing".

sudo tcpdump -qns 1500 -w ...

-- Martin Pelikan
Re: OSPFD: No buffer space available
2011/4/1 Mindless Gr :
> Hello List :)
>
> I came through a problem and I need your opinion about it. I have noticed that
> sometimes I get this type of errors in my /var/log/daemon file and these
> times my ospf adjacency goes to loading and full again as you see on the logs.
> A little research over the internet didn't come up with any results. When this
> message appears on the logs, I have tried to do netstat -m and it gave me 5032
> Kbytes allocated to network (77% in use) which normally is 6 - 15%. How can I
> increase this buffer? Or does this problem come from somewhere else?

Check your altq settings. Maybe you'll have to increase the particular qlimit a bit. I use this like so:

queue lowdelay bandwidth 4Mb qlimit 600 priority 5 hfsc(ecn realtime 256Kb upperlimit 20Mb)
...
pass on insidenet proto ospf keep state (no-sync) queue lowdelay
pass on insidenet to 224.0.0.0/4 queue (some_big_queue, lowdelay)

But this machine is quite loaded - consider increasing the limits by several smaller steps. I'm posting this also because someone can tell _me_ what I'm doing wrong - any thoughts?

-- Martin Pelikan
Re: Is VPN initiation by traffic possible?
2011/4/15 Reyk Floeter :
> Short answer: Yes, it works.

Yes, it does. But...

> See also:
> http://www.allard.nu/openbsd/maillist/archive/200608/1331.html

See also: http://old.nabble.com/isakmpd---get-CRLs-to-work-td30629580.html

That basically means if you're using X.509 PKI and someone compromises one of your certificates, simple revocation (and updating the CRLs properly) won't work - the kicked client can just reconnect back. I've tested that once again on 4.8-release and even when both isakmpds load the newest CRL, the revoked client is allowed in anyway, creates flows and happily communicates. That patch raises a lot of XXXs because I simply needed a quick fix and don't really much understand the way that part of isakmpd is written. But none of the developers seemed to care about this so far, so I guess nobody uses it anyway :-)

So, if your client is just one bank, use RSA keys. It's also easier to configure. But I think people with lots of clients should be aware of this bug (or does the revocation actually work for anyone?)

> Note that iked(8) doesn't support this type of configuration yet. It
> does understand the acquire/require messages from the kernel but
> currently requires to have an active flow from an initial IKEv2
> handshake. It is on our TODO list ;-).

iked(8) and certificate revocation work just fine.

-- Martin Pelikan
Re: linux default shell, how annoying
2011/4/22 frantisek holop :
> i imagine linux scripts often being full of bashisms, so moving to dash
> must have meant for the debian people to go through their tree to get
> rid of those. in which case replacing dash with pdksh for system
> scripts could be fine.

I guess you overestimate "the debian people". Have you ever tried to run Apache in a chroot jail in debian? Or restart the 'networking' service over ssh? Replacing one crap with other doesn't necessarily mean getting things right. In fact, almost never...

When I sought ksh in Linux, pdksh quickly became out of the question since it doesn't support tab-completion at all. mksh seems to work fine - thanks to Kevin for posting on this list.

-- Martin Pelikan
Re: altq cripples other connections as well
2011/5/12 Tom Murphy :
> Can someone recommend what the qlimit and tbr should be when throttling
> a connection to just under 100 megabits?

From what I observed, for TCP the defaults are mostly sufficient (if you're not running tests originating at the router). I've never played with tbr (didn't need to). As for UDP, I use qlen 600 because of small DNS bursts (usually once per two hours); apart from suppressing messages in logs I don't think it was actually necessary. It usually handles from 40 to 120 mbit/s of traffic.

> One of my concerns is we have an OpenVPN running with UDP. Lots of
> dropped packets would be rather catastrophic for it.

When dropped packets are 'rather catastrophic', why on earth do you use udp then?

-- Martin Pelikan
Re: Testing OpenLDAP 2.4.23p1 on OpenBSD 4.9
2011/5/13 Stuart Henderson :
> you're confused between OpenLDAP and ldapd -
>
> ldapd is the OpenBSD LDAP daemon, part of the base OS.
>
> the OpenLDAP daemon is called slapd, installed with the openldap-server
> package.

Unfortunately, the OpenBSD ldapd isn't fully finished yet (even the man page says that). So, if you plan to use it, make sure everything you need works nicely for you. I remember testing it a couple of months ago on 4.8-stable - for example if you fed it a mod_replace query to delete one value from a field with more of them (typically groups->memberUid), it wouldn't touch the one you wanted out and just delete the rest :-) Or there were some crashes on searches for non-existent users/groups/dunno. But that may be already fixed. If martinh@ is reading this, maybe he'll find it useful. Because otherwise the daemon rocks, easy-to-use-configuration and memory-wise.

If anyone's interested, I was using the simplest possible setup for users and groups database to log in against:

# the very top
dn: o=storkhole
objectClass: top
objectClass: domain
o: storkhole

# ou=Users
dn: ou=Users,o=storkhole
objectClass: organizationalUnit
description: all the fancy users
ou: Users

# ou=Users, uid=myusr1 (an example of a user)
dn: uid=myusr1,ou=Users,o=storkhole
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
uid: myusr1
cn: canonical name
sn: surname
homeDirectory: /home/myusr1
loginShell: /bin/ksh
mail: m...@mail.com
uidNumber: 1001
gidNumber: 100
userPassword: {CRYPT}$1$qc3rdebg$H5DsvSd4.1gjTfGPQZex67

# ou=Groups
dn: ou=Groups,o=storkhole
objectClass: organizationalUnit
description: all the fancy groups
ou: Groups

# ou=Groups, cn=mygroup1 (an example of a group)
dn: cn=mygroup1,ou=Groups,o=storkhole
objectClass: top
objectClass: posixGroup
cn: mygroup1
gidNumber: 1001
memberUid: myusr1

-- Martin Pelikan
Re: xxxterm and firefox35 May 11 snapshot
2011/5/15 Ted Unangst :
> On Sat, May 14, 2011 at 4:05 PM, Amit Kulkarni wrote:
> Determining which package needs rebuilding is really hard. It's much
> easier to install a complete matched set.

I believe some Linuxes do something like 'find /usr/local/lib -name lib*.so* -exec ldd {} ";" > stuff' and then match stuff's "not found" lines against all installed packages' PLIST. Is there more difficulty to it? I mean, besides that OpenBSD's ldd fails to write anything if only one library is missing, but that can't be too hard to write/port, can it? And yes, it's painfully slow and stupid, but fortunately for us unnecessary most of the time.

By the way, with the vmmap diff firefox4 and everything works just fine for about 3 days now. Thanks!

-- Martin Pelikan
Re: Terminate IPSEC tunnel in virtual routing domain
2011/5/17 James Records :
> Not sure about this but try doing it this way:
>
> route -T 1 exec netstat -an -f inet

Peeking at the netstat code, the -a uses kread(), which signals people are afraid of it and those parts are to be rewritten using some standardized sysctl() interface, and then made rdomain compatible. And netstat -T1 and route -T1 exec netstat should be equivalent, IMO. This needs to be confirmed by some developer though. Otherwise it's just a piece of gossip.

>> as long as em0 on system2 is in rdomain 0 (zero)
>> everything seems fine and using tcpdump i can see bi-directional traffic on
>> UDP/500
>> as soon as i put em0 on system2
>> into rdomain 1 using 'ifconfig em0 192.168.1.200 rdomain 1' my headache
>> starts...
>> i can check routing for domain 1
>> using 'netstat -rn -T1'
>> i can ping 192.168.1.200 using 'ping -V1 192.168.1.200'
>> *but*
>> i do no longer see em0 in
>> 'netstat -an -f inet' so i am not able to see if the listener for UDP/500
>> started on the em0 interface (only interfaces
>> in rdomain 0 (zero) are displayed)
>> bi-directional traffic for port UDP/500 stops

Is the isakmpd process still running? Did you really run it like 'route -T1 exec isakmpd'? Because with httpd it seems to work fine for me (different setup, but works). netstat -a displays all of them all the time.

>> maybe i should try GRE with IPSEC on top of
>> that...(?)

Not sure it'd help.

-- Martin Pelikan
Re: OpenBSD + OpenLDAP
On Sun, May 29, 2011 at 04:22:07PM -0300, Friedrich Locke wrote:
> Dear list users,
>
> I am planning on migrating from traditional unix password files to LDAP.
> But I have one question: what about uid definition? Will ldap
> (for instance) auto increment it?
> If not, how will ldap manage uid allocation?
>
> Thanks in advance.
>

Hi! You have to manage that for yourself; this might help your tools written in C. And note that in most schemas it's not 'uid', but 'uidNumber'.

-- Martin Pelikan

#include <sys/types.h>
#include <err.h>
#include <stdlib.h>
#include <string.h>
#include <ldap.h>

/*
 * Range of uidNumbers handed out.  These two limits were not defined in the
 * original post; the values below are assumed, adjust to your site.
 */
#ifndef UIDNUMBER_MIN
#define UIDNUMBER_MIN	1000
#endif
#ifndef UIDNUMBER_MAX
#define UIDNUMBER_MAX	60000
#endif

/*
 * Search one level below bdn, collect every uidNumber in use and return the
 * lowest unused one in [UIDNUMBER_MIN, UIDNUMBER_MAX).  Returns (unsigned)-1
 * when the whole range is taken.
 */
unsigned
find_lowest_uidnum(LDAP *l, const char *bdn)
{
	static char uidNumber[] = "uidNumber";
	static char *attrs[] = { uidNumber, NULL };
	int error, cur, i;
	u_int8_t used[UIDNUMBER_MAX - UIDNUMBER_MIN];
	LDAPMessage *e;
	LDAPMessage *res;
	struct berval **vals;

	/* synchronous search, asking only for the uidNumber attribute */
	if ((error = ldap_search_ext_s(l, bdn, LDAP_SCOPE_ONELEVEL, NULL, attrs,
	    0, NULL, NULL, NULL, 0, &res)) != LDAP_SUCCESS)
		errx(1, "find_lowest_uidnum: synchronous search: %s",
		    ldap_err2string(error));

	memset(used, 0, sizeof used);
	for (e = ldap_first_entry(l, res); e; e = ldap_next_entry(l, e)) {
		vals = ldap_get_values_len(l, e, uidNumber);
		/* a posixAccount must carry exactly one uidNumber */
		if (ldap_count_values_len(vals) != 1) {
			warnx("Weird amount of UID numbers!");
			ldap_value_free_len(vals);
			continue;
		}
		cur = atoi(vals[0]->bv_val) - UIDNUMBER_MIN;
		/* entries outside the managed range are simply ignored */
		if (cur >= 0 && cur < (UIDNUMBER_MAX - UIDNUMBER_MIN))
			used[cur]++;
		ldap_value_free_len(vals);
	}
	ldap_msgfree(res);

	for (i = 0; i < (UIDNUMBER_MAX - UIDNUMBER_MIN); ++i)
		if (used[i] == 0)
			return (i + UIDNUMBER_MIN);

	return (-1);	/* no free uidNumber left in the range */
}
Re: putty or ssh, screen $cmd
On Fri, May 27, 2011 at 11:15:14PM -0400, Hugo Villeneuve wrote:
> Just saying that at least, screen has been working for decades
> properly. Even if it was archaic. But it's not like ttys are anything
> new themselves (the 8bit version ones).

Have you ever tried to use screen inside a screen? ssh'd to other machines? Not to mention ^A is beginning-of-line in most terminals. And the screen's window management! What a pleasure! And the way screen reports its messages! Still a mystery to me. tmux ftw :-)

-- Martin Pelikan
Re: IPv6 - www.openbsd.org
2011/6/4 Zamri Besar :
>> nslookup -type= www.openbsd.org 8.8.8.8
> Non-authoritative answer:
> *** Can't find www.openbsd.org: No answer

I remember having a similar discussion here with Theo and Claudio a while ago: http://comments.gmane.org/gmane.os.openbsd.misc/177418

The problem is, IPv6 has some dragons hidden that don't show up in a newspaper article. You need experience to see them and even the protocol itself isn't simple. In addition, some people misunderstand the creators' intents (how many times did you use *and got working* multiple address spaces in one network to provide connection redundancy, instead of PI space, which is difficult to acquire?), others make wrong assumptions (/48s where /24 was too much already, because the space is oh so big!), try to force their old IPv4 customs (/117 for hundreds of users), act irrationally (non-/64 netmask and gateway via DHCPv6 in Linux, yay!) and suddenly the real world application turns into quite a mess. Hell, some soho routers still don't work well in IPv4, what'd you expect? You're probably going to experience some of that on the IPv6 day after tomorrow.

However, I don't believe we're at a point where anyone can go back. Even if Theo, Henning and Claudio sat for a month and came up with something everyone would like, I have never met a manager willing to throw away millions of Cisco's "development" dollars. I have met very few network admins willing to learn yet another "solution". And I don't believe Microsoft is going to give Class E addresses in old Windows some welly, either. Nor anyone voluntarily giving up their 20 years old precious /16. Welcome to the human race.

As a result, you're either in or out. Either you're making a living, and not supporting IPv6 means deliberately disserving your customers (sorry everyone, but ordinary people don't give a damn about your opinion), or you're a non-profit organization, such as OpenBSD, and you can rebel against it by not using it.

-- Martin Pelikan
Re: httpd virtualhost ip
2011/6/12 Bambero :
> Hello
>
> I have many IPs and IP-based virtualhosts configured.
> Everything works fine. But when making a request (for ex. fsockopen)
> with php the outgoing IP is 123.456.789.66.
> Does anybody know how to tell php to bind to the virtualhost IP when making
> a request ?

There's a memory-wasting way: create a separate rdomain for each IP, and run multiple web servers, one in each of those. Does copy-on-write actually save us anything? Sorry for my misunderstanding of your memory management.

Otherwise it seems more like a PHP issue. Using bind() as suggested by halex@ can become a problem if each of these hosts hosts some huge application which is hard to modify.

-- Martin Pelikan
Re: Activating "ip6.forwarding" and "accept_rtadv" at the same time
On Mon, Sep 06, 2010 at 09:14:25AM +0200, Claudio Jeker wrote:
> ah, great. So we just have 16 bits more than IPv4. Actually ISPs can
> provide whatever they like to customers. Residential customers will most
> probably end up with /64.

exactly, /64 is more than enough

> IIRC it is actually forced by one of the great RFCs. Accepting rtadv on a
> system with more than one interface is a common cause for routing loops.
> Especially since the acceptance can not be limited to an interface.

I also thought so, but couldn't find it. Maybe we confused it with host/router differences in the ability to follow ICMP redirects, which is the same for IPv4 and v6 - a host can, a router must not. Or are you able to find the reference? I'm a bit afraid of touching the code before being sure that enabling rtadv on a router is a safe thing. RFC 4861 in section 6.2.7 enables the router to accept RAs and act upon them. I don't think loop detection would be too difficult, but it's probably a lot of work to make a button for this per interface.

> I have seen the following ways to solve this a) static gateway IPs and
> static routing,

exactly.

> > > They are all publicly routable IPv6 addresses.
> > And it will stay like that! That's one of the reasons to use IPv6: no
> > *(&#$(# NAT.
> Actually that's the reason why organizations are not adopting IPv6. NAT is
> less evil than IPv6.

Why do you think so? Most people are referring to security reasons, but it just equals "block in" or "block in from any to $my_net"...

-- Martin Pelikan
Re: Need Advice: Thinkpad T60 or T61?
On Sun, Oct 24, 2010 at 04:59:04PM -0700, Clint Pachl wrote:
> Henning Brauer wrote:
>>> 1. Core Duo 32-bit (T60) or Core 2 Duo 64-bit (T61)? I've only used
>>> i386, should I think about amd64?
>>
>> shouldn't make a difference. personally, I run i386 anyway.
>
> Any interesting reason you run i386 on 64-bit hardware? Stability?
> Performance?

I don't have an amd64 laptop, but one annoying thing I noticed is that the register dump in ddb won't fit on the 80x25 screen :-) People say that you'll notice the difference only with lots of multimedia and heavily optimized computing. Or habit is just second nature...

-- Martin Pelikan
crazy acpi - halts on reboot, sleeps on boot...
Hello misc@,

I have the strangest motherboard here in front of me. With the latest amd64 snapshot it halts at the reboot command, and regularly goes to S3 while booting (right after the kernel finishes its output). If I change "ACPI suspend state" to S1 in the BIOS, the system loads, the kernel keeps writing "acpi0: PM1 stuck (en 0xfcff st 0xfcff), clearing" and the system goes immediately to shutdown (-> /etc/rc.shutdown).

When "ACPI suspend state" is S3 and the system goes to S3 while booting, after I press the power button it comes to life and my monitor shows "out of range" until X is started. Sometimes it doesn't, and just keeps going to sleep when I wake it up.

I also had to disable AHCI, because bsd.rd wasn't able to boot (even i386) and showed this (from what I was able to transcribe):

==
ahci0 at pci0 dev 31 function 2 "Intel 82801GR AHCI" rev 0x01: apic 2 int 19 (irq 10), AHCI 1.1
scsibus0 at ahci0: 32 targets
sd0 at scsibus0 targ 0 lun 0: SCSI3 0/direct fixed
sd0: 78167MB, 512 bytes/sec, 160086528 sec total
... (smbus, uhci, kbd)
ahci0: stopping the port, softreset slot 2 was still active.
ahci0: stopping the port, softreset slot 3 was still active.
ahci0: stopping the port, softreset slot 4 was still active.
ahci0: stopping the port, softreset slot 5 was still active.
ahci0: stopping the port, softreset slot 6 was still active.
ahci0: stopping the port, softreset slot 8 was still active.
ahci0: stopping the port, softreset slot 9 was still active.
ahci0: stopping the port, softreset slot 10 was still active.
ahci0: stopping the port, softreset slot 11 was still active.
ahci0: stopping the port, softreset slot 12 was still active.
==

When I disabled ACPI in ukc, I got a protection fault at the beginning:

==
...
intagp0 at vga1
agp0 at intagp0: aperture at 0x8000, size 0x800
inteldrm0 at vga1
kernel: protection fault trap, code=0
Stopped at intr_find_mpmapping+0x28: cmpl %esi,0x10(%rax)
intr_find_mpmapping() at intr_find_mpmapping+0x28
pci_intr_map() at pci_intr_map+0xc0
inteldrm_attach() at inteldrm_attach+0xb5
config_attach() at config_attach+0x150
config_attach() at config_attach+0x150
pci_probe_device() at pci_probe_device+0x3bb
pci_enumerate_bus() at pci_enumerate_bus+0xe9
config_attach() at config_attach+0x150
mainbus_attach() at mainbus_attach+0x153
config_attach() at config_attach+0x150
end trace frame: 0x80e24e90, count: 0
ddb{0}> sh reg
ds 0x10
es 0x10
fs 0
gs 0
rdi 0
rsi 0x8
rbp 0x80e24a40
rbx 0x80e24c30
rdx 0x80103fb0
rcx 0x8011b090
rax 0x544e4735343944
r8 0x80e24a5c
r9 0
r10 0x80e4e000
r11 1
r12 0x8011b08c
r13 1
r14 0xb
r15 0xb
rip 0x8042f988 (intr_find_mpmapping+0x28)
cs 0x8
rflags 0x10206
rsp 0x80e24a40
ss 0x10
ddb{0}> ps
* 0 -1 0 0 7 0x80200 swapper
==

Here in ddb "boot reboot" worked, of course. zzz -S and zzz -z do pretty much the same thing, including the "out of range" bug, which can be fixed by switching to X back and forth. I'm able to test patches, but I don't have a clue what the hell is going on. No ACPI sensors were found. What does "acpi0: PM1 stuck" mean?

Thanks in advance.

-- Martin Pelikan

OpenBSD 4.8-current (GENERIC.MP) #759: Sun Jan 9 20:02:53 MST 2011
    dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 2135785472 (2036MB)
avail mem = 2064916480 (1969MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.5 @ 0xe4cf0 (34 entries)
bios0: vendor Intel Corp. version "NT94510J.86A.4131.2009.1122.2232" date 11/22/2009
bios0: Intel Corporation D945GNT
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S3 S4 S5
acpi0: tables DSDT FACP APIC WDDT MCFG ASF! HPET SSDT TCPA
acpi0: wakeup devices SLPB(S4) P32_(S4) UAR1(S4) UAR2(S4) PEX0(S4) PEX1(S4) PEX2(S4) PEX3(S4) PEX4(S4) PEX5(S4) UHC1(S3) UHC2(S3) UHC3(S3) UHC4(S3) EHCI(S3) AC9M(S4) AZAL(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Pentium(R) D CPU 3.00GHz, 3000.30 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,CNXT-ID,CX16,xTPR,PDCM,NXE,LONG
cpu0: 2MB 64b/line 8-way L2 cache
cpu0: apic clock running at 199MHz
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Pentium(R) D CPU 3.00GHz, 2999.90 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,CNXT-ID,CX16,xTPR,PDCM,NXE,LONG
cpu1: 2MB 64b/line 8-way L2 cache
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
ioapic0: misconfigured as apic 0, remapped to apid 2
Re: IPSEC/ISAKMPD routing question
2011/1/10, Christoph Leser :
> Hello,
>
> I have IPSEC VPNs in Tunnel mode, configured in ipsec.conf with a line
> like:
>
> ike active esp tunnel from to peer
>
>
> My isakmpd.policy file is
>
> # cat /etc/isakmpd/isakmpd.policy
> Keynote-version: 2
> Authorizer: "POLICY"
> Conditions: app_domain == "IPsec policy" &&
>         esp_present == "yes" &&
>         esp_enc_alg != "null" -> "true";
>
>
> Everything works fine.
>
> But today, one of the remote gateways was replaced by a misconfigured
> new one, leading to the following phase-2 packet:
>
> 13:29:01.098526 .500 > .500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
>         cookie: 70de03ee348066c9->76aabe706bed52c2 msgid: 301c68c8 len: 300
>         payload: HASH len: 24
>         payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
>                 payload: PROPOSAL len: 44 proposal: 1 proto: IPSEC_ESP spisz: 4 xforms: 1 SPI: 0xcb2d2b94
>                         payload: TRANSFORM len: 32
>                                 transform: 1 ID: AES
>                                         attribute LIFE_TYPE = SECONDS
>                                         attribute LIFE_DURATION = 28800
>                                         attribute ENCAPSULATION_MODE = TUNNEL
>                                         attribute KEY_LENGTH = 128
>                                         attribute AUTHENTICATION_ALGORITHM = HMAC_SHA
>                                         attribute GROUP_DESCRIPTION = 2
>         payload: NONCE len: 20
>         payload: KEY_EXCH len: 132
>         payload: ID len: 16 type: IPV4_ADDR_SUBNET = 0.0.0.0/0.0.0.0
>         payload: ID len: 16 type: IPV4_ADDR_SUBNET = 0.0.0.0/0.0.0.0
>         [ttl 0] (id 1, len 328)
>
>
> Please note that both ID parameters in this packet are 0.0.0.0.
>
> This led to a routing entry ( made by isakmpd, I suppose ):
> # netstat -rn | grep his_ip
> default0 default0 0
> /esp/use/in
> default0 default0 0
> /esp/require/out
>
> This route virtually disconnected my gateway from the external and from
> the internal network, no ping to any address was successful.
>
> I would like to ask:
>
> 1. Is it true, that isakmpd is supposed to accept any ID parameter of
> type IPV4_ADDR_SUBNET ) in quick mode and set up a corresponding route,
> even when it is the 'default' route?
>
> 2. What would I have to change to only accept those remote network IDs
> that are configured in ipsec.conf?
>
> Thanks
>

-- Martin Pelikán, Steadynet
E-mail: martin.peli...@gmail.com, gpg key 0x7176E4C9
Tel: +420 724 818 573
Jabber: sztor...@jabber.cz
web: http://cap.potazmo.cz/
Re: IPSEC/ISAKMPD routing question
2011/1/10, Christoph Leser :
>
> I would like to ask:
>
> 1. Is it true, that isakmpd is supposed to accept any ID parameter of
> type IPV4_ADDR_SUBNET ) in quick mode and set up a corresponding route,
> even when it is the 'default' route?

Yes, some people want all their traffic through an encrypted tunnel. I used to bring IPv6 to places where people were ignoring it -- exactly this way. You might want to specify it in your policy file, like:

remote_filter != "000.000.000.000-255.255.255.255"

or

remote_filter_type != "IPv4 subnet"

> 2. What would I have to change to only accept those remote network IDs
> that are configured in ipsec.conf?

The above, or more specific.

Sorry for the previous empty reply, I'll finally try to learn how to use an email client.

-- Martin Pelikan
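The check the two posts above are asking for, as an added example that is not part of the thread or of isakmpd: it reads the tcpdump-style quick-mode output shown in the question, pulls out the IPV4_ADDR_SUBNET identity payloads, and reports whether each one would install a default flow (0.0.0.0/0) or a flow outside the networks an administrator has configured. The sample dumps and the "allowed" local and remote networks are constructed for the example; the role assignment (first ID payload is the initiator's client network, second is ours as responder) is the usual quick-mode layout and is assumed here, as are the function names.

```python
"""Flag over-broad IKEv1 quick-mode identities before they become flows.

Added example for the isakmpd thread above; not isakmpd code. Input is
tcpdump(8)-style isakmp output, as quoted in the question.
"""
import ipaddress
import re

# tcpdump prints one line per ID payload; we only care about subnet identities.
ID_SUBNET_RE = re.compile(
    r"payload: ID len: \d+ type: IPV4_ADDR_SUBNET = "
    r"(?P<addr>\d+\.\d+\.\d+\.\d+)/(?P<mask>\d+\.\d+\.\d+\.\d+)"
)

# Constructed: the quick-mode packet from the question (both IDs 0.0.0.0/0).
BAD_QUICK_MODE = """\
13:29:01.098526 .500 > .500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
        payload: HASH len: 24
        payload: SA len: 56 DOI: 1(IPSEC) situation: IDENTITY_ONLY
        payload: NONCE len: 20
        payload: KEY_EXCH len: 132
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 0.0.0.0/0.0.0.0
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 0.0.0.0/0.0.0.0
        [ttl 0] (id 1, len 328)
"""

# Constructed: what a correctly configured peer would send for the same tunnel.
GOOD_QUICK_MODE = """\
13:31:07.001200 .500 > .500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 10.1.0.0/255.255.0.0
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 192.168.5.0/255.255.255.0
"""

# Constructed: a peer offering a network we never configured in ipsec.conf.
STRAY_QUICK_MODE = """\
13:32:44.770001 .500 > .500: [udp sum ok] isakmp v1.0 exchange QUICK_MODE
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 172.16.0.0/255.255.0.0
        payload: ID len: 16 type: IPV4_ADDR_SUBNET = 192.168.5.0/255.255.255.0
"""

# Constructed stand-ins for the "from"/"to" networks of the ipsec.conf flows.
LOCAL_NETS = ["192.168.5.0/24"]
REMOTE_NETS = ["10.1.0.0/16"]


def parse_subnet_ids(dump_text):
    """Return the IPv4 subnets offered as identities, in order of appearance.

    ipaddress accepts a dotted netmask after the slash, so 0.0.0.0/0.0.0.0
    becomes the 0.0.0.0/0 network without any special casing.
    """
    nets = []
    for line in dump_text.splitlines():
        m = ID_SUBNET_RE.search(line)
        if m:
            nets.append(ipaddress.IPv4Network(f"{m['addr']}/{m['mask']}", strict=False))
    return nets


def check_quick_mode_ids(dump_text, local_nets, remote_nets):
    """Classify each ID payload of a quick-mode exchange received as responder.

    Assumed layout: first ID is the initiator's (remote) client network,
    second is our own (local) network. Returns (role, subnet, verdict) tuples
    with verdict 'default-route', 'not-configured' or 'ok'.
    """
    allowed = {
        "remote": [ipaddress.IPv4Network(n) for n in remote_nets],
        "local": [ipaddress.IPv4Network(n) for n in local_nets],
    }
    results = []
    for role, net in zip(("remote", "local"), parse_subnet_ids(dump_text)):
        if net.prefixlen == 0:
            verdict = "default-route"        # would hijack all traffic, as in the thread
        elif any(net.subnet_of(ok) for ok in allowed[role]):
            verdict = "ok"
        else:
            verdict = "not-configured"       # no matching flow in ipsec.conf
        results.append((role, str(net), verdict))
    return results


if __name__ == "__main__":
    for name, dump in (("bad", BAD_QUICK_MODE), ("good", GOOD_QUICK_MODE),
                       ("stray", STRAY_QUICK_MODE)):
        print(name, check_quick_mode_ids(dump, LOCAL_NETS, REMOTE_NETS))
```

The 'default-route' verdict is exactly the case the `remote_filter != "000.000.000.000-255.255.255.255"` policy condition above is meant to reject; the 'not-configured' verdict is the stricter "only what is in ipsec.conf" check asked for in question 2, which a KeyNote policy can only approximate by listing the allowed remote_filter ranges explicitly.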
Re: PPPoE for IPv6
2011/2/1, Stuart Henderson :
> presumably you are running this machine as a router
> and therefore can't use rtsol.

Actually, you can. People were asking about this earlier on this list and, as it turned out, you only get a warning that router solicitation isn't intended for router configuration. You should be careful about routing, though, especially with multiple interfaces where someone is advertising. Plus, you'll probably need another /64 for your network, or to configure the box as a bridge.

> if you have a static address, you can hand-configure.
> something like this works for me (I'm in the UK and using
> ADSL from bogons.net, who I thoroughly recommend)

Of course, this should be the right way on the router. Feel free to ask your provider how to achieve what you want..

-- Martin Pelikan