Re: Packet prioritization

2010-10-15 Thread Martin Pelikán
2010/10/15, Henning Brauer:
> this way queue foo will exist on all interfaces. the assignment can be
> done inbound if the packet is forwarded and doesn't go through a
> userland proxy.

A little bit off-topic question: Would it be too stupid to extend divert_output() with a way of assigning queue

Re: IVI support ?

2010-10-12 Thread Martin Pelikán
2010/10/12, Xavier Beaudouin:
> Our idea is to have all our systems be IPv6 only native and when an IPv4
> wants to access an IPv6 service, IVI can do the translation (this is not
> magic, but the idea is to provide specific IPv6 hosts to be "visible"
> Does OpenBSD have somewhat support abou

Re: Why renice not work in OpenBSD?

2010-10-11 Thread Martin Pelikán
2010/10/11, Claudio Jeker:
> CPU consumed by the kernel is not accounted by the scheduler. All the
> work done by urandom is system time.

And for the curious people who can't see the obvious: why is that?
-- Martin Pelikan

Re: Wireless Network GUI

2010-10-09 Thread Martin Pelikán
Giving up, my old curses code is too gross... better send it to /dev/null. The only usable thing would be this piece, wrappers for adding/deleting ipv4/6 addresses. Might be useful even for python people, if they change err() for something they'd like. http://sztorkie.steadynet.org/files/temp/wra

Re: Wireless Network GUI

2010-10-07 Thread Martin Pelikán
2010/10/7, Jona Joachim:
> On 2010-10-07, Christiano F. Haesbaert wrote:
>> Why not make a curses GUI? I find it much more useful than gtk/qt (IMHO).
>
> What would be really nice IMHO is to expose an API that gives access to
> ifconfig functionality so everybody could easily write their own UI.

Re: LACP Over Wireless Bridge

2010-10-06 Thread Martin Pelikán
2010/10/6, Fabio Almeida:
> Is there a chance this messy setup can work?
> Has anyone configured some setup like that in Bridge mode (not ECMP)?

I don't have access to any of the UBNT's we use right now, but any mode except WDS seems not to be fully L2 transparent, hence it might be incompatible

Re: route-to and divert-packet

2010-10-04 Thread Martin Pelikán
2010/10/3, Daniel Browning-Weber:
> Okay, and the divert(4) man page says that outbound packets,
> after being reinjected, "are processed directly by the relevant
> IP/IPv6 output function," so I probably can't get pf to take
> another look at them so that "route-to" will apply.
>
> If I were fee

Re: pf for routers?

2010-09-23 Thread Martin Pelikán
2010/9/22, Beavis:
> I would like to ask if someone has done routing via pf(4) (non-NAT
> rules). My idea is to be able to route packets from one interface to
> the other, say from tun0 to rl0. I've been googling a lot and most of
> the rules I'm seeing have something to do with NAT routes.

hint:

Re: OpenBSD 4.6 + carp + pf + pfsync lockup

2010-09-10 Thread Martin Pelikán
2010/9/10, Chris Cappuccio:
> Stop using ALTQ on your DNS server, perhaps? That may be what is causing
> the back-pressure that you're seeing.

Why do you think it would help? All those packets would arrive anyway, only the decent user will wait longer for his website to load. Fortunately alt

Re: Activating "ip6.forwarding" and "accept_rtadv" at the same time

2010-09-10 Thread Martin Pelikán
2010/9/9, Claudio Jeker:
>> And a new flag to struct in6_ifextra?
>
> Nope, it will be part of ifnet->if_xflags.

Actually, it's already in in6_ifextra->nd_ifinfo->flags, named ND6_IFF_ACCEPT_RTADV and controlled by the "ndp -i" command. However, ifconfig autoconfprivacy uses if_xflags and separat

Re: OpenBSD 4.6 + carp + pf + pfsync lockup

2010-09-10 Thread Martin Pelikán
2010/9/10, Andy Bradford:
> Why would you need 65k UDP for DNS? Almost all UDP based DNS responses
> are under 512 bytes, those that are larger are required to set the
> truncated bit and the client restart the query using TCP.

We have probably too many wild users because the logs were fl

Re: OpenBSD 4.6 + carp + pf + pfsync lockup

2010-09-10 Thread Martin Pelikán
2010/9/10, Stuart Henderson:
> these affect traffic sourced from the box itself, *not* routed through it.

We had to do quite extensive link testing because of strange packet loss on the SDH circuit. The buffer sizes really mattered :-) But thanks for the information, as the link appears to be okay

Re: Activating "ip6.forwarding" and "accept_rtadv" at the same time

2010-09-09 Thread Martin Pelikán
2010/9/7, Claudio Jeker:
> As soon as you split a /64 into something smaller you left IPv6 land and
> entered something that looks like IPv6 but isn't. Sure it is possible but
> by doing it you make every IPv6 disciple scream in agony (which is
> probably a good thing anyway).

I don't understand t

Re: OpenBSD 4.6 + carp + pf + pfsync lockup

2010-09-09 Thread Martin Pelikán
2010/9/9, Joe Warren-Meeks:
> Well, the machine has 6Gb of RAM and is only pushing 10Mbit/s of
> traffic at peak. It does need to maintain a largeish state table, as
> it is predominantly web traffic, but I've run much much larger and
> busier sites behind much smaller hardware with the same config

Re: OpenBSD 4.6 + carp + pf + pfsync lockup

2010-09-09 Thread Martin Pelikán
2010/9/8, Joe Warren-Meeks:
> I've had a weird problem happen twice now. It seems after about 4 - 6
> weeks of running very happily, both servers lock up completely at the
> same time. Both consoles show no error messages, but the cursor is
> blinking away happily. Neither console will take any in

Re: Activating "ip6.forwarding" and "accept_rtadv" at the same time

2010-09-07 Thread Martin Pelikán
2010/9/6, Claudio Jeker:
> Only if you plan to use NAT in the near future. /64 is like a /32 in IP.
> Not enough in most cases.

Why? You can always use DHCPv6 and split the range further... I haven't much studied the protocol itself, but in practice the only system that has trouble with it is Linu

Re: Activating "ip6.forwarding" and "accept_rtadv" at the same time

2010-09-05 Thread Martin Pelikán
2010/9/5, Simon Comeau Martel:
> I am trying to figure out why OpenBSD won't let me activate
> "net.inet6.ip6.accept_rtadv" and "net.inet6.ip6.forwarding" at the same
> time.

/usr/src/sys/netinet6/in6_proto.c:int ip6_accept_rtadv = 0; /* enabling forwarding and rtadv concurrently is dangerous

Re: Problem with uplcom(4) - hangs

2010-08-29 Thread Martin Pelikán
2010/8/29, Denis Fondras:
> I have a problem with uplcom(4). Whenever I connect to a remote terminal
> with "cu -l /dev/ttyU0", it hangs after a few seconds (usually under 2
> minutes).

I've seen way too many faulty/misbehaving uplcom's. Have you tried a different piece of hardware?
-- Martin Pel

Re: pf - max number of cbq queues ?

2010-08-28 Thread Martin Pelikán
2010/8/27, Henning Brauer:
> find that #define (I forgot its name and location), increase,
> recompile.

We use such a setup with the HFSC limit raised tenfold from 64, so far without any problems (core i3, 2G RAM, em(4) gigabit desktop nics, 12-15k pps on average). Is there a reason why are the

IPv6 calculator

2010-08-26 Thread Martin Pelikán
Hello list, I just updated my IPv6 address calculator and thought it might find its use in OpenBSD. It shouldn't contain any security risk, is small enough not to bloat the tree and handy enough to help admins visualize and plan their network's addressing or set those crazy PTRs properly. As there

Re: Is it stupid to maybe have S.M.A.R.T in sysctl sensords framework?

2010-08-21 Thread Martin Pelikán
2010/8/20, Daniel Ouellet:
> I don't really know
> much about how the smart drive suppose to be any good monitoring works
> to alerts of upcoming hard drive failures.

Neither do I, but I've noticed that the measurement units across different HD vendors (I've only worked with IDE/SATA) are not s

Re: [OT] securely sharing documents on OpenBSD?

2010-08-19 Thread Martin Pelikán
2010/8/17, Jiri B.:
> what's up with vpn and samba?

who goes around, comes around...
-- Martin Pelikan

Re: ath(4) - Wistron Neweb CM9 weird behavior

2010-08-11 Thread Martin Pelikán
2010/7/29, Chris Cappuccio:
> I bet the IBM ath cards are probably an older chip than AR5413. Maybe
> AR52xx?

Yes, mine is 5213. And so are CM9's. The 5413 is only in the Mikrotik AP.

> The ath driver has never worked well with the "newer" stuff in my
> experience.

But these days, even the At

ath(4) - Wistron Neweb CM9 weird behavior

2010-07-21 Thread Martin Pelikán
Hello everyone. I have an AP with AR5413 with RouterOS and several OpenBSD clients. IBM notebooks using ath(4), iwi(4) and rum(4) work perfectly. The problem happens when I try to connect my alix board (4.7-release, i386) with Wistron Neweb CM9 (with all channels unlocked, cos we use 5500-5700 MHz):

Re: ipv6 pf ruleset

2010-07-19 Thread Martin Pelikán
2010/7/18, Matt S:
> Hello,
>
> Could someone tell me why, given the following ruleset, I cannot get to my
> machine from the outside on ipv6?

Because you didn't allow neighbor discovery?

pass in on $ip6if inet6 proto icmp6 icmp6-type \
    {echoreq,unreach,neighbrsol,neighbradv}

-- Martin Pelikan

i386 panic - mtx_enter: locking against myself

2010-07-19 Thread Martin Pelikán
Hello everyone. Yesterday I compiled some stuff from ports, when my i386 -current (about two days old) panicked (onproc was one of those cc(1)):

Debugger(), panic(), mtx_enter+0x5a(d0a2fc20, d2bae000, d2baf000, 0, 0) uvm_pseg_release+0x6b uvm_swap_allocpages+0x8d9 uvm_swap_get+0x38 uvm_fault_anonget

Re: Question about moving system to different hardware

2010-07-13 Thread Martin Pelikán
2010/7/13, Ted Wynnychenko:
> the network card will be the same, since it's moving too

Actually, it doesn't have to; its number might change due to a different motherboard layout (happened to me on one crappy ECS). Then you end up playing with config(8).
-- Martin Pelikan

Re: Secret key in the packet filter.

2010-07-13 Thread Martin Pelikán
2010/7/13, jackwssp q:
> Who knows anything about the secret keys in the packet filter(pf), such as
> way only for developers.

You can actually read the code yourself, find them and write a paper about them... Don't forget to mail misc@ about it.
-- MP

Re: Other FS support in OpenBSD

2010-07-12 Thread Martin Pelikán
2010/7/12, Paolo Aglialoro:
> Unfortunately the question was meant for a dual boot P3-M 256MB laptop, so

BTW: I can hardly think of a person I know who used XFS on a laptop and didn't lose at least a subset of his data there. My suggestion: run, before it's too late. Ext3fs works for me between Linux

Re: OpenBSD 4.4 : snmp for monitoring interfaces

2010-06-18 Thread Martin Pelikán
2010/6/18, Rioux, Christophe:
> Hi
>
> We tried to implement a monitoring on an OpenBSD 4.4; I get an error message:
> index not found (monitoring via Cacti, means net-snmp). My Cacti server is
> hosted on another server.

So do we, our cacti is 0.8.7e, from some redhat repository quite some time a

Re: audio recording levels

2010-06-13 Thread Martin Pelikán
Hi, this you might already know, but a good rule of thumb is to set the levels manually for each source (according to its dynamics), having peaks around -6dB to -10dB. If you have manual volume/gain control on your recording device/preamp, I'd set all levels in the computer to 80% of the scale and th

ospf6d - /63 prefix causes livelock (partial diff)

2010-06-09 Thread Martin Pelikán
Hello misc@, claudio@, I've noticed that when I propagate a subnet of size /63 on our ospf-v3 network (unfortunately on routeros), ospf6d not only marks the ASE update as invalid, but also refuses to move on with the rest, ending up filling logs with nonsense in an endless loop. This diff only makes osp

site.org vs. www.site.org relaying?

2010-05-28 Thread Martin Pelikán
Hello misc, I tried to set up relayd on our internet gateway to handle our web requests this way:
- "site.org", "www.site.org" and "intranet.site.org" forward to our main web server
- "*.site.org" forward to the secondary web server (handling all those domains)
At this time the "site.org" requests go t

Re: VPN Gateway, DHCP over IPSec, dhcrelay on enc0?

2010-05-23 Thread Martin Pelikán
2010/5/22, Don Reis:
> I have the idea that to make DHCP work over IPSec on my VPN gateway, I have
> to make dhcpd listen on lo0, and then have dhcrelay listen on enc0 and relay
> to lo0. (dhcpd runs on same machine)
>
> Why doesn't dhcrelay find enc0? And is this the proper way to make this
> w

Re: OpenBSD 4.7 as VPN Gateway for Road Warriors, Preferred Configuration

2010-05-23 Thread Martin Pelikán
2010/5/22, dontek:
> Yes, thanks, I've read the man pages. I've even made the proposed
> connection work both ways. (less the DHCP working) What I was hoping for
> was a few that have more experience than I do to share their experiences
> and tell me some of the potential benefits and/or d

Re: OpenBSD 4.7 as VPN Gateway for Road Warriors, Preferred Configuration

2010-05-21 Thread Martin Pelikán
Hi, did you actually read any piece of documentation about the topic? Manual pages like ipsec(4) for an overview, ipsec.conf(5) for configuration and isakmpd(8) + keynote(3,4,5) + openssl(1) + authpf(8) for possible ways of authenticating your warriors.

> I've found many examples via Google. Some are

Re: Resilient RAID

2010-05-20 Thread Martin Pelikán
If your firewall has to run in not so hostile conditions like sub-zero temperatures or large temp differences over a short time (typically right under the roof), consider using flash memory (CF-ATA converters being available around 20 USD) instead of a hard disk + eventually mfs for some logging or so.

Re: VPN Clients Behind OpenBSD 4.6 PF NAT

2010-05-13 Thread Martin Pelikán
Is it possible that you have multiple addresses on $ext_if? You NAT it to the first one (:0), but a tunnel established using FQDNs could try to send stuff to another IP that doesn't match your NAT table. Have you actually seen anything going out of the external boxes on your firewall? Pflog and tcpd

Re: Hardware for a PF box

2010-05-11 Thread Martin Pelikán
2010/5/11, Chris Smith:
> Maybe I'm missing something:

You might want something like this:

# mkdir /var/log/rd ; chmod 700 /var/log/rd ; chown _pflogd:_pflogd /var/log/rd
# echo 'pflogd_flags="-f /var/log/rd/pflog" ' >> /etc/rc.conf.local
# echo 'swap /var/log/rd/ mfs rw,nodev,nosuid,-s=67108864

Re: pf icmp6 question

2010-05-05 Thread Martin Pelikán
Hi, my guess would be somewhere about line 2803 in pf.c: when the rule matches for the first time, it reaches the if (af != AF_INET6) which it isn't (pfctl's parse.y sets it to 0 when AF is omitted). There's also a subtle name inconsistency between the use of 'af' and 'pd->af' (compare ICMP4 vs 6 cases),

[patch] czech keyboard layout

2010-04-05 Thread Martin Pelikán
Hi, I've recently written a Czech keyboard layout for the console. It's basically the standard cz_qwertz layout with every character that one might need from the us layout hidden under AltGr in the standard way (as in X.org). I don't know what's wrong about the 29th layout in the kernel to get me banned from