Re: bgpd.conf rules changed?

2022-12-27 Thread Toni Mueller
Hi Claudio, On Mon, Dec 19, 2022 at 01:10:15PM +0100, Claudio Jeker wrote: > You update from a very old version of OpenBGPD. true. Your tips worked a treat, though, and adjusting the config wasn't too difficult. Thanks a lot, Toni

bgpd.conf rules changed?

2022-12-19 Thread Toni Mueller
Hi, I am trying to upgrade an OpenBSD based BGP router from an old version to 7.2. But on OpenBSD 7.2, the config file results in several errors, despite the man page not indicating anything "obvious". Eg. I get syntax errors on softreconfig in yes softreconfig out yes announce self a

Re: carp + 5.1/5.2 woes [PARTIALLY SOLVED]

2013-01-03 Thread Toni Mueller
Hi, thanks for the insight. On Thu, Jan 03, 2013 at 01:37:38AM +, Stuart Henderson wrote: > On 2013-01-02, Toni Mueller wrote: > >> /bsd: in6_ifloop_request: ADD operation failed for 3ffe:3ffe::0001 > >> (errno=17) > > 17 is EEXIST - see errno(2) for a list of t

Re: carp + 5.1/5.2 woes [PARTIALLY SOLVED]

2013-01-02 Thread Toni Mueller
Hi, I have just discovered that I made a configuration error that had resulted in the undesired, but correct, carp behaviour for IPv4. Ie, OpenBSD operates as desired for this case. That leaves these questions open: On Wed, Jan 02, 2013 at 01:39:25PM +0100, Toni Mueller wrote: > I also h

Re: carp + 5.1/5.2 woes

2013-01-02 Thread Toni Mueller
Hi, On Wed, Jan 02, 2013 at 05:47:23PM +, Stuart Henderson wrote: > On 2013-01-02, Toni Mueller wrote: > > A: 5.1 (IPv4: master) > > B: 5.0 (IPv4: backup) > > C: 5.2 (IPv4: master, IPv6: backup) > > Is this 5.0 release or is it "something close to 5.0"

Re: carp + 5.1/5.2 woes

2013-01-02 Thread Toni Mueller
Hi, On Wed, Jan 02, 2013 at 04:53:02PM +0100, Patrick Lamaiziere wrote: > On Wed, 2 Jan 2013 13:39:25 +0100, Toni Mueller > wrote: > > With this setup, carp1 will stay in BACKUP mode when I say "ifconfig > > carp1 advskew 120" on A, while on B, it would go

carp + 5.1/5.2 woes

2013-01-02 Thread Toni Mueller
Hi, I have a setup with three machines, all i386, and all plugged into one switch: A: 5.1 (IPv4: master) B: 5.0 (IPv4: backup) C: 5.2 (IPv4: master, IPv6: backup) Each host has two IPv4 carp interfaces, all on one interface (carp0 and carp1), and host C has an additional carp2 with only an IP

ISAKMPD question: ID-type ASN1_...?

2012-01-04 Thread Toni Mueller
Hi, I've run into an interoperability problem with an Astaro, which does not like our certificate. The certificate basically looks like ... Subject: C=DE, L=..., CN=IP-number ... Subject Alternative Name: IPv4 Address: IP-number ... Now the Astaro is said to require an ID type of ASN1-DN, w

Re: ISAKMPD question: certificates shipped?

2011-12-21 Thread Toni Mueller
Hi Stu, On Sun, Dec 04, 2011 at 11:24:24AM +, Stuart Henderson wrote: > I don't see any code changes that would result in a different presentation > order of certificates between 4.8 and 5.0.. > > tcpdump traces of the negotiation from 4.8 and 5.0 might be useful, as might > logs from the 3rd

ISAKMPD question: certificates shipped?

2011-11-30 Thread Toni Mueller
Hi, I'm running into a problem with OpenBSD 5.0 and isakmpd. A config that works on 4.8, doesn't work on 5.0: the client is denied access, allegedly due to OpenBSD shipping the wrong (X.509) certificate, or certificates in the wrong order. The (3rd party) claim is that it might ship the CA certifi

Re: query bug reports?

2011-10-14 Thread Toni Mueller
Hi, On Thu, Oct 13, 2011 at 09:40:42AM +0200, Toni Mueller wrote: > My vote would go for Redmine (use together with thin), which has a if the project wants to use/try it, I can offer my help with this one. Please contact me off-list. Kind regards, --Toni++

Re: query bug reports?

2011-10-13 Thread Toni Mueller
Hi Daniel, On Thu, Oct 13, 2011 at 09:10:22AM +0200, LEVAI Daniel wrote: > On Thu, Oct 13, 2011 at 09:01:51 +0200, Toni Mueller wrote: > > today I wanted to research open bug reports for OpenBSD, using this link > > in lieu of anything linked from the homepage: > http://marc.in

4.9/amd64: kernel crash with temperhum

2011-10-13 Thread Toni Mueller
Hi, today I experienced a kernel crash on a machine with the temperhum device. The crash message indicates that the driver uthum was responsible, but since the machine is physically inaccessible to me, I only have a screenshot. Is it still worth reporting, scribbling from a handset screenshot, des

query bug reports?

2011-10-13 Thread Toni Mueller
Hi, today I wanted to research open bug reports for OpenBSD, using this link in lieu of anything linked from the homepage: http://www.openbsd.org/query-pr.html But when I submit the form, I only get an error message that the CGI was not found. Where should I be looking instead, please? Kind r

Re: ipsec: failure after upgrade [SOLVED]

2011-09-28 Thread Toni Mueller
Hi, I solved the site-site part of it. It turned out to be a typo somewhere. :( But the mobile issue is still open. Kind regards, --Toni++

ipsec: failure after upgrade

2011-09-28 Thread Toni Mueller
Hi, I have lan1 -- gw1 --- internet --- gw2 -- lan2 The setup has been working for years. Now I upgraded one side to 4.9, while the other - so far - is still at 4.6 (I know... :( ). After that, no connection gets established anymore: 1.2.3.4: OpenBSD 4.6 4.3.2.1: OpenBSD 4.9 13:18:25.029

Re: Custom bsd.rd contents

2011-03-09 Thread Toni Mueller
Hi, On Sun, 27.02.2011 at 18:52:28 -0500, Adam Van Ymeren wrote: > I'm trying to modify the contents of the ram disk in a bsd.rd kernel. > Is there any documentation on this process? Or can anyone point in my > a good direction to start looking? you might find this example interesting: http:/

Re: CARP and routing

2010-11-25 Thread Toni Mueller
On Thu, 25.11.2010 at 14:29:39 +, Michal wrote: > >Because your setup should rather look like this? > > > >Internet --- switch --- host1 --- switch --- LAN > > + --- host2 + > This is what I was trying to get at...the way you draw your diagram, > I can't understand what y

Re: CARP and routing

2010-11-25 Thread Toni Mueller
On Thu, 25.11.2010 at 13:15:06 +, Michal wrote: > On 25/11/10 12:22, Toni Mueller wrote: > >I discover that CARP and routing don't always mix well: > > > > Internet --- host1 host2 > Wait, do you mean; > > >

CARP and routing

2010-11-25 Thread Toni Mueller
Hi, I discover that CARP and routing don't always mix well: Internet --- host1 host2 If host1 and host2 have a CARP interface with the same IP, then packets destined for that IP don't ever reach host2, even if the interface on host1 is in BACKUP state. Kind regards, --Toni++

Re: Linux or OpenBSD

2010-11-24 Thread Toni Mueller
On Wed, 24.11.2010 at 21:30:05 +0100, ropers wrote: > On 23 November 2010 13:52, Toni Mueller wrote: > > I usually have a use case that can be satisfied > > with one XOR the other system > > So, not with both? > You have weird use cases. I don't think so. See e

[OT] Re: relayd port to linux

2010-11-24 Thread Toni Mueller
On Fri, 05.11.2010 at 16:54:00 +0100, Aleksandar Lazic wrote: > due to the fact that openssh and some other parts of openbsd are ported > to linux maybe you can tell me if you plan to make an openrelayd which is > able to compile on linux. > > I'm willing to try it by myself, maybe you can help

Re: Unattended OpenBSD Installation

2010-11-24 Thread Toni Mueller
Hi Nick, On Sun, 14.11.2010 at 11:31:52 -0700, Nick Bender wrote: > I am currently working on the next version which is much better - it meets > all your requirements. I'm calling it redux and I'm including the readme > below. this is great news! Any chance to get this into the mainline, somed

Re: Linux or OpenBSD

2010-11-23 Thread Toni Mueller
Hi, On Tue, 23.11.2010 at 14:09:48 -0500, daniel holtzman wrote: > Perhaps one or more developers would be curious about the crashes? Why not > donate the machines instead of throw them out? ok. I'm not the owner, only the janitor, for these machines. Unless I figure out a way to put them back

Re: Linux or OpenBSD

2010-11-23 Thread Toni Mueller
Hi, On Tue, 23.11.2010 at 10:55:30 -0500, and...@msu.edu wrote: > Toni, have you published a list of the hardware that's been causing you > problems? sorry, no I didn't think of it, yet. But I have posted to this list about some of them, most prominently the small PCs with C7 chips. > My experie

Re: Linux or OpenBSD

2010-11-23 Thread Toni Mueller
Hi, On Tue, 23.11.2010 at 17:45:16 +0100, Alexander Schrijver wrote: > Why don't you run linux on them? You aren't being very environmentally aware > are you? I don't understand what you mean with this remark. The application that I use these machines for requires OpenBSD, so there is very lit

Re: em(4) detailed errors

2010-11-23 Thread Toni Mueller
Hi, On Tue, 23.11.2010 at 11:07:40 -0500, Ted Unangst wrote: > On Tue, Nov 23, 2010 at 10:02 AM, Otto Moerbeek wrote: > > On Tue, Nov 23, 2010 at 03:16:57PM +0100, Toni Mueller wrote: > >> # ifconfig em3 > >> em3: > >> flags=8b43 mtu > >> 1500 >

Re: em(4) detailed errors

2010-11-23 Thread Toni Mueller
Hi, On Thu, 18.11.2010 at 16:38:55 +0100, Manuel Guesdon wrote: > Is there a way to get detailed em(4) device errors without having to > recompile kernel with EM_DEBUG ? > I try to find in-errors reason(s) but netstat only gives errors as a sum of > dropped_pkts + stats.rxerrc + stats.crcerrs +

Re: Linux or OpenBSD

2010-11-23 Thread Toni Mueller
Hi, On Sat, 23.10.2010 at 10:36:54 -0500, Marco Peereboom wrote: > On Oct 23, 2010, at 8:48, Toni Mueller wrote: > > Also, Linux is better supported by hardware vendors, and/or much less > > picky about hardware than OpenBSD is. > If you consider the garbage these vendors

Re: Linux or OpenBSD

2010-11-23 Thread Toni Mueller
Hi, On Sun, 24.10.2010 at 08:20:35 +0530, Siju George wrote: > On Sat, Oct 23, 2010 at 7:18 PM, Toni Mueller wrote: > > Also, Linux is better supported by hardware vendors, and/or much less > > picky about hardware than OpenBSD is. > Not always is it ? of course, my statemen

Re: Can't reach www.openbsd.org

2010-11-02 Thread Toni Mueller
Hi, On Tue, 02.11.2010 at 13:40:44 +0100, Guillaume Dualé wrote: > try it : http://openbsd.org it's (probably) not the same, and (worse!) it doesn't help with all the configurations that contain "www.openbsd.org". Kind regards, --Toni++

Re: Linux or OpenBSD

2010-10-23 Thread Toni Mueller
On Wed, 22.09.2010 at 15:47:02 -0400, Brad Tilley wrote: > Either will work fine so long as you purchase good NICs and avoid > cutting-edge (untested) hardware. The only things Linux does noticeably > better is: > > * Dealing with SMP > * Dealing with lots and lots of RAM >

Re: iked(8) and ikectl(8)

2010-10-14 Thread Toni Mueller
Hi, On Thu, 03.06.2010 at 23:06:58 +0200, Reyk Floeter wrote: > IPsec. In difference to isakmpd(8), which supports the ISAKMP/Oakley > a.k.a. IKEv1 protocol, iked(8) only supports the IKEv2 protocol at > present. The IKEv2 protocol in RFC 4306 has been simplified and > provides many benefits ov

Re: which monitoring do you use (on OpenBSD)

2010-10-14 Thread Toni Mueller
Hi, On Sat, 14.08.2010 at 23:49:49 -0700, Bryan Irvine wrote: > understand. Also, the OP wanted something that he can run on OpenBSD > and Zenoss runs on Linux. hmmm from my perspective, Zenoss looks like an "ordinary" Zope application, and should therefore run on OpenBSD as well. Kind regard

Re: Activating "ip6.forwarding" and "accept_rtadv" at the same time

2010-09-06 Thread Toni Mueller
Hi, On Mon, 06.09.2010 at 11:18:57 +1000, Olivier Mehani wrote: > On Sun, Sep 05, 2010 at 03:49:43PM -0400, Simon Comeau Martel wrote: > > > You received a /64 for your router interface ? Or are you in a /64 > > > subnet with other customers ? The setup sounds weird to me. To what > > > addres

Re: OBSD 4.7 and Via C7 motherboards problem

2010-08-16 Thread Toni Mueller
or might not be there. But it's worth a try. My supplier is already looking into this issue of possible BIOS upgrades. > On 2010-08-13, Toni Mueller wrote: > > Having said that, what is the current common wisdom for reliable small > > CPE boxes that are reliable enough to be safely

Re: which monitoring do you use (on OpenBSD)

2010-08-14 Thread Toni Mueller
On Fri, 13.08.2010 at 14:36:21 +0100, Kevin Chadwick wrote: > What do people think of monit. Ok, I'll chime in: What do people think of Zenoss and splunk? I'm so far leaning towards trying Zenoss, but it surely has a high barrier-of-entry, and I'm only interested in splunk for comparison. Kin

Re: OBSD 4.7 and Via C7 motherboards problem

2010-08-13 Thread Toni Mueller
Hi Stuart, thanks for the idea. On Thu, 12.08.2010 at 12:09:02 +, Stuart Henderson wrote: > Guessing based on very little information, but they probably have > different BIOSes. Unfortunately, as I just hear, the manufacturer dropped support for these machines. My supplier also only learnt

Re: OBSD 4.7 and Via C7 motherboards problem

2010-08-12 Thread Toni Mueller
Hi, On Sun, 01.08.2010 at 13:49:07 -0700, Peter Merritt wrote: > I have a firewall that has been running several versions of OpenBSD > successfully, the last being 4.6. After installing 4.7, I could not get > the firewall to pass any traffic from the lan side. I'm experiencing a very similar pr

4.7: my error, or system error?

2010-07-20 Thread Toni Mueller
Hi, I've recompiled my system(s) several times in order to follow -stable, but (now?) see this problem: # savecore -v /var/crash/ dumpoff = 4838922240 (9451020 * 512) savecore: /bsd: kvm_dump_mkheader: invalid magic in cpu_hdr savecore: no core dump

4.7/pf: table changes ignored until reloading the rule set?

2010-05-31 Thread Toni Mueller
Hi, I have a problem with tables in pf in that I can add addresses and/or network blocks to tables and don't get them recognized until I reload the filter rules. Example: # pfctl -T a -t extra-oekonet-dst 172.16.19.0/24 1/1 addresses added. # pfctl -T s -t extra-oekonet-dst 172.16.19.0/24

Re: OpenBSD 4.7 as VPN Gateway for Road Warriors, Preferred Configuration

2010-05-31 Thread Toni Mueller
Hi, On Sun, 23.05.2010 at 11:41:27 +0200, Martin Pelikán wrote: > It really depends on what you need - most road warriors are okay with > transport mode (where obviously DHCP doesn't make any sense). If I'd say that transport mode is a design error in IPSEC and should be avoided at all costs.

Re: nested vlans: safe to use?

2010-05-12 Thread Toni Mueller
On Wed, 12.05.2010 at 19:48:47 +0100, Stuart Henderson wrote: > > > But usually you just feed plain vlans to the wan provider and they handle > > > translation or stacking.. > > > > ?!? > > If they're doing nested vlans (tag stacking), usually you feed them > frames, they add their own tag to g

Re: nested vlans: safe to use?

2010-05-12 Thread Toni Mueller
Hi, On Wed, 12.05.2010 at 14:23:18 +0200, Pete Vickers wrote: > http://www.openbsd.org/papers/asiabsdcon2010_vether/index.html > > especially page 6/7... thanks, but... I may have mis-stated the problem. I have no bandwidth or fragmentation problem, but rather a configuration problem in a Metr

Re: nested vlans: safe to use?

2010-05-12 Thread Toni Mueller
Hi, On Wed, 12.05.2010 at 01:09:55 +, Stuart Henderson wrote: > First talk to your wan provider, they might either be able to allocate > you a couple of vlans that they'll carry for you, or do QinQ (i.e. you > feed the provider plain vlans, and they appear directly at the other > side). I w

nested vlans: safe to use?

2010-05-11 Thread Toni Mueller
Hi, I've been trying to figure out whether I can use OpenBSD in a nested vlan scenario. I'm looking at a data centre where I want to get two wires, each carrying several vlans, and funneling them home across a WAN link. Various switch vendors claim to be able to do it, but I couldn't really figure

Re: OT - UML, can someone state that it works ?

2010-05-05 Thread Toni Mueller
Hi, I'm not an OpenBSD developer, but would like to chime in anyway: On Wed, 05.05.2010 at 16:08:47 -0300, Christiano F. Haesbaert wrote: > I'm really sick of hearing about UML/RUP and all this bullshit about > software engineering in my university. Many of those things are not really "bullshi

Re: OT - UML, can someone state that it works ?

2010-05-05 Thread Toni Mueller
On Wed, 05.05.2010 at 14:31:32 -0500, Walter Goulet wrote: > I think the UML the OP is referring to is Unified Modeling Language > and Rational Unified Process. I think this solves it: > On Wed, May 5, 2010 at 2:25 PM, Lars Nooden wrote: > > :P ;) Kind regards, --Toni++

Re: addendum: 4.7 causes different problem Re: spurious "need to frag" messages

2010-05-03 Thread Toni Mueller
Hi, On Wed, 17.03.2010 at 17:48:21 +0100, Toni Mueller wrote: > On Mon, 15.03.2010 at 19:10:12 +0100, Toni Mueller > wrote: > > # pfctl -s a |grep mss > > # ifconfig|grep mtu|grep -v 1500 > > lo0: flags=8049 mtu 33152 > > enc0: flags=41 mtu 1536 >

-current i386 (#501): massive performance drop from #448

2010-04-11 Thread Toni Mueller
Hi, going from #448 (March 16th) to #501 (April 8th), I noticed a sharp drop in performance. The problem manifests itself in the machine frequently becoming very sluggish wrt. network performance. In numbers, this means that the packet loss rate jumps to more than a felt 90% for more than a minute

Re: Howto Create a Auto-Extract Package with Shell Script & tar ?

2010-04-10 Thread Toni Mueller
Hello, On Sat, 10.04.2010 at 09:17:53 +0800, Aaron Lewis wrote: > Firstly i need to compress my fonts to a Font_Name.tar.bz2 , if i want > to put the extract script and Font_Name.tar.bz2 together , a single > bundle , howto archive it ? > > Right now , i tried to append the Archive

-current amd64 (#178): "NO PROPOSAL CHOSEN"

2010-04-08 Thread Toni Mueller
Hi, while playing around with the latest code as of today, off of CVS's HEAD, I find that it sometimes takes considerable time to establish a connection to a static peer, and while negotiating, the two isakmpds sometimes send "NO_PROPOSAL_CHOSEN" to each other. After a while, it suddenly works. No

Re: -current (#448): starts dropping packets after a while

2010-04-08 Thread Toni Mueller
Hi, this should have gone into the thread 'spurious "need to frag" messages'. Sorry for opening a new thread. On Wed, 31.03.2010 at 13:36:48 +0200, Toni Mueller wrote: > recently, a problem with OpenBSD has popped up over here that manifests > itself in "random"

Re: feature request: fallback boot image

2010-04-02 Thread Toni Mueller
On Fri, 02.04.2010 at 22:20:46 +0200, Henning Brauer wrote: > * Toni Mueller [2010-04-02 12:25]: > > it would be great to be able to specify a fallback kernel in case > > booting a new kernel fails > how exactly does the bootloader notice your new kernel sitting in ddb? Good

Re: feature request: fallback boot image

2010-04-02 Thread Toni Mueller
Hi, On Fri, 02.04.2010 at 15:50:36 +0200, Paul de Weerd wrote: > What do you mean "the new kernel won't boot" ? I mean that, for whatever reason, the kernel does not reach full multi-user capabilities within some timeout (say, 5 minutes). > there, the bootloader will automagically try /bsd. So

Re: feature request: fallback boot image

2010-04-02 Thread Toni Mueller
On Fri, 02.04.2010 at 08:44:56 -0500, Chris Bennett wrote: > If you don't have access to a console remotely, then exactly how > would you type fallback /bsd.backup? I would like to see a configuration option in /etc/boot.conf that I could use to specify a fallback kernel before I reboot to a new

Re: feature request: fallback boot image

2010-04-02 Thread Toni Mueller
Hi, On Fri, 02.04.2010 at 06:50:00 -0500, Chris Bennett wrote: > If you are talking about an upgrade then > cp bsd bsd.backup before install should do it. > Then use boot> boot /bsd.backup after a failed upgrade. I thought about the case where the new kernel won't boot and I don't have a consol

feature request: fallback boot image

2010-04-02 Thread Toni Mueller
Hi, it would be great to be able to specify a fallback kernel in case booting a new kernel fails - esp. if one needs to work on a remote site w/o hands-on support. TIA! Kind regards, --Toni++

Re: -current (GENERIC.MP#148 amd64): cannot load anchor from file

2010-04-01 Thread Toni Mueller
Hi, thanks for answering! On Thu, 01.04.2010 at 10:28:16 -0700, Philip Guenther wrote: > This is generally caused by mismatched kernel and userland. How > confident are you that yours were built from the same/matching > sources? I installed these files from my installation server, to which I

feature request: ifconfig emX clear

2010-04-01 Thread Toni Mueller
Hi, I'd like to be able to clear the counters of interfaces, similar to "clear counters" in Cisco lingo. TIA! Kind regards, --Toni++

-current (GENERIC.MP#148 amd64): cannot load anchor from file

2010-04-01 Thread Toni Mueller
Hi, I'm trying to run my pf setup on the latest -current/amd64 like this: # pfctl -n -f pf.conf (gives no error or warning) # pfctl -f pf.conf pfctl: pfctl_rules pfctl: load anchors pfctl: DIOCXROLLBACK: Invalid argument The only anchor statements I have are these: # grep anchor pf.conf anchor

Re: httpd segmentation fault

2010-04-01 Thread Toni Mueller
Hi, On Wed, 31.03.2010 at 22:10:08 +0300, Ozgur Kazancci wrote: > ----- Toni Mueller wrote: > > On Wed, 31.03.2010 at 14:03:06 -0400, Devin Ceartas > > wrote: > > > I suppose it should be "5.2.11 or later" my machine running 4.6 > > > stable has 5

Re: question wrt. -current

2010-04-01 Thread Toni Mueller
Hi, On Wed, 31.03.2010 at 17:12:30 -0700, Philip Guenther wrote: > The i386 build has been around a lot longer than amd64, so comparing > absolutes doesn't reveal the relative rate. that doesn't sound compelling to me, as, afair, the serial numbers are reset on every release. Eg. I can see this

Re: httpd segmentation fault

2010-03-31 Thread Toni Mueller
Hi, On Wed, 31.03.2010 at 14:03:06 -0400, Devin Ceartas wrote: > I suppose it should be "5.2.11 or later" my machine running 4.6 > stable has 5.2.12 installed from ports looking into CVS, it turns out that 5.2.10 is in 4.6-release, while 5.2.12 is in 4.6-stable. -- Kind regards, --Toni++

question wrt. -current

2010-03-31 Thread Toni Mueller
Hi, comparing the build dates and serial numbers of kernels, I get the impression that amd64 kernels are only built once in a while, so to say, compared to i386 kernels, because the #148 kernel for amd64 is much more recent than the #448 one for i386. Right? Wrong? Does it matter, and if so, how/

-current (#448): starts dropping packets after a while

2010-03-31 Thread Toni Mueller
Hi, recently, a problem with OpenBSD has popped up over here that manifests itself in "random" connection failures after some time. Network diagram: workstation (1) --- (3b) firewall (3a) --- Internet --- www.example.com (2) You surf from your workstation to www.example.com. On the firewall, yo

Re: 4.7: doesn't route IPSEC traffic very well

2010-03-25 Thread Toni Mueller
Hi, On Wed, 17.03.2010 at 16:26:39 -0500, Todd T. Fries wrote: > Try s/hmac-sha2-256/hmac-sha1/ until you have updated all your firewalls. > > Also try seeing http://www.openbsd.org/faq/current.html#20100110 .. thanks to all who helped out to solve this particular case of PEBCAK. Kind regards

Re: 4.7: doesn't route IPSEC traffic very well

2010-03-17 Thread Toni Mueller
Darn, I should write better messages. So here goes an important addendum: On Wed, 17.03.2010 at 17:55:34 +0100, Toni Mueller wrote: > I've installed the latest snapshot, with kernel bsd.mp#488, on a > machine that has several IPSEC connections to handle, some fixed > (branch offi

Re: pfctl(8): unclear docs

2010-03-17 Thread Toni Mueller
Hi, On Wed, 17.03.2010 at 16:24:42 +0100, Henning Brauer wrote: > -A, -O, -R are bullshit and I'll happily remove them. soon. that's ok with me. I thought that changing the docs was the less-intrusive thing to do, and I have no experience with ipf, so that certainly wasn't on my mind. TIA! --

4.7: doesn't route IPSEC traffic very well

2010-03-17 Thread Toni Mueller
Hi, I've installed the latest snapshot, with kernel bsd.mp#488, on a machine that has several IPSEC connections to handle, some fixed (branch offices), some for road warriors. The setup per se runs well for several years, but after this upgrade, traffic to the branch offices stopped. I checked one

addendum: 4.7 causes different problem Re: spurious "need to frag" messages

2010-03-17 Thread Toni Mueller
Hi, On Mon, 15.03.2010 at 19:10:12 +0100, Toni Mueller wrote: > # pfctl -s a |grep mss > # ifconfig|grep mtu|grep -v 1500 > lo0: flags=8049 mtu 33152 > enc0: flags=41 mtu 1536 > pflog0: flags=141 mtu 33152 > # > > And that's it... > Sample message from tcpdu

Re: pfctl(8): unclear docs

2010-03-16 Thread Toni Mueller
Hi, On Tue, 16.03.2010 at 07:37:42 +0001, Jason McIntyre wrote: > On Mon, Mar 15, 2010 at 10:35:23PM +0100, Toni Mueller wrote: > > An optimizer (or any other such device) which is on by default and > > claims to not change semantics, should imho be transparent to the user, >

Re: pfctl(8): unclear docs

2010-03-15 Thread Toni Mueller
Hi, On Mon, 15.03.2010 at 13:04:04 +, Jason McIntyre wrote: > doesn't "Other rules and options are ignored." already cover this? may be. But then, you are possibly only too deeply entrenched in this stuff to "see" the problem. > furthermore, since -T has a load command, should we really exp

spurious "need to frag" messages

2010-03-15 Thread Toni Mueller
Hi, one of my OpenBSD 4.6 boxen starts sending out "need to fragment" messages to other hosts, w/o me seeing the reason. # pfctl -s a |grep mss # ifconfig|grep mtu|grep -v 1500 lo0: flags=8049 mtu 33152 enc0: flags=41 mtu 1536 pflog0: flags=141 mtu 33152 # And that's it... IOW: There are only p

Re: pfctl(8): unclear docs

2010-03-15 Thread Toni Mueller
Hi, On Mon, 15.03.2010 at 12:22:35 +0100, matteo filippetto wrote: > for me it works good ... just don't use -R option > > http://kerneltrap.org/mailarchive/openbsd-misc/2007/4/6/147502 thanks for this link. Not using "-R" is not too good, either, as on this particular box, reloading everythi

pfctl(8): unclear docs

2010-03-15 Thread Toni Mueller
Hi, I've just run into the following problem on a 4.6 box: /etc/pf.conf (excerpt): table const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } block out on $extif from # /sbin/pfctl -F rules -R -f pf.conf rules cleared pfctl: Must enable table loading f

Re: Easy money with OpenBSD & OpenBGPd?

2010-03-13 Thread Toni Mueller
Hi, technical issues aside, On Sat, 13.03.2010 at 15:24:30 +, Sevan / Venture37 wrote: > I was reading the arstechnica article on the internet filtering > that's now in place in New Zealand & they mentioned that the > appliance they're using called a "Whitebox" which uses a "BSD-Unix" > Any

ipsecctl(8): delete by SPI index?

2010-03-13 Thread Toni Mueller
Hi, I dimly remember that it was possible to delete flows by specifying their SPI index in the SADB, but when I say # ipsecctl -d 0x12345678 with 0x12345678 being a number obtained by running # ipsecctl -v -ss I only get back an error message. If I say "ipsecctl -sf" and feed one of these line

Re: sysctl(3)

2010-03-12 Thread Toni Mueller
Hi, On Fri, 12.03.2010 at 13:21:45 +0001, Jason McIntyre wrote: > On Thu, Mar 11, 2010 at 12:23:22AM +0100, Toni Mueller wrote: > > > what exactly is missing from sysctl(3)? > > the sections I read seem to exhaustively list the settings that can > > be used with the 

Re: sysctl(3)

2010-03-11 Thread Toni Mueller
On Thu, 11.03.2010 at 14:31:46 +0100, Toni Mueller wrote: > But I'll now grab 'comp' too and see if that helps. I've now looked at the man page in -current, and it does not cover the "leaves" below PF_KEY. -- Kind regards, --Toni++

Re: sysctl(3)

2010-03-11 Thread Toni Mueller
Hi Otto, On Thu, 11.03.2010 at 07:08:24 +0100, Otto Moerbeek wrote: > On Thu, Mar 11, 2010 at 12:23:22AM +0100, Toni Mueller wrote: > > Btw, in the snapshot of today, the sysctl(3) man page is absent: > > > > $ find . -name 'sysctl*' > > ./cat8/sysctl.0 >

Re: sysctl(3)

2010-03-10 Thread Toni Mueller
Hi, On Wed, 10.03.2010 at 21:48:38 +0001, Jason McIntyre wrote: > what exactly is missing from sysctl(3)? the sections I read seem to exhaustively list the settings that can be used with the 'mib' parameter, but not for PF_KEY. Btw, in the snapshot of today, the sysctl(3) man page is absent: $

sysctl(3)

2010-03-10 Thread Toni Mueller
Hi, while digging into my problem with bogus SADB entries, I noticed that sysctl(3) is incomplete, and the online man page doesn't show up (I only get sysctl(8) to see when accessing this link: http://www.openbsd.org/cgi-bin/man.cgi?query=sysctl&apropos=0&sektion=3&manpath=OpenBSD+Current&arch=i38

Re: IPSEC: trying to understand ipsec.conf(5)

2010-01-24 Thread Toni Mueller
Hi, On Sun, 24.01.2010 at 17:47:22 +0100, Toni Mueller wrote: > First off, I noticed that, if isakmpd is running w/o the '-K' switch, > running 'ipsecctl -f somefile' results in a problem accessing > /var/run/isakmpd.fifo, with a "file does not exist" er

IPSEC: trying to understand ipsec.conf(5)

2010-01-24 Thread Toni Mueller
Hi, I'm running an IPSEC setup using isakmpd.conf + isakmpd.policy, and would like to move to using ipsec.conf instead. First off, I noticed that, if isakmpd is running w/o the '-K' switch, running 'ipsecctl -f somefile' results in a problem accessing /var/run/isakmpd.fifo, with a "file does not

Re: IPSEC: "bad checksum"

2010-01-22 Thread Toni Mueller
Hi, On Thu, 21.01.2010 at 21:48:01 +, Christian Weisgerber wrote: > Toni Mueller wrote: > > today I see tons of these on a 4.6-stable/amd64 machine (sample): > > 17:21:00.848135 esp 1.1.1.1 > 2.2.2.2 spi 0x54d46678 seq 132642 len 84 > > (DF) (ttl 64, id 49897, len 1

IPSEC: "bad checksum"

2010-01-21 Thread Toni Mueller
Hi, today I see tons of these on a 4.6-stable/amd64 machine (sample): 17:21:00.848135 esp 1.1.1.1 > 2.2.2.2 spi 0x54d46678 seq 132642 len 84 (DF) (ttl 64, id 49897, len 104, bad cksum 0! differs by 8b3c) 17:21:00.859630 esp 2.2.2.2 > 1.1.1.1 spi 0x87b9932c seq 89638 len 324 (ttl 46, id 63366, l

SOLVED: Re: Feature request: pf + "set-tos", Re: IPSEC & ECN: no-go?

2010-01-20 Thread Toni Mueller
Hi, On Sat, 09.01.2010 at 13:09:29 -0500, Ted Unangst wrote: > On Sat, Jan 9, 2010 at 11:40 AM, Toni Mueller wrote: > > # /sbin/pfctl -n -f pf.conf.test > > pf.conf.test:23: illegal tos value (null) > Best guess: sbin/pfctl/parse.y thanks, Ted, this worked quite nicely.

Re: Recommend T1 Card for 4.6

2010-01-09 Thread Toni Mueller
Hi, On Wed, 06.01.2010 at 14:45:42 -0800, Noah Pugsley wrote: > A little off topic but why trying to get rid of the Cisco? Other > than the power/size/noise or to simplify your setup, less links in > the chain, etc.. > > I use OpenBSD for everything I can, and some things I shouldn't but > an eb

Re: Feature request: pf + "set-tos", Re: IPSEC & ECN: no-go?

2010-01-09 Thread Toni Mueller
Hi, [ will cross-post this to tech@ ] On Mon, 05.10.2009 at 18:47:10 +0200, Toni Mueller wrote: > On Thu, 01.10.2009 at 12:21:19 +0200, Toni Mueller > wrote: > > Searching around, I found that this question was already raised by > > Martin Hedenfalk well over a y

Re: IPSEC bringing down networking 1.1

2010-01-09 Thread Toni Mueller
Hi, On Tue, 05.01.2010 at 12:44:49 -0800, Jeff Simmons wrote: > fw:$ netstat -nr tip: netstat -rnf encap > > Encap: > Source Port Destination Port Proto SA(Address/Proto/Type/Direction) > > 0/00 0/00 0 gatewayIP/50/use/in > 0/00

Re: ldconfig: default path?

2010-01-09 Thread Toni Mueller
Hi, On Wed, 30.12.2009 at 18:17:24 +0100, Marc Espie wrote: > I don't know about a "long list of directories". These days, there are at > most 5 ports that do this kind of annoying shit. > > Toni, this looks like hyperbolic speech to me. 4 or 5 doesn't amount to > "long list". I'll re-check, bu

Re: Recommend T1 Card for 4.6

2010-01-09 Thread Toni Mueller
Hi, On Wed, 06.01.2010 at 22:19:55 +0100, David Coppa wrote: > man 4 art these cards are "almost" great, but I don't know where to purchase any. Otherwise, I'd get two or three more myself. My only current problem with these cards is that they don't support in-depth line diagnostics as do Cisco

Re: ldconfig: default path?

2009-12-30 Thread Toni Mueller
Hi Dale, hi Theo, On Tue, 29.12.2009 at 11:55:55 -0600, Dale Rahn wrote: > On Tue, Dec 29, 2009 at 06:03:48PM +0100, Toni Mueller wrote: > > I've just seen a program fail to work, saying that it can't load a > > shared library (but a different one on each invocation - t

ldconfig: default path?

2009-12-29 Thread Toni Mueller
Hi, I've just seen a program fail to work, saying that it can't load a shared library (but a different one on each invocation - this is an SMP machine). Then I found out that /usr/local/lib was not part of the scanned directories. Looking into http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ld.

Re: shutdown and reboot sometimes ignored?

2009-11-23 Thread Toni Mueller
Hi, On Mon, 23.11.2009 at 10:04:20 -0600, Chris Bennett wrote: > If you are running PostgreSQL, and aren't running as root, you will need > to use sudo shutdown -r now or /etc/rc.shutdown will hang ?? you mean, if I am not running PostgreSQL as root? I usually log in as a regular user, then

Re: shutdown and reboot sometimes ignored?

2009-11-23 Thread Toni Mueller
Hi, On Sun, 22.11.2009 at 23:03:10 +0100, Joachim Schipper wrote: > On Sun, Nov 22, 2009 at 10:00:05PM +0100, Peter J. Philipp wrote: > > On Sun, Nov 22, 2009 at 09:20:46PM +0100, Toni Mueller wrote: > > > for several releases of OpenBSD, I now have encountered the problem >

shutdown and reboot sometimes ignored?

2009-11-22 Thread Toni Mueller
Hi, for several releases of OpenBSD, I now have encountered the problem that I can say "shutdown -r now", or "halt", or "reboot", and nothing appears to happen, except for some messages on the associated terminals. Sometimes, it works after saying it multiple times, and literally after minutes, a

art(4): seeking new and used cards

2009-11-16 Thread Toni Mueller
Hi, if someone has to sell known-good Accom cards, I'm very much interested in purchasing some. Please contact me off-list. TIA! -- Kind regards, --Toni++

IGNORE: Re: Can't get carp to fail over all interfaces with pfsync

2009-11-10 Thread Toni Mueller
On Tue, 10.11.2009 at 13:58:26 +0100, Toni Mueller wrote: > Did you set the appropriate sysctl switch? > > net.inet.carp.preempt=1 Note to self: Don't write emails when not fully awake. -- Kind regards, --Toni++
